I've correct this bug adding an expire header like :
location ^~ /protected-file/ {
expires 30s;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
gzip off;
internal;
alias /;
}
And my PHP headers are :
header("X-Accel-Redirect: /protected-file".realpath($realpath));
header("X-Accel-Buffering: yes");
header('Content-Length: '.$size);
header("Content-Type: ");
header('Content-Disposition: attachment; filename="'.$filename.'"');
Nginx MIME types are /etc/nginx/mime.conf (from normal config)