I stumbled upon the exact same problem today while moving our site from Lighttpd to nginx.

This is how we solved it:

Link to our protected files look like this:

/pdf/number.pdf/MD5_hash/hex_of_timestamp

and this is our location directive:

[code]
# PDF download
location /pdf {
secure_download on;
secure_download_secret $request_addr;
secure_download_path_mode file;

if ($uri ~ "^/pdf/(.+\.pdf)$") {
set $filename $1;
}
add_header Content-Disposition "attachment; filename=$filename";
}
[/code]

As you can see from the example we are extracting the filename from the request uri and setting the appropriate header.