Browser accesses URL of Application:
http://www.example.com/private_media/my_file.pdf
The Permissions are checked by the application backend.
If Access is denied the application backend returns a 403
and thats the end of it.
If Access is granted the application backend returns a special http header:
X-Accel-Redirect: /my_private_location/path/to/my_file.pdf;
Nginx in turn serves whatever is accessible from that url, bypassing the internal
safeguard on the location
directives. In this case it would serve:
/path/to/real/location/in/filesystem/path/to/my_file.pdf
Same as general idea as above. The header might look like this:
X-Accel-Redirect: /my_private_mogilefs_location/path/to/my_file.pdf;
And nginx will serve the content from MogileFS using the path as file key:
/path/to/my_file.pdf