The auth_request module was implemented in recent versions of Nginx and allows you to allow or deny access to a resource based on the result of a sub-request. Nginx calls the URI that you specify via the auth_request directive: if the sub-request returns a 2xx response code (such as HTTP/200 OK), access is allowed. If the sub-request returns a 401 or 403 status code, access is denied, and Nginx forwards the response code to the client. Should the backend return any other response code, Nginx will consider it to be an error and deny access to the resource:

location /downloads/ {
     # if the script below returns a 200 status code, 
     # the download is authorized
     auth_request /authorization.php; 
 } 

Additionally, the module offers a second directive, called auth_request_set, allowing you to set a variable after the sub-request is executed. You can insert variables that originate from the sub-request upstream ($upstream_http_*), such as $upstream_http_server or other HTTP headers, from the server response:

location /downloads/ {
     # requests authorization from PHP script
     auth_request /authorization.php;
     # assuming authorization is granted, get filename from
     # sub-request response header and redirect
     auth_request_set $filename "${upstream_http_x_filename}.zip"; 
    rewrite ^ /documents/$filename; 
}