We are using NginxHttpSecureLinkModule
(http://wiki.nginx.org/NginxHttpSecureLinkModule) to write secure links
for our media hosting, and we added on the TTL module so the links can
expire after X minutes
(Nginx secure link module with TTL - Masterzen’s Blog).
This has also been tested without this module, and with the latest
stable version (0.7.64) and the latest development version (0.8.32) and
the outcome has been the same.
When using a Secure Link, adding any request variables (?start=20) cause
it to fail and pass to our default 403 page. Without the Secure Links,
request variables work fine and are handled properly by the Location
tags in the config.
I thought that it might have been treating the request string as part of
the filename you’re hashing, so I included it within the has, but the
link also gave a 403 so I don’t believe it is. We’re trying to use it
to play video files through a flash player, which adds extra strings to
the url by default.
You should be able to reproduce it by appending a query string of any
type to any link using this module (secure_link_secret config option).