I only have experience using this nginx module (and I customized it a bit):
Which was discontinued when nginx came out with their official module which I listed in my previous post, and appears to do the same thing as the above 3rd party module.
We have it configured like so:
So, when we generate the link in php it looks like this:
We then redirect the user to that link. When the user arrives on the fileserver with the above link, if the url and auth hash checks out, they are served:
When someone goes to site.tld/folder/filename they are shown /fail.html. So the only way to access the file would be to, as you said, bruteforce the authhash. We use a very long secretkey plus a customized hash method so its extremely unlikely that it'll ever be bruteforced.
We offer many large files too, and found this to be the best option, and found nginx by far the best httpd to use in terms of performance.