Anywayz derailed it a bit.. But as previously poitned out, not looking for a PHP solutions, i think apache should able to do it, since i see alot of one click file sharing does this, the files are not necessary located at the download http link.
The vast majority of file sharing sites use one of the modules I mentioned earlier, or a custom module or server side language.
If the only reason why you don't want to use the modules I listed earlier is brute forcing, then you can use a 50 digit alphanumeric key that would never get bruteforced. You can also edit the code and add an extra hash (what our company did) which means that people will have no idea how the hash is made up, or even what algorithm it is, so then cant brute force it.
So, when we generate the link in php it looks like this:
We then redirect the user to that link. When the user arrives on the fileserver with the above link, if the url and auth hash checks out, they are served:
When someone goes to site.tld/folder/filename they are shown /fail.html. So the only way to access the file would be to, as you said, bruteforce the authhash. We use a very long secretkey plus a customized hash method so its extremely unlikely that it'll ever be bruteforced.
We offer many large files too, and found this to be the best option, and found nginx by far the best httpd to use in terms of performance.