<?php
/**
 * @param $baseUrl - non protected part of the URL including hostname, e.g. http://example.com
 * @param $path - protected path to the file, e.g. /downloads/myfile.zip
 * @param $secret - the shared secret with the nginx server. Keep this info secure!!!
 * @param $ttl - the number of seconds until this link expires
 * @param $userIp - ip of the user allowed to download
 * @return string
 */
function buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp)
{
    $expires = time() + $ttl;
    $md5 = md5("$expires$path$userIp $secret", true);
    $md5 = base64_encode($md5);
    $md5 = strtr($md5, '+/', '-_');
    $md5 = str_replace('=', '', $md5);
    return $baseUrl . $path . '?md5=' . $md5 . '&expires=' . $expires;
}

// example usage
$secret = 'the_secret_key_configured_in_nginx';
$baseUrl = 'http://example.com';
$path = '/path/to/file.zip';
$ttl = 120; //no of seconds this link is active
$userIp = '195.99.99.99'; // normally you would read this from something like $_SERVER['REMOTE_ADDR'];
echo buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp);
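Added example (not part of the gist): a PHP re-implementation of the check nginx applies to these links, returning the same three `$secure_link` values ('' for a missing or mismatched hash, '0' for an expired link, '1' for a valid one), which helps find the differing input when a link is rejected. It assumes the nginx side uses `secure_link $arg_md5,$arg_expires;` with `secure_link_md5 "$secure_link_expires$uri$remote_addr <secret>";`; the function names and sample values are constructed for illustration.

```php
<?php
// Added example, not the gist author's code. Assumed nginx configuration:
//   secure_link     $arg_md5,$arg_expires;
//   secure_link_md5 "$secure_link_expires$uri$remote_addr <secret>";

// Token layout used by buildSecureLink(): expires, path, IP, one space, secret.
function secureLinkToken(string $expires, string $path, string $ip, string $secret): string
{
    $raw = md5($expires . $path . $ip . ' ' . $secret, true);
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/**
 * Hypothetical helper: returns the value nginx would assign to $secure_link.
 */
function checkSecureLink(string $url, string $secret, string $userIp, ?int $now = null): string
{
    $now = $now ?? time();
    // nginx hashes the decoded $uri, so decode the path before hashing it.
    $path = rawurldecode((string) parse_url($url, PHP_URL_PATH));
    parse_str((string) parse_url($url, PHP_URL_QUERY), $args);
    $given = $args['md5'] ?? '';
    $expires = $args['expires'] ?? '';
    if (!is_string($given) || !is_string($expires)
        || $given === '' || preg_match('/^[0-9]+$/', $expires) !== 1) {
        return '';
    }
    // Constant-time comparison of the recomputed token with the supplied one.
    if (!hash_equals(secureLinkToken($expires, $path, $userIp, $secret), $given)) {
        return '';
    }
    // The hash matched; the link is expired once its timestamp is in the past.
    return ((int) $expires < $now) ? '0' : '1';
}

// Constructed sample values (not from a real deployment).
$secret  = 'example_secret';
$ip      = '203.0.113.7';
$path    = '/downloads/myfile.zip';
$expires = '1700000120';
$url = 'http://example.com' . $path
     . '?md5=' . secureLinkToken($expires, $path, $ip, $secret) . '&expires=' . $expires;

var_dump(checkSecureLink($url, $secret, $ip, 1700000000));            // before expiry
var_dump(checkSecureLink($url, $secret, $ip, 1700000121));            // after expiry
var_dump(checkSecureLink($url, $secret . "\n", $ip, 1700000000));     // secret with a stray newline
var_dump(checkSecureLink($url, $secret, '203.0.113.8', 1700000000));  // request from another IP
```

An empty result for a link you just generated means one of the hashed inputs (secret, path as nginx sees it, or client IP) differs between PHP and nginx.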
I'm using the config provided above, and all the PHP is running ok on the subdomain. Also tried the config from (https://rahul-juneja3.medium.com/how-to-create-secure-download-link-urls-via-nginx-5578a0db5913), with and without the 443 SSL from certbot.
Well, at this point, I would look for small typos, maybe the secret is not the same in nginx config and in your php script. Maybe a weird character copy pasted somewhere.
I don't have any other ideas... :)
UPD. did it in this way
location section {
    if ($secure_link = "0") {
        return 419;
    }
}
...
error_page 419 = @unsecure;
....
location @unsecure {
    # Handle unsecure requests here
    rewrite "^/([0-9]+)/th_([a-z0-9-_]+).(jpg|png|gif)$" /local_folder/picture.php?id=$1&size=th&idx=01&tkey=$tkey;
}
Is there any possibility to rewrite or redirect to a PHP script using wildcards in case of an expired image?
e.g. something like
if ($secure_link = "0") {
    rewrite "^/([0-9]{7})/th_([a-z0-9-_]+).(jpg|png|gif)$" /local_folder/picture.php?id=$1&size=th&idx=01&tkey=$tkey break;
}
but then the php file is saved and not loaded in the browser.
When I enter in browser URL https://this.server/local_folder/picture.php?id=XXXXX&size=th&idx=01&tkey=XXXXXXXXXXX - all is loading fine (image with filters is shown)
There's a block in server setting, which handles php scripts
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}
when I use
if ($secure_link = "0") {
    return 302 /local_folder/picture.php?id=$1&size=th&idx=01&tkey=$tkey;
}
all working - URL is redirected, image is shown. But how to use rewrite here? Better solution is to keep original URL
Any ideas?
Then, maybe there's something wrong with the nginx config.