No, this won't work.
Here's a flow:
1. You need to setup nginx to proxy requests to your tornado application. You can do it based on URL matching and, say,
mysite.com/download/ will go to Tornado;
location /download/ {
proxy_redirect off;
... maybe some other options as well ...
}
2. You need to add protected directory. For example:
location /protected/ {
internal;
root /some/path;
}
3. Then, in your CheckHandler you need to set protected cookie based on some condition
4. In ProtectedHandler, check if cookie was set. If it was, set X-Accel-Redirect header. Otherwise return 403 or something.
So, this how it will work:
1. User makes request to CheckHandler, cookie will be set. It can be done either through enginx or directly, as long as /download/ is on the same domain;
2. User decides to download file, clicks on the /download/ link;
3. Request will be made to the Nginx;
4. Nginx will make request to ProtectedHandler;
5. ProtectedHandler will make decision what should happen. Lets assume cookie was set;
6. Nginx will receive X-Accel-Redirect header from the Tornado and will send static file back instead of proxying original response;
7. User is happy.
Serge.