There is a really good nginx module doing this.

The URL gets two parameters – Let’s call them s (security) and t (timestamp). Security is a secure hash generated from timestamp, path and a salt (in your case just add the ip).

$ip = $_SERVER['REMOTE_ADDR'];
$salt = 'change me cause im not secure';
$path = '/download/webapp.rar';
$timestamp = time() + 3600; // one hour valid
$hash = md5($salt . $ip . $timestamp . $path); // order isn't important at all... just do the same when verifying
$url = "http://mysite.com{$path}?s={$hash}&t={$timestamp}"; // use this as DL url

To verify:

$ip = $_SERVER['REMOTE_ADDR'];
$salt = 'change me cause im not secure';
$path = $_SERVER['REQUEST_URI'];
$hashGiven = $_GET['s'];
$timestamp = $_GET['t'];
$hash = md5($salt . $ip . $timestamp . $path);
if($hashGiven == $hash && $timestamp <= time()) {
    // serve file
} else {
    die('link expired or invalid');
}

Now you just need to rewrite the downloads to this “man in the middle”-script and you are done.

Example rewrite for nginx:

location /download {
    rewrite ^.*$ /download.php last;
    break;
}

I’m not really familar with apache rewrites so you may check for this yourself.

If you are using one of the following modules you do not need to verify all this yourself and it is much better performance-wise but note that it affords more configuration and sometimes another way to generate the url and hash (see module docs here).

Or you just use the nginx secure link module: http://wiki.nginx.org/HttpSecureLinkModule

There is also a pendant for lighty: http://redmine.lighttpd.net/wiki/1/Docs:ModSecDownload

Or the nginx secure download module: http://wiki.nginx.org/HttpSecureDownload

Maybe there is something for apache too… Maybe you could do something with rewrites there…