如何加密文件下载路径

At some point you will have to give the browser the real URI so it can fetch the file. Trying to conceal it is pointless.

I don't believe this to be true. There's a simple way to protect the files on your server from unprivileged downloading using PHP's fpassthru. If you were to have a file called download.php, with the following contents:

<?php

/**
 * Make sure the downloads are *not* in a publically accessible path, otherwise, people
 * are still able to download the files directly.
 */
$filename = '/the/path/to/your/files/' . basename( $_GET['filename'] );

/**
 * You can do a check here, to see if the user is logged in, for example, or if 
 * the current IP address has already downloaded it, the possibilities are endless.
 */


if( file_exists( $filename ) ) {
    /** 
     * Send some headers indicating the filetype, and it's size. This works for PHP >= 5.3.
     * If you're using PHP < 5.3, you might want to consider installing the Fileinfo PECL
     * extension.
     */
    $finfo = finfo_open( FILEINFO_MIME );
    header( 'Content-Disposition: attachment; filename= ' . basename( $filename ) );
    header( 'Content-Type: ' . finfo_file( $finfo, $filename );
    header( 'Content-Length: ' . filesize( $filename ) );
    header( 'Expires: 0' );
    finfo_close( $finfo );

    /**
     * Now clear the buffer, read the file and output it to the browser.
     */
    ob_clean( );
    flush( );
    readfile( $filename );
    exit;
}

header( 'HTTP/1.1 404 Not Found' );

echo "<h1>File not found</h1>";
exit;

You can call download.php with ?filename=test.foo, and it will download /the/path/to/your/files/test.foo, which is not publicly accessible.