Rails の controller 側

class DownloadController < ApplicationController

  def action

    # 認証処理
    ...

    resource_id = 2
    resource = Resource.find resource_id    

    response.header['X-Accel-Redirect'] = '/reproxy'
    response.header['X-Reproxy-URL'] = resource.data_url

    render nothing: true
  end

end

nginx の 設定

upstream hoge_sock {
        server unix:/var/www/html/hoge/current/tmp/sockets/unicorn.sock fail_timeout=0;
}

server {

        listen   80 default;
        server_name hoge.com;

        root /var/www/html/hoge/current/public;

        client_max_body_size 10M;

        access_log /var/log/nginx/access_hoge.log;
        error_log /var/log/nginx/error_hoge.log;


        location / {
                try_files $uri $uri/index.html  @unicorn;
        }

        location ~ /\. {
                deny  all;
        }

        location /reproxy {
                internal;
                resolver 8.8.8.8;
                set $reproxy  $upstream_http_x_reproxy_url;
                proxy_pass $reproxy;
                # コンテントタイプを隠す場合
                proxy_hide_header Content-Type;
                # 認証ヘッダを削除
                proxy_set_header  Authorization "";
        }

        location @unicorn {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_pass http://hoge_sock;
        }
}

S3の方に、無駄なヘッダーを送るとダウンロードできないようです。