Insecure Downloads in Chrome and Publicly Accessible Documents Folder Warning FYI #714
Description
I am posting this as a solution to two issues that I have seen addressed here and in the WP support threads as independent issues.
During development we experienced issues with downloads of private documents failing in Chrome due to an insecure redirect step (see #695, https://wordpress.org/support/topic/allowoverride-problems/, https://wordpress.org/support/topic/mixed-content-error-when-downloading-attachments/ ). Simultaneously, a warning that the docs folder was directly accessible regardless of privacy settings on the document was displaying in the WP admin.
After toiling with our host (Cloudways) regarding the downloads issue and not getting anywhere, I informed them of the direct access warning message and referred them to your wiki (https://github.com/boonebgorges/buddypress-docs/wiki/Attachment-Privacy#nginx). They implemented an NGINX config update and not only did it fix the direct access warning, it fixed the downloads issue as well. I cannot attest to if they used the config statement from the wiki verbatim.
So it would appear that the two issues are related and can be solved with updating the nginx config. It may be useful for other users who experience the same issues with NGINX running as a reverse-proxy to update the wiki as such.