I have some large audio files that I need to serve via HTTPs. They need to be protected by my PHP login system so they cannot live inside of the webroot. Fortunately there is a nifty Apache module named X-sendfile, that lets you serve files outside of the webroot.

Credential checking is done in PHP, and then you set a special HTTP header that Apache watches for. When Apaches sees the X-Sendfile header it serves the file directly. This gets you all the advantages of a full-blown HTTP server handling your files, but the convenience and simplicity of PHP for handling authentication.

if ($authorized) {
    $mime_type = mime_from_filename($filepath);

    header("Content-Type: $mime_type");
    header("X-Sendfile: $filepath");
    exit;
}

See also: Get mime type for file