Foaa

I was helping my brother to create his new website based on Wordpress. He has a lot of image stuff to upload and the Flash Uploader simply didnt work. All we got was a simple plain red “HTTP Error”. A lot of google research suggested that we have either wrong directory permissions (impossible, my server, each VirtualHosts runs as a single unix user and has rw to all his own directories) or running mod_security (which we dont).  However, i spent a lot of time, testing on all the browsers in my portfolio.. FF 2,3, 3.5, Opera 9.x, Google Chrome, IEx .. but always the same results.

Meanwhile i was and am still working on a relaunch of a customers website (not on Wordpress ) and ran into very similar problems: upload via flash didnt work either! Here i had the big advantage to have two deployments of the website: one on my laptop, where the upload works like a charm, and one in an online testing environment, where it didnt. At last i cased it: it is the damn HTTP Authentication! Damn it, one view in the logfiles would have reveal it at any time.

Now i could write a simple temporary solution for the still protected new website of my brother. The idea is to allow the flash uploader unauthorized access, while anybody else still has to authenticate. Here it is (added to .htaccess):

SetEnvIf    User-Agent    "^Shockwave Flash"    is_allowed
<Limit POST>
    Require valid-user
    Allow from env=is_allowed
</Limit>
<LimitExcept POST>
    Require valid-user
</LimitExcept>
Order Deny,Allow
Deny from all

Satisfy any

If you have the big luck of having a static IP at your workplace (or are’nt as lazy as me and will replace your IP in the following .htaccess snippet every time it renews), you can even make it far more secure like this:

<Limit POST>
    Require valid-user
    # REPLACE WITH YOUR IP:
    Allow from 1.2.3.4
</Limit>
<LimitExcept POST>
    Require valid-user
</LimitExcept>
Order Deny,Allow
Deny from all

Satisfy any