Change media upload URL, but only for wp-admin (6 posts)

  1. johnmontfx
    Posted 2 years ago #

    Love using Cloudflare, but one of the limitations is that they restrict upload file sizes to 100MB and I need to have users be able to upload larger files. The workaround I've been using is to change wp-admin to be a subdomain (bypass.fxg.com) and bypass this subdomain on CloudFlare. This way, the limit doesn't apply. Through mod_rewrite, the subdomain is actually the same WordPress install...same directory, files, etc...just the url is different.

    That works pretty well, but does end up breaking some plugins, especially caching ones (since they "think" the site is bypass.fxg.com and not http://www.fxg.com).

    So what i'd like to try is to move the admin back to http://www.fxg.com, and "simply" change the URL for the uploader to be "bypass.fxg.com". This way, files would get automatically uploaded via bypass and not be limited. And files on the site for users would still come from http://www.fxg.com.

    In 3.5 you can still hook into upload_url_path, but then this changes where the files are served from.

    So is there a hook somewhere in admin where you can change the upload url -- and only have it impact the upload functionality? And not change the URL that is stored, etc?

    Or maybe a fancy redirect on the upload if I can figure out the URL used....

    Thanks for any insight....

  2. bcworkz
    Posted 2 years ago #

    There is the 'wp_handle_upload_prefilter' filter which appears to be the correct hook. You may need to have your script examine the passed URL and by content decide if the URL modification is justified or not. Or perhaps all URLs going through this filter need to be modified. Further testing is required, but should be a good place to start.

  3. johnmontfx
    Posted 2 years ago #

    Good pointer....thanks for the response. I'll look into that for sure. I had actually gotten a bit further in my research and found this in media.php:

    function wp_plupload_default_settings()
    $defaults = array(
    		'runtimes'            => 'html5,silverlight,flash,html4',
    		'file_data_name'      => 'async-upload', // key passed to $_FILE.
    		'multiple_queues'     => true,
    		'max_file_size'       => $max_upload_size . 'b',
    		'url'                 => admin_url( 'async-upload.php', 'relative' ),
    		'flash_swf_url'       => includes_url( 'js/plupload/plupload.flash.swf' ),
    		'silverlight_xap_url' => includes_url( 'js/plupload/plupload.silverlight.xap' ),
    		'filters'             => array( array( 'title' => __( 'Allowed Files' ), 'extensions' => '*') ),
    		'multipart'           => true,
    		'urlstream_upload'    => true,
    $defaults = apply_filters( 'plupload_default_settings', $defaults );

    Seems like the url value might do the trick for me. I'm gonna have to deal with cookie domains for the admin, etc....but between your insight and this I think I might be onto something.

  4. johnmontfx
    Posted 2 years ago #

    Well...this isn't working. For some reason it fails when I switch to a different subdomain for the submit.

    I've set all cookies to / and "fxguide.com" -- but it just fails in the verification check. I've tried this with and without the nonce as well...no go.


    //'url'  => admin_url( 'async-upload.php', 'relative' ),
      'url' => wp_nonce_url('https://ipa.fxguide.com/wp-admin/async-upload.php', 'fxg' ),
  5. bcworkz
    Posted 2 years ago #

    I fear you may have run up against browser security. If it decides the site is different than the one that set the cookie (even if wrongly), it will not send the cookie along with the request. Setting your site parameters in the cookie makes no difference, the browser considers that data untrustworthy.

    I'm no expert in how browsers work, so I may be wrong on this, but this is what it sounds like. I've tried to think of a way around this without compromising security but have come up blank.

  6. johnmontfx
    Posted 2 years ago #

    Thanks for thinking about this...appreciate another mind on it. :)

    I went through the .php includes for wp to debug where the process failed and it does seem related to cookies. I thought maybe the nonce would override this, but apparently doesn't.

    If I stick with using "www" for both admin and async-upload.php it works fine. If I stick with using "bypass" for both admin and async-upload.php it works fine. I can switch back and forth between the two without logging in. But a mix...no go.

    Meet brick wall.

    I love using CloudFlare, but the 100MB limit is a bummer of a workaround.

Topic Closed

This topic has been closed to new replies.

About this Topic