FV WordPress Flowplayer – Foliovision 403 error

[darkspeed.com]

I have one more problem with displaying videos on my site

Analysis of darkspeed.com/video/day-trading-software.mp4 (local):
Error: Server does not support HTTP range requests!
Error: Access to video forbidden (HTTP 403)!

Format: mp4
Meta Data (moov) position: 28
Seek points: 60 (stts)
Audio: 1 stream, mp4 (ISO/IEC 14496-3 AAC) 48000Hz, 2 channels, 16bit, stereo
Video: avc1 (H.264 Encoder) codec, mp42 (MS-MPEG4 v2 Decoder) file type

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 15, 2013 - 6:25 pm <<<<<<<<<<<
REMOTE_ADDR: 209.59.173.243
Host Name: darkspeed.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /video/day-trading-software.mp4
QUERY_STRING:
HTTP_USER_AGENT: WordPress/3.5.1; http: //darkspeed.com

[Anonymous]

Your comment was spammed again of course.  Testing posting with a user account using .com

[AITpro Admin]

Hmm ok the .com in your user account is not the issue.  Will check the DB to see if BuddyPress or bbPress add some kind of usermeta.

[AITpro Admin]

Where is SERVER_PROTOCOL: HTTP/1.0 coming from?  Are you using an outdated Proxy?  Squid Proxy?  HTTP/1.0 is used by spammers, scrapers and hackers.  All legitimate apps, etc. use the new Server Protocol HTTP/1.1 as of 1997.

Try creating either a skip/bypass rule for the file: day-trading-software.mp4 by adding it to the Misc file skip/bypass rule above or you can try one of the 3rd Party App options in the link below.

http://www.ait-pro.com/aitpro-blog/2252/bulletproof-security-plugin-support/checking-plugin-compatibility-with-bps-plugin-testing-to-do-list/#Custom-PHP-Applications-Outside-WordPress

[AITpro Admin]

I checked your website and your HTTP Headers and Server Protocol are good so that is really odd that HTTP/1.0 is shown in the error.  Unless of course this is someone who is scraping your site.  Scrapers will show your host name and IP address during the mirror of your site.

GET / HTTP/1.1
Host: darkspeed.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 AlexaToolbar/alxf-2.18
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

[darkspeed.com]

The 1.0 call was triggered when using foliovision.com WordPress Plugin Flowplayer to embed a video

[AITpro Admin]

Ah I see where it is coming from now on your website.  How ironic that this uses a Server Protocol that is known to be used by spammers, scrapers and hackers and it has to do with security.  Too funny.

OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List

Host: ocsp.verisign.com

HTTP/1.0 200 Ok
Last-Modified: Fri, 14 Jun 2013 19:19:06 GMT
Expires: Fri, 21 Jun 2013 19:19:06 GMT
Content-Type: application/ocsp-response
content-transfer-encoding: binary
Content-Length: 1856
Cache-Control: max-age=512190, public, no-transform, must-revalidate
Date: Sat, 15 Jun 2013 21:02:36 GMT
nncoection: close
Connection: Keep-Alive

[AITpro Admin]

And just for the heck of it I checked to see if this is interfering with your mp4 and it is not so the OCSP thing is not a real big deal.

GET /video/day-trading-software.mp4 HTTP/1.1
Host: darkspeed.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 AlexaToolbar/alxf-2.18
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=31ec343d938d16dda8ca2d394a91d5f4; __atuvc=3%7C24
Connection: keep-alive
Range: bytes=2626182-
If-Range: "9d0e9-9d87d3-4de9b44b74040"

HTTP/1.1 200 OK
Date: Sat, 15 Jun 2013 21:27:18 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Sat, 08 Jun 2013 02:26:01 GMT
Etag: "9d0e9-9d87d3-4de9b44b74040"
Accept-Ranges: bytes
Content-Length: 10323923
Content-Type: video/mp4

[darkspeed.com]

Thank you for all of the help!

[AITpro Admin]

Someone else had a similar problem with FV WordPress Flowplayer – Foliovision 403 error.  I installed and tested the FV WordPress Flowplayer plugin and the Server Protocol HTTP/1.0 is coming from this plugin.  Everything works fine, but an Admin error is shown to administrators of the website and a 403 error is generated in the BPS Security Log.  The 403 error is happening because a HEAD Request is being made and does NOT have to do with the Server Protocol issue.  The Server Protocol issue is just a minor nick nack that I assume would just need to have a Host Header field added either in javascript or the php coding of this plugin to fix the Server Protocol HTTP/1.0 issue.

To stop the 403 error from occurring and being logged in the BPS Security log you would add this code to BPS Custom Code.

1. Copy this REQUEST METHODS FILTERED .htaccess code to this BPS Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED: 
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

BPS Pro 11.6+ & BPS free .53.2+
You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

BPS Pro 11.5+ & BPS free .53.1+

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]

BPS Pro 11.4|BPS free .53 and lower versions

# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and 
# remove/delete HEAD| from the Request Method filter.
# Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
# The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]

[Foliovision]

Hello darkspeed.com,

thank you for reporting the issue, although we have our own support forums: http://foliovision.com/support

We are using a standard WordPress function wp_remote_head() to perform the request when checking the video file. However I see that we can just skip this check of video file response headers, as the video gets downloaded for further analysis anyway.

So this will be fixed in a new release – coming out today or tomorrow.

Thanks,
Martin

[AITpro Admin]

@ Foliovision – your reply was spammed and has been unspammed.  We did not see the reply until today.  Thanks.

[Author]

Posts