You forgot to configure the Public role to have access to the /upload path. Right now it is accessible only to authenticated users.
Public
/upload
