We moved this page to our Documentation Portal. You can find the latest updates here. |
Question
How can troubleshoot 403 error on my CDN resource?
Answer
In circumstances where all responses from CDN edge servers are "403 Forbidden Access" you may consider the following probable scenarios:
1. CDN Resource with Country Access, Hotlink Policy, IP Access, or URL signing features
Enabling the above features will return 403 Forbidden Access if the request made does not follow the rules as defined for the specific resource.
2. CDN Resource with forbidden access HTTP Rules
Enabling HTTP Rules with forbidden access will return 403 Forbidden Access if the request made does not follow the rules as defined for the specific resource.
3. CDN Resource without access control or security settings
If you have a CDN resource without any access control or security settings, you may validate the issue by the following steps:
1. Make a HTTP request using CDN resource primary hostname
$ curl -I cdn.something.com
HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 29 Aug 2016 06:08:30 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 328
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
X-Storage: 43.242.41.1:8001
X-Edge-IP: 43.242.41.1
X-Edge-Location: Hong Kong, HK
2. Make a HTTP request using origin
$ curl -I 11.222.333.100
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 29 Aug 2016 06:09:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/6.1.2
3. Make a HTTP request using origin with Host HTTP request header, with CDN resource primary hostname as its value
$ curl -I -H "Host: cdn.something.com" 11.222.333.100
HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 29 Aug 2016 06:09:34 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Vary: Accept-Encoding
The reason behind 403 Forbidden Access for this scenario is likely caused by the failure of origin to acknowledge legitimate HTTP request made by CDN edge server. To resolve this issue, kindly configure your origin to support CDN primary hostname in your origin. For more details, kindly refer to Q&A: Origin by hostname or IP?