Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled? -

If you use Alibaba Cloud CDN to accelerate static content delivery from OSS buckets, you may need to enable access to private OSS buckets and host the static websites on OSS. This topic describes how to fix the error that may arise in this scenario.

Background information

For more information about static website hosting, see Overview.
For more information about how to grant Alibaba Cloud CDN access permissions on private OSS buckets, see Grant Alibaba Cloud CDN access permissions on private OSS buckets.

Challenge

A website that consists of static web pages is hosted on a private OSS bucket, and Alibaba Cloud CDN is granted the permissions to access private OSS buckets.

A user attempts to visit the homepage https://example.com/index.html of the website https://example.com/, but Alibaba Cloud CDN returns the 403 Forbidden error message to the user and prompts "You don't have permission to access the URL on this server". The debugging information of the browser shows the following response message: x-tengine-error: You are forbidden to list buckets. FAQ

Causes

Access to private OSS buckets conflicts with the settings of the default homepage of the website that is hosted on OSS.

Note When you configure static website hosting, you must set the default homepage of the website domain name to a specific file, such as index.html. Anonymous requests to the website domain name, such as https://example.com/, are automatically redirected to the default homepage, such as https://example.com/index.html. After you allow Alibaba Cloud CDN to access private OSS buckets, back-to-origin requests from the accelerated domain name to the OSS bucket are considered anonymous requests that are destined for the root directory. In this case, the CDN rejects the requests. The error message "You are forbidden to list buckets" is triggered.

Solutions

Solution 1: If the static website hosting feature is not required, disable it. To disable static website hosting, clear relevant settings. For more information, see Overview.
Solution 2: If you must enable static website hosting, create a URI rewrite rule to prevent requests from accessing the root directory.
In the URI rewrite rule, set Path to Be Rewritten to ^/$, Target Path to /index.html, and Flag to Redirect. After the URI rewrite rule is set, Alibaba Cloud CDN returns the HTTP 302 status code and redirects user requests that are destined for www.example.com/ to www.example.com/index.html. For more information, see Create a URI rewrite rule.