
Access to Alibaba Cloud Content Delivery Network acceleration resources returns a 403 status code

Last Updated: May 19, 2022

Overview

A 403 status code returned by Alibaba Cloud Content Delivery Network (CDN) is usually caused by one of the situations described below. To troubleshoot, open the browser's developer tools, switch to the Network tab, re-request the failing URL to reproduce the 403, and then inspect the response headers returned by Alibaba Cloud CDN under Headers. The error header in that response (for example X-Tengine-Error or X-Swift-Error) tells you which situation caused the 403. Each situation is described in detail in this article.

Details

The accelerated domain name is not added to the Alibaba Cloud Content Delivery Network.

Suppose you add the primary domain name aliyundoc.com to CDN and its CNAME is aliyundoc.com.w.alikunlun.com. If your other second-level domain names, such as example.aliyundoc.com and demo.aliyundoc.com, are not added to CDN but are nevertheless pointed at aliyundoc.com.w.alikunlun.com, CDN responds with 403. The specific error is reported as follows.

X-Tengine-Bf-Error: non-existent domain

Alibaba Cloud Content Delivery Network authentication issues

Alibaba Cloud Content Delivery Network authentication problems usually manifest as missing authentication parameters, expired authentication, or authentication calculation errors. Read the URL authentication documentation to understand the authentication principle, and then troubleshoot further as described below.

  1. Common authentication issues are as follows:
    • No authentication parameters are carried: Alibaba Cloud Content Delivery Network authentication is enabled, but the actual access URL does not carry authentication parameters. As a result, the following error occurs.
      X-Tengine-Error: denied by req auth: no url arg auth_key
    • Authentication expired: Alibaba Cloud Content Delivery Network authentication is enabled and the URL carries authentication parameters, but the authentication parameters have expired.
      X-Tengine-Error: denied by req auth: expired timestamp
    • Authentication calculation error: the MD5 value of the authentication parameter is calculated incorrectly.
      X-Tengine-Error: denied by req auth: invalid md5hash

  2. Solution:
    • The authentication parameter is not included: log on to the Alibaba Cloud Content Delivery Network console and disable authentication if you do not need the Alibaba Cloud Content Delivery Network authentication function.
    • The authentication has expired: regenerate the authentication URL.
    • Authentication calculation error: if the MD5 calculation of the authentication parameter is incorrect, we recommend that you use the address generator in the Alibaba Cloud Content Delivery Network console to generate a URL and compare it with the one produced by your own authentication code, or see the authentication sample code.
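The three X-Tengine-Error messages above correspond to the checks a CDN edge performs on the auth_key parameter. The following Python is an added example, not code from this page or from Alibaba Cloud: it signs a URL and then validates it the way an edge would, returning the same reason strings the page lists. It assumes the Type A URL authentication format (auth_key=timestamp-rand-uid-md5hash, with the hash taken over "URI-timestamp-rand-uid-PrivateKey" and timestamp being the expiry time in Unix seconds); that format is not described on this page, and the private key and URLs below are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder; a real private key is configured in the CDN console.
PRIVATE_KEY = "example-private-key"


def md5hash(uri, timestamp, rand, uid, private_key):
    """Assumed Type A signing string: 'URI-timestamp-rand-uid-PrivateKey'."""
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{private_key}"
    return hashlib.md5(sstring.encode("utf-8")).hexdigest()


def sign_url(url, private_key, expires_at, rand="0", uid="0"):
    """Append an auth_key to url; expires_at is a Unix timestamp (seconds)."""
    parts = urlsplit(url)
    # The URI that is signed is the path only, without the query string.
    digest = md5hash(parts.path, expires_at, rand, uid, private_key)
    sep = "&" if parts.query else "?"
    return f"{url}{sep}auth_key={expires_at}-{rand}-{uid}-{digest}"


def check_auth_key(url, private_key, now):
    """Validate url as an edge would.

    Returns 'ok' or a reason string matching the X-Tengine-Error values
    quoted on this page. Treating a malformed auth_key (wrong field count,
    non-numeric timestamp) as an md5hash error is this example's choice.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "auth_key" not in query:
        return "denied by req auth: no url arg auth_key"
    fields = query["auth_key"][0].split("-")
    if len(fields) != 4:
        return "denied by req auth: invalid md5hash"
    timestamp, rand, uid, given = fields
    if not timestamp.isdigit():
        return "denied by req auth: invalid md5hash"
    if int(timestamp) < now:
        return "denied by req auth: expired timestamp"
    expected = md5hash(parts.path, timestamp, rand, uid, private_key)
    # Constant-time comparison so the check does not leak hash prefixes.
    if not hmac.compare_digest(expected, given):
        return "denied by req auth: invalid md5hash"
    return "ok"


if __name__ == "__main__":
    import time

    signed = sign_url("https://example.aliyundoc.com/video/1.mp4",
                      PRIVATE_KEY, int(time.time()) + 600)
    print(signed)
    print(check_auth_key(signed, PRIVATE_KEY, int(time.time())))
```

To reproduce an "invalid md5hash" report during debugging, compare the URL your own generator produces with one from the console's address generator: the path, timestamp, rand and uid fields should be byte-identical before the hashes are compared.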

Anti-leech issue

The hotlink protection feature is enabled, but the Referer header in the actual request does not comply with the hotlink protection rule, resulting in 403. For a 403 caused by hotlink protection, the X-Tengine-Error header in the Alibaba Cloud Content Delivery Network response is "denied by Referer ACL". For more information about hotlink protection issues, see Solution for access Alibaba Cloud Content Delivery Network returning 403 errors due to hotlink protection exceptions.

X-Tengine-Error: denied by Referer ACL

IP black and white list issues

If an IP address blacklist or whitelist is configured in the Alibaba Cloud Content Delivery Network console and the IP address of the client does not meet the configured rules, CDN returns 403.

  1. Symptoms of IP blacklist and whitelist problems
    • An IP address whitelist is configured, but the IP address of the client is not in the whitelist, resulting in 403. The following error is reported.
      X-Tengine-Error: denied by IP ACL = not in whitelist
    • An IP address blacklist is configured, and the IP address of the client is in the blacklist, resulting in 403. The following error is reported.
      X-Tengine-Error: denied by IP ACL = blacklist
  2. Modify the IP address blacklist or whitelist configuration according to the corresponding issue. For more information, see Configure IP address blacklist and whitelist.

UA blacklist and whitelist issues

  1. If a UA blacklist is configured and the client User-Agent matches a blacklist rule, the following error is reported.
    X-Tengine-Error: black ua
  2. If a UA whitelist is configured and the client User-Agent is not in the whitelist, the following error is reported.
    X-Tengine-Error: not in white ua

URL violations are blocked

The URL that returns 403 involves illegal or harmful information that violates the relevant service agreement and Article 15 of the Internet Information Service Management Measures. In this case, the URL is blocked by Alibaba Cloud Content Delivery Network and you receive an email or SMS notification. Make sure that the content accelerated by Alibaba Cloud Content Delivery Network is legal. After confirming that it is legal, submit a ticket to apply for unblocking. The following two errors are caused by URL violations.

x-swift-error: request hit url black list
x-tengine-ban-error: global ban hit

Origin response 403

If the origin server returns 403 to Alibaba Cloud Content Delivery Network, Alibaba Cloud Content Delivery Network returns 403 to the client. The following error is returned when the origin server responds with 403.

X-Swift-Error: orig response 4XX error

  • The origin server is your own server
    Bind the Host to the origin server and test whether the origin server itself returns 403. If it does, resolve the 403 on the origin server first. Note also that an incorrect back-to-origin Host configuration in Alibaba Cloud Content Delivery Network can cause 403 errors. The difference between the origin Host and the origin is that the origin determines the IP address that is requested during back-to-origin, while the origin Host determines the specific site accessed at that IP address.
  • The origin server is Alibaba Cloud OSS

    If the access permission of the origin bucket is private but the access URL does not contain the OSS private signature parameters (Signature, Expires, OSSAccessKeyId), Alibaba Cloud Content Delivery Network fails OSS authentication when it requests the object from OSS, resulting in 403. The following error is reported.

    You have no right to access this object because of bucket acl

    If this issue occurs, we recommend that you enable Alibaba Cloud Content Delivery Network OSS private bucket back-to-origin authorization. For more information, see Alibaba Cloud OSS private bucket back-to-origin authorization.

    If the following error occurs, the 403 was returned by OSS hotlink protection, and you need to check the hotlink protection settings of OSS.

    You are denied by bucket referer policy

    Modify the hotlink protection configurations of OSS. For more information, see Configure hotlink protection.

    If the following error occurs, the static website homepage of OSS was accessed while private bucket back-to-origin authorization is enabled. Currently, the Alibaba Cloud Content Delivery Network private bucket back-to-origin feature conflicts with the static website hosting feature of OSS, and the two cannot be used together.

    You are forbidden to list buckets

    You can choose one of the following solutions to deal with it according to the actual situation:

Application scope

  • CDN
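The Overview describes reading the CDN response headers to identify the cause of a 403, and the Details sections list the marker strings for each cause. The following Python is an added example, not part of this article or of any Alibaba Cloud tool: it parses a raw HTTP response, matches the headers and body against the markers quoted above, and reports the cause, so that captured responses can be triaged in bulk instead of one at a time in the browser. Header-name matching is case-insensitive because the page shows both X-Tengine-Error and x-tengine-error spellings. The sample responses are constructed, and treating the three OSS messages as text in the response body (rather than in a header) is an assumption; the page quotes the messages without saying where they appear.

```python
# Triage a 403 response from Alibaba Cloud CDN by its error markers.
# (header name, substring of header value, cause); names are lowercased.
HEADER_RULES = [
    ("x-tengine-bf-error", "non-existent domain", "accelerated domain name not added to CDN"),
    ("x-tengine-error", "no url arg auth_key", "URL authentication: auth_key parameter missing"),
    ("x-tengine-error", "expired timestamp", "URL authentication: auth_key expired"),
    ("x-tengine-error", "invalid md5hash", "URL authentication: MD5 calculation error"),
    ("x-tengine-error", "denied by referer acl", "hotlink protection: Referer not allowed"),
    ("x-tengine-error", "not in whitelist", "IP ACL: client IP not in whitelist"),
    ("x-tengine-error", "denied by ip acl = blacklist", "IP ACL: client IP in blacklist"),
    ("x-tengine-error", "black ua", "UA ACL: User-Agent in blacklist"),
    ("x-tengine-error", "not in white ua", "UA ACL: User-Agent not in whitelist"),
    ("x-swift-error", "request hit url black list", "URL blocked for violation"),
    ("x-tengine-ban-error", "global ban hit", "URL blocked for violation"),
    ("x-swift-error", "orig response 4xx error", "origin server returned 403"),
]

# OSS messages, assumed to be relayed in the response body. Checked before the
# header rules because they are more specific than "origin returned 4XX".
BODY_RULES = [
    ("bucket acl", "origin is a private OSS bucket without back-to-origin authorization"),
    ("bucket referer policy", "OSS hotlink protection denied the request"),
    ("forbidden to list buckets", "OSS static website hosting conflicts with private bucket back-to-origin"),
]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage(raw):
    """Return a human-readable cause for a 403 response, or a note if not 403."""
    status, headers, body = parse_response(raw)
    if status != 403:
        return f"not a 403 (status {status})"
    lowered_body = body.lower()
    for needle, cause in BODY_RULES:
        if needle in lowered_body:
            return cause
    for name, needle, cause in HEADER_RULES:
        if needle in headers.get(name, "").lower():
            return cause
    return "403 with no known CDN marker: check origin server and CDN logs"


# Constructed sample responses, modelled on the markers quoted in this article.
SAMPLES = {
    "referer": "HTTP/1.1 403 Forbidden\r\nServer: Tengine\r\n"
               "X-Tengine-Error: denied by Referer ACL\r\n\r\n",
    "banned": "HTTP/1.1 403 Forbidden\r\nx-swift-error: request hit url black list\r\n\r\n",
    "oss_private": "HTTP/1.1 403 Forbidden\r\nX-Swift-Error: orig response 4XX error\r\n"
                   "Content-Type: application/xml\r\n\r\n"
                   "<Error><Code>AccessDenied</Code><Message>You have no right to "
                   "access this object because of bucket acl</Message></Error>",
    "origin_plain": "HTTP/1.1 403 Forbidden\r\nX-Swift-Error: orig response 4XX error\r\n\r\n",
    "ok": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {triage(raw)}")
```

Captured responses from the browser's Network tab (copied as raw headers plus body) or from a curl -i run against the CDN domain can be fed to triage() unchanged.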