When you use Alibaba Cloud CDN to accelerate static assets in an OSS bucket, enabling both static website hosting and the back-to-origin for private buckets feature can cause an access error. This topic explains how to resolve this issue.
Background information
- OSS static website hosting: Static website hosting.
- Back-to-origin for private OSS buckets: Back-to-origin for private buckets.
Problem
This problem occurs when an OSS bucket is set to private, static website hosting is enabled, and back-to-origin for private buckets is enabled in Alibaba Cloud CDN.
When you access https://example.com/ to view the default homepage https://example.com/index.html, the Alibaba Cloud CDN PoP (Point of Presence) returns a 403 Forbidden error with the message "You don't have permission to access the URL on this server." The browser's developer tools show the response header x-tengine-error: You are forbidden to list buckets.
403 Forbidden
You don't have permission to access the URL on this server.
Powered by Tengine
Response Headers
content-type: text/html
date: Sun, 01 Mar 2020 01:31:13 GMT
eagleid: xxx
server: xxx
status: 403
timing-allow-origin: *
via: cache51.l2cn2302[,0], kunlun7.cn250[9,403-1280,M], kunlun2.cn250[12,0]
x-cache: MISS TCP_MISS dirn:-2:-2
x-swift-cachetime: 1
x-swift-error: orig response 4XX error
x-swift-savetime: Sun, 01 Mar 2020 01:31:13 GMT
x-tengine-error: You are forbidden to list buckets
Request Headers
:authority: xxx.xxx.com
Cause
The back-to-origin for private buckets feature of Alibaba Cloud CDN conflicts with the default homepage configuration of OSS static website hosting.
OSS static website hosting defines a default homepage, such as index.html. When an anonymous user accesses the website domain, such as https://example.com/, OSS automatically serves the default homepage, for example, https://example.com/index.html. However, after you enable back-to-origin for private buckets in Alibaba Cloud CDN, the back-to-origin request from the CDN to OSS is an authenticated request to access the root directory. For an authenticated request, unlike an anonymous one, OSS does not automatically serve the default homepage. Instead, OSS interprets the request as an attempt to list the contents of the bucket, which is denied by default for private buckets. This causes the "You are forbidden to list buckets" error.
Solutions
- Solution 1: If you do not need the static website hosting feature, disable it for the OSS bucket. For instructions, see Static website hosting.
- Solution 2: If you require static website hosting, configure a URI rewrite rule in Alibaba Cloud CDN. This prevents Alibaba Cloud CDN from sending back-to-origin requests that target the root directory.
To configure the rule, set Path to Be Rewritten to ^/$ to match requests for the root directory, set Target Path to /index.html, and set Flag to Redirect. After the rule is configured, when a client requests www.example.com/, the Alibaba Cloud CDN PoP returns a 302 redirect, instructing the client to request www.example.com/index.html. For detailed steps, see Rewrite access URLs.
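The following added example (not Alibaba Cloud code) checks a captured 403 response for the bucket-listing denial described in this topic and models which request paths the Solution 2 rule redirects. The function names are hypothetical, the first sample is a subset of the headers shown above, and the second sample is constructed.

```python
import re

# Rule values taken from Solution 2; the function names are hypothetical.
REWRITE_PATTERN = re.compile(r"^/$")   # Path to Be Rewritten
TARGET_PATH = "/index.html"            # Target Path
LIST_DENIED = "you are forbidden to list buckets"

def parse_headers(raw):
    """Turn 'name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.strip().partition(": ")
        if sep:
            headers[name.lower()] = value.strip()
    return headers

def is_root_listing_conflict(raw):
    """True when a 403 carries the bucket-listing denial described above."""
    h = parse_headers(raw)
    return (h.get("status") == "403"
            and LIST_DENIED in h.get("x-tengine-error", "").lower())

def apply_rewrite(path):
    """Model the Redirect flag: 302 to TARGET_PATH for the root path only."""
    if REWRITE_PATTERN.search(path):
        return 302, TARGET_PATH
    return None, path  # not matched by the rule; path is left as is

# Subset of the response headers captured in this topic.
SAMPLE = """
status: 403
x-swift-error: orig response 4XX error
x-tengine-error: You are forbidden to list buckets
"""

# Constructed 403 with a different cause, to show the check is specific.
OTHER_403 = """
status: 403
x-tengine-error: some other denial (constructed)
"""

if __name__ == "__main__":
    print("listing conflict:", is_root_listing_conflict(SAMPLE))
    print("other 403:", is_root_listing_conflict(OTHER_403))
    for p in ("/", "/index.html", "/docs/"):
        print(p, "->", apply_rewrite(p))
```

The pattern ^/$ matches only the root path, so a request such as /docs/ is not redirected by this rule.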