All Products
Search

This Product

    Object Storage Service:Accessing a CDN-accelerated domain returns a "You are forbidden to list buckets" error after enabling origin fetch to a private OSS bucket

    Document Center

    Object Storage Service:Accessing a CDN-accelerated domain returns a "You are forbidden to list buckets" error after enabling origin fetch to a private OSS bucket

    Last Updated:Mar 20, 2026

    When you access a Content Delivery Network (CDN) accelerated domain name backed by a private OSS bucket, the following error appears:

    X-Tengine-Error: You are forbidden to list buckets

    This topic explains why the error occurs and provides steps to resolve it.

    Why this happens

    When CDN back-to-origin for private buckets is enabled, accessing the accelerated domain name at the root path triggers a GetBucket (ListObjects) request. CDN rejects ListObjects by default.

    There are two root causes:

    • Static website hosting conflict — OSS static website hosting is incompatible with CDN private bucket back-to-origin. When both are enabled, CDN cannot correctly sign and forward requests to OSS.

    • Missing `index.html` in the back-to-origin request — When a request hits the root path (for example, www.example.com), CDN signs the request for that path. OSS, however, serves www.example.com/index.html. The signature covers the root path, not the file path, so OSS rejects the request as unauthorized.

    Important

    OSS static website hosting conflicts with CDN private bucket back-to-origin. If your bucket has static website hosting enabled, resolve that first before troubleshooting the signature mismatch.

    Resolution

    Step 1: Check whether static website hosting is enabled

    Go to your OSS bucket settings and check the static website hosting status.

    If static website hosting is enabled, choose one of the following options based on your use case:

    OptionWhen to useWhat to do
    Disable static website hostingYou don't need OSS to serve a static siteDisable static website hosting. For details, see Static website hosting.
    Switch to public read and disable private back-to-originYou need static website hosting functionalitySet the bucket ACL to public read and disable CDN private bucket back-to-origin. For details, see Configure access to private OSS buckets.

    If static website hosting is not enabled, proceed to Step 2.

    Step 2: Add a URL rewrite rule in CDN

    On the CDN side, add a rewrite rule that redirects root path requests to index.html. For example, rewrite www.example.com to www.example.com/index.html.

    This ensures the CDN signature and the actual OSS file path match, resolving the error.

    For instructions on creating rewrite rules, see Rewrite access URLs.