
Troubleshoot website access issues

Last Updated: Apr 22, 2026

This topic describes how to diagnose and resolve access issues for a website that is protected by Web Application Firewall (WAF).

Procedure

To troubleshoot access issues after adding your website to Web Application Firewall, follow these steps:

  1. Check for origin server issues: Bypass WAF to determine if your origin server is causing the issue.

  2. Check for WAF false positives: Temporarily disable protection modules to determine if WAF is blocking legitimate requests.

  3. Troubleshoot common access errors: Refer to a list of common errors to analyze and resolve the issue.

For information about the tools that are used in this procedure, see Appendix: Common tools.

Check for origin server issues

Follow these steps to bypass WAF and determine if an issue is caused by your origin server:

  1. Disable security measures on your origin server, such as security groups, blacklists, whitelists, firewalls, or other security products. This prevents your server from blocking WAF's back-to-origin IP addresses.

  2. Modify the hosts file on your local computer to map the domain name to the public IP address of the corresponding ECS instance, SLB instance, or server. This is the origin server IP address you configured in WAF.

  3. From a browser on your local computer, access the domain name to check if the issue persists without WAF.

    • If the issue persists, the problem is likely with the origin server. Check the server's status, including its processes, CPU, memory usage, and web logs, to identify and fix any anomalies.

    • If the issue does not occur, the origin server is not the cause. To continue troubleshooting, see Check for WAF false positives.
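The bypass test above can also be run without editing the hosts file. The script below is an added example, not part of the vendor documentation: it uses curl's --resolve option to send one request through WAF and one straight to the origin, then names the next check from the common access errors described on this page. DOMAIN and ORIGIN_IP are placeholders you supply, HTTPS on port 443 is assumed, and the result labels are this example's own.

```shell
#!/bin/sh
# Added example. Usage: sh waf_triage.sh DOMAIN ORIGIN_IP
# DOMAIN and ORIGIN_IP are placeholders; HTTPS on port 443 is an assumption.

# probe DOMAIN [ORIGIN_IP]: print the HTTP status code, or 000 if no response.
# With ORIGIN_IP, --resolve pins DOMAIN:443 to that address for this one
# request, which is what the hosts-file entry does, while Host and SNI stay
# set to DOMAIN so the origin selects the right site and certificate.
probe() {
    if [ -n "$2" ]; then
        curl -sS -o /dev/null -m 10 -w '%{http_code}' \
            --resolve "$1:443:$2" "https://$1/"
    else
        curl -sS -o /dev/null -m 10 -w '%{http_code}' "https://$1/"
    fi
}

# triage WAF_STATUS ORIGIN_STATUS: print a label for the next check.
triage() {
    case $2 in
        000|5??) echo origin; return ;;   # fails without WAF too
    esac
    if [ "$1" = "$2" ]; then
        echo same; return                 # WAF does not change the result
    fi
    case $1 in
        410) echo waf-domain-or-port-missing ;;
        405) echo waf-policy-or-rules-engine ;;
        302) echo waf-http-flood ;;       # confirm Set-Cookie in the response
        502) echo waf-back-to-origin-blocked ;;
        504) echo timeout ;;
        *)   echo unclassified ;;
    esac
}

# Run the two probes only when both arguments are given.
if [ "$#" -eq 2 ]; then
    via_waf=$(probe "$1") || true
    direct=$(probe "$1" "$2") || true
    echo "via WAF: $via_waf  direct: $direct  next: $(triage "$via_waf" "$direct")"
fi
```

A certificate or connection error on either probe is reported as 000, with curl's own error message on stderr.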

Check for WAF false positives

Follow these steps to disable WAF protection features and determine if WAF is incorrectly blocking legitimate requests:

  1. Disable the protection rules engine for the domain name and check if the issue is resolved. For more information, see Configure the protection rules engine.

    If the issue is resolved, change the Protection Rule Group for the protection rules engine to Loose Rule Group. The default setting is Medium Rule Group. Alternatively, you can use Log Service to analyze the problematic URL and create a custom protection policy to allow requests to that URL. For more information, see Configure a custom protection policy.

  2. If the issue persists after you disable the protection rules engine, disable HTTP Flood Protection for the domain name and check if the issue is resolved. For more information, see Configure HTTP flood protection.

    If the issue is resolved, set the mode for HTTP Flood Protection to Protection. If the mode is already set to Protection, you can skip this step. Alternatively, you can use Log Service to analyze the problematic URL and create a custom protection policy to allow requests to that URL. For more information, see Configure a custom protection policy.

    If the issue persists after you disable HTTP Flood Protection, the problem is not a WAF false positive. Proceed to Troubleshoot common access errors.

Troubleshoot common access errors

If the issue disappears when you bypass WAF but consistently reappears when WAF is enabled, use the following table to identify and resolve the problem.

The entries below are listed as Issue, Symptom, Cause, and Resolution.

410 Gone

Symptom: A "410 Website temporarily unavailable" page is displayed, or an HTTP 410 status code is returned. The page indicates that the protocol and port for the domain name have not been added to WAF.

Cause: The domain name or port is not configured in WAF. For example, if you configure only port 80 in WAF but a user tries to access your website on port 443, WAF returns a 410 error.

Resolution: Add the required domain name or port in the WAF console. For more information, see Add a domain name.

405 Method Not Allowed

Symptom: A 405 block page is displayed, or an HTTP 405 status code is returned.

Cause: The request is blocked by a custom protection policy or the protection rules engine.

Resolution:

  1. Disable the custom protection policy for the domain name and check if the 405 error persists. For more information, see Configure a custom protection policy.

    If the error is resolved, a rule in your policy is causing a false positive. Identify and delete the specific rule.

  2. If the issue persists, disable the protection rules engine for the domain name and check again. For more information, see Configure the protection rules engine.

    If the issue is resolved, change the Protection Rule Group for the protection rules engine to Loose Rule Group. The default setting is Medium Rule Group. Alternatively, you can use Log Service to analyze the problematic URL and create a custom protection policy to allow requests to that URL. For more information, see Configure a custom protection policy.

302 Found (Connection Reset)

Symptom: When accessing the website from certain IP addresses, the connection is reset, an HTTP 302 status code is returned, and the response includes a Set-Cookie header.

Cause: The request from the IP address triggered an HTTP flood protection rule.

Resolution: Disable HTTP Flood Protection for the domain name and check if the issue is resolved. For more information, see Configure HTTP flood protection.

If this restores access, the issue is a false positive. Set the mode for HTTP Flood Protection to Protection. If the mode is already set to Protection, you can skip this step. Alternatively, you can use Log Service to analyze the problematic URL and create a custom protection policy to allow requests to that URL. For more information, see Configure a custom protection policy.

HTTPS access issues

Symptom: An HTTPS request returns a certificate for www.notexist.com.

Cause: WAF requires client browsers to support Server Name Indication (SNI). This error occurs if the client's browser does not support SNI.

Resolution: macOS supports SNI by default. For Windows and Android operating systems, you may need to ensure SNI compatibility. For more information, see HTTPS access issues caused by SNI incompatibility (untrusted server certificate).

502 Bad Gateway (Blank Screen)

Symptom: The website displays a blank screen, and an HTTP 502 status code is returned.

Cause: WAF returns a 502 error if it cannot reach the origin server (such as an ECS instance, an SLB instance, or a physical server) or experiences packet loss.

Resolution:

  1. Check for security software or policies on the origin server, such as a blacklist, iptables rules, a firewall, or other security applications. If any exist, disable or uninstall them, clear the blacklist, and ensure that WAF's back-to-origin IP addresses are allowed. For more information, see Allow WAF back-to-origin IP addresses.

  2. Bypass WAF to test access to the origin server directly. For more information, see Check for origin server issues.

    • If the issue persists, the problem is likely with the origin server. Check its status, including processes, CPU and memory usage, and web logs.

    • If the issue does not occur, it is not an origin server problem. Check if WAF is causing a false positive by following the steps in the resolution for the 405 Method Not Allowed issue.

504 Gateway Timeout

Symptom: The website displays a "Gateway Timeout" error, and an HTTP 504 status code is returned.

Cause:

  • Increased traffic can cause performance issues on the backend server, leading to a 504 error.

  • A persistent connection has timed out.

Resolution:

  • Backend server performance: Check your backend servers for performance bottlenecks. For example, high connection counts or excessive CPU or memory usage can cause 504 errors.

  • Persistent connection timeout: Check if the timeout issue is related to persistent connections between the client and the server. For more information, see What do I do if a persistent connection times out?.

Cannot ping the domain name

Symptom: The domain name is unreachable by ping, and you receive an alert that your WAF instance is under a DDoS attack and its traffic is routed to a blackhole.

Cause: WAF does not protect against volumetric DDoS attacks.

Resolution: Activate Anti-DDoS to mitigate DDoS attacks. For more information, see Comparison of Alibaba Cloud Anti-DDoS solutions.

Uneven server load

Symptom: Traffic is not distributed evenly across multiple backend servers.

Cause: WAF uses Layer 4 IP hash. If you chain Anti-DDoS with WAF, or if you use an SLB instance that is configured for Layer 4 forwarding, traffic may be distributed unevenly to your ECS instances.

Resolution: Use an SLB instance for load balancing between WAF and your ECS instances. Configure the SLB instance for Layer 7 forwarding and enable cookie-based session persistence.

WeChat or Alipay callback failure

Symptom: Callbacks from WeChat or Alipay fail.

Cause: This issue can occur if high-frequency access is blocked by HTTP flood protection rules, or if the callback uses HTTPS and the service (WeChat or Alipay) does not support SNI.

Appendix: Common tools

  • Chrome DevTools: A set of web developer tools built into Chrome for inspecting network activity and page element loading. Press F12 to open DevTools and go to the Network tab.

  • ping: A command-line tool that is available in Windows and Linux for testing network connectivity. In Windows, press Win+R and enter cmd to open Command Prompt. Usage: ping <domain name>

  • traceroute (Linux) and tracert (Windows): Command-line tools for tracing the network path to a destination and identifying packet loss at each hop. In Windows, press Win+R and enter cmd to open Command Prompt. Usage: tracert -d <domain name>

  • nslookup: A command-line tool for verifying that domain name resolution is working correctly. In Windows, press Win+R and enter cmd to open Command Prompt. Usage: nslookup <domain name>