Question


How can I troubleshoot a 403 Forbidden response in my CDN resource?

Answer


If you receive a 403 Forbidden response from CDN edge servers, consider the following scenarios:

  • Enabling the Country Access, Hotlink Policy, IP Access, or URL Signing features returns a 403 Forbidden response if a request does not comply with the rules defined for the specific resource.
  • Enabling HTTP Rules with forbidden access returns a 403 Forbidden response if a request does not comply with the rules defined for the specific resource.
  • If you have a CDN resource without any access control or security settings, you may validate the issue following the steps below:

      • Make an HTTP request using a CDN resource primary hostname:

$ curl -I cdn.something.com
HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 29 Aug 2016 06:08:30 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 328
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
X-Storage: 43.242.41.1:8001
X-Edge-IP: 43.242.41.1
X-Edge-Location: Hong Kong, HK

      • Make an HTTP request using an origin:

$ curl -I 11.222.333.100
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 29 Aug 2016 06:09:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/6.1.2

      • Make an HTTP request to the origin with the Host HTTP request header set to the CDN resource primary hostname:

$ curl -I -H "Host: cdn.something.com" 11.222.333.100
HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 29 Aug 2016 06:09:34 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Vary: Accept-Encoding

The 403 is caused by the origin failing to accept a legitimate HTTP request made by the CDN edge server: the origin answers 200 OK when addressed directly, but returns 403 Forbidden as soon as the request carries the CDN resource primary hostname in the Host header. To resolve this issue, configure your origin to accept the CDN primary hostname. For more details, refer to Create HTTP CDN Resource.
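The three checks above can be run in one pass. The script below is an added example, not part of the original article or the CDN provider's tooling; it goes beyond the single case shown by also labelling the other status combinations. The function names and outcome labels are this example's own, and the reading of "edge-side-403" (review the access features listed in the first two bullets) is an assumption drawn from those bullets.

```shell
#!/bin/sh
# Added example: automates the three curl checks described above.

# Print the status code from the first line of `curl -I` output on stdin.
status_of() {
    awk 'NR == 1 && /^HTTP\// { print $2 }'
}

# HEAD request to $1; if $2 is given it is sent as the Host header.
probe() {
    if [ -n "${2:-}" ]; then
        curl -sI --max-time 10 -H "Host: $2" "$1" | status_of
    else
        curl -sI --max-time 10 "$1" | status_of
    fi
}

# classify CDN_STATUS ORIGIN_STATUS ORIGIN_WITH_HOST_STATUS
# Labels are hypothetical names chosen for this example.
classify() {
    cdn=$1 origin=$2 hosted=$3
    if [ -z "$cdn" ] || [ -z "$origin" ] || [ -z "$hosted" ]; then
        echo "probe-failed"                 # no HTTP status line received
    elif [ "$cdn" != 403 ]; then
        echo "not-reproduced"               # edge did not return 403
    elif [ "$hosted" = 403 ] && [ "$origin" != 403 ]; then
        echo "origin-rejects-cdn-hostname"  # the case shown in the article
    elif [ "$hosted" = 403 ]; then
        echo "origin-denies-all"            # origin returns 403 for any Host
    else
        echo "edge-side-403"                # origin accepts the hostname
    fi
}

# diagnose CDN_HOSTNAME ORIGIN_ADDRESS
diagnose() {
    classify "$(probe "$1")" "$(probe "$2")" "$(probe "$2" "$1")"
}

if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
else
    # No arguments: replay the statuses from the article's three outputs.
    classify 403 200 403
fi
```

Invoke it with the CDN resource primary hostname and the origin address as the two arguments.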