Resolving Forbidden Error: How to Fix 403 Error in EdgeOne

EdgeOne-Product Team
Aug 29, 2024

Encountering a 403 error while browsing or managing a website can be both confusing and frustrating. This common HTTP status code indicates that access to the requested resource is forbidden. Understanding the underlying reasons and knowing how to address them can make resolving the issue much simpler. In this article, we will delve into what a 403 error is, explore its common causes, and provide a step-by-step guide on how to fix it in Tencent EdgeOne. This will ensure that you can restore access to your website or the specific resource in no time.

What is a 403 Forbidden Error?

A 403 Error, also known as a 403 Forbidden Error, is an HTTP status code that indicates that the server understands the request but refuses to authorize it. This error typically occurs when the server's permission settings do not allow the requested action to be performed. In simpler terms, the server is denying access to the resource you are trying to reach.

What are the Common Causes of 403 Forbidden Errors?

Typically, the causes of a 403 error may include the following:

  • Incorrect File Permissions: One of the most common reasons for a 403 error is incorrect file or directory permissions. If the permissions are set too restrictively, the server will block access.
  • IP Blocking: Some servers are configured to block specific IP addresses or ranges of IP addresses. If your IP is on the blocklist, you will encounter a 403 error.
  • Misconfigured .htaccess File: The .htaccess file is used to configure server settings. If this file is misconfigured, it can lead to a 403 error.
  • Index File Issues: If the server is unable to find an index file (like index.html or index.php) in a directory, it may return a 403 error.
  • Authentication Issues: Some resources require authentication, and if you fail to provide the correct credentials, you will receive a 403 error.

How to Fix a 403 Forbidden Error?

Common ways to fix a 403 forbidden error include the following:

  • Check File Permissions: Ensure that the file and directory permissions are set correctly. For most web servers, directories should have permissions set to 755 and files should be set to 644. You can change these permissions using an FTP client or through your hosting control panel.
  • Review .htaccess File: If you have access to the .htaccess file, review it for any misconfigurations. Look for directives that might be causing the issue, such as `Deny from all` or incorrect `RewriteRule` settings.
  • Check IP Blocking: If you suspect that your IP might be blocked, contact your hosting provider to verify and request unblocking if necessary.
  • Ensure Correct Index File: Make sure that the directory you are trying to access contains an index file. If not, either add an index file or configure the server to allow directory listing.
  • Authentication: If the resource requires authentication, ensure that you are providing the correct username and password. If you have forgotten your credentials, you may need to reset them.
  • Clear Browser Cache: Sometimes, the browser cache can cause issues. Clear your browser cache and cookies and try accessing the resource again.
  • Contact Hosting Provider: If you have tried all the above steps and are still encountering a 403 error, it may be best to contact your hosting provider for further assistance. They can provide more specific insights and help resolve the issue.

Best Practices for Fixing 403 Errors in EdgeOne

After you use Tencent EdgeOne to accelerate site access, a 403 error may occur. It is usually caused by the domain configuration, security policies, or the origin server responding with 403. The following details five common scenarios that trigger a 403 error. The first four mainly arise from features used to prevent website resources from being scraped.

1. Token Authentication Issue

Token authentication is a simple and reliable access control strategy. By configuring authentication rules that verify URL access, it can effectively prevent site resources from being maliciously scraped. This feature requires cooperation between the client and EdgeOne: after the client initiates an encrypted URL request, EdgeOne verifies the validity of the URL according to pre-set rules.

Authentication issues that cause 403 errors usually show up as missing authentication parameters, expired authentication, or authentication calculation errors. To investigate and resolve them, first understand how the authentication works from the URL authentication document.

Some common causes are listed below:

1.1 Not Carrying Authentication Parameters

Token authentication has been added in the rule engine, but the URL actually accessed does not carry authentication parameters, so the request returns a 403 error.

For example:

1.2 Authentication Parameter Expired

Token authentication has been added in the rule engine and the URL carries authentication parameters, but if the authentication parameter has expired, an error code of 1 will be returned.

This indicates that the authentication parameter has expired and the timestamp needs to be recalculated.

1.3 MD5 Calculation is Incorrect

If a URL with parameters is provided, but the MD5 check is incorrect, a 403 will also be returned, along with an error code of -5.

The returned error code lets you quickly determine which issue is causing the 403.

EdgeOne provides an Authentication Calculator feature, which makes it easy to calculate the authentication value and verify whether the calculation is incorrect.
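The three failure modes from sections 1.1 to 1.3 can be reproduced locally with a small signer and verifier. This is an added example, not EdgeOne's code: the `sign=timestamp-rand-uid-md5hash` layout, the parameter name, the key and the validity window are assumptions, and the real format must be taken from the EdgeOne authentication document.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Assumed values for illustration; none of these come from EdgeOne.
SECRET_KEY = "constructed-demo-key"  # shared key set in the authentication rule
VALID_SECONDS = 3600                 # validity window of a signed URL
PARAM = "sign"                       # hypothetical authentication parameter name


def md5_of(path, ts, rand, uid, key):
    """MD5 over path-timestamp-rand-uid-key (assumed input layout)."""
    return hashlib.md5(f"{path}-{ts}-{rand}-{uid}-{key}".encode()).hexdigest()


def sign_url(url, key=SECRET_KEY, now=None, rand="0", uid="0"):
    """Client side: append sign=timestamp-rand-uid-md5hash to the URL."""
    ts = int(time.time() if now is None else now)
    parts = urlsplit(url)
    sep = "&" if parts.query else "?"
    return f"{url}{sep}{PARAM}={ts}-{rand}-{uid}-{md5_of(parts.path, ts, rand, uid, key)}"


def check_url(url, key=SECRET_KEY, now=None):
    """Edge side: return (status, reason), one reason per failure mode."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    values = parse_qs(parts.query).get(PARAM)
    if not values:
        return 403, "missing authentication parameter"         # section 1.1
    fields = values[0].split("-")
    if len(fields) != 4 or not fields[0].isdecimal():
        return 403, "malformed authentication parameter"
    ts, rand, uid, digest = fields
    expected = md5_of(parts.path, ts, rand, uid, key)
    # Constant-time comparison of the recomputed and supplied digests.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return 403, "MD5 mismatch"                             # section 1.3
    if now > int(ts) + VALID_SECONDS:
        return 403, "expired, re-sign with a fresh timestamp"  # section 1.2
    return 200, "ok"


if __name__ == "__main__":
    signed = sign_url("https://www.example.com/video/a.mp4")   # constructed URL
    print("valid       ", check_url(signed))
    print("no parameter", check_url("https://www.example.com/video/a.mp4"))
    print("expired     ", check_url(signed, now=time.time() + VALID_SECONDS + 1))
    print("wrong path  ", check_url(signed.replace("a.mp4", "b.mp4")))
```

Signing a URL for one path and requesting another produces the MD5 mismatch, which is the usual cause when the client signs the full URL or an encoded path while the verifier hashes the decoded path.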

2. Referer Anti-leeching Issue

By setting access control rules based on the Referer field in the HTTP request header, the identity of visitors can be recognized and filtered to prevent website resources from being illegally used. By configuring a Referer whitelist and blacklist, EdgeOne will identify the request identity according to the list, and allow or deny access requests. If the request is allowed, EdgeOne will return a resource link; if the request is denied, EdgeOne will return a 403 response code.

The following is an example Referer anti-leeching setting: the www.example.com domain under the example.com site only allows requests with a Referer of https://www.example.com, and all other requests are denied directly with a 403.

Requests with an empty Referer will return a 403.

Requests with a Referer that is not in the configuration will also return a 403.

Only requests with a Referer in the configuration can access the resource normally.

3. IP Whitelist and Blacklist Issue

By configuring an IP whitelist and blacklist to filter user requests, you can intercept or allow access from specific IPs, effectively limiting access sources and solving problems such as malicious IP scraping and attacks. If the IP whitelist and blacklist are configured in the console, and the actual access IP does not comply with the configuration rules, a 403 will occur.

For example: the www.example.com domain under the example.com site only allows client IPs in the range of 1.1.2.1~1.1.2.254 (including 1.1.2.1 and 1.1.2.254) to access resources under this accelerated domain; all other requests are refused directly with a 403.

4. User-Agent Blacklist Issue

User-Agent is a part of the HTTP request header, which contains identification information such as the operating system and version used by the user when accessing, and the type and version of the browser. You can restrict the user source of accessing business resources and enhance the security of acceleration by configuring User-Agent whitelist and blacklist rules.

For example: the www.example.com domain under the example.com site is maliciously crawled by Google spiders, causing a sudden increase in domain bandwidth and seriously affecting the bill. Analysis shows that the User-Agent of the spider requests contains `spider`. We can configure the following UA rules.
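To predict which requests the rules in sections 2 to 4 will answer with 403 before enabling them, the three example rules can be modelled locally. This is an added example, not EdgeOne's configuration or matching logic: combining the three rules on one domain, the evaluation order, matching the Referer on scheme and host, and the case-insensitive User-Agent substring match are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed rule set mirroring the page's examples for www.example.com.
REFERER_ALLOW = {"https://www.example.com"}
IP_FIRST = ipaddress.ip_address("1.1.2.1")
IP_LAST = ipaddress.ip_address("1.1.2.254")
UA_DENY = ("spider",)


def range_as_cidrs(first=IP_FIRST, last=IP_LAST):
    """Express the inclusive range as CIDR blocks; it is not 1.1.2.0/24."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def evaluate(headers, client_ip):
    """Return (status, rule). Assumed order: IP, then Referer, then User-Agent."""
    h = {k.lower(): v for k, v in headers.items()}
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4 or not (IP_FIRST <= ip <= IP_LAST):
        return 403, "ip"
    # Compare the parsed scheme and host, so an empty Referer or a longer
    # host name that merely starts with the allowed one does not match.
    ref = urlsplit(h.get("referer", ""))
    if f"{ref.scheme}://{ref.netloc}" not in REFERER_ALLOW:
        return 403, "referer"
    ua = h.get("user-agent", "").lower()
    if any(word in ua for word in UA_DENY):
        return 403, "user-agent"
    return 200, "allowed"


# Constructed sample requests: (headers, client IP).
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
GOOD_REF = "https://www.example.com/gallery.html"
SAMPLES = [
    ({"Referer": GOOD_REF, "User-Agent": BROWSER}, "1.1.2.10"),
    ({"User-Agent": BROWSER}, "1.1.2.10"),
    ({"Referer": "https://www.example.com.other.test/", "User-Agent": BROWSER}, "1.1.2.10"),
    ({"Referer": GOOD_REF, "User-Agent": BROWSER}, "1.1.2.255"),
    ({"Referer": GOOD_REF, "User-Agent": "ExampleSpider/1.0"}, "1.1.2.10"),
]

if __name__ == "__main__":
    print(len(range_as_cidrs()), "CIDR blocks:", range_as_cidrs())
    for headers, ip in SAMPLES:
        print(ip, headers.get("Referer", "-"), "->", evaluate(headers, ip))
```

The range 1.1.2.1~1.1.2.254 excludes .0 and .255, so entering it as 1.1.2.0/24 would admit two extra addresses, and legitimate clients that send no Referer (direct navigation, some privacy settings) are denied by the allowlist as configured.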

5. Origin Server Responds with 403

The origin server responds with a 403 to EdgeOne, and EdgeOne then returns the 403 response to the client. Generally speaking, the Server header in a Tencent Cloud EdgeOne response carries the NWS mark. If the Server header of the 403 response is not NWS, check the origin server configuration.

5.1 Self-owned Origin Server

You can bind the Host to the origin server and test access directly to see whether the origin server returns a 403. If it does, you need to solve the 403 problem on the origin server first. Also note that an incorrect back-to-source Host configuration in EdgeOne may cause a 403 error. The difference between the origin server and the back-to-source Host is that the origin server setting determines the specific IP address requested when returning to the source, while the back-to-source Host determines the specific site that the back-to-source request accesses on that IP address.

5.2 The Origin Server is Tencent Cloud COS

If the access permission of the source bucket is private and the authorization service is not enabled, the back-to-source request to COS fails COS authentication, which results in a 403 error.


You can enable the authorization service when accessing EdgeOne. For example:

Access 403 before enabling:

After enabling:

Conclusion

A 403 error can be frustrating, but understanding its causes and knowing how to troubleshoot it can help you resolve the issue quickly. By checking file permissions, reviewing the .htaccess file, and ensuring proper authentication, you can often fix the problem on your own. If all else fails, your hosting provider can offer additional support to get your site back up and running.

We have listed some common causes of 403 errors encountered when accessing EdgeOne, and we hope this is of some help to you. If you are interested in trying it out, feel free to Contact Us to learn more about Tencent EdgeOne and its features. You can also Click Here to get started for free and experience its benefits firsthand.