Encountering a 403 error while browsing or managing a website can be both confusing and frustrating. This common HTTP status code indicates that access to the requested resource is forbidden. Understanding the underlying reasons and knowing how to address them can make resolving the issue much simpler. In this article, we will delve into what a 403 error is, explore its common causes, and provide a step-by-step guide on how to fix it in Tencent EdgeOne. This will ensure that you can restore access to your website or the specific resource in no time.
A 403 Error, also known as a 403 Forbidden Error, is an HTTP status code that indicates that the server understands the request but refuses to authorize it. This error typically occurs when the server's permissions settings do not allow the requested action to be performed. In simpler terms, the server is denying access to the resource you are trying to reach.
Typically, the causes of a 403 error may include the following:
Common ways to fix a 403 forbidden error include the following:
After using Tencent EdgeOne to accelerate site access, a 403 error may occur. This is usually caused by domain configuration, security policies, or the origin server responding with a 403. The following sections detail five common scenarios that trigger a 403 error. The first four mainly arise from features that prevent website resources from being scraped.
Token authentication is a simple and reliable access control strategy. By configuring authentication rules for URL access verification, it can effectively prevent site resources from being maliciously scraped. The use of this feature requires cooperation between the client and EdgeOne. After the client initiates an encrypted URL request, EdgeOne is responsible for verifying the legality of the URL according to pre-set rules.
Authentication issues that cause 403 errors usually show up as missing authentication parameters, expired authentication, or authentication calculation errors. To investigate and resolve them, first understand how the authentication works by reading the URL authentication document.
Some common causes are listed below:
The rule engine has added token authentication, but the actual accessed URL does not carry authentication parameters, and the access will report a 403 error.
For example:
The rule engine has added token authentication, and the URL carries authentication parameters, but if the authentication parameter has expired, an error code of 1 will be returned.
This indicates that the authentication parameter has expired and the timestamp needs to be recalculated.
If a URL with parameters is provided, but the MD5 check is incorrect, a 403 will also be returned, along with an error code of -5.
The returned error code lets you quickly determine what is causing the 403.
EdgeOne provides us with an Authentication Calculator feature, which makes it easy for us to calculate and verify whether the authentication calculation is incorrect.
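The three failure modes described above (no parameter, expired timestamp, wrong MD5) can be reproduced with a generic timestamp-plus-MD5 URL signer and verifier. This is an added example, not EdgeOne's code: the `sign=timestamp-rand-md5` layout, the key, the validity window and the function names are assumptions, and the real format is the one in the URL authentication document. Only the codes 1 and -5 come from this article.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit, parse_qs

SECRET = "constructed-demo-key"  # assumption: shared key configured in the rule
TTL = 1800                       # assumption: validity window in seconds

# 1 (expired) and -5 (MD5 mismatch) are the codes the article reports;
# "missing" is a label local to this example.
OK, MISSING, EXPIRED, BAD_MD5 = "ok", "missing", 1, -5

def digest(path, ts, rand):
    # MD5 over path, timestamp, random string and key (assumed layout).
    return hashlib.md5(f"{path}-{ts}-{rand}-{SECRET}".encode()).hexdigest()

def sign_url(url, now=None, rand="r4nd0m"):
    # Client side: append the sign parameter (URL is assumed to have no query).
    ts = int(time.time() if now is None else now)
    return f"{url}?sign={ts}-{rand}-{digest(urlsplit(url).path, ts, rand)}"

def check_url(url, now=None):
    # Edge side: classify the request the way the troubleshooting steps do.
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    fields = parse_qs(parts.query).get("sign", [""])[0].split("-")
    if len(fields) != 3 or not fields[0].isdigit():
        return MISSING            # no usable authentication parameter -> 403
    ts, rand, md5hex = int(fields[0]), fields[1], fields[2]
    expected = digest(parts.path, ts, rand)
    # Verify the MD5 before trusting the timestamp; constant-time compare.
    if not hmac.compare_digest(md5hex.encode(), expected.encode()):
        return BAD_MD5            # tampered path/timestamp or wrong key
    if now > ts + TTL:
        return EXPIRED            # valid signature, timestamp too old
    return OK

if __name__ == "__main__":
    signed = sign_url("https://www.example.com/video/a.mp4")
    print(signed, check_url(signed))
```
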
By setting access control rules based on the Referer field in the HTTP request header, the identity of visitors can be recognized and filtered to prevent website resources from being illegally used. By configuring a Referer whitelist and blacklist, EdgeOne will identify the request identity according to the list, and allow or deny access requests. If the request is allowed, EdgeOne will return a resource link; if the request is denied, EdgeOne will return a 403 response code.
The Referer anti-leeching setting is as follows: the domain www.example.com under the example.com site only allows access with a Referer of https://www.example.com, and all other requests are directly denied with a 403.
Empty referers will return a 403.
Referers not in the configuration will also return a 403.
Only referers in the configuration can access normally.
By configuring an IP whitelist and blacklist to filter user requests, you can intercept or allow access from specific IPs, effectively limiting access sources and solving problems such as malicious IP scraping and attacks. If the IP whitelist and blacklist are configured in the console, and the actual access IP does not comply with the configuration rules, a 403 will occur.
For example: the domain www.example.com under the example.com site only allows client IPs in the range of 1.1.2.1~1.1.2.254 (including 1.1.2.1 and 1.1.2.254) to access resources under this accelerated domain; all other requests are directly refused with a 403.
User-Agent is a part of the HTTP request header, which contains identification information such as the operating system and version used by the user when accessing, and the type and version of the browser. You can restrict the user source of accessing business resources and enhance the security of acceleration by configuring User-Agent whitelist and blacklist rules.
For example: the domain www.example.com under the example.com site is maliciously crawled by Google spiders, causing a sudden increase in domain bandwidth and seriously affecting the bill. Analysis shows that the User-Agent of the spider requests contains spider. We can configure the following UA rules.
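When a request gets a 403 and several of these access-control features are enabled, it helps to see which rule it fails. The following added example (not EdgeOne's implementation) evaluates the three example rules from this article together: the Referer allowlist, the 1.1.2.1~1.1.2.254 client range and the spider User-Agent keyword. The function names, the scheme-plus-hostname Referer comparison and the case-insensitive keyword match are assumptions.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

ALLOWED_REFERERS = {("https", "www.example.com")}   # from the Referer example
IP_FIRST, IP_LAST = ip_address("1.1.2.1"), ip_address("1.1.2.254")
BLOCKED_UA_KEYWORDS = ("spider",)                   # from the UA example

def referer_allowed(referer):
    # Empty Referer is denied, as in the article's example.
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    # Compare the parsed hostname, not a string prefix, so that
    # https://www.example.com.evil.test/ does not pass as www.example.com.
    return (parts.scheme.lower(), (parts.hostname or "").lower()) in ALLOWED_REFERERS

def ip_allowed(client_ip):
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False
    # The range is inclusive and is not a CIDR block, so compare the bounds.
    return addr.version == 4 and IP_FIRST <= addr <= IP_LAST

def ua_allowed(user_agent):
    ua = (user_agent or "").lower()
    return not any(keyword in ua for keyword in BLOCKED_UA_KEYWORDS)

def explain_403(referer, client_ip, user_agent):
    # Return the names of the rules this request would fail (empty = allowed).
    reasons = []
    if not referer_allowed(referer):
        reasons.append("referer")
    if not ip_allowed(client_ip):
        reasons.append("ip")
    if not ua_allowed(user_agent):
        reasons.append("ua")
    return reasons

if __name__ == "__main__":
    # Constructed sample request.
    print(explain_403("https://www.example.com/a.html", "1.1.2.10", "Mozilla/5.0"))
```
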
The origin server responds with a 403 to EdgeOne, and EdgeOne then gives a 403 response to the client. Generally speaking, the server header in the response header of Tencent Cloud EdgeOne will carry the NWS mark. If the server header of the 403 return is not NWS, you can check the origin server configuration.
You can bind the Host to the origin server for access testing to see whether the origin itself returns a 403. If it does, you need to solve the 403 problem on the origin server first. Another point to note is that an incorrect back-to-source Host configuration in EdgeOne may also cause a 403 error. The difference between the back-to-source Host and the origin server is that the origin server determines the specific IP address requested when returning to the source, while the back-to-source Host determines the specific site accessed by the back-to-source request on this IP address.
If the access permission of the source bucket is private and the authorization service is not enabled, it will cause the back-to-source request to COS to fail, and the COS authentication will cause a 403 error.
You can enable the authorization service when accessing EdgeOne. For example:
Access 403 before enabling:
After enabling:
A 403 error can be frustrating, but understanding its causes and knowing how to troubleshoot it can help you resolve the issue quickly. By checking file permissions, reviewing the .htaccess file, and ensuring proper authentication, you can often fix the problem on your own. If all else fails, your hosting provider can offer additional support to get your site back up and running.
We have listed some common causes of 403 errors encountered when accessing EdgeOne, and we hope this is of some help to you. If you are interested in trying it, feel free to Contact Us to learn more about Tencent EdgeOne and its features. You can also Click Here to get started free and experience its benefits firsthand.