Getting a 403 error? Six causes to help you pinpoint it

2020-12-07 19:20:20 Alivewei

Summary: When a 403 error appears after a site is accelerated with Tencent Cloud CDN, it is usually caused by the domain configuration, a CDN security policy, or a 403 response from the origin. This article describes in detail the common scenarios in which the CDN returns a 403.

1.1 CDN Authentication

CDN authentication problems usually show up as missing authentication parameters, expired authentication, or an incorrectly calculated signature. You need to understand how URL authentication works before investigating and fixing them. The Tencent Cloud console currently provides 4 authentication methods; for details, see the documentation: https://cloud.tencent.com/document/product/228/41622

1.1.1 CDN authentication is enabled, but the requested URL carries no authentication parameters, so the request fails with 403

For example, using TypeD authentication:

As you can see, a request without authentication parameters is rejected with 403 directly.

1.1.2 The authentication parameters have expired

CDN authentication is enabled and the URL carries authentication parameters, but the parameters have expired. In that case the response carries an error code whose error value is 1.

This means that the authentication parameters have expired and the timestamp needs to be recalculated.

1.1.3 The MD5 in the authentication parameters is calculated incorrectly

If the URL carries authentication parameters but the MD5 check fails, the CDN also returns 403, together with an error code whose error value is -5.

The returned error code lets you quickly determine which problem caused the 403.

Note: setting the authentication validity period

When it is set to 0, the parameters expire at the time given by the timestamp itself.

For example, if the timestamp in the authentication parameters is 1605247592, which represents 2020/11/13 14:06:32, the parameters are expired once local time reaches that moment.

Conversely, if it is set to 2200, authentication stays valid for 2200 seconds after 1605247592 and expires once those 2200 seconds have passed.

The CDN console provides an authentication calculator, which makes it easy to calculate the values and verify whether the authentication is wrong. It is a very useful feature.

Solutions for 403 errors caused by authentication

1. If you do not need the CDN authentication function, you can turn authentication off in the CDN console.

2. If the authentication has expired, regenerate the authenticated URL.

3. If the authentication MD5 is calculated incorrectly, compare the URL generated by the authentication calculator with your own authentication code to find the calculation error.
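A local check for the three authentication failures described in 1.1.1 to 1.1.3, as an added example that is not part of the original article or Tencent Cloud's code. It assumes the TypeD layout `?sign=<md5>&t=<timestamp>` with the signature computed as MD5(key + path + timestamp); the parameter names, key, host and path are constructed assumptions, so use the values configured in your own console.

```python
import hashlib
from urllib.parse import urlsplit, parse_qs

def sign_type_d(key, path, ts_text):
    # Assumed TypeD formula: MD5(key + request path + timestamp string).
    return hashlib.md5(f"{key}{path}{ts_text}".encode()).hexdigest()

def build_url(origin, path, key, ts, sign_param="sign", time_param="t"):
    # Produce a signed URL with a decimal timestamp.
    sig = sign_type_d(key, path, str(ts))
    return f"{origin}{path}?{sign_param}={sig}&{time_param}={ts}"

def diagnose(url, key, valid_seconds, now,
             sign_param="sign", time_param="t", base=10):
    """Return the authentication problems found in url (empty list = none)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if sign_param not in query or time_param not in query:
        return ["missing-parameters"]          # case 1.1.1
    ts_text = query[time_param][0]
    try:
        ts = int(ts_text, base)                # base=16 for hexadecimal timestamps
    except ValueError:
        return ["unparseable-timestamp"]
    problems = []
    # Recompute the signature over the path exactly as it appears in the URL.
    if sign_type_d(key, parts.path, ts_text) != query[sign_param][0].lower():
        problems.append("md5-mismatch")        # case 1.1.3
    # Validity period 0 means the URL expires at the timestamp itself.
    if now >= ts + valid_seconds:
        problems.append("expired")             # case 1.1.2
    return problems

if __name__ == "__main__":
    import time
    KEY = "constructed-demo-key"               # constructed value, not a real key
    TS = 1605247592                            # timestamp used in the article
    url = build_url("https://cdn.example.com", "/img/a.png", KEY, TS)
    print(url)
    print("inside window:", diagnose(url, KEY, 2200, now=TS + 100))
    print("checked today:", diagnose(url, KEY, 2200, now=int(time.time())))
```

Running the same URL through this check and through the console's authentication calculator shows whether the mismatch lies in the key, the path, or the timestamp.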

1.2 Hotlink protection (Referer) problems

Hotlink protection is enabled, but the Referer header in the actual request does not satisfy the hotlink protection rules, so the request is rejected with 403.

Referer hotlink protection has the following types:

Blacklist: domains on the blacklist cannot access the current resource.

Whitelist: only domains on the whitelist can access the current resource.

The blacklist and whitelist are mutually exclusive; only one of them can be active at a time.

For example: set a whitelist and check a blank Referer

A request with an empty Referer returns 403.

A request whose Referer is not on the whitelist gets 403.

Only a request whose Referer is on the whitelist is allowed.

If the URL needs to be directly accessible in a browser, you need to check the option that allows a blank Referer.

1.3 IP blacklist/whitelist problems

An IP blacklist/whitelist is configured in the CDN console, and the IP actually making the request does not satisfy the configured rules, which results in a 403.

Common questions:

Q: Why can a client still access normally and get 200 instead of 403 after an IP blacklist has been configured?

A: This usually happens because the client's real egress IP is not the same as the IP configured in the blacklist. It is recommended to obtain the client's real egress IP, which you can look up with an IP tool. You can also download the CDN logs and find the request there; the CDN log records the client IP.

Q: After discovering malicious requests and adding the malicious client's IP to the blacklist, why do requests still reach the CDN?

A: As a server, the CDN cannot stop a client from sending requests to it. What the CDN can do, when malicious requests arrive, is reject the illegal requests according to the configured security rules and deny access with a 403.

1.4 UA blacklist/whitelist problems

A UA blacklist/whitelist is configured. The User-Agent list types are as follows:

Blacklist: requests whose User-Agent field is on the blacklist cannot access the current resource.

Whitelist: only requests whose User-Agent field is on the whitelist can access the current resource; any User-Agent outside the whitelist cannot.

The blacklist and whitelist are mutually exclusive; only one of them can be active at a time.

For example, with a UA blacklist configured:

A UA that is not on the blacklist is served normally.

A blacklisted UA gets 403.

1.5 The URL is banned for a violation

The URL returning 403 involves illegal or harmful information and violates the relevant service agreement and the provisions of 《Internet Information Services》. In this case the offending URL is blocked by the CDN. You will usually receive an in-site message or an SMS notification when this happens. Make sure that the content accelerated by the CDN is legal.

1.6 The origin responds with 403

The origin returns 403 to the CDN, and the CDN then passes the 403 on to the client.

Generally, the Server header in a Tencent Cloud CDN response carries the NWS mark. If the Server header of the 403 response is not NWS, check the origin configuration.

1.6.1 The origin is a self-owned origin

You can bind the Host and access the origin directly to test whether the same 403 occurs there. If the origin returns 403, the 403 problem has to be solved at the origin. One more point to note: a misconfigured CDN origin-pull Host can also cause 403 errors. The difference between the origin-pull Host and the origin is that the origin determines which IP address the origin-pull request is sent to, while the origin-pull Host determines which specific site at that IP address the origin-pull request accesses.

1.6.2 The origin is Tencent Cloud COS

If the origin bucket's access permission is private but origin-pull authentication is not enabled, the CDN's origin-pull requests to COS cannot pass COS authentication, which results in 403.

You can turn on the authorization service on the CDN side.

You can also enable the corresponding option in the object storage console.

For example:

Before it is enabled, access returns 403.

After it is enabled:

Finally

The above covers some of the common causes of 403 errors when accessing through the CDN. I hope it helps readers. If anything is wrong, please point it out.
