For the last 24 hours we’ve been getting intermittent 403 errors, but since they are intermittent (and I’m just a PHP dev), it’s very hard to diagnose, so I need all the help I can get.
I’ll try to explain the situation…
We have a single web server (cssigniter.com). DNS, WAF, etc. are on Cloudflare, and we use a 3rd-party CDN, KeyCDN. While this happens with all CDN zones, I’ll focus on one.
KeyCDN provides a URL for the zone (previewcdn-2246.kxcdn.com), which in order to use with SSL needs to have a CNAME record in Cloudflare (preview.cssigniter.com).
We use this zone to serve static files, and all has been going well for the past 6 months until yesterday.
Assets would suddenly fail to load with a 403, and visiting an asset’s URL directly (while the problem “is active”) would result in a Cloudflare challenge page. It doesn’t matter if I completed the challenge successfully. I’d still get the same challenge page and never see the resource. A few minutes later, if I simply refresh the browser window, the resource appears. This whole thing repeats at (seemingly) random intervals.
I have already contacted KeyCDN support and they say their edge servers receive 403, and our host checked the LiteSpeed access logs and says there aren’t any related 403 records.
As a whole example, on this URL: https://www.cssigniter.com/preview/resto/the-restaurant-gallery/
Visiting the URL of a single asset, e.g. https://preview.cssigniter.com/preview/resto/files/2014/10/Fotolia_43979273_Subscription_XXL-260x165.jpg, presented a challenge page.
KeyCDN’s Speed test which shows requests and screenshot for the specific asset: https://tools.keycdn.com/speed?h=5cada9c20a23471fb8319782
Ray ID (not sure what this is): 4c535c8c1f3d9d5c
I tried searching for this Ray ID in the CF firewall event log, no results.
I can’t whitelist KeyCDN’s servers as they don’t disclose any IPs.
I’m really lost!