Intermittent, rare 403 errors from Cloudflare

Hi folks, a user of my website, shmax.com, reports intermittent 403 errors. I’ve read the official Cloudflare tips for addressing 403 issues, but the material seems to be geared towards general configuration or browser issues, but in my case the issue only happens very rarely (once every 3-4 days).

I asked the user to see if he could capture the headers in Chrome developer tools, and he submitted this:

Response Headers

alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 7ae8506e6d707fdc-IAD
content-encoding: br
content-type: text/html
date: Mon, 27 Mar 2023 14:27:27 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=CwXvttP4zZw%2F8uAqWdi%2FaU42dzQ9sHZD1uENUhY9KJcDBmPPU4UoSBoLWhMRRCzXWtD6aiRSTjzVk%2B0lI%2Fc0HBbPEfJQ2V5bszzAriQ4VGXZ8R%2BwhKSbCZsgsQS0f506"}],"group":"cf-nel","max_age":604800}
server: cloudflare

Request Headers
:authority: www.shmax.com
:method: GET
:path: /product_details/57851/blackout_color_mode_8pack
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
cookie: statistics-view1.101=brief; photos-view1.101=brief; collection-view1.101=details; wishlist-view1.101=brief; collection-sort1.101=13; 1_102_shmax\page\Products_review_submissions_v=details; 1_102_shmax\page\Products__v=details; collection-view1.102=details; statistics-view1.102=brief; 1_102_shmax\page\Parts__v=brief; 1_102_shmax\page\Products__numResults=60; 1_102_shmax\page\Products_empties_v=details; 1_102_shmax\page\Photos__v=brief; collection-sort1.102=13; 1_102_shmax\page\AskDatabase__v=brief; photos-view1.102=brief; 1_102_shmax\page\Photos__numResults=60; 1_102_shmax\page\Photos__sort=a%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A9%3A%22photoDate%22%3Bs%3A3%3A%22dir%22%3Bs%3A4%3A%22desc%22%3B%7D; 1_102_shmax\page\Products_review_submissions_sort=a%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A11%3A%22dateUpdated%22%3Bs%3A3%3A%22dir%22%3Bs%3A4%3A%22desc%22%3B%7D; 1_102_shmax\page\Parts_review_submissions_v=brief; 1_102_shmax\page\Collectors__v=brief; 1_102_shmax\page\Products_review_submissions_numResults=60; 1_102_shmax\page\Products__sort=a%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A7%3A%22toyline%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%22asc%22%3B%7D; PHPSESSID=u65jkk863gp2esgr41sve6kmfg; SMFCookie72=a%3A4%3A%7Bi%3A0%3Bs%3A3%3A%22117%22%3Bi%3A1%3Bs%3A128%3A%22a926baff6f81c26e35208c0b53e7730398403beba5f40d9e4094fe68defda2def38d5d49dcaf8caaa5635addd054dd08cbdcde78655e7b86f56f0b342bacabaf%22%3Bi%3A2%3Bi%3A1711327772%3Bi%3A3%3Bi%3A0%3B%7D
referer: https://www.shmax.com/products?q_filters_keywords=squeezelings
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

I found a post in these forums suggesting to look up the cf-ray key in the Security logs, but mine are empty.

Where should I try next? Thank you.

I didn’t receive any errors when I visited the page. Also, sending the headers or the 403 error code will not help much in this case, if this really is Cloudflare’s thing.

You need your visitor to get this cf-ray and send it to you. Please note that the logs vanish after 24 hours on most plans. So you need to get the cf-ray and check it on the same day.

Also, if you can ask your user to take a screenshot of the error page, that would be very useful. What error page is he receiving? A 1X error, for example.

Hi, thanks for replying.

Yes, it was in the response I already posted above. Here it is:
7ae8506e6d707fdc-IAD

This happened this morning (at 7:28am PDT), and there is nothing in the Security logs from the last 24 hours.

There is nothing useful on the page he is viewing, because it’s a 403 error and as such there is no content to view.

I mean. He should see something like this:

Or another page with an error.

Try without the -IAD

7ae8506e6d707fdc

It worked just fine for me. With my ray ID.

Well, I didn’t notice I could filter on Ray ID, which is interesting, but since I have no events whatsoever there is nothing to filter:

I see. Then please, ask your user to replicate the error, send the ray id and then check it on your dashboard again.

But that’s where we’re at, already. He replicated the error, sent the information, and there’s nothing in the Security events log at all. Is it possible to trigger a 403 for some other reason than security reasons? What other logs are there to look at?

Can you please send a screenshot of your WAF tab? Please, do not crop anything, except the IPs.

Sure. Not too much to see:

Thank you! Well, there is nothing to see… As there is not much information or logs to debug the issue, I can’t help you.

Hope that someone like @cloonan can help you.

Cheers.


Cloudflare does not generate a 403 error, it’s something on your origin or between your origin and visitors to your site. Did you follow the 403 #CommunityTip QuickFix ideas?

I am also unable to replicate the error, can you replicate the error @shmax? Are the visitors reporting the error all from the same country (quickfix idea 3)? The next time you get a report, ask the visitor to try a different browser (quickfix idea 2). And, can you share a screenshot (#6)?

And, I’d also check the quickfix ideas for 526 error to make sure the origin certificate is ok with your Full security setting. Does the value of your CNAME record called shmax.com load properly for you?

Well, that doesn’t seem to agree with the material you linked to, which says:
“With the exception of requests that violate WAF rules or subdomains that are not covered by a certificate”, meaning it DOES generate 403 in some cases.

We also see “server: Cloudflare” in the response body I originally posted.

Finally, I have inspected the AWS logs in detail each time I receive a 403 report, and there is nothing there, which seems to be a pretty strong clue that the request is never getting as far as my server.

It sure seems to be happening at the Cloudflare level.

I read over the community tips, and again, all that material seems to be solving config or general browser issues, but none of those seem to apply to my case, where the problem is only rare and intermittent (meaning, everything works just fine 99% of the time, so there’s no reason to expect that changing browsers or fiddling with DNS settings is likely to change anything).

But I am interested in the “black & white” vs “Cloudflare branding” distinction, so I’ll ask the user to do his best to secure a screenshot of the displayed content as well as the header information the next time it happens.

Thanks much!

The plain black & white page is from the origin

Where cf serves the 403, you will see a cf branded page


Getting a screen shot from an affected visitor will help. Having them immediately try from a different browser/clearing cache, et al will also help diagnose.


Just received another report, this time with a screenshot of the content alongside the header info:

General
Request URL: https://www.shmax.com/product_details/29280/optimus_prime_peekabot_rollin_rig
Request Method: GET
Status Code: 403
Remote Address: 104.21.93.188:443
Referrer Policy: strict-origin-when-cross-origin

Response Headers
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 7af2d6afae4c8000-IAD
content-encoding: br
content-type: text/html
date: Tue, 28 Mar 2023 21:06:44 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=txvOeiJzxLmHIREmcWTsJBH3Z9213GzyVnXOr19uLBVN98%2B5x4WQcw09vRXfY%2FZtzcVrqp9wLCEmicNcfdf92qBAJoLJxU5iiOiq7HSvf68pivdyuZP50adUuPnGgow%2F"}],"group":"cf-nel","max_age":604800}
server: cloudflare

Request Headers
:authority: www.shmax.com
:method: GET
:path: /product_details/29280/optimus_prime_peekabot_rollin_rig
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
cookie: statistics-view1.101=brief; photos-view1.101=brief; collection-view1.101=details; wishlist-view1.101=brief; collection-sort1.101=13; 1_102_shmax\page\Products_review_submissions_v=details; 1_102_shmax\page\Products__v=details; collection-view1.102=details; statistics-view1.102=brief; 1_102_shmax\page\Parts__v=brief; 1_102_shmax\page\Products__numResults=60; 1_102_shmax\page\Photos__v=brief; collection-sort1.102=13; 1_102_shmax\page\AskDatabase__v=brief; photos-view1.102=brief; 1_102_shmax\page\Photos__numResults=60; 1_102_shmax\page\Photos__sort=a%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A9%3A%22photoDate%22%3Bs%3A3%3A%22dir%22%3Bs%3A4%3A%22desc%22%3B%7D; 1_102_shmax\page\Products_review_submissions_sort=a%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A11%3A%22dateUpdated%22%3Bs%3A3%3A%22dir%22%3Bs%3A4%3A%22desc%22%3B%7D; 1_102_shmax\page\Parts_review_submissions_v=brief; 1_102_shmax\page\Collectors__v=brief; 1_102_shmax\page\Products_review_submissions_numResults=60; 1_102_shmax\page\Products__sort=a%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A7%3A%22toyline%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%22asc%22%3B%7D; PHPSESSID=no8g11qtaissn5qqrpccn2pp57; SMFCookie72=a%3A4%3A%7Bi%3A0%3Bs%3A3%3A%22117%22%3Bi%3A1%3Bs%3A128%3A%22a926baff6f81c26e35208c0b53e7730398403beba5f40d9e4094fe68defda2def38d5d49dcaf8caaa5635addd054dd08cbdcde78655e7b86f56f0b342bacabaf%22%3Bi%3A2%3Bi%3A1711546688%3Bi%3A3%3Bi%3A0%3B%7D
referer: https://www.shmax.com/engledogg/collection/?c_filters_toyline=1&c_filters_tags=Goodwill
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

This was in Chrome. He then tried in Edge and didn’t have any issues, but I’m not sure if that really proves anything, as we’ve seen in the past that 403 problems tend to disappear on their own on subsequent refreshes.

That means that your origin is serving the 403 Error, not Cloudflare. Please, check your website logs.

I never get an error when I visit the page. Please, ask your client to access your website through another browser, without any extensions, etc. And ask him if the problem persists. If yes, then you must check your logs again and/or ask for help from your host provider to see if they can assist you.

Cheers!
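
Added example, not part of the thread: one way to settle the "Cloudflare or origin?" question discussed above is to take the cf-ray from a captured 403, strip the data-centre suffix (the "-IAD" part) and look for that Ray ID in the origin's own access log. It assumes the origin log format has been extended to record the CF-Ray request header that Cloudflare adds to proxied requests; the log lines, client IP and function names are constructed for illustration.

```python
import re
from email.utils import parsedate_to_datetime

# Response headers as pasted from DevTools (values taken from the thread).
CAPTURED = """\
cf-cache-status: DYNAMIC
cf-ray: 7af2d6afae4c8000-IAD
date: Tue, 28 Mar 2023 21:06:44 GMT
server: cloudflare
"""
# Constructed origin access-log lines; assumption: the log format records the
# CF-Ray request header as the final quoted field.
ORIGIN_LOG = [
    '203.0.113.7 [28/Mar/2023:21:06:41 +0000] "GET /products HTTP/1.1" 200 "7af2d6a1be118000-IAD"',
    '203.0.113.7 [28/Mar/2023:21:06:44 +0000] "GET /product_details/29280/optimus_prime_peekabot_rollin_rig HTTP/1.1" 403 "7af2d6afae4c8000-IAD"',
]
LOG_RE = re.compile(r'" (?P<status>\d{3}) "(?P<ray>[0-9a-f]+)(?:-[A-Z]+)?"$')

def parse_headers(text):
    """Turn 'name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and not name.startswith(":"):  # skip HTTP/2 pseudo-headers
            headers[name.strip().lower()] = value.strip()
    return headers

def split_ray(value):
    """'7af2d6afae4c8000-IAD' -> ('7af2d6afae4c8000', 'IAD'); suffix may be absent."""
    ray, _, colo = value.strip().partition("-")
    if not re.fullmatch(r"[0-9a-f]+", ray):
        raise ValueError(f"not a Ray ID: {value!r}")
    return ray, colo or None

def triage(captured, origin_lines):
    """Report whether the request behind a captured response reached the origin."""
    h = parse_headers(captured)
    ray, colo = split_ray(h["cf-ray"])
    result = {"ray_id": ray, "colo": colo, "origin_status": None,
              "seen_utc": parsedate_to_datetime(h["date"]).isoformat()}
    for line in origin_lines:
        m = LOG_RE.search(line)
        if m and m["ray"] == ray:  # same request, as logged by the origin
            result["origin_status"] = int(m["status"])
    result["verdict"] = ("origin answered this ray" if result["origin_status"] is not None
                         else "no origin log entry for this ray")
    return result

if __name__ == "__main__":
    print(triage(CAPTURED, ORIGIN_LOG))
```

A matching log entry shows what status the origin itself returned for that request; no entry within the log's retention window means the origin never recorded it, which is the situation described earlier in the thread.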