5 Common Causes of 40x Errors for CDN Users
August 14, 2015 | Jovan Katic
At MaxCDN we offer a complimentary 1-on-1 integration call to all new customers. This service, provided by me and my fellow support engineers on our Speed Team, ensures MaxCDN fits seamlessly into your existing system. After this call, you and your users are left with an error-free CDN experience … until something changes.
Whether you’re changing CDN settings to accommodate new features or a completely new content delivery strategy, CDN-related errors can and do happen.
In this post we’ll identify the most common causes of 403 and 404 errors for CDN users and walk you through the troubleshooting process. While some points overlap with those covered in our post 5 Reasons for CDN Slowdown, this post strictly focuses on solving and preventing errors rather than poor CDN performance.
Error #1: Wrong Origin Server URL
One of the most common causes of content delivery problems is having the wrong origin server URL on your pull zone. With an incorrect origin server URL (the location from which CDN edge servers pull static assets), 404 errors occur. This means files can’t be found on the specified path or domain.
Image: Zone configuration box in MaxCDN Control Panel (Zones -> Pull Zones -> Manage Settings -> Summary)
Incorrect origin server URLs are often caused by an excess subfolder in the origin URL. This unwanted subfolder may be inserted by CMS platforms that use extensions to rewrite the domain. Below you can see how the rewrite process works with common CDN rewrite extensions, assuming your website resides at http://domain.com/subfolder:
- Original URL for any file: http://domain.com/subfolder/path-to/file.ext
- URL after rewrite process: http://cdn-domain.com/subfolder/path-to/file.ext
If the origin URL has /subfolder/ as well, the request that CDN edge servers send will look like this: http://domain.com/subfolder/subfolder/path-to/file.ext. This results in a 404 Not Found error as the actual file doesn’t exist at the given location.
Best practice is to first implement the CDN with only the domain entered in the origin URL. If that returns a 404 for all files, try adding the subfolder.
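The doubled-subfolder case above, worked through as an added example (not MaxCDN code). It assumes the edge server appends the requested path to the origin URL's path, as described above; the function names are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def edge_fetch_url(origin_url: str, cdn_url: str) -> str:
    """URL an edge server would request from the origin for a given CDN URL."""
    origin = urlsplit(origin_url)
    request = urlsplit(cdn_url)
    # Assumption: the requested path is appended to the origin URL's own path.
    path = origin.path.rstrip("/") + "/" + request.path.lstrip("/")
    return urlunsplit((origin.scheme, origin.netloc, path, request.query, ""))


def duplicated_subfolder(origin_url: str, cdn_url: str) -> Optional[str]:
    """Return the subfolder present in both the origin URL and the rewritten
    CDN path (the cause of the 404), or None if there is no overlap."""
    prefix = urlsplit(origin_url).path.strip("/")
    if not prefix:
        return None  # origin URL is domain-only, nothing to duplicate
    request_path = urlsplit(cdn_url).path.lstrip("/")
    # Compare on a path-segment boundary so /sub does not match /subfolder.
    if request_path == prefix or request_path.startswith(prefix + "/"):
        return "/" + prefix + "/"
    return None


if __name__ == "__main__":
    cdn = "http://cdn-domain.com/subfolder/path-to/file.ext"
    for origin in ("http://domain.com/subfolder", "http://domain.com"):
        print(origin, "->", edge_fetch_url(origin, cdn),
              "| duplicated:", duplicated_subfolder(origin, cdn))
```
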
Error #2: Wrong Origin IP Resolution
When a CDN is used as a reverse proxy solution (pull zone), the assets are replicated from the specified domain (origin server URL). By default, each CDN edge server looks up the origin domain and fetches the requested file from the IP address to which the origin URL resolves.
The MaxCDN Control Panel allows you to bypass the DNS lookup process by entering the origin IP address in your zone settings. Before enabling the origin IP resolution feature, you should confirm that files are available on the IP address you are saving in your control panel.
Image: Origin Information box in MaxCDN Control Panel (Zones -> Pull Zones -> Manage Settings)
Your server’s IP address can be found in your hosting panel and, in most cases, the activation email that hosting companies send you upon account creation.
If you’ve migrated your website to a different host, you should update your origin IP information in your control panel to your new server IP. This way the CDN can fetch the files from the proper location. Otherwise a 404 Not Found or a 502 Bad Gateway error will be returned from the old server which is no longer configured to serve requests for your domain.
Error #3: Custom Domain (CNAME) Misconfiguration
Custom domains allow you to mask the CDN domain (zone.company.netdna-cdn.com) with a domain such as cdn.domain.com, static.domain.com, images.domain.com or anything.domain.com.
Before HTTP/2, one of the advantages of having custom domains, other than the ability to use a desired name over a generated one, was having the ability to parallelize downloads across hostnames. When attempting to do this or change the domain for another reason, mistakes are often made.
The DNS records for custom domains are made on your control panel (cPanel or similar DNS Manager) where your actual domain is managed. To avoid 404 errors, the domain record should be CNAME type and point to your zone’s CDN domain.
Once the DNS record for your new custom domain is created, it can take up to 48 hours before the domain is usable (usually it’s only 1-4 hours). It’s important to note that the time it takes to propagate a newly created DNS record is not related to the record’s TTL value, but rather to the settings of the DNS provider.
To learn how to properly configure your CNAME, view this tutorial. Here we show you how to do it step by step with the most popular domain and DNS providers.
Error #4: Wrong HTTP Referer
Hotlinking protection, also known as the HTTP referer feature, allows you to whitelist domains that can access (refer to) your files. If a visitor comes from a non-whitelisted domain, edge servers will return a 403 Forbidden error for each request.
Say you have content on your website that others might want to share on their websites. This usually happens with viral images, however it’s not exclusive to them as practically all static content can be hotlinked and shared across various domains.
If you were to have a viral image on your website being served with a CDN, others might want to share it in hopes of boosting the virality of their own website. In turn, they and their visitors would “leech” your bandwidth as the image would be accessed through your CDN URL or CNAME.
To prevent bandwidth leeching and unauthorized sharing, your best bet is to set up an HTTP referer and whitelist only the domains through which the viral image (or other content) can be displayed. Non-whitelisted domains will return a 403 Forbidden message and 0 bandwidth will be spent.
Image: HTTP Referer Whitelist box in MaxCDN Control Panel (Zones -> Pull Zones -> Manage Settings -> Security)
When considering which domains should be whitelisted, it’s important to review if the desired domains use a subdomain of any type. For example, if your domain has a www subdomain as well, you should whitelist it as users accessing your website through that subdomain would otherwise get a 403 error.
Note: MaxCDN’s HTTP Referer allows you to use wildcards in case you want to whitelist domain.com, www.domain.com, and all of its subdomains. To do this, the following entry should be used:
The given entries cover domain.com and any subdomains (including www) so that any visitors referred to CDN assets from them will have clear access.
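A model of the whitelist check described in this section, added here as an example and not MaxCDN's implementation. The `*.domain.com` pattern form, the function names, and the handling of requests without a Referer header are assumptions for illustration; check your zone's documentation for the real entry syntax.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def host_allowed(host: str, patterns: List[str]) -> bool:
    """True if host matches an exact entry or a '*.'-prefixed wildcard entry."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".domain.com"
            # Match on a label boundary: "evildomain.com" must not pass.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def edge_status(referer: Optional[str], patterns: List[str],
                allow_empty: bool = False) -> int:
    """HTTP status the modelled edge returns for a request with this Referer."""
    if not referer:
        # Assumption: requests without a Referer are refused unless allowed.
        return 200 if allow_empty else 403
    host = urlsplit(referer).hostname
    if host is None:
        return 403  # unparseable Referer value
    return 200 if host_allowed(host, patterns) else 403


if __name__ == "__main__":
    whitelist = ["domain.com", "*.domain.com"]  # constructed sample entries
    for ref in ("https://www.domain.com/gallery", "https://domain.com/",
                "http://evildomain.com/", "http://domain.com.other.net/", None):
        print(ref, "->", edge_status(ref, whitelist))
```
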
Error #5: Non-SSL Links on an SSL Page
The HTTPS protocol allows encrypted communication between the client and server which prevents connections from being intercepted by attackers.
When a browser establishes a connection via HTTPS, it expects that all assets being fetched are sent through SSL. So when there’s an asset called through HTTP on an HTTPS page, it’s dropped by the browser and 404 errors occur. This is how you know you have mixed content problems.
Related Tutorial: How to Solve Mixed Content Problems
If you’ve secured your website with SSL on your origin, MaxCDN can be configured to serve static content over SSL using either Shared SSL, SNI, or Dedicated SSL. Using one of these ensures all cached assets are sent securely and that your page loads as intended. Below I’ll go over each of the three SSL options to help you better understand which one is right for you.
Image: SSL Settings box in MaxCDN Control Panel (Zones -> Pull Zones -> Manage Settings -> EdgeSSL)
- Shared SSL is a free feature and probably the easiest to use. All you have to do is enable it and use the newly created shared URL that looks like this – zone-company.netdna-ssl.com. This feature allows you to use your zone in HTTPS mode without having to purchase your own SSL certificate. Instead, you use our certificate on our server netdna-ssl.com. Just note that using Shared SSL does not let you use CNAMEs. [View Tutorial]
- SNI is another free SSL feature that stands for Server Name Indication, but unlike Shared SSL, it allows you to upload a certificate in order to secure a CNAME that you can point to your zone. If you choose to use SNI, make sure your SSL certificate covers the custom domain that you have created on your pull zone (i.e. cdn.domain.com). The only downside of SNI is that it’s incompatible with some older web browsers and operating systems. [View Tutorial]
- Dedicated SSL is a premium feature that allows you to purchase an SSL certificate for a custom domain on your zone through our dashboard. You also have the option of uploading your own certificate for the custom domain(s) like you do with SNI. Unlike SNI, however, Dedicated SSL is compatible with all web browser and OS versions. [View Tutorial]
Troubleshooting: Gratifying and Easy
At MaxCDN we like to give you the resources you need to solve problems on your own. As problem solvers ourselves, we recognize how gratifying it is when you “lone wolf” it and complete the mission.
But we never leave you stranded.
Whether you’re troubleshooting using blog posts like this, tutorials on MaxCDN One, or PDFs like The CDN Troubleshooting Guide, members of our Speed Team are here 24/7 to offer you assistance when you need it. Simply start a live chat or contact us in the manner you prefer and we’ll respond within two minutes. That’s our promise and we stick to it.
If you have any questions about solving the CDN-related errors mentioned in this piece, feel free to leave a comment below.