How do I troubleshoot Application Load Balancer HTTP 403 forbidden errors?
Last updated: 2022-04-27
My Application Load Balancer is returning HTTP 403 forbidden errors. How can I troubleshoot this?
Follow these troubleshooting steps for your scenario.
Important: Before you begin, make sure that you have access logging enabled for your Application Load Balancer. For instructions, see Enable access logging.
An AWS WAF web access control list (web ACL) is configured to monitor requests to your Application Load Balancer and it blocked a request.
The load balancer records the HTTP error in its access logs and increments the HTTPCode_ELB_4XX_Count metric. The access log entry is similar to the following:
elb_status_code = 403 target_status_code = - actions_executed = waf
This means that the load balancer forwarded the request to AWS WAF to determine whether the request should be forwarded to the target. Then, AWS WAF determined that the request should be rejected. To diagnose the rule configuration, review the AWS WAF logs. For more information, see Managing logging for a web ACL.
The Application Load Balancer might have a rule configured with a fixed-response action to provide an HTTP 403 response.
Check the access logs for a fixed-response action similar to the following:
elb_status_code = 403 target_status_code = - actions_executed = fixed-response
This log indicates that the rule configuration has a fixed-response action to provide an HTTP 403 error.
The target responded with an HTTP 403 error and the Application Load Balancer is forwarding this response to the client.
Check the access logs for 403 entries with values similar to the following:
elb_status_code = 403 target_status_code = 403
If the target_status_code and elb_status_code values match, then the target application sent the HTTP 403 response. To determine why the target application generated the HTTP 403 forbidden error, check with your application vendor. You can also use the X-Amzn-Trace-Id header to trace requests through the Application Load Balancer. For more information, see How do I trace an Application Load Balancer request using X-Amzn-Trace-Id?
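The three scenarios above can be told apart mechanically from the access log fields they cite. The following is an added example, not part of the original article: it assumes the standard space-delimited Application Load Balancer access log layout for the field positions, and the function names and sample entries are constructed for illustration.

```python
import csv

# Zero-based positions of the fields used here in an ALB access log entry
# (assumption: the standard space-delimited layout with double-quoted strings).
ELB_STATUS, TARGET_STATUS, REQUEST, TRACE_ID, ACTIONS = 8, 9, 12, 17, 22

def classify_403(line):
    """Return (cause, trace_id, request) for a 403 entry, or None otherwise."""
    fields = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(fields) <= ACTIONS or fields[ELB_STATUS] != "403":
        return None
    actions = fields[ACTIONS].split(",")
    if fields[TARGET_STATUS] == "403":
        cause = "target"          # the target application sent the 403
    elif "fixed-response" in actions:
        cause = "fixed-response"  # a listener rule returned the 403
    elif "waf" in actions:
        cause = "waf"             # the AWS WAF web ACL rejected the request
    else:
        cause = "unknown"         # none of the three scenarios on this page
    return cause, fields[TRACE_ID], fields[REQUEST]

def summarize(lines):
    """Count 403 entries per cause across an iterable of log lines."""
    counts = {}
    for line in lines:
        result = classify_403(line)
        if result:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts

def _sample(n, target, elb_status, target_status, actions):
    # Constructed entry for demonstration only; every value is made up.
    times = "-1 -1 -1" if target == "-" else "0.001 0.002 0.000"
    return (f'https 2022-04-27T10:00:0{n}.000000Z app/example-alb/0123456789abcdef '
            f'203.0.113.10:4000{n} {target} {times} {elb_status} {target_status} '
            f'250 180 "GET https://example.com:443/admin HTTP/1.1" "curl/7.79.1" '
            f'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - '
            f'"Root=1-00000000-00000000000000000000000{n}" "example.com" "-" 0 '
            f'2022-04-27T10:00:0{n}.000000Z "{actions}" "-" "-" "-" "-" "-" "-"')

SAMPLE_LOG = [
    _sample(1, "-", "403", "-", "waf"),
    _sample(2, "-", "403", "-", "fixed-response"),
    _sample(3, "10.0.1.5:80", "403", "403", "waf,forward"),
    _sample(4, "10.0.1.5:80", "200", "200", "forward"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The returned trace ID is the value to search for in the target's own logs when the cause is "target".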