403 Error: Forbidden on spotify.com and maybe google itself

I need help to troubleshoot the error:

403 Forbidden
Error: Forbidden

Your client does not have permission to get URL / from this server.

So far I get this error only with https://open.spotify.com/ I know it has something to do with my network because on the phone without WLAN it works. With WLAN it doesn’t. - I also think it has something to do with pfsense because I tried it on 3 different computers. One of them is a clean / fresh PopOS installation.

Second strange behavior happens on my NVIDIA Shield. I can access youtube and my mediaserver just fine. But when I try spotify or try to sign in to google I get the error “please connect your ethernet”

Which logs can I check on pfsense?

Ah yes, it worked before. I think I didn’t change anything. I also restarted pfsense and restarted the unbound service.

Thank you for your help.

Are you using a PFBlockerng?
What are you using for your access point?
Do you have any DNS blocking service running on your access point?

I have no PFBlockerng running on pfsense.

Access Point is a UAP-AC-Pro

But the three computers are all connected over Ethernet.

Modem (Bridge mode) → pfsense box → Netgear switch → devices (nvidia, win10 (x2) and popos)

Do you have your DHCP handing out DNS or do you have manual entries on the devices using WLAN?

LAN and WLAN devices get DHCP from pfsense. DNS Server is the pfsense itself. I have DNS Resolver running on pfsense.

I suspect the Access Point is misconfigured. Your pfsense (eg. 10.0.0.1) provides DNS so any pc like popOS should be able to access that spotify site. On popOS, type resolvectl to see the DNS used.

If the Access point has DHCP enabled, it will mess up things. The AP should have just LAN configured like 10.0.0.9 (assume 1-9 are static and DHCP offers 10-250)


The Access Point is not really involved because my Win10 and PopOS computers are connected with ethernet.

Result of resolvectl:
Current Scopes: DNS
Protocol: +DefaultRoute +LLMNR - mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.1.0.1
DNS Servers: 10.1.0.1
DNS Domain: locl.lan

On Windows 10:
IPv4 Address. . . . . . . . . . . : 10.1.0.30(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.0.1
DHCP Server . . . . . . . . . . . : 10.1.0.1
DNS Servers . . . . . . . . . . . : 10.1.0.1

What I don’t understand is that only https://open.spotify.com/ is not working. Because I am writing this post on the same computer where I get the forbidden error when I try to access the spotify link.

clear cookies and cache on the windows pc.

Did an ipconfig /flushdns. Also cleared cookies and site data in firefox. Didn’t help.

I manually switched the DNS server - ipconfig is now:
IPv4 Address. . . . . . . . . . . : 10.1.0.30(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.0.1
DHCP Server . . . . . . . . . . . : 10.1.0.1
DNS Servers . . . . . . . . . . . : 9.9.9.9
1.1.1.1

DNS Query is working fine:
nslookup spotify.com
Server: dns9.quad9.net
Address: 9.9.9.9

Non-authoritative answer:
Name: spotify.com
Addresses: 2600:1901:1:c36::
35.186.224.25

Error is still the same.

try curl -v https://open.spotify.com/ you should see the TLS chatter, maybe something is off.

I am able to access that link via FF and popOS.

Do you by chance have something special configured on your browser that might be causing the issue?

curl -v https://open.spotify.com/
*   Trying 35.186.224.25:443...
* Connected to open.spotify.com (35.186.224.25) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=SE; L=Stockholm; O=Spotify AB; CN=*.spotify.com
*  start date: Mar  7 00:00:00 2023 GMT
*  expire date: Mar  6 23:59:59 2024 GMT
*  subjectAltName: host "open.spotify.com" matched cert's "*.spotify.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x560b8df5fe90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: open.spotify.com
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 403 
< content-type: text/html; charset=UTF-8
< referrer-policy: no-referrer
< content-length: 295
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/</code> from this server.</h2>
<h2></h2>
</body></html>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Connection #0 to host open.spotify.com left intact

On my windows 10 computer it could be… there is a lot of stuff I tried over the years. Therefore I am testing it also on my PopOS computer. Here everything is out of the box, because I am just starting to learn this OS.

Could it be that for some reason my WAN IP is blocked by them?
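Added example (not code from the thread or from any of its participants): a small Python triage helper that reads a `curl -v` trace like the one quoted above and separates three different failure classes: no TCP connection (DNS, routing or firewall), a TLS failure (interception, clock, CA bundle), and a clean TLS handshake followed by a 403 from the origin, which is the case here and points at the server rejecting the client's source address rather than anything on the LAN. The sample trace is a constructed abbreviation of the one in the post.

```python
import re

# Constructed sample: an abbreviated copy of the curl -v trace quoted above,
# not a live capture. Only the lines the parser looks at are kept.
SAMPLE_TRACE = """\
* Connected to open.spotify.com (35.186.224.25) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=SE; L=Stockholm; O=Spotify AB; CN=*.spotify.com
*  SSL certificate verify ok.
> GET / HTTP/2
> Host: open.spotify.com
< HTTP/2 403 
< content-type: text/html; charset=UTF-8
"""

def parse_curl_trace(trace: str) -> dict:
    """Extract the facts that matter for triage from a `curl -v` trace."""
    facts = {"peer_ip": None, "tls": None, "cert_ok": False,
             "cert_subject": None, "status": None}
    for line in trace.splitlines():
        m = re.match(r"\* Connected to \S+ \(([\d.:a-fA-F]+)\) port (\d+)", line)
        if m:
            facts["peer_ip"] = m.group(1)          # TCP reached the server
        m = re.match(r"\* SSL connection using (TLSv[\d.]+) / (\S+)", line)
        if m:
            facts["tls"] = m.group(1)              # handshake completed
        if line.startswith("*  subject:"):
            facts["cert_subject"] = line.split(":", 1)[1].strip()
        if "SSL certificate verify ok" in line:
            facts["cert_ok"] = True                # cert chain validated
        m = re.match(r"< HTTP/(?:2|1\.[01]) (\d{3})", line)
        if m and facts["status"] is None:
            facts["status"] = int(m.group(1))      # first response status
    return facts

def classify(facts: dict) -> str:
    """Map the parsed facts onto the layer where the request failed."""
    if facts["peer_ip"] is None:
        return "no-connection"           # look at DNS, routing, firewall rules
    if facts["tls"] is None or not facts["cert_ok"]:
        return "tls-failure"             # look at interception, clock, CA bundle
    if facts["status"] == 403:
        return "origin-rejected-client"  # network path is fine; origin refused us
    if facts["status"] is not None and facts["status"] < 400:
        return "ok"
    return "http-error"

if __name__ == "__main__":
    print(classify(parse_curl_trace(SAMPLE_TRACE)))
```

Run it against the real trace with `curl -v https://open.spotify.com/ 2>&1 | python3 triage.py` after swapping the sample for `sys.stdin.read()`; a result of `origin-rejected-client` on one WAN address and `ok` on another confirms the block is keyed to the public IP, not to the local network.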

You could try loading another linux OS on a USB stick and boot from that and see if you get the same error, if so then it’s not the OS.

I have a little success. I switched from the pfsense firewall to the fritz.box firewall and now all works. I will switch back later but I guess it is the WAN IP, because now I have a new one. Maybe pfsense didn’t update it or so… I will report back later.

I guess I found the problem:


This is with my internet provider’s WAN IP address. spotify.com is not working with this IP.

When I start a VPN Client on the windows machine I get this as result.

With this status everything works fine. I guess I have to request a /renew on my WAN IP. But why my WAN IP is on a blacklist I have no idea.