403 Forbidden for some clients/unable to connect

[xBy Tez]

Hi everyone,

Lately I've noticed that some of our clients email us saying they are unable to connect to our Google App Engine domain. (It's CNAMEd to ghs.googlehosted.com)

This seems to happen for Russian people. Some will get a 403 Forbidden. 

"Your client does not have permission to get URL (...) from this
server. " is the error message they will get.

Another Russian customer got "ERR::CONNECTION_RESET" errors when trying to access our GAE domain.

What should we do in order to resolve this and make this page available for everyone?

[Nick (Cloud Platform Support)]

Hey xBy,

This issue is a bit difficult to comment on in the abstract. There could be many reasons why a network link would experience failure. The best advice I can give is to use traceroute or mtr from their machines to the machine they wanted to connect to and this might help diagnose the network issue.

Cheers,

Nick

[Evan Jones]

Funny, I've been dealing with the same issue this week. We have a customer who is on their corporate network, and they cannot access our static resources if they use https://(projectid).appspot.com. If they use HTTP, or our domain alias (https://www.bluecore.com/) it works. I haven't been able to track down the cause, but there are minor certificate, DNS and IP differences between *.appspot.com and ghs.googlehosted.com.

This is a long winded way of saying: I've run into similar issues, I don't know how to fix them, but try plain HTTP or a domain alias as potential workarounds. Good luck, and if you figure out anything, please let me know.

[Evan Jones]

Sorry I should clarify: We have a slightly different symptom. Our affected customer gets timeouts connecting to https://(projectid).appspot.com/(static path), but it works fine if they use HTTP.

[Nick (Cloud Platform Support)]

Hey Folks,

If anybody could capture the requests and response of a consistently-failing link (what Evan has said about certificates, HTTPS and static file paths is interesting) using wireshark, using HAR capture from the browser, or using curl with the -v (verbose) flag set, this information could be included in a Public Issue Tracker report which might allow us to look deeper into whether something we could fix might be involved.

Feel free to let me know if you have any questions about this! We're here to help.

Cheers,

Nick
Cloud Platform Community Support

[Evan Jones]

I think I figured out my issue: Our customer has a corporate firewall that appears to be blocking *.appspot.com. Probably due to "security" concerns (see following). Our workaround is to just use our custom domain everywhere instead. For whatever reason, they don't block that.

http://wccftech.com/house-blocks-access-google-services/

--
You received this message because you are subscribed to a topic in the Google Groups "Google App Engine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-appengine/F7_74hS9rfc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/3465136b-36ac-401f-8f30-1a8a155167df%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Maxim Tsepkov]

I experience same 403 from Google when connect from certain IP in Russia. Another IP is working well. 

Why like this?