Fixing Teamcity build agent "403 forbidden" errors
Note: this guide is for fixing when running your teamcity service behind Cloudflare. Check with your host for other firewalls that may be blocking the agent.
Chances are you're running a teamcity server and, when trying to connect a legitimate build agent to the server, you receive one of the following errors:
Failed to download AgentUpdateInfo from server. Server returned  Forbidden for example.com
Server does not provide teamcity-agent.xml. Will download only buildAgent.zip.
These errors stem from a firewall of some sort, and here the likely culprite is Cloudflare.
Cloudflare will, by default, turn on Browser integrity Check preventing bad browsers from hitting your website and possibly DDOSing your web server. Because the TeamCity agent uses an irregulular user agent, CF won't trust it when it's trying to download the agent files it needs.
There are two ways to fix this, through a page rule or via a global switch. Note that you may be vulnerable to DDOS attacks if you turn the switch off globally.
To turn this off globally, head to the Cloudflare Dashboard and go to your website -> firewall.
From there scroll down and switch to the "Web Application Firewall" tab that's next to the "IP Firewall" tab.
From there uncheck "Browser Integrity Check".
Turning off the setting via a page rule will greatly increase your security and prevent other zones in your domain from also being affected. First, head to the Cloudflare Dashboard and go to your website -> Page Rules.
Create a page rule and set the url to:
And add the setting "Browser Integrity Check" set to off.
An example with the url correctly replaced:
After a few minutes the settings you changed should propegate to Cloudfdlare's edge locations and the build agent will no longer be blocked from downloading the agent files.
If you have any other questions, leave a comment below or share on HN.