Anaconda mirror wrongly returns 403 (instead of 404) for non-existent file

[Vigilans]

使用micromamba，将http://mirror.sjtu.edu.cn/anaconda/pkgs/main设置为 default_channels，在安装包时会报错：

micromamba create -n py$PYTHON_VERSION python=$PYTHON_VERSION --verbose
info     libmamba Parsing MatchSpec python=3.7
info     libmamba Searching index cache file for repo 'http://mirror.sjtu.edu.cn/anaconda/pkgs/main/linux-64/repodata.json'
info     libmamba No valid cache found
info     libmamba Using OpenSSL backend
info     libmamba Searching index cache file for repo 'http://mirror.sjtu.edu.cn/anaconda/pkgs/main/noarch/repodata.json'
info     libmamba No valid cache found
info     libmamba Starting to download targets
[+] 0.2s
anaconda/pkgs/main/linux-64 (check zst) ━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━   0.0 B /  ??.?MB @  ??.?MB/s Checking  0.2s
anaconda/pkgs/main/noarch (check zst)   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━━━━━━━━━   0.0 B /  ??.?MB @  ??.?MB/s Checking  0.2sinfo     libmamba Transfer done for 'anaconda/pkgs/main/noarch (check zst)'
info     libmamba Transfer finalized, status: 200 [https://mirror.sjtu.edu.cn/anaconda/pkgs/main/noarch/repodata.json.zst] 0 bytes
info     libmamba Checked: http://mirror.sjtu.edu.cn/anaconda/pkgs/main/noarch/repodata.json.zst [200]
info     libmamba Transfer done for 'anaconda/pkgs/main/linux-64 (check zst)'
anaconda/pkgs/main/noarch (check zst)               Checked  0.2s
anaconda/pkgs/main/linux-64 (check zst)             Checked  0.3s
info     libmamba Starting to download targets
[+] 0.2s
anaconda/pkgs/main/linux-64 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━━   0.0 B /  ??.?MB @  ??.?MB/s  0.2s
anaconda/pkgs/main/noarch   ━━━━━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━   0.0 B /  ??.?MB @  ??.?MB/s  0.2serror    libmamba ZSTD decompression error: Unknown frame descriptor
error    libmamba ZSTD decompression error: Unknown frame descriptor
info     libmamba Download error (23) Failed writing received data to disk/application [https://s3.jcloud.sjtu.edu.cn/899a892efef34b1b944a19981040f55b-oss01/anaconda/pkgs/main/linux-64/repodata.json.zst]
    Failure writing output to destination
info     libmamba Transfer done for 'anaconda/pkgs/main/linux-64'
info     libmamba Transfer finalized, status: 403 [https://s3.jcloud.sjtu.edu.cn/899a892efef34b1b944a19981040f55b-oss01/anaconda/pkgs/main/linux-64/repodata.json.zst] 0 bytes
info     libmamba Unable to retrieve repodata (response: 403) for 'http://mirror.sjtu.edu.cn/anaconda/pkgs/main/linux-64/repodata.json.zst'
info     libmamba Download error (23) Failed writing received data to disk/application [https://s3.jcloud.sjtu.edu.cn/899a892efef34b1b944a19981040f55b-oss01
anaconda/pkgs/main/linux-64                         ??.?MB @  ??.?MB/s 403 failed  0.2s
critical libmamba Multiple errors occured:
    Download error (23) Failed writing received data to disk/application [https://s3.jcloud.sjtu.edu.cn/899a892efef34b1b944a19981040f55b-oss01/anaconda/pkgs/main/noarch/repodata.json.zst]
    Failure writing output to destination
    Subdir anaconda/pkgs/main/noarch not loaded!

这是因为对https://mirror.sjtu.edu.cn/anaconda/pkgs/main/noarch/repodata.json.zst的访问会返回403：

# curl -L https://mirror.sjtu.edu.cn/anaconda/pkgs/main/noarch/repodata.json.zst -v
*   Trying 111.186.58.212:443...
* Connected to mirror.sjtu.edu.cn (111.186.58.212) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mirror.sjtu.edu.cn
*  start date: May 19 02:09:25 2024 GMT
*  expire date: Aug 17 02:09:24 2024 GMT
*  subjectAltName: host "mirror.sjtu.edu.cn" matched cert's "mirror.sjtu.edu.cn"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /anaconda/pkgs/main/noarch/repodata.json.zst]
* h2h3 [:scheme: https]
* h2h3 [:authority: mirror.sjtu.edu.cn]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55cc2d344670)
> GET /anaconda/pkgs/main/noarch/repodata.json.zst HTTP/2
> Host: mirror.sjtu.edu.cn
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 301 
< alt-svc: h3=":443"; ma=2592000
< date: Sun, 26 May 2024 06:52:58 GMT
< location: https://s3.jcloud.sjtu.edu.cn/899a892efef34b1b944a19981040f55b-oss01/anaconda/pkgs/main/noarch/repodata.json.zst
< server: Caddy
< x-intel-queue-length: 0
< x-sjtug-mirror-id: siyuan
< content-length: 0
< 
* Connection #0 to host mirror.sjtu.edu.cn left intact
* Issue another request to this URL: 'https://s3.jcloud.sjtu.edu.cn/899a892efef34b1b944a19981040f55b-oss01/anaconda/pkgs/main/noarch/repodata.json.zst'
*   Trying 111.186.60.58:443...
* Connected to s3.jcloud.sjtu.edu.cn (111.186.60.58) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.s3.jcloud.sjtu.edu.cn
*  start date: Oct 26 00:00:00 2023 GMT
*  expire date: Nov  4 23:59:59 2024 GMT
*  subjectAltName: host "s3.jcloud.sjtu.edu.cn" matched cert's "s3.jcloud.sjtu.edu.cn"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; CN=TrustAsia ECC DV TLS CA G3
*  SSL certificate verify ok.
* using HTTP/1.1
> GET /899a892efef34b1b944a19981040f55b-oss01/anaconda/pkgs/main/noarch/repodata.json.zst HTTP/1.1
> Host: s3.jcloud.sjtu.edu.cn
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Server: openresty/1.13.6.1
< Date: Sun, 26 May 2024 06:52:58 GMT
< Content-Type: application/xml
< Content-Length: 264
< Connection: keep-alive
< x-amz-request-id: tx00000000000001b11f126-006652dc4a-74b10cf-zone-00864d
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT, PATCH
< Access-Control-Allow-Headers: content-type,x-amz-server-side-encryption,range,x-amz-user-agent,x-amz-copy-source,x-amz-content-sha256,x-amz-date,authorization,x-amz-acl,etag,content-encoding,x-requested-with
< 
* Connection #1 to host s3.jcloud.sjtu.edu.cn left intact
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>899a892efef34b1b944a19981040f55b-oss01</BucketName><RequestId>tx00000000000001b11f126-006652dc4a-74b10cf-zone-00864d</RequestId><HostId>74b10cf-zone-00864d-zg-00864d</HostId></Error>

而 tuna 会返回404：

# curl -L https://mirror.tuna.tsinghua.edu.cn/anaconda/pkgs/main/noarch/repodata.json.zst -v
*   Trying 101.6.15.130:443...
* Connected to mirror.tuna.tsinghua.edu.cn (101.6.15.130) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=tuna.tsinghua.edu.cn
*  start date: May  6 19:41:03 2024 GMT
*  expire date: Aug  4 19:41:02 2024 GMT
*  subjectAltName: host "mirror.tuna.tsinghua.edu.cn" matched cert's "*.tuna.tsinghua.edu.cn"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /anaconda/pkgs/main/noarch/repodata.json.zst]
* h2h3 [:scheme: https]
* h2h3 [:authority: mirror.tuna.tsinghua.edu.cn]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55e77cd0a670)
> GET /anaconda/pkgs/main/noarch/repodata.json.zst HTTP/2
> Host: mirror.tuna.tsinghua.edu.cn
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 404 
< server: nginx/1.22.1
< date: Sun, 26 May 2024 06:53:59 GMT
< content-type: text/html
< content-length: 153
< vary: Accept-Encoding
< vary: Accept-Encoding
< strict-transport-security: max-age=31536000
< x-tuna-mirror-id: nanomirrors
< strict-transport-security: max-age=31536000
< x-tuna-mirror-id: neomirrors
< 
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
* Connection #0 to host mirror.tuna.tsinghua.edu.cn left intact