The IP addresses used to access a bucket change dynamically. You can configure a reverse proxy on an ECS instance for access to OSS. This way, a static IP address can be used to access the bucket.

Background information

OSS uses RESTful APIs to provide services. Users use OSS domain names or custom domain names to access OSS. In some scenarios, users need to use a static IP address to access OSS.
  • For security reasons, some enterprises need to configure outbound rules to specify that internal employees and business systems can access only the specified public IP address. However, the IP addresses used to access a bucket in OSS change dynamically, so these enterprises need to frequently modify firewall rules.
  • Due to the architecture limits of Alibaba Finance Cloud, internal network-specific buckets in Alibaba Finance Cloud can be accessed only within Alibaba Finance Cloud. These buckets cannot be accessed over the Internet.
To resolve these problems, you can configure a reverse proxy on an ECS instance for access to OSS.

Procedure

  1. Create an ECS instance that runs CentOS. Ensure that the instance and the specified bucket are located within the same region.
    The CentOS 7.6 (64-bit) system is used in this example. For more information, see Create an ECS instance.
  2. Log on to the ECS instance as the root user. Install NGINX.
    root@test:~# yum install -y nginx
    Note Default locations of NGINX:
     /usr/sbin/nginx       Stores the NGINX executable. 
     /etc/nginx            Stores configuration files. 
     /usr/share/nginx      Stores static files. 
     /var/log/nginx        Stores log files.
  3. Open the configuration file of NGINX.
    root@test:~# vi /etc/nginx/nginx.conf
  4. Add the following content to the http context of the configuration file:
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name 47.**.**.43;
        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        # Forward every request to the bucket endpoint.
        location / {
            proxy_pass https://bucketname.oss-cn-beijing-internal.aliyuncs.com;
            proxy_set_header Host $host;
        }
    }
    • server_name: the IP address used to provide the reverse proxy service, which is the public IP address of the ECS instance.
    • proxy_pass: the endpoint to which requests are forwarded.
      • When the ECS instance and the target bucket are located within the same region, specify the internal endpoint of the target bucket. For more information about endpoints, see OSS domain names.
      • When the ECS instance and the target bucket are located within different regions, specify the public endpoint of the target bucket.
      • For security reasons, when an OSS domain name is used to access an OSS image or web page object through a browser, the object is directly downloaded. To preview the object, use a custom domain name. Add the custom domain name for this parameter. For more information about how to bind a custom domain name, see Bind custom domain names.
    • proxy_set_header Host $host: If you add this parameter, the Host value is replaced with the IP address of the ECS instance when NGINX sends a request to OSS. You must add this parameter in the following situations:
      • Signature errors occur.
      • Your custom domain name is resolved to the public IP address of the ECS instance, and your users need to browse image or web page objects in a bucket. You can bind a custom domain name to the bucket for which the reverse proxy is configured. You do not need to configure CNAME. You can set proxy_pass to the internal or public endpoint of the bucket. For more information about how to bind a custom domain name, see Bind custom domain names.
    Note This topic uses a demo environment. For data security reasons, we recommend that you configure HTTPS. For more information, see Configure HTTPS for your own domain name in OSS through reverse proxy.
  5. Go to the folder of the NGINX executable. Start NGINX.
    root@test:~# cd /usr/sbin/
    root@test:~# ./nginx
  6. Append the object path to the public IP address of the ECS instance to access OSS resources.

References

Use ECS instances that run Ubuntu to configure reverse proxy for access to Alibaba Cloud OSS