
Object Storage Service: How do I hide the bucket domain name in an error reported by OSS for a CDN back-to-origin fetch?

Last Updated: Dec 27, 2023

If an error occurs in a back-to-origin fetch request from Alibaba Cloud CDN or a different CDN service to an Object Storage Service (OSS) bucket, OSS returns an error message that contains the domain name of the bucket. The bucket domain name is sensitive information, and exposing it increases the security risk to the bucket.

Causes

In a back-to-origin fetch request for an object in an OSS bucket from a CDN service, the default value of the Host header in the request is the domain name of the bucket. Error information that is returned by OSS for an invalid back-to-origin fetch request contains the value of the Host header sent in the request.

The following figure shows an example of default origin host settings for a bucket.

2.png

Examples

For example, if the requested object does not exist, OSS returns a 404 error, which contains the domain name of the bucket. OSS includes the bucket domain name in the response for any failed request, regardless of the error code returned.

The following figure shows an example of the 404 error.

1.png

Solutions

Warning

Before you modify an origin host in a back-to-origin configuration, make sure that you have completed the mapping between the accelerated domain name and the bucket and that CDN can retrieve data from the bucket. If you modify the origin host when the mapping is not complete, OSS cannot process the request with an unknown Host value. This causes back-to-origin fetch requests to the bucket to fail. For more information, see Map accelerated domain names.

Change the origin host to the accelerated domain name. This way, if a back-to-origin fetch error occurs, OSS includes the accelerated domain name in the error information, not the domain name of the bucket.

For more information, see Configure the default origin host.

The following figure shows an example of a modified origin host.

3.png

The following figure provides an example error for a back-to-origin fetch request.

4.png
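To confirm that the origin host change took effect, the check below classifies an error body fetched through the accelerated domain name. It is an added example, not code from the original page; it assumes that the OSS XML error body carries the Host value in a `HostId` element and that bucket endpoints follow the pattern `<bucket>.oss-<region>.aliyuncs.com`. The sample bodies, the bucket name, and `cdn.example.com` are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: bucket endpoints look like <bucket>.oss-<region>[-internal].aliyuncs.com
BUCKET_DOMAIN_RE = re.compile(
    r"^[a-z0-9][a-z0-9-]*\.oss-[a-z0-9-]+\.aliyuncs\.com$", re.IGNORECASE
)

def check_error_body(body: bytes, accelerated_domain: str):
    """Classify an error body returned through the CDN.

    Returns (status, host), where status is one of:
      "leak"            - HostId is a bucket domain name
      "ok"              - HostId equals the accelerated domain name
      "unexpected-host" - HostId is some other value; review the origin host setting
      "no-host"         - OSS-style <Error> document without a HostId value
      "not-oss-error"   - well-formed XML, but not an <Error> document
      "unparsed"        - body is not XML (for example, a CDN-generated error page)
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unparsed", None)
    if root.tag != "Error":
        return ("not-oss-error", None)
    host = (root.findtext("HostId") or "").strip().lower()
    if not host:
        return ("no-host", None)
    if BUCKET_DOMAIN_RE.match(host):
        return ("leak", host)
    if host == accelerated_domain.strip().lower():
        return ("ok", host)
    return ("unexpected-host", host)

# Constructed sample bodies: before and after changing the origin host.
_TEMPLATE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n<Error>\n'
    b"  <Code>NoSuchKey</Code>\n"
    b"  <Message>The specified key does not exist.</Message>\n"
    b"  <RequestId>0000000000000000EXAMPLE</RequestId>\n"
    b"  <HostId>%s</HostId>\n  <Key>missing.txt</Key>\n</Error>\n"
)
BEFORE = _TEMPLATE % b"examplebucket.oss-cn-hangzhou.aliyuncs.com"
AFTER = _TEMPLATE % b"cdn.example.com"

if __name__ == "__main__":
    for label, body in (("before", BEFORE), ("after", AFTER)):
        print(label, check_error_body(body, "cdn.example.com"))
```

Run it against the body of a request for a nonexistent object on the accelerated domain name; any result other than "ok" means the origin host setting should be reviewed.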

References

You can also modify an origin host to hide a bucket domain name in other business scenarios, for example, when you configure an Nginx reverse proxy. For more information, see Use ECS instances to configure a reverse proxy for access to OSS.