Use OSS as a CDN origin server to cache static resources, such as images, videos, and scripts, on global edge nodes for nearby access. This approach significantly improves access speed and reduces the load on the origin server.
Note: If you are using a default OSS domain name, such as {bucket}.oss-cn-hangzhou.aliyuncs.com, to access resources, you cannot directly convert these URLs to CDN-accelerated links. You must use a custom domain name for CDN acceleration, which requires updating the original URLs in your application.
Use cases
Alibaba Cloud OSS provides low-cost object storage, and CDN accelerates the delivery of static resources. Using OSS as a CDN origin server offers the following benefits:
All user requests are served by CDN, which reduces the load on the origin server.
The unit price of CDN outbound data transfer is lower than the price of outbound data transfer from direct OSS access.
CDN delivers content from the edge node closest to the client, reducing network latency and access time.
Light video workloads: OSS provides low-cost storage, and CDN delivery from nearby nodes reduces latency, offering a simple and economical solution. For advanced features such as transcoding, encryption, and player integration, consider using ApsaraVideo VOD.
Static image workloads: The unit price for CDN outbound data transfer is lower than for direct OSS outbound data transfer. If all your users are in the Chinese mainland, the speed difference between using CDN with OSS and accessing OSS directly is minimal. However, CDN provides a slightly better user experience by caching content on edge nodes that are physically closer to users. An OSS Transfer Acceleration domain is more suitable for cross-region scenarios or as a back-to-origin address to optimize cross-border access.
How it works
This solution uses CDN as a caching layer for OSS. When a user requests a resource, the request is first routed to the nearest CDN edge node:
Cache hit: If a node has the requested resource cached, it returns the resource directly to the user for the fastest response.
Cache miss: If the resource is not cached, the node sends a request to the origin server (the OSS bucket) to retrieve it. The node then serves the resource to the user and creates a cached copy for future requests.
Procedure
Step 1: Register domain and complete ICP filing
Register a new domain name: Domain Registration
Purchase an existing domain name: Domain Backorder
According to the regulations of the Ministry of Industry and Information Technology (MIIT) of the People's Republic of China, all websites providing services in the Chinese mainland must complete an ICP filing. Domain names purchased on the Alibaba Cloud International site do not support ICP filing. If you need to provide services in the Chinese mainland (by resolving your website to a server in the Chinese mainland), you must first complete the ICP filing process or learn about the GoChina ICP Filing Assistant.
Step 2: Add accelerated domain and link OSS origin
In this step, add an accelerated domain name in the CDN console and associate it with the OSS bucket that serves as the origin server.
Log on to the CDN console.
Click Add Domain Name and configure the basic information for the accelerated domain name:
Domain Name to Accelerate: Enter a custom domain name, such as
www.example.com. Wildcard domains like*.example.comare also supported. This is the public-facing domain name for CDN acceleration, not the default OSS domain name.Region: Select the region based on the geographic location of your primary users.
Business Type: Select the type based on your content. For example, for images and small web files under 20 MB, select "Image and Small File".
When you add a domain name for the first time, you must verify its ownership by using either file verification or DNS verification.
If you select Chinese mainland or Global, the accelerated domain name must have a valid ICP filing. Otherwise, an ICP check is triggered, which blocks the operation.
If DNS verification fails, check whether the domain name has completed ICP filing (required for acceleration in the Chinese mainland) and whether any DNS conflicts exist.
Click Add Origin Server and enter the OSS information:
Origin Info: Select OSS Domain as the origin type.
Domain Name: If the origin type is OSS Domain, you can select the public domain name of an existing OSS bucket in your account from the drop-down list.
When configuring multiple origin servers, you can set the following parameters:
Parameter
Description
Priority
Primary (20) or Secondary (30).
Weight
The value can range from 1 to 100. The default value is sufficient for single-origin scenarios.
Port
The default port is 80 for HTTP and 443 for HTTPS. Custom ports from 1 to 65535 are supported. If the origin type is Function Compute, the system automatically sets the port to 80.
Click OK. After you add the domain, you are redirected to the Recommended Configurations tab.
Step 3: Configure core acceleration policies
Follow the guided workflow in Recommended Configurations to set up basic policies for cache expiration, range-based back-to-origin, and ignoring query string parameters. These configurations improve CDN cache hit rates, performance, and security.
Configure cache expiration
Well-configured cache rules maximize CDN performance and reduce unnecessary back-to-origin requests. Cache rules are matched in order, and the first matched rule takes effect. In the CDN console, go to the management and configuration page for your domain and select the Cache feature. The following are recommended settings:
File type | File extension | Expiration time | Description |
Images/Audio/Video |
| 30 days | For content that does not change frequently. |
Static scripts |
| 1 hour | For content that may change frequently with new releases. |
Website homepage |
| Do not cache (0 seconds) | Ensures users always get the latest page structure. |
If you serve a mix of large videos and small MP3 files, configure separate cache policies by file type. For large video files like MP4, set a long cache duration (for example, 30 days) and enable range-based back-to-origin to support chunked retrieval and improve time to first frame. For small files like MP3, also set a long cache duration. Because these files are small, you do not need to enable range-based back-to-origin. You can add separate cache rules for the .mp4 and .mp3 extensions.
Configure ignore query string
In the CDN console, go to the management and configuration page for your domain and select Optimization > Ignore Parameters. After you enable the Ignore Query String feature, CDN nodes remove any parameters after the ? in a URL when generating the cache key. This allows requests for the same resource with different parameters to hit the same cache entry, which helps improve the cache hit rate and reduce back-to-origin traffic.
Enable Range back-to-origin
When range-based back-to-origin is enabled, CDN nodes retrieve large files from the origin server (OSS) in chunks based on the requested Range. This reduces back-to-origin traffic and response time. This feature is suitable for distributing large files like audio and video but is not necessary for accelerating image delivery or other small-file scenarios.
Configure automatic OSS cache refresh
To ensure that content updates in OSS are promptly reflected on CDN, you can enable automatic cache refresh. In the OSS console, go to the page for your bucket. Enable Bind Custom Domain Name to OSS and Auto CDN Cache Update for the target domain, then select the events that should trigger a refresh. When the content in OSS is updated, OSS automatically triggers a CDN refresh task.
This feature is event-triggered and does not guarantee 100% delivery or real-time updates. Refresh events may be lost in extreme cases, such as high-concurrency writes to OSS or network jitter. For time-sensitive scenarios, use the CDN Refresh and Prefetch feature directly.
Step 4: Configure DNS and verify
In the CDN console, go to the Domain Management list, find the domain you added, and copy its CNAME value. If the value is empty, wait a few seconds and refresh the page.
Log on to the Alibaba Cloud DNS console with the Alibaba Cloud account that owns the accelerated domain. On the Public Zone page, find your domain and click Settings.
Click Add Record to create a new CNAME record:
Record Type: Select
CNAME.Hostname: Enter the subdomain prefix (for example,
www).Record Value: Paste the CNAME value you copied from the CDN console.
Keep the default values for other parameters and click Confirm.
Verify that traffic is routed through CDN
After configuring DNS, you can verify that traffic is correctly routed through CDN in the following ways:
Check response headers with
curl -I: Runcurl -I https://your-domain.com/filein a terminal and check theX-Cacheheader in the response. A value ofX-Cache: HITorX-Cache: MISSindicates that CDN processed the request. If theX-Cacheheader is not present, the request may have gone directly to OSS.View monitoring data in the CDN console: Log on to the CDN console and check the monitoring page for your domain. If traffic data appears after the configuration takes effect, traffic is flowing through CDN.
Check CNAME status: In the CDN console, verify that the CNAME status for the domain is Configured. The CNAME status can be: Configured (green), Awaiting Configuration (yellow), or Detection Timed Out.
If your domain resolves to both OSS and CDN, requests may bypass CDN and go directly to OSS, causing the acceleration to fail. Ensure that your DNS configuration contains only the CNAME record pointing to CDN and remove any A or CNAME records that point directly to the OSS domain.
Step 5: Configure security settings
Enable HTTPS
If your application supported HTTPS access before you configured Alibaba Cloud CDN, you must configure an HTTPS certificate. Otherwise, your domain will no longer support HTTPS access.
Enabling HTTPS incurs fees for HTTPS requests. HTTPS request fees cannot be offset by CDN data transfer plans. Ensure that your account has a sufficient balance or purchase an HTTPS request pack to avoid service interruptions due to overdue payments. For more information, see Static HTTPS Requests.
In the Alibaba Cloud CDN console, go to the Domain Management list, find the domain you added, and click its name to go to the configuration page.
Select the HTTPS tab, find the SSL Certificate section, and click Modify.
On the Modify HTTPS Settings page, turn on the HTTPS Secure Acceleration switch and select a certificate:
Certificate type
Description
SSL Certificates Service
Select an existing certificate from your Alibaba Cloud SSL certificate products. Search for and select the certificate from the list.
Custom Certificate (Certificate+Private Key)
Manually upload the content of a PEM-formatted certificate and its private key. You must provide a certificate name and upload the certificate and private key files.
Free Certificate
A free DV certificate from Alibaba Cloud and DigiCert, valid for one year with auto-renewal. Wildcard domains are not supported. You must select the authorization check box.
CSR Certificate
Use this option after you submit a Certificate Signing Request (CSR).
If you have already purchased a certificate from Alibaba Cloud Certificate Management Service, select it from the SSL Certificates Service list.
If you cannot select a purchased certificate, check whether the domain name bound to the certificate matches the accelerated domain name. If you are using a certificate issued by a third-party provider, select Custom Certificate (Certificate+Private Key) and upload the Certificate (Public Key) and private key. The certificate is saved to Alibaba Cloud Certificate Management Service, where you can view it on the My Certificates page.
Grant CDN access to private bucket
If your OSS bucket is private, you must grant CDN access to it. Otherwise, all back-to-origin requests will fail due to insufficient permissions.
In the Alibaba Cloud CDN console, go to the Domain Management list and click the domain name you added to go to its configuration page.
In the Origin Fetch, enable Alibaba Cloud OSS Private Bucket Access and select Bucket in the Same Account. For cross-account access, see Accessing a private OSS bucket.
Configure URL authentication
URL authentication, also known as timestamp-based hotlink protection, prevents unauthorized access to your resources by adding a signature and an expiration time to access URLs.
In the Alibaba Cloud CDN console, go to the Domain Management list and click the domain name you added to go to its configuration page.
On the Access Control tab, select Set URL Signing and click Modify.
On the configuration page, select Type A, set a Primary Key and a Secondary Key (at least one must be set), and store them securely. Your server will use these keys to validate signed URLs. For usage examples, see Authentication Method A.
Set a validity period for authenticated URLs based on your business needs, such as 1800 seconds.
Configure usage cap
To prevent high bills from sudden bandwidth spikes caused by attacks or unauthorized use, you can set a usage cap to control the maximum bandwidth, traffic, and number of HTTPS requests for a domain. This helps reduce losses from unexpected traffic surges.
In the Alibaba Cloud CDN console, go to the Domain Management page, find the target domain, and click Manage in the Actions column.
In the left-side navigation pane for the domain, click Traffic Throttling.
On the Usage Cap tab, configure a policy by following the feature overview.
Click Configure and choose a suitable Statistical Period, Cap, and Unblocking Time. For details on these parameters, see the feature overview.
Click OK. The capping rule is created and takes effect immediately.
Monitoring and alerts
Set up real-time monitoring: Configure monitoring for the peak bandwidth of a specific domain under your CDN product. When the peak bandwidth reaches the set threshold, an alert is sent to the administrator, helping you promptly identify potential risks.
Set up spending alerts: In the console header, select Billing and use the following features to control your account spending:
Balance alert: Set an alert to be sent to your specified contacts when your account balance falls below a specified amount.
Billing
When you use OSS as a CDN origin server, the following fees may be incurred:
CDN outbound traffic fees: Charged for data transferred from CDN to users. Purchase a CDN traffic plan to reduce costs, as the unit price for CDN outbound traffic is typically lower than that for OSS outbound data transfer. After you purchase a CDN resource plan, the system automatically uses it to offset your CDN outbound traffic fees.
OSS-to-CDN outbound data transfer fees: Charged for OSS outbound data transfer generated when CDN performs back-to-origin requests to OSS.
Static HTTPS request fees: Incurred after enabling HTTPS secure acceleration.
HTTPS request fees cannot be offset by CDN data transfer plans. You must purchase a separate HTTPS request resource plan or ensure your account has a sufficient balance.