This document explains how to configure Alibaba Cloud Content Delivery Network (CDN) to accelerate static resources stored in Object Storage Service (OSS). In this solution, OSS serves as the origin server for CDN, whose global network of edge nodes caches static content. This allows users to fetch resources from the nearest node, significantly improving access speed and reducing origin server load.
Benefits
Using OSS as an origin server for CDN combines the low-cost storage of Alibaba Cloud OSS with the accelerated delivery of static resources from CDN, offering the following benefits:
CDN handles all requests for your website resources, reducing the load on your origin server.
CDN data transfer costs less than direct data transfer from OSS.
Clients fetch resources from the nearest CDN edge node, which reduces network latency by shortening the transmission distance.
How it works
In this solution, CDN acts as a caching layer for OSS. When a user requests a resource, the request is first routed to the nearest CDN edge node.
Cache hit: If the edge node has the requested resource cached, it returns the resource directly to the user.
Cache miss: If the edge node does not have the resource cached, it sends an origin request to the origin server (the OSS bucket) to retrieve it. After the edge node receives the resource, it serves the resource to the user and caches a copy for future requests.
Billing
When you use OSS as an origin server for CDN, charges may include CDN data transfer and data transfer from OSS to CDN (origin fetch). For more information, see Billing of OSS content acceleration.
Before you begin
You have an Alibaba Cloud account and have completed identity verification.
You have a valid domain name, or you can register a domain name now.
To accelerate access to resources in the Chinese mainland, you must first complete the ICP filing process.
You have activated OSS, created a bucket, and uploaded your resources.
Procedure
Step 1: Register domain name and complete ICP filing
A domain name, such as aliyun.com, is the unique address of your website on the internet. It serves as the entry point for users and is part of your brand identity.
Register a new domain name: Domain Name Registration
Purchase an existing domain name: Domain Buy-Back
According to the regulations of the Ministry of Industry and Information Technology of the People's Republic of China, all websites that provide services in the Chinese mainland must complete an ICP filing. Domain names purchased from the Alibaba Cloud international site do not support ICP filing. If you need to provide services in the Chinese mainland (which requires your website to be hosted on a server in the Chinese mainland), please go to the Alibaba Cloud China site to complete domain name registration and the ICP filing, or learn about the GoChina ICP Filing Service.
Step 2: Add accelerated domain and link OSS origin
In this step, add an accelerated domain name in the CDN console and associate it with an OSS bucket as the origin server.
Log on to the CDN console and go to the Domain Names page.
Click Add Domain Name and configure the basic information:
Domain Name to Accelerate: Enter the domain name for your service, such as www.example.com.
Region: Select a region based on the geographic location of your primary users.
Business Type: Select a type that matches your content. For example, for images and small web files under 20 MB, select "Images and Small Files".

Click Add Origin Server and enter the OSS information:
Origin Info: Select OSS Domain.
Domain Name: Select the public endpoint of the target OSS bucket from the drop-down list.

Click OK, and then click Next. After the domain name is added, the Recommended Features page appears.
Step 3: Configure core acceleration policies
Follow the guided process on the Recommended Features page to add basic configurations such as cache expiration time, range origin fetch, and ignore parameters. These settings improve your CDN service's cache hit ratio, performance, and security.
3.1 Configure cache expiration time
Proper cache rules maximize CDN performance and reduce unnecessary origin requests. Cache rules are matched in order, and the first matching rule takes effect. Configure a proper cache expiration time based on your resource characteristics. Log on to the CDN console. In the management page for the specified domain name, find the Cache Expiration feature in the Cache section. The following table provides some recommended configurations.
File type | Extension | TTL | Description |
Images/Audio/Video | | 30 days | Resource content does not change frequently. |
Static scripts | | 1 hour | May change frequently with version releases. |
Website homepage | | Do not cache (0 seconds) | Ensures users always get the latest page structure. |
3.2 Configure ignore parameters
Log on to the CDN console. In the management page of the specified domain name, find the Ignore Parameters feature in the Optimization section. After you enable the ignore parameters feature, CDN edge nodes remove the parameters after the question mark (?) in a URL when generating a cache key. This allows requests for the same resource with different parameters to match the same cache entry. This improves the cache hit ratio and reduces origin fetch traffic.

3.3 Enable range origin fetch
This feature is ideal for distributing large files like audio and video, but it is not recommended for small files like images.
When range origin fetch is enabled, if a CDN edge node requests a large file from the origin OSS, OSS returns the content in chunks based on the range specified in the CDN request. This reduces origin fetch traffic and improves resource response time.

3.4 Configure automatic cache update for OSS
To ensure that content updates in OSS are promptly synchronized to CDN, you can enable Map Custom Domain Name and Auto CDN Cache Update for the target domain on the page of the OSS console. Then, select the operations that you want to trigger automatic updates. When the content in OSS is updated, OSS automatically triggers a CDN purge task.
This feature is event-triggered and does not guarantee 100% delivery or real-time performance. In extreme situations, such as high-concurrency writes to OSS or network jitter, purge events may be lost. For scenarios with high real-time requirements, use the CDN purge and prefetch resources feature instead.

Step 4: Configure and verify DNS resolution
Go to the Domain Names page in the Alibaba Cloud CDN console. Find the domain name that you added and copy its CNAME value. If the value is empty, wait a few seconds and then refresh the page.

Log on to the Alibaba Cloud DNS console with the Alibaba Cloud account that owns the accelerated domain name. On the domain resolution page, find the domain name and click Settings.
Click Add Record to create a CNAME record:
Record Type: Select CNAME.
Hostname: Enter the prefix of the subdomain, for example, www.
Record Value: Paste the CNAME value that you copied from the CDN console.
Keep the default settings for other parameters and click Confirm.

Step 5: Configure security settings
5.1 Enable HTTPS for encrypted data transfer
If your application supported HTTPS access before you configured Alibaba Cloud CDN, you must configure an HTTPS certificate. Otherwise, your domain name will no longer support HTTPS access.
Enabling HTTPS generates HTTPS requests. Charges for HTTPS requests cannot be offset by CDN data transfer plans. Make sure that your account has a sufficient balance or purchase an HTTPS request resource plan to prevent service suspension due to overdue payments. For more information, see Static HTTPS requests.
Go to the Domain Names page in the Alibaba Cloud CDN console, find the domain name that you added, and click Manage to go to the domain name configuration page.
On the HTTPS tab, in the SSL Certificate section, click Modify Configuration.
On the Modify HTTPS Settings page, turn on the HTTPS Secure Acceleration switch and configure the certificate parameters.
Note: If you purchased a certificate from Alibaba Cloud SSL Certificates Service, select SSL Certificates Service and choose the certificate from the Certificate Name drop-down list. If you cannot find your purchased certificate, check whether the domain name bound to the certificate is the same as the accelerated domain name.
If you are using a certificate issued by a third-party provider, select Custom Certificate (Certificate+Private Key). You need to set the Certificate Name, then upload the Certificate (Public Key) and Private Key. The certificate will be saved in Alibaba Cloud SSL Certificates Service. You can view it in My Certificates.
5.2 Authorize CDN to access a private bucket
If your OSS bucket is private, you must grant CDN access to it. Otherwise, all origin requests will fail due to insufficient permissions.
Go to the Domain Names page in the Alibaba Cloud CDN console, find the domain name that you added, and click Manage to go to the domain name configuration page.
In the Origin Fetch section, turn on Alibaba Cloud OSS Private Bucket Access, and then select Bucket in the Same Account. For cross-account origin fetch, see Access a private OSS bucket.

5.3 Configure URL signing
URL signing, also known as timestamp-based hotlink protection, prevents unauthorized use of your resources by adding a signature and expiration time to access URLs. Alibaba Cloud CDN provides multiple signing methods. For the differences and implementation of these methods, see Configure URL signing.
Go to the Domain Names page in the Alibaba Cloud CDN console, find the domain name that you added, and click Manage to go to the domain name configuration page.
On the Access Control tab, find Set URL Signing and click Modify Configuration.
On the configuration page, select Type A, set a Primary Key and a Secondary Key (you must set at least one of them), and keep them secure. These keys will be used on the server side to verify signed URLs. For usage examples, see Type A signing.
Set the validity period of the signed URL based on your business needs, for example, 1800 seconds.
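The following sketch is an added example, not code from Alibaba Cloud: it signs a path and then runs the same check an edge node would, accepting either the Primary Key or the Secondary Key. It assumes the Type A layout `path?auth_key=timestamp-rand-uid-md5hash`, where md5hash is the MD5 of `path-timestamp-rand-uid-key`, and that the timestamp is the signing time with expiry at timestamp plus the validity period; confirm both against Type A signing. The function names and key values are hypothetical.

```python
import hashlib
import hmac
import time
import uuid
from urllib.parse import urlsplit, parse_qs

def sign_type_a(path, key, now=None, rand=None, uid="0"):
    """Build path?auth_key=timestamp-rand-uid-md5hash (assumed Type A layout)."""
    ts = int(time.time() if now is None else now)
    rand = rand or uuid.uuid4().hex            # random string, must not contain '-'
    digest = hashlib.md5(f"{path}-{ts}-{rand}-{uid}-{key}".encode()).hexdigest()
    return f"{path}?auth_key={ts}-{rand}-{uid}-{digest}"

def verify_type_a(url, keys, ttl=1800, now=None):
    """Return True if auth_key matches one configured key and is still valid."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    fields = parse_qs(parts.query).get("auth_key", [""])[0].split("-")
    if len(fields) != 4 or not fields[0].isdecimal():
        return False                           # missing or malformed signature
    ts, rand, uid, digest = fields
    if now > int(ts) + ttl:
        return False                           # past the validity period
    for key in keys:                           # primary key first, then secondary
        expected = hashlib.md5(
            f"{parts.path}-{ts}-{rand}-{uid}-{key}".encode()).hexdigest()
        if hmac.compare_digest(expected.encode(), digest.encode()):
            return True
    return False

if __name__ == "__main__":
    # Constructed keys for illustration; real keys come from the CDN console.
    PRIMARY, SECONDARY = "constructed-primary-key", "constructed-secondary-key"
    url = sign_type_a("/video/demo.mp4", SECONDARY, now=1_700_000_000)
    print(url)
    print(verify_type_a(url, [PRIMARY, SECONDARY], now=1_700_000_000 + 60))
```

Accepting both keys during verification is what allows a key to be rotated without invalidating URLs that were signed just before the change.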

5.4 Configure a usage cap
To prevent high bills from sudden traffic spikes caused by attacks or unauthorized access, you can configure a usage cap. This feature lets you control the maximum bandwidth, traffic, and number of HTTPS requests for a domain, mitigating losses from unexpected traffic surges.
On the Domain Names page, find the target domain name and click Manage in the Actions column.
In the left-side navigation pane for the domain name, click Traffic Throttling.
On the Usage Cap tab, configure a usage cap policy suitable for your business by following the instructions in the feature description.
Click Modify Configuration. You can select a suitable Statistics Period, Threshold, and Unblock Time based on your business needs. For detailed parameter configurations, see Feature description.
Click OK. The cap rule is created and takes effect immediately.
5.5 Set up monitoring and alerts
Set up real-time monitoring
Set up peak bandwidth monitoring for a specified domain name under the CDN service. When the set peak bandwidth is reached, an alert is sent to the administrator, helping to identify potential risks more promptly. For details, see Set an alert rule.
Set up spending alerts
In the console, navigate to Billing > Billing Management to control spending and prevent unexpectedly high bills with the following features:
Available credit alert: Sends an alert to your alert contacts when your account balance falls below a certain amount.
Troubleshooting
Requests return 403 Forbidden
What to check
Check the error message on the page. If the error message is "You don't have permission to access the URL on this server" with additional information such as "denied by IP ACL = not in whitelist", you can use the error message to quickly locate the blocking policy.
If the error message is only "You don't have permission to access the URL on this server" without any information about what blocked the request, check the URL signing and remote authentication configurations in CDN.
Low cache hit ratio and frequent origin fetches
What to check
Run the curl -I command multiple times for the same resource and check the Age and X-Cache response headers. An Age: 0 or X-Cache: MISS header indicates an origin fetch.
Solutions
The TTL in the cache rule is set too short or is set to "Do not cache". Adjust the cache rule to increase the cache expiration time.
The "ignore parameters" feature is enabled, but the URL contains necessary parameters for version control or image processing, such as ?v=1.1 or x-oss-process. This causes CDN to ignore these parameters, treat all requests as being for the same resource, and serve incorrect content. In this case, you must disable the ignore parameters feature.
An origin response header, such as Cache-Control: no-cache, instructs CDN not to cache the resource. In this case, you need to adjust the origin server's caching policy or configure CDN to not follow the origin server's caching policy by enabling Ignore Origin No-Cache Header when you configure CDN cache expiration time.
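The checks above can be scripted. The following is an added example, not Alibaba Cloud tooling: it models the cache key with Ignore Parameters enabled to list URLs that would share one cache entry, and it classifies a `curl -I` response from its Age, X-Cache and Cache-Control headers. The function names, URLs and header samples are constructed for illustration.

```python
from urllib.parse import urlsplit

def cache_key(url, ignore_params):
    """Edge cache key as described above: with Ignore Parameters on,
    everything after '?' is dropped before the cache lookup."""
    parts = urlsplit(url)
    key = parts.netloc + parts.path
    if parts.query and not ignore_params:
        key += "?" + parts.query
    return key

def colliding_urls(urls, ignore_params=True):
    """Group URLs by cache key and return only keys shared by several URLs."""
    groups = {}
    for url in urls:
        groups.setdefault(cache_key(url, ignore_params), []).append(url)
    return {k: v for k, v in groups.items() if len(v) > 1}

def diagnose(raw_headers):
    """Classify one `curl -I` response: hit, miss, origin-no-cache or unknown."""
    headers = {}
    for line in raw_headers.strip().splitlines()[1:]:    # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "x-cache" not in headers and "age" not in headers:
        return "unknown"                                  # nothing to judge by
    miss = (headers.get("x-cache", "").upper().startswith("MISS")
            or headers.get("age") == "0")
    if not miss:
        return "hit"
    cc = headers.get("cache-control", "").lower()
    return "origin-no-cache" if ("no-cache" in cc or "no-store" in cc) else "miss"

# Constructed sample data, not captured from a real domain.
URLS = [
    "https://www.example.com/app.js?v=1.1",
    "https://www.example.com/app.js?v=1.2",
    "https://www.example.com/a.jpg?x-oss-process=image/resize,w_100",
    "https://www.example.com/a.jpg",
    "https://www.example.com/logo.png",
]
MISS_NO_CACHE = "HTTP/1.1 200 OK\nCache-Control: no-cache\nX-Cache: MISS\nAge: 0\n"
HIT = "HTTP/1.1 200 OK\nCache-Control: max-age=3600\nX-Cache: HIT\nAge: 42\n"

if __name__ == "__main__":
    print(colliding_urls(URLS))
    print(diagnose(MISS_NO_CACHE), diagnose(HIT))
```

Running `colliding_urls` over the URLs in an access log before enabling Ignore Parameters shows which versioned or image-processing URLs would start returning the wrong variant.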
AccessDenied error
What to check
Check the error message. If the error is You have no right to access this object because of bucket acl, it means the error is due to the OSS bucket's ACL being private. You need to enable Alibaba Cloud OSS Private Bucket Access.
Solution
In the Origin Fetch configuration of the CDN console, enable Alibaba Cloud OSS private bucket access. Then, use the Purge and prefetch resources feature. After the cache for the access link is purged, you can access the resource.