This topic answers frequently asked questions (FAQ) about using Alibaba Cloud CDN to accelerate access to Object Storage Service (OSS).
How do I verify CDN acceleration to OSS?
Step 1: Check the CNAME record
Take Alibaba Cloud DNS as an example. Log on to the DNS console, select Public Zone, and click Settings next to your domain name.
Check that the CNAME record for the CDN-accelerated domain name has been added. For example, the CNAME record for
oss.example.commight beoss.example.com.w.kunlunaq.com.
Step 2: Use the nslookup command to verify that the domain name points to a CDN node
Open Command Prompt (Windows) or Terminal (macOS/Linux).
Enter nslookup -type=CNAME and the accelerated domain name. If the result matches the CNAME value of the accelerated domain name in the CDN console, CDN acceleration has taken effect.
If you have not configured a CNAME, see Configure a CNAME.
How do I use CDN to accelerate access to a private OSS bucket?
If the origin of your accelerated domain name is a private bucket, enable private OSS bucket origin fetch to accelerate access to resources in the private OSS bucket using CDN.
After you enable private bucket origin fetch, you can use the accelerated domain name to access all resources in your private bucket. The original private authentication method for the URLs becomes invalid. To protect your resources from unauthorized access, use the hotlink protection (Referer) and URL signing features provided by CDN. For more information, see Configure a Referer blacklist or whitelist and Configure URL signing.
How do I deploy an HTTPS certificate when using CDN to accelerate access to OSS?
When you use CDN to accelerate access to OSS, deploy an HTTPS certificate in the CDN console. For more information, see Configure an HTTPS certificate.
If your certificate is managed in Certificate Management Service, you can also deploy it from the CMS console. For more information, see Deploy SSL certificates to Alibaba Cloud services.
In a scenario where CDN accelerates access to a private OSS bucket, how do I use the OSS static page hosting feature?
If you have configured the static website hosting feature for an OSS bucket and the bucket or its default index page (such as index.html) is private, you must enable private OSS bucket origin fetch.
Problem description
When you access the CDN-accelerated domain name, an error message is returned, such as You don't have permission to access the URL on this server or You are forbidden to list buckets.
Cause
When you configure static website hosting for an OSS bucket, you set a default index page, such as index.html. An anonymous request to the website's root directory (for example, https://example.com/) is automatically redirected to the default index page (for example, https://example.com/index.html). However, after you enable private OSS bucket origin fetch for CDN, origin-fetch requests from the CDN-accelerated domain name are treated as authenticated requests to the root directory. OSS denies these requests by default.
Solution
In the CDN console, configure a URL rewrite rule to rewrite the access URL to the configured index page, such as index.html. CDN points of presence (POPs) will then use a 302 redirect to direct the client to the index.html content. This allows the static website hosting feature to function correctly. For more information, see Rewrite access URLs.
Configuration method: Set Path to Be Rewritten to ^/$, set Target Path to /index.html, and set Flag to Redirect.
How do I configure features such as cross-domain sharing and hotlink protection when using CDN to accelerate access to OSS?
If you use a CDN-accelerated domain name to provide services over the Internet, configure access control features such as hotlink protection (Referer) and URL signing in the CDN console to protect your resources. For more information, see Access control.
Features such as cross-origin resource sharing (CORS) must also be configured in the CDN console. For more information, see Configure CORS.
When using CDN to accelerate access to OSS, why does access seem slower after enabling CDN?
When a client uses an accelerated domain name to access a resource for the first time, the request reaches a CDN POP. Because the resource is not yet cached on the POP, the POP fetches the resource from OSS and caches it. Subsequent requests for this resource are served directly from the POP. Therefore, the first access may be slower than without CDN acceleration.
You can use the prefetch feature of CDN to proactively cache resources from OSS to CDN POPs. When a client requests a resource for the first time, it can be retrieved directly from the nearest POP instead of the origin server. For more information, see Refresh and prefetch resources.
If CDN frequently fetches from OSS, how do I set the cache policy?
If you do not configure a time-to-live (TTL) or if the configured TTL is not suitable, CDN may frequently perform origin-fetch operations. This increases the origin-fetch traffic to OSS and the related costs (the CdnOut item in OSS billing), and can reduce access speed. Configure the cache TTL as needed:
For static files that are rarely updated, such as images and application packages, set the TTL to one month or longer.
For frequently updated static files, such as JS and CSS files, set the TTL as needed.
For more information, see Configure cache expiration.
When using CDN to accelerate access to OSS, how do I ensure users access the latest resources after an OSS file is refreshed?
After you modify a file in OSS, if you want CDN POPs to automatically refresh their cache to serve the updated content, enable the Auto CDN Cache Update feature in the OSS console. To configure this feature, see the "Enable auto CDN cache update" section in Accelerate access with CDN.
This feature does not guarantee that a refresh task is successfully submitted or that it is submitted promptly. If timeliness is critical or you need to know the result of the task, you can use the refresh feature of CDN. For more information, see Refresh and prefetch resources.
What do I do if I cannot enable auto CDN cache update in the OSS console because a domain name must be bound first?
Problem description
You cannot enable auto CDN cache update, and the message "Please bind this domain name on OSS first." is displayed.
Solution
Click Unmapped in the Map Custom Domain Name column for the domain name, and then bind the domain name as prompted.
If you have already bound a CDN-accelerated domain name and its DNS record points to the CNAME, do not change the DNS settings after you bind the domain name in OSS. Otherwise, the CDN acceleration service will be interrupted.
After using CDN to accelerate OSS, why do the OSS image processing parameters do not take effect?
When you use CDN to accelerate access to OSS, requests first reach CDN POPs. If the ignore parameters feature is enabled in CDN, POPs ignore any parameters that follow the question mark (?) from the request URL. If the resource is already cached, the POP does not fetch it from OSS again. As a result, OSS image processing does not take effect. For more information, see Ignore parameters.
To resolve this, disable the ignore parameters feature in the CDN console. When a user request contains parameters, it triggers an origin fetch to OSS, and image processing is applied as expected.
After you disable the ignore parameters feature, the cache hit ratio may decrease because all requests with parameters trigger an origin fetch. Alternatively, you can use the image processing feature provided by CDN to process images on POPs.