configure an OSS bucket as an origin server, configure the server used to store static resources, configure the origin server for DNS resolution - Edge Security Acceleration

Using ESA to distribute static resources such as images, audio or video from OSS can significantly improve resource loading speed and website security.

Example

A website uses OSS to store many static resources such as images and videos, primarily serving users outside the Chinese mainland. With more and more users, the response time for file downloads and resource loading has slowed, especially for users in distant locations. To address this issue, the website was added to ESA. ESA offers acceleration for OSS to achieve fast resource delivery at the lowest cost, while comprehensively improving user experience and website security through features such as WAF and DDoS.

Solution overview

You can store static resources in a private OSS bucket, then accelerate its access through ESA. When a client initiates a request, ESA automatically selects the fastest point of presence (POP) based on the domain name. If the POP has cached the requested resource, it directly returns the resource to the user. If not, the POP retrieves the resource from the origin, returns it to the user, and caches the resource for subsequent requests.

Prerequisites

You have completed Alibaba Cloud account registration.
You have activated OSS service and stored static resources in a private OSS bucket.
You have registered a domain name.
Note
If your website's acceleration region includes the Chinese mainland, you need to complete ICP filing for your domain name.

Add your website to ESA

Once connecting your website's primary domain name (for example, example.com) to ESA, you can accelerate and manage both the primary domain name and all its subdomains.

Step 1: Add your website

In the ESA console, choose Websites and click Add Website.
On the Enter Website page, enter the primary domain name of the website you want to connect (for example, example.com) in the input box, and click Next.
For Loaction, select Global (Excluding Chinese Mainland), and for DNS Setup, select CNAME, and then click Next.
On the Select Plan page, you can bind a suitable package by clicking New Plans or Purchased Plans. Follow the console instructions.

Step 2: Verify domain ownership

When you add a domain name to ESA for the first time, you need to verify your domain ownership.

On the Overview page, copy the Record Type, Host Record, and Record Value generated by ESA.
Log on to the Alibaba Cloud DNS console, and select Public DNS Resolution > Authoritative DNS Resolution.
On the Authoritative DNS Resolution tab, find the target domain name (such as example.com), and click Configure in the Actions column.
Click Add Record, fill in the relevant parameters according to the content copied in Step 1, and then click OK.
- Record Type: TXT
- Host Record: _esaauth
- Resolution Request Source: Default
- Record Value: verify_3***9e1
- TTL: 10 (recommended)
Return to the ESA console, go to the target site overview page, and click Verify.
When viewing the verification result, if the system shows Verification Successful, it means the verification has passed.

Add domain name and configure DNS resolution

To achieve acceleration, you need to add the accelerated domain name in ESA, and then configure DNS resolution through the Alibaba Cloud DNS platform. The following example uses the domain name images.example.com and the OSS private Bucket address bucket***aliyuncs.com. Replace the domain name and Bucket address in the example with your actual domain name and address that need acceleration.

Step 1: Add domain name in ESA

You need to configure the accelerated domain name, OSS private Bucket address, and other information in the ESA server by adding DNS records to obtain the CNAME value.

In the ESA console, choose Websites and click the name of the website you want to manage.
In the left navigation pane, select DNS > Records, and click Add Record. Fill in the record parameters according to the following information, and then click Next.
- Record Type: CNAME.
- Host Record: images.
- Proxy Status: Enabled.
- Record Value: Select OSS.
- Origin Type: Select Private Access (Same-account).
- Authorization: By default, automatically authorize access to private Buckets in the same OSS account.
- OSS Bucket: Select bucket***aliyuncs.com.
- TTL: Default Auto.
Select Images/Videos, and click Complete.
In the CNAME Configuration Guide, copy the Host Record and Record Value, and go to the Alibaba Cloud DNS console to add a CNAME type DNS record.

Step 2: Configure DNS resolution

Copy the corresponding CNAME value in ESA and add the CNAME record in the Alibaba Cloud DNS. When users access the accelerated domain name, the request will be resolved through the Alibaba Cloud DNS platform to the corresponding ESA edge POP, thereby enabling accelerated proxy service.

On the Authoritative DNS Resolution page, click DNS Settings in the Actions column of the target domain name (such as example.com).
Click Add Record, fill in the parameters according to the Host Record and Record Value copied from ESA, and then click OK.
- Record Type: CNAME
- Host Record: images
- DNS Request Source: Default
- Record Value: images.example.com.a1.initzz.com
- TTL: 10 (recommended)
Return to ESA to check if the accelerated domain name is effective, which might take a few minutes. When the CNAME Status shows Configured, the acceleration is effective.

Step 3: Verify acceleration

Access the same file through both the ESA accelerated domain name and the Bucket domain name to verify the acceleration effect of ESA.

In the example, the results show that the loading time through the ESA accelerated domain name is 128ms, while the loading time through the Bucket domain name is 163ms. The ESA accelerated domain name is about 21% faster.

Note

The above data is for reference only. The effects may vary depending on network environment, geographical location, and other factors. Generally, the closer users are to edge POP or the better the network environment, the faster ESA can be.

Access by ESA accelerated domain name

Access by Bucket domain name

Enable protection for your website

To improve your website’s data security, configure key features such as DDoS protection (to block flood attacks), Web Application Firewall (WAF, to prevent malicious activity), and SSL certificate management (to encrypt data transmission). Together, these features help create a safer and more reliable website.

Access protection: Comprehensive website security

Access protection defends websites against malicious attacks and ensures website stability and availability. ESA uses native WAF capabilities, combined with predefined rules and custom rules, to intelligently filter client request traffic, ensuring that only legitimate, clean traffic can reach the server, thereby reducing potential risks.

ESA collects and analyzes client request data in real time through security analytics and events analytics to identify abnormal behavior. Combined with WAF custom rules, you can flexibly configure measures such as blocking, JavaScript Challenge, and redirection to precisely respond to different attacks.

ESA also provides basic DDoS protection by default, which can effectively defend against large-scale DDoS attacks and CC attacks, ensuring stable website operation under high-traffic attacks.

With these layered protections, ESA helps you quickly identify and block abnormal access, offering strong defense against threats to fully protect your website.

Data transmission encryption: secure communication between client and server

Encrypting data during transmission is essential to protect sensitive information from theft or tampering. ESA offers end-to-end data transmission security between the client and your server, ensuring your data stays safe at every stage.

First, ESA enables SSL/TLS encryption by default. The SSL/TLS protocol ensures the confidentiality and integrity of data during transmission by establishing an encrypted channel between the client and server.

To further enhance security, apply for a free edge certificate. By deploying edge certificates, clients will communicate with ESA POPs using the HTTPS protocol, ensuring that data transmission is encrypted and authenticated, increasing user trust in your website.

ESA also supports enabling edge TLS mutual authentication. This feature establishes a bidirectional authentication mechanism between the client and ESA POP, ensuring that only authorized clients can access the server. This mechanism greatly enhances the security of data transmission and effectively prevents unauthorized access and malicious attacks.

Through these security measures, your business data is protected from various network threats during transmission, safeguarding your business.

Recommended configurations

ESA offers several optimization strategies to improve resource access, enhance network performance, and increase cache hit rates. These features help provide faster, more stable, and more secure website access..

Optimize resource access

By enabling and optimizing website settings, ESA can significantly improve application performance. ESA adopts multiple advanced technologies to optimize resource access, including custom image transformation, resource minimization, and transmission protocol upgrade. These optimization features boost website speed, allowing you to access resources more quickly and improving the overall user experience.

Custom image transformation: Automatically adjusts image size and format based on the user's device and screen, reducing unnecessary data transfer.
Resource minimization: Compresses and optimizes static resources, removes redundant code and useless data, reducing resource file size.
Transmission protocol upgrade: Supports transmission protocols such as HTTP/2 and HTTP/3, improving data transmission efficiency and reducing latency.

Optimize network performance

To boost network speed, ESA offers four network optimization settings that improve performance from protocol support to communication methods.

IPv6 protocol support: Fully compatible with IPv6 protocol, improving the utilization of network address resources and optimizing network connection efficiency.
WebSocket low-latency communication: Uses WebSocket protocol for real-time communication, reducing data transmission latency and improving real-time application response speed.
gRPC efficient service interaction: Provides low-latency, high-throughput service interaction based on gRPC's efficient communication mechanism, suitable for scenarios with extremely high performance requirements.
Intelligent traffic shaping to prevent overload: Intelligent traffic control and load balancing prevent network congestion and overload, ensuring stable transmission speeds even during high traffic.

Improve cache hit ratio

To improve resource access speed, ESA supports configuring website cache policies or creating cache rules to store frequently used resource files on edge POPs. When users request files, POPs respond directly, avoiding long origin fetch requests, thereby significantly reducing resource loading time.

Global cache: Flexibly configure cache rules. You can specify which resources need to be cached and which do not, maximizing cache hit ratio.
Tiered cache: Store frequently used resources and static files on globally distributed edge POPs. This lets users access content from nearby locations, reducing transmission distance and latency.