The IP address used to access an Object Storage Service (OSS) bucket dynamically changes. You can configure a reverse proxy on an Elastic Compute Service (ECS) instance to access the OSS bucket by using a static IP address.
Background information
OSS uses RESTful APIs to provide services. You can access a bucket by using the default endpoint of the bucket or custom domain names that are mapped to the bucket. However, you may need to use a static IP address to access OSS in some scenarios.
- For security reasons, some enterprises must configure outbound rules to specify that internal employees and business systems can access only the specified public IP addresses. However, the IP addresses used to access a bucket in OSS dynamically change. In this case, enterprises must frequently modify firewall rules.
- Limited by the network architecture of Alibaba Finance Cloud, internal network-specific buckets in Alibaba Finance Cloud can be accessed only by requests from Alibaba Finance Cloud but not those from the Internet.
To resolve the preceding issues, you can use an ECS instance to configure a reverse proxy to access OSS. 

Procedure
- Create an ECS instance. In this example, an ECS instance that runs Ubuntu 18.04 (64-bit) is created. Make sure that the ECS instance and the bucket you want to access are located in the same region.
For more information about how to create an ECS instance, see Create an instance.
- Connect to the ECS instance. For more information about how to connect to an ECS instance, see Connect to an instance.
- Run the following command to update the APT sources:
sudo apt-get update
- Run the following command to install NGINX:
sudo apt-get install nginx
By default, the NGINX files are installed in the following paths.

| Directory | Description |
| --- | --- |
| /usr/sbin/nginx | Stores the NGINX executable file. |
| /etc/nginx | Stores configuration files. |
| /usr/share/nginx | Stores static files. |
| /var/log/nginx | Stores logs. |

- Run the following command to open the nginx.conf file:
sudo vi /etc/nginx/nginx.conf
- Refer to the following instructions to modify the HTTP module in the nginx.conf file.
Important:
  - In this topic, a demo environment is used as an example. To ensure data security, we recommend that you configure the HTTP module based on your actual scenario. For more information, see How to reverse proxy an OSS domain name in an ECS instance and implement HTTPS access.
  - You can configure a reverse proxy for only one bucket if you use this configuration method.
server {
    listen 80;
    server_name 47.**.**.73;
    location / {
        proxy_pass http://bucketname.oss-cn-beijing-internal.aliyuncs.com;
        #proxy_set_header Host $host;
    }
}
Parameter: server_name
Description: The IP address used to provide the reverse proxy service, which is the public IP address of the ECS instance.

Parameter: proxy_pass
Description: The domain name for redirection.
  - If the ECS instance and the bucket that you want to access are located in the same region, specify the internal endpoint of the bucket. For more information, see Access OSS over the internal network.
  - If the ECS instance and the bucket that you want to access are located in different regions, specify the public endpoint of the bucket. For more information, see Access OSS over the public network.
  - To preview an image or web page object in a bucket in a browser: To ensure security, when you access an image or web page object in a bucket by using the default domain name of the bucket in a browser, the object is downloaded. To preview the object in the browser, map a custom domain name to the bucket in which the object is stored and add the custom domain name to the value of proxy_pass. For more information about how to map a custom domain name to a bucket, see Map custom domain names.

Parameter: proxy_set_header Host
Description: If you add this parameter, the $host value is replaced with the IP address of the ECS instance when NGINX sends a request to OSS. You must add this parameter in the following scenarios:
  - Signature errors occur.
  - The custom domain name that is mapped to the bucket is resolved to the public IP address of the ECS instance. You must preview image or web page objects in the bucket by using a browser. You can map the custom domain name to the bucket for which a reverse proxy is configured without adding a CNAME record for the custom domain name. In this case, you can set proxy_pass to the internal or public endpoint of the bucket. For more information about how to map a custom domain name to a bucket, see Map custom domain names.
Note: This option is suitable for scenarios where a custom domain name is used to request access to a proxy server. If you use the IP address to directly request access to the proxy server, you must add proxy_set_header Host $host to the nginx.conf file.

- Run the following command to go to the directory of the NGINX executable file:
cd /usr/sbin/
- Run the following command to start NGINX:
sudo ./nginx
- Enable TCP port 80 of the ECS instance. By default, NGINX uses TCP port 80. Therefore, you must enable TCP port 80 when you configure a security group for the ECS instance.
For more information, see Add a security group rule.
- Append the object path to the public IP address of the ECS instance to access OSS resources. If the object access control list (ACL) is private, you must sign the object URL. For more information, see Add signatures to URLs.
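
A more restrictive variant of the demo server block from the nginx.conf step, given here as an added example rather than configuration from the original page: it limits which clients may use the proxy, makes the proxy read-only, and writes a dedicated access log. The 203.0.113.0/24 range and the log file name are constructed placeholders; bucketname, the endpoint and the masked IP address are the page's own demo values.

```nginx
# Added example: goes inside the http { } block of /etc/nginx/nginx.conf.
server {
    listen 80;

    # Masked on this page; replace with the public IP address of the ECS instance.
    server_name 47.**.**.73;

    # Dedicated log so proxy use can be reviewed separately from other sites.
    # The file name is a constructed placeholder under the default log directory.
    access_log /var/log/nginx/oss-proxy.access.log;

    # Only the enterprise egress range may reach the proxy.
    # 203.0.113.0/24 is a constructed placeholder (documentation range).
    allow 203.0.113.0/24;
    deny  all;

    location / {
        # Read-only proxy: every method except GET (and HEAD, which NGINX
        # allows together with GET) is rejected before it reaches OSS.
        limit_except GET {
            deny all;
        }

        proxy_pass http://bucketname.oss-cn-beijing-internal.aliyuncs.com;
        #proxy_set_header Host $host;
    }
}
```

Run sudo nginx -t to check the syntax before you start NGINX, and keep the security group rule for TCP port 80 limited to the same source range.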