Configuration examples of mirroring-based back-to-origin - Object Storage Service

This topic describes how to configure mirroring-based back-to-origin rules in several special scenarios.

Example 1

Customer A creates a bucket named bucket-01 in the China (Hangzhou) region and has the following requirements:

When a requester accesses a file that does not exist in the examplefolder directory, the file can be obtained from the https://example.com destfolder directory of the site.
The MD5 hashes of the objects in the origin must be checked. If the MD5 hashes of the objects in the origin do not match the MD5 hashes calculated by Object Storage Service (OSS), these objects are not stored in bucket-01.

To meet the preceding requirements, configure a mirroring-based back-to-origin rule based on the following steps:

Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.
In the left navigation bar, select Data Management > Back-to-Origin.
On the Back-to-Origin page, click Create Rule.

In the Create Rule panel, configure the required parameters as described in the following table. Keep the default values for other parameters.

Parameter	Configuration
Back-to-Origin Type	Select Mirroring.
Back-to-Origin Condition	Select File Name Prefix and set it to examplefolder/.
Replace Or Truncate Prefix	Select Replace Or Truncate Prefix and set it to destfolder/. Note This option is displayed only after you set File Name Prefix in the Back-to-Origin Condition section.
Origin URL	Set the first column to https, the second column to example.com, and leave the third column empty.
Check MD5	Select Check MD5. When the response to the back-to-origin request contains the Content-MD5 header, OSS checks whether the MD5 hash of the object obtained from the origin matches the value of the Content-MD5 header. If the calculated MD5 hash of the object matches the value of the Content-MD5 header obtained from the origin, the client obtains the object, and OSS saves the object obtained from the origin. If the calculated MD5 hash of the object does not match the value of the Content-MD5 header obtained from the origin, OSS does not save the object although the object is still returned to the client.

Click OK.
You can access the required object based on the following processes after you have configured the rule:
1. A requester accesses https://bucket-01.oss-cn-hangzhou.aliyuncs.com/examplefolder/example.txt for the first time.
2. If the examplefolder/example.txt file does not exist in bucket-01, OSS requests the file from https://example.com/destfolder/example.txt.
3. After the required object is obtained, OSS performs the following operations:
  - If the response to the back-to-origin request contains the Content-MD5 header, OSS calculates the MD5 hash of the object obtained from the origin, and matches the calculated MD5 hash with the value of the Content-MD5 header obtained from the origin. If the MD5 hash matches, OSS renames the file to examplefolder/example.txt, saves it to bucket-01, and returns it to the requester. If the MD5 hash does not match, OSS returns the file to the user without saving it to bucket-01.
  - If the response to the back-to-origin request does not contain the Content-MD5 header, OSS renames the file to examplefolder/example.txt, saves it to bucket-01, and returns it to the requester.

Example 2

Customer B creates a bucket named bucket-02 in the China (Beijing) region and has two sites with identical directories: Origin A (https://example.com) and Origin B (https://example.org). Customer B has the following requirements:

When a requester accesses a file that does not exist in the bucket-02/dir1 directory, the file is obtained from the https://example.com example1 directory of the site.
When a requester accesses a file that does not exist in the bucket-02/dir2 directory, the file is obtained from the https://example.org example2 directory of the site.
Determine whether to request objects from the specified address based on whether the redirection policy is configured for Origin A and Origin B.

To meet the preceding requirements, refer to the operation guide in Example 1 to configure the following two mirroring-based back-to-origin rules:

Rule 1:

Parameter	Configuration
Back-to-Origin Type	Select Mirroring.
Back-to-Origin Condition	Select File Name Prefix and set it to dir1/.
Replace Or Truncate Prefix	Select Replace Or Truncate Prefix and set it to example1/. Note This option is displayed only after you set File Name Prefix in the Back-to-Origin Condition section.
Origin URL	Set the first column to https, the second column to example.com, and leave the third column empty.
3xx Response Policy	Select Follow Origin Redirection Request. Note If Follow Origin Redirection Request is not selected, OSS directly returns the address specified by the origin redirection rule to the requester.

Rule 2:

Parameter	Configuration
Back-to-Origin Type	Select Mirroring.
Back-to-Origin Condition	Select File Name Prefix and set it to dir2.
Replace Or Truncate Prefix	Select Replace Or Truncate Prefix and set it to example2/. Note This option is displayed only after you set File Name Prefix in the Back-to-Origin Condition section.
Origin URL	Set the first column to https, the second column to example.org, and leave the third column empty.
3xx Response Policy	Select Follow Origin Redirection Request.

The following content shows the access process after the preceding back-to-origin rules are configured:

A requester accesses https://bucket-02.oss-cn-beijing.aliyuncs.com/dir1/example.txt for the first time.
If the example.txt file does not exist in the dir1 directory of bucket-02, OSS requests the file from https://example.com/example1/example.txt.
- If Origin A has configured a redirection rule for example1/example.txt, OSS sends a new request to the address specified by the origin redirection rule. After obtaining the file, OSS renames it to dir1/example1/example.txt, saves it to bucket-02, and returns it to the requester.
- If Origin A has not configured a redirection rule for example1/example.txt, OSS renames the obtained file to dir1/example1/example.txt, saves it to bucket-02, and returns it to the requester.
If the requester accesses https://bucket-02.oss-cn-beijing.aliyuncs.com/dir2/example.txt, the file obtained through the mirroring-based back-to-origin rule will be stored in the dir2/example2 directory of bucket-02.

Example 3

Customer C creates a public-read bucket named bucket-03 and a private bucket named bucket-04 in the China (Shanghai) region. Customer C has the following requirements:

When a requester accesses a file that does not exist in the examplefolder directory in the root directory of bucket-03, the target file is obtained from the examplefolder directory of bucket-04.
Allow the query string included in the request URL for an object to be transferred to the origin.
Allow the header1, header2, and header3 HTTP headers included in the request URL to be transferred to the origin.

To meet the preceding requirements, refer to the operation guide in Example 1 to configure the following mirroring-based back-to-origin rule:

Parameter	Configuration
Back-to-Origin Type	Select Mirroring.
Back-to-Origin Condition	Select File Name Prefix and set it to examplefolder/.
Origin Type	Select Private OSS Bucket and select bucket-04 from the Origin Bucket drop-down list. After this option is configured, when a user accesses a non-existent object, OSS pulls data from the specified private origin bucket through the default role `AliyunOSSMirrorDefaultRole`. The `AliyunOSSReadOnlyAccess` permission is required during the data pulling process to ensure that OSS can access the origin data in read-only mode, preventing modification or deletion of the origin data. When a RAM user configures mirroring-based back-to-origin for a private OSS bucket, the RAM user must have the `ram:GetRole` permission. This permission is used to check whether the `AliyunOSSMirrorDefaultRole` role exists. If the role exists, it is directly called. If the role does not exist, it is recommended to create the `AliyunOSSMirrorDefaultRole` role through the Alibaba Cloud account associated with the RAM user in advance and grant the `AliyunOSSReadOnlyAccess` permission to this role. This avoids granting high-risk permissions to RAM users, such as creating roles (ram:CreateRole) and granting permissions to roles (ram:AttachPolicyToRole). After authorization is complete, RAM users can directly reuse the created role, reducing permission configuration risks.
Origin URL	Set the first column to https and leave the others empty.
Back-to-Origin Parameters	Select Transfer Query String. OSS transfers the query string included in the URL of the required object to the origin.
Set HTTP Header Transfer Rules	Select Transfer Specified HTTP Headers and add the header1, header2, and header3 HTTP headers. Back-to-origin rules do not support transferring some standard HTTP headers, such as `authorization`, `authorization2`, `range`, `content-length`, `date`, and HTTP headers that start with `x-oss-`, `oss-`, or `x-drs-`. Important When using back-to-origin for a private bucket, do not select to transfer all HTTP header parameters, as this will cause the back-to-origin operation to fail.

The following content shows the access process after the preceding back-to-origin rule is configured:

A requester accesses https://bucket-03.oss-cn-shanghai.aliyuncs.com/examplefolder/example.png?caller=lucas&production=oss for the first time.
If the examplefolder/example.png file does not exist in bucket-03, OSS requests the file from https://bucket-04.oss-cn-shanghai.aliyuncs.com/examplefolder/example.png?caller=lucas&production=oss.
bucket-04 returns the ?caller=lucas&production=oss example.png file to OSS based on the transferred parameters.
OSS renames the obtained file to examplefolder/example.png and stores the renamed file in bucket-03.

If the request also includes the header1, header2, and header3 HTTP headers, these headers will also be transferred to bucket-04.