All Products
Search
Document Center

Object Storage Service:Use Alibaba Cloud CDN to accelerate access to OSS objects

Last Updated:Dec 03, 2024

You can use Alibaba Cloud CDN to distribute static resources, such as images, videos, and documents in Object Storage Service (OSS), to reduce traffic costs and accelerate resource loading.

Process

The following figure describes how to use Alibaba Cloud CDN to accelerate access to static resources in OSS.

image

Steps:

  1. Create a private bucket: You must create a private bucket to store static resources. The bucket is used as the origin server to allow Alibaba Cloud CDN to accelerate the delivery of the static resources. At the same time, unauthorized access to the static resources is denied, which ensures data security.

  2. Add a domain name to accelerate and add a CNAME record for the domain name: After you add a domain name in the Alibaba Cloud CDN console, the system assigns a CNAME to the domain name. Next, you must add a CNAME record in the system of your DNS service provider to map the domain name to the CNAME. This way, when users request the resources by using the accelerated domain name, the requests that are destined for the origin server are redirected to points of presence (POPs).

  3. Enable access to the private bucket: If you enable access to the private bucket, Alibaba Cloud CDN obtains the static resources from the private bucket.

Prerequisites

  • OSS is activated. For more information, see Get started with OSS.

  • Alibaba Cloud CDN is activated. For more information, see Activate Alibaba Cloud CDN.

  • A domain name is registered. For more information, see Register a domain name on Alibaba Cloud. You can map a domain name that is not registered with Alibaba Cloud to a bucket. If you do not have a domain name, you can register one by using the Alibaba Cloud Domains service platform.

  • An Internet Content Provider (ICP) filing is obtained for your domain name if the bucket to which you want to map the domain name resides in the Chinese mainland. For more information, see ICP filing process.

Procedure

Manual deployment

Step 1: Create a private bucket

  1. Log on to the OSS console. In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.

  2. In the Create Bucket panel, specify the bucket name and retain the default settings for other parameters as shown in the following figure. Click OK.

    bucket001.jpg

Step 2: Add the domain name that you want to accelerate and add a CNAME record for the domain name

In the following steps, oss.example.com is used as a CDN-accelerated domain name. You can specify a root domain name, subdomain, or wildcard domain name as the accelerated domain name.

  1. Add the domain name that you want to accelerate.

    1. On the Add Domain Name wizard in the CDN console, configure the parameters and click Next. The following table describes the parameters that you must configure. Retain the default settings for other parameters.

      cdn.jpg

    2. On the Domain Names page, wait until the status of the domain name becomes Enabled. Copy the value of the CNAME record. In this example, the value of the CNAME is oss.example.com.w.kunlunaq.com.

  2. Resolve the domain name.

    1. On the Domain Name Resolution page in the Alibaba Cloud DNS console, click DNS Settings in the Actions column of oss.example.com. On the DNS Settings tab, click Add DNS Record. In the Add DNS Record dialog box, specify the required parameters as shown in the following figure. Retain the default settings for other parameters and click OK.

      dns.jpg

    2. Wait for a few minutes and then run the ping command to check whether the accelerated domain name takes effect. If the command output is similar to the command output that is shown in the following figure, the accelerated domain name is in effect.

      ping

Step 3: Enable access to the private bucket

  1. On the Domain Names page of the Alibaba Cloud CDN console, click the accelerated domain name.

  2. In the left-side navigation tree, click Origin Fetch and turn on Alibaba Cloud OSS Private Bucket Access.

    cdn.jpg

Verification

After you complete the preceding steps, you must upload an object to the created bucket and check whether access to the object is accelerated by using the CDN-accelerated domain name.

  1. Upload an image to the created bucket.

    1. On the Buckets page of the OSS console, click the bucket to which you want to upload the image.

    2. On the Objects page, click Upload Object, select the image that you want to upload, such as an image named dest.jpg, and then follow the on-screen instructions to upload the image.

  2. Obtain the URL of the uploaded image.

    1. In the left-side navigation tree, choose Object Management > Objects. On the Objects page, find the image whose URL you want to obtain and click View Details in the Actions column.

    2. In the View Details panel, click Copy Object URL to obtain the image URL.

      • Obtain the URL of the image that you can use to access the image by using the bucket domain name

        The image access control list (ACL) is private. In this case, you must sign the image URL.

        Dingtalk_20240927113557.jpg

      • Obtain the URL of the image that you can use to access the image by using the CDN-accelerated domain name

        Obtain an image URL that does not contain signature information. For example, if the copied image URL is http://oss.example.com/dest.jpg?Expires=1727408333&OSSAccessKeyId=TMP.3********&Signature=eg********, the image URL which does not contain signature information is https://oss.example.com/dest.jpg.

        dest.jpg

  3. Verify the acceleration result.

    Use HTTP Detection in the CloudMonitor console to compare the loading time when the image is accessed by using the bucket domain name and the CDN-accelerated domain name. The results indicate that the loading time when the image is accessed by using the CDN-accelerated domain name is 90.04 ms, whereas the loading time when the image is accessed by using the bucket domain name is 146.61 ms. The speed when the image is accessed by using the CDN-accelerated domain name is approximately 38% faster than the speed when the image is accessed by using the bucket domain name.

    Note

    The preceding acceleration result is provided only for reference. The improvement of access speed varies based on factors such as different network connections and geographical locations. In most cases, if the region in which the user is located is close to the POP or the network connection is good, the access speed may be increased to a higher rate.

    image

Suggested configurations

To improve acceleration performance and secure data transmission, you can enable the corresponding features based on your business requirements.

Enable HTTPS secure acceleration

Alibaba Cloud CDN supports HTTPS secure acceleration. You can deploy an SSL certificate in the Alibaba Cloud CDN console and enable HTTPS secure acceleration to encrypt requests between clients and POPs. For more information, see Configure an SSL certificate.

Improve cache hit rate

  • Auto CDN cache update: To ensure that users can access the latest modified files in OSS in a timely manner, you can enable the CDN cache auto-refresh function through the OSS console. The specific steps are as follows:

    1. On the Buckets page, find the bucket that you want to use and click the bucket name.

    2. In the left-side navigation pane, choose Bucket Settings > Domain Names, then click Supported Operations.

    3. In the drop-down list, select the API operations that trigger automatic updates of CDN cache and click OK.

Important

This feature does not guarantee that a purge task can be submitted as expected or in a timely manner. If you want to purge the cache in a timely manner or to obtain the purge results, you can use the purge feature of Alibaba Cloud CDN. For more information, see Purge and prefetch resources.

  • Specify a proper TTL value for cached resources

    • Specify a time to live (TTL) of one month or longer for static resources that are infrequently updated, such as images and application packages.

    • Specify a TTL based on your business requirements for static resources that are frequently updated, such as JavaScript and CSS files.

    • Specify a TTL of 0 seconds to disable caching for dynamic resources, such as PHP, JSP, and ASP files.

    For more information, see Create a cache rule for resources.

Protect websites from unauthorized access

Hotlink protection identifies and filters requesters based on the Referer header in requests to implement access control and prevent unauthorized access. After you configure a Referer whitelist or blacklist, Alibaba Cloud CDN allows or denies requests based on user identities. If a request is allowed, Alibaba Cloud CDN returns the URL of the requested resource. If a request is denied, Alibaba Cloud CDN returns the HTTP 403 status code. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection.

Prevent website resources from being maliciously downloaded

Content that is delivered by Alibaba Cloud CDN is publicly available. Requesters who have the URL of an object can access the object. To prevent unauthorized access to resources on your website, you can configure URL signing to add signature strings and timestamps to URLs for access control. For more information, see Configure URL signing.

Accelerate file distribution on CDN POPs

After you enable range origin fetch, the OSS bucket that serves as the origin server returns the chunk of file that is specified by the Range header to POPs. This reduces origin traffic and accelerates content delivery. Range origin fetch is suitable for large file distribution scenarios such as audio and video streaming. Range origin fetch is not suitable for small file distribution scenarios. You do not need to enable range origin fetch when you use Alibaba Cloud CDN to accelerate the delivery of images. For more information, see Range origin fetch.

FAQ

How can I check whether a request hits the cache?

  • A request does not hit the cache

    You can check whether data is served from a POP by opening the browser developer tools and checking the X-Cache field. If the value of the X-Cache field starts with MISS, the requested object is a cache miss on the POP and the CDN POP requests the origin server for the missing object.

    outside.jpg

  • A request hits the cache

    If the missing object is retrieved from the origin server, the object is cached on the POP. The value of the X-Cache field in subsequent requests for the object starts with HIT, which indicates that the requested object is cached on and served from the POP.

    outside.jpg

Why can I use Alibaba Cloud CDN to accelerate access to static resources in OSS?

Alibaba Cloud CDN deploys POPs in multiple regions around the world. When a user requests access to static resources in OSS, Alibaba Cloud CDN redirects the request to the nearest POP. This way, the user does not need to directly access OSS resources over long distances. Network latency is reduced and access speed is improved.

Why can I reduce traffic costs if I use Alibaba Cloud CDN to access resources in OSS?

If you use the public endpoint of a bucket to directly access OSS resources, you are charged for OSS outbound traffic over the Internet. Alibaba Cloud CDN can cache static resources in OSS to POPs all over the world. When you access OSS resources by using an Alibaba Cloud CDN-accelerated domain name, the resources are served from the nearest POP instead of the origin server. You are charged for outbound data transfer from Alibaba Cloud CDN. Compared with OSS outbound traffic over the Internet, the unit price of outbound data transfer from Alibaba Cloud CDN is lower. Therefore, if you use Alibaba Cloud CDN to access OSS resources, you can effectively reduce traffic costs. For more information, see Billing of OSS content acceleration.

Why is an error reported when I use a CDN-accelerated domain name to access a private object in OSS?

  • Cause

    If you enable access to a private bucket, Alibaba Cloud CDN adds the Authorization header to origin requests that are sent to the bucket and sets the header value to the authentication signature information of the bucket. An origin request cannot contain signature information in both the Authorization header and URL request parameters. If origin requests sent to a bucket have the Authorization header, the object URLs cannot contain signature information, such as Expires, Signature, and OSSAccessKeyId. Otherwise, OSS authentication fails.

  • Solution

    Use an object URL that does not contain signature information. For example, if the URL of a private object is ttps://oss.example.com/outside.jpg?Expires=1700628094&OSSAccessKeyId=TMP.3********&Signature=B********, use the URL which does not contain the signature information, which is https://oss.example.com/outside.jpg.

Why is an error reported when I initiate a request to access the default homepage of a bucket after I enable access to a private bucket?

For more information, see Why am I unable to access the default homepage of a bucket when I retrieve an object from a private bucket by using Alibaba Cloud CDN?