Object Storage Service: Use Alibaba Cloud CDN to accelerate access to OSS objects

Last Updated: Mar 13, 2025

You can use Alibaba Cloud CDN to distribute static resources stored on Object Storage Service (OSS), such as images, videos, and documents, to reduce traffic costs and accelerate resource loading.

Solution overview

The following figure describes how to use Alibaba Cloud CDN to accelerate access to static resources in OSS.

To accelerate access by using Alibaba Cloud CDN, perform the following steps:

  1. Create a private bucket for storing static resources: A private bucket restricts unauthorized access to static resources stored within the bucket and serves as the origin server from which Alibaba Cloud CDN caches data to enhance content delivery speed.

  2. Add a domain name to accelerate and add a CNAME record for the domain name: After you add a domain name in the Alibaba Cloud CDN console, the system assigns a CNAME to the domain name. Next, you must add a CNAME record in the system of your DNS service provider to map the domain name to the CNAME. This way, when users request the resources by using the CDN-accelerated domain name, the requests that are destined for the origin server are redirected to points of presence (POPs).

  3. Enable back-to-origin routing access to the private bucket: If you enable back-to-origin routing access to the private bucket, Alibaba Cloud CDN can obtain the static resources from the private bucket.

Prerequisites

  • OSS is activated.

  • Alibaba Cloud CDN is activated.

  • A domain name is registered. For more information, see Register a domain name on Alibaba Cloud. You can use a domain name registered with a third-party provider. If you do not have a domain name, we recommend that you register one by using the Alibaba Cloud Domains service platform.

  • An Internet Content Provider (ICP) filing is obtained for your domain name if the bucket to which you want to map the domain name resides in the Chinese mainland. For more information, see ICP filing process.

Procedure

Manual deployment

Step 1: Create a private bucket

  1. On the Buckets page of the OSS console, click Create Bucket.

  2. In the Create Bucket panel, specify the bucket name, retain the default settings for other parameters, and click OK.

Step 2: Add the domain name that you want to accelerate and add a CNAME record for the domain name

In the following steps, oss.example.com is used as a CDN-accelerated domain name. You can specify a root domain name, subdomain, or wildcard domain name as the CDN-accelerated domain name.

  1. Add the domain name that you want to accelerate.

    1. In the Specify Domain Name Information step of the Add Domain Name wizard in the CDN console, configure the parameters marked in the following figure and click Next.

    2. On the Domain Names page, wait until the status of the domain name becomes Enabled. Copy the CNAME. In this example, the CNAME is oss.example.com.w.kunlunaq.com.

  2. Resolve the domain name.

    1. On the Authoritative DNS Resolution page in the Alibaba Cloud DNS console, click DNS Settings in the Actions column of oss.example.com. On the DNS Settings tab, click Add DNS Record. In the Add DNS Record dialog box, specify the required parameters shown in the following figure, retain the default settings for other parameters, and click OK.

    2. Wait for a few minutes and then run the ping command to check whether the CDN-accelerated domain name takes effect. If the command output is similar to the command output shown in the following figure, the CDN-accelerated domain name is in effect.

Step 3: Enable access to the private bucket

  1. On the Domain Names page of the Alibaba Cloud CDN console, click the CDN-accelerated domain name.

  2. In the left-side navigation tree, click Origin Fetch and turn on Alibaba Cloud OSS Private Bucket Access.

Verify the effect of the configuration

After you complete the preceding steps, you can upload an object to the bucket and check whether access to the object is accelerated by using the CDN-accelerated domain name.

  1. Upload an image to the bucket.

    1. On the Buckets page of the OSS console, click the name of the bucket.

    2. On the Objects page, click Upload Object, select the image that you want to upload, such as an image named dest.jpg, and then follow the on-screen instructions to upload the image.

  2. Obtain a URL of the uploaded image.

    1. On the Objects page, find the image and click View Details in the Actions column.

    2. In the View Details panel, click Copy Object URL to obtain the image URL.

      • Obtain a URL that uses the bucket domain name

        The access control list (ACL) of the image is private. The image URL based on the bucket domain name includes signature information.

      • Obtain a URL that uses the CDN-accelerated domain name

        When you use a CDN-accelerated domain name to access the object, do not include signature information in the object URL. For example, if the copied image URL is http://oss.example.com/dest.jpg?Expires=1727408333&OSSAccessKeyId=TMP.3********&Signature=eg********, you should use https://oss.example.com/dest.jpg, which does not contain signature information.

  3. Verify the acceleration result.

    Use HTTP Detection in the CloudMonitor console to compare the loading time when the image is accessed by using the bucket domain name and the CDN-accelerated domain name. The following figure indicates that the loading time when the image is accessed by using the CDN-accelerated domain name is 90.04 ms, whereas the loading time when the image is accessed by using the bucket domain name is 146.61 ms. The CDN-accelerated domain name improves the access speed by approximately 38% compared with the bucket domain name.

    Note

    The preceding acceleration result is provided only for reference. The improvement in access speed varies based on factors such as network connections and geographical locations. In most cases, if the region in which the requester is located is closer to the POP or the network connection is better, a CDN-accelerated domain name brings a higher performance improvement.

Recommended configurations

To further improve acceleration performance and secure data transmission, you can enable additional features and apply some useful settings.

Enable HTTPS secure acceleration

Alibaba Cloud CDN supports HTTPS secure acceleration. You can deploy an SSL certificate in the Alibaba Cloud CDN console and enable HTTPS secure acceleration to encrypt requests between clients and POPs. For more information, see Configure an SSL certificate.

Improve the cache hit rate

  • Enable auto CDN cache update in the OSS console: To ensure that users have access to the latest objects in an OSS bucket, enable auto CDN cache update in the OSS console by using the following steps:

    1. On the Buckets page, find the bucket and click the bucket name.

    2. In the left-side navigation tree, choose Bucket Settings > Domain Names. On the Domain Names page, find the CDN-accelerated domain name and click Supported Operations in the Auto CDN Cache Update column.

    3. In the drop-down list, select the API operations that trigger automatic updates of the CDN cache and click OK. For example, if you want the CDN cache to be automatically updated when objects are uploaded to OSS, you can select upload-related API operations, such as PutObject, PostObject, AppendObject, and CompleteMultipartUpload. Generally, you can select all the supported operations.

    Important

    This feature does not guarantee that a purge task is submitted successfully or promptly. If you want to purge the cache as soon as possible or obtain the purge results, use the purge feature of Alibaba Cloud CDN. For more information, see Purge and prefetch resources.

  • Specify a proper TTL value for cached resources

    • Specify a time to live (TTL) of one month or longer for static resources that are infrequently updated, such as images and application packages.

    • Specify a TTL based on your business requirements for static resources that are frequently updated, such as JavaScript and CSS files.

    • Specify a TTL of 0 seconds to disable caching for dynamic resources, such as PHP, JSP, and ASP files.

    For more information, see Create a cache rule for resources.

Protect websites from unauthorized access

Hotlink protection identifies and filters requesters based on the Referer header in requests to implement access control and prevent unauthorized access. After you configure a Referer whitelist or blacklist, Alibaba Cloud CDN allows or denies requests based on user identities. If a request is allowed, Alibaba Cloud CDN returns the URL of the requested resource. If a request is denied, Alibaba Cloud CDN returns the HTTP 403 status code. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection.

Prevent website resources from being maliciously downloaded

Content that is delivered by Alibaba Cloud CDN is publicly available by default. Any requester who has the URL of an object can access the object. To prevent unauthorized access to resources on your website, you can configure URL signing to add signature strings and timestamps to URLs for access control. For more information, see Configure URL signing.
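An added example (not from this page or Alibaba Cloud's code) of issuing and checking a signed URL, assuming the Type A layout from the CDN URL signing documentation: `auth_key=timestamp-rand-uid-md5hash`, where `md5hash` is the MD5 of `URI-timestamp-rand-uid-PrivateKey`. The layout, the key value, and the `ttl` parameter (standing in for the validity period configured in the console) are assumptions to confirm against the linked topic.

```python
import hashlib
import hmac
import time
import uuid
from urllib.parse import parse_qs, urlsplit


def _digest(path, timestamp, rand, uid, key):
    # Assumed Type A input string: "URI-timestamp-rand-uid-PrivateKey".
    return hashlib.md5(f"{path}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()


def sign_url(host, path, key, timestamp=None, rand=None, uid="0"):
    """Build https://host/path?auth_key=timestamp-rand-uid-md5hash."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    rand = uuid.uuid4().hex if rand is None else rand  # must not contain "-"
    md5hash = _digest(path, timestamp, rand, uid, key)
    return f"https://{host}{path}?auth_key={timestamp}-{rand}-{uid}-{md5hash}"


def verify_url(url, key, ttl, now=None):
    """Model the edge-side check; returns (allowed, reason)."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("auth_key", [])
    if len(values) != 1:
        return False, "missing or repeated auth_key"
    fields = values[0].split("-")
    if len(fields) != 4 or not (fields[0].isascii() and fields[0].isdigit()):
        return False, "malformed auth_key"
    timestamp, rand, uid, md5hash = fields
    expected = _digest(parts.path, timestamp, rand, uid, key)
    # Constant-time comparison; the path is part of the hash input, so a
    # signature issued for one object does not validate for another.
    if not hmac.compare_digest(expected.encode(), md5hash.encode()):
        return False, "signature mismatch"
    if now > int(timestamp) + ttl:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    KEY = "constructed-example-key"  # placeholder, not a real signing key
    url = sign_url("oss.example.com", "/dest.jpg", KEY, timestamp=1727408333)
    print(url)
    print(verify_url(url, KEY, ttl=1800, now=1727408333 + 60))
    print(verify_url(url, KEY, ttl=1800, now=1727408333 + 3600))
    print(verify_url(url.replace("/dest.jpg", "/other.jpg"), KEY, ttl=1800, now=1727408333))
```

Running your own signer against a local check like this catches clock-skew and path-encoding mismatches before users receive 403 responses.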

Accelerate file distribution on CDN POPs

After you enable range origin fetch, the OSS bucket that serves as the origin server returns the data chunk that is specified by the Range header to POPs. This reduces origin traffic and accelerates content delivery. Range origin fetch is suitable for large file distribution scenarios such as audio and video streaming. Range origin fetch is not suitable for small file distribution scenarios. You do not need to enable range origin fetch when you use Alibaba Cloud CDN to accelerate the delivery of images. For more information, see Range origin fetch.

Prevent back-to-origin requests without SNI from affecting OSS access

To prevent OSS access failures due to back-to-origin requests without Server Name Indication (SNI), you can configure SNI settings in Alibaba Cloud CDN. The SNI is the same as the origin host (CDN-accelerated domain name by default). If a back-to-origin request carries SNI, OSS can accurately identify the domain name during the TLS handshake phase. This allows OSS to return a certificate that matches the domain name and provides a certain degree of access protection for your domain name. If OSS receives a request that does not carry SNI, OSS cannot accurately identify the domain name and therefore returns the default certificate. During the TLS handshake phase, all requests without SNI are treated similarly. This may result in stricter traffic restrictions, and any request without SNI may be affected. For more information, see Configure SNI.

FAQ

How can I check whether a request hits the cache?

  • Cache miss

    You can check whether data is served from a POP by opening the browser developer tools and checking the X-Cache field. If the value of the X-Cache field starts with MISS, the requested object is not cached on the POP, and the POP requests the missing object from the origin server.

  • Cache hit

    If the missing object is retrieved from the origin server, the object is cached on the POP. The value of the X-Cache field in subsequent requests for the object starts with HIT, which indicates that the requested object is cached on and served from the POP.

Why can Alibaba Cloud CDN accelerate access to static resources in OSS?

Alibaba Cloud CDN deploys POPs in multiple regions around the world. When a user requests access to static resources in OSS, Alibaba Cloud CDN redirects the request to the nearest POP. This way, the user does not need to directly access OSS resources over long distances. This mechanism significantly reduces data transfer distances, minimizes network latency, and enhances data access speed.

How does Alibaba Cloud CDN lower traffic costs for accessing resources on OSS?

If you use the public domain name of a bucket to directly access OSS resources, you are charged for OSS outbound traffic over the Internet. Alibaba Cloud CDN caches static resources stored on OSS to POPs all over the world. When you access OSS resources by using an Alibaba Cloud CDN-accelerated domain name, the resources are served from the nearest POP instead of the origin server. You are charged for outbound data transfer from Alibaba Cloud CDN. Compared with OSS outbound traffic over the Internet, the unit price of outbound data transfer from Alibaba Cloud CDN is lower. Therefore, if you use Alibaba Cloud CDN to access OSS resources, you can effectively reduce traffic costs. For more information, see Billing of OSS content acceleration.

Why is an error reported when I use a CDN-accelerated domain name to access a private object stored on OSS?

  • Cause

    If you enable access to a private bucket, Alibaba Cloud CDN adds the Authorization header to origin requests that are sent to the bucket and sets the header value to the authentication signature information of the bucket. An origin request cannot contain signature information in both the Authorization header and URL request parameters. If origin requests sent to a bucket have the Authorization header, the object URLs cannot contain signature information, such as Expires, Signature, and OSSAccessKeyId. Otherwise, OSS authentication fails.

  • Solution

    Use an object URL that does not contain signature information. For example, if the URL of a private object is https://oss.example.com/outside.jpg?Expires=1700628094&OSSAccessKeyId=TMP.3********&Signature=B********, use the URL https://oss.example.com/outside.jpg, which does not contain signature information.
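The URL clean-up described in this answer and in the verification step, as an added example (not Alibaba Cloud code): it moves an object URL to the CDN-accelerated domain name and drops the signature parameters this page names, while keeping any other query parameters. The function name, the `scheme` default, and the extra `v` parameter in the sample are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Signature parameters named on this page; extend the set if your signed
# URLs carry other signature-related parameters.
OSS_SIGNATURE_PARAMS = frozenset({"Expires", "OSSAccessKeyId", "Signature"})


def to_cdn_url(object_url, cdn_host, scheme="https"):
    """Return (cdn_url, removed).

    cdn_url points at the CDN-accelerated domain name and carries no OSS
    signature parameters. removed lists the stripped parameter names, so a
    caller can log that a signed URL was supplied without logging the
    credential values themselves.
    """
    parts = urlsplit(object_url)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in OSS_SIGNATURE_PARAMS:
            removed.append(name)
        else:
            kept.append((name, value))
    # Unrelated query parameters are preserved (re-encoded by urlencode);
    # the fragment is dropped because it is never sent to the server.
    return urlunsplit((scheme, cdn_host, parts.path, urlencode(kept), "")), removed


if __name__ == "__main__":
    # Constructed sample input; the signature values are placeholders.
    signed = ("http://oss.example.com/dest.jpg"
              "?Expires=1727408333&OSSAccessKeyId=TMP.EXAMPLE&Signature=EXAMPLE&v=2")
    url, removed = to_cdn_url(signed, "oss.example.com")
    print(url)
    print(removed)
```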

Why is an error reported for a request to access a website homepage hosted on a private bucket after I enable back-to-origin routing to the private bucket?

For more information, see Why am I unable to access the default homepage when I retrieve an object from a private bucket by using Alibaba Cloud CDN?

Can I use a CDN-accelerated domain name to upload data to OSS?

For security reasons, we recommend that you do not use a CDN-accelerated domain name to upload data to OSS. If public read and write access is enabled on Alibaba Cloud CDN, anyone can upload data to OSS by using the CDN-accelerated domain name, without the need for authentication or permission verification. This exposes the OSS bucket to a significant risk of malicious uploads and data tampering. We recommend that you grant the minimum permissions required for data uploads and use the bucket domain names for upload operations.

How do I configure back-to-origin routing to different buckets based on paths for a CDN-accelerated domain name?

You can use the rules engine to configure back-to-origin routing to different buckets based on paths.