Alibaba Object Storage Service

      Last updated November 09, 2020

    Alibaba Object Storage Service (OSS) can be used as an origin for Fastly for both public and private content.

    Using OSS as an origin

    To use OSS as an origin, follow the steps below.

    Setting up and configuring your OSS account

    1. Sign up for Alibaba Object Storage Service.
    2. Create a bucket to store your origin's data. The Create Bucket window appears.

      Alibaba Object Storage Service New Bucket window

    3. Fill out the Create Bucket fields as follows:
      • In the Bucket Name field, enter a name for your bucket. Remember the name you enter. You'll need it to connect your bucket to your Fastly service.
      • From the Region menu, select a location to store your content. Most customers select a region close to the POP they specify for shielding.
      • From the Storage Class options, select Standard.
      • From the Access Control List (ACL) options, select Public Read.
      • Optionally select other options, such as Server-side Encryption and Scheduled Backup.
    4. Click the OK button.

    Uploading files to your bucket

    Once you've created your bucket, select it and then navigate to the Files tab to add files to it by clicking the Upload button.


    You can make the files externally accessible by selecting the Public Read option for the bucket or you can use the Inherited from Bucket option next to each of the files.

    Setting up Fastly to use OSS as an origin

    To add your OSS bucket as an origin, follow the instructions for connecting to origins. You'll add specific details about your origin server.

    1. On the Origins page, click Create Host and enter the appropriate address for your host using the format <BUCKET>.<REGION>.aliyuncs.com. For example, if your bucket name is test123 and your region is Beijing (oss-cn-beijing), your hostname would be test123.oss-cn-beijing.aliyuncs.com. You can also find the hostname on the Bucket Overview page in the Bucket Domain Name area.
    2. Click on the newly created host to edit it.
    3. In the Name field, enter a descriptive name for your service (e.g., Alibaba Object Storage).
    4. If the Address field doesn't contain the <BUCKET>.<REGION>.aliyuncs.com hostname you provided in the first step, enter it now.
    5. Fill out the Transport Layer Security (TLS) area fields as follows:
      • Leave the Enable TLS? default set to Yes to secure the connection between Fastly and your origin.
      • Leave the Verify certificate? default set to Yes.
      • Set the Certificate hostname field to the same address that appears in the Address field (e.g., test123.oss-cn-beijing.aliyuncs.com).
      • In the SNI hostname field, select the checkbox to Match the SNI hostname to the Certificate hostname. The hostname address you entered during host creation appears.
    6. From the Shielding menu below the TLS area, select a Fastly POP near the Alibaba region from the list of shielding locations.
    7. In the Override host field in the Advanced options area, enter an appropriate address for your host (e.g., test123.oss-cn-beijing.aliyuncs.com). You entered this information during host creation.

    Review our caveats of shielding and select a shield POP accordingly.

    Using OSS with private objects

    To use Fastly with OSS private objects, be sure you've already made your OSS data available to Fastly by pointing to the right OSS bucket, then follow the steps below.

    Setting up a private bucket and sub user

    Setting up a private bucket is the same as setting up a public bucket, except you select the Private option in the Access Control List (ACL) area of the OSS bucket settings.

    You'll need an AccessKey ID and AccessKey Secret. An account-level key can be created by clicking on your avatar in the top right corner of the Alibaba Cloud Console, selecting Access Key, and then creating a new key. Because such a key has full access to the entire account, we recommend instead following Alibaba's procedure for creating a RAM sub user and granting it read-only access to just this bucket, so that a key exposed in your Fastly configuration cannot be used for anything else. Follow the steps below.

    1. Navigate to the Resource Access Management (RAM) page.
    2. Click the Users tab.
    3. Click Create User.
    4. Enter an appropriate Logon Name and Display Name.
    5. Select the Programmatic Access checkbox to enable access through the Alibaba API.

      Alibaba Cloud Create RAM User

    6. Click the OK button.
    7. Copy the AccessKeyId and AccessKeySecret. You'll need these later when you're creating an Authorization header.
    8. Go back to the bucket overview, click on the Files tab and then click on Authorize. You should see a list of authorized users; if this is a new bucket, it will be empty.
    9. Click the Authorize button and fill out the fields as follows:
      • From the Applied To menu, select the Whole Bucket option. You can select Specified Resources, but this may lead to unexpected errors later if you don't update the permissions when new files are added.
      • From the Accounts menu, select RAM Users and then use the menu to select your newly created RAM user.
      • From the Authorized Operation menu, select Read Only.
      • You can leave Condition blank, or restrict access further, for example by setting IP = to Fastly's IP ranges or by setting Access Method to HTTPS so that signed requests are only accepted from Fastly and over TLS.

    Setting up Fastly to use OSS private content

    To use OSS private content with Fastly, you'll need to create three headers: a Date header (it carries the Expires timestamp that goes into the signature), a Host header, and an Authorization header that actually rewrites the request URL to append OSS's signed query parameters.

    Creating a Date header

    1. Log in to the Fastly web interface and click the Configure link.
    2. From the service menu, select the appropriate service.
    3. Click the Edit configuration button and then select Clone active. The Domains page appears.
    4. Click the Content link. The Content page appears.
    5. Click the Create header button. The Create a new header page appears.

      creating a Date header via the new header page

    6. Fill out the Create a new header fields as follows:
      • In the Name field, enter Date.
      • From the Type menu, select Request, and from the Action menu, select Set.
      • In the Destination field, enter http.Date.
      • In the Source field, enter var.ali_expires. This variable is not predefined: it must be declared in your VCL and set to the Unix timestamp at which the signed URL should expire, as the VCL snippet at the end of this article does.
      • From the Ignore if set menu, select No.
      • In the Priority field, enter 19.
    7. Click the Create button. A new Date header appears on the Content page. You will use this later within the signature of the Authorization header.

    Creating a Host header

    1. Click the Create header button. The Create a new header page appears.
    2. Fill out the Create a new header fields as follows:
      • In the Name field, enter Host.
      • From the Type menu, select Request, and from the Action menu, select Set.
      • In the Destination field, enter http.Host.
      • In the Source field, enter your OSS bucket domain in quotes (e.g., "test123.oss-cn-beijing.aliyuncs.com").
      • From the Ignore if set menu, select No.
      • In the Priority field, enter 19.
    3. Click the Create button. A new Host header appears on the Content page.

    Creating the Authorization header

    1. Click the Create header button again to create another new header. The Create a header page appears.

      creating an Authorization header via the header page

    2. Fill out the Create a header fields as follows:
      • In the Name field, enter Authorization.
      • From the Type menu, select Request, and from the Action menu, select Set.
      • In the Destination field, enter url.
      • From the Ignore if set menu, select No.
      • In the Priority field, enter 20.
    3. In the Source field, enter the Authorization header information using the following format. The string being signed is VERB, Content-MD5 (empty), Content-Type (empty), Expires and the canonicalized resource /<bucket><path>, each separated by LF; HEAD is signed as GET because Fastly fetches HEAD requests from origin as GET. The signature is base64, which contains +, / and = characters, so it must be wrapped in urlencode() to survive as a query parameter:

      req.url.path "?" "OSSAccessKeyId=<AccessKeyId>" "&" "Signature=" urlencode(digest.hmac_sha1_base64("<AccessKeySecret>", if(req.method == "HEAD", "GET", req.method) LF LF LF req.http.Date LF "/<OSS bucket name>" req.url.path)) "&" "Expires=" var.ali_expires

      Replace <AccessKeyId>, <AccessKeySecret>, and <OSS bucket name> with the information you gathered before you began. For example:

      req.url.path "?" "OSSAccessKeyId=AOSSdecafbad" "&" "Signature=" urlencode(digest.hmac_sha1_base64("AOSSdeadbeef", if(req.method == "HEAD", "GET", req.method) LF LF LF req.http.Date LF "/test123" req.url.path)) "&" "Expires=" var.ali_expires

    4. Click the Create button. A new Authorization header appears on the Content page.
    5. Click the Activate button to deploy your configuration changes.

    Setting up Fastly to use OSS private content using VCL Snippets

    You can also put the whole configuration in a single VCL Snippet (type recv, priority 20) instead of creating the three header objects. One caveat applies to both approaches: Expires is recomputed on every request, so the signed query string changes every second, and because Fastly's default vcl_hash includes req.url, you must make sure the cache key is built from the unsigned path rather than the signed URL, or every request will miss the cache.

    # Bucket, region and the RAM sub user's credentials (replace with your own).
    declare local var.ali_bucket STRING;
    declare local var.ali_region STRING;
    declare local var.ali_access_key_id STRING;
    declare local var.ali_access_key_secret STRING;
    declare local var.ali_expires INTEGER;
    declare local var.ali_canon STRING;
    declare local var.ali_sig STRING;

    set var.ali_bucket = "test123";
    set var.ali_region = "oss-cn-beijing";
    set var.ali_access_key_id = "decafbad";
    set var.ali_access_key_secret = "deadbeef";

    # Expires is a Unix timestamp; 60 seconds is enough for Fastly to fetch the object.
    set var.ali_expires  = std.atoi(now.sec);
    set var.ali_expires += 60;

    # Host must be the bucket's virtual-hosted endpoint.
    set req.http.Host = var.ali_bucket + "." + var.ali_region + ".aliyuncs.com";
    # For signed URLs the Date slot of the string to sign carries the Expires timestamp.
    set req.http.Date = var.ali_expires;

    # String to sign: VERB LF Content-MD5 LF Content-Type LF Expires LF /bucket/path.
    # Content-MD5 and Content-Type are empty. Fastly fetches HEAD requests from origin
    # as GET, so HEAD is signed as GET.
    set var.ali_canon = if(req.method == "HEAD", "GET", req.method) LF LF LF
                        req.http.Date LF "/" var.ali_bucket req.url.path;
    set var.ali_sig   = digest.hmac_sha1_base64(var.ali_access_key_secret, var.ali_canon);

    # Drop any client-supplied query string and append the signed parameters.
    # querystring.set percent-encodes the value, so the base64 signature needs no urlencode() here.
    set req.url       = req.url.path;
    set req.url       = querystring.set(req.url, "OSSAccessKeyId", var.ali_access_key_id);
    set req.url       = querystring.set(req.url, "Signature",  var.ali_sig);
    set req.url       = querystring.set(req.url, "Expires",  var.ali_expires);

    This article describes an integration with a service provided by a third party. Please see our note on integrations.