Alibaba Object Storage Service

Alibaba Object Storage Service (OSS) can be used as an origin for Fastly for both public and private content.

Using OSS as an origin

To use OSS as an origin, follow the steps below.

Setting up and configuring your OSS account

  1. Sign up for Alibaba Object Storage Service.

  2. Create a bucket to store your origin's data.

  3. Fill out the Create Bucket fields as follows:

    • In the Bucket Name field, enter a name for your bucket. Remember the name you enter. You'll need it to connect your bucket to your Fastly service.
    • From the Region menu, select a location to store your content. Most customers select a region close to the POP they specify for shielding.
    • From the Storage Class options, select Standard.
    • From the Access Control List (ACL) options, select Public Read.
    • (Optional) Select other options, such as Server-side Encryption and Scheduled Backup.
  4. Click OK.

Uploading files to your bucket

Once you've created your bucket, select it and then navigate to the Files tab to add files to it by clicking Upload.

You can make the files externally accessible by selecting the Public Read option for the bucket or you can use the Inherited from Bucket option next to each of the files.

Setting up Fastly to use OSS as an origin

To add your OSS bucket as an origin, follow the instructions for working with hosts. You'll add specific details about your origin server.

  1. On the Origins page, click Create Host and enter the appropriate address for your Host using the format <BUCKET>.<REGION>.aliyuncs.com. For example, if your bucket name is test123 and your region is Beijing (e.g., oss-cn-beijing) your hostname would be test123.oss-cn-beijing.aliyuncs.com. You can also find the hostname on the Bucket Overview page in the Bucket Domain Name area.
  2. Click on the newly created Host to edit it.
  3. In the Name field, enter a descriptive name for your service (e.g., Alibaba Object Storage).
  4. If the Address field doesn't contain the <BUCKET>.<REGION>.aliyuncs.com hostname you provided in the first step, enter it now.
  5. Fill out the Transport Layer Security (TLS) area fields as follows:
    • Leave the Enable TLS? default set to Yes to secure the connection between Fastly and your origin.
    • Leave the Verify certificate? default set to Yes.
    • Set the Certificate hostname field to the same address that appears in the Address field (e.g., test123.oss-cn-beijing.aliyuncs.com).
    • In the SNI hostname field, select the checkbox to Match the SNI hostname to the Certificate hostname. The hostname address you entered during Host creation appears.
  6. From the Shielding menu below the TLS area, select a Fastly POP near the Alibaba region from the list of shielding locations.
  7. In the Override host field, enter an appropriate address for your Host (e.g., test123.oss-cn-beijing.aliyuncs.com). You entered this information during Host creation.

Review our caveats of shielding and select a shield POP accordingly.

Using OSS with private objects

To use Fastly with OSS private objects, be sure you've already made your OSS data available to Fastly by pointing to the right OSS bucket, then follow the steps below.

Setting up a private bucket and sub user

Setting up a private bucket is the same as setting up a public bucket, except you select the Private option in the Access Control List (ACL) area of the OSS bucket settings.

You'll need an AccessKey ID and Access Key Secret. These can be linked to your account by clicking on your avatar in the top right corner of the Alibaba Cloud Console, selecting Access Key, and then creating a new key. Since this key has full access to the account, we recommend following Alibaba's procedure for creating a sub user. Follow the steps below.

  1. Navigate to the Resource Access Management (RAM) page.

  2. Click Users.

  3. Click Create User.

  4. Enter an appropriate Logon Name and Display Name.

  5. Select the Programmatic Access checkbox to enable access through the Alibaba API.

  6. Click OK.

  7. Copy the AccessKeyId and AccessKeySecret. You'll need these later when you're creating an Authorization header.

  8. Go back to the bucket overview, click Files and then click Authorize. You should see a list of authorized users. If this is a new bucket it should be empty.

  9. Click Authorize, filling out the fields as follows:

    • From the Applied To menu, select the Whole Bucket option. You can select Specified Resources, but this may lead to unexpected errors later if you don't update the permissions with new files.
    • From the Accounts menu, select RAM Users and then use the menu to select your newly created RAM user.
    • From the Authorized Operation menu, select Read Only.
    • You can leave Condition blank, or customize it by setting IP = to Fastly's IP ranges or by setting Access Method to HTTPS.

Setting up Fastly to use OSS private content

To use OSS private content with Fastly, you'll need to create two headers: a Date header (required for authorization signature) and a Host header. You'll also need to add some authorization parameters.

Creating a Date header

  1. Log in to the Fastly web interface.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain. You can also click Compute services or CDN services to access a list of services by type.
  3. Click Edit configuration and then select the option to clone the active version.
  4. Click Content.
  5. Click Create header.

  6. Fill out the Create a new header fields as follows:

    • In the Name field, enter Date.
    • From the Type menu, select Request, and from the Action menu, select Set.
    • In the Destination field, enter http.Date.
    • In the Source field, enter var.ali_expires.
    • From the Ignore if set menu, select No.
    • In the Priority field, enter 19.
  7. Click Create. A new Date header appears on the Content page. You will use this later within the signature of the Authorization header.

Creating a Host header

  1. Click Create header.
  2. Fill out the Create a new header fields as follows:
    • In the Name field, enter Host.
    • From the Type menu, select Request, and from the Action menu, select Set.
    • In the Destination field, enter http.Host.
    • In the Source field, enter "<your OSS domain>".
    • From the Ignore if set menu, select No.
    • In the Priority field, enter 19.
  3. Click Create. A new Host header appears on the Content page.

Creating the Authorization header

  1. Click Create header again to create another new header.

  2. Fill out the Create a header fields as follows:

    • In the Name field, enter Authorization.
    • From the Type menu, select Request, and from the Action menu, select Set.
    • In the Destination field, enter url.
    • From the Ignore if set menu, select No.
    • In the Priority field, enter 20.
  3. In the Source field, enter the Authorization header information using the following format:

    req.url.path "?" "OSSAccessKeyId=<AccessKeyId>" "&" "Signature=" urlencode(digest.hmac_sha1_base64("<AccessKeySecret>", if(req.method == "HEAD", "GET", req.method) LF LF LF req.http.Date LF "/<OSS bucket name>" req.url.path)) "&" "Expires=" var.ali_expires

    Replace <AccessKeyId>, <AccessKeySecret>, and <OSS bucket name> with the information you gathered before you began. For example:

    req.url.path "?" "OSSAccessKeyId=AOSSdecafbad" "&" "Signature=" urlencode(digest.hmac_sha1_base64("AOSSdeadbeef", if(req.method == "HEAD", "GET", req.method) LF LF LF req.http.Date LF "/test123" req.url.path)) "&" "Expires=" var.ali_expires
  4. Click Create. A new Authorization header appears on the Content page.

  5. Click Activate to deploy your configuration changes.

Setting up Fastly to use OSS private content using VCL Snippets

You can also put the configuration in a VCL Snippet with a priority of 20.

declare local var.ali_bucket STRING;
declare local var.ali_region STRING;
declare local var.ali_access_key_id STRING;
declare local var.ali_access_key_secret STRING;
declare local var.ali_expires INTEGER;
declare local var.ali_canon STRING;
declare local var.ali_sig STRING;

# Bucket, region and credentials (placeholder values).
set var.ali_bucket = "test123";
set var.ali_region = "oss-cn-beijing";
set var.ali_access_key_id = "decafbad";
set var.ali_access_key_secret = "deadbeef";
# The signed URL is valid for 60 seconds from now.
set var.ali_expires = std.atoi(now.sec);
set var.ali_expires += 60;

set req.http.Host = var.ali_bucket "." var.ali_region ".aliyuncs.com";
set req.http.Date = var.ali_expires;
# String to sign: VERB LF LF LF Expires LF /bucket/path (HEAD is signed as GET).
set var.ali_canon = if(req.method == "HEAD", "GET", req.method) LF LF LF
  req.http.Date LF "/" var.ali_bucket req.url.path;
set var.ali_sig = digest.hmac_sha1_base64(var.ali_access_key_secret, var.ali_canon);

# Replace any incoming query string with the signed parameters.
set req.url = req.url.path;
set req.url = querystring.set(req.url, "OSSAccessKeyId", var.ali_access_key_id);
set req.url = querystring.set(req.url, "Signature", var.ali_sig);
set req.url = querystring.set(req.url, "Expires", var.ali_expires);
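
To check offline what the Authorization header and the VCL Snippet above should send to OSS, the following Python reference (an added example, not part of Fastly's guide) rebuilds the same string to sign and shows why the Signature value is URL-encoded. The function names, the timestamp and the object paths are assumptions made for illustration; the bucket, region and keys are the page's placeholder values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit


def canonical_string(method, expires, bucket, path):
    # Same layout as the VCL: VERB LF LF LF Expires LF /bucket/path.
    # HEAD is signed as GET, as in the page's if(req.method == "HEAD", ...).
    verb = "GET" if method == "HEAD" else method
    return f"{verb}\n\n\n{expires}\n/{bucket}{path}"


def sign(secret, canon):
    # Equivalent of digest.hmac_sha1_base64(secret, canon).
    mac = hmac.new(secret.encode(), canon.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signed_url(bucket, region, key_id, secret, method, path, now, ttl=60):
    expires = now + ttl
    sig = sign(secret, canonical_string(method, expires, bucket, path))
    # quote(..., safe="") percent-encodes "+", "/" and "=" in the signature.
    query = f"OSSAccessKeyId={key_id}&Signature={quote(sig, safe='')}&Expires={expires}"
    return f"https://{bucket}.{region}.aliyuncs.com{path}?{query}", sig


def decoded_signature(url):
    # What a standard query-string parser recovers from the URL.
    return parse_qs(urlsplit(url).query)["Signature"][0]


def find_plus_case(bucket, secret, now):
    # Search constructed object names for a signature containing "+",
    # the base64 character a query parser turns into a space.
    for i in range(500):
        path = f"/obj{i}.txt"
        sig = sign(secret, canonical_string("GET", now + 60, bucket, path))
        if "+" in sig:
            return path, sig
    return None


if __name__ == "__main__":
    # Placeholder values from the page; the timestamp is constructed.
    url, sig = signed_url("test123", "oss-cn-beijing", "decafbad", "deadbeef",
                          "GET", "/index.html", now=1700000000)
    print(url)
    print("round-trips:", decoded_signature(url) == sig)
    path, plus_sig = find_plus_case("test123", "deadbeef", 1700000000)
    raw = f"https://example.invalid{path}?Signature={plus_sig}"
    print("unencoded survives:", decoded_signature(raw) == plus_sig)
```

A signature that does not survive the round trip is rejected by OSS as a mismatch, which on a live service shows up as intermittent authorization failures for only some objects.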

This article describes an integration with a service provided by a third party. Read our note on integrations for details.
