Oracle Cloud Storage

      Last updated October 16, 2020

    Oracle Cloud Storage public and private buckets can be used as origins with Fastly.

    Before you begin

    Before you begin the setup and configuration steps required to use Oracle Cloud as an origin, keep in mind the following:

    Using Oracle Cloud Storage as an origin

    To use Oracle Cloud Storage as an origin, follow the steps below.

    Creating a new bucket

    Data in Oracle Cloud Storage is stored in buckets. Follow these steps to create a new bucket via the Oracle Cloud web interface.

    1. Log in to your Oracle account. Your Oracle account settings page appears.
    2. Open the navigation menu in the upper left and navigate to Object Storage, then select Object Storage.

      Oracle Cloud Object Storage New Bucket window

    3. Select a compartment from the Compartment list on the left side of the page.
    4. Click Create a Bucket. The Create a Bucket window appears.
    5. In the Bucket Name field, enter a unique bucket name. Bucket names must be unique within the namespace and cannot be nested. The name can contain letters, numbers, dashes, and periods.

      Oracle Cloud Object Storage New Bucket window

    6. Click the Create a Bucket button. The new bucket appears in the list of buckets on the Oracle Cloud Storage Buckets page.
    7. By default, new buckets are private. Click the three dots on the right side of the bucket and select Edit Visibility. Change the visibility to Public and deselect the Allow users to list objects from this bucket option.
    8. Upload a file to the new bucket you just created.

    Finding your bucket's namespace and hostname

    To set up a Fastly service that interacts with your Oracle Cloud Storage, you will need to know the namespace identifier and hostname assigned to the bucket you created and uploaded files to.

    To find your namespace, click on the bucket and examine the Bucket Information tab. In this example the namespace is decafbaddeadbeef.

    Oracle Cloud Storage Bucket Details

    To determine your bucket's hostname:

    Creating a new service

    To create a new Fastly service, you must first create a new domain and then create a new host and edit it to accept traffic for Oracle Cloud Storage. Instructions to do this appear in our guide to creating a new service. While completing these instructions, keep the following in mind:

    Using the Oracle Cloud API with public objects

    To use the Oracle Cloud API with public objects, you need to create either a new header or a VCL Snippet. The purpose of the header or VCL Snippet is to rewrite request URLs for your Oracle Cloud Storage instance.

    Using a Header object

    1. On your Fastly service's configuration page, click the Create header button to create a new header. The Create a header page appears.
    2. Fill out the Create a header fields as follows:
      • In the Name field, type Rewrite Oracle Cloud Storage URL.
      • From the Type menu, select Request, and from the Action menu, select Set.
      • In the Destination field, type url.
      • From the Ignore if set menu, select No.
      • In the Priority field, type 20.
    3. In the Source field, type "/n/<namespace id>/b/<bucket name>/o/" req.url (e.g., "/n/decafbaddeadbeef/b/fastly-bucket/o/" req.url).
    4. Click the Create button. The new header appears on the Content page.
    5. Click the Activate button to deploy your configuration changes.

    Using a VCL Snippet

    1. Click VCL Snippets on your service's configuration page, then click Create Snippet.
    2. In the Create a VCL Snippet page, enter a name for the snippet.
    3. Select within subroutine to specify its placement, and miss as the subroutine type.

      Select VCL Snippet type

    4. Add the following code to the VCL field. Change the values of the oracleNamespace and oracleBucket variables to match your Oracle namespace and bucket.

      
       declare local var.oracleNamespace STRING;
       declare local var.oracleBucket STRING;
       set var.oracleNamespace = "YOUR_ORACLE_NAMESPACE_ID";   # Change this value to your own data
       set var.oracleBucket = "YOUR_ORACLE_BUCKET_NAME";   # Change this value to your own data
      
       if (req.method == "GET" && !req.backend.is_shield) {
         set bereq.url = "/n/" var.oracleNamespace "/b/" var.oracleBucket "/o/" bereq.url;
       }
      

    Using the S3 Compatible API with public objects

    To use the S3 Compatible API with public objects you must create a new header, as explained below.

    1. On your Fastly service's configuration page, click the Create header button to create a new header. The Create a header page appears.
    2. Fill out the Create a header fields as follows:
      • In the Name field, type Rewrite Oracle Cloud Storage URL.
      • From the Type menu, select Request, and from the Action menu, select Set.
      • In the Destination field, type url.
      • From the Ignore if set menu, select No.
      • In the Priority field, type 20.
    3. In the Source field, type "/<bucket name>/" req.url (e.g., "/fastly-bucket/o/" req.url).
    4. Click the Create button. A new header appears on the Content page.
    5. Click the Activate button to deploy your configuration changes.

    Private Buckets

    To use an Oracle Cloud Storage private bucket with Fastly you must implement version 4 of Amazon’s header-based authentication. You can do this using custom VCL. Keep in mind the following:

    The following table lists the information you need to obtain from Oracle Cloud Storage before starting.

    Item          Description
    Namespace     The namespace identifier assigned to your bucket (see Finding your bucket's namespace and hostname).
    Bucket name   The name of your OCS bucket. When you download items from your bucket, this is the string listed in the URL path or hostname of each object.
    Region        The OCS region code of the location where your bucket resides (e.g., us-east-1).
    Access key    The OCS access key string for your account that has at least read permission on the bucket.
    Secret key    The OCS secret access key paired with the access key above.

    Once you have this information, you can configure your Fastly service to authenticate against your S3 bucket using header authentication by calculating the appropriate header value in VCL.

    Start by creating a regular VCL snippet. Give it a meaningful name, such as AWS protected origin. When you create the snippet, select within subroutine to specify its placement and choose miss as the subroutine type. Then, populate the VCL field with the following code (be sure to change specific values as noted to ones relevant to your own AWS bucket):

    1. Click VCL Snippets on your service's configuration page, then click Create Snippet.
    2. In the Create a VCL Snippet page give the snippet a meaningful name, such as AWS protected origin.
    3. Select within subroutine to specify snippet placement, and miss as the subroutine type.

      Select VCL Snippet type

    4. Add the following code to the VCL field. Be sure to change the values of the variables (ocsNamespace, ocsAccessKey, etc.) to match your Oracle environment.

      
       declare local var.ocsNamespace STRING;
       declare local var.ocsAccessKey STRING;
       declare local var.ocsSecretKey STRING;
       declare local var.ocsS3Bucket STRING;
       declare local var.ocsRegion STRING;
       declare local var.canonicalHeaders STRING;
       declare local var.signedHeaders STRING;
       declare local var.canonicalRequest STRING;
       declare local var.canonicalQuery STRING;
       declare local var.stringToSign STRING;
       declare local var.dateStamp STRING;
       declare local var.signature STRING;
       declare local var.scope STRING;
      
       set var.ocsNamespace = "YOUR_OCS_NAMESPACE"; # Change this value to your own data
       set var.ocsAccessKey = "YOUR_OCS_ACCESS_KEY";   # Change this value to your own data
       set var.ocsSecretKey = "YOUR_OCS_SECRET_KEY";   # Change this value to your own data
       set var.ocsS3Bucket = "YOUR_OCS_BUCKET_NAME";   # Change this value to your own data
       set var.ocsRegion = "YOUR_OCS_REGION";   # Change this value to your own data
      
       if (req.method == "GET" && !req.backend.is_shield) {
      
         set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
         set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
         set bereq.http.host = var.ocsNamespace ".compat.objectstorage." var.ocsRegion ".oraclecloud.com";
         set bereq.url = querystring.remove(bereq.url);
         set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/");
         set var.dateStamp = strftime({"%Y%m%d"}, now);
         set var.canonicalHeaders = ""
           "host:" bereq.http.host LF
           "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF
           "x-amz-date:" bereq.http.x-amz-date LF
         ;
         set var.canonicalQuery = "";
         set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";
         set var.canonicalRequest = ""
           "GET" LF
           bereq.url.path LF
           var.canonicalQuery LF
           var.canonicalHeaders LF
           var.signedHeaders LF
           digest.hash_sha256("")
         ;
      
         set var.scope = var.dateStamp "/" var.ocsRegion "/s3/aws4_request";
      
         set var.stringToSign = ""
           "AWS4-HMAC-SHA256" LF
           bereq.http.x-amz-date LF
           var.scope LF
           regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")
         ;
      
         set var.signature = digest.awsv4_hmac(
           var.ocsSecretKey,
           var.dateStamp,
           var.ocsRegion,
           "s3",
           var.stringToSign
         );
      
         set bereq.http.Authorization = "AWS4-HMAC-SHA256 "
           "Credential=" var.ocsAccessKey "/" var.scope ", "
           "SignedHeaders=" var.signedHeaders ", "
           "Signature=" + regsub(var.signature,"^0x", "")
         ;
         unset bereq.http.Accept;
         unset bereq.http.Accept-Language;
         unset bereq.http.User-Agent;
         unset bereq.http.Fastly-Client-IP;
       }
      
    This article describes an integration with a service provided by a third party. See our note on integrations for details.