This topic describes an acceleration solution for websites with static resources such as images, audio, and videos. We recommend that you use Alibaba Cloud Object Storage Service (OSS) together with Edge Security Acceleration (ESA) to achieve efficient and secure global content distribution, and improve the loading speed and user experience for your website.
Usage notes
After you authorize ESA to fetch content from a private OSS bucket within the same account or across different accounts, all resources in the bucket are accessible by using the ESA-covered domain. Perform such origin fetch authorization with caution. If the private OSS bucket stores content other than what is intended for the visitors of the website, do not authorize ESA to access the bucket.
If you want to authorize ESA to fetch content from a private OSS bucket that belongs to another Alibaba Cloud account, do not grant the write or delete permissions on the bucket to Resource Access Management (RAM) users. For more information about how to grant a RAM user the permissions to access OSS, see Access OSS by using a RAM user.
Fetching content from a private OSS bucket conflicts with the default homepage settings of static website hosting for the private OSS bucket. To use ESA to accelerate access to a private bucket for which static website hosting is configured, see instructions in Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?
An OSS origin server qualifies for OSS origin traffic discounts. For more information, see Billing overview.
Procedure
When you map an OSS bucket to your ESA website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to OSS. For more information, see Manage DNS records or Create an origin pool.
For Access Type, select Public Access, Private Access (Same-account), or Private Access (Cross-account), depending on the access control list (ACL) and owning account of the bucket.
If you select Public Access, enter the public domain name of the bucket in the OSS Bucket field. In this case, you do not need to complete the authorization. For more information about bucket domain names, see Endpoints and domain names.
If you select Private Access (Same-account) or Private Access (Cross-account), configure authorization and authentication by using the following steps.
Private Access (Same-account)
The system automatically requests a security token from STS. This option allows ESA to pull content from private OSS buckets only within the same Alibaba Cloud account.
The first time you authorize ESA to access a private OSS bucket within the same account, the system creates a RAM role for ESA with the default permission policy attached. By assuming the role, ESA has read-only access to all OSS buckets within the same account by using temporary security tokens.
In the Authorization section, click Authorize. On the Cloud Resource Access Authorization page, click Agree to Authorization.
Note: If you cannot complete the authorization by clicking the Authorize button in the ESA console, try performing the authorization in the RAM console. For more information, see Use the RAM console to authorize ESA to access private OSS buckets in the same account.
After the authorization is successful, select the domain name of the bucket from the OSS Bucket drop-down list.
Note: The previous authorization configuration allows ESA to fetch only non-encrypted data from the private bucket. To configure ESA to fetch both encrypted and non-encrypted data from the bucket, you must additionally attach the AliyunKMSCryptoUserAccess policy to the AliyunESAAccessingPrivateOSSRole role.
Private Access (Cross-account)
You need to configure a permanent security token. This option allows ESA to pull content from private OSS buckets both in the same Alibaba Cloud account and across Alibaba Cloud accounts.
Parameter | Description
Access Type | Select Private Access (Cross-account).
OSS Bucket | Enter the public domain name of the bucket. For more information about bucket domain names, see Endpoints and domain names.
AccessKey ID | Specify the AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair.
AccessKey Secret | Specify the AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs.
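The usage notes say not to grant write or delete permissions when ESA fetches from a bucket in another account. The following Python check is an added example, not part of the Alibaba Cloud documentation: it scans a RAM policy document for Allow statements that would permit OSS write or delete actions. The bucket name example-static-assets, both sample policies, and the list of mutating actions checked are constructed for illustration.

```python
import fnmatch
import json

# Representative OSS write/delete actions an origin-fetch identity should not hold.
MUTATING_ACTIONS = [
    "oss:PutObject", "oss:PutObjectAcl", "oss:PutBucketAcl",
    "oss:DeleteObject", "oss:DeleteBucket", "oss:AbortMultipartUpload",
]

def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def risky_oss_grants(policy_json):
    """Return sorted (action_pattern, resource) pairs from Allow statements that
    permit at least one mutating OSS action. Deny statements are not subtracted,
    so the result errs on the side of reporting."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource")) or ["*"]
        # Allow + NotAction grants everything except the listed actions.
        patterns = ["NotAction"] if "NotAction" in stmt else [
            p for p in _as_list(stmt.get("Action"))
            if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for a in MUTATING_ACTIONS)
        ]
        findings.update((p, r) for p in patterns for r in resources)
    return sorted(findings)

# Constructed sample policies; "example-static-assets" is a placeholder bucket name.
BUCKET_OBJECTS = "acs:oss:*:*:example-static-assets/*"
READ_ONLY_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Resource": BUCKET_OBJECTS},
]})
OVERBROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:Get*", "oss:*Object"], "Resource": BUCKET_OBJECTS},
    {"Effect": "Deny", "Action": "oss:DeleteBucket", "Resource": "*"},
]})

if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_POLICY), ("over-broad", OVERBROAD_POLICY)):
        print(name, risky_oss_grants(doc) or "no write/delete grants")
```

An empty result means none of the listed write or delete actions is allowed; any returned pair names the action pattern and resource to tighten before the AccessKey pair is entered in the ESA console.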
Use the RAM console to authorize ESA to access private OSS buckets in the same account
Revoke authorization of ESA access to private buckets
What to do next
You can protect your resources by configuring Web Application Firewall (WAF) settings in ESA, such as Referer whitelists, Referer blacklists, and rate limiting rules. For more information, see WAF.