How do I use ECS instances to configure a reverse proxy to access OSS? - Object Storage Service

The IP address used to access an Object Storage Service (OSS) bucket by using DNS resolution dynamically changes. However, you may need to use a static IP address to access objects in the bucket in specific scenarios. In this case, you can configure an NGINX reverse proxy on an Elastic Compute Service (ECS) instance to access the bucket by using a static IP address. You can access the objects in the bucket by using port 80 of the public IP address of the reverse proxy. This way, you can access objects through a static IP address.

Benefits

After you configure an NGINX reverse proxy on an ECS instance, you can use the static IP address of the reverse proxy to forward the access requests to the internal endpoint of the region in which the bucket is located. The following items describe the benefits:

Static IP address access: Access by using the static IP address resolves the issue that the IP address of the default domain name of the bucket dynamically changes and is suitable for scenarios in which a static IP address must be used to meet the requirements of enterprise firewall whitelists and third-party system calls.
Enhanced security: The name of the bucket and the region in which the bucket is located are hidden and only the domain name or IP address of the ECS instance is exposed, which reduces the risk of directly exposing OSS.
Cost optimization: The ECS instance is located in the same region in which the bucket is located and can communicate with the bucket over the same internal network to reduce data transfer costs.

Procedure

Ubuntu

Note

In this example, an ECS instance that runs Ubuntu 18.04 (64-bit) is created. Make sure that the instance and the bucket that you want to access are located in the same region.

Step 1: Install NGINX

Create and connect to an ECS instance. For more information, see Create an instance on the Custom Launch tab in the ECS console and manage the instance.
Enable TCP port 80 of the ECS instance. By default, NGINX uses TCP port 80. Therefore, you must enable TCP port 80 when you configure a security group rule for the ECS instance. For more information, see Add a security group rule.
Run the following command to update the APT repository:
```
sudo apt-get update
```
Run the following commands to install NGINX:
```
sudo apt-get install nginx
```

Step 2: Configure NGINX

Run the following command to open the nginx.conf file:
```
sudo vi /etc/nginx/nginx.conf
```

Refer to the following parameters to modify the HTTP module in the nginx.conf file:

Important

In this example, a demo environment is used. To ensure data security, we recommend that you configure the HTTPS module based on your actual scenario. For more information, see Install SSL certificates on NGINX or Tengine servers.
You can configure a reverse proxy for only one bucket if you use this configuration method.

server {
        listen 80;
        server_name 47.**.**.73; 

        location / {
            proxy_pass http://bucketname.oss-cn-beijing-internal.aliyuncs.com;            
            proxy_http_version 1.1;
     }  
}

Parameter

Description

server_name

The IP address used to provide the reverse proxy service. Set this parameter to the public IP address of the ECS instance.

proxy_pass

The IP address of the proxy server, which specifies the endpoint of the bucket.

If the ECS instance and the bucket that you want to access are located in the same region, specify the internal endpoint of the bucket. Example: http://bucketname.oss-cn-beijing-internal.aliyuncs.com.
If the ECS instance and the bucket that you want to access are located in different regions, specify the public endpoint of the bucket. Example: http://bucketname.oss-cn-beijing.aliyuncs.com.

For more information about endpoints, see Endpoints.

Press the Esc key and enter :wq to save the changes and close the nginx.conf file.
Run the following command to test the status of the nginx.conf file:
```
nginx -t
```
Run the following command to restart NGINX and allow the configurations to take effect:
```
systemctl restart nginx
```

CentOS

You can skip the following steps and use template-based quick deployment to deploy a reverse proxy on a CentOS ECS instance.

Note

In this example, an ECS instance that runs CentOS 7.6 (64-bit) is created. Make sure that the ECS instance and the bucket that you want to access are located in the same region.

Step 1: Install NGINX

Create and connect to an ECS instance. For more information, see Create an instance on the Custom Launch tab in the ECS console and manage the instance.
Enable TCP port 80 of the ECS instance. By default, NGINX uses TCP port 80. Therefore, you must enable TCP port 80 when you configure a security group rule for the ECS instance. For more information, see Add a security group rule.
Run the following commands to install NGINX:
```
sudo yum install -y nginx
```

Step 2: Configure NGINX

Run the following command to open the nginx.conf file:
```
sudo vi /etc/nginx/nginx.conf
```

Refer to the following parameters to modify the HTTP module in the nginx.conf file:

Important

In this example, a demo environment is used. To ensure data security, we recommend that you configure the HTTPS module based on your actual scenario. For more information, see Install SSL certificates on NGINX or Tengine servers.
You can configure a reverse proxy for only one bucket if you use this configuration method.

server {
        listen 80;
        server_name 47.**.**.73; 

        location / {
            proxy_pass http://bucketname.oss-cn-beijing-internal.aliyuncs.com;            
            proxy_http_version 1.1;
     }  
}

Parameter

Description

server_name

The IP address used to provide the reverse proxy service. Set this parameter to the public IP address of the ECS instance.

proxy_pass

The IP address of the proxy server, which specifies the endpoint of the bucket.

If the ECS instance and the bucket that you want to access are located in the same region, specify the internal endpoint of the bucket. Example: http://bucketname.oss-cn-beijing-internal.aliyuncs.com.
If the ECS instance and the bucket that you want to access are located in different regions, specify the public endpoint of the bucket. Example: http://bucketname.oss-cn-beijing.aliyuncs.com.

For more information about endpoints, see Endpoints.

Press the Esc key and enter :wq to save the changes and close the nginx.conf file.
Run the following command to test the status of the nginx.conf file:
```
nginx -t
```
Run the following command to restart NGINX and allow the configurations to take effect:
```
systemctl restart nginx
```

Windows

Note

In this example, an ECS instance that runs Windows Server 2019 Datacenter 64-bit is used. Make sure that the instance and the bucket that you want to access are located in the same region.

Step 1: Install NGINX

Create and connect to an ECS instance. For more information, see Create an instance on the Custom Launch tab in the ECS console and manage the instance.
Enable TCP port 80 of the ECS instance. By default, NGINX uses TCP port 80. Therefore, you must enable TCP port 80 when you configure a security group rule for the ECS instance. For more information, see Add a security group rule.
Download the NGINX package and decompress the package. In this example, NGINX 1.19.2 is used.

Step 2: Configure NGINX

Important

In this topic, a demo environment is used as an example. To ensure data security, we recommend that you configure the HTTPS module based on your actual scenario. For more information, see Install SSL certificates on NGINX or Tengine servers.
You can configure a reverse proxy for only one bucket if you use this configuration method.

Go to the conf directory and open the nginx.conf file by using a Notepad.

Modify the content of the nginx.conf file.

server {
        listen 80;
        server_name 47.**.**.73; 

        location / {
            proxy_pass http://bucketname.oss-cn-beijing-internal.aliyuncs.com;            
            proxy_http_version 1.1;
     }  
}

Parameter

Description

server_name

The IP address used to provide the reverse proxy service. Set this parameter to the public IP address of the ECS instance.

proxy_pass

The IP address of the proxy server, which specifies the endpoint of the bucket.

If the ECS instance and the bucket that you want to access are located in the same region, specify the internal endpoint of the bucket. Example: http://bucketname.oss-cn-beijing-internal.aliyuncs.com.
If the ECS instance and the bucket that you want to access are located in different regions, specify the public endpoint of the bucket. Example: http://bucketname.oss-cn-beijing.aliyuncs.com.

For more information about endpoints, see Endpoints.

Go to the directory in which the NGINX executable file is located. Double-click nginx.exe to start NGINX.

Verify the results

You can add a public-read or public-read-write object path to the public IP address of the ECS instance to access the object. If the object can be accessed, the configurations are successful. For example, the following result is returned if you use http://ECS public IP address/demo.png to access the demo.png object.

Note

If the object access control list (ACL) is private, you must include a signature in the object URL. For more information, see (Recommended) Include a V4 signature in a URL.

Common parameters

You can refer to the following code to modify the HTTP module in the nginx.conf file based on your business scenario.

server {
        listen 80;
        server_name 47.**.**.73; 

        location / {
            proxy_pass http://bucketname.oss-cn-beijing-internal.aliyuncs.com;            
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_connect_timeout 15s;
            proxy_read_timeout 15s;
            proxy_send_timeout 15s;
            proxy_set_header Connection "";
            proxy_buffering off;
            proxy_request_buffering off;
     }  
}

Parameter	Required	Description
server_name	Yes	The IP address used to provide the reverse proxy service. Set this parameter to the public IP address of the ECS instance.
proxy_pass	Yes	The IP address of the proxy server, which specifies the endpoint of the bucket. If the ECS instance and the bucket that you want to access are located in the same region, specify the internal endpoint of the bucket. Example: `http://bucketname.oss-cn-beijing-internal.aliyuncs.com`. If the ECS instance and the bucket that you want to access are located in different regions, specify the public endpoint of the bucket. Example: `http://bucketname.oss-cn-beijing.aliyuncs.com`. For more information about endpoints, see Endpoints.
proxy_set_header Host	No	If you specify this parameter, the $host value is replaced with the IP address of the ECS instance when NGINX sends a request to OSS. You must specify this parameter in the following scenarios: Signature errors occur. The custom domain name that is mapped to the bucket is resolved to the public IP address of the ECS instance, and you need to preview image objects or web page objects in the bucket by using a browser. You can map the custom domain name to the bucket for which a reverse proxy is configured without adding a CNAME record for the custom domain name.
proxy_connect_timeout	No	The timeout period for the connection between NGINX and the backend server. This parameter determines the maximum timeout period for NGINX to establish a connection with the backend server. If the connection times out, NGINX returns an error message.
proxy_read_timeout	No	The timeout period for NGINX to read the response from the backend server. If the response cannot be read from the backend server before the timeout period ends, NGINX returns an error message. This is important for processing requests that may require a long response time.
proxy_send_timeout	No	The timeout period for NGINX to send request data to the backend server. This parameter is used to ensure that NGINX connects to the backend server when the request data is sent to the backend server before the connection times out or is explicitly closed.
proxy_set_header Connection	No	Specifies whether to add the Connection field to the request. If you set the `Connection` field in the request header to an empty string, NGINX does not add the `Connection` field to the request. This prevents the HTTP/1.1 persistent connection issues and ensures that NGINX connects to the backend server as expected.
proxy_buffering	No	Specifies whether NGINX caches data received from the backend server. If you set the parameter to on, NGINX immediately caches data and sends the data to the client from the cache If you set the parameter to off, NGINX immediately sends data to the client without caching data, which can reduce the latency, but may also increase bandwidth consumption.
proxy_request_buffering	No	Specifies whether NGINX waits for the entire request body to be fully received before forwarding it to the backend server. If you set the parameter to `off`, NGINX immediately forwards the received data without waiting for the entire request body to be received. This is suitable for scenarios that require high real-time performance.

Example: Use a browser to preview images or web page objects in a bucket

For security reasons, when you access an image or web page object in a bucket by using the default domain name of the bucket in a browser, the object is downloaded. To preview an image object or web page object by using a browser, map a custom domain name to the bucket in which the object is stored and add the custom domain name to the value of the proxy_pass parameter. For more information about how to map a custom domain name to a bucket, see Map a custom domain name to the default domain name of a bucket.

server {
        listen 80;
        server_name 47.**.**.73; 

        location / {
            proxy_pass http://static.example.com;
            proxy_http_version 1.1;
     }  
}