All Products
Search
Document Center

Object Storage Service:How do I use an ECS instance that runs CentOS to configure a reverse proxy for access to OSS?

Last Updated:Oct 09, 2024

The IP address used to access an Object Storage Service (OSS) bucket dynamically changes. You can configure a reverse proxy on an Elastic Compute Service (ECS) instance to access the bucket by using a static IP address.

Background information

OSS uses RESTful APIs to provide services. You can access an OSS bucket by using the default domain name of the bucket or a custom domain name that is mapped to the bucket. However, you may need to use a static IP address to access OSS in specific scenarios.

  • For security reasons, some enterprises need to configure outbound rules to specify that internal employees and business systems can access only specific public IP addresses. However, the IP addresses used to access a bucket in OSS dynamically change. In this case, enterprises need to frequently modify firewall rules to meet their requirements.

  • The network architecture of Alibaba Finance Cloud allows only requests from Alibaba Finance Cloud to access internal network-specific buckets in Alibaba Finance Cloud. Access requests from the Internet are denied.

To resolve these issues, you can use an ECS instance to configure a reverse proxy for access to OSS.

Procedure

Note

You can skip the following steps and use template-based quick deployment to deploy a reverse proxy on a CentOS ECS instance.

  1. Create an ECS instance.

    In this example, an ECS instance that runs CentOS 7.6 (64-bit) is created. Make sure that the ECS instance and the bucket you want to access are located in the same region.

    For more information, see Create an instance.

  2. Connect to an ECS instance.

    For information about how to connect to an ECS instance, see Create and manage an ECS instance by using the ECS console (express version).

  3. Run the following commands to install NGINX:

    sudo yum install -y nginx
    By default, the NGINX files are installed in the following paths.
    Directory Description
    /usr/sbin/nginx Stores the NGINX executable file.
    /etc/nginx Stores configuration files.
    /usr/share/nginx Stores static files.
    /var/log/nginx Stores logs.
  4. Run the following command to open the nginx.conf file:

    sudo vi /etc/nginx/nginx.conf
  5. Refer to the following instructions to modify the HTTP module in the nginx.conf file:

    Important
    • In this topic, a demo environment is used as an example. To ensure data security, we recommend that you configure the HTTPS module based on your actual scenario. For more information, see Install SSL certificates on NGINX or Tengine servers.

    • You can configure a reverse proxy for only one bucket if you use this configuration method.

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
    
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    
        location / {
            proxy_pass https://bucketname.oss-cn-beijing-internal.aliyuncs.com;
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_connect_timeout 15s;
            proxy_read_timeout 15s;
            proxy_send_timeout 15s;
            proxy_set_header Connection "";
            proxy_buffering off;
            proxy_request_buffering off;
        }
    }

    Parameter

    Description

    server_name

    The IP address used to provide the reverse proxy service. Set this parameter to the public IP address of the ECS instance.

    proxy_pass

    The domain name used for redirection.

    • If the ECS instance and the bucket that you want to access are located in the same region, specify the internal domain name of the bucket. For more information, see Access OSS over the internal network.

    • If the ECS instance and the bucket that you want to access are located in different regions, specify the public domain name of the bucket. For more information, see Access OSS over the public network.

    • If you want to preview an image object or web page object in a bucket by using a browser, take note of the following items: To ensure security, when you access an image object or web page object in a bucket by using the default domain name of the bucket in a browser, the object is downloaded. To preview an image object or web page object by using a browser, map a custom domain name to the bucket in which the object is stored and add the custom domain name to the value of the proxy_pass parameter. For more information, see Map custom domain names.

    proxy_set_header Host

    If you specify this parameter, the $host value is replaced with the IP address of the ECS instance when NGINX sends a request to OSS.

    You must specify this parameter in the following scenarios:

    • Signature errors occur.

    • The custom domain name that is mapped to the bucket is resolved to the public IP address of the ECS instance, and you need to preview image objects or web page objects in the bucket by using a browser. You can map the custom domain name to the bucket for which a reverse proxy is configured without adding a CNAME record for the custom domain name. In this case, you can set the proxy_pass parameter to the internal or public domain name of the bucket. For more information, see Map custom domain names.

    Note

    This parameter applies to scenarios in which a custom domain name is used to request access to a proxy server. If you use an IP address to directly request access to the proxy server, you must specify the proxy_set_header Host $host parameter in the nginx.conf file.

    proxy_connect_timeout

    The timeout period for the connection between Nginx and the backend server. If the connection times out, Nginx returns an error message.

    proxy_read_timeout

    The timeout period for Nginx to read the response from the backend server. If the response cannot be read from the backend server before the timeout period ends, NGINX returns an error message. This is important for processing requests that may require a long response time.

    proxy_send_timeout

    The timeout period for Nginx to send request data to the backend server. This parameter is used to ensure that Nginx connects to the backend server when the request data is sent to the backend server before the connection times out or is explicitly closed.

    proxy_set_header Connection

    Specifies whether to add the Connection field to the request. If you set the Connection field in the request header to an empty string, NGINX does not add the Connection header to the request. This prevents the HTTP/1.1 persistent connection issues and ensures that NGINX connects to the backend server as expected.

    proxy_buffering

    Specifies whether Nginx caches data received from the backend server. If you set the parameter to off, Nginx immediately sends data to the client without caching data, which can reduce latency, but may also increase bandwidth consumption.

    proxy_request_buffering

    Specifies whether Nginx waits for the entire request body to be fully received before forwarding it to the backend server. If you set the parameter to off, NGINX immediately forwards the received data without waiting for the entire request body to be received. This is suitable for scenarios that require high real-time performance.

  6. Run the following command to go to the directory of the NGINX executable file:

    cd /usr/sbin/
  7. Run the following command to start NGINX:

    sudo ./nginx
  8. Enable TCP port 80 of the ECS instance.

    By default, NGINX uses TCP port 80. Therefore, you must enable TCP port 80 when you configure a security group rule for the ECS instance.

    For more information, see Add a security group rule.

  9. Add the object path to the public IP address of the ECS instance to access OSS resources.

    In this example, the default domain name is used. When you use a local browser to access OSS resources, OSS resources are automatically downloaded. If you want to preview the OSS resources that you access, you must use a custom domain name when you configure the proxy_pass parameter.

    Note

    If the object access control list (ACL) is private, you must sign the object URL. For more information, see Include a V1 signature in a URL.

References