How to Configure AWS S3 as Origin Site on Alibaba Cloud CDN
By Joon Park, Solutions Architect
Scenario Description
Alibaba Cloud Content Delivery Network (CDN) is a scalable and high-performance content delivery service for accelerated distribution of content to users across the globe. CDN is commonly used with Alibaba Cloud’s Object Storage Service (OSS) to accelerate large files and other static content for websites.
However, CDN is not limited to OSS; CDN can be used to accelerate files hosted on third party platforms, such as in a multi-cloud scenario. In this scenario, traffic flows from Clients to Alibaba Cloud CDN, which will then be forwarded to AWS S3. Both HTTP and HTTPS protocols are supported in this solution. For this solution to work, the AWS S3 bucket is assumed to be properly configured with access policy with HTTP referer.
Step 1: Verify Public Address and Access Permission on S3 Bucket
1. Take note of your S3 public end-point address and bucket name as your origin site.
- AWS console > Services > Storage > S3 > Your bucket name
- In this guide, the S3 public end-point address is “s3.ap-northeast-2.amazonaws.com” and bucket name is “ali-cdn-test”
2. Make sure your S3 bucket has “Public Access” permission. At the end of this guide, we will apply HTTP referer policy on S3 bucket to protect unauthorized access from any IP or Address.
3. Perform a pre-test on your S3 bucket through your browser with S3 public end-point address.
- In this scenario, hit the URL https://s3.ap-northeast-2.amazonaws.com/ali-cdn-test/15mb.jpg
Step 2: Add and Configure Alibaba Cloud CDN with AWS S3 Public Address
1. Go to the CDN console on Alibaba Cloud
- Alibaba Cloud console > CDN > Domain Names > Add Domain Name
2. Add and configure your service domain
- Domain: your service domain, “test.test.com”
- Origin Site Information: “Origin Site”
- Domain Name: your S3 public address, in this guide: “s3.ap-northeast-2.amazonaws.com”
- “Acceleration Region” options can be selected based on your own needs
3. Additional configure for AWS S3 as origin site
- Domain Names > Your service Domain > Manage > Back-to-Origin Configuration > Back-to-origin Host > Enable > Domain Type > Origin Site
Step 3: Configure CNAME Record on Your DNS
1. Take a note CNAME record from CDN console on Alibaba Cloud. In this guide, I will use “test.test.com.w.kunlunsl.com”
2. Update CNAME record of your service domain on DNS
- Detailed steps are described in this document: Update DNS settings
3. Verify CNAME record is working correctly
- Please make sure “Exclamation mark” is removed from CDN console”.
- DIG command with your service domain has right CNAME record.
Step 4: Validate
1. Input your service domain with S3 bucket name,http://service-domain/s3-bucket-name/filename
- In this scenario, http://test.test.com/ali-dns-test/15mb.jpg
- If you already apply “SSL certification” on this service domain, you can input https protocol. You can find “SSL protocol enable guide” at the end of this document.
Step 5: Security Hardening
1. Apply SSL certification and enable HTTPS protocol on Alibaba Cloud CDN
2. Configure ACL (Access Control List) policy on S3 Public Bucket
In case of AWS S3 with Alibaba CDN, this is a mandatory security hardening task, not optional. Please make sure your S3 bucket must be accessed from limited service domain, not from any public address.
{
"Id": "Alibaba CDN with AWS S3 http referer policy",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::ali-cdn-test/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://test.test.com/*"
}
}
}
]
}
