Last updated: 2019-08-29 11:21:16
CDN acceleration is used to speed up the download and delivery of COS bucket content, especially if the same content is downloaded repeatedly.
You can manage the following domain names to quickly download and deliver objects in buckets:
- Default domain: This is the COS origin server's domain name, which is automatically generated based on the bucket name and region when the bucket is created. It should be distinguished from the default accelerated domain name.
- Default accelerated domain: This is the domain name passing through CDN acceleration nodes and is generated by the system. You can choose to enable/disable it.
- Custom accelerated domain: You can bind the registered custom domain name to the bucket on Tencent Cloud's domestic CDN acceleration platform, and access the objects in the bucket via the custom domain name.
- Custom origin domain: You can bind the registered custom domain name to the current bucket, and access the objects in the bucket via the custom domain name.
You must activate CDN acceleration to use a custom domain name supported by COS:
- Domain names bound to CDN Mainland China need ICP filing, but the filing does not need to be done through Tencent Cloud.
- Domain names bound to CDN Outside Mainland China do not need ICP filing, but note that the data and operations on Tencent Cloud still need to comply with the laws and regulations of relevant countries/regions and the Tencent Cloud Service Agreement.
With CDN acceleration enabled for the default accelerated domain name or the custom domain name, if the origin server is a public-read bucket, the objects in the origin server can be accessed directly via the CDN accelerated domain name or the custom domain name; if the origin server is a private-read bucket, it is recommended to enable the CDN origin-pull authentication and CDN authentication configuration options.
- Origin-pull authentication (CDN service authorization must be added before it can be enabled): If the data requested by a user is not cached in the edge node, CDN fetches the data from the origin server. If COS is used as the origin server and origin-pull authentication is enabled, the CDN edge server accesses the COS origin server using a special service identity (which must be authorized by CDN service) to acquire and cache the data in the private bucket.
- CDN authentication: When a user attempts to acquire cached data by accessing an edge server, the edge server verifies the authentication field in the accessed URL based on the authentication configuration rules. This prevents unauthorized access and provides hotlink protection, improving the security and reliability of the data cached in the edge server.
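The edge-side check described under CDN authentication, as an added example that is not from the original page or from Tencent Cloud. The signature format (HMAC-SHA256 over path and expiry, carried in `expires` and `sign` query parameters), the key and the function names are assumptions for illustration, not the CDN's actual authentication rules.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed scheme for illustration only (not Tencent Cloud CDN's real format):
#   sign = hex(HMAC-SHA256(key, "<path>\n<expires>")), sent as ?expires=..&sign=..
SECRET_KEY = b"constructed-demo-key"  # constructed sample value


def _mac(path: str, expires: str, key: bytes) -> str:
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int, key: bytes = SECRET_KEY) -> str:
    """Application side: issue a URL that is valid until `expires` (Unix time)."""
    return f"{path}?expires={expires}&sign={_mac(path, str(expires), key)}"


def verify_url(url: str, now: Optional[int] = None,
               key: bytes = SECRET_KEY) -> Tuple[bool, str]:
    """Edge side: return (allowed, reason) for a requested URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # Reject missing or repeated fields instead of guessing which one to trust.
    if len(query.get("expires", [])) != 1 or len(query.get("sign", [])) != 1:
        return False, "missing or duplicated authentication field"
    expires_raw, sign = query["expires"][0], query["sign"][0]
    if not (expires_raw.isascii() and expires_raw.isdigit()):
        return False, "malformed expiry"
    expected = _mac(parts.path, expires_raw, key)
    # Verify the signature first, in constant time, so that only values the
    # signer actually covered (path and expiry) influence the decision.
    if not hmac.compare_digest(expected.encode(), sign.encode()):
        return False, "bad signature"
    if int(expires_raw) < now:
        return False, "expired"
    return True, "ok"
```

Because the path and the expiry are both inside the signed string, a link copied to another object or given a later expiry fails verification at the edge.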
CDN authentication configuration and CDN origin-pull authentication do not conflict with each other, but whether to enable them can affect the level of data protection, as shown below:
| Bucket access permission | CDN origin-pull authentication | CDN authentication configuration | Origin server can be accessed via CDN accelerated domain name | Origin server can be accessed via COS origin server's domain name | Scenarios |
|---|---|---|---|---|---|
| Public read | Disabled | Disabled | Yes | Yes | Public read globally |
| Public read | Disabled | Enabled | URL authentication is required | Yes | Not recommended |
| Public read | Enabled | Disabled | No | Yes | Not recommended |
| Public read | Enabled | Enabled | URL authentication is required | Yes | Not recommended |
| Private read + CDN service authorization | Enabled | Enabled | URL authentication is required | COS authentication is required | Protection throughout link |
| Private read + CDN service authorization | Disabled | Enabled | URL authentication is required | COS authentication is required | Not recommended |
| Private read + CDN service authorization | Enabled | Disabled | Yes | COS authentication is required | Origin server protection |
| Private read + CDN service authorization | Disabled | Disabled | No | COS authentication is required | Not recommended |
| Private read | Disabled | Enabled or disabled | No | COS authentication is required | CDN is unavailable |
- For the first row of the above table, if the bucket access permission in the origin server is public read, and neither CDN origin-pull authentication nor CDN authentication configuration is enabled, then CDN edge servers and buckets in the origin server can be accessed directly via the CDN domain name, and buckets in the origin server can be accessed directly via the COS domain name.
- After CDN acceleration is enabled for a domain name, anyone can directly access the origin server via the domain name. Therefore, if you need to keep your data private, be sure to protect your data in the origin server through Authentication Configuration.