Overview

Last updated: 2019-08-29 11:21:16

CDN acceleration is used to speed up the download and delivery of COS bucket content, especially if the same content is downloaded repeatedly.

Setup Instructions

You can manage the following domain names to quickly download and deliver objects in buckets:

  • Default domain: This is the COS origin server's domain name, which is automatically generated based on the bucket name and region when the bucket is created. It should be distinguished from the default accelerated domain name.
  • Default accelerated domain: This is the system-generated domain name that passes through CDN acceleration nodes. You can choose to enable or disable it.
  • Custom accelerated domain: You can bind a registered custom domain name to the bucket on Tencent Cloud's domestic CDN acceleration platform, and access the objects in the bucket via the custom domain name.
  • Custom origin domain: You can bind a registered custom domain name to the current bucket, and access the objects in the bucket via the custom domain name.

You must activate CDN acceleration to use a custom domain name supported by COS:

  1. Domain names bound to CDN Mainland China need ICP filing, but the filing does not need to be done through Tencent Cloud.
  2. Domain names bound to CDN Outside Mainland China do not need ICP filing, but note that the data and operations on Tencent Cloud still need to comply with the laws and regulations of relevant countries/regions and the Tencent Cloud Service Agreement.

With CDN acceleration enabled for the default accelerated domain name or the custom domain name, access depends on the permission of the origin bucket. If the origin server is a public-read bucket, the objects in the origin server can be accessed directly via the CDN accelerated domain name or the custom domain name. If the origin server is a private-read bucket, it is recommended to enable the CDN origin-pull authentication and CDN authentication configuration options.

  • Origin-pull authentication (CDN service authorization must be added before it can be enabled): If the data requested by a user is not cached in the edge node, CDN fetches the data from the origin server. If COS is used as the origin server and origin-pull authentication is enabled, the CDN edge server accesses the COS origin server using a special service identity (which must be authorized by CDN service) to acquire and cache the data in the private bucket.
  • CDN authentication: When a user attempts to acquire cached data by accessing an edge server, the edge server verifies the authentication field in the accessed URL based on the authentication configuration rules. This prevents unauthorized access and provides hotlink protection, improving the security and reliability of the data cached in the edge server.
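The edge-side check described under CDN authentication, as an added example that is not part of the original page and is not Tencent Cloud's code or signature format. The `t` and `sign` parameter names, the HMAC-SHA256 construction, the key, the 300-second lifetime and the 30-second clock skew are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed key for illustration; a real key lives in the CDN authentication configuration.
SECRET_KEY = b"constructed-example-key"
MAX_TTL = 300     # seconds a signed link stays valid (assumed policy)
CLOCK_SKEW = 30   # tolerated clock difference between signer and edge (assumed)


def _mac(path: str, timestamp: int) -> str:
    """HMAC over path and timestamp, binding a signature to one object and one issue time."""
    msg = f"{path}\n{timestamp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, now: int) -> str:
    """Application side: issue a link carrying the authentication fields."""
    return f"{path}?t={now}&sign={_mac(path, now)}"


def verify_url(url: str, now: int) -> tuple[bool, str]:
    """Edge side: decide whether a request for cached data is authorized."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if len(query.get("t", [])) != 1 or len(query.get("sign", [])) != 1:
        return False, "missing or duplicated authentication field"
    try:
        timestamp = int(query["t"][0])
    except ValueError:
        return False, "malformed timestamp"
    if timestamp > now + CLOCK_SKEW:
        return False, "timestamp in the future"
    if now - timestamp > MAX_TTL:
        return False, "link expired"
    expected, supplied = _mac(parts.path, timestamp), query["sign"][0]
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    link = sign_url("/videos/a.mp4", issued)
    print(verify_url(link, issued + 60))                            # valid link
    print(verify_url(link.replace("a.mp4", "b.mp4"), issued + 60))  # reused on another object
    print(verify_url(link, issued + 3600))                          # replayed after expiry
```

Because the path is part of the signed message, a link issued for one object cannot be reused to fetch another, which is the hotlink protection the edge check provides.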

CDN authentication configuration and CDN origin-pull authentication do not conflict with each other, but whether each is enabled affects the level of data protection, as shown below:

| Bucket access permission | CDN origin-pull authentication | CDN authentication configuration | Origin server can be accessed via CDN accelerated domain name | Origin server can be accessed via COS origin server's domain name | Scenarios |
|---|---|---|---|---|---|
| Public read | Disabled | Disabled | Yes | Yes | Public read globally |
| Public read | Disabled | Enabled | URL authentication is required | Yes | Not recommended |
| Public read | Enabled | Disabled | No | Yes | Not recommended |
| Public read | Enabled | Enabled | URL authentication is required | Yes | Not recommended |
| Private read + CDN service authorization | Enabled | Enabled | URL authentication is required | COS authentication is required | Protection throughout link |
| Private read + CDN service authorization | Disabled | Enabled | URL authentication is required | COS authentication is required | Not recommended |
| Private read + CDN service authorization | Enabled | Disabled | Yes | COS authentication is required | Origin server protection |
| Private read + CDN service authorization | Disabled | Disabled | No | COS authentication is required | Not recommended |
| Private read | Disabled | Enabled or disabled | No | COS authentication is required | CDN is unavailable |

  • For the first row of the above list, if the bucket access permission in origin server is public read, and neither CDN origin-pull authentication nor CDN authentication configuration is enabled, then CDN edge servers and buckets in origin server can be accessed directly via the CDN domain name, and buckets in origin server can be accessed directly via the COS domain name.
  • After CDN acceleration is enabled for a domain name, anyone can directly access the origin server via the domain name. Therefore, if you need to keep your data private, be sure to protect your data in the origin server through Authentication Configuration.

The relevant operation