Accelerating COS with CDN lets you download and deliver the content in a bucket at scale, especially in use cases where the same content is downloaded repeatedly. With the origin-pull authentication feature, the delivery of content in a Public-Read bucket can be accelerated using CDN, and with the CDN authentication feature, the content can only be downloaded by legitimate users, which avoids the data security problems and high traffic costs caused by unrestricted download access.
Content Delivery Network (CDN) is a layer of network architecture built on the Internet that is composed of globally distributed servers which work together to provide faster delivery of Internet content. These high-performance cache nodes store your Internet content based on a certain caching policy. When your user makes a request for your Internet content, the request will be routed to the server closest to the user. Then the server responds to the request directly, greatly reducing the user's access delay and improving availability.
Caching and origin-pull both occur on a CDN. When a user accesses a URL, if the requested content is not cached on the edge server that receives the request, or the cached content has expired, the edge server goes back to the origin server to get the content.
An access node is an access domain name that is assigned to a bucket based on the region and name of the bucket when it is created. The domain name can be used to access the data in the bucket.
If the static website feature is enabled, you can get an access node for a static website to present the specially configured response content that is different from that of the default node.
`<bucketname>-<APPID>.cos.<region>.myqcloud.com`. It is suitable for RESTful API calls. With an XML access node, you can configure a bucket or upload/download objects as described in API documentation.
`<bucketname>-<APPID>.cos-website.<region>.myqcloud.com` is provided. Static websites support special index pages (IndexPage), error pages (ErrorPage), and redirects, and only allow the download of objects. You can obtain content through static website nodes.
You can accelerate access to COS by managing the following two domain names:
`<bucketname>-<APPID>.file.mycloud.com`). You can enable or disable it at your option.
Notes:
Default accelerated domain name and custom domain name can be collectively referred to as CDN accelerated domain names.
When a bucket is set to allow public access, and the CDN origin server is set to the COS access node, the CDN edge servers can acquire and cache the object data in the bucket without you enabling origin-pull authentication.
You can provide limited protection for the data in the bucket by enabling Authentication Configuration in the CDN Console. The protection is limited because, regardless of whether this feature is enabled in the CDN, users who know the bucket access domain name can access all objects in the bucket. The following table shows whether a public-read bucket can be accessed via each domain name when CDN authentication is enabled or disabled:
CDN Authentication | CDN Accelerated Domain Name | COS Domain Name | Scenarios |
---|---|---|---|
Disabled (default) | Yes | Yes | Public access to the entire website via CDN or origin server is allowed. |
Enabled | URL authentication is required | Yes | Hotlink protection is enabled for access via CDN, but not for access via the origin server (not recommended). |
When a bucket defaults to Private Read, and the CDN origin server is set to the COS access node, the CDN edge nodes are unable to get and cache any data. Therefore, you need to add the CDN service identity to the Bucket Policy and authorize the identity to perform the following operations:
You can complete quick authorization in both the CDN Console and the COS Console by simply clicking Add CDN Service Authorization. Then you need to enable Origin-Pull Authentication. After that, a CDN edge server can access the data in the COS with its service identity.
Notes:
- If the bucket is set to Private Read, you must add an authorization and enable origin-pull authentication, otherwise COS will deny the access to it.
- A CDN edge server will generate a unique service account for each root account. Therefore, the account authorization is only valid for the root account to which the accelerated domain name belongs. Cross-account binding of an accelerated domain name will cause the access via the domain name to be denied.
After the CDN service authorization is added and origin-pull authentication is enabled, the CDN edge nodes are able to directly get and cache the data. Therefore, it is highly recommended to enable Authentication Configuration to protect the private data in a bucket. The following table shows whether a private-read bucket can be accessed via each domain name when CDN authentication is enabled or disabled:
CDN Authentication | CDN Accelerated Domain Name | COS Domain Name | Scenarios |
---|---|---|---|
Disabled (default) | Yes | COS authentication is required | Direct access to CDN domain names is allowed to protect the data on origin server. |
Enabled | URL authentication is required | COS authentication is required | Full stack strict SSL secured connection. Hotlink protection for CDN authentication is supported. |
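The two tables and the notes above can be turned into a configuration audit. The following is an added example, not code from Tencent Cloud or this page: the `Binding` record, its field names and the sample inventory are constructed for illustration, and in practice you would fill them from your own COS and CDN configuration export.

```python
from dataclasses import dataclass

@dataclass
class Binding:  # hypothetical inventory record, one per bucket/accelerated-domain pair
    bucket: str
    acl: str                # "public-read" or "private"
    cdn_auth: bool          # CDN Authentication Configuration (URL authentication)
    origin_pull_auth: bool  # CDN Origin-Pull Authentication
    cdn_authorized: bool    # CDN service identity added to the bucket policy
    bucket_owner: str       # root account that owns the bucket
    domain_owner: str       # root account that owns the accelerated domain name

def audit(b):
    """Return (severity, finding) pairs for one binding."""
    if b.acl == "public-read":
        if b.cdn_auth:
            return [("HIGH", "CDN URL authentication can be bypassed: the COS domain "
                             "name serves every object without authentication")]
        return [("INFO", "objects are public via both the CDN and COS domain names")]
    # Private-read bucket: origin-pull must be authorized before anything is served.
    if b.bucket_owner != b.domain_owner:
        return [("ERROR", "cross-account binding: the CDN service authorization is "
                          "only valid for the domain's own root account")]
    if not (b.cdn_authorized and b.origin_pull_auth):
        return [("ERROR", "COS denies origin-pull: add the CDN service authorization "
                          "and enable origin-pull authentication")]
    if not b.cdn_auth:
        return [("HIGH", "private objects are readable by anyone through the CDN "
                         "accelerated domain name; enable Authentication Configuration")]
    return []  # URL authentication on the CDN side, COS authentication at the origin

# Constructed sample inventory (account IDs and bucket names are placeholders).
INVENTORY = [
    Binding("site-assets", "public-read", False, False, False, "100001", "100001"),
    Binding("paid-media", "public-read", True, False, False, "100001", "100001"),
    Binding("invoices", "private", False, True, True, "100001", "100001"),
    Binding("backups", "private", True, True, False, "100001", "100001"),
    Binding("shared-logs", "private", True, True, True, "100001", "100002"),
    Binding("user-uploads", "private", True, True, True, "100001", "100001"),
]

def report(inventory):
    """Map bucket name -> list of severities, for dashboards or CI gates."""
    return {b.bucket: [sev for sev, _ in audit(b)] for b in inventory}

if __name__ == "__main__":
    for b in INVENTORY:
        for sev, msg in audit(b):
            print(f"{sev:5} {b.bucket}: {msg}")
```

Only the last record, a private-read bucket with service authorization, origin-pull authentication and CDN authentication all in place under one root account, comes back with no findings.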