Object Storage (OSS)
What is object storage
Object Storage (e.g., AWS S3) is an unstructured data storage service designed for storing and managing massive amounts of files like images, videos, documents, and logs. Using object storage as an origin is typically suitable for static content acceleration (files hosted directly in object storage buckets), low-cost storage solutions, or serverless architectures.
Why Use Object Storage as Origin
Object storage offers high availability, low cost, and easy scalability.
1. OSS supports high-concurrency reads, making it ideal for handling traffic spikes.
2. Its security and access control features effectively prevent resource hotlinking.
3. Simplified operations: it scales automatically with business needs without manual intervention.
Using Object Storage with CDN
Architecture Diagram
How to Add OSS to LightCDN? (Where to Get Authorization Parameters?)
Navigate to Object Storage → Third-party Object Storage, click Authorize Access, and enter the parameters obtained from third-party platforms as shown below:
AWS S3 Parameter Guide
Parameter | Guidance |
---|---|
Name | Only used for platform identification, not the third-party bucket name. |
Third-party platform | Currently only AWS S3 is available. Other platforms will be supported later. |
Access key ID (AK) + Secret access key (SK) | Credentials for user authentication and authorization, commonly used in cloud platforms or API services. How to obtain: 1. Click account avatar → Security Credentials. 2. Select IAM → Users → Create user. 3. Enter a username specifically for S3 authorization. 4. For permissions → Add user to group. 5. Set the permission boundary by selecting "Use boundary to control maximum permissions" and search for "AmazonS3FullAccess", meaning this sub-account can only access S3 buckets. 6. Complete the creation process. 7. Return to Users → select the username to view details. 8. Security credentials → Create access key. 9. Select "Third-party service". 10. Important: the secret key is only displayed once; save it immediately. |
Region | Corresponds to the AWS region of your S3 bucket. See the bucket list for the region. |
Access method | Two options available: 1. Specific Bucket: authorize one bucket only by entering its exact name (matches the S3 bucket list name). 2. Specific Path: bind only to a directory within a bucket (e.g., bucket-name.oss-cn-hangzhou.aliyuncs.com/path/to/dir/). The CDN can only access files in this directory, with automatic path prefix handling (requesting /file actually fetches /path/to/dir/file from the origin). Ideal for directory-based isolation or multi-service bucket sharing. |
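The "Specific Path" access method above maps each CDN request path onto an object key under the bound directory. The following added example (not LightCDN's own code) shows that mapping as a function, together with the checks a safe implementation of the prefix handling must make: percent-decoding before inspection, rejection of ".." segments, and a final containment check. The prefix and request paths are constructed sample values.

```python
from posixpath import normpath
from urllib.parse import unquote


def origin_key(request_path: str, bound_prefix: str) -> str:
    """Return the object key the origin is asked for.

    request_path  - path of the request the CDN received, e.g. "/file"
    bound_prefix  - directory bound in the access method, e.g. "path/to/dir/"

    Nothing is stripped from the request; the bound prefix is prepended,
    so a request for /file fetches path/to/dir/file from the bucket.
    """
    prefix = bound_prefix.strip("/")
    # Decode percent-encoding first so "%2e%2e" is seen as ".." and can be
    # refused; a silently remapped traversal hides misconfigured clients.
    decoded = unquote(request_path)
    if ".." in decoded.split("/"):
        raise ValueError(f"traversal segment in request path: {request_path!r}")
    # Collapse "." segments and duplicate slashes; an absolute path stays
    # absolute under normpath, so the result is always rooted at "/".
    cleaned = normpath("/" + decoded.lstrip("/"))
    if cleaned == "/":
        raise ValueError("request names the bound directory itself, not an object")
    key = f"{prefix}{cleaned}" if prefix else cleaned.lstrip("/")
    # Containment check: the key must stay inside the bound directory.
    if prefix and not key.startswith(prefix + "/"):
        raise ValueError(f"request escapes the bound directory: {request_path!r}")
    return key


if __name__ == "__main__":
    # Constructed sample requests against the directory binding from the table.
    for path in ("/file", "img//logo.png", "/..%2F..%2Fsecret"):
        try:
            print(f"{path!r} -> {origin_key(path, 'path/to/dir/')}")
        except ValueError as exc:
            print(f"{path!r} -> rejected: {exc}")
```

Binding a sub-account to a single directory only isolates what the CDN can reach if the prefix handling itself cannot be escaped, which is why the function refuses traversal segments rather than normalising them away.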
Key Configurations
Parameter | Guidance |
---|---|
Origin server hostname | When origin is object storage, typically select "Custom" and enter the bucket domain as Host header. Since the accelerated domain differs from origin domain, object storage providers rely on Host header for validation. Recommendation: Set origin hostname to custom domain using bucket endpoint (e.g., bucket-name.s3.us-east-1.amazonaws.com) as Host header. This ensures proper routing and authentication. |
Cache Policy | Set appropriate cache expiration - 7 days recommended for static files. |
Security Hardening | ● Enable CDN authentication (e.g., URL signing, Hotlink policy). ● Configure a Bucket Policy on OSS to restrict access to CDN IP ranges only. |
Configuration Validation
Origin Test
Access your accelerated domain and verify HTTP 200 response.
If it fails, check the AK/SK permissions, or verify that the bucket policy is not blocking the CDN edge servers.
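The origin test above, and the Host header guidance in the Key Configurations table, can be reproduced from a script. The following added example (not LightCDN's own tooling) sends a HEAD request with an explicit Host header set to the bucket endpoint, the way the CDN edge does, and classifies the status code into the checks listed in this section. A stub origin that validates the Host header like object storage does is started locally so the script runs offline; for a real check, point `probe_origin()` at the accelerated domain. The bucket endpoint and domain names are constructed placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def diagnose(status: int) -> str:
    """Map an origin status to the check this section asks for."""
    if status == 200:
        return "ok: origin reachable and object served"
    if status == 403:
        return "forbidden: check AK/SK permissions, or a bucket policy blocking the CDN edge IPs"
    if status == 404:
        return "not found: check the bucket/path binding and the object key"
    if 500 <= status < 600:
        return "origin error: retry, then check the bucket endpoint and region"
    return f"unexpected status {status}"


def probe_origin(url: str, host_header: str, timeout: float = 5.0) -> tuple[int, str]:
    """HEAD the url with an explicit Host header; return (status, hint).

    Object storage routes and authorises on the Host header, so it must
    carry the bucket endpoint (e.g. bucket-name.s3.us-east-1.amazonaws.com),
    not the accelerated domain.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        # Passing Host explicitly stops http.client from adding its own.
        conn.request("HEAD", parts.path or "/", headers={"Host": host_header})
        status = conn.getresponse().status
    finally:
        conn.close()
    return status, diagnose(status)


class _StubOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for the bucket: wrong Host -> 403, unknown key -> 404."""
    EXPECTED_HOST = "example-bucket.s3.us-east-1.amazonaws.com"  # placeholder endpoint

    def do_HEAD(self):
        if self.headers.get("Host") != self.EXPECTED_HOST:
            self.send_response(403)
        elif self.path == "/index.html":
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo() -> dict:
    """Start the stub origin on an ephemeral port and probe it three ways."""
    server = HTTPServer(("127.0.0.1", 0), _StubOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "correct_host": probe_origin(base + "/index.html", _StubOrigin.EXPECTED_HOST)[0],
            "wrong_host": probe_origin(base + "/index.html", "cdn.example.com")[0],
            "missing_object": probe_origin(base + "/missing.png", _StubOrigin.EXPECTED_HOST)[0],
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status} -> {diagnose(status)}")
```

The "wrong_host" case is the one that is easy to miss: the bucket exists and the credentials are fine, but an origin hostname left at the accelerated domain produces the same 403 as a bad AK/SK, so check the Host setting before rotating keys.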
Security Recommendations
Principle of Least Privilege
This tutorial uses dedicated RAM sub-accounts with object-storage-only permissions. Advanced users may configure custom permissions.
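The custom permissions this section leaves to advanced users, and the bucket policy restricted to CDN IP ranges from the Security Hardening row of the Key Configurations table, are shown together in the following added example (not LightCDN's or AWS's own code). It builds an IAM identity policy for the dedicated sub-account that allows only reading one bucket or directory (tighter than the AmazonS3FullAccess boundary used in the tutorial), a bucket policy that admits that sub-account only from the CDN edge ranges, and a small evaluator for the `aws:SourceIp` conditions so the ranges can be sanity-checked before the policy is applied. The bucket name, account id, user name and CIDRs are constructed placeholders.

```python
import ipaddress
import json

BUCKET = "example-cdn-origin"                              # placeholder bucket name
CDN_USER_ARN = "arn:aws:iam::123456789012:user/cdn-origin"  # placeholder sub-account
CDN_EDGE_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]    # placeholder ranges (TEST-NET)


def read_only_identity_policy(bucket: str, prefix: str = "") -> dict:
    """IAM policy for the sub-account: list the bucket, read objects, nothing else.

    ListBucket is kept on purpose: without it S3 answers a missing key with
    403 instead of 404, which makes the 403 troubleshooting step ambiguous.
    """
    p = prefix.strip("/")
    list_stmt = {
        "Sid": "ListOnlyTheOriginBucket",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if p:  # confine listing to the bound directory as well
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{p}/*"]}}
    read_stmt = {
        "Sid": "ReadObjectsUnderPrefix",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/{p + '/' if p else ''}*",
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, read_stmt]}


def cdn_only_bucket_policy(bucket: str, cdn_user_arn: str, cidrs: list[str]) -> dict:
    """Bucket policy: the CDN sub-account may read, but only from the edge ranges."""
    for c in cidrs:
        ipaddress.ip_network(c)  # raises ValueError on a malformed range
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCdnPrincipalFromEdgeRanges",
                "Effect": "Allow",
                "Principal": {"AWS": cdn_user_arn},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
            },
            {
                "Sid": "DenyCdnPrincipalFromElsewhere",
                "Effect": "Deny",
                "Principal": {"AWS": cdn_user_arn},
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
            },
        ],
    }


def _in_any(ip: ipaddress._BaseAddress, cidrs: list[str]) -> bool:
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def source_ip_allowed(policy: dict, source_ip: str) -> bool:
    """Evaluate only the aws:SourceIp conditions of the policy.

    Simplified on purpose: principal, action and resource matching are not
    modelled. The IAM rule that matters here is kept: an explicit Deny
    wins, otherwise a matching Allow admits the request.
    """
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if "IpAddress" in cond:
            matched = _in_any(ip, cond["IpAddress"]["aws:SourceIp"])
        elif "NotIpAddress" in cond:
            matched = not _in_any(ip, cond["NotIpAddress"]["aws:SourceIp"])
        else:
            matched = True
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(read_only_identity_policy(BUCKET, "path/to/dir/"), indent=2))
    bucket_policy = cdn_only_bucket_policy(BUCKET, CDN_USER_ARN, CDN_EDGE_RANGES)
    print(json.dumps(bucket_policy, indent=2))
    for ip in ("203.0.113.7", "192.0.2.1"):
        print(ip, "allowed" if source_ip_allowed(bucket_policy, ip) else "denied")
```

The explicit Deny statement is what makes the IP restriction hold even if another policy later grants the same principal broader access; an Allow with an IP condition alone only narrows that one grant. Replace the placeholder ranges with the edge ranges published by the CDN provider, and re-run the evaluator whenever those ranges change.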
Regular AK/SK Rotation
Periodically update credentials and synchronize in LightCDN console.
Enable CDN Authentication
Combine with URL signing to prevent hotlinking.
Troubleshooting
403 Origin Errors?
Verify AK/SK correctness or check RAM permissions.
Cache Inconsistency Between CDN and OSS?
Align CDN cache TTL with OSS update frequency, or manually purge CDN cache after OSS updates.