---
title: Alibaba Object Storage Service
summary: null
url: >-
  https://www.fastly.com/documentation/guides/integrations/non-fastly-services/alibaba-object-storage-service
---

[Alibaba Object Storage Service](https://www.alibabacloud.com/product/oss) (OSS) can be used as an [origin](https://www.fastly.com/documentation/guides/getting-started/hosts/working-with-hosts) for Fastly for both public and [private content](https://www.fastly.com/documentation/guides/integrations/non-fastly-services/alibaba-object-storage-service#using-oss-with-private-objects).

## Using OSS as an origin

To use OSS as an origin, follow the steps below.

### Setting up and configuring your OSS account

1. Sign up for [Alibaba Object Storage Service](https://www.alibabacloud.com/product/oss).

2. [Create a bucket](https://www.alibabacloud.com/help/doc-detail/31885.html) to store your origin's data.

   ![Alibaba Object Storage Service New Bucket window](/img/alibaba-object-storage-service-new-bucket.png)

3. Fill out the **Create Bucket** fields as follows:
   - In the **Bucket Name** field, enter a name for your bucket. Remember the name you enter. You'll need it to connect your bucket to your Fastly service.
   - From the **Region** menu, [select a location](https://www.fastly.com/documentation/guides/concepts/shielding/#choosing-a-shield-location) to store your content. Most customers select a region close to the POP they specify for [shielding](https://www.fastly.com/documentation/guides/getting-started/hosts/shielding).
   - From the **Storage Class** options, select **Standard**.
   - From the **Access Control List (ACL)** options, select **Public Read**.
   - _(Optional)_ Select other options, such as **Server-side Encryption** and **Scheduled Backup**.

4. Click **OK**.

### Uploading files to your bucket

Once you've created your bucket, select it and then navigate to the Files tab to add files to it by clicking **Upload**.

![Alibaba Object Storage Service New Bucket window](/img/alibaba-object-storage-service-add-file.png)

You can make the files externally accessible by selecting the **Public Read** option for the bucket or you can use the **Inherited from Bucket** option next to each of the files.

### Setting up Fastly to use OSS as an origin

To add your OSS bucket as an origin, follow the instructions for [working with hosts](https://www.fastly.com/documentation/guides/getting-started/hosts/working-with-hosts). You'll add specific details about your origin server.

1. On the **Origins** page, click **Create Host** and enter the appropriate address for your Host using the format `<bucket name>.<region>.aliyuncs.com`. For example, if your bucket name is `test123` and your region is Beijing (e.g., `oss-cn-beijing`), your hostname would be `test123.oss-cn-beijing.aliyuncs.com`. You can also find the hostname on the Bucket Overview page in the **Bucket Domain Name** area.
2. Click on the newly created Host to edit it.
3. In the **Name** field, enter a descriptive name for your service (e.g., `Alibaba Object Storage`).
4. If the **Address** field doesn't contain the `<bucket name>.<region>.aliyuncs.com` hostname you provided in the first step, enter it now.
5. Fill out the **Transport Layer Security (TLS)** area fields as follows:
   - Leave the **Enable TLS?** default set to **Yes** to secure the connection between Fastly and your origin.
   - Leave the **Verify certificate?** default set to **Yes**.
   - Set the **Certificate hostname** field to the same address that appears in the Address field (e.g., `test123.oss-cn-beijing.aliyuncs.com`).
   - In the **SNI hostname** field, select the checkbox to **Match the SNI hostname to the Certificate hostname**. The hostname address you entered during Host creation appears.
6. From the **Shielding** menu below the TLS area, select a Fastly POP near the Alibaba region from the list of shielding locations.
7. In the **Override host** field, enter an appropriate address for your Host (e.g., `test123.oss-cn-beijing.aliyuncs.com`). You entered this information during Host creation.

Review our [caveats of shielding](https://www.fastly.com/documentation/guides/getting-started/hosts/shielding#caveats-of-shielding) and select a [shield POP](https://www.fastly.com/documentation/guides/concepts/shielding/#choosing-a-shield-location) accordingly.

## Using OSS with private objects

To use Fastly with OSS private objects, be sure you've already made your OSS data available to Fastly by [pointing to the right OSS bucket](https://www.fastly.com/documentation/guides/integrations/non-fastly-services/alibaba-object-storage-service#setting-up-fastly-to-use-oss-as-an-origin), then follow the steps below.

### Setting up a private bucket and sub user

Setting up a private bucket is the same as setting up a public bucket, except you select the **Private** option in the **Access Control List (ACL)** area of the OSS bucket settings.

You'll need an **AccessKey ID** and **Access Key Secret**. These can be linked to your account by clicking on your avatar in the top right corner of the Alibaba Cloud Console, selecting **Access Key**, and then creating a new key. Since this key has full access to the account, we recommend following Alibaba's procedure for creating a sub user. Follow the steps below.

1. Navigate to the [Resource Access Management (RAM)](https://www.alibabacloud.com/product/ram) page.

2. Click **Users**.

3. Click **Create User**.

4. Enter an appropriate **Logon Name** and **Display Name**.

5. Select the **Programmatic Access** checkbox to enable access through the Alibaba API.

   ![Alibaba Cloud Create RAM User](/img/alibaba-object-storage-create-ram-user.png)

6. Click **OK**.

7. Copy the **AccessKeyId** and **AccessKeySecret**. You'll need these later when you're [creating an Authorization header](https://www.fastly.com/documentation/guides/integrations/non-fastly-services/alibaba-object-storage-service#creating-the-authorization-header).

8. Go back to the bucket overview, click **Files** and then click **Authorize**. You should see a list of authorized users. If this is a new bucket it should be empty.

9. Click **Authorize**, filling out the fields as follows:
   - From the **Applied To** menu, select the **Whole Bucket** option. You can select **Specified Resources**, but this may lead to unexpected errors later if you don't update the permissions with new files.
   - From the **Accounts** menu, select **RAM Users** and then use the menu to select your newly created RAM user.
   - From the **Authorized Operation** menu, select **Read Only**.
   - You can leave **Condition** blank or customize it, for example by setting **IP =** to [Fastly's IP ranges](https://www.fastly.com/documentation/reference/api/utils/public-ip-list/) or by setting **Access Method** to **HTTPS**.

### Setting up Fastly to use OSS private content

To use OSS private content with Fastly, you'll need to create two [headers](https://www.fastly.com/documentation/guides/full-site-delivery/headers/adding-or-modifying-headers-on-http-requests-and-responses): a Date header (required for the authorization signature) and a Host header. You'll also need to add some authorization parameters.

#### Creating a Date header

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Click **Edit configuration** and then select the option to clone the active version.

4. Click **Content**.

5. Click **Create header**.

   ![creating a Date header via the new header page](/img/create-new-date-header.png)

6. Fill out the **Create a new header** fields as follows:
   - In the **Name** field, enter `Date`.
   - From the **Type** menu, select **Request**, and from the **Action** menu, select **Set**.
   - In the **Destination** field, enter `http.Date`.
   - In the **Source** field, enter `var.ali_expires`.
   - From the **Ignore if set** menu, select **No**.
   - In the **Priority** field, enter `19`.

7. Click **Create**. A new Date header appears on the Content page. You will use this later within the signature of the Authorization header.

#### Creating a Host header

1. Click **Create header**.
2. Fill out the **Create a new header** fields as follows:
   - In the **Name** field, enter `Date`.
   - From the **Type** menu, select **Request**, and from the **Action** menu, select **Set**.
   - In the **Destination** field, enter `http.Host`.
   - In the **Source** field, enter `"<your OSS domain>"`.
   - From the **Ignore if set** menu, select **No**.
   - In the **Priority** field, enter `19`.
3. Click **Create**. A new Host header appears on the Content page.

#### Creating the Authorization header

1. Click **Create header** again to create another new header.

   ![creating an Authorization header via the header page](/img/create-authorization-header-alibaba-oss.png)

2. Fill out the **Create a header** fields as follows:
   - In the **Name** field, enter `Authorization`.
   - From the **Type** menu, select **Request**, and from the **Action** menu, select **Set**.
   - In the **Destination** field, enter `url`.
   - From the **Ignore if set** menu, select **No**.
   - In the **Priority** field, enter `20`.

3. In the **Source** field, enter the Authorization header information using the following format:

   ```plain
   req.url.path "?" "OSSAccessKeyId=<your access key ID>" "&" "Signature=" urlencode(digest.hmac_sha1_base64("<your access key secret>", if(req.method == "HEAD", "GET", req.method) LF LF LF req.http.Date LF "/<your bucket name>" req.url.path)) "&" "Expires=" var.ali_expires
   ```

   Replace `<your access key ID>`, `<your access key secret>`, and `<your bucket name>` with the information you gathered before you began. For example:

   ```plain
   req.url.path "?" "OSSAccessKeyId=AOSSdecafbad" "&" "Signature=" urlencode(digest.hmac_sha1_base64("AOSSdeadbeef", if(req.method == "HEAD", "GET", req.method) LF LF LF req.http.Date LF "/test123" req.url.path)) "&" "Expires=" var.ali_expires
   ```

4. Click **Create**. A new Authorization header appears on the Content page.

5. From the **Activate** menu, select **Activate on Production** to deploy your configuration changes.

### Setting up Fastly to use OSS private content using VCL snippets

You can also put the configuration in a [VCL Snippet](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/vcl-snippets/about-vcl-snippets) with a priority of `20`.

```perl
# Local variables used to build the signed OSS request.
declare local var.ali_bucket STRING;
declare local var.ali_region STRING;
declare local var.ali_access_key_id STRING;
declare local var.ali_access_key_secret STRING;
declare local var.ali_expires INTEGER;
declare local var.ali_canon STRING;
declare local var.ali_sig STRING;

# Replace these sample values with your bucket, region, and sub user's key pair.
set var.ali_bucket = "test123";
set var.ali_region = "oss-cn-beijing";
set var.ali_access_key_id = "decafbad";
set var.ali_access_key_secret = "deadbeef";
# The signed URL expires 60 seconds from now.
set var.ali_expires  = std.atoi(now.sec);
set var.ali_expires += 60;

set req.http.Host = var.ali_bucket "." var.ali_region ".aliyuncs.com";
set req.http.Date = var.ali_expires;
# String to sign: method (HEAD is signed as GET), empty Content-MD5 and
# Content-Type lines, the expiry time, then "/<bucket><path>".
set var.ali_canon = if(req.method == "HEAD", "GET", req.method) LF LF LF
                    req.http.Date LF "/" var.ali_bucket req.url.path;
set var.ali_sig   = digest.hmac_sha1_base64(var.ali_access_key_secret, var.ali_canon);

# Drop the client's query string, then append the signing parameters.
set req.url       = req.url.path;
set req.url       = querystring.set(req.url, "OSSAccessKeyId", var.ali_access_key_id);
set req.url       = querystring.set(req.url, "Signature",  var.ali_sig);
set req.url       = querystring.set(req.url, "Expires",  var.ali_expires);
```
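To check a signature mismatch offline, the following added example (not Fastly's or Alibaba's code) reproduces the string to sign and the query parameters that the snippet above builds, then models the recomputation a checker performs. The function names are hypothetical, the key values are the page's sample placeholders, and the path is assumed to be plain ASCII that needs no extra encoding.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values, matching the placeholders used on this page.
BUCKET = "test123"
REGION = "oss-cn-beijing"
ACCESS_KEY_ID = "decafbad"
ACCESS_KEY_SECRET = "deadbeef"


def canonical_string(method, bucket, path, expires):
    """Mirror var.ali_canon: HEAD is signed as GET; the two empty lines are
    the unused Content-MD5 and Content-Type fields."""
    verb = "GET" if method == "HEAD" else method
    return f"{verb}\n\n\n{expires}\n/{bucket}{path}"


def sign(secret, canon):
    """Mirror digest.hmac_sha1_base64(secret, canon)."""
    mac = hmac.new(secret.encode(), canon.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signed_url(method, path, now, ttl=60):
    """Build the origin URL: the path plus the three signing parameters."""
    expires = now + ttl
    sig = sign(ACCESS_KEY_SECRET, canonical_string(method, BUCKET, path, expires))
    # Base64 output can contain '+', '/' and '=', so it is URL-encoded here.
    query = (f"OSSAccessKeyId={ACCESS_KEY_ID}"
             f"&Signature={quote(sig, safe='')}&Expires={expires}")
    return f"https://{BUCKET}.{REGION}.aliyuncs.com{path}?{query}"


def verify(method, url, now):
    """Local model of the check: reject expired URLs, then recompute the
    signature and compare it in constant time."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    expires = int(params["Expires"][0])
    if now > expires:
        return False
    canon = canonical_string(method, BUCKET, parts.path, expires)
    return hmac.compare_digest(sign(ACCESS_KEY_SECRET, canon), params["Signature"][0])
```

Because the signature covers the method, expiry, bucket, and path, a URL signed for one object fails verification for any other object or after the 60-second window.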

> **NOTE:**
>
> This article describes how to configure an integration with a service provided by a third party. As stated in our [Terms of Service](https://www.fastly.com/terms), we do not provide direct support for non-Fastly services.

## Related content

- [Working with hosts](https://www.fastly.com/documentation/guides/getting-started/hosts/working-with-hosts)
- [Creating request headers](https://www.fastly.com/documentation/guides/full-site-delivery/headers/adding-or-modifying-headers-on-http-requests-and-responses)
- [Alibaba Object Storage code example](https://www.fastly.com/documentation/solutions/examples/alibaba-oss-private/)
