If the origin server for your accelerated domain is a private Object Storage Service (OSS) bucket, you can use access authentication to prevent unauthorized traffic consumption. In this scenario, we recommend enabling back-to-origin access to the private bucket for your accelerated domain. This allows Alibaba Cloud CDN or Edge Security Acceleration (ESA) to accelerate resources from the private OSS bucket. After videos are uploaded to OSS, the live transcoding feature enables playback across various devices and network environments. To increase the speed and efficiency of live transcoding, you can accelerate it with Alibaba Cloud CDN, which reduces OSS bandwidth usage and lowers the load on your origin server.
Use cases
This solution is ideal for delivering popular videos. By using the caching and distribution capabilities of Alibaba Cloud CDN, you can reduce the load on your origin server, such as an OSS bucket, lower your bandwidth costs, and provide viewers with a fast and stable playback experience.
Prerequisites
- You have completed account registration and real-name verification for Alibaba Cloud.
- You have activated Alibaba Cloud CDN and configured live transcoding.
- You have configured back-to-origin access for the private OSS bucket you plan to use.
Procedure
Step 1: Use Resource Access Management (RAM) to enable CDN back-to-origin access to a private OSS bucket
When you configure back-to-origin for a private OSS bucket, the system prompts you to grant CDN access to your cloud resources and automatically creates the AliyunCDNAccessingPrivateOSSRole role in Resource Access Management (RAM). You need to modify the policy of the AliyunCDNAccessingPrivateOSSRole role in RAM to grant CDN permissions to access Intelligent Media Management (IMM).
You can grant either full access or fine-grained permissions.
- To grant full access to IMM and OSS, find the AliyunCDNAccessingPrivateOSSRole role in the RAM console. On the Permissions tab for the role, add the AliyunIMMFullAccess and AliyunOSSFullAccess system policies.
- To grant fine-grained permissions to the AliyunCDNAccessingPrivateOSSRole role, create a custom policy. For more information, refer to the policy documentation. The following example shows a policy named aliplayer-test that grants the minimum required permissions for IMM and OSS. After you add the policy, the custom policy aliplayer-test appears on the role's Permissions tab, with a resource scope at the account level.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PostProcessTask",
        "oss:ProcessImm"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "imm:GenerateVideoPlaylist",
        "imm:LiveTranscoding"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
    }
  ],
  "Version": "1"
}
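The following Python check is an added example, not part of the original page or of Alibaba Cloud's tooling. It compares a policy attached to AliyunCDNAccessingPrivateOSSRole against the action set of the aliplayer-test policy above and reports wildcard actions, wildcard resources, and actions outside that set. The helper name audit_policy, the finding labels, and the OVERBROAD sample are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Action set copied from the aliplayer-test policy on this page.
REQUIRED = {
    "oss:GetObject", "oss:PostProcessTask", "oss:ProcessImm",
    "imm:GenerateVideoPlaylist", "imm:LiveTranscoding", "ram:PassRole",
}

def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Hypothetical helper: return (findings, missing_actions) for a policy dict."""
    findings, granted = [], set()
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # Required actions that this (possibly wildcard) entry covers.
            covered = {r for r in REQUIRED if fnmatchcase(r, action)}
            granted |= covered
            if "*" in action:
                findings.append((idx, "wildcard-action", action))
            elif not covered:
                findings.append((idx, "extra-action", action))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((idx, "wildcard-resource", "*"))
    return findings, sorted(REQUIRED - granted)

# The page's policy, embedded so the example runs offline.
PAGE_POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow",
   "Action": ["oss:GetObject", "oss:PostProcessTask", "oss:ProcessImm"],
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["imm:GenerateVideoPlaylist", "imm:LiveTranscoding"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": "ram:PassRole",
   "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"}
 ], "Version": "1"}
""")

# Constructed sample of an over-broad grant (not a copy of any system policy).
OVERBROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*", "oss:DeleteObject"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("aliplayer-test", PAGE_POLICY), ("overbroad", OVERBROAD)):
        print(name, *audit_policy(doc), sep="\n  ")
```

For the page's policy the check reports no missing actions and flags the two statements whose Resource is "*", which are the places to review if you want to narrow the grant to specific resources.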
Step 2: Configure live transcoding for back-to-origin requests
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find your domain name and click Manage.
- In the left-side navigation pane for the domain, click Rules Engine.
- On the Rules Engine page, click Add Rule and create a rule that matches files with the ".ts" extension.
  Note: If your bucket also contains .ts files that are not from live transcoding, add a file path condition to make your rule more specific.
- In the left-side navigation pane for your domain, click **Back-to-Origin**. On the Parameter Rewrite page, enable the feature switch. Add a parameter and set its value to x-oss-process=if_status_eq_404{hls/ts}. For the Rule Condition, select the rule you just created.
Trigger live transcoding through Alibaba Cloud CDN
Because you configured a back-to-origin parameter for .ts files, you do not need to add the hls/sign parameter to the M3U8 file URL. You can directly use the CDN domain name followed by the path to the M3U8 file to trigger live transcoding. For more details, see the live transcoding documentation.
You must use a browser or player that supports HTTP Live Streaming (HLS), such as VLC media player, to access the M3U8 file.