Access OSS resources over HTTPS

Overview

Alibaba Cloud Object Storage Service (OSS) lets you access resources in a bucket over both HTTP and HTTPS. Because HTTP is vulnerable to security risks, we recommend using HTTPS to access your OSS resources.

Methods

Choose one of the following methods to access OSS resources over HTTPS, based on your environment:

Important
  • Before you perform high-risk operations, such as modifying instance configurations or data, ensure your instance has adequate disaster recovery and fault tolerance capabilities to protect your data.

  • Before you modify the configurations or data of an instance, such as an ECS or ApsaraDB RDS instance, we recommend creating a snapshot or enabling features such as ApsaraDB RDS log backup.

  • If you have granted permissions or submitted sensitive information, such as usernames and passwords, in the Alibaba Cloud Management Console, we recommend changing them as soon as possible.

Use an OSS-provided domain name

OSS provides domain names that support HTTPS access. To view them, log on to the OSS console. In the left-side navigation pane, click Buckets. Click the name of the target bucket. On the Overview page, find the Port section to see the bucket's domain names and their HTTPS support status.

When you access the URL, a lock icon in your browser's address bar indicates an active HTTPS connection. Click the lock icon to view the certificate information. If the certificate is valid and issued to *.oss.aliyuncs.com, HTTPS access is configured correctly.

Note

OSS-provided domain names have a limitation: when you use them to access content like images or static HTML, the resources are downloaded directly instead of being displayed in the browser. To avoid this behavior, we recommend mapping a custom domain name to your bucket.

Map a custom domain name to a bucket

You can map a custom domain name to a bucket. For more information, see Map custom domain names. You can also enable certificate hosting for the mapped domain name to support access over HTTPS. For more information, see Access OSS over HTTPS.

Note

To enforce HTTPS for all requests to a bucket, configure a Bucket Policy. For more information, see Configure an HTTPS request and a certificate.

Accelerate OSS access with Alibaba Cloud CDN

Alibaba Cloud CDN supports HTTPS. You can use it to accelerate access to your OSS resources by configuring a certificate for the accelerated domain name.

Configure a reverse proxy

Install NGINX on an ECS instance and configure a reverse proxy to enable HTTPS access. For more information, see Configure an ECS reverse proxy for OSS on CentOS.

Troubleshoot HTTPS access issues

If you encounter issues when accessing OSS resources over HTTPS, use the following methods to troubleshoot:

  1. In your browser, verify that the certificate matches the domain name you are using. Check for mismatches, especially when using an OSS-provided or accelerated domain name.

  2. If your browser displays an error message indicating that the connection was terminated, check if an HTTPS certificate is configured for the domain name. Then, use the telnet command to test connectivity to port 443.
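The two troubleshooting steps above can be scripted so that the failure is classified as a TCP problem, a TLS handshake problem, or a certificate name mismatch. This is an added example, not Alibaba Cloud code; the function names (name_matches, cert_names, diagnose) are hypothetical, and the hostname to check is supplied by you on the command line.

```python
import socket
import ssl


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """DNS names in a dict shaped like SSLSocket.getpeercert() output."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy certificates without a SAN extension: fall back to the CN.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def diagnose(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Classify the failure: TCP reachability, TLS handshake, or name mismatch."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"tcp-failed: {exc}"  # same signal as a failed telnet to 443
    ctx = ssl.create_default_context()
    # Diagnostic only: the chain is still verified, but names are compared
    # below so that a mismatch can be reported with the names actually served.
    ctx.check_hostname = False
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            names = cert_names(tls.getpeercert())
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return f"tls-failed: {exc}"  # e.g. no certificate bound, or untrusted chain
    if any(name_matches(n, host) for n in names):
        return "ok"
    return f"name-mismatch: certificate covers {names}"


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1]))
```

A "name-mismatch" result on a custom or accelerated domain means the endpoint is still serving a certificate for a different name, so a certificate for your own domain has to be configured on it.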

References

To authorize users to access specific resources over HTTPS, see Use a Bucket Policy to grant users access to specified resources.