TL;DR
- Scenario: Enterprises and individuals migrating images/audio/video/static resources to Aliyun OSS need stable operations and cost control
- Conclusion: Configure precisely by region and permissions, combine hotlink protection/CNAME/logs to balance availability and cost
- Output: A deployable error quick reference covering common configurations and troubleshooting
Basic Introduction
Alibaba Cloud Object Storage Service (OSS) is a massive, secure, low-cost, highly reliable cloud storage service provided by Alibaba Cloud. Its design data durability is no less than 99.9999999999% (12 nines), and its design service availability (business continuity) is no less than 99.995%.
Basic Concepts
Storage Space (Bucket)
A storage space (Bucket) is the container in which users store Objects; every Object belongs to exactly one Bucket.
Naming Rules:
- Can only include lowercase letters, numbers, and hyphens
- Must start and end with a lowercase letter or number
- Length must be between 3-63 bytes
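The three naming rules above can be checked before calling the API so that a bad name fails locally rather than as a 400/409 from OSS. The validator below is an added example written for this page, not code from Alibaba Cloud or its SDKs; it reports every violated rule rather than stopping at the first one, and the sample names are constructed.

```python
import re

# Pattern form of the rules: lowercase letters, digits and hyphens only,
# first and last character must be a letter or digit, total 3-63 characters.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def check_bucket_name(name: str) -> list:
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    size = len(name.encode("utf-8"))  # the limit is stated in bytes, so measure bytes
    if not 3 <= size <= 63:
        problems.append(f"length is {size} bytes, must be 3-63")
    if re.search(r"[^a-z0-9-]", name):
        problems.append("only lowercase letters, digits and hyphens are allowed")
    if name and (name[0] == "-" or name[-1] == "-"):
        problems.append("must start and end with a lowercase letter or digit")
    return problems


def is_valid_bucket_name(name: str) -> bool:
    """Single-shot check; equivalent to check_bucket_name(name) == []."""
    return BUCKET_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed sample names covering each rule.
    for candidate in ["my-assets", "My-Assets", "-assets", "ab", "my_assets", "a" * 64]:
        print(candidate, "->", check_bucket_name(candidate) or "ok")
```

Note that the regex and the itemised checker agree on every input; the checker is the one to surface in a CLI or CI step because it tells the operator which rule was broken.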
Object/File (Object)
An Object is the basic unit of data storage in OSS, also called an OSS file. An Object consists of metadata (Object Meta), user data (Data), and a name (Key).
Region
Denotes the physical location of the OSS data center. Choose the Region for a Bucket based on cost and on where requests originate; a Bucket's Region is fixed at creation and cannot be changed afterwards.
Feature Details
Object External Link Address
If the Bucket ACL is public-read, anyone can read its Objects anonymously. The external link address is composed as follows (HTTPS uses the same layout):
http://<your-bucket-name>.<data-center-service-domain>/<your-object-name>
Hotlink Protection
OSS supports hotlink protection based on the Referer field of the HTTP request headers. Because the Referer is set by the client, this deters casual embedding of your resources on other sites; it is not an access control, and a caller who sets the header freely can bypass it.
Details Analysis:
- Referer verification is performed only for anonymous access and for access via signed URL
- One Bucket can carry multiple Referer entries; in the configuration they are separated by newlines
- Referer entries support the wildcards `*` (any run of characters) and `?` (exactly one character)
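To make the three rules concrete, here is a simulation of the Referer check as an added example for this page (it is not OSS code, and the constructed whitelist and requests below are assumptions). It parses a newline-separated whitelist, translates `*` and `?` into a regular expression, and decides each request the way the quick reference rows for 403 describe; the `allow_empty` flag stands for the console option that permits requests carrying no Referer (direct browser visits, curl, some clients).

```python
import re
from typing import List, Optional

# Constructed whitelist in the console's newline-separated form.
DEMO_WHITELIST_TEXT = """
https://www.example.com/*
https://*.example.com/*
http://app?.example.com/*
"""


def parse_whitelist(text: str) -> List[str]:
    """Split the console text box into entries, ignoring blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate the OSS wildcards: * -> any run of characters, ? -> one character.
    Everything else is matched literally, so '.' in a host name stays a dot."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


def referer_allowed(referer: Optional[str], whitelist: List[str], allow_empty: bool) -> bool:
    """Decision for one request. Assumption: each entry is matched against the whole
    Referer value, so entries end in '/*' to accept a path."""
    if not referer:
        return allow_empty
    return any(glob_to_regex(entry).fullmatch(referer) for entry in whitelist)


def decide(referer: Optional[str], whitelist: List[str], allow_empty: bool) -> int:
    """HTTP status the simulated check would produce."""
    return 200 if referer_allowed(referer, whitelist, allow_empty) else 403


if __name__ == "__main__":
    wl = parse_whitelist(DEMO_WHITELIST_TEXT)
    # Constructed requests: a legitimate page, a subdomain, an attacker's page, no Referer.
    for ref in ["https://www.example.com/index.html", "https://cdn.example.com/a.jpg",
                "https://www.evil.com/", None]:
        print(repr(ref), "->", decide(ref, wl, allow_empty=False))
```

Two things worth noticing when you run it: `http://app?.example.com/*` accepts `app1` but not `app12`, because `?` is exactly one character; and a leading `*` in the host part is matched as plain "any characters", so the entry `https://*.example.com/*` also accepts `https://evil.com/?x=.example.com/`. Whether the real service anchors the wildcard to the host is something to confirm against the OSS documentation before relying on it; either way, the Referer is client-controlled, so treat the whitelist as cost control rather than access control and use signed URLs for anything that must stay private.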
Custom Domain (CNAME)
OSS supports binding a custom domain name to a Bucket. After the binding is created in the console, the domain's DNS record must point (via CNAME) at the Bucket's regional endpoint, and a certificate must be deployed if the domain is served over HTTPS.
Error Quick Reference
| Symptom | Root Cause | Diagnosis | Fix |
|---|---|---|---|
| 403 Forbidden (anonymous external link access denied) | Referer not in whitelist/empty Referer not allowed | Console Permissions → Hotlink Protection | Add domain to whitelist or use signed URL |
| 403 AccessDenied (cannot read object) | Bucket is private and request is not signed | Console ACL | Generate a server-side signed URL; change the ACL to public-read only if the content is genuinely public |
| 403 SignatureDoesNotMatch | Client clock drift, or StringToSign built incorrectly (CanonicalizedOSSHeaders/CanonicalizedResource, method, Expires) | Packet capture and compare StringToSign on both sides | NTP time sync; rebuild the signature string field by field |
| 301 PermanentRedirect / 404 NoSuchBucket | Wrong Endpoint or Region for the Bucket | Console: check the Bucket's Region | Switch to the correct regional Endpoint |
| 409 BucketAlreadyExists | Name globally unique conflict | Create return code | Change to globally unique name |
| Custom domain 404/certificate error | CNAME record not yet in effect, or domain not bound to the Bucket | nslookup the domain; inspect the certificate chain in the browser | Complete the console binding, point the CNAME at the regional endpoint, deploy the certificate |
| Outbound traffic cost surge | Hotlinking, or hot resources served without a cache | Analyse the access logs by Referer and Key | Enable hotlink protection; put a CDN cache in front of the Bucket |
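The two 403 rows about signing, and the public external-link format above, can be reproduced offline. The block below is an added example for this page, not Alibaba Cloud SDK code: it builds the external link, produces an OSS V1-style signed GET URL (StringToSign = VERB, Content-MD5, Content-Type, Expires, CanonicalizedOSSHeaders and CanonicalizedResource joined by newlines, HMAC-SHA1 with the AccessKey Secret, base64), and then performs the check the server side would do so that clock drift, a wrong secret and a tampered Key each map to the error in the table. The AccessKey pair, bucket name and endpoint are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed credentials for the example only; never embed real AccessKeys in code.
DEMO_KEY_ID = "LTAI5tExampleKeyId"
DEMO_SECRET = "ExampleSecretDoNotUse1234567890"
BUCKET = "my-assets"
ENDPOINT = "oss-cn-hangzhou.aliyuncs.com"  # assumed regional endpoint


def public_url(bucket, endpoint, key, scheme="https"):
    """External link address for a public-read bucket: <bucket>.<endpoint>/<key>."""
    return f"{scheme}://{bucket}.{endpoint}/{quote(key, safe='/')}"


def string_to_sign(method, expires, bucket, key, content_md5="", content_type="", oss_headers=None):
    """V1 URL-signing StringToSign. For a plain GET the MD5 and Content-Type lines are empty."""
    headers = oss_headers or {}
    canonical_headers = "".join(
        f"{k.lower()}:{v}\n" for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())
    )
    canonical_resource = f"/{bucket}/{key}"  # object key unencoded here
    return f"{method}\n{content_md5}\n{content_type}\n{expires}\n{canonical_headers}{canonical_resource}"


def compute_signature(secret, sts):
    return base64.b64encode(hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()).decode()


def sign_url(key_id, secret, bucket, endpoint, key, expires_in=600, now=None, scheme="https"):
    """Signed GET link. Expires is absolute epoch seconds computed from the *client* clock,
    which is exactly why clock drift produces spurious 403s."""
    expires = int(time.time() if now is None else now) + expires_in
    sig = compute_signature(secret, string_to_sign("GET", expires, bucket, key))
    return (f"{public_url(bucket, endpoint, key, scheme)}"
            f"?OSSAccessKeyId={quote(key_id, safe='')}&Expires={expires}&Signature={quote(sig, safe='')}")


def verify_signed_url(url, key_id, secret, bucket, endpoint, now):
    """Simplified server-side check; returns 'ok' or an OSS-style error code."""
    parts = urlsplit(url)
    if parts.hostname != f"{bucket}.{endpoint}":
        return "NoSuchBucket"
    q = parse_qs(parts.query)
    try:
        presented_id = q["OSSAccessKeyId"][0]
        expires = int(q["Expires"][0])
        presented_sig = q["Signature"][0]
    except (KeyError, ValueError):
        return "AccessDenied"
    if presented_id != key_id:
        return "InvalidAccessKeyId"
    if now > expires:
        return "AccessDenied"  # an expired link is refused before the signature is checked
    key = unquote(parts.path[1:])
    expected = compute_signature(secret, string_to_sign("GET", expires, bucket, key))
    if not hmac.compare_digest(expected, presented_sig):
        return "SignatureDoesNotMatch"
    return "ok"


if __name__ == "__main__":
    client_clock = 1_700_000_000
    link = sign_url(DEMO_KEY_ID, DEMO_SECRET, BUCKET, ENDPOINT, "img/logo.png", now=client_clock)
    print(link)
    print("fresh:", verify_signed_url(link, DEMO_KEY_ID, DEMO_SECRET, BUCKET, ENDPOINT, client_clock + 60))
    # Client clock 700 s behind the server: the 600 s link is already expired on arrival.
    print("drift:", verify_signed_url(link, DEMO_KEY_ID, DEMO_SECRET, BUCKET, ENDPOINT, client_clock + 700))
```

When debugging a real SignatureDoesNotMatch, print `string_to_sign(...)` on the client and compare it line by line with what the SDK or packet capture shows; almost every mismatch is a missing newline, a header not lowercased, or an encoded Key in CanonicalizedResource where the raw Key belongs.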