Aliyun OSS anti-sealing: build high-performance object storage from zero to one
In the mobile Internet and high concurrent architecture, the traditional server local file storage scheme has been stretched. Whether it is pictures, videos, APK and IPA format installation packages, directly stuffed into the server hard disk will not only drain the bandwidth, but also cause the core business to shut down due to a single point of failure.
Alibaba Cloud Object Storage (Object Storage Service, abbreviated
Alibaba Cloud OSS
), with its massive, secure, low-cost and high-reliability features, has become the mainstream cloud storage solution. This article abandons all the official grand slangs and nonsense, and starts directly from the actual combat, taking you from zero to one to build your own.
Alibaba Cloud OSS
Storage system, and for industry pain points, in-depth analysis of high-risk files (such as APK/IPA) anti-sealing and security policies.
1. core concepts: 3 words you must understand before you do it
Don't be scared by the cumbersome console interface, play around
Alibaba Cloud OSS
, you only need to understand the three core concepts:
Bucket (storage space): equivalent to the "root directory" or "top-level folder" in your network disk ". The name of each bucket is unique across the network. You need to set its region and access permissions here.
Object (object/file): Is the specific data you upload, including file content (Data) and metadata (Metadata). In OSS, there is no real concept of "folder". The so-called folder is just a virtual path combined with slashes (such as images/photo.png).
Endpoint (access domain name): the external or internal network access address provided by OSS for each region. Your application to upload or download files needs to point to this domain name.
2. practical exercise: 5 minutes to complete OSS from creation to use
Step 1: Create a Bucket
Log on to the Alibaba Cloud console and search for Object Storage Service (OSS) ".
Click Bucket List-> Create Bucket ".
Key points for configuration: Bucket name: Custom. It must be globally unique. Region: Select the region closest to your business server (for example, East China 1-Hangzhou). If the server and OSS are in the same region, subsequent transmission can be made through the intranet, which is extremely fast and free of traffic charges. Read and Write Permission (ACL): If you want to store system private logs and backup data, select Private (Private). If it is to store website pictures, App static resources, or publicly downloaded installation packages, select Public Read (Public Read)(write permission is still private, only you can upload, everyone can download).
Step 2: Get the API Key (AccessKey)
Never use your Aliyun primary account key directly in the code! This is an extremely dangerous act of thunder.
Under control
Click on the avatar in the upper right corner of the station and select AccessKey management.
We recommend that you create a RAM sub-account and grant the RAM sub-account only the permission to AliyunOSSFullAccess (manage Object Storage Service).
Save the generated AccessKey ID and AccessKey Secret, which are the only credentials for you to connect to OSS with code or tools.
Step 3: Visual management tool recommendation
Although you can upload files through the web console, for developers and operators, it is recommended to use the official
ossbrowser
The desktop client. Enter the sub-account AccessKey just now to upload, download, and manage directories in batches just like operating a local network disk.
3. Advanced Dead Cave: APK and IPA File's "Anti-Sealing" Technical Architecture
Many developers will
Alibaba Cloud OSS
Used to distribute mobile applications (Android APK package and iOS IPA package). However, downloading these packages directly and publicly using the OSS default domain name can easily trigger two wind control pain points:
WeChat/QQ and other social software interception (report poison, prompt unofficial download channels).
Operator hijacking and malicious reporting led to the ban of OSS domain names.
How to be efficient
Alibaba Cloud OSS anti-sealing
,
Alibaba Cloud Storage APK Anti-Sealing
and also
Alibaba Cloud OSS IPA anti-sealing
? The following are the industry standard industrial-grade pit avoidance and protection programs:
1. Cut off the default domain name and bind a custom independent domain name.
Rule: Never expose the * .oss-cn-xxx.aliyuncs.com domain name automatically generated by OSS to the front end of the product.
Alibaba Cloud's official control of the default domain name is extremely strict. Once your APK or IPA is maliciously reported, or triggers the green network interception of Tencent and other major factories, Aliyun will directly ban or restrict the access of the default domain name in order to protect the security of the entire cluster, and even force the download of some large files to be converted into attachment preview, which directly causes the App to be unable to update or download.
Solution: Prepare an independent second-level domain name (such as download.yourdomain.com) that has been filed, bind the domain name in "Transmission Management"-> "Domain Name Management" in the OSS console, and configure the CNAME resolution provided by Aliyun. In this way, all the download traffic goes to your own domain name.
2. Configure CDN acceleration: hide OSS source station and anti-brush
If the custom domain name is directly connected to OSS, not only the download speed is limited by the user's bandwidth, but also the replacement cost is extremely high once the domain name is hijacked or blocked.
Isolation protection: Add a layer of Alibaba Cloud CDN between the custom domain name and OSS. All download requests of users are requested to CDN nodes, and CDN sends them to O
SS back to the source.
Anti-blocking logic: Even if the domain name is blocked by walls in some areas or within WeChat, you only need to replace a new shadow domain name on the CDN side or smoothly switch alternate domain names, while your APK/IPA resources of hundreds of GB and TB in OSS do not need to be moved at all. This achieves Alibaba Cloud OSS anti-blocking of core data assets.
3. Environmental judgment for WeChat/QQ blocking (anti-masking strategy)
No matter what
Alibaba Cloud Storage APK Anti-Ban
Still
Alibaba Cloud OSS IP address anti-blocking
The most common scenario is that users cannot download it by clicking on a link in WeChat.
APK (Android) anti-sealing scheme: add judgment logic to the front-end download page. If WeChat's built-in browser is opened, use the code to trigger the "jump prompt" and force the three points in the upper right corner to select "open in browser". A more advanced approach is to configure dynamic Headers and use Content-Disposition: attachment; filename = "xxx.apk" to trigger the automatic wake-up external browser download mechanism of some Android systems.
IPA (Apple) anti-blocking scheme: iOS IPA downloads rely on the itms-services:// protocol and a special plist configuration file. Since WeChat completely blocks the protocol, you must host plist files and IPA packages on OSS configured with HTTPS, and also adopt the strategy of guiding users to jump out of WeChat and open Safari browser. Safari browser has native parsing and pull-up installation capabilities for compliant self-signed or enterprise-signed IPA.
4. Dynamic URL and anti-theft chain (to avoid malicious brush traffic)
APK/IPA package volume is usually large (tens of M to hundreds of M). If the download address is fixed and public, it is easy for competitors to use scripts to maliciously swipe traffic, resulting in huge OSS traffic bills.
Protection measures: open Referer anti-theft chain on OSS or CDN side, and only allow specific embedded web pages or specific App sources to request download. Use URL signature (STS temporary certificate with expiration time). The download link is not static, but the backend is dynamically generated according to user Session, for example.../app.apk?OSSAccessKeyId = xxx & Expires = 1700000000 & Signature = xxx. The link automatically fails after 5 or 10 minutes, completely eliminating the risk of malicious grabbing, crazy brushing or even tampering with the installation package address.
4. Summary and Best Practice checklist
Build a highly available and seal-proof
Alibaba Cloud OSS
The storage system does not simply transfer the file to the end.
Check your schema against the following checklist:
[] Permission isolation: Is the RAM sub-account used instead of the master account?
[] Regional intranet: Is the ECS server and OSS in the same region? (Ensure that the source goes through the intranet, with fast speed and zero traffic fee)
[] Anti-seal Architecture: Is a custom domain name bound? Is CDN acceleration prepended?
[] Targeted protection: For the distribution of APK and IPA, has the front-end done a good job of jumping out of social software such as WeChat? Has the download link done a signature anti-brush restriction?
Doing a good job of these underlying designs can not only make your application distribution as fast as lightning, but also ensure the continuous stability and high availability of your business in a complex and harsh network risk control environment.
