Updated on 2024-08-08 GMT+08:00

Getting Started

(Optional) Modifying Security Group Rules

A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC.

You can modify security group rules, for example, by adding, modifying, or deleting a TCP port, as follows:

  • Adding a security group rule: Add an inbound rule to enable a TCP port if needed.
  • Modifying a security group rule: Inappropriate security group settings can be a serious security risk. You can modify a security group rule to ensure network security of your ECSs.
  • Deleting a security group rule: If the source or destination IP address of an inbound or outbound security group rule changes, or a port needs to be disabled, delete the security group rule.

(Optional) Configuring an OBS Bucket Policy

If your bucket is public read or you want others to add a signature in the URL when accessing objects in your private bucket, skip the following steps.

If you want resources in your private bucket to be accessible through URLs that do not contain a signature, configure the following bucket policy, which allows only the IP address of the Nginx proxy server to access your bucket.

  1. Log in to OBS Console. In the bucket list, click the target bucket and choose Permissions > Bucket Policy from the navigation pane.

    Figure 1 Going to the bucket policy page

  2. Click Create.

    Figure 2 Creating a custom policy

  3. Configure the parameters listed in Figure 3, click Next, and then click Create to complete the policy creation. If the bucket and ECS are in the same region, set the value of SourceIp for the condition operator IpAddress to 100.64.0.0/10,214.0.0.0/7,Private IP address of the ECS. If the bucket and ECS are in different regions, set the value of SourceIp for the condition operator IpAddress to EIP of the ECS.

    Figure 3 Bucket policy parameters
    Figure 4 Bucket policy created
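
The following added example (not part of the original page and not Huawei Cloud code) checks a SourceIp value before you save the policy: it compares the entries with the values step 3 prescribes and reports any catch-all, unexpected, or missing entry. It assumes the condition behaves as plain CIDR membership; the function names and the addresses 192.168.0.10 and 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# Ranges step 3 prescribes when the bucket and the ECS are in the same region.
SAME_REGION_RANGES = ("100.64.0.0/10", "214.0.0.0/7")

def parse_source_ip(value):
    """Split a comma-separated SourceIp value into networks.
    A bare address becomes a /32; a malformed entry raises ValueError."""
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in value.split(",") if item.strip()]

def expected_source_ip(same_region, ecs_private_ip=None, ecs_eip=None):
    """Build the SourceIp value the page prescribes for this deployment."""
    if same_region:
        return ",".join(SAME_REGION_RANGES + (ecs_private_ip,))
    return ecs_eip

def audit(value, same_region, ecs_private_ip=None, ecs_eip=None):
    """Return findings; an empty list means the value matches step 3."""
    configured = set(parse_source_ip(value))
    expected = set(parse_source_ip(
        expected_source_ip(same_region, ecs_private_ip, ecs_eip)))
    findings = []
    for net in sorted(configured - expected, key=str):
        kind = "catch-all" if net.prefixlen == 0 else "unexpected"
        findings.append(f"{kind} entry: {net}")
    for net in sorted(expected - configured, key=str):
        findings.append(f"missing entry: {net}")
    return findings

def is_allowed(value, requester_ip):
    """Assumed semantics: allow if the requester is inside any listed network."""
    addr = ipaddress.ip_address(requester_ip)
    return any(addr in net for net in parse_source_ip(value))

if __name__ == "__main__":
    # Constructed sample: a same-region value with an extra 0.0.0.0/0 entry.
    sample = "100.64.0.0/10,214.0.0.0/7,192.168.0.10,0.0.0.0/0"
    for finding in audit(sample, True, ecs_private_ip="192.168.0.10"):
        print(finding)
    print(is_allowed(sample, "198.51.100.7"))
```

A 0.0.0.0/0 entry in SourceIp would admit every requester, which defeats the purpose of restricting the bucket to the proxy server.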

Verifying the Reverse Proxy Settings

  1. In Google Chrome, access OBS resources with an address containing the ECS EIP and the absolute path of the object name, for example, http://ECS EIP/Absolute path of the object name.

    Figure 5 Using a fixed IP address to access OBS resources