Verizon CDN Premium / SAS Blob Storage Rewrite

  • Question

  • This is actually a reply to https://social.msdn.microsoft.com/Forums/azure/en-US/02233cee-6ba6-4ceb-b9d9-c664e9f569a6/restrict-azure-blob-container-access-to-azure-cdn

    But for whatever reason I can't reply to that thread as all I get is "Unknown Error" (Internal Server Error).

    Anyways:

    If you wish to keep the SAS token hidden from the end customer completely, you can use a Verizon Premium profile and use a URL rewrite rule to add the SAS url from the CDN.

    Could you please provide more information on how to achieve that?

    The URL rewrite feature forces a base path for a destination and that ends up affecting the destination URL at the storage account.

    For instance, rule:
    URL Rewrite
    Source "/CDNBASE/CDNPATH/" REGEX
    Destination "/CDNBASE/CDNPATH/" SUBSTITUTION

    Results in:
    https://domain.azureedge.net/storagepath/myfile.ext
    Rewrites to >
    https://xxx.blob.core.windows.net//CDNBASE/CDNPATH/storagepath/myfile.ext

    The CDN forces either:
    /CDNBASE/CDNPATH/
    or
    /CDNBASE/

    in the destination as seen here:

    Error message from blob storage:

    Sorry, I should also clarify that I am fully aware that it is likely a problem with my regex. So to indicate what I wish to rewrite (essentially just replacing the query string to the SAS token):

    https://domain.azureedge.net/storagecontainerpath/potential/other/paths/myfile.ext?tokenauth=xxxyyyzzz

    https://domain.blob.core.windows.net/storagecontainerpath/potential/other/paths/myfile.ext?blobsas=aaabbbccc

    • Edited by NoCopy_ Saturday, November 4, 2017 2:37 AM
    Friday, November 3, 2017 2:56 PM

Answers

  • Update: It was, in fact, my regex. For anyone looking for a similar answer, this seems to work to rewrite a CDN token Auth request to a Blob Storage SAS request:

    RULE: URL Rewrite

    Source: /CDNBASE/CDNPATH/ (dropdown)
    Regex: ((?:[^\?]*/)?[^\?/]+)($|\?.*)

    Destination: /CDNBASE/CDNPATH/ (dropdown)
    Substitution: $1$2&sv=<YOUR SAS TOKEN PARAMS>

    Note that in the substitution the initial CDN auth query is included in addition to the SAS token - without it I was getting a 403 Permission Denied.

    While I am sure there is a more straightforward regex, this was the only one that worked for me - and I tried many.

    Edit: A far more straightforward regex is to simply match the storage container path, e.g.:

    Source: /CDNBASE/CDNPATH/ (dropdown)
    Regex: (your-storage-path\/.*)

    Destination: /CDNBASE/CDNPATH/ (dropdown)
    Substitution: $1&sv=<YOUR SAS TOKEN PARAMS>

    • Marked as answer by NoCopy_ Sunday, November 5, 2017 1:31 AM
    • Edited by NoCopy_ Wednesday, November 8, 2017 4:15 AM
    Sunday, November 5, 2017 1:28 AM
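
An added example, not part of the original post and not the CDN's own code: an offline check of the two Regex/Substitution pairs from the answer, run against constructed request URLs, which shows that a request arriving without a query string gets the SAS parameters appended with `&` and no `?`. Assumptions: the rules engine behaves like a plain regex replace over the relative path plus query string, `storagecontainerpath` stands in for `your-storage-path`, and the SAS value is a placeholder.

```javascript
// Added example: offline model of the two rewrite rules from the answer.
// Assumption: Regex/Substitution act like a plain regex replace over the
// request's relative path plus query string (not verified against the CDN).
const SAS = "sv=SAS-PARAMS-PLACEHOLDER"; // constructed placeholder, not a real token

const RULES = {
  // First rule from the answer: $1 = path, $2 = original query (or empty).
  general: { regex: /((?:[^\?]*\/)?[^\?\/]+)($|\?.*)/, substitution: "$1$2&" + SAS },
  // Second rule from the answer, with the container name filled in.
  containerPath: { regex: /(storagecontainerpath\/.*)/, substitution: "$1&" + SAS },
};

// Returns the rewritten relative URL, or null when the rule does not match.
function rewrite(rule, relativeUrl) {
  if (!rule.regex.test(relativeUrl)) return null;
  return relativeUrl.replace(rule.regex, rule.substitution);
}

// True only when the SAS parameters land after a "?", i.e. in the query string.
// False means they were glued onto the blob path and the origin will not see a SAS.
function sasInQuery(rewritten) {
  const q = rewritten.indexOf("?");
  return q !== -1 && rewritten.indexOf(SAS) > q;
}

// Constructed sample requests: one with the CDN token query, one without.
const samples = [
  "storagecontainerpath/potential/other/paths/myfile.ext?tokenauth=xxxyyyzzz",
  "storagecontainerpath/myfile.ext",
];

for (const [name, rule] of Object.entries(RULES)) {
  for (const s of samples) {
    const out = rewrite(rule, s);
    console.log(`${name}: ${s}\n  -> ${out}\n  SAS in query: ${out !== null && sasInQuery(out)}`);
  }
}
```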