Azure CDN Verizon Premium Hidden SAS token GET method Error 403 - azure

I have pretty simple question.
Our company is using Azure CDN Premium Verizon (because of options of Rules Engine).
I have succesfully configured Endpoint with custom domain which is pointed to Origin Azure Blob Storage.
In this blob storage we have some Containers secured as Private.
I have followed instructions on Microsoft website to configure Hidden SAS token Authentication with URL Rewrite Rule.
The CDN point called cdn.company.com is working pretty nice. The content stored in Private Blob Storage is view-able in any internet browser (Chrome, IE, Edge..) via CDN point and also with hidden SAS token Rule.
The problem is that our API of internet application is trying to call CDN endpoint via GET method. And thats it. Everytime an error 403 has been occured. I dont really know how to fix that.
I am attaching screenshot from rule engine down below.
Thank you for every ideas.
In screenshots I am trying to get content via GET method of some JavaScript stored in private container "jsc".

Solved... In the end it was problem with regex syntax. The second problem was that our API of the Internet Application generated a random pattern automatically.
So I used regex like
/80XXXXX/XXXXXXX/([\w-.]+[^#?\s]+)(.*)?(#[\w-]+)?$
and now everything works properly.

Related

Azure Storage Static Website security issues

I am working in an Azure Storage Static Website. This website is publicly available and is intended to perform operations against Azure Storage (manage multimedia - crud actions). I am afraid that since it is a client-side app, anybody can use the code to perform unintended operations against the storage account. Any thoughts how can i protect the app against this? Also i am looking for a solution to avoid hardcoded keys/SAS tokens to have permission for the operations against the storage account. I was thinking about using the managed service identity. Anyone had experience with it, since it is in preview mode?
You should definitely not put keys or SAS tokens client-side. As you say, anybody can obtain this and get access to the storage account. One solution is to use an HTTP-triggered serverless function to generate a SAS token as needed. Then you can issue a time-limited SAS to only the resources you want to be publicly accessible. The below tutorial shows how to do this.
https://learn.microsoft.com/en-us/azure/functions/tutorial-static-website-serverless-api-with-database
The static website endpoint is strictly read only. So the client will not be able to change the content of the website.
Currently static website is anonymous access. "add oauth" will be added soon. For read access, once the site is enabled, it'll be available to all public.
Currently we don't have oauth support. Anybody can read the content of the website as long as they have the uri

Securing assets on Microsoft Azure CDN (Verizon Premium) using token authentication

I am attempting to secure files in one folder on Verizon Premium CDN using token authentication. I have followed the docs here.
I have successfully installed the PHP module that encrypts requests and it is working correctly in my application, tested against the encrypt/decrypt tool in the Azure Portal.
I have set up a rule in the rules engine on the CDN endpoint, but when I access the files directly on the CDN endpoint they are not locked or secured and do not require any token key to load them. I am not sure if I have missed something, or if my Rules Engine rule is wrong. My custom rule in the rules engine is set up with this logic:
If 'URL Path Directory' 'matches' '/assets/v1/' then 'enable' 'Token Authentication', 'ignore case', relative to 'root' (the other option rather than root would be 'origin').
Have I got the path wrong? Am I missing some regular expression detail?
The only similar questions here on SO have not successfully dealt with this question and have just talked about privacy options on blobs/containers etc. I originally tried all the same setup on an Azure Storage using a container and blobs but these did not get secured in any way either. I have now set it up to get the files from the web application web site instead. I am quite happy to set it up whichever way works best.

Redirecting Base URL in Azure Blob Storage

My Azure blob storage url looks like this:
https://mycompany.blob.core.windows.net/myplugin
I have files there which is meant to be used by a "source web app". This source web app expects that the above url direct to another file within the above directory:
https://mycompany.blob.core.windows.net/myplugin/myfile.json
Can someone suggest how to get this setup?
Can someone suggest how to get this setup?
As of today this functionality is not possible with Azure Blob Storage. For this functionality to work, Azure Blob Storage need to work like a web server which it is not. It is simply an object store where objects are exposed via a REST API.
You would need to use a proper web server.
It is still not possible to do it today using blob storage only however you can do it using an azure CDN endpoint in front of your azure blob storage and configure a redirection (via the cdn rules engine)
Some useful links:
CDN rules engine
Rules engine features - url redirection

How to host html application on Azure

I have a single page html application, that uses a lot of jQuery. The app content (data as xml and media audio/video/image) is (and has to be) provided by blobs on azure account. I don't need any application server.
What is the recommended way to host such single page html application on Windows Azure Environment (Azure is a requirement).
As I do not need any application server, all application files are currently uploaded into single container as Blobs with appropriate content types. It all works very good.
Still, I've seen that Azure has some website hosting capabilities I've been wondering if what I did is appropriate?
Thanks
Windows Azure Web Sites would work well and could be free for the duration. If the constraints of the free offering don't work for you, you can scale out easily.
You could also store your home page in Azure blob storage, but that means users would have to have the full path to it as there's no server configuration to specify a default page. Publicizing your site endpoint via a vanity URL from bit.ly or the like could make that a non-issue though.
Do note though, that by having everything in blob storage, you're incurring a transaction cost for every image, every page, every script access (that's not cached on the browser that is). Depending on the nature of your site and traffic, it could be more cost-effective to leverage something like Windows Azure Web Site for some of this.

How can I use Window Azure CDN

I have hosted on web application on window azure platform and now client suggest me to put this video using CDN section but i don't know about how can i do that.
I just go through msdn blogs but not cleared yet that concept, after enabling endpoint how can i put content on CDN and how can i access that content?
can anyone please explain me that?
If you're already enabled the endpoint for a storage account, then all you need to do is upload your content to a public blob container either in code of you can use a one of the storage explorers. Then to access the content you can just replace the myaccount.blob.core.windows.net part of the url to your blob with [Default HTTP End Point from the portal].vo.msecnd.net
It's quite straight forward to do, and can be enabled from the Management Console.
Follow these steps:
Log in to the Windows Azure Management Console.
Go to the CDN option in the menu on the left.
Press the 'New Endpoint'.
Select the storage account you wish to enable.
There's also a walkthrough here: http://msdn.microsoft.com/en-us/library/gg680301.aspx

Resources