I will try to keep this simple.
1) I have a VM : NGINX server serving a webpage. ( azure VM )
2) I have a storage with a Blob folder called web-images. ( azure storage )
This storage are fully block to only " Selected networks "
Question:
How does a page in the NGINX server can point to the blob storage and get the file?
Example:
<img src="https://xxxxxx.blob.core.windows.net/web-images/demoImage-1.jpg" >
thanks for the help..
Simple answer is that you can't. Because the storage account is restricted to selected networks and when a user accesses a resource in that account through a browser they are accessing it via their network and thus they will not be able to access the file.
One option is to download the file on your server from the storage account and then use a link of your servers in your HTML pages but then it defeats the process of having files in storage in the first place.
Related
I have an Azure Storage account that hosts a static web site as explained here. This means the static web site "lives" in a storage container named $web. This web site is accessible via a custom domain. This is currently working as desired. However, there is one file that I want to restrict access to.
There is one file in the $web storage container that I only want individuals to access if a) they have a key and b) it's during a specific time window. My thinking was that I could accomplish this with a Shared Access Signature (SAS). However, while testing this approach, it doesn't seem to work. It seems that everything in the $web storage container is publicly visible whether a SAS has been generated or not. Is this correct?
Is there a way to require that a file in the $web storage container have an SAS? Or, do I need to "host" the file in a separate storage container (thus removing it from my custom domain)?
Thank you.
When visit the files stored in $web container via primary static website endpoint(for example, https://contosoblobaccount.z22.web.core.windows.net/index.html), the files are always be accessible whether the container is public or private. So it doesn't matter the sas token is specified or not.
And the sas token only take effects if the $web container is private access, and people visit it via primary blob service endpoint(For example, https://contosoblobaccount.blob.core.windows.net/$web/index.html).
Please refer to this official doc for more details.
So for your purpose, you should put it in another container with private access.
I create the the Storage account, CDN Profile and CDN endpoint from powershell. But adding images to the storage account is a manual process after creating all azure components. Now we have the issue that images are not showing up in page. When I try to access the CDN image url directly, I get this error
The requested URI does not represent any resource on the server
But I can access the content directly by using blob storage url to ensure content exist. I tried changing the caching rules , but nothing is working. I have standard verizon cdn profile.
Any suggestions?
Update1 : When I delete the endpoint and recreate the endpoint with all images already loaded in Storage account, everything works fine. Any idea what is the predictable behaviour?
This error happens when you're using a "/" with the root container where the blob is present (sub-folders). for now the "/" are not supported, you can get around it by referencing the root container in the link, ex:
GET https://myaccount.blob.core.windows.net/$root/myphoto
When using the CDN, the format should look like the following:
http://<EndpointName>.azureedge.net/<myPublicContainer>/<BlobName>
There is also a cool tutorial on how to host static sites via blobs and CDN worth checking out: https://blog.lifeishao.com/2017/05/24/serving-your-static-sites-with-azure-blob-and-cdn
Documentation:
You can get more info from these links: https://learn.microsoft.com/en-us/rest/api/storageservices/Working-with-the-Root-Container?redirectedfrom=MSDN
https://learn.microsoft.com/en-us/azure/cdn/cdn-create-a-storage-account-with-cdn
I am using LogicApp to import a set of files which are inside the directory(/devcontainer/sample1/abc.csv).
The problem here is that,I could not even located to the azure file from my LogicApp, I am getting the following error as:
verify that the path exists and does not contain the blob name.List Folder is not allowed on blobs.
Screenshots for reference
The problem here is that,I could not even located to the azure file from my LogicApp,
The file explorer will show all the contains and blobs when you choose blob path. And it will cache the data for a period of time to ensure the smoothness of the operation. If a blob is added to the container recently, it will not be seen and chosen from the file explorer. The workaround is by clicking the change connection link and using a new connection to retrieve the data.
Does your blob connection pointing to the correct storage account? one thing you can try to do is instead of providing the path try to browse the path so that you can what are the containers and the blobs that are present in the storage account that you are trying to access.
I'm trying to link to or embed images which are stored in an azure BLOB storage container. I don't have any server side programming available, i.e. no C# or PHP, only HTML + JavaScript. Is this possible, and what technologies would you recommend?
I should also mention that my website does not run on the same server and is not running in Azure either.
Since blob storage is accessible via HTTP protocol, you don't have to do any server side programming. Just ensure that the blob container containing images has Blob or Container ACL (See this answer of mine: Can't access the blob file in sub directory). After that you just have to use the URL of the image and put that in the src attribute of the image and you're done!
So assuming your storage account name is myaccount and blob container name is images and the image name is logo.png, the blob URL would be [http|https]://myaccount.blob.core.windows.net/images/logo.png and that is something you would put in the src attribute:
<img src="[http|https]://myaccount.blob.core.windows.net/images/logo.png" />
I am looking at using azure Containers and Blobs to store images and videos for my website. I found http://msdn.microsoft.com/en-us/library/windowsazure/dd179354.aspx which talks about the different ALC settings but it did not answer one of my questions. If a Container/Blob are set to "No public read access" the site says that only the account owner can read the data. Would this mean that people could not access it by the URL but my MVC Web App hosted on an Azure VM would be able to access it via URL?
Please bear with me if the answer sounds a bit preachy & unnecessary lengthy :)
Essentially each resource (Blob Container, Blob) in Windows Azure has a unique URL and is accessible via REST API (thus accessible over http/https protocol). Wit ACL, you basically tell storage service whether or not to honor the request sent to serve the resource. To read more about authentication mechanism, you may find this link useful: http://msdn.microsoft.com/en-us/library/windowsazure/dd179428.aspx.
When you set the ACL as No public read access, you're instructing storage service not to honor any anonymous requests. Only authenticated requests will be honored. To create an authenticated request, you would require your account name and key and create an authorization header which gets passed along with the request to access the request. If this authorization header is not present in your request, the request will be rejected.
So long story short, to answer your question even your MVC application won't be able to access the blob via URL unless that authorization header is included in the request. One possibility would be to explore Shared Access Signature (SAS) functionality in blob storage. This would give time-bound restricted permissions to blobs in your storage. So what you would do is create a SAS URL for your blob in your MVC app using your account name and key and use that SAS URL in the application.
To further explain the concept of ACL, let's say you have a blob container called mycontainer and it has a blob called myblob.txt in a storage account named myaccount. For listing blobs in the container, the container URL would be http://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=list and the blob URL would be http://myaccount.blob.core.windows.net/mycontainer/myblob.txt. Following will be the behavior when you try to access these URLs directly through the browser with different ACL:
No public read access
Container URL - Error
Blob URL - Error
Public read access for blobs only
Container URL - Error
Blob URL - Success (will download the blob)
Full public read access
Container URL - Success (will show an XML document containing information about all blobs in the container)
Blob URL - Success (will download the blob)