Securing assets on Microsoft Azure CDN (Verizon Premium) using token authentication - azure

I am attempting to secure files in one folder on Verizon Premium CDN using token authentication. I have followed the docs here.
I have successfully installed the PHP module that encrypts requests and it is working correctly in my application, tested against the encrypt/decrypt tool in the Azure Portal.
I have set up a rule in the rules engine on the CDN endpoint, but when I access the files directly on the CDN endpoint they are not locked or secured and do not require any token key to load them. I am not sure if I have missed something, or if my Rules Engine rule is wrong. My custom rule in the rules engine is set up with this logic:
If 'URL Path Directory' 'matches' '/assets/v1/' then 'enable' 'Token Authentication', 'ignore case', relative to 'root' (the other option rather than root would be 'origin').
Have I got the path wrong? Am I missing some regular expression detail?
The only similar questions here on SO have not successfully dealt with this question and have just talked about privacy options on blobs/containers etc. I originally tried all the same setup on Azure Storage using a container and blobs, but these did not get secured in any way either. I have now set it up to get the files from the web application web site instead. I am quite happy to set it up whichever way works best.

Related

Local ASP Core 3.1 MVC App with Microsoft Authentication - Single Tenant or Multi Tenant

Some background: I am deploying a local ASP Core 3.1 MVC Application within our company's internal network. Currently working on it in a local dev environment, but it will eventually run on a Linux system where the URL is routed through our DNS server and given a nicer-looking URL than the plain IP address. Our organization uses Azure AD and all our employees have Microsoft accounts. I am trying to only allow logins via Microsoft accounts. I have followed the Quickstart guide within the Azure Portal, but am now getting the following error: "AADSTS50194 ... not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant"
The guides did not mention anything about configuring endpoints as far as I could see. I currently have it set to single tenant as it seems like it will only allow accounts that follow this format: employeesname@mycompany.com. The mycompany.com is the domain we own.
This app will service multiple users concurrently, but we only want our own employees to have access, no guests or exceptions.
Questions:
Is there a reason why I should use multi-tenancy, or is single-tenancy ok? If single tenancy, how do I go about configuring the endpoint?
I am new to 3.1 and the example project from Microsoft is 2.1 (I see where they seem to be configuring endpoints here, but I am not sure how to update this to 3.1).
So after moving back and forth between attempts in the Startup.cs file

    services.AddAuthentication().AddMicrosoftAccount(microsoftOptions => {
        microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ClientId"];
        microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
        //microsoftOptions.CallbackPath = "/signin-microsoft";
    });

I settled with the above. I changed to multi tenant because the more restrictive pages will be granted manually, so if someone manages to log in inside our network with their personal MS account, it won't make much of a difference.
Just be sure to use this in your layout file (or any Razor views):

    @if (User.Identity.IsAuthenticated)

to see if a user has authenticated correctly.

Azure CDN Verizon Premium Hidden SAS token GET method Error 403

I have a pretty simple question.
Our company is using Azure CDN Premium Verizon (because of the options of the Rules Engine).
I have successfully configured an Endpoint with a custom domain which is pointed to an Origin Azure Blob Storage.
In this blob storage we have some Containers secured as Private.
I have followed the instructions on the Microsoft website to configure Hidden SAS token Authentication with a URL Rewrite Rule.
The CDN point called cdn.company.com is working pretty nicely. The content stored in Private Blob Storage is viewable in any internet browser (Chrome, IE, Edge..) via the CDN point and also with the hidden SAS token Rule.
The problem is that the API of our internet application is trying to call the CDN endpoint via the GET method. And that's it. Every time, an error 403 occurs. I don't really know how to fix that.
I am attaching a screenshot from the rules engine down below.
Thank you for any ideas.
In screenshots I am trying to get content via GET method of some JavaScript stored in private container "jsc".
Solved... In the end it was a problem with the regex syntax. The second problem was that the API of our Internet Application generated a random pattern automatically.
So I used regex like
/80XXXXX/XXXXXXX/([\w-.]+[^#?\s]+)(.*)?(#[\w-]+)?$
and now everything works properly.

Azure Storage Static Website security issues

I am working on an Azure Storage Static Website. This website is publicly available and is intended to perform operations against Azure Storage (manage multimedia - CRUD actions). I am afraid that since it is a client-side app, anybody can use the code to perform unintended operations against the storage account. Any thoughts on how I can protect the app against this? Also I am looking for a solution to avoid hardcoded keys/SAS tokens having permission for the operations against the storage account. I was thinking about using the managed service identity. Has anyone had experience with it, since it is in preview mode?
You should definitely not put keys or SAS tokens client-side. As you say, anybody can obtain this and get access to the storage account. One solution is to use an HTTP-triggered serverless function to generate a SAS token as needed. Then you can issue a time-limited SAS to only the resources you want to be publicly accessible. The below tutorial shows how to do this.
https://learn.microsoft.com/en-us/azure/functions/tutorial-static-website-serverless-api-with-database
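The server-side SAS minting this answer recommends, as an added example that is not the linked tutorial's code: the function an HTTP-triggered Azure Function would call so the account key never reaches the browser, issuing only read-only, HTTPS-only, short-lived tokens for one blob in an allowlisted container. The account name, key and container names are constructed placeholders, and the string-to-sign follows the service SAS layout documented for API version 2018-03-28.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

# Constructed placeholders; a real function reads these from app settings.
ACCOUNT = "mycompanymedia"
ACCOUNT_KEY = base64.b64encode(b"placeholder-account-key-not-real").decode()
SHAREABLE_CONTAINERS = {"images", "videos"}   # only these may ever be exposed
MAX_TTL_MINUTES = 15
SV = "2018-03-28"                             # SAS version matching the string-to-sign below


def _ts(dt):
    # SAS timestamps are ISO 8601 UTC without fractional seconds
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def mint_read_sas(container, blob, ttl_minutes=MAX_TTL_MINUTES):
    """Return an HTTPS-only, read-only service SAS URL for a single blob.

    Raises ValueError when the request is outside the allowed scope, so the
    HTTP trigger can answer 400/403 instead of signing anything.
    """
    if container not in SHAREABLE_CONTAINERS:
        raise ValueError("container is not shareable")
    if not blob or blob.startswith("/") or ".." in blob.split("/"):
        raise ValueError("invalid blob name")
    if not 0 < ttl_minutes <= MAX_TTL_MINUTES:
        raise ValueError("ttl out of range")

    now = datetime.now(timezone.utc)
    start = _ts(now - timedelta(minutes=5))          # tolerate client clock skew
    expiry = _ts(now + timedelta(minutes=ttl_minutes))
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"

    # Service SAS string-to-sign: fixed field order, one field per line,
    # and empty optional fields still contribute their newline.
    to_sign = "\n".join([
        "r",                  # signedPermissions: read only, never write/delete
        start, expiry, canonical,
        "",                   # signedIdentifier: no stored access policy
        "",                   # signedIP: unrestricted
        "https",              # signedProtocol
        SV,
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct header overrides
    ])
    sig = hmac.new(base64.b64decode(ACCOUNT_KEY), to_sign.encode("utf-8"),
                   hashlib.sha256).digest()
    query = {"sv": SV, "sr": "b", "sp": "r", "st": start, "se": expiry,
             "spr": "https", "sig": base64.b64encode(sig).decode()}
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{quote(blob)}?{urlencode(query)}"
```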
The static website endpoint is strictly read only. So the client will not be able to change the content of the website.
Currently, the static website is anonymous access. "add oauth" will be added soon. For read access, once the site is enabled, it'll be available to all the public.
Currently we don't have OAuth support. Anybody can read the content of the website as long as they have the URI.

Redirecting Base URL in Azure Blob Storage

My Azure blob storage url looks like this:
https://mycompany.blob.core.windows.net/myplugin
I have files there which are meant to be used by a "source web app". This source web app expects that the above URL directs to another file within the above directory:
https://mycompany.blob.core.windows.net/myplugin/myfile.json
Can someone suggest how to get this setup?
As of today this functionality is not possible with Azure Blob Storage. For this functionality to work, Azure Blob Storage needs to work like a web server, which it is not. It is simply an object store where objects are exposed via a REST API.
You would need to use a proper web server.
It is still not possible to do it today using blob storage only; however, you can do it using an Azure CDN endpoint in front of your Azure Blob Storage and configure a redirection (via the CDN rules engine).
Some useful links:
CDN rules engine
Rules engine features - url redirection

How can I use Windows Azure CDN

I have hosted a web application on the Windows Azure platform and now the client suggests that I serve this video using the CDN section, but I don't know how to do that.
I just went through the MSDN blogs but the concept is not clear to me yet: after enabling the endpoint, how can I put content on the CDN and how can I access that content?
Can anyone please explain that to me?
If you've already enabled the endpoint for a storage account, then all you need to do is upload your content to a public blob container, either in code or using one of the storage explorers. Then to access the content you can just replace the myaccount.blob.core.windows.net part of the URL to your blob with [Default HTTP End Point from the portal].vo.msecnd.net
It's quite straightforward to do, and can be enabled from the Management Console.
Follow these steps:
Log in to the Windows Azure Management Console.
Go to the CDN option in the menu on the left.
Press 'New Endpoint'.
Select the storage account you wish to enable.
There's also a walkthrough here: http://msdn.microsoft.com/en-us/library/gg680301.aspx