Custom subdomain name for blob CDN endpoint causes error 400 - azure

I'm trying to set up a custom domain name for a blob CDN endpoint, following these instructions, but can't seem to access my content using the subdomain static.mydomain.com. I've created the following record with my registrar:
Subdomain: static
Type: CNAME
TTL: 7200
Data: blobconatinername.blob.core.windows.net.
For example, I can access this file (note https):
https://blobcontanername.blob.core.windows.net/somefile.mp3
But trying to access this file
http://static.mydomain.com/somefile.mp3
I get an invalid URI error (an error 400):
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>InvalidUri</Code>
<Message>
The requested URI does not represent any resource on the server. RequestId:c5ec4859-0001-0079-0bf8-961dfa000000 Time:2016-04-15T09:22:32.1317877Z
</Message>
<UriPath>
http://static.mydomain.com/somefile.mp3
</UriPath>
</Error>
Resolution?

Can you access the file via the CDN endpoint, yourcdnendpoint.azureedge.net/path/to/file?
Shouldn't static.yourdomain.com point to the CDN endpoint, not your blob storage?
Subdomain: static
Type: CNAME
TTL: 7200
Data: yourcdnendpoint.azureedge.net.
Also, the domain you are using must be verified. The process is described at https://azure.microsoft.com/sv-se/documentation/articles/cdn-map-content-to-custom-domain/

This 400 error occurred for us too - the fix was to assign the Origin Host Header value. We are using the Verizon Premium CDN plan in Azure - MS support advised us that Host Header is required despite it appearing as optional in the Azure Portal UI.
CDN Profile => CDN Endpoint => Origin => Origin Host Header

Related

Azure CDN Token with Verizon Premium

I have configured a token and following are the settings at the Verizon Premium token config for the token generation.
My CDN is pointing to static files on storage account. But apart from home page rest all pages are giving 403 error. I have '/' on the ec_url_allow. I am unable to solve this problem any idea?
You are getting this 403 error for all the pages other than the home page because, though ‘/’ is allowed in the ‘ec_url_allow’ section in the token configuration section, you will have to define the correct paths in the rules engine, enable the token authentication feature and enable the additional token authentication related capabilities.
For the above purpose, you will have to create a rule set to define the asset or path for which you want to apply token authentication with the condition ‘if the URL Path Directory Matches value equals to <directory path>, then the token authentication will take place and be enabled’. To do the same as discussed above, kindly follow the below documentation: -
https://learn.microsoft.com/en-us/azure/cdn/cdn-token-auth#setting-up-token-authentication
As a result, the ‘custom name’ option defined in the ‘Name’ option only contains valid URL characters that defines the name of the query string parameter where Token-Based Authentication will expect a token value. Hence, as per in the example below, the custom name should be specified post enabling the token authentication parameter: -
http://cdn.mydomain.com/secure/asset.html?mycustomname=Token
Thus, you should enable the rule and configure it accordingly to allow the custom path name in it to be able to access the files inherent in that path and avoid the ‘403’ error.
Update : - Kindly check the below snapshots for the modifications in the 'token auth' section of the verizon premium endpoint management: -
Also, do ensure that the custom 'test' blob created for your static website hosted in the storage account is configured for the access level 'Blob (anonymous read access for blobs only)' such that when you are trying to access the content within the 'test' blob, you are able to access it and not interrupted by the blob's access level policy even when the rules engines settings are correct.
The URL that I am forming to access content within the '$web' blob is as follows: -
'https://storageaccountname.blob.core.windows.net/test/ADFS role post-install configuration certificate install.jpg?Tokengenerated'
Please find the below formed rules policy in the rules engine as in below snapshot: -
Thus, configuring a policy as a rule in the rule builder based on the parameters defined in the token auth is necessary for accessing the different pages of the storage account successfully.
Please do make sure that you are not giving the default '$web' path in the rules engine policy because it won't work, thus you will have to create some other custom blob container and give its path in the rules engine as given by me.

Azure API Management: Could not establish trust relationship for the SSL/TLS secure channel

I'm trying to set up an API Management Gateway using a custom domain. However, when I go to test it out, I get an SSL error. I am not sure if I've missed any steps or I've misconfigured my custom domain. The API returns a 200 response when I use the default Gateway URL but returns a 400 when I use my custom domain.
Any help in this domain is appreciated. Thanks
I've described the steps I've followed below:
Steps followed to create a custom domain:
Setup a CNAME for my custom domain api.something.com in Route 53 with Value as .azure-api.net
When creating a custom domain, I added my PFX certificate to the custom domain. When creating my certificate, I set CN="*.something.com". Additional settings such as Negotiate Client Certificate: false and Default SSL binding: true
Created an API with the suffix app1 so that my API is reachable at api.something.com/app1
Now, when I try to test it out through the portal, I get the error
HTTP/1.1 400 Bad Request
content-length: 123
content-type: application/json
vary: Origin
{
"error": "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
}
This is the request header. Also, I've turned off Require Subscription Key but I'm not sure why the subscription key is still included in the header
GET https://api.something.com/app1/api/heartbeat HTTP/1.1
Host: api.something.com
Ocp-Apim-Subscription-Key: xxxxxxxxx
Ocp-Apim-Trace: true

Error in calling Azure rest API -The requested URI does not represent any resource on the server

I am calling the Azure REST API to list all blobs in a directory (inside a container) through Informatica Cloud using a web service transformation. But I am getting an error while running the mapping: InvalidUri: The requested URI does not represent any resource on the server.
API: https://<account_name>.blob.core.windows.net/training?restype=container&comp=list&prefix=training/Type/Class
Could not reproduce your issue, the REST API - List Blobs works fine on my side.
You could refer to the sample below, make sure you are using it the same as mine.
Note: When you are using prefix, you have already used the container name training in the URL, so don't use it again in the parameter; it should be prefix=Type/Class.
Request URL:
GET https://accountname.blob.core.windows.net/training?restype=container&comp=list&prefix=Type/Class
Request header:
x-ms-version = 2019-12-12
Test in the postman:
My storage structure:

How do I enable CORS on Azure Storage Blob

I am trying to customize the UI page on Azure B2C using an Azure storage blob using this article. It needs to be CORS enabled. I have tested it using test-cors.org and I know it is not but I do not know how to set it
The article uses https://wingtiptoysb2c.blob.core.windows.net/b2c/wingtip/selfasserted.html which I test and returns a 200 but mine does not
https://bookssorted.blob.core.windows.net/b2c/selfasserted.html
This article talks about using this PUT https://myaccount.blob.core.windows.net/?restype=service&comp=properties HTTP/1.1 but how do I run this?
EDIT: I am using Azure Storage Explorer and I have these rules set on the blob but it is still not returning a http 200 from test-cors.org
EDIT2: this is the url that makes the request to the authentication policy which loads the page that makes the request to load the blob
https://login.microsoftonline.com/bookssorted.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_bookssortedAuthenticationPolicy&client_Id=35f308cd-8914-4035-9f62-cec7600c1727&nonce=defaultNonce&redirect_uri=https%3A%2F%2Flocalhost%2Fbookssorted%2Fsecure%2Fsuccess&scope=openid&response_type=id_token&prompt=login
EDIT3: headers as requested
In order for a cross-origin request to succeed, the request must match the CORS configuration. This includes the request origin, request headers & exposed (response) headers. Any mismatch there would result in the request failing.
If the origin is known, then that URL must be specified (including protocol & port number if applicable) in the CORS rule. If the origin is not known, you can specify * as the origin and all URLs will be able to make such requests.
Same thing goes for request headers and exposed headers. Since different requests to Azure Storage make use of different request headers and return different response headers, it is advisable to set the value for these as * in the CORS rule. This will ensure that all request/response headers are accepted.
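The matching described in this answer, as an added example that is not part of the original answer and not Azure's implementation: a simplified model of checking a preflight request against CORS rules. The rule field names follow the Azure Storage CORS rule elements; the origin is taken from the B2C URL in the question, and the rule values and sample requests are constructed.

```javascript
// Simplified model of CORS rule matching (constructed rules, not real settings).
const b2cRule = [{
  AllowedOrigins: ['https://login.microsoftonline.com'], // scheme + host (+ port)
  AllowedMethods: ['GET', 'OPTIONS'],
  AllowedHeaders: ['*'],
  ExposedHeaders: ['*'],
  MaxAgeInSeconds: 200,
}];

// Same origin, but only an explicit header list (a trailing * is a prefix wildcard).
const strictRule = [{ ...b2cRule[0], AllowedHeaders: ['content-type', 'x-ms-meta-*'] }];

// The whole origin string is compared, so http vs https or an extra port is a mismatch.
function originAllowed(rule, origin) {
  return rule.AllowedOrigins.includes('*') || rule.AllowedOrigins.includes(origin);
}

function headerAllowed(rule, header) {
  const h = header.toLowerCase();
  return rule.AllowedHeaders.some((allowed) => {
    const a = allowed.toLowerCase();
    return a === '*' || a === h || (a.endsWith('*') && h.startsWith(a.slice(0, -1)));
  });
}

// Returns 'ok', or the reason the last candidate rule rejected the request.
function checkPreflight(ruleSet, req) {
  let reason = 'origin not allowed';
  for (const rule of ruleSet) {
    if (!originAllowed(rule, req.origin)) continue;
    if (!rule.AllowedMethods.includes(req.method)) { reason = 'method not allowed'; continue; }
    const bad = (req.headers || []).find((h) => !headerAllowed(rule, h));
    if (bad) { reason = `header not allowed: ${bad}`; continue; }
    return 'ok';
  }
  return reason;
}

const origin = 'https://login.microsoftonline.com';
console.log(checkPreflight(b2cRule, { origin, method: 'GET', headers: ['x-ms-version'] }));
console.log(checkPreflight(b2cRule, { origin: 'http://login.microsoftonline.com', method: 'GET' }));
console.log(checkPreflight(strictRule, { origin, method: 'GET', headers: ['authorization'] }));
```

Running the same checks against your own rule values shows which element (origin, method or header) is the one that fails before widening a rule to `*`.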

Generating Azure Shared Access Signatures with BlobService.getBlobURL() in Azure SDK for Node.js

I am attempting to generate a url to a blob with a Shared Access Signature using BlobService.getBlobURL() in the Azure library on Node.js on my local machine. But when I try to retrieve the blob via the generated URL, I'm getting an Authentication Error saying that the "Signature did not match". Downloading the same blob from the Azure Management Portal works fine.
Below is the code I'm using to generate the URL:
// Credentials are read by createBlobService() from these environment variables.
process.env['AZURE_STORAGE_ACCOUNT'] = "[MY_ACCOUNT_NAME]";
process.env['AZURE_STORAGE_ACCESS_KEY'] = "[MY_ACCESS_KEY]";
var azure = require('azure');
var blobs = azure.createBlobService();
// Request a read-only SAS URL that is valid for 60 minutes.
blobs.getBlobUrl('[CONTAINER_NAME]', "[BLOB_NAME]", {
    AccessPolicy: {
        Start: Date.now(),
        Expiry: azure.date.minutesFromNow(60),
        Permissions: azure.Constants.BlobConstants.SharedAccessPermissions.READ
    }
});
The URL generated by this function is:
https://[MY_ACCOUNT_NAME].blob.core.windows.net:443/[CONTAINER_NAME]/
[ENCODED_BLOB_NAME]
?st=2013-10-28T18%3A34%3A23Z
&se=2013-10-28T19%3A34%3A23Z
&sp=r
&sr=b
&sv=2012-02-12
&sig=rLB%2FEOAWzijkkWcseju8TJLAxzeE5e3Pvq1i68i5Erc%3D
When I try to paste this URL into a browser, I get the following error message:
<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:9fe3d3ed-97f4-43d1-8c65-c95ce6b15a08 Time:2013-10-28T18:34:43.3015398Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was r 2013-10-28T18:34:23Z 2013-10-28T19:34:23Z /[MY_ACCOUNT_NAME]/[CONTAINER_NAME]/[BLOB_NAME] 2012-02-12
</AuthenticationErrorDetail>
</Error>
Then I tried logging on to the Azure Management Portal, selecting the same blob, and downloading it. This worked. URL provided from the Management Portal was:
http://[MY_ACCOUNT_NAME].blob.core.windows.net/[CONTAINER_NAME]/
[ENCODED_BLOB_NAME]
?sv=2012-02-12
&st=2013-10-28T18%3A35%3A16Z
&se=2013-10-28T18%3A42%3A16Z
&sr=b
&sp=r
&sig=kcjV%2BkrNAaWOj%2F7NFwmHefXJEiEyu61U7mUTsw3pw7w%3D
It appears that as of the Azure Node.js Library version 0.7.16, there is a bug causing this behavior. When a Blob name includes spaces, BlobService.getBlobURL() fails to generate a correct signature. To resolve, upload a new blob without any spaces in its name, and call BlobService.getBlobURL() again with the name of the new blob. The URL produced this time will be valid. You can check in on this issue on Github.
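A way to reproduce this class of "Signature did not match" error offline, as an added example that is not code from the original post or from the Azure SDK. It assumes the sv=2012-02-12 string-to-sign layout echoed in the error above (permissions, start, expiry, resource, an empty identifier line, version) and illustrates one possible cause, signing the percent-encoded blob name, without claiming that this is the library's actual bug; the account name, key and blob name are constructed.

```javascript
const crypto = require('crypto');

// Constructed sample values; the key is a made-up string, not a real account key.
const ACCOUNT = 'exampleaccount';
const KEY_B64 = Buffer.from('constructed-demo-key-not-a-real-secret').toString('base64');

// Fields joined with newlines; the resource uses the blob name as given in p.blobName.
function stringToSign(p) {
  const resource = `/${p.account}/${p.container}/${p.blobName}`;
  return [p.sp, p.st, p.se, resource, '', p.sv].join('\n');
}

// HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded account key.
function sign(p, keyB64) {
  return crypto.createHmac('sha256', Buffer.from(keyB64, 'base64'))
    .update(stringToSign(p), 'utf8').digest('base64');
}

// Verifier: rebuild the string from the URL, decoding the path first, then compare.
function verifySasUrl(sasUrl, account, keyB64) {
  const u = new URL(sasUrl);
  const [container, ...rest] = decodeURIComponent(u.pathname).slice(1).split('/');
  const q = u.searchParams;
  const expected = sign({ sp: q.get('sp'), st: q.get('st'), se: q.get('se'),
    sv: q.get('sv'), account, container, blobName: rest.join('/') }, keyB64);
  const got = Buffer.from(q.get('sig') || '', 'base64');
  const want = Buffer.from(expected, 'base64');
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// nameToSign lets the caller choose which form of the name goes into the signature.
function buildSasUrl(container, blobName, nameToSign) {
  const p = { sp: 'r', st: '2013-10-28T18:34:23Z', se: '2013-10-28T19:34:23Z',
              sv: '2012-02-12', account: ACCOUNT, container, blobName: nameToSign };
  const qs = new URLSearchParams({ st: p.st, se: p.se, sp: p.sp, sr: 'b',
                                   sv: p.sv, sig: sign(p, KEY_B64) });
  return `https://${ACCOUNT}.blob.core.windows.net/${container}/` +
         `${encodeURIComponent(blobName)}?${qs}`;
}

const name = 'my file.mp3';
const good = buildSasUrl('media', name, name);                    // signs "my file.mp3"
const bad = buildSasUrl('media', name, encodeURIComponent(name)); // signs "my%20file.mp3"
console.log(verifySasUrl(good, ACCOUNT, KEY_B64), verifySasUrl(bad, ACCOUNT, KEY_B64));
```

Comparing your own `stringToSign` output with the string in the server's AuthenticationErrorDetail shows which field differs.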
