Verizon CDN Premium / SAS Blob Storage Rewrite

Category: azure cdn

Question

NoCopy_ on Fri, 03 Nov 2017 14:56:05


This is actually a reply to https://social.msdn.microsoft.com/Forums/azure/en-US/02233cee-6ba6-4ceb-b9d9-c664e9f569a6/restrict-azure-blob-container-access-to-azure-cdn

But for whatever reason I can't reply to that thread as all I get is "Unknown Error" (Internal Server Error).

Anyways:

If you wish to keep the SAS token hidden from the end customer completely, you can use a Verizon Premium profile and use a URL rewrite rule to add the SAS url from the CDN.

Could you please provide more information on how to achieve that?

The URL rewrite feature forces a base path for a destination and that ends up affecting the destination URL at the storage account.

For instance, rule:
URL Rewrite
Source "/CDNBASE/CDNPATH/" REGEX
Destination "/CDNBASE/CDNPATH/" SUBSTITUTION

Results in:
https://domain.azureedge.net/storagepath/myfile.ext
Rewrites to >
https://xxx.blob.core.windows.net//CDNBASE/CDNPATH/storagepath/myfile.ext

The CDN forces either:
/CDNBASE/CDNPATH/
or
/CDNBASE/

in the destination as seen here:

Error message from blob storage:

Sorry, I should also clarify that I am fully aware that it is likely a problem with my regex. So to indicate what I wish to rewrite (essentially just replacing the query string to the SAS token):

https://domain.azureedge.net/storagecontainerpath/potential/other/paths/myfile.ext?tokenauth=xxxyyyzzz

https://domain.blob.core.windows.net/storagecontainerpath/potential/other/paths/myfile.ext?blobsas=aaabbbccc

Replies

NoCopy_ on Sun, 05 Nov 2017 01:28:16


Update: It was, in fact, my regex. For anyone looking for a similar answer, this seems to work to rewrite a CDN token Auth request to a Blob Storage SAS request:

RULE: URL Rewrite

Source: /CDNBASE/CDNPATH/ (dropdown)
Regex: ((?:[^\?]*/)?[^\?/]+)($|\?.*)

Destination: /CDNBASE/CDNPATH/ (dropdown)
Substitution: $1$2&sv=<YOUR SAS TOKEN PARAMS>

Note that in the substitution the initial CDN auth query is included in addition to the SAS token - without it I was getting a 403 Permission Denied.

While I am sure there is a more straightforward regex, this was the only one that worked for me - and I tried many.

Edit: A far more straightforward regex is to simply match the storage container path, e.g.:

Source: /CDNBASE/CDNPATH/ (dropdown)
Regex: (your-storage-path\/.*)

Destination: /CDNBASE/CDNPATH/ (dropdown)
Substitution: $1&sv=<YOUR SAS TOKEN PARAMS>
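
The two rules from the reply above, emulated with JavaScript's regex engine as an added example (not part of the original post and not Verizon or Azure code), to show what each substitution produces with and without a token query string. Assumptions: the rules engine matches the pattern against path plus query string relative to the selected base and expands $1/$2 as String.replace does; SAS_PLACEHOLDER, storagecontainerpath and the function names are constructed for illustration.

```javascript
// Added example (not from the original post). Assumption: the rules engine
// matches the pattern against path + query string relative to the selected
// /CDNBASE/CDNPATH/ base, and expands $1/$2 the way String.replace does.
const SAS = "sv=SAS_PLACEHOLDER"; // constructed placeholder, not a real token

const RULES = {
  // First rule from the reply: $1 = path, $2 = query string or empty.
  generic: {
    pattern: new RegExp(String.raw`((?:[^\?]*/)?[^\?/]+)($|\?.*)`),
    substitution: "$1$2&" + SAS,
  },
  // Second rule; "storagecontainerpath" stands in for your-storage-path.
  containerPath: {
    pattern: new RegExp(String.raw`(storagecontainerpath\/.*)`),
    substitution: "$1&" + SAS,
  },
};

// Apply one rule to a relative URL; null means the rule would not fire.
function rewrite(rule, relativeUrl) {
  if (!rule.pattern.test(relativeUrl)) return null;
  return relativeUrl.replace(rule.pattern, rule.substitution);
}

// True only if the SAS parameters landed in the query string, which is
// where Blob Storage reads them; otherwise they became part of the blob name.
function sasInQuery(rewritten) {
  const q = rewritten.indexOf("?");
  if (q === -1) return false;
  return rewritten.slice(q + 1).split("&").includes(SAS);
}

// Constructed sample requests, based on the URLs in the question.
const SAMPLES = [
  "storagecontainerpath/potential/other/paths/myfile.ext?tokenauth=xxxyyyzzz",
  "storagecontainerpath/potential/other/paths/myfile.ext", // no token query
];

// Run every rule over every sample and record whether the SAS is usable.
function report() {
  const rows = [];
  for (const [name, rule] of Object.entries(RULES)) {
    for (const url of SAMPLES) {
      const out = rewrite(rule, url);
      rows.push({ rule: name, url, out, ok: out !== null && sasInQuery(out) });
    }
  }
  return rows;
}

console.log(report());
```

Both substitutions append the SAS with "&", so under these assumptions a request that reaches the rule without any query string is rewritten to a path ending in "&sv=..." with no "?" in it.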