2
votes

I'm attempting to set up our CDN without weakening our security. So we're using the premium CDN from Azure using Token authentication, which seems to work: we're able to generate an encrypted token which the CDN is able to decrypt.

However, after authentication we want the CDN to rewrite the URL to contain a SAS signature for our blob storage. We've generated a working SAS signature, but we're having trouble setting up the URL rewrite rule.

We query the CDN with a URL with the following format:

endpoint.azureedge.net/blob path?encrypted token

As far as I've understood, we'll need to rewrite the URL using the rules to apply the SAS signature for the blob, like so:

endpoint.azureedge.net/blob path?SAS signature

This is probably extremely simple; however, I'm a bit out of my comfort zone, and the CDN rules seem like a black box where I have no idea what's wrong. I just get a 403 error back.

Hope someone can help.

(Edit: added screenshot of current rule)


2 Answers

0
votes

Have you seen the documentation on setting this up? https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support#option-2-hidden-cdn-security-token-using-rewrite-rule
Here is the rule they have:
[screenshot of the rule from the documentation]

I think you just need to play around a little with your regex rule. Azure CDN uses Perl compatible regular expressions: http://pcre.org/ . You can test using this tool: https://regex101.com/ .

I did find a forum post related to struggles with the expression and they look to have found a solution: https://social.msdn.microsoft.com/Forums/azure/en-US/0c26c276-163c-428c-a53d-eac998291755/verizon-cdn-premium-sas-blob-storage-rewrite?forum=azurecdn

0
votes

Destination should be: $1?sv=

Don't forget $1, which represents the first value in source.

Documentation: https://docs.microsoft.com/en-us/azure/cdn/cdn-rules-engine-reference-features#url-rewrite
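
An offline check of a source/destination pair, written in the spirit of the regex testing suggested in the first answer. It is an added example and is not part of either answer or of Microsoft's documentation. The container name, blob path, token and SAS string are constructed placeholders. Python's `re` stands in for PCRE, and it is an assumption that the rules engine matches the source against the whole path without the query string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders, not values from the question or the documentation.
SOURCE = r"(container1/.*)"
DESTINATION = "$1?sv=2020-01-01&sr=c&sp=r&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER"


def rewrite(path, source, destination):
    """Return the rewritten relative URL, or None if the source does not match.

    Assumption: the pattern is tested against the request path only (no query
    string) and has to match all of it.
    """
    match = re.fullmatch(source, path)
    if match is None:
        return None
    # Translate the rules-engine $N syntax into Python's \g<N> and expand it.
    template = re.sub(r"\$(\d+)", r"\\g<\1>", destination)
    return match.expand(template)


def problems(request_url, source, destination):
    """List reasons the rewritten request would not carry a SAS for the same blob."""
    path = urlsplit(request_url).path.lstrip("/")
    rewritten = rewrite(path, source, destination)
    if rewritten is None:
        return ["source pattern does not match path %r" % path]
    new = urlsplit("//origin/" + rewritten)
    issues = []
    # Without $1 in the destination the blob path is lost and only the query remains.
    if new.path.lstrip("/") != path:
        issues.append("blob path changed or dropped (missing $1?)")
    query = parse_qs(new.query)
    for key in ("sv", "sig"):  # signed version and signature of the SAS
        if key not in query:
            issues.append("SAS parameter %r missing" % key)
    return issues


REQUEST = "https://endpoint.azureedge.net/container1/dir/a.png?ENCRYPTED_TOKEN"

if __name__ == "__main__":
    print(rewrite("container1/dir/a.png", SOURCE, DESTINATION))
    print(problems(REQUEST, SOURCE, DESTINATION))
    print(problems(REQUEST, SOURCE, "?sv=2020-01-01&sig=PLACEHOLDER"))
```

An empty list means the pair keeps the blob path and swaps the token query string for the SAS; a 403 with an empty list points away from the regex and toward the SAS itself or the token-auth rule.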