URL Rewrite for adding SAS token. Edgio premium rules engine

Sirish Bajpai 5

I am trying to setup a CDN endpoint to serve static image files from a blob container. To restrict public access, the container account allows selected vnets and IPs and access is via SAS tokens. The CDN therefore has to rewrite request URL to blob origin to inject SAS as query param

I believe this would be a very common scenario and a detailed documentation would exist someplace. Alas all the literature I found is very confusing. For e.g, its's very hard to figure out what the source' and destination in rewrite rule should be?

My set for fetching a file {image-file-name} is as below

CDN external endpoint is: https://mycdnep.azureedge.net/*{images-file-name}*

Blob endpoint is: https://myblobaccount.blob.core.windows.net/imagecontainer/images/*{image-file-name}*

Origin on CDN is set to:

Type: Storage

Host: myblobaccount.blob.core.windows.net

Origin Path: None

Please let me know what the correct source and destination should be on Edgio premium rules engine URL-Rewrite feature to inject a SAS token.

Verizon supplement management portal documentation is also pretty scarce and tailored for its own CDN customers rather than Azure customers.

Any help greatly appericiated.

GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee

2023-09-11T05:03:43.1+00:00

Hello @Sirish Bajpai ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Please allow me sometime to research on this and perform a lab to help you with your requirement.

Will keep you posted.

Regards,

Gita
CoderRivian 0 Reputation points

2024-04-23T16:58:29.52+00:00

Hello @GitaraniSharma-MSFT , I tried following your steps but it still doesn't do a URL rewrite to my storage account for some reason. Is there a way to see how the Rules Engine v4.0 is rewriting the URLs?
GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee

2024-04-26T12:06:03.2466667+00:00

@CoderRivian , you may validate how the rule works in the Staging environment before applying it to live site traffic.

Refer: https://docs.edgecast.com/cdn/Content/HRE/Environment.htm

https://docs.edgecast.com/cdn/Content/HRE/F/URL-Redirect.htm

Additional docs that may help:

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/cdn/cdn-verizon-premium-rules-engine-reference.md

https://video2.skills-academy.com/en-us/answers/questions/1186340/how-to-write-rules-engine-for-azure-premium-verizo

Regards,

Gita

1 answer

GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee

2023-09-12T14:25:55.4666667+00:00

Hello @Sirish Bajpai ,

I understand that you are trying to setup a CDN endpoint to serve static image files from a blob container and to restrict public access, the container account allows selected Vnets and IPs, and access is via SAS tokens, and you would like to know how to rewrite request URL to blob origin to inject SAS as query param using Edgio premium rules engine.

I just found that this is already available in the below doc which shows how to use CDN security token authentication with a rewrite rule using Azure CDN Premium from Edgio profile:

https://video2.skills-academy.com/en-us/azure/cdn/cdn-sas-storage-support#option-2-using-cdn-security-token-authentication-with-a-rewrite-rule

The URL rewrite uses the below parameters:

Source:(container1/.*) --> Replace container1 with your container name from your Storage endpoint URL.

NOTE: For the source, you can also use just (.*).

Destination: $1&sv=2017-07-29&ss=b&srt=c&sp=r&se=2027-12-19T17:35:58Z&st=2017-12-19T09:35:58Z&spr=https&sig=kquaXsAuCLXomN7R00b8CYM13UpDbAHcsRfGOW3Du1M%3D

You just need to replace everything after $1 with your own SAS token from the Azure Storage Account.

Refer: https://video2.skills-academy.com/en-us/rest/api/storageservices/create-account-sas#account-sas-uri-example

The above URL is constructed using the parameters shown in the below doc:

https://video2.skills-academy.com/en-us/rest/api/storageservices/create-account-sas#construct-an-account-sas-uri

But looks like the screenshot on the Using CDN security token authentication with a rewrite rule doc is from an older UI.

So, I'm sharing the new UI look screenshot below:

If the above screenshot is not clear, try to access this file: EdgioCDNSASRewriteRule.png

If you need a basic understanding of how to draft/write URL rewrite rules for Azure Premium Verizon CDN, please refer the below thread where I've explained it in more detail:

https://stackoverflow.com/questions/75595941/how-to-write-rules-engine-for-azure-premium-verizon-cdn-httptohttps-spa-rewri

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Sirish Bajpai 5 Reputation points

2023-09-13T07:38:51.8233333+00:00

Hi GitaRaniSharma,

I would like to have better understanding of how regular expressions and capture groups are being used in source URL.

For e.g. my source URLs may or may not arrive with a query string of their own. So I cannot blindly append the SAS token as: ?<token>, which would mess up if url already has a token, OR as &<token> which would mess up if url did'nt have a token.

So I need to have a regular expression to break up the full URI into path and query string. This needs anchoring anchoring elements: ^,$. But using them in source url does not seem to work. Testing with trial and error is a nightmare given deployment/propagation delays.

My source regex is: ^([^?]+)\??(.*)$

And destination: /80xxxxx/container/$1?<SAS-TOKEN>&$2

This setup does not seem to work . What's the problem here?

GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee

2023-09-13T14:20:11.6+00:00

Hello @Sirish Bajpai , I'm not sure if I understand your requirement completely.

You mentioned "For e.g. my source URLs may or may not arrive with a query string of their own".

The rewrite rule that I shared works as below:

Source: /CDNAccountID/CDNendpointname/containername/(.*) OR /CDNAccountID/CDNendpointname/(.*)

This is your source which could be a URL as below:

https://<endpoint hostname>.azureedge.net/<containername>/anything.... OR https://<endpoint hostname>.azureedge.net/anything....

Now, we are writing a rule to rewrite this source URL to a destination which will append the SAS token to it.

The URL segments that were captured from the request are appended to the new URL via "$1".

Destination: /CDNAccountID/CDNendpointname/$1&sv=2017-07-29&ss=b&srt=c&sp=r&se=2027-12-19T17:35:58Z&st=2017-12-19T09:35:58Z&spr=https&sig=kquaXsAuCLXomN7R00b8CYM13UpDbAHcsRfGOW3Du1M%3D

This rewrites your incoming URL as below:

https://<endpoint hostname>.azureedge.net/<containername>/anything...&sv=2017-07-29&ss=b&srt=c&sp=r&se=2027-12-19T17:35:58Z&st=2017-12-19T09:35:58Z&spr=https&sig=kquaXsAuCLXomN7R00b8CYM13UpDbAHcsRfGOW3Du1M%3D OR https://<endpoint hostname>.azureedge.net/anything...&sv=2017-07-29&ss=b&srt=c&sp=r&se=2027-12-19T17:35:58Z&st=2017-12-19T09:35:58Z&spr=https&sig=kquaXsAuCLXomN7R00b8CYM13UpDbAHcsRfGOW3Du1M%3D

NOTE: New rules take up to 4 hours to propagate.

Refer: https://docs.edgecast.com/cdn/Content/HRE/F/URL-Rewrite.htm

https://github.com/MicrosoftDocs/azure-docs/issues/57579

https://social.msdn.microsoft.com/forums/en-us/0c26c276-163c-428c-a53d-eac998291755/verizon-cdn-premium-sas-blob-storage-rewrite?forum=azurecdn

Now, you also mentioned "I cannot blindly append the SAS token as: ?<token>, which would mess up if url already has a token, OR as &<token> which would mess up if url did'nt have a token"

If you check the Using CDN security token authentication with a rewrite rule section, it says:

To use Azure CDN security token authentication, you must have an Azure CDN Premium from Edgio profile. This option is the most secure and customizable. Client access is based on the security parameters that you set on the security token. Once you've created and set up the security token, it's required on all CDN endpoint URLs. However, because of the URL Rewrite rule, the SAS token isn't required on the CDN endpoint.

So, why would your URL already have a SAS token?

I will try to reach out to you via email to understand your requirement better and will post a summary once we reach a conclusion.

Regards,

Gita

GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee

2023-09-18T13:09:22.9+00:00

Hello @Sirish Bajpai ,

We worked offline on this issue and below is the update:

Issue:

You are using Azure CDN Premium from Edgio profile and trying to setup a CDN endpoint to serve static image files from a blob container. To restrict public access, the container account allows selected Vnets and IPs and access is via SAS tokens. The CDN therefore must rewrite request URL to blob origin to inject SAS as query param.

And you wanted to have a better understanding of how regular expressions and capture groups are being used in source URL.

The official doc Using Azure CDN with SAS | Microsoft Learn assumes that the source URL comes in the form of https://sasstoragedemo.azureedge.net/container1/demo.jpg?a4fbc3710fd3449a7c99986bkquaXsAuCLXomN7R00b8CYM13UpDbAHcsRfGOW3Du1M%3D (this includes a query string).

But my source URLs may or may not arrive with a query string of their own. So, I cannot blindly append the SAS token as: ?<token>, which would mess it up if URL already has a query param, OR as &<token> which would mess it up if URL didn’t have a query param.

So, I need to have a regular expression to break up the full URI into path and query string. This needs anchoring elements: ^,$. But using them in source URL does not seem to work. Testing with trial and error is a nightmare given deployment/propagation delays.

My source regex is: ^([^?]+)??(.*)$ And destination: /80xxxxx/container/$1?<SAS-TOKEN>&$2 But this setup does not seem to work.

Solution:

I reached out to the Azure CDN Product Group team for help on this but in the meantime, you found the fix.

You used the below 2 variables for this purpose: %{is_args} and %{is_amp} -> They conditionally put ? or & based on query string. So that does the trick.

Refer: https://video2.skills-academy.com/en-us/azure/cdn/cdn-http-variables

I've provided feedback to the Product Group team to add such examples in the documentation for ease of use.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Regards,

Gita
Sign in to comment

Share via

URL Rewrite for adding SAS token. Edgio premium rules engine

1 answer