question

JonMaurolagoitia-8414 avatar image
0 Votes"
JonMaurolagoitia-8414 asked GitaraniSharmaMSFT-4262 commented

Azure CDN - allow only specific folders

Hi

We have setup a CDN connection point correctly: static.domain.com has its origin www.domain.com
I was wondering if it is possible to block access to all users BUT give access only to specific folders.

For example

static.domain.com/page1 is blocked
static.comain.com/css/site.css is allowed

We have tried this using the geofilter option but did not work:
Blocking / to all countries
Allowing /css/ to all countries

Is there any other option to do this

Thank you in advance

azure-cdn
· 8
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @JonMaurolagoitia-8414 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

According to the security baseline guidance for Azure CDN, to restrict Azure resource access based on conditions, you can create rules on specific paths on your CDN endpoint to allow or block content in selected countries or regions using the geo-filtering feature.
Refer : https://docs.microsoft.com/en-us/azure/cdn/cdn-restrict-access-by-country-region

But per your comment, you have already tried that and it is not working. We have seen cases where Geo filtering doesn't work due to a path configuration issue.
Could you please let us know which CDN provider you are using and the screenshot of the geo-filtering rule if possible?

Thanks,
Gita


0 Votes 0 ·

Hi Gita,

thank you for your support. Please find attached the rules that I tested.
I want only to make /img and /build accesible though our Azure CDN.

Cheers
Jon


134364-image.png


0 Votes 0 ·
image.png (10.1 KiB)

Which CDN product are you using from the below list?

Azure CDN Standard from Microsoft
Azure CDN Standard from Akamai
Azure CDN Standard from Verizon
Azure CDN Premium from Verizon.

0 Votes 0 ·

Hi,

We are using CDN Standard from Verizon
Thank you

0 Votes 0 ·

Hello @JonMaurolagoitia-8414 ,

Thank you for the information.

Azure CDN Standard from Verizon should work with the path configuration shown in your screenshot.
May I know what is the behavior post configuration? Do you get an error message or the blocked files are still accessible?

Regards,
Gita

0 Votes 0 ·

Hi,

With that configuration access to all files is blocked. Also to those in /img and /build folders.
I tried to sort the configuration lines and move the firt line to teh bottom, but as soon as I press "Save" all lines are changed as seen in the screenshot.

Any ideas?

Thank you again.

0 Votes 0 ·

Hello @JonMaurolagoitia-8414 ,

Rules are generally executed sequentially so if you have “/” first, it will block everything and not evaluate the other rules. In general defaults (highest scope) should be put last. But looks like you already tried doing that and it didn't work. I have reached out to our backend team to validate this behavior. I will get back to you once I hear from them.

Thanks,
Gita

0 Votes 0 ·

Hello @JonMaurolagoitia-8414 ,

I checked with our backend team and Verizon support team and they found out that this is a code bug which is not honoring the rule sequence and hence blocking all files. The engineering team will be working to fix the code at the earliest.

In the meantime, if this is a time-sensitive project for you, we can help adjust the order of the rule from the backend so that you see the right behavior.

Thanks,
Gita

0 Votes 0 ·

1 Answer

GitaraniSharmaMSFT-4262 avatar image
0 Votes"
GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @JonMaurolagoitia-8414 ,

Thank you providing all the requested details.

Rules are generally executed sequentially so if you have “/” first, it will block everything and not evaluate the other rules. In general defaults (highest scope) should be put last. But looks like you already tried changing the rule sequence and it didn't work.

I checked with our backend team and Verizon support team and they found out that this is a code bug which is not honoring the rule sequence and hence blocking all files. The engineering team will be working to fix the code at the earliest.

In the meantime, if this is a time-sensitive project for you, we can help adjust the order of the rule from the backend so that you see the right behavior. So, please send an email to us as advised in the private message.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Gita,

We are not using this CDN entry currently in production. As soon as this is solved we will test it and use it.
Any idea on how log could it take for this to be corrected?

Thank you

Jon

0 Votes 0 ·

Hello @JonMaurolagoitia-8414 ,

Thank you for the update.

We do not have a specific ETA for this fix currently. But I will keep checking with the engineering team and update the status once resolved.

Regards,
Gita

0 Votes 0 ·

Hello @JonMaurolagoitia-8414 ,

The engineering team do not have an ETA on the fix as of now. But they would be able to get some sense of ETA by mid October.
I will keep you posted.

Regards,
Gita

0 Votes 0 ·

<<UPDATE>>

Hello @JonMaurolagoitia-8414 ,

I just received an update from the engineering team that the fix has been rolled out globally for this issue.

Regards,
Gita

0 Votes 0 ·