如何保护 azure blob 存储 url 不被任何使用开发人员工具的人检索 [英] How to protect the azure blob storage urls from being retrieved by anyone using developer tools

问题描述

我必须将图像/视频保存在天蓝色 blob 中，然后在我的网站中使用它们.在做了一些研究之后，我发现你必须在 href 标签中包含 blob url 才能从 azure 中检索图像/视频.

I have to save images/videos in azure blobs and then use them in my site. After doing some research I found that you have to include the blob url in the href tag for the image/video to be retrieved from azure.

然而，任何人都可以打开站点页面并获取该 blob url 并滥用它.此外，该站点具有用户身份验证，因此只有在登录后用户才能在站点页面上看到该图像/视频.

However anybody could open the site page and get that blob url and misuse it. Also the site has user authentication, hence only after login should the user be able to see that image/video on the site page.

有没有其他方法可以从 azure 中检索 blob?或者任何其他解决方案可以在开发者工具中公开显示网址?

Is there any other way of retrieving blobs from azure? Or any other solution to the url being openly visible in developer tools?

我目前在 Visual Studio 中使用 azure 模拟器.

I am currently using an azure emulator with Visual Studio.

推荐答案

我重新创建了一个 Azure 函数来实现我提到的第一个场景.存储帐户内的 Blob URL 未公开，并且容器及其中的所有内容都设置为私有.由于我不知道您的身份验证方案，因此我暂时跳过了这一点，但您可以通过多种方式确保这一点.

I've recreated an Azure Function that implements the first scenario I mentioned. The Blob URL inside the storage account was not exposed, and the container and everything in it is set to be private. Since I don't know your authentication scheme I skipped that for now, but you could secure this in a number of ways.

此代码中有一些快捷方式，但您会大致了解.代码如下:

There's a few shortcuts in this code, but you'll get the general idea. Here's the code:

public static async Task<HttpResponseMessage> Run(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "files/{id}")]
    HttpRequest req, string id, TraceWriter log)
{
    var account = CloudStorageAccount.Parse("UseDevelopmentStorage=true");
    var client = account.CreateCloudBlobClient();
    var container = client.GetContainerReference("sitecontent");
    var blob = container.GetBlockBlobReference(id);

    var stream = new MemoryStream();
    await blob.DownloadToStreamAsync(stream);
    stream.Seek(0, SeekOrigin.Begin);

    HttpResponseMessage result = new HttpResponseMessage(HttpStatusCode.OK);
    result.Content = new StreamContent(stream);
    result.Content.Headers.ContentType =
            new MediaTypeHeaderValue("application/octet-stream");

    return result;
}

我已经通过从这样的 HTML 文件中引用它来测试它:

I've tested it by referencing it from an HTML file like this:

<img src="http://localhost:7071/api/files/techdays2017.jpg" alt="Me at TechDays 2017" />

我使用的图片是267KB，Function的响应时间都是<使用存储模拟器在本地测试时为 200 毫秒.

The image I used was 267KB, response times of the Function were all < 200 ms when testing locally using the Storage Emulator.

这篇关于如何保护 azure blob 存储 url 不被任何使用开发人员工具的人检索的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！