Windows Azure SAS Sharing Signing
I am developing a file sharing site and have a couple of questions related to Windows Azure Sharing Signatures.
About my site: Registered users can upload, share and store their files using blob storage. Files can be up to 2GB in size, so I want upload and download as fast as possible. It is also important that the administration cost for me as a host is minimal. User saved files must be closed.
I am fine using the SAS URI for upload, but for upload I am abit spooked.
Questions:
1. Users can store files in their account, and only that user should be able to access these files. If I were to use the SAS URI to upload here, the files will always be available with the URI as long as the URI lives (doesn't require you to be logged in, if you know the URI, you can just upload the file). This is pretty scary if you want the file to be private. I know the signature in the SAS URI is "HMAC computed by character string and key using SHA256 and then encoded using Base64 encoding", is that safe? Can I use SAS URIs for uploads even if the files are private? Should I instead transfer the file between the server and the website (this will be much safer, but the speed will suffer and the administration cost will go up).
2. How much slower and how much will it cost if I transfer downloads between server, site, user instead of using SAS (server direct to user)?
3. If I set the UAS UAS expiration time to 1 hour and the download takes more than 1 hour, will the download be canceled if the download starts before the expiration date?
4. If my site is registered at x.azurewebsites.net and I am using a purchased domain so I can access my website at www.x.com can I make the SAS URI look something like this: https: // x.com/blobpath instead of https://x.blob.core.windows.net/blobpath (my guess is not ..).
Sorry for the wall of text!
source to share
- There is nothing stopping anyone from sharing the URI, whether with or without SAS. So, from a security perspective, if you leave the expiration date far ahead in the future, the URI will remain available with a SAS encoded URI. From a general security perspective: since your blob is private, no one will be able to access your blob without a SAS encoded URI. To restrict the use of SAS: if, instead of giving out the old SAS URI, the user visited a web page (or API) to request file access, you could create a new SAS URI for a smaller time window; at this point, the end user will still be able to access the blob directly without streaming the content through the VM (this just adds an extra network hooking to get the URI along withwhat is needed to host the web server / API server) Also applies to security. If you are using a retained access policy, you have the option to change access after SAS was released, rather than inserting the start + end time directly into the SAS URI (see Section 5.1.( see access policies here ).
- You will incur the cost of the virtual machines used to fulfill the URI requests. The outbound bandwidth costs are the same as with direct blob access: you only pay for the outbound bandwidth. Performance will depend on many factors as you go through the VM: VM size, VM resource usage (for example, if your VM is running at 100% CPU, you may see performance degradation), number of concurrent accesses, etc.
- Yes, if the user passes the expiration time, the link is no longer valid.
- Yes, you can use SAS in conjunction with custom domain names that are used with storage. See here for more information on setting up custom storage domain names.
source to share