Azure storage SAS tokens #1335

Open
ed-sparkes opened this issue Sep 30, 2024 · 1 comment
Comments

@ed-sparkes

Hi,

My Azure Blob Storage uses a private container and as such requires a SAS token in the URL.

Short-lived tokens are generated on our backend and sent to the client. The client then provides the SAS token in the request to the Azure Blob Storage URL as a query string.

Is there a way I can forward this SAS token and still make use of URL signing, or will the SAS token provide a similar level of security from a DoS perspective, and can I therefore disable URL signing in this instance?

@DarthSim
Member

Hey @ed-sparkes!

Let's split the answer into parts:

  1. imgproxy can be configured to access private Azure Blob Storage containers: https://docs.imgproxy.net/image_sources/azure_blob_storage#set-up-credentials. Thus, you don't need a SAS token.

  2. Since the SAS token is a part of a URL, it can be a part of imgproxy's source URL. However, since SAS tokens are short-lived, they'll dramatically reduce the cache hit rate. So I'd highly recommend imgproxy's ABS integration instead.

  3. imgproxy's URL signatures not only prevent attackers from accessing random images but also prevent them from using your imgproxy for their purposes by changing the processing options of source URLs. Thus it's always recommended to sign imgproxy's URLs.

  4. Generating imgproxy signatures on the frontend doesn't make any sense since doing so requires exposing the key/salt pair.
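The following is an added example, not code from the issue thread or from the imgproxy project. It implements imgproxy's documented signing scheme (URL-safe, unpadded base64 of HMAC-SHA256 over salt + path, prepended to the path) on the backend and uses it to illustrate points 2 and 3 of the answer: a source URL that carries a SAS token is part of the signed path, so every rotated token produces a different imgproxy URL (and cache key), while an attacker who edits the clear-text processing options cannot re-sign the path without the key. The key, salt, hostnames and SAS query strings are constructed placeholders.

```python
"""Backend-side imgproxy URL signing with an Azure SAS source URL.

Added example (not from the issue thread or the imgproxy project). It follows
imgproxy's documented signing scheme: the signature is the URL-safe, unpadded
base64 of HMAC-SHA256(key, salt + path), and the final URL is
<imgproxy base>/<signature><path>.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed key/salt for the example only. In production they are the
# hex-decoded IMGPROXY_KEY / IMGPROXY_SALT values and must stay on the backend:
# whoever holds them can sign any path (point 4 of the answer).
KEY = bytes.fromhex("ab" * 32)
SALT = bytes.fromhex("cd" * 32)
IMGPROXY_BASE = "https://img.example.com"  # assumed hostname


def b64url(data: bytes) -> str:
    """URL-safe base64 without '=' padding, the encoding imgproxy expects."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_path(processing_options: str, source_url: str, ext: str = "") -> str:
    """Path part of an imgproxy URL: /<processing options>/<base64url(source)>[.<ext>].

    The whole source URL, query string (SAS token) included, goes into the
    encoded segment, so each new SAS token yields a different path.
    """
    path = f"/{processing_options}/{b64url(source_url.encode('utf-8'))}"
    return f"{path}.{ext}" if ext else path


def sign_path(path: str, key: bytes = KEY, salt: bytes = SALT) -> str:
    """Signature over the path: base64url(HMAC-SHA256(key, salt || path))."""
    mac = hmac.new(key, salt + path.encode("utf-8"), hashlib.sha256).digest()
    return b64url(mac)


def signed_url(processing_options: str, source_url: str, ext: str = "",
               base: str = IMGPROXY_BASE) -> str:
    """Full signed imgproxy URL, generated on the backend and handed to the client."""
    path = build_path(processing_options, source_url, ext)
    return f"{base}/{sign_path(path)}{path}"


def verify(url: str, key: bytes = KEY, salt: bytes = SALT) -> bool:
    """Mimic imgproxy's check: treat the first path segment as the signature and
    recompute it over the remaining path, comparing in constant time."""
    try:
        _, signature, rest = urlsplit(url).path.split("/", 2)
    except ValueError:  # no signature segment at all
        return False
    expected = sign_path("/" + rest, key, salt)
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


def demo() -> dict:
    """Two successive SAS tokens for one private blob, plus a tampered URL."""
    blob = "https://myaccount.blob.core.windows.net/private/photo.jpg"  # assumed
    # Constructed SAS query strings standing in for two short-lived tokens;
    # only the expiry (se) and the token's own signature (sig) differ.
    sas_a = "sv=2022-11-02&sr=b&sp=r&se=2024-09-30T12%3A00%3A00Z&sig=AAAA"
    sas_b = "sv=2022-11-02&sr=b&sp=r&se=2024-09-30T12%3A15%3A00Z&sig=BBBB"
    url_a = signed_url("rs:fit:300:300", f"{blob}?{sas_a}", "jpg")
    url_b = signed_url("rs:fit:300:300", f"{blob}?{sas_b}", "jpg")
    # An attacker editing the processing options in the clear-text part of the
    # path (point 3 of the answer) has no key to re-sign it.
    tampered = url_a.replace("rs:fit:300:300", "rs:fit:4000:4000")
    return {
        "url_a": url_a,
        "url_b": url_b,
        "valid_a": verify(url_a),
        "valid_b": verify(url_b),
        "same_cache_key": url_a == url_b,    # False: token rotation defeats caching
        "tampered_valid": verify(tampered),  # False: signature no longer matches
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats when adapting this: if IMGPROXY_SIGNATURE_SIZE is set to less than 32, the signer has to truncate the HMAC output to the same length before base64-encoding it, and imgproxy also accepts `plain/<url>` source segments and base64 split with `/` every 16 characters, neither of which this example emits. With the ABS integration from point 1 the source becomes an `abs://container/blob` URL with no token in it, so the signed path stays stable across requests and the cache hit rate problem from point 2 disappears.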
