如何限制对 Azure 函数应用代理 URL 的访问

好吧，我没有找到一种快速的方法来使用函数应用代理来做到这一点，API 管理似乎只是使事情复杂化(授权服务器？一个小型团队静态站点需要多少台服务器，其中包含一些关于我们工作的自动发布的统计信息？(，所以我选择了代理函数应用程序，这里是：

using System.Net;
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
    var authURI = new Uri(req.RequestUri.GetLeftPart(UriPartial.Authority));
    var path = authURI.MakeRelativeUri(req.RequestUri);
    var prefix = "api/myfunction";
    var fileName = path.ToString().Remove(0,prefix.Length);
    // Get request body
    dynamic data = await req.Content.ReadAsAsync<object>();
    // Authorization - allow only @myorg.com users
    IEnumerable<string> headerValues = req.Headers.GetValues("X-MS-CLIENT-PRINCIPAL-NAME");
    var user = headerValues.FirstOrDefault();
    if (!user.EndsWith("@myorg.com", true, null))
    {
        return req.CreateResponse(HttpStatusCode.Forbidden, "Unauthorized");
    }
    var blobStorageURI = System.Configuration.ConfigurationManager              
         .ConnectionStrings["BLOB_SERVICE_ENDPOINT"].ConnectionString;
    var container = System.Configuration.ConfigurationManager
         .ConnectionStrings["BLOB_CONTAINER"].ConnectionString;
    var authKey = System.Configuration.ConfigurationManager
         .ConnectionStrings["BLOB_ACCESS_STRING"].ConnectionString;
    using(var client = new HttpClient())
    {
        client.BaseAddress = new Uri(blobStorageURI);
        var storagePath = "/" + container + fileName + authKey;
        return await client.GetAsync(storagePath);
    }
}

这是函数.json：

{
  "bindings": [
    {
      "authLevel": "anonymous",
      "name": "req",
      "type": "httpTrigger",
      "direction": "in",
      "route": "myfunction/{*path}",
      "methods": [
        "get",
        "head"
      ]
    },
    {
      "name": "$return",
      "type": "http",
      "direction": "out"
    }
  ],
  "disabled": false
}

• 请注意路由以及路由与硬编码的"myfunction"之间的关系。
• 也可以使用 host.json 文件去掉"api"前缀。
• 另请注意定义对 Blob 存储的访问权限的连接字符串。我为此创建了一个 SAS(共享访问签名(。