Exposing Hangfire Dashboard hosted by Windows Service to public URL with Authentication

authorization
dashboard
Tags: #<Tag:0x00007f69fcebac40> #<Tag:0x00007f69fceba9c0>

#1

Hi, I am hosting Hangfire in a Windows service and currently I can only access the dashboard via internal IP/address via following code snippets:

In service Start method…

var options = new StartOptions();
options.Urls.Add( "http://localhost:9095" );
options.Urls.Add( "http://127.0.0.1:9095" );
options.Urls.Add( $"http://{ConfigurationHelper.IPAddress}:9095" );
options.Urls.Add( $"http://{Environment.MachineName}:9095" );

webApp = WebApp.Start<Startup>( options );

In Startup.Configuration( IAppBuilder app )

app.UseHangfireDashboard( "/hangfire", new DashboardOptions
{
	Authorization = new[] { new LocalNetworkAuthorizationFilter() },
} );

And the filter implementation is as simple as the following:

public class LocalNetworkAuthorizationFilter : IDashboardAuthorizationFilter
{
	public bool Authorize( [NotNull] DashboardContext context ) => true;
}

I can’t remember where I found this sample to always allow local network access however. Anyway, I want to expose the dashboard to a public url with the simplest form of authentication that is possible. I tried looking at the HangfireIO/Hangfire.Dashboard.Authorization nuget package but there were a few problems.

a) It was using code marked as obsolete which gave me pause.
b) When I tried to implement the BasicAuthAuthorizationFilter and use it, then the dashboard would no longer display.
c) With no sample code in the package (other than the readme), I was kind of stuck.

So I’m hoping someone can point me towards some sample code that has done something similar? Don’t know if I can use Windows Authentication on the public url or not, but that would be fine too.

Thanks in advance.


#2

There is an updated package on Nuget for authorization that fixes this https://www.nuget.org/packages/Hangfire.Dashboard.Authorization.Unofficial/

Also be aware that when using a selfhosted dashboard there are some considerations stemming from OWIN (and lower) that might require you to authorize the port to be opened by the selfhosted dashboard (normally only if the dashboard runs as a non-windows-admin account).

Contrary to the loopback (i.e. localhost) interface which is open for all users, the ports on ‘real’ network interfaces are more secured.

See (just one example, google has loads more) : https://stackoverflow.com/questions/24976425/running-self-hosted-owin-web-api-under-non-admin-account


#3

Perfect, thanks. it worked. Not sure if it was the updated package or the fact that I missed that the Ssl properties should be set to false in my development environment. But it is working as desired.