Introduction

Hey everyone! Recently, I went about redoing my hass.io installation in a Proxmox VM since my Raspberry Pi was barely keeping up with the workload. While I was setting up my components and integrations, I realized that one huge part of my home automation system was missing.

My security camera system runs on a fantastic NVR software called Blue Iris. Despite the fact that it runs on Windows, and that the documentation isn’t great, it really is the best camera feed/clip management software out there (and I tried everything: iSpy, motionEye, iSpy Agent, etc.). Unfortunately, however, I never managed to get it integrated into Home Assistant. This was partially due to the lack of documentation, and partially due to security concerns with opening my cameras or Blue Iris to the internet without HTTPS. I finally got it all sorted out today, and I wanted to share what I used for integration with Blue Iris and how I created a secure connection with Blue Iris.

What’s in this guide

The method I used to securely access Blue Iris from outside my local network without using the convoluted and poorly documented stunnel method that Blue Iris suggests

The configuration and tools I used to get Blue Iris camera streams in Home Assistant

Examples of Lovelace cards that utilize live camera streams

This guide has multiple parts that can be done independently. If you want access to live feeds in HA but you don’t want to expose Blue Iris or UI3 to the internet, simply skip Parts 1 and 2, and instead only disable the Use secure session keys and login page option in Web server -> Advanced.

A note about security

This tutorial involves disabling some of Blue Iris’s security features, so I want to explain now what we are doing. Blue Iris has a web interface that was not designed to work with HTTPS; it just runs an insecure (plain HTTP) web server and suggests you use software called stunnel, which is a huge pain.

While Blue Iris does not support HTTPS, it does use a clever user token system to prevent capture of your username and password; camera feeds, however, can still be captured. This tutorial uses NGINX on your hassio instance as an HTTPS reverse proxy in front of Blue Iris. Traffic between the internet and NGINX is encrypted, while the hop from NGINX to Blue Iris stays plain HTTP on your local network. This lets us expose Blue Iris to the internet using HTTPS, making it much more secure than it ever was without SSL.

Part 1: NGINX Addon Setup

WARNING: This section of the tutorial requires you have a domain or DuckDNS/no-ip/custom domain set up, otherwise you cannot get an SSL certificate. For the sake of this tutorial, my domain will be my-domain.duckdns.org.

The first section of this guide is for setting up a proxy from your Home Assistant instance to your Blue Iris instance. This will let you connect to Blue Iris using bi.my-domain.duckdns.org or catcam.my-domain.duckdns.org; the subdomain doesn’t really matter. You can also use no-ip or a custom domain; I am just using my-domain.duckdns.org for the sake of this tutorial.

@frenck really made things easy for us by putting this addon together. It allows us to take web requests for locations on your domain from the internet and forward them securely to local addresses on your network. Below is a little sketch I threw together to try and explain what we are doing.

My awful sketch-planation

Install the NGINX Proxy Manager Addon

Hassio -> Add-on Store -> Community Hass.io Addons -> Nginx Proxy Manager

No config here is needed, however I do recommend enabling Start on Boot and Auto Update.

Add the following Port Forwards to your Hass.io device in your router: Port 80, Port 443

If you currently forward Blue Iris on port 81 (default), you will need to remove that port forward first. This tutorial will remove any need to port forward Blue Iris. If you need instructions on how to add a port forward, no-ip has a good article.

Start the addon and press "Open Web UI"

When you open the UI for the first time, the email is admin@example.com, and the password is changeme.

Add SSL certificates for the domain you will be using

After you reconfigure your user, go to the SSL certificates tab, and press Add New Let’s Encrypt Certificate. Under domain names, you MUST enter it with a subdomain. For example, blueiris.my-domain.duckdns.org or bi.my-domain.duckdns.org or cctv.my-domain.duckdns.org , it doesn’t matter. Just choose a subdomain you are comfortable using. Enter an email address for Let’s Encrypt, accept the terms, and press Save.

Create Proxy Host

On the tab bar, go to Hosts -> Proxy Hosts , press Add Proxy Host and use the following options. Options not specified can be left default.

Details Tab

Domain Names: Your subdomain + domain for Blue Iris (same as the one used in SSL setup) Example: bi.my-domain.org

Scheme: http. The site will use SSL toward the internet, but this option defines whether the upstream host itself does, and Blue Iris does not.

Forward Hostname/IP: Enter the IP or hostname of your Blue Iris Server. This is also what you use to access Blue Iris UI3 on your local network. Example: 192.168.0.5

Forward Port: 81. Enter 81 if you have not changed the port in Blue Iris, otherwise enter that here.

Websockets Support: true. This allows websocket calls, which can be used in the IO + DIO tab.



SSL Tab

SSL Certificate: Select the certificate we created in step 4. This is the same as the address used in domain names of the details tab.

Force SSL: true. Enable this to disallow use of Blue Iris UI3 without HTTPS.



Once you are done, press Save. NGINX is configured!

Part 2: Blue Iris

The next part of this guide takes place in the Blue Iris application. Please note that you cannot use the web interface for this, you must use the Windows application on the server. My server is headless, so I am accessing it over RDP using MobaXTerm.

Open Blue Iris Settings

This is the little cog button in the corner on BI4, however these settings are similar in BI5.

Enable "Register IP address to assist with client app connections"

This allows you to sync your LAN and domain access with the mobile app.

Configure the Web Server Tab

On the webserver tab, enter the values below (also demonstrated in the image below)

Enable the HTTP web server on port: Enabled/Checked, Port 81

Remote Access URL: Enter the exact domain you used in SSL setup and NGINX proxy setup. Example: bi.my-domain.com

Refresh external IP at startup and again every: Disabled/Unchecked. We disable this so Blue Iris will not overwrite the domain we just entered.

Stunnel is installed for HTTPS on port: Enabled/Checked, Port 443. There is no need to install Stunnel; in fact, it should NOT be running. This is a little workaround to force Blue Iris to send https domains to its server for app connections.

HTTPS LAN also: Disabled/Unchecked. LAN needs to be HTTP so NGINX can access it.

Advanced Web Server Settings

In the Web server tab, press the “Advanced” button at the bottom near the “OK” button. Here, use the following config:

Require from: All Connections

Use secure session keys and login page: Disabled/Unchecked

Auto-ban IP after unsuccessful attempts: Disabled/Unchecked. All connections now come from your hass.io machine, meaning if anyone gets a ban, no one can access UI3.

Send Strict-Transport-Security header: Enabled/Checked



Done! Now press OK in the advanced tab, and press OK on the web server options tab to apply changes. You should now be able to access Blue Iris UI3 by opening the domain used earlier in your browser. Don’t forget to use https:// though!
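A check for the finished Part 1 and Part 2 setup, added here as an example (it is not part of the original guide or of Blue Iris/NGINX Proxy Manager). Run from a network outside your LAN, it confirms that port 80 redirects to HTTPS, that the Strict-Transport-Security header is sent, and that Blue Iris's port 81 is no longer reachable directly. The function names and the sample observations are assumptions made for this example.

```python
import http.client
import re
import socket

REDIRECTS = (301, 302, 307, 308)

def probe(host, bi_port=81, timeout=5):
    """Collect observations about `host`; run this from outside your LAN."""
    obs = {}
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    obs["http_status"] = resp.status
    obs["http_location"] = resp.getheader("Location", "")
    conn.close()
    # HTTPSConnection validates the certificate chain and hostname by default,
    # so an invalid certificate raises ssl.SSLError on the request below.
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    conn.request("GET", "/")
    obs["hsts"] = conn.getresponse().getheader("Strict-Transport-Security", "")
    conn.close()
    try:
        socket.create_connection((host, bi_port), timeout=timeout).close()
        obs["bi_port_open"] = True
    except OSError:
        obs["bi_port_open"] = False
    return obs

def evaluate(obs):
    """Return a list of problems found in the observations (empty = all good)."""
    problems = []
    location = obs["http_location"].lower()
    if obs["http_status"] not in REDIRECTS or not location.startswith("https://"):
        problems.append("port 80 does not redirect to https (is Force SSL enabled?)")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", obs["hsts"], re.I)
    if not m or int(m.group(1)) == 0:
        problems.append("Strict-Transport-Security header missing or max-age=0")
    if obs["bi_port_open"]:
        problems.append("Blue Iris port is reachable directly; remove its port forward")
    return problems

# Constructed sample observations (not captured from a real server).
GOOD = {"http_status": 301, "http_location": "https://bi.my-domain.duckdns.org/",
        "hsts": "max-age=63072000; preload", "bi_port_open": False}
BAD = {"http_status": 200, "http_location": "", "hsts": "", "bi_port_open": True}

if __name__ == "__main__":
    import sys
    for problem in evaluate(probe(sys.argv[1])):
        print("FAIL:", problem)
```

Pass your Blue Iris subdomain as the only argument; no output means all three checks passed.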

Part 3: Home Assistant Config

Open your favorite config editor for this section. I prefer the Visual Studio Code addon in the hassio store since it is so easy to set up.

Now, copy the configuration that applies to your config below, and tune it for your exact needs. Replace the bracket quoted sections with the appropriate value (Blue Iris LAN IP is the address BI uses on your local network, and Blue Iris camera shortcodes are set in camera settings on Blue Iris). Also, don’t forget to add the bi_username and bi_password values to secrets.yaml!

Single Camera

    # Cameras
    stream:
    camera:
      - platform: mjpeg
        mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
        name: Camera Friendly Name
        username: !secret bi_username
        password: !secret bi_password
        authentication: basic

Multiple Cameras

Don’t forget to set a unique identifier for each component after the word camera. You can just use the shortname for organizational purposes.

    # Cameras
    stream:
    camera uniqueName:
      - platform: mjpeg
        mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
        name: Camera Friendly Name
        username: !secret bi_username
        password: !secret bi_password
        authentication: basic
    camera anotherUniqueName:
      - platform: mjpeg
        mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
        name: Camera Friendly Name
        username: !secret bi_username
        password: !secret bi_password
        authentication: basic
    camera yetAnotherUniqueName:
      - platform: mjpeg
        mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
        name: Camera Friendly Name
        username: !secret bi_username
        password: !secret bi_password
        authentication: basic

Once you have done this, save your config and restart Home Assistant!

Part 4: Lovelace

The final section of this guide is for putting your cameras into your lovelace UI. I created a page for my cameras and each used the picture-entity card, except my garage camera which used picture-glance so I can open my garage door from the camera.

Below are the Lovelace card snippets I used. You can add these by pasting their contents into the card edit/create page. Just don’t forget to change the camera entity and image entity to your camera components.

Live View / Garage Door Opener

    type: picture-glance
    camera_image: camera.garage
    camera_view: live
    entities:
      - switch.garage_door

Live View / No Buttons

    type: picture-entity
    entity: camera.driveway
    camera_image: camera.driveway
    camera_view: live

That’s all! Feel free to comment with any suggestions, questions, or critique!