Introduction

1023×506 356 KB

My security camera system runs on a fantastic NVR software called Blue Iris. Despite the fact that it runs on Windows, and that the documentation isn’t great, it really is the best camera feed/clip management software out there. (and I tried everything, iSpy/motionEye/iSpy Agent/etc) Unfortunately however, I never managed to get it integrated into Home Assistant. This was partially due to the lack of documentation, and partially due to security concerns with opening my cameras or Blue Iris to the internet without HTTPS. I finally got it all sorted out today, and I wanted to share what I used for integration with Blue Iris and how I created a secure connection with Blue Iris.

What’s in this guide

• The method I used to securely access Blue Iris from outside my local network without using the convoluted and poorly documented stunnel method that Blue Iris suggests

• The configuration and tools I used to get Blue Iris camera streams in Home Assistant

• Examples of Lovelace cards that utilize live camera streams

This guide has multiple parts that can be done independently. If you want access to live feeds in HA but you don’t want to expose Blue Iris or UI3 to the internet, simply skip Parts 1 and 2, and instead only disable the Use secure session keys and login page option in Web server -> Advanced.

A note about security

This tutorial involves disabling some of Blue Iris’s security features. I want to explain now what we are doing. Blue Iris has a web interface that was not designed to work with HTTPS, it just runs an insecure web server and it suggests you use software called stunnel which is a huge pain.

While Blue Iris does not support HTTPS, it does use a clever user token system to prevent capture of your username and password, however camera feeds are able to be captured. This tutorial will use NGINX to create a secure tunnel from your hassio instance to Blue Iris which lets us expose it to the internet using HTTPS, making it much more secure than it ever was without SSL.

Part 1: NGINX Addon Setup

WARNING: This section of the tutorial requires you have a domain or DuckDNS/no-ip/custom domain set up, otherwise you cannot get an SSL certificate. For the sake of this tutorial, my domain will be my-domain.duckdns.org.

The first section of this guide is for setting up a proxy from your Home Assistant instance to your Blue Iris instance. This will let you connect to blue iris using bi.my-domain.duckdns.org or bi.my-domain.duckdns.org OR catcam.my-domain.duckdns.org, it doesn’t really matter. Also, you can use no-ip or a custom domain, I am just using my-domain.duckdns.org for the sake of this tutorial

@frenck really made things easy for us by putting this addon together. It allows us to take web requests for locations on your domain from the internet and forward them securely to local addresses on your network. Below is a little sketch I threw together to try and explain what we are doing.

My awful sketch-planation

1052×791 129 KB

1. Install the NGINX Proxy Manager Addon
   Hassio -> Add-on Store -> Community Hass.io Addons -> Nginx Proxy Manager
   No config here is needed, however I do recommend enabling Start on Boot and Auto Update.
   

2. Add the following Port Forwards to your Hass.io device in your router: Port 80, Port 443
   If you currently forward Blue Iris on port 81 (default), you will need to remove that port forward first. This tutorial will remove any need to port forward Blue Iris. If you need instructions on how to add a port forward, no-ip has a good article.

3. Start the addon and press "Open Web UI"
   When you open the UI for the first time, the email is [email protected], and the password is changeme.

4. Add SSL certificates for the domain you will be using
   After you reconfigure your user, go to the SSL certificates tab, and press Add New Let’s Encrypt Certificate. Under domain names, you MUST enter it with a subdomain. For example, blueiris.my-domain.duckdns.org or bi.my-domain.duckdns.org or cctv.my-domain.duckdns.org, it doesn’t matter. Just choose a subdomain you are comfortable using. Enter an email address for Let’s Encrypt, accept the terms, and press Save.
   

5. Create Proxy Host
   On the tab bar, go to Hosts -> Proxy Hosts, press Add Proxy Host and use the following options. Options not specified can be left default.
   Details Tab
   Domain Names: Your subdomain + domain for Blue Iris (same as the one used in SSL setup) Example: bi.my-domain.org
   Scheme: http The site will use SSL for the internet, but this defines if the host does, and Blue Iris does not.
   Forward Hostname/IP Enter the IP or hostname of your Blue Iris Server. This is also what you use to access Blue Iris UI3 on your local network. Example: 192.168.0.5
   Forward Port: 81 Enter 81 if you have not changed the port in Blue Iris, otherwise enter that here.
   Websockets Support: true This allows websocket calls, which can be used in the IO + DIO tab
   

   

   497×545 13.3 KB

SSL Tab
SSL Certificate: Select the certificate we created in step 4. This is the same as the address used in domain names of the details tab.
Force SSL: true Enable this to disallow use of Blue Iris UI3 without HTTPS

Once you are done, press Save. NGINX is configured!

Part 2: Blue Iris

The next part of this guide takes place in the Blue Iris application. Please note that you cannot use the web interface for this, you must use the Windows application on the server. My server is headless, so I am accessing it over RDP using MobaXTerm.

1. Open Blue Iris Settings
   This is the little cog button in the corner on BI4, however these settings are similar in BI5.
   

   

   1664×842 370 KB

2. Enable "Register IP address to assist with client app connections
   This allows you to sync your LAN and domain access with the mobile app.
   

3. Configure the Web Server Tab
   On the webserver tab, enter the values below (also demonstrated in the image below)
   Enable the HTTP web server on port: Enabled/Checked, Port 81
Remote Access URL: Enter the exact domain you used in SSL setup and NGINX proxy setup Example: bi.my-domain.com
   Refresh external IP at startup and again every: Disabled/Unchecked We disable this so Blue Iris will not overwrite the domain we just entered.
   Stunnel is installed for HTTPS on port: Enabled/Checked, Port 443 There is no need to install Stunnel, in fact it should NOT be running. This is a little workaround to force Blue Iris to send https domains to it’s server for app connections.
   HTTPS LAN also: Disabled/Unchecked LAN needs to be HTTP so NGINX can access it.
   

   

   685×517 32.8 KB

4. Advanced Web Server Settings
   In the Web server tab, press the “Advanced” button at the bottom near the “OK” button. Here, use the following config
   Require from: All Connections
Use secure session keys and login page: Disabled/Unchecked
Auto-ban IP after unsuccessful attempts: Disabled/Unchecked All connections now come from your hass.io machine, meaning if anyone gets a ban, noone can access UI3.
   Send Strict-Transport-Security header: Enabled/Checked
   

Done! Now Press OK in the advanced tab, and press OK on the web server options tab to apply changes. You should now be able to access Blue Iris UI3 by opening the domain used earlier in your browser. Don’t forget to use https:// though!

Part 3: Home Assistant Config

Open your favorite config editor for this section. I prefer the Visual Studio Code addon in the hassio store since it is so easy to set up.

Now, copy the configuration that applies to your config below, and tune it for your exact needs. Replace the bracket quoted sections with the appropriate value (Blue Iris LAN IP is the address BI uses on your local network, and Blue Iris camera shortcodes are set in camera settings on Blue Iris). Also, don’t forget to add the bi_username and bi_password values to secrets.yaml!

# Cameras
stream:

camera:
  - platform: mjpeg
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic

# Cameras
stream:

camera uniqueName:
  - platform: mjpeg
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic

camera anotherUniqueName:
  - platform: mjpeg
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic

camera yetAnotherUniqueName:
  - platform: mjpeg
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic

Once you have done this, save your config and restart home assistant!

Part 4: Lovelace

Below are the card lovelace snippets I used. You can add these by pasting their contents into the card edit/create page. Just don’t forget to change the camera entity and image entity to your camera components.

type: picture-glance
camera_image: camera.garage
camera_view: live
entities:
  - switch.garage_door

type: picture-entity
entity: camera.driveway
camera_image: camera.driveway
camera_view: live

That’s all! Feel free to comment with any suggestions, questions, or critique!

This is great!
I am currently in the decision making process for an NVR and this is very helpful information.

Some quick (and a little side-) questions:
Besides the camera feeds, have you imported BI motion detection features to HA?
What cameras do you have? And do they have any standalone detection features? Do those work with BI and consequently with HA?

Thanks in advance.
(sorry if this is kind of out of subject, let me know and I’ll remove the post and send you a PM if you want the thread clear for specific questions about your set up )

Glad to hear you are considering the BI route! You can totally leave your comment here, it’s all constructive and this info might help someone in the future.

Motion
Okay so a few thing I should point out about motion detection. Blue Iris supports two motion detection modes. It can always use video based motion detection, which is alright but does cause quite a few false positives. It can be fine tuned quite a lot but you will still have issues like birds, bugs, sudden light changes (sun coming out from clouds) causing false motion alarms. Also, if you have a lot of cameras and a weaker computer, video motion detection can be quite taxing on the CPU.

The other mode it supports is on much higher end cameras that have built in PIR motion sensors. These are the same sensors alarm systems use and they are extremely reliable. The problem is that these cameras can be extremely expensive and only really make sense in an industrial setting. Because of this, I am getting ready to use ESPHome to set up motion sensors around my home. These will then trigger a motion event in Blue Iris AND update a sensor in Home Assistant.

Further integration
There are quite a few guides specifically about integrating events between BI and HA, because Blue Iris has a built in MQTT client. All you do is set up a mosquitto server on hassio using an addon, and then create a mosquitto user and add it to Blue Iris in the IO and DIO tab of settings

My setup
I have 5 [SV3C 1080P Bullet cams](SV3C POE Camera, 1080P IP Camera Outdoor, Home Security Surveillance Camera, Wired, 20Meter Night Vision, IP66 Waterproof, Onvif, Stabler Connection Compared with WiFi Cameras(Series L) https://www.amazon.com/dp/B01G1U4MVA/ref=cm_sw_r_cp_api_i_1byjDb3XS3P2N) and they are really solid. They are also some of the cheapest bullet cams on Amazon with good reviews. Blue Iris supports just about any camera imaginable, but these are the only ones I have experience with. These have pretty great IR night vision, and I think they are low profile enough that they look good, but it’s also not hard to spot so hopefully thieves see them and go for the neighbors instead lol. All of them are wired to a PoE switch in my attic which is wired to Ethernet downstairs. They were a breeze to install since they just screw into anything, and they only needed one low voltage cable (no electricians!) to a PoE switch.

Like I said earlier, these are cheap cameras and they don’t have PIR motion detection or many other standalone features. If you go for higher end models like those with PTZ, Blue Iris will most likely support anything they have.

I use BI for my general NVR software running on a windows PC and I have to say that it works generally pretty good. There are a few times when it randomly loses connection to one or two of my cameras but it doesn’t happen often enough to be a show stopper. But it is a bit annoying.

That said I don’t use BI for any feeds into HA. I did at one time a long time back but with the camera component and a lovelace picture entity card I can import the camera feed directly into HA without any middleman. And I don’t have to worry about one more machine/network issue causing any problems with the cameras in HA.

As far as motion detection all of my Foscam cameras have built-in motion detection that I use directly in HA and again I don’t need any middleman software for it. The Foscams also have PTZ and aren’t horribly expensive either ($60 - $80 depending on the model)

Do you mind sending the model of camera you use? I have been searching high and low for a cheaper camera with built in PIR motion detection.

The feature listings in Amazon are always the same for every camera and it’s extremely difficult to see if a camera has PIR motion detection. Most just say “Motion Detection”

Also, I use BI as the middleman because it does a few image adjustments to the feed, as well as adds the watermark to the image.

Also, I keep my cameras inside of a vLAN that only my Blue Iris and my cameras have access to. This prevents direct access to the cameras even from my own network since they are considerably insecure.

Also, this means Blue Iris is the only camera related device that needs a static IP on my network.

I know it isn’t the best setup in theory, but I have never had an issue with Blue Iris as a middleman. It is extremely reliable and in the years I have used it it has never crashed. The only time I have to involve myself is to restart the Windows machine for security patches.

Great write up! The only thing I would change is swapping out MJPEG camera and use Generic camera with the h264 stream so you can use the stream component.

I’ll look into that, thanks!

@nickdaria Thanks for the walk through, I had just installed BlueIris a few days ago and followed your settings worked great. Mostly like your walk through of the NGINX Proxy Manager Addon as I had already setup BlueIris but made some changes based on your setup.

I am trying the Generic camera to test the stream but it doesn’t seem to be working. I have the mjpeg setup and it works fine but not the generic.
This is my setup for the generic stream but doesn’t show the stream when clicking on it, just the constant circle.

- platform: generic
  still_image_url: https://mylink/image/FDoor
  stream_source: https://mylink/h264/FDoor
  name: Front Door TEST
  username: !secret blue_user
  password: !secret blue_pass
  authentication: basic

I have also tried these for the steam link

https://mylink/h264/FDoor/temp.h264
https://mylink/h264/FDoor/temp.ts
https://mylink/h264/FDoor/temp.m3u8

are you sure its upper case FDoor or lowercase? Mine are all lowercase. may want to try http as well since you should be using the LAN IP

I didn’t say they have PIR detection only that they were motion detecting cameras. I’m sure that they use the video to detect motion but even with that I don’t really have that many false positives.

the model numbers of my cameras are:

FI8910W
FI9821P
FI9821W
FI9900P V4
FI9821PB
R2 V5

I really like the cameras I have. For the price they are pretty good cameras.

I’m don’t think that I’ve ever noticed any differences between the direct camera feed and the images in BI. as far as the “watermark” I’m assuming you mean the date/time and camera name. My Foscams do that by themselves too.

I solve the security issue by just blocking all the cameras direct access to the internet thru my router software. the cameras can’t get out and I can’t see them from the outside. But I can still see the feeds either thru HA or in BI. And since the cameras can’t “phone home” I have no issues with them being on my regular network.

I’m not really sure how that counts as a benefit.

Yeah, I agree that BI is pretty reliable and it works pretty good as an NVR. But I just don’t see any benefit at all in using BI as opposed to just the direct feed from the cameras. K.I.S.S. is always the best solution. And simple means minimizing the number of links in the chain where something can (or will…) go wrong.

And I have no need to do all of the related complicated setup of NGINX/SSL/proxies or any special configuration in BI itself.

yeah it is FDoor. using https://mylink/mjpg/FDoor works fine for the platform: mjpeg but none of the options work for the stream.
which url did you use for the stream?
trying all 3 of the endings works in vlc.

the one at the very top

You make good points, I think it’s just a difference in our configurations. I don’t like having the cameras themselves do the work. I want to be able to manage everything in one place, and I want Blue Iris to feed into HA.

Also, I need to do image adjustments through Blue Iris since they are much better than the simple brightness option my camera offers.

Just saw this. As a note, use LAN IP if you can do that HA can still resolve your cameras if the internet is out.

Anyways, the generic camera type is meant to take in an RTSP stream directly from a camera, so you would have to link up your cameras directly. I decided not to use this because while the stream component is nice, Blue Iris is just so much more powerful than the simple events the stream component is capable of. If you are looking for motion capture or recording capabilities, you should look into Blue Iris’s MQTT integration.

So if you have a pic card on lovelace card using the generic platform can you watch the stream for more than 30 seconds or so?
Mine always disappear and I have to reload lovelace to see them again. This happens in the 10 second refresh as well as if you hit more info and it refreshes every second.

Great level of depth in this post. A couple of things to consider:

1. you can use that checkbox in blue Iris called use x forwarded for header to avoid the issue where BI thinks everyone is the same IP. That allows it to read info that nginx passes on who it’s talking to. Let’s you tighten up security.

2. As you mentioned, you don’t need to have ha talk to BI via https and can go direct. If you do, you can set BI up to allow unauthenticated on local network only. Combined with the last change it will let you keep the form and token based login for internet if you are comfortable with LAN users getting view only access without logging in. Keep in mind the token wasn’t doing much from a security perspective. Just let you only have to send the password in the clear once if you were using http only.

3. You can use the generic camera and stream component directly with Blue Iris to get the benefit while maintaining network separation. This does NOT require HA to directly access cameras. Make sure ffmpeg is configured properly on the server and your config. If so, camera stream source is http://bi-server:81/h264/CAM-SHORT-NAME/temp.m3u8

I have been able to leave the streams running 24/7 on my kitchen tablet. No issues.

Lots of pieces to this puzzle, but thanks for replying to let me know it works for someone.

What type of system are you running Home Assistant on?

I’m running the generic linux install of hassio on an old laptop and it seems pretty snappy compared with the rasp pi 3 I started on, but that doesn’t mean much for video I guess.

@nickdaria
When using Nginx Proxy Manager do you still use DuckDns Addon?
For the the base_url do you still put https://my-domain.duckdns.org:8123

I have the DuckdDns addon also and I keep getting invalid logins from my network and I am wondering if this is what is causing it.

If you want, you can fully migrate to a URL like ha.yourdomain.duckdns.org. Just make sure NGINX and DuckDNS are enabled, so NGINX can handle the domain cert, and the DuckDNS addon will keep the certs updated in HA for your addons and such.