Introduction
Hey everyone! Recently, I went about redoing my hass.io installation in a Proxmox VM since my Raspberry Pi was barely keeping up with the workload. While I was setting up my components and integrations, I realized that one huge part of my home automation system was missing.
My security camera system runs on a fantastic NVR software called Blue Iris. Despite the fact that it runs on Windows, and that the documentation isn’t great, it really is the best camera feed/clip management software out there (and I tried everything: iSpy/motionEye/iSpy Agent/etc.). Unfortunately, however, I never managed to get it integrated into Home Assistant. This was partially due to the lack of documentation, and partially due to security concerns with opening my cameras or Blue Iris to the internet without HTTPS. I finally got it all sorted out today, and I wanted to share what I used for integration with Blue Iris and how I created a secure connection with Blue Iris.
What’s in this guide
- The method I used to securely access Blue Iris from outside my local network without using the convoluted and poorly documented stunnel method that Blue Iris suggests
- The configuration and tools I used to get Blue Iris camera streams in Home Assistant
- Examples of Lovelace cards that utilize live camera streams
This guide has multiple parts that can be done independently. If you want access to live feeds in HA but you don’t want to expose Blue Iris or UI3 to the internet, simply skip Parts 1 and 2, and instead only disable the "Use secure session keys and login page" option in Web server -> Advanced.
A note about security
This tutorial involves disabling some of Blue Iris’s security features, so I want to explain what we are doing. Blue Iris has a web interface that was not designed to work with HTTPS. It just runs an insecure web server and suggests you use software called stunnel, which is a huge pain.
While Blue Iris does not support HTTPS, it does use a clever user token system to prevent capture of your username and password; camera feeds, however, can still be captured. This tutorial will use NGINX on your hassio instance as an HTTPS reverse proxy in front of Blue Iris: traffic between the internet and the proxy is encrypted, while the hop from the proxy to Blue Iris stays plain HTTP on your local network. This lets us expose Blue Iris to the internet using HTTPS, making it much more secure than it ever was without SSL.
Part 1: NGINX Addon Setup
WARNING: This section of the tutorial requires you have a domain or DuckDNS/no-ip/custom domain set up, otherwise you cannot get an SSL certificate. For the sake of this tutorial, my domain will be my-domain.duckdns.org.
The first section of this guide is for setting up a proxy from your Home Assistant instance to your Blue Iris instance. This will let you connect to Blue Iris using bi.my-domain.duckdns.org or catcam.my-domain.duckdns.org; it doesn’t really matter which. You can also use no-ip or a custom domain; I am just using my-domain.duckdns.org for the sake of this tutorial.
@frenck really made things easy for us by putting this addon together. It allows us to take web requests for locations on your domain from the internet and forward them securely to local addresses on your network. Below is a little sketch I threw together to try and explain what we are doing.
1. Install the NGINX Proxy Manager Addon
Hassio -> Add-on Store -> Community Hass.io Addons -> Nginx Proxy Manager
No config here is needed, however I do recommend enabling Start on Boot and Auto Update.
2. Add the following Port Forwards to your Hass.io device in your router: Port 80, Port 443
If you currently forward Blue Iris on port 81 (default), you will need to remove that port forward first. This tutorial will remove any need to port forward Blue Iris. If you need instructions on how to add a port forward, no-ip has a good article.
3. Start the addon and press "Open Web UI"
When you open the UI for the first time, the email is [email protected], and the password is changeme.
4. Add SSL certificates for the domain you will be using
After you reconfigure your user, go to the SSL certificates tab, and press Add New Let’s Encrypt Certificate. Under domain names, you MUST enter it with a subdomain. For example, blueiris.my-domain.duckdns.org or bi.my-domain.duckdns.org or cctv.my-domain.duckdns.org, it doesn’t matter. Just choose a subdomain you are comfortable using. Enter an email address for Let’s Encrypt, accept the terms, and press Save.
5. Create Proxy Host
On the tab bar, go to Hosts -> Proxy Hosts, press Add Proxy Host and use the following options. Options not specified can be left default.
Details Tab
Domain Names:
Your subdomain + domain for Blue Iris (same as the one used in SSL setup) Example: bi.my-domain.org
Scheme: http
The site will use SSL towards the internet, but this option defines whether the forwarded host itself does, and Blue Iris does not.
Forward Hostname/IP
Enter the IP or hostname of your Blue Iris Server. This is also what you use to access Blue Iris UI3 on your local network. Example: 192.168.0.5
Forward Port: 81
Enter 81 if you have not changed the port in Blue Iris, otherwise enter that here.
Websockets Support: true
This allows websocket calls, which can be used in the IO + DIO tab
SSL Tab
SSL Certificate:
Select the certificate we created in step 4. This is the same as the address used in domain names of the details tab.
Force SSL: true
Enable this to disallow use of Blue Iris UI3 without HTTPS
Once you are done, press Save. NGINX is configured!
Part 2: Blue Iris
The next part of this guide takes place in the Blue Iris application. Please note that you cannot use the web interface for this, you must use the Windows application on the server. My server is headless, so I am accessing it over RDP using MobaXTerm.
1. Open Blue Iris Settings
This is the little cog button in the corner on BI4, however these settings are similar in BI5.
2. Enable "Register IP address to assist with client app connections"
This allows you to sync your LAN and domain access with the mobile app.
3. Configure the Web Server Tab
On the webserver tab, enter the values below (also demonstrated in the image below)
Enable the HTTP web server on port: Enabled/Checked, Port 81
Remote Access URL:
Enter the exact domain you used in SSL setup and NGINX proxy setup Example: bi.my-domain.com
Refresh external IP at startup and again every: Disabled/Unchecked
We disable this so Blue Iris will not overwrite the domain we just entered.
Stunnel is installed for HTTPS on port: Enabled/Checked, Port 443
There is no need to install Stunnel, in fact it should NOT be running. This is a little workaround to force Blue Iris to send https domains to its server for app connections.
HTTPS LAN also: Disabled/Unchecked
LAN needs to be HTTP so NGINX can access it.
4. Advanced Web Server Settings
In the Web server tab, press the “Advanced” button at the bottom near the “OK” button. Here, use the following config
Require from: All Connections
Use secure session keys and login page: Disabled/Unchecked
Auto-ban IP after unsuccessful attempts: Disabled/Unchecked
All connections now come from your hass.io machine, meaning that if anyone gets banned, no one can access UI3.
Send Strict-Transport-Security header: Enabled/Checked
Done! Now press OK in the advanced tab, and press OK on the web server options tab to apply changes. You should now be able to access Blue Iris UI3 by opening the domain used earlier in your browser. Don’t forget to use https:// though!
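What the Proxy Host options from Part 1 amount to, written out as a plain NGINX configuration. This is an added illustration, not the file the add-on generates and not part of the original guide: the certificate paths are placeholders, 192.168.0.5 is the example Blue Iris address used above, and the limit_req rate limit (zone name and numbers are assumptions to tune for your camera count) is an extra that stands in for the auto-ban disabled in Part 2.

```nginx
# Constructed example: hostname, IP and certificate paths are placeholders.

# http{} context: track the request rate per client IP (10 MB of state).
limit_req_zone $binary_remote_addr zone=bi_ui3:10m rate=10r/s;

# "Force SSL": plain HTTP is only ever answered with a redirect to HTTPS.
server {
    listen 80;
    server_name bi.my-domain.duckdns.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name bi.my-domain.duckdns.org;

    # Let's Encrypt certificate from step 4 (placeholder paths).
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        # Blue Iris no longer auto-bans (Part 2), so throttle request
        # bursts per client at the proxy instead.
        limit_req zone=bi_ui3 burst=40 nodelay;

        # "Scheme: http", "Forward Hostname/IP", "Forward Port: 81".
        # This hop is unencrypted and must stay on the local network.
        proxy_pass http://192.168.0.5:81;

        # Blue Iris only ever sees the proxy's address as the peer;
        # pass the real client address along in headers.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # "Websockets Support": let the HTTP/1.1 Upgrade handshake through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The Strict-Transport-Security header is not set here because Part 2 has Blue Iris send it, and the proxy passes it through unchanged.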
Part 3: Home Assistant Config
Open your favorite config editor for this section. I prefer the Visual Studio Code addon in the hassio store since it is so easy to set up.
Now, copy the configuration below that applies to your setup, and tune it for your exact needs. Replace the bracketed sections with the appropriate values (Blue Iris LAN IP is the address BI uses on your local network, and Blue Iris camera shortcodes are set in camera settings on Blue Iris). Also, don’t forget to add the bi_username and bi_password values to secrets.yaml!
Single Camera
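# Cameras
stream:
camera:
  - platform: mjpeg
    # Add the Blue Iris web server port after the IP (:81 unless you changed it in Part 2).
    # Credentials are sent as HTTP basic auth over plain HTTP, so use the LAN address here,
    # not the public domain.
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic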
Multiple Cameras
Don’t forget to set a unique identifier for each component after the word camera. You can just use the shortname for organizational purposes.
# Cameras
stream:
camera uniqueName:
  - platform: mjpeg
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic
camera anotherUniqueName:
  - platform: mjpeg
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic
camera yetAnotherUniqueName:
  - platform: mjpeg
    mjpeg_url: http://[BLUE_IRIS_LAN_IP]/mjpg/[BLUE_IRIS_CAMERA_SHORTCODE]
    name: Camera Friendly Name
    username: !secret bi_username
    password: !secret bi_password
    authentication: basic
Once you have done this, save your config and restart home assistant!
Part 4: Lovelace
The final section of this guide is for putting your cameras into your lovelace UI. I created a page for my cameras and each used the picture-entity card, except my garage camera which used picture-glance so I can open my garage door from the camera.
Below are the card lovelace snippets I used. You can add these by pasting their contents into the card edit/create page. Just don’t forget to change the camera entity and image entity to your camera components.
Live View / Garage Door Opener
type: picture-glance
camera_image: camera.garage
camera_view: live
entities:
  - switch.garage_door
Live View / No Buttons
type: picture-entity
entity: camera.driveway
camera_image: camera.driveway
camera_view: live
That’s all! Feel free to comment with any suggestions, questions, or critique!