Integrating Blue Iris into Home Assistant

Can you share how you’re getting motion alerts in HA? I have all of my cameras streaming from BI. However, I can’t figure out how to get motion picked up by BI to send a snapshot of the motion to HA and me receive it as an alert.

Sure.

Within BI, on each camera you have an alert setting. Select alert > MQTT and create the topic as ai/backyard/motion and payload ‘on’, ‘off’ for reset.

Then in nodered I have this:

Then you can create a binary sensor in HA.

Also on the switch:


Many thanks nickdaria.

Was horrified to realize I had not changed this part after using duckdns and nginx.
Also the ‘all connections’ authentication option. Logged in from a pc off lan and did not ask me for any log in!!! Open to the public :open_mouth: :hushed:
All fixed now


This is a big security risk -
The non-lan only does not work in my case! Unless I am missing something.

If I use these configs I can still access from outside my lan without it asking for authentication!!! Immediately changed it back to ‘All connections’.

I have the same issue. Were you able to resolve this somehow?

Keep on non-lan only then in the ‘Limit access by IP’ type ‘=x.x.x.x’ replacing the ‘x’ with the IP address of your nginx server.

Using ‘=x.x.x.x’ will force authentication from the defined IP address. As all WAN connections will appear local (nginx server) to your BI machine, this IP will include all external connections.

This setup means that on your LAN you don’t need to authenticate but any devices connecting through your nginx server will be forced to authenticate.


I might have to give this a try.

I just switched to an iPhone and didn’t really want to have to buy the Blue Iris app again, plus it is really clunky and looks awful.

I already have external access setup using Stunnel, can I skip the first part of the guide and just use the Home Assistant integration?

If you already have external access setup to your liking you can just use ui3 can’t you?

This is all I do. I just use a vpn to connect to my home network first. Simple and you don’t need to buy the app again.

Yes I have Stunnel setup currently for the BI app on Android and I can easily use OpenVPN on my Asus Router.

I can use the web interface that way. Do you integrate the WebUi with Home Assistant?

No. I found that if I pull the BI streams into the lovelace cards in HA they fail pretty often. Kinda like a timeout and then you need to refresh the entire UI to get it back and it just wasn’t worth it.
Also lag is compounded by doing this. It adds a lot of time to the stream to go from the cam to BI to HA to your phone.
In lovelace I use streams from the cameras directly.
If I find that I need to see or hear what is going on at that moment (not often) I connect to the VPN and open the browser and use UI3. Can still look at alerts and clips if needed. Does what I need. YMMV.


This is awesome, thank you for putting this together!

Could you please advise if Generic camera is better than MJPEG in terms of lag and performance?
I tried generic and mjpeg; both of them have around 6 secs lag. Any recommendation on how I can improve that? Also, how can I stream the substream (640) as opposed to the mainstream (1080)? TIA

I’m just in the planning stages of my new CCTV setup and found this great guide (thanks @nickdaria!) via this blog, where the author goes over using iframes for Blue Iris streams, from UI3, on Lovelace Dashboards.

Thought I’d post it in case anyone else wanted to give it a go.

Howdy! This is my first time back on this forum in I believe a year, so I appreciate the kind words!


I had this working flawlessly for a year and a half. My machine suffered major corruption from a power failure. I reinstalled everything from a backup and now nothing for this BlueIris stream works. I did a fresh install of HA due to the certificates. Still no go. The cameras do not show up in the dropdown on the card. They are in the YAML from the backup. I have been at this for a week. What is the best way to troubleshoot because my going over everything is not working? HELP! I am a bit confused about whether stunnel should be on or not. I have tried both ways. Your description shows it checked, yet you say don’t use it.


Stunnel should be enabled in Blue Iris settings, but you do not actually set it up. Please send your config (obfuscate your passwords, obviously) for your cameras, and your BI HTTP config. Also is the internal IP changed?

I am having the exact same issue. Did you ever figure out a solution?

I realize it’s been 3 years since this post so I’m sure a lot has changed. I just wanted to note though that I just went through this and really didn’t find the Stunnel bit tough at all. It was pretty much just:

  1. Install Stunnel
  2. Locate its folder
  3. Copy the config from Blue Iris documentation into stunnel.conf
  4. Put my certificate in Stunnel’s folder

Certificate management is probably easier with the suggested approach though since NPM does auto-renewal. But if you want to encrypt traffic within your LAN as well (as I did) then there’s not really an option.

I just want to note here that this entire paragraph suggests Blue Iris is a piece of software which should not be exposed to the public internet. It’s good you’ve added SSL but it still seems pretty risky to me to allow someone direct access to Blue Iris. If any pre-auth vulnerabilities are discovered with its login screen, API, etc. anyone in the world could exploit them.

It might be wise to note that SSL isn’t a panacea. You’re still hosting a service and exposing direct access to it that probably isn’t battle-hardened for that kind of access given it lacks even basic SSL features. At the very least perhaps consider sticking something like Cloudflare Access in front of it to limit access to specific users that have been authenticated externally. Or make it LAN only and use a VPN.

I realize this is an old post but an aside for those interested in requiring auth for non-LAN only - check Use X-Forwarded-For headers. Reverse proxies like NPM and Stunnel add this header to let services know that they are not the originator of the request and are forwarding it for another. That way Blue Iris can use the value in that header to decide whether the request came from LAN or non-LAN. If you leave that box unchecked then it looks to Blue Iris like every request is coming from your reverse proxy so it assumes everything is from LAN.
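An added example (not from any poster in this thread, and not Blue Iris's own logic) modelling why "non-LAN only" authentication is skipped behind a reverse proxy, and how the two fixes discussed above, the forced-auth proxy IP and the X-Forwarded-For option, change the decision. The LAN range, proxy address and function names are assumptions for illustration; it also covers a case the thread does not mention, a client that supplies its own X-Forwarded-For value.

```python
import ipaddress

# Assumed addresses for illustration only.
LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.10")}  # reverse proxy host


def client_address(peer_ip, xff, honor_xff):
    """Return the address to classify, or None if it cannot be determined."""
    peer = ipaddress.ip_address(peer_ip)
    # Only the trusted proxy may speak for another client. A header that
    # arrives from any other peer is client-supplied and is ignored.
    if not honor_xff or not xff or peer not in TRUSTED_PROXIES:
        return peer
    # Each proxy appends the address it saw, so read right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(xff.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed header: caller fails closed
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def requires_auth(peer_ip, xff=None, honor_xff=True, force_auth_ips=()):
    """'Non-LAN only' policy: authenticate anything not proven to be LAN."""
    # Models the effect of listing the proxy as a forced-auth address.
    if peer_ip in force_auth_ips:
        return True
    addr = client_address(peer_ip, xff, honor_xff)
    return addr is None or addr not in LAN


# Constructed requests. 203.0.113.7 stands in for an internet client.
PROXY = "192.168.1.10"
SAMPLES = {
    "WAN via proxy, header ignored": requires_auth(PROXY, "203.0.113.7", honor_xff=False),
    "WAN via proxy, header honored": requires_auth(PROXY, "203.0.113.7"),
    "WAN via proxy, proxy IP forced": requires_auth(PROXY, None, False, (PROXY,)),
    "LAN device, direct": requires_auth("192.168.1.50"),
    "client-supplied LAN value": requires_auth(PROXY, "192.168.1.50, 203.0.113.7"),
}
```

Only the first sample skips authentication for an internet client, which matches the behaviour reported earlier in the thread.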

I suggested the NGINX route because it has auto cert renewal and also moved your management away from a Windows server that is headless for most users, and onto the HA environment everything else is on. Plus, many people already run NGINX.

This is true, however with NGINX the traffic is all local and you can assign security using the proxy manager which blocks certain IPs, restricts access with authentication, and more. Plus the simple login system is fundamentally more secure than the UI3 login page.

Is this the simple login system you’re referring to?

I was actually very curious about this. Is there some doc you can point me to about this? I hadn’t seen anything on this and searching hadn’t turned up anything. I had assumed it was a normal session cookie, if they’re doing something different I’d like to learn more about it.