Blue Iris & nginx reverse proxy

Blue Iris… for the uninitialized is a CCTV viewing, recording, nearly-do-everything-CCTV application for analog, IP/digital, and usb based cameras. It sports a trendy web UI for viewing of the cameras added to the Blue Iris application. In this blog, will lay out the process to ensure nginx and BI plays (mostly) nice with Blue Iris web server.

This article assumes the following…

  • You have a wildcard based SSL certificate created and in-use/active for the reverse proxy access domain name.
  • You are configuring this as a sub-domain (e.g.; SomeSubDomain.potatoforinter.net) and not as a file path (e.g.; potatoforinter.net/blueiris/) to a domain.
  • You’re running Blue Iris version 5 or newer.
  • nginx is running 1.17.x or newer.
  • nginx will internally route (user doesn’t see this happen!) the HTTPS request (be it lan or wan) to a HTTP request within the lan to the Blue Iris server.
  • The Blue Iris install does not use stunnel.

On Blue Iris’s application, we need to ensure the server accepts some variables from nginx along with setting a logical configuration. Otherwise, we run into some “fun” issues later on with security and general access problems.


Go to the Blue Iris settings panel.

Click the “Web Server” tab.

Ensure your options look something similar to the above image. You will need to input the machines LAN IPv4 address into the “Local, internal access” input.

“Virtual” has to be just a forward slash /. This is a subdomain, not a folder we’ll be configuring.

Your “Remote, External access” needs to equal the IP address of your WAN IPv4 address. If your WAN IP was to be 12.34.56.78, you would input that to the Remote input field.

Ensure stunnel is unchecked. nginx will be handling all of the HTTPS/encryption from the net to the Blue Iris web server – mostly.


Click the “Advanced…” button at the bottom of the Web Server tab.

The Advanced UI should popup. With this setup, it’s a fairly generic configuration with the exception of “Use X-Forwarded-For Headers” being checked. I’m pedantic, and I like to have everything logged in the event someone gains access to it when they shouldn’t.

Let’s get crackin’ with the reverse proxy now. For the reverse proxy, am using nginx 1.17.x series.

Again, please note the following, as this article assumes the following…

  1. This installation uses SSL via Let’s encrypt. You’re using a wildcard based subdomain (*.some-domain.tld rather some-domain.tld).
  2. Access will be via a subdomain to a domain (blueiris.potatoforinter.net, not potatoforinter.net/blueiris)
  3. BIND or your DNS provider has been configured a proper A record for the domain.
    • NOTE: If using bind, and plan to throw “all the things” at the nginx reverse proxy, use a wildcard A name in addition to the non-WWW based domain.
    • It will look like this in the A field: *.potatoforinter.net. rather www.potatoforinter.net or/and potatoforinter.net. Ensure a proper A record exists for the primary/root domain however.
  4. Knowledge of how nginx includes/variables function.

Config Files for nginx

The virtual host file: /etc/nginx/sites-available/blueiris.conf

server {
        listen 443 ssl http2;
        server_name blueiris.potatoforinter.net blueiris.home.lan;
        include /etc/nginx/ssl.conf;
        set $upstream 192.168.20.2;
        location / {
                include /etc/nginx/reverse.conf;
                proxy_pass http://$upstream;
        }
}

NOTE: Edit server_name to suit your needs on the domains. I have two active. One for the lan resolver, and one for the web DNS.
NOTE: Modify set $upstream‘s IP address to the address that your blue iris installation resides on. If the web port isn’t port 80, append :1234 where 1234 is the port number that blue iris is listening for connections on. It might be 8080, it might just be 8000! It’s whatever you’ve set.

The ssl.conf file…

        ssl on;
        ssl_certificate /etc/letsencrypt/live/potatoforinter.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/potatoforinter.net/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_cache shared:le_nginx_SSL:1m;
        ssl_ecdh_curve secp384r1;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        resolver 192.168.20.1 192.168.20.1 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header Referrer-Policy no-referrer;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Download-Options noopen;

NOTE: You will need to modify the resolver IP’s to your local DNS or an internet DNS provider (Level3 DNS, Cloudflare DNS, OpenDNS, Google DNS, etc).
NOTE: You will need to modify ssl_certificate and ssl_certificate_key for your lets encrypt needs.

The reverse.conf file…

    proxy_http_version 1.1;
    proxy_temp_file_write_size 64k;
    proxy_buffer_size 64k;
    proxy_buffers 16 32k;
    proxy_busy_buffers_size 64k;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Host $remote_addr;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_request_buffering off;
    proxy_buffering off;
    proxy_redirect off;

This file is more or less a jumbled addition of proxy variables set over time. I’ve not validated the impact of each setting above when it comes to Blue Iris.

Save those files to the following directories…

  • /etc/nginx/sites-available/blueiris.conf
  • /etc/nginx/ssl.conf
  • /etc/nginx/reverse.conf

Link the blueiris.conf to the sites-enabled folder.

  1. cd /etc/nginx/sites-enabled
  2. ln -s /etc/nginx/sites-available/blueiris.conf blueiris.conf

Now, restart nginx, service nginx restart. Or reload, or whatever command you deem worthy of your fingertips to restart or reload nginx.

If the reload, or restart didn’t throw errors back at you, try accessing the blue iris installation; for example: https://blueiris.potatoforinter.net/ (non-functioning URL)

Related posts

This site uses Akismet to reduce spam. Learn how your comment data is processed.