Blue Iris UI3

[bp2008]

Have you given any further consideration to workarounds for this issue? I've tried the suggestion to use Firefox on mobile devices (it's already my preferred browser in a desktop), and although it initially looked promising, the error message did eventually show up there as well. If I switch to the Javascript player, I eventually see the orange clock timer symbol, despite lightly lengthening the timeouts (ie: within reason).

Well if you used an HTTPS reverse proxy server (such as nginx or stunnel or a cloudflare tunnel) then you could try the "WebCodecs" player.

My "todo" list for UI3 has been growing, but I have been busy with other things. This will get tweaked eventually

 

[ericINT]

I have my BI machine using a HTTPS reverse proxy server (Nginx Proxy Manager) and access my system via the UI3 interface from many external locations. However, at work if I login I get very slow to load feeds and stuttering. This is not a bandwidth issue, but instead something on the corporate machine or network limiting the type of stream UI3 is using.

Is there anything I could look at changing on BI/UI3/reverse proxy that could help prevent this reduction in performance? This is likely a bit vague of a request, so if more information is needed please point me in the right direction.

 

[bp2008]

@ericINT

You can see a working nginx configuration example here: Using UI3 with a reverse proxy server

This may be a case where Nginx Proxy Manager makes your task harder since last time I used it, it only has a very simple configuration interface that does not expose all the nginx options that are available or even show which are being used.

It sounds like your nginx configuration might be trying to buffer the data it proxies, which can prevent UI3 (and the Blue Iris mobile apps) from live streaming properly as nginx will basically hold the video stream hostage for some arbitrary amount of time, causing exactly what you describe, very slow streaming loading and stuttering. A similar thing can also happen with some anti-malware services that do the same thing, buffering HTTP responses in order to scan them before delivering them.

 

[ericINT]

@bp2008

The advanced section in the proxy host of the Nginx Proxy Manager allows you to change the finer details. My configuration for the proxy manager is a bit more advanced due to using Authentik as a SSO in front of Blue Iris.

nginx | authentik

The configuration templates shown below apply to both single-application and domain-level forward auth.

docs.goauthentik.io

Spoiler: Nginx Proxy Manager Advanced settings

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Increase buffer size for large headers, **turned off
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
proxy_buffering off;
tcp_nodelay on;


# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
# Put your proxy_pass to your application here
proxy_pass http://192.168.1.5:45568;
# Set any other headers your application might need
proxy_set_header X-Forwarded-For $remote_addr;

##############################
# authentik-specific config
##############################
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;

# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass

https://192.168.1.3:9443/outpost.goauthentik.io;

# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme:/$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302

https://authentik.company/outpost.goauthentik.io/start?rd=$scheme:/$http_host$request_uri;

}
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I only see this behavior at work which of course has the corporate nannies. UI3 functions from other locations, so I had always assumed some corporate firewall/anti-malware/bandwidth/video limiter/etc was to blame, but had not looked into if there was a potential workaround.

 

[bp2008]

@bp2008

The advanced section in the proxy host of the Nginx Proxy Manager allows you to change the finer details. My configuration for the proxy manager is a bit more advanced due to using Authentik as a SSO in front of Blue Iris.

nginx | authentik

The configuration templates shown below apply to both single-application and domain-level forward auth.

docs.goauthentik.io

I only see this behavior at work which of course has the corporate nannies. UI3 functions from other locations, so I had always assumed some corporate firewall/anti-malware/bandwidth/video limiter/etc was to blame, but had not looked into if there was a potential workaround.

Nothing sticks out to me as problematic in that configuration.

There's so much that could be going on in a corporate environment in terms of web proxying for virus scanning and other purposes, it could be tough to track down the cause.

Blue Iris's video streaming uses a long-running HTTP response to deliver the streaming video, which is highly unusual (in that no other video streaming service I can think of does anything like that). Therefore it is a case that some HTTP proxy servers simply were not designed to handle appropriately.