pfsense/haproxy/blueiris always shows "200" in logs

I'm having trouble capturing failed login attempts to my blueiris VM with haproxy. I'm using the pfSense version of haproxy and it is working perfectly for a jellyfin container and the blueiris VM. Unfortunately, the only thing that is being captured in the haproxy logs for failed connections to BI (bad passwords) is a code 200 which is considered "successful".

Example line from haproxy log for BI:
2025-11-30T22:43:10-05:00 haproxy haproxy[2131]: 999.999.999.999:4956 [30/Nov/2025:22:43:07.379] port-443~ blueiris_ipv4/blueiris 0/0/1/2651/2652 200 461 - - ---- 1/1/1/1/0 0/0 "POST HTTP/2.0"

Haproxy does show a 401 for failed logins to jellyfin:
2025-11-30T22:58:33-05:00 haproxy haproxy[2131]: 999.999.999.999:4957 [30/Nov/2025:22:58:33.596] port-443~ jellyfin_ipv4/jellyfin 0/0/1/2/3 401 213 - - ---- 1/1/0/0/0 0/0 "POST HTTP/2.0"

Is there a setting in BI to return a 401 or something other than 200 when an invalid login/password is detected? I know BI offers IP blocking but I would prefer to do all my IP blocking using fail2ban and pfsense/pfblockerng as as I have a centralized syslog server that gets all my logs and it makes sense to do everything there, if possible.

I am a unix guy and not too familiar with windows logging but if I could install a log server app on the BI server to send Windows syslogs to my syslog server, is there anything available in Windows syslogs that show a 401 for BI's webserver app? Thanks for your time!

bp2008 said:

You could change the authentication method in web server settings, to HTTP digest authentication. You won't get Blue Iris's login page anymore and you should get standard HTTP digest authentication which I assume haproxy will be able to handle.

You can send BI's logs to a syslog server via the Blue Iris Status window > Log tab.

Blue Iris's web server and logging functionality are all proprietary, nothing standard on Windows.

Click to expand...

Thanks using Basic or Digest does give a 401 for a bad password in the haproxy log.

One unexpected oddity though, after authentication through the Digest login the URL that is displayed in my browser changes to . After poking around at my cameras then clicking Log Out, the browser redirects to and displays the original BI Secure login prompt (not the Digest). If I enter a garbage user/password I am back to getting 200's in the haproxy log.

Any ideas why the BI logout process is redirecting to the ui3.htm login rather than the "Basic" or "Digest" login pages?

FWIW, clearing browser data and killing the app (Android) then hitting the site again ("") does send me to the Digest login page so I'm not sure if I am worrying about something that probably won't happen.

In theory if someone figures out the subfolder "/blueiris" they will be presented with the Digest style login. Beating on that will give me 401's in the haproxy log and I can ban them. I suppose the only way they will get the BI "Secure" login would be if they were actually authenticated legitimately (or with a lucky hack which would probably have shown up as 401's anyways). Am I overthinking this?



The likelihood of If there is no simple solution for this I'm

bp2008 said:

That is a quirk of HTTP basic/digest authentication. Logging out the Blue Iris session does not clear the credentials from the web browser, so the web browser just reauthenticates you immediately on every single request to the BI web server.

So I think when you logged out and then tried logins from login.htm, as far as Blue Iris was concerned you were already logged in with a valid user account.

I'm not really sure, can the login.htm page be loaded and used when the browser does not yet have digest authentication credentials entered?

Click to expand...

You gave me what I needed for haproxy so I'm happy. I should probably not dwell on what could/could not happen in a situation like logging out/in and not getting the 401 in the log because of browser caching. Now to bash my head against the wall with haproxy and regex. Thanks again.