Skip to content
Fregata

Network & remote access

Ports

Section titled “Ports”

Fregata’s default listeners:

PortServiceBound toNotes
8971nginx → Frigate web UI + HTTP API0.0.0.0Auto-switches to HTTPS if ~/Fregata/config/ssl/cert.pem exists.
1984go2rtc admin UI127.0.0.1Localhost only by default.
8554go2rtc RTSP re-stream127.0.0.1Used by Fregata internally. Expose deliberately if you need it.
8555go2rtc WebRTC0.0.0.0Needed for low-latency live view from outside the Mac.

The HA integration only needs 8971. Most users don’t think about the others.

Reaching it from another device on your LAN

Section titled “Reaching it from another device on your LAN”

Fregata is happy to serve 8971 to anything on your LAN. Just open http://<mac-ip>:8971 from a different device.

A couple of practical notes:

  • Use a hostname, not an IP. Bonjour gives you <mac-name>.local for free; bookmarking that survives DHCP shuffles. Set the hostname in System Settings → General → Sharing → Local hostname.
  • macOS firewall. If you’ve enabled it (System Settings → Network → Firewall), the first inbound connection to Fregata triggers the standard “allow incoming connections” prompt. Allow it once and the rule sticks.

Putting Fregata behind a reverse proxy

Section titled “Putting Fregata behind a reverse proxy”

A common setup: Caddy or Traefik on a NAS or small Linux box, terminating TLS, and proxying to the Mac. The minimum Caddyfile:

cameras.your-house.example {
    reverse_proxy http://10.0.1.42:8971
}

Caddy gets you a Let’s Encrypt cert, HTTP/2, websocket upgrade (needed for live MSE/WebRTC), and a clean URL.

If you’d rather keep TLS termination on the Mac itself, drop cert.pem and privkey.pem into ~/Fregata/config/ssl/ and Fregata will switch to HTTPS automatically on the next start. The files have to be readable by the user the app runs as (i.e. you).

Exposing it to the public internet

Section titled “Exposing it to the public internet”

Short answer: don’t, unless you absolutely mean to.

Long answer: if you do, the bare minimum:

  1. Put it behind a real reverse proxy with TLS (Caddy, Traefik, Cloudflare Tunnel).
  2. Enable Frigate’s authentication. Add to config.yml: 
    auth:
      enabled: true
    Restart, then go to http://localhost:8971 once on the LAN to set the admin password (Frigate’s auth uses HTTP Basic by default — see their auth docs).
  3. Restrict by source IP at the proxy if you can.
  4. Don’t expose 8554 (RTSP) or 1984 (go2rtc admin) to the internet under any circumstance. They have no auth.

The reasonable middle path for “I want to check my cameras from my phone” is Tailscale or a similar mesh VPN: install on the Mac and on your phone, hit http://<tailscale-ip>:8971 from anywhere. No public exposure, no certificate work, near-zero attack surface.

Mac sleep and Wake-On-Demand

Section titled “Mac sleep and Wake-On-Demand”

Fregata stops recording when the Mac sleeps. Two ways to keep it awake:

  • System Settings → Energy Saver / Battery → “Prevent automatic sleeping when display is off” (desktop) or “Prevent automatic sleeping on power adapter” (laptop). Pair with “Wake for network access” so the Mac wakes when something hits port 8971.
  • The caffeinate command for short-term keep-alive while debugging.

A laptop that closes its lid is going to sleep regardless of these settings. If you need 24/7 detection, run on a desktop or stand-up Mac mini.

Ports for Home Assistant

Section titled “Ports for Home Assistant”

If you’re running HA on a different host, see the Home Assistant guide — the integration needs to reach 8971 and (if you’ve enabled it) MQTT on whatever broker you’re using.