Network & remote access
Fregata’s default listeners:
| Port | Service | Bound to | Notes |
|---|---|---|---|
| 8971 | nginx → Frigate web UI + HTTP API | 0.0.0.0 | HTTPS by default (self-signed cert). Set tls.enabled: false in config.yml for plain HTTP. |
| 5000 | nginx → Frigate API (internal) | 127.0.0.1 (default) or 0.0.0.0 | Loopback-only by default. Set FREGATA_EXPOSE_INTERNAL_PORT=1 to expose to your LAN. Plain HTTP, no authentication. If port 5000 is already taken (e.g. by macOS AirPlay Receiver), Fregata automatically uses port 5050 instead — see below. |
| 1984 | go2rtc admin UI | 127.0.0.1 (default) or 0.0.0.0 | Loopback-only by default. Set FREGATA_EXPOSE_GO2RTC_PORT=1 to expose to your LAN. Plain HTTP, no authentication. |
| 8554 | go2rtc RTSP re-stream | 0.0.0.0 (default) or 127.0.0.1 | LAN-exposed by default. Set FREGATA_EXPOSE_RTSP_PORT=0 to lock it to loopback-only. Plain RTSP, no authentication by default — see below to add a username/password. |
| 8555 | go2rtc WebRTC | 0.0.0.0 | Needed for low-latency live view from outside the Mac. |
The HA integration only needs 8971. Most users don’t think about
the others.
Reaching it from another device on your LAN
Fregata is happy to serve 8971 to anything on your LAN. Just open
https://<mac-ip>:8971 from a different device — the first visit shows
a self-signed-certificate warning (the same one you click through on
localhost). To avoid the warning on a trusted LAN, set
tls.enabled: false in config.yml and use http://<mac-ip>:8971.
A couple of practical notes:
- Use a hostname, not an IP. Bonjour gives you <mac-name>.local for free; bookmarking that survives DHCP shuffles. Set the hostname in System Settings → General → Sharing → Local hostname.
- macOS firewall. If you’ve enabled it (System Settings → Network → Firewall), the first inbound connection to Fregata triggers the standard “allow incoming connections” prompt. Allow it once and the rule sticks.
Putting Fregata behind a reverse proxy
A common setup: Caddy or Traefik on a NAS or small Linux box, terminating TLS, and proxying to the Mac. The minimum Caddyfile:

```
cameras.your-house.example {
    reverse_proxy http://10.0.1.42:8971
}
```

The http:// upstream assumes tls.enabled: false in config.yml, since port 8971 serves HTTPS with a self-signed certificate by default. Caddy gets you a Let’s Encrypt cert, HTTP/2, websocket upgrade (needed for live MSE/WebRTC), and a clean URL.
Exposing it to the public internet
Short answer: don’t, unless you absolutely mean to.
Long answer: if you do, the bare minimum:
- Put it behind a real reverse proxy with TLS (Caddy, Traefik, Cloudflare Tunnel).
- Keep Frigate’s authentication on. It’s enabled by default, and the admin password was set in the welcome wizard (see Your dashboard sign-in). You can confirm it in config.yml:

  ```yaml
  auth:
    enabled: true
  ```
- Restrict by source IP at the proxy if you can.
- Don’t expose 8554 (RTSP) or 1984 (go2rtc admin) to the internet under any circumstance. Neither has authentication by default.
The reasonable middle path for “I want to check my cameras from my
phone” is Tailscale or a similar mesh VPN: install on the Mac
and on your phone, hit https://<tailscale-ip>:8971 from anywhere
(click through the self-signed warning once). The Tailscale tunnel is
already encrypted end-to-end, so if you’d rather skip the warning, set
tls.enabled: false and use http://<tailscale-ip>:8971. No public
exposure, near-zero attack surface.
Mac sleep and Wake-On-Demand
Fregata keeps the system awake while it’s running. As soon as
the menu-bar status reads Running, the supervisor takes a
ProcessInfo activity assertion with .idleSystemSleepDisabled
and holds it until Frigate stops, errors out, or you quit the app.
You don’t need to touch System Settings; the display is still free
to sleep, only the system itself stays awake.
This means the boring 24/7 install case — Mac mini in a closet, Fregata launched at login, never restarted — just works.
Caveats worth knowing about:
- A laptop that closes its lid still sleeps. Lid closure is a hardware-level signal that overrides every software assertion. If you need 24/7 detection, run on a desktop or use clamshell mode with an external display attached.
- The activity is released on .error and .stopping. A Fregata that crashed or was stopped by you doesn’t strand the Mac awake.
- Belt-and-braces: if you want the same behavior even when Fregata isn’t running, System Settings → Energy Saver / Battery → “Prevent automatic sleeping when display is off” (desktop) or “Prevent automatic sleeping on power adapter” (laptop).

The caffeinate command or the Amphetamine app are still useful to prevent your Mac from sleeping when Fregata isn’t yet running.
Using the API from local automation tools
Tools like Node-RED or custom scripts that run on your LAN can talk to Fregata’s HTTP API. There are two ways to do it:
Option A — Port 8971 with a Bearer token (recommended)
This is the standard path and keeps authentication in place.
- POST to http://<mac-ip>:8971/api/login with your credentials:

  ```json
  { "user": "admin", "password": "your-password" }
  ```
- The response body contains a JWT. Store it in a Node-RED flow variable or script environment.
- Add Authorization: Bearer <token> to every subsequent request.
Tokens are valid for 24 hours by default. To keep a script running
indefinitely, re-POST to /api/login on a timer (every 23 hours is safe).
Alternatively, set auth.enabled: false in config.yml — port 8971
then requires no credentials at all, which may be simpler if the network
is fully trusted.
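
One way to script the login-and-refresh steps above, as an added example that is not Fregata's own code. The page does not show the layout of the login response, so the token is located by its JWT shape rather than by a field name; BearerSession, http_post and the injectable post/clock parameters are names chosen here.

```python
import json
import re
import time
import urllib.request

# A JWT is three base64url segments; the header segment always starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def http_post(url, payload):
    """Default transport: POST a JSON body and return the response text."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


class BearerSession:
    """Caches the login token and logs in again before the 24-hour expiry."""

    def __init__(self, base_url, user, password,
                 post=http_post, clock=time.time, max_age=23 * 3600):
        self.base_url, self.user, self.password = base_url.rstrip("/"), user, password
        self.post, self.clock, self.max_age = post, clock, max_age
        self.token, self.issued_at = None, None

    def login(self):
        body = self.post(self.base_url + "/api/login",
                         {"user": self.user, "password": self.password})
        match = JWT_RE.search(body)
        if match is None:
            raise RuntimeError("login response did not contain a JWT")
        self.token, self.issued_at = match.group(0), self.clock()

    def auth_headers(self):
        """Return the header for the next request, refreshing a stale token."""
        if self.token is None or self.clock() - self.issued_at >= self.max_age:
            self.login()
        return {"Authorization": "Bearer " + self.token}
```

Call auth_headers() before each API request and merge the result into the request headers; read the password from an environment variable or secret store rather than the script itself.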
Option B — Port 5000 with FREGATA_EXPOSE_INTERNAL_PORT=1
Port 5000 is nginx’s internal proxy. It has no authentication middleware — requests arrive at the API already labelled as admin. By default it only accepts connections from the same Mac. Setting the environment variable opens it to your whole LAN.
To enable, add FREGATA_EXPOSE_INTERNAL_PORT=1 in
Settings → Environment Variables and restart Fregata. A warning
appears in the Fregata log every time Fregata starts while the flag is set,
so you always have a visible reminder that the port is open.
Point your automation tool at http://<mac-ip>:5000/api/… — no
Authorization header needed.
Option C — Port 1984 with FREGATA_EXPOSE_GO2RTC_PORT=1
This one’s for tools that need to talk to go2rtc directly — reading or changing restream config, or pulling an RTSP/WebRTC feed — rather than going through Frigate’s API. Most automation should use Option A or B instead; reach for this only if go2rtc itself is what you need.
To enable, add FREGATA_EXPOSE_GO2RTC_PORT=1 in
Settings → Environment Variables and restart Fregata, then point your
tool at http://<mac-ip>:1984/api/…. Unlike port 5000, there’s no
conflict fallback to worry about — go2rtc runs as its own process, so a
failed bind only affects go2rtc, and port 1984 isn’t known to collide with
anything on macOS.
Option D — Port 8554, locking it down with FREGATA_EXPOSE_RTSP_PORT=0
Port 8554 is go2rtc’s RTSP restream, and unlike the other ports on this
page it’s open to your LAN by default — tools that want to pull the
RTSP restream directly (VLC, Home Assistant’s RTSP camera platform,
another NVR) can connect to rtsp://<mac-ip>:8554/<camera_name> with no
extra configuration.
To restrict it to loopback-only, add FREGATA_EXPOSE_RTSP_PORT=0 in
Settings → Environment Variables and restart Fregata. A warning
appears in the Fregata log every time Fregata starts while the port is
locked down, so you always have a visible reminder. Same posture as port
1984 — no conflict fallback to worry about, since go2rtc runs as its own
process and port 8554 isn’t known to collide with anything on macOS.
To add a username/password instead of locking the port down entirely, set
go2rtc.rtsp.username/password in config.yml:

```yaml
go2rtc:
  rtsp:
    username: "admin"
    password: "pass"
```

Clients then connect with rtsp://admin:pass@<mac-ip>:8554/<camera_name>.
This is go2rtc’s own credential check, independent of Frigate’s
auth.enabled and separate from the username/password your cameras use
upstream.
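
A check of the listener posture described in Options B to D, added here as an example and not part of Fregata: it parses the output of lsof -nP -iTCP -sTCP:LISTEN and reports the unauthenticated ports (5000 or its 5050 fallback, 1984, 8554) that are bound beyond loopback. The sample output is constructed, and the process names nginx and go2rtc as lsof prints them are assumptions.

```python
import ipaddress

# Unauthenticated ports from the table: port -> (assumed process name, remediation).
UNAUTHENTICATED = {
    5000: ("nginx", "unset FREGATA_EXPOSE_INTERNAL_PORT"),
    5050: ("nginx", "unset FREGATA_EXPOSE_INTERNAL_PORT"),
    1984: ("go2rtc", "unset FREGATA_EXPOSE_GO2RTC_PORT"),
    8554: ("go2rtc", "set FREGATA_EXPOSE_RTSP_PORT=0 or go2rtc.rtsp credentials"),
}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output, not a real capture.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ControlCe  611 sam    9u  IPv4 0x01      0t0  TCP *:5000 (LISTEN)
nginx     4101 sam    6u  IPv4 0x02      0t0  TCP *:8971 (LISTEN)
nginx     4101 sam    7u  IPv4 0x03      0t0  TCP 127.0.0.1:5050 (LISTEN)
go2rtc    4120 sam    5u  IPv6 0x04      0t0  TCP *:1984 (LISTEN)
go2rtc    4120 sam    6u  IPv6 0x05      0t0  TCP *:8554 (LISTEN)
go2rtc    4120 sam    7u  IPv6 0x06      0t0  TCP *:8555 (LISTEN)
"""

def parse_listeners(lsof_text):
    """Return (command, host, port) for each TCP LISTEN row."""
    rows = []
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[-1] != "(LISTEN)":
            continue  # header line or a non-listening socket
        host, _, port = fields[-2].rpartition(":")
        if port.isdigit():
            rows.append((fields[0], host.strip("[]"), int(port)))
    return rows

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or anything unparseable counts as exposed

def audit(lsof_text):
    """List unauthenticated Fregata ports reachable from other hosts."""
    findings = set()
    for command, host, port in parse_listeners(lsof_text):
        expected, fix = UNAUTHENTICATED.get(port, (None, None))
        if command == expected and not is_loopback(host):
            findings.add((port, host, fix))
    return sorted(findings)
```

In the sample, AirPlay Receiver (ControlCe) holds port 5000 and is ignored because it is not Fregata's nginx, the 5050 fallback is loopback-only, and the two go2rtc listeners on 1984 and 8554 are reported.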
Ports for Home Assistant
If you’re running HA on a different host, see the
Home Assistant guide — the integration
needs to reach 8971 and (if you’ve enabled it) MQTT on whatever
broker you’re using.