Apple HomeKit with Unifi G3 Flex

Over the past few months, I have been peppering the house with the Unifi G3 Flex security camera. They were very easy to install and since they use PoE, they minimize the wiring as well.

To monitor the cameras, I installed the Unifi Video server software on my Ubuntu Server that is up 7 x 24. All of this hardware components are behind my Unifi Security Gateway firewall.

For whatever reason, I had a thought whether Apple HomeKit can talk to these cameras? With a little Google searching, I came across this article. The instructions from the article was a bit outdated, but what peeked my interest was the use of the homebridge server. I already had homebridge service installed on my Ubuntu server because I use the same technique to have HomeKit talked to my home made garage door opener. After looking through the instructions, it looks like all I need to do is:

  1. Configure Unifi Video to enable RTSP streaming for each of the camera that it is managing;
  2. Download a homebridge camera plugin called homebridge-camera-ffmpeg;
  3. Configure homebridge to add the cameras;
  4. Add the cameras to the Home App;

The first step was extremely simple. First we had to enable RTSP streaming for all cameras managed by Unifi Video.

We then had to select each camera and enable the resolution that we want streamed.

I tested the RTSP URL on the VLC App just to make sure the streaming is working properly.

Installed the plugin with the following command line:

npm install -g --unsafe-perm homebridge-camera-ffmpeg

Add the platform section to the homebridge config.json file, which for my server was located in /var/homebridge.

"platforms": [
    "platform": "Camera-ffmpeg",
    "cameras": [
        "name": "Dining Room",
            "source": "-rtsp_transport http -re -i rtsp://",
            "maxStreams": 4,
            "maxWidth": 1280,
            "maxHeight": 720,
            "maxFPS": 15,
            "maxBitrate": 600,
            "mapvideo": "0:1",
            "mapaudio": "0:0",
            "vcodec": "h264",
            "audio": true,
            "packetSize": 188,
            "hflip": false,
            "additionalCommandline": "-x264-params intra-refresh=1:bframes=0",
            "debug": false
        "name": "Garage",
            "source": "-rtsp_transport http -re -i rtsp://",
            "maxStreams": 4,
            "maxWidth": 1280,
            "maxHeight": 720,
            "maxFPS": 15,
            "maxBitrate": 600,
            "mapvideo": "0:1",
            "mapaudio": "0:0",
            "vcodec": "h264",
            "audio": true,
            "packetSize": 188,
            "hflip": false,
            "additionalCommandline": "-x264-params intra-refresh=1:bframes=0",
            "debug": false
        "name": "Great Room",
            "source": "-rtsp_transport http -re -i rtsp://",
            "maxStreams": 4,
            "maxWidth": 1280,
            "maxHeight": 720,
            "maxFPS": 15,
            "maxBitrate": 600,
            "mapvideo": "0:1",
            "mapaudio": "0:0",
            "vcodec": "h264",
            "audio": true,
            "packetSize": 188,
            "hflip": false,
            "additionalCommandline": "-x264-params intra-refresh=1:bframes=0",
            "debug": false
        "name": "Kitchen",
            "source": "-rtsp_transport http -re -i rtsp://",
            "maxStreams": 4,
            "maxWidth": 1280,
            "maxHeight": 720,
            "maxFPS": 15,
            "maxBitrate": 600,
            "mapvideo": "0:1",
            "mapaudio": "0:0",
            "vcodec": "h264",
            "audio": true,
            "packetSize": 188,
            "hflip": false,
            "additionalCommandline": "-x264-params intra-refresh=1:bframes=0",
            "debug": false

I had four cameras installed so you will see four cameras configured within the Camera-ffmpeg platform. Note that the entire platforms section should be sibling to the accessories and bridge sections.

I restarted the homebridge service with systemctl, and you should see messages similar to:

May 14 15:00:05 avs homebridge[2973]: [2020-5-14 15:00:05] Please add [Dining Room] manually in Home app. Setup Code: 031-45-153
May 14 15:00:05 avs homebridge[2973]: [2020-5-14 15:00:05] Please add [Great Room] manually in Home app. Setup Code: 031-45-153
May 14 15:00:05 avs homebridge[2973]: [2020-5-14 15:00:05] Please add [Kitchen] manually in Home app. Setup Code: 031-45-153
May 14 15:00:05 avs homebridge[2973]: [2020-5-14 15:00:05] Please add [Garage] manually in Home app. Setup Code: 031-45-153

You simply open the Home App and add the above camera accessories using the manual process instead of the scan code method.

If everything works, you should see something like this on the Home App. Below is a screen shot taken from the macOS version of the Home App.

So it is pretty cool to have something working in your home for several months, and because of a thought, I now have a new capability in the house via Apple’s HomeKit Home App.

Thank you to the homebridge community and the UniFi Protect with HomeKit – Setup Guide.

Evidence of an Attack

Today I went about performing my regular server maintenance update and noticed an IP address hitting my Apache web server. Out of pure curiosity I thought I lookup this IP address. After a quick whois command, I found out it came from Xinjiang Province, China, specifically from the ISP.

After more investigation, I noticed that this particular visitor was attempting a ThinkPHP remote code execution attack. I don’t run the ThinkPHP framework. Below is the log recording its attempt. - - [25/Apr/2020:12:58:01 -0400] "GET /TP/public/index.php HTTP/1.1" 302 499 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" - - [25/Apr/2020:12:58:05 -0400] "GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 302 695 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)" - - [25/Apr/2020:12:58:08 -0400] "POST /TP/public/index.php?s=captcha HTTP/1.1" 302 519 "-" "Go-http-client/1.1" - - [25/Apr/2020:12:58:11 -0400] "GET / HTTP/1.1" 302 499 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"

I have always wondered how many bad actors are out there and whether these bad people will end up attacking my stuff. Well now I know, experienced first hand.

It is a scary place out there.

Face Masks

They are now part of our lives. Like shoes, we now have to don one of these before we head out. I don’t disagree with this practice, but it certainly fits the bill of a “new” normal.

We have started to wear a mask when going outside for primarily grocery shopping. My immediate experience with them is the act of putting it on. It immediately felt restrictive. It is not the same as wearing a face covering toque while skiing or going out on a windy, winter day. Those are much more breathable than a mask that is suppose to filter microscopic drops of fluid. Your face immediately gets uncomfortably warm as you recycle more of your own breathes.

If put on loosely, the warm exhalation will escape and causes fogging on your glasses. It took me a couple of days to really experiment and find the best way to wear one so to minimize this effect. I have gotten it to be bearable but still not ideal.

When I check out of the store, simple acts like a smile when saying thank you can no longer be expressed fully. The concealments of such natural expression felt like I was deceiving the person that I’m communicating with. A thank you without a smile seemed incomplete. I wonder how prevalent future misunderstandings this will cause as our face to face interactions become more faceless. Will we be more angrier and less respectful of others like we are when we are in our cars to other drivers? Will this make us a less friendly society with less consideration for others? Will this make us less human to others? I certainly hope not but one has to wonder.

The physical act of checking out made me suddenly discovered that I can no longer use Face ID to authenticate Apple Pay. Luckily I still have my Apple Watch on hand. I know first world problems, but it really makes you realize how often you check your phone, from looking up contact information to monitoring simple notifications.

Aside from my unhelpful whining in regards to sporting one of these and looking like a typical Mortal Kombat character, I do support and believe that wearing one during the Covid-19 pandemic does help to limit the spread of the virus. However, I can’t help but wonder how society will change with this simple facial garment.

Perhaps this is all nothing as we all adjust to this new normal and it is no different than interacting with everyone on a cold blizzard day when everyone’s faces are concealed. However, something tells me that this will be more impactful. How do you feel about wearing a mask?

HTML5 Video on iOS 13

This past weekend, I was writing a simple HTML5 utility that provides certain videos that I have in my own personal library. The idea is that I can make a limited selection of videos and present it on a web page, so that the user can simply click on the cover art of the video and plays inline on the web page.

I thought it was a pretty simple requirement and I should be able to whip this up in a few minutes. I used the HTML5 <video> tag. Everything worked on my Mac and my iPad. It even worked on my LG OLED TV. However, when it came to the iPhone, mobile Safari would load the movie but it would not play. I was even able to seek through the movie by scrubbing the scroll bar, but when I press the play/pause button, nothing would happen.

After many hours scouring the web, I found out many caveats when serving videos on iOS with the iPhone.

  • Videos behind an authorized location may not work on an iPhone because when Safari passes this information to the player, the player does not inherit the previously authorized identity. To get around this, I had to create a token based technique, where the main page have to pass this token to a PHP page that checks this token and serves the video contents.
  • The PHP used to serve the video also need to handle HTTP Range based requests. This wonderful contribution from GitHub really helped me out!
  • Multichannel audio such as 5.1 audio encoded in AAC will load but not play on my iPhone XS currently running iOS 13. The video will play if I re-encode the audio to either AAC stereo, or 5.1 multichannel in AC3 encoding.
  • Multiple audio streams also did not work. The iOS player was only happy with a single compatible audio stream.
  • If you want to make the video autoplay while inlined within the page, it must first be muted.

Lots of things to consider here. I lost about a day and halve researching and experimenting with this, so here it is all recorded just in case I forget in the future. I also hope that this information will help you out as well.

Busted Door Bell Button

Cracked Button

We had a situation. Our original door bell that came with the house from 1999 (more than 20 years old) decided to crack and disintegrate on us last summer.

We used some transparent packaging tape to salvage the button, but last month it too has had enough of the weather.

Once again our 3D printer came to the rescue. First I designed a replacement button in Autodesk Fusion 360 after I meticulously did all the measurements at least three times. Since it was a very small part, after around 20 minutes of printing, I had the replacement ready to go. Here is the final part installed:

I was on the receiving end of some ridicule when I first purchased the 3D printer, but it certainly has come in quite handy.

Ubuntu Server Missing Network Interface

I had an opportunity recently to install Ubuntu Server on a very old server, a Dell R710 that had 4 native network interfaces and 4 add-on network interfaces, resulting in a total of 8 network interfaces.

During the installation process, the installer did recognize all the physical network interfaces on the machine but because it did not successfully acquire DHCP addresses, I was forced to install Ubuntu without networking.

After the installation, only the loop back (lo) interface existed and all the other physical interfaces were missing. I had to use the netplan command to create the interfaces. This article was of tremendous help. I pretty well just followed its instructions.

I first created the 99-disable-network-config.cfg file with the contents as instructed by the article.

sudo su -

echo "network: {config: disabled}"  >>  /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Followed by editing the 50-cloud-init.yaml file with the following contents:

vim /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
  version: 2
  renderer: networkd
      dhcp4: true

Once netplan is configured, I then executed the following command:

netplan generate
netplan apply

Once I rebooted the computer, the eno1 network interface now exists with a provisioned IP from my local DHCP server.

Much of the content in this blog is a verbatim reference from the article but I provided here so that it is more easily searched by me if I ever needed it in the future.

MacBook with Windows on External SSD

All of this started with one of my neighbour whose laptop broke down. The laptop stopped recognizing its internal SATA connection, so it will not boot. My neighbour ended up booting Windows from an external SSD using a Windows to Go solution to continue to use his laptop.

MacBook Air (13-inch, Mid 2013) running Windows 10 Home

This somehow got me thinking whether it is possible to boot Windows from an external SSD using a Mac. I knew Bootcamp allows you to create a dual boot scenario on the Mac, but the default procedure requires you to repartition your internal drive space to do so.

With external SSD drives coming down in price, for example you can get a 500GB Samsung T5 now for less than $130 CAD, it would seem a pretty sweet deal to have Windows on the side with your MacBook.

After doing some research, it seems like others have similar ideas. I am not going to detail all the steps, since you can find YouTube videos and other forums that have already done the deed. Instead, the high level process goes something like this:

  1. Use the Bootcamp Assistant App on the Mac to collect all the drivers on a USB stick or a local folder on your Mac.
  2. Download a Windows ISO and use a Virtual Machine (e.g. Parallels, VirtualBox, etc.) to install the Windows ISO onto an external SSD drive. I first tried VirtualBox but ran into Catalina permission issues that I could not circumvent. I ended up doing it with Parallels which I will go into details later.
  3. Copy the drivers from the USB stick created in 1 into the desktop of the recently installed Windows on the SSD drive.
  4. Reboot your Mac and hold the option key down before the Apple logo shows and boot into the EFI portion that contains Windows.
  5. Make sure you have an external keyboard and mouse handy because the default Windows install may not recognize the native hardware yet. On my MacBook Air, I had no issues.
  6. Once Windows come up, login and run the Bootcamp setup from the desktop that was originally copied from the USB stick.
  7. Once this is all done, you can dual boot into Windows on the Mac as long as you have that SSD drive handy.

So far everything works, and it is happily installing Visual Studio 2019. I even tried Cortana and the mic and speakers are working well. I did a quick Skype test call and the webcam is working well too.

I do want to document the steps that I performed with Parallels when installing Windows 10 onto the SSD. Those steps were not intuitive.

Step 1: Choose the Install Windows or another OS
Step 2: Choose Manually
Step 3: Don’t choose anything, but check the “Continue without a source” box at the bottom left hand corner

After this, stop the virtual machine and make the following custom configurations:

Step 4a: Select Hardware and configure the Hard Disk
Step 4b: Make sure your external media is plugged in, and select it in the Source. For example, Physical disk: Kingston DataTraveler 3.0 Media (disk2)
Step 5a: Change the boot order so that you can boot from CD, and connect the CD to your Windows ISO (not shown)

Start the Virtual Machine and it will go through the first part of the Windows installation. Once it is completed, it will reboot. Instead of booting from the external media, it will boot from the CD ISO image again. Simply shutdown the VM again and change the boot order again.

Step 5b: Change the boot order again to Hard Disk first, and restart the VM to complete its second part of the install

Once Windows 10 complete its installation, it will go through a user account setup process. If you are connected to the Internet during this stage, Windows 10 will force you to either use an existing Microsoft account or create one. This is unfortunate, but go ahead and create a temporary one. Remember to create a local administrator account and remove this temporary Microsoft account as the final step of the Windows setup.

Remember to copy the Bootcamp drivers from the USB stick to the Windows desktop before completing and shutting down the virtual machine.

Now you are ready to restart the Mac and dual boot into the external drive by holding the Option key while the machine restarts. The final step is run the Bootcamp Setup.exe program, which should be located inside the Bootcamp folder that your previously copied on the desktop. This is the last step of the Windows configuration on the SSD drive, and you can restart your Mac and dual boot into Windows one final time.

You are now running Windows natively to the Mac’s metal, without any simulators or Virtual Machines. This process is great to revitalize old MacBook’s lying around especially for students who need a Windows computer for their curriculum, but still want to retain their macOS. For more contemporary Mac’s, the small form factor and the speed of the Samsung T5 drive is a great fit for this type of situation. This is very cool!

Update: Potential Trouble with Major Windows Update

I have been told that a major Windows Update could encounter an error and a registry setting is required to fix this. The following page has more information on this. In summary, you have to set the following registry key PortableOperatingSystem from 1 to 0. This key can be found at registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control. Thanks to Martin Little for this very helpful information.

Update: Mac’s with Secure Boot using the T2 Chip

To allow a Mac with the T2 chip to boot from an external drive certain settings have to be made with the Startup Security Utility. This utility can be accessed via the Mac’s recovery mode, under the Utilities menu. You want to disable secure boot and allow for external drive. Since the secure boot is disabled, set a firmware password to prevent a bad actor booting their own operating system with their own Live USB key.

Encrypted Live USB Stick

The goal is to create a USB key that contains a Linux based operating system. Any Linux compatible computer can then be booted with this USB key, temporarily borrowing the host computer. The hosted Linux OS can then access an encrypted partition that houses important private information that may be helpful in an emergency. This technique offers the maximum portability of accessible, private information such as your will, financial data, credentials, etc.

I previously had an USB key formatted with an encrypted Mac filesystem storing the same information. However, this is inconvenient because you will need to find a Mac in an emergency situation.

In the Linux community, you can create a Live USB key. The concept is to create an operating system that will run off of the USB key with any computer that you can plug the USB key to. However, many of these Live USB distributions does not remember any changes that you make while using the operating system. The next time you boot from the Live key, all your previous changes are gone, and the Linux environment reverts back to its original, pristine state. To remember the changes during uses, these changes have to be “persisted”.

I started to find the best methodology for creating a Live Linux USB that operates with an encrypted persistent partition.

All the commands in this article has been performed within the Ubuntu 18.04 LTS Desktop install. I installed this version on both VirtualBox and Parallels on the Mac. Both worked beautifully but Parallels has smoother integration with Mac.

I tried first the Kali distribution, using the instructions in this USB Persistence & Encrypted Persistence article (Article 1). However, the USB stick that I was using which was a Kingston DTSE9 G2 USB 3.0 32GB, was simply way too slow on writes causing the Live USB almost unusable.

I searched for an alternative USB stick and settled for the SanDisk 64GB Ultra Fit USB 3.1 Flash Drive. This new USB stick’s write performance was 4x faster than the Kingston.

After learning more about initramfs hooks, boot loaders, and a refresher on UEFI and BIOS booting process and partition layout strategies for USB storage devices, I decided to roll my own Live USB using the Ubuntu Desktop as a base along with the mkusb tool for the initial layout. The reason for the change is that I already have Ubuntu else where in the house so standardization is probably a better bet.

To improve performance further, I decided that it is not necessary to encrypt the persistent partition where the system configuration updates will be stored. Instead, I will create my own private encrypted partition to store only the private data that requires protection. Article 1, also provided details on how to use the LUKS technology to encrypt any Linux partition, so my exercise with Kali Linux was not a total waste of time.

Before I run mkusb, I needed to install it first by doing the following:

sudo add-apt-repository universe
sudo add-apt-repository ppa:mkusb/ppa
sudo apt-get update
sudo apt-get install mkusb mkusb-nox usb-pack-efi

I ran the mkusb tool (after sudo su - )1, with the following options:

We also chose msdos so that more computers will be compatible for booting. Once mkusb is completed, we will need to perform some custom partition layout. We will use the gparted program for this purpose so that the completed partition layout will look something like this:

Final MBR Partition Table

We first deleted the original usbdata partition and grew the extended partition (/dev/sdb2) to about 18 GB, approximately 6 GB for casper-rw, which the system will store any custom configurations or upgrades since this Live USB key is created. We create another logical partition called Personal that is around 12 GB in size, which will be encrypted and this is where we will store private, sensitive data for emergency use.

The remaining space will be allocated to USBDATA, a last primary partition for normal USB data sharing, the typical use case for a USB stick. We also want to make sure that the other FAT32 (usbboot) partition is not visible in Windows by setting the hidden partition flag. We did that with the gparted program as well.

Once the partition table is completed, we can now encrypt the Personal (/dev/sdb6) partition. For this, we went back to Article 1, which gave us the following instructions.

~# cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb6
 This will overwrite data on /dev/sdb6 irrevocably.
 Are you sure? (Type uppercase yes): YES
 Enter passphrase for /dev/sdb6: 
 Verify passphrase: 
 Key slot 0 created.
 Command successful.

~# cryptsetup luksOpen /dev/sdb6 myusb
Enter passphrase for /dev/sdb6:

~# mkfs.ext4 -L Personal /dev/mapper/myusb

~# cryptsetup luksClose /dev/mapper/myusb

All Done! Now we have a bootable USB stick that can be booted from any Ubuntu compatible computer. I can store my own personal data in a very safe and private way within the encrypted Personal partition, while any changes I make to the system will be preserved in between the uses of the USB stick. On top of it all, the USB still has 40+ GB (~37.5 GiB) of storage for normal USB transfer usage.

I spent sometime copying some confidential information which I think I will need in an emergency into the Personal partition. I want to duplicate the finished Live USB key, so that both my wife and I will have a copy always available to us on our physical keychain.

I did this on my Mac, and the command to duplicate the USB drive is:

sudo dd if=/dev/rdisk2 of=/dev/rdisk3 bs=4m conv=notrunc

If the USB key ended up to be lost, then whoever picks it up will need to:

  • Recognize that this is a bootable USB, otherwise it will just seem like 40GB USB Flash Drive;
  • Get the password needed to login to Linux; I thought about installing two factor authentication but decided not to, because any good hacker can simply access the partition from another Live Key;
  • If they do mount the partition manually, then they still need to obtain the LUKS key to decrypt the partition; I made the LUKS key to be different than the OS password and is twice as long.

I think the risk is worth the benefit of having critical info around in case of an emergency.

Update: WiFi on MacBooks

It looks like MacBooks uses Broadcom WiFi chips and most Linux distributions do not ship with these drivers. This can be easily solved by loading the following software:

sudo apt update
sudo apt install bcmwl-kernel-source

Even with the above software installed, there is still a little ritual:

  1. Launch the “Software and Updates” application;
  2. Select the “Additional Drivers” tab;
  3. Select “do not use this driver” and allow the process to go through and reboot the system;
  4. Re-enter the system and repeat steps 1 & 2, and then select the Broadcom drivers;
  5. Without rebooting, WiFi networks should be available for use

Unfortunately the above ritual will have to be performed every time the Live USB stick is powered off.

Update: Tried Linux Live Kit

I wanted to further customize my Live USB key. Instead of keeping a persistent partition, I thought I would keep a Linux VM at home and ensure that it is up to date and customized. At certain intervals, I would then create a Live USB key from the VM install.

I tried Linux Live Kit, but the results were disappointing. I was able to create a bootable USB key that worked, but the OS did not recognize the MacBook’s keyboard or trackpad. For some reasons, the drivers required did not get bundled during the process. I’ll have to read up on how I can create a Live USB key from scratch rather than depending on these tools, but it is more complicated than I thought, so for now this idea will have to be shelved until I have more time.

1For some reason mkusb will not work with the live persistence if I simply do a sudo mkusb or under a non-root account. The only way that I can get it to work is to run it within a root login session.

Custom Counter

Circular Knitting Machine

This all started when my wife started to use a circular knitting machine that she purchased recently. These machines can be used to quickly knit hats, scarfs, slippers, etc. I have seen her creating yarn goodness within a matter of minutes. The machine certainly decreases the time to produce goods when compared to traditional hand knitting by several folds. As a toy, literally, it has proven its worth several times over.

Microswitch placement

While using the machine, she has found that keeping count on the number of times the machine has revolved can be somewhat challenging. Of course this situation created a need for an electronic counter.

The idea is to use a microswitch to detect the notches on the machine, and use an ATMEGA328P microcontroller (MCU), running at 16MHz, to keep track of the count. The MCU is the same used by the famous Arduino hobby board.

Installing the Boot Loader to an ATMEGA328P

I setup a Raspberry Pi workstation and installed the Arduino IDE on Raspbian. Using a simple circuit described here. I was able to install the boot loader and program a generic ATMEGA328P chip using an Arduino Uno board.

The next step is to create a simple Arduino sketch that keeps count on the number of times the microswitch has been pressed. I also enhanced the sketch to track each press as a “tick” and have the ability to remember how many ticks make a single revolution of the knitting machine. In this fashion, the counter can be used on different sizes of circular knitting machines. The goal is to count both the number of ticks and the number of revolutions knitted so far.

Prototype the circuit
Perfboard example

The circuit is then prototyped on a breadboard with an LCD display (LCD 1602). This was the easy part. The hardest part is to solder everything on a perfboard and then design a suitable 3D printed case.

It took many tries on the 3D printer to get certain tolerance right. Finally, putting everything together we get this:

Working counter integrated with the knitting machine!

I have to say that this work was super satisfying. As a bonus, the counter can work with any type of sensors or switches that act as Normally Open (NO) and closes when it detects or closed respectively.

As a learning process and an experiment, I would like to create a simple PCB with JCLPCB. However, I have yet to start on that yet.

PlexConnect with Apache 2

To get Plex working on my old Apple TV 3, I had to setup a PlexConnect server that bridges the Apple TV 3 to the Plex Media Server. Previously I discussed about hosting the PlexConnect server on a virtual machine (VM) because the host that PlexConnect is running on must be listening to port 80 and 443. Having a virtual machine is a big nuisance, because the VM may not be up and running. I even try to host PlexConnect on a dedicate Raspberry Pi so that I can leave it on, but that proved to be too slow.

I do have a Network Attached Storage (NAS) server so it will be ideal to run PlexConnect on that, but the NAS server is running Apache 2 which is already using port 80 and 443. Eureka! How about running a reverse proxy that points to an instance of PlexConnect running on the NAS that is running on a separate port. A quick Google search for the term “PlexConnect and Apache 2” found this page on GitHub. The article turned out to be extremely helpful.

I downloaded PlexConnect as before and created the certificates.

cd /home/kang


tar zxvf V0.6.tar.gz 

mv PlexConnect-0.6 PlexConnect

rm V0.6.tar.gz

cd PlexConnect/assets/certificates

openssl req -new -nodes -newkey rsa:2048 -out trailers.pem -keyout trailers.key -x509 -days 365 -subj "/C=US/"

openssl x509 -in trailers.pem -outform der -out trailers.cer && cat trailers.key >> trailers.pem

I then have to tell PlexConnect the following:

  • Do not enable DNS since we already have a DNS server running;
  • Do not enable automatic IP detection because it will get the wrong VPN client IP, instead I hard coded the IP;
  • Disable SSL server because this will be handled by Apache 2;
  • Change the port number from 80 to 18080

The final Settings.cfg configuration file looks like this with the changed values highlighted in bold:

enable_plexgdm = True
ip_pms =
port_pms = 32400
enable_dnsserver = False
port_dnsserver = 53
ip_dnsmaster =
prevent_atv_update = True
intercept_atv_icon = True
icon = movie-trailers
enable_plexconnect_autodetect = False
ip_plexconnect =
hosttointercept =
port_webserver = 18080
enable_webserver_ssl = False
port_ssl = 18443
certfile = ./assets/certificates/trailers.pem
allow_gzip_atv = False
allow_gzip_pmslocal = False
allow_gzip_pmsremote = True
loglevel = Normal
logpath = .

I had to configure my firewall’s local DNS to resolve to my NAS server, which is This was pretty simple on my UniFi Universal Secure Gateway (USG).

The Apache 2 configuration files needed to be setup with the reverse proxy for both port 80 and 443. To do this I added the following VirtualHost settings.

<VirtualHost *:443>

        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile "/home/kang/PlexConnect/assets/certificates/trailers.pem"
        SSLCertificateKeyFile "/home/kang/PlexConnect/assets/certificates/trailers.key"

	<Proxy *>
		Require ip

        RequestHeader set User-Agent AppleTV
        ProxyRequests Off
        ProxyPass / http://avs.localdomain:18080/ nocanon
        ProxyPassReverse / http://avs.localdomain:18080/
<VirtualHost *:80>
        SSLEngine off

	<Proxy *>
		Require ip

        RequestHeader set User-Agent AppleTV
        ProxyRequests Off
        ProxyPass / http://avs.localdomain:18080/ nocanon
        ProxyPassReverse / http://avs.localdomain:18080/

I also needed to enable the headers module.

sudo a2enmod headers

We then needed to create a new systemctl service for PlexConnect. I had to create a plexconnect.service file in /etc/systemd/system with the following contents.

 ExecStart=/usr/bin/python /home/kang/PlexConnect/

The final steps are:

  • Check the Apache configuration file
  • Restart Apache
  • Start PlexConnect
sudo apache2ctl configtest

sudo systemctl restart apache2

sudo systemctl start plexconnect.service

Went to the Apple TV 3, and reconfigure the DNS to auto, removed the old profile and re-add as the new profile. I discussed in my previous blog.

After signing into my Plex account, and testing various Plex media sources with the Trailers app, as well as trying out YouTube and the Prime Video app, everything is good! The VM is no longer required and we declare victory!