From a62d1b40649a992684896210647ad26d5d073f87 Mon Sep 17 00:00:00 2001
From: Ryan Malloy <ryan@supported.systems>
Date: Sat, 6 Dec 2025 16:52:10 -0700
Subject: [PATCH] Fix Caddyfile layer4 network address syntax

Update to use correct Caddy network address format:
- network/address instead of address/network
- udp/:5060 instead of :5060/udp
- Remove invalid tls subdirective from proxy handler
---
 Caddyfile | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/Caddyfile b/Caddyfile
index 39fbac3..5afb626 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -4,18 +4,18 @@
 # 1. Layer 4 SIP proxying with rate limiting and ban management
 # 2. Admin API for managing bans (internal only)
 # 3. Web interface proxying for FreePBX
+#
+# Network address format: network/address (network defaults to tcp)
+# Examples: udp/:5060, tcp/:5060, :5060 (defaults to tcp)
 
 {
 	# Enable admin API on all interfaces for docker
 	admin 0.0.0.0:2019
 
-	# Global rate limiting zones
-	# These are shared across all routes
-
 	# Layer 4 Apps - SIP Traffic
 	layer4 {
 		# SIP over UDP (most common)
-		:5060/udp {
+		udp/:5060 {
 			@sip sip {
 				methods REGISTER INVITE OPTIONS ACK BYE CANCEL INFO NOTIFY SUBSCRIBE MESSAGE
 			}
@@ -37,7 +37,7 @@
 		}
 
 		# SIP over TCP
-		:5060/tcp {
+		tcp/:5060 {
 			@sip sip
 
 			route @sip {
@@ -46,15 +46,14 @@
 			}
 		}
 
-		# SIP over TLS (SIPS)
-		:5061/tcp {
+		# SIP over TLS (SIPS) - passthrough to upstream
+		tcp/:5061 {
 			@sip sip
 
 			route @sip {
 				sip_guardian
-				proxy tcp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_TLS_PORT:5061} {
-					tls
-				}
+				# Passthrough TLS - upstream handles TLS termination
+				proxy tcp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_TLS_PORT:5061}
 			}
 		}
 	}