- Add Cleanup() method (caddy.CleanerUpper) to stop goroutines on config
reload, preventing goroutine leaks
- Add Validate() method (caddy.Validator) for early config validation with
reasonable bounds checking
- Add public BanIP() method for admin handler, replacing direct internal
state manipulation
- Add bounds checking for failure tracker and ban maps to prevent memory
exhaustion under DDoS (100k/50k limits)
- Add eviction functions to proactively clean oldest entries when at capacity
Support for whitelisting SIP trunks and providers by hostname or SRV
record with automatic IP resolution and periodic refresh.

Features:
- Hostname resolution via A/AAAA records
- SRV record resolution (e.g., _sip._udp.provider.com)
- Configurable refresh interval (default 5m)
- Stale entry handling when DNS fails
- Admin API endpoints for DNS whitelist management
- Caddyfile directives: whitelist_hosts, whitelist_srv, dns_refresh

This allows whitelisting by provider name rather than tracking
constantly-changing IP addresses.
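An added example, not the module's own code, of the hostname/SRV whitelist refresh this commit describes, together with the Cleanup() lifecycle from the commit above: whitelist_hosts names and _service._proto.name SRV records are resolved through an injected Resolver (its two methods match *net.Resolver's signatures, so a fake can replace real DNS offline), a failed lookup keeps the stale answer, and Cleanup() cancels the refresh goroutine so a config reload does not leak it. The Whitelist type, its field names, the "_" prefix used here to tell an SRV entry from a hostname, and the requirement that Refresh be set (the commit's default is 5m) are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

// Resolver is the slice of *net.Resolver this example needs; a fake can stand in.
type Resolver interface {
	LookupIPAddr(ctx context.Context, host string) ([]net.IPAddr, error)
	LookupSRV(ctx context.Context, service, proto, name string) (string, []*net.SRV, error)
}

// Whitelist keeps the last good answer per entry and owns the refresh goroutine.
type Whitelist struct {
	Entries []string      // whitelist_hosts names, or _service._proto.name for whitelist_srv
	Refresh time.Duration // dns_refresh interval; must be > 0 (the commit's default is 5m)
	Res     Resolver
	mu      sync.Mutex
	ips     map[string][]net.IP // entry -> last successful resolution
	cancel  context.CancelFunc
	done    chan struct{}
}

// resolve handles one entry: a leading "_" marks an SRV record, which is split
// into LookupSRV's (service, proto, name) and whose targets are then resolved.
func (w *Whitelist) resolve(ctx context.Context, e string) (ips []net.IP, err error) {
	if !strings.HasPrefix(e, "_") { // plain hostname: A/AAAA lookup
		addrs, err := w.Res.LookupIPAddr(ctx, strings.TrimSuffix(e, "."))
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
		return ips, err
	}
	p := strings.SplitN(e, ".", 3) // "_sip._udp.provider.example" -> sip, udp, provider.example
	if len(p) != 3 || !strings.HasPrefix(p[1], "_") {
		return nil, fmt.Errorf("whitelist_srv %q: want _service._proto.name", e)
	}
	_, targets, err := w.Res.LookupSRV(ctx, p[0][1:], p[1][1:], p[2])
	for _, t := range targets { // each SRV target still needs its own address lookup
		got, err := w.resolve(ctx, t.Target)
		if err != nil {
			return nil, err
		}
		ips = append(ips, got...)
	}
	return ips, err
}

// RefreshOnce re-resolves every entry, locking only for the swap-in. A failed
// lookup keeps the previous (stale) answer, which beats dropping a trunk
// during a DNS outage; the count lets the caller log it or bump a metric.
func (w *Whitelist) RefreshOnce(ctx context.Context) (failed int) {
	for _, e := range w.Entries {
		ips, err := w.resolve(ctx, e)
		if err != nil {
			failed++
			continue
		}
		w.mu.Lock()
		if w.ips == nil {
			w.ips = map[string][]net.IP{}
		}
		w.ips[e] = ips
		w.mu.Unlock()
	}
	return failed
}

// Start refreshes now and then every Refresh until Cleanup; the context also
// aborts an in-flight lookup on reload.
func (w *Whitelist) Start() {
	ctx, cancel := context.WithCancel(context.Background())
	w.cancel, w.done = cancel, make(chan struct{})
	go func() {
		defer close(w.done)
		for ctx.Err() == nil {
			w.RefreshOnce(ctx)
			select {
			case <-time.After(w.Refresh): // Go 1.23+ reclaims an unfired timer
			case <-ctx.Done():
			}
		}
	}()
}

// Cleanup has the shape of caddy.CleanerUpper's Cleanup() error: Caddy calls
// it when the old config is unloaded, so the goroutine exits instead of leaking.
func (w *Whitelist) Cleanup() error {
	w.cancel()
	<-w.done
	return nil
}
```

A non-zero return from RefreshOnce while the whitelist still works is the signature of a stale entry being served, which is worth a metric of its own; the "_" prefix heuristic is this example's, since the module has separate whitelist_hosts and whitelist_srv directives and needs no such guess.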
Documents all new features:
- Extension enumeration detection with config examples
- SIP message validation rules and modes
- Topology hiding (B2BUA-lite) with request/response flow diagrams
- Complete Caddyfile configuration reference
- Prometheus metrics reference
- Admin API endpoints
- Integration examples for FreePBX, Kamailio, and HA setups
- Security considerations

Architecture diagram updated to show full processing pipeline.

- Fix SetEnumerationConfig to create the detector if it does not exist
  Previously, the config would be silently discarded if called before
  the detector was lazily initialized by GetEnumerationDetector.
- Add test_enumeration.py script for sandbox testing
  Includes fire-and-forget mode (--no-wait) for proper scanner simulation.
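An added example, not the module's own code, of the ordering bug this fix describes and the corrected shape beside it, in Go: with a lazily created detector, a SetEnumerationConfig that returns when the detector is nil loses the config, and the later GetEnumerationDetector starts from defaults, so the detector runs with the wrong threshold. Only the two method names come from the commit; the Handler and EnumerationDetector types, the Observe logic, the Threshold field and its default of 20 are assumptions of this example.

```go
package main

import "sync"

// EnumerationConfig holds the detector's tunables (field name assumed).
type EnumerationConfig struct {
	Threshold int // distinct extensions one source may probe before it is flagged
}

// DefaultEnumerationConfig is what the lazy path starts with (assumed value).
var DefaultEnumerationConfig = EnumerationConfig{Threshold: 20}

// EnumerationDetector tracks, per source address, which extensions it probed.
type EnumerationDetector struct {
	mu   sync.Mutex
	cfg  EnumerationConfig
	seen map[string]map[string]struct{} // src -> set of extensions
}

// Observe records that src targeted extension ext and reports whether src has
// now touched at least Threshold distinct extensions, the enumeration signal.
func (d *EnumerationDetector) Observe(src, ext string) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	if d.seen == nil {
		d.seen = map[string]map[string]struct{}{}
	}
	if d.seen[src] == nil {
		d.seen[src] = map[string]struct{}{}
	}
	d.seen[src][ext] = struct{}{}
	return len(d.seen[src]) >= d.cfg.Threshold
}

func (d *EnumerationDetector) setConfig(cfg EnumerationConfig) {
	d.mu.Lock()
	d.cfg = cfg
	d.mu.Unlock()
}

func (d *EnumerationDetector) Config() EnumerationConfig {
	d.mu.Lock()
	defer d.mu.Unlock()
	return d.cfg
}

// Handler owns the lazily created detector, as the commit describes.
type Handler struct {
	mu       sync.Mutex
	detector *EnumerationDetector
}

// GetEnumerationDetector creates the detector on first use with defaults.
func (h *Handler) GetEnumerationDetector() *EnumerationDetector {
	h.mu.Lock()
	defer h.mu.Unlock()
	if h.detector == nil {
		h.detector = &EnumerationDetector{cfg: DefaultEnumerationConfig}
	}
	return h.detector
}

// setEnumerationConfigBuggy reproduces the pre-fix behaviour: with no detector
// yet, the config is silently discarded and the later lazy init uses defaults.
func (h *Handler) setEnumerationConfigBuggy(cfg EnumerationConfig) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if h.detector == nil {
		return // bug: nothing remembers cfg
	}
	h.detector.setConfig(cfg)
}

// SetEnumerationConfig is the fixed shape: create the detector if it does not
// exist, so the config lands whichever call comes first.
func (h *Handler) SetEnumerationConfig(cfg EnumerationConfig) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if h.detector == nil {
		h.detector = &EnumerationDetector{}
	}
	h.detector.setConfig(cfg)
}
```

The silent part is what makes this class of bug costly: nothing fails at load time, the detector simply runs with a threshold nobody configured, so a log line or metric for "config applied before/after detector creation" is a cheap regression check. The per-source set here is unbounded; the capacity limits discussed for the failure tracker apply to it just as well.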
The layer4 matchers and handlers must implement caddyfile.Unmarshaler
to be usable in Caddyfile syntax. This enables proper parsing of:
- @sip sip { methods ... } matchers
- sip_guardian { ... } handlers