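# Caddy SIP Guardian - Production Configuration
#
# This Caddyfile configures:
#   1. Layer 4 SIP proxying (UDP, TCP, TLS passthrough) with rate limiting
#      and ban management via the sip_guardian handler
#   2. A ban-management admin API on :2020, reachable from internal
#      networks only
#
# NOTE: the FreePBX web interface is NOT proxied by this file. If HTTP(S)
# proxying for FreePBX is required it must be added as a separate site
# block (and should carry its own access controls).
#
# Network address format: network/address (network defaults to tcp)
# Examples: udp/:5060, tcp/:5060, :5060 (defaults to tcp)
#
# Environment overrides (all optional):
#   CADDY_ADMIN_LISTEN     listen address of Caddy's own admin API (default 0.0.0.0:2019)
#   SIP_UPSTREAM_HOST      upstream PBX host (default freepbx)
#   SIP_UPSTREAM_PORT      upstream SIP port for UDP/TCP (default 5060)
#   SIP_UPSTREAM_TLS_PORT  upstream SIPS port (default 5061)

{
	# Caddy's built-in admin API. It is UNAUTHENTICATED and allows anyone who
	# can reach it to replace the running configuration (including the ban
	# rules below). The default binds all interfaces so that sidecar
	# containers on the same docker network can reach it. Do NOT publish
	# port 2019 to the host or to untrusted networks; on a shared network
	# override with CADDY_ADMIN_LISTEN=localhost:2019 (or set `admin off`).
	admin {$CADDY_ADMIN_LISTEN:0.0.0.0:2019}

	# Layer 4 Apps - SIP Traffic
	layer4 {
		# SIP over UDP (most common)
		udp/:5060 {
			@sip sip {
				methods REGISTER INVITE OPTIONS ACK BYE CANCEL INFO NOTIFY SUBSCRIBE MESSAGE
			}
			route @sip {
				# Ban a source after max_failures failed attempts within
				# find_time; the ban lasts ban_time. The whitelist exempts the
				# RFC 1918 ranges from banning, so a compromised internal host
				# is never rate limited - keep it as narrow as the deployment allows.
				sip_guardian {
					max_failures 5
					find_time 10m
					ban_time 1h
					whitelist 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
				}
				proxy udp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_PORT:5060}
			}
			# Datagrams that do not look like SIP. No handler is configured here,
			# so this route neither logs nor forwards; unmatched traffic is simply
			# not proxied. Add a handler (e.g. a honeypot proxy) if logging of
			# non-SIP probes is wanted.
			route {
			}
		}

		# SIP over TCP
		tcp/:5060 {
			@sip sip
			route @sip {
				# Same thresholds and whitelist as the UDP listener so that an
				# attacker cannot get a laxer policy by switching transport.
				sip_guardian {
					max_failures 5
					find_time 10m
					ban_time 1h
					whitelist 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
				}
				proxy tcp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_PORT:5060}
			}
		}

		# SIP over TLS (SIPS) - passthrough to upstream
		tcp/:5061 {
			# NOTE(review): TLS is terminated upstream, so Caddy only sees the
			# encrypted stream on this listener. Unless the sip matcher and
			# sip_guardian handler are TLS-aware, they cannot inspect SIP
			# methods or detect failed registrations here - the matcher may
			# never match, and bans from 5060 are the only protection. Verify
			# this path against the plugin, or match on `tls` instead and
			# terminate TLS in Caddy if inspection is required.
			@sip sip
			route @sip {
				sip_guardian {
					max_failures 5
					find_time 10m
					ban_time 1h
					whitelist 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
				}
				# Passthrough TLS - upstream handles TLS termination
				proxy tcp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_TLS_PORT:5061}
			}
		}
	}
}

# Admin API - only accessible from internal networks.
# remote_ip checks the direct TCP peer address (no forwarded headers are
# trusted), so if another proxy sits in front of this listener every request
# will appear to come from that proxy. This listener is otherwise
# unauthenticated; do not expose :2020 beyond the internal networks listed.
:2020 {
	@internal {
		# ::1 is included so loopback checks over IPv6 are not rejected.
		remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	}

	handle @internal {
		# SIP Guardian Admin endpoints
		handle /api/sip-guardian/* {
			sip_guardian_admin
		}

		# Health check
		handle /health {
			respond "OK" 200
		}

		# Stats
		handle /stats {
			sip_guardian_admin
		}
	}

	# Everything not from an internal address
	handle {
		respond "Forbidden" 403
	}
}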