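# Sandbox Caddyfile for SIP Guardian Testing
#
# This configuration showcases all the new features:
# - Prometheus metrics endpoint
# - Rate limiting per method (built-in defaults)
# - Suspicious pattern detection
#
# Note: Storage and webhooks are configured in JSON config mode,
# as the L4 handler uses the shared global guardian instance.
#
# Sandbox only: thresholds and ban times are deliberately low, debug logging
# is enabled, and neither management listener (2019, 2020) has any access
# control configured in this file. Keep both ports on the isolated test
# network and do not reuse these values for a production deployment.
{
    # Verbose logging for test runs.
    debug

    # Caddy admin API. It can replace the running configuration and no access
    # control is configured for it here, so the all-interfaces default is only
    # appropriate inside the sandbox network. CADDY_ADMIN_LISTEN is an
    # environment variable introduced by this file to narrow the bind address
    # (for example to localhost:2019) without editing the config; when it is
    # unset the original sandbox address is used.
    admin {$CADDY_ADMIN_LISTEN:0.0.0.0:2019}

    layer4 {
        # SIP over UDP
        udp/:5060 {
            # Only the listed SIP methods are matched on this listener.
            @sip sip {
                methods REGISTER INVITE OPTIONS ACK BYE CANCEL INFO NOTIFY SUBSCRIBE MESSAGE
            }

            route @sip {
                sip_guardian {
                    max_failures 3 # Lower for faster testing
                    find_time 2m # Shorter window
                    ban_time 5m # Short bans for testing

                    # Whitelist legitimate test clients
                    whitelist 10.55.0.50/32 # client container
                    whitelist 10.55.0.51/32 # linphone container

                    # Enumeration detection (low thresholds for testing)
                    enumeration {
                        max_extensions 10
                        extension_window 2m
                        sequential_threshold 5
                        rapid_fire_count 8
                        rapid_fire_window 10s
                        ban_time 10m
                        exempt_extensions 100 200
                    }
                }

                proxy udp/{$SIP_UPSTREAM_HOST}:{$SIP_UPSTREAM_PORT}
            }

            # Unmatched traffic - drop silently
            route {
            }
        }

        # SIP over TCP
        # NOTE(review): unlike the UDP listener, this one matches any SIP
        # method, declares no enumeration block and has no catch-all route for
        # unmatched traffic. The header note suggests the guardian instance is
        # shared, so the settings may carry over - confirm that the difference
        # between transports is intended.
        tcp/:5060 {
            @sip sip

            route @sip {
                sip_guardian {
                    max_failures 3
                    find_time 2m
                    ban_time 5m
                    whitelist 10.55.0.50/32
                    whitelist 10.55.0.51/32
                }

                proxy tcp/{$SIP_UPSTREAM_HOST}:{$SIP_UPSTREAM_TLS_PORT}
            }
        }
    }
}

# Admin API and Metrics
# None of the handlers below has authentication configured in this file, and
# the site listens on every interface. Restrict port 2020 to the test network
# (or place an authenticating proxy in front of it) before exposing it further.
:2020 {
    # SIP Guardian admin endpoints
    handle /api/sip-guardian/* {
        sip_guardian_admin
    }

    # Prometheus metrics endpoint
    handle /metrics {
        sip_guardian_metrics
    }

    # Health check
    handle /health {
        respond "OK" 200
    }

    # Stats (alias for backwards compatibility)
    # Served by the same admin handler as /api/sip-guardian/*, so it needs the
    # same network restrictions.
    handle /stats {
        sip_guardian_admin
    }
}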