# Example Caddyfile for SIP Guardian with Layer 4 proxying
#
# This configuration provides:
# - Layer 4 SIP traffic proxying (TCP/UDP on 5060, TLS on 5061)
# - SIP-aware rate limiting and ban management
# - Admin API for managing bans
# - Regular HTTPS reverse proxy for web interfaces

{
	# Global options
	admin localhost:2019

	# Layer 4 configuration
	layer4 {
		# SIP over UDP (standard)
		:5060/udp {
			@sip sip
			route @sip {
				sip_guardian {
					# Uses default settings from sip_guardian module
				}
				proxy udp/asterisk:5060
			}
		}

		# SIP over TCP
		:5060/tcp {
			@sip sip
			route @sip {
				sip_guardian
				proxy tcp/asterisk:5060
			}
		}

		# SIP over TLS
		:5061/tcp {
			@sip sip {
				methods REGISTER INVITE OPTIONS ACK BYE CANCEL
			}
			route @sip {
				sip_guardian
				proxy tcp/asterisk:5061 {
					tls
				}
			}
		}
	}
}

# SIP Guardian Admin API
admin.sip.example.com {
	# Restrict to internal networks
	@internal {
		remote_ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	}

	handle @internal {
		route /api/sip-guardian/* {
			sip_guardian_admin
		}
	}

	handle {
		respond "Forbidden" 403
	}
}

# FreePBX Web Interface
pbx.example.com {
	# Rate limit login attempts
	rate_limit {
		zone pbx_login {
			key {remote_host}
			events 10
			window 1m
		}
	}

	reverse_proxy freepbx:80
}

# Generic SIP status page
sip.example.com {
	respond "SIP Guardian Active" 200
}