Ryan Malloy a62d1b4064 Fix Caddyfile layer4 network address syntax
Update to use correct Caddy network address format:
- network/address instead of address/network
- udp/:5060 instead of :5060/udp
- Remove invalid tls subdirective from proxy handler
2025-12-06 16:52:10 -07:00

Caddyfile

# Caddy SIP Guardian - Production Configuration
#
# This Caddyfile configures:
# 1. Layer 4 SIP proxying with rate limiting and ban management
# 2. Admin API for managing bans (internal only)
# 3. Web interface proxying for FreePBX
#
# Network address format: network/address (network defaults to tcp)
# Examples: udp/:5060, tcp/:5060, :5060 (defaults to tcp)
{
	# Caddy's own admin API (read and replace the full running configuration).
	# Bound on all interfaces so other containers can reach it. Anyone who can
	# open TCP/2019 can reload this whole Caddyfile, so the port must stay on
	# the internal Docker network and never be published to the host/outside.
	# NOTE(review): the Caddyfile `admin` block also supports `origins` /
	# `enforce_origin` to restrict callers — confirm against the Caddy version in use.
	admin 0.0.0.0:2019

	# Layer 4 app: raw UDP/TCP listeners for SIP. Listener addresses are written
	# network/address; within a listener, routes are evaluated in the order given.
	layer4 {
		# SIP over UDP (most common)
		udp/:5060 {
			# Named matcher: SIP traffic whose request method is one of those listed
			# (presumably decided from the initial datagram — verify in the sip matcher docs).
			@sip sip {
				methods REGISTER INVITE OPTIONS ACK BYE CANCEL INFO NOTIFY SUBSCRIBE MESSAGE
			}
			route @sip {
				# Ban management: 5 failures within a 10m window bans the source for 1h.
				# The whitelist (never banned) covers all RFC 1918 private ranges.
				# NOTE(review): if SIP reaches this container through a NAT, userland
				# proxy or SBC that rewrites the source to a private address, every
				# client lands in the whitelist and banning is ineffective — confirm
				# what source address this listener actually sees in deployment.
				sip_guardian {
					max_failures 5
					find_time 10m
					ban_time 1h
					whitelist 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
				}
				# Upstream defaults to freepbx:5060; both parts overridable via environment.
				proxy udp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_PORT:5060}
			}
			# Traffic not matched by @sip. This route carries no handlers, so
			# nothing is logged here despite the "log and drop" intent;
			# NOTE(review): whether the datagram is dropped or otherwise handled
			# depends on layer4's end-of-route behaviour — confirm.
			route {
				# Could proxy to a honeypot or just close
			}
		}
		# SIP over TCP
		# NOTE(review): unlike the UDP listener, this matcher has no method filter
		# and sip_guardian runs with the plugin's defaults rather than the explicit
		# 5 / 10m / 1h / whitelist policy above — confirm that divergence is intended.
		tcp/:5060 {
			@sip sip
			route @sip {
				sip_guardian
				proxy tcp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_PORT:5060}
			}
		}
		# SIP over TLS (SIPS) - passthrough to upstream
		# The TLS session is not terminated here, so sip_guardian can only see the
		# encrypted stream; NOTE(review): confirm the sip matcher and sip_guardian
		# behave as intended on TLS traffic they cannot inspect.
		tcp/:5061 {
			@sip sip
			route @sip {
				sip_guardian
				# Passthrough TLS - upstream handles TLS termination
				proxy tcp/{$SIP_UPSTREAM_HOST:freepbx}:{$SIP_UPSTREAM_TLS_PORT:5061}
			}
		}
	}
}
# SIP Guardian admin API (HTTP on :2020).
# Access control is by peer IP only: remote_ip matches the TCP peer address
# (by default not any forwarded header), and there is no authentication on
# top of it. NOTE(review): if this port is published through Docker or sits
# behind another proxy, the peer seen here may be the bridge gateway or proxy
# address, which falls inside 172.16.0.0/12 and would admit external clients —
# confirm how the port is exposed and prefer keeping it unpublished.
:2020 {
	@internal {
		remote_ip 127.0.0.1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	}
	handle @internal {
		# SIP Guardian Admin endpoints (ban management)
		handle /api/sip-guardian/* {
			sip_guardian_admin
		}
		# Health check
		handle /health {
			respond "OK" 200
		}
		# Stats — served by the same admin handler as the API above;
		# presumably it dispatches on request path — verify in the plugin.
		handle /stats {
			sip_guardian_admin
		}
		# Internal requests matching none of the handles above leave this block
		# without a responding handler; NOTE(review): confirm the resulting
		# response is acceptable, or add an explicit 404 here.
	}
	# Any peer outside @internal
	handle {
		respond "Forbidden" 403
	}
}