caddy-sip-guardian/Caddyfile.example
Ryan Malloy 1ba05e160c Initial commit: Caddy SIP Guardian module
Layer 4 SIP protection with:
- SIP traffic matching (REGISTER, INVITE, etc.)
- Rate limiting and automatic IP banning
- Attack pattern detection (sipvicious, friendly-scanner)
- CIDR whitelisting
- Admin API for ban management
2025-12-06 16:38:07 -07:00


# Example Caddyfile for SIP Guardian with Layer 4 proxying
#
# This configuration provides:
# - Layer 4 SIP traffic proxying (TCP/UDP on 5060, TLS on 5061)
# - SIP-aware rate limiting and ban management
# - Admin API for managing bans
# - Regular HTTPS reverse proxy for web interfaces
{
	# Global options

	# Caddy's own admin endpoint, bound to localhost only. This is separate
	# from the sip_guardian_admin HTTP API configured in a site block below.
	admin localhost:2019

	# Layer 4 configuration
	# Each listener below has a single route, guarded by the @sip matcher, so
	# only traffic that the sip matcher accepts reaches sip_guardian and the
	# proxy to the asterisk backend.
	layer4 {
		# SIP over UDP (standard)
		# NOTE(review): Caddy network addresses are normally written
		# network/host:port (as the upstreams here are: udp/asterisk:5060).
		# Confirm that the layer4 app accepts the ":5060/udp" form used for
		# these listeners; a listener that fails to bind leaves the port
		# without the guardian in front of it.
		:5060/udp {
			@sip sip
			route @sip {
				sip_guardian {
					# Uses default settings from sip_guardian module
					# NOTE(review): the default rate limits, ban duration and
					# whitelist are not visible in this file; review them
					# before relying on this example in production.
				}
				proxy udp/asterisk:5060
			}
		}

		# SIP over TCP
		:5060/tcp {
			@sip sip
			route @sip {
				sip_guardian
				proxy tcp/asterisk:5060
			}
		}

		# SIP over TLS
		# NOTE(review): no TLS-terminating handler appears in this route ahead
		# of the sip matcher and sip_guardian. Unless the module decrypts the
		# stream itself, both would see the client's TLS handshake bytes rather
		# than SIP requests, so the method filter and the guardian checks may
		# never apply on this port. Confirm whether a TLS match/terminate step
		# is needed first.
		:5061/tcp {
			# Unlike the 5060 listeners, this matcher is limited to the listed
			# methods; requests using any other method do not match @sip and
			# therefore never reach the route below.
			@sip sip {
				methods REGISTER INVITE OPTIONS ACK BYE CANCEL
			}
			route @sip {
				sip_guardian
				# Presumably re-encrypts the connection to the backend; confirm
				# that the upstream certificate is verified and that "tls" is
				# accepted directly inside the proxy block.
				proxy tcp/asterisk:5061 {
					tls
				}
			}
		}
	}
}
# SIP Guardian Admin API
# Exposes the ban-management API over HTTP(S). The only access control visible
# in this block is the source-address allowlist below; no authentication
# directive is configured, and whether sip_guardian_admin authenticates callers
# itself is not visible here. Consider adding authentication (for example
# basic auth or client certificates) in front of the handler, since any host
# in the allowed ranges can otherwise manage bans.
admin.sip.example.com {
	# Restrict to internal networks (the three RFC 1918 private ranges).
	# remote_ip matches the address of the immediate peer. If this site is
	# reached through a load balancer, NAT gateway or another proxy that has a
	# private address, every request will match @internal, including requests
	# that originate from the internet.
	@internal {
		remote_ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	}

	# Internal clients: only paths under /api/sip-guardian/ are routed to the
	# admin handler. handle blocks are mutually exclusive, so an internal
	# request for any other path does not fall through to the 403 below.
	handle @internal {
		route /api/sip-guardian/* {
			sip_guardian_admin
		}
	}

	# Everyone else is refused.
	handle {
		respond "Forbidden" 403
	}
}
# FreePBX Web Interface
pbx.example.com {
	# Rate limit requests to the web interface: 10 events per 1m window, keyed
	# on the client address ({remote_host}). There is no path matcher, so the
	# zone counts every request to this site, not only login attempts; scope
	# it to the login path if only logins should be throttled. Clients that
	# share one address (NAT, proxy) also share one bucket.
	# NOTE(review): rate_limit is not a standard Caddy directive and presumably
	# comes from a rate-limiting plugin; confirm it is compiled in and ordered
	# (or wrapped in a route block) so that it runs before reverse_proxy.
	rate_limit {
		zone pbx_login {
			key {remote_host}
			events 10
			window 1m
		}
	}

	# Traffic to the FreePBX backend is plain HTTP on port 80.
	reverse_proxy freepbx:80
}
# Generic SIP status page
# Static response with no access restriction. It does not query the
# sip_guardian module, so a 200 here only shows that Caddy is serving this
# site, not that SIP protection is working. It also tells any visitor that
# SIP Guardian is deployed on this host.
sip.example.com {
	respond "SIP Guardian Active" 200
}