rsp2k/caddy-sip-guardian
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
caddy-sip-guardian/Dockerfile
Ryan Malloy c73fa9d3d1 Add extension enumeration detection and comprehensive SIP protection 
Major features:
- Extension enumeration detection with 3 detection algorithms:
  - Max unique extensions threshold (default: 20 in 5 min)
  - Sequential pattern detection (e.g., 100,101,102...)
  - Rapid-fire detection (many extensions in short window)
- Prometheus metrics for all SIP Guardian operations
- SQLite persistent storage for bans and attack history
- Webhook notifications for ban/unban/suspicious events
- GeoIP-based country blocking with continent shortcuts
- Per-method rate limiting with token bucket algorithm

Bug fixes:
- Fix whitelist count always reporting zero in stats
- Fix whitelisted connections metric never incrementing
- Fix Caddyfile config not being applied to shared guardian

New files:
- enumeration.go: Extension enumeration detector
- enumeration_test.go: 14 comprehensive unit tests
- metrics.go: Prometheus metrics handler
- storage.go: SQLite persistence layer
- webhooks.go: Webhook notification system
- geoip.go: MaxMind GeoIP integration
- ratelimit.go: Per-method rate limiting

Testing:
- sandbox/ contains complete Docker Compose test environment
- All 14 enumeration tests pass
2025-12-07 15:22:28 -07:00

28 lines
850 B
Docker
Raw Blame History

# Build custom Caddy with SIP Guardian and Layer 4 support
# Use latest builder with Go 1.25+ for caddy-l4 compatibility
FROM caddy:builder AS builder
# Copy local module source
COPY . /src/caddy-sip-guardian
# Build Caddy with local module (using replace directive)
# Using latest caddy-l4 which requires Go 1.25+
WORKDIR /src
RUN xcaddy build \
--with github.com/mholt/caddy-l4 \
--with git.supported.systems/rsp2k/caddy-sip-guardian=/src/caddy-sip-guardian
FROM caddy:alpine
COPY --from=builder /src/caddy /usr/bin/caddy
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD wget -qO- http://localhost:2019/config/ || exit 1
EXPOSE 80 443 443/udp 5060 5060/udp 5061
ENTRYPOINT ["caddy"]
# Default: run with Caddyfile
CMD ["run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
Reference in New Issue View Git Blame Copy Permalink