config, docs: update whitelists.yaml.j2 and crowdsec.md to add whitelist expression to fix false positive of opencloud chunk problem

2026-04-04 09:59:58 +09:00
parent 0b7d1c4d78
commit 075b796608
2 changed files with 14 additions and 0 deletions
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -16,4 +16,6 @@ whitelist:
        - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'"
        # immich thumbnail request 404 error false positive
        - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
+        # opencloud chunk request false positive
+        - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
 {% endif %}
--- a/docs/services/common/crowdsec.md
+++ b/docs/services/common/crowdsec.md
@@ -235,4 +235,16 @@ fw@fw:~$ sudo cscli alerts inspect 230 -d
 - check the log and analyze and make expression
  - e.g. immich
    - evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
+  - e.g. opencloud
+    - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
+- free false positive decision
+
+fw@fw:~$ sudo cscli decision list
+╭─────────┬──────────┬───────────────────┬──────────────────────────────────────┬────────┬─────────┬────────────────────────┬────────┬────────────────────┬──────────╮
+│   ID    │  Source  │    Scope:Value    │                Reason                │ Action │ Country │           AS           │ Events │     expiration     │ Alert ID │
+├─────────┼──────────┼───────────────────┼──────────────────────────────────────┼────────┼─────────┼────────────────────────┼────────┼────────────────────┼──────────┤
+│ 5280078 │ crowdsec │ Ip:223.195.50.112 │ crowdsecurity/http-crawl-non_statics │ ban    │ KR      │ 9769 Sejong University │ 43     │ 3h42m21.824049012s │ 430      │
+╰─────────┴──────────┴───────────────────┴──────────────────────────────────────┴────────┴─────────┴────────────────────────┴────────┴────────────────────┴──────────╯
+fw@fw:~$ sudo cscli decision delete --id 5280078
+INFO[04-04-2026 09:55:02] 1 decision(s) deleted