From 075b7966083740def7546a0f3fe93ec09b1c91d9 Mon Sep 17 00:00:00 2001
From: il
Date: Sat, 4 Apr 2026 09:59:58 +0900
Subject: [PATCH] config, docs: update whitelists.yaml.j2 and crowdsec.md to add whitelist expression to fix false positive of opencloud chunk problem

---
 .../common/crowdsec/bouncers/whitelists.yaml.j2 | 2 ++
 docs/services/common/crowdsec.md | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
index 9c05374..fed75d1 100644
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -16,4 +16,6 @@ whitelist:
 - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'"
 # immich thumbnail request 404 error false positive
 - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
+ # opencloud chunk request false positive
+ - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
 {% endif %}
diff --git a/docs/services/common/crowdsec.md b/docs/services/common/crowdsec.md
index fc6a924..1bc72dc 100644
--- a/docs/services/common/crowdsec.md
+++ b/docs/services/common/crowdsec.md
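Review bot: The new opencloud entry matches with `contains '/js/chunks/'`, so any request to that host whose path includes that substring anywhere — not only the web UI's bundle files — is exempted, and since the rule filters on `evt.Meta` fields it appears to be a parser-stage whitelist, meaning the matching event is dropped before any scenario sees it, not just the one that produced the false positive. If OpenCloud serves its chunks from a fixed prefix, anchoring the match narrows the exemption: `evt.Meta.http_path startsWith '/js/chunks/'`; I have not verified the deployed path, so confirm it against the access log before changing it. The comment could also name what is being silenced, as the neighbouring immich entry names its symptom, e.g. `# opencloud web UI loads many /js/chunks/ bundles; exempt them from the crawl scenario (verify scenario name against the alert)`. The `whitelist:` block this hunk extends starts above the hunk.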
@@ -235,4 +235,16 @@ fw@fw:~$ sudo cscli alerts inspect 230 -d
 - check the log and analyze and make expression
 - e.g. immich
 - evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
+ - e.g. opencloud
+ - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
+- free false positive decision
+
+fw@fw:~$ sudo cscli decision list
+╭─────────┬──────────┬───────────────────┬──────────────────────────────────────┬────────┬─────────┬────────────────────────┬────────┬────────────────────┬──────────╮
+│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
+├─────────┼──────────┼───────────────────┼──────────────────────────────────────┼────────┼─────────┼────────────────────────┼────────┼────────────────────┼──────────┤
+│ 5280078 │ crowdsec │ Ip:223.195.50.112 │ crowdsecurity/http-crawl-non_statics │ ban │ KR │ 9769 Sejong University │ 43 │ 3h42m21.824049012s │ 430 │
+╰─────────┴──────────┴───────────────────┴──────────────────────────────────────┴────────┴─────────┴────────────────────────┴────────┴────────────────────┴──────────╯
+fw@fw:~$ sudo cscli decision delete --id 5280078
+INFO[04-04-2026 09:55:02] 1 decision(s) deleted