fix(crowdsec): update whitelist.yaml to prevent false positive

false positive:
- chunk problems (crowdsecurity/http-crawl-non_statics)
- directory upload 404 problem (crowdsecurity/http-probing)

config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2

@@ -18,4 +18,9 @@ whitelist:
         - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
         # opencloud chunk request false positive
         - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
+        # nextcloud chunk request false positive (crowdsecurity/http-crawl-non_statics)
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'"
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'"
+        # nextcloud upload directory request 404 error false positive (crowdsecurity/http-probing)
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'"
 {% endif %}

docs/issues/crowdsec/260502_nextcloud.md

@@ -0,0 +1,38 @@
+# Nextcloud crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-05-02
+
+## Version
+- Nextcloud: 33.0.3
+
+## Problem
+- When users download or modify some files, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- Nextcloud uses chunks for actions, and uploading and downloading
+    - chunks on '/apps/viewer/js', '/dist/'
+    - `crowdsecurity/http-crawl-non_statics`
+- Nextcloud keeps checking directory which is uploading
+    - upload directory '/remote.php/dav/files/'
+    - `crowdsecurity/http-probing`
+
+## Timeline
+- 2026-05-02: Release nextcloud
+- 2026-05-02: Find the false positive case, and add whitelist
+
+## Solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add expressions on whitelist
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`