diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
index 2180c49..952efea 100644
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -18,4 +18,7 @@ whitelist:
 - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'"
 # nextcloud chunks.mjs request false positive
 - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'"
+ # outline POST 401 errors false positive
+ - "evt.Meta.target_fqdn == '{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '401' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api/'"
+
 {% endif %}
diff --git a/docs/issues/crowdsec/260516_outline.md b/docs/issues/crowdsec/260516_outline.md
new file mode 100644
index 0000000..2ca2062
--- /dev/null
+++ b/docs/issues/crowdsec/260516_outline.md
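Review bot: The added expression in whitelists.yaml.j2 exempts every `POST` under `/api/` that returns `401` on the Outline host, which is wider than the session-expiry reload the accompanying issue note describes. Failed API authentication from any source on that host will no longer count towards `LePresidente/http-generic-401-bf`, so repeated bad credentials against the API would stop producing bans. If the reload only touches a few endpoints, narrowing the match to the paths seen in the logged false positives (for example `evt.Meta.http_path in [<observed paths>]`) would keep detection for the rest of the API. If the broad match is intended, the comment should record the trade-off, e.g. `# outline: expired session makes API POSTs return 401 and trips LePresidente/http-generic-401-bf; see docs/issues/crowdsec/260516_outline.md`. The `whitelist:` list and the `{% if %}` closed by `{% endif %}` start outside the hunk, so the stage at which this whitelist is applied cannot be confirmed from here.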
@@ -0,0 +1,26 @@
+# Outline crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-05-16
+
+## Version
+- Outline: 1.7.1
+
+## Problem
+- Reload the outline when session is terminated, it causes 401 errors
+ - fw ban users' IP address.
+
+## Reason
+- When the session is terminated by some reasons, every request recieves 401 errors
+ - `LePresidente/http-generic-401-bf`
+
+## Timeline
+- 2026-05-16: Release outline
+- 2026-05-16: Find the false positive case, and add whitelist
+
+## Solution
+- Add expression on whitelist
+ - evt.Meta.target_fqdn == '{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '401' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api/'