fix(crowdsec): update whitelist.yaml to prevent false positive

false positive: - outline session problem (LePresidente/http-generic-401-bf)
2026-05-17 00:00:46 +09:00
parent 24eff8f3eb
commit a6bba986a5
2 changed files with 29 additions and 0 deletions
@@ -0,0 +1,26 @@
+# Outline crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-05-16
+
+## Version
+- Outline: 1.7.1
+
+## Problem
+- Reload the outline when session is terminated, it causes 401 errors
+  - fw ban users' IP address.
+
+## Reason
+- When the session is terminated by some reasons, every request recieves 401 errors
+    - `LePresidente/http-generic-401-bf`
+
+## Timeline
+- 2026-05-16: Release outline
+- 2026-05-16: Find the false positive case, and add whitelist
+
+## Solution
+- Add expression on whitelist
+  - evt.Meta.target_fqdn == '{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '401' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api/'