From cb4d17f99e136637c975ff12309f32f58b0dd60d Mon Sep 17 00:00:00 2001 From: il Date: Mon, 27 Apr 2026 19:48:01 +0900 Subject: [PATCH] docs(issues): add the past issues which existed before tracking issues add crowdsec false positive issues fix the file name of affine android oidc issues --- ...android_oidc.md => 260420_android_oidc.md} | 4 +-- docs/issues/crowdsec/260321_actual_budget.md | 33 +++++++++++++++++++ docs/issues/crowdsec/260321_immich.md | 32 ++++++++++++++++++ docs/issues/crowdsec/260404_opencloud.md | 32 ++++++++++++++++++ 4 files changed, 99 insertions(+), 2 deletions(-) rename docs/issues/affine/{250420_android_oidc.md => 260420_android_oidc.md} (92%) create mode 100644 docs/issues/crowdsec/260321_actual_budget.md create mode 100644 docs/issues/crowdsec/260321_immich.md create mode 100644 docs/issues/crowdsec/260404_opencloud.md diff --git a/docs/issues/affine/250420_android_oidc.md b/docs/issues/affine/260420_android_oidc.md similarity index 92% rename from docs/issues/affine/250420_android_oidc.md rename to docs/issues/affine/260420_android_oidc.md index 6cb6e4b..0732588 100644 --- a/docs/issues/affine/250420_android_oidc.md +++ b/docs/issues/affine/260420_android_oidc.md @@ -6,7 +6,7 @@ ## Date - 2026-04-20 -## version +## Version - affine server: 0.26.3 (self-hosted) - affine application: 0.26.3 (Android) - IdP: Authelia:4.39.15 @@ -30,4 +30,4 @@ ## Solution - Wait for stable release which contains the merge above -- When the stable version releases, then verify after update \ No newline at end of file +- When the stable version releases, then verify after update diff --git a/docs/issues/crowdsec/260321_actual_budget.md b/docs/issues/crowdsec/260321_actual_budget.md new file mode 100644 index 0000000..e026ce7 --- /dev/null +++ b/docs/issues/crowdsec/260321_actual_budget.md @@ -0,0 +1,33 @@ +# Actual Budget crowdsec false positive issue + +## Status +- Finished + +## Date +- 2026-03-21 + +## Version +- Actual Budget: 26.3.0 + +## Problem +- When users access and log in actual budget, all connections to homelab services are refused. + - fw ban users' IP address. + +## Reason +- Actual budget has local first policy. +- When the user log in actual budget, the client downloads all sql files from the server. +- LAPI decides that as an attack which sensitive file(sql) is downloaded concurrently. + +## Timeline +- 2026-03-21: Release actual budget +- 2026-03-21: Find the false positive case, and add whitelist + +## Solution +- Access to fw + - Check the ban list with `sudo cscli alerts list` + - Read the ban case with `sudo cscli alerts inspect $NUMBER` +- Add regex on whitelist + - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/' +- Delete false positive decision + - Check false positive decision with `sudo cscli decision list` + - Delete false positive decision with `sudo cscli decision list --id $ID` diff --git a/docs/issues/crowdsec/260321_immich.md b/docs/issues/crowdsec/260321_immich.md new file mode 100644 index 0000000..bcef00b --- /dev/null +++ b/docs/issues/crowdsec/260321_immich.md @@ -0,0 +1,32 @@ +# Immich crowdsec false positive issue + +## Status +- Finished + +## Date +- 2026-03-21 + +## Version +- Immich: 2.6.1 + +## Problem +- When users access and log in Immich while Immich is generating thumbnail, all connections to homelab services are refused. + - fw ban users' IP address. + +## Reason +- Immich sends 404 error to clients when the client request thumbnail while it is generating them. +- LAPI decides a ban when a lot of 404 errors occur in short time + +## Timeline +- 2026-03-21: Release Immich +- 2026-03-21: Find the false positive case, and add whitelist + +## Solution +- Access to fw + - Check the ban list with `sudo cscli alerts list` + - Read the ban case with `sudo cscli alerts inspect $NUMBER` +- Add regex on whitelist + - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail' +- Delete false positive decision + - Check false positive decision with `sudo cscli decision list` + - Delete false positive decision with `sudo cscli decision list --id $ID` diff --git a/docs/issues/crowdsec/260404_opencloud.md b/docs/issues/crowdsec/260404_opencloud.md new file mode 100644 index 0000000..7044999 --- /dev/null +++ b/docs/issues/crowdsec/260404_opencloud.md @@ -0,0 +1,32 @@ +# OpenCloud crowdsec false positive issue + +## Status +- Finished + +## Date +- 2026-04-04 + +## Version +- OpenCloud: 4.0.4 + +## Problem +- When users download some files, all connections to homelab services are refused. + - fw ban users' IP address. + +## Reason +- OpenCloud uses chunks when clients uploads or download files to it. +- LAPI decides a ban when a lot of chunks file is uploaded or downloaded from external devices + +## Timeline +- 2026-04-04: Release Immich +- 2026-04-04: Find the false positive case, and add whitelist + +## Solution +- Access to fw + - Check the ban list with `sudo cscli alerts list` + - Read the ban case with `sudo cscli alerts inspect $NUMBER` +- Add regex on whitelist + - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/' +- Delete false positive decision + - Check false positive decision with `sudo cscli decision list` + - Delete false positive decision with `sudo cscli decision list --id $ID`