From e8f523c2af42851e4a9b83e8c4dfc490eaed61b3 Mon Sep 17 00:00:00 2001 From: il Date: Sat, 21 Mar 2026 21:01:57 +0900 Subject: [PATCH] config, docs: update whitelists.yaml.j2 and crowdsec.md to add whitelist expression to fix false positive of immich thumbnails 404 error --- .../systemd/common/crowdsec/bouncers/whitelists.yaml.j2 | 2 ++ docs/services/common/crowdsec.md | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 index 506f640..56e2557 100644 --- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 +++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 @@ -14,4 +14,6 @@ whitelist: expression: # budget local-first sql scrap rule - "evt.Meta.target_fqdn == 'budget.ilnmors.com' && evt.Meta.http_path contains '/data/migrations/'" + # immich thumbnail request 404 error false positive + - "evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'" {% endif %} diff --git a/docs/services/common/crowdsec.md b/docs/services/common/crowdsec.md index d4dfcb0..fc6a924 100644 --- a/docs/services/common/crowdsec.md +++ b/docs/services/common/crowdsec.md @@ -228,6 +228,11 @@ auth@auth:~$ sudo cscli alerts list │ 9 │ Ip:138.68.144.227 │ crowdsecurity/jira_cve-2021-26086 │ │ │ ban:1 │ 2026-03-06 04:18:18.35776077 +0000 UTC │ ╰────┴────────────────────┴───────────────────────────────────┴─────────┴────┴───────────┴─────────────────────────────────────────╯ +## Log check and inspect +fw@fw:~$ sudo cscli alerts inspect 230 -d +- check the log and analyze and make expression + - e.g. immich + - evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'