fix(crowdsec): update parser 'crowdsecurity/nextcloud-whitelist'

update note: - deprecate custom whitelist expression - apply 'crowdsecurity/nextcloud-whitelist' parser
docs(issues): fix crowdsec whitelist regex to whitelist expressions
2026-05-03 07:19:59 +09:00 · 2026-05-02 20:40:10 +09:00
6 changed files with 30 additions and 18 deletions
@@ -36,10 +36,15 @@
  ansible.builtin.set_fact:
    acquisd_list:
      fw:
-        collection: "crowdsecurity/suricata"
+        collection:
+          - "crowdsecurity/suricata"
+        parser: []
        config: "suricata.yaml"
      auth:
-        collection: "crowdsecurity/caddy"
+        collection:
+          - "crowdsecurity/caddy"
+        parser:
+          - "crowdsecurity/nextcloud-whitelist"
        config: "caddy.yaml"

 - name: Deploy crowdsec-update service files
@@ -181,7 +186,8 @@
  block:
    - name: Install crowdsec collection
      ansible.builtin.command:
-        cmd: "cscli collections install {{ acquisd_list[node['name']]['collection'] }}"
+        cmd: "cscli collections install {{ item }}"
+      loop: "{{ acquisd_list[node['name']]['collection'] }}"
      become: true
      changed_when: "'overwrite' not in is_collection_installed.stderr"
      failed_when:
@@ -189,6 +195,17 @@
        - "'already installed' not in is_collection_installed.stderr"
      register: "is_collection_installed"

+    - name: Install crowdsec parser
+      ansible.builtin.command:
+        cmd: "cscli parsers install {{ item }}"
+      loop: "{{ acquisd_list[node['name']]['parser'] }}"
+      become: true
+      changed_when: "'overwrite' not in is_parser_installed.stderr"
+      failed_when:
+        - is_parser_installed.rc != 0
+        - "'already installed' not in is_parser_installed.stderr"
+      register: "is_parser_installed"
+
    - name: Create crowdsec acquis.d directory
      ansible.builtin.file:
        path: "/etc/crowdsec/acquis.d"
@@ -18,9 +18,4 @@ whitelist:
        - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
        # opencloud chunk request false positive
        - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
-        # nextcloud chunk request false positive (crowdsecurity/http-crawl-non_statics)
-        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'"
-        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'"
-        # nextcloud upload directory request 404 error false positive (crowdsecurity/http-probing)
-        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'"
 {% endif %}
@@ -26,7 +26,7 @@
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
- Add regex on whitelist
+- Add expressions on whitelist
  - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
@@ -25,8 +25,8 @@
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
- Add regex on whitelist
-  - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
+- Add expressions on whitelist
+  - evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -25,7 +25,7 @@
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
- Add regex on whitelist
+- Add expressions on whitelist
  - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
@@ -14,18 +14,18 @@
  - fw ban users' IP address.

 ## Reason
- Nextcloud uses chunks for actions, and uploading and downloading
-    - chunks on '/apps/viewer/js', '/dist/'
-    - `crowdsecurity/http-crawl-non_statics`
- Nextcloud keeps checking directory which is uploading
-    - upload directory '/remote.php/dav/files/'
-    - `crowdsecurity/http-probing`
+- Nextcloud has a lot of workflows which can be caught from crowdsec

 ## Timeline
 - 2026-05-02: Release nextcloud
 - 2026-05-02: Find the false positive case, and add whitelist
+- 2026-05-03: Install crowdsecurity/nextcloud-whitelist parser
+- 2026-05-03: Make previous expressions annotation

 ## Solution
+- Install crowdsecurity/nextcloud-whitelist on auth node
+
+### Deprecated solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
Author	SHA1	Message	Date
il	880857a70a	fix(crowdsec): update parser 'crowdsecurity/nextcloud-whitelist' update note: - deprecate custom whitelist expression - apply 'crowdsecurity/nextcloud-whitelist' parser	2026-05-03 07:19:59 +09:00
il	70bf539546	docs(issues): fix crowdsec whitelist regex to whitelist expressions	2026-05-02 20:40:10 +09:00