fix(crowdsec): update whitelist.yaml to prevent false positive

false positive: - nextcloud chunk problem (crowdsecurity/http-crawl-non_statics) - change expression 'chunks.mjs' to 'chunk.mjs'
chore(chromium): archive a removed stack from console
2026-05-11 19:40:50 +09:00 · 2026-05-11 19:37:25 +09:00 · 2026-05-11 19:34:22 +09:00
4 changed files with 6 additions and 8 deletions
@@ -1,8 +1 @@
 ---
- name: Register font
-  ansible.builtin.shell: |
-    fc-cache -f -v
-  become: true
-  changed_when: false
-  listen: "notification_update_font"
-  ignore_errors: true # noqa: ignore-errors
@@ -16,4 +16,6 @@ whitelist:
        - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
        # nextcloud thumbnail/preview request error false positive
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'"
+        # nextcloud chunks.mjs request false positive
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'"
 {% endif %}
@@ -23,11 +23,14 @@
 - 2026-05-03: Make previous expressions annotation
 - 2026-05-07: Find the false positive case, which is not on `crowdsecurity/nextcloud-whitelist`
 - 2026-05-07: Set whitelist expression
+- 2026-05-11: Find the false positive case, which is not on `crowdsec/nextcloud-whitelist`
+- 2026-05-11: Set whitelist expression

 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 - Add expression on whitelist
-  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'

 ### Deprecated solution
 - Access to fw
Author	SHA1	Message	Date
il	e1936b494d	fix(crowdsec): update whitelist.yaml to prevent false positive false positive: - nextcloud chunk problem (crowdsecurity/http-crawl-non_statics) - change expression 'chunks.mjs' to 'chunk.mjs'	2026-05-11 19:40:50 +09:00
il	0afc841b69	chore(chromium): archive a removed stack from console archived stack: chromium	2026-05-11 19:37:25 +09:00
il	a39122eb4b	fix(crowdsec): update whitelist.yaml to prevent false positive false positive: - nextcloud chunk problem (crowdsecurity/http-crawl-non_statics)	2026-05-11 19:34:22 +09:00