fix(crowdsec): update whitelist.yaml to prevent false positive

false positive: - outline session problem (LePresidente/http-generic-401-bf)
chore(outline): fix HSTS annotation typo
2026-05-17 00:00:46 +09:00 · 2026-05-16 21:16:28 +09:00
3 changed files with 30 additions and 1 deletions
@@ -22,7 +22,7 @@ Environment="TZ={{ timezone }}"
 Environment="NODE_ENV=production"
 Environment="URL=https://{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="PORT=3000"
-#Environment="FORCE_HTTPS=true" #HTST function is not required
+#Environment="FORCE_HTTPS=true" #HSTS function is not required

 # Secrets
 Secret=OUTLINE_SECRET_KEY,type=env,target=SECRET_KEY
@@ -18,4 +18,7 @@ whitelist:
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'"
        # nextcloud chunks.mjs request false positive
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'"
+        # outline POST 401 errors false positive
+        - "evt.Meta.target_fqdn == '{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '401' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api/'"
+
 {% endif %}
@@ -0,0 +1,26 @@
+# Outline crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-05-16
+
+## Version
+- Outline: 1.7.1
+
+## Problem
+- Reload the outline when session is terminated, it causes 401 errors
+  - fw ban users' IP address.
+
+## Reason
+- When the session is terminated by some reasons, every request recieves 401 errors
+    - `LePresidente/http-generic-401-bf`
+
+## Timeline
+- 2026-05-16: Release outline
+- 2026-05-16: Find the false positive case, and add whitelist
+
+## Solution
+- Add expression on whitelist
+  - evt.Meta.target_fqdn == '{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '401' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api/'
Author	SHA1	Message	Date
il	a6bba986a5	fix(crowdsec): update whitelist.yaml to prevent false positive false positive: - outline session problem (LePresidente/http-generic-401-bf)	2026-05-17 00:00:46 +09:00
il	24eff8f3eb	chore(outline): fix HSTS annotation typo	2026-05-16 21:16:28 +09:00