il
a05951f883
update notes: - add http_status and http_verb for each expressions (actual budget, immich, opencloud) - fix crowdsec and issues documents
1.2 KiB
1.2 KiB
Immich crowdsec false positive issue
Status
- Finished
Date
- 2026-03-21
Version
- Immich: 2.6.1
Problem
- When users access and log in Immich while Immich is generating thumbnail, all connections to homelab services are refused.
- fw ban users' IP address.
Reason
- Immich sends 404 error to clients when the client request thumbnail while it is generating them.
- LAPI decides a ban when a lot of 404 errors occur in short time
Timeline
- 2026-03-21: Release Immich
- 2026-03-21: Find the false positive case, and add whitelist
- 2026-05-07: Optimize whitelist expression
Solution
- Access to fw
- Check the ban list with
sudo cscli alerts list - Read the ban case with
sudo cscli alerts inspect $NUMBER
- Check the ban list with
- Add expressions on whitelist
- evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
- Delete false positive decision
- Check false positive decision with
sudo cscli decision list - Delete false positive decision with
sudo cscli decision delete --id $ID
- Check false positive decision with