From bf4040914161240425891f9a1e533b92d4d2108b Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 27 Jun 2026 15:27:44 +0000 Subject: [PATCH] docs(security): note crowdsec-cf-sync rate-limit resilience Document the backoff_limit=0 + CF-429 soft-skip hardening alongside the cf-sync architecture description, with the why (the backoff_limit=2 retry-storm that escalated Cloudflare's Lists-API throttle into a stuck state). Follow-up to 5b49634f. Co-Authored-By: Claude Opus 4.8 --- docs/architecture/security.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/architecture/security.md b/docs/architecture/security.md index de36120d..1cec0de6 100644 --- a/docs/architecture/security.md +++ b/docs/architecture/security.md @@ -132,6 +132,13 @@ for the supersession history — there is no longer an inline Traefik bouncer.) account hard-limits to **one** list), and CAPI is already covered in-kernel on direct hosts and by Cloudflare's own managed protections on proxied hosts. Registered bouncer key: **`kvsync`**. +- **Rate-limit resilient (2026-06-27):** Cloudflare's Lists-API *write* endpoint + is throttled (~per-60s; `429 retry-after`). The CronJob runs `backoff_limit=0` + (one POST per cycle — the `*/2` schedule IS the retry cadence) and treats a CF + `429` as a soft-skip (exit 0, retry next cycle), the same fail-safe pattern it + uses for LAPI. An earlier `backoff_limit=2` fired 3 rapid POSTs/cycle and + escalated the throttle into a stuck state that left the list empty — a + self-inflicted DoS that this change prevents. - **Block-only**: the single-list limit precludes a separate captcha/managed-challenge list, so both ban and captcha decisions are enforced as a plain block at the edge.