crowdsec/traefik: stop captchaing legit Immich mobile bursts

Mobile timeline scrubs prefetch ~100 thumbs in <1s, which exhausted the immich-rate-limit (avg=500, burst=5000) and produced a cascade of HTTP 429s. CrowdSec's local http-429-abuse scenario then fired captcha:1 on the source IP (alert #291, 2026-04-25 — owner's Hyperoptic IPv6). Two changes: - crowdsec: add a second whitelist doc (viktor/immich-asset-paths-whitelist) filtering events by Immich asset paths so they never feed leaky buckets. Auth endpoints intentionally excluded — brute-force protection unchanged. - traefik: raise immich-rate-limit avg=500->1000, burst=5000->20000 so legitimate mobile scrubs don't produce 429s in the first place.
2026-04-26 09:27:16 +00:00 · 2026-04-26 09:27:16 +00:00 · d0152e1f38
commit d0152e1f38
parent 222013806d
2 changed files with 17 additions and 2 deletions
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@ -244,8 +244,8 @@ resource "kubernetes_manifest" "middleware_immich_rate_limit" {
    }
    spec = {
      rateLimit = {
-        average = 500
-        burst   = 5000
+        average = 1000
+        burst   = 20000
      }
    }
  }