Some BunnyCDN IP addresses are blocked

Hello,

We had a problem on our Magento 2 website which uses Bunny CDN to store the files to download.
CrowdSec is installed with the cs-firewall-bouncer to drive the firewall rules.

When the firewall bouncer is started, the downloads fail.
When it is stopped, they work.

I checked the ipset list and identified 29 BunnyCDN IPs in it. I removed them and it worked again with the cs-firewall-bouncer started.

I tried to make some whitelists, but the ipset blacklist continues to contain the BunnyCDN IPs (and the downloads fail again).

In fact the IPs are in the blacklist because they are rated with a bad reputation on CrowdSec (cf. the CrowdSec Console for example).

Is there a way to create a whitelist which will override the CrowdSec blacklist?

Thanks in advance

Yes you can create a CAPI whitelist → CAPI | CrowdSec

Guess it's also good to know about these; we can work on adding them on our side:

https://bunnycdn.com/api/system/edgeserverlist
https://bunnycdn.com/api/system/edgeserverlist/IPv6

So, a little helper script:

OUTPUT="/etc/crowdsec/capi-whitelists.yaml"
# Start a fresh YAML document each run
echo "ips:" > "$OUTPUT"
# -f: fail on HTTP errors instead of writing an error page into the list; -sS: quiet, but still report errors
curl -fsS -H "Accept: application/json" https://bunnycdn.com/api/system/edgeserverlist | jq -r '.[]' | while read -r ip; do echo "  - $ip" >> "$OUTPUT"; done

If you want IPv4 and IPv6:

OUTPUT="/etc/crowdsec/capi-whitelists.yaml"
## If you want to cronjob it we always overwrite file at start
echo "ips:" > "$OUTPUT"
## Start of the loops: one fetch per list, every address appended as a YAML list item
for URL in https://bunnycdn.com/api/system/edgeserverlist https://bunnycdn.com/api/system/edgeserverlist/IPv6; do
  curl -fsS -H "Accept: application/json" "$URL" | jq -r '.[]' | while read -r ip; do
    echo "  - $ip" >> "$OUTPUT"
  done
done
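A variant of the helper above, added here as an example and not code from the thread or from CrowdSec: it renders the whitelist without depending on jq, keeps plain addresses under `ips:` and any prefixes under `cidrs:` (the two keys the CAPI whitelist file accepts), and refuses to overwrite the previous file when the fetch returned no entries, so a failed API call cannot silently empty the whitelist. It assumes the API returns a flat JSON array of strings and that `OUTPUT` matches the `capi_whitelists_path` set under `api.server` in config.yaml; the sample array in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): build CrowdSec's capi_whitelists.yaml
# from BunnyCDN's edge server lists without depending on jq, and keep plain
# addresses ("ips:") apart from prefixes ("cidrs:"), the two keys that file uses.
# Assumptions: the API returns a flat JSON array of strings, and OUTPUT matches
# api.server.capi_whitelists_path in config.yaml.
set -u

OUTPUT="${OUTPUT:-/etc/crowdsec/capi_whitelists.yaml}"
URLS="https://bunnycdn.com/api/system/edgeserverlist https://bunnycdn.com/api/system/edgeserverlist/IPv6"

# Pull every double-quoted string out of a JSON array such as ["1.2.3.4","2001:db8::1"].
# Good enough for a flat string array; not a general JSON parser.
extract_addresses() {
    grep -o '"[^"]*"' | tr -d '"' || true
}

# Read a JSON array on stdin, write the YAML whitelist on stdout.
# Entries containing a "/" go under cidrs:, everything else under ips:.
render_capi_whitelist() {
    addrs=$(extract_addresses)
    ips=$(printf '%s\n' "$addrs" | sed -n '/^[^/]\{1,\}$/p')
    cidrs=$(printf '%s\n' "$addrs" | sed -n '/\//p')
    if [ -n "$ips" ]; then
        printf 'ips:\n'
        printf '%s\n' "$ips" | sed 's/^/  - /'
    fi
    if [ -n "$cidrs" ]; then
        printf 'cidrs:\n'
        printf '%s\n' "$cidrs" | sed 's/^/  - /'
    fi
}

# Count whitelist entries in a rendered document. Used as a sanity check before
# overwriting the previous file: zero entries means the fetch failed.
count_entries() {
    grep -c '^  - ' || true
}

# Fetch both lists. -f makes curl fail on HTTP errors instead of feeding an
# error page into the whitelist; the newline keeps the two arrays apart.
fetch_lists() {
    for url in $URLS; do
        curl -fsS -H "Accept: application/json" "$url" || return 1
        printf '\n'
    done
}

# Live run (e.g. from cron): render into a temp file and only replace the
# whitelist when it actually contains entries.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp)
    fetch_lists | render_capi_whitelist > "$tmp" || { rm -f "$tmp"; exit 1; }
    if [ "$(count_entries < "$tmp")" -gt 0 ]; then
        mv "$tmp" "$OUTPUT"
    else
        rm -f "$tmp"
        exit 1
    fi
fi
```

Run it as `sh bunny-whitelist.sh --live`; without `--live` it only defines the functions, so you can test the rendering offline with a constructed array such as `printf '["1.2.3.4","2001:db8::1","10.0.0.0/8"]' | render_capi_whitelist`, which yields an `ips:` list of the two addresses followed by a `cidrs:` list holding the prefix. Reload or restart the CrowdSec agent after the file changes so the new whitelist is picked up.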

Yes, I tried it, but the flow is still blocked before it arrives at the CrowdSec processing.
The iptables rules seem to take priority over this solution.

For the moment my only solution consists in periodically removing the IPs from the blacklist rule in the ipset.
It is not really clean :slight_smile: