traefik: bump bot-block-proxy large_client_header_buffers to 8x64k

The ai-bot-block forward-auth copies the full request (incl. the accumulated authentik_proxy_<random> cookie pile) to bot-block-proxy. With 30+ Authentik Proxy Providers under viktorbarzin.me the combined Cookie header exceeds openresty's default 4x8k buffers, so the auth check returned 400 "Request Header Or Cookie Too Large" (surfaced as error-pages' "Too big request header" 431) and broke Woodpecker/Forgejo OAuth sign-in for affected browsers. Mirror the existing auth-proxy-config fix: 8x64k accepts the pile. Applied live via tg apply + bot-block-proxy rollout restart. [ci skip] Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-01 10:16:46 +00:00 · 2026-06-01 10:16:46 +00:00 · 170a3bb052
commit 170a3bb052
parent 6f0bdf2993
1 changed files with 10 additions and 0 deletions
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@ -351,6 +351,16 @@ resource "kubernetes_config_map" "bot_block_proxy_config" {
      }
      server {
          listen 8080;
+
+          # Browsers accumulate one authentik_proxy_<random> cookie per Authentik
+          # Proxy Provider on the parent domain. With 30+ services under
+          # viktorbarzin.me the combined Cookie header exceeds nginx's default
+          # 4 x 8k large_client_header_buffers and the ai-bot-block forward-auth
+          # rejects it with 400 (and error-pages then shows "Too big request
+          # header" 431). Match auth-proxy-config: 8 x 64k accepts the pile.
+          client_header_buffer_size 8k;
+          large_client_header_buffers 8 64k;
+
          location /auth {
              access_by_lua_block {
                  ngx.req.clear_header("If-Match")