From 170a3bb0524efab7152ee7a34970a14de93a6df8 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 1 Jun 2026 10:16:46 +0000 Subject: [PATCH] traefik: bump bot-block-proxy large_client_header_buffers to 8x64k The ai-bot-block forward-auth copies the full request (incl. the accumulated authentik_proxy_ cookie pile) to bot-block-proxy. With 30+ Authentik Proxy Providers under viktorbarzin.me the combined Cookie header exceeds openresty's default 4x8k buffers, so the auth check returned 400 "Request Header Or Cookie Too Large" (surfaced as error-pages' "Too big request header" 431) and broke Woodpecker/Forgejo OAuth sign-in for affected browsers. Mirror the existing auth-proxy-config fix: 8x64k accepts the pile. Applied live via tg apply + bot-block-proxy rollout restart. [ci skip] Co-Authored-By: Claude Opus 4.7 --- stacks/traefik/modules/traefik/main.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf index 1ed2ac41..8ab0e4e6 100644 --- a/stacks/traefik/modules/traefik/main.tf +++ b/stacks/traefik/modules/traefik/main.tf @@ -351,6 +351,16 @@ resource "kubernetes_config_map" "bot_block_proxy_config" { } server { listen 8080; + + # Browsers accumulate one authentik_proxy_ cookie per Authentik + # Proxy Provider on the parent domain. With 30+ services under + # viktorbarzin.me the combined Cookie header exceeds nginx's default + # 4 x 8k large_client_header_buffers and the ai-bot-block forward-auth + # rejects it with 400 (and error-pages then shows "Too big request + # header" 431). Match auth-proxy-config: 8 x 64k accepts the pile. + client_header_buffer_size 8k; + large_client_header_buffers 8 64k; + location /auth { access_by_lua_block { ngx.req.clear_header("If-Match")