From 6f4a569d1c3ea606dc8ae784d2f0fc2484baa267 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 23 May 2026 08:34:33 +0000
Subject: [PATCH] traefik: bump auth-proxy nginx header buffers to handle Authentik cookie pile

Browsers accumulate one authentik_proxy_ cookie per Authentik Proxy Provider under viktorbarzin.me (Path=/). With 30+ services the combined Cookie header exceeds nginx's default 4 x 8k large_client_header_buffers and trips '431 Request Header Fields Too Large' at the forward-auth nginx (traefik/auth-proxy). Bumped to: client_header_buffer_size 8k large_client_header_buffers 8 64k Matches the pattern used on the London Flint 2 router nginx (memory id=647).
---
 stacks/traefik/modules/traefik/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index 8aed7b91..b3ba958b 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -688,6 +688,14 @@ resource "kubernetes_config_map" "auth_proxy_config" {
 server {
 listen 9000;
+ # Browsers accumulate one authentik_proxy_ cookie per Authentik
+ # Proxy Provider on the parent domain. With 30+ services under
+ # viktorbarzin.me the combined Cookie header exceeds nginx's default
+ # 4 x 8k large_client_header_buffers and trips "Too big request header"
+ # (431). Bump to 8 x 64k so the auth check accepts the pile.
+ client_header_buffer_size 8k;
+ large_client_header_buffers 8 64k;
+
 location /outpost.goauthentik.io/auth/traefik {
 proxy_pass http://authentik;
 proxy_connect_timeout 3s;
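Review bot: `large_client_header_buffers 8 64k;` in the `listen 9000` server block raises the worst-case header allocation per request from 32k (the 4 x 8k default the comment cites) to 8 x 64k = 512k, and this listener parses headers before any authentication decision has been made, so an unauthenticated client can drive that allocation. If the measured Cookie header is only modestly over the old limit, a tighter setting such as `large_client_header_buffers 4 32k;` would clear the error with a smaller ceiling; the patch does not show the observed header size, so the right figure needs confirming. The bump also only moves the limit, since the comment says one cookie is added per Proxy Provider, so it is worth recording the new cap in the comment, e.g. `# A single header line (the whole Cookie header on HTTP/1.1) is still capped at 64k.` The `location` block continues past the end of the hunk.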