traefik: bot-block-proxy buffer 256k + document the real HTTP/2 limit

Follow-up to the 64k bump: raised bot-block-proxy large_client_header_buffers
to 256k and corrected the rationale. Investigation found the *binding* limit
for browsers is Traefik's HTTP/2 header cap (~64KB, Go maxHeaderListSize, not
exposed by Traefik config) — oversized authentik_proxy_* cookie piles are
rejected at the h2 layer upstream of bot-block regardless of these buffers.
The real fix for >64KB piles is reducing authentik_proxy_* cookie accumulation
(or clearing cookies); these buffers only prevent bot-block being a tighter
bottleneck for sub-64KB piles + HTTP/1.1 clients.

[ci skip]

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
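The commit message reasons about two separate limits (Traefik's HTTP/2 header-list cap in front, nginx's large_client_header_buffers in bot-block behind it) and about which one binds for a given cookie pile. The following model is an added example, not code from this commit, from Traefik or from nginx. It assumes the "~64KB" HTTP/2 cap is exactly 64 KiB of SETTINGS_MAX_HEADER_LIST_SIZE accounting (name length + value length + 32 per field, RFC 9113 §6.5.2), simplifies nginx's buffer rule to "each header line must fit in one large buffer and all lines must fit in the configured number of buffers", and uses a constructed authentik_proxy_* cookie pile. It also models the HTTP/2-only option of sending one `cookie` field per cookie pair (RFC 9113 §8.2.3), which the per-field overhead makes stricter than a single Cookie line.

```python
# Added example: not code from the commit, Traefik or nginx. Models which layer
# rejects a given authentik_proxy_* cookie pile. All constants are assumptions
# taken from the commit text; the cookie pile is constructed.

H2_MAX_HEADER_LIST_SIZE = 64 * 1024   # assumed exact value of the "~64KB" h2 cap
H2_FIELD_OVERHEAD = 32                # RFC 9113 s6.5.2: +32 bytes per header field
NGINX_LARGE_BUF_SIZE = 256 * 1024     # large_client_header_buffers 8 256k (this commit)
NGINX_LARGE_BUF_COUNT = 8
PREVIOUS_LARGE_BUF_SIZE = 64 * 1024   # the 8 x 64k setting this commit replaces


def cookie_pile(count, value_len, prefix="authentik_proxy_"):
    """Constructed sample: `count` cookies named prefix+index, `value_len` bytes each."""
    return {f"{prefix}{i}": "x" * value_len for i in range(count)}


def request_fields(cookies, split_per_cookie=False):
    """Header fields as (name, value) pairs. Over HTTP/2 a client may send one
    `cookie` field per pair (RFC 9113 s8.2.3); HTTP/1.1 sends a single Cookie line."""
    fields = [("host", "viktorbarzin.me")]
    if split_per_cookie:
        fields += [("cookie", f"{k}={v}") for k, v in cookies.items()]
    else:
        fields.append(("cookie", "; ".join(f"{k}={v}" for k, v in cookies.items())))
    return fields


def h2_header_list_size(fields):
    """Uncompressed size as counted against SETTINGS_MAX_HEADER_LIST_SIZE."""
    return sum(len(n) + len(v) + H2_FIELD_OVERHEAD for n, v in fields)


def nginx_accepts(fields, buf_size=NGINX_LARGE_BUF_SIZE, buf_count=NGINX_LARGE_BUF_COUNT):
    """nginx rule (simplified packing): a single header line longer than one large
    buffer is a 400; header bytes beyond buf_count buffers are rejected too."""
    lines = [len(f"{n}: {v}\r\n") for n, v in fields]
    if max(lines) > buf_size:
        return False
    return sum(lines) <= buf_size * buf_count


def binding_layer(cookies, http2=True, split_per_cookie=False,
                  nginx_buf_size=NGINX_LARGE_BUF_SIZE):
    """Which layer rejects the pile first: 'traefik-h2' (bot-block never sees the
    request), 'bot-block-nginx', or 'ok'. HTTP/1.1 clients skip the h2 check."""
    fields = request_fields(cookies, split_per_cookie and http2)
    if http2 and h2_header_list_size(fields) > H2_MAX_HEADER_LIST_SIZE:
        return "traefik-h2"
    if not nginx_accepts(fields, buf_size=nginx_buf_size):
        return "bot-block-nginx"
    return "ok"


if __name__ == "__main__":
    big = cookie_pile(100, 1000)  # roughly a 100 KB Cookie line
    print(binding_layer(big))                                                        # traefik-h2
    print(binding_layer(big, http2=False, nginx_buf_size=PREVIOUS_LARGE_BUF_SIZE))   # bot-block-nginx
    print(binding_layer(big, http2=False))                                           # ok
    # Just under the cap as one Cookie line, over it when split into 63 fields:
    print(binding_layer(cookie_pile(63, 1000)))                                      # ok
    print(binding_layer(cookie_pile(63, 1000), split_per_cookie=True))               # traefik-h2
```

The runs in `__main__` reproduce the commit's argument: a pile over the h2 cap is rejected at Traefik whatever bot-block's buffers are, the old 8 x 64k setting only ever bound for HTTP/1.1 clients (a single Cookie line of N bytes costs N + 10 bytes in nginx's buffer but N + 38 against the h2 cap, so h2 is always the tighter of the two at 64k), and the per-field overhead of split cookies can push a pile over the h2 cap even though the same pile fits as one line.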
Viktor Barzin 2026-06-01 15:15:05 +00:00
parent 1c165ce5b4
commit 769ae7a6d3


@ -357,9 +357,14 @@ resource "kubernetes_config_map" "bot_block_proxy_config" {
# viktorbarzin.me the combined Cookie header exceeds nginx's default
# 4 x 8k large_client_header_buffers and the ai-bot-block forward-auth
# rejects it with 400 (and error-pages then shows "Too big request
# header" 431). Match auth-proxy-config: 8 x 64k accepts the pile.
# header" 431). NOTE the *binding* limit for browsers is Traefik's
# HTTP/2 header cap (~64KB, Go maxHeaderListSize, not configurable)
# bigger piles are rejected upstream of here regardless. This 256k
# only keeps bot-block from being a *tighter* bottleneck (and covers
# HTTP/1.1 clients). poison-fountain (the bot check) ignores cookies.
# Real fix for >64KB piles = reduce authentik_proxy_* accumulation.
client_header_buffer_size 8k;
large_client_header_buffers 8 64k;
large_client_header_buffers 8 256k;
location /auth {
access_by_lua_block {
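Review bot: removing the "Match auth-proxy-config: 8 x 64k accepts the pile." line leaves the two nginx configs silently divergent. bot-block-proxy now carries `large_client_header_buffers 8 256k;` and the comment no longer says what auth-proxy-config carries, so either raise auth-proxy-config in the same change or state here that the mismatch is intended (bot-block being looser than auth-proxy is harmless; the reverse is the 400 the first paragraph of this comment describes). Two smaller points on the new comment text: "not configurable" on the maxHeaderListSize line is stronger than the commit message's "not exposed by Traefik config", and the "~64KB" figure is asserted without saying how it was established, so a short note of the reproduction (the cookie size at which an h2 request starts failing at Traefik while an HTTP/1.1 request still reaches bot-block) would let the next reader re-check it after a Traefik upgrade; and the sentence ending "not configurable)" runs straight into "bigger piles are rejected", which wants a colon or a full stop. Finally, `8 256k` permits up to 2 MB of header buffers per request; nginx allocates the large buffers only on demand, so the steady-state cost is nil, but since the rationale says such piles cannot arrive over h2 anyway, it is worth a word in the comment that the 256k exists for HTTP/1.1 clients, which is also the path a crawler would use to send arbitrarily large headers.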