From 769ae7a6d308a4924777b65bf525612abedadcd7 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 1 Jun 2026 15:15:05 +0000
Subject: [PATCH] traefik: bot-block-proxy buffer 256k + document the real HTTP/2 limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Follow-up to the 64k bump: raised bot-block-proxy large_client_header_buffers to 256k and corrected the rationale.

Investigation found the *binding* limit for browsers is Traefik's HTTP/2 header cap (~64KB, Go maxHeaderListSize, not exposed by Traefik config) — oversized authentik_proxy_* cookie piles are rejected at the h2 layer upstream of bot-block regardless of these buffers. The real fix for >64KB piles is reducing authentik_proxy_* cookie accumulation (or clearing cookies); these buffers only prevent bot-block being a tighter bottleneck for sub-64KB piles + HTTP/1.1 clients.

[ci skip]

Co-Authored-By: Claude Opus 4.7
---
 stacks/traefik/modules/traefik/main.tf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index 8ab0e4e6..e26b2a74 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -357,9 +357,14 @@ resource "kubernetes_config_map" "bot_block_proxy_config" { # viktorbarzin.me the combined Cookie header exceeds nginx's default # 4 x 8k large_client_header_buffers and the ai-bot-block forward-auth # rejects it with 400 (and error-pages then shows "Too big request - # header" 431). Match auth-proxy-config: 8 x 64k accepts the pile. + # header" 431). NOTE the *binding* limit for browsers is Traefik's + # HTTP/2 header cap (~64KB, Go maxHeaderListSize, not configurable) — + # bigger piles are rejected upstream of here regardless. This 256k + # only keeps bot-block from being a *tighter* bottleneck (and covers + # HTTP/1.1 clients). poison-fountain (the bot check) ignores cookies. + # Real fix for >64KB piles = reduce authentik_proxy_* accumulation. client_header_buffer_size 8k; - large_client_header_buffers 8 64k; + large_client_header_buffers 8 256k; location /auth { access_by_lua_block {
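Review bot: the new comment block states the Traefik HTTP/2 cap as "~64KB, Go maxHeaderListSize, not configurable" without recording how that figure was established or for which Traefik/Go version it holds, yet it is the entire justification for this change and for the "real fix" guidance that follows; since the cap is a property of the upstream proxy rather than of this nginx config, please pin it (e.g. "observed on Traefik <version>" plus a pointer to where the limit is derived) so the next person bumping these buffers can re-verify rather than trust a number that may move between releases. Second, the comment itself concedes that anything over 64KB is rejected upstream before reaching bot-block, so the benefit of going from `large_client_header_buffers 8 64k;` to `large_client_header_buffers 8 256k;` is confined to HTTP/1.1 clients; either name the client or header size that needed more than 64k, or state explicitly that 256k is headroom, and note that 8 x 256k allows up to 2 MB of header buffering per request, which is worth a sentence on memory cost. Minor: the comment contains a non-ASCII em dash ("not configurable —"); harmless to nginx, but keeping config comments ASCII avoids surprises from tooling that does not assume UTF-8.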