traefik/error-pages: READ_BUFFER_SIZE 5KB -> 128KB — 431s for cookie-heavy users

Viktor hit 'Too big request header' (fasthttp 431 from error-pages) on a routed host during a brief 503 window, and sees it periodically across ingresses: Authentik forward-auth accumulates one authentik_proxy_* cookie per protected service on .viktorbarzin.me, so established browsers carry multi-10KB Cookie headers — over error-pages' 5120-byte default read buffer, which doubles as its max header size. Any error- middleware dispatch then 431'd instead of rendering the styled page. Same root cause class as the 2026-06-01 large_client_header_buffers fixes on bot-block-proxy and auth-proxy-config; error-pages was the remaining small-buffer backend on the shared chain.
2026-06-12 20:31:01 +00:00 · 2026-06-12 20:31:01 +00:00 · aa1fccb883
commit aa1fccb883
parent 12fd1fcbc9
1 changed files with 13 additions and 0 deletions
--- a/stacks/traefik/modules/traefik/error-pages.tf
+++ b/stacks/traefik/modules/traefik/error-pages.tf
@ -57,6 +57,19 @@ resource "kubernetes_deployment" "error_pages" {
            value = "shuffle"
          }

+          env {
+            # fasthttp's per-connection read buffer ALSO caps total request
+            # header size (default 5120 bytes). Authentik forward-auth sets
+            # one authentik_proxy_* cookie per protected service, all scoped
+            # to .viktorbarzin.me — 30+ services puts the aggregate Cookie
+            # header way past 5KB, so every error-middleware dispatch here
+            # answered 431 "Too big request header" instead of the styled
+            # error page (same cookie-bloat class as the 2026-06-01 openresty
+            # buffer fixes on bot-block-proxy/auth-proxy).
+            name  = "READ_BUFFER_SIZE"
+            value = "131072"
+          }
+
          liveness_probe {
            http_get {
              path = "/healthz"