From aa1fccb88302cc78d878cca6a541abe3970f6b70 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 12 Jun 2026 20:31:01 +0000 Subject: [PATCH] =?UTF-8?q?traefik/error-pages:=20READ=5FBUFFER=5FSIZE=205?= =?UTF-8?q?KB=20->=20128KB=20=E2=80=94=20431s=20for=20cookie-heavy=20users?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Viktor hit 'Too big request header' (fasthttp 431 from error-pages) on a routed host during a brief 503 window, and sees it periodically across ingresses: Authentik forward-auth accumulates one authentik_proxy_* cookie per protected service on .viktorbarzin.me, so established browsers carry multi-10KB Cookie headers — over error-pages' 5120-byte default read buffer, which doubles as its max header size. Any error- middleware dispatch then 431'd instead of rendering the styled page. Same root cause class as the 2026-06-01 large_client_header_buffers fixes on bot-block-proxy and auth-proxy-config; error-pages was the remaining small-buffer backend on the shared chain. --- stacks/traefik/modules/traefik/error-pages.tf | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/stacks/traefik/modules/traefik/error-pages.tf b/stacks/traefik/modules/traefik/error-pages.tf index 34c1e997..4913bc99 100644 --- a/stacks/traefik/modules/traefik/error-pages.tf +++ b/stacks/traefik/modules/traefik/error-pages.tf @@ -57,6 +57,19 @@ resource "kubernetes_deployment" "error_pages" { value = "shuffle" } + env { + # fasthttp's per-connection read buffer ALSO caps total request + # header size (default 5120 bytes). Authentik forward-auth sets + # one authentik_proxy_* cookie per protected service, all scoped + # to .viktorbarzin.me — 30+ services puts the aggregate Cookie + # header way past 5KB, so every error-middleware dispatch here + # answered 431 "Too big request header" instead of the styled + # error page (same cookie-bloat class as the 2026-06-01 openresty + # buffer fixes on bot-block-proxy/auth-proxy). + name = "READ_BUFFER_SIZE" + value = "131072" + } + liveness_probe { http_get { path = "/healthz"