Hello,
As referenced in a few other community posts and this GitHub issue: Configurable max request header size by lucasrod16 · Pull Request #10995 · traefik/traefik · GitHub
Traefik blocks traffic with large HTTP headers. I understand the default value is 1MB from the net/http Go library that Traefik uses, but I can't seem to get that reconfigured (as per the pull request linked above).
I have added `--entrypoints.web.http.maxheaderbytes=1073741824` to the startup args to no avail, and even mounted a dyn.yaml config file with it configured there too.
Error log: `github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:121 > 500 Internal Server Error error="http2: request header list larger than peer's advertised limit"`
please help!
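Added example (my own code, not Traefik's and not from any post in this thread) showing the two things at play in the post above: what Go's `net/http` `Server.MaxHeaderBytes` limit (the 1 MiB default the post mentions, `http.DefaultMaxHeaderBytes`) does on the receiving side for HTTP/1.1 and HTTP/2, and where the exact error string from the log comes from. That string is raised by Go's http2 transport on the *sending* side, before any bytes go out, when the outgoing header list exceeds the `SETTINGS_MAX_HEADER_LIST_SIZE` the peer advertised; an http2 server derives that advertised value from its own `MaxHeaderBytes`. The 1024-byte limit, header counts and header values are constructed for the demo; the test servers stand in for whatever service is on the receiving end.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sizes for the demo. net/http enforces Server.MaxHeaderBytes with
// roughly 4 KiB of slack for the request line and parser buffer, so the
// "large" request has to clear limit+slack, not just the limit.
const (
	limitBytes     = 1024 // Server.MaxHeaderBytes under test; http.DefaultMaxHeaderBytes is 1 MiB
	smallHeaders   = 2    // a couple of padding headers: well under the limit
	largeHeaders   = 200  // ~23 KiB of padding headers: well over limit+slack
	headerValueLen = 100  // bytes per padding header value
)

// Outcome is what a probe observed.
type Outcome string

const (
	Accepted       Outcome = "accepted"          // handler ran, 200
	RejectedServer Outcome = "431 from server"   // receiver read the headers and refused them
	RejectedClient Outcome = "refused by client" // http2 transport would not even send them
)

// newServer starts a test server that answers 200 to anything, with the given
// MaxHeaderBytes. With h2 set it serves HTTP/2 over TLS (httptest configures
// ALPN and a matching client); otherwise it speaks plain HTTP/1.1.
func newServer(maxHeaderBytes int, h2 bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.Config.MaxHeaderBytes = maxHeaderBytes
	if h2 {
		srv.EnableHTTP2 = true
		srv.StartTLS()
	} else {
		srv.Start()
	}
	return srv
}

// Probe sends a GET carrying n padding headers and classifies the result.
func Probe(srv *httptest.Server, n int) Outcome {
	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return Outcome("error: " + err.Error())
	}
	for i := 0; i < n; i++ {
		req.Header.Set(fmt.Sprintf("X-Pad-%04d", i), strings.Repeat("a", headerValueLen))
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		// This is the string from the Traefik log: Go's http2 transport raises it
		// before sending when the header list exceeds the peer's advertised
		// SETTINGS_MAX_HEADER_LIST_SIZE (which the http2 server derives from
		// its MaxHeaderBytes).
		if strings.Contains(err.Error(), "request header list larger than peer's advertised limit") {
			return RejectedClient
		}
		return Outcome("error: " + err.Error())
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return Accepted
	case http.StatusRequestHeaderFieldsTooLarge:
		return RejectedServer
	}
	return Outcome(fmt.Sprintf("status %d", resp.StatusCode))
}

// Run probes an HTTP/1.1 and an HTTP/2 server with the same limit and returns
// the outcomes keyed by "<proto> <small|large>". For HTTP/2 the large request
// is refused by the client if it has already processed the server's SETTINGS,
// or answered with 431 by the server if it has not (Go's own tests accept both).
func Run(maxHeaderBytes int) map[string]Outcome {
	out := map[string]Outcome{}
	for _, h2 := range []bool{false, true} {
		proto := "http/1.1"
		if h2 {
			proto = "h2"
		}
		srv := newServer(maxHeaderBytes, h2)
		out[proto+" small"] = Probe(srv, smallHeaders)
		out[proto+" large"] = Probe(srv, largeHeaders)
		srv.Close()
	}
	return out
}

func main() {
	for k, v := range Run(limitBytes) {
		fmt.Printf("%-15s %s\n", k, v)
	}
}
```

Raising `MaxHeaderBytes` on a server only changes what that server accepts and, for HTTP/2, what it advertises to clients. The log line quoted in the post is the client-side refusal, so the limit being exceeded belongs to the side the proxy is sending to, not to the entrypoint that received the request.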
Share your full Traefik static and dynamic config, and Docker compose file(s) if used.
Using the Helm chart. Mostly default.
Here is the dyn.yaml:
```yaml
dyn.yaml: |
  tls:
    stores:
      default:
        defaultCertificate:
          certFile: '/certs/tls.crt'
          keyFile: '/certs/tls.key'
  http:
    services:
      pipeline-nifi-redirect-uri-ingress-16e5de26dc4ede04dc61:
        loadBalancer:
          sticky: true
      pipeline-nifi-8091:
        loadBalancer:
          sticky: true
  entrypoints:
    web:
      http:
        maxheaderbytes: 1073741824
```
Relevant values.yaml:
```yaml
globalArguments:
  - "--global.sendanonymoususage=false"
  - "--global.checknewversion=false"
  - "--providers.kubernetescrd.allowCrossNamespace=true"
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--log.level=DEBUG"
  - "--providers.file.filename=/config/dyn.yaml"
  - "--api.basePath=/services/traefik"
  - "--entrypoints.web.http.maxheaderbytes=1073741824"
image:
  registry: docker.io
  repository: traefik
  tag: v3.5.0
  pullPolicy: IfNotPresent
volumes:
  - name: traefik-config
    mountPath: '/config'
    type: configMap
deployment:
  enabled: true
  replicas: 1
  annotations: {}
  podAnnotations: {}
  additionalContainers:
  initContainers:
ports:
  web:
    port: 8000
    expose:
      default: true
    exposedPort: 443
    protocol: TCP
  websecure: ~
```
A little unorthodox, but we are not using websecure. Instead, we have exposed web on port 443 with TLS passthrough. TLS is handled externally by an AWS LB.
Use 3 backticks before and after code/config to make it more readable and preserve spacing, which is important in yaml.
What’s the TLS passthrough used for? Your target service has its own TLS cert?
Oops, sorry, I misspoke.
There is no TLS passthrough.
There is TLS on the AWS LB (terminated), no TLS between the LB and Traefik, and no TLS between Traefik and the service.
Relevant config for this issue:
```
--entrypoints.web.http.maxheaderbytes=1073741824
```