2 changed files with 14 additions and 8 deletions
--- a/files/stacks/docker-compose.prod.yml
+++ b/files/stacks/docker-compose.prod.yml
@ -64,16 +64,16 @@ services:
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
-      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${DOMAIN}
+      - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
      - OAUTH2_PROXY_REDIRECT_URL=https://staging-auth.${DOMAIN}/oauth2/callback
      - OAUTH2_PROXY_UPSTREAMS=http://writekit-staging:8080
      - OAUTH2_PROXY_SCOPE=user
    labels:
      - traefik.enable=true
-      - traefik.http.routers.oauth2-proxy.rule=Host(`staging-auth.${DOMAIN}`) || Host(`staging.${DOMAIN}`)
+      - traefik.http.routers.oauth2-proxy.rule=Host(`auth.staging.${DOMAIN}`)
      - traefik.http.routers.oauth2-proxy.tls=true
      - traefik.http.routers.oauth2-proxy.tls.certresolver=cloudflare
      - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
      - traefik.http.middlewares.staging-auth.forwardauth.address=http://oauth2-proxy:4180/oauth2/auth
      - traefik.http.middlewares.staging-auth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.staging-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email
    networks:
      - prod
@ -112,7 +112,7 @@ services:
      - traefik.http.routers.writekit-prod-platform.tls=true
      - traefik.http.routers.writekit-prod-platform.tls.certresolver=cloudflare
      - traefik.http.routers.writekit-prod-platform.service=writekit-prod
-      - traefik.http.routers.writekit-prod-blogs.rule=HostRegexp(`^.+\.${DOMAIN}$`)
+      - traefik.http.routers.writekit-prod-blogs.rule=HostRegexp(`^(?!staging\.).+\.${DOMAIN}$$`)
      - traefik.http.routers.writekit-prod-blogs.priority=10
      - traefik.http.routers.writekit-prod-blogs.tls=true
      - traefik.http.routers.writekit-prod-blogs.tls.certresolver=cloudflare
@ -157,12 +157,18 @@ services:
      - tenants-staging:/data
    labels:
      - traefik.enable=true
-      - traefik.http.routers.writekit-staging-blogs.rule=HostRegexp(`^.+\.staging\.${DOMAIN}$`)
+      - traefik.http.routers.writekit-staging-platform.rule=Host(`staging.${DOMAIN}`)
      - traefik.http.routers.writekit-staging-platform.tls=true
      - traefik.http.routers.writekit-staging-platform.tls.certresolver=cloudflare
      - traefik.http.routers.writekit-staging-platform.middlewares=staging-auth
      - traefik.http.routers.writekit-staging-platform.service=writekit-staging
      - traefik.http.routers.writekit-staging-blogs.rule=HostRegexp(`^.+\.staging\.${DOMAIN}$$`)
      - traefik.http.routers.writekit-staging-blogs.priority=20
      - traefik.http.routers.writekit-staging-blogs.tls=true
      - traefik.http.routers.writekit-staging-blogs.tls.certresolver=cloudflare
      - traefik.http.routers.writekit-staging-blogs.tls.domains[0].main=staging.${DOMAIN}
      - traefik.http.routers.writekit-staging-blogs.tls.domains[0].sans=*.staging.${DOMAIN}
      - traefik.http.routers.writekit-staging-blogs.middlewares=staging-auth
      - traefik.http.routers.writekit-staging-blogs.service=writekit-staging
      - traefik.http.services.writekit-staging.loadbalancer.server.port=8080
    depends_on:
--- a/main.tf
+++ b/main.tf
@ -238,7 +238,7 @@ resource "cloudflare_record" "staging_wildcard" {
  name    = "*.staging"
  content = hcloud_server.prod.ipv4_address
  type    = "A"
-  proxied = false
+  proxied = true
 }
 resource "cloudflare_record" "source" {