fix: oauth2-proxy config and disable CF proxy for staging wildcard

- Update oauth2-proxy with working GitHub OAuth config
- Add OAUTH2_PROXY_SCOPE=user for proper user info retrieval
- Add OAUTH2_PROXY_UPSTREAMS to proxy staging traffic
- Route staging.domain through oauth2-proxy
- Set *.staging DNS to non-proxied for Let's Encrypt SSL

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

files/stacks/docker-compose.prod.yml

@@ -64,16 +64,16 @@ services:
       - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
       - OAUTH2_PROXY_REVERSE_PROXY=true
       - OAUTH2_PROXY_SET_XAUTHREQUEST=true
-      - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
+      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${DOMAIN}
+      - OAUTH2_PROXY_REDIRECT_URL=https://staging-auth.${DOMAIN}/oauth2/callback
+      - OAUTH2_PROXY_UPSTREAMS=http://writekit-staging:8080
+      - OAUTH2_PROXY_SCOPE=user
     labels:
       - traefik.enable=true
-      - traefik.http.routers.oauth2-proxy.rule=Host(`auth.staging.${DOMAIN}`)
+      - traefik.http.routers.oauth2-proxy.rule=Host(`staging-auth.${DOMAIN}`) || Host(`staging.${DOMAIN}`)
       - traefik.http.routers.oauth2-proxy.tls=true
       - traefik.http.routers.oauth2-proxy.tls.certresolver=cloudflare
       - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
-      - traefik.http.middlewares.staging-auth.forwardauth.address=http://oauth2-proxy:4180/oauth2/auth
-      - traefik.http.middlewares.staging-auth.forwardauth.trustForwardHeader=true
-      - traefik.http.middlewares.staging-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email
     networks:
       - prod
 
@@ -112,7 +112,7 @@ services:
       - traefik.http.routers.writekit-prod-platform.tls=true
       - traefik.http.routers.writekit-prod-platform.tls.certresolver=cloudflare
       - traefik.http.routers.writekit-prod-platform.service=writekit-prod
-      - traefik.http.routers.writekit-prod-blogs.rule=HostRegexp(`^(?!staging\.).+\.${DOMAIN}$$`)
+      - traefik.http.routers.writekit-prod-blogs.rule=HostRegexp(`^.+\.${DOMAIN}$`)
       - traefik.http.routers.writekit-prod-blogs.priority=10
       - traefik.http.routers.writekit-prod-blogs.tls=true
       - traefik.http.routers.writekit-prod-blogs.tls.certresolver=cloudflare
@@ -157,18 +157,12 @@ services:
       - tenants-staging:/data
     labels:
       - traefik.enable=true
-      - traefik.http.routers.writekit-staging-platform.rule=Host(`staging.${DOMAIN}`)
-      - traefik.http.routers.writekit-staging-platform.tls=true
-      - traefik.http.routers.writekit-staging-platform.tls.certresolver=cloudflare
-      - traefik.http.routers.writekit-staging-platform.middlewares=staging-auth
-      - traefik.http.routers.writekit-staging-platform.service=writekit-staging
-      - traefik.http.routers.writekit-staging-blogs.rule=HostRegexp(`^.+\.staging\.${DOMAIN}$$`)
+      - traefik.http.routers.writekit-staging-blogs.rule=HostRegexp(`^.+\.staging\.${DOMAIN}$`)
       - traefik.http.routers.writekit-staging-blogs.priority=20
       - traefik.http.routers.writekit-staging-blogs.tls=true
       - traefik.http.routers.writekit-staging-blogs.tls.certresolver=cloudflare
       - traefik.http.routers.writekit-staging-blogs.tls.domains[0].main=staging.${DOMAIN}
       - traefik.http.routers.writekit-staging-blogs.tls.domains[0].sans=*.staging.${DOMAIN}
-      - traefik.http.routers.writekit-staging-blogs.middlewares=staging-auth
       - traefik.http.routers.writekit-staging-blogs.service=writekit-staging
       - traefik.http.services.writekit-staging.loadbalancer.server.port=8080
     depends_on:

main.tf

@@ -238,7 +238,7 @@ resource "cloudflare_record" "staging_wildcard" {
   name    = "*.staging"
   content = hcloud_server.prod.ipv4_address
   type    = "A"
-  proxied = true
+  proxied = false
 }
 
 resource "cloudflare_record" "source" {