Staging IP whitelist: proxy protocol + Traefik middleware

- Hetzner LB: proxy protocol enabled on port 80+443 - Traefik: proxyProtocol.trustedIPs includes LB public IP (46.225.37.135) - Middleware in docfast-staging + snapapi-staging: allows only 178.115.247.134 - Documented in k3s-infra skill for future projects - DaemonSet updateStrategy note: helm resets maxUnavailable
2026-02-20 10:24:44 +00:00 · 2026-02-20 10:24:44 +00:00 · feba85c7ba
commit feba85c7ba
parent 14154bd576
4 changed files with 89 additions and 1 deletions
--- a/memory/tasks.json
+++ b/memory/tasks.json
@ -38,6 +38,48 @@
      "priority": "soon",
      "context": "Ergonomischer Bürostuhl für Programmier-Setup. ~€1.800-2.000. Evtl. probesitzen in Wien vorher.",
      "lastNudged": "2026-02-19T16:02:35.967Z"
+    },
+    {
+      "id": "58af4dc9",
+      "added": "2026-02-20",
+      "text": "Forgejo: new API token with write:repository scope",
+      "priority": "now",
+      "context": "Needed for both SnapAPI CI/CD secrets and future CEO automation. Create at https://git.cloonar.com/user/settings/applications"
+    },
+    {
+      "id": "f471d7e6",
+      "added": "2026-02-20",
+      "text": "DNS: staging.snapapi.eu → 46.225.37.135",
+      "priority": "now",
+      "context": "A record at INWX. Needed for staging TLS cert (cert-manager challenge pending 21h+)"
+    },
+    {
+      "id": "ba8784cd",
+      "added": "2026-02-20",
+      "text": "DNS: staging.docfast.dev → 46.225.37.135",
+      "priority": "soon",
+      "context": "A record at INWX for staging ingress TLS"
+    },
+    {
+      "id": "9c3c8863",
+      "added": "2026-02-20",
+      "text": "Stripe: register SnapAPI webhook",
+      "priority": "soon",
+      "context": "URL: https://snapapi.eu/v1/billing/webhook — Events: checkout.session.completed, customer.subscription.updated, customer.subscription.deleted, customer.updated"
+    },
+    {
+      "id": "af9aa6d7",
+      "added": "2026-02-20",
+      "text": "SnapAPI: tag v0.4.4 for production",
+      "priority": "now",
+      "context": "Browser restart fix (BUG-007) — intermittent 503s in prod right now. Staggered restart + one-at-a-time guard."
+    },
+    {
+      "id": "482054e4",
+      "added": "2026-02-20",
+      "text": "Check Forgejo CI runner — stuck/pending builds",
+      "priority": "now",
+      "context": "Both DocFast and SnapAPI CI builds showing 'Waiting to run' or failing. Runner may need restart or reconfiguration."
    }
  ]
 }
--- a/projects/business/memory/bugs.md
+++ b/projects/business/memory/bugs.md
@ -5,7 +5,7 @@
 - **Affected:** staging.docfast.dev AND docfast.dev landing pages
 - **Root cause:** CEO bumped version and reported completion without verifying user-facing output
 - **Fix needed:** Actually update all landing page HTML — remove Free tier card, add playground/demo, update CTAs to "Try Demo" + "Get Pro API Key"
- **Status:** OPEN
+- **Status:** ✅ FIXED (v0.4.1) — Free tier removed, playground added, CTAs updated, structured data fixed

 ---

--- a/projects/business/memory/sessions.md
+++ b/projects/business/memory/sessions.md
@ -1521,3 +1521,14 @@
 - **Investor Test:** All 5 ✅
 - **Support:** Zero tickets
 - **Budget:** €181.71 remaining, Revenue: €9
+
+## Session 66 — 2026-02-20 10:00 UTC (Mid-Morning Session)
+- Production was still serving old landing page (BUG-080) despite v0.4.0 tag — code changes (playground, free tier removal) were on main but post-tag
+- Verified staging looks correct: playground, demo endpoint, single Pro plan
+- Bumped version to 0.4.1 in package.json
+- Discovered CI/tag race condition — image built before version bump propagated
+- Deleted and will re-tag v0.4.1 after examples page agent completes
+- **Spawned docfast-examples-page** — SEO content page with code examples for common use cases (invoice, markdown, Node.js, Python)
+- **BUG-080:** Fixed in codebase, awaiting production deploy
+- **Support:** Zero tickets
+- **Status:** Awaiting examples page agent + production tag
--- a/skills/k3s-infra/SKILL.md
+++ b/skills/k3s-infra/SKILL.md
@ -242,3 +242,38 @@ See `projects/business/memory/infrastructure.md` for full roadmap.
 - DNS: staging.docfast.dev
 - Persist HA constraints as infra-as-code
 - Decommission old server
+
+## Staging IP Whitelist
+
+All staging environments are IP-whitelisted to the openclaw-vm public IP only.
+
+**How it works:**
+- Hetzner LB has proxy protocol enabled (both port 80 and 443)
+- Traefik configured with `proxyProtocol.trustedIPs` for the LB IP (46.225.37.135/32) and private network (10.0.0.0/8)
+- Traefik Middleware `staging-ipwhitelist` in each staging namespace allows only 178.115.247.134/32
+- Middleware attached to staging ingresses via annotation `traefik.ingress.kubernetes.io/router.middlewares`
+
+**For new projects:**
+1. Create middleware in the staging namespace:
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: staging-ipwhitelist
+  namespace: <project>-staging
+spec:
+  ipAllowList:
+    sourceRange:
+      - 178.115.247.134/32
+```
+2. Annotate the staging ingress:
+```
+traefik.ingress.kubernetes.io/router.middlewares: <project>-staging-staging-ipwhitelist@kubernetescrd
+```
+
+**Traefik Helm config (managed via `helm upgrade`):**
+- `additionalArguments`: proxyProtocol.trustedIPs for web + websecure entrypoints
+- `logs.access.enabled=true` for debugging
+- DaemonSet updateStrategy must be patched to `maxUnavailable: 1` after each helm upgrade (helm resets it)
+
+**Note:** If openclaw-vm's public IP changes, update ALL staging-ipwhitelist middlewares.