web.core.lef (reverse proxy)
Overview
web.core.lef (instance np-web) is the reverse proxy / public ingress for services hosted in the EVEO private cloud.
This VM runs on np-leftec-hipervisorA-1.
Public HTTP(S) traffic is filtered and forwarded by the EVEO-managed perimeter firewall before it reaches this server (see Firewall & public ingress).
Purpose
- Serve as the entrypoint for LEF-hosted sites and apps (virtual hosts).
- Terminate/serve TLS according to our certificate process.
- Proxy traffic to internal backends (tools, Thinkwise environments, bare metal services).
Inventory
| Item | Value |
|---|---|
| Provider | EVEO private cloud (VM) |
| Instance | np-web |
| VMID (Proxmox) | 100 |
| OS | Debian 12 |
| vCPU | 1 |
| RAM | 1 GB |
| Disk | 20 GB |
| LAN IP | 192.168.20.2 |
| Public VIPs (HTTP/S ingress) | 192.168.20.112–192.168.20.120 |
Entry points
- SSH (VPN/LAN required): `web.core.lef`
- Public endpoints: see Services and Firewall & public ingress
Host entries (login profiles)
| Host entry | User | Purpose | Related |
|---|---|---|---|
| np-web | root | Host maintenance | — |
| np-web-deploy | deploy | Deploy/ops account for web ingress | NGINX ingress |
Hosted services
- NGINX reverse proxy (vhost configs per service)
- TLS certificate automation (see SSL certificates for web servers)
Operational notes
- To confirm which backend a hostname uses, inspect the active NGINX config (example: `sudo nginx -T`).
- Safe reload pattern: `sudo nginx -t && sudo systemctl reload nginx`
- For listener separation (public VIPs vs internal IP) and default-vhost behavior, see NGINX ingress (public vs internal).
- If a public hostname is down:
  - confirm firewall forwarding and internal VIP mapping (see Firewall & public ingress)
  - confirm the vhost exists for the hostname (see Services)
  - confirm the backend is reachable over VPN/LAN
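
The `nginx -T` check above, as an added example (not part of the original page or this site's own tooling): a shell helper that reduces the dump to one row per server block and looks up the backend for a single hostname. The sample config, hostnames and addresses are constructed, and the parser assumes one directive per line.

```bash
# Added example: map server_name -> proxy_pass from an `nginx -T` dump.
# Assumes one directive per line and no "#" inside directive values.
# vhost_table: dump on stdin -> one TSV row per server block:
# server_name(s) <TAB> listen(s) <TAB> proxy_pass target(s); "-" if absent.
vhost_table() {
  awk '
    function add(list, v) { return list == "" ? v : list "," v }
    function show(v)      { return v == "" ? "-" : v }
    function value(s) { sub(/^[ \t]*[a-z_]+[ \t]+/, "", s); sub(/[ \t]*;[ \t]*$/, "", s); return s }
    {
      sub(/#.*/, "")      # drop comments, including nginx -T file markers
      if (!in_srv && $0 ~ /^[ \t]*server[ \t]*[{]/) {
        in_srv = 1; srv_depth = depth; names = listens = backends = ""
      } else if (in_srv) {
        if ($1 == "server_name") names    = add(names, value($0))
        if ($1 == "listen")      listens  = add(listens, value($0))
        if ($1 == "proxy_pass")  backends = add(backends, value($0))
      }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (in_srv && depth == srv_depth) {   # closing brace of the server block
        printf "%s\t%s\t%s\n", show(names), show(listens), show(backends)
        in_srv = 0
      }
    }'
}

# backend_for HOST: print proxy_pass target(s) of the block naming HOST;
# non-zero exit when no vhost names it (the missing-vhost failure mode).
backend_for() {
  vhost_table | awk -F '\t' -v host="$1" '
    { n = split($1, name, /[ ,]+/)
      for (i = 1; i <= n; i++) if (name[i] == host) { print $3; found = 1 } }
    END { exit !found }'
}

# Constructed sample dump (hostnames and addresses are placeholders).
sample_dump() { cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 192.0.2.10:443 ssl;
        server_name app.example.test www.example.test;
        location / {
            proxy_pass http://10.0.0.21:8080;  # constructed LAN backend
        }
    }
}
EOF
}
sample_dump | vhost_table
```

On the proxy itself the same functions read the live config: `sudo nginx -T 2>/dev/null | backend_for <hostname>`.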
Backup & recovery
- This VM is backed up daily via EVEO (see `np-leftec-hipervisorA-1`).
Known risks / failure modes
- Missing vhost or TLS certificate → 404 / TLS errors.
- Wrong EVEO forwarding (public IP → VIP) → the request never reaches `web.core.lef`.
- Backend service down → 502/504 at the proxy.