# Reverse proxies & ingress

There are two Caddy proxies plus one Traefik (Dokploy) in the estate. The 3 WordPress apex domains bypass E1 Caddy entirely and resolve directly to E2's Traefik.
| Ingress | Server | IP | Software | Fronts |
|---|---|---|---|---|
| EIDOSDev1 Caddy | E1 | 140.238.97.163 | Caddy | All *.projecteidos.com (excluding apex), crm + in.crm.eidos-global.com, crm.tneconnect.app, fourway.tneconnect.app, eidos-global.tneconnect.app |
| EIDOSDev1 Dokploy/Traefik | E2 | 145.241.230.130 | Traefik | The 3 WordPress apex domains (projecteidos.com, eidos-global.com, tneconnect.app) — apex DNS direct |
| ORA448Global Caddy | O1 | 140.238.90.91 | Caddy | All *.448.global |
Status (2026-05-08): E1's Caddyfile is now in Git at `infra/caddy/E1.Caddyfile` with a documented rebuild path. O1's Caddyfile is still on host only — tracked under RM-007. The root cause of the April 2026 outage is therefore only half-fixed.
## Hostname → proxy → upstream map

### EIDOSDev1 Caddy (E1)

| Hostname | Upstream server | Upstream service | App doc |
|---|---|---|---|
| parallax.projecteidos.com | E5 | Paid ADB ORDS endpoint | 01 |
| apex-ur.projecteidos.com | E5 | Paid ADB (alias for Parallax's ADB) | 08 |
| apex1.projecteidos.com | E3 | TnE Connect (Eidos) Free ADB | 09 |
| apex2.projecteidos.com | E4 | Fourway TnE Free ADB | 10 |
| eidos-global.tneconnect.app | E3 | TnE Connect (Eidos) Free ADB | 03 |
| fourway.tneconnect.app | E4 | Fourway TnE Free ADB | 02 |
| bot.projecteidos.com | E2 (Dokploy) | Teams Bot Next.js container | 07 |
| platform.projecteidos.com | E2 (Dokploy) | Dokploy itself | 18 |
| git.projecteidos.com | E2 (Dokploy) | GitLab container | 16 |
| crm.eidos-global.com | E2 (Dokploy) | Twenty CRM | 04 |
| in.crm.eidos-global.com | E2 (Dokploy) | Twenty CRM | 05 |
| crm.tneconnect.app | E2 (Dokploy) | Twenty CRM | 06 |
Caddy on E1 proxies either directly to an ADB ORDS endpoint (the 5 APEX hostnames) or to E2's Dokploy/Traefik (the 6 Dokploy-hosted subdomain apps: Dokploy itself, GitLab, Teams Bot, and the 3 Twenty CRM instances).

[CONFIRM] exact path: does Caddy on E1 talk directly to the Dokploy containers, or does traffic go E1 Caddy → E2 Traefik → container?
### E2 Traefik — apex domains (no Caddy in front)

DNS for the WordPress apex domains points directly to E2 (145.241.230.130); Traefik on E2 routes to the WP containers.

| Hostname | Backend | App doc |
|---|---|---|
| projecteidos.com (apex) | E2 → WordPress container (301 → eidos-global.com) | 11 |
| eidos-global.com (apex) | E2 → WordPress container | 12 |
| tneconnect.app (apex) | E2 → WordPress container | 13 |
Architectural inconsistency (KI-025): subdomain hostnames go via E1 Caddy → E2, but apex hostnames bypass E1 entirely. Same backend (E2), two front-doors with different TLS issuers (Caddy vs Traefik). Worth standardizing.
### ORA448Global Caddy (O1) — same-host proxy

| Hostname | Upstream | App doc |
|---|---|---|
| auth.448.global | local Authentik container | 14 |
| vault.448.global | local Vault container | 15 |
| s3.448.global | local MinIO container | 17 |
| portainer.448.global | local Portainer container | 19 |
| wg.448.global | local Wireguard portal container | 20 |
| monitor.448.global | local Beszel container | 21 |
| notify.448.global | local Gotify container | 23 |
| coder.448.global | local Coder container | 24 |
| n8n.448.global | local n8n container | 25 |
| ai.448.global | local Open WebUI container | 26 |
| draw.448.global | local Draw.io container | 27 |
| tools.448.global | local IT Tools container | 28 |
| videos.448.global | local PE Tube container | 29 |
| apex1.448.global | O2 (Free ADB) ORDS | 30 |
| apex2.448.global | O3 (Free ADB) ORDS | 31 |
## Auth-proxy patterns

Apps with no built-in auth (Draw.io, IT Tools, possibly Beszel UI / Portainer) rely on the proxy or upstream Authentik for access control. Document each:

| App | Proxy auth method | Identity provider | Notes |
|---|---|---|---|
| Draw.io | [INFO NEEDED] | [INFO NEEDED] | open by default — confirm gating |
| IT Tools | [INFO NEEDED] | [INFO NEEDED] | open by default — confirm gating |
| Portainer | [INFO NEEDED] | [INFO NEEDED] | has built-in auth; confirm OIDC to Authentik |
| Vault UI | [INFO NEEDED] | [INFO NEEDED] | should require Wireguard at minimum |
## Risks (initial read)

- Caddyfile not in Git on either E1 or O1. Already caused a real outage. Highest-priority Phase-2 item.
- Proxy is itself an SPOF on each tenancy. E1 down = all PE-side hostnames offline. O1 down = all `*.448.global` offline.
- TLS issuance failures — wildcard certs require DNS API tokens; if those leak, the cert can be reissued by an attacker. If renewal breaks, certs lapse silently.
- No HSTS / weak cipher config audit yet — a common proxy oversight; downgrade attacks become possible.
- No rate-limiting — public dashboards (`portainer.448.global`, `vault.448.global`, `monitor.448.global`) are brute-force targets.
- E1 Caddy is single-pathed — all 15 PE-side hostnames behind one 1-vCPU Free VPS. Capacity headroom unknown.
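Added example, not part of this page or the estate's own tooling: a small Python audit that encodes the routing rules from the ingress map above (WP apex → E2, `*.448.global` → O1, everything else → E1) together with the HSTS item in this risk list, so the hostname → proxy map and the header gap can be checked against live DNS and responses. The 31536000-second threshold is an assumption taken from the HSTS preload requirement, not from this page; `resolve` and `fetch` are injectable so the same checks run on recorded data.

```python
import socket
import urllib.error
import urllib.request

# Front-door IPs from the ingress table on this page.
E1_CADDY = "140.238.97.163"
E2_TRAEFIK = "145.241.230.130"
O1_CADDY = "140.238.90.91"
# The 3 WordPress apex domains whose DNS points direct to E2 (KI-025).
WP_APEX = {"projecteidos.com", "eidos-global.com", "tneconnect.app"}

def expected_ingress_ip(host: str) -> str:
    """Return the proxy IP that should front `host` per the ingress table."""
    if host in WP_APEX:
        return E2_TRAEFIK
    if host.endswith(".448.global"):
        return O1_CADDY
    return E1_CADDY

def audit_headers(headers: dict) -> list:
    """Flag the HSTS gap listed under Risks (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security", "")
    if "max-age=" not in hsts:
        return ["no Strict-Transport-Security header"]
    try:
        max_age = int(hsts.split("max-age=")[1].split(";")[0].strip())
    except ValueError:
        return [f"unparseable HSTS header: {hsts!r}"]
    # One year is the minimum the browser preload list accepts (assumed threshold).
    return [f"HSTS max-age {max_age} is below 31536000"] if max_age < 31536000 else []

def head_headers(host: str) -> dict:
    """Default fetcher: HTTPS HEAD on the hostname; 4xx/5xx replies still carry headers."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as err:
        return dict(err.headers)

def audit_host(host: str, resolve=socket.gethostbyname, fetch=head_headers) -> list:
    """Compare live DNS and headers with the documented map; both lookups are injectable."""
    actual, expected = resolve(host), expected_ingress_ip(host)
    findings = [] if actual == expected else [f"resolves to {actual}, ingress table says {expected}"]
    try:
        findings += audit_headers(fetch(host))
    except OSError as exc:  # DNS, TLS or connection failure (ssl.SSLError is an OSError)
        findings.append(f"HTTPS check failed: {exc}")
    return findings
```

Run `audit_host()` over every hostname in the three tables above; an apex domain reported as resolving to E1, or a subdomain to E2, means the KI-025 split has drifted from what this page documents.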