I’m afraid you misunderstand:
override = copy the contents of a device in the profile into the instance’s own config (at the same time modifying certain keys on the copy if specified). Cannot be run if an instance device exists already. I.e it can only be run once.set = modify a device on an instance, can be run multiple times.not english native…
and if is a mistake or device config in the profile contain mistake, how to do.?
modify directly into instance device.?
You can do lxc profile device set <profile name> <device name> ... to modify a device in a profile.
well !! practical solution 
like it.
learning lxd, not so simple, many concepts…
but the good thing coming.
after installed apache, i get correct connected peer client ip, in log,
and in monit too, with simple rule,
for apache
lxc config device add store proxyv4http80 proxy nat=true listen=tcp:192.168.1.33:80 connect=tcp:0.0.0.0:80
or for monit httpd 2812
lxc config device add store proxyv4monit proxy nat=true listen=tcp:192.168.1.33:2812 connect=tcp:0.0.0.0:2812
and now, i can manage it with fail2ban inthe container…
thanks A LOT for your understanding help !!!