I am trying to host my entire portfolio which consists of 5 React + Node.js apps (including the portfolio itself) on AWS. For each project I am hosting the frontend on S3 and fronting them with a CloudFront distribution. I have set up the portfolio to be served from a Route53 custom domain I'll call mydomain.com which has HTTPS through an ACM SSL certificate. The other apps can use the website endpoint from their bucket. I want the frontends of all the apps to interact with the EC2 instance via calling https://api.mydomain.com:${APP_PORT}/${ROUTE}, where APP_PORT is whatever port the desired API is running at. I have installed Node.js on my instance, cloned 2 repos, and started the apps with PM2. Each app listens to a get request at / and returns ${APP_NAME} API working properly. One is running on the port 5000 and the other on 5001. I have the following inbound rules in the security group attached to the instance:
| Type | Protocol | Port range | Source |
|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 |
| HTTP | TCP | 80 | ::/0 |
| SSH | TCP | 22 | 0.0.0.0/0 |
| SSH | TCP | 22 | ::/0 |
| Custom TCP | TCP | 5000 | 0.0.0.0/0 |
| Custom TCP | TCP | 5000 | ::/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | ::/0 |
| Custom TCP | TCP | 5001 | 0.0.0.0/0 |
| Custom TCP | TCP | 5001 | ::/0 |
Currently, I can call each API through the public IPv4 DNS of the instance and the port, so http://ec2-012-34-56-789.compute-1.amazonaws.com:5000/ and http://ec2-012-34-56-789.compute-1.amazonaws.com:5001/ work. I want to make it work with https://api.mydomain.com... instead. From what I've seen I should use an application load balancer and then create an A record on my Route53 hosted zone.
Here's where I'm stuck.
I create an application load balancer with an internal-facing scheme, an IPv4 IP address type, and the following listeners:
| Load balancer protocol | Load balancer port |
|---|---|
| HTTP | 80 |
| HTTPS | 443 |
| HTTPS | 5000 |
| HTTPS | 5001 |
I leave the default VPC and check all the availability zones. In security settings I choose my ACM certificate, which covers mydomain.com, www.mydomain.com, and *.mydomain.com. Default security policy (ELBSecurityPolicy-2016-08). Next, the security group is the same I am using for my instance. Here's where I think I'm making a mistake: I create a new target groupof type instance, protocol HTTP and version HTTP1, and port 80. The health checks are performed through HTTP at /. I register my instance and clicking create.
I create an A record for api.mydomain.com on Route53 with as an alias that points to the application load balancer. The target group finished the health check and shows unhealthy. HTTP get requests to the load balancer DNS name or api.mydomain.com both followed by either port show 400 The plain HTTP request was sent to HTTPS port. HTTPS requests show Error: Hostname/IP does not match certificate's altnames... and 502 Bad Gateway respectively.