
I am trying to host my entire portfolio which consists of 5 React + Node.js apps (including the portfolio itself) on AWS. For each project I am hosting the frontend on S3 and fronting them with a CloudFront distribution. I have set up the portfolio to be served from a Route53 custom domain I'll call mydomain.com which has HTTPS through an ACM SSL certificate. The other apps can use the website endpoint from their bucket. I want the frontends of all the apps to interact with the EC2 instance by calling `https://api.mydomain.com:${APP_PORT}/${ROUTE}`, where APP_PORT is whatever port the desired API is running at. I have installed Node.js on my instance, cloned 2 repos, and started the apps with PM2. Each app listens for a GET request at `/` and returns `${APP_NAME} API working properly`. One is running on port 5000 and the other on 5001. I have the following inbound rules in the security group attached to the instance:

| Type | Protocol | Port range | Source |
|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 |
| HTTP | TCP | 80 | ::/0 |
| SSH | TCP | 22 | 0.0.0.0/0 |
| SSH | TCP | 22 | ::/0 |
| Custom TCP | TCP | 5000 | 0.0.0.0/0 |
| Custom TCP | TCP | 5000 | ::/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | ::/0 |
| Custom TCP | TCP | 5001 | 0.0.0.0/0 |
| Custom TCP | TCP | 5001 | ::/0 |

Currently, I can call each API through the public IPv4 DNS of the instance and the port, so `http://ec2-012-34-56-789.compute-1.amazonaws.com:5000/` and `http://ec2-012-34-56-789.compute-1.amazonaws.com:5001/` work. I want to make it work with `https://api.mydomain.com...` instead. From what I've seen I should use an application load balancer and then create an A record in my Route53 hosted zone.

Here's where I'm stuck.

I create an application load balancer with an internal-facing scheme, an IPv4 IP address type, and the following listeners:

| Load balancer protocol | Load balancer port |
|---|---|
| HTTP | 80 |
| HTTPS | 443 |
| HTTPS | 5000 |
| HTTPS | 5001 |

I leave the default VPC and check all the availability zones. In security settings I choose my ACM certificate, which covers mydomain.com, www.mydomain.com, and *.mydomain.com. Default security policy (ELBSecurityPolicy-2016-08). Next, the security group is the same one I am using for my instance. Here's where I think I'm making a mistake: I create a new target group of type instance, protocol HTTP and version HTTP1, and port 80. The health checks are performed through HTTP at `/`. I register my instance and click create.

I create an A record for api.mydomain.com on Route53 as an alias that points to the application load balancer. The target group finished the health check and shows unhealthy. HTTP GET requests to the load balancer DNS name or api.mydomain.com, both followed by either port, show `400 The plain HTTP request was sent to HTTPS port`. HTTPS requests show `Error: Hostname/IP does not match certificate's altnames...` and `502 Bad Gateway` respectively.

Deepak Gupta
Alberto Vilches
  • Is your API server doing some sort of redirect to the EC2 DNS name? If you just go to `api.mydomain.com` in a web browser, does it redirect to a different domain? That's the only way you would be getting that certificate error for API requests going to `api.mydomain.com`. Also, you are going to need to create separate target groups for each port you want to forward requests to on the EC2 instance, right now it sounds like you are forwarding everything to port `80` on the instance, when your API servers are listening on other ports. – Mark B Apr 26 '21 at 15:49
  • @MarkB The apps on my EC2 instance are not doing any kind of redirect, they are only listening for requests. I have created 2 target groups for port 80 (HTTP) and 443 (HTTPS) and assigned them to the corresponding listeners on my load balancer but both fail. I have changed the port 5000 and 5001 listeners to HTTP and forwarded them to another 2 target groups. This makes it so that when I visit ```http://api.mydomain.com:5000``` and ```http://api.mydomain.com:5001``` I get the desired response but I can't connect through HTTPS. Changing them to HTTPS makes the target group fail. – Alberto Vilches Apr 26 '21 at 16:59
  • What happens when you just open `https://api.mydomain.com` in your web browser? What does the browser say about the SSL certificate there? Either you didn't configure the ACM certificate correctly, or that domain is redirecting somehow. – Mark B Apr 26 '21 at 17:03
  • @MarkB I get a ```502 Bad Gateway``` error, with both HTTPS and HTTP. – Alberto Vilches Apr 26 '21 at 17:12
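The thread above comes down to three mismatches between the ALB, the target groups and the instance: an internal-scheme ALB has no public addresses, every HTTPS listener is forwarding to a single target group on instance port 80 where nothing listens (so the health check fails and clients get 502), and the shared security group leaves ports 5000/5001 open to the world, which lets clients bypass the TLS-terminating listeners entirely. The following is an added example, not code from the question or the comments: a small Python audit that models the setup described in the post (listeners, target groups, app ports, security group rules) and reports those problems, then shows the same audit passing on a corrected layout with one HTTP target group per app port, HTTPS listeners in front of them, and the instance ports restricted to the ALB's own security group. The security-group ids and the admin CIDR are placeholders I made up; the apps and ports are the ones from the question.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the question's AWS setup; none of this is AWS API output.


@dataclass(frozen=True)
class Listener:
    protocol: str                  # what clients speak to the ALB: "HTTP" or "HTTPS"
    port: int
    target_group: Optional[str]    # None = listener redirects to HTTPS instead of forwarding


@dataclass(frozen=True)
class TargetGroup:
    name: str
    protocol: str                  # what the ALB speaks to the instance
    port: int                      # instance port used both for forwarding and health checks


@dataclass(frozen=True)
class App:
    name: str
    port: int
    protocol: str = "HTTP"         # the Node processes serve plain HTTP; TLS ends at the ALB


@dataclass(frozen=True)
class SgRule:
    port: int
    source: str                    # CIDR block or a security-group id


@dataclass
class Setup:
    scheme: str                    # "internal" or "internet-facing"
    listeners: tuple
    target_groups: dict            # name -> TargetGroup
    apps: tuple
    instance_sg_rules: tuple       # inbound rules on the instance's security group
    alb_sg_id: str                 # the security group attached to the ALB
    admin_cidrs: tuple = ()        # ranges from which SSH is acceptable


def audit(s: Setup) -> list:
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings = []
    if s.scheme != "internet-facing":
        findings.append("scheme is internal: the ALB only gets private IPs, so public clients cannot reach it")
    apps_by_port = {a.port: a for a in s.apps}
    for l in s.listeners:
        if l.protocol == "HTTP" and l.target_group is not None:
            findings.append(f"listener HTTP:{l.port} forwards cleartext; redirect it to HTTPS instead")
        if l.target_group is None:
            continue
        tg = s.target_groups[l.target_group]
        app = apps_by_port.get(tg.port)
        if app is None:
            findings.append(f"listener {l.protocol}:{l.port} forwards to '{tg.name}' on instance port {tg.port}, "
                            f"where nothing listens: health check fails, clients get 502")
        elif app.protocol != tg.protocol:
            findings.append(f"listener {l.protocol}:{l.port} forwards to '{tg.name}' with {tg.protocol}, "
                            f"but {app.name} speaks {app.protocol} on port {tg.port}: health check fails")
    for r in s.instance_sg_rules:
        if r.port in apps_by_port and r.source != s.alb_sg_id:
            findings.append(f"instance SG opens app port {r.port} to {r.source}: limit it to the ALB security group "
                            f"so the API is only reachable through the TLS-terminated listeners")
        if r.port == 22 and r.source not in s.admin_cidrs:
            findings.append(f"instance SG opens SSH to {r.source}")
    return findings


APPS = (App("portfolio-api", 5000), App("second-api", 5001))
WORLD = ("0.0.0.0/0", "::/0")

# The layout described in the question: one target group on port 80 behind every listener,
# internal scheme, and the instance's security group reused for the ALB.
ASKER = Setup(
    scheme="internal",
    listeners=(Listener("HTTP", 80, "tg-80"), Listener("HTTPS", 443, "tg-80"),
               Listener("HTTPS", 5000, "tg-80"), Listener("HTTPS", 5001, "tg-80")),
    target_groups={"tg-80": TargetGroup("tg-80", "HTTP", 80)},
    apps=APPS,
    instance_sg_rules=tuple(SgRule(p, src) for p in (80, 22, 5000, 443, 5001) for src in WORLD),
    alb_sg_id="sg-instance-shared",   # placeholder id: the question shares one SG between ALB and instance
)

# Corrected layout: one HTTP target group per app port, HTTPS listeners in front,
# HTTP:80 redirecting, and app ports reachable only from a dedicated ALB security group.
FIXED = Setup(
    scheme="internet-facing",
    listeners=(Listener("HTTP", 80, None),
               Listener("HTTPS", 443, "tg-5000"),
               Listener("HTTPS", 5000, "tg-5000"),
               Listener("HTTPS", 5001, "tg-5001")),
    target_groups={"tg-5000": TargetGroup("tg-5000", "HTTP", 5000),
                   "tg-5001": TargetGroup("tg-5001", "HTTP", 5001)},
    apps=APPS,
    instance_sg_rules=(SgRule(5000, "sg-alb-EXAMPLE"), SgRule(5001, "sg-alb-EXAMPLE"),
                       SgRule(22, "203.0.113.0/24")),
    alb_sg_id="sg-alb-EXAMPLE",       # placeholder id for a dedicated ALB security group
    admin_cidrs=("203.0.113.0/24",),  # placeholder admin range (TEST-NET-3)
)

if __name__ == "__main__":
    for label, setup in (("question", ASKER), ("fixed", FIXED)):
        print(f"== {label}: {len(audit(setup))} finding(s)")
        for f in audit(setup):
            print(" -", f)
```

The target-group check also explains the second attempt in the comments: switching a target group on port 5000 to HTTPS fails the health check because the Node process behind it only speaks HTTP. With the corrected layout, the ACM certificate on the listeners covers `api.mydomain.com` via the `*.mydomain.com` entry, the ALB's own security group is what allows 443/5000/5001 from the internet, and the instance no longer needs any world-open rule on the app ports.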
