My current infrastructure is basically a DNS (Route 53) -> WAF -> ALB. The WAF is in front of the load balancer with some AWS managed filters. My application is a PHP web page and an API.
Now I'm trying to improve the security and have been trying Wallarm. I raised the instance and configured it as a new node, but now I'm struggling to put it in front of my ALB. The load balancer only listens on port 443.
What I did was change the DNS to point to the public IP of the Wallarm instance (previously it was set to ALB-alias) and set /etc/nginx/conf.d/default.conf as follows:
    server {
        listen 80;
        listen 443 ssl;

        # the domains for which traffic is processed
        server_name mydomain.com;
        server_name www.mydomain.com;

        # turn on the monitoring mode of traffic processing
        wallarm_mode monitoring;
        wallarm_instance 1;

        location / {
            # setting the address for request forwarding
            proxy_pass https://alb-dns-name.region.elb.amazonaws.com;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
With this configuration the response is: "SSL received a record that exceeded the maximum permissible length".
What am I doing wrong in there? I'm kinda experienced with Apache but pretty noob with Nginx.
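
A lint for the server block posted above, as an added example that is not part of the original question: that error is what a browser reports when the bytes arriving on the TLS port do not parse as a TLS record, and the posted block enables `ssl` on 443 without showing any `ssl_certificate` or `ssl_certificate_key`. The function names are hypothetical, the input is reconstructed from the question, and the check assumes the certificate is not inherited from an enclosing `http` block.

```python
import re
# Constructed input: the server block from the question, shortened.
POSTED_CONF = """
server {
    listen 80;
    listen 443 ssl;
    server_name mydomain.com;
    wallarm_mode monitoring;
    location / {
        proxy_pass https://alb-dns-name.region.elb.amazonaws.com;
    }
}
"""

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # naive comment strip (ignores quoted '#')
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Return (name, args) pairs declared directly in the block, skipping nested blocks."""
    out, depth, cur = [], 0, ""
    for ch in body:
        if ch in "{};":
            if ch == ";" and depth == 0 and cur.split():
                out.append((cur.split()[0], cur.split()[1:]))
            depth += {"{": 1, "}": -1, ";": 0}[ch]
            cur = ""
        else:
            cur += ch
    return out

def lint_tls(conf):
    """Report server blocks that enable TLS on a listener but name no certificate or key."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        d = directives(body)
        names = {name for name, _ in d}
        if any(name == "listen" and "ssl" in args for name, args in d):
            for need in ("ssl_certificate", "ssl_certificate_key"):
                if need not in names:
                    findings.append(f"server #{n}: 'listen ... ssl' but no {need}")
    return findings
```

`lint_tls(POSTED_CONF)` returns one finding per missing directive; a block that names both a certificate and a key returns an empty list.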