An nginx conf for routing sub domain request to different port with ssl support. You can repeat this for as many sites as required, you just defines an additional server block(s) for each site(sub domain). Note that this strategy requires TLS SNI support on both server and client

nginx.conf

server {
    listen 80;
    server_name admin.mysite.com www.admin.mysite.com;
 
}
 server{  
      location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }
    #listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name admin.mysite.com www.admin.mysite.com;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    listen 80;
    server_name api.mysite.com www.api.mysite.com;
}
 server{   
   location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:4000;
        proxy_redirect off;
    }
    #listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name api.mysite.com www.api.mysite.com;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}