Can I use a proxy server to handle SSL?

Question

I'm currently building out a Shopify storefront, but unfortunately, they don't support SSL for custom domains. Right now, I'm thinking that I can get around this by doing the following:

1. Spin up an nginx server to serve SSL certs/handshake (or maybe use AWS's ELB for this)
2. proxy_pass all requests to my Shopify url (e.g. bioballs-store.myshopify.com)

Are there any gotchas that make this a bad idea? I've already tried this out, and it seems to be working just fine.

Their official way to handle custom domains is to use a CNAME.

Answer 1

If the proxy site is served over https, as you have stated in comments below, then I can't see a problem with this. In fact some CDNs allow this same model (see Cloudflare for example).

It will be a little slower than straight http (as you basically decrypt and encrypt again) but I doubt it would be noticeably slower. Also it does require keeping two sets of SSL config up to date though, but that's a minor inconvenience.

However if you were planning on using https at the front end and http for the second hop then this would mean that the traffic between your Nginx setup and shopify url would not be encrypted. This is similar to how Cloudflare's flexible SSL option works to continue with that example.

There is an argument that the most danger exists between the user and their first point of contact (i.e. user and Nginx in this case), as it's easier to hijack this traffic (with a rogue wi-fi hotspot for example) and this would now be protected by securing the end point.

However some people (quite rightly in my opinion!) feel it's disingenuous to serve your site over https, and give your users confidence it's secure, when in fact it's still travelling unencrypted over the Internet for part of its journey, especially as there is no way of a visitor knowing this.