Calling insecure endpoint from a website runs under HTTPS - nginx


I too had this issue. Everything on a page should come and request HTTPS if you are using HTTPS and don't want warnings/errors. You don't need to implement an API to proxy if you are using nginx. Whatever you implement will be a performance hit, as you correctly surmise. Just use proxy_pass in nginx. In our configuration, we have:

    location /thirdparty/ {
        # Trailing slash: the matched /thirdparty/ prefix is replaced by /
        proxy_pass http://thirdpartyserver/;
    }

Notice the trailing slash in proxy_pass. I keep all third-party APIs which are HTTP under https://myserver/thirdparty/requesturl. The trailing slash removes thirdparty while making the request, so it becomes http://thirdpartyserver/request

Official reference: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
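The trailing-slash rule described above, as an added example that is not part of the original answer: a simplified Python model of how nginx maps a request to the upstream URL for a prefix location. It assumes no regex locations, no variables in proxy_pass and an already-normalized URI; the function names are hypothetical. It also flags the point made in the other answer that the hop from nginx to the third party is still plaintext HTTP.

```python
from urllib.parse import urlsplit


def upstream_url(location_prefix, proxy_pass, request_uri):
    """Model nginx proxy_pass rewriting for a prefix location.

    Returns the URL nginx would request upstream, or None when the
    location does not match. Simplified: prefix locations only.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location_prefix):
        return None
    target = urlsplit(proxy_pass)
    origin = f"{target.scheme}://{target.netloc}"
    if target.path == "":
        # proxy_pass without a URI part: request path is passed unchanged.
        new_path = path
    else:
        # proxy_pass with a URI part (even just "/"): the part of the path
        # that matched the location is replaced by that URI.
        new_path = target.path + path[len(location_prefix):]
    return origin + new_path + sep + query


def plaintext_hop(proxy_pass):
    """True when the nginx-to-upstream leg is unencrypted HTTP."""
    return urlsplit(proxy_pass).scheme == "http"


if __name__ == "__main__":
    # Constructed sample requests; host names follow the answer's config.
    cases = [
        ("/thirdparty/", "http://thirdpartyserver/", "/thirdparty/requesturl"),
        ("/thirdparty/", "http://thirdpartyserver", "/thirdparty/requesturl"),
        ("/thirdparty/", "http://thirdpartyserver/api", "/thirdparty/users?id=1"),
        ("/thirdparty", "http://thirdpartyserver/", "/thirdparty/x"),
    ]
    for loc, target, uri in cases:
        note = " (plaintext upstream hop)" if plaintext_hop(target) else ""
        print(f"location {loc:13} proxy_pass {target:28} {uri} -> "
              f"{upstream_url(loc, target, uri)}{note}")
```

The last two cases show why the slashes on the location and on proxy_pass should agree: a mismatch yields a joined path segment or a doubled slash upstream.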


In order to allow mixed content, the individual users must allow it in their browsers. Allowing HTTP content from one source is enough to compromise the security of HTTPS, so browsers forbid mixed content by default. The solutions I see are:

  1. Getting rid of HTTPS (which I would NOT recommend)
  2. Doing what you suggested and proxying requests through (this still isn't great security-wise)
  3. Get rid of the HTTP content

Google has some recommendations for developers under step 1 (but they are basically echoed above): https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content#step-1