I don't think that addresses the problem. I believe the CORS mixed content error is due to javascript requests on the https page that the browser received trying to reach non-https ports, specifically 8080. Here's one of the links that are failing, as revealed by the browser dev-tools network report:
http://do.myriadicity.net:8080/Plone/++api++/@navigation?expand.navigation.depth=1
Changing the rewrite rule you mentioned doesn't help with that – I still get the request for 8080 on the resulting page.
I guess what I need to find out is how to change the address that the frontend requests are making use a particular path rather than a port, and then translate that path (with the rewrite rule) to reach out to the port.
Looking through the plone/plone-frontend list of configuration variables, it looks like the RAZZLE_INTERNAL_API_PATH environment variable is the one I want.
Yes! After rebuilding the containers with RAZZLE_INTERNAL_API_PATH set to a path like http://backend/something_distinct/... I no longer get the mixed content error! I think I found what I'm looking for. Now I will need to adjust the rewrite rule to unmangle that and proxy_pass the request to the backend.
I'll look at the references you sent to see if they provide insights about doing that. Thanks for taking the time to help!
Ken