Reverse proxy to show Shopify store under subpath returns 403 Forbidden

Online Store and Theme Development
1

Hi everyone,

We’re trying to expose our Shopify store under a subpath of our main website using a reverse proxy, but we’re running into a 403 Forbidden issue and could use some guidance.

Goal

We want our shop to be accessible at:

https://www.example.com/nl/kopen

Instead of the default Shopify domain.
For testing, this is currently set up on a staging environment:

https://staging.example.com/nl/kopen

Which should proxy to our Shopify store at:

https://shop.example-shopify.com/nl

Current setup

We’re using Apache as a reverse proxy. The relevant configuration looks like this:

SSLProxyEngine On

<Location "/nl/kopen">
    ProxyPreserveHost Off
    ProxyPass "https://shop.example-shopify.com/nl"
    ProxyPassReverse "https://shop.example-shopify.com/nl"
</Location>

Problem

When we visit:

https://staging.example.com/nl/kopen

We receive a 403 Forbidden response.

What we’re wondering

  • Is Shopify blocking reverse proxying under a subdirectory (rather than a subdomain)?

  • Does Shopify require specific headers (e.g. Host, X-Forwarded-*) to be preserved?

  • Is ProxyPreserveHost Off causing Shopify to reject the request?

  • Are there known limitations with Shopify + Apache reverse proxy setups?

Notes

  • SSL is enabled and working

  • The Shopify store itself is reachable directly at https://shop.example-shopify.com/nl

  • This setup is for testing only at the moment

Any insight, best practices, or confirmation of whether this approach is supported by Shopify would be greatly appreciated.

Thanks in advance!

2

Hi @It_SYA

Just to confirm - is this store a regular Shopify store using a Liquid-based theme (ie: not a headless store). If so, what you’re trying to achieve with having the store accessible via a subpath is intentionally not supported.

Shopify’s edge servers detect when requests are being proxied and reject them to prevent session hijacking risks, and other security vulnerabilities.

Liquid storefronts are designed to be served from the root of a domain (e.g., shop.example.com) or the root of a subdomain (e.g., store.example.com). If exposing from a subpath is a hard requirement, I’d recommend looking into building a Hydrogen-powered storefront (or another headless solution) which gives you more control over hosting and URL structure: