348c348,379
< $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
---
> if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
> // We're running HTTPS natively in the web server.
> $base_root = 'https';
> }
> elseif (!isset($conf['reverse_proxy']) || $conf['reverse_proxy'] === TRUE) {
> // Only trust this header if reverse_proxy is on or unset. Note that
> // this header is provided by the client and therefore can't be trusted.
> if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
> // We're behind a proxy that talks to the web server via HTTP.
> if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == "https" || $_SERVER['HTTP_X_FORWARDED_PROTO'] == "HTTPS") {
> // We appear to be behind a proxy. I hope 'reverse_proxy' is set!
> $base_root = "https";
> }
> else {
> // There's a proxy, but no HTTPS.
> $base_root = "http";
> }
> }
> elseif (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && $_SERVER['HTTP_FRONT_END_HTTPS'] == 'on') {
> // The proxy follows the Microsoft convention for passing protocol
> // information back to the web server per MS KB document Q307347.
> $base_root = 'https';
> }
> else {
> // No signs of HTTPS, or the signs failed input validation.
> $base_root = "http";
> }
> }
> else {
> // There's no HTTPS spoor, or it's not allowed; we'll use HTTP.
> $base_root = 'http';
> }
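Review bot: The `elseif (!isset($conf['reverse_proxy']) || $conf['reverse_proxy'] === TRUE)` guard honours `X-Forwarded-Proto` and `Front-End-Https` whenever `reverse_proxy` is unset, so an installation with no proxy configured takes `$base_root` from a request header that, as the comment right below it says, the client controls. Trust should be opt-in, `elseif (isset($conf['reverse_proxy']) && $conf['reverse_proxy'] === TRUE) {`, and ideally applied only when `$_SERVER['REMOTE_ADDR']` is one of the configured proxy addresses (if this is Drupal's bootstrap, the `reverse_proxy_addresses` setting). Anything later built from `$base_root`, such as absolute URLs or cache keys, would presumably inherit a spoofed scheme; that code and the enclosing function are outside this hunk. The value test could also be `strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https'`, so mixed-case values are not silently treated as HTTP.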