--- includes/bootstrap.inc.orig	2008-09-20 16:22:23.000000000 -0400
+++ includes/bootstrap.inc	2008-09-29 03:23:52.000000000 -0400
@@ -345,7 +345,34 @@
   }
   else {
     // Create base URL
-    $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
+    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
+      // We're running HTTPS natively in the web server.
+      $base_root = 'https';
+    }
+    elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
+      // Only trust this header on install or if reverse_proxy is on.
+      if (!isset($conf['reverse_proxy']) || $conf['reverse_proxy'] === TRUE) {
+        // We're behind a proxy that talks to the web server via HTTP.
+        if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == "https" || $_SERVER['HTTP_X_FORWARDED_PROTO'] == "HTTPS") {
+          $base_root = "https";
+        }
+        else {
+          $base_root = "http";
+        }
+      }
+      else {
+        $base_root = "http";
+      }
+    }
+    elseif (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && $_SERVER['HTTP_FRONT_END_HTTPS'] == 'on') {
+      // The proxy follows the Microsoft convention for passing
+      // protocol information back to the web server.
+      $base_root = 'https';
+    }
+    else {
+      // There's no HTTPS spoor -- we must be running HTTP.
+      $base_root = 'http';
+    }
 
     // As $_SERVER['HTTP_HOST'] is user input, ensure it only contains
     // characters allowed in hostnames.