--- includes/bootstrap.inc.orig	2009-04-02 16:39:44.000000000 -0400
+++ includes/bootstrap.inc	2009-04-06 04:39:45.000000000 -0400
@@ -476,7 +476,38 @@
   }
   else {
     // Create base URL
-    $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
+    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
+      // We're running HTTPS natively in the web server.
+      $base_root = 'https';
+    }
+    elseif (!isset($conf['reverse_proxy']) || $conf['reverse_proxy'] === TRUE) {
+      // Only trust this header if reverse_proxy is on or unset.  Note that
+      // this header is provided by the client and therefore can't be trusted.
+      if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
+        // We're behind a proxy that talks to the web server via HTTP.
+        if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == "https" || $_SERVER['HTTP_X_FORWARDED_PROTO'] == "HTTPS") {
+          // We appear to be behind a proxy.  I hope 'reverse_proxy' is set!
+          $base_root = "https";
+        }
+        else {
+          // There's a proxy, but no HTTPS.
+          $base_root = "http";
+        }
+      }
+      elseif (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && $_SERVER['HTTP_FRONT_END_HTTPS'] == 'on') {
+        // The proxy follows the Microsoft convention for passing protocol
+        // information back to the web server per MS KB document Q307347.
+        $base_root = 'https';
+      }
+      else {
+        // No signs of HTTPS, or the signs failed input validation.
+        $base_root = "http";
+      }
+    }
+    else {
+      // There's no HTTPS spoor, or it's not allowed; we'll use HTTP.
+      $base_root = 'http';
+    }
 
     $base_url = $base_root .= '://' . $_SERVER['HTTP_HOST'];