diff --git a/puppet/zulip/files/nginx/uwsgi_params b/puppet/zulip/files/nginx/uwsgi_params
index 7d261d8b70..b18b74d026 100644
--- a/puppet/zulip/files/nginx/uwsgi_params
+++ b/puppet/zulip/files/nginx/uwsgi_params
@@ -14,5 +14,7 @@ uwsgi_param SERVER_ADDR $server_addr;
 uwsgi_param SERVER_PORT $server_port;
 uwsgi_param SERVER_NAME $server_name;
 uwsgi_param HTTP_X_REAL_IP $remote_addr;
+uwsgi_param HTTP_X_FORWARDED_PROTO $trusted_x_forwarded_proto;
+uwsgi_param HTTP_X_FORWARDED_SSL "";
 uwsgi_pass django;
diff --git a/puppet/zulip/files/nginx/zulip-include-common/proxy b/puppet/zulip/files/nginx/zulip-include-common/proxy
index 756bbcd7b2..4978da7fe8 100644
--- a/puppet/zulip/files/nginx/zulip-include-common/proxy
+++ b/puppet/zulip/files/nginx/zulip-include-common/proxy
@@ -3,7 +3,7 @@ proxy_http_version 1.1;
 # http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
 proxy_set_header Connection "";
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Proto $trusted_x_forwarded_proto;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-Ip $remote_addr;
 proxy_next_upstream off;
diff --git a/puppet/zulip/manifests/nginx.pp b/puppet/zulip/manifests/nginx.pp
index d6115c8cf1..49c08dd138 100644
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@@ -55,6 +55,17 @@ class zulip::nginx {
 content => template('zulip/nginx.conf.template.erb'),
 }
+ $loadbalancers = split(zulipconf('loadbalancer', 'ips', ''), ',')
+ file { '/etc/nginx/zulip-include/trusted-proto':
+ ensure => file,
+ require => Package[$zulip::common::nginx],
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ notify => Service['nginx'],
+ content => template('zulip/nginx/trusted-proto.template.erb'),
+ }
+
 file { '/etc/nginx/uwsgi_params':
 ensure => file,
 require => Package[$zulip::common::nginx],
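Review bot: The two added `uwsgi_param` lines carry no comment saying that they exist to override the client-supplied headers rather than merely set them, so a later editor could read `uwsgi_param HTTP_X_FORWARDED_SSL "";` as a no-op and remove it. A comment above them along the lines of `# Override the client-supplied headers: only the value chosen by the trusted-proto map reaches the app, and X-Forwarded-SSL is cleared so it presumably cannot stand in for X-Forwarded-Proto.` would preserve the intent. The same comment should state that `$trusted_x_forwarded_proto` is defined in a separate include (`/etc/nginx/zulip-include/trusted-proto`) that must be loaded at `http` level, since this file cannot be used on its own without it.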
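Review bot: The trust gate is applied to X-Forwarded-Proto only; the adjacent context line `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` still appends the peer's address to whatever X-Forwarded-For the peer sent, so for peers outside the loadbalancer list the chain handed to the upstream remains partly peer-controlled. Whether that matters depends on the realip configuration and on how upstream consumers read the chain, neither of which is in this diff, but if any consumer reads the leftmost entry, a second map in the trusted-proto include could select between `$remote_addr` and `$proxy_add_x_forwarded_for` the same way. A short comment on the changed line, `# Falls back to $scheme unless the peer is a configured loadbalancer; see zulip-include/trusted-proto.`, would tie this include to the map that defines the variable.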
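Review bot: `split(zulipconf('loadbalancer', 'ips', ''), ',')` hands the entries to the template without trimming or dropping empties, so a value such as `10.0.0.1, 10.0.0.2` (constructed example) produces a geo entry with leading whitespace, and a leading comma produces an entry with no address at all, which nginx rejects; `notify => Service['nginx']` then leaves the running nginx on its previous configuration. Splitting on a regex and filtering empties, `$loadbalancers = split(zulipconf('loadbalancer', 'ips', ''), '[\s,]+').filter |$ip| { $ip != '' }`, keeps the rendered config valid for the common spellings. Because this list is a trust boundary (an address on it may assert the request scheme), a comment above the assignment should say so: `# Peers listed here are trusted to set X-Forwarded-Proto; keep it to the loadbalancers' own addresses or CIDRs.` The enclosing `class zulip::nginx` starts before this hunk.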
diff --git a/puppet/zulip/templates/nginx/trusted-proto.template.erb b/puppet/zulip/templates/nginx/trusted-proto.template.erb
new file mode 100644
index 0000000000..6a342fc840
--- /dev/null
+++ b/puppet/zulip/templates/nginx/trusted-proto.template.erb
@@ -0,0 +1,21 @@
+<% if @loadbalancers.empty? %>
+# "set" is not supported at the server level, so use a map:
+map $remote_addr $trusted_x_forwarded_proto {
+ default $scheme;
+}
+<% else %>
+# We do this in two steps because `geo` does not support variable
+# interpolation in the value, but does support CIDR notation,
+# which the loadbalancer list may use.
+geo $realip_remote_addr $is_x_forwarded_proto_trusted {
+ default 0;
+<% @loadbalancers.each do |host| -%>
+ <%= host %> 1;
+<% end -%>
+}
+
+map $is_x_forwarded_proto_trusted $trusted_x_forwarded_proto {
+ 0 $scheme;
+ 1 $http_x_forwarded_proto;
+}
+<% end %>
diff --git a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
index 8ca8871781..143b5d3809 100644
--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@@ -12,6 +12,7 @@ server {
 }
 <% end -%>
+include /etc/nginx/zulip-include/trusted-proto;
 include /etc/nginx/zulip-include/s3-cache;
 include /etc/nginx/zulip-include/upstreams;
 include /etc/zulip/nginx_sharding_map.conf;
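Review bot: In the non-empty branch the `1 $http_x_forwarded_proto;` arm forwards the loadbalancer's header verbatim, so a trusted peer that omits the header, or sends an unexpected value, yields an empty or arbitrary `$trusted_x_forwarded_proto` instead of the `$scheme` fallback that every other peer gets. Combining both inputs in one map normalizes this: `map "$is_x_forwarded_proto_trusted:$http_x_forwarded_proto" $trusted_x_forwarded_proto { default $scheme; "~^1:(?<proto>https?)$" $proto; }`, which accepts only `http`/`https` from a trusted peer and falls back to `$scheme` otherwise. The choice of `$realip_remote_addr` over `$remote_addr` as the geo key deserves a comment, since it is what keeps the check on the actual TCP peer even when the realip module rewrites `$remote_addr`: `# Keyed on $realip_remote_addr (the TCP peer) so a realip rewrite cannot change which peer is trusted.` That variable comes from ngx_http_realip_module, so a build without it will reject this include; worth stating in the same comment.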