diff --git a/defaults/main.yml b/defaults/main.yml
index 50ae18cf..8f1662f1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -255,10 +255,10 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #keystone_user_ssl_ca_cert:
 # Set to true when terminating SSL/TLS at a load balancer
-keystone_external_ssl: false
+keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
 # External SSL forwarding proto
-keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
+keystone_secure_proxy_ssl_header: X-Forwarded-Proto
 ## Override memcached_servers
 keystone_memcached_servers: "{{ memcached_servers }}"
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index b3f9016d..59ad3343 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -20,6 +20,12 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 {% endif -%}
 Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
+ {% if (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
+ RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
+ {% elif not (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
+ RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
+ {% endif %}
+
 {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
 SSLEngine on
 SSLCertificateFile {{ keystone_ssl_cert }}
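Review bot: The new `default(True)` makes `keystone_external_ssl` true whenever `haproxy_ssl` is undefined, so a deployment with no TLS-terminating balancer in front now advertises external SSL by default, while the comment directly above still says to set it to true only when terminating at a load balancer. `default(False)` would keep the previous fallback and still follow `haproxy_ssl` when it is set; at minimum the comment should say the value now tracks `haproxy_ssl`, e.g. `# Follows haproxy_ssl when defined; true only when TLS is terminated at a load balancer`. The second change turns the value from the WSGI environ key `HTTP_X_FORWARDED_PROTO` into the HTTP header name `X-Forwarded-Proto`; if this variable is also rendered into keystone.conf's `secure_proxy_ssl_header` outside this diff, that option expects the environ form and would silently stop matching, so every consumer of the variable is worth confirming before the rename.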
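Review bot: The `elif` branch overwrites `{{ keystone_secure_proxy_ssl_header }}` with `"http"` in exactly the case the flag exists for — TLS terminated at the balancer, Apache listening on plain HTTP — so the `https` value the balancer sends is discarded and Keystone sees every forwarded request as plain HTTP. Overwriting is a sound defence against clients injecting the header only where the true scheme is known locally, which is the first branch; in the second branch the balancer-supplied value should survive, for example `RequestHeader setifempty {{ keystone_secure_proxy_ssl_header }} "http"` (mod_headers, Apache 2.4.7+) or `RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"` when the balancer is the only trusted upstream. Either way a comment above the block stating which component is trusted to set the scheme would make the intent reviewable. The `{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}` block that follows continues outside the hunk.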