diff --git a/src/base.h b/src/base.h
index fb2fd8ab..13ef2ab8 100644
--- a/src/base.h
+++ b/src/base.h
@@ -402,6 +402,7 @@ typedef struct connection {
 	cond_cache_t *cond_cache;
 
 	buffer *server_name;
+	buffer *proto;
 
 	/* error-handler */
 	int error_handler_saved_status;
diff --git a/src/connections.c b/src/connections.c
index cd5e09bd..b02f116d 100644
--- a/src/connections.c
+++ b/src/connections.c
@@ -547,6 +547,7 @@ connection *connection_init(server *srv) {
 	CLEAN(parse_request);
 
 	CLEAN(server_name);
+	CLEAN(proto);
 	CLEAN(dst_addr_buf);
 
 #undef CLEAN
@@ -612,6 +613,7 @@ void connections_free(server *srv) {
 		CLEAN(parse_request);
 
 		CLEAN(server_name);
+		CLEAN(proto);
 		CLEAN(dst_addr_buf);
 #undef CLEAN
 		free(con->plugin_ctx);
@@ -663,6 +665,7 @@ int connection_reset(server *srv, connection *con) {
 	CLEAN(parse_request);
 
 	CLEAN(server_name);
+	/*CLEAN(proto);*//* set to default in connection_accepted() */
 #undef CLEAN
 
 #define CLEAN(x) \
@@ -1084,6 +1087,7 @@ connection *connection_accepted(server *srv, server_socket *srv_socket, sock_add
 			connection_close(srv, con);
 			return NULL;
 		}
+		buffer_copy_string_len(con->proto, CONST_STR_LEN("http"));
 		if (HANDLER_GO_ON != plugins_call_handle_connection_accept(srv, con)) {
 			connection_close(srv, con);
 			return NULL;
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index f9433ff8..4c8bedae 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -1255,6 +1255,7 @@ CONNECTION_FUNC(mod_openssl_handle_con_accept)
         return HANDLER_ERROR;
     }
 
+    buffer_copy_string_len(con->proto, CONST_STR_LEN("https"));
     con->network_read = connection_read_cq_ssl;
     con->network_write = connection_write_cq_ssl;
     SSL_set_app_data(hctx->ssl, hctx);
diff --git a/src/mod_proxy.c b/src/mod_proxy.c
index 94e2b0b1..07b24965 100644
--- a/src/mod_proxy.c
+++ b/src/mod_proxy.c
@@ -841,8 +841,10 @@ static void proxy_set_Forwarded(connection *con, const unsigned int flags) {
         buffer_append_string_len(ds->value, CONST_STR_LEN("proto="));
         if (NULL != dsproto) {
             buffer_append_string_buffer(ds->value, dsproto->value);
+        } else if (con->srv_socket->is_ssl) {
+            buffer_append_string_len(ds->value, CONST_STR_LEN("https"));
         } else {
-            buffer_append_string_buffer(ds->value, con->uri.scheme);
+            buffer_append_string_len(ds->value, CONST_STR_LEN("http"));
         }
         semicolon = 1;
     }
diff --git a/src/response.c b/src/response.c
index e77926d7..e0c44358 100644
--- a/src/response.c
+++ b/src/response.c
@@ -189,12 +189,10 @@ handler_t http_response_prepare(server *srv, connection *con) {
 		 *
 		 */
 
-		/* initial scheme value. can be overwritten for example by mod_extforward later */
-		if (con->srv_socket->is_ssl) {
-			buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("https"));
-		} else {
-			buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("http"));
-		}
+		/* take initial scheme value from connection-level state
+		 * (request con->uri.scheme can be overwritten for later,
+		 *  for example by mod_extforward or mod_magnet) */
+		buffer_copy_buffer(con->uri.scheme, con->proto);
 		buffer_copy_buffer(con->uri.authority, con->request.http_host);
 		buffer_to_lower(con->uri.authority);