diff --git a/defaults/main.yml b/defaults/main.yml
index 40a4b70c..38a10c46 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -108,9 +108,6 @@ keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
 keystone_admin_description: Admin Tenant
 
-## Secure Proxy SSL Information
-#keystone_secure_proxy_ssl_header: X-Forwarded-For
-
 ## Service Type and Data
 keystone_service_setup: true
 keystone_service_region: RegionOne
@@ -171,6 +168,10 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #keystone_user_ssl_key:
 #keystone_user_ssl_ca_cert:
 
+# External SSL forwarding proto
+keystone_ssl_external: true
+keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
+
 ## Caching
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 0d1926b6..b5789e44 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -11,7 +11,7 @@ admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
 member_role_name = {{ keystone_default_role_name }}
 
-{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
+{% if keystone_external_ssl | bool %}
 secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
 {% endif %}
 
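Review bot: The default added here is named `keystone_ssl_external`, but the condition changed in the templates/keystone.conf.j2 hunk tests `keystone_external_ssl`, so this default never reaches the template. Unless `keystone_external_ssl` is defined somewhere outside this diff, rendering will either fail on an undefined variable or leave `secure_proxy_ssl_header` out of the config, depending on how undefined variables are handled. Use one name in both places, for example `keystone_external_ssl: true` in this hunk. The comment above the new variables could also say what the flag controls, e.g. `# Set to true when TLS is terminated on a load balancer in front of keystone`.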
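Review bot: The new condition no longer depends on `keystone_ssl` or on the header variable being defined, and the flag defaults to true in defaults/main.yml, so `secure_proxy_ssl_header` is rendered for every deployment rather than only those that opt in. The header value comes from the request, so it is trustworthy only when a front-end proxy sets or overwrites it on every request and keystone cannot be reached without passing through that proxy. I would state that precondition next to the option, for example `# Only valid when every request passes through a proxy that overwrites X-Forwarded-Proto`. Consider defaulting the flag to false so the option remains an explicit operator choice.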