diff --git a/lib/modules/http.js b/lib/modules/http.js
index 9434e03..704f331 100644
--- a/lib/modules/http.js
+++ b/lib/modules/http.js
@@ -275,6 +275,30 @@ module.exports.create = function (deps, conf, greenlockMiddleware) {
 return false;
 }
 
+ var index = opts.firstChunk.indexOf('\r\n\r\n');
+ var body = opts.firstChunk.slice(index);
+
+ var head = opts.firstChunk.slice(0, index).toString();
+ var headLines = head.split('\r\n');
+ // First strip any existing `X-Forwarded-*` headers (for security purposes?)
+ headLines = headLines.filter(function (line) {
+ return !/^x-forwarded/i.test(line);
+ });
+ // Then add our own `X-Forwarded` headers at the end.
+ if (conf.http.trustProxy && headers['x-forwarded-proto']) {
+ headLines.push('X-Forwarded-Proto: ' + headers['x-forwarded-proto']);
+ } else {
+ headLines.push('X-Forwarded-Proto: ' + conn.encrypted ? 'https' : 'http');
+ }
+ var proxyChain = (headers['x-forwarded-for'] || '').split(/ *, */).filter(Boolean);
+ proxyChain.push(opts.remoteAddress || opts.address || conn.remoteAddress);
+ headLines.push('X-Forwarded-For: ' + proxyChain.join(', '));
+ headLines.push('X-Forwarded-Host: ' + headers.host);
+ // Then convert all of the head lines back into a header buffer.
+ head = Buffer.from(headLines.join('\r\n'));
+
+ opts.firstChunk = Buffer.concat([head, body]);
+
 var newConnOpts = separatePort(mod.address);
 newConnOpts.servername = separatePort(headers.host).host;
 newConnOpts.data = opts.firstChunk;
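Review bot: The fallback `headLines.push('X-Forwarded-Proto: ' + conn.encrypted ? 'https' : 'http');` parses as `('X-Forwarded-Proto: ' + conn.encrypted) ? 'https' : 'http'`, so it always appends a bare `https` line with no header name and the backend never receives a proxy-set proto; parenthesise the conditional: `headLines.push('X-Forwarded-Proto: ' + (conn.encrypted ? 'https' : 'http'));`. The `X-Forwarded-For` chain is seeded from `headers['x-forwarded-for']` (presumably parsed from the incoming request) without the `conf.http.trustProxy` check that guards the proto header, so the value a direct client sent survives even though its raw line was filtered out; seed it with `(conf.http.trustProxy && headers['x-forwarded-for']) || ''` instead. `indexOf('\r\n\r\n')` returns -1 when the first chunk does not contain the complete head, and the two `slice` calls then split the buffer at its last byte, so the rewrite should be skipped in that case. The enclosing function starts and ends outside the hunk, and where `headers` is built is not visible here.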