Tim,
having some problems implementing this as all we can only serve HTTP over the VPN, see Open https via public URL
It seems all the HTTPS is offloaded by your reverse proxy. we can only see the request coming in as HTTP. so would never see a HTTPS connection unless as suggested we pick it up client-side, is of course open to manipulation. preloading i think is overkill too.
It would help massively if it was optionally to enable or disable. i’m surprised no one else is concerned about it.