diff --git a/https.go b/https.go
index 271b55ca..2236c3e7 100644
--- a/https.go
+++ b/https.go
@@ -268,7 +268,12 @@ func (proxy *ProxyHttpServer) handleHttps(w http.ResponseWriter, r *http.Request
 }
 if isWebSocketRequest(req) {
 ctx.Logf("Request looks like websocket upgrade.")
- proxy.serveWebsocketTLS(ctx, w, req, tlsConfig, rawClientTls)
+ if req.URL.Scheme == "http" {
+ ctx.Logf("Enforced HTTP websocket forwarding over TLS")
+ proxy.serveWebsocketHttpOverTLS(ctx, w, req, rawClientTls)
+ } else {
+ proxy.serveWebsocketTLS(ctx, w, req, tlsConfig, rawClientTls)
+ }
 return
 }
 if err != nil {
diff --git a/websocket.go b/websocket.go
index 522b88e3..753a1e8d 100644
--- a/websocket.go
+++ b/websocket.go
@@ -46,6 +46,27 @@ func (proxy *ProxyHttpServer) serveWebsocketTLS(ctx *ProxyCtx, w http.ResponseWr
 proxy.proxyWebsocket(ctx, targetConn, clientConn)
 }
+func (proxy *ProxyHttpServer) serveWebsocketHttpOverTLS(ctx *ProxyCtx, w http.ResponseWriter, req *http.Request, clientConn *tls.Conn) {
+ targetURL := url.URL{Scheme: "ws", Host: req.URL.Host, Path: req.URL.Path}
+
+ // Connect to upstream
+ targetConn, err := proxy.connectDial(ctx, "tcp", targetURL.Host)
+ if err != nil {
+ ctx.Warnf("Error dialing target site: %v", err)
+ return
+ }
+ defer targetConn.Close()
+
+ // Perform handshake
+ if err := proxy.websocketHandshake(ctx, req, targetConn, clientConn); err != nil {
+ ctx.Warnf("Websocket handshake error: %v", err)
+ return
+ }
+
+ // Proxy wss connection
+ proxy.proxyWebsocket(ctx, targetConn, clientConn)
+}
+
 func (proxy *ProxyHttpServer) serveWebsocket(ctx *ProxyCtx, w http.ResponseWriter, req *http.Request) {
 targetURL := url.URL{Scheme: "ws", Host: req.URL.Host, Path: req.URL.Path}
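Review bot: The new `req.URL.Scheme == "http"` branch in handleHttps relays a websocket that the client opened over TLS to the upstream in cleartext, and nothing in the hunk shows where that scheme is set or who is allowed to set it. If it can only become "http" through a request handler's deliberate rewrite, record that above the branch, e.g. `// A request handler rewrote the URL to http://; the upstream leg is intentionally plaintext.`; if it can be derived from client-supplied request data, the downgrade should be gated by explicit proxy configuration instead. The log text "Enforced HTTP websocket forwarding over TLS" reads as the opposite of what happens; `ctx.Warnf("Forwarding TLS-intercepted websocket to upstream over plain HTTP")` would make the downgrade visible to whoever audits the proxy logs. handleHttps starts and ends outside the hunk.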
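Review bot: serveWebsocketHttpOverTLS passes `req.URL.Host` straight to `proxy.connectDial`, so the cleartext upstream leg goes to whatever port the intercepted request carried, and a host without a port will presumably be rejected by the dialer (Go's TCP dialers expect host:port; connectDial itself is not visible here). Normalise the address first, e.g. `addr := req.URL.Host; if req.URL.Port() == "" { addr = net.JoinHostPort(req.URL.Hostname(), "80") }`, which also removes the need for `targetURL`, whose Scheme and Path are never read. The comment `// Proxy wss connection` is carried over from the TLS variant and should say that only the client leg is TLS, and the function deserves a doc comment such as `// serveWebsocketHttpOverTLS relays a websocket received on an intercepted TLS client connection to the upstream over an unencrypted TCP connection.`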