[MrRadar]

OK, now I understand what you meant about "a forward proxy on the client side" (as that's exactly what I mean by "use a proxy to strip the encryption"). But I still don't understand why that allows you to not have to use HTTPS-only on the originating server to get the benefits of HTTPS-only?

[apple_innocent]

Because I the user am running a forward proxy to encrypt all outgoing HTTP requests, I do not have to rely on "HTTPS-only" on the server side. I enforce "HTTP-everywhere" on the client side. That's the theory anyway.

To be honest there are still some sites that do not, and will probably never, offer HTTPS and I have to account for those with the proxy setup. For these websites I might assign them a different local IP that does not add encryption.

In running this setup there are some times where I find that for one reason or another "HTTPS-only" on the server side has failed to catch every instance where http:// should be https://. I use many different clients, the least of which is the modern browser which may have some whizbang features to try to enforce "HTTPS-everywhere". The clients I use more are simpler, less complex and do not have such features. Instead of relying on the modern browser, I rely on an extensive proxy configuration to make sure everything gets encrypted (when appropriate).