Try moving the redirect to the app layer.

config.py

@@ -60,6 +60,7 @@ class DebugConfig(FlaskConfig, MailConfig, LocalStorage, SQLiteDB):
     'level': logging.DEBUG,
     'format': LOG_FORMAT
   }
+  SECURE_REDIRECT = False
 
 
 class ProductionConfig(FlaskConfig, MailConfig, S3Storage, RDSMySQL):
@@ -69,3 +70,4 @@ class ProductionConfig(FlaskConfig, MailConfig, S3Storage, RDSMySQL):
     'level': logging.DEBUG,
     'format': LOG_FORMAT,
   }
+  SECURE_REDIRECT = True

endpoints/web.py

@@ -1,9 +1,11 @@
 import logging
+import urlparse
 
 from flask import (abort, send_file, redirect, request, url_for,
                    render_template)
 from flask.ext.login import login_user, UserMixin, login_required, logout_user
 from flask.ext.principal import identity_changed, Identity, AnonymousIdentity
+from functools import wraps
 
 from data import model
 from app import app, login_manager
@@ -23,6 +25,20 @@ class _LoginWrappedDBUser(UserMixin):
     return unicode(self.db_user.username)
 
 
+def secure_required(f):
+  @wraps(f)
+  def decorated_view(*args, **kwargs):
+    if (app.config['SECURE_REDIRECT'] and 
+        request.environ['wsgi.url_scheme'] == 'http'):
+
+      logger.debug('Redirecting http url to https.')
+      parsed = urlparse.urlparse(request.url)
+      location = urlparse.urlunparse(('https',) + parsed[1:])
+      return redirect(location)
+    return f(*args, **kwargs)
+  return decorated_view
+
+
 @login_manager.user_loader
 def load_user(username):
   logger.debug('Loading user: %s' % username)
@@ -34,6 +50,7 @@ def load_user(username):
 
 
 @app.route('/', methods=['GET'])
+@secure_required
 def index():
   return send_file('templates/index.html')
 
@@ -50,11 +67,13 @@ def common_login(db_user):
 
 
 @app.route('/signin', methods=['GET'])
+@secure_required
 def render_signin_page():
   return render_template('signin.html')
 
 
 @app.route('/signin', methods=['POST'])
+@secure_required
 def signin():
   username = request.form['username']
   password = request.form['password']
@@ -75,6 +94,7 @@ def signin():
 
 
 @app.route('/confirm', methods=['GET'])
+@secure_required
 def confirm_email():
   code = request.values['code']
   user = model.confirm_user_email(code)
@@ -85,11 +105,13 @@ def confirm_email():
 
 
 @app.route('/reset', methods=['GET'])
+@secure_required
 def password_reset():
   pass
 
 
 @app.route("/signout")
+@secure_required
 @login_required
 def logout():
     logout_user()

wsgi.conf

@@ -8,10 +8,6 @@ WSGIPassAuthorization On
 <VirtualHost *:80>
   SetEnvIf X-Forwarded-Proto https HTTPS=1
 
-  RewriteEngine On
-  RewriteCond %{HTTP:X-Forwarded-Proto} !https
-  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent]
-
   Alias /static /opt/python/current/app/static/
   <Directory /opt/python/current/app/>
     Order allow,deny