Self hosting: EC2 + CloudFront

Ghost-CLI version: 1.14.1

We have configured CloudFront to serve Ghost on the /blog subdirectory.
The origin is configured to add “X-Forwarded-proto:https” headers on each request. CloudFront also terminates HTTPS and forwards all traffic to the origin using HTTP.

Ghost is set up using the ghost-cli; nginx and SSL are disabled.

Case 1:
X-Forwaded-host: example.foo
X-Forwarded-proto: https
site url in ghost config: https://example.foo/blog

But for some reason, Ghost keeps redirecting to use “https” even though SSL termination was done at CloudFront and the same was notified using the attached header.

Case 2:
X-Forwaded-host: example.foo
X-Forwarded-proto: https
site url in ghost config: http://example.foo/blog

If I change the configured site url to use http, it goes through, but the obvious downside is that all the blog URLs are now downgraded to http.

Could you folks help me understand if there are any flaws in my setup? And how to debug this issue further?

My suspicion is that CloudFront is not adding these headers. Is there a way to log the request headers?
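
One way to see which forwarding headers actually reach the origin, as an added example that is not part of the original post and is not Ghost or Ghost-CLI code: a temporary Node.js listener that logs the proxy headers of every request and flags header names that look like forwarding headers but are not the standard ones. The function names, the `HEADER_DEBUG_PORT` variable, the sample host names and the rule that only `https` counts as secure are assumptions made for this sketch.

```javascript
// Added diagnostic, not Ghost code. Run it on the origin in place of the app
// while testing, then compare the log with what CloudFront is meant to send.
const WATCHED = ['host', 'x-forwarded-proto', 'x-forwarded-host', 'x-forwarded-for'];

// Summarise the proxy headers the origin actually received.
// Node's http module lower-cases incoming header names.
function inspectForwarded(headers) {
  const seen = {};
  for (const name of WATCHED) seen[name] = headers[name] ?? null;

  // Proxies may append values ("https, http"); take the first entry, as
  // Express does for req.protocol when trust proxy is enabled.
  const raw = seen['x-forwarded-proto'];
  const proto = raw ? String(raw).split(',')[0].trim().toLowerCase() : null;

  // Names that look like forwarding headers but are not the ones watched,
  // for example a misspelled name that the application would never read.
  const unrecognised = Object.keys(headers).filter(
    (h) => h.startsWith('x-forw') && !WATCHED.includes(h));

  // Assumption: the app treats the request as HTTPS only when proto is "https".
  return { seen, proto, secure: proto === 'https', unrecognised };
}

function startDebugServer(port) {
  const http = require('node:http'); // loaded only when the listener is started
  return http.createServer((req, res) => {
    const entry = { method: req.method, url: req.url, ...inspectForwarded(req.headers) };
    console.log(JSON.stringify(entry)); // one JSON line per request
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('logged\n');
  }).listen(port);
}

// Constructed sample: header names copied as written in Case 1 of the post.
const sample = {
  host: 'origin.example.internal',
  'x-forwaded-host': 'example.foo',
  'x-forwarded-proto': 'https',
};

// Set HEADER_DEBUG_PORT (hypothetical variable) to start listening.
if (process.env.HEADER_DEBUG_PORT) {
  startDebugServer(Number(process.env.HEADER_DEBUG_PORT));
} else {
  console.log(inspectForwarded(sample));
}
```

The listener logs forwarded client addresses, so it is meant to run only for the duration of the test and be stopped afterwards.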