diff --git a/README b/README
index f56c3a7994..70491c4c35 100644
--- a/README
+++ b/README
@@ -1355,6 +1355,11 @@ ssl: whether to use HTTPS for file URLs. Defaults to null, meaning to
 filecommand: command to use for determining the type of a file. May be
     skipped if fileinfo extension is installed. Defaults to
     '/usr/bin/file'.
+sslserver: if specified, this server will be used when creating HTTPS
+    URLs. Otherwise, the site SSL server will be used, with /file/ path.
+sslpath: if this and the sslserver are specified, this path will be used
+    when creating HTTPS URLs. Otherwise, the attachments|path value
+    will be used.
 
 group
 -----
diff --git a/classes/File.php b/classes/File.php
index d457968b5e..da029e39b6 100644
--- a/classes/File.php
+++ b/classes/File.php
@@ -261,22 +261,41 @@ class File extends Memcached_DataObject
             // TRANS: Client exception thrown if a file upload does not have a valid name.
             throw new ClientException(_("Invalid filename."));
         }
-        if(common_config('site','private')) {
+
+        if (common_config('site','private')) {
 
             return common_local_url('getfile',
                                 array('filename' => $filename));
 
+        }
+
+        if (StatusNet::isHTTPS()) {
+
+            $sslserver = common_config('attachments', 'sslserver');
+
+            if (empty($sslserver)) {
+                // XXX: this assumes that background dir == site dir + /file/
+                // not true if there's another server
+                if (is_string(common_config('site', 'sslserver')) &&
+                    mb_strlen(common_config('site', 'sslserver')) > 0) {
+                    $server = common_config('site', 'sslserver');
+                } else if (common_config('site', 'server')) {
+                    $server = common_config('site', 'server');
+                }
+                $path = common_config('site', 'path') . '/file/';
+            } else {
+                $server = $sslserver;
+                $path   = common_config('attachments', 'sslpath');
+                if (empty($path)) {
+                    $path = common_config('attachments', 'path');
+                }
+            }
+
+            $protocol = 'https';
+
         } else {
+
             $path = common_config('attachments', 'path');
-
-            if ($path[strlen($path)-1] != '/') {
-                $path .= '/';
-            }
-
-            if ($path[0] != '/') {
-                $path = '/'.$path;
-            }
-
             $server = common_config('attachments', 'server');
 
             if (empty($server)) {
@@ -285,19 +304,18 @@ class File extends Memcached_DataObject
 
             $ssl = common_config('attachments', 'ssl');
 
-            if (is_null($ssl)) { // null -> guess
-                if (common_config('site', 'ssl') == 'always' &&
-                    !common_config('attachments', 'server')) {
-                    $ssl = true;
-                } else {
-                    $ssl = false;
-                }
-            }
-
             $protocol = ($ssl) ? 'https' : 'http';
-
-            return $protocol.'://'.$server.$path.$filename;
         }
+
+        if ($path[strlen($path)-1] != '/') {
+            $path .= '/';
+        }
+
+        if ($path[0] != '/') {
+            $path = '/'.$path;
+        }
+
+        return $protocol.'://'.$server.$path.$filename;
     }
 
     function getEnclosure(){
diff --git a/lib/default.php b/lib/default.php
index 45e35e83d3..08ad811b61 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -210,6 +210,8 @@ $default =
         array('server' => null,
               'dir' => INSTALLDIR . '/file/',
               'path' => $_path . '/file/',
+              'sslserver' => null,
+              'sslpath' => null,
               'ssl' => null,
               'supported' => array('image/png',
                                    'image/jpeg',