The scheme is not set when the "forwarded" parameter is set to true. The 'hostAddress' can not contain the scheme information. For example, let us assume that there is a Front Server (reachable from outside via HTTPS) at front of Jetty running on another secured machine. If the Jetty is accessed via HTTP then there is no simple way to "forward" the scheme, too.
The workaround is to write another rewrite handler rule. The attachment contains such an implementation. The configuration of this handler is very easy. The following XML snippet demonstrates its usage:
<!-- Forward the scheme. -->