Michael, what method are you using since you aren't using Pound? -- are you using another external proxy?
It wouldn't be hard to add this to the toolkit so that you could enable it via a package param, and it would be proxy-independent, as long as you can configure the proxy to pass in a custom header for secure connections -- all we would need is a standard header and value, such as X-SSL-Request: 1.
I have not tried to restrict the entire host-node-mapped subsite to SSL so I have not seen that problem.