diff --git a/changes/changelog.d/264.enhancement b/changes/changelog.d/264.enhancement
new file mode 100644
index 0000000000000000000000000000000000000000..f527e433c3836013a4c4b89e3e8dff7c0356abd7
--- /dev/null
+++ b/changes/changelog.d/264.enhancement
@@ -0,0 +1,37 @@
+Album cover served in http (#264)
+
+Apache is now serving album covers in https
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Two issues are addressed here. The first one was about Django replying with
+mixed content (http) when queried for covers. Setting up the `X-Forwarded-Proto`
+allows Django to know that the client is using https, and that the reply must
+be https as well.
+
+Second issue was a problem of permission causing Apache a denied access to
+album cover folder. It was solved by adding another block for this path in
+the Apache configuration file for funkwhale.
+
+Here is how to modify your `funkwhale.conf` :
+
+<VirtualHost *:443>
+
+    ...
+    Include /etc/letsencrypt/options-ssl-apache.conf
+
+    #Add this new line
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ...
+
+    #Add this new block below the other <Directory/> blocks
+    <Directory /srv/funkwhale/data/media/albums>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+    </Directory>
+
+    ...
+</VirtualHost>
+
+
diff --git a/deploy/apache.conf b/deploy/apache.conf
index 5b74efecdc029594856ac95f9811daa6cb313fae..f6f9719f6a3fa2c3155f6ce5b1971300a3ef8827 100644
--- a/deploy/apache.conf
+++ b/deploy/apache.conf
@@ -9,7 +9,7 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
 # Define funkwhale-api-ws ws://localhost:5000
 
 
-# HTTP request redirected to HTTPS
+# HTTP requests redirected to HTTPS
 <VirtualHost *:80>
    ServerName ${funkwhale-sn}
 
@@ -22,7 +22,6 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
       Options None
       Require all granted
    </Location>
-
 </VirtualHost>
 
 
@@ -46,6 +45,8 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
    SSLCertificateKeyFile /etc/letsencrypt/live/${funkwhale-sn}/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
 
+   # Tell the api that the client is using https
+   RequestHeader set X-Forwarded-Proto "https"
 
    DocumentRoot /srv/funkwhale/front/dist
 
@@ -112,6 +113,12 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
       Require all granted
    </Directory>
 
+   <Directory /srv/funkwhale/data/media/albums>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+   </Directory>
+
    # XSendFile is serving audio files
    # WARNING : permissions on paths specified below overrides previous definition,
    # everything under those paths is potentially exposed.
@@ -123,6 +130,5 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
       XSendFilePath ${MUSIC_DIRECTORY_PATH}
       SetEnv MOD_X_SENDFILE_ENABLED 1
    </IfModule>
-
 </VirtualHost>
 </IfModule>