So, we've had conversations about detecting SSL terminators, for two reasons:
1. It would allow us to know when, particularly, we should trust x_forwarded_for fields for geolocation; 2. More importantly, it would allow us to reliably exclude traffic from internal IP ranges without excluding SSL traffic.
Aaron talked to Ops about this problem (notes at http://etherpad.wikimedia.org/p/ssl_terminators) - in conversation with Ori, though, I found out that this approach won't actually work, because caches != SSL terminators, all the time.
So: what's the right approach? How do we find these things easily and automagically.