So, we've had conversations about detecting SSL terminators, for two
reasons:
1. It would allow us to know when, particularly, we should trust
x_forwarded_for fields for geolocation;
2. More importantly, it would allow us to reliably exclude traffic from
internal IP ranges without excluding SSL traffic.
Aaron talked to Ops about this problem (notes at
http://etherpad.wikimedia.org/p/ssl_terminators) - in conversation with
Ori, though, I found out that this approach won't actually work, because
caches != SSL terminators, all the time.
So: what's the right approach? How do we find these things easily and
automagically?
--
Oliver Keyes
Research Analyst
Wikimedia Foundation