So, we've had conversations about detecting SSL terminators, for two reasons:

1. It would allow us to know when, particularly, we should trust x_forwarded_for fields for geolocation;
2. More importantly, it would allow us to reliably exclude traffic from internal IP ranges without excluding SSL traffic.

Aaron talked to Ops about this problem (notes at http://etherpad.wikimedia.org/p/ssl_terminators) - in conversation with Ori, though, I found out that this approach won't actually work, because caches != SSL terminators, all the time.

So: what's the right approach? How do we find these things easily and automagically?

--
Oliver Keyes
Research Analyst
Wikimedia Foundation
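
Added example, not part of the original message: a Python sketch of the two uses listed above, assuming the set of SSL terminator addresses is already known (which is the open question here). The addresses, ranges and function names are constructed for illustration and are not Wikimedia's.

```python
import ipaddress

# Constructed sample values (assumptions), not real infrastructure.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
SSL_TERMINATORS = {ipaddress.ip_address("10.0.5.1"),
                   ipaddress.ip_address("10.0.5.2")}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_RANGES)


def effective_client(remote_ip, x_forwarded_for):
    """Return (ip, source) to geolocate, or None to exclude the request."""
    peer = ipaddress.ip_address(remote_ip)
    if peer not in SSL_TERMINATORS:
        # Not behind a terminator: x_forwarded_for is client-controlled,
        # so ignore it and judge the connecting address itself.
        return None if is_internal(peer) else (str(peer), "peer")

    # Behind a terminator: the peer address is internal only because of
    # the terminator, so the request must not be dropped on that basis.
    hops = [h.strip() for h in (x_forwarded_for or "").split(",")]
    hops = [h for h in hops if h and h != "-"]
    # Read right to left: the rightmost entries were appended by our own
    # hosts; anything further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry, nothing trustworthy to use
        if ip in SSL_TERMINATORS:
            continue  # chained terminator, keep walking left
        return None if is_internal(ip) else (str(ip), "xff")
    return None  # terminator gave no usable client address


if __name__ == "__main__":
    rows = [  # constructed (remote_ip, x_forwarded_for) pairs
        ("10.0.5.1", "198.51.100.23"),          # SSL user via terminator
        ("10.0.7.9", "-"),                      # internal host, excluded
        ("203.0.113.7", "8.8.8.8"),             # direct client, XFF ignored
        ("10.0.5.2", "8.8.8.8, 198.51.100.9"),  # spoofed left-hand entry
        ("10.0.5.1", "10.0.7.9"),               # internal host over SSL
    ]
    for row in rows:
        print(row, "->", effective_client(*row))
```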