Apache is not even configured on port 443. I doubt we want to get an extra SSL cert for a simple redirect domain, but I'm not sure what the rules are for putting the *.wikimedia.org cert on more boxes
That redirect only exists because it used to be an "It works!" Apache site in the past and i thought it was ugly so redirected it to that meta page a long time ago. So it's really just a courtesy thing to get people to docs who try irc.wikimedia.org in their browser.
No, we don't want to put the cert on more boxes. Instead we could ask why there is an Apache on this in the first place and remove it entirely
Sounds fine. I think it'd be nice if we can find a way to serve the redirect from misc-web-lb, but that's probably not feasible.
Having an HTTP response on the hostname is quite important for discoverability. However I think it's fine to leave out for this particular service for now given it's already well-established and in the process of soon being deprecated.
We still need to figure out a solution for this kind of problem for other services, however.
The only way I can think of to get out of having to put a certificate on the box would be to forward traffic on ports 80 and 443 to misc-web-lb, but then varnish wouldn't get the end user IP etc.