These hole-punches in the wikimedia-frontend VCL template are supposed to go away, most likely when the rcstream service is replaced entirely by the newer eventstream service. I noticed we didn't have a task tracking this specific outstanding HTTPS issue, so making one here as a reminder!
@Ottomata - Any high level new info about timetables for deprecating and then removing the RCStream stuff in favor of EventStreams (T130651)? If it looks like it might drag on a while, we might want to go back to the idea of announcing an HTTPS-only transition ahead of the removal, perhaps. The main issue there was that at least some RCStream clients don't seem to follow redirects to HTTPS, and therefore would need manual updates of their configs to use https:// or wss:// or they get broken.
I took a peek at the most recent full day of stats in rcstream's logs, for reference, and found:
Only ~8% of requests use HTTPS
However, ~89% of requesting client IPs use HTTPS
Digging into the non-HTTPS client IPs, the overwhelming majority of them are from various IPs belonging to googleusercontent.com, and most of the rest is a couple of isolated EC2 instances....