Longtime annoyance, really needs to be taken care of soon. :)
- HTTPS proxies on the same IPs as the various front-end HTTP proxies
- Some reasonably sanely priced wildcard SSL certs
Note bug 16822 covers this (or a simpler setup) just for upload.wikimedia.org, so we can "practice" there before fiddling with the main web servers.