The Heartbleed bug was a reminder that permanently inside the address space of the SSL terminator is the private key for that service. It is a high-value target.
In the interests of reducing the attack space against SSL terminators, I suggest keeping them in a separate address space from applications -- either by proxying or by CGI/FastCGI. Obviously for the main site, we are doing that already, but at least for blog.wikimedia.org and ticket.wikimedia.org we are not.
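As an added illustration of the separation being suggested (not configuration from the original post or from Wikimedia), here is an nginx server block that terminates TLS and hands requests to a PHP-FPM process listening on a separate socket, so the private key lives only in the nginx worker processes and never in the application's address space. Hostnames are the two named above; the certificate, key, socket and document-root paths are placeholders.

```nginx
# Added example: TLS terminator in its own process, application behind FastCGI.
# Paths below are placeholders, not the site's real files.
server {
    listen 443 ssl;
    server_name blog.wikimedia.org ticket.wikimedia.org;

    # The key is loaded by nginx workers only. An in-process deployment
    # (e.g. the PHP interpreter embedded in the same server process that
    # does TLS) would put this key and the application in one address space.
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    root /srv/www/placeholder;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Application code runs in php-fpm, a separate set of processes reached
    # over a unix socket; a memory-disclosure bug there cannot reach the key.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/placeholder-fpm.sock;
    }
}
```

The same boundary can be drawn with `proxy_pass` to an application server on a loopback port instead of `fastcgi_pass`; what matters is that the process holding `ssl_certificate_key` and the process running application code are different processes, so that a read-past-buffer bug on either side stays within its own address space.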