Currently, X-Forwarded-For header gets decoded by Varnish's netmapper plugin. The plugin gets its data from the private zero.wikimedia.org wiki, which contains IPs of all Zero partners as well as the trusted proxies, such as Opera Mini.
I think we should move proxy ip lists back to the meta.wikimedia.org as that information should not be private, and it will allow more transparent ip management. (E.g. Opera mini ips are published by Opera and updated with a script).