We use squid as a forward proxy so that all outbound requests leave from the same small set of (whitelisted) IP addresses.
Originally, we chose the proxy to use at deploy time, using an ansible template:
"proxy": "http://{{ hostvars['proxy-' + (["01", "02"] | random())].ansible_default_ipv4.address }}:3128"
This “load balanced” the traffic after a fashion, but each app server was pinned to one proxy for the lifetime of the deploy: if that proxy disappeared, its app servers lost all outbound access, which defeats the main reason for having two of them!
I briefly considered using nginx to pass requests to squid, as it was already installed on the app servers; but quickly realised that wouldn’t work, for the same reason we needed squid in the first place: stock nginx doesn’t support the HTTP CONNECT method that clients use to tunnel TLS through a forward proxy, so it can’t proxy HTTPS traffic.
A bit of research revealed that squid can forward requests to other squid instances configured as parent peers, so each app server can run a local squid with both proxies as parents and let squid pick a live one per request. Taken care of by some more templating, in the squid config this time:
{% if inventory_hostname in groups['app_server'] %}
{% for host in proxy_ips %}
cache_peer {{ host }} parent 3128 0 round-robin
{% endfor %}
never_direct allow all
{% endif %}
Where the list of IPs is a projection from inventory data:
proxy_ips: "{{ groups['proxy_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list }}"
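For reference, here is what the app-server squid.conf looks like once that template has been rendered, with the client-side access controls a local relay needs around it. This is an added example, not the configuration from the post: the addresses 10.0.0.11 and 10.0.0.12, the peer names and the connect-timeout value are assumptions standing in for the two entries of proxy_ips.

```conf
# Rendered squid.conf for an app server (added example, not from the post).
# 10.0.0.11 / 10.0.0.12 stand in for the two entries of proxy_ips.

# Listen on loopback only: this squid exists to relay this host's own
# traffic, so it must not be reachable (or usable as an open proxy) by others.
http_port 127.0.0.1:3128

# Usual client-side restrictions: plain HTTP and CONNECT to 443 only, and
# only from this host ('localhost' is a built-in src ACL).
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

# What the {% for host in proxy_ips %} loop renders: one parent per proxy.
# ICP port 0 plus no-query because the instances don't talk ICP, round-robin
# so consecutive requests alternate between the parents, and a short
# connect-timeout so a dead parent can't stall a request for long before
# squid moves on to the other one.
cache_peer 10.0.0.11 parent 3128 0 round-robin no-query connect-timeout=5 name=proxy-01
cache_peer 10.0.0.12 parent 3128 0 round-robin no-query connect-timeout=5 name=proxy-02

# Never go direct: if every parent is down, fail the request rather than
# sending it from this host's own (non-whitelisted) address.
never_direct allow all

# This instance is a relay, not a cache.
cache deny all
```

`squid -k parse -f /etc/squid/squid.conf` checks the rendered file before a restart, and `squidclient -p 3128 mgr:server_list` on the app server shows each parent and whether squid currently considers it alive or dead; stopping one proxy and running `curl -x http://127.0.0.1:3128 https://example.com/` is the quickest end-to-end failover check. The upstream proxies need the matching restriction on their side: their own http_access rules should only admit the app servers' addresses, otherwise the whitelisted IPs become an open proxy for anyone who can reach port 3128.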