Reading T242602 made me realize that the web-proxies are a SPOF.
As it's not possible to specify more than one proxy URI per client server, and the current FQDNs are only CNAMEs to single servers, a server failure requires a DNS change. https://wikitech.wikimedia.org/wiki/HTTP_proxy
I'm not sure how critical those proxies are, and what level of availability is expected from them, but they look like good candidates for anycast.
It would mean simplified configuration (all hosts use webproxy.anycast.wmnet) and automatic (cross-DC) failover if a node fails, similar to rec-dns.
I haven't looked at the current webproxy Puppet stanzas, but configuration should be straightforward: https://wikitech.wikimedia.org/wiki/Anycast#How_to_deploy_a_new_service?