diff --git a/ansible/deploy-clickhouse-proxy.yml b/ansible/deploy-clickhouse-proxy.yml
index 5101a395..fca8866a 100644
--- a/ansible/deploy-clickhouse-proxy.yml
+++ b/ansible/deploy-clickhouse-proxy.yml
@@ -13,7 +13,7 @@
         tls_cert_dir: /var/lib/dehydrated/certs
     - role: clickhouse_proxy
       vars:
-        clickhouse_url: "clickhouse3.prod.ooni.io"
+        clickhouse_url: "{{'clickhouse1.prod.ooni.io' if inventory_hostname == 'clickhouseproxy.prod.ooni.io' else 'clickhouse3.prod.ooni.io'}}"
         clickhouse_port: 9000
         clickhouse_proxy_public_fqdn: "{{ inventory_hostname }}"
     - role: prometheus_node_exporter
diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
index 0bebba9d..e97ff16b 100644
--- a/ansible/group_vars/clickhouse/vars.yml
+++ b/ansible/group_vars/clickhouse/vars.yml
@@ -15,6 +15,8 @@ nftables_clickhouse_allow:
     ip: 5.9.112.244
   - fqdn: clickhouseproxy.dev.ooni.io
     ip: "{{ lookup('dig', 'clickhouseproxy.dev.ooni.io/A') }}"
+  - fqdn: clickhouseproxy.prod.ooni.io
+    ip: "{{ lookup('dig', 'clickhouseproxy.prod.ooni.io/A') }}"
 
 nftables_zookeeper_allow:
   - fqdn: data1.htz-fsn.prod.ooni.nu
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index d5f4df4d..c734de2e 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -219,6 +219,10 @@ data "aws_ssm_parameter" "oonipg_url" {
   name = "/oonidevops/secrets/ooni-tier0-postgres/postgresql_write_url"
 }
 
+data "aws_ssm_parameter" "clickhouse_readonly_url" {
+  name = "/oonidevops/secrets/clickhouse_readonly_url"
+}
+
 # Manually managed with the AWS console
 data "aws_ssm_parameter" "prometheus_metrics_password" {
   name = "/oonidevops/ooni_services/prometheus_metrics_password"
@@ -561,6 +565,7 @@ module "ooniapi_ooniprobe" {
     POSTGRESQL_URL              = data.aws_ssm_parameter.oonipg_url.arn
     JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
+    CLICKHOUSE_URL              = data.aws_ssm_parameter.clickhouse_readonly_url.arn
   }
 
   ooniapi_service_security_groups = [