diff --git a/README.md b/README.md
index 4e771ef..28f54c8 100644
--- a/README.md
+++ b/README.md
@@ -216,6 +216,14 @@ proxies][other-proxy].
 [haproxy-proxy]: https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html#haproxy-configuration
 [other-proxy]: https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html#other-proxies
+**Outgoing proxy**: Zulip uses [Smokescreen][smokescreen] to proxy all
+outgoing HTTP connections and prevent SSRF attacks. If you have
+private IPs (e.g., outgoing webhook hosts on private IPs), you can set
+`PROXY_ALLOW_ADDRESSES` or `PROXY_ALLOW_RANGES` to comma-separated
+lists of IP addresses or CIDR ranges.
+
+[smokescreen]: https://zulip.readthedocs.io/en/latest/production/deployment.html#customizing-the-outgoing-http-proxy
+
 ### Manual configuration
 The way the environment variables configuration process described in
diff --git a/entrypoint.sh b/entrypoint.sh
index d5c907e..cb2eb98 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -146,6 +146,15 @@ puppetConfiguration() {
 crudini --set /etc/zulip/zulip.conf loadbalancer ips "${LOADBALANCER_IPS}"
 fi
+ if [ -n "$PROXY_ALLOW_ADDRESSES" ]; then
+ echo "Setting outgoing proxy allowed private IPs"
+ crudini --set /etc/zulip/zulip.conf http_proxy allow_addresses "${PROXY_ALLOW_ADDRESSES}"
+ fi
+ if [ -n "$PROXY_ALLOW_RANGES" ]; then
+ echo "Setting outgoing proxy allowed private IP ranges"
+ crudini --set /etc/zulip/zulip.conf http_proxy allow_ranges "${PROXY_ALLOW_RANGES}"
+ fi
+
 /home/zulip/deployments/current/scripts/zulip-puppet-apply -f
 }
 configureCerts() {
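Review bot: The two new `if [ -n ... ]` blocks in `puppetConfiguration()` only ever add the `http_proxy` `allow_addresses` / `allow_ranges` keys, so an exemption from the outgoing proxy's private-address blocking is not withdrawn when the variable is later unset. If `/etc/zulip/zulip.conf` persists across container restarts (not visible in this hunk), the old allow-list stays in force silently; consider an `else` branch such as `crudini --del /etc/zulip/zulip.conf http_proxy allow_addresses` (and the same for `allow_ranges`), unless hand-edited values are meant to survive. The values are also written without any format check and the `echo` lines do not print them, so an over-broad range is hard to spot in the startup log; including `${PROXY_ALLOW_RANGES}` (and `${PROXY_ALLOW_ADDRESSES}`) in the messages would let an operator audit what was exempted. `puppetConfiguration()` begins above this hunk, so whether the config file is regenerated earlier in the function cannot be seen here.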