entrypoint: Add PROXY_ALLOW_* settings for setting outgoing proxy rules.

README.md

@@ -216,6 +216,14 @@ proxies][other-proxy].
 [haproxy-proxy]: https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html#haproxy-configuration
 [other-proxy]: https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html#other-proxies
 
+**Outgoing proxy**: Zulip uses [Smokescreen][smokescreen] to proxy all
+outgoing HTTP connections and prevent SSRF attacks.  If you have
+private IPs (e.g., outgoing webhook hosts on private IPs), you can set
+`PROXY_ALLOW_ADDRESSES` or `PROXY_ALLOW_RANGES` to comma-separated
+lists of IP addresses or CIDR ranges.
+
+[smokescreen]: https://zulip.readthedocs.io/en/latest/production/deployment.html#customizing-the-outgoing-http-proxy
+
 ### Manual configuration
 
 The way the environment variables configuration process described in

entrypoint.sh

@@ -146,6 +146,15 @@ puppetConfiguration() {
         crudini --set /etc/zulip/zulip.conf loadbalancer ips "${LOADBALANCER_IPS}"
     fi
 
+    if [ -n "$PROXY_ALLOW_ADDRESSES" ]; then
+        echo "Setting outgoing proxy allowed private IPs"
+        crudini --set /etc/zulip/zulip.conf http_proxy allow_addresses "${PROXY_ALLOW_ADDRESSES}"
+    fi
+    if [ -n "$PROXY_ALLOW_RANGES" ]; then
+        echo "Setting outgoing proxy allowed private IP ranges"
+        crudini --set /etc/zulip/zulip.conf http_proxy allow_ranges "${PROXY_ALLOW_RANGES}"
+    fi
+
     /home/zulip/deployments/current/scripts/zulip-puppet-apply -f
 }
 configureCerts() {