entrypoint: Add PROXY_ALLOW_* settings for setting outgoing proxy rules.

2025-10-23 04:51:58 +00:00 · 2025-09-18 19:17:47 +00:00
parent d3aee4a418
commit e49a16829d
2 changed files with 17 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -216,6 +216,14 @@ proxies][other-proxy].
 [haproxy-proxy]: https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html#haproxy-configuration
 [other-proxy]: https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html#other-proxies

+**Outgoing proxy**: Zulip uses [Smokescreen][smokescreen] to proxy all
+outgoing HTTP connections and prevent SSRF attacks.  If you have
+private IPs (e.g., outgoing webhook hosts on private IPs), you can set
+`PROXY_ALLOW_ADDRESSES` or `PROXY_ALLOW_RANGES` to comma-separated
+lists of IP addresses or CIDR ranges.
+
+[smokescreen]: https://zulip.readthedocs.io/en/latest/production/deployment.html#customizing-the-outgoing-http-proxy
+
 ### Manual configuration

 The way the environment variables configuration process described in
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -146,6 +146,15 @@ puppetConfiguration() {
        crudini --set /etc/zulip/zulip.conf loadbalancer ips "${LOADBALANCER_IPS}"
    fi

+    if [ -n "$PROXY_ALLOW_ADDRESSES" ]; then
+        echo "Setting outgoing proxy allowed private IPs"
+        crudini --set /etc/zulip/zulip.conf http_proxy allow_addresses "${PROXY_ALLOW_ADDRESSES}"
+    fi
+    if [ -n "$PROXY_ALLOW_RANGES" ]; then
+        echo "Setting outgoing proxy allowed private IP ranges"
+        crudini --set /etc/zulip/zulip.conf http_proxy allow_ranges "${PROXY_ALLOW_RANGES}"
+    fi
+
    /home/zulip/deployments/current/scripts/zulip-puppet-apply -f
 }
 configureCerts() {