diff --git a/docs/production/deployment.md b/docs/production/deployment.md index 2fd76347a7..a46a2ab2ac 100644 --- a/docs/production/deployment.md +++ b/docs/production/deployment.md @@ -672,3 +672,10 @@ Defaults to `4750` if unspecified. The IP address that Smokescreen should bind to and listen on. Defaults to `127.0.0.1`. + +#### `enable_for_camo` + +Because Camo includes logic to deny access to private subnets, routing +its requests through Smokescreen is generally not necessary. Set to +'true' or 'false' to override the default, which uses the proxy only if +it is not the default of Smokescreen on a local host. diff --git a/puppet/zulip/manifests/camo.pp b/puppet/zulip/manifests/camo.pp index e6335057aa..39d39edd23 100644 --- a/puppet/zulip/manifests/camo.pp +++ b/puppet/zulip/manifests/camo.pp @@ -18,6 +18,29 @@ class zulip::camo (String $listen_address = '0.0.0.0') { bin => 'bin/go-camo', } + # We would like to not waste resources by going through Smokescreen, + # as go-camo already prohibits private-IP access; but a + # non-Smokescreen exit proxy may be required to access the public + # Internet. The `enable_for_camo` flag, if it exists, can override + # our guess, in either direction. + $proxy_host = zulipconf('http_proxy', 'host', 'localhost') + $proxy_port = zulipconf('http_proxy', 'port', '4750') + $proxy_is_smokescreen = ($proxy_host in ['localhost', '127.0.0.1', '::1']) and ($proxy_port == '4750') + $camo_use_proxy = zulipconf('http_proxy', 'enable_for_camo', !$proxy_is_smokescreen) + if $camo_use_proxy { + if $proxy_is_smokescreen { + include zulip::smokescreen + } + + if $proxy_host != '' and $proxy_port != '' { + $proxy = "http://${proxy_host}:${proxy_port}" + } else { + $proxy = '' + } + } else { + $proxy = '' + } + file { "${zulip::common::supervisor_conf_dir}/go-camo.conf": ensure => file, require => [ 
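Review bot: The `if $camo_use_proxy {` test may not honour an explicit `enable_for_camo = false` in the config file: the docs hunk says the key takes the strings 'true' or 'false', and in Puppet 4+ every string, 'false' included, is truthy, so unless `zulipconf` (not shown in this diff) converts its result to a Boolean, only the absent-key default `!$proxy_is_smokescreen` is ever a real Boolean and the override works in one direction only. Comparing the configured value as a string removes the dependency on that conversion, e.g. `$enable_for_camo = zulipconf('http_proxy', 'enable_for_camo', '')` followed by `$camo_use_proxy = $enable_for_camo ? { '' => !$proxy_is_smokescreen, 'true' => true, default => false }`. The same Boolean-vs-string mismatch is what makes the default argument on the `$camo_use_proxy` line inconsistent with the string defaults on the `$proxy_host` and `$proxy_port` lines just above it. The enclosing `class zulip::camo` starts and ends outside this hunk.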
diff --git a/puppet/zulip/templates/supervisor/go-camo.conf.erb b/puppet/zulip/templates/supervisor/go-camo.conf.erb
index 3a546258da..237ebac955 100644
--- a/puppet/zulip/templates/supervisor/go-camo.conf.erb
+++ b/puppet/zulip/templates/supervisor/go-camo.conf.erb
@@ -1,5 +1,6 @@
 [program:go-camo]
 command=/usr/local/bin/secret-env-wrapper GOCAMO_HMAC=camo_key <%= @bin %> --listen=<%= @listen_address %>:9292 -H "Strict-Transport-Security: max-age=15768000" -H "X-Frame-Options: DENY" --verbose
+environment=HTTP_PROXY="<%= @proxy %>",HTTPS_PROXY="<%= @proxy %>"
 priority=15
 autostart=true
 autorestart=true
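Review bot: The new `environment=` line interpolates `@proxy` inside double quotes with no escaping, and supervisor reads this setting as a list of quoted KEY="value" pairs, so a configured proxy host containing a double quote would terminate the value early and leave a malformed program section (go-camo failing to start) rather than a proxy error. Since `@proxy` is assembled in camo.pp from the configured host and port, the simplest guard is an anchored validation of `$proxy_host` there before it reaches the template, or at least a comment above this line stating that the value is expected to be a bare `http://host:port` string. A comment is also worth adding for the empty case, e.g. `# An empty value is deliberate: Go's proxy-from-environment lookup treats HTTP_PROXY="" as unset`, assuming go-camo relies on the standard library's proxy resolution, which this diff does not show.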