puppet: Set proxy environment variables.

These are respected by `urllib`, and thus also `requests`.  We set
`HTTP_proxy`, not `HTTP_PROXY`, because the latter is ignored in
situations which might be running under CGI -- in such cases it may be
coming from the `Proxy:` header in the request.

docs/production/deployment.md

@@ -183,6 +183,32 @@ behind reverse proxies.
 
 [using-http]: ../production/deployment.html#configuring-zulip-to-allow-http
 
+## Using an outgoing HTTP proxy
+
+Zulip supports routing all of its outgoing HTTP and HTTPS traffic
+through an HTTP `CONNECT` proxy, such as [smokescreen][smokescreen];
+this includes outgoing webhooks, image and website previews, and
+mobile push notifications.  You may wish to enable this feature to
+provide a consistent egress point, or enforce access control on URLs.
+
+To enable an outgoing HTTP proxy:
+
+1. Add the following block to `/etc/zulip/zulip.conf`, substituting in
+   your proxy's hostname/IP and port:
+
+    ```
+    [http_proxy]
+    host = 192.168.0.1
+    port = 4750
+    ```
+
+1. As root, run
+   `/home/zulip/deployments/current/scripts/zulip-puppet-apply`.  This
+   will reconfigure services to use the outgoing proxy, and restart
+   Zulip.
+
+[smokescreen]: https://github.com/stripe/smokescreen
+
 ## Putting the Zulip application behind a reverse proxy
 
 Zulip is designed to support being run behind a reverse proxy server.
@@ -560,3 +586,16 @@ configured to consume; defaults to 1/8th of the total server memory.
 
 Comma-separated list of IP addresses or netmasks of external
 load balancers whose `X-Forwarded-For` should be respected.
+
+
+
+### `[http_proxy]`
+
+#### `host`
+
+The hostname or IP address of an [outgoing HTTP `CONNECT`
+proxy](#using-an-outgoing-http-proxy).
+
+#### `port`
+
+The TCP port of the HTTP `CONNECT` proxy on the host specified above.

docs/production/mobile-push-notifications.md

@@ -11,12 +11,19 @@ will need to register your Zulip server with the Zulip mobile push
 notification service.  This service will forward push notifications
 generated by your server to the Zulip mobile app automatically.
 
+
+
 ## How to sign up
 
 Starting with Zulip 1.6 for both Android and iOS, Zulip servers
 support forwarding push notifications to a central push notification
-forwarding service.  You can enable this for your Zulip server as
-follows:
+forwarding service.  Accessing this service requires outgoing HTTPS
+access to the public Internet; if that is restricted by a proxy, you
+will need to [configure Zulip to use your outgoing HTTP
+proxy](../production/deployment.html#using-an-outgoing-http-proxy)
+first.
+
+You can enable this for your Zulip server as follows:
 
 1. Uncomment the `PUSH_NOTIFICATION_BOUNCER_URL =
    'https://push.zulipchat.com'` line in your `/etc/zulip/settings.py`

docs/production/requirements.md

@@ -77,9 +77,12 @@ on hardware requirements for larger organizations.
 * Incoming port 25 if you plan to enable Zulip's [incoming email
   integration](../production/email-gateway.md).
 * Outgoing HTTP(S) access (ports 80 and 443) to the public Internet so
-  that Zulip can properly manage image previews and embeds.  Outgoing
-  Internet access is not required if you [disable those
-  features](https://zulip.com/help/allow-image-link-previews).
+  that Zulip can properly manage image and website previews and mobile
+  push notifications.  Outgoing Internet access is not required if you
+  [disable those
+  features](https://zulip.com/help/allow-image-link-previews), or
+  configure an [existing outgoing HTTP
+  proxy](../production/deployment.html#using-an-outgoing-http-proxy).
 * Outgoing SMTP access (usually port 587) to your [SMTP
   server](../production/email.md) so that Zulip can send emails.
 * A domain name (e.g. `zulip.example.com`) that your users will use to