diff --git a/pkg/smokescreen/acl/v1/acl.go b/pkg/smokescreen/acl/v1/acl.go
index 3ad31937..f5bf3a4a 100644
--- a/pkg/smokescreen/acl/v1/acl.go
+++ b/pkg/smokescreen/acl/v1/acl.go
@@ -40,6 +40,7 @@ func New(logger *logrus.Logger, loader Loader, disabledActions []string) (*ACL,
 	if err != nil {
 		return nil, err
 	}
+
 	err = acl.DisablePolicies(disabledActions)
 	if err != nil {
 		return nil, err
diff --git a/pkg/smokescreen/smokescreen.go b/pkg/smokescreen/smokescreen.go
index a7f24be6..9a42788a 100644
--- a/pkg/smokescreen/smokescreen.go
+++ b/pkg/smokescreen/smokescreen.go
@@ -937,10 +937,9 @@ func checkACLsForRequest(config *Config, req *http.Request, destination hostport
 	// a _subsequent_ proxy to use for the CONNECT request. This is used to allow traffic
 	// flow as in: client -(TLS)-> smokescreen -(TLS)-> external proxy -(TLS)-> destination.
 	// Without this header, there's no way for the client to specify a subsequent proxy.
-	var connectProxyHost string
-	if connectProxyHostSlice := req.Header.Get("X-Upstream-Https-Proxy"); len(connectProxyHostSlice) > 0 {
-		connectProxyHost = string(connectProxyHostSlice[0])
-	}
+	// Also note - Get returns the first value for a given header, or the empty string,
+	// which is the behavior we want here.
+	connectProxyHost := req.Header.Get("X-Upstream-Https-Proxy")
 	ACLDecision, err := config.EgressACL.Decide(role, destination.Host, connectProxyHost)
 	decision.project = ACLDecision.Project
diff --git a/pkg/smokescreen/testdata/acl.yaml b/pkg/smokescreen/testdata/acl.yaml
index e08379f3..ad4df89c 100644
--- a/pkg/smokescreen/testdata/acl.yaml
+++ b/pkg/smokescreen/testdata/acl.yaml
@@ -22,6 +22,7 @@ services:
       - 127.0.0.1
     allowed_external_proxies:
       - myproxy.com
+      - otherproxy.org
 - name: test-external-connect-proxy-allowed-srv
   project: security
   action: enforce
@@ -29,6 +30,7 @@ services:
       - 127.0.0.1
     allowed_external_proxies:
       - localhost
+      - thisisaproxy.com
 global_deny_list:
   - stripe.com
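Review bot: The new `connectProxyHost := req.Header.Get("X-Upstream-Https-Proxy")` line hands the ACL only the first value of a header a client may send more than once, so the value the ACL checks and the value later used to reach the upstream proxy can diverge if the dialing code reads that header differently (that code is outside this hunk, so this is inferred rather than observed). Because this value is matched against `allowed_external_proxies`, it is safer to treat a repeated header as malformed and deny rather than silently pick one: `if len(req.Header.Values("X-Upstream-Https-Proxy")) > 1 { /* deny: ambiguous upstream proxy header */ }` ahead of the `Decide` call, with the denial path following whatever `decision` shape the rest of the function uses. The new comment could also state that the value reaches `Decide` untrimmed and in its original case, so the allow-list match is whatever normalization `Decide` applies — worth confirming that matches the normalization used when the proxy is actually dialed. `checkACLsForRequest` begins and ends outside this hunk.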