diff --git a/ci-operator/step-registry/hypershift/agent/create/config-dns/hypershift-agent-create-config-dns-commands.sh b/ci-operator/step-registry/hypershift/agent/create/config-dns/hypershift-agent-create-config-dns-commands.sh index cb23d29b82795..42de9892761b1 100644 --- a/ci-operator/step-registry/hypershift/agent/create/config-dns/hypershift-agent-create-config-dns-commands.sh +++ b/ci-operator/step-registry/hypershift/agent/create/config-dns/hypershift-agent-create-config-dns-commands.sh @@ -24,6 +24,10 @@ HOSTEDCLUSTER_NAME="${2}" WORKER_IP=$(oc get node -lnode-role.kubernetes.io/worker="" -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}') BASEDOMAIN=$(oc get dns/cluster -ojsonpath="{.spec.baseDomain}") +# The .apps wildcard DNS entries point to the MetalLB ingress IPs configured in +# the hypershift-agent-create-metallb step: 192.168.111.30 (IPv4) and +# fd2e:6f44:5dd8:c956::1e (IPv6). These are from the dev-scripts default +# external network (192.168.111.0/24, fd2e:6f44:5dd8:c956::/120). if [[ $IP_STACK == "v4v6" ]]; then IFS=' ' read -ra parts <<< "$WORKER_IP" WORKER_IP0="${parts[0]}" diff --git a/ci-operator/step-registry/hypershift/agent/create/proxy/hypershift-agent-create-proxy-commands.sh b/ci-operator/step-registry/hypershift/agent/create/proxy/hypershift-agent-create-proxy-commands.sh index d9c20e87b6d99..eda6105f8ec54 100644 --- a/ci-operator/step-registry/hypershift/agent/create/proxy/hypershift-agent-create-proxy-commands.sh +++ b/ci-operator/step-registry/hypershift/agent/create/proxy/hypershift-agent-create-proxy-commands.sh 
@@ -11,11 +11,19 @@ source "${SHARED_DIR}/packet-conf.sh" && scp "${SSHOPTS[@]}" "${SHARED_DIR}/nest ssh "${SSHOPTS[@]}" "root@${IP}" bash - << 'EOF' |& sed -e 's/.*auths.*/*** PULL_SECRET ***/g' set -x -API_SERVER=$(cat nested_kubeconfig | yq -r ".clusters[0].cluster.server" | sed 's|^http[s]*://||' | sed 's|:[0-9]*$||') +API_URL=$(yq -r ".clusters[0].cluster.server" nested_kubeconfig) +API_SERVER=$(echo "$API_URL" | sed 's|^http[s]*://||' | sed 's|:[0-9]*$||') +API_PORT=$(echo "$API_URL" | sed 's|^http[s]*://||' | grep -o ':[0-9]*$' | tr -d ':') + if [[ ! $API_SERVER =~ \[ && ! $API_SERVER =~ \] && ! $API_SERVER =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then API_SERVER=".${API_SERVER}" fi sed -i "1 s|$| $API_SERVER|" $HOME/squid.conf + +# Add the API server port to allowed_ssl_ports if it is not already listed +if [[ -n "$API_PORT" ]] && ! grep -q "acl allowed_ssl_ports port.*\b${API_PORT}\b" $HOME/squid.conf; then + sed -i "s|^acl allowed_ssl_ports port.*|& $API_PORT|" $HOME/squid.conf +fi cat $HOME/squid.conf sudo setenforce 0
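Review bot: The guard and the edit in the new `allowed_ssl_ports` block do not look at the same lines: the `grep -q` pattern is unanchored, so a commented-out or otherwise prefixed `acl allowed_ssl_ports port` line that names the port satisfies it, and the `sed`, which is anchored with `^acl`, never runs. Anchor the check the same way: `grep -q "^acl allowed_ssl_ports port.*\b${API_PORT}\b" $HOME/squid.conf`. The `sed -i` also succeeds silently when no such `acl` line exists, so I would re-run the anchored grep after the edit and fail the step if the port is still missing, rather than finding out later through denied CONNECT requests. The value comes straight from `nested_kubeconfig` and widens a port ACL that is presumably not tied to the API host, so a comment saying so, and ideally a 1–65535 range check on `API_PORT`, would help whoever audits this proxy config. The heredoc that contains these lines ends outside the hunk.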