If you use a proxy, then all traffic out via the proxy should be internet facing and the proxy should not, by design, have any access to internal network services.

So if you use curl for an internal service which is not on the internet then it must not use the proxy. There are a couple places which mostly work because they pass in 'ignoresecurity', but I think all of these places should also pass proxy => false

admin/tool/opcache/cli/check_opcache.php:78:$curl = new curl(array('ignoresecurity' => true)); // The ignoresecurity option means that $CFG->curlsecurityblocked
admin/tool/opcache/cli/check_opcache.php-79- // ignored by purpose. Otherwise, $CFG->curlsecurityblockedhosts might prevent
admin/tool/opcache/cli/check_opcache.php-80- // that the web part of this CLI tool is fetched.

lib/mlbackend/python/classes/processor.php:164: $curl = new \curl(['ignoresecurity' => true]);

lib/mlbackend/python/classes/processor.php:635: $curl = new \curl(['ignoresecurity' => true]);

search/engine/solr/classes/engine.php:1400: $this->curl = new \curl(['ignoresecurity' => true]);