As a challange i tried to make a patch for every variant of internal server side request forgery.
The ssrf.php version is based on fopen and ssrf-with-curl.php is based on curl_init().
it's protected again's:
every internal ip in url. ( as well octal/hexdeminal/binery encoded )
location header redirect to internal ip's.
internal ip returned using dns.
2 ip's on one domain using dns.