Deeply Confusing Issue: PHP-FPM (www-data) Cannot Make Outbound cURL Requests, but the www-data user
Hello, I'm hoping for some expert help with a bizarre Cloudflare Tunnel issue I've been stuck on for days.
The Problem:
My server is behind CGNAT, using a cloudflared tunnel. Any web app (PHP-FPM) that makes an outbound cURL POST request (like for Spotify OAuth) hangs and causes a 522 timeout.
The Mystery:
This problem only happens within the php-fpm.service. I have proven the server and user have perfect network access otherwise:
curl from the terminal (as my user OR www-data) works instantly.
A simple PHP curl GET request from the web server also works instantly.
What I've Ruled Out:
I have confirmed this is NOT a problem with:
DNS / Server Networking
Missing php-curl module
ufw firewall (outgoing is allowed, no blocks in log)
systemd sandboxing (checked systemctl show, no PrivateNetwork or other restrictive policies are active)
My Theory:
After ruling out everything on my server, the only remaining possibility is a network-layer issue. I suspect an interaction between my ISP's CGNAT and a Cloudflare security feature is silently dropping the outbound POST request from my PHP service, but not from the command line.
Has anyone ever seen this specific behavior with Tunnels on a CGNAT connection? I am completely stuck and would be grateful for any ideas, no matter how obscure.
I am happy to provide any logs, configs, or other details needed. Thank you!
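A diagnostic that narrows down where an outbound request stalls, added here as an example and not code from the original post. It runs the same GET and POST once from the CLI (as www-data) and once through PHP-FPM, bounds each phase with timeouts so a stall cannot hit the Cloudflare 522 limit, and reports libcurl's per-phase timings plus the PHP settings and environment that commonly differ between the cli and fpm SAPIs (php.ini values, proxy variables, which PHP-FPM drops by default when clear_env is on, and the resolved address family). TARGET_URL is a placeholder, and the function names are assumptions; PHP 7.4 or later with ext-curl is assumed.

```php
<?php
// Added diagnostic (not the poster's code). Assumes PHP >= 7.4 with ext-curl.
// Run once as `sudo -u www-data php fpm-curl-diag.php` and once through the
// web server, then diff the two outputs field by field.
declare(strict_types=1);

// Placeholder endpoint (assumption): replace with the real OAuth token URL.
const TARGET_URL = 'https://example.invalid/api/token';

/**
 * Issue one bounded request and return libcurl's phase timings.
 * $suppressExpect drops the "Expect: 100-continue" header libcurl adds to
 * larger POST bodies; run with both true and false to see if that matters.
 */
function probe(string $method, string $url, array $fields = [], bool $suppressExpect = false): array
{
    $verbose = fopen('php://temp', 'w+');
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,   // bounds DNS + TCP + TLS handshake
        CURLOPT_TIMEOUT        => 15,  // bounds the whole transfer
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $verbose,
    ];
    if ($suppressExpect) {
        $opts[CURLOPT_HTTPHEADER] = ['Expect:'];
    }
    if ($method === 'POST') {
        $opts[CURLOPT_POST]       = true;
        $opts[CURLOPT_POSTFIELDS] = http_build_query($fields);
    }
    curl_setopt_array($ch, $opts);
    curl_exec($ch);
    $info  = curl_getinfo($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);
    rewind($verbose);
    $log = stream_get_contents($verbose);
    fclose($verbose);

    // Reading the timings: namelookup -> connect -> appconnect (TLS) ->
    // pretransfer (request sent) -> starttransfer (first response byte).
    // The first phase that stays near the timeout is where the stall is.
    return [
        'method'          => $method,
        'suppress_expect' => $suppressExpect,
        'errno'           => $errno,
        'error'           => $error,
        'http_code'       => $info['http_code'],
        'primary_ip'      => $info['primary_ip'],   // v4 vs v6 is a common CLI/FPM difference
        'namelookup_s'    => $info['namelookup_time'],
        'connect_s'       => $info['connect_time'],
        'appconnect_s'    => $info['appconnect_time'],
        'pretransfer_s'   => $info['pretransfer_time'],
        'starttransfer_s' => $info['starttransfer_time'],
        'total_s'         => $info['total_time'],
        'verbose'         => $log,
    ];
}

/** Settings and environment that regularly differ between php-cli and php-fpm. */
function environmentSummary(): array
{
    return [
        'sapi'               => PHP_SAPI,
        'euid'               => function_exists('posix_geteuid') ? posix_geteuid() : 'n/a',
        'curl_version'       => curl_version()['version'],
        'curl.cainfo'        => ini_get('curl.cainfo'),
        'openssl.cafile'     => ini_get('openssl.cafile'),
        'disable_functions'  => ini_get('disable_functions'),
        'open_basedir'       => ini_get('open_basedir'),
        'max_execution_time' => ini_get('max_execution_time'),
        'proxy_env'          => array_filter([
            'http_proxy'  => getenv('http_proxy'),
            'https_proxy' => getenv('https_proxy'),
            'no_proxy'    => getenv('no_proxy'),
        ]),
    ];
}

header('Content-Type: text/plain'); // ignored on the CLI
print_r(environmentSummary());
print_r(probe('GET', TARGET_URL));
print_r(probe('POST', TARGET_URL, ['grant_type' => 'client_credentials']));
print_r(probe('POST', TARGET_URL, ['grant_type' => 'client_credentials'], true));
```

If the CLI run completes and the FPM run shows connect_s or appconnect_s near the 5 s bound, the pool cannot reach or handshake with the host from its own context; if pretransfer_s is filled but starttransfer_s sits at the 15 s bound, the request left the box and no response came back, which is the one case that points beyond the server. Differences in primary_ip, proxy_env or the ini values between the two outputs are worth resolving before looking at the network path.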
