Implement proxy header injection, hop-by-hop removal, and request forwarding

- Add ProxyError enum with IntoResponse for error handling (400, 404, 502, 504)
- Implement proxy header injection: X-Real-IP, X-Forwarded-For (replaced, not appended), X-Forwarded-Proto
- Implement hop-by-hop header removal for both request and response headers
- Implement request forwarding via shared hyper::Client with HTTP and HTTPS support
- Add ProxyState with http_client and https_client instances shared via axum State
- Add per-site timeout overrides using tokio::time::timeout
- Add HTTPS upstream support with system native TLS root certificates
- No Server or Via headers added to responses
- Host header preserved as-is
- Add unit tests for header injection, hop-by-hop removal, and URI building
- Add integration tests for proxy forwarding, hop-by-hop removal, and 502 on unreachable upstream
2026-06-11 13:18:56 +00:00
parent 2791070971
commit b9126a96f4
7 changed files with 647 additions and 150 deletions

@@ -16,6 +16,10 @@ path = "src/main.rs"
axum = "=0.8.9"
tokio = { version = "=1.45.1", features = ["full"] }
hyper = "=1.6.0"
hyper-util = { version = "=0.1.17", features = ["client-legacy", "http1", "http2", "tokio"] }
http-body-util = "=0.1.3"
hyper-rustls = { version = "=0.27.9", features = ["http1", "http2"] }
rustls-native-certs = "=0.8.1"
tower = "=0.5.2"
rustls = { version = "=0.23.28", features = ["aws_lc_rs"] }
tokio-rustls = "=0.26.2"
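Review bot: On the `hyper-rustls` line, `features = ["http1", "http2"]` is given without `default-features = false`, so the crate's default feature set stays enabled on top of what is listed, and the TLS provider and root-store behaviour of the upstream HTTPS client are decided partly by those defaults rather than by this manifest. Since `rustls` is already declared with `aws_lc_rs` and `rustls-native-certs` is added as a direct dependency, consider setting `default-features = false` and listing every feature the proxy relies on, so the upstream trust configuration is readable in one place and does not shift when the pin is next bumped. It would also help to state in a comment whether `rustls-native-certs` is used to build the root store by hand; if it is not called directly, the line can be dropped.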
@@ -37,4 +41,4 @@ dashmap = "=6.1"
[dev-dependencies]
rcgen = "=0.13"
reqwest = { version = "=0.12", features = ["json"] }
tempfile = "=3.20"
tempfile = "=3.20"
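Review bot: The last two lines of this hunk carry the same `tempfile = "=3.20"` text, and with the `-37,4 +41,4` counts that means the line was removed and re-added with no visible difference, most likely a newline-at-end-of-file change. It is harmless but unrelated to the proxy work, so either leave it out of this commit or mention it in the message. While here, `rcgen = "=0.13"`, `reqwest = "=0.12"` and `tempfile = "=3.20"` give only major.minor, unlike the full patch-level pins in the main dependency table; in Cargo a partial `=` requirement still matches any patch release in that minor series, so if exact pinning is the policy these need the patch component added.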