Add reverse proxy header security and forwarding

- Rewrite Host header to backend target (configurable via pass_host_header per mapping)
- Strip and set X-Forwarded-For/X-Real-IP from direct connection (trust boundary)
- Set X-Forwarded-Host and X-Forwarded-Proto headers
- Strip nb_session cookie and session_token query param before forwarding
- Add --forwarded-proto flag (auto/http/https) for proto detection
- Fix OIDC redirect hardcoded https scheme
- Add pass_host_header to proto, API, and management model

proxy/auth/auth.go

@@ -4,6 +4,7 @@ package auth
 
 import (
 	"crypto/ed25519"
+	"crypto/tls"
 	"fmt"
 	"time"
 
@@ -28,6 +29,21 @@ const (
 	SessionJWTIssuer     = "netbird-management"
 )
 
+// ResolveProto determines the protocol scheme based on the forwarded proto
+// configuration. When set to "http" or "https" the value is used directly.
+// Otherwise TLS state is used: if conn is non-nil "https" is returned, else "http".
+func ResolveProto(forwardedProto string, conn *tls.ConnectionState) string {
+	switch forwardedProto {
+	case "http", "https":
+		return forwardedProto
+	default:
+		if conn != nil {
+			return "https"
+		}
+		return "http"
+	}
+}
+
 // ValidateSessionJWT validates a session JWT and returns the user ID and method.
 func ValidateSessionJWT(tokenString, domain string, publicKey ed25519.PublicKey) (userID, method string, err error) {
 	if publicKey == nil {