Add reverse proxy header security and forwarding

- Rewrite Host header to backend target (configurable via pass_host_header per mapping)
- Strip and set X-Forwarded-For/X-Real-IP from direct connection (trust boundary)
- Set X-Forwarded-Host and X-Forwarded-Proto headers
- Strip nb_session cookie and session_token query param before forwarding
- Add --forwarded-proto flag (auto/http/https) for proto detection
- Fix OIDC redirect hardcoded https scheme
- Add pass_host_header to proto, API, and management model

proxy/internal/auth/oidc.go

@@ -16,16 +16,19 @@ type urlGenerator interface {
 }
 
 type OIDC struct {
-	id, accountId string
-	client        urlGenerator
+	id             string
+	accountId      string
+	forwardedProto string
+	client         urlGenerator
 }
 
 // NewOIDC creates a new OIDC authentication scheme
-func NewOIDC(client urlGenerator, id, accountId string) OIDC {
+func NewOIDC(client urlGenerator, id, accountId, forwardedProto string) OIDC {
 	return OIDC{
-		id:        id,
-		accountId: accountId,
-		client:    client,
+		id:             id,
+		accountId:      accountId,
+		forwardedProto: forwardedProto,
+		client:         client,
 	}
 }
 
@@ -42,7 +45,7 @@ func (o OIDC) Authenticate(r *http.Request) (string, string) {
 	}
 
 	redirectURL := &url.URL{
-		Scheme: "https",
+		Scheme: auth.ResolveProto(o.forwardedProto, r.TLS),
 		Host:   r.Host,
 		Path:   r.URL.Path,
 	}