feat: add mask_proxy_protocol option for PROXY protocol to mask_host

Adds mask_proxy_protocol config option (0 = off, 1 = v1 text, 2 = v2 binary)
that sends a PROXY protocol header when connecting to mask_host. This lets
the backend see the real client IP address.

Particularly useful when the masking site (nginx/HAProxy) runs on the same
host as telemt and listens on a local port — without this, the backend loses
the original client IP entirely.

PROXY protocol header is also sent during TLS emulation fetches so that
backends with proxy_protocol required don't reject the connection.
ivulit
2026-02-26 13:36:33 +03:00
parent 7ead0cd753
commit da684b11fe
7 changed files with 83 additions and 19 deletions
+3
@@ -474,6 +474,7 @@ async fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
&domain,
Duration::from_secs(5),
Some(upstream_manager.clone()),
config.censorship.mask_proxy_protocol,
)
.await
{
@@ -486,6 +487,7 @@ async fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
let cache_clone = cache.clone();
let domains = tls_domains.clone();
let upstream_for_task = upstream_manager.clone();
let proxy_protocol = config.censorship.mask_proxy_protocol;
tokio::spawn(async move {
loop {
let base_secs = rand::rng().random_range(4 * 3600..=6 * 3600);
@@ -498,6 +500,7 @@ async fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
domain,
Duration::from_secs(5),
Some(upstream_for_task.clone()),
proxy_protocol,
)
.await
{
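Review bot: The single `config.censorship.mask_proxy_protocol` value is handed to the TLS-emulation fetch for every entry in `tls_domains`, both in the startup call (first hunk) and in the refresh task (second and third hunks). Any domain in that list that is not the PROXY-aware mask backend would presumably be sent a header it does not expect, and with mode 1 that header is plaintext ahead of the TLS handshake. These fetches have no client connection behind them, and the hunks do not show which source address ends up in the header, so that deserves a line of documentation at `let proxy_protocol = ...`, for example `// Sent on every tls_domains fetch; each target must accept PROXY protocol (0 = off, 1 = v1, 2 = v2).` The mode also travels as a bare integer, so unless the callee already rejects values other than 0, 1 and 2 (not visible here), validating it once at config load would keep an unknown value from silently selecting a mode. `main`'s body starts and ends outside these hunks.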