Feat: optional proxy client authentication and rule-level scoping by proxy login and client source CIDR#184

Open
roman-shpp wants to merge 4 commits into
ironsh:mainfrom
roman-shpp:feat/proxy-auth-rule-filters
Conversation

roman-shpp commented Jun 9, 2026

What

Adds optional proxy client authentication and rule-level scoping by proxy login and client source CIDR.

proxy:
  tunnel_listen: ":8080"
  auth:
    required: true
    users:
      - login: "ci"
        password_env: "IRON_PROXY_CI_PASSWORD"
      - login: "dev"
        password_env: "IRON_PROXY_DEV_PASSWORD"

transforms:
  - name: allowlist
    config:
      rules:
        - host: "api.openai.com"
          methods: ["POST"]
          proxy_logins: ["ci", "dev"]
          source_cidrs: ["10.16.0.0/16"]

HTTP proxy requests and CONNECT use Proxy-Authorization: Basic .... SOCKS5 uses username/password auth.

The shared rule matcher now accepts optional proxy_logins and source_cidrs, so existing transforms using rules can scope behavior by authenticated proxy user and client network.

Why

Some deployments need one shared iron-proxy listener serving multiple workloads or tenants, but with different egress permissions.

Host/method/path rules are not enough for that. This adds two missing policy dimensions:

  • who authenticated to the proxy;
  • where the request came from.

This keeps the allowlist default-deny model intact while avoiding separate proxy instances for every policy slice.

Behavior notes

  • Default behavior is unchanged: proxy auth is off unless proxy.auth.required: true.
  • Existing configs keep working without changes.
  • SOCKS5 no-auth remains supported when proxy auth is not required.
  • Rules without proxy_logins or source_cidrs match exactly as before.
  • Proxy-Authorization is consumed at the proxy boundary and is not forwarded upstream.
  • proxy_login and source_ip are added to audit context when available.
  • Raw SNI-only HTTPS connections cannot carry proxy auth metadata; when auth is required, clients should use the tunnel listener.
  • The /v1/reload endpoint also reloads the auth config.

Tests

go test ./...

New coverage includes:

  • proxy auth config validation;
  • HTTP proxy auth success/failure;
  • CONNECT auth success/failure;
  • SOCKS5 username/password auth;
  • rule matching by proxy_logins;
  • rule matching by source_cidrs;
  • backwards-compatible defaults.
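A sketch of the two pieces the description above implies, the shared rule matcher with optional proxy_logins / source_cidrs and the Proxy-Authorization: Basic check at the proxy boundary, written here in Go as an added example. It is not iron-proxy's code; the Rule, Request, Users and Authenticate names, and the decision that a rule with proxy_logins never matches an unauthenticated request, are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Rule is a hypothetical allowlist rule carrying the two new optional
// dimensions. Empty ProxyLogins / SourceCIDRs mean "no restriction", which is
// what keeps rules written before this change matching exactly as before.
type Rule struct {
	Host        string
	Methods     []string
	ProxyLogins []string
	SourceCIDRs []netip.Prefix
}

// Request is the subset of request attributes the matcher looks at.
type Request struct {
	Host       string
	Method     string
	ProxyLogin string     // "" when the client did not authenticate to the proxy
	SourceIP   netip.Addr // zero value when the source address is unknown
}

func containsFold(list []string, s string) bool {
	for _, v := range list {
		if strings.EqualFold(v, s) {
			return true
		}
	}
	return false
}

// Matches reports whether r allows req. Every dimension that is set must be
// satisfied; unset dimensions are ignored. A rule scoped by proxy_logins
// therefore denies anonymous requests, and a rule scoped by source_cidrs
// denies requests whose source address could not be determined.
func (r Rule) Matches(req Request) bool {
	if !strings.EqualFold(r.Host, req.Host) {
		return false
	}
	if len(r.Methods) > 0 && !containsFold(r.Methods, req.Method) {
		return false
	}
	if len(r.ProxyLogins) > 0 {
		found := false
		for _, l := range r.ProxyLogins { // logins compared exactly, not case-folded
			if l == req.ProxyLogin && req.ProxyLogin != "" {
				found = true
			}
		}
		if !found {
			return false
		}
	}
	if len(r.SourceCIDRs) > 0 {
		if !req.SourceIP.IsValid() {
			return false
		}
		ip := req.SourceIP.Unmap() // treat ::ffff:10.16.3.4 as 10.16.3.4
		inRange := false
		for _, p := range r.SourceCIDRs {
			if p.Contains(ip) {
				inRange = true
			}
		}
		if !inRange {
			return false
		}
	}
	return true
}

// Users maps proxy login to password, as resolved from password_env at load time.
type Users map[string]string

// Authenticate parses "Proxy-Authorization: Basic <base64(login:password)>",
// removes the header so it is never forwarded upstream, and returns the login
// on success. The password comparison is constant-time per byte.
func Authenticate(h http.Header, users Users) (string, bool) {
	const prefix = "Basic "
	v := h.Get("Proxy-Authorization")
	h.Del("Proxy-Authorization") // consumed at the proxy boundary
	if len(v) <= len(prefix) || !strings.EqualFold(v[:len(prefix)], prefix) {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(v[len(prefix):]))
	if err != nil {
		return "", false
	}
	login, pw, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", false
	}
	want, exists := users[login]
	if !exists || subtle.ConstantTimeCompare([]byte(pw), []byte(want)) != 1 {
		return "", false
	}
	return login, true
}

func main() {
	// Constructed inputs mirroring the rule in the PR description.
	rule := Rule{Host: "api.openai.com", Methods: []string{"POST"},
		ProxyLogins: []string{"ci", "dev"},
		SourceCIDRs: []netip.Prefix{netip.MustParsePrefix("10.16.0.0/16")}}
	h := http.Header{}
	h.Set("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("ci:s3cret")))
	login, ok := Authenticate(h, Users{"ci": "s3cret"})
	req := Request{Host: "api.openai.com", Method: "POST", ProxyLogin: login,
		SourceIP: netip.MustParseAddr("10.16.3.4")}
	fmt.Println("auth:", ok, "allowed:", rule.Matches(req), "header forwarded:", h.Get("Proxy-Authorization") != "")
}
```

Two checks worth keeping when adapting this: the header is deleted before any error return so a bad credential can never leak upstream, and the CIDR check uses the source address the proxy observed rather than anything the client sent, because a client-supplied header like X-Forwarded-For is not a policy input.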
