feat(proxy): add per-route disable_secure_redirection; preserve query string in redirect

By default every plain-HTTP request is 301-redirected to HTTPS — no upstream
is ever contacted, making it as close to an L4 redirect as HTTP allows.

New RouteConfig field `disable_secure_redirection` (bool, default false):
when set to true on a route, plain-HTTP requests for that host pass through
to the backend unchanged instead of being redirected.

Also fixes the redirect URL to include the original query string, which was
previously dropped (e.g. ?next=/dashboard would be lost after redirect).

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>

src/config.rs

@@ -46,6 +46,10 @@ pub struct RouteConfig {
     pub backend: String,
     #[serde(default)]
     pub websocket: bool,
+    /// When true, plain-HTTP requests for this host are forwarded as-is rather
+    /// than being redirected to HTTPS. Defaults to false (redirect enforced).
+    #[serde(default)]
+    pub disable_secure_redirection: bool,
     /// Optional path-based sub-routes (longest prefix wins).
     /// If the request path matches a sub-route, its backend is used instead.
     #[serde(default)]