proxyd: support backend mTLS for websocket upstreams #570

Open
dahu33 wants to merge 2 commits into ethereum-optimism:main from curvegrid:proxyd-backend-mtls-ws


dahu33 commented Mar 18, 2026

Summary

This updates proxyd backend TLS handling so the same backend TLS config is applied to both HTTP and WebSocket upstream connections.

It also fixes configureBackendTLS so a backend client certificate/key pair can be used without requiring ca_file to be set. In that case proxyd builds a
default tls.Config and still attaches the configured client certificate for mTLS.

Changes

  • apply backend tls.Config to the outbound WebSocket dialer
  • allow client_cert_file + client_key_file without requiring ca_file
  • add regression tests for:
    • configureBackendTLS with cert-only and CA+cert configurations
    • WithTLSConfig wiring for both HTTP and WebSocket backend clients

Testing

  • go test .
  • go test ./... -run 'TestConfigureBackendTLS|TestWithTLSConfigAppliesToHTTPAndWebsocketClients'

@dahu33 dahu33 requested a review from a team as a code owner March 18, 2026 05:55
@dahu33 dahu33 requested a review from serpixel March 18, 2026 05:55
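
The cert-only and CA+cert cases from the summary above, as an added Go example that is not code from this pull request or from proxyd. backendTLSConfig and selfSigned are hypothetical names, PEM bytes stand in for the contents of ca_file, client_cert_file and client_key_file, and the key pair is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

// backendTLSConfig is a hypothetical helper, not proxyd's configureBackendTLS.
// An empty caPEM leaves RootCAs nil, so the server is verified against system roots.
func backendTLSConfig(caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("CA bundle contains no usable certificate")
		}
		cfg.RootCAs = pool
	}
	// Attach the client cert with or without a CA; a half-set pair fails here.
	if len(certPEM) > 0 || len(keyPEM) > 0 {
		pair, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("load client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// selfSigned returns a constructed, throwaway certificate and key as sample input.
func selfSigned() (certPEM, keyPEM []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "client"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	cert, key := selfSigned()
	cfg, err := backendTLSConfig(nil, cert, key) // cert-only: no CA configured
	fmt.Println(len(cfg.Certificates), cfg.RootCAs == nil, err)
}
```

Handing the one returned config to both the HTTP transport and the WebSocket dialer keeps the two upstream paths from drifting apart.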

wiz-inc-a178a98b5d bot commented Mar 18, 2026

Wiz Scan Summary

Scanner                        Findings
Vulnerabilities                -
Sensitive Data                 -
Secrets                        -
IaC Misconfigurations          -
SAST Findings                  1 Medium
Software Management Findings   -
Total                          1 Medium



codecov-commenter commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 84.21053% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.02%. Comparing base (ed7003d) to head (2b98ddc).

Files with missing lines   Patch %   Lines
proxyd/proxyd.go           80.00%    2 Missing and 1 partial ⚠️

@@            Coverage Diff             @@
##             main     #570      +/-   ##
==========================================
+ Coverage   57.83%   58.02%   +0.19%     
==========================================
  Files          96       96              
  Lines       14501    14515      +14     
==========================================
+ Hits         8386     8423      +37     
+ Misses       5597     5570      -27     
- Partials      518      522       +4     
Flag     Coverage Δ
proxyd   71.79% <84.21%> (+0.52%) ⬆️

Flags with carried forward coverage won't be shown.

Files with missing lines   Coverage Δ
proxyd/backend.go          79.82% <100.00%> (+0.55%) ⬆️
proxyd/proxyd.go           56.20% <80.00%> (+1.64%) ⬆️

... and 2 files with indirect coverage changes
