docs: Add BunkerWeb as supported external reverse proxy

[TheophileDiot]

Summary

• Add BunkerWeb (>= 1.6.9) as a documented external reverse proxy / WAF option for self-hosted NetBird, alongside existing Traefik, Nginx, Caddy, and Nginx Proxy Manager sections
• Cover three deployment modes: Docker labels (existing BunkerWeb with autoconf), standalone stack (scheduler + bunkerweb), and host-based (variables.env)
• Provide complete configuration examples for both combined container (v0.65.0+) and legacy multi-container setups
• Include WAF security notes (gRPC bypasses ModSecurity, CRS exclusion rules for OAuth2 false positives) and BunkerWeb-specific troubleshooting entries

Details

All configuration examples have been validated against:

• The BunkerWeb gRPC and reverse proxy plugin source code (plugin.json schemas)
• The official BunkerWeb NetBird template (bunkerweb-templates/templates/netbird/template.json)
• A working production combined-container deployment with Docker labels
• A working production multi-container deployment with host-based config

BunkerWeb best practices followed:

• Standalone stack places all site config on bw-scheduler, not bunkerweb
• MULTISITE=yes with domain-prefixed per-site settings (netbird.example.com_*)
• Proper network separation (bw-universe for API, bw-services for backends)
• API_WHITELIST_IP shared via YAML anchor, BUNKERWEB_INSTANCES on scheduler
• CLIENT_HEADER_TIMEOUT / CLIENT_BODY_TIMEOUT set globally for long-lived gRPC connections
• CUSTOM_CONF_MODSEC_* for inline CRS exclusion rules
• No bw-docker-proxy in manual mode (only needed for autoconf)

No existing proxy configurations (Traefik, Nginx, Caddy, NPM) were modified. The only change to pre-existing content is adding "BunkerWeb" to the intro sentence.