add HTTP CONNECT forward-proxy support for CASB proxy chaining#6

Merged
Graydon Hope (graydonhope) merged 1 commit into main from helm/forward-proxy-connect-support on Jun 18, 2026
Conversation

@graydonhope

Contributor

Adds Helm chart support for the firewall's HTTP CONNECT listener, for CASBs (Netskope, Zscaler, etc.) configured for proxy chaining that tunnel via CONNECT to an upstream proxy.

The CONNECT method cannot traverse a Layer-7 Ingress (ALB / nginx-ingress / Traefik terminate TLS and parse HTTP, and reject/mishandle CONNECT). This adds a dedicated Layer-4 Service to expose :3128, alongside the existing Ingress/Service which keeps carrying normal HTTPS registry traffic.

Tested: static schema validation + running the pod.

TEST 1  GET /health on :3128  →  SocketFirewall/... - Health OK - forward-proxy
TEST 2  customer CONNECT replay:
        CONNECT response:  HTTP/1.1 200 Connection established
        inner TLS:         TLSv1.3 / TLS_AES_256_GCM_SHA384  (terminated at :8081)
        inner GET status:  HTTP/1.1 200 OK
        inner body:        Health OK - path-routing (sfw.test.local)

Firewall telemetry logs:

connect: tun=… event=open  target=registry.npmjs.org:443  upstream=127.0.0.1:8081
connect: tun=… event=close reason=upstream_eof bytes_up=1686 bytes_down=4118 duration_ms=17
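
As an added example (not code from this PR or the firewall project), a Python script that replays the checks above against the Layer-4 Service: the CONNECT handshake, then the inner TLS GET /health. The proxy host name and the :3128 port are assumptions; a non-HTTP or non-200 reply is what you get when the request reached a Layer-7 ingress instead of the new Service, so the parser rejects it explicitly.

```python
import socket
import ssl

# Assumed address of the Layer-4 Service and its CONNECT port (not from the PR).
PROXY_HOST = "sfw.test.local"
PROXY_PORT = 3128


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """Build the CONNECT request a proxy-chaining CASB sends to the upstream proxy."""
    target = f"{target_host}:{target_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_response(raw: bytes) -> int:
    """Return the status code of a CONNECT response head; ValueError if it is not HTTP/1.x."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def read_head(sock: socket.socket) -> bytes:
    """Read until the blank line that ends a response head (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def check_connect_tunnel(target_host: str = "registry.npmjs.org", target_port: int = 443) -> str:
    """Replay TEST 2: CONNECT, then an inner TLS GET /health; returns the inner status line."""
    with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10) as raw:
        raw.sendall(build_connect_request(target_host, target_port))
        status = parse_connect_response(read_head(raw))
        if status != 200:
            raise RuntimeError(f"CONNECT refused by proxy: HTTP {status}")
        # Default context verifies the server certificate; if a lab CA terminates
        # the inner TLS (as at :8081 above), load it with ctx.load_verify_locations().
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            tls.sendall(f"GET /health HTTP/1.1\r\nHost: {target_host}\r\nConnection: close\r\n\r\n".encode("ascii"))
            return read_head(tls).decode("ascii", "replace").split("\r\n", 1)[0]


if __name__ == "__main__":
    print(check_connect_tunnel())
```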

@graydonhope Graydon Hope (graydonhope) merged commit 74128bf into main Jun 18, 2026
5 checks passed