feat: add trust_forwarded_proto option for SSL redirect handling in reverse proxy scenarios

When Nginx is behind another proxy server (like CloudFlare or AWS ALB), the force-SSL
feature can cause redirect loops because Nginx sees the connection as plain HTTP
while SSL is already handled upstream. This adds a new boolean option to trust
the X-Forwarded-Proto header from upstream proxies.

Changes:
- Add `trust_forwarded_proto` column to proxy_host table (migration)
- Update model and API schema to support the new boolean field
- Modify force-ssl Nginx template to check X-Forwarded-Proto/X-Forwarded-Scheme
- Add map directives in nginx.conf to validate and sanitize forwarded headers
- Add advanced option toggle in frontend UI with i18n support (EN/ZH)
- Set proxy headers from validated map variables instead of $scheme

This allows administrators to control SSL redirect behavior when Nginx is deployed
behind a TLS-terminating proxy.

docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf

@@ -5,9 +5,25 @@ if ($scheme = "http") {
 if ($request_uri = /.well-known/acme-challenge/test-challenge) {
 	set $test "${test}T";
 }
+
+# Check if the ssl staff has been handled
+set $test_proto "";
+if ($trust_forwarded_proto = T){
+	set $test_proto "${test_proto}T";
+}
 if ($http_x_forwarded_proto = "https") {
+	set $test_proto "${test_proto}S";
+}
+if ($http_x_forwarded_scheme = "https") {
+	set $test_proto "${test_proto}S";
+}
+if ($test_proto = "TSS") {
+	set $test_proto "TS";
+}
+if ($test_proto = "TS") {
 	set $test "${test}S";
 }
+
 if ($test = H) {
 	return 301 https://$host$request_uri;
 }