
feat: Add PROXY protocol support for RTMP and RTSP servers #5754

Open: alexmck wants to merge 3 commits into bluenviron:main from alexmck:feature/proxy-protocol


@alexmck alexmck commented May 12, 2026

Summary

Adds support for PROXY protocol v1/v2 for RTMP, RTMPS, RTSP, and RTSPS ingest, allowing the real client IP to be preserved when connections pass through a load balancer or reverse proxy. This feature was first mentioned in #602.

Two new configuration options control this:

  • rtspTrustedProxies: list of IPs/CIDRs trusted to send PROXY headers on RTSP connections
  • rtmpTrustedProxies: same for RTMP connections

This follows the same format that webrtcTrustedProxies uses.

Connections from trusted proxies have their PROXY protocol header parsed, and the original client IP is used for logging and authentication. Connections from non-trusted IPs ignore any PROXY header and are passed through unchanged.

For RTMPS, the PROXY header is read before TLS negotiation to ensure correct ordering.

Also, when rtspTrustedProxies is configured with RTSPS encryption, the dumpPackets feature will not capture TLS-level traffic for RTSP. I assume the undocumented dumpPackets is for debug only, but wanted to mention it just in case this is intentionally here. I can make a revision here if requested.

This is a non-breaking change. I have also tested this PR in production and I can confirm that it works as expected.

New Dependency

This PR uses the go-proxyproto library. I wanted to make sure it's very clear that this PR introduces a new dependency to the library.

Please let me know if you have any questions.

Support PROXY protocol v1/v2 on RTMP, RTMPS, RTSP, and RTSPS TCP
listeners so real client IPs are visible when running behind L4 proxies
(nginx stream, HAProxy, AWS NLB).

New per-protocol config fields rtmpTrustedProxies and rtspTrustedProxies
follow the existing trustedProxies naming convention. Empty by default.
When set, connections from trusted IPs have their PROXY header parsed if
present, while other connections pass through unchanged. This is a
non-breaking change.
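
The trust gate described in the summary above, as an added Go example that is not code from this PR or from go-proxyproto. It is narrowed to the PROXY v1 text header (the v2 binary header is not handled); `ClientIP`, the trusted range and the sample addresses are hypothetical.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
)

// ClientIP (hypothetical helper) returns the address to use for logging and authentication.
func ClientIP(peer net.IP, trusted []*net.IPNet, r *bufio.Reader) (net.IP, error) {
	isTrusted := false
	for _, n := range trusted {
		isTrusted = isTrusted || n.Contains(peer)
	}
	if !isTrusted {
		return peer, nil // consume nothing: any PROXY header is ignored and passed through
	}
	if p, err := r.Peek(6); err != nil || string(p) != "PROXY " {
		return peer, nil // trusted peer, but no v1 header present
	}
	var line []byte
	for !strings.HasSuffix(string(line), "\r\n") {
		b, err := r.ReadByte()
		if err != nil || len(line) == 107 { // 107 bytes is the v1 maximum, CRLF included
			return nil, errors.New("proxy v1: header not terminated within 107 bytes")
		}
		line = append(line, b)
	}
	f := strings.Split(strings.TrimSuffix(string(line), "\r\n"), " ")
	if len(f) >= 2 && f[1] == "UNKNOWN" {
		return peer, nil // the proxy could not determine the original address
	}
	if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") || net.ParseIP(f[2]) == nil {
		return nil, errors.New("proxy v1: malformed header")
	}
	return net.ParseIP(f[2]), nil
}

func main() {
	_, lb, _ := net.ParseCIDR("10.0.0.0/8")                        // constructed trusted range
	stream := "PROXY TCP4 203.0.113.7 10.0.0.5 51000 1935\r\nRTMP" // constructed input
	for _, peer := range []string{"10.0.0.5", "198.51.100.9"} {
		ip, err := ClientIP(net.ParseIP(peer), []*net.IPNet{lb}, bufio.NewReader(strings.NewReader(stream)))
		fmt.Println("peer", peer, "-> client", ip, "err", err)
	}
}
```

The same header sent from the untrusted peer leaves the logged address as the peer's own, so a client connecting directly cannot choose the IP that authentication sees. A real listener would also set a read deadline before the `Peek`, since a trusted peer that sends fewer than six bytes would otherwise block the read.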

codecov Bot commented May 12, 2026

Codecov Report

❌ Patch coverage is 37.73585% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.00%. Comparing base (a384135) to head (32bedce).
⚠️ Report is 10 commits behind head on main.

Files with missing lines Patch % Lines
internal/servers/rtsp/server.go 0.00% 16 Missing and 2 partials ⚠️
internal/servers/rtmp/server.go 26.66% 9 Missing and 2 partials ⚠️
internal/packetdumper/listen.go 0.00% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5754      +/-   ##
==========================================
- Coverage   63.12%   63.00%   -0.13%     
==========================================
  Files         217      218       +1     
  Lines       18328    18411      +83     
==========================================
+ Hits        11569    11599      +30     
- Misses       5818     5866      +48     
- Partials      941      946       +5     


Member

@aler9 aler9 left a comment


Thanks for providing this long-awaited feature, I left some comments. In particular, we must find a way to make dumpPackets and trustedProxies coexist.

Comment thread internal/servers/rtsp/server.go Outdated
Comment thread internal/servers/rtmp/server.go Outdated
Comment thread internal/protocols/proxyprotocol/listener.go
Comment thread internal/core/core.go
alexmck added 2 commits May 13, 2026 12:53
- Move proxyprotocol package to internal/protocols/proxyprotocol
- Add package comment and fix prealloc lint issue
- Deduplicate v1/v2 tests into table-driven test
- Add rtspTrustedProxies and rtmpTrustedProxies to openapi.yaml
- Fix DumpPackets and TrustedProxies to coexist for RTSP and RTMP
Reorder listener wrapping so proxy protocol is applied before
the packet dumper. This ensures the packetdumper sees connections
with the real client IP and the TLS secret logging works correctly.

Add InnerListen field to packetdumper.Listen to allow injecting
a custom listen function underneath the packet dumper.
Author

alexmck commented May 13, 2026

Thank you for your review and feedback on this PR. I have now addressed all feedback items and lint issues.

I have made one tradeoff so the PROXY header bytes themselves don't appear in the packet dump, since they're stripped before the packetdumper sees the connection. Adding these headers to the dump would require a change to the packetdumper. I feel this could be achieved in a follow-up PR if requested, but I gather the main reason for this feature is inspecting the media stream, which this change will still allow.

Please let me know if you have any other feedback or concerns.
