Enable third-party app access to qBittorrent API

[nmfretz]

Summary

• Enables qBittorrent's reverse proxy support so it reads the real client IP from X-Forwarded-For and checks it against AuthSubnetWhitelist instead of the direct connection IP
• Adds PROXY_AUTH_WHITELIST: "/api/*" so third-party apps can reach the API without Umbrel's proxy auth
• Includes migration for existing installs

This allows third-party apps (e.g. qRemote on iOS) to authenticate with qBittorrent natively while preserving the subnet whitelist for internal auto-configuration of Radarr, Sonarr, etc.

Fixes #4315

How it works

• Third-party app from LAN (192.168.1.x) → proxy lets /api/* through, sets X-Forwarded-For: 192.168.1.x → doesn't match 10.21.0.0/16 → qBittorrent requires native login
• Radarr/Sonarr/MAC (10.21.x.x) → connects directly, no proxy involved → matches subnet whitelist → no auth needed
• Browser via Umbrel dashboard → PROXY_AUTH_ADD handles it as usual

@al-lac I've tested this on my Umbrel and confirmed all three scenarios work. No need to merge this PR directly, feel free to bring these changes into your existing qBittorrent PR if that's easier.

[github-actions]

🎉   Linting finished with no errors or warnings   🎉

Thank you for your submission! This is an automated linter that checks for common issues in pull requests to the Umbrel App Store.