
Add ability to disable SNI host validation #3659


Merged (2 commits), Jul 30, 2025

Conversation

ciarams87
Contributor

Proposed changes

Problem: HTTP/2 clients can encounter 421 Misdirected Request errors when redirecting between subdomains using wildcard certificates due to connection reuse with mismatched SNI and Host headers.

Solution: Add disableSNIHostValidation field to NginxProxy CRD that conditionally removes the SNI Host validation logic, allowing mismatching host connection reuse with documented security trade-offs per GEP-3567.

Testing: Verified using openssl s_client with mismatched SNI (foo.example.com) and Host header (bar.example.com) - returns 421 when flag is set to false (default), 200 when flag is set to true.

 # Use openssl s_client to establish connection with one SNI, then send different Host
(echo -e "GET / HTTP/1.1\r\nHost: bar.example.com:$GW_HTTPS_PORT\r\nConnection: close\r\n\r\n"; sleep 1) | \
openssl s_client -connect $GW_IP:$GW_HTTPS_PORT -servername foo.example.com -quiet 2>/dev/null
HTTP/1.1 421 Misdirected Request
Server: nginx
Date: Thu, 24 Jul 2025 16:33:13 GMT
Content-Type: text/html
Content-Length: 166
Connection: close

<html>
<head><title>421 Misdirected Request</title></head>
<body>
<center><h1>421 Misdirected Request</h1></center>
<hr><center>nginx</center>
</body>
</html>
# edit to set the disableSNIHostValidation: true
# Repeat above command
(echo -e "GET / HTTP/1.1\r\nHost: bar.example.com:$GW_HTTPS_PORT\r\nConnection: close\r\n\r\n"; sleep 1) | \
openssl s_client -connect $GW_IP:$GW_HTTPS_PORT -servername foo.example.com -quiet 2>/dev/null
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Jul 2025 16:34:00 GMT
Content-Type: text/html
Content-Length: 53
Connection: close
Last-Modified: Thu, 24 Jul 2025 15:50:43 GMT
ETag: "68825653-35"
Accept-Ranges: bytes

<h1>BAR Service</h1><p>Hostname: bar.example.com</p>

Closes #3226

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Add disableSNIHostValidation field to NginxProxy CRD to resolve HTTP/2 connection reuse issues with wildcard certificates, with documented security trade-offs.
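To make the mechanism in the problem statement concrete, the following is an added Python model, not code from NGINX Gateway Fabric or from nginx, of the three decisions involved: whether a wildcard certificate covers a name, whether an HTTP/2 client may coalesce a second origin onto an existing TLS connection (RFC 7540 section 9.1.1), and whether the server rejects a request whose Host differs from the SNI the session was negotiated for. The gateway address, the `GatewayConfig` class, the `server_status` function and the name of its flag are assumptions for illustration; how nginx itself implements the 421 check is not shown on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def cert_covers(hostname: str, san: str) -> bool:
    """Return True if a certificate SAN entry is valid for hostname.

    A wildcard such as '*.example.com' matches exactly one leftmost label,
    so it covers 'bar.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        h_labels = hostname.split(".")
        s_labels = san.split(".")
        return (len(h_labels) == len(s_labels)
                and h_labels[0] != ""
                and h_labels[1:] == s_labels[1:])
    return hostname == san


def client_may_coalesce(conn_sans: List[str], conn_ip: str,
                        new_host: str, new_ip: str) -> bool:
    """HTTP/2 connection reuse (RFC 7540 section 9.1.1).

    A client may send requests for a second origin over an existing TLS
    connection when that origin resolves to the same address and the
    certificate presented on the connection is valid for the new host.
    No new handshake happens, so the connection's SNI still names the
    first host.
    """
    return conn_ip == new_ip and any(cert_covers(new_host, san) for san in conn_sans)


@dataclass
class GatewayConfig:
    # Assumed field name, mirroring the NginxProxy field discussed in the PR.
    disable_sni_host_validation: bool = False


def server_status(sni: Optional[str], host_header: str, cfg: GatewayConfig) -> int:
    """Model of the server-side check: 421 when the request's Host does not
    match the SNI the TLS session was negotiated for, unless the check is
    disabled. This illustrates the decision; it is not nginx's implementation.
    """
    host = host_header.rsplit(":", 1)[0].lower()  # drop an explicit port
    if sni is not None and not cfg.disable_sni_host_validation and host != sni.lower():
        return 421
    return 200


def redirect_scenario(disable_validation: bool) -> List[Tuple[str, int]]:
    """foo.example.com redirects to bar.example.com; both sit behind one
    gateway address with a *.example.com certificate (constructed data).
    Returns (host, status) per request as the client would observe them.
    """
    gateway_ip = "203.0.113.10"          # constructed TEST-NET-3 address
    conn_sans = ["*.example.com"]        # SANs of the wildcard certificate
    conn_sni = "foo.example.com"         # SNI used in the only handshake
    cfg = GatewayConfig(disable_sni_host_validation=disable_validation)

    results = [(conn_sni, server_status(conn_sni, conn_sni, cfg))]
    target = "bar.example.com"
    if client_may_coalesce(conn_sans, gateway_ip, target, gateway_ip):
        # Same connection, same SNI, different Host: the case behind the 421.
        results.append((target, server_status(conn_sni, target + ":443", cfg)))
    return results


if __name__ == "__main__":
    for flag in (False, True):
        print(f"disableSNIHostValidation={flag}: {redirect_scenario(flag)}")
```

The second tuple of each run is the point of the PR: the client coalesced, so no handshake for bar.example.com ever took place. With the flag off the request gets 421 and the client must open a fresh connection; with the flag on it is served over a session negotiated for foo.example.com, which is the trade-off the description defers to GEP-3567 for.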

@ciarams87 ciarams87 requested a review from a team as a code owner July 25, 2025 13:08
@github-actions github-actions bot added enhancement New feature or request helm-chart Relates to helm chart labels Jul 25, 2025

codecov bot commented Jul 25, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.05%. Comparing base (9d4a628) to head (7aaa5e2).
⚠️ Report is 1 commits behind head on main.

@@            Coverage Diff             @@
##             main    #3659      +/-   ##
==========================================
+ Coverage   87.03%   87.05%   +0.01%     
==========================================
  Files         127      127              
  Lines       15598    15602       +4     
  Branches       62       62              
==========================================
+ Hits        13576    13582       +6     
+ Misses       1862     1861       -1     
+ Partials      160      159       -1     


@ciarams87 ciarams87 force-pushed the feat/allow-disable-sni-host-validation branch from e1a2184 to 2685e00 Compare July 26, 2025 06:00
@ciarams87 ciarams87 enabled auto-merge (squash) July 26, 2025 06:01
@ciarams87 ciarams87 force-pushed the feat/allow-disable-sni-host-validation branch from 2685e00 to 0c6c53a Compare July 28, 2025 21:21
@ciarams87 ciarams87 force-pushed the feat/allow-disable-sni-host-validation branch from 0c6c53a to fe7963e Compare July 30, 2025 07:55
@sjberman sjberman disabled auto-merge July 30, 2025 14:39
@sjberman sjberman enabled auto-merge (squash) July 30, 2025 14:40
@sjberman sjberman merged commit e138d64 into main Jul 30, 2025
49 of 50 checks passed
@sjberman sjberman deleted the feat/allow-disable-sni-host-validation branch July 30, 2025 15:03
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Jul 30, 2025
Labels
enhancement New feature or request helm-chart Relates to helm chart release-notes
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

IOS redirect returns 421 with wildcard certificate
3 participants