feat: implement hop-by-hop header stripping for compliance with HTTP standards #583

Draft: NiccoMlt wants to merge 1 commit into master from fix-headers-cleanup

@NiccoMlt (Contributor) commented Apr 7, 2026

Problem

Backends that advertise HTTP/2 via ALPN (e.g. Tomcat on port 8443) returned HTTP/2 responses containing connection-specific headers such as Keep-Alive. Netty's strict H2 stream decoder rejected these, producing:

Http2Exception$StreamException: Illegal connection-specific header 'keep-alive' encountered

and causing 503s for every request routed to those backends. This violates RFC 9113 §8.2.2, which forbids connection-specific headers in HTTP/2.

The underlying cause was that ProxyRequestsManager was forwarding client and backend headers verbatim, without stripping the hop-by-hop headers that a reverse proxy must not propagate between connections, as required by RFC 2616 §13.5.1 and RFC 7230 §6.1.

Solution

Add HttpUtils.stripHopByHopHeaders(), which removes the standard hop-by-hop set (Connection, Keep-Alive, Proxy-Authenticate, Proxy-Authorization, TE, Trailer, Upgrade, Proxy-Connection) plus any headers dynamically nominated via the Connection header value (RFC 7230 §6.1). Call it in ProxyRequestsManager in both directions: on the outgoing request copy before forwarding to the backend, and on the backend response headers before forwarding to the client.

Transfer-Encoding is intentionally excluded from the stripped set: Reactor Netty's H2 codec enforces its removal at the wire level (RFC 9113 §8.2.2), and stripping it in Carapace would break HTTP/1.1 chunked proxying.

@NiccoMlt NiccoMlt self-assigned this Apr 7, 2026
@NiccoMlt NiccoMlt marked this pull request as ready for review April 7, 2026 21:33
@NiccoMlt NiccoMlt marked this pull request as draft April 10, 2026 07:08
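
The stripping rule from the PR description (fixed hop-by-hop set plus any header nominated in a Connection value, with Transfer-Encoding left alone), as an added example. It is not the PR's code: the page does not show the signature of `HttpUtils.stripHopByHopHeaders()`, so the class `HopByHopDemo`, the method `strip` and the sample headers are assumptions made for illustration.

```java
import java.util.*;

// Added illustration; not Carapace's HttpUtils. Class and method names are hypothetical.
public class HopByHopDemo {

    // The fixed set listed in the PR description. Transfer-Encoding is deliberately absent.
    private static final Set<String> HOP_BY_HOP = Set.of(
            "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
            "te", "trailer", "upgrade", "proxy-connection");

    static Map<String, List<String>> strip(Map<String, List<String>> headers) {
        Set<String> drop = new HashSet<>(HOP_BY_HOP);
        // Pass 1: collect every token nominated by any Connection field line.
        // Header names are case-insensitive, so compare in lower case.
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (!e.getKey().equalsIgnoreCase("Connection")) continue;
            for (String value : e.getValue()) {
                for (String token : value.split(",")) {
                    String name = token.trim().toLowerCase(Locale.ROOT);
                    if (!name.isEmpty()) drop.add(name);
                }
            }
        }
        // Pass 2: copy everything else, preserving order and original casing.
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (!drop.contains(e.getKey().toLowerCase(Locale.ROOT))) {
                out.put(e.getKey(), List.copyOf(e.getValue()));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: an HTTP/1.1-style backend response.
        Map<String, List<String>> in = new LinkedHashMap<>();
        in.put("Content-Type", List.of("application/json"));
        in.put("connection", List.of("keep-alive, X-Backend-Session"));
        in.put("Keep-Alive", List.of("timeout=20"));
        in.put("X-Backend-Session", List.of("abc123"));
        in.put("Transfer-Encoding", List.of("chunked"));
        in.put("Cache-Control", List.of("no-store"));
        System.out.println(strip(in).keySet());
    }
}
```

Collecting the nominated names in a first pass matters because a Connection field can appear after the header it nominates, or be split across several field lines.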