fix(安全): 修复上游校验与 URL 清理问题

增加请求阶段 DNS 解析校验，阻断重绑定到私网
补充默认透传 WWW-Authenticate 头，保留认证挑战
前端相对 URL 过滤拒绝 // 协议相对路径

测试: go test ./internal/repository -run TestGitHubReleaseServiceSuite
测试: go test ./internal/repository -run TestTurnstileServiceSuite
测试: go test ./internal/repository -run TestProxyProbeServiceSuite
测试: go test ./internal/repository -run TestClaudeUsageServiceSuite

backend/internal/repository/proxy_probe_service.go

@@ -5,19 +5,21 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"time"
 
 	"github.com/Wei-Shaw/sub2api/internal/config"
 	"github.com/Wei-Shaw/sub2api/internal/pkg/httpclient"
 	"github.com/Wei-Shaw/sub2api/internal/service"
-	"log"
 )
 
 func NewProxyExitInfoProber(cfg *config.Config) service.ProxyExitInfoProber {
 	insecure := false
+	allowPrivate := false
 	if cfg != nil {
 		insecure = cfg.Security.ProxyProbe.InsecureSkipVerify
+		allowPrivate = cfg.Security.URLAllowlist.AllowPrivateHosts
 	}
 	if insecure {
 		log.Printf("[ProxyProbe] Warning: TLS verification is disabled for proxy probing.")
@@ -25,6 +27,7 @@ func NewProxyExitInfoProber(cfg *config.Config) service.ProxyExitInfoProber {
 	return &proxyProbeService{
 		ipInfoURL:          defaultIPInfoURL,
 		insecureSkipVerify: insecure,
+		allowPrivateHosts:  allowPrivate,
 	}
 }
 
@@ -33,6 +36,7 @@ const defaultIPInfoURL = "https://ipinfo.io/json"
 type proxyProbeService struct {
 	ipInfoURL          string
 	insecureSkipVerify bool
+	allowPrivateHosts  bool
 }
 
 func (s *proxyProbeService) ProbeProxy(ctx context.Context, proxyURL string) (*service.ProxyExitInfo, int64, error) {
@@ -41,6 +45,8 @@ func (s *proxyProbeService) ProbeProxy(ctx context.Context, proxyURL string) (*s
 		Timeout:            15 * time.Second,
 		InsecureSkipVerify: s.insecureSkipVerify,
 		ProxyStrict:        true,
+		ValidateResolvedIP: true,
+		AllowPrivateHosts:  s.allowPrivateHosts,
 	})
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to create proxy client: %w", err)