Support inferring X-Forwarded-Proto from PROXY Protocol destination port #43031

@zezaeoh

Title: Support inferring X-Forwarded-Proto from PROXY Protocol destination port

Description:
When using AWS NLB with TLS termination and PROXY Protocol v2, Envoy cannot
correctly detect that the original request was HTTPS.

Use Case:

  • AWS NLB terminates TLS (using ACM certificates)
  • NLB sends traffic to Envoy with PROXY Protocol v2 enabled
  • Envoy receives plain HTTP but needs to know original protocol was HTTPS

Current Behavior:
Envoy sets X-Forwarded-Proto based solely on:

  1. Current connection TLS status, OR
  2. Trusted downstream header (xff_num_trusted_hops)

Since NLB is L4, it cannot send HTTP headers like X-Forwarded-Proto.

Requested Behavior:
Add option to infer X-Forwarded-Proto from PROXY Protocol destination port:

  • Port 443 → X-Forwarded-Proto: https
  • Port 80 → X-Forwarded-Proto: http

Reference:
ingress-nginx implements this using $proxy_protocol_port variable. (docs)

Impact:
Without this, Envoy-based ingress controllers (Contour, Envoy Gateway, etc.)
cannot properly handle HTTP→HTTPS redirects when behind NLB with TLS termination.
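
The following sketch is an added example, not part of the original issue and not Envoy code. It parses a PROXY protocol v2 header, reads the destination port, and maps it to a scheme using the 443/80 mapping requested above. The function names, the sample addresses and the trusted load balancer CIDR are assumptions made for illustration; the trust check is there because a PROXY header from an arbitrary peer is attacker-controlled input.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY protocol v2 signature

PORT_TO_SCHEME = {443: "https", 80: "http"}  # mapping taken from the issue text


def parse_pp2_destination(data: bytes):
    """Return (dst_ip, dst_port) from a PROXY v2 header, or None for LOCAL/unsupported."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    if ver_cmd & 0x0F != 0x1:  # 0x0 = LOCAL (e.g. health check): no usable addresses
        return None
    body = data[16:16 + length]
    addr_len = {0x11: 4, 0x21: 16}.get(fam_proto)  # TCP over IPv4 / IPv6 only
    if addr_len is None or len(body) < 2 * addr_len + 4:
        return None
    dst_ip = ipaddress.ip_address(body[addr_len:2 * addr_len])
    _src_port, dst_port = struct.unpack("!HH", body[2 * addr_len:2 * addr_len + 4])
    return str(dst_ip), dst_port


def infer_forwarded_proto(data: bytes, peer_ip: str, trusted_lb_cidrs, fallback="http"):
    """Infer the scheme from the destination port, only for headers sent by a trusted LB."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(c) for c in trusted_lb_cidrs):
        return fallback  # anyone can forge a PROXY header; ignore untrusted senders
    dst = parse_pp2_destination(data)
    if dst is None:
        return fallback
    return PORT_TO_SCHEME.get(dst[1], fallback)


def build_sample_header(dst_port: int) -> bytes:
    """Constructed sample: PROXY command, TCP/IPv4, 198.51.100.7:51234 -> 203.0.113.10:dst_port."""
    addrs = ipaddress.ip_address("198.51.100.7").packed + ipaddress.ip_address("203.0.113.10").packed
    body = addrs + struct.pack("!HH", 51234, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


if __name__ == "__main__":
    for port in (443, 80, 8443):
        print(port, infer_forwarded_proto(build_sample_header(port), "10.0.1.5", ["10.0.0.0/16"]))
```

Ports outside the mapping and headers from peers outside the trusted CIDR fall back to the default scheme rather than being guessed.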
