Enhance mTLS error diagnostics and add custom gateway/Host header support #22

Closed
Leechael wants to merge 3 commits into main from imp-service-mesh

@Leechael (Contributor) commented Nov 13, 2025

This PR enhances mTLS error handling and adds flexible routing options for the service mesh client.

Enhanced mTLS Error Diagnostics

Before:

  • All connection failures returned generic 502 Bad Gateway
  • Minimal error information in logs

After:

  • Fixed upstream status code propagation, and added custom status codes for specific error types:
    • 526 Invalid SSL Certificate (UnknownIssuer, expired cert)
    • 525 SSL Handshake Failed
    • 504 Gateway Timeout
  • Detailed error responses with JSON format:
    {
      "status": 526,
      "status_text": "Invalid SSL Certificate",
      "error": "SSL_UNKNOWN_ISSUER",
      "message": "SSL certificate verification failed: Unknown certificate issuer",
      "details": "error sending request → client error (Connect) → invalid peer certificate: UnknownIssuer"
    }
  • Certificate information logging at startup and during verification
  • Simplified error logs showing root cause directly

Flexible Routing Options

Added support for custom gateway and Host header routing:

Option 1: Custom gateway via header

curl -H "x-dstack-target-app: abc123" \
     -H "x-dstack-target-gateway: custom.gateway.com" \
     http://localhost:8091/api/test
# Routes to: https://abc123-443s.custom.gateway.com/api/test

Option 2: Direct Host header routing

curl -H "Host: abc123-443s.gateway.com" \
     http://localhost:8091/api/test
# Routes to: https://abc123-443s.gateway.com/api/test

Routing priority:

  1. x-dstack-target-* headers (if x-dstack-target-app present)
  2. Host header (if matches target service pattern)
  3. Fallback to dstack.sock
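
The routing priority listed above, written out as an added Rust example (not code from this PR or the project). The app-id and hostname checks, the `<app>-443s.<gateway>` target pattern, the `Route` type and the `default_gateway` parameter are assumptions made here; `path` is assumed to start with `/`.

```rust
// Added example, std only. Assumptions (not from the PR): app ids are ASCII
// alphanumeric, targets look like `<app>-443s.<gateway>`, and
// `default_gateway` is a hypothetical configured value.
#[derive(Debug, PartialEq)]
pub enum Route {
    Upstream(String), // https URL to forward to
    DstackSock,       // priority 3: fall back to dstack.sock
    Reject(String),   // malformed x-dstack-target-* value
}

fn is_hostname(s: &str) -> bool {
    !s.is_empty() && s.len() <= 253 && s.split('.').all(|l| {
        !l.is_empty() && !l.starts_with('-') && !l.ends_with('-')
            && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
    })
}

fn is_app_id(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_alphanumeric())
}

fn header<'a>(headers: &[(&str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

pub fn resolve(headers: &[(&str, &str)], path: &str, default_gateway: &str) -> Route {
    // Priority 1: x-dstack-target-* headers, if x-dstack-target-app is present.
    if let Some(app) = header(headers, "x-dstack-target-app") {
        let gateway = header(headers, "x-dstack-target-gateway").unwrap_or(default_gateway);
        if !is_app_id(app) || !is_hostname(gateway) {
            return Route::Reject(format!("invalid target {app:?} via {gateway:?}"));
        }
        return Route::Upstream(format!("https://{app}-443s.{gateway}{path}"));
    }
    // Priority 2: Host header, only if it matches the target service pattern.
    if let Some((label, gateway)) = header(headers, "host").and_then(|h| h.split_once('.')) {
        let app = label.strip_suffix("-443s").unwrap_or("");
        if is_app_id(app) && is_hostname(gateway) {
            return Route::Upstream(format!("https://{label}.{gateway}{path}"));
        }
    }
    Route::DstackSock // Priority 3: nothing matched.
}

fn main() {
    // Constructed request: the "Option 2" curl call from the description.
    let h = [("Host", "abc123-443s.gateway.com")];
    println!("{:?}", resolve(&h, "/api/test", "gateway.example"));
}
```

Rejecting a malformed `x-dstack-target-gateway` value, instead of interpolating it into the upstream URL, keeps a request header from steering the mTLS client to an arbitrary authority or path.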

@Leechael Leechael changed the title feat: enhance mTLS error diagnostics and add custom gateway/Host header support enhance mTLS error diagnostics and add custom gateway/Host header support Nov 13, 2025
@Leechael Leechael changed the title enhance mTLS error diagnostics and add custom gateway/Host header support Enhance mTLS error diagnostics and add custom gateway/Host header support Nov 13, 2025
@Leechael (Contributor, Author) commented:

Prefer two separated PRs: #24 & #25
