feat: add IP whitelist support via CIDR networks #3549

Closed
masterbpro wants to merge 1 commit into prometheus:master from masterbpro:master

@masterbpro

Adds optional IP whitelist support to the HTTP server

New flags:
--web.allowed-networks
--web.whitelist-config

--web.allowed-networks accepts a comma-separated list of CIDR networks.
Single IPs are accepted and treated as /32 (IPv4) or /128 (IPv6).

If configured, requests from non-matching IPs receive HTTP 403.
If not configured, behavior remains unchanged.

Whitelist applies to both:

  • /metrics
  • /

Client IP resolution:

IP is resolved in the following order:

  • Custom headers defined in YAML (whitelist.ip_headers)
  • Default headers (if none configured):
    • X-Forwarded-For (first IP is used)
    • X-Real-IP
    • X-Forwarded
  • Fallback to RemoteAddr

Examples:

Allow single network:
./node_exporter --web.allowed-networks=10.0.0.0/24

Allow multiple networks:
./node_exporter --web.allowed-networks=10.0.0.0/24,192.168.1.0/24

Allow single host:
./node_exporter --web.allowed-networks=10.0.0.10

With IPv6:
./node_exporter --web.allowed-networks=2001:db8::/32

Using YAML configuration:
./node_exporter --web.whitelist-config=/etc/node_exporter/whitelist.yaml

Example YAML:

  whitelist:
    allowed_networks:
      - "10.0.0.0/24"
      - "192.168.1.0/24"
    ip_headers:
      - "X-Forwarded-For"
      - "X-Real-IP"

Signed-off-by: masterbpro <iserver12345@gmail.com>
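
The client IP resolution order and CIDR match described in the pull request above, as an added Go example; it is not the pull request's code. The names `parseNetworks`, `allowed` and `decide`, the `anyPeer` switch, the trusted-proxy list and all sample addresses are assumptions. It shows the allow decision when forwarding headers are read from any peer, beside the decision when they are read only from a listed proxy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"slices"
	"strings"
)

// parseNetworks reads a comma-separated list; a bare IP becomes /32 or /128.
func parseNetworks(list string) (nets []netip.Prefix) {
	for _, s := range strings.Split(list, ",") {
		s = strings.TrimSpace(s)
		if a, err := netip.ParseAddr(s); err == nil {
			s = netip.PrefixFrom(a, a.BitLen()).String()
		}
		nets = append(nets, netip.MustParsePrefix(s).Masked()) // panics on a bad entry
	}
	return nets
}

func contains(nets []netip.Prefix, a netip.Addr) bool {
	return slices.ContainsFunc(nets, func(p netip.Prefix) bool { return p.Contains(a.Unmap()) })
}

// allowed resolves the client IP (headers in order, first list entry, then RemoteAddr).
// Headers count only if anyPeer is set or the direct peer is in proxies (hypothetical list).
func allowed(r *http.Request, nets, proxies []netip.Prefix, headers []string, anyPeer bool) bool {
	peer, err := netip.ParseAddrPort(r.RemoteAddr)
	if err == nil && (anyPeer || contains(proxies, peer.Addr())) {
		for _, h := range headers {
			first, _, _ := strings.Cut(r.Header.Get(h), ",")
			if a, err := netip.ParseAddr(strings.TrimSpace(first)); err == nil {
				return contains(nets, a)
			}
		}
	}
	return err == nil && contains(nets, peer.Addr())
}

// decide runs allowed over a constructed request (sample values, no network).
func decide(remote, xff string, anyPeer bool) bool {
	r := &http.Request{RemoteAddr: remote, Header: http.Header{"X-Forwarded-For": {xff}}}
	h := []string{"X-Forwarded-For", "X-Real-IP"}
	return allowed(r, parseNetworks("10.0.0.0/24,192.168.1.10"), parseNetworks("192.0.2.1"), h, anyPeer)
}

func main() { fmt.Println(decide("203.0.113.7:40000", "10.0.0.10", true), decide("203.0.113.7:40000", "10.0.0.10", false)) }
```

With `anyPeer` set, the decision for the same connection follows whatever address the request's `X-Forwarded-For` header carries; with it unset, the header is used only when the connection itself comes from the listed proxy.
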
@SuperQ
Member

SuperQ commented Feb 14, 2026

Sorry, no, we don't want to support this here. This is what firewalls are for.

@SuperQ SuperQ closed this Feb 14, 2026