fix: Node.js TLS 代理对所有 HTTPS 上游生效，去掉域名白名单

- 移除 proxy_hosts 白名单限制和 shouldRouteViaNodeProxy
- 所有 HTTPS 上游请求统一走 Node.js 代理
- 通过 X-Forwarded-Host 动态识别目标主机
- Anthropic / Gemini / 任意上游自动适配
- 移除诊断日志（已定位问题）

backend/internal/repository/http_upstream.go

@@ -124,19 +124,9 @@ func NewHTTPUpstream(cfg *config.Config) service.HTTPUpstream {
 //   - 调用方必须关闭 resp.Body，否则会导致 inFlight 计数泄漏
 //   - inFlight > 0 的客户端不会被淘汰，确保活跃请求不被中断
 func (s *httpUpstreamService) Do(req *http.Request, proxyURL string, accountID int64, accountConcurrency int) (*http.Response, error) {
-	// Node.js TLS 代理：仅拦截白名单内的上游主机
-	if s.isNodeTLSProxyEnabled() {
-		if req != nil && req.URL != nil {
-			slog.Warn("node_tls_proxy_check",
-				"scheme", req.URL.Scheme,
-				"host", req.URL.Host,
-				"hostname", req.URL.Hostname(),
-				"should_route", s.shouldRouteViaNodeProxy(req),
-			)
-		}
-		if s.shouldRouteViaNodeProxy(req) {
-			return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
-		}
+	// Node.js TLS 代理：所有 HTTPS 上游请求走 Node.js 代理
+	if s.isNodeTLSProxyEnabled() && req != nil && req.URL != nil && req.URL.Scheme == "https" {
+		return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
 	}
 
 	if err := s.validateRequestHost(req); err != nil {
@@ -191,20 +181,8 @@ func (s *httpUpstreamService) DoWithTLS(req *http.Request, proxyURL string, acco
 	}
 
 	// 优先使用 Node.js TLS 代理模式
-	if s.isNodeTLSProxyEnabled() {
-		shouldRoute := s.shouldRouteViaNodeProxy(req)
-		host := ""
-		if req != nil && req.URL != nil {
-			host = req.URL.Hostname()
-		}
-		slog.Warn("node_tls_proxy_check_tls_path",
-			"host", host,
-			"should_route", shouldRoute,
-			"tls_fingerprint_enabled", enableTLSFingerprint,
-		)
-		if shouldRoute {
-			return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
-		}
+	if s.isNodeTLSProxyEnabled() && req != nil && req.URL != nil && req.URL.Scheme == "https" {
+		return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
 	}
 
 	// TLS 指纹已启用，记录调试日志