Support UDP proxying through HTTP upstreams via RFC 9298 CONNECT-UDP

[Manouchehri]

This is more of a future enhancement, but worth tracking: RFC 9298 "Proxying UDP in HTTP" defines a standard way to tunnel UDP through HTTP proxies using Extended CONNECT with the connect-udp protocol.

This isn't common today, but it's a real standard (published August 2022) and is used in production by Cloudflare for WARP and iCloud Private Relay. Other implementations include Envoy and the masque-go library.

How it works:

• Client sends Extended CONNECT request with :protocol = connect-udp
• Target specified via URI template like /.well-known/masque/udp/{host}/{port}/
• UDP payloads are encapsulated using HTTP Datagrams (RFC 9297)
• Works over HTTP/2 (with overhead) or HTTP/3 (preferred, uses QUIC DATAGRAM frames)

To add this to proxy-chain:

• Create src/chain_http_udp.ts for RFC 9298 client implementation
• Would need HTTP/2 Extended CONNECT support first
• Implement the capsule protocol from RFC 9297 for datagram encapsulation
• Add config option to specify upstream supports CONNECT-UDP

This is lower priority than SOCKS5 UDP (see #634 and #633) since:

• HTTP/2 Extended CONNECT adds complexity
• Few HTTP proxies support this today
• HTTP/1.1 cannot practically support it at all

But it would be nice for completeness and future-proofing, especially as HTTP/3 adoption grows.

References:

• https://www.rfc-editor.org/rfc/rfc9298.html
• https://datatracker.ietf.org/doc/html/rfc9297