fix: WinBox tunnel bind address, port range, and proxy support

- Bind tunnel listeners to 0.0.0.0 instead of 127.0.0.1 so tunnels
  are reachable through reverse proxies and container networks
- Reduce port range to 49000-49004 (5 concurrent tunnels)
- Derive WinBox URI host from request Host header instead of
  hardcoding 127.0.0.1, enabling use behind reverse proxies
- Add README security warning about default encryption keys

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

poller/internal/tunnel/manager.go

@@ -65,7 +65,7 @@ func (m *Manager) OpenTunnel(deviceID, tenantID, userID, remoteAddr string) (*Op
 		return nil, err
 	}
 
-	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
+	ln, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", port))
 	if err != nil {
 		m.portPool.Release(port)
 		return nil, fmt.Errorf("failed to listen on port %d: %w", port, err)

poller/internal/tunnel/portpool.go

@@ -54,7 +54,7 @@ func (pp *PortPool) Release(port int) {
 }
 
 func canBind(port int) bool {
-	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
+	ln, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", port))
 	if err != nil {
 		return false
 	}

poller/internal/tunnel/portpool_test.go

@@ -71,7 +71,7 @@ func TestPortPool_ConcurrentAccess(t *testing.T) {
 
 func TestPortPool_BindVerification(t *testing.T) {
 	// Occupy a port, then verify Allocate skips it
-	ln, err := net.Listen("tcp", "127.0.0.1:49050")
+	ln, err := net.Listen("tcp", "0.0.0.0:49050")
 	require.NoError(t, err)
 	defer ln.Close()