gitlab-sshd defaults to ProxyProtocol policy: USE when proxy_protocol is enabled
Noted after checking some assertions about rollback + proxy-protocol in today's production readiness review call (https://docs.google.com/document/d/1M8o0dUtOxzNqhafE0F1R3cjh-orb-dCxUSVbn0MyZlc/edit)
gitlab-sshd can be configured with the PROXY protocol enabled. When this is turned on, my assumption was that the PROXY protocol is required, and that unvarnished (ahahaha) connections would be rejected.
Having looked at the code a bit, it seems that's not the case - https://gitlab.com/gitlab-org/gitlab-shell/-/blob/main/internal/sshd/sshd.go#L95
```go
if s.Config.Server.ProxyProtocol {
	sshListener = &proxyproto.Listener{
		Listener:          sshListener,
		ReadHeaderTimeout: ProxyHeaderTimeout,
	}
	log.ContextLogger(ctx).Info("Proxy protocol is enabled")
}
```
The proxyproto.Listener has a Policy member, which we're leaving unset. When unset, the default behaviour is USE, rather than REQUIRE: https://github.com/pires/go-proxyproto/blob/v0.6.0/protocol.go#L60
This means that we could actually roll back freely - although I still support doing the proxy protocol enablement as a separate step after the rollout of gitlab-sshd itself has been completed.
However, I think this is a bug. If we've been configured to have proxy_protocol enabled, we should REJECT connections that don't transmit this metadata, since it represents an infrastructure misconfiguration.
Fortunately, there's no security dimension to this, since proxy protocol support is disabled by default and the only reason to enable it is to put it behind a load-balancer. However, we should fix this before gitlab-sshd is put into beta (so we have freedom to change it quickly) - I'll add it to the gitlab-shell beta epic.
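An added example, not gitlab-shell or go-proxyproto code: a standard-library model of the difference between an optional (USE) and a mandatory (REQUIRE) PROXY header, narrowed to the v1 text header. The `Policy`, `ClientAddr` and `ErrNoProxyHeader` names and the sample addresses are assumptions made for this illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Policy models the two behaviours compared in the issue (names are this example's own).
type Policy int

const (
	Use     Policy = iota // header optional: fall back to the socket peer address
	Require               // header mandatory: refuse the connection without it
)

var ErrNoProxyHeader = errors.New("PROXY header required but not sent")

// ClientAddr returns the address the server would attribute the connection to.
// peer is the TCP peer address (the load balancer, when one is in front).
func ClientAddr(p Policy, r *bufio.Reader, peer string) (string, error) {
	sig, _ := r.Peek(6) // a short read simply fails the comparison below
	if string(sig) != "PROXY " {
		if p == Require {
			return "", ErrNoProxyHeader
		}
		return peer, nil // Use: silently treated as a direct connection
	}
	line, err := r.ReadString('\n')
	if err != nil {
		return "", fmt.Errorf("truncated PROXY header: %w", err)
	}
	// v1 layout: PROXY <TCP4|TCP6> <src ip> <dst ip> <src port> <dst port>\r\n
	f := strings.Fields(line)
	if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") {
		return "", fmt.Errorf("malformed PROXY header %q", strings.TrimSpace(line))
	}
	return net.JoinHostPort(f[2], f[4]), nil
}

func main() {
	direct := "SSH-2.0-OpenSSH_8.9\r\n" // constructed: a connection that did not pass through the load balancer
	for _, p := range []Policy{Use, Require} {
		addr, err := ClientAddr(p, bufio.NewReader(strings.NewReader(direct)), "10.0.0.9:40000")
		fmt.Printf("policy=%d addr=%q err=%v\n", p, addr, err)
	}
}
```

With the optional policy the headerless connection is accepted and attributed to the peer address, so a load balancer that has stopped sending the header goes unnoticed; with the mandatory policy the same connection fails at accept time.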