Proxy Geo secondary HTTP pushes + LFS through Workhorse

What does this MR do and why?

As the secondary is read-only, we want to ensure pushes are proxied to the primary, while reads are served localy, same with LFS files.

Screenshots or screen recordings

How to set up and validate locally

This is not particularly useful on its own, and its functionality depends on !71711 (merged). Because unified URL proxying isn't very straightforward to test in the GDK, this is also likely easier to test in an Omnibus Geo setup, so the steps assume it:

1. Rebase this locally on !71711 (merged) (cat-always-redirect-geo-primary-external-url)
2. Configure the Geo proxying and use unified URLs:

   1. In the secondary gitlab.rb, set the external URL to be the same as the primary and add:

      gitlab_workhorse['env'] = {
          "GEO_SECONDARY_PROXY" => "1"
      }

   2. Then, run a gitlab-ctl reconfigure and gitlab-ctl restart gitlab-workhorse

   3. In a primary Rails node, run gitlab-rails runner "Feature.enabled(:geo_secondary_proxy)"

   4. For the primary, set a separate internal URL (you can use the IP directly), and edit the secondary's URL to be the same URL as the primary

3. Manually point your unified URL to the secondary (through /etc/hosts or otherwise)
4. Attempt a HTTP(s) push and notice you get redirected to /-/push_from_secondary and then the push works, proxied to the primary
5. Try to push & pull LFS through HTTP(s) and SSH and notice everything working.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.