Description
When connecting directly to an IP with TLS, no SNI is sent. Currently that means we fall back to sending a default certificate for localhost every time.
That's not perfect though, and if this becomes more common (could happen: https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/) we might want to support this better. It should be possible for all but transparent connections, as we have the original IP from the tunnel. If you tunnel to 1.1.1.1 and then create a TLS connection without SNI, we should send a certificate for 1.1.1.1 back, not localhost.
It looks like this would be possible by tweaking http-combo-server.ts to create a dynamic TLS context in that case, instead of just using the fixed TLS server context every time as now. Might have some perf overhead, unclear.