sni-router: extend PROXY-protocol sync list to four pieces

mtg now also sends PROXY v2 on the fronting dial (introduced in the
previous commit via [domain-fronting].proxy-protocol = true), so the
"Real client IPs" section's sync list must include that fourth piece.
Without it, an operator who disables Caddy's PROXY listener wrapper
without also flipping [domain-fronting].proxy-protocol will leave mtg
sending an unparsed PROXY v2 prefix to Caddy on every fronted probe.

contrib/sni-router/README.md

 
 HAProxy forwards TCP connections to mtg and Caddy with a PROXY protocol
 v2 header so both backends see the real client IP instead of HAProxy's
-container address.  The three pieces must stay in sync:
+container address.  Caddy also receives PROXY v2 from mtg on the
+fronting path (see "Fronting loop" below), so all four pieces below
+must stay in sync:
 
 - `haproxy.cfg` — `send-proxy-v2` on the `mtg` and `web` backend `server` lines
-- `mtg-config.toml` — `proxy-protocol-listener = true`
+- `mtg-config.toml` — `proxy-protocol-listener = true` (HAProxy → mtg)
+- `mtg-config.toml` — `[domain-fronting].proxy-protocol = true` (mtg → Caddy on fronting)
 - `Caddyfile` — `listener_wrappers { proxy_protocol { ... } tls }` on `:8443`
 
-If you disable one, disable all three, otherwise the backend will fail
+If you disable one, disable all four, otherwise the backend will fail
 to parse the connection.
 
 ## Fronting loop (why `[domain-fronting]` is set explicitly)