feat: CoreDNS IPv4 上游、03-03 Tomcat 修复、HAProxy 与验证脚本

- Ansible: 部署时自动配置 CoreDNS forward 为 IPv4，避免 ACME 解析失败
- 01-01/01-07: 文档增加 CoreDNS 设置说明
- 03-03: Tomcat webapps.dist 复制、HTTP/HTTPS 双 Ingress、显式 Dashboard IngressRoute
- traefik-dashboard-acme: tomcat-acme.yaml、404 排查说明
- HAProxy: 健康检查与 PROXY 配置拆分，18080/18443 部署与验证脚本

Made-with: Cursor

ansible/files/01-08-haproxy/haproxy-https.cfg

@@ -0,0 +1,41 @@
+# 01-08 HAProxy - 3.4 HTTPS 健康检查（443 应用层，HAProxy 终结 TLS，由 HAProxy 提供证书）
+# frontend 需 bind *:443 ssl，backend mode http 连 K3s:443 做 HTTP over TLS 检查
+# 将 your-ingress.example.com 改为实际 Host；将 /etc/ssl/haproxy.pem 改为实际证书路径
+# 自签/内网 CA 用 verify none，生产建议 ca-file
+# 文档：docs/01-08-openwrt-haproxy.md 第 3.4 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443 ssl crt /etc/ssl/haproxy.pem
+    mode http
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode http
+    option httpchk GET / HTTP/1.1\r\nHost:\ your-ingress.example.com
+    default-server ssl verify none
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check