Skip backend cert verification for L7 re-encrypt routes

When backend_tls=true, the h2 transport was verifying the backend's
TLS certificate. This fails when the backend address is an IP (no
IP SANs) or uses a self-signed cert. Backend connections are to
trusted internal services — skip verification. Also change rift
metrics port to 9091 to avoid conflict with exod on 9090.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:41:58 -07:00
parent 279f110050
commit 357ad60e42
2 changed files with 6 additions and 3 deletions


@@ -175,10 +175,13 @@ func newTransport(route RouteConfig) (http.RoundTripper, error) {
}
if route.BackendTLS {
// TLS to backend (h2 over TLS).
// TLS to backend (h2 over TLS). Backend cert verification is
// skipped — the proxy connects to trusted internal backends
// that may use IP addresses or self-signed certificates.
return &http2.Transport{
TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: true, //nolint:gosec // trusted backend
},
}, nil
}
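Review bot: setting `InsecureSkipVerify: true` in the `route.BackendTLS` branch turns off all certificate verification for every h2 re-encrypt route, not only the IP-address or self-signed cases the commit message describes, so the proxy can no longer tell a real backend from anything that answers on the same address; that is the one defence TLS to the backend was providing, and the accompanying `//nolint:gosec // trusted backend` suppresses the linter finding that would have flagged it. The two stated problems have narrower fixes in the same `tls.Config`: for IP-address backends, keep verification on and set `ServerName` to the DNS name the backend certificate actually carries (the name used for verification is decoupled from the dial address); for self-signed or internal-CA certificates, load that CA into `RootCAs` from a per-route setting instead of trusting everything. If a route genuinely cannot verify a chain, gate the skip behind an explicit per-route option (a hypothetical `route.BackendInsecureSkipVerify`, not a field that exists in this diff) so the default stays verified, and pair it with a `VerifyConnection` callback that pins the backend certificate or its SPKI; Go still invokes `VerifyConnection` when `InsecureSkipVerify` is set, so the connection is still authenticated to a known key. Whichever option is chosen, the comment on the `MinVersion` line above should say why verification is relaxed for this route and what still binds the connection to the intended backend, rather than asserting that internal backends are trusted.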