Add Prometheus metrics for connections, firewall, L7, and bytes transferred

Instrument mc-proxy with prometheus/client_golang. New internal/metrics/
package defines counters, gauges, and histograms for connection totals,
active connections, firewall blocks by reason, backend dial latency,
bytes transferred, L7 HTTP status codes, and L7 policy blocks. Optional
[metrics] config section starts a scrape endpoint. Firewall gains
BlockedWithReason() to report block cause. L7 handler wraps
ResponseWriter to record status codes per hostname.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/firewall/firewall.go

@@ -71,18 +71,25 @@ func New(geoIPPath string, ips, cidrs, countries []string, rateLimit int64, rate
 
 // Blocked returns true if the given address should be blocked.
 func (f *Firewall) Blocked(addr netip.Addr) bool {
+	blocked, _ := f.BlockedWithReason(addr)
+	return blocked
+}
+
+// BlockedWithReason returns whether the address is blocked and the reason.
+// Possible reasons: "ip", "cidr", "country", "rate_limit", or "" if not blocked.
+func (f *Firewall) BlockedWithReason(addr netip.Addr) (bool, string) {
 	addr = addr.Unmap()
 
 	f.mu.RLock()
 	defer f.mu.RUnlock()
 
 	if _, ok := f.blockedIPs[addr]; ok {
-		return true
+		return true, "ip"
 	}
 
 	for _, prefix := range f.blockedCIDRs {
 		if prefix.Contains(addr) {
-			return true
+			return true, "cidr"
 		}
 	}
 
@@ -90,7 +97,7 @@ func (f *Firewall) Blocked(addr netip.Addr) bool {
 		var record geoIPRecord
 		if err := f.geoDB.Lookup(addr.AsSlice(), &record); err == nil {
 			if _, ok := f.blockedCountries[record.Country.ISOCode]; ok {
-				return true
+				return true, "country"
 			}
 		}
 	}
@@ -98,10 +105,10 @@ func (f *Firewall) Blocked(addr netip.Addr) bool {
 	// Rate limiting is checked after blocklist — no point tracking state
 	// for already-blocked IPs.
 	if f.rl != nil && !f.rl.Allow(addr) {
-		return true
+		return true, "rate_limit"
 	}
 
-	return false
+	return false, ""
 }
 
 // AddIP adds an IP address to the blocklist.

internal/firewall/firewall_test.go

@@ -170,6 +170,47 @@ func TestRateLimitBlocklistFirst(t *testing.T) {
 	}
 }
 
+func TestBlockedWithReason(t *testing.T) {
+	fw, err := New("", []string{"10.0.0.1"}, []string{"192.168.0.0/16"}, nil, 2, time.Minute)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer fw.Close()
+
+	tests := []struct {
+		addr       string
+		wantBlock  bool
+		wantReason string
+	}{
+		{"10.0.0.1", true, "ip"},
+		{"192.168.1.1", true, "cidr"},
+		{"172.16.0.1", false, ""},
+	}
+
+	for _, tt := range tests {
+		addr := netip.MustParseAddr(tt.addr)
+		blocked, reason := fw.BlockedWithReason(addr)
+		if blocked != tt.wantBlock {
+			t.Fatalf("BlockedWithReason(%s) blocked = %v, want %v", tt.addr, blocked, tt.wantBlock)
+		}
+		if reason != tt.wantReason {
+			t.Fatalf("BlockedWithReason(%s) reason = %q, want %q", tt.addr, reason, tt.wantReason)
+		}
+	}
+
+	// Test rate limit reason: use a fresh IP that will exceed the limit.
+	rlAddr := netip.MustParseAddr("10.10.10.10")
+	fw.BlockedWithReason(rlAddr)                    // 1
+	fw.BlockedWithReason(rlAddr)                    // 2
+	blocked, reason := fw.BlockedWithReason(rlAddr) // 3 — should be blocked
+	if !blocked {
+		t.Fatal("expected rate limit block")
+	}
+	if reason != "rate_limit" {
+		t.Fatalf("reason = %q, want %q", reason, "rate_limit")
+	}
+}
+
 func TestRuntimeMutation(t *testing.T) {
 	fw, err := New("", nil, nil, nil, 0, 0)
 	if err != nil {