ea3ca94e53
Probe resistance (probeResist=code:403) was always returning 400 Bad Request instead of the configured status code because the non-proxy-form request validation check (req.URL.Scheme != "http") ran before Authenticate(). Browser/scanner probes send GET / HTTP/1.1 which has an empty URL scheme, so they were rejected at the validation gate before probe resistance ever had a chance to respond. Swap the order: run Authenticate() first so probe resistance can intercept non-proxy-form probes with the configured decoy response. Legitimate clients with correct credentials proceed to request validation and routing as before.