Machine ID: Support for split proxy address operation

[strideynet]

Sometimes, tbot will need to connect to the proxy using an address that is not the address that the proxy itself thinks it is available on. Whilst the initial connection may succeed, tbot will then use the results from the proxy ping in making other connections, and this will fail. Currently, this is mostly just a problem for Application Access Tunnel since that requires the Web port and not the reverse tunnel as most other functionality requires (and which is already handled via TELEPORT_TUNNEL_PUBLIC_ADDR)

Options:

• TELEPORT_WEB_PUBLIC_ADDR env var to complement TELEPORT_TUNNEL_PUBLIC_ADDR ? We will have to keep adding more of these as we leverage other ports.
• Same as above, but instead of using env vars, use tbot's own configuration.
• Some kind of "Please use the proxy_server I've specified regardless of what the Ping says"
  • This works very well assuming that the same port is in use for all types of access e.g TLS multiplexing is in use
  • This falls apart if they use separate ports for these things. We'd have to guess the address based on the hostname provided in proxy_server and the public_addr/listen_addr for that protocol. It's fairly challenging to complete that guess, and sometimes we won't have a public_addr and will only have a listen_addr. Other parts of Teleport that leverage this sort of guesswork are fairly buggy.

[webvictim]

Issue reference for more details on TELEPORT_TUNNEL_PUBLIC_ADDR (as this isn't documented): https://github.com/gravitational/teleport/issues/27885