[feat] add ACME-based certificate management using go-acme/lego

- Introduced a new `legoManager` for managing per-domain TLS certificates.
- Implemented ACME HTTP-01 challenge handling with a configurable webroot directory.
- Created `NewLegoManagerFromEnv` to initialize ACME settings from environment variables.
- Added `verifyDomainsResolve` to validate domain DNS resolutions.
- Updated `.gitignore` to include ACME cache and webroot directories.
- Updated `go.mod` and `go.sum` with new dependencies, including `go-acme/lego`.

.env.example

@@ -47,14 +47,43 @@ HOP_SERVER_DTLS_LISTEN=:8443
 # 메인 도메인 (예: example.com)
 HOP_SERVER_DOMAIN=example.com
 
-# 프록시용 서브도메인/별도 도메인 목록 (콤마 구분)
-# 예: api.example.com,edge.example.com
-HOP_SERVER_PROXY_DOMAINS=api.example.com,edge.example.com
-
 # 디버깅용 플래그
 # 1. self signed localhost cert 사용여부 (debug: true -> 사용)
 HOP_SERVER_DEBUG=true
 
+# ---- ACME / Let's Encrypt (server-side) ----
+#
+# ACME 계정 이메일 (필수)
+# ACME account email (required)
+HOP_ACME_EMAIL=admin@example.com
+#
+# ACME/lego 캐시 디렉터리 (인증서 및 계정 정보 저장) (필수)
+# ACME/lego cache directory (stores certs and account data) (required)
+HOP_ACME_CACHE_DIR=./acme-cache
+#
+# ACME 디렉터리 URL (선택, 기본값은 Let's Encrypt production/staging)
+# ACME directory URL (optional, defaults to Let's Encrypt production/staging)
+# 예: https://acme-staging-v02.api.letsencrypt.org/directory
+#HOP_ACME_CA_DIR=
+#
+# true 이면 Let's Encrypt Staging CA 사용 (테스트용)
+# If true, use Let's Encrypt Staging CA (for testing)
+HOP_ACME_USE_STAGING=true
+#
+# 도메인 DNS가 resolve 되어야 할 기대 IP 목록 (콤마 구분, 옵션)
+# Expected IPs that domains must resolve to via 1.1.1.1 DNS (comma-separated, optional)
+# 예: 1.2.3.4,5.6.7.8
+#HOP_ACME_EXPECT_IPS=1.2.3.4,5.6.7.8
+#
+# ACME HTTP-01 webroot 디렉터리 (필수, webroot 모드 사용 시)
+# go-acme/lego 가 /.well-known/acme-challenge/{token} 파일을 생성하는 디렉터리입니다.
+# 메인 HTTP 서버는 이 디렉터리에서 해당 토큰 파일을 서빙해야 합니다.
+# ACME HTTP-01 webroot directory (required when using webroot mode).
+# go-acme/lego writes challenge files here and the main HTTP server must serve
+# /.well-known/acme-challenge/{token} from this directory.
+HOP_ACME_WEBROOT=./acme-webroot
+
+
 # ---- PostgreSQL (server-side) ----
 #
 # PostgreSQL DSN (required), e.g.:
@@ -71,7 +100,6 @@ HOP_DB_DSN=postgres://user:pass@localhost:5432/hopgate?sslmode=disable
 # e.g. "30m", "1h"
 #HOP_DB_CONN_MAX_LIFETIME=30m
 
-
 # ---- Client settings ----
 
 # DTLS 서버 주소 (host:port)
@@ -89,4 +117,4 @@ HOP_CLIENT_LOCAL_TARGET=127.0.0.1:8080
 
 # 디버깅용 플래그
 # 1. self signed 인증서를 신뢰(인증서 체인 검증 스킵)
-HOP_CLIENT_DEBUG=true
+HOP_CLIENT_DEBUG=true