feat: support fail_closed option from caddy-blocker-plugin

New field from upstream plugin: when the real client IP is
indeterminate (trusted proxy present but no usable XFF entry),
fail_closed=true blocks the request instead of passing it through.

- Add fail_closed to GeoBlockSettings type
- Include in mergeGeoBlockSettings (OR semantics: either global or host enables it)
- Emit fail_closed in buildBlockerHandler (only when true)
- Parse geoblock_fail_closed from form in both settings and proxy-host actions
- Add Checkbox UI in the Advanced accordion of GeoBlockFields

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/components/proxy-hosts/GeoBlockFields.tsx

@@ -6,10 +6,12 @@ import {
   AccordionSummary,
   Autocomplete,
   Box,
+  Checkbox,
   Chip,
   CircularProgress,
   Collapse,
   Divider,
+  FormControlLabel,
   Grid,
   IconButton,
   Stack,
@@ -468,6 +470,19 @@ export function GeoBlockFields({ initialValues, showModeSelector = true }: GeoBl
                     helperText="Used to parse X-Forwarded-For. Use private_ranges for all RFC-1918 ranges."
                   />
 
+                  <Tooltip title="When enabled, requests where the real client IP cannot be determined (e.g. behind a trusted proxy with no usable X-Forwarded-For) are blocked. Default: off (fail-open).">
+                    <FormControlLabel
+                      control={
+                        <Checkbox
+                          name="geoblock_fail_closed"
+                          defaultChecked={initial?.fail_closed ?? false}
+                          size="small"
+                        />
+                      }
+                      label={<Typography variant="body2">Fail closed (block indeterminate IPs)</Typography>}
+                    />
+                  </Tooltip>
+
                   <Divider />
 
                   <Grid container spacing={2}>