
httpd: harden MI/HTTP interface with safe default and Basic Auth#3851

Open
dondetir wants to merge 1 commit into OpenSIPS:master from dondetir:feature/mi-http-security-hardening

Conversation

@dondetir

Summary

This addresses #2939 by implementing the two hardening steps discussed in the issue:

Step A — Safe default binding (immediate fix)

Change the default ip modparam from wildcard (0.0.0.0/::) to 127.0.0.1, preventing the management interface from being accidentally exposed to the network on fresh installations. As noted in the issue, the residential helper script sets SIP to listen on 127.0.0.1:5060 while httpd defaults to all interfaces — this inconsistency is now resolved.

Step B — HTTP Basic Authentication

Add three new modparams to the httpd module:

  • auth_realm — realm string for WWW-Authenticate challenges (default: "OpenSIPS MI")
  • auth_username — required username for HTTP access
  • auth_password — required password for HTTP access

When both auth_username and auth_password are configured, every HTTP request must present valid Basic Auth credentials. Unauthenticated or incorrectly authenticated requests receive a 401 Unauthorized response.

Implementation notes

  • The authentication check runs once per request on the first MHD callback invocation, before allocating per-request state, avoiding redundant checks on subsequent callbacks during POST processing.
  • Uses libmicrohttpd's built-in Basic Auth API (MHD_basic_auth_get_username_password / MHD_queue_basic_auth_fail_response).
  • Includes version guards for MHD_free() (available since 0.9.56), falling back to free() on older library versions.
  • Empty username is rejected at startup.
  • Documentation updated for all new parameters, including a warning to enable TLS when using Basic Auth.

Testing

  • Builds clean with -Wall -Wextra -Werror, zero warnings
  • All 2545 unit tests pass
  • Runtime verified: 401 without credentials, 401 with wrong credentials, 200 with correct credentials
  • Confirmed httpd binds to loopback only with the new default

Change the default 'ip' modparam from wildcard (0.0.0.0/::) to
127.0.0.1, preventing the management interface from being accidentally
exposed to the network on fresh installations.

Add HTTP Basic Authentication support via three new modparams:
  - auth_realm: the realm string for WWW-Authenticate challenges
  - auth_username: required username for HTTP access
  - auth_password: required password for HTTP access

When both auth_username and auth_password are set, every HTTP
request must present valid Basic Auth credentials.  Requests with
missing or incorrect credentials receive a 401 Unauthorized response.

The authentication check runs once per request (on the first callback
invocation, before allocating per-request state), avoiding redundant
checks on subsequent MHD callbacks and preventing potential resource
leaks during POST processing.

The implementation uses libmicrohttpd's built-in Basic Auth API with
version guards for MHD_free() (available since 0.9.56), falling back
to free() on older versions.

Closes OpenSIPS#2939
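As an added example that is not the PR's or OpenSIPS's own code: the Basic Auth gate described in the notes above, modelled in C without libmicrohttpd so it compiles stand-alone. The module calls MHD_basic_auth_get_username_password(); here the Authorization header is decoded by hand, and the credentials, the 64-byte per-request state and the handler signature are assumptions.

```c
/* Added example, not OpenSIPS code: the Basic Auth gate the PR describes, modelled
 * without libmicrohttpd so it compiles stand-alone (the module itself calls
 * MHD_basic_auth_get_username_password(); here the header is decoded by hand). */
#include <stdlib.h>
#include <string.h>
static const char *AUTH_USER = "admin";  /* auth_username modparam (constructed value) */
static const char *AUTH_PASS = "s3cret"; /* auth_password modparam (constructed value) */
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode base64 into out (NUL-terminated); returns the length, or -1 on bad input. */
static int b64_decode(const char *in, char *out, size_t outlen) {
    size_t n = 0; unsigned bits = 0; int nbits = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(B64, *in);
        if (!p) return -1;
        bits = (bits << 6) | (unsigned)(p - B64); nbits += 6;
        if (nbits < 8) continue;
        nbits -= 8;
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)((bits >> nbits) & 0xff);
    }
    out[n] = '\0';
    return (int)n;
}

/* Compare without returning at the first differing byte (the length still leaks). */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i; unsigned d = (unsigned)(la ^ lb);
    for (i = 0; i < la && i < lb; i++) d |= (unsigned)(a[i] ^ b[i]);
    return d == 0;
}

/* 200 if the Authorization header carries the configured user:pass, else 401. */
int check_basic_auth(const char *authz) {
    char dec[256]; char *colon;
    if (!authz || strncmp(authz, "Basic ", 6) != 0) return 401;
    if (b64_decode(authz + 6, dec, sizeof dec) < 0 || !(colon = strchr(dec, ':'))) return 401;
    *colon = '\0';
    return (ct_equal(dec, AUTH_USER) && ct_equal(colon + 1, AUTH_PASS)) ? 200 : 401;
}

/* Models the MHD access handler: it runs several times per request and *con_cls is NULL
 * only on the first call, so auth is checked there, before any per-request state exists. */
int mi_http_handler(const char *authz, void **con_cls) {
    if (*con_cls == NULL) {
        if (check_basic_auth(authz) != 200) return 401; /* module queues the realm challenge here */
        if (!(*con_cls = calloc(1, 64))) return 500;    /* 64-byte state is a constructed stand-in */
    }
    return 200; /* later callbacks for the same request skip the check */
}
```

A rejected request returns before calloc(), which is the leak-avoidance point the PR makes; a real build would also pass the auth_realm string into the 401 challenge.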