Enable "user-agent" detection in Resource Rules Configuration

[shanelord01]

Summary

Add support for matching inbound requests by HTTP header values — particularly the User-Agent header — within the Resource Rules configuration.

This would allow conditional routing or authentication based on client type (e.g. mobile vs desktop browsers, API clients, or device families).

Motivation

Today Pangolin rules can match only by Path, IP, IP Range, or Country.
Apps can identify their official clients through the User-Agent string or custom headers (X-Client-Type, X-Emby-Client, etc.).
Being able to match on these values would enable use cases such as:

Allowing official mobile apps through without proxy-level auth while still protecting web logins (Zero-Trust layering).

Creating different auth policies for APIs vs interactive UIs.

Applying custom rate limits or CrowdSec bouncers only to specific client classes.

Without header matching, administrators must work around this using extra proxies or duplicate domains.

Proposed Solution

Extend the Resource Rules “Match Type” list to include Header (or specifically User-Agent) with operators such as:

Header Equals / Header Contains / Header Regex
Example syntax:

Match Type: Header
Header Name: User-Agent
Operator: contains
Value: Immich
Action: ACCEPT

Alternatives Considered

Running an external NGINX front proxy to filter by User-Agent before Pangolin (redundant and fragile).

Additional Context

No response