Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist.
And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.