Fixes#38217
## Problem
Turnstile CAPTCHA verification uses `http.DefaultClient`, so the request
to `challenges.cloudflare.com` bypasses Gitea's configured HTTP proxy —
unlike other outbound HTTP clients such as the update checker
(`modules/updatechecker/update_checker.go`) and migrations. In
deployments where egress is only permitted through the configured proxy,
verification fails.
## Fix
Build the client with `proxy.Proxy()` as the transport proxy, mirroring
the update checker:
```go
func httpClient() *http.Client {
return &http.Client{
Transport: &http.Transport{
Proxy: proxy.Proxy(),
},
}
}
```
The client is built per call (rather than a package-level var) because
`proxy.Proxy()` reads `setting.Proxy` when invoked; building it at
request time ensures it reflects the loaded settings. When no proxy is
configured, behavior is unchanged (`proxy.Proxy()` returns a no-op /
`http.ProxyFromEnvironment`).
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>