prevent SSRF in Nostr websocket connections

[snarfed]

Need to block localhost domains, GCP internal domains, internal IP ranges, non-wss schemes, etc.

https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html