Fully support client CAs with access-lists

This commit changes access-list IP directives to be implemented using
the nginx "geo" directive.

This allows IP-based blocks to return 444 (drop connection) on
authorization failure when the "Drop Unauthorized" is enabled.

It also allows the implementation of "Satisfy Any" with the new
client CA certificate support - i.e. Satisfy Any can allow clients
from the local network to skip client certificate challenge, or drop
down to requesting basic authentication.

It should be noted that including basic authentication requirements
in Satisfy Any mode does prevent a 444 response from being sent, as
the basic auth challenge requires the server to respond.

docker/rootfs/etc/nginx/nginx.conf

@@ -73,6 +73,7 @@ http {
 
 	# Files generated by NPM
 	include /etc/nginx/conf.d/*.conf;
+	include /data/nginx/client/*.conf;
 	include /data/nginx/default_host/*.conf;
 	include /data/nginx/proxy_host/*.conf;
 	include /data/nginx/redirection_host/*.conf;

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh

@@ -21,6 +21,7 @@ mkdir -p \
 	/data/logs \
 	/data/access \
 	/data/clientca \
+	/data/nginx/client \
 	/data/nginx/default_host \
 	/data/nginx/default_www \
 	/data/nginx/proxy_host \