Add configurable blacklists to the global traffic router
Production deployments require ways to quickly kill traffic: blocking certain networks or IPs, certain user agents, or even requested URLs (legal requirements, for instance). In practical terms:
- add configurable blacklists to NGINX (global, applied to all sites):
  - user-agent blacklist
  - requested URL blacklist
- add configurable blocks to iptables (this can use our existing ipset-based implementation, which already integrates with the firewall module)
- write user-facing documentation of the above
Edited by ale
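
One way the lists in this issue could be rendered from plain-text files, as an added example that is not part of the issue or the project's code: a POSIX shell script that turns operator-edited lists into NGINX `map` blocks and `ipset restore` input, refusing a list outright if any entry is malformed. The set name `blocked_nets`, the variables `$blocked_ua` and `$blocked_url`, and the one-entry-per-line list format are assumptions.

```shell
#!/bin/sh
# Render operator-edited lists into NGINX map blocks and "ipset restore"
# input. Set, variable and map names are hypothetical, not the project's own.

# Drop comment lines, surrounding whitespace and blank lines.
clean_list() {
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Fail closed: succeed only if every line of $1 matches the ERE $2.
all_match() {
    [ -z "$1" ] || ! printf '%s\n' "$1" | grep -E -q -v -e "$2"
}

render_ua_map() {   # stdin: literal User-Agent substrings
    list=$(clean_list)
    all_match "$list" '^[^"\\]+$' || return 1   # would break NGINX quoting
    echo 'map $http_user_agent $blocked_ua {'
    echo '    default 0;'
    # Escape regex metacharacters so entries match literally, ignoring case.
    [ -z "$list" ] || printf '%s\n' "$list" |
        sed -e 's/[].[*^$+?(){}|]/\\&/g' -e 's/.*/    "~*&" 1;/'
    echo '}'
}

render_url_map() {  # stdin: exact paths; $uri is the normalized request path
    list=$(clean_list)
    all_match "$list" '^/[^"\\]*$' || return 1
    echo 'map $uri $blocked_url {'
    echo '    default 0;'
    [ -z "$list" ] || printf '%s\n' "$list" | sed -e 's/.*/    "&" 1;/'
    echo '}'
}

render_ipset() {    # stdin: IPv4 addresses or CIDR networks
    list=$(clean_list)
    all_match "$list" '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' || return 1
    # Fill a scratch set, then swap, so the live set is never half-loaded.
    echo 'create blocked_nets hash:net'
    echo 'create blocked_nets_tmp hash:net'
    echo 'flush blocked_nets_tmp'
    [ -z "$list" ] || printf '%s\n' "$list" | sed -e 's/^/add blocked_nets_tmp /'
    echo 'swap blocked_nets_tmp blocked_nets'
    echo 'destroy blocked_nets_tmp'
}

# Demo on a constructed list (documentation address ranges).
printf '# sample\n198.51.100.0/24\n203.0.113.7\n' | render_ipset
```

The `map` blocks belong in the `http` context, while the enforcing `if ($blocked_ua) { return 403; }` has to be included in each `server` block because `if` is not valid at `http` level. The ipset output is meant to be loaded with `ipset -exist restore` and referenced from a single `iptables -m set --match-set blocked_nets src -j DROP` rule.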