Configure nginx to behave correctly behind the load balancer.

Created by: smarnach

This PR fixes the nginx configuration to not overwrite the X-Forwarded-* headers, and adds HTTP basic authentication to direct HTTP requests to the backend. The load balancer is configured to authenticate to the backends, and the appserver link in OCIM is updated to include username and password.

Furthermore, the protocol field is removed, since all instances use HTTPS now.

Testing instructions

I recommend testing this on stage, which will make it easier to successfully deploy an instance. Note that this PR involves a migration which can't be reverted. (Well, it could be reverted, since the field that is removed contains the same value for all instances.)

New instances should

• require HTTP authentication when trying to contact the appserver directly by IP address.
• allow HTTP access to an appserver by IP address using the username and password given in the "Settings" tab of the instance.
• allow HTTP access to the appserver using the "Authenticated Link" in the "Status" section of an appserver.
• work normally when activated and contacted via the domain name, and not require authentication.
• use HTTPS when addressed by domain name, and browsers should show a green lock symbol in the address bar (this is at least what Chrome and Firefox should do; other browser might indicate secure content in a different way).

All links to the instance in OCIM should be HTTPS links, while the direct link to the backend should be an HTTP link.