IP access list control was implemented as default success for an
empty access control list - but this had the effect of an empty list
default allowing if "Satisfy Any" was set.
Fortunately this was bugged, so empty lists default failed - but this
broke empty lists for "Satisfy All".
This patch is the correct fix: lists now always default fail, but an
empty list removes the check from access control considerations.
This restores the original implementations behavior and fixes the bug.
This commit changes access-list IP directives to be implemented using
the nginx "geo" directive.
This allows IP-based blocks to return 444 (drop connection) on
authorization failure when the "Drop Unauthorized" is enabled.
It also allows the implementation of "Satisfy Any" with the new
client CA certificate support - i.e. Satisfy Any can allow clients
from the local network to skip client certificate challenge, or drop
down to requesting basic authentication.
It should be noted that including basic authentication requirements
in Satisfy Any mode does prevent a 444 response from being sent, as
the basic auth challenge requires the server to respond.
