Introduce Berghain

This introduces a proof-of-work challenge protection capability for our
public-facing reverse proxies. For the beginning this is enabled only
for Atlas, starting with the Mailman3 and Redmine hosts, as those
backends were recently found to be particularly prone to excess load
from distributed bots which our existing filtering does not manage to
tame well enough.

The added page can be an inconvenience and inhibit clients without
JavaScript support, especially scripts. Hence particular care is taken to
only enable this for sites and paths which would otherwise require
JavaScript for correct operation anyways, and exemptions for common
search engine crawlers are implemented based on their user agents and
source addresses.

Additionally limiting to only take effect after a certain rate limit
threshold was considered, however the assumption was made that
experiencing the page upon the first request to a website is less
annoying than experiencing it during further browsing.

The cookie expirations are kept reasonably high, however can be lowered
if stricter measures are deemed necessary in the future. Further the
option to introduce levels (different hold times or expirations based on
severity) is left open.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>