Optional cf support

[dmp42]

This implements our earlier Cloudfront discussion.

I wrote this to be as simple as possible - although the impact is important.

Things to understand:

1. to be active, this uses the following (undocumented) configuration:

    storage_redirect: true
    cloudfront:
        base: 'http://XXXXX.cloudfront.net'
        keyid: 'XXXX'
        keysecret: 'somefile.pem'

The keysecret is a keypair generated by the AMZ admin. The keyid is not the same as the S3 keyid. The base is the public domain name that hosts the cloudfront content (beware: we must use cloudfront names for now).

I don't think there is a point in documenting this feature for the current release.

1. If only storage_redirect is true and there is no cloudfront key, S3 redirect signing will be used instead.
2. when active, this redirects all image layers (both private and public) to a cloudfront signed url
3. the given signed url is valid for 60 seconds
4. once the delay has expired, that url is 403
5. we don't keep signed urls - each time we are requested, we generate a new signed url
6. cloudfront share the cache between signed urls. Which means the same resource signed twice will be hot the second time
7. from a security standpoint, we need to think about the best / proper ttl for the signature (60 seconds might be too much)

@shin- @samalba

[samalba]

LGTM