add proxy host for the security archive

add a proxy host that can be used by the workers to access the embargoed queue (and the regular archive, so that we can test it in the meantime).

this proxy should be accessible only to the IP addresses of the configured workers.

Requirements:

• address of the embargoed queue is kept hidden. clients will access something like https://ci.debian.org/debian-security-proxy
• only CI workers have access to this proxy, probably using client certificate authentication (the same certs we already use for rabbitmq auth) is possible. if this fails, restrict by IP address.