denial of service risk in ngx_http_auth_pam_module

ngx_http_auth_pam loads before ngx_http_access and therefore does not honor allow/deny rules.

this can be exploited to e.g. brute-force PAM passwords from disallowed networks.

more detail here: https://github.com/sto/ngx_http_auth_pam_module/issues/25

patch has been submitted upstream: https://github.com/sto/ngx_http_auth_pam_module/pull/26

however, it may be worth fixing here as well.

@ctrochalakis @onovy for visibility.

Edited by khimaros
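
To find configurations exposed to the issue reported above, the following added example (not part of the original report or of the module's code) lists every `location` block where `auth_pam` is active and `allow`/`deny` rules are also in effect, including inherited ones. It assumes nginx's usual inheritance (local `allow`/`deny` rules replace inherited ones, `auth_pam off` disables PAM auth); the sample config is constructed, and the naive tokenizer does not follow `include` files or handle quoted `{`, `}`, `;` or `#`.

```python
import re

# Constructed sample config (not from the original report).
SAMPLE = """
http {
    server {
        auth_pam "Restricted";           # inherited by the locations below
        auth_pam_service_name "nginx";
        location /admin {
            allow 192.0.2.0/24;
            deny all;
        }
        location /public { auth_pam off; allow 192.0.2.0/24; deny all; }
        location /users { }
    }
}
"""

def audit(conf_text):
    """Return (location header, access rules) for every location block in
    which auth_pam is active and allow/deny rules are in effect."""
    text = re.sub(r"#[^\n]*", "", conf_text)           # drop comments
    tokens = re.findall(r"[^{};]+|[{};]", text)
    stack = [{"header": "main", "pam": False, "acl": [], "own_acl": False}]
    findings, pending = [], ""
    for tok in tokens:
        if tok == "{":                                  # open block, inherit parent settings
            parent = stack[-1]
            stack.append({"header": " ".join(pending.split()), "pam": parent["pam"],
                          "acl": list(parent["acl"]), "own_acl": False})
            pending = ""
        elif tok == ";":                                # end of a simple directive
            words, pending, ctx = pending.split(), "", stack[-1]
            if not words:
                continue
            if words[0] == "auth_pam":
                ctx["pam"] = words[1:] != ["off"]
            elif words[0] in ("allow", "deny"):
                if not ctx["own_acl"]:                  # local rules replace inherited ones
                    ctx["acl"], ctx["own_acl"] = [], True
                ctx["acl"].append(" ".join(words))
        elif tok == "}":
            ctx, pending = stack.pop(), ""
            if ctx["header"].startswith("location") and ctx["pam"] and ctx["acl"]:
                findings.append((ctx["header"], ctx["acl"]))
        else:
            pending = tok
    return findings

if __name__ == "__main__":
    for header, rules in audit(SAMPLE):
        print(f"{header}: auth_pam active together with {rules}")
```
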