Change authorization behaviour for /metrics endpoint.

[rorymckinley]

Currently the /metrics endpoint uses the protection approach suggested by the author or Promex. If authorization fails, the promex plug is not loaded and a 404 is returned.

This has, so far, worked well. Recently I have encountered a potential consumer of metrics that will make the initial request sans credentials (whether using Basic or Bearer auth). It expects the host to reply with an HTTP 401 after which it will send a second request that contains the appropriate Authorization header.

This issue is to implement an alternative Authorization mechanism that will return HTTP 401 on Authorization failure.