Integration improvements

This release makes a few changes for QIS to integrate more easily with an existing web site.

• Allow cross-origin file uploads by default (still requires a valid API auth token)
• Only serve TLS 1.2+ by default
• Record the x-forwarded-for header in the Apache access logs
• Add a new web session background login API - turns an API auth token into a QIS session cookie - for displaying images on a web site that require the user to be logged into QIS
• Add a .well-known directory and URL - for Let's Encrypt verification and other uses

Bug fixes:

• Docker deployments - add missing documentation in running.md for setting the ownership of host directories when using Docker on Linux (issue #28)