This adds both redirect-to-signed-URL and proxy fileserving.
The proxy fileserving is somewhat limited: we don't support the Range header,
and it isn't easy to reuse the net/http ServeContent implementation because
that requires a SeekCloser. I think it might be possible to "bodge" a
SeekCloser on top of dynamically opening files, but it'll be a bit wonky and
will be slower than strictly necessary.
We add the hash of the file to the static assets, so they can be cached
indefinitely. This also, however, means that we need some way of referring to
them.
