URL auth: override status code and send custom headers
Currently we're hardcoded to 401 if the backend refuses authentication. 403 might also be desirable, or 30x with a Location header.
This needs two things:
- capability to set a custom status (including message)
- capability to send headers that will be forwarded to the client
The latter can also be used to set cookies, so is useful by itself.
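
One way the two capabilities could be applied safely when the backend's refusal is relayed to the client, as an added example that is not the project's own code. The function name, the status and header allowlists, and the trusted redirect host are all assumptions made for illustration.

```python
# Added example: hypothetical names, not the project's API.
import re
from urllib.parse import urlsplit

ALLOWED_STATUS = {401, 403, 301, 302, 303, 307, 308}          # assumed policy
FORWARDABLE = {"set-cookie", "location", "www-authenticate"}  # assumed allowlist
TRUSTED_REDIRECT_HOSTS = {"login.example.com"}                # constructed sample value
CTL = re.compile(r"[\x00-\x1f\x7f]")                          # CR, LF and other controls


def safe_location(value):
    """Accept site-relative paths or https URLs on a trusted host only."""
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        return value.startswith("/") and not value.startswith(("//", "/\\"))
    return parts.scheme == "https" and parts.hostname in TRUSTED_REDIRECT_HOSTS


def denial_response(status, reason, headers):
    """Map the auth backend's refusal onto the response sent to the client.

    headers is a list of (name, value) pairs so repeated Set-Cookie survives.
    Returns (status, reason, forwarded_headers).
    """
    forwarded = []
    for name, value in headers:
        if name.lower() not in FORWARDABLE:
            continue  # drops Connection, Content-Length, internal headers
        if CTL.search(name) or CTL.search(value):
            continue  # CR/LF in a header would allow response splitting
        if name.lower() == "location" and not safe_location(value):
            continue  # refuse to become an open redirect
        forwarded.append((name, value))
    has_location = any(n.lower() == "location" for n, _ in forwarded)
    if status not in ALLOWED_STATUS or (300 <= status < 400 and not has_location):
        # Fall back to the current hardcoded behaviour.
        status, reason = 401, "Unauthorized"
        forwarded = [(n, v) for n, v in forwarded if n.lower() != "location"]
    reason = CTL.sub("", reason)[:64]  # custom message, stripped and bounded
    return status, reason, forwarded
```

The fallback to 401 keeps today's behaviour whenever the backend asks for a status outside the allowlist or a redirect without a usable target.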