Block non-get and non-head requests
What does this MR do?
Related issue: #217890 (closed)
This MR adds a check for maintenance mode when applied through application settings. The database will always be read-only when maintenance mode is on.
Example of a write request through the API:
curl -vvvX DELETE -H "Content-Type: application/json" \
-d '{"private_token":"9i9gVHhE_-wnsFx8PE4z"}' \
http://localhost:3000/api/v4/projects/8
* Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 3000 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3000 (#0)
> DELETE /api/v4/projects/8 HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 40
>
* upload completely sent off: 40 out of 40 bytes
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Request-Id: ar7JYKachq
< X-Runtime: 0.145333
< Date: Wed, 04 Nov 2020 17:39:40 GMT
< Content-Length: 73
<
* Connection #0 to host localhost left intact
{"message":"You cannot perform write operations on a read-only instance"}* Closing connection 0
Example of a read request:
curl -X GET -i -H "Accept: application/json" -d '{"private_token":"9i9gVHhE_-wnsFx8PE4z"}' http://localhost:3000/api/v4/projects/8
HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
Content-Type: application/json
Etag: W/"3187bae6ac3b5e1634102f999f0143e1"
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Feature-Category: projects
X-Request-Id: HQeuoAMiK65
X-Runtime: 1.588262
Date: Wed, 04 Nov 2020 17:36:05 GMT
Content-Length: 796
{"id":8,...}
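The two exchanges above, modelled as an added example that is not the MR's own code: a minimal Rack-style middleware that lets GET and HEAD through and answers every other method with the 403 JSON body shown, whenever a maintenance-mode lookup (assumed here as a callable, standing in for the application setting) returns true.

```ruby
require 'json'

# Added example, not GitLab's implementation: a Rack-style middleware that
# reproduces the behaviour described in this MR. The maintenance-mode lookup
# is passed in as a callable (an assumption standing in for the setting).
class ReadOnlyGuard
  READ_METHODS = %w[GET HEAD].freeze
  MESSAGE = 'You cannot perform write operations on a read-only instance'

  def initialize(app, maintenance_mode:)
    @app = app
    @maintenance_mode = maintenance_mode # re-evaluated on every request
  end

  def call(env)
    method = env['REQUEST_METHOD'].to_s.upcase
    # Block only when maintenance mode is on and the method is not read-only.
    if @maintenance_mode.call && !READ_METHODS.include?(method)
      body = JSON.generate('message' => MESSAGE)
      return [403, { 'Content-Type' => 'application/json' }, [body]]
    end
    @app.call(env)
  end
end

# Constructed stand-in for the API app: reports which method reached it.
UPSTREAM = lambda do |env|
  [200, { 'Content-Type' => 'application/json' },
   [JSON.generate('handled' => env['REQUEST_METHOD'])]]
end

# Runs one request through the guard and returns [status, parsed JSON body].
def simulate(method, maintenance_on)
  guard = ReadOnlyGuard.new(UPSTREAM, maintenance_mode: -> { maintenance_on })
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/api/v4/projects/8' }
  status, _headers, body = guard.call(env)
  [status, JSON.parse(body.join)]
end

if __FILE__ == $PROGRAM_NAME
  %w[GET HEAD DELETE POST].each { |m| p [m, simulate(m, true)] }
  p ['DELETE with maintenance mode off', simulate('DELETE', false)]
end
```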
Screenshots (strongly suggested)
Example of a write request through the web UI:
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Aakriti Gupta