mirror of https://github.com/e107inc/e107.git synced 2025-08-08 15:46:44 +02:00

Support NGINX $host in Downloads hotlink protection

Fixes: #4010
Related: #3111

==== Problem ====
If there are two download mirrors, `slow.example.com` and
`fast.example.com`, hotlink protection using an NGINX `secure_link_md5`
expression in the Downloads plugin cannot distinguish between these
hostnames.

This means that a user limited to `slow.example.com` can change the
download host to `fast.example.com` and download from the better mirror.

==== Solution ====
To solve this, `NginxSecureLinkMd5Decorator` needs to support the NGINX
`$host` variable.  Having this variable in the expression will lock down
the secure link to the specific download host.
Deltik
2019-11-05 13:33:48 -06:00
parent 281db68aa2
commit a8887d2a5e
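
The effect described in the commit message, as an added example that is not part of the commit or of e107: a token computed the way NGINX `secure_link_md5` expects it (MD5 of the expanded expression, base64url without padding) is checked on both mirrors, once with and once without `$host` in the expression. The function names, the secret, the path and the client address are constructed for illustration, and both mirrors are assumed to share one expression and secret.

```php
<?php
// Added illustration; not e107 code. Secret, path and client IP are constructed.

// Token in the form NGINX secure_link_md5 verifies: MD5 of the expanded
// expression, base64url-encoded with the padding removed.
function secure_link_token(string $expression, array $vars): string
{
    $expanded = strtr($expression, $vars); // longest variable name matches first
    return rtrim(strtr(base64_encode(md5($expanded, true)), '+/', '-_'), '=');
}

// What a mirror does with an incoming request: rebuild the token from its own
// view of the request and compare it in constant time.
function mirror_accepts(string $expression, array $request, string $token): bool
{
    if ((int) $request['$secure_link_expires'] < time()) {
        return false; // link has expired
    }
    return hash_equals(secure_link_token($expression, $request), $token);
}

$issued_for = array(
    '$secure_link_expires' => (string) (time() + 3600),
    '$uri'                 => '/files/release.zip',
    '$remote_addr'         => '203.0.113.7',
    '$host'                => 'slow.example.com',
);
// Same path, expiry and client address, but seen by the other mirror.
$other_mirror = array_merge($issued_for, array('$host' => 'fast.example.com'));

$expressions = array(
    'without $host' => '$secure_link_expires$uri$remote_addr constructed-secret',
    'with $host'    => '$secure_link_expires$uri$remote_addr$host constructed-secret',
);

foreach ($expressions as $label => $expr) {
    $token = secure_link_token($expr, $issued_for);
    printf(
        "%-14s slow.example.com=%s fast.example.com=%s\n",
        $label,
        var_export(mirror_accepts($expr, $issued_for, $token), true),
        var_export(mirror_accepts($expr, $other_mirror, $token), true)
    );
}
```

Only the expression containing `$host` makes the second mirror reject the token, which is why the variable has to be present in both the NGINX configuration and the plugin's expression.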


@@ -9,7 +9,8 @@ class NginxSecureLinkMd5Decorator implements SecureLinkDecorator
public static $SUPPORTED_VARIABLES = array(
'$secure_link_expires',
'$uri',
'$remote_addr'
'$remote_addr',
'$host',
);
static function supported_variables() {
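Review bot: Listing `'$host'` in `$SUPPORTED_VARIABLES` only makes the variable available, so an existing `download_security_expression` that omits it still yields links that validate on every mirror. Consider documenting in the class docblock or the preference help text that `$host` must appear in both the NGINX `secure_link_md5` expression and the plugin's expression, and add a unit test asserting that two different hosts produce different hashes for the same expiry, path and remote address.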
@@ -37,7 +38,8 @@ class NginxSecureLinkMd5Decorator implements SecureLinkDecorator
array(
$expiry,
$url_parts['path'],
$_SERVER['REMOTE_ADDR']
$_SERVER['REMOTE_ADDR'],
$url_parts['host'],
),
$prefs['download_security_expression']
);
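Review bot: `$url_parts['host']` is read with no visible check that the key is set, so a download URL without a host component (a path-only URL, for example) would raise an undefined-index notice and hash an empty string where NGINX substitutes a real `$host`. NGINX also lowercases `$host` and drops any port, so suggest passing `strtolower($url_parts['host'])` behind an `isset()` guard and failing with a clear error instead of issuing a link that can never validate.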