Do not expose /_synapse/admin publicly by default

Fixes #685 (Github Issue).

roles/matrix-nginx-proxy/defaults/main.yml

@@ -149,6 +149,26 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
 # This needs to be equal or higher than the maximum upload size accepted by Synapse.
 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
 
+
+# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server.
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
+
+# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server.
+# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
+
+# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
+# the location prefixes that get forwarded to the Matrix Client API server.
+# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
+  {{
+    (['/_matrix'])
+    +
+    (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
+    +
+    (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
+  }}
+
 # Controls whether proxying for the Matrix Federation API should be done.
 matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

@@ -105,29 +105,6 @@
 		{{- configuration_block }}
 	{% endfor %}
 
-	{#
-		This handles the Matrix Client API only.
-		The Matrix Federation API is handled by a separate vhost.
-	#}
-	location /_matrix {
-		{% if matrix_nginx_proxy_enabled %}
-			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
-			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
-			proxy_pass http://$backend;
-		{% else %}
-			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
-		{% endif %}
-
-		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
-
-		client_body_buffer_size 25M;
-		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
-		proxy_max_temp_file_size 0;
-	}
-
 	{% if matrix_nginx_proxy_proxy_synapse_metrics %}
 	location /_synapse/metrics {
 		{% if matrix_nginx_proxy_enabled %}
@@ -150,7 +127,11 @@
 	}
 	{% endif %}
 
-	location /_synapse {
+	{#
+		This handles the Matrix Client API only.
+		The Matrix Federation API is handled by a separate vhost.
+	#}
+	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;