Seems like Dendrite encourages serving both the Client and Federation
API at the same port.

Coming from Synapse and how things are done there, we have separate
ports. Using separate ports probably makes matrix-corporal (etc.)
integration easier, so separating the APIs by default probably makes
sense.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393

1f196f59cb

https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1311#issuecomment-945718866

when matrix_nginx_proxy_proxy_synapse_metrics is enabled

From 6f80292745

* add timeout param for nginx proxy

default value matrix_nginx_proxy_request_timeout is 60s

* default matrix_nginx_proxy_request_timeout - 60s

* few more variables for request timeout

* Update nginx.conf.j2

* Update nginx.conf.j2

* root path for the base domain

* Fix path when running in a container

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1154

According to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy,
having both a header and the `<meta>`-tag provided by Element itself is
not a problem. The 2 CSP policies get combined.

https://github.com/vector-im/element-web#configuration-best-practices

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Not sure if this is beneficial though.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.

For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)

Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket

Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022

**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.

More Production ready nginx headers for Matrix client element.