Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.

For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)

Related to https://github.com/devture/exim-relay/pull/9

Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132

We should switch back when >0.8.0 gets released.

This release fixes a denial of service attack (CVE-2021-29471) against Synapse's push rules implementation. Server admins are encouraged to upgrade.

Ref: https://github.com/matrix-org/synapse/releases/tag/v1.33.2

689dcea773 wasn't enough. The `upstream/..` tags are
just upstream sources, without the alpine-based Dockerfile.
We need to use the `docker/..` tags for that (or `master`)

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1032

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009

Related to https://github.com/devture/exim-relay/issues/6

Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132

Co-authored-by: Aaron Raimist <aaron@raim.ist>

Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket

Changelog:
https://github.com/jitsi/docker-jitsi-meet/blob/stable-5765-1/CHANGELOG.md

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009

Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022

**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.

More Production ready nginx headers for Matrix client element.

This reverts commit 1fb54a37cb.

Seems like it's been pulled or something. It used to exist, but not
anymore. Not sure what's going on.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1017

Related to
https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010

This reverts commit f825c7c263.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010

Expected to have regressed after https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008

This patch comes with its own downsides (as described in the comments
for matrix_prometheus_node_exporter_container_http_host_bind_port),
but at least there's:
- no security issue
- metrics remain readable from matrix-prometheus (even if the network metrics are inaccurate)

A better patch is certainly welcome.