matrix-docker-compose/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf


# TLS virtual host on port 443 (IPv4 and IPv6, HTTP/2). It routes Matrix/Synapse
# paths to the Synapse worker containers and serves everything else from /www.
# Regex locations are tested in the order they appear and the first match wins,
# so the order of the blocks below is part of the access policy.
# NOTE(review): no server_name is set in this block, so which Host values it
# answers for depends on the rest of the nginx configuration - confirm.
# NOTE(review): ssl_protocols / ssl_ciphers are not set here; nginx defaults or
# http-level settings apply - verify they meet the intended TLS baseline.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /ssl/chain.crt;
# NOTE(review): the file name suggests an unencrypted private key - confirm the
# file and its mount are readable only by the nginx process.
ssl_certificate_key /ssl/certificate.keyplain;
# Upper bound on request bodies for every location in this server.
# NOTE(review): presumably meant to track Synapse's max_upload_size - confirm.
client_max_body_size 25m;
# 403/404 responses generated by nginx itself (e.g. the metrics deny rule, a
# missing file under /www) are redirected internally to /403_404.html.
# proxy_intercept_errors is not set in this block, so error responses coming
# from the Synapse upstreams are expected to pass through unchanged.
error_page 403 404 /403_404.html;
# NOTE(review): the body is plain text but is labelled application/json, so a
# client that parses it as JSON will fail. The location is not marked
# `internal`, so it can also be requested directly.
location = /403_404.html {
default_type application/json;
return 200 'You are not authorized to access this page.';
}
# Anything no regex location below claims is served as static files from /www.
location / {
root /www;
}
# Sync requests -> sync worker.
# In every proxied location, X-Forwarded-For is set to $remote_addr, which
# replaces any X-Forwarded-For value sent by the client; the upstream therefore
# sees the peer address nginx saw.
# NOTE(review): if another proxy or load balancer sits in front of nginx,
# $remote_addr is that proxy's address - confirm the topology.
# Host is forwarded as $http_host, i.e. the client-supplied header as received.
# NOTE(review): upstream traffic is plain HTTP; this assumes the container
# network between nginx and the workers is trusted - confirm.
location ~ ^/_matrix/client/(r0|v3)/sync$|^/_matrix/client/(api/v1|r0|v3)/events$|^/_matrix/client/(api/v1|r0|v3)/initialSync$|^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://synapse-worker-sync:8008;
}
# Federation requests -> federation worker. Each alternative is anchored at the
# start of the URI; most are prefix matches (no trailing $).
location ~ ^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(v1|v2)/send_join/|^/_matrix/federation/(v1|v2)/send_leave/|^/_matrix/federation/(v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/|^/_matrix/federation/v1/send/ {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://synapse-worker-federation:8008;
}
# Client requests -> generic worker.
# The room-ID segments use `.*`, which can span `/`, unlike the `[^/]+` used in
# the sync block above. These patterns list api/v1, r0 and unstable but not v3,
# so v3 requests for these endpoints fall through to the catch-all (main).
location ~ ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$|^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$|^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$|^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$|^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$|^/_matrix/client/(api/v1|r0|unstable)/account/3pid$|^/_matrix/client/(api/v1|r0|unstable)/devices$|^/_matrix/client/(api/v1|r0|unstable)/keys/query$|^/_matrix/client/(api/v1|r0|unstable)/keys/changes$|^/_matrix/client/versions$|^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$|^/_matrix/client/(api/v1|r0|unstable)/joined_groups$|^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$|^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/|^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/|^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$|^/_matrix/client/(api/v1|r0|unstable)/search$ {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://synapse-worker-generic:8008;
}
# Metrics -> main process on port 9000, restricted to five source addresses;
# every other client gets nginx's 403 (rendered through the error_page above).
# allow/deny are evaluated against the connecting peer address, not against
# the X-Forwarded-For header.
# This block must stay above the catch-all below: both are regex locations and
# the first match wins. The pattern is unanchored, so it matches any URI that
# contains /_synapse/metrics.
location ~ /_synapse/metrics {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://synapse-main:9000;
allow 10.161.228.115;
allow 10.161.228.116;
allow 10.161.228.117;
allow 10.161.228.118;
allow 10.161.228.119;
deny all;
}
# All other matrix/synapse requests go to main.
# The pattern is unanchored: it matches any URI containing /_matrix or
# /_synapse, and it has no allow/deny rules. That includes /_synapse/admin,
# which is therefore proxied for every client that can reach this listener.
# NOTE(review): if the admin API does not need to be public, give it its own
# location above this one with an allow/deny list like the metrics block.
location ~ /_matrix|/_synapse {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://synapse-main:8008;
}
}