Refuse external connections to the API

The Etherpad API is only useful for authenticated access via the
secret API key, which resides on the server's filesystem. It can
already be accessed from localhost over the nodejs listener socket,
so doesn't need to be reachable through the external Apache proxy.
Refuse connections to it through Apache in an effort to reduce
exposure to future unauthenticated or authentication bypass bugs in
the API implementation.

Change-Id: Ia5cf2f15c21eb397eeb878c81cd3c7a29f5aecbd

templates/etherpadlite.vhost.erb

@@ -78,6 +78,9 @@
       # etherpad-lite installation.
       RewriteRule ^/robots.txt$ <%= scope.lookupvar("etherpad_lite::apache::docroot") %>/robots.txt [L]
 
+      # Refuse external connections to the API through the proxy
+      RewriteRule ^/api/ - [F,L]
+
       RewriteCond %{REQUEST_URI} !^/p/
       RewriteCond %{REQUEST_URI} !^/locales/
       RewriteCond %{REQUEST_URI} !^/locales.json