Show warning on login page when connection is not end-to-end encrypted

Signed-off-by: DL6ER <dl6er@dl6er.de>

login.lp

@@ -9,6 +9,14 @@
 
 mg.include('scripts/pi-hole/lua/header.lp','r')
 
+-- Build HTTPS upgrade link if HTTP is used
+https_link = ""
+if not is_secure then
+    https_link = "https://pi.hole" .. mg.request_info.request_uri
+    if mg.request_info.query_string then
+        https_link = https_link .. "?" .. mg.request_info.query_string
+    end
+end
 ?>
 <body class="hold-transition layout-boxed login-page">
 <div class="box login-box" id="login-box">
@@ -27,6 +35,16 @@ mg.include('scripts/pi-hole/lua/header.lp','r')
                 <div class="text-center form-group has-error" id="dns-failure-label" style="display: none;">
                     <label>DNS Server failure detected, log in to see Pi-hole diagnosis messages</label>
                 </div>
+                <div class="text-center form-group has-error" id="dns-failure-label" style="display: <? if is_secure then ?>none<? else ?>block<? end ?>;">
+                    <div class="box box-danger" id="insecure-box">
+                        <div class="box-header with-border pointer no-user-select">
+                            <h3 class="box-title has-error control-label"><i class="fa fa-fw fa-triangle-exclamation"></i>&nbsp;&nbsp;Insecure network connection&nbsp;&nbsp;<i class="fa fa-fw fa-triangle-exclamation"></i></h3>
+                        </div>
+                        <div class="box-body">
+                            <p>Consider upgrading to <a href="<?=https_link?>">HTTPS</a> (end-to-end encryption)</p>
+                        </div>
+                    </div>
+                </div>
                 <div class="form-group has-error login-box-msg" id="error-label" style="display: none;">
                     <label class="control-label"><i class="fa fa-times-circle"></i> Wrong password!</label>
                 </div>

scripts/pi-hole/lua/footer.lp

@@ -59,6 +59,6 @@
 <!-- ./wrapper -->
 <script src="<?=pihole.fileversion('scripts/pi-hole/js/footer.js')?>"></script>
 
-<div id="advanced-info-data" style="display: none;" data-starttime="<?=starttime?>" data-endtime="<?=mg.time(true)?>" data-client-ip="<?=mg.request_info.remote_addr?>" data-tls="<?=tostring(mg.request_info.https)?>"></div>
+<div id="advanced-info-data" style="display: none;" data-starttime="<?=starttime?>" data-endtime="<?=mg.time(true)?>" data-client-ip="<?=mg.request_info.remote_addr?>" data-tls="<?=tostring(is_secure)?>"></div>
 </body>
 </html>

scripts/pi-hole/lua/header.lp

@@ -11,8 +11,9 @@
 starttime = mg.time(true)
 hostname = pihole.hostname()
 webhome = pihole.webhome()
+
 -- Get name of script by matching whatever is after the last "/" in the URI
-scriptname = mg.request_info.request_uri:match(pihole.webhome().."(.*)$")
+scriptname = mg.request_info.request_uri:match(webhome.."(.*)$")
 -- Fall back to "index.lp" if no match is found (e.g. when accessing the root)
 if scriptname == nil or string.len(scriptname) == 0 then scriptname = "index.lp" end
 
@@ -38,6 +39,10 @@ function in_array (val, tab)
     return false
 end
 
+-- Connection is considered secure if either running natively on HTTPS or behind
+-- a reverse proxy (e.g. Traefik)
+is_secure = mg.request_info.https or pihole.rev_proxy()
+
 ?>
 <html lang="en">
 <head>

settings-teleporter.lp

@@ -17,7 +17,7 @@ mg.include('scripts/pi-hole/lua/header_authenticated.lp','r')
             </div>
             <div class="box-body">
                 <p>Warning: This archive contains sensitive information about your Pi-hole installation, e.g. the API token and the 2FA-TOTP secret (if enabled). Please be careful with this file and do not share it with anyone even if they claim to help you.</p>
-                <? if not mg.request_info.https then ?><p class='text-danger'>Warning: You are currently not using an end-to-end encryption. This means that your API token and 2FA-TOTP secret will be transmitted in plain text. We recommend to use HTTPS when exporting your configuration.</p><? end ?>
+                <? if not is_secure then ?><p class='text-danger'>Warning: You are currently not using an end-to-end encryption. This means that your API token and 2FA-TOTP secret will be transmitted in plain text. We recommend to use HTTPS when exporting your configuration.</p><? end ?>
                 <div class="pull-right">
                     <a class="btn btn-app btn-success" href="/api/teleporter" target="_blank">
                         <i class="fa fa-save"></i><br>Export