authorSimon Rettberg2017-03-20 21:30:33 +0100
committerSimon Rettberg2017-03-20 21:30:33 +0100
commit2aa709e968482756c0343dbecf079913cd16ba52 (patch)
tree6284e55c25d48b0d434042c9baccfeb9842db8bc /modules-available/webinterface
parent[sysconfig] Add ConfigTgz::rebuildAllConfigs() (diff)
downloadslx-admin-2aa709e968482756c0343dbecf079913cd16ba52.tar.gz
slx-admin-2aa709e968482756c0343dbecf079913cd16ba52.tar.xz
slx-admin-2aa709e968482756c0343dbecf079913cd16ba52.zip
[webinterface] Remember last HTTPS config; add redirect to HTTPS setting
Functionality in the LighttpdHttps task is still missing, so the new redirect setting doesn't really do anything yet. This refs #3058 @2h
Diffstat (limited to 'modules-available/webinterface')
-rw-r--r--modules-available/webinterface/lang/de/messages.json6
-rw-r--r--modules-available/webinterface/lang/de/template-tags.json10
-rw-r--r--modules-available/webinterface/lang/en/messages.json6
-rw-r--r--modules-available/webinterface/lang/en/template-tags.json12
-rw-r--r--modules-available/webinterface/page.inc.php87
-rw-r--r--modules-available/webinterface/templates/https.html32
-rw-r--r--modules-available/webinterface/templates/passwords.html1
7 files changed, 142 insertions, 12 deletions
diff --git a/modules-available/webinterface/lang/de/messages.json b/modules-available/webinterface/lang/de/messages.json
new file mode 100644
index 00000000..24ca7d5f
--- /dev/null
+++ b/modules-available/webinterface/lang/de/messages.json
@@ -0,0 +1,6 @@
+{
+ "https-on-cert-missing": "HTTPS ist aktiviert, das Zertifikat ist jedoch nicht vorhanden. Bitte nehmen Sie die HTTPS-Konfiguration erneut vor.",
+ "https-used-without-cert": "HTTPS wird gerade verwendet, obwohl kein Zertifikat installiert ist. Falls Sie die Webserver-Konfiguration manuell angepasst haben, um HTTPS zu aktivieren beachten Sie bitte, dass die Konfiguration bei einem zuk\u00fcnftigen Server-Update ohne Nachfrage \u00fcberschrieben werden k\u00f6nnte.",
+ "https-want-off-is-used": "HTTPS wird gerade verwendet, obwohl es laut Einstellungen deaktiviert ist. Merkw\u00fcrdig.",
+ "https-want-redirect-is-plain": "Weiterleitung von HTTP auf HTTPS ist aktiviert, trotzdem scheint die Verbindung Ihres Browsers mit dem Server unverschl\u00fcsselt zu sein. Nehmen Sie die Konfiguration erneut vor und wenden Sie sich an den Support, wenn das Problem weiterhin besteht."
+} \ No newline at end of file
diff --git a/modules-available/webinterface/lang/de/template-tags.json b/modules-available/webinterface/lang/de/template-tags.json
index 3ac6186c..ea1074d2 100644
--- a/modules-available/webinterface/lang/de/template-tags.json
+++ b/modules-available/webinterface/lang/de/template-tags.json
@@ -1,17 +1,23 @@
{
- "lang_HttpsIsDisabled": "HTTPS ist derzeit deaktiviert",
"lang_applyingSettings": "Anwenden der Einstellungen",
"lang_caChain": "Optional k\u00f6nnen Sie hier die zum Zertifikat geh\u00f6rende Zertifikatkette (CA-Chain) einf\u00fcgen. Dies wird ben\u00f6tigt, wenn das Zertifikat nicht direkt von einer der in Browsern mitgeliferten CAs signiert wurde. Die Datei enth\u00e4lt ein oder meherere Zertifikatsbl\u00f6cke, im gleichen Format wie das oben gezeigte Zertifikat.",
"lang_certificate": "Bitte f\u00fcgen Sie hier das Zertifikat ein. Das Zertifikat wird im Base64-codierten x509-Format erwartet (manchmal pem genannt). Es sieht in etwa wie folgt aus:",
"lang_customCert": "Eigenes Zertifikat verwenden",
+ "lang_generatedSelected": "Der Server verwendet zur Zeit ein automatisch generiertes, selbst signiertes Zertifikat.",
"lang_hidePasswords": "Passw\u00f6rter maskieren",
"lang_httpsDescription": "Hier k\u00f6nnen Sie festlegen, ob das Web-Interface auch per HTTPS erreichbar sein soll, und welches Zertifikat daf\u00fcr verwendet werden soll.",
+ "lang_httpsRedirect": "Anfragen per HTTP immer auf HTTPS umleiten (sofern aktiviert)",
"lang_httpsSettings": "HTTPS-Konfiguration",
"lang_installAndRestart": "Zertifikat installieren und Webserver neustarten",
"lang_noHttps": "HTTPS wieder deaktivieren, aktuelles Zertifikat l\u00f6schen",
+ "lang_offSelected": "HTTPS ist derzeit deaktiviert.",
"lang_passwordFields": "Passwortfelder",
"lang_passwordsDescription": "Legen Sie fest, ob Passwortfelder in der Web-Schnittstelle maskiert werden, oder ob Ihr Inhalt sichtbar sein soll. Wenn Sie die Schnittstelle in einer sicheren Umgebung nutzen (keine neugierigen Augen), kann dies den Komfort erh\u00f6hen. Das Passwortfeld der Anmeldemaske ist von dieser Einstellung ausgenommen.",
"lang_privateKey": "Bitte f\u00fcgen Sie hier den privaten Schl\u00fcssel ein, der zum obigen Zertifikat geh\u00f6rt. Er muss ebenfalls im \"pem\"-Format vorliegen, und sieht wie folgt aus:",
"lang_randomCert": "Neues selbstsigniertes Zertifikat generieren",
- "lang_showPasswords": "Passw\u00f6rter anzeigen"
+ "lang_showPasswords": "Passw\u00f6rter anzeigen",
+ "lang_suppliedSelected": "Der Server verwendet zur Zeit ein \u00fcber die Option \"Eigenes Zertifikat\" hochgeladenes Zertifikat.",
+ "lang_unknownSelected": "Unbekanntes oder ung\u00fcltiges Zertifikat vorhanden. Wahrscheinlich wurde der Server von einer alten Version aktualisiert. Um diese Meldung zu entfernen, die HTTPS-Konfiguration erneut vornehmen.",
+ "lang_youreNotUsingHttps": "Sie besuchen diese Seite nicht per HTTPS (oder die HTTPS-Terminierung wird von einem vorgeschalteten Proxy \u00fcbernommen).",
+ "lang_youreUsingHttps": "Sie besuchen diese Seite (aus Sicht des Webservers) per HTTPS."
} \ No newline at end of file
diff --git a/modules-available/webinterface/lang/en/messages.json b/modules-available/webinterface/lang/en/messages.json
new file mode 100644
index 00000000..803dc73f
--- /dev/null
+++ b/modules-available/webinterface/lang/en/messages.json
@@ -0,0 +1,6 @@
+{
+ "https-on-cert-missing": "HTTPS is enabled, but the certificate is missing. Please redo the configuration steps.",
+ "https-used-without-cert": "HTTPS is currently used, but there is no certificate installed. If you tweaked the web server's configuration manually to enable HTTPS bear in mind that a future server update might overwrite your modified configuration without asking.",
+ "https-want-off-is-used": "HTTPS is currently in use although it is disabled in the settings. Very weird indeed.",
+ "https-want-redirect-is-plain": "HTTP to HTTPS redirects are enabled, but the connection from your browser appears to be unencrypted. Please redo the HTTPS configuration and contact support if the problem persists."
+} \ No newline at end of file
diff --git a/modules-available/webinterface/lang/en/template-tags.json b/modules-available/webinterface/lang/en/template-tags.json
index 4d91e4b6..cdf2b920 100644
--- a/modules-available/webinterface/lang/en/template-tags.json
+++ b/modules-available/webinterface/lang/en/template-tags.json
@@ -1,17 +1,23 @@
{
- "lang_HttpsIsDisabled": "HTTPS is currently disabled",
"lang_applyingSettings": "Applying settings",
"lang_caChain": "Here you can paste an optional certificate chain. It should only be required if you have a certificate that was not directly signed by a certificate authority known by the browsers. It should contain one or more certificate blocks, looking just like the certificate above.",
"lang_certificate": "Please paste your certificate below. It has to be in base64 encoded x509 format (sometimes called pem). It should look something like this:",
"lang_customCert": "Supply own certificate",
+ "lang_generatedSelected": "The server is currently using an automatically generated, self-signed certificate.",
"lang_hidePasswords": "Mask passwords",
"lang_httpsDescription": "Here you can set whether the web interface should be accessible via https. You can chose if you want to use a random self signed certificate, or supply your own.",
+ "lang_httpsRedirect": "Redirect incoming HTTP requests to HTTPS (if enabled).",
"lang_httpsSettings": "HTTPS settings",
"lang_installAndRestart": "Installing certificate and restarting web server",
"lang_noHttps": "Disable HTTPS, delete current certificate",
+ "lang_offSelected": "HTTPS is currently disabled.",
"lang_passwordFields": "Password fields",
"lang_passwordsDescription": "Set whether password fields should be masked or not. The password field of the login page to the web interface is always masked.",
"lang_privateKey": "Please paste the private key belonging to the certificate here. It has to be in \"pem\" format too, which should look like this:",
"lang_randomCert": "Generate new self-signed certificate",
- "lang_showPasswords": "Show passwords"
-}
+ "lang_showPasswords": "Show passwords",
+ "lang_suppliedSelected": "The server is currently using a certificate supplied using the \"Supply own certificate\" option.",
+ "lang_unknownSelected": "Unknown or invalid certificate in use. The server war probably updated from an old version while HTTPS was already enabled. Redo the HTTPS configuration steps to get rid of this message.",
+ "lang_youreNotUsingHttps": "You're not using HTTPS to visit this website (or the HTTPS termination is done by a reverse proxy).",
+ "lang_youreUsingHttps": "You're visiting this server through an HTTPS connection (from the server's point of view)."
+} \ No newline at end of file
diff --git a/modules-available/webinterface/page.inc.php b/modules-available/webinterface/page.inc.php
index 3c4304cd..35e14dc5 100644
--- a/modules-available/webinterface/page.inc.php
+++ b/modules-available/webinterface/page.inc.php
@@ -3,6 +3,9 @@
class Page_WebInterface extends Page
{
+ const PROP_REDIRECT = 'webinterface.https-redirect';
+ const PROP_TYPE = 'webinterface.https-type';
+
protected function doPreprocess()
{
User::load();
@@ -33,13 +36,17 @@ class Page_WebInterface extends Page
case 'custom':
$task = $this->setHttpsCustomCert();
break;
+ default:
+ $task = $this->setRedirectMode();
+ break;
}
if (isset($task['id'])) {
Session::set('https-id', $task['id']);
Util::redirect('?do=WebInterface&show=httpsupdate');
}
+ Util::redirect('?do=WebInterface');
}
-
+
private function actionShowHidePassword()
{
Property::setPasswordFieldType(Request::post('mode') === 'show' ? 'text' : 'password');
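Review bot: The new `default:` branch treats every unrecognised or missing `mode` value as a request to change only the redirect setting. Because an unchecked checkbox is simply absent from the POST body, such a request ends up storing the redirect as 'False' (see `setRedirectMode()` further down in this file). An explicit case label for the redirect-only submit, with a `default:` that changes nothing, would keep a malformed or stale form post from silently switching the HTTP-to-HTTPS redirect off. The enclosing method starts above this hunk, so whatever permission or token check guards it is not visible here.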
@@ -48,10 +55,57 @@ class Page_WebInterface extends Page
protected function doRender()
{
+ //
+ // HTTPS
+ //
if (Request::get('show') === 'httpsupdate') {
Render::addTemplate('httpd-restart', array('taskid' => Session::get('https-id')));
}
- Render::addTemplate('https', array('httpsEnabled' => file_exists('/etc/lighttpd/server.pem')));
+ $type = Property::get(self::PROP_TYPE);
+ $force = Property::get(self::PROP_REDIRECT) === 'True';
+ $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+ $exists = file_exists('/etc/lighttpd/server.pem');
+ $data = array(
+ 'httpsUsed' => $https,
+ 'redirect_checked' => ($force ? 'checked' : '')
+ );
+ // Type should be 'off', 'generated', 'supplied'
+ if ($type === 'off') {
+ if ($exists) {
+ // HTTPS is set to off, but a certificate exists
+ if ($https) {
+ // User is using https, just warn to prevent lockout
+ Message::addWarning('https-want-off-is-used');
+ } else {
+ // User is not using https, try to delete stray certificate
+ $this->setHttpsOff();
+ }
+ } elseif ($https) {
+ // Set to off, no cert found, but still using HTTPS apparently
+ // Admin might have modified web server config in another way
+ Message::addWarning('https-used-without-cert');
+ }
+ } elseif ($type === 'generated' || $type === 'supplied') {
+ $data['httpsEnabled'] = true;
+ if ($force && !$https) {
+ Message::addWarning('https-want-redirect-is-plain');
+ }
+ if (!$exists) {
+ Message::addWarning('https-on-cert-missing');
+ }
+ } else {
+ // Unknown config - maybe upgraded old install that doesn't keep track
+ if ($exists || $https) {
+ $type = 'unknown'; // Legacy fallback
+ } else {
+ $type = 'off';
+ }
+ }
+ $data[$type . 'Selected'] = true;
+ Render::addTemplate('https', $data);
+ //
+ // Password fields
+ //
$data = array();
if (Property::getPasswordFieldType() === 'text')
$data['selected_show'] = 'checked';
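Review bot: `doRender()` now calls `$this->setHttpsOff()` when the stored type is 'off', the certificate file exists and the request arrived over plain HTTP, so merely viewing the page writes a property and submits a `LighttpdHttps` task. It does so again on every page load until the file is gone, and the returned task is discarded, so a failed cleanup is never reported. Consider moving the cleanup into the POST action path, or only adding a warning here as the neighbouring `$https` branch does. If the render-time cleanup stays, a comment such as `// NOTE: state change during render: removes a stray certificate while HTTPS is configured off` would make the side effect explicit. `doRender()` continues past the end of this hunk.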
@@ -62,23 +116,48 @@ class Page_WebInterface extends Page
private function setHttpsOff()
{
+ Property::set(self::PROP_TYPE, 'off');
return Taskmanager::submit('LighttpdHttps', array());
}
private function setHttpsRandomCert()
{
+ $force = Request::post('httpsredirect', false, 'string') === 'on';
+ Property::set(self::PROP_TYPE, 'generated');
+ Property::set(self::PROP_REDIRECT, $force ? 'True' : 'False');
return Taskmanager::submit('LighttpdHttps', array(
- 'proxyip' => Property::getServerIp()
+ 'proxyip' => Property::getServerIp(),
+ 'redirect' => $force,
));
}
private function setHttpsCustomCert()
{
+ $force = Request::post('httpsredirect', false, 'string') === 'on';
+ Property::set(self::PROP_TYPE, 'supplied');
+ Property::set(self::PROP_REDIRECT, $force ? 'True' : 'False');
return Taskmanager::submit('LighttpdHttps', array(
'importcert' => Request::post('certificate', 'bla'),
'importkey' => Request::post('privatekey', 'bla'),
- 'importchain' => Request::post('cachain', '')
+ 'importchain' => Request::post('cachain', ''),
+ 'redirect' => $force,
+ ));
+ }
+
+ private function setRedirectMode()
+ {
+ $force = Request::post('httpsredirect', false, 'string') === 'on';
+ Property::set(self::PROP_REDIRECT, $force ? 'True' : 'False');
+ if (Property::get(self::PROP_TYPE) === 'off') {
+ // Don't bother running the task if https isn't enabled - just
+ // update the state in DB
+ return false;
+ }
+ return Taskmanager::submit('LighttpdHttps', array(
+ 'redirectOnly' => true,
+ 'redirect' => $force,
));
}
}
+
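Review bot: Each setter stores the new state with `Property::set()` before `Taskmanager::submit()` is called and regardless of its result. The stored type can therefore say 'generated', 'supplied' or 'off' while the web server still runs the previous configuration, for example when the pasted certificate is rejected or the task cannot be queued. `doRender()` only compares the stored type with the existence of `/etc/lighttpd/server.pem`, so that mismatch would not be reported. Consider writing the properties only once the submit returned a task, e.g. `$task = Taskmanager::submit(...); if (isset($task['id'])) { Property::set(self::PROP_TYPE, 'supplied'); }`, or once the task is known to have finished. The `httpsredirect` parsing is also repeated in three methods and could live in one private helper.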
diff --git a/modules-available/webinterface/templates/https.html b/modules-available/webinterface/templates/https.html
index dfd2a3fe..294abe49 100644
--- a/modules-available/webinterface/templates/https.html
+++ b/modules-available/webinterface/templates/https.html
@@ -5,9 +5,24 @@
<div class="panel-heading">{{lang_httpsSettings}}</div>
<div class="panel-body">
<p>{{lang_httpsDescription}}</p>
- {{^httpsEnabled}}
- <p>{{lang_HttpsIsDisabled}}</p>
- {{/httpsEnabled}}
+ {{^httpsUsed}}
+ {{lang_youreNotUsingHttps}}
+ {{/httpsUsed}}
+ {{#httpsUsed}}
+ {{lang_youreUsingHttps}}
+ {{/httpsUsed}}
+ {{#offSelected}}
+ <p>{{lang_offSelected}}</p>
+ {{/offSelected}}
+ {{#unknownSelected}}
+ <p>{{lang_unknownSelected}}</p>
+ {{/unknownSelected}}
+ {{#generatedSelected}}
+ <p>{{lang_generatedSelected}}</p>
+ {{/generatedSelected}}
+ {{#suppliedSelected}}
+ <p>{{lang_suppliedSelected}}</p>
+ {{/suppliedSelected}}
{{#httpsEnabled}}
<div class="input-group" onclick="$('#moff').prop('checked', true);
$('#wcustom').hide()">
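Review bot: The `unknownSelected` text tells the admin to redo the HTTPS configuration, but the option to disable HTTPS sits inside `{{#httpsEnabled}}`, and the page.inc.php change in this commit sets `httpsEnabled` only for the 'generated' and 'supplied' types. An upgraded install that has a certificate but no stored type would therefore no longer be offered the disable option, which the old `file_exists()` based flag did offer. Setting `$data['httpsEnabled'] = true;` in the legacy fallback branch where `$type = 'unknown'` is assigned would restore it. The `{{#httpsEnabled}}` section closes outside this hunk, so its exact contents are inferred from the visible `#moff` handler.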
@@ -31,6 +46,7 @@
{{lang_customCert}}
</span>
</div>
+
<div class="well well-sm" style="display:none" id="wcustom">
{{lang_certificate}}
<pre class="small">
@@ -52,6 +68,16 @@ MIIFfTCCA...
<textarea name="cachain" class="form-control small" cols="101" rows="10"></textarea>
<hr>
</div>
+
+ <br>
+ <div class="input-group">
+ <span class="input-group-addon"><input id="httpsredirect" type="checkbox" name="httpsredirect" value="on" {{redirect_checked}}></span>
+ <span class="form-control" onclick="$('#httpsredirect').prop('checked', !$('#httpsredirect').prop('checked'))">
+ {{lang_httpsRedirect}}
+ </span>
+ </div>
+ <br>
+
<div class="pull-right">
<button type="submit" class="btn btn-primary">{{lang_save}}</button>
</div>
diff --git a/modules-available/webinterface/templates/passwords.html b/modules-available/webinterface/templates/passwords.html
index 1f23dfc4..8481d884 100644
--- a/modules-available/webinterface/templates/passwords.html
+++ b/modules-available/webinterface/templates/passwords.html
@@ -17,6 +17,7 @@
{{lang_hidePasswords}}
</span>
</div>
+ <br>
<div class="pull-right">
<button type="submit" class="btn btn-primary">{{lang_save}}</button>
</div>