Replace Basic Auth with login page, add HTTP redirect and log viewer

- Session-based login page instead of HTTP Basic Auth
- /ca.crt download works without login for easy device access
- HTTP port (default 8080) redirects to HTTPS automatically
- Nginx access/error log viewer in WebUI
- API still supports Basic Auth for curl/scripts
- Logout button and log navigation in header

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

nginx/entrypoint.sh

@@ -3,14 +3,15 @@ set -e
 
 echo "=== Starting HTTPS Proxy ==="
 
-# Set default for WEBUI_PORT
+# Set defaults
 export WEBUI_PORT="${WEBUI_PORT:-8443}"
+export WEBUI_PORT_HTTP="${WEBUI_PORT_HTTP:-8080}"
 
 # Generate certificates if needed
 /certs/generate-certs.sh
 
 # Replace env vars in nginx config template
-envsubst '${WEBUI_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
+envsubst '${WEBUI_PORT} ${WEBUI_PORT_HTTP}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
 
 # Ensure conf.d directory exists with empty config
 mkdir -p /etc/nginx/conf.d

nginx/nginx.conf

@@ -18,7 +18,14 @@ http {
     sendfile on;
     keepalive_timeout 65;
 
-    # WebUI / Admin interface
+    # HTTP -> HTTPS redirect
+    server {
+        listen ${WEBUI_PORT_HTTP};
+        server_name _;
+        return 301 https://$host:${WEBUI_PORT}$request_uri;
+    }
+
+    # WebUI / Admin interface (HTTPS)
     server {
         listen ${WEBUI_PORT} ssl default_server;
         server_name _;
@@ -27,9 +34,6 @@ http {
         ssl_certificate_key /certs/server.key;
         ssl_protocols TLSv1.2 TLSv1.3;
 
-        # Redirect plain HTTP requests to HTTPS
-        error_page 497 https://$host:$server_port$request_uri;
-
         location / {
             proxy_pass http://127.0.0.1:5000;
             proxy_set_header Host $host;