The solution I found was to set my dnsmasq to continue to resolve everything to 192.168.30.1, but to have some exceptions for captive portal test servers:
10.45.12.1 clients3.google.com
10.45.12.1 clients.l.google.com
10.45.12.1 connectivitycheck.android.com
10.45.12.1 connectivitycheck.gstatic.com
10.45.12.1 play.googleapis.com
Basically if anything tries to resolve the above domains using our DNS server, they get a reply of 10.45.12.1.
10.45.12.1 is a random IP that doesn't belong to anything. It just has to not be 192.168.30.1.
The list of domains came from here.
With this in place, as soon as you connect to the RPi's WiFi, it pops up the browser page showing my site.
This is a solution, but not really an answer to the question of why this happens. If anyone can explain it, I would appreciate it.
Edit:
With this solution, if I connect and disconnect from the WiFi on the device several times, sometimes Android pops up the login page, and sometimes it doesn't. For anyone doing something similar, in the end, for a better solution, I went with this:
- Have dnsmasq resolve everything to 10.45.12.1 (or anything outside of the 192.168.30.0/24 subnet)
- It MUST be outside of the 192.168.30.0/24 subnet (or whatever your LAN subnet is) or the client will try to use ARP to figure out the MAC address of the given device, and will fail, because the device doesn't actually exist
- Have iptables forward port 80 coming from the wifi interface to localhost
This works for Android, OS X, and Windows. I don't have an iOS device to test this with. According to this, iOS devices may require some additional work.
I'm still curious why this was even necessary, and why resolving everything to 192.168.30.1 didn't work in the first place.
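As an added example (not the original poster's code), the three steps above as a POSIX shell script: it checks that the chosen DNS "sink" address really lies outside the LAN subnet (the ARP failure described in the post), then emits the dnsmasq wildcard entry and the port-80 redirect rule. The interface name wlan0 and the web server listening on the AP's LAN address are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the WiFi interface
# is wlan0 and the captive-portal web server listens on the AP's LAN
# address; the iptables rule is printed, not applied.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 is inside CIDR network $2 (e.g. 192.168.30.0/24).
in_subnet() {
    net=${2%/*}; prefix=${2#*/}
    mask=$(( 0xFFFFFFFF << (32 - prefix) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The sink address must NOT be in the LAN subnet, otherwise clients ARP
# for a host that does not exist and the redirect never happens.
# Prints "ok" when the sink is usable, "bad" when it is inside the LAN.
check_sink() {
    if in_subnet "$1" "$2"; then echo bad; else echo ok; fi
}

# dnsmasq config: answer every name ("#" is dnsmasq's match-all domain)
# with the sink address, on the given interface.
dnsmasq_conf() {
    printf 'interface=%s\naddress=/#/%s\n' "$2" "$1"
}

# NAT rule: traffic to port 80 arriving on the WiFi interface is
# rewritten to the local web server on the AP's LAN address.
iptables_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' "$1" "$2"
}

# Walk-through with the values from the post.
if [ "$(check_sink 10.45.12.1 192.168.30.0/24)" = ok ]; then
    dnsmasq_conf 10.45.12.1 wlan0
    iptables_rule wlan0 192.168.30.1
else
    echo "sink address is inside the LAN subnet; pick another" >&2
fi
```

Redirect the dnsmasq lines into a file under /etc/dnsmasq.d/ and run the printed iptables command as root; the script only prints both so you can review them first.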
Best Answer
Most browsers enable you to get a warning if you have HTTP content on an HTTPS page. This can be very annoying if you visit sites that mix HTTP content on their HTTPS pages. From your question it appears Wikipedia is one of those. When properly set, Firefox warns me visiting this page.
A web server is not required to offer HTTPS. Many sites do not offer HTTPS, and others may only use it to secure login screens and other content that they deem requires a secure path. Even if you use HTTPS, it is still possible to determine which servers you are browsing. In many cases the server only hosts one site, so the site would be known as well.
Until recently, the certificates required for HTTPS were quite expensive. Depending on the level of trust required, the cost is still high. Banks and other organizations which require a high degree of trust and security will pay high prices for their certificates.
If you wish to hide your traffic from local monitoring, you could use a secure path to a proxy. This may raise red flags with whoever is monitoring your traffic.
If you use a private proxy, anyone downstream of the proxy would be able to determine much of the information you are trying to hide.