diff --git a/mbadmin.jps b/mbadmin.jps index 469c810..04eed0d 100644 --- a/mbadmin.jps +++ b/mbadmin.jps @@ -30,7 +30,8 @@ onInstall: -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/relay/uninstall_relay.sh) - chmod +x /home/litespeed/mbmanager/relay/*.sh # Download SSL manager script - - (cd /home/litespeed/mbmanager/ssl-manager && curl -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/ssl-manager/ssl_manager.sh) + - (cd /home/litespeed/mbmanager/ssl-manager && curl -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/ssl-manager/ssl_manager.sh \ + -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/ssl-manager/ipchecker.sh) - chmod +x /home/litespeed/mbmanager/ssl-manager/*.sh # Install Certbot for AlmaLinux - dnf install -y certbot @@ -128,8 +129,25 @@ menu: action: issue_ssl_cert settings: sslCertConfig successText: "SSL certificate for '${settings.domain}' has been issued successfully." + - confirmText: Check if the domain is resolving to the expected IP address? + loadingText: Checking Domain... + caption: Check Domain IP + action: check_domain_ip + settings: checkDomainConfig + successText: "${response.out}" settings: + checkDomainConfig: + submitUnchanged: true + fields: + - name: domain + type: text + caption: Domain Name + required: true + - name: public_ip + type: text + caption: Public IP Address + required: true wpCliConfig: submitUnchanged: true fields: @@ -542,6 +560,14 @@ actions: - return: type: info message: "SSL certificate for '${settings.domain}' has been issued successfully." + check_domain_ip: + - cmd[cp]: + user: root + commands: + - bash /home/litespeed/mbmanager/ssl-manager/ipchecker.sh -d "${settings.domain}" -i "${settings.public_ip}" + - return: + type: info + message: "${response.out}" responses: enableSuccess: diff --git a/scripts/ssl-manager/ipchecker.sh b/scripts/ssl-manager/ipchecker.sh new file mode 100644 index 0000000..0e941d3 
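Review bot: The new `curl -OL … ipchecker.sh` fetch in the `onInstall` hunk has no `--fail`, so a non-2xx answer from the deploy proxy (a 404 because the branch lacks the file, a login or error page) is saved verbatim as `ipchecker.sh` and the `chmod +x /home/litespeed/mbmanager/ssl-manager/*.sh` that follows makes it executable; the pre-existing `ssl_manager.sh` fetch on the same line has the same gap. Add `-f` so the step aborts on an HTTP error, e.g. `curl -fOL https://…/ssl_manager.sh -OL https://…/ipchecker.sh`, and since this file is later run as root from the panel, consider comparing a known checksum after download instead of executing whatever the branch head happens to serve. The `onInstall` list continues outside the hunk.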
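Review bot: In the `actions` hunk, `check_domain_ip` substitutes `${settings.domain}` and `${settings.public_ip}` textually into a command that `cmd[cp]` runs as `user: root`; as far as the YAML shows nothing escapes them, and the double quotes do not stop `$(…)`, backticks or an embedded `"` from being interpreted by that root shell, so a value typed into the Check Domain IP form is effectively passed to the shell unfiltered. The matching `checkDomainConfig` fields in the `menu` hunk only set `required: true`; constrain them at the form level to a hostname and a dotted-quad where the JPS field syntax permits a pattern, and have `ipchecker.sh` itself reject anything outside `[A-Za-z0-9.-]` for the domain and a numeric IPv4 for the address so the check does not rely on the panel alone. `successText: "${response.out}"` shows the script's stdout verbatim, which includes DNS TXT content it fetched from the domain, so keep the script's output limited to its own status lines.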
--- /dev/null
+++ b/scripts/ssl-manager/ipchecker.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# Usage function
+display_usage() {
+ echo "Usage: $0 -d -i [-t ]"
+ exit 1
+}
+
+# Parse arguments
+while getopts "d:i:t:" opt; do
+ case ${opt} in
+ d) DOMAIN=${OPTARG} ;;
+ i) EXPECTED_IP=${OPTARG} ;;
+ t) TIMEOUT=${OPTARG} ;;
+ *) display_usage ;;
+ esac
+done
+
+# Validate required arguments
+if [[ -z "$DOMAIN" || -z "$EXPECTED_IP" ]]; then
+ display_usage
+fi
+
+# Set default timeout if not provided
+TIMEOUT=${TIMEOUT:-5}
+
+# Check A record using multiple resolvers
+GLOBAL_A_RECORD=$(dig +short A "$DOMAIN" @8.8.8.8 | tail -n1)
+CLOUDFLARE_A_RECORD=$(dig +short A "$DOMAIN" @1.1.1.1 | tail -n1)
+OPENDNS_A_RECORD=$(dig +short A "$DOMAIN" @208.67.222.222 | tail -n1)
+CNAME_RECORD=$(dig +short CNAME "$DOMAIN" @1.1.1.1)
+
+if [[ "$GLOBAL_A_RECORD" == "$EXPECTED_IP" || "$CLOUDFLARE_A_RECORD" == "$EXPECTED_IP" || "$OPENDNS_A_RECORD" == "$EXPECTED_IP" ]]; then
+ echo "Domain $DOMAIN is globally resolving to $EXPECTED_IP."
+ exit 0
+fi
+
+# Detect Cloudflare Proxy
+if [[ -n "$CNAME_RECORD" ]]; then
+ echo "Cloudflare proxy detected! Domain is proxied via CNAME: $CNAME_RECORD"
+fi
+
+# Check for DNS challenge (Let's Encrypt)
+DNS_CHALLENGE=$(dig +short TXT "_acme-challenge.$DOMAIN")
+if [[ ! -z "$DNS_CHALLENGE" ]]; then
+ echo "DNS challenge found: $DNS_CHALLENGE. Domain might be using a proxy."
+fi
+
+# Check for HTTP challenge
+ROOT_FOLDER="/var/www/webroot/ROOT"
+HTTP_RESPONSE=$(curl -s --max-time $TIMEOUT "http://$DOMAIN/.well-known/acme-challenge/test" --output "$ROOT_FOLDER/http_challenge_response.txt")
+if [[ ! -z "$HTTP_RESPONSE" ]]; then
+ echo "HTTP challenge response found: $HTTP_RESPONSE. Domain might be using a proxy."
+fi
+
+# Direct verification using forced connection
+echo "Verifying domain reaches expected server via direct connection..."
+HTTP_TEST=$(curl -s --max-time $TIMEOUT --connect-to "$DOMAIN:443:$EXPECTED_IP" "https://$DOMAIN" -H "Host: $DOMAIN" -k | grep -o "VALID_RESPONSE_MARKER")
+
+if [[ "$HTTP_TEST" == "VALID_RESPONSE_MARKER" ]]; then
+ echo "Domain is correctly routing to expected server at $EXPECTED_IP. (Proxy bypass successful)"
+ exit 0
+fi
+
+# Test direct TCP connection using telnet
+echo "Testing direct TCP connection to backend..."
+echo -e "HEAD / HTTP/1.1\nHost: $DOMAIN\n\n" | timeout $TIMEOUT telnet "$EXPECTED_IP" 80 &>/dev/null
+if [[ $? -eq 0 ]]; then
+ echo "Successfully connected to expected server at $EXPECTED_IP via TCP."
+ exit 0
+fi
+
+# Final failure message
+echo "Domain does not resolve to the expected server. Cloudflare proxy might be active."
+exit 1
\ No newline at end of file
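Review bot: The HTTP-challenge probe is dead code and writes into the served document root: `curl … --output "$ROOT_FOLDER/http_challenge_response.txt"` sends the body to that file, so `HTTP_RESPONSE` is always empty and the `[[ ! -z "$HTTP_RESPONSE" ]]` branch can never fire, while whatever the (possibly proxied) front end returned is stored as root under `/var/www/webroot/ROOT` where the web server will serve it. The final TCP probe never involves `$DOMAIN` at all — it only opens `$EXPECTED_IP:80` — so the script exits 0 whenever the backend is up and the closing "does not resolve" verdict is practically unreachable; report that step as "backend reachable" rather than as success, and note that `telnet` may be absent on a minimal AlmaLinux node, in which case the probe fails with a misleading message. Both `DOMAIN` and `EXPECTED_IP` arrive from the panel form and are spliced into `dig`, curl URLs and `--connect-to`, and `$TIMEOUT` is expanded unquoted into `--max-time $TIMEOUT` and `timeout $TIMEOUT`, so each should be validated before use as in the excerpt below. The `grep -o "VALID_RESPONSE_MARKER"` check can only match if the backend is configured to return that literal, which nothing in this change does; either document where the marker is served or drop that branch. `ROOT_FOLDER` becomes unused once the `--output` goes away.
```bash
# … unchanged: getopts loop and the -z check on DOMAIN / EXPECTED_IP …
# Both values come from the panel form and are spliced into dig, curl and
# timeout: accept only a plain hostname, a dotted-quad and an integer.
[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || display_usage
[[ "$EXPECTED_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || display_usage
TIMEOUT=${TIMEOUT:-5}
[[ "$TIMEOUT" =~ ^[0-9]+$ ]] || display_usage
# … unchanged: resolver, CNAME and TXT checks …
# Only the presence of a body matters here; keep it out of the docroot.
HTTP_RESPONSE=$(curl -s --max-time "$TIMEOUT" "http://$DOMAIN/.well-known/acme-challenge/test")
if [[ -n "$HTTP_RESPONSE" ]]; then
  echo "HTTP challenge response found: $HTTP_RESPONSE. Domain might be using a proxy."
fi
```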