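#!/usr/bin/env bash
#
# Check whether a domain resolves to -- and actually routes to -- an expected
# origin server, and report hints that a CDN / reverse proxy (e.g. Cloudflare)
# sits in front of it.
#
# Usage:  domain-check.sh -d <domain> -i <expected_ipv4> [-t <timeout_seconds>] [-m <marker>]
#
#   -d  fully-qualified domain name to check
#   -i  IPv4 address the domain is expected to resolve/route to
#   -t  per-request timeout in seconds (default 5)
#   -m  string the origin is expected to include in its HTTPS response body
#       (default: VALID_RESPONSE_MARKER -- replace it with something only the
#       real origin serves, otherwise the direct check is meaningless)
#
# Exit status: 0 if the expected server was reached by at least one probe,
#              1 on usage error or if no probe reached it.
#
# Requires: dig, curl.  No telnet dependency.

set -uo pipefail

readonly DEFAULT_TIMEOUT=5
readonly DEFAULT_MARKER="VALID_RESPONSE_MARKER"

# Print usage to stderr and exit 1 (exit code kept for existing callers).
display_usage() {
  printf 'Usage: %s -d <domain> -i <expected_ipv4> [-t <timeout_seconds>] [-m <marker>]\n' "$0" >&2
  exit 1
}

# die MSG... -- print the message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# valid_domain NAME -- true if NAME is a syntactically valid hostname:
# dot-separated labels of letters, digits and hyphens, no leading/trailing
# hyphen, no path, userinfo, port or whitespace characters.  DOMAIN is
# interpolated into a URL and a Host header, so anything else is rejected
# before any request is built.
valid_domain() {
  [[ "$1" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$ ]]
}

# valid_ipv4 ADDR -- true if ADDR is a dotted quad with every octet in 0..255.
# Only IPv4 is supported because the resolver checks compare the A record
# text literally against this value.
valid_ipv4() {
  local addr=$1 octet
  [[ "$addr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  local IFS=.
  for octet in $addr; do
    # 10# forces decimal so "08" is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# valid_timeout N -- true if N is a positive integer.  It is passed to
# curl --max-time, dig +time and timeout(1), all of which take whole seconds.
valid_timeout() {
  [[ "$1" =~ ^[1-9][0-9]*$ ]]
}

main() {
  local domain="" expected_ip="" timeout="" marker="" opt

  # Leading ':' gives us the ':' (missing argument) case explicitly.
  while getopts ':d:i:t:m:' opt; do
    case "$opt" in
      d) domain=$OPTARG ;;
      i) expected_ip=$OPTARG ;;
      t) timeout=$OPTARG ;;
      m) marker=$OPTARG ;;
      :) printf 'Option -%s requires an argument\n' "$OPTARG" >&2; display_usage ;;
      *) display_usage ;;
    esac
  done
  shift $((OPTIND - 1))

  [[ -n "$domain" && -n "$expected_ip" ]] || display_usage
  timeout=${timeout:-$DEFAULT_TIMEOUT}
  marker=${marker:-$DEFAULT_MARKER}

  # Validate everything that is later interpolated into commands/URLs.
  valid_domain "$domain"    || die "Invalid domain name: $domain"
  valid_ipv4 "$expected_ip" || die "Invalid IPv4 address: $expected_ip"
  valid_timeout "$timeout"  || die "Timeout must be a positive integer: $timeout"

  # --- 1. Public resolution --------------------------------------------------
  # Ask three independent public resolvers.  +short on an aliased name prints
  # the CNAME chain first and the final A record last, hence tail -n1.
  # +time/+tries make dig honour the caller's timeout instead of its own
  # 5s x 3 default.
  local dig_opts=("+short" "+time=$timeout" "+tries=1")
  local google_a cloudflare_a opendns_a cname
  google_a=$(dig "${dig_opts[@]}" A "$domain" @8.8.8.8 | tail -n1)
  cloudflare_a=$(dig "${dig_opts[@]}" A "$domain" @1.1.1.1 | tail -n1)
  opendns_a=$(dig "${dig_opts[@]}" A "$domain" @208.67.222.222 | tail -n1)
  cname=$(dig "${dig_opts[@]}" CNAME "$domain" @1.1.1.1)

  # A single agreeing resolver is accepted (tolerates propagation lag and
  # stale caches); tighten to "all three" if you need a stricter signal.
  if [[ "$google_a" == "$expected_ip" || "$cloudflare_a" == "$expected_ip" \
        || "$opendns_a" == "$expected_ip" ]]; then
    printf 'Domain %s is globally resolving to %s.\n' "$domain" "$expected_ip"
    return 0
  fi

  # --- 2. Proxy / ACME hints (informational only) ----------------------------
  # A CNAME only means the name is an alias.  It is a hint that a CDN or
  # proxy may front the origin, not proof, and not specific to Cloudflare.
  if [[ -n "$cname" ]]; then
    printf 'CNAME record found (a CDN/proxy may be in front of the origin): %s\n' "$cname"
  fi

  # A DNS-01 ACME record means certificates were issued without HTTP access
  # to the origin -- common when a proxy fronts it, but not conclusive.
  local dns_challenge
  dns_challenge=$(dig "${dig_opts[@]}" TXT "_acme-challenge.$domain")
  if [[ -n "$dns_challenge" ]]; then
    printf 'DNS challenge found: %s. Domain might be using a proxy.\n' "$dns_challenge"
  fi

  # HTTP-01 path probe.  The body goes to a private temp file and is removed
  # on exit -- never into the web root, where a response fetched from an
  # unknown host would become content served by this site.  (The original
  # also captured nothing into the variable because -o sent the body to the
  # file, so this branch never fired.)
  local body_file http_status
  body_file=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$body_file"' EXIT
  http_status=$(curl -s --max-time "$timeout" -o "$body_file" -w '%{http_code}' \
    "http://$domain/.well-known/acme-challenge/test")
  if [[ -s "$body_file" ]]; then
    # Echo only a printable, bounded excerpt: the body is untrusted input.
    printf 'HTTP challenge response found (status %s): %s. Domain might be using a proxy.\n' \
      "${http_status:-n/a}" "$(head -c 200 -- "$body_file" | tr -cd '[:print:]')"
  fi

  # --- 3. Direct origin verification -----------------------------------------
  # --connect-to forces the TCP connection to the expected IP while curl still
  # sends DOMAIN as SNI and Host, so no explicit -H "Host:" is needed.  This
  # bypasses whatever the public DNS path points at.
  # -k is kept because origins behind a CDN commonly present certificates that
  # are not publicly trusted; with verification off, the marker in the body is
  # the only assurance here, so make sure only the real origin serves it.
  echo "Verifying domain reaches expected server via direct connection..."
  if curl -s --max-time "$timeout" --connect-to "$domain:443:$expected_ip:443" \
       -k "https://$domain" | grep -qF -- "$marker"; then
    printf 'Domain is correctly routing to expected server at %s.\n(Proxy bypass successful)\n' \
      "$expected_ip"
    return 0
  fi

  # --- 4. Plain TCP reachability ---------------------------------------------
  # bash's /dev/tcp replaces telnet, whose exit status does not reliably
  # reflect whether the connection was made.  The address is passed as an
  # argument, not interpolated into the -c script.
  # NOTE: success only proves the expected IP answers on port 80 from this
  # host; it says nothing about where the domain's public traffic goes.
  echo "Testing direct TCP connection to backend..."
  if timeout "$timeout" bash -c 'exec 3<>"/dev/tcp/$1/80"' _ "$expected_ip" 2>/dev/null; then
    printf 'Successfully connected to expected server at %s via TCP.\n' "$expected_ip"
    return 0
  fi

  echo "Domain does not resolve to the expected server. Cloudflare proxy might be active."
  return 1
}

main "$@"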