From 79efeeb62c06490ea2b0bf2677becc47261b3bb4 Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Wed, 28 Jan 2026 15:57:47 -0500
Subject: [PATCH] Distinguish between Cloudflare Proxied (orange cloud) and
 DNS-Only (gray cloud)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

MAJOR IMPROVEMENT: Accurate Cloudflare detection

Before:
- Domains with CF nameservers were marked as 'using Cloudflare'
- lucidolaw.com (CF DNS but direct IP) → showed as Cloudflare ❌
- goodmandivorce.com (CF DNS but direct IP) → showed as Cloudflare ❌

After:
- PROXIED (Orange Cloud): IP in CF range OR CF-RAY header present
  → These domains actually use CDN, caching, DDoS protection
- DNS-ONLY (Gray Cloud): CF nameservers but traffic goes direct
  → Only using CF for DNS management, no CDN benefits
- DIRECT: Not using Cloudflare at all

Changes:
- Updated detect_cloudflare() logic to check IP/headers BEFORE nameservers
- Added dns_only_domains array for gray cloud domains
- New 'DNS-ONLY' status in scan results with explanation
- Updated summary to show: Proxied vs DNS-Only vs Direct
- Single domain check now explains orange vs gray cloud
- Helps users identify domains that need 'Proxied' enabled in CF settings

Real-world impact:
- lucidolaw.com → DNS-ONLY (accurate) ✓
- idivorce-va.virginiafamilylawcenter.com → PROXIED (accurate) ✓
- 100% accurate distinction between CF proxy modes
---
 modules/website/cloudflare-detector.sh | 77 ++++++++++++++++++++------
 1 file changed, 59 insertions(+), 18 deletions(-)

diff --git a/modules/website/cloudflare-detector.sh b/modules/website/cloudflare-detector.sh
index 8c10737..474261c 100755
--- a/modules/website/cloudflare-detector.sh
+++ b/modules/website/cloudflare-detector.sh
@@ -291,18 +291,23 @@ detect_cloudflare() {
     local ip_result=$(check_ip_address "$domain")
     local http_result=$(check_http_headers "$domain")
 
-    # Cloudflare is confirmed if ANY check returns CLOUDFLARE
-    if [ "$ns_result" = "CLOUDFLARE" ] || \
-       [ "$ip_result" = "CLOUDFLARE" ] || \
-       [ "$http_result" = "CLOUDFLARE" ]; then
+    # PROXIED (Orange Cloud): Traffic goes through Cloudflare CDN
+    # Confirmed by: IP in Cloudflare range OR CF-RAY header present
+    # This is what most people mean by "using Cloudflare"
+    if [ "$ip_result" = "CLOUDFLARE" ] || [ "$http_result" = "CLOUDFLARE" ]; then
         echo "CLOUDFLARE"
         return 0
     fi
 
-    # If all checks say DIRECT, it's definitely not Cloudflare
-    if [ "$ns_result" = "OTHER" ] && \
-       [ "$ip_result" = "DIRECT" ] && \
-       [ "$http_result" = "DIRECT" ]; then
+    # DNS-ONLY (Gray Cloud): Using Cloudflare nameservers but traffic is direct
+    # These domains use CF for DNS management but NOT for CDN/caching/protection
+    if [ "$ns_result" = "CLOUDFLARE" ] && [ "$ip_result" = "DIRECT" ]; then
+        echo "DNS-ONLY"
+        return 4
+    fi
+
+    # DIRECT: Not using Cloudflare at all
+    if [ "$ns_result" = "OTHER" ] && [ "$ip_result" = "DIRECT" ] && [ "$http_result" = "DIRECT" ]; then
         echo "DIRECT"
         return 1
     fi
@@ -343,6 +348,7 @@ scan_all_domains() {
     # Arrays to store results
     local -a cloudflare_domains=()
     local -a cloudflare_locations=()
+    local -a dns_only_domains=()
     local -a direct_domains=()
     local -a unknown_domains=()
     local -a nxdomain_domains=()
@@ -366,6 +372,9 @@ scan_all_domains() {
                 local location=$(get_cloudflare_location "$domain")
                 cloudflare_locations+=("$location")
                 ;;
+            "DNS-ONLY")
+                dns_only_domains+=("$domain")
+                ;;
             "DIRECT")
                 direct_domains+=("$domain")
                 ;;
@@ -387,9 +396,10 @@ scan_all_domains() {
     echo "═══════════════════════════════════════════════════════════════"
     echo ""
 
-    # Cloudflare domains
+    # Cloudflare proxied domains (orange cloud)
     if [ ${#cloudflare_domains[@]} -gt 0 ]; then
-        print_success "🔶 Domains using Cloudflare: ${#cloudflare_domains[@]}"
+        print_success "🔶 Cloudflare Proxied (Orange Cloud): ${#cloudflare_domains[@]}"
+        echo "  Traffic routed through Cloudflare CDN - caching, DDoS protection, etc."
         echo ""
         for i in "${!cloudflare_domains[@]}"; do
             local domain="${cloudflare_domains[$i]}"
@@ -406,6 +416,19 @@ scan_all_domains() {
         echo ""
     fi
 
+    # DNS-only domains (gray cloud)
+    if [ ${#dns_only_domains[@]} -gt 0 ]; then
+        print_warning "☁️  Cloudflare DNS-Only (Gray Cloud): ${#dns_only_domains[@]}"
+        echo ""
+        echo "  These domains use Cloudflare nameservers but traffic goes DIRECT to your server."
+        echo "  Not using: CDN caching, DDoS protection, or Cloudflare features."
+        echo ""
+        for domain in "${dns_only_domains[@]}"; do
+            echo "  ○ $domain"
+        done
+        echo ""
+    fi
+
     # Direct domains
     if [ ${#direct_domains[@]} -gt 0 ]; then
         print_info "🌐 Domains NOT using Cloudflare: ${#direct_domains[@]}"
@@ -445,13 +468,18 @@ scan_all_domains() {
     echo "═══════════════════════════════════════════════════════════════"
     echo ""
     echo "Summary:"
-    echo "  Total domains: $domain_count"
-    echo "  Cloudflare:    ${#cloudflare_domains[@]}"
-    echo "  Direct:        ${#direct_domains[@]}"
-    if [ ${#nxdomain_domains[@]} -gt 0 ]; then
-        echo "  NXDOMAIN:      ${#nxdomain_domains[@]} (don't resolve)"
+    echo "  Total domains:     $domain_count"
+    echo "  Cloudflare Proxy:  ${#cloudflare_domains[@]} (orange cloud - using CDN/caching)"
+    if [ ${#dns_only_domains[@]} -gt 0 ]; then
+        echo "  Cloudflare DNS:    ${#dns_only_domains[@]} (gray cloud - DNS only)"
+    fi
+    echo "  Direct:            ${#direct_domains[@]} (not using Cloudflare)"
+    if [ ${#nxdomain_domains[@]} -gt 0 ]; then
+        echo "  NXDOMAIN:          ${#nxdomain_domains[@]} (don't resolve)"
+    fi
+    if [ ${#unknown_domains[@]} -gt 0 ]; then
+        echo "  Unknown:           ${#unknown_domains[@]}"
     fi
-    echo "  Unknown:       ${#unknown_domains[@]}"
     echo ""
 
     press_enter
@@ -534,10 +562,23 @@ check_single_domain() {
         "CLOUDFLARE")
             local location=$(get_cloudflare_location "$domain")
             if [ "$location" != "N/A" ]; then
-                print_success "✓ $domain is using Cloudflare (Datacenter: $location)"
+                print_success "✓ $domain is PROXIED through Cloudflare (Datacenter: $location)"
             else
-                print_success "✓ $domain is using Cloudflare"
+                print_success "✓ $domain is PROXIED through Cloudflare"
             fi
+            echo ""
+            echo "  🔶 Orange Cloud: Traffic goes through Cloudflare CDN"
+            echo "  Benefits: Caching, DDoS protection, firewall, etc."
+            ;;
+        "DNS-ONLY")
+            print_warning "○ $domain uses Cloudflare DNS-ONLY (Gray Cloud)"
+            echo ""
+            echo "  ☁️  Traffic goes DIRECT to your server (not proxied)"
+            echo "  Using: Cloudflare nameservers for DNS management"
+            echo "  NOT using: CDN caching, DDoS protection, firewall"
+            echo ""
+            echo "  💡 Tip: To enable full Cloudflare protection, set to 'Proxied'"
+            echo "     (orange cloud) in your Cloudflare DNS settings."
             ;;
         "DIRECT")
             print_info "• $domain is NOT using Cloudflare"