From fb19dc24e5c49c472e52e5187c32ef12d10f532c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E2=80=9CAlbert?=
Date: Thu, 5 Jan 2023 11:44:26 +0100
Subject: [PATCH] Premier commit

---
 README.md | 61 +
 agoss | 11 +
 changelog | 7 +
 confwireguard/r-ext/r-ext.ip | 36 +
 confwireguard/r-ext/r-ext.routes | 9 +
 confwireguard/r-int/r-int.ip | 36 +
 confwireguard/r-int/r-int.routes | 7 +
 confwireguard/r-vp1/r-vp1.ip | 20 +
 confwireguard/r-vp1/r-vp1.routes | 8 +
 confwireguard/r-vp2/r-vp2.ip | 18 +
 confwireguard/r-vp2/r-vp2.routes | 7 +
 confwireguard/s-infra/s-infra.ip | 12 +
 confwireguard/s-infra/s-infra.routes | 7 +
 doc/Docker-openvas.txt | 38 +
 doc/icinga.txt | 3 +
 doc/pics/e4-SAN-V2.dia | Bin 0 -> 3303 bytes
 doc/pics/e4-adm.dia | Bin 0 -> 7078 bytes
 doc/pics/e4-adm.png | Bin 0 -> 86343 bytes
 doc/pics/e4-agence.dia | Bin 0 -> 2281 bytes
 doc/pics/e4-agence.png | Bin 0 -> 16502 bytes
 doc/pics/e4-dmz-ab.png | Bin 0 -> 68642 bytes
 doc/pics/e4-dmz-ha.dia | Bin 0 -> 4755 bytes
 doc/pics/e4-dmz-ha.png | Bin 0 -> 49195 bytes
 doc/pics/e4-dmz-old.png | Bin 0 -> 52274 bytes
 doc/pics/e4-dmz-tl.dia | Bin 0 -> 5950 bytes
 doc/pics/e4-dmz-tl.png | Bin 0 -> 37584 bytes
 doc/pics/e4-dmz.dia | Bin 0 -> 5692 bytes
 doc/pics/e4-dmz.png | Bin 0 -> 31175 bytes
 doc/pics/e4-v2.3.dia | Bin 0 -> 7780 bytes
 doc/pics/e4-v2.3.png | Bin 0 -> 117308 bytes
 doc/pics/e4-v2.3x.dia | Bin 0 -> 7030 bytes
 doc/pics/e4-v2.dia | Bin 0 -> 5697 bytes
 doc/pics/e4-vpn-infra-v1.2.dia | Bin 0 -> 5676 bytes
 doc/pics/e4-vpn-infra-v1.2.png | Bin 0 -> 166247 bytes
 doc/pics/e4-vpn-infra.dia | Bin 0 -> 6303 bytes
 doc/pics/e4.dia | Bin 0 -> 5697 bytes
 doc/pics/e4.png | Bin 0 -> 110621 bytes
 doc/r-vp.txt | 23 +
 doc/s-fog.txt | 11 +
 goss/r-ext.yaml | 42 +
 goss/r-int.yaml | 35 +
 goss/r-vp1-cs.yaml | 106 +
 goss/r-vp1-old.yaml | 106 +
 goss/r-vp1.yaml | 67 +
 goss/r-vp2-cs.yaml | 105 +
 goss/r-vp2-old.yaml | 105 +
 goss/r-vp2goss.yaml | 67 +
 goss/s-adm.yaml | 80 +
 goss/s-agence.yaml | 39 +
 goss/s-appli.yaml | 35 +
 goss/s-fog.yaml | 28 +
 goss/s-infra.yaml | 90 +
 goss/s-itil.yaml | 36 +
 goss/s-lb-bd.yaml | 21 +
 goss/s-lb-web1.yaml | 63 +
 goss/s-lb-web2.yaml | 63 +
 goss/s-lb.yaml | 28 +
 goss/s-lb.yaml.old | 65 +
 goss/s-mon.yaml | 62 +
 goss/s-proxy.yaml | 30 +
 graylog-pont.yml | 8 +
 gsbchk | 14 +
 gsbstart | 179 +
 gsbstartl | 28 +
 lisezmoi.txt | 14 +
 ping-agence.sh | 14 +
 ping-rext.sh | 14 +
 ping-rint.sh | 12 +
 ping-sinfra.sh | 14 +
 pre/Vagrantfile-s-adm | 77 +
 pre/gsbboot | 54 +
 pre/inst-depl | 93 +
 pre/inst-depl.old | 48 +
 pre/pull-config | 16 +
 proxy | 1 +
 pull-config | 16 +
 r-ext.yml | 12 +
 r-int.yml | 13 +
 r-vp1.yml | 20 +
 r-vp2.yml | 23 +
 roles/apache2/handlers/main.yml | 6 +
 roles/apache2/tasks/main.yml | 14 +
 roles/appli/README.md | 4 +
 roles/appli/handlers/main.yml | 4 +
 roles/appli/tasks/main.yml | 72 +
 roles/base/files/apt.conf | 1 +
 roles/base/files/resolv.conf | 4 +
 roles/base/files/sources.list | 10 +
 roles/base/files/sources.list.Debian | 4 +
 roles/base/files/sources.list.Ubuntu | 13 +
 roles/base/files/sources.list.buster | 9 +
 roles/base/files/sources.list.jessie | 22 +
 roles/base/files/sources.list.wheezy | 22 +
 roles/base/tasks/main.yml | 76 +
 roles/base/templates/hosts.j2 | 27 +
 roles/base/templates/hosts.s-proxy.j2 | 26 +
 roles/db-user/files/resolv.conf | 3 +
 roles/db-user/tasks/main.yml | 12 +
 roles/dhcp-ag/files/dhcpd.conf | 152 +
 roles/dhcp-ag/files/isc-dhcp-server | 18 +
 roles/dhcp-ag/handlers/main.yml | 3 +
 roles/dhcp-ag/tasks/main.yml | 11 +
 roles/dhcp-fog/files/dhcpd.conf | 142 +
 roles/dhcp-fog/files/isc-dhcp-server | 18 +
 roles/dhcp-fog/handlers/main.yml | 3 +
 roles/dhcp-fog/tasks/main.yml | 14 +
 roles/dhcp/files/dhcpd.conf | 142 +
 roles/dhcp/files/isc-dhcp-server | 18 +
 roles/dhcp/handlers/main.yml | 3 +
 roles/dhcp/tasks/main.yml | 20 +
 roles/dns-ag-cs/files/named.conf.options | 23 +
 roles/dns-ag-cs/handlers/main.yml | 4 +
 roles/dns-ag-cs/tasks/main.yml | 11 +
 roles/dns-agence/files/named.conf.options | 23 +
 roles/dns-agence/handlers/main.yml | 4 +
 roles/dns-agence/tasks/main.yml | 11 +
 roles/dns-master/files/db.gsb.lan | 38 +
 roles/dns-master/files/db.gsb.lan.rev | 31 +
 roles/dns-master/files/forbidden.html | 2 +
 roles/dns-master/files/hosts | 7 +
 roles/dns-master/files/named.conf.local | 20 +
 roles/dns-master/files/named.conf.options | 26 +
 roles/dns-master/files/resolv.conf | 4 +
 roles/dns-master/handlers/main.yml | 4 +
 roles/dns-master/tasks/main.yml | 48 +
 roles/dns-slave/files/hosts | 7 +
 roles/dns-slave/files/named.conf.local | 28 +
 roles/dns-slave/files/named.conf.options | 26 +
 roles/dns-slave/files/resolv.conf | 4 +
 roles/dns-slave/handlers/main.yml | 4 +
 roles/dns-slave/tasks/main.yml | 38 +
 roles/dnsmasq/files/dnsmasq.conf | 531 +
 roles/dnsmasq/handlers/main.yml | 3 +
 roles/dnsmasq/tasks/main.yml | 11 +
 roles/docker-nextcloud/files/config.php | 48 +
 roles/docker-nextcloud/files/dhparam.pem | 13 +
 .../docker-nextcloud/files/docker-compose.yml | 35 +
 roles/docker-nextcloud/files/get_docker.sh | 502 +
 .../files/nginx-selfsigned.crt | 24 +
 .../files/nginx-selfsigned.key | 28 +
 roles/docker-nextcloud/files/proxy | 121 +
 roles/docker-nextcloud/files/proxy.bak | 100 +
 roles/docker-nextcloud/files/self-signed.conf | 2 +
 roles/docker-nextcloud/files/ssl-params.conf | 18 +
 roles/docker-nextcloud/tasks/main.yml | 89 +
 roles/docker/README.md | 10 +
 roles/docker/tasks/main.yml | 16 +
 roles/elk/README.md | 8 +
 roles/elk/files/get_docker.sh | 502 +
 roles/elk/tasks/main.yml | 27 +
 roles/filebeat-cli/README.md | 7 +
 roles/filebeat-cli/files/filebeat.yml | 226 +
 roles/filebeat-cli/handlers/main.yml | 5 +
 roles/filebeat-cli/tasks/main.yml | 23 +
 roles/fog/defaults/main.yml | 3 +
 roles/fog/tasks/main.yml | 17 +
 roles/gestsup/README.md | 6 +
 roles/gestsup/files/apache2.conf | 234 +
 roles/gestsup/files/php.ini | 1947 ++++
 roles/gestsup/files/security.conf | 73 +
 roles/gestsup/handlers/main.yml | 6 +
 roles/gestsup/tasks/main.yml | 122 +
 roles/goss/defaults/main.yml | 3 +
 roles/goss/tasks/main.yml | 21 +
 roles/icinga/README.md | 117 +
 roles/icinga/files/cfg/contacts_icinga.cfg | 59 +
 roles/icinga/files/cfg/extinfo_icinga.cfg | 13 +
 .../icinga/files/cfg/generic-host_icinga.cfg | 19 +
 .../files/cfg/generic-service_icinga.cfg | 26 +
 roles/icinga/files/cfg/gwsio2.cfg | 14 +
 roles/icinga/files/cfg/hostgroups_icinga.cfg | 75 +
 roles/icinga/files/cfg/localhost_icinga.cfg | 60 +
 roles/icinga/files/cfg/netgear.cfg | 16 +
 roles/icinga/files/cfg/r-ext.cfg | 13 +
 roles/icinga/files/cfg/r-int.cfg | 13 +
 roles/icinga/files/cfg/s-adm.cfg | 14 +
 roles/icinga/files/cfg/s-infra.cfg | 14 +
 roles/icinga/files/cfg/s-itil.cfg | 14 +
 roles/icinga/files/cfg/s-lb.cfg | 14 +
 roles/icinga/files/cfg/s-mess.cfg | 14 +
 roles/icinga/files/cfg/s-proxy.cfg | 13 +
 roles/icinga/files/cfg/services_icinga.cfg | 106 +
 roles/icinga/files/cfg/srv-2012.cfg | 16 +
 roles/icinga/files/cfg/timeperiods_icinga.cfg | 50 +
 roles/icinga/files/check_iftraffic3.pl | 643 ++
 roles/icinga/files/commands.cfg | 90 +
 roles/icinga/files/contacts_icinga.cfg | 59 +
 roles/icinga/files/dns.cfg | 11 +
 roles/icinga/files/icinga.cfg | 1494 +++
 roles/icinga/files/icinga.conf | 27 +
 roles/icinga/files/nt.cfg | 15 +
 roles/icinga/files/services_icinga.cfg | 106 +
 roles/icinga/handlers/main.yml | 12 +
 roles/icinga/tasks/main.yml | 124 +
 roles/itil/README.md | 60 +
 roles/itil/defaults/main.yml | 5 +
 roles/itil/files/.my.cnf | 3 +
 roles/itil/files/dbdump | 4 +
 roles/itil/files/glpi.conf | 12 +
 roles/itil/handlers/main.yml | 9 +
 roles/itil/tasks/main.yml | 160 +
 roles/itil/templates/block.j2 | 23 +
 roles/local-store/files/getall-2021 | 25 +
 roles/local-store/files/getall-latest | 25 +
 roles/local-store/tasks/main.yml | 18 +
 roles/mariadb-ab/README.md | 4 +
 roles/mariadb-ab/_travis.yml | 29 +
 roles/mariadb-ab/defaults/main.yml | 2 +
 roles/mariadb-ab/files/my.cnf | 128 +
 roles/mariadb-ab/handlers/main.yml | 2 +
 roles/mariadb-ab/meta/main.yml | 232 +
 roles/mariadb-ab/tasks/main.yml | 42 +
 roles/mariadb-ab/tests/inventory | 1 +
 roles/mariadb-ab/tests/test.yml | 5 +
 roles/mariadb-ab/vars/main.yml | 2 +
 roles/mariadb/README.md | 4 +
 roles/mariadb/_travis.yml | 29 +
 roles/mariadb/defaults/main.yml | 2 +
 roles/mariadb/handlers/main.yml | 2 +
 roles/mariadb/meta/main.yml | 232 +
 roles/mariadb/tasks/main.yml | 15 +
 roles/mariadb/tests/inventory | 1 +
 roles/mariadb/tests/test.yml | 5 +
 roles/mariadb/vars/main.yml | 2 +
 roles/mess/files/nslcd.conf | 31 +
 roles/mess/files/pam_ldap.conf | 6 +
 roles/mess/files/slapd.conf | 144 +
 roles/mess/handlers/main.yml | 3 +
 roles/mess/tasks/main.yml | 15 +
 roles/metricbeat-cli/README.md | 9 +
 roles/metricbeat-cli/files/metricbeat.yml | 189 +
 roles/metricbeat-cli/handlers/main.yml | 5 +
 roles/metricbeat-cli/tasks/main.yml | 23 +
 roles/mysql/defaults/main.yml | 4 +
 roles/mysql/files/.my.cnf | 3 +
 roles/mysql/handlers/main.yml | 3 +
 roles/mysql/tasks/main.yml | 13 +
 roles/nagios/README.md | 152 +
 roles/nagios/files/cfg/localhost.cfg | 159 +
 roles/nagios/files/cfg/r-ext.cfg | 15 +
 roles/nagios/files/cfg/r-int.cfg | 14 +
 roles/nagios/files/cfg/s-adm.cfg | 13 +
 roles/nagios/files/cfg/s-appli.cfg | 13 +
 roles/nagios/files/cfg/s-backup.cfg | 13 +
 roles/nagios/files/cfg/s-fog.cfg | 14 +
 roles/nagios/files/cfg/s-infra.cfg | 13 +
 roles/nagios/files/cfg/s-itil.cfg | 14 +
 roles/nagios/files/cfg/s-nxc.cfg | 13 +
 roles/nagios/files/cfg/s-proxy.cfg | 14 +
 roles/nagios/files/cfg/s-win.cfg | 14 +
 roles/nagios/files/commands.cfg | 151 +
 roles/nagios/files/hostgroups.cfg | 30 +
 roles/nagios/files/interfaces | 23 +
 roles/nagios/files/nt.cfg | 15 +
 roles/nagios/files/sasl_passwd | 2 +
 roles/nagios/files/services.cfg | 126 +
 roles/nagios/handlers/main.yml | 17 +
 roles/nagios/tasks/main.yml | 124 +
 roles/nagios/templates/contacts.cfg.j2 | 57 +
 roles/nagios/templates/main.cf.j2 | 10 +
 roles/nagios/templates/nagios.cfg.j2 | 1394 +++
 roles/nagios/templates/nagios4-cgi.conf.j2 | 27 +
 roles/nxc-traefik/README.md | 35 +
 roles/nxc-traefik/files/dynamic.yml | 18 +
 roles/nxc-traefik/files/nextcloud.yml | 58 +
 roles/nxc-traefik/files/nxc-debug.sh | 6 +
 roles/nxc-traefik/files/nxc-prune.sh | 4 +
 roles/nxc-traefik/files/nxc-start.sh | 3 +
 roles/nxc-traefik/files/nxc-stop.sh | 3 +
 roles/nxc-traefik/files/static.yml | 31 +
 roles/nxc-traefik/files/traefik.yml | 28 +
 roles/nxc-traefik/tasks/main.yml | 78 +
 roles/old/docker-iredmail-ab/files/fstab | 13 +
 .../docker-iredmail-ab/files/https_proxy.conf | 2 +
 .../old/docker-iredmail-ab/files/iredmail.sh | 14 +
 .../old/docker-iredmail-ab/handlers/main.yml | 3 +
 roles/old/docker-iredmail-ab/tasks/main.yml | 83 +
 roles/old/docker-openvas-ab/files/fstab | 13 +
 .../docker-openvas-ab/files/https_proxy.conf | 2 +
 roles/old/docker-openvas-ab/handlers/main.yml | 3 +
 roles/old/docker-openvas-ab/tasks/main.yml | 77 +
 .../old/firewall-vpn-l-cs/files/iptables-vpn | 58 +
 roles/old/firewall-vpn-l-cs/tasks/main.yml | 3 +
 roles/old/firewall-vpn-l/files/ferm.conf | 68 +
 roles/old/firewall-vpn-l/files/iptables-vpn | 58 +
 roles/old/firewall-vpn-l/handlers/main.yml | 3 +
 roles/old/firewall-vpn-l/tasks/main.yml | 8 +
 .../old/firewall-vpn-r-cs/files/iptables-vpn | 58 +
 roles/old/firewall-vpn-r-cs/tasks/main.yml | 3 +
 roles/old/firewall-vpn-r/files/ferm.conf | 67 +
 roles/old/firewall-vpn-r/files/iptables-vpn | 58 +
 roles/old/firewall-vpn-r/handlers/main.yml | 3 +
 roles/old/firewall-vpn-r/tasks/main.yml | 8 +
 roles/old/itil-cs/files/.my.cnf | 3 +
 roles/old/itil-cs/files/glpi.conf | 12 +
 roles/old/itil-cs/files/script | 4 +
 roles/old/itil-cs/handlers/main.yml | 6 +
 roles/old/itil-cs/tasks/main.yml | 65 +
 roles/old/snmp-cs/files/snmpd.conf | 193 +
 roles/old/snmp-cs/handlers/main.yml | 3 +
 roles/old/snmp-cs/tasks/main.yml | 14 +
 roles/old/user-yb/tasks/main.yml | 47 +
 roles/old/vpn-stg-l/files/ipsec.conf | 23 +
 roles/old/vpn-stg-l/files/ipsec.secrets | 8 +
 roles/old/vpn-stg-l/files/sysctl.conf | 60 +
 roles/old/vpn-stg-l/handlers/main.yml | 4 +
 roles/old/vpn-stg-l/tasks/main.yml | 21 +
 roles/old/vpn-stg-r/files/ipsec.conf | 23 +
 roles/old/vpn-stg-r/files/ipsec.secrets | 8 +
 roles/old/vpn-stg-r/files/sysctl.conf | 60 +
 roles/old/vpn-stg-r/handlers/main.yml | 4 +
 roles/old/vpn-stg-r/tasks/main.yml | 21 +
 roles/old/vpn/files/sysctl.conf | 60 +
 roles/old/vpn/handlers/main.yml | 6 +
 roles/old/vpn/tasks/main.yml | 23 +
 roles/old/vpn/templates/ipsec-tools.conf.j2 | 9 +
 roles/old/vpn/templates/psk.txt.j2 | 2 +
 roles/old/vpn/templates/racoon.conf.j2 | 19 +
 roles/old/wordpress/handlers/main.yml | 3 +
 roles/old/wordpress/tasks/main.yml | 40 +
 roles/old/x509-l/files/ipsec.conf | 25 +
 roles/old/x509-l/files/ipsec.secrets | 9 +
 roles/old/x509-l/files/sysctl.conf | 60 +
 roles/old/x509-l/handlers/main.yml | 4 +
 roles/old/x509-l/tasks/main.yml | 21 +
 roles/old/x509-r/files/generate.sh | 19 +
 roles/old/x509-r/files/ipsec.conf | 25 +
 roles/old/x509-r/files/ipsec.secrets | 9 +
 roles/old/x509-r/files/recupKey.sh | 16 +
 roles/old/x509-r/files/sysctl.conf | 60 +
 roles/old/x509-r/handlers/main.yml | 4 +
 roles/old/x509-r/tasks/main.yml | 36 +
 roles/php-fpm/handlers/main.yml | 3 +
 roles/php-fpm/tasks/main.yml | 9 +
 roles/php-fpm/templates/main.yml | 15 +
 roles/post/README.md | 7 +
 roles/post/files/interfaces.graylog-pont | 12 +
 roles/post/files/interfaces.r-ext | 38 +
 roles/post/files/interfaces.r-int | 44 +
 roles/post/files/interfaces.r-vp1 | 31 +
 roles/post/files/interfaces.r-vp1-cs | 26 +
 roles/post/files/interfaces.r-vp2 | 29 +
 roles/post/files/interfaces.r-vp2-cs | 25 +
 roles/post/files/interfaces.s-adm | 20 +
 roles/post/files/interfaces.s-agence | 14 +
 roles/post/files/interfaces.s-appli | 27 +
 roles/post/files/interfaces.s-backup | 25 +
 roles/post/files/interfaces.s-bdd | 21 +
 roles/post/files/interfaces.s-docker | 20 +
 roles/post/files/interfaces.s-elk | 20 +
 roles/post/files/interfaces.s-fog | 26 +
 roles/post/files/interfaces.s-gestsup | 24 +
 roles/post/files/interfaces.s-graylog | 21 +
 roles/post/files/interfaces.s-infra | 24 +
 roles/post/files/interfaces.s-itil | 20 +
 roles/post/files/interfaces.s-itil-cs | 24 +
 roles/post/files/interfaces.s-lb | 27 +
 roles/post/files/interfaces.s-lb-bd | 21 +
 roles/post/files/interfaces.s-lb-web1 | 27 +
 roles/post/files/interfaces.s-lb-web2 | 25 +
 roles/post/files/interfaces.s-lb-web3 | 25 +
 roles/post/files/interfaces.s-lb-wordpress | 39 +
 roles/post/files/interfaces.s-lb-wordpress2 | 39 +
 roles/post/files/interfaces.s-lb-wordpress3 | 39 +
 roles/post/files/interfaces.s-mess | 24 +
 roles/post/files/interfaces.s-mon | 23 +
 roles/post/files/interfaces.s-mon-gm | 22 +
 roles/post/files/interfaces.s-mon-kb | 22 +
 roles/post/files/interfaces.s-mon-yb | 22 +
 roles/post/files/interfaces.s-mon2 | 21 +
 roles/post/files/interfaces.s-mon3 | 24 +
 roles/post/files/interfaces.s-nas | 17 +
 roles/post/files/interfaces.s-nxc | 24 +
 roles/post/files/interfaces.s-proxy | 22 +
 roles/post/files/interfaces.s-san | 25 +
 roles/post/files/interfaces.s-sspec | 22 +
 roles/post/files/interfaces.s-test | 21 +
 roles/post/files/interfaces.s-web | 20 +
 roles/post/files/interfaces.s-web1 | 27 +
 roles/post/files/interfaces.s-web2 | 25 +
 roles/post/files/interfaces.s-web3 | 27 +
 roles/post/files/interfaces.user-yb | 23 +
 roles/post/files/resolv.conf | 4 +
 roles/post/files/resolv.conf.s-proxy | 4 +
 roles/post/tasks/main.yml | 24 +
 roles/postfix-gestsup/README.md | 12 +
 roles/postfix-gestsup/files/sasl_passwd | 2 +
 roles/postfix-gestsup/handlers/main.yml | 6 +
 roles/postfix-gestsup/tasks/main.yml | 28 +
 roles/postfix-gestsup/templates/main.cf.j2 | 10 +
 roles/postfix-nd/files/main.cf | 49 +
 roles/postfix-nd/files/sasl_passwd | 1 +
 .../files/thawte_Premium_Server_CA.pem | 20 +
 roles/postfix-nd/handlers/main.yml | 3 +
 roles/postfix-nd/tasks/main.yml | 36 +
 roles/postfix/README.md | 12 +
 roles/postfix/files/sasl_passwd | 2 +
 roles/postfix/handlers/main.yml | 6 +
 roles/postfix/tasks/main.yml | 28 +
 roles/postfix/templates/main.cf.j2 | 10 +
 roles/r-ext/files/ferm.conf | 113 +
 roles/r-ext/files/ipFerm.sh | 3 +
 roles/r-ext/files/mkferm | 7 +
 roles/r-ext/files/nat.sh | 4 +
 roles/r-ext/files/routagenat | 3 +
 roles/r-ext/files/sysctl.conf | 60 +
 roles/r-ext/tasks/main.yml | 24 +
 roles/r-int/files/routagenat | 3 +
 roles/r-int/files/sysctl.conf | 60 +
 roles/r-int/tasks/main.yml | 19 +
 roles/s-lb-ab/README.md | 4 +
 roles/s-lb-ab/files/actu.sh | 5 +
 roles/s-lb-ab/files/haproxy.cfg | 55 +
 roles/s-lb-ab/handlers/main.yml | 3 +
 roles/s-lb-ab/tasks/main.yml | 29 +
 roles/s-lb-bd-ab/README.txt | 11 +
 roles/s-lb-bd-ab/files/.my.cnf | 3 +
 roles/s-lb-bd-ab/files/installmysql.sh | 16 +
 roles/s-lb-bd-ab/files/my.cnf | 128 +
 roles/s-lb-bd-ab/handlers/main.yml | 3 +
 roles/s-lb-bd/files/.my.cnf | 3 +
 roles/s-lb-bd/files/installmysql.sh | 16 +
 roles/s-lb-bd/files/my.cnf | 128 +
 roles/s-lb-bd/handlers/main.yml | 3 +
 roles/s-lb-bd/tasks/main.yml | 4 +
 roles/s-lb-web-ab/files/.my.cnf | 3 +
 roles/s-lb-web-ab/files/compter.bash | 4 +
 roles/s-lb-web-ab/handlers/main.yml | 3 +
 roles/s-lb-web-ab/tasks/main.yml | 26 +
 roles/s-lb-web/README.md | 3 +
 roles/s-lb-web/files/.my.cnf | 3 +
 roles/s-lb-web/files/compter.bash | 4 +
 roles/s-lb-web/handlers/main.yml | 3 +
 roles/s-lb-web/tasks/main.yml | 12 +
 roles/s-lb-wordpress/README.md | 3 +
 roles/s-lb-wordpress/defaults/main.yml | 2 +
 roles/s-lb-wordpress/files/wp-config.php | 102 +
 roles/s-lb-wordpress/handlers/main.yml | 3 +
 roles/s-lb-wordpress/tasks/main.yml | 38 +
 roles/s-lb/files/goss.yaml | 23 +
 roles/s-lb/files/haproxy.cfg | 56 +
 roles/s-lb/handlers/main.yml | 3 +
 roles/s-lb/tasks/main.yml | 11 +
 roles/s-nas-client/README.md | 3 +
 roles/s-nas-client/handlers/main.yml | 3 +
 roles/s-nas-client/tasks/main.yml | 13 +
 roles/s-nas-server/README.md | 3 +
 roles/s-nas-server/files/exports | 10 +
 roles/s-nas-server/handlers/main.yml | 3 +
 roles/s-nas-server/tasks/main.yml | 18 +
 roles/s-ssh/files/config | 51 +
 roles/s-ssh/handlers/main.yml | 3 +
 roles/s-ssh/tasks/main.yml | 22 +
 roles/smb-backup/README.md | 11 +
 roles/smb-backup/files/backup.sh | 27 +
 roles/smb-backup/files/delgsb.cmd | 4 +
 roles/smb-backup/files/mkgsb.cmd | 11 +
 roles/smb-backup/tasks/main.yml | 8 +
 roles/snmp-agent/README.md | 7 +
 roles/snmp-agent/files/snmpd.conf | 87 +
 roles/snmp-agent/handlers/main.yml | 4 +
 roles/snmp-agent/tasks/main.yml | 16 +
 roles/squid/files/squid.s-adm.conf | 7961 +++++++++++++++
 roles/squid/files/squid.s-proxy.conf | 8579 +++++++++++++++++
 roles/squid/files/squid.s-proxy.conf.old | 7656 +++++++++++++++
 roles/squid/handlers/main.yml | 3 +
 roles/squid/tasks/main.yml | 9 +
 roles/ssh-cli/tasks/main.yml | 10 +
 roles/ssh-root-access/tasks/main.yml | 7 +
 roles/sshk/tasks/main.yml | 10 +
 roles/ssl-apache/README.md | 7 +
 roles/ssl-apache/files/000-default.conf | 32 +
 roles/ssl-apache/files/default-ssl.conf | 24 +
 roles/ssl-apache/files/ports.conf | 15 +
 roles/ssl-apache/handlers/main.yml | 5 +
 roles/ssl-apache/tasks/main.yml | 51 +
 roles/syslog-cli/README.md | 12 +
 roles/syslog-cli/handlers/main.yml | 10 +
 roles/syslog-cli/tasks/main.yml | 17 +
 roles/syslog/README.md | 16 +
 roles/syslog/handlers/main.yml | 10 +
 roles/syslog/tasks/main.yml | 26 +
 roles/webautoconf/files/wpad.dat | 12 +
 roles/webautoconf/tasks/main.yml | 9 +
 roles/wireguard-l/tasks/main.yml | 21 +
 roles/wireguard-r/README.md | 14 +
 roles/wireguard-r/files/mk-wgconf.sh | 70 +
 roles/wireguard-r/files/scriptwg.sh | 67 +
 roles/wireguard-r/tasks/main.yml | 38 +
 s-adm.yml | 14 +
 s-agence.yml | 10 +
 s-appli.yml | 14 +
 s-backup.yml | 13 +
 s-bdd.yml | 23 +
 s-docker.yml | 14 +
 s-elk.yml | 11 +
 s-fog.yml | 13 +
 s-gestsup.yml | 12 +
 s-graylog.yml | 12 +
 s-infra.yml | 14 +
 s-itil.yml | 24 +
 s-lb-bd.yml | 24 +
 s-lb-web1.yml | 11 +
 s-lb-web2.yml | 11 +
 s-lb-web3.yml | 11 +
 s-lb-wordpress.yml | 18 +
 s-lb-wordpress2.yml | 18 +
 s-lb-wordpress3.yml | 18 +
 s-lb.yml | 11 +
 s-mess.yml | 11 +
 s-mon.yml | 16 +
 s-nas.yml | 17 +
 s-nxc.yml | 12 +
 s-proxy.yml | 12 +
 s-test.yml | 12 +
 s-web.yml | 14 +
 s-web1.yml | 11 +
 s-web2.yml | 11 +
 s-web3.yml | 11 +
 scripts/Windows/addint-r-ext.bat | 31 +
 scripts/Windows/addint-r-int.bat | 33 +
 scripts/addint.r-ext | 42 +
 scripts/addint.r-int | 41 +
 scripts/addint.r-vp1 | 26 +
 scripts/addint.r-vp2 | 26 +
 scripts/addint.s-adm | 16 +
 scripts/addint.s-infra | 18 +
 scripts/addint.s-lb | 26 +
 scripts/addint.s-lb-bd | 18 +
 scripts/addint.s-lb-web1 | 26 +
 scripts/addint.s-lb-web2 | 26 +
 scripts/addint.s-lb-web3 | 26 +
 scripts/addint.s-mon-kb | 18 +
 scripts/addint.s-nas | 18 +
 scripts/getall-2019 | 16 +
 scripts/lb-http.bash | 6 +
 scripts/mkvm | 96 +
 scripts/recup-s-lb.bash | 4 +
 snmp.yml | 7 +
 sv/postfix/README.md | 40 +
 sv/postfix/files/main.cf | 50 +
 sv/postfix/files/sasl_passwd | 1 +
 sv/postfix/files/thawte_Premium_Server_CA.pem | 20 +
 sv/postfix/handlers/main.yml | 5 +
 sv/postfix/tasks/main.yml | 28 +
 tests/s-infra.test | 24 +
 tests/s-proxy.test | 17 +
 user-yb.yml | 9 +
 vagrant/Vagrantfile | 22 +
 windows/README.md | 15 +
 windows/gsb-dossiers.cmd | 15 +
 windows/mkusr-compta.cmd | 4 +
 windows/mkusr-ventes.cmd | 5 +
 windows/mkusr.cmd | 7 +
 554 files changed, 46045 insertions(+)
 create mode 100755 agoss
 create mode 100644 changelog
 create mode 100644 confwireguard/r-ext/r-ext.ip
 create mode 100644 confwireguard/r-ext/r-ext.routes
 create mode 100644 confwireguard/r-int/r-int.ip
 create mode 100644 confwireguard/r-int/r-int.routes
 create mode 100644 confwireguard/r-vp1/r-vp1.ip
 create mode 100644 confwireguard/r-vp1/r-vp1.routes
 create mode 100644 confwireguard/r-vp2/r-vp2.ip
 create mode 100644 confwireguard/r-vp2/r-vp2.routes
 create mode 100644 confwireguard/s-infra/s-infra.ip
 create mode 100644 confwireguard/s-infra/s-infra.routes
 create mode 100644 doc/Docker-openvas.txt
 create mode 100644 doc/icinga.txt
 create mode 100644 doc/pics/e4-SAN-V2.dia
 create mode 100644 doc/pics/e4-adm.dia
 create mode 100644 doc/pics/e4-adm.png
 create mode 100644 doc/pics/e4-agence.dia
 create mode 100644 doc/pics/e4-agence.png
 create mode 100644 doc/pics/e4-dmz-ab.png
 create mode 100644 doc/pics/e4-dmz-ha.dia
 create mode 100644 doc/pics/e4-dmz-ha.png
 create mode 100644 doc/pics/e4-dmz-old.png
 create mode 100644 doc/pics/e4-dmz-tl.dia
 create mode 100644 doc/pics/e4-dmz-tl.png
 create mode 100644 doc/pics/e4-dmz.dia
 create mode 100644 doc/pics/e4-dmz.png
 create mode 100644 doc/pics/e4-v2.3.dia
 create mode 100644 doc/pics/e4-v2.3.png
 create mode 100644 doc/pics/e4-v2.3x.dia
 create mode 100644 doc/pics/e4-v2.dia
 create mode 100644 doc/pics/e4-vpn-infra-v1.2.dia
 create mode 100644 doc/pics/e4-vpn-infra-v1.2.png
 create mode 100644 doc/pics/e4-vpn-infra.dia
 create mode 100644 doc/pics/e4.dia
 create mode 100644 doc/pics/e4.png
 create mode 100644 doc/r-vp.txt
 create mode 100644 doc/s-fog.txt
 create mode 100644 goss/r-ext.yaml
 create mode 100644 goss/r-int.yaml
 create mode 100644 goss/r-vp1-cs.yaml
 create mode 100644 goss/r-vp1-old.yaml
 create mode 100644 goss/r-vp1.yaml
 create mode 100644 goss/r-vp2-cs.yaml
 create mode 100644 goss/r-vp2-old.yaml
 create mode 100644 goss/r-vp2goss.yaml
 create mode 100644 goss/s-adm.yaml
 create mode 100644 goss/s-agence.yaml
 create mode 100644 goss/s-appli.yaml
 create mode 100644 goss/s-fog.yaml
 create mode 100644 goss/s-infra.yaml
 create mode 100644 goss/s-itil.yaml
 create mode 100644 goss/s-lb-bd.yaml
 create mode 100644 goss/s-lb-web1.yaml
 create mode 100644 goss/s-lb-web2.yaml
 create mode 100644 goss/s-lb.yaml
 create mode 100644 goss/s-lb.yaml.old
 create mode 100644 goss/s-mon.yaml
 create mode 100644 goss/s-proxy.yaml
 create mode 100644 graylog-pont.yml
 create mode 100755 gsbchk
 create mode 100755 gsbstart
 create mode 100755 gsbstartl
 create mode 100644 lisezmoi.txt
 create mode 100644 ping-agence.sh
 create mode 100755 ping-rext.sh
 create mode 100644 ping-rint.sh
 create mode 100644 ping-sinfra.sh
 create mode 100644 pre/Vagrantfile-s-adm
 create mode 100644 pre/gsbboot
 create mode 100644 pre/inst-depl
 create mode 100644 pre/inst-depl.old
 create mode 100644 pre/pull-config
 create mode 120000 proxy
 create mode 100644 pull-config
 create mode 100644 r-ext.yml
 create mode 100644 r-int.yml
 create mode 100644 r-vp1.yml
 create mode 100644 r-vp2.yml
 create mode 100644 roles/apache2/handlers/main.yml
 create mode 100644 roles/apache2/tasks/main.yml
 create mode 100644 roles/appli/README.md
 create mode 100644 roles/appli/handlers/main.yml
 create mode 100644 roles/appli/tasks/main.yml
 create mode 100644 roles/base/files/apt.conf
 create mode 100644 roles/base/files/resolv.conf
 create mode 100644 roles/base/files/sources.list
 create mode 100644 roles/base/files/sources.list.Debian
 create mode 100644 roles/base/files/sources.list.Ubuntu
 create mode 100644 roles/base/files/sources.list.buster
 create mode 100644 roles/base/files/sources.list.jessie
 create mode 100644 roles/base/files/sources.list.wheezy
 create mode 100644 roles/base/tasks/main.yml
 create mode 100644 roles/base/templates/hosts.j2
 create mode 100644 roles/base/templates/hosts.s-proxy.j2
 create mode 100644 roles/db-user/files/resolv.conf
 create mode 100644 roles/db-user/tasks/main.yml
 create mode 100644 roles/dhcp-ag/files/dhcpd.conf
 create mode 100644 roles/dhcp-ag/files/isc-dhcp-server
 create mode 100644 roles/dhcp-ag/handlers/main.yml
 create mode 100644 roles/dhcp-ag/tasks/main.yml
 create mode 100644 roles/dhcp-fog/files/dhcpd.conf
 create mode 100644 roles/dhcp-fog/files/isc-dhcp-server
 create mode 100644 roles/dhcp-fog/handlers/main.yml
 create mode 100644 roles/dhcp-fog/tasks/main.yml
 create mode 100644 roles/dhcp/files/dhcpd.conf
 create mode 100644 roles/dhcp/files/isc-dhcp-server
 create mode 100644 roles/dhcp/handlers/main.yml
 create mode 100644 roles/dhcp/tasks/main.yml
 create mode 100644 roles/dns-ag-cs/files/named.conf.options
 create mode 100644 roles/dns-ag-cs/handlers/main.yml
 create mode 100644 roles/dns-ag-cs/tasks/main.yml
 create mode 100644 roles/dns-agence/files/named.conf.options
 create mode 100644 roles/dns-agence/handlers/main.yml
 create mode 100644 roles/dns-agence/tasks/main.yml
 create mode 100644 roles/dns-master/files/db.gsb.lan
 create mode 100644 roles/dns-master/files/db.gsb.lan.rev
 create mode 100644 roles/dns-master/files/forbidden.html
 create mode 100644 roles/dns-master/files/hosts
 create mode 100644 roles/dns-master/files/named.conf.local
 create mode 100644 roles/dns-master/files/named.conf.options
 create mode 100644 roles/dns-master/files/resolv.conf
 create mode 100644 roles/dns-master/handlers/main.yml
 create mode 100644 roles/dns-master/tasks/main.yml
 create mode 100644 roles/dns-slave/files/hosts
 create mode 100644 roles/dns-slave/files/named.conf.local
 create mode 100644 roles/dns-slave/files/named.conf.options
 create mode 100644 roles/dns-slave/files/resolv.conf
 create mode 100644 roles/dns-slave/handlers/main.yml
 create mode 100644 roles/dns-slave/tasks/main.yml
 create mode 100644 roles/dnsmasq/files/dnsmasq.conf
 create mode 100644 roles/dnsmasq/handlers/main.yml
 create mode 100644 roles/dnsmasq/tasks/main.yml
 create mode 100644 roles/docker-nextcloud/files/config.php
 create mode 100644 roles/docker-nextcloud/files/dhparam.pem
 create mode 100755 roles/docker-nextcloud/files/docker-compose.yml
 create mode 100755 roles/docker-nextcloud/files/get_docker.sh
 create mode 100644 roles/docker-nextcloud/files/nginx-selfsigned.crt
 create mode 100644 roles/docker-nextcloud/files/nginx-selfsigned.key
 create mode 100644 roles/docker-nextcloud/files/proxy
 create mode 100644 roles/docker-nextcloud/files/proxy.bak
 create mode 100644 roles/docker-nextcloud/files/self-signed.conf
 create mode 100644 roles/docker-nextcloud/files/ssl-params.conf
 create mode 100644 roles/docker-nextcloud/tasks/main.yml
 create mode 100644 roles/docker/README.md
 create mode 100644 roles/docker/tasks/main.yml
 create mode 100644 roles/elk/README.md
 create mode 100755 roles/elk/files/get_docker.sh
 create mode 100644 roles/elk/tasks/main.yml
 create mode 100644 roles/filebeat-cli/README.md
 create mode 100644 roles/filebeat-cli/files/filebeat.yml
 create mode 100644 roles/filebeat-cli/handlers/main.yml
 create mode 100644 roles/filebeat-cli/tasks/main.yml
 create mode 100644 roles/fog/defaults/main.yml
 create mode 100644 roles/fog/tasks/main.yml
 create mode 100644 roles/gestsup/README.md
 create mode 100644 roles/gestsup/files/apache2.conf
 create mode 100644 roles/gestsup/files/php.ini
 create mode 100644 roles/gestsup/files/security.conf
 create mode 100644 roles/gestsup/handlers/main.yml
 create mode 100644 roles/gestsup/tasks/main.yml
 create mode 100644 roles/goss/defaults/main.yml
 create mode 100644 roles/goss/tasks/main.yml
 create mode 100644 roles/icinga/README.md
 create mode 100644 roles/icinga/files/cfg/contacts_icinga.cfg
 create mode 100644 roles/icinga/files/cfg/extinfo_icinga.cfg
 create mode 100644 roles/icinga/files/cfg/generic-host_icinga.cfg
 create mode 100644 roles/icinga/files/cfg/generic-service_icinga.cfg
 create mode 100644 roles/icinga/files/cfg/gwsio2.cfg
 create mode 100644 roles/icinga/files/cfg/hostgroups_icinga.cfg
 create mode 100644 roles/icinga/files/cfg/localhost_icinga.cfg
 create mode 100644 roles/icinga/files/cfg/netgear.cfg
 create mode 100644 roles/icinga/files/cfg/r-ext.cfg
 create mode 100644 roles/icinga/files/cfg/r-int.cfg
 create mode 100644 roles/icinga/files/cfg/s-adm.cfg
 create mode 100644 roles/icinga/files/cfg/s-infra.cfg
 create mode 100644 roles/icinga/files/cfg/s-itil.cfg
 create mode 100644 roles/icinga/files/cfg/s-lb.cfg
 create mode 100644 roles/icinga/files/cfg/s-mess.cfg
 create mode 100644 roles/icinga/files/cfg/s-proxy.cfg
 create mode 100644 roles/icinga/files/cfg/services_icinga.cfg
 create mode 100644 roles/icinga/files/cfg/srv-2012.cfg
 create mode 100644 roles/icinga/files/cfg/timeperiods_icinga.cfg
 create mode 100755 roles/icinga/files/check_iftraffic3.pl
 create mode 100644 roles/icinga/files/commands.cfg
 create mode 100644 roles/icinga/files/contacts_icinga.cfg
 create mode 100644 roles/icinga/files/dns.cfg
 create mode 100644 roles/icinga/files/icinga.cfg
 create mode 100644 roles/icinga/files/icinga.conf
 create mode 100644 roles/icinga/files/nt.cfg
 create mode 100644 roles/icinga/files/services_icinga.cfg
 create mode 100644 roles/icinga/handlers/main.yml
 create mode 100644 roles/icinga/tasks/main.yml
 create mode 100644 roles/itil/README.md
 create mode 100644 roles/itil/defaults/main.yml
 create mode 100644 roles/itil/files/.my.cnf
 create mode 100644 roles/itil/files/dbdump
 create mode 100644 roles/itil/files/glpi.conf
 create mode 100644 roles/itil/handlers/main.yml
 create mode 100644 roles/itil/tasks/main.yml
 create mode 100644 roles/itil/templates/block.j2
 create mode 100644 roles/local-store/files/getall-2021
 create mode 100644 roles/local-store/files/getall-latest
 create mode 100644 roles/local-store/tasks/main.yml
 create mode 100644 roles/mariadb-ab/README.md
 create mode 100644 roles/mariadb-ab/_travis.yml
 create mode 100644 roles/mariadb-ab/defaults/main.yml
 create mode 100644 roles/mariadb-ab/files/my.cnf
 create mode 100644 roles/mariadb-ab/handlers/main.yml
 create mode 100644 roles/mariadb-ab/meta/main.yml
 create mode 100644 roles/mariadb-ab/tasks/main.yml
 create mode 100644 roles/mariadb-ab/tests/inventory
 create mode 100644 roles/mariadb-ab/tests/test.yml
 create mode 100644 roles/mariadb-ab/vars/main.yml
 create mode 100644 roles/mariadb/README.md
 create mode 100644 roles/mariadb/_travis.yml
 create mode 100644 roles/mariadb/defaults/main.yml
 create mode 100644 roles/mariadb/handlers/main.yml
 create mode 100644 roles/mariadb/meta/main.yml
 create mode 100644 roles/mariadb/tasks/main.yml
 create mode 100644 roles/mariadb/tests/inventory
 create mode 100644 roles/mariadb/tests/test.yml
 create mode 100644 roles/mariadb/vars/main.yml
 create mode 100644 roles/mess/files/nslcd.conf
 create mode 100644 roles/mess/files/pam_ldap.conf
 create mode 100644 roles/mess/files/slapd.conf
 create mode 100644 roles/mess/handlers/main.yml
 create mode 100644 roles/mess/tasks/main.yml
 create mode 100644 roles/metricbeat-cli/README.md
 create mode 100644 roles/metricbeat-cli/files/metricbeat.yml
 create mode 100644 roles/metricbeat-cli/handlers/main.yml
 create mode 100644 roles/metricbeat-cli/tasks/main.yml
 create mode 100644 roles/mysql/defaults/main.yml
 create mode 100644 roles/mysql/files/.my.cnf
 create mode 100644 roles/mysql/handlers/main.yml
 create mode 100644 roles/mysql/tasks/main.yml
 create mode 100644 roles/nagios/README.md
 create mode 100644 roles/nagios/files/cfg/localhost.cfg
 create mode 100644 roles/nagios/files/cfg/r-ext.cfg
 create mode 100644 roles/nagios/files/cfg/r-int.cfg
 create mode 100644 roles/nagios/files/cfg/s-adm.cfg
 create mode 100644 roles/nagios/files/cfg/s-appli.cfg
 create mode 100644 roles/nagios/files/cfg/s-backup.cfg
 create mode 100644 roles/nagios/files/cfg/s-fog.cfg
 create mode 100644 roles/nagios/files/cfg/s-infra.cfg
 create mode 100644 roles/nagios/files/cfg/s-itil.cfg
 create mode 100644 roles/nagios/files/cfg/s-nxc.cfg
 create mode 100644 roles/nagios/files/cfg/s-proxy.cfg
 create mode 100644 roles/nagios/files/cfg/s-win.cfg
 create mode 100644 roles/nagios/files/commands.cfg
 create mode 100644 roles/nagios/files/hostgroups.cfg
 create mode 100644 roles/nagios/files/interfaces
 create mode 100644 roles/nagios/files/nt.cfg
 create mode 100644 roles/nagios/files/sasl_passwd
 create mode 100644 roles/nagios/files/services.cfg
 create mode 100644 roles/nagios/handlers/main.yml
 create mode 100644 roles/nagios/tasks/main.yml
 create mode 100644 roles/nagios/templates/contacts.cfg.j2
 create mode 100644 roles/nagios/templates/main.cf.j2
 create mode 100644 roles/nagios/templates/nagios.cfg.j2
 create mode 100644 roles/nagios/templates/nagios4-cgi.conf.j2
 create mode 100644 roles/nxc-traefik/README.md
 create mode 100644 roles/nxc-traefik/files/dynamic.yml
 create mode 100644 roles/nxc-traefik/files/nextcloud.yml
 create mode 100755 roles/nxc-traefik/files/nxc-debug.sh
 create mode 100755 roles/nxc-traefik/files/nxc-prune.sh
 create mode 100755 roles/nxc-traefik/files/nxc-start.sh
 create mode 100755 roles/nxc-traefik/files/nxc-stop.sh
 create mode 100644 roles/nxc-traefik/files/static.yml
 create mode 100644 roles/nxc-traefik/files/traefik.yml
 create mode 100644 roles/nxc-traefik/tasks/main.yml
 create mode 100644 roles/old/docker-iredmail-ab/files/fstab
 create mode 100644 roles/old/docker-iredmail-ab/files/https_proxy.conf
 create mode 100644 roles/old/docker-iredmail-ab/files/iredmail.sh
 create mode 100644 roles/old/docker-iredmail-ab/handlers/main.yml
 create mode 100644 roles/old/docker-iredmail-ab/tasks/main.yml
 create mode 100644 roles/old/docker-openvas-ab/files/fstab
 create mode 100644 roles/old/docker-openvas-ab/files/https_proxy.conf
 create mode 100644 roles/old/docker-openvas-ab/handlers/main.yml
 create mode 100644 roles/old/docker-openvas-ab/tasks/main.yml
 create mode 100644 roles/old/firewall-vpn-l-cs/files/iptables-vpn
 create mode 100644 roles/old/firewall-vpn-l-cs/tasks/main.yml
 create mode 100644 roles/old/firewall-vpn-l/files/ferm.conf
 create mode 100644 roles/old/firewall-vpn-l/files/iptables-vpn
 create mode 100644 roles/old/firewall-vpn-l/handlers/main.yml
 create mode 100644 roles/old/firewall-vpn-l/tasks/main.yml
 create mode 100644 roles/old/firewall-vpn-r-cs/files/iptables-vpn
 create mode 100644 roles/old/firewall-vpn-r-cs/tasks/main.yml
 create mode 100644 roles/old/firewall-vpn-r/files/ferm.conf
 create mode 100644 roles/old/firewall-vpn-r/files/iptables-vpn
 create mode 100644 roles/old/firewall-vpn-r/handlers/main.yml
 create mode 100644 roles/old/firewall-vpn-r/tasks/main.yml
 create mode 100644 roles/old/itil-cs/files/.my.cnf
 create mode 100644 roles/old/itil-cs/files/glpi.conf
 create mode 100644 roles/old/itil-cs/files/script
 create mode 100644 roles/old/itil-cs/handlers/main.yml
 create mode 100644 roles/old/itil-cs/tasks/main.yml
 create mode 100644 roles/old/snmp-cs/files/snmpd.conf
 create mode 100644 roles/old/snmp-cs/handlers/main.yml
 create mode 100644 roles/old/snmp-cs/tasks/main.yml
 create mode 100644 roles/old/user-yb/tasks/main.yml
 create mode 100644 roles/old/vpn-stg-l/files/ipsec.conf
 create mode 100644 roles/old/vpn-stg-l/files/ipsec.secrets
 create mode 100644 roles/old/vpn-stg-l/files/sysctl.conf
 create mode 100644 roles/old/vpn-stg-l/handlers/main.yml
 create mode 100644 roles/old/vpn-stg-l/tasks/main.yml
 create mode 100644 roles/old/vpn-stg-r/files/ipsec.conf
 create mode 100644 roles/old/vpn-stg-r/files/ipsec.secrets
 create mode 100644 roles/old/vpn-stg-r/files/sysctl.conf
 create mode 100644 roles/old/vpn-stg-r/handlers/main.yml
 create mode 100644 roles/old/vpn-stg-r/tasks/main.yml
 create mode 100644 roles/old/vpn/files/sysctl.conf
 create mode 100644 roles/old/vpn/handlers/main.yml
 create mode 100644 roles/old/vpn/tasks/main.yml
 create mode 100755 roles/old/vpn/templates/ipsec-tools.conf.j2
 create mode 100644 roles/old/vpn/templates/psk.txt.j2
 create mode 100644 roles/old/vpn/templates/racoon.conf.j2
 create mode 100644 roles/old/wordpress/handlers/main.yml
 create mode 100644 roles/old/wordpress/tasks/main.yml
 create mode 100644 roles/old/x509-l/files/ipsec.conf
 create mode 100644 roles/old/x509-l/files/ipsec.secrets
 create mode 100644 roles/old/x509-l/files/sysctl.conf
 create mode 100644 roles/old/x509-l/handlers/main.yml
 create mode 100644 roles/old/x509-l/tasks/main.yml
 create mode 100755 roles/old/x509-r/files/generate.sh
 create mode 100644 roles/old/x509-r/files/ipsec.conf
 create mode 100644 roles/old/x509-r/files/ipsec.secrets
 create mode 100755 roles/old/x509-r/files/recupKey.sh
 create mode 100644 roles/old/x509-r/files/sysctl.conf
 create mode 100644 roles/old/x509-r/handlers/main.yml
 create mode 100644 roles/old/x509-r/tasks/main.yml
 create mode 100644 roles/php-fpm/handlers/main.yml
 create mode 100644 roles/php-fpm/tasks/main.yml
 create mode 100644 roles/php-fpm/templates/main.yml
 create mode 100644 roles/post/README.md
 create mode 100644 roles/post/files/interfaces.graylog-pont
 create mode 100644 roles/post/files/interfaces.r-ext
 create mode 100644 roles/post/files/interfaces.r-int
 create mode 100755 roles/post/files/interfaces.r-vp1
 create mode 100644 roles/post/files/interfaces.r-vp1-cs
 create mode 100644 
roles/post/files/interfaces.r-vp2 create mode 100644 roles/post/files/interfaces.r-vp2-cs create mode 100644 roles/post/files/interfaces.s-adm create mode 100644 roles/post/files/interfaces.s-agence create mode 100644 roles/post/files/interfaces.s-appli create mode 100644 roles/post/files/interfaces.s-backup create mode 100644 roles/post/files/interfaces.s-bdd create mode 100644 roles/post/files/interfaces.s-docker create mode 100644 roles/post/files/interfaces.s-elk create mode 100644 roles/post/files/interfaces.s-fog create mode 100644 roles/post/files/interfaces.s-gestsup create mode 100644 roles/post/files/interfaces.s-graylog create mode 100644 roles/post/files/interfaces.s-infra create mode 100644 roles/post/files/interfaces.s-itil create mode 100644 roles/post/files/interfaces.s-itil-cs create mode 100644 roles/post/files/interfaces.s-lb create mode 100644 roles/post/files/interfaces.s-lb-bd create mode 100644 roles/post/files/interfaces.s-lb-web1 create mode 100644 roles/post/files/interfaces.s-lb-web2 create mode 100644 roles/post/files/interfaces.s-lb-web3 create mode 100644 roles/post/files/interfaces.s-lb-wordpress create mode 100644 roles/post/files/interfaces.s-lb-wordpress2 create mode 100644 roles/post/files/interfaces.s-lb-wordpress3 create mode 100644 roles/post/files/interfaces.s-mess create mode 100644 roles/post/files/interfaces.s-mon create mode 100644 roles/post/files/interfaces.s-mon-gm create mode 100644 roles/post/files/interfaces.s-mon-kb create mode 100644 roles/post/files/interfaces.s-mon-yb create mode 100644 roles/post/files/interfaces.s-mon2 create mode 100644 roles/post/files/interfaces.s-mon3 create mode 100644 roles/post/files/interfaces.s-nas create mode 100644 roles/post/files/interfaces.s-nxc create mode 100644 roles/post/files/interfaces.s-proxy create mode 100644 roles/post/files/interfaces.s-san create mode 100644 roles/post/files/interfaces.s-sspec create mode 100644 roles/post/files/interfaces.s-test create mode 100644 
roles/post/files/interfaces.s-web create mode 100644 roles/post/files/interfaces.s-web1 create mode 100644 roles/post/files/interfaces.s-web2 create mode 100644 roles/post/files/interfaces.s-web3 create mode 100644 roles/post/files/interfaces.user-yb create mode 100644 roles/post/files/resolv.conf create mode 100644 roles/post/files/resolv.conf.s-proxy create mode 100644 roles/post/tasks/main.yml create mode 100644 roles/postfix-gestsup/README.md create mode 100644 roles/postfix-gestsup/files/sasl_passwd create mode 100644 roles/postfix-gestsup/handlers/main.yml create mode 100644 roles/postfix-gestsup/tasks/main.yml create mode 100644 roles/postfix-gestsup/templates/main.cf.j2 create mode 100644 roles/postfix-nd/files/main.cf create mode 100644 roles/postfix-nd/files/sasl_passwd create mode 100644 roles/postfix-nd/files/thawte_Premium_Server_CA.pem create mode 100644 roles/postfix-nd/handlers/main.yml create mode 100644 roles/postfix-nd/tasks/main.yml create mode 100644 roles/postfix/README.md create mode 100644 roles/postfix/files/sasl_passwd create mode 100644 roles/postfix/handlers/main.yml create mode 100644 roles/postfix/tasks/main.yml create mode 100644 roles/postfix/templates/main.cf.j2 create mode 100644 roles/r-ext/files/ferm.conf create mode 100755 roles/r-ext/files/ipFerm.sh create mode 100755 roles/r-ext/files/mkferm create mode 100755 roles/r-ext/files/nat.sh create mode 100755 roles/r-ext/files/routagenat create mode 100644 roles/r-ext/files/sysctl.conf create mode 100644 roles/r-ext/tasks/main.yml create mode 100755 roles/r-int/files/routagenat create mode 100644 roles/r-int/files/sysctl.conf create mode 100644 roles/r-int/tasks/main.yml create mode 100644 roles/s-lb-ab/README.md create mode 100755 roles/s-lb-ab/files/actu.sh create mode 100644 roles/s-lb-ab/files/haproxy.cfg create mode 100644 roles/s-lb-ab/handlers/main.yml create mode 100644 roles/s-lb-ab/tasks/main.yml create mode 100644 roles/s-lb-bd-ab/README.txt create mode 100644 
roles/s-lb-bd-ab/files/.my.cnf create mode 100755 roles/s-lb-bd-ab/files/installmysql.sh create mode 100644 roles/s-lb-bd-ab/files/my.cnf create mode 100644 roles/s-lb-bd-ab/handlers/main.yml create mode 100644 roles/s-lb-bd/files/.my.cnf create mode 100755 roles/s-lb-bd/files/installmysql.sh create mode 100644 roles/s-lb-bd/files/my.cnf create mode 100644 roles/s-lb-bd/handlers/main.yml create mode 100644 roles/s-lb-bd/tasks/main.yml create mode 100644 roles/s-lb-web-ab/files/.my.cnf create mode 100644 roles/s-lb-web-ab/files/compter.bash create mode 100644 roles/s-lb-web-ab/handlers/main.yml create mode 100644 roles/s-lb-web-ab/tasks/main.yml create mode 100644 roles/s-lb-web/README.md create mode 100644 roles/s-lb-web/files/.my.cnf create mode 100644 roles/s-lb-web/files/compter.bash create mode 100644 roles/s-lb-web/handlers/main.yml create mode 100644 roles/s-lb-web/tasks/main.yml create mode 100644 roles/s-lb-wordpress/README.md create mode 100644 roles/s-lb-wordpress/defaults/main.yml create mode 100644 roles/s-lb-wordpress/files/wp-config.php create mode 100644 roles/s-lb-wordpress/handlers/main.yml create mode 100644 roles/s-lb-wordpress/tasks/main.yml create mode 100644 roles/s-lb/files/goss.yaml create mode 100644 roles/s-lb/files/haproxy.cfg create mode 100644 roles/s-lb/handlers/main.yml create mode 100644 roles/s-lb/tasks/main.yml create mode 100644 roles/s-nas-client/README.md create mode 100644 roles/s-nas-client/handlers/main.yml create mode 100644 roles/s-nas-client/tasks/main.yml create mode 100644 roles/s-nas-server/README.md create mode 100644 roles/s-nas-server/files/exports create mode 100644 roles/s-nas-server/handlers/main.yml create mode 100644 roles/s-nas-server/tasks/main.yml create mode 100644 roles/s-ssh/files/config create mode 100644 roles/s-ssh/handlers/main.yml create mode 100644 roles/s-ssh/tasks/main.yml create mode 100644 roles/smb-backup/README.md create mode 100755 roles/smb-backup/files/backup.sh create mode 100644 
roles/smb-backup/files/delgsb.cmd create mode 100644 roles/smb-backup/files/mkgsb.cmd create mode 100644 roles/smb-backup/tasks/main.yml create mode 100644 roles/snmp-agent/README.md create mode 100644 roles/snmp-agent/files/snmpd.conf create mode 100644 roles/snmp-agent/handlers/main.yml create mode 100644 roles/snmp-agent/tasks/main.yml create mode 100644 roles/squid/files/squid.s-adm.conf create mode 100644 roles/squid/files/squid.s-proxy.conf create mode 100644 roles/squid/files/squid.s-proxy.conf.old create mode 100644 roles/squid/handlers/main.yml create mode 100644 roles/squid/tasks/main.yml create mode 100644 roles/ssh-cli/tasks/main.yml create mode 100644 roles/ssh-root-access/tasks/main.yml create mode 100644 roles/sshk/tasks/main.yml create mode 100644 roles/ssl-apache/README.md create mode 100644 roles/ssl-apache/files/000-default.conf create mode 100644 roles/ssl-apache/files/default-ssl.conf create mode 100644 roles/ssl-apache/files/ports.conf create mode 100644 roles/ssl-apache/handlers/main.yml create mode 100644 roles/ssl-apache/tasks/main.yml create mode 100644 roles/syslog-cli/README.md create mode 100644 roles/syslog-cli/handlers/main.yml create mode 100644 roles/syslog-cli/tasks/main.yml create mode 100644 roles/syslog/README.md create mode 100644 roles/syslog/handlers/main.yml create mode 100644 roles/syslog/tasks/main.yml create mode 100644 roles/webautoconf/files/wpad.dat create mode 100644 roles/webautoconf/tasks/main.yml create mode 100644 roles/wireguard-l/tasks/main.yml create mode 100644 roles/wireguard-r/README.md create mode 100755 roles/wireguard-r/files/mk-wgconf.sh create mode 100755 roles/wireguard-r/files/scriptwg.sh create mode 100644 roles/wireguard-r/tasks/main.yml create mode 100644 s-adm.yml create mode 100644 s-agence.yml create mode 100644 s-appli.yml create mode 100644 s-backup.yml create mode 100644 s-bdd.yml create mode 100644 s-docker.yml create mode 100644 s-elk.yml create mode 100644 s-fog.yml create mode 100644 
s-gestsup.yml create mode 100644 s-graylog.yml create mode 100644 s-infra.yml create mode 100644 s-itil.yml create mode 100644 s-lb-bd.yml create mode 100644 s-lb-web1.yml create mode 100644 s-lb-web2.yml create mode 100644 s-lb-web3.yml create mode 100644 s-lb-wordpress.yml create mode 100644 s-lb-wordpress2.yml create mode 100644 s-lb-wordpress3.yml create mode 100644 s-lb.yml create mode 100644 s-mess.yml create mode 100644 s-mon.yml create mode 100644 s-nas.yml create mode 100644 s-nxc.yml create mode 100644 s-proxy.yml create mode 100644 s-test.yml create mode 100644 s-web.yml create mode 100644 s-web1.yml create mode 100644 s-web2.yml create mode 100644 s-web3.yml create mode 100644 scripts/Windows/addint-r-ext.bat create mode 100644 scripts/Windows/addint-r-int.bat create mode 100755 scripts/addint.r-ext create mode 100755 scripts/addint.r-int create mode 100755 scripts/addint.r-vp1 create mode 100755 scripts/addint.r-vp2 create mode 100755 scripts/addint.s-adm create mode 100755 scripts/addint.s-infra create mode 100755 scripts/addint.s-lb create mode 100755 scripts/addint.s-lb-bd create mode 100755 scripts/addint.s-lb-web1 create mode 100755 scripts/addint.s-lb-web2 create mode 100755 scripts/addint.s-lb-web3 create mode 100755 scripts/addint.s-mon-kb create mode 100755 scripts/addint.s-nas create mode 100644 scripts/getall-2019 create mode 100644 scripts/lb-http.bash create mode 100755 scripts/mkvm create mode 100644 scripts/recup-s-lb.bash create mode 100644 snmp.yml create mode 100644 sv/postfix/README.md create mode 100644 sv/postfix/files/main.cf create mode 100644 sv/postfix/files/sasl_passwd create mode 100644 sv/postfix/files/thawte_Premium_Server_CA.pem create mode 100644 sv/postfix/handlers/main.yml create mode 100644 sv/postfix/tasks/main.yml create mode 100755 tests/s-infra.test create mode 100755 tests/s-proxy.test create mode 100644 user-yb.yml create mode 100644 vagrant/Vagrantfile create mode 100644 windows/README.md create mode 100644 
windows/gsb-dossiers.cmd create mode 100644 windows/mkusr-compta.cmd create mode 100644 windows/mkusr-ventes.cmd create mode 100644 windows/mkusr.cmd
diff --git a/README.md b/README.md
index a994ddb..4a9ef50 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,63 @@
 # gsb2023
+Environnement et playbooks ansible pour le projet GSB 2023
+
+## Quickstart
+prérequis : une machine Debian Bullseye
+
+
+## Les machines
+ * s-adm
+ * s-infra
+ * r-int
+ * r-ext
+ * s-proxy
+
+
+## Les playbooks
+
+
+## Installation
+
+On utilisera l'image de machine virtuelle suivante :
+ * **debian-bullseye-2023a.ova** (2022-05-07)
+ * Debian Bullseye 11 - 2 cartes - 1 Go - stockage 20 Go
+
+
+### Machine s-adm
+ * créer la machine virtuelle **s-adm** en important l'image ova décrite plus haut
+ * renommer la machine puis redémarrer
+ * taper :
+```shell
+ mkdir -p tools/ansible ; cd tools/ansible
+ git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git
+ cd gsb2023/pre
+ bash inst-depl
+ cd /var/www/html/gsbstore
+ bash getall
+ cd /root/tools/ansible/gsb022/pre
+ bash gsbboot
+ cd .. ; bash pull-config
+```
+ - redémarrer
+
+### Pour chaque machine
+
+ - importer la machine à partir du fichier **.ova**
+ - définir les cartes réseau en accord avec le plan d'adressage et le schéma
+ - donner le nom adapté (avec sed -i …)
+ - redémarrer
+ - mettre à jour les paquets : apt update && apt upgrade
+ - cloner le dépot :
+```shell
+mkdir -p tools/ansible ; cd tools/ansible
+git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git
+cd gsb2023/pre
+export DEPL=192.168.99.99
+bash gsbboot
+cd ../..
+bash pull-config
+```
+ - **Remarque** : une machine doit avoir été redémarrée pour prendre en charge la nouvelle configuration
+
+
diff --git a/agoss b/agoss
new file mode 100755
index 0000000..83988e1
--- /dev/null
+++ b/agoss
@@ -0,0 +1,11 @@
+#!/bin/bash
+HOST=$(hostname)
+FHOST=$(pwd)/goss/$HOST
+if [ -r "$FHOST".yaml ] ; then
+ #goss -gossfile "$FHOST".yaml v --no-color
+ goss -gossfile "$FHOST".yaml v "$@"
+else
+ echo $0 : erreur lecture fichier "$FHOST".yaml
+ exit 1
+fi
+
diff --git a/changelog b/changelog
new file mode 100644
index 0000000..6bf1759
--- /dev/null
+++ b/changelog
@@ -0,0 +1,7 @@
+v5.0.2.j : 2019-01-25 -kb
+ ejout role s-nas-cliet et s-nas-server
+v5.0.1 : 2019-01-24 - ps
+ reorganisation : anciens playbooks et roles deplaces dans repertoire old
+v3.2.0 : 2017-11-16 - ps
+ ajout changelog
+
diff --git a/confwireguard/r-ext/r-ext.ip b/confwireguard/r-ext/r-ext.ip
new file mode 100644
index 0000000..82ed3a5
--- /dev/null
+++ b/confwireguard/r-ext/r-ext.ip
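Review bot: The failure branch of agoss writes its diagnostic to stdout with an unquoted `$0` and the `.yaml` suffix outside the quotes, so anything that captures or pipes the goss report gets the error text mixed into it and word-splitting applies to the script path; send it to stderr as one quoted string, `echo "$0: erreur lecture fichier $FHOST.yaml" >&2`. The gossfile is also resolved from `$(pwd)` rather than from the script's own location, so the check only finds `goss/<hostname>.yaml` when the script is launched from the repository root; `FHOST=$(dirname "$0")/goss/$HOST` would remove that dependency, assuming the checked-in layout keeps `agoss` next to the `goss/` directory. The hunk is the whole file, so nothing is cut at its edges.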
@@ -0,0 +1,36 @@
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:03:d3:28 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.99.13/24 brd 192.168.99.255 scope global enp0s3
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe03:d328/64 scope link
+ valid_lft forever preferred_lft forever
+3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:63:40:ea brd ff:ff:ff:ff:ff:ff
+ inet 192.168.100.254/24 brd 192.168.100.255 scope global enp0s8
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe63:40ea/64 scope link
+ valid_lft forever preferred_lft forever
+4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:4f:29:27 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic enp0s9
+ valid_lft 77233sec preferred_lft 77233sec
+ inet6 fe80::a00:27ff:fe4f:2927/64 scope link
+ valid_lft forever preferred_lft forever
+5: enp0s10: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:9d:16:f8 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.1.1/24 brd 192.168.1.255 scope global enp0s10
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe9d:16f8/64 scope link
+ valid_lft forever preferred_lft forever
+6: enp0s16: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:07:c1:0f brd ff:ff:ff:ff:ff:ff
+ inet 192.168.200.253/24 brd 192.168.200.255 scope global enp0s16
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe07:c10f/64 scope link
+ valid_lft forever preferred_lft forever
diff --git a/confwireguard/r-ext/r-ext.routes b/confwireguard/r-ext/r-ext.routes
new file mode 100644
index 0000000..b9b7d78
--- /dev/null
+++ b/confwireguard/r-ext/r-ext.routes
@@ -0,0 +1,9 @@
+default via 192.168.0.1 dev enp0s9
+169.254.0.0/16 dev enp0s3 scope link metric 1000
+172.16.0.0/24 via 192.168.200.254 dev enp0s16
+172.16.128.0/24 via 192.168.1.2 dev enp0s10
+192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.20
+192.168.1.0/24 dev enp0s10 proto kernel scope link src 192.168.1.1
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.13
+192.168.100.0/24 dev enp0s8 proto kernel scope link src 192.168.100.254
+192.168.200.0/24 dev enp0s16 proto kernel scope link src 192.168.200.253
diff --git a/confwireguard/r-int/r-int.ip b/confwireguard/r-int/r-int.ip
new file mode 100644
index 0000000..737fbc5
--- /dev/null
+++ b/confwireguard/r-int/r-int.ip
@@ -0,0 +1,36 @@
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:c9:4e:0b brd ff:ff:ff:ff:ff:ff
+ inet 192.168.99.12/24 brd 192.168.99.255 scope global enp0s3
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fec9:4e0b/64 scope link
+ valid_lft forever preferred_lft forever
+3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:34:ef:8f brd ff:ff:ff:ff:ff:ff
+ inet 192.168.200.254/24 brd 192.168.200.255 scope global enp0s8
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe34:ef8f/64 scope link
+ valid_lft forever preferred_lft forever
+4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:56:72:01 brd ff:ff:ff:ff:ff:ff
+ inet 172.16.65.254/24 brd 172.16.65.255 scope global enp0s9
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe56:7201/64 scope link
+ valid_lft forever preferred_lft forever
+5: enp0s10: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:7c:d7:5b brd ff:ff:ff:ff:ff:ff
+ inet 172.16.64.254/24 brd 172.16.64.255 scope global enp0s10
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe7c:d75b/64 scope link
+ valid_lft forever preferred_lft forever
+6: enp0s16: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:e6:59:3d brd ff:ff:ff:ff:ff:ff
+ inet 172.16.0.254/24 brd 172.16.0.255 scope global enp0s16
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fee6:593d/64 scope link
+ valid_lft forever preferred_lft forever
diff --git a/confwireguard/r-int/r-int.routes b/confwireguard/r-int/r-int.routes
new file mode 100644
index 0000000..720ce08
--- /dev/null
+++ b/confwireguard/r-int/r-int.routes
@@ -0,0 +1,7 @@
+default via 192.168.200.253 dev enp0s8 onlink
+169.254.0.0/16 dev enp0s9 scope link metric 1000
+172.16.0.0/24 dev enp0s16 proto kernel scope link src 172.16.0.254
+172.16.64.0/24 dev enp0s10 proto kernel scope link src 172.16.64.254
+172.16.65.0/24 dev enp0s9 proto kernel scope link src 172.16.65.254
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.12
+192.168.200.0/24 dev enp0s8 proto kernel scope link src 192.168.200.254
diff --git a/confwireguard/r-vp1/r-vp1.ip b/confwireguard/r-vp1/r-vp1.ip
new file mode 100644
index 0000000..1e76fe4
--- /dev/null
+++ b/confwireguard/r-vp1/r-vp1.ip
@@ -0,0 +1,20 @@
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:53:62:8c brd ff:ff:ff:ff:ff:ff
+ inet 192.168.99.112/24 brd 192.168.99.255 scope global enp0s3
+ valid_lft forever preferred_lft forever
+3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:b0:5e:11 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.1.2/24 brd 192.168.1.255 scope global enp0s8
+ valid_lft forever preferred_lft forever
+4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:28:10:4c brd ff:ff:ff:ff:ff:ff
+ inet 192.168.0.51/24 brd 192.168.0.255 scope global enp0s9
+ valid_lft forever preferred_lft forever
+12: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/none
+ inet 10.0.0.1/32 scope global wg0
+ valid_lft forever preferred_lft forever
diff --git a/confwireguard/r-vp1/r-vp1.routes b/confwireguard/r-vp1/r-vp1.routes
new file mode 100644
index 0000000..dc7cff3
--- /dev/null
+++ b/confwireguard/r-vp1/r-vp1.routes
@@ -0,0 +1,8 @@
+10.0.0.2 dev wg0 scope link
+169.254.0.0/16 dev enp0s3 scope link metric 1000
+172.16.0.0/24 via 192.168.1.1 dev enp0s8
+172.16.128.0/24 dev wg0 scope link
+192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.51
+192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.2
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.112
+192.168.200.0/24 via 192.168.1.1 dev enp0s8
diff --git a/confwireguard/r-vp2/r-vp2.ip b/confwireguard/r-vp2/r-vp2.ip
new file mode 100644
index 0000000..90ee303
--- /dev/null
+++ b/confwireguard/r-vp2/r-vp2.ip
@@ -0,0 +1,18 @@
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+2: enp0s3: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
+ link/ether 08:00:27:46:2b:0a brd ff:ff:ff:ff:ff:ff
+3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:99:b7:7f brd ff:ff:ff:ff:ff:ff
+ inet 172.16.128.254/24 brd 172.16.128.255 scope global enp0s8
+ valid_lft forever preferred_lft forever
+4: enp0s9: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:34:71:77 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.0.52/24 brd 192.168.0.255 scope global enp0s9
+ valid_lft forever preferred_lft forever
+7: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/none
+ inet 10.0.0.2/32 scope global wg0
+ valid_lft forever preferred_lft forever
diff --git a/confwireguard/r-vp2/r-vp2.routes b/confwireguard/r-vp2/r-vp2.routes
new file mode 100644
index 0000000..80afa3f
--- /dev/null
+++ b/confwireguard/r-vp2/r-vp2.routes
@@ -0,0 +1,7 @@
+10.0.0.1 dev wg0 scope link
+169.254.0.0/16 dev enp0s9 scope link metric 1000
+172.16.0.0/24 dev wg0 scope link
+172.16.128.0/24 dev enp0s8 proto kernel scope link src 172.16.128.254
+192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.52
+192.168.1.0/24 dev wg0 scope link
+192.168.200.0/24 dev wg0 scope link
diff --git a/confwireguard/s-infra/s-infra.ip b/confwireguard/s-infra/s-infra.ip
new file mode 100644
index 0000000..4e7304a
--- /dev/null
+++ b/confwireguard/s-infra/s-infra.ip
@@ -0,0 +1,12 @@
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+2: enp0s3: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:4a:25:54 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.99.1/24 brd 192.168.99.255 scope global enp0s3
+ valid_lft forever preferred_lft forever
+3: enp0s8: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:ee:b4:01 brd ff:ff:ff:ff:ff:ff
+ inet 172.16.0.1/24 brd 172.16.0.255 scope global enp0s8
+ valid_lft forever preferred_lft forever
diff --git a/confwireguard/s-infra/s-infra.routes b/confwireguard/s-infra/s-infra.routes
new file mode 100644
index 0000000..eccc16d
--- /dev/null
+++ b/confwireguard/s-infra/s-infra.routes
@@ -0,0 +1,7 @@
+default via 192.168.99.99 dev enp0s3 onlink
+169.254.0.0/16 dev enp0s3 scope link metric 1000
+172.16.0.0/24 dev enp0s8 proto kernel scope link src 172.16.0.1
+172.16.64.0/24 via 172.16.0.254 dev enp0s8
+172.16.128.0/24 via 172.16.0.254 dev enp0s8
+192.168.0.0/16 via 172.16.0.254 dev enp0s8
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.1
diff --git a/doc/Docker-openvas.txt b/doc/Docker-openvas.txt
new file mode 100644
index 0000000..92d4638
--- /dev/null
+++ b/doc/Docker-openvas.txt
@@ -0,0 +1,38 @@
+Fichier de documentation fait par Adnan Baljic, le 31/01/2019
+
+Configuration machine:
+Système: Carte Mère: Mémoire Vive: 2048
+Stockage: Contrôleur SATA: Ajouter un disque dur VDI de 8Go
+Réseau 1: n-adm
+Réseau 2: n-infra
+USB: Décocher "Activer le contrôleur USB"
+
+Important: Avant exécution du playbook, veillez à ne pas oublier de créer une partition sur /dev/sdb:
+-fdisk /dev/sdb
+-o
+-n
+-p
+-1
+-w
+
+La configuration de docker se fait automatiquement via le playbook s-docker.yml
+De base, s-docker.yml installera seulement docker-openvas-ab. Cependant, vous pouvez aussi installer docker-iredmail-ab en décommentant sa ligne et en
+commentant la ligne docker-openvas-ab. (Tous les 2 sont accessible depuis le port 443, si les 2 sont installés en même temps, il pourrait y avoir conflit.
+
+Manipulation à faire pour la mise en place d'Openvas via Docker:
+Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
+les interfaces...) et exécuter la commande ci-dessous:
+docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas
+
+Manipulation à faire pour la mise en place d'Openvas via Docker:
+Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
+les interfaces...) et exécuter la commande ci-dessous:
+docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas lejmr/iredmail
+
+Ensuite, il faudra faire: "docker start nom_du_container" pour le démarrer.
+L'accès au container se fait via une machine virtuelle windows 7 avec Mozilla Firefox à jour, via https://172.16.0.19:443.
+
+Le changement du système de fichier de /dev/sdb1 et le montage sur /var/lib/docker se fera automatiquement via le playbook.
+
+Les tests effectués:
+Jeudi 31 janvier 2019, 15:38 par Adnan Baljic= TEST OpenVAS OK
\ No newline at end of file
diff --git a/doc/icinga.txt b/doc/icinga.txt
new file mode 100644
index 0000000..a9457f7
--- /dev/null
+++ b/doc/icinga.txt
@@ -0,0 +1,3 @@
+Roles fait par Adnan Baljic, le 17/01/2019
+Installation de icinga, nagios3-plugins, copie des fichiers de configuration vers /etc/icinga/ (=commands.cfg, hostgroups.cfg)
+et /etc/icinga/objects/ (=namevm.cfg, services_icinga.cfg, contacts_icinga.cfg)
\ No newline at end of file
diff --git a/doc/pics/e4-SAN-V2.dia b/doc/pics/e4-SAN-V2.dia new file mode 100644 index 0000000000000000000000000000000000000000..b16344302581b9ea1c9cd780a92a49b374f69a3e GIT binary patch literal 3303 zcmVfntiwFP!000021MOW~bKAHTe)q4?D6cY%gF9C1>?FJ0>CUuiCfPoFXp52A zP?u749QUEWr~MuK#|nV5tqW;OBteHMoJlg0A$$aM@SO_|4u1UU>nt67iL+I*n4b>; z;o%^jUo9rde0o0o`|rP=s^L$sPkx*v(GTYDG>c{f^NIP&zB(UX=lSx7v$NaVTa@0d zqI{8|G`T^m`0U?Nnnq`)(b@3z$zZVA!6eEf``-H9D9^Lx@+OZ5^Jo^I4=&bGFsb6MZkEX?&T*(dX)}vH8)uPS?vg+wFF? zT&xn)B)?nkHL2*w{=3m;-D+hT&8M$lyNl1aFqljGqoyM;@;h0D5yOI8=lMV4n#lJ7%aE*5DV%?s2#yNT=LtgfQe zh}cuZYA}jVNuDpBdHzpPx;kV4#oG_7?bww&&63H}3wNtUMK8C>B)`7+>S?-)-tRp1 z{v}x@muXz~^vOJLt^2!ny5IeF9D6^0yrDD{y;Z7*iHdp5k5>=Vn`9ENo)NR{HWfWx zubZ7cH|x9Y4xO0dtsQ0UAkyeA&eq+($+F~+|77v$GL7cL!TLL1lg=Qz%9AhmuQsM- zaruwXQ8pQz4&E-l4j;`BV}vA=^Wop{_I&M*&~#>~aBsqviwCJ91OcIB z1PpP4+3sBIGf5T9<>f9)X2ucCr)m6vgk^!mBxYku5amLR2t|s5tcM(@@$BMikmkqLJQ_Yj?vvyy_qljlnZkn>4>iP~&C0p|kscQhMw)~9 zLo@@Bf(fbXp&1J>er{xj74Y^CGyt>8_9ojGi){}L<9ZOEk~BR4V%xubQNnp@u2%V7 z8t($c^PAcFi`lagO0C7C<}Xc_7uSm{`PX8eN9mJ;+cDpdhB17ZCs+PJRyUW{$BBov zC+Rq4@MiEfndXaIV?w?ExkMe1rs}}xXN{>Cng1E39<_l1P`m)5ijKk9I!b73fJoJ2 zUC_q-9i$3u_nSY$qbgvCZj-YNnjmO`pb5Iy1RL(|@A22XL<7*q8h{{f48D;uHnE~U z{oMy7f|ycl3>;y?oD-^OUF6(O%QH$~r%ly2>cZn&?RFyRA5Wv@GEGkY^x^%<>~8hX zv?8$nL^P^OWX*yoL$>b^K1H)6y)zFO%~!*LTejyzg@^0U{y9#+#8%c%-!9V0=BhpZ zIrcO|DPyZ0#%9exx8?IF8Lb1i9j!Z1P1FI3(quZH#pT~@1<^hg$SjM+9k*D%xJRny zeA+H${l%!6k`NthOj&>g!L$RT6%ZFf7*C&30%~l5C1ws-(VANDYB8T*#Pf+8P@Q3x zw*(>Wb1Fh=T5CoMu9mxxQxMnWuy8G*0#jVTOHSa8CE6BeAXT27c~tOb-=?SfbXS7R!DYJo>2ij^D_V>(bJofF3EB6sVA z*_C;-Jo)9_$KZc;o3F^D#rb=N9+|~yhk&cGMOK73WXY)S;84{# z%bS`f>}zz0w-+4()k=8ic@?W0t5}Ax(Qwu*r&4mCD)t_UBB=-;ZyjV)j;c(OzjBYX;R zEIc37AWTb(#JC`KOMo(JUkU)<8(WpbEIk%LwAQYvd9s(-*lI~Qcnha^%vZ$SR4DFQ zHk5FC0YVY&4svR1A{ybK++ww^~B@v*$p?~ePV&oWGT9E<`x1tbX8T=b zgGeOS%79S#zBU)2yUm4QW3?ZkCe3q(Ig-*kyb^Kk*VQ&iL~@5jm2tJDF}bj|uLYCJ 
zcRZ$QoTcks8qd--Rdo+Dwh|hwG%}ts01me?YHihl+KxW*j*=G$wBSz=%E3lOfCBGHBHU|0l3iXDn4Im4T&tc%+{+P6f4&u>{?P?_iLyR1S$r>U;-c z&-7~~l>gMHs&Q7w3Yr95zem^M;o!gaocCOQ`w(fI<;RiM9J7%<#wfVYEI)(9?va2q zdtyz)h%%%U(LOf|S{dRYy9M?lCBZi|m(ML@TUOIpIHW1q8ku zubs1H#qA=CCdtj}sR<)T#@t)Jse`vr^;k;~Bcja0Wqzw3Yf=Cy&Bpc?BF^-PQdB#! z?wcqR+rs>XM3u0I84^{(CQ5@F{D^3Ng&&hl82d>e!)Mg%6@HAak%SaL7xyH*~;vbr4`SK!`QC z>L3iLF7{k_2gO0kMp;oDgi!mKz=-PIeVIE|8PqXXA`r3tVck(uHEn)`z>u02!loz) z<#Pjc0|+Z^6C)&NMQTJJuBirX^XJTp)1jDemu^mlcm|!@!_;aDEgX0PZcQ+IXSw!! z-l+gGx>mb1E+L9UF5C;p;Qp3`H^2NfP*q1%RUw;!s(R=iP|{Xr83j~(SN|ZYvO5z> zDF;M>TlWAHkoGk&=Dm1e#W43?r?0R({y8e?VIZ#bF}cW*!IT zHxyR@N#vYdX4uqdTw?Df>Vbb?9D|@}JB!1Wieyl1ur@}|O_W0JMY2fkc+)ZGdNvZMN_l(!;^stAE{?732}1_?z> z*w#n2qNrSqm|*Ba63d2JS{_vkN%|HPu8Qjt+LhrZS~!JH99eOsc-<2WhnC-?+}`cM z5#d~pACLvAe|F*}V!I?<)YkEd^l}LeC(`>E+?6eCMQO0N3kV|@+ACw(txE0cD+|Jm z_IyO9Lid2NY??}-sm`{b%EdC!R3B+dwLw#oGkaYMWdNRON=sL|LNWp44P>SPdO=g+ zTFDM+s#GikP4$tcny05}q`;oS5r|8#8&LL^Dg`hi9BIYacmrA1E^g2*P4U1|9mVde zq%yEn4}_!i@;ah5g}N<-hS=&O=r lI4T{SHx=aKbsF8p+3SV literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-adm.dia b/doc/pics/e4-adm.dia new file mode 100644 index 0000000000000000000000000000000000000000..198cfe58fcc4b51d35b14073330b18f0180fb4bf GIT binary patch literal 7078 zcmV;X8(HKZiwFP!000021MOW~bK}O9e%G&1DKEQKR8ODN_aNhx?TH;%#oj3^Sy%Z* z1&JJq8;Vp&%46kWf6wN3_>b*50Ck}RNECp^2$NPSnot4xp~2JNx%9dG;g7#w%=Uko zELYRT{Othe8sQc9-Ob& zm%o4W=HthYVs^dC*Ndf?O|Qgi^5%c@*(`rU7ri<7VsC%{{s)Znbn-6-k^+`{B`elAL zIayBfzt?}bq@NI)efZ^M`S61;E*GmQU9!Hud~`|8=kV`)*KDp@(M9vKFMju>{#|)X zn?KxrR@IHxf~+s{<=J%p7>AzDtb7zGJR;KLFu@1uw1b;x@^ZM7e&J^Q!Y%uSo34&8 z7t8fBpRON6o-7u#Nj@)8*UPI(bDY&_J|hu(YFRB-@nO1NFP^#o5BY4h%L2+j-|n`T z?%cEGbo}(j-MXUYQ^wcy@ANe4SMqT>UY{TT8tE%3Km9t=r~fitO;2W%s=J@g*PVU* zbvGaXPyz}aargF?5?6j&tr8mhiJ6!tO6crrI-aba5$5e{YCh?FbJ?5cp8Lb=T0WZb zbagq)ub*DR!;5M@E1$2Y#9{erGVX|J>Zo#_UmmU(hYxrnBGTgIeG_oi*IuJ3 zkb_pukon0TPv+xClCkqTt1orsjar4S*^SMwE>15W-cOaXdFn&&M1S>21>O8V`{yJh zELS8F>jjB~x3>bf5tTR3zZq`cy!~GPn7SX_QTgXmYIhLhuNJ>nNHMgPVoBfB$OsG( z_~Z`ps9%MN(WsmbQe~jMM+wn2~H_(&;%2a6;u$xA(CYP!GfmU`YQHm zC&I1T3bzwPm?KgI+C-FVCzNLt`l2%+$dMC924!PPbL*AuBFH3KVD3{|Na`)Aw?5UI zZtb6e@U%Idu#W7rnC=+?sR9TIDAPvx5n2I0CJS`2x?PBXeNB6x32a0n057z@Z&lmG z1c?bu2TTwOHSL3m%LAd%%wC&<1$cW(tC~h=b|!+Bi`$h3whRJ@Y7YQ-jRfe>TJXvz z8b~x?+tL7S6f*)XVuor7gCT(20V{L>JwhW4`DQUGpyk4L+5hzEycz^$EGkDHdrUI` z1l|XeY5#xz`~Qc@`r~5xciR5%^Y!UD{hm)|_hIn z^aN+q%j5IKa{AB3e4WppT-<|Hh8M#SW3H#C@jzBrC!E7JIcWTlUZxJd-2ZBNwqAUk zEcf4kU7-+s2M75|8^s5c=+VbL$j1#55K@L(c;{_#Ufvk_Rj7n69^p?Fd^D(X^3s>2II%d4UiBKXTBV|ZD zz^};#*7S$rYJ^T6;ZBjshzbA`-zUCLeE(_q{`nMMXrIF?OO^sz&{Ry*pO64dfdt?< zhu6~o;MW>L^c>#0byk}4#zT2!({gbL1&H2Jj9)E|2#PHgK3xRVcyLZbBj_^^B$?QescPFk75n#rh1 zM$PLrYFg)Yqb6mKeS|X!2&6A<8fiJ436@`@P)f%(X=+wkc_qkThicM1C@iuqOd9Ce zq#ReDfzx=y2m+~wrpRl4F3+ff2iMenrA3dTt?M4NGdeoV zFE3})y+8fxi{9-!0rW?%XtAqVw-@ZNYWXF{6 z{qtn@%Y=pf@TUj{>s$RT7DbZ;IS+c>8j>`1N}4=pR?p zu}W5KPfmB8fF>(;&{izA&Y~s)F$zl)OhvU~2}y5|K(Q6eNkGPI8V(QGitXePCMz~s zvB`=}R%~M{7NG-Gpo8^nB&eWVWK~cgS>b|rT!!E=6lVfTH%0E(ish|&b-DNMhofY} 
z_G81=if6K62YGOWt&`=6Hf-SbX-peY%cgFToNz`JbyGLUIy6O2=h~kYJ=FTUmQ*A<~1DCJQ~)HXDxy%aS{QKQG>q{riJGxw1| zD5DJ7=RumF(5WHRdnC&|wq>rRKx53vkX5wR^Y-(w%%MNaoMrx)$5dBr!^*9ng2H|E zS^bIr$7-Fk{a9u0wXTIxL7+4vO*V^+Ixv-hpaAj=#O9vUnm4bLQVrPJ>)`qAX6gSHE|-zh&*wDnDhIe|fGVoYlY ziHtX}88ImNl>FME^RZjh)ULDQQo2#&kS}$vsVD#G!dj?n8_hf))&kgmGh)Yat>^j$ zW9#yxAiU!|q#zWDRm_ILLAVVP3$V@rcnEA!j-;I)uyNDLBit}#_3#ua*3$@bG-H5%eIkUHwLcMz(;k&Kf$p`}zs%Uf>- zJkzm*r?-pmWoTm=&h$YAARRarwfbahaQ&8YO}j8`p7NZ?yq(PIIgmskh8L-H79IT94}p9&)bzTk>F4R$&-vMdP|+ngjT4=Co#c*eZ-l3U%Fp^ptz*CW)p|j$UsYVW zsq4}xHb&2MJ1ttbImp*tPnxNV^0u!IP(m76cAl_G#cd(RDY={ZwJsxM(5`60s6j`s z4yapa^`*hW(3)P<^{w!I2WngA_iH7bb&k{Kz{TupM?kg&0s_jk5lRA!h;5Af8UnRl zJijJ^S_l0FY5`JyNea}aK<(=d)V9v;CpwnEqqLRKGG=bS2H~Nc+3g{_g=L%E3?fK7 zo$uxI`Bgq$PWDomwx`^p8tMEzLLvBX7o`my^xJS)&UixO;`ZApfecx%nBBwG(xoVE ziqh6eVv5oZvg%07E*xs`n}|l#6D01b>jRcS9`IS=ik8S4TZ2|m;coFEKrc}e0T35>t0RVolu%wvi&86PtO%t9P%$_Lh94%u~7BQ14ffP|z#<^9V=N*zk(=1{BUj1`M<2N~T>G2)-(fF%bkIbg5%aIfH$Q%v4h?#o!u~)c(|N%lPd82L5+Y<-h#C?q5j0oR zX5?6^n-c8du+zKme@@)g4>vs$$3#p6?m%bSmxTqPdEQvyVP_aM_(e!SNJ?0Aqn;T(URTXEbaPMdOR{V<-TkiD(JFmVX`@9nja%m>BN-!} ztPw5`j%gp?z+i?>NX_=K2zo&F@!yXA^kXuRdoqwKg)&*muR7iD+2bXnJ2+l4Bo|s( zZ{nUX=>mqp_>jpc^dt7_&7e=2T0XjT(3B3E(m_)?Xlh}tn)W$xee+$iQ~R+~E5tDwslz;DvK^d(b1?-P5(g9a7`((O&cH1ekZuT` zG&mI8RYu4+s1rr?b`D-8mWif@NmH(ic%L4j&>?cPPm^NwWJ947N(!`P$&~a4U?gK`(zzZMfQwWaWi%{FsL)nJw=Nb!4JWZ3QSU-BT|W`dd=IZlFUR@ z!z8NEJ{V;^+coIp7Mt4QD9nZoc($8kNUetB?^%;bs@IrQg;XYv8YD+q*`A}Is5f;g zDn*qbq#enWLXJssiK~D86h$Uf;-$WL>9HgxS{f!TK^N8ju3!m+CT_8Rf#U>cTPmSs ziE5o00y#ks0W-CHW|#4(=>4Kxkt!`bW8Ph9?eym(V0{t|wxu z5X3}E!z88lsrsr^QXqU(qv;L@6<3J)!l45ZhG8@%YU(K(UM-G^o`y+Jt&{UH2xCiu z2qr2&-2o|^DQ@&om`)&vz)zU?sV9D_k;g<(!z8HI$>V5+hEieKsQh$`gO1amKw`m9 zatQ4}gi8F>6F*gpW1^>F(o^dMaxbhlJknc6%^xpeNH=CdxFYC82GkJJ$Aw8}bv;p2 zwJ0WL8YVNf&KXyV9IcJ3A2lR?4+tSsT1eB*pX`;NQc%1nda9GhL{P&dDBnQ?HHRZF zeAwy%7NdPyfup1jAwy!RQ1ox&mmwY8C60PlBojpqlcHKDi-Q#*kURvZ<5JWHM{zqu zZZKEGK!X6(iJ}rk?I4ngq6SG(u6>tmDZr9Z9WyjuLdc>|HrY>Qqih&NqwGXYJ;uf# 
ziDF`87Z#Wghj;DDw6^C_1PpC_(V*Jn4Xcw#7)EGChVY$MV1F>v8z}l z`*60XVX;^q+9@{-qbVg6^jE}EA&rTghDlDX)5R4E?M7rt#|$^!f+%w6lp;rt`xAf| zL@K6F%+%9?U4wIy=MQ_X%DsD~zr(rS-kBuZj z3{t70Wu_c(H~03>ZkKNEAhg>0u@RfOYg)_Jk4w$mQ#1F}%>A`Cb9bhLv@%H~ri722 zQ&ys&A^tbQsG=LLef{?7(c#5nzV}0ZHeIatR@bZ9;w%}gy=9m^7R_X_4%3rvotZC% zF=liqg^e5M+u)F?YS3gnMUU_pS6du_KYet1{@cGU^8Ig*zIyW~O<%}=mtVy`3PrC_ zfVqQg7S2(j*6`mk)2}E-D{k;;!6G+;!Un zcfmed>J#I7o!)-8?Rs2qojz`z?yZp+Z4{!Xd*9%c>E8OLeViOdblWCpp{Efm)#8}c z>@d}A>r`)!E(BwGP_vALWkMyXS(lZQpe$=M9neNrv$gB2zSKdXX0^tl>skF0HS6Ki zs97&N$Zk;qd1kCM7*&pMkd)BIfzR%cQ8q^IQ`sg}+gplDwMZsq+q1H5L#Jw+5q&3& zxckwyZ=I8jT5u?*ojTi1!)xI;NQ#g$ZWPu!S<>PgVhv?+2CDdd$j^U+;%dalLnRn2#^giFJPiWvj$8omdaD(94G|vj4Oj zkyC}%sJPjG&N|IQWKk>2S>Qgn0$D-yGOwCdR$mDoirWlYeTpitZbT!%`7BlTo z8)~=T9J;OztrKGGqQ=?Nes1-xy`aWf7cDz6lr_%E7h>%~)49bjs&TGd=My!~bc23y zVr)Asadv%)aTh(Z6{;Sjm>b|YEE>;Z@SYpuD1t1d*x2|DaVnQtc_pGMgjgAgLl_U(|#yY!rhsxWG<+XjbOw9J3iJcEmHwHrc$J_OoH){78?e1mE3O14E8Fq6I=rgz{wIO1@?!G9hH7x##RaQIx_mQ7JSHyhxrT{(zm10f`a>WQJMB{DJ8 zFc~Uz&=AFk5gE*J4XGOx4qcEPWgJh(RXE_%{7xQW>e7;mGE;GWs@iH{xVFv-B}O*ZdQJzIUd8mQZ;_PH-n&er zKo6dEfmO;4qHt@vp3e5Z{mc9B_P)8|uj1X57r9toC!@9}qqa_5lT|y&Gy#z9(}6k1 zTm}{iFe+x*4(BhqvS`O??lR@2E^txm=;JZ#R#|WP1dJtYazBkMpI z4Shu*T!<@(B?<(?u^8l|EqWRB5YF9`jop)tT_uajzW&7ab@_UhUr&}_?3FL*zh}$* Q;)}ii2R^yEd6W1700%kBKmY&$ literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-adm.png b/doc/pics/e4-adm.png new file mode 100644 index 0000000000000000000000000000000000000000..a7937afec5e6b484a79b11bb4578e7fe902c030a GIT binary patch literal 86343 zcmd43cRber-#)Beq);d+oc1b_%8KeVqHHpX$jZ!0Mx;_GJA{lxWF%W=DtkmBBV#OVnX7DPETUuQ$Bp5A4pj zi6s&uBwX_f8A!iPrgNb}ttIQnyOcD3R@Q;^{GRFA*{@|DW$M0q27WIFT}dOSZ1dqo zGCw!BcBWxPluhY1OG`^b!%y+j4}WzRrA~f5efo5|ZhlX$#l=-(W|7mxuimn<+}vDG z&(k3s7cO1CEV(jy);(jfLVoj3O3H%=4|1M=5*QT3lIF3pIQ8n)D?u-3LB9@MGCSKo zvFLFNKF5b>w>*0-;%AalY?vI|<)Rzu+PQOlEG*?;zI>^yto-mH0pCm2Oy}X{RXf+$ z87q49sBKf+>FqpNREX>&Un1mG3Q=w;`K4QCK;wN?Zv{OH0$vHtFc< zITNMc4W)em}3Bs(JvH!JoWpL_i?LEb!Fwi(9pTDjI#N$F9B+25_4awI6E)3 zXI}L&`}OrrO-&6uJ9_|=WX~IW(}|vvCBc4r-s1S;;^I)=i!?#u;o*~e8zP0HBwUXt zeHiL3uzijzh9A*?)j*MJ@O~>{dSM~FodV=d_wdF&bu zHUFgoWp*zM=h1Du4{7P>%#Sp)ijZD!To-=%9XO$Q?pz~$BERQxn8QEH0nY)9Gg?d)h4SWqxu};P~;ptSkmmhmqCa3rm}nqD5QFJUl2U z9?JMJ%#C*liHhpHI89AWjmbZL?ASO)$H8INmzGy2&+?kNd1vayjHnYf(_UZFw9gV% zU$(Th-Kc%cjb{kWvmdDRBOWuU-xoxGX2sB0FZS!#O9Vk7p@DohHa031OUpDjgZ)SJ zim%(+c4S_a4P~z|HZ?u)=VfYaJar&DD@!Y2`XT+1_Anm(Q3==in>TMhiHM+X9;gba z3ShD^H8nLeGrM|K$fW*B2&asne`@Tbq8g*Z55Ug!il=@0sPS2s2) z*3?}ry-sOPv2!O|JU%14wV>c6A@aCYWW6VbS5Hrmm}A)?_-}Z%OWj1MrzZF?nDaCg zMi@Jv5o{ct*H_BR?`|`G_hDxEW7Lx;?Ok0}6%|9n!@Y%$78sp(@?wso4nwt}PoF+L zQnnK8y*&Hl{rn+G_e=WvWlj@4__v|9)=#0h6~GJ|ixuShu~>{6shZS5 zug^Nw1hZpfR8&+vHG8X~r+4b+uSMRA&dUv=nnl&CP2s6sd z^E}1ACUutT#EBCG7kqSjT3UU5ec_Ftwd*?&c;YU9*w|6xx^Ud0?NP6VkJF&u`3~GHq(q;kRqou28)MADUIWs9(~I`TYVFYWh_ z(@Vp#3qL+5<>aVqWqmr%d-s;p*V0?A?g~XWetM65lw3DTtu1b$KcY9d+jKRHQz<4b zIXO@y{PoM2m>8l1!dD&x6O$6L#AS{qY_RuMn`=YaZ{Nq^;lCFbse+1%Ttn&g(%%WE zHZ(N_de_#~b?_9G4`#&II$a-WdPdAKYbFEKWsp^qPLzt}N-ciV26NBaycEb1hAIYQ-mOXO};-nnx}zUyUu1-Zia zp&@>)*SEdh+}zs3T3Xb7h*{1v-{n(jv-0zY?_Qk>zGU2-_sG}R7xA(wHN!{y@Qc@+ zN)h3a9#$g$W38$5U1kUZZ|sM$*f2WPCqkvqAl_Pru0As~G$io79O=I3z_N!^(P-iu zwgW*`b?Kc(sY`!u=C@!+b$VI7a8QP8bXg4Q+TT65?Io(9l6g$ELCD_0rAi9sl^-*;$96 zt=!qmzltVknwRIs9{T#q%gYlFd-_SfU10XjQERTKeQd-Xy3*4SbwYtH7*9QAE)o%5 
zlyXroBL918Mk#@yudnYv(7wrv_u{L;1npW9Eby9qnm z#l=NNM#f`xE<7kGsI+tq3v8*R)#as^Ua4D+VDQqm&U;?Qsub;1S3>U>Ys7dD6ktAS z@ZRQ$vUNRU3Tg5$x8mWlbFT?qQs)!yqAvO%4( z3PD)OXOC6SR^LD@)DZ^6G256aHUBfeR}ZlZIgOlxVrF`}{if2&UHKh5b|BCD`};x?7Zmc3U@5Gz0f%#TxE-=UCSt2i;RiUQ&qKFoHQVe0^_(D%)bs#N-~v~ zuYLbuw}gbm5YxQsw4mhriakM4K)~DAH@KJAKJI4UC{4!Co)T9&I=YGC8AUrg($4$Z z-HnhG5)x9O%k|+FG(8Yv+Pmb@Q!}y+2o1SC^N2Qod$ivslaTb)T7<%FN7c{_^F7kdOs3%*PmsCHEs! z4{1x~F^!FlhXn)zhqhH!RtA6T;OO|GUT%>(;+5iwCz&=CaTp1#*BjC|_aE?Ql3dI1 zSWN}sxqtuu{QNvNxZC`=cA{6uq%Oyw7t*!3%WQJBw8j!SmrFX&WsUD%8Zx1|m*3b` z)Ya7?0o2!9V#+RN=+R1EDp*)s{k^=rymjl==_#{BbNj>W8Hxob0Qe@qm19JaYY<`$ z-&X>{nH`)LQv{qn&Sn3-z5`1&+w`MA-C=AZsarHr@pO-=4;}>c@#7)^Xes_CRtkJ2 z)7dJKMfw_7K~+tv3T|tjVgCDr9iGVX_*nMMf8P-L|BpAA#{yR!zEm&?e0oU4ZZJh7 z)qCVqqJmbXU2d2U7bmA|MLq`}aP`wgr%iF4VSL)tc;}6Yp4FA58KiRJu#7Bj)sqNKkRImnyPl zbi&TZY^D~mU{r<64Oup4>97LTzkmPy*6(>>8g(aKDSCBv^`~M^hgn(QS5?V&TVY<4 z57AZk8yrdR8yP78N^%@)ds)O1C+0FgE@Ig(;Fy2rY-SRV$I6s!u4KdmW4^2V>nN{x zeEH%uH`w%p+wdUMVNJMAZa3E>#tkqu4e;2ue=`PXAQ;Zm_=& zBe>}jsgQATSuS>-k=wgbJ3S~c@U>A*@F58ox22)*QEQ43@Ah^r#}lW|o=g0MO=Q)T zxAgnBtE;O;qne9WrC?a*SE(>Ww9c1moCKuD(XVf^OG+d(w&E^Wd3b88s!WmLAM84) ziief`P*Fimy=?4-JcP$tYBMg%ag7~haW{aCW&z*@1y$9_B(f+KAIYpocg71Zxq50lNMEHiUu#C&}kxul;=oQ z8^X4tqT=pD;#a~et()byHPQY`DH2->*LUARNy*Q}rMyO^tJ{TGLAg&L&OdT9HsQ=( z<8qc)A7;*Jxg7?T;@Ry8cN%a(iMW351Kh>OC@86OyKt_#ky?0-q3bmdcHFbiBdjRY_fT(P4E_(gj+b2(+@a$%ZZ)#HZA;u>qeL<0Y`}S>=H+h!{LEFVH z7;8H7omm|SkZd=1aL7TGoSx3lhi+GkxzYhq%t@;>}S3= ztgNi8uMA5f%Ri*!?|0%Bx^?)WvQmt=wx*`0swxdV{RxK=WhSQB#l^+?`tzTvrRHh7 zF0R{oAEJ(Cpbz~u)LVtSNK^=?Y0kO!d9mbYXD(|zV6Oi_ zR(7^eGJ=KWMQ{tC6ON!xR##_BQy!#xmX#$)u)BW!Thz0pB+gzQ=QI+Y$u63C>$!=q z{0bh|>DO15cuZaGMS|Tz+g$X@sAX))@`>BY6e+ri&Gt`pp%d7pIO^qk{WIQr$wtJs&o zO<^1q#VCf~zJ2@pwSe@Nlm2xL4V2rr11ZQ}xe{036BrnXA>U!ahZ<=KNn^4j(=uG0hdq9J+RlGqaU}0k2*{*Z zZ{Xaq(NR&i#p`*tgVjMMCMM5i{0Q+_2Q`-%I6Hspd~upijSc;%w?3?N?4jA_=AH3M zdcBETB(fH#!mBtK_lr6tuN>~Ho0}d|AY|p_0J*EH6Nx0$+FV~hj;Q~PU@nUwKQG zH}*W>l&I6MOSZOCz$@O>6%~oKXOUF@#4d0pLZ*#-V!;fG 
z()3&fsq%*@a-XR5JK$6O@#93rLwbF;sV&q9AU;10@75kXc^$Fx+XtULOm35>Lmymc z%*S>G;sDrMn|!~Ucnmq|SF4MzV$0EDYh@L$8y7$A%OQqOT-GKFb_Jrj3xIA2)r+rg|QbwK#XxP!wVOfU+ zNJ&ZQldP7c7^)Y!b#qqh^FB{LbqbGwmq+(RKUO?TzuO2wtj3*eKP&5VCXW>rt@HN< zNq2gg>SIvFz3u-kIgh6*C7Z68?L1g4cD_eMyLhrP;P~3Dej5@+1%#S9Q`x$=GANW& z&_Au-n-LlAg!NYeA)%|Os98X>yxWK<0D_RX_t2qJHa*2FD{c}JC5JB;rs?GR4tYOh zv;&8Dq;#==v^7;*Tbq`amdF+=j}Pv6?ZlVE-s~(j=#<$vsby7Wy4G2C8e-Oc=F! zc~f&Oz8tsdaqD~Mwc=(|US3W-=CQT{8f*CbcOX@xZ*M&$Me zjND75lKWlt)$E^9=^v;j1hz7ufJC{c5XPrMLP=c0wGNvGMn?8gQN7*v*cTb7K1M=} zm-pdr=eu|Bg7b7l5(icFzOm67Tq$<#)glh1n3WFGSYhk0HxUL9YPw5YokAas1I}TM zff1c(dbUX+(HPGQ+HF|r)KUT}mWk5eujDAg`E}`NXzajm)A8$o%jw7CTmow-c`i3G zaR@8CE9cr(YwJ^{jZeXgVdtH@Sup5WTTF@|r`;0d1_3|@t5fLLi@w%$Uz_YN@Aulx zFEM*^>L`n>CWX%+>J+KfJs*QsWe=XR+{#11LY%y%krV9%b}>T8w6LIH9|MDqu5M9L zQHFk5DJZOFXIhO$+pnOIT<1oOEiK2teS7UZV-i%!%fsC(9wd*Vyl-^W+{|obbhOZZ zSTUmHYL!2rZF=xU`u+QBWQeM3-!tZw4pCoQN#25>inWj0s6}$h)+k6PPMBzC#UP*MM;@fk#30EJe3 zz3)yuLkb_ahkmV?ZU4R4Sp72h)tFPamXW$Z4g3N+Tj{}MBUpfK;k9=J=|Qn$#}e2d z+GvHx2ZM&j*3*2RdZ!KMb+snDdx22X&}Ctf%@eHsGgu`m|8f*NZum`#%NKD82_G(T z@k=IR2U@>^=UEw_4$WT5$0k)bu9KGM@%T--U+|tcHtKuZulgRV(!^7zPObEy&fgPs zo$8Xz+9;4CbP$?7dr}>5D5lBgu{WC%8+f{tf)90oJrWZWv*|4@nb#ndrS!OHGi$1_ zprBxXe?JO$&AV5@raOWpl$EX8v4^92+>mwRbxmQ)5W+5T@7}#e*490Mj+ic9`K{?$ z2}rvU5!xskG&A%Xb_a6by z4$2c_-IuQ=hVI+HpPD+#C+1d-HBkJG(C~27c3=TIH1wkV{2IWf9JW)@DBT#E$+G;Y zI_1+Xo*zLMl$5|=o)8qQMfr~yd&^6FWwCBgO_0WH#LJPhxjIWD1g7d-C7EIFkb|#! 
zj6jX;?-$A1ZshnNK7SgKl-N?}I2IgC(+B0^y1l*qty`-QCfeerHPdydn~@$w{9Tu( z*|}pJFV_Tv`y#erfaQ5J^Yc05-@QBIKQKKr<5S(-9Q4yrqLf7EPLJ;Oir3I9tFFf_ zSr7$?$DF5)g0kx_#yojqW@)(s0!KtQ=UQzHzdj}7!JfGl3S9pI`ssS$96 zfuQhnLePh*su@?1R2>DEYcE9#CT${1K8n)$MWsmAbJ+lncqaEn&)(q3$l7JI?(S~s z!kZPmro!9btBHvf$p>g;4I)^2SAY7H^+{gKpH!}k_!r&!eSC+V5rQ8QI|8L%cWP=| zL&nL#^chBN{{d8c0YX1LBL9R^b z^NkwInmt8MN=ix}J31oP+a{7?-Lvp|{Tj3tKhuiOMb#fS+II7t-=~#hrjqC-Ek8fe z8|x=92_cE@`nGM`F6!(U<3hbsU0=U*`}RONwj{-9!y?3z7w045>sz^Ez`hjjsxYt_fI%8UIOMevXs z%Y_<+3MvK!igHOIf_;1?@dnY)r{1T2vundSN6>ckMqwRcgn-mj70zuh+0)v zu=p=2E0dte$jFnYPtOyv(Z)X~eXI%L^imtpbh%a=yG!ah0^n;?fn$Epo;?G9Q>gpQ zwq4e*v@mKzt-PF^R+iDZfI||cE7J;&`O?4>N5=e@$-A&j0cP5K%8Dp%h@}zC8i^|K zDh1HY+`_`ebJ6{XDx?_whm_FGv??klM$sDy+H~`lEumpy_{wq*)oJ6KBziB zm*>9dlXUqTw1n`jaV01H4}c7-4q|QX4*bH#!2z&F>`qtaoF94?zx#XwotYm%oPLQ* zF5rsrNQ-BunvMAeYR8|QbG4zoq`~1lo}lydS?YN`b@j&q0Uw*5oz>1t3tW+STjl_? zM7ewS`UGHR4QH(Pxx0H6w+fw~rtH|%=M83AAonDkr-?$FI&d*?gXYh< zDEx2b!7-ui>$0f>)g)AF1bITRd?FAxPfhq4|FmKrd!qv{Toh!sDYI_Q>hxOGt6Vt! 
zhmWkQvw&tgYP~(V9I0G;uL2Pm-Ey?M^Xhw>mkB)4<#tBY6}4u}H6vtko*zurWc}0H zr2NxNsMfmz2Fiw*3Gw6_(Hb0f5>CGu5Bzu;7Rbt*VIq;w;7w(Vb);sV9Ht_Z@Gz99@)pK!D=Y7QSx6bV27`OoBQSb z^BTfwO+CM=pe_Hv|7JTQ;j@aXv4Sitr`NhXLeD?EjS8e1KX2ly4r-;Y4zhY}G)=zf zmm5pBK_qKB5OjN-N+4@0Yanaa6>f4P3w@zqT>s-2T6cclTt`cECUOu(h;&40BHf+7 z{912sMZ0(pEeecX1NDGuu1Gck;Yru+f$oiplsfS57K5T1*vM>sDa0bMa%lhlF z0Yj+e`yRJI*TQQh<@Ng>&}ZG<(Y`u_|qrVJid_P-;gdJ z>}HxyJt%e~=k=oLiy`2mnc?*ly|URR4FJ%KtqBPUAkRcg$S+>J*teiktM3&R74_zg zGk*r*$dMyQkE%3lTq<*qUVoQRc@ays85~_hG5G}yUSscZ;^U|&T}{o(Fa>#e#Qvqr zD5$=b+4Au54Q6Na@bHktT>83?ACGWzv&6#zQ)n&TLS|>=hz)#z!QftJv9rBF!Dpah z(3@F9oqzZ7+*4Lp=oDZeW>O{B7M~|3vg;~dxB!ukz03j(4hr#si;y{L7iyy-B35TV zE3Lf3!np;yVr3Mi-o0D%NZ)Q$O)oA)0c%Va^$!dHK-6To;~gk0jq6BEN#*RXZrAcV zTUN}GHzs**;0?o8b(bo@lY!U_ed7yw>JDSb3RD#PUe^f;cSnRew-$DLTEIh6iCMPX z?bKVc^gYV*4c5=$SBBtueP8th^T2Ij)8*REaD(>qi)1`)<>2sDP5mzQP4KmqF7$%;j-Y{j`BpR3Bt zpS}9HvDNF}o{~OEdk1i zLPFKhIw19Pbs8BF&?m770v!}}DwCmn8l6;FhK<`}gk`zV_*!enVs9_upy|7w$Rlf-vHCauKi@jz6H+;4OFFF`Pet z{*j+wN0vIzP?;_>0oxwrbshxkw@K#$`?b_w*r}M6cqNn zpaC=+`|%@lsK4K^k3Jd#38>JOQ50p1oEK+jXP-t#FI`6M4l#Y;BE+;MzH@{^(ERI8 zLD29fZDV0ZgofhY+S3y=aV0f5nMyIo0{h#-LicX!Ym_WmS)U41xp;VBdLDrYBCuI%2;1p zMf&MyZG?Pif@R!Y=y-L5^`9lhz8kzD*~i-2l(n;N2J~W7SO8lQjdmH_Nqg|%fjZAY zpixB4CC_Uwlwz$74f|nyTWD$fyBu1N&50v1nq>j@k_%Bv@ndEaLanz@ey9whHIcdV z3i$_>lBRkZW-|0pd@;n1`3)QXkJ#aO0!pK|H!N~mgiDD{U}k_wu5W+-34uyWORIX& z0`kB()=q1R#!6V^g+IW?F^DxPI{FrTE*h;{<7D3X)RK*E`?qkn_o;8E@nPfSG+kR+ zLfBg=K1rNKk)LHi4rg4{-XxRHgm3=ANz;tlKE!DRH|T>J8r#X5;{K&HPbx*PCg@#Y zSNL>tW`2 zBwS{h2|h%Eka;;`bH~UCgz3;j$!z~J=LRYJf}*0N7cWY0PMs;30_XGnq@uf=+(0JG`R+&>5DnhKGP# z7zk$xt`0b$bbs{KzCD>WEr3JWrY$PiSXnCj$dRt!0_x7`VX_^_zrl z=2QQ*AV{9$U-zXB(#XW)_SV+cNWO$DW3Ueo1ws&X+~E;IQ31l@on&w7f$Be12A}M4 zxMN90f**5`9Ox{KcJ9=SjCJtxB=t5jl02jwGVILEOt0I_1&wGq)7gn$eKzV{FgR=y z$)fZWpfT=P1!V|R+~mT-31MMa#|?_Wl!B_S59`=uaNd!WSJ-!pWRWpHhoJ+bMIE~n z2Iesko`fx+4}Ol1pY(s|U}FA;4F+fvZmEBC}d_uP@cFMOmCCaW*CKe z8T7t^9!1VZk$eMRz_7w<$ji?${)7xrvXvSEad=14836$SOim?25~zLHQPbYOl`^P- 
zy91cRxGwB+p@R?YVSfH0UX@dU6_}~NR}%v|g{Ay_@p(iQY3T~YW8Q98@PPnfJiMOr zSiuK9ZH>lIl6E}iR)gTBk#3*~6Cf;=gZ=%gcZJAj$e{(p_B+*jQJF&v9X}Ia(bvWWhV|_i}kt3Xhc{eF&wi@>Tsg<~1Vi$pn)_h?EHdQCrydtBrs_LPn z=+-lTD^iU;o8l`o!UCvDq-S}X1>&QK_ldiR;og;0V60V!mVVbF5K9puM8Od?42!5& zfX5Cvl|AM=OkpyNf`tNNKt;Tk3oX?Gj5-k^q?*IdXoJ+b@WYo~z<^QiIcQoxJGVe-0|+7#E%VNn^005x{#WpE4cy&* z%B(qF+Hbeh_3O$8R~-)g4T-|Hw*-w7`G^<1A0N!uxCcL8(M4xVst))b^31PY){5JSVq)llw`V7AgLEs)kEt_rE*^i^TZP)%rmQw-j)jMf$4x>zuk*um zr9LuUB1|`Is#;5bQVnT$N)e%kVZmk=>ax`J^sK=fFlsG*>))eA?xnF}=6O{ZM+`VQ z92tGqglBV4Aj?^f^G{x*dW%qc1;6d?-2o8Ckb6kd@p#Y?11ovO|L_EaLRf4XruE0v z6F;tvV%?BdV#>KgDw)n|_N?}qipu?5LhK^%ymr*ywyzNH=D3~IXRP% zqr9Ke|J@~I)R`Z<8lv)Hh|A!H8_H=zXtbpOM+(y5Bqhe&_8$Yp%=S9?@UmjwCRt$;;*gmz~`~H8f2^$vjn~d~N7*eJdcJDi3JzK@}o2vQ61zj4N z!fo}m*lEzp?qYNE}x(VciI>^_e0kvH|i+sZErjK84ksr3=+%w<8O0v93;zb z57kLdG{2Ab4i5fx;R#jFRaxR#n?KQEZ6)!IJ^lK8S5KuMzYmwFD915}fxh>W2lnlI zJumJW)|T|~3efRfF{An4`c7Ne#bGYUCs9lPrnYSaxss`sRf*fu^wP|*4GKLJus?qM z2&J?5lu(1nZQ2lNY-M#hdr#kAZs;32MwFgVIV}8I{V1ugNM!ODx9=ye$TCs(QDANm za-A*Tq@}G)lub0o9Q>dO8#6$L>zv`h@lS{-D9%J3%sy&Def*r2m>zvuAWC-%KE@n$_}S@qqSt{Xo{rzL(*L0I@A=;2#~XZ-73lN9 zUt^QJ*19qIZ3FP(IR%CMYzt}P9?s=kOG7CrQqeg=-F#k$UfDSru!=S zgMQIkg=B7BT3pc5=%-|#tf7kA)7t*OOV23$>C>$UyOu%27cSu{$8PCzrF6E&p{UODA3=h>y3{-8C+_ ze}ApF;$e76@$&uy2dJC-E9&6BfMG}L8+s6m6{C9$JuRJ`D>!2}FZ~WM@w9YzFCVNC zI(vpLQ|h?zTt|Hb#k==sb@Ou4d&k=N{$}1S5IZF#G%9O>+*xGl$ZqPpWnQW9wdn}A zv?*?0PKsSao;kN<=;HDzI9Sy^So-Q!*1i^W0myueUAJLofF1bGoipyOO-;9%ST7M+ z@L_$KsxNaA5?B=PFtY*8w`@%JWbAO6=gEEhluOBaSd3^*46^G=B+@zt=_p^8e?gZV zZt?;a&!*ItJE!k1n;MCiIs8cR@*+tPko2HX+5PyW5%JEZw4)NGsq@T>w2z_QP;s=) z`KWCf!-J;a2{y6JEiM)p`z`(X#kzQcF6bpKtq+BEK3qqR#G>P5JwkCDBL{X?Mg|U1 z>7z%h7);DPUL<(7YQEcN_vd8>JW zjkx8GhCQLrKCLra=YPutTS7@3?_VPS9|qWQFCXFlU@`$Ox0Z_kUf$ zh-2#0p6*oRkZu0}8QC%Nzo_Z-5b9>q$|qyk0u5%PNS66KYGIl*&Eis>!}%$;_Vy2f zjsEB5eeQ9|zBXT5PMI1DN)4kd^ZGlk|1X~zXZJ5J{fF8YzNUC=ZjOJ!$I^S+JAqgU zE#q>&PyA@EWA6X;U`+1H>H0pRdwy~<$T);l2UdG>#h7gjni^xz-SodD5;7*LAA2a7 
zvseU~Kd}mOM#>o_{JP%?2IbF6`mZ6+i`l<#9~HFC;=KyHCFiCKz zGM_jR?u`aQVr|P?uny|F2Di@qksAK7@)BdP#RFlyy7cDE?3tzK48rEe;1DXb(8xs< z4#&54cY2fHf0ugFO@Z-{j?tLPedNf+H7;FUU1+I=7NNmUpFTaTSFB~6NotAeL^Etk zbd;EFPY8IeXRCRgA2=+TLE|Di~w;r4Y_Ec@fl^pR~V0Bg^Com z;8?e9a35G9S*1ssSO{p#O~&mNf{DOO(~DMfY$gG4lem|ODdXMNWO)OFXMTQ^)X|b2 zF#`qgHBmLAL`2^PsXbyYZycCva4=!y%jVyHcmG6AZDodr~g0bweW5t zU2+lJd1S)(NSCrTIz2?9GRVw?NmPhPR-6t5Gnh~i&UNf3VM{XG^;a#2vQT5oSVyrT z*$>94b0Hj%AEf`F*JKuWfxckaY07a}_v{&GY=G!H* zIzQCb@&Hxj27kGF*{)Og#@}-Rw6*tF*+Tvy0z|O-55TPZ`q7X%znG|K;hQ(?92_b0YiVu6 zJ{(HkxITmbYUSyGv@lXzrtZF@hD1HRn23n|)Jx0DCZ?vCirOQn4PO8Cj--@GLYW=i z!$Bk?3oX9~IZ|0tfCb}$5rN@{j4b2L^}aLU|KN0Gr@_|PP4Z3u>01#D8?$nT?<;}v z&-;FW*CP@P-rt44broG;9P#(=-3tt)nhGXu+R)~C#ts0y&i3}r+qOwMPbYv%#`+$$ zrY4g*`=O8qSq+U8H^EduFR2bUD60^c~?bD+tlk(e%MohEOmY2{# zEWg=HlNzL`kSp_%C<$lwLh#)|2gTBOKk2TB#J@)2i%z^`WZyhCZrb$6f~T@Ue0&Ro z?6hx8j2^1?mDSZ)3D+0X%NklNBlrJfQ2)c(u0j6Bi$#^plh2IHf4~j`!^Vw>Oyz6L zo08T3>f5K~AyzzSQ00!jCq@{P;WAmSv_g*Px z3I;#vMC@u`a?8#fZf52AELQ)f)?6 zZ4sfeb8vvyN!fj`H4MELsB!vxYYiE-n@+B1C2ZNU1^ik=mT?^vv^*5leR}r?3b6Hh zp%)|SpaTdxpV_B`b65~?8J{CUS{(sL0lBBj7WQLA;~NeR3FiKe#sfTpD_`qz;#sSE36`xy`*F!WEu zEl<@9cUNt^7MU~{P(W>JOnWtaUCk)RN0XsC8-M~-x@pN=O2VqT3QMR+T7=xO)`A4bRLsr zWYxSNeMmLK0pToVgIuRyY(DfpEp2>ys1ClSVi1N< zsBS?Afi01MgalI>&bxpL%y{zp6;QF0j|haR4&-=x!sZY)7Q`xCJIKtY*`#)#n%-VXE-o{yV2IcHg$~@j0g`>UN%i<`o?9~) zMoL_FtE*~Y2vYdoANodjPN1p(PzTJFpe#X=9TL02hpwF3X{b!-3yL^;b?b5;*{HYX zLbc5QtfDB$ZkzPE8o|`)w(f2ha0us5=(ZK)4OA)7(T6iiEZ2Q2U#FP}GWN7g+_AN@ zleNzFE7<-+VEJfiD_rz^s#{xgv3Z~u;5Y}c^nO^N)X1suQuTrxLJ17r6}W*!rJ(AU zTpoE2uM#=a?u}%W4xl3Vb@Lb{T#m7`S76*hd-wKwAmG6FKfAn0`^b%~1i=fxkj1$% zb!SEpN!U*iv3~)ABD3%bd9_SE{I)-0*xqM|McjmQoJ0{o#HHf`N`;CMaS z4A)LGk-B$&{rUx6n>8MebJR#M>{(#)Fz2{49BL8q^5wM>Ju)&berDz?@9ynDZwA!1 z^9l;OSw^Hv9VN>RrfAhF8FcD%C#o6%6qqRLbubeD0Bj&f5#RSHN2>O=utC_WR zqwOWc5gY*n>Z(3#*FVQHdU^d1rcO1`lk6MHpFSsDyAatTE*nPqJ#pvdeX^u^gV2MZ z*3;8NvaO*r&0OCUu>}2J_#npp`$e#qL964ifzFE*ang;kk{^#`uQkGHfTva1SIzTo 
zSqvmt=)^=?BE0)>qeDEw7)Dx6&Ckcc1PfLcvKMLhqh$fwE$Q@(W{`Q1g{w&B#j(Al z)T#Ul^rMZD`qF@Q?ad`Y*_vRTSk|b(z)4cmGw>w%c`y@U@)}_j28M<-)YPE8K@-L{ z#z^Su>oau=L@M!T*O4owy#L(Q=ICK+g)XG}s1q5<$!36ypf3#$peeJS4xsrR+G6A5 zNy%+v2U;DlSgX|uL2@5@Pm)R{u4_L#HRfhshu;{kE(MJWvmCGh_!)>3Dh7M&q9i@s zVdTbHKM*ycacJmCw%m5R!LgO>l||^h6Z%w)jf}n)JAVd?k7x%kgh-bL1}xGUhMsTb zcOl$&3oX*|~f@sHq6g^~b2aqtvn) zJJ8b6sSc#XgPxniF&wFHJS{=e!bJ&CK_uS8;Wp7R79^FZ@)1t&*)L@BXnIGr^12a$ z6LbyEv?2&?bkz0+#xdU4?Zjw1rIPv|Uh%?Cs%aXmqeq<#+l zoU(fXJwZDI0-(=hJ5sqxJY~9O>}s^I0M;YaeK1xyYXxLQM3Zw*u``yw1w>_FYHMgM z@GX~$y)n`9=Tm)z!z*N^q;B8*6#o5tHS#pN;T|10@k%Wz#Z(}*1U6OhZhFNxkK(Wu zF0SN5joW!_5jfCDfdYaCoM#kH?m*QK4QURAMFV6|eSJv*fhI`7hzcZ|ZD%g80yBxH zf-;G>NfWV`+^o=JHXb#Lta~BySWQ#Yb-a1BFsG2YeySVVjk2=xwQD~x1*Y{+SV9U1 zhK7U@E}&%&4-cm%l&PJ2cUw#RPTQICs%+_Ypom)hwe> zk*r8D>GbE%2cX1$j28QXwX!TSfaH(kOiZp`4G9i5G%`|`VA%YJ&l%RH5%HM zW!77|3YQyxj?R%8$J zAgTx^0W?4sgpz{J+2+ItC4(8#hq_#W-LYCRrcnA%iis)V&?T&U%p=;X64hG%Csw*& zzc+W&)>+`_6kDrpyH+%{v=Zd#M9BgSU+_ecD#X~>GSIac4yIFXC&4hbw=b3~^j!7A zP%Tu@>t8By5k_xSeEc16oEDV!j`!1M^YMumw|%5th@xoei%H9!f&$6V@yD%gwnopN zKmRc|;WmaYPQ1QB*?eKdtgEg*i(QSp533nE1#zN~5R9EdLfHukM4UfVT>Nz4Bzm#` zsAjFTJw2tsmx!FHIl2_)8IU*uE>RC;)*IP?9>tUS`}v_5Gsf+M7sOFOrEAM$h?)Pq@-a;OQ+TruZEugMOKV3kNy8KR?-6kRT>43pL#5D z58kbV2M)OQz1woUAUHObsqP-#TIL56)7+dKJ|3R_2a$K~qu9jtU(_;cU)X5`fe{Fr zD@YDAul6wstoBiAPz2Mu(C46CUPmk^Z8~VX9@nFe3J6?xaInO#h3&%6&kq0w-P^gj z!m)+`Ja}J>xHDQXmXR^AAbQc=fi=XzVS)rlTBqo;?uGNsrI>h`j*$^@cLrhk^^X_m zLmF;~s=9&0T1Xq??b|Ex))7eu9pT#HIH#vff&`LqWEpzBZ7eK`Pyps$+L%lYnvd)l zTX+IX{9@+XgGtG_8g@yTI#ArztmMVFa$5LC%bqZqs+z=r_pviN9o=P+#W-+x|7iHR`DSz{$iuFk4` zUC(y!Q?DrCGeRfe$2~PZEmn$Efs>+rit#VF9=Uk`SXo}6X5LKF= zuD&_Ex_h&X_L~R@l}R?1%tVR32ObfN9mW#1Z*&V==zB7AYGP)&xYy~|3g8ex`n#A- zn>Ut|w^W~DrrItKTO2%E0#4X84`nQ5KC2!U&cd^hk@rEI7%qMm{w(Twt_6&3pzW75dZR=L_?wspl zM?3gb{ideu3q271OSRrtU^&~FZ1v)G>p$_2-*c(4q$NT z;3MQ$ur*s-!RKImNWUC|* z@tblUOZ)NNEiZt)+?sk3N3FGI=Va}}mB8Y%**xL3L3J=*^w3k4Q+k+PagM6YY&M{)KDmvMh`v0)?CE!%8 zZU2ihgiM(-B^#B}kWfm7gvzkV+<**;3Pnj~vPFe77*Zr5WGIyB 
z|J&!h-}PPJ_x<;Eo%eb>r?S^t&w8Hw{!RCMd|Zpw!Gk3*CIY*Q2oDF~o0^`EQcf#y zwy>mR8g&a^0$dqL_s$O=ezqQ!p^p#xfiKsgqGy%jUc?R;-sexBE})r%Q3i1wcF6F9 z+D%{01vVx?b+oSr<38hH{5EJto11Y(9%0U82Rm-u!u8q~;^1NO@7)vE&xjkyExG*U ziK=*l2S>3XIp2H~H>b?=vuUQ;WWXYJoD1jAyL)(?*e*e01wqL}OfD}4x(JE$p>JDD zFtf2CACaAnO%o;n(2zJ|^c4dj?FaNa>Y7903x8)IuydP2h2p`pw3WP~EEVP#F2)DS(pI)8OLov<}F z4XFeav^3iuz-v^rgm#uUj;+EKeSzC1`}gM^%!hIf30yTds$^l)*|lpKf&eTutQa83 zaAeq)xvxL2#qmz>$dMy^_tG5eK>i^kM$RYdX9=@d}1U0$m#i!!*GzoLjir?atUS z{))ib049APy@1q?Z?BlTh<)(y-*d{!$}Z_);i!oKmf#G8^Yo!@xeq`DEDhX8A{bB& zLHPV8tt2NVMv*(9Tmm*H)&p?Es`xlVnRgOo6Vzn^qhGjWIl@%w`f1)Ep42RonDnYBQ6Xfo{hc%Pxx^$nDFZ{IE~ zFYSmnAW@8rvI5c0QTCog`vF3g4Cng~6e)Nf0xzH^U~sFzy9po)rg_vcC;Z7hgDAnM zm+=bWFoOmd3`cZraEu|Y4*drU@O41px8|3i2|aVFVHuJm;0S~1fO}gI zV+fTWdmrk$jqZ&wtF^d4U22!#d9i5%$adg43 zg;#@~bM4xeMv&x_5RF1$0o(r}Tia{GTtR$#A}v7@>gv`K#$9M_2tw@&oc|3`P>%v^*t`ZY4_W=k;yv?Q|=-FXC9$uB!t02Tlvhg@=XV&uggnxu)Au z0?};tC}r`Je)c@!h^W60t6jh<{FKH6)L+_^ zL+FX?TKj743Kt=@tDBULT3T9C3FQ}8f`%K98%zjWvtxUO3f9ifZav#&bhUf;vbAi7 zQic`;fQRXd2Eob6Z>TjD>UkEeue4-b$Wh4T$5{8$iHLGKD$%=@4NG?|3rp6){Hdua zlp0hW(R*uFOC?xaTEgKUolU(kKbaZl#gUSPA3$q`ZovMyP|OQ3iIL3Pz{&@}wnGYul6N_0GJ zSAKowb8l?LK0dAwi;-raZ9-yD)YZ|+eDJ`On(`S9K;`r2087=8H%yR#Bofd>fHxM;v@ z2=zpT2l%YesyMWM(@c zcYo1MPQ8gWhjua>ySZ&m-FwQ_bzr$C0AK|;!?x9nc$FgD=l?0BAH|RkoWyhU^!!;= zRD=o%t^z?JA3&tsb zYNPP-yl-(kWvGIfX$Z++%Nnn&zNK+Sx}@DH#)=QG1H79j*3#>sFP}$w09v=LC37>+ zOH@9rEG&p2l~_EuyH~IaNn|lH+i+~4^>Z8ts4|0kw9pPHD8BupCwTJYcaqI%}!KH!NJF#h(_+dvwj$LivE*t`&6$eZ99mAQOI=l;2;*-qJ6~+Z!3hA?)-ZeHGP_0yM2-R$j)pk0rd9dq%6f*YZSblG80vak?l2M)aG_d;!e^hpmD z5+_nBSpqagFN}w&P;MB|Sg4m!igI=X#}HR*vq@Rxl!z@QVUQYeV{wJR*klOji-Z?+QMkwT%1gHx`EA zXYc(-&~E(^?rG@l6()k!l#~RcZHQN^8tQOB&vJiP5MW~uQ$GdZI@j=@gS*$=JuO+R!cT@d9TndFE6E6 z(lu3>#60@?zV^ercg3pqiFyVZZ%6QFY&(QcerRi}S>7_&HMRW7`@7MQ+K#^J9TP`3 zVrAfmaetiJS%GU03Gy$jHcZ0Lf12#%W1ET^`U_X2i?cKKc>w+6%EL(Ubf&uB;|uxn z)YF8+M%a>*Rxm&kzv8}Bzy}j$~hX+e_ty|TjW#Uhr1|ORxShRiS&&)|e 
z8_i6%N91{XSJ%Jbn-Giwb_7Q)N)ap+8&r0vfADh-9a@Q(Iap5IJUNN3%(&?K(F%A#&67SgGqf@D)Z99XPm9 zW`Oiiv)xI4hF{?u-mDMT{|HLb(EXrOKXbN@*v&YUR7DX_ddR>&;uRRhrPW5Stczkv zOB3|-`^qk&(eAWBx9Tqfy_i={S^EfD558W#{R8tG9HCI-p`GjJShp6{Bv=N33_s9X zLwY|M@H{uy30rXZZrnof2x!Grzi_i*A4RFx%9}F!;|FDKi_yp2SD&y!NQ~76K0)oD zlM_DoKwfKuyVx5-P1qFIOK3|aXkGZ*AaZ>PYJTuW(6|x=7Gm#LF*>_5XMSVdK)Z@M z3V4UtrI!Q&b`BJbPx>~QP`s@V9%OzzZ2n(bfNgW$?JuVQLM0|7+$kuy$}?gHP5#|k zE2!eZmE#rdDUf+(FCWJg#GLJj$e&Y4Ztcqhiv>?1qEWAB?>U%VR>oIZW}MU?uoJUCJc%>)zlG?@yZ6kxJB{ahpv?=0LFRu zHEuq*ckfEmS1eJ==Pfw2TwK<$v*)%uqqIPIC>%Cp#|s_kUx1El{+?cU9UV79zi~bp z8XB^FLg6rq?X17Q{pg8@I8wD%77wWjZRAw92ic~{$A(%C>jOerop>poOA&X}YOeBI z3kr@B!MiSW&swZ!8%kF#r?33%wyxQQ43M2jzPBbc1l9?H0K85E!(4jA*NJVT*}nj- zKfPL&g!md&)g5YTz!a=aOtzvQ09v{`(@Sl_TpAbg4&S@Iz4(=?2*N7pUCK~9DzcYs ztg^#@!`jpdvOk^&uP11f$oO=$PK_uRyJC@Ey|Lv40$+rLg^?UCAS#NxBAx!*C1iev zitaMoPk|Mli`h?6>o(z?@dfRM?gn-Gw|O3-2xcF@{w)X9!yAFSe{A~x-WpP^lEOk6 z2?;%2T|{)ypVc@H4QP$St+Fzeg$W#zh*7EQ{>E%cItg;}3BZZpkgp)rw>}7`*Q{ki z@76zHoVwn`IL^{U^}BYUmYlWM`uynY{KzZF5z!-~nnD6(Hw6M_)o7W#cJbC&w0JPS#XV1V!VxPnXvCpXW+2aIAzmO>1 zeaCCx#}QNc&ZWh z3>0RBHp+{;jAJ)wSP%LY3GU{)I{LG+S1)x1%ncMse&=#=)RExs36y+EkJmz?tf?Xz zFU6eO5|wHclYwS@9O({lyfvNER#Z^XIUZzmp2wPs6^&<#v-`sbG$LYX?055Ov|{ZRTO27`bEL zS4`cvZ(pPm;%8_(Hd;^cnd7pTxUWM(gfLA!TXd;NCIW_mjoJ$#%tm!Ar?i51NYgTe z@X$cIJle(UFKR8!-ee<}otyjOSqBi*Mpdoin#p}%;YQu4wShjQ=F>s+k^cTL zo%XR`$;oSW_rV(Pf3I$- z>K0aTRu)GLCX$?A$Nc;m)08)M^5pU3bxV%u8l^6wTehfPeQCcwN+qb7tszKHRa@NhorGFc1>$wAmY;3M-rbJzVa1neB z7?#wuG`ypb*0;mszG>5U;8TSvnnzu5d%@zv&h#0<_-D)vrm5l-S*5deCpZVKDK?C< z{9+uf=Wo}CubxS_7|gW0!p}H;T|CcHN^kIn*2R&&oy*D})wj(L4hk_atn?0htM%4} zKkzv7mjm@JyO0VSL5nUru=eAca`1S7{b0i}G^jCU7R6Z^1jp3U+q{*0Dl)<_-{B2e z5r;&$M4`^TlgjW8^6-G%I|cWY(M#EpuD){k%e1o|p`H1@%;W7g@0zPHInc=Z-VZ$* z!eCGbf7kpbH~7I(pBz;V-)3`YmDRk-?vdb)(z^1ENYY-R3*d@ z*;d^M&HPY)I=Sz8v%@$DzbH?BYpP^boyT*ByaLG8*q=VGhWix#D63BlgAc=O&TW+D zG)y9W&VC-8BD>3wk1JTmkWc)l%+av}M_>QxPEZy8tbQo>om*g3^ahS$n0}R2JT3(#lZzY-_g4K(39{@ox!qA9D$RdQFtk*L%$~3DA;w?Nb 
zsz)zYE#rNX6S)X;Gc)yHrwY4`z&+qthSWk@PVN|j4i1{H$$tzZ-Za9zVg;421PXh* zk=uiLrnL`xM7o?8Gd1LEz7S&mHm*WqGM>U`Z!j7p!M(5MMk!~9LyG!o!4(6|Ez*Bq zACM1c!kVEcoZj48f`ALCnYJO{P97Fo$U1mttZZ*zUrqms8}kzi(*Ser0J5N>eOlc> zN%X=QxplEf3X{k4WLSuBi)Pxh7 zd7=zvX&&4M)NoNf-mv<9?9}0BIYq^)j$F73e{u}A~F0XBSYoU8b{)@KSJ*fDCl`PsATg+#YY?N@Ii*#GCQ%%9>YR0(^; zMFF`2e22cpGQF#1$ELkfGk`!LZ-sTd@bC=EZ{XrI83}UHpr>SyutAN9V6_bCFs5FU z6Lje$*6Q^k0ZG~p8Ch8a*n__u`*0Sr_q|f5!8B*R%KAI=eLrXw94j#b3IpI?#+qY4 z>I{Sy`dbO-z1e2NbC6VkMj|U~dL)53*48VQB%j&}5@F4D_McN=_#2gW&41v>J6YPh zGl8_<7KO+0zx`rbskymQ?q9F=XjX~w?@w>cV$jbxNQ#Tm(+=jSkkQ#6Tm5h|?GiJ9 z9pTu=y@uTkUMX>5>j!7y(T|8=0wuer8G+9@oOWlTX)1oN3kAsr)WnaAiz)X~r&+k& z^j6}t97!>fW&#+=ap=H-vn$IxOKi-{(DT6&C^1+xX8Ij&Awb5cgRud?2VFbG*VEUx z3yl7Y7ngTuqRfGjp>5NCsa6;^c2r8-^j~p+?2k_^JB%ylhxlAM)%`Tz6AGWPIfk}bi&pK7&%MC z*0dOf-{Z%vuV16W!^TJ!!HN6i{{8V#23C+|gWG&Jo(b__=sQ$ z;cqrlW{f&@vjePrEUBf0wNkU{{ii9~RrWc`JM{cOf=s>5lT)+UwHbWN-N+vthFOBv zL=DK!q1QKQ=}E_qeFnp#lT1%!$ zvFNiN+)b-xkf3Zn9=}nqbTtd~rF^)thUaO=_JJNwp)pay)3c_zIjS;-3yt!|*h1f% zyp&+0OF0Kyt&QTIkQFDW#wJ0R)wY=}G9qody}y1_Rgml#H36Q%2#*>VgC>{nd?}#t zF5T+@IEDTirMpPE&Th;yIC2ESw^VrtO!cWp;=8kw;IHH1t0U^YzX!T*UuFJ%5U&cT z1F#tbR`f8o8cHQlB+ZCmXxYRzY&6O6S_u{Anbz?|UIX<77Qk0k#*BTwf#DOGPz0hdOe|M9s|ihX8q0eeeFB?EiY@s>!@5&9U8=CD*>A z1l181W`O1{35h|VMdBNdnW8zWgrpL901g+ZbJm(x4F4#<0LY-bJ{cGdr_Gi;9y*@WF43C1%gZ z?V#Of&CkcjE~rGsir=Le<+$d$JZ$Zc`MHyH$U3ARx@-ooV#`2kDgJL~4`=(pxJc)a zx9XGf#>UTdMCCc8UQGtvK-#8H7l%L_2VsBw_%&frwrOdLGfu`zu`*1UBZHsi=TBp! zP-3j0(}X;NmfIBTivt83A`Z(6@2`x+7f`x*$|6;ZH`CINxVnzweZ`kvk9gk&^;LC3 z!tAPNMmv#34w&2jh@3?)&Q3k-jpn*hLK|nOS1z%O$;N$-l(8LaTqQsWrvb)apK^b! 
zF2M<1yUg{^am28|1-KxF^qk@>YJCdABNP~Uzkhr{R=+g363m&}D~0(`XiD?)^G6`T zrT#dBmIAs|039sh9qT)~K~O`K5sL!~B`M@EU?MxpjAGygprTL6)UZ%Izx4NTU2NL% z`z$X);?9!w>96w{ajic#CTVBMy=^wMNbTbCb&0$LUwngSz9Te|A7nWY5Raj9#>zvh z;c&tApLi66WL%ZFd4jiUbP{n47x8$(NdtvIh)7-M#hUEhp_K6II8H#NFYNMk6(po2RM+)zm^vK zU0(I&nDDP@6<3Is3Dmw`f1m5gW5ShuR_tp`VMhC3bb??}c4}!IOW9-1EXdIZ`-`4l z1HdTQ0uUEYtDpeepiO6WVa#49zAxH69Y6yJ>Kk9}4vI2>K_-h7VXO(lgo$Q6rmGX``&JD z1-O5A?l?k12n|L-$Rh62Zqn81ZX;u3L@z-aUj(<4aGb;(+fBxLI+d^A| zRFXkSTqRzd+_YicqM{ zFUJ%oSZyriL0=%s%21+v7wK@PC3ajJ6G)&34Uz+(G8z6@b8qvqw+U$#4S& z>d#TUNN5t4@I)OQ=?IkO;*XicWsM{x0|RXiL_0auUd${jbS9rAEqK0dh=6$tL?mSI zICC}9pN6i&_JEJ~HDMkeU+A-e6EQH9-kf8nrz@ctTEvv_LGb{EJwenIcOP`hVL(L< zg~+d&8Mr`X<>YAd7!fdSYWf}7iSeRIEdyI_K0%v7fDB}Wx|5oj< zKa>Kkq*m|J$zd2B9fjIL$Cfs@5-42H$B)d8gq{JCREx;a`5HtJoh60o2W+*^P* z83~D%1Ow44_~CvaS|wmI_|m0E&wD1{Q3v!-M9Yh*RwD)vD_?}H5=<8|2^0b&sX(s& zLPJ3PurKfxSyPym2w0fC|4*9q4d;l)ey?E>L+`ws{F#rnQP3Wktv>hr%F8!ZDg<1b`nYVahhEu4?2{rzY#+n zKvy^a6uhg*ML|}~ri5nDWVFolOF49?K|@lu?|8|j$w&5DiG1q0CTrhKW*sa&AKbL~ zA9=0Y80gjyHp-ZN(VpR<2Wz@T+ z!4=9qm<%0Tn}0dFajd$7hYrE|#3y%jvA>>4Dq)MAOGt`RNpD{L*VQL37ANB&fGWrD z!-|H&3mFVWK=Wc$P;=oW$8#@9GM~a)fn5)>4PiK)uo;6(vfdD7V@WjdQNHcWxVxNY zA9aM8J}R5+AzM<%xAWZOntj z#AYW~Wj)A@Yv|S$&R@6D8H-&HX>#9RpAZ>5@SJ5M<{BM3bQ=0h0P4_yCI#O-Php6b zDfwuUD_$a8U4>H&fJdS~f0sA8>q682B53KGM_=yl-NG82%@-K8X5>ZK#*$Sb+QWUH z_L|>uah=BLyWuRRykgwxFX1g=m?7`27S~p&-{xLs9NsMZQBL#=vzJ0H- z-3|^78TY`f1oh}9Li_OHQh-vBi{oX$Bjaxp+E308L66!=^{Fowa|E`AZs8A#8r*US z56~aKI>NX$w=;^f3hgqkLeeCOhmQ|LPtuYa>z1@loRJ19vaM^rLE*U)O5&Wv%T_-%x7+$`Z?~?6cnMAqI5rSh3)S$qO3i(WPoF&l zmHe)wLlGmTa6|A)z_rSsQ2}iTYz+-0DXYNrI9(VwXRZ(q^!*Q2kGGd4RS$bodbe8;0a*5BA+(glj zeVRZGW#1?p93!I#U3ho5vH6`dKTp*?iSBjAvqyasi}E-&7QU(xNP2VJu3<_IA+}>j z4-hOQ;h<0g#BpwFAiT1YR*@jmQU&vDH|A*%SP{X%l|gS^sTq!;k7Zad6PN5;*jsRxut*eP-d!_kXyNrl*TqM}uBOX_`-`E%?xde)Es70&bNkCq6EAS4@*vIDb1>I_UxaZ)H>$u!9`cF%*Ty09$~38Usb)u6Z{a@cAdYOoE0<4-G6XquZ|m z2Y?(Jj9^B~lNc8#rr+g^gw30#Nbk{o&kdrS>|VhqZqCYHUGDnW)WoEFiA@O9ovv~8B*T{J 
z5-_~kzxaun*++63M)_Bu?|6Xg7{6No5QqMHwt&P4iPgw1W zlk9%rLJswpX=VXrtKi)JgEjy}!Qdh3pufMiNWqcRcGTX$&~Ov(C4{OdFd#Gm`2@K! z@{>`;Ln?wOIRQm-B+#sd`**65*p?%|= zN~2r$>Xqf@UjA8d(hsLQS8S3T7&(D49d#H1-;VfRj}?YIAXG5S;D|jYMK{G1<>snr zc5gZ4bSS@5NELp~#|j5doG7{dInDB6UxsSQg9m*rZu$$iH{IFrvPN4=Q*-r&z)0J+ zHf{AlzJ=Y)?8CmxUBiQWNG)}k)Ptx%96MUDKw&RIFSIjY(mv|dG8!B}T1qM^cn_l? z*E2K$cT3 zcXxBJHkqZ^m5h8eP>Dy6$q9Dd4W(C*{PzBVor3uKePR!6)hmuSj&^ixFg2ZZd(X`4 zUjNnm+c(~sp(RP_p6;)0nUxp*{^C3Q>^OR6htTbpW1Od{m^(l7U9PD?*!5xU^(~Lu z-v|f`M>esVdB!q;+)yiem{IBD)3=I%IB;LyTZn&N+Gm`T2&VGCe2MZ%{q$-Fry628 zIrWAM*?KQ*BsB8)`)d?T<3$ej7)J>{qwW^(vAtj=Y5oWrdWFm)UtguPZEC`=ffB!X zF$ByPbjX|5*5|ktXjUNBX|8$(?uTaGq0RNyx>#j(!V3Jq&~cQSUSe9++UBM`cMsHW zGJV|Gb|4_SutYKc@hwP(?5m8RBL=>5yzgARrQ{+t)U~mMO*B?j zX|S42=O^Cbe{%tLvr0-!FMisn{+3#@olK2G#d&KU*Nj0fqWptT>84rn_nb{gz{Xy$HUJp%T? z0;CmG@Sy@{>3sJt{B{m@B7jI58h=q&s0p8Hyuu4{EBBCT7=HfWS>E|~Y^%lP#QaY* z$i8iFUyp%wfV@z4T6IjSc=iZ0rKhFg2f^R+>st#y1OWvFJ76ILB^JD5uy&6`JeX7L ze3-dLs_Hb4ZzlEJiRg+J`pD}vH?ebicJ}+{2O@eYrJ($$P`Na`Pu}e!tkHQSKxp;1 z7tyQ`-=tJ<2$Ch^29m-|<3AtidnBeCfOu{@?tbUb)ydNyq+~&Bc8FVUrlbgPap4_} z!cYi)US6651`5&u%_^)(P!*6A!rNvBK@DCovzTVGBBUd}SjRxLX}V#Pt?;jav~9eZ zPtb=vW(up-_Q~F$=2cT){}nquN`=jjUVeE09s-Oi$n6ysVZ}In=nxIc5_X%UR0Khz z1B)F53y_>ZB-r31^-l|{T^`3;x4TN%TBrU^p)U($PR5NB6T0LiNcd5gM>&#dvf2Gt zpSzOFF+ZXQid=X&P*I)1E)O0Tts+iE9I-KnJKi@m&<0ZhjmN^nB|8sqo(q23)B0E^9yf^v(~gK+IZ9%bcHP~J#UOlTeiaE$yE_nxw~`dW1t*50JLNST-KmN@w!ZU=7K zen)}Nal_7Y;%PUGIm;a(5WpBj%HngMLNJ(`qFVS}0B#V%{nq(0N(|icUw|p0B!M~! zncMgns9#4D1{Mj}0P3PoM1;}dJ@*+? zM4rF7SrPE#y-4e690raPtTg?~*`>cB+IBd8?%x;jR3c{e^T7drc`i&E?ocPO&kwn5}t+gn+D;O=h&@oQA46P2~+ z#XGJTZ#(k%#^FM)RUfZ#6>(B2HcVFf-kh2IGIjlWdP;?3M)~@eYs8LclAOs0 z(B=WT!zbGV_Jlo%6eI`%LBWy@?x&0SLqkGp(Y*lXqwS!5DMo?ZQDoE@;B4@fuY7b? 
z!8cKsZ_^6k43vGqFIS@C8Pm{fcPXYYTtD{aj{4%?9hD#TCw;!v_z- zz0n2C4AJ{kA7!CASQXfkV&vgCzxz(fbw~s}-!xIf6h_if8oT-W7d)g1k2Y>>d z5JYb{?huu>1!Fixt#CS*v9VMAvK@t6gDy-^*96r(4>W{E1A7~ zIsg5NC&$LpPPDrGaxAl&)`t$QBA^F>4A;&5x@m(*$Hoyonk`3s&wO8Ok9&=`87fA= zSV~Gf_4DF}ivOry9fUDs_j6tAHoQ*J2KDE~qod9H*VfcLJeF7|GaEmsj0rrYJx{hP z_&#w;O^^UfZ760rqk+B_?J|^i(*}5(^;%en!B8n4C zx5ZAlxV&To(ID2q)~zPp26V(fMzB!sW@qxN*1Z}AQQZ@t_B}k-G%UTRKyUod%%&Wx zEI#G|>Prz6&V-X}+(~Q#ei#%tI7mhgB{na8Jw4{_Y0Mie{zzA~-RpvYH`@`;8?c)> zP(9-B7l^y_`)Ft=Syo$)5Wg2O}QQBhG%zZc$7MgkM1*(2&9 zV`3-JRzLxPY0FVc_5EJdcQNiaG|t?^7Ae8)LXF#qr^!W?_w@AClj;$b7pDoa2_s|D zRy#cbihe2wZymd6Y~I@uHbz~6@UYcTBC>PDa^E#M+NVlro0zx-1en|1G-I)gG;izZ zxQ7iz$vN)PqerOT@V`|-LVJ>F!-sInz=})r0p-6A80nC-wETebPyBY7`aF81W6uL9 zX=#YfEko0Rh9EE;k3B~Fq zh}HCci1RNwc$dDMGv5oV6i*2|=_Zud5)vr!5raeD%=&sc+I#8mnFh-5+1Vf?;%)W8L52aeczYpMouF3*7z17cdocDZzVO|9jE&Qv$prI*jTr-T z@89=G4UmgZ#4*sXXLMyz}C>{sIQhxF5fSZAUhmzA-25{w|u9%f}- zE3cUBw)hnThi7!0HLDdbiv(T_KQ@?=5c3Ri^FJs#++Si%yokh4xOEF>^eix9c;#KN ziK2ssz!Fwkv4m!E)ipyj&l;yW-u{BTyow8f0z(rhSI$ijmJheq#()(XT9;`ih?I~m z2Tz+7``xdWw`PUuSe9&7wn}a`tNjS!Oa7J$iW3=@*EVP!H8J^t#Xt~DOc5$JrfEuB zcJ5pPUIvdNL0}Vtv9zs9+rntxmE5n)L|dkd1r&@WNGRKQ9R86U6DB`0Wpl+fx#MAz z+Pb=quo!`f#&HGY7Ci}$e6Ms_u86}rIu4Kl5Wz_A*di?*I?GV98z(SVpQ1IWFUr4q7XSF* zIWjyftod|qVGga3C5t1mx{m(8mw!_7%8^P9y_5-YB?AFS>xS03cqE!Cgj1BTZ{&{J%LUVR*br^3XmjcDp;x~B9-P;;mIZRLOv)EtrTbsHrh6xr3i#1+ z)O^h3Bntb5`C>hO1}svVAup0H#Sq?AZL^K*qYKm0XzLFw<@v?+T-{-G!tC;?!Pr=L zak1nmDESsR-`^c}^HYFB3E!nl?!1cLDbJnB3T++q{DC?R|M*lnnWbTctvBNgiQ_j+ zY9=QoCbD+sWQNp@MwrWADuVF_+wpyJk>UUt>>wrYaSdQT+|H=4@T~)|5?IW}9id3G?dRhYu@XjzN+2 zQDe8*_`lZPP}*Z;Ww~;{a7@A9^Aw+J|8r-P&f~kdT*4)ghQn{r5M}Pb%lIosCeirY z>sMP8$XZTp6p@AtrIUxx*Sg+~O+Y9PNS?FX;yC*yy8!{*XO_#K{Z;4+FL z*@^yh(`K#XYhM@l4B3u(#Eqlypplf#Ln(WQ!1pk&70kYOuNw^|(vNjSj{To~{;JyM z0ioMJ$FzMlRrEicb%lvu!vw%D zoUc1~+PVE`kBZ`#aFou*ZVGA*_Acz7zo(}Unwx9Fng8Q0upf*>0AuzJGXWu!L0$W0 zfh+bWQ{U-gDo~VHuaI#{5W>681G#C!s52aDG}sLGM2gYic#6+|&Q=!MN)y64fR%~F 
z2qiCjtutpzn__RTOf`7{qphk$gxl^+C3+%KZy;S&J!L%mU_RUyjKuuHL*3qq2#(v6 z6CJc41@i_32IYRTyfdAgIv66dt^^cMKcKhx___&OXyai5f&j7S)vIw}8e<|o3(RMG z>*Vwcdn9sDese`N zyf85K^NWE^?(@-i@7_g*^B5<{`zfZjK6`eKO~l4##ON;)WGKucY{fKxGJHs2%^-Xm zq}<8QzEl}Pp>PpId4SqchRJ#69$Og`pp|A;@4PL!WjuUIgW2#8~@{YV`(0w z+%G7A0$+mL4H6wUw;xp(S`bYhiuFK!Vg8?`;r4{?ZVkq;sbQ|$ zks?H}agMUeL4sgl2tWShf$a3m)wFaMoPPNaJyCHOIG#2!VLd)G_fxX&Wa93h)TE?k z9-nRQ&Mq!aWZQMmH@xoYS%C={B=+RwTIxn|3J_}k_B5t`d+b%v#6q_QEM7?vdgOgZ z{Ve|}Xja8GB_}1ZXeDQ2!j_KCo;_;@R2{X4rm2uwq9oy3bX!+(!At1WRhI?yW7Kb( zNVAb%f#@^QIT7M4*nm7-v+%I2v_pkNe=Y}*Iy6hf^ufr&;?ZlU! zCv_J&992byoQ177K0P0~jEY z?9`UtU`bkdGZ*>v(I$jZ;Yv+Y6~6&RghKU8_2)d=g#`)`MF3CXIBSXADc&W;9fj7r znS3rF!2NSoC3Mb&_-foce4%vE*rjd);s?hM!sh{*^#lxi<8C=`CK=e0`ix8e3#vSN90@qxA~aLA~6X>vbW@Sh=i zD^@<46#3d0@81tmDGBszO~g2}vdY-jD@HDm{QZBT=b&M+5O_Ujf^h?W`)2CX%W5Ts zp08(nSIsh7SddTxH+&jeUTOlIi>VRkAe#95HYDRa+G~KVPzK#Wo|2bW5dtWke+1EW zS0{Rn?K(T%@ZrN8_6KZvh;f9i=J4`r|bL~~U!^1GKN6O&{5b+Yn*t=y&k{6AofiDodfNHpLjcLIzpw^w33k+al`GOWqk%^s=uW9u@&| zeIeegVPbyj5_B@CWZWz(t5%|*Mc9I z@(Y3QeZw4UrL6(<488sn^{@^Nqznr{}SakD`(;{DiTiSAWuO zffvYuGiSbCR2;9doRW-+g!#ZjTU#5}8CO?0Ww}4=aT=v#106@f2bu(LUq_k#FK`;I zkYU35ftMk-R*L?u`bIAj|xEP`i=kD|iZlbJj8MEe5L#*bD$YocBEsRm{ncP@0LZ;^uv z#tk4!Oso}G7j|r*z<+1aT1Ra#ayEpKD_1e0rbMH?(kfBO-&jtTMYuRbx_=z(%N z@lN_P`qK{&^LY8nWLu6_sC+?2ATXoeG7tW1)ZGnC9MLk<IBb|ScpPyOKbK><4twz_VIE00m;Co~p zuP_-oY<~UBnTmh_``Cua8{w>Qa8*n`U5A%+WYo{w|Mn)SRc&&!(97T48EBv#ygzX5 zWWaeZuP>eXrsR_N&HJFDt+AKq;Z20-6g`?!_ihuDNBQ~1f&P!~-4mp|VGk)f{cHGu zo?V-0d>kfH>eJEK-%TOqVsWNaoGMt(Afqru2)+kL0JKSZ2XAP0h3u8`=zCsSDVSYV zWdZ<~hevN^Nv5vx===AM@bx*7doRumd8Ds}*%}1rao3mY&s`U%v>8Wl?MLZt(Z_ zRW=d9-ABfDv+DFO3Dj8Tub~_YkeS&XcZmd>5nBc-zsP9xR0s@0P?J#)=N|*KNC*-- z@(2!%5{rkg7_qHnXPfKl?(0or)`i>2M|@lv{5Bew6Zfw0-t0qWEUkb#x(Wr%3j^sA z4IAMM|Du=;T1#)--p+0}FFaBz8kuJ*kh&LDj#65Zi_3cK8N5yp{=ZnkRZqF$dw!y1 z@z}z+ZSIg00)e)*6|NW-pbsfRm}w6rMOKOCVjtu7iXw1?)o)_)WVCtUu9vy{dV&K^ zbpR`4T)jBc*w<$*tj^6rZhgnh!t!lg1PB~*0D_;o8~hBCwVCDTu%p{?dPt_V`K(;w 
zi4I3tYhbwCgTb=CzUSvA>=42iD0_CLmpp157Ri}PB~>^Y3SB)+*OR;jIKRAn(W6H_ z<)`yPLg)h10er&ejiPR?sHWA}<>^%l0ul8TBMHp9$34Z;{0wvK@0*cI$PI3N^XBBY zWsE->0e}ee;unAZkc$zVFatTm0%g-}LEQ;(+s&bU=|%Ka=Odz8w~E|81Wj3sOCXXS zrSAFk6DPmFzFA?kIFvE)`X<@YaoM^HAgH^$6jsF9C{o$u$2WFFj7sYtoDr87xCYkd zksnH%fYsI3WG5$j0%|j)Tq{AufsXIVhxp%b9Y5)2-pJTqqZ(TXNflS(+*GW^R>E}TAnpwU`LD8F$0-aXgZ zc>Bwj1w6Mxf#BfK!!WL&_qHo=t-2+lZ`2Qh}#*FK; z{&a+%p&_z~2Brc)twK10!9NgFtetFS>lH=ai{W1wKM1K1@S1DTGa@he$01ltK-Gj_ zx-^VI9?8j&wfAB=7*1*r_A?+8P(Q%afw`_iuQ=Ax_vgak=}HagJX!Oa|?q+rK2{pYl3nuP7UcPlOl z$#eJfM^R%DIT$TvV1Y|%9k(NIy9XzavV6#CEZ=r z<4U9JLvTlWVV}uKriDBHUo5B&Huc51DAvD)H~Grjsp20tFC=%P?STIP=5aJAv~iGd zX>msB=}Gqw4Png3#owccQF7tb!wOjEO+M?3K=pU;Dle`8d7=$dhdu~zJQKUH_O3eN z+nCNnBR~-YRza$Ow-ag9u+?Ha{Z}H5Up^k8B5AF;rw8dWlFG_wfROdB72{OWjxIE! zwW`^JO@-F13_lNR1kSF^399?t4GR;w+@&u-X_ON1@;}zmHo1Q^2^Y`w(R1=2ClP)YA**;uci}iOG z8M!h}m6evB0rvwJ2ZS-09(k{z05k&^T6#Lg2b2@-7ei6-9=LB>w!@xo>(uRacK-9PXI$HyA z^p}*aSsfY^gM&CHBdmxsiUc){oK8#S?2ivjUD`<>g#-l`=MP9VUt+|2vb1bhOYw-fw#n#^9Q} z`clFj@rf2xuHIg!iEhdEXSth9g*kmLrEb3&E3Ezr9=KMq;TbAReSu}yqEHkajvc3H zEjLRO)^|Iy{(n#$Q&lBco`Z1r+`jF3>QqdZeWa}zlc2R!Lez6(HDrKcqrqI(P+?Ui zC7I2e0k%5GuAJ;2AFo8f2?!7{hv-wVfj|}6X9wM-B^1W+g|g!eWyetZGjDl z>l{BzRybs7DVNQ^m2|aIVyyAXrBzI(%vzC8lQ#n<$63v{MeJIAf9ossT)TLjFFk+m zS=adm_N3#VFZ>=|`*|DcGbAzq+stTp#vnhO9p5P-SM?G7hA#~Ih|c~?*&PxDeGu6I zU4i8I%aMyg>c2% z)3+9OezW{eWYf=fVV7CLRt1(^Lro3bd6xPeoIk+tAqb#F=V3~!qxL26(vLqNt~(P} zErfhxP?~dYn0CNFs{mW9``!F}(-irb($yzF%A1UIhpjg>++lIx(E5k-HOE01AFEz| zMBWF!NhkBuz31n-o{(rTZn5JE$$UqU@L{`Ee6_U>y=OE4N*1k|L`2G;G8(oyl(O`_ z3`3j%z&@GV;_I=4dpZ+&z;Vrk*iXSY%>NY{;s#jzuNL4h43=C3Ch$DW%LD1OYmnlG z07V_0mEm9LznL`|aZJ)j3~v&8P!0rc$HouHdjR8^%# zFyL$oNQZC!f0I!DS2B$1*x^o}F2-UN~kMQMq~RF+)UuL@X_=gq%HpYS_1Su+uR1#mBCFU)55s z`<`pdSQc=CCS|H4XRCtmC2cF}V}qoxvEWUA3;P^I1T{VrbSUX*QPnEnT_0YB&eLyp zrRDO++k+sZ;fP-Out9S)V(N_2S*2i(tDLl`KyjTy!LG}USDZz7ToQw@n9H=U1_Y2& z8Y86YR})-?bL51Uvy;=gB@Kf;QF(bkTap*IR`~=seMOui9f2cb ztmF&U1Aj6D2&DkcQ}9)+le!l8_gCZ4D~hiMB7-(6Or^xc_yJ;WNj^jnLqoZ&e696P 
z7{j@nT?rvYdPp3!kcd1?g3R1!-s@K=gNa&<*17As`BD1o;!^?~7G^6KdzSe7NhQtA z-*4Rf?(_7xg2Ilmu@{a4fW@AtZvUhp6c%3}F^9Uq(%igc1M2w1^d4chJE+KPth*c^ zU3y5m+VnL}={lOy*rx5Ndo^zMb#&BqY}Y*Z>lgYdLcW=NP_IFX&_2JI3ZW-G0l2cr zx&1s*^Y^!d(vj`N)70&G4hwb(&Bou~Y+xc_ujk=iTB&o^xLNyB&*IP_RswDaIqAPN z!FV5rOktD~p?!LLo*o^2ZSZ+#@6I9Jif2pf;gLOkI(?*0aC>1udiRq$ z4gEyI8kpgUU~FBfdl4f!{aD50inDVD5llNC=cgQj#ND~Wv0cDd^VXN2)rB^ycLL`` z?H06VU+<8)R}fYI$fPTW*@R0+<4UlYRj8B{r%A)*Jq>)US1QFnM#nW=Hdseu6v??hn8;wo2ieuhAFVOZEF z3aJ9dCJv^<7Rx(M9JaMZdi?s5rAB_b*;&8*{MbFztehNu`mSR^>VODz38asEwq*<* z;!(bwWiZ=ax*dcXI(+B2u@QiYWTyug0-KIj?!pv!Kr^?0V1`RJ=6lyiAZL&HTuq#m?<`Xsx3`$A{_F)Af4 zZvDX>8Qa1SZM9LnXr?*%7CSLu%bJ_84K7~)!m8| z(10(k=yUT61r-%&)=TaHFb}&jab5}*wAPDxzOuX^o&MmiKGweUW~o^BQxhiBB~R~- zYK71zw-lF_KDd7$kRf1$Rm8e=Qsnkc9^Iv<&;7o~Ox(C3JUE)Iwwm!ZeejEKCHU7e zvLIQUoN|ebyr$CP;s*t!4~>#d_X}m{YCe86s@?S_ogd86&D$&YYQ0Z>_mlW@?f!jb z0?MwQt}Yz-C0#4mgOpWHVF=*iV{d4oQ62Fm+!96yIWvoj?iLkAy01IHvQf<5NV|r! zHVLWyo^2S!dOLNTWGJ!qF2Dt!AMYC(nGm@ssVKe$#ss9bKwZ)L@?}SRyMn6f+~lO% znNc3~t>S*Ub-Y`B zdA8@`@fe5tT_P%DT2XPUPg`!;xnz-GNk>FQF|GFB;p@Dz@N=d7!GSyU2GJ~HJuD{G zjZSWKHE;7$_ucX^n``Op9PBOEt0i6dd%idCO%vJX!N?Qh%cD1pXU0b*11|kBF`z55 zDzv!I#;YPsJjc9DOg@Fkrw5*W=>OD(U!#)(3ElWad*bBLqkWKsA)*9@;Jzz;q%?%$ z{^x5C-lv@LJ5_!1O&KE-udtGt!<$)A`dg#z2d{b1kr^{_I-t_jx<@LleyhDg-_8V?PPHswiI#&Ay2-^2j(qAxdXD3jw z%}h>%jh(&h$&)v4-mHukJPZvBLniGd*&F;$ zi_pQKxrUM;2w{Ne3M`LZP=>kR#}#!C>YAvS7-W~zeixGDDT#?^{`kB-d@sBUVH3v@ zQVvTi#J9302cH3PRzWdszBLkmGSZ_v$2z9M)r92hYL>(_&tW+r;d zmKM@z9y&rEO$?GIxD8p77P!|Pl<^0>06bi zjC9Q3TKxOtAu{aH-jLp%<9fxYTw-np9aOpfd-`wUreZ=u6$`+E%`anIKw`EXFx(2? 
zscc0J!mIp-Q;*e=BbeR=+!>?5LWKKg{%~K=+vB(`+0E0l+V$N%_zFzE|3A9k1D?ya z?*snJEM#Pa$S5l-D=jNTLPlkT=x?UXqL9+E_e@f@NM$A~MRp>TBr2msg)$=E@2T$R zx!>pgynU|w{#4h6|9KwA@jHIwJ0#O@9Y1>ma#3m%%O7gju zP&zxA>X^)`W@WXUt=CynaPItL-GQSwRq@V`TyfJE93S6OHiP{(Ob!-tzcMw|sN7z* z7L*ClIxq~#veM6Jk$V?3k!#J@C$R5YJ^*)NCm5I!#S}@+mNuaG zW$U4UUxwlYkX9%pq{oG?GCZe%&xB6KS`r!+ot>;I^MKzHntL)UaxX%aw$?-=Kfr#+ z#>`erq?y}-l@k#70A6cicYuao-5xw5U|=B>kdxJ(8IfEJLrZ^eLq4+z3wykw=x>Qo zG50ln_4RTPp)q0-2#Sx-%8V^?eIFMs=wRY_$l#7ng0%Go=-#7rKnR3TNnd|I#PeQx zkUB}-(vdDECTxkV;b@@*1@UhP!C<5fjKnu!1Hj-2Ef?buE@OK7Q0Ppk4Ln87q{F`( zP!cp2)WRnaOQ6d(P|!{@>*?Wvp7Nt(r|s;v(tW<5ag%khi7?k$w+@YKs{S1{BGA;m zaDg#@`GKj#Qt@G9;ub(S1<}42p0|!>xG3V-s>w`b(5xw!MVO8^N4YW7a zJ00Au66yEd+*1T?5vxx-V!Lc?pX%zxPi$4KJR5PDb}k1y76?T7{%eh&EJ3!rzWIU@ zjGHk(Ll+t_n@XS$hZ;^?W|F*+TDl2m@+6sDUvNlQU;hFe5+I^OF@%B(Oj%_pI)j=9 zH65IotRMBSUdip4Q~6Svyr%;OEwoEVg>=2>Sc#c6c=gH2kfc7aoc(ip+Ico^UMqrc zud|I!ox~FBSp)8+Yx&F5Yc#Z0GmevFOUvC+DtdXhGctm5yiZ6-m@m#B+7<)#-vh02 zbmpb9nV;pvZt(Md+!H=I;o{`44>H&mMlxyyt6HgaJYC7@0rQ*o*et}z{KE&mTkP(Y z8iP7Zy{{PXIP@fh6myK*U@(nw2NnW-O8CUW$r;Fy8;Gv$us>QdY~{ajyA0q_oV<18 z9BU|7l9_%0l!d`2A|~oVNOsYZ5DyZ&mq9ErNZnP6-UO}zta)^UEhss;ea4Ivp^oRk z1cc*!*s+?=zJVp8|DF+3Ui3O0&4jp?w`$IEnMoyn`uv&y%-r){9K=gV-!d{NB~Q}O zbmc6wkM$3a_k6`h)!loA|DHw4j=|5hd;F5l4mY`rXHY)5xs$u*JgXt;F61ZtVie~G zuor=^Oocq}pzrr;BFq7faqHHKL^=cbEo;}>>{{o$iB9g@*RP;VFN2$O?^s0_)E|jT zIzdvX9b5otE3;+ItKancS@WQwNw-l%vB0Lk#0l0l=%dzBe^B0VO zf>%^r%wvpH^s-UGgkYVn`+R*k$=tlUsGg)&<7_Le8>gbhq ztTzWa5@uoO;_pyC4I~&iNtJ&Xjf`8bnPzwH&sKf@#X8#em^BJ=2Soy#`@L2-JNi|ZZLH>V zlP7yz5#iFbI9Q(J;s^EpjF(s3Bwf14ZLNfL)4ff|GxRM|-U=P9+gi5~cY~jQO75^A zZ;04h`{Tz|I~}&=XTSaua#`t;3)Fqj?M!X3LV_G~R!7$t5&~jaN7du}y~3(wO-Y3! 
z?O0Tw+I>>|;_Fb0@Vkaj5(T{?94a$8EWF-4WRUwL}>dhIp5QsoFe+288 z$M^C5J*EfIb0s1i5(~=9qcb#1<)K#-IZM5F|Nh<5d^XIH6pHD>P9O-A=74vRP?CQ8o~TK$P_`AixbdtKhAsCR)oexopJfT;vWVyl9j+{}+3 z8^JQc^nN6fn@;FNCoouQ@|*uIYTxhQyY9wU#}!9hI~^~fY`s0cdfvo8L3xN-guL_o zPYw6&r7c#0>{sjWJbs*={!uc%lj3%b)jRDQM>g(n)rSZkVE<4qLoW?JSPzgZ*4Jwo zadHdkQv+W~)#>-|selwrj{C_Yc`{a5$9RM8ELUGa!OcI5Ou7Tr6yPhQ#n9V<7 z>)bso1=0=2t1)|SO$}5sZ5g+9b$wm#Dvh^JG;KVK3LkvHdpB105kI>q-F6pAld??|D~@uXXx`i^V0FR zrC)IygH{hGQ|`anBF(<2Nwf^nGzTN7s;1^v$5>-S1E%HBlg8Brr^${R3ZV<(yS+ZY zgzgK;h0zo=wq$d*Oy3NH#lkcDVpK9H*3_I?K%4+?3*7H<%pzc%SM<)W2W=y| z^o9Q%gUNBt?I$l4Wm5O{p2B();0CdHghp1bi~A5Ag*U6rJ%+BZvNwTr=w-;oMF|2Hw{~xl=fLv zlvxuz55R0CnLct8h-|bdal}-^#LKJXxY8rA!Z90#?lvM6#NyW0uA_zZ=iq&_;%kOy zqtowL2mC=bJcXJK&EP*Ul#Nk6i;{=L%*Ew&@+3V;WqCeB=JH1$eXV0SXABVcO4hwEndXTny!rMEf=SMi5*93ofrjqlY(4i>vGLcws ziAaZo+jL|i8@Gx2NE&i7F_m{_fQi$c%S;pZ43<&E4H37&MAAF5YAzbkfmLR5S3r zO%rQa%bM#MSTwIQ>~cc+nw<_(M{DGYfa}RN?fY6jxExi&nW8tDvGvpSxORKU5ktD5 zxNicfU!5_+03j6ucp%z(7|~)7dYOiFd=;yF3j+%LCM}JL1O}ziqlaMIkzgKDpcIZB zxriAZdeE_=X3VgCBI+yOS==OgB`m>v2+}hK@4!uAdg7q+wZkl+1s;T|Ni>^3MQyr;u)9Q zXW@XP><7AdnrRSr+;V2no?Z~@r^&X?p-1npYcRO|6{fC6>LLNBD7Axx8CY!mu~(ta z|7=44#!uIxG9UvOx#hJ>6wsdqHbdCKh=)P^QGbDXdEfI@*4BBiSbwNqDmZuN($J#h z>*Hr*8T5RLMgq(SQ5|i$;c$MZOrxDT+_To#oa=!V>9T%WtK_PW9EB+i!+)wSq47JGN4uEdSZjUIZ84S~)p{Fb&9ESDy7 z4KoOluY3#jm#-6*U#&_1sI+Sr%D~_A^D^etjF@))i;f;$O{i|KB@92@9y9)dyq1i4 zz3EYr(+!5fx8qOU-Hzlu!<=K@I|hzlAj$F`5UK+7K&%haYb;^*=q)$ysfVJE!GSjv zsz@!=)F}EC<>XFGpRWRE@myuS?ZaK(%SUSxV5s(OV0Y0ZY6IKp4%;`t?h1bi1`s#n zD!4UhD)YS}>W#MUPSl71Pd8zBUwXAcCCeX`v-Wfq%^Vep%FZZoZVS#Uw6I;Ut!2LG zH#xr&{@zSHnAldEx%%$zxL|wnZQH;}toQm3CxGJAgoN4INtO65keW{R-W52PiOL1c zSlXSd(Hk6Z+lTT(s?iVMI?~2*w zFO!pmd2j3_#=iDEq}lI-9ar{)I7PO7hxF$HEJDe+=lc&Hj>P}R25u%nl1#+W897-d z6&-044DOMFkbMz*K!xY;2l9*ng!h4t0h>mqSN_P<4mN?y`r*qLoiZGdl%yo>GJHo& zJ`R*2ovI6aVf#@3rczxJUW~2acQg_p6%^`%P#?_o5XhJ?5v&nQRn(O$RKjg<5g;IQ z)d#k77aFn6v$()uncZ9lf}3Z+ykE_2z#>JB9H>dKoSAOi91t~$KD(?g1=?>6#`v8WAG&=k=Lib19=-L8l@ex<9&kN8d`2XZ|9>c7p6j;F!o5>|*s 
zlBVKsp%Q#IJBsuVyEXj?2#{mrcDv;_VhPckF}xGwu0OY z0UydAM;;UvV^6-yy2REoFp$dPj`_K4BQDuiFPlvG5$EJIZgP!U>O)(%f;~)?W7*eW zW2a0|l?cLlo99gy#%BTFgNLY#OeNHe1AhrjPE44WpZ)`NAN;CQe}e#Q`O%=)ILCa9N!I@Fx7u}M&piY4u!$2ua0%@P;H-E7pxrnb%`?9fgCUJx`YoN3Ud z!go3W9CUvE$@7nj+m&Pl~`-Cm(6gpLd* z?g4TUU0@SsdNgtB;wOX7?~^Z@z7-L_KZ$+QrX_INL8%BavowC}b2Q6VLOD%(!uD`W z2aP;W69Gvfz4!gTcm4HOD2Q-{geY#@y!rdLZ!bnXKwSwclb+v7F`)3WGp` zUdd-&gna0kbn6R;@;g&?HrbjEiF-&Q4B% z5`vM~|Ge+;Ri zq=QNi;#BR@w64bY}No1p(Q}23rhsIXM$i(CNB8%uvF;inIvAObal|fe!oPV!6{REmOi90vW)& z=4K~QT5!D}Lspb4rzN2PgN%_~aUUG+c4CHvzB;yg{hoe=C9DLO6i`3d9tD{M!TG<- z$FHc4iH=|D?s6!3Ams)fyVmW)nzRl=5;rmNHKtvSVO+o)cLFj4nGn(w^r&gT6D2`5 zg$ttMu~L@E#N_3F;^mVQpM5~LkML^wF}PWN#u%2lTT4%%tUhLGxp&VVZrbeOMQ9X9 znA`-p9CX({6sg$1+=JoR)&!lWvvUe`DeM)pK6diqUiQ?YDDKr&Ao11$zVe}KBCCDbLX%_Bk2lDQ&6z2#g|axy`3K;DiB zZ>l@JljR+zK7Q`*Q-}(rCvYEaPG~y~XehWPo^BA003RtRB0|^!FGDhK4CfY&g>5qw z$W+lf3=~pyyR6DrhHV`v3IB&?DY31eKYS2a?h}?a+l4p%4P|_o9U?fXsks?b5HiQR zo}T!dElo`_+qXZ&JI2ICL7}~^ZFpt@;5sT2WCOeG@p|h=v7a>u$042b`LkmTeFL!O zS7yM?AC}0g%DsQz;Oq(vTMd*KU^H{HSp`jrX0e!kqiDb~(rj(l{!<22sDctSiF!J z@C3;e`98WL6vvU#wEZ4My^JLN18!?%hA5docvRqLwq@RTY?=^`Y&<#Lf8eKyXmSFu z2V@){^vjzjc2{t8$`zsLgnaXTD1N}1Z7eN7pV)jTX$ha5)v6W*Wi^c);9%cgtA~)NOHyQ$X11^hNN06kLu=84}B`)Ts2kw6Jru zqNA-thc>xtc*;lb*4E+|IKKsjh4yUefi=x%RuAgth@puI26cNf9#+?+3~A^wsU5Hk z*d(GO13L-M&6}A>NNq_EPBgB!S&!HWr8gO%Hz9RM=Zxqk_H+SLVoV}GVnngLyd0RI zQ*aKR+{8|!rKPu`&s&}x8%qSX(bTjF8vJjUFeHWs2XGo;3ar!1KVKPOT7QsEDuRbj za5wqk(b$~j4L#y-BsGj=qS$GWp-7^r$Ec(Xh5OZTQT?PIAB!%_8dY)yS~7W?7e6+d z3Z{#8x<@KGT(!(#yAYzXNdV3tBow(|*EXF&yqjKFf($%P2z<=YAj4$a8iLk6J*7zF ze~u&5z5WcXm+SHIJrG@^;Fprpf1}3-p(PAaFvP`V07Bj9a)pM3Xegmcby`|l8q){_ zPxL~zI{?Y{d1NFDx3hyoIr@h*uRSn9#L?p6;xe1GxqMLySy8l)=^TLDLa$J?f@B+X>;V$DIM>H zHPKs>!(+cal)ezQRWO8=cP_~D$Qy+NA9CiOv0!hY$%MSA06x*s>qpTGFfzh?k;gV= z8C5vjy0*piJwb5P;sU|t0h^%Z7qdgO)Nfxra;fvTq$e*E51DiR!dA3?I} zd(Gl$Oz6EGvV8m?ak5_|;j(JEcfyWjUcafv$xt z;Gg2+g0%6|2RZ(nxjiIJ-@t%%cn$tKYEA?m^f69D>Q+$^zRYsQ z3|WMcuvVx~H+7ls>a`VsY~9{<$#d+qbwjt+Zu8^E%>Vwqj8P 
zzYOdc1C94Cn62{iK$fsQQ>Kb$i_thzFGQpli01hh4Vg0=Y+YRT*w)k8`QDiY_C=yA z9mdvZ{rsAmGQ;iS_;D#q*pfc|M*Z{WfnAhlF+o&gb}SnD$gw3%A3W*p}=wqofKbQ811KcW@m4|?whj}()8)vs*Lsnj=|9OgM9ULAIkCEUQ}Iz6C{Y>fE_=dS|;~S>ov# z8WfaUSeOu-))GDp3?3R3WK1rBa~K|$hr%8>38Mu`az*HLqt-@$5O0%EI0Fg=X(<&C z>_=|tyzIY-6aYH5IF*G31!0-7u?shtHIk$D6t$OU+^i|f3oG^DRsU2MNcZ$fAf2Cb zT4to(fs=w=(Lj|$JiJx9w&@Jp^qwsOso~-65EaKfU&qS7js_bBHfXMHQ7-V4`KzeV z3*TtuK**!m1H5Dh_n&%{89juix|l!coaVaNyS@=PTzI2$ z3+0G@1qfnXgd>Pv!;G*2VMKKi4WtJV!-p%E)|jzGze9>gaU9_kK^9j`0|Xm+H1Z`l z@^#9o%Qbmy;8$Q#c~+7{MMEP?i~c{wadhII-gI@rqOBo$ojJoJPsqN{eBLl|2A2|& zR9Wk9o7Rg62&gSpUgy87RcyegNmWFCn0V~^OP{|V(N9?gVzTu?Ea)*FEfX4N%&SmX zP3_X(iS6j4?86i(7wrQy0cl7OZtEM~x=q!bUoghg+ne?xEJ%t{Zrpe~Bo2uC4KE8f zixQT)SrWEyEosYy6bcRrrGY)n9SAQ!23 zYs8}h2`Ji+h_f+IX{VfIV_v;}O?weZPf=^ZZQCU_ktp_4SMHRQcp(EN{pj4kc{?q# z5+)Kb@64lTPZ(qHcTsD@EV;6vpbeBLa8lkxUZd*U!)NfujV`@6%AiKDh=V!2U=59W z)N^?&8_C~~b|G4?)@$AWh$>S@E*0kh2DZo7Rzywl6R! zyZLEsv(2Fdts~LKr}0%nBqTba9*#pi%qN@fY0JsEo)s{m#6Q%GQae3VFp;m2^71Mey*?KG$TCR`}>g^>gZIO=_y)&RP zlxkN#$Hvl>u65+!N%TWwUcHXH5AlOw*MP9KrPnE{^rBP1$)GSp3>(?)2#RInkxjpV8qws5j8Qk8hJo-kD(M#rX1SzSzf;WELs`=1T=ZAFV=6 zCp0su*KN$b%0GXd4)}XcqEg#9V;~P@_1MWjSO8{(M zYzzgRAk*soP28JLz5d;sc(|`@GKX|W7r)oi66!MW=_2ayjxjJgtorl?)(MJ;IACLF z*j>`rTTLijjErK6c%y}sg!(TEk5LcPuHOC{Lfg_W31(7nQD9idFpLXe9qCP9-}aSQ zA<6KBg}sL6=I7^s*nnC^WCT9v&p)rPhu8DAein@rPRUH7RMA)M*{yS|r4$HQTw(MgrxES~LeXE6}C;0Qo5{7^QisU=4-}C@2otZ-hv4zxX zY?Lfb;^!W6I+NKiCMI$&)xJ3hvsh0mr?o_0Ii3|AUnt7^qDh=nF@=$o>9aAA|07_^ zrPuvNWVkx7K6Lx=6g}=!Fg!;y27oN`L(|MF3|*`Q@X$$h93n)VvjB11fWF`{sn-JodzF=~9xvGU&{CRFMaN;|Y)E#IYpPvdBe=n| zPj{p3ky-U9d-$Uy19^#Q+{msLT}x(35r4s4CXqnJRgriiyuIV}@+~)O92@r#9ql z->0J!Ty#HD7`O@?B|^!RSOjf(#nsEUi!39e`9oy>b3|Ae)kR=%F-pSxg9HTRhMmBC zNs%_f(*nibvN1S(uO=Ss%9ra zlzZM!+3YI;$U`H6;VlT@+bp>-WRUThCRQgkK3A=DX!I{1}fSk*j*Ta#fDY{M8Pj1aS&yHkgzJ>di3{AxD`{{KXHZ5?~fT} z1xIe{g2yq6??ghxaugYk#{IRxzYN1)eP z{ouim`?bsF&~iqTZ4D)5v-?LroySj)MQ8=0u!)XCgBs#chE4z)iU{**>*{j$g6S%R zh#}OE%>n0aR-5*B?q6>vQh;_i~M<*`}3k3-8%}scqBuM 
zS3Qt_R2ppruu(zw$6XV;ll}i*$|u*&#~5wIaEqEi4T$%%P#N+duG{jNWksi^`hR#z zy`3j^vndGT#cS=>qSw>bs?n|rx5oGH%ciE5mX1Qb1oMy~ow4h>bNv+*b|EWja8!Y@L6=aUJl7&^`||-?%xN&Q5%O>}q}N)2FY!r`}b_ zU2@s4>HoT>+BkLq;k=aGyu;(CK^`(%Y@NUN!IAeFL3E>A)-6*#+x>U2PR!QZA(=y{ zc#{cAGKrvbm#%z#GByK1DhNxPxVh1Y5r6%#n?8<%KPVHa1)URE8u4Mt$vWtTigH(Z zj(y8N8WL3}aQ8pNCz)Z+C19YD7TE!7fPn+bVbaTD2ZNAV9-vggrTF^kQ!$j~E7oV8 z{h#q4+8M|$NMm+aQHL(-#6Cw~JT;^gEqV}!Ab`a#-phPO0O&#+ zs3Pk(#6?7`XWuPOm)3C~l7oI#HOqtduYg7)+#h8;J$;b+9~XiB+C*KN3_xy*E^lOt zstH%z)`Vs!{!Fvg@2VDF@OEgVr}_2K-*f)23kS6Ims8SJ?mnOF7rS*!@7?A)yAAuU zN3i!=7T50l*9nQIU(k#?{g6{|H_=PUM80_H$4@VjAAEqly=z^hC~6!EM%X5jhVvaV4_> zox~kc?715xCFC>BMA&TU!LW{^4Op`n#IMp1Bdt~WM_siC{w&OJvZbnZ6W;}pyr8N& zuD{>mE+Y}YRXgLGrGGQ8hO8- zD4@o7RM&mkWXqp_?BDB^2y|5b_qT%o`*44uSD0W*5V;lu*h5B#gz^>N)uc`jc&i*3 z_;bHDMr_yRT+aW`m)>RE6d@Jquw|e3dQAtDsGB$6m7WZUdc625hl?%MPyuUnH31Bi zIO=~N@G#H2fq`s&#+b*8DLd?TxH?Z~qWK&FH}dWQg1*$rbr=8+6UUw0W^o*%^b$cA zSKqJ3KF3$j!BKWM@&;E1oqQd(KZatf-~BeeJN*k{=`qN)+x8?F?N*j#i9r5o{=Z2y zqVpl5WbbSe-s&{5dC$er>bSq}>;KHau|)-4|7RPz{q{2QnC8u^> zVIJlA+i<=4l=baal-mzb3-Os05QuqY$#LBSgH>V~pTq7FJUZgV9-xo=J6ccLf8-R( zL3eNO_{WtM6d{_kI>Kof%0a#Hnf?Jb2mGR)A}YXof+D z8{<6WrA6J`)FdzS5+(rXc83Dl19B3lhzw-)ga)~EbjC)$XLPM@4-`Sz9-$iN$c^DV zi7_#PxzW7v7(vQ3G9eV03+(w}9yG2(Lo%7j3b#PK056&=-0|eLkCgX)hzQI0s!5US z9=uLXr*82xu(mfXV{rb%I(!0^@W?n{U@kwAwfQQ~KUsWj9cj4T?)Y(^p(i%t*(U4S zh%avy+O|;={3mA!2xDBSB$R(lgSLqA#d%*}Yuft!>HlB>s(jqByr4^=h@iZPcJ#Iu zV=6;-=+&mrE-j4ROO_kcd3*B1(+cD4u*B;s;y@JT-LB&{n>Ghbj{r2b%w}l{b%wd9 zt3QQ0D&$xAHf;jPpPYurTrEbtS+Mgp&bd}#&W_D6X7Ag6tNKS@ zu>@&;qWIEvCXtpwy{)*tvzn?K#>#Iyk77#(W;>IC_3(qd3ut&y*npuM(f>IYw4Thf z2?-_4$_`zzpi6&BTtP|~me@!x?;gcZNSRHCYYZqTgxL9fua*Lkzawqzh)ETDua-e% zt9>!$8s&k?x!Z#N#=D3ga?Od%1&0cH5*RaRJ>#LWE^l@I8;@x=Zv4!{Rhm9cmXndW zeO&YK)YO+R<8N&~Je9FwtXZ)C(w@>Rk&qx*ZAATVfp8aks-KKLTAYP``vO%7K2TKo^HYw*##Uu?)8Z}?puF4Pxci=~8EI)fN2@dS=FR7ku443?4{!RP zJLm^dGoQu?%Erb$HgYFNs2wCS?TayYgMCpSqtLlzlj$>8Du*NN#wQ{ zlI*unS?C6=P_W)@F)b|QP2%0RkCK+Q5_0N2uTPHh>?Ja&8Tq1cypx5_%JRs{N*>M2 
z;PU3)yO-g}tk%uahQsLN>&-}SA*v59^v|j)zjKQjyB@ z);yH+dVRxW9nw4mkw8^<_b(%@0c$R1zu0#Nao727^gTGb10$?q>EY?AqtP#cqSk0< zkNU!|*U%4Df%x3p5`OWs%o+o$SLD>kc;J=mofd|hYeSPyzdslesiOKmsn}G;~fBn!Ieb=}pr>tzYPcC`%3Jt@&hTB{V zJ7a<0H5|g+O0C}BUix2{*zA#XkOc>B_9e&2-3xT|SC^0i6SHrA-k8$$)G> zO2>zRdR?Nm6rd2VdV3>+p-p}|CF+N<`cng<$N129PLY(f<9qA=$SxA-=>{09#C@po zBN&>*>qZ_iIe97`niQjvDupopEKMlX(dN^lQlmq!)9w7+>|VFyBE|h>_eKT-1`nsJ zOlJVd;O-txdU?;ny6zKVG+16yliuIODfmUksH1yoE?8H1V?z%gEaAlAt5o**iHABw$3?>VV1)qEliU@b%a2! zzJ*2Q;cfd+lr`V;cHK-uuS4k6($a5b{~Hvf&3-SdA3ZX?WVMZsID>NXgxjNKsdIHv zwJI~!9h8=bc|}C7OIcR+-j8J4^9H5jl`E6v%EH21X2l&N9;DmY1%-utq>_?1xPC~7 z4j3E5&_tE2BzP{d4l9B*aN|4faUidK-9lz~$^yGCWS3vK;t6G^J zIZ5O_Y6&8~zH?}OtRdA6uW(wLm9VQFg9&asXyM1>&EgWJd3%hba&G9;@rx!PQ^#FlWMyhz{X@X=w zN;2^?-uCh0f&5qoh4hjVSi`j?N~av9e$ZF2;`(4@f-Rko$kT4zL7kzGzW%XenH>=^ zH~q#YExyF^@dsT)hF|(&qHplUty3SV&qwlozjusFt4wDY*ueTrlz&K1o~A48tg&s7 zHA*Zp7V*~8tGyaTgx{A82)|xc)s-zVrN<$)67qt7HJ~dzslVc2*K=* z`|!x)whj&%_w*(&A2`zBwDI46j}bePB=OLzAD%V7@}N;;CWybGxqCqqC8D3*JzY)% z^K271BCfu3pd!Hp-L@JBcH#9I`nI%g!^FYKY(t!zBLluEQM-z_-KthiNYpm%rB|cE zc}$=6njG)Jz}LJNjs%X$M%W9w)a@^u1P?esh-fbu2#*(E-Z=pdwOZ$9D#MdRoSI*Z zY-?@Jv2E$@uJ1IgwhmLwe)Q;P1O2W!T9SFWVusy;GsM}G-zP+W8JV0;Idk!>B}V>iD0tUaZCd1(ghN(_U+5B$$}urM)s_wa-_1ZVi^ z)bXr$DKJTEuodg4@5%CZwZ>62?*%6Kzdku~~vvz?sE-9($cc_OGFOcBovCGO8hlgh+a>!^lu~31Zc9$BbHMRHd5>!4s zJrz#HKZ)NKu>9+&tmMgO*8{X#0$Ko?K=7x5O-2Xb&Y8#pO=E{$7l0<$tc3C%?Y#u&x%*v<+#L zgBHpi+XH7DUuB=Mi9{HBoPyCzi1X&tYd z&L8{vZy`^TyAduei%gNDVo-peewY&PD;{*~gn zZli7YafJUi6VP>GJ_F2>^ApfK;ntFyB)k0sz*dG>4P=}znwm20+TT8wlr;X^V&g)M z{AG*CAgrwuAN$(bvH#DDm4P1ew8yS^!cS1%HMQ|FZRF|qnF$w8)(3Ss{r4Ug5fai( z__k|Tk|K}VGI~kQsvySQV|erSE%!Xtqc?{AsM(@IJ*7EA!WBkp)j3;vN94*Ivu zu2EyYvig{SDMBdIpdk*%hR`F+OETge|GI$FSyJFc<`4b%W!c$)sd~1|rfX*0zfVhY zQB09Au`6z9vHY`=vxzX|&dxq^YrSC5E<_`RCmr`)oy1aGtgc<7VH?T33#;G(>Dr~) zxj}CyuBD0My8kS2wj&wL6n}$0v_RfI9jvhu?#7s;9v(}ybc#zzONF45XN5g z_uuB^sN5?kh^tMZBSPX4Mj1Id_z@3B_q=-b>VfKPPyTCQ*s>jepli=|FAsO^-;glT 
z?@dPr`AZlWFN_|U^2t9Mu+>Q#ltMl}UY^Z4hfhDCo^IfL#;2km@bmM- z2fj@s9`6HcEztE86Pw#&Ndw?9GdK6|e%D&yZ8maoL2^Sx#5kYxGCxshALc~Gi~7vC zEvf~{70R^S6ipKj;%307#-iU+a!<&t20svxBT=RRa|!$%(qqslx@(so50ELr!9_PW zu8?gKU=8f}gruZ5U_@ZyZUOOgekH_352uQ_DGMMx zmYRwZZ8HDpRlNiTOnQM#rlI*Q!2#s;e*IuIb6KX%*%6ypG$A;Zc=T0(1*j$;e`;Ai6>30c+d**s+N(Un&6NUyP@TSPLmu)bYjNYd;I1P38t}V5X|XZ(fPnIG>NhTAD<+1 z6&0u90svrU*S2ky%`_+<@e?)5Pp7g^n9|>|u6++a0dvks`QYieZXXPbU>J@WIf@;y zg89~8FUC+A9O$PjE4jilQ|@4nMmByOtX1i=tUj+0*~kObFiB?WGo)cj$1$nf!{-V} z3y7&0H3wdrfWEuWp7%j4LMWqC5)y>-I_L!Hfp=t&t~?FgmInAB47N4=Cjk`=ZFuaz zs7L}N@M424tO`k_nAlh|iG<=}Ij84iGiV5cL=HJk45J=nS!rfAVf6p)+c!+#A&LlW zZ_?4H69;eYNp7$O_$*mIG%O4o3@iqlnw_Q+2}9*UfuNj#w|&@by(5i=Q2sYV7dyMd zsQ-6+xq(=B_RQqV`LvXj)~~OxBIUwhH-1t=a61fJ0Sf@u91n!N8n$}rwO05ddeSke z#0j8vC`r+bGEc8zYmxZnDu-7lCRUc#YMhT&=b1KreTiQ%N%7PT$4<;FSVs6q>5G60 zgkJpu>VM!7|16B9Q4lb3K&Rjpnb>UB_5a7G7c3C?M_X}G^u>@0n2Da=-u3I&Iq$hC zvl}HMAyk5)FIc8e$7VPs&ATz8#g49TXvhmJ`IoB#D~cYB0C5rQ-nGv1(Gm0Cqrbii zQvdD=q+_zacfW%@C+qg?r^W9X%k!UD`%sv^e`FZ9r2~p4;3@&+fA-87Noi>j+N=xf zAlQ=$Jo4BW_>xhw^5_e8C95-!6HF{xWkE$iKQRl(u`3168pRbv!oa+lgYqCq<@j2L zjWYbo$~Cwz)Gh;V-~Iaa4kghqrbf5lZQdKKmu$d){TZ5Z%wAz`Fr_1H1Y-w-XhsGG z&<;@ZTN@g(5P${<<_cRvcb3GzcW-LP7$+wurD|gYFZI2w?CcmAwwaKii{!W`!Era_ ztzZ%f91hsaSVxTF0y)^+8kx_<#>B|t7Qtx(rly&{Vd;&_tZQv5iDYaXTT()HU*=VM zuz~cp+}n8?lGF|qP~{X`{M}8OwhtI-k&(WyZ|g6&l33||KPPKz!2Ac=K-x$?y&;dC zBuEHtQA+sh+X!oG6hojBt|6gs9jmtM`w?&AVt=hV<(oxz@f zwmE`^q~+r{zs+=AfFG>C?g?ZR1_N0rPr(Yth;nsTn8R2NJzNA3F#mKtc94i z7?fFXgc#2Ut8k=s5Ps$%A>hV5c=&Mb`t`^OPy*Zl_!j8EjP!K;e4NwhXt2jp@Rzu~ zxV;jW^bZN)$ADDR_$gZFCC&W80xl1@%UHmh3=fUKh
#@U$}-2=aKX0u~sUm+@D z0-|4XEHG*jmBRSPk59u!K73G1_^POSB^3*F=KK2r@PJ8})&~>%84*2Q#G--P*Si+bSz)D{9d?-Knvw(!`rZeU~1QagfuiX#Q%oSssb%-v;R*PLteUB)_?*61fqI;Xyr}i_ea@<%S=NeYvpe9 z>uONdHL!86i=?;Epi;|^JZwnCDIW4M*Zj!=-ZLiD4HQb_?>`=4D+n}qv*D%VXgy?j zEpQ@rY59@=v@Vyx$9BQAxz?k;o{beE1rQneHg_JjM>|DDgP7sV36dgoh2d>`FE`f* zg*?c#pey{ug@pll=eOY4ADg324Lpt?7eDib{nx>@z*`7Z`K#~Sx0aCigJFTRlvE9r zE@7)$8vM4er{@dj${L690K z$jbv)dx( zqOR0yMp}e{FyiCWQD{XubhIg!f#569pT+ z?ngV3?4SgMnZYrsav;3K#DagD9xE~q#*K^nu!^Y(-oT{@?^+^!fb!z3BJ4oh|MtCm zAOwMAW^HMi8WUq{Z~wf15-2pRgNaiTPA(E5;P0YW_O`=z0r<|U3xD3eeCdXyVd?dy zo>z{$F|Gve3-LZGCr3npP((yn!;2orMns`n4Qw7527!Y@Tp}4~$misWBKaCDt9*Xx zGJ#`-h{b>9&D&k@83BP0uhIWX)cpL(KnF73zpR`brfeyajtBm%$LQ+%l`Ds+_0BQn z1!h+a_X%H_2(3GY5kJ6CJs){ znZd8Ry7`uaHTz_Q==qNqsGnkOR4t3QBa1D4fRocRWG$=$G>}wo#?3BEmE~Ee zMt%ah5pY1f>|YVAqsQ=~yN8nY8yZG?Tc_cm%{)!*F2AgOo}XS`T`PeD+(8epV?90L zdA-#*CFUtlQ+DQ_r5k5+FBQbc1G$r@5p-!Hu_h}=& zh_NCe;fR@8AMSAMLHsA@CU=xt-ORl-F;q8eZ@<^kWwv~9Jv51I_~|_&9t)^vY_+T3 z5p}A8Qn>EJi)#jc*i;y2{gN%}UJqs<=y!-kFz?(F?q5NbrmOWVRh6Dhb`to?)pvhW z)B24++Q&LHtFE`NCyPn?=t>XWxwvB(x|;|zV%xTzcxZ~x@g5kW9fN*C$E%eLDf>{G z;5;1K{Njh#7hCB5muIhMLoPIc72DXfM*iyWua|ZeS-SvjjzSq=cqHz=Qy-}XuKcF6 zxCj;s21VDeUi~xM?}}w&VqkE26#4k^Z%l=0n3j(oJTUJmdF;{4!NCA*d;qY!?Uum+ z!`HyFY!SpYGl^bQ1-KCbD1vGgfB=LN7)(zvvW7nxaQkIHPEvGHoFO}P?iz0@Gu3W7 zzZ_Y1Rl`-y8053;_fdo@!Q-rPfI5-N10@STRO$lG+Pcdtp5rDa2U==R``Mj1@#WJe zJ;~aDG~**jwCD_tPw;HSeqH+GO>-uIf|qyl?4&%x+hFx#&Wx5;>e+8$SS$81V^WlQ zdv7#*qw3jbG-_8l*L4|e$yi$XVrtijX@U=dIq`m>L5-6hJkt%{THAV$APsrTs&cQBpYcqVbR%D z9d%CjMs${2#XErHUcDI_s9YQ9?O12=+g{<1s!Z!XoFL59{+GcM9V(`WKpX$xv>{)QKIxm-(%+ z-4_@E9m_%ux@6o2pmkq$-JHoGTT~MDYgZ9?k*yu~tpiM;)ol21Yrxo7|N6lw(RDWz zS3f@zA)K{A@CM)zaHaQ#B9;_{PmrvS2b{L-BN#rkt;p%p1( z?aGUS@>>nIJr+Zj+0$86@3e9nWY*Js>2~=@&t(>+lXPk5dYFWy`F_G=+I{HB@|7rD zXb@_xaG3tSnfxIRKEXMVHuM z^vGi*Zur&}m;UO-a;?|2R1$F5-g3p!+1cnM1U+=(Pkw&a7sT9E?fV*Kc8>npu@`~w z4~0V_2}LXVG~L~2N)^Xt|APhC*In(JbTAwI*_4!i0LMWZ+DAuNRO9zho<^C1qSgb9 z%jsH`%%uPm$RXnjLOqVy1W7e{EG2y8jqf~y9TCbsA{T>^A&?wEDJI+t70NPpbNc}z 
zEB-ss)V*}(G{^ac=wJR85YnYje$h0Yn_pb+Vx~t2mf3iJ`AR_FhD1oTFIV`&8Gfrk zCWhirLpI;HRROJs*4EaBflo*3-(R>0qo@^b;N{*IC7aEiUu4?&GIGTxMR9y(p@U?j zUlOo#0mU>lupnQoCH+_wWv9MAWJ>npB%mvTs}#S%GF(D5LAEcesF=V^R2SKAnds?f z=H{TAWrNR+8o$KtgSvVXgu3Viz`id$`iPU#jKXJ%NjMhtwH5HvPlHcpZJid7hU5#C z6p9y^Q)#D1t~_12klnYbwf1zuFO^@4YkfYVFv_`5Qsz1+HB{KtZcpZ^9S^bsY;(9r zikkGc8hIg*n`2pP@7U#rNqnzqEXs#)9~^Gejs^{OWnI`G`E6unhr4a7Yc&5wpp?nv zVc>Aj?NBZl197J4!2@VY-WfdxlWh&UJF-8a0jB_Tu8a)b+O(f_yKVyzd$V%gUq(nI*9mUQsC82}JI*{wc6)aB5df7(p*-HHv*7M z>2e)_8cG6$P!|JDhDCWmi!I{wQSQ*~_{o9OE5;_B)d^y?R1%O!`I6<67}{Q#!tZfPmCKqg+N zoP&N=Z;9*u{d8aYUWJ&;olHn1pJ!5E{8srLpi4qY3LD{k3V83xh}@8Yqv?73wkqAZ zxo^Az@KH@=R_|dGxk4vel@uSZNq6UTkJg_#6rkPNxIS0q?e4(hV2pug02pmmJKh9ZbATtu#Xu9QJ_Q=0Lp?YT~2m3D$C+Lj$DiGbxPE-Mf?<~Pcco| zk4{jUvOj<)x^z3C&wyx4q?M<#&eAh6<$ODO4&j|>Ktat;P3_W(nNFhUo&`1eUhEymbO(G>3A2OsOp)!Rsgd{`i|6AGn z{oe08{?Bo|9q-oD^Q?8R`@V+rISkN!$TgvGV*=@LYB* zBzU8BYtvO6R^FB@e{`nR5Qk?-LQIhf+PRZ)r|3C6WDpbqypPXt!|sghM^Ejsb0>y{VWK6pfDq3Yzj;*Do^Vg7;MIW7?3% zQUB6&$25DgWmLmJX%~*Ub2c^gh;%#JOaCswP657tcz7y?*=+O&i&*i@nG=^~dsYQA2#XE2 zZQHgjTdrVo&A!f9)~hBrz?+>9J0WYvCHFaW?$zsT`qPmMmT>1U#O0AQNsN!bqMEM1 zf66@LwUtYjFC04|Z21ePLt{2(14_X7iFy1y%*g$%}re}A>PVH#i7;W zzd!vPXC}R8S1g3?<4})?RJw)i2@n5txViB-AuMJMACogUoS~_94JQ+P6Un!jQZ!D+ zr@m$n`8x6jK;zdM%@Rc4NW@sh=ql|214IaecD6KcB~ZIeHc;fvDV9DK3)83fazOYD zb+aBZ%l06z;fZF*(aFjQM>7Xcd}Pg0^!>4D70@V(d^qH{ZhO`0*RULa5#GfuQIo0s zempjIK9(4>5EL4E0H`ICrRk}`80tMjO3a7y#oAR0Ist5bYSJJ4`IMGeob{pN!!@Fnmd-{)2i1w za_hQ8_4ma0Nh8C2)~y@k+qmyjTW48~>3{ElEy#XKO-K+0+w0A{lW6?-^nCo(sdw>B zyd!Q-M^^j1m3`sXTasH3`*urc7jn(O=%ZQbSSzatvkI7%4Wy|&exgj9wmZM4w^JX1 zmIX*Jm9g2VktvPTk#c$&9lSzjSVEG8tVTfeXOZR!3_!r|SlE2bQ+MFn7f46ZbVYqt ztNH1P`1pmszD;nxRL>4(v9=xk>-&)%x)#?Z5n33pWX?vFi_X*oZ)}kwB_Gbb(aB!H)Q1h;RHg5wy_%pbQ9lPfBZIz<9_4*x#y+Yv&N*wYCfUhYt z`@4}`69CtJ`$j-RM*W#=-LcS*vJor<d|Kb1^rW znBm`FGsMzC= zj8b=0m+S9%X6@%jIE#f3UO&rk4hnpvSG1&+|CCtiw6MLqkHobF);LSw$4ZZ%ZG($+)Jwhhv%5#`g_aBH)`>k7hlVgUnCw5bD z5cZ3qwex5##vM*w=uSqqWU19(z(P9Ozb$9Fe|Yk)@WFIDYik*2Q_)>OxQl43(2p#b 
z2@pz5Q^2Ifw=U!0_3*gy;Cy=LxmGu2;U%qn`Lx>Y6j2wjM*K-bp-g+e%;a(A-ArDK zv8%&9$ryTqsH%Ep9!se_bo$tnY#NCU*a5r*~6z}Lb|AdKGttc?MG`K?vu1dld9vT!JJOUwdVl5dB;xdM%tn&6ouiE`<_`23*v|#)BHIvm!w`(WLHcY?y8=*f1 zQIKKw< zzL`nin!mr?$?YS8Zhjr(V60Yv?!ZtAMa%5SQx88dYNNV9F5HdFTNUwiZjPWUFL?8VG1;Zrar zeWoWawq$fMR0F{BLDd%}X9yK&%cCw(@Nll1 zkFgp3p7m;ePmiBu4D*M*y0Ta0I|qy_SIDodZ1_^OB>QpWwDe41rGk6P>V;k69GGhW7if+546L2uy5?nG#t&dU6 z+&_?u-2g<6l9QP;p%cIl4whn0tY6!FtvI^R$b0lOHRJxijR2$t^`C}Qozs3p6NjDp z1wSk{PCn)EWQj9cK#@WFfh5=-NJJoYb~);!4?Xti2jML1KRlVaqM2(Q!bZcbLvz?G z-}Ty>@om_{9HLd{pPIk9*Xr2-pjd4konxp}iI_p!p@R_FE)NJd1(d!<9nf&p(_($7*H=~9P z0H!zR9OR~f-}_liFgNPmJ3xV{l1WV8-d5a70-97ooINR9S$`U-0h;7LYaXa#@J=`N z60IaNPnv$e%Uf%#J$f|Cpm z^g}S!3gCD!DT7O==byiQ>nJDplpNvS*ycw1ffY>?1En-X=@sNlsF;?Kst)hjQSY=6 zCrU7wTCkwZtIoBeLP_uF6rH-sbqh&?Gy~3^KaYsoa^@M)Rt@`yLVYAXbHQV0)EJOnl*oQC&jIm&tmVe_p zju*voohkcPye-t&@b&I4_D-2C@I&tasR z>f()j*00C-FE2|Yb{YgdLVPIXpOoCgr*#QvAeP4g?BBP~+FRp0Vq1e8(h|6JKAAbK zKjU2JT4zKBs?lgs@snoHyG)0EYhsTDr5-~pM;-u}6QDr9{ISPN-R@!BURPCx^%{A$ ztcgT##PHz{-1q0tH<+SqF`<_O2_l>F*}abcZeOWvJbUzbY;Y`2Ff&cI!{ar)|y53@Z&W z9OByercgxIj()y1r}=lS-xC0Y88fcMOjFt*<8hTTr9yY{^=L`DI5vk#(3y=du5~aC z^nd3WdoA(j)cRu!iBbpSqF56WbCyx;h@Bk6gx|%vy)ErZR}#zSKwua;wD|Vz_hK?1 ztyey@fB#9-rtMtwJj%bRRP{`IiNq-8yW)*&^8&)j@gF^!MOUn8AniJgWZpC2hW_5v zM#BOcgfYY%XCCS$6Zyu7hWZ{iC;-6i4~H z?XgpBZxs}XM)7HGjC!NVx8mbcrV{oQE^&$1b~G<9FlXs|I{Ltjj{?<3)M(cC_y8&w zL%0x1w{#nm9lgQa@hp!tboJcqclt=hxn)=cv}o{tufi6{YUIS$F^DGV#l_vnT>esB z<_Ffo!JW;V1Df;Y<>g5f83Ws6v?zW9tmK&P685LPpNhzoFsrSVbzm#h?4MV)znIZ% zYgaFA>^SwPJ!HLAW6JFigGXP8AxpF1i zE5QlBq|_g@nbXdEnW9%`6~VtTwnj29&v!09O*6x9l1$f{Zzh<8T_0uqGtduHm@`QX zumw|RBQ56W_HLZ$#wghKEUm2U=Y|Gl*A$b%Zi)x{>vR&N3}Pa#nRFBU6-?2}i1{7T z?_Hwpj-DMS^3iMd5pnPG57ljZUy2WtL8akqU7aWkt6ko?vtqbW>y?*7b^QmEDS`(v zK4?g*U-P+jJ`24dRqDwLQkh6iVO6X8V_+K>=cD|uRlt$cr+v{~Lyd#Ct9KAgWHd+x z2iPa0IZKMcw~#R%H&;C+`_EsrA=G#bp9>q?{HwCLeMJ|p$KNm6A^n(Na}zN%^)d?0 zeFD(1Jdi&hU^3lX*W+!~w=?a_% zVqvB(=iEwYs^Tb;AfGz-rE6SU#p4MHW}m`@CDDYncztJQ=XAedf-gbv>D;~hcNEf+ 
zVeqP}n-pz~aQ|bDsTf%(3mM&)2LjVOtw@d9ZEb72U~qSSyKjQj_eoUR1WAWE@3pnN z%SrDUWb$0fKP6z3uHc_TD#lBLKIO*)9z@~SPj-md?OR)w1<{MO@?#gz*}czf(U z9qzzs)aI$5EQ97ooILx^7lJ6XQlG+}AWWY$-tU!<59}2xi2w^mKug=2=BpGGrIQoW zUsV47@H>$g*Q~aJZ>k_}WI|APxoufl#u~kuFjr88PJBjm6{FTWo1zEH3Vz8+K5}H7 zj6?3a%s(r5sETqcI52WVsNyW^VYvBPsIG8nENKlwcms`MMq^$mHw+&!0vMICe&c4$ z$n@3)8m&jDmhu1`^T=&Yk~)zr0+tP-&dl4 zhFIN^kYlp?B+&%Z97vo#R3r06ma`8-z|jU7QCAmLk#>Cy$w|-5WHQ8kOfRF=w9A!+ zq{!X7OY;2uV7Q9fy>sX0-rs0Fv77KrjY#W|vBx~7OH%=H?{!VFBw~+FqNAX0LU2Oz z^9cf(kzsI^jl#6;f{?HuDg?*_k!kPp&i73pNL6n-(N@@OwO@b2zH-Xcg30T9ht<%~ zD_>J-nXMJKbyM=!OPrGVFx=SY=oD;Tb45IGxMNfjT^26}ql??RWYeE_u^mZZcyj-| zi%HgijEz`>T^|FHgtA}92{ReIc<~!T0^%Ln3VHFQFIc|(M*t*jiYqjUYigBeA=IuE=pnbhgFL`r5G&&~hLtKM3Z<(-FU4UiZA zuDd>Ozq~6lR99)>rO;%9mg|?Wdu1k1)lUoTX7RuOG9)B7p`BqkJHW&)oVnHtd*>`_ z`7DKjf`XiQd4J!WVcu(Z2lidrMJ@sCpA`{`3322b`Td4-Eh7 zf4_x~Xw9u`)?l60b%)=SEckap$dHAA2eo->9#TT?`{JM%|TfIN5>KZH6-1S!{w!6cQ?oKydE6`3zW-=obSqXGWh zW@y?A$iQYYpTB%rkX}YHE+Cu)>C>Mt(HNR09{7yMq3<~>1jCDw&LmmfyeWCDjpZJ; zrv3EkkPZVC^xaDOR@jRV!+eo5jHR}<+pr2I?gf%B$xeBP6cmZX$(R%dDx@$jLsc~f zSCdxuo}UCc?<;a+vXuU_D9QGFBaV(DmEt5))Pn9&(t}$ohSDhFrQ}rXUs!wWdh|H9 z{;$8>A91uOHK%&kW)+9eB3tyw8grvTgLeGadvx)MU)nGI3^kF%@wlYK3;of?3*zEU z$*tXd>eRp%N(o6JIhuCB*V@X%|Ml0&52GT=(Y2;(#C}%l+SGjAxI5Q|&C;26h(tFz zDd{`}6bQG}Jp-~3i6VdnUVHweRbgM&^IW>JAVBN5dH1dn3Dbqq{rLXq@u2oogE#lA_$--;s)tIG)T2!#)3A$vRH0MKN#T)4%Fq^2K3WYNMqu}(XSj#q^A8MplR!i8GZ7iFkB z39TIzR7+Y;`GJy%YuD!4Zk-hUu%yHyTT3Xikc_~QG1)$9M4I}H#FMi?2#6H~*WS+J z`4@yltqzJN@?x`U%RdK<_+w~Ba8xEKi6_9nt zFz&nJ3TY%dg#itP1qCN#W5@O%`Ql$LfWJZ-RZ}vBfUR3U8zE-1KkpzzlA09fq6>@1 zkKIc><1-oh7o&s2S8dCC!~DqSd7(@3k2wv4iJcmq!bqk+`JM7*-~n7|1tG|^muR(v z#%dux_+zp8yMc9Mlh-Wk#=PO0OWQsec+bC*-eK6n+*49UvXwJhP0M?}Nq$=Y+nY8Y z-s*q4y>BOW5Fug0n~jR1;3KW z17q&8eED5J(6`o@=_x&k_pbPv&pWeEUsRzymp(6JDnxwELb}+5w;Z z_Q+@uEH<`#`0f!TI{2|kRqKqK4E6P2jAe2~xZg>b^?EgqwRMQk+cmZRk+&^C0S)JQ z)eiG+?Jr^+MN?~1q90jb7CXN?x}@f}LHjzNLH>!d`x&*7qH%eMpneZxC3MCYwYAe0 
zX2(JoWOrk5ybK@xgnc)5zyNo$rh4gj>IXTaIXOA@ryQA2q08}awA_kEg4Mn1oV>*kH!bcP43l=Qy z>eXi%fD#s&MnLyEZ(LskFEADOg@AbLw#J!6*MBTWm0UQl{*QTZ27y~}TB}2V0(BA4 zbq2~HIcC|=R!EqP!W`m>Xaf_b#g7#8jAv>R$)q+|@xrb+2Me86LhO!YXECL)8rQOa zkL*Y``#=Br?Cw0?-eSK9K@`P+V@dlKM__7huZel}KL*i-;DWW2YW=@{$?p8`Ut-P* zyS8lQt)az_L2L-*Ky$Z(yFx z?hR8LJ4Qp}NSPG}AmFw{Ke1UOu8r_TEM))3w-D0yL=Gp9DX$cD8N_h$>mx7)5gzA& zb07d;Xk{T`WXRaAXW~cUe<0f8i3uoF%Qv+z)8e-LLzA61+zDMu&Xj8iy1Z<47eUhg zzi(o1^i}x|9pH!aQ!4=7YJ&^1g7emJ6$h-d5RMO{n+FEZlv}~YrE<h5oZ6WcL5bk^ehn|AOw-e{Y@t?2cwz6oRlYhYn4Z`8&M~N;q*C4BHbk zW9-I=Uy6hDKgLJ?e$!UYBe0d@QHD-4VSzzyAMpk}8u^KGON}m|^+eAVj}%(XZi_xg z9*8*&iep#mVYC-i>F>YYEiVR)5To_9w7#Q|VB_VLfj~M*lU-z5Nu@jwEW?!f2-G`< zGu(mXaP0uXRRC%xCxeLF&Yt~?EePz1FZ|x}f^G<=3YT*Qf}vcw;`arA*gBA*5oNT8`qaVzcR77h`uuWS&vdO z4B84svfj?EUQM932y{sgX!P#g&hzIp+VU*!{XO(XC_A3M(ywQ znN)ZO@v@xS2o6BS4J>7!K7C+KaG#ZrA4gxmt|E6G`{noRgE0z+;0VL1K3u5(q=Z3 z`!}kHl)_tTj_O5^rD!jM+x>&W9K^3fEIZ`T>{XV0)dIVjH$Hz|>Jye;Q{&cSWNX28 zGKZLN)prFSV7r1Z5Ko;;yoW%cD0GaOL_5Cx+{*DK$0Gv?Z%ZPSU;{pXV|?M-cI9rq z^Ulmy3H#kjs5V>V9Fse) zX|{nm)mCO*+y17is`!zL5bj8rTj+)u7Q7+(?t^35Y%hk#BT>St%W8;9;rCRowIset zns`18Ng2h4MWzx4_g(cVLjRqXAD-DK5UGL7@v&W-rXfQM#VBlaV-F&9q!!VC1@03B z1##sDn9DoQopaT(+dL-bGSr8RL_A(h2J#<$e$H|(8yiV54>c5_9E=8f_MmnQFPP=A z7)@Mf=Mp%}codq!k&B`65*~TTmm~uo&PrnVNJ*-oJ{}XdTTp();7JnjE z{aBujL=tSZY}vug%()?*-gvsc?;u#{{YjxE-D@I6N#LQ~<%S&2PD|URaM@X3R)eDf z7{-fl1dE0&`ns|hbym(eBm#m5UJ{7~TbCDY1oN^OT>~?!j*kMLM@bBtVl8DYvNm2= z==L2uej}4lofYTn_9w@R8`D7n2z}Pgo1MfXHm~Vf{#}D_?Suroe{F60vzYae`qdYT zZA&so8ph1KEV*+Bq*Xg$)Y?y6jHaRCo&w|HF8E^)4-a?uCt{1!==Gv}T$wn=oz_}H zBn@W}(SUF<%^9zR-ZI3uaV=v=2tnvcrfPi@S;mLS z4w@r+wH*Go6zJ^}j~&Ac8xxY!-O;%&N%TIRuPlZfX8tVRi96g#lK>VBuZT^E8`hcA ze5J~>_UVuKYuo*r=9n#9ESR`)U4`v)ed>@}xl1J{A^k{^3zH1M#xSS{^%qS-EYz>O zb+$S-uxH1HORdJ~P2P;b`g8t>cQZ`sNeob+#swnwlnF2R&T>#8bZ|dBO5O79TSSDC zYPXQ{9!>>$TSU0855d<9qC@>>V9C_|#Nj+}q=V*kbjIY-+(Q=w^>Jb!R}Zxon`Qbx zXpO%C;!?1#i#m;M9K7P02@EiRP0mpm`4m_sFa#jbUaxlA;{Gfz&pmOXKe+6->oA8H zWdh3T>Y*YCj_M;uI6}0%a%KFd<$>J1Xy5?;mfa-%M 
zPu3&rs`x&k%^k$waDpN#dfrnzml?yvu;OD4*XB+t>CWb{Gbun;V~S33MMV>B?7a+@ zSOelP?LoVIT+(2#x7P3{h)(g^QP*!}wo!2y@?ym>Ril86@1K|h)M8{i;0c|taCBxe zSCEW^yD$x8%nzEf6f`E+nw;{swzvOl*otRisJ>U`G5Buk!UB$V=ke20syuE-A3W5` z{~>)ItrB`g708n^$jKp2M<+3<>a2?!e8}ar%k`36mMz31 z9faP`IP&Dn=r2Px6&a&mUIyl=rbJo20~iTX{A4Lz(4=&vUZx)Df>5YG-Q50@mu^0u z`a7ez=!42UckWSs{&V0~s&wIAJDn||I)V{2|2EFOqxqkuHy5XY^Cpr*2ykm&Njeim zSvFW)hxJd>n3A$G2_e!__aEr~@n|d89DelT3YOCKy_{e%khnbIEcqk` zUHLj)$`0)jclZb_7*B|&TnN)_aPYDr zNCQ0nvzl_!la{nHsl%L@WH&;B=8O_kF;goRa4_M5)|JGRc`$>*mi^DY48m)v2QV-M zlSO4MEiBuIVOIUcw+t|nlV13?a1*Rl@X}wuYUOkyT^B5P`rhX77^R$zF(d^Kmn$o; znfA53jUYQ705+I)#*5O*M+@#u3Mf7-On}0=l*sYs_DhHLT<+~nwztf|!NO*t^k2GCFZ6s$u)IKA>kk97VRl`e`O zyO<(sQ`Y=&bki4??gp!6g#C1(#&GfCN8-bXO-wxF z_Mp9Ebe!=lDZy5T^WM+2Jm}WlyHhEQ`M}i-P(aFiUCab?d%2pLVWp?9ZK$5Hj(z2L zHaWt>%C^WZ`X`}d%OCDKe0Z9SE6mS?k(zZM85kym|2~rCKl^6cP?U$j6Tapfexb0w%HE4-Et%5_*`F* zYQA$d%&D?p4Z{g9!#>8JI`x1W-0UY8k58Qtbbh^{t}R-FZZL9q@u*mF$+wMRME`Ka z_@}7{9(`GVp#7O8^a_S_Bh=pu8F*mGHN`qh^gxz0_oKVu`M{ywUp?{I4oB)kNmAn1 zueZ$`)~sG#f~0@tyiSBM=eKf5x^k-mF+f795FQQ6bI}q-& zCS{K-($vv;4Tmf2*mfK*vgP)t=TtNCvt~KYUYe}bud#F8p0MOusf;P@HISg)Rma(U z@3`MP*B$R5Xfgsm2v~&(n(82*ZJ9mN_DEu)gl=TqcYp$x1<~$ay?QNNxN!aY^*~YF zkVW268$@4igUp+g6e7eG=qm!N*IKxrt$V zIl4H%vz)XpSPZ_Bx#gB79GkhhpC@eqX$bcRZbAFx(*-8dQMsptZ1W{3E;)GvwQssg z#Io_VYpC$7U(iuWT;G@1eTrro(ZjUu^fAGty=Y}~8Q%<-g&>WeT@)2rB+dD6a0K{X za)zK&>vs{?zkL0AH5ClLuHwQPhW4qcWhs_~zW@C4S5EFmh+rP0x8y%Mx6(Uh-ot@Q z>aK-E`TC9p#f!~U)Yl4$E)oj?@a>6@KEdIBShCc8e(bd0BYnQS59+db z>Y-6FF)@qh$2!fPT`)U78N4v|@S#IKFRt!~s4*vZ-Q0;2XBSPA5zJ)7C?)#%ak{9E zW@R;SHF>lkLF(Js{JVh`S;E`xS%&dTyQOu%{I{981k8e=YBX|U@6#R@=gL&Kn$ESHkLplPQ@ zu2G}_Z7Rb^+0pu*7uJsKC@j!+?j=HT7E_4b=*1wKL~(#=Qnh0-AYx{brfUQc0-6^cR8k{>q;k6Q{2Xu# zz1+^z3z&(EuRoWa9sGQb=Z-7SzyG33y&WcVtmM8p{blx^J1%xfE7|gd97eNe(9lKC zlS0wiQzK$d-EukU=4$9CD`3s^veci~E=co;|xk zTZ%rp?I0;Sefmr^H)o_w@J}x>f&?ABd+@5cF(FD!^N~}_4&T`M@<%D-Dcmb^97;TK z*!R5@gaj%4@2RUqxIvBb&Y)$YI5HL#NFO?L;Ln9iaM~s|HuSRoTod(y+N;?Jz=x@S 
zz=xvK2?+rTaYv45RPP9ULIVJ{hQ-4U%$+mGY~3Ky;oo%5K0lm7oS?26kgOHLq0fjP zR3~DFUK6i|-E_u~M=G$3d~6N_*n^DxgAlk*+*7&h-sBw8W*H4&m2UMx|C0_*vR;+? z#m+ax35*TGAm0hgooZ^o>@I*r(yp$4H?9`iPm|x;L2xuCtaOw;@rjPs2m%t+{3bJK z7OPRxT8v1Z)xC+s3s<|{dHi@+iwO{+KC%6le5$i40V2GIo3YnFmneC}y{r{qdPQ~& z1*xX=ee`7Jw-5D@{DlPTe>3Dd^o`oQr=snj@s9Bkbm$#Co1|N|D=KQD%>AMw#cBuZ ziS}~Pj7KcG)jQkKy>edEzm}(P(kusue*ODXWlJVdDT}Gk)Fl~r!-=O zckGXxG^Am1rk$X^RZL~ISp)K4cxr2Lv5XtG$Q}uo)rDjU^30#&U=o(_?Oi1`wP`Y) ztNZmOh#u$S^6*Dp6n9=6dG_X9+QP*&@-LE9Ts2|%-ff#u%YMz?lF?u-IMjz2XhEG_ zlpYCQC2qt31-db84DRCEh7hBtWf&ZXm2PN6mxO;;Q;c2xr*Geyka=e;&_yP*M$F66 z3&mott}YTg2$`NLA^8-!f4~7y@lVf6-CXfxCqCsBt{p>1J>S6SNnddjj*piQYwe(< z^w_rjKes&^@Lzwy)j%?25pW0a+x0g1>Hi8JYQmyW_2xM-%DgWC6G+qd_H=K8WG;3~@VoKVHY+u?9L_%;CyLu6_^0 zx#^Z&vSVg{h6%x)9yV;>w!e(qv1a^cQ2+kN-Z^3Xo)r_N`m9|`|2bet_1m`;pJtAl z)pqfuJ*zOd2=P`;m&9Tz<^%w9HHZgxBJ_cJGc<*xNU6 zviNT`zsCE;#p#RE(?Q9YLLP#VV~Zw^NQ>JRn%v#%{iFPw)v9bnqZ|788C?2Y+KRz= zVQJ4|qUYS>(!vl0d={s3e=4~rP}tQQH`e?3F!oCJ+pCr!V{(CCxnngvdP^qdt^K@! zwWc=$m%Gr}xvPQ#HQ;_53LrGYEn>#)AdTLr?+^fGtj@9IX8*u@FNPo70LZ{-3VYX8B#o5w!ksw zS}+sY7;hkow6djWwqfu5t|`lzoEFQE?UV)Qe1Kg`D>GmPl$Gr@H-0D8oS`T(Lx9u28D#ITD_Wis9q~q4qx%i|McluwH{ZiJjJ{J_TB-soKAxLk$rS@Anexx zrz~2usH6vJ9+X?qgf3kodDIG~l+{Sb)o>&fGl3{f10y2t1Jw2Gb!}b0X@Cdt13=t- zw3K2aFgl2}k%%20JMGxXJFK~`)5TlN9s8N;`W8%yBpp6W$#{wj|XW6%U9PT*((1VV<-2!0F6zRf zD!c8_d3X9Vc$WebmCZOlRzYz_I+q3k*b##b3^t%_>N+?)7wq5Kx{zn=U~O%(b@kfTBIfkv%NLS2*4k9Y zBjeWC@ZZh*H8yo>^(=%K`>5}=6{*Vp?^TFksUhd&=895P$W!2u!Fp}t&4av#F*;-D zpEeMqm|jXs+OPWVRfq$PhH7114Wj)EPb^ZXu>>f@(DtMi0Q6uF4T<5q7(xcnE<0Nk z97v_Bd&2R>2gYpNarz-0-2HDar^FA+s$#U1>GUdkOJ{nl5Yw#x+cBLZmmL&jiKd;4 zi;khzWUFE+|L(CnC}_BF+ErE8V|F3IvvsLBL65vsP~Z-&j9C5ap_4SQarQaYfEUnH z=vwQ60DXtYv~!q_18!DB^gRN;s9Mps8^Yf)9PMk=u0wu;z9<+Ul%TGF!4M~*j z63AihdC#ql-`m`Q$Ec z8)|%>o?i%^De*;6bv;#Eno z2n6`KL_DFf6&m6DJ{U2@+{a7-V5fGKck?I%(1^wlJ9zEZ9AS?g+wt zf1L`N!C@i(;yE;Mr*xKIalUnJnH}SO!$OnaS`SV8@YuERyDjNgNN})N?sTMEjrt@F zAV%I%j$)bD6I7RQqvCf~;>}XA{6e#CcDCcVaYwM;^tWSM&?*On-j(~~R03(9EngcD 
zPIcn(?7jEYW(q#AyamBxD{{UrwSAxHV?-#3C{8F4)E)jMk3_`f_UW|L=+R%(A2ENFs+a zqD6v7J&HTTTqt043lZBew<$ZU9CiQ@kcuR|FZl?Tl$GIv;^uW|;buLBvlu_q4U8Fx zkcdR)qgWmkdecgR0*T))K`=RhtRc9Wj0R=8oIP^}t-;BH37|J;Jap)j^Q-!J+>YX2 znbAl}06UuP28Lz4UPhxg08sSr4=th+(=07zU9Dd_tho7xT$ZXKEyga;wD8-M^Ol~Q z#^n&krNep$BVtr($%Ujts6Q}IL3F5yFJF3| zAKUn83udnN`sl_R_RQGq+Lb6xrm2X!nQ)1g1Z2f>7+2Kt2({X0=!+~ET8@4u%s*71wu({Ge zL6OYPe@RV)>o-H61KT4ha1qceEQ(=dCSQ>SoYCv#*{*|ogy98hhDi>O+j%3tz2bqX$4|u1sGKa85pKNv z{A3YFK+~3Pm)Z^X_76E6>^efHWkxZT7fU2kCg&1i(kfNB&SGX4U3!XLx=^Qmu%Gnf zM4Jo%-1PK1LV6^j!rUCs%+DvN8uiybewrciGTJ#xbo~~Dg7kPn6ZUnV5w?QDH$Dpo z)8>{O4#@24^A&3kdkyQU>B(NHJ@2)8H9a#M(d*PC`7A9iemSyC{oc4EFv%`YU{w;| zMr|W+vNG#7&@tgKXD;>02UskmHjjYX?j0O?{4SWwI)ZrnlOmiaVx&u#%9T~ol}IEe zDl#M`)r|bR<{{GL=pkk}o+8Myb3g4nbo_<#K@@@wEBZY6nOeTQ^bK7h{PrF}X+A3I`8#n9wEvjqWmo7j&E?eq1UH|^G)k9w>X+QUJJ=Q}%oVR_zNa??!yyuRfG?DU)tFqor zlz5>mZ8SIER<;z!7EL0I5rVRyaR1pPa+2lCPd{+8nmoCL1L!7&*f*4N;?U3%;iW zu8!rZP4arXLGjSEC9bBG0Vrm0cc^a$R_RZe;IjuN0Mh8BoA6-I2Z}jnT)v?dblbF9 zx|m0N4xsg(;_8wZ!ZkBz-~n<~gtHC@!gc%J%g8!BKjtU;&zl3G>|Xz{`lRv0c^5Z0 zc+{^Q1y!;VPap}xzmC$@u6llD`^88$s+EPstTboKPjAL+b`T!p%>8~;Dc5F2wl=Z& zy{m71$4AV4v?|8`njxriDXWwOR6~;#ue1DVS4T3nz&RII-)VS3mAkWz-jnW~y@lAnG5m777z_H1vk0W&F#y`GBW#M z3IEV~)SU!bJa=_pq=~U9-P?sDujs1ZV6hD{B<<0cf~5uR}em zSiur*ij-hIwaU&m=UvRkZBxnf9b;%Xqq%xx6}9c~y?c#_zI}6Z`cxDao&nMn+o;ga z_4Qzu#h=Y|csYh!GmVSo#d3sLP|?hDXXS}ZT?~4VtN&H~eR#+@ zn^m5R7B5D(1f2o444pBxgr-I6SAv{GEtbH2cU*oS_pKsZn|5f_`T6;qpLG!hzo^*2 zwQg;-mwilEm~~!nltJPX5}c9w;GiPrtO>rEld|Ug9BvozhbF~fuN79sC1amdsQo6} zJ8=wbPtyEQf^PYZ+B4%e%cu z8LwZvd_EC@*t6P@1!kOnvn~w>m;O0;v7nBD1Tev?)dlG;mAy}Zd{JTtVP^k!3z@Jn zvYLDbNQ$(joSBG+p0`!$UFehfD5Tn|@%C<8YbtJL0D_(!Z%`(P z>m}o#uTi-8#h|DG+S;gxaa!ooYnT1#LWqY>x3`n5iXpfF4x&3V~z^Cz9kaZp2uf|u*>hnGa?_TVN|lVA(#)WcW~&&1;& zkB5w_Re9@zH8imx_BlZ>kGuQO{ZkGPD*JsW`p z;(N&matlcM7SaZBd~vE~5u=+cDo)qxb(0xDKsxpKD!_z6QInMlq=dMWSy@>ZEf|FIMj2O|TUlk;?m0qq1C zfNzgGx4M*90%rl)8$S`Y4+t=ENZw)AO)$&7lC9kfe)rx}0b!Mhxh$$hcm>Y59TVkU@)6v4y&9c_iCTv0)dPI=})>?xI=$VTS2 
zRNRQ5g~5RlFnopi)|xHOA=ZpL5&Xvm@$G`JMKP%5t=eMXBFIhR!v&%HZVT}b|9zP# bG`Cu~|Mif~#!sBYf3uu0)$FwC{LTLl(daEh literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-agence.dia b/doc/pics/e4-agence.dia new file mode 100644 index 0000000000000000000000000000000000000000..15136808b1d21ec45ac79849864418cd052b42eb GIT binary patch literal 2281 zcmVF!>%X=k(TUV12r zme^3FhNA4a7k!@gIrha0fb?2Fq%DgAV|JmLWI_eRA;5!!gAX66Z@>GpOoF>8U&mQ` zH9!Ckf+(G4vpAh!4gUV~_m^_;-Sx${vpD=l|C#6EGSFwFYjbopSQN$To6+e0{vIR` z>#)djki;9Xjz<3ulO!DJLZiX;MG$OPFbj*&d{=!N7DXOUHboSq;WD}!Ov35sd7f?3 z*`O>{m78WsmIrrXay58&Yd?cgRn2Ipo@eS_h4W~VN8#t@s-gZUbxPH%DBrJkxyshD zE>b+K4vI9?WB%SMQzgBxOfnATh?e zGnkSJ3M$ZJpS&J!(k)!lEnMC$T)e(nWqFZ@ad8Ma$+9F0(-O7FH__=h>uH#1iapn? z7Ol9Aiz0jB`ftNzeM|$&uYVhDuN}GbJf1y2aCb^H)N&usip9+rN8MG{{@|$gyLcT> zlBn+L8EJi1&ZVLAw^dt8Z55KfEu?(t}=Te8VNqiIpK z_frw3voN0pm%)eZ%izg|XcH38t_FXFyZyD_LS31b!h;T5WlyXEoDC^}Y`+%{HKYk( zGTE;`*DVOsc@q7GF{ERPhKK`x8cvi%%bRJIr-%07e2uXnR!0sS^r#_30Rp!_v<228 zisy@>84O`?VpGA_@d^ zN!WHRI)<-$$nEkKIpnJVLT!KKi4B`%`7Fv`Y8nLSu}xG#ggC-)Vz4xM?l_HZ*2O~- z?E^&VW?9yLqL`FCyUD{@yjefjVHmQwe|1m1=v;4Cj_CIC%#60-)u$*McmH?ni z0B~yo&}1GW2na#ar3i2{EHw_6NREjF9O*+0IOQk8E~6qGykOF1@w9NNHLW}E7`?#& zbGjt~!lB%p3Cj-5qqU}`j#@BdmpAz#A$DUd5S|8c8z;#T5W5kgzA7d>aQU_Cy;t>L z60dF+Sswo@ON%ghwsCt4@K?iVjV$7+JCOBeVxkn$;N(tv-4yVBoJaRzQm6i;t@>jD zpn!a+fE18$hZ6wSmP`waMiNwUHpUVNDd`Xq4Xye+1)QY^k8+)WDFK<3m@up;!Y*AW z0TA)6 K(&jWrQ*xj#~&341PuEdmL!nKCl8Cun zhifEcyb6a>jFHfuj1V)bPG9Q11rv6b{yWZuafqbAiXbSE;7YkQVVDV~l!OWqqVJS9 zVcvv!6Xs3W*D+yQWfj5POc#0$FT4x$F06AG_CutdfUf#4SsE9bCx7@QE*62^C;elM zGh=O?nE*%7LM#nS^lO>Fv@y7~aiWD;=jUmzF4U+cVciaXEBt$BM1SJ)eIo%=g zCd`{KZ^FC@`#L5}0&J!Q%(tfnZ@|0(>&Sq;4}Q`ASQlZTjaH50;;kK*NedA!b0_sO z#^#;~?X#$`E{j5rd+f5>blGtRi{kC95bn}oX{)I3#unVExi#K$dCTQx|4jMEf7bV` zCIMNr&OnhsAVG%+0m=n(nSmk!=M@s7WNec6m^so*Y;CCq0q*gZN6q<7M z#CX3RL(|p%#ne6X@?52+X}bUP&0Zg9&Ex+B3r&y8dl#9_M+%<)S3{|ThSr>ns*~~V z$?)(QlD#WB4})dv%{u|4KqZp|p)NP?G!jOZ9GH!5<`Kr`kYl18Gq|yp^(j#paeJMD zvA&U*wjuE|Bfu$(Ra+L@kRz4${wkL{&fjiP;_xU&CSQn!`VvXw%`+5w(8u&Lo-I?J4FslhuGAhHV$ zL@D$d6pk?c-AYu)85oDO^!n6CeQN*I4h1$IPK3)fodtnF2+T~Z6iQJB;c*}0O#n0M 
zty4#fx*9rqW$L3cwa!|{dTpgmG{!E&;08kiu61Zk7$DZR6VV4%LdqB?36S(xBN-s}+l&97yo)`jRn82KF(-{!0Pv&_V%z&`^M4{-BKEdDjx~^+|s$r!Us6Gl* z`=mq$Y>EhR`VQX`MKA53ktp+iESoaL`XEt&`80yAbg7PvUYPnQOy|foRRY`8NM)gsnT4xfQV2}+&BA2=F6$%8*(tfK zu9lBpocbtE?SF~~nxDv!j)P7miYS9l1OurN`w?>bc$viM=R2=W9r>m@I(lj9qcpY7 z5yt?rAp@8=bxj6@0*(=pV{BeIBDn^oxEGmDpQejn|GNx>A3l8;{fU|v<=7<6;2(ec zs1K@p5@-vkk1$015~@qgea>b_?~kt`u-CG$s%7P|{c+Fhi=AKpyuSD!J=TOeA$$M; DxuR3S literal 0 HcmV?d00001 diff --git a/doc/pics/e4-agence.png b/doc/pics/e4-agence.png new file mode 100644 index 0000000000000000000000000000000000000000..9f8b6a1b6ff893eb6afa58fc22c7191f8b81632b GIT binary patch literal 16502 zcmc(HWmuJ6*XGuzUN%$eAoGNetfsrBW_^td);fTIp-K-j`ajQlb6KDBgaD^5ctwkC?x~}n-uamJ*!rFw3w#wWY?%$2}2IhPpA4W7Y zQua%__kPq~8xH=i`Fzoic^vurUFRI;*7&Farf5B+A6B86QAKtvQ_Q?W%a3sh<#9so zj~;r)of{vr=H*M-O!Ud7w>@{OojP4Q1sC}IHxo7l7X-S*abO((T>5xedtQ`H8WmKS zm#Xr22nj>Gdpj^MOyvj#FTmHo-qTm$i#INg0_NL-cbqW~Gku|v1oM*MauVi?v*=&U zXEtE_FkoI%|JQGgdEiWZ8OL%

760lPd3?Zpd*BFNs>nmGi|n z949BIV)gMH<*c*QV;--jKr)u2tu|J#!?|d)zD%xqZXp>NnMwEUjwB&B89HKITwEHO zDtel*l#=CsdDL227 zcbAWEWKpI)rMS3fY)tD8A*F!hQ-{-H!zLW8HR#qlIk{HU88mO{gnD2;h5*|zBcX*FRtJk_Z7#h+}d2nfT4Hjr&V`JYV zme$wTfAYldZm^*3pC2iY-x{%N!1#uW^omS2svp>xnyQx=Nq?XgN>?&7HC=R?@-We! z!MA}~7fH}H{1tRJO{d0jU~tgb#N@+mjwk1Ptu;E~@v)$e2z-oswaamDCRn>E=g#kr+<3`4KN?~E=$Os=BTd2kI$4Z;2^`#}3nP0*4 z3AcU4h;H3tBo06!6`wu(D31Yc&rYnGUsMgU@F02?!LVr4LW{r&gAi*C%U_m-C8<6`wx6HdVV=w9p(% zi{i8x%uh>8i{&sW@mBYuW!3(2CsGC%pZxXqe23%*>W&0H<)Ok|m9zDl4dR}#d$JE6 zJcwe}KoVY-PvC8=-1Mu&K{OBw`Y@Q7m>^rbx`s55c8ByNQ7B#k0XJ9I%#4hj!8+TS zU*6t`08}qL-%QhoQlzg~XjIf-o*Jv0+i^of!$6)I(_6$|VObfco}M0TuspRQA-6qd zjgoYWp+fdp%LeZYBO@cNr=EKwCMY^mJRw2BOoe1!UERWw3XM`@qMnkMZ9xM3<>AVT zijPrydwZ>1Zu{%^kb@6|Otu={U?&PV)xG-dbJh{}`tS5(B)Nd&Y9MQ!6e>10HaBBs zu;A+T>rqm4ckkYf=dn?pPz+ztUeSBsx7jqH9G~0Ut0XBY8Gzb4*fgxj{QUVDGL)B} zKPocPEa^Q=5K*YVzrXqSv`?R4!EMIBq*jLwNi#io0NWE8nw^s3UC`3ibu$3P9-E(? zo!!C_o{%tJpvCh>w83_~C7c0fdUkb{IlRU1I#spTxo3xJ%iPxN?CkWkzJNeYN=iz4 zI$f2vb#u<(`=QOKs3_vl#6+s(zP{H&`B{6TBm=qJJC8TFyCZ)npvOgcHM zScM|pTwI8VjFcOPZn@0G;XVLT$4dnT2HXA zFRCcWzkE5DmFy{l>Jr=zvU?j76SF>1V_}`Ye6TsQzP`?&kknrvdlw!{0wozj$>)CX zh$xs^NK>QCcIFA0`RoGbBB0_|agdZtvM=zuuj8dHRGt&?;R8eDw8K(w28z?`%)KD% z&+qU4agBWt9|8``oUf)u$$V}(?HL#tpiSYIEJIJJvJ{f7n`2|yU&@%7-Pf8~Sdc^s zIIZUw7M>k0BufU}N_Dxzq*h3m_T|f$u&}VlUmuJ=f*M zM5TYtVG>uUFdgR`+Qnp(%xFE&STs8a#|TFg{8M9PQzoMqG9ZD-$>+jC`O1@uE?aFK9jY8bv0nRJ2R0*$kQpUqWhzQaOG`^`tI_oO2d6j83na_!vvYIbUt4t9 z+Sy63cOt~R&wOKNRvZ8dI>>8Y|eiG4~&MD!S?Q~kQfo>`NkDC-^q@#Idy%@q3L zukWr?@qd;$6;go7(;D8l`976V(VSGiHd$L!SC^E5G!uIN`tbWq03X!aOnWp7-nb2Ys;HR3V zf94X*(A`ME0{E?^(efm}=PD`(hljrY{uEAoydh)7hPXsOo0>{L{OC*+h!-R)IL<97 z5b`+UT=~8@TAnu_b>YH=^vZ>nhVMMD;$c@UE}A0o2na;n_VUk0gYx_{?iI^-BqUI> z-&qKFo;h>d!JXYeqYVEe5?fJWrhWwkvDh_F3MnWE?UHKEtgUry8JAV4-kh;MkLR{RrZqQ9 z4Mc{9hN8+`wvE@j60&aUI{yX)c6fOB-4Ea5?0;@9RRxjLvS7^B0W}X_T!ezJM6`raJQA;jWsn+urK8Z{M^kt?|h@r5;3J3u^f3wp*Q=sJwX=`r2eEm9E;7?CaPr%;>U2NsO&-t2c zb8>Q$l9H5iUQai?srHN=Hu?vuiiQv0c#`t9d$Ib`8`Xe-fcy9F`}+Da(+-SkSHI3t 
zE7E=Q=FRG3I^YJJG!!Ja?8k1KHHA>oN`{o>Hk+*u7n^h@@3*T_)&gutBeb!WJAD+`BUKJOvC9lIzS`~2`J$SEkG zn7(9>z3qsL$ix&ehGh4x+WpDW*Ww5SbNjD;f#%lM_W=QXE?Y*fuCBVeN#-X%Y$^Zw zu&5!}<9NP*egu%<CX zFReu>5>xv2zkcnHsY*`(Y962fpvUNv}14%2D{T0+;I#zTj>A{-3MlH4{90%dC*X zQJ*Yd2q15u2bYL0;^1gk*-7w4u_4s&lJUJXHrA}Zi$IX+XC`5|=E`A?j;iWlxy2A< zK3^!kdbO^*-KpY$-iL|^u3QO~$xsm7{BcvyJ(XV$r^$9{X$fNA@ztx#cz8#U9U?bx zk6A)(1y&IOzbbq<3*qfI_CJ^Zb*kLa{{MxG@5i$mtc{lEqpi4Iwq^k^veuu3 zp?%)I)%d>wwiV`PKYbWvE3ps_?CL=;T5OZn$EyH>?*AZB(Ejr34cc{gIWj!letTZd z#>S??86ayyLIR{BWVPK~D~W<&s-?Mk*rsndWKg7huc86Opk4j~s zB)dUQfc;}otjOLu61v@LNLb?2R3v2{EJ3FyRIkvZBr@@RMR2jf|LY^n;R<-f*TCm?y$QMEi z_2*}9qM``19l>H@y209X)wiQOh655hLJF?t*s#s?+xxd85)%s?-nCneRlwVM+1ZtL z6%8Oqzj*N*hAD@-a^(tYXHd&V$oVgDrfI$Nqv++anLmHfi@`jT&L;=95)wb_JdPnK z2aOEpyOI@9o12?3mY+X=THbszbgBFL%a<>UQ$aHs73j-QEuNOP_i%RRC3=Y|1MSVt zchdg;eN_>YltfKRYGh(E1n3pWDiX+fE(Jv6|6Y;23)BRV+`8qwyF3tOdJ}OAdq(hrsGD(Sz?AyPvGn8 z>0v`6ebA1p!)&kx$*ialf8QoBe77$nFdO4f4kf6UbOVH*cgaQ&AH)(R07Rjq!b&-l2u?uOD@O0P&_bT6Pa z)=(+HmBI(p*a89qfM|~QH%ilde6T1eD4A ztr7QILq7)FAN>8T=XL4;-(2WS3=9ZRWSRgT-^N@k!rfO4h~lG6e$jDhfq~aW!1lt@FzEvM0EATGjIM0WPPYru?oxH-HvC%8`2l~ zsL+I;RW%|kjNNHnTTgFlqQ=Sp-8;gbpMf_)B$xmdV(y1Q^g|uUtOh_`V->K}f9P#3 zKjlIC6xt@KG|6^bz8xg9r*zs|9T^@T1|>;RK30IgU$%%)Raf<;@uUUtu#8oph3w48?` zB_a7YL#d43$8Rr9e0AA|+zJZ9?DMy0#@8r$KcWZoHI$z}FLzwiM3VEqN*Of& zK*=YDDmCr^At;W|K2!7#uj6V=N!h<;te%gbV7Jy}Wi13#@Vv6Y4maRah_b#|=9GK0 z`u%%65fKsYza@ov$vusI09PTF7(%6B-BQOb0e7HCX=u8Pvxb3z1k&75XW_W0z`W4% zF>~>O$I((&03#RI^U`cUrRdew)q_D1>v3Krzx{mB84vleSh?}=$Ow_5g9BHS?epi) zS8Dbnlr z78%-1+DOu53#t7d4afBKXg6Q#Vf69A!52W!RaHRDAtgo$3xC!%#!I?p^L{W5Dg&`1 z?4^~J6)sr~=N?c6>UQ0noe6uqFJP~(t$`9S-yRF%)C=vaT=AQ|vaCcsaaZTgOW0jnlb1ihrm7V_k(RAdGl8(VH*wIggTTPLUea0UhPUKMX+gDW%t%xB!q zYQUOtjLv^}A98Rg(}xrF^k&G8#9@#peiW!-opI+AT-d{VAIq=<7+g+31@NJobCs& z3I=lb1dDOqTMILjz0P9MA=E;nv+Gj0wOKd~Qq7RP_S&EFjLy#r2GfWnp(8%T#zO8H zq`E;(?YXzAAwHU-A(Ho)%NYp&pXYCrjQ@7Hw6?VT=6%S(;ICqr1nFsfVj}WGFTRL5 zN*<~Vy@5n6spi6Lgyc2dmNRY@0@P7WRS1(Q9!> 
zlWA#$DbfFYg2wRQGlDtgMzB9n7;)=#EU!*>TYaZLIW&}rl9HJ$@bu&aWceRS*T~f& zC}-#9azeIuTA7MK1Y0rx4UmV3kWk;kf`X9nv%`vN#n#SJAF9k|N?1HZbLIYk!?z1@ zS7;s~OuL4;x@T#F46P+->FDV*)6+@G$Vz@VB36iQ+>k)Uq+UdfGLQ`n$GGyu40m1z zh4dDm9UYS4v)JW$1maO8lo9W$HNXjmLJIT*NyGgji(Xi!6o2nfBStwK@k!%cd0zZ; zWlmm2#NbjawDcBu?@6SHIe3VRe+S{%b!YKzqznM!`r~zhinH-5fHfT}kOfi5rT!dc z6za$FKpvEi!$AcU(AHa=rXQcuuYhC?40)vW>({Spx-J=@I1&e7MB$>ZTdfevLD||J z|A(5dxdcHBd@^7WNbq-m0w+huipt9U?d^B~fAAVVA4fB0X{#6i_QDm!D7TJU{L#@7 z=r7$f#*Dk*7wVZmg1#eOBtg?rLt zUq|Wo>nC>z6L@WXI8I5o{JPExv+TGob&_=1j{p7ry|knx7ZjVoKoSy?0MqW2$9^hU zEZ?3&tEcQ<$L)n2uE~>Y^%S?Aw>f6Jp(y;Thk&o0{M;-FpOuyMXysKCP`ZA1!$5_* zHV0D8t`F1<#|1ZU+_;hJHl%l@>@p-;Kd8`%0tx%VTLqi*CI=JEU*ePJQ>p%wB)eTv zYq9equWW4X8hU0T1Aqa94N{X_z7EmGgrO zqha&yRzu`Ao_=e08&BMAJT(al{*`(9?f)4ZBNG!Q?jY&BWY<8U zaEL$(mTbJCX zz?n?SMYHpiGTvE$oOyMJOVt#&owobDOf|dW-!R-BO$Py|X=EhU!@80DvsYvcfH>!d zaYy%i|IQr-xi*i)UcGvCes&6vXujmvK=V(Q@T*!o_|`#?!U9wKPL@Sfix`t%pwkj% zeHjrGX=g2*`fTy{Z#JXmj{ty6Qu{SOd#-#SQx~v$T1&CRccJVaB%D!>kQu0s(GW(a zJ!vH+CD3WpsFsMj%ei}f_}RsOa*U*^Dw(Vsl!2DcPV2LiL(~t?j@%pnH}}(s?zJeY zr6;_sTBO^-tyN{0A$kW5Xw%W+3J%tsg@s=N17bS0{B;4gXq(b$r5^CiRB>E2wV|{$ zWC2AH^p}9ohSST*$jj?OO9N8bV4;ox$oZqAqghF=%TRUw325edts(V;3dQGn@&$!7 zV;LfYnMK$@nm0|3aM}jd5FYoT?pJ5n7NEl9W?XBsg^m-jd}ugs0PHd|%LxpWm6B?P z3LdZsSq-`tCZE!VhKA1f#%!QiXAP3D#N2m=mLe@uunL%wX>ET}=HbBsNI5N&le(o5 zGrTz}nrdoU)wLiQL0i-f1KZ)Y#64OzwYy7M$+?5wnm!Defe~N^*2NnFt*SVXwbsTe zIoR1%hVrh{j+9%dA*-D>lI$|r?En=2fz}X^MYz-oG#xGi zsNRn9CK1u^wY9{=L@NN!^YeSq{{fx>Fwvfdg2s5+1)kPWVI7fzuWvu5QGElUFU=my zEG%62<%=_rWlbJ*U?3=B%^e-P`}_Mq;^pP#rKIkp@!8L7L&vuxjtk}(BMm^WtVp+( z-=vcgc{Kf&V0?TWdbFDs0!YkcsOJI6YHe*LD^jH+h7~DyE=LSDJiRi5=qC82RrPN# zK$O094fm(~e9Pg6H)>wzI@x;?dUx*RM9kV9aY*|{$NhR@VzPkC@7Z|0d-R310Ad=S zPr(X1FyUzYOL0ZT9&2iNy$BVbn6B>Y9Y%bLC*|c|b5Ebr$&?fm@d+#lyAP+WUHnXD z9GB!PRPjB7%=a(H>Y(KR>I3t^q+n`nWulR zxr{g1OTWe6zfa43pgW*@H_q5X>xIwk4Y^y?rRB5oqA zA26oSc&7MWQeqm&L)|%uow+_Vs9O2T?LvNN%Ug!@_t=jpn`&V@Wo*=q>1ixwYu*X( zArN_HL?`4f)t9v$oX|HpQs45Hr~xF 
zu_Nu-pp`tEX^*wIc#)-B6|n+z8L@r;;X~msHd9lmv?5B%Go?GEpyHP~vYhTwJXZ_X zG*e!GKx%Jct~zEb~+lmKJbQdiD9X zqi;f1g(zKGOZb3V$zL7jK_w$}0%aV#@2s8cv6Z>0srA)Hy!JS*wqCh|A`r5*p6dm{ zQefsvb$|W!BH_qroQaL1qT)N;&4R=N7OTnp+U7}JlTc4_e zk8NgcWQLQxMwcDdWJFF;hlk4&1k~O68aoHJ+giA)KRY@)O7IyUJWygJjk0=6j~Q1W zO3Z1)oHeZFHQCbsa-NZm!jy-ka#mRP?6x};_)(zLw8Gy<2l-Hp#A`Z?R)v zrn5aNgty2*)2UGm(oV>3SvB9m&*6(bINZaC>?Mo>c$c(UEJh#-%MTf?2`x^e&O} zub)46BWoP(?cJ@GgQpj!(h;_3UUR%33P$ai_AZW|iGbef<<@RmARt zrscUd%7vq#e+lv{qV75+?<+v|09Y?xx};gn!h+4Gz+(9WO*9eY#@Tlb6sVy>9gc1J zR1dLE63)hvsunqDW>voU?gz<#s>;5pr>Cc@%LW?pz_?3_*$!E*v=;#q^niw##SkR* zmrL_y*TT;Q7ob7Nyas^QJ3E^(Y7ZwxVyf=-v}pLJkd7EOT3%k~t|TFVdnR2;_*bq3 z1P3PyxmCD~UJerVm39J8L}OeWITGlR8OPMN9JL_8mf|u7gef+XmbPaNXY}w;QI)Lf z%QIyvsd{+w)sa#V|G>=yg&#CdG$SqTcjkh3BCjY-{9YTqtRyM57<#C@(IfbA+ei!q z+9IwI=6$7{o$?`F4#m0dR`ky@Pa(PF!aVKm_`U1emq*;(dnbq6AP`qSc-$Gj+kJz?A}aTM zDMN|H(C@Z&7c~phr%x?Cp^oe6RrWc`4Bwe*py_65ng5JYyV$^YQw}RHeQ@nZS#Uch z#)z`9P$_psY1*Ct0-F5L!ZwzozmxjWxFc=R)b(T- zowFM3?CO)iVDUYtTf1n%O7pBwxqsHHyu9oMHZ&eBRHw_z${>pZM=}9*44^yb{6XV; zAt1%DRKQ_qIE=3mK?96{MtB_X!RrY; z?}x!?RbR}d-E}$C&fXa3%lEE5)eikNJVLIh@BTa*!EfJUH`&(J)j=aLI54o!o!g|j zk7S3h{9<{zW>QU6wUQ!HWW>k3JT`}|grqr;QkU)dprC6)1f>zzsReI=7!Vt~w6Rg7 zOHbO{o%)L>&uK#>jq!OrPv2Zynccm)*~QqTd;I+Tcklkr0jvdzAx!q9^Gq-}Z!nTj z?%1sZ%;p))Y>63``K+tHS1<#xB8kI99+)QdTH(b*&bG23{l~~qG#YjSk>KrIp#{Om zV=3h#PgbZ_fGh&GgJ^=@O>LQqik?E3NKu{AgN#IhoWhVNAGkAZ)rxu(1>~&Doi=p$ zzBM&5aB(?+)&m-zB7RbDZ!hTW<`x$5?wA!_c_H=GGV#|3nl9ZRAe#LAd4Fi;w(nB* zrK0(!!jHSVyX>*;NPJUUfYYKh9cQnw{K9QswG7n(l+c3w zeD{ODFTh4dBp1u>i>`x6@9yq4YzhGr&?(sb{ALs3Q&-Z-NU*becEhoBM0ia#EM@cy z4EH0VqZ#Pv!1%{gz!W$>+o%kz01`(5;1o>U2?JW5o}LC1Ne8$KQS&92}v0M)xoM`hghq%isss zUCAs1S9y6k4BP{53t>2-DaHsPNx0c!9Q^)$oQT&MN0%UImoLkmn9I>?VCV7D<(O#A zZnzHnh4${<7jvzV=O+syH}HIull7F8!j@O3=iM2%_1JH-=suN}rk^4zy97}Ia|(Hm zAH?)OKLdXn*t)n>6%-VxGaGj;QBqPy+#HUJivxNB4FriNPo79fjFd)PvhaoJcQ`85 z*qtgK6`U2+`1ppccrdu*F>|I)O}3kpj2zc~VdK%k@iD9V=jqv&@UN4gS^gBu_BvhB zvy8!Bc?aQ)J}@d>t~XrD?VC;VO1e(N{oS*B0cZ4zZ<+oD35lMTaHA5loRo5)3S-A$ 
zxf!#muRUI`0l9K}XGhTEs4Och>nVL+K|y5OTx4V<)|(W_p4u7jM8 zPNJsp7wv~2EvV(?mX)cnm=^&mes+7eMz7wJjtrWg%Pb^;0qE7WrM#kR!sIuWmPpB- z04_+EPJc#s?;e$i=Xi|kbWzz^WWf)h9v`R#_CV1xC6lHLgY*VlX$QUw!-dr?E-nU+ zkI^C6trBK}#aTlJw}0=H$#sOHhi#1JZ|*(En8NAWl^ z_^w5e=O+i%jN8{VT7kDoF{Xq zZtS!+>HvgNo`0ULy{(Nl&GYo=xvDBL(Xk#656{c&beTJZ?|glOp|}8}%d~Wm73)+U z180Xp?-5r$WxSMwL;0YWK1*S0YHC>5JK~Ptv$H59QSDBc>jerjZHv&mczC8;MkU3m z5`j{w!{rt?+a7fba)!*v$jS~(>geh|jBa~AWSVpWkYr%09_mXtT3cJYKbL*1=~Fog zo^PD^1h0TV-s!_e=mMNpYe|FCFxZ!tH~_kX{khBCsc%O&?t$w^#ou9lAnzs@XZO1+ zzsfutv6lP%qaJ41FZ2gmkEguDnZt2`0JG%hFr_c>db!=rA2TvMdL#=NEe$?y_dn?$8mb}Z zp}i6F6B^xO6%}P3HG2jDD8QQG^r71FfYRUJpbMqsf6d6pSH-u+NmwMM^B^)8pUJYB z{L_?a;&bRMOTX?)Hk5~yL02{2Y+@hIpqwoHdiL_#SeEYWwCIDO!wcA#uHAZ+a=Qa3 z5B5bOL>`P;e%DV|Svfp5*31HPfmBUNMFo2{Je(wO`Xbh2TiZ>rNntV?lr2|h=h^xB z+~-V@GFm#bsAd;)Sxy0L&8YckLlU+zt6zhIgN==i*94Fl;X15sY0M_rW!w8ge*r}z zzl4j+GW=I&N+jg^BkIWq>b0dMX%sg%cSuNx`Ixz<7~FRtQ!Kp2NGV6fA$VQ`jMdOy zewGK|N_yq;Lqs?CE6S{AjQ!PO&_IFe!N~)n0v{2G^7M3c(1rmapsA^8>Wl67r&e4- zfJKQ6iott0+*^Q11QRw2AOAlnHY}`chpgF1MfsC9IXlQHcg5p++B083JnXeVnGzO0 z+glrhrkn`C5-ni$Lo{9|J->csR#$7@A^dy}`JS1XnGV`R8}02+85pv_rUPJ2tL%{F z8r19tY-s(NcDcK|8+XL*LJxfdEHi+dARR7rB@c}UWsD5;_nV$olv#;(l7Koa%z)6Z z1-dZ74-KI~{NXOD{MnnCncf(A<-&~MW0FhwY1|Q`Sgr>kxE>vuvlzJKftyHmOCW&E zKY@V+(|K6>V_lxih8=@zmn533QOYQsA7IIiVmuJv;ah|OOl9_3=@Q=>S0QoWZHKY~``~nUcimYgSyf4s2Ont^k7ASJ^ zSKQ6bO}4V|9k;hotII3pf)(}-8EMGee9o?kB_Z7Pv zDn&0Bm(Co=?_dsi1J*pkqTk^D=OiQy z-}(7LofjWDB)xsxEGHmX4i6qk`VL|CB{l%c5HuGrUW9<=s_ulXYWw?}FOzEivr7s9 zD?xFETF_zjFh;|Q#q8-7Nk>POXQEtOPcj2uQAS4d)SLNqYBHV?yC?&-RTg`3=9ke6x{8-_-r?31!D*8yM*?^9$Lb>5@$X6RYOZ_Wpy>b zqAoxG>4Qjq0fC``fg7ZxpCbWa8nXT{*o0pNDad-iYVx=U2BkYC*+G za$^(^K2i16E9emTJ4Aw2V{l*~n4C+->J<7JcS5CxO>ZMqFY+m*D0C%7L_G;-(5j}= z2Uj>zl(o;5Sa+3LXrnqN?WG$-v70z6GwY+*iMJXpldc+pIPVx1MR1&Wz#vCIPPH8LeB4#P+rKSGG3npZRc*6@xQL3Y5p{E=9gkq$WEUEDaogoQrAt( zff(S+@-&j)U1%BC1;^9&LKj7y2Qc5`oh8HSJ<%0j1l;!Y!vML&Lf9XcWyd>2B4hhws0<42EY=+Dec%N}7C|DE* 
zEv?QE^k%55LCzERd!|Emx}9tkb*2*p!|Wdb3dCk}vZqDP{!Z65fOC72H{|s>?HrkC zg7C-~DNB{zy@jp0yjJPkjqjW1;O;9^$?&-}Ug^M%K)F$$-Ju9A(D0-QNnq%HPb)(l z`1AB=t+h2wCL_xFy0;nVdM|+uT(7gKvZWm&WqA?tJyhK7RhVi1)4iV+R>s3OLFe%f zJ33;Vu}hkC4<}7ylzhF{YQ#I0 zEf)U#DKRX-WUcLmo6^T}UQ4t*e`CM74 zRxu0Un#X2x@9*D7zk7TXmuI(Zg4`BZ>px1NK*NgCwy+$3NM>_>b`0#I&ZU5Z^e917 zpjbUf1Stv{dCtr9^!(;dVK{t{5EIjK|2`8b-cMOpIXK7ixVV@jAiJc*{0I76P6|!M zWzI`9Q5C+w)us$bTZqZ_=!g>eBZa)q1i*E>v$uy#E2=wkocUFdlOr7xavfD>)Kc>P zed|D8^c7z*B$x9v(SBy-Y}uq7}2tDVjPtS~32o!XOY(EAD5>zf_3lt}HHQyZ16t^p5lC z?(KmAE-HcQ2RzwDHqRVy+9vp*ODii4Vad2Khm?p)f3~(hU|^68l{#23$jDpq>bnYr zL0jis%L;Qo;l4TxsN-vxKF$pm1Y}3dZEiE$EkkuV++Gkl7fhV_vb&--RlVC}Plk(o zTvkS>#Z8F}{h+Y_vQ1d!l2Dhh0QlD9b~%U?pSI72Q0d$Y6H&q?WA$`8KYKd3hC5D&Ff%iQvPTbRS{zKe zbhGpFj+e4Nt=5101`a0NXx4?V`;-1)Hv-!?Fw4{BfvIQ~S!5a!tsh|2)06GZj(ALC zKallIoQ~LYcc4;3Lz0eobFqgOy;#~MT>pCMeW0v=bF&ErIr*g5dHC@@&C$VY0)h=S zUER=_gU9&vGdO*LK|!cW=;7L9W&*mO1k{2tpdmpbL^BF|?(MEr!Qm{mvDFp^xBZnN zNxCCo#;5xtklAjISX60m_DHq~pB;EqsB3G7MO7>XvJRH~1T)XtRPyeqh1V?i>A}od zLV`si|LNw*!+S4vKqq)g&oOrwixAVkX}BhYv2w26UBjH+gWE^5>do^$gd4Apuxavu zGn3zLHs+-3igvQAc|)Ct*Z6xJtmO%TorX8!mWuS@j%&-C$>#}1fz;HAd?8?O`bH)$ z=7Wc~F5>)mvC9<+T{ATu9jmlY*w3J~(%PFabPenShclI%nQi)}+k6U^?r*>(&&kcL z`uw>x9Wi&WG_*lsjHAB*Q$Pgg_Wib{%(75a2u=DqIvO`R$`37S`ftLf)XL&>AeSt$~p5TU&N;Y7VYB zCy|Ule+*bzivSk`>xH=_RDApxjyhJVGuMIa1lFhkQ?N@UdmfotTNgrl5)%`98su7t z#eY9l?x?L23oLeV%OZuq)RA_Mj)UWH*bGiw1fVc}yb5{|5j{HM7Ne51G?8Da!!Qsy zID|r8!NUX3>rl0T{f#LaHUk_Yu*52M)geZ&?KN_{d^>=ngzBRtqHe#=TJC$9=ClqBIQ+-O zXNhrZ%-J0>6@5*kBy>35TZ8+-sldJceJ~pxWy-~KuJGCZ!65==Ja&;V2E=Ucev&eC zNbJcTd$)dI zW*$w0`F)WSP*$MQ3KPMpRIP%Ds#m|Uh`?|ecmt3WF~$WL8IL(bcjKRfbYkM-1ACG2 z@hck}tfY8w7|yEqEjU+WU*FW{H&^q7@~n7|<`9>Z1$!Q6ttW;LyK*{W@%HIMl&D)c80r{p2fXTyn|6 ziD+PgudTisHeE+T*YrbRAZ;43+FaFMBhe4jS4Qc;pMhA5x^1lj02x{WDAIqKoJeR0 zo1n@>D%VbfPYK*a~MrDfdDnwfQq;9Kp0*#;Ns{rl2YwR{A4npEW?Q%y8pPf;KR4wRp6 z&9#kafx)a$wFTDe2%wdX4b81vz<@M6YNwC+%A{9mt+rC}{#raYt?U;*0nfX%fx#a* zZBY-$W(vlN)QkUsJ@ZZ)^tnOl$yP0a`~!y~R^iYM9O(qmmds~QzeEkLtMhU73SN3M 
zv#wXq{r7@A&e%Fhyq|v$#>>YS4)0Eiz3+_WJ^#6a;zs=N^_ieblfk`MoJR~WS5}_T zeGM1W^qT&h4I)Dc&c-epcgd&W@LbtwZ(aj~wF2z_%n=nJM_B=TD?{sqKm zIxy*j0w(0TgANLUQ;82BJYe5lM>LSaDMZx*&3oZ3y?uR7tHUpr=HVm5THa;> zL+=mHv37h0W34S5FoEMv)NBUtGAQ7XqRT-!<}|wZK$eOkS*ocrC!Jp7=LB2adA%0CfeR= zB>sFt9;t(GA35(N{oQ}H)-tU%UKcRltq2)c zCSLh%*=B(hvcDpitCIq8lX(4-T{F9P=gz>r?(-*0V*dW^ts}RXm>8KX=UlyN+kki8 zb$1(Z?Ei=M?psHJg9pZKXIfB9;%6u+9jf|rL7%t$mo7aFtAm4sqS}u_jf}KM3?Kd_zL8iWAffQ3rbfTmd1kxpa&$_HAS1oX*|QcF z7Ve8fFU4*&Q7N%i#Ua_#)6?#M7Jn}+k2I&v{j7@{7M|9YJ9UcpT=?}HH&W8l(q6nU zy?XWPwQEOjwq>6Q6;_hd1Do&D z4qpqook#q1&jST{d9&-+t?j!?Jq-A3DUu8_QN&N;K5pEQy7lv`$I8OX=;-K2i_#nu zQ64M)U11RsH?Lo>9AlTf#n=A&^=tj|Ka;nMN>^8wSgk&`wmyrfs;kSG*H=|l&DBv* z7@Qic?Y@1WEZd|yB<9ouaf_BGwS!qB5WZf?nP3GKazI5r5c|&4MaD)Ikx>(7@ygV8#k_B zKVsQ&yQ|2_U}k37kjuc{pe%Umi?&}a5r10yuU)(L>1cILjb&@5iCL)PnKOcePEBbB zwcE^^UtgBko_}kozCPiMk&%($9vAMV>7j3`vVXM7|CMzdXG_tmdEhYIkR)0o?l9WY zb11!opO5dS&x2haH*D?f!o+UyT;>%M%h8BD+v+1!zU^1*;!$I6>aUAh9u4U z#*%s6t`fI)OkU5+ac{$Rs^Y#KTUf7MBq}$>aMQKU&4+iM4ev8(T2ToKuAbbRJ5qLc%r*hm9k+Qn{KhQ{g>xr z`H~Y|#hW*6IwU4G){#cY!h2`Mj(0^mu$*_IXrcL=SbFU*J*hxxU0l0-w-J7$c zt@3SS-|FjEmZwzD=VoV*Hoa;;x_)9{z|`1y`p1V2WJv_jWPf%3<(QZlgkGvNmeeX= z*}*~l#uwqj=YhoQ+nY;?Yb6YKRm;wTp^=g9 z0{a_Fvtx!Cx?Bt@&qVwCt3yY93ti^Mi=3u(|J21PIF2+CBVAcpSy)(zJMH_>+dD}+ zg}HsHtU}ar{8DabdATWq&)M1eOo)(#%dCZ=VNaz$=P5b4D!<%i|DeGVWzCwSI%YEe zV%5~N1rpfpKT=7f7Kj_+%n?i$ezv3f?%lhxtIJsz-&kUjQXNz7-TSceXQ@?xNc@RT zn*P?kG96#Ps$q&xJ=k{Csw+t5rn~#f>{z>$!)Rh!ng}EPmoHxw9_=PEF>zn6sIK;r zYDeP0AYLUTm>3#PR*RGxW9yij)`UxZYiQ6yK2Zr1zjNnK{h{r9Ws0z+k*AOg8^3-{ z&&=F&*z~Ob{gNJs@s3Z&Td>&&`uZ4?b}%q7?A$q}yMK5dd9Tc-rp?;dy#;i zjY+!93biM^d|5$%Ny?mrX^4<=G_{|enJJy$7V_;8%i$IYtQ{}2PyX0W-gCz7tVb$dZEjH;)~ zf=bfn=jTt}ThFq4_jPk~OveJI+Gb7Cwy|uEdpL35% zNMsyva&ls3X13^k$RzkMDnGj-HYw>-?&`u|l!eceQ*t^z_Q9AyMR%U#~#S8%*WlkcW;^*%lhAcYaPCS3gq>P z3a1_s6XWFMtiHVs8^T2F%jeI?euDimOsZotZi`61$8zNr6nGCG)+~^@!CT}!V{Y~! 
zl!u$!>-ZG5Mt8AGs8q7Doz{I;m8!w1Zq%Cil7|oJt2eD%b5cVifI=RsPuNUqOxE^U zsxHiCv!DK1mwH!?ugJDvIiZ6}Av?|g+V3cG)Ux9WtDUVa*1EMEwL!V+&&ht7*@1z9 zOHC@2C|M5HfMCD6w8E>;5`pWtb9^40@nM6#Cb-UkI@oPtu9u6%^gpwjK@lmRkuv8 zBWeOl2~X^4-#wjqHk|zY-dl63zI9O7->YSG_FL zo1F!XZ{K=SC#RXe`J32ZlIxzc0k!x zU{3{hA*r{yw#^Zr!@}+?y`*zkVS0 zy|3eDlarH8!kfN*o5GGtExOVC+G?V|+6;w!r0JF3!q=Ensn!FZS;RL4pV+rs!j{YJ z&xRR%RX{)h?@vulUCg)TCS_!#-M@byyOy7yUtL`tv-(WbZ!i*=jsHn($CvV7X|01(t#yrw=>gd40i-ZJuik_Yxu4)nY>=}#Bvk~p3(bg>6 zNCQ5`3l}eDO%mH4Wpd~n@9d_l`bD?Z%YQKW#eZBPFnFS5umneASC>1kfs$|H;ebs0 zfcCQLEXZ+Nngz~mXl}0k@}+;}`D%ZtL0(rpDsY)7VN7Zz2TxjS z!|Th1>FMdVGTE7X3-8}Af2kT3|0Z10J{eHaV|4{rGTD3aBSN7jN;d7~OGoVIG|5@q zZK!)|to-KJHZPXr+Y9UK>mTZ%a@g9~NZ1X0jy&$t(*13CcsP((brw5zEZk%D&s+fa z8C|E9<%ND0_C@VEQDmBsb4!bhmhHJJnwo(wp@3^f=H?gfY!@I!NZ8%q%C+*lVlOv? z_x<~)O-)VR-QCZgeT08UEIvPCrqQEw|I?Q*e@4j zKcFQPP(PlMof5RFk7%G%)_f)*K=S1{?)>v>3@R+}7dHN;?b~ast2tva)qqGhu}5p8 zWCvHGg$`T!`C#5h zX$7HIKivNkA$1h5!-v1s)~4ZyLxnFJ7V64ey0bkQ@N@dCjx>i=L!vrTNOe_JkL~FF zt*o;X-5&4muH#<$&;QAjw+Vvve}<*(hd*ZK{rvfp{6JSv&*sl?{sV*Z!At9vT{yA3 zTcc0@JMO^_gzhR6b)bQfmG$BUKSa+I76(agF9*jt3P8@*jT^snytuVt!)&pz#!7No z_=c@}`UVHzSpSe4XCDO&x3!%FR#F=F75vRCutSMuPPx98Fg>P%a=R9 ze7T8e0rEPlr1XQ~C3Y66PRBkY@SLo!K{rD!SYL|H+27{%X4{(;EA0;s3}?xin({Pz zTVhCXXPw_nBesfB*fr$ylocaI`4F+N>5s(-RlF^;4~B>r<7e>f?zbHNs22c{ca!YtuLK z^74*{cq=*!gpzxDdpkQiTDrT(+TY0Ho|e2#yRn*lN5+Al@z8Z=*?Teo4u8LPU+#(o~ltF3al3$Y_dT9}(U zDi)Gusrb=amES#sgP|)1W@cs=b1jm7`R=Hz4i(8~Q8xYj^xfn|@#J4Vc`VMrt1r(* zRN4PIpzg$RfhF(3?8+aP^T%9fQx&;@dUn!#^?T=PFtW^jwoee|&Co5f?3A=DQwKQg zxxs5|S{wO=9$CL<&mA8y&5`yuA}%~3At5MB{3Rvl%t~hU^SD;qa&91ujZCm7W>b{c z$t0G2py z4zur8r?ew3Bn2Jqxl#JGHu8AyWX6*xJDRAq!*~!5>`IGybUuhR@E(03c`u%)l-nA~#~B^m5yQAlZP)j^?B8BLvt) zhH`VeclWNiRo5jzMUcIt7AE^%`qYv|};Jl$E>wv%qQX7+=lqKx%V zE%^KUix`whTYo^K5#>Ej#8vY?s|Z&`6YZH&@p+|NdK=dq?g9 z;OcE@j%qrPJxQCMj{qCujbC=Dgdh72QZ*`4iXR5W{nFUj*wL|!3!wlBYvfCBe?|TN z{W~frfXLdlYtwVIy{RLNUnJj!G}VPtaXDRM_g<88kpEIh2No1z-b06Mddq!NM~8;= 
zhU^k7I`aHqJ$A-lLPZQReZ|Zh_!v%;K%d-Jmh&N@+&u9@k!#PvD{moqRO{zjv<4Jz zK8I+@D<8IMcy;kjf&EB{>w<<5vz_BR?$^PSC+#6_SX=*W$%sP=d+}mmur?~cn@2b6 zCJAg8(vZ=}J7I&8OY-tynFGLt9gEL89)0cZL5cxH=W6^QE-CrkZF!HlMP=KxjQjF2 zFyq`eKn$0x>L=MQ#-{x-d`Kbh+O=!@_Q&DjY?i0FSy{s}!`P~a-ro7QgS8WR0Wi&e zq{+qwOz+(uj%#0@+b_@CWazqLkeCXGv9`vFiU$cEK&u^>&TIKqFtD;pVa}0j0Jx9w z@(zMBchr(OI5^}@4+_5y_Yaz)k<&Ntqlmzm*Vh_vJ6y)HXOFGmT`+A%z29E^C9{vF z4Ikq+4`_@bPjbJoK6~jBTMAFHjDVxK5<0D_+n>TMlLzx1kYEIG|WVN~maDsjCCOcb8Qxl}d|IM2>w~XXk zQF)OWT>7hm{W%pNzo{XW?Aw77oNM;Y6aX9o1zxG95_>P$NOP!OyjY0jN>G(QOLMIS zdl0TbAa*u3{4NsAW&3w*+_Gg0aFi%2H*jS~p`)s4rxD`nuXVI1FU+B$lk-#`be? z&~b6v47co5K|ph;q7SR3}DCU>07NIpFDYzZUMoyIs|K}Dz3AZ7%ZRMz6mw@6)ec!|@n07yf>l!r=X}uFii(uq*c_E6IMeB?GrOs)gNm zwGgQ&WmtyDd34HmOG^65%s#z6J%&a`-qhN`sRdUireNopVKHdj6}_LNB-PG=$B%Sh z#8@%~fw3Hi8~BBV{n{Bwv=<}et9ROIr0w{(-D0p#!aON9HWuXXHbN1%g$6^`Y$AEy)g7t)V)pePeSJr6|GM(JadY&0 zP~6dxk+9Iv!HJ2e=g*ZXXjVY(5L`-3(tMe@7KO91y7~+kgYRBh8K?sDzk5+q?HwHr z3T~NQx$+&l@OE~|X%uH6-E>dt*|TT2u^oF`la8Eagp~aO18KpRyj{alC+8p_V3~99ddgf_&B0*9V-;jt&Bs z@K_w;9Zx7MTmq`sy$7{_9HA30_;{~u37{Yl8vxXPGE^x}1;3xe!wmkRp}R&3p(R`e z=D2gh8Wa;1-Q?P}Rp^$Zzc3n`VkhYHNUKuko9gO@kQubQ`H96lVN?324r+`aq%^GP6#pklo|Rff+eu-Bwm350dj~CE{NQsqV?6) zH=xNvk@c*{;&SakZA7^D{NWGg#{R0Ew$mgA{kepbLT;H*47ZgcvK3Q1JOb5|329kcPY7iCOoZca*;ym5b(t<(q9z7aL&Cba| zuq-SuOjTAYq7j8X_E1b107Y0geIGx+8AOuQY7 zrJK=1lq07tTes@%=iwnR9mu?e@D17xKU)~LZFsPKZ?0u$8&Fqqs&-09XlOGA2Ju-7 zXjeJ^zlRU2pkm{$vTpx2ggi@rNTsG{Wo_QRJuPVJ!<-S`v9O6Fv=MZwOd8NKdKnzd zM7msXD+xdqq6fA*K@M;KCZDlHqwr~X_*n`zql2w&+Z(IBBqm12N4pP^rKG|l;vsOS z?mB^~@cidrHg+tf{nL?s8gR{|;mF~`L`Y&gUjXS!NJx0`;yfTT zw#REUF3|Quk8u!LiJFMK09-9al8}kdjl^|^zGb@Z% zA$QEq&4pU=X)6mcZ)ZF96EyPFw-b^JmZ*bD~=4M9-vZ>z&z}Nt1 zd{V7x6^V{+I-)NT8bv2jCV=W7%^Ll9?=$*NR zc4fNg3u-HDGuS>TNW5g3sKeW8tKM&<5~dDE|gritU}*$dB0qn-J>0{r75&4+91hp?p?WRgq(f z=84KR0Y~(Mf6dPF!~$}H(#yEap6w#hY8o9My-AI_EWoqf;5l-Ab8~mT9dB5sBI$Fu zgdGYYWg6`h#J0!EvflseD{JwUH=se!o+(iYQ zdAcBRg)fzrEtw{pN$A^%e~6fMPdW8Awi(E;s0NfHPLsyK%1#e7*Bm~a1-Wx)9ROop5IxFmPp}~%=cL~@ 
zVj51IUOTxhIvMyf>+TxySX=ZO-yC>!EqH!~fN*SNZw*MIZRJUtP%IQF)Gp{Q?azi|&%kCrvrlFJP+n9<>ag4nZ?1 zQw|v&`(&={FnVV<%+1d$S<`+|`>e#$BDU^f>^rLS-1vbB-I6Q6d&(@dhS9>)%)eGs zS$TV9*@;4-T)7erb^+5ZC92AmpkRsRUTM(}-i1=)kxyv)n1{RycwuVv5AF+JM zP2Ya)`t_gDC+`7{8(+DykCA@smMzGRxc-NTox~8nxAR|Z)NZGc|$ z#n~TlGe`qjkqaCrBBw?8hlYmG2EYq#06_KEix&yd={a#%bTF~4t&LsEA;?k4pb24* z`$qgj_I+KJdISw^pRs&Q>a$A9Y%87l~q17OuTxLgye*V<` z@lDPP&})}o^-(dg#+H`6(Ktgx!_l!ZUX|zZ0BA2?9{~C{QSD zvhHZ;l#Gv$BXMFyaGOA|K93*2$;=F>QTP6d!VRj%8H<)xW(rEdBFfHz3)u(7#RsMq z4jnp#BI}CM1y!9{_>wM)W%BJk#Jc<{R)5bXCMf75#wT&?Sh{64z2C(`F;v`neQyc_ zGQ^?>Rz!f=r}`LcRPCFLj3o8A`x%gYR_mIYLKJ};C_>CxazJEYW*QnA7!3YtZZ05I z6dmn(x$@h$Z*6VP2wl$8kJJG6rVH;^nOIu7kF|---cdbs#?H=;^MAlBz1&GeBn>L| zjykl6Iy*bP6A`=^DTR@N!O+5jjfp7%g5s-Je})@VK7Ra&s7yb6MztX*JRB-o0c!Z? z&u24q!y_ZlQP3TZIp4>Oz-R>V4xRXSB z*Pj5_fykIH8nw_s%6(bwR-cE3?K1Nce2g|1E=A~8NaH_#{J?KhrYA~Q{jk45Q6Oy) z5qLy8GbSxf)~udu=s>^IBq3h8`+NKN7|9w#`?V|ew5Gu}qTkG^gC;5bIv)*fP?o?t zR#uiK2*#6s@bw-+B+S595|=vApR0C+@e415=>H^$#)j^@rl#{H{y`NeiCD?g6zo|5 zQ1m-C!qVV4q3?Y&SuW-)8uNh0Ch=JR#MB~nP0cLmf~fF%`L+p)T$1j~^DyzCIPCSN z1U!9u%x>T;x(vv_MxS=F926D3kY)O%nZv}~yec?9rqWfW`|aCkMHS)TV2%KDLqjsedj7jagkd|V0cq3PH3kOVUBxabNl7!Ktwb55XgRdY5chv#f#1%rEmiOE z!s$tQB_$=I4g4h@A|l))!ul0eRaGmiEp2U+3)(VFS!#T2hYSIYIT1=tuP=}E_Hr_K zYiMe+v$Kc7f^@wumOlHNoOYnQCX&s^!KpICjO65DKolUigd4W99@eKcqGa5XV`Jqg zQ0h}VXCQ~c^1&sxTWtUSI|(JgnW>yM`ubfUkjA%Mh#UOXsrEkS8hk@%DQG_deoXrH zZwAa-1b!j2F1Wg5M@dUdFE1}cMVkjyMEgcHQaayhYCu#`Edef^dF;1OpFTlI<|aec zHU1Q^|I~d~6uXeCZ<|FA9=uYW2<-?w=%A3$C^#*W3=-+jZ!aI;;yf@?A?UA&s|zvG zBU!W;IoUz~&&xZOD@$mRV zTiGLk(c&!|y^hz_ zk`b7vAtY8*fW)D>b*8?s4Xu*k{QXIk26Vdd17!2=lH-mWL*uY9=0=()a7)+`{J~B&e##NdP-M@>$8-U5hO-HGO!UqfCbQ2C^7Gfo!V8%ITlPGAm$JfUr-wR49ID! 
zTAKcGr}CJ1kXy*kdN+mvB7h_JO;BmyI+3(b!7I(k(sBhJjr4(U7%$YQYAN#H-{h!N z|B=$#-mdyg)QgII86sjJJn^^GpK!uAAL{0q2gk(hCyjL$?o#>Rjp!whv>iqZ8MPgV zcdm2Z8-(0(ivnor>+jcAQv-wK z=u2c02f~D*$4Nn5cr&vQai>Lbv|(}UY_-)w)!4IVxVP61z!jx1NLPX8ebG@>ef&qt zsC)~{h6Q%fqemSb9AuDGZ{3=P@Q9k;&rYKKhL#I`L|l1U8M}mSALsyDmZ4q3J2pNS zziEE$T66Bri&9dBxS_=4bNZzHL8{EF1)_%-9x3kG?^4RQgF1V96e0`da(Jy@&#kC;_g zI29rd$`a>iqm~BjAdZMLF892g~obZ9w)$bG8uWoiO$Qu^oqI3wq;J zvCg0=UTNofs-NGAj9mkW?lDP8Tag40Z3)<}&Zt2)(s_L;DJCWZNgOgCPzK7R%F}}} z%Kru`a^aT%@qYqI|7{w14$IX@n8S1iEQoASt&i+!4aWl&-u75lJp zg;9mM#{swm1%>o7|7#@Cdj;~S7#1c=D)>HngiXp7i)tOsPxBNfZ+7w{1d^eyVyQD~ z+FDwWw!e>z_^i!w2C}*81!T8ynk)jv@4&}X!J4m~{|VQT zAki(zE^`-LcY|VL;^E<8xn7huQR{f$u)(|W61W9rtB6p>MWsGc%jy zt)E~*sJ^DGoMbXOQF4R>YQWs~!^wmSFH;i}ZS^blzKL6&YY+)Ny5Px&+YPCyLc4Z_ z#>aD!A@pq7xbbU4Ly+5UHN8iV9#IpOU0w_9gO_$_e;$AyA0OYZsVUA_Y;9P3CqN=P zx?qDLuOka&Dywh@SW--MH3d#5tig|a_5_}i8is?1=K2I=$+P~khM{4&=IhrdRG1-3 zQbG!P1S_nwmR`ii?@$McYG`b14Z+-G%GuhA>U5(YBCtlVi(2)6tGiBbFmZKxsupS5 zyYlnr(f3}PkrYL@(Fw3ut1CH$X=rL_Y~zqd7vddCsx|9}4o{_sE9zZdiw0i zsEsi8DAjI?KY~(+7RxEZ4q$I*XN2JE*v-Ho3T6PUhFaEx%(A$+n0Xm=%Ge8m0%;_e z+R~E<2McEHT4Bqs7y-bCXEQ^{67=-+&Qk*_h$Iw3{0IH!%_%=)iIt}dmVY5JjNsIL zS%G>E23)e?{GsNNgqkmAV=l^}ww@7C(F!66q^LYe z)NlldE0cVGU*AW1)Yo%LN`N-LK0ZF6H`8qAXqTct;~+7NVuP%sK!IrrP$jU{J|@{l z@UHC#kquxV8g zzpHz&W0r`J5IRqsgjZ@}Y>+0BB$gP5#*KHE%ECQFCDNBuK+vW)^of}Ri9j`dZ4V^? 
z(?CcKN?e^Q9h0wwymPl_$rqYS0a|mlbSFn*_%H z9xX1S)>3(KdQb%^KoO*xHzqf}P+@g?z^U2sFe!nlME4HU!?dCc>-`nMmNk0TDk8an zB0?T;mGJ;r#40w_)j0v^AgGbSt#01@aynu1wzR*Z7IbMXD4n{^s^ddfex7~Lbl+U7{0X}_6`{A!gc`YWB_3mhX(sgz& zC@u9+Q~L@*F8^eF{pZi0;a&H>j+jQ)-@kwVUk4dx9K_EV!VV_wpP$VyuXBg12KHU-JKepl*Gc$exUnG5L0Nx0K6yaP@8zg#Y3o&3(!yS zR@BxOBX-A;BS)&ndwfP2iB(~I@Tfcv9^su5$pK1d&o0BQMok2TfLi(E{81P(O?H*& z#w?2o{??jI9-5diXj?uF=>uAMbDDvOl$42h*e9#M97m#q%Yu^P)H}Yy(~a`^|U`J zM$5F_40{DHY!@{?Mn%X8r_Y_+MoLOad2_S<{JtHZ;SJ&ESK7BD`$n^{kWlK!6yVrb z0+xhRmM;3eaZnt})g&53h8f53Hj++eKA%Aq}%Y^&}_CgmHocg(o}QPCB$pvD2W zgE1CyY6zgTV#|uWT75-3ZQ}fU40KEAl}Rym!L(G~>8(y15|(wthB4z+k#29& z)1UMwnur{xrSjWkg;ev2q*`b1y@J}J7{t!-iuqO{SVqr z@ZevkweLNL&z!d7IaInlSq;JsN#qSmu7Ss&#`=1V5S<5P1V||49^efyrT%_-3g8LW zm-{?gfqHK&FC$kNvvLOQI?5p?A_ARWwd)7%uC<<=ZNG>aAE=E|B`jEIpgieMh{?mv zGCm7_bNjCO)vLd8?&1;%3Km>ZjY;q7)%|GXhK2c*ln_6m=JqL@J(wt`MX*dlLnC@` zv+Y(W`5`uRZ-;Pf1x^pN`iSN>RCLIrkX=AO@J}=_Q3-Mh)^Jr$kC3d8*~uE}>Q{?% zAk4gojm0U!;pQ}19At9Z@V5XX%B`B>4>1oMD*-XoKDjUjqz!*y_+45FO*|&i_rR$9(N#`$*vSTJA_SM{ zPPBn>fw2ptF?bz&8?p{Muan#8tExYKjQ_}=ikrgG3A@$`S~ULh?Rydj=Ll}a+{}zr zhb79BFgmG^_?afiI*a4By)w(_`h1ci&(jMF3zuz(F38XS#7*06o>p8@?zu>&2;r;6 zu22w=Lq$RldZL-nz{nUM6LXT%)zvlsBYF>iSCIM5o4%+2qQ)0};>-=Gg6-{LR3H!} zBj_MbPV#HcLRcick$j&jJj>ed+TmA-w&$mkm;7J3xuxVFjDZhy1{ zGS;2R%*uiQ4-Hn3xYzf-%4LdwN7&RC9tRu-hP$x1hlnh$G1J(YzhJ@Lmlv7l(ZAMFgmyswRruO-6tq$&!BH;lJfHIU86XSLlHDrtd?V@ z{@xr4z_La2>rPM?sGhFnq%Bpi4VX^TC^d(uB=le+@)7 zuIR3gjH}Eln#y1i&dc+^aaIjRg(L72J8f8J0In4h9xgP&N6ZdgiML!|BE|UXRU4pL z911bQNi?+TC_#~tM1xs$8$@*$oGM_I^=8YlO-f8ePq4YGOJ9iD<@W7qm})yt}tO5 zn2QAnLrinVLQ8?k{o?;p!CS|Z>TT*0(j2uY33YWgpv7PZ%8H7L%F51IW|YI!SFd2} zs6*hxfFOSSGxWC>_3JXp^eN|GNrFBa8pb|;{J5~tB~8D$?|XL=_I{@cA$4rd`X9L|XSd*X#IGd^!DvHy;P7RxWl-!n78id>KZcON!= zRP;ez9L7l~QBSH9^7{fSdV^oel$a2|z3<;fDFwu@iI*sk?p?yn9S0c(_+J9+jDJIQ zKtWBav@tUP@by>x*mcRNjQAp*8f9jDq&jCcTFNl^xum^-AkJ7-9%cCZo+Y%nYFK4H zTu4Sr>0_sL4Cwd{_a*)^0SJcv!y5~~3=WM|OR@d^%7sexm`gx|6be8H7Z(&x+TT6v 
zF}(hI%=mdMLx2?*?XS@vlO6qFTF|=__I+0}_4R9ELFk)RM;T0JkODzcVeLr*Kto{% z7{$3NY!C(HZ5`hKX+L8OwfQ&`_1X_eB-N4z8l!uX=h_Yf8Ke?N645!VI=Z|6MO@qm z`pFBQHHXHqbWlt>s!{Qv=HZ2=^8CVr_V@p=G4#Ng`q$AC^uEoQ(pND13l`n}Ef;Cy zx&bHh^!CFsUE-;|Z}?E(wCo_V1xiqW#4p2$QQ0emDivcq;rYkOYg_4qiC{y`x2_ z3J_l2wgG*L+qZ8A+2mqxb{9IPfrdg8IA+_Y*yu&Gx2WYO&)sf7w#eL{gtN<&e)6A= zyDbJW!P?x%>YX_ZRVFl=!QansTXS$H(Yfe{Irs*$in+P?jV6n-hfMN&-T*=2Tpm9o zJ+{AAkvENKo$%M5Ai#eyQX&Q8D~8~K2Jt4eA>cFE5BZHWziS3Xd(R4(Yd_-Dk4U zY3fCB@gHz3C+RM5Ajlmb#xiqrA^Z=4O`e7%k2VfkW7~Hh^c<7)Sdk_j_gLwGaSVr! zafoQm$r+BDv?hD^OY^8W9Cd7MX?aQ|N};`D>I-ykb&Y-C+<=aU)=Nu=#AGJ)XL8T) z+fXl_813%9hu@wXZ9RP80FE)khI|bdu6J>g*7slR7%jocD#|pn0y?#5+rZbCVWJL_ zQY#>&U-Y!1H$&^Ma&}dFiA`HYF+RoO{O`G^2d_dgVemF4fXr!MfvzSk-z_YneISg0 zPf%UZK0~V1%`lV)^EEdghMxe0sHeZb5uKH1okq}fpquOED~54s=~`F_jl4s()wGm} z2Ph^$Tk2>}kL}XzO-rgh`U5zieUbukYRjfgEMOJ*%SXfCfEg&OdJ%wo4E{J$kHt+$ zL&M)AV`>`9jiwO@Zf4#oB9c8HYTRdQY-=k35hJ?X@IXQONT`_5mO=p#Qpe#-oWCE2 z%mh?Ps5M}9{)$BVbldKO(U5;{G^PGn-*Y|*$LN4FNa{Eog5xq=_XOSF*J*9O@AX~6A84*$%K>5KZ*fj-do!Si1|NsXlO~zwXq~kBn$R`CMG8G z;@F#RwC(sNtOaU1I>MP?ysD)~rv&XKC+r|>*47ZDNEqSfhQ1Br?zQ)PM%Hh&$N+h; zP!y3`RwkFI>1P?=csk^EBUoSs|a}yTMB%`23xDW>?xKqXF48Df_2Z{HjF>5Q9f0_R#) zn5v$(6UT?Kz*U<;Tqm};_3q{1;`Z9E2O$F|E@q2+M{<9 zZ9C9aDLG-uhdT@BAZ&Xl;zTzdhkzn6>GyL49d+p2pr1K8moHtaO8hi91-}3|8nMGg zwaL!##@t=E*}VDnaX2zDMcVs3VJO{#gXf4-i-cCxwTNRja@yKCYhKcb1zjRtLY2Dr zb)X)I!d$W8;o+#s=t5DtNN!%R6=x*{U}|2xd^uOP2&oB05xprqN`U2%;eXGc?;-UM z4g%(+f||ma`5b3vpau}~_3h-RPoE-7BXRtM**idyi-Hr+c_3aJ*H#^zqCHrFPHUI) z(>pjmatOp6ZB@8bH!`v&;uVGnJp@eNE=S*tmJsQZ zIk`WpFSxEiGC|BEuW>b%mdjre$JX&Gy}cfeNK_qAVv$s(zgId@9`q_rBrY~K6Dl7j{pZNY zP8{Ybdi81yj$#O0{p=SuVF%QsjUld32O5EHa=euUD-1p89%BDvK9&nmA{GVi;_18>2=uApa!1sos=H>^)e`@dCt$#S%S0ydaq2@1U@G znZh)zPxtFUkc0v^83G#6EHTGu#)7xheE9;uUoRF7p$q!kGde0%A^rhUHnIHx^NmFw zY-M%mt0c*kDqqNTl8%Ib46nF2Bkl0Lw5=Dd!FSETz)UX28X^)F9hx#ut8v95B4O<8 z{vTTbXmtbc!lQe#ZiC(dP@!<4rKuVc4XJ0m{Y`B}#mk2bH1bC0Io#u-^bq9?g9r@@ zI^wb73V@&c8#@wEVi-P!j0_uqBA7f0LWC>nsBghtfoQx&%p*mh`~6lNo(V}&QCs*j 
zwQs5aO%vvnPfLr;&}cK@ZwEQ_dhh_vhGnE(lrjp$B!m`TiWFCwQoM~QZE7NV{18Jx zv66l<$&>34$s(5v7V75t)AuS)tb4Ab2UdDJ+Hncot`hQb&GVVG5sRrazF2> zeN`8R7!%`Kl$+}S1)Pwc0Xl(D@gg{_QCv*SJ7*)XXU$bO!C|5P0G0|1^e48ZSQtDMrRctH7ev>@+D%;oSrE%0 zgN7D*AXjYuI{rO18i)62UjViyOe}A#49Gpl#$hId!@~FBLrCCy5PETV2)E}Y$+&SX z99$}J?seM2HGKC?J-)*nCnRw87G6m>4Ds-k4dg}OOj4K;@%_vPDU zFoG5cM&8#!Zy?3PZ3QCA6^q(PFbpb605jSpJ2t|jdz9=9GJtoyuLCsDD7=CD0yih; zhx+=-2YcQ35pIBRoROuL;ItZ)KWnz5kS)o0T2!5mftx%9&i6bRI7pbN+RvYb#KZ{r z%N+~UN9fp8lo$>sCV2|YFq@c|h%4-@1J^1>1Bee++XDx_;Akn1Hgm-Se86lKKm}UE zIZQdRd`I(BT+=4)FK}%QqVn{0F`D{!V^|d+);cf6y#FW z6z*6YHz5x37w@9=9B02A?cPxb&Hx>$s;kh~SLOWqCLm_-MD)I+JXRzK6Vn_r&*(Qi zUJ2{kh!W$Sh$4+6MMhB$a&mY5{b7^$p~9X^SX?O6cwhxg9+}-bSFgsPY6tOaQeg|R zLsNe{$qf|_N)Mj(gxKbZ1vh!T`_Nq~&hoFqb31DQ^U1af8ww*kyW7H~$=-@HhzSPXK&WG%_J$!CoBx=ct~Vni|A200D+N__R=HC=?t-v9`9ZtggNY?=&gL zq7_`)pK=S90hlyr(@v32jvgw+5&*Ds6hP4;xEx4?r|i?GB&aJ0X-WeS6mDu~9UA2XqghE{-Mt&#Wsq<` zDu`MgI`-r?5KRk#FFZulrMvm+6D$Zcu?`*rk&KEh&^bA`(rVMI900f zJHBsZq*`MR`V>6C)hfy$&(nk{1iE`yfxQob_Z1-6mIc;BWyaoCq#(<{^KPE6lti50 z_xK}5ia_|IAw(h0lIdQ!AP^Y@jrc3vH{=WXwk9|ygwJCB;p?N^Law4cBLSHNo_i)$ zWkmi6&iauc_6i(2l+h92H#{r}hYcAptMv7yd^rk0Cu*m*G(XWGL~f*HLnnY$Avi1u z4;LuKw2>EaUInc6ET!9RE~2>DEnkUWT-*T^ozj4sOEW7&PwDCDsZvn}bfHPLaQa*# zn%6H>qi}*=*HXh7b(=HGJCFvXDx&m|^~_E;ONyQ?~;?7%Yh#o#{RGJ2~ z5e0IEPx<@5TiI;ZUGnG2{!`TJs0rY2xGy*YXS@55bsn=zy|}GW_4%{$Dm|=lI9PqK zEHD7TZ^;qMPz(~p7a0V|)LMEA)^OPD1S5lpvr(3Wi3PbO315aF+=`P>=M7wcd-W(O z85l(M*P`A41fRkkL`Bt#IzV_sb2Q<$Mtx(Wi3jKV4<7(lqi<_4(0h%hX&@ux5JMc^ zZE7<0*s%AwGups1@&Wb8J9vU18nG<~gmV_7JTJ+Qokr&8PXgCQe?LCDR%Ypu=5esD zs~^IS*^qBs)n+4c^YGZRRk$Y!nWWQ&Y=pesD!g=0g#r!0_yCj>O5f1XCx_NK4l?|Q zdn#-o{8=D zGvor-1IRK#jvo2rg?{LS1mQCbxR!6c-V( z=^;qoB>%85)^-#7jU;eAgH(AH6<;d;T;`xxe3AlIFnDYnv1j237le?fTO$w5(4TGC z1kX^fqkkgwwzD&W3Xm%}6{W1Ew&Mo;AzWnS=-ld(KReZpjkzjp;J~wR1PT@M{G-iD zj!~<`w`Zw8-*meh{R39OL*B4qL+%oGWtJxd$#j%_b}}LQwwrjU(Vm^fR)MXPby-$c z7SmV0LtS5=qrxWjKb}}mPdete^(nr-Tk%-~Z^8kWT1GtP3dyI^p*89_8GX6lW5Rey 
z))>6~e(TcHVkkku!DTk#_sdIPCPHQ}U!$9um7Q%|IC^n2300b!19HEEIB?t|T%ARn zQ+RK435Orr*^fIP*?h$SClxt4@AV#=<-Sj47SaE_re!V$YGL~25C`w;=-H%tnPgxe zW?i0b_MrmcSKD+D#;NgL2CnbcwCEfmE92QO$NVDd$*~~M>2wYp6_u6Lu}oQ0N;bsM zCPNbwc?$ILD}|#{|ByP1oC16EMn^4jiH*ekmNx+pVe{)nxVH*N1-0lg$?#{SZKP!5 zd{xu?01f0S;_t6fwrwuqA!Y6Tfecc0r&hTWKupp*QPH#LLV}PWiBEypRb4>+QWD_L zUXD&{ldUVH$?%76P>bWSHFBfz*hT-SLAT%hHwG}o%!&eJkH4Gb% z{Rs_fIVwR^4DQWWls4WV46%IoOhJ{hD=p1`1ya56g6N){ik`=!JWQ+%MZ zGC29Qe-O8vN%4dm1vAPGe-iDi8Gf36>(+jZ8tocAx}`nJtK8fUxk2#(8tAW4E0HdV ztKi7_l>>cJe0iMe(=N+S`^k2a$yUxmR8+07vM$4EN4tU##$2g2uENWVt$bfFe(PY zf@6M0y!s3AACphwawu&SNaUROS=0|X)`GM_t$xFxB1Cy&A!rZ*3Z;%16m+Pv3ou6zgUSrYpfC`VLIOo> z{vN1t^5j2=zw@cO@7CzH#RWh>XoH$&A>ll*Ee3`5t&k@-H&9J(^~0l>HqaEV z;2_ZQ^1J1O?`o9Ykptl?8_*4 zPDPffxS+MD-wl69=9X8LE=Un0lx{!5T}EK@!wak5fI~} zVMcDQxRh52glOUjJYosx9xH!Y9(og=qQ@HxZ0WH6E_((n9}!hOkLMB1P|jDVK>4E& zpXKC;N&P>>y?I!Uef#!%$&@igAyU#TAu6GClc7R$QkfEwGK3H*w<$uJkf~_UAQY9P z%tIxSLS+agQZkfATAwq|?|pyoySBBqwbnoD`s3N2J9S;>b)Mhv@jZ_H*!TSivwAK` zs4t0;_Ihx9$Bs^0^V%fw=YW9TJmPu0_1;snIgv+YzR7!h81+1z1QYr1^j5*p!QYCD z!vqB7=FhT&pj}H9w_3MS$*!%K=fx&`Y>}qVObN1}%mT4FQ4d~c0 zH6LTI=IL}tPf0+;H8D4@3RIH`;7&#d4w9EIc7pNYC2~2-)4^2)m=W1(75%1R_BxvP+kxfvTk@*$s@91QK=0` zNKCx^EDLHFDyhPmu#PhjNdz7{emwWFIO}E}&QDjb9y{frwdF2ZEWTqH23#8X621f< z-X@6+C(9!`5Krkb#irU90#`R`qY!arF!TLqg)O3yLfw!b_u?)=}s{vSV22;sNS)c=p4#`Q7T zXD(@K&Tp&fspmxdo9n56S3moTUl5N`RW_U+=kWKP`FxUNeoIXaiQIvh80Adqsft0D z%DVf1qB~NPmQSLdTsF!!dBy^|=Oo{-F2?~>cm=A7)Z|)ERDJkx=dD7AbIG@4kdFgk z4sai9^z(yt5;Wd?88To1*+m20sULyc|8B>d=d@7i($oS;Yo`Zf!>=A6DtR z+FFk_YYLW|X@%t$#~nI!NPcNTG*~|sC8^YurBXod#S!KBD#^CoV-88+g#F3OOG`g+L46E}Um?p~sucHMUVE!Gzt z(Ux=B+1YL8^aPEK`Oi5QKp$*N{&HtUXm zgx;mxL^3qts{;b_zofoRG#X+8wc$>Ab*|;2?agR5uOiZGHF_Km52xsMBf$jDLNJ*u zXl$|C24Xp)X;`wsniB;RX9c436`X4niOs=%pMeoJ+}P7sPF7AXfBQA(d;6)bLnn>- zyP{*P`If8*Qf)=S46^H@vjW`yy>7_5wQCm-AxwgFW1jNv&R=E6PHJWOi5q4K^$BS9 zc8XX-1r{|gd^JGkY%Yb+^o2t3a|(vU*E@_*HYtu6A+Vsw&GmXB@szWgGZ}_Kh(8D3 
zMph3MplSCFcrt@#3HTMyjGpk^lM`+YTPO!)#IcoEt&64Zix&a|)}Nx&_J>TNvgD@H?Nx=X$0P_bi?|W5y0-WlFbHjL_K@*_VZ*enqlh!Dt*r$o z^y+|ooKoGS6V2GYYOcv85I)fia&#-YJw4ks^DD@`{51IRY^lUApI9OtV1DtT*Ml|o z5;OLjnVN!t4!SW3!$cu>^K1iT1P@aY+M4{|%Tsb-q1VVf=j$9CJZ=UDC)u{9OjTti zyk=c86!0+3oG^0S?0cT;NnyLVpRI0FKTwMT8_XjM*l{QDFvxAoLM{ za8e$w=eWUEFR;b|H7?Xbz=vuZClhSPXehEY&f8mDc@ZRw)?B%QEDL9f=tWjGHg|P5Y}_c=A0b0M!~=dW%+6rx(E?rw zPod+>A!W_2wg)>Es4$jGmb@cgESvFgQ7s)6xw0m3M2(i@FrrFbPo!ll{qZ<-o&iQ4vq=6O*@iR_-A&2wUI$BXz{gx!Y=@FyLxVmLLnT z7!Hs%9W#ZTM8C-_J;>Jx)JE1zVG#;dG}+OS7VKE=H2EnZnKX`x4iM^)J>Jd9QODH; z6rIH(XzZ=+Hq@31oHDN)wVnLGE$U}9av z%ln|NNL{hicyWGyR8yvzxp~B-Ot4@$X|Ul1)d4|mhdf7gxq0&@&2vr>Rx6y2fWljR755JSn1G2PpL1{CTr3R9aNMp6 zDoO=838Phe&0%oUmely5WHIH5M8FA)Z;EvLtT8h3 z>u|I1pi{t#f!HnGzyAoC016N|3YfeYQ1$;x;Px!wApuaM(oqb;jVA$qG@FoJqSZ?+ zJ%q?fo2&|LDaSY|*FxC;0Qk$?inznjjF)p;VSSF()05|jBF7k_;}+fI%0!C$kH1{K zcCDqUX&YD`L1zCA_^mecLsW+8>Y6^TUa}-Gv}`yBRmyCJRIp+0kO4YGfIr&C-q8x8gnM%X7Rdx;Wm3aQN9oA5q zy597nC5K#N*_tl`4)%7mQ&ZK=9e0ce^zZ)xbM#k?xlyC`oln_tYGUl`Yqn1}oF4i> zZptv@tA`wR)23E5xL79`uOB}}ul0$Xgsv|pzOYS1JqfNwa)jyP1P@t;F z*5OR69@e+W3YBNE!7h!nNl6P{PZPz}des>&Ua`VryVLZ=kCjAmW1SY9+S>Tb(mOqK zlf29H?lxK6SCo9Y8M^VFI@O@IV_cwP_li)#fh#L1IXq|<6hw}(IuiHaUkB_{ zkDq!`cKnJbY%L-zS`>}?9fF*ce8_z(c@Yug@VE{RcU%cyioRe%{c6OPp>I^xR)BnR z?z3rx;Gko~RtFj2ERn+MEOx^|_}(;u)Y?<|C1T6$xpS9i5`H^uSUw8}ge#`eviJug zdb@vvaV29W2(Ko(Wwf3TKg&?;ym%=$=m86$=?Dxif^sfBg5o%;Yc@GM?qg?q{((dF zJvp3dgyTo$TP_lmJsZE+ZP%l)7(ZSBZ{YmUZn2&m>uE5K=+6}(-$v0Me&fcC_wt*K zjqg%K+4rT5)rGV zu~=RAEW$uf)9LCrayl5Rn7If^4rd~9=I(9ucrbxK*VYn8vHAi*nraNZe0^JUN}zdo zz-V=CQP8aME)V}2!#ZGtFyD%skQ;9) zJ=lmo!pITWhf*QOCMIUmN=1oDYk;>}N{_wgeVYreZ-8g;YY=7%osn?Tl%emG78f@Q z^DeakM;i1+qM|YO^3o!szI03AV5?`91vgHe8kU@%UXYjf;Y(Do&DTvI%FDkY&r}38 z3|Wm;S*CBhp(KWMVGd_tnIe=8_YeqNpj#Bgf`tu55oB5b6uhpDjL{G;N_O5&Z!3U~ z5ZB99DxF0_rLW_b(OKav#US$kUH*a~%HZcS$OO%`FwoP+(s|}R`ah*-y9IrkV(_A4 z>e_y^LQ)PA0UsaN2@q@;=<(m(epka}y0gZMadn(!#&_Lp?oIi|7vH;kw~j|?(X(gk 
z={R^A_7wRY@A3u4jZxAM+IxANy{le<+|rrirJ|xD?Y)FUmVB}7ITHU8xN69M0zw_)~da)8+`ZhuXBl>h)wY+A~tjDJfRyjKtGJVFXsk1M~Hbuwz_;|tF zh=AJj#+JYFR+3;oN<%}?@DL44if!(Jo}=SUsSO)BkI_NGoxE{O7@cFaNSfS6nB#%C zqAe>vOa`+jUCg{Ub8xU_IiShVy+Cyrs4JfZ9K|8ke$k>SNJ}|+xy#ubzZ^l^34VqJ z_V?j4&1cW9xOn%6{BHV4^50q-R&`wa4Y{F1dAC>R%;o=d*>S~c%34-6Ng7Ef3zDv~ zdfTCnSX|zJJrrqjf||1Qi|2(Sqra5YWDpVq$nnip`?HTkSgjzD;cimx%rP}}9>uOz z{s2v~rLnGH-B3x7H`hyYtEa6=bxyw|6~y_?>VRTNi`fi-VDnsMi13S&bMGC8VOY!HwVFTwNDM(oEV6dB5_N~67%WI;kskStc4s%R0L?A&uIaJofQJbkJ>uB^=qbt{xyKs8w=2C zU;f9KN_78S_V0FKt{RDc;g{cImid&^Z|aKyMPZ>Zb7$DX4r9i+N}CHx*qtr^62-<# zlN#N~hX45!i?q>NTDYh)#_p{^$cW=~EL;MbKWvhhJGkqSBhTqwXE(j?71R3-=Dl;O zK}{bz@GzSqmb<#12oJ}Oes}Gk`e)`fUL}A$l<^%Z1zED4&rxMBUw#|+o`ug-IO^Xt zGRL@r2AsRQ)9Trk-phy35f%F9#BTy&^wz^acObRE7FOf?Buo{BiX&qCL=3pd@HE=i z35)yYIfmH004f|g<-)&kM#6;ChWJNv#|mE7HO}cE7`s4W*uGe`#wx*Hle0l*)nHQI z_Gh%g(OmESAdKB0ML| z5eyG$I~yN1#E*$5Fk}RSFvV;1<%I5Lx7L+ZX82RPRv7zFfM-10>=50|F2(HXXs3 ze}@rsEU;!BE%d@mDU=1WX-!QV>{tOJFgZZhbN`TB-og~{AR#ZW8- z&TbhzOBi(`F3Iyu&I`lNi4fW*HU{V*9}B7GVmt7I`|Y!qYsITu$6k_6)vWA$^WME> z;2u0sbgckMAMb#avfdt~QN?c~j)4_%C|+u?91K!S#Lv^err3E9sSQ#`mi_67h$)av z4Ba7_Qfjw(WsFr;|B-+<1F(`XhQL?p*np;+6dnRo=<_eWNQ!JK;YWLlm?&-wDAtAg z2Fv2&MjFgBg_KjIHXY$2&M_Dfm@Tl{WwZ9N(iw}*Tq6t|I=l1gQxShqhVz(#Rd_M1 z@Evs(Vo$5Ef$y`MKc1l6gf{gI_=vU27leYr;j*pdV{NS*Mkyc@AnJ50&}~heFagh5 zLE;B`CvWJ-_U5A!xj>R@a21~K+e=IC009H~>~_|8`jbTl<9YAscbz-V3!Sj0DeRnA z8*Sh-c$uHCFI1VGVRjjihxEyKyD&TmC~m}*`-pRs0g)28obaVtnHbr0^T2sgzZJIW)Y0q8T+i|U;2we^ZA{U{<+?dWnmDcf{K=$#)xs>7d`}c3s$;7P__+|MQA07nNy-`+6FKF7V zyh&VSvEY)STfR_S>t3u=wHD~MMH=_+{rISRe(1hv`wTgLU^AG{Wrx3CAqczur*rD-<&(Y%yJ8NvE!DI{xeU^a&<&}{7T_hM3K1!t>bV& zp3n54y#p$quyumGl9tw2*dr84aeiOa=jFlB%lU zX71bmdy|vXNzM+4LYFVEhn=7@``8oqOZBh?>X71%jEvCu@G>>+xoW^ZV_DgzGKxQo zEgFrRib_jcs3DA9R;_Y;z0|TV-UrHNM}!;d7E7jut>hFH zWVQNP*v~S?Tt{q2%e9S;8U_?{#X%te$!^}`57>A^ z&?pK_Wr6XAX~rr_Q`R7sNYaut*;nA+2wO4c^fLo^yTCL^XfX*efOjuUQ&#BLFNnE= zB+>iSMvbbS=2ldksK-@y>ptaWdfk{+J^F6%H|T0&p`4VZscH4z>qA9G8oliSV#xKK6F<+@%ueo 
zK~bm?t*!M(*E~71lM1#&ma4ldgPA2aZn@b!7v`4=v`Z9tbjPh{&+h#;hrg!RB6te2 z;B!LbVHgwCp`ZD)F2?bxa8Y@v>L2E`fBF1OP5D*`Fb zWk^QAj??)OC-Seq?tkYyeW$j&@jBe!W_<7jspyo;$X=#?# z{E3kjqc@?nr@LD?iU!!>H+_2bDod&K{kS50!a70H8SM!8@<^j!EO&rI@@QWi)-FDp zoJAuNcBg7wSHd@SX$9pb{O2!xM9q6w6l~N?I6pDLTR@`a>L3lgh^tw|7f;vJ)Wj%@ z)lYIL7}{}wKz_Wu*)Hn--Md&XD`M23jUUwDJG`fhL$rJtR9l10sAC6fI}&Iw|0{0LMKBf>cKD*$5Ry%}Al%$}#jw-D=eo>opkfI3d-cjGd@gjT=%p_w zkJKI=E!1h(nrI>LXN4`y$$_0-|MdySD8Q*y!WW(Twu}#t1K7 zXA%Avy10Z|sJWLGMZL;cvJ6%HjV(Xx_AXz#G+t5>$q-9|@?Ygm zIpFZW_ON2s+=?um`}R_%e>f?8N}tasva~_#04goj2ApPK zxwJdFb(F(D7CjzjQaM2wFG}S_VB_Y4bF@`t)y!C=sLgn9n(r1Chb`2GGQ|K`k|LZ1 z3QB+}0D+(^bpkOkHjZs9qTv3Y z7r+CYzCDAC78;5BOJ#Xu_2#@~1vTF>2F>#s4Yn5Aev~Q9rm-Qx1yY=~jx9SJfnCD= zsOM5n4BH~@Q`*JQ689`7>wRENVY|=RMsP8X1ORR@W|#2x3#P>=>A*+4`VX9vX9+H0 z-y?U*fn2Cpdv@mXbyszR(`MFQ<5LNZWq(cV44#e zWh&deHlK@!F=r;s;lUut^J^~LCxsDOca?LOYPIi%!Q=e)Di7oaIf)Qf=WFDhjfvS( z^YV}B4Y{tLtE;!wOfxdkR`oZt%8<34HZ96!j@4z}V)k|;{uX_p7iwV^fUE0+Bhg1u zy3b3ooB?E9+5Ku}X5NhxbMZ!b6;)qTV!hpuLL%c7jxsqC0tC!rtmuOO{RlmLSF`_XxM!M6^|W=ITu zxp%Fcbfiq{;d|FA)K~<;;&734hhM{2Scu6(uRklJs4}T6GTi16yGiU}ljILq>+PHp!tJ<2L>gu+)U%dsM z$O(&0R>}Hv%Y;(t+q?eqz8gf5XEoC8j}8r6=w|k~m)WVntn((NXMWkIxR@9l@50*U zFHk`FI^WPGSxZ0H!7cICn~L*K@h7`|q*X&x6NiGOjV(XM_N;!Du`_*BCW`p_`U8=X zH}Vd)*IXXPfCxLgBOrkKzS;FLbByi*BfGh~PX_N)#F}Bje@cI&)NSR?3zh}lD6*?u zxWdH+mms}gv#KeuOHP{5go}G}6D|t7sh8sZ1KVO}9h~S^R7HBEa8`c1nvbbioEIrp z!Q;ozpQ^9FtwEHd`xMzhGq(y|~%UTc(EKPhza z-fa`C9w*Y|8u5%7G!4I!YW~&J(%Kj{&QxSEHf-VfM9m*ZOB3pQ%}a6++KQyB0@AqD z6=aKIY2^4c>vMlt6^->aD-3_u)SNsxB)#ON{k%{8EW(IuDgwAubX=7pkn}URx|Uvr zX-$$YqexP#`6Z30wby1-TBrwnLrYH6WmlDW`e`n)n{I#*`K<`FZHP9PH)?1p8jmHbis zgIx-KzP%yua3;#Hnrc@^UqAem^Jhe$fa-q%Bauj>Vw%jC;Q986E@qs9VP#<_2MY5K zK=cYnNnh(z%^GqyT(5Y1atX~_Y$Xe%P`xZ1<*@n40g1lZ@p_!CB@r}VUmVUpVP z88cvnBsWJ0p(ZslvYcMR@U#0*FS7iHV;>KXuSE%mSZ1C~P`u<_&$U;|u@MR9yyc*bcm~^xrJ_C{|K5w4u=Pi%xUT?kWR@7Inw52&G z^R1HMp9MBHk7mlt+c=S6TBvDeT+%lOJR+-MA;D|1$Vj#gC1lau3@sj#8U9ZO*9z_2R-Q5N(^3Q%MFmh&JZyEmD6OX0NGo7V=FR 
zc2uWNoyrsVLd}(*0V8H9wLDojZ6!&v+s#H9sDbY)E0^H`RwcVLx6+yw-weIFX%(;e>+U?>yYh^-Z4EbF3{}y`7B&aBb(LB%I|)ApA!x)+7iMfVIZ2Abgn1L5t87MJJd&0c zHedTpq*2o!pV-+^8Cy;AzEXkW$K<|Df9;;*jRzNwsW#^Tqy2cvJmK3EyL!R&X-YTW(W zzb%=z8*eaOb@iN=FE;}u#B>u7xZq%Ih+T?58XF~g_dfsi9e|!qJl>G%>35dp+2K)j z%%A02EpSI3-+K9S0u@Mx4^qWy`ir@>{mY*PA3vVvS|IQ4s2DUr+Qjt!02vu+8M~Su zx7gGtPdbGkF_no+*1y}oPwx+G)5 zWT&(&Nz3C#hZWVAsmvDnIjs8lC|-Gp@~p6gnZyvOKkt;m(D1!LZR)>|sLnX4>=-F!xo+${3k%ax4*nONMBmiS%zfLdA|8YU zTbcfj-?1b6%#vlxHAjaT|2xjx)&nwK2LvD_E4GlBM@=bze=p>f@4)HJ^A~<8UZ3Sz z*;{_8i_2ZzZoNM}i?`mI4Nbo7_HN%$eJ7HOg4?&+F8?SoW6>h>$Lo{WCFWLExnEu+ zw_Vt~chV$}#`pIUi;Bi)XU#cb#}HJ10-ckEg3CcdE~XO+h3~|kqBLwoYtQU9l+am4 zLK_|NOLqI8twM;HDePUH;_F-9796+Dt&wwcvo#0~4GjgclMITF7lvCWwtN$bJQ)?( z(zHS4?3F7ALR8x|2CuEmZBRDbUb%_f5R9gmVrjNdLA-Ule0$UP1s)!w6pv5Z^!>|= zHTFyI>}fDRIibn&frPTa{K)^}X!oD3k-7r{{e=swHwOOeuQqX_Kv6KRc=vAjf~eE_ z>tlh)RaN({>Cv+%h&B}r?ZbpUJH(8V=o(klO*!O$+8{tHb;hzTDq>Q>#%itOvv=-n z$=nniEOBaLV&V-gtxA1gi>|aQ9Olm#zybe?0ngb-#WBB}HV)Nwx90@gkS9RT4~5#% zF#CA7t|E(x`*s*BNFKIGdwu)tgyCmGhuECoAFycNy{nM}z#os!QgU1Nc0x3mAeY_I z;TXVM#@w-;DT*tBgU_VdWHPJ=__#zzuUNSfVv$Cn-)7dFe=b6bm_(vTbJG1m6XrMnH{qPVW$hyr1%4qUSvP+0fwz`)JK zzOYYY6cwGpF~f#2$m(f;Ow!^0<(0*rB`NKry}vx)=rRNXHC%W7w-?TQU-NF9Pm7+u ze!EPeipu@4VS{W+fwJi>kY$2rICfwg|0h->w?q`T;Qx-!6d1U{1u$1o6W7tW%-NtU z6F_s&(Z(h^D(Yv@<86@YF^UXzZ~Wo*xw1ILrPVd!cY(nPDNVHnm9!2DKF;1BFw$qq zT2`}g1H!E?2%|qh>yp~8O4yw{v{HI#SCL!ryE}U?;!*Xo>20qAU{OdmP>mT6kd@W2 zjshv)NWaL_+Y$K-TzH5Bq>Mb}i%nx-3B5SqL#<(ELv@%{(9}8P2nnZ8ll}ho7f2Ds z1~PuKb2Vj{ecWMgwF_C%r5V_$zU_Ty?NGtOnoMDau`$3SA)H(mS-?+;7?IKR@MD8u zug1F_!Y3m)LBF4k5tVf9DmtozU2vy+|5| z)BigAauY0ZCVQyM?7xS@CZM`MIew*7tE8KaU+yhnh@FDo&TreM{Qls%{;U4p#ls7-swNlAl=rFsi={w()+;rt{d3R8&JMx+ z5RtK>KN@<4jmmhcmnCR#1QD2VXB0=T{kvn*2w~a=~ zHIy!{vF=l(HDmht|9q_MmS2slj*;?Kk4;HR8l`_JIr)q%6i2D0HoHni5mAb}ivF>* z6g+Y|-306Py!e^x6YNEj?cJT7!JfuJfQ;{jEf`*1dCtjkLbE6}HOy(E*7RCu8%!L57e%6@dA1Es7BhFXwkp$FvwmQ6Z(L5H zD@MquV3G^z2e(%^XdMq;gn*kCpzel 
zLkN}$K!_RRj!d4av6IUpfwF#pU!GNW(PBh`HTuJ&CBNxwOr7OnvURJk7wsC*sj<SVw3tGmYv~^woOv>eUx;GZ5{9O=WBx=RGlQ>C^Jxzvp;N zSa}+rWqP{a{J?b#+ae?OG+M~;^auHI;;D0{Pp@2aLw$t&iGBN$rDpsio@xyhCHlgF z=)VqxA4k_f3dYgJ(Kco@?H>&d(_g>7f1meVKOvUXxNA;$(Q0R#U7@iaOB^Q^f7;Vu zuhj&MyXQhNikshdsx3h1xRfBQ|Xzg-n47hZZV&Pl702?JgHZtYwbvSH+gxU~UVeeUQsH#VkEg0>y} zYEjSji0YdpAF8U|MR@Px6-HctgN@yfb`{A10|Z+W4cR+pvCDZaeIx3n#E_I+KsU2UzcI#w<&(MONY z<4+wNj@xT`ty|ZlZ{O2;Ylem7*fbRNbGrzqbZ_4V%iBh@7$k;8Yb;UN)$i;;!RRJ-96L*M+BjR7FN%Q#`uuyv1x-6}^A@O}$e7z545GGyZ{{m{s8+~xJKa1scIn#mAy#p*w{=aDUcU|OH#KGP<@pybybjgwH);60 zLsH$QiVycD*7PB&M^bv1m6R-V8NYqVRNjP(Vx@O}er1L7meavGh24hl>UXe<*pj(( zPfK+xd{L#gWB`{dCtNNl1U06BMd(;$4w4oZaBEOs> z?QzyKDykd1?&W^88nuMj$7XQf9?eSy5H|EVt-EP z<*I#Mwm94W`feP*cliF&%NxCaU9r7wq$%^IrNL3ypu0ZpF0h=W zof;s}mEhC#5M6yTkl&5P8+ucn3g2$pv}NbjW{3|j6&}DZA-{P3Jf);2R+c9ZW$7x3 zscnH6mtm#QcV@xcx8^-M(=C6UdGzeA9jwHK!b&7f(S2(~gyl}p`amFkaPN20t{tJ) zyQR6&RdscG8{z^JTz3q3PeX%-6Rl-fUr&Wqi%_QTVC^m<(wVg7`Led=-TA1qST8&{ zcpx;n=h0h>X&G{v{O|>sp|bBloluC(4Lx^w>C6Dk4Op(4$A!yuPLb!3?dSrVQO22@(OU=8Cl8 zww(TrDJnz!a`N(se8?Zjoau%M^9L#;{OmOa6H3^0l-nIMDpo=Ag7@3-I<;ADMY5|2 ztvPxHrY0s!#tcf5T@7_aaI(?|C8|XvbUZwGhU|nVm(ArRlzT@sLE$c%S*uTGL!asE8;r3y3$xQT`56>zT z%?GRYlaT>L8djah0mTb@7#JldZ!Pv4T4xksVC}YQ6{^Zl<>gO6AYk^F>@_npb3{5E z@HT4s)^7@LxoTGJ?n+OmM`^Y%y$io6am{MsJ`-vo+|&a`WH5$fu#0M9@aZ z+q!JKMeA)BZBnx-KwziYy<@?x8&t{K|53NnWX`9h?J zP-jUXo<95(aoz!50ILuxR%bt+*>dM18C8*pC}lQhPFFwJK)7F?oCtYjbM@8h*G~?e z4V449UNnZ&2~Ck`h2fZxWn$5Xhl|c*VMzfay6K$Ec6n%~6zpC$Nx`fjl>S#I(LT#% z^1^~TQ=5v%DMc|9jMJCMN)Uk5+={Q*q)^bT|p; zcJh^n7oE15H?P<3sh*FVlcW3M(>%9twBa%sJB(}#IUFC}b+a}Sa3%dq_+>UU_%wYR z9+HEWWC1ITEg#ndNr8ljazIzG3ktxgX84anGH0cNPk%Gw85&E`$SH_SjQ_Fe$c~HF zRw&RUxO$bz+2{Mz`5iC_84VSm#P8t2gTLF_j6UkM5i-aHmnPe@0NW9bmwu~V)qBX0 zRefg?G?)BYU&)XWOE0gq@bD5I&k&DDud!|>COJ4*brM179YpfWcS|Kf+Lx5%fnAEI z4Jti6VIL@Q4P$=7**mx}3`1Ndjf$Q;dlvOPHf_FxgRFk!>4{=DxfJ#+(yQ^CzbzIW zqgfyn03M|q2sm_Pf_15WAxMT#+?X&q3htG)xihSaoE?ZWipyd8*eIC>erDsXD|2>GoyV1YU}YGqg6ZK1WuzLP;pYUWwN-4 
zB#P*U7e@hmh2r(jhwp;VBJG<_qMf(adU~d$ruzJa@)gn=J+U~qReXk@`vA>c_+;hCAS8q0+^^Yqn3T_a+&ubk|x5p%U_PP%omZsl>=XK>gqo34l4EF z8y~Hvj1bui)oEoO3U=U&vi*8zeOMhwU0z zwkK?OMr&SO?IZ%vs_4CONNE1@kRRjl!%%i@+Lm3^$##6INB<|!pVLOk-tbvU5c2tV-ti#Pu6$2J~MaZF`g$2~DfBA3HxIqh721V{`Mt^9c#7GfsIA(Y{;u zI_sS0eN*#-tJ|8ddER$3Wtks)r1E0QlP@Kg2g-gM-DUW$iH9iW&sf;cpKo$%AC?W; z;j9|&t;mn8h{0~ZqXG>*y}SgYcJ7Laa}gwElKvnwWMfxda-=+mVunw%i>f(fH1HaP zoo*s9I2YvvMyV=c7gM4q-bJwn=h$1dGg6Ca52wJuJhA02x-3Aem`zh-zwbV!<~DIkk(Bt zJ;1`g>o58BtG!~^mHrSsgN4lT;L(9rnS)YCEFLqcrR5|wYt+|)8veU?H$OggV!*^* zg}vpfzf@J7I(_=gryY#Rb6c|}@y8%$I4-*99Au$pRc|!(&>Pr5!6EW$-a^K?A$Lm&W16O_8X4Ui4=_kCfNkm!Z3iL!@HNqUI4i zn~OEo)K<^|{&Br?N_`tQoqGl>VR}K%W8DPEHTWXVI?W7<|H1{NrXHWeVt1P&Jd1>? zv-XsK&tJS4xk22~@t|pp&(Du&1Ra~Aly7|dw&tqS&Ld^&Z&V{5&6(qK_LC(iSnQ|a z>~r<`F!9h-(lx*)y^9D{C;aSpknm+?oGeeWMFgb+#|gPN^%=wuT&iEe=cd@1)fvhT z;3?nl?bUT77~$8EMl<4Yw8NE$&z@QT>4E!zH^58=Q8m*9AT&wA4+;#d2_H71UZC-_1yu!? zf7Pvdt+J$Yak9PqHY4A;yZ1_1|NL2I-!1+_`S;Ca1uL@iDZC)C#~-&MMFW@w;_=Riev153-`7&-uU)AX282mber-oqeAjqf3EcsVJjxg54>&Gwm zA2AV3OHR^&efwyor;yQ~>@N=c__C`+gJ6OT8=X`K&#SqGxp^arS7Lz_=f{nuh^Oh?YvqxouiZEaFTihNwwx9{K2 z8n~Oyx*BzQY(lo7D~>!@Hnldqc<1`qDKg8k&z=9*1&QylJ?k@G(fMs|Y7+1AFEw+> z@htdr%u%Eb{$sXZK^3K0P?tCuOdO01lG4)9xP}LN&dDAkvU???hHu|6*>S#H0)Z2! 
zI)<>2?&sf)OPQ?z33?Y&*lS8VA5uqh5AkG@l$O@PqGE9CO2>jwNWq+aZp%&`Saa1# zfq5);K0XGvvw;9A8Zlr?@a`!dpGws*+4s+@+}!;Y`KxFB&C-dmA|rnHK4^sW`?V8T zi(UQrA065Gpnd3*LO!r~;kqVc@I-WD1PQ|wK+1>T$d8>Jo`N+FmMk3vWs#F$Fe?>;p9-us%CIX{j;>w>Mpl*DL#DfkcrWx@sW@SB(uY2%HsY$V27!*hT;A(e2dQsH-)+j z>vr|4zJ#Sy{IwKK8MEs0mImLHX*6=Ize|Y*$;w*Y2xSm)#mUZL>CdPGF&xONWKwUP4QA5j&U^Hzizvq& zq$hfh;F;**!2m5$IZ|06m1Y&k?F|Q*U0I(%c;-4f`w{kdkwcbsO@Mg^`& z^qxC=HuU?GJc*4vjjW>9O!#jVgO2S!N#V|#t`*Gehs3>JZzB^R@Mw@hn8f;mjx`v^ zh|xQqbTp4ei-DkmE7-u0G++AnAm8?y-TY{fk$30lcS_kMEfUlp*o+-JHevarK_Ws) zQG!Fao$o3tjHi1WFI@Nr%6P@AUGo<#m?LK$sHhxaVrOfse#SLtced4W?>mrITFEc~ zeMT)vII!!T0Ivm~;#NwFcTsBYel#yeW5vo#Cr@5KHR*G~7e^~A)2$KJAF7K_G&gsx z{}mqAu>Vcp&x%s}28>N-QrD3o!w1v# z<5S{f{0D{x#&;Ht8M9((>N~rJZJ7V)o-knOU;JFYApMt&C3m{%p2&h1=HZdrI>}#1 z#nb3ZFi{s0QtYpx@vq;0JbCgYrI(n|iWPB_BTkm~+PW3S__P&uzg}f*?$g)0d+$%= zJ#*GXP@eLAqSDPB#CP95XFhIaU0O;?@Grwj=l{PX_g}y0Pnd9c9O-CLBDDq`TL5pB zMZiY?dyZeFmqc9}CaE`N%G;cr9-=ta98q~q&G}EKAusTnabVDJ+n(3M^%&Y{q0rB0 zXN06kv!nS`iD(E4oJZLsNdYIgF4$yM%y!cot1)#{;foh~y0Kd_Q+Djwo_Ek@$35qR z!wgRTTK(a}MbYH5S!IU~xKv7tcfq23xGR`b+&l`PHe%lXd(O;-Wr&k-D|35lmeZ_Ug z&|2KH#qiZ)b)$(!FmP%g5!JmgDo?=bs-HM$<`)8VE`8weFijdg zf}GszZ9_1!w~~)Z?XQ52j@R*(kJ_F*_s=x*cdLUTza`g z?##&(rc94MY;WPfnP+7sCUVkx@#INA5xUNY!3!|(g<+9wfAZ+j?ov}iX}%F(MPszJ z6`!i7jyb)7k;~ZEbuuEcfAwmph&;l?!v$D9B}ouAx(rOD`MvWN{AMMIH0IpSe{M;M z?HP?XOYo^`S`;p&TzrM2!k2%j7}ZZ9BK+sqVH`HlCfsgsAF_PRpy)TABwHpqu@^6{ zad+=6!fPnnD;aHP`~h1F3xxqaQ*rq2nNF%l4%W$!lZp9ZB5ZVnydSdel@tmJ3I^^& z_gfkrIX3XYNG+{yBJ?~`UJ(D`n27vP1_s>wx7}R!fpfCvs8OHW2ankG$&RCV;ljDw zO?1IYiVnqIxl&UYv+Bwwv+b`}C4k%+Z21xT#_;mxA#Wwmd9sK<(-ynd zowpw1R`%ru99YDOy+uR|#V^L7`SdImJQ<4<85Om@t!bTTGl`Dg+ijgiG@M#dB6bo| zSEYj`AWbHwX*3Ag`iZ{VOa}9mOHmy>HFTt?2``?ml~?I#qn5y~oRc=MHnwWpY{Ubp+NE zKQ6cVVRS6v!0w5M0C99ue^@^id`iY9XvMlyTZ8vk~-th_}-A&9q_mmET#!&VCy_f(ji*CMKJF7ELV_~H5 zmc7He2m?tq%~Z_0Vi0e#lZms3y9o{{t`D^rh{VOkY0pF|x-MP1w9v12ACb*#mFn*g z{Ut|`oaX3>iAY^4q!N~~By$oLR~xuoE}1+m@Y-EMzEfe;ObO5XC~wa9kM%kUMj&>i 
z`kz@l3GM`vt-o6~iUb`H^_Z=J9GS8I+}KzZ#@LvfZB-nwf560k0r#p)o>ku7oi`{- zqloiH`35_zm-Giomr+_cq@T!f!Jk@V|N3?7&NxqYhHw_z6H{RiJDQ%q!1csHLces3^r`?9V z&*$)v<-;clMj(~je2->_e+buxeTCfn|YDC%!E{r4%}rqxQJrR6(?Iu-LE z<_AWv?G^lksW1eC5;|7F<2-LysMI=KTxif(8|AyE`ce3B^N564sX>a-UPXG*fDSXG zqVCukKezMnkg4@a2<&SsANJrw?W@5cF#kt&?;X$eAGQsDD3Q_-GAd+bBxIDbMP?#| zLb53;DX1QkdAWfA)82%}oVN3YW|YLFq=o0SoWwJ- zf?8ynJ^D>x8(2QAnFq%{j*dvqjhtNNmN%b=jVAPBMYXI(uhg^(JKODU$(SF3~Ik_Zgwueg3`5*yaKr*BZM%N+ZuSZ5@r9|fpgX_ zqMPW{gVAf;j72M^iz|-`@{) z8)Vxi;L!Hjs&*KPt)Sz}C@63eaN%}5b&8863@*H%+#0X4CA?6v>wS*fj@X4v=TfMu$ zi@_iERN9nE%J5Ms=Y0VXU~p)-9$dTDzFisd7#|p^Fws~|fH}>rV&5Ew(9$0Ubm|#p zfN;?L4chDadUXQL???x z*07z!jR3=eSJ|B4DT-!md;9mkr@~_&9X)zv1CPG4JbO0#T4NO8npa|m6{K+-t`v9! z#-{YjIt{%JY#~+w3$QdG(B^kVa7AD;9cG6waiqkc2_K=IDlaD{wuu1UoItc4a{B?gq|jn6?212X zhnC6>LMNm3-@knuDVdhShPvka=g+Cghux4s_9I)}$(wK&{Y)MO&MQHqi%JCpZ^j57 zM^|U3UVkFmsXPi?IMReR-v77&uMd#;Gg1X&1e>zVWan{<@j0IYmXnAF>-h}KAEQc% z7Mlc7zshoDYy>KE$9;Z?fjG!Gaf*ec`C)&h0_*R_ZIkW5q?J)0v9 z2AI}dZ7s1-XplfLT0dbZYeybv^--%3GF>TrG4alfLQJho#OO6ij; zRARb@3_IO;C|}FTsD8sParhYtt0-3q2nwRUv;?lpNK%?3>PA=?_Mu7wP&0I788vwN zQ8sc^=3TuA(-s{ahNPyOrtYeGm8{b!s9DFEsjJsRiJmd~joe#8qmz}5&fR%;sE4;?IPXh&4ZbX7?*LngnsuST#M?q4Ix>bhMTa#3C)O-ubqkhd!}On zun!Q5Y(26`xWmTAec%O+VT-aCyvaCZFW)XM(wS8FI5oB2`(W1Q)Rx>EprR~uUgK+d zz|y&qJjf>H*OI_}S2#jFt%&NEe)%l};d-r^_$H(vZkO&}`{gy0lj}ytBEi;p0%o0_ z1yHUFzdx(q9GrWHqHwII?aFcJ1pTr40&BoVzRDl_r;{Qdg=Kth(eqa*(7=QXD(s)Y zyDmrxnD{-nc$Jnz@B;#d{t+)+0}jy94KNu67BqHd+q$*Op5$+#vXA6s4FQ_Sc5XG* zf2T>m!6PLVH#mK^;0nLOS(Sg^e02y!1k_Q-rn zI+qz8?|R!OqD*jYq5~&C5@`2IIr7kvi8-JALq;$U1i<|-oCF&Wsv~r0#U2nHq-O1K zHF8bOJcl z_+C(uY79RObR7>0QjeGPp$eU_t+H|kBHNEx+l-$1biO!lAtJD65BxkYF8fxOl}$hv zWnz5mk{837vkGh1dge7fd-u)=F^j}UiEK!sni~_26&5;yt|YVVDGD@CFKr~?A^^Kk zE1O@SQs{T5nCwPW^_!|+;W`V!oi^xK<3~e4q#q@2mn6N59pNi^z^W5#+5RVqv*hH9v)}K zXGeP~@q40Uz8OY8$bcymUOBG*IgyfQluxCzMoo|)N2i!v2N zl3?|U-2X-=EVwcYBAM{4;nD$oh3Z*Li!RdcJGu(V8X}T$Au%zlun<*qPH$zB9EN?$ 
z-;x*TMTSac%<1m0{Rfv48WbO_ucMH2L1ULY%}zI#AEpzjlj!eo0Aub?W3-D>w`d{yMzG z$KQAG;_vE-nJ+*4z7&=Wzv++2h>MSpk5#vmOaJMFnH^jrJ-Rd#A~0v6?(Qz-uKiIl z>Pd{gp`p#GQ*Tdm)HXAciw<4>3$VTaO&Mh!v<`xU>ixwfv4k-m%O8LjvU21dMmtgK zb^ai5Z0Bi6kNIBZVNiCQhffRGTWD@y-=SCeayAm&n#V9$HJ+AwF>%N zpnFzVr-pL!?jdNoS0ZlMG!`i23VhWV!H|r(?a1+>Cyv+8GUZP z$?0hwUEK#@o?+8i8E8fM`JlqkTo-XnY+5HVpyGNaex}bF`jE2YNzGTzu|#%|@Finy_l@?OgzYf;jizMG?C=bTD2c zZT~H0>-WTe|E24 z#b{m-G#Wxvfn;`ea;J`Bqc)|GgO+)G^HB$&Kd-_$kcX`z0Pfn0t4&Y+m`q*PUghu9 z#W=_*Cm|uRe?Kb$4_aQUj{h5H2t;G^jeA&F zhRZz*i^4ZYh9c4ns~JEiW9d%CvCGP+8S%z!A~g#qW3%!`%q%UV!o%ZshX*OQ79Mw* znoepA=-mAKqWeKlHDIyz@8zKsmyxOM??0Y?Pycpf<5zHkw~0NAF)jZ9H<0F_b@3q7 ztY>%>nuH2M4DZYh>StJV$iVFXkYgkwD2R4M$W96}MjzHnlY`Uo9^?%q&js}*lsDeB zwE>kr=i%`aUJ=N9E=`T3k9Mcu_>PiC(>{`&{`}Nkqo`z^zTnsKpQuB-NE#tspv3>CpINwl9tM- zi~e2sbup;9Ko#}=6`zPGuoeLKBV5_PpELuAevnG;Y>sGoY7a9u;_ii^*YG^X8c)Z~ zTZq_#YSkKRJG*0cC{%)r`yI7nk8f=>Rt8zkq%>&!B1*K>1TZ*6r-r(R2Ou8P-~g8a z`k|;H#x`>SCLs@7#~)xnVO8aOwPn{0r_!f8^`iwCB3||0`?~LftfexS;yRfOK;M}e z8;EByyVxcoet!AVZf_)1Q0^eXx?T-9go)5@U5*Z_ib{@Ul)TZreij=6Y?=+xb;kA{ zgw$}i-OR`ccb@FgZfpd3u*XPPoreSn#&PHzg~FTf#NgVvB`R*i>({Oc2nl_@@CcM} z!+&}T0RcdH1i2^NI4aOte+`RVn)JzwL$4WncD0)$GoHA*F}Qr-1?W?8e;Nc5K_~6~ z)Bbn*_>ZACvxn&_6voEu{2+d`9;}{u@jtooX$m}i%5)7o`S^miEy9oruJl>W@i%X3 z8trw79b}9Kq6iu75NNpo3t?OU++kNz1UOuzSqRL{kPAk?{t9g3wv^L5;C%TXHBeau zL-%@E7+^xFtIx&u?elbZC%d@kuV>1$>H*{p4G%hNS6o{-`LCjg> zPm-8{P#L_zy75ot3jTmg|6ko5Z^8b!eQ?I*V<^hV_@L%vNeNBNMY;mXI0{r$X-E~o zrp2_jaheQYhR^_Q2Z0SVY1)u>U7nLG7=WcG21Z)X!^Ue#2iuS|G z2?3vx5eoqeC6eWYNG&`^;2@ws@T(C2fw>IlU>SgYgvihTL46e-f`2o#)^e-wSL8{Q+DY z983%iRjE6`jRMll!Nvx1^e*5%m7cnFt?TINnMC5F0>>xrKD;Ra((4)+godV{3qB{t}x$lX__DI&a+mMYw$W7&sZ4T8Iydu41QZ|gug(N{BNy>WB z0agIUUgUQ2&deXXIl%P}1l#ol3G|9!<%b8F2Bl~5Had9>mRNn*WV>C34zkSaTR@Z} zX$Jax(f0?!SB#ewP&S7!H)Q}d?ughGNAHaC4JmDwo$R~x3vki~;^rPR&C?xVJjTSY z*|_86(WAfHbro!EZBeR0x2K6qx**0t>pNH<1x6dnQg9u7{CFN%FXqTLc(&(X+mnfK z7;4Nn(|aU?W2aPv;17X}E?)xU03`ksqt>ooXyL(vfcHjfYCm#p3}IiBVGA>}_TTxGMQg#~5T?*Y;nRB)Iv9Bck(~|? 
z4Mo+OVp5UrpeW%+hOP}#eth}h*TF%lADRM8t!*;OZc$(BmN9|Qkb(GwR0Q(@oH{JZ zWRf#EtmEPF2k?^m0;bpsoCrfR!oSHDOsmK@L)6b8D8heh2w1m8hU($}>M7h5P6c`R z_~KxvOZW5hs|l$gzyk${%j?5qG?W$=PH?n<2rmE;0YIgsJIzl~tV3fc-z8SA;G-1_7!4QZ}8xnXEcIrhV`z5i%Kd$EHDI`hu@Qojte`#-q7+g8Z zA2Yu2>tIby*U%7ieg7lV^XKkz%9J&nH7onx-JWgP0*@Vp9nsaU>=5+2J_??g$t)6C zs+I|<8JPS&=W}H-nJ0_xY}L2|n%@C}SoI8a2e4uR(j)YaifZ*+Ug!rt$jATpUR&VH zJk*SMssqs*h@NY)*XSIcTYC|KlBC99&3V#HxG|JkjeQ}lpvo) z@x81yzpAPa&P1*Bu4Q0R?(9PM+ZY-iAbk-#H2h+rls{2s4SxtN7+&K&f-kvo+y0{< z8o=|AqNgW;=%Dl6JG6-)u8U|S791D-He^}8DU6$c_>4{V8vaI5YLE7gPL=0*x;(hN zB-cZT%9%1*>ly z>Hu(R2m!wm#dcUkw*SSbFm;h-jwok)6*&klqjcZE>{x{;L>74dxyQcmBUdAA#I z>O4=t=g*8~2DJIFG5yh~SXG3}1;j{FbdL7|63f^vX#Tt=?iARyHovS*jtDzgGHN2A zYd`XtWnCtBme9n9+1&eCBsgv3fC|AN+c)?vst=nxN;raYlAsNvX%ITm9%HZAY-;!j zgF;oL;mem}y~~5YNzhvc@{7p_{g;JV!oW*JBCgK*A!Bqj5h4G)_g@IBOm>eI6gXZ{ z#CpB1LCU@C)8w4N(}awS2eLcfr6|!Y@gR_S9e-qQAcT{>@46H7!Go1h^`*%BnsRLd z)trj7BE;5_Z500j+Z}Y(`d#Sj5!pB@f_kNU^X&xPRNEVD5*e;`xwme$%g8*!5^}dZ zR!UTSeBRyT%nt?5h>st!YzmSA9 zSfg_XTn+F?B>xZ%ATXd35=>Aut$FbR1s4&&WfUREXb&0^lvJQfBsZ}lFeHW4KsWz} z;1%JC{>hV#Unij~0@hm%ryWROOoGv0b=^h_8e(B)d7)5$;^A3)!Hrj#NEQX~&gj-s z?4dYyLCTR!;N@=A-}m>#rCn8-p#3`Ent9*UBz5rMVZKQ{NiD5Opsec2FWH&ZP*S(>VF|7fL^#(p#$a!!c#7O~ue@^F;l8puzY(;vXgL0LO5PhhkW<(X6P2uDAFaZ7g8CrLp!wFezu=vu6V-{(``hqIUxA?2SSGumhTh zzsh1Q$*If3-iY#?+MBUW`hs}(ApYO$K69bw#_J1%Slg73I!XvxIyqg!3qajA8J^IH zHK?yVgVPsS>xj4!A{7|4K!g9Y``%adS&NK{vb3?8?zT$}3VHB!!@DRRz4ELkC$$yUBe}_HYA1vKL?mwBy7lnC;sg&gkNuA%^c`v(>T-Sq*}PX~E@*cLA-bR) zSKv_<%uQMX{Is#gEJz!b9S8OVy%|Cbgq$i)$6a7r%o5ythTcP1wGJPC;Fy9GIj`jF zgVAUdX$*~>W^7Qoo=3S@r+g~2urN%ku7?K$9|R(}a1o@z0stXE>6xe++cwTpT3iNK zy}q`Y>iP3_hi!Wf%!`Sn1{xHmrJ;6q@X@32AOY67A|ETTv6Am~kEL;Dq{q=of7(Wa8hI z)9)tq(qiLBWhy#A`HS4e$exic%{%0>3O#qCKKbjp^=ay!|Fm(yy$H&T4%?t(v28W`T^5B*GrhaypZ#D!uF4bfD zBa5AAg75$8U>eAoTH@{>USIJXu^eb&&>@C| z99~I3eV67dkZKWR#D@s*=(HPCu}eQp9ZwKk`}X;Lc&N)RopHMy(3VpNiI*`01_#MC`{=thI0YsrVF!pU=62#>M(>46%_3um01RBH3IZZ1|1 
zotYXL;8kmCZjO`X-0_zoenG*8(J-vGZO7ih)F-0Hi$9z(o}7m*C8Qb|Rg0g)yeutU ziBF9Q>(GZgr+N8L?;e+5GsLO(oUv%mAedI>JZ#_zOnhZ~k6(wL+JAA8+T?V{_?J}; zqUD@^9}0dqU^Ew?{0)?B;#+&;=qS7YO)CQ@Cv*{xc=X_+gHP?kN4|kC^6)t#k^Tu)2lGHdTJOI7tVb7yH|U2Lwu_^0pEl8wVj3yTM?c3GvRQ5kkY zk+0)!-uw$R1-u0P0y1-i{6+5k&YP>LF`W4LY=(zz*Q}W@n-V+yl2#>T9#A6;jfFgl z)t{4*P-o}#%nU6tA<4Y?bI56NNya1Fpk!^M60&#m7dlu(FJfusa>S5%i{gQsTd1$T zBJ3ZCbF@ba{tyi8ZTnj3wmB|dVsav@x`ap{k&Q9wa;~;8gi7;eqH$hR{m0MPo!fJK zHGkIS;u92&}5orV`Ol zkBp22;=1QS!-N8s1TdCBsy6AocQgg%6u)II!oJ{W%9Sf9^d{$vHW;Z8z$jv5OR}?7 zH=vhjLE*B=XD3U`;%hR6Cw&$xkTy|~xKESh7I`OLMds@-Ma?BA2K;w1jw1VG^^;N>tN|+NGa%x()|3c5kb}JN z(=y%mb}$G*+&g>vbh%?^8=saDB5o9DkY$!zYQYjPnnOd=+4-`wvpj*wxp1U=XAr4l zgsUr9hs39$At{LTf!bY>mHoi}(X}@}CV664rse#fv$CqjnXU5iP6F=of*RcS^f$S> z-h;Z2J>}QO-sI5ZeBta;XFBpMLsR2(^6zA&YjTW!LUR%DKCs4q`C_#&HJ)Eo1nk#! z79B5AR;KErI=Y+^AO~9 z8lwptF)})OV;kFDC{KG#M>-mu(ed}}$SB4n$3Di96t0XWIBfu%0U`tWWcNzh@Xeby zkh8BQrSgf}GuuvlF5{u2W9>mRIW-I9^MmH5m-cy0TvVu53vfhbVMuokch+jy)}>xP zaO~zy5IcCpVgC7rcg9zeiEZv+#4A)2Owid|Zl&BXI0-k==&lDVUOGEFnDAUS7&f{B zTl^+>n+=XsbyIPD(e{)$!Lo*ACUgu5RFTk0!G=e~p64{2qKPKa4q+l6*uK6h`#T{%LH$DLBE^D5Q zBo}gOs9QkK8GVBki-a9tzJ$ySCRz1;x@eGF<-2SYkbmcnHtElzK{l{OSq}biiH}$u z3P=(U2MYporxl(U_8s8u#3rO`n>VL}i$*dl?7a_oh`>v7nugw}>LRpgpwGCzpjtx%mdU_`Ha_rB56zOYRhQ6-}9#uVvV zPl3;aR3+=?mm{~t$Qt#XJL?Jb9mzgz;ODoz!mW&e4MuhK@^XdeS1P@@h2>|QirpJ} z>u>mT?G#J9#+CNa`q9mk4?5bOIA>+WeSE!p!9%>#nl-U&uZy{e#M7?r%*O;zbTIM6 z85ne&)KfXM+4_`m%dZIC8HdZOB)EXuZTQut&@}n`ynKu0oMfukFe+1|F^Ic6(!M=b zD9>si|D$wuhu^G6;XBgwe>( zNA);TZp{*DC^l>QN^MZ&$T{8jv<(=pMr3{0R?ibO z_A)BTCDXr8pMLDL)Y8}8oln!klgdL)m^3ss$-%Y4su6TW@R3X{&{8#n7Hmd*AZG_w z{@}r~YwjSLRQ5fdZV?U-2@c+aHuL@c{j=+6W!k1UTO9F_a};h(znZE%uv2NLLz#M} z;aKM5M~~|2G{UDEml7OIiSXK2{YGSE*+(kmz)oMm!{)mqWK+~%N?%Dt5;di z+!I6>*nyy}tX8NfrO2CQq#W`N3VHzXm5@?KWaO!}|E`FIrSE{p?&ASyu5@wTmb9TA zBR(QKLo+lDxx48(%g@~Zbd7lSWc&Ver=X?>(g-C1&YZM&sKxUotX=@ky$NZNn>h&! 
zSl{8(zzY)PMv>0~1AYo50v9|rHH8OGLAzTJGT`YNJuHwV)371&Tj{GEWJ~&p2wi9A zFQT3{U729py>&q_9g^R5`Vf6kMpc!00NVWNe7HEexvk)jp097OR=d!N6JK7p5F#^* zU!9^RE_CMTu;H%Q$94d`KJkam%&ef0^Gt3A&EeIA?HQ~huwE-DD1c_x9MW0zW-pvG z1aqQj7N#U`g}wfMvp}n8d{n5w%ikP-1?E}DAN3O)jZ3<2 zSkta_iY;1-k9nOA~=I0-^EaUicjZh4R0!ugb6T`-h zU*#N4P1%?4I%9DKrwUvthRn=NfWh^wBmjxqLb+(u_U&dC7S-4TzzjLsh;jZ+3BwGg zh=2spN4>+*-PU#(MU8Kyb76Qf{6(eveI|WPx|f12%1TSUh7(%X$T*6ngUK_xG183F z-qNy_ea~mmR0Nw;7Xh}COB3$Vd*DUw(t=+!SCmY0>H1U3xWBfV-d+ju^I}$ao}8Rc zT|RS`H8RHaN8IthvgzN+`pKm==twgZCi-r24r}~HFE6n={bTLG!Ifg*Tmh{_)GX%8 z8T%A_*xN79c>IBhX5L{NiW!ulP+xuT-vGBT$j7E0-oNjGnF2twEfmaxA#oA-L*+9I z|6M$FPQT6K+tWuBikXQ?|M*--hvx`G75WNJ9(39-BeUCds!wGPK{@0hS72Hse_@c$ zs`1q;(j_3r{6;CPaHQskBcDSgrV**ij@3>IQLaY+oju=)U(5cVyt%Zr*e z^%Fx56xhXAA}>A5dep#Rv1TLfteE(D0l9}4$D@aRY=$^FIhvc~qGDVrJC1eH^Opi} z0aF^bFHfi1w8Gca7azte%vvXnj#{MAZ^s*P7TC>ja=NT#gw$01-)&ESc(m^QVVcM| zmedj(;y&d%CC*8=@?povM^+8DJS^Qx3M)G(c2Yx|sr+wG!PjCy>ki6dcw1`A3h3K$ zX$EyhIP}ShuY@NWA}5TKq>YXoxp61|O|?m&$=&i~O1WgsdAn~>K?lAiNXY6y>))Mtdy04k{i9dQ&Y3aD2>{rPL`G7G}N@1rYXL^+K;Se`vT*o^@1I*Q$-Wc<0LLv!AYRWVO=M z+vuK6n=m(6|pyf{i+LYJRGrw$}4oX|kDCapO!R)}d31$eI(yxD&*Uz&WvpwP;*X zQFz_&i0^kn>Qi$~>EHRPrzf#x-<*b(SPG&?EZDM|Gbtz=q#X1t&OdJHh77Q|ML|?4 zBQLL*(K>3)AHDF^3wcD@(ATcMmJ;8Zx%zsn1dOO$Mb^Yq>!1(QouK_Ws z_8^jq@K^Jl)CtayC)AiYId!|Vh2X*>sfgX)-F+G&L^dnza(kyuDLBjl{+y)M*U`Ia zhR3-SHmTCvt?4d2WRbyOfM<4^d$idqE3BDczSOWn-y=@`(ZPee_RVCiz7B_<7_Kl$ z=sHDoGJaL{it6l?yBh)bc7m{VfSHJ9cA441Ye8Kb`OMPH7ap3;LyqDFgp`pR{L*{AD3Yr%$4rsN@q0n&u8y8QF zypTT|ekUsDQu(KuB3k02o3-87ZE}giN*NCyvaT&tRKWs}`+Z)1FT$xSz8x$A0uQ-6 zf-v5u*bGrRZ^1XAFlBou@23 zFXSE92{195jXpw9n|R3k6esgD3Lo#wUA!-oyqO7NZ;-FSy&1Uj!6XDO^54jv9x4$9 z@A5+rSjD-2WZqYFcdy8g=h}`3b*oe*+=Q77MEZyhQgsHZz(n5rs04@ZO7tcD898l$)Z<;0U}?z6vJ# zf^kx{;JjQ?t*Mv1wCE!&EX=3An%G7Txv7yJsV69tGV;P%EsATMB;sq<$F}UD>c_)X+)2yt@EYk7uyUHrtR8F{CBoF=uOt|r7-$dNJi4Tk3Q!~{Grs5p z_M?1+f2$?=+BSN6?t><7EhBzIGm^%XoWi940q5m*@o3C&>J&yh@iw!( z{7%}ZU`%IJ0_&+6;Hy4|0tn30;UD0zvH$?TLdM8Oj`a~d?q`cD!($`BiJ%v%iH8`i 
zuLNV4RO_1VWag^e!TgE)>EHS9WOriS=nF(eOKjye zAoanOp;&_t=)AKM4;*+ZtFN&bA9T>sVYhe`;5Lno*2=)4BO3?hmekTvqY$2X!#1gQ&>dJXww5H%Sa z-%3vQg%2gf7E<#iJ1+eY_kN4E_TFhmh0A|usyVz$Hx zzYh08M;svkI4vO(g6U4k{rK_Yq**T#xOXh6({X}$9;jrOm+;XADxs`L&Hw!n=o9;00tp-WOJHkgc~2UslOpiu4BD-_b%&RYjtJifS{mSC~SdxO)u5} zBmwTG?OKQZ8R9K)93&;Dp!}2m`S?T@ifO1$BhB?0Mllju~zZwwmHj`Smja;77 z4r35tYvfb6b_(P8l~9Kg?Fmy;M?1Tjj$^t~?0D~J`UGq7Nb#HS9XVY~e@yh%$olu5 z;&p({(CVNcgc6WpbQP8)VPz$LGb*YSR}bo0*UbU;4RFHrX$oGV;LQ?-G)dGS|? zRSXK>NHH4_2eCRx(T2J+K}L&ZH*j(Jg{F89D=T5P^##^^wmvhb{NJr2Hv?~cSHrc| zZ0lA#a*c(VzmS=PhO2^F%n$F5cZejq@FytW+)iGewc?O+j0FM#Jb;z#=`L|~hdU^Q zQ>RdGO~mEgf?zb^qgq_^Yg>x%-?^{gAq`9-R}_jHwM_BC%tfcN{jS55_;}JM9JbfO zO(OM#|GyOwGqU&m-@--+mOI`C zLCWKAg{2TXwSiyP{smb>qK7!6eb>*3cCmLQ7MzTX%A9*nQ3RPnL*^WQf@TK{I747> z9lC-aKxq@~3K6r%Qv+Mq6HQwYY;tgjDDBkJl6b^QMU)FEDP8I7OJU?~b2T#&D*$^H zVXv%a*R;EPc}jnswc;1ZK>vviG_U_DsnsOi>MFr^Pu#I1Z+Y>n0;LoK9qUXRN58(TV=ACmn$v8J(L zm-NP4h7X{4-5LgVJTz*b3Vr@PB+rnBgWb+c@(1Xnm7RH~eCZN3q%lhGOmwRbWPyJCLCap|2rNm*@@mcA?H;!ar0fJcqz zvXVy_<{O~cZA*cdb)s*CBc;me{{<{q_}wD71!X?e8fMt6V1LUFpm3P>78EU5NN1NW zHU@`;yn;>^a80T+7HiDgfLWgOa&XSq8$7Ua&>7|5&Im#12k&7#J0Dx95h3Yjz|t^?bqr|K)4AcKsr_IwKo`A_ z8#5QfK=Q=|ADSaZ!;bm%%WL5BhGmc{IgmE)&vw^Q*p3+*X3MB_8Ny@o>9%Iij{v6O zqmY@A0p=*YwMvW%Vc(+0P>`947GCymQvTrPfj%xC)0IP-qRKgCLkVXUe{t&j8h=}8 zY-5H)D~pTAc zm<-=$$G?y+)7a@QxVnNu`5jcBO`F7gX3xzl-bny9IJ8f5NdMR|*ms%!354ew`kkP` zCUdIScv)883wh)g05>V1OqLX{OP7$6 zC3wr|+n@FAQUOerf(kjZEjJnv`SAIkYDsBL$vT6_I{mF34HJbG6qdm~CA)>WyN6?k z1U`ya-~BlkukDV0KG+y?o}*52>^U1ZfB4kFR*Yx76du)jzQAXPLtKmIXW z>$rN%_uSMQ&^>F!tdoSJ)nk|)x3-=KLJ_`Z@qAG%)>gC;Iq@Rsn;SO!XU`PtjA5r2 z%FMVFfGmOa1mtsIk?2Gp*t6#+-Uh!01MyZHR(>FhNNb=+Kqcovk4E176S>%o28V{= zdq(LG?V@p@4ai7=tjn5?4cI~v-t z%QIqQ5Mm02gt`v(zK@9Jk*Hj4eRAO-!phbs3&gDlqE)lXh&UfT3q>G`-sf2563D2Y z{G7TdF0OO3NYg`3=-)SP30If`X##~8{<_F@vtO=rY(r8AND3e1!S2m5&GtsZ&>*m z!P-c+-T3ejofug}OgrpxK&X#DBj=Q;L&>0ZC3z!=TQS&u!0N;UA05>jH?jEl*OBYG zfj?JPy1c)8Mf_d9=*|h5p05(`~=d>9B3x`=GGf}v^s|NenW;$EBA|2;AI^GDuoBr^Z_fBa!^*Pupn 
z*+GQzD<4x4+#jgdE-1=SNuvb)6bl&Vgo}mOOoCW6t7N9{P}M{z<2nrGot_a533pzAAn1$kY;=OI0ZNEl!sFm^@!t~Ulau+BKm zA)uVNg8v#z>k-NWwHB+JpZQfHtad{VwpgRsdf=(`oOJ;aZ`IPDUg*S*iLRgo1Yw#1 zs}UZa%$%IMew54qE}>OWE7rE8*?lAcJoFW_7Vn%=ip7>bfQt^oMPF5m(f6g9Ty!W* zXQ2>tS)GbBR}ct=+mPgKF-vNiC%<2;lXL~=SC0uo5RDqoKCcjJ@Vj@@1tcYLFn~gJ zgv!EaoTdrH{B;4FAor^QetGm6wj@3kkn@)nU zz*LLPr1f|BzP>d7>ct_^04^9Aww(immg#qi-%^+@{IyprU87L420(BX{FLNUwOO^a zswyRzlyUfXnO_RGy}U5CPmc+nLh3c-*VGuisuG|AX9(aY4R*-73qHTE_Y39uP(6a*2H2oRSwsIUVC zaH0K8+d14MQ)EJdh6GGrHU;iV^@$EfBA4mEvO^jlJ*rp(yZ9*T6t7{nL{v(do*LuVx^DQ2PCs z7at0Q!lg>m2jRWoDM+X!u`kN$F-5>@xdyydeML~%$ui$e?f_WK7WD67@7pvxKTjX< z`@K~}s~Gs5)FV7g2tcz35HAUm){~NWRNHZk9depApfW~KV_+lCjfmLDfWrSFDs#okJkWBzEc< zp|nX>PR`+>`*$OH<4O;aCVS>=IAGAHWn}5++t-J+AsKQA4sFBiA-_Ubz|~49cxIFR z<^?{1L7kg`&}1Fby2BgUFHf}|X8QdlLU%IY2tll~A$tTUgtDuWHf&7K!rHLF9SYBw zdUwJ_k6`A5*y zA_mST%ww?|?xa&jS-@cyMMZr@s9~DkoCo@{8lA@!asvcHtIcqoR}~3}O-G zAHvZgj^-W}(L`T|t*YY?xR58|=2pTn;f8s3V(3&KsXLP{ffIMeR438sIHbh8A2~kaGZBI*t zwjq`!p98!#l`;ho9O2PtgVlgvmxN#!e>{aUew!FL&eSma5}*qR387^mLr5ypIlBo2 zXUrYIx3~+KLg~}jy+qP}w;0t9IwjWjsYeQsjk0FWkk>5p{LJm-XY4}Rtz#x{3PBS|?7?tfT zfAVCufXir~$W zRpLdRMeKp+0H?eylA&!-UFqUEfZu7q-)q8}UR_f&BLQe{SjNR4@5R~o7~l1$-U0h- zrA-(|Qq6%#i(1g<(CPY3s0*{;H&Am0wkS=ml zhJP;!R66lHph0x@_704hIL%ttLhK@a*jnFa9-?Ydm-{A9dvp>k7nf{o~ z@w(twNV`AYrXT@pl2xnXEut*4da2Fd|Ngq(FHJV{oj6J-_S< zO-e0ou(|_?si2_Eog!;hVCz+$U2w%0%P zchZV%_P(L#cin#0Ov->wQvW(QkY~%*lQ)t1m$B7e59i-#8oShC4?l zSi)`byY^)Qaz5AJ3O!l8Bha9^dRb2VlQ7>BpR%srUVZZ5H{-J5l)q%XZ?ruV{ zQ4QhDurMv`Q$Qu=;Uk8UpKzRJPW+uq9Vq&a^;94mJt!@GALtlG9O=-!zK_o$AP#_0 z4kKT`9;QMrOA!aa%N`sQq(>TnI@FIxH zhAErb$&->2Nb8S5rzqC+))jV|?U4#9pa&q{nk~5j|8W|WP}{YkOTg8^!cP$$UM-p^ zphlRo9dsW(Br!$%OkxcU%{axeBC&egnXcmPG@w7d)y7WO^T4IW#c+@$9AL+nusU=o z&`8bk2vE)Py=aDq7E_a)c?g00v7Jv+p!D^jk_ClaxCt9wF5(qC(p#A3J+5iyCYZPG z8UDauA!;)%vQ@i$lvEEmJHz=?a_Y~Ycdy?A@PRrS(UhZ2mU5j08iFNI$7&8C>mKp+ z7axYfZd@t$pFMl_;Ll9i=Co032h9;Jju_BjNJ;{HP$wIdL^IjuW2suuIlBdr)`2$N 
zaPeXI#!&tI`BSnT`w6;2{WTkVo4$%>|Ni~kY%Vocy_~#|}nJxMD?GcBHy}__lwsmuJ%i>;kCEcRnj3Z(!!L!@|A?PH6;KjAT z7;r5pjKtBU=pDa~Fb?)*gTDJkH_KX`Joy1HeXe9@i+VpxN|fK0^3Z55I)*TqAN$s1 zywqCF%(tUOE6|8-kZq20x7@B4ET`CIlXh!D^|+Y(7Avfp)}fk=EW@1_>%dwAu<`f8 zT}!>t@bJ#vnzB{^)9uv?1pxUv*g_QFDYW^C0ItJ47BmLL7<1f{880RNAlrqQ1M96R zTfV?JWzkO;KB@>?zmUVJT=S5dTRC3hvXz7J&hk)3(aokdk#+_`aoEg$_^DpEo0^>b z!X_0KjmCYr5~D&dJ$gDi`|?AQCb1Xmu$e%%B)77)X6uiq^0dHKx}MbuTqvXKXtvX7 zu`^Ggwf~^g9f4^)F$CIAsDEc1V#7i3!`JFdj4iC2HYrkl1iPj8zKEzMUYjW&T2TEZ zA8t~PA ze|*y?8%+{*s*h`D9Vi{Qrdu1b5uE#Vv$T$jY;<~#B-d|yEnVtOfJTwa%9N{ zd+Oe@L%9GXd6K&|6H8)27+|k*Zk^WD$Tw)aakKci=Ht+4oFCs0R@G<`<`dFBXBG#M-erMk8C^gjDutU0b(z7|rketr&v zy7!!Zfyk3SLWUjFN+xUg1d{+3I+E7C$L&GE(=_PS#QX0@_Q@y$to+meWEu)aE1yS- z|4O##s0|?X-}eTo{}Y6$r}@vMI&$6AN`)3&)2(Fbi2Nw-`Tx@a%hQ+9(k0(OsD00W z+`B1rg=vx0siRG&W=j``%Wl8d6_!?MjR)P0?#3Vg^xdsnj1hV^N*CA5>1=WH^6a1g`2O6S{pr<J6Mi*zVUW`VYH<%`Q;yzn{n&f#lyL!me z(IUA^U!Gkh*T3Fm%ZJ7EtZcPzcfFi1v(fux{_^abcg5@MVtt#7t@|9f_kD7cUS(-#j@z3tuoay7#y`N#XcCN=kQ?;CB_tyb7*ar5e%*Ycb4k=7r4zE{?^?Bn3r%*%n`#Bk1WFu)p1wbbm>n4AuG)i2z6|0Y&&)4-ej}s;fcG| zqUJ7-vuS>N`61A7m3RLb=AG^8z?ypm@_vf#BN<(?K+T~$t zQb^(S<>BUGHceMY#B94w&7E%7%`T3O`fj_X15TsA2UuE zNZAfAou_w~*UN0NuO@WYsRE?nll_i;;u1xG*^QUc9$2^O?B+H<1ZJ2NV3ia`NDHDJ z*3~kbrrEKcQNn2XV$xE^6yxpSR=3N?%L-lf_(FUN3a-HE;*#lu~B_m;v| z%GqU>OlJ?PLj%U?_KO|CD?cn}dh4mr{HH#H@i`-)k3X^B^k)u6;V7|*R78xqBFcm% z0Pn6fApz_RJL!k_Apvg47UNj^ET&~Avdn#DSrg>PG4j5IfRe0M!mRJUxf^6ez7FV-AS2N+u0Gtt9Oip7%Qh7~o%aCM%NUTI+h&16SZ0;H*T;d1qknhqwIXmLiozAZFpp?_a z5H?afLK@8;Gq5qKc&bYUnDd}NWc$DQ_O>gf?I7OG=JN&++ndHirAE5v_^;doI%)jo zv-`{2Wj6bta$-Qu4Oz@M3Y9E~Z6yT6MCbDL$6qwrGmBRl5hnS#*8B z`#e>9kcV#SdWR#3Klf^nZ9e_a=oSUUZHJ*ePu2Ci(R( zzAw@$g+qG_qdm?fhGco0By!-j!4$l6Zss}jV=bTiMGKwp`04= z^a^R_I5&|2ZY5({NljH-$7)naqCyfCl8zLTf21GsiZ#G=um(s8VvLp(H{66>1WF`L zl+k9gfhDF0PJ?(@;R5%`)@zb^4n2C zUjJUjS>DmK!VqhX9djaphK#0nKw1<)9PC7*nk6(FD?+ISJzNK17X#R6yO97B+<6&| zFiI9%IDCkz4vph{yYSi!Z>HYzhwnUQFW z1Hc#vP(|6-rOdGYl$q#%Z?BrY9{r5}SmlY^%dOJIyt6@sC7i-oqC!Ds$iM&uVo(4{ 
z1ai8VveL~i1yl@J73*O9nyF$^SYQUMZGthXnHB*JEa|-WHH&JrxT3`saL>LY zVTgP7U)7#Hsu92nMaOLJS;Z~;=f{zr6#4UU<&eh;{X{3++u(M4gJGLKQkKW8~^5tWijeh*L%8sxd$g`Br zPBf^p%CP=BVb?%hPSA?5T-vcqqiC?w!4c3%3Tv9Ti(eLzV&9KoSa!+rtsAFcFu;GCF`V0B_G9)2m`1r~KEuJnrN4 zw2xCKq;Vf-fGM}!JAKU(Y8hyk2up+NtxrITNNpz@xUKcp=t@`{a@ww6mPw-`4&0m#y4 zU%eZ@SOdL6bdZXrxdJEDylr-R(^RYy2#8XAvVkkxx?7@N@m1CFsFB2|S3Kh~9zJt)a0K~0YnOI$BbCX!X{Jzp&&RSX#rw_5@>;{F$$tF3~3olR_pwDFSAVL=}UHOC!+IZG=cQWM!XI@J}P>$|_db#YxWoU0$Ms+G;iRnK^L8O(I&so_5?uVy$8e!N{)&tmT! z8zzVuyZU)ytE6dgAkt+6Dyv;(=(dQ@BF4;b(3)6Z?v!?IxS~c`P^hh_ko9|Au$&Qt(9T=Wp^N_8=)aBr+vvY-si$iHxEUAJLBIx$m_ZCmkV%UDc2`e9%i(CKKmYCf zzeNqT9}Tra9HV+Vz-$y@x-g*Sm=kFOo6i#E%^)?Q{fxR5Afy@qIWf(N^Lj}_FSv~K z)Sm&pE0mF+hR9FWf8(2pVkg>&u)E)D7%nHqRii2{tQmlZk6A}i#+i7LqjKP1u|WRrr;aoiIVD)ece$7>*tVk)nDv^D3k=GSmWh{3B{7oH5J`!5k&vbfjsOl}^U(?%Okep%Dh9z$9HKqf z-)VbQ0vYLPi1Z}=53{n|9q&zb&~vO1#1g5&9d%BjJo&usVFtYt6GV%yx3l*4B{7oH z5J?F-$OY4UY>2U2=}aLq!3rEf-SK*y5pIiI6nAN())d+4s7OYF8X`gYhv6$?ElPvc zGAu!@afHk3bg6Qn3W8!>MuLh2)j%X8K@E|hyhFt~B}|PO3mNTHLeQev2WRVQA8ZiS zJ|Z#o7~-@iijk9s$VsLHrKxmK^T6c=O7~Kcy6AEgN?H;o(o&?QBhna|X^6~ZJIJbL zg-1GYPBlZ*O+k@St+Xy!N)CdRL}aC&SgAr1BPk7#l)yV0oDu*SpQ9oZHgI5#g9{;W zq$W!^D`2JK1F+=YUf=%que)UQm$z>&{w(qL`0j^a@cqBa-($oG#VbykJg4~Qcgtha zN@I*=Od5`Mx(dx>HNqRIY=~6GI*8B|F6KnKy?N_Nux!`bG@YNqaQL8k@Gr=%2(HP+F&`>uRTl>&*Fdh~t=mzQcFa*d zq60pUp^Nd0r_9HiUa_WEtm)-Zb{RwmWtYJbvdb!BT!mDST~m20LTLds=0a*mLJ(`$ zK&TxFSWgj)X32oHqb|lTYDZB!irP`sj@mg6{SyJ)(YTzAxg?6qpkX7Qktnxf!YSdp zywtIgkFsp8SV(k{SJnL)_x<&j}1L_(nlVawPzrX4a^6O))C zOEnS8NK-?kDesg4VTffGoU&sygp7jQK;nkNL|CGzF3mw0M18NwQT=dKtxQIa8X`ye z7nf(mT4NklSgt|_w{0K^!Hl#0lsn9q1EE?CBEKn;R8L8lbwU|Q>N%6to8^ZMj-qRh zQnZ5udZ>Z1Ccwj1)Nw$<0m-6bg)Fw_dC(ZJ4!YK4m(wlx3O43&$X!k#iX+6+v5swv zUtcY=X___P=Va1S#uVd2-yv+7R#!^fWtL2553551#!uWB?l!hUc}L_6ib`x552J$; z0s}hrBWp*>UlgF?({U%Yg$tnpNp~D zbB5}=k)F7Yp4sK{zdA(8hrXN6UQu12tyg>CQ(uIMpHlWE^5uG=FB+#l>C#8Pt7T`D z=n$2-taxIbb@$jWvi^7?%YiIK7d7$KtuVaf|g#0@^!ZafkgRwrh|@5IhO$EFaCrAhj#JM 
zUY=8ro{xo6{xU!(IgMN(8T#c#n@Si*j$@}ZAD`{g?1<>Y)iV1-x+WG*ly~sr=PXKj z^TuPeBVWjbq|LX}z`%f(ReZQ1F?hT8A-CZcyy2xbQj%k7>!-&ObAw+h$z*az$8sRE zg>6^i!rDsr+E(vGttiIKjEwQ=X|}^>KRiL-8TM*f)AV&8(iyu1qY zwsW^?`dnC9Sw%$BCAvJgg@rYX0yKCEJSGw{CQ1WoL?3E&kSewt7C5oXxc!hEZOJ^x z-yX&;Q{ik@8Oolb^Rjq(p+Bz3Yo=i`@ua4v-%OKXq*|hGk`KNSF?*vu;>O6xSXNeM zZf2I6n(E{0Te3Km($Jtg(%$f*z0LCPwkOe=b}~Nm;~7?EEE0~FE?jt_$KOu6c*OeS z{X2KI4N~LMua+Brdln|omB1um@T0%q=E8;5*>x9d9ymk(KrgMli+cI698v+=+aWl13djA|k##SB>xx(p>8)57yMw zw5fZN^quAan}v~)$Lz4NTd0nX4*y0XpRBA|OVw>viIq(GL{(hOiy?XI;yrP|*-Avm^ zQ_5G7lI433DX)bt?=gDv^x&5qr<4Xqd;g7gS1jHpr`goUJ{EU)>po`T?Cfl3H}uB2 zm&kYMP)0*ER@+eaM{W~$cXzIjRaLKEy$hsazPW8r&(M&aqhnXHe#)uG;z22^ebJWd z*RS769eDlvaa-E~tdPJBVQf+jFSR&LO-*HF3f{eY_vVdcq+^;%PO@qQ&#qm&9NKe3 zf`cE+xH~>m4oOW*D{%egHrR0B>17R#ZS>XWMGXzV>O51nwz07v?w{$>M5 z^<2xKFYse^^*$~vA1n2OV!tj=PMRl>2V&jtS%^nzK$qPDaZchlgRp|P{ zy5k#W&ZWg)=?Z?!9#}({T)(~hd(WOdk0qRV5&{CKp6CusqGh^NUJs*OG znhdTle#bUAkPvO*rD}F&b$LOl5-7BfCUV}r`D>(Q4`*#BA z@^>XGnx*#Mk-Y8;DQ#vO@UhZ3sf!m6wzp*4XmKs#FQ{o~zBDw5J9e}bdArYiwOU(U z5q&7QckkW<2M&mdiS6Bcj3;8NV%l`1F}*|Aix;OJ-y0C&iVAN?H9j(8ap<6gW5-@D zZ||k#+{Daw{i5}W?F|kN*BTlcWZXwJo=AohxwyFY^Z!Lf^-4AYTPh_YB0{^ip}}R~ z^HWr@^WK)8eN0?!ndeka==1XMWHk*BUt;hL?0lxOgG)_Q^Fj)KXn(@bPmhDcid_1r z>!%hL7J8cQ-D8NVNbcgQ5uF|%|LnnqvP!rg8JYO~M_f$tboD)!K&5?8*4Iy=(E0R+ zNbvIuk|rlAIp>C3v!6dFm}OmyE^!&UmHqrUmY4J2%ga87hK7Mk&ZroHO5cZu_zN@m znO>Xbg%*{f{JeHc_lUKz^vttsQfuk?^-G=Lzq-I{+VqpT&YcPKnk=u2tY@vQt*xxA z2tUTgESqwVx)mfF#$TnZShKBPP~dQUCX$-&`hZ(l>bWA~we zk*wTY9$@+gBteTSU8!$5!E=Ov**qU4Bd-j7Z4F~YEIolpZOu+ z_^s{ask|Oi{-zreF@w!%tnH2t4xPomOF@jhT?Ou1E3Rk!i+=q0k)c2P_5S!LF#%(8 z)1g9o49=5AB7JoeOktawSdAj5xU<|}1&`3(wa7oBTx7|az{batLV z&0L)Mr9!yAiT0jH5VkjIF@~Q{NGRrz)q47ak!rbt8xQob#_{VLk^A8*G9(m@{A1P$dNH%DT5?|5zJ~DEOP)b`qJ$*G< z^4GD)%y;`2GS5{qgy-bssBI!fIb2M&T%^|P=IV@cv_I`UH)_tXav!bKmZ1O0N>Mmk zMMZ@%T$qc(JvzFY%-p8i-jTOxa3JHl=77Oa!I}lbEBNP4Au}XI) zLjU~`{cJ^fx$D5^zXR_yGcF!VclHpDo~zh46LC8@ zm{s~JU!`+n8~Xy=Y25He>$#mNO0ar4887QBfV!KXKTpzb*#N#%H3Z{Mxl^9UW%k 
z{1M|jPo6!Sp!5_tN%r!$V}5?CIIdeeIA2c&pIR|wucz#&oQw?HhUcnh&z=P?Ku<;| z!0#XB5Xk(fG!()r@#5vn&6_u?$I*CKy>;p?#y+=kbaYfyT*n%7Op>s8zWl(ID_34> z#;Dah9^1vlbTIOxarOoMMw_i|(f8#GfzfIo9yxw<+rCrJ-1XZ?iHV8%`3p`ZD+VL6 zwjZwbMhThT<2!ymsX^>r;p9hwl9gFgFE1}F8quGCopPlZ7Og? z*-cuRs{?l{?lGi9i&$>owv9w0p&*~>y`s7%-idZ%Wb`07I2afyB;*tT$@&c&D(~!h z_Nn?FQG*9pGWhoGvr-=>CMNcKwVX`Mm<~>jAV&2{3J3^jX=#a~ z3X3<;t1)5^sbtdw0JPPTwYjw?Po7{Oqjz`v&UFG0*b3Gwk7fOSQE%JUk>?awksW2L zZk=AiOjvn`6W_FXb9)QrH9gWk*O7lEvY618XPTHx^5@L)jLuO=XKCJrLc43%&u`!M zM%S>jvjd+LIrl0LwxPhhn!WHo%}{=MybMc4-ea7Kae=}Q8Z$rIyx-{Xp}ais#*MvC zaA~PN({wzee5K;P>HUXGO#h2Z9RI(OjsLelz>S3`ARg;8$b85HWQW|~@ZR?A%`0NyirTz%WR}Eh*VY5oS=U76=jRuJMR(`s)*tr4)`_66DQ1tX%sE**}l=IrTYuAghV%#IWJ(bQL zqP6oLUS5tsD5xomqgx(?0$gLUn|Bu-(jKO-jq_Vn9SfVV+EZgx;UZ_Yea8+kIp2@>5ANSepEjYYq47k_-r(zNbA_ehBa|Z~`1lkS7o3SdFWNc;nvrhF2{_5X za8@#G`kzlXw#aidN3$XFiHql=tBj70KHoZN8=`gT(j_A!BT$9c<^|K8%!lYH@c4#I z&e`(v^1uK7o3h!*x{78xnW+L69Tz71fJK9e#Cag2ra2e3Ti&D!Uf@1?`PFh}%SLyV zcULo>7K}%ywLCmxqZubJXI1)_?6s{_@$M^&Gc*A3BvR@ts!?+DX%qxY-zXd# zIdh!Ebl3?}l^k6G4i0@E8}zu65)O!p>h3ji!JT_oInu^sKmKMTh8CWEfZ%Sfu1wKE zp`l%1Ng!6G45z1Gfzg0?fzb_qe!79Oti&8U9uPqWe|OCO`Z!eRqUh+a068s5nfCg< z#|nGQbKF(efW~QhIUctga0Bj0LVXr~mSMt~P+{j1fRv6oDN<1E4Oc z4=T!LCZk)xra9$(jGCSaTNFOHcTbn5lT7=AoQ$q#k$dT3TwFKK?Dr*jwO?_2FPVii zN=3$|j&1O4b91vGpDfB~MtJ`MTGrCS0{RMig|KO^#v4(rU~e33yy6CX`(J)5izD47 zB@M@kw%<&cx+<-O(5FRAIns&B3TPN@mo=6V_$yp*)`+qZA2_sxfM ztGwzV8i>ROW|zgSN!%ZBNKhm=G1B__8A{U2`7IljbVluBW4mK~S^xQq7q3ln)aDg& zxmJe0ybSvg!%QGm^kY#Be|f0|xFaA`t)!K2CVa^_^K3aTWP6^IKNc4HMF^*YUsJOF zB|{Gn%11V*TgHWlPhf$G7-v1lVe`qzEHxymW536txnh0W)IQiZ+;HKh#ja!uibewg zqusY}-_fH-1qFxk-dOzS@6wMPd0oG1&Dgn5T2=2DDTXh4U>jK|VcBM**>q>qM^%4~ zMlC--KLNwnsnxV?0|U0GE;;sJhcXPQsAdd&e0=)qy~oeUYCe%9qn2sOFA#byzSDlH zsacx-q7^i-GS|&KySTW>K*le5#MXcO$dzD_W|Ca$awau4E&~%2 zH3A0*hmyn(mwd1E#>_>Ef+G9{s3oK0`pmDdmPKBXM3dZ0NftpLtj*e^r?Z>oy=K!z zbT%jO5S$pQi59$envFLHa%?v8FovTqj<{|edT_bA`h1ph2+Iiqp`*m#GO_k$oL^h2 zarTw|y1~R-XNMH%dxXG*e14_nq3NN`qczF64ZqUW=y|EJ$b^m~w2N%lapH}N{T(BY 
zk%g)L10OH5*_=Cf1auF2kW=x3a*N;8&r@8J6BFMhMoBLejD;)yKu8H5u2@QcbFxpwb5+)=lDC;`Zhz1|@3NR&-qo=R$ z1R*ms6LnB&lTiDCi0a==tlx8AZBxqtplZ-7!*mNkbxz64d)p;F#?P>_KHhiyCLKA~ zp#6r}r@fAq0#fVT!gVqg?;G!Zq`cBZM#~X5dfGO-YsNenahK4?ED?`askm0(z zy6xMyLzy^Zx=YyXBmwNpcX~hvx&^Qw-o3`HXrh7@(hC#?Y0t_1^b7OzdS1lGk6G#2 z<$WY&WV}mnZ0&hrEc_lN2hgd@v!6YvMv$BPI8Q|8`EDpb86nWI&X$x)g?cZ~XD%k~ zIYvnF5=dF^l5pWBCt1x$qtO&~8hdZ&HO<2lVzZEpxLht@rkjP9@`OVFV`V)jt9j$- z$hVmUT7<=UIz!oICa0!$uuD(3*{AD!ZK+Ws~=r z2S2@0Pd)NW&mUJ}2+GH^=hhrTQ>aXIzq|w#*GR2^>6_)Np(|yL97ga~T>MnjJfK%nBIWE~0{uwCCkzW!ZJU60Wd+ zZ*&ci_;{0{Wu~l4&~eRJ*#%tjCo=BBM~-A;(Gky!;{5lpiiMTG*)NqzToe|6#E}w` z4|t0mgKp7VTdN@VKejdR~hzP7Hx zx{r{gpUp7z@{%^S-oT$CyYA=DpW+v4AM{p+F^13jd+ARDB{pulqhfDI;tbn$OnrBl zL5z4WSz1z3(1cXg+UmJDJy@#Y!pN(+KLMX8@3$<;%WH%715|RZVAFOsP!~@H1%=tU z>z7ZT?xAyIZibATk#YHF?L(z6km2_xpkAFgS(J9t!$XqZcX9CLZyEQYpz1e@PUh`B zJDd+_3hD?I#j?;NoS1ynJi7v|BwqYvm`X6Qd44|+52!@_BQf=E_H|#LHf1!;+8)>j2gcX{u>y;~}S?8S8jM_pr`;awL+Uq)Lp=pFJ4<+5->=m`Mb{q|oHR-)BYqG-N zm*l4>w91C~T_^9T2>7`Rvq?4^`x-Q&&f6 zX#!jeoT6T<42~QH$IjC&#W4NC2L6j{r?vYy6}d#`Gq;aR#cQ6$nxlH<-Ox+s`t@%9 zu#m8DD1;8l%kkni zd7v=3#NGaDMG3k4^XXd^*6PEnf~yoA3QTi`(zT6^A36%`|3S7(IK=_esBupk!w%GVF=)3Jw5lHJTXgb_Du37g%IVrTpHeJ@y^+PO*QTv z8CmHKQ)n*a2TJRueCjBfC5|Ew@8ADK!M~WLl0(Yn2TEFOY%I6(9qrcgO`}#{0`#k& z9=}Dj9d5}~OU%N`0Ru?kvm!OzQ%h{9sDQXDPP0ppZd04yd(Dorvg7mV^NI5_UoFv% zWn72$`?^(zafT6zcv}@nK`CCvUXUhz03mR>1`96?UR_!|C?zGu&u`b7WepZZMMZZ} z>hpPal~!#=EUP;oyjd6+lnA)x2Ca1*Sy9#J(Ucp~QVgN8Xc7Q+K2=vgMA4!zS{g+k zkK_aKxp(*O-MBdaU(IQsKWlR>*88tM%VbbjSLZsL-IYDoEhHq=`Z_C1)W)VCghAiS z4U3{=ZMEQos{SIiZI9A4efaeXU+H|6$FZ@F(CIE-d>9@c4zXj3dgDBsHgC9!DfyPo ziMZGLAC05u&%gF8eS7TjHkTEi)D2XxP`FPJ?62{AY1PNbs1Qy)I(kr8c$bqUZme$7 z(IZDpLBz!PA7NGOB|o$ysA1I6ZnQuxhNUPL5}C@Uw| zD(tpn9@HT+*8Ifbi-|8qoG-BxNV4@5Esb#0eY9i4=IsN|m6UtVC3LB&sv76J^Z{}4 z^Y8Wjv}Nlr+4`lWB}jV9K+p&I`QL(L;k|-ve^iAt;7Z0md6KHl2ipl~@6+`3^s85| zZil9kexP_@>~srPpGrr}yFJO2f}a(#7pm@jMis zZr4vnpS({*8S%DKH!)!;u>UnSCgS|X@U4r%bxBPWv@ag1Q3p6>J&qA(XJ=UitUO7E 
zug$)DuA(*V|M)CM(m5eJ`wDuGe*J4Tg^f%qq?}llnyF=q`BYV3?*wO5I*Bg%)M8c= zpH<9PVH@)zmze#jQzkZdf5};~QymMu$|1yM(tCO^UWujq%OA7J$;s(E&3l}G>-+cb zo15Lp2`7|x@|g!!j11Skl8inB<&uR){XW>r4%X;z@2_tboQ%bRRH(J2JtIF;u{nPp z1>{lh8*Y`*40C{abh3t@!z5Ybpwh+LwoosX2`>4CmL-1DNq58NAH2$|i&IeWnjT10 zk2cUd){`aWGk=KQ)5|N_hqE-}at3M|<;sr^4XF`Cil*;{goLD|{K6)=;^G2rQD+k0 z0;ch5K6y30^MmD07@rXXHFUB4Dxqu#Ez$-WNlv)nx(spqh_)g3qI${6h1s|*gz2&! z3MY5&;!NKbr5mLar(dPK`{dUKGC^rV2R6Wn# zma@O|1PLhE`jbGUT9igABX);jkpla}+YHT~X;+$?1iq@4zMb9k!%NF(GnMwf7?ohD zvUh}9G#*F^VH|R2OX}>yDuRv)B&JA}dBnQAxWL@pn}E%Z)>in_m4V*dYbWFP+leod z)l4D0{K*2m80{|U{_-U|A?UKeqoSY73sV4LP7TkiL51~SSLml0oO&pli1z*Ik(gi~ ziEAjbAU_{?cx>>?OE)(+2vS&gK)}Ol+WT~}@M$Z8=ss9hr?s`?wfTTE9WGtMraP^x zOQi61R9IP``3#R)^N^P>e6LV#I-sBsC->6I7CmivWMrn3=J*HaCl8C4sPv;AJdlLG z1u?~Mw$)~FGdj4?91oRpTlbs^iTJ@7n{Kj zG06(LLYvm3uFRJohO{I7+>VB&naWXc|IAv&pPH#A5AzQzL<)|&Rz{Sz3EB7KI z@P;X476Xh+(wPZ6G|sc{jzedO1NsD%Ppxp^cqO%Rft^kVxrF*yIduZe*mK-jO>B;_ zNx>l@wAci+wANd5&JKMI7;gyKbL2wb$4CW8GBRU@+&UJLYAcb^uPALP&UdyIS}lw& zE^clBqiV+uDTcZ_sv*3SPSlS~4zP+}njg-t2ZAXqERjB8UqE~Ufkh(E4Okg&lA^uzURl?h7M$E+74Zl>t6MF z;7RG~BnX3V)uwEJy_8lr+WeWDKvKTdE9rCmybmOu>({T_e0qet7{Fon_G(aIHbKwA zqVB?6nv}R#v}UsC9>K6(-&1dU-OJccwdtf+soM`IM)-HrV96%WeTlb-#E-5`$!c4? 
zCx57lYwOYO3o|gEnY2A+5yP9hVfT&U;o-NOD*>m3%_~D#LQ0 z`iGQr&kc{6AJq}kNd~`{#;H^0Id=NCwtNs>TSymA!;@#1pePX!9z2kCY`m-5?WRbu z_ks0tqC-6;PmimuWOY&9w3wLSa8ZW zhu=Dh9zLuicla3Zl;GYl1NKSVbyVA^akjLRw!efT?{Ba=_o?6b7)P4)4+M60@BH!m z7n@C)PLRaX_ZZ&)k3VL)Id`I_kC0C=AhZ&434w&%1ag5|kipl&BG5c6=Om{RkBPI; zEz;5)PVuY!`&|eBlB&%(Lm92@K z!rlbtAQOgs#z7C=13|;rKyjwA@pvM+|Lde@)P+u`@(in zy^F^^I(>b@cE%nGI7Ghs-{L7$G{|60&vj<*Tuu!%qPdy-yk@+8fi0{YO^y_aEk@uIPjQB{<+ zsIjM~6uo(&$6;h>+APbb_Rp?YRqEq09p$YSYGl4k1J`LGH@W zI~ubk)s#R(YNnAsWyi9Isd$66!uhqzfrE14!kV9ae_vmaO_3Wwqq{q^L3!Tzr%#_i zv;xh;I2Bg=lz4X&~8g#Lr>b$t;n=<=awMTzP>)F=1jNol?kGRj){qh zgF8p^x__U$o~xVNu1YzOz(W5udDGX`vNToC^bIRLNzhWHJ;viR76DQq&SdvN|Hbib zEkGJ-62UN<6u^GQ(JwIVmY1jMOJ9S}QH1)^pAa!q3MPHLEWnfy>zj!0oU@+fgeqad88mU6dbiDbTMw3m%A#(e|VqsP1QdoJcA~ zGyxynWpM87*&E~PeS)EEQdvM@7Fujl~z{v zquVw86ht!ML(E`nc0cY+U=tjg73Aqkhrp_CD5&EW@ycIDI0)i)=@8KI>C>lMvmzs# zU>OIR0}%*1#}Qk$w1QGNv}Ej~M>-@Zn2Cug(>f>~p_Tm-5{4}^(}SmKZSw{(6Q5VP5(|tCr(o2a46!^l)8NRGM|9J>4Tr&IG=O=KJ+R3%oa})XfrJ} zb%VQzoz9mRry|w*u+LsQkL7jy39PuMJVXMp9iw>(s4sHfq0$d;#mbdm_h2e(Tbqb^xPF8aIZ%HXGE=FLAuA!5W${eaYGh5!T*5S-HFl$4aas;UG8b9SyC)8*UQV{=^;u{%-G8~Ugu-=j=D zJ@Y+;EfE}qC1&>|5cdKggdB6i%IZ7b@y>+cBXI}*j&*6X#zaKpt^jVs(-*HMMs+@8 zm-WcVur9yNge0SD2W@2IIO03t6Ob65hZa~#wp{08Ic^ZzdpWFm9&2w^`=P0#^?)#! 
zwEt>haIiYGzNM|{v$8ah@+dX$7h;_~Jqgays8aKL+?aX>R07k|(j+hG>gYUIBH%oG z=u|X#B2=$d{HRBSu(3az>a)l{m7kOUiU1rc$L?a^s=ND?1{NSspfnbva|<@4;X~de zG*U`5ous5>qi?E6@!<9wvL;_BwfguI0xKQe-iT_%9gh0UU$!!P?A%*{CAaafzqZUd zrbyIZ+Xuk$NSXsJaa${hW4Y>X&57#FA-8Nr z_U-%IS2tkqf9W3d8#iyxW|Io}*EONL_44rH!>~;FrD9MivCUV8Qqpe-H9fXLr5v*3 z4igs;`1S7Z4R4cakA;0W9lx#-{vibcH8b|)Gf9Tl)YZjGyAC198@R`v_zH~T(&Y^g zH7Z`TCw2Wk>p|JDsNOfg(1Hl-8Zxb?Y7~H+Csy?=jrYS90q9;qb}VODL!Tt+<%o9eNDG(d=j)}UQvM!0aEK`C5?f`txrzUJ6NykTcQN?fXc;kG$ zPiqCWcVIlM0m^EY)ZPOhNsgT+Pn6t{Xfn@neEyvA2P6l8T%0d47yXI=9`?~_Gm6}W zvb4>A{behw4Sf=QqnErs;QRR8oR+#e@NbYuufp1L*;L_c(QwDE!izRGytP|XdtmZo zr(M2sh0#fmKaxVrHBBUR|G6ML^nMyVKu8w7%){f&A@^`2C8bjTwIxfd9320*+q$fPSIHf~&jM=70}@#f7usGL*Li~(2*0@fa1aqeFb zmSoShW_iB(5dqlz5Ql^B-a0mqk({saU%PRW(KQh^YA?P2i!j}6>J%e&rJ}WU0X>&p z{1WWzoWCdjz#2OHFE2g;{bgrmT{U`%h>oi(5>wi(e&`~IMhs@``?42GBjlK}N!$L~ zhtI}Bj|nl{dXC5v*d@vZeDbugurSH?rp`{^!G=TxnNS~l6b4dQ$Z8amRxr#B`BI89 zxcjfr-sP1QSC7Zd2opiNzz@O-?~%gxLRDWrb^z?CNM&@HH2R|n`!{pQE5pt@U&c3ja5oB*+?cqZnFT}QNqIfj-1p7;Qr z%S@PAfsMzewnJ9oRE;)a&qO}43ezG9 z8MFUp@c~4yxlv!#f8RN!$by0;)Z6LK;J2W3;8rGb2ltw&>FIeYYHAj`&$LlM#i29r z0_eGw1ucus`nUz*O6=Wx2IUwDLRctr-trn|kE8zAyVpIDI$gxpYLYmiXcd8D{{61i z2l#c1Uy=0GI(Hq271cdLbkt9$o#>#xgP;e}0>#Ud>WR8iKqmmE4gA8*848d`*x0qy7+( zJ`+^YsN(g$ox|8oWuU+hHb6=h(6YfVuz{5IsYx|1-@Vi?(zHoCX*FT(c{`z{AaCM|D zgr2*?u_Yr}l@UW2ztX=%@YZ)=zhB=pOW4Vr=l{L5&wFKi~7=L*vf3nO2;GT}4Z9Mov98xHR)IG9`p1|82h5*%V$ao`r>++`KjS^;5@h zg%&Tn?AZ4tt)Ei--+Pd}&T0}Wzp^V7kG|Ozm=@%6wJ9SerW2|%MX^O<3f9^j(!Hhd za$mwh)_im{3C)~AOpjWXG;|2|>Xt5l|H(AdBOlJoRBe`Hq*=M%Z5Evew0^z7b+lP%bQCMP+9_~AnvR`quyLOvTyDb6J4rQgK zO2?18kF+I@6*tlhZ{&61>Iu3X*L_jt{E6xDg%DA$jpXat8Gxe3c`*paw4!lh96$$b z8ch&!Bx6%k_4_4WGj64v=kc{MCD8`*~Hk` zp}Tm6QVBsGAlU3^$k^90CO5;J!a`YL$F+cU=~)jQZ{NPXgKa+B zf2}z6GR{c1As_7|qlrXXavytvENoDkMZQa9@0%#0HFiG?dF^+1&r=RDGj7I}rzKS@ zA2~d1-MBjoq0qbCpmYXWw~1Lz;<>zbCrC;T1%*-4R;U8#lN=lt1_l?bo@R${hXzL} zI(xrKzK)MSgUde5D&*vp4sho-vR?o8%uth@*o<4A<2peax9_E6_wLpGwRz5fPcX># 
zXKgE(;J$tD1x3BrRt`e!zd-L`Y`h>db|>Tx+efap!ouZnZeD^){TX@(leX(y8DFHC z*(m$Usv?yWqs04M{>eL5bx}%;9+4wdO4p5bqzK_#Qp_n5D*+Qn^5LbQ+Y*- z=f@a}klEk3F>v^&Fn!<8pY-9n3u6RptytL{{0xc2$H&)EvUY5xR{HMAyT_aV)uG{E*x{ouMyBz|^h{$@!*n3T2Q!R7qo z){|Fv1_X6P!>l$t46@2qer8ndh|UU$HUQPZXix^+S9VQBJ<(n$44t zEt9tI$DP?!O#CxIry+eVLoEhz&FK)qbb$fVDQuPB5#?9pz)Hu$bw`E>v?llBmkZ#4 zi=#AD$9xUJ$=KLxoz0-7Rjh|u5BElq(&pY`iU>|M#=u!HLmtot9UKg3lA?<+9RnrD z0+7BXpk@xf2_q79;WfnwYIH~0LlK2T9>vFPvlbj0`Z}27Z((4w(A|f7AQ3`iYj(GM zM<6IuUPBqBt=Tpa&76WzM~Xly3&x6negFQnOuq51nXo?w9ijFk=ON+0>f`V4kD*NP zJaCPpjvYo%wa-vS7eu3eoq5>%2D1%dceA6N?bX$)y}aT}iN^^au1~b&*fY}y-n=v9>&!cS(x$U8 z0VgN#&5J2kNgqaW$Zl{^Z{O|+%^s~Li=Ttg@Nem?Q1Z2z5K3?5sto01sB(1!=`QMdIXG_ z#N*<^BcanlqA@DdEU^z-9K^z8xH!@!gj2fEn59CY%5x{Qv=~t?GTu8zXzth7F#eku zhRB1FVYPsXpAVENpAN)g*Q?@8;Z$IejdT?iWM^j=7i^%?*1|jigU;ErJa*PGM@NS7+fNRkQwIA6nEY@q0MA~KvkKdRv~dT17~%x9jh$}JlqnM`DqS9} z*e8!4%V18=Ygf_+s$-qVpz|giK39Qk#$CB)LCV-vy!VT%5Mrseu~Fu8wo%0^Aulrs z)g9i?E6VJ<31X+iZ z0?*?2kkD!(LyhR~zc}yY)SYyi7X~AqP+)^;iy_u<6`GsD-paz!5D_IsMJGYEq|+^L zF^%yc-_=G;*D-v(t z<`)!%=1}M{(SuXLOfRf1O5_BpCYU9E$U|!VYm`hS`-(wawGb;4ROsBlYprv7Q zVaA2)%$?tj*B1X(R(=v}tgQ`ETi?XQYhltF@#&dT3LQOqvElR6W*hPoj-A!&K&#b z;w4IIdT^<$&=YAKc(y~myY0ZafmfD8-8_*})E!x%3iXJ21G zbJ7cr6BMO$VLJ>4cX&jp*gH8{W*E0gaQK-khGZ+VomGOxyiZ^+xhNke8BpM|Ito=}i$_*fwTS4QZ^I5DgtYeS?mi65g7N(7XG zHd2oNnjbTBG>o+5+1m&dUIz8XX3$G~hEg_*d?Lhaa*t32Ga2FTI6T^f(1BFwP7s)Lb%`h0`5nSyfF9)9EIW zq3fvv+R7@PF*zN6L7at?F?={3sa-svW3X@)GfFq*EVJ;ej2Of1(l4Wb<+jm3b|zP| ze>S;oi%@Bj9{;D>TAcOE%wve6(u-Yc(e9viHF4WUMRjNWo|-3C5NzOR7~wwPRIv<= zCQ}?w0h9u9vQ_$yzu$~x;aATUZQ3V1i=+303J^6wo*jdh5Tsgmxow`tYC(^loSmgO zZ7^(W-Due)$1#gF1Te;abr|C$SOsCXZ%@w5$hi*fR1eXvlxM@)w+K%FxE?fzeVgIP8X2mOe6?=O0b_k=w^^A_zIkVMI!HYm0u|vWG<7cRW zQNrdXNS{slpo#1V@frMC=MB9%12k1fgVE$8m|;EpM*J*hsd@Eba0Sy3&)BKSb)x*ao z58TRQ8DsgK<_gLDN!ENU9zyIw9RKY_NI{h~HNixLI1D6&lujh?Bp0KeVkKFbMu}Kz z66opa@jnYcBD9FM@TFzzVFAYykw5f^rQ}0`AZm60h$~Nr{zW%Lu~h)&5znCHn7Qz5 zq9+x~_P=WFEgiborFl{Yvf~f*5^d#VWr+jG!nrp0pjK1759CfW>R2|qGUW9&Mwgda 
zVmzLKz92m+GV%lgAg;&L578R}rPM)R1pt$jl7hN}2oILcT_Q~G#wG241_oJJ(>`UV zn-BHtlGV+NWa4=k$-ieDj-R{VOXlI_rI{d@!*$`NUzzU>bL|i&s+v7%c+dElPP4Y7 z<4OMl)EzVzNMyj>k;IncE6Dm>adR`^+lg&DJpSRs2MDW$^F6_(M~I>iQyY{OYtM6; z{0_vi%vc^KoHrnk?Abui%&bBXEK3*8tQ>F~>td&;e|l;GffCr!2!08OiOo#(R)Uhi z?81MM_CaEP_^}xx1F$R6m|8kJi}1(;#26q0=4w6nLr*57C5?6!wFB!;xWSP_>H1Jv zS^rof9UUGRa^1Rh7`U;0Fyn0pD+?ne~Vy4H2R_pCTg~gEXeqLTo=p2@kg6>%}EHK6|_EeAm`n78a z>5l(=>_nN5`RTjqJ$4N*IxS`b0gH@GOmK)-!S4{xykAyc-dJN&M6ow!-`9?KP20|dtc8vmH`%5-;=wZ**aZ%Skt1EK zaxXS^6nB1T$ZKuYH@6RH3qCL`K}qMH4}fcd>qPc|K5J>!quRqF$j3+}Uec5owWa@* z>>9Q@%zZRg$}>|yJP_$PUw|nz$~i&)118Deu0`IGLADXIc+z9e670}bD8<9`6PS_! zat1*29KXmwMgboA^$T*n9}WZxacZg{?jsHjqk5!Et@qfyF@%8O=x-440aJh^ZT5-O zPeqDTU*j*52Q`KqiPXETwzjs=T*^nJp(Zg=gjEwGCy&VvugXo&n7Wfzx;PB*n z0*yecbahLeJMQi~j(u!qZtm(UPUZUPJXaf@*MNP9>5nLFY*nw9s{%KBC9l^>p9u@Z z`!zWiASV2n^3)gee3w8Wx^Sq=>LNuu>F7R# zO$_DX?juzcU>$UlV$>sMOG-Lz_y@1v5eaic;0YTXPfuffT$v(_pdAW~jI?yK^)uOe ze@s(a`b-2umB)jDYL@;w#0L=tJY>;s1(E>kkqa8;xiB(t9?uSkHOG&UvD@f$Fq1Y^ zd=V4xR)R03%bYuaLopB|j#xC}3}$aGzyI_pEp&-$e66)$>&F{ZbT`m5Z)d= z$p5M;=~j#8UmyIsJo())b<$&;&q!mSO<$CK_PvYSd$+R+lHSJ^33Tfc=NR_h|1np& z*e(&Rt<-X!(W5wSu2-ft=Akcx)R9_w8E)#08#f+Im#h4K`MIZ*8HO?eAb?P>H3&yP)3b{5>8q2ZfDq{`@xVbty^w-~iZfZIpvnwe;i)MQhaRM=Z`ku2PVcpURQn8JTL+Bw;WnYwAuf)xhz)|rKPXi- zHtw`Mn>uyq&>^EYm%js^;3-pAh8hoMmF>F~6%_@5eKh^S-MiZQ`UgGt){wDk?IPl2xlmh0v1n@z^qWa20piH&W?xF?y0PYJ>J;fByXWQ>SQ^s%mS8fw@=| z{Cp4=k(rv$QAK^4lusx>nlIh~>|Rt@h_nr!DFG4b2pB(}OSnGo&h609TtwnXr2Waq zj}dVRu$K1TK=K1mc0)R$D)bc-_SX+3bRmFuEw`OiCsiXnNe!$NKz{Sa4I@+2vG%;M zvhQ$^1`*f9GoWCmFN_w9oskrvaE>icp&n#y2q&Tx-OxUEEC9nc$Bt2jRkj!V%IL%x z>g)d>%H9K<>-T>f{-9wcDpDdNk`YD7D65E!vPon`k+RDy6p@jUNJ3Vb8AVpf&Z_KP zRz^mVO5EpLzyJS#KgV-F_i;R*<9GD?CZF|wU)O7#uk$=FNFjDQG+MMGSLO~{G020{ z@}hW~SOsD{0x<00UQi%^%-stO-5RaZsG;(u4jvTv7pMir;{GBGar5w;e|7Z&0`m*+ zmT*PfjdX=zYXbqMhDS^1N_7! 
zblw(3Nu;CXc#1c?eZTc=f2a0`seJ$|8t&eOu?r{utXTxmf;BY)6PN5^@*nKhHp zrRDvZUs@{4%PaQ!d&AOl6ag7rQ&67)lq^rpEe~zR#@f!z4DItD!e;>`1y%>xVN6oN zAtSRDYfN3da!YA8dD1;VzwWalMfuo+zQz7Xg@2x52EXtP?Yf@c%d5k05&da*9aj9H zH!W-}8e3R+B((O=+%QFVUI3xgg$FHfWsa;!5w6%A*P#ak>vkaQ@k57I5%HYse z0d-+X$!>nMlu-Gpm3pD=9fOx8a1V%QEG%}gv4zk}Vp%@lf*C8AN|c*?6EiXb?Kc7}8@yReqiCGFY+YdOff|&%Fr5^3*k-(q=v2X!h1}{Dz$K`` z_PHj~oi;LJ;ea;uv2zuqV+gp~JdM4<$d7%OzB8l!?Fvq9P-wdkTZ( z6Iak9&1@Z7znlC=p!%4$F+6wUMoC4*@hBAl6;&YxVVXA+HF@z;gs@CR1Z+f`izHU6 z2aP&s&w>RT5i~A`c|%7JH^S)?83rVfp~1%vA~!H72DqS%DnbXKk7%Ay~xT| zg2Hva)UEBYuw=~b+nabI42+G{lG`?@gA`$giUl>@i+l~XOnl^f0OD}5;i#E=O;F4M zfl+)_BMj(XPL5EPX5& zL}@iOwNpO^ubYZr7!E8cx@2vQaDdDA_Gcjw)q{^bI-VZTO2s>B>*^AExRc3LnNq#- z^8TTr8kjL4E1)YBg4>5xQ!IclhUIS~k+*N(4i7(LWAhcE3zxMIp%_>W6np?p!FGi6 z>&kgWXXiy^c|!GPz}zX%CKx7%MypAXj$(Vk6A|mfq0!5kzUX^E@fBvK9Ud03=C_^R z$kkKycJ?w&s5PACMzhI zM^Q{c?9DzewlP}id3LtCE{Q~0m1;vlLE*3QW`p1atzU$7_`Z_`@O&M2D29M_jpgu@3KP9QJ_c^)?b|g78$e|MExSpdS0Ek~4;t;Ptt($Jz^Mr(3I(j(0Je6Y>W-9a zZ*Sj22b1FH2M^4JK$17Qaz84Hdu99c-_8##od!lW8=`sD@E#)Fm}@eR;lH z2kvb%Yjh!W&vTEZ5`nGwg&{+9->lobeR~8d2V7?*K{_drm)M6X0P+9Z>J6;snEm7;>HPnb!pEYTa;g|$>y0+{~Xg=&tYbi6q=H&+-oes4@G?;N03Q)@!+ z^R4$~3p`jspx5Tp!7Yoc!6ioUtQwo!aNAmRw;G03!JF%ZyWX)K``$Uyh|MmbP%!#H zM@I*xx?qKE%QzR?^aC<#|D?pkoAgN^zrve{{&6aFL`d`wmoD+i*Hu=^zS?VhS5HkX z>(#56H>ODOi-41NHix6OgiD~cgFp~$tx+{rH-N4pz(m9Ug~3c)M`zw|yJUQJQqrv` zv^~V%FRcWw3NWdngy%;|JCt#ZfWv`}6Wf^Gqm5#k+oJVWGsSCro_Pj4SkTEUD=FQ< zy^F(5op&n*`fbK?Iq+~QJlX7zYCx}L8!>lAn?_Oz$g{VJpHc01M%vZaX?7Sc&BRq$B!KYKhxWd#W0^u zS&7GYp9f7`fsQduj=Z}d4C{I8fzdWTets@Li9K|~GOl9aXrH7+93?QNX?+WFvFI}3 z&?wgD%3q+Dc6N3~r42woHZ~RDR3nXMc`&jgMld{kiy=ig25HB{nc?r( z_2nFde(h(lR7A;!%7|as8*>&PJIXs+y1Gyq?~v!6Y?TWv-J9O*~<Fcg zjz5le1!XZfj^;l%pH@@DZ2zrQK2|3-4ZL72qr3{Oo3S+dT})(0~*(-KV{FwPGjKgLP3AWG8H3xmLoq50u}H>R|^ zMPcygg2@^YnTR`SX5h5^U0hZg{TAduj^ItbwBOsEr`(G=e4at@L8FZK>I%w(4cnNb z1q|L=9L5qAyP~V7_j7JemJ-ny!k+J#+yR{d{t8bD`iW9p1woVk%1VMq`>rf51mW6# zX}TNrJ6caq$csHaJ#}@XWm#7`)F7K&V%dGBw5$wO|IF;Hy_wnlgoHJ)Lx27Gvwz<{ 
zl#!GBzBpz4awEtT4k;; z_+ht(#>9kCxH|k77a#_R+#%**Y`ZX4n)-C@NtDRIF5oZsK7rHL+FIYhp#IA|>Ygds zE~u*Jc@`snp^}!is0#zGe}Ug6e5d<(Qd-)brcSi@+RFlB2L>*kFJwlwe*3|_;NZ7a zRp`aNe*dspWw3Juvk#pHE=Iq+*;b-}=|f^e8+?a$m%Ix*NjWrf!Fn?-vuvU!p08_S zB6Qit+hG_SYup7nNH4VE!aSbs zxK}AUGfV{3_%+DnC%%3~VXVF^A*RG1$dE;{U6e%*UG)`U3ab4Aw?Y{rYd=XchR9ok8}*cw(s0{s#ei@0`ne7a!<%%kHHI}P&*)D;JzG*AlqlARxh%F$iP#*t8j-Cbm zQStTfR>L!Pd9`D6S&t=)3Crp8rCkjTDoCQ}nd|FqkcpQc>+j%rE3@aAM^|58X>q=t zzsy?aq?h^3wYecVFkpb2LMMVnJw1f$j1VT5_7UY>-fL~7xUP(U*55ZZWS5)Ft{3DI zUOsgpfHOC1NUKKn3n9REx@=w=D$JenB&|Yxi!t-J+D<9p#CMfVqb; zcSiLOQ^90SUX1m7fv4}YEqHmzHtNj z2pVuRaH#IT@{_(B8k%s_kw;z`z}oxw!Ea1+yQg98 z^z=iYKO+LJcXF4e)+OX5i+k82hkz|BQWDnsZmbFFjc?wN#mRiWDp6lwPdL`h4J+W< z18xF(18xy^A8l1PQD4{9)m6T*VUWk2?SjT@w6pK~+0#5Qg?kKFq-A^ZuJ30t0JQma z{XiRr*N@jye0?eMTBOwB41yB+#S4e}``pOJ>_Pvhj!nz<#Qz55)$I|KpFm7r17=H1 zvw;RcNTN)2f->XTGc?sL{r!Id(+egukd%T@5y8|U9=_@Osbh*`(KOG z%3W1ECdA0hECK4n%E}6&D!ySUn6H3sl}E-?6ffeVU%Yrn?c-VANYI*#Dl}G2^bA+q zt07kf(wgPD;JdhvP>L3_Wj!6UW{^i+|LMaA3`%z|sZr6(BL@RQ*>%jrO-G0DRz(V@ zz1WL-gHmW``w02j_z1tp4=!!@h%Lh06KKWESC!wn{|E5n4MSFW`6`Cv2%^AXki0mH zY3g?}1v#T4!zTlS!rjfSa_rK~{;OQQP^@9yymPZqymBS`&Ye4ubKSewgkB+U&y@>r zTU6((wifN*W*ZxwPGxuiGO*rXetQ7il3#asr%C&ua#b;i9?KZ5>KBLNfq?;}&D)<& z2H(Bg08WHA%-~?w4WBuXs9$j1w3B-dC5V+hfBy)tWmQ1=N5ZQ6(UCm*5<^zN2poPL;4WSI#5+A7KL#WM zD!1#ni}yqBI)SB+)jHYxau!n!qDgNFBby(3nGe)TaBf9weBW2RcmoW|icgvC+B^jx z37^dHfg1(n7>@QpUx$E+;c;(wH%vk_urOV&U3>H3+~~X;u6=)j%}2C#4Dx^oe$LM` zoR_cgJ)@%o-{=|)K-MsPC#H{U{iL=type!C6%`eOS;VtH4p4`UeLriasinpBjNj(g zztx~@FJpKC*%t-1J}OOu5RZWu@MOt&*yuwhYpkX9eg2Embn|O8nrJ)F-NZG0qc!2c z1-KUy0zhI7^ELGGh{eh-iVm6hgdkenq&57itg0HZF#Bj*zkTM$f3Yr>r!zTf!1aDe zNHd<~wf6TXfM|?SMv>V7Ue&bhW?^Z;mBg^Drly9H!$UQTuBEy8pr|M@KU-a0MY)Jn zH61X*=r4cMgzD)SM(AC;U$UMDR1UxZ5Ov=40j!UwRrjqoT3t% zh6m~a6NU~DJxK;1M{X1hKHd=?{;3Kv44&l=V`E*4j${F@7#3h%Up_o5EeDH; zULNu~i_M&N;PXII7kuv?;4j|H?S8{oB~UI~D3M7@5!6$Xfr0~D7B3P$y}XlT{Iskx zNGN+*SlmCqqhfA@(*ltAJNGA!BIUw_f>?!piZ$Y|$Vmjfj8w<=urApS=*oW~BFaOP 
zlR)I)3uJ`Tce1j8zgxtjjt45j-R5X&I)tQ+LJhq;ciZs^w|`qh4e0iZBT3cK5<^!d zEH=xN!zv!l5MToFW5>LJ%Uj%`@KH2dF9GMRBWxAmTy~#?ruW02xS?_w|+lPVSEMD@~!y=Tr4S6hW=VMmX{Tuqwb<_ zXl~|_qIXDt_KedHO-Mc61|P96^KM{!ATS{PzU{U9t{0I^W$355UMg@|yrdxcOwVBp zttN$MG1y^v_tohJ;;4=eV|QNIlf*=_ziV~|b2ttJ@z%(|0PYl16BC%a&j8R|3)ny@ zejMITaL}ASz39A&b`u55ufjRgy=#M%y2o6mWAM)CmJ^P7<{GnX;8Q*}7Y&sy{>mv1 z3JK{I^1fL{!HUIYMb$*jT&YAC3eti&?;)2bBq% z04TcKMz*~-i~iNUA@}Y@U8x%~x+QS$pD^;JNy^uTzt7zE`(JJ`ta1Hj1(ieFYppydE0%Zxn*lrkOk91sEMok1< z4}B0G+)h-*xBElIL`C0)=IRUZM4)77L02!pLiQYmr87z#6e!`_tuLNP)QmYj27xA? z1==CU4F#-Lzc5URy_X`N=iN{o zBfYiM)eR-6*mE3JJSe-q1!GZCR}9zRN9^YGgF%Rf3%fL1s4J|8{lfC|zvKGO+Z+cU z18HHqTNDTs9DXsUF%=}c+3!M&`)Qh|52PND;`U>45fQ%hlQ;=w=|ypZ*Yq@!IlX*h zV&aFO^6f)wez0yp;|){Y$RY500B9*^c zu>KWVHxVGl&3)p`nedazX#3F3yP=LJTHNX{^SHZodyfUrvWY_W4|cc<-Wd++;PU(Zb9N2)glEcBH31Ej_;uZ(T9%Uq_u1z-u>5y%5NrZn{+Gf@ zgxh3^(^pR4HA#%H!sL`U<}(yjj5T zxpwtx<@0-B9ss{ZT0n&Dx+4ZtlC$KSl&w$P0$d2x9z2i&LxU$AYpSrcS@H6JN4}Ga zAinry+8hpDV#%O;dZN-QAM@T2dR*bp4#oRUf&;MGFAR`Na$bFNH>O-+W^VXHG8|i6Hg?8pHyyIN`9eeC@~D<-7B+ zgCR&bph-xC$8eRt>+$kPNjE*49}%B6|>E zYj!r;;SA789ozZ%_@GpP`Wo0o9v9}27>Y6D@*rB$ZrPIYY0c8r;^M_Y3f|eN5 zKx`jS88J(MAFR5n>SYw*DC~WQ1xSZ!{=)&NMIi@T43*R%hOifF$rDHobtnE@ z1nC3-6=B8=66Bd!oYV&}8gIRG#|{`hWMM{wkt_-Y;DJ~)Xk1QfXn?uY`r*TFSry}f>FMAyq@TYlzw)5~zIPI*bpgd@m$oAL`2A0)vh)mL zs zDG4ZuIe<+ot4&n~t@Earv(IE`Z}PohVKMUU8yh2Ibwz^UT9R!OYi33UWQ~qk3^Auu zfzgGBw?Q59>$2H|QwcbQ%F4>d#_>A_cFW`c%W&~9KKoFNHo-?1Z2}%Ndm=*_1XB?U zz{d>Z(2i1RSsugI*Fs{M~X$eD9u{gmS3DRsr;J8Rj!v^g>;6MqYhx2U4u9gTL^die%0_? 
z0xYG9FsBj|>-fi&2nnH!SFcrX@94nkKzQJwJy>;BK!*A38MRbOdb$Jp$dwn!L7Bk2Q`cNSJIlDOTrC>3W=z8xG0%=J#ybueH-2uVQV1G4bx z(WVSSY+W1a6>TQhfNl8D#oDtpW{(qqf!nDQAcdUTVgTy zBpje24c!q`2CWr?7ymzOcneAnRQ0;<&5ey!W1X-x|Io~S0%fJjIBHUoBF7`eAjz5l zUDCaiu+#9_f0V@Dh*FC|9y@YnbKHB$O2BBI0I;N_dI=QhSl(~MFCHEq0Hx>h%r?G} z6US+o2VoX~Atf<5X=X%FDxg(OVvNa%O52a4N*yks&Y(=hxiW$J#BqC+iNGHVH8;B- z&P+`mLnHv*2j%}vsMd~uozw2?#^^uUccQSxh6HVpIEBMuqz*9H-7aAXiDg`9G{3r9 zT7Q5vpz;I@1q3*5nyu#l>YP}*IBANi8@nZU`u$sn=na2Xe_`u9zdLF z#tvM=IvqVd9M&U%`41|9`Mr0Dvra`-(MygtK1ga22lG8F9ZbB(=$Zks4M_y!rJoq! z)`DyBSj^54prN@rSGgV-c%-jL_{fu3O%@j}Bvu}Xal_V*Mn=)Y^h!datEOfQuS%H+ zSQPpn%)1qKHE7;G9GRkfKG*an=HNi?(KDm9z8m|F;>mV>Votz|QQEYu&m%NaT@jbi zw4%B0@;ZpGf9r5$BCRE_Y8DX+=_O<3fFraQmKhT%S6t4;_YQOUMf7L?I~SlwxAn zuomq>(~VE;zBuVWBP9VAC|2qVeF5I}5AwpP0YO{8@KQTydh9DXKTrTw*!5O%E!voo zo^oO6kBo!t+@<~uUzRjM;@v?_)Dx5uF)?naG~xKV&f{q5HIXwiqHs!9Aozx{40G_d^{_0uZH4Kb4*N4MSxR< z^LJ55Euqn~P?94NZ$tT!h-1?Y$?`wfcRG?_4&dZYn!!-8e>Y4wS4A)#d?007 zN%Ct2BGTk-!>eE*Y3Zkl%5eG}#ebf6IFdo0c9U2(Uy7Md?UvreuiXn69LHL=N zcx|YXY(*k6QNVuzK{U@q!EztlzqiB+364Vju#5JjlT!iQl@Q8tW`w4ZX6{;*Qp2{z z<#}_=(NLz*-AP8|^XDh86#DNQ4V{if?fSit!z#iqprfShLbEfGg{nn++#1|rP+(An z?MF#ua~`TcJnG7EQ*a0DUM^?#b#`IpOHNfg)uq~Cv^FaB2+RSn)*|w%Im)<>k=S-E^;!Uqpxodi!05O zmE*hbS(%y&1Iqz*>ZT-sIwa2& z84jL||D3~fx@UI%)MHsOc=}{yZ7)#9LA01pfss1ayx>-fy$^rs^mJa2YU6Vt{am{A ztgNie&)k;c;Dfk?guNI)U~mAHZb@-*`=?KHdPDPWxYo5MFk~|}RinDu{wde_ERxjI z?Z=6)fg1e!tFAq`21cw-BFw>HSNOH!!p-|iv&~|pgK3pjo<71KN|LHtf1>2ScCD?o z)l`@n+7pzQy3f_<<&ko0#(Z&@?HDLr1_ptwJ7e}TT9#lsSBPR6N+NXN#BHOZ8a_US zt`j6REFeEk@EZZMU^n-k(}Q-$pxmPvr3G$FQOhFMz(P#OuwVihR#yfR19BQGhBr9Q895qFah8}IrH;1tK5p*3?rE^dft+QX zFWY^bdx>=o#8OT_0C&~iSCM*=wgF;LCZaDs_yGB*hbIoTL>qw4dJ6*H#K`7z^}p3I z`>ruLYLbqo%k9jv;qpA{e3XpXy90p2VC!Ak41+_c1=3PeK@UGH-}p;bW^L+iIWd3k4W@GOK0U_sIV!#*M^TCm41A`Pt`IDil--KiSR5eA?N zG73Hg4rROuObNIW!xd~7DV#1#?eBoEyVq+uaVCMEo^d)CCr_pkR-W!Z)wjuj5jXt( zFv-cP>uQl&;O4csaNDWX;?HlkaruSP_*q`M1cIM`0^@-3X-w~>2+b2uL?C@qn>9)T 
zbWV1KxW*d9dBW&-`4)RuM59!ytDdx3lb<>A>!hCsm=R{-G}>-!t1?k4M-Cqb(Eugj zTRYff0MfG&?Ll*{xVG=68-}R2>8ZDD;g+H&`ILgc%J|o)NDWNKdM`&(9sj=3MQbDV zBxDpsJ`AHlcWXsYg&HE1wX?I6fN0^}wuP2{zc zUp>)rrl&SyAz_+HZjgn{heMgluMXdO{`|70W*F~mIx1M4qQJ@d86OUqrtM+1CBgvm zh^w zOoXg!SP92n^n(zO<{A%I*PrNYF4ST*A9I?}1ji#g8~@QtQ1N?4uuq{aMTrF@*zMUt zmr3La=c`x2yh8Jdy=yZZ@kad&FOI)qM5&0m0GpIcCIoKnu6$ST_Em(aQ@%jzobj_{ zeROntz1gAawGV%DUb~vpTd;!Co|}@_^J&AWU-iQCso`Yo)I{d9-VfxJIMDj&_M_hA z-a3r#vjdvW&PVdxA=>zSR@Di`3Y zYVwTBFeZK`9g=7PC3gjQjfPF*m{ZnwZ+vT+X-m4A=0~~6ND}k6gFpqOgaZ}{0qO-* zf+QPIEOfE2ULOVa{wJD5xvpIx$v(4cUP+PBxP3x#54$ikNpjPAxriq$sGa|AeP9Rm z`LVsz9i5%_y+wq$6omm?{`8R~uwF5}-VUS^a|@(4&>KJuZ;Clo)!C^hm-tou!?|(F zM09PiUs(VG3lIb0<_{K2-WQW{4+E4XSS&a#mKdCG-3ywfu7W~U(GtNM$MhB4$C%hy zP(H5UAkm~p+gcr(5LSs=25nlF7Z1T|1<1dox^?9w*%67RQ`j7&Q;Krh(12=!I)@$0 z{izu61bDyPpN>x0_Be|q4E3}1s7uh=Ds^Mqp_0aFI~b8k!|NE0HYlLAxZ+3msH4Qj zn=r^@ZC<`Sj-;V;=FBc>x2qVS%E{eCA>-B1-Mx$B2e8c--P3?cD_4cd*wW5~? z*9*}fs^uNj+{ccUw`-9bX4em2MSQ_gEFUK?IsnqZsw^lFJ+)#Ct4el1aJ2$vi1}1R z<>L$U^DobyJ%9HvGWhMMg%|a4PVI8CUq`0VOZB8TzUtK&QbX0MrWO|YllC&mt8vpK zThZc905kxmhwc@N9vc{S0%G*2z0Udb*@=m7Ooain(R4C?^FV%Rx_r@0Pp83hjaU_AZh49Ysox;#4QFTin?~_s7dr zq2(edOOwLT0ybS`}9@ddkvWJb29Jp1-h?t$)_ zK|Z}W(uWE1e|nArNE}dOW9mtqo`e(atIat4AUg2;*JNTI^&L@;k^|(=qNPy(OY21V z&4X_bv`NWP8kacLTL|iyKPxLObncx_Jx*5>#fklWB>xLSI z02sMiTU+Bt4Uyd+9-euN=}*(cFV17{H_B)CrfJMx>Hl#*LaS$xktA`wDcP8A;k2XFuX0-tv?F?Dn(V;khDVr%S|mX_w_B{--cR#PUTWA=bQ7!1~1 zTDEe)d0-7ouBdR0s8_-eiC6ctdC;UO&iXZuVkSkoe~8+H=YJsUp53Ub=&yhfh>^OP z_+Iqxv?11*3-;!BkgZiQpN)uGgq?rBpHozV34VS`S&uX%*>j@+9~Lb!{sdE@Ye#ZO z^V(`Van2ncXe&WVW_C=+cE)iUm}dwu;cVgKyu1?x6D`06a0#s3K$#j3-X#L~9n*Ut z)95A^itX`1NG- zV;SS=F^~_C<-+LaJCakju_@7@gwMP7G5`cpO>OPS@Nfot`X@1ffD& zdIf2Kyvl&upYt>8BS^+M`~VXmrshU&0`GcyN71S>+6r{!KhW5SQ;LEt*vvI z`p(P_Ha5~E{A8SuylSu3QR?*deo4u1oS<%aPwofNt_E<3EvdLarp+&O=De(FWN665 z;;u1078v;X_{e72MoB|9LF;DV5U@}|{9MPveMXvKj(%k(2tpk--$!AU-#D_ zy^xoayMO{6>n=Mdr?#dL*619fpi*J3mf4Jg4u$opE%{|AK*6Qn=i&%7fSs1WjYxI$ 
zwy|PhP;+R5X{xJxoBr*cd{)z2OdPP_pLHndkh24$5*WuLAf(sXjaAqbBV)}+n6tcAdYd@nCMH>itTP-+t!Sp5YEQoMrya`-M6eb8N zgx-r!Wc^JSec1!DjvJ=<0gsp`q+u)H$$A_D6vi zCa`*9D`*g=ffNR&7cQ_d6`h(MbNwcbo4obrJjn<2pI-lWCXq;_RdL5WOQ0SA8V?ky zKEz*n)29Ac=MIAG`~3O11Ivl}3_IHq2Z=p?VYhA}QXDiG4CLc$NKNH26Yp$mTmKO2 zs3IwYPf!q~zk+}$OwRFgNZvHm)QTCiBO{-HL%S&M-$Jojl6$}RBN=x?kCiVgE4NNX z)D-sYlal&5)}#-ryEBNG=jv-IeIBiI%}8gXA|mpw+mghNbQhfZB-M{h9`To9#-FB* zGI6xgH}?VP89U2n?rhE27Dz=p3aQ~c9D1Ccl~vt0jg6AYrcY_#liaRvzBkVWeo zVD^F{QolGUiF|EJPg@%-i2VaAcsJlX`rY6bfiJL*d_-`gIYvXFkG7uxarGa{Cn6*c z8N*+nY>=-8G-g^u=0@I?>vNyBNy>EoG@}L3Vl9$$Xo|YOYSA%yGVR7G5RJZg9{gvQc^6< z7G|=~A=f%M93ChIyyL2|tf{-f*2t z-T#NnkcK87MPknoGoATqkk-Xm;SK0c&$hZu>H9&nA^K;m;SSz zLlH-bzCNp~ThoY%3d&AUUom%a+a@TljLDsSQfg|=+DX7=bBY>FLH>Jzr_{y`8Em2C zkcKVN0L`4GCn#nbqgusUncX@?w(-1hh_V@JiAiKZ(@a$dhD4-x; z5CnEGF}X~2sDX5PoX`e{4|{*1+9% z^z-ob6!P12taryl7qs;Bwn9z#qQ3OHS{grEAObUgTbrSM$PG)br;Fx-d84Zy|n zHO!yKVl$0j7uA2kkMMX~i_jJ~bqR*XYHY56F|S=?IEHV~b575#=(!I_=yS(it8&HY! zB*kU)yz~Avdhf2R{$4a9_a*beX$wfz>{>V($#z;MFK#~%&&%_tYH%h3wZ-)#8M(R2 z9h(X<)A9c6jND~unR{br*p78HK^EZQhnN@^Gx3(DCN5#-ugubJnhy?2X6ZII{O0pF z?eVM1@cel&5P8s=e5CEJ5I6TI5+AbjeOy)m{P6AfYX$FSK8uM|)Hh4~myXrw+s>TB zKV>%ibiHqSJ=@R1=i;bOuM%r9`<&Uw9zLNS5T$(nD=(W3+5lYieXjrf#=6F2>2T9q zW;2Et*Id`aRZ2l-7CS6@kO$qN+x9xWOf=?zp6n~!8srfQ*an+03 zi8f4$pAIeg>|?&2ptgJfKZc3vWXjq2M~{$i>Oz!tS8xUqL8Z^VpkUCm^KTCyRVB@G5LV7tl*6~}n=C$h@ zJa!%ZT9@aOkuAA?3CmpsCE4t=iMGypklJIsFX;KKdS5q`j6WFaod{`~<4jL+&B-fM zi_5&ct;;5uOxw+WZnvB9<2`k%o-#3X??-s(bIS8ddw9Dod$q+?U1d_H`_Ik%f0k|g z)bw7ePDL3OTpd=C=d|Hx3d%@J;}4_cU_B&}@y_l6PK+0C#DVhaeS@sh{vl&#H^_fyPA-` zG8V4UTn2f#a6^Bg%~yC)qnD>s=80x{O3G-&{!m=f!XH%>@iZ7)fZeE;?} z4_FJRiSpv6CakwJ2RmUD8B`C6hZW79w6=23vWDqY9~7t20`uEbtel8x zb87JRq_c&tv*A3U2{J4OCMKZ-jYokJN|?otEPH+z=b2|g^x(^U@*xZ9Vn7-@QGIVIWj3cl#fC`|$qp`s+;9%~7CgY1#fU zO{k{_)3BAcLQYx_pJ9_#cRtyC91H9(Eh)*LzNMNyP&TvlZHwJy zMEkWSS>zKsmNAd9_bE)16zpREiG=tajCurIzC-)~WHhAGO*R5kNPyNIkJ*r1L8MdA zmi}*eb~g}ZfS3W3YF3>J*6Ioh<~V^!URmzuNf&`96vWyw#GyxXhrK6N9c$4X9L21V 
z=jzwK!0om4?NLv=dkkyet@u}%nrg|n_PCebFA2=`@0?5?=4UKO z5Y?MC%YPoaCy+C@3QKld7YhkKxX2S>5K_L95pi)46*J3=!8TCRw*Sy)c&pKF<;MZ| zbRXy1MD70}C&AZ^74os|3_D3{6zkn;9T1C!PLt2a*Uszmh(C92?{FA^3$?aA8eWcP z&vhZ9Se>iN4cckGAq3}n?%_xG75PBVlu*a+zGtYV<-J!J>b+OKeth6KCQ#Xc;|N~n3isxZ%fgvKURgl_>JE3x z!~A-H$qD7BzDJ$09X z)EemY*t_4^setG7+`ebxkOX(|Gi2eQFUN6p1$i#R3+KMQtmv$%u{ZL+z_J3R(?dg2 z0L}pDpzwe#r$DV z7KV`!*!{w?v%divgPa%SZaX`ar5YNc(@&JySIj&5wz93rlDB#ZFllLMJn#xV1LL{!oChr90YMyJw1~A{4`SXE}A4C zy5_fUZNJn!DJp`c$q`Xovz6Tp*L(t=>`Mo;si)9LadGK;3vE&f`4b8s=^i?|*Bt7} zg)ah^;7yi;LJ>+Zc#Qpz(ZyLRdQ$84vg_Y5O?#4+6)p4=B(&%aZ^I=Z>rhbeOuAuy z_@ScnM%m4PH{#VJsGj`CdICEG6L#zjGHmV?>!0kcu`mx!tcKbjF6cJA3Dpbl4Lj{kd#o97-I?!^Zsw z+uAN-)Drjn>ezdKd}{O2BbUjy(3TXo#vw1?W68rYdix|)NRr|dzE@PEmjln{mz0Qc z497qH68;EakL^w>d24IsBR}iAy3$Kxa|JyP?5L9@Z6H4Ho3a~G?4K88pX+UYdG5le z^t}Rt!)Xj8_S9@+=d#jN`u4b}sH10$1K)Oag;mP1&c&IN=r=A{j}nA4jJQr@1~*+z zz`^M4{x*lej{|_R^SDHJm1(Qm>0rN5bd=GNk!F@6B3b}6h9xNz7Zw^GJ?aA!jp{a~ z?8T`2_a)75hw>f~5n21G-;R-hxLr?M>)cF5!@pcC|97!-BVAfZ`ao{KZwfdHM-GMO z@-Kb;7?+++ss!v-dIP-@X3IUFECA|rc1T05x|yX7?Q4Rhv;OjOk=<)fE)BEMfB@E} znTY>DuBU{LktFkQa7&toNkJi$Lcg$v<{tnU?dXX1t2wa`?0*}g&+lMJrQUaV>P%|>h#{_zV%QBjv;`5bzNbE{Ceirq<7B9%kTAnTX?;Ou9|Alja zKw!Ur=WY}6b=e;FQ@bD^Ap4e{d$g{~*1syprevv(Y3+n>Muv&72zlpnQ`{O@o%h(jS+ zT9$b5r=oZbFcw()Y5N#=k)E)E;NRH5M=wuJ%_*~w^bX)b(0+}cM|(az`uY(-5LFIOp_Kqb_)+v#AoAGN_ zzYPod_>#7!bo3W>_$RTZ-Ay`S(=NY}@m&Juy8=!$^Xf_T`QbXeB(eqTEJdra#pUG|TH@FdncMM) z6i{MeLM;C3y33NR7dU}G5j#sPLkX1HnW`d%H5VX%R3o+|7u4Y+WTBx|I0?>8oyZE2}i z*9Ds74c;1_>)ANLA>H!j)3z9qkv91p2;f-uR@4uT#Y~Z&jQ70?7jeB3{B0>w;csWw zpE%8LgM+>S=iP=M4h_k2zIge7y0>ZMLlDaSZ$V{C|?+P8N?*iKOT6VEkt*!$_N9;9l?2 z-}AKzyZasu3;2>qrbk8`uA>m%nzi8=VCu(|G-cay)%_GXzcruO6R7w$SHx;!pltKy zPA{{o-yiK!$hIVr^d&K`hK4w%WG4w{B4kA|iwS`9UA##=Co@w;HGk}5fmvRNJp{7rtL|xj(a;Z0xm=M|U zxpqhJ{2l0g&@EM(C7Akj<3!ndpPkAP9$UFc_xwG5drRJQ z2?a?}(Rb7J-tI$xWHWMdE;3S+1h5Yi^>San+$;HMaA>SE=b{L{J>`phdn=1`7a8rK z6v>n)^Qm6%>|#zjJ2xdOF=i%lh;Ml!PF%?J9D7Jfr%yVb%c3BevmD`jS5%AEbW!^CN0yoyT-u(&nPH(KQz|feuP$vf^=(P;qINSGzKRe 
z9rG6kaU#KH90kq|7lKvP{k!`-`b*TVU89;VF?aD={q-OqVCR-A1FfxfxgsQXW!2Xn z^Peqs+s?Z;&HXw}s{DZUcw-|JYTqm@NwOL-64!3Y4_EQU#>Wdj*Cd%NClor!WbJV-ApiVZnsBH#Jia%jx3&(0dHrXu zsvRWs_@W!%o1(x0=fJpe2ac;T48Z{=C=$A>%hem*z!@K}LT-+wlC znRB!5se=#T3U%nwsBAChx$c|-q!^rOWLOG3;Lk7TUuS-N*OEB8_^}@vjEzk3hovq# zXPx_ouif0N4yk1cqpckdg`X-b-83@VKh+$9b34YH;&yJ|E&|~Us66oYhV~gSk2APH zv68I8T3gwqm)~sOi%(V4(vl<9PZGWe>QPS)CCTR-_FFZ~w|*t8^|iL^8Wm-_|Nc7o zQ`Ysp_W6N$`|?wqoLjg4T$-F7^o|KAdDspM^3(%cVRQ?o0C7?<^!-16tsH}J;PmPD zpgs6K;6|96pu%E$i_yXxxgPif7#a?Y<$acD?(c7}sY%VuJeQSy#A~Y>KdYeky zKb?E+;wk_3itZmmf6564!3=coA<`{dcOA9>e+_~}Om_i25u7NPpMY7I-vd&%tk8un zZqMXw(R5ATtG9}@!o$6h8E(_ggF}1i3ZxJpTN78!YtnD|-g#J(Uv>gVu;5gA&^W)^*BjGBwrJWiUEN zs|1?x-QeIIVvi-R$@7AgYKsHlaQmU+{dIhGek&(&p2ya$_KbdCB+kVX*Kh}s_jNn& zjVC04bj!*tQIL{yuUH$si$sX~=fFeqk~a1c4_sXrC%3-tnQV?w%6ay=cf49=d!0@UBUzOJ-o+D#IH_psb>e^Y;VMU- zl}SR%p@@O0Y3Y@RH_0e|E1gugaf}>1rk+9D+IQ6{^4BtLL*1)^4!jycGIu;z;qz90`O3|i$tYcvDKWlDIvR_d|j!fkx*=@5EOYKibq zS%K}K@w3*0H;Qbk<8PJ}gCeKY#c?q!$;%%>9ue4qDI_=thnrk3l>TX!nuYLVI7;t4 zByC`hg5iR&A^!TKI9{3ky%J4p27-QMWRT+1eCfA21w!mj9)~V~O9$Rc+r_k3yuitx z94A6ACXg~7`cE{Pj9#vOZ%l)I*}HdTZ>ya`l5wzKcG~ZY55dR>1d&vH)G6KDYRq~2 z5<#->fkzMjwV&Vqg7o29)?TKSwwhJE3xuTttyEYRI{jIS|E3soc+_SlZoJuGJoXZv z!vt4grrG-a-s6*evzMMP`LXa;{C^^hq+CI&S9VWU(^B~Rr(jI5QrC_)RQ_#}VzJM}9 z4O2$E^no46xRh?Md{1C05QoqKHIM?BXD_Y2z6wRD1f+v@TwLrQfWWHA$-vOwDNcEc zl{38mKDWKms7(*h5_GWrGpnoRd3jR>FBMO!2L`X?oS+}@{3)mgyn06FlLFpJn3<>< z&wkB0>#wV=?fqSCTbp-Cd%5SG)!&`ol%pnIr}7I6jZ2qjU^Gb_%5m)KkO=453@@;C zG!%QDQ|aG>>goKexph;RRXq2m?b{m58YzP-Gqw$+uIxWvpv{d50*xvI*gFFn6w4u$?* z%z5trLfFsv)z$NgiV_UPuU}L3t}Q$`j)4(F8|*AHotF;cnYlO%xzG*C2ezI)cP`e2 z$;H0-cGs-pPk)Rq!+DSS;>XiZ0zH3!Ey~P{%S>{1ye@_(O;8a}LV}g@{GFfr&HvYK z(YoH|kZuv(Whz$udko`9+pVa^=JJQ(*Wz^wK>sGHUJ@x22w>*9|E>ss;b)b!D8DlM z($8?9$H`2BL^J=tezoKCiIb~&Po9LG;w|pGUKjS}wEV-+^}?@v&t6W*DlecKMWv2| z0;_|9ADx9~8&R(Ouh!1}AIkLqbz9yZzQGFNk5AcR8jE|6lA8>1-tTv%w}`%jcoqVDO;OL|klRK@9chZg*{H@s78ipI zxxtsGQLy{dL-EwKNMfMY!0y^Uz;T)|g8={YkjkvAyxh_&gNLe-Zgsf*`0*t(ro=Pd 
zZ1B$l0M+K2tTt}S^x5;Uw)V%D6g*NE+oxl*DwP?^bPwS^FfyqP3C8fROs!B5umCDp za*j{#)9BR+l=E)(`0R5IkV%b^AD^vLRfQHb1>>lb`bnsp#Kbg%;+OmtkU5naOuVse zJ9jdK949a7A0L3{fI>_g>gW`!ddI)vV>LA+T7guF(bwctO zJ6Ke=Cdr%%XB5Hm&S(M7M2CT%k3uYQ1i3meT~cEp3)E$dPfxGBIc7i**g&^MR)%VF zJtlf?*^$JwG`Kr)vQ{GtUP0mIfx?csVx-wI`m}+I+l`I;g>?ZCr!tF+(cM5nAs_A1 zv~?&3Yn!$^y0z68boKS68lh6^f66Kcd|*o29@%M%IgnFIHllFU3b(hj+cN)C4y>#@ z%*@V5M}y={z;A$hyc8GL%m{=D8ct!z^Z{l7)(2?zY+iTCN^ex5@Y0-~9li%e5fQ^i zM6&^h9@^C~ZeVu{XJkn$M?g8cytXTq49QE?hk7+soRmcHUpzsV7;afUqEiELCo5ZY}KFe^TrH9;f~T3l@Q?= z4%N~UxerCVpnv9ZxfwMg(KqcAaE7!J-$<&EqYOu9c_WX9RwSP@J0i(U{tH7V@Xg{q8pO9oCtiUIuzQPpSKt02*WCw9BVSgp_ z5MEADd>+i>48qGXFat>@=I;x%9Ncff54~t_2QWZXMcrohRi=h}4YF&n>kncmz`HbB z_*|bt=dGE?DpwY{toYy%6>3R?F01W%JML_9B_!kU<-lBzmcX-%r=sfl2ICD7JtBh? z7Q0wFoS%Lp>`EPo0W9!ol+x|g}`)N+S>DM?l9Ig zG%n;0(2V0(B{%*N&{wva&=9JCu_2wDl2SERD=SyW(m!>(+2NDf4KUKND}Uw7gi6@5 zN6;TvR8&Bm7_|$Dv>uy#UD{r(-KRF|_Doag^3k^ptQaH`ozz=z^T#WWSr9lL{}#*n zu)WR;28;PdY}<7RdEY^41d{# z)x_@N%*&lQ#?xJatkNdqvkAA3!}Q?5IU#P22**v&~_~oTGVcYh^ z)5gWG;rq7AYr=%F<6g4StjPlU`|R0jQ7JQeJRKYAH#%))Ui=^|d_oJEN1tQqNEtyE z78adAs6v?_`33dF5=sXW^Y(Fiz~?0MGIfjDWB5sP8a!(Te0Ga3Wi@PJ`J9P(i4`mI zWE0wS6>*bcE`I>aq!I27Qj+FWOzVZ9Ow!HJgq7>}(ey&NCiidNw9K}>vHRxK8YW}f zvtRUTb;8I(l}wY?L-O2DMr$8EempigSyEJ_i$EpEzBpQr!x#>`aSokkbt;uMo`Mv; zrk?v#%U+4Stcz@TkHr_|cXKMvkfsS*lI7*ISQ+ovYBW@Y(h$y!=Yg11tEE5CFWJls z+w!)9Zw{}U0y;Yg>ML+gCZX3v zC*D!TPt=G7Qu4-!FjXjXtmefPjFz`%+ZOD`SeN8J7PY8j?LM0+t5o16WtA82y<>8a zo1pFIw8k%kj1_+W$jI%G?lJ(L;Dczd0 z!b=rl0RYUSwbZZU4-y^cdb@AS%@&*PMc`xCJOH!`k~)*@t}&s;0UdDbW;CWic1Tl{ zXNKc&-Pll9O=ie$9f7xaxTVcM@Ba=OhXX1db&o2T3$x%gi&(%GKh< zNhBE}E?xf3ko{-Oz%}C0zw+s({3rt$wcgy*t-$W!&ou0t3&NiSj*gE@-7LBHLS(+v zW31i#3UDnJRLMNM`yO@6!hXFmP~lNV1X~rl8uLENl1L3HLOERDxcnc8oq9hGtOyuPGWcZU2^4XftZFMc?G3 zBllAd#^=LdkVr-UVnqY138~l1mM#s0ejDyGh{aV8t)-)3*b4{^mOF4>5_k=B^Fi); zwCrhA>+;T@T*D^!z_O;{i1Is4Qy_ffw@aa33EhYi+@9KRc?z}%*naYDGFpGu9~!c+ z+!N+eWoNwuCj>YlQyNkZ?b$7x(_!M`0k8`o01R%l6Hu{dTZqJkEehz^pZG`RJ>|~> z^7vQ}{EbnVFU!{_4b5cT_|ZmPHJakHp(c{q|?* 
z=bY52d>O47OvHV=#l-0F>V6KrB1bY!VzD^8RZ)yZHnTaA=g&hzfH}XtqXU6Tf>@O- zI6NT?5*HWWwR5NR5WpV9~5#N48RcH{13Q{#)m?IH=I%rG88X||1D3aCH!6gUVOEG73bX5EB;>UM! zt1=BkwTU7~-_Vf7{hc052gj7gJ^s2LM}^@7_+sNZfq2LEo{#|+RzSe_AOb|P5t%L% z@ABDfHL^f-$!c(wpghMG1k5*@K{$c8L=b0BNf#vh4}W52pdW>$LGZG3q(GDo6B5Ak zUSbBhRr?$wk&5BId;mi&28?7&Drr6H`CfE1WhH`k01k5`|C=Nfej1a{X!ik)|mt6LTHX9mtU zfJx{F$Oh&UPje$*vwMTky(KbgSaRw^BMZYK!aFICiG!24pGO~xUpey$ycE_JpWlB| z3eLsVv5qK{&HznonfKx27^?Wfy~WDtvU^_s#dOuzFRy!?ff!NBA+UokG}ElN+o+Pr zZ%oYu0=4gT8)OE%yx~W{S@4QsQ$(33cQfV<^J&;Wz4#I@pfH1OK0gAddI_&%-(6>cNwR2h4vYHVa4= MJ9g4;o4B3*A4vEmT>t<8 literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-dmz-old.png b/doc/pics/e4-dmz-old.png new file mode 100644 index 0000000000000000000000000000000000000000..d9a8940dfe99a3d5935861a2cc08f48555946854 GIT binary patch literal 52274 zcmd43c|4Wt`!=lFO_a$qWk{@8R`S%FBkM)@bYFg}QiYA=-{QBK|E`DmxJK2vks=3iHx zj4hPunbZzGAPEv!tXeMnu@(6G7V_{l(Oo|3c2S7?r-sR+PF}WD-#{W+n@;&?`mMrP z^G7k-dr9l-mcA}k`rhCf9Z&n7Q7u$FQK>4@|0VoLe(BWpx$qk#T)@At58C2$$D;=P z+G#0YxTW-6{M?mMu|MA|U?OHw{$kWdN2Xl)EsK*x8p;=5Z>JZe{239=HAT(q>bWM_|Xn;mu>{3aJ57$$quE%vk@fk4>C_;q!rUKPK|&dx49D=S$e zDI_&@qIh*y*f@2j+@3(~Q&L@R*;D4L`a+hu`MBq@i=kn+h|fkdwoJ=rAzNEpzkG*E z+R*BLCnu-v>|!3%HOFFOV;gBcnP#vbv)RI)YFI23^tmj)spY#;PKtGVHb-Toq+{Zj zxr_1V>^PdUt=p9vESM?-_Dr;9#`~w9)YtE@Of7t^&KIoIkH0vrEY2#um>+G;j8zDD ztC#cE&+qK?&zevHoeLK(#4P1HSY(gqybx-R3vD|WB`tBSAz{;YHf?Qf-ry=N16Q-T z(N+r!i#lek?(&Y*a)muNiNulS)Y|H5WmVPgLU-p>gTgFkmY}yyzm$}f75vyv5%+lf zlDmBQvYHyXw=y8dy1fZM_43h7`GZtm9-gb@m{Y`t99zT5gToDPrdO9HrX}@P{n(G; z|8D%A>JRmJ>0L@gP5o9sx8&_%aq;&m>j-QzZdqx8%t5lVb#cnRpQ@@78B%mJuWYBs z+unYeOE;-xAh*4<F%=QUBZBt%~maZGjoMsT}Tr|t1eZS)v9SpW2@%xIB9TaRT7~$8uaQ!E zdU{e)Qkyq!?96vo6+gty{Tg8~H#bL1OM5BL!Pnnks6P4EuV1JA*bXv1&`i-irJx|J z|31xgWidND`%=D>UqApWwXk8)bCRh@ctk{d-{+vrjEtk%H#+kiiAU}G&iIC&T)bRe zaK5#*m1uhPDvy=WacyP7t9+yW zrAz(x67DOE3=Dntxk*V$WpA`nbjwRx?{40q8Kbdl*RG~NFRW2X#mtOD)9;n#-!}~I zvl}hVjYUd1XJ=-b_<1ZZOfF3Jc6N3$Q=h^WDfn}^PW37J377mRy`S$ib`9Ic#DsC@ zP8Y0?h^TT$2;0yU=f=&O8OeBREyLtk1z+>FEDOm3-TqIXKJ6tqJI_CeQr64lcUTH` z7g}lJt`O>|s5l)Xj~!_cN@^-E_aW(KTS;8~`n=G6KE#)ma)%}+y+3}~;n8<=bVMAp z^=A`R(svwbN=enveG(izTh3}orxw5|)6!*9>93=$?J&``GTxbw8%rJ;Uz#Xp-Lq7| zZY%9RXN5bna{Tm|3s3d<$_yjD<9LUTdFh>vG(Ek&)6>(%OXE_6XNOJhRnS;8zuirb zRXEqv|F}qdk|sDPDAV*a1A)PL(sOYrUMVgkE$wmWa-)H+uH^OaA09uZo4v*_xALo{ zMVm0(k{JSSlM;90IN;^$WO+2FnhtksloM(yrn#pw8X~i-X zk9L)gIBm$XY#y%)=09-YfRzdEhh#oK-nnt(#?PNWw`W`9ej^qiUSIfS9In!odt;!i ztZefRP6ylpchFY3lo{(cenJy!y%m0nGXr$W3X_wQ*=6_b-snUP9<8TB0105Y5znzDBJ_qqw*-ms7`kL29 z$+RWPBJlKTs;UTNtrkQ(Pt5!G;@OLRpBV{Lv$M>5+(()OqXwp@rpl7a%gY7)G*%u7 
zkiXT}U+nd1X=$NTJAL}zy@y_Qzw20)uO+9X_$YsOEkd@lE&BaByQD-%c6FhbQ^t*n zmGzQ-sCc53H7-=1DqSBJd7sCMGSiBq+4>8;F# zE3azfy4%Wv4;2*^VV4Id(4itVABgF9EkY9c6u1u=I6Eijs*j=9ieq+lQ&R}3tXm-T z%`->sDe2S;Z_0QsZw}!KtuC(&`7NrWuD;*EtQu)-kEBBa<(`bfRk-V2m`5MEy1KHp zzo{;Np!~D14<++HY10nQFWLKfcy4gySk!a-H9l~4aoM7l;h<=6u|=@cGiu<4jQi;r zhb=FuMhIqHQX`TY$LHc-cs}`TO6^17<5SWLa?<*A$ zvA+xa=~JR#y)tb|)*-%9=WAtQ2_;F%R;#C2(?}f>71fB*$xC(`Y4Rg!rW#y2fBrlc z$WG9zVg1XIb1{)^LfI;cA$>ffomm!)m3G(@b&XSN%c6!hrm-gLCPRXFR2kGz1FD!l z)z+qJrE=0YrWzhUe%x@S1z8qZftTsQ&80aDX)PbNis|LGmF_k2L!P>pO!J2uemvH!poC~MMZ2!Z(-R*apgmdRp@LBKGz#(r=)m`gV`+Xz3k&p&c|d`v^#s*>T7Q z#4`B=YU9ZRBRTH7Mkj}zyKgpERShF(84l=74VL)OxOScv)F^Hd(UvLc8XO!Hvu;a! ztoCfteQyKzCGF5FjO0*5PetLkT3_1Q+*X%=6OVeWddxn2;P20Q`0_uMcECb%a&pXh z)YfL)Dq(v=tDVO?T$kpoS%g%>4&5G0EZhG5$B%T^>7Vy^?74E~N`}KQzt-CXR+E!= zv1!va#Kf7ZW13P$_G!!x)hl>(C26Hnvo{V+4cA1;xT63df4R?%?mA?2%SFrQ>jArK zv+b%kLn+T(Z`Wvl0C#XpUJTYFV&Gcz*_i(L2laitvMJ{FE+mQ9a{yVyK7+ETrCp6JSV zo;Y{*tRNpBay%71Wkm|5-9-cr9r}gLfN(GcoS{`&-)Eokv>^ zA3i*}y0Wxx-8z4Ne_vnUyaJ_RgSAP$@c*w|+dMRJbVeq_` zmKF^S%`7>;L6tk%;QjRBmy=GswB)OeXV zIXNc^rq3xUJ*b$nnh|2Bydr?LI3yj;^fW#$I_;}j=XR8r$Kl5i7C~>fBNq?2Cg$l}w|x5T z+c#8}xL2=?2!>clstx>JEc)M0IXKMRTDO7jE2WdzxpC2a9sc~_{W5@s@-r%&1YOFX zhpb6|zmdfivyt+J`g^3mKfwO~j~`%UVP!oAd?Z}75M$e2^ulxTAbq5aJ4?0p+ixQD zGG43twK?2a3}c<0`RmTRzPLHp+EwT-#*ZZ+s)CUCwvNAH16cu%{%*oMmcTGif#@gPktgN8kIL!`g z2$<;1_dkC8SR+XjKw|Fx9?wH_H}NFS@8YQBiV>CZ@$otP>}dFrt6x#Ze4Oc`?OmeQ z#&Wv9$)SsTO+%leD0$YhLUIK3SY>%1{X z<&V#Y>g!)A25s0(n`~Iz)v|rvk&kxzMn>O@(TJHGd-d#cfRRmWM)_dCr17q5?F#$t z`kZ1`Eodkx1&bkS+Yy;}md%_r;QBu$cD9 zOu!_UTOj`R>(dGfOG`^A)>p7AtlP3CXJ*vbqEB@A1`z*hK?k7Wcs;N2UR9ky&JA zWh-oG!nV$--Kt%8cy7xTAR^n2_r{~yR8$QP0FUfaPF9&$YKnksXA4Q@mT%M2(hewx zBwxy(L+L*3r1xRr-gfrWL@B4yLry0X15pz=B^^GMmTs^Zp`vQ!Am|3|k5u3w_);uvqq=jO>AYrw*LNpI}WTOk%%T44K-d}T~Vab zu`xjb0VZmn$jIIF5)u+fQZ$eiNWZ&`QeJKLI@^U_C3 zyFOvAcX_Y2%J2|R$=CPIpc;@~j&1kb2XliPr_38sB2zBqH`UhK0Fp){j$K!4qsF=l 
z^MitdQc|qfR##9<^vAh~S(nSH{d@cDT?^f2U#o;aiHxktzQMsWep)b-&*hU7Kml}gc+)*E_irQU#$v-9u-{9)I#4`G3?g-LJyT>-VInLZizI;oc+`3QVClW> zCNG%wy8QYs=i>7I*IgvF3Q-gf-zZjM*6T_#IUNuwPnxAdUNu)=$V#W!bLHv5i_0r3 zK~J9Cquq@y`sLTJ>)DowLR7YHueF=Hx^0zvyb3^<*ze$qNls2)SXjU%0SVfp1DPJE zWpx@7IVnt|p&BJk;UU!39q{Jp=x7w2%8H8DadB$1e&!N{c-FNGzTXc0$l}p`aaPU+A^>1sFqm(mC@QfQ}ayp zVk)sm?Cr3gTZ#8pqCas@;X-pj!gjTNF*zhtqAlHThC=zHgQsq{64lWmCt5P>47*+0scf1iaC zrgGSK&(R@PFcJaU#3Vb`mjO*o>C$c9-v9WDa8!a45Y$eKHZHxV94f?|jW`Ygbu&zw({h8hKrb?XZ`r`quJa&AD_% z|N3l1MrJ1Bezd<|18~ZwR_Xi9J31PYrntFMM3+;9Vgkutj-YC)YML$IwikJu>C;LXHr5| z*3$u3t}l%)b%=6$HMFufZ{EDWZC8mHExXv4uU~C|28m3&cIo`AbNTGwl2{a{fZn`s z?{KWyS_OTf!qKPZ++=UB@x}AYZknnK9Oo;q9NJ1veWCk+XRgSRBfg)=WVM#03vWtF zOZDDeGrM}VIm@D6)Uqi-oiBR?We=$NhJ!;^diqdvYB!ppDjDwqSFyyc?1iSdC$!qb zHRlZ*n~Y`!kQg%*-1~O4RKc$P)y% z!>4TQ$aCax-$_sZ(bMM!2k68jv&u&<6QwSfZ6RzX7&;OB zGke4>&;2a>{M^+3Sa`=-8}fM@@)?^}6`NLln;})E6GXr~jpkROJd=mjOi&7JTGHgU zNS2q)w;&(*erj#iY00CPtVE%s*!2 zIhSSAsr&N0i5bcUIA*t`18-oV3QBB7nqvm@+Kp@9`|7@(TCS~Yd-5(GdsL%&|Di)aIFAHdIS!HL z!1Ik>eVm?=u{c?|r@XxCTmLC^j8a3=x?j?a++t#4(DHLIF_jfDZ`|O%G?wE$wiwKt z-`;0qE9k162O8*Cgn|tNh3~;mwS2rub5ljE2G3zm>u@`1>;jkGitS=AH__|p>9Mk~ zJfJ~JVPR&bC!^e7sf~(^h~N*cZqKrya9SY>LUx}JFS5V;g3#{0j*m}L=OchRh>MF$ z-esTr+$VRxL=I_DNGzH&>9H#sE|hSfkzSC7p!2Xn!5YTL z#a()T-T333jd&&;057@sAAyG&B*#)XO|Zt=*?DyLGQNeRa346Js88eG!jGmrMb>qS z*us0=+4%)h+E9JGFL-E$N-f29N=9);ZSEM9rkLw<_CQRzOV+T% zu7IZ2R@eTj;J0tzf;BfWCeZtMd()ADWEaq^B59)0o15r28UF-8EZTIfolqa&ZumBkW-IhiD>lDLc0}t_e)w}{q>f(|4 zwtvd}?2ajOzma#%22vgi|ES4Lchz(oEM~iCDcUKj*#x>&2lgxU?C3lw_|>*EZx$c2 zy}ge51ZRq*uQXb*L(-8VOG(4&M-$dF^pYQRU$Sm5-w4@2#Ih+Fcg4#@&B_{j>((v2 zkCm0xQtDmyqHEM~$6@v6x0g~_%ug4nNhJmHrutO#M z^YKIFASCtQN2lDgR}RUQ6P2{iO@X$78xqI#hYkA3iwwW%L-S<=$xKiu9x+|Q{Rs#cs=dVdF)gJVKMZ{@E}kYhIo z2EX1DyGYza-$>4SIMVPYNGMpjy}Mp<%|Du4Jm;S8jlo{#53T~rtO+}OvVHJ)e+X1BbO@;h zQ&ngLyl;zDzjqpAD;&IXWz9@4%+T|9d3ALX%6y%cGn!mT5aZCy(3~>oX&Wcsr6w!y zu?9OPFJDr7d~JD3BbY1F#_$MGJ#r5Sl_qqRR8)lBo1Y!M{&c(WNkTwKpo{9}Z97j8 
z5hLo|b9Rx?XIhPLV|c078zN1{f9ikZ6MP5C?~&~{fArYkP~aFtMk3q zJkOt}qpyjS(lR*!=8RazU3As(qn?gV`XyvXq@3a1EyG$`*ll2pHF{#QhU(&I0_E!i z)GoyYke-Wcp-(S7ecz$Jz5wWh}eF0il|RC3WPs@u0llKsMq$re}6N5|G>bs^oxiHWg_@GE7p+>NVBH7TJeV$zV%;y ziL4Mzq9DUYd&{Qsq|_oMqOq|t^dYjc&!e(RqF-=W*n3pHllN&Y`1jr{-LiE=x_0wF z|0L_>jAQWy1Oz;QyPz%kn%BKjq%7!hA)&8rZFzb*Hb9-A`L@&2HlYF>0G|fxVS_QJ zlwUB%anI+Z*XJUig@mwhaD1`Tx3Wr3%YhWLeJQTGamZd0^6^Q)0KQ0tKgeZqJb$8$ z9c`9QrS*vuAAM5)k2H!I zM>b2`?RdX+go?`S%mA4H5~QD&@71Kt*)wMzSNC^yb@kY8@LK&1gnZTAeF;}YtrqPd z!|$q!H}59%|9Am9NC|k**m2N4fi-Kter<9|CVs|# z&CSb;lDP4@BZSOzT0C*lXm1?yl%%4vVA!)4#q5cHFFC~ZDgc=8 zVDZ{Ys)OsK+VK26;tD-IMU~a!Wx|>ubV`KnXO*&oO^{F7>ZEm?qvR$s6C*S8-N*GZpVi$pDrc z_iq1Qm@i%{1P>Fh`Xa+{K;sp%$1$4@Zoapl+I;+KY~5(5efq~{)=c8opG3*pbN^T9BwSDeNqXC0paH#hgu zqgmKt)uF;5m=Z%lG!-M$Yp{L25XUY4UA(X+?Sq{@2zYIC`=4KS-8_{=GHaxyW)wMw z%|ZqRVI;sr#>tcgO2Jwh&xZuLZOfJ|J9f;^&!-Y=(5mBBdIX_uGYjf)KYbdekpY+i zmQhJX#i}W}6=kE9C3^%KhMl9MS#C+)zt@aLT*$DfqvG}Y`jc!Y;Isgzt21R#vtPzo zilAFxS`iC;QIyVpVJt1aEV1q3q&fdgX6caK*F#)KCBRR3Z)Kdh5I<8%tbu@-<20s= z@S#4-?u63&>C+io+X=hgimmK;1hRlUJv}`LE%0g=xtA(We9zmA(p)12dStjU3A+vQ z(^(<~^=SJN6}Ou4{r*+D12SE)$L}dn2ZDx0&wJnFGt(|X9$0NIUM&|QE)G+v&@bJ| zUw)~&onJ_39KuC~jnCn9XJUK&0a-T{RirdwgMtM#Xgl+{M4u|f5eP9)9xT@n2)xH5 zxB7uTaWU~C1>c2XNxkpi-y`dxeUr7)t|WA*$BY1IkP7<+1-sEaTwAF*0?u}3W(JV} zAigf$PiTuX`vMWSXN+fU5*St7>9L|comB`vfbCb)LA9X&a1mO(% zSrn>0^p5-Y?y+GV)DKLVD|+3`!Ui+?Awd5|9ZPU-C{9<*Ez}@Ugk2zjHg#m zR8P4O2>$_;r-=M3&3lDC)|CwM$H?4V%yO9pR=0{y2=$iMbqubKP1(9FD2?`fim92| zF3*__VwqXDRdpj3|E6R7)?VkG)elLU8U}Kc0nfXlw($o^xsP{96sq&D99BC5f+ae7 zFN{ZYNKw0YTYnE)Tv#wVzwhvn&Hv!bDr`>G#9er^x+`V))dNBsI@)RJwJFsf(axHY zFJ5$`(ZVKu)Cq}rFW-dm4iIgdd&z9gfIpMd+6RatYMkr&_tF~E%rcM>lSjF@PN27o=EvKMU-{(W!oCG9-dqN~U#mQ2zn znRn)E;z>?HsuS<-NbBCXE3Mn>7U+2BY}VORPfwbje0s`MRsDqNS}i$0yU2s6r>pBW z*>h@k4DJGS6cCin_!NNG`*5M^{B>LH!;C-9q)E4lsBXFakrcJfWQ~)toH3Fc?4IJ& z(+;->smY9LyJTj_2I%{xr1VVO4Lr9A4gmu%+wU2YS{p1Nl$S+{E zFw{gM(jW?_@Qn+zxy)sC_4S7KQ5zotmQVDOArM%8@!oXk5(Ev0>(_aUIc~|~x8Mo1 
zUHe*65(BHyV#-D7ob{DWjaB59OSrihb|3R+Jt=B})76k3M_ya zpy3v^5oz|wbwO8ubO10mk-i&GAzPI~$BC8PxgO|4{Yu73i-uk{o^hUg9xA9pgkzbt@5t6Zq&9br(IYQv8x zX!|{Qz+hO8lH%PlE}{j>kp$^*#GV-$06ojQw8f8`_Y|N!l?+1`^ZAwZMFYkpFcDjl zDBnI*atZyGhJN{cw^!;IA0j5*s#WCD+Ze1TMJN%{3ViWG*hU4#Np|_yNn^+EqMKkD zST*6z^FFSOuq)eKG~1+STfE|AY|KToBxcjWD?MvwX}Q!NYWQGZ`JFp=u;bh&Opjg!#$HUMoWtv!+m|j)3Q5kf- zMF|~ii?h>0k7RD1P?ioPt5L_@3CEMRo?fOI*mW*b9s&;!&yQMn7zKUgKZY>>(X;e^ zihuq5Sy8;~<43u$xB4Bzw2hnp-EL1|E!=wh^@|rT(78ZDr6cR=={XO6`vIZSY8Fr- z_@Oyjisrn@K_Us_&)EgY(ehCnD1=|;sL!icua@Q~cCd>*+UO$^uF_FU@TcXc zch=R>*}7xvnFf8wpS3SuJbkL(c=h%JdCrtvIZkUo!dL$kjU<+(BGvQIUVr{b!&cDh z5oqKJpb$-m4t;}KDi24dCSNcb?YN3U$^%@8u%Wu^I+Bt@k^hn@wv98tVbN-wdq@#J zBgCw!X=p6F3Uax0x1Kk+)6wn4Zrs4h$iU1j3b+M52sV*j`GV*B(c>SWb%68F6~4`w z7(({&#Do_FX5&<>!om;s&Rxd>Ld3}c+42aGPS-4q8}E-r3s5@>7rJrPQA z47L510E$0RB#1y(tzt%aOl^hTf zXL1;{T7bX5*!3e-ukKZrm+zK#feWJ*3A5&I*G!f zbM%ltn~L~Wgso^G#G3n(s16DBk)N?sKA|U<8Jl1paRTemu`ZXBE+jC)e(>qq*1z8V z(1G$v|E66!aVaTw*(O%!ybW9dP0M=&vVYR?ke$%ja0emB1C@dR$n--m0Mp87M{edf zXT4lk7Jvn7M-yD>x@bwLa$(|I*FBP#lsos@j$i$%m9(ziB2yUuaILEew z3c%KG9pCio+Cb0g_0YjBqZ>NEjpIKI7m5< zzt7Kqc#JQ&ijqb9N4cs0t;llWxy+PQ5fn82Rcaz(P0kR~Bpxk@Od37D!?o+(u2O3F zEjCNE4=3+!JD6z)J{xwb#^x9A;ZfNo>0s{QaJ14+x^~Ad5h6!1>;(yEn4uvT8hkYq zd&Ssy$SsuOt+2pyA%Ui|uh-y}l{E;{lM@O(?y+!4T)YKxJG#N1%b>(*wrtr6hduU) zw~GJXI=_Z>mSX3LiX2EZW^{0x~1&2L?ADYoNhD#mxlhghj;pjY~qJ+8} zkzi2VMke)t%DF`={>9}@|MYyhjdX;*=%{7WC^jLOSo+ucJTZ722D$d-m6Zc<67M-? 
z^Sq+e@%H3jl601+A5p3eU%e;mHFTO-Uu}$Ak_YI^X*v?}LN*ur}D{g56XN z*EuTx%q4VYv9Pc}X4p3=fG?8Rz`y`(Ybu63BJ3dBf zAuQ{Vwjib?M@C*!Q=@NZW@QBe*)LR~?(hdtP|*KVGLSc9EkweZr(iagMpBFSQ;P$V zrDdqSv0H zZsDab#Ojnjk=Rmd+_UsDW?EpcuV!RdC1Cf(W9T_&x7`+@wBZ<3us(kWVZ+SCM9Cbl zUiAfQ8Kk3*Xsbx)NNj;>l>5;o>x!y$&Yifpe$Yk$3B@jxJ&>*ZIc0S9k)l9WkD-+< za+~GjN22-Sq+$MFu)Y4)o9WrvmBHA6SJg1TXvQI2dL^Akwe9WgbAxZ4{ujcRE>SxD z(bm%G0{NF|nVI`2b=$w!3M6AniiE$3;YxdJ>p><|8ya_acY+&aIq<^zzV*HrY46;< z3z3~g*uVoR96F{aR2TU#N<{b3=USg1D;Ox^*kXYjxgtd|Ci--*G3*XAYAH zt%;WOlMBm_0s@?!oI-fLCVR@ie>XA~-MiNa^r%KV@dkp9(%@~k9cdypsJ|)T^~1h~ z-k{@K5BHa*Htn`;9Drw_d$W;xuKy?jH+52f3TO>OC(8heFn3#;nH`Awaavz7_nXw8 zzA^eCj5&CFHrRNp#@brdo*Sjj6mLLL$uPK~7qT}WkTezkrdiQ~o*o8*R}AM`$8)8= zGi8i+L}~&%`K=yt2^un=-CO(@EY6msQP)%eHwf7c4eGN~qX)f#(D?b2kXoutMZ^@w zfgvFM>)6`m{@cAqqsXvr=MX<1`eZxXQS)!nx6|0z*_V*6G?c#tIRD@5BZCr?6Seh(54fcTogi^#~8 z)~hclg%!3PknNX$2o#bYL3W9&R{XbbjE=<$XxKb&YiMXdr!rh9^Yh;vc#p^1SGbRk zIVrem|6*l;PCr2xjg!6*W@CUR@~dU|4jkx5fiS!OG$e#tV`wKCt<>%*^K~a!?{3C$tn5vZy)T! zr*Tki9hoi0!+2k%4&Bv{cJ}_6`w8c+oFzX0qNGt3%+h`#j?f16cd~=}k-m`Ee5W%w ztAfkr55Q7BaE1f10E# ztSB;x>%Si#{2(EWxBKPWyK#PTE}<#)$FF$&_+3}o%$Ye*%12MmFwmG}femQB%Y6dt z{w^~UTE@55%&VC4@+s&-4cNhUlthBvX5jnxG?&TClNZg14q!7c5hyejCEa~{m|DVp zmaTHrKAsp{I?%ilCz05Y_A)eBLxS;$YHZ4 z9`0xQl_&XRvz&MXpYt)3F&Ck-Y|cs%OoVkZ`tm1=Xtr(*m$-2SO*dfN)b!dopXY3& z)(v}mh%jkrfM&zXAPBn8zb!8If;kH*XP=$HzeEfj{Zc_^*3f2?V|{z3rluZs{O?8@SP0BQtd5vi z57~MM3j>Sjn}`U#>(|rX^Ee{kLgS%ix@zxC^z##i^9Fz&$QzVi1~VK()8j4a8{TA@ zfyjZ<&;Eyxp%`R7+xH!n-$SV_DL*C)9?X(M*vSlmKJQLh_}}4MG7Up1!t@HtYra)$ z24Y%T4D!)CHYy#KANSCmd}x`PUK z-JeXM5_e%GH6Z)UeUhfJ+L_=0^KiIID06pftMkPa=NC#Xz@q&QHNIdV)Rpgdckmq+ zA^i73-l(IbpFU*`ZNj8Ng-ybK5bYz$ythISkfyu9bvON_^ctp)n3e0zt#NU1@QiYG@tz-N6kY3LD^KhmxO?=-zezZaRVO8m z_|)y#EV)s^%H7!JWn$k1Pu7E}2i``ZT9d(FC3$1fk)p`_hHtb89_;?=(D+xc%mse- z^iZU8wD=NIQd;9g@I?0k5$XDV{sa*+{Wa3v&|@~%LDfv#0Slm%*$c(MAWdeu`Oah z3mOz?KWA!()mK&aw`m!Pp1NFFM(yGLzqRt8BUd~C^3AVa4ULFcA}g%@a9z!;m2FG! 
zo!Git!hfkRNCMy;T-_0R$ngd9T@A10 zWRtyN0NBncEzZkp4&+*4qwM!MA_9b??{H>x$eB}R#S6BV2zoL3#N^D7@*)v}Wz4IM zG%Ox-tydSVA1TFQUSqZAp|Jgp8*rvltV%;xiJ)u%87E<*Vt9K zxy!|bt~wgB@8WE8_uV@NCO$`wWD4oO?}%4b#p8RrJgCN?d}?pZ!oqQJe@k-AK|Prp zKMO!!0>^7N-39?6)M|d^Ug0CQlbZg$bW;&%*VtMfel(;ZJ!y0j*do@QdCK9J;UIUP8MF)FycGGI z!`HmO%2xPNp5%3-<6?)#cwTs@>FQ1`j;!dIikVbcd3haYA%}z{cHMOT31U%)2oEwV z2L}U-*o#wHpFbab`EnWzk?YDLv!_bQ^M9%C4`s2Xnr9ki9wyE|`?t*R4Lde*xBOu! z#qLeX_pqVaO4t!J3&Zq<`1$x4JT0{;eJ|^l$c@0wJ&M=iJ$56p_NJ|p; zwRn@J+jbhYkTR%1u>Weaycs3!YTsYw7+3e!eO?G86gl>la_HNTgB@9KRFR{Gn^N{| zYY2WaRaTQCq^J320R&W2%1D)_vXT;HmyrfL3y%HaGlKzTkStd9#RCx{a~>CE+t*B;mLuW2|p69WzZ&W0qsCZ0@19w z5didNNkIIVPb6zD%#G#Wv(h+w_g~aGdWtjU^o8!#i1WmU{}Sf}-FMf5#g9clJI@zf zVRMK6KdTPy-BO-j5S`(lB5yw0l3ro6etA130sM&_lIAJXeQg3fd!K8a zyGprT2o~VF|C_C+ve2VbZs@C%&`7f=)rhRtj2-W{7qZwL$FDXmh; zH){LuGW@SgwFuvsqmq?qJas5s<=W|V3i08|-0t#5ossKPWKupF_~{v`#mIo0i5%nn2PyxLg?mlThiQ>+c3+~hsp5W~ z3k-!PO%KR^`+vLB%#6!+!~0?;8l4RG@o`^J%@T|oK3ZA=0shs}>>r~yMMII9K({@k z_mYbejQ{H?z*lqgOW0v}|4yCqadrJod>S4uN5o(7zkIBthiws0nTkjIUvVi<;iL zzpTieE^s@J=*J@u8JBeA-k|)-ThEaF2Em={Wm^UEPS3l91L18lryD$_qVh%0wvaNH z-E81q(_+2u$YIPFtZaHm!y>R3_X|OK8BR{hlnsW01FT&X?Q@qgu9k2y{woL<99U5I z^5kX(h01*j{ut8BmAktMWlp<7Bm|R68w74}G=nrj69+eDH)zma9s)ka3)5GKW^XGp?eRfrE z((A(65ikWni9aLtsB0sYmqM1?a~jrI=XF%KJ{rvk1u-!))`JQB_U*jMv46g7u9iIH z#E$_CzO6c&U*Gpr(8JjRlyBTGOKZfJ8~6N8d*4#gO~XC~rk8R8hEWWq(6qQ@p~#$` zJ2H4mPVOV_6VJe6^d8=(&VW&!EKI+kk%mE`14g!>P>^=;SHZ~21!onW2V!Tx>F%)o zuuXpX@&zP2p$+aO5a~Fwz{b|L82vKHa*T9U_9Kj;iBy|r0KLUv<4~zYWz$=}Y-@u< z($4O1?KC_qM2IT;Fz>`r4ebNgQHc28CRTK??8DNfnA%eJ@`lw9j7}K~yxN8rE?l;? 
zRV7kfL|?v?iG(;BcER+Gr9+AJoKVG0oGjT!Llx~6W=xqu+jK+#U!uD8nR4LA-Z*ex z9F@RZVI-K@{=4{|n3YmIMw!>Es;aGpFRK<(9Vr1KA+{b)ap?d4{RBn&LeX8i>9kL61L6z69 z-$1o9QvRjO+R8jo5g18+wQV=EaKW#;C=OBXe@u2$Q9YdnmxGmXfwlk7X(Y>n;*^(m z3>85)q3As;hI>E@U?M2=$&;9QU@We%`_LxPvdOqkl~D|cw~Br4Q(nqUNH6Nn(zTGI z1ux|tg=Ox@ksIK}D{Sb)azT&tVBEB=?T=pmD+eUc8P*ef1jDHG^x6?@1ei;`vqhw9 zF%U)uvGYb<%(BS}z*xX{y3@J4U)%zd7bJg$Sn zhyH~w4+k2YBRT8TxQH;6{i(T~djnX$$ieB4&fnJ@2EdZj=e#NN-e-xR*~4RFd*Mp( zHE&GRAevfR7vlVsxC;^vgWs_8;R+jVdskgmRVA*q{x!-mHVdesk9}JYuEWjiWBM!m zG8mbCF)#;j(Hrl`EoA`@c@*bWq!ukcAOVMsVARB?W@G&yfG`YCh0&Bt6y$*jATc=V zh(vFf{9B~q=2TT;z@FnQVsOl-Kfx@F;k#=Z$lo}6qUc&VR@*c^WNyVX5kPBc;NNZFPDQ)K!q6W=_z?4kdmAX1N!MlJJZd{ zF(BK}0h{D7@qMYN__;FQt*WZ}f^vGrdM++5SXaO`f@*Veb~Y?@6Rmz7387$**YYIB zFSGG(XvCnK*LnkvWBZ>YqG5E!yc63on@8!iC${}r-m|%o0S?iOL;8n@)bn?LXt(E* zAXK)FDdZu{n-js<=j7z9d$#%fhVU7I_u#D#9y|!w!x?EL8*Xj!B*Dq=UZvNcnG@ZS zmvJ@Yn0kwjzGZEJLqVX^A$q=#j366d#2_=Fs=9g!*JIONM5&6*%zw^kc~adEibM}H zK0Ufrh4r>X@OF)O7C1G5a&8N}NKihZaYbNm*~e$2Z`5w4gcr{6a!}^_cX4ws+HIzy zYFnOQU1xg@xdVELb}ywJnxCKyqCR**{p321i@~mM!yy%c@-G*_2B0lV%KJzqs^lZ9 zo#!wlPfSlwZ=?R_|I5898D$A_71Sk|m$&{Yi}<|-g@rzg>!>~qwgefs&8-S&i<(9l z)B&4-i70zEHa=d2N6^>Tr_?Y#GgOaqnkgH_BB+a#W-d*f-FRp#h~02eOHJ4vkscpD zREBvKH65d@tp>BleHtxW04jc6y1&4?oBg~EQLh4z$oCVR+@Uvi%X(0lPe@03IoD9H zh)mF`P27>m5*58}1$~y;<%AIqPy{%M1|m?3PUcV0m2emC$fP;li0b^kfwD*0wQV{`h{+C2pdRCF}qcFn@MG*&C`F$w>m z&!(WO6Y?@|jqkrqPt4LF8p=ew1(>7C{PCXS7y*O>SySM^0Uyd)E~4X&=^B5mOE#~L ze>lq>a}y=0)iwjs%_l=fNhf{k>RQE+pN1RZ+bPiki5jVxMw19(j~RTwWn0z|2GG>` zm}{qz2)JXw5l>3*p{JK4B3DV*0(b_Jzz=&b0+*d5{+T$Y4E;f+Z2PLG!D_4RHnFbJ zmdH;pIW1j#McV25bu2avr-;LbkTBD8w!5gPwtU)OA*l_t4%rXqv4HWnzEuy*__e*A zB6PacwPvAE41pWAde95C7DI~VIQQh>K?~FvOsShraMMtZ$xy-CRJrU!Qe>P;DUw9ldRdmH|>|Ha4YSD0nM@HU6MFv%?Dij*37w=7xMPXD0Bx`DZ zhj|HQYEV$Lv_i$txq1eau#c>+3;h^k+|UBM6MZA@D?0jv5zj_PhWW(B3>WPl)F?)J z<=vlg(ozhv$uH?*j35x)z6M*s(E_W8vH50ZPG#kpaw~IBDIC4eE*1`hk+&m2p9YDeW8xKSanV3WTy3zL!w=wsQQ@3#3 zmy)XL)gzzbt{MmDM+qM{H_4Hi;6D>+{ZXv{EJki@{s1lXy 
zyN>&Z=L?$|8@INW4=m;42)Tn-J@bF~WFDz~{`+TyEp+kU01kM7d6S|WN-Ha`BG;pq z?7)2Mg$sFTD3EUv@2Xp%Byr;=dR@6a4eCwzd`(70r{wH&35FJ?u5! zU95UB%KI?_{}G3TJrq<#R7juuQ_t<^cGJmY%Vhzc0g}guPkBo$dgkapItfJ!HI0bJ2%VH-J4Gq0;yq&`*y%p^c8`F363q>bPdqmv1BcId9CJa-EXaMT3H}=2%-Bu22t)@TwUMUc6&m7frxX=w##F( z$LISd=nRywr#KAHMS=!DtD-`bA;J)d>1Pa!JK!#S zGBKz8S*T95HH60o57S$_xGbO@q@2!%N$#zCC_^+Fgw5BkUBiJcl(Rl4N~QCJP{naa zWF0v2P@q1;R?(OUir9T)>a7i*2;rPC@!qluoRcc$l=V2XB|Rr6^cTE`Hz0IY{Ltciyf;G#C>R zkqGMpG@$GJ^%mm1J6aNXUb}XQdoD zno{HBu3hG|9w&Ui+46&y)_RGQW!D*at4Z9&9XNY-gxLGcnc9BmKh3e7b&b?GP8H4F?2J}0NMv`=W|s?r**?GZJAN-ot%*H zjoOdLXdK#znKNhBb=d}$=#VowqtB2oR8?F^=lAJ{;0e#f#wIN2+KDP2Yd-l51?Dn) zC|FDV|phTizGUlbM>R~)Y24YUWG0kaIq zAGf#N_GqcA6GbvX$nf@i_xW?y=5bxj8x>EyS+I|1iatgdVttgAWqEe4IyqH+V9NFD zHdCfpt4`T*ipTIM%oJ?^KPY!=aPNOFoQcLJHQ*EhiC?p(sU~~U&24qDz*>}}`+a;E za%f~03R9a02l_qbB#v?!Ye+HgE&7HS|H1-;CDrZJIx!(e;-PCGN)_NWfPnSomGx5( zbeOpLbKm`oZDJlFN#XVwNy0*Ga&ehZ{2_0Ivhu^+Tqh zE=>Rk_wu(={Sa(<%XjnTy)!v2%!sV`#WR{auBY~+oMra*7Zy-iyCl;{%S4{@@z6`8 zDdgo114axVHcXIGAp__(aKiIAt5KcpJx`5^n&9^PSfyBo`8#6^i+tP>DDFRe_^@%Y zo!wyh2$E#h&5e8K3f=aVD?bUK8(Ux5GsD0Dn;a89jsMZ3XgCY0Oi-^xxtVBX9mJVM z4xJ!_i?OjZXr6(AeeUa-1I3w}OV@nke)5h+6qv~dhxclV>nS0jxPr&zPI%(szB%yF z;bd(hGG>(5kcjg01l(n3$wM8I0bW)Jc!6mX78tg{&Zic$AI5at(QA5o-lN=u37ly~ z&hH^cjB?EV>C>n8oSu-lcs_DAGgZ6$7q&cD3<{SW42$BEYHsUMrGxBSV<|CeHH-@+0(Do4o(e zt2XUpVqzRtt$OOE_2Sx=^NY1cYogwzMW#6!7zCXS; zwY(@PE+Ijqc$0-^|B(_q5*KUg3k)#AGth~56z?eTR;0AiT0)WFA!@iF6*ODPR0nYo zW%~QFvgP*nSs~*CMc`A?DJ#)zdiVhfFjTqr)%BpXx4*IM^%?aBRKpY}K`Se+7+-)4 zh>G(8a%2h}ot!j$9|%YuhJp(QE6$#>er*3uo9ZZXs2Nd-B_C=xdZ@p@KZE*|7`286 zrNu45>_R}eYyCGR-v=e@#?mEVwlKHnfXG7ldwC75uyc3Ft6<=iB#0|`bkSwm>vs?Jfg9bD_MkXe`tIV$@#9zODBJ%?sr)8+xm6#ZB|HHA9|9O*jwY3x=C$t@9 zHkfpkp+-9*Vo>wJX8Agc4+Dn}9U9Fs_&|&D;R9wJkJ0*LF*5H{X({QahG@yToy9=* zfu-h_mI7W>y}T6~9>$vBV>^Q}Qct8@yY}qLJpak<5L_V}3l#N`l`TG|5gfE{U&mg( z{AKhLf&Rxje_e$CpNgltAJQW~?a%KW2$L=!9`@q9bjpT}?t4T1gh@MzI;(l}&O}6* z&zUoL?2hTFKNx(3 z9)a>XGc!{~Ma3%U=6Q64I5G(XZn!c}nbK;0ufagIgB&Zea4m?>@ 
zJNT^hD;5({}T~;4MOk?QS@2ZUM~j3I_*ph%x{X?kNyn=WgAe0nu7omO5QkR#wiE zs^gQOz9fSQ2NX-Jx_V!wg`@T3D1_dYFa+l4;pH&H?0^G`Si!|jHE{o`%|80G%oZP% zG?nU?gX>m3xk_5Y+-d##(_P-yL?EN#EC0$vD%0||!;Fm|VF5FO>Vcnh@|tw7ULj-G zzaz~O_ISI-)(d-$)>p|;paNWXXKG@^aJ@u=XDn#r_u{oliHUb#)d%i*9JzAYviqCm zHKv-HUWDf7x;g~XMXz)+Z;#ojpK5A6-incoDDbCelxYYnaDYFM|$So8W+ut1>X3+^cc`dn-3F8hJE z7cE)B@S`Lp!)-T8_ig35N@4>ji4C&z=q%ot88{>*E-*KrwtRei>O2z@6OL}(Bkro1 znHiiQ1Kp&I1=-oS5d=$j$>})GOr@#2V0SDj&k^mlJ=^va4}MSaSMQ{48d_RDh%Y21 z7Y%f~2B#$UCW*oQaKR2A&IK;}7|Yc}+8{iuHAz(4tNj;5fBWXNZOfnm&gyCBqqY}H zxadyO*8YBXZ%-FpcMx}r0^M!3F=1hMo;@2gapHpM)0G&kfQ@U54Uz5VbH5qA@|7> zdiOb|rdtuxU=I?TozGm(Cr%{I|NI$bom%-m6p==cEw~SA3Fl9rzWt)R!PJyQo)Lay zTC&VWHE>3pa9ov@NwSvXCU%yP7-2V5-%xTzVM65d?M=BSFzd}O+rnK&6rR4!B0jPp zMt5o$Nm3_NU)g!$WxcGgCX%Jrn;ktSiQYmk(cd-V)D>s1Qdd{Uy>5i;z$9xBN?v7U z@DDQpDVooX2e=~q;TYOL=9R?Wd-m*!iz5Xth%-{^jzYSkV&?01jYhEt=6$LecwBN~ zA& zBNsA)XQg$-9c~m|BUNiNhseS`el@8Dq8hzDgKSaZ;YTQL4jm%RO`f$&gN#B`jO_Il z*+!;n%uHkBM*4M6D{=O3^|I#RhNV*{T^K?t+`@R%kn|~3N0wV%f=R?7Zzxw+(lyg< zArk}1I8$@H?|hzc_yNIXdHB+KCjV#w-b1-XwCyy`y5ZD-X-{MXks(!EiPKeT%R8YL zW`8)m%I8?mP2wk-EAL$Hetq_Qg|1#^Wdn9*?Y&im14R786-7LFynk&So#4G)FwEMM z`5_=MP;-kbCp~9NPAo3_Bj-cpCD9pM?78IOM`Z&MG$sA65kG@SnO9ISq;;S0a>HdV zGi-NJBtV(%-=B%tpL}7mHc?~DnAaG$$wz>$B({9PTa(;9{1_(F*3ihkb!!k2hC?_) zi>vLiXU|DGacYQ)iVDIyXBvNlArl|iEKQw1=c#mWI2C%2StcgS3Uccmu+tnA(6N=o zsp`4uIWjUbJ;cZ6Z#cD>>_ZyE!X*zVFQn31(UB)A%R8AkK4HRd5W=WCk>*>9^ zx*-~Cvx8mR<&0`ioJ6n2m)(REWSBhWl(A>dtkBcD57V}F!a_T{us7uv@;xt3pEm91 zuU}YT;XU?P`7Fh7ioi!5$(< z$4cmIH>zan-@cD$p5)Zjd27~J&3K$&7A(4U>{ws1WJtH2r=z0om(}pPU@{dYB~#l- zQQFe55c~uuJb#lvh0LZ>hYxq%(m@5d?j*OTd!I~EB;pLfD2g+C|KNbk2^PI1<%M?! 
zc*I*3Opg&*(Ym8D=X^4&P$2+411E+Z=LIIYH%-vg?3p(2jCk#xRr@w1?n2?ueMC^= zDjFki4@6B;-bTAhS4e5cU{3anBy^@9!5rP8!t;Nf9%uc67&>U8!0&`7CUtN24iJ4q zy&w_`KuXld>sKMl1wNB|#6WULNC^7F*w=ZjIY4mwB(-?m%hE#%MMwSo)aXnY{8S!3 zJPAQB2^lXxp%ok%9b7Td!@~nRnu26Y^V&Uk8YZ>A+=?Fw-~JU0n%ai^mGTvirA_$z&YkqYNXNt7D*>^_^*3RBwCN>y|uF3T`cfS!)abU1bu-{8(2WL$}haGi+zHh7Tp*DK-S=|q<8}C+}nDe94+w$@i zt5$92E(2Hq)KJIOI8Q+Da@+A|>)6jGRe>qk^(bT-7#lCZY8mr?OneL^gBS|t|AP|d zrLT!IFf^oJdVZjvCdrKI^3#_u3rm&>O^|4r-Lj@;yWWSJof0<|0Ym!<__5IPX@qgu zUov_J6-DP*B;A-9L+l|BGe^T)qGTbD-Gii~8e`B68l7%c091j{@lvuXe*b+?+r}rs z4JpZIul%RW8+^ldpU8=-u;H^|RiF-g4E%pZ%G`SLJ+tbGKE?0$3P45pa+i;e7j>Cd>=H5LT=cBr-Hvl~Gqi$}k zSys~g+mfpwv30M9;9}t2Kioioe zS}QS<4D0bbW$^DfAr$fz<7(G}`I(iuBpPoz$N{9Or8*>UlbTY?4-TF`T1$(?7L({^ zf&W3JX}s;m78~^M8vStIk`)VdFt2|(ZOrn7-&OO4QFd`(Wrch%0dx}UfeAWc6h6_Ok? z%4)iC(g-&K<#i^`j+tKsu=-4l)Y5(~PTPZS=mJ0F(&fw1;Yv(f*^C%syy2$#5`vBi zWBW6@$?F|MEHSz0f~K5fuL%RIK)q;42#|1%_#S^o_7|I#G!UW}xfEz}B(v+pe7Uj3i4}pi0?D=ulT*PYIS^ z_T${EahmqD%j z=+Vew!~9O)bng;%{=7S<1Zchr)D1Ud-g##l7c4wKL%Y1LQ$NI z7zSfd~7_i3>J59PB-22t9|aM1GSdGe881gEg0Z|=-z-T`TEpQu#fJ3&Rd zi$_o-hLd`(I!zhFR!%-(fDT7hS63Ljo-j~YV6{#*b%*jb{g#T?7P57hQd(KiIZBvM zH#0%v0784p$OQZOu@PfR+o%W2K6$AAc{J`jC3^VrIz3L8IV*k!sHay$Ii*iibYx%* z%@SL6M7e@CWuo8zCsqF!kgY5H!8#8j6Ie0bt+CCJ-#6)7ITk&|LUA}k+HGKnC;{#q z)C6QwoX&YvG>cvLClL3`%;_O+sjA1Zcc<9XrL?jVb*&}R3MM$nhq?9lg72WiVi*7b zfnaw0qe#PNq2Sig+a{(3Z(q55xv(#0h@Yru&yvzoLHHwR;XK7R&HH!Nx3Jg*h(>Kj z)?C%NWwe0xqUhNrnlo=+p?TfjKg^TDl5y5zVY(Zj94jZdL3kYx5k%E^p=;J-_}SNY z76%8``h~QWxIAOzmMvR6bmI(7OiHVrshOB=4>QC^9IPgi+%aieEpz#Hv=%5pBI8(u zB!o1CCc!th-JAwqqN1{j>WzY;_XK}c#eRd6{yj63N(_5a6^PS$)(TZUvdJQHx<-;j zUlz3la^|K@il=EhImvzD0eu+W{_@i-EP&O`4!qRvMwMv}3N(B6b9ARZvQO$Cv%ce_ zq5P!xwOd!Cu{j*q)M?Pq@e$acK(p%W51lyi#$%tj-`~2sfcF`S4PeC0dUutOc+~dL zoehZ|BFrM-nkj^z*bKi0E+i?>!%4yG?c+n>I=^>s2LHimI+s&OrqgZ`QNKW^D0rN; zxtc&+^r^Z~_^=J8LNwiD!s0tp`)p>U}Smq|i6Ksko|j192ZHOc4BO;?7KH}mw7)Tp2k`vHk1x&G{%vnz)3jY1Tp z`Y(k!uBfP>hgiBo*FCd6)D;7W^sG&|EAw%|j+ew82B{RMUw-X2f9ciW;38&oP%yYN 
z#EtP3`U?t#G-RvnI(zvtm9X!pnfC(jV{kT^G-g{q38x_gc<`i7a+3DpNCzX+6?|frRc&aadh-@*C7Yq)YS87 zpHr;RXyI~l$%eRQYim1Y%1+T?>{fz;W&~ow#QSZI4s{FDT)(UB&-!}d!QqrZIj(-z zI`@-6gzFu^C*|}`_~}IhZkS$4u2%L+JCvK(sszdEHFQkJ)Rz!0o^u^Jp`+#}A27*y z6=Anz$$|w7*zfX^KS$GWPWRfnu_r)!AZAo3!a+-^Gz6bvo{lC#oC4Eyy!_)wsO9B( zF{YD#e^JaVIrgu@^mxsgp}QuMnO6D|*{EOR)6I+lhGp)k<7c*cws2q5LoHbrB zpb*scz+#9)_H>g|y`psQgA?MH@;;BFw(GYfi{m;Q5);(JB2zJ90^5MzUP+gXfQFKZ zrXAU7L2hos<;%?TZ!<73U?Rex%?ln+ICbc(1*rDztk1SwE489bV5j zuI+GY+!;PcdO8Cpqt(jeVOuRwl$fziH6MPn>{jOHd+JG*y$GQz+|Cncpw{3+0-J<%UHxn_6X6tkF<1)-Sm zgI@?!AV@!C#>6B%dG>4z-7IVOzG7E-shMo_iIDc`6GlK+{A4gS=B>4Mt)jWlzhluqhpPr06MNy z7JiR^d{<%As4DskWGN^_%Gfl-U9-*}fG7j9RH%`;Z7~Ca-hnDru@;ynHE`55rnaS^-7i4OuiDUQ&pR%Dy|!wLa5EVn^( z$vnqEL{jp^+R~bOOp6A2VB>bmN4v-&eB{N=JiC(e;Lt9oCFT1sn`S5xJRVF&7zP+L z=vH>NZ>9C*_U7j1e9K1sqgpnm(H#n7Y`}^R;lj%pM!6zrBJ#hLvKC8vrQP=KojRy5 z*H2>fr2bty2-lEm-?8OSkfEjh*|}vetB1M^jIdbk&oZvUJ%9H8rfUnAitwDg_|HP% zgf7Bx-2dH6^wvw{{t!?+{19l+A?;C}ChI7b$mWN8+q&?+ll{JP@2N5*C3bj^t!=KZ zcgg5qB_Q@gO=`b>eN*k+zpK}{(ZZ)QmXwl|JT}Qa^=RI1KCWgZT>?#NSFa72r~|jR zmYB`w)Sq(4t8^xy1OF=L7=O#UYuaTQ*tfEvWT=ZRhcY@&UTv1^+wv$9y zgG<3aH`9OvRARVf=}|`7>9;*auEV^Vedxx<=iL$+?*X544$)ZLZV5|i5- zH1w|osG{7W5DhyusC+{jS5t)vlJ#hLiHsnW7Z!AqNN>OQ;0T(ktg;%OIK{2AxsoH{ z|8#V8AnABgCoePDI8B&?6N%ryS6kYb4O1(HOSUX)(Y1~eeo8$C*kEnk=~b6O%I@y& zs)1-ZlctL2+%z#F^w)b&!}G zOfAk^Dy8ib1XmhU!xXGUApx^w&X>AkC@|H?=0?IWlx zuU%s$lbNaMp*QWJYpHaz1iiOqklC*0n;aEMdGf;HGjbA>b*R${^YioZfdA*(aIg4M zwr@i&r%eVvX`)fk&hshb11hZUweuUW4yrRU#Cv{$-XAXwT(?p+2edH ze&yF*&6rD2BvsNZKp`&fjbXGi-%Pbrg!G%zi>LrXmx2j##Wl7H+Vcbf3BxngV{j~E z*+wGW4_kYuna(L;c9<8#5=&CRc)L}n}EA}{gg?&b>@nn>b7*2Qek_3JKm zu^!S{xcm+B7^bXjS-6OTk=w|t%r-MCsdm=-vK_qzk(UaCD_`I|RuuT3$ho5#oGt2? 
ze=3G@$**n0c^}=y)EuZJBnHWPdt~S2ibmcHC_AEFrjKlqc}1&bTM-_~-z_Q%p7-tD zy-r1QZ@S$8CE}9;On`qT0)BF0JH7runNR95G%!ei{5a}|6YC5|H=QHt?i1NLILuvI zkK9cFQPKEQ%7Lz0y{?9Qfg55%7ga)ERQ4q*tt9&0`QYT$MON{CSFQ?sXEfC}r*{OL zooqhmXgDf0p(%}?<=)tk^yc1J9V1TFV!e07#f|x#CE}1UvV~Crn%Oa9F6(URNAE!8 zju}Wco~gm7mX;3lJ8~p0Cg#+rc4fn2x&_ZaM$Y&Dfbtz|w~;~y9)?ak_N=h$jmt%Q zg2}ev7n$3=)v10@^74LG>yN>$cSKjp1X;CHql&9$bSA;>Xn**3{o*ORv;Z3`sLMWn z6lxhIw9E1y2N)%zkO90B+e$rTb2 z9gGKj{B)V3@6r{wBi;HxU;BOatiiv|>?V40xTxi*nTVl--{!RnIbiv7V+XiX;3YIb zOmP)(9gHPu9CDsMWhI8@jn=GYnMKS_x#;EffM7+@d@d&DCu3u|h37r0oTwxboOi|$ z>yO}kmseK|g?J(Ix4`>7I(`}C_U&4IicK;%3nYNNsB}R{xk;4*j=|=!(#SXGjXNETB9BPSm^Q^claw?>SNG)B;qOhmZaO&D zbM>Gr9Tlt?w!d7!P~M!~Te#ll8)R|>?N!*}kKUF)3+Iuk#ojRXUS1uFEhKh~IFwTF zFeRCO)P_EyQn`YXc>d}@35iW4x&uBjo~XT-ie+_Tl3u=XZC5+E<+n2vEImH&?()ygQDw7VQS) zD0=$zNTsrb{V~dbb?YX#yw$uro+@|ecDp8&c&75gXm4&i$`g_Qw9tON8CMDyDv~5r zt3vWab1T3P_Isx3CsIP3HnpD8ztyfx##8~3mn>ZxdG_q;<;%CQMlNN7y!>KV1Oe=v zGiN1`5@~=*6)1sK;~g9udy4Js?7%)AeQ-h;ARyMu>Nz|Nv)VId$=YNGhp{Vi1u~|6 zEl0kIh)sP9{%7*_YU&-Ud}cDzY5oa#8Kv( z;^$qu|KPz;#7Fu0bx_lkd|zv8QQIi{KG4+CdX%0%H`QgF?*l_4qqCI#a#*wfNVqFSGIT-zr;7;gYnyi|@1OuXm(z^tTlrvP~d*U1eSKyuNBL*r+vLMLKo z2Qo?9D4iPH6e1D>qN8}2NVaHj8A4sa968WC@Um8FcZo$g$H!FtZhSVz`G?i{SKb%< z76`W^tYJdeC9X}abOuY0NV|Jikp>KF<*8G#o3=7Ddsn=3IV&S0huH~JQ-sc< zGtK0$0lF?@*;m8Su+X-&uwV$3FP8n$^^t`5g7h0)SM}~42jmP;OOj*pcM>9aDo6+I zFK@Zy+xduAHghPL2&E&vGwBFY6eBn{bcTXBpl*)r5;|(3Lqybqc=K+q{H;C$wFMvB z&~OgpWx)F4D4z__ZrK;}X<-@mUj*7+ISHhUNES)Gj#KI&lLf!y(Oj&@5o&yFDQoet8`}y@WY!Uu8T8E00?T}SU)O@^(Aq# z?VaRq?MNCv<{s4Gc{bL4sD~eUf?m(E-{Zq8LuVKn9l#*W-u}Int*cVSH3^A~Cr?+6 zTP#jnzT4FFEo`p!fw~KwXp(lsJkQQ4fco_m^^lf68X77mEj>+g#;o%?Z|(jgs67&M z4_FIFo9Jlp{q5i;Am|(OiAe+c_a`6FEbuF<15mxFu54x~#Y4n>EVYetlaH%-Jp&R1 zF%>z&VrgJSXa*mTR=pX-W`6^e`&@zg^`1#}$H;ZVtQml4?;$RjbB&JP!ftc10eQ3C znCD5W0$KaUy?_~$UDwrO)+}Gqosw$A7tRv~%D*SVZOjL{V3P(<@50%$g;iJdFi88g z&Ned@+9E8JXX@wXV~e_~_wWF`QLbC>7peEN6%`bga3(C)*rq*NEHNkv#S7D%kU&{N z?$=b*3G33W+xh0Bi9nY?&qlLmF&6d$!M}V2Py9v;R%jAh>E9NkRzN|=Dz)~~OV+Nn 
zUAhsTn%x|{SrYJHB=;7BgkwPZQ9MN4kLj5OhGv{+%H8e_Jey75ZSXfq4S-HT{vUlIUW04k& zyV~6E=(FbJXjC&`uiC?gr9XJ!6(#fWjlU?DL(J?iFe;S*kfKP8AZf_TW)$kkaq`GZ ze`NqL*f@FRUyYsFEKZ(4kqH`FUficCh;X$1=htd3+tg`wLw^^{4HDYvmRl(kc21+e z^!48hmQHv^Z$tyUZ0XWX<+&d~18eU`aei}>c!-R?C2hOB>HBMP5#?t*xFKc%90>vk z+4l5t_TLCITKsmxz*$ySTL?HPIbte}^9$U8m^cuZLC4qt35i0m;`?(Rd7O<6OCAXq z%s}g6l-5ndJCJuVR$3GDgGC$Gbwg9TX^Qsq$wH{q;^rlUFGHm4NTso$e zzC^4ANT(Gu{3;!QxnIUv4P?qt6$t3HznS_=H8HZc3D+N zDXBtGG^%An0eq)~eOlm2p&$sAfBnt)hLZBMoA-jO7u{ogTNr=a+)HCMG7uih{Ra;8 zN8bg=O2MAFd3tD$>Df0|EXQu$diCMMJ+q?I%W5JkzF8^!y>#C%H8j6%B~jkJSFh=k z{Pg``37A~uglp-WA_V7mP$xQDzPO<6LZbj(y^g|**?s2r*bT|Djdt?TTwau2?b?y% z(BB|tTDx}bZQHI;Zp9ZCPn|R8FjX+Hecx;a{M`fm{WpF2{N{`9;ulxWpzvAeBx7E- zkXrWIrcbK!m{abldb!=e=H3MX%@XBv#oI{)MV&hra^wiXr|R=(BFEb0%gY2My$!HDI5xeQM9DJMIto<2%cmVMrw`huo1k3OiUi9 zr7Zz=1gGWgbkCICTKiE-{yoz+7?^}*ciymRlmFwM zJe=Wt$Y)fuH2!G!wmCa<=Y*xr@$V$pIXMmXut6b;t`l(}GCM&U#g>2pIk`z5e#m>p z>4;{}o;g!qR;Djmn6fGE&09KAp`1E@Uf3PlkkD{(nro+(D`OiPKnzF9HoH?OcWF|L z+~?(`@9Zq}zEJEE_U)Y#?;znrN_s3AT_A#Zhw%yu3hbUtMr}(W;ecQJXF7|lFHls# z8i~RtXaa2!#lxEX*j|pymoB~G`YRwAib0sLD~9HTLoRE{B2@_UdU;0I;qhDW9%&hc+1tH0Z5?&KOiVE`c8Nu%2*r!)7L5h`( zc8+H>C>}1{8V!6g*fKakB5sZKEQ-uc-m|Cu2B*mD*M9>CWPPDt@!xf)EHs7wh1tZM zWCV^UPY!fMyN8x5s$scUa<8xN`D#t7Ib(PtN3imK{al-_F(CDWs4O$-2-+$hIH_hM z1n5S_#w&mze}Y?OeL(E_Oa#oPu zV3-3&Oi1~bg=}|sLqk9&nZznv0AY$55+#-M1_tX$TMQ-VJVF^MC69qa*1^#}x6~M% z>e8@#%H_3+Dk}T);{x}l1bTV~U0mO#*--0ot%+;+>V0Q@^5;}6xt4uqPoXt3rXtK@S7V3o*sZVH zB09vx5HyH6_L3=*|z1xib4Q-*v?LMf@HrL`hI zHu6eW4oA?D+M{uCpP)_{h+46F^>v0!N>@(av}(+|z=F1vxeFQ^PbN($g+9A|lsL4vi5770IP1d^BKo4dP|c=#c@ zRSS#`S|=&Ij8yNZX;K3hth=7ew&kb}eD7;>pHM09LyHvk#*+VTt4Ag$V+}l`?h&?P zq@te{nL(~WCw$j+NteHSPpP(|F3GP8HYp%fJ1*7CmM2GXj2oy|jklyv4Rz%DlI@7-}rmC#`q1cZ0#Sk$lo z^;IykRHep^y@L<(V~I$!-61{%;_1Tqgu_Ue^bxX@9Y_4T_lA?2Zdh*EfVlgoXDgN`zc32Rq3c zaY;j-v8u`*la(iI|8Do~eZNg>_0x}!X>Qg$aV||Z5m1jCa zBm*a>gt;dh6&7Q1k=3)~j%{Dx?0lo}(0Zg$ow~{DNS5i+D26M@G(&ByEgTQ5otnOhtu_ds@4nCjPxj?Iae3o<7~Q 
z<#iVYkJZJ!m9PB%UU@~%y*8@yX|w{54f^$dGBSFSASl;e$L|wqta;%(W5)TG!Z;yu zbl}EveU-7t&K`n26p_P&v+y%YLCDFbR-0CS8n(i&zC)(yvq>L$?e4B54;7hfR@`YvD#_lXXl2EZHp}o`n23Q zUQJ@h#wjhGUrw4;8g!?=L>U1ey6$?qLm!h`)s#lIoNCK3hVsE+^LD_5Pzrr7bKh?phppGh$J~A5ccPz>A(fI=+P!4R`bB`)90L zD*bPac#hfijKzyDUfEW%E_iCiKQ~Up$e>{Z!z94tlvGIwg#n*1E+14~A#rM9QKGu# zY*F#~cftmNP4@=>y%rBI6y=73(9z$L?pbbHiHu6XC|9m50@T)C*>;Bxf#u!Xw4v`R z&Y2C}{-5vFo{E0RLj?GMM4Z)Hf}ZWg6%=2GD^ny+wXd&l7pnWgJMMC6^{-xk@5iIr z|FIp&=o5L!%%in|QQ70J=pTDntzEjb*Sm^+)BoOZ$33)pQt}j!SvR2zMm$q&=V8=c zIrsBviFb9?OH5X-+;e5ys{EN&HVZCF{__La^z{mum2aXaXPQY$;P_VeQCczBxck0p zl?xvqhdiHu+3sFGj^s=3<@ehE_gOCPEDUD@+z^5&@+m_i4WFxalvs&5gj}ain(OPL zP7NCMpZgs&<@}z^%x8^d!mv7;o+7|O5G5Mjtheh>>_tb75=qGHN_(50X;^D@u~u-- znC994T<5rvje?&P5dXP_H>|mCSy|wgXQ`XcT1ZKV7uyFVx+(nU4XS8< zbg)=AWV3vI7w{v#W*luN;e!?Fcy+yY!4EXk{yCJn@f>&n-N%m@&XtlEfDG#W#_`XP z*5&1`c3v;xQ$X*uuj57ItAa7^e?F7nX3D0^moCMX-4_6R#7d3hZ7+qRt>tk8}87M9$l>wtz|p9}XV-mu>rdg#zjzgO1Dc@sC3ir0Nr zRkxBFq%(f}eD-#(uPc}^r^7$dAZUHn!mz-=wXVrF*Pq+|Y|pl$#N=erRAUJrv$=Df z-`)X{`SGq|wxQwF|Gd-B+iA1W3RhfJZ`8fOU2ZTkG86=-zE`hqP1}D&S6SJH$@+>+ zO^sKGzat#E^-4Bv zxc0e|^99B;$j71h^5t>s21PV{W6IuZ&zI=RQ>Sdton5KhZu=ilX7plLi8`D}@Lb86 zW-IvG6-d9F+4=8DkMxX>PYz!)RDE+_IheO!-RwS#B<`l;4AYYM{> z4`wi~ByG6%wae2RiHWtL?(zF0$4E%bXaTu+@T9M@-nQ!I{<0H-mEzr8UuoP&Z5> zM)xGge$30*ncSswZQ;oF5;AT6Ud|^*Y(lf1Us5GEd4n)4EyUL|M*;$v`>BNZIeb|8 zz8%gY-TwabIb}KFL*?bS%U=Hl!Ekr(0qKVs84#;_ySKQ1|Loa!|Dl0Gn(EYkJCi=b z$_~f?f-Z^{o&=#4^6(Q>zfYb}+OrBy57#IJ&3M%j63u7F)Nc|0rE`$J^_7*4i;n&Q znycyCEcgll3}B`Suex#5CK|eCP%Zw={vsmrFU~YmVXJ^9d#P9&9aB54yWK)Q;t#P? 
zMIi?q15NVpBx-!ksV9s6KHvU2Z905McOTupDs_b!yUe!VwK|xWk>zr8?Q2_~=M&8i z+%xFbFiGWh_ksTp6p-WN=Kp^RNK>H*+=?EL@Ki~u*0oco<8YUB$sj^Q<~0AGQ^niu zd-G{e9kp%Wobko8oE&}?xKju*;GKKVGbk^pt^|oX?fbGo5D(~{ug=$z0@y|5 z=d~QDj2Yh+fdP2uwlA zf~a|Vh+&IfEI~yeIMW1XLV`rkZ-z$8o5x@D7l|&AGr{I6%=m8zpc?%Zb0~BLTF{4t z_b2COMNV^`aPp)3_8*gu4u-^{0dQf*(DwehzqSi4JmPa6nx_-T8w}Fc7MyEJB_erF>$WUuzNa|lZIgSRP7$ymP0CE#=#tix)h&=znrIfJD#ni; zJAt?A;tQCUBxbhFgqjCbpioIcpVx4e7&p#WH7CU)*EJVT&*A5|~*ahbI(%jQgR zj#>zF|J1Y#=K2O~8e)>T0AIGdUX$Ekt*eV2Y#T*o$+Yv~pI;$ZG@c)@5lOa%H(a@T zwaukvKB(p?S)>FIxVvOqsyG3{iJ6MX}yxHwOnWsS2Q8WRVH3zc#}k6)taczHM%JQ>T5b zuKSEMA}aNFANN_4gD(jCn>_0rraUHWy4L1+^^n8dg>RqN{?}ru>RxBJWtHJmEBICu zwpn%4T-Dq(%73CTcCQOls5mqAaMSXj#{4bp)ip49P8r6VV0;Eh3*%g!m2+KOeuL5S z+rCg@PVdv%u(FQwX5%m9;+t)3Uchr9#b&yS55l&5xHUiya#vKcyp+l z%b&N|f8>tA&bKGU5zf!fy=eE9C**Ud`@eXCfBvj}wRX*#fpT(_Y8!x$!ak+$o)G(^ zNq4`%=;`a1L3YYr@VXr;(^sg0o(LvM*CW8&L24th6KFJhh5>@2VrR2zpp~mvu5>nA zUoP|@A90e{giGb|5aaFg+YVJ!4DGDl=F}}zJSuT!R_5kdiSa!Y80o(b2yM?P+OC2i z^(DcfuY2t6=Ic9&b#^}WM9eOueL@1~{R^^)y-!2UwN-U-Rc&l8r0-}PedYW;(QFSC-`3>t?Rz<1Jj zW24_ehhFc)$KZg>(y+do)_-4P%Hx>0xLL>4Ox~sSDybVNeSdd{57pKBeTQ3E)OlnF z{tj&)_xChm;j<)M|2Uh1X1`0T`Sv9$>g3`JazR4H-16zcygz*k?e_MocKhS4B!(}t z^Iz&2+#)||If@T_qmjfee3w>SWZiG|9#6`}(1~$}etx}we@Oe|iwj;ieZP!Yy_FXN zXptCFm$9ckH-~Qxi;fP&N$->Dj#e!PC_N|PaR<4q=5LuhLu(2{zkW?Wc1$j4mDeVx z4OPzDQioO}tsBr;JMAoZB8OGieaElXh%04eWszf|@rZnS%!bhrH~h-ZUXxh%&xdou z3Ztu%|7|C#omU{=`yVh|2j0ta-R&@&x#creg>Z&UoJ%p60j(CIU*EDXvS0JJS%9!8ap8!?(~+ zsf-%cjYa~?#P#dZsh^&SbI|^@x58LUYAP+qOf$0@l99msL0m8phLr&Es(!1a^dsn#rw>asx%E^M(jc5>Vg`3$&SLsBfpCirtgQOTPXkhW^vDOS$Vp1LA8Q>Pp5*2Z7N-4q#LObO z4txjCuB1GGKR2{xyp78TbpXEDQ_RB|Gly zm?)4LBD*zfzLb{oFAODfm{KAA>y%YH^MoBwLRD_7Xxt)Y2Ny&UO|;St657B!=jysN|?9 z%Yp?Ltf1Q#ENB$%H#*_4%HIC#r}O=AA0x%|R`BWalE(rC_2UzV)-BE zdNy#9W#WkP%+7xwDnD7xWmis&-(uvF{pICF1P<0o5362ox#8dsRx#7asHyH*XTk;f zR;?)NJ!cM%?Ggv;v@}nDKf8AIk#TV{1%5xai%yzT~j z4;{K4HvMq(ZA`SFKZdvebx0t_TJmt&&uVOOSl)G}Te<4P@R+Cbx-Ty~!|=?94}#q5 
zmn;DC{SQuM+073KRFQ?U5^BPjuW(*_=j7!*DHwP={j!&}%?#74DUaXRJn-5RU$yqu zo-V7-FML$G?&uz;00KDD9{~0!q>Z>6m z-s;q(f3l@F%Y=P=v|ffYfVOGVrfpTt+3u?9Intj-kGcHu)2EJ}FSl(=!II`ihhZoi z6B8i{fsfV=8*0rO41GD*Y3IC%#%$8GZP&iN5HQi}gsG1@7L9!XYfh?B*I&MPXo8&7 zS0@3)5Nd(xbIh{o*t@3aR~GeZx-Waa%hd5BHZ{8yW*os0XvvcBru+TJ9TrQTiFeaD z+LMtci$ofMkI1K~pee7svmJhI;2FAg>lO=7ZR~g5PS3nn^0qquuGbhXEoyn$e=B^* zZH81qva(O+f8Q$Qm-e=AzkchkzMyC>T{ivNgRPS{Z~i?ce)`R&ncwBy4=k^^j`G?= zMD(Z*ApwX_KY94Dg5}8wCBj-u@pt58SgB*9SM)Gj-r?S|C7Rk3e#`FdHp#u|@`Vc_ zoxdw=_~*hN419JR2LjN33ya2ub|=&ppGZw@O7rri08oAOYN0jSI>sApRL4x1aH6OL z8ox&mA)XN|+?#4(0!}l_K)0jhk%cRXuCCybq~X}_{oY`i?A%=OyREAAip8y2$TuMYA+y*RDyg z+_o>AIyL-UrN@^qx&?DA=Dc$ndm>2F_Vl}mQOAG%kV8BW^u=`PQulEW(@NIvp7$h` z+`$ay$dQl06^9I2_V8$GpY~AC9)6{zldO7vQr{41IsMkg-iyBe`(y6kkD?G1d+*=B z#GT2zl~VFdNaU{C-wuJp_3NeI$7NQ@d1cFuYM5+j_%zqaXyL1utn(-fe0M1ui$ck^ zyU>O5{4kcYvPfA2c{&6+*#x0TyAJq`Gf<@WL#6d89O9|QXSz7EVd_7X$JrA6;N4t5 zF4AKwt*)Dm){Djq9YQDRPWWAX+I+UDX~EM^OCm4nZr#4!Ocu0(udv3vZtEBlpf|wg zBjp-?_2(EU!=HQN(N}MlTF#z*#rfjEfp=XXS~k4H)`wsRGe$e2`VYw`q=+Zl=<;mQ$=}Tw`KOGIqp?1 zDciKhtEwK_rWukZ&pKJ(w-vK=gMxfIcJ1x0%d=?X*0iAC_cjM&;^R>;>bf_%2pX2; zWS$UKYOJ2WtvbB)KerjFi`;}^(e8O^wY9d>q=bs7(j@vM7Bc3q^Fj3ZFlh?$d`q z8?U3oIFhP$;xKvn+wi;N#}`8w^2}Vg;3pa^-I34-bcF2-9VHb&yVkArN1X1_r_W`u zTIMCd5IF<7uY1cq3@@GB_Mgy;nmGC5#ep+Db8~-v_^|J)!MU9~Z}+hUC&~{V_^ayW zk*^C%)6;J-X*2apC;J(UOQoj1LYakloRiD1l=MH;X3ffm00f(&&W?(R5Q&MvJQDQa zG1+s{m`!ZgdguA`YcYjGyTUvZjK`$<_dQKRA|fJ)ZmNMSuej+_?}W&vRi7&#YfLxX z=;G%8LHFhLt@Gb4DHPm-g+$?*`~3NcPrdgH@O>bw_0U`7)Z8?+y7BVbGIreFkB?X7 z+nFz=8oK{LZm;hou_RSAaI=FrJy^^3#f|O0B8@FyWMNzq9ORC1RaxZeLK#KC9XP?+ z??H(m;lzjVeRI`^u!yLrIhsYYbnD+^`9RG?HB2?1cffL^mn||H`S(~W73AblsRWn34Qnd*wf~3wcqj1 z%atQ6oYjqYW+d%8 zwj%8R0Yg{NbLcJ}Vw|vP%N8Y%zI_iw+;?`qzR<=-ED7*n?dW(;`r4kw>L{ajPG&Re zdB{7iVRtcUprJp%2|9Vw4Imd2n(l%LI%leTCo~E4=*&;xBFuq1vnmCc2m$k1hsnf3 zbfshan>aWOled2qeDcg1jVIxy4dD@YE58iPOV^e16t}xJ=bw^qKHLG1O8u{@E#6f? zkq3O6YkHT*$FIo=X<7h+g=dttRbu&Fb|{!x4?Pp`qL? 
z16F5!{_@g&hRU|BkLtcPWKI?7{`wpmR>`?d%ab?oLAgVh6^rqGQ4x&_h-d!)s_n|- zsa)Ijn{kConJZJ$AWBKJ+lG``nUXOfBy&lUR*TrxmXIbQ%20b5qwKUJN*OY&6t*dA zr$o!Fke1=QUVH0&-}#;M-#PwR`KcD(_j#Y^zOU(KayY{3M~>%)5fGEp07H+DV~@l% zJ~5h!o|#!Ja+d&$(T&5A+u~_paN*=-#2X;+2C#8LVj_Mr#L`rjn11cT;;yW4_lBY^ z?Zd|mW3k{6+C%TwRDjt6-@1od^4U16BVvO(C)v-!f8~t6Ava$;EKbp?f9YmKrG6kw zqNxe1;o_8K9KhxP0pdXXu7(!(1H~#O`9^`tsApy zRjS;oR9;%q**%9Bl24-av4`0zZjn^~;a3F(=P{PB=J6gq$m55%t+kx< z=ASAUg6tp z{reB?ZZAn$Hx7T}*WZRaLuSS6dEC5v>U+Y@?iJd z?y+qxpQ&hRiIUu`V|?(S*2axH|Lq-Q)CS*esI7TYv#*eDDH*T8t$e(-b^8PNJ+x=U z+I!W2y00Jvioar=z&t4DyLH<(95E_Zd(4>%h;>I(imT6~U4ly7N>W_hhy<)rsv*J= z4Ij%A{bkpN5P$WKwzluwKnhO`+|539ea(-zQ~zl%hyvG4JAHjI%M2Ucb;6O?139k? z@j>W%AU*H=nbsDY?dmNPn!EF@dxc2Z#atO*Tr7%W=%vAWDpg~{27W!Ge0?7usxG$* zQ(EW3o%aTJjq)Ra!l1#C*y3*s|fBg;!A-_ZqnbePZ4d9=d(bm1s{ZluH zkc7-}gg2;I@oBp(UM!TB`g?2g3(Ik?@)U%r(@gCpp*71exDq7te|oxJw3cp z549$BI>6H&fT!WF?a*R$bm&k>zq{{hD&SS*Q_1cIdRZ2>EAnWR^tbGNSE{(xEv1FzCZc0N_6XIStWM8zi(WhAGT)5Yhlz%8keEO^_ z8G|tgBYf`f_we&OoW74XbnKO?^`8ioi_+MJFrK5n0=y?s4Xld5IG`o!s3Ko8{5F49 zO&iF0!e%g2QUkSiPfD6qWzY8PseAl5h{tmO*Cg)-p$Cs0d}9`I&mZ#_$&%wB1D6I^rbJXy!A_XR5>$Eu zj)~V$o=%T56BM{#@4~^1fE+|)B8dRD6rPo{mC`S3u5*ufq9lUX*N^TaBy>opYRAyj zyUxz*f~mQ=dIPhpESfoE`BpWxnyM-nmT|1o{MvT?XrLh#lQ8CiEmXu?52IP$g3a7w zqr7?KFi+M3Gx*^V42YWxH9X9HcTFUmnm8a`S+T-vL{0jISjINx*At^RH)tj^q!~Ri zVoVjUW`Ty^pVxZ8=}O}KZkL&~*(H`&wjDTtu~>WbjH;8+)C2eqH{};XFwBmXZtuHy zmat8y?RFgdctKkR&?cHw3WXwWB2ZR+1Ooi(^3IIn9~&)pp7@)CeZ3x!3JW(|7<~dR zXKnS;q*&a^=0AGQZz{>)ef|cWUOao2Oy_E&APaFDJWgmF#eHL0~xT4vZTT`vD zYLRnyB^-`eMbvcL+1sl)iW2doh%~+=S<|9rAurEu8#n(Dw1Tov9Tiv3elcXo>$FhH z)XLH_obFjZaz5W=o@Cjw9~TUL2WVR$vM|j8=0tM6t(yG8+W4Iu2q~zmuXoP0i+SnQ z4L;y+Qs59KZ;);__!K%%f2qUzK$Q6YX2}HxjQGuID6}nCc;8pzfMsxDl*azwKBljy-Dg|TsJQFhr$8c zA7t>H>g|b>`yYGE0jP>X1OkGBP@Vxb1?Y6d)6;10-ekxNp_RZPgohJ>LUd>Bm=S{J zlrTXH%x840M1V;fY>~t`Pf5uGCfDNT 
zcD7utyjsJ<*A44DMAn4d&dLH)H;Y6Nm=3+1_jnNme+rokAQsaYL%1%s5Nin5>CKZ-8v$Z9Yryv}_t(4MVG~+FS0!0164^{J-^qsQTv9G;x2sL;D(=HcX|O2D*wX*4arWeX}G3S{)sxDz#=VBUlCEyyj*YwYs{y#~>p?kjR*nt(lnxrhYK8H6ed=f;3zsb9$sF{AQQ`jpWwJELcIq41(qss z-3!dE&AUl8p*2sJK7`UuGon=zJ9&&`yY+E_+ zzQRF0*!tk$g4_l^E{<$aX5kY|c3Aosj_g>!nn+%467RtzMxM=S8IBB4qmcMlA1qZt z0wYQ`oE#w9`;Im`)n~x=Ul*qfrV>~weE^d-;e2w* z%#K@T4cZoXBSceQCMGI590_G{xO6gu&aJO)vOS8V6r6I$VPxy1-aWBceMh?J)&c6Q zkSyeRU1WA9CcnA%U^EVOCvhC_0US3X7D{eJ{lxQya)f5Px;s8SaVh`&$CBBZc5=r+ z927o)5D=qWeGNvwAe1@6{wn;_5eDisi=&*5z-c@Xz7rW0HTC|yG<>!Xuv>H<0$Yw~ zH1H|%JFH>X@%Q(~zr$u+s9uKE0jj#avGF0I{E^H97Tk87FtUgS!k1_kotgdvTQdMu zEOh{}pq=HX9Es4~{rziTgxGAg$2nQz+!$HA(Ca-!6!o*x(jGwgV@@20m3))qzKb>8 zAe7;D#nkHQZy#d7!#MadH)$d6!v-4{M*(2dWy*Mp;=~^YVg3pgqma-HXv(&!4Z_k(h5^dVZC%GMNkoDG92I z)m61+${xPHnn8nqLN#O}f~U+q^Q!mUw=@jYGuGf13*ZoZga8qEqsaMDb!yDonwpT2 zcY$xd{`HJghoX9mTYNDiMGfcMlk6u>av1LjxauzsB|;#1-;h9>`@<@!P<1?!(AZqB~L|FqSAT13-n=XtfTDEK%U~B9m09-IAkB^^!p{&jww2~OxQjnhhqNC$y zWo0uNL9-jy^jQr=jY9&8jUR?;2rItVuzuBgl&Usm#j^|JL?@x6QYm^BRs?d824`Nm zxdah zXqJ+34ujMAxi}z_fQAEUF5FyPSXLLcSle*ogIK8PMsMhMFf5+qXl%-^Yufi=Q8p?a&pn zn`-psAYYkrbR+``FnhA>J1t`qBWjb10Sl_Cfe@`>>%>Ek-C;G2+E+@a8^WMrZy$m~ zo6L0p&<%wgSZ`9BjN=2s7f`o47a*y$w@*CjhT~~`{De6viIj@b_W?_7`L;`{=ld5X zPi_N86{Q({ik*6@_0iA8d*!fhPYiWxXr|<4Wf>oE9C%hdL%8FOp`Z5l z^JCQ4j}H$6%T-i`^7jwy1I5K1wYAxm?;A}+{@bDbK%$n+0sP3J|7yvCdltNJewMq> zM2&}O%_tI^PyyVy0bkuvrhv$GXn1du(c>>Ls?M&*SQvImxaybcARPpfiMH3Tp;j3O zix4S>{S~37r!hg`wb+Wm1KiPG?QJN2l+zSkp2a-$)Eo=WD7`sn`m;AAhH8+6LE?HB87IQ z<_|F+NFJ7&F+M*tg1f3EKkKez~6G49zaLCVu_UHnIq zg>g^Gba8F%GN^vG__S@coxpFnD^sNnGc8cSkP^6vSm->|ckB=o65Z@w98BRet}@NV%zWe8(vAX1dE2M%>SMn7FmD%8~9~q literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-dmz-tl.dia b/doc/pics/e4-dmz-tl.dia new file mode 100644 index 0000000000000000000000000000000000000000..99f5627f90b2c70a007045c0618322daa162b323 GIT binary patch literal 5950 zcmV-E7s2QsiwFP!000021MOYgZX-vMeebUz`IPHPk9?uN0-Zk7aYrro8 zC6*y&=HuraD!pG8K6;ZW-~%KYhBL^ga~x z#dtP-b0!!+>lM?h*=RhyeslJZzkh%3&;IoFt3Qs$!#}`(*Yn|R4}N00z)x?^ZkEgU ze|Y`++JRFL9f@IwB_mVhu6jB zycqsg|8NdpAsqMc_r-kk!ME>ci!lsYet!RKNX>Kb&nIJ6qZTk|dj0iR-{`N(S6Y4J z@mW;7&Vnzb1#nUA7B1X%}wZF5Gx=@qRX6 z&WGdWbI8ltY*GxTCF*j1R~(PCxEfAC#I{WADXQLnJY6>S_|MHe zep3SC8S(hzi4s>nt@aQa`N9NNJTKCOyiAysYFWygv zpSMq8b5PB*hSTL3IBd8mMh!7d9aT<;@6VUB^9`QJh%~$Wui`2*|KH3$?lYqXP_Aav zDNF~{(DU~**shCaAomr;@>?4kYD5JgE9R>={boKN|Ng)8;v7V8de&PJ&gx})t0@eh zd}|0Z`f&g0iO83~yOk)vTMnnA;e6CP@4cOUI(t;dK^Y&9-kkjhU*8Iw>jw`5b>P`{ zj>}js7H3xV4U=JWk3L_oI)KZ|&F9Z?uG8yDagSj;naxL7PdPl`=|VtRL5KK)2xE9LBBJ{*nj7TXp~ z^7SvV1F!sMxzmr{`XYVn3)4Rr%(&feoVNW1!dO@(G0>K&z5-B_mjIHdwhsxwWW+(g z_!JUQig6bm5UVeH65Fy7S(d4?>=^K4A9!DzjFRk_@`z%B83=&vJ7#!LHm4{j&ukw- z4lD@sRFDImW^|ghd77zI29Sb^f@BM!-mLF&H-(c(iG=m?U_uhTJy_`*+kbqc`fJr3*;o(RYwjUU( zmo6g{fE5r*B!x%=3Brb-g+L?W$Y0ZKu^gW52sw<#SIeB7)5sF;rF3NE8JVyH_a>D@ zWhsJTeCKZd{CB>ddcgT()aNjeU&oWl9w3{^6J4c8{wy$68KgXD1t;V87dNx{_`he< z<#4ifavM>cgJFOWm*cB^Ad9<84Br=LM=#QWy57IR@2o=Ev&qUHFG)&pWGS6f;{znI zLed&|9t<)e9DX+19DN*5rx(R^^en2i_dF{tMQ_U&(?K7}+pv+Y-fzB7RiJ#^Lm$I- zi)WN`|1Z58kP(cDfk-T8@#yb8{_C4F^=zsYKP&EkcH@Wr^RV;A8y%*${5V`*-N2vI zqDpCT$-=Cd3}8(#X{1*p@0tp8|17$#WalWsa@Zwls<|(KwO)TI(8jFyOOYYUf zm(8fcprgqf88ons)sEX^U9+UrkWxcRO@m6!--}PnigUm>a1Ll~R39ub>7~zm5R^!c zS?~Pd39?qlhGmwxEIUqujWKn<(U`=%Hf|%|xhC6rOO{ccgo6B60pa(1zYcH5lh5!z z!|CFz7k6n?Sjr#$YccsypkzPYo`=7|vvZ*OEZCrDod&uthzAMdF>vdNjeDO7$3P7y zU(6vxhGAEG^tu)BzihQdV2Kw{iT=|bC8=KX4CN!*7je19xrctk-q-5 zinWr{a#dhlaNU;o%P+lu66R-yQk|QuQtv_`|`$>yAys zBZZF?J~|Te=d+3AOH4@6-ip4$fGp3M(55t#+(je_w&VaQR9Ok1fo4SRgtppwRt$v~ zH4b0QI(KaH%gZIS39+7(CJxDHbL&4VWy2Y5yAtt5@^u^`Fw0EGH1d$O$OItq5=kM_ 
zKqw~hbIimK9ae4{SwhOhC(VU47t&nnVy&hLq7O>+JyYIiEy8e*o5<*6b<@3#t=f533{|DB8HXPGVkdKZh#z8Wfvr<_^{5eB>swIyMpZ{|^2H&+ zG_abmHstgj3#R%gNPseMOgW=GrrHHzLx*jv)TP_Ut}@KSYB@08ln~qrr!pE^npsnK zu#)9PmRIH^frbQvk_5h}BmvZNTtKbD3o9v0Aaj-gIaW?5B;=d&peL#1dserUTe6=rBS9dpSbp&3km5IGi4(tq#HI!9e(11WI<3OweSP?$6r%QK-QN%$Z1g4`i6Na_|JV8`&tNT4cZZUn7d7TAcL7|8J(tVmcjG zu~TxMKaho17!hGXi@a&khDq*aA6;SIfL>vl3kL7_%fM}yePB&2;eI|aAw8GedLe}O zR_E;T#gy0FO0JbM)&xm;)8qo9=sl?~FPS)N8Aw8a6N4)+3`Othj{pA~4|nqYH&C;b z=A~QFik!jD2P7~&tu=!u$nx0xoJ8bb5|P)+A{nA5ZHR8~J0X*=Zs}OmA`*w@ITMVq zgIx)vELQ{c4SUQt0)}!*cGnbbVgdKEL^%Uy2W!`~(506%XQVe0n@$+-r9SrbB3qPf zQBqc03wfqri<1}umu=+dVIv)BkvN^T4r87|mdIKjjl5UPvv!i(hiWT!4#f!_FciC? zTStM<#%Q0+(A8%&W`#Aktpu#T2OoY4_Tfv@SJm4*S zr=7>{TV3vYnzm;9C~?@(%Xw+Jx4~E=*Dk~~-)WhJwMNTJ;zF4SK6{hy0sc-Q;xhhM1hN=q%oHU*O0ja^QuO~3yYm|1m} z*WQVo+9@DmnH8*Y=|D%7iUnm=tfY55@_zPZ-6ZRWVu4Fg(6%;r2KCg#1P&Z}blFU@ zFZZrBqZ8_S@}{$Dx9(uY8z`J)%Zh8-E1lOtq%@o!j%gF5z`99JL|~&-)|~jdDb|m4 z%u8q84xf(-aXJSKH5_J6+qbFh`{3cp(JOwpey@^mq)5=GJSbF{#+g&ezlV_n=@{3j z|W&!>aSp=9(cT29X|x$1&5yq$Wk8dJ>scWBl}gN zNlevErn2d#p7p5O$gHlu5=Af@Tm13h5EA*SJKB^XmTJ}Ds}M^fscw>#Yv6VZHm>o^ zsLY8A9xpZqWss(fz#KRalGp{S4-_dPrJ;edB$jExi}q$7$VirPaYiK4nmQOW80k~86B z4;m?W&TjJeK%7}&BOVHtt#XW^u6-}() ze!UpATKlpYi&bc**4fZeu?i|yLB%Rgy8(uF4Y(Ig2pY-E3Yjy}O^C95G9Vc%-5_4I zMr6T^%iI8?ZjxJvZXXA;@#Spx8wayYYx6<14J*|#?br1&b4YE{&Au5;D|6esnQ7lZ zYi${PlvXYCUh)AXQ6edA)Bv}Vw^0f5zSE7h(-&|bWzK+p<>f;?Fdj_Sc4o?H`&f8P z9b1uzv^mn|NSkX-n+pw`2bkT|hBgOCXv||vF9Wu{X55uFu{}DcWlv?UZjSXsg=1=K z{djnL32(pmILiW+na{7w$wPEGBQjUH-nw@UZ@>~$L8vzNE+FX=DOzF=n^!WOB-Z;F zV%2lpGE_39#9rI-z@dhAaP}R1P^SoOU)Hs5L{qMHY!GPLaIIrLgn4wWi@=2W0$l4U z>qoA2GRDXlBV+97+!G@kQ00UZ0_iwdkyn$u2U6A!P=Rx*47du_sbYqL%7nF>#9Jw# zl!(&FY&oMEC=QKTwGQjbyS(+GOB@Yq5cVi6i?0F$XfL}^EQ}bcwX)Dv0!akbO@eBo zdcD=&_kl8mv_3CIl}M5qB|MUp!bYm_f9Zni!j%Iesn$rUS}2L8PMfCQ&OSY1DSppV z>GkUc^BxiUAx9vIbuYAGzAu2NOjhq)1GC%5JBRI@t$DJMb9(0tEFnNV z_ofpHt{ z?5q_gJPRICydEfxZP;bZ)NRLmo(|xONYbEm=cM@ 
zb{%Ly4CSo_Z*y+m+9_@sD$$2(w++SD*9Q%hp7w6zdv{~|Nq*4g^)Gq9$|m2g59f?VJdi!lDeEGu$3OaJLZ`*?^Tp0JFyH++3KMh*D z7PjrZ!hC<^B62|F?6)Fo=eT94+@%OVz350cB2Q=cs+YeJxjSFeCMT3D$0T|kUCzSL z_aMTU!TsMuC(1&;+2b}jdt6x-OsSt{z236IvCJ6m1}ZS4 zWW<%B3)frTolh>$FGrL<-V#MsOC_;XH(AOwpfl-MDKcbcse2r?VkxaLxj<2FOXqTDu}QImy^t%4lq! z6GW*y$!?Gn1@GD;rwVB#a_S~I=?1Ql+E`Fc=k+_4FdnP8VUBRjArJ69*Qu5+l3Kd7 zY2;PPCQ;Q1Qq}$?$6Rtwxy43$M#n0UI^?`RYq1kyi6jAO;F%1dPsI#`qmfUc_*f%L zNCn8K02vh^qXJ}!1r=O!0>5M0S=qvQ06Y7Tq8^eOwey9xNUkL3rZku$@r`jO)@{b=_&K+T82^aQVdoX;(67K6;ix~qX$or zg_D6w!B8ofT45x5>Lxvfbb4}HdL6Slwa80PDAbe{5o2N_d~xsq9VYJ~(s$h{mqLDuHjYBZ!qeOdHWBaB2(oenbkiKOM>Y3PCcU|p040SIGB<8Noeo!FMiz->X&AsvAXn^mO-VYul{Od83;sMQ5T|$lRsqB8*hA6djKr zg6m8vI=TnkVkx@k0!iMRZaSBfQ^WE0o59m9Z<&Gz80BLr-&m#~bfruIkyBgbR4I)_ zPTeFY+rT~GQW|XDTfikVS%W1CgkMpUkVH*HOz{oWqnapZ1-lKRo5P@M$VE7|xUPB4Ij`GC<>Hwg)O)E31i}u* zv&72;0!1W&K>lJ2Io`=mXe+@#l(&@55D6Qk|HXWG8%!YVBPbG2U3GXl*6pmddv0B3 za-oW?O!m}(16ffF?-sToKc?LxMFdBmbB8zY)Zlr@dt5;N^!LY^yr;i@KbpgP@f`2q z+Ebc64zX7=ukv3iiuGU@DVSJYUv!D=jk@vt#?7!ub?rK@T^ygszKt0QO3w5w6b~I| zt()0|dm-$z_ckHJzaO{Q9Iz_!43CI;_wF!1zv-v@n}7fQ&CSi7Vjhv7Wms2H zUS3d8pnmJkG3!`QVabJMf41MHc(x%1Q08YONYs!O}Ox)_DDlaC#x z-?JxC%D~t-@xuq{N~3=##ZSXfU79E!`w) zjc+Ap+fQhx9ug{9&3sm~W$V_T;(xyIL|gWjX&u5o*@;={QUmx`HW!GC}4jY>px3%RDD}M^5>cmbAmif@12vE9s(OgL~_~}y@ z7niZ|aWhlXqN1Y4@85HbeX6u1)US*)aWy{0tE#FB-}XErLh{6k3onihF7&#$x_!lD zWk0o)?$S`K z{QUf@tE=}PJcx{p^ht<`@wl)rQ(OMgcFwp@52z~3%QsU|WsT3TE%a{Nwy`u6?K6x! 
zEiJov@gmu-4^tH^r6Cv~GBPs$IFX}Ajel!w*|xFLyU~+lqSo^C&r@x$uKciyGQSO-&v$JJufjAv`K7)!_Kaja8f6gGuk+wLRa)B$)2W zDsCye(wvx-Wb)_rR(kGDn>Gy$4jPvTGvK$gb8|bWsc&hX*RNL7cJ%aSWn+tWTmCJ0 z<2}u#J9qBbq;SQF^}1YP{_d;SSz21!-M#k0FluUH!H{J3^Xc+UKhT2F;$Eb~kl8p<*`T6(Z3Tw;hZECU| zYs=u5Y{R37evLWxz}skX^5>yLhdwwjaL2i?jp~>RGPZ`lcyZzRk$XEj+uIRlHgDQQ z^Q53)DaWMMA!=b}CPKudWqR-{#?Vpqv*qNEQ=y_mgM%5N3_dd9nnLTkvd8tSf|#@& zbi4Ach_hAu17FIxYd^m^Tp#P><5Nw~H)N7$)>)yw{HJh2JU}z+c1@JDa|e6tF{}=L zZMCQ$&1yO#Vq&|tZ|4^h%1ck5oSQT7Q3%bSpC9jJXJ;qwrlaF}Dq+?*QzxTL#JZBI z^{Ps7MsBfjETt|;SVPhVvr!(5#w3A(`iu5(qQA1c0?a_v{ zFE72AjQ>2+YmBIK+ zroq>?1$piR2L}Fh7j~HMBoI8FnV4v4s;GQ?D*PCO>dV0A5Y=1kD!EPFZDY+|^fk@l z3=?-bIr6$0nf1l}5mR{T_V#w7zJb9t4GpK!mK1*$F}f!a5iAjY<(b4J z>Khw7;+NPsSfN}Uh4w;qGyI)RZEX%4>uZyfmRuV7ma*p|5R^;?l@<}txw2&r9a41p z;E+RPqxEN(eqU7d@`KY<-)SxhEI}Lkv>S!bhL*mD3E7Xf_&1Asm*qG*I?Blwxhz?S zsx|j_Jbbu`D>E+-^Yvk&$1fm&JMK#`5B((tg-1?WnrdoHbaZmW2b4Q5@9fJl{nGI2 zOnb-L`pN{7_wB;s?Ch&9(V6>ya%?P8t;~G9M?oCu>%&kzyMLcNHvGPtFH<}Dg$oxf zy7E8GtYXWwuVh+?m>zqUdeUt*-_mI7*9PVUSL{1e!Dke=orAqGQwhbJvyCw3R;HX!=)8 z#QOR=2EX)%Dpu}9M^2K8eUjAC&vJDZC2P5vnWRtr{P|NUOz9FC={{Vz#QS7{6E-5KF zx3x^OZ(^dZaYi%Ow7tmjI4#y&ZF%|W2v-TWRR>WTIyyQwwwga}NNFQ2DV+1zH zb2m{@4gLDn(b3_XN7NS_kBGHe>PS-x7ASCD__H|GuN)<{1i(Q&b0+IXf$rx=BO`Y% zuxv-hx}f30Q+#vgSIv_rPt5o<1QVv2(BRa9f66seg~8-57#Q zYg+-C$u&2(;_2r%3hfZxG#xV&ue^PiSE5Mm*{8Fy%%tS_&bC07h&0J2X5JMm??p#X z-<;Qppqgjej$j`e9NhowSIfY(NbUhq(Rl>KwbhxriJlKi#N;5g2-oU&M|={lyuBD9 zW`PL~bYB_I!<7VXyca%r(DU>FdG1GFUtj#vZlY)H+l%9-Qb{bjZ7hd4H2S8er!n+W zQc^Cit{;kuzSY!>j*L)m+xEG%l$x5_yQ;P})uOlf0o5+mcJeX*-PE3o)8%5_FOC~> zad8Q17l{L`&W*Nib3PM)kjuun_c1Qw%dfL?*Esbc^0)n;E>14Ss*?_r9vYcf0May4 z=BxniOkG@x3JWo#-O7;?r-`+-wLl^#Po6|LFWFdMnf&>g!+mvXWMl;4Ykt4A4PZ=H zcXwU1Oo{a%X`NtsMoBp~mX#gg=Rg0oLReTh{T`M~TpU+u*V~V!rF~g-CnJz(e}8|w zvM@0LIB8~@ZJ6z`O5Cgzuzt{ zE+Q0Sn`K!mb7l!XmvXd5{1DR0r(tE40;JBJigua)QnEH~(O1)%fh@)*dHvCP$;O(+ z`SaU5xg#a+BBy=*@wzjs`#;w;HN!$fPZNnWPYMfHfPcy~8@sgnOx~>)_kC@(=HwDU zUbMHfD+Xf6sIt(~PDO95dU>-uj~)GKf}Q74JeiV`b^}P~`BA->k&!huHO{lcM-8fX 
z$L_j^We1FE@X>>ek&zJtsrGxFKH7)|G3fDK9UNwesP^hgYxku3l|wO1$F3DCYgmU8w4)lNrb{+?qm#TB0Z#Ps`Rju}n9hu81E-pSSVBGJj zXWC=l{eCkg<(t>9n_F7mouBM+o=E(bpruo2H{QX$%O^cO{aLOd(5Pw8;-Z6YeAUTo zi3$RT4(*Y&OGc@NAo1bD8p4vFuW!@aBCGxifRG8qBm)Bx%O4++z_#X1`mt*8+o@gB z(W#qR4LNk>Y-0BN)Kqii=;ZM7ni>HSk!!Ik!Ue?#4;}<~NiK?DyPcA6asGqX?Vnp{ zNyQJB$vZjyrN4L`*?KhF`1|#Z9M|PpMPV|@zg-QoP8w7;dNqh5pQ=*kkQj3)%`EXyJN zdviNYE9ni7qq17tNN-dStOQ8^GE@AY`@s1f-2@}Pfc}TNQA3_bnJd!gKjR7tge48a zVzk8>{Cuo@N-8khKiP`a%azKEb5o9Z5P=~3rY&dtl14$F_)eX(vOH~^4=J{yp5KWZ z+?RkS((_oU7@)qlWtg#XqtEgI_oJhab+@xvUjO=)e){jj?K9Ts>3vN4kn@fhY2#?p zgGGLKp!;Rn%S`YP59ps{qa%F$@$mkpsWO2PlR;`V^?CuK1&L9pYPHj164D;Srj?VE z)6;tu+eyCfl2qOP7Aiu}7XKmrvK;G!Pkk5u7TtMy3kwUq@9!p63tzi-O;=YJ=X(+IV(Dfyr`-=I~exx z(A+(f6Kf(0JTxE42p(OWsUjMwsj0!-7cz5lq>+cOUcG8%l`)-!u)j8**9!z-nDFbU zUd3b1IOK)y0vj)Hx5b}Sq9=uf0=;)rmp|Em#@lFixS>Yi)0Z!YesJ2`FW4C!H+EHf zbMY7X=cncNbOeu`a{VXvSfywge@pfB^h9teOi1u1{V{-D`y#e>Sy>qhp-x~*XJ?C^ zBK7BksFgX6-1K<;+8|8u#-p8V%P5;oULF(_1Y#&hghn9${8#=z`v(smL}=Ea@-Ox3aa%D<$&IY# zH~k`$C{Lgw5UjoOTb>`TtE$S%$y&{LDrMtg;F$PzHKoH>Xzc%|_ z*=KmT;T1x4iTlQS+-X067cDI8spP-b2HR+)EDP!QnKRaMo@=lLjf5sOUCx8jrcb|LrWSo!6g zI(%v5Gufcbsh*DOQTGnp5eRH@t|<+T&u@T^i1hLKg3vKOHkNDNJ@WgvA`wAH!g)S9 zG!zNmRRqa1BxE<2M$R1uT7=F(5?!Hn;|3`+rj@KaElm&hWzk%6b6ZE%+~YD+v+LyI zO(ZI!?T?RSgSTx*;(s#hiBJM3@+e0Y0nAxiPU6`eqw4DF46Rbm(vs7n2<31cuJC8+ zo7l{yqSMKB?A9_7quOpJ_l4gY&aim#6Ma=BnJ_FBiD<)vd9fCud2mOro- zCb|lOkpfZ`!i03V;}8f@hv`-~Ha3Qbhhwychlf#V9Fvd;_vRN6K?blB&YnriAGq@i#UyGD?jEQKnsBJy-__-fiETAw!~Scu{W4$V3a5=hzI@ zUQkwUwR=U#rs3&WdjZ7lYVp zDRiPe%WxN)#B86R5H-E{i4$8n+(QrBO(7b@X!Z^1%N45@3*TYDegBs+zCkM z@#DveHL1`k^sG$2R17*NxAT_=@|ALN@@zSI` zTLAGQ_4|;53Q#k#2|VARR7P3M{gy@JAz+YoxF5*5KiJZo^owYh!CG3naLQ&(hP;QSR6)Y~CdvyTfcr?iNxzI8U%K zQovoPbdWc(OjH%CZyOjyid)^^0i>wId)mkxscYEhm(vMdYIgn8`e{4%9DC^ft2XlM zy8ahtuI1&?G{-0`CFQechg;L45#t^_kjE~0b0NYZO6Y%^H;@#ENg{y(Eu4!{gn|bA&D+rZcBqq zq6VinQ-zbiV=){(O*w_8;-8)qa@L=+%Tm=ZSS=meTylaQ&fw6HNq=#Ls z;`Lv?{6-KY3L{jTn3!<+VzL4Q0dP@Et)M3Ju4->rFVLhIT-Nxf2=K8Wb2&v$kZy3e 
zs8Fn$8gzrAyHto^_DRASGt!f57UAi68ao!50&JLS^7Rbk?{ARjus6fKU%q_F%F4Pv z6TQK&o;gq-E04Ws=vwUiZ5q3$qOvj~JY4X4`VZU>s*bB}y>~}jcCd(!k&=tc;w0#g zaFZTy+WncCnfLGCN6Bfmx@g736b49pf!FPN#;wz`vL9s{Ia8t!;al&(h3?lO1w@rIHwPZNa)V%u{zvsQnYw4uY%% zvG&V`y)mOu>1M~Jk)$+S4V93070L=`oy(Ww+&2AXs+Sv;guoJmeNxxdbary0UXU~? zaUq4F@FTi%$oB~8sJ2RgsDC~C-W5`JawYlP{)ocQ?~9AqYs7lTx(oBbZ-Cpna^(sG zwdeFEAQ*&`j^yrgKPIF>@2ax0_yWo#qdBU}Uk6zp&T1ObwDA)NjhxmOZwtj1w^+`HT$3OX%sby@7|3xCo!$qe15b8(}MI>Z27Yke z4^t+BYl_01y1K6E1xl0R;L@}~%h9(I{#TY47j406?SQ5rQV_Ix8)N+I*C^yKMxS)W zVorXWj<>e(UDwd4US^}$DO_G&-gEqRSBZPc7kjcFPZBp1g0|NT=}-M&I-sPVmQg6t zG?RE9kPlRjj}b^X({E5I>L_?7dPU@e)fBfuR@7KeUgVdPrey9&)h>sj1v?_b8}xjb4CcxS4ke8D2s{ z!fv!>9E?hl_29YDH;;XNK~~w?+v^~Op=Mr|^Y!xsBjC+@(OPVRcvVM-gNaG)^5wqq@efDjVD{Ux4?P*S=GF~#!E!~4#rqN z{gjfvZ3ck``aXC-qJj3*A(p*+A0C1v=3Vva)2R<+Kw0`W*REcjloGN%81FhByJ17MsX>IHQt1Lek!x zNG#(^D{35&D|?%ql(cQjmYbY!&Tg*7dve5pfB=0ILMEk%-v~Ir!d$hW7kOik?+6{w(Putqb2-#lwsy*RdCLmG+ z0|MBO-r7W~uA!lDhV&8>70pz`Ryj)qnd!bZ7dEYx9L8s2GP-rwL2mBMuk@1}f02_S!xx0q1k~3kwS;$##?IEvn99)c#x+ zDa9_a|I<{iX!}glmuQTXH`%{y5Mfc&*5(=1i?%_?X z7r*9F5bDnkynLMBvIWfGRq1E9N~%bYxbnJbMhp<}a26n5X4us@#V3O^QX36tICd}} z`3L|~UOqS&rc-P)bTN3FvH3Y@Qts<678Vmw9Buz}IYP(baGiaUZW-#?)Z8qfk(~f( z3^Fn{f!sz;wCntfhwqj=|Lp|;Z)W{NFw>4avLfeJwpQ`{j{0VD$Cp&$oSEvxz78-P zeskCItoju~!@&Q=y?W&X@_q%l`k!Yve+y)kR=j-pYn79;bCPWj|H;9@uVICEN9W7v zl_$dkR)vZe?+e7gdGly!341V82Ka?{6*tK_mGgaloInt!JHfNDG0K%{cvF}iwbY?2 zZ-!THfbJ0Ll(QS>`?^EB3JX=*?tZCjqP1tGv#2p7WfTs=wtV_qE1#w|wYHXEPY{JM z2zEn^z%(zsy}fa%TFfCrK(!F67d)k-g9FCXm%kk;uDyL}d2TfMIDM=Vy=qlb5zUiB z?E$rQbxe$3XI8O)Z`VboWYPeNLKz3PDlL^`^r6FIzJb`_V}wA9C@42XS(6gE*hxkh zW)76{mjYT-(L8A`Vd0VbZ0m(P*89J{54!QfN!KHu8teM1x7H$_Df{WAiX8D>!iisM zxJKpd4EFYGd}hp~U{+PCn;fsGXQ>Dx<`SHJ`W@Lzj3~0tCPnMSBq_hJrm!tM|B_0U z1@Zl-xH+!>$b5?jyA>;~v75c^k6VZ5jnE$*^J{}vyMu^`E7DhH} za&x94$c`hn^n{rGjSd(8GzIvR-ME~}eQ)RK*VJ*%r)fw0nw#UmyKE;1+v9QjXXk!` zhpmwm&;Ha^X?V`p{6ts#L;hARN1JsH-RQ7OI*I=8Svve=&S;HHgb=P@h2Z^UD;Sr z4iXD7BoNM0jhOf|j+h)&khbrPGfn-;=>e|@>65ZaiH7=Dn%7$oKFJU67k8;^pfbJo 
zAKxu7%ouPGgqbAxFo8!j>HQy>&f=H#z=>LXYWel|%{e_xs1j~c_CE-wJWCA&iDNx8 zU2K^u$83h;)YbDx_EI{g^4sbsq={%$rQRcrAnCF)I(P=T1>D%*$8<^2;w+?m?}>K_ zvVTaNoba}LC;u6$S36IoPRsm`}h9( zGw#~pMIS6{yz(5=pgJ&Zl#wfQcYEb!$&U(@gnGWFR`Ro9P6^dBMdwW8PrmuGC-$xi z2KL`z=G_+~%E!+uy1Og-$;ema&=HDaX>!6@uL_%EQLp&a+DzC^ z1;@TScgV~pG{;&>)bc8YhwWKWb&p{E;7QgSgcG!VYN1zBCJj3+*eLF9$svT*rd0u&xjlz9?c5GnZB;_LT4qp z1U#g?nHYX%C-5YI5H^q~2_~!iWkw4!bJmLx6WS74rLmTA*-=uUE`B7~xR-F~B~^Sq zB?Fx)9f4W3aFEvW*Cih7iwf>r2u^P^zN?$@_R@1tv)<4p6lk)Q-rY>NYGk89Ga*Wr zla=zust|=GU;LBp`npQo7n{}iW(k#a1lgpVxNUm}WvnP$7_j70g3o2E{C2;*e5LYw zquOfxA(y&SnW}k{o9PJI@vg6vt3xD8XluNU|A`h_Mv@_R!@K@95!h#68gy%~@oX+; z+mp*qFxqO|Y8Qimu}%ZJHziW~v52OYPN%PHe5VHa9<~GG@5p4i4rqS&Jg#rEK5=Qr z+r)tMv7BYrx1aM><6Tr&Uq2K5sB*yJs#3Zlp?)V#>p6N7<;AvI^~Wfra4K#?`loME z6W5j>1j5yql4|rZQ@^cE(zAkq%J9PfJR9&JeTxjn_QSXord zh#2|xcAHZ8UYK=f+(Yb>-JF!hCSI>rP_H_mtV*7=7Of$u>S#yP`lWsc+%*)KEM z!kesa29w)b@`vxfbJnO{Vmn8g6p5;q)IS8 zNm!35ZZXnL%gOpRN+UdAk`b8g^=dES0C}B35L@n7l4fDVSZVe2LlGIlRv5(vVi%u_ z9!0lY>TZIpM{w+UPMG(M7*oyu6+)La3QDz23@?ukedYa`KuPduA+ZAc?!G`zowH?Pq9i8Wvsni1Y}3!*C#fr-S1ERaAeOwMj#@2+CYd<-hZae zWPI%BE)Id()>|CLyUvKf8@IFY{yuEHu^hXW5iX^%{o{(03D0iApee!s#O9du*0~&O z&uuCERYqd}N`G40Vi-2Lu+h(>ezA?&AjQeO|IT;_3mB!@zX6ey8U7zK6z?!2yX-!4 z4lx4ZbK~@Z$M96fY!1=W+OEg^nYqGpWqYt)tiTAiXQD{Gz|Ogx8u}<5q+rU}!NIL{ zEEEJTAA&>jBr5iYt~U@4!mSXvJah>EoOYoI&DU&yJ@R6>j?rO^MQ-N z+3>e-c@}~|7JyTPW_>q*6`F}PYuL+|$)64I-5#}5QfWu~;Z)WC*xY;<0sw3am4O_A zzP{iiMQ!~)E*d*dfYd%q)u$134}vDN1SSRs+9z_c;*Qh$!NI5~4{&qOPxSUyR8+t_ z3J-tymZLN`h^AqH8FuyWuvsXx_HVse{ppIqMrvhP| z8UmFxJu^e9p<%81-Pb2agwX{$3`7>wp-}Qe-+xgFAt>(dA1hJS6Sp|eXVN7lEnWBW z#Qs%dL&JsNZ=)3y6zCdIRN_kHq9;)%egAF)5&*P1FngiDe@$Mm8w(Q?947N9P3bPd zqzAJB_zc5&sLMN9^W8VrL4)WU8fN9^f{g;FXL|qC1IoL<8$G?>B_-Xsal>;Dhy#;5 zcfgVf@bmwwi{AKlylzs81GMUW4Fc_!OfrIgC3By~oVRNK>$8JCpYv@Mwa%VB>*TZy zVTI@X^Pm?mmYS|8Ux4Tj%DGxnP*O6&8(xayrC%)c^z@=I`L;AQg?Jz4<5Rb8g%z{E z!XIY3y(eA7X){nXpI%AZjj1wHj(C2dXD;V3L)ohQUc;*|wu_zoDraOg3@yrsL^O>! 
zpTNL@JVIHHX*ST+{fQgsbzSJ5owa3bttczg!sNq-LShJvjJ$n)|Isp*JD}}MzYf!0 z28Y<;8Y%n!FJ_Xo_BRRLe`)-)I>SgqN^J+#at178Tv(hW`m|aJti#gM($=k8TT^dn z!bJe~9d1)NT8+8jZRmtW3Pn(BvN}B*+ZuRN?P8Y`qN2~dK@>63(5Pr@7elFsRFJo^ z7kl4BG<)m3zGLt6lkfB{S#67vSFr4T9={jCqpwX-^Y)TPsBp^8Fn<0W>Y4=Ob1+Rz zO=aZe7As%HrSF=ww0U2K_S;?=GE)?3;_c%y7AtwUSej zVxI_$sHvru)e9-dY0qs;@Mb)F{@m#H?fKGeLR;uTJO7(g+}aPR!|>a4D=0OLAJ{Hp z+h*?1auN8wbZdWz`970vZ2q%Zv9QvdfaV826FzQnlI`1aPn%Rbin7&!8yz!8!5g%OT>13XAmu}p+K%}7Bc{OU^;luAx zQ-Y!bAv*^3z+6}N6!9O@COD+GRmH5HL(xDUj5)+c2-s~T59c0H)9ditL!AOuU}R`mSurE!{ZetWogHRB_P3q|AaKTD65GiS&oRadjx*FxTcU5<{YfZQa^b43O5jAHf zC-V`yK=*j_a&tfOhO&)UTjTtnZb{?D1N8L4j~-E)^{^ST6A106idDB?&ZVQ>vqycg zzSE+lMj;ARCxRA8>)9g~%k!NUfy_rsySk*r#PZ;(I(jq%0ZtTpQ%?^>m)kZent1{J z`6PzD0V`iTU=(XoPj7$S3>ZMx%E6%_`b%0`FX58S$;pAP22J+;-O=q?zm^XanhryB z^d3goTw#X;D*AdbVj&(eIym^s_3OifgL7b>UcY|*`xUV3P2P$Y_Y_v22}1n+?2ypV zyM1L_MWw*J#O^+I+S=M0@ljtt9=6$pORvDcNJ2LO;|8tdsHkXeaj{$N%M%b?c;etY zz#iamTfFBDDro^O9jqiIzP7fuO_Y>$4KRvTKHl>kt^lZtrucJCPTl&LQ;47@X(Hyk z9@RX$Bmes2tAc~@XTTz4tkr=Gp*idGxsskBYZuSnTFtB0;rr&@xBH_;Hq~EAulDq_ zf=5I}?eHCc8xKHkYN)Hb&NZuH95Dm|etw!ccbZ?Gu%X<^+Lol2Msk^_rEp36)M-8P@Xyv6 zL|aH9T#!~6-&y-4{B^5VAb~(~g6O#P(~AQ(LAcCakavoTq;Ma)Td6&{5E}OH?+39( z?RmdOa8rxI=k#`!-~WmvAab@uGBG54`MeWh{*` zU#Ns_}`c??Whpt$&BgQI8zy3(HXs~cZ_*8Ewx2z zGP(Kx&L#Mmo!bCFL7w>O(=$`C=KcR!;Psb)g5Zl(d8BZl|1-7?CLZ8{Uv+3{83!is>dv}FaIT~T>?(}d8 zh-1`3J!uV=HMn(qyf7HChQl@F#ft)9K|@1B(P^ML zfG$`(^xUcYJLS9@8o^uxiF6I=rASio0>BL@3F2L=#BB|FJ8?HXy*v^1 zPBe5Y4Gj%b)3JQ3e&EH^M3}rD!KKE+5)&w%_)ntvPe@1I=QO?{6~Ysmbe=xFtgcQP zy!jC%tzP#HS5c|k-=1T24;NjtKJbc{aSgm|Re*M%hSn~RqeqXvka1s!&WiK|zjRob z8Zu!}!TAdpaxycQ;pr(^`V|2Ykfawic8bzPJt&t;$dzGC%FF~PIVL7128$98Pi0HX zGk=TJvitt(ADr&qxihjfGXw~kVb+<8-Gwm}%`MxK-c3tS|GAcKe53vt3Zp}2rApnE zIr$IrAHXc^b>y4X%d=tGKp;ph!0ZNv*-4vmiGSSQKErT=gI0u{@gG4uC0ukTKl|P=)ItBeW{Gya8sdVJNo!-3VD+nFy28BP|r@gcskrbDJz&1w1yDS5(~D zm=POI_(_5Z^W%DYhYue-W_lr#8%Dc|9zA+V#)M+|zSCjS 
zdbHB=`=T>lo9qu7a!@v#}W4YYadZ3Kd7@a`yJp$#T)i!S#Rt~CC-hp4>oP*rR7BTJw1oM+($3w+$%3MW3dYUL`QxYDLi^b_b(;BxjF za#X$RL5ivZx6(l=tu-vJb>dT5Ld>@%TiXP<^6jrCQw0gX=mi>arN z1_u>hdwcZu$Uc^W=5%|+vo&Lz^&wb0bjAFKr!FZ=bUeD|SoQANQF_Vep7P<@wcXTh zEO%dycS)plN6`TtO6&6``X*d~N-CJcMj zyQjn(2UE+bY%|L+tb-0q!`0{5Q&~AQ`};fA)|H)eswo;GR(-^|JvvZ%b=;N=emA~` zpl4q4E7!kPjWPNpX;CS$kvp9>+P}^zFScpGzub`+ufmJU-p2^hznY$S`ZRRo_l1Q* znz_ljxzGIJ!#C8>=zzq&wz}F;@X4$pRu#k-MI*PcTye|Is}j?~rg{Sb-AQHZOu2{e zSiXR%1kSjSkPw(@g*39g{e}M~jj`6WUbrwJio+s_QVW&v6;)M6divuqgus9cBsmgK zHsXB7y->mH--D>L;LmB0wBzSfpB>E#BUW_xHQpe)2n*Yy00RI*4cMz_a9eXi@094Cx)~-xEgH8s@IQ0H>xa7P2A_J|7gG3Pi*(Vn|TXz7TtuKE1r* z?sbTYmbiOIbMKo#X|8rG6N2jz7gvF&Pc%v&k-O&GPq5QUJ51gL^I&@Z^y$sCFP=aD z7A>=Z&NL|f)SjhZzw*IoguKKS9$%8iDxstP&!*)eUR{=SHR)wBp(+V{_aLn}Q?>WT zZWfl#XH`Dkoe#%_QXh=5kyN#(Ty7e-({d|kDnc~twQ7Xe$K~_y-_HnEbKSDsK>@5| zH!`I3+IiE%^qNoKJ37v4KcPp2G*XPHPmrF@A)l(;u}?B?d#sFy?$0v^usn?empd4r zT-DpYndMXZ6!A>YbjR>MXDSYP0zvV~Iah(~oz|xbln-^_pVz0VYY62UJTqo@e)&%% z#nd^?o1*{^E5TYM4nQl0#Bf79I2Uqm7aa++vAq!eO^JK1R|VbIC66{$uyQ1SqWLW# z=zxB^u{O@)Z~wtcj#k{+Hisw7d;p@?_VfSBN&cajMXdklTmV5qbL(R;NqBg8Km^aV znE|eC`3q(@D=PgLa>lSf+WF6kKkk_DLv`?C-LbH!vwE3$$UMN52NqPgaRm<_=0eAt z)%3s@ZXQXizB1VK(Xl+N`)3}Dnq9`t18RpMr*7Z!F=QzIL;7$#v3D6>Zz&N{pZqf`{B zNKZfH@Yj6P4(}GTge@;Esc&d#3F+>c_xxD<_W>7eN~SLS2- z-qY&kNR*wqW@E3hFFm}Tp_qhW^l+x@ik+?lC_bq=4jH$XHEt{OW>G_+7G;TOgM0H+ z6;$^D;wp8m_Gvcqvl?g5Zeda3-3_-AQ5d!5&*p>#UetbQ6+mMP+GR4I{7=rW6|wyN zEK&}WXixzw`R5-exPt1nYizE=sOpTY73Td1pPXUWb?0h;UOy7j-}-A`YBQtn`1XY2 z;*)}csqyh;;Gh3?uim+{mzkLvFm?Ctt1#I-eLCG?l12*_MI8;y7+?^dJGw`9q9i*2 z8uWBFB3E+d12{OTb>5%}yKCSv94+xJNo*{MD!jAZW50gvhlnhR(-$0#7dku4!z82_ zl~h2=?A`kwPxIr)kFG8)c%8XA@~!l6`hkK%#m~=PB<~e$-@)F+YxA8Ts=$3b^72Bl z8iF>6(+&;}y1KEtt#SQZcI;q7=`NitXf$Vyh63+lQ01g}RJ=UG7nuV}Y+&nJ>&P~` z6U)JWQSzrhi9B(jwYRf~@{5VtV>)5(%FfE#&lNR+Aq#^)HV4SX zii)w0oKeK=@e)BcQo}W=a&f>cr)XE9j}sOy5Dy?x3*9%|x^pgScC7wDTzgtNB_)*8 z6hm|D+*`%jlC4(WW$MJ`u_2``IR`y+ zeEY>Y{XXwaED_(D!SqiL11x|aosJ)j17!h93YeBd+;Sfe&zV>i6j$gGDX*+#$$ov) 
zbdq5UiCB4_b}*5fzgaBg+-gd2%Q;JXW_nZYdb*tq2y3)50$FMYHFWsGOnlC5*6tiN zKlnU>a`^c_tTUaziJ}wRes340`fIj)HT=MC1dmU~!RA4?TvMo38}AIO8oir+gX6J= z+w$&RwqyELaR1{|BIwxxD+U5@#KsJvS0j7ti}@3Fk+>%_OQ;)Jj0)`?$wRL8-%jr)Rgue8ByXy01|T5aXv=yJ0~7=!JF= z!N)@U{QA2j+z{l}=krQ3p5O=x?~;;|>e4inG=tR)Tq6K$+JMZ2c!h`rW%j#Usvq)R z`7lIw$7Z{4xEdkS(%v4ySH@3uGmKeyjnHokhO;fEU~?+67O-! zD(UvztWsp9Kfb;#AxPsc?73J<7Q=wOafT@EG^@f+V(B4;h>nenIQ?!sC^|MUP(}$t z99H?R0djTM6fj%xq$jIqJ=(q}F6|8k!Q+52eZ&{>R0eOUHdX!jiqmAWd{D|r$16ZQ z+82i&FSFZQ(Lmks3T>NWIG<%~Vq#)!>^u=|D(*OWgC~URp{M88qgE@j8>HO2|LwAd zSwipggVyS$H?#;6phgErM>{e5Ogb)4NK{77SmwVPVYAZH|3w{CJ=sq|PVO{6wuH8< z(Sk3?!z>+8z%{ix?(g0C?FIc zd33ZZ>NEMzm;8S%V{c;17}2DM<_JSQv)V7Xj07X=IBBDL$&;=D?pT=Qm%>&5|LkG> ze|?D{9j&ictd&+!yhk5}D#l9xeIj%w>RoruzpKyKnrj6~7`t#;gK64IsxIqbbpTau1BirH^;x``(+U)6G|uN-GvAR(eJ zWbb)dAM#ys!r|NHH096>*@Q@CkOaIog#t`Cv@Uc zQ$u(|C)Jhcn^0*=t8f5K`V;ib@x)<$SzmBm8VuW!evb70mm7UMtIp3gg|t}Ry*oEK zxri?3Kn@vp28Ka676%6p7IlEG#yKT59yM2f4h%Gb1V?iVh+4d$A+Sr>R-wh)F&v*N zo~}m0%nd=N9me`;C9t&U>nV*UQ5Q~ghiOS$*0lqvlyLKW{L?f8d;{9qZ;krj=szG;oUoHS&fM0027bZ)qX+4v8CX^K;2aCkdbJg5e+6&R6H5P8qIekA#)1$* zOX6z(HYQ%k6+Lz=Ga+FZ+B^Kmf0cx$rmKTn-`kCoTJV6I9(kW!{6WEm!w(`R@7%n3 z^QSz(2$Ub9Fhm`kPm}9JL0X2)RP#2jez%{fYAKO!_Lj2W<$<6Fm-|GWy4V>-abA!vjqp~KsOAs zX3+?l{nM2A9hDOE-o59DzzA2|4vC7kK+q8oAoUQS$bFrbmWK0wmg#`h=ouO904C9) z=Z+(cI!Z{%lCUNInpe7cx5P8)oUE)B^iE1kOZylBV35upfsCO8Dt{L05>R~eyKC^l z7Ldv&Q04hZDusnS;J1!>KrM?zW%othn^#5#hb~=?Rk^CBhW2VRG)ExzF^ieMtbcql zQiJsm%+5f`8vr=f`_U0b%fOHWWCoT6BrBT82k|s2FEYT@fg>(~0~d$YpfeAomBw-l zVV}6KVh2(-eCSJwC96iq=rHyO4{pmWvg^2A{y$DT` zwgJKtBwUh2pI9f3WsF_}v@p1WXT?(PDA`XMQ{G@zEfzXDbOqLMk+1@kNt#ROJ!((F zVF=Qb_26?2@7(DCjs?Tki|q#Tl_Z)bCW14jy$w?SQuIL_7a$@shs!}x1m8(&@_n5~ z4poV03qa3xYmjCyI9277O9P~nRCeQ-ujvu6q3Yb?pvk0}3SE|_anQzfb@jo4f&7Ak zoLhcm9<<{2sa5qC0D)erHnpBh+IbJhq5#vbf`AL-S3idCB6MYlx(!x`B1Pl5q#dW@ zeS8$JUvEPzabJHwmMdC#fPK%C2v?psd>VxUqDE33m%c7~t;gKs&tob-u!{{G@5zP+*gNVJ2;q`6OOq7!TdeY1m84R z{6QgrHL**QnKYzE^1fCAv;sQCtFU4KKw_~w<0ung;a;cF6fm1;$|`MXv77wy3ByMm 
znBC|oTuA4wb-vd>aX(qBNtPJoRKCsoTKiQNUfLqs`*Bm3U*&RNdsk6mbiw+aA_IN@ zK?V9gq4h#i6f10MiCo;aJrqf2L8OELgSu zb%2;cxbgh2tFGhZ7K<7|ihb_>=er&~n$NkWOt}6~!_hfCu2}VT>!>49Amo9Czj8sjrI}J?JbY zHW4WJ$Yq9{1VMljZn8NJn0#qMbmaAA2peUKPQ%zJL7#yog%dQ(|ZK@t}cgi()?I&%c>xFdc;eKPCFMo-## z9Je$Zf_DF*@F)Yf{c_&ug@d$-X7~}GmH7AXok|~WMO-{Gr%SNpy=d&QEk>nBH922v zg1?SM2_XijifrGGb1WXsRztx6eC2xRus9iu`Ix;0^9ml1|L<)g_CBO>`k?))0lFv- z#BsvHBRxXBkuU}X-08)0=icQN<>lF*K3%@LG=rw-e1LWI=%C^?#mxN5(*ZjgD^C@9 zF$}a)P*6Gs1w*sEv~&Z~3x;k-4H%l_&SW2j_=CO96CV(Y!KKJpMXy%=U!8q-Jk<^V z{zr?9oHC=*NtvmPq_R30A(SE`H0%+Dk}|53RFtf&A|bLOO2a6!GD4gp5iPR_W&f^^ z?)$m#=l(v=_xJk!`r~=-mvYW$zQ=W4@9XV5Sq`HT-nGW0%nMNl_fgbW;`34eZ=5Ul zD7vt_a(G-g_OSAd(=U?_WBJhG#R`RsZc+V>A!{fqfPbNrQ#ysL7#c1c5TbN29T_Pp z6dK*%-}Ln~%5RX}bP9Z0a7pdk9*^j(FMwLb(0*X+x2LxaQX|%xx1fw6PenkEobKbz zgCSjfV>g|GHVGtJ01LGgGB>z9+8v4*3);bkVHEP2yEw5L8FcgJG1vzTVBT0A4uOkNhJ`X4}i5@ot=>9tP&O`r(bx8$Sh2hMPtJ5{D+x_UJ;w9 z_5ex(&>X<8EjkOzCK3T805n4;iNfHNdJNvpmBLrDvYZ37lUe{|0}X-a!U8_@;#t5iEly2GQ=e;JhpoK+Vm5_5clXs%XOo};-Udc zz<=B0*5cJ_=pDgu`}9bb?^L+SH?yn@pqRSmW}N&O@jNeh5e($2^Y z+q7@2vndD?vHQFIM{^O5 zsRwiIWIV27JnWd@56gnM`I;_K!X~-QiRTf|ai*_9%qMnNRcYIgH|nc+xVcS?)%g~} zDhG`KuaqgEQyX+HzzP~d8hFNVYf;$j^GZrjuWlHH_oRiPVV+G*G>@dwy!rD<*G*^x zxM_giNEHc6W(BX|ufW2PD<*&tV*0G2VH7!I06HQxxd^-kn2JVZLw$NJLQXpErhmk{ zJjd&%8PMOzuC0U6X*MyBR9wvF#3w(P#(!A5GL`fDvU^> zI^nvS_0#el$gEMOgm&>5JHgIh)U53xX$vpsEJ*98Sy7}aL_>}wu1m_`)x5iwmma(Q|jnZ(Sktv{jW6{W*IL=|=L zdCHa>naH@FmFNf|-f{z%gD&BfLmrAsm$x~e5LjVgOJbc>RTzxNd?562?|o;cV6Op` z7;sJj9%*E~%+^`}TYzL@F%!zm`@n0Y2LX>-iqcbz4!6DRRhi*>mm+QoY!08}r+D*a zyg_Qd)Iz__pa-CN7NwK3zd%*-kgiZZ&A(*Hp{G`4+Ca!PyVGcGZM~3+$n4u$dJ#<+ z%&edhQPa@qaeoYiAJqs%Wq5IZLPd@Fw{1H^p=B5q!6X+&bX`>yDc8!~38R6t^VwP+y7=Pm z!2Cm5R`x#NSTxC%)z!m8Loiv?)I84|cY1NlwX`Zp4K{cQ)0Qt9i#$#EE}G@@|B(FL8}T$o%y(0E#Kjko*9r3SiqP{< z{zxt=@;&^3WfWy!^O=!6k8j}%E_#}54VUu%#7qDG;yFO{)^>GNJQHwfI~u^+i-{$fW~Yg^|gZsG=N%K7jrKqrL$-_^Rv#atzIhe`2z)Sf*<~3 z>DJ>;uouH0SR{FQJ*ITxn}KlO{W&4_A`dS_A=)87rn&IHV`P}!F-l7^p#>mhvQS|} 
z{J^Chs?~KFkVQ77znz)#yt&y;g9X}J@9D{tB@%?w^T|tNPsT_cGtmAt6hdqq z9AwYS@qqcb2;T2ON2bX2($YuE0+&*$RA3sYkZ1w%@hiInjjx7BnlOBT(+VDAEkxv7D)^Is`0~X z>X&(;ubKfHArNE(OySI#GqeDlGYT;+)A*bmgXn3%5Q0k?GLd}T6_b}vc6kK7Y=<@G zk2iUN*V#EZaORjg#$!a5M3DM?^PM@>Xr8pC;=^9Af}2h$xy&C8C&Ub$tJ3O5MH;K~lp8S^g3!iCgIO;*?2H!XH6T`}0_%H9i0W2h zOk!uK&WH6hcz3aozoYbEvaNazlm(C7yN@A#!s)BDyc`y-&DD$cthYk4^m+FTsU(&G z;~&U{0qB8)N906q15ES2+^Aa6EZ43cQ8sbtC$MjA3Exd_T6v~Zz;#}fmM+6vgE|w| z$q{4T$|u$_+%x*Q`20LlvUn1XT1)%sij5I_bG%0KcvG*x%edge{VJ?y!IFl>&eKPA zy`8tGr(~_cX%Yuy4HUJ-&u-skDcRSOGZk#TDLK~rInM&dp7jS0KQ0{2KIZoGXaCmH zvbH$~9zE7vmp2sj>{lMqv1RR+FHLL?V_ljHeLLr*K-ev%qVFetg^f>jcp<@&-6@lf zG(_wQD|;taQy>yF>3Bv({?(4MeWuk>!~{8a6nj}c`|yzgpM!EaXHvNCYCp?7y7;EY(st6)faO|92yH)G@y3eZjqlFI zTjy-xvSuG44~6L9SG0Zh;p1XPNb3Cfc^pa`(k*z)6;cmRo)#wb5*9jqGUow-?zaG< zcV0fe3+K;|^rsE~SVLT2jc5Xb`q)A9zBh6n9_adD(vDsvVmtybSakH=CWrGB+}#_{ z4^l`EOsGa2&(;!|+K-v`@|&NL_Aa+A*q4&WL&nCEO0naL|D!zfFJ$uL`8e1Ga6qeh zPOz}}aoA7>{5sK>KWl7bdcj=;#tvDGnNRC|uT4LK`(?p3o0^If#T!Xq)7$mG07(7% z1z7MDdRu=Js1I{`W>B1&wRr#lg4_CDiSW(LJK77kC(bz4b#xs3QwvbU!7A*{8Q>Z=g=8L<80)RCm`m?^X?W7h>o^K{bPuK(qiBX{0i-`B z(l8(GDHQbx>CJX>0GA_peV`#lg^<(@CjsPTSQ$WeGTSc-bd~ASErXuA?5wm@zr0Ap z{@}?;^V%$Sg0IZHPL&I_F29^zFol-IaFmP2Q3Hw7KAK^L_zZlZOtKIT=5SRbHL9qm z4~$ERUCNUJu5t1;wb%iY>5G>x4ULW(rS64VZ=+kpOWEvxu(=4-!29;5H31ZbU*>$@ zT}*y#!DrE~fJjqUKTlaDCzm@gr)aFk1y#s)8jY-L;P>DC0+|qcT9D|Z&7AJLgT~vy z0L)=ai}Lip6C%Xna;O!(RSeAaQEMXb^VD}R??NBj>Jct$mgAbT} z*FRI5OBjRFCsjlhHB;@zKLErRO@3MrCpbC04QLjYo;5A7SRYg>dTq`-v@L_*0(y|K zkWV9yY;5cu!G9b-vom4d!HXn_ZEM3!Tk&3_g%uRw z-1fZwiz`64@L0O$9+>imh=4?Yh1wKk2jkT8d(5@xRk?zF8UQ6ixMa~C4j~qmj@B)1 zdiW0b2@!zYkb5C6z|J8``mn$71S^$psJ;!Kc~BV=6Jwi!2mmf=O%4EK;8zEsRGZ;v z(22-E$vxsku{?UA-s$_d6w|bm#xXK<^Ns20(~2hYU%)#>NcjASnqk+s^?7=yChCzH zN^=XS=DuD!m0Fm>skTIJof5swwi z#&Vd;#%PUQ#t)dUdtZST*)R0=B81j!Ssv3Xvmq?c6+}w%M#_NP(|q?op}e6*$<+)J5p#iYs?t z=x`mXU_9rKi~jR)@aZcm@RirH@|dq@Z1=MXVA3e*4wV!uziiPYO6YN3LK^I!p_ z%aSd8G$536%F5HJcW$CT>w(`HiMU0)`CeMx{zx7`+tF>8hMEc-6LK)C0>P)&?=f(SlraR(`YA$ 
zhdg6q99#%c?L5o}DENfb9w4#;KAiYg^e|-# zD5!|2=tKKPsI{fRm5}b}!wKqBo9Y8*;XkwzXau|t#X#Z2C9)If>zPXZ60O~qy`KK6 z#+)V}{=Dz=(_dB0EgkNGrkJ^gV-I|(}!?BPtd$?44oY~nyxHGNICretJAzspKRZAqt) z__pU@!r0WNwgAeijT=2aR$Obyy(r(<*a(Fjnt?7%rkUjO_^F|gBej8Fxc`QAhKChS zF^Z-=W~RMMWN<4GrNq~+W#{CK+vIXnz5jYdgfdz^(ZcWPn73lP^ z+;nFqSx{U;qN=X$`e?{Sc??A%Ym?%AllwL%xeHwlJ-D)M5(=9i84DDelmnb43zse|rC%0XqrhF#H~@LY$R zWoTR+?)FXeydR#QhprLyCFn=AN77KBgPVt6Bw{}F_+dR<)rUht~?GG(#o0|XS9i+SB;G$ zDbMTbzTw&dpRTX3H`t0^8&h6OXxPjEn%5Z;JKwRFmOCFJJdCSMe&9rN3CMv=v+&CV zQap~%$8g`i6DTbKmfx-qtC55?hJkm(3T>1eWWwMe?m7@nek>z_);THOh=po?%@>y!**a+-5U{n* zz5um>PC#iu0s^~sy%KbJnvJTQO2^D4)&Si<@a!ylQUJS8aco%yqb<0r_%%ou5Q?y} zWegYcFzbpkR_o*-WGT^-%A{GrhQ0fnf#qlTP{&89b5C8=MUxeg+2~* zQzMKzP9D~?#@j9tF0pZAQ~mNYmqQzWl%W8t-59&|dTZp&vNmtI<<`mzE8VlIoz$L( z1`}IJ_!RX5vG&jlSL4Zb+ie7vW<7BjJ0lZEw>l*CLvZn>lS`I#Q0C>?X(MgQ_(&aS z0chumh8wQPdGC7>3k<>#+iQ`Lo&s?}z{JLp(9h%>i#Z>(t@sxWdwkhH9kF?^p6&^p z7-ANTxlBTxl7%-P=QlGJHzQsX@*dp6XH2YzXqa%au-qeAl?J3bR;oNkNIiOuQa_Pi z0y#MiIC>W~mTS?`Ey#!6H;*<>e8k?D&EUWfGS4CU$}hbfK`p>!T%L!MNYn6KvV_QA zfNDYPe!fxufV!L9(r&FCaEouKsc7)v#DDugYr;X@(T!>TB}&!3sdy4a585QjwQHf5 zOVm!%MhOkP3l5(yz7wrvgVPWi%-;0y^M*mnZ4{X;iHq?m=m0(TNxv8Mh@e3XgB&JyF3HQ53{TvdOvZ`m|&6R|~T9 zubmK-?6)!ZL80Z!;{Q zg+v!8iR;Wn?3#li{i~)1hx@n=FT204#3yQny0=nK6C=7ZHaDryAg0+Pa=fK%Lu{f` zYkIoA!Gl>xoLlVsJ~|ghct~vx?%UEQ;N+?F>htcLow!v^LLAJ*t5SsvOn$l*!j@@o zc1pd7M{(GEL%90U60s*~=W}}R^?nec2Y#vOiRmcqU;T0TskHLG$OH9P z143u4f>jm}s<;{*tOCB4D#Bn_xJd?t&nTV}G!x=>kMNuO$l*-v_60F-@nJhK3F z#~RcLt*vHB26=dH2hstj{8Jm?`YS3DR7{^Hnu7Be=0{u^O{WWNEm2d&I+Xa`m0}p#5D`bBi_&(mCqILT+}WKd=Z2JQWFZZ zU<>j8rKk1*9PDocEX1_!;15oNMYboi%Nb_RPjp=Le9!N6_Dj&)tLp8xo0VJw=kn+! 
z#mB4OX))B< z#h|4Q?8B466PcQ~?ptR|z3cXg(&56Ka%JdO|GhPB8-{uBcQvE^nb$#x$p!tLX?;-z zNX00vY0C}Rm>^egdz@CyU_6Ax2g4;CH4X{Rpwv3^MCuPp@V+P-<=q z2nClA5g`u^h%0jJ%w8a;v+66Hu}9SIQ5Xy2}bNb7zl{0x8HYq za)uy8)xw{0px$?=9`m{2KkCsxG*{>C_vWELFz0C4$c818dK=gvz-98($&=ogEZxf`ng%C6P8z)yxF8B)#b;Eff z3v^_&>0Ic+h9|K3tsoG=z-aZdQh_Qor0x-gBPf6wz?G=Zn(sANg-arp0Qw=RMhwfI z#+B2(XMQglpb7UcW-)<7J`{bsG*|dDT+dN}RY_Qm0x93@Obdn3@*CuffRJ)c`yt%{ z{|h~-Gzk3UzPTOGe^YcPK!8D|34UF1)v7~Kd7|JGF){%VlLkB+9V4C+$d(~iXQe`n z02c8L+86jN904{3U;zjWW@R8lt0i#~B&*t(O%RYmZHDv zc1O2ZrUT0KIDQwF8(UmE{EX7D6yp?n06Y%;pFi`$kH*L-B0QXD`Eqk3qfy9nY^|)I zTY(QuKMb(L2889XFNm}Zf{GeGDn?lr%XxU#(Ek(MxP&oBei*i^@Ss-0h!l>B1u8Gn zg$LcEt+n;i6$ePw3IrIk0{{utGNc&rQiiQ}%mAl24;eR+P%=C&Xcpvg8zvDus_QyS%gR`(P+EFy z!AV6>Iss`Rqr+qZ(}+I?2QLN&zV3EM$&HE^%kjJ**1{^DU=TXy=1LG?Zr=+2(igjG zu*ye2R$;M_P*#%zWax=xIeTOMc?$G|y4h2HhtN-c{`3h#U2#!STRd>+h0)`n27$S& z5sWQzcR~%p{_%J1Nd>eS!|>a7sN&cwE8uqVRP&S;6e3V>OR(gH}C%ZZ{1a}<+UG@(5HRXCMbURl{9i}CGE z_I4JCpV7UO<^*8USg6p-Cv9?Qdz?pE1(|LZ1KMk?x(;JlX5SKpd~Az2#){gXoX9#N zDmXSGf2(rz{^_Xux2+z^S~EVBwSvh4zL3-n{gckAm0P#AdTMp=LZNlXBI|k;C!K;e zjuiA#62R_~bT3*pMeym=(nPJ$VJ~kCXjo*CZ37w|a(vxB+pDIfODv*It4eQe%fg1| zD6=K*6+Rf$+;L=Jy3qT=n?zZ^Wl?c2(CAbEQN~LlBP$CBf55}oP$$l@d9Ae@rY}~} zQy`4SRQ0W?goFe@r6m=m1zsadXemuSKsiG~me})9)lQxq14s{e6~p+U5fRPMIEu8+ z^;-hZvD!#!Vf4f+SFQw8#zJ<(hC)%P*pwHYa`$c(wn^01%2$(XAxQuS4&2~OQ){U! zR~9F?T@e4RL_9d3!RByr5!+3@ioy-{KY_9c*N+pH z#vocj;Gu<$UPDK(e2((GyxbOmBdFd6Q#4aG(NpdEUjf6?DS#uOdfJqJ>_2FSG#j0^ z#xK)}SWE7iLO()|^r3z8Lgfm2)8`P6lQ{{dKrn z9N`1d7$hr4^kO0wO{g1YW}u*PlV(51h|~z|b+lGuUooME9~pu=!405Z-eYPiz|Ec5 z9NKr?=1EER?H>sBjxmbg=Ti2 zp26`$FMj2HbTp@Iy2SK6WUU_5(@+GH9xjNr@$vCkO#>(|9mXEeuQqU6lX*l)`6+hi zL9ek!Cn6V&9O4F&w1*%<_imV-q2r3Lx5G#_4?n*cJ@`nn&mRr%3pBhp-?(*$+1N*y zuXrX+R9r?sUE99h?An9ZdRC9;I)`L!6v+M8J2n~~<6?M!RB8eP12m%rHWlr4mU`%=wo`LJ-g!2`xzS@{bfq#;ah&v~}< zHG}pjY*{ZO>5a-9>$~q2EJvz71vQz+-})w7GFNeY>3&C77KGMuaXNH(jH4 zAmUJ5@h7E0#qx_3zhfk^C{uR(BU8LIdOQhZ6`))N`Q|+@xxUjSwHTGvFh#mT(o`Bi`d!2L_k--$A1MEmm4G?(Br{) z{53{AFQad@2iO|Jo2r{tzWGy5! 
z?@d8?`r8L-V2Tm|+x#wYL^hQ*ZFP|<9=k2s_GxTjJt=+kMWZoS++wL7!44TR$?V2h z=kDE9I)*eeo)klj9RuetoHT?GgJ|OI!7dGtqoqcegFqclTCKVEvWLsqPq|->e=zv_ zYD!Z5WigU8G*l{i^MQ5!((H>93lzdZD*`k{g@NcTShbMUq%K|h7F8b=XD!j@a)!?OAteX20Mii78x0tn=1!BVD|{{ zc1T2Y8ewo!W;rvy4{8!Hq5?*z0Y{^9z_9PGZ=TteyPbAgh>CB`{z`=LMramBSn{%j zqzA`{S`6lfdtLC~?8_u?(oU3DRadWFw{8&|TW{;bEDAZa@;`t?d+7oTWONSAGu$2U z4Pd2W3k%jzgL}ZrMie>ZPH=D$(1Liml=jDr!kW8xC9dZ3IUm1f?^C=%m;K3c?;`jj z=%HZiuXEHHLSyLAFvJ755k<6{R5j>eP((t7@fz0y_#HqwNHqJ}ivViF!;-3o-DeuN zF~qS5&l~hS&}GmmFs~bV|23PBN6;;ky6XWc2$*lxIkP8F7a=a{c-8eMP7j| z!p$!`BX>-`$#MY#kdo!Ge4d5hyN&KI8kZ`#;Zue8^cw$e&DLyMSaBt4pW^c8Q4dwpV zJ%(St-OAWu<{&E5cBYT(R^oP5`@WwepIZ-cE%WkR)va@EV1K6bdI{}}!8X~r;cbZW z>rS5o;g(JgBiQLz{u=%;gqhy`ga?bfCY%i_IIoFy%*lWBb}1>!c#f5Us=IM}h>sUA zlyGk$E_P1EYZwlVmvE{m0^ql|?*~RSp`Xn3n851MGyAy?z%ato z4NPf4W#iQ9OI7Q7Vyl9R@W1ISWi1*WY+YtIM=b%$d(Yy}xR{aXz5!9=rKy4?$@QYi zB)vP3G-9arB~)oW>o77<*(O zq^Fab0F*|k>KAfy>T799ul@Y(TNWNrtQkS|f~1V5tM|#bLN3~HPm?3w2wDJ0;=6nA zq7`g%K8xBy}+LLt!!?nQ-9Blk13DpSM0~Hh$py-k; z$ST3qkG9fgyi)(xZ5CHI-Eh4OHp||t;C+MS=toCq)V>oCy3qn)Ei%(*s}gEKZY{nE zm7Bj&{r}d4l*m9L=Y^p)Aw|#N&`?=ut1%Tqt|rClk|QS2$@z|?Spv0o2?byacD0rK#B|JhlN_}yhOLc_#$+pa zg5j&JA8H?|^L|+AVR(GXS+gr!c2KS1dg+608MiiSy2PHtWNISHtrpb-2jb;+qw>3N ztM6unvFu9}bOZ^&=>7R1`$40K$%iCg?St?3=qs(6`T;ELesZdMt?_qElxb@{11@nBYT8={^nVCF3ygmYJ-t^!bb~l=4MA$@)6#|%EOv6B9oQm)JdzVU*5)%VKUW4kx zA6Ql?DVehz1?~b1N2S5bA7ahs@xw+spXi}D)so=o(Tq?>d@|`^1sOY1Bxo`Sj!;)X z&IG3N(XD)Wz#7;Vk7o|pSkUFmIQI9LlR<99R=k}>`@pKvDTp^d=!G#4MzRHu-I5af zK%Jkb!1o5%8L5to2B9{_9b(1`C5_U>uto`g#KrCF6JDUX6v#W_wE90NRO5ke#N5wx zJF@tI>T1?}qHMeCf+2p+TSq?8-2}ihqMsz)k}&r`QtySQH)G`zrb0NR+5s+ruEgBh z5BQ3aEfQQcaB0zH#QoBMs?Z2827+rY)Oe&V!uxmV6)-VKRr{?Py$Pci@x@zF0*QZf zteseAn)?;t8jK9iY1}3^l(8G~Udgkn41tOjj7@d*PT+G8F5v1hVAL1ual?&_8w-ut zFC^hc>iL8V5zMJ+A<8DFUQ@q2XD?i&qBiq8JU zs_&uY3gos9KYMi55cm|b+sm<;&y2dU&C;ou-! 
zgS$^hNTNzhKYc$zB%!5wnI((E{d1a+$iIi_4(HYbz!zKPS%@6e3*>2J*7#pbskv=M zxU!VZo*%7J*it7MgMM-{P1<8j#J=ZHbN=!De|+8Sk;m`)eR1OFaaYXoBe@5^z@u2c zE9Z}^`rpnCI%**HqV&F^z1=d&ASpRnpbp*= zFePB809bYa->JdETF2) z&CTtONo36akrvSC0-z{=eCWj`k%75HMcC~4K>_(V-`nwDq2J=!i3}wA**V5s(+tdK zVoVL?H~=QNzU`H00?=`uf;2hp%)y-2-pU^%K(UhooTyB(RaXFqN3s# zqVb{?iu_Q=NZHi&FCf%WJo>R=?9Yjj+4fJZI*hIP*Dnf{q8}ZgvnR7i9V_e)Q63B6#RMcjtH}~KSg}{l9WAK~P z01RR16rjWqzR2fVVp77yL|jUQ{@s zc}G5)CLAPEbf96b^q-@5<=ksl3|Ydm?N6*R3(c~a*p9R&tPo?EG4v{jjilJf?t zfld{*5|xe#7udgRC*gaLi|g>tVBI^WDv@HK5D~|>1_rX*XAcb>gL4>c#;{9qg^JHp zOfcXr#?2E562Wdo+(=XnpdL`9MM@t=dF-)OoUQ;p{ezpMrMCtWB@EJ zAfv-aK&O^|_pSi^&e}9EVuuZXd9c3TcDw#GDqsM7s0q+Lkm7H+#gJ}kmXn=)&?HTQ zJ!tr)E3C^#Tt#B~S57osZz(xHUF6t9|9}SrLuD0=7S;wC$`1 z4;v9bZz$g-uqd2Kb#iOUnp|kxjrMOqGGQaMcRkE3j@5>@i#Zu&U7^aKO*{jFbFEa- zekshe6)GOn64ge~9MeUZpN+VT(zxT9RU&oPDGxJmZ7h^0!ZeV9p=RE1)+Lk|9P^~e zrJX9@%}ywgGv#Ck+NZjUjrc3?l2QApfMp3mWS%)%NE9FJ+j3U0D2fQ%uGe)M+Urw& zo-9F?&xhn>h^p0BC(4GslrAz8$AE>s&M?~q^Gdkk;=Kk*if2vpL>2d24}QNTDSIV! z);nCo*9l7EPM}7DB^k<6)RMW_>5eD|s9EVKHtkMz9u*ekAIkDyeWYMtkBD8yj$yF1 zgsa5wOtVt>-_b1Q(JvRR7zYXM1HZ+w#7ApL?+{@CcK`{)6bz}}-R!v8mEE*=3p+7e zkf3-N$^rj`H(0w7cNO8`@L^Ngby6umwYx5i=Qv+L3qMOX;|i!A2ZrK4JvjzTm%j$L z%U&3mfI7*W-2mEhy#mAz+(py%!Yyzkq#R*F=AJQR|@dTdJ({N5QS>~Oxu>z zyMZ`QrrwXGskp_(sm8l4B~eFR+eGl$w3febQPf^QT)0P;V%~?5i~muIy(Gsk`7}Ne z#2fnWawC5O`7!)|l}3;~xE{1J{{6F+DiCv%S_{&{fJ6=cEIQbPOIQi{KSntD0B8~X z_mTg*sQAue9%wVjLV-`ipN9wpI7tj)r`+$a{7*GX{sswVV)hvDeW+;2?^{EnxX>u< z&)f%TZRXHizwNkF$De0yAx!R*vqU6vS0P9q6FDTh`9qxtagU0tI5`ZRgBU9UG5+or z)LVZYc?J2i-$$1`dp5JBMsT7pT`C$ggR zD_@2Cf!cU>i_ZV||LMHy9l0`qb0c0EBQRmghIQ}n|DQ9>yzOn;V4XYZ?F-*Hbv?CA I+JUqG2g88IzyJUM literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-dmz.dia b/doc/pics/e4-dmz.dia new file mode 100644 index 0000000000000000000000000000000000000000..480f6dd2ae68a9f9ba62b26bc8c88f19a7365c93 GIT binary patch literal 5692 zcmV-C7Q^WuiwFP!000021MOYiawE5uzMrRH$v3-I6b3l>4>L}A>^Mo)dNbuo)>Xby zwZyi>HASjOYBb8lKF{Vk{9-u=O=(1`n?K!+9`yvOvTVsve+}^9!}-VW|M2m8I{1(; zmXrDH&52Ysi@}F%`sU=TU)EnIuh$QHz44?SPru17^YcZX z{aXESj$hu_d-zSh*naT!&3rk*A*=hFXG1EUL*Ji_S&v%cpxNcuUwxy#Dqd;*i%-ug zd(lde)pfSGoXno%;Ob0^r2yst0GC61=ebo@Jgmv_aOd5^O}m9#bPG3Gp54qBt3@_h zJ%>D>&!>4dD^OR9+q^!`@*QqJAWIlkw{6>|>;lqLqR6OZwJ?!AM>aB0Sq<;^s^-#vxx zK^4!+W~&KuShmc^Eip|MRnD@T)7AWRizgx?&CmZgzlhBLSM$3=X4C@8#e6oy>7W{V zdNarEx@-sXP*E&?wWXm3R1~s&v3}EU7K_Pm|G&sjQS@dfgEir-UuLkLLiXfW8P4d# z!%t5{zWD6cqWpf9&BobcJUAV^oqs&}q>iI9J{i9``77Vt3ft?44?}g}*>(=gSS%K2 zMh-Otzr9DFuU8eo`T6$q7c|$||y8x654%27L2N?7=I3 zS?u)MTVFKa`a%y+1=Du_8#mkjf?y1;k{Bt&_lGzRIGNwT*1RCc; zfsopOw34UI|K)G~|ISx;^Tn^Y_kWz@A1(&(@2}72(@H|URMQ4f^Q(o2NZQMu~H{0)17AfEL&`)u@y3_6Ti#`>i!1y-%gdA& z+gO+-D#dn)-!(WHQzhqVO;T!-Qq!VR^SAuts^lDSEt~^NX*om-3>>()2SI^knQ_*Q zo**k(H!icHW!ZBQY>lbt7HrY8Y6iL~h(`%y9k|WR#)HpyuWKv>Js*xv@jk zZMYZqOH*n@cS;S3{2A4~m+ZpQouB;tG5!3X^uKQgKjD8YR~f~P%M?CnN8z(W#k}VV zA}f3ak|U&`@M#XXeJ$s`*Y_H(;9>fnl3ojk-?*2$Svvmy&@YmzvtHvjiwCc*n}(MZ zzNGM_BO!i1n`m6cLT6sCZo-6{w+Yu8EyL#@kR4`96?!TDx{J7s9h!yi5EzckVZl> zpr1n~zVESe)5;R2O#Gy|B+VshE>*Es-3HNnDTahM0 zZdqTC3?-T~l(hhYh{JFfm!c4ekObL3q^sHxGD2Wo8+ft0I@@b`RnBq8P|bwi8At+V zf;D&WK*4I;m|>cDwr_5OU0#~K3P)pSN_M-NqaIb}sHv+5)G{_gEYx4lr zqK%>oi$^;NHQInN6KNlSG&2T9PjLH@jgnN0=#~E!qL@^R7hU-O&1{v=W?30KHO})# zvQUyDBFrlhH!WH-;0}i53UeCu3d5||RO1hxn?C!%+E~KFd|(0`2X34Y!a1WNy1*op zPH_WVNvVzYkn*OJ3oJ$Nllt;G6K4%WN$_}LaOs3j(fd^6|8L{rZe0I{YL-;Ia4Q-S zGuZivgodXvdh`St>eh26BL9+zyiyjEA^M^X(cSk>K;zOa6`EQE;!r$hf{|iU7eLZ* zIU?V%qkJP|C@Z1Arf3@rc#tK^88SOsySjsGdO5QioCdmdLOTbl?&+0m(PWDzWwo=A zXY;Z+pa?j0k)KBw>3|{Pw8mJ9c?u|y71TyPDCSu?$=ySh5qpQygpL?W*P$Dm0-vpC z+4{}Ur8y?gid0C)jZb(JXaSL0~o?zTl6~0y0(d}D( zzV)=(njNCV(S=^tf#J@0Z8U5Y#I%3YGV^NVTIZz1B_%E?aWB{7*!=o1MkPBj)wTiw 
zjb2V(Mk}o@(!8J#y;pww=Q7W32jBhhb85WO(G_Cb0-4;6eNL%uUjOBpUf(RQoE0&( zQ$(URE7arCqK*oZd1++mq*ovLF#EDk~2Cvqmwf_Iink>tBvcN$kZ9q1q@N!Rv`vw$R?CP08|lVRiAv(KmFzVza&ky z8%?!DAd{Lp=;QV9Qng`AhdY9OWJ_A1#5trVG^J6;(g@^ zG&l8(Bh?0?y7~$f!A!W|k9$jy#8>^%rgUPdP7S^iu}mb@Pm;1N)V9#IHI8W+Ic>pF zS)-SlXi5vpfO9B`eX#makxJy$QEQDdaZKdYPjYI0(*tLe^FvN-h#D?k7+Y# z*0BA#EGA;=B{3=9LQRQap=NfPbD+j1d0-16GbJ8IzS{7MfH=S8mH?6XTpUWXh86o zcga5hab|=D(xWUTyVJFX25cg!L{j^OGO<)YSxUB`NEO~|ka5+h!trD%h8Ie93xeuL z3@;H>ms-?wc}(ooPj*r*lspE-1|k{JZj*^7simFNAU+tv0dwtU`nnrS+52+GtfC+9W9o zzzG*QrIU~(k(qF#PsqTPap`)Uq;l;M$wX2elT@Qyvt#rJd)j*E?c{Pbzsnbcci)yV zW8*}3kW4FKhU7ivQR|zL5!XPRT5M{%EWr;!QRlk;w%=)E{SLcaR>_So6S4n}VseuW zZR)?1`tPLvJ1_f2ALUwzm}u`6k(m(?Gj~^rq8~gWX#;i?x0%}{C+kHKwYThqhGw?1*tAe<7i-;r& zB&oC{*PU@DC_&EkxRqiX3wVe!r%}Ih@Yv#zdmZ(DMroD#)Jsv;ZL*fMxune{ZLTYA zPV*Md10PK6_}UyI0bS5*nA2$6E41wko7mJ&(>qX^tD0l=P+^(ec_9YAJ>c6PJkBtm z?#+m=%fT_aoQ~bNfA`*PqX{WwSky;;iTbNKPpeYlj zm+5l4jfVGBDPZZY3>&xSeSxD;4We6Di-yw30Lnoh8XzWy>a5j$nLs9j>L)?z76{5H z=Y~ib0*s4GQ3Vn(ErlbJl5{mR{u`{9eJGH}lpd?Cq13pt}_a2&k8j(##D75|xhXooiushj{1cf_kH$Y~+~UIgLw*5Rb_c zb<CkL5MN2o&w)c#iU}s0| zn&X&vgyPglDyGnw3aMIF*&YW2nl4>R%u1nv6beY8fEFUdjT7yqXVy_%GpbsMC?=pd z)CmQXLdp;u=y6E6@xrBea5@CiA&?G%=7)f9;}8%bIx8a|0s)0fIs^czEfn3#ejfsj z7A_qE=@3YVKsp2(rg@vjB^s^N5FD5x8Zw<9Dm2gvusnE$gtjVXl6Tb zMD(G+K|2$3^HxrA$50?2s@XM^USAzG5M0{3t?%8f?Fam*&FepBft6`on;|)qgkG-`3n8pklLxgAN* zw1j{Qz7NGM?@y=ar|098Jl+vSl}lw}seZDQX+dXFp;4rd%u)|Ha?MgoL2%;np0Ly` zTPBX`OpPj&$;46p-SJb2Kqh|bCqFfB*iKfLBgdq4 zUdFv`Apl8cy^?e%nKfL8G+-rMKYUS%qdIB^RUwp#rFzLymbY+GHJ9Pa5*hibY93kv zdll}g=EXfJ#`QssqLlhXP@UaXT_TT(p882oq6J5}bJR0Vy2$AT1Y=Qy3SM$uG^*3G z7xV-=HPh_QNnRq4iJtmNPtXEA`H)cOV`o44^_>kxssU+F)Q7Am^du8Kbw*Dm@|ftU zpY+r`p;|L)3W7or)wp|vk!l2naZzYbyeGz8BBzf0+2%UCCY;uBd zvy@hJb&eN>?gafHrxd*Fj+{!QF_BY0$w{|RKx#reH5J$IRKPgu;YK;aA&1=K?`*Fw zbb)lCOP5Aosca^ydVy4Rc*8Nh%|BxJnB;+1EDtZ zOK3gT$`YpbW2yaEYCo3Rk2P$kU>hg!Tc)gm4$cDv0^xvCv#l|9WSNEnSaIcJ_EV^u z;?9v;`F$h9Y>pUem=ngPmI`gRR6wn0qbq_rrlkVt%0G_UQo%M(ZP!dGFGNVwGci*~ 
zAAwMFGj4?XoDnAAYN2~zf_^)tZ8NybQvzv6#%GmiCiAnOo-*HD%g{0u#ZZ4w9#_p+ zBZVp)HF|<9Ecnz4Cbfd86vjkPy`(3{o70n3;8e)wR3a`tt&uGA%8*ygS(HXXHeUKZ zWJ07=h|YMbLMjta^^>PWbDnaZdkCq;TtZZyS|gzlatEU)$V%7kMw8U2FN>ZkgfY?6 iXQrp(=V^AIFTQ?N{DA*lF0$*dU;PW!dS(r*l>q<-aQOHD literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-dmz.png b/doc/pics/e4-dmz.png new file mode 100644 index 0000000000000000000000000000000000000000..80f542ce3f2cad2f15f81c2701b28ed0923f5109 GIT binary patch literal 31175 zcmd43WmHw~*EPHe1w~2}qy+^3rAm_rLSK@Atzy#xurqK7b$`_P+MI)|zY1xvn>l6lDm{Q=LZ;gz$l^v1B@sUqluW4PeDs5ev+xFbRujNio-2b++^36l^Pf~XvTnU2JWmNKN zua*e@>5Iqn=%h@O?W6z?zIsH!{QiNPgab%^d^`}{$?j(`JKgp*@6~Ame{(R?`k~A0aw-n@OfB7TZ`UyKeg51xf zQ`3`v&&$ip*|296!=c9ruWQ$)r>5Mumu7PwhEVetdL8b#xw(nrTcGo`9J)nzd2Gjo z+1T=*^=2jtxp+_b;YBJBcbb=8q@x=v)T_N?{53(uW59hX?SAM|Pe!nUVU&WxnCGAG z>FL)4(i~Mpsi~-_XlWBae7Nhl@Z;#n^AMYXfg#yzCsuHytXs6KD5Cj1I@N}M)bV}$ z)8R6+uY?Y zRItyT!-hRLb*=F#BL1%I?(eN$rQo*DuL<&Ub2~aa$K96;YS(HywG5+nc)V7IQI=uC zn}LBxJC%*>w{GR;)eA1XG;uwTcDFHhLfDXN{Mdbhf|0 zq2tK5H=pb?245+O?x%C)$sVs{$i)!R31_qEnVM!QV3AVZF?uEVh-J>c!RO>p^1Uxs ze6?yB`+w$x+p?9@to*aGvVz<4iW-&%`aFwl#~aogPaC>8@A(*pa?u@yj@Y%*E)Nv2 z{(X5I{cgQC6Kj^Fd_VE7U8>#mSN?HN2j#!7BK`U}o@bli`Nyktqj@a{0^5#v#|?Bb zFVEBCU4HA~^6cz3!!s5l6qV8UCc_O#kgILkcxNd56yy1QTc2ZK(?{U1;Tuz_YMIx+ejFB{yue*Jp7 zTAn&A+RSSL3YvlEpI)3{+}vm;M%z$Y4=CNc_c~BoMkY^cXKj>~@mHm7C8yQ&NVP+v zpp$mBeMV=*@QRp_`H!olS`D7nPJV-fgFk*eGC|P`IkWNb@bK}edo)y6S3i7I>-NXA zGIy()SWNo<{rl3=kufoOIGvrHQOp|-^IclHUW=CK!ur{0oz%3nsHH?ykzgOoluXtzzk6UhitUfI@6}FOX?P>+PPQ_q8Q)uXqBprjGTD#S?(OPPL z8#cx=)9)%W^(P0*EG#VWCbWW%kN83a4<-ZXrLQwENVvtv#n|q>H~Qi#Bt1$9)AS zxw?i1r(Vrt>91k*>(5CegD2>{wv<<+f4U#**16ij7G+GW*w$u?hMmZ7HMp@k+e!Z2 zcok)dUaMViNJyYLY_I7&DXVo}y%=tAvKcdQ20k=qPqqw}7~gxkvob{WN3YyGy!|Ox z{CA5li_xUl?gzHP^X_MGnEOT=9)3+m+tG7T#C_{7+*N;`MpQSX2@UBn*v4`(9EqY{ zklXsb4z^0PcHqgpdi81qBKF?Bd*hI$*egdaUc8vr zTjTh^&112LiS*fcLw$4Xz~4-R=OcmmUQOdKJf0Uj9fEM#4*I{HO1&1z4p4=~Z6t#h#kk>kX_4KHaE{;@}9eipIAl6}v&dt5GT&Yp0 ztIVal%9`_Z0%iScV3HA{IH-+S?C6QAh|?!jjPi=Kv~+en<2h5vSHyJG)tMO~OAMUJ&CS(DSzIP1wcD8Z6c`w&UZ9OStZJ38F|u=+#14TvhaAMKDrqpS<@kXDC=Ur-+O8@)$|N?A)LAmpPe zA3h(ib+KKJSh}ChQ*Jr0QMH}1z>*(1RArYoWW^W%9gF_pv+kshcN-heNvoY#<2KdzGX{%r4^5OgjA%sMAG_t1qXmz)`%N%;{9mg} zcj?RQV)fM2qRP}#>O%%vIP~lG`c#$P 
zVA5yN1p%*v^7g0NHI6x6hSadll#NYRBgkvpbkgR6V87_+mtO0`ei)o{5yi@$LzGo* z`aSN)j~^Qw8!lsRSFr#Te8au(P`Ft`%Ge3kq5q ztM^b;?8;HivRW!iD0%$&@lD&P-mJDZ+2!*>zwmjZmD7Bk4G-1Q>(qxuPxrfhhAAp? zJpasnPyF6yGFoWRcrs`l_C{7#w(VehIm++hmz;_h2G#cWq@n2Ras)@ra6?Isz`QQb zGRwsi${#;2n4hxxNy8DWgDH*msdSfg={eP)!hY}SA`k!Y;fhJ%#e7Zv*TeFolO(gM zW?czCv!gpJVRMm&kBp4Kc7wGvXM5dK?KgZoQ~5zar@5+p`@U)`EZyK!F4&9O#&H8_ zE7fc(R{7iSAYy`Kp*mTef2^U=+S(c{>*?v~^rHGo!(Im0Y zJ9=AnRU6gAY5LRbke<^F)&|&~06}gR_@B>U7^o>$(9J7v8|KljO$gUHQ%>-!h;erN zX#bA_v#Nzf?!`Eru+kh)y{Ta+k1WBB&w81io~Woq1OkFlck`J0M)@<5q1b-5gW9(4 z4pe&hsg7s&Av$T*a|RsjD$I#u?j`)tyn*<-ONua7xmZ0abg4A|De2~c)^m9i=p~#^ ztAZ)Yj7DAx14DScW4F*bQR;&)USNl2XjWLo240}K`)E3-;w#tiC00((O1i@)9Ac;` z&9gju9635GVjk=DyFqP$7gh-BHal1uBjV$iH_Fx<4sBdrT_L?VKg#QcBudR={)8{S z@n}=7Y-l7!;^owokxAqU=jc~J4pDs;86`hpA?RM%vy3wnOPq!zTzFxJ9m`p$>bl|CwsZ{;|3kB;pJViU8blQRdilF}7&Piim)~0|1GI2APMH{{_(^FG>Of+FRMLNySw(9ea@LCV^ke(wTC{wy7;Jl&<5Xfi0(}4W)WehBX zq!voeU$I`;Iazu%$KS{Tz&bbg0HBSK(^6zyoVJ$MVllQ;Z19OmPD>wxY`+?-+VR7q zlT}o-=}CV8zzYJw-hOl4=hS2Qahp^C(eVMg@oi|R^^X)k1u+An`K-OY=`c*mp8Fop z48{iG#g<105 zF%KnUrYc=_B8u@L$E|$U_>#^TPU3UtoIbe5$M&^kwkgIz#O$i^)Nu?pNszudZ6%S9 zh2*e&8x+TtcgfIaucwkUne7!|`I0USQInwuRJqN%LV|*{AtN@jVoMckvX#pWUn?L- zLZrGs237H0eddYEq<`)2Utu%q-j}Tm!NO-^+LcfZy+^&rt|-LMSW&()bQ1ir@@LMR z>G;)~rNr7V>b&xSYv#vCDM)cFEDu(OvlQNHhHYAWr|r@sE*dzG_)cWbKY6H2oxnye z2k`Iy{jVKStlZq()?YD^J=Pv|T?MpW_)OZ*8#A)%~$>N|iL(DVhjy`>fE^CJ&7`90M#TH_S_ z<_&-)@9ln#{^lLXc>unCr9XHNKMcvHMKXE zr;s{XZU6lF1K@rvS1k`V)-5T~qYWw42L_SVE-|1EZp<+BxpbiEsi<;^w5pyP!tX=5 zQc4uuo_I;D_~Eu8bX*~63-u7O)YL+7N`y60H7@-|hHtC~3*$9AClO*DCUq)tkWk|K1 zoMygulO`RHOEQ_cDW+m>6ISpVJeUaW5Ar5BxSG**pUl z*U{(qQFQmb3#5kQqgyt#Ryaawg`AJ)0wU)16`78(W)6=CXxm?zCNhw7=_lC;MICZOvVL73~v!?kI(H_9kVNgL@ znCQiD#YDkpF-o$sB;lCmqUt$=kdRJdQG{MGfCzf;y-E1l{%i}Nt7K&ZBTj1VXCIoR zTznny>eUDN%rdiXL0$dC;B_XaBMC;|yN6Tx0m(uxiqdhsmYHw$il6uere|frcWe%} z78y%nGnhp7*p32a0iBTZ%Ag&zJkMgFed0F#b`$D!VWB=?{lE}CMb0R|<5fg)ktGXXb z#cR9DyQrr!$ftdAGzc|$+>?AbE_zt+Dh)QG-yc*1rVh1A#9 
z)&`L{zeLO3W#Q4Q!2d?}ueC`9fwc_f99e`{>|8P57SxW43dv;GCh-sjhmWje-E&B4Z2ade6oud z;om~5?H2!bLHj7IH?^KfV;Qa_xd)&~=@|fnfBRsklv@l8hAV?59y=?f;lUJ~19q@$ z(x8 z)u7~s1Op%nSgZnrMsLQ{ayyGi4eh7Ub3kg!m{0OhOtgg!BK;IHxy8dmZs;pX!hzFk zsKdN;A5dQruutczfUN{n5j#73K~B#8(Vy;n>9D;I&|%FG3Sx{<9;6w3C7?Z5jN{3v ztMfeC``z&l`e=9y48~sg0UM8jpWme;lBFa2Mw08)VpcK+?g64%ubO@fjGcLmLA|?^ zw)U{d?#TPNxZL!~ThVM9U{x%dz0pqVBaFb#jnAaKruSfnjjp2Td zMjX1GRtE1dGn;PCv}fNzXtQt@_1%!oxD(lMAD5{`51P&@NFlko1&b6dxJwitei{JZ2O-$Q*h=CM>Bq)a& z%`o6zUbaPhS52)}j+2wlev+i5q-<|*-{0TAeEBk9KKTa^+Pk{CIy&qv4}eJ?8g&`B z=8A3Dn+gsSI|2AB=DcGU!?aqd>;Y}HtddgWa$#*yaPWHFpDrMa*2d~}XmwOo-zO(? zGIGRN!lQ*9K3L-I=oyrHg#43!I#x1PM?$-9$$pMgqg9ZekbnuW=8NfWZBBh z(;rgAZ`%BD@O0JX)6!2?p99UnXg||N8r%X2)gb6ELGX68{Mq}!?8Nn3D>0T(=rNpO zR2q(yIaPuUp-pXGcW1SgO7ZpGBsB4Bp5~GcPJIfc2{O*j@Db4pUKgw2XZ49< z2!aAs31JDDiK-I?oyXSJ7O+f?tHb>TOoT=}@`6w6YjKe)^iW80oi1%=i5)+X&QwaK zBPTcIUV>sbG&BTp2@l%YGS0-rgb~=?cTm93kukGr7K<-dwiQI+;1P`gsDUg_KtS+5 zA|ewKHuOIMWXkSSJn`R`#(`Qe>4OUaT5C*=RM6~6* z*CCf-WQQTEHTdX7jDj6{J67I3TCTeeX=36Zrt<9dy`c2-WFR4w{pL-QaDZQEpnF2x zS5asqBO^&EDUE#1$+Z!kN*i`Y$fA(%;UmR7aWGnIb8E4e@gfDq{BuU&cSysRmMnr> zRJ62M7=a5_z0b1xNyufbPrp#`QP$Q*SCP71$^`1 z!GnQOy<;F{%z^9$NHhOEKI_#>jx1v_-DgZ*zgs9+Z{5=O{C$tqZD+`Al-&(frJJJ^ zk&%%%f4e9uzHNSU^SdnUaR@T_$ozg0sP)J9G5m1*jbz7aT|o-f+Bz~nDs(A*_Ly9J(xd(xWg^=DJO}Ef5t1nrWjE28048iHiHJ;+Pdwm zmHDasr~3N(_V)JBeXFSSgivz#8CM@)N{D)#L^}*h&4&*kY({IK;a&$>sEc`XxAC+d za3X+f&?Hn2i`3i+f7Q8_bdBBQ8z^oLzeJeYnLu(Hrp7%UNgs3fNq@9ncv&PAW zu*Aijb|roAvDy!GUQGczKqc&2>?KAl5mMV3+HP2Mt)-;}12Z596&1&T?6nV$(y4J; zHs!v4>sH5TMAuu~9kK^#gz8WwZf5op+ zBSdUb3y08C^>Wj%NRPHhLd^5TqlMiTC6aIH#ZJCb+g@j40(A6{whGc8&~JLx_9kO> zZe+~z_~-T?ynN9Wb^49F+iI*%fS;cq;+3CYL%OH8msU|CE&Xi#8+mAapco_q(xnGI zPQYOfa9~!F`$I|;2p0y&OB#^ShC9#T)<7fII<8jC`?QV3N8{7N3H6S>Faeu1gZJa* zUK3((0}EPVUWJOAm4mi8OS#lgMl6f!D?Il%q1--B!^DI}L)l`HR@vNZ3jMo4^GHg5 zhB!#_SQE&2Fz9{0>!F}7iCMp9wf!tGXOA8~js*P^Dzgloo3u1wym8145H7@5Zi{rly7-9no7-aAQ4FR$2fIv%};F{XG zQe|<*#tP9gqWopI!pojTbj+nVxA8YEu@)qo)1~rBJg&pnTvNlo(wDFi-|oF-e|DTX 
z$-VHT;(#i0WM1~I9riiI?=|$>b}46oY6?oKIJ-uTgZ;*qMf|n(yBj{&it~gVyw{J{ zFW*az-SzW?{Udyrw<*m30_D{DEu;b#?4mNL-`N^%MQ2j(>=Y>en-_o}mYt|X61iHu zq3iD}&3UjLnp708fQ^uR*%D@jWx{`wWbtU`lQz*mYbE^3R~jGtj4}n1l5`cb7BgtU zna;~b4wlslmFK98w|yR+@>m{AL^CeLVBfy`ckN$1Q7O_+T%GEw`%qg?AvBTKIk4ETEdiK+;VR}Q3!Bnd7(j!i#Z<833Z*aW@)3|b2B z$F;(*7^M8KY?v*xys9{xZkBvBUc?^AuW#_>HoRm=VGl;mz#~UjEoSOt9jQ`W}FB2cef2A3_ zpGm|6%S?w%XgwvN#5%^TvHybrO$KKt4-8U24tn30WV?z|qbKzc3edjJ&yNnY$xn@Hx z9D{}AQ&zYQSwBJPo*p} z4>9aZC{lZ7)rM?gp(*e05(b9#AK;FvKEQr>Mt6*HE_8$wK|*|ww6DtEt!0;|RcS@y z9Ij*ja*7OlO-hM(r{dR_5XQQPcJy22LiBM=PJ1ScZap7(!-So_8C;+irK&JOE@W_Y zTV7?C5EI!)Z5a^sb+IwoJ8hx==g?rJLZiOl2CG2Zn`gyebZKkVNy@&k?=?Qi2Afm>DGzIQe zmObwc32)PMpM{ir8tV?#`;RWDq;z`Z@d> z-jUwx)7}g@V#vK>jv|+&e3Y-?*%gH4{GJ-wtmYt4vfz8*r5C*3W@4tl=8UDj9Jd!@ zSZUU*e!;i6RBcj7h@wxn_Hs&e$e94w3)G0^ zL-A+FXwyjIF-dAn`Xl*bkiUNJ4^s?brPW1bLXGeDEZjwYz+l~Fje=??Hyzu>YE1jPG;HUZ@D*$wieXQ=o zRDqUQkfyKvN1Dchq5_;2;y6ju&Y*Y|>uND(rxKO_`};r(^5r}hL?INsKuK^j)k|Xj z>RlQ8Kr&ebpY02*JP!Dw{>j?}gzx{!)tGllB@uHQPW)U}r$zvTKD~&cQXugX7H*oB z*!{vCADpljqe-6jr1qyOT?|+V)?{O?711+afBKiymB0S$YKe=amnf;rkfN~*`)hu7 z;Wx60Roq?D_53V@_{zCYX>UU9umkQtTLT{EMu@NI>kYZtm)F>%{@WG8|N3(Lw;Q6L z2sn#;l{keZ_;{)v5b1Q0rus8Nvaq$qqWI4(Cr?(MMed9Hz>}JMQOms~s7!q>pW4pt zyQTi0ICO*O>gL^h9@gSLy_blaRQIZ}e0>&2h)>hcVEero;JuQd6Myp;H<65Gm44*OOJQ8(X$8hz2C>{;Gf$ARRt5DJ9~%}pgpbel{I841 zRs44WB-wr9($=Qjik0nkM3LwL9iory$kiV|^{EG|oI`4iS+NmZyrfQ~>5nT14$@=> ze|8lGe-r=g7Zft_A}-f()DE}k@5K-E7i~{B+(Dk_l6$Cu;VpLLp_S^%wK76qyy{A7 zE@$ro06bQs$km0#p>uhyq!7zZSg4HX6msOKt-)B85c7^#9^fNSNCaKlpt$?8zs$Oi zh#y3# zZK6a4!)+@l zdK_h*=izsJ{~H6{?Oydz8VLA%Gr;jJiSuS3uatG`yUj+y!eZ7I{@JS}w%z#x0;lM_ zf7O6tfg{3&1d;j~Ye3y(SKxft z(qK&ML+4M{tN(?KBO<_D+UzVuLq5=f;PC>3m};gxX*l#CUi-5#K8L@?RsO!nIdolT z+A!aL(*`Q+VKlpr^TH25YY2*~B-#6@ok=U&EVAd8$ZambcL-fNcO&1`K}eZNRL+@zJo$sVc73(Vs~50Yx*$zr{4d@kCk$y*}caskmY1mgUFe->`As0;LVqA6Pe;M)48s$gZPd-*eNR-eO%BjRHX~KP=i+S( zTS5@zEa~HJlMR#n2a=NF8yW{`+nz6Z&o}@l#2E4J-4l`9|Ahey`V2Y@G=yL?`+>65 
zNLE|_&pej8KNv8cgS8I+3Og{^4C5+ih%0OD^pe&*;_SG=v+;|9B2!C^o_K31a)sAjxR9NL!y9xQU|&a|e}q7B0$ISY1f%Ob zZzjYzTtU~e;J=3WVx4(F_o8u1u9Wmbmni*2zlH%Q3DzKz1j23w&jdVFc33z8fqnQd zwT2(?aO31N!73pwy}7vwsSY#}=^0RbK;f-7HT13UpUYOpM0k$8gbL0UO@B%V*LN35h8KG6|%Bqp4s{a8G1qjtxMsf;_n? z0X^*avOisNEflSlT)wM`G1XD%ET!bP!NIB>>FMb-pkyulOoQJQ24Sl=Q$bZl6D???Ai;Ex)c6WEv^O(Q;z5<4~0Wk4YSpV_{Qj}<(I>jLS z_{E^=S4^UVoB+J~Ixwifu0lon4H_gXVI@ZvWmWf2-X~EA(uFJUZT+ML<@9Xg&Wgr_ z4AruM(5s-pz$(xEQm1`TCPBl6q5|$S5SYn;kcq-s}M7uc)L%5e^JDFw$*G?=7QFwEjcH>Dt{682`ZmtQ5?YRLD<747=YvhrV&s!SX47_rbX`Yvaw-Y&lkfXXy6sx2G;VvFtDr% zva_!O-Sa>}K|xV*r}ZLKv&u8#bT53~lO+7MC^$;;#p)vkD25RC#0LCm%8EL#DJnXp z%|<>;J>^Oa5SYxaK=mY)x&H?_zO z-8@%z8}4YczHZ&e_Ew4cB@T5Z>yNj4S|!@vJSX7Xxf4BoJ^_(vPJ^{+fwv$Uv^wA- zxHQHssBLy%2ZAAd-|lw?1c?8|+xw_5r5ydu%sL zn?WmTAe^uyzZRQ^`qQLaC#)nS;q{v3!l|h#aPK=n#e^`}S@Ap<|Hx9fjS9JN&+N-W zTGc>i_1otIdY>w5FqYrIHh>HOH~8E(p8`R<*~xiWtFm!s`43^22!hbf1Xm4+E;r$E zzqb4G8ol%249zi|Up zVaQH2!mhW$`XVGG#LC)P6Vlu_2`LH^6$|jOpznKv#~!lW9{5yhoSpDR;oS_t?_OFH zecCo2We*Gj-2Ul2`eNT_ZGfqP;IL%1?d|E2PS4Jkl?LCWj#Ho=c*IZJJ35wNTLHBV zazEs~8;tG;)@|M0jfZQs;AxNJvp#_28Po>Aa%y`C8+o+u##+dfU65?0T@C5E6101e zVWXp?=VoRC+aL`_DMQJ)91iR&h`-&j+^tW!z?H5_m-8~F&~bgJOhy_k*ZFvY^0exD z;154J+Gpef9kxaTX^`%@gxLk1=K5|NI1=oa0E5MX#sYePCzK4xv>@Duf&fq14@T`q zFvxJ$ZAgLybdiiq0|FG>#$n$cR~H^Hq=m)FGb`y$i+Ufqf^G>GSV+8443HfXxJ)`Q z`AAz^&~EArR5y&p17wROnLYyvNMzuJnF+Um?M#?tTLib+4Yzsr!j%n3Q;C4uQ&XqF zVg$+VaVhB~$m9lI+iHNip=HZ8AyUeW@-aeYMdfIFSzp6NTLLI{uHd);2bH3tB1D#g7z!Q}0DKK?u#JM< z1T$I$q`k$GwW;YG+$La&0Z8{y!^8k+V&)R+QNn&w=PXtakDUhbii0Y25MOWoYTFC9 z?}k>0Z|BP&Zdo-!qCI=z`CW^)cffdF$Z?>38AR0=)CR)?iKG2y^q&v%>ebDfq2c9s zTze-%iH>-MTzkanOnvmwrI?D_G^ANA_bf^4K0{4=muqr1o)X%}3|Y~4T+?}>w2=Hb=s^I3zo)%y#|@1wp*%Xcjwr2$*o`-K)q zGggd7d#0a}+1oX0FEyMJSviHN`^Ya{V$-Qusoxzt1bj@zXZ0a6k_W;AR-MoMhd7P( z*`3A|Cb{UN-(fz&-bYmnYlJw+gt7N>V>H3+n5tM9ipb-3|H8pzFFE{WV@Mgh$AaD9 zCkK~#cXv^CHU`bYXb(WJxJ8mGB=vt5l>6T)cH>xqL80fP z6rP#!=xjW73n))XiHWo@1tQw(3J?Vbio`s2tU$bjYygQdOCdfp1eSUbEO@YIOatEA 
ze*g|^gCeo@TG1EO7xIl;R5p5CiUW%u=-&i_G3W#PDrqn|J9JYZdxFbxXyVh$C_hN9 zHIPxk?n*{RX5g{POR5FKN?f_+<>i2Nslr8&s}rtw3o~9fU$fG-(8_y`#*Bmkf(1$a zbwB{5SyR|ljNl>4nlFQ=kq96dvNa5$Ow3xi-?y{-4Iq+>oBRFy_q*%kVn7uHv;bbe zmtIq&?Pj^p68{;u7O<>fGs7myk<|2k?_~z*@(p}3)5Kx^LUeug=z&=&h;Ds-ebB@K zxWd@O0J~Lk41qUHA)XIXbqTnOZrqTOPPkVO-R?v|RdgoNF^&GYj97KC?T3}6MD;Ei zLgH?>m-~GEiRnQx)mK&yfB&A0ipt`TWgO&P)}p!|=tcn^c!MYm{h+GG3qEgO%w=(= zxy@EwuW7SuA987aNVe+{VSlA%AXWMH&BJ}@=YK-Nf~EqzI7`JjrBzjTMMXuy-vR>t z)YHy#{Try|dAZ}a7NeTfk>f;&_>I-U9*SenpHK5XW%9OZMbK|;e2rSWIuV-RdjMoM zR7RgUbd6^;%ccCAuJ6Lj6r;EayZ8}Af3{#pn~^V3Q<=_?_BN^T8+57Sa+v#=E+KM1 z?GKkW&U(N2>h}(09QpPuOnOqD%8~N|AcDLb8=M zl(_-H>nys9{&@Y}UZlvCXiRalDvF|~_ULQISq-OhJ z%|hdVdH(CH4QdQ#9SX?TI4E)wBe;u~!xpTS5r+S5}TVZJFl!Y~3g43A1V?S52bq^m`#Q?laKE?VRXCQnXjUrTK# z$7(ggjHG}$FkiPC0#7yVN<2T(Bo}CD_z3KlP$Dtf{E(Fmcu-;6&UGjIY%i&q) zzJxI^!49Mv^JKnt%K{8ZjHSk{L}n&d4Mel6L6=ztUDjw|5NSG;e+}@0_rYz7Mo+IV z<8a9{XvSib{~aZ@1buHs7wGVV)(Wh|L2<|4dWJuY|5b`^pB%2A0^HH6u+ox{_(Y~8 z%%C2_7RZT(98fN^Adb!HMrwn1f$alRICLhrSXo>851^k}23;3=vjLzJmLu}jY#*U5 z)YSSrIU9vx`V6)wSUfbt)Urpp^9=kpcL2b`-)#URBH$@N9U#qr88;x0Kab#&oPwy8 z%{#m4C@J}3y9tJAz#{^65yn@b5d{W8oFz6XsR5WJ=m-z83b!Mu8lgu&fw>;%~$;heZwB;VniitgIfJ?Kgsh zf}r`y4-o3Se5cem?>2(VpSX{@|4oXdxld;HFgQZ@tQuHy%mI1AhzE@L(2BU1dttE3 z-rinSRTY@8gWta=*(9lJbuWNXz#GiWfS0#nwzF!|pSqmDve9~|bQU~mKH%DesbB-P zvq)1@dDz5~rZEalB|I_FaqS6k0K85^2w(HmCI-!XNC==~UV;tRVsa zPXf;~6*sqipmdh+=8T`7?7}$TWB2k6+0l{DVYJXw%-gB`#Mtd zMBM5YLL%OmSTQ+u!`R=EDyE{IpHr#;YrHs2VwJ@h(|%Sv%mXj63pf}|Fc|k4TpX=4 z=RI8ln9c5u4S4c}q{H`9fI|La|Bo`!R@9hjlL9CfRhQoFqXsTSjhL3v71%obR-vOS zp_q`t@Z294z7_G>=vqGKV@0dVNDyTJ6h#?-fmW%PzPYqlV*A0ge4*9%nK6i*l$a*puv^C zcMk>i1d1IP_{zO$3Y!i5wwnM9iouW-ObZ%Ay#+5Hlq{G{6kRq7g8l_oCPv>qCo}Ua zKf&y3HG(*v_dn8(zyHWbt+_x;$dksmT_C>OJ@cz?w;r%D<>ijB=5}^=X&_tOe&TzO ze!&`yRgJ3^zc4OEFw4PzM90KnOzxG7g_`>cFds9O8E+FO>U97F@oM607-^_L%$c`r zH#BymAIBJ$gll-e`UR12V2jU{kjxoqv7;m%dC~Hn=rWd9O6`DcJi%@g<^H@r#iD9Ks9O{We$d7?A?pC)g zZWhA=gO^Nkg}Nv11`tlErj9R*T9FnWlbTzP2^9YHcZZXgdUcZKO1Se_lThH 
zGZ^IVJ^d0$>VBS>nonMriT$S7S9pd%+{1+}f_s=QC#zGy-Gc)`5*_cmU_BrIKu7nj zif~H}i%?g0=d4qK`s2r*;H?LkW&l|cY(+q5UZJF9DO{t5u1gmX0NCy^#=u43Kw$b7 zEO&9xEB~@>TwN&xzsLP~FJp;|=;7!5-v~=v0=RJ>jHTqOfpeZO9sopALu+s2 zqKY_HtJI}|h5}b?W5e&S)DRT)&a2u00cxF=cc8ZtILs$5&OyYHbDQA#2z+uzumtm! zvdb`5FFiK0cYzeB@1U+Zf8RRW3$P`MF$X3LG7>}GWV(A;bOxa>b|blfG&MTz{K4$L zw?Fj>kh32_EuzCl?xw6s^^;>S-`B;+YISocTm3xS?N=4$u-{bE84=&{#qrC%KI}`R zHfOPst9#k4F2g|HBP16<)cimE>4+W;t?K*sFP8d;bEwUMyW5kz|7d7&=;5O6KT5hf zwKcG(Q}pdv&5vvaf?K9g2X|vj+Gh@9Q*P^DWk;q1>mwdd zb!X`rYFmm9n-Zf7{!lX8TIj8c&TE1%HZGp-2Eb>ePY=hSDO#(?50BNx;gWpY$%_jq5Yf~8&F`rlZzpd7y9%qOEiH`238rU zk=WSSXWTnrH^%^2ZS6RNCDUn0t{E8_K<9-72UCN12Av^5!2$xHvc+KPb?FxfW?5NH_J!e)*Vq*j!SMf<7SnVL_$jQjwCnOxfNPRBZ z5R5BAu>YfJIKdDm42RsStqTOxxy-XG!18vswZX&=N$q_xLIgPoIeh?c3b^{7d05${mjl?%cpP zZv^1kLR07LTybm$lmQhToehkjTK~!{>6wtA*)+VVf9}~(8y4=h)x>zgfh;AI(~j=h z_}~-Bxye2!ZjO%Sn|zFnQ$Pg_oPlM4QBCQmFxm>MT#%m+lyf~K7_;wjFp1#uEboH=$P%XOp0oGFY)AN$62?THa`wMcUR{Qs~O})$PTG4 zt!2uQHduw#)puszE5YpN?Cfk#^Yp(&QH#fgxH*hmFk%9eJAfHnLF_%;T~|_4LUV|D z?rp$e8&G*iJsENjO$(eH^Xf!lHdKdz7qIEy14F)VKrKGqPd?p;>I`pzxk4GR!J9#N z7yvenV3NbPfV5Tqto7Zkcr$KH|vmwPO1l--iy)a(z;>8QhkqkhT9>7lF>3}wL4lpiMhZWGfq5RrAI7IDd z{*^#n0cU{-1bclGAp93K59@pPT0lw^@i{qyK`0E~0!RR}E~!NY{2UyG>FH0QU<(Kc zjA^AkhY8CoK?)wLV5?c;;$6OPz-QkSQ-@Z)(P)x*)T^JDmFx!~1P*eEiirusFn|%z z=*Gmj0H(xv-mhPunVVCL<+?|?4ZdDs(68av7J(w9br~r!{Z6&I3Bw19a&om`rc_Z? zjpEU5fn}<3SwDgBfOA9+!M5sBeHHQ-UnsBf)@q{;8+D1NKb`Xg z^nS}$nLE8;HdO+G@1J4aO2Hr_}>60@>9-c}|V_*iHQq(;RQZ&YRzraKRMTc?M=t{7X`L|B*K8OVAnHCCz{OoL3 zXzdl4dx5_JLjvfu6l|Ispfc*gOcwwLO!E*Z{QC=;&36pU3k?ih=*{W|RSSebn8oZ@ zhM*%42g8IdoHGK>ic8^8U}|f1|FOb<82@)Gd`y~^c}yJ$M-Wr@zRV80LbC`2B)}O1 zkLlW-*&Q5Q%Gvp}%zion`xK5-&qg`ClpoYqi$MsLorq)aLmH4~9ExcRvUBPV* zBWYufs(~~D%sz;AdxW+Dv5JYaUApt=3K$CDy=IzmnnOH4oSD1M}kq&?7c8md-ipLzLd_>%j#=kS} zSQ>-Y4(BMrD5MUC-1

#!DALnf}o|OFVVs++Ku}P^yd#qUJ(y6z#Ox?LawVM4v?` z=-AdU_-|}k!5cVHLP{F$VHb)h$l%Z6L?k$OCg{x@(r}=k)**di#wh`R9fM0s3 zP}|H#38T1+7l0<$L#6`k^F=aPdSYm;(dU1vT#I{If zn5O{-URzxqAn0TG2%}AK76E@HGY2DZ({SAvcPZtQ-A&r zm{RgW_=A3wvyXz%rh0erMPcq#K9`aPW|XL)hz4s{J>uoRwd$Is@<& zpA?{zNQ#b8ZD@$z1_eD-Qi`E}Pd*Y69nH)LBs(L9yw8;?msw24JQkQ`fFp+Ze(F+p zmFAA>(Liz#>w(--S+D;0sl(AE6qhe6BniW~tmGntA>?E@76_hP9M}ecZGe<#b4;4} zy{}vNPskBZyTm!ezh|v5mO^_BfCBoTV9b#mBXL!MV5e7;hT^2EuP9p9B#&LS2ckDagdqP4pCS*&`l6!`nU3=?r{InrI ze}$rPuO(lr3``R00kZ{SCSn9;y#^4PV32fEBqdj!yW=U>y(B->; z5eoVQ%(x)5LoKbXwY-p~{wHTW`?OW$@fK|~X37;358SZulO|*pW%%-h1d;kEhI{qy z5Be9x=B?CAny0O(=V&4}80-2C|Ml ze{Z{f(Xp-P1#n#|jZj*I@8 zYY-RtXRv`G8;onFFiD8vw4tGc+yY7&(8KG87MjT`lx}D|1Pe_2$o5Z|P>hu*y#+13+!m` zb%IiJVJ{6|7fP=H)O?`M!3V}01Y?K4;q750sS02-a836^u7t~yd zo;0HL9#+H5@2A2}l})x<8D=gPC7NK#6o2$=xI8D&ad}`BGge&V2xGN5%|;*tUcyWi z2Vr*9y%{(d?NT@#ob-s6mGOTu^R>APVuULIsgSVxz$E}`sC`S&%Mxx6Ho%IvUwBV02zKDsBE;jy^~{sDEdW*K*)b z7vF>)y6F;two`FRsKvXX)>@6Obi!VT`LS*&aloixU=W-ES5Q}XggIJnO55_ZvECyr zICTtcBU*L7zCk8IfiKMepVq!Sp33!a_o0$8D;XoKT`8#ynTKd8G>|08m?=adsmy9G zEA337NitN%LYav)7&BCMEK^G6C}k=o-s{mh@8@&Q`JKPc@ke`$p0%EPJ@ye{CHS?*hX?VAwYAJhXI?kBs+Uzz&W+)rpDpAB^=wT_FfwFyiQBH&T`AIi#clf???wOq3cSG*k zzyIc!l$?XlT47-!%FpnyupcPhAnU9sFNg7%tN>)lt7zSLco`~tW;xiNJ$u%2IXPKU z*Vj#HE$_3UH*(1qo9b^|yq}CJZZ*HKFr4RtA=#wvG&GD*Jm68))#Z;cL{c9y=+TQ5 z6A>4mhd&Q##DhSNwV$4uxz_X7`Vl+WYhYH_iti}mO0H6zjyfukjz(EDS;aYsW zAL281q%g^a0<#UA1+rnHg(0A)rl*U__FvkN$j-~F?LD~f=+UD#Ha+Mr)*7n#2JPDT zgC)*{%kdOn{AR*s|BfB!dsFtIt>3$E#1)QM_!Oxy-$`kz3>H23Jk(I)=-_Oe zsB~UR#JO=f8=Fn}xdS(<3k8!z@8{-zpPGuZfw{Zc+V23e7;n*mwRa490TM>A&F^j4t zcIknw>UB-jKmYK=cu~qjD9mq44 z_)@;)H8=T#$hg|b_3M+^^AmaK2QrRtpOL!j#p<~VmtF++62cYPZb89?*T_nfW1JpV zEpt&jrM9|nyJbyao9W)oL2e3t!$oqHZCUSh9sEtX4(mHuE{U|OT<3FUS7^ev$gP!V zfSv}b4vH9`CDk$|Y_Hbb-Q8Mvw%Ms96{a({2JAR3$ z3TNEbJlF4IMy4}I4UM?{wl!yo9zDFlD8c;U(H%gew6wIaEj59lqV7cL zW*L8fo5K@2GBo;C%X+G&d;5zP?XFxle$QcVhl1q=VqFjAzvMf0I~yv!5_jNN>MNCx z=q;7MAu4ZQg*rgoxBm)weHi+aL?P@kfb)1FDV$HH$aYXkX&UJWLhDE7CQ|J_{o9f| 
zr52P#2Kks}!bNrt-Oddqui}r3du3};n0Iz#FcTCM)YH?0XnZGA_BR-K$XqiBX-M~HLN*r<%n#Vuh>MAlQR>wV`4_!~fBW}lIzN3D31=5NJ2$st z;_&F`edehD^d}|s07!el%l57ZM;+R7Ty;31>|-$c?$xd4n|h!9y&OM~@EcBf`SKTnBtG9UUFOTA=Fczp2}?NBqLU40&D_<5G0koK(M= zG1niq@vQApTFs%vKJ-55NPrLlwHp{3;uTS-vVR1w9S0S)_&x0{kt^Ai00I110CrBN zBqk;@77)<;`_*@hhV5kWmpj?h^~gaV;1%YBXsjU5*VLSkrb84^g*OlQs;#XpEiH|c zx>Rjc><|+l<>WLsG>oF+!gPJdjvYX) zigMg9dnTD~tJ8hBe1ak=Kfg&-qwOB)PhgGG9hRbAs7SD;Fj+;byqBj~p+PapNc_So zwGF)I-*eSQtA!6ld2*wl1~!W8VIe_Ui%wI0Z1P$aq7Q$$70UffqL4iH-BhUVbc*jA z&X)<5UpHI$di#KoDTwXx`GDDj4PXi2g+}R?a02};!(LodN+H~4L;-AE%=AGVZM-Elle0%fG%KIoPyz z!z=N++|WL+%^GX^hRZg6?5uG)mAd&o|+gtuenrJ+?U-*KPdaYy{K|c zU{Uz52bqIjTMPdCs*Sm+3l=5BfVN26e96~X7UCht1m$gr=2D@)#1kA=oTA>Z0(D}^ zweNK6J(qAVp;^tB-9_#DT+^XbKUJO-9OBzp@@3?`)^`@ek5(?cRfV3KkxuE}M&hiM zLN3(M?@lFwONfwb8^ft1h;<=pBjLjPD*z?o=N0O>St!!!G6P@>-=`2yzO8CdaEU{oK zqp!R^3F{%)Y?D9e`7Zv&(&bOI3OuTK8%7cX(q{eu3uZ zaPJsJJ^h%$V4#2p)sme`qM}((!4dR8-Gv!DPzXR!zTnU>j-b;Pq`|L76wwP*Hd+|C z_?C~)EMPcAr@;OW)~Yu#zcNb4Sh}caB4W$V7O0J|(WpCPxw=6Mg`EI^{=QR>2 z+DO8FeEFlYvQE&!ySg416`A=iLrqnL;tP8jeMWrTpLztFQUw&hvwbx@a7>nvNQ#eN zeZOrh*c0e<5upNq&A@+#hleL{>`^Va=h<21b2QMTp$kIG1k6P4<}y+|fL<3G{smNf z)?W@s#+Lkh#rD1)qr~vgWmck2j&~YGzpKqy-IcYpu%}OT?h6Ke{jh_&69ER@Tqn9n zpHFWA!P(l{Qmf$5RE8%7wHg+jpP!$d3WzZ~yWF%D;bir^hu*+|&;(c)%a<(^Szb8E zrFp8~0E1;ayI#C{w)L{<GX&dv1z7Ztw4 zTij$`SNNZ$?u3`=)DBu0+{E|B!&#R)f5TRE9~cHWp|G96x^F>px%)cpXv3O7s(!!m)C9<@fpEFR#b zh^VNgsVU5uufe_$t_E&G+rd&s`}yqLKgGqxQ#3yd87ZkWaJ$ex;1M^WxL!pP#Xf!n zHn*bU6sr0be)3&JgQ`)9y#}x##x{9ADkY`CX-k>$A*EM{wxuqw)_8K9j$(a!1V{o< zf+6(ts7hsJWiv0*(X?<2%O!)J1rjqTGK!bD1QIF0LpRgwnwnsabR|X%X4^yq93?i2!ma{d2f6?1f1;PBv88%n5 z%UBIfN)BrjXfM6~nAKZ&{i|Oxj^-CeBh#Il8D09XC0LVPXGVFS%_SV)h~-#-p2G%4 z5*Tz~ya?Cgpx45)`WLosb7LbnJNv`qh956<)j;g9ZUKkJWniEA-r0 zJw2-OpkpDy`mE|j%Lw}0{>O2$J4>1j3_|(>VTB5;b7`R`tG?#_8t?9i*dp%VRK*&{ zRI8J(inrX1zxAr6-@t&gm=P0N^1{I2OIoNc<-KgO(L`;U-BvPMiC@s1poA;kTyWOh zJGqvsG<*L!evP5IR40~ykg2Z7`%E>B?E?`h!cos;76Ydwxtu$5qPG9cpxC2$^zreT 
z5$DKU&vjrsAM}Qgt^C%lBRpMEV59ur0!|TM@YuRK@wHTdE>JJJV&aJZv^+p+0J^RU zVrN&E2L23MOD%Mywip;-5LV*ln;l7CN_+{K$2A(7ngG$9#1|$JXU2QB(1*b%^Ey8_ zH-`ro3LdD5Iy$9Vw_2C6Q!xz+3=G6bD3pS%6+^0BMlq*i%ypvbYK~WG=zO`i!NbLc zLVL?(a#81g|2|O?jTC{h3W04kr)BqQ@aGd1U1RFE9iNM130W&0P8IRk7ctyM6y0gP z678NxQ4!(bAi6K2eQ93GSvXfJf5Q8sPeBTTAL^h-AjUYZyN7SERs;S0Ff#EyH`m)1 z@%;4(I6(r)1*(M=7+gzTqj}B~KtJ{&zL7psLP6McKop1H62gaqNR9Zvz(a5-~kLPw9UnaY6pFR|+17bqibdXs2}Vg%(hLZL_-VT_f5T@LKqzg)emX zs*&y&u0$8?M1$d%8=H7lalFweMexZx0lbTE{;bmn9kgwUWWI1Lb*C%^Y5zE9&pDO>q5!1;;$tl7D7xI*BGPS!N2+BpiVdNNa#0ga zJmN0C{;|Mf3s+*{M%7KrT+)+zD&9(()GdTqy6D}#BsJ-)SZb0J%4M4F?PAqHO{e&i zK=XO5#*BrMy_mJ{Y8(9l>l(SIF}tjkmxO4bPBy+SmE_dc@7=Au!-7h<2$1cgf?|LW zDMRw%GQ$LUHQcybm^^Rglts%kl!Jt55!Y$k4(U8{Mn_brJ9SYJTnc2amRuILP$~ zOVWP^DY5>EM??N`A^nQKRSLZ$a3CT8@zo&5pTsMy85W;cA8K2`6A16t+lCl zM@>G53K9dV(YGV#-45;fr{?FhXqw#SK66&9)ls*I)lbj6Yoqk+cHu zJ&#eO3CNg1pRs)TaxkVQw;gLVR=@=mfkC|9d{JxfhBdneRkq`-3SrpcOGs2=Isjfd z+ANuk8(m<^I+0I^blVY%Axk<&0JJ{r#N;590(cefsfRJm0k8^5L@N}^vqwU>#qY9_ zzZpb!AAu*iIlo!Oy~KeEChTu8Tzaw4!asWi6?INs?xDL6Z-3S)#Fmvboaw+${WLlnN|~RZH*CfNpMi_!YWW&- z2h*59d04=c@|5e>FESW#klYd9(!W`UAu8TXB$IgCJSF74bmf&N>&%%MfPZ=U z`9A9Jp!>lq)_w3=rL#np?{?&zh0<}~`HVfCN{6Z)Z*AhYOu%$R^m0_*m+4=m9slz;`t1Bal-ITL{fN!n9+5s|8lny0o;JsjESsN~r4?!lZZZ(cp z9L1`*7`nP%@^$GNlVQ2zc*5IHrWqA7^rB$bi1G8EhQ%m6%iz@nUH~cbTam+&Oxj{) z<>ZizPe;f88}bf_fC$^04$k99m|s6fb4mY5jM{3dtH~1+g-Tx@b1B z%1AnA&{Uw`CZ}6aD5Hoc)i@t5uKv;rj8--sipin5-?;9;&QkcTX?0OlfR)<~8AHYW zs>;ESm5ZWSig$7&mw-wX3@KGe2yxRM=!Y7p|F9QC83u*Xc2IoL0pXP^KvqEgfM1wJ zMH@=-s|dmekC2X+2PMe>fc(CFaYaQ_3&1WxhDJE=LJq)SxpnIoa7) z)9S`rw^Xf2rc3b(8s@~61Ko#`OL(s`Z)nCqt>O<3(4plr_XY!PK0V&^8(0Y0 zSbhEa1F^dCIyp)&MB$0Tg=AI2;PAMc8@Z8z+wZZCxh1C-ed3fjvt6WHo?Aovb75!i zb~SDi5Ti19{M$PO&ihHbR|6R#r`hN-;Jdo%-Ln8NpFouf!WlWPIi{OY)5*)rtE>OS zkc(tb?Adc1&UEnA%AoQb@9kYFB=jBfFep24Qbm&Td@?58>{QkzOFkFXglIsB z1GC26;DMkexCW98_$Q?3*DHG$DsdqiXajoefDqQan96_N zC=oqDzfQPbYp#QIfKI`j1)p>m_6kOf2eGDTq@;7M4sue#U&06=$GxC2 z`3mZ28IuexoT|ZA_{qkKB^h&lDR9Ezv$!t+k9g; 
zkT^d-KWpoEm=-`^a^gu^hz96#R_NM54TH1%=}&K^sa2Rm#Xm|woZzD3R?Tf~E5QYM zF@^dEr!$;`&I)}E*zq@^N6$XKLIX-)f!@*#L4^*p!CTGt3UD_$UX2+(4Vo`6nMkjj zK$pJY@Q>E4L-@?Od3l3zHWX>}fS3oKj<3J}UME&o*5=z98=MA@%q62yK;yzeZBEjb zrL%Kztfc*);Mcu+&b`{KZIP-jQR}Rqu0IVIUd#hAenDf4=ni9sCVvC6TCoB7cWspB z$MNw>9MtjxyQ~Dvo-a5n2{r_uao3>0Y^fCcnM+35R>^@^yIhr+X7@*z-8$Iw&nj{8 zC&3HzKmnd0^exU(peOyGvlK{rn?N;cYP#Ba7Dr&^BMj)C|KpuGe7Y<=oSV86`3+4q z8X%8%Wmi#j#>MsbrfeM9t4`0>D)!n+@9M1ZFMb{)b>PbE^k*=0xPztEtuv5CFOIJ` z=Ec9?jF71=CT9OV{kw!>)Z2eRqL;9>eGkkIb8s{gm)EEMChEp59|bWP0zafBY~9FJMTlAVSzY)$>uSv3&mU;S{xHJjE_U?tYE1 z+k=OS*WW!o@vT+EW^#q&4i`5qK!^~;Jh#~z1@9X|5}Kb9?!OMWm`|SZSiwo0B!zhd zL8XIoUWH8qIL99{RCrPRA+2a^-~I$J+4GhcXBZog1B(YqjU0(%;Sn#@kqB{gQVP6P z1+}ZCgfgZATKM{zS?u3CSXAClEUCm;q=rp;spL)I_W<6}oBVy@0(_IfR+<2H4;{(L z_J_}mYwQCiI^A+HAtR->_!JOigOHZVPXeC6%iGq_Hbzo|D|Ni~J=ks4CH%{$;Z8*M z34_MsUIpLhY|T!w6`dakWc-z0--9zLY{fl1#ydMLQdHq|o=F}*6cx3foNZP!mgn`d zwtnSbU7IIAJ6rz59!iq zVEc~H_vngDP)q@p`u0F6F3LU?ki|4L9Vlr{*$NRt6);uojosu$C+}?F_|CNp1_ivSp za+Rp}l@vXie4vQ1P=V>_EKm>7E8(rpCn~A|I>zEu0mlct0L3R56fi^-9&YZr2HW{O zmp6am@#%|lQOLQfc8aGuJl&I#cg?%gtzK7Wujg-0p*vqA(+_5po($m;sTG}gREv}f zz~0`AWN*RT^7($nCpw`g&@yZFJ1-&Pkd+y1DgQefblUGj#$Xvs2+x&^$(-HJ*Yy+G z-tM1Wv%ha*rY=|M{r&80Q6jWX*O+6dpQr{7iv2ChMT+I4Xm%1eO{aB|%li9HlRAB+15@hJQg` zfu}=1M7jN|`QXZeYm#VW+ZFKBhy%jXq-cP6{g+~1*3#chn%llJ+h)`=L@IugA*)TOXfk5Kkx+ill9ez4-J0P(1n{7LMNV`Q}WW?uYMU zp29EAyLV|WjdXGoG5X!le6EDlo>^Ar_d0n803p!AA(O(1h4&|lD`7zce%kl1U&Ah6 zCS72$almcZ-<6#gV$x4V2T4ZmA|@a6PR9y~?FpFTLzzB;P5TOYrzt`0;G9Qg%<#0| z<aW<^*laCiCjJkqg+0@cmGcTD49fkzb-V{vi*oPd?8bO`2R&d#pig$8 z0|7XyVrJ4QDK0LKIVFm8Fc97YWdo?Rk5hA^Zf#Ab?c@zijC0zJt3q#nz3gSy+xhh_?N=$4sy#z_g z!QLK{pmUHg)a;4(m_wDqMZNI%-w|9W-9R_?1rUG(@@~~Xjtg$X($XpDVzDnQQAJYz z!f6z_OpHc()~FZYk%Danig2=p04)an`W7?ZknHyH@9#R?*h*H8BGA zzTJLm(#gN+%auLs;HY5Wk%W&_8GZiUEkNCKaB|2Tc>HE069HyH*lDyCC-U>6zsIL5kwsxg$&}?-;&g}I#OiZs|caE`@5y;5Q6oDTD zWEp`tPQ-3RCU)Tgeo7MY7aPBKj&0a#+rR>Vs1n8VZH@0BQ{zODI{Rs&o%1t3HVTuB 
zR-JEPdX174%(?fO2RDRjnLvj38wwUI*gG_B01L1;j@#5QnP)K?MW}G?aZUwc2MHcc z_~0N~2tgqs(t-^I4+dj!gK{Lt8JMh4cVfgwy5E_YkVmUvWl#;3B7^qWun^He1wYx3 z2iRO%tKD!3WL8XJ0s;d`eKcYV2-C6Q!;Y9;-D{^T(Z`sK+vzV>7cQ(B>e`ywaF!S0v5hc>iy~u zM|0-=SLk>Q&6qmpCY05AtU?3=2ZRH@o{CR%?h1Kr7X3q`?{p4xTcaKcK^!{96%lR% zk)KJ>Oc(=FSCWy5WKobLn|BW4iKANAD`*P1n&{$j3PhG3at=Xshv`m|7b4s;iv#y+J1Ld@+%Et*(sP^AVut7|U2h@g2Qs+!%XVQ?|1Jq+L=Q;df~qS2(e!C literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-v2.3.dia b/doc/pics/e4-v2.3.dia new file mode 100644 index 0000000000000000000000000000000000000000..1850c5748be1b66633732ae0205f5698283da6a4 GIT binary patch literal 7780 zcmV-q9-HAGiwFP!000021MOYiavR5$zUNc0n48@yu+``EegXaNP*nMhaQ~%&QG78Km75RtLgEF z@nSid&t9H@kSE9E+4+1lnO(d*`N!YCJM|}j{Oafrqsj31^uLS6@amX;W47d1FHbI4 ztLxvtc=7S$M=`x!4p;Mqm`-lQa{S_dhtuis1uc4U^3~Dt@xwP54Oc_{xAngcSF6S3 z>}EASo(-?YFHg>f=RaR8<~Os^NwI3Z?tDI-FOEM9r!P-__kR6z@?!l)FE-w3$Gcw- zFUDt!@$l#BH<$DiLcKS?9xt}v`09GToY0ch?e(K274O4;K3KC}wWLL}i?4q7wfHC$XwW{+{`=}e19fx;sqJq{CmkWM?ednQkZJL?v1+AZ9oTe!*c z-SvF2S_~(v$B<|9`E)#-6{xGl&A2|!@_aZY5!kTEYc(+O=H1cCJHg%NH#m!_iUhWa*%{3M8bh%#kV&8M$Uf1x^ zj3&$L>F{><7Pc2vyw`BHnh=K#m*Y`OOjAXbv*GpWYJR%K6A_W-Xa7AukIes<^N)w@ zs0Ebs`D{kpAv5&!dQQi6*$(8PqFDUXmW7(5l8}uT>reXiVlnyk{}$s@61~~U@tSbf zALe+yh2evL8q$tF+`W1r^2K+z7Uj3A;cPTqjE+x_|2mn`Z+)`I$r_)GUY`6-Zk~nh z2T1Qm_Q0d_oIl64@u7qZs0ZkU(;Byr>f^^&1#@<`jk4e^&n~9pdn9yW09F`}Hlx>G zqsftjR`rni$-W!UMvo-p;C+@ab;Sp@3SGSqHoLhxzux{lWy)sPo8F85@{tO<`!C0r zBqJC5bI#=*$Tm017Z#*TWl6$5-#p=Zo26kFUK=yVEb|wYL;sdI{OGH}DG+1t|G>>oKdCCh z@${4+)0ST;FGWuycA0IdKYlLgw?-62H4uB9~{X*BRc>xV|PO-zuOz_h>wAy?Brn7BL; za?R|u$ytDpr?e`rVcUFjhtj}?K>$(h0RXR&03BKjUim}=i3V&_8lZz>2B1aE$Sh$n z1duymg$|$xXoS%aHM-SsV~3o7dUxIpf-)ABQxNm~0|RaBd!jYoJ8?I>Z$sk)am6Onf4TQNo&a8^5Myho1>j_ARx)6k;I!8oho zX7N}oHWTioyw7!b8p!*}bb0{DcFJI1`SbBTUukO2lb+yoa{cadzL@;ae6|`+cW!Pg zcj3t}#F?wfc|4Hi%^4@HjZbPnq^Bu_uaCc(T&(6F$BX0F-qdB z;`r_D)!DqvNeGQ&1zt!CmMmOlLsTaLoCpOHGE#=b1N@qtU`_wfUyabpBRnWJ8BqZw z4We?kH5q+P32{#w_L1|6QXTeZ(pQ{H%` zi=}mMu|HqZZrIGbRZq#;b(Q(P4RUr5jch{W++B1+Yd0Vt(_r0fu)}28k!UawI0DL4 z5Jo#c(B#xYU5D&hc(E-!z=NDv6cVNH#);(%X>TxSC_L0oGnj|^K<+1#FHIU{O(`I(+^`7_S0|X z)6v6Y`}EK8NIjIhzFV}dn}Kf1=aXc#4%}t~lY@0d9jM`SaxuFamw&evT)V3YMOjaX zryZ9M`A4dzebtRKW?G2KDW^N}#vEst6d`6A$bcmo#KJ)$Z_LN`#;W#Nx)g&mef7u4 zscFq2b8Yv9sM5Z+g)AwZr}+2|vZM+mM~;{C*#l&)>LPckeLthJeXMK0Of_32j7iNt zZ#7#*Pp*ZO9aLWD(Hrez7W#cc0y6c`aLNv;U2+bTkfAPem-O`Jl%CqrtG|5vI(Y@% 
z&{d^yCc1itboGSrcJtixAgooLcn3k4HBuhlRv;i)^96*r+jxX2yq&_^DZHJ++x0Ej z(1I#Z*0>^ch&HY&D3Gl1%GpejN>I$8UMOD|x!dse^hlNwXIl$ z7F2-_*0YhIf^v~nL5^gF3*KeQ2#+DZ6HvM?a<^72AI+QVqgOw^O*U*dHf*JMCL6Yw z7f0AQS)ORa2JWE7v=Oyz>JyR^&M1{VK-Qrya=O?4qUfng7!y79GJOmi*FPvJlnbGQ z3nE5Br`G9Xn9*xuDO;qE867!&ta6{FOSOmIW{Tqi z@z2TX@;I0C|18tKjdQv+h!A`jkXcrH%D_R=%|JQ_QbvYMYhf(HzzS)Cas7=OwebKC zYO^8?DCELuue^1(QGffreOH8bpcIdYL2W~A-b-Pl6gGN1L3%XWv~wQ`gfhyI>I*~- ztP%TA@R3aO*rvJWwh+b)j4;MZ_|i;s=*~1}nSaNVsY{Mw>CsP7;jTKZ{*(UCay4Z8 zvCP~vZJ2w`0S{yJ#=5xno-dGqk=Wp~mb@7<_!O#s+k1_l;DH98w+6v$@3aaKqV}k< zn!X*W$t3qCxY}vd$>2){U(yI2#I*ti18lYfv;#n7N) z%CqOWuZ*JzC*vrn&ie%$8G77%uZ5>~SoTv0#@|mF^id}nwFH)|nq<`^tEPiw0^f!X zK!5?696=k5ss#!pCmfLsW~2astr}7bx;ApRRjBkvN8e2r>QB>A6thx5Q-VQ1 z6AW6LbrHV>Iw1hrLq)exA2LD)fRML9w;0(EtK4SEQZDGXP_$+T*YghO@+oc@y2|$H zt$1PIlEpVF(Y&g035w(@W}`eY8%P~>;=2^)4oWgqmiN~TdF_TbroTQ|JJ0YCH_Qm{ z4Cnix0+0@ziduxSF~WXB%O*E0xnYsB30e|}luhtOCHe}lQ02*%&S;gg2_k0`q$ta? zxjRzOQl!0+eSVOoXN7jg-lZC=%yT(w;la>tTv zQ8H<2UmU5%WnQ@-V3FxKSn1#$? 
z@M0@U^ogKMbAoaX5%Sh>(#K^e8=MTBgsEk4L{T2^kWFpm#p?3i-WXBkCU-0~0?eL; zI^WL03u)gbxCZ+qcVzP*?20Gv^^qEfeTO%zIk|piA?3QRORdB{@rX7Op+h8loS z^c%HNZ;+G`PT3-M0^qZpKnr9IE_P?r%6*o$|8?GmzP2`1Tct<7L2FZNyY%Sm*=jtS z4NEK<-8dnYd?2kHeQzRYz?ij1goM%~A))amWcly|!)>k5d+2fPQ7ez|Fsla8OO)0F zae=owqEVxS@>*JyWJnon0%9_1l2MZ?k5X9XGiGvGL6Q*iMu;9vsys@4OuxK7rn^H} zx^dM8PaD+I4Ipp}0~56b$=o4HLdv`Vaw0en(?Fl?y;h!JD%?m0Uy5QSjZpi(RjcNj z01F;-++QZHCRig`p{+I917xhtpvkuXl5G1*VN7?fy-WwujjJ?_z~CKlbr*!F(+xi% zDPg7JTKQnt$o1zccALTW>c_WSSC(?ux?!tI*-UKptTRMj4_D`x^yh3`)<|179}+?y zTPQNgw2Vnv#7w3DQbbu9*E@I}a)Zh#>~Vrf3lH!h*IEiPL^a@Dd$qVTLYzTw&}t`* z_oyMw2uZ$m@~uC=Z@sgQPd6?Gay+rq=?-G8j-z*sWQDWVWlr$?Bg~QO`}POb@l|ee z$5K*LyVq%#fBHk$S>eH^D!%rs_^`pm-|Z4W+jim9?$g`2d<_C7GfUWsy*&l$!+>A>{%)u@8=0i(+Q50*w*F=e%!IJag(|q=4TT+2d^*Z z<)^rDRS_uR2OuD7YMT;{Fl6ACL{2-N*oA%WOxNt09pZpV;psV{mEH!!!y4cGu!Quo;x+Y`r)TUOx+OE zBXLZ`)Z@-`rg=G75SnL=@rd4lQG;GQFBf>0wM9psGkQV3pkicOANjDLSJft~m-1li z5W=pdya7cUc;eF9+qS}veVGB!4@VPIu_5E=g$g0X9MzDR8Tz8kPHQajCxn} zcwZH3=)>(kmt@&!`t*mcqh0!-(m{)88aK{IMlwb`StDE)9Me9&gTV})kecmd5p<92 zO@iWY^hOJbs>e$o=OQRwe-mN01I*7@f+PH@7d5=s`R)|oz#6C`r#sLy@5JSKkX zCqFgL2Ip!4M8)I(0AxH?suasaRQ)8X<{A7- ztS5T=sD{)%4yue^_}s|@5&B_BC4%ZGLS8P8iJtmNPmOc-F$iM|fe0olKivZ(GqyZH!7>6-r*HUL0Ao(5d|cHIk575NZb@A-Q;z4lUE^>iKhBV zQ;n0#l_IZe?f1*5^)L582$|w8kjHLAj@m1diK6;RQH`_7!HN(_9)i+GRQHi1s5XnSQy`(7Dypy&RV9BVC87D6wWZp}g?5CocHuR#IcA};Z1LcoIF|krV zSqWM&oN%3)6xVEG6e+AS8F25Pb+&;|#FU6>k2EH3>L)if?rDR>)ju|TD7<9!@6*8Gfs-Gm)IEP%J&~88$b=28ycOX2zO(~K+Ze#$x z7~m#+;--!+?n*>4@zU}0?)?7EbK+ttorl`MvqGJEZeF2(31LY{bUzJOOm$$EC*asquSi{Qg`UzdO@HdYL2=Q^H5i zEh|va5dRxtRM9r~`P-*&Pp{^)qaTMCllk&!dApp>FOtF9S*F=z(M%R=KRxNj>H1O_ zV+N;ESd3bYy~ZI^)u73E;vV5KuC~|%fBNnD<*)y~8Xo`o?Kdy}r0EO!ui~pXMxp2x zO7N!=PStNVqhAN@y$=A|qjJW^X0ZynO+5Czd2DMKs=VVd*Fr>4I`sMdfdwBoEGUuO zZbkxd?018*KKEFSscFUYsM&Yp*=X-@)XII9FZH&WD@}56e!cy1?&I-6St+qOshR_Wu$Y2O-&(FP%U+V>q!k@l_c`pn6GM7M2n7P@g3D#S6V z*?y|o#wp)LaJdUL%W(_@vsSYD73- zOlERt?dD3wGFi#JyukLV4TII>dD-AyWP3FSlEMV$DU|PEDqbaLNo6DNGgB;cdRVL)_hbf`fT* 
zjAJHjbDv1-3^oNjn=eM=#o-Pw=pX?sVBg(DUH5{9h3(y9IGWrncRetCVuYaOFkAB` z-cDFj5sHk7$X1KX6Qu}96A*h>;Jq3sQc<;mpGBChg$J1GL{gM3McGo6ZLdCfJzSk% z(x0>Ov`ib=7Di%`1?7bT=ORzU%5hLR$MquIaDg-e8rkOym&On8AU(jzln>0$x+dB| zdVqXZqona3mBF9^>kj%ziXbV1qzKwm1mBX}jmlI&?6Q0%c*s9ysN1BrS*=$)q7h^g zjU*c7qS3sB#B+lozL{0d#*_@gkt7-Pw+$*}^f#bX>pS5PTQtgdS-#M4UXB+|YwTNr zs5g}*O$Stn+Ra}MZC8j^2{E=%=xjZm=SJV!6AGPm-nSEj%L|>A&&ApWZQ@rtm+x~& zr89j%-#an3EfzYvuEe;FM%fBg2U5&ka2)2{XEAusU2zma7E)|%{H{2q+bms)sB$4z zMq=N^7<@-H_n~=DWb!UOr=u#2n(?;AVHPd2U^NfqB3$kIkfslTPLlN^1R-Bw8iLbR zSIlzhOreinmKBA@3A&nOkgt<;4%BMaOW3DC?VDf!y&Mm3j=z5OLn5n= zx^h(rXJV^f25N(CtDFGy>7#Lnof^$C79@IdIwN2w4dlonL=VSRY_oLOrU{(ZL`!ur zeGj@k&0DSR=@r*Sa4qCPYdZi(e}>43(2QdRiEtip@!kx;3k`K)yKOiynY~{Ok6!)w zHYwbWZbr)mGwIuYdI!FRD-H)7{O6f)aj!TChwtTW(Hg~b%K^^amAz;=5JF<8ju@(3 zA`?UPlc7QjZBcv}kii_+kh(+R&;{91#_@S8?=e!n>R=Zj)8pkyTqIugR?KWu5@Y z=J~*!WG(}X1Q->wZif??Tv4^-G&h^_Qs=lR>n0)}o(^2K%krhBs4fb=$7MSpb&`!F z8x^u)T96HJ{M6`KM3)T!UyRq4!RBr1B&TN}Pq8)erK5bGrAyIR)oc`E_bEnDKKKu@ zqbwniwgq7{^c8_{A+8`6C=d(>W03E*=w;A-xOh)Cc1JdLnJgyz`gz;eKTR%v8eVK^ z%X@-qBahJq)E$)FffwF7mD7|{ka3rMRUmsZu4*DLR+sPgC*xLaa`#fN-L9pyp&*@l z%2L`pf`SHnoi8Svr(su5sJ-F8#;u!%H>>$#epA*Ks;#KpVNqx4*3+^3=_ouuOC5hK>)JUT9A}Ifze4 z6$5BPnY!QxS~wF|nR1Xi2ePI}6!V}4fjxjer-`-j_)?Zw$`VUiVkt|kv0a93SU9c4++hygO+_}_xv(wn34QO9%;LxSCcT<0MS_%O_(-1JK zr}%OzMDEg96+i~nLS|{;E_GHY9U>=|=0JI7i_4T3zQEO?AFVIm&o9!|c4z6Mr9zp4 z#{Djef;L)tN^J%ZgpS$Zo7gE7Fv@0H3gf&QpMN%SE2oV_(g(M>-5-EFTlf6RON<+%ZjHIEmM`k4w*_6yEqbQr~ z{d-=$f8X!pe%ycF|J~R7@p<@kxvtZB9_MkqUe9%$!57Xe(r(?ml^_V(vr4Dc34$UH z|JzALj(0XQhA!g=g`50YO)4s??tZmC{FB;QNzaWSwtOc2kE|r*_hW+KAkLmXsd+VV z?7Ow*uG)peeNw-+MK($%Q}I82I+z^S5tP2(V51txbkC0I<3on@ysR#FRlDsb=Q-%N zaqpx&yP5lU;>g+s|CMpJxXom2TPEF3B#lhqzkMbXtvy-fa#Wl_bn;4BaR~_;%F&(I zmAE4v?C9i4@1{{H^9dXz3sBGY`Dh_*d7cTew+P||cPsI07%bQ|jI z?w;%^dA+weG);lh_%!KLobduu;fD?$?94GeRUdPxt+lnatwBuk%aP-QV_mOV zBpiK4TKOn%X8&OKS)LvKQR>aId-p*BfsQn-bcGP6`T2SK2UB8quWD*)?iIH`W?2_i zS$TT>1Mm67&OFO=!F8;`F^0v?PtHEziQdj2b>$BSeQ?r=Yx{H8r+-%OkEp4uOQWw| 
zwes=t`E;Mf+RW_flP9KDR)v=JF;AcFw~3ZMapF@bn?aGI(SZX84jnq=<~DPahM9+# zS7+tyjqBH!7bdeaGc!|C+RFSl`ua>9zdln8^O_&iTdukr7Ut>dYWw3|NetUG44jt*IL9vVMXG58eq5jz40(owzdot-wodFC$}0dU|)t zx!6DdUgsYjA08gAs;qQ&xH{E$a+taP)2GdZcJ`%54<9~^i7B*d+}mHMH6dtxMJ-6} z-zA?AHh#Z}aC393Gs|fSv|n4EBjb>i)ceMH{l*Q&`+F^IZPPL`dfvE?YP>xErFpss z=jUK=kI6ARH@9WSKGr>ZYR3nMhr8Z-IypEvu(3VLGJ5-_q$GFFzM5jo_M?tHx(W&@ z4&8;0j*cwi_OCQvhTgihnUkBFJ4lM^oYI907Y>VwJ(BVDI&fU>flU; z)Au(DR9`-SzM!Ks*`C>*X;8%N7*Sq-Xk4C1#-|y}oC*9Y+hlEP(v_ixcw(yW14ZH0 zg$W}fPRx$UKf6UZ=HbJ=goTw=Ue&#O+x`tL<2zQ5A9oYUNj2bX-3|-dZQFG3SA{Se zm$)kI*PWf2(ZCUn%htcY^?d#MwQ;GJn8%pz^3tKMmX?;@URf?KbKC>M#LljM-fOBa zFfuYySI}=|-a%P;>!|Vxztv+!&q_;u)zw?NUR!q!G|O%zCMIGv+7LOpx&2KOV`HrJ z^pOb(-iuSFMBEYU^YP5J?;RHA=Au2AgR(C^RrJ8(Cd%iA)RlFz3{x{RA3c7oMrj^_ zc^ycx<@oXAF*0MZdnFuMiLoE02?nq2I)sSbvVJEr%f}1y^8PL?2=ntljr#WO8+kcq z-QT}|&CJc!l1_A$dM~sbdgneGbN%}D`}b9^T)Cp6a_|2A``53NGuLk|>uEWC`ZN)c zmE~B{VW6owyT0bFsHjN99X73q{UOx<081unL*&+h`$z5C@0IBcGu!>Di6C;k=0@`K zk7g-)w7$C7(qvHbn(Cmh8o%pS6s%V~e6rzd3%&mL@7?P=qNUaL<(Xo2b@l7aQm;Ak zfcjYBb7NKfD~pRc3hl-zX=!y#Rc0c@CQ8a&g&4igrwTNV)wu7PCIl`&;5ij{Izoi;pKO|9E?c4W;AcYwPA>HodZp+qV_Zo(->0Psyd9Fg5V4?e&AiA_fl-ZH8!=l_-ai!Ct>2?aL6ZjRjTW$LI}!d|FW@{ zIwK<^aZpIeDrC(1?9=HKPlV$!vO`)0FjC7H-5E`y?sWx$WnqbLzdpqlY=Sf zj++8petx>B-1W>pLEOPCf#1)YFJ%&|NYrv`J-rq8vYwva{%}j*ti5~pwrm&ZS;Pu{ z{T;8AHokF8nN=y{JJ>&jpQdUwG7#GM+!b zg8n7p^aG9iBqp)@)(YkyKbGf4*(F_np@gB^2-0-*_Lf~K*v@vGkh^e!&cK4Q@b9@p zhQ*)T+O)K^=Kc=WQ*7SW*B&dixT{-#XjFZI?SY3n@#p(ni7BB&92@}#d~%D{saL%D zeVO`42YMgWJ^EKXC6yOyJjObw!(`X5F8#Gc1JTxIVp$3HHmj|!R#a8ZH2rvMVX_xp z`WpJdui6JT*Nm=&vCC>-ylB%?oEsLV=I7_9qSAnNjrOJOr5LEdbn5YmYofT-YL8`7 znro`fy59S)pn)G25D<`%=%}u~-L0^=cS*6Su1-Jy@=l+Lt&Ppi9W5>TrCtU3n`vHM zRkhi?W8XF+Q@?=xQX0itWcN9~@wW61R6=@s`mI~H_I&?NmW)1?VoHNtOsmQPkz7A?{D{(Ia5;nIubyeUy< zPM^MPXNMJxWpbRKzwX;NeH|T%N3WIJ0jCN%2 z*dq!&c^W85L*q5DhtXRPcW38=3wxIW-(SBjk4lWws%^Ord_%jzwu7ur-O4*{U(KZw z*PBvRZRt8o3H(>FMt1Bwv0KC}C?X=_?pma&6wc*~7zw7t^)!KL3Kk^uogA*Oy^0NH442_r4V5 
z9u3~_D>haLP|{9j`iIDC4{Wpe|KnTQ>pjIT<`X?7w|B5Jg;W6&QU>JY9M07} z;qdJ!adl?szOG=BjPG&co!^?iAX9Uk2n8X3>Qt54bVK|RvOe5#v)s-PAIJ!KdHG7S zX;R(p8?28t%e^{3)E`-2dap4;*T^C54#!Rm*@w*>{N&Q-A-`hg1Pm zYzaW$4yhVo6woFDUcP*Z8fi->>+An`8;5FqDE1FG z=IV}(jcp@Pv6w@uz^f<&ycZ^ds|MUh+sVpNNij$$t7LsmkEHOekGE(EXP~}Z-PM)J zGKzA{R2&w(h^%j@F##X=`a*S#aaTxHf`rp%!qd|eXKGo`L^!*-F@#isBvF#qC(abm zo2b+Pe0TMtAQM^_ z3n64!Ts{)UD*1PI_-ot7vtZ0t8*IZg!`gL9&!67Bp{q^e+ zDJd2LEa-%^w41AIvFoKv`*fO`o3{isG^nVlH3JZ48ER@)Mu&uil(?QfOHEiK7LRnhKOt`z5GWeE}7yu99CUL(W9E|$K&zFGDrCIo>}m6Vip>((v9 zuFlRlfrPj?XG;wY4MIsp1vN6m=&iU;mO+t_PL@vgJ_0NSC)S>A{8&K3zB61v!nT!) z0Byt>pxZY@qs!MtCy3d7ipE{oPPn+Z;Mj-s^ZV-1AO`BJtgMKs;jg^7Xw+OcOOULr z9+V&A&i(syv$Od*Iem4YqlR6TmA_V(W`LsioVa@UZ4s$dB+`?l1GDL^%T1J4KTUT2PR%4ICrmd|lCl>%h`_^OpdGwJZM<^&L3JMCqjRn-3YHFyqZf*JU zg#>Q3&#S4SShcscVLD{yyXxzI!(_%eG&DA*MC1BT$;;cerM10KO}HDSp{@?@laig? z`^MeQ1_kgJfHIDZ4Li@Zr84&zx4H`+RmLjS6xA5F_8S3tSl@n zd-kLPacr#n+S!fD_%4H3*@6fy|K5wTxlGQ<$vO1z_2I*Z-8FUhYieq6#-aP9_m=HC z(>8#G!N7a|il^sfXYR9%?(3MUTDxS!t623)@Q0oxCzrcY(51Zrr#`^L<8|#??Hf)E z^@Rhb90C%gKW1+J6)jFrVpAI(mtyD@7nj_Ef@t?s?-el_SLVlA4x0qrzP*K5ovvmN z3Wv%<77!9b!%4bzM2`1@qkIkI2*RWz%P1&3gjtxp94nccGgiomJb+EggHB$^`29Ab zyU2+*$gsqfk|=cOK0{UFHOEibe}5BAhhY#SAd}#LC<8>!wHYhS ziNr^bs5uuVzEcE<*|pQjPxO}UAkuZRd4f({ogxVBOnn8aYl~ByM22BWB;DUXU$_X} zTr*0}pzn`Spc&+`n8{4K@+^bGNyMeRCFLA7=h(*GLWe*Am=p`$^x912I=aVN-h{L|iSLAC@8p%w) z<=X^>1KASg5Lc) z#mO$?Lj-`PGRVvLtx^%s&fMQ0RQc%>dHKfrf~W+OIlXH}xAt*OD${Fa01BIDz!3E*>%pqy%1XlQCw zreXfGqa9&%75g^+bQcM8a!W`s6Oj8(;WyW3C%z}pRlM;AF;^h{yR)lnr~FnL8nR^Q zEkShix=LaDq^UT^a)E6PAX1{}_A`Z$B|m>2 zL|3sM&cw{jAn!H%hm25APzVZ7lJ+K-1H{?5!$b3$j>9PsYl z33;W*GQI?dghVV|OOcZ?QBzxskCB*S-s{)YoNFr!TLLmN1m$Z2$S4SoBS#+4{r##Y zOD1>b%w|rDzVbjKJSpis)gBBB@jNAEr~E%$4>c($9HU3bL2co*03{;A6BAXaa*K+# z1U!GvEnkyk`jOxe5s9GtJJT#nAtx_S&S|kY)lbl|v#U|ytEzU&gRN2%IKllv ztCRj46ak%`y7D!zEM6!uZ=vA zm6bKt#`jo>`{|#z)%)&3KT649xqhKBHYw>x@<|G!v(#H6C5raLhdTSX?aa)~%6u&E z&6|^?qtwMSs-eyDrPvpT`L4`^kcM;MV0d4%W_@i1?^8u!eTAsk-P$AR+=qKXE9?5_ 
zGbauZ^J}XAV^j;D#tWi6f=lsW3W-by0Mn=|^Qu1FL}2m1j5?oqY$vh4zT%`jj7d+{ zR~gI@)dJ>ARt`$SmooN!01GNgeLmC`vXnBP_e)9ddBK#ZQi?S|8N4s#4o-vj7moX{ zpTPU+M(?ghsMq}%7czQtn$L3bPOPx;i>N%$I@Bk10M(f#ys4*fKB@KK5uGbvH_#i40{gR=w_N5Mb6tWxZLFcBjl2!oN?(M~Tle zq8b-l;2(fpO%r4iE6Y$DUpr>R?KE|4u8mOXCwn0B8IKXVx>yj!!w4O)h@rpsB#@SIf zL7G;!LBk_BK=|;1zdmy#j44sl)KCSK`5e0P4iFG1Zs9jfv@|r&@KxoHA3tJP&wjmg zhf4XMI=~?+8i^06+`oJGDL$b6?AbGX;P(a=83ssm6yi1hUE2ZS^MdkdYwE}Sj2Q3Z z^JuyF{U!%PLstAny@c>^IX*E_QL~FXQ=+`-F;s= zBKg&;JNTr&kdP2=EN=p2r-Lbm?0p{VC zWw0VJ+(I3nKjU^^HG&?DUwQ%M;Fohid!4-p2xtu{QF+bOUS3|f!ljeO#*fwOWOR1# z-hDy2>o@JGQ>T>qR#eO^EHJ?yYpJNH;QEf-OHJiViSlhq1?n?Y6D2Fi^gm?Rttu@bkP~%X4b{^s{Tv*n^*0c0b-p;^(~Gm#38Y z$z$J^77c)R{dxrk-bSxeQ56tSnQsWt1$PF_xfRfI&G+Q1yO>ev*I!dLc$xNa@JLG= zanld~`2$)3=F)pfKz)2=P8O1KOFModgg zzeF`b9Am%gs-&c(ufMm<-qA4&!j*8D&ypx+kFg_gXK3j5GFDdB#E1yaOnXz)Cz+Xz z!doaQEv>Bn)?=8U>#w?+n3zE2DeK8Hl2TPw^^?RZl9DpeFTvWv`dG~?EAxk9Th{aB z)E0MlcfTbtKhW=%I?NoH0L_nOo9pWzXioqDrls+htwP6JUG?$nf_8#AWelao=H$u1 zd{>w&&_mW%SJApsqNO}1Aaqp5}+y=MaEX_I*Wsj-`{-r9VU`7HaK{IKDapSc!mm}@84g+`Fa0@aN06Mb#=g^ zMqvSdevjdno5olJ^V8G)u~-+!JtrE3nHd?EmY0=LMg%-ZT7!*+1O;Id{EUTIlaZOZ zG>F3h82qhIOG^Wc{1posuK@swU z*x2>);|=vUSEtRGreEjYJGPj^EKg-0J$yAUH&?IBPrClX=|s#!ApV$pci^Dj z!leQ!*X7Npe26do_38Q92Vl#(Pkn6!IoSvdzKW`<_uNPUbTn}_Mr%-pjn$d3q9O_J z3OOE4U@4Y5om7 z#o`q}`u6SH?Nzqf94?S^WR>#Bz(gDzsNCl^UhN<-EcC&rp`4+!CW)ADW;uA8n||6`t_yi4h71JHOG&L@%w%D2=2_NvE{k&MPz%b> z!OnxXcko~_#MizLH*Rm+^LKIDTzvWa!k!vG+elZA|H%Tp*p@uA)N4Sn1vnEsc#3xBbz%qL)WKoP~vj#hX8aVCh}|00`3css?qJe}=R-Bz9AMrYWDEQJ&9!T$w&qIz2s&6?}-rd7sPT&)OLmSyxEV?jx=7hfT>@RvtBX zb(LT~+Glw0;a?jqH)ddGm$hoxjbXI3v;?6S5J+zkJGT*|_3Q6W`Bz@KC9_b6x!Y%W zPnYl0E4c`<6o8EC&GPuP01ap|Iqp+{gsLc*%6X5Bir!AF43tTkD}OFnSq)(k*Cm=Ld~=GQ8srMPFo%2sX=!$<6t1 zhhz^7d@gx=%27#42;ak4g6IkZ?XQD3bv?hnE%xnjUmw8#Ds(Sgx{UX{J*@hQImNJj zzM#=Sk3)llxnsJHdG7}X%(SgEy3c-WYm_Q7 za!mN|T!3J}5J8x1{Y)fJ&D047uh|mxYZ@>eHt!AY1cR4NaqigKdB%?(TCitDV)}D7}p# zSzZC~O28Hk9wa4YJ$*_}0LionjYv^hxD#@x)J}D1>hwJh&D~DqgfDn+w*aJo664fU 
z%sG0?$2iE%BK5@cCp25~_U+p@#vFc8OKS~PhTB&8-~!goS8>Q>s+1oq?8zrT3gR{l6VwoMpEAn5>55+=g7Rn@mFV3Go4}rXQT&YNO=dN8* zv9Z?R(h)`+)6#y>94@{00amPK0;~q3USb3g(vxpODP}&TANA-_=Brnom?Vb`3c>BE zNz2%%#MM$xjzo!Noo*js$@$E*iI?g%FKJKs!U}?AcTRX9?vS`5(6$ z%Rnclg(8a32NE8Zy@oE3WFR-qej5k+lBR%x$%OcHRFSoc#GXuqVKW45-oZit9B zF*W@HBy1y@r@61?GY&vSz}dAIk&#I+u-~MMsyz!j86ns#d z9PoonT)e%xS#6Pa+mpK=ZJY;U8;L{ih0VIkdI48NK(p1|XB4pFadh4P?^N zJ9B3}y{8_nFq>0I$Ps;d%+%B7up-lwzte6O4s7-bokw@RN__Cpt$kP!1ShqxukYQv zcMv%T1PiD*xed^(1Qk81?lP{`?ib-i(qN+#)z^(b2dC3S*IWG zfJxI|y#jgDH87a$di^pd=fbzt6t>>_`VhLOFJ81Gq=EHMee{xkqi6zeV=x0R?Aj+- zs!$wp*~<1n%7TREuQ%KGov1l;nqG#j_xDAb*|J~E7q+~gWRTX@)}XLTyI9N$1jjTlk{7?icarn2kJpmbfdhDfCN1~Jh03P z^BJhs$zD+=&-D7w5f7vEQ|rmQMk14vF5Oo&C$$ByIa?ty1`z=2qQXL^ng|6{JBQ~l zUQBeo{*7BX*!mH@x}02Z-MopuGo8=D4sDz0%Pw2zFAb)3%6jsIvxf-&8Maq!E0HAY zf61|)(spZ6ywm68lf=|eBa8CzKP?niYL7NtB%*Kg2TNt+4m413WKfUye_ChDe%8da zu$U<8jiy_(c0u2Vf@f!AV`*)zGkt;n9RO>l{@}#KrPABco-LpLo#A~g3s$|ch-enf zE08hs?{C}%a>7}bKZLtN0(vP=M_1QiFX4$7{F z^8;6|MM$yp_ddPMJiov<6j4i3FSfNsalIvZa*Mqi>pF9%roj+lONA!9rltN_mfzAo zBj6(&|0nUT#qIjT3`lwMQ@wl@eNJ!_oQ0J9tt~%}kdu=W$TdZ zGOrGe?#6t0{l0&8_KGrJeP5LLf)}OTC#cYJr~>sTs75*KNqUZzwKattZdDgg`_Iw- zeoh}F%gwBeKCz4{hyG9=F3Ff{6IU3A$cm-btY>wft7F(NTE#NZ_zg{GTy@`K9f&wIGINV*IJ zReEi+7;M3!Lt&hs{;6og_`KBm9_%4vJG)GS@g5eI`ZqSnh+;hpw2(&O`%=FRLJD;~ zx!1+I`bHpNSndlNtbskKt_(ROFqUid&!5Zo_8`rx3LSF_PPw8D5tjD$_Cy~72yL!M zhoE>0=ww}Sb4&kZ-cD3V=2ggw_geED&vf=Ewmc%#R$+-dDF!360 zRIs|=2A+pwHj�B>o@ z%gJ$eapB|VkMsyH+gN{#Xb-$!s8YZ47CKEXLGnGg@TTsajb-nsy3CfmZ^Xzue|=)) z@s{oZrV{_XZM$oP3<|dqX%cT??|WkYuD&zX6bfWdm=tFy9q8)MYdnn}wzUH18lAwk zVy<6kACFLCyst@{l5$u^<Y-6TRNU#uHUjhM*TzATRE6LPE;y&KP{z4W4xIgc zz6cW&6TMsV<;$0SY*d$f7uC7xqc7EhGrafTkU4(*4I&6QEpxlh7buc@Sy*0kn*@%g zEtb&9Yb^l#!otuidb$m%8T;f0{{Ldp=x+(=R{6()nP~y}V>aJj?7U&zyLHW}$nI?F zCEdmi?JRMKg+Lil;T#anaA*74+&l>u?s?@(rCiJ;u5)Q=$#|Ccn5gJqEDY6$N8^vV z>@WHY`3?CdC|WR6au2=YP9?vofD!MY<0z8giSAY590(wuBuZhJTyDq0nM!!Wb z|MC|E2|ZDcAbTQG6ny$AWWLv`n9ln!ztEMY+&P2Zr}X-7tRcvORg2N~2X}$}1MAmZ 
zOEwCoBSO^9%t=(l>HQa>Xtp)qexHUCKM8;Y;}2&Q<8I)0%(^KNi)vfIcDcE zIbuSJsjUsi}mU2gpdWZpstCP)vZ8#RTDF_>lZUJ zsJG-9i^%exIFTrTv8w*`sU6GhZZ&Bq0#X2n6}2mHF=a;;3qP$C#{U6K@+Wop=EuUU zt0dA7u2$)4fpihqXyIxOcamMi;@rj6NwcohplEo3Lep|@!or#XMh&YzdW^O^{QPu3 z&WPg!idDO+9MuzLuZ?x-1gA-ZmbSJvW%hMd6%~((9zMe@6i62!=RikC$IQ$-dMnup zv|4R{$LH?uwEzYHio6=3aFK2D&n&+k_4r z7{ug7mJRvONNv(_MI656pS-cz)FUusn)hV#hLIp&fv)tm7-We{l{P|g0J&kGzfGJgFPHz7mqu4&&C$F<^1x6d!6?3KRJ%h~Da2;CV37C`4A zP^7WW<0N38dHlDI>!JnXxUdDK7vj(j+%Oann${1w8H1mYcm;sKd=VgB;azq8|ATGCXUPC1&mn87KU#x8@~tpu<{{d9kq_ zz@rFb-h#XfH2;BB53!PcmDSaVhSlIsbA(s5l9!mGG$RcFqBeSqV~Cm{g2;an?$D)-BuPBQO41VMn*=bPCeuQ&A44FeRmD8i4WvNKvXyry(syx zHo*1|j^3&%LN!`hTEY>iv|ggtqPo=JXiOMcv;rF0p-|MBWALu)BQni++0$4pEeD-8 zcvZfIQ>rk&RNx3grUs|XeH6jvcGXwZ;Bj@2IN3Ot%$%IU0>>n*pa8&2=qEM3`jYgU645Yiz_MOm_q*h0T=bNGY%7j;lqr zuES|PMMes}1t+P3$*WJgQKae#>>%>CulmE|ttYj#qU*n5(@aBClht6FO2`z9a}sWx z{NW4gHQ2Fk8U%85^Csi2T{sD`z}#Gs&3Ugje{OG&acA(mfJIZbHV+RjUXCMVhj%S4 zb`qh;_61SNZuj%FPuI>Y&Wn%Ni+6wDI`g|3sTIGCbrh*5XI$Ofypf6Vs3zSd2>PVE zg!cEJ8oy;b>*cR68rl6deHMASdl#Esrx_%cO8;tI`;iXQ9Ltvd_?62kVHda%8OlKW zk8V0~25Z^~`K}`St~`V+1CPh)b4buLFd!cs9T$gNm+Tb8{+wSxU`B%P;K3Zzk~Gmn z@=zX*Lzt~P(|$sBZB_#tL*BlXA{D`K`vbhZ_#-u7cgY$|q>|@0)BupWXYbxR+zf;8 zxUKzYx`s?ArjU3VF9y3%tkYn9=b+6%;1CAQNDKH3&s{#T7YHE}m zbNx5gdye@c7{99b%mB;zg({2VmyaL0`1pdOVfrn0jUxxt7v{<1at`}|n%0!g^|YXT zl=`hbG{}Gb8Y+(YAObF60DSWo4kr>9adn20}%3M_{~MS(+0{^{dvPd zPN^_OH8pn?9WyB>pge0cy-$Gz0a^q$W@*V9GUfdsJUj=27YwXz7Ix%dHuuc@Syxl( z;Hn|FiC5=S#I-S@;Vgb)0zMUBu6YmN5JQSQjwrPSd~1+_vbAgV1-Lv&0N5^sG=g4{ zLMW;|nH)Ukv^3k{On7Dx$OoBVI4xf6Kz}Y4NkA0vL)aUnx?F}D_Bej2sJKo;I^I(C z7sD%>jisI&H;5aOp>vwi?DR->yM*;+j z$?c3h8aRKjP%T_-XB+!ef_j5{dJOd>`n_Eye@OdnIb`hTw~j`*Y2GN;tg6FCb8x4; z#dio2ot>m)amBypinE8^4*+qaZ-=6Zx%so_vm5?ekO!BHc19;L^?TPuXkjm#K~a`{ zHwUM<9#MRH` zcc)NL#+@0cKJr{sX=ZI{=Z8I!U3ycwvv*PJwNZElC5&VGT+6- z$nX+R%28h4+uiU;D%F~S+XRG!hM2^T9xcu?3;u+gHnoMiwy|;0ujBOoov{sDiJLcX zuHGhxKT!P6faqIZsw>^sm@j&n(8Ae=H*n&Vk7Z9ZTT5Iy3~E 
z`w?Fa>O3(tfV-%^eolcI(EFc09Y7ARSPVVIfA-H83CA-)y|IT3J{|f|;>LUE&^Y>` zmaMCp*#Nv?v=^vji=zl7|F2p*|RH;XNJBQd?V# z+CB8?(n+!18%voG+OXn5dxH(WVpZW@0rf}el?{9=a*_qgS)Zw=A`q_ZP16#XIB7-7 z6htN_zQfmmyQo?}K*A->VWch^BGz_JQGA8*ip_0v2wSc^{Dghci29%+;6le%-qxvx z^!4|1KXv(JXIiV+{&oTr$PmXs`nzwjHBKY9xsSOVml2dcNo&8 z`VWSRMUEadeD5O}%4Kj0x5FQI5k5hr(zP>U+x+>1u$2gW2YmC~J$(=&Y~QpMx_eVu zH3ZvP-y*{fbLTTQkmyM~8A6TU6>2swZF0m0@xP1b&Yf#_h&X32ziDP+CqR+2nJeC z&a_`~f3PJQ6VCjlecSZ!T?(SrkI!%897vAR_@695NqAJ$EQ%`72D~+m|9~5OVx%{N zyC}u>`PW=WULHjZuKWm+4Lx;nal7IFfi$V%UY|Sh3Im2#YbKe8Dx9A6se^!s1?qwT zcBa95pOOrN!1b_#0(VW#RzO974(`#y8WG38mu4Hed3dr6OW zTd7GUE-nuH4V`QeC=vtuNgEC8FC4mzutM-bC_FbXrWoM9fdO)2cgSMHk&fYzHs9QhCX*;ei{eBEF=^>)iLpALtqe zqP4x)cvqUsJ4=j!a5SzQMf+8j>=@1rE&5+X zAKU$|A#l8!sTj(-2b=|MKYh?J1$z*(^b1I0C|D;lPq*H`_rqE`{4v$)=ay$kQ-6ml zi%oa{P9Gxm_Q0ctgYhaY4MyeyxKhuq5PSWgyN?ApIQp8;=HE78|Lr?=RD*|x zCu09$H{6}{g*ZrLz~KDSrOse&fUju_hCaZ>;0+j&7&#JQxs{%7hxHEC?EpZ0_DxyF z>rbDWf$>8@Vc)s4ADiqiU#`)@<`7tI7cDG)L1TY-)W!@EG=~9eo~U%-K7VYDKz=wq zeNF5X76f+2@Eq=!f=1MgI>^q#lJMYx#{Fs)tY|8#zJ2{Bu%EHh7!xaf`ZPW2D;5p% z_$LDYu`;kFT+EB-&q=Jzu3zmYTIMM>Ha6mdh6aw@j&)IN%XQ{nC%7>XqQNg-dEbj3 zfhj42h|eybr9r{PZNdMCf{#5N@JLR<-hn9A*3H)q(-xKyQj+(|L18O4m=+-Y;@J2cq4Yd?YD3n|_0dg`0%$1f z&_nA_$d@2rd=>HwCXC5T!CutTAMbrbB=LxkB}+RyQgo@e)LSR{JTT#zGq>a@9UL5h ztd)mRw>qgD3Fp!FLs{~MhCNUX(o;T=-#2`1b)UrhJjk$ko&m(}uJSW4DJdZduK6L@ z`;+qf*Dv19D0Pd=%ip@Yi)_AH0XQ3~9r`&q2mzG`JVH73?%k~tUK`9P8oPHRB6SJf zYMaFpTwD!ZU2J)$_-}x0uwh~~n?WG<{-dm)ax|89DO`gSSDBrv1&B5FsZI# zcNB6CD9OO)q>R!=$0B$gmI^_@{)60z-66>+;n8tSPcWUJn&jr^ueQ8sx8Gd>#mop| zD(17WAuk697FE}$PcIrWVc$ZV#%y~qeoqo}8eeD3BAM$-s;c+z+zD4IIAh!lj}3A# zSrpkWfp;1oprK;>i?E2?S%s;W@}E08oDfdEd9w<86gN;CQ7ix6=2B8o(bUnwV?*?@ zfsm!D0)LGD>wYNhX1fgZF&3D((0*=HFmqIbRO&b?U9 zCW?Gc?a}eU!NICSq0qb`8yRO`vqYu9ns|(KRC%fhl5wEDBq7?0*~e{-_~s)NOYEYs zAd4dYka1J&rihx__wd9Hx{D=Wr{0<)LD6-T9|H-AI%P{+U1K9@j$&+HswTY1$gsDu 
zxrV2nOdMlOWa@|JkM#=+o%aRPR4F_HQBis~i=C0-;o*G~6YJ62W$=)e>?;Pg3r88vDbI#CG84@$qrgWXjFgKR+YaML9V+Jx+sk%OZNZ`SB8JBcErZbNn~@e>YR4O$R6i1P7m`;NHC;vt62{S$JRv z+;-)$xR@AmJhQ;oNv&iXEp11J9@jqwI3gwn$>E!ld7@g&JF=+c%0{XO)ov05{UqJ~ zh*xl3kr1#90hmCf|H1C_fwCEa*q^Sz!;4LTHRDSh1DV z^m_AoO6`>wfITVr-SW2H!t4uRJj_9~^G2BE|6!IyNjGdC3F)HDqgyITCJ*0~Oeseu zL)N04>D0W$wN|!5c($M$YQ+~C;-Uve@ zqv+^pk?=uO%uC3+1JYQ2rwe*-hewUv->c=9aU3ynTl;Nksia1cWrUI{R!Is_IQ7b4 zk37`sx;KYpqtuAcby?BZBR~5zrLwEbmM(7!*D7(Fx-Dn|GXPsyTEVRlM}}~KT0`2a zXRm?I2w^27E9*Spqr;~1;Au)qRQ|nN&xd>l&co*O2BGi^IBz`(G9;aefG1D-QTlF< zl1v47F?b5l*OnHG@8RrUqRcfk3p6SDuWpR{wh!Bw8^{~`0GY0u zreo#VSy^chh5KO*Anj9vyb>}a`i6#rtGd%Sw(KBfE~TX2Vh@n^&w?6KJok*EqIsyG ze8v9#Pr*(u4S)Yw@k86({DLYpEu<>E{;#+MiT9qFT@HvUi67u3u=-?SUwU|m7x5iB zbYFI_&hReX2&JP}{*Z#NC^I^%_i*VDeDQRFD!7TLo*bJk z;=L?0<|uaHuMgY>g8qz*@E@eI9E`5VBbG2(fVxjXP>LO_5z^0BYIitkd=B6V7EK8f zhRn>dSTZpQXP>@$bqu>W@JJ~w=X-WCxI%=z7$6jDT2NgILNw6|I_8Gum-ejH!@_sE zK++Kjv;4l5v%kL|8L#xZomlmVyBzp$)uW#=Fd+CRGsh7`VShn}FUrsfZY4b?iwoRf|!XmfZt9Ww(1gU7CS z2nM;{Ja!5d^@9Bc4!MQ@G_9 z`sd);{?eG+6dW@~&-Rov6G<0!c>?;Zsm`7|x3aQ=^y4TVRROP!1iN9hpqM21|AIG( z8;>SK&sE=uX$=Ogbe$|v?(!fu{gKJ3H2jR){ewI-GiazoPhDFZWmv2>!htvF=1qqm z@4A|s!+zBi3R)7qJDTP;U!|Rze>-pN{t^K=88~w=r>UpnkYRvU?jY~#uyO|aM<>SE z0b2#5a&k&le@Jsaxkzz4X#05*ZbS(z+aZ$Ya0^8PJE$VL&e84SR-C`RZTDepe3!U%mo&phzV&dTDsR2Ywqjbs6Nd8nP%Jr(`VqDM9!1l^)LynAD`;WZyG z@5|@Ub$iokCz|{j2pOLms0KF9MoF6?zEjcCYH4fFFDztdlm6^xW8+@Tkq2YfnG|>R zt(;gs9$-tPPJW{d@BU#1$!P)b2iZ~Xf`9~M{;Vx6BUtsw13%Yc|9CMT>r}MRx#tKE zFAoo%nT39KXzSL$1RcxD^EYok)zq`{r3|CvbNSoecow*M9cx;j+uo;U`$S*8E^{QUM!Bq z$Z_N|(lb0j!DnNRJ?yu755q?kUprFq;lr&7=aJSDm!Io8!mB+cA%1=vEUE}2+g9G; z?5rX$@5nxYN4eyO3_2eZ5ec(l?(X|Q8FKe-9ZYLHM`Ur9^GsnQ9TO9@<^pU9G2J46 znHT%okv(>5h!d&U{@ncuw7AsNv&LVkH<3RPdyuelt>t;w;2@SNeQK&xZtNp5yOFuk zqG1_mjgtQB{^=ts@uKT}AAZgbC7%@9!Tt&UdcUed)p;JC?^u`9JP&FU#T`Hi$iF|{ zz_~<5wtztbSU0`=pV@@w(4row<+=apjlBWKO{+f}BDx4q+zLC|ojXEc_t1Xuf5NX8rHBXJL$=64<&eKpHpqfB}280L!sPL0|j@apf 
zt-EJK1p~|3)eDlNIrdj%qy}O%p*fPCvIeo{-kqy>Y6Wdl5+1IXmX)?WDoH-Y9;+jhRsF0=(9 zhsWcGSi6};3HHpJg2Dkvkm}p#G)^rVed=dt){xG$Lm6_bHWdnmn-mp76q2MwgEmo=%w#B2hC;JhgP|lcr9m{f%a9>NQu@9x&-48A zd;NNSUbhd`-q*ga^IYdz$8oGR0tag5zq)Q6YGEsQa%@Uq? z&FDU|(i!i1hG=MMB`?Tv`BrN^u0kjr(y=l9>6DTji~T}oMMc=bxh+c9J?SAE`?H$y9iI_ z#jI_0ZV3MNxgg!A<41a=f!1VwEzjp57(4b*Hv^5-5#Za0W@aYoEOmcVTiZ@S zVdBJz8(NzFb#^B85p_8YYk$z&@ZiA)@S1zqWBZQj68L7)XoNPmetpbX-O#Xo$Hp!M zuBk1=HClQ-7@qfamnb|F*YSDzv`1h}e227T_ zbj4(`+-1X0E6(0uHF4r?-jSRKrfg`PgQF^CIV)y>^}fPCA~JPpg1a6=Cw-hqh>oe+^&7jxg-}1JqHX- zbxWc%(`EYIpgDW8rEghH&jEivh3j*6 z2dQdyQBldfmATy1+|qI}#pVF(^dlQ~8VgM)=#+GWXK=2iHeTUo!oEbY`eMQT&% z<+s5(J)1SvxEX%UjjO+P_9h>M-F+P6>HDkp(XXlF)nn#Ato;{~2jmz)37+^_R@MUO z*an@8+A??L2q$g_TGr;47C=HVmAkIBNA!_EJMM-&jdP$sior88zbP%Z`B!;TWL;;}Pt$E|K=CxW!Sel~5)L2f8*}~lx7x`Y zoc}?vV{V>Ffk+ZV?~FaRa@_x92fYgQO`F$S&G=bY(nho>BEcm6b_PNL3P_433mqzW zmZeV>-2<`D%rm~UclWVlQES`=ho8GR-Kpu-$BM?^zrkyERyu5oC7{v(aG&+Fx$mS8 z$5F##W+0{j(%UR}zOdN?e*>+!z>f5Ch^!%>|ML2)cH^LF#}$J`SBKco_6-dUiv7k| zh!$`wUS6(8ceSBO++I7e`&8qa~;GzI6yu^5$4)=H)>zOlw9S(w^ z2zIk)Z|SYtqv4~XK$FAw>4dcAF1{DW-P~7rh+?b+(B9Qmwp%GYKlPK#aAOySyZC@OC;FkYpEgGfk3($yGCA~deG4Mx`1oZ zPpeO+oDib#i49aKwW6G8+R>;}7e=+zN~uII)A;G^ns+JGFs;00X9_d;zf^J zBUe|^tWb(DUY)*#zr}Yg8%0Y?tGV+e6)pBXg&rTaa)hqUcF!114Gqykge92WNme*b zBo<-Ak)hW!kjIc63_f3(Ntp&^AKc@G{y1x?$%?$IN|if`|!ih2j>9_`ZxVpPXw zACiqXVMiznLAGZl)H__n6}S44rTYRx0QIBW^5s*udj{ZZA$}Fx`M2}bG}*^i3}P)JA2^*>-wjnrwum)2TRJSOzkxO zznZU|Y`ysGK|$zx{@-UWl_I@|c_?hmi&3y}RW^UIbZ|QrxyJUHa&P5#D#v!TlhbH; z-Kkb6eXzH@px`5L@PKQi+sc&eEs3 zj~>0onTW%ia_aqu3IF@tNbSYC=d40(kGQvOGv(~smr zmJ|DVq~I2cF^-vT!{0sEDAOX#Wq}j^%`2idZMwdFyX}61DZ__9q4DzU`SVk3Y(`z4 zvt)_y+O@{7T3+0n;qrz|Kzt0`sQzi*0=E+5C@?Kr;XM0}IC;jiL8qx*CUbT2+lxHhkte$jc!ni|`# zxp7TDJ~mX{85+_jywKp?%PS*}B{_5u^CFWN(Ky!I&8Y*@D^%bMtRGJ#=JDm!coG$t z11y2^u~`+x#l;(F5#tkxccoEt@#4C}hhH8m_h|OJ_^EvA%~fW;b$c{6X{Anw4H&he z^cfaR<7eL78ogq~1417d{*K8~Efw_~(i~dKX|Q~_FiF^-S59c! 
ztUM>k*KpLR+WzX)EuDE1Y)Fz@9jo+zH1zeS&eO99MrYWB#*&?LJJ&k}?=x`w^w2&^ z@|F7+E?t^Q zFJs!aU4QfDh~$(tjXg{L%kQyus}aw3@^-zrWfQHe(8!0kPV6LB;Z(f@3;z2ziqJ^M zS9jlTiIJ!dZt!}DR3}K3maF#((U?bpLGS772cd90Us7dZ$Bc~%t5fnLdR!bae7woG z>$1r0Xv}WhXaQUL^?g~+fBj6=yIG<*`+FK)Cfq^7bBhOyl@ul3e1PxJEH59QRC@Ml z#kI8OQiS0C+gP)5nIsQ`!-p6cv=v^~LZyro8=<;cZft4l{?|;(ewOI$*4*&IW!%-& z)NTT0#AJJs&=Fke0qbT-d0zjP+cdM==0O{g>~BA=yI~D}D>M4dx3|YLcAs9H?z!aT zE`pk&v#mYmrQO9gy{*>O?~k$#PU@aJeY&kceqwIl&A{?OA|Us4`)<>;kB(Z^&(eN$ zS8a^4t*h_%gqrDQS!rfyY42CyBU9mz@x#M%Dj$#TPl6J8{0v7*8*>bIE$x-n^n_r_ zjD9;ju8?OxeUw1up&OokKFa$8okrou3B>ZG-CVo={HxuB`}z6)-|0XXf(w?+?3PAm zBH)C6LU%bIZ(I{8c{j_%c~`m!?D@grh{JCQqSui%ee&&vn}ID;?4N<+$W?Ib_`$g; zZ3Wtb{J(QoUOAMTPbWuGGT*8N7uYWyI#=XE2Ts%)PybM~z?qU01;I%D&rLV1CiC z@1*W~R_tHP$9@!7N}}UqFH8GI?<4ry*w6Cw8yzKDt6JJ~c*+MiHu{AhN3qgT^ywRi zjX`VMeP(-8|4$3>*YT&@T4)%7Ty>bGJq+xBkEuYoMBpT_j@~x*&sZ;V8UqJzv2I0p zAgFNM*gpe$7TDF{$IozT%8TC5{@+RV1<|DE_!%B>n@qAt-SDg4|Fsuh-rQJLROAcX z%V`Z<(Xof=Qlp+*%{6?CM9Z?w*RNgd+TC_J!y@;zt^J$9!@9&iG;k2bf38NUX=yOp z^`ms8XeNcA7%dsLgSA zUxHM^an!~fCRRF0+*_b@s#25_ilViaOeOGS40)?c_RzO#-MVSWyiQ%BhhJs~%_kRo z`EpOqlV{FI1i)kq$%1e74Ik#ncJgb&o_+gZ>E65%Dp->e&3Um`6B0UT%DUDQHdUn@ zKZ2dTeTWL=lMu|7lBrzS!|Az01^H+jaqIC9jkBGcB2=;?76O9AwRZBXHq&d_5xUW6 zciu$Ff*?KaGPY!nwzjD$>Dk(GNaFD6o93-A+d^dycUrib5pySs@HV(gH7UZ-?Xo z65(#t&-LF1#tmzoH~)y}PPoEs!}FY+?!u*w85tSY5^jZDFb&nxx9mBg0^bo86q#}Y zsHC7NIxz}8M|){B{k$_kOG{p$5l%%4-6AJoe=95GOvbykoQ9~@PINj+CFPg$Y|auvk2dkpat8(&w>BtR)MEnxJ^%uPYHZ_m)bWu0l6x$u2$r zT^(hnA}v<`^SZUAKhNtPegB%WONo78Ncn34ga$wMPs7)*Qpp14{Dn#UaOoeYTZyLU zX4I=J0Ilfn^p}~N<1j?f4xl-u*t~EvM5ecDQ!bipPZhKdGTH6 zbHA_=L>uq|yQg7$eMSr)E;c*F$B&`{4>>&llKb-I4-X8>frmycjA7p;%qb~%ckdQ` zDXDUb==$e{$O0V7N=u&{TG^lHwsQae{rnk=J2<hCN-D#Cd2~L>-!Xx(o-Ux4sF#zrPDjLvLP0 zc)RnFl$Sr(;t`7Yxcn8{<>fSd#-3wFWD?U?MTK6Ys+yW2B)t4P$yUE|IKTt|o+Ji% zF z?{76B&CZ_PmUiZhZbs3QCsmJ82HY#XbLSKR9wErfk5rZYZ-_Ln#{FX(GVY=}Box$z1HxR^Gcx!u(SF+w|#CD_=Z) zifTMIjVxPy%g8hwb&DW7ut8vPvvzz;i#TasIyyVQdiin#^>#z|AEYV8X&(E5%W3WF 
zC1ko9<#sDCdPG*kqXI0P(QF=W?!Ka8Z1RqIB_B{{@q&Dzky#N^EFnQfR`RzGEhy^P zkdZsY!nL=_gS@<~hZkB))0`X<9)GL-J!;9l;9$$2pUqyTdBjBIi}85e+ej8{#}4zn zzb(1VrfvP)`sZR^lImD>@|ltFPa{TvFKF(*QQD!KC9IONS)I1Zp+^++Fs7d>E9)`c zXm6?p-Enuc|JMh3yO##~UJUwkCE4d)>)nN$HZ?1#cZ<`OQXg92g>uVg_AVp-Q_c99fJ zoHuX7larH)nII+b1p32PzC45S&A3*=F820L-fw`})+AZv-&zZ31m(z1&n25;FM}jf z77>SKBA@ow;pMd+I&~_NkL|>Af&DLXzDbMdwCNjYpk23BvO?5Kb?ecCy{c@g!Y8!1 zv)egpI{36Mep5nwuM@;W6O!7*+#-0Efn|G*@L{t2B&TqP6=jy3l*d1nk;TQ$nGRI>S zGG^M1w#>zZ~2_M*hDGmuJ!vxkVe%$OgxnS;VvO@yu7l9hFUBn%rKh;Ez^9};t zV5!KsO!+s_>sGd93qMFe6(lqnBstK{CYqOXWk<(vobrKKBA`m^%}U}{WKyU*=z-rJ*s|p=SNXf)!%y6D$uqKU z&4p2_w7z`J)a9BlUYKiMToiSjb^U`n^zfZ1GZERK4xPeMDEU!}12tidH z0e3emFE4Lg6AN+NSXxnvNEbi?E*~%vk@1?xaDKIqFRP5om^Nur#pBCfqlzxa{zTR2 z{~aBIpU;L3;}WZ@s{BS8^n93jY@C1giPa&iSGM32-0uiVdu!S;zq-$RFpdyaM2R83 za>baU%PM0tBE!S09^-~4d;tsU{~l6=>zX&Oug5%}BTm?O1zT5ZedM9VH&94?8HQyz z<%@nr#z0m#*5DgDD3=Y*4C4Drzt?G{u9(!fB)wf&j((RWl8^n4l!}J`_oC8snyoFo!CJIj@U~YPNSaV9 zaat@|xNyd?Kz@lA2mSCM*e0TM<@tMHOoK#mWedVWV%A)Y4tw=l{Q<9It{?LVbj02t z2$+}_(2D#hGc$I43ke4{Dug;>^O_H$e`Wa3=CTMccpC=@C1v;-Y-TjOJ<~V3mqBg#&ebleU zTw5NJo{q6WyFBlRkmR$kDy*{&C2uF~N)cuV4Lmn04OpEidMy{F8}8f)C} z@r3ni2U4!cJU2|^(JLwn436@%D6PIXy?X67eZ8hWJrMkvIxC9%?mG^kb5I{d|8SKIf_1~TO64@s+Xl~Y`W^4 zZf*Q+LLuz54lssfz2P0%GQ1GZf;h-Li|3Kzz;ii`)sAmR2Kdifis}p#W8;rcPAO*u zHoOP3Rn35jyavdb5r`fB>ea(C5W-oLiF|kpP~G_TzX(1NYS@iq>Cr`j__Fln%j;;+ zUydC!<_cB46ES5b<}OZybaXKM^!@uflPM0v+<*)ZjD}1aP@C$YNj4h&n*Ab?EiI3$E-}j+$ivR z4*|*ie_OY<6Xy(V-ceUmPebOK*Jttdwn{5^?BCoPXC6Qxj#|XHFWu3y%m*lt&CkJ`| z6tEeB;iV&JDb0*dFN%sNc8yJ9PwKn-c zAYfQ2lT9Q$eE(ELjq2;+is<)fcn6FJi0tiw?Go(+j@%hCrsmr^FX9D*D$WxEV2jiiPN?b)MCnqPUbm_85g~?X!f>~p-o!I;ebdU7a zd{bTBMhyLuI40%^qMf^{baW4YfDcI=&W!Sza15%_zq42fU0Sl!(~or$Xrh}SnM!#f z{P_GjO63rP=ZIw5rj&JnygU1f!wl5!QCzLGfVBstN!O;rlW z-A*`cx~`MvNbfh3{+d-u-@>)G3kF%xkOlt!I7+zeSFa^?2b>kWXeN<~ElENJnn_7q z+=MWB(Xdig3Ubjln0=)w6CL0yxDbhE=gytcQhXaImGme=8lr|1eL+WoKB^rm-r@i^ z8Urciwbn5wO;$(_ELXw$muO;*Bfu`oN!>Gpx#_)nQEK_Vq3V=q1_T5MnX~UceAr1K 
z9afRj03iY{5h@f%cTJQvpJ9d|_;K`7{gEJ#mhC)sN=Kk?TU(~5rzdD=YRYK>F1q|h zfTU-L&3{oL8M3__g2v#%N}BXvOc&@Sv638&iD@HxnMuzOe*gM4%k0Qr|4t{7;8;0R z5L@Y`xy8jj#c30&QfR$4BB-S$LwWdD)GHBv-kVk(M_3~u1CVGU-w`HFpKdLA_x`=S zXfZCG{nUQjN)T%Dj>TYfm@x@0R?}fT+bzfv4t_q637I;Lwe#F8T?B>net^xzvRp1co zt_gE3h(1FSP3UJq7qcJCT<^<^fQEDu7bFyWnn)#v{bo5kN2=`Fvq#}C0<%+0RRC8t zWg_bkd-bZi=71qX+6xpu63xSF=)Kw+mU1)~u(=txtc z#X?Th<>G00(M2wnkSdA$>ytEV)Y7wH*VTLh|yO)40C3Ie&1%nqk%v5!kb zMiV)9FXzrlG{^0gPMz9OQx@-rlOJXKtd5-PGL@sH*r9G#$$l#R3(xqy-%2GT)x`?m z#Y|P|*FOB_&GFK=oHC-bV6aN|%y~R!6{+8PTk=r;9J_<~#e564eSLgIScQ_A2*79# z*RtUpYn@~X!zgdY~ufLC2)cUX>Ikw#AJ2=1$AJ^i+CNM4~iDT&=cWT*u z8WrdcNg(Vc!Pyb{P8i1&+?{>*!Gi?ux(D(<&I(5am5-^{)XVzv4*+Zl;Inh*%(3?9 z6c)O|4i)M$n`czOZ9^?Q2JRlrDVoOCEkawP+O_KmD!Bdt__kpW=`s~@sG!mRd4xuCz`nPyciDDCz;+vXxPj5GTn2^+_ zdP|;L_|~oFZH*@O^08U0BM3+K8yXnwn?L8CtI>f6t>3c@F?+`Lx?|ZCnsqqyuO2B_ zvS zauw8s8Y&7CoE}B*h>8;Rwy3Z|voc@nDoB4<%&E;?zHHgViSt&LF358;%;^xIQ!y9z_|o4fEr=JJ*h^jvlxK>2s;iRPPnv5Gj$Goh>QkICl>BA zaFyE?O)JE9DuO^9hSmrlp{JxE-RSdSNpWIK+@%v5sX^r6w3)9qQS6_)NunShB7i*p z{=q3!F>3^;w1%VyTLrXVLedwYjgJq=PP~)H$Yer0*{#?%%KLjMRy2X|({9wr$O=mJ)u}t=dQZK2;5FH3ig*zu60AHb zPjV*Ukt2{nb8}~7P(C-MhMpXfYo8Mo8Ih6Gh;fw7;9W>n z(G`Jb?kC0Dx9sJLPA1eVIi@<`gt)Y6DTPs zIbXjF(h6M+U>uT6oqybv&c*)fQZ4$U0;*%cz`+vq~ zqOMNFXs%D}9n$t2BnP`tA4(bf4m& zcYXZmkizkzILqJvN?Mw6uRYwuoqN7-I;rMkOB*cykps`1*t;*#bp6P~kEYr$S#mlh zWzG4A(Nm{PQ8)GVq{usPpcuFW0fpFZC#&ZCCly`F>PJ(DT%m=V$ZZDxb7RoJmjh)Z zS-YJ&cD#WF82ul3!$j_%RFlQzTde*;jrH_wrBYF)G+@9RKBA`y@abbvTdJ`(!qB1T zsZj>u)RLRa@1J7!9J|iN<<^~`LGl)^wg-$tL_I)9S|wh(?r5^o8a(;y)6y>5)}5}c z{a_I2_i96P%hJC8s6UJkr6}i0$EXZ~y%lb5l~aNpYx`bZ}6y=MO+eN>+}BUp`$oMKkUok7qAe0UI0i z=U04Y6mFB^WL~_!Mf-Nj9WnyYy6%m0B?{RWX&b6XgTN=`lbkqw`0&k}fB03r*zo;p z-)e9<5*YD_M9%-K8e^G(;R@Vh?w_wQ4A ztXMlH866ft{Mm#Atge1_H&DxQHKJh?xH{eaF$0Gh0IZtL4z_`}KRc!tFyfOgRia^jcO)*^aEDBFNAfQK{FwZJYnR*>}});|A#D-FKF) zCxk_A-RgeHDMG!3OUFdO=->lR)ymKLF6~3JMpI^SiUC^TlOkH4G`}CwMY3YETEDt( z5>f6)*^yU{Tp>c`$ym4mfhwgsckZ}M 
ziu7z(TYXQ@qWr;^kb)&xic?kKUb1C+hMI9Q!~wR^J<(+HX&h^|13F?9$H)OBcMI`` zL5rAwct2eisb5@|exqXp_wmKU5Athw^odPSX7ouSoFeWatK=C1cPj)Fw=v(_)Y=^U zdE1U1`i6!XX=ys4qF$5!ky-yn@4Yd0B*Y8q(W$R)M0c+LtM`2AXdlT*{Sh^(APy|k zXVfe>8Kv+ipjFYP4^|=l%~>b2MkVk37Z0k&U%a$X!|U7jyw6Vmrv*6A6UsxF%&ak{ zb|6cb_^4d8C{rVu27bEX{oj2yU{W-#NNd)us~tn8Rncm~ee5EhLFy-uA5T7aZi+_O zxy0^Wb5~3BA7qAfDmYkYX&=%1+bKhB?dqBu`UmdZa?0;jLWV&?MN!K3zIJC?xKf7> z$PH?d=8mn2t^4^a(tNviNQ7F?I?v(2U^7qK(z>u^@80KJ-ur9o$utE7xr(pe_y>&o zx+L%6!)auec6(nb$$s3=-+yuPa=AD~&Y7zlfBS}(J3h>Pb=|+KAWN27P-ftsFFGu; znMW1i9Ebi2ROYV|phMfxJh!T2V37o3vyl;r;r#<6x|-U!AIy4qH)qAzR_qzbFPk)l18C@WJQp%468Uw;sgzeVi;Q~m4WyFPC$AI2Bm)@m;lD zqMaz9$IY@=fR5ycK*@A4V=IBvqV|v>V;9}+z?e#0OUAM5S&*02ZliU<+=!!8$b<_V z@3?H)JH#yLjk$I4wgjByq^U$e$`t&LBRAe0(JM;IRr7E6V*`jjzCpN)RqeKTRU?AG! z7cBzUx1aO#R*cQS-OH%Y`RC=!!-Ig`2V*fdX0%inREZD_ip2hjKmjGrf{qzQvHpR! z?CNSpD#g1rl^M4^`X;RDm6fR2JJt&wn_MPzE-R8PPT)=*)4k`eT!l$e(Cp9Rw0cqngy>L#L&ZQ|rU2qeR1iNZ#}eAga|tg`BeN4$Wds@#W>^MRSc(Sk4tNY?=r#V&Gs)=l4Owp$U{5Gnyu=`?ooH`m~kD zxZr}8TU%QDvki1LHA7m)#uPBXq7I&n3+vanuRcu3n>R935>GeMDDw9^ckcM@OCMY60Ykoj=RYm4GIAY^KDzDQTvo5%&{xe;1v1C7Ho!vV+n zS+n-gl0-d$E%%_zlvIILPI}94K?}V6INI_JOB?tdBlI7PPfbdqKXXE0;7!Q=BQB#6 zSOVPOHqb$RBsLk?pG~tnuiiy+YZEk|NzBKJ3UhBaC0UbeO8)Cxtrolbg=lzjVjwDb z=IHIV*~1MO2Gb-2apLj8S6v;i=NS7i7}pB?E@-6P_t#IknTnRAKJ8Ca+mW{P z|6W#4BUfZ@Uk%6lh5GN5b=nG#!xnb5iA?aCsT|lUrcqR<(MAqqR>6-S*yH_`P3mY5d9@nd;+w{aL(8J7yhI*2JJ&8e7v%J|~ zNw%+++)i9r8Y-niSf?ZI)9!4u3jCZ>QinW(_C3Jh@#T)$xiw5a*t?e+Idx0k?`%5v z#3Etz=;E?6Q%z0s@F~TrsuEccmF?y=Zh5h=QyO0ue0^gUlQQw+h57B&s~1zUfm%CR zau2_?ckIkoyTN9GYLYHHAik zAH0^7WD-gs*(G*Fn!D>zeGn=ngRJ)zETPHSjNQbG0@A@m6o!0j?~Y6nDf39T+@1Kc zs2MTzDv4YE=lRmJoq-6*(dj_MQq1*wNQ z5d_S=qi@#((Ih~fm6Zbs^}<@DJu~%Q5NH2#A4>RiCX+umNt6Dd8w^!9jg+sDU*T^fp3ZYQn%p;$>j9Cv<^{U zk=gGXryaK#m}`~orVv4lTx1PSbv|&GL=KRZzv+Bx0I?ps-!Bl|)KXOcw0T$-tJd$L z9w(J`IiQ`tBn2mIQKJkXEU2ie_M*!dNCBu0E5=g0v}bB`77Wv0=7xUBsj=LjyR^_v z$xN10X>`zbfwjFMic4*=*C$R}92E`7ym&E+<)OWL9Xw{7tUogi)LsN~2~Ew{jPK+E 
z<%&I>7`>5=3WbDCvgkFu#gHLWk7XCFMqP)F5swiX)AsJ)-@|uw$C>~Bt5dx9k)*FU zx@^y$Zl82UIQB-UMcVPV!iy_Uq34SGO$Rm@gFqVdX!^%j!~a$0UO`F~xn>;e*Y^rx zhA-S9h-`?p>4G~t&cEuz2b+1G+N|}DP}kBkSz`wD-mri$cX-w2WFE1@(2mH2N@T$ zeEE7RT(%=-(KUBURI{F5Z>-&r+Qk3?V(r7e!`DO<+7e|bFnAI2)P!G}0_ry3}r< zqb9x-bV?58pl`q9%-8`wkTBqJ*pz7&Ke1tpQY1jhAWnMAhX!CE@Y|yrby>Wj-HmD_ zJxp><0KNpo#3`847NAeAtySY%aq69({rg|PeDP~|zn9QP<5qcjxuWWVdy2hFzzo}) z?rh5p^)70}WOX!mvEJ=O!0Z3F#$4UQtZBiI2NZnJ1)zx_^=TBKoaWqtnpt{?<8rOA;MP_e=LPxzkiDg z^x%w)b=6Tn9+}M8mCUV?%-Gp+?$N#FMej76b!hSwjG$9P?oCk98*RGp+9@8y+D`YOs*e>c8TG3&l!l-41&1_L zVvQ3oo;`7bXQf%EJ9Z?I4)&HC?3}iIFQpA6EA{cq#`6B-w=a8G(tB>4F&^!V@hV8v z4gf9zE1^hsx#qj$vV%q3$&(6Gjg!sX@D~z{KnKWzL;#wDi7~R6%FWu{xsgo>ErWzW zX18`Nq{;v!GT1(37FeStfYIKa$0)L)E9<|1r>_$bpVAe#WjLn$^gvx+t$jneMULWw zw@h@c)|B)i4ilyXT?2zZ^e*s@bk+_!YPx%NHt1f=Tf z7vHacs}|)%?_X{QHOz0e#spBF`THyB9I(9-37yvDQzyFdkNIbY$_j`U0hcGyiU3dIQKt@Qpdhy zyN!DC{3fbQ^8WxZd8*kpz30m8;ANpe9>!v2)5XtKL5^~T&vI*!9SXO^^bKFhL72i4 zvs)W|&p3}FJ-ICtH6$|L3B@eHD7u3M_vF!QFub6fZ#UVJxCz96D|Q*u z2`^zQ4eJxQZ62ZZ6Hgx&5JBJtgud)@*(rH&U(!c zvvVKqQy2u75t)}8odbA@CF7pM&BxEY%?DrT_-WTMmoIPa#|cao*|PcLiU(&lATj|8 zW-(I-Rd5xL@SCu+98;{+f`lteRXwC%967&F=gNskYgpDzUJnF0QM?(OEh)C%9&Gx#{(uR zczL-u=1g$can-hYG55qTW+ozQdlc9wP?5()gCF8gx7CIuRTVjreSZshcF-Bn@JYY6sw+M~#IES;gQV3UZrnELn5&ivN}&Ob{erfrVMHa3N#Nw>c@OF1w+f z%*vr&KyJD$dl)-5Vl&{@I>jZPYY4Rz|KMe#`$S^4=kER%=N+#w3O{D&4TlUuRY^-M z@qrrBLnafl+qCI-0;`Pjn(b$g(29GRMG#am%9sPQz-O+`;Hf$LJQjRBvdY?XGGaC1(ZRjx3 z^Uf`;XjJ$<3}w{SF$Q}LYB=)1){d>yM%1>NXHjwIjT*oI@tRNU6<<+JS@EJ8}~w0n|Y1U3Dts{l3+7Y~G;LZTy72Bs5~F zMe`C{1Qula;n53Lt$J;%?E&;n3JlW9BtzCk-MMAo9z#;g?4;6cUXJqTpK;^VuP@c| zF&FEs=g&peefRDSFcGX4G8rVglS%8FdyGAH4M7vCVS=4%(c3zrcHp~u;uX^ZrK|3v zAl$GVIbQz8n0P4SL4&MUVaV)NdlN_So=EUMA3b<5?}*(6>~32goIH0fy!H^#LFWAN zT2R~pZI_2uE^~MHiuuzv=QovUV9$n}FI4-~sl|<7fM)O*JJjbW=nHn1YqCe+ICeqS z1QVz8&tb&ff&&YMT}>^F_%-X_Q5t1L{VYHn;;kRNCT z$;8VRwEUMn9@WdN-KTq&F$$@5&6)<6tD9mYYH64h`#%1pwUID9_^Hf_8$Q*p1e+!xmo9r2qGy zI#OL8HD=7L+P_10=k%D=LG~krWE_4+aF{!n&Yxwm#T~n_| 
zi>%k&xd$U6@(tDZ-0-TD|2f1MO~72puXSOH%4%L_Ee=>Q#jd&;1&Tcu;qkgw`Zh?g9>OQ(y@6vXH1_?k3IoJ;O!PW3Ji;rda8&gaU-@4y3X9K^-s&n zL|V(-J*r~*!LTqV%1tig{dqHZo|42E)lfM?fQNTl8riZK35Hp#1*LhpR7>QsjcqG9 zuDFrMljEN7Q6kliMXUq+)q5Kt&8f-51ANez&tu?q!1puy5V0!K#@e4%@g|#}e0!=et8eMh)b%wYV%L|@Do+9-n6FFm;X6-V?_c4bof{e3!vZPINn@5}u$A^PO})X&DXKkxl~b!E}HlKuC8 zwtW41XiV+3akV~6YStY6w&7SU1QXAIL`pY3BgY*X?@upGUQ~TQJdv1C-r>bcs3u<$AB?;8}`MmtOTBb&A1^;Ebe* zp8472D}dJ1pk_3IG7!XbcIdr zw(3XaH!ZsS0MnyF1I$}mcAm^}=T6s^E6J5fM*zBi!jJK4=^gIBO~1lSb`sNt0nXdb zT)6NGe7Z4m(~c2K6#^n!eQYdb@?es`(@wZHBIksod z?b(SvLZdsdDXN<1S*9`zjwu|eI-fIHBXlJauU@3em8n(st{7(dyaKIuLK%q_Ezf}e zD^|or`OUJkBQ5^j{L3aK!2jg+>&-m%SwrYRP3m*V*wF29RC^DvQC71=O94T&$UlBu zy0X&%4OuN(>jX`YFBfGuAdY5EcK7fQ6ZU9DMC(}TBCx|p8d)T*TE6d}O`b5J&GUJ# zPY`3Ff}OP?ZZ7v3kmThSpQAnhJo^}iE^D^tZ<2hDrNf8&AJwIqqJi8_SEio$-|-n| ziQR+(p3=6hTX_n=a7|w~w*-jL^5La(X3gp#k*GXR@)Gr%q?jbqUG=Pd;ew!dmkgRN4XcDm`IzpJ!c8e zKOy14)t(YjMmYD{D35-jI#&DiLo|k8WC0=YvN~bB!?xP@fixb)vXif-RarU20_u4z_uX}Wm0g^9zmIPf_OmLYle4&{YM2CmOB{lapl(H8{ zTo9z8m%npFZv2oT_ZbG}?EHuNL2O&j2Nv3$IAxzWW@Jm-^Nj~!wW*NEbjELNLe#c) zlLpg~m}QU|U~!t0jrvp6E1Y%9O0`GTfKKEh4RmT7I7LXENNQpl&cW9)tY?DeGu{@u z1$3D&HVf4|*f9_cGaPPQ8Smw$1Ch=?LSVCNusg`w^aWpYkw|XuIZXc4-L3~Xg21pI z-MwpNduk=Kf4uRB;@A^sl=Z3RB}@ko&I6kPp0DcZk^u2zGbvJ2ceV!Vi$ zfLknorCkQmMnJ`yQcNRWLTq zwAj0v$M`I6N5I$tMlTn+-X0x|3T0T&yr+C{mB*q1bNI4 zSG}u=w!CBAnCMbqS{12ieRN!rt?del&#{XDYDIGu{&bB^xnDWvz-85&dpftx=|PI< zd9-55vLuacqCA8p<=Lg3-IdtW3^nKWb{%L7^|S3w$DPs9y^NPXqblOD(9;zrRTSq8 zq1l>U{}{%YuJfXzqLr_%UqLf!7-e&F;e+WBBnrTYq%AwwrL)xZyD#R^5AMdNn#%D- zV&=Zo<&tX_r4Z>Q{Y1DpULvxBmjF@pA!RAq61s3J*-#1Zfvi;;mj-5v=HNb|bvNYl5pRnaqlzTKS zS=`dq*>d3S&iy)gTzDFU0VUW&=#*0!BS%h1QQMq=zKfuU($Qge>0U$XCVV9QmG*cmgrI6eG@TA46fUuCy_`2T4Es_)r6 z9vmUl^Uw@VSM*+*oY-;2&`Ec-hZ?<2m||ni?e3z$xCo7#*EF^t&}ebcnKfx=aNhkY zZJ(WI{n3Aa|1UqNv)`3N^y!XZYMI=(T=`&{Nr3uAK4~Cg*kVy zXHXe_b>^HN~Qa5Di302u@!klfVU%Zv6ido(BM7*^om=E4YE z6QrLHs|9mU&pL1gc0ok9aTY4_m!SUeP&GuDP<2rGnsOnMUt zPvti^UZc?^rT4*VuUBOQW9@WF_B?y{>agWDUelfX34+sA3wFjP4d^fvhEgM+IoS#S 
z;0mU^_UQ4#CmQ&8ztON{ExFBoIbb8!s?|lW*f;xA^xjXqH};vMF&TkhOLH?=J_7?7 zj=S8|RfPSQ^=|0Q?(uX?J37MK+iX%n`L)oN=GiIw1>bOUOV{$By39V8)hs@J zb}*aKI{HY@z_aJhm9pum@L+XtdVouyiA#IMi9ewewT$QY&UZDU+;oiJx#Gv!w?Gyb z=U<~*oTviCxH&obDeu$utaL~TkM2)4RpfmPQPZr4LBdT3gI`RS4$5v~|4=JclPB0W-S zQq(l29Ufg-Q-f>*jL@`xV^aEB_BnY9qFe?NjB(8j=AM$tQLB;U#~zM$8%_t^9kF52 z=7849;$*ciTY;Q`aH)zIDul{+NappbhmM&)_HeaW`^{J>4`JO2c-b_nxeyiT*m zk(?n(M$x{o{YRCrZ?^tkb+1?3P*Ncx*XExNs9u;7R+*sKhe-rO_4NzrR-4yQo}2p? z>=6c#@*7T^I*I?HT%9y|a<7r@gl>EMAV&U5ny`wa7^3#@-o2LbPl3VmHRr2uI+*7A z#kFflRDO2$QR9@lf|&hxBah@-=o2DoDziWP?DSl_%S-jmN1K{rz}gVh`r8Fg8UdxE z$&HPe_#@Qa#Y%NN-Nz!%j;e9P#*O%SYj!Vdtm1|N)$r-bCHSxC@MB;=!&|`6&U#`$ zB*Y;)#mDj8wspTvbUb|Ih+Ob~Pvf^v4a}7=KUz*yLMQNs$@B11x_Y8Bzh|$wm?Mh4 zGQYo%d+uGZ(k1d!ftXkDjFuN=w&6s*qb44;wayj6-arTFE)fqnZ#f#&$LO zSwa=|30Gj@lIB3g$A5S*St8?&9R z=j;>s-AB2(=Ji9#;D?)-oSt!((uS3T0lxc$2otmv2aMZ*$l;SS^~7VE)CSH!f7$y@ zt}25ZNM%yJ?qU40B5LbasAWb|)6f5(jt)53Cj#QZk~$RE?F7n0(f66|7`KPdFDPaOlk#G@i5!I(qG{3mrBreRrS zWllq~0zm~izeWxlwk#s3#N-~zI}Q-!eV~w}h>`ZXd-zql!ZM>C?ZM%EyR43FA#z`Q zmlRlRZ_@Nw{Cq=!{zNaYONS1L&dtChkT#D_EMPTaTJYvoqba zZHX(dIM#~QPdny6fP7*yMTON7`o3s*1_GX~0gtzR z`Tnu&CmbEij20Do0VXBv{XfR^5Mp# z7E1o5q;FnZ)pw(PaP{|+sSX7@v_%H}@S*4_b?)Eu44Cexq7p3A8(LFS)2+P@qIfW1 z;CF}tq!W_~BTUzJ^S!PA3XtEl2wqH1?mt|8>H*hf3!fbOd1BEF zyG)%8s`>_1V>|WGw9$(0)MvC2TZKdG2jzQCPH5-eLF#8_y(e@b!~ybKuw==;Lx=8< zxo~Q&G|mp;@xf_xiO~=Hx5>+C8j(3GckDw ze)}0VNZa!>eF1E=RNE!|)I2=FF)<-wbb$7uzF~AJ{%; z9zsVHHMduvMYi-$;Nhf5qZk=cT+6I>PoZ*i}%ncmpabnFb?Kv(Ih zQd0|De0tZ%XWR0t?{S_}1kF4qZGGI?Bej# z?(8%6DCZ^k@rX7ij$@Ds3`OQkN^!hw@^I)Xz z&O&2#=-@$+Z1{h5!EuH+c@=Sjv#kWL2jTM7tHe3^3}J31u=UwPhn9PKHlMH_oKUuL zL*S!=f_A}kQx3Oj(*pm=sGY|bCWK{M?-)LH%GDbSCP+%3c$PcP2E9f+ec#w>U;Kk+ zgp~*hU=0q?!-Lk)|J~QFkO{;!Gc-PQ?UQ6B=?CtesoM<-K!|Is$pq1-EShhq>px)kLM7#rB^Lck zX7_Vsey~}ak?Q(JMukw=mX?cw%F*&S;lvTMVw=Kw+^xbVb5=8}3W$9j9?3hXtf z&OfJMk?R{B9oM|myFTM}@wIOljGdZ6ZXE8W)Xr~yIQj4_Sp0td5Mc&FWAfZVc2b`; zf|m17d~_Di=jZ2pM9oZX12SPq^TzV!xN&HcBEw=&N!q&KHMa1siE7^ni>(1ldou0L 
z&H}h%>_GigO-J}cpn^f=gYt{DhwAt2V1+>WpzX>u$BqGRLH!KoS5=*JdxFEx?5I$l z(^KyOo(4(}SNXrWyW`fGS>21~IZC>0d%5#@ZhHM=?H`{E{bEj0nTU35rQ7F-(Sk0u zfAEn)uS(J1LfwP1jJ_DTvahe$Wt{g^7pl+Cb7K5DE7KEz-Z-pr4jIR8BTKlhH*DFz zcDmiHt?z*@PAXH`t|8_wu6$6;NEUKpCyv|Ld+34%^V$d52;a2_+$@`Pz4*KirI}&HH2i-4v8etk0z{2j}EfYeOE2ChSg!zj+n4%HV;kI7vhu|VsSj@>4Euwv?|B_^pR zS-hS7_JnRnl0Pm=n&Z?hxr@U)oi{CQe&jB6Y?Gco`_w5jH&)i$`x{oceV-tYO2mI` zOS^UPSFawTXLS9Mn0%dO>!(eN#96}5pDM(~g`4-AW&96kbKdSj$Ivy_m5eBAOGINj zYYXHqLW2?VpO-GmmMH;Upco@>xGEl&1zD~W%}Lf+7yh2x!&i%fo&#Mf-OJ-{e`#p2 z^mi+}v9tRz>)DLNlE%@R$k&wf2hO=}HT}8o%cM~)YFxC6oSco0Nsql#j-Yy&vnn?D zT@y}GWH+(MV?lBjGg#)YWRL+h-#@?ZuQO5t$$ zpqvB7ofr_GGYP?aG^F92{rrTP;GyP2k#}Z3e~YkJ2}ql>7B8awf*4h24FKHx{pNNmopq!ykhZYouc%87Uni037#^-iwKh#X)(0Sgx zN*;r|TIjTRWtaBudfOSRWz8lb)S_U7q}9DaqPjHL>|&vYpY7>Hdo;76IAg-R zr!G9#Eh@S_*A&HE-}CvTl;o>OE3x#x?Y1}9V(&-J@;m32jJC-uaw!q*uBqNoOLDjI z&ysZNBsOGHogC~~>VCkJi?8rFwO^7ybwp*pc7SLD`Q^ut+4lDJKYn1ju@;Rq%_e8I zXL)V$(8*7iu3Y(vbn~6hRUet&S2_xHw=Qc=&!!!UG8PS_p}!^)$FkHjdna8c$>GEB zqX+KZb3M7~*s<5syJ-JEuHFM2%f9~uK8++4A)Bm}?3s-0QA8TDL$Xy$C4@u>AtjO> zEy|7%DIvQdqezHCMrOqOIlJHI{U67B9rw}kJojC>uIv1b@Avcl3^9gg%eVNVNK)~p zO-@!K9d0b_B*9uw4?m7{j5)k>%NLi6K0fI?Tk=$kgD!+UaB134Z%4>4a7@+F^RYJdMDRNLQEy+!7jTr|XM?^17C(qFA@locgv6R%N4^M&&765p z`$Dx4bZml&j}OrJ<+t0ukBmfi@-eJ8AL|KcL-g)uUTbYh6(n)}{2=OdYc7H5wmuuZ z1$DF@H#QULx{o-ha&u{H2}!)En@=bhXtG|su!W1j5^de(2Ze0X`Y7u@S6-AGdt%0I zi7fNu-^Z}8K-YqRKwL!RJD7F+nlZU{Q@@zDTr77D*hmDSXh7mGdKM5%h3ZcOtq)16 z+E{=S9H`}uMn^1Hr18Lj!`n0?rWrd3X2Rg_j(Yz=r;5hlVt3t2Z$Z_tD*IU2CG=&Mc;+XMgNy_PF<;b<3yh8c<*`8$ky@Z0*HPZ&4tJ zehQxxz%mEDMRVI;t0hH^7bL;Nz_7)jhF5H-fFY9(hJPR)pdy3Enm?|b?@!Fc9J@&e z3qo3M*+5*+ET55bviw=s8}^U)W29nW7z=$bs5Y=RMNI^6FL1MN#?lmTL7jzJ%W)SM z4i*+UkUj7oXTMVZ{~O7o9DPq$_AnE%k#chqZpTH7@dvR2Uqfi50J>v$02B`cz=oh6 z^f(uHKYw~Gvh{9xjiI6KXy2Ehvsd6$2|+NSEJqW4nUF z$NKvF_}r{?*(fQ?SbOTpnh2{01yf{3Ax3~#9- zJSEr<3ISEVesWsiSD`KcyWS1JyYTNR39Cn66$KnYa{#o|=qUU9;R&%e%OIZ2maA+A 
zUk|-9TK#zA#!0s;_wPHSPlT=+V{+6W2s7MfMsG#(vgH&N(K~3Ys{tUpZvFbl4J*g@77#(fYRLXF%<4cO0EHdC5LG_jD=#0g@owBWUgyyblg@Kz z&V0+yN6r^)%N?&~a8*5jOAwfs@C1AkQc#g+wLpKE#4WU6wbl;rP=10`|iqYLy zwMs(Qc_b6hBRJw69z**VV?)n78-KfTF}+!dG7w|cH2U$g%kJ+^JC%ctxwDi5FRmj{ zfrFJ5Ez@zVTi|XW-vPT$DbaMFZ}>hujQubnoMBA3nI;j1!s9MV?h_&b0e)Fu|`=g}u zLqi2{aMA{kA^;V04Pap%S}Zcdc(&^8r#Py&so$Xq*-S0)#ia+lQEVp+VXw7Ie3~^^ z;;|WZa_u)bsv*5qv_##hZa?x0H8@Xwl!ZN=v9Gy3;sW zOZBrl08i;K@9zN53B43h0bIqowpEtGXK|lGY5}E=xT@-1tqiEWCSk6J-l}po54GZ3 zw~omsDeL#AhQEJTR#Cxa^@G*|VC2qQcT!URVl--Yge?PAGWH0@K*+WVcXYyCwT<9_ zAF-42Ci#u@MHta9EbLNHz>1!lp0+6Uuz(r`+CxbIza=}JV*7O2_We1 zlD|JD$oFAxal=v?XfAdR*-~O6R$aY@wk$NQ>C>m9hKBAa{YEXufa;pw6PJS3=QZhK zjs4M0_4~0w0hU;+)qi6ybd)W}7C?RD^Jn%UTFpeK%>;^i+(1y>Yht_X*kSOwZ4XK* zP!6`k`RJT(mxsAIWaPf~c6N{*T!!-+>5n8JmV+fdPko4ylY;}+O({=btk8t)C13!u zvf?kgkJIb+9A$)0h1IRt6Kb}t^?mqMQ|8@;ZiAS5s#x@VFN72JBz;EcL;QfFDJl)xIN91~% zS3+D|Tv&2oWkC#u!G_lLtA#mPx+OOtg4!b@qG!25FFjg({@cE>Hp_PL(aAnHZTftD zw)b58@h2eq(w#Fgz8)#1uxr<+y1ElfGsAb2BRYh7VHJZzf*fLZ6$mLQnftR$V`Q@~ zTF>wApAv*oXJrkd)`lbbMMQ>RB_j9F1(FUyag9Qkj!YD^KnU=Pa5D-R;9>hdIav)K zE08^hX*QiN=aG#MECs?ihOi zh{XK2&6oq2nre!~Z~N-aic{VHJGST~x@C!pOLITBkS<5L$Es8N<8TZowz)}rrflMs z2eh!|qYFmnce%lF0cwo#f!9e9Jv0^=>;vWCEVz5Yhmjt26JFmg7%^O( z@CDZnExy=AkLH01l)mOdRl?1{gVCAY8;y52(JJ-4=m?ebzt*;LWbYQDb=w^!;ruIs za+hBCEnL@rx10c5>hE{7WN?7F_bs5)63}g82Wn&9P|8h5U;V=8<$^*xvzqVea&dfY ztpBp>Lbd`bKt`~7;XZ5!Qw3brgS#|il=x`{ckN;)5)YQ3BLX5d4-z^ptpQX8Ki`V$%WMLO*!-&}zid2Fe@VO)w*1RDc5R6DwT5urHtHT{_ezatIp!RX|G1*2ww31bY0K=94r#zw}mpE}>ay0TGSk;M2=kZ0=Um3j>ND7}Y# zdqDW0r230*rq}z^^1_e0x@}Z6vmNi>dp>_=p`5-q`hQ#i-}#l{r`5mo^-{k!H7qWQ z2`)u~kENt+%of07^cd6ZKNG$3rqP`lRJT2hu^cc@y?G`|{M)Bvfh1OfU5A?;cK*=w z+$&j}29UU8@6Ip=H(_Qnc^kjmALke98BAxfWk^N~&{lNSphvXAO0ugfQ6a?)b_Zk% zwoL^aCucW2=tbgj8uXZb6JVf`gVt!eu0hgT=^5soWriU2I%C3r(w3o#Zl zFllROZU(&wPb1&%igZCC*T`4t-(Wy$U4O;tJ~pj=b>&W~tpk0B z`QN?UL%sf4BF(Q+(_gz4lJMk?1l944es_Up>A`EENos0peB;k6+J3&%4V>s{@v+dY zARFb7TUA5Dd0Vj+H4~9N;6*vW-W3{yfnTSf`#EC8ItLlW_ykWMa;Mp2D2X3Dr=RThi 
zNvXi#CpId{Nztr6*A^zH; zAcI8u!SY3U;J$!Kb+S5?>Q}%!rbO@>LcXtEx$+7R3uZ#dnkQrC&;9yrAzS3^Z9IepXN-nem3El;=7#TlM`C;6i`)`qCYH3}0T;H2z+Z~9deqJy}! zV>?b?c*(KHe^jcPgYL7M=nwFxo=DS71@z!!(J>5_xVaoMPL0}fuz`+vUQBH(5berx zSCv!jUGYxqJ)2Sg0}1z5t}3CmAYdR7W2o8_PA2$txV;%B*kv&!f+BKfs zr%#_Cd?)z`{o6%oQCk7-z-zV?Tj#+8fZDnM?g6dk%g7`u(*4;h5@&$XJ2-9V0K9-> zczM}7Ny*B4=*i@FhCK%16&nM6D|k{|+}tR+x^UBjys8LqM}`zvOq&nqgPT0Q%P zvGsrI3~kI;F`9!(+&U}j9%jHako1a~0JZpocm(s_^!_>&w}F9cIOW-) z3;kSv$XcJ0Ai&XvWHqm}G~R$IR6l`XP4A!sb^3nl7$--^nK3Kf`XjLQvXN-mr(`7N zjA9EPrn1<`!~~N{uL~EpD&M?6m(D}ijv9qmJ>c#b?Yn6q*e&Sl>%*(UA7~#w48Cy^ z|3b40zL;BWF!mjB<9@uics&M{6&!vVbzd%D}937G?cA)gTmF#iJ&pB z>~Ye$t#kgoWT;@@M?a2-VBWqu-URd_G$aHZUtcT%En}3Upd_I;1F8FUMw0y2aB#-f zFp9!a3=@?%C~o0s4Nf6`zOz%SE;PCKT)=Vq4EuE4=y;>}6)&g8AL!yqJRU76XrR#E zV_c6a+eu`coIc=Y{V_4|h09IGPI@8{MP=6VLEDgVEK?$=e%UX=H3!9M!mV4~y}i$l z-_M=e&JxOICm=>t_N)7^EQ+eG1l6#BB&>dUSx{V}euleoaD<&8Iy(m&9Fr27R_vwy zV{hNa@gc69(&rm0u4Qc8iucpgbLXWUNse5;jlnnSACm7M~&p<;(fG0%|4?Otd6ZU-qFi1s6?Vd7qp&*oY?~ZtFyeZebK#NkQP)5dC z#k-xgtiq1dsGA97%&so}sCRE02OfS%a@o7@d3=h5Pwd!8TV*FDQ!1|8i+)n9Wy_86 z1s8q^N4E3zf%|dF#pUMP4~g^ZqxE1xpYTNT_UFcT?1e@Rj%P5O$LhfZgn^*eM9Iu= znhbyHeUkg;&_!UQjE%}m^lIn-)HpE+a%{rj#gEdC%%u73Ibx!OwN}}|^3fgPj zK+^rPbMT;R#iKzrp(OlBI~vRD`S}Slq!M)X$hwnkA_#uJ%wd7DrdE9Z+BIdHLqcD2 z*EtgWaSgRQ@}RZ;{(YZi)Ag;VM4BC*f|mE&_R}@0iQXi{Tp+wg)Kg4)f*NxS^r&Y% zJFkU^a|<&+#JWS%l!gH8qK%kjg1EjeG7F17^8|28;ww@$3+__*WlAa=jM3_AL01Mc>Fkrv?VwX(R^K9$2xIv3>omQ=N5Z^-`U@2mlj&lyb<)D-ZGZPbh37y>BdVYoG zPGzhk%p2%vr54~$n=LB(kkUlJf3vBIiu;pcZHuM(e^)$3O&ZCw|avRE1bUm95* z@PPl4;NXah-0JdJj2961_jhP>tI!o4c&A1|!_ERHBt+ic?{INQ84g_YgS)4|X_6Q= z;K`)d@U~$kzU1qV_al^yg3X*va8ehy_mGs3V0lOMnW$WOY4=BIU3!6OSESC7TW^nc z2G7jw!wN9K(Qe(OU@xtj2{Sk_Zl1K{$KpA15J6aA26hR5{?IrDXfz5{>a%@K3#P5* z2|fJl2zuY%Yc0@4!YpWWnIDJ>w9y0W1|GNAOYcYEJt?5V4gkwM%*njL0nH~-gSH6e z0(d5`xh&hO1Gm~2ve8;>wDJ*%R4pX1&ki2BRXal?ly$PUD>p}k>*%El1}VMO!Sj`O zHVSRQO@ZT0`~LfafA8%Vsa=$i@Pv)?#2!5}j&=vBD5CgyN|fM3t-dAM7_(F$)dhs5z-c9i*)hh2mD0ishWH4{QRz0aLP26VaND=jvB 
zRRkGjn(Y~k^t4XOsGzAcjQn%VC8?>u{3Yh$Hu179@;1ESDy!IW!~qR8GN8g21_NR> z*foM|12%?|{Qv$Y0Q5&KEips?aNau8%p2&$?FYl`eI|a%Vx)xsxT8!aa31tb7rm8v z=`Dcn4;bUXvb03Xu+ZzBj=lO3mPE}qHyI;L?)U(HS@0$eF(pMRibIzlJXdEyuk`+VAzS)eTO}th zAxk_iMkJ?|{O|4MBUxfY^SjO>HfhvP<2@xsc9*<5gU{<-Qo{%6K(EORbNrkfMdXQY z`u|oq*{dWZ;HoGcY^Mw{2oXP1YrmLn<0SFmu{%M$sCAR!c!H0Fra8^{{_%fb^=Fs{ z?#Hu1CD>aKyCp-PP2zC(d|9&NJO>`ec)gK=llk~16W6szM0x`|DGBR@fGJNph-01>>vQG zt-iwT`t_G!qa{Cc%y^uT>Gbqb>apcv!_q05sU~a%+(?qA7ows}w76=PUDxLGkRI?@ z%Q)<1@j39*LG3p9zm02C0X;UUCCt^DM_Wn%-Ub%MKHNHjj{jPZOSf*ahVBYFcJRJbkvdslf0rT+iAyK>}3%2;0zk%tFW~<<$u!x_4Ztx z0q?8h^}V#qnxDQ@tlf-CNt}o|YP5?0Co$b&c6WK%Qz9lSr(RK}^ul*e zL{05ghnMUpNnKsEPfsXGS$HP5;j;dSsYve>&0Y(Oh?ige zc;t%WR=(dvg8T2;AHM;7L`OZ>*9nn(hBhLhzgvdG3>qnL+mYl@w(G>IM%V4)tDeHNv0sA(WwXX!~K6F znM_Bm37-ji0=`t7}Wzqq-57tZ<6LlO?0tt*f02uDs!$&}bwIP^vS0T^_Z>HYN&i;?(iuVAHBWWFI z!bBR@QP_c_N3BT)9}uv!q78;{WnBj^lt2J?gQw2?sPNUe$EoSp#oyCJv>9%BT; zp+oq?QG`(u36eH=cR(J=5Xm(Da5Py|H3%rB4JNaQ2=QYt?(&C|o*r;yU8l)}fdWMk zlG}s%alKRUOH0S{hvRus)qv|s8?3S6mf2I={Y`sB&^l|_nTCLB=F$NbC#A9eZs8_{uc z?zwnoxj89oWwio`&hmoj{>VB7zAL_JZN1iS>+NguWSUuU1U9~r?90D<-RFMx+t{S&I1n@Idb=&4CI^rB zdHPrPq82Lu6Y-&CF*LfkAYML-Nuv~_H1nr)aV zv<=(HwZFu|q_@a(-(Ch~`x>GmdNuUQ?SCQ~kkw zDA%H*+OTmX6krtvo=Q2SM{y?6FQrWn9kPNWz$Xriy|mph1G}G{J&QW$RF==_8jk=h9n`(#ybsOXkWXZIn;-6jyC4 z5R(B?<~R2zRQpQ6U*G%Lmzds@0UY({uEY zcftCsg_@Cb1M2$y`@_&1$`x&vC^0>H-@-gT7I<{++6^VA zQ*7QHXO#SMH|ShfkjDfraa)7U6+7(i6uaQJv=fuOHn-BS92Y@Yv+{ z)b3G)9tj8?o`J);w{II_B_!%awyVp_ad&%MF;1Dq+y!Wh!1Zq3ZH}PD;lDz-^&&f~ zy`ux!QoD%a8)cNF!oRSXCpmSsU|TW(B5B268wiKzkzZ5rU7*Q^-%sL)gUK+&#y>bz zy*SeELuaq`3_PWfyU1~AZ)=+bg8**>f5635Ns71N@Lx_a^WZ2VlVW_kF!qR<8JldE z3vLxKynxh!7x&~rZmnGp3nsxj5jE1a`Oxb?TMkSo;s|LHNfkRgr{cB4IV~v(4t#dD zl&#@E!>aT15y@+aDb>r2x^ssOu0^OeAGN!7?ZpX9g&G^ZO3E`d#lIylEU(8nAMAP` zSJ48ljSet*7zDEl=qt2NfI0OVS&~D?vLkgpm!S`90Sn~F>xRxxpW+SfbDknl;A|^CH|G;M%ct>gb&JVFJhwqTs z5_y0BVLp=kGWDRiGq+oK$T~CAWUF!vdf7_t&u@y)h!}f+8y0++mv`dQ*pPhK#V?N@ z9mK`?@*MTeMti6MSm}l_meRH8O3rp2(kSAdo^>=@j 
zl{@kv;ijRUntin}GtB*c445wl49+hwwF)P`XBZB?zyJNylovdr8JrBFu+pS#U?>Do z1(OzMcX#APB7n)t)6?@wRpNC4ajV{4Fu29~M^}OM&vOU+{Dy(>?%lg@-g&YOpc2B} znSn&(8U49ByCE3v za5?;>r7MAFqL+Po=`7ptiNX_mf?IGed3euq-rSHTmMgZUlK$HK0oUn*xJ?oZ&on zSM&BmT>WR8Q2c`5g`_NBtTp^`m}jFJfekGa87~d}8(bz`?CnWb1IF?QSv=#yNC1b& z%9fFrkBW#$+I1=wrj9#vcTTaBR>+tqu=Db^>~sV`4C5a*AaWR^adEx1lLp1`;cesSq`za(*b#CRr> z{b^!vRh1fbk>+8oc{Iu%?d3=&fGqPgnI)$)ZqlaT&edGR;qt#Pp@Xv$~k_jSQ*zUg@ZwjE}F7_cU* z2d?5Af&Xev)a?_ne;XPf7Z(%r0~aPkJB&_Ih33^;yh+G@d$1eEZ*IAYN%b`az0Usr z$MAT4D(MkAIns6^`kJzpP0O(qE3=RVkKHOJ+-lG3?jDfHK){v1=c!Zicm8lmJiftj z{d#=hvL{n@)rSwOk0WL5YZr@)V}AVLtmS^SWRm{)vF9mu&BSSX`banTa+R3Z6o1ro zn<|$6cz*o!X<=##iRYv&MUHN>pS=u5AO<~NdVgdJjrxNwUw#SBW>T+dL=)!1r;g}A zZ0oxjCTlolP>UcAo&g%O|D;|#J%}$LsY0lNP(|q*x?m;RISK>=^7YOid2B|S z`C-frRC_=B4MZWFMq@d!scQ0nTmbwBa`o>zc{f(kPC6WOz;7H-8x>t;G`T?}CdV+J z3F&lGw?(e3r&sXXx6jS1K*vxRMkJ@c)&$f>#oqa2xftSdW5a$)si#bb zeknfrT(O{iZ~)#fXC`FvE^+i=;Dl1=u=j`B;QL$+I03<@g9nf#k6Gq7;$qnT#C@Qv~^oB-ovg~E3h zYj8l9I^6f*R>wikQZwED7gZ*yQI0PrfL;tWn!nI1JG*`9ONG2?cYI3A-=nwmvS7GR zx<__){u~_@w=53VrjaxwP4Qsng((cx{Fl;Wn1g_a3@-o8&|DZJ@85WPz5Ra-HQei9 zsDU!5GtGoKHJoJ8Z_+a|-aoJdMFEDH7#496P=0Ph#tQ@>h;hO)aXBX(Hov1nAzBZ- zWYPxhY#$l{@-#=}TWzfaeoG~fF-Z9&pJ}|Cg_9FPS)b01M0~?J-7oNVarxjczk?J4 zsk0a_6gt!)1E$RR`ODKzkkJ9~!SBgC&;Z@iqr#c$BZm$@q6>S&6Z<6ArtGw&yR}CQ zpWZ>4D^kGy8@brU{Aoqke>`&Rn3VZ*LgeSqHJj&nJS!qzV;xz3Mn)dmuNZCDT;Gqw z9#J4jhK^1`IX}_*xpzc;M^|g_e_1de4pNDG_O8b*gXS5dY_{w>gI{m1BXH;AR0qKq zQ%ofKQU*PJ`ZOV-6AeR$#3!8ZfB*h9Jq}9_2w4#!V_<9B*W66HqTcPr5?o$fgsK<$ z6Jh7}8zJr!Co^^ka>qv}Cj)0kOAk8eh5mh^FQ9LBg-Gy?fApHylp(JX@9P?PFy2X8C-{;SJ(Db5N)2|qvO+|~0huYvLfq1>gk@1EOA+SawhkYoJ z${a(>Jw^pLVn1%+En2^YEHqx=Uh2jAzRXD;?;t^L4i z|Eo55i;xIdZKtDhr=}Lo^`r}n&c^UX+b?sC_kC%vNslD53btjA@Cv9EqGL%>^D9VC zk3E<5*^YHiy+(T)vYlW?-J9~9!gl5 zAxH<-41Yd8ewOPu(mDr815MC2LpDF3=KUsXm}Fi*U-u?;wD;5E%F-ghVQOOME#L93 zfYs|;uPnuZ@&=a{fXTQZ&bWv~a9Dr~ikFv3NSri!*HCuDUM2<*;7*|a#B~0h;yur^ zK-OTj1VV_H(uu&o=QPZ_R%d6oCRB^t{8X^7RX4P9b06b~(j#D?fT8ks+F(Rfp(F!F 
z(bd&pbOOJam&+R19j9h1RP$S%`DJ72@Qv|dipc)LB)%2FJi21nx>Wm&JO5;H>hL81T)|NKOC4kP?x7c*)z&%> zK_MNXeBl?g;@gP)XK9zeu>fP-2@E47shbwob7DtNDk`LYjyLjO9ALV-@k$uunxB}q z2=@(x^1K{*nVbpOj(i;)#JDe8-0{}Un~15ZQ=`|L5f&C!1##b4&4jv&fE=A8C z3~-!IoY%(3S4XHbb9 zkmsFP;n?`CxR^0sZ$Vv?c z+svyl6A2oo>XiW-PtW54dq&6Be(wUCZQaITeZDNiEcqyO( zJ(hT@hG8QdyrK0xpz}00mto(I$d|NHrKRVAiGFf=*CrI{dKN%BI5Z&49`3nnw@Ojp za4p0sJ~sR=_z^_9tKbplh!0cIHi7vM&6$krf=31Ce$UXodoMThyIS$f#{(aUBO33P zO^%*8QLy#)&=GNhl`UXD=z~qi7i1|lj-L}cOtp7TJ^Ad}Zcnyb*M^5priL1S|9Jl; z`Q&8x@7pcOpE5r|nnKt)JBJ>md$5vL_4~T}w}8RLT^nL43h#?+vI^2&%lxSPD6jK~ zd!8pRe;Jc?P^Mt|H^PfDGyK|)@XkjiB|Vl4IhJ`vJKnrxqZMMXkeyi`{8Nz=B`kcQ zTv&Bd-QVU{>T*C@h0e@SdE3H8@8W{Lzyy*0rA2#g^5li-Zy&Ee-*s{3_0_9uw6`TB z*7AgYjCN_yG9|bC`q*UZ9aB&cS5UCIG+ND`Ad)uIQllgX_5-z*Lo;he+=-%YS+R2j z5gQJ+c}0cFz2n1}W9afTp<{`&3~;ZzHl?^AWhsA*e}_J8caNn|NS6m2Ut!tvc}?2# zGNnPk;*#BkEyjoS5chh_WBf(u@-&|%-imPPt6DQGP@#~r&#ANm^z>&}c8-sG40~s3 zzpmeUEk^x=@7mF0`@PRiL^HknI1xNyQL>W|I}gX~3n4fL1%BbeD7?)O|Gji<)Ma6G zAZVm$v(}wEYv(T%3& zYUVhP^#l@)!Po}f@33FSjE;`Zluso9nK;&l^OGmH|GA-;WxrP;%0!)4!1u7B;bYwf z2TxB|&%Y+m*gNhN%JQ4=yW89M;q$2OgH}HCNW$kYU+|C4gl=TMUjL`7fre4+XYaP=~DF9%&5;Tx7;nM?VdGRW8fPzUd$IXWzSqcS3=B=ZE*L-4gp7@!MeY;_@>5>Gzf%qKy@0J%JJ$ z&1pA4puP`h$!@s*`j$X5`sS7vecHsN`J(KE}RylK=dzaf@$sJMxz*^1jERr0UI|G_JI{@L(=1zBvo@-9rBd#PiSVv(&d>N0n7X9k0Wn~KEgUaKqT<`G}|=NFct@D(P_)yD}qmedIifC zOOZAMtk#uw%o8^wVc8ZL+L1!K$pL#ebc*kSA4Ge*Gz2Ta&+y>X&VG+t)PBcE?nmra z(n(B5C%l>){55MN@Ij)Pf3+&ex9DHnVRm35^lcH0!}wx$p-oZPpw~zp&y9ds5HFz4EB&R}{_P}C8fbe{(Nv*RryZq6 zMP|=sVet0tm1oa(UF7O6l-0Dh=5AU!q5XaS(V2bp==o?X>DI6J%e>004e$EPdzv~A za%kV_?aK;NGt0cibn=Uv#qd$p&dvn$jtyEQFWvRtz&TaW?v~`0Iv&uX%2qiG|nb z@1+%dT7yb%bTJUzxypz~>s{IU^yjsdlrJ#d5x)B}%XN3T>Xwfg~G&58QQR;!Ba(P z4!{{bgq@!-A3iabHfXQk#$LVt9L=`YmZ4nS1E(UqbV}HFnm}L|Q=hElCCGUh+=q#Y zUS7XeF`7sB*5Tr&wheW-w+=>K)PIahi#1G4V4`aKUDWb`P0D)#KRLNWu4XQK;kwo| zf6f#3-?ikc$K^HucXz{5?I1TqnwEKV%l=d-)XHFruW~qe*wwu3^ZX$op@&o~SMH=2Y7ZY~WXCnxqQo*#mb4wd#R1Vrm+P zup8kM!}fqraOJ{oG9seDQRTVNAR&i`1~dolX0 
zyLoGTM??hkPqq?popQ>`LLPJ{8A)VbrBvRI|Nm}>!Cpr4q9?UimO^5GZWrqce}dQo zPZd+1O&ro+!9Pi?A*3Gv%XM5kwfoonw)&!A2fXB?Mh=Za-m$AR{LeX4#%I40$L-E?zd8 z`ja&2eNd|M$`{VCAj7KfD`;F2mbQ)BXN#iN-VZl7$Z|vhB6)lMq`OY?(;MIqZU5kW zv0A=v?H0*-3Vj#+=+OdNHvzZvl<^fBBe;{t@q_Sgfav_Yf9fc^*_P{8*8hfJW_miV z??p@2L^lpj$SQv1Em&DtAWZWu5)>OS)T+vCcb*%)GHq{u(X$ zMMd1IKBxU2xohkLMUI-1bc$^-cnbw6pUU|g4>}&)V3Su=WcJxY_t;V+z0J{({sAr= zN$V#m)YSjZz6YshOMDG+cvE`=b1l3! zeN_9{kNIc3Ip;XwoOeSG!RCxxxx%?5whb?D>OQL^PHDLJu-U%sxOGAE7#c%aR*nh| z&R6-B;@xK-$^e2-?^&mD5$X1DH$}Yjm3z6W%_%CkRiksCoV-2os&{l~JGX4pH+;SD zJMv!|rtWU_+!&c1{%D=I@}-|28g-)IIJ(un_AZmn+QIyojp@O`iP6af7^23q5pS=6 zI?yS&PZcL29Y|**D1LywD?OT4q#VWa@lWD_Vmmf-fffmXdU)wcJ`2R)(kGq z4YS>!KOg>nHoJV{#0iXhN)4mL2%0Mbe+xZa^@QAZxCZ@E{i%_CvLOC#?2vG$S+-2n9|F& z+g-|FL%|+**SN=%XU_cGYv&J5R^Fy=D+|%*MMsmj>eA{_FziXIcBrG1ylv>k-!yP~ z=T40sRD^ILwB=yRW3=(M=-ikYN(4yCWGNBTrE3?S4tt;8h?xuXTo4I*jFjrhq*RT1 zD__1~YhuzjWA&CN8;2Vx8_5qkJUs4A2$(denSSS{Z-5!y0Ps$u{o7P&Ohfca;T_o2 zbVH4u@HU3wwG{{;==yPuzrvsbpsa8!S@0c7zuTke?}R`z$vTK8o90k5v1N=H!-)M?Zc>HeY7|c3t&e@Lr6^BCx%%T zP-2DO!XB(>>i~M~?=HFJQcQIU+{UnX>Ndi7 zWS%@HVRegY{Vw!LxM_yHw(v*5BhyHTRHpyCk^$!prr1#s{C5Fgv|MKhCqaJS>y2*y~^X%E$=k=(WH!IxafXT?^3w<>JD8g=n zVD$LKDwSzg)y4R3f#tVv7cO38bxF7K=PxjE^~>H(O?eqdW_I?r6l0u@N`0?wZ=y;K z0f{FTA>Me%XvF4!eG%hoz)6HR7x=qn7d`-1RrbvQN;;g)KB!Uucf%rgtOU_&zvas8@H6EhX9!F1w$Qga0yleER%Z{O@>>ASR6HYqN2#6x7+uJ~igQf}0!s;zv~n?DNBp;ieC} zzORV^Sc5f}?WsWX}5^OG|4JTN@nLlCiucuDE@zw^DGK2tu5`I65AKKW1eRZg#mI2T&iAOgz*T+8nkR3arrOa5&YZ8rE}pI&t)oQB_#%KMTU0;XU=@Bp)e9M z)H`TqVzThwM4w6F&fSvrLqEn9&i%Z7rbQw+A)zwnNA~5Hc1CG?ZawHggV8uPe#F$2 zleg;rqigy1Ou*f}nUKgo_h;_<$CPa`(96P3>!P1uZ*MQAm!x=fF#|*PJj;@wKs^9I zr}@w9O-@OJu2Yni4ow(Fu&0h6FCvdt!-O5JenI>=jG(bD|9_E>xYe~A!Cq(2E@M+Z zoTnW1h7y~ZyMgB4i&@ET#1UVID&OSer!NGBVyn&!Lv!>goT~-SeWfh8a!5DuIrm!2 zMC=Rj;WjH+`mOw3`2FBPicT~V@{pDx(Ob@Z$`3WHubC-yY+Fa9 z#3QSSos|_eiw2e|%&#ygF?iR2D(qB9jHtHiPG|n!4r9}|HF;Kn2PT3YA?b$2ssR@n zwZ`m8M%2C=C-~*i^8+9GcSb76${tk2A^Cs>a=`SsTU&2D&jLv;;oepbS#h?TyVu|( 
z#XqyhM%c9t9g0b6+Zn~9?w7%ifIpW%A4Sk}Q^=d}$YFEWUs38Iv`k47IJ!zWwdZ$ z2Xvu}Eqx%ledkWn;dB%ZgJmzldT?Pjxnm{*QMpwPvB@!D#1jX|M3n7VgMK4T|+xze`20V3!$)J zckq`Y74Hk0zIDB&MMbaFm4N|(BUlq=iL}7fKJ{D8Se?^u?*J>+xgWw~Uqs>5Rf;Cc zWg9SeCjZ|4{;gs&VNA+i-(CYZDwsfK(AO4A$WhQ+M|mPF=c#o$v-%};>}b-u=HbUP zwU4!WWu^&`Qo#fmW|x+R)te5XHbs*f<|&ud49@<5Hs}`{Z-=*l7TVajq4x#K=Mwid z18&Uis+WJMcqF%t)W3fH^}fE2&e#5fh_DNQ;wl*==5Hh3%IppiK542hW zPYor8H9kV0dUzckIwsD^uv6NF=Uxi%`d>LJSaUF9=Pd2CF?vK&65gu3qR{zveSTX;6=UOPCA==y>QppXO0Oa6NTuDPr) z!5G0`{ZHWV(J0)YKtd>c**qhmth<&bXesm@O`!LVj-S#vV;3_(ff!tdWBv4BpB*s* z%7<;fR2!;6MmVLN`B4~TwW+@nog48E2kE7BO2n3yM9Uam|HlPbS`-CqaB&rIx4(Mw z-?S%koSdAClhmeRy8WW2DKLku8V#il)lyYLbm+(4XKUV9d626in1+3cl=6kq4yqf4 zGYDazoRKfwM@e0Hlj?CKp|KC1x=_q+yR+F$=7}0^3mgO)Y%)ZwzPI=6b{t=@0X;Mk z?p6ej0}h$#$lN2m;h8(A1JoM`bk572uF#)-K~aUzR+k*dN48PGo01~y@W$i#)O<98JWRQPLbfpI;N`l9-pVPj2F$Ijpiut>%8+ z$aF~rkUs#Vj%`}vC}m!4eI2!$e0L23CuR<0f-Ut0|206P zF#pT>)XDCm?Q(Kw;Tln=>f2^C@R7CEpk&R zz2j!Be*fPs&S{rAeFFh7P9L&7d;mBwY}E9DRiN^E&~^OXy}eh~uf4aik$>sr?jFeq z#h*?XI0UtG!t?WM=UaK?oT4Hl=}RScN=VDdY_4MJ*yRpG7Bqp2QQ`i8#_?j6j`PLM zVayk^0JQP(v*&~+zoBS|a9zQL*as`h1zC+mr~E3(v$!xhKQn_^u?7rD^QAWVTy0MR zF^CR94s>Mjo@lh*p^SUEE{Qv?VXL}yg~2Q6eP1x2^GK;xCZOn&{kw&dTTY(Zfv#G- z%=`3dro0sgCnpiE`2pbdCA)53xuTuC3_d`w{}b?^dbsz=e`l$ysY$PT`*LFA33vBi zr>^@jJ?s+&p8AH;8^h3!w;ZVHJae|A-15`*D*vpw@K1-G{H(9dp`eGGZp|h`8cdN; zS4RN=<3L~0f=wLonQoG*7Kg8uoLo_Pxka<+qr^B*udO>`o;&J&^BnoT1f~UeLy+%6 z89o6gE;PTagWSV7Me15wkU$^N;)DVnhld?+rEdR84|1}OJ{q1KulD@JQH;|S_YaJb zZLxEKL`*OHV^|C{z0!Z_Aef54Zc!B1Ge&FzWW@t7-mP2HQc^r&7BVvO%xBsGbZdv_ zID%(?el)bQQc+jmYQ=z(3}2Ilwekkxx>*BXKx;rlUufhfj!3ibB#n_AM88|c=@`3xItY|^wT&M3NyS`Akd_T?3 zAvb!6G^(NFLLGwB12vs@YYFMyt3}JJ=3A_WFM|)nF^2f9nB>C73Xb8s)YSvw6%Wbo zo4K3#@cow-Qc_d<@E7B%kIHMQTf2ZW#9u{H@+5Ev6lc)CZpGgP8W@UyE0dAYQJ6mr zp;-O=41dYY(h9tqv{?A zD15hGEVI9a8DtpE33W6dv_dqUYmK%^3GtrgSTX^9S^@g`>@Qctj${RX9Dd8 zWQ)bsPJDIzA?T+8?;XuGzsyADfF!?%e_$jZ`f*)asCJD?#nuTQgr5(7FBS1|aKc_;pNYJF{ms6nx$*8p@?`>@ 
zo*x2Ow~73T+arCW%=~`Vg|e!>R{gK=vvL0(Z@XP?{R<6We&tsTOI+o-Qs2Ci41}JS zfkqoM>1zMxMY!$aM)CY}rLh1FBgjoyJm!ZF3xAj0tOe8@x~PM=fUtj{&%~d!UpWAj z#VkcyQ1Bc44#3OOn-CV&-HlV{S${y2LqWjbxufE8J6Fvjy)>L;<>Wd7k6IUN6r1pw zjpjq)Ezh;F!Vln5?I!z=JCOk@+!}u5NIk1>S9MogZRh*)iV8$n%z%!FK@>V7b&MY# zKOO_^P}%!(&@8MYL$6+yG|$&4#A(KILk}erteVo=wx6Qotm&m7h$E<2nddGB0BgXJ z2+nCZ*MWe1sYHNxcP0pftUy>ZmVXvr`C#BpN~Z{^)_+V##s1o^W=VipyeiUKo=p zm<_|Jd|=1x%;$JW&n|8SB@-OZloT5<6~6cblBt`@TNXpSSCk5-|d-69+zc zi?3~ElbUh7;W}seyK8ydN?_#1fk5`%!^6Yi@+!*9;{fjX;jLQHpEHfy&~haYIqpr+ zK*59z7APKoj@I@{RrO{%%NZb_}~BZ`<>@^d_M2bdoV=8 zgyqQV!C1iY*5)5|wn+cXFpW=$IdUP;KRaXQj2YA{>y-H7n1H+?YXDzw-Nj%_ z-Npyr&{IJq*quLKr}}?xhX14(;r4h{L;DFGMtfnLO5;q%$gbpMBWRxIe8;?>IPTdm zMo)Iu8Qy0L50wryZh_^JR*w+~N%TaIW7Lz&Mh*E!>n z%i*8QZ^jaRGAG5PNgIKdg7yH0on+OCB+u44L_v0z6gtfX95Nz$53Ic`8*mpWhtsS6 zO`I+RRk1#3Ik`DCkwNBAW8(sBtNaxT`kI<*YQqqoRG@QR{%xikVzF%R>3aL|6_@{NYna#^~xz zT!r$Kp|$7WkY8{6`k6Jg=livZC;~t!@7D9F#M?_((#yRWa#mC<#gi3Q=M^tyWADN^ zX8VH>bkhHz0HD!;ohe}!Kz<&!zi=tR6zJxJN3dt(w=OGcLelQ{@OTafs^8E@q*XGMv>eGtEOd}{`;2cw%ZaDm;7v; zSO42_qHT%!&^~>FADS|B(;w80f1y2SYoB8W zUSuA<*LhBFLx`#LZbxlmqoX@2L~tivwRYLx`m=1f21fs2J9FnVk&D0Pi9fTFjWmj! 
z{ib&={CJ_r^})GFy};Im{EC)j&~5;#2k=fAhL)EP($sb-H)>JaBX zA$6j)-FjNmIni(6eq&0tpJJ8wTwOf^my>U9)w`v9CoNkx3MtBdUD1AL)d=08sTiE zIz2*PZBTiK-eHLzeM0`sMyJ^v98Y^w_2;8vO;W3 z43MomLR7nMs@=P9 z8t`Yjl$M5^awr62@R!~@XnOBeR%-z@?@)<1*^Y7Z)B*@VCQinpqM|o@=}11rtMV-aTuZwv(hSHU^wvvn~X$ zrE9C&lpycvsVBE|JMbnyVoRKAb~1`4nbS`vNL8r28EUmfiN7Coo2t3Wd8QC%5OHy# zTxk0_etzfBQ=JPN7nHC&QAHsFXz9pPMWGZImX{p+&i!o6y;PZQ@h=%~^60o%YTi1l z%;@+rz10J}MX$)3#V|==Myng?$c zLM>=ssFp-hj93t#U`PtsMq-2KRB2(?7GkX!QtUJh+TuIjAyuTUL`5ZOmfCkaSh_PY zt6*I0*tW8lIUA|MGPWz)1#u_VE`|5QxU|epZf{i4%8#^b08#hv-o1P89*HyGzkIoz znq4#Dk6}4AjDte}T70fgI7(b&9)-)637QH-uugjzEELPX^YgVDZ zh1AabA%f}r&)40$dev8C#ipjZF_|M1KxEQv@)*wL=7wg6d)94d;J0^<;bo{Ssr-=r z(byPXt`yQnAu7WOc9w@$tkSi19fhA^k@6m)k@DB0^@m#4RUg|gIojrd`^<9F2kRaK zeA=z&I`LVs-~w2GiHoyg1=eoWURN!gEgmoWVoQFC#RT{Yg`EMmEJ}HVvOV@%{xN)b zA;fI!jd_E&Ga?`Z{K}IBHT&ys+`Iqusa6K;h4hx?1q|y)SY*?+eOUE$wMKn>2=q2f zG24zMfNj9sgNN0Eo%m-;768Z4jOe>*+d6$z77~P`y9$qN^m{)xqg_Y3<6C#`M17kj zn0IF(o?6+^Q#>I!Z+HmP&snKX3#F}f2$;`%O1*^zovNdzRydiHN)}K>xE*MB{hD97 zjw))on%_%XS)ro^-3>GS4X4NPSHceC&rqpR;*Cb`UKefuv}?oq+2;tIa`QDM{&7{F zOzdR0HDL&|ag==yABUNS@{>JSioAa9L^9mYouhEp=fqa+p)c4P9x0h+pOVtcSSL0m zUZvSlAwap5J9Th=QOo|X5C2qKtAJKGwrza_RB7_s=m;(} zo7dp&P#*24#FZ51H(&DqayB#KGJk>%K2{!|y@FMR>{ep_%;jaIrAwc$Pv#pTF_ce- z@LWHS%!H5KEjCcyzg-@Ca?(w$j3#+)LUfRguQA(_xbWCBuhhgdQIz)SkHwldg_Yo-R#HY%>9i;O; zlzNn&_*;?kI^nv=>VskShiQ_-$i@M=YNZ@#w3sLM?hUVW(QWH=L}Uteez81u>~LU| zAV?Ic^V251 z{4um|Cxr+gq3o1;=|_3Fx%nqgQX%<&IdrLL0d36DVQqvBQ5VgfZiaM?kj)SMW3JUt z)@N{jrwi+^EjctTGbYTyQQaj%rXTmOVUh8w$BWi-!Utfy(tAm4aj$7_ z157OBr|o)ScxvD=)vaZ;v`w-dW$u>dI~%Nt{~G28IiK>52e@8I-E?&TzbYq7{V27gI-D47{p#2q$dikH-5}`AcQWKvXnKPD|$osJ|_e4MY+Ba{KOgjnz zuDi`b@R_}U)b?2u(`5xMRJG z=kO1Vy5}FOUg-KS+)O$o2bXe)k!DFFCjrIxW8cQ#VK(ApbLOm-)d!` z=k}hSB|=vhZEsIUg+GV;$Cl(DKMqp;6}zmXmTB2xb$Ym%URn{{P|}6{%A^pg7hN(# z6+V^ylqY3np-L5HWeL?ERFA)1?CIIdqK?SmMW2?IT5(#P^xu<|)H&+%lE6SBga&?m zN{{uc>B9}LW4m_k!hflF26?lOMGR*>qlp1LNxC-dT{+#rN14@7lGA9al&Q 
zy6Y}(G}v=T%zk2FyY}dGtF+>XS&pIVl}-~TPj1)LqkG6-$$(_K9zqlOnfpmYD<&!F zE<|7qf1*vhEb4sjm2Fh}93`%MCa*J(dzXV#qm1q}}8Kel#h zdAAAy0T7?l>`nYIKFw9Pall1><1SjwojV7{NeJ1!IZV}g2_%@%nZMG|*U?!|HGX== znq9&az%0rEHYao5Ar)CN8tuVfO$o_cf%AdNMx1q)3;mE}u+=+FfA9=iRDNA&Ex#%cvko!1F2#}{N zJ91>8--v^16I$t0bmn}?(%sof$8Z@8w`J-~${_#EOT*BmYKq>Dp`ELCiKhGjk9#nD zrF`f{NzHFLI6KKzGR$wmLz{MjU_OHGmNtMpx0AosYAu`ncj?yC6h~DvKakcA4^+AO zx1=dxspZ&5s&n$Tjn$7jcI*qk6YL^qxn%+O1!L)HbA2Q%{jLk=6sfpqHAN6N*55nf zgIww@&fh+iT<>S!_8i<0LZPA8G_mIR-$`7kRue`$vxw^K+SFcXpHn0YYWY)uuRafrcAJ(gvv{Am0WA5Evu>TK;*}1ch_?ppX zx=ku*6QKOIAeEv;J{^D(!X~tB^|%x8dNvnIB}cH-_=OUT*Wn*)s;j%&+glXqcuIsB z6kOaz;mHsdW6;wfEx`?5d*$-|hK_{f7C6YweCR{B3~>%a5kp~!VA!3!6l3E+G6^bA zx6xJRr7|X;ylr5ZSRsNQQ>N26{(P% zvH5b%8hEVmYUU19V_#F6J6 zm$$YJ8e4N)GP!|ckww|w$?^I%_$FY?V|4mOvX|-acMo6k0!#_Jsg=#Y0#~p8)xqq~ zVsM31ekA)@!iyoR)_>hUmxvpBh;kfk^hC7XB#{)!=RRs zkqLZTG49tTtiUUMzSZz1U%q@vnS>HLOBzsH1Sv zTSxYfPaoU6*HiQ{*pZxKmO$Oo&tgM~$D9EaEFCR)+1izlAJ>2UI2uHn1;+M0ed-jv z!Yfr(ftA^I+m`%)xjQL@IVcsGok{y5D+v236Tlw-QHgGOU4Y9;`x#i9G&PdzY4{*n zLj>!u^T_MU%yzZ%rR%=6C{Fy&K6nxjZobB==XbfOxhMYI2M|%ao(wnH|L=lUAdJr zgTv|}HM4;sXG*o)cr^!T{N2p)P7;oa5W(-FLjcQZTsaD1Jm6qW6r7As6cCVDIfOW0 zIU2T8#inytEedYeh0h}!&!DK zCfvVXB~8WWW0TSjOcwB43vh?*B#q+PZz=xmbNvE zOLtGGeL%>ErDeEL{B|k{B@3=*Zq^hpPm^7{(K7n`4>%lqz4+X!V^=o*JpS!(Xz245 zpA?iVyu9`;S@P)N$hD77Jox>+$L6{oS@f)vb{MtcsLO{YL7SbHrWH8(`t_v5g)>KI z6>h~8)Og^)?8ArswO4c%DHIJa-Qw$CzSQ~Ex#-cOv$ymrWdjTQ!=q!A1M~kMEz;{4 zaPZhBgWOW!>7Q%Pe{JHlDk-TL-PzyIFZr5YZOOxj*Q*LvWOZma?7v)q_sx^`sh%(2 zCxMKtzsqht38If|f2({~m`!&$s=Gh1xKio$AtnDsK|y$ z(*Ni~8P7XeG1!5xy{$3T;Elc+P0rnYw{G7Vpyg>~?nq{i4-1f%7v8is#w>7Tii^X2 z$Cp}2oHoZm29?2_%aIYZ?l3KdcX1F)v36@EjNxV~s8=^VU;JRnk~VaKirSf)!wJIEk*+Ov*-#xBcDslW$0vV6F^Fo)a9%;KkN3eG8pO4ED=P ztu1-=yVZ^ZK*NkQ4@r*O*!F2kzhSPQ4(H^Q4E1I1Y;^IWbwG}&9DwQ4d(_ti(cJ?@ ztLQjAGfPJ8b7-pm^V?D^7et}d6I*X&4NpLV$J*yIH=cbtGC^-zpKEJSRNE|iI!ULj z$Gowm1r-&Y`xe};o$Lw3p~rnf!?rG-ZX+^JSZzFQNa*j>OZBx_hkSHyc1q{;Svm}i zH~M&1`E@i+n+>|N`rA^!!e?;vRF{Jf@LS5WV%taGwiAcC09}Cp3KLyc;hPs>u4Nk( 
zXCR$lDOn*RS1?&p`c1bs(lJdyBKV;^Q_kB{V)KUR=!}Ol?PhAI0;4j&%CB%l?|c=7I?2@%CB>$LlFn9d{=Wn#3+ zjhv3*WEyA7Q)Sbg+E`n6^4}*PS5FsIx_ex^Q#h-Qns*E#d7A)PTSM36WI4~5B(3xP zanemolqr>Jd_k4OJL69$IVZYOCQ{zcE>JApZIku0{@B!4F7@BOzJ2yi^Tw>R%WZaF zmm)8^33stHMnI#H8Tn+k63 zpYQp(a`=`fKocMY^LYW{Rh6J9Etp3<|MHU$FvQq+CXcd}8%X#1_W5)3CQG5r=PgM( z)7{s~ymcPI&0zy~^J`q1WBbxleW}mOB!#_D-2GUcq6DP%+f#R6+l{N*5Lf`yf9E+U zXu&DC`VzD!`>4pjP!vLAX2bfYSVf?Of5{H3Oxm{f^{0ijWsMvFoSwXkE>LfjG&E*7 zIqkb*XW;3XBhy;_qI+pDEgT5&5f~5vdD1e?S3+wD>3)K^JFv$VUn_{A;2=MG&jl1s zV5toYJ5nlRJi)aPby+*8r=wi1>IU)u(n+`{n%-DhHZh6R1J0-C&u4Q!tuvX{HI#0q z^~*6I`0sTFc{RaQF|7&4)F9T-)DLIv^+I94Hmp2HmRj}-Eyb=bx&K}T%w_f?=*()ojA{u{~A+t=U<4vaGpWficFxJ^{0iuCxrlB6F|4NNrBDg5KKaG~MW8-x$( z1oaf^jzb$J^zR#Wmw1h@3<{Eyl~q?$v;83NVs7QsRq&AzCbXgHI^kCh`Ls9{@+pB~ z(&{eJi)dhJ@%u-iiJIHuzJrtDG>U*@@0%a$x@V3J;Ctf%-twI}i;OnYjV zPA3KMirBbNRwS6ls(*f0m5QZE>6$aE#EbPN^q0_hT_e<-?58g9t zR^IKfzdRn$+Yhf_=;WzW`?li8 zC>c;3ofZYRq{w|)c@8`G+yiHX?!Nt`KKG}>8T)teERloXc-DuBJ zt?g48@@s_M*42i2u=&jbEi?C~7`f|r5Zw+E&%?%nj3A&KODj#0;B_dgsKBzPTY^O3 zx>0f z_v=eb*E&3!RG1~BRB9jlwPGF54#t3c;c6H-%mKV97Wskuu=k7{3Jr5D3W_fOy*W@E z4y!&U_)cZS?c{Xg=KcdK(#&Af!^IahkRT3_22~ARrNa!&Wi<=Gfa0BknMu(+|JIH` zuyl9#XVmDN!-=oD3%cFtQ(&K1rzfrjRCPKV`tKm2T_e5W3#T5}+&$4A-Ac?lh1)%1qUam)XKa$(0-no6dcUjlod)Z@)x%2EH^T*4C|h43)1E#b3tM0?()%hgs+Zna+%#cu1(72Mp! 
z*ur!4OdFe}4*M&R^i2L*dwSW0X|>Uv26H*kl!;mtcuF0+$BU#cc~6OX7ts;Ih{;fQ zL8#8Dn&NvwFdxIs4Xi)_U@NP1D0Aw6TVOK6j8Xd+cn{prXj!dhBXVB_$a1d)L0bxXaVy!1rZLl#rUbWND$x|nA0t9x8Mg5e2Y+X~5TrKHx2p>akc zUAd%0hWB<8F@;It<-+8(Yu~7Ko#^~7dnn0z@`wVo`gK4U#^tA$QC`9K=sS6b=iIqc zU0r+=SH2k}^`~&ziWL_`%{)MnsVN0>jFLKB;OZ%op^df<4##nEhgnB$-}>grI5O9C zi3V&WEB9e_H4|&ZHX}@$E~*ZVe)H*qyB5@wL*Q6nRvx~#B1saH=9cE~`%PBgV;($m zs@6#Cj2L;2Wm_Rmd-dffK%QOvUW415<4P8kZ4YeZJsl$;e!%oc=f>2BhLvRF+5WwS zfKJkqm!PryW5TE25`)Rna7iE~1?Aptb{Lq1b`q86cB5y*z$oRl)#GNlx>}u&cWA7h zzvqav!RQM==pcOWn!BYEzWcfV%m7S(^UZDZW`ED-Iff_f*m3=31CsEJDPi@r-Jc$x zo{NtkOMq)ZOWrfbYUA;=5^eB_%1VbuQ%RwB3D!fjAZ*8GP}+axas^Dm&AwfdcW93t zP5ADECuhGuQuI6|};J0}(>O5%$gi4szI5*V^5)G-{lH$kgTDX8b2oMScH<>49t>?qmoyl! zP>b4Hm6*V|)p#dxuCd6bidPDDSmFX=T39ggdd$AL9h0Bgw}1XdT9^>c0ZHWVe-B6q z0hHD$`;Hu`t2!`D)ARs-7;Wb#Z~0FxXS9X&bT~V^*P|X;G)erV`VMf|&Amw{8WIxX z*w)j{VC8uELUui05kwd;)^}kW-R`HpQ0kKN$_CCj#IIXVO)mCE)8fN9x6D@b)>LthWmp)YVqz5TH=T-Lhcx7b|<@#=E zuP7VT{_RYTdZdEYKFt?Ruo>0XPA_ODonK7!m>U+Nar5BxSddf@edmqMh*Kn)_feF< zA7aiNQ6tMN7?_}6YsmsHY#o0oO5Az#BnLI4hFeW=(E9S4d&0X*zrNXlBPLz3cL+GT z_IDmKo0edJR#)onztYDV!C7D!!cK@M;s25q5pY>-A#Ma9X-Ey$n4aN@#(g8??>)8#k}~FR(Ni% z$=pR}q2@-$NaJGHu3fu~^-AxO^PeNOH?)y^RU-~J8dk#EqDAsBx7yNn+ayDeFUF3J zpK9yf+6%dxsA14+poQ84Nvf*9R#5+x*T?RR-adHVW}_`;e^d=7&l`z_EUoXUJJ*bH)oX;bo z((a`sAN*sC>#BgFXd+6N=HSL;VFw z6H#jy{57bYF9a9rTPyx*3Ost;sPE#7$B&zhbc-5g!7)E<$dJUJUmrhSQ}Ah+2=~sK zwL2l<;(sqpYKd#KdJj$x@OgHA@21^>KNd4=YV)TyOlnEENmk>JpSQk!Nrlk2cL+s+|!{e_iwr%TBV!r&|!ME~wG4`~u>NaBO%HUuL>HNV1=Uy2$di2x5d%A0A z{JlGMe)KXq!9k6$1rLnbUF)PB(URJ~doG^Uv&quHV8f)3l0f32$OVz1 zw89aOE`)@XmBs*TRx7IB+%iA>{MsM};Z}xH?CKe?sGzH^^RDG_%3?8Ve?lVU_XiJ` z?V(zqk|UCnmFZ8z4vv~|Si{k)&!itScE7H=pZBEL)l^ClY;71btXz5O^l5IgQ>`5* zNKS`9&xy4spY^x~xVxbM!c%S%qO%$t4%_OY12CAGYMzI-|cpdKpM>pz_R z_WlirL+rCXm)1W~d2>>-EBYpWlemGoKvY#!7Lr&Tn3OM{zJ17r56|42uDWCOp;Rg< zq_s`ny7d!4IN%f1DAI)*A(Vz>O^}b)m=r zn@ba4%4;uJU}KQ*e>p~Mu3EL&eK4aIJ}RD$Wm3C?M6O-_D+16(`3*lySI6VHPwEmj8Z1(A&JwAll>KYB1>)`O`>J^#v{R*Eq_oM>YnwZ#7KEB5o 
zWMs(VooCHzZ)c#@fh76O^N&ss4jyAA8$WynElfGpE~0aBf7Zi|FxPq1om=19)= zP0OsCBD-FDS;&W&80(&Y>`h2undV%2=hiL%wb?o6+o<%6yk%D4^)_I&o!yO1!+kYM zdLj=mhOK5p^noB;G~=By@)MmGn^!MMNl{5p)Wq}O+w;-fi=n|_z93q$b+-r2wJIrD zn6&WXkom!mHyqu4e7@hU_;~W^1z*RDjkU3f6JFjzU^`3K&q|(rp74azr>kFHJ$ZDj ztE<>(^(&n#)5tfis;nd#%}!L=z)GW_rWVW%uy3l&8Nx609No;tDQ&`1(;C9)71;$3X-MUrT z4;UFx_dI>99EG|4vhN>f{=tkR* z=7TqlO+vDarx!?iqk|#VFjJ<65Gx|26|tQOz-FKuBjutR`wepRW>AZSJ?{LcZ1sis z_!Y5cv4%0}uFl(bnFNMAJj=#tAu>C?E+EoVN2M6v)#c0U#X71L(LaaLR(60EB6!`Y z$99_M2rmSFY z%%JL`Q9j*-@?3G7b3B{tD3;2`S#>jA-ODa>$?%<0avRhqMe}DT5HM%S6p|4n_HuXHHI+$~$y-H_V0f&T97!_lu*2g)%$69GH zdL@O3>3NT}e5vOBHmF-q#4b&GR`QwP_EBxSHbTpoRp@y~Nc^*USKbBk*f z>@sr>92e-wK9e%abR3*ArM)L}k0VZc`Io#7JbI=ChN#T51&aVzeR_69{H58LD<|-5 zJDThwKgu%0>Ta3s<#jC@?dSM7^qCf$ot_-SpcT47hpvOA#j*g!6vQURP>l)nWano! z4Gxj+-v(vK_^DI<=^9#lF3rK7@|^0Kvu}0SRnleEw!!maJaq)68wuL$U-{UjvL_QS>D<;7Z0Epu6Qjhj_wCqGyS1zXx;k)R zXrdB>CmyV>awp^D&05L|#1S7nwlyoOK7K~Zc8=>)tdb1p5iW(R1F0nd_N;BhTc~n9 zc zT|Qi+DNHIVT7B}WQwR{5UGpbJogTQDZ(1T~uFWdf%JXYeWsVvM!gc(ucb`0Y^53$B z|Hl!aJ!D8~c6z0~tNHW$x!4P`CsaU`#VODltn?ht@^ytjV__!&;lkN~GN9M`1bI5n zhCNnw#NV2q62G?DTi{zLc$cl2iljf6kl|gxvvdb$Aj@^fA5RY6kAtef+YT5@$iC%p}T7G}pI&ZY5LgO@6 zN#;Wt!B&+z`Q++vzHBCDj;%OPdrcGNcN``7YnTPMwafJJPWT(C-(Aw}hwp*|>0c$a zjqth#V%XqO>&Xn3YoF%O@$KIF2*v#IN9DCuV<#r}-Ic`Oio${%Hl*BcCo4w(^xSs- ze7IbueEOF+128y&fTpU_;QwUZx)dQ)$pW%JaPxmp2N;2|^)3!uIVkCzF|%miD}zOH z^8O`j6upgHX&%Ha#|_D0r7oVr@DGO2X+X+(Ywk4VdHIQ*cxcQVKmHAnPtmLw-R$k{ z?8dB{CZuhKiH)_I?cv0QzP?39`4o=YLH*5}bq!v1QEj9Ytv-$G3~Lw_v1r1`caw=T z(CSM|dLY+)yqq9Sp2(ZGZ}rMW+HzjrBG~O|i3>a6T{iD}7u5@9PMyt1Fz-F zpEm#2wCO3S2F2i4(<42wky|USmf5z5?jDO3e)I@>qp4c;?Q4U}>W+ISxSx?xQZZJW ztSqfkazJ#RKj|{t zN6}`)o~Wq#O;4+r-DzSXye6t*!^Fvx8R9^X!OkU0>Ey5M#1B~BA4)tVZ&6wp)M1?Q zjxAgEWk+@z$?LjN8xy1&x1M#^(Zaycu*5X+$}K1WFgtjFkyg8sF(^5)Zrz$0GbEq3 zm47h((AmCy_iqTEa%=tC-|atDFFSJPyFxqD%AC&4uk3Ye@fKYI(8`53NG=~@i=ACh zx4@@gwWN^-@z+B0$&So0>ggSKaKiAQCg@=Gn|s@+`)I|UE)17W3{==#DYTDTKOj88 
zcWwZAdpQ?;>~!OlkjjunENiEOp|ocGC&&9&eK*!W39@}WEzM{(l1`L4_YO=Sup{{p zj7C2yt;+I_)h~)xQ*LL04-n1n?*8fdrOcjPb5GZNFpW^!yrrq;)wN@_CRn0iA2`O% zt)J1?N=n#wt5z#p>p-bm_4w41lrvT1u9pKR{A(L-zIIwN1K_7^4A@ zguhJx*KEltACcz;u2r_q%=CGsqCO#+UK2*s_}CTgCx^o1D!Fonk=yY^+5FPRT17xO zB-h`*KWo|YzAQK8OwwI*^0o0!XYNt3d;k4cKi?k?;^YwqdX`>{S%Yt;tkA>ko~83= zkQ3qa-Kl2ec|cY+9yRJ*ZwV`3VQ^b*q%ZVx^Peg~PT+)(MPsDB`;qEPqB5DvMS zf5;C4WpH+AE)a8G#wcpM;uM*2cKJdm_*4QgzjLz$pT`Qo#J;#|YX+m=z5Y&&%-#NNfC-Wt}-Ij~8t zfv%C{rehDX3hE0+9cRz}=5mrCgzp({7FVx|8SChT$e@%6Mf0D(p2hi+gP-XZRt312 zh%wKB`zNPYiXkWP<*c8)Tay?B7asx|5_8-8av4VbbGJ?Resab*>hdZ^c!IQ?927Z- zE)o~1aEEJ5;Uq4LQ_4qbhiTOb?{djyvXU+p)F;fiXAu|FSEIOFy0j6BFJc@#08TR9 z$1T$76)Iyzp?>NS;z*JejPq;D;j;*#&o2HjgX9pRbZ#pEW?6=>wJC;i#GLpoT6CTh z-+IOf4G8b=x@??WJuDqdK!!_;yR@W!LES1mudm;kl#~h7$+(A5fnB>y{T>VyU>Hk2 zEx|!SfGmQhfdEr6pYwA(lka}#e)3;pNT>4fgwJDuQIVCvhk&*SFha=A54pp8<{w{Kf7G#^@&ug>%8pu8%wCbZ3dmgx*SR#(Gg&xOC|^_@`}(nR35VtG-yA4mxzu zL=at#OPYVEo4|^e3AM}IdBE9D%iOyzooK=zzg9Q+&p5eg-2FT!K}l27@KxE5g|ssE zA7_R6_thTOP;rj~xQ(`2(GIe|<|!#;8LV755H3{H*ybM%I>Uz(Q}AWp3Z$PKoAnOI zt5-vhh21v8`H6J)Fa6$=?t|-c#jwaoj_T5-3ktsz3nfgbF5gh<{<)u%Zgg$>{(c$7 zsgng`!Lr7E+2_LWF&-ASALG4>**Pe z_nr3p0ig+FVA|tSw^6Y#T~PdbBMtIOB8>Bm^xV1u0X>%X_0)TjLH(YWmzf)M*y&KE z^P{4Sg;S=?var~!6vA8rtrV*ev%?qury$A_ zFZ(k3%;I-r$KShsJ5TRzsnd!SdvwBHUaw*9iE8gTMd94Z^wFQ+Co-s)m6pa;tFY;+ zZ@}WyGl-mlFHa}iq}fx+4evbmZ`GYUhj~FH@^a`p!(pcUh8>U3XW97a(?O9%qvHW# zDZLq`uxD&ncf3_xyth6qylo>-lXX4!`f?CR4m>vP!RE_dR9J)AIyO?(4?`o?$L-oW zVD5pH4Z|?>hYvfIbQql=((#;stWAx4x54}9$&*J<9(Fu$WpAHf@o^)z4s^CPd<2w# zOdI!4PIdbIEP_qc*@F7{I4UtN5PD&94>GsRwbw0xS|12zK>ZF}aj>{xij5)?ahwfg z+iN(lh{~RS#LboKDQowSuZ{i)(n; zNC|o873AeFrou*>v-ZTICkg^~9zU@pfyM(Ja{YR#j~4SI=V0Cq!;)J^T40?I2uh2Q z%&*5K#KnmHRJEooisY zjX5K{R(>T_;yZ0y%wmrmpZ%h^<@lZIGl9E4S4cu&7lto;JqZCEm?4sk_do51X*{S{ zr|%Sy{CoPb3Q2`533%M=px8);0;yNe{F5aUnCGh1x9WUehYio4qCTRNA>~B z^KbKSxR%auXF3o3aJ~QFacFO~1`PN_&g0N{`)_l}@|m)IaLM)S`n`M4!#Ne57*ALt z6#SL+mwDg-oW#+aHhFc?Pi(Qe=@=rPA^AlCx$UCzj1ooxbRd!a=HFP??+n+noqiyB 
zP1HTY#Q_mDFJEG-`sd@5kx*RvZ+-vi6T}aVzhkU6X}qngBY*ZiJCuA{k2M3#$F0ZD zpR?GPu^#OrKipBU4zDcR47rc)9bQe$^n%%VrNGN1e`>4Rn=)w@U=cD0wh7Nu-DA!i zuZ2&t&V>B%u{bqjrlVs@uEqgZ-+dbG#XvoHhtw&od>FLOz?byk>(*H?yzVh-W$5m` z9v>1Z3?HG_#rSy4m~?769&w)cT%B6l6>{fB)VoKuSADU&V?@v3fWSc9!kt!`sJ)ECZ~5|}0@&5(-<>UBbIAyl)k>$PSH+L(qHjE((}HPa z6KBzepq?$6gSU{@p zirE+SYzTc7q;;xcqn29`IV^mpL?qAh!x;~ULw9l<1s?2+{s(1Xpa)QU@V?X{bG+v^ z>ulcWS8cWlR@9>tb z7q=q4Q&y9Rbl)qzx0~6iUrFU8Tu)Z3n6kU--@pHjyd8QR;aC$O`@ppQQB@ogxGq^X z-_dT!x9{KOLXmD#?=0mMfHjGs$HVvf-vq?Qp-{%Zi$%!(w7-1@kb~9rDG@ zY#D+Eb@fBOLudQGle4=SYvEH&>pDBGo>doqsw!&JL6YHG9`4&W#?eVHMP}T$8*!E= z7d~3f%Rp0KS^u98OGGECskE_jihcLDlr)?=CW(RNHz8x@42jUDV zPfRuqT^(*ucf*%xlg5a3h6jBY8~Ewt&G;B5wx^dDZ9vDQ9@W*=D2PagYfFo-sF;+H zpl0l=>@@tjMb^>?GD>3+ZTJ!KxI8ScH&rd4f=c_u(1DX$+I4d}8nVm8G3WlE-E*-3 z>mvNPbJQi*Sg!4ID&^|4U6lV^$XiEC&s-L|$}_-lyiuRsx^*Zc&LirEXd89x^eVR> z{%30H%FDu}#t%1XzhX(lMZ;yU4VDIIe5@PpaXE6KkdTygd7zG_W>g1_;XMa8ZgK82 zHQh*;oif(KB7FQ&+YVi;DP6exJVFki8ST_;JM&v->HxGiT>bx0VvJrKdmX6&r-fCQ z=UR{}d$qBlp}ey4F&GfWzrr8PzyBzv(CqllnIj=^L?9{rj+IwHT^TMESR+LKt!lo; z-^&gYX|vp+Vo%Fqbql7--nS2Iw&u~LOnJWkCU(0i%W~y|jq~y=BX;D($HyN&4B=&& z7_Viz8mhyo@C6_nFvrQ@B|XvQ+{&Yv5RdCtvgz0t^A+EZ4jOa^_vs%ev0XPFt!)Q3(>Y-KUCd&4@lGFzA>W-&}E?Zk! z%AP){S5^8#G9uUZ?RN{8D2_X@xqR8HlA#p6TT=8la_R@!{ErnLERHhuWz4qp@xkk-qa#UuyVPCbsJj$9K}?VJHuO<_E+-@N66;a)V$%_+dEit0BLB{V~4P* zd%KjBw}tCVhj3sc9kfaC+IAMc+VuaL(WWM38W1v}#0! zmXzttGXTY6n*M7#wtIJiq3z{`qnvgsHPdR_w zdi8pjJM}tJFt*$Cj~~0Ms5qWzYl1xjH4wKe(jB;V-2M1X4qy5C`QC|1&@KozkQE5~ zJLtU_wi2Qr4B{}i9x(Ha^7Kx3uqP6b;JtkDV#=P;A0WK}%rJ`HEt{Wwh9q(yu6r<~ z)4mu2Kof43?a+OO*opUaWkc62w$0EUK78Bd8jX?5+X~%Bt-M&X*tuELe#!nGuegfX zSVYwg88+_sgKw3;`Yg&@FY{|=< z%fI*ux*PCF?X0DQ>~2TKkIMY@j61tV$_b~w28l&N>kma|j`w1}e2)45)rFs3yft*W z|FjC7-2SB8V(5&@KJ--Iiez41SDeH6^x749O{cXtngQkmz0$zEdH#Y$=zt(EBlR^28+A{E6<;2IGeI6qe-Ka5Q zu;HPjUcDM5mrS~OEIa$`r>DK;>k;EF@_co=v~=0uzugw!D9`-8IClRVe<3X|Z~3=( z+xh4B^L7;!G#3QFnUXWqubXE5_&bfjL|@h5Flll{DE9E7`bd>wgNA2;a^USw7VO{4a%0Ab_Yuw! 
zub7?dpM12cFzk!+scPQn-;EvKU)Jjo+@q$$D!Q7w^>H@uqM*A${)~ z&X_h2X&(30-*3~^*Hp#;AMrMgXK7XwrXwr6sHUZx@pYHSNg0*e=qc_(9Q4j)w6u-+ zVe`*7dte#<@VYWDMD29Gc8-$FlKxv2!RLZKTe_+JX?bxhGUtg~7bOeYi2bO@l$FCj z)c$axHsbG7_xdPwk#ssfJ+1t}#k`pAgSC6XgXeMD+Yi>#N_*-g$I~Ix&VxIu=n1II zP<()`tz-Jk(=#BlCcE=093h}gv+2aRRqW@uV?b>VzB-aH#Y}$a8abi<>?6O_kuxp? zYcBBY_PWc0xpR1e+{E)nP8g6(N1H=ftKg(Ofn^X+d=>~@-?Y?1%Y1nan-oa+!)?5ALvdPaZC-fi7add#Zgh4Inm#kSdyS&Rg3k#O z&*`z~2oTo~*Y1U^d+^|V+ zr;juo)D?h*C^D~Ix)gTkPUnghT_#SL;C(+&GkKO`=cPvv`YdaFHLkbpGt#^)|nbmkVe_?<~3|#hF^lAmx9N>H;^a+Ldtba^l8bvN>n)qg9ry!~G zuI@Ao8Lj<_LYj^Ww%h~80?Z#5PtUyj@lfxBdo|DYCPWC&B&;}1Ot3eKqxs@BZ@XZy zqW4avknGtm-TzGglyOGhUEXl@?6XFtRL0kjaFRz=kNg8ko&3s+@ISltiKvL zab(ya&^>tk4vYGI6BqY*X6w&4p90@L)=fs?sT0U88lbk5WSoksA3Tt!89@G$4hSMm z8BD=Fr_}jn+gilojVhV&0~}UgAu?vFLUFd9C)xU z>5L94UwE%#$^8VdM*IF$ti1g!bp zgy;sBEM@;Eg=$^J^x8R>i%ny#?r=L{Fd?c?)ugJK=b!W+=R{&jzka#tJ36pQI0cx8 z%sM~C-VAKl{nX-gEVV5xB>T8@=|97{i=40I5s5tjg7>CtStvZk;Sa^g41BHdh~r{t zVd@V_*WynLhlH5$T3pOWY4?8H5|>#Y=5&!9+*ap^P3gGxG2I*CS5XLnn>Osjy$3IN zh^rW5^xa&oFlOr10dQo-)RiI?Yxg^->f2G>IC=Wuzf+TQbA3SpT~5ZBG#~k{;#^lY zDjLK%I+}59hsoFP$%cfqTyfKJb9Vmvapt*fs|D5ho88-6yZ9{(>SS+!+FgZ0e&n*( z>n23LxLQ&&4>MFI#H4;w8-K}}wm-7Hrha3lQ9F5U2F`BSB?E}z&o07hk0O-MfqxM{ z-@xBR_e|$<6#SR7NvQ=hBb-8aj$DyP4TNV4sEyif>j@J`PTrcF%-n~vs?zT-N9kGQ zy9L2LZmcckUjuTHBjtO4<6(im{}~(W{jZJFsSG%qTc=ARv&}osAi{nH21#?{4BB}v z;Nz@6wcmD`f}-NwxzA!mDu|(7yQ(!BjhW(hTm!5`hsJgHiQeO& z8_xr;D7u|1@jcv+y>%2z1Mumkryuj{+blUi`Al$8nYxQY*2lU>Cl8-HH!99!!8Hzq zBUUE{^`TaqckrOe24ACjwO5{~SQwmJtILJ}X1#EoNfdN(#UV(|jLvvc&?)ev~( z4gc?Fq}1_8w9HXN9mesLb9D6T>WEO|m8GXPj7#&oLlhmZjPMBpHA@lD5MMssRp)oh z;L{l<@q5XX7dFJl4;wV7;menoE$bFNhXd1p=+GvH0DN+l?=y14Vq_S#iO7`EJ8J5Y3!He$@ixO>27?z`pWD3#K|UZBm?r?+^ZkuI(RT*hCd`b9G>}UhAgd_uP_l_NBIKHlIOHSFk_4m&=c^T@H@gQ^< zYutlqG+&*TYw;V~uKla0%%IeS=)3i0iE$e?WWUd})xFhq{`@z&GeXkk-|zrnCyK-7 zQ+@3_gHw$iJ2l$Z$ko+W3XYwmR_^Utn=vxzzhZjz=xpE;@G+<_v{`&R0i6M!=-)XL zX;=7PTR)`g5A>pBG;jU!@W>#ToxTyv+Um45|4)aJU1zzVlkPVtDNosEpJy6|i;sP2 
zt-}9)?BbA*yH*6smw$X*y>fx4p2wTYoMjoLKg{tN&u0Qq??H#Qa^(+Bd{a|X2{F!z zoFfmlE7W9_mB;;_IfM#?kTBcR^Ek0z9C|xe(Fn-O$%*)Q z#Wl#uckbNjFmg*(pa(F1H8a2)wH|Mt#$6?b|2t zU7CYaVCB}F67uri8z)vXUz)c6cC_zt{=R76?AK$Toi7~M+f%P!KR3JihnN0NbH$#k zy7~$8PX?&Kp%`pWVms7-_`qXPgV@wju>IVlrEl-vHT^eEXJXQ@kFnQ;?z87gNEPJI z=@%kUR*b+hM@mXcfb4Z0r5hQikeYm?nzM$Y6M<Gh7YHvnQh{#z*ej5_h!qK(BatA3t&=J8G_-?yWd{ zvKgn*bW?jQxs$b|vyu|y#wTibj|wmy{TCYMSBS|roG~+>o{u}=;X`nvg=Miy=gyg7 zQa9X9dRhh_csx2=-~*SzjG&z;zH;SVT^$#e)hRPGE*lWbhpZzKhbW%}!8t<^xO}$b z^4V-rPTqV(1I+Kbm24UL6I&24LXm1QRxUA6>0mMiC($8$?N9!a_hgvR zRsbe#d%3N;QTC}*&Q?}lh+;%`)(OAFloVb8_Ib~6HF!vK#*Gj9`K6&@jN7bP!F+0x zJh(;QoMf0o7nhingxOd;{Ztbd4GWhttX!OUa4+F=!zp;ppDvtVG|$V6(H)Q;nifMH z9kFoyvmAJbLonpekB%hy`5(y6p0vxv*wj>v7(tCf6bBRD->CL~EHpMQfF~9L-HjQ= zpA!K6;3kao&v4$dg^^5<+cb|u`_GBU$SeNLxj5(HZ-0ISXOegFhYtjzmy?xM`|;yn z77AR1M$$ST;-f>2bQzEBvMDw;BVi+L+H{*OT7D0I7sdpf7zzq6P6F9p0Se4ZW|gC%iKVr`+JP>_ArdT4r1gMZ<%+rL~4KGUOsk{ehXAN_%g#})5d;^B+B|{H9N1f6T_+3BBMG84G)WWlqdh+ z=6S#G`#avl+r#a?_rCUZt>IkfI#<=*yL}_v9TI5<)aivHu)vI@4m#{J0kfUl1ZqjzDujU7#qS8v*>UD2!P8X`<}1 z`lnKYIQv;KnDZk1dV65EtWIcN$%6-JiXtc`oafs_*+!UWQt5bv2*pu9-yv0^^8(8# z)HB6H(Hvm1qkuK+6(O;*YGX#m%v+TCd3lYOEn3#lNBBnLxMDC+uE0FVo)HpDOX+aR zUpj3a&v1aYCpL+1r~l4!ThWQ#)HDxVuKtHWVvD-iyg%a)z&2v1xw7_OAy zt{$Zrj5inPzA!>joJRepFJ4Gwhf`J*Fsu=Z!JIu|!IC9?B8Z~eoF_+?)wwrx1(qcu z5$hwIk5=j_tHU`LjON|aGsgkT3iL;(DF(xE5Yz|zD(LhYHcVY`b#;~1L4;dIfZt(m zZD*$_#A}*vR1Ai1C#a8IJ*ovJ5yZIw=2x+29R&PKL?VY1zZ%oIgU+wsFYD^Y$%6d# z5D*!PQOt*7AZ%rltd6LWEEo}6o6F7)@KlfLerV5{-N>VjT{vZ5*HD!GhYtsvpwfC< zoKhtm4Y>dL@#E=|@34NA`{(>4ETDg8;n;Ig|I7~UKD4ay!~N$>`^YJKlI;*Dl|Fv` z57ptWr&J!F$Waw|E{?1EP$0&L%gM<>q&c*=eO$5Kuedua&s!h-u%yWllHmY7J;i$` zc*uAsuuOpIqoy}s6Sw?^pLIU^D#rEO}uMRC*4ofYj2Z-2ey#t<^Sy3I%Q z!VOl?{GunwQY-wn#!=3466URyK+`exUC*9zKsR?uppgDAD~la%NE`LN{!)Px`+cb; zM;xWqNxq<}w0}=Oul!l##;rNQVO%y!YleL~lKcvS;mqUifnar733riqxibS5@T0iL zYtO$xDspzAz4tsntNRj)xSo)nolQUZg2=YThxYF;eg1_mK*4O*tesb$Bax7Al6w2( zyxXyKBn=52wF^CM|Mzd+$lk*(aSa2*Q9DM3VC9nr(HV(9kwYD?o}ct+s3r2{Cr1X+ 
zMZ;?Vi|>G8N(%$F^mq5Vz46?+F$q^nE`||cN@>dbamcxW)QE;!5+DAo|6zhseo|2I z`Xp2CLPr6Cd~~Y4eqBMZyQ*kgOtH_<-K)_C3mG~}Yrr9F-l6afkq;>BKK~LL8WZt^ zjvW3~I8W{)rFkh>6vO?2L%6mNdm>Hd$s7-Qvg-sQY0E~@8TEDfiL%a!A=1U9WeWhUtr)_n#H?@xUkLlnsr}fG4ws% zPs=e#=H_d+ZPW05R&SL(a~I>!cu0lywpU-sc;5d#cj5Jy!6I*UzVqdO`F6TuL%03S=#SlSb1gTXM!MhFQk(n z-@hM?@N^gTa|IXMlCUH!Ggln_nH~bJEJf;{JmNRQC|| zYi}!$putZNo7C?_motc{K-Zr!+zYcyVa61FfhR@|KN*Y|ykG%M_zCsb9A6F}2RecF zC5SOM=y+|gi#%@N|A8UO$^2Dp#_yl{x`4bTBjXbo&4c?n?~c#AEf;q>d-WDBiYubU zp)PWNEKNXJL%LjE`*OkJ3&dZ9H?ytQnJ)Mhnb+3*B#;U*`9SCV2shu9SzfOhr?skg zV(eqBmm3*-2wUb1gH)+o02<+)9FwI_o;ZO_YdxZ2(EXqjzz~>LJ$H)5F5D{$-Q7$A zoI3V#>jYY{V%ajrMumq9I`fAlW{RK=zY zbOH6A?UKzbS_HBP#Wf|x)lZu_u0?e3e~M(SMF+dtle{DgLQ@{=ncSjK+kY?LWG zhE09zInZP6NtUE$F}!ER)BwDQxo z-D9UG2pm&l34{{hZxD5-tzX~1#0V8i!H8+XQ66C9f^d?sPfA$*=c8$q$C%YkvSOju zTm2PeAb|q!4WsM8I#TWzBRVLQkcG$yAe)s&3Vl{FKTbWW@yAEa7ANkpm8#3JB{*6E z+Uy{Ob^qRB{)f{FtdK&9`}xtn*VUsusB}rW!*^FGNnd*p3Z8n@g>&x!WW3e)GxkD& z#>!9r$>O}sQEyjr(4!>ESYch{c2s0@n_KwZbe(z!23#89eN{2a16*9{{IzQ_9_k87 zG%H?zK#1?D-fq!(J}_{APK1ZLYrHGjr_puVjHJ>F3%7cx16e>G(DzjLrL{13!^}ef z`3fb&MviQQ=(ChRGXMuGtUL9I*qCdK3Il8J-_OHRPo&FGzE0o0d z7^@|mTiM7pLhUkA8tHjSmL^((*&&@vjCc@j!+EPg3Jpk-N}b1ys7Em)MhJ&<9Oc2- z&9(v$Q=#N(CkBZ^>n5j^3P*4u%0r}BKY-mP)DtuFpOdz?6FB_2q-;{az&}-C=cAR zKwO>dp&p>|3wBPF2j+UIK#FBtVsvjLW8k7Zwo*KlI?w4)kAiVyED&NRdTa$&5=53g zKRgxEPk^7a+hZ$6DDMZ6uGCXzEcvMWQg0Lxj2#{2!8q9tLUU6?Cx4O9q)aj=YN<)QAEAZxaqbnV;MaB!w$60+MJipsXC{v6Um) z<~$jNM%0Bn_x*w}a{{)GyJUrhr*vH?lmt9Jqah$B=KKdhmuK_r20XVx3gQ%Rp%6^9 z#EAT>O*om*UkV}^@ONH;=y&KRuP;2yZ#Qh#}GZZnO4jiI$>DDcku%Zq+D&|T~_D!@89YZ6ro!VuvCvw3^<**X_L7u<7h8fM=E9< zIAyGnoe8I2H!bzI-4_uObVv!dd0Omj0A0`}UDxE(%AgN!h%9)Hn-^NX50Ul}Q9h z<*wK{I`)ltT4Y5NG&$Sq3})HMUT9DwoHm!;Rq5yN&-IKV{aUX`U07Nm{*6fFu)>Ne zib%wjw?T?y%sCg~{Q2|YifdOD0s6_dCbj_qB$teI73hjkq+5HHynqLfNCfQ?%y?9? 
zIus6ss)9fl^Q&w&Asw6~LeYN4AXC%65hyW93ye;Y)gkt36Hb=c*_@6XIRTC)L(35Q z7Dg=jU@hu&qOG%YL|tELAvZTyRtG|7+i*Z`Me_w8-9fZE=+HDZP-r3oj!48eOPPV< z%Ib(mOlV@%dqiUK-{0~Ah4#s^MIhjUs2v}XNS#DD4{^gr76Ng*a9|f@b9mcAI^j}8 zB7wS8IPDxdFW_toRUjbdS2<)-=WpEDsEDw12Z36>P6Ta79R(!nZDor%LIU-+1jS%* z58(}cEjlm2*aai^^MbjxMABA(Ev{_Nu@MAP$6gT>;I#y}+oZJ2x)v0)Mr~CLX6}hV z=b3HEoq+RDgCg+t!c5gAE>5v2n2 zt28~gIMs+mdNw-?eJ1a)mL0y}DgC_+wT?&x>1`8^x7KMp{u(8AC3B-oJD7E+)3&6F zgUwd82ea!H;V%3B>)eonv2K%It_|`65;K>jA2ggb{sJ>i_DHNurUB*`uP@=x!@rLH8I*t&mPBDcotE{y8 zLr)Q5pL!HFW(XrdORB&o)~=O4E|RG2>;R4w1Q4V-A6pve%{jLM)OkY#gG=?KoX45C zUUCzM2ny>F8ava(4~QmzzHw`l)H`od36#)&^BNc;=Km`3|Y=AICEwtduj5t z|I%mY)A%He@-G2;XWIZAz2HYo=nt$bd+(RzAOknRZBK=7m=etSuPTjrLrt8`-BBRy z68|p4Z|>YYMp`eSt$^DWNQ95lID0sJ!@wbojtN|~>R%)RR}QYPCDoBOIk$}C?^H_* z-uY6~?EqQ+9JUdrcFC8gZls*6&;13!}vnn4jK$cGn-BlX2lzjCB zG(2@Br8PY=IM{gwNVNEig&W>xZ1}8GAs!!zd+Bp{y8at#Po9Ak38XZ~-lFZ;>m!Jt z{JmejtM*!Tx&yh{O(tNJ)kntVgl}*&0N=>v#r@r%cS&Nrus@_7`Fn*nCxEMSACabU zBcsAzo$TJNn-fK_zv2a*8_n^&vm_+M`y+cu{LIGTB}TcU5x;Id1Y+soIhqdIlzlJxJ+D1OdJ`itppiL17JnaH_Yt+_iZzc$CmQB%LzVvn7~wr9$dQ!5+A41Zw- z{lW%1ZM&rGtyha(K&-GaSuSXgY?lFNEb0th&od3&+9vX(U4(oW*}eQ!&yt^p>_|(q z`R}JA`MUud{}Q40Q+;f%G{7}^!$p_EXwB!7UBCScRxwTgOr)-Bprx{aD*rZhlhKUbtuw<$HX zPbROr80lCyHB{cB&@NOy><4u_>x1GQ)E((37v!N%+%mEC3QMM|JifTVdD5f}tsfLC z)pDnM#23RVNSY?Tsd=4;ig@)@Xj(6ru;ABoO*OSt#AF4I;68itqv|_Hw0yGo?KU8C z>ucHKQ7!L6LesPL(&C!zLgU=d%8D!Zp2uw0vI=_QQh;Z)UjJf17`>J?hz4IizJF?k4JtZ(Xv;_3OvCtX;<*V|KJIlDGvN0d8AgNqZ`po1!T&~$? 
zpDz~-%Qe)|x$xU|!h}6z-wpD#q{-O9(lY8hRX?x5c(>{s<>g){yQrufHHq5p=cOKN z5_Lcz?LVLyYrVght)k7E7oOYuU@}?Zd>^qDoU#V zmhQ)N!&VxoZkT?jeIO0|Hmk~hZ#fb9=joywL3nD%chm0_=Ndk2@3wTci>2lMX}k0P z`UKXE34MGuh)DL%`IcWkY4G`&{Rd~}P`&<1X{9(C2LN){h}7@>?(RN;n`U|z)yX6b z-L74;zkjN*Uma(@CwiA<-{Qr%Zvglr;z+D1P=>>;fdQ`Yc99(6%i~pot|fRQU1UeY znpb~#YO!aC#=L>WOj(9EI8?=Y$$|yvZ_bp;YElCZYFba`wsrgVzP)-eamnAZhmYZfml=*N~pI3(_^5@c|`3PyJNt079~X?OLHQeTa-NKyRMyve@~5Z(!q^HRDuQMBQwC zBRWFF!7VTYFO5z*6`86wr1dr@Qw$`1{qHt!klg}yhA|$S0?zzBnKJ(^@8;y>5X68* z7Lc7@O3&WCGtv7eYWNg$%kcj`e7dCGk$pR4%m25b2ne{-mh1XIPij02CKb8NY(h%r zo*=21VOZOYHPf}sY~|l=AvjLZG@VRM z3;Am{GnNt<_`~d$?a)AtpH^3Kvg`kO%A}qnMvUM=Kid`U_q4KT*T|(eu3hVJq^i1R z?QhcYm*i-oywBLxE79I(&F%Czi3 zJu+V6FrI|+Pl;rrz5OlR7u6TiAK4*2U5bqq+6c7wF&0mp93}w3Mn5XAW5O6|G%O3x z?YfaQ;jA33MN65$^#86L?I^@*F)MU+eTguIqx9YIOdg_qAgePZ^-%jIpC3OWxj}D& z(>!sz$sy{jEW@*<>9=K6Vig}FPAPU|6&Bizo-5*;X(L%kI*9>ZSxCKQ6zSp8B9PU0 z;@0!?_f5FJ+>1v6e)gEzCXhJX-Jg=M!8E$^+3fC$se0z>oJp`8LI74$jPo*!ygWTG z7H6E9YiH73-hNGvmRNIbI%)X>icV9j30Na?099-p`swT2OqkI4>kIU&Y2%&N7>d(6 zNls|_y#E{r62F|*@zwa)ekCfQsVZkq=(eVcBau)Ud5N>F7gnyV zF@T_01mH)JMgM;%*V@)rvujuCtg$P-X^JWctc_iHuPd!kw1*Zk7?m_wywGDA8>8ZYxfWJtjA=<&M1bFpnY&^-(lIIf?$v2x zI92ly9DO2R6DF|P-gW4D)ub&4IGoCgjSPw=&2(5IMvUzj^O_+`nRiFk334FBxe@Ed zio@0PVk}lR5iTftBtHWW7bq_bxfrEv}+Yx+_5aF3!*Oatq4OI zkMOWfv%1ozUAsQLetqTf@qz*^W6!oL8t&zJF>&ET1#BA{{xf!_rWSykF4?kSL&p-M z4;AdXE2X9Rru1_d$;gYCHGbm8_3LfJY4RAXP_lc?W8y||_UcrGf*6!?`aNts#mH4Obi&QqHCOHtXEA%#fG!Xz+^zg;?53- z%><2W582UAnosgh!_qN9v*m~Hf(7C{%=_D+icPn(GaHFI0-?}{0njtalJiB}rMZPT zLQR>Sgc9<4m{etw8yJUM{TibT++GsAv-KxH=QZgqOt||O>QSWe^^OgX=HV=@R5CP!&_iWR)yG-9(;z)WK7Trc5 zFbimVJ<8LX6tG#uq+dM&aH_p^%lerC2O zIs!NfCM?A(x)5g-_H9{$S@cMD{JZ-{yK*iK%l!b<8on||zrJp~P>3zSrk8zU&Y{}v zHF_%5Fkw}gjuO0d5;b>p6kuB&dfjho*Y5bJ6Ww%%4*d=g`i?F6pI=;jxwX?*_mi`I z3O8-woG&@84y1oFfm>UeH$d_i`$e)D16&etbNi^tP?xic}b z{$s5vmqo+F-&x@JO-lo+Gh~_{vnqMLJL7MfPJ`V2`m8r_VC4g9dwlRbYl6DQpU(yv zNZ>PvZ8_gRbMM~immO`!k6+ikkvc+CN~b2-uuQP8du!#^>|Y4AohMe1ZvLyk#daUN 
zuF?)il3ohJ`VtS@jZ`l(i>5j`{i4LhgI^M8_YnjY)bt7|XIJ|^zqi{TAny7Im0Uc(Y+2{ zrak?w&7JjCou}2D+tKjn`RZN!-D-!2Og=DT_s{psmfa}&{CU-*yI;P&c~`qQtoZqr zE~{3`W#?1O78xQyagHInb`2kCvwEMjlV*);$LP0i(X66IW^?=pAI+*4XDo7|xRtAXLmgxANeNDF+hh9Bcq1eI_w>d(p<+QyAb8-YF2(>^oPsOzr+Ss$vC9a7nOImLU=)3 zn+YCT6Vk=K(GUsTaO#8@lu+h6h}JKJA-Frm--L&enWFuwJ7B=%>KMH)2E}{~Cnf># zZ^-C;J#Q(q`*eViNiwZVZ-mmzi>mp*R%r{69Fjvg%n(*$dR9Y)F577A8xY_cu-87( zR3%@qONFQ@3Z6~fYx&>BGuug}d-p?c43hu3lf>c=nRm-NO+U4Y5rT=p^~55YnmOX5 zS?(>BZa@`qJ)^}y#d~j*=zWXKD&rMZZrU zOY!}`iGPf;a3@X8?Ud&xwEpp|fPh>&=n2+W#j^NzM zQf7<4;52B91yGLZIrXY^c)nLW-SI<%9=r1HTVhr6X**;$rop}ghUaFlc$7pvI0Is^Tnwkk^;h3JwBLN8_a#=|kigLj&l9mTM(ZXnuO3&D`bQ zc};49-pJCe_zxC2qw~}Os{OoqEl3aF9dn&L=FXiUAs17g!U`D^N^vCBq4bCHzge-ri7KuHmu2Sky|E{&BjM28HDoY?*O-`?y3eTFar2i}i8KJ9|x zJXVHou zHgHG9!!|8xF=xTImW+yvF%7tcz5Lr|oz)^O-RRT7ie zYFA=!Sj33Wyi62Jre*`s*>V8Vqv9wRbm&mD^z&>whv*QAogCgF(wrGg2!de1f4;kI zOH#UKnSP?39-R$FLx$Lg=$2*bmIq0hRgeV@18(7T=pDp?x>D@~M}+l!d5I+&M9MJ| z-J~}>2b#*xVHHv8m6n!nD}6x}6khUi=3KS(!ycr!Xosn=02jFbjGhnjE~fhE)?V(YvEBUJYT1{eu2k^PpsRt9O%08?@bNu7@K0;Z)zTl( zlkCEBrVaIH4O>M4DII$G_o-i$E5pRlMOTYdx#fngDWhDDCt4&Jn0;64+M`*%<;e1Z>(R5jooQA3!SZHzKa<{7ca~l(jZ_ zoOeEUrqFGSU{=9MSH5~yh+F;kJ;G?p)4R5B_xJNFq*?{&f;j?}24cKSgINtZ53RA8#HI2edIN&0F0Sf%S|l6aE{n1SE{v=o2T$k)HY zjJ{E$T&tb+UD#L7fBPksivqC+`W79`0?c0^?DYr zt~*Yg7)rDxWa*Ly5_kM2`fl-h_I-KFiMF=>k4~LHl*wG#Xz0+69Xc$dA;Gx~`hd&| zWU}c^g3pCvWBBBT*GJyR5Iw!Uog=Dr2L%N^LE1!ajv@0-zymB33;MR#gRg?$6h_PJ-Yj zLkKeTCed)rRT9{#9cTjRoJ21cEJ;*sL_%g&RaHiD5@VdOd=%vAu#OC~DLTA(4`nMi zD1Mj)q9IW?0&)hP{RebpYVppcyVplYv-e5EbyehCPR#3_@XPL2p4WlTkN*6ydJn|u zvlRm~skyN-3{Nz8;WLT28hWnX=X!qqsM*uu5<#aJ|M(F`vpENjI!rlW&YZin>tWs) zigu8oM)gb*&NwgcOLD*IJU5<{NZ;k;WxLmJqGyP$yI$*lS>1<+#nbzq z4m#I#eOrU7^I3T!2eu%vgMzpe9Zh@YWSOH4nCY3fHJVmVY#a0(|G+?=K@hRf7`FkZ zb8a0G1wB>};v*HII75%?zI>PUFx`$|9#_?7B{eVZ(;utO1xO>5N>_QDaaqUEK_l0@L{q>zS0} z@dDWt0_Ce$tu;#93gJO&Dk@w{0V4@px4CBQ$NpJzY%cKXik3-v%34|ja*hJDz#$+^ zh|ZOk7R)SYlEZbZ`h{AnHOYa!=EKdiOG`^*Crgrm(vZq5;0X{5SxF>DrTSXaDN*9& 
z-y|LC=0xz{D~%3HL`^f7g{X_h4@q$R^0>0mJ%ck$`Jtt|Ekf+6qpQgv3@H&7KSCh2sPDO5B8y;pHsF1v_y9pLTF!Fr!-J#04Xs zAd9lQjn$ir0Va;9xOPoP7j6v?c!SpH2b3GD4>~NyJ$CBYaWw5hm*ww+7BCgvs*m#; zNzju%oRvQnTc{yl8_-3_%Gmcg$wEgyT^-~Y<%QzrzboiVOSr;pi5fyk+6Sg+B^-Ej zD|TPbN`SC?b7W$Eg|XZ+GIzISxO6#n(^t8$|D)?*AI#|cA-S_!Aq<*yi)$kk&O zF{DWKrbQDSQrHjl@yUF%FI$5@(@N-q#uiWELU-NS#j6A7%n^^L$DF(8baT|;nr^TT zuI(n+`}2%Qr_G3>9Ozv+2Wia5#|Hw9FAfw7H8sTY_B3KrfXe63pF_EE0ai$|gStp% z%9TwRPJO4VkVL-` z6X%!734(qWPm4e;#kUvkA*+{XUMOK8f$U+2oK)zg#l>T@@5w!T=XiMhUfuj-$GFCS z(LZ$VB_jx`CkP~QouWS5GwbVIz$VT{WJCm{$@LKtbl!}setWAeJEd<1FuPpoGD?61 zfz>@-hLb{leReq~=-ep7k8ui{rNXoO0kZ)v)HF40#IX)SH1|6*tH@2LTbZl&?@vuc z!ipb|E1l}#@Ud!7o8{j9uk0M@QMtk7u_Tz&U@2c8Pc-eGipO38y$8#sY!Y4bQjOe;EdD(#Z(CC`O3W|$~- zXxmg@f90XSkadBaya@&AxvT4<%+<`!(W|Yk7AICF=y4*jy@^gml7XBvoycrta>w8| z?@g8B$hi&iU7M1>om=cbIA+U>SFaX!>_EXnNomT9-8}`pdu(KuHI}?nroW!vFp+LX zyRzPhEnW41cBAR+obooM^89(G>e#Dktnua$8~*Ie@87qNlv;c%D7Utfts7H1&mVX=wo5)>C!WY5 zhS5X5-MBmZ`}-peFOzW8K5+WPF>pM5l@Hh%$*uHpZ7ljuYlFOVpWeNP2HZ=m%_`7U zP*9+Lr?WZNECWd+M9I!ASJl*LJbp{+)TxdmLXKA74m`T(wN{d~{k6AJW)A59YcD(3 zU@%`qyYz@PCPtno%0??DZQFJqyyudq@zTTVz?L_c#4w#=T960NDd1j33@NwCp z%ctyWDqh?UAN?phbK_|fBiCE_T*g2%chVkTg&br>!P6Wt^eTuLe?~@ zAA}K@;dFQANc75}Ho)!Q6o)-?7VuQx>+7H189>KkWSH6tmmA|gRWg&T$FK$I7!YxG zmTB95eS;ljGwQ!#UoK7By=ea9Gyd*Xy@og5OdmJdzN>?ShmFlV{#R!(kYUh38yq3q zo3p}O9{TIVPY)a4wRcVL_V(>tqAi^apcc~p$$gCBlrP*Qx}AJ42)r_p)hjWjnklQsy0EZ)8T{^YCtQ8#ls9*~Mg|iJrbbKL0jU zjwK=;6w?m-rJ|_lPDUC0(xxRwxH=V6NCZk;g!JM5H?H%d9dc&Cr8-V11~#Gk6BN{=YuDclxE?+{ z<*}0NGy++G5(J5#G_L#$9RawnU(QvwC6@lei2M|lm^t!6P#pfBh0A{Gu*^=>4TcrqM29 zP`z9anLn@I8+VsaS3siKaFVL6xF5wbJrEkuF^IqxWS25-9z2Dk9vk-e!<#owA!BO@ zsE9?oqhkn8rJH2!<~9~Fy8;ITC0rEo;*?2~DoRT&3zGI^?Hu{9zB=?nP)g;+iy7e9 z5Lx&F{CoI#GJ~F;U5XL&N#83MkEpW#hg?iMciv2&?Y8#qHD=~{p3RspgqPK`%TY04 zQ`)wi{!au51!QWJ8h4?%hlFD6*S@5)2E9WGx^YtXX7uweP=>0^?WuknX2l_2I;J8`zLN2g#M)Hb35?(T9uuCQzRMz zF?M2E>N^Ue+*L7nxY8lFVkGB&z#E~q!iOaOJjByEnk!L#{qd|>bw6g(j>G-m9t44o 
zS~94bsp(020WA(pSM3ma5mg2hXGCCt@~%j%VTtu$-yyI8vUZq0{n&{UhjxtA-&4Nj zNb!ok8UHaO~sKTPh$(bkb=M)AV|ZU&qVQKfbQTdlik8SqfI@8-`e=ia&UAcW*xcQ z`=w#Oes90OkI1kh%aM0;JNvs5<%AgPDMzLzXw8awbAC-v*MkoZ?@ZaYZNjvgKjmAR zYo(sOc;U2cSsSxVqAg}hCsPW!l*G=~uY@oOk~$RWHYC~6G~~S6Jly^c1ozO)6Z)rg z9X4Ef{sqE6GIWG4?_Rw4Mj~78mAN*9q8zRJ`gdK-_GH?=CPp9)YoHTi;PRE9AFsQ6 zWWDlKN@zvqKTbZGp{f!ceYMa(x+{Mx;x(C_8}bUiO5krSDP6 zAlpp(xgk8dtH~|ewX5zNcKm98=)sA3xBo6(Zeg%L)i7?XhO@@mK0>-5%}4};&K$bd zmDmpP1dlh9&?GSt83}i4erz#r2-%F7XtI04xw9T6?Qp>KD(5-v*u9(CEF&%E%(^dr zGJz*MmRVH2hYfQ&{4+Ko;WOHjuuNYp@A9;%@%6Qingz4YF5mm&VAH_HMz^o>PrinJ zduH)v)tQSgw|5upMW~3B6>$i#AS|MsJJX%Dv_28aqA%a2iwI_XqI3)0*thN|3Tvp; zz%gHdt}}f|^g8TCylh}`Qw<3|mpJ?pa}duGl8Mm1Nt3 zS+VaKBOp?s@R~8!px4!n`lU2H;@!lSXA*9I_G|E|I9gAs0KZV_CbywmHs3QyvpxFn0E6Q63m zzk_c5#MKUBFBd{EmO2}>>M$=q*YSHP_ zRNxwcSn5kwQJm?(oWZ>b0=@>n^GHVe5E(Af6fA5BF>no2vdP&wh()5>Y z*6L@xf8VU_k7B+vJdNftiH$d-l263Rsap)sW5T-_`C!}`t$8=Lw>Ap zz(dy=dq6wcv?$v@!MOKXI8BWlJ0;3ImBeW8{{3ni8lo!7wz0oOac1~JtzP23Wt6#Y z(l7$%8P&0e37CdXVUh<+yzi};B-(XMPXwZaPRljZQIOhr<{(=VJAgIt(Nv4|j9>hD zzG04E=6r>A!q8Gs+bi)J>nNyXkH!PyCCP1hpj2CBp6?3X?7Mf%k<24U!eDi8TOXNm z$umh|h4<}S_CBhVakOcz;cKp?i1yW>QF6q!2pnRgdFr2PyyC1^NeDqwmgS@qWA|!! 
zdj48@IRHSS!*RxtU0WxlKVShGe*D-)kcGdQ*^-Jn%mhE>oxWn>*+BYS33A09m4;F+ zdXB|=NbheoODkViKc^s<%=OS}kk%${-;!%{QBG|;^H_CHDn`pW& zjc8kz(F^q*tV(nQ_V)8m%r`vN{BhphJIM}uLe^R;V`HEOQ+S60ta<>f&jT za_Su<&3|7^qH+j;2V#%&_11EAb899h7}QDL!e`Fw9U~Ucm{CoOaC1ZakfX7(W-k-Z zSas8XJbLUxz3IIJsq(kRF3?=q~^y=b#&>lpzZw9!- zwVt8e7%KE)pq}v5E-UpzeW>!eW#odZY5$@`7H`~ABi>%t7%ymd25o>*{r$&})M3hl zag=GWH;x@^fXE|O?!2!lTO4R`BjLsvBHlmP#AG$bgE}w{gro(no;}(6f394k0?LJ1 zNXR1wb($=JONr*>o1~Qfyl$cU8i+e7bE<(-lufPQ0G#K;27i|l**3s_xB&>O~u`wF|A)pJOu}qYQmQP|` zf$iY0+^Q=(q~~%{P3WDYuA5V4Y9Z*^;^v?N;Q5d9Ukt?>f#fj+wv^&nw_b(qR21DBy|I$W9E8 zR8p!VAmA5N2}xfuz$#L85uItrTM=rUso!dba)Tk z4Ig3U$}`2q#Zax#Kn6^V$;m22#N6z)?+pyXp~E!;Gl~W8 z*>iW9{>-Eax4**TMxBEejGNc5=PvO1?#VO-MBUMF#nE6RSR>-s0lDMga#Czi*3>Mo zxEg%(xM0^oJXsW4a)C}4!2k??Uw~{!00nNW`keTF`rBv)?lyMy4x9eo!$Hpw^sfK< z72+7Ei#Yv=!0H*Kow~Yesxw?{@TP>A7<6)PQO zBz0n5hhAg$^gfF*FYi$W6^~%y2MisOWDHs#-S+L*PqU&ert?(TbU=o2lbS%h7r{0m zudkaCwws&xiYzDua{}}RLL*D5cyM7M*Yj-@y}^9rNhRfh#H-@ct`ZK5W=7@2{3Qa2oC(8&o@H(z6@0U#?uE zdXxG&>H%u!7NbJ9{EjGAQgNvMBl3@hT`vFbToxuTxb??B0R00gXRX0^h-umCreCmJ z2V(Te{BSYsAN46^1sCK(DF_1~5~i@|D@bULJla-3Ab@@4ixw`P%PNL5W8ygRzgCX< z>9UWKPbYPwbdG}ZmeX4dJ9gXvbe_&(2pzSl&Q}ANI$uska1bXG!_v^J7~2&@H+`mZ z++|UPhhb3wC(#Ty4S@D8x~rSdTydrJ?9MC-_MyH6a>H)@_tDZP*PdJ2H7qC(8alV8 z5NIkt_S*C6&3&g*Ny>eBQb=#t|5THjoOAd*160O_4ZBC-eZd87Tp{8;v%Xf*J3K=nDvwc7mRK?sAkRyx`N47`YHj)T`}dd2 zy+LPecNxySDi*K1<~ZcsK^Kw*SXy^6lHCXz@r;0q_wT7YW_J)ovrl0RTFu~=pO3qL=Va{y#;Z;%&{ffT^^goJ@jrh7QX zD7WxuOzLv%ee&>(G&-Kxb42p(+qEOM6ohm>lF!>?=k!k3)z47KY6LPPxBT2($+OwF ztm#-H4+qvA@hIKI_3j;opGH2z%ayFV3H23c&Yq=Ka@MC@t?}RBz01XFSH%@|nu7Uy zwPdzx++_|XxD@12dDm61rlAnA3t9lKsVA z{nC6Ne2Q9cQ5W&dj=Hf*kwQ^+_DrZe@S6A&TP`abhQVww2}~x3~2*90LFLupN$WHPG9y! 
zX5Q9|1GmS=E6jh{Ozf#Y;@}|4-tbq}m}x7@QZ%IoUU%?fC)#RBRYkk6l`tnLXg4&% zQ0AUpE-BetzX?u}%HLB*UYx}Sjh7%Klj(ag@a`NBk1tQ20*#n$BMYQKo0(+#Ba{*~ z=6h`5*-onjn1Z7xA9<1EM97y@?=m;<^FfOzsZC2 z=oYvIgJkevA~Rc$kD&lM95!BHMNV|#LLHhiFB7`NT_)T)&^+m1=qu&{r~q4ORbvdNNH>KR_XXBa)N(_l&|?>uW1~=FB;;e?JIr zN?Hf%4no#7YPr!_X!yHh-VXDE9oj-o z|KC2FX^EEL4I}5!jS%gJIiUmxc|$it3_A~`nFdXkP(`gI3tjRtZS&^ojn6N8enF{% z{S8Y2;#jmFRn2F?#jk9;4qKqDB!&tIW=n?nRiy_H;G%lLvf6v`7#mPgwk-ya4b77< z-(v)$z4mXyI@qI6-PqGKxSR`q8Jp2rY8#CI<=}d6!l>zj3l~nuV)w}qITt}NYi1lz z1XG9{SJuzFyo0p%*_M40Pj{wb(&^JH>YM?^*<^QG)>| zim6-X?CsRkvC!nPos+o!#^*)8+d<5!_}~#N(vCEG{;a94-lI%DP}t+O&Frh+i`70R zz1-MI(hy8o+#rS!B>{`2xA^LO%A0_WHLo_ zF7{eo(Zz@9)Dohzfy)=bf0KCo`@8%aSGd@lD!(VCmu}szPx_YHwDo0EM-{ZLy|8RV ze)jJiEaaU(e2{?&&NKsJ&`Xyh{8MFo)=erBveSsQMQY`L3|O0^On1Un1FkwD~Mzk2mQb~y_4{E~N8*(oasib@qb zhTm*O@`X*{)g+6^_3O8EQ|sE* zM&eqhca~lgrD{@0pg9_uM?ttj)9zC;Gg6c|2%IE;%$wxW?KHQPJ;~R)Xa(Wa>ULXL ziDgt`D=JnN1N;3*Vn2X(GKO~{QV!FCrsm8r6!FUk-Yv}t3@jZB|CS6!m2GMt1Z^K7AVK ziSPWoxVZVQuim7uJ1|Y1lkD^invN~lXWeVWvakD&9b44cV;R8%Y{a+stjFB^B?ui% zCrHNG=Xp8zSVB0!!n>Ya=S^fP_`ui{ezkK|a`<)?>p~TQG$xDfJ!g)UguOXngf>M@ z!Ypk?S}4N;SI*b`m{I)u?wvcYCPQ3F_#2iG!1Ovc)8r`S%>%vN-OVH*7tfj(4^r>i zHTXc`+~hj+6#j~&9jpp+U9(%ZqTP+pm)b~610iK_N}))z{gQ{Cd*jf%yfEML z6BhsB!yU$V2($T}+L&83=6!zltOf&J>cq3d@}qX>^xsun()rqjVL(~l>JxeHKIWa!2A`pB>kfNtmf$CPLVjU#h)L~(pCf{c}+!T0bqSRjik!e0K@8D z*btozcI2Q^dZ}$CWNGona7J~PBLeBgYA%t0o?cM*e{ycL5(KqQOd!&aT*E{DbsesTxdM-Agp+8DPkROM!MQ zC4}?5NpscusHj1uj4K!?Aq;Yl2R7Rr4Hv&hsS~as`VGbF_&jp!&eeDabuV;OB_R-* zOSjTXpakhB()bSg;JUz=%3krc9x%}2;*IBz{Ye4esI+jjJ~&LJx+WtBmAHtF#wHA| z(G`VwyaKAy$4OL_l`pC9h-}XIJeqx!tH}b@ zy*Lp)Gcd-+rGP_IL=f30e$rN>HPIA4O4PRxTd1q_@$uR1#wIAk>f#f-cm;sYNK^=Z z)IlwJXK*8fN@)g)*3;9AHhzWpkA#iv9#5-lO0+mUQGGj#qDqVsA5_Yg9wz~S^@@iK zrkDix&np1pvjjxpiaN2eni7+BB8^Q}{0Ptm>F|lK*fw~5G+6p|^*@Z-j`qXm#pl6b zR<6c>se2LO^vuAD4laFFxqFHP`|lM`^))=2^t41BSt%VQ7%N7lB=!;sXpwKcAz6Dg z3Cv}6mwfLIN(^bKp%F=sm zpcp?g$M`(XsbV!*tcDk+Q&*QML8bRF-7$Vlz>YT-y;~YGs$KyAW0E2McMM9m?%v%) 
z4AV9nzxw=niiCNp@p)n_Qq9m6buaLH$&gjQLrU)vrN{WeD~Qh{>=!e*kzNKonrNPp zx)-IhUKwOCMx~UOV*GfN@p&99rD_l)buVmTpA48jgGzb&<0VLhxW|jVs?nmjuR5ot zhY~Jrqj5o4^J-n}m4Vj>wv&YU9)6|wfRv)IqHt)u1l@jJ;7k>-4{Sxr5Rlf=dvsaG z__0yr*?Jq5ssU~^yf88?6*c2h_Vxq`MQERRAh6hIcK${6kqjD80>Btt3NJs}j~FRF z4>O@$4gFce3xK?51{Hmd)f{hP^h)*93+kkmM3-v3gwm+)yV{cjy*`jvOKx!_OYh-D zVxs?;rq*g*fBbltacSVpJKV0$_^1$C;{TX)cr%B{cS#phlYvwuaiL5@g73>zz0OHa z1_QniRZ1Bg^=Gk@^WD|8{&PLmx|f_)i;=jg9(xfw*E4nKEB`BDffL_;?*DJ-+|mUu zvMGx{o;;h{$G6(pZRG6VTgeZnJ$C&4r6!?Yj&29F)vob#!FMd;fr$t!0CpJAE@-4_!&wuFjf$uQH?!>>H=&{q1)j2n01O!ZPu z`JM(=+qm*f>HGZI=u$;rewII5zOA%Y!uq?J=U#mYU3u=s@H-hJSBO~`wtwDUKb^Qc z(xOw(N~QIb|2I29tBLr7Y>`L6m!0ANUJQ6H{=itN-kCY zqM}5u#0y0#B;~d4!~LGi@9-bHZh%^eBp^`$1{T(%D({+F5D#bAc>0;{o}NGa$IsWZ z!B3OrYPy(zaSTEp4<_@A#dtcu{Nng;fBojfAOFXfM}HVkN57~4E|;V00lj0s;#XfB zU#-_Szkl=Q7fUgl-ip=a&Hs*Ov(X#6=*{t$M}xuR8;nQm5&v%U+tGTx zoSxsVCxiLudh*5b`RL*wm&?WNe0*G7wYlzMF!57YH}@yzG{Fq*9n89?#t zPfy!RpWMskbo}&#yLCmyUB-9x_w*v_SMqT>USFO49O)}5?tT~P?mtae)AQM+?9)%@ z>(*|6*Us&CEg<(14{vX1amC##ozU1%%*51jLYKGG@nrRkF>hZ}ai^=zWpAFF_ucCn zPR)3_x|xmco*u&PMHTlN&DT@nu+eHVZi#8CsB%8KIax1Gc6cHp(&GHTCl~9;SXYaW zhYYEqn_-lT#e7cVAsu>hv!Lg7)ehvLwpjdXN22DaWMz}(=97N4Tuy)azvbkFY;S%% z*f7rK!wfb<7(M#ch(`3&{i{bdUwnBRTRvTn=Ht5kx2ov_yHXxfQ6d$#BSuQBz*9^_jm~kEr=#(tM%P%vI{UF zGAQn@>#`i%+1YY5p5CsWnlL4|f1cx+RvvxT{L#nZ2@vT%|ACu5{p4*3$I~o9rY*lj zC+fPMLm8my*bX59ZA94m;%!6{z(Bky&GJ6CMHNsU|L{;kh^IgOk5raxo7s;abax(&0yI{kLx}nO0|@mPOs41m^MC%opR7MFmj9r~|A*1~;)?#9 zPiBv305&w>8mj>%f|6<&NI+|)V+sOAQlLPRgp{Eb1|oinUIT%+a+%EUcV!LQg z%7=P|mw|kk&SnRI?3VrYl|SWPTC%jf=0!6&o8FvVEtb>&SK|~>|F479jzc90|a28J0!NU+db7gTu?Ps>WH$?8c)mF0Gr?=)Md~ZpyGgs_jB7+#Bo@ zMO<$Cy|V2ht_nMb=JkY{zF^gbq9GuVuCQZiSkZtjgaD$3*mhho%+f0XdTYfy#e}wj z4MQt7e7HJ?#wCf0#IbRv3uCszY>*0h?ga$tKLdH*#uO%bp5%Fw=SiMFFKhlf`FUOD z3RDZOz!-MpTm|PsY*)ZYmbXWQOa;#6ham)V4Rw*%JTK3CqqG|8R7DxBBO-VpsALn}MoqmY#?*Wd8l&!{~ZCyQ2>{ny-!r`E&clu_ql< zy!X$O*-sNT_LH}Z+4%8e`|{7R=N?LF+wah}ZU(w-pD(h}I&jE--- 
zQvTgmaP3n&$;vi%z3g%MDgQ{-w2z$x6`*l3vT_2Q?qoIQIKEs&6=Wa*OE##A1rn{s zeC*X&)i_HpRl%9wMirpF1(|C*s8Hp7bqjeCod@}S2YHeL$dhxl4L_ ze?qf%^zP4J|BzM%-OyE~aVENYg>?0T@OI<6WEF(9*vaZ32(v-T!`lb~f;FE(c)N`$ zOyTVm-cI4|6yC0{U|kEY0IhLF=up|XuAo4&!lSbpl1o5lP%qHeMea7deY0Hre0OyE z&)ex3lZx$V(OqSrNyYYC#Wt>?CIT_23JHc$RV*Rt4H6)$SgrvwX45CE$11j!DNHIh zso11qlZvgcVnYkAKnLqtBw#=n*%jnSR=D6@hDLZ5@|*zby2#zCSbj8bZ;sx5f0{IG zHyXCmJd=j)W#ULRE|w?Suz`ChFm2Rrqjwl#-6J{S3}W^OS%m)btqK!b){Um$8=kJyI|A4!_WmgX9TGR6#zFvd#w+@v{lC(YUB&-i?~lE<+0(N9s~ zu6ix~o&IOF9vp1fdq`ig3nr7&5+j5-OvB>0j?XwM_OU(g$ugVVd~^F>)hR@Hc0nI~11 zcN5isF{4|a&&y#PB%F+6N809FIAq;}23~_VXkqpas~HKw_=nROeAEumErBIpkbFV% z1s$YdO&dNy0SvvsppA;^1qvi59FdI5$N_*NM?h{t*GBGk?;hRg=$q+s@^LgvT|GLA z{ZtxgO3U^$Eo)oYZro9?P(lFGLq(58A2LD)fROhJwJLH}wsM#ym-04f3q=o8aJ_F8 zDqoV9rFBqMpV3zGvR{+t8<+WB*TRv{UK#YnZ6I}see&}LN-|WI_azK@&AT_IzpJoz z=J1e(m=WF?u9Hv*ARRc2TD-q?_}`YFO$)KK5R06JZOI@~7WT6$kQ5#j=0$4GXiQny z$XVDFXL&W}8z|pWti6#!KS=3Wp`Ee!C7PId-Ue8#Vdx)XpKnk#%>65^Fe+c%Xl44g zVA)-AyllO)Q%I^i?hCIP?=u4sTJy@(lO&FLkRJiz2FN*`(OM-q9fo|EQ(fHGux4pv z{?c~iv|>rAqasIH9i9(8;@?Nv z>SaBQU5oceRS+^4elxO$=mDb2ah6^Rh@o$rjjQ$x`;LyA zz~(zeP$=LtLO_6t+0I?_S**ojB*tc+V97wG>4m7D&W}d(`R!=BoE#-t-`!@wGVA<2 zT&McYsrts-7%&K@if-!4MD2QZ4`hV3Dtm;hrAw+lsro8QOsc-uO?uI^ps1X6Zs^%{ zMcsOfL`^vm5KyKKX?$QsWozTUik-JD%wL_1nS<^!W&o+iFJ;V9#_ZJ=0ikWf4L~T` zyxFJ$Xf(p1En+7CKFbNTK-S=5H&!PTTve0prf2>d*{Me^Yvst zAC)PZ#(NiN4aA2m54p7)sF+(92uVq=2uT@lLYDWOHr!1_c@I6_y3ooL9;RwQd8wrJ zKwRLhjwotSpx4qWNkYn46O>A#CW)G~aUq3ee#Jr%E65T;-hXP#W2B7>seRmMUgg(# z;{wSn)Uv2luwbI@T-YF4p{+I9BV+|&5|bw;uQbLKVee=1ukl_KS{w%NfJ=cPL_I>} z6A}t5kvCQayFsphcuBYQ3h%x@6{BChRrRV;KtHo9%_@1_O z^Su)&{E$z9j~O^aL7q~`!22bfc7BLL^?BP|vpG8?Qbr^}^Q5fwHW==}Ter*4q1_fA zS}pQV>b#p`WhnvpY8TVG`H4~?-?J9AMlBbl(s0*xX@<&(KGf2_|K(q+$>?_Q?f2ij z|0?OzuFBPRtTE}*Uaq2bbOsI%*C=5HYhzLxr70^(C+#29gWflY%nxhSZtg7Q#r|JS38Y+o{etT3tGgLr6pgy2x-YD zH{RBw_%v3cL9TX+>6q_fRHmGenjNzUx<`)rZ>N8JpFDF%p1IU0lY8!YJlnJo&o*Qi zT3B!5hO~7KLtq@$HmLlNmlLMfVeN)fmm=FKvYjH^DYD%_tv24;;zVAeZ(_!_a}3Ex 
zlyNIi#g+3;_eZDx{o8N8O**w3omyg!Nu>5Oxb0f#4*@#QgjsFkwuji@6xlZbmA|UJ ze(#c`z$w9X@^naZ~j^3y{lbch`A)8rdH$tdLntp&*fh1I>` zD611mbsX~BHOjATP?7GQ9ARyOFDlMd>@2VV3Oj~=#rM|wq~Hr zG80ktlBkSq9*?q~b&ZOek0?+;*pLAV85~1u?9Y17nnY5ahNViZGI3NtISQI{6kvX~ z6-K3~0))IHNhxKyvd##X{m8BIFK@MIZGH7wU}dr;{+F6 zqCi=oT4(w|PLRl{qxL=J_L%sopZtW)kJ6Q>6mnN%P%>sW8fLCHW~|(1*?hLM49ch@UF#F%eWh394~Txw3pBW$v(S zRDSw|qa2q+fmAs^$v(6v5SaL>BYrA3$3##4q$k%reJ73P)3r#@pw&@xcm+}rRs&Z= z0a;)UjJ^+ro5G|_UT2xS3ZqOk)lZu8Eu1Wl8(HmT)cr3HKngPC_H)e^mz`2nij#M> z>7~LR6G8Qppc>bd1D~2Z^ulwafSC0L8yu86giH}jg}lcTzYHmtmpJNKlS~xVONz41 z+qGK}0@*`wIxaVFMcdrhuTM`;t{3y8??;!@#p-Bvx0)?3 zlVI(v(rn)}lVa`XO1g2mz7)oo;fWMhMcs|P!6B(?l*#zSJ;GyLZB-A})2A0#zx?ZZ zH2Bl$+c$sI^o9Ia@l_0zKzgMl_!9{y_?xZh*Fk&l1Az7low2c5tio;+kG*al+c^wX z-t(AmAtET9@_GKif{z;(l!}(!j0E6#-3@4czG5||ri#B<%;#s5`S{txQ7gw;eyO+3 zmeOPg7dN{f=OHeC*iCtGG>7z!ulDHr{$B=HWFyRCWD@HInS?tYJp3ysDffn2@@Ck) z*_!Ql?TnA~hH-K=X| z@?8X%yKu7{$53E4Zq{auY%Du79h8ggWh;kSdZ~4gds(ej-`%W!iI;Wi*YUCrT4?5q zLGkgj(x|9re2;`e8wWmnKvuFga+kg~dD_nUxt5z`^0giN+9q_0+l=U2VZ_5T*RFAC zveJShInCVJVGdpkzd=Gm%D9nC(3TSzb^GwYhV*qS6L??-TO0q7z*Zq{1{>X@!^^!* z8SIq7P8sain!$G1LYp}+&5-Df%;i8RZ0-g^p@Rq*eIHu&o}OG!R;whFJ8L&r zYL-bQ_cDR)bQ^-zhyGh`XW&;T+>|O--haaA<}|4ilp;c$<&zkmYWEf`fVV7{@Hw=01_u z8Pyc*e6bu)mWMBRK?ez7LG^u^sOu(Z*x1gNqw(~1_0)u^7e)wL4zo3H;_ZYb7l9-u zBC8gc7fKP3CLms2f%iB>a#6K`UqzU$g$YdiL{gM3McGo6?OA{DHQC*`%nvj!zXn~1 zG@|FY+K_;30ffM-S1BAwJwzj*b^-Ql@B?j3;30m%2y!#rfKVZTbl@c;b$kHihZbH0mMm(3_&>3EiCh_@54U3qtlbo`1_Au z!eE(krgTL=i~K_yr61Z2X=$ab!MLR#&N`i+9Iw%G37`)yM@F!*Yy2xlS$-vW$UkPN z+ncaiiGMq$;bk(7WE$nB(Y)2V=e`mgkVj`@S_a`rvJCp$1`HYf4NBrB6%b;ZM)@eq zFEpHv^}=bbdbcmg#;9a}UTgct73@fI#&g;mRn*Md28XlkMYdgYK^QK{K>SKW8YtutxuUY0NV#%0!;Y>@L8I;WAC8~#550Y?Uiuh6JIMF!sg@~_oo zbUXO!-FJzsI@ z5A`vD^XPP`4yNxa|7F|%t9u8;T_Q9u$VH*;5FGs(Tudu2aI7E`c3Hl$)eON44Rv9= z-Pkmpe^`!=-hF?X9BxOU_;SNc{hT7`0RJHCE`x=0f=7e99PM@6}N{U#8WlO@=Hxo z${u`=Ys7;}rjbme+%&KS(*VblMpF^pGyr^YfR_xGjRPeYW+*-<%fvU1@^O}4s*J^E 
zhplv9Tm7<(aeDdV=yFHhf8s6Mf}&C=acD)5vGZHfNFX3@IK4%d=o}OCJ`ODLBzt@~_k=liGjP1#NF{ zS7kB$#${|qXf7m+88kJyr2#K6H3#n@*ZauFGNF$gy5ApOSwHIh64S79Dq`W(`R(eg zP^V9g)d|oN_3pgxUl@ea9@PC8^5oor2+oqSqxYyo3rt?5)p4V?mEMut9iPKXi?*iE zk`)%UbUaxA5VL;W3UiMn2`TfeJvAT5Xlet$hKkTuW-wKRri##15t=GOYicTxjmxQs zzT6N+%$ADG{0;)4XcAXG(@GdA$*0T6ifVssB{2~tw4sZ7FR9oMnXNf34I&3xdFxh9 z^ZkO}xE!3`U7s&zrD~;dVHbEl6~GRIKpRxlyrdJMKvImvC)ohMX8lRO=NS-MZm5MbaWlGHFqs2cQ*2oDfJ64Bz22_a!t|xJ zX>te29VB;9du`gdP@2Rz=AACIi7WY42$oA*99Q%NDf4W)seLfw;S1EV0hY44&o9Hi zFH#lnn*leZzunXIMoOq5ciee$VmPv3@-Hqzv|ruV)~M}hzk6}Czj!?x-A$HX9u+U> Uzsu$5`pcvL2N>JjEcNaI0Gie3_5c6? literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-v2.dia b/doc/pics/e4-v2.dia new file mode 100644 index 0000000000000000000000000000000000000000..8dc3c4062bb6827cc0d11b2ad3ce13f1c08a315c GIT binary patch literal 5697 zcmV-H7QX2piwFP!000021MOYiavR67zUNb*=$mt@z|nNie-J4p$v<&b?5L#VxXL%G zCAlJT3<3-QO5(XV&yzfdUo1Vdphy6_B)Ge?!ZL#@(+0iR#teJE{`zOS|M;iR7n8xq ze7+dZrq2(7@xwtrJ(-=3r)SR(|Ngh{kL=-}UL5@Kbe#Qx{yCdx7X$jlbm8AUKRjP9 zFaPlD*{4sR*yMVVEoXB!8DFtQ{_Ov=$s~J57d<3_Gzs;7*`S|#1 znGdGfMgIKoI6L|6Y(Bf1o*ougt*$$nO=k1K$87Ta@S6|eb@*&`n`dkHx#!-O*;#%( z&$HjEZ_VlDT%B8A=JU#eMwGJJ+nPTF^z)vlrjIl;0FzY4wZS zdzF3BN+HXOY<@PLZp)#)nG_p=%pxLfhH}<%BMsc_$>YTxcPnnvt+;u&;>L^jm$UhD zo{g8=B9CXYNuEs$smu9QUSH1QB%6?m-M6d;tN1WpE@uyX{}0(@vC9IAUw?Vp9{c2; z&Bv$rKe%gGRNUp$_;h*x{&S@5D(-$A>FyuLi}CR!FZ=f6>9V!kU$=An&A(1S@7s?z z)P~}2mFD5p<|wcdBjYLhZbneJwPBaDFIvT!7DL6*ZSKN0hExeSKHj|loK}!c&nEee z3}w9xIWi1~fDDwB_2lJ~{Nnw|Y(Cwl3GFQ^2nl$yy|5cB(M*B6^RlLatn++)cD}q% zm<1`6(^6O=of7qA9na>c`TU`kaR$72fpi=|1J)C_IG=rbU&2)%HpGvSLKZlGzgS*R z@=XEx^y;Fxdrf64^z8jSI~`vw?%Ocr>o0gfUh&J~Nw59rL-R);)bI$HG7o>_W{*F3 zF`9M>Mp82|M9s8~3jmFmwhIW*V&GAK_$DBLmaQRj()OBGR* z4HMQ&QBIA3L=Fv8+zB01l^d^Y7e#i=fx4^6E?Ki=&APN^qA3C(FiQ`oVcOJ&#+^XG z3lc#PlAw`P%zA?cQ4LxftJ?(#P%x|SB7u$w1YntzcMY0ONRW^~wtxgKm}%=&TpV!0 zGFzzv3i!v9YavBsAZWO_U14C25I|Hu0AMAOK!aL?6*j>@f&tYO2IxUiLy!z3VgSkT zB7och&7=c4M8%YZsL`#43)|)Sr@Q;rAPA*V7y&V#e*lJeh4J+KKmF(b=Y08THvf$t z|2Nt4E;&QEH@&OVgf*`B49tp`bfdgko>6(Q7B41{Q z52SWZ$0y6Ee4~Z!+X-=iN#krcjDy${a3QQkq0mVHV;el3I|EL`r3GO=({?rA){6D= z49@F`_%NPKb`Y^%T+&zA__COW>o8J^_gqZCq0z6LWMjxCH-d$fD&&vD) z+c-R68P}kR*b41X#tagWBq$^SNg5$xfPe2PFa4sw)}WOw+$kIxGp(MmK4E>r`tGs* zP6YTb^fxOB0lUVGpBDfHJRnp|#!r%fTQ3PUjEE;2D~x|Dv2Jv3I(?r{Ps4I*EwYrp z8-XDzC7^D?nx3MQ%gygoR;7I3P5tU<2kFnf*g~6||1&rz1@Q&5qz}tku=#`A|NHz< zY%R6qv#|QCUjHoLF8ba0LTv^yfw$nhqBBGKsnCkJt}Ch_2uRRKC?=G#L&-owT_xRc|Gj3c+*IIceTY*!IXEe+Ro>$Vb`No*#unYe5Q8W(J%^r+lL{F2~apj@#T z@bOF3XuM=XG!>iBR4lXfO0WX@%4f_vC(#Y~479>$?kMr!^3TgMCWCE6;fbso`sqyM 
z7<`DhTO-W~Rj8i?$B*gc$vyQO!gOWSaoH~NC$@pw~k(d8nD~Q5rVgQbb-8AS8`XvF)l93Eq>wxG$9{Zdq4&ANHnuS34wDC#Jh0?})g!O6 z1v8)&$UqN-adFK+A&CgAL^ncWuAt=*IWvySJ}}tq@^Ugh`0nkSgTKChcQida_~9>a zemuCiUi@Q{$ZSVswn|?Uo!vV+yF&!2@tFuDJwVw>2+4Q}7(z(O>5-Rg2){xIDS8B{ zYMG^%3L#}*LrCP=v=&3MUB!^vsOc~2D{W_$oQ7#@?C6eUDe9hF@6rr^MN7MFXrFAr zs8kt~jooJ(TLn(0g~CD{VdDc2f-_;9>%z4rNod5XQVd7* zUahi}LMR!zRIGBHrI$*pY;Q}&Y>USYRm=Soe#oc!oZ#=L*>t=li1@Ex#>?|TQ1t&U zGro;0xrJrUSvMplQ#@uNw-;nY5Jc)dl0e#RV5k`ftQ(fti@;F}8@N;NC#FE4@7iF6 z)kZg(v+-avC?*XEVUcr`+SLZW6gNt7qxI3pr>E-_cS{+B5{kIF;t#mb>OR-WRvP11P3(0?qJnJ0H;T&(e_6yX?hHIzgsxQyAQjRg6m z9SM>o$a696q<^}!;-be?tcCsCjfzR(6j=Jfolwmt5Ix-6N^@t8Q}n}-T{I%)@DdkG zIlR5>ZH2lGf7}Q=6!h3D7jqo3kc5_6ktAYPphtwBm~n$)(b_Vnlzb zF?C(+uNQAZS=plM;dm49^$&0NY-$*AdZ@oRHa`ah3=GPlW70W{8DjF1u#hB4(g=j_ za#frQlCHxp%H-ji;0@cnq6f66AQ158(EKC2Wo<@NiR*LQ7=y@@{(!Jk4$ST*N0#7Zp#D25Lx zRd=rZ&VE+qI!i7U1RH`N85xE~k>?J`Y>y9oG~T#f{3*pO?Uf;?O#pBMMnpaAp;eVpO&(YBxFRO)TT+IU zw0}}bdp{!;0@1Ngt;|2=?0cQ35ztmtyAfI5iF+AF&nl`QNs{{jKByf=swq=97QDOr zP_@kMOX+*6(Ep9T7}jl@@DwB}DBaM{C969+bx%?>jrT7dA5R`d%HbqRQ!9rf8Xt8c!)=sC55-RNm`9!NND^9E zpTiM;Oe{*~K!`pZAODmehdd7bJEd?sO5s%LXG-Dp@Z7j)e00q*?x5&~#iLTzFM>3a z#*OaCB|k@{P*)0dRjFb^rhP`HU&m*^W@j5AqA&QQn&Xo(h!A?CaT^z)NRXEVK1$<# zY7^=n{Rq9Avl0s{o7bPJFv)%h z%t?sbRe`9T@sLL zR+2QqzE-0W=Wbcb4-`ZCQVyI59 zBn#DtA$#wRzWw=~Kirjy2fD$kO5IFYwZ~)a-(<^^bNV^W%lbyk#>XdQn6eNkj^r@` zi*U)U1aU4#zSK$jDs19XLST=pUR&6}ojhvJh=WSNo9<&S>NpIe&??l@aAhsZx;#6% z)XAkzE_D|t>15*rImRB=w+qf6( zh~a67`S4b)@t!Mv!+H%5T*{4K&m%5PPjI9{vo@b#Fs&a!{AqSPrsv?z`K{!r_Pyh?F%6uM97^zBc-CT!{ko3<1(0aI@q zz^UeEw45)>4WkLcVbsVMNdl52m`20h$hSxpT6oF2zU18^Usa2&zSIwLUK_hq@*t7p zY-s_HytMXs=oI?eeFin}H2$oxg;9UTt7pvTPc#3V4He_U2|wbGhysa>nlRd4SH(5- zjfttD#QxE2|SiumK^%($rh_(lwl&@e7T_|{3&BYOPz zci+8D{J0~2T&k6cB=2#V--D?oC0j@>Dbfnbv{iAlOG*SWB8&}}7Ol5=R`oi;)Nt!k zjw$7sQjRI*m}(ML)x5UP7oIWYqE_{h49*BiLQRlw`9h9Nk2vZtKYssX;;7wl)DneE z1htRpCEY^$+aI7nMarP!X21(MA^oi}h%~)$qQM~ZEnXOZhB6^kXBqG^y-X<8N0c&c zMEc|qnRJoke3Go9B?^Uxkq=1v$8;}9)C!}tOd!>9sBcp(6GHV7p=|Rq9T1^z#)`PL 
zIx8_KN7lFY3~!w61&?wbqpXicC6wy4V5dwq6HfIJr(E+;l<&|TQdCicQK1hw({2QU zac8_pk5>I*QYv9orva%FwM-DzLx|G6IYdD?WNJiIgeruPX(S?rJ|N}Kwc0*7d&Hm; zE_H=V+q#%wsgJM(Z5;780VQgmjM(*re~@FCud)T`Tdt6FT(~of?@rZQbju+&FbYFsZakYN|3 z=~fPrCVJ!gMVeA5yd!9;(8q*MeMBeQLeDgVL(8mNYx@lBOa6 z9$NhQPCf-N37dc^0n>x}n6Rmj*n}LV_R7BY3*42eRUxM{jV2#_yFZ;bK{2}tq#;mg^COP!_Zwv;j9(q1=ie>FZ^ z&OYVy!JF4*_|&*CT##c$DnUPa)ItLA6~8`3rvgG*C4_H&NK~r7joX{=-7byWfl0CU z(h>W%OIpj?%cQ>Tsc(Dg+rE!|+fC!zdm$JnRE`S#g@|JMrcgz<2kguE&38u^vuR?d z9kJ6bZA{#>k3MtbqI=GiQo|$8blg@CD>(%z^@H(9oEIx~50L5P{P%xdWP=~xy?XYY zq`$`h6n}>SFratHK^$>;^q5hxLJc4dC6AGm0MbquKQ`Q@AK*DgY!!(*I9lk*RTo#)canf2Pc=C zU*|UL9$|nkUk%XJ>+^F`rQA1iic)TQ(-n?~ z({McqVe8~1bTl`mTp^R0?W37(T*!@nHh^#)m{~6gi-O5uW>GUPf|ZpLb!01BxyM>Ts}tm5f|!yZ@Fp+1bvT zua>K1vb3FA+9qI%F}#l5lhYPjFz+a>ZD!1NHSge7k|Zi`-i?$x3~{vm%}}?pfjcIt zrLwmcA*lGSaV{JtXL={v~axF}3o>~aPKvNa762p7fhlTtZz1xvZ zkk1$6+4RjZ2zlJgr{}ZLczW^X_}~BjyN>D!|}j>g#^_|L^WyXx^bri<|I&GF@O zdHsizlaC)iiplLFTh8WUGQJUu{N#VL$s{}BK_|!G9`$+;FEGlMS@>-IX|`O>$7eUo zyf@9R@;Aq4+4-**^V!XGbi5k19(O*Q%;voh+2qafH}BW4r`voZsZtaTe#YJ#+u>v&mwg39LT;yxI<3xfk>C zX!pW>G@|4xqg(ztK9Bk<`8XaeFHb*3`jxD%ejDlPAI6LE*(Bd~_v7iZvCH2!bNNjP zD0IaA*K11L>T0D*XykI8>ncj<;$}R`7taXu<1r;yx?B%CdG5Jyj;r}-M&rfxB)i=` zh0Q@F*UF~LF>_e9$VUw^O&L{Av+KcfHrU{ah)A=u|H{uJ^Z(`S<32NL0Ofo(o$_?p z3>{q0c)2c`f!tRVS08Oys0AtuSw3Ii>D&2y{QLjS^8t(A^tiVsob}E0)>FtHe3bEw zKHR-~Ao8o<-CC62Ewkw;n~!>f-gmQ4$M@zq8{^~Ao8y0zkC(#c^W%%LIq+mT7msoE zu%s~5*8=_K8h!e_$^g#JHm^SqbDdsH@;eOe0)`q|fqg&$TB&My`6RzOJ)g~|Pfg|K zCRKnG`tIq(?sT0I8vKKovo)|T^YO*yau=8bMcNxhj+EC_4eM++ALaAsW+ny5)eDrD z00yucTv)uPTlQ?vuh~OT*b2>07t7m8z6p>|Z?0BXuPAIQIXj(aqw&pR*8@ZO_yy14 ztv+0>^vX*g>Ms2O2`9Ct{y^~pm6jq>K)}*#EJKVnR7OxAozPNZOfG0>miusmmO_R} zN~0B$H{>I70+Em;z0r~sqY=Q1Sf!1KHr5qwRKj`#eH5CX4@MO1fTUJPl97f=3$3*8 zgDyUZDcOxoav!-y)~DWEgMdbXRTd-4HJb;H^{G}8tkgzURjf(bbx7I$lrKNd=D#u_ z{G2V%FZu6jK6yY4uqFnoO$<&bO|DOZ&_*?S8HsFxguGz0wJNgX70@TJwkFEjq)y!Y<* z>TI@choEb#11UUn3-78e7#Gtg#z=03WCGF<(P=505I`= z;`_w+Uxx1=c!>X%e`i}<#HKdS 
zAugF_$;je9J1N8Ju^gHjG7L@2@Za-K%Pj`CYry|PfY1jJK+Z&V$rngcXhkM?U@Tb( z87agY%;!>Ugg_=wn;88gw9JC(*=J1$Rg&tqH2YLy?!| zHFm-)cs-wex=q$=JJxHdU?%Ieo15+0MFpfoeT)w77gA9}$)Ay|u$pN209pB}$jKM@ zs_3aq7!y6cYE3BG1gZ3OpMh{#-auq@)%Ww1P#cz%}hQc zu?V`NnF$eDes7KJLNgNqiKbejsWPEVG}TR-Y9b}r7z05fG-?w!CwPq{wbey&6=^D( zV9UzLt7UZ17y zVws4ln?zMRKbg%MbVcPO8#fTsp?;4f$$|~}$Us_~5mh3pJ;X8*RX2&Mb^>}R zZ&+0g7#X?9_cM}|Ce(hhb?@p`E3`~glxV6Ynko~@L{r_Qsrt$2R-pG(L{_wqnelm# zBvE=jCskusJ%ax!3Re)%1IM9fHs<^6Pg(QP_M+H^D z%!vV+tW{m;uX{C{CgZgw4&KI^G zRyB$C?_XIq&+S9e*&>M!obFmrmCYWM?w|&i^6|G_OHEa%c5XPJAYZhPlo}!CnM`*` zB$T$`hWE%QD1!up3VSMg+~v)O!< z&-eG|fbtT+0CwFAqN0J%x7l>OWa9m&{~Rwb zdj)y?^ESh#cAEA8+0NkQ+DBfrV4_k63N6=AENXT*2wnwHR)sE{;HomlOK>eW^BDK@ zEnCZMWPq%4C>6wHBL-7e8$*V7QA$cn$+w(*%gy+fud~tU@m3<1K&0kKuW8>i0HG~Y zQ9rbIc%(F5$HoWR+xP^bKYc%5F1M`1t!qEUj=pg0$TVQ@d9P%sj+02J;@W#FC@B;= zRKs8!@uo2p=2_}Oi{Q5x`Sd(LTK8uGbg4s2n?zqKs>#FE&3IDn8kn$S)LtqRA}vZ* zJ+^v3`jWy*AN*M)jF-j@!y#oLL#czS?kU+jrnFQAZ66Mb zD!Gj>`-aa&yE~g@n?kN#EfL~8&S5{O7^k8pa|i^hg7!r#ai|4JgmA(igzByir}Z`Q z1ov~j7zxgzCy*AbsY*Y4xn78sp0?V1Cp{1;O0JjWdP%OA3R4ZRgoINQ#fVCiYOLPpQ;yKp4phwHDmbsHHBAwJ&D zY3u5?eB2{zw@faRm!*@Hv8r~d8SfAQY|)s=QcM@iJ&^Ry2mgvv=nDTz)x4L~W~3FC zvep2zh67Zn4N&}S#}b)LB-Krls$B%7g*4Ix=dAV^wZG&&k_1a3%@Nk`E!l4Lm&8O< z?a)-IR3@HknWt)nBQ_%ns=bJUs$F#D1V{oO{NWm8%#CJ9^oCII7dq{lp%-3(v0*2n zz3FhHfJUC+eh~%jtqjo%(#Q`FA#Owg%!8NJDWZ@f3MrzHA_`wFqTqO|k3N*?1`VQ9 zL?J~KzLtoBqWXs3%KXy8d1Ydzj@%=mx1fd~h1cNN(v!-9>PAEXQbeJhh(f7crcH1s z^EOrO(qtugi(?_U%q;J$A~F>t5vn2)QlhlOu$8kAawr|js#$J(=WLeFbK4@3+BjQu zE5@n~;=W+U=BA5;4oTTm7$s$M52ahXVAh6%j-hBYgHGzG-jzEfsY&V}%Io*mlI%j; zSPjYV+>YP5R4S9o?Ph$ecA=LK0n;L0N`_+6)Mp^cg092XKwDoZUg{5$KvlaKp`Z=){U8`JYK}-iQUOT|uO$u@GnF;Ak46w!8#9fgkxA~8 z#(^pv_~4Wahqj<~GG-b_IEKSmecy-9qz-{!QHQ{vv*r0E|2@sOWsm9F$^R_N1|%;U z%Zo;))=3vTH9Ts4#O z$5Q@SI%wt#C7A4g_L#0+Yk^iUA@@-V<6O*wFb2XE5c7;5q7xoG^-(j=xem7|Y2pE< zgU6CSNcte@gJ<=@_bhj#ZF&G3@YfS47kJETh?#K6NVrCFj5Oq*=p_bCU}aV0m!Jt6 zd4&6@0xg`?WW7g%qFoh5RRudN;^MS4Z#u`(`{! 
zt-;&j_EPao@$62fyXyKCCL!%~rR}}Nm_Et}NMx-K0d466VJYDeJJ7c3=$GGrTjbeI z@9htNON7-@=hQOsOoY`Sv3G-y(F~0amcCjJNcM8|ku7V*G;wQS6vu{6P z4%PY$rgr1|d7Gs5#mgapGb~m%CSAz#CBKJq0hp3Xr-m9W55PlWNh2;(68Vx#vI zHcc00W->KZUdtP7iW^sz0?1-Ovd-BdhE;2d_a3X}+U_4$Et%$)k$j)ds$!_EY6iTV zxT-oxiZO;5KVKbaYNud^XuUS3KOmu%@-dI(V<=ohnE*8m$(V$FU>&2Y3i6964{YQa zrux7XQBC!MsXj2(2kxpNkwQzO`UA%H+JH|Lf~i9AYe|_fwe#13*nq$y4Cs`N>D#|Y z0_knhyIGUB#gQ)FcA>+3ItHVyKDT8;nL?1A%#tv*lh%VI7)iV{G}^kDd(wL(>Cn;8 z39m?p_fDdt?iAX{uer{qb;>Fg&_r1;o3eICkLsU|p;u={VDz&w7)gh-FqpWkQZDq` zBCm>kFIgRVukcanB+G{~oocW2Gwx$j${se97kt%oK)#arQ6ndUz#+bHqe>m=Q4a($ zuKwv;npqtJt2<2;^<uR? zNN6T+`c_D-qaM+_1~Nji-3uXfhu|~=qpS?vt~&=)MtMs<`VyH;B-P=)k*$A5i4mXy z;%C+=0VJ*IYsOPJ47fhvI^H2gPOK}L;*ODgQ_p0}@pNpM&H+Pt=3Zgi7rnAX+=KG= zUF5{N-E093p;_jpXCwM#J{UJkn z<{@lEX2LfQi`{Yk<$)CJk9uq%xlb>oQF%M8! zBiWuA5bLg(Nz4zCJm?`<;YjK57O(?3%;3uNcPIa%_;>OjKmT;{*XjFt z7XH2Z&GbMZze5RrAYp*?wbGjM$~iWZwNxI_n%J~fD#nS}zA&+^-cPdIeE#jx>J9(7 Sm}ght9{oSoo&}Vqc>w^>*$8d` literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-vpn-infra-v1.2.png b/doc/pics/e4-vpn-infra-v1.2.png new file mode 100644 index 0000000000000000000000000000000000000000..db975745c955fab6c8bb96ec840437a5fbe8048a GIT binary patch literal 166247 zcmd43i9eNX8#Sy_38^GW#9fjk^OP|XQ8J`RW@4KPk$ET~3AZUBB$<*aWJ+i!Nivfu zgv>*fBE!2b-Ou~`zV9#i_Vasg+V;MN^E%JtSjSrHI0MzsD{ZG{rlz2v*sgp=L6d@F zGXn+1rYlq%@y;vVJ5u;TX(6X7M?sMnO0#Ud8UJQCJ)@~gLE*+pLE&?Uf?^48`HWIf zIPp_Zj2lrJT9l=3yk$^X7w9!+%@MQ|vGb6o5Y+3>%24V)Z*$a;IPjgFFT zvpedu{qOyg(W8!TXV2F8(d@NjS@Y(5vUd9PY0tHlU!~dq{O>c5-8(xw$HvCGs)T5} zxBTzjgpIc?{`Y(TQFfRAzyINO_5}6v0@ZDjrDci7qQi|FHxv}!MjpN3B9)MRjF=9@ ztKWGtiZ0=*;AL}jb8qj8fB>a4XWoy>I*m1_to-?Pfs4V=&=BM2$P zXSzRJ7tN=W>r-X)>iIjC^BGzyDVj0oQnk1>Xw);bxT93kTDH^D{`m1jT_ENhCu7i6 z!5G~v#Vmys&3&|65*w7Fv@^8gxv8baG{2KWdEv*8yVWLJ ze3R1BEJ&m?X=@eM#c63u9Q1jeHph--8s|O2xCB)*Q2RBEU~B^w4oXW))6fJN?w<>+ z{yNc-Gt*s^Q(79Uk`fyihci?x_s4M5zJ4v!O6MVySZgNJm8+RikdqUtn7nWQ{))R* zd#U}twy4S0fBbkqG*nGh^=h6D-$-SYO3E3I@LDtRkP8`FXV0D$jgy{J!buelhSi#3 zJjnb%j=dfHuDIGiIv~!APir1sN^KztGX|xkt-m}CFx)ykj6v0-WgpE1U8NH6S`fKU zr_RH8Hl_Ip>to%l2X(^-!_Lf0pRU-%!#I&qk%fMFw$D^_#_U^QmwD39Ae7s*uFg_CFQD_nbyUN7!_*2Hv@LX zded(Mcgrr%k~O|qB|p5O(=T>ABqU_hRyr<*d#8gKk6(VF5D+HhZ(LYdD0cnJs~aQd zFILCpL2E?7#t$BXo^^hhn+28%Xh1MNb69S4h#%%M~#>N`htg=UsRMRYTJcXWMgB~n0h9Bc{0BtgyjVN zzJ0F0X9tWMHuD<3_E`F1>FK$`_xkr&-yJgIH@=;-v6;NJX)DGyN8-ur*RKt|77rge za^%E`#T@UI%qZg3cDC$Efm+`V*=4(LANL(Ok`^kv`njRux{i&IxVQ^OH0SlwhqrHs zX1v$_e2ft?R1i^D5RTnyT(Kub^Rj_KLTs$tM0-|hD(9w6zIa%7{QW~_cV%el;!g<) zUTdo>?d_MsITk&X`Qihio=R30Xt*>9N;iuInD=RC%eEBlgs$bkdLn90)p8r<=?w#U+(4y;o zukYTanv!1l^{cPk{TH4{TU#5RoS|V~U!V8D8$UTYx!7Lm2P!F6*RIJpPwOERT)DE} zPu||n?xa(0US3nHvCg51i3v7wJ9Zu(o1vQsK|g=~jERXskZ^Kx5{x;AW7X6gk&%)4 z=bsJI#~1=K zm6r1A75^I^ZenF6Vfv1C>(;F-HIfn%(|r|vEiFPzM!!1*#l#E?t=cdvF;5Zs47Bp4 zgXNQo?FQbAwWM`-bxBD{F&@`7v$9eNA8Kq=$E48E&~SDZ^EY-Vkveq96l2}n+dKF! 
zc>c$ar!8X}Z}kt51CAd*u98A;tD2&Tb>rmdcrISTY4}5wRiSRyrH=OYFJ;a%SazE> zZOW-wElo^JG@rre{QUfG-MU4)B{?T2r>v~Ir)QbGL$)9{_oVc7CjT&weN0U0`W8_t z7d15UtUI#t;C}r2WmxK{oTN?~pS2+g#|8%n>t^xt@O=F6!NJjyg;7ddOUumM9H}Lk zRkFRZ@+1d6PJ`g<{KfSMKfgM6)JR0 zwKg$9kZ9cXb76swj_&5on=%rYDhdh;o;|ag8>(fXMkuqev&+rQoY?3816iiDRKibw zU}#AA=H%ySC%NrPN$StDvc??UE?@2p-YUa6#fsH;21&HXGVC%V?GB~?{ONazsN zljP*V?&}rDxwz~c9UlppZjsxG>k)UEH9B>Q{NVVNkM;E$ja-aD#3c;aJ%9fEMSgyX zUN%D27kz8%iN*PmP&V05W`euv=^s6MBq1SzzgMg-O(3&2#EMKPpE?bEU~T>9Tio?~ z_wL~%=ARyAXl4is3SuQ9_7&N5z8RUNkdf7-xxWjHRA%Z-}3M8h^FEp zePzx$nAb^3a-0!Zp0Tm9q9P*k;`VQvn~5kTbs$teiOTN{0^rsi2O^`R#e{`leSf!K z!j*X)hVV1Y7rEPVjqlM1K7ID=S$6h$ z_MHf-NR-ab&KSOM4vjQMZgpMVuHN3POPN@cSZ%(yZx@sueQRRx>FIg#Vq0Y;g>pC+ zJc0w3C!mfn^Y&^cM+s>zt}{H0nB~v3xJ^w>+1S{2?~cHSo;~9ZRCtn>HZnQM!oXl= zWaRVmxfb`t`1suXyriULle#hf3uNT({^tm5nI116AD^tl(0d>zoS2bEXD2iBJqh{K z2Q_Zo$d8WRJN_xE)-0OO@U_##B^{m5%_(QgU%g_YeTQj&_3Bks)!>YbvE1WjWn~SC zvTQ3QSy{nVMmF6qkBf*nVd`?Za4KtZMu>=r9A&tNAck9FV4HJ!wNJ?WzPbf18S|zg zUQ#Ko1rM2v;X}&V=!7*vOw+u)JR@OWYHGT>yOVEC zU<^1p&6}Sp1FZb|H8D0e)l)LR^m77(ke!`98jdK3r8@E{K0h~?ijM9;5*?)+EghYx zsHh;*{n=SN#-N|1k9ykL&Wm$bX~}Qiydep9kpp%hdNui2h#_DZ8qx)vN>bnWmZX@EoUd_`<@%moHy-u*pnLPcsH8w70j@F!JE?_4V}u0q~-f z%k8w0Nu2ri?c2!6uSdR*EQPxek#0CRoJXiaH0#W_h>MG}-kYAC{rbiTU6cy07=a9{ z8L@3@d|Z<|3JU@U?&#=fZl>R?D;P65*_jV$h%|oSzyX|FVN*Y5O+QHV!}E&<1_l@@e}8`tWdp<~ zL{vsbMq^`ROhlaCq2v*HKu1@1X>sv{xH#?p!%4xlW^OJn2w$39k$}1PQ?rWovWtp} z5J{t>qXPrCNl13Tv@N?i73=4B8p-g+mIf{Ewx*^gga>i)&s|-y@=1s(iU-3UNjjf5 zG?eAydjIjGjgb+%kkI_s>L5fuA@h%C&Y!=O*#;mslIVT@>{*%}J3@nkgoK6P^53sA zDlRJv-6!Nezp*VdWGls+}w=Wyt?XDsB3FsQRFcEp*G^k6&;<&vyw-S zj9@Wt-n>~QC0sFCgNxzHmF}Y#Qjr4Ns;d6MU$ct7nD8?l)6O=_(?OkxImsQxEh^eh zCMP33Asi(qpW=*gb#u$UQgrR>+rUv7P2T9f*Peeczwq?a16tm`Z zW8*D$ye}r!(bQxQ)M0OLA8UfS7f}*?woW*mNmXcC@*pjK4!F}u)Ldc@W>xv3l-zpc!ellYB7q^Myx7jac z>0Y(9)z{Q)Zfiq+L{3Ff`Rrn*yu5s|9`C(84K;QNd-0IuUC;1b@%XaR(@9uY6BG0E z^KsJdqCwTqGBYLJ7i@0c6m>ItJ7BlGyo?|wX8!TvNQ~Xt6ir-4&Ha5h7A8CA=H`}` 
z+*C(|l*0j0xNbV#ytyztJ32Y}%H{i4@B%1hVx6u7Qdu@Xefw5n@7}$f5l86*UoVYk zzIgGXv9a-TzPYr=@7&~MQzN5Fq=@(LxkN+?U%a3XmO~Ii&;Urq@YB%H{FyGBxz<~{ z2glgG+xMWsZT3=NHpAEVn|rOT_S4e~dM^DyYIhKS6d4&AaYU`FvolM->?I=D>(>VC zJKqmGU~~cNKP5=|{fpEnYWL4nikby!$fSX}(~`>;d!n|#tvaxP*I%9x+OexXukmyn1h5B$r4TJVaN zmLqD8puK!sHg8Vqziepe-S+GvlRu6pebX7!#MRXmK^&0+z~U|c$9M0{ks_2r57guJ z=@T6-t;ghyCTbuc1qAb&P`1$Xl*-|luUIWd)DkefCU$oGOHGI=3Qq6q>h^m|=5|gZ z`B+uZBc|@$X@}Gm9!{U9bKm%3P!LV*y(hhHxL7WuOBq^x*VO3=f}nEVU873q!*<0a zbvjlFtxJ~}nV9ZMcmv0Lwt2~EAF0mu@zWN=jj89H+Vpf!_cC z3JPOmnXzgyIq@_uUAlDOgae0&$VDE;xQ7q1jxX{?@7=S<^Jkkj*6W3|^PVd|JC5`4 zT`voQ!ct?;QWJFV z9wyr9`h+<^&soh*pMrcqnOHMFF)GB!TtE9{!72=U#z9op;AB?W^ zT)iuQV_&WgkF2aL8(Sg*MV#36uCA^pbaqiHPDtb*KB%CkdjI~6aKZ1UD;C^QRyH>G zyR7W&)OYJ&xpIY1zw`&D9*QauMrT!2+?qdLK^>>3CnYY<#KJN;J}xoW>xxx|81d4! z``zGoTxub3Mr*59iQekZ4#OKIJ%A<;lj8ee&GpZ@RlU9Cxw&>IcTkwCBC_1ubF5&b z0090$WaKNrU*zm}@7^KrA!=i`pI1@QExVZo5TV7Lm6Ox(;X~=oDczGNE0bF;Y~EPa zmZ>efwtRy(y3Av7ZfM9XNxj&#CZx5swW~{4TDlySmSgJDpFh`oit{iQzrMI5mCqoJ zZKY%RT<$LBTlE=Zb=_f6nsJ;-N$sTn;ekI{z)*DCw{AG^fG@E|(6&P)*FEv)Dx zp9HiJ8xsTkIXCAJs35o$jPYR(Ha9c7=E0&y(b``44_(zW(@ELl| z_E$Z4@Br}Z&o4yZ3CvZ*d;}j?!~zt+D4Mdfr$6VJqT*^vQ!^~KGd^>MDy|+Ym@DYT zxAykBI%|+2D4p?P&}TqYX=;gz$;AS+yQ%%~EAP>xfp_ofl)E_rp2VL|l<{;Uiexr# z51ar~kU^?t?8oQNpSSJi1h9G5X2lzQHvDODa6QszFIWyKDFkVJZDn@gREE~Qn^|dT zVn_>-4AC6QywP#t;hK7S%l%cpN1Vo0Qkwn!x1?xV0(xD&nzC*DQ=;rzo3>#SN!XDT z!KvytQ~ryQ&wwXN1)&_+@qmm+dQQ%DBO@bg>;1cS33#u1fcKdCJ%m#uJQ8#=@&wW( zEiEnbncqftTJo821=iK{G_Cn6@J_%S`8quH!G)Nh6In$Mc=hjHT998ELdf;nC6OPl~LLTGCN2ulpl66UmngM;RU z3r#~KHSZe4Ly&E78bmtI2ymWCcN5dj#Ry^ygcqfb9zBY}1B6UL0mDTKGCvYv!Cuk0 zdXqfivDf-~dblKJW@aq!=la3_{<{;klCXSRbMuSm&nJ=Hfk}`!JU{jCBlGj|nP;$o)LhY0A>*@;wvI-XVXCXdSHBN4TzBKh=+eYOZ$i;hlDzXl`L z-*5Ee=UaZe&Q{tlH-&9v@&|RCaN9{b20#VB+s^6w7xZ|2IvX5vfSObnmX};5MlZcyJ}SB zgCzhcXJut2YJ1d`$Bv&cT8arLR{TqMP8buNX#!bZnVlxsklIBev}%#@VV zoDry+q>gU6klDu7{?$&r>(mWa7MAeva61-Mw`XqL5YjcK8g4qu%bShTijVI)W)?zS zdO8-8HtwF0r!mA9ya_UOsxs4q#6($4?Dlqle+3gJ&agAUbo*%i!5}TX)!>cZ&&q0R 
zV)A56lauOAZS6LZ!Kh=}kK*GaA|gq|-kR!;+%I}&VsfQ5y?CQeS6J5D+}4>?zr_SU}fqq(B1i(25u z>hdB;5m`~S9Ca>CR$&p5(|N-YkIRNoiwhU*C-WmZ6l`h3u`Vc8;5#8~vIe_vn5F7wiZQH>(smB+D7RnJ`h~i|%x^z@_<%aLrR4&5l+4ne(eZI^9v-a>tqmJCOixdP)UP)W zxN}EbTpVl~>gBp&2d%9jUenXLtgWqS$q&z^`uc9Vm*dsF+Mtx_jCBS;TKMuMNM|rb zUU#-NpujnNIOWNcjZyz73u5(4NqO9vN=~B(zyQSs{CPhxP(VnCyjrBN+uxYXtD$P* z*EEuS>XZurShik?2^i(k(YtiG601Vy_%cjR6vS59Pmnpeqn18PJZ8HW#>Tzf_nSJ2 zu{mh{)xygjrIL?O|495h1`;I9!-o%z>q-_E7n5|#kxf@u{-CJecrAz+bjK2*JYh<(nw1b#ElhTZpaGU+NhfM6;ucuj-eeRamRvUW{lzPg= z=ONm}I)ivXB+>}QvSV}8$S)Pt-L{R)zs2{~+-s|sIVFLUQ&Z(Pr@Ej7Ao{3_g+YxH z`xTr0zNX-4e0EL_nC8&iwyM!*b%@tPg@Xjgk5#1{&b80U!C?;C93lh=Uqg^@fGFD9 z+E=c)FaNd&FE!PV2SJdm3f@SnU_5p(Z;=8Mh|i>Gb^?n)e6zKknwZG+3vE|)vN_$jy^CJz`26?%;E}FBDod7SefM$Bjv@t#xFAh&n zCm;$oHX50k4ULRgT)ldjK2VE$kIJF6n5!pKG)+xRTCINOZc8VJylHI}{^y@tipf}s z(k`<;ipgLd#7~@1eI!nt24fw1^8+-^f?{Fan@oTD-Z}}>J;}*YyU|a(<&@+=UoPLz zpvI04=ar?O5J*xm3E#cr6cDig5P9^_)`lbJ9~FD8lz!WTAhheYMTXWAAPGbU@QfhI zfNeg;iqJTvXl7`M#vO-jIyNm*R>?ov6g8yCj|2jUj^~FQX3X?$e7x(+7q6e=pdaK4 zm=0KxfvTrGOi|YWOxTEC;f|s!TM%|)T4C0R=G9kGR&H93syDaZ+5mDCMRY>~l4y@{ zo(_2beDiww9lM0h@gCqpp)Q#J_y-SO0ym?SI2AzW7Z9-HirMsOAT`v2lyXm>K4p=- zdG60~K-xUhnkNa1O0s9dhX6?Kt*_ChV>p6%NDHZ8c6K(bgO(s?DrZ`0^hWmK2|X0N z`eCRxV%T93f9Ou(7RG?=^f} zRX%!CY4-u^7c)|BWok+42?Z;lkK-ksA4EkR*DKz+oeElPEGjI#rC3~zxChiQF+F_^ zFA@n?;xgW-9vRG-Qd{o%XCYg^41u5nPx}o!A;%z9%yj0by?*UwXSb8gAE=JYQxvBS$IFw8DyinRhtf0S;w)N`W^e>{L&HPE-79>dUNC( z)rbWT;aBD5O-q}>l*`zEy#u>|kV(4MGe~SHDTleufi_C+HPUb4VXSLz2HLt;ZKAa` zoFg%d4%J6&a56RNi)LmU)HX@y=~woHkV=597V8XGzs}68eGZ164FO{_4WpK}_Q>$? 
zMQ!cSS@k(FF@FBXmoic4LQQG!?hZ0$3aW1YxC+4uEC$LVU{FuTYf@l)slGxIoyfS5 zrta8_STOWH3`Fpi%a>WD-56Frloyy1-jm9@?{C(eIvi&mN_w!OKp~?Vi#$t9=Es!L z*6u)n2i>=@aC7U{0E^F?BWfM(?JY^9om7;d1(Cxm+Vq2fOtP{raxnmKVAXRdKiTZA zxEh&}VX3F5clvZSrXOZcQ-539G);=!JANK1saIhCfHEoN?(fupJjW%lpPMsE1;H4^ zT|`6+RcBhj!2BZ0g|3NW)YdZ~w{J&u?9e+)wKNZ84q6Zq zBlLhY7_bxTQ+>w)DSnU+MMd7VWVvm(Nj5etOiWbN)c1meMa0BlS{Tisj4fP!+OpJX zk!aibVsjz4a`>T!jiA>7j-jzXd;T01|LdZnU$}cP#~=VPo|kzZ0L+BeAcO%Oppvby zy3D!7cc8yN*StO!mVhMQVLSnRCHlbwQDI?{B9%3YEk`>$(4ga^qZoA$8MfnmQvCdt zW`a%feSE^na}}#Ua}XY}pjgH2PDY&BAzjj4blvdUwQPuam?Vu~=MP=KS8L`4CdnjE z=LWBE(pd8Jm+~@jAn>ce4go&txo#mhRLk80%uGz6`bEXWoKe6yIY9&Xm!lH}H?%4& zw~-OCxkKT`NZ8-%(Yt&7nDazKhE$1kftSi$v3DperAj;_^KSbM`rc+V11le z%a~)J!V6FvSPrI4?I2f7s_)Ib{=*BGz%UC9fv^l>_wJDb7D<$JraOMY?CMp&7q;+I zJih9VqO@sN9z-ID)|FZE4ogc*)OTQ*5xN9pc*Mj|%B!h0H1(Vvo0xzmnF)^Y@#B7A z0x&eAFN=ZLP&LWQdZT7+co})jw+d4YGiKv0l^Ua%9ZoSne-@lZ*1ITUKxN&lFQay1IMXR><-Y6AT(4bUj6E10K z^^`e>s-!&md552NcThE^Eh<>%5?Na&iTG8LtE1St z{99`VNP}gFm|fvC!6<4HAnGTNc<$OPzF2eMH5N6*45UN#B_DVsP$gWyejU>SE~tP1 zRY!fQp?$FA0MAx=9XB*Nd2Px{EZC_4PU+(@J8>ZG=>Wa zw@@*iY@C~)f5XJ&E0|7)pW_$tfbQI(1ha}<2-X%z#e9E+>Te5atwkGT1$D!dM?ZrQ1hO8m>9HWnJ94%w zoKgs-j~+dG{+tJ79^w@2JFqC=8n6=7K%0Cn7}^E$PDCVmeV;$y zH3r4n^WrK^tgIk}ho&7#9l|eEQkLMVL9v8{;q`kU0F(H7#mWL=FU(9;M$12Qyg|i# zH`Nfrwoi2b>CFuYRS?Yp!*9jMv%-~@@2637*3t0?oGTjd%~0lBqvt zlMWcYnwH9wJEId43=kS_+?WT@nC>kL@ZZ=>5{^0NzqAC8LB12|b7v=H00;~)N}Wm3 z#6*akvKdknV4_8)0TmCC7_kK45?uKY$_-h!kI@IJFPUKeL`4BBQ&UsJKY#^cDXa^E z>GWy8(9i}@mB_+{MS8lrrPdw1k^Ik*veMJvlgXx^9-SaSW1z9G0bz}eEy7JSF*OCqnWa3nupb!+$A@@<7ZRmPilBr9 z^I@a3mNC#oz&nz#Qoy%?G7*#sJc4?>djl0vEX20;AE2rE{_>@0Wb?Lq(HV%rnQdSL zRa8`(&wt4_hUoy`EHG~dQfxZeg9!#-g>nRE^}Ba67PCAI)E6#XfP|#-?attDtYy^R zsPUk)ACT090O$m6@7GM9Qk6Hx8#S56J9o@gLYMa{o-;if^#L?7p3XMPjR!)HFa}|q zG}?u?_=W+&p%^ET#EswFIdS9L(6?^}#db+$WpV6xA3b8h6^xFKLi4k{tqAp`eW1+q zkElPODmR3wXU{&gw~Go0?5cJ$$palxoSf`S9(X@I2l^EO6LlMw$}Wf1B)(F6-JTz>PH{(>TUb~#m%Mt_gNkFkHAC&*aiDk9u2?xeeSKg? 
z+35obog_MXU8*pElusgZ=fp%^ef{YcX#_9KqDYmi(E8v@Qe>-KNdlH5*Ugy~JaYr;}5@&_!}MD76g<=#b-WUtf1OH(VU3SiBmqKvKsRXsD|@dob*=7cwJ0YRTc6tG}zcrBSS+4=Jm|nQMy`MciML+ zp!NZMbop`&A~w~A6A`udVL-TXqpr5L#PiQhSJy=dk!@BY0G2H+^9u_hfq{Yd?wRCw zV!a^6fG&DpUk|*;p^R}wVn=XvTlz7UZU`d~l6=0-b7+ukUcWbx`KkTjO0mGKg=q;q z7Lb;+qhn-L6sTe3fT?Lg@JErA3jkqVNg*mJUmZ%+s1x7@1+#`*OpK)bvu|{4torR+ ztWV(h$dku-d9Ud_x^7}3I4QgxJ`ENY78_gJ!oA;31Y-bz;h!6{6Gw=ENHx0p8l2jb zC$|-o5l=7c=-kiU3}y-DuE(;ZnNK}EJ+-yU5me0jdAM9Gz0ZcE*RFwBrpL+x zO&#^%f%(;|;PP9^qF~s-W>0SG+e}LaBL$5u4mk;SPC%go|3~n>BF%Vs0J7%+JQNnT zt@7HH^nlSje&yv;SO$lO!DG{UN{=)ovhCkLF*$iI{3!+psTkS(CX*tbxxW5k`r7y9 z)1w0F7cT6E(v~&}Mi?eKAPO0o1Rw;zxA>6A4KdVwjg9{Tg-Y~l=NOzeq=fkxV~FbZ zQI(L~PA)x#K@n=?Y#N#-7E9jf3Gfuw)=;psoZm}Sh}eylx~1?7ga<^H-yW}1 zH=I7$lyoWpvq5C53pfXaNi5ypzg=2Q;FdvIKn&tV3)F5%(y(iWN@XUhq(I$&wfHS= z)UqEg4A8&6zGMXR)bsJr%B?z*gCF6kKr4lFW$)f!PYE9}ED_)rf3y{QuX!059I#@8 zGZc^rQwYTg;*wt3&Ev<8(MaC~i%DW|b98is4P?~a(>n@PFD!CTPNxabn({MoUHpQz zFS9h7+-Ii*E~U@&S1&}d)2Bi5$cKtzs)E=gN)0&D_6jttTk-ko*Lsf=1ubxD#lTH_ z7Nw(p+io|$wIQu?V^u#8Lq0nSHd8+7QYK`QZI$W^9pFS*YMQ@f`zWM z1sQ~^sD5qcqXt*3i7;~(lt##^KuMA}CmRz|c<2KY3b>o81fIb(7pNf2T>ts=@1od~ z=fgQd22JvqoO+Wr>d6kvPpUR{rHyI$`ualk9rkN4kd@mBRxRF>Ga_*Ah<=6F3eY&= zgMf_?EPE<5o)!7!V|A`Z8#B~CQyERDK6n@b&hf8SI@q}5X%2+e41RAkF^8RnJRlXz z7tBrt_i}Vy(+?xzXn4qiJ$xD(b4R&PmrrvI3zl*Vw>5f*G+s?z{i z4R%udX=X%L88PkOZ_RjHUUqNj%l#3xEH8O~G`wkt#?`CC zn4+kjNW!{^Jt`_6XvTF3IkYn9Uo8BG58uoJ#TH+Ir9DdO&Yh;4N|cVg zHDLm~$rf*QHn|CqpYy?iZ%sw&YQJ+$Fyq|s@%hQS{y3?acqu?Jd3$$%vf_;i#pI?0 ziNo~A<0ij-6Mg>l_3Krk9#;5tR-Vx+Cf}NyzV9(3{$^jR%cRrk6ip4`%oWHLPWt-s z@PFOZ3Hlmi%!Yg!n{8&5T1VyFQr7JU^^-mo~A)SZTF1$thfsNnsYF zzff^ORQ}BTX9jyv;BY`C?_f^Q3NTJs(&y*rXKH^Fx>E9cd(zXMpofT-rB2n;up{6Dv5HG$7Qvybs)YgY24=q~sOkON+ai&^~jGHpHL*_5Hi+ z%PlOblBDb*)E6MzR^V9Y;^HdCukiM~hOFLamQC~{Q8;dFZ~pCTXKxP`r=+}mg`~-{ zqWt^MACwF4+S;7%2=`O?$a05sAl}03nc-RuaCwK;wc^COEVNQou`-3Z{{cDY!v{Cv zjP<@8FC})DRo_`Opxi&V<^7#)yM=25Hc)u$l8*CI`w7a+7w)~In0#EfAibpI1TH>B z6V84pd!V0@>7!rr?j)5)f?Dr`sZJ=W_w4R*!jIfw?KEC;!ulJ%l^TrIVQrCI& 
z6wMNtszH6eemqGczUX4V-tRLT;DC(ytIs=;{VojclivAn4ZHLvl#Uy|epEAvaJEgg zyxl-!2l17PL%B9+Xz-DZM4AT+v941k0olR(_)ARBX=WeOzJ023qEmHz6$&Sg0!9(# zHYh^}3i`oN9}cvM7cI;gKbw1(V|h5}nSflwu*g2v5&FK%*5A-*$v?Bp!` z=>0oR6YA)z+xxQM{+%0+HU!s3v{0>&;Iah2&3-H!wi?uyi0nxdx>CCW$Pk2*)wuv* zN_mMx{dW30Ts0by9&~lBV01F7+6dc>zV^sr=(!N$fZ`pOcCTGNLUp@t_*0Bf&Bu@D zI(`ymlUMZLFDsc|yS6$Izy|Zmc(z zJ~bO^fZRRjA_ci5MKjRgAF4O_Dhl6@V1k)jrdz)~idRyO67e;I@K=P&EWt!E+PAj) z>-{jAhg4GJy;GY=Yl{uu7}Jz;8xdwoUdAAJC#dQ!gANTlQ(#QqA`zdxPZ$#F>Rfb% zO>gPNtV=hv9d%?T5manz-qR1#4sD zTZ6@#84AkpHQo`PRzx3wN&c9RL_Y_HEkg@nAxFQAF;$TO<>bG!BlKj3)|U!zZ=FYr z)ZBc0Yu{_wn%r~&jsbu61XUvkx}e)6LI&2^@u{icOGV(b!Qsukn*Wref4A<_r)hX9 zo4x$lsS0%wd7+1Zs|MeF+dxc21biQ4ix;`MjZW6YXy)vsO2E(MU2u=X5tN^veizbB zT-+LO>Wsl_j}y|;@f^xgDp!q+9_Qq&k@f-d!QSb;I-eN({j(PLPqE8yFhgF$xd&sZ zEDbd^_&ZT?aZn&orr>u03?dq%m(Zz1k&1M|10e_w)=YU9r% zrc5v0evT9LV64<rw^o2G+9DYoZvSlfVAtW~jkxVLPN83ihK>T@0$ zpb+4u+C;yD3ZHKj_&e0oC@-#BSe)euM>&h4W};NWdnbsMUAuOjFh$sp5?**?=Cn1y1C#Fri-Y3 z1f3#CM}QzJf9w0K-_nfFdjA_hCPyt&-ZF|NpqTR0N$QXdlaF!uju3So^fDCw;43e5 zI1v-Xk#@Zcv|ARSpM>-sqIImJ5sgDnbvufnXmL|2rGS`q^?A^K?80-)&FP zbcJackJZ|sC@*iHtd|seY`CM~Yt+v-56-q;N;{d{#Hp5mOVZTW_ryZ%FmT_#ehBaL z>w(GTA}A(!rGVhYzPKbOCvPJ2i^kbry$ZMCkb^4-K}cBWVSGNaEGWQqA7Mv3N!?@l zdrfIJF?Ns7{&y6QU%k$N?#WFgl>1y_4^efgsN4fbvtD#MO0cfisuQv6Mi{lN>z7b^ zgg#JaaVP>L4;mwlm=seqiBbVRFi=HE4mt<6;S>}STdRcdL;nMusI|2?AVv@N;9s+| zXU?5NAKuvqJm0^6Z*rOcWjV=uko_w>+P?<}ny7#_r&CHH_mZSWtc9W>1QxmuBOqk8Cp7 zm8*3RdP|*X$oz;KpdnCPfQZz{nBCEm2`Yz#zac}FW)m~}@utRkB9mS{#>0c5V}rBd zsiq}3KVmAJd*~x*>8pLg#KZ(75Qr#n))p3N*_lL;9i@=!2P~b{geQ3x22?b(h1CuJ z^UpspV#f(t&?$V%DTcI;^;Bhvp`EqZvPO-cF3ME5N2jJ%z)hY{kWx-=0vAH`464Nn zD|h@Po&kl6#QOce;y~I*&mO?;JN}Ol>l%|z0iTp+qj?<5JiRj47C-p{*Zbhm(uv9W zd-cx@1Sha+|FsSCbN_dHcq(Z3{oUWs?r#jT0JKJF_OA8gF3qO<`}a+M|1JlwmMk&7aDOdMPQ>2;eEwdk9p=}ch3@MY(N1iPh?o0y{n%d4 z{R@Bzl{DI@z%?|Ia&jslM?8MauCGl1dWwGSzYFgy1pEs7LB$ZMAsUn z+-T`Re9GrjrRGKaG++mhvvUwy7zDRt5et3 zE^_}hjXTBoNF4&rTwE;vo)MU{UyWvc!Sd~lQo*$%E5jI1biJvmg=Sk*dToZ!OiPP0 
zl-MVL;%_|UV+bI3zV`fsb_!x}c;NFzfYVi1_c4A5g#F*_re9yH2JGnPHR6XADf`$) zuR^dJaM*&VF=krmvd%$7a7I^gM-(w_9k;x&CDw&eF@nbGj}|qsH;xjXU<%=vK+)9p z7rN@-ULW*hPTaobT<$!S&ZOgM|G0JYx>TqwK?ni;L2r|N^?J?v1znJHe;|95I|rJbKYLr0}0 zzr5a;t(k$;nKGfWafiG9Xw{{;Fs_+qkl`kgB9O)@%szzt}Nnht<|NW@sI;I0E#G~FH5D)g)>P?x(3fhe ztBI#)XMjWcC{1shVD~fBT?6ktKCvbA*^HY zt%IN&je@>PxUkVUpHuzuBdxhOF@@CTypIZ#$z*VBj{1N!6y9dwW*}vtO9*|T7+VNp z@F>LE(Y=BVqz(uet_>cZ`wb(}k&(h;VwfEdV`C*GB_~R65*KtV4P+uZF(5{u;dgk$ zt)$C%+u#{EIdq`_o?gzn1WT<@%sKFCK0XvW^kb(%reZ!+^H0LH4}UbL@*G${aC+!D zYI17B*M0gnFumMPO$gA!jfy_Z zNNYLb4!zC)Cg)BxaiSKG0WZWLbSz4R>We`t93Mbsx;i>WOsLxOeok}*0f%W5DA1*? z>d|_916NZ3zcpIXva=bfC{n= zqx}vg#1OQ!>|Y3jzy#R6n`p^zX=(X2)m>u_>NsI)csOMud2ywwqrH`i~0^&SFVblnR2Thq0y&?kakcRChvBXC3zt{}9r)QI?X z+AN^UMa;JAsb+>SAF5q_wzo4(Q7XN~_Q|(yRiS?FXlpBk%@=HUQJ>e9zZum)V|}z6 zQveKrJ839y1An8xKs}=sqlN87(AzK-*vLQ)Uv1L+eZ#}($1BbL!&U_%3O=F-JeLnL zP$wzldVO}SufCJfKM-tx{)FcUfq*yc46y6Zda*u7^hD2wp${4z$^`8C*L-pj5+7vF z)_@AEm_pqZbe}Yj*}3CkQqXQ)lR)Hbl;(`sw`Y%^@k1DpFVOH^c?qdqyW`^OVD8J8 z1|S!an2CtTDq)5SfKWvbAn;Sr{>{tUXHF8Y$_qgN<`bo<-Yj@1Y@R=wz@md(&dkh2 ze@q<&+x2nwF*b@PCQyGv2zkH;4;MWFL^1OZeW0WMA>t2F>xTtg!7Tt>M%2FLKgYh4 zFiA*D>;H}P2FKTj6Lls(4}1lM9R{!=Lp(zc`wJRot!@!Po`QnO-x#`DJkU@S^)KS0 zD@~=`-{c~XC8^(iQ2e-M3`+tnyVx`%CI%EK7|@+mXTo9iZEI;E+rLUnQvykk7c(v#_AxL8>Q3MTmyqU8H0ZLyh73N<6~>od?AXRxYyA`gS34adARS zw1EoE9UT}B*i8e-prde~lyV?W@lZ0`#$j+{sX>cBXiw#ENRFVlaUSgXA)ka!`XGga z=uo|O4c(B~!=$p3B3KcufrVhq`eqJl(A6u`#G@^@HASY>N@j;X3(Q0KH+L_)w1FpD;;72Sbj7>o}YPc@-QRIzqm~ zYWOeF&w=<(9+~gRx`GFHCcNjBtI%KH2%fKUc%S!Lc~sOzJSQh75#?}@`Vc3PB!T(1 zD2F4Rf=R(T04zPE`~q%3bWP*QVp#xcX=XUWOO4AWCN3f65&L<-^Ar>uJT*OyIFGFQ zGB0l%EiKRS2d7Z&%k+#o7v=ayV)#blTzJfHt914o9I4 zeG|4B6o2%AcQ|U*WES7{^bkJV^spTWXK-&!OvEK7s)Y}s*SlbU3CKw)sh$rXsIxpJ zKmwyxRwi++qhfWB$ejQ7{l7g{k#;l=txXuNfly-+yQX*Q)F$O{bonU-dyITy4d=j} zzq`K=+^P4_`(5E2AP3%svR%hWf{I91OptWuO>8iPK4dji^u>)vMDU)eNU+|;i>Jef zP{AX?1LX<{3Kr~NL=p3k@(a|NB69(3UT26x`N|8kZTNPc$!4n|NmeXm)|=Q7jG)A96pcL||RWYP96_Z50qsFb>3q7@cT@-AUEe-M#I0B|p(L0kQvl+Msxd@k4bk 
zw7;0=cS8FiLy~R({2BXM+>!ss-&i~ZMKSPDvJ84n@m=(x!>;t~2KJsf$qokr0wj|^ z>?W``p>@hn{+97W9iD48HrU#Ogu3=sUY-UAJ$A4#W&-&~Y#`+3M!9jrGb<&ffRpSX zqS=+{$+^Hvcwqz!z9UEgqXsJ67De(=CxP!2o@(stlO>w=AL?ci#tgj1#^m5&i&aDm9GSTU?G!EV(d(!PYL}(`eL5?2_W%(GPfuy(@KF;is$@$uRmsPS z-yBL1mO$TgF`#rthu?N6FeoxNZrbFu^8UYYG&{FE-XBwIhHhM#$dTyPVg#|t5~8aq z6S0lJ(nJn6JGiW?Yr^!czu!l~3l9pNSONmBQ-vLr8|6qOE@HO0gZP2z5q4@Oe+{lk zm_I==!~T=3l?ZkTh8+|y2>ocF?e2C*{~>&>XnZ2`18JbgQJ*&&efC?({7~+IFz}p0 z_KVTA@uQ`ROg?n*;BEONBPPcE`_cS|(|6jyr$=M`{X6OD<&&HEX@f#S5WN9HAi|S#;nYEE zB?!GIRcNODgcf6zt<}|=$^0^j6^JXyawwi@$=Cu2{V0%!;hX2DP1ejn7>1u1cRyOS z2E7Fvcm)SjH|U8a@+_JtrLh^ic-0Gj>4e6b-Pb_pzRv=AZD zXCI^W34tCH>b*QTH(W<>5AdVWM67LS+=KgRKeW687XT#p(-XBWc|tQ z6tiF9!UqS5&bWJu$z!Fw4Jlb!w&;Lfk6YiqnI8z(Z~Sz)plJsI|9u1(e^ZS=!a1QO6}rvUNK2ok<>CM1JzdP|<<6V5LRO z@-{S0K)nLX5SBMAPKga-LPF?FgP#V}5~gHMP*5F84Y(XG^Rx$LZ3-;5-d_>=2fk2WVn+{S#O67b%r zWcsB{?A2q>(&3ci#R@~&wQC^<&LOh^3t%GRw${)f1v!iuMGPrmZwzIGRg$P_O1XR!AD77FFQ>~&;TUv2jnCkf4hKE>F*wK}$!9@puc=Y$_~~{NZL&a$O#XoG zFLclV?Sw{1VDj})h`@(u1-xnT@!|LVH|emz(w;soAjmj#OUr$`chCP}ULiQ!S1ifY z323i&buEEa&yIMxXyze1U~!~AeG04(K`TqQ&pL4FK!u7t>qmCDij@vvkqG)<3Gn=>2?h}L z-odcDRp?UwiRH$FZ6zBAWh^T4ZgXEKNgaVpkeTw8NBYtd+ zuuyv>v2o1NMU=8K)2R9${0NNjK&Wx_h&(BApiH)E1c>8jV$*3YiH2LksA8D*|VXMZlGyJrsc{*s)AoNWT zdqaSNd<0bb3Xp2@FYv9lLeEha9U<=7Jg zIa9bAFcAzY!hh43FQ3fw!Ixp|P+~NK0fG7nu{l%g8TeDMSZEWZ@{>oeCcLv?{)k@9 z<19#9h~H3R&;x-&>OGp8xuY=G(PbKZ@17vqZL1MKz%ro+5q%H{c2Hw1>SOop+6BG` z=z};r8ZDZds!a0G>VT%g)YX7SxK4=J zut(pR|E3DPL3rgp`(3o75KAL9m7a3ffdkj9tuxiR2#!B4?igbbHtU0P5C+*_lbsjz z^=+{S0RsbiGoxZ-(ck(LG`OpqTl3ftU>ZnybOD5kWpGdkVhgMw;Qf*1@K=J0X@kx_ zjuT;j2w+K^$lRPWq873e_VvL?ha8ZOO-T4OUA4CZUm;)jt$O_ANz=>g4$0OSy`ok7`*(}g=QU6o zIbu-yUtrer%u1-Z@~(1(F>?`oJBA%PjSy(_&oMg-cQJt5z5AB-s0kCkBX<#ulxim- zuE%$SCWZddDSKrsO*&C?*|K3ui)W-(F!RI|BIw=y{*3Ub2vL8w@S{SQAoaq?1mE{J zRH+%%$r7}jIg=PC81w`Nwu6`Q#6WB#>wYn;Kq@^ZrWl}J_@=6BY7i?<(A5Q6B_xr7 z@b%++3HR6^B?kzy*YYP^0va;H7GUnLf%$TuE!CZE`eMZiuO9TV#`2G#H zk;-^}R&gx6H8@s6QDLpA8=qpWiM;^l68MESpnhHM)iwQvAQ7u~rdF{?=-=Q{fCsv{ 
zee>8xCkuU?vPD;F;BsZ0aA52R6J^dj@TEk^mCZlbAm*Xorfop8@2MMyq6u&l`mz=} zgS&?~r+BNPgv18y=eKV-d_b9?`9i6i;g~!B(hRh)P?`X2vicyRuG3e#8&>DXln|?j z;}$W3mF4QyR;d*@03z9WyRMCTg4qk{o|uFP41p1I&fBgn+(=3RnS$|tT9P}MBM1W^ z7nd$|1H1S=fjA2TiSY}32&!{?O*uigA#TDw%%5x_i4z0h30VU8W;(fi*|Jut)-asR zUbX+Y479Pw^2F{tZzxq?=C0pa>YlprngE{@&0GeX#H3UD5H%%2z#Pdl^Gr>}Ok|r^ z37DkelT#t}Tz)WN#9v56o(FaOdA0NUtmwDY{gAylzHjR4D$Xt=uE2XBmQgV6*uI^r zEO~-jtfl&%J3upLxz}J6?AX!Ga`EhBYp`Sh025jGYWMHmKC0n_yttt^BFCGBypc#wJ+y)sT~{=oi2=_hV(3z#gRJMN7AS zhh_yovB1z@i#s;DHJXpI+tTHYf3J*JJ;o7x)W490d^_ z^t*Q(8_JVc40JlT%a3nGfUjeU56^aoltK?dfKqWtPz~o!oOiko{gYl^ceL_Q0W)^i zHGkd;b^N~qT7Pk7p{^tyKs+&kMFP`b=<}VmUvB-m zguqWF1Us!_#^A!#EFpGf8vTJScOiQfHp8M@ZaPQU)3eV)Xf^3n!vhyNk}yR{CUz^6Ihs^ z&d(1zu(g}VK3^Jp@Cia1eurFTkR|XD>~^em#v`7@5!L67nM%~oIzMhEJ{k}I488d! z#6AN@j&;nm327)n-1|(RXb;7zEYbKn)i90K$&n>z9{C zxsG6L_8IS6+lq^e={G2l38Y8$RwGM?pf*}d5L^T7rdmAY+l4I;XAo)HCSIm{sLP5K zix>jx>tiUVJa8Z<>Hz3{bo9_zOClb<5LGN=HExTui%asy@nTLJ5iS56Yr5FsjmWe+ zFAji#HeXw6Bwmz_jeR6{09*ipak3~|?r3{aj1%cS8Yt=M3PEV{UyIxsurFG4(nhO7 z_9UMcxc4}Q9D>yZy7jh~o4;5c(V70NNu0+OT%pu7xeS|0H4BZHNnRclrsz%@zkHGD z+4G3DONg&(f%_%&FwmuJpcu!*jK{l%;Tf0^)6AD(+tAaf3Q^-K8Tfjk1Ng87tzzQ1 zWrCR^Hyml}W>O~D&Fa;ZcJT)eY=3_!MbbOhv2?UFRdQX{JP)d5joF89*0o@8yMY`? 
zPXk)UZ(;C`;25;tC)be^OGXI%-FQ+zl0uIFK3q+$>iP4Jzc&QG>ak(O#cD5w3=UP< z^XCQ=CdAS<$8QDj=4QRtKWC#=`REZf(6@>_pw6Cl+pn)2G(q(S!RZv=m;=g%2HFj&dDe*pXz5P03Xi#A#(DjOZgz{SEy zo!(0K#NxSg*P>)0*)YgBH3K`o=C&=wi>wy)SqJwHGB{Z3ZZK(5@*q;;U_(Dt=9BgH z|Gt`6(TFcCZwHy=ASkB)S7*612QKMTNVufJrs9i}FVnY0BH_DmlF*kpgjdq{+NYjbn($+aA~n_o((hELnX zp)7y#V$i^W2A?2tem}mVo@mENaD7P#^r)=MmuHxnL33mrN_B?_eurrvd3ine2MSX3 z`Ma5`O8A@w7SNb!j`<`Q+0OnsLp|U zxNRSv#4JFpHgjh9Ift&n zC$VQHb6>htiBlQkX^X|Lx`@tSwa|a@ zY|VHZGnY8uP%F_oI$_hpSoG^n2V7CSmzWT@(GtI-Mg@C&rqtPJ#Hi zIz&f?hE{s#_)%-{isDi}!M|s1)uT0xzem|;c|cFC!IMc&xd>6^W}wfCvkmA=5lY*a z6F(w2qRv+&$hpAQ#CssMtA8Qh}G{S zG)cn{=B^paLxbqv)^N5KxB!rqn07fm9S{sRdH`1gUEKqPuOS&j(ib{g6jE%JIBf%q z5D_C>^bpHYX2vv{Y?ASVuAI)-Fe?lO9$2quS` zd#LX+TPI8->mSA*IB<%w?&d$Bm~)QkKon)V5UoZhhD)AMK*1QIkn1T<_ZLEqkDHHx z0xL-IBbc%wP4!6oH;j`gIDXqZI3ROl9tO`p<>N@P;8(qoxi?h0bPsLeb#5@5OSLG# zPL8;n3zH5~yKV*@Gc%jX-rQHx9iOV{%a`+K&m!abbM4EGfy&B`PELV8J}rhE zgys!lJI*zUi9wVK{Bx*}LIZx`&qg1g>MYL~U~1eM&@Kzpt50Sjstg|RAUb;RAn%t# z8L0rrh}<>7$P^M3xA1zv_cMg=*|RaSDuzqTdWK3CJLu|Wp;2fucH$WT;caCkiKzr# zE2T9RFw=D`AyBdP+hJ-kbLP~>78UiFVnSQs-xeH6<@)x;_-YG)D;NEZzVX_ZhSZkP zYT&VgjPKQc=FW^C;6xk*C<0fnFywL@9K7=(_^&+iHrFP-yqY%&338a%rl zD%t4mjcd1glqYE7UN z;s?M5D|i4!gh~|RNPd$(##RJ7$sI6c z1lNNXSD*a%AN>#hC$MIj`gARm--tBuFOIf6-61^$xV*UsU97*icQd(!I?rR>MX++G zdBSw_sY)RHriqWA~J9F zZ<%kJ1PJ^;#{!Tmf4)C_m*7y+0Tl!j^kYTL$zOeHNB_`M zT?5e=xONVl+1LVrZnD=MhYRgQ;{tv6#8t@5CIZIwRHFeky z(<3y&95Wsf#-=UDYjf!}fdBL(smS~~VMRa@!W35zBP5I{ftUHT(Q2H5dAC*IEb<(x z#gr~tovh@e)7_1eVx|KM$iIaE!$2KBNQpTA_6IaK0$u_F{L%wKi1PqZAV(6{e=2ZvcFg%Rod&z~Q_pjSnjYSDXP>x2o^b2+R*(CxUUHs zE&>~s{ovj>|2>4Z80Jz1!p3jPI5ym0++)K(jLIm?d9CYA!FkiLbUEKh@k^Px;dVE4 zKhPxwUXtOSQ}xy06B-)e+E`WNtl0jywG8l!AVup)phq$@6Mq1Bi3~syb-`2JLT$v; z<5wWks-JW+$dG(V!E2+naC~03(yl0&%M%hu30#llnQG7(HcVc^sHD8yTesig&Qqqs zG^4tp;59h!%Itvca%ONVHlH1J|MKy+krvT3ns%}wg8x$Aja`!6<}_@~8l=0^cl!sU zt3GU;`qw9Gd6rM9UgG4PtE>7@@Hc&)QQCdRxu(=R*0)Zclx`X(VOn`2t?gds++^KF z&@PrK<_xgmrg~J}#oBDvz?I=4{TSq5w~*c5DFz7Cor%v9$Cjw?|7huJeW!&BC+O?j 
zIXL{m7pqsdqXb2C8MuH>Jq_#jf$6kqWY(C(L`=oju3mkNdoC-1i3?!)&LvvXu6tM9MdkJRe&W%wnA^>nI ziSm2_gX4=FRAs3-PCZ#kWu+UpNL7|Vj9;NE-6P*?>XD;uf47^ukh7?}K|yS6)O`z_qpdfaK**NXj%ZepI6X?R{!ixKRUeX7E8}e}U(gEqN4r?|(m2 z-pHT~df(2SMM!x-Mwy?WE9Me%sn;7XC^wfi!+#TiAM=H@xrvxgtiWTz=gn;}9GW*s z5^{!wow@OPz3*H%R9Q~+*&phk0ul%T*F(>01k8RK75`%Qt3!8bKsRn}w8V(Seo zSfN2d0vB|_?kqS;QdOCrkw?R?0k1JI-^`*0JZI;h<^z&1d314N z#2CuYS=9cXo-W!7fVCVNF43@^iga-Z9`RqpdqO`F-@-pk5~i+2sYxTq$sqxy{GAW$ z9p5?(PO*=C!uJKEGbQB>_6&S=yf}(=peOb)jT={S=g#u&kJ(Cgih7g5Bk5nR;%5#0}c?XU~QoD#`9OQjW34Ut!SAL&A^BV`l4k4Ds^w z6ICUUIs@U$%38Aqi+LZzXXPS%g1k62xQNp6P|s4p50I1NyWKXG;>%j>rOQuYsoeMP zSXF*oWHm=sPHL7~UpS=4@85H~2=5F#!#2754ELB!OC zg&B6E4*D+A-gAfHh?26hnb9fDk8?4-VABs#$wmtsO5eahV~c2Vh34w{OqvJ+CHL=B z`S%6xruKtf23o4(1L$dbE=h~yQqZ8sS=0j8+R$_*Gm^SM{q z&|&f7Zr!`1c4okY?S1aGYpY(~r)Ic!Z)(foOP9vSZTQ`c;8TVq%oo-b3rN!2!{m zY?~^0Wbp1-#z5x4Hs@g2Be`J~knQP;R1E!^0Y@;xIzk~ge(ZrWiZxL5r$B3?gs82p zCAH9kG0GicY>cDzY^({?o^UkbQgM^{_B|XoFd0#b&8Sud>B;lEV48gI;Y0K6Cyrim zVsp<(fm422X?&us>#;eAu91sUM)1Rh#xrGw6>yC75F_9TESQyWQHTie56JU(@7$Sg zZhqsz?CEs2PoL&c^fDfxSR*a-ut`*%OpcW@)v6Y3ep%t>=9s$<3ucCLSd&e8K8HC0 z_P6*F@417f(){KJEaSTr6REp#E^tfayIW{IJF9eF$ufLeL(U4Q=5Y_pL zxl&a5tJdOv%C59qb%&=+LdC!hHTE^$Z#J};IREfr4yyyF1O?LZz!`#)fL2PVX-3=Y zjv6vWsCREJh|uzbKHf&zL*f+}Ep$Qs7+~uAq}YwZk+`v;LE*7VWfMK}#mgq6AB<&;L!r^NVcX zRFwcdXz2~dWNTKeu<8s#pA+6vz|2ZYk=_d)Qm}5h;aikVX`23o-K@;sIfVxf`1$+y z?v=1mYaz*kFMwCXaifnfy#P8;vO+G)p!?t3TCX-b!GJ|b=^=( zE6E9?e+LFgKSWr6o}&@2G~5l+f-hJmHW#o1#trL4^AAl%3Z8ss0zs)XEj&hl(a zOVdk9^Hx)ML0t7?V94+0n5V?Qfci?d1~r0&DaSgkHtKxHh*fH{XVR^in|F`3Jf^dJ zH_Nb?l%m`RA0XUJG6mBn!ZRn)rXScW{1RLdQL}=8u2ONM4kXJllVEvT zU~@qaejQQ#kJZEX=S@${=PQLXTds|#!$S;H`H?@rf2YW@$ZV{U(Lc!knq$YxNJ<94 zFXi>Khsjbh+Gr_C-AyeSJ4GI5vyYESRR81iM;x2O(wpgriR2B&4r+Z7cD&J#e8XNO z7~Rmg82Lk&v98YqhAu(_*vc-h7RjC{G`EPbRlae_t+Fffmhs}aTO z0L-hvp40ZHx`HEsb#~zQ1uuszI?=02mh}hFEW8ZZ&`YJj5hm~Q?ByhvgLC3Wu%4O% z8OmfUg55vRST~(&pyvrFIWS$sdzh+%DEyQDhWa_b_;u>IDv!IyR}X3ntvWEl?c3W6 
zU&G3yW@R~KOGUTr6D0vwj)&NS1koSc-sJsaH6Pp!*k6$J&`?gSqpO^E(#2@{N_CVpeG zwPs+}&tkaIYc3qaOz!EtqE7cVzESP2hD@^%hg1!kJJZlxq8IfDjJ>!8@# z(IEK2;J_{>CU&Ev{g1#K0mn9NtztUBIp*alSJ>FSVS}z^cEp>@0te>yZ6=sXOI}i4 z&?#aHifK0G6v{7Q^>;Ja6>D zgc>wsYR^{q8xU3puFcza&`lWmSZn_XnUg}xgvOgW)N&og$U3oYwI9#tAGAC{IB9U^ zE;1MT#aw%#tu54~^Uy&BWluq3?>HI3WZ7BUdP}7H-evaJvx$EEp`qvaYBt$|^-~St zs+yH=Tt24I5swG@jxwfIRKeB{VHuSpag{#VF$uQzs?*8@}XG11j^J+t?9w z!H)h3-YS$3Vo`a|K?({}6>Af-E4MId?s`4#XR%G-cc< zrpYTVDufY6H!No#=Cl>Y!m&;$VB#sgv-SA6yJbljy3k94Qt)$R`YpyC73~7hKXN3j zFk?s}n0oT<89%=v5i)h!M6fju3|_?u47uX83HBLtX3qSTVg8v}qX1eaCl?^H(bJQE zk-}J?HMPUl)w%G2j9kJ{-FSJSJr*|KO7tp*iiANF(bOuKt$1{w)|!u1jGRDiA#{HH zXz=N?Nur>`?jv8;B%&Ma7Z1Mo}5z;X- zTY8;--+f3LDYb||xbGC{f;r{jDL2y6+<_gi=wrlTY#b9n9fgLgt@;G3SZ5_hD1YP>YtXZ;OTFn8Sb0P$OvUmC&t{hMTi|AtSxPm_%qi&^LB6R_xvJknEE-LF< z0VO84yo2neF?_g;gV}Ej239P3nomD_Op(R%&n z4Xy`ByV%vh+t{{$swxAJ8Iam2F@!=nj{VwC`TAy!IW*QjOH)UuuVBr>jy^%;&!b@M z1fs#efq}_@7j?Z-#M4KQZn^0Q4wpLtC~;}!4MV{rky_ils;*{@Gs4tP!rxk&>41RA zSEam_^WkNh$ddb>9gpg+#1x$74#&JcZ3zPigjc*m`6iP;JEi{}x#N2M zfp{n0`KwT2q2RfTjTMXnumpBIwjRAk)eVSF4@JKL_^O310uR&nS)L#{axo1JkD8}q7F9ZL z)c`6_f(g@lvR-a3RVG8-6t(%pBPsyR3k*1)9`~@-iq#CI%8A&!mysa%IWAceg&#V) z3|orM9^Jb25g&(64-VzPDDy`T<0kAWtA|56@OwWt7zs5A&t&>QlaXpPTq*4q1j=R0 z`tf_&WckS2ML}LkNdR3M8;gZ4mBV_5fWptjEQ21}q5@f{@Q1B1I-cxnW1Po#(`4f$ z)g6#x8Ds}KCg_DXeGKVj@RQ}YG2#MzV(?aYaWHj)00-620I~M)keJZTK0cso1pZ94 z1w4+j809^x;Uuxn&R9$LYBm%x?ue$&W3y09j~TJSfginv^;c`0o%gY~#pRZG_fQ{z zP5LC(IJEj1jyc3S2{6HMm1VT+R0k-xm@5n{T~#h##_iSIGa+tIJMoGmRNnaQf06=_ zYY0eCYLk16WV8YRfC(rO9eZfglb(z(h>YB6n%t?c_A@tzvO_bGda|c!vani^6NV6i zHc>y4xfaO+s4nTtGlFmV%s=cN`X=girw#HGB8+~9l%1$CezF7|TZp0iH~9M6(yoPt zvB7vDV20uI8l$^_cT_3IkBevbjI0A?ptGU9`X9XycJb_)GX-P|FX#aM=tGC<>*_*n z&jmdE@_z7K>??jO<+3n+ZK;czLO4U^;Gz(wfulVtNy%JCyh~Z%Kz%2()ycY(Y$E!5 zA>u>#6gn$piwJfHZ)x7<`||vX@)s|bVA=;K9Zx~wz@M2Tq14r%e+0}7Nt{yr+|qnw zmYdiu{jVYUCJT_jh_IEG-_yTu-#6^!p_jpy$D-z&7X^Fg22W!SApIlR8a60B%&Eou zzmr3W?wpO^MN``MCCQhM8JS37ASnl0o@x@ETL~Wt< 
z*tOBL&KQuYa`4F(zC+rq#}9WOZ~LA6I2=Y8+;Z97##BzoJhn!0o2RzE?va7dq_CBl0{T78INjEs@-;|V70 zdv<-;(3eC9CU+Xc>XH)VFx145Dw*7wTl8q$aFxo;Mr(S$6moU)4!rME#tLD`+ul)) zP%Obc*Yq>rvvZf(&{8Qeh}!P%dIWI!JsX+RV9S9|9I+I}AkjkDM5NZYo4B~g3=iZ> zXg9!Tuq2+%MB&&R@*wdkJTj6(N_*Tm6HjT05TRB8)}kh&K%>x`(E7Y1i)J3Nw0#Bw zyeCqBpx_cb(c&`yA{aWkB}<OU^> zIIn-&7-SkPN@O5Q!k`|eOGv`Zu(q} zHTPNgDOG_K749cC0Yy+ngO46~t{hQUK4%bs`A$h9neKU*XqT$J=%{u7o7TEyYU?1_ zgFjydjpc}MvXm9aV|{iwPZbu0mWga(!m6rj;l-skE`@ZSg&1|=f(00U>|8Dnc7%G3 zq{B$eWLLJQu2M|#+jY6*U5_uCs)?-Zyl=;NI&0Cn-<1?eju%{~gULYy`HglwbwHHz zB*ssGWN$xz2IWPz4+@}p#>YM-c-^Y6jtp%(L@z40pb^@8g{QPHZWbwe!rM!cJ2WySXg*bS1C zsOuR`E#q62WTTbOE^E?L#2|wogFAi|WjkAk9Y{j1^3&u1Scli45ms5)IH(?bH zvLz5hNMAHMc;+yKXB>wt{vkbuf#Ed&y? zwETqw5n>Ia@PMEjBXx-;&G&ziijt!AvyMF^b==Vk{BO9OZGNU6F|m< zc|AJqN1k8Xv=$fj4=+}(Tq)2zXj3IZU}dpz7rm3X35+>|VZ+#rdjow*+!EgAQA7W} z86S2Di~kG*zBLf*nfvsGG@6n^myGB+h}|vJS~NWrXYhlCHO1dOQ>DsarDNMuGee+n zqhu%@^qfz|>pDz6W*pT17pOwm_%n8Fl&XaE&dQfB6F4$#DPH-pwpJUb+3ul;Wl7^~ zaD_U5nlaRwCm&c~JaAw<)fR!=Spgq%YVUcEyh;Q4S!}rYRIHYRx53N<$VN#{P8TgG zbSuH1#suX7dqgO0Y_tUY3tvM)F9^6OD?!&nrR1$V+#*^v9QZP8Y_o&OvmtSpJD@@p z{+g@3*H?04^It~ooK1WSvW6S%<%He4#~?WK`gOK(t3=f^uuxEFpqIM4CTU?MG_AVY zTI)`g$M%FHSWhqnHo2uOTv5YN$c|LoX=&X@FZ_PoDURPyzJg^9ngAm_S`8jkn9E^c zR>_2lb=feov4)}Qf2M+Wz1yl)BY)(_&w+%551wK@P?NWE)Sf-~B?Fp(3h;kxmW_fs z!#tMi3V4#m>K4&lQ}!cqqDG7;W;=WJMdl0c$nZ{`ZtJKr_>y_*T-LV4&0loG6b~x~ ztexMjTbFM0`j~yXzA5y=s+!MAF5R#RH@^jx z{4A5gbeDvqh%Wr$_xP_X7p8eam4Ohmh?VkyiEAF!Xu0o7-0CKof^HKqIkz`!Qq3dMzvTp&` zZPT}Ine@tWC9K3t31TAWtDYsHPgZ7EczF3v40ch#q`$t^Ww~=|g+%Je(jE)s7^!>2 z<@}vAYICoy&oQb}iqMGZsZ!{Afg${2QEJ7h3OvZ)yXwipzIgUAK8x!ucx_*-et2sc zFo0Z?i$b)T%O~}{tHa)%MV)OTTiy&5A~zi_`1&n6Ubor77-7CU#rXlOgdN$dnHLGQ zD!yf)O#YaGzL!r>+e;T6Z@!?=&kqXP-0N>j-J3T$L>Ty3?7G@q@-@UX`YrYb)Jn_>!IwrISk=3tT@l(P zqm$WFB0Ux)J=Y5`9wvOiiV>c%EuTJo_q+q&HWtUCaOWXx5K|Z+3*GoZ`fS zq@PSfK{UC)Vp;ePfiy~j{WKb{E&Mwr%!<+$-euP-ZHnA4a|Gl!f zSW8IxnPV$L3lO-l0u0N)rqSABE-SR9#xJ^I()s-euRB&ELnnbaLvzgzYUe@j;%}z& 
z&fyzjTZcVAGVjbCW}pAhyO0o1sVqO^pU>zFWz471S}DiiKd%rUHd^t z`)!B*!^(9OL{e5@7f=$Or{}9#1Y)~tS)pjocglYdm$SBYp9FL)~KvC*c5oMBz}yk{-kYDQ@ST7i;7GZ_WxBh zW$M;{;}d)J5Ou8`CR!(AJ>1@nzWV?7JFf8bh;2D*n=UY?9UKs$xpF3&!arSF5w*2r z>!-%bX&yCAE$3hScQex^xTx!jhry5Lk1Sg#y6GvJ{o}KaNL189&s^_|ANIqoe_m{= zml>QeyKMr{C-{f7w0TvEt z)@J+VhOKRXF%hAjAj)p;wbx^SwOs6`j`sa)Z@4toe4i_d^Lh94NB5SN;1uYe&fiyh zH|&dDktcC;k?6L_yX>X;AgfBIlSp#!+) zvEYhxFD4$DEwuflvmU*bvTzn5ADIt-v@%<;57@Ebq?)K)^!H!O#ZQJRe%~Y>#C5aL ziZ_c*hkEWTBN`%do6=(;z2yHc@t~cyie>tdmyhiTZt#Bl?%im+%v$p`YetBwMb@P% zSz8VCH%Ti*BqiPaJw94=T&#JdC^PTki$d@30Y-mc4*;y1$W_h_ZFFnIj`(tK4{M!v^W(QsWRPt zUNa!H%gr9a4a2uKz3Y~e5`4{oa;&)V+^vpb5}DpZG)H%v?-~C?x--1-sT-zd-S=ZF z?=Q&oOzNO~>~Gnd)TLIWtrBcp8d&POZC>il;4ZbdduIAy`hIu3NOi!~l?Icx-Pmd} zM>M-UI8Y!q5@_SC$Xd!p$L{Y&xX^3-j4!S5Xao9H1 zS?35#eJrAJg2HMtt&vH@u{p!#Bzan0M6~}}v4SI4Wo5sjmawqyAb0MUAP-i1!Nfmv zUa;;0b7c|I`Dbi7F4t{({~kTJmBs?zRD}nxi9KLiBV_Ij+mW&owAY;$v8)3ss>4vC zulSHdC7q0$gH%n}PNqNUbe-d48YiyRR-ho)+`W$0!q->B0`pg#2AHwJ25)_i{Z>Wi zEa_nE*(ZFtt47Ci+@?jpU8;qbS=XW#y@kTA6|5FInQ<#kis`Ij*{N9oUrf0a{rb+2 zLzaTJZ{x<*CdG^eM#+ElQO8$xoK$6+CI5BDfcVw1j!?tr+4NH{+>}3@~>^ z`zWKv%F2x{-L&EP2t`rt>(?z;qDSn8O0~wMxY_m3EcHTz-$!D-0=;m%mOsGzTBdUZ zZ-29)p6Q3mDMgM9U#6=xm>mMRUsP4yQ+4utxb*7VkDsDxd_N394<)upeo~})-&w~7-KptfMinZq0fTZZ1(fp z!UkHYLVPsvYzV*eMv$^f6)HsBrH|NSmV#!Lx-ZNHkdYbDBfKkU$Ea?xILs*9GBz0m*rt>zOYPg_+Z{2%Z z0nTd^zYS7Qp*9-#pWnat?$wK_%&04XS!k2-6RtwHfFK|;c8(IPS;xa!97!wu`l0gG<481;k}t zEX)ab7R(Nlqv0tmI`x*OzbMwx&Q2mW4>yxp>SG`U{EOM^wgRxOYK&`QOy#fV(u z;~kjv+I*$6gE@pi07P(ZmV1(CWlYmixcF%vi_v-Q^U}sGeGJ zPx}E78!k@JERg;~D!)xu`t^atU-U9GzI=+S&Rf7|C5@d3-n zOF3VdxWGme5u|1MgchK$9R{voqvcY^7?XGU{%*2L ztqM+V370Qkd~~+Qm09k#>pVS2SXElf(4pt$DStNZBGTM_(MCsf^Q>EyUq5x6zF57z z!?eqSbvb9<*4MeK7oLA$$r}KJMij6sy0p#M!CFVzWR^PCQXMCvdxmH)^*U&orYWhl zSR*F;tXs**>iNZt;N+%fn-?Ekbn!$qG?~(XOdFlYp#{#Y?6EGU^B(O;7QbYJn*wCG zOrLD~B|LJoVx@@gTGehkP*d!kis1?!4Dhfm=9QA%Fy4rW&bD9O%Mv^==uzx{ZzI?I z5Z;)(5xY>?6L?8w)WC^Ly{ry+o$hhkhOvOnMIO%BvG{ZzjOuj>gKEdavH#tQ^*a3) 
zdo56gg%{g=TGZ4Fhg-xH?O0sg97+ANTzyJ=)s{zfDHktBm(@?P5Z)@E9Jm;jB49N3 ze2ASCCagSQdWRG`crw=#k6k&(04No*!-b`HIt= ztNf{^+wR>{XYU=fd9Lhjl+Z*&JVNfeU*a(9_I7ohS~BFRajuWiC= zzfWQrVR57>%}lIUi2HTGTU;JPGxkw`Dz z2(graIDV?`SL7qQnPd{mUR4+~Z)$7Vlk+6~8ARdRt{2kNM~Vdd92^70O<=Hf5dl^I zZ^<~gB~KyQ8*G=^1hNW|2!ac=52)Fo#%!1n&73=T=f52T$MW7iOo~Bb1&w{lJ9_`^ zmI->R;}#d|M+%dkPM)cfRxZ&p;Cj1{y5I+3LDBH|>{~!|0LoN=N$m3r!=wjk$?qw( zq(b`%mmF7}gyU}kG#QTqGj$P>ED7l+2myires>WuyaMuvMFK|uS^|KVmE9Qs*af7K zKn_|$HQ)R$c9FL-H2&@)GMv2@`V^$Ftre*=_-jeY-4PKu{%9R>QQ(pKsZUeKqyz+A zG?n=bm9J+UFA-{)FmbIDrMb;TOirl^K;4tyS{K7FIcWK`aRdJ!3NNc;UR+(QRsHH! z5Ml)L)Nxu`oDTUt^$(6Lv(-6Nf`h?2M@MDCgEPbzguaG`d5hJtFyLpf`C*1@pCPXW zYVFTg=B^GooC?&;+#LDdt&xgalPFZ2irv-0iO8ccW{56idXWgzwdCm6{d?7WGQFo9 zYqp#-YgVdf4f-~xVh;CcP0X_e%Sv~3fComrOxR3{$4Lzw=enI;$W$yYPpf#Cp4s;F zUViGEK0aN|2VnBb%=w@t%%}7d(aE;S(KIJ;xnAGVbGs)CJ&NTgDp5T|Gw007u~~=L z3)*_Tc(GVL5sg-V&5dY+>jO&_AUG&arlui_iyg;I#H9VJB{L!GVw#ild0!>NTtMhW zBK#a!H$`eb<>sf3>4J$mt}%Q^J;cQ~uz%*P+wK%N<20EkqOa%Wi9}S4tg%Yg)WW5G zeld;&I!lXTE4&}+Po;nujbePqqIKls2}%)dmN3y4Bl?Rf3bp*v+Pc}Xm|Q{)oQ`oP z=N18Lt<36MK{?{!(!!W%_#l4gb-D?ddw|mQP(pH^;*@`~JrKN16b7uZkG&tz*LxV3>4$5W=m7)zY_pwvp?$S?FqtvU}R%hU3=Hh&Q8JcpQrl&4~G8u z(XjA)X3m%gp$!VP`sFJHDCK1Cuebs?v5|{Hrtb;1k#sK=Yip~u7;xAeU#Ner=vD5#vG|uXZ$TCk2uQhC`=VzzK`0!VmdT- zq&HMsKjeXwVN|U;fBoR$!@nqhaS>$c_v_Q{Qv^uKuS?_8jOS3dlZy&~cZBU;UtU~; z2~i%W=P;qm*PlN-*c!?7A$It*4Jr!VJ+h~!XXgykk3Z>|WFr>wev0|mn9NnttH*1^ zG(xf=x|(sk0400>TUjF;)+Hk1sh+FThH{T!Cz)@*4@%o=JB5{S{I@ zmM_qcWTk{cM=L`gVIyIVWQBmB?vzq=UAu5&cVH5y^Up4CnNrg~WofctU_#*e6Pt~0yBWcvbTKx`<-i@{(i+4gBX zR44bx?+P-DpgLcj!!+;g*$1{6M`9XOy+Z6peSUU+@S&2`t>W7=y1MUy8zSZC?0 z_^iX_G3aa28YzF=(}}!~904(H?AXf|s`JzLuE@6E3b!W09JW-K(8fOD1LT#9z0os&e|(9Z?MjX=8qL zd14*a&S=Lg-V8p4Ns|DzkNF>zOcZBFSqtN#t>`Dpd^PO;TAzQm%vOHPMOt$|!vwog zIoH&}BPHTX1F^98h`WmtB5-I;IL$w1Emi-;-O~P4eRiqz&Y1Z4KQMDt*Y=9Gl5;f<`#P}rV!EceJH%&IC;VvGALs=UA)wOl)0@)+WtKLHM61%Q*c!qd zQLv-j94*7RAR*z#nirF=%?fEqQjJ%vc!~&`8f4dmZX)MP)%VK8T*i`cFTx{%8i70H 
z+QkC8S>cwU|hkif}^;(WO;uatOcVFLSej1Q0!Igsv626f67& z0BPD7ayn^`Z_SaB>&}1T9O5Q-bv9UHaYN{X8q)#_m@pEpT%YocbHTc=r0a(+e?{1xv>AK zo0Z&kr@6A?)8{qpuPP4i%4;V_#X6m5Ik%ccjdzk~9L6{$rKR{sSa#Y#bQL7Lnn;lO zCe+pMR97pCRAY*nFhcGNtGiO{7828+TX*#6Ul8(j`bRZN`HKWX7mRH>3wUZU8INsx zIc}^!TxCpN7N38H2hDSbBH`M3CTl`__zi?%wDoru#WShm{hK#}>J~aGf%Cb;h*5t3{Ia%i4Q?mMOiz|(ed}PG_SW}Gqr-i-MaeY07{1Xvnn*^g#v5){1f@CLF{<>VA=xok>j zN^gjHaC$B`eUPyVJs<~$f3~NinuTn?uC$ z2|(9BiZmu_ID^8IX6iS(@2*kZ?x^7$ZB6v@)%)2cKDZ%GiHt3z3v}kN?V|CuV zoi4TSt=O3KvEWI1(hU{E_uIxEDq)Mm9yFnVnzgmg`X3px60AumqF|~~_U(K|M#YC> zke~kKqTN}ZJa3BH8gqiDv#g@ul9S`0)v%xrfH7Y;0f7)+j{la{-rk?q2y)7+#uVdT zi3_#eDEV)GpQww|(?53D=z1ym{ag~?`@h?}l6Jfen$j*|n;|CE)zXqtpvR6Cdy3uQ z@iR_=KkK3UM*m@bE4lzi5(X#dZtk)Dj;kOyq0@Lj_kKwU(h9k8AbUjCnJ& zQa7sTBT1%i);f(CY%zflR_ZG4PWiPZ5ZABO^+O3>V36F>_jBn%-2P3SxGfFQ(1-W$ z52Bw|Qlf>k(x{|cg+G*qc_NS^se}%zwFMNL`TLsW3HazkbO-hWr4|&OU~G(utfbk> zgMSgy5HdmXa* zN0lP(HdlS`x;#^3MVQn1e4-T1CqKq+QWmgJQjUa$+q0*|tXTt%x1j$R9$81@K>%Vq z3hf6l%irgqmI7Ye4h-(kl|&zFHQY6^-k`JN#hJ=O+rhPmcFW+bo65tCmLJ+R39wP>GP-`SoD==9; zU*W-76}pVh8C^dG1%0=B`}oI)58W{sO4`RvdZU@yZCVk)=M2v?**y#K;9lzFbOSLV zI-lp){)FdG9dqavI4g4$8lHp2Zdf2Zdo~e#3gQ&k1BJ9BbWEIAzAbz9@jK6T2`t-~ zG*$}%hoMk&G2pJXCw?@Jq71Kc8`rJyX3&Z!rCm=R*6p2DbI<`RyV9qTakPa6&iiJn zu^&%09B4b&k+nSqM~^Bu1XTr8dHoPbyR34Vrq(yxy=ixfW`sEdLN-Pkqi?wGB-8(6 zU0qj^tmF<>+;+2wh6K9>3)sEp!qR}%=Jtq<&G_3V>u7TJgZfqozw8k%AXO4H1S8{|-rpK@kz(ZWzbRv2 z?z<>}K%mo~K4Zr7zh?O7MBL>IUwX|qqj(XLS@IeNyyiAGk1suuX1@?J&@VtqVN#0G zv9T-?BPEe8$yhh=8s$r*GeVdimqz_l;Cz_H24vFYjToISe;tNc9CeE{RTQR1%F-CM z3EqpsbYaXGr%dMpoD&j0HjBJ@$2@HK#+X>lRO>5MNL$X?yFxWh1`?JVK>HQ|@tfLv z4;^}jO~c1GZ^WkU;ReAvis=qq0_PwPT`Y}@ckX{+Xg7PWcIfG)(m<0mvCR^jWwuwc zU^aa3-Ykp#GuM9}GYj7Q^5yDEa1$sZ3nqkYG5+)J| zhHwJyB_%}%R+=E^gc+>C(_Ay~&^aUFg9){77KP@0&z-L39~o!x1UDW zjd#^$wZY_L4}ZHop*?#oJq`Qjx`#I5zV`_Ac$N|NxqVS}e#@7?BchU5=SfMhE-;}+AU#?fk!$>Oq@E3+w&AYf~4EkN!V;U*sG9ohA|3e$?J>~zmjV+uuM z28^;3-6||7+*y0=OK^opQ>12C7ya)Y&C{BJc|Exc!qZnn^9Eb=HS`mG 
z{d#u(MfJIrHXAl%*^Odc`3>hBZ+#G1_TLHKSW$z&R9_mdlMsKWxY!fBV(p7Ug$)P@ zxE=9uN1Y!(NQJ{6reMtAn(FJpZWkTyNtTsK%0yG9L1+rtNORkx`jL8QSx=+t9 zj~zCwa9vksBoj3>(yG%aAden91_2o+GH;qb5xD^+B2`&pTwKlF)Cwsi%e)ZkSh_FF z7CMdUsG$p{7c=yxK#Mmz*S00l%j;9j`+l8MDfoz_0WG}MSlvOKSUqICi7Y*$wggz= zckl^m35np5!)&F$ErsI82$-2UlQN9q;3i6nU>uT}`F+5RL-%6?h-u3^{t^TZ?&X9D z*q6M#v2`<5C-@_{Qv(mV*Ga17CG3>2JYi{J;hE|rFrsed87g6Fyz;T8!iX4}9*Pi> zJcc>Gj&=T22Yf2LAcB(jmstWl=v$o0$k_VmagT~~yaOP2yt z9|l8=($FeQnHM?vzq5$YmI8xeHR7GR7N*1hI&xNwlTwIaR`))ru~rl&)8qB)q&#J> zD$$0?@f$}?>9BZ(C`fvs-dVPDsD>k4%&}_wN(dCTE4gb8TtcvO9%l0GK|6at~YY z>#M@t1~S2~ns}=Anp6B+5{cN<~tHB&j4+hDc>73Pq;g@744E`s4XL_kAn7z0d1h zYaQzt82>nY*iN-|eyXuwCaQ=$VsTKV&dGLqe@o*YyUnpO;HW_9y?OK1*92Nd?i>0l zBGBNg0RP~?sHMN`wuwh|F0^^TS8)F~9Ao7{FTy3e)f>`-5Fw(b>nQu;B6*wou09A478aQzD;TbXKicy=KijFR-X{JU&zCqSZqOh36 zCLF>bdYKh})BL!TKnE;PE0+DUnu5O){*09?cJ+`oFRV7;0dMy`ZzZ!+T^2$R?Y%(d zFz87B==|^R@5@V4 zNnbh(MF6fyllSrLdoFqykuyF*HTtmQ1$KgTBLV^Y9H(XDInm-$LpVUqmx#iA%xk_B*1hlkEMM6H${=-e)z8l;7qBKyOwrX;{nMic3kj$j(o4&%gmZ8#{^ID$_pj`=|!P)NN^~@MeoMeE9IX*&@LX8bCsK>{zNF%b%%!KQ1iF4(`vk zloblu+pPNk@${xb%aX z$u=kg`2HYn!(52+?bki-(J2K!DkPgcYh@pN0FFMrAKIzMoX%6{!NcLN;UZDodzZq9 z(OG8^_Zb;Q6M3;ihfdX2X5trI3J@X=C%oapLW0A`)DK5%$~G1`y|l>m@-s9H80~-| z5L9TIP%gwAKv+MYl+=IR>L)OA>`SK4m~kKR%k%?keXwp8t1{mU{=E))*w6$6$(T={ zPUlOCT0F-POIX7#E&xucQl$7J!B96+W@biwQ# zX=nNPQXbBhzAHZU^3Sf|lkY?U#J=$FBMuIeovd@L`1qI_P3_C}W)2Q-7%S+Y{#Mi^VSAF0K9vKz~ti5oqTQ(XL9uu zfzri0-cG+wY2h-@+4yCEkINP$yN!Er;&wvCOA`Pzn5x~SSsu0~f*!#|hDigEN4jgf zx}hAOE{_BqK0>4I(%skY$LOpc5uMUF8iGK#4=mqQ!WUIJCyj(*)IB&?0l}GY@^*+ zp>_@5Ej(zM>ID`|trzAAx<2pc9`E_^*|Q%>8LxOX9^T$Kh;X8p>HMInfaPt>iW%sw zX!J^=P#IfTJ~Q-i;Axn_1@y#Xp(}2EjK&#txQWmE5`4$_6VjlIT+i%y^Fr=g3q?6IJTsPk<<0gq76+?zClQg{cmkgYt7dZ}2)GNS-MLE!2ye z)I(&dDD@(ChsC3%E{DLanH5mGF%8l#2mFT}=xYWjW-a!{-2T1C*ja4P=?qH|u+dMEoRi*id#uM{kNn4%Fl6pBY|ESL9b`$JBF(w;% zlL`h0@&*s@zc$njYug!d^CROOG++f6)@o{K2m=evVmpa80&no>%)4(qoEQZtcJ<5u z+z!^GP1n=IJ7ekc%qu7^X2yZl&K0`q32};z%BpKOQpB(xsih$&oKny;fQ`@&79Blg 
zuiFn-51cfG)6{b})+9UgYxqM6nBl-CpfRex=5{n~fJ6Y}1LUu8JQ@0oy_c6))4UQh zK1wPUI|RpYqq7EbaWMe*T9@+|Gan2$GMPc-sa`K%{_XQI@vXsH%g22W&p2}YxYpqr z0y+r6f z*nz1CDVi|A(m%Bc&Wsbhpfd6ql#IgG55u;ogOG+%>oh(1fexGDG0B0>4N&@5)o)P1&Q$HD2T-NAoYaJoct3GdWD ziDln|2Lyu4=jBf9pWjT~*YBxn{W!Sy#r@N2=m)MYZLBFDIz~Q=Hp;?cH(@;#QTs0M zhb>uVaA4%o2N-pMQVrG6z{J|{rBHFWsv(A=iQ)8v-%_bEPtBgU5ZeweVu!{_HlOzv zIelvRMT7^+YX%_j4_qkEeZ=LY3W`Im*Czgo${BwB`)4XWo_4DdZnY;N5rr-J8?5*d z*a#xQd)P9Xob27^Fe87EsJ`{@bpI{dz zoZLgB%zuZ(YDLW6z}3OTT>I`FWWR?@wNS||YX%pI^#KhTj z@x*}_)+#G0<<@+8ox`}X`gK%D=iIwt!$zMpA`YI+h||q(VpX1GkTVapbFSA2G(22az87jF4V8@`W($Cm!V2!J@Fb%u zuB}_QF2IR|1`QbS%59ucv=za7iKQ+cYGgovHk~s#bANpKYM215XR1TEafwK!qzGG8 zi%>P5c}gmDg?T&cTP5?vC5gK2uIaVvC0&MM^#+v{W=6O-5>^$to#7^K5|(8%<5JF_ zccF`-aN>6kMk$=3Idd}h%`E@m18-^Y;rsZ8=e>a)48RF*PNcZoys7oV<;#mNEM$(O zMacIIG_9_$&tGwcgHf|{ulxU2@HE0aoO*gn`JUN!%R3T;zCrv^Qc`01CT!&K!s76U zZyoH>sR}>d;Jg`ek2z4sKMuU4h9YPi_E?ryKUhW4Mn0>X0&~(vJJ|CPp;u$ZT!Bf& z)qtD4r4Hm7=I9ONE?u#~UR0~+ZXQ4Tuj%>6W<8wHm)rl1R6y)`xNui&=rK< zqxCUtjMxOFhZ%uBbVo|6=d0hvGJP_Ucx`RM>5~6Lf_Fr;g5htBrGy{X~~ehO`*@; zcioAfmaw2SD{N}(ih8Li{u!O+@R1+=EUOgF#ZJF^hwOxjCMilz`Vf@Mgwrl2i?b+;X413b5H94RZsxkkT1h3rX#8D z?ZwqWceY=3%wU{%@@qhE1+J@R*l-*nwY1JBwcw4xnr;IWa5{r^Rq6XFMT`funF5ge zsbxyAd;}K$Ty$tM>1#i=i1P+_aNaM|QyThcrF|FBI5y?Rr%n;2t*ZL-#XS{PocR@Q z8~85s!95byg`X&&H*?l3hgI5zW+C~KA~Fr3AreIx zzOq=*M zzbBu+Z=BuoP4d*XwSRu(R@36nr)xz zQW{G+yj`LCVn^UpqyuD#Z5lD0;Oc~Ok?88uzdz&EmbuW4)?J1v{>uNGrK)51bx4Ns zr2^7884+=z)TLS$3s9}9J=oY?w(HM`4TZjEYw}gm-p>D8Mni78Uv%}4>Sw*jdP%9t z2?W-pA{5&{jaNoXr?V_Gx7N!+lcb4y%nzP-|C%ut@b4>x8iM?UrAYDI0WXLeyXAR< z?us+U;yCY(U@}XdgtoHn=P|70V1u9@>n<{#r=<289zM?6G@n8TR)&MbNOoT1;nks}-Q6R#=?iu9K4;667YpbOhCwmtg}9vrCWQUco`=5%j0HDMlw ze{g%>gSiczU}C9`dE546Q*cJowMr%=;jWd*l=9#5_4^MV0G&%{zxt;Z<7y}tiwzAU@2{->}hte8;4=xz{+? 
zvlYGmI%j9z?KN&m$_JZatM~u&R9n|(esI=rw_&SIR`ahW`?%Z$9jC{nr*UMy!PelZ zUin28Te?vEepl&M@SZu$?i(9z4_1pC2l(ijQgw!-*O{IxEiAfNmeJb_+$m5T)3USz z$G&73^Iidac6%AzNyJv(#N;(bSG=vvfg#>YK$rOP-j2KF=4{P>o)EyY^G~&6}m3syk!fTET_ynva0r#N(4PiZC%~ z`Lix#F~c`$)>xsQZkGRY7(VX%_wUbjJFrEXZ4JE-rV2v_501Gav%n{{r}okW(!yTP%E~a#=;g1Z=O@k+gPDL! zkt(&_LWd$MKx*LFhi6EQynvDlOq5~#mRY{I;a7XkRqT$I=?s&V_*DqiIX5k#QD*-% zZ>VAsv#ssyAU{W+3kq|rxB&F#`^axxZ8pDL-$nPFK9cgpRrN3gduySH^T|&+*!Rn-}+=v^fo`&!5bg4i@M#yQ3Y>gd8zj z=Tv~DC?Xz&Gzx}@$%BWVcR80 zaKu~xQEBSDCQ^WsZ4&WsU}fzs(T02rbY_YE+c$5>*6y-=wK)1Kbq)c+sDqHPru+Nf zXfr3>iV`|*CVw3du!cOld1EVSZUOnKHu|PrgKbC(*Z1B%-}v` zXdC;fo%Rk5h~B6D@vg?Fh;*_Chkb6jCzkc-JZo#G@NkU+Xb6lb&^Rt#LM5}(Qu;bS zUN{iFUa}?RG=+x(`*#~)^qeYXR01}GfH!5~EC{&Zq1Cnl>bt-y+0E+pdCw05rL;Dbc!Sx$L&qoKhKf22*b88-3sUiEYv_UPPwQSv_61u{Bsig9RMR5*>p z$pT@5TK6Y8Os<>1p9hLhJbC=kp^`Jx6^=}g@x~m=i=GKQOoZG`$)zsrkO53GGgTk0@KnQ6ns5E}S@1J&aT-7P8%X7cphtzk0ZRq``zhMAb+jA&{gkQy2 z^;#q~w=r&H}UD)Vu z`rZAW-~fqrD2SL?9!4sd%qjiUN&flc{SFg$cuRdJ#7C~7mzkd19aK-xB^sGu?>(YH z$BL7&=bgT(_S=6CWukl@2H|1y9$ZQU*;g)?D{x9hKK9V;Yth?x@02)Bq8oC+GY*4PBGYu&{8$!LjztZIVPJSMQn9b^7f_CDl-%^oMsZMVcy_v*O2V zz&`TIb6 z`r{p(_l90lv99Jm;-W{7K4X?bL!q5Lz|=pG>2hyl*t_K1xw3u z{nimtOQ|T4d9V+sT(Fypc;Xda6Yy8ti3y37)6PfQP3Al!*{oh`$MAfF-%FjXS(URb zr}j_pykt%{OW0IP=m{_R(>!kV^~aD{^zY@NhO(Thsr{>ctB2Cm2tqrg<{{Rm&KH(T z=|^?jZuU^WoWjlm)vaO%(ox)SV0*7F{ounrlR#vQk@Tf!QTsChpC~6buZH*=n;09v zVp{P(D0styWQOmD^*w3SsBU$uHDxC!S+j+bDGe=K*v8_V)?Lpc z6ztV?{zP?Q(HDcz`A1`wb3}$jeltal`RdzlFqksO7|sTiGlg$Wd5+=2Z?B`1ZWQdG z`faeWzlh_I|JC!s8xI;HWkp5%0WLN-Z>1c@M^M$!aR70<4VruJGb55LV4PF?b}hUpR>9JRCpq-hNWeA-Go>~!8rL%SjNSR za$AA=zrc~0wACapj}Jp8F*30Gs5<3HMJ1&)76eVNpV@8MGD%XTsVr$cP%mO$sb2NB zPA}HK@d`YqQnEU*{ARw5<$kLKoM!@Wr9r_OadgAmwqDrI7%M+bl7?2(9Fb5eTm5%e zP43J7nVF)IlKaro7FvWRUPuCq>!3g3RJrEr(zJ%v-2k$|>pa?@`tRMsmRjtQ>#w@6 zK9LE2OOMW(Qmv$z%jdaB%7QKzXwYe$-i6~(OFx8fsEC+qi*B#D?@0NXyNBv z*RQsEhFF%~%-`Q1t}EU|f|Cs>BTO4z`7!~$AFOhq2DF8JR9ag-H$Tp)zBgRU;%|w= z0mpupGo6i^HKwZT@tJ)^O^_4$`FXG2rcI3T9`0|M;ju6KuDQCQDvRax^i~T6yZ6T_ 
zTGyieG)2MJh{rr{a?@6T{le9*?M*fWaSV@%X;`Ii{_Tk92$Eb&bVw zKk|&~ZFF>h+}4d)-8FxFM2hX!f5)5ya~54F=P&dRl|Be_XCG;(9j|=P^qDkPKH$fh z)UnSqd%SOX>ZDTB{Cwhug*SeGzSE@_$$%Xh30xc*vkoLYx>K`J%lEeBYMty?k@^;) zFG#TkwTE6YaQRDw|EMs3Lv$|1&633jmjesGf-5p zZ>_{p>>5HAD}N55YOrfcp+lFwcLhNQt-XWO9v-b6H^ulGOcO@veO(MVZ(B?mXE=;Shh~7`SHuB(@%Lkx5CzO8#8^yM0w>g3+$Q6CM zYHwTdk1QJ(ss_A(Y120Q`u-W+oYk2rzv$QB!HH6r)vncZ%s`AQzBnn{njqS*siEP1!zlVf0&A zxxn2XTdz3TXsmqR3B&br@hhc7)dqqqFB;5jJ7BFg%|Y*JLxpX1aq+;hP88ydC3JLn zx#LijYk!*uVa?S_cy25nT0fKx)7AazS?po6f)yW~f9sdmnDCK}HEFnIj!&*{2rpS7t?6 zIKeVe6JI6Sj2}M%MucHRZQ|YN>O2GveZ^V^9dg0(L)zF zV%W2lI4x{xfrLiMM8TTgSC*T#+ObW132DBQv&`wtkfc0vhn4$c*6YA*UwqYlr| zmLXQ_fs5YKnRE_SjxoQP$++5n6>m7_xXA5joba7iC@EHa+yXp0Xc*I)Z znMQlJ*rUtt7ex5u(O%)K@A7HyXe8#y#Bl^Tc|&WhlzNwd{i5R{RXNjl)wk9xzLb{H zw^EJVsFkV)zKUu_F7CExrUicYF;%p$nU?Hc6?R~7rzVm8IFYf)UpDvFp+n5m*S#GL z-)ljqga}*y*!P||@yeBXs0J2Z#E9`}dHIq73JEEb{-rQuKI-D3R_}FR|@$TJf^tWr>j*BZf*gIm`;t=i)BdP7(b z`NeCu)*aILfPV$s-F$^)qr+`I-M!@XLR=#2yslY({S(n*Z#>W5z8Y=iQUh#1(BSel zXMWc-D_Y35pSvG!*0ca6@FF^xoodOa7KkOsO|}_pUvu6h*}bpc`{o^4;lJ1$QSJ_& zy8lAfB9s{l+JJ4>U-_Od{%EYTZuf{8Sp3&@)8IXVh?Xx~15)J#-DaU=V@*w}$D7GP z>ViQgO9@Dqj3Iukn2c{Sp!2m<)rE+U^&g*v%YX#GA1z}DwSCg0?45xyj^_NfBPH{~ zLVS*KD1{)iYEDa)Ri0pd$I&G8Wy|_EkD~pmp7^5B{Pp|w@`A#wcDH+};H3Q0H9Ngd z2C_T=Hq?%uW1HF|@cj|A{^)~T75xf>-oI0n@?=-QjCXs>2hGXkK>;l% zpcTQq7Oh-%b?K;6#iu52TuUPuIqu-$ZGl@5g1}Vbs$*nXZ??B^*tJSnakicN zmiApb_I-E{wdDI1HC^4)4NJXU?&u8LY@`!EY1VHwE5{4_tvse)Ey+?*E4(qwO}{GG zB2MsD(>(9GCXK%8EpIR+EUH7?j3nJ)df4&qm3SH0hNVgczJEdZ9T4pw7G1~&1SRC* zc8OR^gs`|O;FNx*w1GHSi$P(?NVtE;Rjj!!21Lz>i80maxgQCS^20mgefc$Jqw}rQ zzLt1WY4U3(7#diT{z%6n^Bb*>w3Xi{wdTwV0ocCTKP$7%19g6k`XmXr<<;em7Ats-IV+DrO)=X)+Y zQ|kY(ZT#K4an||}aNVx{fudi5Cao@RS)btD2Zfz)+MbNg$4vOJxjX2siPbq;r|w6r4{7H3L-{(Lm{#cC%ZOb9a6Bgg6MH&>r0 zc7a-yn`;`XVG-)%?Y(_Yl%~T&rKwAT%^9)6#uap~5+XZcMe-+CqDSo-2keS-4Ywdab!G{Ve5Z^39`B2OY$49GrTh_3aSbEPSCm`8I zd$+j+nJJ@YImcUc^6=i{WL{`=X}sU8CkIR`P1AZIVuuHfm~-pfCrqXBt~Q@z7wEX6 
zB<-3K(PM+u(~0<7vXce7by<9^OtNfy_I)Qf0{5B7;l&+1cu=^Ckp|XeUi)4;R}rAsWil^8SIdN!-H`~%9xSkP2+LUd;^D^%muQEho**Dx zY>(m9@!HQTHf(5Rk%q$PSYe#jMPM1=v$3Q5(bx;$LX=xt8kh~DC1A9&Tek)c6Ta~O zEwn-_+K_L27<%A=f;fyG#@Kc&%r~QI*(>^d-+-@5s>s>#La@IGBfT0 zg|nz=XYFh{>Pk1ck+AROnA?$?<8VfCxm5r-<@b)n0tcBUryw~ zngRMr>^RG@s=?TF|KA>upJce-%RaiEi)G=S`#o(=@6NC3vBQ1E$xTK&!4>wm?t<4? z7hX>4yN>*ggo`H)4n*w@t?F!0mHe!thxMCxQu7zwikp>t>8ZrjdHjN;Z?J=7_O^2# zd$O~{p@=TZI#Rz|13UciVuubGA2mjPh^)lgEyvq;WR=zRjCPk2oVCzF;#s>adozGC zA1^7Q5wp`Ft6+mJ65(ovID-r+o>LSBT6^Y?ILdwp!D)Fpd(8829^;PLedNKuwxmNt z;u3k&=fixqg|O!AwzjSMDNoEAZRc+Yfj~_6Yns_@%D3`|9`kPFiN}Y7hb9{~LL7d6 zEgWsDdCyrD(Hf+zAX?4NX?x(P(DVzJ2dz215BSAN=0S}DU{Cg)=;60AF7tw<%n(&W zEgeMMF_g~vU1*osFvCs5v?o{G03e8PfKvFhs`#Kn8tR^H?KiCxk}h71)tU+UkTlKH za}Q}0yzyWpfp**9&X93wLm5wbl1%5%-ezXrZ~Rh@7dAC)af z_xVc4m|>DDmLI93gDcK3!M|@>lJx?myNK?hqpLn2#t=}@^Q=@&hw>vRdFo%_Bf;v1 zZtpj`-yUjeHz3%ttw5Q~nyBsfZ^5x&HMsogQv^zXS&@<7F$*h8% zXxR$B?t?M|v2Y@fTl>Gi&})w$KHO>2d)C5Hpz#9-o*Mtkw+22V!}UH=v#|!y-tR1* zXNTt(|7A)-Irv;l%d_Ps{y&rP7vpCzuKBTZBcYV>TaeE~!NA%7BZ5 zP_-aK{KNN~4VmS>dgxjF0(LoDCyg8l&>}2L^W4@N^^#&ZXB)5-znc6b4#$~Ca^0N| z&q!lUMmBcbxbm$5Babo_<|&w%-}_c`wj-f;Nrh~pG%u)$LL%6T@cYqa-}hbHO*NQD zOkPzS19Kl<@~LhACOnSnBcBIoeFH^3uS#%B7mJg>4VT%p);4yo7F`h6kA3ZkPp4h4 zU$R=gWg_oR~L=)uVRK<_*Ke-{fSQBRoZh1GbYH+Q+TR(pr>fgso51 z>~{N3YF*NCS{(K}Ba45=N}f`(-hA=# zw}UZ}&!!=(-@pFMHUZPdpSJh3lPXlY{HlI=b4ylyye6Dr9i0P6NCDZ2p)xS|39XeF z9M*&^n^@dY;^w=SJ!1sPAq>qrfgLHt*>h#=G1*I}A5JGdx^2qOb>9|8OMeruzuhvk zpF>!W@yjQKwRF_qRflo7_!f zx1RB@E?QhGa3tq}mCe(J3dGqs^pA%Dp{*B^Hvyg~BM0EYV8Lv&Z0z@t4)X^N#4VRz z0#6$}i&$?Hi_oV1S!R8UB;avs8R(%ak5YSkHy8emfj#0RCyXZm6w9(Ow95w!1udfpX z*K4@JyjXyfhtR+@EFxx0kDWUiD-w{;4EL(wnxEY6EK-+Nq;v$%i~H_}3ZCOty9f7Y z?&_MF8j2yBZ^%A32^8V*u{LyGwQADvg5{ewwedOOj>!1MI&F;ncFi&0C25(-5??st zOsUP{#VFA*#gN;HiE7;ZLOWAfDGNu$X~CDIvkKJ^j?uI3ZqUC0RaeqD(+ZzsoKk3QN0a7 z6U{#g-&=_zty`{)lYtY8NH>RL1!7R_uc?+lu>IQ1ILK>Z%X9!0P)KbKJ~k<;h>BZ< zk=LfxBtzq%#ho!D^vUY0@CB%QXcoCUug+hxt36j7a985*uR!B1Ze=msB~=ZQ<0LnH 
zmQw2c&MSG#L@jNp4bdj^lv?n)fq)Uii57NwRf|+3rT@zca>#RgYClSYQ+QVKf_tw#d^9{BRJojd;QY|)a6+->7$M>gy?ac#N2JG4qmWn`WhB?ibF zOGwLoxFD#hsK^lKzSYj}O+$kbH^1L3!Te-bPOydr?r33##d<}@XQvlzBLj0~LhUn# zVL{-AgQVr7AHId$*a8BKqfz>(t;gR=vVg{P0^sogMRELu$ZCsq|^_E_`cb0E= z2#C$i_A^x%Nlz(T=c%?ML~_`$n1w+h3P~;h?ur8(Of@A{r4J00`I0SjcE0`M%bh|s z;Ekcx5mfQ4`_jjq93y|^*!HOLQKe(^L?$NHHIg%WzQ|F~>uX=D7M(9Sbg1b$$?@xg z(mnO2rVUq`O5XZ`zT;?y{HQFLtAU##Pp=>7#;TVUF--H#3xS+yav({=%)pLVBnm57 zIDh_E9xT+Hqrl{`E@IT(;N`^|kH8EeUvTj4AyHG+74aS^bWGtvdQImd6C3zrwgyh6x8%94p5Xe94S2`BeV8kE1fbVpyxUHd;5V9mWHB+W+?@%%0 z#ufRZ=WcV2o+yApZBc^loLpK`!pL;&n94)BOXaKK#IDop>u}No<1AduvBq6-<+)or z$}3+ps}@;!Z$d7HyGb#_Rh&oJrW(^zw_~-xAGf816y9WBvxW8#(e( zditYO>x4Mh$imvn^xN))ISQg6_S_xT9Q)^-Ix&9X;vr{jyV3Km2Pe)E-;yH)Bg*LfH?W&L+f2n0kHoUsc&>86I~V**VNMMU&b zR1}Fw3WhaQ0|OfB3gIoQb$0$lGxaE9ECm7LT(^Gu@=pT-zlLdCn12DLps9Kj%A*-G z3}|{7T0gZ&nIQ~Isc;L`coR>aPEgkr`8-^DT^8d(u^twcl$jbkE@+3?aA2bbTYLS+ zjhMT*=}*+r`AiL>D@M2wuXPcS9Ef%DY4Wd{IYMj~bR+f^*Au2Q`PpS;g5Wh=;& z1n-esKT#krPFl)1xE_)uL;IS@)$X^GktoK+#;!nO#+;Yx?hIvDBtlv@fy*HEi(h8Y zt3;W;-*=U*z6y^Rl!HntwX)O0f5d%O4_8dz;SgZ=`o`|5q3s0|r-qtdkUF@tv+=}6 z_3Az%)|f&>JDjm1BHJbmmG_%}sZ(bEBC%=G*0&x;k{jd>OtnGvOU3Z6dsxA|2;~lu zlfEC>D+1+eP0f7cGy-eKVR zry;c%i`+T$o=hLOWk*fs&Y%C7)dsj*l~tqBfMTyCDeGtc!K>bHIIyH3IDd;r$LD#HAwyfaN^@4Glv#3x zc2vW{4?c#G@pOJIV=UphtT%iKxQ@*?JRe6%%Rk#7A7QWD`0Ll^rq@dT@_BeTrar4c zG{iuKPPXb!+C6atb%9x&lK@(yG__Q)`|+{d(R(7EJ`=m>tMqHW9aQ7%=%_K`Q;16l zCO}T9QzlPlG`^?r1i@W<7epq8;f5=DBYZA_| zD7pFd!AR^u^Tdex_pDGww4PsD>REnqQPZ?FE-qMdDw!#=4$1f26C1PYJ=QSX*L=i5 z>ZqCe1hcQPm@$KP1ovwJ@e=HeE9Mu6@jjgHPWHj^StDDTM z(T5H-5g>wcQ9^{ZR_LKa_Ny%Rg$J%sP!(6hYvb=EfigPY=;%<0jQ_K9&d}xwB)+Cw zxBW1#pGgFsvHZHW+Q3PyI&#Ft#C5Bg#MrP<6`p2ohvSQ}1Tsn1qe;cvD>pOm^QlDn z+svIyxRI17V5h(%L&MXSDdYv5DPJuR?JmfRJUl%GD%h~DKPIP*Wa!8Ld(|p3x}0Gz z?{XTuc!=T#iQwBr^C_vQpd;b7A8_!8n*0bz+&p{6<#UjChwJ=T*|4}Sau+uf@`*XC z%?2L^jk{40LY55`WWt1N1@+u=segJ|A6lDUAqd*@zkY<(1Wu7(s0Md$^pcc2e}?)0 zhZSa}-Q6OyG9O@XB#YQd@ifrKS8YCeM@Mg7NAf}CFwI`L+}x^ZcI!E5heNL8VE4D) 
zPa69Dsc<=Z7=G1nnC*e}HY=LJ`+hRYI+&^BMrEJNn&+XHMu#2+B%|=b144RKG1w(s z)ECF9cjxxIOk|tMclo08;k60l;!kI(*uMb|&)J;wdH}jXBH&4$d$Hf#wEDoL@8jOj zuDzg*SvJxHrKxNOapLsb3(Zz>R~;zUf7iZFF)vdDL>al3d(; zXjEuAlU_KwmmeG>@At^>8ngs*#EveuqrFW|tEcid{0;7xP%qq1SM*u?e< zbXia>-}}*$My%vZ<)zGWk0^@0o`YysD(;EJl8qr;w$P=@_JscF{EZ+5DTmDyFk;i*^UAli%qc=K2s=E)}*3yFAKS+mgk5t}fE_#0~)p@lspci3~y% zmgnaEw_QkN)MlnI+fu6cvLVRug!=7mH3oM0EX7~ICQc-ZDzbw^jaw7uwr)}W0|JwK zYgjN(;$jNm^l0Iij0Hh822n*6-D3Uu;*ysI1znu}CT|TjQaFeMwrT+vR&Tkx!g6@c8g|a74mQ7l@Z;<| zo#P4-pm%(%8NMcJ`R={P1)3UlahW?Q6+3|0JQ9e7i5K%7F?=!lG<=hcR zxw_9K4Zf4e4MN}II&gibLE<#?y+;RCl8YV(^*)QX5P#-Q^-4^JeE>_f1YAyfP z^#Cn_#o5MD_qXA{$0OW0{p6z^P|VWZqq5^%p8afV+d{TZYq;bs07&_yv`i>{RnaXmhFyr9hrLZ`5rhP*bZ^l z1!qlx1Mojf#-atbBmc4iCmA0_Rbxg?`J!bFSNb0iCObs4fX_R|1-t3gI`q*AZH*2Pcs*md} z68-ciW959Jl=a&C$u`xGht9Q;oj*TdyQHb#zSdlpwJiOJgV?h6@~w>y{Fug3Gn_?v z$v8fe8r&~ku%9Pa;^fI!1zy|EFTBX_iw}FfwP`=$LoWtw_)s~HF0N8z$?*TL$9?ci zPmKl;`YlEz6OB5$HZ>4pf5&)%0O~qpiGaf9Fe=VhXZviHQg5*+nFpp%Jrf zTg)@bkzw)`@}pO z?=8}tqpElRKsNX?;dAoR-9u{Ly?c`07BWWO zMb9)YWyHfM2hp*v_8ZKOe%xKy$7sOZgie;*uNyWM46`pDP?EK=>S9mc)TL(JTKF8; zKTQ1}tYF?%tjYYU8#()Ii+c|#cfClrx1Egf;{&9U&r7_lTLnc8zkG^^^!8gb2YQ;H z3o7iaD!tSu=a#2^%g0CC)VTm-KGeCl)OVe&x`7H!5rLk6?^o}{ocBM2yQxpC8sWS? zdw~1^dE<69MJeoz4=pO;o|WFukLlI{}nxr_V69zELIrZ4G3*&E$`?Hmgsk_>X- z3WiXwI;iObSrPnS?Z{2~Z@|Inis_zJbxwAmmbE$U)AJa~eI#^<$bHypwAPPm9#pH7bo=wvSuBTF2W z4|JtQzb_TGgSiJ!TPL8X7qlUCzBLABipzAKQ7uqocMh{jDF65ERQnBReN+foKwVV# ze_f1zln!A21wL-3@1&1Q*K5;dk^^}#KP=bnh|mDK9Me*IfJTi%74_uaEwO2t&wtTe zVDw$^*x?c-y;fe`c(cz72fs1Pt7NmbcgmHBQ4P@6+4!dZ)WImDikn}tkSo&*c1Sw$ zZ-dfvk&%SGoTx>lvHsGfL5k^bX%jI}P`3!Zy8@@a6<3h5`uhHa%LtmgW3ofn*0KI8 zjLN+wHJ1qRoRd=>&A;8lv}n{?6&dRWT7;r8{l5p^*Ee%pTkSdgOwNw;jBekl?h!Y? 
zR|i(N-aMkt#xeZp(N%(#M(ZxCa|!3q zqp@U{Fo(okqC#PSFeM^gwYz-E!1HZb>;%f+%@}5 zpEwv+17EM^cidj1?XSp^v|JT_@vYZ{r{jnA-2K1h{}L@F?6IC})=%+~@DS}2{gKP< zEIPSi$!PPcv$_2P{rhR*k3Y*XwP80%=+{TaF!J=;z6cj#ub1*Mw!8f??Bp| zHjR{4v{P|0F(Q#*3$`f18W$F`?b4{Jp4-Y4AB9#2I?womvVehxhW4j|U<-rl)UvF@ z$P8$SmN4eV`(4i4W6wis;1&RRIA6Y6Eua3_-rnBLEzx|inZ;m3MSj_{1)6aeT_VRs z%!txfqop?-HY^{1_qTU;GdiN&f_!kUjK6ZuBK|%k#hdp_=y|JoOaA3*Yrgy`JtQ0@&GwD}$YY$g)iy=B82*B-l^Pp%E$+O;C`yUKR|_qrxH{?@<0B2jKl;IKK9hKCIwtMP8Tf^qVz zbDc|dgc)x?1}_|W zB3-+F@r}01z!p~Z+X>cSrv}i96ZPIFBrjt8x&a}1(0n)Jdp30*)1_}m*3djqHu)?zgh^*%;RrZ99_gcBxb z1nfFcgqlW(ktSq`hQ~;uhKL(C=w>L~@NM+Pwyp8ymL1WkN(3f-*(FH_RVTf^1csMz z=aNbEz;UzOMxs*<)cXB&dyb;vZ^5urHy|HqD<@cHL_^8H$qqeK!#1aSkHhf-M`VYS z2`IqZ`_#+=ktomaI~B2l4C5c0|oK25LX^O}5bD4&ez=(vlZwvd3q zbMO;{Cw=Wp;-Uz~y21cMJ>ph~W%9=x47Z%ddWWAc)CHUjj?N<`P5#QVbHzY2T6-et z#ps$FMp^ky?~u;%5Bm7fGdJ_b7uWB-`xb62PfuKYyrF@?jr+e7z(#wir<*enWzHqhJq3HE>4=t|gjJf_GOa;=@_0`p5c%^k2UwMNCYnh+xFoHxo4;F3m zA-ZVA6~t#xP%xu+2UoxJpDjQI$5HT2EGddompxum^=eYOB)_gn@v!- z!ueK}?mf<}8{bxy=DL9VPqrBNz!GcMp_wyAgUk&EZ-5=!*TG**ghC!39vl)v^b`ME zruUzW=qz^$rAUf}yOSCf8rGa4BYntg(Lj-=u_gSRc1GHTgpR z!J&eS#x14`9BmTo0Hg`P+E2I5F8W45mZ@w%)_Mr2Se1}(xHQR_K7dn^zpqbOir@}0 z06#~#%QQ>dZ$S%t`oA}nAPd6k>51TZu`TbWDptoPszZ)m_wL;?tQ=YT(16o4$%qbV zw6Q)PVBo=%?Nb^%)n(4*mRyxK3<`a~PGP=4_n_D3APH$BY7gcuUw$eqY~{b*@W5u5 zzINMQvU5Q2EDl%hG=SvniIsLdFaD)QY1<0^h%%tJDJ9@PDDVc*69e&5Ek7sp&Of zfYrQ(=uo+n-pqj4%_?75$z$yvtHs&HOObaUW)<{KS=THE}!c?dOFwEcCUcVp1*VnyD}~ahH$5E&x?!K(P>xb z^cV^FBxRNsJF za!&vsg?-DrcW!vmB`42~n;$*Fdz!ZL!9HU(b#))VdOT?9-uV|Qubi1A?fHVm4i7MI zE3`su!$Y6|yq@_Nj>KxgY8tsRvB$0h+=`%czydJ87a31~E(fb-;RsK)4EfcoRO4^n z#7rQ{QWqy2)=BQLEXV;9{PAf(!F_Q7xCWhI=VZKWj&(>BZ z1L6k*7lspp^EU{E;N;4=M*gW_{L>!zN@?o)ls&b@As{>6nDa7lRw1^ed1JdIEV1y2 zFjIL-d50?)so-?Q2Bf|?y{Ez{X!^PLKdKyJPB><_nPbz+U%VA!b;GFcL>GSF{1;xq zh!G=vjqJF~!!EwaRwqUbV-O))i(UfmCEmS)dceeB*X)MC>u zZ&?PZYyy^ZA$cT{wSND;V|gF>V1a2uuhcYirE1;Y(KkK3yaa8h)w#ll4;x-)Wta~Z z%!hf?1gl;S8>ZlZm>343BSG@)i9av;3zpXR?g@OEklLOP<8}YYq?|aV?7L`66c5jL 
zxN%U!{{J-S*x%0V@AxN|QPQ>oZVC^KM4 z*eltvQ|9e&4VpNtodp3-8VOeC{P^_vgpbawrKX@nPv&FiRl$L+5Xyt}O=F_DUX@>3 z^o87T8;HxqJckuDyxb^t`w>};jg9W>hX0e$k0N~G7e923Uf)drLii>HceqJu+`5N+ zQ=45O_`7{CosM})VJ%s1a5B)9_A0-X@{VH+$z_-G2_5ko3t{)GTXYb#^4o?9cO|6#QqPzH(~R6|Inb;&p*6}GH7%A zA|T@lp`rvPcfvy#`gjFTAEI6e{(^FhAE5H5&7b81c2OZacI+E4$q;ghhQ-dwS75UU z_8$XHUh()E8o@BwwRdl?-R2lM0F}^jYAeH6TQK6Nrlw|P))(0w(GZfUiYT^F9`QOF zy;XLp%XZM{bcD>$LyGXbv=)zrTD-!EhT(9yNF6s zo#$j~PA-Gkh7yi_#%DJagxhb4W{rEERn|WW%nAbC82Mg3drFvq6hn%1O0D4Yz;o21 zR86hBGsaY4l310EIXIc3i-)iFw{7fdEy6U}L-V9o;bjHiei*nT=2rbKWnSIJk_zWT zy}kk$2tx87#hVxH{pJ3QmtSZ$e1f5}mDTNi`~G2*X*i(^?;4wKHY%7fvH!08b$>`? zJcKjugxT}fF&96Z@ zrn-Nc%Lo#Az58SXeY3_DiR|$GpejGN?bUb~eF~l!teDZByS>P4=62yxVmJP!^6E%Y z0E*)Q!$}NQQBopemTmWY+Rf{knWlMJSFZH9E;m*lbJ&g4CPt&&z(<9J6OmUj#bRJW z@vZRkyY;Qis2|&?*IRx>*AA01!;6QntAC~#pK5<hCc9C8ocFir(h9; zghWO6u$%o*L5LhyP*CvO`|UQ>A&ZC-MDpAI)C@$PJoz-|3Zjk9F-Z}o(a2Elthhp? z#Dvy&Q{$QK;^U?7jm1hnRD;M9D((*<(=F4Z)202mm#+Wv>TlbV95)kMv7107Uf29N z?M^il@byIoja4J1eP&!wO?jRrN-i!*t;&5$mr6<8N_N;jV#LK8*^_vi{C<6(5LSRZ ze3I*9n=_?PB9*bUwa_)mDM`QQO{9Ul`>2EYUAuI-qC3Soq3$mcw(`=!4w#2@&8*vR zs@Ewpx}`B&Oenc`-s^}*<7ul>qTf-~=`P1a$EkmqD6%D$FhX=h3H#Ff< zA)o-*rLpH`6gK@bDB3E-!6rX)p^fB$nx;J|FSZKth3uD6N8*2dot=SN{@oSL=->(O z+WB^zp&}hDwD@%Egsd&UKVMkj%$y~%uS$RE_hW$D)n1*XMQ5znxQ%?y6D$-<;@}!z zW{p=@&y9>HDL!wZ10S%^PCs~%;_j@t>p(}=mv%)+zUq)J*hIN6uB1ioV z<{-bJl~DuK=&ucq&b$ip50`-3z@VPqf#g#+ykrFH9BK^s3(*@yCG>}<0m4qPnPX)I z%i=1$=WNzXdI}byWPzV4OzG> z?=}s6;84jotJmXSiJ1k+q1K-39qZRxj+#8HNn{fo_awp)J9k+l*R9)2bjFN^iAMEM z`*L%z0*eqAhI^R2Dt?mJjsPOXagQZiR5X|7f$k!G)wPu-fPBw3#$gJR@y3~f~9 z>wcs2S!J|FFOtd#!IyWbBBNe*$IDxuFB(=o31s(%u`PYfdLN&L$8mc%UCY3$4X)AH zh}o*aW90K{y@X~05;u1wZ{r~B8;hJ?XZwu@&$)HWfyNVH@QT~h!orbIhe~41)Vk*v z6@hz?Bd*Z^vIF( z3r7U019dW9@(nmqvOw2`_C#a~M#D7RLF!m4hHEbgJ%0Q>Mt1ez5T!y{ujOrrw~%Db z6}PA7TAnwoG6Cb`C!d~SX?Zn6d-Py`;~X&LgWEoL7^Jwa`%pQ$Zu}V(2O@PE0K{o- z`u+0o*S84WF^F)=J+VecMs{in>TL1yQ=MxJbPglB-pv$c)Kz|pg4%KZ*+x4dzL(O} 
zsM$rn8^bgzuCCEIu(DW9LNG=#KJ|q#t-lRvs5Z`=S(&r-FAw#@wt0%9b-8wc>zc03 zDbqVp!#f6Q3~wCog(T-U;`CG;Lr>2&U8mSRL^44K{hmpP<54|J=wk`#=}(J_M!|{w zYug_sox!HBjv(TKRpYE#I0*_NZLh|T9x>tPHN5 zsIGiX2TS?zi4#V|HFF`Rw^SyvDZR4dE-y{GyILmP*VZqVX>^k?+Cw$Q_3b9I$M%R9 zp}z*17tF4YK89-f`=_1ZqrsODaGB8%^H)2&lNfPs-D)ht^RVTsn!PAc8mw7l&TFm;XAo}RK&jqQhpj~pc-$T&|9wazMMwW(rVUB(F+zX)MMb~6$?rBn=fPrq6|38OA{XLtd^L_69HnDqCq%JL`W<@+g*$Ohb>j5H6)tE!rayi`L2lPc(# zjnL^?lDchh!uO5QS5So_uL<6{^Dq%rQu4pA(LB*x^a+m8cV7x-gfc=9|6E)4in|FU0$F_ujn(#!ROq0LOW%UA}mcj`|}& zWR0IOv&AGt31I)3%RWQC0h2`Afz`^v2L-GwYzar=LmC!VK$p=VuoZp|{C`Bf30RNo z+W*}mBvDAxBqS{vLNYW7A%qMWqCuo+kfBl$Aru)CB~e0BX;w){5|XJ&8VJ#(q>`fd zb6d~;zmDhF$FtVnYtip_-`91X-x1OCI$%hnQ;VMr^tUQzcl$?VY2*)rk+-?HT(x`q z{m}V#6Ng2^IW)?jfjxk z&UnP>_K(QK^Y)xYcp6z$r%hWuI)EKp01>$Lx%Y&yxH~iAW)JV(x9_K|q{L3<#dat| z%|#!|dZ%dp$rQ-&nXn|L^I`C*VJV-4-q&W*c2;9TSb=!Hee>#QbqIecD=S+}xDx{X zoLQ@vk1l|#-Z?$wzU5Rpit!k8F#-Ek)z|kG;qKF=6yDGT#H2gSWDRLJB&Rb`tdZ$s zs61VYw+A~~xLr_~TF_O-hrp*hw{3&}_}jx+N&@^1)UzOT?$6D-il z-u|e+KUds=p*%`~XU~EIs|U=#{oqSwrSi#nX|CV6Jow@kh3Yv>Ja0MEnlbPn7FFO> z=Er*dt_PE783B4HZI|Ia+_QxiNEsf;Aw~1;d#BB=@BzN&4v4h^otiUo!ivRuR_aU!cp0>7+ z-$V}d>6gcmx(b>KB%b4>rMWo)te2FKLs`B1^#e1~uu|@3)!WcSh-GyhJf@F?e$nP6 zo{|?sWpkXdqLPTuAM4zsX=-YRl@AMPJa;`y7!y!ak^glzkBm^moSlpdg#{U{ssA=BY5|%1(G-sqtk;8gK3ozWtJ&pFo0nfwzZLlW~JwO=t4t zL3dvPY~B6&p-;ek+E9cJ?Mgm3fobw?gP7Sug0&7H2C9#7KHZA)6X1;CE$@vj3dA!h0A#- zgky1Y(p3M`DyXCzsr3bD_zbxtIM#J`(H)IotsI-yPtQO6!@+09Ffw1%u<}k%*EW#i zcjhA`F`dvSf#J(}V9oy%(qN z#6$_*GeuKV0?#Gju}zi{e+Tno=oNucPus!ZuqL{dFOHaVR$%@gut3gY&Ps>%PYo<) zf7u2$3GfFXiBG&>^JJa9D!FWTym?OSd7Pm_ud}AzQqrW&+T`4?MHOs5S6f=Xzj5|3 zoJ4nDpM}LURqaAijK1JiqoWKwEC$`gd=guk@9UzE`p;)7VTNAIHjdGv=2Nv?_*7kIGVPm z_s#8W%^YDmMA8$lHT}Nyoz-ufGhRG5ns*re+8ndNm+xte(eC)zTAx{(o~{LuXPNCg z=!Mmd0R8*UYf*%5m?$C)#N7F7GX1f15ugG6w&B|zGrvQJ%rv)^Balj>+BPrSNmo_YIN{%B}YARh}x+-^Ap??M)bU9TbzwTg&@t zJGR|cOiqe+d3)J3+BDjuXkUWblO<;|Hgyw?4{hqGN(~%pvGSy7sHpxoh8Vkfi=I#O zQ3GVs&8DE5+5&=u6Ns4 z34c9XYId|K78#3cuYry)*2d`C5;o6`vs?&2VN6A_V#WU&?&XVnBg5_;Ksv@|o}b0% 
zG=?cF@BLi}9E{mjSFg%hK@tU(n3%HQ%cY~Iwa}rowKLtanslvRl8bbn zU9ri|oqaP#xH;O{5#TTbMQfXqIg;(QYdtL_b00shbbpZy^Sbln#@2om^Dgr4-9LcvVr}N*+H`M#ID%cCU1`G|G5n-7`dF*+9y>_(?4vIHtf|`jy+;z zzleN$HkS6;Z%qG4$xvB_)4Ic?s& z?eGJg%72LX+4b?{TpDQzHob#56><*HDSd2i{E?f;vTSTrJ08gaQp(GFbS$Xl9b~mR zHBUvLxypY|CY~FNNH#0(U1tnQ-X(tfzeGzDLo`OzgmB9ogaCC>*J(EhspSP z)Gp1>Anc#(NPY5gmQZ;k{#SkLi=- zj@cxj5Slz?3i6U~obum){7{&%{s0ShPSo|l-s0kKlO5!ZUpM+#_tgu%RWC{aoQ7>5+n@)K`{y0Xz>?iJ-ibyJ|Lyq(CXSY0_ z5x7J;;-#ivc34O6i_Vmljvbh{UUp9GlpS|_7)YIbeB+WUdDh^wvHkpQ+ z@RwqJlq+58k^%rh{!;_gqqAN|QfJxsPcJmd#ZppK%y1~xN+@Ayxz7bg^? z6cm`%GSuzE5%%5wqR#B$)QD5Wq1XIulKl`ZA1nS{KLq%>y(5zJ^EkjC(XL3 z3+5Od9j)femS{Hf3>+0ops*?rk@WA+R6or5(M70#-gVxuiB+#*avI?5lm$)!>Wt6i#lJ6}&gUilVyxlUciZA6?h0 z9^beTv-#;(|;Ce zbA4_3#YeOA-MLez*bhmNhL8GoG9V=EI%D@3oO2w6GJYdTveW!8EojVt-&hdlh zZir`><@vsG1MrrcpfW925v&&@UGJPG^zI}jJlFr;(xRwoyQJC-?5Je1vyT;r9HKoA zXdYM)bGCx5-^Tai2P6g0s!f@kM;3U-4#H-o4L#@FwW$v7)@^y=9Vx`RT)6!~nsFAaUhST`;Qn?>73t$xbdC5AekHok*=tSE zhhVH2JLOkLhwDabidl#kWR+9G0-o`WCNB)rt_z%(iyFZHKdNt>AVH$3hM@^tbw-kg zgqtO07pxX41B~Vt?+>$`IrD+;o?y{#2Iz2s^Gc$YGcNO;Ff7bqcBWY8%&Ak~5qjNi zdL+*kAUqcOUVo7AQRPNT2+84El=i}_19B0mq&0D_$q(QyS)aagn%A38bIdFX)&ev( zRg;z(G)T}i3#=wA2|6Xw{E(NL(M7cw&Dktnzkf7Bqr&Jb+N+mq6QYuT1D-&rk=s3K z$`n_oAYMRwdc{g;xgmsizqdEIN6swz!RX$#i^=&t1G{pJS<0elQ^3(#jqe=DL0+h8 zcF4!=Kb)AFhbP*0UJo>XLAW1yqN2zAVK@DjBp)yn4%A8vf} zX2X_=U)PK|%hoJvFx`8@s8NRe_S?3{CMDWN*H!RP7RIcLS{nKJc}Rz{cQvp1sEcl4 zSFe7?qp%yvV04|XNWWvshxw}j-PPhwU+&H4V?}i0p3?^aSt3ghC#HvJJ~I!2O zDE5Bnd>rs=&=mRb(RKLLS@vM;dv^3Iw%a*74`TG2UIN*6- z?zLP>efXCFSt6a`y3@Te#WDZBwXyZu=l(Cb+7xqKc9=Yn-4#HeqZ$LIdftxG6~XjT_o%B zO`JN>7bPXBRfgn2@^sk-l>_y$B}|YYFzoK#i&wugCyE;2^@Ef!kIm1^6XJRqFZp=^ z(7Gs_;RxHD^p++g^jkxQ|C2@&BmM2JrKPDn`kl#w8b~ zGaJG6`>EuX`pJ2B+<&3z5S8&;qFKt}YPK_ZbWLuB<03Gk3LUNECmNkXN0j|GsiL&u z(>|K#V-EHBqvZ2mtK#_T<;#CPQU4ZMpyl?@7>m1|C+8}$E!IunH#tpn9%q`MeTt6e zl`Kp?-R<6307_(A;YGDh6}KElf%H>av<+bntKr?o2YpWb9<*wfnlwc^6-9Htm?i5# z72Xw_OD%}wyQ!_=e#&CWo@`+w#b!n<-R0&cWEHRiQE>|+hZ=zjzZ@nEX6%Kk%gETD 
zJEWDMcrXkbP8a(<9$@SA;xT{1hMJ8zd#Jkhdzl0u9Js%xaYAoe%EC$_3zE3_;m)M%}5M`EP{ z1FnYE!sW{kM7y+D%cfc9Tr|I9TCt_L=2Kbw*z64xi{88`x#GbQm7Lc3HllL%u-=j()kIu%Y z$oW>STC_+{G+%O%M3zrKW56oa!(BaZ$n+U9bf{mLZAw-%!sfN4IF*#_LWpmAQKV*R zBiX4SHi(H?ep>v>M5by=8^Up8G~vd#?9!^dK-4umJ<}vomS3!lN7<6|tBZfr=N?9k)>_LRPgL7i{6j6ZS3;mL^J2Ol6<>1rwZR32270rcbhG%)tu z!a}7F*&1(bHCuiSyknD)P0*~@>ISyJdF98-MO0(#uflA%fQ~1V@eSore-0Pr9Y#8&-Gm zpvRp9#p}|=ylF=k_7PK#%zkio zyWe3%Wy1-Bk621lD@_dS%{$)&5f$PNR09gk%W3ZZbtGd4S1kTs@s&xn$+2HS{0~YSmQFP+>&o4jatXC{f+cwHKjIZXUEm*hilz&C0ia!1+ ze)CY(&rFn=$SpA6(LOpNz(Bu>!ep^=dn+nifpU(^75ghv3>$jm<#=nNK1UMt1 zTy=Hw)A zWv1~(#)|8ATkZ`zS7QIGE@5Y~+JQcMGi;rTGXDHZr)k&lW$Au1E&anS`QBmIb2m8J z+SZk4g?fI^C0vU{g>M&bu6r3#S(2Ame{it5t)rt7t7gmoUiU7aR7nNQ<&VtVP8*@5 z>C72ZE~x>TSZIB}BM(NzS%1wS}d8<`wyx{eGA84VqUH8((?COD9 z?*b2D|E*eky!X34$8-Gr{l}=?J|FB+e|Bh7`@`GL;Taja+O6dYy^XtETl$VP!e}II zNby?H0lT1v$BTTeWDTV3gRow_*=%fRxUsF@k^@5XtjIxlc=NAOVaBXUpe%_($V-*lkuvW6qJHL4cEjl?`KI9Ip7G0RjM=KJ`?a}XgY1$91 z`KLB4SO9#A5w~isf{5fOX~U2U7w`_yANcM0`Q9R50{97kxbMzM@;oy8)yZ-G86Ta< zuLi+bvNuf4ze?0V?BL9p=ZP?Q!0su`ml~U7}{OxOH`WU^I_EyF+%k4kY@=}+izWv&S z&)T9^V`N_aHBU(63T^*Y+rsSMU+kxt_qn{Y0qTKzZSP*o88^dm1c!Pl8k~6X;u5FR zlboDBIdP2qPXoJ_MLCQx+VeX$2aLdq7hWs8u zih=DWdw*w+$h~qY(I&S0n`@HL4bFO?fxxkyOMK6t_Dv|(1pkivha;oR-QM?Toy)=n z0mONJ2gMSh(%I`tDF+8cS1@9(|Awfg`fkh$Q8LNmol1-7M7!(ObSiqyER)3O=-d`_m|^zG|A9tbRP0^tt(9U$Bf78S<(zSE@R0`h zxPaaA--_LhO{9H?OJuDYW7F#GS7L7<<&&}A@HKdd&CvB5KW$C!PwLw5jUjB{7#@Jv zxoYm-Ex$^&LzRJvCeUoHIp)$SXhPmFibh5X6%bB@XhcWX|9r^`!MwqYdG_47$Es%$ zWU)m2!cPd;iBA1wP|&Z+{Gq=v<8w?;4;eRX*uL7_?Up>d$CW~CqMj_(Q5rw~8!%M* zZKcBfx9nagKYP|(IC$YqlQUtDA3Rte)9cNC&_jvk*^lOw-dY~u=QpV+tJ}JRVQQg^ z8`}?Lge(u$^>86imG%!-g8<{5|GKfFAzLPY=vz_j&?4(zd#!n3;SO)!e8$j0#81DK z!PhQbsw7NZ)~Csho)v%vj11*XN=0wq64w3)+lOB0ajSDPl;Fk69r_?faZ9{FXJQ@Z%R$G3GhoCe;X&u_RayaTd&PQimhkmh66_2z1s!KPwn5#*Xa_!X7s;}fTJzv@| zD9=W|NB)`U)=8z&{tjtcb{rSlXIov$_I1ypZq{kB(xbbLtfX^Iq=PkpI2s$5oVp^~ zjmm&ovu1kt7j63S1NV_;p0e1dx|<66dlK(kUQ*j!dCzT&mZOTQ@aye{qw9W^e*I{)sC5YA$@xjw;tz^M-?u5< 
zQxoZRLEH6Y?Sy|`jL;1F3^rb)re8#?YFDh+3T9FOz5M1m!q7zeAjc!$gSbZ@ z1F1oS0?O{TzTsRjjY4M}8X6jqx+i_d9!j20sf?9*nzeOz|E-7fR=j@iAKE05wM4qW zIka^AhgX`sT^+s~<>T59nrm4;a(>rea{R^(8|ZAPfs|s9P3gj4-3IEeO=*MBJDMWH z#Kh0Z3-gntBr0I6v5Yg^A=zK|AG4dPG*sl?S(Lf(z=>PNdLe<1_3BZV|jIapYL^yR|BP3BRWWGvDNfF|_ znEKf+Hz&#EI5TQtg}fFKvHHAOYqOi4>C-{0VpJ%wUiyeL$t8Ezoh`E0;f3Zpg5ijyq3DrrZDCqI zouMV;7s0Z`85$j}J!rnjtpQoeUFr+AoWANl&AYO1@pssFA;8R`( z#QywZ+UKyhKfOFo)<^fF(H3H6_@({lNp*8c!b!@`GBQGH%gNyi=RQ+c--7go8aGh+ zAS40YI@8)^Y8x8v67&Z4%+kMISG}J^j`QUumT|?OEtV)tNgdc9vZkA)h~Z0!$<%El z1HPF{3e;qMJFK(3%pE`J> zmzP&ePCxeqN)^GaXOjm^zggdl+Ca#HdxT7tC2Ewlf5LV|fmIubG{vuDX@sQ$WBAF$ zloWPelmadFrA5TP6ZA^$0Ab{-v9^&LVAQzq^$v25fP)YuZrE_8B}rXj9Zx2w1eq}u zv=w~U6WKe9xBbSA8h#Ic911tZ#l+lLyOC8QA)Wg5IQg1*L7%tWoJ#X{(6VdK-;Qn@ z5SlN5kFoi?vmX=}ERKp*h^sHo9apF{^Ysq2#;aFPGcLXPe7o_nqz?Q0-S4UTR;3Mg z4Z!Ge@}$-2t7+1L8nTN-101mJo_qvK<_t#YL-56);~mB$$=C`OOWT+ya5GN^kK;TQ zT64}kd^p=%nPe`Fg%L}6w%rE;pEzX>K+Ywv?KMnTFUb|RglWh<~ z^HlU`fd5zwAPo7!b9Y`75$W2f72M*kOE1HbD}JTXc0o4dEr0+U*h)6U8tS#YS;kqS z@VVO+wfWaxztkKnEsoJ`W!cspqZZrPY_dpNk?0q8{l4V}*+>1id%YWvNATUd2Qu<0 zJ$=^`ruSr9l8b*%)$is|bsx#0n}6?!+o~Y&HcF?$Y%f)#7d)MNKp3!-wv|OK2)$Z2 z$ys-E<1OUNh*$VL&@VufP4)M1b5oP{1^2+-**c>~aM-1)VRORc(9;UknAJwdjOXZO zJGu^i4C_#QsYzOnsr}VKtJ{4uGxr@T?WINt>jRhEAvj-Z{9pp>Og*V!nZ5k_U-*Wzlf?T zk8UETR0ycs)7dmPX-&wvbGR;)gLmxDsY1%M0mT+6sFL;O5~p)_umKVig^8NZ7!;z- zaXCuBH$y!i{9~!lX)=CYnu?TI;u?qQQl27D6cizguD!IC5}k%H0!f2txBF}vuBdV` z!X{q7&Th(pS%sR0GA)U$b9tXR*T(^q-Om(=6SAwwkw-@sGpb-8C$_3;KNX|WH-VV8 z;b+9W-;O?gR@d*y5z07{_43KUlJVPE{akl?$i>sxi|FPr!2N_#*6ysaokM^HD7<-QTXl1m!*v$+k#*eDLEz+ zv5Ws4YB;;C@@(l4p9!)OC~)~4*#1JH`_UCJ1UbCwrI5o}`K)E(4x9)ae*!Q$KSD@y zE%-b=!<_rL3o6W^B)*5?OLWiU*Cbv?ckO@9Lt(G^7+h~inDLF4m1Q*7V>XP4i0HP@ z5;R!N_ms+NQ&ZKG^A@TO49({%!!Oh!ULdiSl%4{MK-Q2c*A8QKAbxz}QT-*d< zGd9|3DIo4zQOw*l#qW8y+WptzY1^;LA1mBb{YYbBY|*BT>te2d$@9zqi@8U8Z&Jun zdj4@D7u1z2SJ0nE6>yDIHIW5kX?dw{MNguxh2CifJtR$LLv+H`f=-{dShebCm2S)N 
zgH?B~UcKsQ;pThf2vEw=%*@Q$!{g#dtrNf4+q%4pJgR&+Dr(DIRY@PK9n*zC7a}hOe=uAqi;6Lz-7mk*iuHuh*0i{zxIssspOe8< z!8{-UqnHH*!+M=hE0^lovods?Ys!^$KqeiYJv?IRzX9{d$}E5g@~`3(t+Qm7BjyDh zGdNhj)E-KUnI`=&e>)Xb^wFadscWe`C%t(2XkOD#?(alIL=8^hwnh&nVQ|9iuKT#v z@gF0vT}=D^2TRt01GGtZIQ9)wdy<<{jPDihDnZe$F~8s5?3qCeRci;|)R35T{#k}c zxOSFuOUto{h)>B+6c1XhGAo_6@^O~E)?gVKZr(r0;Q8}W;#%T~47Y{Ez~Y+K9FI^Z z0vgwGWQjC!>><1~k#p52q6w>iSjJrVlf&2H`@e-CoDoZZgNoRgnggcfuv##!BF|3M=yL|5`aLgL_|(jyZ1c|^cX+DFVi zo3fGg5RTr}m?b&<(d}DiY2Ho`mX@S3t`Ew_{y_FS<`pE6;NQVk+weOi!TNcL>vyw1?j2)^@ceRaf;H~t>hZa*9fvy77xy}2EN&Tf zQ(Vh6Me?B|ul%#><`ts{6@~ZA@HLP1;)jVb&zOz`Y*Xm&WOa+98zz=;u?se0)+0R5 zC^YF4h7(&BvGkadZcv#IhCC0fFwg-_@G@*1fSU^!FJ6hnxf7UjA>KESU(c0B7nSXw zr{WGf1^ENQs$D)2Ik$i`BD|<-BG$n!NcV;8(4ohbajrg1$k!_^FQ=HfL&{~BJ}L9o z{fIAMTgi#BUM6k$TC>A+!Kn?aR>>CaM-{1sHV==Jsc;D;M`8PgFG|o<5e9S1dbJCTpuJo$XThv+7+c>`+N}j6yCX zszK@UaHIV{IJ3W;9CflD$J2Uq1R@>Uy@(&;dv~Mk%gfD#V!b1XH}d{h9d@Am8+<--LJ` z+-FMhWuDMo)E}aVCK5B#Y1)$=nQ88ycQI`;4zr!I0dT|p=t;{D-w;w#+8DWIH*`;+ z4uwY(RX#$Y;bKe8&F@kG>a9HInA{*mMe51$WD>f)jR;U~Hg=cEqehYK3;xO}cxz-h zw-EvVY5WWr`9c;2V)L-D$k#wD0k|zxI=ATNIO|Z1ith;)=XtX=G6;|Q>yXtR2X5n_ zByqgWv9)|GfmjYniHUXZQkO-W;-C;H(Uq~EDb~n{UKBP!bi97ouUSiP)ckBZEoYq2 zvguCA0lah>shcPGTSrFbhR?kgH#h61&xfflEt?y%WOVQty?W)X{Fo!Bt*!*QUM22r zSjpob1dN8aAstZwA0IVEtH%7zeRrx*B6e+QBqKa>KWYX-0|JP+DPADYHiATRr?d0w zJ8l!?b?_?+(LpqV;}g3k)cO=`7J6gx;O)P!!3vmOZ(t)k{ojB0T^*tndkq#?{wHtp zTZXD*hqx;d)tf~u)opvXU2?cvOjMKy1|l9B;k*#LxX-w9s*;Qh8Ye*iH%%`+Se5x1 z@KgoNC*nrdr{uQt2%*+w^z`XLIaOrJ;}8cc4?)p{z!oYN#)1@%ww9KS@+i}azV5J3 zmd`NHu82*yz<%Pkb+-XiIu-E1f#T_(e_HYv*3r;GwhSUbX?#M7+Zcfs=*?hAg zSy$!$c9Ju!td1DB4tuRxR$TnBWv~0$68i~q#|o=gTECxalcK%PgRUQcUtcZ{p~IP3 z5`7*F8e{vf)_QqaS+#)qCeqO~O~=I8c>Uw7Fhy2^2bwFK;gg3O#*AmumRPB=V>##r zSK@!G1dr4D^&cvfw*8lDLHG{(a^c`{X?Vxot4cz6Tjh|iMX|9c((*Hg0VSuU{lXUF zGTyDVr3Hy0zmoLQ9ah%rBs_I@x%<4Q0ykf~P!ucE$E@$c3=%w#;08#kNUfSL?_&i$ z1JO<3w6%T$4Jp;nTA-KHc1H(n%v$@x{=rg(9A@&Ofusdyti=Y)j&B=elj*y+VTiWN z8-_QBDEm_6k}ob>N10|=Rp$iSe~7#$!(w?~wYT8IMO662!fV}U_l5Uj2oM)^K!|rx 
zGw@?G9O;k;?PJAGjt`4KqJiQE1<9JQ5&7J=Ntg!sG-3pX14V*}`0zvxFx@~3vO0El zcJiNy@cEzcnPxwH*y%81u)Mss!&}XWrARH_#f5h$eN&S4`SauTRgR0KxqV_^XqJ`7 z)RtQlY@JMuiPG^=fls6B<^*~R`D5_)gu8KILg!m&NMQO*$s=TMC$X=y`LTTp5w88xrs|F1>O0%o4RTxmOBPs-!kd zjEsu%Yw0*qQrZ4~ntH!9wo3_;!zwB=xvQ|esH@j>Zt)1cxLDE2laxe2!SiRaS7?9J{mxm{3uBcd>RtyK}=Iu{V}T zs^;v!uUgvTu$Z{#n(tcz_v|b2ni(^<@7{Hn?8x4#hE}2WWZ1j;q9P)atGFl`#oxSo zHPNMRRq{`nFFk{7=ADW!$dNHTDVY`2+|_fzGHJWtZzf30Iwd_g>D5p*Go6#H!mU( zI*S1sS{!as=&iXzunZuiIKPl~=*qgf&XnM&Z&UKeWf56&jq|DHoxY5}_1Lk|5auDe zefMM{(e8r7i*MNyeMhb|qB0c@KwW)7Y*9jRwukLfk*#8~J_H_QMn^la^Gd##pUz2O z2`vZNbA&*Q`4Lh&uJS&YwVs`MTGg~wq2|y&vzMBuLqZ5O>sw2;WWiS5o4t(5CcCri zHFw=#FYAxmqQ#NRFT(%o>syQqOgQPV?eDMZxu{+6f3awd7(agTwb$8?9^o=$hkfe(Rh=~BsGF}eVXb?EHIwQT*I zwAi_YT5Ex$moyd^>9pfjV%Q8}LIU14l$w2ciGcfDUIMfMsFx5p33CqIwfohlY97b3Ott&jJ8~!RjYx}$ z@0@GJoDx^jiY)(SfUFlvYvh}D+t{@Ac2@|w}8KUmx9dABq)*$qEMHyS&xL(V& z)x`)Om}^?Nv3Br@CDJ2>aM?4p|NP@o{r-I%rAn0Du!?BmEbM<|HsViyVkE$>X2qk# zhEsb3IL)|w6?GAjkHH&U85wc(L}#xbqG>B7za{~TL}fz*#xUNN5;I;CCgUs!3dDQ< z>3QcSj38{4;gaNGM@1W1_qT~gCMG9!U4v+0Nm`S@guFTFs=Op+Z;1t;iXcU}u)r<8 zUQQLc7q>)u=YL*ZhC8Mk1@BEFB4148j(sN80QnKdU6jgeU3=;5;AEaC9oS9s)IwEx zJ~ zwtwr-N56{2oB@nJ7N?9BfsQPmByE@>^gV`~JK^VGgVYdWm>yF0O-j7kxkw?7E37tm>YnQMyRk__d_bXa$9o_wI6L(Km|DM$yg9zhR+yc?*dI z7;KsuPt&J3O81kM>Ox6C!JqOvIRZiTJ8!+mjId2t?uEy#Z+pn;|8=K3yDgI`Iv&=o}Cl@F86%o-To2!w)C`J=9Uf!pT?>9zw z_d^uI4ucwCp0`(z!vUO9Y>6}(nt}!k6&fF!GM22pN+@mT9+S)7IbOkh!GbMTR&f9e-j#9A zFSAbQrQt*PoHx@i`>o0=HQzO3Sl9Czwxo4F)aoL7$UZUu7c5Xc=7UJU#1L>PJ@^jq)7a$ zNTkA%$s`2`Fnv1OLl6L3%#_6j^zZ+^rsi#V`NhD%Oz2cIQQj_k$*@tD872`5eUets_iL8E<1M~J9@OU z)CiW6Q>ClasI|4VU!Oj;=Qg0P;X_i$Aqtbxh}=#7eM{8tY&^xWf$a5>`RZ$ex)Q+_ zi;Aq_OM;t=XOYRQ%LPu7L44phe#F}i{^8TT{=_y{cg62YketD~UCSn0>PmtQd=*qw5ZtHSb4IcM}A$( zZY{^8yq-05+-i8uCE9JFs*e>B40u-1UW5n!jUc-Ft495Al0|-qc8va+C{MZni(Kl7hEcJ3S`CaT}r$Z5rp%t9#UeFuBLL{?&Qa{Q1QaFbADog)=$fyw|-QWo$@65HvCh4!LP8CSfI6=yZ;j-T>l z0Ewp>M;Bd_{|oxCK}?i8CXt1l9gvJ65M#KHm0tVDfq!e%L4`3(U`s(|PquxWb+0T9 
z1}b*>ss2JbnM4*Yej%I6-~?8^TiJteU@kK}+v5WR2OCHUP*;`)jwJhj=Y(*k zI&}x8Losjih)#xl#Dy_JYyj`nvSmaQkOJeZ(ALyMY7SoryMg7X_O=SIO|qW>k@%cs zeRhNJ^Enk2C5$Y*=w3q*JoW=7MZU+yi#LsGx9IvcSUZ;$fw*$B6rxFigqbjWtj-b2 zK{o~AHj&HW?AWj!%kSj=vHsfPPWo2s;Oc+KkK|-$BdkgrA+onu{rOE7jmQwukMuYV zc7n3qTDBE+$kwvKIWK68+H+%3NRac#$3rh)zWx|lxM@Ji|2^i<)$-{;kwH)XA4S_gAHF^~O4+w;B3 z@9fd7{h0f^u#>6t&+BWFn8t}^o21>bqq=LHh2HL#nv%}WJ|pJ#n=7S)2;=wYK52); zu4A2H5_tX9zPJuU?h)m~OTQ*!P)33PsL)^pY?(1VfgGQX`kFrD@9b5c$4SX6`mJ^! zLdEq1k4CRf@X7e3S6FB`yuY_HeHrHQ8%P(Vr_cZ?`cNrRp*qJe0;035|7?@x9vHDLVpR<4^>{HR3xRUVTzhC6fdB|nl`2-jf0(&!Ws{+MHatCz}YDs3i#;Y})cN|+9oPLIb-A3<&Zh-Z z+ECklPma;ujOvv9?j3Tst5jS&zxbbims;)W5qCcCvzcmY)s}vGdyt>HqX)SfEC_43PD}#-)6O}asXBPQ9HP~ z>iCu+>Sw28rp~uD=HY{0kPu}U~ zHkY#%d+tK>LSbZ|v96TC=0$=CcP5Dr8wcmx_uV)`IbAnk>w-7d$2!W-HBbNvi3_Px zIdzfA8KTHsT;@orOr9)^O&AX~G^7kp5Yj=X0}ZIAJ#l8Z;{%3@+O};XIYCE0LiY;b z%;239B+L?RP1w2TN35UqgRudn^i*P01L6cRC}Q&gqW8z`VSC%nIcbw{-T~yIK5t3| z5>tRiq^r2=frD?}JX+SoQD}W!S7z|w>Z+=&7*Eg=({X`MKW&5X6E)~5A=_B8DfInR zr9p!ZD$k=Ko@C3RAXN6n8lnaS17{+!Bo)j>*;7vtxdT($gW;w}d$A64c5}TVSTs0+ zBkOxRqO=E&WBraD6XexAa(yD(fBm}KR_=iwY2-+(X{l@fVD~I4ER5IBcJ{=h_J68} zSmAUuj#x^)9J+l`12UwaEZRl^0=M(mukD!kg}b58^EwrL-f^dohJ8W*K(iw_c=|dk zC@EM|u64KcNm_g|%~8LIjn@tXbXDXFpr?9V~wO;%%s&Xs`3oojP`GJ<5`=*K3pp4$N9K z(d<=Oe*QPoHl4O?k)OUp&0Cq!5DK3ZPd}?_BJ*h?sQjf%%B{D*lPt`Zgj=m-<+dD^ zUcGva5PQYUf$$B6thISBPwrKR6*h`wepld_*#)?U(y#dVq8B@5eQI|6vd&qQoS68* zZOXtxA-(_SkFTdYe)Jxdt1ap=)&KPlr#^NX5>B?Z#hG1Oa|ZA2*cf->X7tXOnidYMpCl1- zasnl>m#Uvn`Y<)-r6!xxWsk|vfarloYvGGOd|1D6@t=;FYmw&hDZ1Mxirm5lz)gkf zQn-U-I$mu#sWJ_z5kLz;+`hHMQz=~s75ZFV?P`BTR5BVG4qgJrANw_&dsTDwc<`u{ zs|NHpeF_{(2IDJR&9Xns_RVOlIxb(~+1x#D6?PT9*7)1|(=cARySs1MQj5w^N?Q7s zThpYvtH}*q2p-T_N={%ceUXK~C ze{9dsIBK;DXF=lIWcexL>BWajbZzad zqEEeyB6r~Q^{CaUeE+cOJ)0)T#qTfS`B((K(!Yk}R2@8Yh&)6;epV{sy|$M9?#NP- zz=4B9Q_c6o)aTXBxWu{DigFn>fajbQR;o#JbmUddlA_Lsv_zgHP3kuxC$UM-9&VLS zHu7jGF(#rJ$}>#B?KCwtNpq{Id7^ZenBcfLlWVWZH9;xdnp!;RD0tOXJ846ROR$aH 
z4Wb6<$WP}Ib!a#7d~wPWA1gUIxgYKsxHIOd*soC+&WfLt<&Lp`SZXYhK4^80e{7yg z+oE`sO0k)aoHoX~>rO?M2FGA?!e|&A`t-?}N+}(h6-DmtVclj7j78!~?yb%E&i#%v zOr#A>M6J@|v*ip;e60A8u@(k9?YXzJV%nocioxpF)!XVmsI-}C8nd(*DNEh?Rb%G* z?#7GNeE;RUs#jQ83^f~M;&Fn98MP(K(rWf)tC^ZxeV>%vGexdelT- z1Ng$!h8rO?v;qYRF|+7r-jXKod?ef21<8I2Ocv)F-T1}7B-DX5c+b~{@#+yv`-1eum5 zV>E>>Zo9q7&F#yF>}EuNd;j_U{6gxzojIu~miI?w`9w$$3h-<#c}r5W$Gb^m$L?&c z`-;*<*y@dph7>7Q`z%rGtc`tInp|HueOp!-ua&ibt9o z&J|u5B8y~wj&X}AOKDD-QdCf2m-Ln&Om);K&Q)wLpE-%Z0+po}25TL=O7c(;_BTEW z+VA)}P|czNCj6ub(44gc$tVIb6sz`Ht{cjEtckM=e|hWRo?`jZw{MxR`Eoe7F;-&c zfbck?{CLE1odJUe8Jb{STEXPbuep8LLfHoM^YbAD>(E+|%L!eKRzT<)hZi7~iv-6{ z)zzqIljGwDZnA(?z{vgHwsYrh zw9UM;C3WX6c}VmOr~b>S=y&}v^YP=4_a69&{a{V(l-3`r3lF_0k69KqIXe1n=DNjN za>q6&&AHamVbl<<=3AanJ!ALotb=`4uS@k>cG|rt=J)WE*K0RjsqckSAD&RleicBU z@oNAlY#r3~L2r#6dn|80mM#A(kU<;{+)exvlrqRGc;2y$7QQ^QeDpDY|BDkh`eGq; za>{@9Ovo5nwph2IwSZfQT~qxJy5?79z=g6BjuhnQ^)PO&!eX8JiIxhO>c<)o};se*F2f!PPw!T@*q4;{7FO4 z@48s~XWNmh{6P7+pW+ex5RhPXg1;h|)w!&#Ln)HF^43;I%#69Y1Z0-&Dko1GM)3K{ z#Rq1-=iJ9Vg>+g{vbxDlvBg6BXGaHF8wRSUvD!eyCWn|6&ii)K>4J*Uz8RHYzXC+8 zUb^%Fq~?tn#J4+lwgs&Mb3xdV{7%AK**!yV(j-C^V|ZWTmOg)eC5X@nmsoURY8)Ga znGyp`0Y*#5IyuXyg?MD+T8=bqNtlw}@_SFHGgNL!tm&%m0%9s6QanEBYRPPEPrZu% zZ7y$nD;+ONDzWzUTfh~yE@Tl(A8myul^c0Y?Vd`KnW66ah}DxzvqE)!bEp8Uz&-Y4ZiUP@?2Ecs=q@?ch|5n;lacM3-a%R$QAuPLzM$~mwu=kvPov6U7aH)+3i@dWdA$@>E!U~rO5+lSu{A^kVtUaP= zcXe@?VY83q;t9d&JC+Z~(g<197TV=$x_tSAojKF?hFxF!_2bvCv;?PjqWq9L`K9Z? 
ztf|D-MSqQ~t691TktG{4^4icdXA+rET-twdC=+?9VrY``FlF75!auEg_Q5pkCcQP2 ziGbPe;^M+Eil3^Vtj4|UY`Vd#g}bb(+C$&2+D$1-;|RLPd7C%a5T?P}*Q!quGEBhP zLw>Wvv>iV-i0_+mkEckps_t~_b=a5Bpst8oaTMi)4vP=_)||e0u`t_KDyQk}*+S$h`YRR0yzei5W)H2&`F`ek+7>7Us9UUBi@!-sHUWR;I#$*y0SY2PQ zi&_?$Dw9NoiSJk&kEdlC&u-|RXdSPuJy-R# z%LF4#P18gEoPE~FkB6wlxifQtr>Mc&jG!X*ww=qQGn^`hsmtGYCV*C*tcLB?@+(GX znuPn5F7BxfF*tN+?CY;wGU!-uE>T08^Y+CH%jQv>;oNuAh!DY_zjj<(V>^F0Fz(SzsPH^> zGSsFJEVy^CNOFAO|GPBAB_!V6vI1k%QS!9=su!}zf-nM$+I`*jT}oO}`nBg9`()ds z8na|#;L=v@@_F$b)#p`ajf(v9o32=2EIC3?@G)@nPtCo3tegz+XBiJkg((v6F>c)R z!aD;%8HnI~Siu*4|1>YMg3$n_bkDsott`0F1p$Nnj>8Yt*Ct!#G9>s$o z*f`o89TmT=gJ57|i;gxP9T4B07W_>p46v9F*^ ztmj~c1mX*2c1&pY8s$mask9-2#ZRD76+~i^PlYOk*NX4Gc+>-pX9Wc-R0hPo9Pb+j zQcW^c_(A_`)Ti7A=OdXJ`hrf?c_wE916Lw*;O@Sezbx-E%D%C5bQ_w~4%~FFnwo79 z5wxvgb%FCNk9F_m-`P^M@$;UUGe9lhb`8}b(8 zR9TvQwTGxdn%m~L{XsQOjyOaK+?2YAeGQYTrkrsv@aaaygs}nhg`{dl{XOpA%+sHa zRF&}~Kp$%GZ-WrWHw}%DoQySNWD+LSJUG|~KQE9J3vh>;msc0p8Nmf`1)>I|-J`bM zF@4?KWHxxj85ao27X)PKc>0M+2umg1AjTn|co@PZ z;gLA&)LDOZ9o5tA_x6Qv+!(O-__uz=3Tsm8{sFzO?_7z=g|p~+3XWOiU;ddNrYgzG zx-EFhYyK@THM;o+IQ#UEf`9jvFj(Sn{~jpS*x2YIU8B z=9c^+2nRyvvitqP!H(^7Q!W0tqR_+xp|~R2bnfigGa5ZDY=h3uABk{8SZ$vtKGcx# zZ@zO!r*3qS^J0FkoE(qm3R}dp!lVsPs9_OWruY%-Yn2c(CzN=8d~6gmx2OAl z086M_Lt4bwrAhyH!2ehSxCE!dh<$d2Vq=P$FQ?7wq?&29!63DFC+^hNJ99O%W2~v? zA=BxGPr##wdfxJ>b)JUN^342EUS9g%KbO;kGGyr`R=9@x%~SQ2QLw=L?Uf@RtAbXKlN{O+)J}Mzgn3ywW|Am z8CN>{Ip4aP8d2tL^G?+yUh-|NEpqMJlm4`N!$>8`>gFDW7Taf-Fr;0(=xz)E|ND`^ zG~lsr7HnpiMIW8o;6LKN#zL~Anu3if45aGq-8SoM2fvhK$XU4mzFUs7@a2pj+NtYZ z`F?77Q!FjX&2s*mA0%Di;awdTMyuv2 zTJWx9w>C9lbXpW3)? 
zhZ0#zp=}5NB*eJq|DL$1{@T-~VO8>*Jv^r4gJsOx-1eeO^MbEGQr?)Ymp!2Dma@F$ zs}?ms(-n)Xlj7zM4H+c+rR&G*{E9sjcfGpOg!$9TPfPyToYT3_o{!B^?)Hy`%7BRy zAmm1;X8tkTH1BBDZ2|}7j@kDCczl=YN6@oR-s@%CHda0+a(Q&V>qU%}9RtF>H%035O z@2-NPqsP%+%UU+s?zIy&1(wZiL3wBGUaRW1f9!-a-V_@B^l3U&$e}}}5Cmk#-`-wb zzO(l3rcnb8F@7YQZ?7C;Aa!}ki>9}?cdKrk_^-h^DN$lNSe4ov(nE_y$m5q(y3qK+ zuS;31{8x)S1BlT3a?c{ECUsx;j%CsXuU`FnIXAT8&guhU*E2J}fu0e}d|OF<>pU)4 zq>J(MRLCt${QqYs*lDH@NwT>6<_3I>hE6Q5(k6j*wvqL-RXViUI% zY6|bfcxpAxeFR`Gj8WP%Wjr5NUcGJP!j;Mr9eVeYSJgUvAh2MWR zg@35Bj=HfKU2bHNJWsEk@3BEF2v}RSl~}Q#7XIMc7^ij{-egX=)!++25$5GPV-6LB zzs_!0nR9KCV#T$^tE{YYTkF%u%ACrO$yzixOQUaJJ#|SyUSxtI$(v4J;PFwEq9Wndy={5QP--BP{h>%M|AV!j;(D zgv$jynWCe^Hwx(+-^(%2W|D_OVE$a@MZz54zIz8ZSb4wqkRjF#?xDwF^P3qmtjtD; zl^^c^uS_3glb|Gx&H0(b#k|98Jw5f!M*c`%92vR4IxqNqz|K#{_4|Ek=^2x5U9?p} zUf2EMf!<%|`d=tc+R`=4R9>Mt7Tkw_>AK5Hu3Wu3UuD3SAn*S>L@DgBr^^jJ0glU7 zARR$iy<-0SSAOGTmP7@wyy^Dul$B5Udq(Tl%`z~s+O_Lby`fLQ{83Y;tlYP^EZMO+I6OJgpdinC-YR@;3W8W_M3ad;|v5`y!UPWr`;}L&f9oJTK z^^^8U?WEqg`9<}{gvCElyIr`sd^QC3y0R4!)=5hmLBc29(+1eznLDKC4vMHgh77h2 zYswMzyHrIM6;{7KeR8JkE$V|_wJCIA#jEk1aweH6)xgVx+J0Gf_p!2B#H-BQGiSE0 z>>cOx*3^pfO`sRwUmO`HK#KQsbBP2@+SfAq&BcP}%d49^DJbN=el$kR^U8081_9ki zlnt1w7#K(jT?R1KDhF~`lm$xx&Jhqi@cW9USrpGGx(9BG6CAqR2tt$ln8mKJ7#=)n z;)s$9o&2`kyO&bot*3ir#ig=6vi|!D?eyd3AGdT+SI&g6dEr8TpP_m|14k8AR9Fw} zMNrX_+P-c@TiSQQiS?+FB3@+)j=%f9F-*t-GF{5MY+Gn;y};UfUEZL(YH=o$@Q9Af zS~RQJ&A~zCf~;YK~QMXD$bzVd@khr9i{VgR0K zQIkD}_m}jzq@|v=W|q23Kx|`%jJMCfqauz?emAdLmqhfD2-zj~1TNDs0HF4`|;HK0C&-8v@!axdOxwn>|MSa9v8kaPYWR8S5pqY_^ zLVKTr5CF&pCx0w%-6`qWF8G+M) zVvMJxbhBWK{qG8{cb`5qwpnN;AwCFzuuvb!>)p%AVa)3>BB1f&kQ*uz+ERy#$CN7% zzF7A9P@nEA&M({;K3!h-(iq8qa@^WoNQIeCC#0yV>VgsgyZMM?-nCzt^oWUhcM6E5 z_62;m9Mk7X9|1YZeVq=YA+P)_b{1b=eDEfo)Y3BH^0nXF0j13&4sOWqs2Q%VTRfnr z;rz9x@4t_g_3z?m>h$Jf{}`hib-k>*OKskE!?#l}s#n-26hWc?)f~03|44y7fPPpwavc(0JlBcgU@0WY1~RBVe#r#``CuMvd+vo|u$WlhtZUCm?yYNn)Nfjat@--7*2O0IkW% z@w1}0i1airv^$U9CoMf4(K5W90eK03j$KAfeqH(i9|(R@+)cITCwGfa50h@3xcn@t 
z>sOI$rqu6vr%Pe*Ecf(;ijP+uF(5H28!Ykce*CyMS?TBNtQ{QVPk#Q~;Y?oV0rw!T z2`_U{+-`N{D%w0{EGm@31-WVd3fD zzXV^ljaa7=Kn4dfqj4wtgwt7zJSwl;g(ffO-C24D;?%(Etk9F01FoLz4`%K5(`yvk z$;)eNc}(L_2flt(ai-ck`#UNG~83)~Q5x!EDXn8w!>ArT6z{gO&q!2oD9i)6lA>wY!gfg8c{g>%+Bm9sRXc zBp0PQI`4U?_{_J|5#=NgWxUorBP^!4Zckf(i_2YF<$XBqYIT!Pcs`FDEa(JH}okL=hj^_MhcrE}kV z=aio9=^8g+QZ}cJqIKNWHjwh{)MkbkRa_EbA|`!xyR&H$uaXTpNEI6-k79U?9(_>~Uuc z2+$Ws0KE0{bw<*pq(&UjkeabCsx0%C%FSDmGx`~>@k#!-<6zQpAihFu#B{vizas7r1^(wD4(yj#^nAT$tc}M&XsRJe54$YB{;aM`y|_y-#nREn4yN>D2FAyH_;i zZ+WITV;?YI#mnNg&-*?}N4NG4C$>BltWhmWrGG=}vi=A~h1G^AZP~J7kl@9OpO!3J z7nMu^XIkq6uMVw#gSRulMVi}3E8M9+Au6%40YdA5*Pqk6PrZM`kO=M|EyreNdcC?I z&mmm}9?PN)&bKl$Dmh{w#VAwu;npsJ2N`9drKf%wX;`ejr=yo@O4W)_8;)a+y}{VM`CB|>N;K>=cyvwL0&>9 z-fgLDnF6>kI4Q^9{caFs%{kT9@($-4DGk;FY5-md3gM&3HHznYRDX>4dRGZ(ORvCa@xg`TS}%B zyq+^RvQ`)d^E6KU*{UyU9&*!*l0M z$Ie&&srs3Q14$4S-bui^KQ9y|0IChUREuw<%<&u+%leZ~1Z(!pncEr_^X;P!9h4?+ z%4*Mp>kbhv9v<{2(uU*I=QiZlHRC++?(UIIEfJNZSlip%85p?D-G7oOVF#xNE?QQV zo=o;Wfw8t_%A5SGOYW>fITEVR_35-Au9-C6qmhw?^kxP@CPi`X0xQ7l?DqQP$9Pr| z9(mg8Q*7?iFTMiyC9+eu%#e$_Wu_E%?b^SLI&F%y+6Tmn^s?~xqBLwfh)EF=*B15c zvlJ-#6R=I3149czP~?zE*hdaL-yhM@;{rp=MI6JR&T8# zlFr>VvlwerE$`>%39GLsRm@M3b^F`j#?bH;DwdmVy9{Ix8q5FO{-&pxJ#V?Xgb?z% z&}G{SwtujrCe`)W@O4GDWixRqf4laPgSSmPc|x+zox2}Z(iCXpiQJRlrDo`=rC)}M zG%s(mvXfbn@?@kGD%ePDT(+#2aCg+f>t!^CU)$KR^OR&Pi~l=~m@z@=HzP(&h{ywi zbZzU&Le8Fb$qhK}edhMKfFU^SW@dg8)sQ`bd1l6ZvN0h1KejnQ|wb z_KL77|5h;S$E&ve7kh(3LQL3yZ1fyPIoJvkDYdk=(|_<67>SvZ#FqCF_pfyayL(mN zpJNtFkxO;AHPOF}dG{&nHJ(Zdm$9%oy{(`9sUc?*Usa%n!88FAEWNqWUS|^5a139O zPaZT#q^Bym?9cwgCw~*{&!6H3p=H1{DA}x_aFoyco34P$9seF4=%98h%VmsrcN$pS zAdVj0RUas})}EOP$6z9KGcN8w&HKSahlooQIPN_Im#v?2w|F0kmi0UAoaP`@L=~}& zvD?E(XI~OOO6+uo+_|o}#@+thUQ5jTwh;5sZGZ!QFZn+=xc4xCSyNL&b!hI&pF9z+ z?G>w6D=R5AzI=T(G?cu|*F11_!ge2>HqYUg7KJHab}er&))>bqGbTnGM^JHbtUvyz zQ$2CQ0j~;_hh#ZkN4A&8p^^Wx*#2zF=vApsTCLKOIWPw-%+{^fXp5oW`(vQnMwJV# zyJrrKE_$;;q5ZTy&;k=p6RpeHR9yLs;*8DzER{B+_O#U0mu{1Utz>`-%=Xnw`>0Caraxc(czuhuB{mPed 
zPzJ;@2rRg-Ehe^&Kx4@c#AbH(%Pz3`{JQ|5Z6USjC{Y-hby1ecWgnHd3)~iaf*c3{ z>G9+OoH-MCY{ic06xu0nFO5sqNnXiWf>ki{tVIYaJ)UlWE4a+?zlw(ZYOJqPEf(QB zux|0@e?ViHGZ%B>GlwB9E6#WY7XW-=VEl~6eqxo{CqRspl(5r(SZCz>>k^wCZ!#xb z6^a9aoX+KaD)++j%|ru$O_NZ2;L*fr2-HsczuQUpJjSa?F^i9*qM6Vv&oA^gwG=C4?n}h@g z56BmgV#99Ww^USA!2MuxO6I_8g7(Z#CW#(Qvn?@51%HtNd8MPVk3>pG5+#ktaMZr_ zUhS{gT+7Rwdr;%<)2E9^hW^i~Ix_SXrxM0DSN`SOm>gpSUhD>S$+F%7KjGHfGdH5` z!hwuA5DkvEm)D^w8_p*u@3X;|_JH8*iP@Xg-LP2A(BtBjl3Z(l8!7QjJoxYm=Mc70k;RVW z9K42<6xAuw(NR%nNOHJJ9AUmMvT3g8fVcp3SKu*-l0&_z-!?=9B;xPmJqz&sTKqs zG!n)6;pktLx+RN^rDr7El=1(?b@DN_u=osv6o*^Je@i%@P?>2&k-~`B!SU&(tkb6( zfb)?C@Ep<15fmf~fe%{0VXfS${-f#LwF z%omLN=Sh<}TT7NMngm}zKSN@K5w$`Wz!b850baAlf*>H$1ruAwTHDpqkJp`mbi80CJyBx6HsG<)`J zVXzVr!JLs{D@9wv;_F^wfBp5B9JM8$(U`ll{>etcL>7hflPAoJvF?!d&xEvwfzBkk zAg<{iJ+6Kif}4?@He4s)FM}Q(^3QU6`}z-`1HT+mBvbW4kBLJijN#0fnZ0=VvM;vg zH8sA1)I!?d2CVf&d^`;JqPpWS0c&cYWZ@H!PZxz0>j6py$upNX{Xhc0h;xvW@BI14 z#l>fNi)bggGO^X;%WCdOu|N_03(UaS#3&#CKMKy%$0jHA!wm01?qko!#}ha;Um9yf zZ7Hsfr%!*Z9-DC2K>#rYdo_Zclb7XHEPP>UWhKb=zJd&jYgcLro+U83owYhH0;wd* zghW7Gw0V>Sj2AJ%C3i>&|Abs&MRsjuBVG+~+y+bN1RVtxv+U7NTgv@nTkHwGX2JI; z0jj$xwImOueV;K;VvF0s)60J>QIFK)_Q-L50wes^tpvix;pKaH0I|5+#|H-&W5hq_ z(4^e!H!%a_fujMPIC0{TA%As_`g`qSlaUKpWn?wy>Fr*<^>^=~q2bArP&54J%ALM5 z=Fz*82vN%9e8B?FYx*BWY2cxE&~dVc?X5RZl7ZX2J70+E;Y=-cB&PKPJ0?`$ZkCM0 zD`+=sqER9G&u;~KzOpenwRG}e-`2%;7>P%+xy$V*h5TPIOQT|JKhqI2iiQ? zchB5foq^%*g}g7T`B(VD>&wv*y%y*A`0-;UtE;N6u5Q759UdDg2N&^KwY3%DBbk}W zt_UDMw{z!g=k-`(GyR4D{u=7KZqP*nB&_V0idxvPaC9YQGyRkPAf{iRK;SRo;@E$26 zx-!^M0lRj+Z)th%{a0fS15g0L$tg-ij##Mu0;YikVRoY4FyM9S`GRTLW_=57qSP? 
zrzwvdi3A=?E|K2J2P^S0hxz*c{rk&?RSXFQY4GdE;~7Qn->)Fu*&Z|1efyl>RA%y< z5hQC%)u7^{N>wvNTzKs0QS6j1@GbBZ1y>ke3#Z#L7Bc{8Kr9yy39#EJMzv_!!8y1c zSs4)N7&biR5=$h#uqtQUmyaJcKeqot$wCXoPs^eTh*gX+I$@-Uf>TgsZ1(wUT5Cf^ z))#y$QCZB@`aqL&_Rr{;dGK2fDn`e+nMg!UPAW?yqVUuMv_UPctsay-UAtmz-s%}b zUhw6OT0YOcxKlhtjC9NQ?&2~X`CH!&-N6>g_x(K+PYiKw_>L{fmsRtV>`2VOs zD7g|$zp%rpEW7tpbKu6J5gX`Ljvy1x6;ASt79DD{hmiH>1Oa1IV3OMIc;DvMR(>A) zf(>Bf^X%2DN!)E*(Of3qUgywb$jZs_8l88~>_r;lpg~hnOfYCmI`X!qg)qjy0;|&- zj!_`OzCNfcLKnH-&Tg2$4a*kE*g#cVrs?x%%)n7#HpR`HIjB=k8w_72yBtY~njwzw z@d*jHmL>xX*VRp6(X!*Y$q?``%6?wqlk3B>pMv>F_o-hG-*uSIsIEvsFC{axw7h)a z7W+y?>M_BICscp@s)tIyQGp)fSC_AW;LhzB_|{Vs#uH^UO&HiFM83hoq;fQ);>U%B zh!pXuR*_Zf*VSi}zYRsdR;+0o4<1_1MGg%tVuZp*h=KR;;6dd&e?`P2y<_?*(*(Hi zFm7H#jq4#!B<~WB9VCh}bWdPgJa`bgs1@dwqBL#4hPt{;UK3QYON2=vAmEA3*2GQUb_yO2C7YzxSClGGD5!mhE;!R_j?{E631j1XTf0XQ1@;MrX!O)g8@amR zrm(9h2rD?zvOM-c3rn@Qb?MdG0gviGG-QyvJ#8?x90D|YvyPE%9HW8rVWfBMur=Ry z>7XIfol9pWPj#Z6b8>=TJv?}y2*PDwe=dxr$!4OS6ALD;f4do4Eh?U>D(5}BCoU5I zeL7LxBHt|8eNA{TH*8ZVfb|unL3;7i4_YJ#Z4fQ0C91iVD^D5>$06s%s+gg7va0`nBU6|>^?dE|^rt88I#3+q z+sCS5%-@)maCjSrX9o`sICA&Jn>TOj>fpa&oPrj(al;lIMo*yGlD zen7HD1m}}>w*z~8j!%Y7Yu3CGZ1Lo@SiALC=k`e2BrGIWh4^3pen^!1J+2e~OIsjQ zW+hF=`;TV_TFD75xWOQ5;Wh=R`{13`MhZvd4Fj7IOM~ZjE^WhN56e|>c;k$d>pW{+ zCiWkd61nY1m~p(Mq-29bsjcb)g7WZC`YG!sHCNE2YX-zJR$m?eR=jaJEjyLv=rLpZ zNQg6;=Q>kVC_lU+LZlaQ3`%sxojX#fy~$JV+t=&Op}`ECNaQ(Qe2DdlN#WV$w?--| zYM=pPK(GnfFnbs87wxSb4#7rar(tG~7>?Mdy#!QIsG=O255U-?$6bCna_tsBl+IL8 zJOQpebMwB@MN>C?c5`ug$B`$vPvIJg(i0IAbY&OS*;j5SkFRpP_aAz-GSwTc3BU`* zHFQ-gk38!ovd4@RIq#)_aUZPYE|Qa$KF4XooyIRbG-umj-L-4qQmmHVx(+LXr!rp$PZTF@49^^e7^K} zAwb}RD{MgiDf$*x6FnE4HhBr^`6(PK@g^hp7k1~x;NL-pNjE~BQd2)57uMML)sqh| zG)c%<*i+r7e5~X*(}#244vb76D~TYoAFflF4iUTxFOyLfJA^TshZ}Mlbodx^*kp^3 znk)7nf6ClkaDj)~oL=GGWlJ62n*cSP#s3o2zKVP^6)guIBX?cV(xDId#eCh~LzqhU zB~|IMvCo8rjT0vXP@H>HPD;v%A9$_TTvo+eEvHub;lrP^f1W4(%>s{5Tha4T@n-rg zJRA&SjL`c}z^tHmZ#s*8$6jKtJchy;13|?An$JB`e|&Y#`=?^#m)C($HabSAZ5d4F 
zRmowhQag$=$Y8SmV1DByi=RBXX}v&*uk>kgL`#D37iFWLj*Y&40i8ZM>OOq<+Y7D9 z14NF98N*n~dWn-XftgXtOOC^t`TP^OM)COjic0Rgb?=2ilQw7oLtOgt{R^Er6-bwE z-DD)h@mipCfu2dn-gAd<&ZQVdeJT8|+SFed$>Kcv?w!k-I!U)}CL>`P2khRx;M4=q zSWZUlURM#~&3hpPh`I#+S*udg<>UAXHz%G%GPbGUlBi^=VrW62+KNNbJ7X0&|J8@> z(}l>OALl6eM;@A6ctr6eeg90kweQ?3x0m#ZnKt-i**&*SU8ZakhT=;u10qgvdQ7X& zo5KlhAOj_mW>`CnNo_87Gp6%;K}iNvCeO(w^~#kiphqs$;lveV((|slxl5-`URV02 z{hN@~Df!d-OBiOoe=phQNV<_QIqod5lal#jKR)J7rEt650hDCctXca*LfkaJwy3|6 zX(Tjh_>6Ipw>W_YOKiPLQ`JM9`ZQhhWOd@hZT}p8#85PcQ$# zDwNxg+P2hE)H5IU$pS7OuScyMN(&P#h6U%-f|giv><9E7MIDT(`=qI`L1-b1v1g&` zM1_XG#`^Uaj~}vpR`yA)4i>OZ87Mx#W|~j_E1XJeG}NZEf3=PlWxU&;456 zVh@iE1SI|IvaWqqed{OwU5@nm9R~Q|Y;b46t3e^S2>flBF5#QKv`o3Uv)@v-8oUie zSab}^qee~kdS~nE+RPKn+uff#G&4%F@&xxIF30fZt*oA8ojU#PKjJ5(O*sNhK?#Ln zaom3EXXhu2XfqX;zCsL0|TGcuHuTDWU)7b?dlW-zXLYX{iRRXSVJQ!v>Z z*gt_aMk*1su!W&^s-;}A7zA=*2*;nCrsDoWA}WLS?HjxP<68HrejG#>?mMUS%Tb9l zCdgS~UDCh*e8e7BK&&`*N#?Wg>LK%cMMWIz+TrhewGqrG`y)5>Mi>lTL@&s(V6?iy zI(PRlU6IG+H3NF}!kWxFAQqUS)RL%BQU^)Xln>6I6#Ik|k7Aj|_|2O=&}IOSJ&^`F z-m(u8b=tBw-`3Ib<`i4tT#9NkA`}(3X8~n@;9z`M|AAx5sz@ejenZ~2yAJ0rJrVmo z6{d5iWODZL@i8{;`DjDC$`}Y@ld|uh3D%DT(tW+YOF(S;n&;@uF=|SGVhCGWI^aTT z!}I6vv!`fo87zz(q7;@qBD$i7v~&%%5U#g>rXiTXDw!p<1!9P;HAz42_(J`6^+7Bc z3AuVf6xr~#LFbs|

?y-D=3Tq{{+)>K{4lBRl zfz>Mi0r&@)?Cf}#zJjY|HI}$vKGaX3JmzOGiiW1zi1zKriV0pNTO*YGj3m&xClT(O=!B1@D;vj&v0d`W!;BY&& zeiRp%d|FpS?I*2xV9IV1Gm(d5_zZ~}yoCnl-hro>5fYrLKYLy1v z``DW&mlggVe1wLCXkzAwZW@zH!O|YSRyl_YmP(`dlM;nd2wy`bT)uz(#0#VQrBXRp z9c3J^MsyT64CNB22-fhflhq9Itm6zvSBiN+QCV6492M#wjEUXb_ZJfza38Sh8`nHR zcbh)d?&m{3RBPXfeJWgGZj;LSr=f=qEn2W3cirNKe$hqP>*C&afOwQ?gKyltd2wx( zPTge8lBR;ROXdiTJ};UabH&F^^Zjj@>TDUz>4r4zHLrwtUDBebO`BF%yGl%Ktp+A4 zyf;b~G@gJ{Z~TQ{o3xli5j6~`F_R72pmrJ)Cz7hEOJX5SJ{4Q@o`Z)DVe=0PhJ#NA zkARp}=p2C``{p&FPX?Oi5#qNY;2Hc3D&OSfWT-2x1lZn~h8#6;*rZ9`jJZHb!v;<$ z7yI3P!Q7-*@EyE8wBrN0o|oLeEe!nG^;Wp$&OrYYC zo`EwgMfN=GnV5qy$%J#SjC(O8C4q$9y_=ZW`DHAgE;33>ng{>Sv_&x>JFV&rw={^P zNN=gE`xkRNcP}q)1=ux0TTP)}lJHnEXNfG3&^g=uAetKhVmo_#N}@Nwtfvza$}^mo zEnPZ9IMzBMK^G_uGpvM%S&~Qn({AGRwr|gHN#8_;g% z%$ZES_~>qQm$#>KA_Kb^&Y2ShV!)jaDOzb~F6ec9@yiT3WDah{{$2Z{noV=5EdW>< z6}e@0=FfLWZA5{9e;fy9+Q|E*qZqnDEECE|`gO$sFjm!x6F&vEz6YdZro)7U9caF2 z(Qe^Tm!7dGW9`4OC-&||s?&!a@ZV``vBJf85sN$(-n;;cOS-)-6-j45cuOfd`!&DN?7?gb1j@V@87S9 zw;6g{G7P|`7>xg@@e1G_8=DxM1JU!rAAaS6BYD=a2WFPx)naI4)G_b?=$afoE?U^2wB47*^@V4QTl&?-933k zoL8Oi^ zEeMqjencYa>%S_1a?SeYE34L>w^?6bHgTIf?%_+83?_q$ssLtvB^?^WW}5#*CO&_7 zl$_uoTSf_{UHo*~uFofllotYzb!6yDnvkEz=HW+6)16RaAc$DEn6;=u#61bHw296G z{)bQSQ~a|+UGR1Nbv>R%iNwH*pHA7xQvN;X74;+|4%#t4EU z8`>jD29i1arQ5pp4~vM4q=704P!5Z4hTudFsPv-_(1p+GJNn` z$BqY$V$0;(6QIGnWPxlvzZB1t4&A>$olEHFk@L>;A_XxJzd?jretG$!tUY%fG}pbl z56lPb>7XJD+dXer-}zwA(6_07bu~MPRTc>Ma`ca{3L{6Z#N?a4f_wSbHARU690gcp zF#ODyrL%B%Kq`s3*PsCdz5*klB!({{jNur$aO!rYdEhA%Va()$(I8Pv773S_XEXW2 z&(qAz?4N%Gst~y(GeO}1IH(NSbfD;?LJP{aGQ|=Qe@<$edT%C9!aacrA>&`cZZF~( zS20HC?2x&KCVilbUua^2cbhBC0$jDn=t+qax15?hD>Dpqs)Q?!2i z`0*lR2;M1UpZZHBgv_nyC4lL1-xCT!G&UxIZ{FbQ!j7hg-^4`)Yy%WdY_5^0C$P0O zSBK334p?+{iJ(rCCtIF+(DJfaq0I<9AucW#JTS06M~xzN!)MMY+`||(YiVV1L&wBa zaaw-jjW1ocjI&{Uzgt3Q02~ai#^Gy^Z>&ZjQa}DGUae5JR^H+HYH4XP8(U;$b^4EB z0ad1O5>U$iBQ+h^i;|CsPD+&<8^-_ zxDbM}K>b8IDU#dZVImRy0g@(q^;)JH z4letoq-6VGUC>rqK$w5j2DF^ycLl^^l}^dPoUq@cv+cz^PjKomtg!h*l3?(4@6H{l 
zoGARPMiYtKqBCTl=DQmpaWL}2V#CPtZ==J6)6ij+Wb+HZa^X(uM<&cL-6Ha}fb8e?7fs;eThGvtJOM(oNW zAU|Fz9o+7jIh5Sn=NxCQVhM48MJo`j@We+DLq$)Y*0R}|@hSdlR-*xM-$R=bMu5P< zj5XtoadLzX1OJ#23&;jF9tLeWDzp_A2`w#kI`h=v0%=0cjDN{y;Di8hsVj;GlP1-x z>D@aWscY!9sgfzESTmZQZx351PUyEA|70giaUF?kmnOSgD`?g4`7#3 zePN#GxCv-IiPE1QMi^3YApmIr1#r*__{`ukb>h$nu>@K5H~ddT$J{G8AAz>E)WGCH zgC(|<>t{ieOLG|!SWP08q3f-Ryax})Pnm-2uDZH9hOWnt9(6M~Y&Ck&BsT}3Fd--k z&++OEBSqUcl{Gc*@rXkX)1oVE9Dhw*Y7%XC1kq%)f)}MB<+-0Z`8sLf1;Oe=vf@-Th6i)sCvU^EMMdZj;1#faT*K0YLq!2*MC2%$5bjv?nD(uwS2 z&PV_Uc@i9Z0*oUP9X%f1Bd-Z2Cf6J!Ia(-+;@7Xs;rQIYZ_;9=Mt3|!Q}f`h1ByL& z{JB{Y8ELSz$4VCO>)6FDm&@vQqf4Gj!&QTU{x(S68PW5XE+6MB03EV{)v_H@=d}|% zNYqFZ|1Q(h=psttj{~UiFl5r1_kQ&(*Q;7dvqA>F4PGkS!C94n+LE{5q$( zhGFO#OQCqYDZj8^@V^sVs|iebh*8+=F#!^ooX(>eOe!S z>NXRcCQr_o|LJ=OwY0YWRl6GF6!<@c52_oM0a`N-t|)T&)_L%gG!C#xaIt!L>y{I5 zz;x!_-{=c|Nf3GauT1@%kY3T&3|#s482d9}#$p^#n2nv?TglS2pS~<>2Y?O!%qte^ z@heRvf=K27zkcw0Ve`8p|H(XBezx@KQ?xB@4-r~UI2ekqC}qml|JKdYWQ{3PqJ;Qd z&_a4Eir=IE2|<{C0-sPKyScdu?)c^W0hLSOgRFj%A>RhhlAwuO&h1~$a-c5C5U`kp z(~s8)g}>N=moplM8 z#jiITPB95G@iRE1W$yK;zg( zypZhL6}t}VT>D?HHvl{WA%|%l7atHMpCQnms)ri_0Vk$A34ea`jG&_=rUN)`{rxc} z9lGtPo__9J(o2Pec4fa_7?r$ff<+vQp=W)k#}h2@ z9u#h`&`^+Cl#jG4^-X-f7v>z$eEm=D6eObBT7f}E9N=5?9>o9}#l{l#Bnq$gQ|Gj}@~*DMA*xnQ$_(k&Q0epKm*G zne8Ul7Oouz!|_f}HB(AYN2C`V+)G=E`UULcNX>|V*tV2nN+%(=JFE8JQBq%L_n)DuspJSKaY|e%v$fwXN^iGgF`iY6K<{ z?xn2URa=VmAOcG1O6WaFYWYaJfQ!(QHyB?bYy58e-lw1DtK2~KlNR%o+STu)1VN?<%wFZc4<~V78|nGb}4G+LgWik6*I57y1KF| zOEz8xoA}pmki_&mj zN^QYJ&mzGcc2wBF!jOB^9B-avHq#(NUKzcgN!DS{4x7KsaCUCuSt`cid|60k-D+dvk< z-+x06@%@`{c+d_oFj!GDk1%wlEaZ(*^za)JA2Aw$T)RIsln(;l4oeo>D26z${TYP8 z^}?8xZ6fNqgQg0!87~q>oU~RHu1cZ$j6-O-JIO<10FvZEv3knSultfdu}TBeM1kna zT>{_pe5nn;Q~>#JZ5-vM&n#`zPgoX)h&K+Y+)RSs5WHsBrkl;{N&1CE2o&+{+qV&M zLYDpu`^gf^(UdRWgLZxvZQ9AVt)!+h5csC)53G2}g1IZgX|e1ICT zv~wyOE?vYf5d4I()}>gtG}7c*D-0XP_NV<2@6dsP#DwU$uZbFyCh?n!nY#gWgPw+M z&4SGjPmtKRXH`{qv9&_?#@-YX#t2lzgwb>gGa)S%Av&vbhtlRx_L`LQkn##8Kf+AI)ED#p?o~XmjrTyT;`cp)>+^PCZCe 
zN>>u0Dk?zlo3S_w3=9Ncf|+Iki3%dl;td}jKxSkqlb=gX5m=o;Qg78fbj~<8!}xfC z>Gz>S{QOs3MLVX)VozuOBG)N*(l{k0N3K_%AP4zcyi`FXl?xY*i>kweIY%X|%U1K{ z$Mk~yax?D86CmWikjg7du>?N z?$@(GBqG>vGAyBi*aY~r+WF|!B^m&xoJSPBSjw^5*ZS}isfBses%?$Hbta}zqbY}{ zGRYKH5N8)Ya{OyNseuCr!ppsrylfVIEKGO!GSt5Web5e*n(Yqng^l0mxhy;bFBrS< z+12|L(UeeQ(hn*XGBBbV*gzIJ=fkFk&R^k7m(i4UP58wJ2E)15ckiRd&{XuDN+QNIL-^6Q$$Gs}*u{G>eeftivoL zHdg0GKJ6A#b(4|3Cq=hAyj!5aF}MI>;I;a#8)PAwD>!YOTSPGd6n}yvsQg0ft-y(V z$c}^7W2f)Q(!_?3e8efB8P7AFsPO3N`M(@(0M|QBMvf0RpaQz5!>5u~lum@diWwpL4yZzRyd&9$-UO;tb04G~mxuGE-j}=*Mr}nu9|qpt~!oyWjYNyLb0V4UyRi z5=hn~&HE=HqRvBidqwpru%M#U*?#;IGYw5)jrt-dp`FOftI26TRN2ckfQU zGA#{GWHIqx2;+o*E@a4ZE-7z+iwFpivk6#%S+efjxk8W|bdHk5#Z#*$`%xO8+%Zag zGzdHf!{GsW^Yjge&qpN!?8Lwwh2RLKe>;fXS+0e#B6zl)`NPjze_1$vCL&2}+Novc z52=ZneqB7X&Xob&==~i#bO88`!)=R|E{ubipcxIKY6hmHp^ZSroedj>u`9hOYkc|;vRo)SKQV*! z?VzTv4*Rw(vbeFKK>+n>5ISFu4ME~_%4B3z9k2@stpF%f4brumMGr_edjcB6onwuJ z%&r~Y6w`<7fSCfN9Cki1xL|Eg9=3kGii%~M){jQmo)`CB@KC|fn#(}zOT$@85?UOD z^|xA|b`W!zf7F;wy_E~&!>YN5>x7Za<1^XW*$f}foIfv&oLPhytHwUJi`}q(J)o>` zmvi?aZ9vbG3d4n&7BJ4tBTX!L&`AMx)1{J`j@B9N+ef81BSls}w%{j=U*5++%Gw%| z6ibH@2C%h)VT4F#Ck*?`XiE98NlK&0(=cAaf!0Z0sSsv2E}dAIwvtYVl8||gPP%%I z3MRh{#3>x0{+Xlh1n-7}Ga@cw{12MeO&m@FR(<2f2`KR9@QIN|JZA0i_i@Tj(9-(G zXi|`XP{rA)n)8BjMeN(J-^wYM2)91)53Bz=zqZ-ElznxF(Q(?Er`Z2~z}FUvj9IVF zzs_!IG4P8sr%&T`wbEFVTY{9iqkJbk^!0$)f~_Umvyl+~I-9md5Ea^{;LZ=UjPK=q zeYPOAz`>xPAqM}}-;WQTc?A4>E-P@(@h%b)vOG&7zDO|Ofxrkna-+-`nMDuIk z0oYhFLfUsJ8GcsSz;Dgl}3|ac^zK(2_ouC>%VBkQ%b=l-fyu$UstCbP{HaTxy zNIKr$6-za=#HLv$fjCm>b`%%ago$M;Q}m-bp^g$@Q`xX#VyBtQ@y-2YWLj9okIyT= z4!i3x0I(0%ITf2zxr|uGacj>iKSn=mfW>8UBHzrS@q_NM6e1s{8Dohh8-AI4(pQRH zoLtej#W#PXTs-u3&4kpoKFxnCrBA=q{IsWzXH@#vgirsPh4pr~P=C58JX zho0$ED$_hJe=s@!9OmS^=N>CI-n=Cjmwz?=&?AqWO2d9$Im;Tq(jY$GPNaf6JF@4F zYq-V#*V!OPU^!D+pL}m&Cqg7~|DxX@=PYCk>Vw}0GNA0w~xsYyZbK2~Z zuyEmK5#Ebf#t(^lhk{y{hGyY*dToxp&D;At3%gslv~`wXLEoF-7tcl3f;jdzV&?z; z@|5&+Hspl_OMYhSDT+LS)4V_@Mi^ypPCG?T94C!MLK^hvgby#_p~(%PmMFM=8&{*b 
z1_t=6KJ?8#XwNToxB%QF=hKi(Y{VJ!v)3Ow37@kKR08mXzM6u#`M=*A8v^%2XM4VF z%FjPhf4m$N=%Dv&i&I7nRTR{^$ zwr}6*a$LwpLX4bXR3enkq0!Q?V+6!s5Hi0 zvY3NjfFZ{!<-c6Nj#uST#2d_qIqwlI?uL=mmRVPE+9vxSl4)L-Ux2?uPZzn<{>WWV z;BVwGXt&|rzIug5!<*{>Alg#82%!PhH{yz7jvT5gvoN9H1@fZS13$mHxSblk8*RsV zx(Xf-N}_NBcUVw7gFHDOC1yt{-{@bKQRUgWcn>p$$+|Y{=CI^ zm>fP-UcP(LqtsCU8#dlhxd{)Ove@ZTEp-wI7HxPF;xiAAF-l5wF#;yCY}qp82DYl^ zjMV4`pmU@++=UQu5-nk?Ou2NM9hIw~hlf4{`LZ^V*#N@c48*X=^k5B~VWHCg(Q5ZD z_!vq3@-)S+5Qzv8jvsE0DTn5}AQm4h`F7mrg@d+*;$azQyo4~dV2!A&M^8;Be^ z)e0t@cqJ4S!E!EGZ_6x&`awt=Qn^WM$1drQzPP#?`7AvJX91ziIKxcbJ(It3K$xB3 zaO_JK3j7D&EuWm44S~^Fdse>Ae!kL*A zxLHolP$<3h|LG^9Id<461uDBpHdi@cMzv9$aq!?lrpS@yr&3bh5l=@=K$?ANX}Hw0 zH*dy->XXLk{_XR+X525mcyi7zE;K^(0lb0-hX@notyc#h)F^7EM`KNA0${*bxUjC? zzkq$Rm_C^a6`L=+z~&L+Wl+VaQzJbuh3BXwcca8$}HgihQMGUej3z_Qlui&P+l#*f`XB?g`zd#XJ z6nH>P=ASeq_v_!EtG2Iy^2I)dDFD1+Ue9x&$GF43peoM1aA87sV-u5eROGaI3|j%` zUb>yuD@Z>efHTrfTtQ>TiWCpaJRiG)iQ z^46j149G(Qdphya@#Dv#icXv~i7j~07z~@@-Oq@6y^EyeMVlVo#O`$X#nJe4rh)Y% zYpwILabMkK2uTcr@vVll&Vi<~EFX`;GbS+~H8~g=dXa1s0fz<}1UIEJr@UxoRh|g+ z4jju!k&}v+p|Af-R48b~Txm@$C9jZk4n~G^d)qq}I)K>6tjrk62qz`=li*rR?fpZ4Vam8qtuYBhwe@@vFH)nCXm^$06&IY%7} zl#8}viv-IAx#KKe9(NrY!IGmcXX4|*`)+Znf`343#5!m^GhJ#znT5A~rHGNG$_}#w z`MlFz$+7RcdcFI!re$RpD8yNt2Q~uB@fKl(2HRa%=B0p$EXs6=! 
zY-&rygrI0rA2X(iqgqwfSYty}9ZZ0*F^j(gZ^G=DIeoeTeK62F8UtS`P-?D7LUAGn zLBHbis9~1DE)cY_lwWV|MfVpw{9pr>2Dj;a%5i9!Xk|`!^7~n1j!w1Mz~%-kmq`qY zh>pI@1O>bU>H@u%rF)$4Yy|C4OG8YE;BpB(3^m?^a_FKD#1AS(A}nCG6;rxR_PPex z!MAeA@~>ViE}ozGsLR%9`d+^xC(tj#w+!hkiR^&f?&~AKD*(!1P>?j2P=%ua247t_ zX%YMjPV!FjymAg`HvD>eG#qs_0*CrCA^HIK3JxD*OLcW&&dSlsse?d+tv$@wNM9iS z!b?1OQ0e^)IAa5*toP(I&>b0%3+4Fo^j zkj2#7F_Gy>Nu0r3sRKFE(KPDVpBDTGev#I3X$FR#K_dfT+^O&1d^7tw8SY_sBf!Tf7r2dRSh4$9Hg4R2v~*r2#cI^px7uEKyfjLj?|~B%w0hW>-SHc{tFQUZ4DYWTWSAY)l(-czg935Mz34*#CZ~|EU*i3hAE=*5S{U=SV2KK= z1Q@TZw3NL@2{3u`3QI+4U?n;2Q+AG`LmdG6+5U=`vMtlU=uNeKlK148$+6>g@vO=kDhZQpBfM1rlO*MCJ*2jAsC*Jr|oDg`;- z5GfUO_1|@;kEr!Rcu`^Xh4mqHyYR31G5jy@8ihh==gwYRy3{X=?9^qom$!FM9ax&> ze7G<>WuJsj@=Qa$7_ym%ji0I(7gDXk>(tqfrVdIfL^9vfLdJG6MhE&=zIt_@o9oaV zd+STH51WhxKz_(TCd+#6h)`V-OY!;L`#)!_2qnW5bS08$9G_m^T&bmf4VlKRux zNA9vmGcH}4GHe)b&U3P}qP(7mLzJB^d#R%4npadh{Z7>sYp_yXR48!DgEfKVH$2>b z>#tuoF+2Y?-BjX<69*UpQJOh^8igI5!L_XRbOvX~pJyjUh7?bzdGVs;=(XN3@%Sol zu+C07Gr@A0dKaeX*j0RW2ZQe4ZI&Y&Gks08)#&bByN=&~t&KQQ{waDI zj3tplcn7hJ%fdpTA^OnTx(Oab!jt7iC*#i34vRIOq$L8$bE>%b2>>K*b>X*JF-9QS zbvqQIUOY^QOep(HY)OC4Ja*@0{9>R+GP!%-#<4huI%Fj`ng9xHR%VRHXq1_Y*=5_m z1Af+tW?>xh@CLHgDj!Cq)ADxT4vkn4w=7NmDC6qXDCI8@Vy2b#?%6Yiu{isbq_7Es zy{L6!`nsKT^&8&--cb5}M%#x^Sh}k8ub++Q|I($g@ZqqG;FL_731{faz<}-Bp=1`^ zya|=g)IU2(ka{_A9)nPAC)^CmiFM-CwUyJHoRsCSUA-zlVuaqvP_$YwMM(OBN6I`O z?aaYR>jI2H$E#~=7c5-p!Ihn0+FwqtBIcithvx8K_fg?d)X`8kYiajfSt#K z{k694*|CHBb<(<#>^c}~7yv8DAf=%8FRiGUGIs1;{J${#qI(;V$MHd5$Ea9nVI0)( zT^?&VNsSh3*oWMJ#Q{inLcY)7d^qSMR0Y}WAn+!f`c69;Ko;~Yd787f%2std|YB_fASgf)Wj zAWd%y#}U6SLSdr3{MEa6lQS|t(vx@`u#Ku?T02}c5r$KB#$*E*FeXUjOw6#Syr-ED zxW=-`bP7U7w~|dxd~Pu{QxZ+AK1}3h)8Xu{Sl(li(?M$wGGa9;~`>}5W8g?x$hIq? 
zT|8u;aL5oAw5}p7YSVYG&TID*xImdSl_5deYF!_^{2+0v(8F6!5EpAqrA~!G(`oXz zw5fE0wyJ%1U+3NP$~r|`Q{aHsD8^A8j*!1rUjB^|G2|XMUK`8%Gqu)yp?Dh6Q1TTt zXr4Z+kNa9jB3#|6U!2MD;@wz6O9e$l;1xG*L~qj))Jj<}zT@23o4!&66k{c({}Q#6 zpHmpKEbS4(!ob)+R;~v_Xt2?q)*YT+%QHk)6!qTWbo9fQSvp+D-MUC`^JX9myT~M{<&I9 zu88RnPqB4;zpiobF;15Eoj!A>jEs!2KF@rd&i2U2GD;4`IGTiQ*k$Hzqf|IY@R;g%W#nw4PD4R zl%t3>d+Eq1TiAxz2t)#17qF#H^1zWjgES$|>F9Es;m8s9p1V=xi%J%6#R%hws3=6D zwJyTEOEHehQ6@;pQk$<&&%vZvLO%OT3QSgwwS(ntsakY`uz%8)*s*=PqN3vAkkMvI z({$f)XpM-&O&CD8=MGy6(~x`I;hlU!8As05O)+vdJT&QnYCb&j9zkF4%^uSO&Xf*- zuVNgvqL%zMI&9r{5DEN5?0qZUl%ysh;$?&gY%W}iiTa+mnnlfDhwjnTk-$#<%*m6n zAp&i|S8CIyA53+O_0f5bc08B1;fuTeikUNcJn+?{j3Z#Lkr5{0^)hb1VjQDT{s4L3 zT>~Z>n-wmh^Uw(b85t2rK2@(ErS)CtX#0`YyT1@@O?L#d@9iqC>#lBTAEp;Ic3Fow zlOuN}`>Ac0Qss_IwJ;oU2-8cuAR2d9o$Y8a_6iBzxcw)a9gK>aGeQdj@ZK84WqXa` zw(yn;LPmrbV{A{%pN=kXhErZK4(~fv`J;^Hn3IRxBT=oBUPbzvL2+)pQ&zrG;b_aW zUB+A>aa7AXH<*%Wk4QLkMkeek7_x(7h#o;ucTi;xAAYVfYtTuol)jvYOMG-8nk64K$@)#ukK{_wB1EL0M++D?)K{KuVQuBA?GcRgxEhJ5QY&ZTuO-EeXBb zH*X#d!MoHv#%O!)GvKTF`c&H0uU{KVcu^&dh~vJ7SKzys5q=jv`V=+!qwGwbpt_sk z%ff5e1mh&DYibBqvetjep}@LWbUws5A~cji#uXJ(N~<((<0ebr2!*T8E6bYYaoM{* z|HciemTq4usQfHdS~^jnJf4JTFQtJ6%H0wj8anKW;(c{rsi?Y6^4T4ySIx?@9JMFsu|Uw1d+O|(d8BsFbBAo3319A7<#)O2H%NJF7n@sG{WeK-xA}BrV#cSThwhkE zEz~*p{A%R6i(co3d#T7u-fCX5I#cTPa^*EH&(i0(1Uoz*6sb_EnlaHLnE&wU;nhe{ zrq|k-)G*~WQ4cH?0O~5PR~V8ZR8?4PDp=Zt2$n9 zcJtKI%bhot*}uPKv2okN6uWc7S0p=rN{GH|_>SLK8*QLFXJ_=?Fy#s128L0?!wj=* z-dbM#sMcv?&dyr}`*%hTD|Pu0P&VZVA0qm0_M+8cwlRIPSLwpiVfYScw^DH2O8zi= z&e9Tfp4F2<%rAu#%HPH;tkw(ae&;MpIzUotetO~g?)~`DGp38q3vtY11xE(R6n=xC z`=C6>`EB@nQ-Q-|?JWp9XdYF=cS)(jzIyS(A^a7H6+?IZB|m+CDn7_KtUXi zlQ&#-o$cxAt>9l&gh+GeN+h2>>%&3;86`2@ckYTJt=1=Wmq1FrJGYm&1?7Y*gtdgu zR429)_q{N;ZG4XyjMz2;$5L$Sz9Z$xVUB8^ zGnM!=2s%7+zl5b+hj*Dp^O)YR7OrkREC7z!1^K*xp)G-2<}=b}9z z;Tjqx`T2S;bQ&I<+P~K}rv5Z1u1*k0^Bf5r1E~y(gb&{&!BlAXgbIhC8bBqQQijEy z^`Q5qojuzt=wL_)mj!b>v*AdIHbR@?tmB?!ECOB9Pb8oyvUQv!ZSCqk)qKF-n2^p| zuX($ML0_+S9E4e1r=b!WfuvoxP*GvYbyF{J*RG4^L5P(2fwSmB=e)z(cHY8;3h&!J 
zE-lT%gH0#M&;IGzqA6wArqEN;n(N#UuylMbpb3gHsi?vhx^M>eQMR}*$_Hf835qj* z$pi((8W;ay$tN3NQ}B4I5O0gT;FD(m-RV%(b5R#3hL+!XZ=~k#m2nO7+lEFY@#4Dz zK(*^0TM_P%aT#JXl1~-Y{-yo z;gWKJbGf&MvbKlLkfB2(MW1jlMI+yP&h!|gi+nI@EN~vl92H4HiUvMlK768zN|Ig> zP{wEl{+z~Du0hl@j&t6D2q*``Cs;b?9S;tA0T8$E?YCIfS}J@ZL49SAZH$*r5UdO7 z{{6WuP8!Ec$kVdprG>R#_V%p+Z4_}kj7MsYVG&{a`<9R0xi%S&$X;9d6-tFdHVjuw zs(}kReN;?LsqBLMrs@Zae7wCk5~dDF|Gd2_qPVqHsR2JmTw;#$iMWgNy`NTyMbI?y z&CEEzu+g2$!`urU)L1EMBGGhNdkL}bfqj_fGopjm(PK&h$HzIte!G{mJP~m?4z1OhP0QQ6x(tG1=--Ato)P zD59hiO2kkZTSg@+vW6s*v{0y+CY7>fX|Yy_q$Cl2zw61&_xj`eyiK0vzOVbb&ht2r zg+Cs4GQdLo)xE8Zqru;hLcY?|3EM>_i_v0^Cxk_S z>3Ay`!?UFjj2W`xLt$#VEz@CE>|D%mo%CpW;fCR#1Yl{5Zf@D+$y*4x{rJ(zCYd4+ z09Y12u>Hn!@N`IO;m%0aUwWlYJ4P)De1m+B&cZ<#`_A6-?ZB-pV`ZZuW?nqVe1L$z z;NyMyvW_FHqT)uP8}%^yTWf7}5Md@7++~hi`E0htq1`*iTj4;yTrUCyn~fW66CBt6 z9A=p8@<+nL!@{u3X$gjczV)Ll-0Kzu2f5 zOtSLWb_+sqGR{a(uhGcm+OEs^zQhz9@LXIR?(%T0RddQ5L!eACfcm~7q@YL1RcWHf zd46US-th5bx>~52+y`Qd`yq9@|NsbG^Gp zTJDX%>(`SNjAXgDsV3~fIpF@k{~j}Uh>qxOmo=4ZXfW;D7apE$kQ?8kDOT{DO_vGS zhOgbiMDpV5$&W`;(>Yw*1g+`uC3Q&=^nz`cU)UB1`|hA-MqgkDd;$7$V1i$`0Zn`En^Ric2$l6 z!eK-m%G8DSfbrU~Fa}mzp(rz+mUSl#afO$}+lL?Mg2L{Iedq1N+c`N)F&_@Q!@Z;8 zWX6WNPKE-DGxY7-X0kMT?wTfj4X%XG0;)@99yD?Z4u8m;x7G`uxi@@xjt|an&Z-k( zqWEKT&C7G8$PK##2*NpadhTi5>ULP3wu+-{dk?DtH>3R! zPK(gO(%CYgJQDUDmrat8`2&x!N6beM9EioAYHO{riWblEC>Qtt41FU;n5A%)VAL>F_AHpD4J$LAEBs$$02e0eA;a|`#+8Z4hjnCu9w$j&}4mzRf)R~MlA%R2sw$p6lB!~%v8L2aN?4uhurkZ$d z*dQ~e}UCUX4RvwyuL(ZPGuC77o0`@aUKJ?O|=8Xf`$RGBexB_28D7Yw3_K{^aUa%h>gF z(*YXzG2F++1-zN_CG3u{y}ogS&9{OHOxPWQE|>&Ig{H${Dk_@AieWIc%W@s*0_wR! zE*q0{;=~fz6+8sgo83d2p{ekhP|?gcsl$6;TcZi;eApd$rk}rjp>3@xN!e}rg}zqK z)c*XUUt&gaq`-OsEaSo(#Ux>}z@&y_%pZYSfCjPxyV$vclX~>%X3H=4=Pk6+6z)l2 zft;lb%1#O-(%7Vq4&5Q*CEsv?PnwCj`M`itre4fvkOykT04;EY?%ck8oNt{*j5p*L z{w=RyEU>-d8cj3-N5g0ez}_aYXMcXaLv;AuEip3+aU0buu(5dK&;bLoF#%NS-#l6? 
z=9MqyjmuDWTvnSMcZk@}^he!{Ic9+(aBabrCjhTonU&wY<)Z}&8_+W2#EBrK{vQny zC-Jz^YIQXZke)knV%jNt@EQGY&@kwOl`Q#hxcFh5a`&~IdaqrY%#dARFpue&DWv3i zd4ZpeQwaFJSd=kIP77a?*w`*cvpT+GWCD8yb)%9c;e6KCgFoJj*y4KeF(rlZpSNAK z38&}J*|VAfatlluI2x;URzJ?kgONvSDw;22F5Ir7PD5T2Uig9g&s0e6?A_NGnTVTD z;r}yar|uTTG{lNoFW9_nHIWV4Y1(|=`qx&}>>&Q^7wU?}AxIpwL$yCXE7i^gt_e3C zqat6af!Hi6RNH%CnQpGJ$1_g~ASE!OqR9h)W&(F<+OaMnZn`Skp=Mecjv?^)0}M-b zb3vB%#7pR#dDZWTPfWa{m-?3z^Qj1@XN!}@DssxFn0ti|wUM(&sl^|lts*aQY;KsPdTNtYd6-w;(6lpWc2@bW3PHsdsUcpxcwS=D@WF;>D@NMB zYE-T}Y!wGb=kNOTioNq~Y?fUK(V=i!=08y1)C;2;ODrNF{w10d==Q1Jv11C6a{v2_zI zhV5HhU91DKklDA(C@)ozibG`S&?El*o^QjLmLnzL1QTAOHegWb$=`kW@D=8u6gt4y zFcf!9V;u01*$B)E80fDWDA|SACq&Ac8ib!cgMi{pXUu?~(|ue3&<7tG3^w2?<8v-K z6HaFvEAH&v)4V{Z*42gwrEv(ZxO9+#!*)O*rR!u1@02OB5yHclM7-oG@WA~;&+*{3 zH>4xB&4SRkKpr$MnxW1ia900%i4VE}P5k)ki28~RdDQYWE@=1e(SvGoqIzz-EtvL9P+`8h4H@1BfNW@MYfpBpz*LQf43U~7{?-0j#ZjtDV-Fg~ zXHv{rmtO?GXbPIgn${ciXg$wbqS$>@d-ryYcu6G@5n4)VE^f`d#J^rrajpu1+gTuX zG2@Wz>};KLF9FchbE&h<&pJI@G;)wl>O-c0fpumkUbANXRiy5AB_z-g%frTZCHm^> zM{@VNMZ6RY|MBBHoy%oyn1__g?nb5fz+3|0T91L93SDT-_=MBOM;*Fdsj(KL7FOwl z2lG;Yyenk^1+ciqism72fmoO>HFYXD=d>yWS6n~=#L`U-yeEbosSjxl{TklvMe3mO zs5$X9@Lf~nTO1(L^@U#r#}TxstdZk1G&Fb{SfVbY1i{2Bt(n30pSyRbte>WTHH3OD zaOhY#m~d`$_o{a7npNMdaL(zO;uj7_gfgN%D$Lo~aDuI|fo|hX!xuIYl%HLUzgKmg`ET8P z0g}r_U?XvLI{?V=0~0s;qaTNJU%ZroxW}CTMJYZk*l?Jp8{0z$Z5tV&uFEijU4q{f z7I&TBUxA;eJ~@c=tM#bC_)vzKn;n4{R%F7VvWPZJqqGOJGjmT819eHwO8Rjo8X2_* zy(}zl(PY@ui?DHBH0YOn8V`qr3DH&9Ry5&#P6dqRE8N0Im!|Sh8})-6S)*u)nd?!C z9{{S(Z?|%Uj1KTH#QxkuH0x}fY+yJV572%q!0q^$^z``;=Vsj;oh`#f9)@H(e6HBH z5PWJh`5v%#X2e+9rN|+lUO>dFDv3!kv^jZ^1~Tl$ZJVPCra~kIJbzxdvd2%q2rNZv zVF9sa0{U13*XJ@cCSf4>DX)qM0q~GO5<7jE{D(6f(QBDUcaXs_C5vo|QL7in^Ql}? 
zg8Ph5=FUi8(}Q*E*3C|}y#RPN>9BvJnPUM>Ffd5v|5*hO=8kOA6pm-mN2ISgHDq6; z^qlv&GD!cz6PPc;6CnE}E(>4}vbiAggm2ib^;LIun1iX)2xWO*%4IdXH7MaAb?k+5 z|NWY#nxVj}(;2{Wr1bAnz7KkaEnIy@+6hLT%a8Lv-L}0*WomAh!c96{#=!Fqo1mOJ zJ9Y4%f4X?8LNR%#keA3-_=HgG+8aObR zkBl*z(6+RPb@&Q5HzBvSIAGAFcki!Y7G&=#f9$j26HgmBk0E-_fkK z&UUQ)vR{OCSumFei{Yd;b$vdmxe#_(;9~?vH-B@4m zD!bwmN%9me9kO2C+`LgL*4AD-fRWXvVi6)p3o}bf#}cmRl`26(`)M=u>XB)MvPH;9dj>|5u9#jY6k+=@DUK2M7lzYv>OlU**MAd) zG=~}32-8Lpu}UZ4`eC_v>ODq6n_@{M8+Dc~dOL(W3?>f9isY)PhN za6`RZob%&`Fvnm-a6Bwgdq>~dGc-d<7)!Cj8-d9%Wph97$WTw!t?{p)`5(Ez9MZU) zI^b($#nf5_5aCU`80?<6-U&Tj^3)xgw+V~D++6SuMtc?s*^|SJaR+MvG{$>ApMrcB z>+7=ZGn`mL67}QsmW0a59!}TiPy6%&s164LVw)o)0@9(NQ9Wgswxdk(vU?)bltY#pvZ7s%5pFMoZr2zwlS6V?`aBr%7HUyuJ^`$`EGTRpQ*5X&U$)Z>u(YL>efV%Nqj;pG6yo8#V_JL4<7QsK zFqDjjX0QnvKy4j8bB~7^`#Yc5ITS@JpA7pW!!z`#WI2{AGrrKo0Itd?#}~ zlJ*Fx(N?^Gh8^ySeh(SV`q#h%Tu@u1aM^j|;-$dEjMB`m z?-JkGQGD#35Y*SKNp`!l;*hzd@glAYNOdy5{MbCi(FFp=nJ{GU(UPWH@Wf}&{_v#b zJINebrRV;sZ-xNMpi1-1VpzDap#>x4<5<^Gy)x`uUY|S!xUA3aonFjAfyUOF=4@o}3o!8d~BM$G6G`~nrE^04_n;5N^6!=1%| zh-qzo;!^yi@FW1I8r5T@v2PQc4#;wLeb-dxM+p2;&Rtgpqe3CA1P98?dJDJs$%Uo6 zr}Q78uSH~tC@1y>%4hF4J0WD}yl$7yBO}bn5a~5yQ9#9O+-1a(4Y{f^Yp3NncpKoU zkx|@QYK8B3!+~lfYP;%1Ks%@ew|n<)MNQR919z}DXk|3M*qQR}m^9dyOA z?|kOh9XATLzUa6$VrYHuTX#v#?8T;Xd;iL1Zf@N}7C*8By>#)l4(;AW95gg=p<7)N zZ>1IWo=@;V@PK`JQM+G*ju`ijbV|$}fD}LPt<9RMjy}=sA1k{`4e}!4n!0FxJ)FLp_%o%mHU4WVGlKn6Er<256 z^9>`{{-i(g%=z=T>k@h|u{?QqbkmFS+DAmJ6f7J(YS0;P6G=^bnvSkxlJ~>Chjj4& zRjqswjB<7#hQGT2rd{2mIBZ~mUwA^X?D#1$KB_~JyYrGIKzI5riKf>Q&)CMFjgMad zdc_bpYGa$9Jtk)v1cSb_LP{^R2bV`+HYi32SN=Oo*JX(Ou%118f{d?YR%18cuv6RN zz^g09wr}v~!C-WWW}mi$Rle$i`mz3dP65nZT=Pe}O_kIztH+fU*v|~;O4gH5og6vR zX2y=pt6lN<>D6mpVP6=W@yNTwEKw%@SNF>zCJlmDVbgI!jZK*8B3=!jx9;!4i7GLj z^4r|I$wo)4Oaw;AXJ#nCQ|kU9vy4Nm=gy9jco&u!lY{g}^XBq#($kwk(0$p@ppZF^ zebwiwMQNU63y1KNbl(dJwb7$Jf3z`XnqQe%Jn^mSgW|Pd&^8KWOfv5kFTLAQR%d?~ zauX^s+Wyj`RcXXz!#-rQNOsqo^p$IYOHV;iwudTKAlBh9(B-oSckgJI(&Om~gWym^ z$N$z8+Ic~cs?~DniTK0Ik2}C*%Q6;`4(>ytdw1nqi=pHJV0W~h=iG2&La*Ul6GKIZ 
z!kBFGfX}aV*gRl28uP3>3ou)QiYx)Zk@zf?5~2A=_(e4b8ab(2;1D zQD3qoI_;PU%!04T%ku=pM5Dm0?`0ci8T^7>B2rbkS1$qq<)f>Ft|ThTFI(dy0tXn! z;pSdsmiDzxo$8X!hza3ETYcjwPX#DR~4_Pi2Wm;|?w+b)RO4uI|? zM0F{w=WIIAe^onjl<)$qSO{M`6DVGqlLmJ-9n@HK*d@F3A6i zHN#6?3{L>)=UYqWTVJrX?pId#mYrVbTpLHWDKl5(o~L^ zOgPgsrP4&h{09#ns6v2(ieh%isLV@ib&w-g#8J(jcyz(c(W-yEBqbZGi-{9T5SN_{y@O%Tc%p;swMdcxW4sH!@$f!TA`=*neOPmp7 zPdESJc^x(ASDTW?ZOJS;-VQ!FAoFR05%_(eB#0$2D450fC{)d9fH%^#y(oNj0)GlTq>GxL_?vPqbKGQ*mLTHu;sb%9Kx~@ROUKmX>6v0OX43M*zH!Vc8=)( zOq+E`jE`5f<_AM^>#?<1(qvuPJz{qUhRNHvFTbM!ujY}4bQxm=ZoT^+Q-DM;%=N$5 zYMN7}&>W-~p2<~v;H1~|^(zCNC(nD~lR9F=`P@0@d_%3n$;3{(G5T74x@D}Jk>q%j z+5<#X_)w=9?6ee-!q_<4wRmd9VAy3oq)lG7`~IW7m)yzBbc6|H9(nJj?xwHv5Mu*_ z436P+meuGUSMR*`W*T!P!NHnY=ia;L`wkAfQ!-3t&DKNT1C19D2`pV{mGtD9drHcL z{PeO{2UUxYk6ZD)^8@`W?;O{LFd+qs+nAoEM10Z(%ILGAebmn+n&JCF3`XN?ip z>->s>0ZdlED*D3`kJXjtqA!<7#%Ox`Qu^=O$KP!ipmfCz!(5Js@4V)}jase~pUa=0 zQ16;R@n!$A(%hE^?dQzyE&9v&hjv{x?>=sAMvH-?IAMoNUn4dIgth$_zxZH?9xMj+ zE91L_1l^sbV-~9fy-4*--rOrMQ9Dl$-p|h3m3D)kZq(~HzpHVad-5`+YZ+^YABvV( zjRQueTr$&Y`0(N1tF`>1U?#zprsR7jR7o0L?NUy~7rpkTp>A~RG9cVpFzoJUaX!^} z_$FK~aMJ5A)EFCQMzn67e_qjE;NHD@Xq5IK2#2;j;mE53+=ldv*k_vAq_2V3A zUfm+w_srG}yTcAZu~2^D0A9L!5r~S&MvIJyc(mrbGNZeIznH!^misC8*-*5G-_TWI zWOUxTZPEsT1YBA@RQ-CS`_j#VjB_m+4&2V3BfmiK>DxEB@bFKl5L=q7CW0O`dMRBl zs!zvz7uLhacO{LT8;4zr3s~om8Ue!(;bz8Y7CWMGUk;nIGnkL*-QHyjF?6(D|9>}j z+(7E{XT06*WJr4K6yM4xy5mm8q!z4O&_t_Mn-#GTfNjt86UdZlXdXpTvU?ZFwQncU z1~4+05f-6-E9YcBCEi0~cQh<~-#*$CB!Ni>k7V(qchiv7@eKFn7Ql7<7gf?(2G)CF zDNt&|#FnO+y={(n1R0ueBurMmxK!-Bry`h44l@i3doVtLn5wLNRH)ex-$&_k#`-)Y zdB}A?Rw!3%Tacm}nd->F{#>x0w$k<>!9|Ey<97?2D9SFNKjKgpRa^0)lI%Fl0GkF0 z4uaixwIXiLvXJ{cWean9!ChX=6YeA_v>i#{EyXJU; zKBJ6BV&OcZKmGFIy@6Y|UWM`|J4_q9XY2Ob1<~qnmr;1XfRO$anIQRuJXzcgC|IC%&X>pP^a8Lj@*aT2Y9LkMhQ~C>)Erx98_i0Hs^~~|q&Z{$A ziS2P&c>Bm)r%US^NYOjLdNQA2v`~-})C~8d@oEeI!(qpZ!#+WNTVJFKPXw@A0c1_G z%hcUz6-NXiq<}R(KA(|bffrt}Pr{hz9$GgU=w~};#foxGciAW?ClVC{yi>N}ajN49fT0!Hzhh4ehq85kC$vA^9bE<%^CdK9D 
z=c{5u$BM;j%f(#v2SA+ZU`;s*oWhs^ty8Wis1(<@=q#i$48fozfjR%TxT%xr(uNHf zu$b)}j>1%dc@5JOK;^MTdq_ zQgwCI{{8mzG7RO246jOE$kPdh#g8dJpPoWGL#zn_!9V^LIJ>%f zhSm*XE3@fqRIXFk?=!SyaH-^R6x^bk@{A~@=dio}y;~Z4rDUhXv-g2+X{&Hoi{8NE z1Nve&YJD~VL%6zbW$Xc))(pkdfnzu94$mD&(UBWJs@ATB^-!l+K1_#nb(QQU@Zpor zqOZEOf5a9cvv4>6uyf!9o?JIjJi!)V&MBs-nGOl7SBcNwJNN}xm1G2iTagAbszAa( z=`v=yw_PBa-jIzR;)T}-s>1#OXpn7wVBk7{sTf^w?g2MTHL||yu~dc?3XU@>t6&wsl3Wz&jP!q)a5#+RNnU?Hsmnw)k%ZNqrRtB)yIQ)Cb zoYEZj3lO~ZQ%6_9{bSr5VfNq7!VC@XN46V%{e4xwKL!R^w(=B$5z?an*VoV&@SqOa zdz!Ch<$go}ZUtDGkfTxd-@`IwuTXo)43Z{YCe?e^{P~=tFeN=a{`=q~U>A<+6@TDQ zrWg|aBwka{HVfUmhcM6l)rS^VSD!A zLW0G-c=S3cC~T1FjZlmw{aacrvKa%yfBN(g1bqMQj8msiZ(&E`%KyNLbDd!75~+y| z>!R}yf9$h3eb~lp2GE(fmM{MxLn(De$RC?E7$>e@I|ho0xumGG*w%PR*@=V@^*^u@ zS|yJURt#>SWQaJ_yFQEWY5NN3M(pUw1f88@<`1JC!0QUX8U2NGv3;XBrCd&B3&jG^ z(-SF8Fe$sMR$W+K(neAvGK6I`FThhS!&(q_<1s+C@(K}&}GbKG;v}J!3K>VJ~-M~A#G-i!VGVMZylf*;ZWeKpr{Nnu&2O$ zk`v(z65g7QoX<2zv!$5U{r9%Si$d(Aa{{fr-zjP5ZI@C8GE6M2>7l8l_y=Te06;gA z-3!C5mx0G&X$)t}S6F}mN)Mn7z?O&lvIY^1&@{l_b#QQ)KVS7kY1>JDP;x)QaO+}x zX8!(et-~oAGSoQG0T})rTlYu!Ghd^TBkQ5CF%@8wY54SM&8k)7F)W~7<7lSr!Ll79 zPir_^7v|(Bo+Hf0;GIfWf5^ad5wt+Y)~U_R$`(;48dP&S$)2%r=Xlkr?fRL$gkz2U zUW}!uYL4dt*bf#b$D_g_yixFeU=)8ad=G%Ta^+09*@!U$k0vF3#5@3qxp)w!zbQB@ zyp(Z}ZbgnBI(BT@4bOzf2ss$E$p;}!7e=;Riyj?STzUpMqHe@uXu*Oqrcn5jv|21< zON}||v}5W4CNY*guE8&GuY~r&0DxcP+u=01eYxGCpC#AIEa|&w#-gLez6VAis-0`$ z^h&IRVcIIis4J~{&TFSg_!nAIl49nQoPwT^NDNF1P~h8mPSBbrtS)E(4e8a;Th z79uYlE})dY%+Q^L5~_GOuBo3Shx?!p1cofm$?P;x+#OHV9xw)~t*(937&_FIs+fRv zcy#C;M?A5IpMV=ULcib_!uNr`vGy7Rvg6b|%wxExJSFU3(rQ}geeI)k76M)+L?^j#1|#>FY zpqVK{^97X{0Gs0#1}jWxEmen6z2N4V$zg6Zc*u~)sh-CY9Dk?P0uwu+q#X3z^IE)<&l z-Uh2wd-Uyl1yi1ZGs3}$flR2)VDnvLS17LfS>n-ywE$EljZOH+WQWXeE@1?N)8-yS z`(__}MN}linZYs0ox@YszAAbKVocQp52X8!8=$rrv(#0qz%T*VM|zHwRgP|-p8|sv zWA)>)mPURRU~-tHh|u|W4jwxfTK2i%-uj()jLGc7>GLPnA^w-mH0wWp9Hn^2orwyq z_S`&4?O{)E@APMRl~)6QG?&|^u!me+J(NB5aXbhPQ9!e#Y-Byb9sZjXRyASgDPude zXAb9=;#|G!#`5iB@B$W8qdE*6)#GCq6w1SNr9Z?M+0iD4O7L+ 
zfATJwp%fht69^cEH*ZRR)HZCSw0+}*9Q4e86`Zwpw63EuLMj}e6IzcuzLeWu=4YC+ zJ_k?@9qjoZ-+<}?a+_3me}dTpg{~4N?QYvFkp<6Uj{(%JPUgENO=bbXI}lo0yliAc zYO!lD`lA^xrI6Gw_i5WHh<}_kj_C|UVO$V6$NxQsuh%yNMIdjWJj401wc?0ktRd#+ z0e?Yh`S0!ozrcoy9B4KlT(N)rCKMucD*roA$)Ll{x@x0*HQujg)JvDJ zjipbF!s}quuJbK<#R`91-eGyOrFYhX{Kj9ue>>OTp~^#o2or(^ma&+oU0zz)_rHCR zeSrg6Nb4z(iClDutNH{yE&RP0tbjqT^&gH-z3&96TrPe?Ac|A^r`4}}=%5SrCWCx3 zR$uW_MLJ4oP&|uamP7TEuZ{qW9_WzCm6%=%|wdFf>$o%JB`#%uW9Xh0#b3QGd45J7c}S%tq@Bx`yy!zt7O~+Mt|{9ZPzX^GrO0gc6GYe=!lw| zx18iBs|0;}d*R%e6_1x!ulhye(hYK%#mNBy?7Xhid|IE;fv{Zq^kKf8y4Fc=Y>sCq z<@KTa_HEoZ?e$1`ObT7AyYUZ)(%F1Q%Va5Kdw&OeE!p5lA$6x(#MY)_o5xDkv^el* ze6-rny>@-NzHQ{#v8Ps2#02sspnA`ig6Fb`TFZC&cG(>5Kgc8uwvYMvANE;yX=~6L zm-uhTt;12&8g2X@l28B_L5_(MV){v1;J!bKywqLrk9jPE(h8nW3$vubU@TMpshrFp zCMDR&#Lh*=S#-<$eKeA|l}T3dj21`gb;jI(Xx2R=iA2e}y7(Q%OTPf?v}8F^6Q=H> zAY8_FZ5jKqcq?@&YI4C6KP74TwUupCeE&YHz%etSJ<(tM)~yuxE2EL%D9@;EZYy!w z?EI+2e`i`Z!3ucVj>7*NJPt6Z#J9YX@SGUbi0SiW2BNhqw`3~e%F2jN3lRK}c@zU0 z2ZzISW68$Y@ZPUC)0(N(&aJIv)M~&KaI$EnI>v!8DUw>R`{#+kQBbDA9{9g4R9FQm zUq62q(2nw5&z?cKWc6}9y4SSC|AF)ND^6ZS&S1fIhippVY5}5PrKBcfS#FOP8-?vW zd;4-M3J1sF#wt^96=O#jkFR-No*!%#{0%#(1D&H~*60ecqfOg(>*0Q-^qng-huT7+ zseD7%47LsB1EYGLZI3W7FEL)v zE6P#DED{I>C$J+R$1>M=Ygw6bt?e$$<+>_U`rl?Oc#)O1$7HUJ4gGYk6Gl~oADUFItOjaFVv@=3D@Y}d+ZWZCJTg);_Qii1ws+9&V$<@mzO3LJ10 zq(gOdsAR9a)9+q%>+O@4!lY$|UG9u)7?zztEg@JlCx4L?CF2D_FZ-*(WIYy(9IaJ!l*^p<$_;mn(bHOsjfIi)x8t$*V(fc__=F@(A*PK?TO=sW3K@ zBoIP|XBvXi7;GoVXFQKmvYI*{OC4nlS76^GoTC<<*8y#@)DJrupsb`<**? 
zlG&GAycBoxAi*DGjx3{6h#JvjI=uXtB);SR#af}c)HKqVFYH#BdNX&av9Ey8n~vcQ z`wSZW^-vGNM3Jgc3?^G_d&jfR!di`%fccfh%$Yfxmn(LUu2N{X*tNj7(x4dp?8^a) z1YE?=%pHR7QJtON`V0k0t;8n5;WsR>NG;MdTj@_$1BMAH)Z(D5KuA~|%~LC5=1p10 zsh}CafZrYa9KfLStEG>B26Ssqxft}GrgD=F#}HgX;TQ;6mGXK5-%If?Is~*B`#0i{ z&6Q1Cx*J~zRJ<@O&KJxGWkO6H{A*6aH3>g0lQ~jCx-~RUiaoay%g$p-tD|>V#xgbS zzNMv&B+>wTNjxVYu0kuPq<-++K=FA_cgd#qvp}LD5PYgBo53S#^{Vos<3Z)FT|=Uy zjaEEPV)&vqVVyUdDNeG9OWNdr-8b!61k6NAIT75)rlPI#X;SV#1{mN57H|Js7kb$J z>hl16ljg+N-RRE=v8nxL3ev%Yi>e#=hwG6xp+Z_w(sz#u5d_UoTD~`eh%LOlW`)21 z6^oM>R)@H45ri3NC>Z%{Hp*^qK4r>D&li1{$0)9zqOH6jeg8%8*XP=`eZxz)gi@ji zj|x(_lVv!@rcdYasiSj_KXXPSfIw75kmX{X{=yNDjkOqJ0vj##X8=ZQ(P zX|3&#(J@vYto<+7ESmitAfA&85m}|B9zSaWze!F8qRAomZb>BJcn%V2@}r`7_k`Ch zXTW>VqU!bQo~o*D)s@W~`4vRkG?IeiLHLW&rW+Tg^!MdN0DDVNz+L$M8(Y^yJr@t<3S4+}(;y@E73SwL^_jL_o> zs~mc>#{lRwpD2~Du6$zDTFyOfvuNeYC+*s|gQIWw&kQr9Fg&v&83V2|KK;?w+R3YT zJT1?(`W@!(rc8%Z!jZ&wtYQ0e32f!1^p$uo4q`-C9aLJ*1%%_Rw(ga>>v9I!Gh5J8 zhus-3zi3pi_MKJtM@BA>yD%og4D}mUd&f~94DI|R@N3q#ZYQ7ky?;?`JBZkr&6|z4 zJTvl1#5i^aL=PSlb#)Dl<6B|c$7zDdw&1c=|2-Om2B9W>bZM+Uo@|eKP4+VWl|!nHXhUx;oq)mnc&vKPJ|#U_v-RVvuAgSxtBg^L}5M8ET{*JyS@jEay)rJ z4GTG&?$^zK`r9l!JHHRlD~fHM4>~`JjI=%T2xHAD^Z{(~t6LEcpMHb)-o!#=46SCd zLfRi_5=6BF`;gCbCG-X4ON@VL=!D-l3J1*>bImoo<#=L1ZPD)394YjxdGWRloO}^0 z?^QQ&d`f4|1XW_M=Yy?n_~@+nh`bD+=qiKGi`~^mfhU6m=?`9UaPvIP(3+C9wU3rA z^mowrZ!1YvM=U&N&SW{T|K!Rj&veta62rml+3`^xami&(v)NEYX@ZO8WxI#CL93twLjA# zVe8#N9S1jTRCaFLc3yjfZ#3F$3p2AM^!x87<2HuUE(OY3skzP`6Hb6eC_O}Q1u7-t znT4TvUPT>>&Vhpmzj8mo&hYj5j^Pm1BMux89#Y5Zo7zkk(F+d_TJ~K`Y+WP+n5#Y? 
z`it`n%-LrvITI;R8(G0Hh8O<|Y|dK6bx;RDA?2pZ*Pk;c1=fzWHRlnzNQhtX zFSBhf0?cjFFQSQt;^UxA8~Gh%YuTO6GvtNS#$~Z z!wItpV=d^36yD`P!H;zgTEOE^=hy(9D=I4bx@dR>FblaB)}K)`LSu6)4?S`BHF?^5 zXzSh&yLbc-Yy`$5d+iclt>+hSWn{z|$#S6yV7~U8r{Yp?*Yn!Fm6V>s*n9te_b=If z4Vm0(=Os&bkH}6?tUJ3B1i71<+Eu6AuB|KDr3E<<1DhTUo$d5r{w*VwFo#R@W_=n5 zmaZ??lUdom69y=NDjOi^0Hzd*d$VA{H*O{q!VMHDn0WoFW&)`XXb#ML*uG;WO}}N= zYaX?K6isn(D z=2yG_?p*FocmK2atRS6QF)dAn8!7dEAV=5!CWwM0Mz^x&NQpd4XoFP0UtK>J5sA1>D7(mL=jS>DX~Qu;B9Q zyFW=>>^PDM0Gp7xF9k3DQW zkWUO7?#;mnKy7{PZ%_aQn7zSTCc(&Wx!7QnH36&MOb564_|pc#84cx?)JG@KaEaz8 zKxt@?nJbRfKM`2YVFAtUv&TmwzUv(BE2R*YWGr?Ofzo=$Su`0;);qG5L+Qwe<9M+uOWsGKgw^guuW7Z5{Kj$C5r+DR2Vtkoi< znz!9ZdeK3PeTNRcM;=t*;fhrOH83LGm2C6E6;1SDT3H!$7C!kaD(ZpljSF*!K<2q| zp|9j{hd^V}>`k;T)_rvs6?J1bX>4uoe&&h3_zsh%8pqdn`t1E>*Z>PMWl-!BYTa9%{4V?i1B^DmIpGcs?<< zO=}P+(~F}I;^C%x!b$vaXj3_*JWpe}o;+qQ zE-qr0&4YgzKm(!%qYdbA2ch^I|7oTP2Psq<10`+52v1HI$Xvw*0pTxvzvJXiK{RCV z5Dkr=x1@+p`vD~f0F=3w`OKNq8S@qyK_3x(6M$Fz2I=fAW5Xu-f9}P(rR?H&ch)^@l(Gfm0KB1-^9Ocror(RV#cKg(W>Oi&Yi$>&} zw_Q>Fb`m9lJCS-&f1|5pW$oAFcVB<6Kh$!Dyap^)QY#<;i`tRFs)vWJ^voKn*M$pb z%At(8HZE6D6WAUC&calW*Y{#C;A?i;Ofw_9A%(LhTxUEVe&Y$noxSxhEzT(dcfL2@ zf>EpbaquuP?odBYU(?z`7gaKL_zd!bM;CWzFfpMD3I|6mL%4w%h6f;$TiLkJE$AVz zUSmD5e}+%}%S2=5goe3vtsH6z4iC3%t7_tuqCF)vLd|f$mhz7GwXWUwn0PlVPj1R7 zEj2u7kyD=@KT}R}c!lTc)x!C>byXB4<9+JLVabrHtG_(N0lGGOzjvdx_mvf6PfTU~ zj)DT|2JFq{o*(c{VLsgoi=!(pvafYpGRnd{`WTRinRDsj^63Tbj9VqoI zu-3k~$g0+GA-r%3OKKT(JorzA=6)msDWmS@&}8>srPsh;@my)A*jL*vv22kr7aYPY zW?vreaLV$2l3Brv7t9X>Pw8r!H*s6prB#=(O*wY^@fR~r;eh=7eDpT8hF85RZnBJ9 zVWCaQjHA5So+zCM1rYq=$dl8WEPQE!#~kLIUu?bs^16$t?A^}qk-*|JONR5LERik88C{`>=n4()z)TJa}QwG~jQ@7OV8YX7spbODIO zw%|>yR^PrgM6U)Z67A~L3N>P@N@F-p3;EIyw6A15OhJ}R>Y8`txxq$&k}0ei9$%X6 zv75jp^nh3=LYMNKKSQdOdR14RjhF{FA~dw*c|YC(uC@2--(NQbRbD01%qgqK2#KU+ z0AUh$j+@HJG7<+FSxL;Lx^9DtE`rq9zaJLsZ1$VZtefNe$E+Jk5!}Q{avvHRR(pH9 zwN{X0rfL1!&YmMoMQmLQrRUiO4}lGC!a_yXDBk@DX9uAv#$=$Gy%rcKRK^U*u`;YqVZvWcafsDnW=- zI9c301D-xTyfixEOSWR(x%s*7o=WtoV7!1zF=1Hiub8}v+jVUTTNWW=!b_AX6b7)+ 
zw-(^MbZK@`*Li2>!{*oy_}F;p)T!F<-{!0=iQu4W`%^PnAF$rBxnKR|BcDMPgW@|- zWGNsmrLbCB(cEiGV73eE8iaD7JuHfkFn}`G&2EgvG?*svqhWS|+=N25JfdDMrk52I z;PG2yF>TQtDHLL6S))Fj zSR}bU8jhXj`G!Y~LTAFfsO8kfdlV86P$>7Vyt0kN?HIbML4&3b+gG@ML^iLQ`lOZD zQv<_^b-^aqeMoKl?OV6nNu|W**&6M*aTMx;e%c;Km2Fe9bmi5Jy9YVj?2%hFNh0|^ z-Q2tYJ4US-4iI=8OddAr;7Wvg6<>6$jT}a{+k)6YfdiGr59&GjL-Qoug2JP()ZE&! zG3FM_5>#ZyRw!&78s#^`g2i5(v(O0Fpk)YQaYXS>p(ifRpk zqnBK}ng32wSYLduZs5K=VTghZVd>IAXy`UrcnsH-e`XM_bSH5`nQ!z`o8smUe_1Z_ z?X#$2ETYp>H{{e@-z=3CAP~!J6C5(}Q*tX)O1Q~*2`AU#XUdl;1UWJfaN97(Ivv2aFJ(0`8$)j;ZD?w+FWU$%(Tnn~{NZ6RXjzTNgy--mSWO?-NYuk*Q zprCD&jYf0gn8eQ2)X+&p-Wxmv;V2^GX966^>3oFSQMz*#ilVD@`UY?fa>3d z?OU8V$fZrVbN7zE)JtA|Lk?OXGh0!{q8f7q-ae#^0RbXdr4@6}_}jCT{^R!{_aPKR zL#b`kcxAGdh^*L1J7BeqBSTcl08~8B3SZ}DUUk-0VKG6X8n7kP<$Fz_<3lLvSNs}{ z>{2>&U?}al0S|zQJL9}-8Gq}Vft9n3xK+RGdGW~2vZ1B4})p){O#M%Ei*Uhw?vh{`a7!Je$Jf5t;Zm2 zC%B3HPIPl1MB9!XJJ#SB*dMw7qR=Dlf15wQ>ST1}mts4$ z%Bmh?ntlgwY%GtWqzIUBN+oDiY^c`2f_Zz7g^d{-;`|6@5+eLQ$wu?U0$_8-tG|B$ ztld^_$0nWF`)?rhePu6yjmZ$)rrNq(PxD%^X3g1y2h$hlD2*Ra;Hl~$DrZvLZJeEdjal#E@$}>C zP}+Wd_h#3|8lJZON{e(=)_pYT3#H5Aq}`SE6@i^>vIbt)eR(G)FWG1|4?q?(B2iJw zL?aHpVWmtCk|#>43OJW1C*XOS&fV$;Ry3kP!!>VFEy!mx8zYb<`S;D}tmzORf9d|L z{FyIvrGVes{qcuCijH}4qqzoow{HFFAM>EMPjrtRrmI&M(1sEOp&oz**l5Qr>$Lg) zbuS|ndVe1^ox4h)2pBBY)I{%Bf5sDNb65x9^)YQ}2X!D4h0dMbTPuX*+n7Y)fC3QB zHp1kC>{@|z*OwII0wV;7_wS3)BJRULqOXtgY$V+b?(tJ}71SRdKcHrE#yu4bX9aAN zU<*_=Vv!oM*|B)JVtY3A-&Vq7;Ubl3OsgI|5L{NQ0J&elc**Yfwq#*CE+1s4Hej!m z6Tb=m$12r%xFd zI{3Ug(xpQO&#Yhn5fMKpVV&-nIy_x>@txz-14?=ZEns0?+0fo?1H-Kq#?-?yi|LC? 
z4h<0n?zJGS9|UNOLTAY=sw>aWZzEL@3@55ShJ7Z5JjhH&hB zOhYv}64{1qAbr+ti8*uT=$SLmgV<4SR@A{ichs0zI7hf6ug94Gq{WfSY--_52Pc~` z!_Ho48s8_}d2LN|N%5fek|HbIUs7&9*AsA4!a%6e>{QTq_~gQx4#>@5dzD`{v0P}* z!UWQUc1c*_nyz1;j#3-}%uGYQjO=s77(s8 zDDT{ikLxD;_)HIXF0j)V3CkNm>m);1O-6+}{+K_WraUxCwFsDus=W0O&$&@?jY?Jrw zZq}68%MZFrmyu^+e{P?NMtq{{s3gzUUgTS2Ris&Z#j1mrS)OO6^v`_mh_^;H;*Z@E zKJhq1Iq(sRJJpl-Pq?*_OzNa76xa!)T}fiZzYSdC4f zl%KJ=AXrTM@_tnYT3GOH++=HAZGzc2I8qj5%Rl~wRJQrUa3W1F>b_=8$B4JX{LR}k z=%oJxqem!drrA1^xb}%DD_&YDz%d9O_U}8n*>97x&Bl!_@Ei%O{Z1@1{j7ld2uf1} zS@$b$M`L84feSj+iVfKV_Z=y796ZplaN_>zZ1!7Bi7UbKKxMc|t~V|=0$RhcULwFC z$R~MXF7Mz+A&L7HurC5j4p9yfFnAO{X>rE_Gqw43W;&E^Y=8I-DX9~XfC_-c=U4lR zbRr#{g4?%83>^52-`)vw*5P|hu6Nz`xkjO|(jffB_o=h#`SIlb9f`C^6M!TGLtpq1 zG&HPeNT!%&39>N@3s04gg7CgULaR+Uuh=cxUU$m;Y+}p{r*Tmyl_?5HhZNP(f7hpz|BWAy~+*e zGw}ShaOJ*(Gn_dSJ1BfS8+q_OQiPP))L-_zW7b zaBxgz+&-nO=HYpZwcDRsrTW0heRI>r9gZsXj(C!5mu;OlM&c5|PzcMLSyJRU25t`% zTDz1YO^yP=tfK6KIsr4?7R>}AFJTcFW7$(p@QO?A*8V2)Ilvkhod>eR?OSW$z#GMb zyjy4=Y11+@agl=_46*OZ*P6@ZS*-o)dC~SAwwFHmc7O&5qveNh(#kq@=s;&3yXgF@ zng+v>@|V3TBENlYNekTq0~IAZ$|vE3siuY-3a1h3CLFF-ZkWDn+A8iOg*DmGsQhxfzhcgcUM#1joc-d5JG_cBeGNmgZ13goTFUa9#re4yJ~v zZSkvF+t3B%8+sXYAcJ7!@bJ7QWY{mXw^#34cK>+Phd~fejd5Ij*I8Or)uO_t`mJDQ7+xYUd zRVNcJjLS=0esLXFgiC{vdECKU<>glh)?_S2D>v5f)0z3hdVE?*-VEp_QeQtj7O@8P zRBW-56j`8c$&a28B|yX_Kd#SMEH-6sW#P_`(6PeiV1T+;NsMJ_C|_d^u}5aQEP{$z zgbAzTO12@sCtvt1Dq(gdvEiu5BMX2wxpt)%fmEz5EL+B{dHbhhiQ?wGedqYM8&{NV zZ^2TcZ=XIJ;Gkk7;LBxU2N5Z;$i69d5d6&_b~20+Squk#s*zR<13pO1syV(SXdnDL z><$kDaMBsO6g1E}g2n%cYL60M#D0P<)(WjL)gELP(U43#cHXo%hv>O;?}6_4M3sey z1TF?Yk=WU{qC%CIFNIyf&R=|XLGPYDw{gPT9;R)86pY`H819c*N~sQQH-HXTZ{zo7 zD&4uDcK6>1Q+PyMu6OLF3f($UblQ1{-tAH{Ca6Gh$BXmxhZpDOrzP@^ENB44vW(25 zsG~rE+ifArXz_;B_HA;I9e;E$^ewJl-EPYVi{PERcOPOn1Ln-*4VulLq}A2Ts`PMs zB{ix)u}3bWu0TR;%`+Jgpt9?4K9e_lyJf7vIIS$X%MV7D|? 
zu{DUo5KEQVxvT)VsxPTKc^B(sbwUnXjY~P8;9~?Rae8x3b!w!_g8Tt*5wKy*mt$?N zeJgMo)$!0CAu1Y>E*h$&u{d@aI^gntNTi56J6CW)i41YK>MN9f_zb}w_tjk+yka#z ztm24f;|Jl_stqx;xw;yrI($&xEA{unNAe3F}qewZ>IQJWSH zW;bs>MqdrFpGOO$h~XehWc|q804+|ARP?)D-C$UFh&eMSCF4w#bQIzsi9GOOcLd++ z9xnk~9^Y5$TM&Yt`^rS?}ubS%8AJ(Uk8y9IQX=&ZuURoEO? zH30=Ke09jBrvM{XMDlF%$2MLV{9;qH(!ghbRnxQVt+)%__e!%(U`n=Q_wISIa{~lr zhjAm}2&>jEE9pxl9jZ%)PdR`8&Cs{!s_2poq{%H*)LO^E8omDK>H%3{KyioE*4~2QB6?#9p|N z1~Kp-M%wx8ISHpfK`d|R*zLKRjd1x zE8ocQtXzz^9f=qDu$(nu8}KezW8l1R-qd(2E|=ivLEXdD4v&DKAkfy*jL`;4kvUFyj+^ZdFMXqk3XtVQX^fYA^7%l&_ng&0hpXTP zut9-DJ}N5mAbe07ThwX81wSTH`uZun7tWE-pFgK-Lq^i0N6W^tGPYe-T?tW1k)vI) ziGZWclR(Ha_S(+Xq3seBq{}dTN1l20@ksdrUAJ+2;Rn_apXnPt98C<4VES$kpH^0W z!e#f=+|$Vm4Kb3xXbVl-L~C!Z6Ng}U=xF(Nlc!D%^i>W@I5$4WlR^)Vr5MXqUU+Q~ zD*4(ws|^%ouO1TVGDt>PR@EN6aG_qOa?-#-g9L*@X_51%RwN{>c34SKQ7yguMrt5D zU6wa&h4R19zsVWP!Yy0cD$8&2o7sO4<{@J6Od_F!uC5S1A+pe8(8Ro+SU#TW;pw$m zY+7*m64;WVa>IA;*e$An->bXcZ6-ArG}AEvF{O!L6yLs9jFO>Apm;OK>VhZSxX6mVv(ShsE+u8rI! zQAE>RM=f27(WDt8Z`}4Yx}MkO2>?QXJ;*&;hsc#+-1?!WixNki7cd zin1+3`rVwiCnj-E#&kJO<Vzx~FK>vD7T2d(Tpw&_59ABOw4 zZn>X+GWhcgdcU)FDR1_it;frP)U?@iz2Etd`Sjs~Z*_diwCU5ywwJ~n#VcS;RAJR+ zOn;-Io>bewvShNwQbhckGxSnx&Ss~de`4;}JaBKO1Fs4z2^!E6!Z4XvT3ZA8K_X!Q zjPD>m3UC0|`}kO|{pBl+YJN0%^5hlorIg>4^V77IAsIK%zB*9Sw?n`z@Qdlwx8f{I zOx1p~CB!d4MPR;4S0&ha@y7WtK5!I^xKy5=r%!e7U*33?P6(&wh4bc34|z$A+(%Uv z)y~D;F#Unf{+RSvSXdIZnT)jqV{pMN@kgm!w+q-h!m8ceZ&WXHoHhOY#{Z^7`N3eH z-o~K)MOzVHfPDMjy@04+w@vBx){@TxIJrw{9p2b%EE^l`WYlv>>L8*;Va0L+Nr&y5 zcywPsQ@sHLj>X3p;GInmxbgdUpQmk>;S_Cr#41j0!3VP=vtS%;aL=!*|L|tk)ec)S z695XKtA0De;h$RY&@Guwg+DcltMj%HcC*`WJIu$_{tWs;6WjS7{bqB>Y;Glnw?g!#lwB?-Y7l2J2*eb&V?OP%T$Pso(J}h`{Jcbdr&gV zQlF)U#>dmrdJZ4JqeG9Z9&*6R#*gqxOmBBh%dYTJd)fGlET6?=A+I@LdC$U4pnHy4 z30K>49yl1j8Sc06pU-!3 zV8#=gJD>T=unpKlUAgidoBXGk#B|+8EJVVpDhvGHoSZ&h9%{zZ3Q-OFId^v=I2l}g z6(K8ij6HZz-`g6xJ}N26xpAXaAeRo*km9q(!^1=tduYjkhda4%-vheyuV23sXvneT zNgr#vR-3R04xFEVQ|Z}r!awgjiG5u1^or0aV1VSmgoO89ua5e 
zG^~Ync7EC2b`<7=a}4KDm$d91>O1F~eH%$=Dn&WTF%*e(Eo;Kt7|u;Seq2PU;^uqz zu24%d9iYdh7~sKsQQrieEG`Z`DAia2GeDke{xJBU81JV9as5h6j5AVuS{KI0)YjY( zIz}dVC~H%Fl9Q6mOif3~UOZcEIxY2LdJ=4SOibji?Ee}y?Dg}`4dlMF?oJmT@p#I2>hf;gLP>xiA{c~9US59G=+P@4Ca9AYh1I+NClpCFn1je2 z!9T8S?D*_&t;fm!KiL;t&t-&1M2vM;DA_tS-U{oiRURHie8anU>z|bux7%opl^30G z!QA)1NF0Ws?^o{8W6t0(?%$Ck>TKJj5K-SW4>p$Dmnw7RI$&|~MPM*LgL!FYW+t~e z;s4q@_qQ7J_U|_)ESqY{ra`Kug}6tBrb0@qP}vkhsv(5XUQ~)m38CaRF-ejn#->tJ zNF|c7NgBJ9wv;GkSCM*NSDxcJzRwTOfADnNhkK&6y4H1lKIi8=-|zSNJ~J}tG(CUt z;CyCtaBfmg{L;Swf=-YLBosGGqiMtBzw?s@vkp1O3Cz_yWMosu+dA5K>Yfo^OdmLG z)sohH<)50(N2HdG|J-XGIV7A^|JmcmKn$Y}TT#XmNEopD>GS8+6PGf!k(yfmR+^30 z&4E6gQH0F~;}9`k3cHa&SzDWci7#Au2znV~68?m*{w}`^M0EAtAt4W`4!gUnkny&&L$mK8*$OxndNN8r|jPb^5Lg#bnA{rioS>lmcn^o_8L zqNMVhJ~1r65BEetVX#P^Rz9{XEeIT1a%yU>t5%gfeHxAY48;e+Z;YC7POu#}K<4+* z1NF69RR9vZjOC2PVG@dQY+(o^|H>K_OnpPv3GBF8qc4p{U2dg#H zWtOOFbu%V!$Q-F@3a0gw&~h)9vGR~@NG&Ha0NrtGxR@Y{0FIt?EFNU>x?{)o(OJ7G z4#twqW@dtaZfI(Em!90|BeMA1uB|>ho$}(sA|mRhzQ5LKL9o*LFBOhNQ#0Uf#oI0+ z3KH4>jEP~e`Nrz0g7pu+6j66y3F_tr3m)0NHiEHj~z=>BOi$G-Wxa4XuRD2)nE>?P}vTT#rTQv<>TuM#)>I+u!b1F z!4gV$4KZ7fqq5l#&hWr*`ug*l58&WWQbfFO59}nl1V3--|7_0aG@vPtB1Vf*RP|F* zQulRm7=4IMBSbm zt=TDychUQk+TegyqHr88%$^#thkyn{m45lM(aA3i^kTPX&|F7yd_?!%`xDGfzquz( zZ&>4i!9{+5Fn%E8TaXnb0K1e~((*la%uHC3Vh44I&BNX6@19Ce5Ooe9(}Uy8fWLq#N))LdY>ub zw-4f4(^L#P`P7RFshk+MPWPufw{r}${;=tRs+sA?o# zZVukfI3wYV2Vo^!L^4NH{Ue5il_{p4HAUQfUHO`}qZz&4@}GbMTTbKa9x*D}stthHRn_VbGvw``#q={Ge|y zU%q6muw+#g1s+s8y5!9#I<0`VD0!=^y`Sa{a@Bvquef*56+Jni*%c*%6FHW+VlY?h zsO^jDk4?s2mMW9M4hetN&>%P#1_cFi(6}9b;G~OR!rFD~$U6Kl_A%vtBk{Umqcyte zRyhI?J39-pIr)8d_V@Rl3Y|p;+c{%#Wmsi(Kth(FG@D|QLy5!H-X7tt10718-f7n8 zu$bqiP-K<5=Ki1H`qng$J2+TB&YVRf9EBCk5kt!bb{P<8TfI(vvCEc#01h%kRmHfX zu*Bo)OQ2FgO$k8EV*|O4_^L8ZPdX@k6jluoJ}K$xu}*ivhQ~W(;AAR@SGn=8TKtGG zw6PqgE0AMo^Cb9YXinum%MLw3fR>x(9ey-a5bnICT+)Dp@^e8QD)j%hCAuA%Ld3Z#S z;s+U5Z#te#8nS82mV)oDM!LFimr0AyQRy{5n#g9N5o&FU-IW*u-6_hN)vGu8`VRl) z7gVtnikv8E6b9@ImL^{ud_s3EJvaN}Qi+a`D#b-b@1gTjE?qLDMf8vH4!@2c5Bz(o 
z(FC6z1nNTFZ)2ltWF+7M_hWobK7Q@dtg`9i!aE+{+qb$m$Eam*TvZ-tbaPr(*T*;C zUH#);ROU@o@*5WhTra1lPVp<$%|TtQK{b|BI~yvD=`FVVRSmxenn@fGrH$GeLpG)U z`ONH)hq<}i`8QS7kUsgHip>ia**0ii`$#R1GVA@uRUu*-_9~oi=P*cPGlAy;2?uQa zMPj>rc@QWt&C!ZKde|UUQ}u| zM|S|4L1pLHxvV=moiXDU;67dN!s4W-Z2kJuM~|YSqg$7Bwe^teNT#W;X47#Zh1#hR z-A&^yE1aCfDk^^i^(MbO7^bPE7*odJfTH(0?$Z+?5cm2;c?fm zs}<<*U`B!tg?aZ;6Ur?=BLs>-+H?j5%w5`E=M4E*Q-eQXg6%k5F@=hgA<?_rIHDH>TA>hoLffxNmtYYxj+kt=9vZf+BPWaY{Q3l~nJH~?i^ zym*&b=z^q=l-hlO3?hvx1QMBJ-7j?{9~vA6frOpbpoWYuF?*LCokP{|Z%N5OPHlDd zqBUvBw(C7TJ^8SpjV<5TbLF10_-1yMNCH08`)HcD`{R^V9^6aHh;Z{?l$an+Nn0Ye z?L;briIq^+QtKt#GI9%1yCLoJnVEJJ=?TSX$l$5?1)iwCM3QS;Zflk@hLPQ={@G!s z2oN_)I<$X5=KRx@6Y|%jkyNPbe~ZQP&(rYGgJCYt&Vxt^+1`43(D0E*kNVTO%E7>S zf)yXO-UH<&%6n*frWtF(guL&X2(_Je4ozuhoXIl5$^pdsUrhBfGeWeCcsf zn!jR26}i&@8SCr!ROdVI-FtU`#=mTm|0Sf7j0Hm2;M60%ll(HFVqbn${euDq`~Zy} zC@!8q`p|Rg8M-tWp9kZ8_T)(!TLqN?xmCnU1B)m@PRk8!JyUVfQ9FqKSlA23P`9#j zUp`kFVx&gAg-q*r(Bf0r;ZW|%xOX>W@UlhDbg>-xk^`00JRAOzowPFL7mros(}@c# zqg00ur6k7TS87?k_v-_dTU}UKQ|nbnpDuRsTVTe72IW0|Mrxrl-i;R)bp6b#j1oNN zTRIe#9w`bWPID&PIQQHL5E4@6KQ(s4FwXfr@B23Vr12H%au|6K%6~PCEB$Tn-oHn( z&1YjqZw&f+Kz_BA&&P^I0wc%m_}toxCzZf@ku^uuE3DUJZ}Bw@itC8<%>i=UEojQAd%AP}@?+vAM zZL2ROGU+!-4~)C3{!~W9Wo7wSMer716WiPSfD2YuE7P8%0;ZO3{+rdjo5YM} zu3h2}U%qUM+$Tc;4pt$+{6oSiqo}y3G^!p< zlB<+3mB61loa)zp1lS3e85e3CM~=RjrAxKM2cnnzS!t=U+M&t9;}rNQd<4J^(0?I! zAjZ(Z(qTLML0vu4QP!JiQbVR|i=XDTk;;xyXcs%ZgW zMgxc@9Tpo>gZ8K9W-+fu3x6QbiEeSBGC;_KS#e28T24;Iqesfi2Lqu|5u{zd{IB+! 
z1MiJALj?H&o?n@XnTQ63AFHgKSsI7AkYm|2*q z)A((jP@T2c#oa#qv)Y|IPP#Dgl;~f=vNh#So8w%@BBNbIu%F*0i^rSm=bwKjZ6&d2 zTmyTA&<#gq`Xhlj3kzMGoGQ`0jS=+_{36&5w0Dd=Y&Aee#m~PYkYYnY6ZyHnpqeST zb*uP|573VrJ#N3z=RwU!vyp~n6t$1#1G3!%;?&ERk2UyFb?oF0li-dF$-vJ$GP3#V zi|*mpYStX9ypBHUH^|p0khh`Xo*SbtI0M029&h+P1}8tr@W5alCF?oX)*d*H$(y2D z(ALn{J~Lsy)_+OBaLSx9^=>f|680+fwf*^J>FXcI)=}}cGx`U(jB1tn$LrRb@W{8k z&u&GuY^eGmVH?7gm7E?F-YZtD0Ih6Dh%r*#ewCD`b>mJ-M>dmMMAG*?+@IKvIq>6@ z&aGqpChCr7*a2A9R0k@y%#Sl4?)+;M=w1ye=IPU;Ln1ey-c`~2!9ybAGs+z*C_)AW zBnT;d3FJSXFSmU|Izzron8HKi?#~RGzM;y*eZlh zd{u?vcMsU#q{lp@Me#Q8DspmwZ@=+~3Wbrn_V(bF2fj6Q?T(Zlg$Rg?yJ(}e3{0Rq z{jq*Ul11=!*8Qa$?W5YqyX&nx&<>CW+y!}wMU);5cD}xG`fkI*@=ZmY&ETj+AtW9k z5iFM>;j204XmE#cYAM|W`NW6g;K)h8%h@ zCQvP?j<6-q%A$mtQx;7l4<4cCGcq>2xa^*p@ch{`*f&azh?oy)=g##j>Q7BcI04!~ zo`C6sr(vLR5NpVH#2%#N_6~ydfqq1*#MG1&OACwK@r>9qMpqz`1U~=nyK@poR7S5U z-iR4v2ca#x%OYb6w$T3R?yjb+{Gony-q-Uy5waXu%+1v|`vewsV73*0;6Ug3M#jBW z9e5(O6q=hro4C1BOR%2fhDb;D4D{Xl2j~&IT4s?@j3xGeh*{q?E2bW{+61{+U+?MT zLuQ@3T(mRq2;-|w#aGHN{p8m{HA5-p_+{4&8C{>afWUtEk3X0|$8!ufAIbQvwMjfriuV*|Wy?QJCBh?d#ZrhJ&T+s8 zCQzgc-8_iBu5C_$ug*wrT>0e1ivS=-;e7t`rTW4mOyG;^F50Dx)Yd*wR9EqN25b~v zK`06squ#7Ye3&(3#`vYFH}ms%S|yGQ;jLj#!CDv+X%U49Ee*e4gM0R4M}kZ@E&2mF z5IH#S&!!}Rhlt~f;3BN?>_|_4ymc|+Q^AJc!2!^PyT%jjhG~0+%2K$mXjK@Cd42JP zt$i({$W}S#@Hx|B;&b0nN>4OznSRJDzoX1n?{E^@w&c_{78!qY1$AY2(`F0eIYVqt z^}T+518)bPtr2|}2dP7Mj-5^2FSQJL$Sh8j6bMH^j8jr3!%sn!?9`i`RDx+rV67;t{@VDaw`?j9Z{oOZ~5 zYHDgYr6GXQ;Hb$aOK;p5DUq1^+FI~%+}y@P5vQevW8_MAgQp=~8aW6oNx6XIUzV0$ zp-;bYjB&U9ofwFC1zCXBl33#!29mxKT{wfu8|^X7KV+=sF6jMrJeWOd`1@)+x; z-*v>Wf)q&sv2VKM2K9YqoFw17(mK>Cv0>Zuo|RsqV{$56{Cvk>xpMU?S|j-$rWO_! 
z2o|sZ;X`<$kR<5vD86E%K&+-LC+lg`J_B5083mukd4k4t;Gm*8qX)L;UH@3^L2e5l zL0c3{mI0`*8ygw42#DdMbAxma_aO&6yPLOewSWDpEI(n&lq;P5+#8VFfb4o4m8d!y zHNgRor4i`toY4qNp3!qpiVYC_+pxJDka(s7zpY$(lAwuKNtQsuC@ zH(lL`djrpqcM#KBl&LwzGK!Ew_CKU=D1nl_dMo?t?d(s)J07!G#>~I6ogG&Mu4H@8 zK{zJ9IN+&FckK9S^r6XmdOjp?U{v$3DliDpg(PAE7$YdGQi^7ZES_1~^q3O_W$_eb zJRd6UGN9<&x5H%d9X0A*c9&g>ZNomzVr;!27~8h3Q#cn69s2Pb#U!mP&pqbckul19 z?0#Jw5P%0M{?~pP=e=HNh9HEakB7HLu>oKBKHztpxnI6KFw60fbZqq9SuEbfBjW{4^S^$GYQ4G!;f4pV}(rL_#m{- zl9vUAg}bd18MVh>qPgIHb#`v!Q*&*H?le9AKo!a;wr&kc=JnNS&k>U34A~vm(grfn{JZH=2^^E!3pr3Bf#8-h+i7@`ErJ+$tK47F~eRX?DEbMS> zY{F%WsGBNTeS)2Ie?iSg6~))>C7}ak_^4PVvi=Z$Mc-QaecIcZWX7(p`!1H5_^sVU z9TOyFGomaP+$07M7TEB~lZp4+JUt^dM39SDN69SWZ9aYZA}AMd+;-G9;2gMpyRJ2x zX3>LpU&)(N+?bGBv2cY@%?1|Cyavj*ly0~P#K@L_LWTd+#DAJ3Ro*mGdZ+HA5KB;K zT>JwAI9NOoCaPydP>gB7_qV6fQUmRMEg#;|2LPqRw2@zBXW*PUpoi`6WxbKtwJ2i4 z)A;5%RY{*a=|zx_B+>Gw^78U7Iu%TeqeGi0MV(5C0&)jHhm_!e#%?fy@~gf=FCOcg z27e7Pgt*bQrHKoWv2eZP4ijs)P)rAF6wH15-JyHBNzhd6F|O**oIZW}mMv4%T<x-8z~st~_povA_sx z8iLxtV_k+>|B?aU>nOAS+{D9ZQ=nH3@GjSRBBSF4KQa9na8vV<15Cv=uOE?gp;?D~ zosQKxf&}gcx6$w7*o$LAzv=c1m6@32fXrO7`-?jcq>tk_riFC5Iz z`j}zfD{r<7AJ@}x;ITqa4G^gS;mKO!-9m)C_ME&Gccg@beBjfHisj!FoS}Kqz#_qg zFGpHIp9`ijgRXzv_q0!UEzFdgq>=$Lk;LfaH;_zlaxNJ&{}aV7O0RlM>&Bt}E?AR> zQt@&ZF5F*`*I*mMiAe|U`Q+rIZEr|SC>rSfF~oD1Ex?CgF85>$PNd|#ElQ8qZ$emg z-LK>C&?Rk08nU_L%>kF}er51EMXdgBzoFz~&Zxfrlk#$?i}adJ0|e3;l@@&huI}y( zXtzhKNvxsN32F^pMd&h)t0*tO|H`|?T*5NW%w+ylX3-L$6r87-FOPfgoH_kvyXPgv z0sGO=udUs*>{c58!kE336tCH{!!4vY{<9L+7Fx_<>CyoLlF=5}$$DCQ|If$IpF=91 zv0cw8y>a8DW#wO&eREy2rl6+9A`16?zfg-5J0y;%x72oy?-qt2h$Fv4xqZfVoMjX% zbSh9Cg&5nA>qe+NW$go1w+MH{xdfX34C>pl2;3o3x@XJ`6gcd^%(%@che2Ssi|uJe z+Bs)uk8Vf#uGKCsnH-hD8lI*B7w=wXL!4h+_xd#{7+>=qYQ)Zq!%L2G*fCI{btR_}?bUe%^j71bJ&AxUb{>%lB>+@lSq zpaxPWKZh=xV`cRxGl0WyJyLwkZKBN-%7vwoS@h_^&6`pjn+Vh-FG)$a@7;SxM(p?O zBU+s1hQ5n74V#!wt z3FQ0WuO^Q@>WgN_+XNz5_PYVyaOtY{Oju&4vz$W_`}dKr9a3(HvtSK)SO7He2qq>79TW`W1xEuxqZVP~L2}i^v9kWcSLwfeu0gTHw(bfUi 
z0Lcg@zr41Nw4Y`qu?RD{7V07Z9{~e_c11owPC--8(2)j!A(LZAY}*?a@t=H z&vJaQGKEZT2pT7VUq>TEh1j{#vJac}iclhN%B~T*{8&Tg=He+EefPh0DOi~TY{Q5R z&`Q$H>iYUj3G3>B!)^B24{rd0>;!g^igT)SEQ-$OVhzbM}~0!V(#Nm z;mgnd9<;ixv0ht6dBA`jNpk{nAHV6A1T_cHx^ZT&dSB{wA{`IAsG#7rM7uxpEGpwM zMg&V>I~2H< zE0+0XxH0Dlj(3}n595bsv?g+fv{QD@I=`5=HJb2SlUL*G*E7ZPG53X;C7?oY-(ob| zP2CTnYqa#YWBx|V0OzQGr)%Uc3`(>6mBtQ88KW0N!t&c`N2I7C#QB_a)Q*mcjMUxm zgt61+NhR>@L|ov!O|6KsCyyWR#%;DrR91Q6w_`&`y?M`s>jo88Y+WnQ=g&pm8I!{AoRTP3~pVZxJ1bLlrld248 zVg~8JwW76y{|B32nLeYkuK};tJ&bDo_upe}wDcxTiUBSARK`PUHZV^pX46yDHrK9D zT0#Ow&+HyCnR!lEb^E;TJtw!2dBfSPY_u96aMQeNcQ;8-@}9XB<}NO0@bErtwRKRP zDL&D!yn!&~@7h!-bz4(xAG<5;=sAdVJ{zQOx3z zb=3|~I(Gi>d|qou#cUiNCdKqGgbVR44N-D)DVFeI=P z->gwdrFZPyWATT4g{20)-3o(_=hWvcE^OU+>H8?zalPJUZ5~sejdtr;HkrWFHQ20R ztsUY4s30O?(&^L2$ExN7znODaZLXmuexFr<>BPF_CJatN5;zJyxwUkne zxS<(>dJBDvuXvcMDh(6hfe(SMcZn&Dz}dD;pPq}{Z*TY+ zp4UVSRg;sBqo$iKLOb)Tkx?Kt5a*dFp7S1b0S*9jz7QK8FE&E7nJ`y0Ogv0Y4JEA` z5L!;xcaIRUWfbNJ^LXRgI@!=WA9 zId1+VJCl&0NwF!F*3wKpUBt{UMq3~m<_>&SIX?I`*4(20{R26!=-3$`qZq)&cWH*} zQU{0OGA&985Gw8|wj;x2^`LmP_CqZd)Kp)V(98OBSjRvAx#&{2>FT6fPW9?YPW=Hg zexG4&M@L|Y&DO2c6x(TG6G?VV-){CY!)>@?`+kF$nHvh>ibe7CHsfIbjl=)Ug$px9 zgH=>G{}5L()yC4Gmbz}Jgl>dX29K0S3QYlwbP>XUV>;s5 zabbox`YaLbf5R@~v}d89|H+KRKwnY7R{-8goJ8>;IL7>gPi<-I$Nv;fGmGl_{k!>;+hUsfK8 zMVDqsBou*g)nZu%z5}4tR#tr#+erZoYe6_dZ2bM(0dz)cY64qFn9Z}a|64+|)+{U+WOBAxsp6x5~`P{ImJQ4((l8A!;3d2uAfOaT(wsLn_ zk-N>dapCCq>DOa{(EJ9FOE@M6JSAa(A!=+yNI~>a8`kpZCxFVp6yK5vO@bf`TrKT1 zrXogJ8t{aXaMs9>;>{GH55|YMq5>iv^zbrmE~+2Ma5f2R(19(>&FIV~!0 z!iCt7A;E^}*MeM3HB;>0Uzl#c$!r^wQ9KJlb47}ZPj&^8FOrNgmLQ@*wat$$Ed1gR%) zT3MtOBL3f})ba4}ex_pVq^WYs7*EC?HWhOeQNL>JCajRI0-atPd3nxgsx~MGE_<|y zQ-t!7>OS{!1PDD;<*zL1!Sf^#1;oMY(DJlt31P0Oxt zy$TeYlr(Gfp#k#6<>fT=<*rQe^!NhfRaWK*2F*f1&4lD+?_O>LJ5Uf?q{1*DVqmnV z0dCE|+uNUAe6A(71Ni{d05mc}Qr-^XemAC{E@6J`Y^kzps-w05H*!ai7q}O~Oc;jI z90Fv|JuQ#)H#)9gd+eBM-_X<*`Mp%VO-=Jq&In;Ai;Ikp&%1lK-}`ZjGy#k29zJ^} zxcAbZfmq#)231I7)e$4IC)HA>LxIpkP7S-x>^i`@@fjbp(UwsfyJ48Uglj=HSs6*^ 
z9){v5q2Sv*3+d0HLxY7P1e_1#n_OgIJ)9?#52B=d%-r4FkgT6|FXT2;C;?n)hz?qW zn4yGtvJ0+aZ&EYZ8+A7e8`(&kMS%qRbC20Jwm@^7HGnkP4ds~c8c^+Z;c{!%4snazcs@*Yk4wNb>D7>nzjg)3#sTnB66A~4|z1XQLVUG6pTRy%P zdMs7F5hw6ctWak) zT|W-<(ui=P2LMHRoJVxPW{dwx&&o#&JU(9qZAD5>KCAA5nYZg0^a^{rLjP3--k> z27KHO<(v=&qt7q8f1e79&7bynFM%ehiEKHz&x~sJ ziNa9HC&6Mo5@i=<0=!N9v?%7UdKQ*O^cxbMsK7FFX5?XYWZc#-OFO*gBS}PqIehpz zg{;(6Z@9HKohzInB-RyKj}?Zh-)ZgZPm)x+aUsux%QlW`xqTYy*u9X%(!iP4%|Ph} zvmqk+(v64ger3AjSmS5A-Qo+>+ zFOM}3j#-KsV}d!0)DlV}S{5&sXJZc-Hmsqk>A<&)xpBtRMvlAzdUu!|zl>#N2_pIxHi}V`v376;qdh9&+~Z1Oe*}4Jr6; zlQ<%1(h!l~Wo8;iNztK;g5g_{wD7vNn4!>aEOSpofEIaEs%0=zwk-fA8N2u<(TZdf z$u37abUB3WfdgyOo+GN!5UE8l4-h3k#iJ4yXOFh zpFUOb?X%h28*~pDz;7}4M~i}s>L3u;3yT64ign?!&kRp|)(z@Ie!i}?qCg9H@8h@V8i70cnf420R|F@_(W}6 zz{T94%XoCff8U~i;vlB=)=wX^_{8MRlS)!20oabJZXzV#Ce!X;zVZY!7rRWu?ofbvmxXFyGyCOj!_stPpFoOvptU5du_3p=yCDWofF1#w1sHSotej!LY*xR$orA*ra-wr)`bSdcx2ib*RNiMDrHPHI}je8Q1Zsmxg%w)@*bZE z=kiDvBfU}j&g`f@G9qK{(|(?XQ06@99y{d1&^iMF2xy0y8qLd-oEr}sY1gu%6Bi^a zV2iZCpcY{g0W46$%49SvLg4M&<;o*z8fhBr4fVz@a4+QJlxj|9%CY3saBrXij>az* zTqX*Jn-W0zsz~(fUWE{!@Cc=mK-NUEO=f@GaW36BP|+Xc+OQUcn?boXz7zEIv65@G znO8EX!-UeX4205b-2kCL%u#BJ3iFxiOk4mZEOu%B-WQjfgyPFF07o5z&8J@IAJhm- z>Q}F#HWU$!WfY`jo>QgQ>bA2c?sH!la-7usGuqAZ{NkDw>q-m8lrJhTXgQI7RsTZy zqO#1*OWr4Wxos#d@KS8sU;nx}W?0wU$#cXLo8Bo%%nF0*B7+txiXm|-sjFA3xz)yT4MO{>k!QlpP)9ATOSe0piC>6CSY9M zUmfLW^NIfq2>6!YHTHOK(A8eOPH#~Xz&7D)yNTvklwqg0sQ>t0_?r>?XHKHstHY!3 zzK#FqotpNdwbdFFtkJ3dS5cE=LQU{yUNOpNhMkY|3ZKPMADicf$CI zdbSgEr|3gw;-um8VZ;O61HZjJx{`vtQeAFvg!$#TX#^9wSk;Qs~b CeBt~6 literal 0 HcmV?d00001 
diff --git a/doc/pics/e4-vpn-infra.dia b/doc/pics/e4-vpn-infra.dia new file mode 100644 index 0000000000000000000000000000000000000000..a61f87fa28d3c2c00caa4df1c062a8e9073e24dc GIT binary patch literal 6303 zcmV;Q7+~igiwFP!000021MOYgZX-vMeb-kA^2;tjWoJZYcl!XXs z;_6SYUcG<+UQIq;4;Hhznv8GM_2||A4knYqD_->K=<9>S!}}K)4i*FX+3Kf*#bQ1_ zy;+P7r-RGU>!Z`b*>C6b+0Ar#v|P1XcQ%{M=7;YFlh;RIycN$^T>WZr zK02L`2EUbGT=Of&Y8Ss6&DSq{c{RHp^OD8Kt4B*pt|NcmTeDhq&5NezUw`$D{c8D@ zRzLW3txaFF6l8HZn4gcQk8$|!OqRC-RX{|(9TY><-g>ybC;P*lwhK3D7jE7z-1z$B zYBpcY2jj(K$kW+uG8#;msEhf{s5;K|*s>am{PEq> zw(paBJ|7RaKe!K8lw4)_k^df_CHnDWy;hK^wU96V9dg{Kfud8`$ zhU4q2$>8JmEvzppxz=F17&C_ru1CX$n5K*>r-Q5G#q4;EClVsfPXBv!mYDx9X76{| zQ3EJvv+0z#!)EC5)r=q4>t-N#6~*O`)-2Qlm4$3HUwzYW=JW9%|2H2Uv*=Ba4p)S; z`Z9;BEe!7cXuvyqcl++1$S;3)D^Y&47)*zQ`S9@g@Y~skqfh2I8{^~Q>!W|y4~(rR8Qo$~5DeS*3VVPG$l7Xn zqsi#<!AjK=2|i)~;5tfATF zJ{XQ~uD9JV)DK_q1m5z8%O}0^qYrf-{bQqoCNjNa%MYmbCLsj~7Ok+HVXVG&%Jd8< z@PsM3prKvv!U?36mQ89$7EN>}CgcP|%Co~rWMgFcvo=19r?e5##=4@7R@vyFhe}6n zT|&VYB)deijMTTH=P35TE7CftWH++OUE~^BpT_7N0y+!cdQ2$SK#Db;4_f3JO=azq zm0gFF-A|*%``P?ACWM~{i?a*zh-F{f~|+-=zH%!Z(NCj?Wjf_oMmY&);oO z3AO>1;0auhR0Kn5HG*3L1qSLHR;9tRrKpvu4E#(KLhT#4lRi+^Jb1Z;`oJplkfD86 z2U#6tb?~{>!7nrZ;Qa8-$IH{%CJ%vXs{^efa|?Ub9$ZKn6Jw;XL~?@EN29d7x2zv3 zBR>m;(8Mj=DKL>x0bu6)%=ek^KM&vEixB@C|IRjqh+S=-$0bRb^gNF$1ayo<0le>H zR2n=Ava6i@kc{%lXgYk95#M>A8x8sB9Pv_Tuxdb=AEdLZ_3yK($Y$F`Kc)PyA5qTj z|2e#18IgQCi^O79sQ$xG|M&IL7I$bM0Am252cWQ6?nfn9#7xS2M6E(^yc9D zL(dSKgR6SVyN@a^DoJo(7qa4@|-IxH-x*GGYccKO-AjVA9#Vs;#V zJDUve%k2K&RtDMsAayeqp0(aq#`$ zzWX^FQ!UX|nQ&&hdWLkhdoCVo*CZR1I-J1dp}`xQkhY9uCv+%63XIe@Ok2(rz9D$q z;p|Hzw{W+7ydgB`E%9Fle2hu+@tRx=C_$(g$wZg)GdVw#^E014KT~GGVgsrG2uKJy zXmn{+!7UPM??e?uC8Yef0BTpb8>4LSZTQp-1fi%AKpp!0mW-E3 zpmx4$*FBT02BLDJq{MxrH>6Qn*k z<>kFqp*r$&2oW`M3v+>P4glo_+dOBy&p^_IS|y2r&TJT+0*K#r{$Y!9!uX;z_ut6g7`4bS<@HfV5IIj zXsBAsx_dpg-nprOzi44=nmV@TvuP^O`}kT=-jR^BA{%O#WJjeVke4u{_9-IfkbKHu<}DDhipBmtTw8S*M5d+}m1rrE 
z#7s?{q$aFgbIo#Km>UXRSRbQgv$DabU{l08)>l$oZwNmJB7>w`Y6?J9gR%wcK=BbvvzA~xIJk?E}@(m2F)aas|-R9BSv_mTkBvj6OYh@~&(^h&e zEmlU(;i=(E9bdUwEHhDclc;JJptD(np=i-2gOD=wcZ(#)BzW-BND&-~EV@t`ITO_j zwW!L(G80udiK=!vy0kY@(cVOn5f7}lWI^{bYN+)od{2n$u!jxO_d2{rm0TS zl&M{sZoINF8fjH#<0fTk`Yn=G-s?zx6BGm&ikwbm7A!%BPvvgp7UpBQ^AxB&1u9R0s&2Vr1F8Vg zdpUTG|F&sW!4gRqb0I|)Fms|H8}Drw=73+$rrCIH$#^Z3%WS-Ma`=-m4fxpF#aM5w z?5;kxh6u~UcwOxCdmu}Nt%u3y?3QhF<5JK@eE*;;+n}Fs_S5>T+_2Z6-L)ybp{3zZ z#x^i_(ZpiRttNz!cJ5+dGyp`>@vk#keZSA`7 zW1}zzV|$u4p|ioJED>NZIZ46xjv39EB2MH~Kx1RitKb+vWhAGmz3vpuVGL$sV|kC! zd(tTTv ze;x6+V6Y!&)A53d_h0^Nytp_l$m3r(88)@6w2zVP41QdD$PX>Jq?Cb*^a_ea&G(Nb zr~uX%d9ccl@N)<(H**(vi!6K3WaPkj8&F$FNk$B2JvnC_`%qTvs^^vD$a0P>KQeF! z!{I|uB9%bo8E!Ah?KuWTUTbMWME5{xybQkw+Vguv=uh5`7mE$g;l^h_XO2E|=Eyf- z?!{=e^u}p4Xw#Z|ODL@@2DH={C5w`3!}`xIUh~WMhB}oQh*^(l4_IbOJy}j zxVo86s@(!39wWtN&z!e9rVPY0me4-5U?jICM0b?H44F7(Z1+4_DLCy z06m#M%YxS7s=g-f;BK)Ory+QZ2DAt7VoVr&k@ipW6l2g4jIk!iUUKXu$6j*mqJM?1fx0@;BKs&a#FnYkGhTam1*l&qWEImt0WNZ0-7mjXy zclG5?ZZi%g$H(p*`A~P_;|@i;WpbILES+qOwY59V*h2*HK}rz4i79IxS3szucec+C zs#)Sv<+_(VWuz6Ba$XBb5yXH9sD1Kk#}b*$B-Krls@(%cN;_T5$D)Wy$4h=f($NMf zbJRLOEDn11-54*4nWoyIsZy!TJk>H!)k;UKXB2FE83kLr=PF2p5y+THV7D)&qbY^n zApL$aXxH_liWZ!gi~>bxyPHvHGBA!ihFMj>Yu zK3_&5r~nwFWEAuRm60ugd(?-og7#I`RjaRh-aJ#9VM zZe$c7XB67WD3r=&c7i)uw`ps)CR@cWj+fya-m_v0)nF!jGClFi*1}H)-I@x5>l=@Q7g(YX@ zh3FB2Lmyi>9%!?CX49mT9u(;Y#wltCfIay~@II!Urg(?tfwB55kH&`BlOYIL8NAg= z>t`2#{C+t&{Og-<`PcHFKmYXV@6)&Qf&6><%Q*xE{0=q5V-3gn#U6de3?rVhA#Ecw zT=IO(7D>+R*2P(|RJ+9kf$0Tf4`s-NPMMHlB#bL0t)Xv81(fiRR?&H%vW%~hP3}_0 zhgQz}2{t$&X6v9+mhs6cOzgmZnnUXHgxD`=LhR3j#n}b_IUQ}P9;VuT6(|;n=7$Cp zX-ZjCf^u5I63HUjzF}tY#P5-xrqJPI#u~YWJCzS3>vOs%X(@-nvf(0m$4|A&F4qs| z`r&-e*k>v*-2LcDs@+k7jv3kY*vtVFQu@IRWR^ghf%+(wWYP36D5?znEHpv`H!z<& zne{=|2U#CHsSmzmxf^cM1NBeAGR(&|6#T3qWzRJug#w8Y8L1D_Tc}Yqfv2j-&p{J3 zatn7+1%)$Ze2i$I7*}YLsscx4jYC-#WL1z`3v+8>>*wQn1z_3ec0x}1oQTw|h1t@3 zHm!wJyJ3gzEP%)lk5>pf<*8tINc@-r`M%ML4LuM`FS@G8Z8G`6o8!Uo^5D%sZ^pxX zG(~^{VRiGUNCS)=YAgwPJTroE<8W*5{ 
ziyRe(%E+xYc^$tWPY(vu>CIp~A01?Gtflx-nS{O!Zw$Y*_>rsKz-3XUdCSBnFiB^; zTM#o9dZ-8-g+2p&T@2VW;B6Pi`?$iwvK@l-5D-I@9LccN%h$l}vIe$F+Zv-lx*#UwIoW6CB!hN2Zz5Gbkrrhq+QE0?O4 zem{$L??&!n?()l-(cI;iyZmyO-?mN=uRJ;1I|exd!(ndo%WZxyuJU2?6iDYA7;$Tz ziM9t;`lw9W3AY3*C~(^JLC!ud91*K)9kKkRHP*~7cdAn(wp?vwG-I8!5Pixykf8X6 zMyCP5qou0WSe^sfp*fH{lor%3^p=s+%SV-z(Ug=GP@;z9<4%IWV=9F zw;gpL=ZoZ)y7qXhR7f*#Jwx8wb>z0MU4PD|BD+MEL@+{3>V~lyZ|@DXbk-NMw=LwU+d1f-+mW9A)NNn8#Gid( z;p!elrCn03ApMmEQZaMO^rhP*8ZXmVZDr(VF>SSpTbKuLXO)muLRJa&RYL8C3Rjr# zSnyfee2r6jiNq>F`~=T7ZG9l)S-jJu_BtTL(0A@1j$n%mk5$-G-HRM{rCEcJ?_aod+#C^oRyQgqJeW~ipylRVUzndkMx58I~u zlgexjs_%9NYfTVV_d01K<2@wM0om=0-i6|QpsL92+8U5;jdpB}QmM?gMwe|3*8p1) zy4XsPjFu9(vNfEFdW9T9^eJtP(oJq%8cg)tmr^V?w8zqHYb3HYut8e`S~E6kHzknF zMwFu-EnD)G(%85|l8A=JepKWPq4XpG5q4r4SG`3 z*Y6cUFDoM9(^3{gId35r=f_5HealoO0XKdhI?*uk=J@-c-Uw%9zG{cB%B3?CR+s&x z+D#Ll{pSd#rUkzXYkB3PAc+8ib$uY^2#ca)11_nbRJzIXr9oNJv~{U$K=TInSZd|q z@~Q(Lv!ArZPg-|%{63Bnq#hboVs(VtT?2t#bf=*gSq78le;Ek8i7f2Ff(!EWO2-oe zJBySXp0ee!r-Wv^qmzzOs9(`;L?UE#yh)ozS^**di2?gyB{3=oFi}U6NM9&LIj_-s zHk4vO1gv|q^V1YnCXtzyMCnOy(n0`>v8j|-x zV=&#}t1sFKY@M=71vFDuhojG-c17@QToh}?MRzi^NRdRFwHzkk$;f%q&RQ?-p{^H_ zeKP!9y36vV%%>DBJ#p|fFY)^<)heQFKF6P%jz6zQkYS(jvvYN8f|u_ngO8*6*9Xft V{NMR}aQXGY{{xUyFx#-E0RScIPVN8z literal 0 HcmV?d00001 
diff --git a/doc/pics/e4.dia b/doc/pics/e4.dia new file mode 100644 index 0000000000000000000000000000000000000000..8dc3c4062bb6827cc0d11b2ad3ce13f1c08a315c GIT binary patch literal 5697 zcmV-H7QX2piwFP!000021MOYiavR67zUNb*=$mt@z|nNie-J4p$v<&b?5L#VxXL%G zCAlJT3<3-QO5(XV&yzfdUo1Vdphy6_B)Ge?!ZL#@(+0iR#teJE{`zOS|M;iR7n8xq ze7+dZrq2(7@xwtrJ(-=3r)SR(|Ngh{kL=-}UL5@Kbe#Qx{yCdx7X$jlbm8AUKRjP9 zFaPlD*{4sR*yMVVEoXB!8DFtQ{_Ov=$s~J57d<3_Gzs;7*`S|#1 znGdGfMgIKoI6L|6Y(Bf1o*ougt*$$nO=k1K$87Ta@S6|eb@*&`n`dkHx#!-O*;#%( z&$HjEZ_VlDT%B8A=JU#eMwGJJ+nPTF^z)vlrjIl;0FzY4wZS zdzF3BN+HXOY<@PLZp)#)nG_p=%pxLfhH}<%BMsc_$>YTxcPnnvt+;u&;>L^jm$UhD zo{g8=B9CXYNuEs$smu9QUSH1QB%6?m-M6d;tN1WpE@uyX{}0(@vC9IAUw?Vp9{c2; z&Bv$rKe%gGRNUp$_;h*x{&S@5D(-$A>FyuLi}CR!FZ=f6>9V!kU$=An&A(1S@7s?z z)P~}2mFD5p<|wcdBjYLhZbneJwPBaDFIvT!7DL6*ZSKN0hExeSKHj|loK}!c&nEee z3}w9xIWi1~fDDwB_2lJ~{Nnw|Y(Cwl3GFQ^2nl$yy|5cB(M*B6^RlLatn++)cD}q% zm<1`6(^6O=of7qA9na>c`TU`kaR$72fpi=|1J)C_IG=rbU&2)%HpGvSLKZlGzgS*R z@=XEx^y;Fxdrf64^z8jSI~`vw?%Ocr>o0gfUh&J~Nw59rL-R);)bI$HG7o>_W{*F3 zF`9M>Mp82|M9s8~3jmFmwhIW*V&GAK_$DBLmaQRj()OBGR* z4HMQ&QBIA3L=Fv8+zB01l^d^Y7e#i=fx4^6E?Ki=&APN^qA3C(FiQ`oVcOJ&#+^XG z3lc#PlAw`P%zA?cQ4LxftJ?(#P%x|SB7u$w1YntzcMY0ONRW^~wtxgKm}%=&TpV!0 zGFzzv3i!v9YavBsAZWO_U14C25I|Hu0AMAOK!aL?6*j>@f&tYO2IxUiLy!z3VgSkT zB7och&7=c4M8%YZsL`#43)|)Sr@Q;rAPA*V7y&V#e*lJeh4J+KKmF(b=Y08THvf$t z|2Nt4E;&QEH@&OVgf*`B49tp`bfdgko>6(Q7B41{Q z52SWZ$0y6Ee4~Z!+X-=iN#krcjDy${a3QQkq0mVHV;el3I|EL`r3GO=({?rA){6D= z49@F`_%NPKb`Y^%T+&zA__COW>o8J^_gqZCq0z6LWMjxCH-d$fD&&vD) z+c-R68P}kR*b41X#tagWBq$^SNg5$xfPe2PFa4sw)}WOw+$kIxGp(MmK4E>r`tGs* zP6YTb^fxOB0lUVGpBDfHJRnp|#!r%fTQ3PUjEE;2D~x|Dv2Jv3I(?r{Ps4I*EwYrp z8-XDzC7^D?nx3MQ%gygoR;7I3P5tU<2kFnf*g~6||1&rz1@Q&5qz}tku=#`A|NHz< zY%R6qv#|QCUjHoLF8ba0LTv^yfw$nhqBBGKsnCkJt}Ch_2uRRKC?=G#L&-owT_xRc|Gj3c+*IIceTY*!IXEe+Ro>$Vb`No*#unYe5Q8W(J%^r+lL{F2~apj@#T z@bOF3XuM=XG!>iBR4lXfO0WX@%4f_vC(#Y~479>$?kMr!^3TgMCWCE6;fbso`sqyM 
z7<`DhTO-W~Rj8i?$B*gc$vyQO!gOWSaoH~NC$@pw~k(d8nD~Q5rVgQbb-8AS8`XvF)l93Eq>wxG$9{Zdq4&ANHnuS34wDC#Jh0?})g!O6 z1v8)&$UqN-adFK+A&CgAL^ncWuAt=*IWvySJ}}tq@^Ugh`0nkSgTKChcQida_~9>a zemuCiUi@Q{$ZSVswn|?Uo!vV+yF&!2@tFuDJwVw>2+4Q}7(z(O>5-Rg2){xIDS8B{ zYMG^%3L#}*LrCP=v=&3MUB!^vsOc~2D{W_$oQ7#@?C6eUDe9hF@6rr^MN7MFXrFAr zs8kt~jooJ(TLn(0g~CD{VdDc2f-_;9>%z4rNod5XQVd7* zUahi}LMR!zRIGBHrI$*pY;Q}&Y>USYRm=Soe#oc!oZ#=L*>t=li1@Ex#>?|TQ1t&U zGro;0xrJrUSvMplQ#@uNw-;nY5Jc)dl0e#RV5k`ftQ(fti@;F}8@N;NC#FE4@7iF6 z)kZg(v+-avC?*XEVUcr`+SLZW6gNt7qxI3pr>E-_cS{+B5{kIF;t#mb>OR-WRvP11P3(0?qJnJ0H;T&(e_6yX?hHIzgsxQyAQjRg6m z9SM>o$a696q<^}!;-be?tcCsCjfzR(6j=Jfolwmt5Ix-6N^@t8Q}n}-T{I%)@DdkG zIlR5>ZH2lGf7}Q=6!h3D7jqo3kc5_6ktAYPphtwBm~n$)(b_Vnlzb zF?C(+uNQAZS=plM;dm49^$&0NY-$*AdZ@oRHa`ah3=GPlW70W{8DjF1u#hB4(g=j_ za#frQlCHxp%H-ji;0@cnq6f66AQ158(EKC2Wo<@NiR*LQ7=y@@{(!Jk4$ST*N0#7Zp#D25Lx zRd=rZ&VE+qI!i7U1RH`N85xE~k>?J`Y>y9oG~T#f{3*pO?Uf;?O#pBMMnpaAp;eVpO&(YBxFRO)TT+IU zw0}}bdp{!;0@1Ngt;|2=?0cQ35ztmtyAfI5iF+AF&nl`QNs{{jKByf=swq=97QDOr zP_@kMOX+*6(Ep9T7}jl@@DwB}DBaM{C969+bx%?>jrT7dA5R`d%HbqRQ!9rf8Xt8c!)=sC55-RNm`9!NND^9E zpTiM;Oe{*~K!`pZAODmehdd7bJEd?sO5s%LXG-Dp@Z7j)e00q*?x5&~#iLTzFM>3a z#*OaCB|k@{P*)0dRjFb^rhP`HU&m*^W@j5AqA&QQn&Xo(h!A?CaT^z)NRXEVK1$<# zY7^=n{Rq9Avl0s{o7bPJFv)%h z%t?sbRe`9T@sLL zR+2QqzE-0W=Wbcb4-`ZCQVyI59 zBn#DtA$#wRzWw=~Kirjy2fD$kO5IFYwZ~)a-(<^^bNV^W%lbyk#>XdQn6eNkj^r@` zi*U)U1aU4#zSK$jDs19XLST=pUR&6}ojhvJh=WSNo9<&S>NpIe&??l@aAhsZx;#6% z)XAkzE_D|t>15*rImRB=w+qf6( zh~a67`S4b)@t!Mv!+H%5T*{4K&m%5PPjI9{vo@b#Fs&a!{AqSPrsv?z`K{!r_Pyh?F%6uM97^zBc-CT!{ko3<1(0aI@q zz^UeEw45)>4WkLcVbsVMNdl52m`20h$hSxpT6oF2zU18^Usa2&zSIwLUK_hq@*t7p zY-s_HytMXs=oI?eeFin}H2$oxg;9UTt7pvTPc#3V4He_U2|wbGhysa>nlRd4SH(5- zjfttD#QxE2|SiumK^%($rh_(lwl&@e7T_|{3&BYOPz zci+8D{J0~2T&k6cB=2#V--D?oC0j@>Dbfnbv{iAlOG*SWB8&}}7Ol5=R`oi;)Nt!k zjw$7sQjRI*m}(ML)x5UP7oIWYqE_{h49*BiLQRlw`9h9Nk2vZtKYssX;;7wl)DneE z1htRpCEY^$+aI7nMarP!X21(MA^oi}h%~)$qQM~ZEnXOZhB6^kXBqG^y-X<8N0c&c zMEc|qnRJoke3Go9B?^Uxkq=1v$8;}9)C!}tOd!>9sBcp(6GHV7p=|Rq9T1^z#)`PL 
zIx8_KN7lFY3~!w61&?wbqpXicC6wy4V5dwq6HfIJr(E+;l<&|TQdCicQK1hw({2QU zac8_pk5>I*QYv9orva%FwM-DzLx|G6IYdD?WNJiIgeruPX(S?rJ|N}Kwc0*7d&Hm; zE_H=V+q#%wsgJM(Z5;780VQgmjM(*re~@FCud)T`Tdt6FT(~of?@rZQbju+&FbYFsZakYN|3 z=~fPrCVJ!gMVeA5yd!9;(8q*MeMBeQLeDgVL(8mNYx@lBOa6 z9$NhQPCf-N37dc^0n>x}n6Rmj*n}LV_R7BY3*42eRUxM{jV2#_yFZ;bK{2}tq#;mg^COP!_Zwv;j9(q1=ie>FZ^ z&OYVy!JF4*_|&*CT##c$DnUPa)ItLA6~8`3rvgG*C4_H&NK~r7joX{=-7byWfl0CU z(h>W%OIpj?%cQ>Tsc(Dg+rE!|+fC!zdm$JnRE`S#g@|JMrcgz<2kguE&38u^vuR?d z9kJ6bZA{#>k3MtbqI=GiQo|$8blg@CD>(%z^@H(9oEIx~50L5P{P%xdWP=~xy?XYY zq`$`h6n}>SFratHK^$>;^q5hxLJc4dC6AGm0MbquKQ`Q@AK*DgY!!(*I9lk*RTo#)canf2Pc=C zU*|UL9$|nkUk%XJ>+^F`rQA1iic)TQ(-n?~ z({McqVe8~1bTl`mTp^R0?W37(T*!@nHh^#)m{~6gi-O5uW>GUPf|ZpLb!01BxyM>Ts}tm5f|!yZ@Fp+1bvT zua>K1vb3FA+9qI%F}#l5lhYPjFz+a>ZD!1NHSge7k|Zi`-i?$x3~{vm%}}?pfjcIt zrLwmcA*lGSaV{JtXL={v~axF}3o>~aPKvNa762p7fhlT6Fg(r=wkN#tf%fsV8seJ4f(x-n_X*Gn>nN6Klo6jlsnNXYMp?4&!-!MvRx2 zmnBR_=}wov#T_Mr=V?uyED~unPA9T^eE0aO#e-Gj%xpF`zR6{uDfgb3;wNo|#l7!; zyUsHc@%uQEJ)b^%HtQm@^}m09qfwaieg6FU+S=MXcFL{b(D8qH`W`P24}pVrX?gkf z?b{>H%K!aEgZ<{soBDD=s!ALFy)k@nbHIOpabegf|L>Kb)Q$~Y|6a+l2l~am%{9|++jBJ)YF1zfp=efLV6 zb?hY<)4_MwdOvzj6u0DDR22{qP*C`^G&|zy?jFV=>r;7`J*PQIm-pouhFkAcfZgzdW-rnAj`b?vOyD}Xw6mHi{ zjD*o~aFky7aPvook>1P&+fI!jX}57f{j50k*ps_=?^aS$Vq#(%YtLKm3l%{tzy$?BOa--59&7K-#BBv(qK4qC=c=YJeq@*O3j#T@Dui`V3&ONg=H+P); z`C-RcV$I;-AO`Df-G+h7J5FfWzBA0R4DO@)`0-bG(Jccx*iwm*)4&ocXTdk@D{bN-bMs|y!6 z^(xECF8u!bjFBZZwTsYD6DiQVNB8HxeKbj#W&MI#ER@R}ld$>5Npy5|UHdJdS-8PW zPL3*VvHzZ|m9=$LLYE2hjROHFH ze=bVc)RC>yqsVhUb5z@ReO0pKs-4}+aB~`E)*4fF(_WXZMf-+*+>=y66Ua&A<9jt& z8^y=N6HJPK{P?l!SbKJHKtMp2)Egf`A*`5hYugd#94{feEBk3{gChD?cx6Z z>FIjeov~bX}#szKscI(v$rC{i7XraBO<{p^5SO)4U~D$}(FHJl?6tMsvBU!I7b7G#>v$hT|zD2e-VaC5_$%yXQ$9`|c-w6pMGvwd66#dGJ* zMY0_%7k=sP?ryiU(!ntjzf2vBsbF0!qyjhTg|y}f;ItV6H)OqQc{96t-k*()SYdcJdC>gpo99OuVP^7mpB z=Ux-@0fZ9{fY z2jFMZe+6u(zuNUKG3i$&hws^%EbGO-(;VL1dN)c3($mxJrUt52q!%YY?OA01%Sydx zzo3!zP-7xCP()YGwO;v>W_+EYC@&}Ho!i9oRJ|rlHTg>YbD6>Y29zb4g(bPZ(0|V^ 
zG%6~}c#v7tinakeH!@$B|GFZa` zncLddie)KY(s zQO4uCsO~XN%cI+0yNvuW^O+EpCp_ouG&E?_ z%I1F#4Y`l}$Ux*+oc^6Fw8DI(%RlaL^kO|0T0fo&+is(+nweYznI=V#7-deJ z$TTfIuchUa&cy#Z^(E3Sg2X2xNCQa2z_B?*_q}qG0UHALK(L(W)ud2F>JtOBn zNuKat66<&n8CjmckD0mJg^r&7ljK=-b!%1(JAVtKG$AS`rqk!5 zGHI!c<$F!Dc1*mV-rYe*NB1$`YjH5jPF1m|a_8Q|RpU4Ja2-DXKH29@`k%3}x{#Ho z2P%okrB7{7 zhP#R+O>gW8n3|f3m@6yjQ)ieo-LYtI719tPxO3;u!b}wvl?1Iz1_sQfiErONZtiue z$u&oAxJAS2F+YCA-oE~}`<)jrUZm>P#d4ihQ`22CWGE#+@{AiWJj49}v1SW3b#53! z$H3*Ba*31cD^9vs7_&#&sdux{c9Vt#w6tZ99u3z$A|j%qPC0(xvo<#;rfE0Khx@kd zd!!$ER8;hGNB$Ug{BCxsgkiEOQ&mku^HtkUn6s4Lqin`J zzgru)gvG@pOLM<|{v6PA_yng;uBJEV2R-d+HO*$GSpnu$kL*obcU@ovtPz}KjP#6) z$VdLMWX;IPSPT{EV(BBS}(UIvM2ODSy53jr+^e49bNOBJUG$w zQ0@8W+cPXZ3RUl~|Gn8PCMl^WiW%0hOKa6FJgxNer@+jAX-&jSPX9*W&_&>x@vfpM z83_@QzJlDy@4AKl=adFF0~%(MZG+eG)X*jVAn>amoH<%!bz{a<2b zW7n4i?x$`_WLR$u2?=TSZ*6U@yvI>gSopU^!B#hLw~LLs*mdq%?rXK`T6;tbEDODbwd37@0^Dke}3>EEO~cm z^<-s;m&jv8!dMy4{J1zdL8ezpNzYGuFO9q|z4|>VEH$&H%ly)%>JR`+z%cj8pEr!H zRCT-Ef3uS-KYTDlu(`Ki27kfPtGzN^w`KpqLb7AjovHbjY@=DL`sW$Hu5EvD>Y*cG z-V+3kuS6_SCM!{_tg|hdCM~Z`eSwbSDF^YSo(irzQetKCcdS9f_wUmcVXVaPgAx*t z?rmaxSYzYm)uco2xhK&bc%>u1x@0F{o}Mvtpy{S8&6i3I4GlazJb*t|QPhv4qxmy8 zBwHnyl$0PNSlFvLIQ-4K+=6gaZ95hGGNSRquHn=1xBlAKyD)=ot7q$trO} zp-+VCSNkX8mmj6dqzPSd`i6#5UJKU})glf{Yc}+2kMBHG z;3Q5Xo|NR&wpMVZqvDlIFY~^AqpjI5i(?df;M?L6NwzK)C?$v*y@Zyv>Wyaex zK5pnmW&{52D6p?5ZsLFor5l^5`468JHZmQm z2;D0Tq@H={JFs}tty{MM{bfAoR)*7FFO;t`7)2H-a?{nt%9c9xSAY_Pu}ZGtPoK@R zCtv#mz;k%dXksuk($i;VXMqo+CGGdKv0>AhuN~WVLc_6#G&?f`6a@4oyY%N}K)`15 zZ(Jm4V0f5cau-cWgYA&O1hT2+e5M$C^45t1PW=@WDC|1g+JKy0R#sL~QPI=0-eT%I z_+5wp%3G)3U;X^3Tqm#C*)1V<@&7vH_L7b3wu$%ek3GV@P0oi~)-mL_cQH4{o!T^a zco(w>Nn$yz?1j?l)9Oz|%D;dA{`vFgZ{NOQ9O~=s8{!p#-~LgQ)LT0L*I0(_*|uId zW({1mBBMNc>#?lwnp=;zBr-m-@rZ{YWsgy5cy8XZMUh0Zd9JfH^#h0R$|+Kg+wuR1 zp$^xlsWiX4pDQazJpPA1#`Ny`e@ia6ZTtU}tN#D-bh}(+sFMHg*s&w?d~x)%XU`r# zRwjMAMRU3R%_Za@@XO$;`uf+%i=;Omv%^>t*j2mspLiTJH{P{8P)#o&kd~tTimm|x z@#V{x!8S`XLs-Y#w{Hgw=8g|Pa9ZM0Be%4)^obKsgOGs7Mn+UgwNb)*gGo>hxVX4T 
zZvf*H61Z7eV-Oqf2c3&O={?piPK?GL4-ap^)&Yw;OTx^9uemQy4I=ymALQhW(|&c1 z^aeq*u~AD{_;p#C9I?H`+fzj)q_}t$sX?8@ckXFWSQt&Vlz4SnUI!4#5cU%DzmxYCxxBO}vQU47|ez;+S?Gqd~h+!bgG z$DMxBYJzPejs*QFp6|Z=E$##Mug~(BByq>CT{BZt{6az|@0<@2+&w+#M_TR$NnGt* z0A5uJV+muIeiXEu(+6^!>@0uV@nZF6cu zf@OIKBWYk{q@&2qp15Prp8Bs}uXeuuo2>aV=nrxQ1{sPDGW8(>NN%jG@AIIfvrn{M zpD#vgTVGqAAcLiSKU2QFd2!B;7RfhYue}ZxB2N1}t^ye@&FG-wg`ljL){H zl(215cKyh}$k^824vMK|%2AqxT_-0b0+Hg7T=_Fu-}CC~_k#5OPLT)%f>w&y@#9Yz zOIPQN$hoKdw~}VYizaf+*Vk5qlMy1*7bw7W31a|A3UFmn{*X^yC9x6OLr&iV9##ES ztYSh#RrmpeY={G-f!^K^A)?k_EoY~vrxUdf?aU7P^D%IzR>}D zuCC6&0ZTpIM_&G>4nNX?pul*0o+^LjuYrNAKI>TTiebqs?GZtUz_lTQ_j9we&B{4^ z7H%~AP7MU(3$CO41lEwRF<1u<_%r^li>Vxzv~3Cs+PGB_IUc zD}@b}Lm*I2Y{XV1uV6^^y*)iWi7Y3sXN?A2YE0NJ;DZyUuK|Q(ltOia|1_m&o?IS&`t+%> zp`opnRmC~Rq*t%@GBQFo$oZ~fU|=x15}B5kR#M_~>eMMKD_#P?Xf)y=_k-W{vGn12 zdE(NNk0T;<$YiUlSHFHefGc9$yO))j`M9(+eFH|s$;s*8;`8wEa4Zfk@7pVUo;Exz zj7HjFX0%N-MaLGRhPCx+Qc6k+&=6atxLxc0AV_+VQBkK!AV6I4D=RAiNp#^4A3n^^ z&Q|7DIdg`KXk=uhs;Wx#SeiLRFfcTP#6hQt_@>Ma)zQ__vCk99^m6ChqXeKhY{HNr z774p52jeqm&e+=W6OdO8^z|{L*7eT`;ZTKeL4@M#f8_<4Vje#}CM8AJfH;g*zu4{Q zVrqdn zOiWCI5AyNx2?&G+v54DR+Susp=tMk!evU-LB6dVnRNE^Qap`cl@7=Tn(mHez z6Ym$zbMW9nBJm>@%LXo+KEzg}2xzh^kPr=QHfX$JU|{gVQpK79@P3LVgl}n>c~OMt zQ}j3?=?$VhpZfDZKoL?$F8@f6^<6v8&z}mM-C{vmTi@6=%6}svcKF}C+1b@)a9+*t zT@tV@DdF|&`pls%l;!t=mi8tuG*-Z*qu3{p%o*Y`vkM9&#l*OYC$}87=>Q6Tr55vR zWJKC^RR3=OvAady%Mt_=%sHchhkm&7=Mb-{R%{F>wn}UH-83|V$L^}{d_xI0h-Awo z=iZN7$el%Q!j!qqCdRfxSbo@lEI)Y{A#A@)bpJ8e9zlYTK~6xk^*kN)jt7iwIR~FS zd6Hhm*X82o_WRgfp;!fy!mVAs$L@B0Rwea#&$Fl1U)_qJdqFXOs&4vsy+OG8w$ahi zFAklPy`KymzQvuw!nE&x`d_rj_4J>g=&28}%ZNUGZ+~_lL{)unOxaz)L)OX=g!TSo znUHRNtIX!P8)O6Q$5x43$~M1#{a9N419=mW07iq2 zwyu@ODjmE$Y$eQqH9mz@cmz99UUorOj-jb4%cl-bGC$&Z4f>f^o#FHyke-nx9h}G5aEFS(IZFh_rFDM&FX_vhmQe%eh3ltoyEi(gx6oa za`|$tL+8TZeuJZ&oPPbsgoTC4Ph~tM(oA)9NF)gTmWq#zmXTu|=_@{dyxITu%tPMn z_}EyEN(aGuQ3A#@d+FlEi=;R1(^lm74*gpR5}oM~J=oIBHk zgl(btNKJ;1?>1xU%9Lu`cF}7;<;ZNu9l3E8)Efw^&?M7O)^587`Idab`427OqNQb4 
z-_0#ME&09_O_bDzOq47i#%H;1js}=*-v}V}IRw~)FCJN*Y#DlqfPh9{>43~)Sq{qM z$o9LpmrK%2zr+uFFq>GEO_{Vs0b)*eHWq3|l_Cl6V=Jt-s*rN6>K;5hg6)F^OJbHa zYrUyUvc!!#uoh^;0Eg#VneD_ggQTAUr9+Py#=2@4tsQSs~#^>Uh1sT~UoONcN2>!g3let6Hz z)NY1*F=gEmyLHFadT;Z$9PimQ66R~-sKD47le+z7NkIsr>E6s#$ys`(pEKG^9|Oc9N*A+2LAk98Lp0RsZ@lRo?S7Zem&Pi&E9L>&m2>YcM04Z>5`*Jskxd^Ibpt28t; zi!)ikLsqi}@`k5RpC&uIx$zM(8R6@R?kIo_4Gm=&=9!m67B$k>pZv`Pp}2N9m*XDj zi$VCaPe>eQijU%-1l`)hv9>gOdF}LHP*!Bqwb6?R>jvJgIknBr2*kh6BXg7OS~A(w zWU)XxJB`=gbfAdToMoo)=){wt_r=8q-gE6;ot^sO&%CnUys=bVi}>1_Z4nBc>7zVJ z41ooaW9_UWwh~U8`W{d&z3SW}LnEVHqHi3w94AxgVr=WCO`DAJ?W)gjBe;yUM?Ryz z(35TW#^ytG?uU-{_8g+`;hT&UsV@Y4Xsn~a&B@8498fSKG7_>wR{X11d};N(XCaE~ zXM;9S^3dyJW?tUji}V*!d&L~A1mK6&6#337DQ)#-Ls+zcIuvW9A!`OKWDs5|ZGk$# zYtzzSJ(Q6^829<;{O8+^X6rMhi`zdv5EXcK1ZA6*fT5n!(%f88)pFzUfb5(cbH%lU zzi%D-f%6wW9mCDKxw-j#Tv%GFIrkXFn`~n30h3Z6@AB;jkl?qAqFM(*bZt5x{9;9_ zIN^vH@=MLLBkWSn7wnl=i{8BM3ov^XILNzeefy{NOJI@5cz6P1j{qjDx&) z5HJLChEknBT3T7A{Xc(}g`}4>Zhr{nQ~m368BZ2g)@k~R+S<@&>r0cmYWvnq_DR@1 z9t{9Gn4g+@2L^05n%oHNYZ49^Biw z83>6eCiX@(>M*io)2tko^8qQTclalEUE#Ifo0*kbwb_CMRJh(s?Zvs`l9LZ+>$7oi z2wQp!b}DR(UI3HEy2(sT5CKlcx6YhBYn)?Q4GNMJWIa2Omk*t2QOeI%m* zfNAkgI0bSY##-Ruh=uMBJs?N=LbIIQwrHD%_&^e|*ZxJOJT&En$zJG`?eE=1iyWA` zH=AcKfR{y9CttF(WZ1V)|MHJRScJAcB{Hiqd{l3Kzl!xyQC02VYlYMMIiiMXTI3oQ zv>?vkL^*XU3aMq$jvM?S?mv5Gf*L)h9#U_zzArX}rl#id{Dkjx>ALup_L;x^l_clE z8pf0EO{k&*=%|yhyC4D{>9~%!AEniFcCJ7i_sW-QTToF;_?-HeG1d2(KY;!9>({px z4#*Yz`T2oalB@4KXF?o-Ht}vh1sTd+?A=U=uaikm~rQ<;?$1qL$5d3nj>y1rJN*DTe-cW0G&-n7?i+#!BFHm-~ zXH9?Jhyk$~mHNmKK&O4aK0Quyo*(b}^5rb5WOw`bpY*yu{Yx#MiI#&F)rPFjt373b zUoSrLWFaNAWf*TK6$B?|Wo4x*B^qHju7X$w|9N@uB;AzePL}?tL<+*b0gZ7{+_5%L zG$1Y*f&rW#xt9+JeD3b{fyOs_w5a<5vg{Jzij?c94fv3qT_=jWL*HLn15#M$=H#4Q zozX^0)z;Rwu&~&(=N?pvW4ydd7o3PokTRfRQjXbKlrC0RRzSilWYgw_#f=zd$2y`i zELa&Cbqx(w)}Qmk2?53tMf}|EC zxMuWSspY_HbC4z&G;qLt(LAefTZo}oR8q<@eyPhNAW-}1lY+XsJ!-nTtwK~(Wvs;G z$B%>1;6U-evu4}27w`UBm!)T9wD}|EVS9afCM|jRa3)9vs+=A(Hjv~I*+I{@6T$$n 
znp1UygM$Hlp`;%@`WLg*Yu_PIaGa3cVcXW7o16PGKA!j7)2gqNll;*W30N^myTthS z@82UFEJRhqrIvB5e_EQ56UcRSmq?!YULV6f_kalzd-Vg`1b3i~oQ} zLaoCoArUA?04e}%nW<6{b;f}wDzHff*kyfA9Qk(~J(^9qkyG?YpTOr{5j@6l1mMc5 z_ut!h^rp-LfHJHSYNSvmA!sPNW@cQfhLo^ZlKEG12=Q5s7>;lSL%{d?dUZ@2BrM83 zgSwH3n$FH*9S8T)4v*+9)SsG@kYC#>f0EO(fI$A^q50tW@k0ZGJb!B7V!#H+0SknS z%%gYb#wW^Ap@CX=ehb~$O(7kS8=*0d0`KCmwQWbD0wTctnOqXk zjTL2-d5jy}xiW2EHc+)1|?pL_z8M?da&OG?FeLEVt5co!i^gnN^|1N zBA#O_&&<#B#bcn$L-)chRQUESH_TAsF)|Z8r?p2_NvQ$~RNEt*@UpwJeMq6x?;M+J*k;(7$lTan z*vu=5vyL^ZPg82C>8awFuDQ6-pt`bqH<^)!|0vYOa^L+_I%e}kofnoB8^(ER_ zhAE~NPDm4@jO-__YqVIT3{q5WEv@sVJ{hSu`(n5HZYmBBCzNJqWlbU>PkejfUs!m& z(gFPYnZy-C4-YBNIb|&~haF#ETfh7zx4kW;%zrx-mHk^7j3Oup!`vYG&>YW?wzkFCdp?^3 zG`OO-1ni3aQD0W}voTRsE5-TOmnU{RjYf?GnR3O1ASPKC{pl!}0MSES{A~Ug(zgCZ z!1mjN62EiD&%eFK1r7PTx@;sXV{D5L>Wqbjg)4PogFbo>RT43{yv&gLEju`5mek3S zbup4@$9YpF$jLY7sx}8GC2&#C`6AB7v$3-WALQmH>24{P4a1(z4_t3Mh$;luWXN=5 zb#-uEbwRg>>d>@LK1BLt=nb8-f#1mC*{jOpR!A zG?bW>l={DSr=xhY(wA6mNKXr68|DX@dIVtW-F{Uey#_yxIsVG5tRwm1^%=w{kC32S zyO@cQ$3O8#6{=itf>R4}_d%=7smaOv?1)1*Qq6XHxugRAuFgC9IwI7;l817nUc1V< zKtutm_lx`tw8WHMHc^dtwpCYG!@E*jQ$vhDYEc2fT0xL$ol;~*@c>RM$bwL!V-O25 zISnsQ!v*sfyB=?xbozBxOX~p?Q&4KGmy)Gn*sBD7yjc1L9)au*x5T&a-#vdnbNi8Q z@JZ70CBLBHQ;93>|B7_j6w5=eV$YsE%WykmM{Khdei?c`YpFM0j2c-0x?R-M)Q;6r zYTn;-CqaZnvhZQ;&5}{Db_wLgJhSlLUPe18+k;gA=q$-OMhGxto{#5J|o$sNiY$sDF zB=$3$DmdG}YH8rstr||%TLLB~uJ>Gyiz>@EQYh$N8L=AMxy{MZasP?yawIIPw6d}G zxGkyXj}Z&(JMzPxE%hHer%QK;g6sSM7dj4N1N*KmT2u5~h|)RKI^i78 zEvwnjLV{$!f02Rz;>yBb%rHjuI|beMLk`71ajZx^jC0a@@;nEeYs~5bK7g2H<7#ys7Caw3g_P0~>+1Qh-7nkSqm6F!`$^@3I~$oY?7Aa<(8`|W4kzy+_?tuoDT?PjkLp+gLgUW+MI zDaM$x10O>31zWKNcN^7)WpbtN2J~yBw7cd`@Dn7SdBGq|qw7LQ>HMJc{xkujEeBO) z)MtZu!HG$V6ityXP4;Y%i-Mres}`LwqS>?^D7?O=hA!ubjJm1mdO?qm#gjD5s));Q z6T7r4Nl`IHMMjYXhlYx%UiNM{2%02K3$8u`eX{$Nx`}#s)$U7x?yzL$JV|q%=oT8t zYi(~wO7b48iNsx^-hx>y!FAleefrw9Nw722IX3TQ2vN#P!1Wb)&4C5w@uU+q4 zVvbrU1@1N}q|OyF*+3{@l zs&1fjrn5at=T@mZtZwSMzmzECPm<|Dja(vx2nxSj>OFq)q|b+&TOb+zSdKE@BGarN 
z2oq2}^a8jUQJ3m}OR2xIh!4a0Ft|It(?k^T0Flel%}o-pH#>X#jvZ3&QwdAYnf}B*Gp_fmXOX9IszbAf69ocA>hP2Od8;`R!*_=X>|>AW#d}1C&dic+D@E+*lt> z`b|d&KNC5+ROf)g092n%oBS1S?*@9oRZ~TO;(4htYglkK!$9HWo+8L#qjNxvAS}Pj zZfru-8$r6}aa)Dg0vsU+?lne$XX3x3iQBg&E?5qB4?+=R7%rc3goOci3zZ&~l3GH5 z0mV<)vHuCGn#IfGMF3urYzcQNNS8<JVhqSR|Q)k+si+Hcjw%A2lCk{NwpRU!b za&3j|3DZ0iBclvP50VQ>M@ws}bbVEQwXCLV7I>uc4zo6vB$67I95fq7CZ^|7F1BTU z8+02&fB{b<7lTrvgmXlolNg_!y*4g%SEiRWk9z(Ojpsf#tZ{v&l zC^WQ|BD{>;z^ZB5SL8O~itXg!Q0P9Llqvg7O2^O0*WYr3j%>9HR)$~89Ngj&7k2O>rb1T8hKte+Lqd)k>x>gJTfQw)A(=>Xi$BOqJtls9b>XT(BS+*zo5$gKsncQ`qCc~!JVQ-{dcAEMe^)Acdcrwq1%7v=>} zJ0dfj{`M&nqh&l@74Mx@q()3IbO9DchCuWXZistA(|pCNES96@n>*xd z=)?)(_wL-+u`2bP3Ef;wXl8$42caht@(%id2usHBDs3y11 zQfg)S0!nV^V^Aq-jN9%jl#H|zeQN5=MfjcS@+ap7auP(a&w1mK0&4U5=c_c_n|7T^ zVIfdRL2jB70CjSriQl>8J=@&nlibFX&B}GeF6*eBp)69}jT^Y$A8PUy{b}#G3Wh%T zoMN3{e)5$0sChu+W!~nQ*TaX_RAkFXWKqn`c$0CT7x}mYHC==(5H-Z`R*rpyEnByy zGSjWccwlNOc-ke?}RRk9#6$#fh8|Dv4Lx-*64EWVoC!@p=*- zt~q{UuShjEL*06LO6sRqzw>i){%we>&8dtX6e|i?L?^VIA3t1Sf&?}uH%FH7VjFWq z&VC6GRVuTe;F?DOvRAecs=jtRi}s)5k3?72{h*4w>}hYPbx$k#e?XqfXJll=vcM5k zZm#P>ODmss9Gsqe?oXdZ$Kx0z;V$n zG*~{*cRaY!R_@QQUlns&Gw#Uu9{~9z&wI{9F z_BhYW!SQyWg`wC~Gyq_ZDN*4J+E`Lj4iPd;ipW1NN7Zy@!=O@=ugp!CA1K>jU|zn1 zxU@Ro6FC<*Q)MFo>GwK4g_CN67!B=ZDSW*RyVJr5mOQbMQ>mBa4o0fLtO|%D2{Z5A zei-N^Ah=+orw-+J@&e~kwmNiK;GOJj2kh!kA3ws={KDsrRtj2#?0|_u9NOEnY(?tkFr@b%P`m$%wQ1Ae8(KG0>i-nRIrp!r(!!3Q-uF$nadJ*BczQik4n zj(qMJXUq}}ek4af_=uWC>St`UIW)roFN#O0{oT+j8~g(P3%33H508ejQ=uXzE+LT* zn6#qep)m+^axr*0`h==}UHTRbYpTy|vmXC*F+P6UZ?_5IkAtAce2J}0bA)x{iNqBa zf&*LBqem65dtcB{5RAJTI-6eEYSJdt!R3U6ftnh~l#X_o>2JBzQ8)T*{n7F9ujAJ` zpcf*^3hTXi`}TUp9p;r%e*nl5*D)69dELXhMXs){=O`|mwE5IguvYQOQAhwZK@^+NtO-LZ675VYMK?foejg*uWcoccO4IOBxlXaGO$1tLR ziE{`ZVbS^2(lQUMsS>N@aw&PM+GfafJ9lnFy}Rp`ItTHc`!sK4(Ei`a$@dKJT+NgaP2Eh@0)b1B^7QtD8Ru)4Rxo81{`7^jKBzGdT9jFA$Y4n}+nETu)^YTU+I3-XG z%^2U=1f77$asTNthnpEM;KX?T^r@hmQ1<=(%2&Q6CiMb;GOS;5ad9bzGsY-TH@m|z z<{%v%EnNfPCR(WU3iFYCf#Wks#7kH;FO|X;9^Tk!8h8H#mE3GA>U}dq-wpbDSVFc0 
zj3#lL+)F(7Q<%BAWmY*($?%=?C0I6N6E+MVxe?1X*lDA~1A+y>n+*nCDMlVc&`3`8OWcDe-9PI`r#hNLZLIWBa8a zq&S!v%NfYB>noxJilX7mIPN=z{0lt6DV!r=ce*k ztwUD}S+|Kxm*1xMhZ1=cdd#C3om;no9J7&I;P6ji@{*ZPcBNgXMS<$sPlm&55wy(fZlMv$cdF#fUb;dS2LGtJivBdOxlsc^ zmAq_e^vXh)vUzEJe|j*=l!<{s%)Z;WWm8I>t?~{5Dk|EV%1Ud{U=sJh-A$WO+d?&O z@b_={4q$gW*J5#Fm|Lqg-j-dyaP*~N{bGvqp$LR7n?symz&r2V<0FE!va+&X8Qr+g z=OS8OzLmvzc^)Y`&;I5G=KN!6;sI!JeHZ}jsoQ;hU#Z^3i*Yt}-+ZE%X*>kY4MG8> z(<;$~LLhZ;1ymZW2kSUq7W>hrs=>ev8$N^HLrPb#F2#k6pMsGZMIlFl{s)@hKEtYm z1byl9<+PC-a^l+Wr?lhkES`M4r`B%b8vpjK{?P9(fIBoasGU8V>U9qqY8Q|L!39EG zjWo3ZQW-=dcsTxtFKI&bi;Pqx(FG^`S1ZD_H_g(@@qON5q|>FKztj`&I>80I(k%Irj4~q~7KWA~x{GZWL;}?M&=sx9Wi@UlSIFQD@J*n7 z?oz*}gx}VtPJ!gaydm|c$ISj^H6{Y#Mc5j?M3qXtQ69GUrp*CW0@~l91qpI;UVy0c zKlkY{^QQr_6uc5#0(E_qfrO_8e2B|3Q8n45n^$CY;t?@W=purodQ z_TY>&>Iw=0KK^!Ht*P%fKHN=0Rn+eD- znv0kB7s|q%@esrzr_cTyHcCAih05OE7dWenO=CiJ=^hTfBo2@*PtRqQJ-=mjgw6=7 zvetg@Xl-3sUZxMvxFT-CY-EjWe;7r2Zf@8laCSL>((@GSK32mn7$?dh!@J0APCf~6 zbLZYY7|SdS44zaxLp#!8gPepKC&eAcR#`PsujXfGWqjAX7+ooSCUNvgiE(V`Y1b1y3>5YCWXhA|^4L^t`q${TSirWDB#YD4re^5sj0=wQ%#s&~mTJmGb!7En2a^P)W$W&2CgI_d~}+LPHM_iIxSBpbaz6FdkN)n3#yA zH1%Lvr>CCmt-~lLy#0%-8vH@f&yX6qpv=G0sM3a|SOx*k4w@U7?k)#h7Tkts<@89MwKU;D{4m#5`uP)>}ZD45}C zX_x;ChG?;V9uspJ9*+M0mm}G7CJAr3S8?ZP$ejk9pENSev!zVshD}>1jZ&|y3P78Pfi z9e(Y>CRVSX>kDSy3QvxI{o0=5WU#ThaN$C-oP$L(Ic?=IJ}Zh{&c0tRxeyOMk*hnf zm)3Q->C9o@T~LaklfI%fWJ{!f92~m518zp|)#zyXbl6T1X7=qvtiqjQH4($BV96XJ z_4P8bQ-$HN5UeYzrlzKs;zI%B_EmjrY5Be0^6lFsaw!rO#I5KP?v9wKvvsRaE#c62 zmf3vW->&Oj(1E}UPX{Ea_KsRSX#hb>6plp1gyfVYe#RYC5tm_+$x%%7 zRYN0*#`jN%5~!p>P=OFnF8AM*?7~gAy+~fAnXx^G64($DUSWlHC1RQ2BY336V5T?) 
z_#;dWUOkb9NqP44DFWR2>T_~I$YJQDaYk2v%YR7{hL5l0odtP$LIpYdmrEgbfGA&f zGu8-2%_;KHBa9`wM29^DHGUhvb4~#)W0AZU5|X+yH3QFHT%2DJMaD9%t@>)pgES@eXHplhP!4uxW`o6UL=7tEEtEic#F1bEGzMl0zZ6eF<6Z1G9i1jD z$3dUMWUQeVETD}Gi;LcW%lG~dP=Q6H7oh(4@2LCtHLhNyxB?#^F_Xu$LtwYXK2HwC zRO87AbefP;sCVtlLcQE)8CIUwL<+=>H1U3+@|E^oQBnO9(c3{;CyFWZUqWKy_QEYN zjxki5JlgI;GBh;Q(P5x8J471&>+5)^ezIYfHtw#L@q_1E0&J^vlOGHYVOcQ=pErK8 zUyc*Y42Isq@1?l6xLbL7;4T@#%2n}dl=RCRE?sJEV*~Su!mJv_XzTD)nY*t*rV*5$=ZXrY zmQ6RLP9Nntd-du#KDk;eTq<_?$6429)aqamUWCJ^{2ae8D=O%{P)%C>Rb00W1E32_ zO17Y3545jS>la(K%aPKUoCJ)1`G+7>R#sZndcg~HtlT|d5XJc~cd~VhQOf?(uIZVlfm-7>QKqrt ze$n}+uC6Xh#}VwtvmdBAaJxoxD`u$kVvU!_esFSgiz@aKgQ-F1PV`h z12xU}_^OlEmwVQw(Dwf%Q%;6!{lNw*KQwl|di5J&pCJ}cU^uI)iue{urk+H2hu;mQ z=h zN)foK{Jgy8ZYorfpP^$H5AI5P4VX9!@vWk~91QT1{gL~RA74k`A`$kd`+e2=$KP(F z7SlvASX#OWu@~4xeG9Q$MrRDZkM#Ja4|rr#er6dL2?B%OeqLCpfX5a-JTON z0Fc8w3PyxC_fr*2Q=ueIj*%En|=2flI0AEk>^*4>xy~sd6442#A2-++LJ+WdVXOvl{N_tO%bE3%&R z>`di_;#4bwSu?w}7*COCvo~v)8)@1#95mn3bRn2Ul@zwmXcxhAVoPznlFl7*T2Jco zjmds0*^+VzEn6Nft{t0?DKco!*{E>5l&`+n)3yG~{??X@^Q`irwAiNvmrrH?(OtPn zT(DY^AK=?3%s+3t6v}Jbi>0TXbasOu;G;9@l2ewp+kype`uk%e+xRGIS=W3$K$(4j zzppWp6kCq&)it>7yePA0*uoE(0)Pk5RGZh`%zmwq4Bfd}sH9xxmsoVDfiH0K~tuB>>0`eg3p3b=nO z!_dhSbL|3Thh3Ju(yJN*RNmqatTYQfLz3W?}v)$3n}pc5)*PwT}@46 zQ&YnCF_uKQdNAKnMPB!35OnaE64^^%CBko!6ws};fa((BKdM7xC`CZd8K?>e^6fj0 zM@`|8Wq4v5cTrOS?BiJE5aJCQt|mrBN3#$J8>sNWF@&LfTY^!pn}$!+5b>qH0* zlz*`x1Fq4T= za}}x=$$nADNA(xn?t!HL`Bl;pN?7Z>yq-OOE+dQy|5{nu|Dt+nn8Bj+^Y-7mHQIJ# zG09`q3Y+t%FJDH5d&tRkzlw#m5=-Xb;{C(hQj2!GW;cC$Y-H4q>e|G9*1ueKiI>Gf zWM#+7eG|%#>`#-E$Xd(y7m|b>LS-A3HqYcrTAP1eBs%23_~I-T}`I8zZOf*nN)T^ZxyISHyisw@8AGR$%CO+c|S+ zQ%F9euO>6#iBX>`@obRXrvq)2wD;Ym4CHRt-Ol)d{=^P~VrGt{?Xv5~bFP~H;d}8H zthC*hQ+jIXDjn=m*jmLxyi)6Yio?U9z(b)M>e|}Llj|1o5ReG) zjI}xVoKK8epYX5Eh-`Pxq5EqBLvt3Q#i2^Jzgf=Mz4ObK79}M?Q_yd(|4m3v1hN3WEyR{%H|~nkeQwa*!g9|D zL}gY=k;`dH!Gli5e9Dyg2b|PxwYzMP3)O!iP4qawjg5Z^;C*<|oS}>EDQfQh`1Nbr z!n+}etAl&shR98`Jvs7_OPE;yalD@VI`*mS{8Oj$wj!op?If!mXz2Xyo14S-^DS!o 
zcFfZFt@ls27U0XPgubK@5TX}yZ2U3171JDNpEz{TKA_9Y zHPyCb$GXq}h=wY?`k89wuJSNValUTJv=Cwqg+hH$1)W=PCUyevXb76vnQs%a5J0edH-4LxZ}zu`~SS z%!?B@PV|hBhUVxP8Hq|T02a4z*~y>-cfX@UeK_>^ciladWYV zRO#RZzdq~NcAb2XaKL93+i?9aCIrB5KflZqunm}fY4Hn(nyQyq<{3@jHwbM(dj1UK zH6&YTZ2Jj==3dTu{rcv=Xp1S8`|{^pA4gv7a5s$dLt;Bn5s70gFI*UC6i9&HaS-s%mzOEwvtp#7c_CAd-~RckuSJaZkRe}dYEYJk!5|@IdYk5# zwtSDZE;?m;*aOAw^5c)=CnzLZg3=XGeqC%ht?sBq@L49wY;ePQV> zF@OXf49G5@*iv{v-NM3pb9Q;%-z+#M6r~$$P*lgctyYuXd9i4=YGew_WXPQ4th;wl zS9tU>QW_G#_O=^Ly3WFQU*Bcq`m5P^?o8^^`8^~c5Me>Q6I(}5ulcijMy}m>+dU4A zqwUTdy5X{M<9J6$9f8wv=7pIV&`U(F1E(jSVTCLN;|!U9lm1#vQQEVP`|^3b`k0#f zf)!x=ruLc8^5AZHT^l9!%dYqLlM`%l>qEl?3M3)P^}gzWr$hUQIA=16A)aYx5)w33 zk~9QT{j_yoD&*wXy)3$XCveHrGE2*^w#SF>dlQqC^z7-%H~ah46ZDEl?d{Q)HbZ&_ zTju>&+E^d>>RKiwlJ4!&kS?FQ4QaOW%}h`4v~Haz8pdu0(v*}y4Py(6PJ^ySdfg3K zyR++`s53v)lw?Y(@{bQ&(kv?gZyT%LwTeB)(HYu?dgCAnp+SRoeYUWkA+~^*l$3Cq z1IZuWpZKFM9Z1F$m-q?KIPq&6nG(7Zpd)x0%FOi~<=apzJ_e`MthM6dIt>U$Q{6ix zI@q>qc01y~zNVRq)Q&xTr#g79{l*xL$5@OZZJ^x0L;4eSz)`1aji(%4KR7yU7zCm_E$#cgL z*~qv!Q&gp`+jq^o7g7(}K65>(Er;W3bhkxHn4l6=XhJyorES`O3Ge><)$8toDU)~g zo1#9X->=OAq+G^q0|B)u3&7%BiM+Ea{jrm-^(Aq0d-snJIQl%s=(J zt}#>0-=y&^R4 zH05Zt-p?Q13slhwxOvmpba*9S1d{H=l)=4wuYR2}VB*C4gXe}#dau#Fd(Oj$GUn5# zKR+_WT}UslE4o}%w8SUiRzH1xnZ%FX-bsvpv|q85I~=7{Uf#)@2-dPkg|6IZvKYG$}kW zVp!ITrav7o@e9x9j^w)W;tf>n@7Gi7_d%VpaUe?>F}k3KF-t=7@Y!p3Ij=edNR&~I)_J~n-S;W#Ed zF)GS&+O%`g(SM+hr#`(e)RtNXy(zrvx#{wiD_`Gi$|?Wjao zZ@*LT!10=oBfc3?-y+V&#>Yb#J|Y+DR5bA0`J81p>Cnr_%#=yzW@8cdd6oJwSn0pO zTY45-5O7)I$iyu#o<&?}=axr20np4mDKD_RijjMj#0-U62ka}z|Ep{WCDet;03DCK z2s?D}pdjqcK5*nn;?Sci778@C_AczBqE9KJ%s!f3pt_{?u+@PF{8en4$Z&tG2fy7B z#TY97s;b#@=769dos=rDs{7v#Gz0 za71RD;45qprXN+(X!IS%s)p$n1oGAd5Akgk_VpBVT~?2Hi;eZFK4*P(Xw^S%=iI6T zu(L`%OhP~F9Sg)n0mbTi+$BDXSR=GeCX!DY1qH3gJ$%HSML#S#I?dp@Yt&=h_4@a3 zXlfiLh%~sp{UL7RC5%GI%*05Sj$ay8`W1G4Ux*(~8f#>1+-s<-LSc|f#%^L6MPXhG zFb4X&vQ#WwCn#xa$EZ$fX`U)$e(}-CK5jMB%Tkx;`ar3i<@d?d|AP2HLp9=e4f!pd zEa(#Ex(z)!bdoFer(N&gyOP1fSX`OX-)fJ#`TY29c26l$wVCR+{MFULg;xw$al}rw 
zwH2kUT!@$wj3;fIJXuk|$J^oPWHGx!v~XR2tBO8#d06lr+?iGrCS+f}Y=}NbWJ5@( z6d^EA$k{nL-TId{1m-P({`<>51R9F9iG5p=JEVe-qDatD!Q&t=BIqu?o#wiKnKgX~ zW>WUl@D?oS<=$u z+WJ|u4&#!@a=V@&egSti;#wCK6+uXAX}%E@WcA^1eu0b#4eblV4!e6!O*L%&sp6FT z%w4;7(Q4OLAR%%r%*{Dz;w`qq4;vC5Kvi{WT>@2O9-379zi1%SL+y`p6 zZsJY^FXHa)J0|>pE5s6y-#K%-3-8~bzikov_lwuiS_>zB^bsk?z;;u z|KE?#ba^O>PiT^|`ImPs17yw}ygp-Qg{FPNz{IuiT-C%AT25---ulbKabd~Py;(r` zeZ#@R6P2W@*j<<;(=Nu^Bc%NcKdknMpaN!KgAzR4-y>EHKXPP=yL%(hd9{=Hv~new zZ+A93mqO)KU47Om@fiofk!;+U3LzveM_I7qrk&*wmr43fS z&*6tM=7&6N1vbNQgWZOTyNiSdcQ7w6uLx<<^cljmPVLPE zH6cc(voKo-lv^XGAXh0n6(_q|9NP~U-L};>g6jX#2JnFjtz@^Ft90w; z@V}TMYRPo>A35@oM|LERrk!39o&DvX(E~S=fx*i^%DXn=sS)GIu+qGxU;V~_!Y9V4|{W)7xQ&S7(I;m)C z?)j`>GzX4@U`7mrC;E`uRlIZ;(HH;`t3a(@-u~1@EAe!r=m?fs8oM;tb?v9z4{))< zwD|H6aS3bxP!d-Y;p6Z6WA9}O^ z1mS}>DtSK1hxl(+P<`l2Q{dOBFvU=1$7m&$A{^-W3(K5DM=6 zzhn}kgJvLbKP$!}#T(;R5ApRGNb2om)7t@8fBJ-a_T1eqTg--ICUGnkiY-Fb#nCY_ zGsVroZ-)`~a6f-BEGM(e(^oCxQ>~i~~Qwxb^oJS1)2ui5Zo^p8i z?#Cq0G7*GG@oa>C!mDqty?qy9R^oimg$su|r$bJijfW(TZTWy0ZOgGP^o;h~x);A=4>IvO+E?z@`xPQMYeWYkU1QLvag9fz{ z&;|;jMH>I9UfOiPC-~u;c~(O%X8F4;C`;@iX;3w;l$p_JPFlDc*8v6mS3%cyj~4+n9lVG&}9VnV1^fDk>I?1`L4*s#32X6 zy9hMG`IqkMK1@PSL7+<*XZoTBrh`abXwoqd?IS!)AxL*;^YyOoD_~Ohs=O7fMiypxGUb4bzX`+Vcw~gJLH0 zgBGF-+xRHE@7A6Y!kMf9HdFlg=x9JAi(fIb#~5F=Oq8Z|GM7AG4S(b?b7m`l(Cxwo zdI)6ADFzszu^U;jbDWNtpuE~n1+GJPY4DC6D!nAo{A$g}e^WN_;DrdNa5dXwhHZrg z-`iRK!OQ_ttALzR(;T^Ghl^VE1|j{`D~)={tAS&j>2_)_R8>`}F<45bzP!A=yY$Yd zSeX)ni(;m8c58vsTY3}SxH9GhzAX7&r%q`~N%FIrDC7)PT#a+6;?ol&G9{BC7_sJf*Xe(kc5!w6_wQNLv{VFhuDnkhMSZJHmCv*lzrMcChXaSD zyl1v=(_t@kD{2UpWX!o4k|y>hSDlt-CMEw-%ry0FP_gv$^OL$DfRJ*;^BFM8YAo!I zLel6(YKti>hxKCEiDWX(4pMN+Vl}B#?gm_}!d5O?Bqzvj6~xS4z*Rooiwh4ERm2j- zO>-tuU~BMi#OT=IT}Fni0Ijl@4k&qne4fo~V3)4#vTWI;v%A1t?n15QU;*j4_g}zg z_x1AfVpV~%P9fvD;*~xfoUYS;tGTFpg|QEkN>}mEdZhR^euGyRN=WD%T5H65vf*23 zBS4*ijscQKCjHqn6#?q3uE+sgESQfSE0YP1E0t2?h3#F^6?cPnmP9xtI`(%} z(%Q?5;Cr!~TWPc)0X4F*FWTIs0amWQ?!p?FIK{gDr=`+1QY?6~n*gQnD=L!D8r-;X 
zwJ3&CPZknRdglh#oi%4{`yyy-f#F3qEuKd`GWQkrkKUVWZk(VlS$Lr9r&A~A~o^!Dp{%6K^7m8j>g%o$g&jc zHfn&S8e1ZCJ^f@Xw%Gs;q^bH#tljX!Sv`p@d)y}SN z@`|T6&3Y~d4Sw_N>C>e)Z3OnHL3j2R5h(F%oe`l*hjsNq)!t79|yeeqTF1;kAGLV6b;(ef;QAk;f?{ z4q5M9koyK}YdT;+tv|{+_r;51nevK?SvCH5x}EGP;Tyy*O&5#P9mJ6#ejofVUb>X| z48to1M{%$r1n^s9;tVXm`_5&}+O>V=2f-D#53=~#>j#P_fO;7&v}iddVnlj6qr}<+ zx!+%)N*jUC`<#ydZz4vv`S<<6)zkl0FRA1cRf!DMmoowl2asmoT=fCdkBRi2EX}n6 zAO;#biUbFJ=fflt3S`s!cTOJGyJPMeB%`13-#`OKlfO~n74hQ(bN0a3C8uxLf>J2? z(%(#6x#Ynm@Ynx7THSD@g|%zxr%y-G4%6ujU>s>}eJlcDp#JP6bC@=#&%6G=Z<6us znHPn3Azktakq+;8>*h@g=>jz58`70gqc(vJ;Fzj+wI8_>>kTurcQ0Q;VLlhU_=6hz zGI#gK2tx&=*IPb5=_xRD<90~M1A;k^ytP0Wzm$|j^2}K$F94oOjxFaMJGBdffYcb{ zYa$RZ8z8;lLeT6A{=_68LkFR&zGKeEdL+?2!}bCjgz7F%=qXhdh(x`d%Hexx6v7su zWZNnVYm{#BqYI<6Q-BJUIWiBw$>0+wUL!+7iZ3`*H{v;xrVtk7{E;J-Zk>TlNJzSN z4c`EXP|cY%VnlIPmMi~Kpiz>vY?0<(B#Cwc*?)>xsjM*hF>?Ntso0R+1aeGjRg@eIR=hS5OsITuh9Pp=?CUF(00Uqv{^Cp=E&oFW zPh@KS_oON+A^~E1w-u;H2DhKjn7uyO4U$M=5hJK{?tCybl=NW?@J=8TD&XGBIEy|8 zRaFFON-{!8Y3Xwk&yY440X(LKNzg)c4Op~O4&$n+BgvX0SfPa8P9T^J788PWM?`ms z-Ks^H!dv$cCWlEPIc}@{u^%%*O9?0)vfy@HLc(nno>G@(?|XIryHm13)%R5FHaA?< z5D<@TGv;xrNjJ1KkCwt=XHVu#7jICe%B$npaxYB5b?DJl8=FOH6`VC0wKz*DX5wQh zo5@#kxs3!>fNfc{Ln#;oerbxDu|S|2s#s66!$QVpc}iX2?Lx$fI|jY>dTqpZYRBMl z#8?S_bbTwx-i9e&qUBhTMUgIL^vWKt?F*MyggC6&z7xIPno)? 
zRgl-JF`P-FIAiwg9i?zI25AI3;aT*A4vH7|!Lnznj4~9ck8#nYdTOFcuS*!CM-_RN zl6SeesshDnNmhZ4gF`pVYAcx%v;vBmjyHWeW)j?nDb_dEFHvNHg*5tndrwAf&|~D9 z{sMyUMWWN{qGsSOrPn>}g@0I<65RGkOu;LRJqi>B)a&|VoDrHEWVKNfhy&fFBk(bo zBI$8c>kA)|$)_#4edY|kIzB$mMHd`~)X4-49w@Mk3={*L423|cbf{t{4UL_Vc-6mc z0I7tfW+(@XCKBuC1=pc_3RKAu?KWl7IX`XJ=`1)6{fg*dn32)lf^DJW<4}N6dM3MH zv&T?;>gr0G&F{$UYftpIaOJLr9X{Mf-~@n`z}j-ei0*AoxmgJLklUpO; zEr3x5w;n$cf&6h)zkc!pixgiq-kz@}V-B%7abhgk9`G+P$bn4rVa*p-l11dSv19Lu zxQh7^c$CScV;!7bPFH66r#Qq7GiJ^lbi>$m@oA3I=x8~CvxZOg9n)(s!ygt`0LoA| z4G^rW$)wfx9uk`)NxRcQx1xq)%Dj0R!Wh41o@3m(b33-*)ctvwy7tkdZ3UF2zGKp` z$Tc$RB9LOww72grZT$YJlYma4eC+h#Tlf+{0oVJO5-tTMi`~uiC(`qcEFx>Uav_5H zTvU|Zx|MVaa-4(j#4IJ0s@Jq>TK)PhS-xCRAcHk=59Pq1lO^jdewYXL?-$H1E#>y6 zvHQt35ZGbHm`uL>R{a_1XCZktKWiN{a`cNarlvin9-#OXapZ`@m8*zDhiMK*B76zy z%%R`n`I}!Nf19hN!c@0jqBy2qE7=q7Z3QY`yBd9l ze*?=%vVIJv@GZ$2v0Wzp@#864DoF=c{z2g`yVV)yM-2^rull;CdQy+SsjFaZYkN=h z4h=J-$7id#INwwe5#B%*1+P`kLeZ^F#uerFzhFj~DN1C8+L||`6pN3ZAXONmqA-g@ zvXm~NRlTwr!0_-HORpKqD@iTmg|#jbLf7rP73T{=YQIpoyJr zFxlE#@P`*%)IbU@_*?5{{2eW+941D;4q?Rfh0P?lf)?{xGg&G}Mu~|aS6OuZjA*z+ z>H%YUXp}P@eiCH0eFYHTqROvd7u5LAAwV|xkHDY5qTHx8AVsar^`V>mBN}VDaP%Ms zj!ArVEj7fR*X1fWG1Z9FDgrtm33OcNUXto8XHr4ZZ9+i?{GzXrLNm9N=0pAU>9CSh zwN&C9ud9k(I6RV{-{pg4RwJrcL~GGTK)R8xvP5}_yrOM{l0aU=`;Z59Q)p$fQ%yh# zrfi%YoUPl2e5b7x{_ajw+fIFC3K!B}V_K?`dUH98!MZKWoK>&cR&)p_2C zpaGSIg$`OOA_&X`0xTRezgXMAnVm1mn)6u38MZ}STdnx?CkK@U6th{rH=mV@2YJ~b zH>96;#3rM#uZ%kzp4i?)KwF}#qJXaMuKX?> z*QFHDvzoSTlNC}JY9u8-$oP|BFU+yk?{DA?jMZiZMXeQzkgQZNj`(0t3AGQk^hadxZ{cT9@H)*bqsBsHHmkM^ zg8SkKv!6cwj@c^UK=yVb)OV(IHI*m`V1mfV$m)Y;0M>R&O09*a6FBSyY5#N<*$T8x z3%86LH_q4B^hS~^rytbe{9f$^bUsODTqjZ*NW~DZhq$$GktJVgx$PM2o# z*ZObY#N0^im7)K+R$j)RSm?3^14DtH8|NJkoj-o~;8Iyrv!@aGg*b~MteQyFbNNNb zWX%y8R6zRbDjHx-O2F19_$F}=!+KGogd*ERjox ziIDW_w=-dBIsjU(9-vXnA`X@bD71aOq?ccpE=p=Y zqn8k(VO8eOd!ii1j%2@6&%Y}_8CqYO^1g#|7`u>O6$rEItGD-*fVi@Jr7n8iCCf*t ztE*GsdvHp%1x|=$$+z`iWdaYuR5S6l3~5Gy_PTB?89Hg3t_xb2xiIo@&YbJ~9nR?F zjrs9j=_E->4w2>lcdoa2pd3bBZEBaA#+|Gb#vXzm6h~mliP*|y 
z)Z^+0hh^5KCw*DU-_Uc4Pnwi-KZN1Nuln_nR4?E!O9shR`x9w&cKqr1iAh?c zobed0yS1mML{CpoZBkQ5a$b`WBV5EK%To-0nyvD#lU^?gQf`iZ5!5n{;?)AE)B%5XvPV=8b5gt~0Y)Tj zZ~plU7Z&XprZ=E}f9IUxp6TtChW; zE;xI7o@CnZ&jV!8=po$JuUNVi3Nse5aC^%pdzk%&Im0#ZlwwPm*mM;r*5W#cD_lEE z!s?^!4j-sAs4e`+3J=_TIqt;&X#uqVJC55?m*8>L6DA^a;L_KvY*4+l$a2C2dCR6< z3EzgULJ5(CDFKY6#Ik6fDtWvk?OLG)9qdRw$$ zm6cqZ@PyYg(dZftoQvLBTFH$s>(jND1ky!SPTKR8s@(V)GcLV8GTS$unRFo?Saym( z|Jwme@}Da7MQ*NLoy>vo@Ta%wmAi*Q({fABTFO}udPUp1FZ&ME5Y8%J5!E(gPyU$jA$;wx{flLKH=pv4Kf{gLB)jALQc+DE zn|ACQ7GLYWtXjMF?$j=@C)fr#I-qKz?oXTw4hf-^-b~zfIF}}W3rha`YuY~?nEVB1 zSnlq=;rDlUA!0=+5H0ou-n%doRyxlivwQaFfupnD2kF1+@p?^Mr034n>)fvHrM5^l zSX=6YTM(g6<(3TFA<9r5=!+IEZEuZeQQ+6nDpF-82kpI}nGskEBY znSbckty`4Nkj1m*`ENd4Q6P6V)tqW+Sx$8$tO>YBI6|2H=~M8p9pM8eecZFZjV^ow zpc=DM)a-fURX>;@$;*BKRIRN$j{R zEW}SZ{$Qhca|?+KXnc2F6Wuf?o}o`1H+>-vJu(->rAj1!u^i}zq(qsS=H+#y-tgz% zw7}rp^v&lcG40|Jr;8{1y&Zq$N5KCcj5I-8H>PGsc)|b#sE`y!9t8(CD>SF=8^xe; zvBX5s+UJu2Um%mtIr-|(~EE^?M8D8#nu6)VCA#;xQJ+_P1FC-zei~S=qwYK@Xah*oF?@8T;P#tr#nagEQ>x z1pn-Eh^QNjcj^XqBDdh>=m5Y8JeU{}p@mO=O?csh2j?H0z-`OkBV4>g>(!(K^!0B; z9N=p}Wtu|WiiHcsK8S{2*G~@OG&~`x;Cmns|4_3UrLtlst?{yA&POh=iO#*3P1<~d zibalJcMS~)l!7~*_{uxST^agZU0jL-#)Q8kt|04bY-kYDxl;62)1OzT<>4^_`Tg(G(E*~SjaN}=NHX|LOR=)i{T1IYWU}{H53wS zw^^?1V3?>F+roYz{pJiv)z;p1bEuUzvRJovGEhZWZ0;m3|4kADT`8&Dss z-IPeKOGmKClaj8GP@FSm8t6t5y32P!=HD;;Y2xvA6Bp_9>-P)(hqY?ZyLUNk2SlR@ zQu<=UDN`O(s-w*fTNQvK$q`9C^>t*pn>KEI5@t|NQUx!;uFPzrwt;x+2S4HW#R6BY zEx$=}BMl0IfyjF^)jFq;(KG5MURpwb<}Ccv0EMC!ZXcBKpm2Dn!aR)(;1%pN*Nna! 
zs=)d|JY5I8m_8O09X$-1kJ@qZqepSGKI78=?teFef_9JNhVG6J4;yVbSo!$)`k{t_`T6hFGniopK!pCB z=WD^^9Newj5%PIuHA%$&MVmP>D#aiMbB1KN273x1udT@Oi8G`ri9mv3mlJ4sg7tM_Cl&VyZar+y2hBEq><|`M(dX(5YwM~g(KDA((9+T} zpEvJ@x>*~M)3_Wz=TZgu4!lEX$$f7eDNVxFkHm>?RJXJJr`g%f#hZkH$(Swi%!$86 zMQRX zQ#Vnz2A?0;P;iB`p0uv3Aev;q(iCIfnNOrKoGb^L^X^uy9joN9e0dyghY-R^8p|P+ ziP^9^hleb9OG;a{E?|)6Ug{L@oS;9kLV-n)^Cv5UtyuSE?y;PGq2mYX>0v}BYMW`* zM8wYK6+2x`TAy^-x@vs`3^&KggVk03(b46o?%D73$BssCBCtRx823MZzv*~ZG&}uK zm;s5KH_e0bs7W~(HfK&T^Onq78aur0)w8G58>hjulS;TpaAzsDXA}u+D9Ly+ zJk<4-ocO>E8I&P`UEI{m-SFFt@!h2qt+Uusk`oe_3>2s?qhlirxGM?H*RnU z{HAzMn+=QN1+$A^`i!(txQ0DN&v@tbxo+#`b zGiE;Z4?+?fs$vGB@X=KtKgtU*1+bHApD9J54|sEH(|VSa$YH)EKEl(cZdjJ9;=QGK zcAp0Yv%)XL+lZ9U3Kjbek}1%(9F|nFwa(L-C}v`VV`bqY%ev zJ$-!`X3&MPs4hvm?^E*`J?)Z5VRc5WF+kYNT>*(aeEj&&u|FbYn(~;Nc!Vs85#Iyq zH9RfVx^%%44OIxd4A>R>iK=hK`FVNZf-&A@;{<%H?ozjpS@7eO;g~K{^esH?qo;qk zV~AUn{0oB6H+1MX)6OWL$&Z6qpt?+ToQi^+Irtrqg5n8em|y5maCMD|h3MdgUux)I>&|Fo^tL|FR>!2oxAjel6IyC#IrH0$fZzfg*_@dF9MY8_e0$R`rnJ8YL&3G&`>*cd zkaNzVJI!?6JUNiSBfQGaR*)a=N=Vu8F~sNGA8}v84;YL(h>j*PHoT&hq0)c4h=? 
z-Q88}4i>3yn~yvK?3>uvHen|xJFdqyT68c zs^giMCo#>9(M-V{#za_VDdw&dGB5)lK4^N}Vp5VLMsiV6DXoF7bzLXXM zFo$Y*HgQ%=4*mmoP^=4>u!^1a<@4wEf*8i@@%e9KmDD3s71z)tWUH+dTV`$LRzysDzp}Ic?4}2gYXa#z1 z&uE|iTO{${mc(wSb%9<>mR`_yW5fpZ@KPGJ=+x=JvCYh{GH+VOfT`d=BLn#Eu}?{% z-oIb=EvsvBLI3#|7v3c(C@Lv&Xr8{mGEgZJF^{OJ`K#o8=!d;j;+#tqX&1B7|5^$g zjp#Yp-TZ;3`uV2SEvzfjz!jdJyEXovgHX*?XdjRr^5w-@FlY(*t)h|1N-oTm;D^M` zdo@Hw4-Q(Ej@m-YrJQ&lKW?Aev3qxn=^X^ICT$dW2tH7?1Mq-X?ePDO5ro;3H&itW z?%gpwI#JQgJ@pxDkh#8Te~v8?;lBC>DsI@{6_h9s8=Ab#Yh@SrpX zpI0^8p!P>7!0Bue`3zS=z89&xdK+#tnz7+%!wuigzPz;KD1)}C5a(}~lDomQ!6?x0 z$VBnsfynvWDl6kIe2l^j)T(fK<-51{?w!HAciy~B2=I7`+5-9Yrf&}Vo*p?Wtf2n} z20M)$DeJ#ykMcjwfZeB8h1VAsYTsP0`1K#ppK0M(@-d(Vmxh%=xIZPvP2cjw^r@Y=Vpc)>uF#i9v%(Euk^P|9~>sD`;_2 z0H((8d}mCoKp)3A@@?0OrCtE7>S&)uxN!M|iYh_>~H51ZpOi|0?5Qre3+ehRDi`do7N+~)5MLd6cfHCr=(|&IW>hv{;@)A}C zsK00#9=B}Ihm3aP;6O$ib2?n3)&GA=7_wv!Yz#_#!5K56en;lco?YTPOshbJu910T z$Ci?xv1Yk==wve-_)fOW4m=o5;?raucWA|-dXEz!#qiihdG zqP@bik6YWI460luUzkIK;CI~k@#4yUyj*N&ZvHdx%CexI5r+=tJIps*#0dedyWOAU zLxgQ0iBlt1p8@_49hyrAA&3-NTIA6V9#cOI3p%*@@_rg;xF9iqoYlOGcXeB@+No1- z@4Zs#JuzL@G@bo?hQo#77Ry4>qM!jTv=k`s>o2-I6Ca?O829DRH_{ zV0FigjV8u#*z^R1y5Xbhm0+82@4(w?;FF0tr{>Jn0D~bt0B_WiS!4QzYL#)IwR{*i zT(qzT87})8O9mmv$t(naw-z5cX+2qdCZE+`yIfb#&+{x&fdenh3~=Hft9Ag9QQo|P z=!C9kY%)j_u}XT0$;qr6W4%dT(Q2^km27v0BmH4NfrkqoU+QEL<4PwzsWqowxvBY- zY+4VH5b&~_;jt=cfw+U8AD6gnVI7e^u&oW!n(PG`1nBU-qgxkq?2On37zK&xFr9G2RazKD_X;r|pUr`h|T2f%Q}J&Gi54@z6yY zD@2G*J6p=#6^KJPQ7inoq8;~T zCvV>L95PZ)h@6HdpO;Sk`G-8$5BkIOhZXAu@7l$$Z2P{mn_<$_4j`9~3lWbD+ULA% z+1w6^kKE0X)T6ociDkq%*G5!4t52FDTY3(=4MBTr8N7~pZMojD5)48QxL zu<*#xG#A4_$VdVW&uz)m_VLz?TBi0NuHC(?@}{>yr&12w=%jTO^RAP zu`G0Srlh6O>}QQ>T(F0y(4ety+}O}5j$W3XBcmexL#AbQxvR7@zOc3NptaYpE_-vO z|FXnUHM3jSrA~`mu2u7GBp?fs&*RSuNh8+-L zw#Cq|Csw~*T^1M~zJLLH0y>A4X!{6dcW1YsXeEL)sMWjApHE*gvaLv&*Ij2gM6vb6 ziJyp#v`~`dK1-8^jHKG1QyRl$}X*e>AHgQ~#Q)AJ2dtefAuc4CDh zK^D#Qk=mh#sx_KC_Ym4T9M+%T;N*sL9lLO083-V2a}~^kD69V1>p4lisN{@bK?7$w 
z0diM#l%p%Td(WOq0`-o27e90GsNu_NH5|%j>~Li3kf>^SK@k~V>|7O&%o}k2kN3Qy z^`T4F8!Z7C{ul)3B-)>~~ z`(u|tqx9L!gE8OuWxwoI#qP{r^Ip9=y3q4daxznPj=y%D5ITaDz;1NZKQcMg<0R37 z`wzn6Fhkn8a>WW;GpqF{w$K6V8tvE8?AjaGKi?_brhcPCMVF1H266aI!;>Iat6Pyj zw1y08D+bk7XJ<{AFyW;ql@HzRWD?|_>YL9aV2H}^uI6)l^QQQ&hUae=CJwV&Hr{#4 zl-(tp-QyG#L}r%G%-n%YL{3FCY;0`YqqCkBLU_mo(RT9j=s?%$2S|`2A{g*c%lV9i zcHdbT!<;sw@9dv%B6^XQd8mHU)O`ib!(&lwK1#0)Ba8Jp{;7$bKR*fPi^1LqUDm|4 zmvw#3l++Fi3YZ(Bf;!WGl7mAb`aT5ck00-jT^E&FwYGyQ0<~44D=u^SIxU*Lxyee; zj~Kj9b)({^s|BYs`jdwE=Ku-G>vLQ0n%Aw{sL$QL^nyB9-p+ph0~r?zlOz*QPmYoo zxL6Jnr)1Z*(rwG1(d#S91M_BvM9s|~wQ%LiG?b;ldOG!>b_dP7Itbeyl!6?KN+0EO zw}!TAtebrIUet!L{or?stKIBiQnxp6$lG}lJA9ztK-;lrbmnH( zjI~f6*%l$_f}1`v0%snVw{Yacsb+u1y?ZxSVd7ip+xxn{fx0WnW2vBxWQ~gScn=eE zv$wcnyz^^ux;%1&sitMT$38UF)ZVFZ60pZUuoy902=T`w$ z6jW}&SV1$B-!jx!_e+KK6TrtOPpbD&h-~?eRf?Tj3(Q7at71zUW@Qdi8DcGt2VD|EC3TYk&XXB{(=>7*#I>5k@^Gwp2XoxFUO6Y+O}%sH_g}s!37iRK z|6L*#Ubgs5|7dR&i(O%c?)xtv_n&(ObdH%4wErM7Q1%TFkQaY`VXE=v;{`fU@0-w( z60-bz7shl|L9nURYmBLwrs1Q*Fbq-G>TcA=Xxxyq^T`y>%Vun>EG=AHu8)L6RRwnc zK<5?$@%sT}Zr+B`^M7gGsh*r68Zv^zZ}{}0A5Zn0RY_TyD)e1K0@e)?iIJT~JUhDOz5Okj4^(8G$fclA zfU0mgpun6<;OXz$B)c>Pw-MmSu`QPodE1;BaQG?{dTXrfpsKh|wcz2D$%#$03BOG8 z>ePL`LP!)l0_Mze-Dp$Oxo<7r8Y53(<@_xaN{pU=_nj zvi()=haVmGW`pS@%jn%_7T=(71Upe#d3oh`yYp>Zw+`|h(^{bNfSD}AUFH@oUjFuG zBXd4geJggXk+tAX@a#7FgC#$Uzs0Ujb-Yb@Q~iyU62gc^96T2U?dC{!u; z$IPjG%@V&&GxGEEQCe4~s0X)g?8-^B|M-Uuh~qJ^p2`yeII3<-O~r!p(6M9Z>3S8l zaQ25NBS@uQBXX&mjOZ~&K)}1RYafgmI9J;3D z8LqVF_2sh&{9LAh2K~_S6;nAizde3B#QfzHLG1Ho%VOyudJt=U=+kr8W*QKnwS|bt zNN;)odklCmckW!jAyGQN>i1PC^~c+sm*>y^%G-zi)nI(w8Sk_^I`O}|c^wfuT_IT` z_1yo4C71u@btm0&Wno(9yC3VRaiL%M@cA=|29o_KM)!Fes&#z-L_Pdz%iJwhpj!Iw z;F<4Fnw_%p-I%tzhs0X_`@LYw3kM#+OSfnnZ|0$SnW!9xf)7TRt2Fc6CPL_YKha0z@0J?JO$jF_q~tZmxLHRr_Il@;8K7{#eOvV{4w@e@cq?ei@y99Um6fy@8PP$C+M3f~W0@PN zYv9JC*5>H9nBjJWx8#&cOG`sz5*b;_Ci7`2sc&=*nEzmJU=Vp`PqQtebIh7o?*d72 z_6L1p^l-l~S4FFbDI0zplHx=K9V#kP{9TxKdr{12O6*i+U!ZJHx;aiR!>qX>IxbF8 
zpvuz6_-KdsT~5BR^R=<)-H~UH_6t=9VPbsyCWJk3?K*=djUj1Hy+PjxFW2Lm_OF)T zJ4t-!wXroTiqfY3%tg~Kp{D|sc2-xf`trqzd&_;`PSlj6WQ%PMc>4qgf=vxDNz8`3 zQ}H%~BHq41(RRjo21+}OA2&`ifBeFJ%P#L~I;jxz{prrH<%JKlbSWo`ENy!b z2Rj(c1ZwH3t4OzRm-D}Rb$CU@k~9R2p-QU`XkKi!H+zP?ef+s|4KG8VgA;(c6UL86 zb2KY3Darlu;@8)?b38rZ7$Z{65;+3@l`NRxQg4pBBrU@1MnyAw-Esx?0_2M3qKQxMrcS5{)0 zU)R_KTtiFcb^Z0rmveu&fF59oHef-c39Z1 ztpaCv5g6S4+G%?Z`FR*MaJu>j2pT#rE`Sn##Q#6)d206b&VBZT#s!~^X&yFp`!={) z&!{lEZyVcRNlKzz*Rkn9*Rae|!&}K0v~F$dY=s@^oUCr?tyq<;QRVHKAL~c-*h4@; z@xI>&10pugQob5RuaFk4VQbw%PKV0U+E^reQ1I$(wJ&Ig;QxC8iXy5iu#FdP|M@x3 zPO3lXWrC}+i>1=Sk+GM}h9sYTz95&9du?q_^Pj=3VzrHo07ngxmd6)-nLL}SJqS0t zFx2Dld)W+_zfdJ6as{9494vkK0UA(6C^`|CWF&StVh?8I(KY-jxuS?xiL-=Xc%coZ z^GSfPz6f@$+)WC_+_i!WXOXy5JzTNDaQ3`;18YL#YA6E54{9FweDhUQz3114zTwOr zpJ^Ks1*1v+fRgLj=+?i&dt8bsbU?93QYS#HO!^ocf0pmfw4i0{{QJkgfPkAUGrJQ^ z3Oj>A;>SI;1JJ?Eo;lOi!vibBm0Y{_VUsnLp|jH#G3o4>&tYAat4T>}!xryqc}uI&Qh?Sze>gh z99jJA#ft+)6Zb8JF}7K}X|KA``QnTzO@A&|oUO8b>LI%~TO7C-8R-&jxf+g=93cH; zJ?^VlpdZn_5?D!;NW?gm(l-7$zrvwSvF+5Ui5e;#>u}Teii%QPKCp_!I8f42^bzS3 zP4HLFHLQ0pIq!S-qJGq?UI1s8xtcAAD+c#ns_rND#~Iw_u&3QNe|@-d_rCx zYA|u!ry!vcxUqPgJOACOc0n9$07*v2Brgvw>oeo*DrjJ4?@?y^4F53h+=SXrM)S@j zCx2sjt(-r6E2)=5-0nG7m(QUFNt#KjIk=$Hl_bT0e&oA6bPb`2(i+)L=Xb%dm>kE- z0(j`;uqAsGei%BHuqimMpf4Z*R!$tft+RP`cBxm^t)i1B!0Ya6D)VpmI2|3WB%BLR{K}XaO-yDAzVfc z0fOteb@QhB;ON9ezprmcqob?c!4SR)%;!206Y9RkvDav;-QPv1d?~mMs+A1;r569ChF+Ud;Pkv zx<>nxd%S@PSGb&eGQ_OY(MX+0Y$d5j<2MFjJF zUOwJuxz_T|85`yz>^nW`)0OL}Ss#_xvEYxTsJIXB9A`rqf2}>|%~?sN*XSO~AL%&W zgkqOcaps*UGA*{)kMXTvI9+kQN7rb=)vMxdpgEYn1+CrPw7Y^-kXdc>J2T-yt5q(K zrT(FPx7J zxaPP-%k?^&e7}k4`ar2ctLBvibmIEPma7Zex8C%l3Q8c~OUV$XbH5F; z@E3Fxq^J8UwnMVBa`p%Vd@bn-R`@o)aNauEiS4&%c1O5C$1n=Yjh}M+jBM#D401}% zqlUU-Tc?eo5`myfb!!9FPgWUKJl1EI^)rz6vv9jnU}T5b+n+`~3q!!+NZc#jJYu)z ztEJ(zwd96sTUI_fo$3Z4H}9)8!02e-?e;nU>HOGdrdrT$lftKN18X!bF188$F5gAY z0(c8I0dOM}PH+4=B8GniLK@bvsbhMe1ThV^VEzckPc^_BbY zA8iy3feE=U-YosTP?dC|?|LuJIaI*VTJ$NOrQ8bSGH$tXrpJ`@r79Pdwr5_vd>KDV 
zzc+6)$l%5&nlSWH6v=k!+?gg0>o}35S-YO|1c6^KRn=7#L|K$B9yp3~KfV>p2D3F- zQ!_8Go7BGh(3d0SEcU(7dZ^Q=HgwW@w?*bVR03pWpV0o@Zd2#*7BfqmQ)YhNe>Sdp zGXY62rNLH-q8`=4$b6MdDYuDZmgAkVLG(WBuA8rW5FrFIOAP@cZ`*UNOT>B1j*!q~ zN}c-fkX@H99lfUORwTbe)y07_DD)tj?VYw<(Ok1qyKVclS-WZsqyHbi-aM?v{(T$0 zn^%$sq!e1ssiZUzX;O-!&@9cNq&XTWlm?|iqmYs&MRSSK)A94UhSLO#6Uo@?zF-ad?K(asj7 zK)z53|AVLK6y$WbH{{_d6_GpN9KPSWc6<)aHAdRW`N!E2GGbN4)${kMs;UCP#P7qT zOi0@&?Bcm7o*g1oY8oil;^L=)smAV+cO+L;i0CG%8pI(DVUHE^eTlhHD#mY^B@K>_ zZsg+9n&ARsBhN>BfYW`em>5_gP(ipGCZ?uJ2Wtt6Lowz&<+eBVaO~TbM99CU&IjgnR4L&Z|FEDi!EnH9W$tdI@;L`xV+J`HEf$vX{F)6eOeoR+~ zPF%*s+}T-5C*(OJ1}m5I&NPN%hIMdgpX9Tz6GGEkC++RSr2SvNdnY0YGK;{%vY#Rv zMyb4vfvAx*jT$C~;NI#@qGt@DpTaa7?4vWQDfp>NV2RMEqH1Og%5w)p9Q^)h;d~6o z4>^cYC(`^_bWA!=@n8{xx%q?KTr*Qs@qw|6FWjLmKsQ}kX*Q{$H8v08UBgw70iU02 z^i4udht3Q`c!)p#`LCfAMoB|gi^KvJuE?`#1<<7BBd>qtdJ9wncQ-vZcl7Jm=f`fR z=j7#mF0iH}{1H6>JK89B002aZMAMJ7?JPXD8uQtmJ9ZpBeE1h>L^4Ju;KrA?F#i4e zpd6S!2*L~m=s{oMxN+v&Wv9o{g6c)ufQ=(kPk#K_vp+nXd-J9iu`tFUjF7<|2FJew zK@y4zVIRjSdCYz$rlv?HK^NvXPWK-43ApiF4?q;#G8}%HKw+b!D%LZ0(MP!PR`MGG z8mhMK8Y;=|!{@Q{gYo~=S17Xph+_Ep9vBXQ3IJZ|_wGS3)sbiF0S|hDKgN3|Ys-c~kZq=?imb5A;5yV4XY9h#qN0h@WrI`GUv1ZE!W@WQV7B{)uj? 
zkEW4>tbzj9OpUX(HIBf z^i*8z0jd$I2uvxiT|2DZ0Y41fW0FuPdsxT9VhJNRkbmR6pO|ez!U77em1^_ctA_7} z-8)?^@PFbY6=P#!)b?@$IK^~?XaO$!&?5K*v#}hqI0_!@kPz$o(ebDcpL_V^*md3# zxGDHepFz<^1BKq5J=$8;*xrIy$AjdcKA~tMl-H;-`yQ|}$zHi`sADe_c*jz;KBYE5B5@cXc?B zJtQJL?98_}BvymnggyK5gXsvMX=sAj+jPc!<|gkyd9wSqW+tjI@Qw5qf47v223MtD zAS;ZM&4d*Wz!&Zi!8L<*H(ASFUUcm4VZV?J!p4TM+s7&atkTD_QeIwKzPnXI;@U4s z3Y8;*Z|+A!OkY_B=^<6)H**Nf6@Iec5z$uS_k`tgd3g;I3GNQ~erVCe2N+8@aVT)R z5R~!NfezxnRu~-!I5;6JmkQQm`g^nz<12UV*j+n#tWTcYuzB;Lp`j1*Fy()?A$9$# zO)q0u5PyIKNmmMjqT18k{HWJ{0!BO=Bu)CES+ui@yKzI~+-9YnJKOVf!;0Bawf&x+ zW`rH1Kd3eimWfHxfzi$1|IGP6V;T*Or|0x7?+(g%(2W!hGd zZ9ej9@1;#jo=|)x(wm7{Ol|c)zRh^3{z-UVDJu_{(!x!(ujiu;#;N;4#R2>J&+4}i z>&f8vIscf}y`7z@b-ah}$m1f|Rt&=x1(ZneAvrf}01zTNr%=KOuCKw-qvn|8bZwHg zYdF_;0VJ^}AY@}~jWczm@~wtmC`RVzCv1B54@)d#psb@TbMI+v*sWyN-OMjLl*Mj> z`wBG%{OM$k0UbYtC9i3fZz<|6{l9OJf1vUw?%um6c-=dk?m}^!SwC*=T;QeB)M5e-krRJH)yD0~%XId-GW*{`W7|Fq}fqem(@ zIyrJWKf`vP6gfKT#Tov@ub}sDHh*Fk=yZ5V?P9UU74j&)ITENpY8xW7E2NA*eN|LU(|&xaBe4*Yy8@r$4grGYE#>-fXfz@wI`Y;3+3oeJgqO5q*7b za#abAf4JXUH*qEO3TSAOlX*;yHAD)sLiA(J%vHq#G_>r$U1d?1g(sQY`wTbGqn+A@ z#(0!`>EyJH?&huL;);wbWz=6+%>x8fVaJZ*^70J@PupqLF@8h>h-MB#k8~6JFD2%r zVpb_CmgAm6)eATd^qE8crzbd$YKvO;>=)6y8Psz{>ct#W7gP%vyJdQWV+SU@LcP#B z|D?GCXu zJnOgUZoLwH+=s2Dzl<8i^s86?$TTZqxhNGo@b^$wUP9rBrcdqIEWoo12@mTbf1wptpwu zDmdMnayqqc{IZUK?O4Sl3D&MU$LT$)}oh<57Ypu-Nr zPK3%M5GoXvb1OOG#)6-;mLOduOvFm|VNA{W<9GOpL4kRH>Je=n? 
zn|5!M^T!)4^K=zEn>Wh^c@z1skhcLZ!6M!W9yXu~adF`QIGj228E6G~-rt6XFd-nJ z>%Cxa#bEW(;;ccqR3iG4?_|n{RmAjoa!t(&rYCM{>I#B8n9e4Tk%;PL!Cc`@PD_?&r@ny7R3{aVlTGJ`kO=*_eEMBAd=W7^VKt zS&Zg;fEGP3Pe|q7Wvh+S8G+NNp1>Jo+3fOM+h zEDCkY`V``O##9ZJ46+YNqy?xJ=Y5UcaXox#EYA(^W+@a}`Aw1_58sh|$(WIu$;iaC z0*@ZNnZX!`NAJ3J*d41gvsT4SN4)W+wwtwYP_#aJYms9<35-F1<>n2wjU?&=_2nig z1&96@7XVxa%n#tBh9ZVsU*|tpM0R(x{>wPw_j|(U@gHRL1buukAix!R8_Y}5aq2km zgxIvJ(C?wGhja;%Yn>*!_R!4C_xyQm_Pg+dJ(*YbCbow{#{dxm1_7AZ08jSwTY#E` ztVz0T8>0;xb@}b=8czKW5))(Vd3!2rT}XsLkln0#V8)GSf%8RQzei-o!`GKZ9@aq>FfhG%7j#wAufUbX+CdC1S%6{rNGsQf;H(UhJ zK3>Qx6VubZSQC6NBzkil2oUI#lZVd&YtMaxbK!^F^S^l^3Kt}MG{mZhTFo}IV`(fp zl8RQJegEQJZ`Im`&MkU+)Snup5D~-z{Bpd7%W;VVfzken@>Moe$8KDE6pE-cz)hSP z?-Kkm#2?hshZ})|$n<`!g^Vl(Aq}ti)R~x=;Ae{e#WGLuHc<5Z{8Y|Hz?&vz4ff(b zeR|wTWEwLe7{Y;`Mv}15S>b5sK72?Pkm%rU?$zH)lXeOMINU=})vzuF{GqCoGC8Z& zSNqOxH~5?d%iZ$+VDMPnfRsM-@ND{BPE=TnXfO|(oI;HS-N1N2I zM$p#cDBB6}gT78)J00TxfqkSXC(sAQ9`~T#_k(&Ip8)bkWKAqCmY$>?tILq3$TZZd zT7J%AcQhcdy%$gycfwoHDYfyOTEH=Ta@~6>6*iYh=fm{?3(;5npiO&oBc8K>G|gDTzJ zX*`5vlEa+>yrC#Om?o`ZREr07W2DIXODc&(5M&yIRB0U<_0`zJyoc z)9}=V!H1&i+FM60e!~<7cOGfK1+7Qvp`a92@0{=g5CzQNbTq8x+ucLl`?c z>L_clnfik9__i5b7F_!ZSa%}Rfd-nzT>OHAsjcmyI0G6T(nVp}f1tj*m z%I|!;ab8w_R?0v&}{=c`!aOvMWdOjd&`bGSQQAz0P02b^pT>`d` zM1hlst`y+CA!z$&3cjz>xNf-X7kkA8Q93=F-ZHPpoh50%j++|D;DzRP#^%ng8*_4YwWdSf`x72 z>m{(w5Uf^N=ow&>tQM|V2Ni;b0-0I!6&eZ?Bm<5gZacVIaF@o_h*;-y=gx6BW`p`K zApt*gxEga2^h```G*nH4ydT^d@TB(j^P{UpDJRU%E~~B;67g|iH99-ISPbbF=<0kQ z84N}#JAG$YFfX#EnG}CHkxnV)3wdt(^n6;0`GgAYuWIb;h5%J`YVuaKfjCpJNr->- zwXvl?9sEj|OoXQ+jo|eWwK#fr=p=NOg+U);prW z2VgFcKI;hD^EnQQ+*q&KWQ>v=Y@7x{NFt68D<)U`%GYTY=!;Ta^sTah_n#vd+)s|d4m&`!YiBQ5sn&2dp#!_)B>aZ|7%a}sD7xFFc^hDkqf(9_q6fA?|VAth9# zwIVd@%b_{K$-1!+7+tENr5Q*DH8G|6vd4$5&u-gS#Aba|^Y!!wHM}KJy_@U!_((+q zPQ>TT+rY&2rv3DoFX#9L|?!rs45BLlmtmp_V z%W5q$;-`_XTAcXtX=O#&#@gBqh#_!ST2E98cc1!gfB4=db-333z$ zJRa4c_3w4)iE^^Di9ndRxdnU(9r{ORsbL~;+Dt1P><_c04Pprf=HUa;1~Oy~Zu0Qt z;lix)_K#SGx~eqJ8wWE~Sj&18gcWmMj_518hN#D?8V0PE#Gx|U6>3QrbgdJ3;xId5Kp 
z30d-LuKtPhE1-G}OBiUi41B{Vb0^;#7L_wtQqQv;*Nuj*p};%27Ijo?jm|z1?WPNC zR36z}^l;FGTxzpUFbJ~KjGUb~udcgf0)!KP0onBBfg7<~W0DTwd2`l4jw`DbN zq*DCEkz46MfBwX1-i}$X8%QYhOQ=>s(SeI9+W3aAQw`R+H1nOlPqgpg3f)5RpXxx%8z%I4*6^gu;7LIg;?Xv_$l@SowP1#sjNZ%1GltLqM6rx#d&H!T(&5;L25+vz; zE(iUbJg|iE@iWBiOwEc^-Q=*g>t)FR|CN6%r;gpExnBm$hEmSR6LaL|8ax2?O=A7N zzEE`3peBfRj>`rpf*ntn>7}d9uLpZjg#W#5WYDljA?z6aa?6}Ah<|*T+OGT=$_;FI zsnp|D`_s~(p_-kQ^?ht?HxLOR&@iWiH$n&KlHHMxj8*fNJ@*+-;kQ?jq@<=q#HN&6 zw=ln_{r7@9JMd)KXKb70J>HCY$A0VA{m;X|X-^vul8 z^8w;}aq*vy*Py*e;4Xv1399#Q9@CA`|8Ch*gDNgyY0MJP)tTLs)X*=cLZjp!yO=Mj={JfVUHEzwB! znqp`_D2i@wZp3ydY#z^=)iwVD$3=Sb_;)p)d*z{APqypbs_6^Aex9zLF$r zG&nSOL4LX1msWxiWnm#Xyulz6hOj8?RuOn-cwxo^zQicXTZ9{w!@UT6_$m;i@j^j` zBy(e%S~}*osOqRbPS|c-Di#h;L;ep=Hms2fXx!s!!_M|qZ{hK=pcUo(jG5EIjEkKX zUGd}Ny;oVyUtUNM$us?PEz{v^`B9#@J9qG%jwH16n_0Qo+m8$>6bgS|ADwDho1)mo zxsyYE{6*bn^<@=$Nof_FKj6Per_10WA@yVQh50$AXn-|_yNa_)Ql`tXdK)c`Y_u&R z`rjfw1)xvpS@4p;x?Q-VW8w)smZ<&aPO8+}+ER9wfx|>vBtZZ(l%z!|Ooeb4$}U26 zP`phF$y&iae5}xR+2-v=CI4B-v}GOW>Js+1!n>in`^Va~sj~0yXqCD=`ZlDXQ%N(> zS@>?|=gaTkH-!Gen)A%*X^nj>6!XX9L4|I{yu4#AElmP^5|2%bt8327(9)^5-$d0* z?i7Mm!sU~-vE`lQdRB<<5&eKiFT$t<1!q`TV}{NRFiR9s(u|b-fH)W}g3$ghU=BJe zX{WS9s00`Y!66}ldldl=qrt`r@Ongt8;vO`5LpaJ5rl+`&%(o_^cD;p57x`_?Ooj8 zleJz-8EZadD@n0UkVN?@%~EB=R0& zd7)GtGBAULffd*EUD%HRKCFF)0|Y&oa{ygQ96z$|FIvREO0Klb(2)tX{m$Z}Do994 z^^`f6KW>(F?N{`#emtb#a8i{*AnqU=;aHMwH8eP4;oueHg>l;*s8WFQKqXD@`vwzp zz*2DU+Q+qs8}}9`-2A;_ryNL_%fgE6>e;3!es<#>6WFKA9G_#Us}~;=l&<`b>NBMzqhZp z)(Q*a0jb*Asa3J);R6EFVqywG&i)JhWyDxK2$H7BC7qv{I=AuQtE)F(Sr7iLtckhu z8;38gAAa1;5r1*H;q4J4hn~_9>;)_SB`wIknj$a%NoIkzCgBqw+H^D*P?Z$+@2WJN zxi7f}bcFwqMWjf|nl%@ZQZx0 zKwv{o@=C=&fi;*cYrpFHyedULviUp60brTnRsZ4z>dFHh&k`6tQ{R2^%f1?J^-0`ufc(<#`|2~OsMtbYFk;x&=mj-8e(KcyznNPU%yUo!t4x4z%`>93=05h_k8}$ z$H%vQ%{~hAL7dI^?{P(V48VIbo4=D-XMsThj%2=U|p5ETD$x1i2`+gSU zVihBzYMVS1Kc(QALR&Gl0`AxKz8*?i!UDdrcd06D1b7a0j6vX6*x90M#S~Hl{66ex zrzcRMarz4j7ut9)-Z9xvC)?Zpal3a+@S~V#BBim49MpY$7!iq!>)@Q$KCCm^#QqWf 
zir7Mcm-&oZcsfX|*rW;f{2V1XFOW3uoTH)MOD$<%R~wleUyOOyU41piGFxSta?H?PR{Y$F z6ML_e%6$3yiqoOb(n{`@)7--OAKg+89oGY!WiobFc^mv!SrtRaEFGloU+e+upXf+fCSr7_Y{3N5xMe>Dj86C!byJ zdgH(o85NL}()2J%fB*iJu9*#_v;UfwbQNpHkO&yK*ude842QO_7QcSkEN8ifD#W^K zg}vmdi8+u|Z9CA~1bI=ZyUa@dtr=DR1R-FN!MTYP2gs>6^6*@Me-cF0m@^e<=R4G6 zmgKW%bJVM~dz=)~2l`d#0)GjrYs;bc!5u^PqfK~)evsWp+&3cxdl?E|fkh-mZmb{~ znw2{C)r`{0-#8D>8ym0;EQGRiN`MqWp?c%e6?jB)1Z( z_6-|mKpR7ij3fYW5Aayf0s#-w50c5&zS>V%{d;(mA=Nd{b5&f)-=IBDzhXUW)~K}w z_FV43rp}#nne!1Ihhp#69v@j^7`tzuND%~4hO47{x%jgHRHIaEI1dCop-Qdn+r6!>H`GmAj*6iWo=+-fJ^P3u; zK(&m3ZP~52_8k&6N@3VNNLu-jZ;et2);;+GsI`K^JwbB9uAr`@Wa`iN6`KO}3Dd_d zSGw#)IXO2MI*Zq>+2omYA%Ld8Ax7o=o-)bZG7b?tw(Y*8-v*TU%joFquM-X1qF%vO z2rn>xV=4j*S_cR9YB80d2APmHVx)HyGdU{-E;MfK{7Ra0Rdp0a=RF3@+H%8C&LO3M zLWar`{c3k-=l1gnkEFO><{@A~0tRjMDwEA;fcAHIaWW%F{ys*Ce3_4iS z2>{U+>Q~OeS`Zwrp8>ysj%12rLj&o}2L>ad3Wj-AY~)SU2_zbXAo}_>0IUjd=L{^v zTeg!w`Gpe18cP59wv?8XWb|+aWzgX>3!MfN&`uEJ10+H>SJxKcV#s{R5h;74*Zcv$ zi0H>Xo;qrmvS-a(h9Ep-Fp8nNvrEj=l)MQ}CJviBQUNY=ASnhMTg|<_7Q9G|hA|@Q zc8*crIfF%BL8V~Q;^|`z-j$0%&EHiZ>w{buH%U0kb$NqN0eGmW0tiy*jDDAs{!r3( z8UhvzfUJDUWmp9T1yC{_Ud!4E&3|U*5Qd5kXD?O{H)IIy4^SSX-p?Z%b?%UudE* z`cd%kk}h0Ar)gcF5M)wECfBwdz;e*cfUJy+CA1YcxCP~N%FY%TDI!ZlUx&v8M@1c- z#*Pj}7)5{;17UL0w^&)d)Y~u80eRacE>glF-ieiFr!l@$``?p-t{pErRcsvK{g?{J zr{~}jtu~rnzCd%OG|ce$XALhed6cxSX4i!bj~&~-uuQvlsbn={5Uw9Eh3Cqq7 zy7bzS)%9sdM_IhJ+WJUynk3VZf^X=Dk}X0C9?yO)bt>o1W2fdU08l{e9338p8C&MP zd)UJC9VKye79hYc~*SuP2T_WYU%YO?;Y#^Fl^yPU2UvV=$r7hQ1FZ_IhiZ0e!iGL9|l%7h{@q;Pf zzkES?xd9p*927Dnhk7BXi_X#>pfn2qyLLd)VSK;WXA)-PS$TQ7==5M)f%TB!kD?%S zEe?S|^+vD&ZZ+zgH3VW0fH6^t!`eIf$rUg9|Hn1vx)v=21|WLyE`cq*sG6<@6th0z z<4xcgdJcRqt}kPi=E;5JP6g>>qyJquz#w^KEqpMtv7|hCS+&i`wGud7VjBwOj4##G#NNJwbU>n2-c-OjWtYse(Sw`-Cq z>Q#chXnlm6gLhZhf0YK=c!jFrw`|DW^NvjNL4#}8$j7nG?iC1n0rAJbPpqx2O;sDXj76D7ggvc zKzayzPzxWeog_g}90KGtCEpcGNVE6guYQs~TF!_E?Dx`^58qv|2vb{rjmDc`SWEiE?taQPSJ-p|7D~3+E3!t^a-zM4A6)S9r%=?CjM(H6l5LpN0dE66gLXi2Y?yMbT&Eaj4)j^|xERy$wiU#J3WxrI{7Wd&2D{Kq 
zfeL;CtRws>QVtAz(65+cj*YMQ)QUdfBnk@)mOTC!NgY3!aQjl9VJ;Ok>NESB+I3e9 z<~~!HGm?=7eGB6D7*`7NBLKC=X|Q(ChywmJf0XOcB)4!*)XH|_P25yWVTXH=eb7&X za6BIaksyp#Ag~AIMzRJ+y16gu*#En@vBC#o(}ow$$NhiFwD_gKv8d!^Qy}#CGX$CA z$N79n1NFb*7-l8J$1^Z8#`fTcT{V<9*HTMM7SpM%my1hDS@`mj1$vC-del(5>Ce#V zf(8qdc;M=c1dtL;%e&4vM=D``mZRe+CPwsnmLD{3$ah2heH>=7luKHy59G(~CdXw%v#ykEQNxK$X5|78N3Q zV0zUq z>=7a~Y;J{P=lAAocbtW{j*8H|jSc9|Pu%M5&^D84zm z<(d0Ek2$2=gJopS%`PTPx5;+4`3*LNp@gETt?&qFKJM6{qv$CBrf?CcRFiMYJSJ5h$1=lC z6>pnn3<3rL91s&ubY@^rVJt-i;>KWfMNsUI z^-6x{&yx-|*rm8<4!NO-33EfCvn>sJE|pQqd5*e-_nivNSrECiV}wE-&&eE^S8-eS(gL*O)kqp!Kr zB`N}r4EEe2d_jZq7e56$K!SU>_Za|E!)#DBmfpU-Y3Y&-2nJqW4CG#1s7YG3Bmq>4 zWgr@uL?D6^5TGUMqqYE^pFuJLHH8+`*S84YBW${uv*7C_u=+$mLgE3w44fF6Krp&x z*;4$iQ1GKuRS&R&j>dDeU7X;SwF`x7EPf$C-5n0AmoA;|t6l<#M$?Z@8Knvy1o9fr z#uO8Tii4OcNzX};ir|uxb%Xn9)2`wtEuwZfU9PUAEhO2O`@jjGRO*M3zhRRf<iiIur2I5WHb%Xa7c@02HL_lXxnGP0ryZhL zY!Aj_v6CQ9!jqxNjl3cE#lkmhR$)wX1QjlYAa#`9jfNM2`ZWB+ebAnR$xL|qa7+tm z1?x1?=En5kX2wh+8lnjv((=B2`}RLe8@qE5ie~sj_oQinepT=Z(D8MeID0WYC^>FS zf>HkO92Xr-cjAmPSXYYG$49E+ACWG`iKRE_b;QF33Izx#=%V9*-q4cEeDJ<|(K`o@ z$M*9P4L=KQ1ELaq048c02yM+&**>KhjMyiB`0SC+?(SF%&Q0)L`M6Mv{$GEcW;2}# zb4*jy%86Hyf_=+)O0HMMRgJZn6up<7O(D=(ugoI`sGE^%fob~UA(2cxX9oK0_QeUVa z%gd&k+|yE(v=X#oD74a09kI8zu2FgT%YWf#QPUY)hk?aAdwd*DHov)*Y>}w!_v`a+ zyU=0Y`tI(VdseSmBQgO!BfR)C`k4Z;+agV0d#{{kAGte@*p6*7lfMxsXpj;_C!-@; zR}&~au)lS%QQBD&69_ESX#eGkT$S#U1n0}xkPIW2)^r9R?H(5kY;j$;Du?5F1Md(Z zj6v$0oT9wE@EFGew(0PrXNEXs@oT>A;5n{?2d{xxij5)nHA2cp7hJx-OAT0*(VyCq zH;IJ}y55fw$}1FvYQkx2%bckXjG1!&z6fFEo$P;>h&{z`Q?g>$W`)V^rBhX}^VyQ> z^1=7!HLkZ9s2jH)wwlj2*ai-)P{-Ab#L~o$hPJGG?Y`cdluEEj@z*vBIErKDbsUxi z(v#*Y!T$Pdg;dAW>YTD&qUa6dL+i7Jc+&6Q4fG$#i?Qk03giJcpupveo@*bBg6`^| zIRz^-fYxHa*tPJD!_q|*>Uv)+?j%TUn$7w`OI&#EC(2)86d`)7^7|be%!GvYk0Tcr z)@-c^I30J|bfb*TaP6g~I9;?twG9pW-NpVFgJTzrPgq$IxBV{KVcRgoY`$4zk-UxJ zKa8@cl!K(q{7jd6>EUca7-8N(9S|BCiVKUOEyNMHCg4|0{pw3CVG}1^v)x|?%!MY)*lK~e zZWD4W4bCT^P{dl6U4$JY2u0XLfYbn32?a8z>PE%SJw3bl4qd#sjLwnfE^1q}z9?gm 
zlbHyRx8LWI4nt}Br_P@JIXp}u_oRwRNnx8A4&N@~X~4>zl6;@@=LyvlCy+mW5qEJ5 zG3CX@hiHW82Uv0T>>48D$=%>!hSM^BDEWMRDxiI;kot>jj(^}=^Qxz36M<;G?`Aia z3xWTJWpM}UH=zeWi3R0@NKHQ~j#!s$uoy7CLk^Yu2?C0Oib^WLAl}3HP&zKE?rMN7 zv^5T3l@-uZr1gdw3vw7?Zcc!x^&mTYyR58$lnTb;7y<%OFVPqp9Q0qD192zi;yFfpKI*>TOH1CCE4z%iY2Fd1n_l_|Tf&{o& zf#Hs=k;JL@8DX%(v$q#M{jnH1v#g9U5EU&j>*Sj^6&%|s1d@;;7=>7IGdjA80LcX& z??el>0z!_9*!liZCC0Xpr2FqxQC8kWU=G?q3BsHUsSQdl!LQ;~P&8z~{oRFJcZn2o z+9e5J){XkYjeXm3!;y+sJ+(%v#h~MUl{En6hNWXRE=g#N0Cl4AN4A7|1!%qD6zkFB z$8~Qy8ZKOQ^Y#Ydmf-&!CB!j)c1RrL&VDwTWc`Em0}5z-jWxDMzWwHop9oGiGNIGi zv(Vw3A=vS#1P+i%bfj)T5z}U%;WZOT|k|j5n!xdH&+RfE(+m4QQJmOW1MOtDYP`rwk zuWs=KEDhHT;<5jn>WCD+E zhWF=a+$DA!BU964RerRF8KSr41hpbi6R*ZvFyyV2xVS0U%);xm1I}l$t06quuym;p zHT;`55xyW(?XS)`+FVq4(Z-2yk-b+0w$2>it*)FV#`Sp6;WYsMjXJ@@?$F-R3rKe!e zCHdzQ>yB_8$(9X-Ge1YqaUA_KE*N)mUeMmk9*(>_OmKpShgUlZD;HLUMYaoh?|2yN z!hMA4$cx_X2qzg4Lij&?YqGZWZI9eY($F}(G>SWU>l+%f@ki-b#IL;Itw$?40FKd+zg0@aCtsl+BjI$_gOY2JOoU!jzW(?X0_K?**NTWdY}QsU;zJ#p;Lib zPDb?aKfIO(2FyfjD|Be9?DpaI7258n!-k1>TLSoumRr0~P1y`KxS)GSo%b%aMre0u zZ|}o^m0m*M#Kd!YT=TE}eg8y**U?luo$}@vFU%3l;y3L%6`fUDdjH|WpTR7Npn%5j zky8&{GC4*HW#A)0?tZmXWr08VE`);3QKIaW>=-Zh-56~;K>hiD945P?kG6KCt+0qi9d{o8npX8|{h^zN>}DoO z@Lw8VT3|yQe^knky%B<0;_Syh=&5BtRl72OBjCW{)XWYu_A;mMtxtVG9~@hl*+1C^DnFhNZo(0+b2!P5sq1sc58WgHwD}pt+H$cecR}0!?K}m6=!md+;A6J)F zQ8Cd>5G&GNd~?rEyDD$tRf;7CC8t^=B5WnEpeTm46o67%*aai>Y4o&eO$ntn)wtK# z6@Yol!z+1|_>w7X(}rmSFYg00LGw~~oY4olu}X&()kD8E=ub}-X7l3nhpzPu7OkarS})2sK%jw^RgyG8UPBC{~Q=0oV^uq2`T9C!GoW$U|!yyM?L%5Mujt2^_&X& zNVBJab^;U>aHhm+qtB12O6r_P-?#0+&h*s;vfEmbb|rnG@9*zFAjd7rf3rk(uo;#} z!tX8-HmL;ILC3vw8V6j{@7V@!`lHhz3_s~+m1f#NRsQV1e*u-^3lbpEwjIbf%_%5= zmrwV?j47Eg^~acdD?CyoX71d+eJ_`uUENEZpT8fl0orKr74EKWPQQ$)32Ek#+mnTb z=!mh{ngL9r;l%_cjgjOe>ShHxf}n7@ z2u*v^A^OHI-@l(jWJI4F`ffUGFxYZf{^lwc^&tH#MS!62$NTp0Z;Lo-pa#{OEWEdi*+10kFzgreW#)ftAaPhb-Dq;}b1gI$yo$Q% z98t@8 zh<`Uk6yTT~*^lQBqycnztP{dsfJw=}2k#8J_)V#N29k@~63fU9E&hr4QIbFw3cKCH 
z?Ff&^?lY+Y%hU@G005vfpu?Y)yWD>#3mD*^UClQvZhFVkoFKi(1%RZ8f6?x=r5E303dHJOuie}{=#o7Fz zC-d^Ct8P0Mrs;L#ZFBQ47^eU{$R-OnTo&+HzhDLmt}6Ikb0{KmPU89Fg@#Jc+i(nn z+=Xf9(P2Dk;2n5DLIltxt?Y;)Qxu2~o0NUm5m<60%tA6KVCr@f`jZU)&!mSPtQSe= zjQT3l=ms8U2slIws89f(lvI8gQOG1$G`ps^@+*& zwg9g;B^lib_mRoIovZu)=jEZNkCQ&qvw7Xi&Aqui%px0?kP!YO3o6cms+@wRQz&Fn zBgO8OV_To1={VykVdlZjUJuQOQ@=;PM~}zDPgWZKkq^-91yUwk);mgnFzjJv5Pvc zUS7)RyAEnOsZyvisK_#`^$k<+ui}-pQ`HPEx_`HNdF9QD16H7?Yqq5*{t~PBWF~%8 zyX4FW6bi-%L|TgOKj_4Qt|w^Qa7`^6l^+~HqyPmq?sHgVWa+SmvU1Pf3ze4Dx9-~6 zKlHc8ing@HYs39k(q)-mP8}GZe{Xi0HM`7iLx*V+_Fdo#{fnwQWM#Dt6##phWl`2H z2_o>}uxs~dfS@g2#EwE9u4$DYNNBV6!-v0!TLe}{27xnI;?!{#Fz&H?YWXQFWL_=? zgBqTz5N7J9cBEf0GSr^#qeCEmuMNeK)=xG7$GL@XKpiIM%MFpC;3=Z4eV(>a|9J_( zWYApD;DA&VIdVMu*gpq0Pw_TWf;iKgH-GW(p+jphY|6QES)b>5NB~Y#$JW05#E##e zKR1tyQ(*RffAYdcZtmIn>rdRj-ORn|xPIF>YW}hdPe%8f41dfAx15+l(lS9&&fb|$TUqFy=#z$GRaM@@T80W$#%Oix?8 z0a);X0|Gz7)zhLYl^=b4n{#tFgoFTLu|`8u@%=MY$l-CJ^4@T6Jm2NoPmFv8AuumKDd{nqMg)>DR;NqDwXNb~O#YiV)Wdhd zX$*gie51MJj;2%);9;tsE6%y+7xbn~tQ$+*zrBWJiw^7;Qq}(n6Lz3M=ssx!A3gd7 z+5!}1sG`B&!0sHpP2|WONSr`CK?8jNZA`my@qkFjIVt&N6n+S^N>KJ`b|vkAke zuL@Y%OdzQMA%@V$o#7#4YBSd0PT(COaH~yMUxXTZossG>E9+FEYC45Pye+%CR6bM51OEV>CMMxSd7k+XJ=blXv1e z_t#WaT>#euUq{J#+)AE5x?}@owhTXPNUQf35{s;y@?uk>Wop{rfUgQv9J#O zx~n!~GM@7jz6cBVZ~ri+NM{SJw{LW7mdb|S9iUJn>(ei9-@QAf{WQk1;FxAstWRtL zhGzwCC*XOwO!Kg_yMo#9{|PA_I|bC>Gtve|{Wp@68^5`uRgkrL5eoAXcjGHaN#k$H zEgzes&VhFVPj*aeFk8iN#7yo!CNW?}%WlRlxnBq&*ZE=|l`CVkjrCY1B^X8Xz*-4- ze%E%^4eEb2z`QwqItLE}M1ufZPwN0b?l;o@gqQW+@K3TL#U<5y1ypt+wh{@LZ|w`f#yy6ltF zAshWB@7`0HD*Sy56M?!&RFo;6FB@a^*YW4$#}7o*NgYH&`{Mc-tJZ~69oyA~RMcO+$ z@Pt(Dy|<0l1vkl`&iBLG=HT$UL;PQt=DsK-oVB zxTGSLArKo9;{V3vO-+rD z{e0M8zHxo8MgusP?8CH|RNWQu=Mjbv6!h7QAFXlsa;70vmP+;ter@7w0@?x2lL7&= zF27gTUALZpb^Yyup{wjiDlpu-p=NKVn9<+04$zM^6+MZZLlIaDexB&B|U$F)^X0+e#Ob4=75EeeHQ7ZkO!%ech@DIr04V zNj$N>xTxORCMmJ-J{G~O4dwzX=bH86q$%+m`1s_` zy9N*@MRsrFC75lRxi%z*-qCiONTlgZRX(^f(eQ*8TZF?G3rRi&xS?cj~_&fRe%>rA8oFcuZP$LJV5RSagrP4$k4t|PIt^K*ptmod40 
zdO77TY!wy!yV}cF9WK6pVn4XtsyAmx=l)Q2zvx!dJtb$J+j;&h5uG=tGj++J@pxhy{`KboW$~)rgdNrTDG*RV;P! z5{hW}47!T}C8dknIL_ZsGy+FeQmSV4^ry_o-KGVlr5vmd1JT-)GyuKen&Yi`yr9SD zk}@m7B$6R;W7d`Z6l(nJNLDK72nDuMORh2*>GV0fw7THw~zP`Tc(+BPdcAF?b)=r~$W#I%4(U+AHOOU?u_g}x7Jy&Vp z(7iK$)K<{|O1R3yncILY6xL51TfbQ#`1V!Sg-VOvY>j{M96nxR~X~R}ID_38{a0!;n>=d2L8Gg*Xc9q@J1pm&{`Q-K|^)%M7ZU zvWq=YozK?-Uk(2@rf*SW{citn3Vw?>n(iD|4+{(Q3Y( zuE>|LnzVh&-@ec5;|KPf_0`uY)R($wrtxp^w(s*ar*qW-V3Z9C9Ar0v_PeN@+$@2d z-M4(M{p8-%R7^MUii<1p_zU z{r|JAv|+ywnBp)eIkgCiFDXmI{LTqX9*^$_mVQ)x)M&o7YX^wSzDa=YZ{6|-;|<~{ z&4=7Cr%5{v%$m@TMTbm1`i+DJnhbV1iY$z?AGra*8LYXzsQ?}+Ih&Th7^(D+g|Z)! z;3_4p^ii|prEvQFzVRG{lt*TzqiFixmo1@A)REr_-~o>77#|%u1-Z)@#JnOhD8#VD z(I40jj#0>J9$LbGZva-s78U3IZ9zwUbElgP<}%62q;wbcAUN+p-La%ZpR>U2Yoc2f zsO2}{GnAToSnB}$g#(u~V9^lMeg>0wD4yn_E&>EaV}&XSp+9rWz0Nx{{IIPhz+FDs%JmUDjs2()|9$}zfy21?mL(R9l$IyM#bPEF>?)U9hb9!|({1Q%XTG7q4w|S|(XNDr40JIimUA|5z7`)(3!TM!JvGrg zeRfEx-ij;-&`OWh3n_<7mam#Aut3b9*41}m0GINm{bv6CnBpTJ)ciNn4&A@61hJLz zPm^_NVRsQL@TK?tG)YVgGwwhC;>oae!?why{dEHl3OMXQM*)g*$d<1p zCW7YFDp*y5k^x$A=uL16=!vM#KaOp$pc`I1U=5ZU?kEYo%Y?g*hcv6oL1VXyDaY=l z4SkGsj{$=o6&00ixYUg>I6^gFS5C=`t(Bs;tfjxEg;O$uky@gdUcbKs&N#iE(Ah(_ zO3rx2sRxBBcrI88PkpZ$p(sETfH=prdbQ|k7z+d0x#Rc-SP>M8VJTiV`i6$f3BbN` zb@d1`sDv;R19mAzz!#wPBg+B!2^0?AfB&|U zqN>;sk`fESVuO6!%;B0m)RO2#`Mn%9&HacC`x7BoAcv@i>`de{4?U^Jfb}Qp^cF~N z)A0ysG|csWIB>oG4&gJBJK@>LyipdxOsfoEy1*+06gSNMA&j^Fk)d^1Gfi%w^;q=M zbRKh~CE)-tdV72Orq{6~XJ`HrA`;m*q9oMR3 zY^`AWIh{0y0C0`r#zk+}l43>3#|R6!=#fs7wh&t(K&^e>1>yu}FZzVf{OS*b#s%8I z_JuS!GIqx9^s^Ug?$z5wxu$Zq8aS7Iho(ee2z#Cb3QFKphu`0y29!YJ24#4H*gRWP zL$Yuee{&FfFNU&khoa(2 z9(h;9Nf=kVH<`afd?$OZa9(`DGC^$)dz{GRT%A#JamEnu3A zjr<+Aro)+0i*{OgxpA(Kb~!&&Jg7Z04O25oZa&<63N>@PJSmILrO zl+A~O$fG+e>QsrdLFY*(wlF-lWz$~{6s);@ zom2N!;~W>KzRR8DI)cG}DOh6eQZ5s#25=AJP4+zTh?w4Eoi zUa5Om9w_^2Bg?3^H*n71f8#9!-eWi?%b`QrY*W~EVZq$iK5;_sUSW~H))Z$h6A3AU~S))<-a+Sr>0{7g@{^& zv_*~=DG5PlL%^6tMaF_;$`w5GdKuhy@U;f7xUf1WOT^0RfPb1IA+vinvby>V|25~M 
zN8P@tDVS7m^7AX*zJ341riWv_Dl{DiU_Mmn6Ar00ee@9?Ua8^neLVT(SxIf3_uqV% zx9>kFg;6p4K2tj<-_rH|*yPOCGpLH0&r;p@sD8O4U4m4#>-72QSw?|QRqWblEiJ%N z7|F5AcihaXwAWKJxgA;182sc;^`8r5fl6uyVRgem{8*uD7KTa&?G*Xb6nD>peaDAE z%Z%+lYV7*Pt_$8G{@y8#jRWc_9hrfwb^!r~c6RA_cJyUbnq(=e0Sx#1Qz3*8MFR-{ zax=2qQ_up9ww*&Ne}AuDZ@!$BwhhK~&Q&T@Lf(DI(JsAjmFVYt;3c|ZG; zA6c2NB^?Ukx}J3XJZFa>eW(~aMlMGmqYxGka}+2ziCq>eukLj96L$wCd8tpV{ZzgS&Pet%4Np zf9DN4zG?OF^E$qB1F>%XdfB8#kfeB_dp}d}9azSD*3q~+Hm86KdTA5k<|cFcQkCaq7)Q%6yo8qqVF)S| zU0EF_8W?*6f;_2}u}eTv@i@RzeV23YufUtv{9Ujv48yRwQMB4sgRMnlPtLTe&U&O8 z*s~iuEQ4T17*>ZbsmKS==4WSxZ^O3Emjm!CvMOuVDZXp#!(>UwY})cR&3*E^Yg|pgB;V&*?1mIT4$>i%l#Rj5RQI|^>^`{rQq z`;Izn+tDMd_f=z?rziL61PvzfP|d#=zkK-u$CO3Qrv7k7A|`BtB9l#BM&l9LvEu|% z0DtdIXeq;?jIN5#$3?NVXBK`B1CL^Sgxm!h@+7^R=%cu6{C-*bnDwSh(n3%m+&AJQ zBsQ<#;8a>{YP=#lH#_^z&<1P+$t_!`H>dMrs;jSC{fwcQK1vifgBAv!C8;SXdZO2n zNM61A7KLZ4AGgG#!O5gl-St!hjhgHS@i25Z-@by@BDQ7A0@8Fs=JjQ3Q&Zp(Y48;- z)b980oBq7r{cYv>korpBD`#IL!z9^S%V5AD&LGQ}c_Cyh^3li{ZN8N@}aY@ki4Gv#cBWpD=d6J~0R5CDdTQ-$; z5S+VFmRYQ3^X1;s(qT8Zw!N2D(sY91b(&h&pOl>3PD(P4qbvZO&iDvx1V!XCKP8Bk z+|YmlJQ7?A{Dc>Gcno>H$=;=^BPjOnC5)|;E^j#~v7ZcT;L6bVLp(yBjI4xeeuUIc zZ{6DQ#;WIBpUJKOU@cl&OgOCfHJ{<~vV@$#2!@e*KCzLIB_7=1h5Q3(LH<)g4#;tR z8aBUkl7}wh>yzP*m-ff^>C$6s5#V`vdEt)BPJCOwlaA{8_;Ivpmbtc{C#!4ZT)@N_ zgMg%W&u?6IqUK)7<*E>jEp-SSYE!zApKtv{ILDrA3zLDqw*(WNrxe^8Y05#)Q|zx> zJY)jKI!8f)=)0r`K=MejMr?kXM>M;9-bA#Sd}QD`8hsI-r;?#%lGsq&zY-i zyj|N{b9N(WTy}P(RFD0(Fr}aTjQhdg@g`i9*y)t`W!5LzY5u{WLxXD0QR!n#!|EOz z@m>Z$-J;^q%hIdvI^~|R&3r26FFE}%a;%TSq~MJP2atux4^#G2wo%HWi<^!U z&!5AO5YK(^>(^?Gz))&6{!KJ;-dInzF`+GJiK>oHcvx82fm624;!SL-Ou1{yCEesf zZ{ajsfE5h{Vel73Z)AB zT7Y7nbaZzg3kaC`@q!2EVs%PK@UBUZP0{vA4W9h}A5wG|Fe*w#3Q z14PG}gBA+(h0_-i0a&O*Y>sBh&p35S{3ovhEa5hIjG{M4HkBzJ7~rEt<~#nW)6|6d z!F}x55u|esUU6IBd(IRKh4%E(t~kaTHc6Z6s=PcF0u?6)EWvmPIvO(b_Wzs}x)kPW zm;&U190tZS>KxqM^yF8sptZmz`=Fgtj#Q2%qR{ag2wT|&X3 z`?Op9)}KZbi6uGy9h@f~O=RR#7{8)C)bw2qR1ICgD21_V5O_|Z!)>Glp+(fQDl_l;tOXAi6{c3g)WaidVoTkeg#_*>{5*IFeD*TK6Gp$&qDbH!I6u^ 
zijaJ!{g_t4Q)+&4O!o41hR^F^C8UnJ#BKw9OgZDhBTDPCJWW4T4s8gD~_gc$^55-~dQJUUX^XWV=?MavF|+UImaC z?i|V=2}FaY>#*81nJ+8|(u840Qb`XzUyXbPk9Ze1O0bCGRnN`vEBNaN;!mvPN$z z0ET?6W(;{J-CM=9O zAabdZ=c6~OwEox}5$nt=V;gk;Zz|3P75K2=92(nAF>M4i0XHi=U||63=4?oxhdg^w za3Tq6eDVbI>|gZ6o>bX$n;NB(2+E;|DDun=gWE^yYcqxNig8%9ig7hIG{l7gboKYH zE>2+I#R{9xcJ#(R1xP7Q5gat_cE#$nuRL1$4k}qd%c?V>=2cg&><4p#X$^Zb4U*+F zC9^=P0v)ElKOI7|!$go$PrL;>jg+eC-a-&B!b)O9<3FZfoNfAq^Rsha1===j?QsVL1&!!D1pwy|X&atAdCJBMPcO3P?aXhN zoiKm}VAE_Ab)ReP+TqbrW&(vX`|PP3;#dr0^RBJ9qcs--DUgVQmWh2FI95TfGPpJq z%h~vHA{?Y79=(5`I+s_t8xj9MS=BkMI1e}{Q%-Gv>ERI9P9rUqu?9f1=#$;3Pz(U0 z-R!x!{Sp*)m?5yyEtYzi3=3!Gju(mWz|0P-3~z3+3liPZIK_|qr`;KM)M%?k&j}<< zH+g&)C$(kDYTsVh%(}UtuzLjivm8eQv{>PVtJ&DH-fYwCX8l_cG6SFpV3IH^HvI|$ zqdf3yBO7r5Uuazo#Derb;HmKU@e$aiiTP=FQO^PgJEuw-`#^q)VT2)X>h{~5_Qwct z!lLHPJRl)V`g!2qB|(q|sn98of4`NPoegFJlcLCyJu|tpwKZC@X}8lk)f=~NX>#K& zF<=Pl-hKNRA3>_9yERLwm=hxAbLdjWiLmqfaTob9vfM+I0d$Xk7J)FzD)@5>kV;FD zWK{#{hZlFU(~4m>JOBu+Q(CdWm0ERjT0-{|&;i8NOo6mnhq$YKA zrmPoCAFdVu6Cq~g8mgp0|a!0Dkz3t``@g#x$y8v1KT9FPJBM_N5%GhZGUcz7)O(1 zMoC=rB~jX{R}i7$o^rmfd1)*~w^`Uxl)j1dQ(lav@2@WAiaHWgJ-dMYW^uYv?rt&< z!{Ln;@Dp&NzUX;JOSpEQ_>PxwZu9`x9f6!(IjIO^9XMmdmf@&r>Y-vQyMvs1>XO{0&@y0D%zyM!@yd5 z9{`j4U5mXG)1g9v!~=q!x9*nXtv-peM;eO|b&7pDHkX@Lwom(|Pm;pn%cY*pyXc)_ z3Z(E0*tVs}PbUg8@*4qO$l$r*C+V10V6o5s_|9I$j}Z^CfbY?jmA?V;>OO~GUDOFkdEv9=+-2lLg00yCAX5;tCN$O-KKhQi02<8gdAI57STsfwR3(Luo zV^hJ-VbBM*-OKiNw|Do7Vq%O;O*x()#=hlVx6T#$o2{)3m{YmCt4u5`Muvx70PG{y z+wG|*3oR)3RoVM5aNg!icP+a#Q_9gc-A^WEb8I*d_{D!_-wx?Hq9XMQDqJ zFpwdtHNL*__vgy=KP~UypGIzp15{tMR$%(U(REZ|jN{NYGQzXJxL8Rcr8By^Z508W zMILJ~s{{QWMljs?4T>HaH1OuFZS2G?U=< z&=d&MgEeQ6EY5+R_=h}D5?I}I56+Ily)ox-fMI2}O$;+^441DuC3Qey~03R)tGY}bJ5S#|M2ukWA zkP)csz|SF($IETW41;hGw}Sx*7teI>0U`##3bp5=mKgT%V3(M>tkI7=hmp=(AeBXv z+Y(#eNDszyXf1+OkuTt)wW&#mI0A?F2yT#dq#UnHl;yvxa4jO+51DHjnI_Oa-uV zv|JZ27zB1y60RP+k@qL4n2*WE%uIcX7Wr6iXO#5*pZ67CYzSsF|D|MFk^q2PZ}$WE zfe;oTv!co{pGMenos6w2eiMe#fb7ZRP-n_DhNc1ka{RdB|9u`Dw&UFsmDBPVVu~L9 
zv5h{Sd#$?w>BfdYc%!$Q9Mu5hlI+aPPDP&YK-ZgSnD~Uph#lnO<<$#d55+~Ej5^); zy@QF`FEm+$?Zj1DD*tamz)TYcBPe{s9z|0PGF}6axBCGe5&iqEtA@(JzI| zLh*X$(JPC{kQs9`5 z6hUG6uiw8b@7>#p6^l$bzO6Nhbh{RmlKKKG7HrdU)KH(%6t?zK_63S*5|$`}-2eCn z@=%@xi$$8&<>Y{e%kpLKro6Fmj1d#eEiN`~ych?t47>_bY$HQMOa{x>+gkY7+`0?H z?Ls8cY*gGxY>26Fe$GQ|`g=Lh7q{ZeWQQPhkoA~vIW&ay{p0X3^g{{RWKIznk2YiS2XK~QIJd#p zLt_&s{M(?VR57NQ2I1@K+4C^LZ~_!vN|ZD2Q*bqo6-BYmmoc{pZCS={ypc-xdGubw zI29d~=$gb~u#$jTIVsb@5&F6B#VUH30m%Y8a7l#s9S?#>?bQK#LDv znf!Y?`R}h}S<#quNFAZrFwq>XJ)A+Lw0gIq46BH28xd`|X24&yoe}33Lq-H=V0eud& z9Gun3oT3=-mh1?6gjI|Hk))@t{?_7dY>v^lHes61ApliT5fMdYWzXTyzSuO4VN_@` zL{>4R>T)d})d}=u#;XxdaN+dHwj3Ny|D#d7b|Y#ZoEGw}U0T{ScD;V-r-E&avYx5`wi9Zn}4%-qAslM_qVD&E6P(AhM`^ybFI}@x~7yKH&d;^e6~<-Pmp1UjGfblv}Tk>S0Ls z9&QkPPKOV(66hTk^6vxH7QKvWuYm;1+j#xV=iZ0Py}NJ7jLTX56OKMZQU0&}V=N64 z^tcdg&-f6mlDH6znR51d8Q6KJ;nzV1su1tCEnQ1~2|z~>1^NXm7>NuM;pOFpZ)QG- zBhB#~PjnlCkK~K0<~8lq-~MXFu9=)2s+bS93vK*+^Y@Wa5wH}7kS-wrK3w=At(uem zcnk8|229D>f(`rX)eJfs7PC9FqXz;Y#CzyGFR_Ei>dQF`*MU9KQfk7!ATP!>z{C-QFHk-q#6+OP3AkaU4T5_*bWF1UZqiaQ0KQL zoV(fPUc;-E>*a=k6BDH28zg_o%dol`FhZGV-El4nIQeRHRJadW*Bjznjbf!Br-yp^ znctQa?V>wVxQib%Gbq?UO&-T*q9Ym?%0low5?i*+Oirf1VMf8Sd=-yI-eaKU5H4X7 zF<=%{yJ&bI=M4$jAy$fZ_2C&}P8hs45wVeE%}~;HljG66D=j1Q0(LL*z4t3C(K@Y+ zu@aIO+lJe~jDR7-BLvidG_cdm{_Km~Fu85)3CK9gJ+0Zo2K)MA!GZ6CJ*nsGyXh#i zKs=!M07a36_ZARPUaPIfq-%BG&kc7)PCNVH4D_8MAe1n|>x^GZOFo;EQ;1ZF?1cx2 z9NVjn#1`+y2q%W`aJnv#PW{_1=!r)CXr8_A_5t1AIS>Q3N^8qv=St0~W37>BwfGWDL}uBQX#%v9lBGFncv@CDyOoy7($JWAHm@c{Xb+9 zv*^~7ARWI@17NmRX>lys0D5Ms}Hf(@4(yt8%M8x=rC8yFAMQ^r0C zh-nqB?TiHMoAAl39I=4E2V;%`ZWjt|HKEYT;3UIEfCz436YN+6(ycfrgi^$J;`2B7 z)+i`s*emiy*VLRvhd7F1Ts}Tiz;(VwGtpx`0Dk{Nd7>aSG27AP>M+_r5QBm=Nodg2r8na;g6R8%mjv`O!vSmO*@Y@BAN8i#xW@(;z`p**`125s=hA@4 z6j~pD{`Bec)vJ5#NwdgH7WIhL4KwOuuV|#fQ8}b*8J}|-w`1^7aU-Hvfw+{^rJ_2} zS&^x1SDt=(dFv@8{EjZPh8Q&VmP&a0`3W(gc%~jkq5$bPE~z(LFD!_cKt?l2Ji>}R z=ecX=&ZaJJw26Y^MkRyB_*|FV!7xDmxN!q7ODztQct_}kYk`7DNHSfL_3l%3JImTdx*qDMDMbP@UPpwo@wfO1 
zgn!A|5M%EtNlV8d-xd&lJ7-ZgryFBPqS^+Cm*datHGZN+9C-^>>QMUsNS@mOcq}=g z(X}7huZH$?>gHrACh$B^WPsroQb{}?9Ncg_c*N3p^{u_jI_ouoFgY3k+lsnEyBT-> z1qk?ao>*NUumr;257odmZ%VQ(er$5{iRsLTVt(7uGrKGZKrY~?aA)BMkJCP3Q{~k* zZn?R0Lt7_#B|c`Op>%44JRX08y9TKN!C{{Yxf4plp)Za(G?dzoFbQA=8-TR+ERIj) zyhPB`kE9fHCoez$Dgvqz0dk6up`P0Mt9vd)L{M3+%RP#)TuV#mQ2jQi0N9I^JaEtZ zoFqLo)CzovwRKo%Xv^+pl_z=QKj;yCaHYp$u!>~a^b>ZYs4<)-e31v?LI#8(8cDlO zl|OvA%kuA2>6#b15nKu8x2(|O&F$ms+k774ZcA9GF{kpobEk70)M~zp4nb*gaW{lZ z$0M*Sw6~KxIj5)Yl7MY8dAtgDr=KDpak5L*k;Q)OHqAs&1p7imLj(KKrKi{lt-kVK zGysBuV1^QlTDDbI76pT1Y7)e}YH|Lb(HkXv{??o}E1OGgm{k~A;%<*vd#LwAjXM^*p+dO%SI6Uye5ystq9y^B3 zWM(p2>+)81Ce@z zdI8rMkwBZ3LO)Fe))$_&A>0NtG6v8S7f~93kXCPY5x;)p4xjqk+Vf(Dyr}(nc>W+Z z^wYzPvoXRJYF-6+$pB#Td3l}2Or_b=4j%NZTmJX;>sKpSQou2~r%(buJKG*n395UL zboD3m>X=7#3iUd>gCxT6MwK&F7-DU5YAZB3O(Q5_FeM3!@+qV=i1VDe@C4^QEW3R6 z=~Zl==kVzxlu`}N`)+iM7F-E$e?v|GpB7+AYsscw4rUdV8sv8{oB-NZf!stx3U}2? zsd)@?<{+Chyn@l0men^1gR!zie6U6+)W8sS`>O0 zk#VB8%+f8^CSZbXZZtcjUiLQCV+GSwBWKVpDTK|{`SHtH*d{S8SFcVH`B%w&C-dL$a^Qn6c zF?MK73eEE6N>{B+OeTR$8CU}hLzP%I{nM!A=j)ZS$*~6Oq&}FJY?b=_nW8LTIwz*_ z2Ko>}6`vAzn0&Q>0l{b?iBkZAQwBd(v3d+WP9aDutHHxtUroe$(C^ z#~{+*od;gOctH@L2?~~8C!rDyy6o?-ZFT?k4dWE=S4@wUxJ18>*`xNtU!w< zWOnUx=)N61$FiDQTm_6kT%4Iy0{}75jp)Zy0I_@_D(Y6ps65Yel=xj;{wOF6-jZ4k ztQd_Rc=+3RNxJ~DJ_AG?djy%Ro}&%S2LXxz0!l^0WqTHMNx)WqV9IM`Bw7d4fEPjV zv^Z%DEZ*G7ZopZJm=7;11@nyX=NWI@`|u4uer!-*`Rr9*%r@l?jK$g~yO*&2Qrcc| z#Ad@+9RsNk3N)sp1NcZkrGrr2jDFSdFczco$-7ca%B{7v!^SO?YJdwMX}FG9L0-fC zw0*yQG+uO1$a%c(D?j8pL&ZF%VmEzbbMrnU$5avzUAJ<1zSr)IENpep57qocV>JJs zeKgm_463a<3SChc^@R3F%&daaOR=Wv;{<72hoaxL@|cYopR?LPEI9-6Bq~>MEpeAF zo>rhj#Fz*DJUZTaH^pwawu|_8MGh2|q*=la~H4=B24~149kP=nsa5*JfpZzkXJr zUb|o*ipk#?(lFpu;VZU-Nu|&RT0FTsBYY!(Q{!?L#oNJ-wKpALU+TP~JQZd|ttMim zBv&Lrz8G}M7xUnyUw(`Z_Vj#McX9dS_cQ|og>5qnf2OUM9%H2|UWtu0HZ#L~wg`o< zIUdN+v5b}kIp=@M8AQk{$h(RgtIhQhXS1Y)q2dETOCD(`2f#-jKKz*+SD7SxbL%am z0U4-VIq0aSAay+Vz3{zwB1J@06sCnN1YSYPmPGCI+fJ1q3z*sdczR;6eHT~UeiKLm&h%tq~rQLdkFkJPYhIw8=1yV|hznXm?r$P5#;7aQe* 
zn1uRHE6=qd95e`80sh7Fhx~fkJ)v}V!DDv-nuc-sJdl){{qyG}cIfk~$6yU;VYBe9 zPW8ydiE(AX{ujdUwO0I6x{2@*&(DZe&r))d9(x0?x&SWUn>Q~ZP-Ec0FRoJy55$Ig zcry8Jb>|CXQQ0KJn;KG;&-LyPy`qeMxP^23Vxmu|c(ZDKy|nN~oU(5r)fAn>uy8Nf;{xC)Q~I z{3uTF-viO)#aI|?Yh?7KE=}r`m%?w402{Q!0mDT53+Ni~Qidm0gAm)p_me`nyj^%S z=n-Iw8v!_jb3+dUj#KSq*5O^@!a3%VLh%WCY#Rtkt-L%uQZ|ESP8#!NGIOHGdcSC5 z>-!5$@o9WfXozGmGf0`6Zk$~Px&i-yWIL9h$=(IXk~~k8*3F~$Hf`{KhoTGBMTCbp z=wIN-a1+Lb36oziu^uv|CiOIZk%VSPAerFnRui~QNcGx=?X9GP9xVr_Zosc8<{`CS8pnvR^3u-T0&$y^Sxg$lcB$*+1_HsY7EKAk2hw$ z6JE{28i~s6$rCo^ThE@g?Z5r5&mk;LrQ`Q&UYa9XA+4*9%M#wzA{)x;_ij0glxl!j zF)7BF7O{zbd~kfcAV2@?eGm9w=lj++BF_L*c?r(Lc>vnA}V6XRFBK1Q{4LL)t?E6BbFcB0rNFjx5i;=_C@V0yM z?Y?{5HGPSg>2?G#^3%PiupCe@BYjy$ypu`c0xuL2GIt;!P6Vw_dMN`}0CKz-{qg3F zRq+xvoxXd|g@F&*R0p2GHiu9UQy#~F8Ork*SX(3I>_zZ9>g&sCd@W~hl9eEx9!z6S zM-mtv%|#Dt8+TtzTT(J-Ag!E_X7&xc`D&lA)tr9%5sM-oF0%#(Q7I`r zWI}q|re?$X^~?me$6%nSaOY8!o}}FWt}Vl?^SJLCL%H?O0uaO=I^R^)$@zEEelM!4ug?q*{~S1e_q(pXz7RHPHROhvL4KB?tXmh( zOs$aV9^>3%bVK&>xC2k&h% zEX_eefHH#NQD-L?CzK39m;{+-m<^}l<@hV*Qa@fdVL?@u; zP*)FzMHBhVp)oIlwvkAJPk;!0XWaqXzZ(Va#bjcx^@D?km_uSaHz_uuq3?fLe?`uL zb}U~!Q!_o?6Mx?x$^P{k4U25#IRYfBiH(6uR}8V-MbmkKrv&fSU1#Rjky9%m4${MO zVh*l6F%iN#{H>_&igZFYD!f9Z#j(ds8Y%51*OaU!8RWN6{iSh4rqjX3q!kyP&lT66#WYn6qsRsugO&2eC7 zehrd%2-sGwT#54yo!J=Y4Nu17*xu(t!zdXyfV+^hi^$4@JYXOSesE@9i2x!Ki{Fsb zfx(eNvQCM}=aqrBDw~)ib6OF`5_f#Sy=4UC9$?*`AJ1?EVGrQ*r~CSBk#wJEC zA_xgG`uUMUq3i}_gVs}qM@au7X0VH${mEwf0ij93eFqLyp%VrK963(Dr3FXEDF7*m zoet1zEzF}zfnXR)mif6kh;A(H{C=2GP9G4alZvmSccIl97#Kk6I1s1TaRuYX_j2)2 z0lG>_NH7vOEFr-vu47l$)ci2f8--)d$?4Bu>v2DZ(rVSCot<+#k()4puoe}_yybt!fRDv(q;7^ zK{HTiw9eUQ}^uKZZ94YLFaoDqyy0)?c^c>Po zD}M(2h`kcQ{rR(#lSSww64*WS%JN}gGG;BQ?G8vvvuQ$r5ZHrzQ&(R?j#U^OS2O%p zRQnC23L;hb{SS12VQbc0f;0-=3o^;i(AP!WXm?#$SlDw}l7XDn^m}%;By`1EDJvmC z!6gKuiJq=5Ll8#%z;)+CON%=IO5BZT3I^4LDZYMiOuDG13Evl%#&|mtO+}1Ne%;76MGqvVLw^%ZkxAt1tt? 
zHQtw_#)SyFa-|zCmViCB9I6^YQ}9J&uomo=0t7%&fCQL_3up*eNLUz5XpiExYy3`t zJx@k*db(Z7lBEaEYy?hF6ZjiJyXyx=Bz6IhggdvlFdNO@iL_3!GKb}U`0;`eq|Z9u zI2+Jl^9fH0IWCQV8qhjc1m_b#+g?3E6_5Aw6#kxAUal3_Hh#PnBQV4jFkof;e1rZTvEGrOH zP;(Xttbop<{xQOLC(g=E0s^Ft0}xf+$1V2f=YJOUEb!sjt$z&J5s)hKto-t}dt8_v zn`BYyYU1rp?g~XDhYEBYd>Ri&k>V6PsOjijOHBo`h9Ovu(f+7LDvwQ6mzRHfbne}* z(Z9cBrFQK~Q2hE*6RA}lV|eLz5Lif`>y*ZII#Y2R6cnr^(BFeH@Cr<`2Dh^XOME(7hY} zsDJxW)Ku7;%Yy!0&eF_6a&%)CwRF1io;@VWO9b(DBn*5XE;v2=D_I9xyYEF6tr7|f zK;}}K>8xu7lJuR`)g5$oL9TP}PsR4zwr%12CQywB&ULW4xC~?QBW*`UInD>b4g(m9W)|#X zkegx-jUl&iJJL`f_38m!_QT&@l(M{OGsvA2Pz2cgHwq`{u`S~Enp8l0i-}ZrHo9*l zIRwFNy@!w4i4!{rq@_f@uGP>N?WbNAOLgcSaOVoy%e-4xdQ6bLS31SIHjww!DCEeQG$z2hc$251mqN z<((wTaJvcJSR0+mYq+`HU0uDATriWV9qRDa1d3f>kZH(vmcr=|pt?%g;- zy@1wkY)}Ye!acuI6r?Qf27RA$9Uwj3c3?a_PWcEY2T%4^9vY4=wAEp!ypuJh(7zjK zF!_rVyg#j|fe44p0c8?n5FCHWEarUIix)DEO(W4ieKE~bQ&X~~Efq27-RG4NrRYlJ zSbM*iKkyuGEeO_dR6hAjMthkcN>gAht1T_xt=X>; zXl~P%Q&@uCKDs5L2q*M$GFI zq34v;YGiDEjM8`!!qRZ;c{r=8re?B2nR(^ACeLL&ONkHF9|4Hx=Hw(^+24A7SL$g8 zgaTk(m`|)=E!IxeNCEJsa$;&JDLXBCxvov-3dQXo%7-0*!5(4~5{SS_31sGiZWpX~ zLKQaj;}-RMOilFyW-8bM5Mdjx*w#mZ`zKq3F)YiT+EHvj9p2zCt_dm0L@aSDY)@|xV69eqF9sX~1CvM_%5`k`hu z0UHZ)N73k9z}z%t8t(JF+WEl319}=YL*D zgvXqH?L~9->V4AP%}dnQ3DViu)86y4YcV9rh=yq<3npVG3iN&A;2 zjtU4K!B>UCeT8ULUF{YePWVX{rM%WJU*F#=EnVq#=g-u~!zEi;*ZzU_Yuhg1j_27l zLn*mX^<2XoUjnkeC0l-Jq#9w{1BUFWaP#m$oHamFIde>T8wLx)Bm3x?Y4EvOD2mYA z0pes1J9x3uN6XC`lCVadB&f`N)EwlBOZSJ?+h_N2zkmMx(rJgSCB0BeFa*KXiB^S>qeD=ck3INs zTTTq{$k|uzK3+S~F3Y`Oz)quagX+hRJ%7GfYtsOrkRua;_DYD0g9TWB)WgN4!|PPW zQLRSN$Dv(rx_BKA2Oqw0{hO?pnUiy)pdj(;)3B8#oV-eYVm;JN^>NT;LZ~z8ZKu_! 
z@|_K`Rb*4gNBYq*sAy)QsIPx<)yiMnh$byst;2Hlpi^vubPeFlwJ9knsNsnhuU?64 zvsSOo%+KHI)Uwp;j=QTZ{L0iRlYUn!v-%-k&9AdVqEW}klf-6 ztysD4(7t_J?mgH<lMv93-XYqgHth_Hx)M>x}?3^}IBvDVbr%E#=RqtB0pu3Uef zEP_zo-U|%UG+n%yw&T0PA(o|ID+hyNy->0mdC%wPh^d_2AbM|son~J5#Zm0P%rm{b z{Bll0WDA2tqoQ`7Z57zOLBhJ` z%xN4YMMbhCMgojGLenYb{^{AT*LQ_2JsCMadyJ*@Z0GG;d)9tCR&fc=Scre;V)zB< z8s{N8%i+ExD=$CfIlXfr^4hg`FJ63${>ce}Qop);$JVhi_gYI?=~mLEX9`{bRo?{D zt6}d?g8m0EYWUBey>~Um!MrSeqvGC8XLf*v9{?8nfzA4`hW!HIK0G!F6P6*v521J^ zrltzgA8Zn0g8m%!z;Xg-C=y<76t4?sL|`q1uBpIr3NrUf5rY&*WYq-)&+JGP5Yl7h zp9CzU=Z~}`iaUl0YAr0xx<64)Z+A7QDZML$c>qv5TJYugLmGYTYkldTm$B5DxxC`Y z&3CN2@Fwvmnnyum=e5=913IcmY;oaTU)bh#;ILcIl^Fiss`U@uyW0Nye0XF0!yiG* zW@auWQlvs?=S9K?{Bv{HvvQZpMX)mjUAqRj0D|I3>(gBwzIhSMXD?SEV@#Bu_mcze zg6M#R-f_iwve8FlH|_!n4WwR#Eyz_Ih&RD!SDzkqUBB60TE=^OLbFgb%$wUEKi)um z?TvB}KE=W^1>epU@C9#~pN+Y@MZVX`<$qcL$mgqG1g}|zppKEsz~fZNcMtUrSk09L zLeZxq$*Zu=a(u1PR1R$m8s{+R@|iCAG+}Om!J2^oJ54TMKHb&zw+rF{c(4O=31R6M+h8 z@iU&Ke0=;t;%0JknyjdX&Pq!wD-dNl`4#gIKAuGu2dhUiRVS7%U8=ZaM;w3jJu!(t zTj&n}0I>9LN!_QQsfuJxNlWyXPlPA%h3cyANat)GOKyr$!2}=c& ztSya=o1Uu4x5I}O=5;3&{im@`SHVHMDczVPY>&9Rvk-H6l`)F_ zqdPD=L_zt%rTJ*Ag1#a7i_*v95)vMqT;mc&j_-({|2F#Jtj*yQFW;WJUh%WaSyVy3 zbK?DMTiC@}_6h_poqhYtfh1wwzOICC1U5UdNk~Y;ASx|CPa_qbCdro4KvBwHujp^RCd95T0?GQqgL?p9tKrB-tWWGmY!LL zspyJY1!=&3i(AI1978rpPU|9SKH6vVC~lWpWK4`GxvCNqx$JK?q4P2hNj;hn^-vqa zcMFP~e_1NZ#7ft8590XW-P14xv)ZN@s5sP-EjfVsGZ7lJUsFymUlsnXp&Xt&zE*&W z5NZRZ>d}`^Tx7XY5kQUtg%7`v-j;~2Z=le~5}k=^k^#c^_U+c+b3E8F(1ans zTM>j>6zYfs{^-~3o#w}Ucv!F$<;LGs67Rgu+_q6^Y6{BB`+F^saUFe`A!Qn>dy?z~ ziUD(>MXZoC^1{%JaWM)<9#RFcE#HdN7iK~!9Ba@zIY{!3wNMa)2VPCi)0ClR-qtR> zw#O*!&6`i6yhJ>mvYK{42`-ucOI?|$dJvRgya5o(f-+vTye+4JVLrLm1hAww`Hn2nP`&M1e|OcnZ$%Blf(vK-t^VUYj33t`Qi> zxKUZ(pdsohJ1xg-2mG4;LHa2A@VS8WwRw2l%cNWa8L>#W&znNn;>0U1p1bdCQDedN zhbWVaC4MmJlpNV;|9G4+LjKsX?R%b92abRH^c)n^y4?Y=bdg1>-`Vt7ax@IM2W_cBuz3jJd9BzI~P+K zu)6r2iR5@J;M1V<_{zcU`~r9dNfskU)vQBt;S1lTFQ2=`86PfVds*%T6^4e%dVQu` za8;{*-h?eY{rHWWH|rK_8K#KU+S)7dNA1JM7u0uSl!!dw{lH)dC{aA(Op=j?f%gV6 
zud}W-^}(YLT}$2EEM%FeM@!KJh-?~8AfhBYnwOgkuKFUmRG0Hnh1xNLZjmjql0AHR z#o3C~re|{(cTgc*LLLRR{fM6ufdgzWYzoJ{>orZSynTVjx%vVoLOQ7M69>ZUK_HW#OrwW9$!_SgC#+EY_lJq|+R+9cF zr~lw4!8aZN+|Ej+I)2d&XTq&!Kok}yCV|8S*;9@I6i~Pvwbe9H?#!j`4d*S|1p3tB z$dR_i=N!%jT2euw(1RAfltr6~-5#2Wyy9XGLS8`uDOpdyadxu4ou>jG~B81!fB1|02?yMx-=IF&?-IRCrAQ{z?vaZ-LYcr_H1-q^~59iis`2BS6~+jQqF*AZ*Q#g9y0G zPP4YhUz__hKWl!jmuASedAh<2O-znqL5r!y8oU8^@n_Fxe|+^67g5Fxq|#bnYyu zW=JTieLk{~MHw(&TyfwOX-=q`3a{?os5~^+tp>D*&mw8Bo$@Jz5Ey*B&iO<{CTzOY99o|Rd}iPr$d4X!0WQ*Aj3Y zkXbRR+S_M9xQ}S0X2s6zrDS{;`W#s?HK;QN;~tg9NV_tUxfyulp$k- z26Nq}G8L6EB11AZkxUITM5WX%MaD=dk(p4WiKLN)A`&8%DHI8XWc{vu@A}sIw)Nk- z-)(!h$D^nF8qV`Lk7GafeLu)WNTTBTmJraci;<%X61-C(GK->SrhsaJp#b^WVo9>%XLTeS~tGG36ZNCj2{Bgkh zYxeseIIF52d6oNZF`e)Hf`X)^q%s;6;+we_IXvw7&{`2Em-WZH!Q(M`8DmYV#9|bz zc{k9+?Q82b$Qt$DUpsUDyyCA;F*)R?4<7s<&>bY>sx_(bDoH=NIE6hTa7mg0b}0fF zG}YCsil^Ew+7xm0^WMn*B@YbusA>FFnV^vO5CR?jm*xnp;HXa$%Op0)bKO*Lzeuen&ptxI*O)Zn3koc{vy5_H=jy3{bd-5tHo=W3BY^gNT2uD z3=bx^%JdV1PRwx+*((YncZh>m=IE(Yuth+gD1r7+z?>N@wjTH!m=OcYL6BAU1dISh)lp-2v2Yf4KPM z_C*M{>p$nbNbS(wOjD?UAJScG21PiKZRgC9 zPj<9Oewp?g#JGNKopORCX(Y7Q|IL@!hYmJ8 zT#q&5^gm*av_nTpzYzYp!Ye*MCFwCY&>e7)_WMKw)-wgRc? 
z-Y-r68`rA`Y@)he1G7i2ug?Qe?X=*pv3XA|kF08gP0go>yL5U4X5j$ES`WmgF&rSl zecih7{W*J6{(dH}zHB~5^v(+$ytL_qy*}I-NFx=Nqez(R*}v#RI3{V{H`f7>eUZ~E z3UJ1u_NfD~>bNq;cHW#hr%#<4FE%nojYjXjh+54*O*eQ8s0J5?*Pd*uG8cq2EUauz zTv*T1NAMV?(f91@ZjaASL7;;Ex`J8U*8=DwVGo~l0B-=&&d-6M`zvTY zV1`L9E?pisUIl=FGTjy7oy`o4PfG|bxD+~y3 zzo5EWUSULE%FsT2`!aqweBVCNnEK!Oh}4W1cGGvpb}vRn^O?A=LvXZhLCC==dMSIR zm(p@XK-;!$ywKt#yIOhsorF90?hQ3fR}m<*AG?~BTuWM3UlX)2_5G%%NSe#vhYlOI zv&Tmz;rRHrFxQ;Q@Q@903H5u|OL}N74gdgIRZNs&`lQ$;xCoKQi`U9t>)XFS4U=L# zO_^Yskigs+m8ZuPLtNg(pn1|B*;4AIud93EQrS3j^Mzo#n1gu>vUY9F=x9<%pjJDLP!kERg_9VgDQ5zh72jBp&8Y)b7y@M z`r$q}5a@_yF0ro}u~5=5c~nvo{QSJEY~quonR_~D=`6x?-2p@GGiPo$V_k?n=KdWo2c9R~i}{moSpk%8C)s{e}(uK@z-pYtTFz3*SgGs3VcU?(NZLxti4q zxBM$h4V09=UAf{3r{UL+p-yEDMfyzX@`3jx$?pJcVC=qr{kvw8t8jD2n%%cI)YtUz zFr;b7q8AMR5l?>naQ1V6t`@R_<}6_2!70w1PcXM^)o#F-Mf^G`VG4oz;zbi?)BqD; zZv&u-uz-Qk$&hN9spmZUNpUeGp(g5XSUki{*mAh9Dj%L$Qva!{YC}`w2A(nvWH9Bn z^dmQlrh0w*!uJ=!&{IQeEF5ckhvmV?InxN`r3ZZ-R+A=`H&f{#pI}cAK*?6I6W=c+%fdekN*Q6t_$v&Q|NcD+qp8Df<|;a%(T26` zMK#GzZRzBt0`73WDYL!CYb29WT6Ufl4VZ)R3OmJFxAg`gMKN3}&@f02FlRO{#u z49Ni6THNnGwnAsbh{VdM#Y-OGfLZ)4blWz_eF`D_0S<6Ix?kVtq~egSkJ9=Y*GEYci+BQ)2AC68mdbivzZw&Z^n#=HkLRg+7zrG713^a z7sbaY0m|`RT#=d%?VytWF9l{D+CG(~I!)V+MXkNk3^6vJI3b;=K$Rh*si$}9#EI9m zXN5xEDw;>1WfoUL#*z{7$Ei}JO8N>&@i>8K%} zzazk%b8&&9sM+l*acrq!Vj_KJ@9aE`ye}-vvJTfveDAl*& z8y*_E*ihY~n_z!s2a`{iT^StP9`wj&dpoz2^y{nTaPK0w7dGB{jGKs^x zw{J%n8^4NP)c3H7?+BaDD;^h^y6Fx(^=`8B+jpnzn6ub_QEB68NQu!SRn;q=Mh-vX z`PS=e+Vi5*f#&80<0jmyO@d+pqn_w0+(uKM=oqJqE-&F&QB`)Aiji#i?mw>M zpQ#td)L3N!(HIW`YLv5v+>*2nbwO6AD=!bxiFsHwc;w4T44lCbE_wVIL5fY;ngR9m|$a5{OsAGt6>uug$K4Y ze;Av|s&vnAzo4B2>;MWkBR3=o30Ad$?CcWf0uP(f5pVf77a6e4X&Y)$1`q|$6O zLPsa%O+Nai)EX)fbTj-^F@59sf-MW0xDelKhefc@UKLi z8M#%jfd@x>uY+zJn8D%aMM6Rv1YUV)?KSXN^fg2V6jdrq5fZ+zQHuQLQ=ZvM`wwr& z*m|O#wsr+pHL+GWZw0q-?5LYV306>C9Nu8xehKlZ7~&Ut=I{37?m~&61zz*YZ?tz; zqmMx2$5+f5J>zA2)r8MwmawkGgWe*5djLN2+PHeecYo-tl*jm5QJ9~5m9lQhd>EJ^ zcfwfKxTW7)^aA$?HX|#01OnsmNuAv?f+zjF1EL4T>eQPJY=Yw68r^8qupF`_{j_w7 
ztHy?{T8v=x|B^LE`$l8ZIaPi$j~~h7Lz~KV-UEC0{!&{ju zuPsVNDQ$LuxsCFyivv9?bK8DL>2!yQ)>8YXP#1nK+A~ zYI1is^q7Ruihp!)D4%Bf$0Bk#^X1WG?c1MnF?{Fr`4E_!VbM^Ix4fMv2SY;X?i?6( z7ZBDeQo;3CSw>*PfbkQrlXa?h>C*oB1kZ}-cufokFgBTLZ|(7#YBc-e%9PCB5v#ka(AmCe{P`&{zT9Thri{X41MgXJhG_TgJEH$55Xm7!;+nL^1bk`w zlz~ajb2`H!_JLU2pNv$A15y^GBaK7xL8@;$91Qjfci5+ z#Y}$roWyNIFT`KS)FNp>R11++QCaz&rJ*?5eC7cYS_O8XTr-eRwUVT(g{%#6P*#Y$eA#}` zLBFP_cg{qm{Si#lmo%nYPcLkuZfa&$Tqec?4=;kZ2Lte*hQg=8-Nz>f2lwIsL(1&A z=-TD8m>`gtAvpesFRmEN-@SYH#KuWkc^7`7;kq-t+K7%O7UM*9`9Jx03hwIjR$dQEFzs#bbJu1eOtWL@0xpg>yPbJNWs@ zP9lUu?=lk>Rau(1yZ~on_3Bl-!h@sX`__M2))Il(<-dP^KXSgb>34Ykq23AtXfM5e zA_vTcf-Dp7-!c|v5$yMbTKE&PJ9}L1W$3OU83v=i#QFF$oBNW3(-*$D^Yfg|eJ$yT zbb9|wmM$fKZNK93Gjs-p_wU!RB!ogN{9zC?>F;~YQ5e#w8Lh<55Q-9@GA>UZ_QbzF z)G-x??E3zSkQJ`ApVdpy8)H+)Tz4}Um%6YZVTN$e=-{};K=%%H=eBM=eC_w*;sb2J z?2P;a%C`D*{{}D%bxqDT-Pj_ZwrX07Fo1vl{5j|ng9f}2DJ`8u=L&#*Q8LI1(Ry_|@34pAE?90`zXso-?=YSwG<2^7#AA z1bk0T5t*>^?1f<~P13-jF^M|7b`5CRr(coDIF)fP7Fv~lHbYdkYv8g`Kj}xUy5-^Rn^wc#OsUynX9=W$Sqk6 z2;G{=EDli8kiO!9-RFM&Q}f_8WRKZ0@!Orb6p%Q9O^=Cya1;F5b^zWFOhlv!CoUA? 
zbv{` zjtgE|gNSh9LSH)lwEW~h&JOX5AD#uxKP@}kqWID}p9jUKn^ooVv1w(8+Nobof`G{t zczau|n1D`D?7scWq}>mxsA|PZ4F?TU6;R9B8nnNay&*<4Acj-dRvcUe^^0T)^8#Ua zSXj~J3LBDI{xumOb|@m}n-QV23*9Dkr+J36ncJf?*8iwfYgJ?08-n#$9DT9%75Sto zM$(i5oE!WGjLeaw0}E%DzY#cNJd0oOzP!cI&}*#|yifu|Vt%g)x*n2NHW(JJ48maM-iA*@OrA zn6@G!Ogg%uAtAM2zi#~UiusAKJUEEO5_>jNdPD>D(u8Oh(XfvjfGyBe3vo;kuE?Zt zQz-ATb|ZDS0IZ^=JMLJzU_DqAbKFSfJQN{Adm4cA3X`Y=meh$pP)sMU!@ZFZ=jxc;QoSG``$XqOURph5?1W*V4HA#5+EP2t9bie_ZMDf&n_39{=C$5&VTQ+F`D%^@0G_k`5 zFE1i4!bMD27?oi;X;LeBd2s{!fG^>O^2{yxQ|juuuWfmF z+OCPA++woX_aFbfeHi{7%Z0Q z7F~WO_#Zj)lA~YHMA*P-`so_ZCKlaB{D~f&gLJV~{Xns)8gumMM3z9|bhnQuK~}Z9 zDYa|&iX0v!rpE^ItssZa3;~pC!HFn7)PvbSSw-D0^X}ZjRJ9$#(CjMQ)f04APE+t_XF@QI5fVJxKteVz_xtSTqnr(g?9>;*!NyU92vLj8X z{PC>=IEBTi-Vm=bfhP(5n&$iaM*N;=OPhI))zgBdcXNZT$<~gVK6{nthoR?P%b9FT zuU0^|EPkFpKkOSFo3Vp}l!T2&koDZT8z>LJ`l_~L=|h>C@B zm9fm65b%}|&0b$uJ+Gp8>a`1J&x)`prNhA~Z*c^|_po%$^C=eXr|4mu$@+bX+yC|J zjcha|{x6sh4Jt~Rb!>zZ-2-tOU+xJkl{ZWM5%9qmI zBs}mA2b{039Y1;UatbRv8A~v9l)tw8W08~HsJ9}jIaJMcIR-GqU)pFy!#6srydQ{~ zq|>xIrC#MVHAf;Nr*yxfYF6Pk#ASw;Gp#$4bebgIG#FvAJgx83t5?yQiIluiS(9%C zi`~{{p%K4s?%Xb4J|Dbz=66$?ZK2|^fPm{`eot7HvhjP+Q8$Up?uGLWmMve-1S!Fv za1Pjp=M-;!ZdDh37~1A{YoG{yt*>`mxpEZU0@71K6BQ`7f`C#M?Q?*P82>A}kFBj1 z;dIhRvTm-N$Udxk9nDW>cy#vg;fRGZ&_aIRQ!BMSR`cdfQT2 zSzeFN=iZz)Li}fQ@o;41-L6W|Nx_!n{4r9)$05#6L!2IGW20wKP*wJ!dABbFM$NVx z!phF}j3x6?$#Fh9$?OcQ%iX)(Nz&kB@qR$$=$DZ(vS@sGW%quKV*e5cC_DgW;OOAU zyMjUBkJfKd*}xi^&|mLeW7(Da7fzkBDNKpqx9^1b>}$WTTH4?0DA`=FUphH4AHje8 z@u%2I{rYvElrO9&njD}OH>|s3!|hnEbdA_uwo6fZgh<_a{T9RCzkNG?%4X54!NMXN zjw9Dsy0Y>szk(%41&WqgUO>5m{lNYUcq}2p!RmxX$*&{7SzfQ@ML;fk_KEysDQ9v% zt_~JDR-CYb#Wwe*MvWM1Y>a-xE*>;;y9UuW0jp5GOl(pCHk$MZ?ksFWJDeA8+kX+J(b_NwYQ>2UePFL=XMgwie|+-f zl7Jg8j*eZIAO7>e{{0-C;;_J{=ZWR4MAy07dKntRh~7~cvq(GMc-z`Rq(fAG;C``+ z-b61hnWw?S!k%UP@%H&0kliz5mu6sZ85q8>QLT-uLjK zi~D|meX||jf`^AhXteWQ-*b-V4-=uW%I4Xc`7U95Pll>=)E+!UJs$(^LE7fMEpOjg zeCN}j= zWC;^N^5$F+#ImyJ=PCt^aPWb5W~?C&h+-7ju`_2HYL;!UtLoZ#9RpI8MfGMD`O1HO z6rwX_*Y~d;Zje90mCy|qrHkT!=nchQY*RUSZY 
zo|tke2tqPhZMS|3%a#P3(p{jEnmlCgtt|?Fem@^#qY}eI#i4{vAGCFArTGa!#s;%B zV{b3Xzh+uq>s6xu7azu5yM8i7j0CEp4GYNUJX3AIxgK8k#>h-zj>_Z*y^a%BjPr~y zrj1w7x|hMb!wOVy|DM$ZoTlm|VpISAQ(&4sJl$)9n*L6=n)41lcO8g`D19|QVbIts zU+X&$-E0x2A_>|Z=$SW#%pV10a_eDF=4y?oe_1`{?WP%SqJQltEuZyWSM`Yc)lYYZ z#!xMdd(8df0kiQ*?kf@w#E5>HqXrJNdbo6~!p~im;ls2aegY{;c9yK`y1Q)CNG-=c zDS8hsEdUb=@fYEq`uxVUs(6}f8% z2K*!kboXAS6+Be$(^o+en%5&<3ny9&A?d{Ie(!2bj+JR2p(FpnlQ+bBz7s#X}skgPB#(R^9Mb+ULpoc|TN|$a33S zh4#^_Rav9B5?(NAHN1FtiYDte@x&$<_zE&f3UyNM>`^Q-EG3yN9 zf!PI&j$q~)BI>EfhSDqG@g z{=Ituegqvh^wq>fW`(Z&+IOC%Wj~D3Icdc@D5>4Cw6s5@Ol;soKWwE5&fnjD@-^V8 zGS#lVs;aDjefqJ0-6{{KaE`gp=+ajqZ>h!Q(b54agEr%{W)sMgr*^ZMF=K@1+t4dl z>VOTgS6YX+iBGt?K$eD18l9au=VWTA{;!2q9eOq`_0)*LlYd9r(0``FzS$;a7vgh% zh8#NdjII@<4!-rdrYjvXfa};Ws^|Uwp=#6Gn@#kbPRc{6;*lOXF_75w%m_UwwITyjD7+0Tkd8!CX)smJZUDci<-Qyzj$E%9=D3veK$8P$3uNt+V4Gr5C zZH;SXqvuj|YDe(H0}|TuLtt?s;w|5jP7&N`z`T}1OxgaPnfX@g>hF!}%R@s)OpP?2 z`t35~f&MDd`{kj3c>f+DoteepWee6dD{!_6b5pDfC713nfCa1bn43&+72aO z*;M$ez!;u1Z5le^N5#cWAI@LG3E?T2$FxyHP*s%N@bzZ$Hy6a|k2Upm`-}i)WsJ`j zHL?J?6|N8};JkmLCJAoPtZ)-SB)YnAijN#=8mj?u;5V&)3LI^dstI8+0fq(!%1cM| zM89e^5DxiNnonmE5+31*`10kVhwsd~QgdDP`MFvIJi@=FOx%(e){BSuUsJhBwuXBS@;I#hR2$GbJOE={fLx7e#In{-1HR0Cq7sHNK zg1B{CbN8l$_4Jf$*W{TRT@H51lw1_o7Ec5An9 zZ+-7Y-tmhs-w)X(Zpfsh^$Ql1@`Y48&aN+SzDngW@Y!hEefa7V#-AsjW>&^q6Y0q% zWyFeQSE1<>%lUZI=Clvoc=7-vb@8zg?D797Rc7Kw5)BO;BXFPqs~|PGaqir5;Ct@q z*FJLyK*l3S;@yGXPrhZ#P;8~gjx8stqxN69G8#veTdDVRbKlmN`7I5FD!mY=Ku9nY z`Wg@!^j$l)Z!aU1`Y-n|@ggf{OcmNif))AcI3KO<;^Jx5%4423LEz2n*JS>!WXDdL z6mp_qi^|vNoOg9ZHKJI*DmASbdS&Ia!jRq>m)Z7vaw$4xOyTv>($=k4)x4a#^2>$r z1qb~L-rZuBlbqZUz^rJ$CYqrPDH2&z@$m$h*72wHC#Im?-m>9bU1Z?Zu@erS1bV{qcC*ew&jPA?M*3sAB zTJTP}$B0L_Zk=BLIp~RF2rx)z_FF?hw+H$$>#goypcsNh#c<((aYv0cu*j$c(*!^! 
zj1)iVyk7PkM|Am#LD6<&&)~&y;>0(o!^){eV-&P1FhrjLn`uj%&Nmo~Hz~S}mc|&8 zx5fvWuj?wx%k`>eYM#&qL3Tg>37e2&+bdK`72Bt2j13P93pAj;9bmxhAPhg%&-FmI9lc z_UgZqJ|}lu*BkkxuYVa^w_)4MzPO-Z!kW=5s8 zb}SG9@s3o~CWAR5{sXX11@Zu3gn&v&YT?hm?$D`|tUm*qLPMumTely$hNAag;SNjQ=<j(TSxKm@yk5ekU`VwWLO`DImgwh}*uRL^%eh_|~!&z-G3y!P)2$s_ZL z^8)!ckc3ws;TNX=zHN?;2tALafg6Ej5a>39$Ug?Uv%Jc${rc0#hhf~x!j7qPP>}>4 z&?R-s{ix#V(WCwLifvbBLo;NF5rVcY&1_$rQCm@szaM`*x89;rwp%|N)74E&jf{-+ zrlPEFDU9l=d}{%$jTV0QeaG@xLgQgZw9TU4m*ggEML;Jh>DjN6T*TgG$&ywAt(ly{ z7cY7|Z_`pXSN+L${=6#J*33*c2%CKSP>-T(B1~X(Yil6=9K%S82m!s2TvnQQnbpfb zz~6?sC}a(l@CyrN#-vj+w(~1@J*njab5yq8XTdrq|h>yhb(CYYahYTHLgNzGBsjGU0MV-K2%~l_YvNA{{ zafLdR%Lts%*+0m5gjb(Fg_biuxs|{URUe3#&U2_2hPmK3q2-X5x;TY|xSgJ+prCN` zhnH#QhlWSwoNE@Zv zf%f<^Nxpskn)!o09U9Les06e1mU`A8bx{|(MJ@NigZAd#6<$JKRZ3ZEwQc+ME>3L2 z&Q|KN-ZFxlMyR?(_U}^thnG000sjeRaQYv<)0TMsZ6mHR-MSyAH8yfCW_DH#jmHkJF$9uO;I-9j)?~{ux2QqQRTG#^t=mW$ zkHpLs&!F9G`pwrw%j*N9aFJ10g#qpcRwt#57hL=HZWrOp*RK^lyW}K^q_|hEbgKaA zW$f_y|KM{Kxx zjQ_NSvNxf_(C&=a?=0w9MfNT|KEkC?v$VU$5|~EW?pUS?nuzVRjQTyG?NxY->^yfic*H8>uUCobnHoC^-Z|agaTTtf zIk5AlJmJ;bx5Jh{>iy|Z3x9DmwMGZTpRGjK=F;xz>j0C914 zJr4Wmqvm#9~(9`|uvZA*y zq=32=Zx0`$GDj<$EbU_AW1M&^?47Edk(;3dW;-eR-wYj+&-Ne>Vz1=thN3s|Ry%e5 z`T}DI*2KMgQA5{#vi0fE#qS{rpYqfQbRp$Gg_~F(effRs8`6dBd$pTq40OQJA%@Aw z*v_ZkvM`xhQ!{wptKKFiLxR#z(g|9b-zojA$(_!25ku-ngr9i4vA(=u{q}J3?^jN9 z31^5_&OW*EQYV-A!1=y7Z8TZZFs42!u9)epYaC&38#gQsY&(muM5dx~O)P1kN>5E?dkNF6sDtj)}MF^<#k^I1TcKzLhgAqpQ z`i|IJ%Z%UaSK}RXVi@Dl>Alw7+g@H3*~_wTz>pBaar$apa* z7h4)YW{)4cfnUWTSrHQR26v6r*$Bd*PtapB0zEmVu^=L1v=rczH_4_lp0vz~(}QVg zC%^5n2B5fr`%lN6zx0AP0-rsc6nUe+>zEf4J|D|)c67z&nU8jpEB30+_apnH?)z1E zq3Z(oie9NQIi;`7pA^Rc2+_J*m)@v4#Yy3>C7~xE@UZXbU+X=T>(tEV&9JbLQnv*5 z)0o_%8K0XN1?uw3bEs(E5wtvM-pF+gNq4_I;r2Qix0VqtNh2d8RUUSAuX~-OG-1Mo z{$o9&;_92fCioFY%7t_10y=5f8bra8a2d~cYdIn@fN;P`B-+lcU23OZj^|qNqcdC~J~LzE^S~Dm)DJB|T`LMh&E|D>4Yxit>(GDxNPbVO zoESy%@Nc3HgP$ggRTTl$ilFa+Lb|C!ZI+5Ew?2Zb?oHiKQlu?gwt(dEQ?EUd=D}l_ 
z#%_{4pE-6S&L|%+Uj_m)q1x2d9rvGKMtc&ExeP=a!B3C0HWM%LwBO$*(I)s9NfLDg zmuJ$AI@I_XIN1$HS2GMVr7CBg7B5b4$O(?y>a69m0C?|_(oD1LsIwmHItgKu) zPX!f-4_&)%`;7q;P1vt>buIk=A)-flV?{-30^aX$k!DWFD=07;Hf)ioP3b;j&3kef z$`x{pmi|b+jsSfMK=HJ=QOJWwwh>8NG>}Nj=+Ct92Wi;Z&8VHQ=~vZha1feGccV=; zgm&GH-TyZEV#kSPvv89$maoh_Xnsb@Oz|c&de0#3&e3?dvz_7rF$U6QPc-Ze*U46a0KPcFt!-wfC4Y0e>U0{qDgt=SIv0pUxM0;Q;k?gUI zAe6%Y6iO17g{7u$T)kR!Ko#xs#G&ZW;Sv0GvWnn6?x%!TyuyNqNIKAgmkz{sOZP7A zEIey8wH+w#Z5A!MuX~rkj7-2(;(+LY136iW;dd6E!xlPsFE7cbTuPQ6WCky3ZH}%; zoaQvRs~dXkSUIOYcf4nhqJo0p&-Y@~@wws88eEt4^_TJ@1#xiD*g!eTM64PGaUL0t zBo>W{kZ5vsr@*8JoJx_VusQ$&W$b~6fL|bumojYrfFV6o);%{vAq)G>T~V!jcOOXY z10BRKBAqvHlp?o8IC<%Vu2OVC{rB%3O&tI=u1TD7-4$W{L{mU}Dl#M_1>mh*$~51@ z)X@hF$;0e?YI7*s($dmoZek#I*zHESYVN~_tLd^X$aGn;!s!Yb)%*7@jmHr(;rlC& zc+ndVQit)$X89;Xhs-B-emg>Ftz_xm<;kL`Ns$g`g!jso{d)?v z{{StEJ0kNvFHc5Tlq}pNGp@aWI!U+*J|)TC@`>kam>tkopa;~&39d_yp^lDJf}kTv zjGc+}*GD!jzx72Nb19fa@6u{&CnuV2=c?Cl|3PanRN~tA5&Of@o5S$>#w?Xf3fM;( zX7}qU0Gure{qy~aojONrxP+Q_uo6!@ezb|vils}pmJ?)Tjxu^eef54%Dt)K^qegYl zV!KLmiCofhl7jd&Sk?jpJ4YVAyYL=>B*^xu>=@dhPM<)$)JZuHN&pOkjzvdnB+jw6 zmhs1=*}mb;0Xx|-L|#d@Wf#!~dvU14SwSF>EDhDw({pT~0p;XP>=4t+9F^$qiE(i^ zRW8|J(CYfwD$={r>(rAR+Jv zl>@nVaUv&CrwQ-qO>l0{_70;Wpa z%Gt}*c`Lj`qJv{7j4CHD1Sh#Aga}C~M3lsLwO)cDY*3}34mQ=j2*zr?xfO&C%1bORBr6(8WZ>>iCBCwNtnm6Vb7Z$3R$M#H-W}K4~ME6g1&fQFr#Za;c zq(~q;lB(sFl&G7>UX(eSkg!jjMlDg|#dUF_g>mM9A$$el73Q~E_xCuBikDmUAev z%prK3o>MG)OfZDCsnl#<$@i!`{*)I)#849JB=d@05gHHJrG$cZTQ#H}8GF(#b;o;o zx=Jtm%KCHo!x_$c$sx?SzQ>Rv&C+*MpOKk91|4hu=`bc+$e)Sr4J%9e3Ik(giKV`V;ZXQF! zPY}F2q|g!SbWOosQ#;79rus#cQT59&vrN~x#h4~Xc&pW|h)psYxbj(=Z{d@Y1n;o> zrWJZmpWpJ`vCmNaU-Ys}_iL)r|LNqL(0BQl8$L{RZ>4o_(B$T{k=&UU|9}2wvbC7! 
zHUH`V<6q~M`(Z6!QByPU>CAt>OseuwmgGjqxAlL0lbOy0Y(IN;5epE$aJS9mAc { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-proxy' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-spec' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-mon' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-mess' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-itil' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-proxy' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-backup' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 's-appli' => { + netif1 => 'n-adm', + netif2 => 'n-infra' + }, + 'r-int' => { + netif1 => 'n-adm', + netif2 => 'n-link', + netif3 => 'n-wifi', + netif4 => 'n-user', + netif5 => 'n-infra' + }, + 'r-ext' => { + netif1 => 'n-adm', + netif2 => 'n-dmz', + netif3 => 'enp0s3', + netif4 => 'n-linkv', + netif5 => 'n-link' + }, + 'r-vp2' => { + netif1 => 'n-adm', + netif2 => 'n-agence', + netif3 => 'enp0s3' + }, + 'r-vp1' => { + netif1 => 'n-adm', + netif2 => 'enp0s3', + netif3 => 'n-linkv' + }, + 's-lb' => { + netif1 => 'n-adm', + netif2 => 'n-dmz', + netif3 => 'n-dmz-lb' + }, + 's-lb-bd' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-db' + + }, + 's-lb-web1' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-lb', + netif3 => 'n-dmz-db' + }, + 's-lb-web2' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-lb', + netif3 => 'n-dmz-db' + }, + 's-nas' => { + netif1 => 'n-adm', + netif2 => 'n-dmz-db', + } + + + + + + + +); + + +my ($net1, $net2, $net3, $net4, $net5); + +my $machine = shift; +die "usage : gsbstart " unless ( $machine); + +#print $machines { $machine } "\n"; +if (%{$machines{$machine}}) { +# print $machines { $machine } {netif1}, "\n"; + $net1 = $machines { $machine } {netif1}; + $net2 = $machines { $machine } {netif2}; + $net3 = $machines { $machine } {netif3}; + $net4 = $machines { $machine } {netif4}; + $net5 = $machines { $machine } {netif5}; + + + +} else { + print "machine $machine inconnue\n"; +} +# + +my $ninfra = 
"VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\""; + +my $rint = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\""; + +my $rext = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\""; + +my $rvp2 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\n"; + +my $rvp1 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net2 ."\nVBoxManage modifyvm ".$machine. 
" --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n"; + +my $lb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 ". $net3."\n"; + +my $lbbd ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n"; + +my $lbweb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n"; + +my $snas ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n"; + +#print $routeur; + + +if ($machine eq "r-int") { + qx($rint); + print "la création des interfaces du routeur $machine a fonctionné!\n"; +}else{ + if ($machine eq "r-ext") { + qx($rext); + }else{ + qx($ninfra); + print "la création des interfaces de $machine a fonctionné!\n"; + } +} +if ($machine eq "r-vp2") { + qx($rvp2); +} +if ($machine eq "r-vp1") { + qx($rvp1); +} +if ($machine eq "s-lb"){ + qx($lb); +} +if ($machine eq "s-lb-web1"){ + qx($lbweb); +} +if ($machine eq "s-lb-web2"){ + qx($lbweb); +} +if ($machine eq "s-lb-bd"){ + qx($lbbd); +} +if ($machine eq "s-nas"){ + qx($snas); +} + +qx(VBoxManage startvm $machine); + + + diff --git a/gsbstartl b/gsbstartl new file mode 100755 index 0000000..11da13b --- /dev/null +++ b/gsbstartl 
@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+while ($_ = shift @ARGV) {
+ if ($_ eq "-a"){
+ qx(./gsbstart s-infra);
+ qx(./gsbstart s-spec);
+ qx(./gsbstart s-proxy);
+ qx(./gsbstart s-mon);
+ qx(./gsbstart s-mess);
+ qx(./gsbstart s-itil);
+ qx(./gsbstart s-backup);
+ qx(./gsbstart s-appli);
+ qx(./gsbstart r-vp1);
+ qx(./gsbstart r-vp2);
+ qx(./gsbstart r-int);
+ qx(./gsbstart r-ext);
+ qx(./gsbstart s-lb);
+ qx(./gsbstart s-lb-web-1);
+ qx(./gsbstart s-lb-web-2);
+ qx(./gsbstart s-lb-bd);
+
+ }else{
+ qx(./gsbstart $_);
+ }
+}
diff --git a/lisezmoi.txt b/lisezmoi.txt
new file mode 100644
index 0000000..c14a693
--- /dev/null
+++ b/lisezmoi.txt
@@ -0,0 +1,14 @@
+lisezmoi.txt
+------------
+
+Ce document décrit les divers élements du projet GSB du BTS SIO utilisé pour l'Epreuve E4
+
+
+Le projet GSB décrit les diférents playbooks permttant d'installer les
+machines du projet GSB
+
+Les répertoires :
+
+- roles : les roles
+- goss : les outils de test
+
diff --git a/ping-agence.sh b/ping-agence.sh
new file mode 100644
index 0000000..d675295
--- /dev/null
+++ b/ping-agence.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+ping -c3 172.16.128.254
+
+ping -c3 192.168.1.2
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.200.253
+
+ping -c3 192.168.200.254
+
+ping -c3 172.16.0.254
+
+ping -c3 172.16.0.1
diff --git a/ping-rext.sh b/ping-rext.sh
new file mode 100755
index 0000000..e42f779
--- /dev/null
+++ b/ping-rext.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+ping -c3 172.16.0.1
+
+ping -c3 172.16.0.254
+
+ping -c3 192.168.200.254
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.1.2
+
+ping -c3 172.16.128.254
+
+ping -c3 172.16.128.10
diff --git a/ping-rint.sh b/ping-rint.sh
new file mode 100644
index 0000000..99e92aa
--- /dev/null
+++ b/ping-rint.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+ping -c3 172.16.0.1
+
+ping -c3 192.168.200.253
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.1.2
+
+ping -c3 172.16.128.254
+
+ping -c3 172.16.128.10
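Review bot: `qx(./gsbstart $_)` in the else branch hands the raw argv word to a shell command line with no validation, so anything other than a plain machine name is interpreted by the shell instead of reaching gsbstart as a name; restricting the argument to the expected charset before the call, e.g. `next unless $_ =~ /^[a-z0-9-]+$/;`, keeps the invocation to plain names. The `-a` list calls `./gsbstart s-lb-web-1` and `./gsbstart s-lb-web-2`, which do not match the `s-lb-web1`/`s-lb-web2` keys gsbstart defines, so those two VMs are never started. None of the qx() calls inspect `$?` or the captured output, so a gsbstart failure is silent; a short header comment stating that `-a` starts the whole set and that any other word is a single machine name would also help.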
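Review bot: ping-agence.sh exits with the status of its last `ping -c3 172.16.0.1` only, so an unreachable host earlier in the list does not make the script fail; the same applies to ping-rext.sh and ping-rint.sh in this commit (and to ping-sinfra.sh in the following hunk). Keeping a failure flag, e.g. `rc=0` at the top, `ping -c3 172.16.128.254 || rc=1` on each probe and `exit $rc` at the end, lets a caller see the overall result. A one-line header comment naming the machine each script is meant to run from would also help, since the four scripts differ only in the order and choice of addresses.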
diff --git a/ping-sinfra.sh b/ping-sinfra.sh
new file mode 100644
index 0000000..8a9c1d3
--- /dev/null
+++ b/ping-sinfra.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+ping -c3 172.16.0.254
+
+ping -c3 192.168.200.254
+
+ping -c3 192.168.200.253
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.1.2
+
+ping -c3 172.16.125.254
+
+ping -c3 172.16.128.10
diff --git a/pre/Vagrantfile-s-adm b/pre/Vagrantfile-s-adm
new file mode 100644
index 0000000..ab1ecee
--- /dev/null
+++ b/pre/Vagrantfile-s-adm
@@ -0,0 +1,77 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+ # The most common configuration options are documented and commented below.
+ # For a complete reference, please see the online documentation at
+ # https://docs.vagrantup.com.
+
+ # Every Vagrant development environment requires a box. You can search for
+ # boxes at https://vagrantcloud.com/search.
+ config.vm.box = "debian/buster64"
+ config.vm.hostname = "s-adm"
+ config.vm.define "s-adm"
+ config.vm.provider :virtualbox do |vb|
+ vb.name = "s-adm"
+ end
+ # Disable automatic box update checking. If you disable this, then
+ # boxes will only be checked for updates when the user runs
+ # `vagrant box outdated`. This is not recommended.
+ # config.vm.box_check_update = false
+
+ # Create a forwarded port mapping which allows access to a specific port
+ # within the machine from a port on the host machine. In the example below,
+ # accessing "localhost:8080" will access port 80 on the guest machine.
+ # NOTE: This will enable public access to the opened port
+ # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+ # Create a forwarded port mapping which allows access to a specific port
+ # within the machine from a port on the host machine and only allow access
+ # via 127.0.0.1 to disable public access
+ # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+ # Create a private network, which allows host-only access to the machine
+ # using a specific IP.
+ config.vm.network "public_network", ip: "192.168.1.91"
+ config.vm.network "private_network", ip: "192.168.99.99"
+
+ # Create a public network, which generally matched to bridged network.
+ # Bridged networks make the machine appear as another physical device on
+ # your network.
+ # config.vm.network "public_network"
+
+ # Share an additional folder to the guest VM. The first argument is
+ # the path on the host to the actual folder. The second argument is
+ # the path on the guest to mount the folder. And the optional third
+ # argument is a set of non-required options.
+ # config.vm.synced_folder "../data", "/vagrant_data"
+
+ # Provider-specific configuration so you can fine-tune various
+ # backing providers for Vagrant. These expose provider-specific options.
+ # Example for VirtualBox:
+ #
+ # config.vm.provider "virtualbox" do |vb|
+ # # Display the VirtualBox GUI when booting the machine
+ # vb.gui = true
+ #
+ # # Customize the amount of memory on the VM:
+ # vb.memory = "1024"
+ # end
+ #
+ # View the documentation for the provider you are using for more
+ # information on available options.
+
+ # Enable provisioning with a shell script. Additional provisioners such as
+ # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+ # documentation for more information about their specific syntax and use.
+ config.vm.provision "shell", inline: <<-SHELL
+ apt-get update
+ apt-get upgrade
+ apt-get install -y vim wget curl
+ # apt-get install -y apache2
+ SHELL
+end
diff --git a/pre/gsbboot b/pre/gsbboot
new file mode 100644
index 0000000..b462f70
--- /dev/null
+++ b/pre/gsbboot
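Review bot: The comment directly above `config.vm.network "public_network", ip: "192.168.1.91"` says it creates a private, host-only network, but `public_network` is Vagrant's bridged mode, which puts s-adm on the host's LAN with a fixed address; either the comment or the network type is wrong, and if bridged is intended the comment should say so and the line should carry a `bridge:` interface name so Vagrant does not prompt on every `vagrant up`. In the inline provisioner, `apt-get upgrade` has no `-y`, so in a non-interactive run it stops at the confirmation prompt and the upgrade never happens; `apt-get upgrade -y` would match the install line below it. The hunk also keeps most of the generated Vagrant template as commented-out text, which buries the four settings that are actually active.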
@@ -0,0 +1,54 @@
+#!/bin/bash
+version="1.8"
+__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+__file="${__dir}/$(basename "${BASH_SOURCE[0]}")"
+__base="$(basename ${__file})"
+__root="$(cd "$(dirname "${__dir}")" && pwd)"
+echo "dir : ${__dir}"
+echo "file : ${__file}"
+echo "base : ${__base}"
+echo "root : ${__root}"
+
+# version 1.8
+# install git si besoin
+# install ansible si besoin + backports si wheezy
+
+readonly base=/root/tools/ansible
+readonly slist=/etc/apt/sources.list
+readonly host=depl
+if [[ -z ${DEPL+x} ]]; then
+ echo "erreur : DEPL indefini"
+ echo " DEPL : adresse serveur deploiement"
+ echo "export DEPL=xyzt ; ./$0"
+ exit 1
+fi
+
+hostf="${host}.local"
+prj=gsb2022
+APT=apt
+
+which git >> /dev/null
+if [[ $? != 0 ]]; then
+ ${APT} update
+ echo "installation de git ..."
+ ${APT} install -y git-core
+fi
+${APT} update
+${APT} upgrade -y
+
+which ansible >> /dev/null
+if [[ $? != 0 ]]; then
+ echo "installation de ansible ..."
+ ${APT} install -y ansible
+fi
+
+[ -e "${base}" ] || mkdir -p "${base}"
+
+grep "${hostf}" /etc/hosts > /dev/null || echo "${DEPL} ${hostf} ${host}" >> /etc/hosts
+cd "${base}"
+
+cp ${prj}/pull-config ${base}
+
+#echo "N'oubliez pasz d'indiquer l'adresse DEPL dans '/root/tools/ansible/pull-config'"
+echo "Vous pouvez lancer 'bash pull-config' depuis ${base} ..."
+
diff --git a/pre/inst-depl b/pre/inst-depl
new file mode 100644
index 0000000..69312fe
--- /dev/null
+++ b/pre/inst-depl
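Review bot: `DEPL` is only tested for presence, then appended verbatim to `/etc/hosts` as the address of the deployment server; an empty string, a hostname or a value with embedded spaces silently produces a malformed or wrong entry that every later pull will trust, and `grep "${hostf}"` means the bad line is never corrected on a re-run. Add a shape check next to the existing one: `[[ ${DEPL} =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "erreur : DEPL doit etre une adresse IPv4"; exit 1; }`. The final `cp ${prj}/pull-config ${base}` is relative to `${base}` after the `cd`, is unquoted, and assumes a `gsb2022` checkout already exists there, which nothing in this script creates, so a missing clone only fails after apt has already upgraded the machine; `cp "${base}/${prj}/pull-config" "${base}/"` preceded by a `[[ -f ... ]]` check before the apt calls would fail early and clearly. `readonly slist` is assigned but never used.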
@@ -0,0 +1,93 @@
+#!/bin/bash
+## ps : 2021-04-01 15:25
+
+set -o errexit
+set -o pipefail
+GITUSR=gitgsb
+GITPRJ=gsb2022
+apt update && apt upgrade
+apt install -y apache2 git
+STOREREP="/var/www/html/gsbstore"
+
+GLPIREL=9.5.6
+str="wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz"
+
+FIREL=9.5
+str2="https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5%2B3.0/fusioninventory-9.5+3.0.tar.bz2"
+
+FIAGREL=2.6
+str31="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe"
+
+str32="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe"
+
+FOGREL=1.5.9
+str4="wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz"
+
+WPREL=5.8.2
+str5="wget -nc https://fr.wordpress.org/wordpress-${WPREL}-fr_FR.tar.gz"
+
+GOSSVER=v0.3.16
+str6="curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss"
+
+DOCKERREL=1.29.2
+str7="curl -L https://github.com/docker/compose/releases/download/${DOCKERREL}/docker-compose-$(uname -s)-$(uname -m) -o docker-compose"
+
+GESTSUPREL=3.2.15
+str8="wget -nc https://gestsup.fr/downloads/versions/current/version/gestsup_${GESTSUPREL}.zip"
+
+ELKREL=7.16.3
+str81="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-amd64.deb"
+
+str82="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-windows-x86_64.zip"
+
+str83="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-windows-x86_64.zip"
+
+str84="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-amd64.deb"
+
+
+[[ -d "${STOREREP}" ]]|| mkdir "${STOREREP}"
+
+(cat < "${STOREREP}/getall"
+#!/bin/bash
+
+${str}
+
+${str2}
+
+${str31}
+
+${str32}
+
+${str4}
+
+${str5}
+
+${str6}
+
+chmod +x ./goss
+
+curl -L https://get.docker.com -o getdocker.sh
+
+chmod +x ./getdocker.sh
+
+${str7}
+
+chmod +x ./docker-compose
+
+
+wget -nc https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
+
+chmod +x ./mkcert
+
+${str8}
+
+${str81}
+${str82}
+${str83}
+${str84}
+
+EOT
+)
+
+cat "${STOREREP}/getall"
+
diff --git a/pre/inst-depl.old b/pre/inst-depl.old
new file mode 100644
index 0000000..a1610db
--- /dev/null
+++ b/pre/inst-depl.old
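Review bot: `str2` is a bare URL with no `wget -nc` in front of it, so the generated `getall` will try to execute `https://github.com/fusioninventory/...` as a command and stop at the FusionInventory plugin step; it should read `str2="wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5%2B3.0/fusioninventory-9.5+3.0.tar.bz2"`. Every artifact listed here (goss, docker-compose, mkcert, the `get.docker.com` install script, the Windows agent executables, the Beats packages) is fetched with no checksum or signature check and then, judging by the `http://s-adm.gsb.adm/gsbstore/...` URLs the roles use, redistributed to every host over plain HTTP, so a tampered upstream download or a spoofed s-adm becomes code execution fleet-wide; keeping a `sha256sum -c` list next to the version variables is the cheapest fix. `${str7}` expands `$(uname -s)-$(uname -m)` on the machine generating the store, not the one running `getall`, which is fine only as long as both are the same amd64 Linux box. The `apt upgrade` on the second line has no `-y`, so under `errexit` a non-interactive run aborts right there.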
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+GITUSR=gitgsb
+GITPRJ=gsb
+apt update && apt upgrade
+apt install -y apache2 git
+getent passwd "${GITUSR}" >> /dev/null
+if [[ $? != 0 ]]; then
+ echo "creation utilisateur "${GITUSR}" ..."
+ /sbin/useradd -m -d /home/"${GITUSR}" -s /bin/bash "${GITUSR}"
+ echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd
+else
+ echo "utilisateur "${GITUSR}" existant..."
+fi
+su -c "git init --share --bare /home/${GITUSR}/${GITPRJ}.git" "${GITUSR}"
+su -c "cd ${GITPRJ}.git/.git/hooks && mv post-update.sample post-update" "${GITUSR}"
+[[ -h /var/www/html/"${GITPRJ}".git ]]|| ln -s /home/"${GITUSR}"/"${GITPRJ}".git /var/www/html/"${GITPRJ}".git
+[[ -d /var/www/html/gsbstore ]]|| mkdir /var/www/html/gsbstore
+
+(cat < /var/www/html/gsbstore/getall
+
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+
+GLPIREL=9.4.5
+wget -nc https://github.com/glpi-project/glpi/releases/download/\${GLPIREL}/glpi-\${GLPIREL}.tgz
+
+FIREL=9.4+2.4
+wget -nc -O fusioninventory-glpi\${FIREL}.tag.gz https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi\${FIREL}.tar.gz
+#https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi9.4+2.4.tar.g
+
+FIAGREL=2.5.2
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\${FIAGREL}/fusioninventory-agent_windows-x64_\${FIAGREL}.exe
+
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\$FIAGREL/fusioninventory-agent_windows-x86_\${FIAGREL}.exe
+
+FOGREL=1.5.7
+wget -nc https://github.com/FOGProject/fogproject/archive/\${FOGREL}.tar.gz -O fogproject-\${FOGREL}.tar.gz
+
+wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+
+EOT
+)
+cat /var/www/html/gsbstore/getall
+
diff --git a/pre/pull-config b/pre/pull-config
new file mode 100644
index 0000000..4566973
--- /dev/null
+++ b/pre/pull-config
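Review bot: The `gitgsb` account is created with its password set to its own username (`echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd`) and a `/bin/bash` login shell, and its home directory is then exposed under the Apache document root; a known credential like this should not live in the repository even in a file kept as `.old`, since it is one copy-paste away from a live deployment server — create the user with no password (`useradd -m -s /bin/bash`) and use SSH keys, or generate the secret at install time. The second `su -c` also cannot work as written: a `--bare` repository keeps its hooks in `${GITPRJ}.git/hooks` rather than `.git/hooks`, and `su -c` runs in the caller's current directory, not the user's home, so with `errexit` set the script aborts before the web symlink is created. If this file is only history, it is cleaner to delete it than to ship it.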
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ -z ${UREP+x} ]; then
+ UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git
+fi
+
+dir=/root/tools/ansible
+
+[ -e "${dir}" ] || mkdir -p "${dir}"
+
+cd "${dir}" || exit 1
+
+hostname > hosts
+ansible-pull -i "${dir}/hosts" -U "${UREP}"
+
+exit 0
diff --git a/proxy b/proxy
new file mode 120000
index 0000000..3f32243
--- /dev/null
+++ b/proxy
@@ -0,0 +1 @@
+/etc/nginx/sites-availables/proxy
\ No newline at end of file
diff --git a/pull-config b/pull-config
new file mode 100644
index 0000000..4566973
--- /dev/null
+++ b/pull-config
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ -z ${UREP+x} ]; then
+ UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git
+fi
+
+dir=/root/tools/ansible
+
+[ -e "${dir}" ] || mkdir -p "${dir}"
+
+cd "${dir}" || exit 1
+
+hostname > hosts
+ansible-pull -i "${dir}/hosts" -U "${UREP}"
+
+exit 0
diff --git a/r-ext.yml b/r-ext.yml
new file mode 100644
index 0000000..3a16f4b
--- /dev/null
+++ b/r-ext.yml
@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - goss
+ - r-ext
+ - snmp-agent
+ - ssh-cli
+ - syslog-cli
+ - post
diff --git a/r-int.yml b/r-int.yml
new file mode 100644
index 0000000..32fde49
--- /dev/null
+++ b/r-int.yml
@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - goss
+ - r-int
+ - ssh-cli
+ - syslog-cli
+ - dhcp
+ - snmp-agent
+ - post
diff --git a/r-vp1.yml b/r-vp1.yml
new file mode 100644
index 0000000..2ffe142
--- /dev/null
+++ b/r-vp1.yml
@@ -0,0 +1,20 @@
+---
+- hosts: localhost
+ connection: local
+
+ vars:
+ - ip1: 192.168.0.51
+ - remip: 192.168.0.52
+ - mynet: 192.168.1.0
+ - remnet: 172.16.128.0
+
+ roles:
+ - base
+ - goss
+# - snmp-agent
+# - firewall-vpn-r
+ - wireguard-r
+# - x509-r
+ - ssh-cli
+ - syslog-cli
+ - post
diff --git a/r-vp2.yml b/r-vp2.yml
new file mode 100644
index 0000000..3c78dbf
--- /dev/null
+++ b/r-vp2.yml
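Review bot: `ansible-pull` executes whatever `HEAD` of `${UREP}` currently contains as root on every host, with no branch, tag or commit pinned and no `--verify-commit`, and `${UREP}` is taken straight from the environment, so anyone who can set that variable or push to the Gitea repository gets root on the whole estate; at minimum pin the ref, `ansible-pull -i "${dir}/hosts" -U "${UREP}" -C <branch-or-tag>`, and consider `--verify-commit` once commits are GPG-signed. `[ -z ${UREP+x} ]` is unquoted; it works because the expansion is either empty or `x`, but `[ -z "${UREP+x}" ]` is the safe spelling. The same 16-line script is committed twice, as `pre/pull-config` and as top-level `pull-config`, with the same blob; keep one so the two cannot drift.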
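Review bot: The symlink target `/etc/nginx/sites-availables/proxy` has an extra `s` compared with nginx's conventional `sites-available` directory, so if it is meant to point at a real vhost file it will dangle; and a repository symlink to an absolute `/etc` path only resolves on the one machine where it was created, which suggests this is a stray from a working tree rather than something intended for the commit. If the proxy configuration is meant to be versioned, commit the file itself under a role's `files/` and let a task install it.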
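Review bot: `firewall-vpn-r` and `x509-r` are commented out, so r-vp1 comes up with a WireGuard endpoint and no host firewall, and nothing in this playbook says whether that is temporary; a one-line comment such as `# firewall-vpn-r disabled until the WireGuard rules are validated` would make the intent reviewable, otherwise the router faces the WAN with whatever the `base` role leaves open. The `vars:` block is a list of single-key mappings (`- ip1: 192.168.0.51`), a form Ansible has historically tolerated but the conventional one is a plain mapping (`ip1: 192.168.0.51`). `mynet`/`remnet` carry no prefix length, so the `wireguard-r` role (not in this diff) must be hard-coding `/24` or similar — worth confirming.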
@@ -0,0 +1,23 @@
+---
+- hosts: localhost
+ connection: local
+
+ vars:
+ - ip1: 192.168.0.52
+ - remip: 192.168.0.51
+ - mynet: 172.16.128.0
+ - remnet: 192.168.1.0
+
+ roles:
+ - base
+ - goss
+ - dhcp-ag
+ - dns-agence
+ - ssh-root-access
+# - snmp-agent
+# - firewall-vpn-l
+ - wireguard-l
+# - x509-l
+ - ssh-cli
+ - syslog-cli
+ - post
diff --git a/roles/apache2/handlers/main.yml b/roles/apache2/handlers/main.yml
new file mode 100644
index 0000000..645ca3a
--- /dev/null
+++ b/roles/apache2/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+ - name: restart apache2
+ service: name=apache2 state=restarted
+
+ - name: restart mysql-server
+ service: name=mysql-server state=restarted
diff --git a/roles/apache2/tasks/main.yml b/roles/apache2/tasks/main.yml
new file mode 100644
index 0000000..b122969
--- /dev/null
+++ b/roles/apache2/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Update apt cache
+ apt: update_cache=yes cache_valid_time=3600
+
+- name: Install required software
+ apt: name={{ item }} state=present
+ with_items:
+ - apache2
+ - mariadb-server
+ - php-mysql
+ - php
+ - libapache2-mod-php
+ - php-mcrypt
+ - python-mysqldb
diff --git a/roles/appli/README.md b/roles/appli/README.md
new file mode 100644
index 0000000..f343482
--- /dev/null
+++ b/roles/appli/README.md
@@ -0,0 +1,4 @@
+## Fonctionnement du rôle appli
+
+Ce rôle permet de créer un serveur wordpress avec MariaDB et apache.
+Ce rôle permet aussi de créer la base de donnée nécessaire pour wordpress.
diff --git a/roles/appli/handlers/main.yml b/roles/appli/handlers/main.yml
new file mode 100644
index 0000000..f041d80
--- /dev/null
+++ b/roles/appli/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: restart apache
+ service: name=apache2 state=restarted
+ become: yes
diff --git a/roles/appli/tasks/main.yml b/roles/appli/tasks/main.yml
new file mode 100644
index 0000000..36697f3
--- /dev/null
+++ b/roles/appli/tasks/main.yml
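Review bot: `ssh-root-access` is applied to the agency VPN router while `firewall-vpn-l` and `x509-l` remain commented out, so if that role does what its name says (its contents are not in this diff) the box accepts root SSH logins with no host firewall in front of it; gate the role behind a variable such as `when: enable_root_ssh | default(false)` or remove it once provisioning is done, and add a comment explaining why the firewall role is disabled. As with the other router playbook, `vars:` is written as a list of single-key mappings rather than a plain mapping, and `mynet`/`remnet` carry no prefix length, which the `wireguard-l` role must then be assuming.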
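Review bot: The `restart mysql-server` handler targets a service named `mysql-server`, which is the package name, not a unit; on Debian with MariaDB the service is `mariadb` (aliased `mysql`), so any task that notifies this handler fails at the end of the play. Change it to `service: name=mariadb state=restarted`. The leading-space list style (` - name:`) also differs from every other handlers file in this commit and is worth normalising.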
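Review bot: `php-mcrypt` and `python-mysqldb` do not exist on the releases this repository targets (`sources.list.Debian` in this same commit is bullseye; the mcrypt extension left PHP with 7.2 and the Python 2 MySQLdb binding is gone), so this `apt` task fails before installing anything; drop `php-mcrypt` and use `python3-mysqldb`, which the `appli` role already does. `with_items` with `name={{ item }}` also runs apt once per package and is the deprecated loop form — pass the list directly to `name:` as the `appli` and `base` roles do.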
@@ -0,0 +1,72 @@
+
+---
+- name: Installation des packets
+ apt:
+ state: present
+ name:
+ - php
+ - php-fpm
+ - php-mbstring
+ - php-ssh2
+ - php-gd
+ - php-mysql
+ - python3-mysqldb
+ - libapache2-mod-php
+ - mariadb-server
+ - apache2
+ - python3
+
+- name: Création du répertoire pour wordpress
+ file:
+ path: /var/www/html/wordpress
+ state: directory
+
+- name: Téléchargement de wordpress
+ get_url:
+ url: http://s-adm.gsb.adm/gsbstore/wordpress-5.8.2-fr_FR.tar.gz
+ dest: /var/www/html
+
+- name: Extraction du fichier wordpress
+ unarchive:
+ src: /var/www/html/wordpress-5.8.2-fr_FR.tar.gz
+ dest: /var/www/html
+
+- name: Fix permissions owner
+ shell: chown -R www-data /var/www/html/wordpress
+
+- name: Fix permissions groups
+ shell: chgrp -R www-data /var/www/html/wordpress
+
+- name: Mettre à jour le site Apache par défaut
+ lineinfile:
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ regexp: "(.)+DocumentRoot /var/www/html"
+ line: "DocumentRoot /var/www/html/wordpress"
+
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
+
+- name: Mettre à jour le fichier de configuration WordPress
+ lineinfile:
+ dest: /var/www/html/wordpress/wp-config-sample.php
+ backup: yes
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
+ - {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
+ - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
+ - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
+
+- name: Création de la base de donnée mysql
+ mysql_db:
+ name: wordpress
+ state: present
+
+- name: Création de l'utilisateur mysql
+ mysql_user:
+ name: wordpress
+ password: wp
+ priv: "*.*:ALL"
diff --git a/roles/base/files/apt.conf b/roles/base/files/apt.conf
new file mode 100644
index 0000000..def8cbb
--- /dev/null
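Review bot: The database settings are written into `wp-config-sample.php`, a file WordPress never reads, so the site still has no `wp-config.php` after the play and the installer will ask for credentials interactively; the sample must be copied to `wp-config.php` first and the `lineinfile` pointed at that copy. The credentials themselves are inconsistent and over-privileged: the config says `DB_USER` is `wp` while `mysql_user` creates `wordpress`, the password `wp` is hard-coded in clear text, and `priv: "*.*:ALL"` gives the web application full rights on every database including `mysql`, where `wordpress.*:ALL` is all it needs — move user and password to vaulted variables and scope the grant. The download uses plain `http://` with no `checksum:` on `get_url`, so a spoofed s-adm hands the web server arbitrary PHP, and `chown -R www-data` then makes every WordPress source file writable by the web process, which is exactly what a compromised plugin needs for persistence; restrict write access to `wp-content` and keep the rest root-owned. I also believe the 5.8 sample uses `define( 'DB_NAME', ... )` with inner spaces, in which case none of the four regexes match and `lineinfile` simply appends the lines at the end of the file — please verify against the tarball.

```yaml
# … unchanged: package install, directory, download, unarchive, DocumentRoot, apache restart …

- name: Create wp-config.php from the sample (WordPress never reads the sample itself)
  copy:
    src: /var/www/html/wordpress/wp-config-sample.php
    dest: /var/www/html/wordpress/wp-config.php
    remote_src: yes
    force: no
    owner: root
    group: www-data
    mode: "0640"

- name: Set database settings in wp-config.php
  lineinfile:
    dest: /var/www/html/wordpress/wp-config.php
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  with_items:
    - {'regexp': "define\\(\\s*'DB_NAME',.*\\);", 'line': "define( 'DB_NAME', 'wordpress' );"}
    - {'regexp': "define\\(\\s*'DB_HOST',.*\\);", 'line': "define( 'DB_HOST', 'localhost' );"}
    - {'regexp': "define\\(\\s*'DB_USER',.*\\);", 'line': "define( 'DB_USER', '{{ wp_db_user }}' );"}
    - {'regexp': "define\\(\\s*'DB_PASSWORD',.*\\);", 'line': "define( 'DB_PASSWORD', '{{ wp_db_password }}' );"}

# … unchanged: mysql_db …

- name: Create the WordPress database user, limited to its own database
  mysql_user:
    name: "{{ wp_db_user }}"
    password: "{{ wp_db_password }}"
    priv: "wordpress.*:ALL"
```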
+++ b/roles/base/files/apt.conf
@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.99.99:8080";
diff --git a/roles/base/files/resolv.conf b/roles/base/files/resolv.conf
new file mode 100644
index 0000000..afafa6b
--- /dev/null
+++ b/roles/base/files/resolv.conf
@@ -0,0 +1,4 @@
+domain gsb.lan
+search gsb.lan
+nameserver 192.168.99.99
+
diff --git a/roles/base/files/sources.list b/roles/base/files/sources.list
new file mode 100644
index 0000000..9fa923c
--- /dev/null
+++ b/roles/base/files/sources.list
@@ -0,0 +1,10 @@
+#
+
+deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
+
+deb http://security.debian.org/ wheezy/updates main
+
+deb http://ftp.fr.debian.org/debian/ wheezy-updates main
+
+deb http://http.debian.net/debian wheezy-backports main
+
diff --git a/roles/base/files/sources.list.Debian b/roles/base/files/sources.list.Debian
new file mode 100644
index 0000000..a5fb8a1
--- /dev/null
+++ b/roles/base/files/sources.list.Debian
@@ -0,0 +1,4 @@
+deb http://deb.debian.org/debian/ bullseye main non-free contrib
+deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
+
diff --git a/roles/base/files/sources.list.Ubuntu b/roles/base/files/sources.list.Ubuntu
new file mode 100644
index 0000000..8d1643a
--- /dev/null
+++ b/roles/base/files/sources.list.Ubuntu
@@ -0,0 +1,13 @@
+#------------------------------------------------------------------------------#
+# OFFICIAL UBUNTU REPOS #
+#------------------------------------------------------------------------------#
+
+
+###### Ubuntu Main Repos
+deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe
+
+###### Ubuntu Update Repos
+deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe
+deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe
+
+
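Review bot: `sources.list.Ubuntu` points every suite at `wily` (Ubuntu 15.10), which reached end of life in 2016 and is no longer on `fr.archive.ubuntu.com`, and the base role installs this file on any host whose `ansible_distribution` is `Ubuntu`; such a host would end up with no reachable repository and no security updates at all. Either update it to a supported LTS release or drop the file and restrict the base role to Debian. The plain `sources.list` (wheezy) is not selected by any task in this diff and looks like a leftover worth deleting, since a stray wheezy list copied by hand has the same effect.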
diff --git a/roles/base/files/sources.list.buster b/roles/base/files/sources.list.buster
new file mode 100644
index 0000000..520e104
--- /dev/null
+++ b/roles/base/files/sources.list.buster
@@ -0,0 +1,9 @@
+
+#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
+#deb http://security.debian.org/ stretch/updates main
+#deb http://ftp.fr.debian.org/debian/ stretch-updates main
+
+deb http://deb.debian.org/debian/ buster main contrib non-free
+deb http://security.debian.org/debian-security buster/updates main contrib non-free
+deb http://deb.debian.org/debian/ buster-updates main contrib non-free
+
diff --git a/roles/base/files/sources.list.jessie b/roles/base/files/sources.list.jessie
new file mode 100644
index 0000000..cad9227
--- /dev/null
+++ b/roles/base/files/sources.list.jessie
@@ -0,0 +1,22 @@
+#
+
+# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
+
+#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
+
+
+deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ jessie main
+
+deb http://security.debian.org/ jessie/updates main
+#deb-src http://security.debian.org/ jessie/updates main
+
+deb http://ftp.fr.debian.org/debian/ jessie-updates main
+#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
+#deb http://backports.debian.org/debian-backports jessie-backports main
+#deb http://packages.steve.org.uk/slaughter/jessie/ ./
+#deb https://rex.linux-files.org/debian/ jessie rex
+
+
+#deb http://http.debian.net/debian jessie-backports main
+
diff --git a/roles/base/files/sources.list.wheezy b/roles/base/files/sources.list.wheezy
new file mode 100644
index 0000000..e8a28d8
--- /dev/null
+++ b/roles/base/files/sources.list.wheezy
@@ -0,0 +1,22 @@
+#
+
+# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
+
+#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
+
+
+deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ wheezy main
+
+deb http://security.debian.org/ wheezy/updates main
+#deb-src http://security.debian.org/ wheezy/updates main
+
+deb http://ftp.fr.debian.org/debian/ wheezy-updates main
+#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
+#deb http://backports.debian.org/debian-backports wheezy-backports main
+#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
+#deb https://rex.linux-files.org/debian/ wheezy rex
+
+
+deb http://http.debian.net/debian wheezy-backports main
+
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..0e1498f
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+
+- name: Copie sources.list
+ copy:
+ src: sources.list.{{ ansible_distribution }}
+ dest: /etc/apt/sources.list
+
+- name: Copie apt.conf pour proxy
+ copy:
+ src: apt.conf
+ dest: /etc/apt/apt.conf
+ when: ansible_hostname != "s-adm"
+
+#- name: Sysctl desactive ipv6
+# sysctl:
+# name: net.ipv6.conf.all.disable_ipv6
+# value: 1
+# sysctl_set: yes
+# state: present
+# reload: yes
+
+- name: Update + Upgrade
+ apt:
+ upgrade: yes
+ update_cache: yes
+ cache_valid_time: 86400 #One day
+
+- name: Install paquets
+ apt:
+ state: present
+ name:
+ - vim
+ - ntp
+ - mc
+ - tcpdump
+ - curl
+ - net-tools
+ - rsync
+ - sudo
+ - iptables
+
+- name: Desinstall paquets
+ apt:
+ state: absent
+ name:
+ - nfs-common
+ - rpcbind
+ - bluetooth
+
+- name: Configure Vim
+ alternatives:
+ name: editor
+ path: /usr/bin/vim
+
+- name: Generation /etc/hosts
+ template:
+ src: hosts.j2
+ dest: /etc/hosts
+ when: ansible_hostname != "s-proxy"
+
+- name: Generation /etc/hosts pour s-proxy
+ template:
+ src: hosts.s-proxy.j2
+ dest: /etc/hosts
+ when: ansible_hostname == "s-proxy"
+
+- name: Desactive IPV6 avec sysctl
+ sysctl:
+ name: "{{ item }}"
+ value: 1
+ state: present
+ reload: yes
+ with_items:
+ - net.ipv6.conf.all.disable_ipv6
+ - net.ipv6.conf.default.disable_ipv6
+ - net.ipv6.conf.lo.disable_ipv6
diff --git a/roles/base/templates/hosts.j2 b/roles/base/templates/hosts.j2
new file mode 100644
index 0000000..2ab74e6
--- /dev/null
+++ b/roles/base/templates/hosts.j2
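Review bot: `upgrade: yes` maps to `apt-get upgrade`, which refuses any update that needs a new dependency or a removal, so kernel metapackages and a share of security updates stay held back on every host this role touches; `upgrade: dist` is the `apt` module setting for the full upgrade the task name implies. The first task copies `sources.list.{{ ansible_distribution }}` unconditionally, and the `sources.list.Ubuntu` shipped alongside it points at an end-of-life release, so an Ubuntu host would be left with a dead mirror — either guard the task with `when: ansible_distribution == "Debian"` or keep that file current. The `apt.conf` proxy is applied to everything except s-adm, which is sensible, but nothing in this role removes it if a host later needs direct access; a comment noting that all apt traffic transits 192.168.99.99:8080 would help the next person debugging a failed update. The commented-out single-key sysctl task duplicated by the loop at the end should be deleted rather than kept as dead config.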
@@ -0,0 +1,27 @@
+127.0.0.1 localhost
+127.0.1.1 {{ ansible_nodename }}.gsb.lan {{ ansible_hostname }}
+127.0.0.1 localhost ip6-localhost ip6-loopback
+
+#10.121.38.10 depl.sio.lan depl
+
+192.168.99.99 s-adm.gsb.adm depl.sio.lan depl
+192.168.99.1 s-infra.gsb.adm
+192.168.99.2 s-proxy.gsb.adm
+192.168.99.3 s-appli.gsb.adm
+192.168.99.4 s-backup.gsb.adm
+192.168.99.5 s-puppet.gsb.adm
+192.168.99.6 s-win.gsb.adm
+192.168.99.7 s-nxc.gsb.adm
+192.168.99.8 s-mon.gsb.adm
+192.168.99.9 s-itil.gsb.adm
+192.168.99.10 s-sspec.gsb.adm
+192.168.99.11 s-web-ext.gsb.adm
+192.168.99.10 s-dns.gsb.adm
+192.168.99.12 r-int.gsb.adm
+192.168.99.13 r-ext.gsb.adm
+192.168.99.14 s-nas.gsb.adm
+192.168.99.15 s-san.gsb.adm
+192.168.99.16 s-fog.gsb.adm
+
+192.168.99.8 syslog.gsb.adm
+
diff --git a/roles/base/templates/hosts.s-proxy.j2 b/roles/base/templates/hosts.s-proxy.j2
new file mode 100644
index 0000000..e18d15e
--- /dev/null
+++ b/roles/base/templates/hosts.s-proxy.j2
@@ -0,0 +1,26 @@
+127.0.0.1 localhost
+127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
+127.0.0.1 localhost ip6-localhost ip6-loopback
+172.16.0.2 s-proxy.gsb.lan s-proxy
+
+#10.121.38.10 depl
+
+192.168.99.99 s-adm.gsb.adm depl
+192.168.99.1 s-infra.gsb.adm
+192.168.99.2 s-proxy.gsb.adm
+192.168.99.3 s-appli.gsb.adm
+192.168.99.4 s-backup.gsb.adm
+192.168.99.5 s-puppet.gsb.adm
+192.168.99.6 s-win.gsb.adm
+192.168.99.7 s-nxc.gsb.adm
+192.168.99.8 s-mon.gsb.adm
+192.168.99.9 s-itil.gsb.adm
+192.168.99.10 s-sspec.gsb.adm
+192.168.99.11 s-web-ext.gsb.adm
+192.168.99.10 s-dns.gsb.adm
+192.168.99.12 r-int.gsb.adm
+192.168.99.13 r-ext.gsb.adm
+192.168.99.14 s-nas.gsb.adm
+
+192.168.99.8 syslog.gsb.adm
+
diff --git a/roles/db-user/files/resolv.conf b/roles/db-user/files/resolv.conf
new file mode 100644
index 0000000..b018c3b
--- /dev/null
+++ b/roles/db-user/files/resolv.conf
@@ -0,0 +1,3 @@
+search gsb.lan
+domain gsb.lan
+nameserver 172.16.0.1
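Review bot: `192.168.99.10` is mapped to both `s-sspec.gsb.adm` and `s-dns.gsb.adm` in both templates; if those are separate machines one of the two addresses is wrong and the later line wins for reverse lookups, so either merge them onto one line as aliases or give s-dns its own address. The `ip6-localhost ip6-loopback` aliases are attached to `127.0.0.1` rather than `::1`, which is harmless while the base role disables IPv6 but wrong as a hosts file. The s-proxy variant also lacks the `s-san` and `s-fog` entries present in the generic one, which looks like drift rather than intent — a single template with a conditional for the `172.16.0.2` line would keep the two lists from diverging.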
diff --git a/roles/db-user/tasks/main.yml b/roles/db-user/tasks/main.yml
new file mode 100644
index 0000000..81d6d85
--- /dev/null
+++ b/roles/db-user/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Create mysql user
+ mysql_user:
+ host: "{{ cli_ip }}"
+ name: "{{ maria_dbuser }}"
+ password: "{{ maria_dbpasswd }}"
+ priv: "*.*:ALL"
+
+- name: Copie du fichier resolv.conf
+ copy:
+ src: resolv.conf
+ dest: /etc/resolv.conf
\ No newline at end of file
diff --git a/roles/dhcp-ag/files/dhcpd.conf b/roles/dhcp-ag/files/dhcpd.conf
new file mode 100644
index 0000000..caca080
--- /dev/null
+++ b/roles/dhcp-ag/files/dhcpd.conf
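Review bot: `priv: "*.*:ALL"` grants the remote client at `{{ cli_ip }}` full rights on every schema, including `mysql`, which is enough to create further accounts or read other applications' data; an application user should be limited to its own database, e.g. `priv: "{{ maria_dbname }}.*:ALL"` with the database name passed in like the other two variables. `state: present` is the default so the task is fine as is, but it is worth making explicit for readability. Overwriting `/etc/resolv.conf` with a fixed nameserver does not belong in a role called `db-user`; it silently changes DNS on whatever host the role is applied to and should live in the base or network role with a comment saying which resolver it selects.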
@@ -0,0 +1,152 @@ +# +# Sample configuration file for ISC dhcpd for Debian +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "gsb.lan"; +option domain-name-servers 172.16.0.1; + +default-lease-time 86400; +max-lease-time 86400; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +#subnet 10.152.187.0 netmask 255.255.255.0 { +#} + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. 
If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.fugue.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.fugue.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. 
+ +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} + +#DHCP pour le réseau wifi +#subnet 172.16.65.0 netmask 255.255.255.0 { +# range 172.16.65.1 172.16.65.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau USER + +#subnet 172.16.64.0 netmask 255.255.255.0 { +# range 172.16.64.20 172.16.64.120; +# option domain-name-servers 172.16.0.6, 172.16.0.1 ; +# option routers 172.16.64.254; +# option broadcast-address 172.16.64.255; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau INFRA + +#subnet 172.16.0.0 netmask 255.255.255.0 { +# range 172.16.0.1 172.16.0.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau AGENCE + +subnet 172.16.128.0 netmask 255.255.255.0 { + range 172.16.128.10 172.16.128.50; + option domain-name-servers 172.16.0.1; + option routers 172.16.128.254; + option broadcast-address 172.16.128.255; + default-lease-time 86400; + max-lease-time 86400; +} diff --git a/roles/dhcp-ag/files/isc-dhcp-server b/roles/dhcp-ag/files/isc-dhcp-server new file mode 100644 index 0000000..26ec0d9 --- /dev/null +++ b/roles/dhcp-ag/files/isc-dhcp-server 
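Review bot: `authoritative;` is left commented out, so this server will not send DHCPNAK to agency clients that present a lease from some other server (a previous address plan, a rogue DHCP on the same segment), and they keep using the stale address until it expires; a server that is the only DHCP on 172.16.128.0/24 should set it. The pool hands out only 41 addresses with a 24-hour minimum and maximum lease, so the first 41 devices to appear hold the pool for a day whether or not they stay; a shorter `default-lease-time` (the samples above use 600/7200) makes churn survivable. Every client is also pointed at `172.16.0.1` for DNS across the WireGuard tunnel, so a tunnel outage takes local name resolution with it — worth stating in a comment if that is accepted.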
@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s8"
+INTERFACESv6=""
diff --git a/roles/dhcp-ag/handlers/main.yml b/roles/dhcp-ag/handlers/main.yml
new file mode 100644
index 0000000..27f226d
--- /dev/null
+++ b/roles/dhcp-ag/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart dhcp
+ service: name=isc-dhcp-server state=restarted
diff --git a/roles/dhcp-ag/tasks/main.yml b/roles/dhcp-ag/tasks/main.yml
new file mode 100644
index 0000000..063a625
--- /dev/null
+++ b/roles/dhcp-ag/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+ - name: Installation serveur dhcp
+ apt: name=isc-dhcp-server state=present update_cache=yes
+
+ - name: copie dhcpd.conf
+ copy: src=dhcpd.conf dest=/etc/dhcp
+ # notify: restart dhcp
+
+ - name: copie conf isc-dhcp-server
+ copy: src=isc-dhcp-server dest=/etc/default/isc-dhcp-server
+ # notify: restart dhcp
diff --git a/roles/dhcp-fog/files/dhcpd.conf b/roles/dhcp-fog/files/dhcpd.conf
new file mode 100644
index 0000000..4371dc6
--- /dev/null
+++ b/roles/dhcp-fog/files/dhcpd.conf
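Review bot: Both `notify: restart dhcp` lines are commented out, so after the package install the shipped `dhcpd.conf` and interface list are written to disk but the daemon keeps running with the packaged defaults (or, on first install, without any subnet matching `enp0s8`) until someone restarts it by hand; re-enable `notify: restart dhcp` on both copy tasks, which the sibling `dhcp-fog` role already does. If the restart was disabled because the handler failed on a box with a wrong interface name, the fix is a `when`/variable on `INTERFACESv4`, not a silent skip.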
@@ -0,0 +1,142 @@ +# +# Sample configuration file for ISC dhcpd for Debian +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "gsb.lan"; +option domain-name-servers 172.16.0.1; + +default-lease-time 86400; +max-lease-time 86400; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +#subnet 10.152.187.0 netmask 255.255.255.0 { +#} + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. 
If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.fugue.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.fugue.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. 
+ +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} + +#DHCP pour le réseau wifi +#subnet 172.16.65.0 netmask 255.255.255.0 { +# range 172.16.65.1 172.16.65.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +#DHCP pour le réseau USER + +subnet 172.16.64.0 netmask 255.255.255.0 { + range 172.16.64.20 172.16.64.120; + option domain-name-servers 172.16.0.1 ; + option routers 172.16.64.254; + option broadcast-address 172.16.64.255; +# default-lease-time 600; +# max-lease-time 7200; +} + +#DHCP pour le réseau INFRA + +#subnet 172.16.0.0 netmask 255.255.255.0 { +# range 172.16.0.1 172.16.0.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + diff --git a/roles/dhcp-fog/files/isc-dhcp-server b/roles/dhcp-fog/files/isc-dhcp-server new file mode 100644 index 0000000..a2f7704 --- /dev/null +++ b/roles/dhcp-fog/files/isc-dhcp-server 
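Review bot: If this server is meant to serve the FOG imaging network, as the role name suggests, the active `172.16.64.0/24` subnet declares no `next-server` and no `filename`, so PXE clients will get an address but no boot server and imaging cannot start; those options belong in this subnet block (the FOG installer normally prints the expected values). `authoritative;` is also left commented, so stale leases from another server on the same segment are never NAKed. The commented-out `default-lease-time 600`/`max-lease-time 7200` inside the block means the 86400-second globals apply to a pool of 101 addresses, which is long for a network where machines are reimaged and rotated.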
@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s9"
+INTERFACESv6=""
diff --git a/roles/dhcp-fog/handlers/main.yml b/roles/dhcp-fog/handlers/main.yml
new file mode 100644
index 0000000..e2bb399
--- /dev/null
+++ b/roles/dhcp-fog/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart isc-dhcp-server
+ service: name=isc-dhcp-server state=restarted
diff --git a/roles/dhcp-fog/tasks/main.yml b/roles/dhcp-fog/tasks/main.yml
new file mode 100644
index 0000000..9b51946
--- /dev/null
+++ b/roles/dhcp-fog/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Installation du dhcp
+ apt: name=isc-dhcp-server state=present
+
+- name: Copie du fichier isc-dhcp-server
+ copy: src=isc-dhcp-server dest=/etc/default/
+
+- name: Copie du fichier dhcpd.conf
+ copy: src=dhcpd.conf dest=/etc/dhcp/
+ notify:
+ - restart isc-dhcp-server
+
+
diff --git a/roles/dhcp/files/dhcpd.conf b/roles/dhcp/files/dhcpd.conf
new file mode 100644
index 0000000..0b565f1
--- /dev/null
+++ b/roles/dhcp/files/dhcpd.conf
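Review bot: Only the `dhcpd.conf` copy notifies the restart handler; a change to `isc-dhcp-server` (the interface list, `INTERFACESv4="enp0s9"`) is written without restarting the daemon, so a corrected interface name takes effect only on the next unrelated config change or reboot. Add `notify: - restart isc-dhcp-server` to the second task as well. Unlike the `dhcp-ag` role, the `apt` task here has no `update_cache`, so on a fresh host whose cache is stale the install can fail on a moved package version; `update_cache=yes` (or relying on the base role's cache refresh, if it is guaranteed to run first) should be stated.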
@@ -0,0 +1,142 @@ +# +# Sample configuration file for ISC dhcpd for Debian +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "gsb.lan"; +option domain-name-servers 172.16.0.1; + +default-lease-time 86400; +max-lease-time 86400; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +#subnet 10.152.187.0 netmask 255.255.255.0 { +#} + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. 
If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.fugue.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.fugue.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. 
+ +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} + +#DHCP pour le réseau wifi +subnet 172.16.65.0 netmask 255.255.255.0 { + range 172.16.65.1 172.16.65.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +} + +#DHCP pour le réseau USER + +subnet 172.16.64.0 netmask 255.255.255.0 { + range 172.16.64.20 172.16.64.120; + option domain-name-servers 172.16.0.1 ; + option routers 172.16.64.254; + option broadcast-address 172.16.64.255; +# default-lease-time 600; +# max-lease-time 7200; +} + +#DHCP pour le réseau INFRA + +subnet 172.16.0.0 netmask 255.255.255.0 { +# range 172.16.0.1 172.16.0.100; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +} + diff --git a/roles/dhcp/files/isc-dhcp-server b/roles/dhcp/files/isc-dhcp-server new file mode 100644 index 0000000..3930248 --- /dev/null +++ b/roles/dhcp/files/isc-dhcp-server 
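Review bot: The wifi block `subnet 172.16.65.0 netmask 255.255.255.0` hands out 172.16.65.1–172.16.65.100 while `option routers` and `option broadcast-address` inside it stay commented out, so those clients receive DNS and domain from the global section but no default gateway; the range also starts at .1, which is usually the router's own address, so confirm the intended gateway before enabling it. `#authoritative;` is still commented out; for the network's only DHCP server it should be uncommented so clients holding stale or foreign leases are NAKed instead of waiting for timeouts. The INFRA block `subnet 172.16.0.0 netmask 255.255.255.0 {` with every statement commented is an empty declaration, which dhcpd accepts, but it deserves a comment such as `# no pool on INFRA: declaration only so dhcpd accepts the interface` so the next reader does not "fix" it. In the roles/dhcp-fog copy of this file the wifi block is fully commented out, so the two roles diverge on 172.16.65.0/24.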
@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s9 enp0s10"
+INTERFACESv6=""
diff --git a/roles/dhcp/handlers/main.yml b/roles/dhcp/handlers/main.yml
new file mode 100644
index 0000000..e2bb399
--- /dev/null
+++ b/roles/dhcp/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart isc-dhcp-server
+ service: name=isc-dhcp-server state=restarted
diff --git a/roles/dhcp/tasks/main.yml b/roles/dhcp/tasks/main.yml
new file mode 100644
index 0000000..46121f4
--- /dev/null
+++ b/roles/dhcp/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+
+- name: Installation serveur DHCP - isc-dhcp-server
+ apt:
+ name: isc-dhcp-server
+ state: present
+
+- name: Copie du fichier isc-dhcp-server dans /etc/default
+ copy:
+ src: isc-dhcp-server
+ dest: /etc/default/
+
+- name: Copie du fichier dhcpd.conf dans /etc
+ copy:
+ src: dhcpd.conf
+ dest: /etc/dhcp/
+ notify:
+ - restart isc-dhcp-server
+
+
diff --git a/roles/dns-ag-cs/files/named.conf.options b/roles/dns-ag-cs/files/named.conf.options
new file mode 100644
index 0000000..d0daf3f
--- /dev/null
+++ b/roles/dns-ag-cs/files/named.conf.options
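Review bot: `INTERFACESv4="enp0s9 enp0s10"` lists two interfaces while the dhcpd.conf shipped by this role declares three subnets (172.16.65.0/24, 172.16.64.0/24, 172.16.0.0/24); dhcpd only serves the subnets that match a listed interface's address and refuses to start if a listed interface has no matching subnet declaration, and which interface carries which subnet cannot be checked from this diff. A comment next to the line, e.g. `# enp0s9 = <USER subnet>, enp0s10 = <INFRA subnet>` with the real mapping filled in, would make the pairing verifiable and explain which declared subnet is intentionally unserved.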
@@ -0,0 +1,23 @@
+// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forwarders {
+ 172.16.0.1;
+
+ };
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+};
+
diff --git a/roles/dns-ag-cs/handlers/main.yml b/roles/dns-ag-cs/handlers/main.yml
new file mode 100644
index 0000000..33d4f98
--- /dev/null
+++ b/roles/dns-ag-cs/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+ - name: restart bind9
+ service: name=bind9 state=restarted
+
diff --git a/roles/dns-ag-cs/tasks/main.yml b/roles/dns-ag-cs/tasks/main.yml
new file mode 100644
index 0000000..d3a88a6
--- /dev/null
+++ b/roles/dns-ag-cs/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Installation bind9
+ apt: name=bind9 state=present update_cache=yes
+
+- name: Copie named.conf.options
+ copy: src=named.conf.options dest=/etc/bind
+ notify:
+ - restart bind9
+
+
diff --git a/roles/dns-agence/files/named.conf.options b/roles/dns-agence/files/named.conf.options
new file mode 100644
index 0000000..d0daf3f
--- /dev/null
+++ b/roles/dns-agence/files/named.conf.options
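Review bot: roles/dns-ag-cs/files/named.conf.options configures an unrestricted recursive forwarder: `listen-on-v6 { any; };` with no `allow-query` or `allow-recursion`, so every client that can reach the host, on IPv4 or IPv6, gets recursion through the 172.16.0.1 forwarder, whereas the dns-master version of this file in a later hunk limits both to 172.16.0.0/16. Add `allow-query { localnets; localhost; };` and `allow-recursion { localnets; localhost; };` (or the agency's real client prefix) after the forwarders block. The identical file (index d0daf3f) is added as roles/dns-agence/files/named.conf.options in the next hunk and needs the same change; keeping one copy and symlinking or templating it would stop the two from drifting. The tasks hunk restarts bind9 on every copy with no validation step, so a typo in this fragment takes the agency resolver down until the next run.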
@@ -0,0 +1,23 @@
+// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forwarders {
+ 172.16.0.1;
+
+ };
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+};
+
diff --git a/roles/dns-agence/handlers/main.yml b/roles/dns-agence/handlers/main.yml
new file mode 100644
index 0000000..33d4f98
--- /dev/null
+++ b/roles/dns-agence/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+ - name: restart bind9
+ service: name=bind9 state=restarted
+
diff --git a/roles/dns-agence/tasks/main.yml b/roles/dns-agence/tasks/main.yml
new file mode 100644
index 0000000..d3a88a6
--- /dev/null
+++ b/roles/dns-agence/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Installation bind9
+ apt: name=bind9 state=present update_cache=yes
+
+- name: Copie named.conf.options
+ copy: src=named.conf.options dest=/etc/bind
+ notify:
+ - restart bind9
+
+
diff --git a/roles/dns-master/files/db.gsb.lan b/roles/dns-master/files/db.gsb.lan
new file mode 100644
index 0000000..93f62a5
--- /dev/null
+++ b/roles/dns-master/files/db.gsb.lan
@@ -0,0 +1,38 @@
+; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
+
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
+ 2022041200 ; Serial
+ 7200 ; Refresh
+ 86400 ; Retry
+ 8419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS s-infra.gsb.lan.
+@ IN NS s-backup.gsb.lan.
+@ IN A 127.0.0.1
+@ IN AAAA ::1
+s-infra IN A 172.16.0.1
+s-backup IN A 172.16.0.4
+s-proxy IN A 172.16.0.2
+s-appli IN A 172.16.0.3
+s-win IN A 172.16.0.6
+s-mess IN A 172.16.0.7
+s-nxc IN A 172.16.0.7
+s-docker IN A 172.16.0.7
+s-mon IN A 172.16.0.8
+s-itil IN A 172.16.0.9
+s-elk IN A 172.16.0.10
+s-gestsup IN A 172.16.0.17
+r-int IN A 172.16.0.254
+r-int-lnk IN A 192.168.200.254
+r-ext IN A 192.168.200.253
+s-lb IN A 192.168.100.10
+s-web1 IN A 192.168.101.1
+s-web2 IN A 192.168.101.2
+s-lb.gsb.lan IN A 192.168.100.10
+ns IN CNAME s-infra.gsb.lan.
+wpad IN CNAME s-infra.gsb.lan.
diff --git a/roles/dns-master/files/db.gsb.lan.rev b/roles/dns-master/files/db.gsb.lan.rev
new file mode 100644
index 0000000..92a6bcc
--- /dev/null
+++ b/roles/dns-master/files/db.gsb.lan.rev
@@ -0,0 +1,31 @@
+; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
+
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
+ 2022041200 ; Serial
+ 7200 ; Refresh
+ 86400 ; Retry
+ 8419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS s-infra.gsb.lan.
+@ IN NS s-backup.gsb.lan.
+1.0 IN PTR s-infra.gsb.lan.
+4.0 IN PTR s-backup.gsb.lan.
+2.0 IN PTR s-proxy.gsb.lan.
+3.0 IN PTR s-appli.gsb.lan.
+6.0 IN PTR s-win.gsb.lan.
+7.0 IN PTR s-nxc.gsb.lan.
+8.0 IN PTR s-mon.gsb.lan.
+9.0 IN PTR s-itil.gsb.lan.
+101.1 IN PTR s-web1
+101.2 IN PTR s-web2
+100.10 IN PTR s-lb
+100.10 IN PTR s-lb.gsb.lan
+10.0 IN PTR s-elk.gsb.lan.
+17.0 IN PTR s-gestsup.lan
+254.0 IN PTR r-int.gsb.lan.
+
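Review bot: Several names in these zone files are unqualified and will be silently expanded with the zone origin: in db.gsb.lan `s-lb.gsb.lan IN A 192.168.100.10` becomes s-lb.gsb.lan.gsb.lan, and in db.gsb.lan.rev the PTR targets `s-web1`, `s-web2`, `s-lb`, `s-lb.gsb.lan` and `s-gestsup.lan` (which also drops the gsb label) all get 16.172.in-addr.arpa appended; each needs the full name with a trailing dot, e.g. `17.0 IN PTR s-gestsup.gsb.lan.`. The `101.1`, `101.2` and `100.10` PTR records sit in the 172.16.0.0/16 reverse zone although the forward zone places those hosts in 192.168.101.0/24 and 192.168.100.0/24, so they answer for 172.16.101.1 and friends and never for the real addresses; they belong in a 168.192.in-addr.arpa zone, and the duplicated `100.10` owner should be collapsed to one record. Both zones carry serial 2022041200; the dns-slave role added in this commit pulls them by AXFR and only refreshes when the serial increases, so bumping it on every edit has to be part of the workflow (a comment above the SOA saying so would help).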
diff --git a/roles/dns-master/files/forbidden.html b/roles/dns-master/files/forbidden.html new file mode 100644 index 0000000..648fafc --- /dev/null +++ b/roles/dns-master/files/forbidden.html @@ -0,0 +1,2 @@ +

Bloque
+

Vous n'avez pas les droits requis pour acceder a cette page, veuillez contacter votre Administrateur.

diff --git a/roles/dns-master/files/hosts b/roles/dns-master/files/hosts
new file mode 100644
index 0000000..3c35fbd
--- /dev/null
+++ b/roles/dns-master/files/hosts
@@ -0,0 +1,7 @@
+127.0.0.1 localhost
+127.0.1.1 s-infra
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/roles/dns-master/files/named.conf.local b/roles/dns-master/files/named.conf.local
new file mode 100644
index 0000000..28e3aaa
--- /dev/null
+++ b/roles/dns-master/files/named.conf.local
@@ -0,0 +1,20 @@
+// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
+
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+zone "gsb.lan" {
+ type master;
+ file "/etc/bind/db.gsb.lan";
+};
+
+zone "16.172.in-addr.arpa"{
+ type master;
+ notify no;
+ file "/etc/bind/db.gsb.lan.rev";
+};
diff --git a/roles/dns-master/files/named.conf.options b/roles/dns-master/files/named.conf.options
new file mode 100644
index 0000000..cc3b575
--- /dev/null
+++ b/roles/dns-master/files/named.conf.options
@@ -0,0 +1,26 @@
+// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forwarders {
+ 192.168.99.99;
+
+ };
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { none; };
+ allow-query { 172.16.0.0/16; } ;
+ allow-recursion { 172.16.0.0/16; } ;
+ dnssec-validation no;
+};
+
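Review bot: roles/dns-master/files/named.conf.local sets no `allow-transfer` on either zone, so transfers fall back to BIND's default, which on older releases is "any" and here would let every host matched by `allow-query { 172.16.0.0/16; }` pull the complete zone; add `allow-transfer { 172.16.0.4; };` to both zone blocks (172.16.0.4 is s-backup, the second NS in db.gsb.lan and the slave this commit configures). `notify no;` on the reverse zone, but not on the forward zone, means the slave is never told about reverse-zone changes and only re-checks at the 7200 s SOA refresh; if that asymmetry is not intentional, drop the line. In named.conf.options, `dnssec-validation no;` disables validation of everything forwarded from 192.168.99.99; if that is a deliberate choice for this environment it should carry a comment such as `// dnssec-validation disabled on purpose: <reason>` so it is not read as an oversight.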
diff --git a/roles/dns-master/files/resolv.conf b/roles/dns-master/files/resolv.conf
new file mode 100644
index 0000000..13b8bd5
--- /dev/null
+++ b/roles/dns-master/files/resolv.conf
@@ -0,0 +1,4 @@
+domain gsb.lan
+search gsb.lan
+nameserver 127.0.0.1
+
diff --git a/roles/dns-master/handlers/main.yml b/roles/dns-master/handlers/main.yml
new file mode 100644
index 0000000..33d4f98
--- /dev/null
+++ b/roles/dns-master/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+ - name: restart bind9
+ service: name=bind9 state=restarted
+
diff --git a/roles/dns-master/tasks/main.yml b/roles/dns-master/tasks/main.yml
new file mode 100644
index 0000000..81e0ac5
--- /dev/null
+++ b/roles/dns-master/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+
+- name: Installation bind9
+ apt:
+ name: bind9
+ state: present
+ update_cache: yes
+
+- name: Copie named.conf.options
+ copy:
+ src: named.conf.options
+ dest: /etc/bind
+ notify:
+ - restart bind9
+
+- name: Copie named.conf.local
+ copy:
+ src: named.conf.local
+ dest: /etc/bind
+ notify:
+ - restart bind9
+
+- name: Copie fichier zone directe db.gsb.lan
+ copy:
+ src: db.gsb.lan
+ dest: /etc/bind
+ notify:
+ - restart bind9
+
+- name: Copie fichier zone inverse db.gsb.lan.rev
+ copy:
+ src: db.gsb.lan.rev
+ dest: /etc/bind
+ notify:
+ - restart bind9
+
+- name: Copie resolv.conf
+ copy:
+ src: resolv.conf
+ dest: /etc
+ notify:
+ - restart bind9
+
+- name: Copie page squidguard
+ copy:
+ src: forbidden.html
+ dest: /var/www/
+
diff --git a/roles/dns-slave/files/hosts b/roles/dns-slave/files/hosts
new file mode 100644
index 0000000..3c35fbd
--- /dev/null
+++ b/roles/dns-slave/files/hosts
@@ -0,0 +1,7 @@
+127.0.0.1 localhost
+127.0.1.1 s-infra
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/roles/dns-slave/files/named.conf.local b/roles/dns-slave/files/named.conf.local
new file mode 100644
index 0000000..0149cf9
--- /dev/null
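Review bot: The copy tasks for named.conf.local, db.gsb.lan and db.gsb.lan.rev each notify `restart bind9` with no `validate`, so a syntax error in any of them restarts the master into a failed state for every zone it serves. Add `validate: 'named-checkzone gsb.lan %s'` to the db.gsb.lan task and `validate: 'named-checkzone 16.172.in-addr.arpa %s'` to the db.gsb.lan.rev task so a bad file is refused before the handler runs. The `Copie resolv.conf` task also notifies `restart bind9`, which is unnecessary since named does not take its configuration from /etc/resolv.conf (the forwarders are set explicitly in named.conf.options). The roles/dns-slave/files/hosts hunk on this line pins `127.0.1.1 s-infra`, the master's name, onto the slave host, and no task in either the dns-master or dns-slave role copies a hosts file at all, so the file is either dead or mislabelled.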
+++ b/roles/dns-slave/files/named.conf.local
@@ -0,0 +1,28 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+//zone direct
+ zone "gsb.lan" {
+ type slave;
+ file "/etc/bind/db.gsb.lan";
+ masters { 172.16.0.1; };
+ masterfile-format text;
+
+};
+
+//zone inverse
+ zone "16.172.in-addr.arpa" {
+ type slave;
+ notify no;
+ file "/etc/bind/db.gsb.lan.rev";
+ masters { 172.16.0.1; };
+ masterfile-format text;
+
+};
+
+
diff --git a/roles/dns-slave/files/named.conf.options b/roles/dns-slave/files/named.conf.options
new file mode 100644
index 0000000..cc3b575
--- /dev/null
+++ b/roles/dns-slave/files/named.conf.options
@@ -0,0 +1,26 @@
+// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forwarders {
+ 192.168.99.99;
+
+ };
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { none; };
+ allow-query { 172.16.0.0/16; } ;
+ allow-recursion { 172.16.0.0/16; } ;
+ dnssec-validation no;
+};
+
diff --git a/roles/dns-slave/files/resolv.conf b/roles/dns-slave/files/resolv.conf
new file mode 100644
index 0000000..13b8bd5
--- /dev/null
+++ b/roles/dns-slave/files/resolv.conf
@@ -0,0 +1,4 @@
+domain gsb.lan
+search gsb.lan
+nameserver 127.0.0.1
+
diff --git a/roles/dns-slave/handlers/main.yml b/roles/dns-slave/handlers/main.yml
new file mode 100644
index 0000000..33d4f98
--- /dev/null
+++ b/roles/dns-slave/handlers/main.yml
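Review bot: The slave zones write their transferred copies to `file "/etc/bind/db.gsb.lan";` and `file "/etc/bind/db.gsb.lan.rev";`, i.e. into the configuration directory instead of the `directory "/var/cache/bind"` declared in named.conf.options, and that choice is what forces the AppArmor and permission loosening in roles/dns-slave/tasks/main.yml in the next hunk. Pointing both zones at the cache directory (`file "/var/cache/bind/db.gsb.lan";` and `file "/var/cache/bind/db.gsb.lan.rev";`) uses the location Debian's named profile already allows writes to, and the two hardening-reducing tasks can then be dropped. Transfers from `masters { 172.16.0.1; };` are accepted on source address alone; a TSIG key shared with the master would authenticate them, which matters if master and slave ever sit on different segments. The `//zone direct` and `//zone inverse` comments are useful, though the zone statements under them are indented by one space while the rest of the file sits at column 0.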
@@ -0,0 +1,4 @@
+---
+ - name: restart bind9
+ service: name=bind9 state=restarted
+
diff --git a/roles/dns-slave/tasks/main.yml b/roles/dns-slave/tasks/main.yml
new file mode 100644
index 0000000..780af40
--- /dev/null
+++ b/roles/dns-slave/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: Installation bind9
+ apt:
+ name: bind9
+ state: present
+
+- name: Copie named.conf.options
+ copy:
+ src: named.conf.options
+ dest: /etc/bind
+ notify:
+ - restart bind9
+
+- name: Copie named.conf.local
+ copy:
+ src: named.conf.local
+ dest: /etc/bind
+ notify:
+ - restart bind9
+
+- name: Copie resolv.conf
+ copy:
+ src: resolv.conf
+ dest: /etc
+ notify:
+ - restart bind9
+
+- name: Changement de droit pour le répertoire /etc/bind
+ ansible.builtin.lineinfile:
+ path: /etc/apparmor.d/usr.sbin.named
+ regexp: ' /etc/bind/\*\* r,'
+ line: ' /etc/bind/** rw,'
+
+
+- name: Changement de permission pour le groupe de /etc/bind
+ ansible.builtin.file:
+ path: /etc/bind/
+ state: directory
+ mode: g=rwx
diff --git a/roles/dnsmasq/files/dnsmasq.conf b/roles/dnsmasq/files/dnsmasq.conf
new file mode 100644
index 0000000..bb3077c
--- /dev/null
+++ b/roles/dnsmasq/files/dnsmasq.conf
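Review bot: `line: ' /etc/bind/** rw,'` widens the named AppArmor profile from read-only to read-write on the whole configuration directory, and `mode: g=rwx` on /etc/bind/ makes that directory writable by named's group, so a misbehaving or compromised named can rewrite named.conf and its includes; both tasks exist only because the slave's named.conf.local stores its zone copies under /etc/bind rather than /var/cache/bind, and moving the two `file` paths there removes the need for either. If the profile edit is kept, nothing reloads it: lineinfile rewrites /etc/apparmor.d/usr.sbin.named but no handler runs `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`, so until a reboot named still cannot write the zone file and the first transfer fails on a permission denial. lineinfile also appends the line at end of file when `regexp` matches nothing, which in an AppArmor profile lands outside the closing brace and breaks parsing, so the task needs either `backrefs: yes` (no match, no change) or a preceding check that the expected `/etc/bind/** r,` line exists. The file also lacks the leading `---` and `update_cache` that the sibling dns-master tasks use, which is a consistency nit rather than a defect.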
@@ -0,0 +1,531 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. 
+#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via enp0s8 +# server=10.1.2.3@enp0s8 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). 
+# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg enp0s3) here. +# Repeat the line for more than one interface. +interface=enp0s8 +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface=enp0s3 + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. 
+# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h +dhcp-range=192.168.99.100,192.168.99.120,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. 
Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC alogrithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. 
(RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. 
+# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. 
The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. +#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. 
See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fasion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. 
DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. 
+#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. 
+#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d + +# Include all the files in a directory except those ending in .bak +#conf-dir=/etc/dnsmasq.d,.bak + +# Include all files in a directory which end in .conf +#conf-dir=/etc/dnsmasq.d/*.conf diff --git a/roles/dnsmasq/handlers/main.yml b/roles/dnsmasq/handlers/main.yml new file mode 100644 index 0000000..a9d7c7f --- /dev/null +++ b/roles/dnsmasq/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart dnsmasq + service: name=dnsmasq state=restarted diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml new file mode 100644 index 0000000..0a8132e --- /dev/null +++ b/roles/dnsmasq/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- name: Installation dnsmasq + apt: name=dnsmasq state=present + +- name: Copie du fichier dnsmasq.conf + copy: src=dnsmasq.conf dest=/etc/ + notify: + - restart dnsmasq + + diff --git a/roles/docker-nextcloud/files/config.php b/roles/docker-nextcloud/files/config.php new file mode 100644 index 0000000..4a8a5c3 --- /dev/null +++ b/roles/docker-nextcloud/files/config.php 
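Review bot: The `Copie du fichier dnsmasq.conf` task copies the file and then notifies `restart dnsmasq` without checking the configuration first, so a syntax error in the role's dnsmasq.conf takes DNS/DHCP down on the target while the play still reports success. Add `validate: 'dnsmasq --test --conf-file=%s'` to the copy task so a broken file is rejected before the handler runs. Set `owner=root group=root mode=0644` explicitly as well, since the config is world-readable by design but should not be writable by anyone other than root.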
@@ -0,0 +1,48 @@ + '/', + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'apps_paths' => + array ( + 0 => + array ( + 'path' => '/var/www/html/apps', + 'url' => '/apps', + 'writable' => false, + ), + 1 => + array ( + 'path' => '/var/www/html/custom_apps', + 'url' => '/custom_apps', + 'writable' => true, + ), + ), + 'instanceid' => 'ocvc4q2htemf', + 'passwordsalt' => 'stdJZMx4C5hz85Kqt8XdZIzx8kVOHI', + 'secret' => 'II1BBgzlx70WUYCapAt/m/Bt1ZEk/n11n0DVq3zynyU8F/bU', + 'trusted_domains' => + array ( + 0 => '172.16.0.7:5678', + 1 => '172.16.0.7:8080', + 2 => 's-mess', + 3 => 's-mess.gsb.lan', + 4 => 'localhost:8080', + 5 => 's-nxec.gsb.lan', + ), + 'trusted_proxies' => ['172.16.0.7'], + 'overwriteprotocol' => 'http', + 'overwritehost' => '172.16.0.7:8080', + 'proxy' => '172.16.0.7:8080', + 'datadirectory' => '/var/www/html/data', + 'dbtype' => 'mysql', + 'version' => '20.0.6.1', + 'overwrite.cli.url' => 'http://172.16.0.7:5678', + 'dbname' => 'nextcloud', + 'dbhost' => 'db', + 'dbport' => '', + 'dbtableprefix' => 'oc_', + 'mysql.utf8mb4' => true, + 'dbuser' => 'nextcloud', + 'dbpassword' => 'root', + 'installed' => true, +); diff --git a/roles/docker-nextcloud/files/dhparam.pem b/roles/docker-nextcloud/files/dhparam.pem new file mode 100644 index 0000000..30b44e5 --- /dev/null +++ b/roles/docker-nextcloud/files/dhparam.pem 
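Review bot: Live Nextcloud secrets — `passwordsalt`, `secret`, `instanceid` and `dbpassword => 'root'` — are committed in this config.php, and the same `root` value is the MariaDB root password in the compose file, so anyone with read access to the repository gets the material Nextcloud uses to protect tokens plus working database credentials. Treat these values as compromised: regenerate `secret`/`passwordsalt`, pick a non-trivial database password, and render the file from a template with the values injected from Ansible Vault (e.g. `'secret' => '{{ nextcloud_secret }}'`) rather than shipping them as a static file. Separately, `'overwriteprotocol' => 'http'` and `'overwrite.cli.url' => 'http://172.16.0.7:5678'` contradict the nginx front end in this same commit, which redirects everything to HTTPS; with TLS terminated at the proxy these should be `'overwriteprotocol' => 'https'` and an `https://s-nxec.gsb.lan` URL, otherwise Nextcloud emits http:// links and redirects. `trusted_proxies` lists `172.16.0.7`, but nginx reaches the container via `localhost:5678` on the host, so the source address the container sees is presumably the Docker bridge gateway rather than 172.16.0.7 — verify against the container's access log.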
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA9YcWlg90PgLB2PS31Tv8mxn6cyRZd4GvX6tkqwOfXhdBZYzgoEnJ +17U+hDqpT5utQpUbfR0//uXr53mpu3ufxCNJ9gSsCIAbmhTIT3qwLwUis3Etb8PA +4LCTbVHvua5W7/pdM0s8PIOAWK7ah09p+mzwZqx5tKZWtbdERQKIAGE6Xmd4845/ +9oBWTj2g5t83Gt/fZDy+NVRy5ePb/KGix4bEmfnZ5htC/16VFPVrSZUALoxn8HtC +3nn4eqBrZeAxY6UHuW0ZPkRmpLs3GCILa+gze+wDlKlhC+RQU/f8Fijo6SsQPzNf +6BzJdoyeeE9OyyhhWu4Mihr39RnShk1ABO2eZrA1TE7L5X3YuCeIO09j99hkEsPr +mX1zh+v4sx2FFMZLebu+5KYf+ROOOYtMy6AJQq55avccTPrs0S+pxswypbzMD4ym +BYtPO46XYkRhrX47TfVHLW9oonDmMxPKNidNMrFtKW0b6f09iOcN9iEA/EM0s+3n +uQ2h+bQrwGqo5aMSUuJ3w8EjFySIqKgU5ZxJzPGSndsqS7zd2hUxNx7EZueHXX5N +CJ7kWRhIFv8YHHx0J/VFJieyr7DAUATu7chu4aGhwf2AoGYzmI0tjSh+3rQiDh7O +h+JtKr+wifr9P2vBqIWFQltOC2srRs+EB+5/qN1iIjYmq52MkUbFLfMCAQI= +-----END DH PARAMETERS----- diff --git a/roles/docker-nextcloud/files/docker-compose.yml b/roles/docker-nextcloud/files/docker-compose.yml new file mode 100755 index 0000000..1278464 --- /dev/null +++ b/roles/docker-nextcloud/files/docker-compose.yml @@ -0,0 +1,35 @@ +version: '2' + +volumes: + nextcloud: + db: + +services: + db: + image: mariadb + restart: always + command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW + volumes: + - db:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD=root + - MYSQL_PASSWORD=root + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + - TZ=Europe/Paris + + app: + image: nextcloud + restart: always + ports: + - 5678:80 + links: + - db + volumes: + - ./nextcloud:/var/www/html + environment: + - MYSQL_PASSWORD=root + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + - MYSQL_HOST=db + - TZ=Europe/Paris diff --git a/roles/docker-nextcloud/files/get_docker.sh b/roles/docker-nextcloud/files/get_docker.sh new file mode 100755 index 0000000..6397546 --- /dev/null +++ b/roles/docker-nextcloud/files/get_docker.sh 
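Review bot: `ports: - 5678:80` publishes the Nextcloud container on every host interface, so the plain-HTTP application is reachable directly on port 5678 while the nginx front end only proxies `localhost:5678`, and the HTTPS redirect can be bypassed entirely (config.php's `trusted_domains` even lists `172.16.0.7:5678`, so this is presumably in active use). Bind it to loopback with `- 127.0.0.1:5678:80` so only the proxy can reach it. `MYSQL_ROOT_PASSWORD=root` and `MYSQL_PASSWORD=root` are hard-coded in a committed file; move them to an untracked `.env` or an Ansible Vault variable and reference them as `${MYSQL_PASSWORD}`. The `mariadb` and `nextcloud` images carry no tag, so each pull can silently jump major versions, which Nextcloud's upgrader does not support across more than one major; pin at least `nextcloud:20` to match the `'version' => '20.0.6.1'` in config.php.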
@@ -0,0 +1,502 @@ +#!/bin/sh +set -e +# Docker CE for Linux installation script +# +# See https://docs.docker.com/install/ for the installation steps. +# +# This script is meant for quick & easy install via: +# $ curl -fsSL https://get.docker.com -o get-docker.sh +# $ sh get-docker.sh +# +# For test builds (ie. release candidates): +# $ curl -fsSL https://test.docker.com -o test-docker.sh +# $ sh test-docker.sh +# +# NOTE: Make sure to verify the contents of the script +# you downloaded matches the contents of install.sh +# located at https://github.com/docker/docker-install +# before executing. +# +# Git commit from https://github.com/docker/docker-install when +# the script was uploaded (Should only be modified by upload job): +SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4" + + +# The channel to install from: +# * nightly +# * test +# * stable +# * edge (deprecated) +DEFAULT_CHANNEL_VALUE="stable" +if [ -z "$CHANNEL" ]; then + CHANNEL=$DEFAULT_CHANNEL_VALUE +fi + +DEFAULT_DOWNLOAD_URL="https://download.docker.com" +if [ -z "$DOWNLOAD_URL" ]; then + DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL +fi + +DEFAULT_REPO_FILE="docker-ce.repo" +if [ -z "$REPO_FILE" ]; then + REPO_FILE="$DEFAULT_REPO_FILE" +fi + +mirror='' +DRY_RUN=${DRY_RUN:-} +while [ $# -gt 0 ]; do + case "$1" in + --mirror) + mirror="$2" + shift + ;; + --dry-run) + DRY_RUN=1 + ;; + --*) + echo "Illegal option $1" + ;; + esac + shift $(( $# > 0 ? 
1 : 0 )) +done + +case "$mirror" in + Aliyun) + DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce" + ;; + AzureChinaCloud) + DOWNLOAD_URL="https://mirror.azure.cn/docker-ce" + ;; +esac + +command_exists() { + command -v "$@" > /dev/null 2>&1 +} + +is_dry_run() { + if [ -z "$DRY_RUN" ]; then + return 1 + else + return 0 + fi +} + +is_wsl() { + case "$(uname -r)" in + *microsoft* ) true ;; # WSL 2 + *Microsoft* ) true ;; # WSL 1 + * ) false;; + esac +} + +is_darwin() { + case "$(uname -s)" in + *darwin* ) true ;; + *Darwin* ) true ;; + * ) false;; + esac +} + +deprecation_notice() { + distro=$1 + date=$2 + echo + echo "DEPRECATION WARNING:" + echo " The distribution, $distro, will no longer be supported in this script as of $date." + echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new" + echo + sleep 10 +} + +get_distribution() { + lsb_dist="" + # Every system that we officially support has /etc/os-release + if [ -r /etc/os-release ]; then + lsb_dist="$(. /etc/os-release && echo "$ID")" + fi + # Returning an empty string here should be alright since the + # case statements don't act unless you provide an actual value + echo "$lsb_dist" +} + +add_debian_backport_repo() { + debian_version="$1" + backports="deb http://ftp.debian.org/debian $debian_version-backports main" + if ! 
grep -Fxq "$backports" /etc/apt/sources.list; then + (set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list") + fi +} + +echo_docker_as_nonroot() { + if is_dry_run; then + return + fi + if command_exists docker && [ -e /var/run/docker.sock ]; then + ( + set -x + $sh_c 'docker version' + ) || true + fi + your_user=your-user + [ "$user" != 'root' ] && your_user="$user" + # intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output + echo "If you would like to use Docker as a non-root user, you should now consider" + echo "adding your user to the \"docker\" group with something like:" + echo + echo " sudo usermod -aG docker $your_user" + echo + echo "Remember that you will have to log out and back in for this to take effect!" + echo + echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run" + echo " containers which can be used to obtain root privileges on the" + echo " docker host." + echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface" + echo " for more information." + +} + +# Check if this is a forked Linux distro +check_forked() { + + # Check for lsb_release command existence, it usually exists in forked distros + if command_exists lsb_release; then + # Check if the `-u` option is supported + set +e + lsb_release -a -u > /dev/null 2>&1 + lsb_release_exit_code=$? + set -e + + # Check if the command has exited successfully, it means we're in a forked distro + if [ "$lsb_release_exit_code" = "0" ]; then + # Print info about current distro + cat <<-EOF + You're using '$lsb_dist' version '$dist_version'. 
+ EOF + + # Get the upstream release info + lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]') + dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]') + + # Print info about upstream distro + cat <<-EOF + Upstream release is '$lsb_dist' version '$dist_version'. + EOF + else + if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then + if [ "$lsb_dist" = "osmc" ]; then + # OSMC runs Raspbian + lsb_dist=raspbian + else + # We're Debian and don't even know it! + lsb_dist=debian + fi + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8|'Kali Linux 2') + dist_version="jessie" + ;; + esac + fi + fi + fi +} + +semverParse() { + major="${1%%.*}" + minor="${1#$major.}" + minor="${minor%%.*}" + patch="${1#$major.$minor.}" + patch="${patch%%[-.]*}" +} + +do_install() { + echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA" + + if command_exists docker; then + docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)" + MAJOR_W=1 + MINOR_W=10 + + semverParse "$docker_version" + + shouldWarn=0 + if [ "$major" -lt "$MAJOR_W" ]; then + shouldWarn=1 + fi + + if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then + shouldWarn=1 + fi + + cat >&2 <<-'EOF' + Warning: the "docker" command appears to already exist on this system. + + If you already have Docker installed, this script can cause trouble, which is + why we're displaying this warning and provide the opportunity to cancel the + installation. + + If you installed the current Docker package using this script and are using it + EOF + + if [ $shouldWarn -eq 1 ]; then + cat >&2 <<-'EOF' + again to update Docker, we urge you to migrate your image store before upgrading + to v1.10+. 
+ + You can find instructions for this here: + https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration + EOF + else + cat >&2 <<-'EOF' + again to update Docker, you can safely ignore this message. + EOF + fi + + cat >&2 <<-'EOF' + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + user="$(id -un 2>/dev/null || true)" + + sh_c='sh -c' + if [ "$user" != 'root' ]; then + if command_exists sudo; then + sh_c='sudo -E sh -c' + elif command_exists su; then + sh_c='su -c' + else + cat >&2 <<-'EOF' + Error: this installer needs the ability to run commands as root. + We are unable to find either "sudo" or "su" available to make this happen. + EOF + exit 1 + fi + fi + + if is_dry_run; then + sh_c="echo" + fi + + # perform some very rudimentary platform detection + lsb_dist=$( get_distribution ) + lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" + + if is_wsl; then + echo + echo "WSL DETECTED: We recommend using Docker Desktop for Windows." + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop" + echo + cat >&2 <<-'EOF' + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + case "$lsb_dist" in + + ubuntu) + if command_exists lsb_release; then + dist_version="$(lsb_release --codename | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then + dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")" + fi + ;; + + debian|raspbian) + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8) + dist_version="jessie" + ;; + esac + ;; + + centos|rhel) + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. 
/etc/os-release && echo "$VERSION_ID")" + fi + ;; + + *) + if command_exists lsb_release; then + dist_version="$(lsb_release --release | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. /etc/os-release && echo "$VERSION_ID")" + fi + ;; + + esac + + # Check if this is a forked Linux distro + check_forked + + # Run setup for each distro accordingly + case "$lsb_dist" in + ubuntu|debian|raspbian) + pre_reqs="apt-transport-https ca-certificates curl" + if [ "$lsb_dist" = "debian" ]; then + # libseccomp2 does not exist for debian jessie main repos for aarch64 + if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then + add_debian_backport_repo "$dist_version" + fi + fi + + if ! command -v gpg > /dev/null; then + pre_reqs="$pre_reqs gnupg" + fi + apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL" + ( + if ! is_dry_run; then + set -x + fi + $sh_c 'apt-get update -qq >/dev/null' + $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null" + $sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null" + $sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list" + $sh_c 'apt-get update -qq >/dev/null' + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + # Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel + pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist" + search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst apt-cache madison results" + echo + 
exit 1 + fi + search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + # Don't insert an = for cli_pkg_version, we'll just include it later + cli_pkg_version="$($sh_c "$search_command")" + pkg_version="=$pkg_version" + fi + fi + ( + if ! is_dry_run; then + set -x + fi + if [ -n "$cli_pkg_version" ]; then + $sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null" + fi + $sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null" + ) + echo_docker_as_nonroot + exit 0 + ;; + centos|fedora|rhel) + yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" + if ! curl -Ifs "$yum_repo" > /dev/null; then + echo "Error: Unable to curl repository file $yum_repo, is it valid?" + exit 1 + fi + if [ "$lsb_dist" = "fedora" ]; then + pkg_manager="dnf" + config_manager="dnf config-manager" + enable_channel_flag="--set-enabled" + disable_channel_flag="--set-disabled" + pre_reqs="dnf-plugins-core" + pkg_suffix="fc$dist_version" + else + pkg_manager="yum" + config_manager="yum-config-manager" + enable_channel_flag="--enable" + disable_channel_flag="--disable" + pre_reqs="yum-utils" + pkg_suffix="el" + fi + ( + if ! 
is_dry_run; then + set -x + fi + $sh_c "$pkg_manager install -y -q $pre_reqs" + $sh_c "$config_manager --add-repo $yum_repo" + + if [ "$CHANNEL" != "stable" ]; then + $sh_c "$config_manager $disable_channel_flag docker-ce-*" + $sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL" + fi + $sh_c "$pkg_manager makecache" + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix" + search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst $pkg_manager list results" + echo + exit 1 + fi + search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + # It's okay for cli_pkg_version to be blank, since older versions don't support a cli package + cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)" + # Cut out the epoch and prefix with a '-' + pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)" + fi + fi + ( + if ! 
is_dry_run; then + set -x + fi + # install the correct cli version first + if [ -n "$cli_pkg_version" ]; then + $sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version" + fi + $sh_c "$pkg_manager install -y -q docker-ce$pkg_version" + ) + echo_docker_as_nonroot + exit 0 + ;; + *) + if [ -z "$lsb_dist" ]; then + if is_darwin; then + echo + echo "ERROR: Unsupported operating system 'macOS'" + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop" + echo + exit 1 + fi + fi + echo + echo "ERROR: Unsupported distribution '$lsb_dist'" + echo + exit 1 + ;; + esac + exit 1 +} + +# wrapped up in a function so that we have some protection against only getting +# half the file during "curl | sh" +do_install diff --git a/roles/docker-nextcloud/files/nginx-selfsigned.crt b/roles/docker-nextcloud/files/nginx-selfsigned.crt new file mode 100644 index 0000000..c7548de --- /dev/null +++ b/roles/docker-nextcloud/files/nginx-selfsigned.crt 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEAzCCAuugAwIBAgIUAr99SgfwQjW0wJSay5rL7I8V6G4wDQYJKoZIhvcNAQEL +BQAwgZAxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlCb3VyZ29nbmUxDjAMBgNVBAcM +BURpam9uMQwwCgYDVQQKDANHU0IxDjAMBgNVBAsMBWluZnJhMRcwFQYDVQQDDA5z +LW54ZWMuZ3NiLmxhbjEmMCQGCSqGSIb3DQEJARYXYXhlbC5tcmwuc2NvbEBnbWFp +bC5jb20wHhcNMjEwMzI5MDkzMTIxWhcNMjIwMzI5MDkzMTIxWjCBkDELMAkGA1UE +BhMCRlIxEjAQBgNVBAgMCUJvdXJnb2duZTEOMAwGA1UEBwwFRGlqb24xDDAKBgNV +BAoMA0dTQjEOMAwGA1UECwwFaW5mcmExFzAVBgNVBAMMDnMtbnhlYy5nc2IubGFu +MSYwJAYJKoZIhvcNAQkBFhdheGVsLm1ybC5zY29sQGdtYWlsLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+iB7H1clY8gwX6CQfBqU+V4gF4ZMmg +HMbnoPvWV0WOJlgyODh5xdE11iJBBby8VNdiruGNJCeLeI4WWUUkJJXMyeWNTM6/ +JIZhVZI0UF042S/s8WdP+jls4aASkp0QH+XDs+758y5D9lRoX+At+bRZSC/Fz/tL +Y16e15F1+BxZeSWUEajHZIJZ79gm0UQxA9HdHAHpoWR05P74Fy6rnOsQNtBW4Jkt +xDb9CHRWNVjvbBuPsDwPTEOvMq94r5yWspHDhA3edvtAAJke5N9od4mN8KTJQouJ +O0ZzvOYIofr8iQM3981p9MuBUwtDNT7+ns22lDXeORoliOCG1gE25DsCAwEAAaNT +MFEwHQYDVR0OBBYEFJgtmIFxdyFe3vZ/a3UwxORCZiLiMB8GA1UdIwQYMBaAFJgt +mIFxdyFe3vZ/a3UwxORCZiLiMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBAJm7oJOJev7hh/G1xCPPyASWn9s9C9sb5zbxyq1gF5P6Br8Xof9OJ1ZE +XJaH1MwxxR+2Qhok6gERBSqpwe6jnreImOpqhHEQGdMWJvIRlvTPQmEj/mCoLGKf +DsIvl3ug4OfNqMojwYlGhsfQH92Qz2pnE88pLIT13y85c8TJHti2+GOxOTSxYLrs +lt3fYYjnSZ2mm9fLBcP/XgdCSTeN6XwpJr2b56sVh0uehFXnkgzjDd+PTGkIgnfT +/eXtX8+VbQIOSEOrIt0GneBZ3n37FSgz/y9TR5HgNKyt74oxbLsYR0qWpbCcEjw+ +ex/v7vE3bXgPGE56NzhlM1Pjh90R9hI= +-----END CERTIFICATE----- diff --git a/roles/docker-nextcloud/files/nginx-selfsigned.key b/roles/docker-nextcloud/files/nginx-selfsigned.key new file mode 100644 index 0000000..e5eca2f --- /dev/null +++ b/roles/docker-nextcloud/files/nginx-selfsigned.key 
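Review bot: The certificate body appears to encode a validity window of 2021-03-29 to 2022-03-29 (the two UTCTime fields in the base64), so by this commit's date it is already expired and every client will warn on or refuse the s-nxec.gsb.lan endpoint. Rather than committing a static self-signed certificate, have the role generate it on the target (`community.crypto.x509_certificate`, or a `command: openssl req -x509 -newkey rsa:2048 -days 365 -nodes -subj /CN=s-nxec.gsb.lan ...` task guarded by `creates:`), or issue it from an internal CA that the GSB clients already trust. The subject also appears to carry a personal e-mail address, which is now public in the repository history.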
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvogex9XJWPIMF ++gkHwalPleIBeGTJoBzG56D71ldFjiZYMjg4ecXRNdYiQQW8vFTXYq7hjSQni3iO +FllFJCSVzMnljUzOvySGYVWSNFBdONkv7PFnT/o5bOGgEpKdEB/lw7Pu+fMuQ/ZU +aF/gLfm0WUgvxc/7S2NenteRdfgcWXkllBGox2SCWe/YJtFEMQPR3RwB6aFkdOT+ ++Bcuq5zrEDbQVuCZLcQ2/Qh0VjVY72wbj7A8D0xDrzKveK+clrKRw4QN3nb7QACZ +HuTfaHeJjfCkyUKLiTtGc7zmCKH6/IkDN/fNafTLgVMLQzU+/p7NtpQ13jkaJYjg +htYBNuQ7AgMBAAECggEAfyHLbi7cL74nnZjrFnlBpIE7EpNiaWyDyBr8ta7mh0up +R+g6N+81mQXeVfc5PvAYfbxKGKyBAjr77eYRgnHyJZkSgB5y/ajwuHEWbvl9Pq2a +0Q0zhPQojY7aF3O6OwTkAf5Sbebx94hsc5cF55GAEeMa1LHcpethJ6nVIs8A5QtP +ZgGlfFkgGXp1GQPmeX1jQePSp8nqCftIwFPOuLcuQnisc282NCRHl3M+VlnUIZNL +fgRxalurrnaKf5P9DRvxiGlUJzoH1h0tgYbfUMpoRXdYYK3wjVbWWPROrS1c1yrl +17W004k8Fb++rUmQucQEtsiID/ymAMZPtiCG2IqvwQKBgQDjQGf8GFt04ypvoux/ +acOMtHXaA1k1Fa6Gtvr3dCfhlm4dCxvHfAqWawW2GXrSajhVRe+vcqBMyKAY5G3a +O3nZNpFliMqbftzKkF6AThIgaDaGAzfr+I88urvX0od1+wzjzievOHOlbil3OriD +HrGmfO/xnnXkgHCQK2YjmhFeoQKBgQDF2fEp5HZAZFWy55LVlS6DIDFfK2DShCNf +ENcDp1YWz/PCbHTY0xXZ6T4TOX14YYmeZVZFCUcpWGQrfL+ogJhoM9iQFuzYrzMz +iYjgICeTJPLGQawC6CKVFcE7i6kjNie66IjEIZj1rS2zG/+WVTl95M8JxJO2U7a/ +7JiYJiehWwKBgQCqxb6euisYJpHAPL3ebbtO5Fnf0D5cXwO9JopoJHjH1ITA/JUO +jo9iQ+CR3Inoz3uv0RNyVABUUzvEGPzYT3OcoJ4Yn/gpa+c9rcnmP0Tt54J5qLeA +c1QofeclI4c6SMOB+WznBtQZEDTG7XC0z/8OLrsdZkgPw9lS7doejOvaoQKBgGbV +azp561h2jfBp2nC2lDFFN0Qe2LkyQuwzZX4ZqG488ZZZJrZXqGDVkRUO6X77Ozsf +sqI5O0prDc1ojnk3NX/birEBqWLKVRNxZboQHGGnb6PKGGx+WRMh9ohLg8KwcB/+ +oq9GQylWNI2GfOaXL0WW+mE6UggPJMpGX92c3zZHAoGAMOFoxUjjzsB0oJLTuYax +VKE7Jno24o5JeDRm69WS3E6boSZsIY/9r4jWtYiTbhwlTZpZMqad3h/zM/swHvVq +hh1BaHXBik/9rpnyTMZ9vo6UNyYo/TJPH3yrKwZbF4Cn2uWQoJCfDeo9VXdIEbEn +SwyeWd4Zkt/wvqmocF5KVqI= +-----END PRIVATE KEY----- diff --git a/roles/docker-nextcloud/files/proxy b/roles/docker-nextcloud/files/proxy new file mode 100644 index 0000000..7e5abec --- /dev/null +++ b/roles/docker-nextcloud/files/proxy 
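Review bot: This is the RSA private key for the nginx TLS endpoint committed in plaintext; once it is in git history it must be treated as compromised even if removed later, because anyone who can clone the repository can impersonate s-nxec.gsb.lan and, depending on the cipher suites in ssl-params.conf, decrypt captured sessions. Generate the key on the target at deploy time instead (`community.crypto.openssl_privatekey`, or an `openssl genrsa` task with `creates: /etc/ssl/private/nginx-selfsigned.key`), add `*.key` to `.gitignore`, and if a pre-generated key is unavoidable keep it in Ansible Vault and deploy it with `mode: '0600'`. `self-signed.conf` in this commit already points nginx at that exact path, so nothing else needs to change once the generation task exists.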
@@ -0,0 +1,121 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# https://www.nginx.com/resources/wiki/start/ +# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ +# https://wiki.debian.org/Nginx/DirectoryStructure +# +# In most cases, administrators will remove this file from sites-enabled/ and +# leave it as reference inside of sites-available where it will continue to be +# updated by the nginx packaging team. +# +# This file will automatically load configuration files provided by other +# applications, such as Drupal or Wordpress. These applications will be made +# available underneath a path with that package name, such as /drupal8. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 8080 default_server; + listen [::]:8080 default_server; + + server_name s-nxec.gsb.lan; + + return 302 https://$server_name$request_uri; +} +# location / { +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_pass http://localhost:5678; +# proxy_connect_timeout 900; +# proxy_send_timeout 900; +# proxy_read_timeout 900; + +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + server_name s-nxec.gsb.lan; + + include snippets/self-signed.conf; + include snippets/ssl-params.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass http://localhost:5678; + proxy_connect_timeout 900; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + +} + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. 
+ # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + +# root /var/www/html; + + # Add index.php to the list if you are using PHP +# index index.html index.htm index.nginx-debian.html; + +# server_name _; + +# location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. +# try_files $uri $uri/ =404; +# } + + # pass PHP scripts to FastCGI server + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php-fpm (or other unix sockets): + # fastcgi_pass unix:/run/php/php7.3-fpm.sock; + # # With php-cgi (or other tcp sockets): + # fastcgi_pass 127.0.0.1:9000; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/roles/docker-nextcloud/files/proxy.bak b/roles/docker-nextcloud/files/proxy.bak new file mode 100644 index 0000000..534e71e --- /dev/null +++ b/roles/docker-nextcloud/files/proxy.bak 
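Review bot: The HTTPS `server {}` block proxies to `http://localhost:5678` but forwards only `Host` and `X-Real-IP`, so Nextcloud cannot tell that the request arrived over TLS or which client sent it — it only works here because config.php hard-codes `overwriteprotocol`/`overwritehost`, and `X-Real-IP` is not the header Nextcloud reads by default (its `forwarded_for_headers` default is `HTTP_X_FORWARDED_FOR`, evaluated against `trusted_proxies`). Add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (plus `proxy_set_header X-Forwarded-Host $host;`) to the `location /` block. `client_max_body_size` is not set, so uploads above nginx's 1 MB default are rejected with 413 before they reach Nextcloud; set it to the intended upload limit. The orphaned commented `# location / {` block between the two `server {}` blocks is leftover text from an earlier version and should be removed.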
@@ -0,0 +1,100 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://localhost:5678;
+ proxy_connect_timeout 900;
+ proxy_send_timeout 900;
+ proxy_read_timeout 900;
+ }
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+# root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+# index index.html index.htm index.nginx-debian.html;
+
+# server_name _;
+
+# location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+# try_files $uri $uri/ =404;
+# }
+
+ # pass PHP scripts to FastCGI server
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php-fpm (or other unix sockets):
+ # fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
diff --git a/roles/docker-nextcloud/files/self-signed.conf b/roles/docker-nextcloud/files/self-signed.conf
new file mode 100644
index 0000000..d9017ca
--- /dev/null
+++ b/roles/docker-nextcloud/files/self-signed.conf
@@ -0,0 +1,2 @@
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
diff --git a/roles/docker-nextcloud/files/ssl-params.conf b/roles/docker-nextcloud/files/ssl-params.conf
new file mode 100644
index 0000000..473862a
--- /dev/null
+++ b/roles/docker-nextcloud/files/ssl-params.conf
@@ -0,0 +1,18 @@
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+ssl_session_timeout 10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 172.16.0.1 valid=300s;
+resolver_timeout 5s;
+# Disable strict transport security for now. You can uncomment the following
+# line if you understand the implications.
+# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml
new file mode 100644
index 0000000..08c877b
--- /dev/null
+++ b/roles/docker-nextcloud/tasks/main.yml
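Review bot: proxy.bak keeps an earlier revision of the site that serves port 8080 straight to localhost:5678 with no TLS and no redirect; none of the role tasks in this commit copies it, so it is dead weight that could be enabled by mistake if it ever lands in sites-available. Remove it and rely on git history for the old version. If a plain-HTTP listener is needed again, keep it to the redirect form used in the current proxy file.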
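Review bot: `ssl_stapling on` and `ssl_stapling_verify on` serve no purpose with the self-signed certificate that self-signed.conf points at, since there is no OCSP responder to query, so drop those two lines or keep them only once a CA-issued certificate replaces it. Two entries in the `ssl_ciphers` list, `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, are not OpenSSL cipher names as far as I know; unknown tokens are skipped silently, so the effective list is shorter than it reads and worth checking with `openssl ciphers -v` against this string. `ssl_protocols TLSv1.2;` can become `ssl_protocols TLSv1.2 TLSv1.3;` on an nginx built against OpenSSL 1.1.1 or later, and `add_header X-XSS-Protection "1; mode=block";` sets a deprecated header that current browsers ignore.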
@@ -0,0 +1,89 @@
+---
+- name: Creation du repertoire nextcloud
+ file:
+ path: /root/nextcloud
+ state: directory
+
+- name: Copie du script get_docker
+ copy:
+ src: get_docker.sh
+ dest: /root/nextcloud
+
+- name: Execution du script get_docker
+ script: /root/nextcloud/get_docker.sh
+
+- name: Installation de docker-compose
+ shell: curl -L "https://github.com/docker/compose/releases/download/1.28.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+
+- name: Attribution des droits de docker compose
+ file:
+ path: /usr/local/bin/docker-compose
+ mode: '755'
+
+- name: Copie de docker-compose.yml
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/docker-compose.yml
+ dest: /root/nextcloud
+
+- name: Execution du fichier docker-compose.yml
+ shell: docker-compose up -d
+ args:
+ chdir: /root/nextcloud
+
+- name: Installation de Nginx
+ package:
+ name: nginx
+ state: present
+
+- name: Copie de config.php dans /root/nextcloud/nextcloud/config
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php
+ dest: /root/nextcloud/nextcloud/config
+
+- name: Copie de nginx-selfsigned.key
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.key
+ dest: /etc/ssl/private
+
+- name: Copie nginx-selfsigned.crt
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.crt
+ dest: /etc/ssl/certs
+
+- name: Copie de dhparam.pem
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/dhparam.pem
+ dest: /etc/nginx
+
+- name: Copie de self-signed.conf
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/self-signed.conf
+ dest: /etc/nginx/snippets
+
+- name: Copie de ssl-params.conf
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/ssl-params.conf
+ dest: /etc/nginx/snippets
+
+- name: Copie de /etc/nginx/site-availables/proxy
+ copy:
+ src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy
+ dest: /etc/nginx/sites-available
+
+- name: Suppression de /etc/nginx/sites-enabled/default
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+- name: Creation de lien symbolique avec /etc/nginx/sites-available/proxy dans /etc/n$
+ file:
+ src: /etc/nginx/sites-available/proxy
+ dest: /etc/nginx/sites-enabled/proxy
+ owner: root
+ group: root
+ state: link
+
+- name: Redemarage de Nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/roles/docker/README.md b/roles/docker/README.md
new file mode 100644
index 0000000..9f2c60b
--- /dev/null
+++ b/roles/docker/README.md
@@ -0,0 +1,10 @@
+# Installation de docker
+
+Pour assurer l'installation de docker il vous faut lancer le script getall depuis s-adm.
+Chemin de getall : /var/www/html/gsbstore/
+
+#### Fonctionnement du playbook
+
+Le playbook va télécharger getdocker.sh et le placer dans tmp.
+Il va donc lancer docker.sh et ensuite installer docker-compose, suite à cela, l'installation
+est terminée.
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..506392b
--- /dev/null
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Téléchargement getdocker.sh
+ ansible.builtin.get_url:
+ url: http://s-adm.gsb.adm/gsbstore/getdocker.sh
+ dest: /tmp
+ mode: '0755'
+
+- name: Execution du script getdocker
+ ansible.builtin.script:
+ cmd: /tmp/getdocker.sh
+
+- name: Téléchargement docker-compose
+ ansible.builtin.get_url:
+ url: http://s-adm.gsb.adm/gsbstore/docker-compose
+ dest: /usr/local/bin
+ mode: '0755'
diff --git a/roles/elk/README.md b/roles/elk/README.md
new file mode 100644
index 0000000..bb8cdd8
--- /dev/null
+++ b/roles/elk/README.md
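Review bot: The `Copie de nginx-selfsigned.key` task drops the TLS private key into /etc/ssl/private with no `mode`, `owner` or `group`, so it lands with the copy module's default permissions instead of root-only 0600; the same task sources the key from the role's files directory, which means the private key appears to be committed to the repository and should rather be generated on the host. The `Installation de docker-compose` task fetches a binary with `curl -L` and no integrity check before making it executable, and the `roles/docker/tasks/main.yml` and `roles/filebeat-cli/tasks/main.yml` hunks in this chunk pull `getdocker.sh`, `docker-compose` and the filebeat .deb over plain http in the same way; each is better expressed as `get_url` with a `checksum:` value. Every `copy` here uses an absolute `/root/tools/ansible/gsb2021/...` src, which pins the role to one checkout path, whereas a bare filename is resolved against the role's files/ directory as the `get_docker.sh` task already does. The `config.php` copy deserves the same scrutiny as the key, since a Nextcloud config.php normally carries database credentials and the instance secret.
```yaml
- name: Copie de nginx-selfsigned.key
  copy:
    src: nginx-selfsigned.key
    dest: /etc/ssl/private/nginx-selfsigned.key
    owner: root
    group: root
    mode: '0600'
# … unchanged: remaining copy tasks …
- name: Installation de docker-compose
  get_url:
    url: "https://github.com/docker/compose/releases/download/1.28.0/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
    dest: /usr/local/bin/docker-compose
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
    mode: '0755'
```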
@@ -0,0 +1,8 @@
+## Principe du rôle elk
+
+Ce rôle permet de créer un serveur ELK pour centraliser les logs et d'avoir des métriques pour simplifier la gestion du parc informatique GSB.
+Le principe de se rôle est d'installer docker, les différentes tâches de se rôle est de :
+Vérifier si ELK est déjà installé,
+Installer ELK sur github,
+Changer la configuration
+Lancer ELK avec docker-compose
diff --git a/roles/elk/files/get_docker.sh b/roles/elk/files/get_docker.sh
new file mode 100755
index 0000000..6397546
--- /dev/null
+++ b/roles/elk/files/get_docker.sh
@@ -0,0 +1,502 @@
+#!/bin/sh
+set -e
+# Docker CE for Linux installation script
+#
+# See https://docs.docker.com/install/ for the installation steps.
+#
+# This script is meant for quick & easy install via:
+# $ curl -fsSL https://get.docker.com -o get-docker.sh
+# $ sh get-docker.sh
+#
+# For test builds (ie. release candidates):
+# $ curl -fsSL https://test.docker.com -o test-docker.sh
+# $ sh test-docker.sh
+#
+# NOTE: Make sure to verify the contents of the script
+# you downloaded matches the contents of install.sh
+# located at https://github.com/docker/docker-install
+# before executing.
+#
+# Git commit from https://github.com/docker/docker-install when
+# the script was uploaded (Should only be modified by upload job):
+SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4"
+
+
+# The channel to install from:
+# * nightly
+# * test
+# * stable
+# * edge (deprecated)
+DEFAULT_CHANNEL_VALUE="stable"
+if [ -z "$CHANNEL" ]; then
+ CHANNEL=$DEFAULT_CHANNEL_VALUE
+fi
+
+DEFAULT_DOWNLOAD_URL="https://download.docker.com"
+if [ -z "$DOWNLOAD_URL" ]; then
+ DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
+fi
+
+DEFAULT_REPO_FILE="docker-ce.repo"
+if [ -z "$REPO_FILE" ]; then
+ REPO_FILE="$DEFAULT_REPO_FILE"
+fi
+
+mirror=''
+DRY_RUN=${DRY_RUN:-}
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --mirror)
+ mirror="$2"
+ shift
+ ;;
+ --dry-run)
+ DRY_RUN=1
+ ;;
+ --*)
+ echo "Illegal option $1"
+ ;;
+ esac
+ shift $(( $# > 0 ? 1 : 0 ))
+done
+
+case "$mirror" in
+ Aliyun)
+ DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
+ ;;
+ AzureChinaCloud)
+ DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
+ ;;
+esac
+
+command_exists() {
+ command -v "$@" > /dev/null 2>&1
+}
+
+is_dry_run() {
+ if [ -z "$DRY_RUN" ]; then
+ return 1
+ else
+ return 0
+ fi
+}
+
+is_wsl() {
+ case "$(uname -r)" in
+ *microsoft* ) true ;; # WSL 2
+ *Microsoft* ) true ;; # WSL 1
+ * ) false;;
+ esac
+}
+
+is_darwin() {
+ case "$(uname -s)" in
+ *darwin* ) true ;;
+ *Darwin* ) true ;;
+ * ) false;;
+ esac
+}
+
+deprecation_notice() {
+ distro=$1
+ date=$2
+ echo
+ echo "DEPRECATION WARNING:"
+ echo " The distribution, $distro, will no longer be supported in this script as of $date."
+ echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new"
+ echo
+ sleep 10
+}
+
+get_distribution() {
+ lsb_dist=""
+ # Every system that we officially support has /etc/os-release
+ if [ -r /etc/os-release ]; then
+ lsb_dist="$(. /etc/os-release && echo "$ID")"
+ fi
+ # Returning an empty string here should be alright since the
+ # case statements don't act unless you provide an actual value
+ echo "$lsb_dist"
+}
+
+add_debian_backport_repo() {
+ debian_version="$1"
+ backports="deb http://ftp.debian.org/debian $debian_version-backports main"
+ if ! grep -Fxq "$backports" /etc/apt/sources.list; then
+ (set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
+ fi
+}
+
+echo_docker_as_nonroot() {
+ if is_dry_run; then
+ return
+ fi
+ if command_exists docker && [ -e /var/run/docker.sock ]; then
+ (
+ set -x
+ $sh_c 'docker version'
+ ) || true
+ fi
+ your_user=your-user
+ [ "$user" != 'root' ] && your_user="$user"
+ # intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
+ echo "If you would like to use Docker as a non-root user, you should now consider"
+ echo "adding your user to the \"docker\" group with something like:"
+ echo
+ echo " sudo usermod -aG docker $your_user"
+ echo
+ echo "Remember that you will have to log out and back in for this to take effect!"
+ echo
+ echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
+ echo " containers which can be used to obtain root privileges on the"
+ echo " docker host."
+ echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
+ echo " for more information."
+
+}
+
+# Check if this is a forked Linux distro
+check_forked() {
+
+ # Check for lsb_release command existence, it usually exists in forked distros
+ if command_exists lsb_release; then
+ # Check if the `-u` option is supported
+ set +e
+ lsb_release -a -u > /dev/null 2>&1
+ lsb_release_exit_code=$?
+ set -e
+
+ # Check if the command has exited successfully, it means we're in a forked distro
+ if [ "$lsb_release_exit_code" = "0" ]; then
+ # Print info about current distro
+ cat <<-EOF
+ You're using '$lsb_dist' version '$dist_version'.
+ EOF
+
+ # Get the upstream release info
+ lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
+ dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
+
+ # Print info about upstream distro
+ cat <<-EOF
+ Upstream release is '$lsb_dist' version '$dist_version'.
+ EOF
+ else
+ if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
+ if [ "$lsb_dist" = "osmc" ]; then
+ # OSMC runs Raspbian
+ lsb_dist=raspbian
+ else
+ # We're Debian and don't even know it!
+ lsb_dist=debian
+ fi
+ dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
+ case "$dist_version" in
+ 10)
+ dist_version="buster"
+ ;;
+ 9)
+ dist_version="stretch"
+ ;;
+ 8|'Kali Linux 2')
+ dist_version="jessie"
+ ;;
+ esac
+ fi
+ fi
+ fi
+}
+
+semverParse() {
+ major="${1%%.*}"
+ minor="${1#$major.}"
+ minor="${minor%%.*}"
+ patch="${1#$major.$minor.}"
+ patch="${patch%%[-.]*}"
+}
+
+do_install() {
+ echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
+
+ if command_exists docker; then
+ docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
+ MAJOR_W=1
+ MINOR_W=10
+
+ semverParse "$docker_version"
+
+ shouldWarn=0
+ if [ "$major" -lt "$MAJOR_W" ]; then
+ shouldWarn=1
+ fi
+
+ if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
+ shouldWarn=1
+ fi
+
+ cat >&2 <<-'EOF'
+ Warning: the "docker" command appears to already exist on this system.
+
+ If you already have Docker installed, this script can cause trouble, which is
+ why we're displaying this warning and provide the opportunity to cancel the
+ installation.
+
+ If you installed the current Docker package using this script and are using it
+ EOF
+
+ if [ $shouldWarn -eq 1 ]; then
+ cat >&2 <<-'EOF'
+ again to update Docker, we urge you to migrate your image store before upgrading
+ to v1.10+.
+
+ You can find instructions for this here:
+ https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
+ EOF
+ else
+ cat >&2 <<-'EOF'
+ again to update Docker, you can safely ignore this message.
+ EOF
+ fi
+
+ cat >&2 <<-'EOF'
+
+ You may press Ctrl+C now to abort this script.
+ EOF
+ ( set -x; sleep 20 )
+ fi
+
+ user="$(id -un 2>/dev/null || true)"
+
+ sh_c='sh -c'
+ if [ "$user" != 'root' ]; then
+ if command_exists sudo; then
+ sh_c='sudo -E sh -c'
+ elif command_exists su; then
+ sh_c='su -c'
+ else
+ cat >&2 <<-'EOF'
+ Error: this installer needs the ability to run commands as root.
+ We are unable to find either "sudo" or "su" available to make this happen.
+ EOF
+ exit 1
+ fi
+ fi
+
+ if is_dry_run; then
+ sh_c="echo"
+ fi
+
+ # perform some very rudimentary platform detection
+ lsb_dist=$( get_distribution )
+ lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
+
+ if is_wsl; then
+ echo
+ echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
+ echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
+ echo
+ cat >&2 <<-'EOF'
+
+ You may press Ctrl+C now to abort this script.
+ EOF
+ ( set -x; sleep 20 )
+ fi
+
+ case "$lsb_dist" in
+
+ ubuntu)
+ if command_exists lsb_release; then
+ dist_version="$(lsb_release --codename | cut -f2)"
+ fi
+ if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
+ dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
+ fi
+ ;;
+
+ debian|raspbian)
+ dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
+ case "$dist_version" in
+ 10)
+ dist_version="buster"
+ ;;
+ 9)
+ dist_version="stretch"
+ ;;
+ 8)
+ dist_version="jessie"
+ ;;
+ esac
+ ;;
+
+ centos|rhel)
+ if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
+ dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+ fi
+ ;;
+
+ *)
+ if command_exists lsb_release; then
+ dist_version="$(lsb_release --release | cut -f2)"
+ fi
+ if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
+ dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+ fi
+ ;;
+
+ esac
+
+ # Check if this is a forked Linux distro
+ check_forked
+
+ # Run setup for each distro accordingly
+ case "$lsb_dist" in
+ ubuntu|debian|raspbian)
+ pre_reqs="apt-transport-https ca-certificates curl"
+ if [ "$lsb_dist" = "debian" ]; then
+ # libseccomp2 does not exist for debian jessie main repos for aarch64
+ if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
+ add_debian_backport_repo "$dist_version"
+ fi
+ fi
+
+ if ! command -v gpg > /dev/null; then
+ pre_reqs="$pre_reqs gnupg"
+ fi
+ apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
+ (
+ if ! is_dry_run; then
+ set -x
+ fi
+ $sh_c 'apt-get update -qq >/dev/null'
+ $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
+ $sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
+ $sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
+ $sh_c 'apt-get update -qq >/dev/null'
+ )
+ pkg_version=""
+ if [ -n "$VERSION" ]; then
+ if is_dry_run; then
+ echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
+ else
+ # Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
+ pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist"
+ search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
+ pkg_version="$($sh_c "$search_command")"
+ echo "INFO: Searching repository for VERSION '$VERSION'"
+ echo "INFO: $search_command"
+ if [ -z "$pkg_version" ]; then
+ echo
+ echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
+ echo
+ exit 1
+ fi
+ search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
+ # Don't insert an = for cli_pkg_version, we'll just include it later
+ cli_pkg_version="$($sh_c "$search_command")"
+ pkg_version="=$pkg_version"
+ fi
+ fi
+ (
+ if ! is_dry_run; then
+ set -x
+ fi
+ if [ -n "$cli_pkg_version" ]; then
+ $sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null"
+ fi
+ $sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null"
+ )
+ echo_docker_as_nonroot
+ exit 0
+ ;;
+ centos|fedora|rhel)
+ yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
+ if ! curl -Ifs "$yum_repo" > /dev/null; then
+ echo "Error: Unable to curl repository file $yum_repo, is it valid?"
+ exit 1
+ fi
+ if [ "$lsb_dist" = "fedora" ]; then
+ pkg_manager="dnf"
+ config_manager="dnf config-manager"
+ enable_channel_flag="--set-enabled"
+ disable_channel_flag="--set-disabled"
+ pre_reqs="dnf-plugins-core"
+ pkg_suffix="fc$dist_version"
+ else
+ pkg_manager="yum"
+ config_manager="yum-config-manager"
+ enable_channel_flag="--enable"
+ disable_channel_flag="--disable"
+ pre_reqs="yum-utils"
+ pkg_suffix="el"
+ fi
+ (
+ if ! is_dry_run; then
+ set -x
+ fi
+ $sh_c "$pkg_manager install -y -q $pre_reqs"
+ $sh_c "$config_manager --add-repo $yum_repo"
+
+ if [ "$CHANNEL" != "stable" ]; then
+ $sh_c "$config_manager $disable_channel_flag docker-ce-*"
+ $sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
+ fi
+ $sh_c "$pkg_manager makecache"
+ )
+ pkg_version=""
+ if [ -n "$VERSION" ]; then
+ if is_dry_run; then
+ echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
+ else
+ pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
+ search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
+ pkg_version="$($sh_c "$search_command")"
+ echo "INFO: Searching repository for VERSION '$VERSION'"
+ echo "INFO: $search_command"
+ if [ -z "$pkg_version" ]; then
+ echo
+ echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
+ echo
+ exit 1
+ fi
+ search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
+ # It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
+ cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
+ # Cut out the epoch and prefix with a '-'
+ pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
+ fi
+ fi
+ (
+ if ! is_dry_run; then
+ set -x
+ fi
+ # install the correct cli version first
+ if [ -n "$cli_pkg_version" ]; then
+ $sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
+ fi
+ $sh_c "$pkg_manager install -y -q docker-ce$pkg_version"
+ )
+ echo_docker_as_nonroot
+ exit 0
+ ;;
+ *)
+ if [ -z "$lsb_dist" ]; then
+ if is_darwin; then
+ echo
+ echo "ERROR: Unsupported operating system 'macOS'"
+ echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
+ echo
+ exit 1
+ fi
+ fi
+ echo
+ echo "ERROR: Unsupported distribution '$lsb_dist'"
+ echo
+ exit 1
+ ;;
+ esac
+ exit 1
+}
+
+# wrapped up in a function so that we have some protection against only getting
+# half the file during "curl | sh"
+do_install
diff --git a/roles/elk/tasks/main.yml b/roles/elk/tasks/main.yml
new file mode 100644
index 0000000..3c5959b
--- /dev/null
+++ b/roles/elk/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+ - name: Création répertoire docker
+ file:
+ path: /root/elk
+ state: directory
+
+ - name: Vérification d'ELK
+ stat:
+ path: /root/elk/docker-compose.yml
+ register: elk
+
+ - name: Installation d'ELK
+ ansible.builtin.git:
+ repo: https://github.com/deviantony/docker-elk.git
+ dest: /root/elk/
+ when: not elk.stat.exists
+
+ - name: Configuration d'ELK
+ replace:
+ path: /root/elk/elasticsearch/config/elasticsearch.yml
+ regexp: 'xpack.license.self_generated.type: trial'
+ replace: 'xpack.license.self_generated.type: basic'
+
+ - name: Execution du fichier docker-compose.yml
+ shell: docker-compose up -d
+ args:
+ chdir: /root/elk
diff --git a/roles/filebeat-cli/README.md b/roles/filebeat-cli/README.md
new file mode 100644
index 0000000..2e7f0cc
--- /dev/null
+++ b/roles/filebeat-cli/README.md
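Review bot: The `Installation d'ELK` task clones deviantony/docker-elk without a `version:`, so whatever the remote HEAD holds at run time is what `docker-compose up -d` starts as root; pin it with `version: <TAG_OR_COMMIT_PLACEHOLDER>`, and the same applies to the `git` task in the `roles/fog/tasks/main.yml` hunk further down. The filebeat.yml added in this commit logs in as `elastic` / `changeme`, which suggests the stack's shipped default credentials stay in place; the role edits only the licence line and should also set the passwords wherever the cloned repository defines them before the first start. The `stat`/`when` guard skips only the clone, so the `replace` and `docker-compose up -d` steps run on every play, which is acceptable but reads as broader than it is.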
@@ -0,0 +1,7 @@
+## Explication du rôle filebeat-cli
+
+Filebeat permet de centraliser et simplifier la gestion de logs pour ELK.
+Ce rôle fonctionne en faisant :
+Une installation de filebeat
+Une configuration de filebeat
+Une activation du module system(Logs système)
diff --git a/roles/filebeat-cli/files/filebeat.yml b/roles/filebeat-cli/files/filebeat.yml
new file mode 100644
index 0000000..bd7e41f
--- /dev/null
+++ b/roles/filebeat-cli/files/filebeat.yml
@@ -0,0 +1,226 @@
+###################### Filebeat Configuration Example #########################
+
+# This file is an example configuration file highlighting only the most common
+# options. The filebeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/filebeat/index.html
+
+# For more available modules and options, please see the filebeat.reference.yml sample
+# configuration file.
+
+# ============================== Filebeat inputs ===============================
+
+filebeat.inputs:
+
+# Each - is an input. Most options can be set at the input level, so
+# you can use different inputs for various configurations.
+# Below are the input specific configurations.
+
+# filestream is an input for collecting log messages from files.
+- type: filestream
+
+ # Change to true to enable this input configuration.
+ enabled: false
+
+ # Paths that should be crawled and fetched. Glob based paths.
+ paths:
+ - /var/log/*.log
+ #- c:\programdata\elasticsearch\logs\*
+
+ # Exclude lines. A list of regular expressions to match. It drops the lines that are
+ # matching any regular expression from the list.
+ #exclude_lines: ['^DBG']
+
+ # Include lines. A list of regular expressions to match. It exports the lines that are
+ # matching any regular expression from the list.
+ #include_lines: ['^ERR', '^WARN']
+
+ # Exclude files. A list of regular expressions to match. Filebeat drops the files that
+ # are matching any regular expression from the list. By default, no files are dropped.
+ #prospector.scanner.exclude_files: ['.gz$']
+
+ # Optional additional fields. These fields can be freely picked
+ # to add additional information to the crawled log files for filtering
+ #fields:
+ # level: debug
+ # review: 1
+
+# ============================== Filebeat modules ==============================
+
+filebeat.config.modules:
+ # Glob pattern for configuration loading
+ path: ${path.config}/modules.d/*.yml
+
+ # Set to true to enable config reloading
+ reload.enabled: false
+
+ # Period on which files under path should be checked for changes
+ #reload.period: 10s
+
+# ======================= Elasticsearch template setting =======================
+
+setup.template.settings:
+ index.number_of_shards: 1
+ #index.codec: best_compression
+ #_source.enabled: false
+
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
+
+# ================================= Dashboards =================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+ # Kibana Host
+ # Scheme and port can be left out and will be set to the default (http and 5601)
+ # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+ # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+ host: "s-elk.gsb.lan:5601"
+
+ # Kibana Space ID
+ # ID of the Kibana Space into which the dashboards should be loaded. By default,
+ # the Default Space will be used.
+ #space.id:
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `:`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+ # Array of hosts to connect to.
+ hosts: ["s-elk.gsb.lan:9200"]
+
+ # Protocol - either `http` (default) or `https`.
+ #protocol: "https"
+
+ # Authentication credentials - either API key or username/password.
+ #api_key: "id:api_key"
+ username: "elastic"
+ password: "changeme"
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+ # The Logstash hosts
+ #hosts: ["localhost:5044"]
+
+ # Optional SSL. By default is off.
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client Certificate Key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+# ================================= Processors =================================
+processors:
+ - add_host_metadata:
+ when.not.contains.tags: forwarded
+ - add_cloud_metadata: ~
+ - add_docker_metadata: ~
+ - add_kubernetes_metadata: ~
+
+# ================================== Logging ===================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publisher", "service".
+#logging.selectors: ["*"]
+
+# ============================= X-Pack Monitoring ==============================
+# Filebeat can export internal metrics to a central Elasticsearch monitoring
+# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the filebeat.
+#instrumentation:
+ # Set to true to enable instrumentation of filebeat.
+ #enabled: false
+
+ # Environment in which filebeat is running on (eg: staging, production, etc.)
+ #environment: ""
+
+ # APM Server hosts to report instrumentation results to.
+ #hosts:
+ # - http://localhost:8200
+
+ # API Key for the APM Server(s).
+ # If api_key is set then secret_token will be ignored.
+ #api_key:
+
+ # Secret token for the APM Server(s).
+ #secret_token:
+
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true
+
diff --git a/roles/filebeat-cli/handlers/main.yml b/roles/filebeat-cli/handlers/main.yml
new file mode 100644
index 0000000..e1054ad
--- /dev/null
+++ b/roles/filebeat-cli/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: start filebeat
+ service:
+ name: filebeat
+ state: started
+ enabled: yes
diff --git a/roles/filebeat-cli/tasks/main.yml b/roles/filebeat-cli/tasks/main.yml
new file mode 100644
index 0000000..f9d8ff1
--- /dev/null
+++ b/roles/filebeat-cli/tasks/main.yml
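Review bot: `output.elasticsearch` authenticates as the `elastic` superuser with the well-known default `password: "changeme"` while `#protocol: "https"` stays commented out, so that password crosses the network in clear text to s-elk.gsb.lan:9200 on every connection, and the role ships this file to every client it configures. Use a dedicated least-privilege writer account instead of `elastic`, move the secret out of the file (`password: "${ES_PWD}"` resolved from the Filebeat keystore, or an Ansible-vaulted variable rendered through `template`), and set `protocol: "https"` together with `ssl.certificate_authorities` once the cluster exposes TLS. `setup.kibana.host` has the same plaintext exposure. `add_cloud_metadata` and `add_kubernetes_metadata` are unlikely to apply to these hosts and can be dropped from `processors` to avoid needless lookups at startup.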
@@ -0,0 +1,23 @@
+---
+- name: Récupération de filebeat
+ get_url:
+ url: http://s-adm.gsb.adm/gsbstore/filebeat-7.16.3-amd64.deb
+ dest: /tmp/
+
+- name: Installation de filebeat
+ apt:
+ deb: /tmp/filebeat-7.16.3-amd64.deb
+
+- name: Changement du fichier de conf
+ copy:
+ src: filebeat.yml
+ dest: /etc/filebeat/filebeat.yml
+
+- name: Configuration de filebeat
+ shell: filebeat modules enable system
+ notify: start filebeat
+
+- name: Lancement de la configuration de filebeat
+ shell: filebeat setup -e
+ notify: start filebeat
+
diff --git a/roles/fog/defaults/main.yml b/roles/fog/defaults/main.yml
new file mode 100644
index 0000000..0086a1a
--- /dev/null
+++ b/roles/fog/defaults/main.yml
@@ -0,0 +1,3 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+depl_fog: "fogproject-1.5.9.tar.gz"
+instructions: "Pour lancer l'installateur Fog, faites : 'bash /root/tools/fog/bin/installfog.sh'. Suivez ensuite les instructions"
diff --git a/roles/fog/tasks/main.yml b/roles/fog/tasks/main.yml
new file mode 100644
index 0000000..c1452be
--- /dev/null
+++ b/roles/fog/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: creation d'un repertoire fog
+ file:
+ path: /root/tools/fog
+ state: directory
+
+- name: recuperation de l'archive d'installation fog sur git
+ git:
+ repo: https://gitea.lyc-lecastel.fr/gadmin/fog.git
+ dest: /root/tools/fog/
+ clone: yes
+ update: yes
+
+#- name: Instructions
+# tags: msg
+# debug: msg='{{instructions}}'
+
diff --git a/roles/gestsup/README.md b/roles/gestsup/README.md
new file mode 100644
index 0000000..599ac30
--- /dev/null
+++ b/roles/gestsup/README.md
@@ -0,0 +1,6 @@
+# Rôle Gestsup
+
+Ce playbook installe Gestsup et ses dépendances, et remplace certains fichier pour certaines
+configurations. Avant de lancer ce playbook, lancez "getall" sur la machine s-adm.
+
+
diff --git a/roles/gestsup/files/apache2.conf b/roles/gestsup/files/apache2.conf
new file mode 100644
index 0000000..94516e6
--- /dev/null
+++ b/roles/gestsup/files/apache2.conf
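Review bot: The `get_url` task pulls `filebeat-7.16.3-amd64.deb` over plain HTTP from `s-adm.gsb.adm` and the next task installs it as root with `apt: deb:`, with no integrity check anywhere, so a spoofed or tampered store hands every client an arbitrary package. Add `checksum: "sha256:<digest of the .deb kept in gsbstore>"` to the `get_url` task so a mismatching download is rejected before `apt` ever sees it. The two `shell:` tasks also report changed on every run, so the handler fires each time and the play is never idempotent; `command: filebeat modules enable system` with `creates: /etc/filebeat/modules.d/system.yml` (the file `modules enable` is expected to produce — confirm on a target) and a `changed_when` on `filebeat setup -e` would address that. Note too that the `copy` task that actually replaces `/etc/filebeat/filebeat.yml` carries no `notify:`, so a config-only change never reaches the handler.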
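Review bot: The `git` task clones `https://gitea.lyc-lecastel.fr/gadmin/fog.git` into `/root/tools/fog/` with `update: yes` and no `version:`, so every play run fast-forwards to whatever the remote default branch holds at that moment, and that tree is then run as root through `installfog.sh` according to the role's defaults. Pin the checkout with `version: <tag or commit>` so the installer that executes is the one that was reviewed, and consider `update: no` if re-runs should not silently move the working tree. The neighbouring defaults hunk also declares `depl_fog: "fogproject-1.5.9.tar.gz"` under `depl_url`, but nothing in this task file references it, so it is unclear which of the two installation paths is intended.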
@@ -0,0 +1,234 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + + + Options -Indexes -ExecCGI + AllowOverride None + Require all granted + + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/gestsup/files/php.ini b/roles/gestsup/files/php.ini new file mode 100644 index 0000000..953e062 --- /dev/null +++ b/roles/gestsup/files/php.ini 
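Review bot: The directory block that keeps the Debian default `Options Indexes FollowSymLinks` with `Require all granted` (the `<Directory /var/www/>` container in the stock file; the container tags did not survive extraction here, so the path is inferred) leaves automatic directory listings enabled for the document root, exposing the Gestsup tree layout and any stray upload or backup file to anyone who can reach the vhost. Change that line to `Options -Indexes +FollowSymLinks`, consistent with the `Options -Indexes -ExecCGI` block this file already adds for another directory. `FollowSymLinks` could further become `SymLinksIfOwnerMatch` if the application directory is writable by the Apache run user, but that depends on the Gestsup deployment not shown in this hunk.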
@@ -0,0 +1,1947 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (usually C:\windows) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. 
+ +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is the php.ini-production INI file. 
+ +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.sid_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to an empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. 
Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; http://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; tags as PHP source which should be processed as such. It is +; generally recommended that should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; Note: if open_basedir is set, the cache is disabled +; http://php.net/realpath-cache-size +;realpath_cache_size = 4096k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. +; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. 
CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +; Default: "" +;zend.script_encoding = + +; Allows to include or exclude arguments from stack traces generated for exceptions. +; In production, it is recommended to turn this setting on to prohibit the output +; of sensitive information in stack traces +; Default: Off +zend.exception_ignore_args = On + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = Off + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 480 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. 
+; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +;max_input_vars = 1000 + +; Maximum amount of memory a script may consume +; http://php.net/memory-limit +memory_limit = 512M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. 
+; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it is automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. 
Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors +display_errors = Off + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. PHP's default behavior is to suppress those +; errors from clients. Turning the display of startup errors on can be useful in +; debugging configuration problems. We strongly recommend you +; set this to 'off' for production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors +display_startup_errors = Off + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors +log_errors = On + +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. 
+; http://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; http://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This is only effective in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks +report_memleaks = On + +; This setting is on by default. +;report_zend_debug = 0 + +; Store the last error/warning message in $php_errormsg (boolean). Setting this value +; to On can assist in debugging and is appropriate for development servers. It should +; however be disabled on production servers. +; This directive is DEPRECATED. +; Default Value: Off +; Development Value: Off +; Production Value: Off +; http://php.net/track-errors +;track_errors = Off + +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; http://php.net/html-errors +;html_errors = On + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. You must also specify the file extension being used including +; the dot. 
PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; http://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). +;error_log = syslog + +; The syslog ident is a string which is prepended to every message logged +; to syslog. Only used when error_log is set to syslog. +;syslog.ident = php + +; The syslog facility is used to specify what type of program is logging +; the message. Only used when error_log is set to syslog. +;syslog.facility = user + +; Set this to disable filtering control characters (the default). +; Some loggers only accept NVT-ASCII, others accept anything that's not +; control characters. If your logger accepts everything, then no filtering +; is needed at all. +; Allowed values are: +; ascii (all printable ASCII characters and NL) +; no-ctrl (all characters except control characters) +; all (all characters) +; raw (like "all", but messages are not split at newlines) +; http://php.net/syslog.filter +;syslog.filter = ascii + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". 
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any effect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = 8M
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/usr/share/php"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues. The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+;extension_dir = "./"
+; On windows:
+;extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+;sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function. The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers. Left undefined, PHP turns this on by default. You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution. Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
+; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+;cgi.discard_path=1
+
+; FastCGI under IIS supports the ability to impersonate
+; security tokens of the calling client. This allows IIS to define the
+; security context that the request runs under. mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS. Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = 8M
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+allow_url_fopen = On
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+; extension=modulename
+;
+; For example:
+;
+; extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+; extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=.so' and
+; 'extension='php_.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=) syntax.
+;
+; Notes for Windows environments :
+;
+; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
+; extension folders as well as the separate PECL DLL download (PHP 5+).
+; Be sure to appropriately set the extension_dir directive.
+;
+;extension=bz2
+;extension=curl
+;extension=ffi
+;extension=ftp
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=ldap
+;extension=mbstring
+;extension=exif ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sodium
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+date.timezone = Europe/Paris
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < input_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/var/lib/php/sessions"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Strict", "Lax" or "None". When using "None",
+; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 0
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script is the equivalent of setting
+; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; is special; if you include them here, the rewriter will
+; add a hidden field with the info which is otherwise appended
+; to URLs. tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a component's typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbstring.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
+; to the pcre.recursion_limit for PCRE.
+; Default: 100000
+;mbstring.regex_stack_limit=100000
+
+; This directive specifies maximum retry count for mbstring regular expressions. It is similar
+; to the pcre.backtrack_limit for PCRE.
+; Default: 1000000
+;mbstring.regex_retry_limit=1000000
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode +;exif.encode_unicode = ISO-8859-15 + +; http://php.net/exif.decode-unicode-motorola +;exif.decode_unicode_motorola = UCS-2BE + +; http://php.net/exif.decode-unicode-intel +;exif.decode_unicode_intel = UCS-2LE + +; http://php.net/exif.encode-jis +;exif.encode_jis = + +; http://php.net/exif.decode-jis-motorola +;exif.decode_jis_motorola = JIS + +; http://php.net/exif.decode-jis-intel +;exif.decode_jis_intel = JIS + +[Tidy] +; The path to a default tidy configuration file to use when using tidy +; http://php.net/tidy.default-config +;tidy.default_config = /usr/local/lib/php/default.tcfg + +; Should tidy clean and repair output automatically? +; WARNING: Do not use this option if you are generating non-html content +; such as dynamic images +; http://php.net/tidy.clean-output +tidy.clean_output = Off + +[soap] +; Enables or disables WSDL caching feature. +; http://php.net/soap.wsdl-cache-enabled +soap.wsdl_cache_enabled=1 + +; Sets the directory name where SOAP extension will put cache files. +; http://php.net/soap.wsdl-cache-dir +soap.wsdl_cache_dir="/tmp" + +; (time to live) Sets the number of second while cached file will be used +; instead of original one. +; http://php.net/soap.wsdl-cache-ttl +soap.wsdl_cache_ttl=86400 + +; Sets the size of the cache limit. (Max. number of WSDL files to cache) +soap.wsdl_cache_limit = 5 + +[sysvshm] +; A default size of the shared memory segment +;sysvshm.init_mem = 10000 + +[ldap] +; Sets the maximum number of open links or -1 for unlimited. +ldap.max_links = -1 + +[dba] +;dba.default_handler= + +[opcache] +; Determines if Zend OPCache is enabled +;opcache.enable=1 + +; Determines if Zend OPCache is enabled for the CLI version of PHP +;opcache.enable_cli=0 + +; The OPcache shared memory storage size. +;opcache.memory_consumption=128 + +; The amount of memory for interned strings in Mbytes. 
+;opcache.interned_strings_buffer=8 + +; The maximum number of keys (scripts) in the OPcache hash table. +; Only numbers between 200 and 1000000 are allowed. +;opcache.max_accelerated_files=10000 + +; The maximum percentage of "wasted" memory until a restart is scheduled. +;opcache.max_wasted_percentage=5 + +; When this directive is enabled, the OPcache appends the current working +; directory to the script key, thus eliminating possible collisions between +; files with the same name (basename). Disabling the directive improves +; performance, but may break existing applications. +;opcache.use_cwd=1 + +; When disabled, you must reset the OPcache manually or restart the +; webserver for changes to the filesystem to take effect. +;opcache.validate_timestamps=1 + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +;opcache.revalidate_freq=2 + +; Enables or disables file search in include_path optimization +;opcache.revalidate_path=0 + +; If disabled, all PHPDoc comments are dropped from the code to reduce the +; size of the optimized code. +;opcache.save_comments=1 + +; Allow file existence override (file_exists, etc.) performance feature. +;opcache.enable_file_override=0 + +; A bitmask, where each bit enables or disables the appropriate OPcache +; passes +;opcache.optimization_level=0x7FFFBFFF + +;opcache.dups_fix=0 + +; The location of the OPcache blacklist file (wildcards allowed). +; Each OPcache blacklist file is a text file that holds the names of files +; that should not be accelerated. The file format is to add each filename +; to a new line. The filename may be a full path or just a file prefix +; (i.e., /var/www/x blacklists all the files and directories in /var/www +; that start with 'x'). Line starting with a ; are ignored (comments). 
+;opcache.blacklist_filename= + +; Allows exclusion of large files from being cached. By default all files +; are cached. +;opcache.max_file_size=0 + +; Check the cache checksum each N requests. +; The default value of "0" means that the checks are disabled. +;opcache.consistency_checks=0 + +; How long to wait (in seconds) for a scheduled restart to begin if the cache +; is not being accessed. +;opcache.force_restart_timeout=180 + +; OPcache error_log file name. Empty string assumes "stderr". +;opcache.error_log= + +; All OPcache errors go to the Web server log. +; By default, only fatal errors (level 0) or errors (level 1) are logged. +; You can also enable warnings (level 2), info messages (level 3) or +; debug messages (level 4). +;opcache.log_verbosity_level=1 + +; Preferred Shared Memory back-end. Leave empty and let the system decide. +;opcache.preferred_memory_model= + +; Protect the shared memory from unexpected writing during script execution. +; Useful for internal debugging only. +;opcache.protect_memory=0 + +; Allows calling OPcache API functions only from PHP scripts which path is +; started from specified string. The default "" means no restriction +;opcache.restrict_api= + +; Mapping base of shared memory segments (for Windows only). All the PHP +; processes have to map shared memory into the same address space. This +; directive allows to manually fix the "Unable to reattach to base address" +; errors. +;opcache.mmap_base= + +; Facilitates multiple OPcache instances per user (for Windows only). All PHP +; processes with the same cache ID and user share an OPcache instance. +;opcache.cache_id= + +; Enables and sets the second level cache directory. +; It should improve performance when SHM memory is full, at server restart or +; SHM reset. The default "" disables file based caching. +;opcache.file_cache= + +; Enables or disables opcode caching in shared memory. 
+;opcache.file_cache_only=0 + +; Enables or disables checksum validation when script loaded from file cache. +;opcache.file_cache_consistency_checks=1 + +; Implies opcache.file_cache_only=1 for a certain process that failed to +; reattach to the shared memory (for Windows only). Explicitly enabled file +; cache is required. +;opcache.file_cache_fallback=1 + +; Enables or disables copying of PHP code (text segment) into HUGE PAGES. +; This should improve performance, but requires appropriate OS configuration. +;opcache.huge_code_pages=1 + +; Validate cached file permissions. +;opcache.validate_permission=0 + +; Prevent name collisions in chroot'ed environment. +;opcache.validate_root=0 + +; If specified, it produces opcode dumps for debugging different stages of +; optimizations. +;opcache.opt_debug_level=0 + +; Specifies a PHP script that is going to be compiled and executed at server +; start-up. +; http://php.net/opcache.preload +;opcache.preload= + +; Preloading code as root is not allowed for security reasons. This directive +; facilitates to let the preloading to be run as another user. +; http://php.net/opcache.preload_user +;opcache.preload_user= + +; Prevents caching files that are less than this number of seconds old. It +; protects from caching of incompletely updated files. In case all file updates +; on your site are atomic, you may increase performance by setting it to "0". +;opcache.file_update_protection=2 + +; Absolute path used to store shared lockfiles (for *nix only). +;opcache.lockfile_path=/tmp + +[curl] +; A default value for the CURLOPT_CAINFO option. This is required to be an +; absolute path. +;curl.cainfo = + +[openssl] +; The location of a Certificate Authority (CA) file on the local filesystem +; to use when verifying the identity of SSL/TLS peers. Most users should +; not specify a value for this directive as PHP will attempt to use the +; OS-managed cert stores in its absence. 
If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+[ffi]
+; FFI API restriction. Possible values:
+; "preload" - enabled in CLI scripts and preloaded files (default)
+; "false" - always disabled
+; "true" - always enabled
+;ffi.enable=preload
+
+; List of headers files to preload, wildcard patterns allowed.
+;ffi.preload=
diff --git a/roles/gestsup/files/security.conf b/roles/gestsup/files/security.conf
new file mode 100644
index 0000000..e99595a
--- /dev/null
+++ b/roles/gestsup/files/security.conf
@@ -0,0 +1,73 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#
+# AllowOverride None
+# Require all denied
+#
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#ServerTokens Minimal
+ServerTokens Prod
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#ServerSignature Off
+ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of: On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+#
+# Require all denied
+#
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Frame-Options: "sameorigin"
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/gestsup/handlers/main.yml b/roles/gestsup/handlers/main.yml
new file mode 100644
index 0000000..012d896
--- /dev/null
+++ b/roles/gestsup/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+ - name: redemarrage apache2
+ service:
+ name: apache2
+ state: restarted
+ enabled: yes
diff --git a/roles/gestsup/tasks/main.yml b/roles/gestsup/tasks/main.yml
new file mode 100644
index 0000000..9f05def
--- /dev/null
+++ b/roles/gestsup/tasks/main.yml
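Review bot: `ServerSignature On` undoes most of what `ServerTokens Prod` achieves, because server-generated error pages, mod_status and mod_info output will still carry the Apache version and virtual host name; the hardened value is `ServerSignature Off`. The two response-header directives at the end of the file are left commented out, so `nosniff` and `sameorigin` are never sent; uncomment `Header set X-Content-Type-Options: "nosniff"` and `Header set X-Frame-Options: "sameorigin"` once mod_headers is enabled, as the comments already require. The `<Directory />` and version-control `<DirectoryMatch>` containers that normally wrap `AllowOverride None` / `Require all denied` do not appear in this rendering of the hunk — they may have been stripped as tags, so verify the committed file still has them, otherwise those two directives are plain comments with no effect.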
@@ -0,0 +1,122 @@
+- name: Installation des dépendances
+ apt:
+ name:
+ - apache2
+ - mariadb-server
+ - python3-pip
+ - php
+ - php-mysql
+ - php-xml
+ - php-curl
+ - php-imap
+ - php-zip
+ - php-mbstring
+ - php-gd
+ - php-intl
+ - php-ldap
+ - snapd
+ - unzip
+ state: present
+
+- name: Install pymysql
+ become: true
+ pip:
+ name: pymysql
+ state: present
+
+- name: Copie de php.ini
+ copy:
+ src: php.ini
+ dest: /etc/php/7.4/apache2
+
+- name: Copie de apache2.conf
+ copy:
+ src: apache2.conf
+ dest: /etc/apache2
+
+- name: Suppression de l'ancien security.conf
+ file:
+ path: /etc/apache2/conf-available/security.conf
+ state: absent
+
+- name: Suppression de l'ancien lien symbolique
+ file:
+ path: /etc/apache2/conf-enabled/security.conf
+ state: absent
+
+- name: Copie de security.conf pour apache2
+ copy:
+ src: security.conf
+ dest: /etc/apache2/conf-available
+
+- name: Création d'un lien symbolique pour security.conf
+ ansible.builtin.shell: ln -s /etc/apache2/conf-available/security.conf /etc/apache2/conf-enabled/
+
+- name: mariadb en mode enabled
+ service:
+ name: mysql
+ enabled: yes
+
+- name: Création de l'utilisateur gestsup
+ mysql_user:
+ name: gestsup
+ password: gestsup
+ priv: '*.*:ALL,GRANT'
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Decompression du fichier gestsup.zip
+ ansible.builtin.unarchive:
+ src: http://s-adm.gsb.adm/gsbstore/gestsup_3.2.15.zip
+ dest: /var/www/html/
+ remote_src: yes
+
+- name: Suppression de index.html
+ ansible.builtin.file:
+ path: /var/www/html/index.html
+ state: absent
+
+- name: Création de l'utilisateur et attribution au groupe www-data
+ ansible.builtin.shell: adduser gestsup --ingroup www-data
+
+- name: Attribution des repertoires a www-data et gestsup
+ ansible.builtin.file:
+ path: /var/www/html
+ owner: gestsup
+ group: www-data
+ recurse: yes
+
+- name: Attribution de droit 750
+ ansible.builtin.shell: find /var/www/html/ -type d -exec chmod 750 {} \;
+
+- name:
Attribution de droit en 640
+ ansible.builtin.shell: find /var/www/html/ -type f -exec chmod 640 {} \;
+
+- name: Droit 770 pour le repertoire upload
+ ansible.builtin.file:
+ path: /var/www/html/upload
+ mode: '0770'
+ recurse: yes
+
+- name: Droit 770 pour le repertoire images/model
+ ansible.builtin.file:
+ path: /var/www/html/images/model
+ mode: '0770'
+ recurse: yes
+
+- name: Droit 770 pour le repertoire backup
+ ansible.builtin.file:
+ path: /var/www/html/backup
+ mode: '0770'
+ recurse: yes
+
+- name: Droit 770 pour le repertoire _SQL
+ ansible.builtin.file:
+ path: /var/www/html/_SQL
+ mode: '0770'
+ recurse: yes
+
+- name: Droit 660 pour connect.php
+ ansible.builtin.file:
+ path: /var/www/html/connect.php
+ mode: '0660'
diff --git a/roles/goss/defaults/main.yml b/roles/goss/defaults/main.yml
new file mode 100644
index 0000000..b564958
--- /dev/null
+++ b/roles/goss/defaults/main.yml
@@ -0,0 +1,3 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+depl_goss: "goss"
+
diff --git a/roles/goss/tasks/main.yml b/roles/goss/tasks/main.yml
new file mode 100644
index 0000000..a82feb1
--- /dev/null
+++ b/roles/goss/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: goss binary exists
+ stat: path=/usr/local/bin/goss
+ register: gossbin
+
+- name: install goss sur machine standard
+ get_url:
+ url: "{{ depl_url }}/{{ depl_goss }}"
+ dest: /usr/local/bin/{{ depl_goss }}
+ mode: 0755
+ when: gossbin.stat.exists == False and ansible_hostname != "s-adm"
+
+- name: install goss sur s-adm
+ copy:
+ src: "/var/www/html/gsbstore/{{ depl_goss }}"
+ dest: /usr/local/bin/{{ depl_goss }}
+ mode: 0755
+ remote_src: yes
+ when: gossbin.stat.exists == False and ansible_hostname == "s-adm"
+
diff --git a/roles/icinga/README.md b/roles/icinga/README.md
new file mode 100644
index 0000000..c9e721f
--- /dev/null
+++ b/roles/icinga/README.md
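Review bot: The `mysql_user` task in the gestsup role creates the application account with the literal password `gestsup` and `priv: '*.*:ALL,GRANT'`, i.e. a fully privileged, grant-capable DBA login whose credential is committed to the repository; the application only needs its own schema, so the two lines should become `password: "{{ gestsup_db_password }}"` (supplied from an Ansible Vault variable) and `priv: 'gestsup.*:ALL'`. The `ln -s` and `adduser gestsup --ingroup www-data` steps run through `ansible.builtin.shell` and will error on a second run once the symlink and user exist; `ansible.builtin.file` with `state: link` and `ansible.builtin.user` with `group: www-data` give the same result idempotently. `ansible.builtin.unarchive` fetches `gestsup_3.2.15.zip` over plain `http://` and extracts it straight into the web root with no integrity check, so a checksum-verified `get_url` into a staging path before extraction would be the safer sequence. None of the tasks that replace `php.ini`, `apache2.conf` or `security.conf` carry `notify: redemarrage apache2`, so the handler defined in this commit is never triggered and the new configuration is not applied until something else restarts Apache.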
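Review bot: The goss role's `get_url` task installs a binary it downloaded over plain `http://` from `depl_url` into `/usr/local/bin` with mode 0755 and no `checksum:` argument, so a tampered or truncated download is silently made executable system-wide; add `checksum: "sha256:<expected-goss-sha256>"` (value to be taken from the published release) so the task fails on mismatch. The two `when` conditions compare against the Python literal with `gossbin.stat.exists == False`; the idiomatic and lint-clean form is `when: not gossbin.stat.exists and ansible_hostname != "s-adm"`. `mode: 0755` is an unquoted YAML octal that Ansible accepts, but `mode: '0755'` is the documented, unambiguous spelling and is what the gestsup role in this same commit already uses.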
@@ -0,0 +1,117 @@
+# Instalation de NSClient++ sur la machine s-win
+
+En premier lieu, installer Mozilla Firefox via Internet Explorer.
+
+Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/)
+
+Puis choisir la version Windows
+
+# Etapes de l'installation
+
+Sur l'étape **Select monitoring tool**, sélectionner **Generic**.
+
+Sur l'étape **Choose setup type**, sélectionner **Typical**.
+
+Sur l'étape **NSClient++ Configuration:
+
+```
+
+Allowed hosts: 172.16.0.8
+
+Password: root
+
+```
+
+Activer **check plugins, check_nt et check_nrpe**.
+
+**Laisser NSCA client et web server désactivé**
+
+Cocher la case **Insecure legacy mode**
+
+
+Terminer l'installation.
+
+# Modification des fichiers
+
+Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient** (celui avec un rouage).
+
+Une fois ouvert, modifier tout le fichier avec ceci:
+
+```
+
+#If you want to fill this file with all available options run the following command:
+#nscp settings --generate --add-defaults --load-all
+#If you want to activate a module and bring in all its options use:
+#nscp settings --activate-module --add-defaults
+#For details run: nscp settings --help
+
+
+; in flight - TODO
+[/settings/default]
+
+; Undocumented key
+password = root
+
+; Undocumented key
+allowed hosts = 172.16.0.8
+
+
+; in flight - TODO
+[/settings/NRPE/server]
+
+; Undocumented key
+verify mode = none
+
+; Undocumented key
+insecure = true
+
+
+; in flight - TODO
+[/modules]
+
+; Undocumented key
+CheckExternalScripts = enabled
+
+; Undocumented key
+CheckHelpers = enabled
+
+; Undocumented key
+CheckEventLog = enabled
+
+; Undocumented key
+CheckNSCP = enabled
+
+; Undocumented key
+CheckDisk = enabled
+
+; Undocumented key
+CheckSystem = enabled
+
+; Undocumented key
+NSClientServer = enabled
+
+; Undocumented key
+NRPEServer = enabled
+
+```
+
+Redémarrez le service NSClient++ via le **cmd**:
+
+```
+
+services.msc
+
+```
+
+Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer**
+
+
+Retourner sur le serveur nagios puis écrire:
+
+```
+
+systemctl restart icinga
+
+```
+
+Les services de la machine **srv-2012** apparaissent en **OK**.
diff --git a/roles/icinga/files/cfg/contacts_icinga.cfg b/roles/icinga/files/cfg/contacts_icinga.cfg
new file mode 100644
index 0000000..8a66285
--- /dev/null
+++ b/roles/icinga/files/cfg/contacts_icinga.cfg
@@ -0,0 +1,59 @@
+###############################################################################
+# contacts.cfg
+###############################################################################
+
+
+
+###############################################################################
+###############################################################################
+#
+# CONTACTS
+#
+###############################################################################
+###############################################################################
+
+# In this simple config file, a single contact will receive all alerts.
+
+#define contact{
+# contact_name root
+# alias Root
+# service_notification_period 24x7
+# host_notification_period 24x7
+# service_notification_options w,u,c,r
+# host_notification_options d,r
+# service_notification_commands notify-service-by-email
+# host_notification_commands notify-host-by-email
+# email root@localhost
+# }
+
+
+define contact{
+ contact_name admin
+ alias Administrateur
+ service_notification_period 24x7
+ host_notification_period 24x7
+ service_notification_options w,u,c,r
+ host_notification_options d,r
+ service_notification_commands notify-service-by-email
+ host_notification_commands notify-host-by-email
+ email icinga.ppe31@gmail.com
+ }
+
+
+
+###############################################################################
+###############################################################################
+#
+# CONTACT GROUPS
+#
+###############################################################################
+###############################################################################
+
+# We only have one contact in this simple configuration file, so there is
+# no need to create more than one contact group.
+
+define contactgroup{
+ contactgroup_name admins
+ alias Nagios Administrators
+ members admin
+ }
diff --git a/roles/icinga/files/cfg/extinfo_icinga.cfg b/roles/icinga/files/cfg/extinfo_icinga.cfg
new file mode 100644
index 0000000..07bd594
--- /dev/null
+++ b/roles/icinga/files/cfg/extinfo_icinga.cfg
@@ -0,0 +1,13 @@
+##
+## Extended Host and Service Information
+##
+
+define hostextinfo{
+ hostgroup_name debian-servers
+ notes Debian GNU/Linux servers
+# notes_url http://webserver.localhost.localdomain/hostinfo.pl?host=netware1
+ icon_image base/debian.png
+ icon_image_alt Debian GNU/Linux
+ vrml_image debian.png
+ statusmap_image base/debian.gd2
+ }
diff --git a/roles/icinga/files/cfg/generic-host_icinga.cfg b/roles/icinga/files/cfg/generic-host_icinga.cfg
new file mode 100644
index 0000000..e6d96ac
--- /dev/null
+++ b/roles/icinga/files/cfg/generic-host_icinga.cfg
@@ -0,0 +1,19 @@
+# Generic host definition template - This is NOT a real host, just a template!
+
+define host{
+ name generic-host ; The name of this host template
+ notifications_enabled 1 ; Host notifications are enabled
+ event_handler_enabled 1 ; Host event handler is enabled
+ flap_detection_enabled 1 ; Flap detection is enabled
+ failure_prediction_enabled 1 ; Failure prediction is enabled
+ process_perf_data 1 ; Process performance data
+ retain_status_information 1 ; Retain status information across program restarts
+ retain_nonstatus_information 1 ; Retain non-status information across program restarts
+ check_command check-host-alive
+ max_check_attempts 10
+ notification_interval 0
+ notification_period 24x7
+ notification_options d,u,r
+ contact_groups admins
+ register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
+ }
diff --git a/roles/icinga/files/cfg/generic-service_icinga.cfg b/roles/icinga/files/cfg/generic-service_icinga.cfg
new file mode 100644
index 0000000..4d60c79
--- /dev/null
+++ b/roles/icinga/files/cfg/generic-service_icinga.cfg
@@ -0,0 +1,26 @@
+# generic service template definition
+define service{
+ name generic-service ; The 'name' of this service template
+ active_checks_enabled 1 ; Active service checks are enabled
+ passive_checks_enabled 1 ; Passive service checks are enabled/accepted
+ parallelize_check 1 ; Active service checks should be parallelized (disabling this can lead to major performance problems)
+ obsess_over_service 1 ; We should obsess over this service (if necessary)
+ check_freshness 0 ; Default is to NOT check service 'freshness'
+ notifications_enabled 1 ; Service notifications are enabled
+ event_handler_enabled 1 ; Service event handler is enabled
+ flap_detection_enabled 1 ; Flap detection is enabled
+ failure_prediction_enabled 1 ; Failure prediction is enabled
+ process_perf_data 1 ; Process performance data
+ retain_status_information 1 ; Retain status information across program restarts
+ retain_nonstatus_information 1 ; Retain non-status information across program restarts
+ notification_interval 0 ; Only send notifications on status change by default.
+ is_volatile 0
+ check_period 24x7
+ normal_check_interval 5
+ retry_check_interval 1
+ max_check_attempts 4
+ notification_period 24x7
+ notification_options w,u,c,r
+ contact_groups admins
+ register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
+ }
diff --git a/roles/icinga/files/cfg/gwsio2.cfg b/roles/icinga/files/cfg/gwsio2.cfg
new file mode 100644
index 0000000..c09b7d2
--- /dev/null
+++ b/roles/icinga/files/cfg/gwsio2.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name gwsio2
+ alias Passerelle
+ address 192.168.0.1
+ icon_image cook/linux_server.gif
+ statusmap_image cook/linux_server.gd2
+ }
diff --git a/roles/icinga/files/cfg/hostgroups_icinga.cfg b/roles/icinga/files/cfg/hostgroups_icinga.cfg
new file mode 100644
index 0000000..a7df306
--- /dev/null
+++ b/roles/icinga/files/cfg/hostgroups_icinga.cfg
@@ -0,0 +1,75 @@
+# Some generic hostgroup definitions
+
+define hostgroup {
+ hostgroup_name all
+ alias All Servers
+ members *
+ }
+
+define hostgroup {
+ hostgroup_name localhost
+ alias Debian GNU/Linux Servers
+ members localhost
+ }
+
+define hostgroup {
+ hostgroup_name debian-servers
+ alias Serveurs distant
+ members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess
+}
+
+define hostgroup {
+ hostgroup_name ssh-servers
+ alias acces SSH
+ members s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil, s-mess, s-lb
+}
+
+define hostgroup {
+ hostgroup_name dns-servers
+ alias serveurs-dns
+ members s-infra, srv-2012
+}
+
+define hostgroup {
+ hostgroup_name dhcp-servers
+ alias serveurs-dhcp
+ members r-int, srv-2012
+}
+
+define hostgroup {
+ hostgroup_name http-servers
+ alias serveurs-web
+ members localhost, s-itil, s-adm
+ }
+
+#define hostgroup {
+# hostgroup_name email-servers
+# alias serveurs-email
+# members s-mess
+# }
+
+define hostgroup {
+ hostgroup_name proxy-servers
+ alias serveurs-proxy
+ members s-proxy
+}
+
+define hostgroup{
+ hostgroup_name windows-servers
+ alias windows-servers
+ members srv-2012
+}
+
+define hostgroup{
+ hostgroup_name dns-win
+ alias dns-win
+ members srv-2012
+}
+
+define hostgroup{
+ hostgroup_name uptimegrp
+ alias uptimegrp
+ members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess, s-lb
+}
+
+
diff --git a/roles/icinga/files/cfg/localhost_icinga.cfg b/roles/icinga/files/cfg/localhost_icinga.cfg
new file mode 100644
index 0000000..c15cda4
--- /dev/null
+++ b/roles/icinga/files/cfg/localhost_icinga.cfg
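Review bot: `srv-2012` is listed as a member of `dns-servers`, `dhcp-servers`, `windows-servers` and `dns-win`, but none of the host definition files added in this commit's visible hunks defines a host named `srv-2012`; if it is not declared in another cfg file, the configuration check will reject these hostgroups on an unknown member, so either add the host file or drop the references until it exists. The file also mixes three layouts for the same object type — `define hostgroup {` with trailing whitespace and an unindented `}`, `define hostgroup {` with an indented ` }`, and `define hostgroup{` — and picking one (the `define hostgroup {` … ` }` form of the first two definitions matches the other cfg files in this commit) would make future diffs of this file far easier to read.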
@@ -0,0 +1,60 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in icinga-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name localhost
+ alias localhost
+ address 127.0.0.1
+ parents gwsio2
+ }
+
+# Define a service to check the disk space of the root partition
+# on the local machine. Warning if < 20% free, critical if
+# < 10% free space on partition.
+
+define service{
+ use generic-service ; Name of service template to use
+ host_name localhost
+ service_description Disk Space
+ check_command check_all_disks!20%!10%
+ }
+
+
+
+# Define a service to check the number of currently logged in
+# users on the local machine. Warning if > 20 users, critical
+# if > 50 users.
+
+define service{
+ use generic-service ; Name of service template to use
+ host_name localhost
+ service_description Current Users
+ check_command check_users!20!50
+ }
+
+
+# Define a service to check the number of currently running procs
+# on the local machine. Warning if > 250 processes, critical if
+# > 400 processes.
+
+define service{
+ use generic-service ; Name of service template to use
+ host_name localhost
+ service_description Total Processes
+ check_command check_procs!250!400
+ }
+
+
+
+# Define a service to check the load on the local machine.
+
+define service{
+ use generic-service ; Name of service template to use
+ host_name localhost
+ service_description Current Load
+ check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
+ }
diff --git a/roles/icinga/files/cfg/netgear.cfg b/roles/icinga/files/cfg/netgear.cfg
new file mode 100644
index 0000000..23562fe
--- /dev/null
+++ b/roles/icinga/files/cfg/netgear.cfg
@@ -0,0 +1,16 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name netgear
+ alias switch
+ address 192.168.0.2
+ #parents gwsio4
+ icon_image cook/switch.gif
+ statusmap_image cook/switch.gd2
+}
+
diff --git a/roles/icinga/files/cfg/r-ext.cfg b/roles/icinga/files/cfg/r-ext.cfg
new file mode 100644
index 0000000..4c14bef
--- /dev/null
+++ b/roles/icinga/files/cfg/r-ext.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name r-ext
+ alias Routeur externe
+ address 192.168.200.253
+ parents localhost
+ }
diff --git a/roles/icinga/files/cfg/r-int.cfg b/roles/icinga/files/cfg/r-int.cfg
new file mode 100644
index 0000000..77ebe3d
--- /dev/null
+++ b/roles/icinga/files/cfg/r-int.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name r-int
+ alias Routeur interne
+ address 172.16.0.254
+ parents r-ext
+ }
diff --git a/roles/icinga/files/cfg/s-adm.cfg b/roles/icinga/files/cfg/s-adm.cfg
new file mode 100644
index 0000000..aeadbee
--- /dev/null
+++ b/roles/icinga/files/cfg/s-adm.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name s-adm
+ alias debian-servers
+ address 192.168.99.99
+ parents r-int
+ }
+
diff --git a/roles/icinga/files/cfg/s-infra.cfg b/roles/icinga/files/cfg/s-infra.cfg
new file mode 100644
index 0000000..c369ff6
--- /dev/null
+++ b/roles/icinga/files/cfg/s-infra.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name s-infra
+ alias debian-servers
+ address 172.16.0.1
+ parents r-int
+ }
+
diff --git a/roles/icinga/files/cfg/s-itil.cfg b/roles/icinga/files/cfg/s-itil.cfg
new file mode 100644
index 0000000..8f34e2e
--- /dev/null
+++ b/roles/icinga/files/cfg/s-itil.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name s-itil
+ alias debian-servers
+ address 172.16.0.9
+ parents r-int
+ }
+
diff --git a/roles/icinga/files/cfg/s-lb.cfg b/roles/icinga/files/cfg/s-lb.cfg
new file mode 100644
index 0000000..5754f25
--- /dev/null
+++ b/roles/icinga/files/cfg/s-lb.cfg
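Review bot: `alias debian-servers` in s-adm.cfg (and the same line in s-infra and s-itil here, s-lb in the next hunk group, plus `alias windows-servers` in srv-2012) reads like an attempt to place the host in a hostgroup, but `alias` is only the display name; membership comes from a `hostgroups` attribute on the host or a `members` list in a `define hostgroup{}`. Every service in services_icinga.cfg is bound through `hostgroup_name debian-servers` / `windows-servers`, so unless hostgroup definitions with explicit members exist outside this patch these hosts get no disk, load or RAM checks at all and the alias misleads whoever reads the status page. Suggested replacement for the alias line: `alias Serveur d'administration` followed by `hostgroups debian-servers` (adapt per host).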
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template$
+ host_name s-lb
+ alias debian-servers
+ address 192.168.100.10
+ parents r-int
+ }
+
diff --git a/roles/icinga/files/cfg/s-mess.cfg b/roles/icinga/files/cfg/s-mess.cfg
new file mode 100644
index 0000000..79df415
--- /dev/null
+++ b/roles/icinga/files/cfg/s-mess.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template$
+ host_name s-mess
+ alias nextcloud
+ address 172.16.0.7
+ parents r-int
+ }
+
diff --git a/roles/icinga/files/cfg/s-proxy.cfg b/roles/icinga/files/cfg/s-proxy.cfg
new file mode 100644
index 0000000..de4f3c9
--- /dev/null
+++ b/roles/icinga/files/cfg/s-proxy.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name s-proxy
+ alias serveur proxy
+ address 172.16.0.2
+ parents r-int
+ }
diff --git a/roles/icinga/files/cfg/services_icinga.cfg b/roles/icinga/files/cfg/services_icinga.cfg
new file mode 100644
index 0000000..b69e5d8
--- /dev/null
+++ b/roles/icinga/files/cfg/services_icinga.cfg
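Review bot: The `use generic-host ; Name of host template$` line in s-lb.cfg and s-mess.cfg carries a stray `$` and a truncated comment, apparently pasted from a `cat -A`-style listing; Icinga ignores everything after `;` so the files parse, but it reads as an editing accident. Restore the comment every other host file uses, `use generic-host ; Name of host template to use`.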
@@ -0,0 +1,106 @@
+define service {
+ hostgroup_name http-servers
+ service_description HTTP
+ check_command check_http
+ use generic-service
+ notification_interval 0 ; set > 0 if you want to be renotified
+}
+
+define service {
+ hostgroup_name ssh-servers
+ service_description SSH
+ check_command check_ssh
+ use generic-service
+ notification_interval 0 ; set > 0 if you want to be renotified
+}
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Espace disque
+ check_command check_snmp_storage!public!--v2c!"^/$|tmp|usr|var"!90!95
+ }
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Charge machine
+ check_command check_snmp_load!public!--v2c!netsl!2,1,1!3,2,2
+ }
+
+define service{
+ use generic-service
+ hostgroup_name localhost
+ service_description Charge machine
+ check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
+ }
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description RAM
+ check_command check_snmp_mem!public!--v2c!-N!95,60!99,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Version NSClient++
+ check_command check_nt!CLIENTVERSION
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Charge CPU
+ check_command check_nt!CPULOAD!-l 5,80,90,15,80,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Uptime
+ check_command check_nt!UPTIME
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Mem Use
+ check_command check_nt!MEMUSE!80,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Disk Space
+ check_command check_nt!USEDDISKSPACE!-l C!10,5
+}
+
+define service{
+ use generic-service
+ hostgroup_name dns-win
+ service_description Service DNS
+ check_command check_nt!SERVICESTATE!-l W32Time,"Client DNS"
+}
+
+define service{
+ use generic-service
+ hostgroup_name uptimegrp
+ service_description Uptime
+ check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0
+}
+
+define service{
+ use generic-service
+ hostgroup_name dns-servers
+ service_description DNS Ext
+ check_command check_dns
+}
+
+#define service{
+# use generic-service
+# hostgroup_name dhcp-servers
+# service_description Service DHCP
+# check_command check_dhcp
+#}
diff --git a/roles/icinga/files/cfg/srv-2012.cfg b/roles/icinga/files/cfg/srv-2012.cfg
new file mode 100644
index 0000000..8ff28a9
--- /dev/null
+++ b/roles/icinga/files/cfg/srv-2012.cfg
@@ -0,0 +1,16 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use generic-host ; Name of host template to use
+ host_name srv-2012
+ alias windows-servers
+ address 172.16.0.6
+ parents r-int
+ icon_image base/win40.gif
+ statusmap_image base/win40.gd2
+ }
+
diff --git a/roles/icinga/files/cfg/timeperiods_icinga.cfg b/roles/icinga/files/cfg/timeperiods_icinga.cfg
new file mode 100644
index 0000000..55ecf9d
--- /dev/null
+++ b/roles/icinga/files/cfg/timeperiods_icinga.cfg
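Review bot: The SNMP community string sits in clear text in the check_command arguments of the debian-servers and uptimegrp services (`check_snmp_storage!public!--v2c!...`, `check_snmp_load!public!...`, `check_snmp_mem!public!...`, `check_snmp!-C public ...`), and it is the vendor default. The icinga.cfg added later in this commit points at `/etc/icinga/resource.cfg` precisely so that such values can live in a 600-permission file as `$USERx$` macros; defining the community there and passing it as `check_snmp_storage!$USER9$!--v2c!"^/$|tmp|usr|var"!90!95` (macro number is a placeholder) keeps it out of the object files that every reader of the role can see, and a non-default community, or SNMPv3 where the agents support it, limits what any host on the management network can read from them. The check_nt services likewise pass no `-s` password, so NSClient++ on srv-2012 is presumably relying on an allowed-hosts list alone; that assumption should be stated in a comment next to the windows-servers block, e.g. `; NSClient++ queries are unauthenticated: restrict allowed hosts on the agent to the monitoring server`.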
@@ -0,0 +1,50 @@
+###############################################################################
+# timeperiods.cfg
+###############################################################################
+
+# This defines a timeperiod where all times are valid for checks,
+# notifications, etc. The classic "24x7" support nightmare. :-)
+
+define timeperiod{
+ timeperiod_name 24x7
+ alias 24 Hours A Day, 7 Days A Week
+ sunday 00:00-24:00
+ monday 00:00-24:00
+ tuesday 00:00-24:00
+ wednesday 00:00-24:00
+ thursday 00:00-24:00
+ friday 00:00-24:00
+ saturday 00:00-24:00
+ }
+
+# Here is a slightly friendlier period during work hours
+define timeperiod{
+ timeperiod_name workhours
+ alias Standard Work Hours
+ monday 09:00-17:00
+ tuesday 09:00-17:00
+ wednesday 09:00-17:00
+ thursday 09:00-17:00
+ friday 09:00-17:00
+ }
+
+# The complement of workhours
+define timeperiod{
+ timeperiod_name nonworkhours
+ alias Non-Work Hours
+ sunday 00:00-24:00
+ monday 00:00-09:00,17:00-24:00
+ tuesday 00:00-09:00,17:00-24:00
+ wednesday 00:00-09:00,17:00-24:00
+ thursday 00:00-09:00,17:00-24:00
+ friday 00:00-09:00,17:00-24:00
+ saturday 00:00-24:00
+ }
+
+# This one is a favorite: never :)
+define timeperiod{
+ timeperiod_name never
+ alias Never
+ }
+
+# end of file
diff --git a/roles/icinga/files/check_iftraffic3.pl b/roles/icinga/files/check_iftraffic3.pl
new file mode 100755
index 0000000..62ddbd1
--- /dev/null
+++ b/roles/icinga/files/check_iftraffic3.pl
@@ -0,0 +1,643 @@ +#!/usr/bin/perl -w +# +# check_iftraffic.pl - Nagios(r) network traffic monitor plugin +# Copyright (C) 2004 Gerd Mueller / Netways GmbH +# $Id: check_iftraffic.pl 1119 2006-02-09 10:30:09Z gmueller $ +# +# mw = Markus Werner mw+nagios@wobcom.de +# Remarks (mw): +# +# I adopted as much as possible the programming style of the origin code. +# +# There should be a function to exit this programm, +# instead of calling print and exit statements all over the place. +# +# +# minor changes by mw +# The snmp if_counters on net devices can have overflows. +# I wrote this code to address this situation. +# It has no automatic detection and which point the overflow +# occurs but it will generate a warning state and you +# can set the max value by calling this script with an additional +# arg. +# +# minor cosmetic changes by mw +# Sorry but I couldn't sustain to clean up some things. +# +# gj = Greg Frater gregATfraterfactory.com +# Remarks (gj): +# minor (gj): +# +# * fixed the performance data, formating was not to spec +# * Added a check of the interfaces status (up/down). +# If down the check returns a critical status. +# * Allow either textual or the numeric index value. +# * If the interface speed is not specified on the command line +# it gets it automatically from IfSpeed +# * Added option for second ifSpeed to allow for asymetrcal links +# such as a DSL line or cable modem where the download and upload +# speeds are different +# * Added -B option to display results in bits/sec instead of Bytes/sec +# * Added the current usage in Bytes/s (or bit/s) to the perfdata output +# * Added ability for plugin to determine interface to query by matching IP +# address of host with entry in ipAdEntIfIndex (.1.3.6.1.2.1.4.20.1.2) +# * Added -L flag to list entries found in the ipAdEntIfIndex table +# Otherwise, it works as before. +# +# +# +# +# based on check_traffic from Adrian Wieczorek, +# +# Send us bug reports, questions and comments about this plugin. 
+# Latest version of this software: http://www.nagiosexchange.org +# +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307 + +use strict; + +use Net::SNMP; +use Getopt::Long; +&Getopt::Long::config('bundling'); + +use Data::Dumper; + +my $host_ip; +my $host_address; +my $iface_number; +my $iface_descr; +my $iface_speed; +my $iface_speedOut; +my $index_list; +my $opt_h; +my $units; + +my $session; +my $error; +my $port = 161; +my $snmp_version = 1; + +my @snmpoids; + +# SNMP OIDs for Traffic +my $snmpIfOperStatus = '1.3.6.1.2.1.2.2.1.8'; +my $snmpIfInOctets = '1.3.6.1.2.1.2.2.1.10'; +my $snmpIfOutOctets = '1.3.6.1.2.1.2.2.1.16'; +my $snmpIfDescr = '1.3.6.1.2.1.2.2.1.2'; +my $snmpIfSpeed = '1.3.6.1.2.1.2.2.1.5'; +my $snmpIPAdEntIfIndex = '1.3.6.1.2.1.4.20.1.2'; + +my $response; + +# Path to tmp files +my $TRAFFIC_FILE = "/tmp/traffic"; + +# changes sos 20090717 UNKNOWN must bes 3 +my %STATUS_CODE = + ( 'UNKNOWN' => '3', 'OK' => '0', 'WARNING' => '1', 'CRITICAL' => '2' ); + +#default values; +my $state = "UNKNOWN"; +my $if_status = '4'; +my ( $in_bytes, $out_bytes ) = 0; +my $warn_usage = 85; +my $crit_usage = 98; +my $COMMUNITY = "public"; +my $use_reg = undef; # Use Regexp for name +my $output = ""; +my $bits = undef; +my $suffix = "Bs"; +my $label = "MBytes"; + +#added 20050614 by mw +my $max_value; +my $max_bytes; + 
+#cosmetic changes 20050614 by mw, see old versions for detail +# Added options for bits and second max ifspeed 20100202 by gj +# Added options for specificy IP addr to match 20100405 by gj +my $status = GetOptions( + "h|help" => \$opt_h, + 'B' => \$bits, + 'bits' => \$bits, + "C|community=s" => \$COMMUNITY, + "w|warning=s" => \$warn_usage, + "c|critical=s" => \$crit_usage, + "b|bandwidth|I|inBandwidth=i" => \$iface_speed, + "O|outBandwidth=i" => \$iface_speedOut, + 'r' => \$use_reg, + 'noregexp' => \$use_reg, + "p|port=i" => \$port, + "u|units=s" => \$units, + "i|interface=s" => \$iface_number, + "A|address=s" => \$host_ip, + "H|hostname=s" => \$host_address, + 'L' => \$index_list, + 'list' => \$index_list, + + #added 20050614 by mw + "M|max=i" => \$max_value +); + +if ( $status == 0 ) { + print_help(); + exit $STATUS_CODE{'OK'}; +} + +# Changed 20091214 gj +# Check for missing options +#if ( ( !$host_address ) or ( !$iface_descr ) ) { +if ( !$host_address ) { + print "\nMissing host address!\n\n"; + stop(print_usage(),"OK"); +} elsif ( ( $iface_speed ) and ( !$units ) ){ + print "\nMissing units!\n\n"; + stop(print_usage(),"OK"); +} elsif ( ( $units ) and ( ( !$iface_speed ) and ( !$iface_speedOut ) ) ) { + print "\nMissing interface maximum speed!\n\n"; + stop(print_usage(),"OK"); +} elsif ( ( $iface_speedOut ) and ( !$units ) ) { + print "\nMissing units for Out maximum speed!\n\n"; + stop(print_usage(),"OK"); +} + + +if ($bits) { + $suffix = "bs" +} + +if ( !$iface_speed ) { + # Do nothing +}else{ + + #change 20050414 by mw + # Added iface_speedOut 20100202 by gj + # Convert interface speed to kiloBytes + $iface_speed = bits2bytes( $iface_speed, $units ) / 1024; + if ( $iface_speedOut ) { + $iface_speedOut = bits2bytes( $iface_speedOut, $units ) / 1024; + } + if ( !$max_value ) { + + # If no -M Parameter was set, set it to 32Bit Overflow + $max_bytes = 4194304 ; # the value is (2^32/1024) + } + else { + $max_bytes = unit2bytes( $max_value, $units ); + } +} + 
+if ( $snmp_version =~ /[12]/ ) { + ( $session, $error ) = Net::SNMP->session( + -hostname => $host_address, + -community => $COMMUNITY, + -port => $port, + -version => $snmp_version + ); + + if ( !defined($session) ) { + stop("UNKNOWN: $error","UNKNOWN"); + } +} +elsif ( $snmp_version =~ /3/ ) { + $state = 'UNKNOWN'; + stop("$state: No support for SNMP v3 yet\n",$state); +} +else { + $state = 'UNKNOWN'; + stop("$state: No support for SNMP v$snmp_version yet\n",$state); +} + +# Neither Interface Index nor Host IP address were specified +if ( !$iface_descr ) { + if ( !$host_ip ){ + # try to resolve host name and find index from ip addr + $iface_descr = fetch_Ip2IfIndex( $session, $host_address ); + } else { + # Use ip addr to find index + $iface_descr = fetch_Ip2IfIndex( $session, $host_ip ); + } +} + +#push( @snmpoids, $snmpIPAdEntIfIndex . "." . $host_address ); + +# Added 20091209 gj +# Detect if a string description was given or a numberic interface index number +if ( $iface_descr =~ /[^0123456789]+/ ) { + $iface_number = fetch_ifdescr( $session, $iface_descr ); +}else{ + $iface_number = $iface_descr; +} + +push( @snmpoids, $snmpIfSpeed . "." . $iface_number ); +push( @snmpoids, $snmpIfOperStatus . "." . $iface_number ); +push( @snmpoids, $snmpIfInOctets . "." . $iface_number ); +push( @snmpoids, $snmpIfOutOctets . "." . $iface_number ); + +if ( !defined( $response = $session->get_request(@snmpoids) ) ) { + my $answer = $session->error; + $session->close; + + stop("WARNING: SNMP error: $answer\n", "WARNING"); +} + +# Added 20091209 gj +# Get interface speed from device if not provided on command line +# Convert to kiloBytes +if ( !$iface_speed ) { + $iface_speed = $response->{ $snmpIfSpeed . "." . 
$iface_number }; + $units = "b"; + $iface_speed = bits2bytes( $iface_speed, $units ) / 1024; +} + +# Added 20100201 gj +# Check if Out max speed was provided, use same if speed for both if not +if (!$iface_speedOut) { + $iface_speedOut = $iface_speed; +} + +$if_status = $response->{ $snmpIfOperStatus . "." . $iface_number }; +$in_bytes = $response->{ $snmpIfInOctets . "." . $iface_number } / 1024; # in kiloBytes +$out_bytes = $response->{ $snmpIfOutOctets . "." . $iface_number } / 1024; # in kiloBytes + +$session->close; + +my $row; +my $last_check_time = time - 1; +my $last_in_bytes = $in_bytes; +my $last_out_bytes = $out_bytes; + +if ( + open( FILE, + "<" . $TRAFFIC_FILE . "_if" . $iface_number . "_" . $host_address + ) + ) +{ + while ( $row = ) { + + #cosmetic change 20050416 by mw + #Couldn't sustain;-) +## chomp(); + ( $last_check_time, $last_in_bytes, $last_out_bytes ) = + split( ":", $row ); + + ### by sos 17.07.2009 check for last_bytes + if ( ! $last_in_bytes ) { $last_in_bytes=$in_bytes; } + if ( ! $last_out_bytes ) { $last_out_bytes=$out_bytes; } + + if ($last_in_bytes !~ m/\d/) { $last_in_bytes=$in_bytes; } + if ($last_out_bytes !~ m/\d/) { $last_out_bytes=$out_bytes; } + } + close(FILE); +} + +my $update_time = time; + +open( FILE, ">" . $TRAFFIC_FILE . "_if" . $iface_number . "_" . $host_address ) + or die "Can't open $TRAFFIC_FILE for writing: $!"; + +printf FILE ( "%s:%.0ld:%.0ld\n", $update_time, $in_bytes, $out_bytes ); +close(FILE); + +my $db_file; + +#added 20050614 by mw +#Check for and correct counter overflow (if possible). +#See function counter_overflow. 
+$in_bytes = counter_overflow( $in_bytes, $last_in_bytes, $max_bytes ); +$out_bytes = counter_overflow( $out_bytes, $last_out_bytes, $max_bytes ); + +# Calculate traffic since last check (RX\TX) in kiloBytes +my $in_traffic = sprintf( "%.2lf", + ( $in_bytes - $last_in_bytes ) / ( time - $last_check_time ) ); +my $out_traffic = sprintf( "%.2lf", + ( $out_bytes - $last_out_bytes ) / ( time - $last_check_time ) ); + +# sos 20090717 changed due to rrdtool needs bytes +my $in_traffic_absolut = $in_bytes * 1024 ; +my $out_traffic_absolut = $out_bytes * 1024; + +# Calculate usage percentages +my $in_usage = sprintf( "%.2f", ( 1.0 * $in_traffic * 100 ) / $iface_speed ); +my $out_usage = sprintf( "%.2f", ( 1.0 * $out_traffic * 100 ) / $iface_speedOut ); + + +if ($bits) { + # Convert output from Bytes to bits + $in_bytes = $in_bytes * 8; + $out_bytes = $out_bytes * 8; + $in_traffic = $in_traffic * 8; + $out_traffic = $out_traffic * 8; + $label = "Mbits"; +} + +my $in_prefix = "K"; +my $out_prefix = "K"; + +if ( $in_traffic > 1024 ) { + $in_traffic = sprintf( "%.2f", $in_traffic / 1024 ); + $in_prefix = "M"; +} +if ( $out_traffic > 1024 ) { + $out_traffic = sprintf( "%.2f", $out_traffic / 1024 ); + $out_prefix = "M"; +} +if ( $in_traffic > 1024 * 1024 ) { + $in_traffic = sprintf( "%.2f", $in_traffic / 1024 * 1024 ); + $in_prefix = "G"; +} +if ( $out_traffic > 1024 * 1024 ) { + $out_traffic = sprintf( "%.2f",$out_traffic / 1024 * 1024 ); + $out_prefix = "G"; +} + +# Convert from kiloBytes to megaBytes +$in_bytes = sprintf( "%.2f", $in_bytes / 1024 ); +$out_bytes = sprintf( "%.2f", $out_bytes / 1024 ); + +$state = "OK"; + +# Added 20091209 by gj +if ( $if_status != 1 ) { + $output = "Interface $iface_descr is down!"; + +}else{ + $output = + "Average IN: " + . $in_traffic . $in_prefix . $suffix . " (" . $in_usage . "%), " + . "Average OUT: " . $out_traffic . $out_prefix . $suffix . " (" . $out_usage . "%)
"; + $output .= "Total RX: $in_bytes $label, Total TX: $out_bytes $label"; +} + +# Changed 20091209 gj +if ( ( $in_usage > $crit_usage ) or ( $out_usage > $crit_usage ) or ( $if_status != 1 ) ) { + $state = "CRITICAL"; +} + +if ( ( $in_usage > $warn_usage ) + or ( $out_usage > $warn_usage ) && $state eq "OK" ) +{ + $state = "WARNING"; +} + +# Changed 20091209 gj +$output = "$state - $output" + if ( $state ne "OK" ); + +# Changed 20091214 gj - commas should have been semi colons +$output .= +"|inUsage=$in_usage%;$warn_usage;$crit_usage outUsage=$out_usage%;$warn_usage;$crit_usage" + . " inBandwidth=" . $in_traffic . $in_prefix . $suffix . " outBandwidth=" . $out_traffic . $out_prefix . $suffix + . " inAbsolut=$in_traffic_absolut outAbsolut=$out_traffic_absolut"; + +stop($output, $state); + + +sub fetch_Ip2IfIndex { + my $state; + my $response; + + my $snmpkey; + my $answer; + my $key; + + my ( $session, $host ) = @_; + + + # Determine if we have a host name or IP addr + if ( $host =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ ){ + #print "\nI found an IP address\n\n"; + } else { + $host = get_ip ( $host ); + #print "\nWe have a host name $host\n\n"; + } + + # Quit if results not found + if ( !defined( $response = $session->get_table($snmpIPAdEntIfIndex) ) ) { + $answer = $session->error; + $session->close; + $state = 'CRITICAL'; + $session->close; + exit $STATUS_CODE{$state}; + } + + + my %resp = %{$response}; +# foreach $key ( keys %{$response} ) { + + if ( $index_list ){ + print ("\nInterfaces found:\n"); + print (" IP Addr\tIndex\n"); + print ("------------------------\n"); + } + # Check each returned value + foreach $key ( keys %resp ) { + + if ( $index_list ){ + my $index_addr = substr $key, 21; + print ($index_addr,"\t ",$resp{$key},"\n"); + } + + # Check for ip address mathcin in returned index results + if ( $key =~ /$host$/ ) { + $snmpkey = $resp{$key}; + } + } + unless ( defined $snmpkey ) { + $session->close; + $state = 'CRITICAL'; + printf "$state: Could not 
match $host \n"; + exit $STATUS_CODE{$state}; + } + return $snmpkey; +} + +sub fetch_ifdescr { + my $state; + my $response; + + my $snmpkey; + my $answer; + my $key; + + my ( $session, $ifdescr ) = @_; + + if ( !defined( $response = $session->get_table($snmpIfDescr) ) ) { + $answer = $session->error; + $session->close; + $state = 'CRITICAL'; + $session->close; + exit $STATUS_CODE{$state}; + } + + foreach $key ( keys %{$response} ) { + + # added 20070816 by oer: remove trailing 0 Byte for Windows :-( + my $resp=$response->{$key}; + $resp =~ s/\x00//; + + + my $test = defined($use_reg) + ? $resp =~ /$ifdescr/ + : $resp eq $ifdescr; + + if ($test) { + + ###if ( $resp =~ /^$ifdescr$/ ) { + ###if ( $resp =~ /$ifdescr/ ) { + ### print "$resp \n"; + ###if ( $response->{$key} =~ /^$ifdescr$/ ) { + + $key =~ /.*\.(\d+)$/; + $snmpkey = $1; + + # print "$ifdescr = $key / $snmpkey \n"; #debug + } + } + unless ( defined $snmpkey ) { + $session->close; + $state = 'CRITICAL'; + printf "$state: Could not match $ifdescr \n"; + exit $STATUS_CODE{$state}; + } + return $snmpkey; +} + +#added 20050416 by mw +#Converts an input value to value in bits +sub bits2bytes { + return unit2bytes(@_) / 8; +} + +#added 20050416 by mw +#Converts an input value to value in bytes +sub unit2bytes { + my ( $value, $unit ) = @_; + + if ( $unit eq "g" ) { + return $value * 1024 * 1024 * 1024; + } + elsif ( $unit eq "m" ) { + return $value * 1024 * 1024; + } + elsif ( $unit eq "k" ) { + return $value * 1024; + } + elsif ( $unit eq "b" ) { + return $value * 1; + } + else { + print "You have to supply a supported unit\n"; + exit $STATUS_CODE{'UNKNOWN'}; + } +} + +#added 20050414 by mw +#This function detects if an overflow occurs. If so, it returns +#a computed value for $bytes. +#If there is no counter overflow it simply returns the origin value of $bytes. +#IF there is a Counter reboot wrap, just use previous output. 
+sub counter_overflow { + my ( $bytes, $last_bytes, $max_bytes ) = @_; + + $bytes += $max_bytes if ( $bytes < $last_bytes ); + $bytes = $last_bytes if ( $bytes < $last_bytes ); + return $bytes; +} + +# Added 20100202 by gj +# Print results and exit script +sub stop { + my $result = shift; + my $exit_code = shift; + print $result . "\n"; + exit ( $STATUS_CODE{$exit_code} ); +} + +# Added 20100405 by gj +# Lookup hosts ip address +sub get_ip { + use Net::DNS; + + my ( $host_name ) = @_; + + my $res = Net::DNS::Resolver->new; + my $query = $res->search($host_name); + + if ($query) { + foreach my $rr ($query->answer) { + next unless $rr->type eq "A"; + #print $rr->address, "\n"; + return $rr->address; + } + } else { + + stop("Error: IP address not resolved\n","UNKNOWN"); + } +} + +#cosmetic changes 20050614 by mw +#Couldn't sustain "HERE";-), either. +sub print_usage { + print <> /var/lib/nagios3/host-perfdata.out + } + + +# 'process-service-perfdata' command definition +define command{ + command_name process-service-perfdata + command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/lib/nagios3/service-perfdata.out + } diff --git a/roles/icinga/files/contacts_icinga.cfg b/roles/icinga/files/contacts_icinga.cfg new file mode 100644 index 0000000..8a66285 --- /dev/null +++ b/roles/icinga/files/contacts_icinga.cfg 
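Review bot: check_iftraffic3.pl keeps its counter state under `my $TRAFFIC_FILE = "/tmp/traffic";`, written with a plain `>` open as `/tmp/traffic_if<index>_<host>`; the name is predictable and /tmp is shared, so any local account can pre-create that file (or a symlink) to feed the plugin bogus `last_bytes` values and flip the result, or to make the nagios user overwrite something it has rights to. Keeping the state in a directory owned by the plugin user (the commands.cfg run together with this hunk already writes perfdata under `/var/lib/nagios3`) and opening it with `sysopen(FILE, $path, O_WRONLY|O_CREAT|O_NOFOLLOW)` from Fcntl removes both. Two smaller defects in fetch_Ip2IfIndex: `if ( $key =~ /$host$/ )` interpolates the address as an unanchored regex, so a host given as 2.0.0.1 also matches the ipAdEntIfIndex row for 192.0.0.1 and dots match any character — use `if ( $key =~ /\.\Q$host\E$/ )`; and both the `exit $STATUS_CODE{'OK'}` after a failed GetOptions and `stop(print_usage(),"OK")` for a missing `-H` report a misconfigured check as OK instead of UNKNOWN, so a broken command definition is never noticed. The tail of this hunk is garbled in this rendering (the `print <<` usage heredoc and the following commands.cfg are fused), so the end of the script could not be reviewed.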
@@ -0,0 +1,59 @@
+###############################################################################
+# contacts.cfg
+###############################################################################
+
+
+
+###############################################################################
+###############################################################################
+#
+# CONTACTS
+#
+###############################################################################
+###############################################################################
+
+# In this simple config file, a single contact will receive all alerts.
+
+#define contact{
+# contact_name root
+# alias Root
+# service_notification_period 24x7
+# host_notification_period 24x7
+# service_notification_options w,u,c,r
+# host_notification_options d,r
+# service_notification_commands notify-service-by-email
+# host_notification_commands notify-host-by-email
+# email root@localhost
+# }
+
+
+define contact{
+ contact_name admin
+ alias Administrateur
+ service_notification_period 24x7
+ host_notification_period 24x7
+ service_notification_options w,u,c,r
+ host_notification_options d,r
+ service_notification_commands notify-service-by-email
+ host_notification_commands notify-host-by-email
+ email icinga.ppe31@gmail.com
+ }
+
+
+
+###############################################################################
+###############################################################################
+#
+# CONTACT GROUPS
+#
+###############################################################################
+###############################################################################
+
+# We only have one contact in this simple configuration file, so there is
+# no need to create more than one contact group.
+
+define contactgroup{
+ contactgroup_name admins
+ alias Nagios Administrators
+ members admin
+ }
diff --git a/roles/icinga/files/dns.cfg b/roles/icinga/files/dns.cfg
new file mode 100644
index 0000000..5b69aca
--- /dev/null
+++ b/roles/icinga/files/dns.cfg
@@ -0,0 +1,11 @@
+# 'check_dns' command definition
+define command{
+ command_name check_dns
+ command_line /usr/lib/nagios/plugins/check_dns -H www.dfco.fr -s '$HOSTADDRESS$'
+}
+
+# 'check_dig' command definition
+define command{
+ command_name check_dig
+ command_line /usr/lib/nagios/plugins/check_dig -H '$HOSTADDRESS$' -l '$ARG1$'
+}
diff --git a/roles/icinga/files/icinga.cfg b/roles/icinga/files/icinga.cfg
new file mode 100644
index 0000000..fde1780
--- /dev/null
+++ b/roles/icinga/files/icinga.cfg
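Review bot: `email icinga.ppe31@gmail.com` hard-codes a personal external mailbox into the only contact of a reusable role, so every host name and private address in the 172.16/192.168 ranges defined by this commit is mailed to a third-party provider and the destination cannot be changed without editing the role's static file. Since the file lives under `roles/icinga/files/`, which looks like an Ansible role, the address belongs in a role variable rendered through a template, or at least in a comment-marked placeholder such as `email <notification-mailbox>`. The group alias `Nagios Administrators` is also the only Nagios-branded string left in an Icinga config; `alias Icinga Administrators` would match the rest.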
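Review bot: `check_dns -H www.dfco.fr -s '$HOSTADDRESS$'` hard-codes a third-party name as the record every monitored DNS server is asked to resolve, so the "DNS Ext" service flaps whenever that external zone changes or is unreachable from the resolver, and the resulting alert says nothing about the local server itself. Make the record an argument with the service choosing it, `command_line /usr/lib/nagios/plugins/check_dns -H '$ARG1$' -s '$HOSTADDRESS$'`, and call it as `check_command check_dns!<record-in-your-own-zone>` (placeholder) from services_icinga.cfg; check_dig in the same hunk already follows that pattern with `-l '$ARG1$'`.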
@@ -0,0 +1,1494 @@
+##############################################################################
+#
+# ICINGA.CFG - Sample Main Config File for Icinga
+#
+# Read the documentation for more information on this configuration
+# file. I've provided some comments here, but things may not be so
+# clear without further explanation.
+#
+##############################################################################
+
+
+# LOG FILE
+# This is the main log file where service and host events are logged
+# for historical purposes. This should be the first option specified
+# in the config file!!!
+
+log_file=/var/log/icinga/icinga.log
+
+# Commands definitions
+cfg_file=/etc/icinga/commands.cfg
+
+# Debian also defaults to using the check commands defined by the debian
+# nagios-plugins package
+cfg_dir=/etc/nagios-plugins/config
+
+# OBJECT CONFIGURATION FILE(S)
+# These are the object configuration files in which you define hosts,
+# host groups, contacts, contact groups, services, etc.
+# Hint: Check the docs/wiki on how to monitor remote hosts with different
+# transport methods and plugins
+
+# Debian uses by default a configuration directory where icinga-common,
+# other packages and the local admin can dump or link configuration
+# files into.
+cfg_dir=/etc/icinga/objects/
+
+# Definitions for ido2db process checks
+#cfg_file=/etc/icinga/objects/ido2db_check_proc.cfg
+
+# Definitions for broker modules like idoutils.cfg
+cfg_dir=/etc/icinga/modules
+
+
+
+# OBJECT CACHE FILE
+# This option determines where object definitions are cached when
+# Icinga starts/restarts. The CGIs read object definitions from
+# this cache file (rather than looking at the object config files
+# directly) in order to prevent inconsistencies that can occur
+# when the config files are modified after Icinga starts.
+# If you explicitely set it to /dev/null the core will skip writing
+# the objects cache file entirely.
+# Note: This is a mandatory output for Icinga Classic UI to work properly.
+# Tip: Use that file to debug your configuration with fully resolved
+# objects like the core sees them.
+
+object_cache_file=/var/cache/icinga/objects.cache
+
+
+
+# PRE-CACHED OBJECT FILE
+# This options determines the location of the precached object file.
+# If you run Icinga with the -p command line option, it will preprocess
+# your object configuration file(s) and write the cached config to this
+# file. You can then start Icinga with the -u option to have it read
+# object definitions from this precached file, rather than the standard
+# object configuration files (see the cfg_file and cfg_dir options above).
+# Using a precached object file can speed up the time needed to (re)start
+# the Icinga process if you've got a large and/or complex configuration.
+# Read the documentation section on optimizing Icinga to find our more
+# about how this feature works.
+
+precached_object_file=/var/cache/icinga/objects.precache
+
+
+
+# RESOURCE FILE
+# This is an optional resource file that contains $USERx$ macro
+# definitions. Multiple resource files can be specified by using
+# multiple resource_file definitions. The CGIs will not attempt to
+# read the contents of resource files, so information that is
+# considered to be sensitive (usernames, passwords, etc) can be
+# defined as macros in this file and restrictive permissions (600)
+# can be placed on this file.
+
+resource_file=/etc/icinga/resource.cfg
+
+
+
+# STATUS FILE
+# This is where the current status of all monitored services and
+# hosts is stored. Its contents are read and processed by the CGIs.
+# The contents of the status file are deleted every time Icinga
+# restarts.
+# If you explicitely set it to /dev/null the core will skip writing
+# the status file entirely. This becomes handy when using other methods
+# for data retrieval (e.g. IDOUtils DB)
+# Note: This is a mandatory output for Icinga Classic UI to work properly.
+
+status_file=/var/lib/icinga/status.dat
+
+
+
+# STATUS FILE UPDATE INTERVAL
+# This option determines the frequency (in seconds) that
+# Icinga will periodically dump program, host, and
+# service status data.
+# Increase the value, if you don't require it that often.
+
+#status_update_interval=30
+status_update_interval=10
+
+
+
+# ICINGA USER
+# This determines the effective user that Icinga should run as.
+# You can either supply a username or a UID.
+
+icinga_user=nagios
+
+
+
+# ICINGA GROUP
+# This determines the effective group that Icinga should run as.
+# You can either supply a group name or a GID.
+
+icinga_group=nagios
+
+
+
+# EXTERNAL COMMAND OPTION
+# This option allows you to specify whether or not Icinga should check
+# for external commands (in the command file defined below). By default
+# Icinga will *not* check for external commands, just to be on the
+# cautious side. If you want to be able to use the CGI command interface
+# you will have to enable this.
+# Values: 0 = disable commands, 1 = enable commands
+
+check_external_commands=1
+
+
+
+# EXTERNAL COMMAND CHECK INTERVAL
+# This is the interval at which Icinga should check for external commands.
+# This value works of the interval_length you specify later. If you leave
+# that at its default value of 60 (seconds), a value of 1 here will cause
+# Icinga to check for external commands every minute. If you specify a
+# number followed by an "s" (i.e. 15s), this will be interpreted to mean
+# actual seconds rather than a multiple of the interval_length variable.
+# Note: In addition to reading the external command file at regularly
+# scheduled intervals, Icinga will also check for external commands after
+# event handlers are executed.
+# NOTE: Setting this value to -1 causes Icinga to check the external
+# command file as often as possible.
+
+#command_check_interval=15s
+command_check_interval=-1
+
+
+
+# EXTERNAL COMMAND FILE
+# This is the file that Icinga checks for external command requests.
+# It is also where the command CGI will write commands that are submitted
+# by users, so it must be writeable by the user that the web server
+# is running as (usually 'nobody'). Permissions should be set at the
+# directory level instead of on the file, as the file is deleted every
+# time its contents are processed.
+# Debian Users: In case you didn't read README.Debian yet, _NOW_ is the
+# time to do it.
+
+command_file=/var/lib/icinga/rw/icinga.cmd
+
+
+
+# EXTERNAL COMMAND BUFFER SLOTS
+# This settings is used to tweak the number of items or "slots" that
+# the Icinga daemon should allocate to the buffer that holds incoming
+# external commands before they are processed. As external commands
+# are processed by the daemon, they are removed from the buffer.
+# Increase the value, if you are using addons like check_mk supplying
+# more external commands (passive check results) than usual.
+
+#external_command_buffer_slots=32768
+external_command_buffer_slots=4096
+
+
+
+# LOCK FILE
+# This is the lockfile that Icinga will use to store its PID number
+# in when it is running in daemon mode.
+
+lock_file=/var/run/icinga/icinga.pid
+
+
+
+# TEMP FILE
+# This is a temporary file that is used as scratch space when Icinga
+# updates the status log, cleans the comment file, etc. This file
+# is created, used, and deleted throughout the time that Icinga is
+# running.
+
+temp_file=/var/cache/icinga/icinga.tmp
+
+
+
+# TEMP PATH
+# This is path where Icinga can create temp files for service and
+# host check results, etc.
+
+temp_path=/tmp
+
+
+
+# EVENT BROKER OPTIONS
+# Controls what (if any) data gets sent to the event broker.
+# Values: 0 = Broker nothing
+# -1 = Broker everything
+# = See documentation
+
+event_broker_options=-1
+
+
+
+# EVENT BROKER MODULE(S)
+# ----> use the new *module definition* instead:
+# ----> http://docs.icinga.org/latest/en/objectdefinitions.html
+#
+# Example definitions can be found in the '/etc/icinga/modules/' directory.
+# If you want to enable idoutils in Debian install icinga-idoutils and copy
+# /usr/share/doc/icinga-idoutils/examples/idoutils.cfg-sample to
+# /etc/icinga/modules/idoutils.cfg.
+# Don't forget to also enable the daemon in /etc/default/icinga
+
+# LOG ROTATION METHOD
+# This is the log rotation method that Icinga should use to rotate
+# the main log file. Values are as follows..
+# n = None - don't rotate the log
+# h = Hourly rotation (top of the hour)
+# d = Daily rotation (midnight every day)
+# w = Weekly rotation (midnight on Saturday evening)
+# m = Monthly rotation (midnight last day of month)
+
+log_rotation_method=d
+
+
+
+# LOG ARCHIVE PATH
+# This is the directory where archived (rotated) log files should be
+# placed (assuming you've chosen to do log rotation).
+
+log_archive_path=/var/log/icinga/archives
+
+
+
+# LOGGING OPTIONS FOR DAEMON
+# If you want messages logged to the daemon log file (usually icinga.log).
+# Default option is 1 (yes), the other valid option is 0 (no)
+
+use_daemon_log=1
+
+
+
+# LOGGING OPTIONS FOR SYSLOG
+# If you want messages logged to the syslog facility, as well as the
+# Icinga log file set this option to 1. If not, set it to 0.
+
+use_syslog=1
+
+
+
+# SYSLOG FACILITY
+# If you enabled use_syslog you can set icinga to use a local facility
+# instead of the default.To enable set this option to 1, if not, set it to 0.
+
+use_syslog_local_facility=0
+
+
+
+# SYSLOG LOCAL FACILITY
+# If you specified the use_syslog_local_facility you can chose which
+# local facility to use. Valid values are from 0 to 7
+
+syslog_local_facility=5
+
+
+
+# NOTIFICATION LOGGING OPTION
+# If you don't want notifications to be logged, set this value to 0.
+# If notifications should be logged, set the value to 1.
+
+log_notifications=1
+
+
+
+# SERVICE RETRY LOGGING OPTION
+# If you don't want service check retries to be logged, set this value
+# to 0. If retries should be logged, set the value to 1.
+
+log_service_retries=1
+
+
+
+# HOST RETRY LOGGING OPTION
+# If you don't want host check retries to be logged, set this value to
+# 0. If retries should be logged, set the value to 1.
+
+log_host_retries=1
+
+
+
+# EVENT HANDLER LOGGING OPTION
+# If you don't want host and service event handlers to be logged, set
+# this value to 0. If event handlers should be logged, set the value
+# to 1.
+
+log_event_handlers=1
+
+
+
+# INITIAL STATES LOGGING OPTION
+# If you want Icinga to log all initial host and service states to
+# the main log file (the first time the service or host is checked)
+# you can enable this option by setting this value to 1. If you
+# are not using an external application that does long term state
+# statistics reporting, you do not need to enable this option. In
+# this case, set the value to 0.
+
+log_initial_states=0
+
+
+
+# CURRENT STATES LOGGING OPTION
+# If you don't want Icinga to log all current host and service states
+# after log has been rotated to the main log file, you can disable this
+# option by setting this value to 0. Default value is 1.
+
+log_current_states=1
+
+
+
+# EXTERNAL COMMANDS LOGGING OPTION
+# If you don't want Icinga to log external commands, set this value
+# to 0. If external commands should be logged, set this value to 1.
+# Note: This option does not include logging of passive service
+# checks - see the option below for controlling whether or not
+# passive checks are logged.
+
+log_external_commands=1
+
+
+
+# LOG ANONYMIZED EXTERNAL COMMAND AUTHOR !!EXPERIMENTAL!!
+# This option substitutes the user name on external commands with
+# the string "" if the command gets logged. It is
+# anonymized in log files only. This option was added to make
+# icinga compliant with data retention laws on various countries.
+# This option is disabled by default.
+
+log_anonymized_external_command_author=0
+
+
+
+# PASSIVE CHECKS LOGGING OPTION
+# If you don't want Icinga to log passive host and service checks, set
+# this value to 0. If passive checks should be logged, set
+# this value to 1.
+
+log_passive_checks=1
+
+
+
+# LONG PLUGIN OUTPUT LOGGING OPTION
+# If you want Icinga to log the complete text of the plugin output
+# to the log instead of only the first line then set this value to 1.
+# Default value is 0.
+
+log_long_plugin_output=0
+
+
+
+# GLOBAL HOST AND SERVICE EVENT HANDLERS
+# These options allow you to specify a host and service event handler
+# command that is to be run for every host or service state change.
+# The global event handler is executed immediately prior to the event
+# handler that you have optionally specified in each host or
+# service definition. The command argument is the short name of a
+# command definition that you define in your host configuration file.
+# Read the HTML docs for more information.
+
+#global_host_event_handler=somecommand
+#global_service_event_handler=somecommand
+
+
+
+# SERVICE INTER-CHECK DELAY METHOD
+# This is the method that Icinga should use when initially
+# "spreading out" service checks when it starts monitoring. The
+# default is to use smart delay calculation, which will try to
+# space all service checks out evenly to minimize CPU load.
+# Using the dumb setting will cause all checks to be scheduled
+# at the same time (with no delay between them)! This is not a
+# good thing for production, but is useful when testing the
+# parallelization functionality.
+# n = None - don't use any delay between checks
+# d = Use a "dumb" delay of 1 second between checks
+# s = Use "smart" inter-check delay calculation
+# x.xx = Use an inter-check delay of x.xx seconds
+
+service_inter_check_delay_method=s
+
+
+
+# MAXIMUM SERVICE CHECK SPREAD
+# This variable determines the timeframe (in minutes) from the
+# program start time that an initial check of all services should
+# be completed. Default is 30 minutes.
+
+max_service_check_spread=30
+
+
+
+# SERVICE CHECK INTERLEAVE FACTOR
+# This variable determines how service checks are interleaved.
+# Interleaving the service checks allows for a more even
+# distribution of service checks and reduced load on remote
+# hosts. Setting this value to 1 is equivalent to how versions
+# of Icinga previous to 0.0.5 did service checks. Set this
+# value to s (smart) for automatic calculation of the interleave
+# factor unless you have a specific reason to change it.
+# s = Use "smart" interleave factor calculation
+# x = Use an interleave factor of x, where x is a
+# number greater than or equal to 1.
+
+service_interleave_factor=s
+
+
+
+# HOST INTER-CHECK DELAY METHOD
+# This is the method that Icinga should use when initially
+# "spreading out" host checks when it starts monitoring. The
+# default is to use smart delay calculation, which will try to
+# space all host checks out evenly to minimize CPU load.
+# Using the dumb setting will cause all checks to be scheduled
+# at the same time (with no delay between them)!
+# n = None - don't use any delay between checks
+# d = Use a "dumb" delay of 1 second between checks
+# s = Use "smart" inter-check delay calculation
+# x.xx = Use an inter-check delay of x.xx seconds
+
+host_inter_check_delay_method=s
+
+
+
+# MAXIMUM HOST CHECK SPREAD
+# This variable determines the timeframe (in minutes) from the
+# program start time that an initial check of all hosts should
+# be completed. Default is 30 minutes.
+
+max_host_check_spread=30
+
+
+
+# MAXIMUM CONCURRENT SERVICE CHECKS
+# This option allows you to specify the maximum number of
+# service checks that can be run in parallel at any given time.
+# Specifying a value of 1 for this variable essentially prevents
+# any service checks from being parallelized. A value of 0
+# will not restrict the number of concurrent checks that are
+# being executed.
+
+max_concurrent_checks=0
+
+
+
+# HOST AND SERVICE CHECK REAPER FREQUENCY
+# This is the frequency (in seconds!) that Icinga will process
+# the results of host and service checks.
+# Lower this value in larger environments to allow faster
+# check result processing (requires more cpu power).
+
+#check_result_reaper_frequency=1
+check_result_reaper_frequency=10
+
+
+
+
+# MAX CHECK RESULT REAPER TIME
+# This is the max amount of time (in seconds) that a single
+# check result reaper event will be allowed to run before
+# returning control back to Icinga so it can perform other
+# duties.
+
+max_check_result_reaper_time=30
+
+
+
+
+# CHECK RESULT PATH
+# This is directory where Icinga stores the results of host and
+# service checks that have not yet been processed.
+#
+# Note: Make sure that only one instance of Icinga has access
+# to this directory!
+
+check_result_path=/var/lib/icinga/spool/checkresults
+
+
+
+
+# MAX CHECK RESULT FILE AGE
+# This option determines the maximum age (in seconds) which check
+# result files are considered to be valid. Files older than this
+# threshold will be mercilessly deleted without further processing.
+
+max_check_result_file_age=3600
+
+
+
+
+# MAX CHECK RESULT LIST ITEMS !!EXPERIMENTAL!!
+# This experimental option allows you to set the max number of items
+# the checkresult reaper will put onto the checkresult list for further
+# processing by the core. If there are too many, the reaping will be
+# terminated early, allowing the core to process the results sooner.
+# On larger setups, that list might grow too much, and decrease
+# performance on processing. You might experiment with that value, the
+# inner core default is set to 0, disabling that feature.
+# Values:
+# 0 = Disable max check result list items
+# number = set max check result list items
+
+#max_check_result_list_items=1024
+
+
+
+
+# CACHED HOST CHECK HORIZON
+# This option determines the maximum amount of time (in seconds)
+# that the state of a previous host check is considered current.
+# Cached host states (from host checks that were performed more
+# recently that the timeframe specified by this value) can immensely
+# improve performance in regards to the host check logic.
+# Too high of a value for this option may result in inaccurate host
+# states being used by Icinga, while a lower value may result in a
+# performance hit for host checks. Use a value of 0 to disable host
+# check caching.
+
+cached_host_check_horizon=15
+
+
+
+# CACHED SERVICE CHECK HORIZON
+# This option determines the maximum amount of time (in seconds)
+# that the state of a previous service check is considered current.
+# Cached service states (from service checks that were performed more
+# recently that the timeframe specified by this value) can immensely
+# improve performance in regards to predictive dependency checks.
+# Use a value of 0 to disable service check caching.
+
+cached_service_check_horizon=15
+
+
+
+# ENABLE PREDICTIVE HOST DEPENDENCY CHECKS
+# This option determines whether or not Icinga will attempt to execute
+# checks of hosts when it predicts that future dependency logic test
+# may be needed. These predictive checks can help ensure that your
+# host dependency logic works well.
+# Values:
+# 0 = Disable predictive checks
+# 1 = Enable predictive checks (default)
+
+enable_predictive_host_dependency_checks=1
+
+
+
+# ENABLE PREDICTIVE SERVICE DEPENDENCY CHECKS
+# This option determines whether or not Icinga will attempt to execute
+# checks of service when it predicts that future dependency logic test
+# may be needed. These predictive checks can help ensure that your
+# service dependency logic works well.
+# Values:
+# 0 = Disable predictive checks
+# 1 = Enable predictive checks (default)
+
+enable_predictive_service_dependency_checks=1
+
+
+
+# SOFT STATE DEPENDENCIES
+# This option determines whether or not Icinga will use soft state
+# information when checking host and service dependencies. Normally
+# Icinga will only use the latest hard host or service state when
+# checking dependencies. If you want it to use the latest state (regardless
+# of whether its a soft or hard state type), enable this option.
+# Values:
+# 0 = Don't use soft state dependencies (default)
+# 1 = Use soft state dependencies
+
+soft_state_dependencies=0
+
+
+
+# TIME CHANGE ADJUSTMENT THRESHOLDS
+# These options determine when Icinga will react to detected changes
+# in system time (forward into the future).
+
+#time_change_threshold=900
+
+
+
+# AUTO-RESCHEDULING OPTION
+# This option determines whether or not Icinga will attempt to
+# automatically reschedule active host and service checks to
+# "smooth" them out over time. This can help balance the load on
+# the monitoring server.
+# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE
+# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY
+
+auto_reschedule_checks=0
+
+
+
+# AUTO-RESCHEDULING INTERVAL
+# This option determines how often (in seconds) Icinga will
+# attempt to automatically reschedule checks. This option only
+# has an effect if the auto_reschedule_checks option is enabled.
+# Default is 30 seconds.
+# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE
+# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY
+
+auto_rescheduling_interval=30
+
+
+
+# AUTO-RESCHEDULING WINDOW
+# This option determines the "window" of time (in seconds) that
+# Icinga will look at when automatically rescheduling checks.
+# Only host and service checks that occur in the next X seconds
+# (determined by this variable) will be rescheduled. This option
+# only has an effect if the auto_reschedule_checks option is
+# enabled. Default is 180 seconds (3 minutes).
+# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE
+# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY
+
+auto_rescheduling_window=180
+
+
+
+# SLEEP TIME
+# This is the number of seconds to sleep between checking for system
+# events and service checks that need to be run.
+
+sleep_time=0.25
+
+
+
+# TIMEOUT VALUES
+# These options control how much time Icinga will allow various
+# types of commands to execute before killing them off. Options
+# are available for controlling maximum time allotted for
+# service checks, host checks, event handlers, notifications, the
+# ocsp command, and performance data commands. All values are in
+# seconds.
+# Increase the timeout values in case you are experiencing a lot
+# of check timeouts. Addons like e.g. check_mk will perform
+# one combined active servicecheck which could take longer than
+# the default of 60sec.
+
+#service_check_timeout=120
+service_check_timeout=60
+host_check_timeout=30
+event_handler_timeout=30
+notification_timeout=30
+ocsp_timeout=5
+perfdata_timeout=5
+
+
+
+# RETAIN STATE INFORMATION
+# This setting determines whether or not Icinga will save state
+# information for services and hosts before it shuts down. Upon
+# startup Icinga will reload all saved service and host state
+# information before starting to monitor. This is useful for
+# maintaining long-term data on state statistics, etc, but will
+# slow Icinga down a bit when it (re)starts. Since its only
+# a one-time penalty, I think its well worth the additional
+# startup delay.
+
+retain_state_information=1
+
+
+
+# STATE RETENTION FILE
+# This is the file that Icinga should use to store host and
+# service state information before it shuts down. The state
+# information in this file is also read immediately prior to
+# starting to monitor the network when Icinga is restarted.
+# This file is used only if the retain_state_information
+# variable is set to 1.
+
+state_retention_file=/var/cache/icinga/retention.dat
+
+
+
+# SYNC FILE
+# This is an advanced facility to pass a subset of retention
+# information into Icinga on a running system. This is similar
+# to the state retention file with the following difference:
+#
+# - if the last_check value is less than the current last_check,
+# then the state information is ignored (this must be specified
+# immediately after the object identifiers)
+#
+# - downtimes and comments are not identified by an id number, but
+# by other "similar characteristics". This is required to work in
+# a distributed Nagios environment
+# * downtimes: hostname, servicename (if appropriate), author,
+# comment, start_time, end_time, fixed, duration
+# * comments: hostname, servicename, author, comment
+#
+# If this variable is set, then on Icinga startup, the sync file
+# will be read after the retention file has been processed. If the
+# file is read successfully, it will be removed.
+# If the file does not exist, no error will appear.
+# There is also an API that will force a read of the sync file.
+
+#sync_retention_file=/var/cache/icinga/sync.dat
+
+
+
+# RETENTION DATA UPDATE INTERVAL
+# This setting determines how often (in minutes) that Icinga
+# will automatically save retention data during normal operation.
+# If you set this value to 0, Icinga will not save retention
+# data at regular interval, but it will still save retention
+# data before shutting down or restarting. If you have disabled
+# state retention, this option has no effect.
+
+retention_update_interval=60
+
+
+
+# USE RETAINED PROGRAM STATE
+# This setting determines whether or not Icinga will set
+# program status variables based on the values saved in the
+# retention file. If you want to use retained program status
+# information, set this value to 1. If not, set this value
+# to 0.
+
+use_retained_program_state=1
+
+
+# DUMP RETAINED HOST SERVICE STATES TO NEB
+# This setting determines wether or not Icinga will dump host
+# and service states based on the values saved in the retention
+# file to the neb modules. It will already do that on event loop
+# initialization.
+# Changed in Icinga 1.10 to disabled - re-enable if you require it.
+
+dump_retained_host_service_states_to_neb=0
+
+
+
+# USE RETAINED SCHEDULING INFO
+# This setting determines whether or not Icinga will retain
+# the scheduling info (next check time) for hosts and services
+# based on the values saved in the retention file. If you
+# If you want to use retained scheduling info, set this
+# value to 1. If not, set this value to 0.
+
+use_retained_scheduling_info=1
+
+
+
+# RETAINED ATTRIBUTE MASKS (ADVANCED FEATURE)
+# The following variables are used to specify specific host and
+# service attributes that should *not* be retained by Icinga during
+# program restarts.
+#
+# The values of the masks are bitwise ANDs of values specified
+# by the "MODATTR_" definitions found in include/common.h.
+# For example, if you do not want the current enabled/disabled state
+# of flap detection and event handlers for hosts to be retained, you
+# would use a value of 24 for the host attribute mask...
+# MODATTR_EVENT_HANDLER_ENABLED (8) + MODATTR_FLAP_DETECTION_ENABLED (16) = 24
+
+# This mask determines what host attributes are not retained
+retained_host_attribute_mask=0
+
+# This mask determines what service attributes are not retained
+retained_service_attribute_mask=0
+
+# These two masks determine what process attributes are not retained.
+# There are two masks, because some process attributes have host and service
+# options. For example, you can disable active host checks, but leave active
+# service checks enabled.
+retained_process_host_attribute_mask=0
+retained_process_service_attribute_mask=0
+
+# These two masks determine what contact attributes are not retained.
+# There are two masks, because some contact attributes have host and
+# service options. For example, you can disable host notifications for
+# a contact, but leave service notifications enabled for them.
+retained_contact_host_attribute_mask=0
+retained_contact_service_attribute_mask=0
+
+
+
+# INTERVAL LENGTH
+# This is the seconds per unit interval as used in the
+# host/contact/service configuration files. Setting this to 60 means
+# that each interval is one minute long (60 seconds). Other settings
+# have not been tested much, so your mileage is likely to vary...
+
+interval_length=60
+
+
+
+# AGGRESSIVE HOST CHECKING OPTION
+# If you don't want to turn on aggressive host checking features, set
+# this value to 0 (the default). Otherwise set this value to 1 to
+# enable the aggressive check option. Read the docs for more info
+# on what aggressive host check is or check out the source code in
+# base/checks.c
+
+use_aggressive_host_checking=0
+
+
+
+# SERVICE CHECK EXECUTION OPTION
+# This determines whether or not Icinga will actively execute
+# service checks when it initially starts. If this option is
+# disabled, checks are not actively made, but Icinga can still
+# receive and process passive check results that come in. Unless
+# you're implementing redundant hosts or have a special need for
+# disabling the execution of service checks, leave this enabled!
+# Values: 1 = enable checks, 0 = disable checks
+
+execute_service_checks=1
+
+
+
+# PASSIVE SERVICE CHECK ACCEPTANCE OPTION
+# This determines whether or not Icinga will accept passive
+# service checks results when it initially (re)starts.
+# Values: 1 = accept passive checks, 0 = reject passive checks
+
+accept_passive_service_checks=1
+
+
+
+# HOST CHECK EXECUTION OPTION
+# This determines whether or not Icinga will actively execute
+# host checks when it initially starts. If this option is
+# disabled, checks are not actively made, but Icinga can still
+# receive and process passive check results that come in. Unless
+# you're implementing redundant hosts or have a special need for
+# disabling the execution of host checks, leave this enabled!
+# Values: 1 = enable checks, 0 = disable checks
+
+execute_host_checks=1
+
+
+
+# PASSIVE HOST CHECK ACCEPTANCE OPTION
+# This determines whether or not Icinga will accept passive
+# host checks results when it initially (re)starts.
+# Values: 1 = accept passive checks, 0 = reject passive checks
+
+accept_passive_host_checks=1
+
+
+
+# NOTIFICATIONS OPTION
+# This determines whether or not Icinga will sent out any host or
+# service notifications when it is initially (re)started.
+# Values: 1 = enable notifications, 0 = disable notifications
+
+enable_notifications=1
+
+
+
+# EVENT HANDLER USE OPTION
+# This determines whether or not Icinga will run any host or
+# service event handlers when it is initially (re)started. Unless
+# you're implementing redundant hosts, leave this option enabled.
+# Values: 1 = enable event handlers, 0 = disable event handlers
+
+enable_event_handlers=1
+
+
+
+# STATE BASED ESCALATION RANGES !!!Experimental!!!
+# This option allows you to enable state based escalation ranges which
+# will allow a more detailed granularity on when an escalation notification
+# may happen, adding a filter based on the current host or service state
+# when checking the escalation for notification viability.
+# This is a behavioural change to the default, and therefore intentionally
+# disabled. Enable at your own risk, as this remains an experimental feature.
+# Values: 1 = enable state based escalation ranges,
+# 0 = disable state based escalation ranges
+
+#enable_state_based_escalation_ranges=0
+
+
+
+# PROCESS PERFORMANCE DATA OPTION
+# This determines whether or not Icinga will process performance
+# data returned from service and host checks. If this option is
+# enabled, host performance data will be processed using the
+# host_perfdata_command (defined below) and service performance
+# data will be processed using the service_perfdata_command (also
+# defined below). Read the HTML docs for more information on
+# performance data.
+# Values: 1 = process performance data, 0 = do not process performance data
+
+process_performance_data=0
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA PROCESSING COMMANDS
+# These commands are run after every host and service check is
+# performed. These commands are executed only if the
+# process_performance_data option (above) is set to 1. The command
+# argument is the short name of a command definition that you
+# define in your host configuration file. Read the HTML docs for
+# more information on performance data.
+
+#host_perfdata_command=process-host-perfdata
+#service_perfdata_command=process-service-perfdata
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA FILES
+# These files are used to store host and service performance data.
+# Performance data is only written to these files if the
+# process_performance_data option (above) is set to 1.
+ +#host_perfdata_file=/tmp/host-perfdata +#service_perfdata_file=/tmp/service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILE TEMPLATES +# These options determine what data is written (and how) to the +# performance data files. The templates may contain macros, special +# characters (\t for tab, \r for carriage return, \n for newline) +# and plain text. A newline is automatically added after each write +# to the performance data file. Some examples of what you can do are +# shown below. + +#host_perfdata_file_template=[HOSTPERFDATA]\t$TIMET$\t$HOSTNAME$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$ +#service_perfdata_file_template=[SERVICEPERFDATA]\t$TIMET$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$ + + + +# HOST AND SERVICE PERFORMANCE DATA FILE MODES +# This option determines whether or not the host and service +# performance data files are opened in write ("w") or append ("a") +# mode. If you want to use named pipes, you should use the special +# pipe ("p") mode which avoid blocking at startup, otherwise you will +# likely want the defult append ("a") mode. + +#host_perfdata_file_mode=a +#service_perfdata_file_mode=a + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING INTERVAL +# These options determine how often (in seconds) the host and service +# performance data files are processed using the commands defined +# below. A value of 0 indicates the files should not be periodically +# processed. + +#host_perfdata_file_processing_interval=0 +#service_perfdata_file_processing_interval=0 + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING COMMANDS +# These commands are used to periodically process the host and +# service performance data files. The interval at which the +# processing occurs is determined by the options above. 
+ +#host_perfdata_file_processing_command=process-host-perfdata-file +#service_perfdata_file_processing_command=process-service-perfdata-file + + +# HOST AND SERVICE PERFORMANCE DATA PROCESS EMPTY RESULTS +# THese options determine wether the core will process empty perfdata +# results or not. This is needed for distributed monitoring, and intentionally +# turned on by default. +# If you don't require empty perfdata - saving some cpu cycles +# on unwanted macro calculation - you can turn that off. Be careful! +# Values: 1 = enable, 0 = disable + +#host_perfdata_process_empty_results=1 +#service_perfdata_process_empty_results=1 + + + +# ALLOW EMPTY HOSTGROUP ASSIGMENT FOR SERVICES +# This boolean option determines whether services assigned to empty +# host groups (host groups with no host members) will cause Icinga to +# exit with error on start up (or during a configuration check) or not. +# It's useful to be able to assign services to empty hostgroups when +# configuration files or pre-cached object files are distributed to +# various pollers, or when the process of generating Icinga config is +# automated, or when a set of services is slowly being phased out but +# should be kept around. +# The default behavior if the option is not present in the main +# configuration file is for Icinga to exit with error if services are +# associated with host groups that have no hosts associated with them. + +#allow_empty_hostgroup_assignment=0 + + + +# OBSESS OVER SERVICE CHECKS OPTION +# This determines whether or not Icinga will obsess over service +# checks and run the ocsp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. 
+# Values: 1 = obsess over services, 0 = do not obsess (default) + +obsess_over_services=0 + + + +# OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND +# This is the command that is run for every service check that is +# processed by Icinga. This command is executed only if the +# obsess_over_services option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ocsp_command=somecommand + + + +# OBSESS OVER HOST CHECKS OPTION +# This determines whether or not Icinga will obsess over host +# checks and run the ochp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over hosts, 0 = do not obsess (default) + +obsess_over_hosts=0 + + + +# OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND +# This is the command that is run for every host check that is +# processed by Icinga. This command is executed only if the +# obsess_over_hosts option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ochp_command=somecommand + + + +# TRANSLATE PASSIVE HOST CHECKS OPTION +# This determines whether or not Icinga will translate +# DOWN/UNREACHABLE passive host check results into their proper +# state for this instance of Icinga. This option is useful +# if you have distributed or failover monitoring setup. In +# these cases your other Icinga servers probably have a different +# "view" of the network, with regards to the parent/child relationship +# of hosts. 
If a distributed monitoring server thinks a host +# is DOWN, it may actually be UNREACHABLE from the point of +# this Icinga instance. Enabling this option will tell Icinga +# to translate any DOWN or UNREACHABLE host states it receives +# passively into the correct state from the view of this server. +# Values: 1 = perform translation, 0 = do not translate (default) + +translate_passive_host_checks=0 + + + +# PASSIVE HOST CHECKS ARE SOFT OPTION +# This determines whether or not Icinga will treat passive host +# checks as being HARD or SOFT. By default, a passive host check +# result will put a host into a HARD state type. This can be changed +# by enabling this option. +# Values: 0 = passive checks are HARD, 1 = passive checks are SOFT + +passive_host_checks_are_soft=0 + + + +# ORPHANED HOST/SERVICE CHECK OPTIONS +# These options determine whether or not Icinga will periodically +# check for orphaned host service checks. Since service checks are +# not rescheduled until the results of their previous execution +# instance are processed, there exists a possibility that some +# checks may never get rescheduled. A similar situation exists for +# host checks, although the exact scheduling details differ a bit +# from service checks. Orphaned checks seem to be a rare +# problem and should not happen under normal circumstances. +# If you have problems with service checks never getting +# rescheduled, make sure you have orphaned service checks enabled. +# Values: 1 = enable checks, 0 = disable checks + +check_for_orphaned_services=1 +check_for_orphaned_hosts=1 + + + +# SERVICE CHECK TIMEOUT STATE +# This setting determines the state Icinga will report when a +# service check times out meaning it does not respond within +# service_check_timeout seconds. The default is set to Unknown +# and not Critical. 
+# Valid settings are: +# c - Critical +# u - Unknown (default) +# w - Warning +# o - OK + +service_check_timeout_state=u + + + +# SERVICE FRESHNESS CHECK OPTION +# This option determines whether or not Icinga will periodically +# check the "freshness" of service results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_service_freshness=1 + + + +# SERVICE FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Icinga will +# check the "freshness" of service check results. If you have +# disabled service freshness checking, this option has no effect. + +service_freshness_check_interval=60 + + + +# HOST FRESHNESS CHECK OPTION +# This option determines whether or not Icinga will periodically +# check the "freshness" of host results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_host_freshness=0 + + + +# HOST FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Icinga will +# check the "freshness" of host check results. If you have +# disabled host freshness checking, this option has no effect. + +host_freshness_check_interval=60 + + + + +# ADDITIONAL FRESHNESS THRESHOLD LATENCY +# This setting determines the number of seconds that Icinga +# will add to any host and service freshness thresholds that +# it calculates (those not explicitly specified by the user). + +additional_freshness_latency=15 + + + + +# FLAP DETECTION OPTION +# This option determines whether or not Icinga will try +# and detect hosts and services that are "flapping". +# Flapping occurs when a host or service changes between +# states too frequently. 
When Icinga detects that a +# host or service is flapping, it will temporarily suppress +# notifications for that host/service until it stops +# flapping. Flap detection is very experimental, so read +# the HTML documentation before enabling this feature! +# Values: 1 = enable flap detection +# 0 = disable flap detection (default) + +enable_flap_detection=1 + + + +# FLAP DETECTION THRESHOLDS FOR HOSTS AND SERVICES +# Read the HTML documentation on flap detection for +# an explanation of what this option does. This option +# has no effect if flap detection is disabled. + +low_service_flap_threshold=5.0 +high_service_flap_threshold=20.0 +low_host_flap_threshold=5.0 +high_host_flap_threshold=20.0 + + + +# DATE FORMAT OPTION +# This option determines how short dates are displayed. Valid options +# include: +# us (MM-DD-YYYY HH:MM:SS) +# euro (DD-MM-YYYY HH:MM:SS) +# iso8601 (YYYY-MM-DD HH:MM:SS) +# strict-iso8601 (YYYY-MM-DDTHH:MM:SS) +# + +date_format=iso8601 + + + + +# TIMEZONE OFFSET +# This option is used to override the default timezone that this +# instance of Icinga runs in. If not specified, Icinga will use +# the system configured timezone. +# +# NOTE: In order to display the correct timezone in the CGIs, you +# will also need to alter the Apache directives for the CGI path +# to include your timezone. Example: +# +# +# SetEnv TZ "Australia/Brisbane" +# ... +# + +#use_timezone=US/Mountain +#use_timezone=Australia/Brisbane + + + + +# P1.PL FILE LOCATION +# This value determines where the p1.pl perl script (used by the +# embedded Perl interpreter) is located. If you didn't compile +# Icinga with embedded Perl support, this option has no effect. + +p1_file=/usr/lib/icinga/p1.pl + + + +# EMBEDDED PERL INTERPRETER OPTION +# This option determines whether or not the embedded Perl interpreter +# will be enabled during runtime. This option has no effect if Icinga +# has not been compiled with support for embedded Perl. 
+# This option is intentionally disabled by default, because embedded +# perl can cause memory leaks and make Icinga unstable if not properly +# used. +# Only enable this setting when you really know what you are doing! +# Values: 0 = disable interpreter, 1 = enable interpreter + +enable_embedded_perl=1 + + + +# EMBEDDED PERL USAGE OPTION +# This option determines whether or not Icinga will process Perl plugins +# and scripts with the embedded Perl interpreter if the plugins/scripts +# do not explicitly indicate whether or not it is okay to do so. Read +# the HTML documentation on the embedded Perl interpreter for more +# information on how this option works. + +use_embedded_perl_implicitly=1 + + + +# EVENT HANDLERS FOR STALKED HOSTS/SERVICES +# Allow running event handlers for stalked hosts/services in order +# to forward to external systems. +# Values: 0 = disabled (default), 1 = enabled + +stalking_event_handlers_for_hosts=0 +stalking_event_handlers_for_services=0 + + + +# NOTIFICATIONS FOR STALKED HOSTS/SERVICES +# Allow notifications for stalked hosts/services globally +# for all contacts in order to notify about a stalking +# alert. +# Values: 0 = disabled (default), 1 = enabled + +stalking_notifications_for_hosts=0 +stalking_notifications_for_services=0 + + + +# ILLEGAL OBJECT NAME CHARACTERS +# This option allows you to specify illegal characters that cannot +# be used in host names, service descriptions, or names of other +# object types. + +illegal_object_name_chars=`~!$%^&*|'"<>?,()= + + + +# ILLEGAL MACRO OUTPUT CHARACTERS +# This option allows you to specify illegal characters that are +# stripped from macros before being used in notifications, event +# handlers, etc. This DOES NOT affect macros used in service or +# host check commands. 
+# The following macros are stripped of the characters you specify: +# $HOSTOUTPUT$ +# $HOSTPERFDATA$ +# $HOSTACKAUTHOR$ +# $HOSTACKCOMMENT$ +# $SERVICEOUTPUT$ +# $SERVICEPERFDATA$ +# $SERVICEACKAUTHOR$ +# $SERVICEACKCOMMENT$ + +illegal_macro_output_chars=`~$&|'"<> + + + +# KEEP UNKNOWN MACROS +# This option can be used to keep unknown macros within the output. +# e.g. check_proc -C $foo$ will remain. +# This was the default in versions older than Icinga 1.8, but now +# the default is to remove those macros from the output, causing +# the shell to interpret $foo and leaving a single $ there. See +# #2291 for further information. +# Make sure to escape single dollar signs with another '$', as the +# docs describe. Other than that, enable this setting to revert to +# the old behaviour. + +keep_unknown_macros=1 + + + +# REGULAR EXPRESSION MATCHING +# This option controls whether or not regular expression matching +# takes place in the object config files. Regular expression +# matching is used to match host, hostgroup, service, and service +# group names/descriptions in some fields of various object types. +# Values: 1 = enable regexp matching, 0 = disable regexp matching + +use_regexp_matching=0 + + + +# "TRUE" REGULAR EXPRESSION MATCHING +# This option controls whether or not "true" regular expression +# matching takes place in the object config files. This option +# only has an effect if regular expression matching is enabled +# (see above). If this option is DISABLED, regular expression +# matching only occurs if a string contains wildcard characters +# (* and ?). If the option is ENABLED, regexp matching occurs +# all the time (which can be annoying). +# Values: 1 = enable true matching, 0 = disable true matching + +use_true_regexp_matching=0 + + + +# ADMINISTRATOR EMAIL/PAGER ADDRESSES +# The email and pager address of a global administrator (likely you). 
+# Icinga never uses these values itself, but you can access them by +# using the $ADMINEMAIL$ and $ADMINPAGER$ macros in your notification +# commands. + +admin_email=root@localhost +admin_pager=pageroot@localhost + + + +# DAEMON CORE DUMP OPTION +# This option determines whether or not Icinga is allowed to create +# a core dump when it runs as a daemon. Note that it is generally +# considered bad form to allow this, but it may be useful for +# debugging purposes. Enabling this option doesn't guarantee that +# a core file will be produced, but that's just life... +# Values: 1 - Allow core dumps +# 0 - Do not allow core dumps (default) + +daemon_dumps_core=0 + + + +# LARGE INSTALLATION TWEAKS OPTION +# This option determines whether or not Icinga will take some shortcuts +# which can save on memory and CPU usage in large Icinga installations. +# Read the documentation for more information on the benefits/tradeoffs +# of enabling this option. +# Values: 1 - Enabled tweaks +# 0 - Disable tweaks (default) + +use_large_installation_tweaks=0 + + + +# ENABLE ENVIRONMENT MACROS +# This option determines whether or not Icinga will make all standard +# macros available as environment variables when host/service checks +# and system commands (event handlers, notifications, etc.) are +# executed. Enabling this option can cause performance issues in +# large installations, as it will consume a bit more memory and (more +# importantly) consume more CPU. +# Keep in mind that various addons/plugins will require this setting +# to be enabled (e.g. check_oracle_health) for special usage. +# Values: 1 - Enable environment variable macros +# 0 - Disable environment variable macros (default) + +enable_environment_macros=1 + + + +# CHILD PROCESS MEMORY OPTION +# This option determines whether or not Icinga will free memory in +# child processes (processed used to execute system commands and host/ +# service checks). If you specify a value here, it will override +# program defaults. 
+# Value: 1 - Free memory in child processes +# 0 - Do not free memory in child processes + +#free_child_process_memory=1 + + + +# CHILD PROCESS FORKING BEHAVIOR +# This option determines how Icinga will fork child processes +# (used to execute system commands and host/service checks). Normally +# child processes are fork()ed twice, which provides a very high level +# of isolation from problems. Fork()ing once is probably enough and will +# save a great deal on CPU usage (in large installs), so you might +# want to consider using this. If you specify a value here, it will +# program defaults. +# Value: 1 - Child processes fork() twice +# 0 - Child processes fork() just once + +#child_processes_fork_twice=1 + + + +# DEBUG LEVEL +# This option determines how much (if any) debugging information will +# be written to the debug file. OR values together to log multiple +# types of information. +# Values: +# -1 = Everything +# 0 = Nothing +# 1 = Functions +# 2 = Configuration +# 4 = Process information +# 8 = Scheduled events +# 16 = Host/service checks +# 32 = Notifications +# 64 = Event broker +# 128 = External commands +# 256 = Commands +# 512 = Scheduled downtime +# 1024 = Comments +# 2048 = Macros + +debug_level=0 + + + +# DEBUG VERBOSITY +# This option determines how verbose the debug log out will be. +# Values: 0 = Brief output +# 1 = More detailed +# 2 = Very detailed + +debug_verbosity=2 + + + +# DEBUG FILE +# This option determines where Icinga should write debugging information. + +debug_file=/var/log/icinga/icinga.debug + + + +# MAX DEBUG FILE SIZE +# This option determines the maximum size (in bytes) of the debug file. If +# the file grows larger than this size, it will be renamed with a .old +# extension. If a file already exists with a .old extension it will +# automatically be deleted. This helps ensure your disk space usage doesn't +# get out of control when debugging Icinga. + +# 100M +max_debug_file_size=100000000 
diff --git a/roles/icinga/files/icinga.conf b/roles/icinga/files/icinga.conf
new file mode 100644
index 0000000..e19a486
--- /dev/null
+++ b/roles/icinga/files/icinga.conf
@@ -0,0 +1,27 @@
+# apache configuration for icinga
+
+ScriptAlias /cgi-bin/icinga /usr/lib/cgi-bin/icinga
+
+# Where the stylesheets (config files) reside
+Alias /icinga/stylesheets /etc/icinga/stylesheets
+
+# Where the HTML pages live
+Alias /icinga /usr/share/icinga/htdocs
+
+
+ Options FollowSymLinks
+
+ DirectoryIndex index.html
+
+ AllowOverride AuthConfig
+# Require all granted
+
+ AuthName "Icinga Access"
+ AuthType Basic
+ AuthUserFile /etc/icinga/htpasswd.users
+ Require valid-user
+
+
+
+ Options FollowSymLinks MultiViews
+
diff --git a/roles/icinga/files/nt.cfg b/roles/icinga/files/nt.cfg
new file mode 100644
index 0000000..fcae576
--- /dev/null
+++ b/roles/icinga/files/nt.cfg
@@ -0,0 +1,15 @@
+# If you are confused about this command definition, cause you was
+# reading other suggestions, please have a look into
+# /usr/share/doc/monitoring-plugins/README.Debian
+
+# 'check_nt' command definition
+#define command {
+# command_name check_nt
+# command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -v '$ARG1$'
+#}
+
+# 'check_nscp' command definition
+define command {
+ command_name check_nscp
+ command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -p 12489 -v '$ARG1$'
+}
diff --git a/roles/icinga/files/services_icinga.cfg b/roles/icinga/files/services_icinga.cfg
new file mode 100644
index 0000000..4ea25d8
--- /dev/null
+++ b/roles/icinga/files/services_icinga.cfg
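Review bot: The htdocs block guards the Icinga UI with `AuthType Basic` and `AuthUserFile /etc/icinga/htpasswd.users`, but nothing in this vhost fragment forces TLS, so the icingaadmin password travels base64-encoded on every request once the file lands in `sites-enabled/` on a plain-HTTP Apache. Either serve it only from an SSL vhost or add `SSLRequireSSL` next to `Require valid-user` and redirect port 80. The `<Directory>` open/close lines seem to have been lost in this rendering, so block boundaries cannot be confirmed here; as shown, the second block (the CGI path) carries only `Options FollowSymLinks MultiViews` and no `Require`, and the CGIs are the endpoints that accept commands, so verify the authentication also covers `/cgi-bin/icinga` in the full file.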
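Review bot: `check_nscp` is defined as `check_nt -H '$HOSTADDRESS$' -p 12489 -v '$ARG1$'` with no `-s` secret, so every Windows query uses the legacy check_nt protocol unauthenticated and in cleartext. If the NSClient++ agents are configured with a password, pass it as `-s '$USER2$'` from resource.cfg rather than in an object file; if they are not, the 12489 listener should at least be restricted to the Icinga host on the agent side. Note that the stock `check_nt` definition is commented out in this file while services_icinga.cfg still references `check_nt!…`, so those services depend on a `check_nt` command defined elsewhere (presumably the commands.cfg the tasks copy, not visible here) — worth a comment in this file saying where it lives.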
@@ -0,0 +1,106 @@
+define service {
+ hostgroup_name http-servers
+ service_description HTTP
+ check_command check_http
+ use generic-service
+ notification_interval 0 ; set > 0 if you want to be renotified
+}
+
+define service {
+ hostgroup_name ssh-servers
+ service_description SSH
+ check_command check_ssh
+ use generic-service
+ notification_interval 0 ; set > 0 if you want to be renotified
+}
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Espace disque
+ check_command check_snmp_storage!public!--v2c!"^/$|tmp|usr|var"!90!95
+ }
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Charge machine
+ check_command check_snmp_load!public!--v2c!netsl!2,1,1!3,2,2
+ }
+
+define service{
+ use generic-service
+ hostgroup_name localhost
+ service_description Charge machine
+ check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
+ }
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description RAM
+ check_command check_snmp_mem!public!--v2c!-N!95,60!99,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Version NSClient++
+ check_command check_nt!CLIENTVERSION
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Charge CPU
+ check_command check_nt!CPULOAD!-l 5,80,90,15,80,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Uptime
+ check_command check_nt!UPTIME
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Mem Use
+ check_command check_nt!MEMUSE!80,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Disk Space
+ check_command check_nt!USEDDISKSPACE!-l C!10,5
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Service DNS
+ check_command check_nt!SERVICESTATE!-l W32Time,"Client DNS"
+}
+
+define service{
+ use generic-service
+ hostgroup_name uptimegrp
+ service_description Uptime
+ check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0
+}
+
+define service{
+ use generic-service
+ hostgroup_name dns-servers
+ service_description DNS Ext
+ check_command check_dns
+}
+
+#define service{
+# use generic-service
+# hostgroup_name dhcp-servers
+# service_description Service DHCP
+# check_command check_dhcp
+#}
diff --git a/roles/icinga/handlers/main.yml b/roles/icinga/handlers/main.yml
new file mode 100644
index 0000000..721651e
--- /dev/null
+++ b/roles/icinga/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+ - name: restart icinga
+ service: name=icinga state=restarted
+
+ - name: stop icinga
+ service: name=icinga state=stopped
+
+ - name: start icinga
+ service: name=icinga state=started
+
+ - name: restart apache
+ service: name=apache2 state=restarted
diff --git a/roles/icinga/tasks/main.yml b/roles/icinga/tasks/main.yml
new file mode 100644
index 0000000..84a2a8f
--- /dev/null
+++ b/roles/icinga/tasks/main.yml
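Review bot: Every SNMP service embeds the default community `public` with `--v2c` (`check_snmp_storage!public!--v2c!…`, `check_snmp_load!public!--v2c!…`, `check_snmp_mem!public!--v2c!…` and `check_snmp!-C public -o 1.3.6.1.2.1.1.3.0`), so disk, load, memory and uptime of every host in `debian-servers` and `uptimegrp` is readable by anyone on the network who tries the default string, and the community itself crosses the wire in cleartext. At minimum give the agents a non-default community and reference it through a resource macro (`check_snmp_storage!$USER3$!--v2c!…`) so it is not committed in an object file; better, move the Manubulon plugins and check_snmp to SNMPv3 authPriv, which both support. The `check_nt!…` services use the check_nt transport that nt.cfg in this same commit leaves unauthenticated, so the windows-servers group has the same exposure. A one-line header comment stating which file defines `check_nt` (it is commented out in nt.cfg) would also save the next reader a search.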
@@ -0,0 +1,124 @@
+---
+- name: Installation apache2
+ apt:
+ name:
+ - apache2
+ - snmp
+ - icinga
+ - nagios-snmp-plugins
+ - python3-passlib
+ state: present
+
+- name: Copie de fichier icinga.conf pour apache
+ copy: src=icinga.conf dest=/etc/apache2/sites-enabled/
+ notify:
+ - restart icinga
+
+- name: Copier le fichier commands.cfg pour icinga
+ copy: src=commands.cfg dest=/etc/icinga/
+ notify:
+ - restart icinga
+
+- name: Commente la ligne qui pose problème dans nt.cfg
+ copy: src=nt.cfg dest=/etc/nagios-plugins/config/
+ notify:
+ - restart icinga
+
+- name: macro pour test hdd
+ replace:
+ dest: /etc/icinga/icinga.cfg
+ regexp: 'keep_unknown_macros=0'
+ replace: 'keep_unknown_macros=1'
+ backup : yes
+ notify:
+ - restart icinga
+
+- name: python3 par defaut
+ alternatives:
+ link: /usr/bin/python
+ name: python
+ path: /usr/bin/python3
+ priority: 10
+
+- name: Changement de mot de passe de icingaadmin
+ htpasswd:
+ path: /etc/icinga/htpasswd.users
+ name: icingaadmin
+ password: root
+
+
+- name: Copie du fichier contact
+ copy: src=contacts_icinga.cfg dest=/etc/icinga/objects
+
+- name: Copie du fichier s-infra s-proxy s-adm r-int r-ext srv-2012 gwsio2 s-test hostgroup
+ synchronize:
+ src: cfg/
+ dest: /etc/icinga/objects
+ notify:
+ - restart icinga
+
+- name: attribution des droits dossier icinga
+ file:
+ path: /var/lib/icinga
+ owner: nagios
+ mode: 751
+ recurse: yes
+ notify:
+ - restart icinga
+
+- name: attribution des droits dossier icinga rw
+ file:
+ path: /var/lib/icinga/rw
+ owner: nagios
+ mode: 2710
+ recurse: yes
+ notify:
+ - restart icinga
+
+- name: activation des commandes externes
+ replace:
+ dest: /etc/icinga/icinga.cfg
+ regexp: 'check_external_commands=0'
+ replace: 'check_external_commands=1'
+ notify:
+ - restart icinga
+
+- name: reconfiguration des droits avec dpkg statoverride
+ shell: dpkg-statoverride --update --force-all --add nagios www-data 2710 /var/lib/icinga/rw
+
+- name: reconfiguration des droits avec dpkg statoverride
+ shell: dpkg-statoverride --update --force-all --add nagios nagios 751 /var/lib/icinga
+
+- name: suppression de checkresults
+ file:
+ path: /var/lib/icinga/spool/checkresults
+ state: absent
+
+- name: creation du dossier checkresults avec droits de lecture
+ file:
+ path: /var/lib/icinga/spool/checkresults
+ state: directory
+ owner: nagios
+ group: root
+ mode: '755'
+
+ #- name: Changement droit notif
+ # shell: chmod 644 /var/log/icinga/icinga.log
+
+
+#- name: copie dns.cfg
+# copy: remote_src=true src=dns.cfg dest=/etc/nagios-plugins/config
+
+ #- name: copie check traffic
+ # copy: src=check_iftraffic3.pl dest=/usr/lib/nagios/plugins
+
+ #- name: modif des droits plugin traffic
+ # shell: chmod 755 /usr/lib/nagios/plugins/check_iftraffic3.pl
+
+- name: message d'information
+ debug: msg="Pour superviser le Windows, il faut installer NSClient++"
+
+- name: redemarrage apache
+ service:
+ name: apache2
+ state: restarted
diff --git a/roles/itil/README.md b/roles/itil/README.md
new file mode 100644
index 0000000..23e7397
--- /dev/null
+++ b/roles/itil/README.md
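Review bot: `mode: 751` and `mode: 2710` in the two `file:` tasks are bare YAML integers, which Ansible treats as decimal (751 is octal 1357, 2710 is octal 5226), so /var/lib/icinga and /var/lib/icinga/rw get permissions nobody intended and `recurse: yes` pushes them onto every file underneath; write them as `mode: '0751'` and `mode: '2710'`, the quoted form the later `mode: '755'` task already uses. The `htpasswd:` task hard-codes `password: root` for icingaadmin; combined with the Basic-auth-over-HTTP vhost shipped in this role the UI login is both guessable and sniffable, so the value should come from a vaulted variable. The two `shell: dpkg-statoverride …` tasks report changed on every run; a `changed_when` or a `stat` guard would make the play idempotent.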
@@ -0,0 +1,60 @@
+## Comment marche le rôle
+
+Le rôle installe un serveur GLPI fonctionnant graĉe à php et à nginx.
+Ce rôle permet aussi d'installer FusionInventory sur glpi.
+Le rôle permet aussi de sauvegarde la BDD de glpi.
+
+## Comment utiliser GLPI
+
+Après le pull-config, aller sur une machine du réseau n-user et aller sur http://s-itil/install/install.php
+Puis lancer l'installation, les paramètres sql à fournir sont :
+serveur : localhost
+utilisateur : glpi
+mot de passe : glpi
+Selectionner la base glpi
+Ne pas envoyer de statistique d'usage
+
+## Fusion Inventory :
+
+Installer le plugin dans Configuration > Plugins
+Activer le plugin
+Pour que la remonter de l'agent se fasse, il faut ajouter une crontab (crontab -e) sur s-itil : * * * * * /usr/bin/php7.4 /var/www/glpi/front/cron.php &>/dev/null
+Puis éxécuter le tasksheduler dans Configuration > Actions automatiques > taskscheduler
+
+Pour l'agent Windows, récuperer l'agent sur http://s-itil/ficlients
+Il faut faire une installation à parti de 0
+Selectionner comme type d'installation complète
+Dans le mode serveur mettre l'url : http://s-itil/plugins/fusioninventory et cocher la case installation rapide
+
+Pour l'agent Debian il faut installer le paquet fusioninventory-agent
+Ajouter la ligne server = http://s-itil/plugins/fusioninventory dans le fichier /etc/fusioninventory/agent.cfg
+Redemarrer le service fusioninventory-agent puis faite un reload
+Exécuter la commande pkill -USR1 -f -P 1 fusioninventory-agent
+
+## Postfix :
+
+Aller dans Configuration > Notification, activer le suivi et les notification
+Aller dans Configuration des notifications par courriels
+Mettre l'adresse mail de supervision dans : Courriel de l'administrateur, Courriel expéditeur et comme adresse de réponse
+Le mode d'envoie des courriels est SMTP
+l'hôte SMTP est localhost
+## LDAP :
+
+Aller dans Configuration > Authentification > Annuaires LDAP.
+Ajouter un serveur en cliquant sur le +
+Remplisser les cases:
+Nom : s-win
+Serveur par défaut : oui
+Actif : oui
+Serveur : s-win.gsb.lan
+Filtre de connexion : (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
+BaseDN : DC=gsb,DC=lan
+DN du compte : GSB\Administrateur
+Mot de passe : Azerty1+
+Champ de l'identifiant : samaccountname
+
+Pour importer les utilisateurs allez dans Administration > Utilisateur > Liaison annuaire LDAP > Importation de nouveau utilisateurs
+Appuyer sur rechercher
+Puis sélectionner les utilisateurs afficher, allez dans action et sélectionnez importer.
+
+
diff --git a/roles/itil/defaults/main.yml b/roles/itil/defaults/main.yml
new file mode 100644
index 0000000..9d0e586
--- /dev/null
+++ b/roles/itil/defaults/main.yml
@@ -0,0 +1,5 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+depl_glpi: "glpi-9.5.6.tgz"
+depl_fusioninventory: "fusioninventory-9.5+3.0.tar.bz2"
+depl_fusioninventory_agentx64: "fusioninventory-agent_windows-x64_2.6.exe"
+depl_fusioninventory_agentx86: "fusioninventory-agent_windows-x86_2.6.exe"
diff --git a/roles/itil/files/.my.cnf b/roles/itil/files/.my.cnf
new file mode 100644
index 0000000..34d0e25
--- /dev/null
+++ b/roles/itil/files/.my.cnf
@@ -0,0 +1,3 @@
+[client]
+user=root
+password=root
diff --git a/roles/itil/files/dbdump b/roles/itil/files/dbdump
new file mode 100644
index 0000000..f892580
--- /dev/null
+++ b/roles/itil/files/dbdump
@@ -0,0 +1,4 @@
+#!/bin/sh
+chm="/var/www/html/glpi/files/_dumps"
+# Dump base GLPI
+mysqldump -uroot -proot glpi |gzip > $chm/$(date +%Y-%m-%d).sql.gz
diff --git a/roles/itil/files/glpi.conf b/roles/itil/files/glpi.conf
new file mode 100644
index 0000000..4c37222
--- /dev/null
+++ b/roles/itil/files/glpi.conf
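Review bot: This commits a MariaDB superuser credential (`user=root` / `password=root`) as a static file, so the database root password is both trivial and readable by anyone with access to the repository. Render it from a vaulted variable through a template instead, and when the role deploys it make sure the destination is written with `mode: '0600'` so other local accounts cannot read it. The README in this same commit already provisions a separate `glpi` application user; if root is needed only by the dump script, a dedicated read-only dump account would shrink what this file can unlock.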
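Review bot: `mysqldump -uroot -proot glpi` places the root password on the command line, where it is visible in `ps` output for the whole duration of the dump; since the role ships a `.my.cnf` with the same credentials, `mysqldump glpi` (or `mysqldump --defaults-extra-file=<path to .my.cnf> glpi`) removes it from the process list. The pipe into `gzip` also masks failures: `sh` reports gzip's status, so an authentication or lock error still produces a small `.sql.gz` that looks like a valid backup — dump to a temporary file, test mysqldump's exit code, then compress. `$chm` points at `/var/www/html/glpi/files/_dumps`, inside the tree the role installs GLPI into, while glpi.conf in this commit sets `DocumentRoot /var/www/glpi`; whichever path is actually served, a plaintext database dump should live outside the web root with restrictive permissions, and `"$chm"` should be quoted.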
@@ -0,0 +1,12 @@
+DocumentRoot /var/www/glpi
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride All
+ Order allow,deny
+ allow from all
+ AuthType Basic
+
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
+ CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/glpi_error.log
diff --git a/roles/itil/handlers/main.yml b/roles/itil/handlers/main.yml
new file mode 100644
index 0000000..2d5614c
--- /dev/null
+++ b/roles/itil/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+ - name: restart php-fpm
+ service: name=php7.0-fpm state=restarted
+
+ - name: restart nginx
+ service: name=nginx state=restarted
+
+ - name: restart mariadb-server
+ service: name=mariadb-server state=restarted
diff --git a/roles/itil/tasks/main.yml b/roles/itil/tasks/main.yml
new file mode 100644
index 0000000..fe619d5
--- /dev/null
+++ b/roles/itil/tasks/main.yml
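Review bot: `Options Indexes FollowSymLinks MultiViews` on the GLPI document root enables directory listings, which on a GLPI tree exposes `files/`, `config/` and any `_dumps` directory to browsing; drop `Indexes` (`Options FollowSymLinks`). `Order allow,deny` / `allow from all` is Apache 2.2 syntax that 2.4 ignores or rejects without mod_access_compat, and `AuthType Basic` with no `AuthUserFile` or `Require` is an incomplete auth block that protects nothing — either finish it or remove it. The `<Directory>` open/close lines appear to be missing from this rendering, and the itil tasks in this commit install nginx with a `block.j2` template rather than Apache, so it is unclear whether this file is used at all; if it is dead, delete it rather than ship a weaker second web config.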
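Review bot: `restart php-fpm` restarts `php7.0-fpm`, but every path the itil tasks edit is under `/etc/php/7.4/fpm/`, so on that system the handler targets a unit that does not exist and the pool `listen = 127.0.0.1:9000` change is never picked up until someone restarts PHP-FPM by hand; use `service: name=php7.4-fpm state=restarted` or derive the version from a variable shared with the tasks. `mariadb-server` is a package name rather than a unit name — on Debian the service is usually `mariadb` — so that handler likely fails as well; verify on the target. Note the tasks file in this commit ends outside this chunk, so I cannot confirm every handler is actually notified.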
@@ -0,0 +1,160 @@ +--- + - name: Installation des paquets + apt: + state: latest + name: + - nginx + - php-fpm + - php-mbstring + - php-mysql + - php-gd + - php-curl + - php-xml + - php-apcu + - php-ldap + - php-imap + - php-xmlrpc + - php-cas + - python3-mysqldb + - mariadb-server + - python3-pymysql + - php-intl + - php-bz2 + - php-zip + - postfix + - mailutils + + - name: Changement listen dans le fichier conf de php7.3 + replace: + dest: /etc/php/7.4/fpm/pool.d/www.conf + regexp: 'listen = /run/php/php7.4-fpm.sock' + replace: 'listen = 127.0.0.1:9000' + backup: yes + + - name: Effacement block nginx default + file: + path: /etc/nginx/sites-enabled/default + state: absent + + - name: Creation fichier block nginx + template: + src: block.j2 + dest: /etc/nginx/sites-enabled/glpi + + - name: Remplacement dans le fichier de conf php du timeout + replace: + dest: /etc/php/7.4/fpm/php.ini + regexp: 'max_execution_time = 30' + replace: 'max_execution_time = 600' + backup: yes + + notify: + - restart nginx + + - name: Creation de la base de donnee mysql + mysql_db: + name: "{{ glpi_dbname }}" + state: present + login_unix_socket: /var/run/mysqld/mysqld.sock + + - name: Creation de l'utilisateur mysql avec tous les privileges + mysql_user: + name: "{{ glpi_dbuser }}" + password: "{{ glpi_dbpasswd }}" + priv: "*.*:ALL,GRANT" + login_unix_socket: /var/run/mysqld/mysqld.sock + with_items: + - 127.0.0.1 +# - ::1 +# - localhost + + - name: Creation du repertoire {{ glpi_dir }} + file: + path: "{{ glpi_dir }}" + state: directory + owner: www-data + group: www-data + + - name: Installation de GLPI + unarchive: + src: "{{ depl_url }}/{{ depl_glpi }}" + dest: /var/www/html + remote_src: yes + owner: www-data + group: www-data + + - name: Changement des attributs {{ glpi_dir }} + file: + path: "{{ glpi_dir }}" + owner: www-data + group: www-data + mode: 0755 + recurse: yes + + - name: Changement des attributs {{ glpi_dir }}/plugins + file: + path: "{{ glpi_dir }}/plugins" + mode: 
0777 + owner: www-data + group: www-data + recurse: yes + +# - name: Attribution des permissions +# shell: chown -R www-data:www-data /var/www/html/glpi/ + +# - name: copy .my.cnf file with root password credentials +# copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600 + + - name: Installation de Fusioninventory pour Linux + unarchive: + src: "{{ depl_url }}/{{ depl_fusioninventory }}" + #src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2 + dest: /var/www/html/glpi/plugins + remote_src: yes + + - name: Creation de ficlient + file: + path: /var/www/html/ficlients + state: directory + owner: www-data + group: www-data + mode: 0775 + + - name: Attribution des droits nginx.index + file: + path: /var/www/html/index.nginx-debian.html + owner: www-data + group: www-data + mode: 0775 + + - name: Installation de FusionInventory windows x64 + get_url: + url: "{{ depl_url }}/{{ depl_fusioninventory_agentx64 }}" + dest: "/var/www/html/ficlients" + + - name: Installation de FusionInventory windows x86 + get_url: + url: "{{ depl_url }}/{{ depl_fusioninventory_agentx86 }}" + dest: "/var/www/html/ficlients" + + - name: Attribution des permissions sur repertoire /plugins/fusioninventory + file: + path: /var/www/html/glpi/plugins/fusioninventory + owner: www-data + group: www-data + recurse: yes + state: directory + + - name: Copie du script dbdump + copy: + src: dbdump + dest: /root/ + + - name: chmod de dbdump + shell: chmod +x /root/dbdump + + - debug: + msg: "Redemarrez le serveur GLPI" + + - debug: + msg: "L'utilisateur mysql:ID:glpi et MDP:glpi" diff --git a/roles/itil/templates/block.j2 b/roles/itil/templates/block.j2 new file mode 100644 index 0000000..0cec4f7 --- /dev/null +++ b/roles/itil/templates/block.j2 
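Review bot: `mode: 0777` on `{{ glpi_dir }}/plugins` makes the plugin tree world-writable, so any local account on the host can alter code the web server executes; with `owner: www-data`/`group: www-data` already set in the same task, `mode: 0755` is sufficient (the later `Attribution des permissions sur repertoire /plugins/fusioninventory` task sets no mode and would keep 0777 from the recurse). `priv: "*.*:ALL,GRANT"` hands the application account global superuser rights plus the ability to grant them; `priv: "{{ glpi_dbname }}.*:ALL"` is what GLPI needs. The `with_items` on that task has no `host: "{{ item }}"`, so the loop variable is unused and the user is created for the module's default host on every iteration. `shell: chmod +x /root/dbdump` is better expressed as `mode: '0755'` on the preceding `copy` task, which also keeps the play idempotent, and the final `debug` message states the database password (`MDP:glpi`) in the play log.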
@@ -0,0 +1,23 @@
+server {
+ listen 80 default_server;
+ root {{ glpi_dir }};
+ index index.php;
+ server_name localhost;
+
+ location / {try_files $uri $uri/ index.php;}
+
+ #prise en charge PHP
+ location ~ \.php$ {
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ fastcgi_param SERVER_NAME $host;
+ }
+
+ location /ficlients {
+ root /var/www/html;
+ autoindex on;
+ }
+}
diff --git a/roles/local-store/files/getall-2021 b/roles/local-store/files/getall-2021
new file mode 100644
index 0000000..c2f3226
--- /dev/null
+++ b/roles/local-store/files/getall-2021
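Review bot: The `location ~ \.php$` block forwards every `.php` URI to php-fpm without checking that the file exists; add `try_files $uri =404;` as its first directive so requests for non-existent scripts are answered by nginx rather than resolved by the FastCGI backend, which is the standard mitigation for PATH_INFO misresolution. The server block also leaves GLPI's `files/` and `config/` directories reachable — the `dbdump` script in this same commit writes database exports under `files/_dumps`, and `config/` holds the database credentials — whereas GLPI's own .htaccess presumably denies them under Apache, so nginx needs explicit `deny all` locations. `include fastcgi_params;` appears twice (once by absolute path); the second include is redundant. `autoindex on` for `/ficlients` looks intentional for distributing the agent installers, so I have left it alone.
```nginx
    location ~ \.php$ {
        try_files $uri =404;
        # … unchanged: fastcgi_pass / fastcgi_index / fastcgi_param directives …
    }

    # GLPI keeps uploads, dumps and config_db.php under these paths
    location ~ ^/(files|config|install)/ {
        deny all;
    }
```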
@@ -0,0 +1,25 @@
+#!/bin/bash
+GLPIREL=9.5.3
+wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz
+
+FIREL=9.5+1.0
+#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz
+#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+
+FIAGREL=2.6
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe
+
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe
+
+FOGREL=1.5.9
+wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz
+#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz
+
+#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz
+
+GOSSVER=v0.3.16
+curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss
+chmod +x goss
+
diff --git a/roles/local-store/files/getall-latest b/roles/local-store/files/getall-latest
new file mode 100644
index 0000000..c2f3226
--- /dev/null
+++ b/roles/local-store/files/getall-latest
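Review bot: Nothing in this script verifies what it downloads: the GLPI, FusionInventory, FOG, WordPress and goss artifacts are fetched with `wget -nc`/`curl -L`, `goss` is marked executable without any digest check, and everything is then served to every host through the plain-http `depl_url` of roles/itil/defaults, so the fleet's supply chain rests entirely on this one run. Keep the expected digests in a tracked file and finish the script with `sha256sum -c SHA256SUMS` (failing on mismatch), and add `set -euo pipefail` after the shebang so a failed download does not leave a half-populated store. The versions also disagree with the consumer: roles/itil/defaults expects `glpi-9.5.6.tgz` and `fusioninventory-9.5+3.0.tar.bz2`, while this script fetches 9.5.3 and 9.5.0+1.0, so the itil role's `unarchive` would not find its archives in this store. `getall-latest` in the next hunk is a byte-identical copy (same blob `c2f3226`) despite its name and carries the same issues; either drop it or make it actually track newer releases.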
@@ -0,0 +1,25 @@ +#!/bin/bash +GLPIREL=9.5.3 +wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz + +FIREL=9.5+1.0 +#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz +#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2 +wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2 + +FIAGREL=2.6 +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe + +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe + +FOGREL=1.5.9 +wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz +#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz + +#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz +wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz + +GOSSVER=v0.3.16 +curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss +chmod +x goss + diff --git a/roles/local-store/tasks/main.yml b/roles/local-store/tasks/main.yml new file mode 100644 index 0000000..1dc1ae9 --- /dev/null +++ b/roles/local-store/tasks/main.yml @@ -0,0 +1,18 @@ +--- + +- name: Installation bind9 + file: + path: /var/www/html/gsbstore/ + state: directory + mode: '0755' + +- name: Copie getall-latest + copy: + src: getall-latest + dest: /var/www/html/gsbstore + +- name: Copie getall-2021 + copy: + src: getall-2021 + dest: /var/www/html/gsbstore + diff --git a/roles/mariadb-ab/README.md b/roles/mariadb-ab/README.md new file mode 100644 index 0000000..7c52ca0 --- /dev/null +++ b/roles/mariadb-ab/README.md 
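Review bot: The task `- name: Installation bind9` only creates `/var/www/html/gsbstore/`; the name is misleading and should describe the action, e.g. `- name: Creation du repertoire gsbstore`. The two `copy` tasks set no `mode`, so the getall scripts land with the copy module's default permissions; if they are meant to be executed from the store, set `mode: '0755'` explicitly, otherwise `mode: '0644'`. Nothing in this role installs or configures the web server expected to serve `gsbstore` over `depl_url`, so that presumably comes from another role and is worth a comment at the top of the file.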
@@ -0,0 +1,4 @@ +##Installation de s-lb-bd + +Ce rôle installe mariadb avec python puis créer une base de données wordpress accessible depuis le réseau 192.168.102.0/24. + diff --git a/roles/mariadb-ab/_travis.yml b/roles/mariadb-ab/_travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/mariadb-ab/_travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/mariadb-ab/defaults/main.yml b/roles/mariadb-ab/defaults/main.yml new file mode 100644 index 0000000..bf0e537 --- /dev/null +++ b/roles/mariadb-ab/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for mariadb diff --git a/roles/mariadb-ab/files/my.cnf b/roles/mariadb-ab/files/my.cnf new file mode 100644 index 0000000..1308652 --- /dev/null +++ b/roles/mariadb-ab/files/my.cnf 
@@ -0,0 +1,128 @@ +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +#bind-address = 127.0.0.1 +# +# * Fine Tuning +# +key_buffer = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. 
+# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Here you can see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mysql-slow.log +#slow_query_log = 1 +#long_query_time = 2 +#log_queries_not_using_indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + + + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +!includedir /etc/mysql/conf.d/ diff --git a/roles/mariadb-ab/handlers/main.yml b/roles/mariadb-ab/handlers/main.yml new file mode 100644 index 0000000..49ba9f4 --- /dev/null +++ b/roles/mariadb-ab/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for mariadb diff --git a/roles/mariadb-ab/meta/main.yml b/roles/mariadb-ab/meta/main.yml new file mode 100644 index 0000000..6f81d2b 
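Review bot: With `#bind-address = 127.0.0.1` commented out and the file ending in `!includedir /etc/mysql/conf.d/` only, the server listens on every interface: the Debian stock my.cnf also includes `/etc/mysql/mariadb.conf.d/`, whose `50-server.cnf` carries the `bind-address = 127.0.0.1` line (the `roles/mariadb` tasks in this same commit edit exactly that file), so replacing my.cnf silently drops that include and the restriction with it. The role's README says the database should be reachable from 192.168.102.0/24; set `bind-address = <address of the 192.168.102.0/24 interface>` explicitly instead of relying on a network firewall, and keep the mariadb.conf.d include. The TLS block stays commented (`# ssl-ca=...`), so the WordPress credentials used by the `mysql_user` task cross the network in clear. Several option names look like the MySQL 5.5-era template (`key_buffer`, `myisam-recover`, `query_cache_*`); confirm they are still accepted by the MariaDB version Debian ships, since an unknown option prevents mysqld from starting.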
--- /dev/null +++ b/roles/mariadb-ab/meta/main.yml 
@@ -0,0 +1,232 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 1.2 + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If travis integration is cofigured, only notification for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! 
+ # + #platforms: + #- name: OpenBSD + # versions: + # - all + # - 5.6 + # - 5.7 + # - 5.8 + # - 5.9 + # - 6.0 + # - 6.1 + # - 6.2 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + # - 24 + # - 25 + # - 26 + #- name: DellOS + # versions: + # - all + # - 10 + # - 6 + # - 9 + #- name: MacOSX + # versions: + # - all + # - 10.10 + # - 10.11 + # - 10.12 + # - 10.7 + # - 10.8 + # - 10.9 + #- name: Synology + # versions: + # - all + # - any + #- name: Junos + # versions: + # - all + # - any + #- name: GenericBSD + # versions: + # - all + # - any + #- name: Void Linux + # versions: + # - all + # - any + #- name: GenericLinux + # versions: + # - all + # - any + #- name: NXOS + # versions: + # - all + # - any + #- name: macOS + # versions: + # - all + # - Sierra + #- name: IOS + # versions: + # - all + # - any + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + # - 2016.03 + # - 2016.09 + #- name: ArchLinux + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 10.0 + # - 10.1 + # - 10.2 + # - 10.3 + # - 11.0 + # - 11.1 + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + #- name: Ubuntu + # versions: + # - all + # - artful + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + # - utopic + # - vivid + # - wily + # - xenial + # - yakkety + # - zesty + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - sid + # - squeeze + # - stretch + # - wheezy + #- name: Alpine + # versions: + # - all + # - any + #- name: EL + # versions: + # - all + # - 5 + # - 6 + # - 7 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 
10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + # - 11SP4 + # - 12 + # - 12SP1 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: eos + # versions: + # - all + # - Any + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. \ No newline at end of file diff --git a/roles/mariadb-ab/tasks/main.yml b/roles/mariadb-ab/tasks/main.yml new file mode 100644 index 0000000..9d434fe --- /dev/null +++ b/roles/mariadb-ab/tasks/main.yml @@ -0,0 +1,42 @@ +--- +- name: Installation des paquets python-mysqldb mariadb-server + apt: + name: + - python3-mysqldb + - mariadb-server + - python3-passlib + - python3-pymysql + state: present + +- name: python3 par defaut + alternatives: + link: /usr/bin/python + name: python + path: /usr/bin/python3 + priority: 10 + +- name: Create mysql database + mysql_db: + name: "{{ maria_dbname }}" + state: present + login_unix_socket: /var/run/mysqld/mysqld.sock + +- name: Creation de l'utilisateur mysql avec tous les privileges + mysql_user: + name: "{{ maria_dbuser }}" + password: "{{ maria_dbpasswd }}" + priv: '*.*:ALL,GRANT' + login_unix_socket: /var/run/mysqld/mysqld.sock + host: 192.168.102.% +# - ::1 +# - localhost + +- name: Copie du fichier my.cnf pour autorises toutes les adresses sur le port 3306 + copy: + src: my.cnf + dest: /etc/mysql/ + +- name: Redemarrage du service mariadb + service: + name: mariadb + state: restarted 
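Review bot: `priv: '*.*:ALL,GRANT'` together with `host: 192.168.102.%` creates a global superuser with the GRANT option that accepts connections from the whole subnet; a WordPress account only needs `priv: "{{ maria_dbname }}.*:ALL"`. The `alternatives` task repoints the system-wide `/usr/bin/python` to python3, which is outside this role's purpose and can break other Python 2 tooling on the host; if it is only needed for Ansible, set `ansible_python_interpreter` in the inventory instead. The final `service: state: restarted` runs on every play and restarts the database unconditionally; move it to a handler notified by the `copy` task so it only fires when my.cnf actually changes.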
diff --git a/roles/mariadb-ab/tests/inventory b/roles/mariadb-ab/tests/inventory new file mode 100644 index 0000000..d18580b --- /dev/null +++ b/roles/mariadb-ab/tests/inventory @@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/roles/mariadb-ab/tests/test.yml b/roles/mariadb-ab/tests/test.yml new file mode 100644 index 0000000..ec4a223 --- /dev/null +++ b/roles/mariadb-ab/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - mariadb \ No newline at end of file diff --git a/roles/mariadb-ab/vars/main.yml b/roles/mariadb-ab/vars/main.yml new file mode 100644 index 0000000..618771d --- /dev/null +++ b/roles/mariadb-ab/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for mariadb diff --git a/roles/mariadb/README.md b/roles/mariadb/README.md new file mode 100644 index 0000000..4316917 --- /dev/null +++ b/roles/mariadb/README.md @@ -0,0 +1,4 @@ +##Installation de s-lb-bd + +Ce rôle installe mariadb avec python puis créer une base de données wordpress accessible depuis le réseau 192.168.102.0/24. + diff --git a/roles/mariadb/_travis.yml b/roles/mariadb/_travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/mariadb/_travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml new file mode 100644 index 0000000..bf0e537 --- /dev/null +++ b/roles/mariadb/defaults/main.yml 
@@ -0,0 +1,2 @@ +--- +# defaults file for mariadb diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml new file mode 100644 index 0000000..49ba9f4 --- /dev/null +++ b/roles/mariadb/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for mariadb diff --git a/roles/mariadb/meta/main.yml b/roles/mariadb/meta/main.yml new file mode 100644 index 0000000..6f81d2b --- /dev/null +++ b/roles/mariadb/meta/main.yml 
@@ -0,0 +1,232 @@ +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 1.2 + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If travis integration is cofigured, only notification for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! 
+ # + #platforms: + #- name: OpenBSD + # versions: + # - all + # - 5.6 + # - 5.7 + # - 5.8 + # - 5.9 + # - 6.0 + # - 6.1 + # - 6.2 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + # - 24 + # - 25 + # - 26 + #- name: DellOS + # versions: + # - all + # - 10 + # - 6 + # - 9 + #- name: MacOSX + # versions: + # - all + # - 10.10 + # - 10.11 + # - 10.12 + # - 10.7 + # - 10.8 + # - 10.9 + #- name: Synology + # versions: + # - all + # - any + #- name: Junos + # versions: + # - all + # - any + #- name: GenericBSD + # versions: + # - all + # - any + #- name: Void Linux + # versions: + # - all + # - any + #- name: GenericLinux + # versions: + # - all + # - any + #- name: NXOS + # versions: + # - all + # - any + #- name: macOS + # versions: + # - all + # - Sierra + #- name: IOS + # versions: + # - all + # - any + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + # - 2016.03 + # - 2016.09 + #- name: ArchLinux + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 10.0 + # - 10.1 + # - 10.2 + # - 10.3 + # - 11.0 + # - 11.1 + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + #- name: Ubuntu + # versions: + # - all + # - artful + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + # - utopic + # - vivid + # - wily + # - xenial + # - yakkety + # - zesty + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - sid + # - squeeze + # - stretch + # - wheezy + #- name: Alpine + # versions: + # - all + # - any + #- name: EL + # versions: + # - all + # - 5 + # - 6 + # - 7 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 
10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + # - 11SP4 + # - 12 + # - 12SP1 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: eos + # versions: + # - all + # - Any + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. \ No newline at end of file diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml new file mode 100644 index 0000000..b857b5c --- /dev/null +++ b/roles/mariadb/tasks/main.yml @@ -0,0 +1,15 @@ +--- +# tasks file for mariadb +- name: Installation de python-mysqldb + apt: name=python-mysqldb state=present + +- name: Installation de mariadb-server + apt: name=mariadb-server state=present + +- name: Create mysql database + mysql_db: name={{ maria_dbname }} state=present + +- name: Commenter la ligne + replace: dest=/etc/mysql/mariadb.conf.d/50-server.cnf + regexp='bind-address = 127.0.0.1' + replace='#bind-address = 127.0.0.1' \ No newline at end of file diff --git a/roles/mariadb/tests/inventory b/roles/mariadb/tests/inventory new file mode 100644 index 0000000..d18580b --- /dev/null +++ b/roles/mariadb/tests/inventory @@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/roles/mariadb/tests/test.yml b/roles/mariadb/tests/test.yml new file mode 100644 index 0000000..ec4a223 --- /dev/null +++ b/roles/mariadb/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - mariadb \ No newline at end of file 
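Review bot: The `Commenter la ligne` task removes `bind-address = 127.0.0.1` from `50-server.cnf`, which makes MariaDB listen on every interface, yet the role neither restricts the listener to the intended 192.168.102.0/24 interface nor restarts the service (no handler, no `notify:`), so the edit only takes effect at the next unrelated restart. Replace the comment-out with `replace: 'bind-address = <address on the 192.168.102.0/24 interface>'` and add a `restart mariadb` handler notified by this task. `apt: name=python-mysqldb` is the Python 2 binding while the sibling `mariadb-ab` role installs `python3-mysqldb`; on current Debian the Python 2 package presumably no longer exists, so the two roles should agree. `mysql_db` here also lacks the `login_unix_socket` the same task carries in `mariadb-ab`. Two near-duplicate roles (`mariadb`, `mariadb-ab`) with identical README text is confusing in itself; the README should state which one s-lb-bd actually uses.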
diff --git a/roles/mariadb/vars/main.yml b/roles/mariadb/vars/main.yml
new file mode 100644
index 0000000..618771d
--- /dev/null
+++ b/roles/mariadb/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for mariadb
diff --git a/roles/mess/files/nslcd.conf b/roles/mess/files/nslcd.conf
new file mode 100644
index 0000000..29ea826
--- /dev/null
+++ b/roles/mess/files/nslcd.conf
@@ -0,0 +1,31 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldap://172.16.0.6:389
+
+# The search base that will be used for all queries.
+base cn=Users,dc=gsb,dc=lan
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+binddn cn=ncsld-connect,cn=Users,dc=gsb,dc=lan
+bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+
+# The search scope.
+#scope sub
+
diff --git a/roles/mess/files/pam_ldap.conf b/roles/mess/files/pam_ldap.conf
new file mode 100644
index 0000000..f23a43a
--- /dev/null
+++ b/roles/mess/files/pam_ldap.conf
@@ -0,0 +1,6 @@
+base dc=gsb,dc=lan
+binddn cn=nslcd-connect,cn=Users,dc=gsb,dc=lan
+bindpw secret
+bind_policy soft
+uri ldap://172.16.0.6:389/
+ssl no
diff --git a/roles/mess/files/slapd.conf b/roles/mess/files/slapd.conf
new file mode 100644
index 0000000..4aed8b9
--- /dev/null
+++ b/roles/mess/files/slapd.conf
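Review bot: `bindpw secret` is committed in clear text in both `nslcd.conf` and `pam_ldap.conf`, and the two files disagree on the bind DN — `cn=ncsld-connect` here versus `cn=nslcd-connect` in pam_ldap.conf — so one of them cannot bind at all. Both also use plain `ldap://172.16.0.6:389` with TLS disabled (`#ssl off`, `ssl no`), so the bind password and every lookup cross the network unencrypted; enable `ssl start_tls` with `tls_reqcert demand` and a `tls_cacertfile` pointing at the domain CA, or at least record why clear text is acceptable on this segment. Render the password from a vaulted variable with `template:` rather than a tracked file, and deploy nslcd.conf as `owner=root group=nslcd mode=0640` (matching the package default) so the secret stays unreadable to other local users.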
@@ -0,0 +1,144 @@ +# This is the main slapd configuration file. See slapd.conf(5) for more +# info on the configuration options. + +####################################################################### +# Global Directives: + +# Features to permit +#allow bind_v2 + +# Schema and objectClass definitions +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/nis.schema +include /etc/ldap/schema/inetorgperson.schema +include /etc/ldap/schema/mailserver.schema +include /etc/ldap/schema/sudo.schema +include /etc/ldap/schema/samba.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile /var/run/slapd/slapd.pid + +# List of arguments that were passed to the server +argsfile /var/run/slapd/slapd.args + +password-hash {SSHA} + +# Read slapd.conf(5) for possible values +loglevel 256 + +# Where the dynamically loaded modules are stored +modulepath /usr/lib/ldap +moduleload back_ldap +moduleload rwm + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. 
+tool-threads 1 + +####################################################################### +# Specific Backend Directives for hdb: +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +backend ldap + + +####################################################################### +# Specific Backend Directives for 'other': +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +#backend + +####################################################################### +# Specific Directives for database #1, of type hdb: +# Database specific directives apply to this databasse until another +# 'database' directive occurs +database ldap + +# The base of your directory in database #1 +suffix "dc=gsb,dc=lan" +uri "ldap://172.16.0.6:389" +#directory "/var/lib/ldap" + +# The dbconfig settings are used to generate a DB_CONFIG file the first +# time slapd starts. They do NOT override existing an existing DB_CONFIG +# file. You should therefore change these settings in DB_CONFIG directly +# or remove DB_CONFIG and restart slapd for changes to take effect. + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +#dbconfig set_cachesize 0 2097152 0 + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 for more +# information. + +# Number of objects that can be locked at the same time. +#dbconfig set_lk_max_objects 1500 +# Number of locks (both requested and granted) +#dbconfig set_lk_max_locks 1500 +# Number of lockers +#dbconfig set_lk_max_lockers 1500 + +# Indexing options for database #1 +#index objectClass eq +#index uid eq,sub +#index entryCSN,entryUUID eq + +# Save the time that the entry gets modified, for database #1 +lastmod on + +# Checkpoint the BerkeleyDB database periodically in case of system +# failure and to speed slapd shutdown. 
+#checkpoint 512 30 + +# Where to store the replica logs for database #1 +# replogfile /var/lib/ldap/replog + +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword + by dn="cn=admin,dc=yunohost,dc=org" write + by anonymous auth + by self write + by * none + +access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn + by dn="cn=admin,dc=yunohost,dc=org" write + by self write + by * read + + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by dn="cn=admin,dc=yunohost,dc=org" write + by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write + by * read + +####################################################################### +# Specific Directives for database #2, of type 'other' (can be hdb too): +# Database specific directives apply to this databasse until another +# 'database' directive occurs +#database + +# The base of your directory for database #2 +#suffix "dc=debian,dc=org" diff --git a/roles/mess/handlers/main.yml b/roles/mess/handlers/main.yml new file mode 100644 index 0000000..6ad92ff --- /dev/null +++ b/roles/mess/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart slapd + service: name=slapd state=restarted diff --git a/roles/mess/tasks/main.yml b/roles/mess/tasks/main.yml new file mode 100644 index 0000000..82a7113 --- /dev/null +++ b/roles/mess/tasks/main.yml 
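Review bot: Every write ACL in this file names `cn=admin,dc=yunohost,dc=org` or `cn=admin,ou=groups,dc=yunohost,dc=org`, but the database suffix is `dc=gsb,dc=lan`, so those `by dn=...` clauses never match and the `by * read` catch-all is the effective policy for the proxied directory — the file looks copied from a YunoHost template without adapting the DNs. The `database ldap` proxy talks to `ldap://172.16.0.6:389` in clear, and the `include` lines reference `mailserver.schema`, `sudo.schema` and `samba.schema`, which are not shipped with slapd itself, so slapd would refuse to start unless those files are provided separately. `roles/mess/tasks/main.yml` has the copy of this file commented out, so it is currently unused; either finish it (correct DNs, `ldaps://` or start_tls to the backend, confirm the schemas exist) or drop it rather than keeping a half-configured ACL set in the repository.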
@@ -0,0 +1,15 @@
+---
+#- name: Installation openLDAP
+# apt: name=slapd state=present update_cache=yes
+
+#- name: Copie du slapd.conf
+# copy: src=slapd.conf dest=/etc/openldap
+
+- name: Copie du nslcd.conf
+ copy: src=nslcd.conf dest=/etc/
+
+- name: Copie du pam_ldap.conf
+ copy: src=pam_ldap.conf dest=/etc/
+
+- name: Recup du depot git
+ git: repo=https://github.com/YunoHost/install_script dest=/tmp/install_script
diff --git a/roles/metricbeat-cli/README.md b/roles/metricbeat-cli/README.md
new file mode 100644
index 0000000..224f3d6
--- /dev/null
+++ b/roles/metricbeat-cli/README.md
@@ -0,0 +1,9 @@
+## Utilisation du rôle metricbeat-cli
+
+Ce rôle permet d'installer l'agent metricbeat pour le serveur ELK.
+Metricbeat sert à faire des statistiques de performances sur les différents serveurs.
+Ce rôle fonctionne en faisant :
+Une installation de metricbeat,
+Une configuration de metricbeat,
+Active le module system pour avoir les statistiques d'usages du système sur ELK,
+Lance la configuration de metricbeat.
diff --git a/roles/metricbeat-cli/files/metricbeat.yml b/roles/metricbeat-cli/files/metricbeat.yml
new file mode 100644
index 0000000..72f1878
--- /dev/null
+++ b/roles/metricbeat-cli/files/metricbeat.yml
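Review bot: The `git:` task at the end of the hunk clones the YunoHost install_script repository at whatever its default branch currently points to, so each play pulls unreviewed upstream code into /tmp with nothing pinning or verifying what is later executed; pin it with a `version:` to a tag or commit, e.g. `git: repo=https://github.com/YunoHost/install_script dest=/tmp/install_script version=<PINNED_COMMIT>`. The two `copy:` tasks drop nslcd.conf and pam_ldap.conf into /etc/ without `owner`/`mode`; if those files carry an LDAP bind password (not visible in this hunk) they should get `mode=0600` the way the `.my.cnf` copy in the mysql role does. The commented-out slapd tasks are dead config and would be clearer removed than kept alongside the live ones.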
@@ -0,0 +1,189 @@ +###################### Metricbeat Configuration Example ####################### + +# This file is an example configuration file highlighting only the most common +# options. The metricbeat.reference.yml file from the same directory contains all the +# supported options with more comments. You can use it as a reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/metricbeat/index.html + +# =========================== Modules configuration ============================ + +metricbeat.config.modules: + # Glob pattern for configuration loading + path: ${path.config}/modules.d/*.yml + + # Set to true to enable config reloading + reload.enabled: false + + # Period on which files under path should be checked for changes + #reload.period: 10s + +# ======================= Elasticsearch template setting ======================= + +setup.template.settings: + index.number_of_shards: 1 + index.codec: best_compression + #_source.enabled: false + + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + +# ================================= Dashboards ================================= +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here or by using the `setup` command. +#setup.dashboards.enabled: false + +# The URL from where to download the dashboards archive. By default this URL +# has a value which is computed based on the Beat name and version. 
For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +# =================================== Kibana =================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + host: "s-elk.gsb.lan:5601" + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Metricbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Array of hosts to connect to. + hosts: ["s-elk.gsb.lan:9200"] + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. 
+ #api_key: "id:api_key" + username: "elastic" + password: "changeme" + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +# ================================= Processors ================================= + +# Configure processors to enhance or manipulate events generated by the beat. + +processors: + - add_host_metadata: ~ + - add_cloud_metadata: ~ + - add_docker_metadata: ~ + - add_kubernetes_metadata: ~ + + +# ================================== Logging =================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publisher", "service". +#logging.selectors: ["*"] + +# ============================= X-Pack Monitoring ============================== +# Metricbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Metricbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: + +# Uncomment to send the metrics to Elasticsearch. 
Most settings from the +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ============================== Instrumentation =============================== + +# Instrumentation support for the metricbeat. +#instrumentation: + # Set to true to enable instrumentation of metricbeat. + #enabled: false + + # Environment in which metricbeat is running on (eg: staging, production, etc.) + #environment: "" + + # APM Server hosts to report instrumentation results to. + #hosts: + # - http://localhost:8200 + + # API Key for the APM Server(s). + # If api_key is set then secret_token will be ignored. + #api_key: + + # Secret token for the APM Server(s). + #secret_token: + + +# ================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true + diff --git a/roles/metricbeat-cli/handlers/main.yml b/roles/metricbeat-cli/handlers/main.yml new file mode 100644 index 0000000..ee365f2 --- /dev/null +++ b/roles/metricbeat-cli/handlers/main.yml @@ -0,0 +1,5 @@ +- name: start metricbeat + service: + name: metricbeat + state: started + enabled: yes diff --git a/roles/metricbeat-cli/tasks/main.yml b/roles/metricbeat-cli/tasks/main.yml new file mode 100644 index 0000000..be76be8 --- /dev/null +++ b/roles/metricbeat-cli/tasks/main.yml 
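Review bot: The `output.elasticsearch` block near the start of the hunk ships the Elasticsearch credentials in clear — `username: "elastic"` and `password: "changeme"` are the stack's default superuser, committed to the role's files directory — and with `#protocol: "https"` left commented the beat sends them to s-elk.gsb.lan:9200 over plain HTTP. The password should not live in this file: template it from an Ansible Vault variable, or put it in the beat keystore and reference it as `password: "${ES_PWD}"`, and replace the `elastic` superuser with a dedicated publishing user. Enabling `protocol: "https"` together with `ssl.certificate_authorities` on the output would keep both the credentials and the collected metrics off the wire in clear; the `setup.kibana.host` entry defaults to http as well and should be treated the same way.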
@@ -0,0 +1,23 @@
+---
+- name: Récupération de metricbeat
+ get_url:
+ url: http://s-adm.gsb.adm/gsbstore/metricbeat-7.16.3-amd64.deb
+ dest: /tmp/
+
+- name: Installation de metricbeat
+ apt:
+ deb: /tmp/metricbeat-7.16.3-amd64.deb
+
+- name: Changement du fichier de conf
+ copy:
+ src: metricbeat.yml
+ dest: /etc/metricbeat/metricbeat.yml
+
+- name: Configuration de metricbeat
+ shell: metricbeat modules enable system
+ notify: start metricbeat
+
+- name: Lancement de la configuration de metricbeat
+ shell: metricbeat setup -e
+ notify: start metricbeat
+
diff --git a/roles/mysql/defaults/main.yml b/roles/mysql/defaults/main.yml
new file mode 100644
index 0000000..c6d435b
--- /dev/null
+++ b/roles/mysql/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+wp_mysql_db: wordpress
+wp_mysql_user: wp
+wp_mysql_password: wp
diff --git a/roles/mysql/files/.my.cnf b/roles/mysql/files/.my.cnf
new file mode 100644
index 0000000..34d0e25
--- /dev/null
+++ b/roles/mysql/files/.my.cnf
@@ -0,0 +1,3 @@
+[client]
+user=root
+password=root
diff --git a/roles/mysql/handlers/main.yml b/roles/mysql/handlers/main.yml
new file mode 100644
index 0000000..caa5308
--- /dev/null
+++ b/roles/mysql/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart mysql-server
+ service: name=mysql-server state=restarted
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
new file mode 100644
index 0000000..eb11703
--- /dev/null
+++ b/roles/mysql/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# - name: Create mysql database
+# mysql_db: name={{ wp_mysql_db }} state=present
+
+# - name: Create mysql user
+# mysql_user:
+# name={{ wp_mysql_user }}
+# password={{ wp_mysql_password }}
+# priv=*.*:ALL
+# host=localhost
+
+ - name: copy .my.cnf file with root password credentials
+ copy: src=.my.cnf dest=/root/.my.cnf owner=root mode=0600
diff --git a/roles/nagios/README.md b/roles/nagios/README.md
new file mode 100644
index 0000000..864d951
--- /dev/null
+++ b/roles/nagios/README.md
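Review bot: The `get_url` task fetches metricbeat-7.16.3-amd64.deb over plain HTTP from s-adm and the next task installs it as root with `apt: deb:` and no integrity check, so a tampered or truncated package on that path is installed without complaint; add `checksum: sha256:<EXPECTED_SHA256>` to the `get_url` task, with the value taken from Elastic's published checksum for that release. The two `shell:` tasks (`metricbeat modules enable system` and `metricbeat setup -e`) run and report changed on every play, so the handler is notified each time; `command:` with `creates: /etc/metricbeat/modules.d/system.yml` for the first and `changed_when: false` or a `creates:` marker for the second would make the role idempotent. The task order (module enabled before `setup` runs) matches what the role's README describes.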
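Review bot: The mysql role commits plaintext credentials in two of its hunks, `wp_mysql_password: wp` in defaults/main.yml and `password=root` in files/.my.cnf, and both now sit in the repository history and on every host the role touches. Move the values to vaulted variables and generate `.my.cnf` with `template:` instead of `copy:`, so the tracked file holds `password={{ mysql_root_password }}` rather than the secret; the existing `owner=root mode=0600` on the copy task is right and should be kept. In handlers/main.yml, `service: name=mysql-server state=restarted` looks like the Debian package name rather than the service unit (`mysql` or `mariadb`), so the handler will probably fail if it ever fires — confirm against the target's unit name.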
@@ -0,0 +1,152 @@ +# Rôle nagios +*** +Rôle Nagios pour la supervision des différentes machines + +## Tables des matières + 1. [Que fait le rôle Nagios ?] + 2. [NSClient++] + + +## Que fait le rôle Nagios ? + + +### Installation et configuration de Nagios4 + +Le rôle Nagios va installer apache2 pour le serveur web, snmp pour la supervision, nagios4 qui sera notre outil de supervision, les plugins de nagios4. + +On copie les fichiers pour apache, les commandes de nagios, le fichiers des groupes de machines pour la supervision, le fichier des différents services à superviser, on autorise ensuite l'authentification et on définit le mot de passe. + +Pour l'id de Nagios, c'est "nagiosadmin", à l'adresse "https://s-mon/nagios4". + +``` + +new password: nimda +Retype password: nimda + +``` + +On définit par la suite l'adresse mail de contact pour les notifications par mail, on copie tous les fichiers cfg des machines. + + + +Il faut désormais installer NSClient++ sur la machine s-win pour permettre la supervision des différents services. +Veuillez suivre le tutoriel suivant: + + +## Installation de NSClient++ sur la machine s-win + +En premier lieu, installer Mozilla Firefox via Internet Explorer. + +Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/) + +Puis choisir la version Windows + +### Etapes de l'installation + +Sur l'étape **Select monitoring tool**, sélectionner **Generic**. + +Sur l'étape **Choose setup type**, sélectionner **Typical**. + +Sur l'étape **NSClient++ Configuration: + +``` + +Allowed hosts: 172.16.0.8 + +Password: root + +``` + +Activer **check plugins, check_nt et check_nrpe**. + +**Laisser NSCA client et web server désactivé** + +Cocher la case **Insecure legacy mode** + + +Terminer l'installation. + +### Modification des fichiers + +Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient.ini** (celui avec un rouage). 
+ +Une fois ouvert, modifier tout le fichier avec ceci: + +``` + +#If you want to fill this file with all available options run the following command: +#nscp settings --generate --add-defaults --load-all +#If you want to activate a module and bring in all its options use: +#nscp settings --activate-module --add-defaults +#For details run: nscp settings --help + + +; in flight - TODO +[/settings/default] + +; Undocumented key +password = root + +; Undocumented key +allowed hosts = 172.16.0.8 + + +; in flight - TODO +[/settings/NRPE/server] + +; Undocumented key +verify mode = none + +; Undocumented key +insecure = true + + +; in flight - TODO +[/modules] + +; Undocumented key +CheckExternalScripts = enabled + +; Undocumented key +CheckHelpers = enabled + +; Undocumented key +CheckEventLog = enabled + +; Undocumented key +CheckNSCP = enabled + +; Undocumented key +CheckDisk = enabled + +; Undocumented key +CheckSystem = enabled + +; Undocumented key +NSClientServer = enabled + +; Undocumented key +NRPEServer = enabled + +``` + +Redémarrez le service NSClient++ via le **cmd**: + +``` + +services.msc + +``` + +Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer** + + +Retourner sur le serveur nagios puis écrire: + +``` + +systemctl restart nagios4 + +``` + +Les services de la machine **srv-2012** apparaissent en **OK**. diff --git a/roles/nagios/files/cfg/localhost.cfg b/roles/nagios/files/cfg/localhost.cfg new file mode 100644 index 0000000..cc142b2 --- /dev/null +++ b/roles/nagios/files/cfg/localhost.cfg 
@@ -0,0 +1,159 @@ +############################################################################### +# LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE +# +# +# NOTE: This config file is intended to serve as an *extremely* simple +# example of how you can create configuration entries to monitor +# the local (Linux) machine. +# +############################################################################### + + + +############################################################################### +# +# HOST DEFINITION +# +############################################################################### + +# Define a host for the local machine + +define host { + + use linux-server ; Name of host template to use + ; This host definition will inherit all variables that are defined + ; in (or inherited by) the linux-server host template definition. + host_name localhost + alias localhost + address 127.0.0.1 +} + + + +############################################################################### +# +# HOST GROUP DEFINITION +# +############################################################################### + +# Define an optional hostgroup for Linux machines + +define hostgroup { + + hostgroup_name linux-servers ; The name of the hostgroup + alias Linux Servers ; Long name of the group + members localhost ; Comma separated list of hosts that belong to this group +} + + + +############################################################################### +# +# SERVICE DEFINITIONS +# +############################################################################### + +# Define a service to "ping" the local machine + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description PING + check_command check_ping!100.0,20%!500.0,60% +} + + + +# Define a service to check the disk space of the root partition +# on the local machine. Warning if < 20% free, critical if +# < 10% free space on partition. 
+ +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Root Partition + check_command check_local_disk!20%!10%!/ +} + + + +# Define a service to check the number of currently logged in +# users on the local machine. Warning if > 20 users, critical +# if > 50 users. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Current Users + check_command check_local_users!20!50 +} + + + +# Define a service to check the number of currently running procs +# on the local machine. Warning if > 250 processes, critical if +# > 400 processes. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Total Processes + check_command check_local_procs!250!400!RSZDT +} + + + +# Define a service to check the load on the local machine. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Current Load + check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0 +} + + + +# Define a service to check the swap usage the local machine. +# Critical if less than 10% of swap is free, warning if less than 20% is free + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description Swap Usage + check_command check_local_swap!20%!10% +} + + + +# Define a service to check SSH on the local machine. +# Disable notifications for this service by default, as not all users may have SSH enabled. + +define service { + + use local-service ; Name of service template to use + host_name localhost + service_description SSH + check_command check_ssh + notifications_enabled 0 +} + + + +# Define a service to check HTTP on the local machine. +# Disable notifications for this service by default, as not all users may have HTTP enabled. 
+
+define service {
+
+ use local-service ; Name of service template to use
+ host_name localhost
+ service_description HTTP
+ check_command check_http
+ notifications_enabled 0
+}
diff --git a/roles/nagios/files/cfg/r-ext.cfg b/roles/nagios/files/cfg/r-ext.cfg
new file mode 100644
index 0000000..13ec13e
--- /dev/null
+++ b/roles/nagios/files/cfg/r-ext.cfg
@@ -0,0 +1,15 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name r-ext
+ alias serveur proxy
+ address 192.168.200.253
+ parents r-int
+ }
+
+
diff --git a/roles/nagios/files/cfg/r-int.cfg b/roles/nagios/files/cfg/r-int.cfg
new file mode 100644
index 0000000..c6366f0
--- /dev/null
+++ b/roles/nagios/files/cfg/r-int.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name r-int
+ alias serveur proxy
+ address 172.16.0.254
+ }
+
+
diff --git a/roles/nagios/files/cfg/s-adm.cfg b/roles/nagios/files/cfg/s-adm.cfg
new file mode 100644
index 0000000..50a2366
--- /dev/null
+++ b/roles/nagios/files/cfg/s-adm.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-adm
+ alias debian-servers
+ address 192.168.99.99
+ }
+
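Review bot: The `alias serveur proxy` line in r-ext.cfg is copy-pasted from a proxy host definition and is wrong for a router, and the same alias is repeated in r-int.cfg, s-backup.cfg, s-fog.cfg, s-itil.cfg, s-proxy.cfg and s-win.cfg, while s-adm.cfg, s-appli.cfg, s-infra.cfg and s-nxc.cfg use the hostgroup name `debian-servers` as their alias. `$HOSTALIAS$` is what `notify-service-by-email` in commands.cfg puts in the alert subject and body, so an operator paged about s-win will read "serveur proxy". Give each host a descriptive alias, e.g. `alias routeur externe` here and `alias serveur Windows` in s-win.cfg, and drop the boilerplate header comment that still says "monitoring the local host".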
diff --git a/roles/nagios/files/cfg/s-appli.cfg b/roles/nagios/files/cfg/s-appli.cfg
new file mode 100644
index 0000000..e71a2cf
--- /dev/null
+++ b/roles/nagios/files/cfg/s-appli.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-appli
+ alias debian-servers
+ address 172.16.0.3
+ }
+
diff --git a/roles/nagios/files/cfg/s-backup.cfg b/roles/nagios/files/cfg/s-backup.cfg
new file mode 100644
index 0000000..b75a576
--- /dev/null
+++ b/roles/nagios/files/cfg/s-backup.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-backup
+ alias serveur proxy
+ address 172.16.0.4
+ }
+
diff --git a/roles/nagios/files/cfg/s-fog.cfg b/roles/nagios/files/cfg/s-fog.cfg
new file mode 100644
index 0000000..0e57c04
--- /dev/null
+++ b/roles/nagios/files/cfg/s-fog.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-fog
+ alias serveur proxy
+ address 172.16.0.16
+ }
+
+
diff --git a/roles/nagios/files/cfg/s-infra.cfg b/roles/nagios/files/cfg/s-infra.cfg
new file mode 100644
index 0000000..6005eaf
--- /dev/null
+++ b/roles/nagios/files/cfg/s-infra.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-infra
+ alias debian-servers
+ address 172.16.0.1
+ }
+
diff --git a/roles/nagios/files/cfg/s-itil.cfg b/roles/nagios/files/cfg/s-itil.cfg
new file mode 100644
index 0000000..8e6686d
--- /dev/null
+++ b/roles/nagios/files/cfg/s-itil.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-itil
+ alias serveur proxy
+ address 172.16.0.9
+ }
+
+
diff --git a/roles/nagios/files/cfg/s-nxc.cfg b/roles/nagios/files/cfg/s-nxc.cfg
new file mode 100644
index 0000000..2d9f480
--- /dev/null
+++ b/roles/nagios/files/cfg/s-nxc.cfg
@@ -0,0 +1,13 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-nxc
+ alias debian-servers
+ address 172.16.0.7
+ }
+
diff --git a/roles/nagios/files/cfg/s-proxy.cfg b/roles/nagios/files/cfg/s-proxy.cfg
new file mode 100644
index 0000000..feff838
--- /dev/null
+++ b/roles/nagios/files/cfg/s-proxy.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-proxy
+ alias serveur proxy
+ address 172.16.0.2
+ }
+
+
diff --git a/roles/nagios/files/cfg/s-win.cfg b/roles/nagios/files/cfg/s-win.cfg
new file mode 100644
index 0000000..93ad782
--- /dev/null
+++ b/roles/nagios/files/cfg/s-win.cfg
@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define host{
+ use linux-server ; Name of host template to use
+ host_name s-win
+ alias serveur proxy
+ address 172.16.0.6
+ }
+
+
diff --git a/roles/nagios/files/commands.cfg b/roles/nagios/files/commands.cfg
new file mode 100644
index 0000000..3cd0a0a
--- /dev/null
+++ b/roles/nagios/files/commands.cfg
@@ -0,0 +1,151 @@ +############################################################################### +# COMMANDS.CFG - SAMPLE COMMAND DEFINITIONS FOR NAGIOS +############################################################################### + + +################################################################################ +# NOTIFICATION COMMANDS +################################################################################ + + +# 'notify-host-by-email' command definition +define command{ + command_name notify-host-by-email + command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$ + } + +# 'notify-service-by-email' command definition +define command{ + command_name notify-service-by-email + command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$ + } + + + + + +################################################################################ +# HOST CHECK COMMANDS +################################################################################ + +# On Debian, check-host-alive is being defined from within the +# nagios-plugins-basic package + +define command { + + command_name check_local_disk + command_line $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ +} + + + +define command { + + command_name check_local_load + command_line $USER1$/check_load -w $ARG1$ -c $ARG2$ +} + + + +define command { + + command_name check_local_procs + command_line $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ +} + + + 
+define command { + + command_name check_local_users + command_line $USER1$/check_users -w $ARG1$ -c $ARG2$ +} + + + +define command { + + command_name check_local_swap + command_line $USER1$/check_swap -w $ARG1$ -c $ARG2$ +} + + +define command{ + command_name check_snmp_storage + command_line $USER1$/check_snmp_storage.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -m $ARG3$ -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_snmp_load + command_line $USER1$/check_snmp_load.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -T $ARG3$ -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_snmp_mem + command_line $USER1$/check_snmp_mem.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ $ARG3$ -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_snmp_int + command_line $USER1$/check_snmp_netint.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -n $ARG3$ -a -m -k -M -w $ARG4$ -c $ARG5$ +} + +define command{ + command_name check_iftraffic3 + #command_name check_win_int + #command_line $USER1$/check_iftraffic3.pl -H $HOSTADDRESS$ -C $ARG1$ + #command_line $USER1$/check_snmp_int.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -n $ARG3$ -k -M -g -w $ARG4$ -c $ARG5$ + command_line $USER1$/check_iftraffic3.pl -H $HOSTADDRESS$ -C $ARG1$ -i $ARG2$ -w $ARG3$ -c $ARG4$ +} + +define command{ + command_name check_snmp + command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$ +} +############################### +##WINDOWS +############################### + +define command{ + command_name check_nt + command_line $USER1$/check_nt -H $HOSTADDRESS$ -s root -p 12489 -v $ARG1$ $ARG2$ +} + +define command{ + command_name check_dns_ext + command_line $USER1$/check_dns -H google.com -s '$HOSTADDRESS$' +} + +#define command{ +# command_line check_dns_int +# command_line $USER1*/check_dns -H s-infra.gsb.lan -s '$HOSTADDRESS$' +#} + +#define command{ +# command_line check_dhcp +# command_line $USER1$/check_dhcp -H $HOSTADDRESS$ -s $ARG1$ -i $ARG2$ +#} + +#define command{ +# command_name check_dig +# command_line 
 /usr/lib/nagios/plugins/check_dig -H '$HOSTADDRESS$' -l '$ARG1$'
+#}
+
+
+################################################################################
+# PERFORMANCE DATA COMMANDS
+################################################################################
+
+
+# 'process-host-perfdata' command definition
+define command{
+ command_name process-host-perfdata
+ command_line /usr/bin/printf "%b" "$LASTHOSTCHECK$\t$HOSTNAME$\t$HOSTSTATE$\t$HOSTATTEMPT$\t$HOSTSTATETYPE$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$\n" >> /var/lib/nagios3/host-perfdata.out
+ }
+
+
+# 'process-service-perfdata' command definition
+define command{
+ command_name process-service-perfdata
+ command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/lib/nagios3/service-perfdata.out
+ }
diff --git a/roles/nagios/files/hostgroups.cfg b/roles/nagios/files/hostgroups.cfg
new file mode 100644
index 0000000..28dd996
--- /dev/null
+++ b/roles/nagios/files/hostgroups.cfg
@@ -0,0 +1,30 @@
+define hostgroup {
+
+ hostgroup_name debian-servers ; The name of the hostgroup
+ alias Linux Servers ; Long name of the group
+ members s-infra, s-proxy, s-adm, s-nxc, s-appli, s-backup, s-itil, s-fog, r-int, r-ext ; Comma separated list of hosts that belong to this group
+}
+
+define hostgroup {
+ hostgroup_name windows-servers
+ alias Serveurs Windows
+ members s-win
+}
+
+define hostgroup {
+ hostgroup_name http-servers
+ alias Serveurs web
+ members s-itil
+}
+
+define hostgroup {
+ hostgroup_name dhcp-servers
+ alias Serveurs DHCP
+ members s-adm, r-int
+}
+
+define hostgroup {
+ hostgroup_name dns-servers
+ alias Serveurs DNS
+ members s-infra, s-backup
+}
diff --git a/roles/nagios/files/interfaces b/roles/nagios/files/interfaces
new file mode 100644
index 0000000..711e54c
--- /dev/null
+++ b/roles/nagios/files/interfaces
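Review bot: The `check_nt` command definition hardcodes the NSClient++ shared secret on its command line (`-s root -p 12489`), so the password is visible in the process list of every check and in commands.cfg itself, and it is the same weak value the README tells the reader to type into the NSClient++ installer. Nagios reads `$USERn$` macros from resource.cfg, which it documents as the place for sensitive values and which should be readable only by the nagios user, so the secret belongs there: `command_line $USER1$/check_nt -H $HOSTADDRESS$ -s $USER2$ -p 12489 -v $ARG1$ $ARG2$`. The two perfdata commands at the end append to `/var/lib/nagios3/…` although the rest of the role targets nagios4 (README, `systemctl restart nagios4`), so those paths look stale. The commented-out `check_dns_int` and `check_dhcp` blocks also use `command_line` twice where the first should be `command_name`, and `$USER1*` is a typo for `$USER1$`, which will bite whoever uncomments them.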
@@ -0,0 +1,23 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+ address 192.168.99.104/24
+ gateway 192.168.99.99
+
+# Cote n-infra
+allow-hotplug enp0s8
+iface enp0s8 inet static
+ address 172.16.0.8/24
+ up ip route add 172.16.64.0/24 via 172.16.0.254
+ up ip route add 172.16.128.0/24 via 172.16.0.254
+ up ip route add 192.168.0.0/16 via 172.16.0.254
+ up ip route add 192.168.200.0/24 via 172.16.0.254
diff --git a/roles/nagios/files/nt.cfg b/roles/nagios/files/nt.cfg
new file mode 100644
index 0000000..fcae576
--- /dev/null
+++ b/roles/nagios/files/nt.cfg
@@ -0,0 +1,15 @@
+# If you are confused about this command definition, cause you was
+# reading other suggestions, please have a look into
+# /usr/share/doc/monitoring-plugins/README.Debian
+
+# 'check_nt' command definition
+#define command {
+# command_name check_nt
+# command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -v '$ARG1$'
+#}
+
+# 'check_nscp' command definition
+define command {
+ command_name check_nscp
+ command_line /usr/lib/nagios/plugins/check_nt -H '$HOSTADDRESS$' -p 12489 -v '$ARG1$'
+}
diff --git a/roles/nagios/files/sasl_passwd b/roles/nagios/files/sasl_passwd
new file mode 100644
index 0000000..861c6a3
--- /dev/null
+++ b/roles/nagios/files/sasl_passwd
@@ -0,0 +1,2 @@
+[smtp.gmail.com]:587 nagios.gsb22@gmail.com:Azerty1+
+chmod 600 /etc/postfix/sasl_passwd
diff --git a/roles/nagios/files/services.cfg b/roles/nagios/files/services.cfg
new file mode 100644
index 0000000..b67860e
--- /dev/null
+++ b/roles/nagios/files/services.cfg
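Review bot: The sasl_passwd hunk commits a live Gmail account password in clear on its first line, so it is now in the repository history for anyone with read access; that credential should be rotated and the file generated from a vaulted variable with `template:` instead of being shipped from files/. The second line, `chmod 600 /etc/postfix/sasl_passwd`, is a shell command pasted into the map file itself — postmap will index it as a lookup key `chmod` — and belongs in the role as `mode: '0600'` on the copy/template task, followed by the `postmap` run the file needs to be usable. A dedicated application password on a mailbox used only for notifications would also limit the damage if this file leaks again.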
@@ -0,0 +1,126 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+#
+
+define service {
+ use generic-service
+ hostgroup_name debian-servers
+ service_description PING
+ check_command check_ping!100.0,20%!500.0,60%
+}
+
+define service {
+ use generic-service
+ hostgroup_name windows-servers
+ service_description PING
+ check_command check_ping!100.0,20%!500.0,60%
+}
+
+define service {
+ hostgroup_name http-servers
+ service_description HTTP
+ check_command check_http
+ use generic-service
+ notification_interval 0 ; set > 0 if you want to be renotified
+}
+
+define service {
+ hostgroup_name debian-servers
+ service_description SSH
+ check_command check_ssh
+ use generic-service
+ notification_interval 0 ; set > 0 if you want to be renotified
+}
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Espace disque
+ check_command check_snmp_storage!public!--v2c!"^/$|tmp|usr|var"!90!95
+ }
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Charge machine
+ check_command check_snmp_load!public!--v2c!netsl!2,1,1!3,2,2
+ }
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Charge machine
+ check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
+ }
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description RAM
+ check_command check_snmp_mem!public!--v2c!-N!95,60!99,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name debian-servers
+ service_description Uptime
+ check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Uptime
+ check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Charge CPU
+ check_command check_nt!CPULOAD!-l 5,80,90,15,80,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Uptime
+ check_command check_nt!UPTIME
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Mem Use
+ check_command check_nt!MEMUSE!80,90
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Disk Space
+ check_command check_nt!USEDDISKSPACE!-l C!10,5
+}
+
+define service{
+ use generic-service
+ hostgroup_name windows-servers
+ service_description Service DNS
+ check_command check_nt!SERVICESTATE!-l W32Time,"Client DNS"
+}
+
+define service{
+ use generic-service
+ hostgroup_name dns-servers
+ service_description DNS Ext
+ check_command check_dns_ext
+}
+
+#define service{
+# use generic-service
+# hostgroup_name dns-servers
+# service_description DNS Int
+# check_command check_dns_int
+#}
diff --git a/roles/nagios/handlers/main.yml b/roles/nagios/handlers/main.yml
new file mode 100644
index 0000000..37ed5f0
--- /dev/null
+++ b/roles/nagios/handlers/main.yml
@@ -0,0 +1,17 @@
+- name: restart nagios4
+ service:
+ name: nagios4
+ state: restarted
+ enabled: yes
+
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
+ enabled: yes
+
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
+ enabled: yes
diff --git a/roles/nagios/tasks/main.yml b/roles/nagios/tasks/main.yml
new file mode 100644
index 0000000..5248cd4
--- /dev/null
+++ b/roles/nagios/tasks/main.yml
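Review bot: `Charge machine` is defined twice for hostgroup debian-servers (check_snmp_load and check_load) and `Uptime` twice for windows-servers (check_snmp and check_nt!UPTIME); Nagios expands hostgroup services per host and rejects duplicate service descriptions on the same host, so `nagios4 -v` will fail until one of each pair is renamed (e.g. `service_description Charge machine (SNMP)`) or removed. The windows-servers services call `check_nt`, while roles/nagios/files/nt.cfg in this same commit comments that command out and defines only `check_nscp`; this works only if commands.cfg (whose hunk starts outside this view) defines `check_nt` with the NSClient port, otherwise these should call `check_nscp`. The SNMP checks embed the default community `public` with `--v2c` in every check_command; move it to a `$USERn$` macro in resource.cfg, which the main config reserves for sensitive values, and change the community away from the default on the agents.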
@@ -0,0 +1,124 @@
+- name: apt update
+ tags: update
+ apt:
+ update-cache: yes
+ cache_valid_time: 3600
+
+- name: Installation apache2
+ tags: apache
+ apt:
+ name:
+ - apache2
+ - snmp
+ - nagios4
+ - nagios-snmp-plugins
+ - python3-passlib
+ state: present
+
+- name: Copie du fichier nagios4-cgi.conf pour apache
+ tags: nagios4-cgi
+ template:
+ src: nagios4-cgi.conf.j2
+ dest: /etc/apache2/conf-enabled/nagios4-cgi.conf
+ notify: restart nagios4
+
+- name: Copier le fichier commands.cfg pour nagios
+ tags: commande
+ copy:
+ src: commands.cfg
+ dest: /etc/nagios4/objects/commands.cfg
+ notify: restart nagios4
+
+- name: Copie le fichier nt.cfg pour commenter la ligne qui pose problème
+ tags: nt.cfg
+ copy:
+ src: nt.cfg
+ dest: /etc/nagios-plugins/config/nt.cfg
+ notify: restart nagios4
+
+- name: Copie du fichier hostgroup pour nagios
+ tags: groups
+ copy:
+ src: hostgroups.cfg
+ dest: /etc/nagios4/objects
+ notify: restart nagios4
+
+- name: Copie du fichier des services
+ tags: services
+ copy:
+ src: services.cfg
+ dest: /etc/nagios4/objects
+ notify: restart nagios4
+
+- name: python3 par defaut
+ tags: python3
+ alternatives:
+ link: /usr/bin/python
+ name: python
+ path: /usr/bin/python3
+ priority: 10
+
+- name: Remplacement de la ligne use_authentication=0
+ tags: authentication
+ replace:
+ path: /etc/nagios4/cgi.cfg
+ regexp: 'use_authentication=0'
+ replace: 'use_authentication=1'
+ notify: restart nagios4
+
+
+- name: a2enmod rewrite cgi
+ tags: a2enmod
+ command: a2enmod rewrite cgi
+ notify:
+ - restart apache2
+ - restart nagios4
+
+- name: Mot de passe pour nagiosadmin
+ tags: passwd
+ command: htdigest -c /etc/nagios4/htdigest.users "{{ access }}" nagiosadmin
+ register: htpexist
+
+- name: Copie du fichier contact
+ tags: contact
+ template:
+ src: contacts.cfg.j2
+ dest: /etc/nagios4/objects/contacts.cfg
+
+- name: Copie des fichiers des machines
+ tags: cfg
+ copy:
+ src: cfg/
+ dest: /etc/nagios4/objects
+ notify: restart nagios4
+
+-
name: Copie du fichier nagios.cfg
+ tags: nagios.cfg
+ template:
+ src: nagios.cfg.j2
+ dest: /etc/nagios4/nagios.cfg
+ notify:
+ - restart nagios4
+ - restart apache2
+
+- name: Suppression du fichier windows.cfg
+ tags: windowscfg
+ file:
+ state: absent
+ path: /etc/nagios4/objects/windows.cfg
+
+- name: Suppression du fichier printer.cfg
+ tags: printercfg
+ file:
+ state: absent
+ path: /etc/nagios4/objects/printer.cfg
+
+- name: Suppression du fichier switch.cfg
+ tags: switchcfg
+ file:
+ state: absent
+ path: /etc/nagios4/objects/switch.cfg
+
+- name: message d'information
+ tags: msg
+ debug: msg="Pour superviser le Windows, il faut installer NSClient++"
\ No newline at end of file
diff --git a/roles/nagios/templates/contacts.cfg.j2 b/roles/nagios/templates/contacts.cfg.j2
new file mode 100644
index 0000000..a0d7984
--- /dev/null
+++ b/roles/nagios/templates/contacts.cfg.j2
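Review bot: The `Mot de passe pour nagiosadmin` task cannot run unattended: `htdigest` prompts for the password on stdin, and with `-c` it recreates htdigest.users on every run, so the task is neither non-interactive nor idempotent, and `register: htpexist` is never used. Either feed the password through the command module — `args: {creates: /etc/nagios4/htdigest.users, stdin: "{{ nagiosadmin_password }}\n{{ nagiosadmin_password }}"}` with the variable kept in Ansible Vault (the name is a suggestion) — or render the digest line from a template. The `Copie du fichier contact` task has no `notify: restart nagios4`, so a changed contacts.cfg is only picked up when some other task happens to restart the daemon. The `a2enmod rewrite cgi` task likewise reports changed on every run; `creates: /etc/apache2/mods-enabled/cgi.load` would make it idempotent.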
@@ -0,0 +1,57 @@
+###############################################################################
+# CONTACTS.CFG - SAMPLE CONTACT/CONTACTGROUP DEFINITIONS
+#
+#
+# NOTES: This config file provides you with some example contact and contact
+# group definitions that you can reference in host and service
+# definitions.
+#
+# You don't need to keep these definitions in a separate file from your
+# other object definitions. This has been done just to make things
+# easier to understand.
+#
+###############################################################################
+
+
+
+###############################################################################
+#
+# CONTACTS
+#
+###############################################################################
+
+# Just one contact defined by default - the Nagios admin (that's you)
+# This contact definition inherits a lot of default values from the
+# 'generic-contact' template which is defined elsewhere.
+
+define contact {
+
+ contact_name nagiosadmin
+ use generic-contact
+ alias Administrateur
+ service_notification_period 24x7
+ host_notification_period 24x7
+ service_notification_options w,u,c,r
+ host_notification_options d,r
+ service_notification_commands notify-service-by-email
+ host_notification_commands notify-host-by-email
+ email nagios.gsb22@gmail.com
+}
+
+
+
+###############################################################################
+#
+# CONTACT GROUPS
+#
+###############################################################################
+
+# We only have one contact in this simple configuration file, so there is
+# no need to create more than one contact group.
+
+define contactgroup {
+
+ contactgroup_name admins
+ alias Nagios Administrators
+ members nagiosadmin
+}
diff --git a/roles/nagios/templates/main.cf.j2 b/roles/nagios/templates/main.cf.j2
new file mode 100644
index 0000000..a47b0cb
--- /dev/null
+++ b/roles/nagios/templates/main.cf.j2
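Review bot: This is a Jinja template but contains no variables; the `email` line is hard-coded to a personal Gmail mailbox, so the template adds nothing over a static file. Either define the address in the role's defaults and use `email {{ nagios_admin_email }}` (variable name is a suggestion), or move the file to `files/` next to the other static configs. The header still reads 'SAMPLE CONTACT/CONTACTGROUP DEFINITIONS' from the upstream example; a one-line description of this role's actual contact set would be more useful than the copied boilerplate.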
@@ -0,0 +1,10 @@
+#On active l'authentification SASL
+smtp_sasl_auth_enable=yes
+#Les méthodes pour l'authenfication anonyme
+smtp_sasl_security_options=noanonymous
+#Le chemin de sasl_passwd
+smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd
+#On active le cryptage STARTTLS
+smtp_tls_security_level=encrypt
+#Chemin des certificats CA
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificate.crt
diff --git a/roles/nagios/templates/nagios.cfg.j2 b/roles/nagios/templates/nagios.cfg.j2
new file mode 100644
index 0000000..7d8e1df
--- /dev/null
+++ b/roles/nagios/templates/nagios.cfg.j2
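Review bot: `smtp_tls_security_level=encrypt` enforces TLS but does not verify the relay's certificate, so the `smtp_tls_CAfile` line has no enforcing effect and the SASL credential is exposed to anyone able to intercept the connection; use `smtp_tls_security_level=secure` (or at least `verify`) and point `smtp_tls_CAfile` at Debian's bundle `/etc/ssl/certs/ca-certificates.crt` — the path given here, `ca-certificate.crt`, is not the file the ca-certificates package installs. The template sets no `relayhost=[smtp.gmail.com]:587`, and the `[smtp.gmail.com]:587` key in sasl_passwd is only consulted for that next-hop, so unless relayhost is configured elsewhere the credentials are never used. `smtp_sasl_password_maps` points at `/etc/postfix/sasl/sasl_passwd` whereas roles/nagios/files/sasl_passwd and its chmod line use `/etc/postfix/sasl_passwd`; the two must agree, and the `.db` must be built with `postmap`. The comment on line 3 describes `noanonymous` as "les méthodes pour l'authentification anonyme" when it does the opposite; `#Interdit les mécanismes SASL anonymes` would be accurate.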
@@ -0,0 +1,1394 @@ +############################################################################## +# +# NAGIOS.CFG - Sample Main Config File for Nagios 4.4.6 +# +# Read the documentation for more information on this configuration +# file. I've provided some comments here, but things may not be so +# clear without further explanation. +# +# +############################################################################## + + +# LOG FILE +# This is the main log file where service and host events are logged +# for historical purposes. This should be the first option specified +# in the config file!!! + +log_file=/var/log/nagios4/nagios.log + + + +# Debian also defaults to using the check commands defined by the debian +# monitoring-plugins package +cfg_dir=/etc/nagios-plugins/config + +# Debian uses by default a configuration directory where nagios4-common, +# other packages and the local admin can dump or link configuration +# files into. +#cfg_dir=/etc/nagios4/conf.d +cfg_dir=/etc/nagios4/objects + + + + +# OBJECT CONFIGURATION FILE(S) +# These are the object configuration files in which you define hosts, +# host groups, contacts, contact groups, services, etc. +# You can split your object definitions across several config files +# if you wish (as shown below), or keep them all in a single config file. 
+ +# You can specify individual object config files as shown below: +#cfg_file=/etc/nagios4/objects/commands.cfg +#cfg_file=/etc/nagios4/objects/contacts.cfg +#cfg_file=/etc/nagios4/objects/timeperiods.cfg +#cfg_file=/etc/nagios4/objects/templates.cfg + +# Definitions for monitoring the local (Linux) host +#cfg_file=/etc/nagios4/objects/localhost.cfg +#cfg_file=/etc/nagios4/objects/s-infra.cfg +#cfg_file=/etc/nagios4/objects/s-proxy.cfg + + +# Definitions for monitoring a Windows machine +#cfg_file=/etc/nagios4/objects/windows.cfg + +# Definitions for monitoring a router/switch +#cfg_file=/etc/nagios4/objects/switch.cfg + +# Definitions for monitoring a network printer +#cfg_file=/etc/nagios4/objects/printer.cfg + + +# You can also tell Nagios to process all config files (with a .cfg +# extension) in a particular directory by using the cfg_dir +# directive as shown below: + +#cfg_dir=/etc/nagios4/servers +#cfg_dir=/etc/nagios4/printers +#cfg_dir=/etc/nagios4/switches +#cfg_dir=/etc/nagios4/routers + + + + +# OBJECT CACHE FILE +# This option determines where object definitions are cached when +# Nagios starts/restarts. The CGIs read object definitions from +# this cache file (rather than looking at the object config files +# directly) in order to prevent inconsistencies that can occur +# when the config files are modified after Nagios starts. + +object_cache_file=/var/lib/nagios4/objects.cache + + + +# PRE-CACHED OBJECT FILE +# This options determines the location of the precached object file. +# If you run Nagios with the -p command line option, it will preprocess +# your object configuration file(s) and write the cached config to this +# file. You can then start Nagios with the -u option to have it read +# object definitions from this precached file, rather than the standard +# object configuration files (see the cfg_file and cfg_dir options above). 
+# Using a precached object file can speed up the time needed to (re)start +# the Nagios process if you've got a large and/or complex configuration. +# Read the documentation section on optimizing Nagios to find our more +# about how this feature works. + +precached_object_file=/var/lib/nagios4/objects.precache + + + +# RESOURCE FILE +# This is an optional resource file that contains $USERx$ macro +# definitions. Multiple resource files can be specified by using +# multiple resource_file definitions. The CGIs will not attempt to +# read the contents of resource files, so information that is +# considered to be sensitive (usernames, passwords, etc) can be +# defined as macros in this file and restrictive permissions (600) +# can be placed on this file. + +resource_file=/etc/nagios4/resource.cfg + + + +# STATUS FILE +# This is where the current status of all monitored services and +# hosts is stored. Its contents are read and processed by the CGIs. +# The contents of the status file are deleted every time Nagios +# restarts. + +status_file=/var/lib/nagios4/status.dat + + + +# STATUS FILE UPDATE INTERVAL +# This option determines the frequency (in seconds) that +# Nagios will periodically dump program, host, and +# service status data. + +status_update_interval=10 + + + +# NAGIOS USER +# This determines the effective user that Nagios should run as. +# You can either supply a username or a UID. + +nagios_user=nagios + + + +# NAGIOS GROUP +# This determines the effective group that Nagios should run as. +# You can either supply a group name or a GID. + +nagios_group=nagios + + + +# EXTERNAL COMMAND OPTION +# This option allows you to specify whether or not Nagios should check +# for external commands (in the command file defined below). +# By default Nagios will check for external commands. +# If you want to be able to use the CGI command interface +# you will have to enable this. 
+# Values: 0 = disable commands, 1 = enable commands + +check_external_commands=1 + + + +# EXTERNAL COMMAND FILE +# This is the file that Nagios checks for external command requests. +# It is also where the command CGI will write commands that are submitted +# by users, so it must be writeable by the user that the web server +# is running as (usually 'nobody'). Permissions should be set at the +# directory level instead of on the file, as the file is deleted every +# time its contents are processed. + +command_file=/var/lib/nagios4/rw/nagios.cmd + + + +# QUERY HANDLER INTERFACE +# This is the socket that is created for the Query Handler interface + +#query_socket=/var/lib/nagios4/rw/nagios.qh + + + +# LOCK FILE +# This is the lockfile that Nagios will use to store its PID number +# in when it is running in daemon mode. + +lock_file=/var/run/nagios4/nagios4.pid + + + +# TEMP FILE +# This is a temporary file that is used as scratch space when Nagios +# updates the status log, cleans the comment file, etc. This file +# is created, used, and deleted throughout the time that Nagios is +# running. + +temp_file=/var/lib/nagios4/nagios.tmp + + + +# TEMP PATH +# This is path where Nagios can create temp files for service and +# host check results, etc. + +temp_path=/tmp + + + +# EVENT BROKER OPTIONS +# Controls what (if any) data gets sent to the event broker. +# Values: 0 = Broker nothing +# -1 = Broker everything +# = See documentation + +event_broker_options=-1 + + + +# EVENT BROKER MODULE(S) +# This directive is used to specify an event broker module that should +# by loaded by Nagios at startup. Use multiple directives if you want +# to load more than one module. Arguments that should be passed to +# the module at startup are separated from the module path by a space. +# +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! 
WARNING +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# Do NOT overwrite modules while they are being used by Nagios or Nagios +# will crash in a fiery display of SEGFAULT glory. This is a bug/limitation +# either in dlopen(), the kernel, and/or the filesystem. And maybe Nagios... +# +# The correct/safe way of updating a module is by using one of these methods: +# 1. Shutdown Nagios, replace the module file, restart Nagios +# 2. Delete the original module file, move the new module file into place, +# restart Nagios +# +# Example: +# +# broker_module= [moduleargs] + +#broker_module=/somewhere/module1.o +#broker_module=/somewhere/module2.o arg1 arg2=3 debug=0 + + + +# LOG ROTATION METHOD +# This is the log rotation method that Nagios should use to rotate +# the main log file. Values are as follows.. +# n = None - don't rotate the log +# h = Hourly rotation (top of the hour) +# d = Daily rotation (midnight every day) +# w = Weekly rotation (midnight on Saturday evening) +# m = Monthly rotation (midnight last day of month) + +log_rotation_method=d + + + +# LOG ARCHIVE PATH +# This is the directory where archived (rotated) log files should be +# placed (assuming you've chosen to do log rotation). + +log_archive_path=/var/log/nagios4/archives + + + +# LOGGING OPTIONS +# If you want messages logged to the syslog facility, as well as the +# Nagios log file set this option to 1. If not, set it to 0. + +use_syslog=1 + + + +# NOTIFICATION LOGGING OPTION +# If you don't want notifications to be logged, set this value to 0. +# If notifications should be logged, set the value to 1. + +log_notifications=1 + + + +# SERVICE RETRY LOGGING OPTION +# If you don't want service check retries to be logged, set this value +# to 0. If retries should be logged, set the value to 1. + +log_service_retries=1 + + + +# HOST RETRY LOGGING OPTION +# If you don't want host check retries to be logged, set this value to +# 0. 
If retries should be logged, set the value to 1. + +log_host_retries=1 + + + +# EVENT HANDLER LOGGING OPTION +# If you don't want host and service event handlers to be logged, set +# this value to 0. If event handlers should be logged, set the value +# to 1. + +log_event_handlers=1 + + + +# INITIAL STATES LOGGING OPTION +# If you want Nagios to log all initial host and service states to +# the main log file (the first time the service or host is checked) +# you can enable this option by setting this value to 1. If you +# are not using an external application that does long term state +# statistics reporting, you do not need to enable this option. In +# this case, set the value to 0. + +log_initial_states=0 + + + +# CURRENT STATES LOGGING OPTION +# If you don't want Nagios to log all current host and service states +# after log has been rotated to the main log file, you can disable this +# option by setting this value to 0. Default value is 1. + +log_current_states=1 + + + +# EXTERNAL COMMANDS LOGGING OPTION +# If you don't want Nagios to log external commands, set this value +# to 0. If external commands should be logged, set this value to 1. +# Note: This option does not include logging of passive service +# checks - see the option below for controlling whether or not +# passive checks are logged. + +log_external_commands=1 + + + +# PASSIVE CHECKS LOGGING OPTION +# If you don't want Nagios to log passive host and service checks, set +# this value to 0. If passive checks should be logged, set +# this value to 1. + +log_passive_checks=1 + + + +# GLOBAL HOST AND SERVICE EVENT HANDLERS +# These options allow you to specify a host and service event handler +# command that is to be run for every host or service state change. +# The global event handler is executed immediately prior to the event +# handler that you have optionally specified in each host or +# service definition. 
The command argument is the short name of a +# command definition that you define in your host configuration file. +# Read the HTML docs for more information. + +#global_host_event_handler=somecommand +#global_service_event_handler=somecommand + + + +# SERVICE INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" service checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all service checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! This is not a +# good thing for production, but is useful when testing the +# parallelization functionality. +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +service_inter_check_delay_method=s + + + +# MAXIMUM SERVICE CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all services should +# be completed. Default is 30 minutes. + +max_service_check_spread=30 + + + +# SERVICE CHECK INTERLEAVE FACTOR +# This variable determines how service checks are interleaved. +# Interleaving the service checks allows for a more even +# distribution of service checks and reduced load on remote +# hosts. Setting this value to 1 is equivalent to how versions +# of Nagios previous to 0.0.5 did service checks. Set this +# value to s (smart) for automatic calculation of the interleave +# factor unless you have a specific reason to change it. +# s = Use "smart" interleave factor calculation +# x = Use an interleave factor of x, where x is a +# number greater than or equal to 1. 
+ +service_interleave_factor=s + + + +# HOST INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" host checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all host checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +host_inter_check_delay_method=s + + + +# MAXIMUM HOST CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all hosts should +# be completed. Default is 30 minutes. + +max_host_check_spread=30 + + + +# MAXIMUM CONCURRENT SERVICE CHECKS +# This option allows you to specify the maximum number of +# service checks that can be run in parallel at any given time. +# Specifying a value of 1 for this variable essentially prevents +# any service checks from being parallelized. A value of 0 +# will not restrict the number of concurrent checks that are +# being executed. + +max_concurrent_checks=0 + + + +# HOST AND SERVICE CHECK REAPER FREQUENCY +# This is the frequency (in seconds!) that Nagios will process +# the results of host and service checks. + +check_result_reaper_frequency=10 + + + + +# MAX CHECK RESULT REAPER TIME +# This is the max amount of time (in seconds) that a single +# check result reaper event will be allowed to run before +# returning control back to Nagios so it can perform other +# duties. + +max_check_result_reaper_time=30 + + + + +# CHECK RESULT PATH +# This is directory where Nagios stores the results of host and +# service checks that have not yet been processed. +# +# Note: Make sure that only one instance of Nagios has access +# to this directory! 
+ +check_result_path=/var/lib/nagios4/spool/checkresults + + + + +# MAX CHECK RESULT FILE AGE +# This option determines the maximum age (in seconds) which check +# result files are considered to be valid. Files older than this +# threshold will be mercilessly deleted without further processing. + +max_check_result_file_age=3600 + + + + +# CACHED HOST CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous host check is considered current. +# Cached host states (from host checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to the host check logic. +# Too high of a value for this option may result in inaccurate host +# states being used by Nagios, while a lower value may result in a +# performance hit for host checks. Use a value of 0 to disable host +# check caching. + +cached_host_check_horizon=15 + + + +# CACHED SERVICE CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous service check is considered current. +# Cached service states (from service checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to predictive dependency checks. +# Use a value of 0 to disable service check caching. + +cached_service_check_horizon=15 + + + +# ENABLE PREDICTIVE HOST DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of hosts when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# host dependency logic works well. 
+# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_host_dependency_checks=1 + + + +# ENABLE PREDICTIVE SERVICE DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of service when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# service dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_service_dependency_checks=1 + + + +# SOFT STATE DEPENDENCIES +# This option determines whether or not Nagios will use soft state +# information when checking host and service dependencies. Normally +# Nagios will only use the latest hard host or service state when +# checking dependencies. If you want it to use the latest state (regardless +# of whether its a soft or hard state type), enable this option. +# Values: +# 0 = Don't use soft state dependencies (default) +# 1 = Use soft state dependencies + +soft_state_dependencies=0 + + + +# TIME CHANGE ADJUSTMENT THRESHOLDS +# These options determine when Nagios will react to detected changes +# in system time (either forward or backwards). + +#time_change_threshold=900 + + + +# AUTO-RESCHEDULING OPTION +# This option determines whether or not Nagios will attempt to +# automatically reschedule active host and service checks to +# "smooth" them out over time. This can help balance the load on +# the monitoring server. +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_reschedule_checks=0 + + + +# AUTO-RESCHEDULING INTERVAL +# This option determines how often (in seconds) Nagios will +# attempt to automatically reschedule checks. This option only +# has an effect if the auto_reschedule_checks option is enabled. +# Default is 30 seconds. 
+# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_interval=30 + + + +# AUTO-RESCHEDULING WINDOW +# This option determines the "window" of time (in seconds) that +# Nagios will look at when automatically rescheduling checks. +# Only host and service checks that occur in the next X seconds +# (determined by this variable) will be rescheduled. This option +# only has an effect if the auto_reschedule_checks option is +# enabled. Default is 180 seconds (3 minutes). +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_window=180 + + + +# TIMEOUT VALUES +# These options control how much time Nagios will allow various +# types of commands to execute before killing them off. Options +# are available for controlling maximum time allotted for +# service checks, host checks, event handlers, notifications, the +# ocsp command, and performance data commands. All values are in +# seconds. + +service_check_timeout=60 +host_check_timeout=30 +event_handler_timeout=30 +notification_timeout=30 +ocsp_timeout=5 +ochp_timeout=5 +perfdata_timeout=5 + + + +# RETAIN STATE INFORMATION +# This setting determines whether or not Nagios will save state +# information for services and hosts before it shuts down. Upon +# startup Nagios will reload all saved service and host state +# information before starting to monitor. This is useful for +# maintaining long-term data on state statistics, etc, but will +# slow Nagios down a bit when it (re)starts. Since its only +# a one-time penalty, I think its well worth the additional +# startup delay. + +retain_state_information=1 + + + +# STATE RETENTION FILE +# This is the file that Nagios should use to store host and +# service state information before it shuts down. 
The state +# information in this file is also read immediately prior to +# starting to monitor the network when Nagios is restarted. +# This file is used only if the retain_state_information +# variable is set to 1. + +state_retention_file=/var/lib/nagios4/retention.dat + + + +# RETENTION DATA UPDATE INTERVAL +# This setting determines how often (in minutes) that Nagios +# will automatically save retention data during normal operation. +# If you set this value to 0, Nagios will not save retention +# data at regular interval, but it will still save retention +# data before shutting down or restarting. If you have disabled +# state retention, this option has no effect. + +retention_update_interval=60 + + + +# USE RETAINED PROGRAM STATE +# This setting determines whether or not Nagios will set +# program status variables based on the values saved in the +# retention file. If you want to use retained program status +# information, set this value to 1. If not, set this value +# to 0. + +use_retained_program_state=1 + + + +# USE RETAINED SCHEDULING INFO +# This setting determines whether or not Nagios will retain +# the scheduling info (next check time) for hosts and services +# based on the values saved in the retention file. If you +# If you want to use retained scheduling info, set this +# value to 1. If not, set this value to 0. + +use_retained_scheduling_info=1 + + + +# RETAINED ATTRIBUTE MASKS (ADVANCED FEATURE) +# The following variables are used to specify specific host and +# service attributes that should *not* be retained by Nagios during +# program restarts. +# +# The values of the masks are bitwise ANDs of values specified +# by the "MODATTR_" definitions found in include/common.h. +# For example, if you do not want the current enabled/disabled state +# of flap detection and event handlers for hosts to be retained, you +# would use a value of 24 for the host attribute mask... 
+# MODATTR_EVENT_HANDLER_ENABLED (8) + MODATTR_FLAP_DETECTION_ENABLED (16) = 24 + +# This mask determines what host attributes are not retained +retained_host_attribute_mask=0 + +# This mask determines what service attributes are not retained +retained_service_attribute_mask=0 + +# These two masks determine what process attributes are not retained. +# There are two masks, because some process attributes have host and service +# options. For example, you can disable active host checks, but leave active +# service checks enabled. +retained_process_host_attribute_mask=0 +retained_process_service_attribute_mask=0 + +# These two masks determine what contact attributes are not retained. +# There are two masks, because some contact attributes have host and +# service options. For example, you can disable host notifications for +# a contact, but leave service notifications enabled for them. +retained_contact_host_attribute_mask=0 +retained_contact_service_attribute_mask=0 + + + +# INTERVAL LENGTH +# This is the seconds per unit interval as used in the +# host/contact/service configuration files. Setting this to 60 means +# that each interval is one minute long (60 seconds). Other settings +# have not been tested much, so your mileage is likely to vary... + +interval_length=60 + + + +# CHECK FOR UPDATES +# This option determines whether Nagios will automatically check to +# see if new updates (releases) are available. It is recommend that you +# enable this option to ensure that you stay on top of the latest critical +# patches to Nagios. Nagios is critical to you - make sure you keep it in +# good shape. Nagios will check once a day for new updates. Data collected +# by Nagios Enterprises from the update check is processed in accordance +# with our privacy policy - see https://api.nagios.org for details. + +check_for_updates=1 + + + +# BARE UPDATE CHECK +# This option determines what data Nagios will send to api.nagios.org when +# it checks for updates. 
By default, Nagios will send information on the +# current version of Nagios you have installed, as well as an indicator as +# to whether this was a new installation or not. Nagios Enterprises uses +# this data to determine the number of users running specific version of +# Nagios. Enable this option if you do not want this information to be sent. + +bare_update_check=0 + + + +# AGGRESSIVE HOST CHECKING OPTION +# If you don't want to turn on aggressive host checking features, set +# this value to 0 (the default). Otherwise set this value to 1 to +# enable the aggressive check option. Read the docs for more info +# on what aggressive host check is or check out the source code in +# base/checks.c + +use_aggressive_host_checking=0 + + + +# SERVICE CHECK EXECUTION OPTION +# This determines whether or not Nagios will actively execute +# service checks when it initially starts. If this option is +# disabled, checks are not actively made, but Nagios can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of service checks, leave this enabled! +# Values: 1 = enable checks, 0 = disable checks + +execute_service_checks=1 + + + +# PASSIVE SERVICE CHECK ACCEPTANCE OPTION +# This determines whether or not Nagios will accept passive +# service checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_service_checks=1 + + + +# HOST CHECK EXECUTION OPTION +# This determines whether or not Nagios will actively execute +# host checks when it initially starts. If this option is +# disabled, checks are not actively made, but Nagios can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of host checks, leave this enabled! 
+# Values: 1 = enable checks, 0 = disable checks + +execute_host_checks=1 + + + +# PASSIVE HOST CHECK ACCEPTANCE OPTION +# This determines whether or not Nagios will accept passive +# host checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_host_checks=1 + + + +# NOTIFICATIONS OPTION +# This determines whether or not Nagios will sent out any host or +# service notifications when it is initially (re)started. +# Values: 1 = enable notifications, 0 = disable notifications + +enable_notifications=1 + + + +# EVENT HANDLER USE OPTION +# This determines whether or not Nagios will run any host or +# service event handlers when it is initially (re)started. Unless +# you're implementing redundant hosts, leave this option enabled. +# Values: 1 = enable event handlers, 0 = disable event handlers + +enable_event_handlers=1 + + + +# PROCESS PERFORMANCE DATA OPTION +# This determines whether or not Nagios will process performance +# data returned from service and host checks. If this option is +# enabled, host performance data will be processed using the +# host_perfdata_command (defined below) and service performance +# data will be processed using the service_perfdata_command (also +# defined below). Read the HTML docs for more information on +# performance data. +# Values: 1 = process performance data, 0 = do not process performance data + +process_performance_data=0 + + + +# HOST AND SERVICE PERFORMANCE DATA PROCESSING COMMANDS +# These commands are run after every host and service check is +# performed. These commands are executed only if the +# enable_performance_data option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on performance data. 
+ +#host_perfdata_command=process-host-perfdata +#service_perfdata_command=process-service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILES +# These files are used to store host and service performance data. +# Performance data is only written to these files if the +# enable_performance_data option (above) is set to 1. + +#host_perfdata_file=/var/lib/nagios4/host-perfdata +#service_perfdata_file=/var/lib/nagios4/service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILE TEMPLATES +# These options determine what data is written (and how) to the +# performance data files. The templates may contain macros, special +# characters (\t for tab, \r for carriage return, \n for newline) +# and plain text. A newline is automatically added after each write +# to the performance data file. Some examples of what you can do are +# shown below. + +#host_perfdata_file_template=[HOSTPERFDATA]\t$TIMET$\t$HOSTNAME$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$ +#service_perfdata_file_template=[SERVICEPERFDATA]\t$TIMET$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$ + + + +# HOST AND SERVICE PERFORMANCE DATA FILE MODES +# This option determines whether or not the host and service +# performance data files are opened in write ("w") or append ("a") +# mode. If you want to use named pipes, you should use the special +# pipe ("p") mode which avoid blocking at startup, otherwise you will +# likely want the default append ("a") mode. + +#host_perfdata_file_mode=a +#service_perfdata_file_mode=a + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING INTERVAL +# These options determine how often (in seconds) the host and service +# performance data files are processed using the commands defined +# below. A value of 0 indicates the files should not be periodically +# processed. 
+ +#host_perfdata_file_processing_interval=0 +#service_perfdata_file_processing_interval=0 + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING COMMANDS +# These commands are used to periodically process the host and +# service performance data files. The interval at which the +# processing occurs is determined by the options above. + +#host_perfdata_file_processing_command=process-host-perfdata-file +#service_perfdata_file_processing_command=process-service-perfdata-file + + + +# HOST AND SERVICE PERFORMANCE DATA PROCESS EMPTY RESULTS +# These options determine whether the core will process empty perfdata +# results or not. This is needed for distributed monitoring, and intentionally +# turned on by default. +# If you don't require empty perfdata - saving some cpu cycles +# on unwanted macro calculation - you can turn that off. Be careful! +# Values: 1 = enable, 0 = disable + +#host_perfdata_process_empty_results=1 +#service_perfdata_process_empty_results=1 + + +# OBSESS OVER SERVICE CHECKS OPTION +# This determines whether or not Nagios will obsess over service +# checks and run the ocsp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over services, 0 = do not obsess (default) + +obsess_over_services=0 + + + +# OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND +# This is the command that is run for every service check that is +# processed by Nagios. This command is executed only if the +# obsess_over_services option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. 
+ +#ocsp_command=somecommand + + + +# OBSESS OVER HOST CHECKS OPTION +# This determines whether or not Nagios will obsess over host +# checks and run the ochp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over hosts, 0 = do not obsess (default) + +obsess_over_hosts=0 + + + +# OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND +# This is the command that is run for every host check that is +# processed by Nagios. This command is executed only if the +# obsess_over_hosts option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ochp_command=somecommand + + + +# TRANSLATE PASSIVE HOST CHECKS OPTION +# This determines whether or not Nagios will translate +# DOWN/UNREACHABLE passive host check results into their proper +# state for this instance of Nagios. This option is useful +# if you have distributed or failover monitoring setup. In +# these cases your other Nagios servers probably have a different +# "view" of the network, with regards to the parent/child relationship +# of hosts. If a distributed monitoring server thinks a host +# is DOWN, it may actually be UNREACHABLE from the point of +# this Nagios instance. Enabling this option will tell Nagios +# to translate any DOWN or UNREACHABLE host states it receives +# passively into the correct state from the view of this server. +# Values: 1 = perform translation, 0 = do not translate (default) + +translate_passive_host_checks=0 + + + +# PASSIVE HOST CHECKS ARE SOFT OPTION +# This determines whether or not Nagios will treat passive host +# checks as being HARD or SOFT. By default, a passive host check +# result will put a host into a HARD state type. 
This can be changed +# by enabling this option. +# Values: 0 = passive checks are HARD, 1 = passive checks are SOFT + +passive_host_checks_are_soft=0 + + + +# ORPHANED HOST/SERVICE CHECK OPTIONS +# These options determine whether or not Nagios will periodically +# check for orphaned host service checks. Since service checks are +# not rescheduled until the results of their previous execution +# instance are processed, there exists a possibility that some +# checks may never get rescheduled. A similar situation exists for +# host checks, although the exact scheduling details differ a bit +# from service checks. Orphaned checks seem to be a rare +# problem and should not happen under normal circumstances. +# If you have problems with service checks never getting +# rescheduled, make sure you have orphaned service checks enabled. +# Values: 1 = enable checks, 0 = disable checks + +check_for_orphaned_services=1 +check_for_orphaned_hosts=1 + + + +# SERVICE FRESHNESS CHECK OPTION +# This option determines whether or not Nagios will periodically +# check the "freshness" of service results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_service_freshness=1 + + + +# SERVICE FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Nagios will +# check the "freshness" of service check results. If you have +# disabled service freshness checking, this option has no effect. + +service_freshness_check_interval=60 + + + +# SERVICE CHECK TIMEOUT STATE +# This setting determines the state Nagios will report when a +# service check times out - that is does not respond within +# service_check_timeout seconds. This can be useful if a +# machine is running at too high a load and you do not want +# to consider a failed service check to be critical (the default). 
+# Valid settings are: +# c - Critical (default) +# u - Unknown +# w - Warning +# o - OK + +service_check_timeout_state=c + + + +# HOST FRESHNESS CHECK OPTION +# This option determines whether or not Nagios will periodically +# check the "freshness" of host results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_host_freshness=0 + + + +# HOST FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Nagios will +# check the "freshness" of host check results. If you have +# disabled host freshness checking, this option has no effect. + +host_freshness_check_interval=60 + + + + +# ADDITIONAL FRESHNESS THRESHOLD LATENCY +# This setting determines the number of seconds that Nagios +# will add to any host and service freshness thresholds that +# it calculates (those not explicitly specified by the user). + +additional_freshness_latency=15 + + + + +# FLAP DETECTION OPTION +# This option determines whether or not Nagios will try +# and detect hosts and services that are "flapping". +# Flapping occurs when a host or service changes between +# states too frequently. When Nagios detects that a +# host or service is flapping, it will temporarily suppress +# notifications for that host/service until it stops +# flapping. Flap detection is very experimental, so read +# the HTML documentation before enabling this feature! +# Values: 1 = enable flap detection +# 0 = disable flap detection (default) + +enable_flap_detection=1 + + + +# FLAP DETECTION THRESHOLDS FOR HOSTS AND SERVICES +# Read the HTML documentation on flap detection for +# an explanation of what this option does. This option +# has no effect if flap detection is disabled. 
+ +low_service_flap_threshold=5.0 +high_service_flap_threshold=20.0 +low_host_flap_threshold=5.0 +high_host_flap_threshold=20.0 + + + +# DATE FORMAT OPTION +# This option determines how short dates are displayed. Valid options +# include: +# us (MM-DD-YYYY HH:MM:SS) +# euro (DD-MM-YYYY HH:MM:SS) +# iso8601 (YYYY-MM-DD HH:MM:SS) +# strict-iso8601 (YYYY-MM-DDTHH:MM:SS) +# + +date_format=us + + + + +# TIMEZONE OFFSET +# This option is used to override the default timezone that this +# instance of Nagios runs in. If not specified, Nagios will use +# the system configured timezone. +# +# NOTE: In order to display the correct timezone in the CGIs, you +# will also need to alter the Apache directives for the CGI path +# to include your timezone. Example: +# +# +# SetEnv TZ "Australia/Brisbane" +# ... +# + +#use_timezone=US/Mountain +#use_timezone=Australia/Brisbane + + + +# ILLEGAL OBJECT NAME CHARACTERS +# This option allows you to specify illegal characters that cannot +# be used in host names, service descriptions, or names of other +# object types. + +illegal_object_name_chars=`~!$%^&*|'"<>?,()= + + + +# ILLEGAL MACRO OUTPUT CHARACTERS +# This option allows you to specify illegal characters that are +# stripped from macros before being used in notifications, event +# handlers, etc. This DOES NOT affect macros used in service or +# host check commands. +# The following macros are stripped of the characters you specify: +# $HOSTOUTPUT$ +# $LONGHOSTOUTPUT$ +# $HOSTPERFDATA$ +# $HOSTACKAUTHOR$ +# $HOSTACKCOMMENT$ +# $SERVICEOUTPUT$ +# $LONGSERVICEOUTPUT$ +# $SERVICEPERFDATA$ +# $SERVICEACKAUTHOR$ +# $SERVICEACKCOMMENT$ + +illegal_macro_output_chars=`~$&|'"<> + + + +# REGULAR EXPRESSION MATCHING +# This option controls whether or not regular expression matching +# takes place in the object config files. Regular expression +# matching is used to match host, hostgroup, service, and service +# group names/descriptions in some fields of various object types. 
+# Values: 1 = enable regexp matching, 0 = disable regexp matching + +use_regexp_matching=0 + + + +# "TRUE" REGULAR EXPRESSION MATCHING +# This option controls whether or not "true" regular expression +# matching takes place in the object config files. This option +# only has an effect if regular expression matching is enabled +# (see above). If this option is DISABLED, regular expression +# matching only occurs if a string contains wildcard characters +# (* and ?). If the option is ENABLED, regexp matching occurs +# all the time (which can be annoying). +# Values: 1 = enable true matching, 0 = disable true matching + +use_true_regexp_matching=0 + + + +# ADMINISTRATOR EMAIL/PAGER ADDRESSES +# The email and pager address of a global administrator (likely you). +# Nagios never uses these values itself, but you can access them by +# using the $ADMINEMAIL$ and $ADMINPAGER$ macros in your notification +# commands. + +admin_email=nagios@localhost +admin_pager=pagenagios@localhost + + + +# DAEMON CORE DUMP OPTION +# This option determines whether or not Nagios is allowed to create +# a core dump when it runs as a daemon. Note that it is generally +# considered bad form to allow this, but it may be useful for +# debugging purposes. Enabling this option doesn't guarantee that +# a core file will be produced, but that's just life... +# Values: 1 - Allow core dumps +# 0 - Do not allow core dumps (default) + +daemon_dumps_core=0 + + + +# LARGE INSTALLATION TWEAKS OPTION +# This option determines whether or not Nagios will take some shortcuts +# which can save on memory and CPU usage in large Nagios installations. +# Read the documentation for more information on the benefits/tradeoffs +# of enabling this option. 
+# Values: 1 - Enabled tweaks +# 0 - Disable tweaks (default) + +use_large_installation_tweaks=0 + + + +# ENABLE ENVIRONMENT MACROS +# This option determines whether or not Nagios will make all standard +# macros available as environment variables when host/service checks +# and system commands (event handlers, notifications, etc.) are +# executed. +# Enabling this is a very bad idea for anything but very small setups, +# as it means plugins, notification scripts and eventhandlers may run +# out of environment space. It will also cause a significant increase +# in CPU- and memory usage and drastically reduce the number of checks +# you can run. +# Values: 1 - Enable environment variable macros +# 0 - Disable environment variable macros (default) + +enable_environment_macros=0 + + + +# CHILD PROCESS MEMORY OPTION +# This option determines whether or not Nagios will free memory in +# child processes (processed used to execute system commands and host/ +# service checks). If you specify a value here, it will override +# program defaults. +# Value: 1 - Free memory in child processes +# 0 - Do not free memory in child processes + +#free_child_process_memory=1 + + + +# CHILD PROCESS FORKING BEHAVIOR +# This option determines how Nagios will fork child processes +# (used to execute system commands and host/service checks). Normally +# child processes are fork()ed twice, which provides a very high level +# of isolation from problems. Fork()ing once is probably enough and will +# save a great deal on CPU usage (in large installs), so you might +# want to consider using this. If you specify a value here, it will +# program defaults. +# Value: 1 - Child processes fork() twice +# 0 - Child processes fork() just once + +#child_processes_fork_twice=1 + + + +# DEBUG LEVEL +# This option determines how much (if any) debugging information will +# be written to the debug file. OR values together to log multiple +# types of information. 
+# Values: +# -1 = Everything +# 0 = Nothing +# 1 = Functions +# 2 = Configuration +# 4 = Process information +# 8 = Scheduled events +# 16 = Host/service checks +# 32 = Notifications +# 64 = Event broker +# 128 = External commands +# 256 = Commands +# 512 = Scheduled downtime +# 1024 = Comments +# 2048 = Macros +# 4096 = Interprocess communication +# 8192 = Scheduling +# 16384 = Workers + +debug_level=0 + + + +# DEBUG VERBOSITY +# This option determines how verbose the debug log out will be. +# Values: 0 = Brief output +# 1 = More detailed +# 2 = Very detailed + +debug_verbosity=1 + + + +# DEBUG FILE +# This option determines where Nagios should write debugging information. + +debug_file=/var/log/nagios4/nagios.debug + + + +# MAX DEBUG FILE SIZE +# This option determines the maximum size (in bytes) of the debug file. If +# the file grows larger than this size, it will be renamed with a .old +# extension. If a file already exists with a .old extension it will +# automatically be deleted. This helps ensure your disk space usage doesn't +# get out of control when debugging Nagios. + +max_debug_file_size=1000000 + + + +# Should we allow hostgroups to have no hosts, we default this to off since +# that was the old behavior + +allow_empty_hostgroup_assignment=0 + + + +# Normally worker count is dynamically allocated based on 1.5 * number of cpu's +# with a minimum of 4 workers. 
This value will override the defaults + +#check_workers=3 + + + +# DISABLE SERVICE CHECKS WHEN HOST DOWN +# This option will disable all service checks if the host is not in an UP state +# +# While desirable in some environments, enabling this value can distort report +# values as the expected quantity of checks will not have been performed + +#host_down_disable_service_checks=0 + + + +# SET SERVICE/HOST STATUS WHEN SERVICE CHECK SKIPPED +# These options will allow you to set the status of a service when its +# service check is skipped due to one of three reasons: +# 1) failed dependency check; 2) parent's status; 3) host not up +# Number 3 can only happen if 'host_down_disable_service_checks' above +# is set to 1. +# Valid values for the service* options are: +# -1 Do not change the service status (default - same as before 4.4) +# 0 Set the service status to STATE_OK +# 1 Set the service status to STATE_WARNING +# 2 Set the service status to STATE_CRITICAL +# 3 Set the service status to STATE_UNKNOWN +# The host_skip_check_dependency_status option will allow you to set the +# status of a host when itscheck is skipped due to a failed dependency check. +# Valid values for the host_skip_check_dependency_status are: +# -1 Do not change the service status (default - same as before 4.4) +# 0 Set the host status to STATE_UP +# 1 Set the host status to STATE_DOWN +# 2 Set the host status to STATE_UNREACHABLE +# We may add one or more statuses in the future. + +#service_skip_check_dependency_status=-1 +#service_skip_check_parent_status=-1 +#service_skip_check_host_down_status=-1 +#host_skip_check_dependency_status=-1 + + + +# LOAD CONTROL OPTIONS +# To get current defaults based on your system, issue this command to +# the query handler: +# echo -e '@core loadctl\0' | nc -U /usr/local/nagios/var/rw/nagios.qh +# +# Please note that used incorrectly these options can induce enormous latency. 
+# +# loadctl_options: +# jobs_max The maximum amount of jobs to run at one time +# jobs_min The minimum amount of jobs to run at one time +# jobs_limit The maximum amount of jobs the current load lets us run +# backoff_limit The minimum backoff_change +# backoff_change # of jobs to remove from jobs_limit when backing off +# rampup_limit Minimum rampup_change +# rampup_change # of jobs to add to jobs_limit when ramping up + +#loadctl_options=jobs_max=100;backoff_limit=10;rampup_change=5 diff --git a/roles/nagios/templates/nagios4-cgi.conf.j2 b/roles/nagios/templates/nagios4-cgi.conf.j2 new file mode 100644 index 0000000..84ac038 --- /dev/null +++ b/roles/nagios/templates/nagios4-cgi.conf.j2 @@ -0,0 +1,27 @@ +ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 +ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 +Alias /nagios4/stylesheets /etc/nagios4/stylesheets + +Alias /nagios4 /usr/share/nagios4/htdocs + + + Options FollowSymLinks + DirectoryIndex index.php index.html + AllowOverride AuthConfig + AuthDigestDomain "nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4/htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Restricted Nagios4 Access" + AuthType Digest + Require valid-user + + + + Options +ExecCGI + + + + Options +ExecCGI + AddHandler cgi-script .cgi + diff --git a/roles/nxc-traefik/README.md b/roles/nxc-traefik/README.md new file mode 100644 index 0000000..b28558d --- /dev/null +++ b/roles/nxc-traefik/README.md 
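Review bot: `Require valid-user` admits every account in the htdigest file, while `AuthGroupFile "/etc/group"` couples the web authorization data to the OS group database without any `Require group` directive actually using it; a dedicated group file and a `Require group <NAGIOS_ADMIN_GROUP>` (placeholder) would make the intended audience explicit. The `<Directory>`/`<DirectoryMatch>` container lines appear to have been lost in this rendering, so the scope of each `Options`/`Require` block cannot be verified from this view. The file carries a `.j2` suffix but contains no Jinja expressions; either parameterise the paths or ship it with `copy` rather than `template`.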
@@ -0,0 +1,35 @@
+# Installation de Nextcloud et du proxy inverse Traefik
+
+Nextcloud et Traefik fonctionnent grâce à docker. Pour pouvoir faire fonctionner ce playbook, docker doit être installé.
+
+## Premièrement
+
+Le playbook va créer le dossier nxc à la racine de root. Deux fichier docker-compose "nextcloud.yml" et "traefik.yml" y seront copiés depuis le répertoire "files" du playbook.
+Enfin, dans le répertoire nxc, seront créé les dossier certs et config.
+
+### Deuxièmement
+
+Le playbook va copier les fichiers placés dans "files" et les placer dans les bons répertoires.
+
+#### Troisièmement
+
+Le playbook va créer un certificat x509 grâce à mkcert, il s'agit d'une solution permettant de créer
+des certificats auto-signés. Pour cela il télécharge mkcert sur s-adm (utiliser le getall).
+
+mkcert sera placé dans : /usr/local/bin/
+
+Pour créer le certificat le playbook va executer des lignes de commandes (lancé depuis nxc/) :
+```
+/usr/local/bin/mkcert -install # Installe mkcert
+/usr/local/bin/mkcert -key-file key.pem -cert-file cert.pem "hôte.domaine.local" "*.domaine.local" #Crée le certificat le DNS spécifié
+```
+##### Quatrièmement
+
+Le playbook va lancer les fichier "docker-compose" à savoir : nextcloud.yml et traefik.yml.
+Cela va installer les solutions automatiquement. Nextcloud est alors fonctionnel avec
+un proxy inverse qui va rediriger en HTTPS.
+
+
+ATTENTION : Après avoir relancé la VM, executez le script "nxc-start.sh" afin d'installer les piles applicatives.
+Une fois le script fini, accedez au site :
+https://s-nxc.gsb.lan
diff --git a/roles/nxc-traefik/files/dynamic.yml b/roles/nxc-traefik/files/dynamic.yml
new file mode 100644
index 0000000..12fc931
--- /dev/null
+++ b/roles/nxc-traefik/files/dynamic.yml
@@ -0,0 +1,18 @@
+http:
+ routers:
+ traefik:
+ rule: "Host(`traefik.docker.localhost`)"
+ service: "api@internal"
+ tls:
+ domains:
+ - main: "docker.localhost"
+ sans:
+ - "*.docker.localhost"
+ - main: "s-nxc.gsb.lan"
+ sans:
+ - "*.gsb.lan"
+
+tls:
+ certificates:
+ - certFile: "/etc/certs/local-cert.pem"
+ keyFile: "/etc/certs/local-key.pem"
diff --git a/roles/nxc-traefik/files/nextcloud.yml b/roles/nxc-traefik/files/nextcloud.yml
new file mode 100644
index 0000000..fe1597e
--- /dev/null
+++ b/roles/nxc-traefik/files/nextcloud.yml
@@ -0,0 +1,58 @@
+version: '2'
+
+volumes:
+ # nextcloud:
+ db:
+
+services:
+ db:
+ image: mariadb
+ container_name: db
+ restart: always
+ #command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+ command: --innodb-read-only-compressed=OFF
+ volumes:
+ - db:/var/lib/mysql
+ networks:
+ - nxc-db
+ environment:
+ - MYSQL_ROOT_PASSWORD=blabla
+ - MYSQL_PASSWORD=blabla
+ - MYSQL_DATABASE=nextcloud
+ - MYSQL_USER=nextcloud
+
+ nxc:
+ image: nextcloud
+ restart: always
+ container_name: nxc
+# ports:
+# - 8080:80
+# links:
+ depends_on:
+ - db
+ volumes:
+ - ./nextcloud:/var/www/html
+ environment:
+ - MYSQL_PASSWORD=blabla
+ - MYSQL_DATABASE=nextcloud
+ - MYSQL_USER=nextcloud
+ - MYSQL_HOST=db
+ labels:
+ # Enable this container to be mapped by traefik
+ # For more information, see: https://docs.traefik.io/providers/docker/#exposedbydefault
+ - "traefik.enable=true"
+ # URL to reach this container
+ - "traefik.http.routers.nxc.rule=Host(`s-nxc.gsb.lan`)"
+ # Activation of TLS
+ - "traefik.http.routers.nxc.tls=true"
+ # If port is different than 80, use the following service:
+ #- "traefik.http.services..loadbalancer.server.port="
+ # - "traefik.http.services.app.loadbalancer.server.port=8080"
+ networks:
+ - proxy
+ - nxc-db
+networks:
+ proxy:
+ external: true
+ nxc-db:
+ external: false
diff --git a/roles/nxc-traefik/files/nxc-debug.sh b/roles/nxc-traefik/files/nxc-debug.sh
new file mode 100755
index 0000000..de78ec7
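Review bot: The `traefik` router sends `api@internal` out on the public entry points with TLS but no `middlewares`, so whoever can point `traefik.docker.localhost` at this proxy reaches the dashboard and API unauthenticated; `api.insecure: true` in static.yml widens the same exposure on port 8080 for anything on the `proxy` network. Add a `middlewares: ["dashboard-auth"]` entry on the router and define `http.middlewares.dashboard-auth.basicAuth.users` (name constructed) with a vaulted hash, or drop the router and set `insecure: false`. The `docker.localhost` domain entries look like leftovers from an upstream example, since only `s-nxc.gsb.lan` is routed by nextcloud.yml — worth confirming before they end up in the served certificate SANs.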
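Review bot: `MYSQL_ROOT_PASSWORD=blabla` and `MYSQL_PASSWORD=blabla` are committed in clear and copied verbatim by the role, and the same pattern appears with `MYSQL_ROOT_PASSWORD` and `POSTMASTER_PASSWORD` in roles/old/docker-iredmail-ab/files/iredmail.sh. Move them to an `env_file:` rendered by `template` from Ansible Vault variables so the repository holds no usable credential. `image: mariadb` and `image: nextcloud` float on `latest`, which with `restart: always` means an unplanned major upgrade on the next pull; pinning a tag is the same fix the commented `traefik:v2.5` line in traefik.yml hints at. The file declares `version: '2'` while traefik.yml uses `'3'`; aligning them is a style point only.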
--- /dev/null
+++ b/roles/nxc-traefik/files/nxc-debug.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+docker-compose -f nextcloud.yml down
+docker-compose -f traefik.yml down
+sleep 1
+docker-compose -f traefik.yml up -d --remove-orphans
+docker-compose -f nextcloud.yml up -d
diff --git a/roles/nxc-traefik/files/nxc-prune.sh b/roles/nxc-traefik/files/nxc-prune.sh
new file mode 100755
index 0000000..2efce15
--- /dev/null
+++ b/roles/nxc-traefik/files/nxc-prune.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+docker volume prune -f
+docker container prune -f
+docker image prune -f
diff --git a/roles/nxc-traefik/files/nxc-start.sh b/roles/nxc-traefik/files/nxc-start.sh
new file mode 100755
index 0000000..595b22a
--- /dev/null
+++ b/roles/nxc-traefik/files/nxc-start.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+docker-compose -f traefik.yml up -d
+docker-compose -f nextcloud.yml up -d
diff --git a/roles/nxc-traefik/files/nxc-stop.sh b/roles/nxc-traefik/files/nxc-stop.sh
new file mode 100755
index 0000000..2775a51
--- /dev/null
+++ b/roles/nxc-traefik/files/nxc-stop.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+docker-compose -f nextcloud.yml down
+docker-compose -f traefik.yml down
diff --git a/roles/nxc-traefik/files/static.yml b/roles/nxc-traefik/files/static.yml
new file mode 100644
index 0000000..cc336a2
--- /dev/null
+++ b/roles/nxc-traefik/files/static.yml
@@ -0,0 +1,31 @@
+global:
+ sendAnonymousUsage: false
+
+api:
+ dashboard: true
+ insecure: true
+
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ watch: true
+ exposedByDefault: false
+
+ file:
+ filename: /etc/traefik/dynamic.yml
+ watch: true
+
+log:
+ level: INFO
+ format: common
+
+entryPoints:
+ http:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ scheme: https
+ https:
+ address: ":443"
diff --git a/roles/nxc-traefik/files/traefik.yml b/roles/nxc-traefik/files/traefik.yml
new file mode 100644
index 0000000..28a91ad
--- /dev/null
+++ b/roles/nxc-traefik/files/traefik.yml
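Review bot: The script resolves `nextcloud.yml` and `traefik.yml` relative to the caller's working directory and keeps going after a failed `down`, so run from anywhere but /root/nxc it silently does nothing; the same holds for nxc-start.sh and nxc-stop.sh. Adding `set -euo pipefail` and `cd "$(dirname "$0")"` after the shebang makes the scripts location-independent and stops on the first error. The `--remove-orphans` on the traefik `up` is only ever applied to the traefik project, which is presumably intentional but worth a one-line comment.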
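Review bot: `docker volume prune -f` deletes every local volume not attached to a running container, which after nxc-stop.sh includes the `db` volume that nextcloud.yml uses for MariaDB, so running this script on a stopped stack destroys the Nextcloud database without a prompt. Restrict it to the intended targets, for example `docker volume ls -qf dangling=true` filtered by a label, or at least document the precondition in a comment: `# WARNING: removes the nextcloud db volume if the stack is stopped`. `docker image prune -f` also removes the pinned images the stack was tested with, forcing a fresh `latest` pull on the next start.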
@@ -0,0 +1,28 @@
+version: '3'
+
+services:
+ reverse-proxy:
+ #image: traefik:v2.5
+ image: traefik
+ container_name: traefik
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ ports:
+ # Web
+ - 80:80
+ - 443:443
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ # Map the static configuration into the container
+ - ./config/static.yml:/etc/traefik/traefik.yml:ro
+ # Map the dynamic configuration into the container
+ - ./config/dynamic.yml:/etc/traefik/dynamic.yml:ro
+ # Map the certificats into the container
+ - ./certs:/etc/certs:ro
+ networks:
+ - proxy
+
+networks:
+ proxy:
+ external: true
diff --git a/roles/nxc-traefik/tasks/main.yml b/roles/nxc-traefik/tasks/main.yml
new file mode 100644
index 0000000..2ee04b7
--- /dev/null
+++ b/roles/nxc-traefik/tasks/main.yml
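Review bot: `image: traefik` with `restart: always` pulls whatever `latest` is at the next recreate, and the static configuration format in static.yml is major-version specific, so an unplanned major upgrade can leave the proxy refusing its own config; the commented `#image: traefik:v2.5` shows the intended pin — restore it. The `/var/run/docker.sock` mount with `:ro` still hands the container full Docker API access, because the read-only flag applies to the socket file, not to the API; `no-new-privileges` does not limit that either. Document this in a comment on the volume line (`# ro does not restrict the Docker API; equivalent to root on the host`) and, if feasible, front the socket with a filtering proxy that only allows the read-only endpoints Traefik needs.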
@@ -0,0 +1,78 @@
+---
+- name: Creation du repertoire de nextcloud et traefik
+ file:
+ path: /root/nxc
+ state: directory
+
+- name: Creation du repertoire nxc/config
+ file:
+ path: /root/nxc/config
+ state: directory
+
+- name: Creation du repertoire nxc/certs
+ file:
+ path: /root/nxc/certs
+ state: directory
+
+- name: Copie de static.yml
+ copy:
+ src: static.yml
+ dest: /root/nxc/config
+
+- name: Copie de dynamic.yml
+ copy:
+ src: dynamic.yml
+ dest: /root/nxc/config
+
+- name: Copie de nextcloud.yml
+ copy:
+ src: nextcloud.yml
+ dest: /root/nxc
+
+- name: Copie de traefik.yml
+ copy:
+ src: traefik.yml
+ dest: /root/nxc
+
+- name: Copie de nxc-stop.sh
+ copy:
+ src: nxc-stop.sh
+ dest: /root/nxc
+ mode: '0755'
+
+- name: Copie de nxc-debug.sh
+ copy:
+ src: nxc-debug.sh
+ dest: /root/nxc
+ mode: '0755'
+
+- name: Copie de nxc-start.sh
+ copy:
+ src: nxc-start.sh
+ dest: /root/nxc
+ mode: '0755'
+
+- name: Copie de nxc-prune.sh
+ copy:
+ src: nxc-prune.sh
+ dest: /root/nxc
+ mode: '0755'
+
+- name: Telechargement mkcert
+ get_url:
+ url: http://s-adm.gsb.adm/gsbstore/mkcert
+ dest: /usr/local/bin
+ mode: '0755'
+
+- name: Initialisation mkcert
+ command: /usr/local/bin/mkcert -install
+ args:
+ chdir: /root/nxc
+
+- name: Creation certificats
+ command: /usr/local/bin/mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem "s-nxc.gsb.lan" "*.gsb.lan"
+ args:
+ chdir: /root/nxc
+
+- name: Creation reseau docker proxy
+ command: docker network create proxy
diff --git a/roles/old/docker-iredmail-ab/files/fstab b/roles/old/docker-iredmail-ab/files/fstab
new file mode 100644
index 0000000..c86a33e
--- /dev/null
+++ b/roles/old/docker-iredmail-ab/files/fstab
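Review bot: The `get_url` task fetches `mkcert` over plain `http://` and installs it with mode 0755, then the next task runs it with `-install`, which adds a new root CA to the host trust store; without integrity checking, anything that can tamper with that download ends up with a CA the host trusts. Add `checksum: "sha256:<MKCERT_SHA256>"` (placeholder) to the task and keep the expected digest with the role. The three `command` tasks are not idempotent: `mkcert -install` and the certificate generation rerun on every play, and `docker network create proxy` fails outright once the network exists, so give the certificate task `creates: /root/nxc/certs/local-cert.pem` and replace the network task with the `docker_network` module or a `failed_when` that tolerates "already exists". The generated wildcard `*.gsb.lan` certificate and the mkcert CA private key live under root's mkcert CAROOT on this host, which is worth a one-line comment so operators know what to protect and rotate.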
@@ -0,0 +1,13 @@
+# /etc/fstab: static file system information.
+#
+# Use 'blkid' to print the universally unique identifier for a
+# device; this may be used with UUID= as a more robust way to name devices
+# that works even if disks are added and removed. See fstab(5).
+#
+#
+/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
+# /boot was on /dev/sda1 during installation
+UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
+/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
+/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
+/dev/sdb1 /var/lib/containers ext4 defaults 0 0
\ No newline at end of file
diff --git a/roles/old/docker-iredmail-ab/files/https_proxy.conf b/roles/old/docker-iredmail-ab/files/https_proxy.conf
new file mode 100644
index 0000000..ebff942
--- /dev/null
+++ b/roles/old/docker-iredmail-ab/files/https_proxy.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment="HTTPS_PROXY=http://192.168.99.99:8080/"
\ No newline at end of file
diff --git a/roles/old/docker-iredmail-ab/files/iredmail.sh b/roles/old/docker-iredmail-ab/files/iredmail.sh
new file mode 100644
index 0000000..cba0bdf
--- /dev/null
+++ b/roles/old/docker-iredmail-ab/files/iredmail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+docker run --privileged -p 80:80 -p 443:443 \
+ -h s-mess.sio.lan \
+ -e "DOMAIN=sio.lan" \
+ -e "MYSQL_ROOT_PASSWORD=iredmail" \
+ -e "SOGO_WORKERS=1" \
+ -e "TIMEZONE=Europe/Paris" \
+ -e "POSTMASTER_PASSWORD=Azertyuiop1+" \
+ -e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
+ -v /root/mysql:/var/lib/mysql \
+ -v /root/vmail:/var/vmail \
+ -v /root/clamav:/var/lib/clamav \
+ --name=iredmail lejmr/iredmail:mysql-latest
diff --git a/roles/old/docker-iredmail-ab/handlers/main.yml b/roles/old/docker-iredmail-ab/handlers/main.yml
new file mode 100644
index 0000000..0ccee7e
--- /dev/null
+++ b/roles/old/docker-iredmail-ab/handlers/main.yml
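Review bot: The last entry mounts `/dev/sdb1` on `/var/lib/containers`, but the "Montage /dev/sdb1 sur /var/lib/docker" task in roles/old/docker-iredmail-ab/tasks/main.yml mounts the same device on `/var/lib/docker`, so the Docker data directory lives on a different filesystem after the first reboot than during the initial run. Shipping a complete fstab also overwrites the target's own root, /boot and swap lines with the build VM's `stretch64--vg` names and a fixed `/boot` UUID, which will not match any other host. Replace the file copy with the `mount` module (`path: /var/lib/docker`, `src: /dev/sdb1`, `fstype: ext4`, `state: mounted`), which adds only the one entry and keeps the play idempotent; the unconditional `mkfs.ext4 /dev/sdb1` in the same tasks file, whose hunk runs past this view, deserves a `creates`-style guard for the same reason.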
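Review bot: `docker run --privileged` disables the default capability drop, seccomp and AppArmor profiles and exposes every host device to the iredmail container, which here also runs the public mail and web ports; a compromise of any of its services then has little left between it and the host. If the image only needs a few capabilities (its ClamAV, Postfix and SOGo components are the usual reasons), grant them explicitly with `--cap-add` and keep `--privileged` out; at minimum record why it is required in a comment above the line. The image tag `mysql-latest` floats in the same way as the compose images noted on nextcloud.yml.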
@@ -0,0 +1,3 @@
+---
+ - name: restart docker
+ service: name=docker state=restarted
\ No newline at end of file
diff --git a/roles/old/docker-iredmail-ab/tasks/main.yml b/roles/old/docker-iredmail-ab/tasks/main.yml
new file mode 100644
index 0000000..fd967fa
--- /dev/null
+++ b/roles/old/docker-iredmail-ab/tasks/main.yml
@@ -0,0 +1,83 @@ +--- +- name: Installation de apt-transport-https + apt: name=apt-transport-https state=present + +- name: Installation de ca-certificates + apt: name=ca-certificates state=present + +- name: Installation de gnupg2 + apt: name=gnupg2 state=present + +- name: Installation de software-properties-common + apt: name=software-properties-common state=present + +- name: Installation de sudo + apt: name=sudo state=present + +- name: Installation de docker + shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - + +- name: Récupération des paquets docker-ce et docker-compose + shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" + +- name: Création du répertoire docker.service.d + file: + path: /etc/systemd/system/docker.service.d + state: directory + owner: root + group: root + mode: 0775 + recurse: yes + +- name: Copie https_proxy.conf + copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/ + notify: + - restart docker + +- name: Vérification des nouveaux paquets + shell: sudo apt-get update + +- name: Installation de docker-ce + shell: sudo apt-get install -y docker-ce + +- name: Installation de docker-compose + shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + +- name: Modification des droits de docker-compose + shell: chmod +x /usr/local/bin/docker-compose + +- name: Copie du fichier fstab + copy: src=fstab dest=/etc/ + +- name: Copie du script bash Iredmail + copy: src=iredmail.sh dest=/root/tools/ansible + +- name: Changement du système de fichier de /dev/sdb1 en ext4 + shell: mkfs.ext4 /dev/sdb1 + +- name: Montage /dev/sdb1 sur /var/lib/docker + shell: mount /dev/sdb1 /var/lib/docker + +- name: Droit pour le script Iredmail + shell: chmod a+x 
/root/tools/ansible/iredmail.sh + +- name: Création du répertoire mysql + shell: mkdir /root//mysql + +- name: Création du répertoire vmail + shell: mkdir /root/vmail + +- name: Création du répertoire clamav + shell: mkdir /root/clamav + +- name: Exécution du script Iredmail + debug: msg="Exécuter le script iredmail.sh qui se trouve dans tools/ansible" + +- name: Montage /dev/sdb1 + debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h" + +- name: Test docker + debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1" + +- name: Démarrer le container + debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443" diff --git a/roles/old/docker-openvas-ab/files/fstab b/roles/old/docker-openvas-ab/files/fstab new file mode 100644 index 0000000..c86a33e --- /dev/null +++ b/roles/old/docker-openvas-ab/files/fstab @@ -0,0 +1,13 @@ +# /etc/fstab: static file system information. +# +# Use 'blkid' to print the universally unique identifier for a +# device; this may be used with UUID= as a more robust way to name devices +# that works even if disks are added and removed. See fstab(5). +# +# +/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1 +# /boot was on /dev/sda1 during installation +UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2 +/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0 +/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 +/dev/sdb1 /var/lib/containers ext4 defaults 0 0 \ No newline at end of file diff --git a/roles/old/docker-openvas-ab/files/https_proxy.conf b/roles/old/docker-openvas-ab/files/https_proxy.conf new file mode 100644 index 0000000..ebff942 --- /dev/null 
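Review bot: `shell: mkfs.ext4 /dev/sdb1` runs unconditionally, so every subsequent run of this role reformats the disk holding `/var/lib/docker` and destroys the container data; use `filesystem: fstype=ext4 dev=/dev/sdb1`, which only formats a device that carries no filesystem, and `mount: path=/var/lib/docker src=/dev/sdb1 fstype=ext4 state=mounted` instead of the bare `mount` command so the fstab entry and the live mount agree (the copied fstab currently maps `/dev/sdb1` to `/var/lib/containers`, not `/var/lib/docker`). The Docker repository key is added with `curl ... | sudo apt-key add -` behind `export https_proxy=...`; `apt-key` is deprecated and this trusts whatever the proxy returns, so write the key to `/etc/apt/keyrings/docker.gpg` and pin it with `signed-by=` in the sources line added by `add-apt-repository`. `docker-compose` 1.23.1 is downloaded from GitHub without any checksum and then `chmod +x`'d; a single `get_url` task with `checksum:` and `mode: '0755'` replaces both shell tasks and verifies the binary. The `mkdir /root//mysql` task has a doubled slash and, like the other `mkdir` tasks, fails on a second run; `file: path=/root/mysql state=directory` is idempotent.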
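Review bot: The `/dev/sdb1 /var/lib/containers` entry does not match where this role mounts the device (`mount /dev/sdb1 /var/lib/docker` in tasks/main.yml), so the persistent mount after reboot will not be the Docker data directory; change the mount point to `/var/lib/docker` and set the last field to `2` so the filesystem is checked at boot. The remaining entries are copied from a specific template image (`stretch64--vg`, a hard-coded `/boot` UUID) and are not valid on another host, so manage only the added line with the `mount` module rather than overwriting `/etc/fstab` wholesale.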
+++ b/roles/old/docker-openvas-ab/files/https_proxy.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment="HTTPS_PROXY=http://192.168.99.99:8080/"
\ No newline at end of file
diff --git a/roles/old/docker-openvas-ab/handlers/main.yml b/roles/old/docker-openvas-ab/handlers/main.yml
new file mode 100644
index 0000000..0ccee7e
--- /dev/null
+++ b/roles/old/docker-openvas-ab/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart docker
+ service: name=docker state=restarted
\ No newline at end of file
diff --git a/roles/old/docker-openvas-ab/tasks/main.yml b/roles/old/docker-openvas-ab/tasks/main.yml
new file mode 100644
index 0000000..2ffb798
--- /dev/null
+++ b/roles/old/docker-openvas-ab/tasks/main.yml
@@ -0,0 +1,77 @@ +--- +- name: Installation de apt-transport-https + apt: name=apt-transport-https state=present + +- name: Installation de ca-certificates + apt: name=ca-certificates state=present + +- name: Installation de gnupg2 + apt: name=gnupg2 state=present + +- name: Installation de software-properties-common + apt: name=software-properties-common state=present + +- name: Installation de sudo + apt: name=sudo state=present + +- name: Installation de docker + shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - + +- name: Récupération des paquets docker-ce et docker-compose + shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" + +- name: Création du répertoire docker.service.d + file: + path: /etc/systemd/system/docker.service.d + state: directory + owner: root + group: root + mode: 0775 + recurse: yes + +- name: Copie https_proxy.conf + copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/ + notify: + - restart docker + +- name: Vérification des nouveaux paquets + shell: sudo apt-get update + +- name: Installation de docker-ce + shell: sudo apt-get install -y docker-ce + +- name: Installation de docker-compose + shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + +- name: Modification des droits de docker-compose + shell: chmod +x /usr/local/bin/docker-compose + +- name: Création du docker portainer_data + shell: docker volume create portainer_data + +- name: Initialisation de portainer + shell: docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer + +- name: Copie du fichier fstab + copy: src=fstab dest=/etc/ + +- name: Changement du système de fichier de /dev/sdb1 en ext4 + shell: mkfs.ext4 
/dev/sdb1 + +- name: Montage /dev/sdb1 sur /var/lib/docker + shell: mount /dev/sdb1 /var/lib/docker + +- name: Installation d'OpenVAS + debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas puis redémarrer docker avec service docker restart" + + #- name: Installation d'IredMail + #debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name iredmail lejmr/iredmail puis redémarrer docker avec service docker restart" + +- name: Montage /dev/sdb1 + debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h" + +- name: Test docker + debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1" + +- name: Démarrer le container + debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443" diff --git a/roles/old/firewall-vpn-l-cs/files/iptables-vpn b/roles/old/firewall-vpn-l-cs/files/iptables-vpn new file mode 100644 index 0000000..c363d43 --- /dev/null +++ b/roles/old/firewall-vpn-l-cs/files/iptables-vpn 
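Review bot: The `Initialisation de portainer` task publishes Portainer on every interface (`-p 9000:9000`) with `/var/run/docker.sock` mounted and, as far as this task shows, no admin password configured, so anyone who reaches TCP/9000 before the first login can claim the admin account and, through the Docker socket, run arbitrary containers as root on the host; bind it to the admin interface only, e.g. `-p <admin-ip>:9000:9000`, and set the initial password non-interactively (`--admin-password-file` with a vaulted secret). `shell: mkfs.ext4 /dev/sdb1` also runs unconditionally, so a second run of the role wipes `/var/lib/docker` and the Portainer volume created just above; use the `filesystem` module, which skips a device that already has a filesystem, and the `mount` module instead of the bare `mount` command. The ordering is also wrong: Portainer is started and its volume created before `/dev/sdb1` is mounted over `/var/lib/docker`, so the mount hides the data the daemon just wrote. The copied fstab still maps the disk to `/var/lib/containers`, not `/var/lib/docker`.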
@@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s9 +IFINT=enp0s8 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-l-cs/tasks/main.yml b/roles/old/firewall-vpn-l-cs/tasks/main.yml new file mode 100644 index 0000000..c171284 --- /dev/null +++ b/roles/old/firewall-vpn-l-cs/tasks/main.yml 
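Review bot: The `--sport` ACCEPT rules on INPUT (`-p udp --sport 53`, `--sport 500`, `--sport 4500`, `--sport 161`, `--sport 123`) accept any UDP datagram whose source port is one of those values regardless of destination port, so the `INPUT DROP` policy is bypassed by simply sending from source port 53; replace them with one stateful rule, `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (and the equivalent on OUTPUT), and keep only the `--dport` rules for the services this host actually exposes. The loopback rules `iptables -A INPUT -i lo` and `iptables -A OUTPUT -o lo` have no `-j ACCEPT`, so with both policies at DROP local traffic is still dropped. `--dport 5500` in the NAT-T block should be `4500`. `IFPUB`/`IFINT` are assigned but never used, so nothing restricts SSH or IKE/ESP to a particular interface.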
@@ -0,0 +1,3 @@ +--- + - name: fichier parefeu pour VPN + copy: src=iptables-vpn dest=/root/ diff --git a/roles/old/firewall-vpn-l/files/ferm.conf b/roles/old/firewall-vpn-l/files/ferm.conf new file mode 100644 index 0000000..31d5ec1 --- /dev/null +++ b/roles/old/firewall-vpn-l/files/ferm.conf @@ -0,0 +1,68 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $DEV_ADM = enp0s3; +@def $DEV_AG = enp0s8; +@def $DEV_VPN = enp0s9; + +@def $NET_ADM=192.168.99.102/24; +@def $NET_AG=172.16.128.254/24; +@def $NET_VPN=192.168.0.52/24; + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local packet + interface lo ACCEPT; + + # allow SSH connections + proto tcp dport ssh ACCEPT; + + # allow DNS connections + proto udp sport domain ACCEPT; + proto udp dport domain ACCEPT; + + # allow IPsec + interface ($DEV_AG $DEV_VPN) { + proto udp sport 500 ACCEPT; + proto udp dport 500 ACCEPT; + proto esp ACCEPT; + } + + # Autoriser nat-t-ike + # interface ($DEV_AG) { + proto udp sport 4500 ACCEPT; + proto udp dport 5500 ACCEPT; +# } + + # allow DNS connections + #interface ($DEV_INT) { + proto (udp tcp) dport domain ACCEPT; + #} + + # autoriser NTP + proto udp sport 123 ACCEPT; + + } + chain OUTPUT { + policy ACCEPT; + + # connection tracking + # mod state state INVALID DROP; + # mod state state (ESTABLISHED RELATED) ACCEPT; + } + chain FORWARD { + policy ACCEPT; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } +} \ No newline at end of file diff --git a/roles/old/firewall-vpn-l/files/iptables-vpn b/roles/old/firewall-vpn-l/files/iptables-vpn new file mode 100644 index 0000000..c363d43 --- /dev/null +++ b/roles/old/firewall-vpn-l/files/iptables-vpn 
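Review bot: The rule script is only copied to `/root/`; nothing in this role executes it or persists it across reboots, so the host keeps the default ACCEPT-all policy after the play. Either run it from a handler and persist the result (`iptables-save` into `netfilter-persistent`), or use the ferm-based sibling role, which installs the rules as a service. The copy also needs `mode: '0700'` since it is a root-run script.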
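Review bot: The unrestricted `proto udp sport domain ACCEPT`, `proto udp sport 4500 ACCEPT` and `proto udp sport 123 ACCEPT` lines in INPUT accept any UDP datagram from source port 53/4500/123 to any local port, which defeats the `policy DROP`; replies are already covered by `mod state state (ESTABLISHED RELATED) ACCEPT` above, so these `sport` rules (and `proto udp sport 500 ACCEPT` inside the IPsec block) can simply be deleted. `proto udp dport 5500 ACCEPT` is a typo for `4500` (NAT-T), and the `interface ($DEV_AG)` wrapper around it is commented out, so it should become `interface ($DEV_AG $DEV_VPN) { proto udp dport 4500 ACCEPT; }` to match the IKE block. `proto tcp dport ssh ACCEPT` is not bound to an interface, so SSH is reachable from the VPN side as well; `interface $DEV_ADM proto tcp dport ssh ACCEPT;` limits it to the admin network. The `$NET_ADM`/`$NET_AG`/`$NET_VPN` definitions are host addresses written with a /24 mask and are never referenced.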
@@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s9 +IFINT=enp0s8 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-l/handlers/main.yml b/roles/old/firewall-vpn-l/handlers/main.yml new file mode 100644 index 0000000..e427fa2 --- /dev/null +++ b/roles/old/firewall-vpn-l/handlers/main.yml 
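Review bot: `iptables -A INPUT -i lo` and `iptables -A OUTPUT -o lo` carry no `-j ACCEPT`, so they match and do nothing while the DROP policies drop loopback traffic; both need `-j ACCEPT`. The `--dport 5500` rule in the NAT-T block should be `--dport 4500`. The `--sport 53/500/4500/161/123` INPUT rules accept any UDP packet from those source ports to any destination port and should be replaced by `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. This file is byte-identical to `roles/old/firewall-vpn-l-cs/files/iptables-vpn`, so whichever role is kept, the other copy should go.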
@@ -0,0 +1,3 @@
+---
+ - name: Restart ferm
+ service: name=ferm state=restarted
diff --git a/roles/old/firewall-vpn-l/tasks/main.yml b/roles/old/firewall-vpn-l/tasks/main.yml
new file mode 100644
index 0000000..b0a540d
--- /dev/null
+++ b/roles/old/firewall-vpn-l/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name : installer ferm
+ apt: name=ferm state=present
+
+- name: fichier parefeu pour VPN
+ copy: src=ferm.conf dest=/etc/ferm/ferm.conf
+ notify:
+ - Restart ferm
\ No newline at end of file
diff --git a/roles/old/firewall-vpn-r-cs/files/iptables-vpn b/roles/old/firewall-vpn-r-cs/files/iptables-vpn
new file mode 100644
index 0000000..5ed337d
--- /dev/null
+++ b/roles/old/firewall-vpn-r-cs/files/iptables-vpn
@@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s8 +IFINT=enp0s9 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-r-cs/tasks/main.yml b/roles/old/firewall-vpn-r-cs/tasks/main.yml new file mode 100644 index 0000000..c171284 --- /dev/null +++ b/roles/old/firewall-vpn-r-cs/tasks/main.yml 
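Review bot: `IFPUB=enp0s8` and `IFINT=enp0s9` are the only lines that differ from the left-side copies of this script, yet neither variable is referenced by any rule, so the swapped interface names change nothing and every rule applies on all interfaces. If the intent is to take SSH and SNMP only from the internal side, the rules need `-i $IFINT`, e.g. `iptables -A INPUT -i $IFINT -p tcp --dport 22 -j ACCEPT`, and the IKE/ESP rules `-i $IFPUB`. The same defects as the other copies remain: the `--sport` ACCEPT rules bypass the DROP policy for any UDP packet sent from port 53/500/4500/161/123, the loopback rules lack `-j ACCEPT`, and `--dport 5500` should be `4500`.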
@@ -0,0 +1,3 @@ +--- + - name: fichier parefeu pour VPN + copy: src=iptables-vpn dest=/root/ diff --git a/roles/old/firewall-vpn-r/files/ferm.conf b/roles/old/firewall-vpn-r/files/ferm.conf new file mode 100644 index 0000000..899911f --- /dev/null +++ b/roles/old/firewall-vpn-r/files/ferm.conf @@ -0,0 +1,67 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $DEV_ADM = enp0s3; +@def $DEV_VPN = enp0s8; +@def $DEV_EXT = enp0s9; + +@def $NET_ADM=192.168.99.112/24; +@def $NET_VPN=192.168.0.51/24; +@def $NET_EXT=192.168.1.2/24; + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local packet + interface lo ACCEPT; + + # allow SSH connections + proto tcp dport ssh ACCEPT; + + + # allow DNS connections + proto udp sport domain ACCEPT; + proto udp dport domain ACCEPT; + + + # allow IPsec + interface ($DEV_VPN) { + proto udp sport 500 ACCEPT; + proto udp dport 500 ACCEPT; + proto esp ACCEPT; + } + + # Autoriser nat-t-ike + interface ($DEV_VPN) { + proto udp sport 4500 ACCEPT; + proto udp dport 5500 ACCEPT; + } + + # allow DNS connections + #interface ($DEV_INT) { +# proto (udp tcp) dport domain ACCEPT; + #} + + + # autoriser NTP + proto udp sport 123 ACCEPT; + + } + chain OUTPUT { + policy ACCEPT; + } + chain FORWARD { + policy ACCEPT; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } +} \ No newline at end of file diff --git a/roles/old/firewall-vpn-r/files/iptables-vpn b/roles/old/firewall-vpn-r/files/iptables-vpn new file mode 100644 index 0000000..5ed337d --- /dev/null +++ b/roles/old/firewall-vpn-r/files/iptables-vpn 
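Review bot: Copying `iptables-vpn` to `/root/` installs nothing: the script is never executed and no rule survives a reboot, so the play leaves the gateway with its default ACCEPT policies. Run it from a handler and persist the ruleset (`netfilter-persistent save`), or use the ferm role that exists alongside this one; the copy should also carry `mode: '0700'`.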
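Review bot: `proto udp dport 5500 ACCEPT` inside the NAT-T block should be `4500`, so NAT-T IKE will currently be dropped on `$DEV_VPN`. The source-port rules (`proto udp sport domain`, `sport 500`, `sport 4500`, `sport 123`) accept any UDP datagram from those source ports to any local port on any interface, including `$DEV_EXT`, which defeats the `policy DROP`; return traffic is already allowed by `mod state state (ESTABLISHED RELATED) ACCEPT`, so delete the `sport` lines. `proto tcp dport ssh ACCEPT` is likewise reachable from the external interface; `interface $DEV_ADM proto tcp dport ssh ACCEPT;` restricts it to the admin network. `@def $NET_EXT=192.168.1.2/24;` and the other `$NET_*` values are host addresses with a /24 mask and are never used.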
@@ -0,0 +1,58 @@ +#!/bin/bash + +#renommage des interfaces +IFPUB=enp0s8 +IFINT=enp0s9 + +iptables -F +#iptables -F -t nat + +#bloquer tout +iptables -P INPUT DROP +iptables -P OUTPUT DROP +iptables -P FORWARD ACCEPT + +iptables -A INPUT -i lo +iptables -A OUTPUT -o lo + +#autorise l'acces SSH +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + +#Autorise les requete DNS en tant que client +iptables -A OUTPUT -p udp --dport 53 -j ACCEPT +iptables -A INPUT -p udp --sport 53 -j ACCEPT +iptables -A INPUT -p udp --dport 53 -j ACCEPT +iptables -A OUTPUT -p udp --sport 53 -j ACCEPT + +#autorise isakmp +iptables -A OUTPUT -p udp --dport 500 -j ACCEPT +iptables -A INPUT -p udp --sport 500 -j ACCEPT +iptables -A INPUT -p udp --dport 500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 500 -j ACCEPT + +#autorise nat-t-ike +iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT +iptables -A INPUT -p udp --sport 4500 -j ACCEPT +iptables -A INPUT -p udp --dport 5500 -j ACCEPT +iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT + + +# allow IPsec IKE negotiations +#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT +#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT +# ESP encryption and authentication +iptables -I INPUT -p 50 -j ACCEPT +iptables -I OUTPUT -p 50 -j ACCEPT + +#autorise la supervision ( SNMP ) +iptables -A OUTPUT -p udp --dport 161 -j ACCEPT +iptables -A INPUT -p udp --sport 161 -j ACCEPT + +#autorise NTP +iptables -A OUTPUT -p udp --dport 123 -j ACCEPT +iptables -A INPUT -p udp --sport 123 -j ACCEPT + +#autoriser les ping sauf de l'exterieur +iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT +iptables -A OUTPUT -p icmp -j ACCEPT \ No newline at end of file diff --git a/roles/old/firewall-vpn-r/handlers/main.yml b/roles/old/firewall-vpn-r/handlers/main.yml new file mode 100644 index 0000000..e427fa2 --- /dev/null +++ b/roles/old/firewall-vpn-r/handlers/main.yml 
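Review bot: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` admits SSH on every interface, including the one named `IFPUB=enp0s8`, while the variable itself is never used in a rule; `iptables -A INPUT -i $IFINT -p tcp --dport 22 -j ACCEPT` keeps the management port off the public side. The `--sport` ACCEPT rules (53, 500, 4500, 161, 123) let any UDP packet sent from one of those source ports reach any local port, so the DROP policy is only nominal; replace them with `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. The loopback rules are missing `-j ACCEPT`, and `--dport 5500` should be `4500`. This is the fourth identical copy of the script in this commit; one shared file parameterised by the two interface names would be easier to keep correct.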
@@ -0,0 +1,3 @@ +--- + - name: Restart ferm + service: name=ferm state=restarted diff --git a/roles/old/firewall-vpn-r/tasks/main.yml b/roles/old/firewall-vpn-r/tasks/main.yml new file mode 100644 index 0000000..b2d49ed --- /dev/null +++ b/roles/old/firewall-vpn-r/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name : installer ferm + apt: name=ferm state=present + +- name: fichier parefeu pour VPN + copy: src=ferm.conf dest=/etc/ferm/ferm.conf + notify: + - Restart ferm \ No newline at end of file diff --git a/roles/old/itil-cs/files/.my.cnf b/roles/old/itil-cs/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/old/itil-cs/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/old/itil-cs/files/glpi.conf b/roles/old/itil-cs/files/glpi.conf new file mode 100644 index 0000000..4c37222 --- /dev/null +++ b/roles/old/itil-cs/files/glpi.conf @@ -0,0 +1,12 @@ +DocumentRoot /var/www/glpi + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + AuthType Basic + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined + CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined + ErrorLog ${APACHE_LOG_DIR}/glpi_error.log diff --git a/roles/old/itil-cs/files/script b/roles/old/itil-cs/files/script new file mode 100644 index 0000000..f400139 --- /dev/null +++ b/roles/old/itil-cs/files/script @@ -0,0 +1,4 @@ +#!/bin/sh +chm= »/var/www/html/glpi/files/_dumps » +# Dump base GLPI +mysqldump -uroot -proot glpi |gzip > $chm/$(date +%Y-%m-%d).sql.gz \ No newline at end of file diff --git a/roles/old/itil-cs/handlers/main.yml b/roles/old/itil-cs/handlers/main.yml new file mode 100644 index 0000000..9744cf7 --- /dev/null +++ b/roles/old/itil-cs/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart apache2 + service: name=apache2 state=restarted + + - name: restart mysql-server + service: name=mysql-server state=restarted 
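Review bot: This file commits the database root credentials `user=root` / `password=root` in clear text, so anyone with read access to the repository history holds the MariaDB root password. Render the file from a template with a vaulted variable (and keep mode 0600, which the task already sets) and set a real password. The same `root`/`root` pair is hard-coded again on the `mysqldump -uroot -proot` line in `files/script`, so both must change together.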
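Review bot: `Options Indexes FollowSymLinks MultiViews` on the GLPI document root enables directory listings for every path without an index file, which exposes directory contents such as uploads and the SQL dumps the backup script writes under `files/_dumps`; change it to `Options -Indexes +FollowSymLinks`. `AuthType Basic` is set with no `AuthUserFile`/`Require`, so it authenticates nothing and should be removed or completed. `Order allow,deny` / `allow from all` is Apache 2.2 syntax and needs `mod_access_compat` on 2.4; `Require all granted` is the current form. The `<VirtualHost>`/`<Directory>` container tags appear to have been stripped from this rendering, so the enclosing structure is inferred.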
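Review bot: The `chm=»/var/www/html/glpi/files/_dumps»` assignment uses typographic quotes rather than ASCII `"`, so the shell keeps the `»` characters as part of the value and the dump is written to a path that does not exist; the line should be `chm="/var/www/html/glpi/files/_dumps"`. Passing the password as `-proot` exposes it in the process list to every local user; with the `.my.cnf` the role installs under `/root/tools/ansible/`, `mysqldump --defaults-file=/root/tools/ansible/.my.cnf glpi` needs no password argument at all. Writing dumps under the web root leaves the full database downloadable if that directory is served (and `Options Indexes` is set in glpi.conf), so store them outside the DocumentRoot, e.g. `/var/backups/glpi`, with mode 0600. Note also that the tasks unpack GLPI to `/var/www/glpi`, not `/var/www/html/glpi`.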
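Review bot: `service: name=mysql-server state=restarted` names the apt package, not a service unit; the service is `mysql` (or `mariadb` on current Debian), so this handler fails whenever it is notified. Nothing in the tasks hunk notifies `restart mysql-server` today, so the defect is latent, but the name should be corrected or the handler removed.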
diff --git a/roles/old/itil-cs/tasks/main.yml b/roles/old/itil-cs/tasks/main.yml
new file mode 100644
index 0000000..ced06f0
--- /dev/null
+++ b/roles/old/itil-cs/tasks/main.yml
@@ -0,0 +1,65 @@ +--- + - name: Install apache2 + apt: name=apache2 state=present update_cache=yes + notify: + - restart apache2 + + - name: Install php5 + apt: name=php5 state=present update_cache=yes + + - name: Install php5-mysql + apt: name=php5-mysql state=present update_cache=yes + + - name: Install php5-gd + apt: name=php5-gd state=present update_cache=yes + + - name: Install php5-curl + apt: name=php5-curl state=present update_cache=yes + + - name: Install php5-imap + apt: name=php5-imap state=present update_cache=yes + + - name: Install php5-ldap + apt: name=php5-ldap state=present update_cache=yes + + - name: Download GLPI from Internet + copy: src=glpi-9.1.3.tgz dest=/var/www/ + + - name: Instructions + debug: msg="En cas de problemes, relancez le playbook une seconde fois." + + - name: unpack tarball + unarchive: src=/var/www/glpi-9.1.3.tgz dest=/var/www/ + + - name: Fix permissions + shell: chown -R www-data:www-data /var/www/glpi/ + + - name: copy .my.cnf file with root password credentials + copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600 + + + - name: Print web instructions + debug: msg="/!\ Se rendre sur http://adresse_ip_de_votre_serveur/glpi et suivre l'installation" + + - name: Download Fusioninventory from Internet + copy: src=fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins + + - name: unpack tarball + unarchive: src=/var/www/glpi/plugins/fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins + + - name: Print web instructions + debug: msg="(i) Fusioninventory plugin installed in /var/www/glpi/plugins" + + - name: copy glpi.conf + copy: src=glpi.conf dest=/etc/apache2/sites-available/ + + - name: activation du site glpi + shell: a2ensite glpi.conf + notify: + - restart apache2 + + - name: copie script + copy: src=script dest=/root/ + + - name: chmod + shell: chmod +x /root/script \ No newline at end of file 
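Review bot: `shell: chown -R www-data:www-data /var/www/glpi/` makes the entire GLPI code tree writable by the web server user, so any file-write weakness in the application or a plugin becomes arbitrary PHP execution; GLPI needs only its `files/` and `config/` directories writable, so leave the tree owned by root and apply `file: path=/var/www/glpi/files owner=www-data group=www-data recurse=yes state=directory` (and the same for `config`), which is also idempotent. Both `unarchive` tasks give a `src=` on the target (`/var/www/glpi-9.1.3.tgz`, `/var/www/glpi/plugins/fusioninventory-...tar.gz`) without `remote_src: yes`, which presumably is why the `Instructions` debug asks for a second run; add `remote_src: yes` to both. The `.my.cnf` copied to `/root/tools/ansible/` carries the `root`/`root` credentials from `files/.my.cnf` and should be rendered from a vaulted variable. The role installs `php5` packages and GLPI 9.1.3, neither of which is maintained any more; since this sits under `roles/old`, a header comment stating it is kept for reference only would stop it being run against a current host.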
diff --git a/roles/old/snmp-cs/files/snmpd.conf b/roles/old/snmp-cs/files/snmpd.conf
new file mode 100644
index 0000000..6b81b54
--- /dev/null
+++ b/roles/old/snmp-cs/files/snmpd.conf
@@ -0,0 +1,193 @@ +############################################################################### +# +# EXAMPLE.conf: +# An example configuration file for configuring the Net-SNMP agent ('snmpd') +# See the 'snmpd.conf(5)' man page for details +# +# Some entries are deliberately commented out, and will need to be explicitly activated +# +############################################################################### +# +# AGENT BEHAVIOUR +# + +# Listen for connections from the local system only +#agentAddress udp:127.0.0.1:161 +# Listen for connections on all interfaces (both IPv4 *and* IPv6) +agentAddress udp:161,udp6:[::1]:161 + + + +############################################################################### +# +# SNMPv3 AUTHENTICATION +# +# Note that these particular settings don't actually belong here. +# They should be copied to the file /var/lib/snmp/snmpd.conf +# and the passwords changed, before being uncommented in that file *only*. +# Then restart the agent + +# createUser authOnlyUser MD5 "remember to change this password" +# createUser authPrivUser SHA "remember to change this one too" DES +# createUser internalUser MD5 "this is only ever used internally, but still change the password" + +# If you also change the usernames (which might be sensible), +# then remember to update the other occurances in this example config file to match. 
+ + + +############################################################################### +# +# ACCESS CONTROL +# + + # system + hrSystem groups only +view systemonly included .1.3.6.1.2.1.1 +view systemonly included .1.3.6.1.2.1.25.1 + + # Full access from the local host +rocommunity public s-mon.gsb.adm + # Default access to basic system info +rocommunity public + + # Full access from an example network + # Adjust this network address to match your local + # settings, change the community string, + # and check the 'agentAddress' setting above +#rocommunity secret 10.0.0.0/16 + + # Full read-only access for SNMPv3 + rouser authOnlyUser + # Full write access for encrypted requests + # Remember to activate the 'createUser' lines above +#rwuser authPrivUser priv + +# It's no longer typically necessary to use the full 'com2sec/group/access' configuration +# r[ou]user and r[ow]community, together with suitable views, should cover most requirements + + + +############################################################################### +# +# SYSTEM INFORMATION +# + +# Note that setting these values here, results in the corresponding MIB objects being 'read-only' +# See snmpd.conf(5) for more details +sysLocation Sitting on the Dock of the Bay +sysContact Me + # Application + End-to-End layers +sysServices 72 + + +# +# Process Monitoring +# + # At least one 'mountd' process +proc mountd + # No more than 4 'ntalkd' processes - 0 is OK +proc ntalkd 4 + # At least one 'sendmail' process, but no more than 10 +proc sendmail 10 1 + +# Walk the UCD-SNMP-MIB::prTable to see the resulting output +# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file + + +# +# Disk Monitoring +# + # 10MBs required on root disk, 5% free on /var, 10% free on all other disks +disk / 10000 +disk /var 5% +includeAllDisks 10% + +# Walk the UCD-SNMP-MIB::dskTable to see the resulting output +# Note that this table will be empty if there are no "disk" entries in the 
snmpd.conf file + + +# +# System Load +# + # Unacceptable 1-, 5-, and 15-minute load averages +load 12 10 5 + +# Walk the UCD-SNMP-MIB::laTable to see the resulting output +# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file + + + +############################################################################### +# +# ACTIVE MONITORING +# + + # send SNMPv1 traps + trapsink localhost public + # send SNMPv2c traps +#trap2sink localhost public + # send SNMPv2c INFORMs +#informsink localhost public + +# Note that you typically only want *one* of these three lines +# Uncommenting two (or all three) will result in multiple copies of each notification. + + +# +# Event MIB - automatically generate alerts +# + # Remember to activate the 'createUser' lines above +iquerySecName internalUser +rouser internalUser + # generate traps on UCD error conditions +defaultMonitors yes + # generate traps on linkUp/Down +linkUpDownNotifications yes + + + +############################################################################### +# +# EXTENDING THE AGENT +# + +# +# Arbitrary extension commands +# + extend test1 /bin/echo Hello, world! + extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35 +#extend-sh test3 /bin/sh /tmp/shtest + +# Note that this last entry requires the script '/tmp/shtest' to be created first, +# containing the same three shell commands, before the line is uncommented + +# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table +# and nsExtendOutput2Table) to see the resulting output + +# Note that the "extend" directive supercedes the previous "exec" and "sh" directives +# However, walking the UCD-SNMP-MIB::extTable should still returns the same output, +# as well as the fuller results in the above tables. 
+ + +# +# "Pass-through" MIB extension command +# +#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest +#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl + +# Note that this requires one of the two 'passtest' scripts to be installed first, +# before the appropriate line is uncommented. +# These scripts can be found in the 'local' directory of the source distribution, +# and are not installed automatically. + +# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output + + +# +# AgentX Sub-agents +# + # Run as an AgentX master agent + master agentx + # Listen for network connections (from localhost) + # rather than the default named socket /var/agentx/master +#agentXSocket tcp:localhost:705 diff --git a/roles/old/snmp-cs/handlers/main.yml b/roles/old/snmp-cs/handlers/main.yml new file mode 100644 index 0000000..9d9b583 --- /dev/null +++ b/roles/old/snmp-cs/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart snmpd + service: name=snmpd state=restarted diff --git a/roles/old/snmp-cs/tasks/main.yml b/roles/old/snmp-cs/tasks/main.yml new file mode 100644 index 0000000..63a1fbf --- /dev/null +++ b/roles/old/snmp-cs/tasks/main.yml @@ -0,0 +1,14 @@ +--- + +- name: Installation snmpd + apt: name=snmpd state=present + +- name: Installation snmp + apt: name=snmp state=present + +- name: Copie du fichier snmpd.conf + copy: src=snmpd.conf dest=/etc/snmp/ + notify: + - restart snmpd + + diff --git a/roles/old/user-yb/tasks/main.yml b/roles/old/user-yb/tasks/main.yml new file mode 100644 index 0000000..89118cf --- /dev/null +++ b/roles/old/user-yb/tasks/main.yml 
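Review bot: The second `rocommunity public` line (the unrestricted one under `# Default access to basic system info`) grants full read access with the default community string from any source, and `agentAddress udp:161` listens on all IPv4 interfaces, so any host that reaches UDP/161 can walk the whole MIB, including the process table and the `extend` command output; delete that line and keep only `rocommunity <non-default-string> s-mon.gsb.adm`, or confine the open one to the view with `rocommunity public default -V systemonly`. The example extensions `extend test1 /bin/echo Hello, world!` and `extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35`, together with the `proc`, `disk`, `load`, `sysLocation` and `sysContact` placeholders, are still active from the shipped EXAMPLE.conf and should be removed or replaced with real values. `trapsink localhost public` also uses the default community and should be changed or dropped if no trap receiver runs on this host. Using SNMPv3 (`rouser authOnlyUser` is already referenced) with a `createUser` line in `/var/lib/snmp/snmpd.conf` would remove the clear-text community altogether.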
@@ -0,0 +1,47 @@ +--- + - name: Installation des paquets + apt: name={{item}} state=present force=yes + with_items: + - dmidecode + - hwdata + - ucf + - hdparm + - perl + - libuniversal-require-perl + - libwww-perl + - libparse-edid-perl + - libproc-daemon-perl + - libfile-which-perl + - libhttp-daemon-perl + - libxml-treepp-perl + - libyaml-perl + - libnet-cups-perl + - libnet-ip-perl + - libdigest-sha-perl + - libsocket-getaddrinfo-perl + - libtext-template-perl + + - name: Creation du repertoire fi + file: path=/root/fi state=directory owner=www-data group=www-data + + - name: Installation de fusioninventory + get_url: + url: http://debian.fusioninventory.org/downloads/fusioninventory-agent_2.5-3_all.deb + dest: /root/fi + remote_src: yes + owner: www-data + group: www-data + + - name: Installation du paquet .deb + apt: + deb: /root/fi/fusioninventory-agent_2.5-3_all.deb + + - name: Configuration du fichier agent.cfg + replace: + dest: /etc/fusioninventory/agent.cfg + regexp: '#server = http://server.domain.com/glpi/plugins/fusioninventory/' + replace: 'server = http://172.16.0.9/plugins/fusioninventory/' + backup: yes + + - debug: + msg: "Faire un systemectl restart fusioninventory-agent puis un reload" diff --git a/roles/old/vpn-stg-l/files/ipsec.conf b/roles/old/vpn-stg-l/files/ipsec.conf new file mode 100644 index 0000000..79f40ae --- /dev/null +++ b/roles/old/vpn-stg-l/files/ipsec.conf @@ -0,0 +1,23 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.52 + leftsubnet=172.16.128.0/24 + right=192.168.0.51 + rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + authby=secret + auto=start + keyexchange=ikev2 + type=tunnel +# 
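Review bot: The fusioninventory .deb is fetched over plain HTTP with no `checksum:` and then installed as root, so nothing verifies that the package installed is the one the author tested; add `checksum: sha256:<EXPECTED-SHA256-PLACEHOLDER>` to the get_url task and use https where the mirror offers it. `remote_src: yes` is, as far as I know, not a get_url parameter (it belongs to copy/unarchive) and will make Ansible reject the task. The agent.cfg rewrite points the agent at `http://172.16.0.9/...`, so inventory data travels in clear on the LAN, and the final message says `systemectl`; it should read `msg: "Faire un systemctl restart fusioninventory-agent puis un reload"`.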
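Review bot: `ike=aes256-sha2_256-modp1024!` pins the IKE_SA to the 1024-bit MODP group, which is below current guidance for IKEv2, and `esp=aes256-sha2_256!` carries no DH group, so CHILD_SA rekeys happen without forward secrecy. I would change the two lines to `ike=aes256-sha256-modp2048!` and `esp=aes256-sha256-modp2048!`; both peers must agree, so the same edit applies to the mirror file at L642 and to the x509 variants at L649 and L652. The `conn %default` section is empty and `conn tunnel #` has a stray trailing `#`; both are harmless but worth tidying.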
diff --git a/roles/old/vpn-stg-l/files/ipsec.secrets b/roles/old/vpn-stg-l/files/ipsec.secrets
new file mode 100644
index 0000000..65d30ce
--- /dev/null
+++ b/roles/old/vpn-stg-l/files/ipsec.secrets
@@ -0,0 +1,8 @@
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
+# this file is managed with debconf and will contain the automatically created private key
+include /var/lib/strongswan/ipsec.secrets.inc
+192.168.0.52 192.168.0.51 : PSK 'root'
\ No newline at end of file
diff --git a/roles/old/vpn-stg-l/files/sysctl.conf b/roles/old/vpn-stg-l/files/sysctl.conf
new file mode 100644
index 0000000..b138754
--- /dev/null
+++ b/roles/old/vpn-stg-l/files/sysctl.conf
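Review bot: The pre-shared key is the literal `'root'`, committed to the repository in clear for both peers (the mirror at L642 uses the same value), and the task that deploys it (L641) sets no file mode. A single dictionary word gives the tunnel's authentication essentially no strength; generate a long random value, keep it in an Ansible Vault variable rendered by a template, and deploy with mode 0600, e.g. `192.168.0.52 192.168.0.51 : PSK "<PSK-FROM-VAULT-PLACEHOLDER>"`. With a vault-backed secret the committed file no longer needs to contain anything but the `include` line.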
@@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/vpn-stg-l/handlers/main.yml b/roles/old/vpn-stg-l/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/vpn-stg-l/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/vpn-stg-l/tasks/main.yml b/roles/old/vpn-stg-l/tasks/main.yml new file mode 100644 index 0000000..73c001a --- /dev/null +++ b/roles/old/vpn-stg-l/tasks/main.yml @@ -0,0 +1,21 @@ +--- +#Installation ipsec strongswan côté gauche pour le fichier de secret partagé + - name: install strongswan, fichier secret partagé + apt: name=strongswan state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/old/vpn-stg-r/files/ipsec.conf b/roles/old/vpn-stg-r/files/ipsec.conf new file mode 100644 index 0000000..85535f1 --- /dev/null +++ b/roles/old/vpn-stg-r/files/ipsec.conf 
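Review bot: `net.ipv4.ip_forward=1` is enabled, but the hardening knobs the same file recommends for a forwarding host are left commented out: `accept_redirects`, `send_redirects`, `accept_source_route` and `log_martians`. On a VPN gateway I would uncomment at least `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.all.accept_source_route = 0`; rp_filter needs care with policy-based IPsec, so if it is enabled I would start with the loose setting (`net.ipv4.conf.all.rp_filter=2`) and test the tunnel. The identical sysctl.conf is repeated at L644, L646, L651 and L655; it would be easier to maintain as one shared file.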
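Review bot: The `activation du routage` task only copies sysctl.conf; nothing runs `sysctl -p` or a handler afterwards, so forwarding stays off until the next reboot and the tunnel comes up on a host that cannot forward. Replace it with `sysctl: name=net.ipv4.ip_forward value=1 sysctl_set=yes state=present reload=yes`, and give the secrets copy explicit permissions: `copy: src=ipsec.secrets dest=/etc/ipsec.secrets owner=root group=root mode=0600`. The nested double quotes in `debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"` will, I think, be mis-parsed by the key=value shorthand; single-quote the inner name or use YAML block syntax. The same points apply to the mirror roles at L644, L646, L651 and L656.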
@@ -0,0 +1,23 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.51 + leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + right=192.168.0.52 + rightsubnet=172.16.128.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + authby=secret + auto=start + keyexchange=ikev2 + type=tunnel +# diff --git a/roles/old/vpn-stg-r/files/ipsec.secrets b/roles/old/vpn-stg-r/files/ipsec.secrets new file mode 100644 index 0000000..9d46a82 --- /dev/null +++ b/roles/old/vpn-stg-r/files/ipsec.secrets @@ -0,0 +1,8 @@ +# This file holds shared secrets or RSA private keys for authentication. + +# RSA private key for this host, authenticating it to any other host +# which knows the public part. + +# this file is managed with debconf and will contain the automatically created private key +include /var/lib/strongswan/ipsec.secrets.inc +192.168.0.51 192.168.0.52 : PSK 'root' \ No newline at end of file diff --git a/roles/old/vpn-stg-r/files/sysctl.conf b/roles/old/vpn-stg-r/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/vpn-stg-r/files/sysctl.conf 
@@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/vpn-stg-r/handlers/main.yml b/roles/old/vpn-stg-r/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/vpn-stg-r/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/vpn-stg-r/tasks/main.yml b/roles/old/vpn-stg-r/tasks/main.yml new file mode 100644 index 0000000..5160f44 --- /dev/null +++ b/roles/old/vpn-stg-r/tasks/main.yml @@ -0,0 +1,21 @@ +--- +#Installation ipsec strongswan côté droit pour le fichier de secret partagé + - name: install strongswan, fichier secret partagé + apt: name=strongswan state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/old/vpn/files/sysctl.conf b/roles/old/vpn/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/vpn/files/sysctl.conf 
@@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/vpn/handlers/main.yml b/roles/old/vpn/handlers/main.yml new file mode 100644 index 0000000..75fe472 --- /dev/null +++ b/roles/old/vpn/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart racoon + service: name=racoon state=restarted + + - name: restart setkey + service: name=setkey state=restarted diff --git a/roles/old/vpn/tasks/main.yml b/roles/old/vpn/tasks/main.yml new file mode 100644 index 0000000..5288385 --- /dev/null +++ b/roles/old/vpn/tasks/main.yml @@ -0,0 +1,23 @@ +--- + - name: Installation Racoon + apt: name=racoon state=present update_cache=yes + + - name: install ipsec-tools + apt: name=ipsec-tools state=present update_cache=yes + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: generation racoon.conf + template: src=racoon.conf.j2 dest=/etc/racoon/racoon.conf + + - name: generation ipsec-tools.conf + template: src=ipsec-tools.conf.j2 dest=/etc/ipsec-tools.conf + notify: restart setkey + + - name: generation psk.txt + template: src=psk.txt.j2 dest=/etc/racoon/psk.txt + notify: restart racoon + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf diff --git a/roles/old/vpn/templates/ipsec-tools.conf.j2 b/roles/old/vpn/templates/ipsec-tools.conf.j2 new file mode 100755 index 0000000..d5205df --- /dev/null +++ b/roles/old/vpn/templates/ipsec-tools.conf.j2 
@@ -0,0 +1,9 @@ +flush; +spdflush; + +spdadd {{ mynet }}/24 {{ remnet }}/24 any -P out ipsec + esp/tunnel/{{ ip1 }}-{{ remip }}/require; + +spdadd {{ remnet }}/24 {{ mynet }}/24 any -P in ipsec + esp/tunnel/{{ remip }}-{{ ip1 }}/require; + diff --git a/roles/old/vpn/templates/psk.txt.j2 b/roles/old/vpn/templates/psk.txt.j2 new file mode 100644 index 0000000..12e07d4 --- /dev/null +++ b/roles/old/vpn/templates/psk.txt.j2 @@ -0,0 +1,2 @@ +{{ remip }} secret + diff --git a/roles/old/vpn/templates/racoon.conf.j2 b/roles/old/vpn/templates/racoon.conf.j2 new file mode 100644 index 0000000..d5d52a7 --- /dev/null +++ b/roles/old/vpn/templates/racoon.conf.j2 @@ -0,0 +1,19 @@ +path pre_shared_key "/etc/racoon/psk.txt"; + +remote {{ remip }} { + exchange_mode main,aggressive; + proposal { + encryption_algorithm 3des; + hash_algorithm sha1; + authentication_method pre_shared_key; + dh_group 2; + } +} + +sainfo address {{ mynet }}/24 any address {{ remnet }}/24 any { + pfs_group 2; + lifetime time 1 hour ; + encryption_algorithm 3des, blowfish 448, rijndael ; + authentication_algorithm hmac_sha1, hmac_md5 ; + compression_algorithm deflate ; +} diff --git a/roles/old/wordpress/handlers/main.yml b/roles/old/wordpress/handlers/main.yml new file mode 100644 index 0000000..b8b354d --- /dev/null +++ b/roles/old/wordpress/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart apache2 + service: name=apache2 state=restarted diff --git a/roles/old/wordpress/tasks/main.yml b/roles/old/wordpress/tasks/main.yml new file mode 100644 index 0000000..4c6f47a --- /dev/null +++ b/roles/old/wordpress/tasks/main.yml 
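Review bot: psk.txt.j2 hard-codes the pre-shared key as the word `secret`, and the template task that installs it (L646) sets no mode, so the key is both trivial and potentially world-readable on the host. Source it from an Ansible Vault variable, `{{ remip }} {{ racoon_psk }}`, and deploy the template with `mode=0600`. The same hard-coded-PSK pattern appears in the strongSwan secrets at L639 and L642.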
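Review bot: The `remote` block offers `exchange_mode main,aggressive` with a pre-shared key, and the proposals are `3des`/`sha1`/`dh_group 2`, with `blowfish 448` and `hmac_md5` also accepted in the sainfo. Aggressive mode with PSK sends the identity hash unprotected, and 3DES, MD5 and 1024-bit DH are all below current guidance, so restrict the peer to main mode and AES/SHA-256/group 14 as below. racoon/ipsec-tools has not been maintained for years and I believe recent Debian releases no longer ship it, so the strongSwan roles elsewhere in this commit are the better basis (the role already sits under roles/old/); if it is kept, at least tighten the proposals.
```jinja
# … unchanged: path pre_shared_key …
remote {{ remip }} {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        # … unchanged: authentication_method …
        dh_group 14;
    }
}

sainfo address {{ mynet }}/24 any address {{ remnet }}/24 any {
    pfs_group 14;
    # … unchanged: lifetime …
    encryption_algorithm aes 256 ;
    authentication_algorithm hmac_sha256 ;
    # … unchanged: compression_algorithm …
}
```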
@@ -0,0 +1,40 @@ +--- +- name: Téléchargement de wordpress + get_url: + url: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz + dest: /var/www/html + +- name: Extraction du fichier wordpress + unarchive: + src: /var/www/html/wordpress-5.3.2-fr_FR.tar.gz + dest: /var/www/html + +- name: Fix permissions owner + shell: chown -R www-data /var/www/html/wordpress + +- name: Fix permissions groups + shell: chgrp -R www-data /var/www/html/wordpress + +- name: Mettre à jour le site Apache par défaut + lineinfile: + dest: /etc/apache2/sites-enabled/000-default.conf + regexp: "(.)+DocumentRoot /var/www/html" + line: "DocumentRoot /var/www/html/wordpress" + +- name: restart apache2 + service: + name: apache2 + state: restarted + +- name: Mettre à jour le fichier de configuration WordPress + lineinfile: + dest: /var/www/html/wordpress/wp-config-sample.php + backup: yes + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"} + - {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"} + - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"} + - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"} + diff --git a/roles/old/x509-l/files/ipsec.conf b/roles/old/x509-l/files/ipsec.conf new file mode 100644 index 0000000..5467d9d --- /dev/null +++ b/roles/old/x509-l/files/ipsec.conf 
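Review bot: The last task edits `wp-config-sample.php`, which WordPress never reads, so the DB settings are not actually applied; copy the sample to `wp-config.php` first (`copy: remote_src=yes src=/var/www/html/wordpress/wp-config-sample.php dest=/var/www/html/wordpress/wp-config.php`) and point `lineinfile` at that file. The credentials it writes are the literal `wp`/`wp`, committed in clear; take `DB_PASSWORD` from a vaulted variable instead. The tarball is pulled over HTTP from `http://depl/gsbstore/...` with no `checksum:`, and the two `shell: chown/chgrp` tasks are what `file: path=/var/www/html/wordpress owner=www-data group=www-data recurse=yes` does idempotently.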
@@ -0,0 +1,25 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.52 + leftsubnet=172.16.128.0/24 + right=192.168.0.51 + rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + #authby=secret + auto=start + keyexchange=ikev2 + type=tunnel + leftcert=r-vp2Cert.pem + leftid="C=CH, O=GSB, CN=r-vp2" + rightid="C=CH, O=GSB, CN=r-vp1" diff --git a/roles/old/x509-l/files/ipsec.secrets b/roles/old/x509-l/files/ipsec.secrets new file mode 100644 index 0000000..d5cfa53 --- /dev/null +++ b/roles/old/x509-l/files/ipsec.secrets @@ -0,0 +1,9 @@ +# This file holds shared secrets or RSA private keys for authentication. + +# RSA private key for this host, authenticating it to any other host +# which knows the public part. + +# this file is managed with debconf and will contain the automatically created private key +#include /var/lib/strongswan/ipsec.secrets.inc +#192.168.0.52 192.168.0.51 : PSK 'root' +: RSA r-vp2Key.pem \ No newline at end of file diff --git a/roles/old/x509-l/files/sysctl.conf b/roles/old/x509-l/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/old/x509-l/files/sysctl.conf 
@@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/x509-l/handlers/main.yml b/roles/old/x509-l/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/x509-l/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/x509-l/tasks/main.yml b/roles/old/x509-l/tasks/main.yml new file mode 100644 index 0000000..b42d977 --- /dev/null +++ b/roles/old/x509-l/tasks/main.yml @@ -0,0 +1,21 @@ +--- +#Installation ipsec strongswan côté gauche pour la communication via certificat + - name: 1. install strongswan, com via certificat + apt: name=strongswan state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/old/x509-r/files/generate.sh b/roles/old/x509-r/files/generate.sh new file mode 100755 index 0000000..4adff04 --- /dev/null +++ b/roles/old/x509-r/files/generate.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash + +cd /etc/ipsec.d + +ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem + +ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=GSB, CN=Root CA" --outform pem > cacerts/strongswanCert.pem + +ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp1Key.pem + +chmod 600 private/r-vp1Key.pem + +ipsec pki --pub --in private/r-vp1Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp1" --san r-vp1 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp1Cert.pem + +ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp2Key.pem + +chmod 600 private/r-vp2Key.pem + +ipsec pki --pub --in private/r-vp2Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp2" --san r-vp2 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp2Cert.pem \ No newline at end of file diff --git a/roles/old/x509-r/files/ipsec.conf b/roles/old/x509-r/files/ipsec.conf new file mode 100644 index 0000000..0fc2758 --- /dev/null +++ b/roles/old/x509-r/files/ipsec.conf @@ -0,0 +1,25 @@ +config setup + charondebug="all" + uniqueids=yes + strictcrlpolicy=no +conn %default +conn tunnel # + left=192.168.0.51 + leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24 + right=192.168.0.52 + rightsubnet=172.16.128.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + #authby=secret + auto=start + keyexchange=ikev2 + type=tunnel + leftcert=r-vp1Cert.pem + leftid="C=CH, O=GSB, CN=r-vp1" + rightid="C=CH, O=GSB, CN=r-vp2" diff --git a/roles/old/x509-r/files/ipsec.secrets b/roles/old/x509-r/files/ipsec.secrets new file mode 100644 index 0000000..4965c70 --- /dev/null 
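Review bot: The CA private key `private/strongswanKey.pem` is written by shell redirection with whatever umask the caller has and never gets the `chmod 600` the two peer keys receive, and the script has no `set -e`, so a failed `cd /etc/ipsec.d` would scatter key files into the current directory. Add `set -euo pipefail` and `umask 077` after the shebang so every file is created root-only from the start. Generating the CA and both peers' keys on one of the gateways also means the CA key lives on an online VPN endpoint; if that is acceptable for this lab, document that it must never be included in recupKey.sh (it currently is not).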
+++ b/roles/old/x509-r/files/ipsec.secrets
@@ -0,0 +1,9 @@
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
+# this file is managed with debconf and will contain the automatically created private key
+#include /var/lib/strongswan/ipsec.secrets.inc
+#192.168.0.51 192.168.0.52 : PSK 'root'
+: RSA r-vp1Key.pem
\ No newline at end of file
diff --git a/roles/old/x509-r/files/recupKey.sh b/roles/old/x509-r/files/recupKey.sh
new file mode 100755
index 0000000..049a432
--- /dev/null
+++ b/roles/old/x509-r/files/recupKey.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+REMH=192.168.0.52
+
+cd /etc/ipsec.d
+
+scp cacerts/strongswanCert.pem root@$REMH:/etc/ipsec.d/cacerts
+
+scp certs/r-vp2Cert.pem root@$REMH:/etc/ipsec.d/certs
+
+scp certs/r-vp1Cert.pem root@$REMH:/etc/ipsec.d/certs
+
+scp private/r-vp2Key.pem root@$REMH:/etc/ipsec.d/private
+
+scp private/r-vp1Key.pem root@$REMH:/etc/ipsec.d/private
+
diff --git a/roles/old/x509-r/files/sysctl.conf b/roles/old/x509-r/files/sysctl.conf
new file mode 100644
index 0000000..b138754
--- /dev/null
+++ b/roles/old/x509-r/files/sysctl.conf
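Review bot: recupKey.sh copies `private/r-vp1Key.pem` to the remote peer although only r-vp2 needs its own key there, so r-vp1's private key now exists on two hosts; drop the last `scp private/r-vp1Key.pem root@$REMH:/etc/ipsec.d/private` line. Conversely `r-vp2Key.pem` stays on r-vp1 after the transfer and is never removed from the issuing host. The script also has no `set -e`, so a failed scp (for example a rejected root login on 192.168.0.52) is silently ignored by the calling task.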
@@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/old/x509-r/handlers/main.yml b/roles/old/x509-r/handlers/main.yml new file mode 100644 index 0000000..719832b --- /dev/null +++ b/roles/old/x509-r/handlers/main.yml @@ -0,0 +1,4 @@ +--- + - name: restart ipsec + service: name=ipsec state=restarted + diff --git a/roles/old/x509-r/tasks/main.yml b/roles/old/x509-r/tasks/main.yml new file mode 100644 index 0000000..edf5992 --- /dev/null +++ b/roles/old/x509-r/tasks/main.yml 
@@ -0,0 +1,36 @@ +--- +#Installation ipsec strongswan côté droit pour la communication via certificat + - name: install strongswan, com via certificat + apt: name=strongswan state=present + + - name: install strongswan-pki + apt: name=strongswan-pki state=present + + - name: install tcpdump + apt: name=tcpdump state=present update_cache=yes + + - name: activation du routage + copy: src=sysctl.conf dest=/etc/sysctl.conf + + - name: Copie fichier ipsec.conf + copy: src=ipsec.conf dest=/etc/ipsec.conf + notify: restart ipsec + + - name: Copie fichier ipsec.secrets + copy: src=ipsec.secrets dest=/etc/ipsec.secrets + notify: restart ipsec + + - name: Copie fichier generate.sh + copy: src=generate.sh dest=/root/ + + - name: Generation de la CA et des certificats + shell: /bin/bash /root/generate.sh >> generate-log.txt + + - name: Copie fichier recupKey.sh + copy: src=recupKey.sh dest=/root/ + + - name: Lancement recupKey.sh + shell: /bin/bash /root/recupKey.sh + + - name: Message d'information + debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc" \ No newline at end of file diff --git a/roles/php-fpm/handlers/main.yml b/roles/php-fpm/handlers/main.yml new file mode 100644 index 0000000..b45a971 --- /dev/null +++ b/roles/php-fpm/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart php7.0-fpm + service: name=php7.0-fpm state=restarted diff --git a/roles/php-fpm/tasks/main.yml b/roles/php-fpm/tasks/main.yml new file mode 100644 index 0000000..eb78510 --- /dev/null +++ b/roles/php-fpm/tasks/main.yml @@ -0,0 +1,9 @@ +--- + - name: Install php-fpm and deps + apt: name={{ item }} state=present + with_items: + - php + - php-fpm + - php-mysql + notify: + - restart php7.0-fpm diff --git a/roles/php-fpm/templates/main.yml b/roles/php-fpm/templates/main.yml new file mode 100644 index 0000000..23080b5 --- /dev/null +++ b/roles/php-fpm/templates/main.yml 
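Review bot: `shell: /bin/bash /root/generate.sh >> generate-log.txt` runs on every play, regenerating the CA and both peer keys and overwriting the previous ones, after which the certificates already pushed to r-vp2 no longer chain to the new CA. Guard it with `args: creates: /etc/ipsec.d/cacerts/strongswanCert.pem` (and the recupKey.sh step similarly), and give the log an absolute path since the shell module's working directory is not `/etc/ipsec.d`. The same "copy without applying" pattern for sysctl.conf noted at L641 applies here too.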
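Review bot: The task installs the unversioned `php-fpm` meta-package but notifies `restart php7.0-fpm`, a service name that exists only on the release where PHP 7.0 is the default; on any other Debian the handler will fail at the end of the play. Either pin the package (`- php7.0-fpm`) to match the handler, or derive the service name from the installed version. The pool file under templates/ is also never deployed by these tasks, so the `[wordpress]` pool at L657 is not in effect.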
@@ -0,0 +1,15 @@ +[wordpress] +listen = /var/run/php-fpm/wordpress.sock +listen.owner = apache2 +listen.group = apache2 +listen.mode = 0660 +user = wordpress +group = wordpress +pm = dynamic +pm.max_children = 10 +pm.start_servers = 1 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +pm.max_requests = 500 +chdir = /srv/wordpress/ +php_admin_value[open_basedir] = /srv/wordpress/:/tmp diff --git a/roles/post/README.md b/roles/post/README.md new file mode 100644 index 0000000..c00ce24 --- /dev/null +++ b/roles/post/README.md @@ -0,0 +1,7 @@ +# Rôle Post + +Le rôle "post" copie la configuration des interfaces des cartes réseaux nécessaires selon la machine sur laquelle on exécute le rôle. Il place cette configuration dans /etc/network/interfaces. + +Ensuite, on copie le fichier "resolv.conf" dans /etc/ lorsque que la machine qui exécute le rôle n'est pas "s-adm", "s-proxy" ou "r-vp2". + +Cependant, si la machine qui exécute le rôle est "s-proxy", on copie le fichier "resolv.conf.s-proxy" dans /etc/resolv.conf \ No newline at end of file diff --git a/roles/post/files/interfaces.graylog-pont b/roles/post/files/interfaces.graylog-pont new file mode 100644 index 0000000..db5ebd9 --- /dev/null +++ b/roles/post/files/interfaces.graylog-pont @@ -0,0 +1,12 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# Accès par pont +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.0.50 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.r-ext b/roles/post/files/interfaces.r-ext new file mode 100644 index 0000000..f67ad75 --- /dev/null +++ b/roles/post/files/interfaces.r-ext 
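Review bot: `listen.owner = apache2` / `listen.group = apache2` name a user that does not exist on Debian, where Apache runs as `www-data`; php-fpm will fail to chown the socket, or Apache will be unable to connect to it. The pool also runs as `user = wordpress` with `chdir = /srv/wordpress/`, while nothing in this commit creates that account or installs WordPress under /srv (the wordpress role at L648 unpacks into /var/www/html). Use `listen.owner = www-data` and `listen.group = www-data` and align the pool user and path with the actual deployment.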
@@ -0,0 +1,38 @@
+### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100)
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# carte reseau admin
+allow-hotplug enp0s3
+iface enp0s3 inet static
+ address 192.168.99.13
+ netmask 255.255.255.0
+
+# Réseau DMZ
+allow-hotplug enp0s8
+iface enp0s8 inet static
+ address 192.168.100.254
+ netmask 255.255.255.0
+
+# carte en bridge
+allow-hotplug enp0s9
+iface enp0s9 inet dhcp
+ up /root/nat.sh
+
+# Réseau VPN
+allow-hotplug enp0s10
+iface enp0s10 inet static
+ address 192.168.1.1
+ netmask 255.255.255.0
+ up ip route add 172.16.128.0/24 via 192.168.1.2
+
+
+# Réseau liaison entre routeur
+allow-hotplug enp0s16
+iface enp0s16 inet static
+ address 192.168.200.253
+ netmask 255.255.255.0
+ up ip route add 172.16.0.0/24 via 192.168.200.254
+ up ip route add 172.16.64.0/24 via 192.168.200.254
diff --git a/roles/post/files/interfaces.r-int b/roles/post/files/interfaces.r-int
new file mode 100644
index 0000000..8398171
--- /dev/null
+++ b/roles/post/files/interfaces.r-int
@@ -0,0 +1,44 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# Reseau N-adm
+allow-hotplug enp0s3
+iface enp0s3 inet static
+ address 192.168.99.12
+ netmask 255.255.255.0
+
+
+# Reseau liaison avec r-ext
+allow-hotplug enp0s8
+iface enp0s8 inet static
+ address 192.168.200.254
+ netmask 255.255.255.0
+ gateway 192.168.200.253
+ up ip route add default via 192.168.200.253
+
+
+# Reseau wifi
+allow-hotplug enp0s9
+iface enp0s9 inet static
+ address 172.16.65.254
+ netmask 255.255.255.0
+
+
+# Reseau user
+allow-hotplug enp0s10
+iface enp0s10 inet static
+ address 172.16.64.254
+ netmask 255.255.255.0
+
+
+# Reseau infra
+allow-hotplug enp0s16
+iface enp0s16 inet static
+ address 172.16.0.254
+ netmask 255.255.255.0
+ up /root/routagenat
+
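Review bot: On enp0s8, `gateway 192.168.200.253` and `up ip route add default via 192.168.200.253` install the same default route twice; ifupdown adds the route from the `gateway` keyword before running `up` commands, so the second add fails with "File exists" and ifup reports enp0s8 as failed even though it is configured. Dropping the `up` line is enough. The same duplicate-default pattern appears in interfaces.s-mon3 (two `up route add default gw` lines on enp0s8) and interfaces.s-test (a `gateway` on both enp0s3 and enp0s8), where only the first default route can win and the other ifup errors out.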
diff --git a/roles/post/files/interfaces.r-vp1 b/roles/post/files/interfaces.r-vp1 new file mode 100755 index 0000000..ddb2fd1 --- /dev/null +++ b/roles/post/files/interfaces.r-vp1 @@ -0,0 +1,31 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). +# The loopback network interface +#auto lo +#iface lo inet loopback + +#cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.112 + netmask 255.255.255.0 + +# réseaux interne n-linkv +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.1.2 + netmask 255.255.255.0 + +# accés par pont et entre vpn +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.0.51 + netmask 255.255.255.0 + up ip route add 192.168.200.0/24 via 192.168.1.1 + up ip route add 172.16.0.0/24 via 192.168.1.1 +# up ip route add 192.168.0.0/24 via 192.168.0.51 +# up ip route add 192.168.1.0/24 via 192.168.1.2 +# up route add -net 172.16.128.0/24 gw 192.168.0.52 +# up route add default gw 192.168.1.1 +# post-up /bin/bash /root/iptables-vpn +# post-up /etc/init.d/ipsec restart diff --git a/roles/post/files/interfaces.r-vp1-cs b/roles/post/files/interfaces.r-vp1-cs new file mode 100644 index 0000000..4a3abe3 --- /dev/null +++ b/roles/post/files/interfaces.r-vp1-cs 
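Review bot: The loopback stanza is commented out (`#auto lo` / `#iface lo inet loopback`), so ifupdown never configures `lo` on this router; on a systemd host PID 1 brings the loopback up anyway, but on sysvinit or a rescue boot local services such as the IPsec daemon lose 127.0.0.1, and nothing visible here justifies disabling it. The same commented loopback is in interfaces.r-vp1-cs, interfaces.r-vp2 and interfaces.r-vp2-cs. Separately, the two `up ip route add ... via 192.168.1.1` commands hang off enp0s9 (192.168.0.51) while the next hop 192.168.1.1 is on enp0s8; with `allow-hotplug` there is no ordering guarantee between the two interfaces, so if enp0s9 comes up first the route add fails and enp0s9 is reported as failed. Attaching the routes to enp0s8 removes the race; interfaces.s-graylog and interfaces.s-mon-gm/-kb/-yb have the same shape, with `up route add default gw 192.168.99.99` attached to the N-infra interface although the gateway sits on the N-adm one.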
@@ -0,0 +1,26 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +#auto lo +#iface lo inet loopback + +#cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + +# reseau entre vpn +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.0.51 + netmask 255.255.255.0 + +# reseau interne n-linkv +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.1.2 + netmask 255.255.255.0 + up route add -net 172.16.128.0/24 gw 192.168.1.2 + up route add default gw 192.168.1.1 +# post-up /bin/bash /root/iptables-vpn + post-up /etc/init.d/ipsec restart \ No newline at end of file diff --git a/roles/post/files/interfaces.r-vp2 b/roles/post/files/interfaces.r-vp2 new file mode 100644 index 0000000..68bdfb8 --- /dev/null +++ b/roles/post/files/interfaces.r-vp2 @@ -0,0 +1,29 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). +# The loopback network interface +#auto lo +#iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.102 + netmask 255.255.255.0 + +# cote Agence +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.128.254 + netmask 255.255.255.0 + +# cote VPN +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.0.52 + netmask 255.255.255.0 +# post-up /usr/sbin/ip route add 192.168.1.0/24 via 172.16.128.254/24 +# post-up /usr/sbin/ip route add 172.16.0.0/24 via 172.16.128.254/24 + +# up route add -net 192.168.1.0/24 gw 192.168.0.52 +# post-up /bin/bash /root/iptables-vpn +# post-up /etc/init.d/ipsec restart diff --git a/roles/post/files/interfaces.r-vp2-cs b/roles/post/files/interfaces.r-vp2-cs new file mode 100644 index 0000000..d5f8539 --- /dev/null +++ b/roles/post/files/interfaces.r-vp2-cs 
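Review bot: `up route add -net 172.16.128.0/24 gw 192.168.1.2` uses enp0s9's own address as the gateway, so the route to the agency network points back at the host itself and traffic for 172.16.128.0/24 never leaves through the tunnel; presumably the intended next hop is the IPsec peer, or the route should be left to the IPsec policy entirely. interfaces.r-vp2-cs has the mirror-image line `up route add -net 192.168.1.0/24 gw 172.16.128.254`, again its own enp0s8 address. `post-up /etc/init.d/ipsec restart` also tears down every security association on each hotplug event of this interface; if the intent is only to pick up the peer configuration once the link is up, reloading rather than restarting, or leaving start-up to the service unit, is less disruptive.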
@@ -0,0 +1,25 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +#auto lo +#iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + +# cote Agence +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.128.254 + netmask 255.255.255.0 + +# cote VPN +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.0.52 + netmask 255.255.255.0 + up route add -net 192.168.1.0/24 gw 172.16.128.254 +# post-up /bin/bash /root/iptables-vpn + post-up /etc/init.d/ipsec restart \ No newline at end of file diff --git a/roles/post/files/interfaces.s-adm b/roles/post/files/interfaces.s-adm new file mode 100644 index 0000000..6d8d72c --- /dev/null +++ b/roles/post/files/interfaces.s-adm @@ -0,0 +1,20 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote public +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + post-up iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE + post-up echo "1" > /proc/sys/net/ipv4/ip_forward + +# cote N-adm +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.99.99 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-agence b/roles/post/files/interfaces.s-agence new file mode 100644 index 0000000..be903f4 --- /dev/null +++ b/roles/post/files/interfaces.s-agence @@ -0,0 +1,14 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-ag +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + +allow-hotplug enp0s8 +iface enp0s8 inet dhcp + 
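Review bot: `post-up iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE` appends a fresh rule every time enp0s3 is brought up, so repeated ifup/hotplug cycles accumulate duplicate MASQUERADE entries; `post-up iptables -t nat -C POSTROUTING -o enp0s3 -j MASQUERADE || iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE` keeps it to one. With ip_forward enabled here and no FORWARD rules in this file, s-adm relays anything that reaches it from 192.168.99.0/24 out of the public interface; if a filter policy lives in another role it should be referenced from here, otherwise a default-drop FORWARD policy with an explicit allow for the admin network is warranted on a host that is the internet path for the admin LAN. Writing `1` into `/proc/sys/net/ipv4/ip_forward` in a post-up also ties forwarding to this interface's lifecycle; `sysctl -w net.ipv4.ip_forward=1` or a sysctl.conf entry is the conventional form.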
diff --git a/roles/post/files/interfaces.s-appli b/roles/post/files/interfaces.s-appli new file mode 100644 index 0000000..c52d5b0 --- /dev/null +++ b/roles/post/files/interfaces.s-appli @@ -0,0 +1,27 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.3 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.3 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + +#cote N-san +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.20.103 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-backup b/roles/post/files/interfaces.s-backup new file mode 100644 index 0000000..120ad6b --- /dev/null +++ b/roles/post/files/interfaces.s-backup @@ -0,0 +1,25 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.4 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.4 + netmask 255.255.255.0 + +# cote N-San +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.20.4 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-bdd b/roles/post/files/interfaces.s-bdd new file mode 100644 index 0000000..a8cb4f6 --- /dev/null +++ b/roles/post/files/interfaces.s-bdd 
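Review bot: The only `gateway` on this host is `192.168.99.99` on the N-adm interface, so all of s-appli's off-subnet traffic, Internet-bound included, transits the administration network and is NATed by s-adm instead of going through r-int on N-infra; the same choice is made in interfaces.s-backup, s-docker, s-elk, s-fog, s-gestsup, s-itil, s-mess, s-nxc, s-san, s-test and s-infra. If N-adm is meant to be an out-of-band management network, the default route belongs on the N-infra side (`gateway 172.16.0.254` on enp0s8, as interfaces.s-proxy, s-sspec and s-mon2 do) and the N-adm interface should carry only its connected route. If the admin network is deliberately the egress path, a comment saying so in these files would stop the next reader from "fixing" it.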
@@ -0,0 +1,21 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.154 + netmask 255.255.255.0 + + +# cote N-dmz-db +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.102.254 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-docker b/roles/post/files/interfaces.s-docker new file mode 100644 index 0000000..150189a --- /dev/null +++ b/roles/post/files/interfaces.s-docker @@ -0,0 +1,20 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.19 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.19 + netmask 255.255.255.0 \ No newline at end of file diff --git a/roles/post/files/interfaces.s-elk b/roles/post/files/interfaces.s-elk new file mode 100644 index 0000000..2dfa1cd --- /dev/null +++ b/roles/post/files/interfaces.s-elk @@ -0,0 +1,20 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.10 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.10 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 diff --git a/roles/post/files/interfaces.s-fog b/roles/post/files/interfaces.s-fog new file mode 100644 index 0000000..1f51117 
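Review bot: `iface enp0s3 inet dhcp` is followed by `address 192.168.99.154` / `netmask 255.255.255.0`, which the dhcp method ignores, so this host's N-adm address is whatever the DHCP server hands out and the two lines are dead; either change the method to `static` or delete them. interfaces.s-lb-wordpress, -wordpress2 and -wordpress3 have the same dhcp-plus-address stanza on enp0s3. Every address here (192.168.99.154 and 192.168.102.254) is also identical to interfaces.s-lb-bd, so deploying both hosts would produce an address conflict on both networks; one of the two files is presumably a superseded copy and should say so or go.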
--- /dev/null +++ b/roles/post/files/interfaces.s-fog @@ -0,0 +1,26 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.16 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.16 + netmask 255.255.255.0 + +#cote N-user +allow-hotplug enp0s9 +iface enp0s9 inet static + address 172.16.64.16 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-gestsup b/roles/post/files/interfaces.s-gestsup new file mode 100644 index 0000000..9e128c7 --- /dev/null +++ b/roles/post/files/interfaces.s-gestsup @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.17 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.17 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-graylog b/roles/post/files/interfaces.s-graylog new file mode 100644 index 0000000..8ff1151 --- /dev/null +++ b/roles/post/files/interfaces.s-graylog 
@@ -0,0 +1,21 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.20 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.20 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-infra b/roles/post/files/interfaces.s-infra new file mode 100644 index 0000000..6cbf9c1 --- /dev/null +++ b/roles/post/files/interfaces.s-infra @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.1 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.1 + netmask 255.255.255.0 + up ip route add 172.16.64.0/24 via 172.16.0.254 + up ip route add 172.16.128.0/24 via 172.16.0.254 + up ip route add 192.168.0.0/16 via 172.16.0.254 + diff --git a/roles/post/files/interfaces.s-itil b/roles/post/files/interfaces.s-itil new file mode 100644 index 0000000..55c474d --- /dev/null +++ b/roles/post/files/interfaces.s-itil 
@@ -0,0 +1,20 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.9 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.9 + netmask 255.255.255.0 + up ip route add 172.16.64.0/24 via 172.16.0.254 diff --git a/roles/post/files/interfaces.s-itil-cs b/roles/post/files/interfaces.s-itil-cs new file mode 100644 index 0000000..e2b1200 --- /dev/null +++ b/roles/post/files/interfaces.s-itil-cs @@ -0,0 +1,24 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.9 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.9 + netmask 255.255.255.0 +# routage statique + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + +allow-hotplug enp0s9 +iface enp0s9 inet dhcp \ No newline at end of file diff --git a/roles/post/files/interfaces.s-lb b/roles/post/files/interfaces.s-lb new file mode 100644 index 0000000..d7bdea3 --- /dev/null +++ b/roles/post/files/interfaces.s-lb 
@@ -0,0 +1,27 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.100 + netmask 255.255.255.0 + +# cote N-dmz +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.100.10 + netmask 255.255.255.0 + gateway 192.168.100.254 + up ip route add 192.168.200.0/24 via 192.168.100.254 + up ip route add 172.16.0.0/24 via 192.168.100.254 + +# cote N-dmz-lb +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.101.100 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-lb-bd b/roles/post/files/interfaces.s-lb-bd new file mode 100644 index 0000000..1ddd2b6 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-bd @@ -0,0 +1,21 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.154 + netmask 255.255.255.0 + + +# cote N-dmz-db +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.102.254 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-lb-web1 b/roles/post/files/interfaces.s-lb-web1 new file mode 100644 index 0000000..fc76724 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-web1 
@@ -0,0 +1,27 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.101 + netmask 255.255.255.0 + +# Réseau n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.1 + netmask 255.255.255.0 + +# réseau n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.1 + netmask 255.255.255.0 + + + + diff --git a/roles/post/files/interfaces.s-lb-web2 b/roles/post/files/interfaces.s-lb-web2 new file mode 100644 index 0000000..53defed --- /dev/null +++ b/roles/post/files/interfaces.s-lb-web2 @@ -0,0 +1,25 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.102 + netmask 255.255.255.0 + +# n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.2 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.2 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-lb-web3 b/roles/post/files/interfaces.s-lb-web3 new file mode 100644 index 0000000..656d503 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-web3 @@ -0,0 +1,25 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.103 + netmask 255.255.255.0 + +# n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.3 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.3 + netmask 255.255.255.0 + + diff --git a/roles/post/files/interfaces.s-lb-wordpress b/roles/post/files/interfaces.s-lb-wordpress new file mode 100644 index 0000000..6c41c2a 
--- /dev/null +++ b/roles/post/files/interfaces.s-lb-wordpress @@ -0,0 +1,39 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte reseau admin +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.11 + netmask 255.255.255.0 + +# Réseau N-lb-f +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.1 + netmask 255.255.255.0 + +# réseau N-lb-b +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.1 + netmask 255.255.255.0 +# up /root/nat.sh + +# Réseau VPN +#allow-hotplug enp0s10 +#iface enp0s10 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 + + + +# Réseau liaison entre routeur +#allow-hotplug enp0s16 +#iface enp0s16 inet static +# address 192.168.200.253 +# netmask 255.255.255.0 + diff --git a/roles/post/files/interfaces.s-lb-wordpress2 b/roles/post/files/interfaces.s-lb-wordpress2 new file mode 100644 index 0000000..8667576 --- /dev/null +++ b/roles/post/files/interfaces.s-lb-wordpress2 @@ -0,0 +1,39 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte reseau admin +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.12 + netmask 255.255.255.0 + +# Réseau N-lb-f +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.2 + netmask 255.255.255.0 + +# réseau N-lb-b +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.2 + netmask 255.255.255.0 +# up /root/nat.sh + +# Réseau VPN +#allow-hotplug enp0s10 +#iface enp0s10 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 + + + +# Réseau liaison entre routeur +#allow-hotplug enp0s16 +#iface enp0s16 inet static +# address 192.168.200.253 +# netmask 255.255.255.0 + diff --git a/roles/post/files/interfaces.s-lb-wordpress3 b/roles/post/files/interfaces.s-lb-wordpress3 new file mode 100644 index 0000000..1947d94 --- /dev/null 
+++ b/roles/post/files/interfaces.s-lb-wordpress3 @@ -0,0 +1,39 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte reseau admin +allow-hotplug enp0s3 +iface enp0s3 inet dhcp + address 192.168.99.13 + netmask 255.255.255.0 + +# Réseau N-lb-f +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.3 + netmask 255.255.255.0 + +# réseau N-lb-b +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.3 + netmask 255.255.255.0 +# up /root/nat.sh + +# Réseau VPN +#allow-hotplug enp0s10 +#iface enp0s10 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 + + + +# Réseau liaison entre routeur +#allow-hotplug enp0s16 +#iface enp0s16 inet static +# address 192.168.200.253 +# netmask 255.255.255.0 + diff --git a/roles/post/files/interfaces.s-mess b/roles/post/files/interfaces.s-mess new file mode 100644 index 0000000..9eff04c --- /dev/null +++ b/roles/post/files/interfaces.s-mess @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.7 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.7 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-mon b/roles/post/files/interfaces.s-mon new file mode 100644 index 0000000..09035d9 --- /dev/null +++ b/roles/post/files/interfaces.s-mon 
@@ -0,0 +1,23 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.104/24 + gateway 192.168.99.99 + +# Cote n-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8/24 + up ip route add 172.16.64.0/24 via 172.16.0.254 + up ip route add 172.16.128.0/24 via 172.16.0.254 + up ip route add 192.168.0.0/16 via 172.16.0.254 + up ip route add 192.168.200.0/24 via 172.16.0.254 \ No newline at end of file diff --git a/roles/post/files/interfaces.s-mon-gm b/roles/post/files/interfaces.s-mon-gm new file mode 100644 index 0000000..a0a172b --- /dev/null +++ b/roles/post/files/interfaces.s-mon-gm @@ -0,0 +1,22 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add -net 192.168.100.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-mon-kb b/roles/post/files/interfaces.s-mon-kb new file mode 100644 index 0000000..a0a172b --- /dev/null +++ b/roles/post/files/interfaces.s-mon-kb 
@@ -0,0 +1,22 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add -net 192.168.100.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-mon-yb b/roles/post/files/interfaces.s-mon-yb new file mode 100644 index 0000000..8e67e37 --- /dev/null +++ b/roles/post/files/interfaces.s-mon-yb @@ -0,0 +1,22 @@ +#This file describes the network interfaces available on your system +#and how to activate them. For more information, see interfaces(5). + +#The loopback network interface +auto lo +iface lo inet loopback + +#cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +#cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add -net 192.168.200.0/24 gw 172.16.0.254 + up route add -net 192.168.100.0/24 gw 172.16.0.254 + up route add default gw 192.168.99.99 diff --git a/roles/post/files/interfaces.s-mon2 b/roles/post/files/interfaces.s-mon2 new file mode 100644 index 0000000..ef79346 --- /dev/null +++ b/roles/post/files/interfaces.s-mon2 
@@ -0,0 +1,21 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + gateway 172.16.0.254 + diff --git a/roles/post/files/interfaces.s-mon3 b/roles/post/files/interfaces.s-mon3 new file mode 100644 index 0000000..4ab3b9b --- /dev/null +++ b/roles/post/files/interfaces.s-mon3 @@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.8 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.8 + netmask 255.255.255.0 + up route add default gw 172.16.0.254 + up route add default gw 192.168.99.99 + +# bridge +iface enp0s9 inet dhcp \ No newline at end of file diff --git a/roles/post/files/interfaces.s-nas b/roles/post/files/interfaces.s-nas new file mode 100644 index 0000000..94c3eaf --- /dev/null +++ b/roles/post/files/interfaces.s-nas @@ -0,0 +1,17 @@ +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.153 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.102.253 + netmask 255.255.255.0 \ No newline at end of file diff --git a/roles/post/files/interfaces.s-nxc b/roles/post/files/interfaces.s-nxc new file mode 100644 index 0000000..9eff04c --- /dev/null +++ b/roles/post/files/interfaces.s-nxc 
@@ -0,0 +1,24 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.7 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.7 + netmask 255.255.255.0 + post-up route add -net 172.16.64.0/24 gw 172.16.0.254 + post-up route add -net 172.16.65.0/24 gw 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-proxy b/roles/post/files/interfaces.s-proxy new file mode 100644 index 0000000..850da12 --- /dev/null +++ b/roles/post/files/interfaces.s-proxy @@ -0,0 +1,22 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.2 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.2 + netmask 255.255.255.0 + gateway 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-san b/roles/post/files/interfaces.s-san new file mode 100644 index 0000000..ff01320 --- /dev/null +++ b/roles/post/files/interfaces.s-san 
@@ -0,0 +1,25 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.15 + netmask 255.255.255.0 + gateway 192.168.99.99 + +# cote S-appli +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.20.103 + netmask 255.255.255.0 + +# cote s-Backup +#allow-hotplug enp0s9 +#iface enp0s9 inet static +# address 192.168.20.104 +# netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-sspec b/roles/post/files/interfaces.s-sspec new file mode 100644 index 0000000..03d8686 --- /dev/null +++ b/roles/post/files/interfaces.s-sspec @@ -0,0 +1,22 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote N-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.10 + netmask 255.255.255.0 + + +# cote N-infra +allow-hotplug enp0s8 +iface enp0s8 inet static + address 172.16.0.10 + netmask 255.255.255.0 + gateway 172.16.0.254 + + diff --git a/roles/post/files/interfaces.s-test b/roles/post/files/interfaces.s-test new file mode 100644 index 0000000..d1005fd --- /dev/null +++ b/roles/post/files/interfaces.s-test @@ -0,0 +1,21 @@ +#This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.18 + netmask 255.255.255.0 + gateway 192.168.99.99 + + +# cote n-dmz +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.100.150 + netmask 255.255.255.0 + gateway 192.168.100.254 
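Review bot: interfaces.s-test declares `gateway 192.168.99.99` on enp0s3 and `gateway 192.168.100.254` on enp0s8; ifupdown turns each into a default-route insertion, so the second interface to come up fails with an existing-route error and the host ends up with whichever gateway won the race. Keep the `gateway` keyword on one interface only and express the other path as a `post-up ip route add <prefix> via 192.168.100.254` for the networks behind it, as interfaces.s-nxc on this page already does with its `post-up route add -net` lines.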
diff --git a/roles/post/files/interfaces.s-web b/roles/post/files/interfaces.s-web new file mode 100644 index 0000000..9c82c9a --- /dev/null +++ b/roles/post/files/interfaces.s-web @@ -0,0 +1,20 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + + + +# cote N-dmz +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.100.11 + netmask 255.255.255.0 + +# cote N-adm +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.99.14 + netmask 255.255.255.0 diff --git a/roles/post/files/interfaces.s-web1 b/roles/post/files/interfaces.s-web1 new file mode 100644 index 0000000..fc76724 --- /dev/null +++ b/roles/post/files/interfaces.s-web1 @@ -0,0 +1,27 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.101 + netmask 255.255.255.0 + +# Réseau n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.1 + netmask 255.255.255.0 + +# réseau n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.1 + netmask 255.255.255.0 + + + + diff --git a/roles/post/files/interfaces.s-web2 b/roles/post/files/interfaces.s-web2 new file mode 100644 index 0000000..53defed --- /dev/null +++ b/roles/post/files/interfaces.s-web2 @@ -0,0 +1,25 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.102 + netmask 255.255.255.0 + +# n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.2 + netmask 255.255.255.0 + +# n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.2 + netmask 255.255.255.0 + + 
diff --git a/roles/post/files/interfaces.s-web3 b/roles/post/files/interfaces.s-web3 new file mode 100644 index 0000000..fb242ac --- /dev/null +++ b/roles/post/files/interfaces.s-web3 @@ -0,0 +1,27 @@ +### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100) + +# The loopback network interface +auto lo +iface lo inet loopback + +# carte n-adm +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.99.103 + netmask 255.255.255.0 + +# Réseau n-dmz-lb +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.101.3 + netmask 255.255.255.0 + +# réseau n-dmz-db +allow-hotplug enp0s9 +iface enp0s9 inet static + address 192.168.102.3 + netmask 255.255.255.0 + + + + diff --git a/roles/post/files/interfaces.user-yb b/roles/post/files/interfaces.user-yb new file mode 100644 index 0000000..c52ea13 --- /dev/null +++ b/roles/post/files/interfaces.user-yb @@ -0,0 +1,23 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# cote n-dmz +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.100.20/24 + +# cote N-adm +allow-hotplug enp0s8 +iface enp0s8 inet static + address 192.168.99.20 + netmask 255.255.255.0 + +# cote N-infra +allow-hotplug enp0s9 +iface enp0s9 inet static + address 172.16.0.20 + netmask 255.255.255.0 \ No newline at end of file diff --git a/roles/post/files/resolv.conf b/roles/post/files/resolv.conf new file mode 100644 index 0000000..ae3fdec --- /dev/null +++ b/roles/post/files/resolv.conf @@ -0,0 +1,4 @@ +search gsb.lan +domain gsb.lan +nameserver 172.16.0.1 + diff --git a/roles/post/files/resolv.conf.s-proxy b/roles/post/files/resolv.conf.s-proxy new file mode 100644 index 0000000..ae3fdec --- /dev/null +++ b/roles/post/files/resolv.conf.s-proxy @@ -0,0 +1,4 @@ +search gsb.lan +domain gsb.lan +nameserver 172.16.0.1 + 
diff --git a/roles/post/tasks/main.yml b/roles/post/tasks/main.yml new file mode 100644 index 0000000..ea88111 --- /dev/null +++ b/roles/post/tasks/main.yml @@ -0,0 +1,24 @@ +--- + + +- name: Copie interfaces + copy: src=interfaces.{{ ansible_hostname }} dest=/etc/network/interfaces + +- name: Copie resolv.conf + copy: src=resolv.conf dest=/etc/ + when: ansible_hostname != "s-adm" and ansible_hostname != "s-proxy" + +- name: pas de chgt resolv.conf pour r-vp2 + meta: end_play + when: ansible_hostname == "r-vp2" + +- name: Copie resolv.conf pour s-proxy + copy: src=resolv.conf.s-proxy dest=/etc/resolv.conf + when: ansible_hostname == "s-proxy" + +#- name: Confirm +# prompt: " pour redemarrer ..." + +#- name: Reboot +# shell: reboot + diff --git a/roles/postfix-gestsup/README.md b/roles/postfix-gestsup/README.md new file mode 100644 index 0000000..5c684e2 --- /dev/null +++ b/roles/postfix-gestsup/README.md @@ -0,0 +1,12 @@ +# PostFix + +On va désormais s'occuper de l'installation de PostFix qui permettra l'envoi de notifications lors de problèmes sur certains services des machines. + +On installe postfix et mailutils, on indique dans les différents fichiers de conf le mot de passe de l'adresse mail et l'adresse mail a qui envoyer les notifications. + +**ATTENTION: Il faut activer les applications moins sécurisées sur le compte gmail** + +Compte gmail pour les notifications: id: nagios.gsb22@gmail.com + mdp: Azerty1+ + +Suivre ce tuto: [Lien](https://vulgumtechus.com/Autoriser_les_applications_moins_s%C3%A9curis%C3%A9es_%C3%A0_acc%C3%A9der_%C3%A0_Gmail) \ No newline at end of file diff --git a/roles/postfix-gestsup/files/sasl_passwd b/roles/postfix-gestsup/files/sasl_passwd new file mode 100644 index 0000000..d0a5950 --- /dev/null +++ b/roles/postfix-gestsup/files/sasl_passwd @@ -0,0 +1,2 @@ +[smtp.gmail.com]:587 gsb.gestsup@gmail.com:GadminAzerty1++ +chmod 600 /etc/postfix/sasl/sasl_passwd 
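Review bot: The `meta: end_play` task meant to spare r-vp2 comes after "Copie resolv.conf", whose `when` only excludes s-adm and s-proxy, so resolv.conf has already been overwritten on r-vp2 by the time the play ends. If the intent is to leave r-vp2's resolver alone, extend the condition to `when: ansible_hostname not in ["s-adm", "s-proxy", "r-vp2"]` (or move the end_play task above the copy). The interfaces copy derives its `src` from `ansible_hostname`, so a host with no matching `interfaces.<name>` file fails there with a missing-source error; a short comment listing the expected hostnames, or a `with_first_found` fallback, would make that explicit.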
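Review bot: The second line of roles/postfix-gestsup/files/sasl_passwd, `chmod 600 /etc/postfix/sasl/sasl_passwd`, is a shell command inside a postmap lookup table; `postmap` stores it as a key named `chmod` rather than running it, so the permission tightening never happens, and since the copy task in roles/postfix-gestsup/tasks/main.yml sets no `mode`, the relay password lands readable by every local user. Remove that line and set `mode: '0600'` on the copy task (roles/postfix/files/sasl_passwd has the same stray line). The file also commits a live mail-account password to the repository, as do roles/postfix/files/sasl_passwd, roles/postfix-nd/files/sasl_passwd and the two postfix README.md files; those credentials should be rotated and injected via Ansible Vault or a lookup rather than stored in plain text.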
diff --git a/roles/postfix-gestsup/handlers/main.yml b/roles/postfix-gestsup/handlers/main.yml
new file mode 100644
index 0000000..f6ce8cc
--- /dev/null
+++ b/roles/postfix-gestsup/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+ - name: restart postfix
+ service:
+ name: postfix
+ state: restarted
+ enabled: yes
\ No newline at end of file
diff --git a/roles/postfix-gestsup/tasks/main.yml b/roles/postfix-gestsup/tasks/main.yml
new file mode 100644
index 0000000..e1c6fe8
--- /dev/null
+++ b/roles/postfix-gestsup/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: Installation de postfix et de mailutils
+ tags: install postfix
+ apt:
+ name:
+ - postfix
+ - mailutils
+ state: latest
+
+- name: Copie du fichier sasl_passwd
+ tags: sasl_passwd
+ copy:
+ src: sasl_passwd
+ dest: /etc/postfix/sasl/
+
+- name: Copie du fichier main.cf
+ tags: main.cf
+ template:
+ src: main.cf.j2
+ dest: /etc/postfix.main.cf
+
+- name: Commande postmap
+ tags: postmap
+ command: postmap /etc/postfix/sasl/sasl_passwd
+ notify: restart postfix
+
+- name: message d'information pour gmail
+ tags: msg2
+ debug: msg="Il faut activer les applications moins sécurisées sur le compte google"
\ No newline at end of file
diff --git a/roles/postfix-gestsup/templates/main.cf.j2 b/roles/postfix-gestsup/templates/main.cf.j2
new file mode 100644
index 0000000..a47b0cb
--- /dev/null
+++ b/roles/postfix-gestsup/templates/main.cf.j2
@@ -0,0 +1,10 @@
+#On active l'authentification SASL
+smtp_sasl_auth_enable=yes
+#Les méthodes pour l'authenfication anonyme
+smtp_sasl_security_options=noanonymous
+#Le chemin de sasl_passwd
+smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd
+#On active le cryptage STARTTLS
+smtp_tls_security_level=encrypt
+#Chemin des certificats CA
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificate.crt
diff --git a/roles/postfix-nd/files/main.cf b/roles/postfix-nd/files/main.cf
new file mode 100644
index 0000000..22d044b
--- /dev/null
+++ b/roles/postfix-nd/files/main.cf
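Review bot: `dest: /etc/postfix.main.cf` in the "Copie du fichier main.cf" task writes the template next to /etc/postfix instead of inside it, so none of the SASL/TLS settings in main.cf.j2 ever take effect and the following `postmap` and restart run against an untouched main.cf; the line should read `dest: /etc/postfix/main.cf`. Once the path is fixed the template appears to replace the whole main.cf with only the five SASL/TLS keys and no `relayhost`, so a `relayhost = [smtp.gmail.com]:587` line (as roles/postfix-nd/files/main.cf has) belongs in the template too. In the template, `smtp_tls_CAfile=/etc/ssl/certs/ca-certificate.crt` does not match the Debian bundle name `/etc/ssl/certs/ca-certificates.crt`; that is silent today because `smtp_tls_security_level=encrypt` does not verify the peer, but it breaks as soon as the level is raised to `secure`. roles/postfix/tasks/main.yml and roles/postfix/templates/main.cf.j2 are byte-identical copies (same blob ids e1c6fe8 and a47b0cb) and need the same changes.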
@@ -0,0 +1,49 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +mydomain = gsb.lan +myhostname = s-mon.gsb.lan +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = wheezy, localhost.localdomain, localhost +relayhost = [smtp.gmail.com]:587 +mynetworks = 172.16.0.0/24 +mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = loopback-only +default_transport = smtp +relay_transport = smtp + +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_sasl_security_options = noanonymous +smtp_tls_CAfile = /etc/postfix/cacert.pem +smtp_use_tls = yes + diff --git a/roles/postfix-nd/files/sasl_passwd b/roles/postfix-nd/files/sasl_passwd new file mode 100644 index 0000000..97c93d0 --- /dev/null +++ b/roles/postfix-nd/files/sasl_passwd @@ -0,0 +1 @@ +[smtp.gmail.com]:587 dahmouninabil21@gmail.com:POISSON21 \ No newline at end of file 
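Review bot: With `relayhost = [smtp.gmail.com]:587` and `smtp_sasl_auth_enable = yes`, `smtp_use_tls = yes` is the deprecated opportunistic setting (equivalent to `smtp_tls_security_level = may`), so if STARTTLS is unavailable or stripped Postfix still authenticates and sends the SASL password in clear; replace it with `smtp_tls_security_level = encrypt` (or `secure` together with a valid `smtp_tls_CAfile`). `smtp_tls_CAfile = /etc/postfix/cacert.pem` points at a file the role builds from a single vendor CA rather than the system bundle; `/etc/ssl/certs/ca-certificates.crt` from the ca-certificates package the role installs is the dependable choice. `mydestination = wheezy, localhost.localdomain, localhost` still names a host that is not `myhostname = s-mon.gsb.lan`, which looks like a leftover from an older machine.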
diff --git a/roles/postfix-nd/files/thawte_Premium_Server_CA.pem b/roles/postfix-nd/files/thawte_Premium_Server_CA.pem new file mode 100644 index 0000000..29cf7e1 --- /dev/null +++ b/roles/postfix-nd/files/thawte_Premium_Server_CA.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAp+gAwIBAgIQNhIilsXjOKUgodJfTNcJVDANBgkqhkiG9w0BAQUFADCB +zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ +Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE +CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh +d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl +cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIxMDEwMTIzNTk1OVow +gc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcT +CUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNV +BAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRo +YXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1z +ZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2 +aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560 +ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j ++ao6hnO2RlNYyIkFvYMRuHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/ +BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBlkKyID1bZ5jA01CbH0FDxkt5r1DmI +CSLGpmODA/eZd9iy5Ri4XWPz1HP7bJyZePFLeH0ZJMMrAoT4vCLZiiLXoPxx7JGH +IPG47LHlVYCsPVLIOQ7C8MAFT9aCdYy9X9LcdpoFEsmvcsPcJX6kTY4XpeCHf+Ga +WuFg3GQjPEIuTQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/roles/postfix-nd/handlers/main.yml b/roles/postfix-nd/handlers/main.yml new file mode 100644 index 0000000..6f511d5 --- /dev/null +++ b/roles/postfix-nd/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart postfix + service: name=postfix state=restarted diff --git a/roles/postfix-nd/tasks/main.yml b/roles/postfix-nd/tasks/main.yml new file mode 100644 index 0000000..c79ca11 --- /dev/null +++ b/roles/postfix-nd/tasks/main.yml 
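Review bot: The bundled thawte_Premium_Server_CA.pem encodes a validity window of 1996-08-01 to 2021-01-01 23:59:59 (the `MB4XDTk2MDgwMTAwMDAwMFoXDTIxMDEwMTIzNTk1OVow` bytes decode to those two UTCTime values), so at this commit's date it is an expired root and, used as the only entry in /etc/postfix/cacert.pem, it cannot validate the relay's certificate chain. The failure is masked only because main.cf uses opportunistic `smtp_use_tls = yes`, which never verifies the peer. Drop the vendored PEM and point `smtp_tls_CAfile` at `/etc/ssl/certs/ca-certificates.crt`, which the ca-certificates task in roles/postfix-nd/tasks/main.yml already provides and keeps current.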
@@ -0,0 +1,36 @@ +--- +- name: Installation Postfix + apt: name=postfix state=present + +- name: Installation mailutils + apt: name=mailutils state=present + +- name: Installation libsasl2-2 + apt: name=libsasl2-2 state=present + +- name: Installation ca-certificates + apt: name=ca-certificates state=present + +- name: Installation libsasl2-modules + apt: name=libsasl2-modules state=present + +- name: Copie main.cf + copy: remote_src=true src=main.cf dest=/etc/postfix/ + +- name: Copie sasl_passwd + copy: remote_src=true src=sasl_passwd dest=/etc/postfix + +- name: attribution des droits sasl_passwd + shell: chmod 400 /etc/postfix/sasl_passwd + +- name: postmap + shell: postmap /etc/postfix/sasl_passwd + +- name: Copie thawte_Premium_Server_CA.pem + copy: remote_src=true src=thawte_Premium_Server_CA.pem dest=/etc/ssl/certs/ + +- name: Certificats + shell: cat /etc/ssl/certs/thawte_Premium_Server_CA.pem |tee -a /etc/postfix/cacert.pem + notify: + - restart postfix + diff --git a/roles/postfix/README.md b/roles/postfix/README.md new file mode 100644 index 0000000..5c684e2 --- /dev/null +++ b/roles/postfix/README.md @@ -0,0 +1,12 @@ +# PostFix + +On va désormais s'occuper de l'installation de PostFix qui permettra l'envoi de notifications lors de problèmes sur certains services des machines. + +On installe postfix et mailutils, on indique dans les différents fichiers de conf le mot de passe de l'adresse mail et l'adresse mail a qui envoyer les notifications. + +**ATTENTION: Il faut activer les applications moins sécurisées sur le compte gmail** + +Compte gmail pour les notifications: id: nagios.gsb22@gmail.com + mdp: Azerty1+ + +Suivre ce tuto: [Lien](https://vulgumtechus.com/Autoriser_les_applications_moins_s%C3%A9curis%C3%A9es_%C3%A0_acc%C3%A9der_%C3%A0_Gmail) \ No newline at end of file diff --git a/roles/postfix/files/sasl_passwd b/roles/postfix/files/sasl_passwd new file mode 100644 index 0000000..861c6a3 --- /dev/null +++ b/roles/postfix/files/sasl_passwd 
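Review bot: All three `copy` tasks pass `remote_src=true`, which tells Ansible to look for `main.cf`, `sasl_passwd` and `thawte_Premium_Server_CA.pem` on the managed host rather than in this role's files/ directory, so the files added by this commit are never deployed and the play fails at "Copie main.cf" with a missing source. Drop `remote_src=true` on each, and fold the separate `shell: chmod 400 /etc/postfix/sasl_passwd` into the copy as `copy: src=sasl_passwd dest=/etc/postfix/ mode=0400` so the password is never readable between the two tasks. The `cat ... | tee -a /etc/postfix/cacert.pem` task appends the certificate on every run, so cacert.pem accumulates duplicates; copying the PEM directly to /etc/postfix/cacert.pem (and notifying the handler from that task) is idempotent.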
@@ -0,0 +1,2 @@ +[smtp.gmail.com]:587 nagios.gsb22@gmail.com:Azerty1+ +chmod 600 /etc/postfix/sasl_passwd diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..f6ce8cc --- /dev/null +++ b/roles/postfix/handlers/main.yml @@ -0,0 +1,6 @@ +--- + - name: restart postfix + service: + name: postfix + state: restarted + enabled: yes \ No newline at end of file diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml new file mode 100644 index 0000000..e1c6fe8 --- /dev/null +++ b/roles/postfix/tasks/main.yml @@ -0,0 +1,28 @@ +- name: Installation de postfix et de mailutils + tags: install postfix + apt: + name: + - postfix + - mailutils + state: latest + +- name: Copie du fichier sasl_passwd + tags: sasl_passwd + copy: + src: sasl_passwd + dest: /etc/postfix/sasl/ + +- name: Copie du fichier main.cf + tags: main.cf + template: + src: main.cf.j2 + dest: /etc/postfix.main.cf + +- name: Commande postmap + tags: postmap + command: postmap /etc/postfix/sasl/sasl_passwd + notify: restart postfix + +- name: message d'information pour gmail + tags: msg2 + debug: msg="Il faut activer les applications moins sécurisées sur le compte google" \ No newline at end of file diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 new file mode 100644 index 0000000..a47b0cb --- /dev/null +++ b/roles/postfix/templates/main.cf.j2 @@ -0,0 +1,10 @@ +#On active l'authentification SASL +smtp_sasl_auth_enable=yes +#Les méthodes pour l'authenfication anonyme +smtp_sasl_security_options=noanonymous +#Le chemin de sasl_passwd +smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd +#On active le cryptage STARTTLS +smtp_tls_security_level=encrypt +#Chemin des certificats CA +smtp_tls_CAfile=/etc/ssl/certs/ca-certificate.crt diff --git a/roles/r-ext/files/ferm.conf b/roles/r-ext/files/ferm.conf new file mode 100644 index 0000000..52fe584 --- /dev/null +++ b/roles/r-ext/files/ferm.conf 
@@ -0,0 +1,113 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $DEV_ADM = enp0s3; +@def $DEV_DMZ = enp0s8; +@def $DEV_WORLD = enp0s9; +@def $DEV_VPN = enp0s10; +@def $DEV_LINK = enp0s16; + +@def $NET_ADM = 192.168.99.0/24; +@def $NET_DMZ = 192.168.100.0/24; +@def $NET_WORLD = 192.168.0.0/24; +@def $NET_LINKV = 192.168.1.0/30; +@def $NET_LINK = 192.168.200.0/24; + +# mon ip static +#@def $HOST_STATIC = +@include '/root/tools/ansible/gsb2022/roles/r-ext/files/mkferm |'; +#@def $HOST_PASSERELLEDMZ = 172.16.0.1; + +@def &FORWARD_TCP($proto, $port, $dest) = { + table filter chain FORWARD interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT; + table nat chain PREROUTING interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest; +} +#@def &FORWARD($proto, $port, $dest) = { +# table filter chain FORWARD interface $DEV_DMZ outerface $DEV_PRIVATE daddr $dest proto $proto dport $port ACCEPT; +# table nat chain PREROUTING interface $DEV_DMZ daddr $HOST_PASSERELLEDMZ proto $proto dport $port DNAT to $dest; +#} + +#&FORWARD(tcp, 3306, 10.0.0.2); +#&FORWARD_TCP(tcp, http, 192.168.100.254); +#&FORWARD_TCP(tcp, smtp, 192.168.1.3); + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local packet + interface lo ACCEPT; + + # respond to ping + proto icmp ACCEPT; + + # allow IPsec + interface ($DEV_LINK) { + proto udp dport 500 ACCEPT; + proto (esp ah) ACCEPT; + } + # allow SSH connections + interface ($DEV_ADM) { + proto tcp dport ssh ACCEPT; + } + # we provide DNS for the internal net + interface ($DEV_WORLD $DEV_DMZ) { + proto (udp tcp) dport domain ACCEPT; + proto (tcp) dport http ACCEPT; + } + + } + chain OUTPUT { + policy ACCEPT; + + # connection tracking + #mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } + chain FORWARD { + policy DROP; + + # connection 
tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # the DMZ may only access the internet + interface ($DEV_DMZ $DEV_LINK) { + outerface $DEV_WORLD ACCEPT; + # report failure gracefully + REJECT reject-with icmp-net-prohibited; + } + + interface ($DEV_WORLD) { + proto tcp dport http outerface $DEV_DMZ ACCEPT; + # report failure gracefully + REJECT reject-with icmp-net-prohibited; + } + } +} + +table nat { + chain POSTROUTING { + # masquerade private IP addresses + saddr ($NET_LINK) outerface $DEV_WORLD SNAT to $HOST_STATIC; + } +} + + + +# IPv6: +#domain ip6 { +# table filter { +# chain INPUT { +# policy ACCEPT; +# # ... +# } +# # ... +# } +#} diff --git a/roles/r-ext/files/ipFerm.sh b/roles/r-ext/files/ipFerm.sh new file mode 100755 index 0000000..ce4ce5d --- /dev/null +++ b/roles/r-ext/files/ipFerm.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +ip a show dev enp0s9|grep "inet "|cut -d/ -f1 | cut -dt -f2 diff --git a/roles/r-ext/files/mkferm b/roles/r-ext/files/mkferm new file mode 100755 index 0000000..6a69749 --- /dev/null +++ b/roles/r-ext/files/mkferm @@ -0,0 +1,7 @@ +#!/bin/bash +#IPADD=$(root/ipFerm.sh| tr -d '\n') +#MSG="@def $HOST_STATIC = $ +echo -n -E "@def \$HOST_STATIC =" +/root/tools/ansible/gsb2022/roles/r-ext/files/ipFerm.sh |tr -d '\n' +echo ";" + diff --git a/roles/r-ext/files/nat.sh b/roles/r-ext/files/nat.sh new file mode 100755 index 0000000..5a065ca --- /dev/null +++ b/roles/r-ext/files/nat.sh @@ -0,0 +1,4 @@ +#!/bin/bash +echo "1" > /proc/sys/net/ipv4/ip_forward +iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE +iptables -t nat -A POSTROUTING -o enp0s9 -j MASQUERADE \ No newline at end of file diff --git a/roles/r-ext/files/routagenat b/roles/r-ext/files/routagenat new file mode 100755 index 0000000..c58086c --- /dev/null +++ b/roles/r-ext/files/routagenat @@ -0,0 +1,3 @@ +#!/usr/bin/perl + +qx(route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.200.253); 
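Review bot: `@include '/root/tools/ansible/gsb2022/roles/r-ext/files/mkferm |';` makes the ruleset depend on executing a script at a hard-coded path inside the Ansible checkout on the router itself; roles/r-ext/tasks/main.yml copies ferm.conf and nat.sh but neither mkferm nor ipFerm.sh, so on a freshly provisioned r-ext the include fails, `$HOST_STATIC` is undefined and ferm rejects the whole file, leaving the host without the DROP policies. Install ipFerm.sh and mkferm to a fixed location with the role (e.g. /etc/ferm/) and point the @include there, or let Ansible render `@def $HOST_STATIC = {{ ansible_enp0s9.ipv4.address }};` through a template. ipFerm.sh itself, `ip a show dev enp0s9|grep "inet "|cut -d/ -f1 | cut -dt -f2`, keys on the letter t of "inet" to isolate the address and is fragile; `ip -4 -o addr show dev enp0s9 | awk '{print $4}' | cut -d/ -f1` is the usual form. Note also that the INPUT chain answers `proto icmp ACCEPT` for every ICMP type on every interface, including `$DEV_WORLD`; restricting it to echo-request (`proto icmp icmp-type echo-request ACCEPT`) is the conventional tightening.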
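Review bot: nat.sh masquerades everything leaving enp0s3 and enp0s9 with `iptables -t nat -A POSTROUTING ... -j MASQUERADE`, but in ferm.conf enp0s3 is `$DEV_ADM` (the 192.168.99.0/24 admin network), and ferm replaces the nat table when it loads with a single SNAT rule limited to `$NET_LINK`; whichever of the two runs last wins, and if nat.sh runs after ferm the admin network gets NATed and the source restriction of the SNAT rule is bypassed. Either express the second masquerade inside ferm.conf's `chain POSTROUTING` or remove nat.sh from the r-ext role (tasks/main.yml copies it to /root but never runs it, so today its only effect is to mislead the next operator). The script also appends rules unconditionally, so every manual run duplicates them.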
diff --git a/roles/r-ext/files/sysctl.conf b/roles/r-ext/files/sysctl.conf
new file mode 100644
index 0000000..b138754
--- /dev/null
+++ b/roles/r-ext/files/sysctl.conf
@@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/r-ext/tasks/main.yml b/roles/r-ext/tasks/main.yml new file mode 100644 index 0000000..6988cd7 --- /dev/null +++ b/roles/r-ext/tasks/main.yml @@ -0,0 +1,24 @@ +--- + +- name: Copie du fichier sysctl.conf + copy: + src: sysctl.conf + dest: /etc/ + +- name: copier le script de routage + copy: + src: nat.sh + dest: /root/ + mode: '0755' + +- name: installer ferm + apt: + name: ferm + state: present + update_cache: yes + +- name: copier le fichier ferm.conf + copy: + src: ferm.conf + dest: /etc/ferm/ + diff --git a/roles/r-int/files/routagenat b/roles/r-int/files/routagenat new file mode 100755 index 0000000..e1d2295 --- /dev/null +++ b/roles/r-int/files/routagenat @@ -0,0 +1,3 @@ +#!/bin/bash + +ip route add default via 192.168.200.253 diff --git a/roles/r-int/files/sysctl.conf b/roles/r-int/files/sysctl.conf new file mode 100644 index 0000000..b138754 --- /dev/null +++ b/roles/r-int/files/sysctl.conf 
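Review bot: This router-side sysctl.conf enables `net.ipv4.ip_forward=1` but leaves every anti-spoofing and redirect control commented out, which is the wrong combination for a perimeter host: once forwarding is on, `net.ipv4.conf.all.rp_filter=1`, `net.ipv4.conf.default.rp_filter=1`, `net.ipv4.conf.all.accept_redirects = 0` (plus the ipv6 twin), `net.ipv4.conf.all.accept_source_route = 0` and `net.ipv4.conf.all.log_martians = 1` are the lines to uncomment, and `net.ipv4.tcp_syncookies=1` costs nothing. roles/r-int/files/sysctl.conf is the identical blob (b138754) and the same applies there. The "we are not a router" comments above `send_redirects` and `accept_source_route` are now wrong for these two hosts and should be reworded so the next reader does not re-disable forwarding on that basis.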
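Review bot: roles/r-ext/tasks/main.yml copies sysctl.conf, nat.sh and ferm.conf but applies none of them: nothing runs `sysctl -p`, nat.sh is never executed, and the ferm.conf task has no `notify`, so the firewall keeps whatever ruleset was loaded at boot until the next reboot. Add a handler (`- name: restart ferm` / `service: name=ferm state=restarted`) notified by the ferm.conf task, and prefer the `sysctl` module (`sysctl: name=net.ipv4.ip_forward value='1' sysctl_set=yes state=present reload=yes`) over shipping the whole file. The mkferm and ipFerm.sh scripts that ferm.conf `@include`s are not copied by this role either, so the ferm restart would currently fail on a clean host.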
@@ -0,0 +1,60 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. 
+# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# diff --git a/roles/r-int/tasks/main.yml b/roles/r-int/tasks/main.yml new file mode 100644 index 0000000..01356a7 --- /dev/null +++ b/roles/r-int/tasks/main.yml @@ -0,0 +1,19 @@ +--- + +- name: Copie du fichier sysctl.conf + copy: src=sysctl.conf dest=/etc/ + +- name: copier le script de routage + copy: src=routagenat dest=/root/ + +- name: rendre executabe le script + shell: chmod +x /root/routagenat + + #- name: exectuer le script + # script: /root/routagenat + + #- name: copier fog server + #get_url: url="http://depl/gsbstore/fog_1.4.4.tar.gz" dest=/tmp/fog.tar.gz + + #- name: extraction fog.tar.gz + #unarchive: src=/tmp/fog.tar.gz dest=/var/www/ copy=no diff --git a/roles/s-lb-ab/README.md b/roles/s-lb-ab/README.md new file mode 100644 index 0000000..4b6a48a --- /dev/null +++ b/roles/s-lb-ab/README.md @@ -0,0 +1,4 @@ +##Installation du load-balancer + +Ce rôle sert à installer HAproxy et de mettre un fichier de configuration avec les serveur web à répartir. +Ce rôle est utilisé par s-lb diff --git a/roles/s-lb-ab/files/actu.sh b/roles/s-lb-ab/files/actu.sh new file mode 100755 index 0000000..c9b86ed --- /dev/null +++ b/roles/s-lb-ab/files/actu.sh @@ -0,0 +1,5 @@ +#!/bin/bash +while true +do +curl 192.168.100.10 +done diff --git a/roles/s-lb-ab/files/haproxy.cfg b/roles/s-lb-ab/files/haproxy.cfg new file mode 100644 index 0000000..3716966 --- /dev/null 
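Review bot: `shell: chmod +x /root/routagenat` duplicates what the `copy` task can do directly (`copy: src=routagenat dest=/root/ mode=0755`), and the commented-out "exectuer le script" task means the default route via 192.168.200.253 is never installed by the role, which is presumably why it was also pasted into the interfaces files. Either run the script with `command: /root/routagenat creates=...` guarded for idempotence, or better drop it and declare the route in interfaces.r-int so it survives reboot. The four commented fog tasks look like leftovers from another role and should be removed rather than carried along.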
+++ b/roles/s-lb-ab/files/haproxy.cfg @@ -0,0 +1,55 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +frontend proxypublic + bind 192.168.100.10:80 + default_backend fermeweb + +backend fermeweb + balance roundrobin + option httpclose + #option httpchk HEAD / HTTP/1.0 + server s-lb-web1 192.168.101.1:80 check + server s-lb-web2 192.168.101.2:80 check + server s-lb-web3 192.168.101.3:80 check + +listen stats + bind *:8080 + stats enable + stats uri /haproxy + stats auth admin:admin + + diff --git a/roles/s-lb-ab/handlers/main.yml b/roles/s-lb-ab/handlers/main.yml new file mode 100644 index 0000000..27f130b --- /dev/null +++ b/roles/s-lb-ab/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart haproxy + service: name=haproxy state=restarted diff --git a/roles/s-lb-ab/tasks/main.yml b/roles/s-lb-ab/tasks/main.yml new file mode 100644 index 0000000..83e62ee --- /dev/null 
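Review bot: `listen stats` binds `*:8080` on every address of the load balancer, including the 192.168.100.x side that the `proxypublic` frontend serves, and guards it with the default pair `stats auth admin:admin`; the stats page reveals backend names, addresses and health and should only be reachable from the admin network with a real credential. Bind it explicitly to the n-adm address (`bind <n-adm address of s-lb>:8080`, placeholder) or add an `acl` on the source plus `http-request deny if !admin_net`, and move the credential out of the repository. Minor: `ssl-default-bind-ciphers` still lists `ECDH+3DES:DH+3DES:RSA+3DES`; it is inert because no `ssl` bind exists, but trim it before TLS is enabled on the frontend.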
+++ b/roles/s-lb-ab/tasks/main.yml @@ -0,0 +1,29 @@ +--- +- name: Installation d'HAproxy + apt: + name: + - haproxy + state: present + +- name: Copie du fichier de configuration + copy: + src: haproxy.cfg + dest: /etc/haproxy/haproxy.cfg + notify: + - restart haproxy + +- name: + file: + path: /root/script + state: directory + +- name: Copie du fichier actu.sh + copy: + src: actu.sh + dest: /root/script/ + +- name: On rend exécutable le script actu.sh + file: + path: /root/script/actu.sh + mode: 0777 + diff --git a/roles/s-lb-bd-ab/README.txt b/roles/s-lb-bd-ab/README.txt new file mode 100644 index 0000000..1159174 --- /dev/null +++ b/roles/s-lb-bd-ab/README.txt @@ -0,0 +1,11 @@ +Apres avoir lancer le bash pull config: + +Creer un utilisateur autre que root dans la base de donnee +CREATE USER 'admin'@'localhost'IDENTIFIED BY 'Azerty1+'; +GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost'; + +Puis executer le script dans files/installmysql.sh qui bloquera les connexions root en localhost et distantes + +Enfin se connecter en tant que admin et creer un autre compte pour les utilisateurs +CREATE USER 'user'@'192.168.102.%'IDENTIFIED BY 'password'; +Le % permet d'autoriser la connexion de tous les postes du reseau 192.168.102.0/24 diff --git a/roles/s-lb-bd-ab/files/.my.cnf b/roles/s-lb-bd-ab/files/.my.cnf new file mode 100644 index 0000000..34d0e25 --- /dev/null +++ b/roles/s-lb-bd-ab/files/.my.cnf @@ -0,0 +1,3 @@ +[client] +user=root +password=root diff --git a/roles/s-lb-bd-ab/files/installmysql.sh b/roles/s-lb-bd-ab/files/installmysql.sh new file mode 100755 index 0000000..26d01b4 --- /dev/null +++ b/roles/s-lb-bd-ab/files/installmysql.sh 
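Review bot: The last task sets `mode: 0777` on /root/script/actu.sh, making a script executed as root world-writable; an executable needs `mode: '0755'` (quoted, since an unquoted `0777` is parsed as an integer and Ansible warns about it), and the mode can be set on the preceding `copy` task so the extra `file` task disappears. The third task has an empty `name:`, which prints as a blank line in the play output; `name: Creation du repertoire /root/script` is enough. actu.sh itself is a tight `while true; do curl 192.168.100.10; done` with no sleep, so if it is left running it saturates the very frontend it is meant to exercise; a `sleep 1` in the loop would make it a demo tool rather than a self-inflicted flood.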
@@ -0,0 +1,16 @@ +# Download and Install the Latest Updates for the OS +apt-get update && apt-get upgrade -y + +# Install MySQL Server in a Non-Interactive mode. Default root password will be "root" +echo "mysql-server mysql-server/root_password password root" | debconf-set-selections +echo "mysql-server mysql-server/root_password_again password root" | debconf-set-selections +apt-get -y install mysql-server + + +# Run the MySQL Secure Installation wizard +mysql_secure_installation + +sed -i 's/127\.0\.0\.1/0\.0\.0\.0/g' /etc/mysql/my.cnf +mysql -uroot -p -e 'USE mysql; UPDATE `user` SET `Host`="%" WHERE `User`="root" AND `Host`="localhost"; DELETE FROM `user` WHERE `Host` != "%" AND `User`="root"; FLUSH PRIVILEGES;' + +service mysql restart diff --git a/roles/s-lb-bd-ab/files/my.cnf b/roles/s-lb-bd-ab/files/my.cnf new file mode 100644 index 0000000..1308652 --- /dev/null +++ b/roles/s-lb-bd-ab/files/my.cnf 
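Review bot: The README for this role says installmysql.sh blocks root logins locally and remotely, but the `sed` and the `mysql -e` lines do the reverse: the sed rewrites 127.0.0.1 to 0.0.0.0 so mysqld listens on every interface, and `UPDATE user SET Host="%" WHERE User="root"` converts the root account, whose password the debconf lines above set to a trivial fixed value, into `'root'@'%'`, an any-host superuser, before the `DELETE` removes only the local entry. If the README's intent is the right one, leave `'root'@'localhost'` in place, never create `'root'@'%'`, and restrict listening with an explicit `bind-address` on the n-dmz-db interface instead of 0.0.0.0. Two operational points as well: `mysql_secure_installation` and `mysql -uroot -p` both prompt, so the script blocks when run unattended by Ansible, and `apt-get upgrade -y` in a provisioning script changes unrelated packages on every run.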
@@ -0,0 +1,128 @@ +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +#bind-address = 127.0.0.1 +# +# * Fine Tuning +# +key_buffer = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. 
+# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Here you can see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mysql-slow.log +#slow_query_log = 1 +#long_query_time = 2 +#log_queries_not_using_indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + + + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +!includedir /etc/mysql/conf.d/ diff --git a/roles/s-lb-bd-ab/handlers/main.yml b/roles/s-lb-bd-ab/handlers/main.yml new file mode 100644 index 0000000..caa5308 --- /dev/null +++ b/roles/s-lb-bd-ab/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart mysql-server + service: name=mysql-server state=restarted 
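Review bot: The handler restarts a service named `mysql-server`, but that is the Debian package name; the service the package installs is `mysql`, which is what installmysql.sh in the same role already uses (`service mysql restart`), so the handler should read `service: name=mysql state=restarted`. Nothing in the role's visible tasks notifies this handler either, so as written it is unreachable. The same handler is duplicated unchanged in roles/s-lb-bd/handlers/main.yml.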
diff --git a/roles/s-lb-bd/files/.my.cnf b/roles/s-lb-bd/files/.my.cnf
new file mode 100644
index 0000000..34d0e25
--- /dev/null
+++ b/roles/s-lb-bd/files/.my.cnf
@@ -0,0 +1,3 @@
+[client]
+user=root
+password=root
diff --git a/roles/s-lb-bd/files/installmysql.sh b/roles/s-lb-bd/files/installmysql.sh
new file mode 100755
index 0000000..9ee2508
--- /dev/null
+++ b/roles/s-lb-bd/files/installmysql.sh
@@ -0,0 +1,16 @@
+# Download and Install the Latest Updates for the OS
+apt-get update && apt-get upgrade -y
+
+# Install MySQL Server in a Non-Interactive mode. Default root password will be "root"
+echo "mysql-server mysql-server/root_password password root" | debconf-set-selections
+echo "mysql-server mysql-server/root_password_again password root" | debconf-set-selections
+apt-get -y install mysql-server
+
+
+# Run the MySQL Secure Installation wizard
+mysql_secure_installation
+
+sed -i 's/127\.0\.0\.1/0\.0\.0\.0/g' /etc/mysql/my.cnf
+mysql -uroot -p -e 'USE mysql; UPDATE `user` SET `Host`="%" WHERE `User`="root" AND `Host`="localhost"; DELETE FROM `user` WHERE `Host` != "%" AND `User`="root"; FLUSH PRIVILEGES;'
+
+service mysql restart
\ No newline at end of file
diff --git a/roles/s-lb-bd/files/my.cnf b/roles/s-lb-bd/files/my.cnf
new file mode 100644
index 0000000..1308652
--- /dev/null
+++ b/roles/s-lb-bd/files/my.cnf
@@ -0,0 +1,128 @@ +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +# This was formally known as [safe_mysqld]. Both versions are currently parsed. +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +# +# * Basic Settings +# +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking +# +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +#bind-address = 127.0.0.1 +# +# * Fine Tuning +# +key_buffer = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. 
+# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Here you can see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mysql-slow.log +#slow_query_log = 1 +#long_query_time = 2 +#log_queries_not_using_indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! +# +# * Security Features +# +# Read the manual, too, if you want chroot! +# chroot = /var/lib/mysql/ +# +# For generating SSL certificates I recommend the OpenSSL GUI "tinyca". +# +# ssl-ca=/etc/mysql/cacert.pem +# ssl-cert=/etc/mysql/server-cert.pem +# ssl-key=/etc/mysql/server-key.pem + + + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] +#no-auto-rehash # faster start of mysql but no tab completition + +[isamchk] +key_buffer = 16M + +# +# * IMPORTANT: Additional settings that can override those from this file! +# The files must end with '.cnf', otherwise they'll be ignored. +# +!includedir /etc/mysql/conf.d/ diff --git a/roles/s-lb-bd/handlers/main.yml b/roles/s-lb-bd/handlers/main.yml new file mode 100644 index 0000000..caa5308 --- /dev/null +++ b/roles/s-lb-bd/handlers/main.yml @@ -0,0 +1,3 @@ +--- + - name: restart mysql-server + service: name=mysql-server state=restarted 
diff --git a/roles/s-lb-bd/tasks/main.yml b/roles/s-lb-bd/tasks/main.yml
new file mode 100644
index 0000000..9f65e0e
--- /dev/null
+++ b/roles/s-lb-bd/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Install paquets
+ apt: name=mysql-server state=present force=yes
+
diff --git a/roles/s-lb-web-ab/files/.my.cnf b/roles/s-lb-web-ab/files/.my.cnf
new file mode 100644
index 0000000..34d0e25
--- /dev/null
+++ b/roles/s-lb-web-ab/files/.my.cnf
@@ -0,0 +1,3 @@
+[client]
+user=root
+password=root
diff --git a/roles/s-lb-web-ab/files/compter.bash b/roles/s-lb-web-ab/files/compter.bash
new file mode 100644
index 0000000..9d257fa
--- /dev/null
+++ b/roles/s-lb-web-ab/files/compter.bash
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "" > /var/log/apache2/access.log
+watch -n 0 wc -l /var/log/apache2/access.log
diff --git a/roles/s-lb-web-ab/handlers/main.yml b/roles/s-lb-web-ab/handlers/main.yml
new file mode 100644
index 0000000..e5c9101
--- /dev/null
+++ b/roles/s-lb-web-ab/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart apache2
+ service: name=apache2 state=restarted
\ No newline at end of file
diff --git a/roles/s-lb-web-ab/tasks/main.yml b/roles/s-lb-web-ab/tasks/main.yml
new file mode 100644
index 0000000..ba7a926
--- /dev/null
+++ b/roles/s-lb-web-ab/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Install apache2 php php5-mysql et autres modules php
+ apt:
+ name:
+ - apache2
+ - php
+ - php-mysql
+ - php-gd
+ - php-zip
+ - php-mbstring
+ - php-curl
+ - php-imagick
+ - php-xml
+ state: present
+
+- name: copie exports pour partage nfs wordpress
+ copy: src=compter.bash dest=/root
+
+- name: Changement de permission pour compter.bash
+ shell: chmod a+x /root/compter.bash
+
+#- name: Envoi d'index dans /var/www/
+# copy: src=index.html dest=/var/www/
+
+#- name: Install glusterfs client
+# apt: pkg=glusterfs-client state=present update_cache=yes
diff --git a/roles/s-lb-web/README.md b/roles/s-lb-web/README.md
new file mode 100644
index 0000000..07d485c
--- /dev/null
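Review bot: `force=yes` on the apt task passes apt's force option, which lets unauthenticated or downgraded packages install without the signature check; nothing in this role needs that, so `apt: name=mysql-server state=present update_cache=yes` is enough. The role also ships files/.my.cnf, files/my.cnf and files/installmysql.sh, but no task copies or runs them, so either add the tasks that use them or drop the files.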
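Review bot: compter.bash empties /var/log/apache2/access.log before counting, so every run discards the access history the load-balancing test is measured against and anything you would later need for an incident review. Count from a marker instead of truncating, e.g. record `start=$(wc -l < /var/log/apache2/access.log)` and display the difference, and use `watch -n 1` rather than `-n 0`, which polls continuously. The same file is added again as roles/s-lb-web/files/compter.bash.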
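Review bot: The `shell: chmod a+x /root/compter.bash` task runs again on every play and reports changed each time; the mode belongs on the copy task, `copy: src=compter.bash dest=/root/compter.bash mode=0750`, which also avoids granting execute to everyone on a file in /root. The task named `copie exports pour partage nfs wordpress` copies compter.bash, not an NFS export, so rename it to match. The first task's name still says php5-mysql while the list installs `php-mysql`.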
+++ b/roles/s-lb-web/README.md
@@ -0,0 +1,3 @@
+##Installation des serveurs web
+
+Ce rôle sert à installer les paquets nécessaire pour WordPress sur les serveurs webs.
diff --git a/roles/s-lb-web/files/.my.cnf b/roles/s-lb-web/files/.my.cnf
new file mode 100644
index 0000000..34d0e25
--- /dev/null
+++ b/roles/s-lb-web/files/.my.cnf
@@ -0,0 +1,3 @@
+[client]
+user=root
+password=root
diff --git a/roles/s-lb-web/files/compter.bash b/roles/s-lb-web/files/compter.bash
new file mode 100644
index 0000000..9d257fa
--- /dev/null
+++ b/roles/s-lb-web/files/compter.bash
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "" > /var/log/apache2/access.log
+watch -n 0 wc -l /var/log/apache2/access.log
diff --git a/roles/s-lb-web/handlers/main.yml b/roles/s-lb-web/handlers/main.yml
new file mode 100644
index 0000000..e5c9101
--- /dev/null
+++ b/roles/s-lb-web/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart apache2
+ service: name=apache2 state=restarted
\ No newline at end of file
diff --git a/roles/s-lb-web/tasks/main.yml b/roles/s-lb-web/tasks/main.yml
new file mode 100644
index 0000000..ac73865
--- /dev/null
+++ b/roles/s-lb-web/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Installation des paquets
+ apt:
+ name :
+ - apache2
+ - php
+ - php-mysql
+ state: present
+
+
+
+
diff --git a/roles/s-lb-wordpress/README.md b/roles/s-lb-wordpress/README.md
new file mode 100644
index 0000000..1191207
--- /dev/null
+++ b/roles/s-lb-wordpress/README.md
@@ -0,0 +1,3 @@
+##Téléchargement et configuration de WordPress
+
+Ce rôle télécharge wordpress depuis s-adm puis configure le fichier wp-config.php pour la situation du gsb.
diff --git a/roles/s-lb-wordpress/defaults/main.yml b/roles/s-lb-wordpress/defaults/main.yml
new file mode 100644
index 0000000..9b7cc1d
--- /dev/null
+++ b/roles/s-lb-wordpress/defaults/main.yml
@@ -0,0 +1,2 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_wordpress: "wordpress-5.8.2-fr_FR.tar.gz"
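Review bot: The defaults point the WordPress download at a plain-http URL (`http://s-adm.gsb.adm/gsbstore/`) and define no checksum for `wordpress-5.8.2-fr_FR.tar.gz`, so whichever task consumes them (not in this chunk) presumably has no way to verify the archive it unpacks onto the web servers. Add a default such as `depl_wordpress_sha256: "<sha256 of the archive>"` and pass `checksum: "sha256:{{ depl_wordpress_sha256 }}"` to the get_url task, or serve the store over https; the archive name also pins a version, so note where it is expected to be refreshed.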
diff --git a/roles/s-lb-wordpress/files/wp-config.php b/roles/s-lb-wordpress/files/wp-config.php
new file mode 100644
index 0000000..6c0623f
--- /dev/null
+++ b/roles/s-lb-wordpress/files/wp-config.php
@@ -0,0 +1,102 @@ + + +# sysservices: The proper value for the sysServices object. +# arguments: sysservices_number +sysServices 72 + + + +########################################################################### +# SECTION: Agent Operating Mode +# +# This section defines how the agent will operate when it +# is running. + +# master: Should the agent operate as a master agent or not. +# Currently, the only supported master agent type for this token +# is "agentx". +# +# arguments: (on|yes|agentx|all|off|no) + +master agentx + +# agentaddress: The IP address and port number that the agent will listen on. +# By default the agent listens to any and all traffic from any +# interface on the default SNMP port (161). This allows you to +# specify which address, interface, transport type and port(s) that you +# want the agent to listen on. Multiple definitions of this token +# are concatenated together (using ':'s). +# arguments: [transport:]port[@interface/address],... + +#agentaddress 127.0.0.1,[::1] +agentaddress udp:161 + + + +########################################################################### +# SECTION: Access Control Setup +# +# This section defines who is allowed to talk to your running +# snmp agent. + +# Views +# arguments viewname included [oid] + +# system + hrSystem groups only +view systemonly included .1.3.6.1.2.1.1 +view systemonly included .1.3.6.1.2.1.25.1 + + +# rocommunity: a SNMPv1/SNMPv2c read-only access community name +# arguments: community [default|hostname|network/bits] [oid | -V view] + +# Read-only access to everyone to the systemonly view +#rocommunity public default -V systemonly +#rocommunity6 public default -V systemonly +rocommunity public default +# SNMPv3 doesn't use communities, but users with (optionally) an +# authentication and encryption string. This user needs to be created +# with what they can view with rouser/rwuser lines in this file. 
+#
+# createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]
+# e.g.
+# createuser authPrivUser SHA-512 myauthphrase AES myprivphrase
+#
+# This should be put into /var/lib/snmp/snmpd.conf
+#
+# rouser: a SNMPv3 read-only access username
+# arguments: username [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
+rouser authPrivUser authpriv -V systemonly
diff --git a/roles/snmp-agent/handlers/main.yml b/roles/snmp-agent/handlers/main.yml
new file mode 100644
index 0000000..00b3490
--- /dev/null
+++ b/roles/snmp-agent/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart snmpd
+ service:
+ name: snmpd
+ state: restarted
diff --git a/roles/snmp-agent/tasks/main.yml b/roles/snmp-agent/tasks/main.yml
new file mode 100644
index 0000000..3914b8e
--- /dev/null
+++ b/roles/snmp-agent/tasks/main.yml
@@ -0,0 +1,16 @@
+ - name: Installation snmpd
+ apt:
+ name: snmpd
+ state: present
+
+ - name: Installation snmp
+ apt:
+ name: snmp
+ state: present
+
+ - name: Copie du fichier snmpd.conf
+ copy:
+ src: snmpd.conf
+ dest: /etc/snmp/
+ notify:
+ - restart snmpd
diff --git a/roles/squid/files/squid.s-adm.conf b/roles/squid/files/squid.s-adm.conf
new file mode 100644
index 0000000..af62dd5
--- /dev/null
+++ b/roles/squid/files/squid.s-adm.conf
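Review bot: `rocommunity public default` grants SNMPv1/v2c read access to the whole MIB from any source address, while the comment just above says "to the systemonly view" and the shipped `#rocommunity public default -V systemonly` line is the one that matches that intent; together with `agentaddress udp:161` replacing the commented `127.0.0.1,[::1]`, anyone who can reach the host reads its system, interface, process and software inventory with a well-known community string. Restore the view restriction and limit the source, e.g. `rocommunity <community> <monitoring-host-or-network> -V systemonly` with a non-default community string, or keep only the SNMPv3 `rouser authPrivUser authpriv -V systemonly` line already present and drop the v2c community. This hunk is labelled `+++ b/roles/s-lb-wordpress/files/wp-config.php` on the page but its content is the snmpd.conf copied by roles/snmp-agent, so the page appears to have lost the wp-config.php body and the snmpd.conf file header; the start of the file is not visible here.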
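Review bot: The copy of snmpd.conf sets no owner or mode, so the file that holds the community string lands with whatever the default umask gives, typically world-readable, whereas the distribution's own /etc/snmp/snmpd.conf is installed readable by root only (confirm on the target). Add `owner: root`, `group: root` and `mode: 0600` to the copy task, and use the explicit `dest: /etc/snmp/snmpd.conf` so a later change of `src` cannot silently create a second file in the directory.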
@@ -0,0 +1,7961 @@ +# WELCOME TO SQUID 3.5.23 +# ---------------------------- +# +# This is the documentation for the Squid configuration file. +# This documentation can also be found online at: +# http://www.squid-cache.org/Doc/config/ +# +# You may wish to look at the Squid home page and wiki for the +# FAQ and other documentation: +# http://www.squid-cache.org/ +# http://wiki.squid-cache.org/SquidFaq +# http://wiki.squid-cache.org/ConfigExamples +# +# This documentation shows what the defaults for various directives +# happen to be. If you don't need to change the default, you should +# leave the line out of your squid.conf in most cases. +# +# In some cases "none" refers to no default setting at all, +# while in other cases it refers to the value of the option +# - the comments for that keyword indicate if this is the case. +# + +# Configuration options can be included using the "include" directive. +# Include takes a list of files to include. Quoting and wildcards are +# supported. +# +# For example, +# +# include /path/to/included/file/squid.acl.config +# +# Includes can be nested up to a hard-coded depth of 16 levels. +# This arbitrary restriction is to prevent recursive include references +# from causing Squid entering an infinite loop whilst trying to load +# configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. 
+# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. 
Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use %
+##auth_param negotiate children 20 startup=0 idle=1 +##auth_param negotiate keep_alive on +## +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 +##auth_param digest realm Squid proxy-caching web server +##auth_param digest nonce_garbage_interval 5 minutes +##auth_param digest nonce_max_duration 30 minutes +##auth_param digest nonce_max_count 50 +## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## +##auth_param basic program +##auth_param basic children 5 startup=5 idle=1 +##auth_param basic realm Squid proxy-caching web server +##auth_param basic credentialsttl 2 hours +#Default: +# none + +# TAG: authenticate_cache_garbage_interval +# The time period between garbage collection across the username cache. +# This is a trade-off between memory utilization (long intervals - say +# 2 days) and CPU (short intervals - say 1 minute). Only change if you +# have good reason to. +#Default: +# authenticate_cache_garbage_interval 1 hour + +# TAG: authenticate_ttl +# The time a user & their credentials stay in the logged in +# user cache since their last request. When the garbage +# interval passes, all user credentials that have passed their +# TTL are removed from memory. +#Default: +# authenticate_ttl 1 hour + +# TAG: authenticate_ip_ttl +# If you use proxy authentication and the 'max_user_ip' ACL, +# this directive controls how long Squid remembers the IP +# addresses associated with each user. Use a small value +# (e.g., 60 seconds) if your users might change addresses +# quickly, as is the case with dialup. You might be safe +# using a larger value (e.g., 2 hours) in a corporate LAN +# environment with relatively static address assignments. 
+#Default: +# authenticate_ip_ttl 1 second + +# ACCESS CONTROLS +# ----------------------------------------------------------------------------- + +# TAG: external_acl_type +# This option defines external acl classes using a helper program +# to look up the status +# +# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] +# +# Options: +# +# ttl=n TTL in seconds for cached results (defaults to 3600 +# for 1 hour) +# +# negative_ttl=n +# TTL for cached negative lookups (default same +# as ttl) +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service +# external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# +# concurrency=n concurrency level per process. Only used with helpers +# capable of processing more than one query at a time. +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# +# ipv4 / ipv6 IP protocol used to communicate with this helper. 
+# The default is to auto-detect IPv6 and use it when available. +# +# +# FORMAT specifications +# +# %LOGIN Authenticated user login name +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl +# %IDENT Ident user name +# %SRC Client IP +# %SRCPORT Client source port +# %URI Requested URI +# %DST Requested host +# %PROTO Requested URL scheme +# %PORT Requested port +# %PATH Requested URL path +# %METHOD Request method +# %MYADDR Squid interface address +# %MYPORT Squid http_port number +# %PATH Requested URL-path (including query-string if any) +# %USER_CERT SSL User certificate in PEM format +# %USER_CERTCHAIN SSL User certificate chain in PEM format +# %USER_CERT_xx SSL User certificate subject attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" +# %>{Hdr:member} +# HTTP request header "Hdr" list member "member" +# %>{Hdr:;member} +# HTTP request header list member using ; as +# list separator. ; can be any non-alphanumeric +# character. +# +# %<{Header} HTTP reply header "Header" +# %<{Hdr:member} +# HTTP reply header "Hdr" list member "member" +# %<{Hdr:;member} +# HTTP reply header list member using ; as +# list separator. ; can be any non-alphanumeric +# character. +# +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# +# %% The percent sign. 
Useful for helpers which need +# an unchanging input format. +# +# +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# +# +# General result syntax: +# +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. +# +# Defined keywords: +# +# user= The users name (login) +# +# password= The users password (for login= cache_peer option) +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). 
+# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# +# log= String to be logged in access.log. Available as +# %ea in logformat specifications. +# +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. +# +# Any keywords may be sent on any response whether OK, ERR or BH. +# +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" +#Default: +# none + +# TAG: acl +# Defining an Access List +# +# Every access list definition must begin with an aclname and acltype, +# followed by either type-specific arguments or a quoted filename that +# they are read from. +# +# acl aclname acltype argument ... +# acl aclname acltype "file" ... +# +# When using "file", the file should contain one item per line. +# +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. 
+# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) +# +# Some acl types require suspending the current request in order +# to access some external data source. +# Those which do are marked with the tag [slow], those which +# don't are marked as [fast]. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl +# for further information +# +# ***** ACL TYPES AVAILABLE ***** +# +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] +# +# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) +# # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. +# # +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. +# +# acl aclname srcdomain .foo.com ... +# # reverse lookup, from client IP [slow] +# acl aclname dstdomain [-n] .foo.com ... +# # Destination server from URL [fast] +# acl aclname srcdom_regex [-i] \.foo\.com ... +# # regex matching client name [slow] +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... +# # regex matching server [fast] +# # +# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP +# # based URL is used and no match is found. The name "none" is used +# # if the reverse lookup fails. +# +# acl aclname src_as number ... +# acl aclname dst_as number ... 
+# # [fast]
+# # Except for access control, AS numbers can be used for
+# # routing of requests to specific caches. Here's an
+# # example for routing all requests for AS#1241 and only
+# # those to mycache.mydomain.net:
+# # acl asexample dst_as 1241
+# # cache_peer_access mycache.mydomain.net allow asexample
+# # cache_peer_access mycache_mydomain.net deny all
+#
+# acl aclname peername myPeer ...
+# # [fast]
+# # match against a named cache_peer entry
+# # set unique name= on cache_peer lines for reliable use.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# # [fast]
+# # day-abbrevs:
+# # S - Sunday
+# # M - Monday
+# # T - Tuesday
+# # W - Wednesday
+# # H - Thursday
+# # F - Friday
+# # A - Saturday
+# # h1:m1 must be less than h2:m2
+#
+# acl aclname url_regex [-i] ^http:// ...
+# # regex matching on whole URL [fast]
+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+# # regex matching on URL login field
+# acl aclname urlpath_regex [-i] \.gif$ ...
+# # regex matching on URL path [fast]
+#
+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
+# # ranges are alloed
+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
+# # NP: for interception mode this is usually '80'
+#
+# acl aclname myportname 3128 ... # *_port name [fast]
+#
+# acl aclname proto HTTP FTP ... # request protocol [fast]
+#
+# acl aclname method GET POST ... # HTTP request method [fast]
+#
+# acl aclname http_status 200 301 500- 400-403 ...
+# # status code in reply [fast]
+#
+# acl aclname browser [-i] regexp ...
+# # pattern match on User-Agent header (see also req_header below) [fast]
+#
+# acl aclname referer_regex [-i] regexp ...
+# # pattern match on Referer header [fast]
+# # Referer is highly unreliable, so use with care
+#
+# acl aclname ident username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output [slow]
+# # use REQUIRED to accept any non-null ident.
+#
+# acl aclname proxy_auth [-i] username ...
+# acl aclname proxy_auth_regex [-i] pattern ...
+# # perform http authentication challenge to the client and match against
+# # supplied credentials [slow]
+# #
+# # takes a list of allowed usernames.
+# # use REQUIRED to accept any valid username.
+# #
+# # Will use proxy authentication in forward-proxy scenarios, and plain
+# # http authenticaiton in reverse-proxy scenarios
+# #
+# # NOTE: when a Proxy-Authentication header is sent but it is not
+# # needed during ACL checking the username is NOT logged
+# # in access.log.
+# #
+# # NOTE: proxy_auth requires a EXTERNAL authentication program
+# # to check username/password combinations (see
+# # auth_param directive).
+# #
+# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
+# # as the browser needs to be configured for using a proxy in order
+# # to respond to proxy authentication.
+#
+# acl aclname snmp_community string ...
+# # A community string to limit access to your SNMP Agent [fast]
+# # Example:
+# #
+# # acl snmppublic snmp_community public
+#
+# acl aclname maxconn number
+# # This will be matched when the client's IP address has
+# # more than TCP connections established. [fast]
+# # NOTE: This only measures direct TCP links so X-Forwarded-For
+# # indirect clients are not counted.
+#
+# acl aclname max_user_ip [-s] number
+# # This will be matched when the user attempts to log in from more
+# # than different ip addresses. The authenticate_ip_ttl
+# # parameter controls the timeout on the ip entries. [fast]
+# # If -s is specified the limit is strict, denying browsing
+# # from any further IP addresses until the ttl has expired. Without
+# # -s Squid will just annoy the user by "randomly" denying requests.
+# # (the counter is reset each time the limit is reached and a
+# # request is denied)
+# # NOTE: in acceleration mode or where there is mesh of child proxies,
+# # clients may appear to come from multiple addresses if they are
+# # going through proxy farms, so a limit of 1 may cause user problems.
+#
+# acl aclname random probability
+# # Pseudo-randomly match requests. Based on the probability given.
+# # Probability may be written as a decimal (0.333), fraction (1/3)
+# # or ratio of matches:non-matches (3:5).
+#
+# acl aclname req_mime_type [-i] mime-type ...
+# # regex match against the mime type of the request generated
+# # by the client. Can be used to detect file upload or some
+# # types HTTP tunneling requests [fast]
+# # NOTE: This does NOT match the reply. You cannot use this
+# # to match the returned file type.
+#
+# acl aclname req_header header-name [-i] any\.regex\.here
+# # regex match against any of the known request headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACL [fast]
+#
+# acl aclname rep_mime_type [-i] mime-type ...
+# # regex match against the mime type of the reply received by
+# # squid. Can be used to detect file download or some
+# # types HTTP tunneling requests. [fast]
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname rep_header header-name [-i] any\.regex\.here
+# # regex match against any of the known reply headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACLs [fast]
+#
+# acl aclname external class_name [arguments...]
+# # external ACL lookup via a helper class defined by the
+# # external_acl_type directive [slow]
+#
+# acl aclname user_cert attribute values...
+# # match against attributes in a user SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ca_cert attribute values...
+# # match against attributes a users issuing CA SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ext_user username ...
+# acl aclname ext_user_regex [-i] pattern ...
+# # string match on username returned by external acl helper [slow]
+# # use REQUIRED to accept any non-null user name.
+#
+# acl aclname tag tagvalue ...
+# # string match on tag returned by external acl helper [fast]
+# # DEPRECATED. Only the first tag will match with this ACL.
+# # Use the 'note' ACL instead for handling multiple tag values.
+#
+# acl aclname hier_code codename ...
+# # string match against squid hierarchy code(s); [fast]
+# # e.g., DIRECT, PARENT_HIT, NONE, etc.
+# #
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname note name [value ...]
+# # match transaction annotation [fast]
+# # Without values, matches any annotation with a given name.
+# # With value(s), matches any annotation with a given name that
+# # also has one of the given values.
+# # Names and values are compared using a string equality test.
+# # Annotation sources include note and adaptation_meta directives
+# # as well as helper and eCAP responses.
+#
+# acl aclname adaptation_service service ...
+# # Matches the name of any icap_service, ecap_service,
+# # adaptation_service_set, or adaptation_service_chain that Squid
+# # has used (or attempted to use) for the master transaction.
+# # This ACL must be defined after the corresponding adaptation
+# # service is named in squid.conf. This ACL is usable with
+# # adaptation_meta because it starts matching immediately after
+# # the service has been selected for adaptation.
+#
+# acl aclname any-of acl1 acl2 ...
+# # match any one of the acls [fast or slow]
+# # The first matching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple any-of lines with the same name are ORed.
+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
+# # acl A any-of a1 a2
+# # acl A any-of a3 a4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# acl aclname all-of acl1 acl2 ...
+# # match all of the acls [fast or slow]
+# # The first mismatching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple all-of lines with the same name are ORed.
+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
+# # acl B all-of b1 b2
+# # acl B all-of b3 b4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# Examples:
+# acl macaddress arp 09:00:2b:23:45:67
+# acl myexample dst_as 1241
+# acl password proxy_auth REQUIRED
+# acl fileupload req_mime_type -i ^multipart/form-data$
+# acl javascript rep_mime_type -i ^application/x-javascript$
+#
+#Default:
+# ACLs all, manager, localhost, and to_localhost are predefined.
+#
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+#acl localnet src fc00::/7 # RFC 4193 local private network range
+#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+# TAG: proxy_protocol_access
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address using PROXY protocol.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# This directive is solely for validating new PROXY protocol
+# connections received from a port flagged with require-proxy-header.
+# It is checked only once after TCP connection setup.
+#
+# A deny match results in TCP connection closure.
+#
+# An allow match is required for Squid to permit the corresponding
+# TCP connection, before Squid even looks for HTTP request headers.
+# If there is an allow match, Squid starts using PROXY header information
+# to determine the source address of the connection for all future ACL
+# checks, logging, etc.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# all TCP connections to ports with require-proxy-header will be denied
+
+# TAG: follow_x_forwarded_for
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# PROXY protocol connections are controlled by the proxy_protocol_access
+# directive which is checked before this.
+#
+# If a request reaches us from a source that is allowed by this
+# directive, then we trust the information it provides regarding
+# the IP of the client it received from (if any).
+#
+# For the purpose of ACLs used in this directive the src ACL type always
+# matches the address we are testing and srcdomain matches its rDNS.
+#
+# On each HTTP request Squid checks for X-Forwarded-For header fields.
+# If found the header values are iterated in reverse order and an allow
+# match is required for Squid to continue on to the next value.
+# The verification ends when a value receives a deny match, cannot be
+# tested, or there are no more values to test.
+# NOTE: Squid does not yet follow the Forwarded HTTP header.
+#
+# The end result of this process is an IP address that we will
+# refer to as the indirect client address.
This address may
+# be treated as the client address for access control, ICAP, delay
+# pools and logging, depending on the acl_uses_indirect_client,
+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
+# log_uses_indirect_client and tproxy_uses_indirect_client options.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# For example:
+#
+# acl localhost src 127.0.0.1
+# acl my_other_proxy srcdomain .proxy.example.com
+# follow_x_forwarded_for allow localhost
+# follow_x_forwarded_for allow my_other_proxy
+#Default:
+# X-Forwarded-For header will be ignored.
+
+# TAG: acl_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in acl matching.
+#
+# NOTE: maxconn ACL considers direct TCP links and indirect
+# clients will always have zero. So no match.
+#Default:
+# acl_uses_indirect_client on
+
+# TAG: delay_pool_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in delay pools.
+#Default:
+# delay_pool_uses_indirect_client on
+
+# TAG: log_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in the access log.
+#Default:
+# log_uses_indirect_client on
+
+# TAG: tproxy_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address when spoofing the outgoing client.
+#
+# This has no effect on requests arriving in non-tproxy
+# mode ports.
+#
+# SECURITY WARNING: Usage of this option is dangerous
+# and should not be used trivially. Correct configuration
+# of follow_x_forwarded_for with a limited set of trusted
+# sources is required to prevent abuse of your proxy.
+#Default:
+# tproxy_uses_indirect_client off
+
+# TAG: spoof_client_ip
+# Control client IP address spoofing of TPROXY traffic based on
+# defined access lists.
+#
+# spoof_client_ip allow|deny [!]aclname ...
+#
+# If there are no "spoof_client_ip" lines present, the default
+# is to "allow" spoofing of any suitable request.
+#
+# Note that the cache_peer "no-tproxy" option overrides this ACL.
+#
+# This clause supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow spoofing on all TPROXY traffic.
+
+# TAG: http_access
+# Allowing or Denying access based on defined access lists
+#
+# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
+# http_access allow|deny [!]aclname ...
+#
+# NOTE on default values:
+#
+# If there are no "access" lines present, the default is to deny
+# the request.
+#
+# If none of the "access" lines cause a match, the default is the
+# opposite of the last line in the list. If the last line was
+# deny, the default is allow. Conversely, if the last line
+# is allow, the default will be deny. For these reasons, it is a
+# good idea to have an "deny all" entry at the end of your access
+# lists to avoid potential confusion.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# Deny, unless rules exist in squid.conf.
+#
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+#http_access allow localnet
+http_access allow localhost
+http_access allow localnet
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# TAG: adapted_http_access
+# Allowing or Denying access based on defined access lists
+#
+# Essentially identical to http_access, but runs after redirectors
+# and ICAP/eCAP adaptation. Allowing access control based on their
+# output.
+#
+# If not set then only http_access is used.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: http_reply_access
+# Allow replies to client requests. This is complementary to http_access.
+#
+# http_reply_access allow|deny [!] aclname ...
+#
+# NOTE: if there are no access lines present, the default is to allow
+# all replies.
+#
+# If none of the access lines cause a match the opposite of the
+# last line will apply. Thus it is good practice to end the rules
+# with an "allow all" or "deny all" entry.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: icp_access
+# Allowing or Denying access to the ICP port based on defined
+# access lists
+#
+# icp_access allow|deny [!]aclname ...
+#
+# NOTE: The default if no icp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using ICP.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow ICP queries from local networks only
+##icp_access allow localnet
+##icp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_access
+# Allowing or Denying access to the HTCP port based on defined
+# access lists
+#
+# htcp_access allow|deny [!]aclname ...
+#
+# See also htcp_clr_access for details on access control for
+# cache purge (CLR) HTCP messages.
+#
+# NOTE: The default if no htcp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using the htcp option.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP queries from local networks only
+##htcp_access allow localnet
+##htcp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_clr_access
+# Allowing or Denying access to purge content using HTCP based
+# on defined access lists.
+# See htcp_access for details on general HTCP access control.
+#
+# htcp_clr_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP CLR requests from trusted peers
+#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
+#htcp_clr_access allow htcp_clr_peer
+#htcp_clr_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: miss_access
+# Determines whether network access is permitted when satisfying a request.
+#
+# For example;
+# to force your neighbors to use you as a sibling instead of
+# a parent.
+#
+# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
+# miss_access deny !localclients
+# miss_access allow all
+#
+# This means only your local clients are allowed to fetch relayed/MISS
+# replies from the network and all other clients can only fetch cached
+# objects (HITs).
+#
+# The default for this setting allows all clients who passed the
+# http_access rules to relay via this proxy.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: ident_lookup_access
+# A list of ACL elements which, if matched, cause an ident
+# (RFC 931) lookup to be performed for this request. For
+# example, you might choose to always perform ident lookups
+# for your main multi-user Unix boxes, but not for your Macs
+# and PCs. By default, ident lookups are not performed for
+# any requests.
+#
+# To enable ident lookups for specific client addresses, you
+# can follow this example:
+#
+# acl ident_aware_hosts src 198.168.1.0/24
+# ident_lookup_access allow ident_aware_hosts
+# ident_lookup_access deny all
+#
+# Only src type ACL checks are fully supported. A srcdomain
+# ACL might work at times, but it will not always provide
+# the correct result.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Unless rules exist in squid.conf, IDENT is not fetched.
+
+# TAG: reply_body_max_size size [acl acl...]
+# This option specifies the maximum size of a reply body. It can be
+# used to prevent users from downloading very large files, such as
+# MP3's and movies. When the reply headers are received, the
+# reply_body_max_size lines are processed, and the first line where
+# all (if any) listed ACLs are true is used as the maximum body size
+# for this reply.
+#
+# This size is checked twice. First when we get the reply headers,
+# we check the content-length value.
If the content length value exists
+# and is larger than the allowed size, the request is denied and the
+# user receives an error message that says "the request or reply
+# is too large." If there is no content-length, and the reply
+# size exceeds this limit, the client's connection is just closed
+# and they will receive a partial reply.
+#
+# WARNING: downstream caches probably can not detect a partial reply
+# if there is no content-length header, so they will cache
+# partial responses and give them out as hits. You should NOT
+# use this option if you have downstream caches.
+#
+# WARNING: A maximum size smaller than the size of squid's error messages
+# will cause an infinite loop and crash squid. Ensure that the smallest
+# non-zero value you use is greater that the maximum header size plus
+# the size of your largest error page.
+#
+# If you set this parameter none (the default), there will be
+# no limit imposed.
+#
+# Configuration Format is:
+# reply_body_max_size SIZE UNITS [acl ...]
+# ie.
+# reply_body_max_size 10 MB
+#
+#Default:
+# No limit is applied.
+
+# NETWORK OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: http_port
+# Usage: port [mode] [options]
+# hostname:port [mode] [options]
+# 1.2.3.4:port [mode] [options]
+#
+# The socket addresses where Squid will listen for HTTP client
+# requests. You may specify multiple socket addresses.
+# There are three forms: port alone, hostname with port, and
+# IP address with port. If you specify a hostname or IP
+# address, Squid binds the socket to that specific
+# address. Most likely, you do not need to bind to a specific
+# address, so you can use the port number alone.
+#
+# If you are running Squid in accelerator mode, you
+# probably want to listen on port 80 also, or instead.
+#
+# The -a command line option may be used to specify additional
+# port(s) where Squid listens for proxy request.
Such ports will
+# be plain proxy ports with no options.
+#
+# You may specify multiple socket addresses on multiple lines.
+#
+# Modes:
+#
+# intercept Support for IP-Layer NAT interception delivering
+# traffic to this Squid port.
+# NP: disables authentication on the port.
+#
+# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
+# of outgoing connections using the client IP address.
+# NP: disables authentication on the port.
+#
+# accel Accelerator / reverse proxy mode
+#
+# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
+# establish secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# The ssl_bump option is required to fully enable
+# bumping of CONNECT requests.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# Accelerator Mode Options:
+#
+# defaultsite=domainname
+# What to use for the Host: header if it is not present
+# in a request. Determines what site (not origin server)
+# accelerators should consider the default.
+#
+# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
+#
+# protocol= Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to HTTP/1.1 for http_port and
+# HTTPS/1.1 for https_port.
+# When an unsupported value is configured Squid will
+# produce a FATAL error.
+# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
+#
+# vport Virtual host port support. Using the http_port number
+# instead of the port passed on Host: headers.
+#
+# vport=NN Virtual host port support. Using the specified port
+# number instead of the port passed on Host: headers.
+#
+# act-as-origin
+# Act as if this Squid is the origin server.
+# This currently means generate new Date: and Expires:
+# headers on HIT instead of adding Age:.
+#
+# ignore-cc Ignore request Cache-Control headers.
+#
+# WARNING: This option violates HTTP specifications if
+# used in non-accelerator setups.
+#
+# allow-direct Allow direct forwarding in accelerator mode. Normally
+# accelerated requests are denied direct forwarding as if
+# never_direct was used.
+#
+# WARNING: this option opens accelerator mode to security
+# vulnerabilities usually only affecting in interception
+# mode. Make sure to protect forwarding with suitable
+# http_access rules when using this.
+#
+#
+# SSL Bump Mode Options:
+# In addition to these options ssl-bump requires TLS/SSL options.
+#
+# generate-host-certificates[=]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is a CA certificate lifetime of the generated
+# certificate equals lifetime of the CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is disabled by default. See the ssl-bump
+# option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled.
+#
+# TLS / SSL Options:
+#
+# cert= Path to SSL certificate (PEM format).
+#
+# key= Path to SSL private key file (PEM format)
+# if not specified, the certificate file is
+# assumed to be a combined certificate and
+# key file.
+#
+# version= The version of SSL/TLS supported
+# 1 automatic (default)
+# 2 SSLv2 only
+# 3 SSLv3 only
+# 4 TLSv1.0 only
+# 5 TLSv1.1 only
+# 6 TLSv1.2 only
+#
+# cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
+#
+# options= Various SSL implementation options.
The most important
+# being:
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+# SINGLE_DH_USE Always create a new key when using
+# temporary/ephemeral DH key exchanges
+# NO_TICKET Disables TLS tickets extension
+#
+# SINGLE_ECDH_USE
+# Enable ephemeral ECDH key exchange.
+# The adopted curve should be specified
+# using the tls-dh option.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+# See OpenSSL SSL_CTX_set_options documentation for a
+# complete list of options.
+#
+# clientca= File containing the list of CAs to use when
+# requesting a client certificate.
+#
+# cafile= File containing additional CA certificates to
+# use when verifying client certificates. If unset
+# clientca will be used.
+#
+# capath= Directory containing additional CA certificates
+# and CRL lists to use when verifying client certificates.
+#
+# crlfile= File of additional CRL lists to use when verifying
+# the client certificate, in addition to CRLs stored in
+# the capath. Implies VERIFY_CRL flag below.
+#
+# tls-dh=[curve:]file
+# File containing DH parameters for temporary/ephemeral DH key
+# exchanges, optionally prefixed by a curve for ephemeral ECDH
+# key exchanges.
+# See OpenSSL documentation for details on how to create the
+# DH parameter file. Supported curves for ECDH can be listed
+# using the "openssl ecparam -list_curves" command.
+# WARNING: EDH and EECDH ciphers will be silently disabled if
+# this option is not set.
+#
+# sslflags= Various flags modifying the use of SSL:
+# DELAYED_AUTH
+# Don't request client certificates
+# immediately, but wait until acl processing
+# requires a certificate (not yet implemented).
+# NO_DEFAULT_CA
+# Don't use the default CA lists built in
+# to OpenSSL.
+# NO_SESSION_REUSE
+# Don't allow for session reuse. Each connection
+# will result in a new SSL session.
+# VERIFY_CRL
+# Verify CRL lists when accepting client
+# certificates.
+# VERIFY_CRL_ALL
+# Verify CRL lists for all certificates in the
+# client certificate chain.
+#
+# sslcontext= SSL session ID context identifier.
+#
+# Other Options:
+#
+# connection-auth[=on|off]
+# use connection-auth=off to tell Squid to prevent
+# forwarding Microsoft connection oriented authentication
+# (NTLM, Negotiate and Kerberos)
+#
+# disable-pmtu-discovery=
+# Control Path-MTU discovery usage:
+# off lets OS decide on what to do (default).
+# transparent disable PMTU discovery when transparent
+# support is enabled.
+# always disable always PMTU discovery.
+#
+# In many setups of transparently intercepting proxies
+# Path-MTU discovery can not work on traffic towards the
+# clients. This is the case when the intercepting device
+# does not fully track connections and fails to forward
+# ICMP must fragment messages to the cache server. If you
+# have such setup and experience that certain clients
+# sporadically hang or never complete requests set
+# disable-pmtu-discovery option to 'transparent'.
+#
+# name= Specifies a internal name for the port. Defaults to
+# the port specification (port or addr:port)
+#
+# tcpkeepalive[=idle,interval,timeout]
+# Enable TCP keepalive probes of idle connections.
+# In seconds; idle is the initial time before TCP starts
+# probing the connection, interval how often to probe, and
+# timeout the time before giving up.
+#
+# require-proxy-header
+# Require PROXY protocol version 1 or 2 connections.
+# The proxy_protocol_access is required to whitelist
+# downstream proxies which can be trusted.
+#
+# If you run Squid on a dual-homed machine with an internal
+# and an external interface we recommend you to specify the
+# internal address:port in http_port. This way Squid will only be
+# visible on the internal address.
+#
+#
+
+# Squid normally listens to port 3128
+#http_port 3128
+http_port 8080
+
+# TAG: https_port
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
+#
+# The socket address where Squid will listen for client requests made
+# over TLS or SSL connections. Commonly referred to as HTTPS.
+#
+# This is most useful for situations where you are running squid in
+# accelerator mode and you want to do the SSL work at the accelerator level.
+#
+# You may specify multiple socket addresses on multiple lines,
+# each with their own SSL certificate and/or options.
+#
+# Modes:
+#
+# accel Accelerator / reverse proxy mode
+#
+# intercept Support for IP-Layer interception of
+# outgoing requests without browser settings.
+# NP: disables authentication and IPv6 on the port.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
+#
+# ssl-bump For each intercepted connection allowed by ssl_bump
+# ACLs, establish a secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# An "ssl_bump server-first" match is required to
+# fully enable bumping of intercepted SSL connections.
+#
+# Requires tproxy or intercept.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# See http_port for a list of generic options
+#
+#
+# SSL Options:
+#
+# cert= Path to SSL certificate (PEM format).
+#
+# key= Path to SSL private key file (PEM format)
+# if not specified, the certificate file is
+# assumed to be a combined certificate and
+# key file.
+# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1 only +# +# cipher= Colon separated list of supported ciphers. +# +# options= Various SSL engine options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1 +# +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. 
+#
+# sslcontext= SSL session ID context identifier.
+#
+# generate-host-certificates[=]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped SSL requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is CA certificate life time of generated
+# certificate equals lifetime of CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is disabled by default. See the ssl-bump
+# option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled.
+#
+# See http_port for a list of available options.
+#Default:
+# none
+
+# TAG: ftp_port
+# Enables Native FTP proxy by specifying the socket address where Squid
+# listens for FTP client requests. See http_port directive for various
+# ways to specify the listening address and mode.
+#
+# Usage: ftp_port address [mode] [options]
+#
+# WARNING: This is a new, experimental, complex feature that has seen
+# limited production exposure. Some Squid modules (e.g., caching) do not
+# currently work with native FTP proxying, and many features have not
+# even been tested for compatibility. Test well before deploying!
+#
+# Native FTP proxying differs substantially from proxying HTTP requests
+# with ftp:// URIs because Squid works as an FTP server and receives
+# actual FTP commands (rather than HTTP requests with FTP URLs).
+#
+# Native FTP commands accepted at ftp_port are internally converted or
+# wrapped into HTTP-like messages. The same happens to Native FTP
+# responses received from FTP origin servers. Those HTTP-like messages
+# are shoveled through regular access control and adaptation layers
+# between the FTP client and the FTP origin server. This allows Squid to
+# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
+# mechanisms when shoveling wrapped FTP messages. For example,
+# http_access and adaptation_access directives are used.
+#
+# Modes:
+#
+# intercept Same as http_port intercept. The FTP origin address is
+# determined based on the intended destination of the
+# intercepted connection.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
+#
+# By default (i.e., without an explicit mode option), Squid extracts the
+# FTP origin address from the login@origin parameter of the FTP USER
+# command. Many popular FTP clients support such native FTP proxying.
+#
+# Options:
+#
+# name=token Specifies an internal name for the port. Defaults to
+# the port address. Usable with myportname ACL.
+#
+# ftp-track-dirs
+# Enables tracking of FTP directories by injecting extra
+# PWD commands and adjusting Request-URI (in wrapping
+# HTTP requests) to reflect the current FTP server
+# directory. Tracking is disabled by default.
+#
+# protocol=FTP Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to FTP. No other accepted
+# values have been tested with. An unsupported value
+# results in a FATAL error. Accepted values are FTP,
+# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
+#
+# Other http_port modes and options that are not specific to HTTP and
+# HTTPS may also work.
+#Default:
+# none
+
+# TAG: tcp_outgoing_tos
+# Allows you to select a TOS/Diffserv value for packets outgoing
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_tos 0x00 normal_service_net
+# tcp_outgoing_tos 0x20 good_service_net
+#
+# TOS/DSCP values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: clientside_tos
+# Allows you to select a TOS/DSCP value for packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_tos 0x00 normal_service_net
+# clientside_tos 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any TOS values set here
+# will be overwritten by TOS values in qos_flows.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+#Default:
+# none
+
+# TAG: tcp_outgoing_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to outgoing packets
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_mark 0x00 normal_service_net
+# tcp_outgoing_mark 0x20 good_service_net
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: clientside_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_mark 0x00 normal_service_net
+# clientside_mark 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any mark values set here
+# will be overwritten by mark values in qos_flows.
+#Default:
+# none
+
+# TAG: qos_flows
+# Allows you to select a TOS/DSCP value to mark outgoing
+# connections to the client, based on where the reply was sourced.
+# For platforms using netfilter, allows you to set a netfilter mark
+# value instead of, or in addition to, a TOS value.
+#
+# By default this functionality is disabled. To enable it with the default
+# settings simply use "qos_flows mark" or "qos_flows tos". Default
+# settings will result in the netfilter mark or TOS value being copied
+# from the upstream connection to the client. Note that it is the connection
+# CONNMARK value not the packet MARK value that is copied.
+#
+# It is not currently possible to copy the mark or TOS value from the
+# client to the upstream connection request.
+#
+# TOS values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Mark values can be any unsigned 32-bit integer value.
+#
+# This setting is configured by setting the following values:
+#
+# tos|mark Whether to set TOS or netfilter mark values
+#
+# local-hit=0xFF Value to mark local cache hits.
+#
+# sibling-hit=0xFF Value to mark hits from sibling peers.
+#
+# parent-hit=0xFF Value to mark hits from parent peers.
+#
+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
+# over the preserve-miss feature (see below), unless
+# mask is specified, in which case only the bits
+# specified in the mask are written.
+#
+# The TOS variant of the following features are only possible on Linux
+# and require your kernel to be patched with the TOS preserving ZPH
+# patch, available from http://zph.bratcheda.org
+# No patch is needed to preserve the netfilter mark, which will work
+# with all variants of netfilter.
+#
+# disable-preserve-miss
+# This option disables the preservation of the TOS or netfilter
+# mark. By default, the existing TOS or netfilter mark value of
+# the response coming from the remote server will be retained
+# and masked with miss-mark.
+# NOTE: in the case of a netfilter mark, the mark must be set on
+# the connection (using the CONNMARK target) not on the packet
+# (MARK target).
+#
+# miss-mask=0xFF
+# Allows you to mask certain bits in the TOS or mark value
+# received from the remote server, before copying the value to
+# the TOS sent towards clients.
+# Default for tos: 0xFF (TOS from server is not changed).
+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
+#
+# All of these features require the --enable-zph-qos compilation flag
+# (enabled by default). Netfilter marking also requires the
+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
+# libcap 2.09+ (--with-libcap).
+#
+#Default:
+# none
+
+# TAG: tcp_outgoing_address
+# Allows you to map requests to different outgoing IP addresses
+# based on the username or source address of the user making
+# the request.
+#
+# tcp_outgoing_address ipaddr [[!]aclname] ...
+#
+# For example;
+# Forwarding clients with dedicated IPs for certain subnets.
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
+#
+# tcp_outgoing_address 2001:db8::c001 good_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
+#
+# tcp_outgoing_address 2001:db8::beef normal_service_net
+# tcp_outgoing_address 10.1.0.1 normal_service_net
+#
+# tcp_outgoing_address 2001:db8::1
+# tcp_outgoing_address 10.1.0.3
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Squid will add an implicit IP version test to each line.
+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+#
+#
+# NOTE: The use of this directive using client dependent ACLs is
+# incompatible with the use of server side persistent connections. To
+# ensure correct results it is best to set server_persistent_connections
+# to off when using this directive in such configurations.
+#
+# NOTE: The use of this directive to set a local IP on outgoing TCP links
+# is incompatible with using TPROXY to set client IP out outbound TCP links.
+# When needing to contact peers use the no-tproxy cache_peer option and the
+# client_dst_passthru directive re-enable normal forwarding such as this.
+#
+#Default:
+# Address selection is performed by the operating system.
+
+# TAG: host_verify_strict
+# Regardless of this option setting, when dealing with intercepted
+# traffic, Squid always verifies that the destination IP address matches
+# the Host header domain or IP (called 'authority form URL').
+#
+# This enforcement is performed to satisfy a MUST-level requirement in
+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
+# authority of the origin server or gateway given by the original URL".
+#
+# When set to ON:
+# Squid always responds with an HTTP 409 (Conflict) error
+# page and logs a security warning if there is no match.
+#
+# Squid verifies that the destination IP address matches
+# the Host header for forward-proxy and reverse-proxy traffic
+# as well. For those traffic types, Squid also enables the
+# following checks, comparing the corresponding Host header
+# and Request-URI components:
+#
+# * The host names (domain or IP) must be identical,
+# but valueless or missing Host header disables all checks.
+# For the two host names to match, both must be either IP
+# or FQDN.
+#
+# * Port numbers must be identical, but if a port is missing
+# the scheme-default port is assumed.
+#
+#
+# When set to OFF (the default):
+# Squid allows suspicious requests to continue but logs a
+# security warning and blocks caching of the response.
+#
+# * Forward-proxy traffic is not checked at all.
+#
+# * Reverse-proxy traffic is not checked at all.
+#
+# * Intercepted traffic which passes verification is handled
+# according to client_dst_passthru.
+#
+# * Intercepted requests which fail verification are sent
+# to the client original destination instead of DIRECT.
+# This overrides 'client_dst_passthru off'.
+#
+# For now suspicious intercepted CONNECT requests are always
+# responded to with an HTTP 409 (Conflict) error page.
+#
+#
+# SECURITY NOTE:
+#
+# As described in CVE-2009-0801 when the Host: header alone is used
+# to determine the destination of a request it becomes trivial for
+# malicious scripts on remote websites to bypass browser same-origin
+# security policy and sandboxing protections.
+#
+# The cause of this is that such applets are allowed to perform their
+# own HTTP stack, in which case the same-origin policy of the browser
+# sandbox only verifies that the applet tries to contact the same IP
+# as from where it was loaded at the IP level. The Host: header may
+# be different from the connected IP and approved origin.
+#
+#Default:
+# host_verify_strict off
+
+# TAG: client_dst_passthru
+# With NAT or TPROXY intercepted traffic Squid may pass the request
+# directly to the original client destination IP or seek a faster
+# source using the HTTP Host header.
+#
+# Using Host to locate alternative servers can provide faster
+# connectivity with a range of failure recovery options.
+# But can also lead to connectivity trouble when the client and
+# server are attempting stateful interactions unaware of the proxy.
+#
+# This option (on by default) prevents alternative DNS entries being
+# located to send intercepted traffic DIRECT to an origin server.
+# The clients original destination IP and port will be used instead.
+#
+# Regardless of this option setting, when dealing with intercepted
+# traffic Squid will verify the Host: header and any traffic which
+# fails Host verification will be treated as if this option were ON.
+#
+# see host_verify_strict for details on the verification process.
+#Default:
+# client_dst_passthru on
+
+# SSL OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ssl_unclean_shutdown
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Some browsers (especially MSIE) bugs out on SSL shutdown
+# messages.
+#Default:
+# ssl_unclean_shutdown off
+
+# TAG: ssl_engine
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# The OpenSSL engine to use. You will need to set this if you
+# would like to use hardware SSL acceleration for example.
+#Default:
+# none
+
+# TAG: sslproxy_client_certificate
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Client SSL Certificate to use when proxying https:// URLs
+#Default:
+# none
+
+# TAG: sslproxy_client_key
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Client SSL Key to use when proxying https:// URLs
+#Default:
+# none
+
+# TAG: sslproxy_version
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# SSL version level to use when proxying https:// URLs
+#
+# The versions of SSL/TLS supported:
+#
+# 1 automatic (default)
+# 2 SSLv2 only
+# 3 SSLv3 only
+# 4 TLSv1.0 only
+# 5 TLSv1.1 only
+# 6 TLSv1.2 only
+#Default:
+# automatic SSL/TLS version negotiation
+
+# TAG: sslproxy_options
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Colon (:) or comma (,) separated list of SSL implementation options
+# to use when proxying https:// URLs
+#
+# The most important being:
+#
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+#
+# SINGLE_DH_USE
+# Always create a new key when using temporary/ephemeral
+# DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets. Some servers
+# may have problems understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds suggested as "harmless"
+# by OpenSSL. Be warned that this may reduce SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# complete list of possible options.
+#
+# WARNING: This directive takes a single token. If a space is used
+# the value(s) after that space are SILENTLY IGNORED.
+#Default:
+# none
+
+# TAG: sslproxy_cipher
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# SSL cipher list to use when proxying https:// URLs
+#
+# Colon separated list of supported ciphers.
+#Default:
+# none
+
+# TAG: sslproxy_cafile
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# file containing CA certificates to use when verifying server
+# certificates while proxying https:// URLs
+#Default:
+# none
+
+# TAG: sslproxy_capath
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# directory containing CA certificates to use when verifying
+# server certificates while proxying https:// URLs
+#Default:
+# none
+
+# TAG: sslproxy_session_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the timeout value for SSL sessions
+#Default:
+# sslproxy_session_ttl 300
+
+# TAG: sslproxy_session_cache_size
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the cache size to use for ssl session
+#Default:
+# sslproxy_session_cache_size 2 MB
+
+# TAG: sslproxy_foreign_intermediate_certs
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Many origin servers fail to send their full server certificate
+# chain for verification, assuming the client already has or can
+# easily locate any missing intermediate certificates.
+#
+# Squid uses the certificates from the specified file to fill in
+# these missing chains when trying to validate origin server
+# certificate chains.
+#
+# The file is expected to contain zero or more PEM-encoded
+# intermediate certificates. These certificates are not treated
+# as trusted root certificates, and any self-signed certificate in
+# this file will be ignored.
+#Default:
+# none
+
+# TAG: sslproxy_cert_sign_hash
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the hashing algorithm to use when signing generated certificates.
+# Valid algorithm names depend on the OpenSSL library used. The following
+# names are usually available: sha1, sha256, sha512, and md5. Please see
+# your OpenSSL library manual for the available hashes. By default, Squids
+# that support this option use sha256 hashes.
+#
+# Squid does not forcefully purge cached certificates that were generated
+# with an algorithm other than the currently configured one. They remain
+# in the cache, subject to the regular cache eviction policy, and become
+# useful if the algorithm changes again.
+#Default:
+# none
+
+# TAG: ssl_bump
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# This option is consulted when a CONNECT request is received on
+# an http_port (or a new connection is intercepted at an
+# https_port), provided that port was configured with an ssl-bump
+# flag. The subsequent data on the connection is either treated as
+# HTTPS and decrypted OR tunneled at TCP level without decryption,
+# depending on the first matching bumping "action".
+#
+# ssl_bump [!]acl ...
+#
+# The following bumping actions are currently supported:
+#
+# splice
+# Become a TCP tunnel without decrypting proxied traffic.
+# This is the default action.
+#
+# bump
+# Establish a secure connection with the server and, using a
+# mimicked server certificate, with the client.
+#
+# peek
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of splicing the
+# connection. Peeking at the server certificate (during step 2)
+# usually precludes bumping of the connection at step 3.
+#
+# stare
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of bumping the
+# connection. Staring at the server certificate (during step 2)
+# usually precludes splicing of the connection at step 3.
+#
+# terminate
+# Close client and server connections.
+#
+# Backward compatibility actions available at step SslBump1:
+#
+# client-first
+# Bump the connection. Establish a secure connection with the
+# client first, then connect to the server. This old mode does
+# not allow Squid to mimic server SSL certificate and does not
+# work with intercepted SSL connections.
+#
+# server-first
+# Bump the connection. Establish a secure connection with the
+# server first, then establish a secure connection with the
+# client, using a mimicked server certificate. Works with both
+# CONNECT requests and intercepted SSL connections, but does
+# not allow to make decisions based on SSL handshake info.
+#
+# peek-and-splice
+# Decide whether to bump or splice the connection based on
+# client-to-squid and server-to-squid SSL hello messages.
+# XXX: Remove.
+#
+# none
+# Same as the "splice" action.
+#
+# All ssl_bump rules are evaluated at each of the supported bumping
+# steps. Rules with actions that are impossible at the current step are
+# ignored. The first matching ssl_bump action wins and is applied at the
+# end of the current step. If no rules match, the splice action is used.
+# See the at_step ACL for a list of the supported SslBump steps.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
+#
+#
+# # Example: Bump all TLS connections except those originating from
+# # localhost or those going to example.com.
+#
+# acl broken_sites ssl::server_name .example.com
+# ssl_bump splice localhost
+# ssl_bump splice broken_sites
+# ssl_bump bump all
+#Default:
+# Become a TCP tunnel without decrypting proxied traffic.
+
+# TAG: sslproxy_flags
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Various flags modifying the use of SSL while proxying https:// URLs:
+# DONT_VERIFY_PEER Accept certificates that fail verification.
+# For refined control, see sslproxy_cert_error.
+# NO_DEFAULT_CA Don't use the default CA list built in
+# to OpenSSL.
+#Default:
+# none
+
+# TAG: sslproxy_cert_error
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Use this ACL to bypass server certificate validation errors.
+#
+# For example, the following lines will bypass all validation errors
+# when talking to servers for example.com. All other
+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+#
+# acl BrokenButTrustedServers dstdomain example.com
+# sslproxy_cert_error allow BrokenButTrustedServers
+# sslproxy_cert_error deny all
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Using slow acl types may result in server crashes
+#
+# Without this option, all server certificate validation errors
+# terminate the transaction to protect Squid and the client.
+#
+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+# but should not happen unless your OpenSSL library is buggy.
+#
+# SECURITY WARNING:
+# Bypassing validation errors is dangerous because an
+# error usually implies that the server cannot be trusted
+# and the connection may be insecure.
+#
+# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#Default:
+# Server certificate errors terminate the transaction.
+
+# TAG: sslproxy_cert_sign
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_sign acl ...
+#
+# The following certificate signing algorithms are supported:
+#
+# signTrusted
+# Sign using the configured CA certificate which is usually
+# placed in and trusted by end-user browsers. This is the
+# default for trusted origin server certificates.
+#
+# signUntrusted
+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+# This is the default for untrusted origin server certificates
+# that are not self-signed (see ssl::certUntrusted).
+#
+# signSelf
+# Sign using a self-signed certificate with the right CN to
+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+# browser. This is the default for self-signed origin server
+# certificates (see ssl::certSelfSigned).
+#
+# This clause only supports fast acl types.
+#
+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+# signing algorithm to generate the certificate and ignores all
+# subsequent sslproxy_cert_sign options (the first match wins). If no
+# acl(s) match, the default signing algorithm is determined by errors
+# detected when obtaining and validating the origin server certificate.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslproxy_cert_adapt
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_adapt acl ...
+#
+# The following certificate adaptation algorithms are supported:
+#
+# setValidAfter
+# Sets the "Not After" property to the "Not After" property of
+# the CA certificate used to sign generated certificates.
+#
+# setValidBefore
+# Sets the "Not Before" property to the "Not Before" property of
+# the CA certificate used to sign generated certificates.
+#
+# setCommonName or setCommonName{CN}
+# Sets Subject.CN property to the host name specified as a
+# CN parameter or, if no explicit CN parameter was specified,
+# extracted from the CONNECT request. It is a misconfiguration
+# to use setCommonName without an explicit parameter for
+# intercepted or tproxied SSL connections.
+#
+# This clause only supports fast acl types.
+#
+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+# corresponding adaptation algorithm to generate the certificate and
+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+# group (i.e., the first match wins within each algorithm group). If no
+# acl(s) match, the default mimicking action takes place.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslpassword_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify a program used for entering SSL key passphrases
+# when using encrypted SSL certificate keys. If not specified
+# keys must either be unencrypted, or Squid started with the -N
+# option to allow it to query interactively for the passphrase.
+#
+# The key file name is given as argument to the program allowing
+# selection of the right password if you have multiple encrypted
+# keys.
+#Default: +# none + +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- + +# TAG: sslcrtd_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specify the location and options of the executable for ssl_crtd process. +# /usr/lib/squid/ssl_crtd program requires -s and -M parameters +# For more information use: +# /usr/lib/squid/ssl_crtd -h +#Default: +# sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB + +# TAG: sslcrtd_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# The maximum number of processes spawn to service ssl server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# You must have at least one ssl_crtd process. +#Default: +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. 
The default value is 2048
+#Default:
+# none
+
+# TAG: sslcrtvalidator_children
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# The maximum number of processes spawn to service SSL server.
+# The maximum this may be safely set to is 32.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each certificate validator helper can handle in
+# parallel. A value of 0 indicates the certficate validator does not
+# support concurrency. Defaults to 1.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# a request ID in front of the request/response. The request
+# ID from the request must be echoed back with the response
+# to that request.
+#
+# You must have at least one ssl_crt_validator process.
+#Default:
+# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
+
+# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
+# -----------------------------------------------------------------------------
+
+# TAG: cache_peer
+# To specify other caches in a hierarchy, use the format:
+#
+# cache_peer hostname type http-port icp-port [options]
+#
+# For example,
+#
+# # proxy icp
+# # hostname type port port options
+# # -------------------- -------- ----- ----- -----------
+# cache_peer parent.foo.net parent 3128 3130 default
+# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
+# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
+# cache_peer example.com parent 80 0 default
+# cache_peer cdn.example.com sibling 3128 0
+#
+# type: either 'parent', 'sibling', or 'multicast'.
+#
+# proxy-port: The port number where the peer accept HTTP requests.
+# For other Squid proxies this is usually 3128
+# For web servers this is usually 80
+#
+# icp-port: Used for querying neighbor caches about objects.
+# Set to 0 if the peer does not support ICP or HTCP.
+# See ICP and HTCP options below for additional details.
+#
+#
+# ==== ICP OPTIONS ====
+#
+# You MUST also set icp_port and icp_access explicitly when using these options.
+# The defaults will prevent peer traffic using ICP.
+#
+#
+# no-query Disable ICP queries to this neighbor.
+#
+# multicast-responder
+# Indicates the named peer is a member of a multicast group.
+# ICP queries will not be sent directly to the peer, but ICP
+# replies will be accepted from it.
+#
+# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
+# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
+#
+# background-ping
+# To only send ICP queries to this neighbor infrequently.
+# This is used to keep the neighbor round trip time updated
+# and is usually used in conjunction with weighted-round-robin.
+#
+#
+# ==== HTCP OPTIONS ====
+#
+# You MUST also set htcp_port and htcp_access explicitly when using these options.
+# The defaults will prevent peer traffic using HTCP.
+#
+#
+# htcp Send HTCP, instead of ICP, queries to the neighbor.
+# You probably also want to set the "icp-port" to 4827
+# instead of 3130. This directive accepts a comma separated
+# list of options described below.
+#
+# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
+#
+# htcp=no-clr Send HTCP to the neighbor but without
+# sending any CLR requests. This cannot be used with
+# only-clr.
+#
+# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
+# This cannot be used with no-clr.
+#
+# htcp=no-purge-clr
+# Send HTCP to the neighbor including CLRs but only when
+# they do not result from PURGE requests.
+#
+# htcp=forward-clr
+# Forward any HTCP CLR requests this proxy receives to the peer.
+#
+#
+# ==== PEER SELECTION METHODS ====
+#
+# The default peer selection method is ICP, with the first responding peer
+# being used as source. These options can be used for better load balancing.
+#
+#
+# default This is a parent cache which can be used as a "last-resort"
+# if a peer cannot be located by any of the peer-selection methods.
+# If specified more than once, only the first is used.
+#
+# round-robin Load-Balance parents which should be used in a round-robin
+# fashion in the absence of any ICP queries.
+# weight=N can be used to add bias.
+#
+# weighted-round-robin
+# Load-Balance parents which should be used in a round-robin
+# fashion with the frequency of each parent being based on the
+# round trip time. Closer parents are used more often.
+# Usually used for background-ping parents.
+# weight=N can be used to add bias.
+#
+# carp Load-Balance parents which should be used as a CARP array.
+# The requests will be distributed among the parents based on the
+# CARP load balancing hash function based on their weight.
+#
+# userhash Load-balance parents based on the client proxy_auth or ident username.
+#
+# sourcehash Load-balance parents based on the client source IP.
+#
+# multicast-siblings
+# To be used only for cache peers of type "multicast".
+# ALL members of this multicast group have "sibling"
+# relationship with it, not "parent". This is to a multicast
+# group when the requested object would be fetched only from
+# a "parent" cache, anyway. It's useful, e.g., when
+# configuring a pool of redundant Squid proxies, being
+# members of the same multicast group.
+#
+#
+# ==== PEER SELECTION OPTIONS ====
+#
+# weight=N use to affect the selection of a peer during any weighted
+# peer-selection mechanisms.
+# The weight must be an integer; default is 1,
+# larger weights are favored more.
+# This option does not affect parent selection if a peering
+# protocol is not in use.
+#
+# basetime=N Specify a base amount to be subtracted from round trip
+# times of parents.
+# It is subtracted before division by weight in calculating
+# which parent to fectch from. If the rtt is less than the
+# base time the rtt is set to a minimal value.
+#
+# ttl=N Specify a TTL to use when sending multicast ICP queries
+# to this address.
+# Only useful when sending to a multicast group.
+# Because we don't accept ICP replies from random
+# hosts, you must configure other group members as
+# peers with the 'multicast-responder' option.
+#
+# no-delay To prevent access to this neighbor from influencing the
+# delay pools.
+#
+# digest-url=URL Tell Squid to fetch the cache digest (if digests are
+# enabled) for this host from the specified URL rather
+# than the Squid default location.
+#
+#
+# ==== CARP OPTIONS ====
+#
+# carp-key=key-specification
+# use a different key than the full URL to hash against the peer.
+# the key-specification is a comma-separated list of the keywords
+# scheme, host, port, path, params
+# Order is not important.
+#
+# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
+#
+# originserver Causes this parent to be contacted as an origin server.
+# Meant to be used in accelerator setups when the peer
+# is a web server.
+#
+# forceddomain=name
+# Set the Host header of requests forwarded to this peer.
+# Useful in accelerator setups where the server (peer)
+# expects a certain domain name but clients may request
+# others. ie example.com or www.example.com
+#
+# no-digest Disable request of cache digests.
+#
+# no-netdb-exchange
+# Disables requesting ICMP RTT database (NetDB).
+#
+#
+# ==== AUTHENTICATION OPTIONS ====
+#
+# login=user:password
+# If this is a personal/workgroup proxy and your parent
+# requires proxy authentication.
+#
+# Note: The string can include URL escapes (i.e. %20 for
+# spaces). This also means % must be written as %%.
+#
+# login=PASSTHRU
+# Send login details received from client to this peer.
+# Both Proxy- and WWW-Authorization headers are passed
+# without alteration to the peer.
+# Authentication is not required by Squid for this to work.
+#
+# Note: This will pass any form of authentication but
+# only Basic auth will work through a proxy unless the
+# connection-auth options are also used.
+#
+# login=PASS Send login details received from client to this peer.
+# Authentication is not required by this option.
+#
+# If there are no client-provided authentication headers
+# to pass on, but username and password are available
+# from an external ACL user= and password= result tags
+# they may be sent instead.
+#
+# Note: To combine this with proxy_auth both proxies must
+# share the same user database as HTTP only allows for
+# a single login (one for proxy, one for origin server).
+# Also be warned this will expose your users proxy
+# password to the peer. USE WITH CAUTION
+#
+# login=*:password
+# Send the username to the upstream cache, but with a
+# fixed password.
This is meant to be used when the peer
+# is in another administrative domain, but it is still
+# needed to identify each user.
+# The star can optionally be followed by some extra
+# information which is added to the username. This can
+# be used to identify this proxy to the peer, similar to
+# the login=username:password option above.
+#
+# login=NEGOTIATE
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The first principal from the default keytab or defined by
+# the environment variable KRB5_KTNAME will be used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# login=NEGOTIATE:principal_name
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The principal principal_name from the default keytab or
+# defined by the environment variable KRB5_KTNAME will be
+# used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# connection-auth=on|off
+# Tell Squid that this peer does or not support Microsoft
+# connection oriented authentication, and any such
+# challenges received from there should be ignored.
+# Default is auto to automatically determine the status
+# of the peer.
+#
+#
+# ==== SSL / HTTPS / TLS OPTIONS ====
+#
+# ssl Encrypt connections to this peer with SSL/TLS.
+#
+# sslcert=/path/to/ssl/certificate
+# A client SSL certificate to use when connecting to
+# this peer.
+#
+# sslkey=/path/to/ssl/key
+# The private SSL key corresponding to sslcert above.
+# If 'sslkey' is not specified 'sslcert' is assumed to
+# reference a combined file containing both the
+# certificate and the key.
+#
+# sslversion=1|2|3|4|5|6
+# The SSL version to use when connecting to this peer
+# 1 = automatic (default)
+# 2 = SSL v2 only
+# 3 = SSL v3 only
+# 4 = TLS v1.0 only
+# 5 = TLS v1.1 only
+# 6 = TLS v1.2 only
+#
+# sslcipher=... The list of valid SSL ciphers to use when connecting
+# to this peer.
+#
+# ssloptions=... Specify various SSL implementation options:
+#
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets. Some servers
+# may have problems understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# sslcafile=... A file containing additional CA certificates to use
+# when verifying the peer certificate.
+#
+# sslcapath=... A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+#
+# sslcrlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# sslflags=... Specify various flags modifying the SSL implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# NO_DEFAULT_CA
+# Don't use the default CA list built in
+# to OpenSSL.
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# ssldomain= The peer name as advertised in it's certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#
+# front-end-https
+# Enable the "Front-End-Https: On" header needed when
+# using Squid as a SSL frontend in front of Microsoft OWA.
+# See MS KB document Q307347 for details on this header.
+# If set to auto the header will only be added if the
+# request is forwarded as a https:// URL.
+#
+#
+# ==== GENERAL OPTIONS ====
+#
+# connect-timeout=N
+# A peer-specific connect timeout.
+# Also see the peer_connect_timeout directive.
+#
+# connect-fail-limit=N
+# How many times connecting to a peer must fail before
+# it is marked as down. Standby connection failures
+# count towards this limit. Default is 10.
+#
+# allow-miss Disable Squid's use of only-if-cached when forwarding
+# requests to siblings. This is primarily useful when
+# icp_hit_stale is used by the sibling. Excessive use
+# of this option may result in forwarding loops. One way
+# to prevent peering loops when using this option, is to
+# deny cache peer usage on requests from a peer:
+# acl fromPeer ...
+# cache_peer_access peerName deny fromPeer
+#
+# max-conn=N Limit the number of concurrent connections the Squid
+# may open to this peer, including already opened idle
+# and standby connections. There is no peer-specific
+# connection limit by default.
+#
+# A peer exceeding the limit is not used for new
+# requests unless a standby connection is available.
+#
+# max-conn currently works poorly with idle persistent
+# connections: When a peer reaches its max-conn limit,
+# and there are idle persistent connections to the peer,
+# the peer may not be selected because the limiting code
+# does not know whether Squid can reuse those idle
+# connections.
+#
+# standby=N Maintain a pool of N "hot standby" connections to an
+# UP peer, available for requests when no idle
+# persistent connection is available (or safe) to use.
+# By default and with zero N, no such pool is maintained.
+# N must not exceed the max-conn limit (if any).
+#
+# At start or after reconfiguration, Squid opens new TCP
+# standby connections until there are N connections
+# available and then replenishes the standby pool as
+# opened connections are used up for requests. A used
+# connection never goes back to the standby pool, but
+# may go to the regular idle persistent connection pool
+# shared by all peers and origin servers.
+#
+# Squid never opens multiple new standby connections
+# concurrently. This one-at-a-time approach minimizes
+# flooding-like effect on peers. Furthermore, just a few
+# standby connections should be sufficient in most cases
+# to supply most new requests with a ready-to-use
+# connection.
+#
+# Standby connections obey server_idle_pconn_timeout.
+# For the feature to work as intended, the peer must be
+# configured to accept and keep them open longer than
+# the idle timeout at the connecting Squid, to minimize
+# race conditions typical to idle used persistent
+# connections. Default request_timeout and
+# server_idle_pconn_timeout values ensure such a
+# configuration.
+#
+# name=xxx Unique name for the peer.
+# Required if you have multiple peers on the same host
+# but different ports.
+# This name can be used in cache_peer_access and similar
+# directives to identify the peer.
+# Can be used by outgoing access controls through the
+# peername ACL type.
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
+#Default:
+# none
+
+# TAG: cache_peer_domain
+# Use to limit the domains for which a neighbor cache will be
+# queried.
+#
+# Usage:
+# cache_peer_domain cache-host domain [domain ...]
+# cache_peer_domain cache-host !domain
+#
+# For example, specifying
+#
+# cache_peer_domain parent.foo.net .edu
+#
+# has the effect such that UDP query packets are sent to
+# 'bigserver' only when the requested object exists on a
+# server in the .edu domain. Prefixing the domainname
+# with '!' means the cache will be queried for objects
+# NOT in that domain.
+#
+# NOTE: * Any number of domains may be given for a cache-host,
+# either on the same or separate lines.
+# * When multiple domains are given for a particular
+# cache-host, the first matched domain is applied.
+# * Cache hosts with no domain restrictions are queried
+# for all requests.
+# * There are no defaults.
+# * There is also a 'cache_peer_access' tag in the ACL
+# section.
+#Default:
+# none
+
+# TAG: cache_peer_access
+# Restricts usage of cache_peer proxies.
+#
+# Usage:
+# cache_peer_access peer-name allow|deny [!]aclname ...
+#
+# For the required peer-name parameter, use either the value of the
+# cache_peer name=value parameter or, if name=value is missing, the
+# cache_peer hostname parameter.
+#
+# This directive narrows down the selection of peering candidates, but
+# does not determine the order in which the selected candidates are
+# contacted. That order is determined by the peer selection algorithms
+# (see PEER SELECTION sections in the cache_peer documentation).
+#
+# If a deny rule matches, the corresponding peer will not be contacted
+# for the current transaction -- Squid will not send ICP queries and
+# will not forward HTTP requests to that peer. An allow match leaves
+# the corresponding peer in the selection. The first match for a given
+# peer wins for that peer.
+#
+# The relative order of cache_peer_access directives for the same peer
+# matters. The relative order of any two cache_peer_access directives
+# for different peers does not matter. To ease interpretation, it is a
+# good idea to group cache_peer_access directives for the same peer
+# together.
+#
+# A single cache_peer_access directive may be evaluated multiple times
+# for a given transaction because individual peer selection algorithms
+# may check it independently from each other. These redundant checks
+# may be optimized away in future Squid versions.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# No peer usage restrictions.
+
+# TAG: neighbor_type_domain
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
+#
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
+#
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
+#Default:
+# The peer type from cache_peer directive is used for all requests to that peer.
+
+# TAG: dead_peer_timeout (seconds)
+# This controls how long Squid waits to declare a peer cache
+# as "dead." If there are no ICP replies received in this
+# amount of time, Squid will declare the peer dead and not
+# expect to receive any further ICP replies. However, it
+# continues to send ICP queries, and will mark the peer as
+# alive upon receipt of the first subsequent ICP reply.
+#
+# This timeout also affects when Squid expects to receive ICP
+# replies from peers. If more than 'dead_peer' seconds have
+# passed since the last ICP reply was received, Squid will not
+# expect to receive an ICP reply on the next query. Thus, if
+# your time between requests is greater than this timeout, you
+# will see a lot of requests sent DIRECT to origin servers
+# instead of to your parents.
+#Default:
+# dead_peer_timeout 10 seconds
+
+# TAG: forward_max_tries
+# Controls how many different forward paths Squid will try
+# before giving up. See also forward_timeout.
+#
+# NOTE: connect_retries (default: none) can make each of these
+# possible forwarding paths be tried multiple times.
+#Default:
+# forward_max_tries 25
+
+# MEMORY CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mem (bytes)
+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+#
+# 'cache_mem' specifies the ideal amount of memory to be used
+# for:
+# * In-Transit objects
+# * Hot Objects
+# * Negative-Cached objects
+#
+# Data for these objects are stored in 4 KB blocks. This
+# parameter specifies the ideal upper limit on the total size of
+# 4 KB blocks allocated. In-Transit objects take the highest
+# priority.
+#
+# In-transit objects have priority over the others. When
+# additional space is needed for incoming data, negative-cached
+# and hot objects will be released. In other words, the
+# negative-cached and hot objects will fill up any unused space
+# not needed for in-transit objects.
+#
+# If circumstances require, this limit will be exceeded.
+# Specifically, if your incoming request rate requires more than
+# 'cache_mem' of memory to hold in-transit objects, Squid will
+# exceed this limit to satisfy the new requests. When the load
+# decreases, blocks will be freed until the high-water mark is
+# reached. Thereafter, blocks will be used to store hot
+# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
+#Default:
+# cache_mem 256 MB
+
+# TAG: maximum_object_size_in_memory (bytes)
+# Objects greater than this size will not be attempted to kept in
+# the memory cache.
This should be set high enough to keep objects
+# accessed frequently in memory to improve performance whilst low
+# enough to keep larger objects from hoarding cache_mem.
+#Default:
+# maximum_object_size_in_memory 512 KB
+
+# TAG: memory_cache_shared on|off
+# Controls whether the memory cache is shared among SMP workers.
+#
+# The shared memory cache is meant to occupy cache_mem bytes and replace
+# the non-shared memory cache, although some entities may still be
+# cached locally by workers for now (e.g., internal and in-transit
+# objects may be served from a local memory cache even if shared memory
+# caching is enabled).
+#
+# By default, the memory cache is shared if and only if all of the
+# following conditions are satisfied: Squid runs in SMP mode with
+# multiple workers, cache_mem is positive, and Squid environment
+# supports required IPC primitives (e.g., POSIX shared memory segments
+# and GCC-style atomic operations).
+#
+# To avoid blocking locks, shared memory uses opportunistic algorithms
+# that do not guarantee that every cachable entity that could have been
+# shared among SMP workers will actually be shared.
+#Default:
+# "on" where supported if doing memory caching with multiple SMP workers.
+
+# TAG: memory_cache_mode
+# Controls which objects to keep in the memory cache (cache_mem)
+#
+# always Keep most recently fetched objects in memory (default)
+#
+# disk Only disk cache hits are kept in memory, which means
+# an object must first be cached on disk and then hit
+# a second time before cached in memory.
+#
+# network Only objects fetched from network is kept in memory
+#Default:
+# Keep the most recently fetched objects in memory
+
+# TAG: memory_replacement_policy
+# The memory replacement policy parameter determines which
+# objects are purged from memory when memory space is needed.
+#
+# See cache_replacement_policy for details on algorithms.
+#Default:
+# memory_replacement_policy lru
+
+# DISK CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_replacement_policy
+# The cache replacement policy parameter determines which
+# objects are evicted (replaced) when disk space is needed.
+#
+# lru : Squid's original list based LRU policy
+# heap GDSF : Greedy-Dual Size Frequency
+# heap LFUDA: Least Frequently Used with Dynamic Aging
+# heap LRU : LRU policy implemented using a heap
+#
+# Applies to any cache_dir lines listed below this directive.
+#
+# The LRU policies keeps recently referenced objects.
+#
+# The heap GDSF policy optimizes object hit rate by keeping smaller
+# popular objects in cache so it has a better chance of getting a
+# hit. It achieves a lower byte hit rate than LFUDA though since
+# it evicts larger (possibly popular) objects.
+#
+# The heap LFUDA policy keeps popular objects in cache regardless of
+# their size and thus optimizes byte hit rate at the expense of
+# hit rate since one large, popular object will prevent many
+# smaller, slightly less popular objects from being cached.
+#
+# Both policies utilize a dynamic aging mechanism that prevents
+# cache pollution that can otherwise occur with frequency-based
+# replacement policies.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# the value of maximum_object_size above its default of 4 MB to
+# to maximize the potential byte hit rate improvement of LFUDA.
+#
+# For more information about the GDSF and LFUDA cache replacement
+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+#Default:
+# cache_replacement_policy lru
+
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in bytes, and the default is 0 KB, which
+# means all responses can be stored.
+#Default:
+# no limit
+
+# TAG: maximum_object_size (bytes)
+# Set the default value for max-size parameter on any cache_dir.
+# The value is specified in bytes, and the default is 4 MB.
+#
+# If you wish to get a high BYTES hit ratio, you should probably
+# increase this (one 32 MB object hit counts for 3200 10KB
+# hits).
+#
+# If you wish to increase hit ratio more than you want to
+# save bandwidth you should leave this low.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# this value to maximize the byte hit rate improvement of LFUDA!
+# See cache_replacement_policy for a discussion of this policy.
+#Default:
+# maximum_object_size 4 MB
+
+# TAG: cache_dir
+# Format:
+# cache_dir Type Directory-Name Fs-specific-data [options]
+#
+# You can specify multiple cache_dir lines to spread the
+# cache among different disk partitions.
+#
+# Type specifies the kind of storage system to use. Only "ufs"
+# is built by default. To enable any of the other storage systems
+# see the --enable-storeio configure option.
+#
+# 'Directory' is a top-level directory where cache swap
+# files will be stored. If you want to use an entire disk
+# for caching, this can be the mount-point directory.
+# The directory must exist and be writable by the Squid
+# process. Squid will NOT create this directory for you.
+#
+# In SMP configurations, cache_dir must not precede the workers option
+# and should use configuration macros or conditionals to give each
+# worker interested in disk caching a dedicated cache directory.
+#
+#
+# ==== The ufs store type ====
+#
+# "ufs" is the old well-known Squid storage format that has always
+# been there.
+#
+# Usage:
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+#
+# 'Mbytes' is the amount of disk space (MB) to use under this
+# directory. The default is 100 MB. Change this to suit your
+# configuration. Do NOT put the size of your disk drive here.
+# Instead, if you want Squid to use the entire disk drive,
+# subtract 20% and use that value.
+#
+# 'L1' is the number of first-level subdirectories which
+# will be created under the 'Directory'. The default is 16.
+#
+# 'L2' is the number of second-level subdirectories which
+# will be created under each first-level directory. The default
+# is 256.
+#
+#
+# ==== The aufs store type ====
+#
+# "aufs" uses the same storage format as "ufs", utilizing
+# POSIX-threads to avoid blocking the main Squid process on
+# disk-I/O. This was formerly known in Squid as async-io.
+#
+# Usage:
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+#
+# see argument descriptions under ufs above
+#
+#
+# ==== The diskd store type ====
+#
+# "diskd" uses the same storage format as "ufs", utilizing a
+# separate process to avoid blocking the main Squid process on
+# disk-I/O.
+#
+# Usage:
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+#
+# see argument descriptions under ufs above
+#
+# Q1 specifies the number of unacknowledged I/O requests when Squid
+# stops opening new files. If this many messages are in the queues,
+# Squid won't open new files. Default is 64
+#
+# Q2 specifies the number of unacknowledged messages when Squid
+# starts blocking. If this many messages are in the queues,
+# Squid blocks until it receives some replies. Default is 72
+#
+# When Q1 < Q2 (the default), the cache directory is optimized
+# for lower response time at the expense of a decrease in hit
+# ratio. If Q1 > Q2, the cache directory is optimized for
+# higher hit ratio at the expense of an increase in response
+# time.
+#
+#
+# ==== The rock store type ====
+#
+# Usage:
+# cache_dir rock Directory-Name Mbytes [options]
+#
+# The Rock Store type is a database-style storage. All cached
+# entries are stored in a "database" file, using fixed-size slots.
+# A single entry occupies one or more slots.
+#
+# If possible, Squid using Rock Store creates a dedicated kid
+# process called "disker" to avoid blocking Squid worker(s) on disk
+# I/O. One disker kid is created for each rock cache_dir. Diskers
+# are created only when Squid, running in daemon mode, has support
+# for the IpcIo disk I/O module.
+#
+# swap-timeout=msec: Squid will not start writing a miss to or
+# reading a hit from disk if it estimates that the swap operation
+# will take more than the specified number of milliseconds. By
+# default and when set to zero, disables the disk I/O time limit
+# enforcement. Ignored when using blocking I/O module because
+# blocking synchronous I/O does not allow Squid to estimate the
+# expected swap wait time.
+#
+# max-swap-rate=swaps/sec: Artificially limits disk access using
+# the specified I/O rate limit. Swap out requests that
+# would cause the average I/O rate to exceed the limit are
+# delayed. Individual swap in requests (i.e., hits or reads) are
+# not delayed, but they do contribute to measured swap rate and
+# since they are placed in the same FIFO queue as swap out
+# requests, they may wait longer if max-swap-rate is smaller.
+# This is necessary on file systems that buffer "too
+# many" writes and then start blocking Squid and other processes
+# while committing those writes to disk. Usually used together
+# with swap-timeout to avoid excessive delays and queue overflows
+# when disk demand exceeds available disk "bandwidth". By default
+# and when set to zero, disables the disk I/O rate limit
+# enforcement. Currently supported by IpcIo module only.
+#
+# slot-size=bytes: The size of a database "record" used for
+# storing cached responses. A cached response occupies at least
+# one slot and all database I/O is done using individual slots so
+# increasing this parameter leads to more disk space waste while
+# decreasing it leads to more disk I/O overheads. Should be a
+# multiple of your operating system I/O page size. Defaults to
+# 16KBytes.
A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. 
+#
+#
+# round-robin
+#
+# This algorithm is suited to caches with unequal cache_dir
+# disk sizes.
+#
+# Each cache_dir is selected in a rotation. The next suitable
+# cache_dir is used.
+#
+# Available cache_dir capacity is only considered in relation
+# to whether the object will fit and meets the min-size and
+# max-size parameters.
+#
+# Disk I/O loading is only considered to prevent overload on slow
+# disks. This algorithm does not spread objects by size, so any
+# I/O loading per-disk may appear very unbalanced and volatile.
+#
+# If several cache_dirs use similar min-size, max-size, or other
+# limits to to reject certain responses, then do not group such
+# cache_dir lines together, to avoid round-robin selection bias
+# towards the first cache_dir after the group. Instead, interleave
+# cache_dir lines from different groups. For example:
+#
+# store_dir_select_algorithm round-robin
+# cache_dir rock /hdd1 ... min-size=100000
+# cache_dir rock /ssd1 ... max-size=99999
+# cache_dir rock /hdd2 ... min-size=100000
+# cache_dir rock /ssd2 ... max-size=99999
+# cache_dir rock /hdd3 ... min-size=100000
+# cache_dir rock /ssd3 ... max-size=99999
+#Default:
+# store_dir_select_algorithm least-load
+
+# TAG: max_open_disk_fds
+# To avoid having disk as the I/O bottleneck Squid can optionally
+# bypass the on-disk cache if more than this amount of disk file
+# descriptors are open.
+#
+# A value of 0 indicates no limit.
+#Default:
+# no limit
+
+# TAG: cache_swap_low (percent, 0-100)
+# The low-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above this low-water mark and attempts to maintain utilization
+# near the low-water mark.
+#
+# As swap utilization increases towards the high-water mark set
+# by cache_swap_high object eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_high and cache_replacement_policy
+#Default:
+# cache_swap_low 90
+
+# TAG: cache_swap_high (percent, 0-100)
+# The high-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above the low-water mark set by cache_swap_low and attempts to
+# maintain utilization near the low-water mark.
+#
+# As swap utilization increases towards this high-water mark object
+# eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_low and cache_replacement_policy
+#Default:
+# cache_swap_high 95
+
+# LOGFILE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: logformat
+# Usage:
+#
+# logformat
+#
+# Defines an access log format.
+#
+# The is a string with embedded % format codes
+#
+# % format codes all follow the same basic structure where all but
+# the formatcode is optional. Output strings are automatically escaped
+# as required according to their context and the output format
+# modifiers are usually not needed, but can be specified if an explicit
+# output format is desired.
+#
+# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
+#
+# " output in quoted string format
+# [ output in squid text log format as used by log_mime_hdrs
+# # output in URL quoted format
+# ' output as-is
+#
+# - left aligned
+#
+# width minimum and/or maximum field width:
+# [width_min][.width_max]
+# When minimum starts with 0, the field is zero-padded.
+# String values exceeding maximum width are truncated.
+#
+# {arg} argument such as header name etc
+#
+# Format codes:
+#
+# % a literal % character
+# sn Unique sequence number per log line entry
+# err_code The ID of an error response served by Squid or
+# a similar internal error identifier.
+# err_detail Additional err_code-dependent error information.
+# note The annotation specified by the argument. Also
+# logs the adaptation meta headers set by the
+# adaptation_meta configuration parameter.
+# If no argument given all annotations logged.
+# The argument may include a separator to use with
+# annotation values:
+# name[:separator]
+# By default, multiple note values are separated with ","
+# and multiple notes are separated with "\r\n".
+# When logging named notes with %{name}note, the
+# explicitly configured separator is used between note
+# values. When logging all notes with %note, the
+# explicitly configured separator is used between
+# individual notes. There is currently no way to
+# specify both value and notes separators when logging
+# all notes with %note.
+#
+# Connection related format codes:
+#
+# >a Client source IP address
+# >A Client FQDN
+# >p Client source port
+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+# >la Local IP address the client connected to
+# >lp Local port number the client connected to
+# >qos Client connection TOS/DSCP value set by Squid
+# >nfmark Client connection netfilter mark set by Squid
+#
+# la Local listening IP address the client connection was connected to.
+# lp Local listening port number the client connection was connected to.
+#
+# . format.
+# Currently, Squid considers the master transaction
+# started when a complete HTTP request header initiating
+# the transaction is received from the client. This is
+# the same value that Squid uses to calculate transaction
+# response time when logging %tr to access.log. Currently,
+# Squid uses millisecond resolution for %tS values,
+# similar to the default access.log "current time" field
+# (%ts.%03tu).
+#
+# Access Control related format codes:
+#
+# et Tag returned by external acl
+# ea Log string returned by external acl
+# un User name (any available)
+# ul User name from authentication
+# ue User name from external acl helper
+# ui User name from ident
+# un A user name. Expands to the first available name
+# from the following list of information sources:
+# - authenticated user name, like %ul
+# - user name supplied by an external ACL, like %ue
+# - SSL client name, like %us
+# - ident user name, like %ui
+# credentials Client credentials. The exact meaning depends on
+# the authentication scheme: For Basic authentication,
+# it is the password; for Digest, the realm sent by the
+# client; for NTLM and Negotiate, the client challenge
+# or client credentials prefixed with "YR " or "KK ".
+#
+# HTTP related format codes:
+#
+# REQUEST
+#
+# [http::]rm Request method (GET/POST etc)
+# [http::]>rm Request method from client
+# [http::]ru Request URL from client
+# [http::]rs Request URL scheme from client
+# [http::]rd Request URL domain from client
+# [http::]rP Request URL port from client
+# [http::]rp Request URL path excluding hostname from client
+# [http::]rv Request protocol version from client
+# [http::]h Original received request header.
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Accepts optional header field name/value filter
+# argument using name[:[separator]element] format.
+# [http::]>ha Received request header after adaptation and
+# redirection (pre-cache REQMOD vectoring point).
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Optional header name argument as for >h
+#
+#
+# RESPONSE
+#
+# [http::]Hs HTTP status code sent to the client
+#
+# [http::]h
+#
+# [http::]mt MIME content type
+#
+#
+# SIZE COUNTERS
+#
+# [http::]st Total size of request + reply traffic with client
+# [http::]>st Total size of request received from client.
+# Excluding chunked encoding bytes.
+# [http::]sh Size of request headers received from client
+# [http::]sni SSL client SNI sent to Squid. Available only
+# after the peek, stare, or splice SSL bumping
+# actions.
+#
+# If ICAP is enabled, the following code becomes available (as
+# well as ICAP log codes documented with the icap_log option):
+#
+# icap::tt Total ICAP processing time for the HTTP
+# transaction. The timer ticks when ICAP
+# ACLs are checked and when ICAP
+# transaction is in progress.
+#
+# If adaptation is enabled the following three codes become available:
+#
+# adapt::cert_subject The Subject field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Subject often has spaces.
+#
+# %ssl::>cert_issuer The Issuer field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Issuer often has spaces.
+#
+# The default formats available (which do not need re-defining) are:
+#
+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+#logformat useragent %>a [%tl] "%{User-Agent}>h"
+#
+# NOTE: When the log_mime_hdrs directive is set to ON.
+# The squid, common and combined formats have a safely encoded copy
+# of the mime headers appended to each line within a pair of brackets.
+#
+# NOTE: The common and combined formats are not quite true to the Apache definition.
+# The logs from Squid contain an extra status and hierarchy code appended.
+#
+#Default:
+# The format definitions squid, common, combined, referrer, useragent are built in.
+
+# TAG: access_log
+# Configures whether and how Squid logs HTTP and ICP transactions.
+# If access logging is enabled, a single line is logged for every
+# matching HTTP or ICP request. The recommended directive formats are:
+#
+# access_log : [option ...] [acl acl ...]
+# access_log none [acl acl ...]
+#
+# The following directive format is accepted but may be deprecated:
+# access_log : [ [acl acl ...]]
+#
+# In most cases, the first ACL name must not contain the '=' character
+# and should not be equal to an existing logformat name. You can always
+# start with an 'all' ACL to work around those restrictions.
+#
+# Will log to the specified module:place using the specified format (which
+# must be defined in a logformat directive) those entries which match
+# ALL the acl's specified (which must be defined in acl clauses).
+# If no acl is specified, all requests will be logged to this destination.
+#
+# ===== Available options for the recommended directive format =====
+#
+# logformat=name Names log line format (either built-in or
+# defined by a logformat directive). Defaults
+# to 'squid'.
+#
+# buffer-size=64KB Defines approximate buffering limit for log
+# records (see buffered_logs). Squid should not
+# keep more than the specified size and, hence,
+# should flush records before the buffer becomes
+# full to avoid overflows under normal
+# conditions (the exact flushing algorithm is
+# module-dependent though). The on-error option
+# controls overflow handling.
+#
+# on-error=die|drop Defines action on unrecoverable errors. The
+# 'drop' action ignores (i.e., does not log)
+# affected log records. The default 'die' action
+# kills the affected worker. The drop action
+# support has not been tested for modules other
+# than tcp.
+#
+# ===== Modules Currently available =====
+#
+# none Do not log any requests matching these ACL.
+# Do not specify Place or logformat name.
+#
+# stdio Write each log line to disk immediately at the completion of
+# each request.
+# Place: the filename and path to be written.
+#
+# daemon Very similar to stdio. But instead of writing to disk the log
+# line is passed to a daemon helper for asychronous handling instead.
+# Place: varies depending on the daemon.
+#
+# log_file_daemon Place: the file name and path to be written.
+#
+# syslog To log each request via syslog facility.
+# Place: The syslog facility and priority level for these entries.
+# Place Format: facility.priority
+#
+# where facility could be any of:
+# authpriv, daemon, local0 ... local7 or user.
+#
+# And priority could be any of:
+# err, warning, notice, info, debug.
+#
+# udp To send each log line as text data to a UDP receiver.
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# tcp To send each log line as text data to a TCP receiver.
+# Lines may be accumulated before sending (see buffered_logs).
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# Default:
+# access_log daemon:/var/log/squid/access.log squid
+#Default:
+# access_log daemon:/var/log/squid/access.log squid
+
+# TAG: icap_log
+# ICAP log files record ICAP transaction summaries, one line per
+# transaction.
+#
+# The icap_log option format is:
+# icap_log [ [acl acl ...]]
+# icap_log none [acl acl ...]]
+#
+# Please see access_log option documentation for details. The two
+# kinds of logs share the overall configuration approach and many
+# features.
+#
+# ICAP processing of a single HTTP message or transaction may
+# require multiple ICAP transactions. In such cases, multiple
+# ICAP transaction log lines will correspond to a single access
+# log line.
+#
+# ICAP log supports many access.log logformat %codes. In ICAP context,
+# HTTP message-related %codes are applied to the HTTP message embedded
+# in an ICAP message. Logformat "%http::>..." codes are used for HTTP
+# messages embedded in ICAP requests while "%http::<..." codes are used
+# for HTTP messages embedded in ICAP responses. For example:
+#
+# http::>h To-be-adapted HTTP message headers sent by Squid to
+# the ICAP service. For REQMOD transactions, these are
+# HTTP request headers. For RESPMOD, these are HTTP
+# response headers, but Squid currently cannot log them
+# (i.e., %http::>h will expand to "-" for RESPMOD).
+#
+# http::st The total size of the ICAP request sent to the ICAP
+# server (ICAP headers + ICAP body), including chunking
+# metadata (if any).
+#
+# icap::h ICAP request header(s). Similar to >h.
+#
+# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data
+# R\n - rotate file
+# T\n - truncate file
+# O\n - reopen file
+# F\n - flush file
+# r\n - set rotate count to
+# b\n - 1 = buffer output, 0 = don't buffer output
+#
+# No responses is expected.
+#Default:
+# logfile_daemon /usr/lib/squid/log_file_daemon
+
+# TAG: stats_collection allow|deny acl acl...
+# This options allows you to control which requests gets accounted
+# in performance counters.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow logging for all transactions.
+
+# TAG: cache_store_log
+# Logs the activities of the storage manager. Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long.
+# There are not really utilities to analyze this data, so you can safely
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
+# Example:
+# cache_store_log stdio:/var/log/squid/store.log
+# cache_store_log daemon:/var/log/squid/store.log
+#Default:
+# none
+
+# TAG: cache_swap_state
+# Location for the cache "swap.state" file. This index file holds
+# the metadata of objects saved on disk. It is used to rebuild
+# the cache during startup. Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file. If you change the order of the 'cache_dir'
+# lines in this file, these index files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend you do NOT use this option. It is
+# better to keep these index files in each 'cache_dir' directory.
+#Default:
+# Store the journal inside its cache_dir
+
+# TAG: logfile_rotate
+# Specifies the number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9. Setting logfile_rotate to 0 will
+# disable the file name rotation, but the logfiles are still closed
+# and re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# '.
+#
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
+#
+# Note2, for Debian/Linux the default of logfile_rotate is
+# zero, since it includes external logfile-rotation methods.
+#Default:
+# logfile_rotate 0
+
+# TAG: mime_table
+# Path to Squid's icon configuration file.
+#
+# You shouldn't need to change this, but the default file contains
+# examples and formatting information if you do.
+#Default:
+# mime_table /usr/share/squid/mime.conf
+
+# TAG: log_mime_hdrs on|off
+# The Cache can record both the request and the response MIME
+# headers for each HTTP transaction. The headers are encoded
+# safely and will appear as two bracketed fields at the end of
+# the access log (for either the native or httpd-emulated log
+# formats). To enable this logging set log_mime_hdrs to 'on'.
+#Default:
+# log_mime_hdrs off
+
+# TAG: pid_filename
+# A filename to write the process-id to. To disable, enter "none".
+#Default:
+# pid_filename /var/run/squid.pid
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#Default:
+# Log full client IP address
+
+# TAG: strip_query_terms
+# By default, Squid strips query terms from requested URLs before
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
+#Default:
+# strip_query_terms on
+
+# TAG: buffered_logs on|off
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks. Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
+#Default:
+# buffered_logs off
+
+# TAG: netdb_filename
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
+#
+# To disable, enter "none".
+#Default:
+# netdb_filename stdio:/var/log/squid/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
+#Default:
+# cache_log /var/log/squid/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section. Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# The default is to run with "ALL,1" to record important warnings.
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# Log all critical and important messages.
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started. If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# Use the directory from where Squid was started.
+#
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# OPTIONS FOR FTP GATEWAYING
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky FTP servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some FTP server also validate the email address is valid
+# (for example perl.com).
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, turn off this option.
+#
+# Use of ftp_epsv_all option requires this to be ON.
+#Default:
+# ftp_passive on
+
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator, as the EPRT command will never be used and therefore,
+# translation of the data portion of the segments will never be needed.
+#
+# When a client only expects to do two-way FTP transfers this may be
+# useful.
+# If squid finds that it must do a three-way FTP transfer after issuing
+# an EPSV ALL command, the FTP session will fail.
+#
+# If you have any doubts about this option do not use it.
+# Squid will nicely attempt all other connection methods.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv_all off
+
+# TAG: ftp_epsv
+# FTP Protocol extensions permit the use of a special "EPSV" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator using EPSV, as the EPRT command will never be used
+# and therefore, translation of the data portion of the segments
+# will never be needed.
+#
+# EPSV is often required to interoperate with FTP servers on IPv6
+# networks. On the other hand, it may break some IPv4 servers.
+#
+# By default, EPSV may try EPSV with any FTP server. To fine tune
+# that decision, you may restrict EPSV to certain clients or servers
+# using ACLs:
+#
+# ftp_epsv allow|deny al1 acl2 ...
+#
+# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
+#
+# Only fast ACLs are supported.
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# none
+
+# TAG: ftp_eprt
+# FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+# This extension provides a protocol neutral alternative to the
+# IPv4-only PORT command. When supported it enables active FTP data
+# channels over IPv6 and efficient NAT handling.
+#
+# Turning this OFF will prevent EPRT being attempted and will skip
+# straight to using PORT for IPv4 servers.
+#
+# Some devices are known to not handle this extension correctly and
+# may result in crashes. Devices which suport EPRT enough to fail
+# cleanly will result in Squid attempting PORT anyway. This directive
+# should only be disabled when EPRT results in device failures.
+#
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
+# TAG: ftp_sanitycheck
+# For security and data integrity reasons Squid by default performs
+# sanity checks of the addresses of FTP data connections ensure the
+# data connection is to the requested server. If you need to allow
+# FTP connections to servers using another IP address for the data
+# connection turn this off.
+#Default:
+# ftp_sanitycheck on
+
+# TAG: ftp_telnet_protocol
+# The FTP protocol is officially defined to use the telnet protocol
+# as transport channel for the control connection. However, many
+# implementations are broken and does not respect this aspect of
+# the FTP protocol.
+#
+# If you have trouble accessing files with ASCII code 255 in the
+# path or similar problems involving this ASCII code you can
+# try setting this directive to off. If that helps, report to the
+# operator of the FTP server in question that their FTP server
+# is broken and does not follow the FTP standard.
+#Default:
+# ftp_telnet_protocol on
+
+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+# -----------------------------------------------------------------------------
+
+# TAG: diskd_program
+# Specify the location of the diskd executable.
+# Note this is only useful if you have compiled in
+# diskd as one of the store io modules.
+#Default:
+# diskd_program /usr/lib/squid/diskd
+
+# TAG: unlinkd_program
+# Specify the location of the executable for file deletion process.
+#Default:
+# unlinkd_program /usr/lib/squid/unlinkd
+
+# TAG: pinger_program
+# Specify the location of the executable for the pinger process.
+#Default:
+# pinger_program /usr/lib/squid/pinger
+
+# TAG: pinger_enable
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable on
+
+# OPTIONS FOR URL REWRITING
+# -----------------------------------------------------------------------------
+
+# TAG: url_rewrite_program
+# Specify the location of the executable URL rewriter to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the rewriter will receive on line with the format
+#
+# [channel-ID ] URL [ extras]
+#
+# See url_rewrite_extras on how to send "extras" with optional values to
+# the helper.
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK status=30N url="..."
+# Redirect the URL to the one supplied in 'url='.
+# 'status=' is optional and contains the status code to send
+# the client in Squids HTTP response. It must be one of the
+# HTTP redirect status codes: 301, 302, 303, 307, 308.
+# When no status is given Squid will use 302.
+#
+# OK rewrite-url="..."
+# Rewrite the URL to the one supplied in 'rewrite-url='.
+# The new URL is fetched directly by Squid and returned to
+# the client as the response to its request.
+#
+# OK
+# When neither of url= and rewrite-url= are sent Squid does
+# not change the URL.
+#
+# ERR
+# Do not change the URL.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified. The 'message=' key name is
+# reserved for delivering a log message.
+#
+#
+# In addition to the above kv-pairs Squid also understands the following
+# optional kv-pairs received from URL rewriters:
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. +# +# By default, a URL rewriter is not used. +#Default: +# none + +# TAG: url_rewrite_children +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. 
A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each redirector helper can handle in
+# parallel. Defaults to 0 which indicates the redirector
+# is a old-style single threaded redirector.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#Default:
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: url_rewrite_host_header
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
+# WARNING: Entries are cached on the result of the URL rewriting
+# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
+#Default:
+# url_rewrite_host_header on
+
+# TAG: url_rewrite_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: url_rewrite_bypass
+# When this is 'on', a request will not go through the
+# redirector if all the helpers are busy. If this is 'off'
+# and the redirector queue grows too large, Squid will exit
+# with a FATAL error and ask you to increase the number of
+# redirectors. You should only enable this if the redirectors
+# are not critical to your caching system.
If you use
+# redirectors for access control, and you enable this option,
+# users may have access to pages they should not
+# be allowed to request.
+#Default:
+# url_rewrite_bypass off
+
+# TAG: url_rewrite_extras
+# Specifies a string to be append to request line format for the
+# rewriter helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# OPTIONS FOR STORE ID
+# -----------------------------------------------------------------------------
+
+# TAG: store_id_program
+# Specify the location of the executable StoreID helper to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the helper will receive one line with the format
+#
+# [channel-ID ] URL [ extras]
+#
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK store-id="..."
+# Use the StoreID supplied in 'store-id='.
+#
+# ERR
+# The default is to use HTTP request URL as the store ID.
+#
+# BH
+# An internal error occured in the helper, preventing
+# a result being identified.
+#
+# In addition to the above kv-pairs Squid also understands the following
+# optional kv-pairs received from URL rewriters:
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation for this
+# kv-pair
+#
+# Helper programs should be prepared to receive and possibly ignore
+# additional whitespace-separated tokens on each input line.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# NOTE: when using StoreID refresh_pattern will apply to the StoreID
+# returned from the helper and not the URL.
+#
+# WARNING: Wrong StoreID value returned by a careless helper may result
+# in the wrong cached response returned to the user.
+#
+# By default, a StoreID helper is not used.
+#Default:
+# none
+
+# TAG: store_id_extras
+# Specifies a string to be append to request line format for the
+# StoreId helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: store_id_children
+# The maximum number of StoreID helper processes to spawn. If you limit
+# it too few Squid will have to wait for them to process a backlog of
+# requests, slowing it down. If you allow too many they will use RAM
+# and other system resources noticably.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each storeID helper can handle in
+# parallel. Defaults to 0 which indicates the helper
+# is a old-style single threaded program.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#Default:
+# store_id_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: store_id_access
+# If defined, this access list specifies which requests are
+# sent to the StoreID processes. By default all requests
+# are sent.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: store_id_bypass
+# When this is 'on', a request will not go through the
+# helper if all helpers are busy. If this is 'off'
+# and the helper queue grows too large, Squid will exit
+# with a FATAL error and ask you to increase the number of
+# helpers. You should only enable this if the helperss
+# are not critical to your caching system. If you use
+# helpers for critical caching components, and you enable this
+# option, users may not get objects from cache.
+#Default:
+# store_id_bypass on
+
+# OPTIONS FOR TUNING THE CACHE
+# -----------------------------------------------------------------------------
+
+# TAG: cache
+# Requests denied by this directive will not be served from the cache
+# and their responses will not be stored in the cache. This directive
+# has no effect on other transactions and on already cached responses.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# This and the two other similar caching directives listed below are
+# checked at different transaction processing stages, have different
+# access to response information, affect different cache operations,
+# and differ in slow ACLs support:
+#
+# * cache: Checked before Squid makes a hit/miss determination.
+# No access to reply information!
+# Denies both serving a hit and storing a miss.
+# Supports both fast and slow ACLs.
+# * send_hit: Checked after a hit was detected.
+# Has access to reply (hit) information.
+# Denies serving a hit only.
+# Supports fast ACLs only.
+# * store_miss: Checked before storing a cachable miss.
+# Has access to reply (miss) information.
+# Denies storing a miss only.
+# Supports fast ACLs only.
+#
+# If you are not sure which of the three directives to use, apply the
+# following decision logic:
+#
+# * If your ACL(s) are of slow type _and_ need response info, redesign.
+# Squid does not support that particular combination at this time.
+# Otherwise:
+# * If your directive ACL(s) are of slow type, use "cache"; and/or
+# * if your directive ACL(s) need no response info, use "cache".
+# Otherwise:
+# * If you do not want the response cached, use store_miss; and/or
+# * if you do not want a hit on a cached response, use send_hit.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: send_hit
+# Responses denied by this directive will not be served from the cache
+# (but may still be cached, see store_miss). This directive has no
+# effect on the responses it allows and on the cached objects.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives.
+#
+# Unlike the "cache" directive, send_hit only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# For example:
+#
+# # apply custom Store ID mapping to some URLs
+# acl MapMe dstdomain .c.example.com
+# store_id_program ...
+# store_id_access allow MapMe
+#
+# # but prevent caching of special responses
+# # such as 302 redirects that cause StoreID loops
+# acl Ordinary http_status 200-299
+# store_miss deny MapMe !Ordinary
+#
+# # and do not serve any previously stored special responses
+# # from the cache (in case they were already cached before
+# # the above store_miss rule was in effect).
+# send_hit deny MapMe !Ordinary
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: store_miss
+# Responses denied by this directive will not be cached (but may still
+# be served from the cache, see send_hit). This directive has no
+# effect on the responses it allows and on the already cached responses.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives. See the
+# send_hit directive for a usage example.
+#
+# Unlike the "cache" directive, store_miss only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: max_stale time-units
+# This option puts an upper limit on how stale content Squid
+# will serve from the cache if cache validation fails.
+# Can be overriden by the refresh_pattern max-stale option.
+#Default:
+# max_stale 1 week
+
+# TAG: refresh_pattern
+# usage: refresh_pattern [-i] regex min percent max [options]
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# 'Min' is the time (in minutes) an object without an explicit
+# expiry time should be considered fresh. The recommended
+# value is 0, any higher values may cause dynamic applications
+# to be erroneously cached unless the application designer
+# has taken the appropriate actions.
+#
+# 'Percent' is a percentage of the objects age (time since last
+# modification age) an object without explicit expiry time
+# will be considered fresh.
+#
+# 'Max' is an upper limit on how long objects without an explicit
+# expiry time will be considered fresh.
+#
+# options: override-expire
+# override-lastmod
+# reload-into-ims
+# ignore-reload
+# ignore-no-store
+# ignore-must-revalidate
+# ignore-private
+# ignore-auth
+# max-stale=NN
+# refresh-ims
+# store-stale
+#
+# override-expire enforces min age even if the server
+# sent an explicit expiry time (e.g., with the
+# Expires: header or Cache-Control: max-age). Doing this
+# VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# Note: override-expire does not enforce staleness - it only extends
+# freshness / min. If the server returns a Expires time which
+# is longer than your max time, Squid will still consider
+# the object fresh for that period of time.
+#
+# override-lastmod enforces min age even on objects
+# that were modified recently.
+#
+# reload-into-ims changes a client no-cache or ``reload''
+# request for a cached entry into a conditional request using
+# If-Modified-Since and/or If-None-Match headers, provided the
+# cached entry has a Last-Modified and/or a strong ETag header.
+# Doing this VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# ignore-reload ignores a client no-cache or ``reload''
+# header. Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which
+# it causes.
+#
+# ignore-no-store ignores any ``Cache-control: no-store''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-private ignores any ``Cache-control: private''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-auth caches responses to requests with authorization,
+# as if the originserver had sent ``Cache-control: public''
+# in the response header. Doing this VIOLATES the HTTP standard.
+# Enabling this feature could make you liable for problems which
+# it causes.
+#
+# refresh-ims causes squid to contact the origin server
+# when a client issues an If-Modified-Since request. This
+# ensures that the client will receive an updated version
+# if one is available.
+#
+# store-stale stores responses even if they don't have explicit
+# freshness or a validator (i.e., Last-Modified or an ETag)
+# present, or if they're already stale. By default, Squid will
+# not cache such responses because they usually can't be
+# reused. Note that such responses will be stale by default.
+#
+# max-stale=NN provide a maximum staleness factor. Squid won't
+# serve objects more stale than this even if it failed to
+# validate the object. Default: use the max_stale global limit.
+#
+# Basically a cached object is:
+#
+# FRESH if expire > now, else STALE
+# STALE if age > max
+# FRESH if lm-factor < percent, else STALE
+# FRESH if age < min
+# else STALE
+#
+# The refresh_pattern lines are checked in the order listed here.
+# The first entry which matches is used. If none of the entries
+# match the default will be used.
+#
+# Note, you must uncomment all the default lines if you want
+# to change one. The default setting is only active if none is
+# used.
+#
+#
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern .
0 20% 4320
+
+# TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
+# TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
+# TAG: quick_abort_pct (percent)
+# The cache by default continues downloading aborted requests
+# which are almost completed (less than 16 KB remaining). This
+# may be undesirable on slow (e.g. SLIP) links and/or very busy
+# caches. Impatient users may tie up file descriptors and
+# bandwidth by repeatedly requesting and immediately aborting
+# downloads.
+#
+# When the user aborts a request, Squid will check the
+# quick_abort values to the amount of data transferred until
+# then.
+#
+# If the transfer has less than 'quick_abort_min' KB remaining,
+# it will finish the retrieval.
+#
+# If the transfer has more than 'quick_abort_max' KB remaining,
+# it will abort the retrieval.
+#
+# If more than 'quick_abort_pct' of the transfer has completed,
+# it will finish the retrieval.
+#
+# If you do not want any retrieval to continue after the client
+# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+# to '0 KB'.
+#
+# If you want retrievals to always continue if they are being
+# cached set 'quick_abort_min' to '-1 KB'.
+#Default:
+# quick_abort_pct 95
+
+# TAG: read_ahead_gap buffer-size
+# The amount of data the cache will buffer ahead of what has been
+# sent to the client when retrieving an object from another server.
+#Default:
+# read_ahead_gap 16 KB
+
+# TAG: negative_ttl time-units
+# Set the Default Time-to-Live (TTL) for failed requests.
+# Certain types of failures (such as "connection refused" and
+# "404 Not Found") are able to be negatively-cached for a short time.
+# Modern web servers should provide Expires: header, however if they
+# do not this can provide a minimum TTL.
+# The default is not to cache errors with unknown expiry details.
+#
+# Note that this is different from negative caching of DNS lookups.
+#
+# WARNING: Doing this VIOLATES the HTTP standard.
Enabling
+# this feature could make you liable for problems which it
+# causes.
+#Default:
+# negative_ttl 0 seconds
+
+# TAG: positive_dns_ttl time-units
+# Upper limit on how long Squid will cache positive DNS responses.
+# Default is 6 hours (360 minutes). This directive must be set
+# larger than negative_dns_ttl.
+#Default:
+# positive_dns_ttl 6 hours
+
+# TAG: negative_dns_ttl time-units
+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
+# This also sets the lower cache limit on positive lookups.
+# Minimum value is 1 second, and it is not recommendable to go
+# much below 10 seconds.
+#Default:
+# negative_dns_ttl 1 minutes
+
+# TAG: range_offset_limit size [acl acl...]
+# usage: (size) [units] [[!]aclname]
+#
+# Sets an upper limit on how far (number of bytes) into the file
+# a Range request may be to cause Squid to prefetch the whole file.
+# If beyond this limit, Squid forwards the Range request as it is and
+# the result is NOT cached.
+#
+# This is to stop a far ahead range request (lets say start at 17MB)
+# from making Squid fetch the whole object up to that point before
+# sending anything to the client.
+#
+# Multiple range_offset_limit lines may be specified, and they will
+# be searched from top to bottom on each request until a match is found.
+# The first match found will be used. If no line matches a request, the
+# default limit of 0 bytes will be used.
+#
+# 'size' is the limit specified as a number of units.
+#
+# 'units' specifies whether to use bytes, KB, MB, etc.
+# If no units are specified bytes are assumed.
+#
+# A size of 0 causes Squid to never fetch more than the
+# client requested. (default)
+#
+# A size of 'none' causes Squid to always fetch the object from the
+# beginning so it may cache the result. (2.0 style)
+#
+# 'aclname' is the name of a defined ACL.
+#
+# NP: Using 'none' as the byte value here will override any quick_abort settings
+# that may otherwise apply to the range request.
The range request will
+# be fully fetched from start to finish regardless of the client
+# actions. This affects bandwidth usage.
+#Default:
+# none
+
+# TAG: minimum_expiry_time (seconds)
+# The minimum caching time according to (Expires - Date)
+# headers Squid honors if the object can't be revalidated.
+# The default is 60 seconds.
+#
+# In reverse proxy environments it might be desirable to honor
+# shorter object lifetimes. It is most likely better to make
+# your server return a meaningful Last-Modified header however.
+#
+# In ESI environments where page fragments often have short
+# lifetimes, this will often be best set to 0.
+#Default:
+# minimum_expiry_time 60 seconds
+
+# TAG: store_avg_object_size (bytes)
+# Average object size, used to estimate number of objects your
+# cache can hold. The default is 13 KB.
+#
+# This is used to pre-seed the cache index memory allocation to
+# reduce expensive reallocate operations while handling clients
+# traffic. Too-large values may result in memory allocation during
+# peak traffic, too-small values will result in wasted memory.
+#
+# Check the cache manager 'info' report metrics for the real
+# object sizes seen by your Squid before tuning this.
+#Default:
+# store_avg_object_size 13 KB
+
+# TAG: store_objects_per_bucket
+# Target number of objects per bucket in the store hash table.
+# Lowering this value increases the total number of buckets and
+# also the storage maintenance rate. The default is 20.
+#Default:
+# store_objects_per_bucket 20
+
+# HTTP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: request_header_max_size (KB)
+# This specifies the maximum size for HTTP headers in a request.
+# Request headers are usually relatively small (about 512 bytes).
+# Placing a limit on the request header size will catch certain
+# bugs (for example with persistent connections) and possibly
+# buffer-overflow or denial-of-service attacks.
+#Default:
+# request_header_max_size 64 KB
+
+# TAG: reply_header_max_size (KB)
+# This specifies the maximum size for HTTP headers in a reply.
+# Reply headers are usually relatively small (about 512 bytes).
+# Placing a limit on the reply header size will catch certain
+# bugs (for example with persistent connections) and possibly
+# buffer-overflow or denial-of-service attacks.
+#Default:
+# reply_header_max_size 64 KB
+
+# TAG: request_body_max_size (bytes)
+# This specifies the maximum size for an HTTP request body.
+# In other words, the maximum size of a PUT/POST request.
+# A user who attempts to send a request with a body larger
+# than this limit receives an "Invalid Request" error message.
+# If you set this parameter to a zero (the default), there will
+# be no limit imposed.
+#
+# See also client_request_buffer_max_size for an alternative
+# limitation on client uploads which can be configured.
+#Default:
+# No limit.
+
+# TAG: client_request_buffer_max_size (bytes)
+# This specifies the maximum buffer size of a client request.
+# It prevents squid eating too much memory when somebody uploads
+# a large file.
+#Default:
+# client_request_buffer_max_size 512 KB
+
+# TAG: broken_posts
+# A list of ACL elements which, if matched, causes Squid to send
+# an extra CRLF pair after the body of a PUT/POST request.
+#
+# Some HTTP servers has broken implementations of PUT/POST,
+# and rely on an extra CRLF pair sent by some WWW clients.
+#
+# Quote from RFC2616 section 4.1 on this matter:
+#
+# Note: certain buggy HTTP/1.0 client implementations generate an
+# extra CRLF's after a POST request. To restate what is explicitly
+# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
+# a request with an extra CRLF.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# acl buggy_server url_regex ^http://....
+# broken_posts allow buggy_server
+#Default:
+# Obey RFC 2616.
+
+# TAG: adaptation_uses_indirect_client on|off
+# Controls whether the indirect client IP address (instead of the direct
+# client IP address) is passed to adaptation services.
+#
+# See also: follow_x_forwarded_for adaptation_send_client_ip
+#Default:
+# adaptation_uses_indirect_client on
+
+# TAG: via on|off
+# If set (default), Squid will include a Via header in requests and
+# replies as required by RFC2616.
+#Default:
+# via on
+
+# TAG: ie_refresh on|off
+# Microsoft Internet Explorer up until version 5.5 Service
+# Pack 1 has an issue with transparent proxies, wherein it
+# is impossible to force a refresh. Turning this on provides
+# a partial fix to the problem, by causing all IMS-REFRESH
+# requests from older IE versions to check the origin server
+# for fresh content. This reduces hit ratio by some amount
+# (~10% in my experience), but allows users to actually get
+# fresh content when they want it. Note because Squid
+# cannot tell if the user is using 5.5 or 5.5SP1, the behavior
+# of 5.5 is unchanged from old versions of Squid (i.e. a
+# forced refresh is impossible). Newer versions of IE will,
+# hopefully, continue to have the new behavior and will be
+# handled based on that assumption. This option defaults to
+# the old Squid behavior, which is better for hit ratios but
+# worse for clients using IE, if they need to be able to
+# force fresh content.
+#Default:
+# ie_refresh off
+
+# TAG: vary_ignore_expire on|off
+# Many HTTP servers supporting Vary gives such objects
+# immediate expiry time with no cache-control header
+# when requested by a HTTP/1.0 client. This option
+# enables Squid to ignore such expiry times until
+# HTTP/1.1 is fully implemented.
+#
+# WARNING: If turned on this may eventually cause some
+# varying objects not intended for caching to get cached.
+#Default:
+# vary_ignore_expire off
+
+# TAG: request_entities
+# Squid defaults to deny GET and HEAD requests with request entities,
+# as the meaning of such requests are undefined in the HTTP standard
+# even if not explicitly forbidden.
+#
+# Set this directive to on if you have clients which insists
+# on sending request entities in GET or HEAD requests. But be warned
+# that there is server software (both proxies and web servers) which
+# can fail to properly process this kind of request which may make you
+# vulnerable to cache pollution attacks if enabled.
+#Default:
+# request_entities off
+
+# TAG: request_header_access
+# Usage: request_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option replaces the old 'anonymize_headers' and the
+# older 'http_anonymizer' option with something that is much
+# more configurable. A list of ACLs for each header name allows
+# removal of specific header fields under specific conditions.
+#
+# This option only applies to outgoing HTTP request headers (i.e.,
+# headers sent by Squid to the next HTTP hop such as a cache peer
+# or an origin server). The option has no effect during cache hit
+# detection. The equivalent adaptation vectoring point in ICAP
+# terminology is post-cache REQMOD.
+#
+# The option is applied to individual outgoing request header
+# fields. For each request header field F, Squid uses the first
+# qualifying sets of request_header_access rules:
+#
+# 1. Rules with header_name equal to F's name.
+# 2. Rules with header_name 'Other', provided F's name is not
+# on the hard-coded list of commonly used HTTP header names.
+# 3. Rules with header_name 'All'.
+#
+# Within that qualifying rule set, rule ACLs are checked as usual.
+# If ACLs of an "allow" rule match, the header field is allowed to
+# go through as is.
If ACLs of a "deny" rule match, the header is
+# removed and request_header_replace is then checked to identify
+# if the removed header has a replacement. If no rules within the
+# set have matching ACLs, the header field is left as is.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# request_header_access From deny all
+# request_header_access Referer deny all
+# request_header_access User-Agent deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# request_header_access Authorization allow all
+# request_header_access Proxy-Authorization allow all
+# request_header_access Cache-Control allow all
+# request_header_access Content-Length allow all
+# request_header_access Content-Type allow all
+# request_header_access Date allow all
+# request_header_access Host allow all
+# request_header_access If-Modified-Since allow all
+# request_header_access Pragma allow all
+# request_header_access Accept allow all
+# request_header_access Accept-Charset allow all
+# request_header_access Accept-Encoding allow all
+# request_header_access Accept-Language allow all
+# request_header_access Connection allow all
+# request_header_access All deny all
+#
+# HTTP reply headers are controlled with the reply_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is performed).
+#Default:
+# No limits.
+
+# TAG: reply_header_access
+# Usage: reply_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option only applies to reply headers, i.e., from the
+# server to the client.
+#
+# This is the same as request_header_access, but in the other
+# direction. Please see request_header_access for detailed
+# documentation.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# reply_header_access Server deny all
+# reply_header_access WWW-Authenticate deny all
+# reply_header_access Link deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# reply_header_access Allow allow all
+# reply_header_access WWW-Authenticate allow all
+# reply_header_access Proxy-Authenticate allow all
+# reply_header_access Cache-Control allow all
+# reply_header_access Content-Encoding allow all
+# reply_header_access Content-Length allow all
+# reply_header_access Content-Type allow all
+# reply_header_access Date allow all
+# reply_header_access Expires allow all
+# reply_header_access Last-Modified allow all
+# reply_header_access Location allow all
+# reply_header_access Pragma allow all
+# reply_header_access Content-Language allow all
+# reply_header_access Retry-After allow all
+# reply_header_access Title allow all
+# reply_header_access Content-Disposition allow all
+# reply_header_access Connection allow all
+# reply_header_access All deny all
+#
+# HTTP request headers are controlled with the request_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is
+# performed).
+#Default:
+# No limits.
+
+# TAG: request_header_replace
+# Usage: request_header_replace header_name message
+# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+#
+# This option allows you to change the contents of headers
+# denied with request_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to request headers, not reply headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: reply_header_replace
+# Usage: reply_header_replace header_name message
+# Example: reply_header_replace Server Foo/1.0
+#
+# This option allows you to change the contents of headers
+# denied with reply_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to reply headers, not request headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: request_header_add
+# Usage: request_header_add field-name field-value acl1 [acl2] ...
+# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP requests (i.e.,
+# request headers sent by Squid to the next HTTP hop such as a
+# cache peer or an origin server). The option has no effect during
+# cache hit detection. The equivalent adaptation vectoring point
+# in ICAP terminology is post-cache REQMOD.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the request to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# In theory, all of the logformat codes can be used as %macros.
+# However, unlike logging (which happens at the very end of
+# transaction lifetime), the transaction may not yet have enough
+# information to expand a macro when the new header value is needed.
+# And some information may already be available to Squid but not yet
+# committed where the macro expansion code can access it (report
+# such instances!). The macro will be expanded into a single dash
+# ('-') in such cases. Not all macros have been tested.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching requests. As always in squid.conf, all
+# ACLs in an option ACL list must be satisfied for the insertion
+# to happen. The request_header_add option supports fast ACLs
+# only.
+#Default:
+# none
+
+# TAG: note
+# This option used to log custom information about the master
+# transaction. For example, an admin may configure Squid to log
+# which "user group" the transaction belongs to, where "user group"
+# will be determined based on a set of ACLs and not [just]
+# authentication information.
+# Values of key/value pairs can be logged using %{key}note macros:
+#
+# note key value acl ...
+# logformat myFormat ... %{key}note ...
+#Default:
+# none
+
+# TAG: relaxed_header_parser on|off|warn
+# In the default "on" setting Squid accepts certain forms
+# of non-compliant HTTP messages where it is unambiguous
+# what the sending application intended even if the message
+# is not correctly formatted. The messages is then normalized
+# to the correct form when forwarded by Squid.
+#
+# If set to "warn" then a warning will be emitted in cache.log
+# each time such HTTP error is encountered.
+#
+# If set to "off" then such HTTP errors will cause the request
+# or response to be rejected.
+#Default:
+# relaxed_header_parser on
+
+# TAG: collapsed_forwarding (on|off)
+# When enabled, instead of forwarding each concurrent request for
+# the same URL, Squid just sends the first of them. The other, so
+# called "collapsed" requests, wait for the response to the first
+# request and, if it happens to be cachable, use that response.
+# Here, "concurrent requests" means "received after the first
+# request headers were parsed and before the corresponding response
+# headers were parsed".
+#
+# This feature is disabled by default: enabling collapsed
+# forwarding needlessly delays forwarding requests that look
+# cachable (when they are collapsed) but then need to be forwarded
+# individually anyway because they end up being for uncachable
+# content. However, in some cases, such as acceleration of highly
+# cachable content with periodic or grouped expiration times, the
+# gains from collapsing [large volumes of simultaneous refresh
+# requests] outweigh losses from such delays.
+#
+# Squid collapses two kinds of requests: regular client requests
+# received on one of the listening ports and internal "cache
+# revalidation" requests which are triggered by those regular
+# requests hitting a stale cached object. Revalidation collapsing
+# is currently disabled for Squid instances containing SMP-aware
+# disk or memory caches and for Vary-controlled cached objects.
+#Default:
+# collapsed_forwarding off
+
+# TIMEOUTS
+# -----------------------------------------------------------------------------
+
+# TAG: forward_timeout time-units
+# This parameter specifies how long Squid should at most attempt in
+# finding a forwarding path for the request before giving up.
+#Default:
+# forward_timeout 4 minutes
+
+# TAG: connect_timeout time-units
+# This parameter specifies how long to wait for the TCP connect to
+# the requested server or peer to complete before Squid should
+# attempt to find another path where to forward the request.
+#Default:
+# connect_timeout 1 minute
+
+# TAG: peer_connect_timeout time-units
+# This parameter specifies how long to wait for a pending TCP
+# connection to a peer cache. The default is 30 seconds. You
+# may also set different timeout values for individual neighbors
+# with the 'connect-timeout' option on a 'cache_peer' line.
+#Default:
+# peer_connect_timeout 30 seconds
+
+# TAG: read_timeout time-units
+# Applied on peer server connections.
+#
+# After each successful read(), the timeout will be extended by this
+# amount. If no data is read again after this amount of time,
+# the request is aborted and logged with ERR_READ_TIMEOUT.
+#
+# The default is 15 minutes.
+#Default:
+# read_timeout 15 minutes
+
+# TAG: write_timeout time-units
+# This timeout is tracked for all connections that have data
+# available for writing and are waiting for the socket to become
+# ready. After each successful write, the timeout is extended by
+# the configured amount. If Squid has data to write but the
+# connection is not ready for the configured duration, the
+# transaction associated with the connection is terminated. The
+# default is 15 minutes.
+#Default:
+# write_timeout 15 minutes
+
+# TAG: request_timeout
+# How long to wait for complete HTTP request headers after initial
+# connection establishment.
+#Default:
+# request_timeout 5 minutes
+
+# TAG: client_idle_pconn_timeout
+# How long to wait for the next HTTP request on a persistent
+# client connection after the previous request completes.
+#Default:
+# client_idle_pconn_timeout 2 minutes
+
+# TAG: ftp_client_idle_timeout
+# How long to wait for an FTP request on a connection to Squid ftp_port.
+# Many FTP clients do not deal with idle connection closures well,
+# necessitating a longer default timeout than client_idle_pconn_timeout
+# used for incoming HTTP requests.
+#Default:
+# ftp_client_idle_timeout 30 minutes
+
+# TAG: client_lifetime time-units
+# The maximum amount of time a client (browser) is allowed to
+# remain connected to the cache process. This protects the Cache
+# from having a lot of sockets (and hence file descriptors) tied up
+# in a CLOSE_WAIT state from remote clients that go away without
+# properly shutting down (either because of a network failure or
+# because of a poor client implementation). The default is one
+# day, 1440 minutes.
+#
+# NOTE: The default value is intended to be much larger than any
+# client would ever need to be connected to your cache. You
+# should probably change client_lifetime only as a last resort.
+# If you seem to have many client connections tying up
+# filedescriptors, we recommend first tuning the read_timeout,
+# request_timeout, persistent_request_timeout and quick_abort values.
+#Default:
+# client_lifetime 1 day
+
+# TAG: half_closed_clients
+# Some clients may shutdown the sending side of their TCP
+# connections, while leaving their receiving sides open. Sometimes,
+# Squid can not tell the difference between a half-closed and a
+# fully-closed TCP connection.
+#
+# By default, Squid will immediately close client connections when
+# read(2) returns "no more data to read."
+#
+# Change this option to 'on' and Squid will keep open connections
+# until a read(2) or write(2) on the socket returns an error.
+# This may show some benefits for reverse proxies. But if not
+# it is recommended to leave OFF.
+#Default:
+# half_closed_clients off
+
+# TAG: server_idle_pconn_timeout
+# Timeout for idle persistent connections to servers and other
+# proxies.
+#Default:
+# server_idle_pconn_timeout 1 minute
+
+# TAG: ident_timeout
+# Maximum time to wait for IDENT lookups to complete.
+#
+# If this is too high, and you enabled IDENT lookups from untrusted
+# users, you might be susceptible to denial-of-service by having
+# many ident requests going at once.
+#Default:
+# ident_timeout 10 seconds
+
+# TAG: shutdown_lifetime time-units
+# When SIGTERM or SIGHUP is received, the cache is put into
+# "shutdown pending" mode until all active sockets are closed.
+# This value is the lifetime to set for all open descriptors
+# during shutdown mode. Any active clients after this many
+# seconds will receive a 'timeout' message.
+#Default:
+# shutdown_lifetime 30 seconds
+
+# ADMINISTRATIVE PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mgr
+# Email-address of local cache manager who will receive
+# mail if the cache dies. The default is "webmaster".
+#Default:
+# cache_mgr webmaster
+
+# TAG: mail_from
+# From: email-address for mail sent when the cache dies.
+# The default is to use 'squid@unique_hostname'.
+#
+# See also: unique_hostname directive.
+#Default:
+# none
+
+# TAG: mail_program
+# Email program used to send mail if the cache dies.
+# The default is "mail". The specified program must comply
+# with the standard Unix mail syntax:
+# mail-program recipient < mailfile
+#
+# Optional command line options can be specified.
+#Default:
+# mail_program mail
+
+# TAG: cache_effective_user
+# If you start Squid as root, it will change its effective/real
+# UID/GID to the user specified below. The default is to change
+# to UID of proxy.
+# see also; cache_effective_group
+#Default:
+# cache_effective_user proxy
+
+# TAG: cache_effective_group
+# Squid sets the GID to the effective user's default group ID
+# (taken from the password file) and supplementary group list
+# from the groups membership.
+#
+# If you want Squid to run with a specific GID regardless of
+# the group memberships of the effective user then set this
+# to the group (or GID) you want Squid to run as. When set
+# all other group privileges of the effective user are ignored
+# and only this GID is effective. If Squid is not started as
+# root the user starting Squid MUST be member of the specified
+# group.
+#
+# This option is not recommended by the Squid Team.
+# Our preference is for administrators to configure a secure
+# user account for squid with UID/GID matching system policies.
+#Default:
+# Use system group memberships of the cache_effective_user account
+
+# TAG: httpd_suppress_version_string on|off
+# Suppress Squid version string info in HTTP headers and HTML error pages.
+#Default:
+# httpd_suppress_version_string off
+
+# TAG: visible_hostname
+# If you want to present a special hostname in error messages, etc,
+# define this. Otherwise, the return value of gethostname()
+# will be used. If you have multiple caches in a cluster and
+# get errors about IP-forwarding you must set them to have individual
+# names with this setting.
+#Default:
+# Automatically detect the system host name
+
+# TAG: unique_hostname
+# If you want to have multiple machines with the same
+# 'visible_hostname' you must give each machine a different
+# 'unique_hostname' so forwarding loops can be detected.
+#Default:
+# Copy the value from visible_hostname
+
+# TAG: hostname_aliases
+# A list of other DNS names your cache has.
+#Default:
+# none
+
+# TAG: umask
+# Minimum umask which should be enforced while the proxy
+# is running, in addition to the umask set at startup.
+#
+# For a traditional octal representation of umasks, start
+# your value with 0.
+#Default:
+# umask 027
+
+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
+# -----------------------------------------------------------------------------
+#
+# This section contains parameters for the (optional) cache
+# announcement service. This service is provided to help
+# cache administrators locate one another in order to join or
+# create cache hierarchies.
+#
+# An 'announcement' message is sent (via UDP) to the registration
+# service by Squid. By default, the announcement message is NOT
+# SENT unless you enable it with 'announce_period' below.
+#
+# The announcement message includes your hostname, plus the
+# following information from this configuration file:
+#
+# http_port
+# icp_port
+# cache_mgr
+#
+# All current information is processed regularly and made
+# available on the Web at http://www.ircache.net/Cache/Tracker/.
+
+# TAG: announce_period
+# This is how frequently to send cache announcements.
+#
+# To enable announcing your cache, just set an announce period.
+#
+# Example:
+# announce_period 1 day
+#Default:
+# Announcement messages disabled.
+
+# TAG: announce_host
+# Set the hostname where announce registration messages will be sent.
+#
+# See also announce_port and announce_file
+#Default:
+# announce_host tracker.ircache.net
+
+# TAG: announce_file
+# The contents of this file will be included in the announce
+# registration messages.
+#Default:
+# none
+
+# TAG: announce_port
+# Set the port where announce registration messages will be sent.
+#
+# See also announce_host and announce_file
+#Default:
+# announce_port 3131
+
+# HTTPD-ACCELERATOR OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: httpd_accel_surrogate_id
+# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
+# need an identification token to allow control targeting. Because
+# a farm of surrogates may all perform the same tasks, they may share
+# an identification token.
+#Default:
+# visible_hostname is used if no specific ID is set.
+
+# TAG: http_accel_surrogate_remote on|off
+# Remote surrogates (such as those in a CDN) honour the header
+# "Surrogate-Control: no-store-remote".
+#
+# Set this to on to have squid behave as a remote surrogate.
+#Default:
+# http_accel_surrogate_remote off
+
+# TAG: esi_parser libxml2|expat|custom
+# ESI markup is not strictly XML compatible. The custom ESI parser
+# will give higher performance, but cannot handle non ASCII character
+# encodings.
+#Default:
+# esi_parser custom
+
+# DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: delay_pools
+# This represents the number of delay pools to be used. For example,
+# if you have one class 2 delay pool and one class 3 delays pool, you
+# have a total of 2 delay pools.
+#
+# See also delay_parameters, delay_class, delay_access for pool
+# configuration details.
+#Default:
+# delay_pools 0
+
+# TAG: delay_class
+# This defines the class of each delay pool. There must be exactly one
+# delay_class line for each delay pool. For example, to define two
+# delay pools, one of class 2 and one of class 3, the settings above
+# and here would be:
+#
+# Example:
+# delay_pools 4 # 4 delay pools
+# delay_class 1 2 # pool 1 is a class 2 pool
+# delay_class 2 3 # pool 2 is a class 3 pool
+# delay_class 3 4 # pool 3 is a class 4 pool
+# delay_class 4 5 # pool 4 is a class 5 pool
+#
+# The delay pool classes are:
+#
+# class 1 Everything is limited by a single aggregate
+# bucket.
+#
+# class 2 Everything is limited by a single aggregate
+# bucket as well as an "individual" bucket chosen
+# from bits 25 through 32 of the IPv4 address.
+#
+# class 3 Everything is limited by a single aggregate
+# bucket as well as a "network" bucket chosen
+# from bits 17 through 24 of the IP address and a
+# "individual" bucket chosen from bits 17 through
+# 32 of the IPv4 address.
+#
+# class 4 Everything in a class 3 delay pool, with an
+# additional limit on a per user basis. This
+# only takes effect if the username is established
+# in advance - by forcing authentication in your
+# http_access rules.
+#
+# class 5 Requests are grouped according their tag (see
+# external_acl's tag= reply).
+#
+#
+# Each pool also requires a delay_parameters directive to configure the pool size
+# and speed limits used whenever the pool is applied to a request. Along with
+# a set of delay_access directives to determine when it is used.
+#
+# NOTE: If an IP address is a.b.c.d
+# -> bits 25 through 32 are "d"
+# -> bits 17 through 24 are "c"
+# -> bits 17 through 32 are "c * 256 + d"
+#
+# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
+# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also delay_parameters and delay_access.
+#Default:
+# none
+
+# TAG: delay_access
+# This is used to determine which delay pool a request falls into.
+#
+# delay_access is sorted per pool and the matching starts with pool 1,
+# then pool 2, ..., and finally pool N. The first delay pool where the
+# request is allowed is selected for the request. If it does not allow
+# the request to any pool then the request is not delayed (default).
+#
+# For example, if you want some_big_clients in delay
+# pool 1 and lotsa_little_clients in delay pool 2:
+#
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+# delay_access 3 allow authenticated_clients
+#
+# See also delay_parameters and delay_class.
+#
+#Default:
+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: delay_parameters
+# This defines the parameters for a delay pool. Each delay pool has
+# a number of "buckets" associated with it, as explained in the
+# description of delay_class.
+#
+# For a class 1 delay pool, the syntax is:
+# delay_class pool 1
+# delay_parameters pool aggregate
+#
+# For a class 2 delay pool:
+# delay_class pool 2
+# delay_parameters pool aggregate individual
+#
+# For a class 3 delay pool:
+# delay_class pool 3
+# delay_parameters pool aggregate network individual
+#
+# For a class 4 delay pool:
+# delay_class pool 4
+# delay_parameters pool aggregate network individual user
+#
+# For a class 5 delay pool:
+# delay_class pool 5
+# delay_parameters pool tagrate
+#
+# The option variables are:
+#
+# pool a pool number - ie, a number between 1 and the
+# number specified in delay_pools as used in
+# delay_class lines.
+#
+# aggregate the speed limit parameters for the aggregate bucket
+# (class 1, 2, 3).
+#
+# individual the speed limit parameters for the individual
+# buckets (class 2, 3).
+#
+# network the speed limit parameters for the network buckets
+# (class 3).
+#
+# user the speed limit parameters for the user buckets
+# (class 4).
+#
+# tagrate the speed limit parameters for the tag buckets
+# (class 5).
+#
+# A pair of delay parameters is written restore/maximum, where restore is
+# the number of bytes (not bits - modem and network speeds are usually
+# quoted in bits) per second placed into the bucket, and maximum is the
+# maximum number of bytes which can be in the bucket at any time.
+#
+# There must be one delay_parameters line for each delay pool.
+#
+#
+# For example, if delay pool number 1 is a class 2 delay pool as in the
+# above example, and is being used to strictly limit each host to 64Kbit/sec
+# (plus overheads), with no overall limit, the line is:
+#
+# delay_parameters 1 none 8000/8000
+#
+# Note that 8 x 8K Byte/sec -> 64K bit/sec.
+#
+# Note that the word 'none' is used to represent no limit.
+#
+#
+# And, if delay pool number 2 is a class 3 delay pool as in the above
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
+# to permit a decent web page to be downloaded at a decent speed
+# (if the network is not being limited due to overuse) but slow down
+# large downloads more significantly:
+#
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32K Byte/sec -> 256K bit/sec.
+# 8 x 8K Byte/sec -> 64K bit/sec.
+# 8 x 600 Byte/sec -> 4800 bit/sec.
+#
+#
+# Finally, for a class 4 delay pool as in the example - each user will
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
+#
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+#
+#
+# See also delay_class and delay_access.
+#
+#Default:
+# none
+
+# TAG: delay_initial_bucket_level (percent, 0-100)
+# The initial bucket percentage is used to determine how much is put
+# in each bucket when squid starts, is reconfigured, or first notices
+# a host accessing it (in class 2 and class 3, individual hosts and
+# networks only have buckets associated with them once they have been
+# "seen" by squid).
+#Default:
+# delay_initial_bucket_level 50
+
+# CLIENT DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: client_delay_pools
+# This option specifies the number of client delay pools used. It must
+# preceed other client_delay_* options.
+#
+# Example:
+# client_delay_pools 2
+#
+# See also client_delay_parameters and client_delay_access.
+#Default:
+# client_delay_pools 0
+
+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
+# This option determines the initial bucket size as a percentage of
+# max_bucket_size from client_delay_parameters. Buckets are created
+# at the time of the "first" connection from the matching IP. Idle
+# buckets are periodically deleted up.
+#
+# You can specify more than 100 percent but note that such "oversized"
+# buckets are not refilled until their size goes down to max_bucket_size
+# from client_delay_parameters.
+#
+# Example:
+# client_delay_initial_bucket_level 50
+#Default:
+# client_delay_initial_bucket_level 50
+
+# TAG: client_delay_parameters
+#
+# This option configures client-side bandwidth limits using the
+# following format:
+#
+# client_delay_parameters pool speed_limit max_bucket_size
+#
+# pool is an integer ID used for client_delay_access matching.
+#
+# speed_limit is bytes added to the bucket per second.
+#
+# max_bucket_size is the maximum size of a bucket, enforced after any
+# speed_limit additions.
+#
+# Please see the delay_parameters option for more information and
+# examples.
+#
+# Example:
+# client_delay_parameters 1 1024 2048
+# client_delay_parameters 2 51200 16384
+#
+# See also client_delay_access.
+#
+#Default:
+# none
+
+# TAG: client_delay_access
+# This option determines the client-side delay pool for the
+# request:
+#
+# client_delay_access pool_ID allow|deny acl_name
+#
+# All client_delay_access options are checked in their pool ID
+# order, starting with pool 1. The first checked pool with allowed
+# request is selected for the request. If no ACL matches or there
+# are no client_delay_access options, the request bandwidth is not
+# limited.
+#
+# The ACL-selected pool is then used to find the
+# client_delay_parameters for the request. Client-side pools are
+# not used to aggregate clients. Clients are always aggregated
+# based on their source IP addresses (one bucket per source IP).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Additionally, only the client TCP connection details are available.
+# ACLs testing HTTP properties will not work.
+#
+# Please see delay_access for more examples.
+#
+# Example:
+# client_delay_access 1 allow low_rate_network
+# client_delay_access 2 allow vips_network
+#
+#
+# See also client_delay_parameters and client_delay_pools.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: wccp_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCP disabled.
+
+# TAG: wccp2_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCPv2 disabled.
+
+# TAG: wccp_version
+# This directive is only relevant if you need to set up WCCP(v1)
+# to some very old and end-of-life Cisco routers. In all other
+# setups it must be left unset or at the default setting.
+# It defines an internal version in the WCCP(v1) protocol,
+# with version 4 being the officially documented protocol.
+#
+# According to some users, Cisco IOS 11.2 and earlier only
+# support WCCP version 3. If you're using that or an earlier
+# version of IOS, you may need to change this value to 3, otherwise
+# do not specify this parameter.
+#Default:
+# wccp_version 4
+
+# TAG: wccp2_rebuild_wait
+# If this is enabled Squid will wait for the cache dir rebuild to finish
+# before sending the first wccp2 HereIAm packet
+#Default:
+# wccp2_rebuild_wait on
+
+# TAG: wccp2_forwarding_method
+# WCCP2 allows the setting of forwarding methods between the
+# router/switch and the cache. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment method.
+#Default:
+# wccp2_forwarding_method gre
+
+# TAG: wccp2_return_method
+# WCCP2 allows the setting of return methods between the
+# router/switch and the cache for packets that the cache
+# decides not to handle. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment.
+#
+# If the "ip wccp redirect exclude in" command has been
+# enabled on the cache interface, then it is still safe for
+# the proxy server to use a l2 redirect method even if this
+# option is set to GRE.
+#Default:
+# wccp2_return_method gre
+
+# TAG: wccp2_assignment_method
+# WCCP2 allows the setting of methods to assign the WCCP hash
+# Valid values are as follows:
+#
+# hash - Hash assignment
+# mask - Mask assignment
+#
+# As a general rule, cisco routers support the hash assignment method
+# and cisco switches support the mask assignment method.
+#Default:
+# wccp2_assignment_method hash
+
+# TAG: wccp2_service
+# WCCP2 allows for multiple traffic services. There are two
+# types: "standard" and "dynamic". The standard type defines
+# one service id - http (id 0). The dynamic service ids can be from
+# 51 to 255 inclusive. In order to use a dynamic service id
+# one must define the type of traffic to be redirected; this is done
+# using the wccp2_service_info option.
+#
+# The "standard" type does not require a wccp2_service_info option,
+# just specifying the service id will suffice.
+#
+# MD5 service authentication can be enabled by adding
+# "password=" to the end of this service declaration.
+#
+# Examples:
+#
+# wccp2_service standard 0 # for the 'web-cache' standard service
+# wccp2_service dynamic 80 # a dynamic service type which will be
+# # fleshed out with subsequent options.
+# wccp2_service standard 0 password=foo
+#Default:
+# Use the 'web-cache' standard service.
+
+# TAG: wccp2_service_info
+# Dynamic WCCPv2 services require further information to define the
+# traffic you wish to have diverted.
+#
+# The format is:
+#
+# wccp2_service_info protocol= flags=,..
+# priority= ports=,..
+#
+# The relevant WCCPv2 flags:
+# + src_ip_hash, dst_ip_hash
+# + source_port_hash, dst_port_hash
+# + src_ip_alt_hash, dst_ip_alt_hash
+# + src_port_alt_hash, dst_port_alt_hash
+# + ports_source
+#
+# The port list can be one to eight entries.
+#
+# Example:
+#
+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
+# priority=240 ports=80
+#
+# Note: the service id must have been defined by a previous
+# 'wccp2_service dynamic ' entry.
+#Default:
+# none
+
+# TAG: wccp2_weight
+# Each cache server gets assigned a set of the destination
+# hash proportional to their weight.
+#Default:
+# wccp2_weight 10000
+
+# TAG: wccp_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# TAG: wccp2_address
+# Use this option if you require WCCP to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# PERSISTENT CONNECTION HANDLING
+# -----------------------------------------------------------------------------
+#
+# Also see "pconn_timeout" in the TIMEOUTS section
+
+# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
+#Default:
+# client_persistent_connections on
+
+# TAG: server_persistent_connections
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
+#Default:
+# server_persistent_connections on
+
+# TAG: persistent_connection_after_error
+# With this directive the use of persistent connections after
+# HTTP errors can be disabled. Useful if you have clients
+# who fail to handle errors on persistent connections proper.
+#Default:
+# persistent_connection_after_error on
+
+# TAG: detect_broken_pconn
+# Some servers have been found to incorrectly signal the use
+# of HTTP/1.0 persistent connections even on replies not
+# compatible, causing significant delays. This server problem
+# has mostly been seen on redirects.
+#
+# By enabling this directive Squid attempts to detect such
+# broken replies and automatically assume the reply is finished
+# after 10 seconds timeout.
+#Default:
+# detect_broken_pconn off
+
+# CACHE DIGEST OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: digest_generation
+# This controls whether the server will generate a Cache Digest
+# of its contents. By default, Cache Digest generation is
+# enabled if Squid is compiled with --enable-cache-digests defined.
+#Default:
+# digest_generation on
+
+# TAG: digest_bits_per_entry
+# This is the number of bits of the server's Cache Digest which
+# will be associated with the Digest entry for a given HTTP
+# Method and URL (public key) combination. The default is 5.
+#Default:
+# digest_bits_per_entry 5
+
+# TAG: digest_rebuild_period (seconds)
+# This is the wait time between Cache Digest rebuilds.
+#Default:
+# digest_rebuild_period 1 hour
+
+# TAG: digest_rewrite_period (seconds)
+# This is the wait time between Cache Digest writes to
+# disk.
+#Default:
+# digest_rewrite_period 1 hour
+
+# TAG: digest_swapout_chunk_size (bytes)
+# This is the number of bytes of the Cache Digest to write to
+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
+# default swap page.
+#Default:
+# digest_swapout_chunk_size 4096 bytes
+
+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
+# This is the percentage of the Cache Digest to be scanned at a
+# time. By default it is set to 10% of the Cache Digest.
+#Default:
+# digest_rebuild_chunk_percentage 10
+
+# SNMP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: snmp_port
+# The port number where Squid listens for SNMP requests. To enable
+# SNMP support set this to a suitable port number. Port number
+# 3401 is often used for the Squid SNMP agent. By default it's
+# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
+#Default:
+# SNMP disabled.
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: snmp_incoming_address
+# Just like 'udp_incoming_address', but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+#
+# The default snmp_incoming_address is to listen on all
+# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use the same port.
+#Default:
+# Use snmp_incoming_address or an address selected by the operating system.
+
+# ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icp_port
+# The port number where Squid sends and receives ICP queries to
+# and from neighbor caches. The standard UDP port for ICP is 3130.
+#
+# Example:
+# icp_port 3130
+#Default:
+# ICP disabled.
+
+# TAG: htcp_port
+# The port number where Squid sends and receives HTCP queries to
+# and from neighbor caches. To turn it on you want to set it to
+# 4827.
+#
+# Example:
+# htcp_port 4827
+#Default:
+# HTCP disabled.
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log. You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#Default:
+# log_icp_queries on
+
+# TAG: udp_incoming_address
+# udp_incoming_address is used for UDP packets received from other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Only change this if you want to have all UDP queries received on
+# a specific interface/address.
+#
+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_outgoing_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Accept packets from all machine interfaces.
+
+# TAG: udp_outgoing_address
+# udp_outgoing_address is used for UDP packets sent out to other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Instead it will use the same socket as udp_incoming_address.
+# Only change this if you want to have UDP queries sent using another
+# address than where this Squid listens for UDP queries from other
+# caches.
+#
+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_incoming_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Use udp_incoming_address or an address selected by the operating system.
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control,
+# it is probably okay to set this to 'on'.
+# If set to 'on', your siblings should use the option "allow-miss"
+# on their cache_peer lines for connecting to you.
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away.
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt (msec)
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_low 900
+
+# TAG: netdb_high
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# maximum_icp_query_timeout 2000
+
+# TAG: minimum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very small timeouts, even lower than
+# the normal latency variance on your link due to traffic.
+# Use this option to put an lower limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# minimum_icp_query_timeout 5
+
+# TAG: background_ping_rate time-units
+# Controls how often the ICP pings are sent to siblings that
+# have background-ping set.
+#Default:
+# background_ping_rate 10 seconds
+
+# MULTICAST ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: mcast_groups
+# This tag specifies a list of multicast groups which your server
+# should join to receive multicasted ICP queries.
+#
+# NOTE! Be very careful what you put here! Be sure you
+# understand the difference between an ICP _query_ and an ICP
+# _reply_. This option is to be set only if you want to RECEIVE
+# multicast queries. Do NOT set this option to SEND multicast
+# ICP (use cache_peer for that). ICP replies are always sent via
+# unicast, so this option does not affect whether or not you will
+# receive replies from multicast group members.
+#
+# You must be very careful to NOT use a multicast address which
+# is already in use by another group of caches.
+#
+# If you are unsure about multicast, please read the Multicast
+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
+#
+# Usage: mcast_groups 239.128.16.128 224.0.1.20
+#
+# By default, Squid doesn't listen on any multicast groups.
+#Default:
+# none
+
+# TAG: mcast_miss_addr
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# If you enable this option, every "cache miss" URL will
+# be sent out on the specified multicast address.
+#
+# Do not enable this option unless you are are absolutely
+# certain you understand what you are doing.
+#Default:
+# disabled.
+
+# TAG: mcast_miss_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the time-to-live value for packets multicasted
+# when multicasting off cache miss URLs is enabled. By
+# default this is set to 'site scope', i.e. 16.
+#Default:
+# mcast_miss_ttl 16
+
+# TAG: mcast_miss_port
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the port number to be used in conjunction with
+# 'mcast_miss_addr'.
+#Default:
+# mcast_miss_port 3135
+
+# TAG: mcast_miss_encode_key
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# The URLs that are sent in the multicast miss stream are
+# encrypted. This is the encryption key.
+#Default:
+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
+
+# TAG: mcast_icp_query_timeout (msec)
+# For multicast peers, Squid regularly sends out ICP "probes" to
+# count how many other peers are listening on the given multicast
+# address. This value specifies how long Squid should wait to
+# count all the replies. The default is 2000 msec, or 2
+# seconds.
+#Default:
+# mcast_icp_query_timeout 2000
+
+# INTERNAL ICON OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/share/squid/icons
+#Default:
+# icon_directory /usr/share/squid/icons
+
+# TAG: global_internal_static
+# This directive controls is Squid should intercept all requests for
+# /squid-internal-static/ no matter which host the URL is requesting
+# (default on setting), or if nothing special should be done for
+# such URLs (off setting). The purpose of this directive is to make
+# icons etc work better in complex cache hierarchies where it may
+# not always be possible for all corners in the cache mesh to reach
+# the server generating a directory listing.
+#Default:
+# global_internal_static on
+
+# TAG: short_icon_urls
+# If this is enabled Squid will use short URLs for icons.
+# If disabled it will revert to the old behavior of including
+# it's own name and port in the URL.
+#
+# If you run a complex cache hierarchy with a mix of Squid and
+# other proxies you may need to disable this directive.
+#Default:
+# short_icon_urls on
+
+# ERROR PAGE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: error_directory
+# If you wish to create your own versions of the default
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are making translations for a
+# language that Squid does not currently provide please consider
+# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# Send error pages in the clients preferred language
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# Generate English language pages.
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
+#
+# For information on CSS see http://www.w3.org/Style/CSS/
+#Default:
+# err_page_stylesheet /etc/squid/errorpage.css
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#Default:
+# none
+
+# TAG: email_err_data on|off
+# If enabled, information about the occurred error will be
+# included in the mailto links of the ERR pages (if %W is set)
+# so that the email body contains the data.
+# Syntax is %w
+#Default:
+# email_err_data on
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# or deny_info http://... acl
+# or deny_info TCP_RESET acl
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. Squid remembers the last
+# acl it evaluated in http_access, and if a 'deny_info' line exists
+# for that ACL Squid returns a corresponding error page.
+#
+# The acl is typically the last acl on the http_access deny line which
+# denied access. The exceptions to this rule are:
+# - When Squid needs to request authentication credentials. It's then
+# the first authentication related acl encountered
+# - When none of the http_access lines matches. It's then the last
+# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
+#
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+#
+# Alternatively you can tell Squid to reset the TCP connection
+# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
+#Default:
+# none
+
+# OPTIONS INFLUENCING REQUEST FORWARDING
+# -----------------------------------------------------------------------------
+
+# TAG: nonhierarchical_direct
+# By default, Squid will send any non-hierarchical requests
+# (not cacheable request type) direct to origin servers.
+#
+# When this is set to "off", Squid will prefer to send these
+# requests to parents.
+#
+# Note that in most configurations, by turning this off you will only
+# add latency to these request without any improvement in global hit
+# ratio.
+#
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
+#Default:
+# nonhierarchical_direct on
+
+# TAG: prefer_direct
+# Normally Squid tries to use parents for most requests. If you for some
+# reason like it to first try going direct and only use a parent if
+# going direct fails set this to on.
+#
+# By combining nonhierarchical_direct off and prefer_direct on you
+# can set up Squid to use a parent as a backup path if going direct
+# fails.
+#
+# Note: If you want Squid to use parents for all requests see
+# the never_direct directive. prefer_direct only modifies how Squid
+# acts on cacheable requests.
+#Default:
+# prefer_direct off
+
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server. This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded by Squid to the origin servers without using
+# any peers. For example, to always directly forward requests for
+# local servers ignoring any parents or siblings you may have use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain .foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# NOTE: If your goal is to make the client forward the request
+# directly to the origin server bypassing Squid then this needs
+# to be done in the client configuration. Squid configuration
+# can only tell Squid how Squid should fetch the object.
+#
+# NOTE: This directive is not related to caching. The replies
+# is cached as usual even if you use always_direct. To not cache
+# the replies see the 'cache' directive.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Prevent any cache_peer being used for this request.
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain .foo.net
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if Squid is inside a firewall and there are local intranet
+# servers inside the firewall use something like:
+#
+# acl local-intranet dstdomain .foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow DNS results to be used for this request.
+
+# ADVANCED NETWORKING OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_udp_average 6
+
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_tcp_average 4
+
+# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_dns_average 4
+
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_udp_poll_cnt 8
+
+# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_dns_poll_cnt 8
+
+# TAG: min_tcp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_tcp_poll_cnt 8
+
+# TAG: accept_filter
+# FreeBSD:
+#
+# The name of an accept(2) filter to install on Squid's
+# listen socket(s). This feature is perhaps specific to
+# FreeBSD and requires support in the kernel.
+#
+# The 'httpready' filter delays delivering new connections
+# to Squid until a full HTTP request has been received.
+# See the accf_http(9) man page for details.
+#
+# The 'dataready' filter delays delivering new connections
+# to Squid until there is some data to process.
+# See the accf_dataready(9) man page for details.
+#
+# Linux:
+#
+# The 'data' filter delays delivering of new connections
+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
+# You may optionally specify a number of seconds to wait by
+# 'data=N' where N is the number of seconds. Defaults to 30
+# if not specified. See the tcp(7) man page for details.
+#EXAMPLE:
+## FreeBSD
+#accept_filter httpready
+## Linux
+#accept_filter data
+#Default:
+# none
+
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# No limit.
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
+#Default:
+# Use operating system TCP defaults.
+
+# ICAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icap_enable on|off
+# If you want to enable the ICAP module support, set this to on.
+#Default:
+# icap_enable off
+
+# TAG: icap_connect_timeout
+# This parameter specifies how long to wait for the TCP connect to
+# the requested ICAP server to complete before giving up and either
+# terminating the HTTP transaction or bypassing the failure.
+#
+# The default for optional services is peer_connect_timeout.
+# The default for essential services is connect_timeout.
+# If this option is explicitly set, its value applies to all services.
+#Default:
+# none
+
+# TAG: icap_io_timeout time-units
+# This parameter specifies how long to wait for an I/O activity on
+# an established, active ICAP connection before giving up and
+# either terminating the HTTP transaction or bypassing the
+# failure.
+#Default:
+# Use read_timeout.
+
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
+# The limit specifies the number of failures that Squid tolerates
+# when establishing a new TCP connection with an ICAP service. If
+# the number of failures exceeds the limit, the ICAP service is
+# not used for new ICAP requests until it is time to refresh its
+# OPTIONS.
+#
+# A negative value disables the limit. Without the limit, an ICAP
+# service will not be considered down due to connectivity failures
+# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth. The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
+#Default:
+# icap_service_failure_limit 10
+
+# TAG: icap_service_revival_delay
+# The delay specifies the number of seconds to wait after an ICAP
+# OPTIONS request failure before requesting the options again. The
+# failed ICAP service is considered "down" until fresh OPTIONS are
+# fetched.
+#
+# The actual delay cannot be smaller than the hardcoded minimum
+# delay of 30 seconds.
+#Default:
+# icap_service_revival_delay 180
+
+# TAG: icap_preview_enable on|off
+# The ICAP Preview feature allows the ICAP server to handle the
+# HTTP message by looking only at the beginning of the message body
+# or even without receiving the body at all. In some environments,
+# previews greatly speedup ICAP processing.
+#
+# During an ICAP OPTIONS transaction, the server may tell Squid what
+# HTTP messages should be previewed and how big the preview should be.
+# Squid will not use Preview if the server did not request one.
+#
+# To disable ICAP Preview for all ICAP services, regardless of
+# individual ICAP server OPTIONS responses, set this option to "off".
+#Example:
+#icap_preview_enable off
+#Default:
+# icap_preview_enable on
+
+# TAG: icap_preview_size
+# The default size of preview data to be sent to the ICAP server.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
+#Default:
+# icap_206_enable on
+
+# TAG: icap_default_options_ttl
+# The default TTL value for ICAP OPTIONS responses that don't have
+# an Options-TTL header.
+#Default:
+# icap_default_options_ttl 60
+
+# TAG: icap_persistent_connections on|off
+# Whether or not Squid should use persistent connections to
+# an ICAP server.
+#Default:
+# icap_persistent_connections on
+
+# TAG: adaptation_send_client_ip on|off
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
+#Default:
+# adaptation_send_client_ip off
+
+# TAG: adaptation_send_username on|off
+# This sends authenticated HTTP client username (if available) to
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
+# icap_client_username_encode option and is sent using the header
+# specified by the icap_client_username_header option.
+#Default:
+# adaptation_send_username off
+
+# TAG: icap_client_username_header
+# ICAP request header name to use for adaptation_send_username.
+#Default:
+# icap_client_username_header X-Client-Username
+
+# TAG: icap_client_username_encode on|off
+# Whether to base64 encode the authenticated client username.
+#Default:
+# icap_client_username_encode off
+
+# TAG: icap_service
+# Defines a single ICAP service using the following format:
+#
+# icap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# ICAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: icap://servername:port/servicepath
+# ICAP server and service location.
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled. No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on
+#Default:
+# none
+
+# TAG: icap_class
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Defines a single eCAP service
+#
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
+# HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#
+#Example:
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
+#Default:
+# none
+
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
+#
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable. If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
+#
+#Example:
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services. If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
+#Default:
+# none
+
+# TAG: adaptation_access
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+#
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
+#
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
+#
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
+#
+#Example:
+#adaptation_access service_1 allow all
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: adaptation_service_iteration_limit
+# Limits the number of iterations allowed when applying adaptation
+# services to a message. If your longest adaptation set or chain
+# may have more than 16 services, increase the limit beyond its
+# default value of 16. If detecting infinite iteration loops sooner
+# is critical, make the iteration limit match the actual number
+# of services in your longest adaptation set or chain.
+#
+# Infinite adaptation loops are most likely with routing services.
+#
+# See also: icap_service routing=1
+#Default:
+# adaptation_service_iteration_limit 16
+
+# TAG: adaptation_masterx_shared_names
+# For each master transaction (i.e., the HTTP request and response
+# sequence, including all related ICAP and eCAP exchanges), Squid
+# maintains a table of metadata. The table entries are (name, value)
+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
+# with the master transaction.
+#
+# This option specifies the table entry names that Squid must accept
+# from and forward to the adaptation transactions.
+#
+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by returning an ICAP header field with a name
+# specified in adaptation_masterx_shared_names.
+#
+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by implementing the libecap::visitEachOption() API
+# to provide an option with a name specified in
+# adaptation_masterx_shared_names.
+#
+# Squid will store and forward the set entry to subsequent adaptation
+# transactions within the same master transaction scope.
+#
+# Only one shared entry name is supported at this time.
+#
+#Example:
+## share authentication information among ICAP services
+#adaptation_masterx_shared_names X-Subscriber-ID
+#Default:
+# none
+
+# TAG: adaptation_meta
+# This option allows Squid administrator to add custom ICAP request
+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
+# Use it to pass custom authentication tokens and other
+# transaction-state related meta information to an ICAP/eCAP service.
+#
+# The addition of a meta header is ACL-driven:
+# adaptation_meta name value [!]aclname ...
+#
+# Processing for a given header name stops after the first ACL list match.
+# Thus, it is impossible to add two headers with the same name. If no ACL
+# lists match for a given header name, no such header is added. For
+# example:
+#
+# # do not debug transactions except for those that need debugging
+# adaptation_meta X-Debug 1 needs_debugging
+#
+# # log all transactions except for those that must remain secret
+# adaptation_meta X-Log 1 !keep_secret
+#
+# # mark transactions from users in the "G 1" group
+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
+#
+# The "value" parameter may be a regular squid.conf token or a "double
+# quoted string". Within the quoted string, use backslash (\) to escape
+# any character, which is currently only useful for escaping backslashes
+# and double quotes. For example,
+# "this string has one backslash (\\) and two \"quotes\""
+#
+# Used adaptation_meta header values may be logged via %note
+# logformat code. If multiple adaptation_meta headers with the same name
+# are used during master transaction lifetime, the header values are
+# logged in the order they were used and duplicate values are ignored
+# (only the first repeated value will be logged).
+#Default:
+# none
+
+# TAG: icap_retry
+# This ACL determines which retriable ICAP transactions are
+# retried. Transactions that received a complete ICAP response
+# and did not have to consume or produce HTTP bodies to receive
+# that response are usually retriable.
+#
+# icap_retry allow|deny [!]aclname ...
+#
+# Squid automatically retries some ICAP I/O timeouts and errors
+# due to persistent connection race conditions.
+#
+# See also: icap_retry_limit
+#Default:
+# icap_retry deny all
+
+# TAG: icap_retry_limit
+# Limits the number of retries allowed.
+#
+# Communication errors due to persistent connection race
+# conditions are unavoidable, automatically retried, and do not
+# count against this limit.
+#
+# See also: icap_retry
+#Default:
+# No retries are allowed.
+
+# DNS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: check_hostnames
+# For security and stability reasons Squid can check
+# hostnames for Internet standard RFC compliance. If you want
+# Squid to perform these checks turn this directive on.
+#Default:
+# check_hostnames off
+
+# TAG: allow_underscore
+# Underscore characters is not strictly allowed in Internet hostnames
+# but nevertheless used by many sites. Set this to off if you want
+# Squid to be strict about the standard.
+# This check is performed only when check_hostnames is set to on.
+#Default:
+# allow_underscore on
+
+# TAG: dns_retransmit_interval
+# Initial retransmit interval for DNS queries. The interval is
+# doubled each time all configured DNS servers have been tried.
+#Default:
+# dns_retransmit_interval 5 seconds
+
+# TAG: dns_timeout
+# DNS Query timeout. If no response is received to a DNS query
+# within this time all DNS servers for the queried domain
+# are assumed to be unavailable.
+#Default:
+# dns_timeout 30 seconds
+
+# TAG: dns_packet_max
+# Maximum number of bytes packet size to advertise via EDNS.
+# Set to "none" to disable EDNS large packet support.
+#
+# For legacy reasons DNS UDP replies will default to 512 bytes which
+# is too small for many responses. EDNS provides a means for Squid to
+# negotiate receiving larger responses back immediately without having
+# to failover with repeat requests. Responses larger than this limit
+# will retain the old behaviour of failover to TCP DNS.
+#
+# Squid has no real fixed limit internally, but allowing packet sizes
+# over 1500 bytes requires network jumbogram support and is usually not
+# necessary.
+#
+# WARNING: The RFC also indicates that some older resolvers will reply
+# with failure of the whole request if the extension is added. Some
+# resolvers have already been identified which will reply with mangled
+# EDNS response on occasion. Usually in response to many-KB jumbogram
+# sizes being advertised by Squid.
+# Squid will currently treat these both as an unable-to-resolve domain
+# even if it would be resolvable without EDNS.
+#Default:
+# EDNS disabled
+
+# TAG: dns_defnames on|off
+# Normally the RES_DEFNAMES resolver option is disabled
+# (see res_init(3)). This prevents caches in a hierarchy
+# from interpreting single-component hostnames locally. To allow
+# Squid to handle single-component names, enable this option.
+#Default:
+# Search for single-label domain names is disabled.
+
+# TAG: dns_multicast_local on|off
+# When set to on, Squid sends multicast DNS lookups on the local
+# network for domains ending in .local and .arpa.
+# This enables local servers and devices to be contacted in an
+# ad-hoc or zero-configuration network environment.
+#Default:
+# Search for .local and .arpa names is disabled.
+
+# TAG: dns_nameservers
+# Use this if you want to specify a list of DNS name servers
+# (IP addresses) to use instead of those given in your
+# /etc/resolv.conf file.
+#
+# On Windows platforms, if no value is specified here or in
+# the /etc/resolv.conf file, the list of DNS name servers are
+# taken from the Windows registry, both static and dynamic DHCP
+# configurations are supported.
+#
+# Example: dns_nameservers 10.0.0.1 192.172.0.4
+#Default:
+# Use operating system definitions
+
+# TAG: hosts_file
+# Location of the host-local IP name-address associations
+# database. Most Operating Systems have such a file on different
+# default locations:
+# - Un*X & Linux: /etc/hosts
+# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\winnt)
+# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\windows)
+# - Windows 9x/Me: %windir%\hosts
+# (%windir% value is usually c:\windows)
+# - Cygwin: /etc/hosts
+#
+# The file contains newline-separated definitions, in the
+# form ip_address_in_dotted_form name [name ...] names are
+# whitespace-separated. Lines beginning with an hash (#)
+# character are comments.
+#
+# The file is checked at startup and upon configuration.
+# If set to 'none', it won't be checked.
+# If append_domain is used, that domain will be added to
+# domain-local (i.e. not containing any dot character) host
+# definitions.
+#Default:
+# hosts_file /etc/hosts
+
+# TAG: append_domain
+# Appends local domain name to hostnames without any dots in
+# them. append_domain must begin with a period.
+#
+# Be warned there are now Internet names with no dots in
+# them using only top-domain names, so setting this may
+# cause some Internet sites to become unavailable.
+#
+#Example:
+# append_domain .yourdomain.com
+#Default:
+# Use operating system definitions
+
+# TAG: ignore_unknown_nameservers
+# By default Squid checks that DNS responses are received
+# from the same IP addresses they are sent to. If they
+# don't match, Squid ignores the response and writes a warning
+# message to cache.log. You can allow responses from unknown
+# nameservers by setting this option to 'off'.
+#Default:
+# ignore_unknown_nameservers on
+
+# TAG: dns_v4_first
+# With the IPv6 Internet being as fast or faster than IPv4 Internet
+# for most networks Squid prefers to contact websites over IPv6.
+#
+# This option reverses the order of preference to make Squid contact
+# dual-stack websites over IPv4 first. Squid will still perform both
+# IPv6 and IPv4 DNS lookups before connecting.
+#
+# WARNING:
+# This option will restrict the situations under which IPv6
+# connectivity is used (and tested), potentially hiding network
+# problems which would otherwise be detected and warned about.
+#Default:
+# dns_v4_first off
+
+# TAG: ipcache_size (number of entries)
+# Maximum number of DNS IP cache entries.
+#Default:
+# ipcache_size 1024
+
+# TAG: ipcache_low (percent)
+#Default:
+# ipcache_low 90
+
+# TAG: ipcache_high (percent)
+# The size, low-, and high-water marks for the IP cache.
+#Default:
+# ipcache_high 95
+
+# TAG: fqdncache_size (number of entries)
+# Maximum number of FQDN cache entries.
+#Default:
+# fqdncache_size 1024
+
+# MISCELLANEOUS
+# -----------------------------------------------------------------------------
+
+# TAG: configuration_includes_quoted_values on|off
+# If set, Squid will recognize each "quoted string" after a configuration
+# directive as a single parameter. The quotes are stripped before the
+# parameter value is interpreted or used.
+# See "Values with spaces, quotes, and other special characters"
+# section for more details.
+#Default:
+# configuration_includes_quoted_values off
+
+# TAG: memory_pools on|off
+# If set, Squid will keep pools of allocated (but unused) memory
+# available for future use. If memory is a premium on your
+# system and you believe your malloc library outperforms Squid
+# routines, disable this.
+#Default:
+# memory_pools on
+
+# TAG: memory_pools_limit (bytes)
+# Used only with memory_pools on:
+# memory_pools_limit 50 MB
+#
+# If set to a non-zero value, Squid will keep at most the specified
+# limit of allocated (but unused) memory in memory pools. All free()
+# requests that exceed this limit will be handled by your malloc
+# library. Squid does not pre-allocate any memory, just safe-keeps
+# objects that otherwise would be free()d. Thus, it is safe to set
+# memory_pools_limit to a reasonably high value even if your
+# configuration will use less memory.
+#
+# If set to none, Squid will keep all memory it can. That is, there
+# will be no limit on the total amount of memory used for safe-keeping.
+#
+# To disable memory allocation optimization, do not set
+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
+#
+# An overhead for maintaining memory pools is not taken into account
+# when the limit is checked. This overhead is close to four bytes per
+# object kept. However, pools may actually _save_ memory because of
+# reduced memory thrashing in your malloc library.
+#Default:
+# memory_pools_limit 5 MB
+
+# TAG: forwarded_for on|off|transparent|truncate|delete
+# If set to "on", Squid will append your client's IP address
+# in the HTTP requests it forwards. By default it looks like:
+#
+# X-Forwarded-For: 192.1.2.3
+#
+# If set to "off", it will appear as
+#
+# X-Forwarded-For: unknown
+#
+# If set to "transparent", Squid will not alter the
+# X-Forwarded-For header in any way.
+#
+# If set to "delete", Squid will delete the entire
+# X-Forwarded-For header.
+#
+# If set to "truncate", Squid will remove all existing
+# X-Forwarded-For entries, and place the client IP as the sole entry.
+#Default:
+# forwarded_for on
+
+# TAG: cachemgr_passwd
+# Specify passwords for cachemgr operations.
+#
+# Usage: cachemgr_passwd password action action ...
+#
+# Some valid actions are (see cache manager menu for a full list):
+# 5min
+# 60min
+# asndb
+# authenticator
+# cbdata
+# client_list
+# comm_incoming
+# config *
+# counters
+# delay
+# digest_stats
+# dns
+# events
+# filedescriptors
+# fqdncache
+# histograms
+# http_headers
+# info
+# io
+# ipcache
+# mem
+# menu
+# netdb
+# non_peers
+# objects
+# offline_toggle *
+# pconn
+# peer_select
+# reconfigure *
+# redirector
+# refresh
+# server_list
+# shutdown *
+# store_digest
+# storedir
+# utilization
+# via_headers
+# vm_objects
+#
+# * Indicates actions which will not be performed without a
+# valid password, others can be performed if not listed here.
+#
+# To disable an action, set the password to "disable".
+# To allow performing an action without a password, set the
+# password to "none".
+#
+# Use the keyword "all" to set the same password for all actions.
+#
+#Example:
+# cachemgr_passwd secret shutdown
+# cachemgr_passwd lesssssssecret info stats/objects
+# cachemgr_passwd disable all
+#Default:
+# No password. Actions which require password are denied.
+
+# TAG: client_db on|off
+# If you want to disable collecting per-client statistics,
+# turn off client_db here.
+#Default:
+# client_db on
+
+# TAG: refresh_all_ims on|off
+# When you enable this option, squid will always check
+# the origin server for an update when a client sends an
+# If-Modified-Since request. Many browsers use IMS
+# requests when the user requests a reload, and this
+# ensures those clients receive the latest version.
+#
+# By default (off), squid may return a Not Modified response
+# based on the age of the cached version.
+#Default:
+# refresh_all_ims off
+
+# TAG: reload_into_ims on|off
+# When you enable this option, client no-cache or ``reload''
+# requests will be changed to If-Modified-Since requests.
+# Doing this VIOLATES the HTTP standard. Enabling this
+# feature could make you liable for problems which it
+# causes.
+#
+# see also refresh_pattern for a more selective approach.
+#Default:
+# reload_into_ims off
+
+# TAG: connect_retries
+# This sets the maximum number of connection attempts made for each
+# TCP connection. The connect_retries attempts must all still
+# complete within the connection timeout period.
+#
+# The default is not to re-try if the first connection attempt fails.
+# The (not recommended) maximum is 10 tries.
+#
+# A warning message will be generated if it is set to a too-high
+# value and the configured value will be over-ridden.
+#
+# Note: These re-tries are in addition to forward_max_tries
+# which limit how many different addresses may be tried to find
+# a useful server.
+#Default:
+# Do not retry failed connections.
+
+# TAG: retry_on_error
+# If set to ON Squid will automatically retry requests when
+# receiving an error response with status 403 (Forbidden),
+# 500 (Internal Error), 501 or 503 (Service not available).
+# Status 502 and 504 (Gateway errors) are always retried.
+#
+# This is mainly useful if you are in a complex cache hierarchy to
+# work around access control errors.
+#
+# NOTE: This retry will attempt to find another working destination.
+# Which is different from the server which just failed.
+#Default:
+# retry_on_error off
+
+# TAG: as_whois_server
+# WHOIS server to query for AS numbers. NOTE: AS numbers are
+# queried only when Squid starts up, not for every request.
+#Default:
+# as_whois_server whois.ra.net
+
+# TAG: offline_mode
+# Enable this option and Squid will never try to validate cached
+# objects.
+#Default:
+# offline_mode off
+
+# TAG: uri_whitespace
+# What to do with requests that have whitespace characters in the
+# URI. Options:
+#
+# strip: The whitespace characters are stripped out of the URL.
+# This is the behavior recommended by RFC2396 and RFC3986
+# for tolerant handling of generic URI.
+# NOTE: This is one difference between generic URI and HTTP URLs.
+#
+# deny: The request is denied. The user receives an "Invalid
+# Request" message.
+# This is the behaviour recommended by RFC2616 for safe
+# handling of HTTP request URL.
+#
+# allow: The request is allowed and the URI is not changed. The
+# whitespace characters remain in the URI. Note the
+# whitespace is passed to redirector processes if they
+# are in use.
+# Note this may be considered a violation of RFC2616
+# request parsing where whitespace is prohibited in the
+# URL field.
+#
+# encode: The request is allowed and the whitespace characters are
+# encoded according to RFC1738.
+#
+# chop: The request is allowed and the URI is chopped at the
+# first whitespace.
+#
+#
+# NOTE the current Squid implementation of encode and chop violates
+# RFC2616 by not using a 301 redirect after altering the URL.
+#Default:
+# uri_whitespace strip
+
+# TAG: chroot
+# Specifies a directory where Squid should do a chroot() while
+# initializing. This also causes Squid to fully drop root
+# privileges after initializing. This means, for example, if you
+# use a HTTP port less than 1024 and try to reconfigure, you may
+# get an error saying that Squid can not open the port.
+#Default:
+# none
+
+# TAG: balance_on_multiple_ip
+# Modern IP resolvers in squid sort lookup results by preferred access.
+# By default squid will use these IP in order and only rotates to
+# the next listed when the most preffered fails.
+#
+# Some load balancing servers based on round robin DNS have been
+# found not to preserve user session state across requests
+# to different IP addresses.
+#
+# Enabling this directive Squid rotates IP's per request.
+#Default:
+# balance_on_multiple_ip off
+
+# TAG: pipeline_prefetch
+# HTTP clients may send a pipeline of 1+N requests to Squid using a
+# single connection, without waiting for Squid to respond to the first
+# of those requests. This option limits the number of concurrent
+# requests Squid will try to handle in parallel. If set to N, Squid
+# will try to receive and process up to 1+N requests on the same
+# connection concurrently.
+#
+# Defaults to 0 (off) for bandwidth management and access logging
+# reasons.
+#
+# NOTE: pipelining requires persistent connections to clients.
+#
+# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
+#Default:
+# Do not pre-parse pipelined requests.
+
+# TAG: high_response_time_warning (msec)
+# If the one-minute median response time exceeds this value,
+# Squid prints a WARNING with debug level 0 to get the
+# administrators attention. The value is in milliseconds.
+#Default:
+# disabled.
+
+# TAG: high_page_fault_warning
+# If the one-minute average page fault rate exceeds this
+# value, Squid prints a WARNING with debug level 0 to get
+# the administrators attention. The value is in page faults
+# per second.
+#Default:
+# disabled.
+
+# TAG: high_memory_warning
+# Note: This option is only available if Squid is rebuilt with the
+# GNU Malloc with mstats()
+#
+# If the memory usage (as determined by gnumalloc, if available and used)
+# exceeds this amount, Squid prints a WARNING with debug level 0 to get
+# the administrators attention.
+#Default:
+# disabled.
+
+# TAG: sleep_after_fork (microseconds)
+# When this is set to a non-zero value, the main Squid process
+# sleeps the specified number of microseconds after a fork()
+# system call. This sleep may help the situation where your
+# system reports fork() failures due to lack of (virtual)
+# memory. Note, however, if you have a lot of child
+# processes, these sleep delays will add up and your
+# Squid will not service requests for some amount of time
+# until all the child processes have been started.
+# On Windows value less then 1000 (1 milliseconds) are
+# rounded to 1000.
+#Default:
+# sleep_after_fork 0
+
+# TAG: windows_ipaddrchangemonitor on|off
+# Note: This option is only available if Squid is rebuilt with the
+# MS Windows
+#
+# On Windows Squid by default will monitor IP address changes and will
+# reconfigure itself after any detected event. This is very useful for
+# proxies connected to internet with dial-up interfaces.
+# In some cases (a Proxy server acting as VPN gateway is one) it could be
+# desiderable to disable this behaviour setting this to 'off'.
+# Note: after changing this, Squid service must be restarted.
+#Default:
+# windows_ipaddrchangemonitor on
+
+# TAG: eui_lookup
+# Whether to lookup the EUI or MAC address of a connected client.
+#Default:
+# eui_lookup on
+
+# TAG: max_filedescriptors
+# Reduce the maximum number of filedescriptors supported below
+# the usual operating system defaults.
+#
+# Remove from squid.conf to inherit the current ulimit setting.
+#
+# Note: Changing this requires a restart of Squid. Also
+# not all I/O types supports large values (eg on Windows).
+#Default:
+# Use operating system limits set by ulimit.
+
diff --git a/roles/squid/files/squid.s-proxy.conf b/roles/squid/files/squid.s-proxy.conf
new file mode 100644
index 0000000..83ab439
--- /dev/null
+++ b/roles/squid/files/squid.s-proxy.conf
@@ -0,0 +1,8579 @@
+# WELCOME TO SQUID 4.6
+# ----------------------------
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
+#
+
+# Configuration options can be included using the "include" directive.
+# Include takes a list of files to include. Quoting and wildcards are
+# supported.
+#
+# For example,
+#
+# include /path/to/included/file/squid.acl.config
+#
+# Includes can be nested up to a hard-coded depth of 16 levels.
+# This arbitrary restriction is to prevent recursive include references
+# from causing Squid entering an infinite loop whilst trying to load
+# configuration files.
+#
+# Values with byte units
+#
+# Squid accepts size units on some size related directives. All
+# such directives are documented with a default value displaying
+# a unit.
+#
+# Units accepted by Squid are:
+# bytes - byte
+# KB - Kilobyte (1024 bytes)
+# MB - Megabyte
+# GB - Gigabyte
+#
+# Values with spaces, quotes, and other special characters
+#
+# Squid supports directive parameters with spaces, quotes, and other
+# special characters. Surround such parameters with "double quotes". Use
+# the configuration_includes_quoted_values directive to enable or
+# disable that support.
+#
+# Squid supports reading configuration option parameters from external
+# files using the syntax:
+# parameters("/path/filename")
+# For example:
+# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
+#
+# Conditional configuration
+#
+# If-statements can be used to make configuration directives
+# depend on conditions:
+#
+# if
+# ... regular configuration directives ...
+# [else
+# ... regular configuration directives ...]
+# endif
+#
+# The else part is optional. The keywords "if", "else", and "endif"
+# must be typed on their own lines, as if they were regular
+# configuration directives.
+#
+# NOTE: An else-if condition is not supported.
+#
+# These individual conditions types are supported:
+#
+# true
+# Always evaluates to true.
+# false
+# Always evaluates to false.
+# =
+# Equality comparison of two integer numbers.
+#
+#
+# SMP-Related Macros
+#
+# The following SMP-related preprocessor macros can be used.
+#
+# ${process_name} expands to the current Squid process "name"
+# (e.g., squid1, squid2, or cache1).
+#
+# ${process_number} expands to the current Squid process
+# identifier, which is an integer number (e.g., 1, 2, 3) unique
+# across all Squid processes of the current service instance.
+#
+# ${service_name} expands into the current Squid service instance
+# name identifier which is provided by -n on the command line.
+#
+# Logformat Macros
+#
+# Logformat macros can be used in many places outside of the logformat
+# directive. In theory, all of the logformat codes can be used as %macros,
+# where they are supported. In practice, a %macro expands as a dash (-) when
+# the transaction does not yet have enough information and a value is needed.
+#
+# There is no definitive list of what tokens are available at the various
+# stages of the transaction.
+#
+# And some information may already be available to Squid but not yet
+# committed where the macro expansion code can access it (report
+# such instances!).
The macro will be expanded into a single dash
+# ('-') in such cases. Not all macros have been tested.
+#
+
+# TAG: broken_vary_encoding
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_vary
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: error_map
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: external_refresh_check
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: location_rewrite_program
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: refresh_stale_hit
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_peer_domain
+# Replace with dstdomain ACLs and cache_peer_access.
+#Default:
+# none
+
+# TAG: ie_refresh
+# Remove this line. The behaviour enabled by this is no longer needed.
+#Default:
+# none
+
+# TAG: sslproxy_cafile
+# Remove this line. Use tls_outgoing_options cafile= instead.
+#Default:
+# none
+
+# TAG: sslproxy_capath
+# Remove this line. Use tls_outgoing_options capath= instead.
+#Default:
+# none
+
+# TAG: sslproxy_cipher
+# Remove this line. Use tls_outgoing_options cipher= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_certificate
+# Remove this line. Use tls_outgoing_options cert= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_key
+# Remove this line. Use tls_outgoing_options key= instead.
+#Default:
+# none
+
+# TAG: sslproxy_flags
+# Remove this line. Use tls_outgoing_options flags= instead.
+#Default:
+# none
+
+# TAG: sslproxy_options
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: sslproxy_version
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: hierarchy_stoplist
+# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
+#Default:
+# none
+
+# TAG: log_access
+# Remove this line.
Use acls with access_log directives to control access logging
+#Default:
+# none
+
+# TAG: log_icap
+# Remove this line. Use acls with icap_log directives to control icap logging
+#Default:
+# none
+
+# TAG: ignore_ims_on_miss
+# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
+#Default:
+# none
+
+# TAG: balance_on_multiple_ip
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
+#Default:
+# none
+
+# TAG: chunked_request_body_max_size
+# Remove this line. Squid is now HTTP/1.1 compliant.
+#Default:
+# none
+
+# TAG: dns_v4_fallback
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+#Default:
+# none
+
+# TAG: emulate_httpd_log
+# Replace this with an access_log directive using the format 'common' or 'combined'.
+#Default:
+# none
+
+# TAG: forward_log
+# Use a regular access.log with ACL limiting it to MISS events.
+#Default:
+# none
+
+# TAG: ftp_list_width
+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
+#Default:
+# none
+
+# TAG: ignore_expect_100
+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
+#Default:
+# none
+
+# TAG: log_fqdn
+# Remove this option from your config. To log FQDN use %>A in the log format.
+#Default:
+# none
+
+# TAG: log_ip_on_direct
+# Remove this option from your config.
To log server or peer names use %
+##auth_param negotiate children 20 startup=0 idle=1
+##auth_param negotiate keep_alive on
+##
+##auth_param digest program
+##auth_param digest children 20 startup=0 idle=1
+##auth_param digest realm Squid proxy-caching web server
+##auth_param digest nonce_garbage_interval 5 minutes
+##auth_param digest nonce_max_duration 30 minutes
+##auth_param digest nonce_max_count 50
+##
+##auth_param ntlm program
+##auth_param ntlm children 20 startup=0 idle=1
+##auth_param ntlm keep_alive on
+##
+##auth_param basic program
+##auth_param basic children 5 startup=5 idle=1
+##auth_param basic realm Squid proxy-caching web server
+##auth_param basic credentialsttl 2 hours
+#Default:
+# none
+
+# TAG: authenticate_cache_garbage_interval
+# The time period between garbage collection across the username cache.
+# This is a trade-off between memory utilization (long intervals - say
+# 2 days) and CPU (short intervals - say 1 minute). Only change if you
+# have good reason to.
+#Default:
+# authenticate_cache_garbage_interval 1 hour
+
+# TAG: authenticate_ttl
+# The time a user & their credentials stay in the logged in
+# user cache since their last request. When the garbage
+# interval passes, all user credentials that have passed their
+# TTL are removed from memory.
+#Default:
+# authenticate_ttl 1 hour
+
+# TAG: authenticate_ip_ttl
+# If you use proxy authentication and the 'max_user_ip' ACL,
+# this directive controls how long Squid remembers the IP
+# addresses associated with each user. Use a small value
+# (e.g., 60 seconds) if your users might change addresses
+# quickly, as is the case with dialup. You might be safe
+# using a larger value (e.g., 2 hours) in a corporate LAN
+# environment with relatively static address assignments.
+#Default:
+# authenticate_ip_ttl 1 second
+
+# ACCESS CONTROLS
+# -----------------------------------------------------------------------------
+
+# TAG: external_acl_type
+# This option defines external acl classes using a helper program
+# to look up the status
+#
+# external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
+#
+# Options:
+#
+# ttl=n TTL in seconds for cached results (defaults to 3600
+# for 1 hour)
+#
+# negative_ttl=n
+# TTL for cached negative lookups (default same
+# as ttl)
+#
+# grace=n Percentage remaining of TTL where a refresh of a
+# cached entry should be initiated without needing to
+# wait for a new reply. (default is for no grace period)
+#
+# cache=n The maximum number of entries in the result cache. The
+# default limit is 262144 entries. Each cache entry usually
+# consumes at least 256 bytes. Squid currently does not remove
+# expired cache entries until the limit is reached, so a proxy
+# will sooner or later reach the limit. The expanded FORMAT
+# value is used as the cache key, so if the details in FORMAT
+# are highly variable, a larger cache may be needed to produce
+# reduction in helper load.
+#
+# children-max=n
+# Maximum number of acl helper processes spawned to service
+# external acl lookups of this type. (default 5)
+#
+# children-startup=n
+# Minimum number of acl helper processes to spawn during
+# startup and reconfigure to service external acl lookups
+# of this type. (default 0)
+#
+# children-idle=n
+# Number of acl helper processes to keep ahead of traffic
+# loads. Squid will spawn this many at once whenever load
+# rises above the capabilities of existing processes.
+# Up to the value of children-max. (default 1)
+#
+# concurrency=n concurrency level per process. Only used with helpers
+# capable of processing more than one query at a time.
+#
+# queue-size=N The queue-size option sets the maximum number of
+# queued requests.
A request is queued when no existing
+# helper can accept it due to concurrency limit and no
+# new helper can be started due to children-max limit.
+# If the queued requests exceed queue size, the acl is
+# ignored. The default value is set to 2*children-max.
+#
+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+#
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
+#
+#
+# FORMAT is a series of %macro codes. See logformat directive for a full list
+# of the accepted codes. Although note that at the time of any external ACL
+# being tested data may not be available and thus some %macro expand to '-'.
+#
+# In addition to the logformat codes; when processing external ACLs these
+# additional macros are made available:
+#
+# %ACL The name of the ACL being tested.
+#
+# %DATA The ACL arguments specified in the referencing config
+# 'acl ... external' line, separated by spaces (an
+# "argument string"). see acl external.
+#
+# If there are no ACL arguments %DATA expands to '-'.
+#
+# If you do not specify a DATA macro inside FORMAT,
+# Squid automatically appends %DATA to your FORMAT.
+# Note that Squid-3.x may expand %DATA to whitespace
+# or nothing in this case.
+#
+# By default, Squid applies URL-encoding to each ACL
+# argument inside the argument string. If an explicit
+# encoding modifier is used (e.g., %#DATA), then Squid
+# encodes the whole argument string as a single token
+# (e.g., with %#DATA, spaces between arguments become
+# %20).
+#
+# If SSL is enabled, the following formating codes become available:
+#
+# %USER_CERT SSL User certificate in PEM format
+# %USER_CERTCHAIN SSL User certificate chain in PEM format
+# %USER_CERT_xx SSL User certificate subject attribute xx
+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
+#
+#
+# NOTE: all other format codes accepted by older Squid versions
+# are deprecated.
+#
+#
+# General request syntax:
+#
+# [channel-ID] FORMAT-values
+#
+#
+# FORMAT-values consists of transaction details expanded with
+# whitespace separation per the config file FORMAT specification
+# using the FORMAT macros listed above.
+#
+# Request values sent to the helper are URL escaped to protect
+# each value in requests against whitespaces.
+#
+# If using protocol=2.5 then the request sent to the helper is not
+# URL escaped to protect against whitespace.
+#
+# NOTE: protocol=3.0 is deprecated as no longer necessary.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+#
+# The helper receives lines expanded per the above format specification
+# and for each input line returns 1 line starting with OK/ERR/BH result
+# code and optionally followed by additional keywords with more details.
+#
+#
+# General result syntax:
+#
+# [channel-ID] result keyword=value ...
+#
+# Result consists of one of the codes:
+#
+# OK
+# the ACL test produced a match.
+#
+# ERR
+# the ACL test does not produce a match.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# The meaning of 'a match' is determined by your squid.conf
+# access control configuration. See the Squid wiki for details.
+#
+# Defined keywords:
+#
+# user= The users name (login)
+#
+# password= The users password (for login= cache_peer option)
+#
+# message= Message describing the reason for this response.
+# Available as %o in error pages.
+# Useful on (ERR and BH results).
+#
+# tag= Apply a tag to a request. Only sets a tag once,
+# does not alter existing tags.
+#
+# log= String to be logged in access.log. Available as
+# %ea in logformat specifications.
+#
+# clt_conn_tag= Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation
+# for this kv-pair.
+#
+# Any keywords may be sent on any response whether OK, ERR or BH.
+#
+# All response keyword values need to be a single token with URL
+# escaping, or enclosed in double quotes (") and escaped using \ on
+# any double quotes or \ characters within the value. The wrapping
+# double quotes are removed before the value is interpreted by Squid.
+# \r and \n are also replace by CR and LF.
+#
+# Some example key values:
+#
+# user=John%20Smith
+# user="John Smith"
+# user="J. \"Bob\" Smith"
+#Default:
+# none
+
+# TAG: acl
+# Defining an Access List
+#
+# Every access list definition must begin with an aclname and acltype,
+# followed by either type-specific arguments or a quoted filename that
+# they are read from.
+#
+# acl aclname acltype argument ...
+# acl aclname acltype "file" ...
+#
+# When using "file", the file should contain one item per line.
+#
+#
+# ACL Options
+#
+# Some acl types supports options which changes their default behaviour:
+#
+# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
+# case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line
+# without -i.
+#
+# -n Disable lookups and address type conversions. If lookup or
+# conversion is required because the parameter type (IP or
+# domain name) does not match the message address type (domain
+# name or IP), then the ACL would immediately declare a mismatch
+# without any warnings or lookups.
+#
+# -m[=delimiters]
+# Perform a list membership test, interpreting values as
+# comma-separated token lists and matching against individual
+# tokens instead of whole values.
+# The optional "delimiters" parameter specifies one or more
+# alternative non-alphanumeric delimiter characters.
+# non-alphanumeric delimiter characters.
+#
+# -- Used to stop processing all options, in the case the first acl
+# value has '-' character as first character (for example the '-'
+# is a valid domain name)
+#
+# Some acl types require suspending the current request in order
+# to access some external data source.
+# Those which do are marked with the tag [slow], those which
+# don't are marked as [fast].
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
+# for further information
+#
+# ***** ACL TYPES AVAILABLE *****
+#
+# acl aclname src ip-address/mask ... # clients IP address [fast]
+# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
+# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
+#
+#if USE_SQUID_EUI
+# acl aclname arp mac-address ...
+# acl aclname eui64 eui64-address ...
+# # [fast]
+# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
+# #
+# # The 'arp' ACL code is not portable to all operating systems.
+# # It works on Linux, Solaris, Windows, FreeBSD, and some other
+# # BSD variants.
+# #
+# # The eui_lookup directive is required to be 'on' (the default)
+# # and Squid built with --enable-eui for MAC/EUI addresses to be
+# # available for this ACL.
+# #
+# # Squid can only determine the MAC/EUI address for IPv4
+# # clients that are on the same subnet. If the client is on a
+# # different subnet, then Squid cannot find out its address.
+# #
+# # IPv6 protocol does not contain ARP. MAC/EUI is either
+# # encoded directly in the IPv6 address or not available.
+#endif
+# acl aclname clientside_mark mark[/mask] ...
+# # matches CONNMARK of an accepted connection [fast]
+# #
+# # mark and mask are unsigned integers (hex, octal, or decimal).
+# # If multiple marks are given, then the ACL matches if at least
+# # one mark matches.
+# #
+# # Uses netfilter-conntrack library.
+# # Requires building Squid with --enable-linux-netfilter.
+# #
+# # The client, various intermediaries, and Squid itself may set
+# # CONNMARK at various times. The last CONNMARK set wins. This ACL
+# # checks the mark present on an accepted connection or set by
+# # Squid afterwards, depending on the ACL check timing. This ACL
+# # effectively ignores any mark set by other agents after Squid has
+# # accepted the connection.
+#
+# acl aclname srcdomain .foo.com ...
+# # reverse lookup, from client IP [slow]
+# acl aclname dstdomain [-n] .foo.com ...
+# # Destination server from URL [fast]
+# acl aclname srcdom_regex [-i] \.foo\.com ...
+# # regex matching client name [slow]
+# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
+# # regex matching server [fast]
+# #
+# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+# # based URL is used and no match is found. The name "none" is used
+# # if the reverse lookup fails.
+#
+# acl aclname src_as number ...
+# acl aclname dst_as number ...
+# # [fast]
+# # Except for access control, AS numbers can be used for
+# # routing of requests to specific caches. Here's an
+# # example for routing all requests for AS#1241 and only
+# # those to mycache.mydomain.net:
+# # acl asexample dst_as 1241
+# # cache_peer_access mycache.mydomain.net allow asexample
+# # cache_peer_access mycache_mydomain.net deny all
+#
+# acl aclname peername myPeer ...
+# acl aclname peername_regex [-i] regex-pattern ...
+# # [fast]
+# # match against a named cache_peer entry
+# # set unique name= on cache_peer lines for reliable use.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# # [fast]
+# # day-abbrevs:
+# # S - Sunday
+# # M - Monday
+# # T - Tuesday
+# # W - Wednesday
+# # H - Thursday
+# # F - Friday
+# # A - Saturday
+# # h1:m1 must be less than h2:m2
+#
+# acl aclname url_regex [-i] ^http:// ...
+# # regex matching on whole URL [fast]
+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+# # regex matching on URL login field
+# acl aclname urlpath_regex [-i] \.gif$ ...
+# # regex matching on URL path [fast]
+#
+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
+# # ranges are alloed
+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
+# # NP: for interception mode this is usually '80'
+#
+# acl aclname myportname 3128 ... # *_port name [fast]
+#
+# acl aclname proto HTTP FTP ... # request protocol [fast]
+#
+# acl aclname method GET POST ... # HTTP request method [fast]
+#
+# acl aclname http_status 200 301 500- 400-403 ...
+# # status code in reply [fast]
+#
+# acl aclname browser [-i] regexp ...
+# # pattern match on User-Agent header (see also req_header below) [fast]
+#
+# acl aclname referer_regex [-i] regexp ...
+# # pattern match on Referer header [fast]
+# # Referer is highly unreliable, so use with care
+#
+# acl aclname ident [-i] username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output [slow]
+# # use REQUIRED to accept any non-null ident.
+#
+# acl aclname proxy_auth [-i] username ...
+# acl aclname proxy_auth_regex [-i] pattern ...
+# # perform http authentication challenge to the client and match against
+# # supplied credentials [slow]
+# #
+# # takes a list of allowed usernames.
+# # use REQUIRED to accept any valid username.
+# #
+# # Will use proxy authentication in forward-proxy scenarios, and plain
+# # http authenticaiton in reverse-proxy scenarios
+# #
+# # NOTE: when a Proxy-Authentication header is sent but it is not
+# # needed during ACL checking the username is NOT logged
+# # in access.log.
+# #
+# # NOTE: proxy_auth requires a EXTERNAL authentication program
+# # to check username/password combinations (see
+# # auth_param directive).
+# #
+# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
+# # as the browser needs to be configured for using a proxy in order
+# # to respond to proxy authentication.
+#
+# acl aclname snmp_community string ...
+# # A community string to limit access to your SNMP Agent [fast]
+# # Example:
+# #
+# # acl snmppublic snmp_community public
+#
+# acl aclname maxconn number
+# # This will be matched when the client's IP address has
+# # more than TCP connections established. [fast]
+# # NOTE: This only measures direct TCP links so X-Forwarded-For
+# # indirect clients are not counted.
+#
+# acl aclname max_user_ip [-s] number
+# # This will be matched when the user attempts to log in from more
+# # than different ip addresses. The authenticate_ip_ttl
+# # parameter controls the timeout on the ip entries. [fast]
+# # If -s is specified the limit is strict, denying browsing
+# # from any further IP addresses until the ttl has expired. Without
+# # -s Squid will just annoy the user by "randomly" denying requests.
+# # (the counter is reset each time the limit is reached and a
+# # request is denied)
+# # NOTE: in acceleration mode or where there is mesh of child proxies,
+# # clients may appear to come from multiple addresses if they are
+# # going through proxy farms, so a limit of 1 may cause user problems.
+#
+# acl aclname random probability
+# # Pseudo-randomly match requests. Based on the probability given.
+# # Probability may be written as a decimal (0.333), fraction (1/3)
+# # or ratio of matches:non-matches (3:5).
+#
+# acl aclname req_mime_type [-i] mime-type ...
+# # regex match against the mime type of the request generated
+# # by the client. Can be used to detect file upload or some
+# # types HTTP tunneling requests [fast]
+# # NOTE: This does NOT match the reply. You cannot use this
+# # to match the returned file type.
+#
+# acl aclname req_header header-name [-i] any\.regex\.here
+# # regex match against any of the known request headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACL [fast]
+#
+# acl aclname rep_mime_type [-i] mime-type ...
+# # regex match against the mime type of the reply received by
+# # squid.
Can be used to detect file download or some
+# # types HTTP tunneling requests. [fast]
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname rep_header header-name [-i] any\.regex\.here
+# # regex match against any of the known reply headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACLs [fast]
+#
+# acl aclname external class_name [arguments...]
+# # external ACL lookup via a helper class defined by the
+# # external_acl_type directive [slow]
+#
+# acl aclname user_cert attribute values...
+# # match against attributes in a user SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ca_cert attribute values...
+# # match against attributes a users issuing CA SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ext_user [-i] username ...
+# acl aclname ext_user_regex [-i] pattern ...
+# # string match on username returned by external acl helper [slow]
+# # use REQUIRED to accept any non-null user name.
+#
+# acl aclname tag tagvalue ...
+# # string match on tag returned by external acl helper [fast]
+# # DEPRECATED. Only the first tag will match with this ACL.
+# # Use the 'note' ACL instead for handling multiple tag values.
+#
+# acl aclname hier_code codename ...
+# # string match against squid hierarchy code(s); [fast]
+# # e.g., DIRECT, PARENT_HIT, NONE, etc.
+# #
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname note [-m[=delimiters]] name [value ...]
+# # match transaction annotation [fast]
+# # Without values, matches any annotation with a given name.
+# # With value(s), matches any annotation with a given name that
+# # also has one of the given values.
+# # If the -m flag is used, then the value of the named
+# # annotation is interpreted as a list of tokens, and the ACL
+# # matches individual name=token pairs rather than whole
+# # name=value pairs. See "ACL Options" above for more info.
+# # Annotation sources include note and adaptation_meta directives
+# # as well as helper and eCAP responses.
+#
+# acl aclname adaptation_service service ...
+# # Matches the name of any icap_service, ecap_service,
+# # adaptation_service_set, or adaptation_service_chain that Squid
+# # has used (or attempted to use) for the master transaction.
+# # This ACL must be defined after the corresponding adaptation
+# # service is named in squid.conf. This ACL is usable with
+# # adaptation_meta because it starts matching immediately after
+# # the service has been selected for adaptation.
+#
+# acl aclname transaction_initiator initiator ...
+# # Matches transaction's initiator [fast]
+# #
+# # Supported initiators are:
+# # esi: matches transactions fetching ESI resources
+# # certificate-fetching: matches transactions fetching
+# # a missing intermediate TLS certificate
+# # cache-digest: matches transactions fetching Cache Digests
+# # from a cache_peer
+# # htcp: matches HTCP requests from peers
+# # icp: matches ICP requests to peers
+# # icmp: matches ICMP RTT database (NetDB) requests to peers
+# # asn: matches asns db requests
+# # internal: matches any of the above
+# # client: matches transactions containing an HTTP or FTP
+# # client request received at a Squid *_port
+# # all: matches any transaction, including internal transactions
+# # without a configurable initiator and hopefully rare
+# # transactions without a known-to-Squid initiator
+# #
+# # Multiple initiators are ORed.
+#
+# acl aclname has component
+# # matches a transaction "component" [fast]
+# #
+# # Supported transaction components are:
+# # request: transaction has a request header (at least)
+# # response: transaction has a response header (at least)
+# # ALE: transaction has an internally-generated Access Log Entry
+# # structure; bugs notwithstanding, all transaction have it
+# #
+# # For example, the following configuration helps when dealing with HTTP
+# # clients that close connections without sending a request header:
+# #
+# # acl hasRequest has request
+# # acl logMe note important_transaction
+# # # avoid "logMe ACL is used in context without an HTTP request" warnings
+# # access_log ... logformat=detailed hasRequest logMe
+# # # log request-less transactions, instead of ignoring them
+# # access_log ... logformat=brief !hasRequest
+# #
+# # Multiple components are not supported for one "acl" rule, but
+# # can be specified (and are ORed) using multiple same-name rules:
+# #
+# # # OK, this strange logging daemon needs request or response,
+# # # but can work without either a request or a response:
+# # acl hasWhatMyLoggingDaemonNeeds has request
+# # acl hasWhatMyLoggingDaemonNeeds has response
+#
+# acl aclname any-of acl1 acl2 ...
+# # match any one of the acls [fast or slow]
+# # The first matching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple any-of lines with the same name are ORed.
+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
+# # acl A any-of a1 a2
+# # acl A any-of a3 a4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# acl aclname all-of acl1 acl2 ...
+# # match all of the acls [fast or slow]
+# # The first mismatching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple all-of lines with the same name are ORed.
+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
+# # acl B all-of b1 b2
+# # acl B all-of b3 b4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# Examples:
+# acl macaddress arp 09:00:2b:23:45:67
+# acl myexample dst_as 1241
+# acl password proxy_auth REQUIRED
+# acl fileupload req_mime_type -i ^multipart/form-data$
+# acl javascript rep_mime_type -i ^application/x-javascript$
+#
+#Default:
+# ACLs all, manager, localhost, and to_localhost are predefined.
+#
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+#acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
+#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
+#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/16 # RFC 1918 local private network (LAN)
+#acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+#acl localnet src fc00::/7 # RFC 4193 local private network range
+#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+# SSL
+acl SSL_ports port 443
+acl SSL_ports port 80
+acl SSL_ports port 21
+acl SSL_ports port 70
+acl SSL_ports port 210
+acl SSL_ports port 1025-65535
+acl SSL_ports port 280
+acl SSL_ports port 488
+acl SSL_ports port 591
+acl SSL_ports port 777
+
+# Ports
+acl Safe_ports port 80
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+acl wp url_regex
^http://s-lb.gsb.lan/* +acl wp2 url_regex ^http://192.168.100.* + +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + +# TAG: follow_x_forwarded_for +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. +# +# Requests may pass through a chain of several other proxies +# before reaching us. 
The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. +# +# If a request reaches us from a source that is allowed by this +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. +# +# The end result of this process is an IP address that we will +# refer to as the indirect client address. This address may +# be treated as the client address for access control, ICAP, delay +# pools and logging, depending on the acl_uses_indirect_client, +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. 
+# +# For example: +# +# acl localhost src 127.0.0.1 +# acl my_other_proxy srcdomain .proxy.example.com +# follow_x_forwarded_for allow localhost +# follow_x_forwarded_for allow my_other_proxy +#Default: +# X-Forwarded-For header will be ignored. + +# TAG: acl_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in acl matching. +# +# NOTE: maxconn ACL considers direct TCP links and indirect +# clients will always have zero. So no match. +#Default: +# acl_uses_indirect_client on + +# TAG: delay_pool_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in delay pools. +#Default: +# delay_pool_uses_indirect_client on + +# TAG: log_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in the access log. +#Default: +# log_uses_indirect_client on + +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. 
+#
+# This clause supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow spoofing on all TPROXY traffic.
+
+# TAG: http_access
+# Allowing or Denying access based on defined access lists
+#
+# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
+# http_access allow|deny [!]aclname ...
+#
+# NOTE on default values:
+#
+# If there are no "access" lines present, the default is to deny
+# the request.
+#
+# If none of the "access" lines cause a match, the default is the
+# opposite of the last line in the list. If the last line was
+# deny, the default is allow. Conversely, if the last line
+# is allow, the default will be deny. For these reasons, it is a
+# good idea to have an "deny all" entry at the end of your access
+# lists to avoid potential confusion.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# Deny, unless rules exist in squid.conf.
+#
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localnet
+#http_access allow localnet
+http_access allow localhost
+http_access allow wp
+http_access allow wp2
+# And finally deny all other access to this proxy
+http_access deny all
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+include /etc/squid/conf.d/*
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed + + +# TAG: adapted_http_access +# Allowing or Denying access based on defined access lists +# +# Essentially identical to http_access, but runs after redirectors +# and ICAP/eCAP adaptation. Allowing access control based on their +# output. +# +# If not set then only http_access is used. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: http_reply_access +# Allow replies to client requests. This is complementary to http_access. +# +# http_reply_access allow|deny [!] aclname ... +# +# NOTE: if there are no access lines present, the default is to allow +# all replies. +# +# If none of the access lines cause a match the opposite of the +# last line will apply. Thus it is good practice to end the rules +# with an "allow all" or "deny all" entry. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: icp_access +# Allowing or Denying access to the ICP port based on defined +# access lists +# +# icp_access allow|deny [!]aclname ... +# +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow ICP queries from local networks only +##icp_access allow localnet +##icp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_access +# Allowing or Denying access to the HTCP port based on defined +# access lists +# +# htcp_access allow|deny [!]aclname ... +# +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. +# +# NOTE: The default if no htcp_access lines are present is to +# deny all traffic. 
This default may cause problems with peers +# using the htcp option. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP queries from local networks only +##htcp_access allow localnet +##htcp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_clr_access +# Allowing or Denying access to purge content using HTCP based +# on defined access lists. +# See htcp_access for details on general HTCP access control. +# +# htcp_clr_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP CLR requests from trusted peers +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 +#htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: miss_access +# Determines whether network access is permitted when satisfying a request. +# +# For example; +# to force your neighbors to use you as a sibling instead of +# a parent. +# +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 +# miss_access deny !localclients +# miss_access allow all +# +# This means only your local clients are allowed to fetch relayed/MISS +# replies from the network and all other clients can only fetch cached +# objects (HITs). +# +# The default for this setting allows all clients who passed the +# http_access rules to relay via this proxy. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: ident_lookup_access +# A list of ACL elements which, if matched, cause an ident +# (RFC 931) lookup to be performed for this request. For +# example, you might choose to always perform ident lookups +# for your main multi-user Unix boxes, but not for your Macs +# and PCs. 
By default, ident lookups are not performed for +# any requests. +# +# To enable ident lookups for specific client addresses, you +# can follow this example: +# +# acl ident_aware_hosts src 198.168.1.0/24 +# ident_lookup_access allow ident_aware_hosts +# ident_lookup_access deny all +# +# Only src type ACL checks are fully supported. A srcdomain +# ACL might work at times, but it will not always provide +# the correct result. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Unless rules exist in squid.conf, IDENT is not fetched. + +# TAG: reply_body_max_size size [acl acl...] +# This option specifies the maximum size of a reply body. It can be +# used to prevent users from downloading very large files, such as +# MP3's and movies. When the reply headers are received, the +# reply_body_max_size lines are processed, and the first line where +# all (if any) listed ACLs are true is used as the maximum body size +# for this reply. +# +# This size is checked twice. First when we get the reply headers, +# we check the content-length value. If the content length value exists +# and is larger than the allowed size, the request is denied and the +# user receives an error message that says "the request or reply +# is too large." If there is no content-length, and the reply +# size exceeds this limit, the client's connection is just closed +# and they will receive a partial reply. +# +# WARNING: downstream caches probably can not detect a partial reply +# if there is no content-length header, so they will cache +# partial responses and give them out as hits. You should NOT +# use this option if you have downstream caches. +# +# WARNING: A maximum size smaller than the size of squid's error messages +# will cause an infinite loop and crash squid. Ensure that the smallest +# non-zero value you use is greater that the maximum header size plus +# the size of your largest error page. 
+# +# If you set this parameter none (the default), there will be +# no limit imposed. +# +# Configuration Format is: +# reply_body_max_size SIZE UNITS [acl ...] +# ie. +# reply_body_max_size 10 MB +# +#Default: +# No limit is applied. + +# TAG: on_unsupported_protocol +# Determines Squid behavior when encountering strange requests at the +# beginning of an accepted TCP connection or the beginning of a bumped +# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is +# especially useful in interception environments where Squid is likely +# to see connections for unsupported protocols that Squid should either +# terminate or tunnel at TCP level. +# +# on_unsupported_protocol [!]acl ... +# +# The first matching action wins. Only fast ACLs are supported. +# +# Supported actions are: +# +# tunnel: Establish a TCP connection with the intended server and +# blindly shovel TCP packets between the client and server. +# +# respond: Respond with an error message, using the transfer protocol +# for the Squid port that received the request (e.g., HTTP +# for connections intercepted at the http_port). This is the +# default. +# +# Squid expects the following traffic patterns: +# +# http_port: a plain HTTP request +# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request +# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!) +# CONNECT tunnel on http_port: same as https_port +# CONNECT tunnel on https_port: same as https_port +# +# Currently, this directive has effect on intercepted connections and +# bumped tunnels only. Other cases are not supported because Squid +# cannot know the intended destination of other traffic. 
+# +# For example: +# # define what Squid errors indicate receiving non-HTTP traffic: +# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG +# # define what Squid errors indicate receiving nothing: +# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT +# # tunnel everything that does not look like HTTP: +# on_unsupported_protocol tunnel foreignProtocol +# # tunnel if we think the client waits for the server to talk first: +# on_unsupported_protocol tunnel serverTalksFirstProtocol +# # in all other error cases, just send an HTTP "error page" response: +# on_unsupported_protocol respond all +# +# See also: squid_error ACL +#Default: +# Respond with an error message to unidentifiable traffic + +# NETWORK OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: http_port +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] +# +# The socket addresses where Squid will listen for HTTP client +# requests. You may specify multiple socket addresses. +# There are three forms: port alone, hostname with port, and +# IP address with port. If you specify a hostname or IP +# address, Squid binds the socket to that specific +# address. Most likely, you do not need to bind to a specific +# address, so you can use the port number alone. +# +# If you are running Squid in accelerator mode, you +# probably want to listen on port 80 also, or instead. +# +# The -a command line option may be used to specify additional +# port(s) where Squid listens for proxy request. Such ports will +# be plain proxy ports with no options. +# +# You may specify multiple socket addresses on multiple lines. +# +# Modes: +# +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. +# +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. 
+# NP: disables authentication on the port. +# +# accel Accelerator / reverse proxy mode +# +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. +# +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 +# +# vport Virtual host port support. Using the http_port number +# instead of the port passed on Host: headers. +# +# vport=NN Virtual host port support. Using the specified port +# number instead of the port passed on Host: headers. +# +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. +# +# ignore-cc Ignore request Cache-Control headers. +# +# WARNING: This option violates HTTP specifications if +# used in non-accelerator setups. +# +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. 
Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when ssl-bump is used. +# See the ssl-bump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# TLS / SSL Options: +# +# tls-cert= Path to file containing an X.509 certificate (PEM format) +# to be used in the TLS handshake ServerHello. +# +# If this certificate is constrained by KeyUsage TLS +# feature it must allow HTTP server usage, along with +# any additional restrictions imposed by your choice +# of options= settings. +# +# When OpenSSL is used this file may also contain a +# chain of intermediate CA certificates to send in the +# TLS handshake. +# +# When GnuTLS is used this option (and any paired +# tls-key= option) may be repeated to load multiple +# certificates for different domains. +# +# Also, when generate-host-certificates=on is configured +# the first tls-cert= option must be a CA certificate +# capable of signing the automatically generated +# certificates. +# +# tls-key= Path to a file containing private key file (PEM format) +# for the previous tls-cert= option. +# +# If tls-key= is not specified tls-cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. 
+# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# NO_TLSv1 Disallow the use of TLSv1.0 +# +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# client certificates. If not configured clientca will be +# used. May be repeated to load multiple files. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# Requires OpenSSL or LibreSSL. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. 
Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is OFF. +# +# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# +# connection-auth[=on|off] +# use connection-auth=off to tell Squid to prevent +# forwarding Microsoft connection oriented authentication +# (NTLM, Negotiate and Kerberos) +# +# disable-pmtu-discovery= +# Control Path-MTU discovery usage: +# off lets OS decide on what to do (default). +# transparent disable PMTU discovery when transparent +# support is enabled. +# always disable always PMTU discovery. +# +# In many setups of transparently intercepting proxies +# Path-MTU discovery can not work on traffic towards the +# clients. This is the case when the intercepting device +# does not fully track connections and fails to forward +# ICMP must fragment messages to the cache server. If you +# have such setup and experience that certain clients +# sporadically hang or never complete requests set +# disable-pmtu-discovery option to 'transparent'. +# +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) +# +# tcpkeepalive[=idle,interval,timeout] +# Enable TCP keepalive probes of idle connections. 
+# In seconds; idle is the initial time before TCP starts
+# probing the connection, interval how often to probe, and
+# timeout the time before giving up.
+#
+# require-proxy-header
+# Require PROXY protocol version 1 or 2 connections.
+# The proxy_protocol_access is required to whitelist
+# downstream proxies which can be trusted.
+#
+# If you run Squid on a dual-homed machine with an internal
+# and an external interface we recommend you to specify the
+# internal address:port in http_port. This way Squid will only be
+# visible on the internal address.
+#
+#
+
+# Squid normally listens to port 3128
+http_port 8080
+
+# TAG: https_port
+# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
+#
+# The socket address where Squid will listen for client requests made
+# over TLS or SSL connections. Commonly referred to as HTTPS.
+#
+# This is most useful for situations where you are running squid in
+# accelerator mode and you want to do the TLS work at the accelerator
+# level.
+#
+# You may specify multiple socket addresses on multiple lines,
+# each with their own certificate and/or options.
+#
+# The tls-cert= option is mandatory on HTTPS ports.
+#
+# See http_port for a list of modes and options.
+#Default:
+# none
+
+# TAG: ftp_port
+# Enables Native FTP proxy by specifying the socket address where Squid
+# listens for FTP client requests. See http_port directive for various
+# ways to specify the listening address and mode.
+#
+# Usage: ftp_port address [mode] [options]
+#
+# WARNING: This is a new, experimental, complex feature that has seen
+# limited production exposure. Some Squid modules (e.g., caching) do not
+# currently work with native FTP proxying, and many features have not
+# even been tested for compatibility. Test well before deploying!
+# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). +# +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). 
+# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. +#Default: +# none + +# TAG: tcp_outgoing_tos +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. +# +# tcp_outgoing_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_tos 0x00 normal_service_net +# tcp_outgoing_tos 0x20 good_service_net +# +# TOS/DSCP values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_tos +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. 
+# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: qos_flows +# Allows you to select a TOS/DSCP value to mark outgoing +# connections to the client, based on where the reply was sourced. 
+# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. +# +# TOS values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values +# +# local-hit=0xFF Value to mark local cache hits. +# +# sibling-hit=0xFF Value to mark hits from sibling peers. +# +# parent-hit=0xFF Value to mark hits from parent peers. +# +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. +# +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. 
+# +# disable-preserve-miss +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). +# +# miss-mask=0xFF +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). +# +#Default: +# none + +# TAG: tcp_outgoing_address +# Allows you to map requests to different outgoing IP addresses +# based on the username or source address of the user making +# the request. +# +# tcp_outgoing_address ipaddr [[!]aclname] ... +# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 +# +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net +# +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net +# +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. 
+# +# +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. +# +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. 
+# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. 
+# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on + +# TLS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: tls_outgoing_options +# disable Do not support https:// URLs. +# +# cert=/path/to/client/certificate +# A client X.509 certificate to use when connecting. +# +# key=/path/to/client/private_key +# The private key corresponding to the cert= above. +# +# If key= is not specified cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# cipher=... The list of valid TLS ciphers to use. +# +# min-version=1.N +# The minimum TLS protocol version to permit. +# To control SSLv3 use the options= parameter. +# Supported Values: 1.0 (default), 1.1, 1.2 +# +# options=... Specify various TLS/SSL implementation options. +# +# OpenSSL options most important are: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation +# for a more complete list. +# +# GnuTLS options most important are: +# +# %NO_TICKETS +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# See the GnuTLS Priority Strings documentation +# for a more complete list. 
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings +# +# +# cafile= PEM file containing CA certificates to use when verifying +# the peer certificate. May be repeated to load multiple files. +# +# capath= A directory containing additional CA certificates to +# use when verifying the peer certificate. +# Requires OpenSSL or LibreSSL. +# +# crlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# flags=... Specify various flags modifying the TLS implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# domain= The peer name as advertised in its certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +#Default: +# tls_outgoing_options min-version=1.0 + +# SSL OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ssl_unclean_shutdown +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Some browsers (especially MSIE) bugs out on SSL shutdown +# messages. +#Default: +# ssl_unclean_shutdown off + +# TAG: ssl_engine +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The OpenSSL engine to use. You will need to set this if you +# would like to use hardware SSL acceleration for example. 
+#Default: +# none + +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. +# +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. 
+#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# When used on step SslBump1, establishes a secure connection +# with the client first, then connect to the server. +# When used on step SslBump2 or SslBump3, establishes a secure +# connection with the server and, using a mimicked server +# certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. 
Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# +# +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. +# +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all +#Default: +# Become a TCP tunnel without decrypting proxied traffic. + +# TAG: sslproxy_cert_error +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Use this ACL to bypass server certificate validation errors. +# +# For example, the following lines will bypass all validation errors +# when talking to servers for example.com. All other +# validation errors will result in ERR_SECURE_CONNECT_FAIL error. +# +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers +# sslproxy_cert_error deny all +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+# Using slow acl types may result in server crashes +# +# Without this option, all server certificate validation errors +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. +# +# See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. 
+# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. 
In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslpassword_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify a program used for entering SSL key passphrases +# when using encrypted SSL certificate keys. If not specified +# keys must either be unencrypted, or Squid started with the -N +# option to allow it to query interactively for the passphrase. +# +# The key file name is given as argument to the program allowing +# selection of the right password if you have multiple encrypted +# keys. +#Default: +# none + +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- + +# TAG: sslcrtd_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specify the location and options of the executable for certificate +# generator. +# +# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response +# times on repeated requests. To enable caching, specify -s and -M +# parameters. If those parameters are not given, the program generates +# a new certificate on every request. +# +# For more information use: +# /usr/lib/squid/security_file_certgen -h +#Default: +# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB + +# TAG: sslcrtd_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specifies the maximum number of certificate generation processes that +# Squid may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. Squid +# does not support spawning more than 32 helpers. 
+# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child is idle and no new child can be started due to +# numberofchildren limit. If the queued requests exceed queue size for +# more than 3 minutes squid aborts its operation. The default value is +# set to 2*numberofchildren. +# +# You must have at least one ssl_crtd process. +#Default: +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specifies the maximum number of certificate validation processes that +# Squid may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. 
Using too many helpers wastes your system resources. Squid +# does not support spawning more than 32 helpers. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child can accept it due to concurrency limit and no new +# child can be started due to numberofchildren limit. If the queued +# requests exceed queue size for more than 3 minutes squid aborts its +# operation. The default value is set to 2*numberofchildren. +# +# You must have at least one ssl_crt_validator process. 
+#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 + +# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM +# ----------------------------------------------------------------------------- + +# TAG: cache_peer +# To specify other caches in a hierarchy, use the format: +# +# cache_peer hostname type http-port icp-port [options] +# +# For example, +# +# # proxy icp +# # hostname type port port options +# # -------------------- -------- ----- ----- ----------- +# cache_peer parent.foo.net parent 3128 3130 default +# cache_peer sib1.foo.net sibling 3128 3130 proxy-only +# cache_peer sib2.foo.net sibling 3128 3130 proxy-only +# cache_peer example.com parent 80 0 default +# cache_peer cdn.example.com sibling 3128 0 +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy-port: The port number where the peer accept HTTP requests. +# For other Squid proxies this is usually 3128 +# For web servers this is usually 80 +# +# icp-port: Used for querying neighbor caches about objects. +# Set to 0 if the peer does not support ICP or HTCP. +# See ICP and HTCP options below for additional details. +# +# +# ==== ICP OPTIONS ==== +# +# You MUST also set icp_port and icp_access explicitly when using these options. +# The defaults will prevent peer traffic using ICP. +# +# +# no-query Disable ICP queries to this neighbor. +# +# multicast-responder +# Indicates the named peer is a member of a multicast group. +# ICP queries will not be sent directly to the peer, but ICP +# replies will be accepted from it. +# +# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward +# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. +# +# background-ping +# To only send ICP queries to this neighbor infrequently. +# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. 
+# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. This directive accepts a comma separated +# list of options described below. +# +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). +# +# htcp=no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# only-clr. +# +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. +# +# htcp=no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp=forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. +# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. +# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. 
+# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. +# +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a multicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. +# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. 
+#
+# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
+#
+# originserver Causes this parent to be contacted as an origin server.
+# Meant to be used in accelerator setups when the peer
+# is a web server.
+#
+# forceddomain=name
+# Set the Host header of requests forwarded to this peer.
+# Useful in accelerator setups where the server (peer)
+# expects a certain domain name but clients may request
+# others. ie example.com or www.example.com
+#
+# no-digest Disable request of cache digests.
+#
+# no-netdb-exchange
+# Disables requesting ICMP RTT database (NetDB).
+#
+#
+# ==== AUTHENTICATION OPTIONS ====
+#
+# login=user:password
+# If this is a personal/workgroup proxy and your parent
+# requires proxy authentication.
+#
+# Note: The string can include URL escapes (i.e. %20 for
+# spaces). This also means % must be written as %%.
+#
+# login=PASSTHRU
+# Send login details received from client to this peer.
+# Both Proxy- and WWW-Authorization headers are passed
+# without alteration to the peer.
+# Authentication is not required by Squid for this to work.
+#
+# Note: This will pass any form of authentication but
+# only Basic auth will work through a proxy unless the
+# connection-auth options are also used.
+#
+# login=PASS Send login details received from client to this peer.
+# Authentication is not required by this option.
+#
+# If there are no client-provided authentication headers
+# to pass on, but username and password are available
+# from an external ACL user= and password= result tags
+# they may be sent instead.
+#
+# Note: To combine this with proxy_auth both proxies must
+# share the same user database as HTTP only allows for
+# a single login (one for proxy, one for origin server).
+# Also be warned this will expose your users proxy
+# password to the peer. USE WITH CAUTION
+#
+# login=*:password
+# Send the username to the upstream cache, but with a
+# fixed password. This is meant to be used when the peer
+# is in another administrative domain, but it is still
+# needed to identify each user.
+# The star can optionally be followed by some extra
+# information which is added to the username. This can
+# be used to identify this proxy to the peer, similar to
+# the login=username:password option above.
+#
+# login=NEGOTIATE
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The first principal from the default keytab or defined by
+# the environment variable KRB5_KTNAME will be used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# login=NEGOTIATE:principal_name
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The principal principal_name from the default keytab or
+# defined by the environment variable KRB5_KTNAME will be
+# used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# connection-auth=on|off
+# Tell Squid that this peer does or not support Microsoft
+# connection oriented authentication, and any such
+# challenges received from there should be ignored.
+# Default is auto to automatically determine the status
+# of the peer.
+#
+# auth-no-keytab
+# Do not use a keytab to authenticate to a peer when
+# login=NEGOTIATE is specified. Let the GSSAPI
+# implementation determine which already existing
+# credentials cache to use instead.
+#
+#
+# ==== SSL / HTTPS / TLS OPTIONS ====
+#
+# tls Encrypt connections to this peer with TLS.
+#
+# sslcert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this peer.
+#
+# sslkey=/path/to/ssl/key
+# The private key corresponding to sslcert above.
+#
+# If sslkey= is not specified sslcert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# sslcipher=... The list of valid SSL ciphers to use when connecting
+# to this peer.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various TLS implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the peer certificate. May be repeated to load multiple files.
+#
+# sslcapath=... A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# sslcrlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# sslflags=... Specify various flags modifying the SSL implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+#
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# ssldomain= The peer name as advertised in it's certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#
+# front-end-https[=off|on|auto]
+# Enable the "Front-End-Https: On" header needed when
+# using Squid as a SSL frontend in front of Microsoft OWA.
+# See MS KB document Q307347 for details on this header.
+# If set to auto the header will only be added if the
+# request is forwarded as a https:// URL.
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+#
+# ==== GENERAL OPTIONS ====
+#
+# connect-timeout=N
+# A peer-specific connect timeout.
+# Also see the peer_connect_timeout directive.
+#
+# connect-fail-limit=N
+# How many times connecting to a peer must fail before
+# it is marked as down. Standby connection failures
+# count towards this limit. Default is 10.
+#
+# allow-miss Disable Squid's use of only-if-cached when forwarding
+# requests to siblings. This is primarily useful when
+# icp_hit_stale is used by the sibling. Excessive use
+# of this option may result in forwarding loops. One way
+# to prevent peering loops when using this option, is to
+# deny cache peer usage on requests from a peer:
+# acl fromPeer ...
+# cache_peer_access peerName deny fromPeer
+#
+# max-conn=N Limit the number of concurrent connections the Squid
+# may open to this peer, including already opened idle
+# and standby connections. There is no peer-specific
+# connection limit by default.
+#
+# A peer exceeding the limit is not used for new
+# requests unless a standby connection is available.
+#
+# max-conn currently works poorly with idle persistent
+# connections: When a peer reaches its max-conn limit,
+# and there are idle persistent connections to the peer,
+# the peer may not be selected because the limiting code
+# does not know whether Squid can reuse those idle
+# connections.
+#
+# standby=N Maintain a pool of N "hot standby" connections to an
+# UP peer, available for requests when no idle
+# persistent connection is available (or safe) to use.
+# By default and with zero N, no such pool is maintained.
+# N must not exceed the max-conn limit (if any).
+#
+# At start or after reconfiguration, Squid opens new TCP
+# standby connections until there are N connections
+# available and then replenishes the standby pool as
+# opened connections are used up for requests. A used
+# connection never goes back to the standby pool, but
+# may go to the regular idle persistent connection pool
+# shared by all peers and origin servers.
+#
+# Squid never opens multiple new standby connections
+# concurrently. This one-at-a-time approach minimizes
+# flooding-like effect on peers. Furthermore, just a few
+# standby connections should be sufficient in most cases
+# to supply most new requests with a ready-to-use
+# connection.
+#
+# Standby connections obey server_idle_pconn_timeout.
+# For the feature to work as intended, the peer must be
+# configured to accept and keep them open longer than
+# the idle timeout at the connecting Squid, to minimize
+# race conditions typical to idle used persistent
+# connections. Default request_timeout and
+# server_idle_pconn_timeout values ensure such a
+# configuration.
+#
+# name=xxx Unique name for the peer.
+# Required if you have multiple peers on the same host
+# but different ports.
+# This name can be used in cache_peer_access and similar
+# directives to identify the peer.
+# Can be used by outgoing access controls through the
+# peername ACL type.
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
+#Default:
+# none
+
+# TAG: cache_peer_access
+# Restricts usage of cache_peer proxies.
+#
+# Usage:
+# cache_peer_access peer-name allow|deny [!]aclname ...
+#
+# For the required peer-name parameter, use either the value of the
+# cache_peer name=value parameter or, if name=value is missing, the
+# cache_peer hostname parameter.
+#
+# This directive narrows down the selection of peering candidates, but
+# does not determine the order in which the selected candidates are
+# contacted. That order is determined by the peer selection algorithms
+# (see PEER SELECTION sections in the cache_peer documentation).
+#
+# If a deny rule matches, the corresponding peer will not be contacted
+# for the current transaction -- Squid will not send ICP queries and
+# will not forward HTTP requests to that peer. An allow match leaves
+# the corresponding peer in the selection. The first match for a given
+# peer wins for that peer.
+#
+# The relative order of cache_peer_access directives for the same peer
+# matters. The relative order of any two cache_peer_access directives
+# for different peers does not matter. To ease interpretation, it is a
+# good idea to group cache_peer_access directives for the same peer
+# together.
+#
+# A single cache_peer_access directive may be evaluated multiple times
+# for a given transaction because individual peer selection algorithms
+# may check it independently from each other. These redundant checks
+# may be optimized away in future Squid versions.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# No peer usage restrictions.
+
+# TAG: neighbor_type_domain
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
+#
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
+#
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
+#Default:
+# The peer type from cache_peer directive is used for all requests to that peer.
+
+# TAG: dead_peer_timeout (seconds)
+# This controls how long Squid waits to declare a peer cache
+# as "dead." If there are no ICP replies received in this
+# amount of time, Squid will declare the peer dead and not
+# expect to receive any further ICP replies. However, it
+# continues to send ICP queries, and will mark the peer as
+# alive upon receipt of the first subsequent ICP reply.
+#
+# This timeout also affects when Squid expects to receive ICP
+# replies from peers. If more than 'dead_peer' seconds have
+# passed since the last ICP reply was received, Squid will not
+# expect to receive an ICP reply on the next query. Thus, if
+# your time between requests is greater than this timeout, you
+# will see a lot of requests sent DIRECT to origin servers
+# instead of to your parents.
+#Default:
+# dead_peer_timeout 10 seconds
+
+# TAG: forward_max_tries
+# Limits the number of attempts to forward the request.
+#
+# For the purpose of this limit, Squid counts all high-level request
+# forwarding attempts, including any same-destination retries after
+# certain persistent connection failures and any attempts to use a
+# different peer. However, low-level connection reopening attempts
+# (enabled using connect_retries) are not counted.
+#
+# See also: forward_timeout and connect_retries.
+#Default:
+# forward_max_tries 25
+
+# MEMORY CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mem (bytes)
+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+#
+# 'cache_mem' specifies the ideal amount of memory to be used
+# for:
+# * In-Transit objects
+# * Hot Objects
+# * Negative-Cached objects
+#
+# Data for these objects are stored in 4 KB blocks. This
+# parameter specifies the ideal upper limit on the total size of
+# 4 KB blocks allocated. In-Transit objects take the highest
+# priority.
+#
+# In-transit objects have priority over the others. When
+# additional space is needed for incoming data, negative-cached
+# and hot objects will be released. In other words, the
+# negative-cached and hot objects will fill up any unused space
+# not needed for in-transit objects.
+#
+# If circumstances require, this limit will be exceeded.
+# Specifically, if your incoming request rate requires more than
+# 'cache_mem' of memory to hold in-transit objects, Squid will
+# exceed this limit to satisfy the new requests. When the load
+# decreases, blocks will be freed until the high-water mark is
+# reached. Thereafter, blocks will be used to store hot
+# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
+#Default:
+# cache_mem 256 MB
+
+# TAG: maximum_object_size_in_memory (bytes)
+# Objects greater than this size will not be attempted to kept in
+# the memory cache. This should be set high enough to keep objects
+# accessed frequently in memory to improve performance whilst low
+# enough to keep larger objects from hoarding cache_mem.
+#Default:
+# maximum_object_size_in_memory 512 KB
+
+# TAG: memory_cache_shared on|off
+# Controls whether the memory cache is shared among SMP workers.
+#
+# The shared memory cache is meant to occupy cache_mem bytes and replace
+# the non-shared memory cache, although some entities may still be
+# cached locally by workers for now (e.g., internal and in-transit
+# objects may be served from a local memory cache even if shared memory
+# caching is enabled).
+#
+# By default, the memory cache is shared if and only if all of the
+# following conditions are satisfied: Squid runs in SMP mode with
+# multiple workers, cache_mem is positive, and Squid environment
+# supports required IPC primitives (e.g., POSIX shared memory segments
+# and GCC-style atomic operations).
+#
+# To avoid blocking locks, shared memory uses opportunistic algorithms
+# that do not guarantee that every cachable entity that could have been
+# shared among SMP workers will actually be shared.
+#Default:
+# "on" where supported if doing memory caching with multiple SMP workers.
+
+# TAG: memory_cache_mode
+# Controls which objects to keep in the memory cache (cache_mem)
+#
+# always Keep most recently fetched objects in memory (default)
+#
+# disk Only disk cache hits are kept in memory, which means
+# an object must first be cached on disk and then hit
+# a second time before cached in memory.
+#
+# network Only objects fetched from network is kept in memory
+#Default:
+# Keep the most recently fetched objects in memory
+
+# TAG: memory_replacement_policy
+# The memory replacement policy parameter determines which
+# objects are purged from memory when memory space is needed.
+#
+# See cache_replacement_policy for details on algorithms.
+#Default:
+# memory_replacement_policy lru
+
+# DISK CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_replacement_policy
+# The cache replacement policy parameter determines which
+# objects are evicted (replaced) when disk space is needed.
+#
+# lru : Squid's original list based LRU policy
+# heap GDSF : Greedy-Dual Size Frequency
+# heap LFUDA: Least Frequently Used with Dynamic Aging
+# heap LRU : LRU policy implemented using a heap
+#
+# Applies to any cache_dir lines listed below this directive.
+#
+# The LRU policies keeps recently referenced objects.
+#
+# The heap GDSF policy optimizes object hit rate by keeping smaller
+# popular objects in cache so it has a better chance of getting a
+# hit. It achieves a lower byte hit rate than LFUDA though since
+# it evicts larger (possibly popular) objects.
+#
+# The heap LFUDA policy keeps popular objects in cache regardless of
+# their size and thus optimizes byte hit rate at the expense of
+# hit rate since one large, popular object will prevent many
+# smaller, slightly less popular objects from being cached.
+#
+# Both policies utilize a dynamic aging mechanism that prevents
+# cache pollution that can otherwise occur with frequency-based
+# replacement policies.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# the value of maximum_object_size above its default of 4 MB to
+# to maximize the potential byte hit rate improvement of LFUDA.
+#
+# For more information about the GDSF and LFUDA cache replacement
+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+#Default:
+# cache_replacement_policy lru
+
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in bytes, and the default is 0 KB, which
+# means all responses can be stored.
+#Default:
+# no limit
+
+# TAG: maximum_object_size (bytes)
+# Set the default value for max-size parameter on any cache_dir.
+# The value is specified in bytes, and the default is 4 MB.
+#
+# If you wish to get a high BYTES hit ratio, you should probably
+# increase this (one 32 MB object hit counts for 3200 10KB
+# hits).
+#
+# If you wish to increase hit ratio more than you want to
+# save bandwidth you should leave this low.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# this value to maximize the byte hit rate improvement of LFUDA!
+# See cache_replacement_policy for a discussion of this policy.
+#Default:
+# maximum_object_size 4 MB
+
+# TAG: cache_dir
+# Format:
+# cache_dir Type Directory-Name Fs-specific-data [options]
+#
+# You can specify multiple cache_dir lines to spread the
+# cache among different disk partitions.
+#
+# Type specifies the kind of storage system to use. Only "ufs"
+# is built by default. To enable any of the other storage systems
+# see the --enable-storeio configure option.
+#
+# 'Directory' is a top-level directory where cache swap
+# files will be stored. If you want to use an entire disk
+# for caching, this can be the mount-point directory.
+# The directory must exist and be writable by the Squid
+# process. Squid will NOT create this directory for you.
+#
+# In SMP configurations, cache_dir must not precede the workers option
+# and should use configuration macros or conditionals to give each
+# worker interested in disk caching a dedicated cache directory.
+#
+#
+# ==== The ufs store type ====
+#
+# "ufs" is the old well-known Squid storage format that has always
+# been there.
+#
+# Usage:
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+#
+# 'Mbytes' is the amount of disk space (MB) to use under this
+# directory. The default is 100 MB. Change this to suit your
+# configuration. Do NOT put the size of your disk drive here.
+# Instead, if you want Squid to use the entire disk drive,
+# subtract 20% and use that value.
+#
+# 'L1' is the number of first-level subdirectories which
+# will be created under the 'Directory'. The default is 16.
+#
+# 'L2' is the number of second-level subdirectories which
+# will be created under each first-level directory. The default
+# is 256.
+#
+#
+# ==== The aufs store type ====
+#
+# "aufs" uses the same storage format as "ufs", utilizing
+# POSIX-threads to avoid blocking the main Squid process on
+# disk-I/O. This was formerly known in Squid as async-io.
+#
+# Usage:
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+#
+# see argument descriptions under ufs above
+#
+#
+# ==== The diskd store type ====
+#
+# "diskd" uses the same storage format as "ufs", utilizing a
+# separate process to avoid blocking the main Squid process on
+# disk-I/O.
+#
+# Usage:
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+#
+# see argument descriptions under ufs above
+#
+# Q1 specifies the number of unacknowledged I/O requests when Squid
+# stops opening new files. If this many messages are in the queues,
+# Squid won't open new files. Default is 64
+#
+# Q2 specifies the number of unacknowledged messages when Squid
+# starts blocking. If this many messages are in the queues,
+# Squid blocks until it receives some replies. Default is 72
+#
+# When Q1 < Q2 (the default), the cache directory is optimized
+# for lower response time at the expense of a decrease in hit
+# ratio. If Q1 > Q2, the cache directory is optimized for
+# higher hit ratio at the expense of an increase in response
+# time.
+#
+#
+# ==== The rock store type ====
+#
+# Usage:
+# cache_dir rock Directory-Name Mbytes [options]
+#
+# The Rock Store type is a database-style storage. All cached
+# entries are stored in a "database" file, using fixed-size slots.
+# A single entry occupies one or more slots.
+#
+# If possible, Squid using Rock Store creates a dedicated kid
+# process called "disker" to avoid blocking Squid worker(s) on disk
+# I/O. One disker kid is created for each rock cache_dir. Diskers
+# are created only when Squid, running in daemon mode, has support
+# for the IpcIo disk I/O module.
+#
+# swap-timeout=msec: Squid will not start writing a miss to or
+# reading a hit from disk if it estimates that the swap operation
+# will take more than the specified number of milliseconds. By
+# default and when set to zero, disables the disk I/O time limit
+# enforcement. Ignored when using blocking I/O module because
+# blocking synchronous I/O does not allow Squid to estimate the
+# expected swap wait time.
+#
+# max-swap-rate=swaps/sec: Artificially limits disk access using
+# the specified I/O rate limit. Swap out requests that
+# would cause the average I/O rate to exceed the limit are
+# delayed. Individual swap in requests (i.e., hits or reads) are
+# not delayed, but they do contribute to measured swap rate and
+# since they are placed in the same FIFO queue as swap out
+# requests, they may wait longer if max-swap-rate is smaller.
+# This is necessary on file systems that buffer "too
+# many" writes and then start blocking Squid and other processes
+# while committing those writes to disk. Usually used together
+# with swap-timeout to avoid excessive delays and queue overflows
+# when disk demand exceeds available disk "bandwidth". By default
+# and when set to zero, disables the disk I/O rate limit
+# enforcement. Currently supported by IpcIo module only.
+#
+# slot-size=bytes: The size of a database "record" used for
+# storing cached responses. A cached response occupies at least
+# one slot and all database I/O is done using individual slots so
+# increasing this parameter leads to more disk space waste while
+# decreasing it leads to more disk I/O overheads. Should be a
+# multiple of your operating system I/O page size. Defaults to
+# 16KBytes. A housekeeping header is stored with each slot and
+# smaller slot-sizes will be rejected. The header is smaller than
+# 100 bytes.
+#
+#
+# ==== COMMON OPTIONS ====
+#
+# no-store no new objects should be stored to this cache_dir.
+#
+# min-size=n the minimum object size in bytes this cache_dir
+# will accept. It's used to restrict a cache_dir
+# to only store large objects (e.g. AUFS) while
+# other stores are optimized for smaller objects
+# (e.g. Rock).
+# Defaults to 0.
+#
+# max-size=n the maximum object size in bytes this cache_dir
+# supports.
+# The value in maximum_object_size directive sets
+# the default unless more specific details are
+# available (ie a small store capacity).
+#
+# Note: To make optimal use of the max-size limits you should order
+# the cache_dir lines with the smallest max-size value first.
+#
+#Default:
+# No disk cache. Store cache ojects only in memory.
+#
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# TAG: store_dir_select_algorithm
+# How Squid selects which cache_dir to use when the response
+# object will fit into more than one.
+#
+# Regardless of which algorithm is used the cache_dir min-size
+# and max-size parameters are obeyed. As such they can affect
+# the selection algorithm by limiting the set of considered
+# cache_dir.
+#
+# Algorithms:
+#
+# least-load
+#
+# This algorithm is suited to caches with similar cache_dir
+# sizes and disk speeds.
+#
+# The disk with the least I/O pending is selected.
+# When there are multiple disks with the same I/O load ranking
+# the cache_dir with most available capacity is selected.
+#
+# When a mix of cache_dir sizes are configured the faster disks
+# have a naturally lower I/O loading and larger disks have more
+# capacity. So space used to store objects and data throughput
+# may be very unbalanced towards larger disks.
+#
+#
+# round-robin
+#
+# This algorithm is suited to caches with unequal cache_dir
+# disk sizes.
+#
+# Each cache_dir is selected in a rotation. The next suitable
+# cache_dir is used.
+#
+# Available cache_dir capacity is only considered in relation
+# to whether the object will fit and meets the min-size and
+# max-size parameters.
+#
+# Disk I/O loading is only considered to prevent overload on slow
+# disks. This algorithm does not spread objects by size, so any
+# I/O loading per-disk may appear very unbalanced and volatile.
+#
+# If several cache_dirs use similar min-size, max-size, or other
+# limits to to reject certain responses, then do not group such
+# cache_dir lines together, to avoid round-robin selection bias
+# towards the first cache_dir after the group. Instead, interleave
+# cache_dir lines from different groups. For example:
+#
+# store_dir_select_algorithm round-robin
+# cache_dir rock /hdd1 ... min-size=100000
+# cache_dir rock /ssd1 ... max-size=99999
+# cache_dir rock /hdd2 ... min-size=100000
+# cache_dir rock /ssd2 ... max-size=99999
+# cache_dir rock /hdd3 ... min-size=100000
+# cache_dir rock /ssd3 ... max-size=99999
+#Default:
+# store_dir_select_algorithm least-load
+
+# TAG: max_open_disk_fds
+# To avoid having disk as the I/O bottleneck Squid can optionally
+# bypass the on-disk cache if more than this amount of disk file
+# descriptors are open.
+#
+# A value of 0 indicates no limit.
+#Default:
+# no limit
+
+# TAG: cache_swap_low (percent, 0-100)
+# The low-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above this low-water mark and attempts to maintain utilization
+# near the low-water mark.
+#
+# As swap utilization increases towards the high-water mark set
+# by cache_swap_high object eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_high and cache_replacement_policy
+#Default:
+# cache_swap_low 90
+
+# TAG: cache_swap_high (percent, 0-100)
+# The high-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above the low-water mark set by cache_swap_low and attempts to
+# maintain utilization near the low-water mark.
+#
+# As swap utilization increases towards this high-water mark object
+# eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_low and cache_replacement_policy
+#Default:
+# cache_swap_high 95
+
+# LOGFILE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: logformat
+# Usage:
+#
+# logformat
+#
+# Defines an access log format.
+#
+# The is a string with embedded % format codes
+#
+# % format codes all follow the same basic structure where all
+# components but the formatcode are optional and usually unnecessary,
+# especially when dealing with common codes.
+#
+# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
+#
+# encoding escapes or otherwise protects "special" characters:
+#
+# " Quoted string encoding where quote(") and
+# backslash(\) characters are \-escaped while
+# CR, LF, and TAB characters are encoded as \r,
+# \n, and \t two-character sequences.
+#
+# [ Custom Squid encoding where percent(%), square
+# brackets([]), backslash(\) and characters with
+# codes outside of [32,126] range are %-encoded.
+# SP is not encoded. Used by log_mime_hdrs.
+#
+# # URL encoding (a.k.a. percent-encoding) where
+# all URL unsafe and control characters (per RFC
+# 1738) are %-encoded.
+#
+# / Shell-like encoding where quote(") and
+# backslash(\) characters are \-escaped while CR
+# and LF characters are encoded as \r and \n
+# two-character sequences. Values containing SP
+# character(s) are surrounded by quotes(").
+#
+# ' Raw/as-is encoding with no escaping/quoting.
+#
+# Default encoding: When no explicit encoding is
+# specified, each %code determines its own encoding.
+# Most %codes use raw/as-is encoding, but some codes use
+# a so called "pass-through URL encoding" where all URL
+# unsafe and control characters (per RFC 1738) are
+# %-encoded, but the percent character(%) is left as is.
+#
+# - left aligned
+#
+# width minimum and/or maximum field width:
+# [width_min][.width_max]
+# When minimum starts with 0, the field is zero-padded.
+# String values exceeding maximum width are truncated.
+#
+# {arg} argument such as header name etc. This field may be
+# placed before or after the token, but not both at once.
+#
+# Format codes:
+#
+# % a literal % character
+# sn Unique sequence number per log line entry
+# err_code The ID of an error response served by Squid or
+# a similar internal error identifier.
+# err_detail Additional err_code-dependent error information.
+# note The annotation specified by the argument. Also
+# logs the adaptation meta headers set by the
+# adaptation_meta configuration parameter.
+# If no argument given all annotations logged.
+# The argument may include a separator to use with
+# annotation values:
+# name[:separator]
+# By default, multiple note values are separated with ","
+# and multiple notes are separated with "\r\n".
+# When logging named notes with %{name}note, the
+# explicitly configured separator is used between note
+# values. When logging all notes with %note, the
+# explicitly configured separator is used between
+# individual notes. There is currently no way to
+# specify both value and notes separators when logging
+# all notes with %note.
+#
+# Connection related format codes:
+#
+# >a Client source IP address
+# >A Client FQDN
+# >p Client source port
+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+# >la Local IP address the client connected to
+# >lp Local port number the client connected to
+# >qos Client connection TOS/DSCP value set by Squid
+# >nfmark Client connection netfilter mark set by Squid
+#
+# la Local listening IP address the client connection was connected to.
+# lp Local listening port number the client connection was connected to.
+#
+# handshake Raw client handshake
+# Initial client bytes received by Squid on a newly
+# accepted TCP connection or inside a just established
+# CONNECT tunnel. Squid stops accumulating handshake
+# bytes as soon as the handshake parser succeeds or
+# fails (determining whether the client is using the
+# expected protocol).
+#
+# For HTTP clients, the handshake is the request line.
+# For TLS clients, the handshake consists of all TLS
+# records up to and including the TLS record that
+# contains the last byte of the first ClientHello
+# message. For clients using an unsupported protocol,
+# this field contains the bytes received by Squid at the
+# time of the handshake parsing failure.
+#
+# See the on_unsupported_protocol directive for more
+# information on Squid handshake traffic expectations.
+#
+# Current support is limited to these contexts:
+# - http_port connections, but only when the
+# on_unsupported_protocol directive is in use.
+# - https_port connections (and CONNECT tunnels) that
+# are subject to the ssl_bump peek or stare action.
+#
+# To protect binary handshake data, this field is always
+# base64-encoded (RFC 4648 Section 4). If logformat
+# field encoding is configured, that encoding is applied
+# on top of base64. Otherwise, the computed base64 value
+# is recorded as is.
+#
+# Time related format codes:
+#
+# ts Seconds since epoch
+# tu subsecond time (milliseconds)
+# tl Local time. Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tg GMT time. Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tr Response time (milliseconds)
+# dt Total time spent making DNS lookups (milliseconds)
+# tS Approximate master transaction start time in
+# . format.
+# Currently, Squid considers the master transaction
+# started when a complete HTTP request header initiating
+# the transaction is received from the client. This is
+# the same value that Squid uses to calculate transaction
+# response time when logging %tr to access.log. Currently,
+# Squid uses millisecond resolution for %tS values,
+# similar to the default access.log "current time" field
+# (%ts.%03tu).
+#
+# Access Control related format codes:
+#
+# et Tag returned by external acl
+# ea Log string returned by external acl
+# un User name (any available)
+# ul User name from authentication
+# ue User name from external acl helper
+# ui User name from ident
+# un A user name. Expands to the first available name
+# from the following list of information sources:
+# - authenticated user name, like %ul
+# - user name supplied by an external ACL, like %ue
+# - SSL client name, like %us
+# - ident user name, like %ui
+# credentials Client credentials.
The exact meaning depends on
+# the authentication scheme: For Basic authentication,
+# it is the password; for Digest, the realm sent by the
+# client; for NTLM and Negotiate, the client challenge
+# or client credentials prefixed with "YR " or "KK ".
+#
+# HTTP related format codes:
+#
+# REQUEST
+#
+# [http::]rm Request method (GET/POST etc)
+# [http::]>rm Request method from client
+# [http::]ru Request URL received from the client (or computed)
+#
+# Computed URLs are URIs of internally generated
+# requests and various "error:..." URIs.
+#
+# Unlike %ru, this request URI is not affected
+# by request adaptation, URL rewriting services,
+# and strip_query_terms.
+#
+# Honors uri_whitespace.
+#
+# This field is using pass-through URL encoding
+# by default. Encoding this field using other
+# variants of %-encoding will clash with
+# uri_whitespace modifications that also use
+# %-encoding.
+#
+# [http::]rs Request URL scheme from client
+# [http::]rd Request URL domain from client
+# [http::]rP Request URL port from client
+# [http::]rp Request URL path excluding hostname from client
+# [http::]rv Request protocol version from client
+# [http::]h Original received request header.
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Accepts optional header field name/value filter
+# argument using name[:[separator]element] format.
+# [http::]>ha Received request header after adaptation and
+# redirection (pre-cache REQMOD vectoring point).
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Optional header name argument as for >h
+#
+# RESPONSE
+#
+# [http::]Hs HTTP status code sent to the client
+#
+# [http::]h
+#
+# [http::]mt MIME content type
+#
+#
+# SIZE COUNTERS
+#
+# [http::]st Total size of request + reply traffic with client
+# [http::]>st Total size of request received from client.
+# Excluding chunked encoding bytes.
+# [http::]sh Size of request headers received from client
+# [http::]sni SSL client SNI sent to Squid.
+#
+# ssl::>cert_subject
+# The Subject field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Subject often has spaces.
+#
+# ssl::>cert_issuer
+# The Issuer field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Issuer often has spaces.
+#
+# ssl::negotiated_version The negotiated TLS version of the
+# client connection.
+#
+# %ssl::received_hello_version The TLS version of the Hello
+# message received from TLS client.
+#
+# %ssl::received_supported_version The maximum TLS version
+# supported by the TLS client.
+#
+# %ssl::negotiated_cipher The negotiated cipher of the
+# client connection.
+#
+# %ssl::a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+#logformat useragent %>a [%tl] "%{User-Agent}>h"
+#
+# NOTE: When the log_mime_hdrs directive is set to ON.
+# The squid, common and combined formats have a safely encoded copy
+# of the mime headers appended to each line within a pair of brackets.
+#
+# NOTE: The common and combined formats are not quite true to the Apache definition.
+# The logs from Squid contain an extra status and hierarchy code appended.
+#
+#Default:
+# The format definitions squid, common, combined, referrer, useragent are built in.
+
+# TAG: access_log
+# Configures whether and how Squid logs HTTP and ICP transactions.
+# If access logging is enabled, a single line is logged for every
+# matching HTTP or ICP request. The recommended directive formats are:
+#
+# access_log : [option ...] [acl acl ...]
+# access_log none [acl acl ...]
+#
+# The following directive format is accepted but may be deprecated:
+# access_log : [ [acl acl ...]]
+#
+# In most cases, the first ACL name must not contain the '=' character
+# and should not be equal to an existing logformat name. You can always
+# start with an 'all' ACL to work around those restrictions.
+#
+# Will log to the specified module:place using the specified format (which
+# must be defined in a logformat directive) those entries which match
+# ALL the acl's specified (which must be defined in acl clauses).
+# If no acl is specified, all requests will be logged to this destination.
+#
+# ===== Available options for the recommended directive format =====
+#
+# logformat=name Names log line format (either built-in or
+# defined by a logformat directive). Defaults
+# to 'squid'.
+#
+# buffer-size=64KB Defines approximate buffering limit for log
+# records (see buffered_logs). Squid should not
+# keep more than the specified size and, hence,
+# should flush records before the buffer becomes
+# full to avoid overflows under normal
+# conditions (the exact flushing algorithm is
+# module-dependent though). The on-error option
+# controls overflow handling.
+#
+# on-error=die|drop Defines action on unrecoverable errors. The
+# 'drop' action ignores (i.e., does not log)
+# affected log records. The default 'die' action
+# kills the affected worker. The drop action
+# support has not been tested for modules other
+# than tcp.
+#
+# rotate=N Specifies the number of log file rotations to
+# make when you run 'squid -k rotate'. The default
+# is to obey the logfile_rotate directive. Setting
+# rotate=0 will disable the file name rotation,
+# but the log files are still closed and re-opened.
+# This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+# Only supported by the stdio module.
+#
+# ===== Modules Currently available =====
+#
+# none Do not log any requests matching these ACL.
+# Do not specify Place or logformat name.
+#
+# stdio Write each log line to disk immediately at the completion of
+# each request.
+# Place: the filename and path to be written.
+#
+# daemon Very similar to stdio. But instead of writing to disk the log
+# line is passed to a daemon helper for asychronous handling instead.
+# Place: varies depending on the daemon.
+#
+# log_file_daemon Place: the file name and path to be written.
+#
+# syslog To log each request via syslog facility.
+# Place: The syslog facility and priority level for these entries.
+# Place Format: facility.priority
+#
+# where facility could be any of:
+# authpriv, daemon, local0 ... local7 or user.
+#
+# And priority could be any of:
+# err, warning, notice, info, debug.
+#
+# udp To send each log line as text data to a UDP receiver.
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# tcp To send each log line as text data to a TCP receiver.
+# Lines may be accumulated before sending (see buffered_logs).
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# Default:
+# access_log daemon:/var/log/squid/access.log squid
+#Default:
+# access_log daemon:/var/log/squid/access.log squid
+
+# TAG: icap_log
+# ICAP log files record ICAP transaction summaries, one line per
+# transaction.
+#
+# The icap_log option format is:
+# icap_log [ [acl acl ...]]
+# icap_log none [acl acl ...]]
+#
+# Please see access_log option documentation for details. The two
+# kinds of logs share the overall configuration approach and many
+# features.
+#
+# ICAP processing of a single HTTP message or transaction may
+# require multiple ICAP transactions. In such cases, multiple
+# ICAP transaction log lines will correspond to a single access
+# log line.
+#
+# ICAP log supports many access.log logformat %codes. In ICAP context,
+# HTTP message-related %codes are applied to the HTTP message embedded
+# in an ICAP message. Logformat "%http::>..."
codes are used for HTTP
+# messages embedded in ICAP requests while "%http::<..." codes are used
+# for HTTP messages embedded in ICAP responses. For example:
+#
+# http::>h To-be-adapted HTTP message headers sent by Squid to
+# the ICAP service. For REQMOD transactions, these are
+# HTTP request headers. For RESPMOD, these are HTTP
+# response headers, but Squid currently cannot log them
+# (i.e., %http::>h will expand to "-" for RESPMOD).
+#
+# http::st The total size of the ICAP request sent to the ICAP
+# server (ICAP headers + ICAP body), including chunking
+# metadata (if any).
+#
+# icap::h ICAP request header(s). Similar to >h.
+#
+# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data
+# R\n - rotate file
+# T\n - truncate file
+# O\n - reopen file
+# F\n - flush file
+# r\n - set rotate count to
+# b\n - 1 = buffer output, 0 = don't buffer output
+#
+# No responses is expected.
+#Default:
+# logfile_daemon /usr/lib/squid/log_file_daemon
+
+# TAG: stats_collection allow|deny acl acl...
+# This options allows you to control which requests gets accounted
+# in performance counters.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow logging for all transactions.
+
+# TAG: cache_store_log
+# Logs the activities of the storage manager. Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long.
+# There are not really utilities to analyze this data, so you can safely
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
+# Example:
+# cache_store_log stdio:/var/log/squid/store.log
+# cache_store_log daemon:/var/log/squid/store.log
+#Default:
+# none
+
+# TAG: cache_swap_state
+# Location for the cache "swap.state" file. This index file holds
+# the metadata of objects saved on disk. It is used to rebuild
+# the cache during startup.
Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file. If you change the order of the 'cache_dir'
+# lines in this file, these index files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend you do NOT use this option. It is
+# better to keep these index files in each 'cache_dir' directory.
+#Default:
+# Store the journal inside its cache_dir
+
+# TAG: logfile_rotate
+# Specifies the default number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9. Setting logfile_rotate to 0 will
+# disable the file name rotation, but the logfiles are still closed
+# and re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
+#
+# Note, from Squid-4 this option is only a default for access.log
+# recorded by stdio: module. Those logs can be rotated separately by
+# using the rotate=N option on their access_log directive.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# '.
+#
+# Note, for Debian/Linux the default of logfile_rotate is
+# zero, since it includes external logfile-rotation methods.
+#Default:
+# logfile_rotate 0
+
+# TAG: mime_table
+# Path to Squid's icon configuration file.
+#
+# You shouldn't need to change this, but the default file contains
+# examples and formatting information if you do.
+#Default:
+# mime_table /usr/share/squid/mime.conf
+
+# TAG: log_mime_hdrs on|off
+# The Cache can record both the request and the response MIME
+# headers for each HTTP transaction. The headers are encoded
+# safely and will appear as two bracketed fields at the end of
+# the access log (for either the native or httpd-emulated log
+# formats). To enable this logging set log_mime_hdrs to 'on'.
+#Default:
+# log_mime_hdrs off
+
+# TAG: pid_filename
+# A filename to write the process-id to. To disable, enter "none".
+#Default:
+# pid_filename /var/run/squid.pid
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#Default:
+# Log full client IP address
+
+# TAG: strip_query_terms
+# By default, Squid strips query terms from requested URLs before
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
+#Default:
+# strip_query_terms on
+
+# TAG: buffered_logs on|off
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks.
Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
+#Default:
+# buffered_logs off
+
+# TAG: netdb_filename
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
+#
+# To disable, enter "none".
+#Default:
+# netdb_filename stdio:/var/spool/squid/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
+#Default:
+# cache_log /var/log/squid/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section. Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# The default is to run with "ALL,1" to record important warnings.
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# Log all critical and important messages.
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started.
If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# Use the directory from where Squid was started.
+#
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# OPTIONS FOR FTP GATEWAYING
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky FTP servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some FTP server also validate the email address is valid
+# (for example perl.com).
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, turn off this option.
+#
+# Use of ftp_epsv_all option requires this to be ON.
+#Default:
+# ftp_passive on
+
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator, as the EPRT command will never be used and therefore,
+# translation of the data portion of the segments will never be needed.
+#
+# When a client only expects to do two-way FTP transfers this may be
+# useful.
+# If squid finds that it must do a three-way FTP transfer after issuing
+# an EPSV ALL command, the FTP session will fail.
+#
+# If you have any doubts about this option do not use it.
+# Squid will nicely attempt all other connection methods.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv_all off
+
+# TAG: ftp_epsv
+# FTP Protocol extensions permit the use of a special "EPSV" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator using EPSV, as the EPRT command will never be used
+# and therefore, translation of the data portion of the segments
+# will never be needed.
+#
+# EPSV is often required to interoperate with FTP servers on IPv6
+# networks. On the other hand, it may break some IPv4 servers.
+#
+# By default, EPSV may try EPSV with any FTP server. To fine tune
+# that decision, you may restrict EPSV to certain clients or servers
+# using ACLs:
+#
+# ftp_epsv allow|deny al1 acl2 ...
+#
+# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
+#
+# Only fast ACLs are supported.
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# none
+
+# TAG: ftp_eprt
+# FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+# This extension provides a protocol neutral alternative to the
+# IPv4-only PORT command. When supported it enables active FTP data
+# channels over IPv6 and efficient NAT handling.
+#
+# Turning this OFF will prevent EPRT being attempted and will skip
+# straight to using PORT for IPv4 servers.
+#
+# Some devices are known to not handle this extension correctly and
+# may result in crashes. Devices which suport EPRT enough to fail
+# cleanly will result in Squid attempting PORT anyway. This directive
+# should only be disabled when EPRT results in device failures.
+#
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
+# TAG: ftp_sanitycheck
+# For security and data integrity reasons Squid by default performs
+# sanity checks of the addresses of FTP data connections ensure the
+# data connection is to the requested server. If you need to allow
+# FTP connections to servers using another IP address for the data
+# connection turn this off.
+#Default:
+# ftp_sanitycheck on
+
+# TAG: ftp_telnet_protocol
+# The FTP protocol is officially defined to use the telnet protocol
+# as transport channel for the control connection. However, many
+# implementations are broken and does not respect this aspect of
+# the FTP protocol.
+#
+# If you have trouble accessing files with ASCII code 255 in the
+# path or similar problems involving this ASCII code you can
+# try setting this directive to off. If that helps, report to the
+# operator of the FTP server in question that their FTP server
+# is broken and does not follow the FTP standard.
+#Default:
+# ftp_telnet_protocol on
+
+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+# -----------------------------------------------------------------------------
+
+# TAG: diskd_program
+# Specify the location of the diskd executable.
+# Note this is only useful if you have compiled in
+# diskd as one of the store io modules.
+#Default:
+# diskd_program /usr/lib/squid/diskd
+
+# TAG: unlinkd_program
+# Specify the location of the executable for file deletion process.
+#Default:
+# unlinkd_program /usr/lib/squid/unlinkd
+
+# TAG: pinger_program
+# Specify the location of the executable for the pinger process.
+#Default:
+# pinger_program /usr/lib/squid/pinger
+
+# TAG: pinger_enable
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable on
+
+# OPTIONS FOR URL REWRITING
+# -----------------------------------------------------------------------------
+
+# TAG: url_rewrite_program
+# Specify the location of the executable URL rewriter to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the rewriter will receive on line with the format
+#
+# [channel-ID ] URL [ extras]
+#
+# See url_rewrite_extras on how to send "extras" with optional values to
+# the helper.
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK status=30N url="..."
+# Redirect the URL to the one supplied in 'url='.
+# 'status=' is optional and contains the status code to send
+# the client in Squids HTTP response. It must be one of the
+# HTTP redirect status codes: 301, 302, 303, 307, 308.
+# When no status is given Squid will use 302.
+#
+# OK rewrite-url="..."
+# Rewrite the URL to the one supplied in 'rewrite-url='.
+# The new URL is fetched directly by Squid and returned to
+# the client as the response to its request.
+#
+# OK
+# When neither of url= and rewrite-url= are sent Squid does
+# not change the URL.
+#
+# ERR
+# Do not change the URL.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified. The 'message=' key name is
+# reserved for delivering a log message.
+#
+#
+# In addition to the above kv-pairs Squid also understands the following
+# optional kv-pairs received from URL rewriters:
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+# The TAG is treated as a regular annotation but persists across
+# future requests on the client connection rather than just the
+# current request. A helper may update the TAG during subsequent
+# requests be returning a new kv-pair.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# WARNING: URL re-writing ability should be avoided whenever possible.
+# Use the URL redirect form of response instead.
+#
+# Re-write creates a difference in the state held by the client
+# and server. Possibly causing confusion when the server response
+# contains snippets of its view state.
Embeded URLs, response
+# and content Location headers, etc. are not re-written by this
+# interface.
+#
+# By default, a URL rewriter is not used.
+#Default:
+# none
+
+# TAG: url_rewrite_children
+# Specifies the maximum number of redirector processes that Squid may
+# spawn (numberofchildren) and several related options. Using too few of
+# these helper processes (a.k.a. "helpers") creates request queues.
+# Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each redirector helper can handle in
+# parallel. Defaults to 0 which indicates the redirector
+# is a old-style single threaded redirector.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. The default
+# maximum is zero if url_rewrite_bypass is enabled and
+# 2*numberofchildren otherwise.
If the queued requests exceed queue size
+# and redirector_bypass configuration option is set, then redirector is
+# bypassed. Otherwise, Squid is allowed to temporarily exceed the
+# configured maximum, marking the affected helper as "overloaded". If
+# the helper overload lasts more than 3 minutes, the action prescribed
+# by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits. This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: url_rewrite_host_header
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
+# WARNING: Entries are cached on the result of the URL rewriting
+# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
+#Default:
+# url_rewrite_host_header on
+
+# TAG: url_rewrite_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: url_rewrite_bypass
+# When this is 'on', a request will not go through the
+# redirector if all the helpers are busy. If this is 'off' and the
+# redirector queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# redirectors are not critical to your caching system. If you use
+# redirectors for access control, and you enable this option,
+# users may have access to pages they should not
+# be allowed to request.
+#
+# Enabling this option sets the default url_rewrite_children queue-size
+# option value to 0.
+#Default:
+# url_rewrite_bypass off
+
+# TAG: url_rewrite_extras
+# Specifies a string to be append to request line format for the
+# rewriter helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: url_rewrite_timeout
+# Squid times active requests to redirector. The timeout value and Squid
+# reaction to a timed out request are configurable using the following
+# format:
+#
+# url_rewrite_timeout timeout time-units on_timeout= [response=]
+#
+# supported timeout actions:
+# fail Squid return a ERR_GATEWAY_FAILURE error page
+#
+# bypass Do not re-write the URL
+#
+# retry Send the lookup to the helper again
+#
+# use_configured_response
+# Use the as helper response
+#Default:
+# Squid waits for the helper response forever
+
+# OPTIONS FOR STORE ID
+# -----------------------------------------------------------------------------
+
+# TAG: store_id_program
+# Specify the location of the executable StoreID helper to use.
+# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. 
+#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# Specifies the maximum number of StoreID helper processes that Squid +# may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests to N. A request is queued +# when no existing child can accept it due to concurrency limit and no +# new child can be started due to numberofchildren limit. The default +# maximum is 2*numberofchildren. If the queued requests exceed queue +# size and redirector_bypass configuration option is set, then +# redirector is bypassed. 
Otherwise, Squid is allowed to temporarily +# exceed the configured maximum, marking the affected helper as +# "overloaded". If the helper overload lasts more than 3 minutes, the +# action prescribed by the on-persistent-overload option applies. +# +# on-persistent-overload=action +# +# Specifies Squid reaction to a new helper request arriving when the helper +# has been overloaded for more that 3 minutes already. The number of queued +# requests determines whether the helper is overloaded (see the queue-size +# option). +# +# Two actions are supported: +# +# die Squid worker quits. This is the default behavior. +# +# ERR Squid treats the helper request as if it was +# immediately submitted, and the helper immediately +# replied with an ERR response. This action has no effect +# on the already queued and in-progress helper requests. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' and the helper +# queue grows too large, the action is prescribed by the +# on-persistent-overload option. You should only enable this if the +# helpers are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +# This options sets default queue-size option of the store_id_children +# to 0. 
+#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). 
This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week + +# TAG: refresh_pattern +# usage: refresh_pattern [-i] regex min percent max [options] +# +# By default, regular expressions are CASE-SENSITIVE. 
To make +# them case-insensitive, use the -i option. +# +# 'Min' is the time (in minutes) an object without an explicit +# expiry time should be considered fresh. The recommended +# value is 0, any higher values may cause dynamic applications +# to be erroneously cached unless the application designer +# has taken the appropriate actions. +# +# 'Percent' is a percentage of the objects age (time since last +# modification age) an object without explicit expiry time +# will be considered fresh. +# +# 'Max' is an upper limit on how long objects without an explicit +# expiry time will be considered fresh. The value is also used +# to form Cache-Control: max-age header for a request sent from +# Squid to origin/parent. +# +# options: override-expire +# override-lastmod +# reload-into-ims +# ignore-reload +# ignore-no-store +# ignore-private +# max-stale=NN +# refresh-ims +# store-stale +# +# override-expire enforces min age even if the server +# sent an explicit expiry time (e.g., with the +# Expires: header or Cache-Control: max-age). Doing this +# VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# Note: override-expire does not enforce staleness - it only extends +# freshness / min. If the server returns a Expires time which +# is longer than your max time, Squid will still consider +# the object fresh for that period of time. +# +# override-lastmod enforces min age even on objects +# that were modified recently. +# +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# ignore-reload ignores a client no-cache or ``reload'' +# header. Doing this VIOLATES the HTTP standard. 
Enabling +# this feature could make you liable for problems which +# it causes. +# +# ignore-no-store ignores any ``Cache-control: no-store'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-private ignores any ``Cache-control: private'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# refresh-ims causes squid to contact the origin server +# when a client issues an If-Modified-Since request. This +# ensures that the client will receive an updated version +# if one is available. +# +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# +# Basically a cached object is: +# +# FRESH if expire > now, else STALE +# STALE if age > max +# FRESH if lm-factor < percent, else STALE +# FRESH if age < min +# else STALE +# +# The refresh_pattern lines are checked in the order listed here. +# The first entry which matches is used. If none of the entries +# match the default will be used. +# +# Note, you must uncomment all the default lines if you want +# to change one. The default setting is only active if none is +# used. +# +# + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 
0 20% 4320 + +# TAG: quick_abort_min (KB) +#Default: +# quick_abort_min 16 KB + +# TAG: quick_abort_max (KB) +#Default: +# quick_abort_max 16 KB + +# TAG: quick_abort_pct (percent) +# The cache by default continues downloading aborted requests +# which are almost completed (less than 16 KB remaining). This +# may be undesirable on slow (e.g. SLIP) links and/or very busy +# caches. Impatient users may tie up file descriptors and +# bandwidth by repeatedly requesting and immediately aborting +# downloads. +# +# When the user aborts a request, Squid will check the +# quick_abort values to the amount of data transferred until +# then. +# +# If the transfer has less than 'quick_abort_min' KB remaining, +# it will finish the retrieval. +# +# If the transfer has more than 'quick_abort_max' KB remaining, +# it will abort the retrieval. +# +# If more than 'quick_abort_pct' of the transfer has completed, +# it will finish the retrieval. +# +# If you do not want any retrieval to continue after the client +# has aborted, set both 'quick_abort_min' and 'quick_abort_max' +# to '0 KB'. +# +# If you want retrievals to always continue if they are being +# cached set 'quick_abort_min' to '-1 KB'. +#Default: +# quick_abort_pct 95 + +# TAG: read_ahead_gap buffer-size +# The amount of data the cache will buffer ahead of what has been +# sent to the client when retrieving an object from another server. +#Default: +# read_ahead_gap 16 KB + +# TAG: negative_ttl time-units +# Set the Default Time-to-Live (TTL) for failed requests. +# Certain types of failures (such as "connection refused" and +# "404 Not Found") are able to be negatively-cached for a short time. +# Modern web servers should provide Expires: header, however if they +# do not this can provide a minimum TTL. +# The default is not to cache errors with unknown expiry details. +# +# Note that this is different from negative caching of DNS lookups. +# +# WARNING: Doing this VIOLATES the HTTP standard. 
Enabling +# this feature could make you liable for problems which it +# causes. +#Default: +# negative_ttl 0 seconds + +# TAG: positive_dns_ttl time-units +# Upper limit on how long Squid will cache positive DNS responses. +# Default is 6 hours (360 minutes). This directive must be set +# larger than negative_dns_ttl. +#Default: +# positive_dns_ttl 6 hours + +# TAG: negative_dns_ttl time-units +# Time-to-Live (TTL) for negative caching of failed DNS lookups. +# This also sets the lower cache limit on positive lookups. +# Minimum value is 1 second, and it is not recommendable to go +# much below 10 seconds. +#Default: +# negative_dns_ttl 1 minutes + +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# +# This is to stop a far ahead range request (lets say start at 17MB) +# from making Squid fetch the whole object up to that point before +# sending anything to the client. +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the +# client requested. (default) +# +# A size of 'none' causes Squid to always fetch the object from the +# beginning so it may cache the result. (2.0 style) +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. 
The range request will +# be fully fetched from start to finish regardless of the client +# actions. This affects bandwidth usage. +#Default: +# none + +# TAG: minimum_expiry_time (seconds) +# The minimum caching time according to (Expires - Date) +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. +#Default: +# minimum_expiry_time 60 seconds + +# TAG: store_avg_object_size (bytes) +# Average object size, used to estimate number of objects your +# cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. +#Default: +# store_avg_object_size 13 KB + +# TAG: store_objects_per_bucket +# Target number of objects per bucket in the store hash table. +# Lowering this value increases the total number of buckets and +# also the storage maintenance rate. The default is 20. +#Default: +# store_objects_per_bucket 20 + +# HTTP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: request_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a request. +# Request headers are usually relatively small (about 512 bytes). +# Placing a limit on the request header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. 
+#Default: +# request_header_max_size 64 KB + +# TAG: reply_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a reply. +# Reply headers are usually relatively small (about 512 bytes). +# Placing a limit on the reply header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# reply_header_max_size 64 KB + +# TAG: request_body_max_size (bytes) +# This specifies the maximum size for an HTTP request body. +# In other words, the maximum size of a PUT/POST request. +# A user who attempts to send a request with a body larger +# than this limit receives an "Invalid Request" error message. +# If you set this parameter to a zero (the default), there will +# be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. +#Default: +# No limit. + +# TAG: client_request_buffer_max_size (bytes) +# This specifies the maximum buffer size of a client request. +# It prevents squid eating too much memory when somebody uploads +# a large file. +#Default: +# client_request_buffer_max_size 512 KB + +# TAG: broken_posts +# A list of ACL elements which, if matched, causes Squid to send +# an extra CRLF pair after the body of a PUT/POST request. +# +# Some HTTP servers has broken implementations of PUT/POST, +# and rely on an extra CRLF pair sent by some WWW clients. +# +# Quote from RFC2616 section 4.1 on this matter: +# +# Note: certain buggy HTTP/1.0 client implementations generate an +# extra CRLF's after a POST request. To restate what is explicitly +# forbidden by the BNF, an HTTP/1.1 client must not preface or follow +# a request with an extra CRLF. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# acl buggy_server url_regex ^http://.... +# broken_posts allow buggy_server +#Default: +# Obey RFC 2616. 
+ +# TAG: adaptation_uses_indirect_client on|off +# Controls whether the indirect client IP address (instead of the direct +# client IP address) is passed to adaptation services. +# +# See also: follow_x_forwarded_for adaptation_send_client_ip +#Default: +# adaptation_uses_indirect_client on + +# TAG: via on|off +# If set (default), Squid will include a Via header in requests and +# replies as required by RFC2616. +#Default: +# via on + +# TAG: vary_ignore_expire on|off +# Many HTTP servers supporting Vary gives such objects +# immediate expiry time with no cache-control header +# when requested by a HTTP/1.0 client. This option +# enables Squid to ignore such expiry times until +# HTTP/1.1 is fully implemented. +# +# WARNING: If turned on this may eventually cause some +# varying objects not intended for caching to get cached. +#Default: +# vary_ignore_expire off + +# TAG: request_entities +# Squid defaults to deny GET and HEAD requests with request entities, +# as the meaning of such requests are undefined in the HTTP standard +# even if not explicitly forbidden. +# +# Set this directive to on if you have clients which insists +# on sending request entities in GET or HEAD requests. But be warned +# that there is server software (both proxies and web servers) which +# can fail to properly process this kind of request which may make you +# vulnerable to cache pollution attacks if enabled. +#Default: +# request_entities off + +# TAG: request_header_access +# Usage: request_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option replaces the old 'anonymize_headers' and the +# older 'http_anonymizer' option with something that is much +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. 
+# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. 
+# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# request_header_access From deny all +# request_header_access Referer deny all +# request_header_access User-Agent deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# request_header_access Authorization allow all +# request_header_access Proxy-Authorization allow all +# request_header_access Cache-Control allow all +# request_header_access Content-Length allow all +# request_header_access Content-Type allow all +# request_header_access Date allow all +# request_header_access Host allow all +# request_header_access If-Modified-Since allow all +# request_header_access Pragma allow all +# request_header_access Accept allow all +# request_header_access Accept-Charset allow all +# request_header_access Accept-Encoding allow all +# request_header_access Accept-Language allow all +# request_header_access Connection allow all +# request_header_access All deny all +# +# HTTP reply headers are controlled with the reply_header_access directive. +# +# By default, all headers are allowed (no anonymizing is performed). +#Default: +# No limits. + +# TAG: reply_header_access +# Usage: reply_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option only applies to reply headers, i.e., from the +# server to the client. +# +# This is the same as request_header_access, but in the other +# direction. Please see request_header_access for detailed +# documentation. 
+# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# reply_header_access Server deny all +# reply_header_access WWW-Authenticate deny all +# reply_header_access Link deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# reply_header_access Allow allow all +# reply_header_access WWW-Authenticate allow all +# reply_header_access Proxy-Authenticate allow all +# reply_header_access Cache-Control allow all +# reply_header_access Content-Encoding allow all +# reply_header_access Content-Length allow all +# reply_header_access Content-Type allow all +# reply_header_access Date allow all +# reply_header_access Expires allow all +# reply_header_access Last-Modified allow all +# reply_header_access Location allow all +# reply_header_access Pragma allow all +# reply_header_access Content-Language allow all +# reply_header_access Retry-After allow all +# reply_header_access Title allow all +# reply_header_access Content-Disposition allow all +# reply_header_access Connection allow all +# reply_header_access All deny all +# +# HTTP request headers are controlled with the request_header_access directive. +# +# By default, all headers are allowed (no anonymizing is +# performed). +#Default: +# No limits. + +# TAG: request_header_replace +# Usage: request_header_replace header_name message +# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) +# +# This option allows you to change the contents of headers +# denied with request_header_access above, by replacing them +# with some fixed string. +# +# This only applies to request headers, not reply headers. +# +# By default, headers are removed if denied. 
+#Default: +# none + +# TAG: reply_header_replace +# Usage: reply_header_replace header_name message +# Example: reply_header_replace Server Foo/1.0 +# +# This option allows you to change the contents of headers +# denied with reply_header_access above, by replacing them +# with some fixed string. +# +# This only applies to reply headers, not request headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: request_header_add +# Usage: request_header_add field-name field-value [ acl ... ] +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in the ACL list must be satisfied for the insertion to +# happen. The request_header_add supports fast ACLs only. +# +# See also: reply_header_add. +#Default: +# none + +# TAG: reply_header_add +# Usage: reply_header_add field-name field-value [ acl ... 
]
+# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP responses (i.e., response
+# headers delivered by Squid to the client). This option has no effect on
+# cache hit detection. The equivalent adaptation vectoring point in
+# ICAP terminology is post-cache RESPMOD. This option does not apply to
+# successful CONNECT replies.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the response to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching responses. As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The reply_header_add option supports fast ACLs only.
+#
+# See also: request_header_add.
+#Default:
+# none
+
+# TAG: note
+# This option used to log custom information about the master
+# transaction. For example, an admin may configure Squid to log
+# which "user group" the transaction belongs to, where "user group"
+# will be determined based on a set of ACLs and not [just]
+# authentication information.
+# Values of key/value pairs can be logged using %{key}note macros:
+#
+# note key value acl ...
+# logformat myFormat ... %{key}note ...
+#Default:
+# none
+
+# TAG: relaxed_header_parser on|off|warn
+# In the default "on" setting Squid accepts certain forms
+# of non-compliant HTTP messages where it is unambiguous
+# what the sending application intended even if the message
+# is not correctly formatted. The messages is then normalized
+# to the correct form when forwarded by Squid.
+#
+# If set to "warn" then a warning will be emitted in cache.log
+# each time such HTTP error is encountered.
+#
+# If set to "off" then such HTTP errors will cause the request
+# or response to be rejected.
+#Default:
+# relaxed_header_parser on
+
+# TAG: collapsed_forwarding (on|off)
+# This option controls whether Squid is allowed to merge multiple
+# potentially cachable requests for the same URI before Squid knows
+# whether the response is going to be cachable.
+#
+# When enabled, instead of forwarding each concurrent request for
+# the same URL, Squid just sends the first of them. The other, so
+# called "collapsed" requests, wait for the response to the first
+# request and, if it happens to be cachable, use that response.
+# Here, "concurrent requests" means "received after the first
+# request headers were parsed and before the corresponding response
+# headers were parsed".
+#
+# This feature is disabled by default: enabling collapsed
+# forwarding needlessly delays forwarding requests that look
+# cachable (when they are collapsed) but then need to be forwarded
+# individually anyway because they end up being for uncachable
+# content. However, in some cases, such as acceleration of highly
+# cachable content with periodic or grouped expiration times, the
+# gains from collapsing [large volumes of simultaneous refresh
+# requests] outweigh losses from such delays.
+#
+# Squid collapses two kinds of requests: regular client requests
+# received on one of the listening ports and internal "cache
+# revalidation" requests which are triggered by those regular
+# requests hitting a stale cached object. Revalidation collapsing
+# is currently disabled for Squid instances containing SMP-aware
+# disk or memory caches and for Vary-controlled cached objects.
+#Default:
+# collapsed_forwarding off
+
+# TAG: collapsed_forwarding_shared_entries_limit (number of entries)
+# This limits the size of a table used for sharing information
+# about collapsible entries among SMP workers. Limiting sharing
+# too much results in cache content duplication and missed
+# collapsing opportunities. Using excessively large values
+# wastes shared memory.
+#
+# The limit should be significantly larger then the number of
+# concurrent collapsible entries one wants to share. For a cache
+# that handles less than 5000 concurrent requests, the default
+# setting of 16384 should be plenty.
+#
+# If the limit is set to zero, it disables sharing of collapsed
+# forwarding between SMP workers.
+#Default:
+# collapsed_forwarding_shared_entries_limit 16384
+
+# TIMEOUTS
+# -----------------------------------------------------------------------------
+
+# TAG: forward_timeout time-units
+# This parameter specifies how long Squid should at most attempt in
+# finding a forwarding path for the request before giving up.
+#Default:
+# forward_timeout 4 minutes
+
+# TAG: connect_timeout time-units
+# This parameter specifies how long to wait for the TCP connect to
+# the requested server or peer to complete before Squid should
+# attempt to find another path where to forward the request.
+#Default:
+# connect_timeout 1 minute
+
+# TAG: peer_connect_timeout time-units
+# This parameter specifies how long to wait for a pending TCP
+# connection to a peer cache. The default is 30 seconds. You
+# may also set different timeout values for individual neighbors
+# with the 'connect-timeout' option on a 'cache_peer' line.
+#Default:
+# peer_connect_timeout 30 seconds
+
+# TAG: read_timeout time-units
+# Applied on peer server connections.
+#
+# After each successful read(), the timeout will be extended by this
+# amount. If no data is read again after this amount of time,
+# the request is aborted and logged with ERR_READ_TIMEOUT.
+#
+# The default is 15 minutes.
+#Default:
+# read_timeout 15 minutes
+
+# TAG: write_timeout time-units
+# This timeout is tracked for all connections that have data
+# available for writing and are waiting for the socket to become
+# ready. After each successful write, the timeout is extended by
+# the configured amount. If Squid has data to write but the
+# connection is not ready for the configured duration, the
+# transaction associated with the connection is terminated. The
+# default is 15 minutes.
+#Default:
+# write_timeout 15 minutes
+
+# TAG: request_timeout
+# How long to wait for complete HTTP request headers after initial
+# connection establishment.
+#Default:
+# request_timeout 5 minutes
+
+# TAG: request_start_timeout
+# How long to wait for the first request byte after initial
+# connection establishment.
+#Default:
+# request_start_timeout 5 minutes
+
+# TAG: client_idle_pconn_timeout
+# How long to wait for the next HTTP request on a persistent
+# client connection after the previous request completes.
+#Default:
+# client_idle_pconn_timeout 2 minutes
+
+# TAG: ftp_client_idle_timeout
+# How long to wait for an FTP request on a connection to Squid ftp_port.
+# Many FTP clients do not deal with idle connection closures well,
+# necessitating a longer default timeout than client_idle_pconn_timeout
+# used for incoming HTTP requests.
+#Default:
+# ftp_client_idle_timeout 30 minutes
+
+# TAG: client_lifetime time-units
+# The maximum amount of time a client (browser) is allowed to
+# remain connected to the cache process. This protects the Cache
+# from having a lot of sockets (and hence file descriptors) tied up
+# in a CLOSE_WAIT state from remote clients that go away without
+# properly shutting down (either because of a network failure or
+# because of a poor client implementation). The default is one
+# day, 1440 minutes.
+#
+# NOTE: The default value is intended to be much larger than any
+# client would ever need to be connected to your cache. You
+# should probably change client_lifetime only as a last resort.
+# If you seem to have many client connections tying up
+# filedescriptors, we recommend first tuning the read_timeout,
+# request_timeout, persistent_request_timeout and quick_abort values.
+#Default:
+# client_lifetime 1 day
+
+# TAG: pconn_lifetime time-units
+# Desired maximum lifetime of a persistent connection.
+# When set, Squid will close a now-idle persistent connection that
+# exceeded configured lifetime instead of moving the connection into
+# the idle connection pool (or equivalent). No effect on ongoing/active
+# transactions. Connection lifetime is the time period from the
+# connection acceptance or opening time until "now".
+#
+# This limit is useful in environments with long-lived connections
+# where Squid configuration or environmental factors change during a
+# single connection lifetime. If unrestricted, some connections may
+# last for hours and even days, ignoring those changes that should
+# have affected their behavior or their existence.
+#
+# Currently, a new lifetime value supplied via Squid reconfiguration
+# has no effect on already idle connections unless they become busy.
+#
+# When set to '0' this limit is not used.
+#Default:
+# pconn_lifetime 0 seconds
+
+# TAG: half_closed_clients
+# Some clients may shutdown the sending side of their TCP
+# connections, while leaving their receiving sides open. Sometimes,
+# Squid can not tell the difference between a half-closed and a
+# fully-closed TCP connection.
+#
+# By default, Squid will immediately close client connections when
+# read(2) returns "no more data to read."
+#
+# Change this option to 'on' and Squid will keep open connections
+# until a read(2) or write(2) on the socket returns an error.
+# This may show some benefits for reverse proxies. But if not
+# it is recommended to leave OFF.
+#Default:
+# half_closed_clients off
+
+# TAG: server_idle_pconn_timeout
+# Timeout for idle persistent connections to servers and other
+# proxies.
+#Default:
+# server_idle_pconn_timeout 1 minute
+
+# TAG: ident_timeout
+# Maximum time to wait for IDENT lookups to complete.
+#
+# If this is too high, and you enabled IDENT lookups from untrusted
+# users, you might be susceptible to denial-of-service by having
+# many ident requests going at once.
+#Default:
+# ident_timeout 10 seconds
+
+# TAG: shutdown_lifetime time-units
+# When SIGTERM or SIGHUP is received, the cache is put into
+# "shutdown pending" mode until all active sockets are closed.
+# This value is the lifetime to set for all open descriptors
+# during shutdown mode. Any active clients after this many
+# seconds will receive a 'timeout' message.
+#Default:
+# shutdown_lifetime 30 seconds
+
+# ADMINISTRATIVE PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mgr
+# Email-address of local cache manager who will receive
+# mail if the cache dies. The default is "webmaster".
+#Default:
+# cache_mgr webmaster
+
+# TAG: mail_from
+# From: email-address for mail sent when the cache dies.
+# The default is to use 'squid@unique_hostname'.
+#
+# See also: unique_hostname directive.
+#Default:
+# none
+
+# TAG: mail_program
+# Email program used to send mail if the cache dies.
+# The default is "mail". The specified program must comply
+# with the standard Unix mail syntax:
+# mail-program recipient < mailfile
+#
+# Optional command line options can be specified.
+#Default:
+# mail_program mail
+
+# TAG: cache_effective_user
+# If you start Squid as root, it will change its effective/real
+# UID/GID to the user specified below. The default is to change
+# to UID of proxy.
+# see also; cache_effective_group
+#Default:
+# cache_effective_user proxy
+
+# TAG: cache_effective_group
+# Squid sets the GID to the effective user's default group ID
+# (taken from the password file) and supplementary group list
+# from the groups membership.
+#
+# If you want Squid to run with a specific GID regardless of
+# the group memberships of the effective user then set this
+# to the group (or GID) you want Squid to run as. When set
+# all other group privileges of the effective user are ignored
+# and only this GID is effective. If Squid is not started as
+# root the user starting Squid MUST be member of the specified
+# group.
+#
+# This option is not recommended by the Squid Team.
+# Our preference is for administrators to configure a secure
+# user account for squid with UID/GID matching system policies.
+#Default:
+# Use system group memberships of the cache_effective_user account
+
+# TAG: httpd_suppress_version_string on|off
+# Suppress Squid version string info in HTTP headers and HTML error pages.
+#Default:
+# httpd_suppress_version_string off
+
+# TAG: visible_hostname
+# If you want to present a special hostname in error messages, etc,
+# define this. Otherwise, the return value of gethostname()
+# will be used. If you have multiple caches in a cluster and
+# get errors about IP-forwarding you must set them to have individual
+# names with this setting.
+#Default:
+# Automatically detect the system host name
+
+# TAG: unique_hostname
+# If you want to have multiple machines with the same
+# 'visible_hostname' you must give each machine a different
+# 'unique_hostname' so forwarding loops can be detected.
+#Default:
+# Copy the value from visible_hostname
+
+# TAG: hostname_aliases
+# A list of other DNS names your cache has.
+#Default:
+# none
+
+# TAG: umask
+# Minimum umask which should be enforced while the proxy
+# is running, in addition to the umask set at startup.
+#
+# For a traditional octal representation of umasks, start
+# your value with 0.
+#Default:
+# umask 027
+
+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
+# -----------------------------------------------------------------------------
+#
+# This section contains parameters for the (optional) cache
+# announcement service. This service is provided to help
+# cache administrators locate one another in order to join or
+# create cache hierarchies.
+#
+# An 'announcement' message is sent (via UDP) to the registration
+# service by Squid. By default, the announcement message is NOT
+# SENT unless you enable it with 'announce_period' below.
+#
+# The announcement message includes your hostname, plus the
+# following information from this configuration file:
+#
+# http_port
+# icp_port
+# cache_mgr
+#
+# All current information is processed regularly and made
+# available on the Web at http://www.ircache.net/Cache/Tracker/.
+
+# TAG: announce_period
+# This is how frequently to send cache announcements.
+#
+# To enable announcing your cache, just set an announce period.
+#
+# Example:
+# announce_period 1 day
+#Default:
+# Announcement messages disabled.
+
+# TAG: announce_host
+# Set the hostname where announce registration messages will be sent.
+#
+# See also announce_port and announce_file
+#Default:
+# announce_host tracker.ircache.net
+
+# TAG: announce_file
+# The contents of this file will be included in the announce
+# registration messages.
+#Default:
+# none
+
+# TAG: announce_port
+# Set the port where announce registration messages will be sent.
+#
+# See also announce_host and announce_file
+#Default:
+# announce_port 3131
+
+# HTTPD-ACCELERATOR OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: httpd_accel_surrogate_id
+# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
+# need an identification token to allow control targeting. Because
+# a farm of surrogates may all perform the same tasks, they may share
+# an identification token.
+#Default:
+# visible_hostname is used if no specific ID is set.
+
+# TAG: http_accel_surrogate_remote on|off
+# Remote surrogates (such as those in a CDN) honour the header
+# "Surrogate-Control: no-store-remote".
+#
+# Set this to on to have squid behave as a remote surrogate.
+#Default:
+# http_accel_surrogate_remote off
+
+# TAG: esi_parser libxml2|expat
+# Selects the XML parsing library to use when interpreting responses with
+# Edge Side Includes.
+#
+# To disable ESI handling completely, ./configure Squid with --disable-esi.
+#Default:
+# Selects libxml2 if available at ./configure time or libexpat otherwise.
+
+# DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: delay_pools
+# This represents the number of delay pools to be used. For example,
+# if you have one class 2 delay pool and one class 3 delays pool, you
+# have a total of 2 delay pools.
+#
+# See also delay_parameters, delay_class, delay_access for pool
+# configuration details.
+#Default:
+# delay_pools 0
+
+# TAG: delay_class
+# This defines the class of each delay pool. There must be exactly one
+# delay_class line for each delay pool. For example, to define two
+# delay pools, one of class 2 and one of class 3, the settings above
+# and here would be:
+#
+# Example:
+# delay_pools 4 # 4 delay pools
+# delay_class 1 2 # pool 1 is a class 2 pool
+# delay_class 2 3 # pool 2 is a class 3 pool
+# delay_class 3 4 # pool 3 is a class 4 pool
+# delay_class 4 5 # pool 4 is a class 5 pool
+#
+# The delay pool classes are:
+#
+# class 1 Everything is limited by a single aggregate
+# bucket.
+#
+# class 2 Everything is limited by a single aggregate
+# bucket as well as an "individual" bucket chosen
+# from bits 25 through 32 of the IPv4 address.
+#
+# class 3 Everything is limited by a single aggregate
+# bucket as well as a "network" bucket chosen
+# from bits 17 through 24 of the IP address and a
+# "individual" bucket chosen from bits 17 through
+# 32 of the IPv4 address.
+#
+# class 4 Everything in a class 3 delay pool, with an
+# additional limit on a per user basis. This
+# only takes effect if the username is established
+# in advance - by forcing authentication in your
+# http_access rules.
+#
+# class 5 Requests are grouped according their tag (see
+# external_acl's tag= reply).
+#
+#
+# Each pool also requires a delay_parameters directive to configure the pool size
+# and speed limits used whenever the pool is applied to a request. Along with
+# a set of delay_access directives to determine when it is used.
+#
+# NOTE: If an IP address is a.b.c.d
+# -> bits 25 through 32 are "d"
+# -> bits 17 through 24 are "c"
+# -> bits 17 through 32 are "c * 256 + d"
+#
+# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
+# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also delay_parameters and delay_access.
+#Default:
+# none
+
+# TAG: delay_access
+# This is used to determine which delay pool a request falls into.
+#
+# delay_access is sorted per pool and the matching starts with pool 1,
+# then pool 2, ..., and finally pool N. The first delay pool where the
+# request is allowed is selected for the request. If it does not allow
+# the request to any pool then the request is not delayed (default).
+#
+# For example, if you want some_big_clients in delay
+# pool 1 and lotsa_little_clients in delay pool 2:
+#
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+# delay_access 3 allow authenticated_clients
+#
+# See also delay_parameters and delay_class.
+#
+#Default:
+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: delay_parameters
+# This defines the parameters for a delay pool. Each delay pool has
+# a number of "buckets" associated with it, as explained in the
+# description of delay_class.
+#
+# For a class 1 delay pool, the syntax is:
+# delay_class pool 1
+# delay_parameters pool aggregate
+#
+# For a class 2 delay pool:
+# delay_class pool 2
+# delay_parameters pool aggregate individual
+#
+# For a class 3 delay pool:
+# delay_class pool 3
+# delay_parameters pool aggregate network individual
+#
+# For a class 4 delay pool:
+# delay_class pool 4
+# delay_parameters pool aggregate network individual user
+#
+# For a class 5 delay pool:
+# delay_class pool 5
+# delay_parameters pool tagrate
+#
+# The option variables are:
+#
+# pool a pool number - ie, a number between 1 and the
+# number specified in delay_pools as used in
+# delay_class lines.
+#
+# aggregate the speed limit parameters for the aggregate bucket
+# (class 1, 2, 3).
+#
+# individual the speed limit parameters for the individual
+# buckets (class 2, 3).
+#
+# network the speed limit parameters for the network buckets
+# (class 3).
+#
+# user the speed limit parameters for the user buckets
+# (class 4).
+#
+# tagrate the speed limit parameters for the tag buckets
+# (class 5).
+#
+# A pair of delay parameters is written restore/maximum, where restore is
+# the number of bytes (not bits - modem and network speeds are usually
+# quoted in bits) per second placed into the bucket, and maximum is the
+# maximum number of bytes which can be in the bucket at any time.
+#
+# There must be one delay_parameters line for each delay pool.
+#
+#
+# For example, if delay pool number 1 is a class 2 delay pool as in the
+# above example, and is being used to strictly limit each host to 64Kbit/sec
+# (plus overheads), with no overall limit, the line is:
+#
+# delay_parameters 1 none 8000/8000
+#
+# Note that 8 x 8K Byte/sec -> 64K bit/sec.
+#
+# Note that the word 'none' is used to represent no limit.
+#
+#
+# And, if delay pool number 2 is a class 3 delay pool as in the above
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
+# to permit a decent web page to be downloaded at a decent speed
+# (if the network is not being limited due to overuse) but slow down
+# large downloads more significantly:
+#
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32K Byte/sec -> 256K bit/sec.
+# 8 x 8K Byte/sec -> 64K bit/sec.
+# 8 x 600 Byte/sec -> 4800 bit/sec.
+#
+#
+# Finally, for a class 4 delay pool as in the example - each user will
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
+#
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+#
+#
+# See also delay_class and delay_access.
+#
+#Default:
+# none
+
+# TAG: delay_initial_bucket_level (percent, 0-100)
+# The initial bucket percentage is used to determine how much is put
+# in each bucket when squid starts, is reconfigured, or first notices
+# a host accessing it (in class 2 and class 3, individual hosts and
+# networks only have buckets associated with them once they have been
+# "seen" by squid).
+#Default:
+# delay_initial_bucket_level 50
+
+# CLIENT DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: client_delay_pools
+# This option specifies the number of client delay pools used. It must
+# preceed other client_delay_* options.
+#
+# Example:
+# client_delay_pools 2
+#
+# See also client_delay_parameters and client_delay_access.
+#Default:
+# client_delay_pools 0
+
+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
+# This option determines the initial bucket size as a percentage of
+# max_bucket_size from client_delay_parameters. Buckets are created
+# at the time of the "first" connection from the matching IP. Idle
+# buckets are periodically deleted up.
+#
+# You can specify more than 100 percent but note that such "oversized"
+# buckets are not refilled until their size goes down to max_bucket_size
+# from client_delay_parameters.
+#
+# Example:
+# client_delay_initial_bucket_level 50
+#Default:
+# client_delay_initial_bucket_level 50
+
+# TAG: client_delay_parameters
+#
+# This option configures client-side bandwidth limits using the
+# following format:
+#
+# client_delay_parameters pool speed_limit max_bucket_size
+#
+# pool is an integer ID used for client_delay_access matching.
+#
+# speed_limit is bytes added to the bucket per second.
+#
+# max_bucket_size is the maximum size of a bucket, enforced after any
+# speed_limit additions.
+#
+# Please see the delay_parameters option for more information and
+# examples.
+#
+# Example:
+# client_delay_parameters 1 1024 2048
+# client_delay_parameters 2 51200 16384
+#
+# See also client_delay_access.
+#
+#Default:
+# none
+
+# TAG: client_delay_access
+# This option determines the client-side delay pool for the
+# request:
+#
+# client_delay_access pool_ID allow|deny acl_name
+#
+# All client_delay_access options are checked in their pool ID
+# order, starting with pool 1. The first checked pool with allowed
+# request is selected for the request. If no ACL matches or there
+# are no client_delay_access options, the request bandwidth is not
+# limited.
+#
+# The ACL-selected pool is then used to find the
+# client_delay_parameters for the request. Client-side pools are
+# not used to aggregate clients. Clients are always aggregated
+# based on their source IP addresses (one bucket per source IP).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Additionally, only the client TCP connection details are available.
+# ACLs testing HTTP properties will not work.
+#
+# Please see delay_access for more examples.
+#
+# Example:
+# client_delay_access 1 allow low_rate_network
+# client_delay_access 2 allow vips_network
+#
+#
+# See also client_delay_parameters and client_delay_pools.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: wccp_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCP disabled.
+
+# TAG: wccp2_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCPv2 disabled.
+
+# TAG: wccp_version
+# This directive is only relevant if you need to set up WCCP(v1)
+# to some very old and end-of-life Cisco routers. In all other
+# setups it must be left unset or at the default setting.
+# It defines an internal version in the WCCP(v1) protocol,
+# with version 4 being the officially documented protocol.
+#
+# According to some users, Cisco IOS 11.2 and earlier only
+# support WCCP version 3. If you're using that or an earlier
+# version of IOS, you may need to change this value to 3, otherwise
+# do not specify this parameter.
+#Default:
+# wccp_version 4
+
+# TAG: wccp2_rebuild_wait
+# If this is enabled Squid will wait for the cache dir rebuild to finish
+# before sending the first wccp2 HereIAm packet
+#Default:
+# wccp2_rebuild_wait on
+
+# TAG: wccp2_forwarding_method
+# WCCP2 allows the setting of forwarding methods between the
+# router/switch and the cache. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment method.
+#Default:
+# wccp2_forwarding_method gre
+
+# TAG: wccp2_return_method
+# WCCP2 allows the setting of return methods between the
+# router/switch and the cache for packets that the cache
+# decides not to handle. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment.
+#
+# If the "ip wccp redirect exclude in" command has been
+# enabled on the cache interface, then it is still safe for
+# the proxy server to use a l2 redirect method even if this
+# option is set to GRE.
+#Default:
+# wccp2_return_method gre
+
+# TAG: wccp2_assignment_method
+# WCCP2 allows the setting of methods to assign the WCCP hash
+# Valid values are as follows:
+#
+# hash - Hash assignment
+# mask - Mask assignment
+#
+# As a general rule, cisco routers support the hash assignment method
+# and cisco switches support the mask assignment method.
+#Default:
+# wccp2_assignment_method hash
+
+# TAG: wccp2_service
+# WCCP2 allows for multiple traffic services. There are two
+# types: "standard" and "dynamic". The standard type defines
+# one service id - http (id 0). The dynamic service ids can be from
+# 51 to 255 inclusive. In order to use a dynamic service id
+# one must define the type of traffic to be redirected; this is done
+# using the wccp2_service_info option.
+#
+# The "standard" type does not require a wccp2_service_info option,
+# just specifying the service id will suffice.
+#
+# MD5 service authentication can be enabled by adding
+# "password=" to the end of this service declaration.
+#
+# Examples:
+#
+# wccp2_service standard 0 # for the 'web-cache' standard service
+# wccp2_service dynamic 80 # a dynamic service type which will be
+# # fleshed out with subsequent options.
+# wccp2_service standard 0 password=foo
+#Default:
+# Use the 'web-cache' standard service.
+
+# TAG: wccp2_service_info
+# Dynamic WCCPv2 services require further information to define the
+# traffic you wish to have diverted.
+#
+# The format is:
+#
+# wccp2_service_info protocol= flags=,..
+# priority= ports=,..
+#
+# The relevant WCCPv2 flags:
+# + src_ip_hash, dst_ip_hash
+# + source_port_hash, dst_port_hash
+# + src_ip_alt_hash, dst_ip_alt_hash
+# + src_port_alt_hash, dst_port_alt_hash
+# + ports_source
+#
+# The port list can be one to eight entries.
+#
+# Example:
+#
+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
+# priority=240 ports=80
+#
+# Note: the service id must have been defined by a previous
+# 'wccp2_service dynamic ' entry.
+#Default:
+# none
+
+# TAG: wccp2_weight
+# Each cache server gets assigned a set of the destination
+# hash proportional to their weight.
+#Default:
+# wccp2_weight 10000
+
+# TAG: wccp_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# TAG: wccp2_address
+# Use this option if you require WCCP to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# PERSISTENT CONNECTION HANDLING
+# -----------------------------------------------------------------------------
+#
+# Also see "pconn_timeout" in the TIMEOUTS section
+
+# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
+#Default:
+# client_persistent_connections on
+
+# TAG: server_persistent_connections
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
+#Default:
+# server_persistent_connections on
+
+# TAG: persistent_connection_after_error
+# With this directive the use of persistent connections after
+# HTTP errors can be disabled. Useful if you have clients
+# who fail to handle errors on persistent connections proper.
+#Default:
+# persistent_connection_after_error on
+
+# TAG: detect_broken_pconn
+# Some servers have been found to incorrectly signal the use
+# of HTTP/1.0 persistent connections even on replies not
+# compatible, causing significant delays. This server problem
+# has mostly been seen on redirects.
+#
+# By enabling this directive Squid attempts to detect such
+# broken replies and automatically assume the reply is finished
+# after 10 seconds timeout.
+#Default:
+# detect_broken_pconn off
+
+# CACHE DIGEST OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: digest_generation
+# This controls whether the server will generate a Cache Digest
+# of its contents. By default, Cache Digest generation is
+# enabled if Squid is compiled with --enable-cache-digests defined.
+#Default:
+# digest_generation on
+
+# TAG: digest_bits_per_entry
+# This is the number of bits of the server's Cache Digest which
+# will be associated with the Digest entry for a given HTTP
+# Method and URL (public key) combination. The default is 5.
+#Default:
+# digest_bits_per_entry 5
+
+# TAG: digest_rebuild_period (seconds)
+# This is the wait time between Cache Digest rebuilds.
+#Default:
+# digest_rebuild_period 1 hour
+
+# TAG: digest_rewrite_period (seconds)
+# This is the wait time between Cache Digest writes to
+# disk.
+#Default:
+# digest_rewrite_period 1 hour
+
+# TAG: digest_swapout_chunk_size (bytes)
+# This is the number of bytes of the Cache Digest to write to
+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
+# default swap page.
+#Default:
+# digest_swapout_chunk_size 4096 bytes
+
+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
+# This is the percentage of the Cache Digest to be scanned at a
+# time. By default it is set to 10% of the Cache Digest.
+#Default:
+# digest_rebuild_chunk_percentage 10
+
+# SNMP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: snmp_port
+# The port number where Squid listens for SNMP requests. To enable
+# SNMP support set this to a suitable port number. Port number
+# 3401 is often used for the Squid SNMP agent. By default it's
+# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
+#Default:
+# SNMP disabled.
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: snmp_incoming_address
+# Just like 'udp_incoming_address', but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+#
+# The default snmp_incoming_address is to listen on all
+# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use the same port.
+#Default:
+# Use snmp_incoming_address or an address selected by the operating system.
+
+# ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icp_port
+# The port number where Squid sends and receives ICP queries to
+# and from neighbor caches. The standard UDP port for ICP is 3130.
+#
+# Example:
+# icp_port 3130
+#Default:
+# ICP disabled.
+
+# TAG: htcp_port
+# The port number where Squid sends and receives HTCP queries to
+# and from neighbor caches. To turn it on you want to set it to
+# 4827.
+#
+# Example:
+# htcp_port 4827
+#Default:
+# HTCP disabled.
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log. You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#Default:
+# log_icp_queries on
+
+# TAG: udp_incoming_address
+# udp_incoming_address is used for UDP packets received from other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Only change this if you want to have all UDP queries received on
+# a specific interface/address.
+#
+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_outgoing_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Accept packets from all machine interfaces.
+
+# TAG: udp_outgoing_address
+# udp_outgoing_address is used for UDP packets sent out to other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Instead it will use the same socket as udp_incoming_address.
+# Only change this if you want to have UDP queries sent using another
+# address than where this Squid listens for UDP queries from other
+# caches.
+#
+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_incoming_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Use udp_incoming_address or an address selected by the operating system.
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control,
+# it is probably okay to set this to 'on'.
+# If set to 'on', your siblings should use the option "allow-miss"
+# on their cache_peer lines for connecting to you.
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away.
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt (msec)
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_low 900
+
+# TAG: netdb_high
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default: +# maximum_icp_query_timeout 2000 + +# TAG: minimum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very small timeouts, even lower than +# the normal latency variance on your link due to traffic. +# Use this option to put an lower limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +#Default: +# minimum_icp_query_timeout 5 + +# TAG: background_ping_rate time-units +# Controls how often the ICP pings are sent to siblings that +# have background-ping set. +#Default: +# background_ping_rate 10 seconds + +# MULTICAST ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: mcast_groups +# This tag specifies a list of multicast groups which your server +# should join to receive multicasted ICP queries. +# +# NOTE! Be very careful what you put here! Be sure you +# understand the difference between an ICP _query_ and an ICP +# _reply_. This option is to be set only if you want to RECEIVE +# multicast queries. Do NOT set this option to SEND multicast +# ICP (use cache_peer for that). ICP replies are always sent via +# unicast, so this option does not affect whether or not you will +# receive replies from multicast group members. +# +# You must be very careful to NOT use a multicast address which +# is already in use by another group of caches. +# +# If you are unsure about multicast, please read the Multicast +# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). +# +# Usage: mcast_groups 239.128.16.128 224.0.1.20 +# +# By default, Squid doesn't listen on any multicast groups. 
+#Default: +# none + +# TAG: mcast_miss_addr +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# If you enable this option, every "cache miss" URL will +# be sent out on the specified multicast address. +# +# Do not enable this option unless you are are absolutely +# certain you understand what you are doing. +#Default: +# disabled. + +# TAG: mcast_miss_ttl +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the time-to-live value for packets multicasted +# when multicasting off cache miss URLs is enabled. By +# default this is set to 'site scope', i.e. 16. +#Default: +# mcast_miss_ttl 16 + +# TAG: mcast_miss_port +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# This is the port number to be used in conjunction with +# 'mcast_miss_addr'. +#Default: +# mcast_miss_port 3135 + +# TAG: mcast_miss_encode_key +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM define +# +# The URLs that are sent in the multicast miss stream are +# encrypted. This is the encryption key. +#Default: +# mcast_miss_encode_key XXXXXXXXXXXXXXXX + +# TAG: mcast_icp_query_timeout (msec) +# For multicast peers, Squid regularly sends out ICP "probes" to +# count how many other peers are listening on the given multicast +# address. This value specifies how long Squid should wait to +# count all the replies. The default is 2000 msec, or 2 +# seconds. +#Default: +# mcast_icp_query_timeout 2000 + +# INTERNAL ICON OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icon_directory +# Where the icons are stored. 
These are normally kept in +# /usr/share/squid/icons +#Default: +# icon_directory /usr/share/squid/icons + +# TAG: global_internal_static +# This directive controls is Squid should intercept all requests for +# /squid-internal-static/ no matter which host the URL is requesting +# (default on setting), or if nothing special should be done for +# such URLs (off setting). The purpose of this directive is to make +# icons etc work better in complex cache hierarchies where it may +# not always be possible for all corners in the cache mesh to reach +# the server generating a directory listing. +#Default: +# global_internal_static on + +# TAG: short_icon_urls +# If this is enabled Squid will use short URLs for icons. +# If disabled it will revert to the old behavior of including +# it's own name and port in the URL. +# +# If you run a complex cache hierarchy with a mix of Squid and +# other proxies you may need to disable this directive. +#Default: +# short_icon_urls on + +# ERROR PAGE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: error_directory +# If you wish to create your own versions of the default +# error files to customize them to suit your company copy +# the error/template files to another directory and point +# this tag at them. +# +# WARNING: This option will disable multi-language support +# on error pages if used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are making translations for a +# language that Squid does not currently provide please consider +# contributing your translation back to the project. +# http://wiki.squid-cache.org/Translations +# +# The squid developers working on translations are happy to supply drop-in +# translated error files in exchange for any new language contributions. 
+#Default: +# Send error pages in the clients preferred language + +# TAG: error_default_language +# Set the default language which squid will send error pages in +# if no existing translation matches the clients language +# preferences. +# +# If unset (default) generic English will be used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are interested in making +# translations for any language see the squid wiki for details. +# http://wiki.squid-cache.org/Translations +#Default: +# Generate English language pages. + +# TAG: error_log_languages +# Log to cache.log what languages users are attempting to +# auto-negotiate for translations. +# +# Successful negotiations are not logged. Only failures +# have meaning to indicate that Squid may need an upgrade +# of its error page translations. +#Default: +# error_log_languages on + +# TAG: err_page_stylesheet +# CSS Stylesheet to pattern the display of Squid default error pages. +# +# For information on CSS see http://www.w3.org/Style/CSS/ +#Default: +# err_page_stylesheet /etc/squid/errorpage.css + +# TAG: err_html_text +# HTML text to include in error messages. Make this a "mailto" +# URL to your admin address, or maybe just a link to your +# organizations Web page. +# +# To include this in your error messages, you must rewrite +# the error template files (found in the "errors" directory). +# Wherever you want the 'err_html_text' line to appear, +# insert a %L tag in the error template file. +#Default: +# none + +# TAG: email_err_data on|off +# If enabled, information about the occurred error will be +# included in the mailto links of the ERR pages (if %W is set) +# so that the email body contains the data. +# Syntax is %w +#Default: +# email_err_data on + +# TAG: deny_info +# Usage: deny_info err_page_name acl +# or deny_info http://... 
acl +# or deny_info TCP_RESET acl +# +# This can be used to return a ERR_ page for requests which +# do not pass the 'http_access' rules. Squid remembers the last +# acl it evaluated in http_access, and if a 'deny_info' line exists +# for that ACL Squid returns a corresponding error page. +# +# The acl is typically the last acl on the http_access deny line which +# denied access. The exceptions to this rule are: +# - When Squid needs to request authentication credentials. It's then +# the first authentication related acl encountered +# - When none of the http_access lines matches. It's then the last +# acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. +# +# NP: If providing your own custom error pages with error_directory +# you may also specify them by your custom file name: +# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys +# +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED +# +# Alternatively you can tell Squid to reset the TCP connection +# by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. 
Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %O - Unescaped message result from external ACL helper +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# +#Default: +# none + +# OPTIONS INFLUENCING REQUEST FORWARDING +# ----------------------------------------------------------------------------- + +# TAG: nonhierarchical_direct +# By default, Squid will send any non-hierarchical requests +# (not cacheable request type) direct to origin servers. +# +# When this is set to "off", Squid will prefer to send these +# requests to parents. +# +# Note that in most configurations, by turning this off you will only +# add latency to these request without any improvement in global hit +# ratio. +# +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. +#Default: +# nonhierarchical_direct on + +# TAG: prefer_direct +# Normally Squid tries to use parents for most requests. If you for some +# reason like it to first try going direct and only use a parent if +# going direct fails set this to on. +# +# By combining nonhierarchical_direct off and prefer_direct on you +# can set up Squid to use a parent as a backup path if going direct +# fails. +# +# Note: If you want Squid to use parents for all requests see +# the never_direct directive. prefer_direct only modifies how Squid +# acts on cacheable requests. 
+#Default: +# prefer_direct off + +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + +# TAG: always_direct +# Usage: always_direct allow|deny [!]aclname ... +# +# Here you can use ACL elements to specify requests which should +# ALWAYS be forwarded by Squid to the origin servers without using +# any peers. For example, to always directly forward requests for +# local servers ignoring any parents or siblings you may have use +# something like: +# +# acl local-servers dstdomain my.domain.net +# always_direct allow local-servers +# +# To always forward FTP requests directly, use +# +# acl FTP proto FTP +# always_direct allow FTP +# +# NOTE: There is a similar, but opposite option named +# 'never_direct'. You need to be aware that "always_direct deny +# foo" is NOT the same thing as "never_direct allow foo". You +# may need to use a deny rule to exclude a more-specific case of +# some other rule. 
Example: +# +# acl local-external dstdomain external.foo.net +# acl local-servers dstdomain .foo.net +# always_direct deny local-external +# always_direct allow local-servers +# +# NOTE: If your goal is to make the client forward the request +# directly to the origin server bypassing Squid then this needs +# to be done in the client configuration. Squid configuration +# can only tell Squid how Squid should fetch the object. +# +# NOTE: This directive is not related to caching. The replies +# is cached as usual even if you use always_direct. To not cache +# the replies see the 'cache' directive. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Prevent any cache_peer being used for this request. + +# TAG: never_direct +# Usage: never_direct allow|deny [!]aclname ... +# +# never_direct is the opposite of always_direct. Please read +# the description for always_direct if you have not already. +# +# With 'never_direct' you can use ACL elements to specify +# requests which should NEVER be forwarded directly to origin +# servers. For example, to force the use of a proxy for all +# requests, except those in your local domain use something like: +# +# acl local-servers dstdomain .foo.net +# never_direct deny local-servers +# never_direct allow all +# +# or if Squid is inside a firewall and there are local intranet +# servers inside the firewall use something like: +# +# acl local-intranet dstdomain .foo.net +# acl local-external dstdomain external.foo.net +# always_direct deny local-external +# always_direct allow local-intranet +# never_direct allow all +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow DNS results to be used for this request. 
+ +# ADVANCED NETWORKING OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_udp_average 6 + +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_tcp_average 4 + +# TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# incoming_dns_average 4 + +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_udp_poll_cnt 8 + +# TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_dns_poll_cnt 8 + +# TAG: min_tcp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! +#Default: +# min_tcp_poll_cnt 8 + +# TAG: accept_filter +# FreeBSD: +# +# The name of an accept(2) filter to install on Squid's +# listen socket(s). This feature is perhaps specific to +# FreeBSD and requires support in the kernel. +# +# The 'httpready' filter delays delivering new connections +# to Squid until a full HTTP request has been received. +# See the accf_http(9) man page for details. 
+# +# The 'dataready' filter delays delivering new connections +# to Squid until there is some data to process. +# See the accf_dataready(9) man page for details. +# +# Linux: +# +# The 'data' filter delays delivering of new connections +# to Squid until there is some data to process by TCP_ACCEPT_DEFER. +# You may optionally specify a number of seconds to wait by +# 'data=N' where N is the number of seconds. Defaults to 30 +# if not specified. See the tcp(7) man page for details. +#EXAMPLE: +## FreeBSD +#accept_filter httpready +## Linux +#accept_filter data +#Default: +# none + +# TAG: client_ip_max_connections +# Set an absolute limit on the number of connections a single +# client IP can use. Any more than this and Squid will begin to drop +# new connections from the client until it closes some links. +# +# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP +# connections from the client. For finer control use the ACL access controls. +# +# Requires client_db to be enabled (the default). +# +# WARNING: This may noticably slow down traffic received via external proxies +# or NAT devices and cause them to rebound error messages back to their clients. +#Default: +# No limit. + +# TAG: tcp_recv_bufsize (bytes) +# Size of receive buffer to set for TCP sockets. Probably just +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. +#Default: +# Use operating system TCP defaults. + +# ICAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icap_enable on|off +# If you want to enable the ICAP module support, set this to on. +#Default: +# icap_enable off + +# TAG: icap_connect_timeout +# This parameter specifies how long to wait for the TCP connect to +# the requested ICAP server to complete before giving up and either +# terminating the HTTP transaction or bypassing the failure. +# +# The default for optional services is peer_connect_timeout. 
+# The default for essential services is connect_timeout. +# If this option is explicitly set, its value applies to all services. +#Default: +# none + +# TAG: icap_io_timeout time-units +# This parameter specifies how long to wait for an I/O activity on +# an established, active ICAP connection before giving up and +# either terminating the HTTP transaction or bypassing the +# failure. +#Default: +# Use read_timeout. + +# TAG: icap_service_failure_limit limit [in memory-depth time-units] +# The limit specifies the number of failures that Squid tolerates +# when establishing a new TCP connection with an ICAP service. If +# the number of failures exceeds the limit, the ICAP service is +# not used for new ICAP requests until it is time to refresh its +# OPTIONS. +# +# A negative value disables the limit. Without the limit, an ICAP +# service will not be considered down due to connectivity failures +# between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds +#Default: +# icap_service_failure_limit 10 + +# TAG: icap_service_revival_delay +# The delay specifies the number of seconds to wait after an ICAP +# OPTIONS request failure before requesting the options again. The +# failed ICAP service is considered "down" until fresh OPTIONS are +# fetched. +# +# The actual delay cannot be smaller than the hardcoded minimum +# delay of 30 seconds. 
+#Default: +# icap_service_revival_delay 180 + +# TAG: icap_preview_enable on|off +# The ICAP Preview feature allows the ICAP server to handle the +# HTTP message by looking only at the beginning of the message body +# or even without receiving the body at all. In some environments, +# previews greatly speedup ICAP processing. +# +# During an ICAP OPTIONS transaction, the server may tell Squid what +# HTTP messages should be previewed and how big the preview should be. +# Squid will not use Preview if the server did not request one. +# +# To disable ICAP Preview for all ICAP services, regardless of +# individual ICAP server OPTIONS responses, set this option to "off". +#Example: +#icap_preview_enable off +#Default: +# icap_preview_enable on + +# TAG: icap_preview_size +# The default size of preview data to be sent to the ICAP server. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off +#Default: +# icap_206_enable on + +# TAG: icap_default_options_ttl +# The default TTL value for ICAP OPTIONS responses that don't have +# an Options-TTL header. +#Default: +# icap_default_options_ttl 60 + +# TAG: icap_persistent_connections on|off +# Whether or not Squid should use persistent connections to +# an ICAP server. 
+#Default: +# icap_persistent_connections on + +# TAG: adaptation_send_client_ip on|off +# If enabled, Squid shares HTTP client IP information with adaptation +# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. +# For eCAP, Squid sets the libecap::metaClientIp transaction option. +# +# See also: adaptation_uses_indirect_client +#Default: +# adaptation_send_client_ip off + +# TAG: adaptation_send_username on|off +# This sends authenticated HTTP client username (if available) to +# the adaptation service. +# +# For ICAP, the username value is encoded based on the +# icap_client_username_encode option and is sent using the header +# specified by the icap_client_username_header option. +#Default: +# adaptation_send_username off + +# TAG: icap_client_username_header +# ICAP request header name to use for adaptation_send_username. +#Default: +# icap_client_username_header X-Client-Username + +# TAG: icap_client_username_encode on|off +# Whether to base64 encode the authenticated client username. +#Default: +# icap_client_username_encode off + +# TAG: icap_service +# Defines a single ICAP service using the following format: +# +# icap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# ICAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: icap://servername:port/servicepath +# ICAP server and service location. +# icaps://servername:port/servicepath +# The "icap:" URI scheme is used for traditional ICAP server and +# service location (default port is 1344, connections are not +# encrypted). 
The "icaps:" URI scheme is for Secure ICAP +# services that use SSL/TLS-encrypted ICAP connections (by +# default, on port 11344). +# +# ICAP does not allow a single service to handle both REQMOD and RESPMOD +# transactions. Squid does not enforce that requirement. You can specify +# services with the same service_url and different vectoring_points. You +# can even specify multiple identical services as long as their +# service_names differ. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. ICAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the ICAP service is treated as +# optional. If the service cannot be reached or malfunctions, +# Squid will try to ignore any errors and process the message as +# if the service was not enabled. No all ICAP errors can be +# bypassed. If set to 0, the ICAP service is treated as +# essential and all ICAP errors will result in an error page +# returned to the HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the ICAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. The services +# are specified using the X-Next-Services ICAP response header +# value, formatted as a comma-separated list of service names. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default: the ICAP X-Next-Services +# response header is ignored. +# +# ipv6=on|off +# Only has effect on split-stack systems. 
The default on those systems +# is to use IPv4-only connections. When set to 'on' this option will +# make Squid use IPv6-only connections to contact this ICAP service. +# +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# +# connection-encryption=on|off +# Determines the ICAP service effect on the connections_encrypted +# ACL. +# +# The default is "on" for Secure ICAP services (i.e., those +# with the icaps:// service URIs scheme) and "off" for plain ICAP +# services. +# +# Does not affect ICAP connections (e.g., does not turn Secure +# ICAP on or off). +# +# ==== ICAPS / TLS OPTIONS ==== +# +# These options are used for Secure ICAP (icaps://....) services only. +# +# tls-cert=/path/to/ssl/certificate +# A client X.509 certificate to use when connecting to +# this ICAP server. +# +# tls-key=/path/to/ssl/key +# The private key corresponding to the previous +# tls-cert= option. +# +# If tls-key= is not specified tls-cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting +# to this icap server. +# +# tls-min-version=1.N +# The minimum TLS protocol version to permit. To control +# SSLv3 use the tls-options= parameter. 
+# Supported Values: 1.0 (default), 1.1, 1.2 +# +# tls-options=... Specify various OpenSSL library options: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. Options relevant only to SSLv2 are +# not supported. +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# the icap server certificate. +# Use to specify intermediate CA certificate(s) if not sent +# by the server. Or the full CA chain for the server when +# using the tls-default-ca=off flag. +# May be repeated to load multiple files. +# +# tls-capath=... A directory containing additional CA certificates to +# use when verifying the icap server certificate. +# Requires OpenSSL or LibreSSL. +# +# tls-crlfile=... A certificate revocation list file to use when +# verifying the icap server certificate. +# +# tls-flags=... Specify various flags modifying the Squid TLS implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# DONT_VERIFY_DOMAIN +# Don't verify the icap server certificate +# matches the server name +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# tls-domain= The icap server name as advertised in it's certificate. +# Used for verifying the correctness of the received icap +# server certificate. If not specified the icap server +# hostname extracted from ICAP URI will be used. +# +# Older icap_service format without optional named parameters is +# deprecated but supported for backward compatibility. 
+# +#Example: +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on +#Default: +# none + +# TAG: icap_class +# This deprecated option was documented to define an ICAP service +# chain, even though it actually defined a set of similar, redundant +# services, and the chains were not supported. +# +# To define a set of redundant services, please use the +# adaptation_service_set directive. For service chains, use +# adaptation_service_chain. +#Default: +# none + +# TAG: icap_access +# This option is deprecated. Please use adaptation_access, which +# has the same ICAP functionality, but comes with better +# documentation, and eCAP support. +#Default: +# none + +# eCAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ecap_enable on|off +# Controls whether eCAP support is enabled. +#Default: +# ecap_enable off + +# TAG: ecap_service +# Defines a single eCAP service +# +# ecap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# eCAP service should be activated. *_postcache vectoring points +# are not yet supported. +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. 
+# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service +# was not enabled. No all eCAP errors can be bypassed. +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the +# HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# connection-encryption=on|off +# Determines the eCAP service effect on the connections_encrypted +# ACL. +# +# Defaults to "on", which does not taint the master transaction +# w.r.t. that ACL. +# +# Does not affect eCAP API calls. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# +# +#Example: +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on +#Default: +# none + +# TAG: loadable_modules +# Instructs Squid to load the specified dynamic module(s) or activate +# preloaded module(s). +#Example: +#loadable_modules /usr/lib/MinimalAdapter.so +#Default: +# none + +# MESSAGE ADAPTATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: adaptation_service_set +# +# Configures an ordered set of similar, redundant services. 
This is +# useful when hot standby or backup adaptation servers are available. +# +# adaptation_service_set set_name service_name1 service_name2 ... +# +# The named services are used in the set declaration order. The first +# applicable adaptation service from the set is used first. The next +# applicable service is tried if and only if the transaction with the +# previous service fails and the message waiting to be adapted is still +# intact. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the set. A broken service is a down optional service. +# +# The services in a set must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# If all services in a set are optional then adaptation failures are +# bypassable. If all services in the set are essential, then a +# transaction failure with one service may still be retried using +# another service from the set, but when all services fail, the master +# transaction fails as well. +# +# A set may contain a mix of optional and essential services, but that +# is likely to lead to surprising results because broken services become +# ignored (see above), making previously bypassable failures fatal. +# Technically, it is the bypassability of the last failed service that +# matters. +# +# See also: adaptation_access adaptation_service_chain +# +#Example: +#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup +#adaptation service_set svcLogger loggerLocal loggerRemote +#Default: +# none + +# TAG: adaptation_service_chain +# +# Configures a list of complementary services that will be applied +# one-by-one, forming an adaptation chain or pipeline. This is useful +# when Squid must perform different adaptations on the same message. +# +# adaptation_service_chain chain_name service_name1 svc_name2 ... +# +# The named services are used in the chain declaration order. 
The first +# applicable adaptation service from the chain is used first. The next +# applicable service is applied to the successful adaptation results of +# the previous service in the chain. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the chain. A broken service is a down optional service. +# +# Request satisfaction terminates the adaptation chain because Squid +# does not currently allow declaration of RESPMOD services at the +# "reqmod_precache" vectoring point (see icap_service or ecap_service). +# +# The services in a chain must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# A chain may contain a mix of optional and essential services. If an +# essential adaptation fails (or the failure cannot be bypassed for +# other reasons), the master transaction fails. Otherwise, the failure +# is bypassed as if the failed adaptation service was not in the chain. +# +# See also: adaptation_access adaptation_service_set +# +#Example: +#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector +#Default: +# none + +# TAG: adaptation_access +# Sends an HTTP transaction to an ICAP or eCAP adaptation service. +# +# adaptation_access service_name allow|deny [!]aclname... +# adaptation_access set_name allow|deny [!]aclname... +# +# At each supported vectoring point, the adaptation_access +# statements are processed in the order they appear in this +# configuration file. Statements pointing to the following services +# are ignored (i.e., skipped without checking their ACL): +# +# - services serving different vectoring points +# - "broken-but-bypassable" services +# - "up" services configured to ignore such transactions +# (e.g., based on the ICAP Transfer-Ignore header). +# +# When a set_name is used, all services in the set are checked +# using the same rules, to find the first applicable one. See +# adaptation_service_set for details. 
+# +# If an access list is checked and there is a match, the +# processing stops: For an "allow" rule, the corresponding +# adaptation service is used for the transaction. For a "deny" +# rule, no adaptation service is activated. +# +# It is currently not possible to apply more than one adaptation +# service at the same vectoring point to the same HTTP transaction. +# +# See also: icap_service and ecap_service +# +#Example: +#adaptation_access service_1 allow all +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: adaptation_service_iteration_limit +# Limits the number of iterations allowed when applying adaptation +# services to a message. If your longest adaptation set or chain +# may have more than 16 services, increase the limit beyond its +# default value of 16. If detecting infinite iteration loops sooner +# is critical, make the iteration limit match the actual number +# of services in your longest adaptation set or chain. +# +# Infinite adaptation loops are most likely with routing services. +# +# See also: icap_service routing=1 +#Default: +# adaptation_service_iteration_limit 16 + +# TAG: adaptation_masterx_shared_names +# For each master transaction (i.e., the HTTP request and response +# sequence, including all related ICAP and eCAP exchanges), Squid +# maintains a table of metadata. The table entries are (name, value) +# pairs shared among eCAP and ICAP exchanges. The table is destroyed +# with the master transaction. +# +# This option specifies the table entry names that Squid must accept +# from and forward to the adaptation transactions. +# +# An ICAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by returning an ICAP header field with a name +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. 
+# +# Squid will store and forward the set entry to subsequent adaptation +# transactions within the same master transaction scope. +# +# Only one shared entry name is supported at this time. +# +#Example: +## share authentication information among ICAP services +#adaptation_masterx_shared_names X-Subscriber-ID +#Default: +# none + +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). 
+#Default: +# none + +# TAG: icap_retry +# This ACL determines which retriable ICAP transactions are +# retried. Transactions that received a complete ICAP response +# and did not have to consume or produce HTTP bodies to receive +# that response are usually retriable. +# +# icap_retry allow|deny [!]aclname ... +# +# Squid automatically retries some ICAP I/O timeouts and errors +# due to persistent connection race conditions. +# +# See also: icap_retry_limit +#Default: +# icap_retry deny all + +# TAG: icap_retry_limit +# Limits the number of retries allowed. +# +# Communication errors due to persistent connection race +# conditions are unavoidable, automatically retried, and do not +# count against this limit. +# +# See also: icap_retry +#Default: +# No retries are allowed. + +# DNS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: check_hostnames +# For security and stability reasons Squid can check +# hostnames for Internet standard RFC compliance. If you want +# Squid to perform these checks turn this directive on. +#Default: +# check_hostnames off + +# TAG: allow_underscore +# Underscore characters is not strictly allowed in Internet hostnames +# but nevertheless used by many sites. Set this to off if you want +# Squid to be strict about the standard. +# This check is performed only when check_hostnames is set to on. +#Default: +# allow_underscore on + +# TAG: dns_retransmit_interval +# Initial retransmit interval for DNS queries. The interval is +# doubled each time all configured DNS servers have been tried. +#Default: +# dns_retransmit_interval 5 seconds + +# TAG: dns_timeout +# DNS Query timeout. If no response is received to a DNS query +# within this time all DNS servers for the queried domain +# are assumed to be unavailable. +#Default: +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. 
+# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled + +# TAG: dns_defnames on|off +# Normally the RES_DEFNAMES resolver option is disabled +# (see res_init(3)). This prevents caches in a hierarchy +# from interpreting single-component hostnames locally. To allow +# Squid to handle single-component names, enable this option. +#Default: +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. + +# TAG: dns_nameservers +# Use this if you want to specify a list of DNS name servers +# (IP addresses) to use instead of those given in your +# /etc/resolv.conf file. 
+# +# On Windows platforms, if no value is specified here or in +# the /etc/resolv.conf file, the list of DNS name servers are +# taken from the Windows registry, both static and dynamic DHCP +# configurations are supported. +# +# Example: dns_nameservers 10.0.0.1 192.172.0.4 +#Default: +# Use operating system definitions + +# TAG: hosts_file +# Location of the host-local IP name-address associations +# database. Most Operating Systems have such a file on different +# default locations: +# - Un*X & Linux: /etc/hosts +# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\winnt) +# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\windows) +# - Windows 9x/Me: %windir%\hosts +# (%windir% value is usually c:\windows) +# - Cygwin: /etc/hosts +# +# The file contains newline-separated definitions, in the +# form ip_address_in_dotted_form name [name ...] names are +# whitespace-separated. Lines beginning with an hash (#) +# character are comments. +# +# The file is checked at startup and upon configuration. +# If set to 'none', it won't be checked. +# If append_domain is used, that domain will be added to +# domain-local (i.e. not containing any dot character) host +# definitions. +#Default: +# hosts_file /etc/hosts + +# TAG: append_domain +# Appends local domain name to hostnames without any dots in +# them. append_domain must begin with a period. +# +# Be warned there are now Internet names with no dots in +# them using only top-domain names, so setting this may +# cause some Internet sites to become unavailable. +# +#Example: +# append_domain .yourdomain.com +#Default: +# Use operating system definitions + +# TAG: ignore_unknown_nameservers +# By default Squid checks that DNS responses are received +# from the same IP addresses they are sent to. If they +# don't match, Squid ignores the response and writes a warning +# message to cache.log. 
You can allow responses from unknown +# nameservers by setting this option to 'off'. +#Default: +# ignore_unknown_nameservers on + +# TAG: dns_v4_first +# With the IPv6 Internet being as fast or faster than IPv4 Internet +# for most networks Squid prefers to contact websites over IPv6. +# +# This option reverses the order of preference to make Squid contact +# dual-stack websites over IPv4 first. Squid will still perform both +# IPv6 and IPv4 DNS lookups before connecting. +# +# WARNING: +# This option will restrict the situations under which IPv6 +# connectivity is used (and tested), potentially hiding network +# problems which would otherwise be detected and warned about. +#Default: +# dns_v4_first off + +# TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. +#Default: +# ipcache_size 1024 + +# TAG: ipcache_low (percent) +#Default: +# ipcache_low 90 + +# TAG: ipcache_high (percent) +# The size, low-, and high-water marks for the IP cache. +#Default: +# ipcache_high 95 + +# TAG: fqdncache_size (number of entries) +# Maximum number of FQDN cache entries. +#Default: +# fqdncache_size 1024 + +# MISCELLANEOUS +# ----------------------------------------------------------------------------- + +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + +# TAG: memory_pools on|off +# If set, Squid will keep pools of allocated (but unused) memory +# available for future use. If memory is a premium on your +# system and you believe your malloc library outperforms Squid +# routines, disable this. 
+#Default: +# memory_pools on + +# TAG: memory_pools_limit (bytes) +# Used only with memory_pools on: +# memory_pools_limit 50 MB +# +# If set to a non-zero value, Squid will keep at most the specified +# limit of allocated (but unused) memory in memory pools. All free() +# requests that exceed this limit will be handled by your malloc +# library. Squid does not pre-allocate any memory, just safe-keeps +# objects that otherwise would be free()d. Thus, it is safe to set +# memory_pools_limit to a reasonably high value even if your +# configuration will use less memory. +# +# If set to none, Squid will keep all memory it can. That is, there +# will be no limit on the total amount of memory used for safe-keeping. +# +# To disable memory allocation optimization, do not set +# memory_pools_limit to 0 or none. Set memory_pools to "off" instead. +# +# An overhead for maintaining memory pools is not taken into account +# when the limit is checked. This overhead is close to four bytes per +# object kept. However, pools may actually _save_ memory because of +# reduced memory thrashing in your malloc library. +#Default: +# memory_pools_limit 5 MB + +# TAG: forwarded_for on|off|transparent|truncate|delete +# If set to "on", Squid will append your client's IP address +# in the HTTP requests it forwards. By default it looks like: +# +# X-Forwarded-For: 192.1.2.3 +# +# If set to "off", it will appear as +# +# X-Forwarded-For: unknown +# +# If set to "transparent", Squid will not alter the +# X-Forwarded-For header in any way. +# +# If set to "delete", Squid will delete the entire +# X-Forwarded-For header. +# +# If set to "truncate", Squid will remove all existing +# X-Forwarded-For entries, and place the client IP as the sole entry. +#Default: +# forwarded_for on + +# TAG: cachemgr_passwd +# Specify passwords for cachemgr operations. +# +# Usage: cachemgr_passwd password action action ... 
+# +# Some valid actions are (see cache manager menu for a full list): +# 5min +# 60min +# asndb +# authenticator +# cbdata +# client_list +# comm_incoming +# config * +# counters +# delay +# digest_stats +# dns +# events +# filedescriptors +# fqdncache +# histograms +# http_headers +# info +# io +# ipcache +# mem +# menu +# netdb +# non_peers +# objects +# offline_toggle * +# pconn +# peer_select +# reconfigure * +# redirector +# refresh +# server_list +# shutdown * +# store_digest +# storedir +# utilization +# via_headers +# vm_objects +# +# * Indicates actions which will not be performed without a +# valid password, others can be performed if not listed here. +# +# To disable an action, set the password to "disable". +# To allow performing an action without a password, set the +# password to "none". +# +# Use the keyword "all" to set the same password for all actions. +# +#Example: +# cachemgr_passwd secret shutdown +# cachemgr_passwd lesssssssecret info stats/objects +# cachemgr_passwd disable all +#Default: +# No password. Actions which require password are denied. + +# TAG: client_db on|off +# If you want to disable collecting per-client statistics, +# turn off client_db here. +#Default: +# client_db on + +# TAG: refresh_all_ims on|off +# When you enable this option, squid will always check +# the origin server for an update when a client sends an +# If-Modified-Since request. Many browsers use IMS +# requests when the user requests a reload, and this +# ensures those clients receive the latest version. +# +# By default (off), squid may return a Not Modified response +# based on the age of the cached version. +#Default: +# refresh_all_ims off + +# TAG: reload_into_ims on|off +# When you enable this option, client no-cache or ``reload'' +# requests will be changed to If-Modified-Since requests. +# Doing this VIOLATES the HTTP standard. Enabling this +# feature could make you liable for problems which it +# causes. 
+# +# see also refresh_pattern for a more selective approach. +#Default: +# reload_into_ims off + +# TAG: connect_retries +# Limits the number of reopening attempts when establishing a single +# TCP connection. All these attempts must still complete before the +# applicable connection opening timeout expires. +# +# By default and when connect_retries is set to zero, Squid does not +# retry failed connection opening attempts. +# +# The (not recommended) maximum is 10 tries. An attempt to configure a +# higher value results in the value of 10 being used (with a warning). +# +# Squid may open connections to retry various high-level forwarding +# failures. For an outside observer, that activity may look like a +# low-level connection reopening attempt, but those high-level retries +# are governed by forward_max_tries instead. +# +# See also: connect_timeout, forward_timeout, icap_connect_timeout, +# ident_timeout, and forward_max_tries. +#Default: +# Do not retry failed connections. + +# TAG: retry_on_error +# If set to ON Squid will automatically retry requests when +# receiving an error response with status 403 (Forbidden), +# 500 (Internal Error), 501 or 503 (Service not available). +# Status 502 and 504 (Gateway errors) are always retried. +# +# This is mainly useful if you are in a complex cache hierarchy to +# work around access control errors. +# +# NOTE: This retry will attempt to find another working destination. +# Which is different from the server which just failed. +#Default: +# retry_on_error off + +# TAG: as_whois_server +# WHOIS server to query for AS numbers. NOTE: AS numbers are +# queried only when Squid starts up, not for every request. +#Default: +# as_whois_server whois.ra.net + +# TAG: offline_mode +# Enable this option and Squid will never try to validate cached +# objects. +#Default: +# offline_mode off + +# TAG: uri_whitespace +# What to do with requests that have whitespace characters in the +# URI. 
Options: +# +# strip: The whitespace characters are stripped out of the URL. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# +# deny: The request is denied. The user receives an "Invalid +# Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# +# allow: The request is allowed and the URI is not changed. The +# whitespace characters remain in the URI. Note the +# whitespace is passed to redirector processes if they +# are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# +# encode: The request is allowed and the whitespace characters are +# encoded according to RFC1738. +# +# chop: The request is allowed and the URI is chopped at the +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. +#Default: +# uri_whitespace strip + +# TAG: chroot +# Specifies a directory where Squid should do a chroot() while +# initializing. This also causes Squid to fully drop root +# privileges after initializing. This means, for example, if you +# use a HTTP port less than 1024 and try to reconfigure, you may +# get an error saying that Squid can not open the port. +#Default: +# none + +# TAG: pipeline_prefetch +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging +# reasons. +# +# NOTE: pipelining requires persistent connections to clients. 
+# +# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. +#Default: +# Do not pre-parse pipelined requests. + +# TAG: high_response_time_warning (msec) +# If the one-minute median response time exceeds this value, +# Squid prints a WARNING with debug level 0 to get the +# administrators attention. The value is in milliseconds. +#Default: +# disabled. + +# TAG: high_page_fault_warning +# If the one-minute average page fault rate exceeds this +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. The value is in page faults +# per second. +#Default: +# disabled. + +# TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get +# the administrators attention. +#Default: +# disabled. + +# TAG: sleep_after_fork (microseconds) +# When this is set to a non-zero value, the main Squid process +# sleeps the specified number of microseconds after a fork() +# system call. This sleep may help the situation where your +# system reports fork() failures due to lack of (virtual) +# memory. Note, however, if you have a lot of child +# processes, these sleep delays will add up and your +# Squid will not service requests for some amount of time +# until all the child processes have been started. +# On Windows value less then 1000 (1 milliseconds) are +# rounded to 1000. +#Default: +# sleep_after_fork 0 + +# TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# +# On Windows Squid by default will monitor IP address changes and will +# reconfigure itself after any detected event. This is very useful for +# proxies connected to internet with dial-up interfaces. 
+# In some cases (a Proxy server acting as VPN gateway is one) it could be +# desiderable to disable this behaviour setting this to 'off'. +# Note: after changing this, Squid service must be restarted. +#Default: +# windows_ipaddrchangemonitor on + +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + +# TAG: max_filedescriptors +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. +# +# Remove from squid.conf to inherit the current ulimit setting. +# +# Note: Changing this requires a restart of Squid. Also +# not all I/O types supports large values (eg on Windows). +#Default: +# Use operating system limits set by ulimit. + +# TAG: force_request_body_continuation +# This option controls how Squid handles data upload requests from HTTP +# and FTP agents that require a "Please Continue" control message response +# to actually send the request body to Squid. It is mostly useful in +# adaptation environments. +# +# When Squid receives an HTTP request with an "Expect: 100-continue" +# header or an FTP upload command (e.g., STOR), Squid normally sends the +# request headers or FTP command information to an adaptation service (or +# peer) and waits for a response. Most adaptation services (and some +# broken peers) may not respond to Squid at that stage because they may +# decide to wait for the HTTP request body or FTP data transfer. However, +# that request body or data transfer may never come because Squid has not +# responded with the HTTP 100 or FTP 150 (Please Continue) control message +# to the request sender yet! +# +# An allow match tells Squid to respond with the HTTP 100 or FTP 150 +# (Please Continue) control message on its own, before forwarding the +# request to an adaptation service or peer. Such a response usually forces +# the request sender to proceed with sending the body. 
A deny match tells +# Squid to delay that control response until the origin server confirms +# that the request body is needed. Delaying is the default behavior. +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: server_pconn_for_nonretriable +# This option provides fine-grained control over persistent connection +# reuse when forwarding HTTP requests that Squid cannot retry. It is useful +# in environments where opening new connections is very expensive +# (e.g., all connections are secured with TLS with complex client and server +# certificate validation) and race conditions associated with persistent +# connections are very rare and/or only cause minor problems. +# +# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST). +# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT). +# By default, when forwarding such "risky" requests, Squid opens a new +# connection to the server or cache_peer, even if there is an idle persistent +# connection available. When Squid is configured to risk sending a non-retriable +# request on a previously used persistent connection, and the server closes +# the connection before seeing that risky request, the user gets an error response +# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway) +# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail. +# +# If an allow rule matches, Squid reuses an available idle persistent connection +# (if any) for the request that Squid cannot retry. If a deny rule matches, then +# Squid opens a new connection for the request that Squid cannot retry. +# +# This option does not affect requests that Squid can retry. They will reuse idle +# persistent connections (if any). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+#
+# Example:
+# acl SpeedIsWorthTheRisk method POST
+# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
+#Default:
+# Open new connections for forwarding requests Squid cannot retry safely.
+
diff --git a/roles/squid/files/squid.s-proxy.conf.old b/roles/squid/files/squid.s-proxy.conf.old
new file mode 100644
index 0000000..b9e46ab
--- /dev/null
+++ b/roles/squid/files/squid.s-proxy.conf.old
@@ -0,0 +1,7656 @@
+# WELCOME TO SQUID 3.4.8
+# ----------------------------
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
+#
+
+# Configuration options can be included using the "include" directive.
+# Include takes a list of files to include. Quoting and wildcards are
+# supported.
+#
+# For example,
+#
+# include /path/to/included/file/squid.acl.config
+#
+# Includes can be nested up to a hard-coded depth of 16 levels.
+# This arbitrary restriction is to prevent recursive include references
+# from causing Squid entering an infinite loop whilst trying to load
+# configuration files.
+#
+# Values with byte units
+#
+# Squid accepts size units on some size related directives. All
+# such directives are documented with a default value displaying
+# a unit.
+#
+# Units accepted by Squid are:
+# bytes - byte
+# KB - Kilobyte (1024 bytes)
+# MB - Megabyte
+# GB - Gigabyte
+#
+# Values with spaces, quotes, and other special characters
+#
+# Squid supports directive parameters with spaces, quotes, and other
+# special characters. Surround such parameters with "double quotes". Use
+# the configuration_includes_quoted_values directive to enable or
+# disable that support.
+#
+# For example;
+#
+# configuration_includes_quoted_values on
+# acl group external groupCheck Administrators "Internet Users" Guest
+# configuration_includes_quoted_values off
+#
+#
+# Conditional configuration
+#
+# If-statements can be used to make configuration directives
+# depend on conditions:
+#
+# if
+# ... regular configuration directives ...
+# [else
+# ... regular configuration directives ...]
+# endif
+#
+# The else part is optional. The keywords "if", "else", and "endif"
+# must be typed on their own lines, as if they were regular
+# configuration directives.
+#
+# NOTE: An else-if condition is not supported.
+#
+# These individual conditions types are supported:
+#
+# true
+# Always evaluates to true.
+# false
+# Always evaluates to false.
+# =
+# Equality comparison of two integer numbers.
+#
+#
+# SMP-Related Macros
+#
+# The following SMP-related preprocessor macros can be used.
+#
+# ${process_name} expands to the current Squid process "name"
+# (e.g., squid1, squid2, or cache1).
+#
+# ${process_number} expands to the current Squid process
+# identifier, which is an integer number (e.g., 1, 2, 3) unique
+# across all Squid processes.
+
+# TAG: broken_vary_encoding
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_vary
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: collapsed_forwarding
+# This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495
+#Default:
+# none
+
+# TAG: error_map
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: external_refresh_check
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: location_rewrite_program
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: refresh_stale_hit
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: ignore_ims_on_miss
+# Remove this line.
The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
+#Default:
+# none
+
+# TAG: ignore_expect_100
+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
+#Default:
+# none
+
+# TAG: dns_v4_fallback
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+#Default:
+# none
+
+# TAG: ftp_list_width
+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
+#Default:
+# none
+
+# TAG: maximum_single_addr_tries
+# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
+#Default:
+# none
+
+# TAG: update_headers
+# Remove this line. The feature is supported by default in storage types where update is implemented.
+#Default:
+# none
+
+# TAG: url_rewrite_concurrency
+# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
+#Default:
+# none
+
+# TAG: dns_testnames
+# Remove this line. DNS is no longer tested on startup.
+#Default:
+# none
+
+# TAG: extension_methods
+# Remove this line. All valid methods for HTTP are accepted by default.
+#Default:
+# none
+
+# TAG: zero_buffers
+#Default:
+# none
+
+# TAG: incoming_rate
+#Default:
+# none
+
+# TAG: server_http11
+# Remove this line. HTTP/1.1 is supported by default.
+#Default:
+# none
+
+# TAG: upgrade_http0.9
+# Remove this line. ICY/1.0 streaming protocol is supported by default.
+#Default:
+# none
+
+# TAG: zph_local
+# Alter these entries. Use the qos_flows directive instead.
+#Default:
+# none
+
+# TAG: header_access
+# Since squid-3.0 replace with request_header_access or reply_header_access
+# depending on whether you wish to match client requests or server replies.
+#Default:
+# none
+
+# TAG: httpd_accel_no_pmtu_disc
+# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
+#Default:
+# none
+
+# TAG: wais_relay_host
+# Replace this line with 'cache_peer' configuration.
+#Default:
+# none
+
+# TAG: wais_relay_port
+# Replace this line with 'cache_peer' configuration.
+#Default:
+# none
+
+# OPTIONS FOR AUTHENTICATION
+# -----------------------------------------------------------------------------
+
+# TAG: auth_param
+# This is used to define parameters for the various authentication
+# schemes supported by Squid.
+#
+# format: auth_param scheme parameter [setting]
+#
+# The order in which authentication schemes are presented to the client is
+# dependent on the order the scheme first appears in config file. IE
+# has a bug (it's not RFC 2617 compliant) in that it will use the basic
+# scheme if basic is the first entry presented, even if more secure
+# schemes are presented. For now use the order in the recommended
+# settings section below. If other browsers have difficulties (don't
+# recognize the schemes offered even if you are using basic) either
+# put basic first, or disable the other schemes (by commenting out their
+# program entry).
+#
+# Once an authentication scheme is fully configured, it can only be
+# shutdown by shutting squid down and restarting. Changes can be made on
+# the fly and activated with a reconfigure. I.E. You can change to a
+# different helper, but not unconfigure the helper completely.
+#
+# Please note that while this directive defines how Squid processes
+# authentication it does not automatically activate authentication.
+# To use authentication you must in addition make use of ACLs based
+# on login name in http_access (proxy_auth, proxy_auth_regex or
+# external with %LOGIN used in the format tag). The browser will be
+# challenged for authentication on the first such acl encountered
+# in http_access processing and will also be re-challenged for new
+# login credentials if the request is being denied by a proxy_auth
+# type acl.
+#
+# WARNING: authentication can't be used in a transparently intercepting
+# proxy as the client then thinks it is talking to an origin server and
+# not the proxy.
This is a limitation of bending the TCP/IP protocol to
+# transparently intercepting port 80, not a limitation in Squid.
+# Ports flagged 'transparent', 'intercept', or 'tproxy' have
+# authentication disabled.
+#
+# === Parameters for the basic scheme follow. ===
+#
+# "program" cmdline
+# Specify the command for the external authenticator. Such a program
+# reads a line containing "username password" and replies with one of
+# three results:
+#
+# OK
+# the user exists.
+#
+# ERR
+# the user does not exist.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# "ERR" and "BH" results may optionally be followed by message="..."
+# containing a description available as %m in the returned error page.
+#
+# If you use an authenticator, make sure you have 1 acl of type
+# proxy_auth.
+#
+# By default, the basic authentication scheme is not used unless a
+# program is specified.
+#
+# If you want to use the traditional NCSA proxy authentication, set
+# this line to something like
+#
+# auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
+#
+# "utf8" on|off
+# HTTP uses iso-latin-1 as character set, while some authentication
+# backends such as LDAP expects UTF-8. If this is set to on Squid will
+# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
+# username & password to the helper.
+#
+# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
+# The maximum number of authenticator processes to spawn. If you start too few
+# Squid will have to wait for them to process a backlog of credential
+# verifications, slowing it down. When password verifications are
+# done via a (slow) network you are likely to need lots of
+# authenticator processes.
+#
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# The concurrency= option sets the number of concurrent requests the
+# helper can process. The default of 0 is used for helpers who only
+# supports one request at a time. Setting this to a number greater than
+# 0 changes the protocol used to include a channel number first on the
+# request/response line, allowing multiple requests to be sent to the
+# same helper in parallel without waiting for the response.
+# Must not be set unless it's known the helper supports this.
+#
+# auth_param basic children 20 startup=0 idle=1
+#
+# "realm" realmstring
+# Specifies the realm name which is to be reported to the
+# client for the basic proxy authentication scheme (part of
+# the text the user will see when prompted their username and
+# password). There is no default.
+# auth_param basic realm Squid proxy-caching web server
+#
+# "credentialsttl" timetolive
+# Specifies how long squid assumes an externally validated
+# username:password pair is valid for - in other words how
+# often the helper program is called for that user. Set this
+# low to force revalidation with short lived passwords. Note
+# setting this high does not impact your susceptibility
+# to replay attacks unless you are using an one-time password
+# system (such as SecureID). If you are using such a system,
+# you will be vulnerable to replay attacks unless you also
+# use the max_user_ip ACL in an http_access rule.
+#
+# "casesensitive" on|off
+# Specifies if usernames are case sensitive. Most user databases are
+# case insensitive allowing the same username to be spelled using both
+# lower and upper case letters, but some are case sensitive. This
+# makes a big difference for user_max_ip ACL processing and similar.
+# auth_param basic casesensitive off
+#
+# === Parameters for the digest scheme follow ===
+#
+# "program" cmdline
+# Specify the command for the external authenticator. Such
+# a program reads a line containing "username":"realm" and
+# replies with one of three results:
+#
+# OK ha1="..."
+# the user exists. The ha1= key is mandatory and
+# contains the appropriate H(A1) value, hex encoded.
+# See rfc 2616 for the definition of H(A1).
+#
+# ERR
+# the user does not exist.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# "ERR" and "BH" results may optionally be followed by message="..."
+# containing a description available as %m in the returned error page.
+#
+# By default, the digest authentication scheme is not used unless a
+# program is specified.
+#
+# If you want to use a digest authenticator, set this line to
+# something like
+#
+# auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
+#
+# "utf8" on|off
+# HTTP uses iso-latin-1 as character set, while some authentication
+# backends such as LDAP expects UTF-8. If this is set to on Squid will
+# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
+# username & password to the helper.
+#
+# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
+# The maximum number of authenticator processes to spawn (default 5).
+# If you start too few Squid will have to wait for them to
+# process a backlog of H(A1) calculations, slowing it down.
+# When the H(A1) calculations are done via a (slow) network
+# you are likely to need lots of authenticator processes.
+#
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# The concurrency= option sets the number of concurrent requests the
+# helper can process. The default of 0 is used for helpers who only
+# supports one request at a time. Setting this to a number greater than
+# 0 changes the protocol used to include a channel number first on the
+# request/response line, allowing multiple requests to be sent to the
+# same helper in parallel without waiting for the response.
+# Must not be set unless it's known the helper supports this.
+#
+# auth_param digest children 20 startup=0 idle=1
+#
+# "realm" realmstring
+# Specifies the realm name which is to be reported to the
+# client for the digest proxy authentication scheme (part of
+# the text the user will see when prompted their username and
+# password). There is no default.
+# auth_param digest realm Squid proxy-caching web server
+#
+# "nonce_garbage_interval" timeinterval
+# Specifies the interval that nonces that have been issued
+# to client_agent's are checked for validity.
+#
+# "nonce_max_duration" timeinterval
+# Specifies the maximum length of time a given nonce will be
+# valid for.
+#
+# "nonce_max_count" number
+# Specifies the maximum number of times a given nonce can be
+# used.
+#
+# "nonce_strictness" on|off
+# Determines if squid requires strict increment-by-1 behavior
+# for nonce counts, or just incrementing (off - for use when
+# user agents generate nonce counts that occasionally miss 1
+# (ie, 1,2,4,6)). Default off.
+#
+# "check_nonce_count" on|off
+# This directive if set to off can disable the nonce count check
+# completely to work around buggy digest qop implementations in
+# certain mainstream browser versions. Default on to check the
+# nonce count to protect from authentication replay attacks.
+#
+# "post_workaround" on|off
+# This is a workaround to certain buggy browsers who sends
+# an incorrect request digest in POST requests when reusing
+# the same nonce as acquired earlier on a GET request.
+#
+# === NTLM scheme options follow ===
+#
+# "program" cmdline
+# Specify the command for the external NTLM authenticator.
+# Such a program reads exchanged NTLMSSP packets with
+# the browser via Squid until authentication is completed.
+# If you use an NTLM authenticator, make sure you have 1 acl
+# of type proxy_auth. By default, the NTLM authenticator program
+# is not used.
+#
+# NOTE: In Debian the ntlm_auth program is distributed in the winbindd package
+# which is required for this auth scheme to work
+#
+# auth_param ntlm program /usr/bin/ntlm_auth
+#
+# "children" numberofchildren [startup=N] [idle=N]
+# The maximum number of authenticator processes to spawn (default 5).
+# If you start too few Squid will have to wait for them to
+# process a backlog of credential verifications, slowing it
+# down. When credential verifications are done via a (slow)
+# network you are likely to need lots of authenticator
+# processes.
+#
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# auth_param ntlm children 20 startup=0 idle=1
+#
+# "keep_alive" on|off
+# If you experience problems with PUT/POST requests when using the
+# Negotiate authentication scheme then you can try setting this to
+# off. This will cause Squid to forcibly close the connection on
+# the initial requests where the browser asks which schemes are
+# supported by the proxy.
+#
+# auth_param ntlm keep_alive on
+#
+# === Options for configuring the NEGOTIATE auth-scheme follow ===
+#
+# "program" cmdline
+# Specify the command for the external Negotiate authenticator.
+# This protocol is used in Microsoft Active-Directory enabled setups with
+# the Microsoft Internet Explorer or Mozilla Firefox browsers.
+# Its main purpose is to exchange credentials with the Squid proxy
+# using the Kerberos mechanisms.
+# If you use a Negotiate authenticator, make sure you have at least
+# one acl of type proxy_auth active. By default, the negotiate
+# authenticator program is not used.
+# The only supported program for this role is the ntlm_auth
+# program distributed as part of Samba, version 4 or later.
+#
+# NOTE: In Debian the ntlm_auth program is distributed in the winbindd package
+# which is required for this auth scheme to work
+#
+# auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
+#
+# "children" numberofchildren [startup=N] [idle=N]
+# The maximum number of authenticator processes to spawn (default 5).
+# If you start too few Squid will have to wait for them to
+# process a backlog of credential verifications, slowing it
+# down. When credential verifications are done via a (slow)
+# network you are likely to need lots of authenticator
+# processes.
+#
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# auth_param negotiate children 20 startup=0 idle=1
+#
+# "keep_alive" on|off
+# If you experience problems with PUT/POST requests when using the
+# Negotiate authentication scheme then you can try setting this to
+# off. This will cause Squid to forcibly close the connection on
+# the initial requests where the browser asks which schemes are
+# supported by the proxy.
+#
+# auth_param negotiate keep_alive on
+#
+#
+# Examples:
+#
+##Recommended minimum configuration per scheme:
+##auth_param negotiate program
+##auth_param negotiate children 20 startup=0 idle=1
+##auth_param negotiate keep_alive on
+##
+##auth_param ntlm program
+##auth_param ntlm children 20 startup=0 idle=1
+##auth_param ntlm keep_alive on
+##
+##auth_param digest program
+##auth_param digest children 20 startup=0 idle=1
+##auth_param digest realm Squid proxy-caching web server
+##auth_param digest nonce_garbage_interval 5 minutes
+##auth_param digest nonce_max_duration 30 minutes
+##auth_param digest nonce_max_count 50
+##
+##auth_param basic program
+##auth_param basic children 5 startup=5 idle=1
+##auth_param basic realm Squid proxy-caching web server
+##auth_param basic credentialsttl 2 hours
+#Default:
+# none
+
+# TAG: authenticate_cache_garbage_interval
+# The time period between garbage collection across the username cache.
+# This is a trade-off between memory utilization (long intervals - say
+# 2 days) and CPU (short intervals - say 1 minute). Only change if you
+# have good reason to.
+#Default:
+# authenticate_cache_garbage_interval 1 hour
+
+# TAG: authenticate_ttl
+# The time a user & their credentials stay in the logged in
+# user cache since their last request. When the garbage
+# interval passes, all user credentials that have passed their
+# TTL are removed from memory.
+#Default:
+# authenticate_ttl 1 hour
+
+# TAG: authenticate_ip_ttl
+# If you use proxy authentication and the 'max_user_ip' ACL,
+# this directive controls how long Squid remembers the IP
+# addresses associated with each user. Use a small value
+# (e.g., 60 seconds) if your users might change addresses
+# quickly, as is the case with dialup. You might be safe
+# using a larger value (e.g., 2 hours) in a corporate LAN
+# environment with relatively static address assignments.
+#Default:
+# authenticate_ip_ttl 1 second
+
+# ACCESS CONTROLS
+# -----------------------------------------------------------------------------
+
+# TAG: external_acl_type
+# This option defines external acl classes using a helper program
+# to look up the status
+#
+# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
+#
+# Options:
+#
+# ttl=n TTL in seconds for cached results (defaults to 3600
+# for 1 hour)
+# negative_ttl=n
+# TTL for cached negative lookups (default same
+# as ttl)
+# children-max=n
+# Maximum number of acl helper processes spawned to service
+# external acl lookups of this type. (default 20)
+# children-startup=n
+# Minimum number of acl helper processes to spawn during
+# startup and reconfigure to service external acl lookups
+# of this type. (default 0)
+# children-idle=n
+# Number of acl helper processes to keep ahead of traffic
+# loads. Squid will spawn this many at once whenever load
+# rises above the capabilities of existing processes.
+# Up to the value of children-max. (default 1)
+# concurrency=n concurrency level per process. Only used with helpers
+# capable of processing more than one query at a time.
+# cache=n limit the result cache size, default is 262144.
+# grace=n Percentage remaining of TTL where a refresh of a
+# cached entry should be initiated without needing to
+# wait for a new reply. (default is for no grace period)
+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
+#
+# FORMAT specifications
+#
+# %LOGIN Authenticated user login name
+# %EXT_USER Username from previous external acl
+# %EXT_LOG Log details from previous external acl
+# %EXT_TAG Tag from previous external acl
+# %IDENT Ident user name
+# %SRC Client IP
+# %SRCPORT Client source port
+# %URI Requested URI
+# %DST Requested host
+# %PROTO Requested protocol
+# %PORT Requested port
+# %PATH Requested URL path
+# %METHOD Request method
+# %MYADDR Squid interface address
+# %MYPORT Squid http_port number
+# %PATH Requested URL-path (including query-string if any)
+# %USER_CERT SSL User certificate in PEM format
+# %USER_CERTCHAIN SSL User certificate chain in PEM format
+# %USER_CERT_xx SSL User certificate subject attribute xx
+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
+#
+# %>{Header} HTTP request header "Header"
+# %>{Hdr:member}
+# HTTP request header "Hdr" list member "member"
+# %>{Hdr:;member}
+# HTTP request header list member using ; as
+# list separator. ; can be any non-alphanumeric
+# character.
+#
+# %<{Header} HTTP reply header "Header"
+# %<{Hdr:member}
+# HTTP reply header "Hdr" list member "member"
+# %<{Hdr:;member}
+# HTTP reply header list member using ; as
+# list separator. ; can be any non-alphanumeric
+# character.
+#
+# %ACL The name of the ACL being tested.
+# %DATA The ACL arguments. If not used then any arguments
+# is automatically added at the end of the line
+# sent to the helper.
+# NOTE: this will encode the arguments as one token,
+# whereas the default will pass each separately.
+#
+# %% The percent sign. Useful for helpers which need
+# an unchanging input format.
+#
+#
+# General request syntax:
+#
+# [channel-ID] FORMAT-values [acl-values ...]
+#
+#
+# FORMAT-values consists of transaction details expanded with
+# whitespace separation per the config file FORMAT specification
+# using the FORMAT macros listed above.
+#
+# acl-values consists of any string specified in the referencing
+# config 'acl ...
external' line. see the "acl external" directive.
+#
+# Request values sent to the helper are URL escaped to protect
+# each value in requests against whitespaces.
+#
+# If using protocol=2.5 then the request sent to the helper is not
+# URL escaped to protect against whitespace.
+#
+# NOTE: protocol=3.0 is deprecated as no longer necessary.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+#
+# The helper receives lines expanded per the above format specification
+# and for each input line returns 1 line starting with OK/ERR/BH result
+# code and optionally followed by additional keywords with more details.
+#
+#
+# General result syntax:
+#
+# [channel-ID] result keyword=value ...
+#
+# Result consists of one of the codes:
+#
+# OK
+# the ACL test produced a match.
+#
+# ERR
+# the ACL test does not produce a match.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# The meaning of 'a match' is determined by your squid.conf
+# access control configuration. See the Squid wiki for details.
+#
+# Defined keywords:
+#
+# user= The users name (login)
+#
+# password= The users password (for login= cache_peer option)
+#
+# message= Message describing the reason for this response.
+# Available as %o in error pages.
+# Useful on (ERR and BH results).
+#
+# tag= Apply a tag to a request. Only sets a tag once,
+# does not alter existing tags.
+#
+# log= String to be logged in access.log. Available as
+# %ea in logformat specifications.
+#
+# Any keywords may be sent on any response whether OK, ERR or BH.
+#
+# All response keyword values need to be a single token with URL
+# escaping, or enclosed in double quotes (") and escaped using \ on
+# any double quotes or \ characters within the value. The wrapping
+# double quotes are removed before the value is interpreted by Squid.
+# \r and \n are also replace by CR and LF.
+#
+# Some example key values:
+#
+# user=John%20Smith
+# user="John Smith"
+# user="J. \"Bob\" Smith"
+#Default:
+# none
+
+# TAG: acl
+# Defining an Access List
+#
+# Every access list definition must begin with an aclname and acltype,
+# followed by either type-specific arguments or a quoted filename that
+# they are read from.
+#
+# acl aclname acltype argument ...
+# acl aclname acltype "file" ...
+#
+# When using "file", the file should contain one item per line.
+#
+# Some acl types supports options which changes their default behaviour.
+# The available options are:
+#
+# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
+# case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line
+# without -i.
+#
+# -n Disable lookups and address type conversions. If lookup or
+# conversion is required because the parameter type (IP or
+# domain name) does not match the message address type (domain
+# name or IP), then the ACL would immediately declare a mismatch
+# without any warnings or lookups.
+#
+# -- Used to stop processing all options, in the case the first acl
+# value has '-' character as first character (for example the '-'
+# is a valid domain name)
+#
+# Some acl types require suspending the current request in order
+# to access some external data source.
+# Those which do are marked with the tag [slow], those which
+# don't are marked as [fast].
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
+# for further information
+#
+# ***** ACL TYPES AVAILABLE *****
+#
+# acl aclname src ip-address/mask ...
# clients IP address [fast]
+# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
+# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
+#
+# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
+# # The arp ACL requires the special configure option --enable-arp-acl.
+# # Furthermore, the ARP ACL code is not portable to all operating systems.
+# # It works on Linux, Solaris, Windows, FreeBSD, and some
+# # other *BSD variants.
+# # [fast]
+# #
+# # NOTE: Squid can only determine the MAC address for clients that are on
+# # the same subnet. If the client is on a different subnet,
+# # then Squid cannot find out its MAC address.
+#
+# acl aclname srcdomain .foo.com ...
+# # reverse lookup, from client IP [slow]
+# acl aclname dstdomain [-n] .foo.com ...
+# # Destination server from URL [fast]
+# acl aclname srcdom_regex [-i] \.foo\.com ...
+# # regex matching client name [slow]
+# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
+# # regex matching server [fast]
+# #
+# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+# # based URL is used and no match is found. The name "none" is used
+# # if the reverse lookup fails.
+#
+# acl aclname src_as number ...
+# acl aclname dst_as number ...
+# # [fast]
+# # Except for access control, AS numbers can be used for
+# # routing of requests to specific caches. Here's an
+# # example for routing all requests for AS#1241 and only
+# # those to mycache.mydomain.net:
+# # acl asexample dst_as 1241
+# # cache_peer_access mycache.mydomain.net allow asexample
+# # cache_peer_access mycache_mydomain.net deny all
+#
+# acl aclname peername myPeer ...
+# # [fast]
+# # match against a named cache_peer entry
+# # set unique name= on cache_peer lines for reliable use.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# # [fast]
+# # day-abbrevs:
+# # S - Sunday
+# # M - Monday
+# # T - Tuesday
+# # W - Wednesday
+# # H - Thursday
+# # F - Friday
+# # A - Saturday
+# # h1:m1 must be less than h2:m2
+#
+# acl aclname url_regex [-i] ^http:// ...
+# # regex matching on whole URL [fast]
+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+# # regex matching on URL login field
+# acl aclname urlpath_regex [-i] \.gif$ ...
+# # regex matching on URL path [fast]
+#
+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
+# # ranges are alloed
+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
+# # NP: for interception mode this is usually '80'
+#
+# acl aclname myportname 3128 ... # http(s)_port name [fast]
+#
+# acl aclname proto HTTP FTP ... # request protocol [fast]
+#
+# acl aclname method GET POST ... # HTTP request method [fast]
+#
+# acl aclname http_status 200 301 500- 400-403 ...
+# # status code in reply [fast]
+#
+# acl aclname browser [-i] regexp ...
+# # pattern match on User-Agent header (see also req_header below) [fast]
+#
+# acl aclname referer_regex [-i] regexp ...
+# # pattern match on Referer header [fast]
+# # Referer is highly unreliable, so use with care
+#
+# acl aclname ident username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output [slow]
+# # use REQUIRED to accept any non-null ident.
+#
+# acl aclname proxy_auth [-i] username ...
+# acl aclname proxy_auth_regex [-i] pattern ...
+# # perform http authentication challenge to the client and match against
+# # supplied credentials [slow]
+# #
+# # takes a list of allowed usernames.
+# # use REQUIRED to accept any valid username.
+# #
+# # Will use proxy authentication in forward-proxy scenarios, and plain
+# # http authenticaiton in reverse-proxy scenarios
+# #
+# # NOTE: when a Proxy-Authentication header is sent but it is not
+# # needed during ACL checking the username is NOT logged
+# # in access.log.
+# #
+# # NOTE: proxy_auth requires a EXTERNAL authentication program
+# # to check username/password combinations (see
+# # auth_param directive).
+# #
+# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
+# # as the browser needs to be configured for using a proxy in order
+# # to respond to proxy authentication.
+#
+# acl aclname snmp_community string ...
+# # A community string to limit access to your SNMP Agent [fast]
+# # Example:
+# #
+# # acl snmppublic snmp_community public
+#
+# acl aclname maxconn number
+# # This will be matched when the client's IP address has
+# # more than TCP connections established. [fast]
+# # NOTE: This only measures direct TCP links so X-Forwarded-For
+# # indirect clients are not counted.
+#
+# acl aclname max_user_ip [-s] number
+# # This will be matched when the user attempts to log in from more
+# # than different ip addresses. The authenticate_ip_ttl
+# # parameter controls the timeout on the ip entries. [fast]
+# # If -s is specified the limit is strict, denying browsing
+# # from any further IP addresses until the ttl has expired. Without
+# # -s Squid will just annoy the user by "randomly" denying requests.
+# # (the counter is reset each time the limit is reached and a
+# # request is denied)
+# # NOTE: in acceleration mode or where there is mesh of child proxies,
+# # clients may appear to come from multiple addresses if they are
+# # going through proxy farms, so a limit of 1 may cause user problems.
+#
+# acl aclname random probability
+# # Pseudo-randomly match requests. Based on the probability given.
+# # Probability may be written as a decimal (0.333), fraction (1/3)
+# # or ratio of matches:non-matches (3:5).
+#
+# acl aclname req_mime_type [-i] mime-type ...
+# # regex match against the mime type of the request generated
+# # by the client. Can be used to detect file upload or some
+# # types HTTP tunneling requests [fast]
+# # NOTE: This does NOT match the reply. You cannot use this
+# # to match the returned file type.
+#
+# acl aclname req_header header-name [-i] any\.regex\.here
+# # regex match against any of the known request headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACL [fast]
+#
+# acl aclname rep_mime_type [-i] mime-type ...
+# # regex match against the mime type of the reply received by
+# # squid. Can be used to detect file download or some
+# # types HTTP tunneling requests. [fast]
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname rep_header header-name [-i] any\.regex\.here
+# # regex match against any of the known reply headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACLs [fast]
+#
+# acl aclname external class_name [arguments...]
+# # external ACL lookup via a helper class defined by the
+# # external_acl_type directive [slow]
+#
+# acl aclname user_cert attribute values...
+# # match against attributes in a user SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST [fast]
+#
+# acl aclname ca_cert attribute values...
+# # match against attributes a users issuing CA SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST [fast]
+#
+# acl aclname ext_user username ...
+# acl aclname ext_user_regex [-i] pattern ...
+# # string match on username returned by external acl helper [slow]
+# # use REQUIRED to accept any non-null user name.
+#
+# acl aclname tag tagvalue ...
+# # string match on tag returned by external acl helper [slow]
+#
+# acl aclname hier_code codename ...
+# # string match against squid hierarchy code(s); [fast]
+# # e.g., DIRECT, PARENT_HIT, NONE, etc.
+# #
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname note name [value ...]
+# # match transaction annotation [fast]
+# # Without values, matches any annotation with a given name.
+# # With value(s), matches any annotation with a given name that
+# # also has one of the given values.
+# # Names and values are compared using a string equality test.
+# # Annotation sources include note and adaptation_meta directives
+# # as well as helper and eCAP responses.
+#
+# acl aclname any-of acl1 acl2 ...
+# # match any one of the acls [fast or slow]
+# # The first matching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple any-of lines with the same name are ORed.
+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
+# # acl A any-of a1 a2
+# # acl A any-of a3 a4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# acl aclname all-of acl1 acl2 ...
+# # match all of the acls [fast or slow]
+# # The first mismatching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple all-of lines with the same name are ORed.
+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
+# # acl B all-of b1 b2
+# # acl B all-of b3 b4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# Examples:
+# acl macaddress arp 09:00:2b:23:45:67
+# acl myexample dst_as 1241
+# acl password proxy_auth REQUIRED
+# acl fileupload req_mime_type -i ^multipart/form-data$
+# acl javascript rep_mime_type -i ^application/x-javascript$
+#
+#Default:
+# ACLs all, manager, localhost, and to_localhost are predefined.
+#
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.64.0/24 # RFC1918 possible internal network
+#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+#acl localnet src fc00::/7 # RFC 4193 local private network range
+#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+# TAG: follow_x_forwarded_for
+# Allowing or Denying the X-Forwarded-For header to be followed to
+# find the original source of a request.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The X-Forwarded-For header will contain a
+# comma-separated list of the IP addresses in the chain, with the
+# rightmost address being the most recent.
+#
+# If a request reaches us from a source that is allowed by this
+# configuration item, then we consult the X-Forwarded-For header
+# to see where that host received the request from. If the
+# X-Forwarded-For header contains multiple addresses, we continue
+# backtracking until we reach an address for which we are not allowed
+# to follow the X-Forwarded-For header, or until we reach the first
+# address in the list. For the purpose of ACL used in the
+# follow_x_forwarded_for directive the src ACL type always matches
+# the address we are testing and srcdomain matches its rDNS.
+#
+# The end result of this process is an IP address that we will
+# refer to as the indirect client address. This address may
+# be treated as the client address for access control, ICAP, delay
+# pools and logging, depending on the acl_uses_indirect_client,
+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
+# log_uses_indirect_client and tproxy_uses_indirect_client options.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host for which we follow the X-Forwarded-For header
+# can place incorrect information in the header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# For example:
+#
+# acl localhost src 127.0.0.1
+# acl my_other_proxy srcdomain .proxy.example.com
+# follow_x_forwarded_for allow localhost
+# follow_x_forwarded_for allow my_other_proxy
+#Default:
+# X-Forwarded-For header will be ignored.
+
+# TAG: acl_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in acl matching.
+#
+# NOTE: maxconn ACL considers direct TCP links and indirect
+# clients will always have zero. So no match.
+#Default:
+# acl_uses_indirect_client on
+
+# TAG: delay_pool_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in delay pools.
+#Default:
+# delay_pool_uses_indirect_client on
+
+# TAG: log_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in the access log.
+#Default:
+# log_uses_indirect_client on
+
+# TAG: tproxy_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address when spoofing the outgoing client.
+#
+# This has no effect on requests arriving in non-tproxy
+# mode ports.
+#
+# SECURITY WARNING: Usage of this option is dangerous
+# and should not be used trivially. Correct configuration
+# of follow_x_forewarded_for with a limited set of trusted
+# sources is required to prevent abuse of your proxy.
+#Default:
+# tproxy_uses_indirect_client off
+
+# TAG: spoof_client_ip
+# Control client IP address spoofing of TPROXY traffic based on
+# defined access lists.
+#
+# spoof_client_ip allow|deny [!]aclname ...
+#
+# If there are no "spoof_client_ip" lines present, the default
+# is to "allow" spoofing of any suitable request.
+#
+# Note that the cache_peer "no-tproxy" option overrides this ACL.
+#
+# This clause supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow spoofing on all TPROXY traffic.
+
+# TAG: http_access
+# Allowing or Denying access based on defined access lists
+#
+# Access to the HTTP port:
+# http_access allow|deny [!]aclname ...
+#
+# NOTE on default values:
+#
+# If there are no "access" lines present, the default is to deny
+# the request.
+#
+# If none of the "access" lines cause a match, the default is the
+# opposite of the last line in the list. If the last line was
+# deny, the default is allow. Conversely, if the last line
+# is allow, the default will be deny. For these reasons, it is a
+# good idea to have an "deny all" entry at the end of your access
+# lists to avoid potential confusion.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# Deny, unless rules exist in squid.conf.
+#
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localnet
+http_access deny all
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# TAG: adapted_http_access
+# Allowing or Denying access based on defined access lists
+#
+# Essentially identical to http_access, but runs after redirectors
+# and ICAP/eCAP adaptation. Allowing access control based on their
+# output.
+#
+# If not set then only http_access is used.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: http_reply_access
+# Allow replies to client requests. This is complementary to http_access.
+#
+# http_reply_access allow|deny [!] aclname ...
+#
+# NOTE: if there are no access lines present, the default is to allow
+# all replies.
+#
+# If none of the access lines cause a match the opposite of the
+# last line will apply. Thus it is good practice to end the rules
+# with an "allow all" or "deny all" entry.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: icp_access
+# Allowing or Denying access to the ICP port based on defined
+# access lists
+#
+# icp_access allow|deny [!]aclname ...
+#
+# NOTE: The default if no icp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using ICP.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow ICP queries from local networks only
+##icp_access allow localnet
+##icp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_access
+# Allowing or Denying access to the HTCP port based on defined
+# access lists
+#
+# htcp_access allow|deny [!]aclname ...
+#
+# See also htcp_clr_access for details on access control for
+# cache purge (CLR) HTCP messages.
+#
+# NOTE: The default if no htcp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using the htcp option.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP queries from local networks only
+##htcp_access allow localnet
+##htcp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_clr_access
+# Allowing or Denying access to purge content using HTCP based
+# on defined access lists.
+# See htcp_access for details on general HTCP access control.
+#
+# htcp_clr_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP CLR requests from trusted peers
+#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
+#htcp_clr_access allow htcp_clr_peer
+#htcp_clr_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: miss_access
+# Determins whether network access is permitted when satisfying a request.
+#
+# For example;
+# to force your neighbors to use you as a sibling instead of
+# a parent.
+#
+# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
+# miss_access deny !localclients
+# miss_access allow all
+#
+# This means only your local clients are allowed to fetch relayed/MISS
+# replies from the network and all other clients can only fetch cached
+# objects (HITs).
+#
+# The default for this setting allows all clients who passed the
+# http_access rules to relay via this proxy.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: ident_lookup_access
+# A list of ACL elements which, if matched, cause an ident
+# (RFC 931) lookup to be performed for this request. For
+# example, you might choose to always perform ident lookups
+# for your main multi-user Unix boxes, but not for your Macs
+# and PCs. By default, ident lookups are not performed for
+# any requests.
+#
+# To enable ident lookups for specific client addresses, you
+# can follow this example:
+#
+# acl ident_aware_hosts src 198.168.1.0/24
+# ident_lookup_access allow ident_aware_hosts
+# ident_lookup_access deny all
+#
+# Only src type ACL checks are fully supported. A srcdomain
+# ACL might work at times, but it will not always provide
+# the correct result.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Unless rules exist in squid.conf, IDENT is not fetched.
+
+# TAG: reply_body_max_size size [acl acl...]
+# This option specifies the maximum size of a reply body. It can be
+# used to prevent users from downloading very large files, such as
+# MP3's and movies. When the reply headers are received, the
+# reply_body_max_size lines are processed, and the first line where
+# all (if any) listed ACLs are true is used as the maximum body size
+# for this reply.
+#
+# This size is checked twice. First when we get the reply headers,
+# we check the content-length value. If the content length value exists
+# and is larger than the allowed size, the request is denied and the
+# user receives an error message that says "the request or reply
+# is too large." If there is no content-length, and the reply
+# size exceeds this limit, the client's connection is just closed
+# and they will receive a partial reply.
+#
+# WARNING: downstream caches probably can not detect a partial reply
+# if there is no content-length header, so they will cache
+# partial responses and give them out as hits. You should NOT
+# use this option if you have downstream caches.
+#
+# WARNING: A maximum size smaller than the size of squid's error messages
+# will cause an infinite loop and crash squid. Ensure that the smallest
+# non-zero value you use is greater that the maximum header size plus
+# the size of your largest error page.
+#
+# If you set this parameter none (the default), there will be
+# no limit imposed.
+#
+# Configuration Format is:
+# reply_body_max_size SIZE UNITS [acl ...]
+# ie.
+# reply_body_max_size 10 MB
+#
+#Default:
+# No limit is applied.
+
+# NETWORK OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: http_port
+# Usage: port [mode] [options]
+# hostname:port [mode] [options]
+# 1.2.3.4:port [mode] [options]
+#
+# The socket addresses where Squid will listen for HTTP client
+# requests. You may specify multiple socket addresses.
+# There are three forms: port alone, hostname with port, and
+# IP address with port. If you specify a hostname or IP
+# address, Squid binds the socket to that specific
+# address. Most likely, you do not need to bind to a specific
+# address, so you can use the port number alone.
+#
+# If you are running Squid in accelerator mode, you
+# probably want to listen on port 80 also, or instead.
+#
+# The -a command line option may be used to specify additional
+# port(s) where Squid listens for proxy request. Such ports will
+# be plain proxy ports with no options.
+#
+# You may specify multiple socket addresses on multiple lines.
+#
+# Modes:
+#
+# intercept Support for IP-Layer interception of
+# outgoing requests without browser settings.
+# NP: disables authentication and IPv6 on the port.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
+#
+# accel Accelerator / reverse proxy mode
+#
+# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
+# establish secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# The ssl_bump option is required to fully enable
+# bumping of CONNECT requests.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# Accelerator Mode Options:
+#
+# defaultsite=domainname
+# What to use for the Host: header if it is not present
+# in a request. Determines what site (not origin server)
+# accelerators should consider the default.
+#
+# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
+#
+# protocol= Protocol to reconstruct accelerated requests with.
+# Defaults to http for http_port and https for
+# https_port
+#
+# vport Virtual host port support. Using the http_port number
+# instead of the port passed on Host: headers.
+#
+# vport=NN Virtual host port support. Using the specified port
+# number instead of the port passed on Host: headers.
+#
+# act-as-origin
+# Act as if this Squid is the origin server.
+# This currently means generate new Date: and Expires:
+# headers on HIT instead of adding Age:.
+#
+# ignore-cc Ignore request Cache-Control headers.
+#
+# WARNING: This option violates HTTP specifications if
+# used in non-accelerator setups.
+#
+# allow-direct Allow direct forwarding in accelerator mode. Normally
+# accelerated requests are denied direct forwarding as if
+# never_direct was used.
+#
+# WARNING: this option opens accelerator mode to security
+# vulnerabilities usually only affecting in interception
+# mode. Make sure to protect forwarding with suitable
+# http_access rules when using this.
+#
+#
+# SSL Bump Mode Options:
+# In addition to these options ssl-bump requires TLS/SSL options.
+#
+# generate-host-certificates[=]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is a CA certificate lifetime of the generated
+# certificate equals lifetime of the CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when ssl-bump is used.
+# See the ssl-bump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB.
+#
+# TLS / SSL Options:
+#
+# cert= Path to SSL certificate (PEM format).
+#
+# key= Path to SSL private key file (PEM format)
+# if not specified, the certificate file is
+# assumed to be a combined certificate and
+# key file.
+#
+# version= The version of SSL/TLS supported
+# 1 automatic (default)
+# 2 SSLv2 only
+# 3 SSLv3 only
+# 4 TLSv1.0 only
+# 5 TLSv1.1 only
+# 6 TLSv1.2 only
+#
+# cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
+#
+# options= Various SSL implementation options. The most important
+# being:
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+# SINGLE_DH_USE Always create a new key when using
+# temporary/ephemeral DH key exchanges
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+# See OpenSSL SSL_CTX_set_options documentation for a
+# complete list of options.
+#
+# clientca= File containing the list of CAs to use when
+# requesting a client certificate.
+#
+# cafile= File containing additional CA certificates to
+# use when verifying client certificates. If unset
+# clientca will be used.
+#
+# capath= Directory containing additional CA certificates
+# and CRL lists to use when verifying client certificates.
+#
+# crlfile= File of additional CRL lists to use when verifying
+# the client certificate, in addition to CRLs stored in
+# the capath. Implies VERIFY_CRL flag below.
+#
+# dhparams= File containing DH parameters for temporary/ephemeral
+# DH key exchanges. See OpenSSL documentation for details
+# on how to create this file.
+# WARNING: EDH ciphers will be silently disabled if this
+# option is not set.
+#
+# sslflags= Various flags modifying the use of SSL:
+# DELAYED_AUTH
+# Don't request client certificates
+# immediately, but wait until acl processing
+# requires a certificate (not yet implemented).
+# NO_DEFAULT_CA
+# Don't use the default CA lists built in
+# to OpenSSL.
+# NO_SESSION_REUSE
+# Don't allow for session reuse. Each connection
+# will result in a new SSL session.
+# VERIFY_CRL
+# Verify CRL lists when accepting client
+# certificates.
+# VERIFY_CRL_ALL
+# Verify CRL lists for all certificates in the
+# client certificate chain.
+#
+# sslcontext= SSL session ID context identifier.
+#
+# Other Options:
+#
+# connection-auth[=on|off]
+# use connection-auth=off to tell Squid to prevent
+# forwarding Microsoft connection oriented authentication
+# (NTLM, Negotiate and Kerberos)
+#
+# disable-pmtu-discovery=
+# Control Path-MTU discovery usage:
+# off lets OS decide on what to do (default).
+# transparent disable PMTU discovery when transparent
+# support is enabled.
+# always disable always PMTU discovery.
+#
+# In many setups of transparently intercepting proxies
+# Path-MTU discovery can not work on traffic towards the
+# clients. This is the case when the intercepting device
+# does not fully track connections and fails to forward
+# ICMP must fragment messages to the cache server. If you
+# have such setup and experience that certain clients
+# sporadically hang or never complete requests set
+# disable-pmtu-discovery option to 'transparent'.
+#
+# name= Specifies a internal name for the port. Defaults to
+# the port specification (port or addr:port)
+#
+# tcpkeepalive[=idle,interval,timeout]
+# Enable TCP keepalive probes of idle connections.
+# In seconds; idle is the initial time before TCP starts
+# probing the connection, interval how often to probe, and
+# timeout the time before giving up.
+#
+# If you run Squid on a dual-homed machine with an internal
+# and an external interface we recommend you to specify the
+# internal address:port in http_port. This way Squid will only be
+# visible on the internal address.
+#
+#
+
+# Squid normally listens to port 3128
+#http_port 3128
+http_port 8080
+
+# TAG: https_port
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
+#
+# The socket address where Squid will listen for client requests made
+# over TLS or SSL connections. Commonly referred to as HTTPS.
+#
+# This is most useful for situations where you are running squid in
+# accelerator mode and you want to do the SSL work at the accelerator level.
+#
+# You may specify multiple socket addresses on multiple lines,
+# each with their own SSL certificate and/or options.
+#
+# Modes:
+#
+# accel Accelerator / reverse proxy mode
+#
+# intercept Support for IP-Layer interception of
+# outgoing requests without browser settings.
+# NP: disables authentication and IPv6 on the port.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
+#
+# ssl-bump For each intercepted connection allowed by ssl_bump
+# ACLs, establish a secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# An "ssl_bump server-first" match is required to
+# fully enable bumping of intercepted SSL connections.
+#
+# Requires tproxy or intercept.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# See http_port for a list of generic options
+#
+#
+# SSL Options:
+#
+# cert= Path to SSL certificate (PEM format).
+#
+# key= Path to SSL private key file (PEM format)
+# if not specified, the certificate file is
+# assumed to be a combined certificate and
+# key file.
+#
+# version= The version of SSL/TLS supported
+# 1 automatic (default)
+# 2 SSLv2 only
+# 3 SSLv3 only
+# 4 TLSv1 only
+#
+# cipher= Colon separated list of supported ciphers.
+#
+# options= Various SSL engine options. The most important
+# being:
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1
+# SINGLE_DH_USE Always create a new key when using
+# temporary/ephemeral DH key exchanges
+# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
+# documentation for a complete list of options.
+#
+# clientca= File containing the list of CAs to use when
+# requesting a client certificate.
+#
+# cafile= File containing additional CA certificates to
+# use when verifying client certificates. If unset
+# clientca will be used.
+#
+# capath= Directory containing additional CA certificates
+# and CRL lists to use when verifying client certificates.
+#
+# crlfile= File of additional CRL lists to use when verifying
+# the client certificate, in addition to CRLs stored in
+# the capath. Implies VERIFY_CRL flag below.
+#
+# dhparams= File containing DH parameters for temporary/ephemeral
+# DH key exchanges.
+#
+# sslflags= Various flags modifying the use of SSL:
+# DELAYED_AUTH
+# Don't request client certificates
+# immediately, but wait until acl processing
+# requires a certificate (not yet implemented).
+# NO_DEFAULT_CA
+# Don't use the default CA lists built in
+# to OpenSSL.
+# NO_SESSION_REUSE
+# Don't allow for session reuse. Each connection
+# will result in a new SSL session.
+# VERIFY_CRL
+# Verify CRL lists when accepting client
+# certificates.
+# VERIFY_CRL_ALL
+# Verify CRL lists for all certificates in the
+# client certificate chain.
+#
+# sslcontext= SSL session ID context identifier.
+#
+# generate-host-certificates[=]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped SSL requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is CA certificate life time of generated
+# certificate equals lifetime of CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when SslBump is used.
+# See the sslBump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB.
+#
+# See http_port for a list of available options.
+#Default:
+# none
+
+# TAG: tcp_outgoing_tos
+# Allows you to select a TOS/Diffserv value for packets outgoing
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_tos 0x00 normal_service_net
+# tcp_outgoing_tos 0x20 good_service_net
+#
+# TOS/DSCP values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has. Note that in
+# practice often only multiples of 4 is usable as the two rightmost bits
+# have been redefined for use by ECN (RFC 3168 section 23.1).
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#Default:
+# none
+
+# TAG: clientside_tos
+# Allows you to select a TOS/Diffserv value for packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_tos 0x00 normal_service_net
+# clientside_tos 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any TOS values set here
+# will be overwritten by TOS values in qos_flows.
+#Default:
+# none
+
+# TAG: tcp_outgoing_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to outgoing packets
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_mark 0x00 normal_service_net
+# tcp_outgoing_mark 0x20 good_service_net
+#Default:
+# none
+
+# TAG: clientside_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_mark 0x00 normal_service_net
+# clientside_mark 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any mark values set here
+# will be overwritten by mark values in qos_flows.
+#Default:
+# none
+
+# TAG: qos_flows
+# Allows you to select a TOS/DSCP value to mark outgoing
+# connections to the client, based on where the reply was sourced.
+# For platforms using netfilter, allows you to set a netfilter mark
+# value instead of, or in addition to, a TOS value.
+#
+# By default this functionality is disabled. To enable it with the default
+# settings simply use "qos_flows mark" or "qos_flows tos". Default
+# settings will result in the netfilter mark or TOS value being copied
+# from the upstream connection to the client. Note that it is the connection
+# CONNMARK value not the packet MARK value that is copied.
+#
+# It is not currently possible to copy the mark or TOS value from the
+# client to the upstream connection request.
+#
+# TOS values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
Note that
+# in practice often only multiples of 4 is usable as the two rightmost bits
+# have been redefined for use by ECN (RFC 3168 section 23.1).
+#
+# Mark values can be any unsigned 32-bit integer value.
+#
+# This setting is configured by setting the following values:
+#
+# tos|mark Whether to set TOS or netfilter mark values
+#
+# local-hit=0xFF Value to mark local cache hits.
+#
+# sibling-hit=0xFF Value to mark hits from sibling peers.
+#
+# parent-hit=0xFF Value to mark hits from parent peers.
+#
+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
+# over the preserve-miss feature (see below), unless
+# mask is specified, in which case only the bits
+# specified in the mask are written.
+#
+# The TOS variant of the following features are only possible on Linux
+# and require your kernel to be patched with the TOS preserving ZPH
+# patch, available from http://zph.bratcheda.org
+# No patch is needed to preserve the netfilter mark, which will work
+# with all variants of netfilter.
+#
+# disable-preserve-miss
+# This option disables the preservation of the TOS or netfilter
+# mark. By default, the existing TOS or netfilter mark value of
+# the response coming from the remote server will be retained
+# and masked with miss-mark.
+# NOTE: in the case of a netfilter mark, the mark must be set on
+# the connection (using the CONNMARK target) not on the packet
+# (MARK target).
+#
+# miss-mask=0xFF
+# Allows you to mask certain bits in the TOS or mark value
+# received from the remote server, before copying the value to
+# the TOS sent towards clients.
+# Default for tos: 0xFF (TOS from server is not changed).
+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
+#
+# All of these features require the --enable-zph-qos compilation flag
+# (enabled by default). Netfilter marking also requires the
+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
+# libcap 2.09+ (--with-libcap).
+#
+#Default:
+# none
+
+# TAG: tcp_outgoing_address
+# Allows you to map requests to different outgoing IP addresses
+# based on the username or source address of the user making
+# the request.
+#
+# tcp_outgoing_address ipaddr [[!]aclname] ...
+#
+# For example;
+# Forwarding clients with dedicated IPs for certain subnets.
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
+#
+# tcp_outgoing_address 2001:db8::c001 good_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
+#
+# tcp_outgoing_address 2001:db8::beef normal_service_net
+# tcp_outgoing_address 10.1.0.1 normal_service_net
+#
+# tcp_outgoing_address 2001:db8::1
+# tcp_outgoing_address 10.1.0.3
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Squid will add an implicit IP version test to each line.
+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+#
+#
+# NOTE: The use of this directive using client dependent ACLs is
+# incompatible with the use of server side persistent connections. To
+# ensure correct results it is best to set server_persistent_connections
+# to off when using this directive in such configurations.
+#
+# NOTE: The use of this directive to set a local IP on outgoing TCP links
+# is incompatible with using TPROXY to set client IP out outbound TCP links.
+# When needing to contact peers use the no-tproxy cache_peer option and the
+# client_dst_passthru directive re-enable normal forwarding such as this.
+#
+#Default:
+# Address selection is performed by the operating system.
+
+# TAG: host_verify_strict
+# Regardless of this option setting, when dealing with intercepted
+# traffic, Squid always verifies that the destination IP address matches
+# the Host header domain or IP (called 'authority form URL').
+#
+# This enforcement is performed to satisfy a MUST-level requirement in
+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
+# authority of the origin server or gateway given by the original URL".
+#
+# When set to ON:
+# Squid always responds with an HTTP 409 (Conflict) error
+# page and logs a security warning if there is no match.
+#
+# Squid verifies that the destination IP address matches
+# the Host header for forward-proxy and reverse-proxy traffic
+# as well. For those traffic types, Squid also enables the
+# following checks, comparing the corresponding Host header
+# and Request-URI components:
+#
+# * The host names (domain or IP) must be identical,
+# but valueless or missing Host header disables all checks.
+# For the two host names to match, both must be either IP
+# or FQDN.
+#
+# * Port numbers must be identical, but if a port is missing
+# the scheme-default port is assumed.
+#
+#
+# When set to OFF (the default):
+# Squid allows suspicious requests to continue but logs a
+# security warning and blocks caching of the response.
+#
+# * Forward-proxy traffic is not checked at all.
+#
+# * Reverse-proxy traffic is not checked at all.
+#
+# * Intercepted traffic which passes verification is handled
+# according to client_dst_passthru.
+#
+# * Intercepted requests which fail verification are sent
+# to the client original destination instead of DIRECT.
+# This overrides 'client_dst_passthru off'.
+#
+# For now suspicious intercepted CONNECT requests are always
+# responded to with an HTTP 409 (Conflict) error page.
+#
+#
+# SECURITY NOTE:
+#
+# As described in CVE-2009-0801 when the Host: header alone is used
+# to determine the destination of a request it becomes trivial for
+# malicious scripts on remote websites to bypass browser same-origin
+# security policy and sandboxing protections.
+#
+# The cause of this is that such applets are allowed to perform their
+# own HTTP stack, in which case the same-origin policy of the browser
+# sandbox only verifies that the applet tries to contact the same IP
+# as from where it was loaded at the IP level. The Host: header may
+# be different from the connected IP and approved origin.
+#
+#Default:
+# host_verify_strict off
+
+# TAG: client_dst_passthru
+# With NAT or TPROXY intercepted traffic Squid may pass the request
+# directly to the original client destination IP or seek a faster
+# source using the HTTP Host header.
+#
+# Using Host to locate alternative servers can provide faster
+# connectivity with a range of failure recovery options.
+# But can also lead to connectivity trouble when the client and
+# server are attempting stateful interactions unaware of the proxy.
+#
+# This option (on by default) prevents alternative DNS entries being
+# located to send intercepted traffic DIRECT to an origin server.
+# The clients original destination IP and port will be used instead.
+#
+# Regardless of this option setting, when dealing with intercepted
+# traffic Squid will verify the Host: header and any traffic which
+# fails Host verification will be treated as if this option were ON.
+#
+# see host_verify_strict for details on the verification process.
+#Default:
+# client_dst_passthru on
+
+# SSL OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ssl_unclean_shutdown
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Some browsers (especially MSIE) bugs out on SSL shutdown
+# messages.
+#Default:
+# ssl_unclean_shutdown off
+
+# TAG: ssl_engine
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# The OpenSSL engine to use. You will need to set this if you
+# would like to use hardware SSL acceleration for example.
+#Default:
+# none
+
+# TAG: sslproxy_client_certificate
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Client SSL Certificate to use when proxying https:// URLs
+#Default:
+# none
+
+# TAG: sslproxy_client_key
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Client SSL Key to use when proxying https:// URLs
+#Default:
+# none
+
+# TAG: sslproxy_version
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# SSL version level to use when proxying https:// URLs
+#
+# The versions of SSL/TLS supported:
+#
+# 1 automatic (default)
+# 2 SSLv2 only
+# 3 SSLv3 only
+# 4 TLSv1.0 only
+# 5 TLSv1.1 only
+# 6 TLSv1.2 only
+#Default:
+# automatic SSL/TLS version negotiation
+
+# TAG: sslproxy_options
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# SSL implementation options to use when proxying https:// URLs
+#
+# The most important being:
+#
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+# SINGLE_DH_USE
+# Always create a new key when using temporary/ephemeral
+# DH key exchanges
+# SSL_OP_NO_TICKET
+# Disable use of RFC5077 session tickets. Some servers
+# may have problems understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+# ALL Enable various bug workarounds suggested as "harmless"
+# by OpenSSL. Be warned that this may reduce SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# complete list of possible options.
+#Default:
+# none
+
+# TAG: sslproxy_cipher
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# SSL cipher list to use when proxying https:// URLs
+#
+# Colon separated list of supported ciphers.
+#Default:
+# none
+
+# TAG: sslproxy_cafile
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# file containing CA certificates to use when verifying server
+# certificates while proxying https:// URLs
+#Default:
+# none
+
+# TAG: sslproxy_capath
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# directory containing CA certificates to use when verifying
+# server certificates while proxying https:// URLs
+#Default:
+# none
+
+# TAG: ssl_bump
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# This option is consulted when a CONNECT request is received on
+# an http_port (or a new connection is intercepted at an
+# https_port), provided that port was configured with an ssl-bump
+# flag. The subsequent data on the connection is either treated as
+# HTTPS and decrypted OR tunneled at TCP level without decryption,
+# depending on the first bumping "mode" which ACLs match.
+#
+# ssl_bump [!]acl ...
+#
+# The following bumping modes are supported:
+#
+# client-first
+# Allow bumping of the connection. Establish a secure connection
+# with the client first, then connect to the server. This old mode
+# does not allow Squid to mimic server SSL certificate and does
+# not work with intercepted SSL connections.
+#
+# server-first
+# Allow bumping of the connection. Establish a secure connection
+# with the server first, then establish a secure connection with
+# the client, using a mimicked server certificate. Works with both
+# CONNECT requests and intercepted SSL connections.
+#
+# none
+# Become a TCP tunnel without decoding the connection.
+# Works with both CONNECT requests and intercepted SSL
+# connections. This is the default behavior when no
+# ssl_bump option is given or no ssl_bump ACLs match.
+#
+# By default, no connections are bumped.
+#
+# The first matching ssl_bump option wins. If no ACLs match, the
+# connection is not bumped.
Unlike most allow/deny ACL lists, ssl_bump
+# does not have an implicit "negate the last given option" rule. You
+# must make that rule explicit if you convert old ssl_bump allow/deny
+# rules that rely on such an implicit rule.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also: http_port ssl-bump, https_port ssl-bump
+#
+#
+# # Example: Bump all requests except those originating from
+# # localhost or those going to example.com.
+#
+# acl broken_sites dstdomain .example.com
+# ssl_bump none localhost
+# ssl_bump none broken_sites
+# ssl_bump server-first all
+#Default:
+# Does not bump unless rules are present in squid.conf
+
+# TAG: sslproxy_flags
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Various flags modifying the use of SSL while proxying https:// URLs:
+# DONT_VERIFY_PEER Accept certificates that fail verification.
+# For refined control, see sslproxy_cert_error.
+# NO_DEFAULT_CA Don't use the default CA list built in
+# to OpenSSL.
+#Default:
+# none
+
+# TAG: sslproxy_cert_error
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Use this ACL to bypass server certificate validation errors.
+#
+# For example, the following lines will bypass all validation errors
+# when talking to servers for example.com. All other
+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+#
+# acl BrokenButTrustedServers dstdomain example.com
+# sslproxy_cert_error allow BrokenButTrustedServers
+# sslproxy_cert_error deny all
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Using slow acl types may result in server crashes
+#
+# Without this option, all server certificate validation errors
+# terminate the transaction to protect Squid and the client.
+#
+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+# but should not happen unless your OpenSSL library is buggy.
+#
+# SECURITY WARNING:
+# Bypassing validation errors is dangerous because an
+# error usually implies that the server cannot be trusted
+# and the connection may be insecure.
+#
+# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#Default:
+# Server certificate errors terminate the transaction.
+
+# TAG: sslproxy_cert_sign
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+#
+# sslproxy_cert_sign acl ...
+#
+# The following certificate signing algorithms are supported:
+#
+# signTrusted
+# Sign using the configured CA certificate which is usually
+# placed in and trusted by end-user browsers. This is the
+# default for trusted origin server certificates.
+#
+# signUntrusted
+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+# This is the default for untrusted origin server certificates
+# that are not self-signed (see ssl::certUntrusted).
+#
+# signSelf
+# Sign using a self-signed certificate with the right CN to
+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+# browser. This is the default for self-signed origin server
+# certificates (see ssl::certSelfSigned).
+#
+# This clause only supports fast acl types.
+#
+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+# signing algorithm to generate the certificate and ignores all
+# subsequent sslproxy_cert_sign options (the first match wins). If no
+# acl(s) match, the default signing algorithm is determined by errors
+# detected when obtaining and validating the origin server certificate.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name.
In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslproxy_cert_adapt
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+#
+# sslproxy_cert_adapt acl ...
+#
+# The following certificate adaptation algorithms are supported:
+#
+# setValidAfter
+# Sets the "Not After" property to the "Not After" property of
+# the CA certificate used to sign generated certificates.
+#
+# setValidBefore
+# Sets the "Not Before" property to the "Not Before" property of
+# the CA certificate used to sign generated certificates.
+#
+# setCommonName or setCommonName{CN}
+# Sets Subject.CN property to the host name specified as a
+# CN parameter or, if no explicit CN parameter was specified,
+# extracted from the CONNECT request. It is a misconfiguration
+# to use setCommonName without an explicit parameter for
+# intercepted or tproxied SSL connections.
+#
+# This clause only supports fast acl types.
+#
+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+# corresponding adaptation algorithm to generate the certificate and
+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+# group (i.e., the first match wins within each algorithm group). If no
+# acl(s) match, the default mimicking action takes place.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslpassword_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Specify a program used for entering SSL key passphrases
+# when using encrypted SSL certificate keys. If not specified
+# keys must either be unencrypted, or Squid started with the -N
+# option to allow it to query interactively for the passphrase.
+#
+# The key file name is given as argument to the program allowing
+# selection of the right password if you have multiple encrypted
+# keys.
+#Default:
+# none
+
+# OPTIONS RELATING TO EXTERNAL SSL_CRTD
+# -----------------------------------------------------------------------------
+
+# TAG: sslcrtd_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specify the location and options of the executable for ssl_crtd process.
+# /usr/lib/squid3/ssl_crtd program requires -s and -M parameters
+# For more information use:
+# /usr/lib/squid3/ssl_crtd -h
+#Default:
+# sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
+
+# TAG: sslcrtd_children
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# The maximum number of processes spawn to service ssl server.
+# The maximum this may be safely set to is 32.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured.
A minimum setting of 1 is required.
+#
+# You must have at least one ssl_crtd process.
+#Default:
+# sslcrtd_children 32 startup=5 idle=1
+
+# TAG: sslcrtvalidator_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Specify the location and options of the executable for ssl_crt_validator
+# process.
+#
+# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
+#
+# Options:
+# ttl=n TTL in seconds for cached results. The default is 60 secs
+# cache=n limit the result cache size. The default value is 2048
+#Default:
+# none
+
+# TAG: sslcrtvalidator_children
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# The maximum number of processes spawn to service SSL server.
+# The maximum this may be safely set to is 32.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each certificate validator helper can handle in
+# parallel. A value of 0 indicates the certficate validator does not
+# support concurrency. Defaults to 1.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# a request ID in front of the request/response.
The request
+# ID from the request must be echoed back with the response
+# to that request.
+#
+# You must have at least one ssl_crt_validator process.
+#Default:
+# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
+
+# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
+# -----------------------------------------------------------------------------
+
+# TAG: cache_peer
+# To specify other caches in a hierarchy, use the format:
+#
+# cache_peer hostname type http-port icp-port [options]
+#
+# For example,
+#
+# # proxy icp
+# # hostname type port port options
+# # -------------------- -------- ----- ----- -----------
+# cache_peer parent.foo.net parent 3128 3130 default
+# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
+# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
+# cache_peer example.com parent 80 0 default
+# cache_peer cdn.example.com sibling 3128 0
+#
+# type: either 'parent', 'sibling', or 'multicast'.
+#
+# proxy-port: The port number where the peer accept HTTP requests.
+# For other Squid proxies this is usually 3128
+# For web servers this is usually 80
+#
+# icp-port: Used for querying neighbor caches about objects.
+# Set to 0 if the peer does not support ICP or HTCP.
+# See ICP and HTCP options below for additional details.
+#
+#
+# ==== ICP OPTIONS ====
+#
+# You MUST also set icp_port and icp_access explicitly when using these options.
+# The defaults will prevent peer traffic using ICP.
+#
+#
+# no-query Disable ICP queries to this neighbor.
+#
+# multicast-responder
+# Indicates the named peer is a member of a multicast group.
+# ICP queries will not be sent directly to the peer, but ICP
+# replies will be accepted from it.
+#
+# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
+# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
+#
+# background-ping
+# To only send ICP queries to this neighbor infrequently.
+# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. +# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. This directive accepts a comma separated +# list of options described below. +# +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). +# +# htcp=no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# only-clr. +# +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. +# +# htcp=no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp=forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. +# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. 
+# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. +# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. +# +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a multicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. +# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. 
+# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# +# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== +# +# originserver Causes this parent to be contacted as an origin server. +# Meant to be used in accelerator setups when the peer +# is a web server. +# +# forceddomain=name +# Set the Host header of requests forwarded to this peer. +# Useful in accelerator setups where the server (peer) +# expects a certain domain name but clients may request +# others. ie example.com or www.example.com +# +# no-digest Disable request of cache digests. +# +# no-netdb-exchange +# Disables requesting ICMP RTT database (NetDB). +# +# +# ==== AUTHENTICATION OPTIONS ==== +# +# login=user:password +# If this is a personal/workgroup proxy and your parent +# requires proxy authentication. +# +# Note: The string can include URL escapes (i.e. %20 for +# spaces). This also means % must be written as %%. +# +# login=PASSTHRU +# Send login details received from client to this peer. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. +# +# Note: This will pass any form of authentication but +# only Basic auth will work through a proxy unless the +# connection-auth options are also used. +# +# login=PASS Send login details received from client to this peer. +# Authentication is not required by this option. +# +# If there are no client-provided authentication headers +# to pass on, but username and password are available +# from an external ACL user= and password= result tags +# they may be sent instead. +# +# Note: To combine this with proxy_auth both proxies must +# share the same user database as HTTP only allows for +# a single login (one for proxy, one for origin server). +# Also be warned this will expose your users proxy +# password to the peer. 
USE WITH CAUTION
+#
+# login=*:password
+# Send the username to the upstream cache, but with a
+# fixed password. This is meant to be used when the peer
+# is in another administrative domain, but it is still
+# needed to identify each user.
+# The star can optionally be followed by some extra
+# information which is added to the username. This can
+# be used to identify this proxy to the peer, similar to
+# the login=username:password option above.
+#
+# login=NEGOTIATE
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The first principal from the default keytab or defined by
+# the environment variable KRB5_KTNAME will be used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# login=NEGOTIATE:principal_name
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The principal principal_name from the default keytab or
+# defined by the environment variable KRB5_KTNAME will be
+# used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# connection-auth=on|off
+# Tell Squid that this peer does or not support Microsoft
+# connection oriented authentication, and any such
+# challenges received from there should be ignored.
+# Default is auto to automatically determine the status
+# of the peer.
+#
+#
+# ==== SSL / HTTPS / TLS OPTIONS ====
+#
+# ssl Encrypt connections to this peer with SSL/TLS.
+#
+# sslcert=/path/to/ssl/certificate
+# A client SSL certificate to use when connecting to
+# this peer.
+#
+# sslkey=/path/to/ssl/key
+# The private SSL key corresponding to sslcert above.
+# If 'sslkey' is not specified 'sslcert' is assumed to
+# reference a combined file containing both the
+# certificate and the key.
+#
+# sslversion=1|2|3|4|5|6
+# The SSL version to use when connecting to this peer
+# 1 = automatic (default)
+# 2 = SSL v2 only
+# 3 = SSL v3 only
+# 4 = TLS v1.0 only
+# 5 = TLS v1.1 only
+# 6 = TLS v1.2 only
+#
+# sslcipher=... The list of valid SSL ciphers to use when connecting
+# to this peer.
+#
+# ssloptions=... Specify various SSL implementation options:
+#
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# sslcafile=... A file containing additional CA certificates to use
+# when verifying the peer certificate.
+#
+# sslcapath=... A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+#
+# sslcrlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# sslflags=... Specify various flags modifying the SSL implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# NO_DEFAULT_CA
+# Don't use the default CA list built in
+# to OpenSSL.
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# ssldomain= The peer name as advertised in it's certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#
+# front-end-https
+# Enable the "Front-End-Https: On" header needed when
+# using Squid as a SSL frontend in front of Microsoft OWA.
+# See MS KB document Q307347 for details on this header.
+# If set to auto the header will only be added if the
+# request is forwarded as a https:// URL.
+#
+#
+# ==== GENERAL OPTIONS ====
+#
+# connect-timeout=N
+# A peer-specific connect timeout.
+# Also see the peer_connect_timeout directive.
+#
+# connect-fail-limit=N
+# How many times connecting to a peer must fail before
+# it is marked as down. Default is 10.
+#
+# allow-miss Disable Squid's use of only-if-cached when forwarding
+# requests to siblings. This is primarily useful when
+# icp_hit_stale is used by the sibling. To extensive use
+# of this option may result in forwarding loops, and you
+# should avoid having two-way peerings with this option.
+# For example to deny peer usage on requests from peer
+# by denying cache_peer_access if the source is a peer.
+#
+# max-conn=N Limit the amount of connections Squid may open to this
+# peer. see also
+#
+# name=xxx Unique name for the peer.
+# Required if you have multiple peers on the same host
+# but different ports.
+# This name can be used in cache_peer_access and similar
+# directives to dentify the peer.
+# Can be used by outgoing access controls through the
+# peername ACL type.
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
+#Default:
+# none
+
+# TAG: cache_peer_domain
+# Use to limit the domains for which a neighbor cache will be
+# queried.
+#
+# Usage:
+# cache_peer_domain cache-host domain [domain ...]
+# cache_peer_domain cache-host !domain
+#
+# For example, specifying
+#
+# cache_peer_domain parent.foo.net .edu
+#
+# has the effect such that UDP query packets are sent to
+# 'bigserver' only when the requested object exists on a
+# server in the .edu domain. Prefixing the domainname
+# with '!' means the cache will be queried for objects
+# NOT in that domain.
+#
+# NOTE: * Any number of domains may be given for a cache-host,
+# either on the same or separate lines.
+# * When multiple domains are given for a particular
+# cache-host, the first matched domain is applied.
+# * Cache hosts with no domain restrictions are queried
+# for all requests.
+# * There are no defaults.
+# * There is also a 'cache_peer_access' tag in the ACL
+# section.
+#Default:
+# none
+
+# TAG: cache_peer_access
+# Similar to 'cache_peer_domain' but provides more flexibility by
+# using ACL elements.
+#
+# Usage:
+# cache_peer_access cache-host allow|deny [!]aclname ...
+#
+# The syntax is identical to 'http_access' and the other lists of
+# ACL elements. See the comments for 'http_access' below, or
+# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
+#Default:
+# none
+
+# TAG: neighbor_type_domain
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
+#
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
+#
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
+#Default:
+# The peer type from cache_peer directive is used for all requests to that peer.
+
+# TAG: dead_peer_timeout (seconds)
+# This controls how long Squid waits to declare a peer cache
+# as "dead." If there are no ICP replies received in this
+# amount of time, Squid will declare the peer dead and not
+# expect to receive any further ICP replies. However, it
+# continues to send ICP queries, and will mark the peer as
+# alive upon receipt of the first subsequent ICP reply.
+#
+# This timeout also affects when Squid expects to receive ICP
+# replies from peers. If more than 'dead_peer' seconds have
+# passed since the last ICP reply was received, Squid will not
+# expect to receive an ICP reply on the next query. Thus, if
+# your time between requests is greater than this timeout, you
+# will see a lot of requests sent DIRECT to origin servers
+# instead of to your parents.
+#Default:
+# dead_peer_timeout 10 seconds
+
+# TAG: forward_max_tries
+# Controls how many different forward paths Squid will try
+# before giving up. See also forward_timeout.
+#
+# NOTE: connect_retries (default: none) can make each of these
+# possible forwarding paths be tried multiple times.
+#Default:
+# forward_max_tries 10
+
+# TAG: hierarchy_stoplist
+# A list of words which, if found in a URL, cause the object to
+# be handled directly by this cache. In other words, use this
+# to not query neighbor caches for certain objects. You may
+# list this option multiple times.
+#
+# Example:
+# hierarchy_stoplist cgi-bin ?
+#
+# Note: never_direct overrides this option.
+#Default:
+# none
+
+# MEMORY CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mem (bytes)
+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+#
+# 'cache_mem' specifies the ideal amount of memory to be used
+# for:
+# * In-Transit objects
+# * Hot Objects
+# * Negative-Cached objects
+#
+# Data for these objects are stored in 4 KB blocks. This
+# parameter specifies the ideal upper limit on the total size of
+# 4 KB blocks allocated. In-Transit objects take the highest
+# priority.
+#
+# In-transit objects have priority over the others. When
+# additional space is needed for incoming data, negative-cached
+# and hot objects will be released. In other words, the
+# negative-cached and hot objects will fill up any unused space
+# not needed for in-transit objects.
+#
+# If circumstances require, this limit will be exceeded.
+# Specifically, if your incoming request rate requires more than
+# 'cache_mem' of memory to hold in-transit objects, Squid will
+# exceed this limit to satisfy the new requests. When the load
+# decreases, blocks will be freed until the high-water mark is
+# reached. Thereafter, blocks will be used to store hot
+# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
+#Default:
+# cache_mem 256 MB
+
+# TAG: maximum_object_size_in_memory (bytes)
+# Objects greater than this size will not be attempted to kept in
+# the memory cache. This should be set high enough to keep objects
+# accessed frequently in memory to improve performance whilst low
+# enough to keep larger objects from hoarding cache_mem.
+#Default:
+# maximum_object_size_in_memory 512 KB
+
+# TAG: memory_cache_shared on|off
+# Controls whether the memory cache is shared among SMP workers.
+#
+# The shared memory cache is meant to occupy cache_mem bytes and replace
+# the non-shared memory cache, although some entities may still be
+# cached locally by workers for now (e.g., internal and in-transit
+# objects may be served from a local memory cache even if shared memory
+# caching is enabled).
+#
+# By default, the memory cache is shared if and only if all of the
+# following conditions are satisfied: Squid runs in SMP mode with
+# multiple workers, cache_mem is positive, and Squid environment
+# supports required IPC primitives (e.g., POSIX shared memory segments
+# and GCC-style atomic operations).
+#
+# To avoid blocking locks, shared memory uses opportunistic algorithms
+# that do not guarantee that every cachable entity that could have been
+# shared among SMP workers will actually be shared.
+#
+# Currently, entities exceeding 32KB in size cannot be shared.
+#Default:
+# "on" where supported if doing memory caching with multiple SMP workers.
+
+# TAG: memory_cache_mode
+# Controls which objects to keep in the memory cache (cache_mem)
+#
+# always Keep most recently fetched objects in memory (default)
+#
+# disk Only disk cache hits are kept in memory, which means
+# an object must first be cached on disk and then hit
+# a second time before cached in memory.
+#
+# network Only objects fetched from network is kept in memory
+#Default:
+# Keep the most recently fetched objects in memory
+
+# TAG: memory_replacement_policy
+# The memory replacement policy parameter determines which
+# objects are purged from memory when memory space is needed.
+#
+# See cache_replacement_policy for details on algorithms.
+#Default:
+# memory_replacement_policy lru
+
+# DISK CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_replacement_policy
+# The cache replacement policy parameter determines which
+# objects are evicted (replaced) when disk space is needed.
+#
+# lru : Squid's original list based LRU policy
+# heap GDSF : Greedy-Dual Size Frequency
+# heap LFUDA: Least Frequently Used with Dynamic Aging
+# heap LRU : LRU policy implemented using a heap
+#
+# Applies to any cache_dir lines listed below this directive.
+#
+# The LRU policies keeps recently referenced objects.
+#
+# The heap GDSF policy optimizes object hit rate by keeping smaller
+# popular objects in cache so it has a better chance of getting a
+# hit. It achieves a lower byte hit rate than LFUDA though since
+# it evicts larger (possibly popular) objects.
+#
+# The heap LFUDA policy keeps popular objects in cache regardless of
+# their size and thus optimizes byte hit rate at the expense of
+# hit rate since one large, popular object will prevent many
+# smaller, slightly less popular objects from being cached.
+#
+# Both policies utilize a dynamic aging mechanism that prevents
+# cache pollution that can otherwise occur with frequency-based
+# replacement policies.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# the value of maximum_object_size above its default of 4 MB to
+# to maximize the potential byte hit rate improvement of LFUDA.
+#
+# For more information about the GDSF and LFUDA cache replacement
+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+#Default:
+# cache_replacement_policy lru
+
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in bytes, and the default is 0 KB, which
+# means all responses can be stored.
+#Default:
+# no limit
+
+# TAG: maximum_object_size (bytes)
+# Set the default value for max-size parameter on any cache_dir.
+# The value is specified in bytes, and the default is 4 MB.
+#
+# If you wish to get a high BYTES hit ratio, you should probably
+# increase this (one 32 MB object hit counts for 3200 10KB
+# hits).
+#
+# If you wish to increase hit ratio more than you want to
+# save bandwidth you should leave this low.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# this value to maximize the byte hit rate improvement of LFUDA!
+# See cache_replacement_policy for a discussion of this policy.
+#Default:
+# maximum_object_size 4 MB
+
+# TAG: cache_dir
+# Format:
+# cache_dir Type Directory-Name Fs-specific-data [options]
+#
+# You can specify multiple cache_dir lines to spread the
+# cache among different disk partitions.
+#
+# Type specifies the kind of storage system to use. Only "ufs"
+# is built by default. To enable any of the other storage systems
+# see the --enable-storeio configure option.
+#
+# 'Directory' is a top-level directory where cache swap
+# files will be stored. If you want to use an entire disk
+# for caching, this can be the mount-point directory.
+# The directory must exist and be writable by the Squid
+# process. Squid will NOT create this directory for you.
+#
+# In SMP configurations, cache_dir must not precede the workers option
+# and should use configuration macros or conditionals to give each
+# worker interested in disk caching a dedicated cache directory.
+#
+#
+# ==== The ufs store type ====
+#
+# "ufs" is the old well-known Squid storage format that has always
+# been there.
+#
+# Usage:
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+#
+# 'Mbytes' is the amount of disk space (MB) to use under this
+# directory. The default is 100 MB. Change this to suit your
+# configuration. Do NOT put the size of your disk drive here.
+# Instead, if you want Squid to use the entire disk drive,
+# subtract 20% and use that value.
+#
+# 'L1' is the number of first-level subdirectories which
+# will be created under the 'Directory'. The default is 16.
+#
+# 'L2' is the number of second-level subdirectories which
+# will be created under each first-level directory. The default
+# is 256.
+#
+#
+# ==== The aufs store type ====
+#
+# "aufs" uses the same storage format as "ufs", utilizing
+# POSIX-threads to avoid blocking the main Squid process on
+# disk-I/O. This was formerly known in Squid as async-io.
+#
+# Usage:
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+#
+# see argument descriptions under ufs above
+#
+#
+# ==== The diskd store type ====
+#
+# "diskd" uses the same storage format as "ufs", utilizing a
+# separate process to avoid blocking the main Squid process on
+# disk-I/O.
+#
+# Usage:
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+#
+# see argument descriptions under ufs above
+#
+# Q1 specifies the number of unacknowledged I/O requests when Squid
+# stops opening new files. If this many messages are in the queues,
+# Squid won't open new files. Default is 64
+#
+# Q2 specifies the number of unacknowledged messages when Squid
+# starts blocking. If this many messages are in the queues,
+# Squid blocks until it receives some replies. Default is 72
+#
+# When Q1 < Q2 (the default), the cache directory is optimized
+# for lower response time at the expense of a decrease in hit
+# ratio. If Q1 > Q2, the cache directory is optimized for
+# higher hit ratio at the expense of an increase in response
+# time.
+#
+#
+# ==== The rock store type ====
+#
+# Usage:
+# cache_dir rock Directory-Name Mbytes [options]
+#
+# The Rock Store type is a database-style storage. All cached
+# entries are stored in a "database" file, using fixed-size slots,
+# one entry per slot. The database size is specified in MB. The
+# slot size is specified in bytes using the max-size option. See
+# below for more info on the max-size option.
+#
+# If possible, Squid using Rock Store creates a dedicated kid
+# process called "disker" to avoid blocking Squid worker(s) on disk
+# I/O. One disker kid is created for each rock cache_dir. Diskers
+# are created only when Squid, running in daemon mode, has support
+# for the IpcIo disk I/O module.
+#
+# swap-timeout=msec: Squid will not start writing a miss to or
+# reading a hit from disk if it estimates that the swap operation
+# will take more than the specified number of milliseconds. By
+# default and when set to zero, disables the disk I/O time limit
+# enforcement. Ignored when using blocking I/O module because
+# blocking synchronous I/O does not allow Squid to estimate the
+# expected swap wait time.
+#
+# max-swap-rate=swaps/sec: Artificially limits disk access using
+# the specified I/O rate limit. Swap out requests that
+# would cause the average I/O rate to exceed the limit are
+# delayed. Individual swap in requests (i.e., hits or reads) are
+# not delayed, but they do contribute to measured swap rate and
+# since they are placed in the same FIFO queue as swap out
+# requests, they may wait longer if max-swap-rate is smaller.
+# This is necessary on file systems that buffer "too
+# many" writes and then start blocking Squid and other processes
+# while committing those writes to disk. Usually used together
+# with swap-timeout to avoid excessive delays and queue overflows
+# when disk demand exceeds available disk "bandwidth". By default
+# and when set to zero, disables the disk I/O rate limit
+# enforcement. Currently supported by IpcIo module only.
+#
+#
+# ==== The coss store type ====
+#
+# NP: COSS filesystem in Squid-3 has been deemed too unstable for
+# production use and has thus been removed from this release.
+# We hope that it can be made usable again soon.
+#
+# block-size=n defines the "block size" for COSS cache_dir's.
+# Squid uses file numbers as block numbers. Since file numbers
+# are limited to 24 bits, the block size determines the maximum
+# size of the COSS partition. The default is 512 bytes, which
+# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
+# you should not change the coss block size after Squid
+# has written some objects to the cache_dir.
+#
+# The coss file store has changed from 2.5. Now it uses a file
+# called 'stripe' in the directory names in the config - and
+# this will be created by squid -z.
+#
+#
+# ==== COMMON OPTIONS ====
+#
+# no-store no new objects should be stored to this cache_dir.
+#
+# min-size=n the minimum object size in bytes this cache_dir
+# will accept. It's used to restrict a cache_dir
+# to only store large objects (e.g. AUFS) while
+# other stores are optimized for smaller objects
+# (e.g. COSS).
+# Defaults to 0.
+#
+# max-size=n the maximum object size in bytes this cache_dir
+# supports.
+# The value in maximum_object_size directive sets
+# the default unless more specific details are
+# available (ie a small store capacity).
+#
+# Note: To make optimal use of the max-size limits you should order
+# the cache_dir lines with the smallest max-size value first.
+#
+# Note for coss, max-size must be less than COSS_MEMBUF_SZ,
+# which can be changed with the --with-coss-membuf-size=N configure
+# option.
+#
+#Default:
+# No disk cache. Store cache ojects only in memory.
+#
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid3 100 16 256
+
+# TAG: store_dir_select_algorithm
+# How Squid selects which cache_dir to use when the response
+# object will fit into more than one.
+#
+# Regardless of which algorithm is used the cache_dir min-size
+# and max-size parameters are obeyed. As such they can affect
+# the selection algorithm by limiting the set of considered
+# cache_dir.
+#
+# Algorithms:
+#
+# least-load
+#
+# This algorithm is suited to caches with similar cache_dir
+# sizes and disk speeds.
+#
+# The disk with the least I/O pending is selected.
+# When there are multiple disks with the same I/O load ranking
+# the cache_dir with most available capacity is selected.
+#
+# When a mix of cache_dir sizes are configured the faster disks
+# have a naturally lower I/O loading and larger disks have more
+# capacity. So space used to store objects and data throughput
+# may be very unbalanced towards larger disks.
+#
+#
+# round-robin
+#
+# This algorithm is suited to caches with unequal cache_dir
+# disk sizes.
+#
+# Each cache_dir is selected in a rotation. The next suitable
+# cache_dir is used.
+#
+# Available cache_dir capacity is only considered in relation
+# to whether the object will fit and meets the min-size and
+# max-size parameters.
+#
+# Disk I/O loading is only considered to prevent overload on slow
+# disks. This algorithm does not spread objects by size, so any
+# I/O loading per-disk may appear very unbalanced and volatile.
+#
+#Default:
+# store_dir_select_algorithm least-load
+
+# TAG: max_open_disk_fds
+# To avoid having disk as the I/O bottleneck Squid can optionally
+# bypass the on-disk cache if more than this amount of disk file
+# descriptors are open.
+#
+# A value of 0 indicates no limit.
+#Default:
+# no limit
+
+# TAG: cache_swap_low (percent, 0-100)
+# The low-water mark for cache object replacement.
+# Replacement begins when the swap (disk) usage is above the
+# low-water mark and attempts to maintain utilization near the
+# low-water mark. As swap utilization gets close to high-water
+# mark object eviction becomes more aggressive. If utilization is
+# close to the low-water mark less replacement is done each time.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_high
+#Default:
+# cache_swap_low 90
+
+# TAG: cache_swap_high (percent, 0-100)
+# The high-water mark for cache object replacement.
+# Replacement begins when the swap (disk) usage is above the
+# low-water mark and attempts to maintain utilization near the
+# low-water mark. As swap utilization gets close to high-water
+# mark object eviction becomes more aggressive. If utilization is
+# close to the low-water mark less replacement is done each time.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_low
+#Default:
+# cache_swap_high 95
+
+# LOGFILE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: logformat
+# Usage:
+#
+# logformat
+#
+# Defines an access log format.
+#
+# The is a string with embedded % format codes
+#
+# % format codes all follow the same basic structure where all but
+# the formatcode is optional. Output strings are automatically escaped
+# as required according to their context and the output format
+# modifiers are usually not needed, but can be specified if an explicit
+# output format is desired.
+#
+# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
+#
+# " output in quoted string format
+# [ output in squid text log format as used by log_mime_hdrs
+# # output in URL quoted format
+# ' output as-is
+#
+# - left aligned
+#
+# width minimum and/or maximum field width:
+# [width_min][.width_max]
+# When minimum starts with 0, the field is zero-padded.
+# String values exceeding maximum width are truncated.
+#
+# {arg} argument such as header name etc
+#
+# Format codes:
+#
+# % a literal % character
+# sn Unique sequence number per log line entry
+# err_code The ID of an error response served by Squid or
+# a similar internal error identifier.
+# err_detail Additional err_code-dependent error information.
+# note The annotation specified by the argument. Also
+# logs the adaptation meta headers set by the
+# adaptation_meta configuration parameter.
+# If no argument given all annotations logged.
+# The argument may include a separator to use with
+# annotation values:
+# name[:separator]
+# By default, multiple note values are separated with ","
+# and multiple notes are separated with "\r\n".
+# When logging named notes with %{name}note, the
+# explicitly configured separator is used between note
+# values. When logging all notes with %note, the
+# explicitly configured separator is used between
+# individual notes. There is currently no way to
+# specify both value and notes separators when logging
+# all notes with %note.
+#
+# Connection related format codes:
+#
+# >a Client source IP address
+# >A Client FQDN
+# >p Client source port
+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+# >la Local IP address the client connected to
+# >lp Local port number the client connected to
+# >qos Client connection TOS/DSCP value set by Squid
+# >nfmark Client connection netfilter mark set by Squid
+#
+# la Local listening IP address the client connection was connected to.
+# lp Local listening port number the client connection was connected to.
+#
+# h Original received request header.
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Accepts optional header field name/value filter
+# argument using name[:[separator]element] format.
+# [http::]>ha Received request header after adaptation and
+# redirection (pre-cache REQMOD vectoring point).
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Optional header name argument as for >h
+# [http::]h
+# [http::]>Hs HTTP status code sent to the client
+# [http::]rm Request method from client
+# [http::]ru Request URL from client
+# [http::]rp Request URL-Path excluding hostname from client
+# [http::]rv Request protocol version from client
+# [http::]st Received request size including HTTP headers. In the
+# case of chunked requests the chunked encoding metadata
+# are not included
+# [http::]>sh Received HTTP request headers size
+# [http::]cert_subject The Subject field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Subject often has spaces.
+#
+# %ssl::>cert_issuer The Issuer field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Issuer often has spaces.
+#
+# The default formats available (which do not need re-defining) are:
+#
+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+#logformat useragent %>a [%tl] "%{User-Agent}>h"
+#
+# NOTE: When the log_mime_hdrs directive is set to ON.
+# The squid, common and combined formats have a safely encoded copy
+# of the mime headers appended to each line within a pair of brackets.
+#
+# NOTE: The common and combined formats are not quite true to the Apache definition.
+# The logs from Squid contain an extra status and hierarchy code appended.
+#
+#Default:
+# The format definitions squid, common, combined, referrer, useragent are built in.
+
+# TAG: access_log
+# Configures whether and how Squid logs HTTP and ICP transactions.
+# If access logging is enabled, a single line is logged for every
+# matching HTTP or ICP request. The recommended directive formats are:
+#
+# access_log : [option ...] [acl acl ...]
+# access_log none [acl acl ...]
+#
+# The following directive format is accepted but may be deprecated:
+# access_log : [ [acl acl ...]]
+#
+# In most cases, the first ACL name must not contain the '=' character
+# and should not be equal to an existing logformat name. You can always
+# start with an 'all' ACL to work around those restrictions.
+#
+# Will log to the specified module:place using the specified format (which
+# must be defined in a logformat directive) those entries which match
+# ALL the acl's specified (which must be defined in acl clauses).
+# If no acl is specified, all requests will be logged to this destination.
+#
+# ===== Available options for the recommended directive format =====
+#
+# logformat=name Names log line format (either built-in or
+# defined by a logformat directive). Defaults
+# to 'squid'.
+#
+# buffer-size=64KB Defines approximate buffering limit for log
+# records (see buffered_logs). Squid should not
+# keep more than the specified size and, hence,
+# should flush records before the buffer becomes
+# full to avoid overflows under normal
+# conditions (the exact flushing algorithm is
+# module-dependent though). The on-error option
+# controls overflow handling.
+#
+# on-error=die|drop Defines action on unrecoverable errors. The
+# 'drop' action ignores (i.e., does not log)
+# affected log records. The default 'die' action
+# kills the affected worker. The drop action
+# support has not been tested for modules other
+# than tcp.
+#
+# ===== Modules Currently available =====
+#
+# none Do not log any requests matching these ACL.
+# Do not specify Place or logformat name.
+#
+# stdio Write each log line to disk immediately at the completion of
+# each request.
+# Place: the filename and path to be written.
+#
+# daemon Very similar to stdio. But instead of writing to disk the log
+# line is passed to a daemon helper for asychronous handling instead.
+# Place: varies depending on the daemon.
+#
+# log_file_daemon Place: the file name and path to be written.
+#
+# syslog To log each request via syslog facility.
+# Place: The syslog facility and priority level for these entries.
+# Place Format: facility.priority
+#
+# where facility could be any of:
+# authpriv, daemon, local0 ... local7 or user.
+#
+# And priority could be any of:
+# err, warning, notice, info, debug.
+#
+# udp To send each log line as text data to a UDP receiver.
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# tcp To send each log line as text data to a TCP receiver.
+# Lines may be accumulated before sending (see buffered_logs).
+# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# Default: +# access_log daemon:/var/log/squid3/access.log squid +#Default: +# access_log daemon:/var/log/squid3/access.log squid + +# TAG: icap_log +# ICAP log files record ICAP transaction summaries, one line per +# transaction. +# +# The icap_log option format is: +# icap_log [ [acl acl ...]] +# icap_log none [acl acl ...]] +# +# Please see access_log option documentation for details. The two +# kinds of logs share the overall configuration approach and many +# features. +# +# ICAP processing of a single HTTP message or transaction may +# require multiple ICAP transactions. In such cases, multiple +# ICAP transaction log lines will correspond to a single access +# log line. +# +# ICAP log uses logformat codes that make sense for an ICAP +# transaction. Header-related codes are applied to the HTTP header +# embedded in an ICAP server response, with the following caveats: +# For REQMOD, there is no HTTP response header unless the ICAP +# server performed request satisfaction. For RESPMOD, the HTTP +# request header is the header sent to the ICAP server. For +# OPTIONS, there are no HTTP headers. +# +# The following format codes are also available for ICAP logs: +# +# icap::st Bytes sent to the ICAP server (TCP payload +# only; i.e., what Squid writes to the socket). +# +# icap::h ICAP request header(s). Similar to >h. +# +# icap::a %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/lib/squid3/log_file_daemon + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. 
Use acls with icap_log directives to control icap logging
+#Default:
+# none
+
+# TAG: stats_collection allow|deny acl acl...
+# This options allows you to control which requests gets accounted
+# in performance counters.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow logging for all transactions.
+
+# TAG: cache_store_log
+# Logs the activities of the storage manager. Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long.
+# There are not really utilities to analyze this data, so you can safely
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
+# Example:
+# cache_store_log stdio:/var/log/squid3/store.log
+# cache_store_log daemon:/var/log/squid3/store.log
+#Default:
+# none
+
+# TAG: cache_swap_state
+# Location for the cache "swap.state" file. This index file holds
+# the metadata of objects saved on disk. It is used to rebuild
+# the cache during startup. Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file.
If you change the order of the 'cache_dir'
+# lines in this file, these index files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend you do NOT use this option. It is
+# better to keep these index files in each 'cache_dir' directory.
+#Default:
+# Store the journal inside its cache_dir
+
+# TAG: logfile_rotate
+# Specifies the number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9. Setting logfile_rotate to 0 will
+# disable the file name rotation, but the logfiles are still closed
+# and re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# '.
+#
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
+#
+# Note2, for Debian/Linux the default of logfile_rotate is
+# zero, since it includes external logfile-rotation methods.
+#Default:
+# logfile_rotate 0
+
+# TAG: emulate_httpd_log
+# Replace this with an access_log directive using the format 'common' or 'combined'.
+#Default:
+# none
+
+# TAG: log_ip_on_direct
+# Remove this option from your config. To log server or peer names use %A in the log format.
+#Default:
+# none
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#Default:
+# Log full client IP address
+
+# TAG: forward_log
+# Use a regular access.log with ACL limiting it to MISS events.
+#Default:
+# none
+
+# TAG: strip_query_terms
+# By default, Squid strips query terms from requested URLs before
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
+#Default:
+# strip_query_terms on
+
+# TAG: buffered_logs on|off
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks. Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
+#Default:
+# buffered_logs off
+
+# TAG: netdb_filename
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
+#
+# To disable, enter "none".
+#Default:
+# netdb_filename stdio:/var/log/squid3/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
+#Default:
+# cache_log /var/log/squid3/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section.
Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# The default is to run with "ALL,1" to record important warnings.
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# Log all critical and important messages.
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started. If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# Use the directory from where Squid was started.
+#
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid3
+
+# OPTIONS FOR FTP GATEWAYING
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky FTP servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some FTP server also validate the email address is valid
+# (for example perl.com).
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, turn off this option.
+#
+# Use of ftp_epsv_all option requires this to be ON.
+#Default:
+# ftp_passive on
+
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator, as the EPRT command will never be used and therefore,
+# translation of the data portion of the segments will never be needed.
+#
+# When a client only expects to do two-way FTP transfers this may be
+# useful.
+# If squid finds that it must do a three-way FTP transfer after issuing
+# an EPSV ALL command, the FTP session will fail.
+#
+# If you have any doubts about this option do not use it.
+# Squid will nicely attempt all other connection methods.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv_all off
+
+# TAG: ftp_epsv
+# FTP Protocol extensions permit the use of a special "EPSV" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator using EPSV, as the EPRT command will never be used
+# and therefore, translation of the data portion of the segments
+# will never be needed.
+#
+# Turning this OFF will prevent EPSV being attempted.
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv on
+
+# TAG: ftp_eprt
+# FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+# This extension provides a protocol neutral alternative to the
+# IPv4-only PORT command. When supported it enables active FTP data
+# channels over IPv6 and efficient NAT handling.
+#
+# Turning this OFF will prevent EPRT being attempted and will skip
+# straight to using PORT for IPv4 servers.
+#
+# Some devices are known to not handle this extension correctly and
+# may result in crashes. Devices which suport EPRT enough to fail
+# cleanly will result in Squid attempting PORT anyway. This directive
+# should only be disabled when EPRT results in device failures.
+#
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
+# TAG: ftp_sanitycheck
+# For security and data integrity reasons Squid by default performs
+# sanity checks of the addresses of FTP data connections ensure the
+# data connection is to the requested server. If you need to allow
+# FTP connections to servers using another IP address for the data
+# connection turn this off.
+#Default:
+# ftp_sanitycheck on
+
+# TAG: ftp_telnet_protocol
+# The FTP protocol is officially defined to use the telnet protocol
+# as transport channel for the control connection. However, many
+# implementations are broken and does not respect this aspect of
+# the FTP protocol.
+#
+# If you have trouble accessing files with ASCII code 255 in the
+# path or similar problems involving this ASCII code you can
+# try setting this directive to off. If that helps, report to the
+# operator of the FTP server in question that their FTP server
+# is broken and does not follow the FTP standard.
+#Default:
+# ftp_telnet_protocol on
+
+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+# -----------------------------------------------------------------------------
+
+# TAG: diskd_program
+# Specify the location of the diskd executable.
+# Note this is only useful if you have compiled in
+# diskd as one of the store io modules.
+#Default:
+# diskd_program /usr/lib/squid3/diskd
+
+# TAG: unlinkd_program
+# Specify the location of the executable for file deletion process.
+#Default:
+# unlinkd_program /usr/lib/squid3/unlinkd
+
+# TAG: pinger_program
+# Specify the location of the executable for the pinger process.
+#Default:
+# pinger_program /usr/lib/squid3/pinger
+
+# TAG: pinger_enable
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable on
+
+# OPTIONS FOR URL REWRITING
+# -----------------------------------------------------------------------------
+
+# TAG: url_rewrite_program
+# Specify the location of the executable URL rewriter to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the rewriter will receive on line with the format
+#
+# [channel-ID ] URL client_ip "/" fqdn user method [ kv-pairs]
+#
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK status=30N url="..."
+# Redirect the URL to the one supplied in 'url='.
+# 'status=' is optional and contains the status code to send
+# the client in Squids HTTP response. It must be one of the
+# HTTP redirect status codes: 301, 302, 303, 307, 308.
+# When no status is given Squid will use 302.
+#
+# OK rewrite-url="..."
+# Rewrite the URL to the one supplied in 'rewrite-url='.
+# The new URL is fetched directly by Squid and returned to
+# the client as the response to its request.
+#
+# OK
+# When neither of url= and rewrite-url= are sent Squid does
+# not change the URL.
+#
+# ERR
+# Do not change the URL.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified. The 'message=' key name is
+# reserved for delivering a log message.
+#
+#
+# In the future, the interface protocol will be extended with
+# key=value pairs ("kv-pairs" shown above). Helper programs
+# should be prepared to receive and possibly ignore additional
+# whitespace-separated tokens on each input line.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# WARNING: URL re-writing ability should be avoided whenever possible.
+# Use the URL redirect form of response instead.
+#
+# Re-write creates a difference in the state held by the client
+# and server. Possibly causing confusion when the server response
+# contains snippets of its view state. Embeded URLs, response
+# and content Location headers, etc. are not re-written by this
+# interface.
+#
+# By default, a URL rewriter is not used.
+#Default:
+# none
+
+# TAG: url_rewrite_children
+# The maximum number of redirector processes to spawn. If you limit
+# it too few Squid will have to wait for them to process a backlog of
+# URLs, slowing it down. If you allow too many they will use RAM
+# and other system resources noticably.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each redirector helper can handle in
+# parallel. Defaults to 0 which indicates the redirector
+# is a old-style single threaded redirector.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#Default:
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: url_rewrite_host_header
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
+# WARNING: Entries are cached on the result of the URL rewriting
+# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
+#Default:
+# url_rewrite_host_header on
+
+# TAG: url_rewrite_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: url_rewrite_bypass
+# When this is 'on', a request will not go through the
+# redirector if all the helpers are busy. If this is 'off'
+# and the redirector queue grows too large, Squid will exit
+# with a FATAL error and ask you to increase the number of
+# redirectors. You should only enable this if the redirectors
+# are not critical to your caching system. If you use
+# redirectors for access control, and you enable this option,
+# users may have access to pages they should not
+# be allowed to request.
+#Default:
+# url_rewrite_bypass off
+
+# OPTIONS FOR STORE ID
+# -----------------------------------------------------------------------------
+
+# TAG: store_id_program
+# Specify the location of the executable StoreID helper to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the helper will receive one line with the format
+#
+# [channel-ID ] URL client_ip "/" fqdn user method [ kv-pairs]
+#
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK store-id="..."
+# Use the StoreID supplied in 'store-id='.
+#
+# ERR
+# The default is to use HTTP request URL as the store ID.
+#
+# BH
+# An internal error occured in the helper, preventing
+# a result being identified.
+#
+#
+# Helper programs should be prepared to receive and possibly ignore additional
+# kv-pairs with keys they do not support.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# NOTE: when using StoreID refresh_pattern will apply to the StoreID
+# returned from the helper and not the URL.
+#
+# WARNING: Wrong StoreID value returned by a careless helper may result
+# in the wrong cached response returned to the user.
+#
+# By default, a StoreID helper is not used.
+#Default:
+# none
+
+# TAG: store_id_children
+# The maximum number of StoreID helper processes to spawn. If you limit
+# it too few Squid will have to wait for them to process a backlog of
+# requests, slowing it down. If you allow too many they will use RAM
+# and other system resources noticably.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each storeID helper can handle in
+# parallel. Defaults to 0 which indicates the helper
+# is a old-style single threaded program.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#Default:
+# store_id_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: store_id_access
+# If defined, this access list specifies which requests are
+# sent to the StoreID processes. By default all requests
+# are sent.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: store_id_bypass
+# When this is 'on', a request will not go through the
+# helper if all helpers are busy. If this is 'off'
+# and the helper queue grows too large, Squid will exit
+# with a FATAL error and ask you to increase the number of
+# helpers. You should only enable this if the helperss
+# are not critical to your caching system. If you use
+# helpers for critical caching components, and you enable this
+# option, users may not get objects from cache.
+#Default:
+# store_id_bypass on
+
+# OPTIONS FOR TUNING THE CACHE
+# -----------------------------------------------------------------------------
+
+# TAG: cache
+# A list of ACL elements which, if matched and denied, cause the request to
+# not be satisfied from the cache and the reply to not be cached.
+# In other words, use this to force certain objects to never be cached.
+#
+# You must use the words 'allow' or 'deny' to indicate whether items
+# matching the ACL should be allowed or denied into the cache.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow caching, unless rules exist in squid.conf.
+
+# TAG: max_stale time-units
+# This option puts an upper limit on how stale content Squid
+# will serve from the cache if cache validation fails.
+# Can be overriden by the refresh_pattern max-stale option.
+#Default:
+# max_stale 1 week
+
+# TAG: refresh_pattern
+# usage: refresh_pattern [-i] regex min percent max [options]
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# 'Min' is the time (in minutes) an object without an explicit
+# expiry time should be considered fresh. The recommended
+# value is 0, any higher values may cause dynamic applications
+# to be erroneously cached unless the application designer
+# has taken the appropriate actions.
+#
+# 'Percent' is a percentage of the objects age (time since last
+# modification age) an object without explicit expiry time
+# will be considered fresh.
+#
+# 'Max' is an upper limit on how long objects without an explicit
+# expiry time will be considered fresh.
+#
+# options: override-expire
+# override-lastmod
+# reload-into-ims
+# ignore-reload
+# ignore-no-store
+# ignore-must-revalidate
+# ignore-private
+# ignore-auth
+# max-stale=NN
+# refresh-ims
+# store-stale
+#
+# override-expire enforces min age even if the server
+# sent an explicit expiry time (e.g., with the
+# Expires: header or Cache-Control: max-age). Doing this
+# VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# Note: override-expire does not enforce staleness - it only extends
+# freshness / min. If the server returns a Expires time which
+# is longer than your max time, Squid will still consider
+# the object fresh for that period of time.
+#
+# override-lastmod enforces min age even on objects
+# that were modified recently.
+#
+# reload-into-ims changes a client no-cache or ``reload''
+# request for a cached entry into a conditional request using
+# If-Modified-Since and/or If-None-Match headers, provided the
+# cached entry has a Last-Modified and/or a strong ETag header.
+# Doing this VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# ignore-reload ignores a client no-cache or ``reload''
+# header. Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which
+# it causes.
+#
+# ignore-no-store ignores any ``Cache-control: no-store''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-private ignores any ``Cache-control: private''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard.
Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-auth caches responses to requests with authorization,
+# as if the originserver had sent ``Cache-control: public''
+# in the response header. Doing this VIOLATES the HTTP standard.
+# Enabling this feature could make you liable for problems which
+# it causes.
+#
+# refresh-ims causes squid to contact the origin server
+# when a client issues an If-Modified-Since request. This
+# ensures that the client will receive an updated version
+# if one is available.
+#
+# store-stale stores responses even if they don't have explicit
+# freshness or a validator (i.e., Last-Modified or an ETag)
+# present, or if they're already stale. By default, Squid will
+# not cache such responses because they usually can't be
+# reused. Note that such responses will be stale by default.
+#
+# max-stale=NN provide a maximum staleness factor. Squid won't
+# serve objects more stale than this even if it failed to
+# validate the object. Default: use the max_stale global limit.
+#
+# Basically a cached object is:
+#
+# FRESH if expires < now, else STALE
+# STALE if age > max
+# FRESH if lm-factor < percent, else STALE
+# FRESH if age < min
+# else STALE
+#
+# The refresh_pattern lines are checked in the order listed here.
+# The first entry which matches is used. If none of the entries
+# match the default will be used.
+#
+# Note, you must uncomment all the default lines if you want
+# to change one. The default setting is only active if none is
+# used.
+#
+#
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern .
0 20% 4320
+
+# TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
+# TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
+# TAG: quick_abort_pct (percent)
+# The cache by default continues downloading aborted requests
+# which are almost completed (less than 16 KB remaining). This
+# may be undesirable on slow (e.g. SLIP) links and/or very busy
+# caches. Impatient users may tie up file descriptors and
+# bandwidth by repeatedly requesting and immediately aborting
+# downloads.
+#
+# When the user aborts a request, Squid will check the
+# quick_abort values to the amount of data transferred until
+# then.
+#
+# If the transfer has less than 'quick_abort_min' KB remaining,
+# it will finish the retrieval.
+#
+# If the transfer has more than 'quick_abort_max' KB remaining,
+# it will abort the retrieval.
+#
+# If more than 'quick_abort_pct' of the transfer has completed,
+# it will finish the retrieval.
+#
+# If you do not want any retrieval to continue after the client
+# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+# to '0 KB'.
+#
+# If you want retrievals to always continue if they are being
+# cached set 'quick_abort_min' to '-1 KB'.
+#Default:
+# quick_abort_pct 95
+
+# TAG: read_ahead_gap buffer-size
+# The amount of data the cache will buffer ahead of what has been
+# sent to the client when retrieving an object from another server.
+#Default:
+# read_ahead_gap 16 KB
+
+# TAG: negative_ttl time-units
+# Set the Default Time-to-Live (TTL) for failed requests.
+# Certain types of failures (such as "connection refused" and
+# "404 Not Found") are able to be negatively-cached for a short time.
+# Modern web servers should provide Expires: header, however if they
+# do not this can provide a minimum TTL.
+# The default is not to cache errors with unknown expiry details.
+#
+# Note that this is different from negative caching of DNS lookups.
+#
+# WARNING: Doing this VIOLATES the HTTP standard.
Enabling
+# this feature could make you liable for problems which it
+# causes.
+#Default:
+# negative_ttl 0 seconds
+
+# TAG: positive_dns_ttl time-units
+# Upper limit on how long Squid will cache positive DNS responses.
+# Default is 6 hours (360 minutes). This directive must be set
+# larger than negative_dns_ttl.
+#Default:
+# positive_dns_ttl 6 hours
+
+# TAG: negative_dns_ttl time-units
+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
+# This also sets the lower cache limit on positive lookups.
+# Minimum value is 1 second, and it is not recommendable to go
+# much below 10 seconds.
+#Default:
+# negative_dns_ttl 1 minutes
+
+# TAG: range_offset_limit size [acl acl...]
+# usage: (size) [units] [[!]aclname]
+#
+# Sets an upper limit on how far (number of bytes) into the file
+# a Range request may be to cause Squid to prefetch the whole file.
+# If beyond this limit, Squid forwards the Range request as it is and
+# the result is NOT cached.
+#
+# This is to stop a far ahead range request (lets say start at 17MB)
+# from making Squid fetch the whole object up to that point before
+# sending anything to the client.
+#
+# Multiple range_offset_limit lines may be specified, and they will
+# be searched from top to bottom on each request until a match is found.
+# The first match found will be used. If no line matches a request, the
+# default limit of 0 bytes will be used.
+#
+# 'size' is the limit specified as a number of units.
+#
+# 'units' specifies whether to use bytes, KB, MB, etc.
+# If no units are specified bytes are assumed.
+#
+# A size of 0 causes Squid to never fetch more than the
+# client requested. (default)
+#
+# A size of 'none' causes Squid to always fetch the object from the
+# beginning so it may cache the result. (2.0 style)
+#
+# 'aclname' is the name of a defined ACL.
+#
+# NP: Using 'none' as the byte value here will override any quick_abort settings
+# that may otherwise apply to the range request.
The range request will
+# be fully fetched from start to finish regardless of the client
+# actions. This affects bandwidth usage.
+#Default:
+# none
+
+# TAG: minimum_expiry_time (seconds)
+# The minimum caching time according to (Expires - Date)
+# headers Squid honors if the object can't be revalidated.
+# The default is 60 seconds.
+#
+# In reverse proxy environments it might be desirable to honor
+# shorter object lifetimes. It is most likely better to make
+# your server return a meaningful Last-Modified header however.
+#
+# In ESI environments where page fragments often have short
+# lifetimes, this will often be best set to 0.
+#Default:
+# minimum_expiry_time 60 seconds
+
+# TAG: store_avg_object_size (bytes)
+# Average object size, used to estimate number of objects your
+# cache can hold. The default is 13 KB.
+#
+# This is used to pre-seed the cache index memory allocation to
+# reduce expensive reallocate operations while handling clients
+# traffic. Too-large values may result in memory allocation during
+# peak traffic, too-small values will result in wasted memory.
+#
+# Check the cache manager 'info' report metrics for the real
+# object sizes seen by your Squid before tuning this.
+#Default:
+# store_avg_object_size 13 KB
+
+# TAG: store_objects_per_bucket
+# Target number of objects per bucket in the store hash table.
+# Lowering this value increases the total number of buckets and
+# also the storage maintenance rate. The default is 20.
+#Default:
+# store_objects_per_bucket 20
+
+# HTTP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: request_header_max_size (KB)
+# This specifies the maximum size for HTTP headers in a request.
+# Request headers are usually relatively small (about 512 bytes).
+# Placing a limit on the request header size will catch certain
+# bugs (for example with persistent connections) and possibly
+# buffer-overflow or denial-of-service attacks.
+#Default: +# request_header_max_size 64 KB + +# TAG: reply_header_max_size (KB) +# This specifies the maximum size for HTTP headers in a reply. +# Reply headers are usually relatively small (about 512 bytes). +# Placing a limit on the reply header size will catch certain +# bugs (for example with persistent connections) and possibly +# buffer-overflow or denial-of-service attacks. +#Default: +# reply_header_max_size 64 KB + +# TAG: request_body_max_size (bytes) +# This specifies the maximum size for an HTTP request body. +# In other words, the maximum size of a PUT/POST request. +# A user who attempts to send a request with a body larger +# than this limit receives an "Invalid Request" error message. +# If you set this parameter to a zero (the default), there will +# be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. +#Default: +# No limit. + +# TAG: client_request_buffer_max_size (bytes) +# This specifies the maximum buffer size of a client request. +# It prevents squid eating too much memory when somebody uploads +# a large file. +#Default: +# client_request_buffer_max_size 512 KB + +# TAG: chunked_request_body_max_size (bytes) +# A broken or confused HTTP/1.1 client may send a chunked HTTP +# request to Squid. Squid does not have full support for that +# feature yet. To cope with such requests, Squid buffers the +# entire request and then dechunks request body to create a +# plain HTTP/1.0 request with a known content length. The plain +# request is then used by the rest of Squid code as usual. +# +# The option value specifies the maximum size of the buffer used +# to hold the request before the conversion. If the chunked +# request size exceeds the specified limit, the conversion +# fails, and the client receives an "unsupported request" error, +# as if dechunking was disabled. +# +# Dechunking is enabled by default. 
To disable conversion of +# chunked requests, set the maximum to zero. +# +# Request dechunking feature and this option in particular are a +# temporary hack. When chunking requests and responses are fully +# supported, there will be no need to buffer a chunked request. +#Default: +# chunked_request_body_max_size 64 KB + +# TAG: broken_posts +# A list of ACL elements which, if matched, causes Squid to send +# an extra CRLF pair after the body of a PUT/POST request. +# +# Some HTTP servers has broken implementations of PUT/POST, +# and rely on an extra CRLF pair sent by some WWW clients. +# +# Quote from RFC2616 section 4.1 on this matter: +# +# Note: certain buggy HTTP/1.0 client implementations generate an +# extra CRLF's after a POST request. To restate what is explicitly +# forbidden by the BNF, an HTTP/1.1 client must not preface or follow +# a request with an extra CRLF. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# acl buggy_server url_regex ^http://.... +# broken_posts allow buggy_server +#Default: +# Obey RFC 2616. + +# TAG: adaptation_uses_indirect_client on|off +# Controls whether the indirect client IP address (instead of the direct +# client IP address) is passed to adaptation services. +# +# See also: follow_x_forwarded_for adaptation_send_client_ip +#Default: +# adaptation_uses_indirect_client on + +# TAG: via on|off +# If set (default), Squid will include a Via header in requests and +# replies as required by RFC2616. +#Default: +# via on + +# TAG: ie_refresh on|off +# Microsoft Internet Explorer up until version 5.5 Service +# Pack 1 has an issue with transparent proxies, wherein it +# is impossible to force a refresh. Turning this on provides +# a partial fix to the problem, by causing all IMS-REFRESH +# requests from older IE versions to check the origin server +# for fresh content. 
This reduces hit ratio by some amount +# (~10% in my experience), but allows users to actually get +# fresh content when they want it. Note because Squid +# cannot tell if the user is using 5.5 or 5.5SP1, the behavior +# of 5.5 is unchanged from old versions of Squid (i.e. a +# forced refresh is impossible). Newer versions of IE will, +# hopefully, continue to have the new behavior and will be +# handled based on that assumption. This option defaults to +# the old Squid behavior, which is better for hit ratios but +# worse for clients using IE, if they need to be able to +# force fresh content. +#Default: +# ie_refresh off + +# TAG: vary_ignore_expire on|off +# Many HTTP servers supporting Vary gives such objects +# immediate expiry time with no cache-control header +# when requested by a HTTP/1.0 client. This option +# enables Squid to ignore such expiry times until +# HTTP/1.1 is fully implemented. +# +# WARNING: If turned on this may eventually cause some +# varying objects not intended for caching to get cached. +#Default: +# vary_ignore_expire off + +# TAG: request_entities +# Squid defaults to deny GET and HEAD requests with request entities, +# as the meaning of such requests are undefined in the HTTP standard +# even if not explicitly forbidden. +# +# Set this directive to on if you have clients which insists +# on sending request entities in GET or HEAD requests. But be warned +# that there is server software (both proxies and web servers) which +# can fail to properly process this kind of request which may make you +# vulnerable to cache pollution attacks if enabled. +#Default: +# request_entities off + +# TAG: request_header_access +# Usage: request_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. 
+# +# This option replaces the old 'anonymize_headers' and the +# older 'http_anonymizer' option with something that is much +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. 
+# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# request_header_access From deny all +# request_header_access Referer deny all +# request_header_access User-Agent deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# request_header_access Authorization allow all +# request_header_access Proxy-Authorization allow all +# request_header_access Cache-Control allow all +# request_header_access Content-Length allow all +# request_header_access Content-Type allow all +# request_header_access Date allow all +# request_header_access Host allow all +# request_header_access If-Modified-Since allow all +# request_header_access Pragma allow all +# request_header_access Accept allow all +# request_header_access Accept-Charset allow all +# request_header_access Accept-Encoding allow all +# request_header_access Accept-Language allow all +# request_header_access Connection allow all +# request_header_access All deny all +# +# HTTP reply headers are controlled with the reply_header_access directive. +# +# By default, all headers are allowed (no anonymizing is performed). +#Default: +# No limits. + +# TAG: reply_header_access +# Usage: reply_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option only applies to reply headers, i.e., from the +# server to the client. +# +# This is the same as request_header_access, but in the other +# direction. Please see request_header_access for detailed +# documentation. 
+# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# reply_header_access Server deny all +# reply_header_access WWW-Authenticate deny all +# reply_header_access Link deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# reply_header_access Allow allow all +# reply_header_access WWW-Authenticate allow all +# reply_header_access Proxy-Authenticate allow all +# reply_header_access Cache-Control allow all +# reply_header_access Content-Encoding allow all +# reply_header_access Content-Length allow all +# reply_header_access Content-Type allow all +# reply_header_access Date allow all +# reply_header_access Expires allow all +# reply_header_access Last-Modified allow all +# reply_header_access Location allow all +# reply_header_access Pragma allow all +# reply_header_access Content-Language allow all +# reply_header_access Retry-After allow all +# reply_header_access Title allow all +# reply_header_access Content-Disposition allow all +# reply_header_access Connection allow all +# reply_header_access All deny all +# +# HTTP request headers are controlled with the request_header_access directive. +# +# By default, all headers are allowed (no anonymizing is +# performed). +#Default: +# No limits. + +# TAG: request_header_replace +# Usage: request_header_replace header_name message +# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) +# +# This option allows you to change the contents of headers +# denied with request_header_access above, by replacing them +# with some fixed string. +# +# This only applies to request headers, not reply headers. +# +# By default, headers are removed if denied. 
+#Default: +# none + +# TAG: reply_header_replace +# Usage: reply_header_replace header_name message +# Example: reply_header_replace Server Foo/1.0 +# +# This option allows you to change the contents of headers +# denied with reply_header_access above, by replacing them +# with some fixed string. +# +# This only applies to reply headers, not request headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. 
+# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + +# TAG: relaxed_header_parser on|off|warn +# In the default "on" setting Squid accepts certain forms +# of non-compliant HTTP messages where it is unambiguous +# what the sending application intended even if the message +# is not correctly formatted. The messages is then normalized +# to the correct form when forwarded by Squid. +# +# If set to "warn" then a warning will be emitted in cache.log +# each time such HTTP error is encountered. +# +# If set to "off" then such HTTP errors will cause the request +# or response to be rejected. +#Default: +# relaxed_header_parser on + +# TIMEOUTS +# ----------------------------------------------------------------------------- + +# TAG: forward_timeout time-units +# This parameter specifies how long Squid should at most attempt in +# finding a forwarding path for the request before giving up. +#Default: +# forward_timeout 4 minutes + +# TAG: connect_timeout time-units +# This parameter specifies how long to wait for the TCP connect to +# the requested server or peer to complete before Squid should +# attempt to find another path where to forward the request. 
+#Default: +# connect_timeout 1 minute + +# TAG: peer_connect_timeout time-units +# This parameter specifies how long to wait for a pending TCP +# connection to a peer cache. The default is 30 seconds. You +# may also set different timeout values for individual neighbors +# with the 'connect-timeout' option on a 'cache_peer' line. +#Default: +# peer_connect_timeout 30 seconds + +# TAG: read_timeout time-units +# The read_timeout is applied on server-side connections. After +# each successful read(), the timeout will be extended by this +# amount. If no data is read again after this amount of time, +# the request is aborted and logged with ERR_READ_TIMEOUT. The +# default is 15 minutes. +#Default: +# read_timeout 15 minutes + +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + +# TAG: request_timeout +# How long to wait for complete HTTP request headers after initial +# connection establishment. +#Default: +# request_timeout 5 minutes + +# TAG: client_idle_pconn_timeout +# How long to wait for the next HTTP request on a persistent +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: client_lifetime time-units +# The maximum amount of time a client (browser) is allowed to +# remain connected to the cache process. This protects the Cache +# from having a lot of sockets (and hence file descriptors) tied up +# in a CLOSE_WAIT state from remote clients that go away without +# properly shutting down (either because of a network failure or +# because of a poor client implementation). 
The default is one +# day, 1440 minutes. +# +# NOTE: The default value is intended to be much larger than any +# client would ever need to be connected to your cache. You +# should probably change client_lifetime only as a last resort. +# If you seem to have many client connections tying up +# filedescriptors, we recommend first tuning the read_timeout, +# request_timeout, persistent_request_timeout and quick_abort values. +#Default: +# client_lifetime 1 day + +# TAG: half_closed_clients +# Some clients may shutdown the sending side of their TCP +# connections, while leaving their receiving sides open. Sometimes, +# Squid can not tell the difference between a half-closed and a +# fully-closed TCP connection. +# +# By default, Squid will immediately close client connections when +# read(2) returns "no more data to read." +# +# Change this option to 'on' and Squid will keep open connections +# until a read(2) or write(2) on the socket returns an error. +# This may show some benefits for reverse proxies. But if not +# it is recommended to leave OFF. +#Default: +# half_closed_clients off + +# TAG: server_idle_pconn_timeout +# Timeout for idle persistent connections to servers and other +# proxies. +#Default: +# server_idle_pconn_timeout 1 minute + +# TAG: ident_timeout +# Maximum time to wait for IDENT lookups to complete. +# +# If this is too high, and you enabled IDENT lookups from untrusted +# users, you might be susceptible to denial-of-service by having +# many ident requests going at once. +#Default: +# ident_timeout 10 seconds + +# TAG: shutdown_lifetime time-units +# When SIGTERM or SIGHUP is received, the cache is put into +# "shutdown pending" mode until all active sockets are closed. +# This value is the lifetime to set for all open descriptors +# during shutdown mode. Any active clients after this many +# seconds will receive a 'timeout' message. 
+#Default: +# shutdown_lifetime 30 seconds + +# ADMINISTRATIVE PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: cache_mgr +# Email-address of local cache manager who will receive +# mail if the cache dies. The default is "webmaster". +#Default: +# cache_mgr webmaster + +# TAG: mail_from +# 
From: email-address for mail sent when the cache dies. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. +#Default: +# none + +# TAG: mail_program +# Email program used to send mail if the cache dies. +# The default is "mail". The specified program must comply +# with the standard Unix mail syntax: +# mail-program recipient < mailfile +# +# Optional command line options can be specified. +#Default: +# mail_program mail + +# TAG: cache_effective_user +# If you start Squid as root, it will change its effective/real +# UID/GID to the user specified below. The default is to change +# to UID of proxy. +# see also; cache_effective_group +#Default: +# cache_effective_user proxy + +# TAG: cache_effective_group +# Squid sets the GID to the effective user's default group ID +# (taken from the password file) and supplementary group list +# from the groups membership. +# +# If you want Squid to run with a specific GID regardless of +# the group memberships of the effective user then set this +# to the group (or GID) you want Squid to run as. When set +# all other group privileges of the effective user are ignored +# and only this GID is effective. If Squid is not started as +# root the user starting Squid MUST be member of the specified +# group. +# +# This option is not recommended by the Squid Team. +# Our preference is for administrators to configure a secure +# user account for squid with UID/GID matching system policies. +#Default: +# Use system group memberships of the cache_effective_user account + +# TAG: httpd_suppress_version_string on|off +# Suppress Squid version string info in HTTP headers and HTML error pages. +#Default: +# httpd_suppress_version_string off + +# TAG: visible_hostname +# If you want to present a special hostname in error messages, etc, +# define this. Otherwise, the return value of gethostname() +# will be used. 
If you have multiple caches in a cluster and +# get errors about IP-forwarding you must set them to have individual +# names with this setting. +#Default: +# Automatically detect the system host name + +# TAG: unique_hostname +# If you want to have multiple machines with the same +# 'visible_hostname' you must give each machine a different +# 'unique_hostname' so forwarding loops can be detected. +#Default: +# Copy the value from visible_hostname + +# TAG: hostname_aliases +# A list of other DNS names your cache has. +#Default: +# none + +# TAG: umask +# Minimum umask which should be enforced while the proxy +# is running, in addition to the umask set at startup. +# +# For a traditional octal representation of umasks, start +# your value with 0. +#Default: +# umask 027 + +# OPTIONS FOR THE CACHE REGISTRATION SERVICE +# ----------------------------------------------------------------------------- +# +# This section contains parameters for the (optional) cache +# announcement service. This service is provided to help +# cache administrators locate one another in order to join or +# create cache hierarchies. +# +# An 'announcement' message is sent (via UDP) to the registration +# service by Squid. By default, the announcement message is NOT +# SENT unless you enable it with 'announce_period' below. +# +# The announcement message includes your hostname, plus the +# following information from this configuration file: +# +# http_port +# icp_port +# cache_mgr +# +# All current information is processed regularly and made +# available on the Web at http://www.ircache.net/Cache/Tracker/. + +# TAG: announce_period +# This is how frequently to send cache announcements. +# +# To enable announcing your cache, just set an announce period. +# +# Example: +# announce_period 1 day +#Default: +# Announcement messages disabled. + +# TAG: announce_host +# Set the hostname where announce registration messages will be sent. 
+# +# See also announce_port and announce_file +#Default: +# announce_host tracker.ircache.net + +# TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. +#Default: +# none + +# TAG: announce_port +# Set the port where announce registration messages will be sent. +# +# See also announce_host and announce_file +#Default: +# announce_port 3131 + +# HTTPD-ACCELERATOR OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: httpd_accel_surrogate_id +# Surrogates (http://www.esi.org/architecture_spec_1.0.html) +# need an identification token to allow control targeting. Because +# a farm of surrogates may all perform the same tasks, they may share +# an identification token. +#Default: +# visible_hostname is used if no specific ID is set. + +# TAG: http_accel_surrogate_remote on|off +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# +# Set this to on to have squid behave as a remote surrogate. +#Default: +# http_accel_surrogate_remote off + +# TAG: esi_parser libxml2|expat|custom +# ESI markup is not strictly XML compatible. The custom ESI parser +# will give higher performance, but cannot handle non ASCII character +# encodings. +#Default: +# esi_parser custom + +# DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: delay_pools +# This represents the number of delay pools to be used. For example, +# if you have one class 2 delay pool and one class 3 delays pool, you +# have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. +#Default: +# delay_pools 0 + +# TAG: delay_class +# This defines the class of each delay pool. There must be exactly one +# delay_class line for each delay pool. 
For example, to define two +# delay pools, one of class 2 and one of class 3, the settings above +# and here would be: +# +# Example: +# delay_pools 4 # 4 delay pools +# delay_class 1 2 # pool 1 is a class 2 pool +# delay_class 2 3 # pool 2 is a class 3 pool +# delay_class 3 4 # pool 3 is a class 4 pool +# delay_class 4 5 # pool 4 is a class 5 pool +# +# The delay pool classes are: +# +# class 1 Everything is limited by a single aggregate +# bucket. +# +# class 2 Everything is limited by a single aggregate +# bucket as well as an "individual" bucket chosen +# from bits 25 through 32 of the IPv4 address. +# +# class 3 Everything is limited by a single aggregate +# bucket as well as a "network" bucket chosen +# from bits 17 through 24 of the IP address and a +# "individual" bucket chosen from bits 17 through +# 32 of the IPv4 address. +# +# class 4 Everything in a class 3 delay pool, with an +# additional limit on a per user basis. This +# only takes effect if the username is established +# in advance - by forcing authentication in your +# http_access rules. +# +# class 5 Requests are grouped according their tag (see +# external_acl's tag= reply). +# +# +# Each pool also requires a delay_parameters directive to configure the pool size +# and speed limits used whenever the pool is applied to a request. Along with +# a set of delay_access directives to determine when it is used. +# +# NOTE: If an IP address is a.b.c.d +# -> bits 25 through 32 are "d" +# -> bits 17 through 24 are "c" +# -> bits 17 through 32 are "c * 256 + d" +# +# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to +# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. +#Default: +# none + +# TAG: delay_access +# This is used to determine which delay pool a request falls into. 
+# +# delay_access is sorted per pool and the matching starts with pool 1, +# then pool 2, ..., and finally pool N. The first delay pool where the +# request is allowed is selected for the request. If it does not allow +# the request to any pool then the request is not delayed (default). +# +# For example, if you want some_big_clients in delay +# pool 1 and lotsa_little_clients in delay pool 2: +# +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# +#Default: +# Deny using the pool, unless allow rules exist in squid.conf for the pool. + +# TAG: delay_parameters +# This defines the parameters for a delay pool. Each delay pool has +# a number of "buckets" associated with it, as explained in the +# description of delay_class. +# +# For a class 1 delay pool, the syntax is: +# delay_pools pool 1 +# delay_parameters pool aggregate +# +# For a class 2 delay pool: +# delay_pools pool 2 +# delay_parameters pool aggregate individual +# +# For a class 3 delay pool: +# delay_pools pool 3 +# delay_parameters pool aggregate network individual +# +# For a class 4 delay pool: +# delay_pools pool 4 +# delay_parameters pool aggregate network individual user +# +# For a class 5 delay pool: +# delay_pools pool 5 +# delay_parameters pool tagrate +# +# The option variables are: +# +# pool a pool number - ie, a number between 1 and the +# number specified in delay_pools as used in +# delay_class lines. +# +# aggregate the speed limit parameters for the aggregate bucket +# (class 1, 2, 3). +# +# individual the speed limit parameters for the individual +# buckets (class 2, 3). +# +# network the speed limit parameters for the network buckets +# (class 3). +# +# user the speed limit parameters for the user buckets +# (class 4). +# +# tagrate the speed limit parameters for the tag buckets +# (class 5). 
+# +# A pair of delay parameters is written restore/maximum, where restore is +# the number of bytes (not bits - modem and network speeds are usually +# quoted in bits) per second placed into the bucket, and maximum is the +# maximum number of bytes which can be in the bucket at any time. +# +# There must be one delay_parameters line for each delay pool. +# +# +# For example, if delay pool number 1 is a class 2 delay pool as in the +# above example, and is being used to strictly limit each host to 64Kbit/sec +# (plus overheads), with no overall limit, the line is: +# +# delay_parameters 1 -1/-1 8000/8000 +# +# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# +# Note that the figure -1 is used to represent "unlimited". +# +# +# And, if delay pool number 2 is a class 3 delay pool as in the above +# example, and you want to limit it to a total of 256Kbit/sec (strict limit) +# with each 8-bit network permitted 64Kbit/sec (strict limit) and each +# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits +# to permit a decent web page to be downloaded at a decent speed +# (if the network is not being limited due to overuse) but slow down +# large downloads more significantly: +# +# delay_parameters 2 32000/32000 8000/8000 600/8000 +# +# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. +# 8 x 8000 KByte/sec -> 64Kbit/sec. +# 8 x 600 Byte/sec -> 4800bit/sec. +# +# +# Finally, for a class 4 delay pool as in the example - each user will +# be limited to 128Kbits/sec no matter how many workstations they are logged into.: +# +# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. 
+# +#Default: +# none + +# TAG: delay_initial_bucket_level (percent, 0-100) +# The initial bucket percentage is used to determine how much is put +# in each bucket when squid starts, is reconfigured, or first notices +# a host accessing it (in class 2 and class 3, individual hosts and +# networks only have buckets associated with them once they have been +# "seen" by squid). +#Default: +# delay_initial_bucket_level 50 + +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. 
+# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + +# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: wccp_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCP disabled. + +# TAG: wccp2_router +# Use this option to define your WCCP ``home'' router for +# Squid. 
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCPv2 disabled.
+
+# TAG: wccp_version
+# This directive is only relevant if you need to set up WCCP(v1)
+# to some very old and end-of-life Cisco routers. In all other
+# setups it must be left unset or at the default setting.
+# It defines an internal version in the WCCP(v1) protocol,
+# with version 4 being the officially documented protocol.
+#
+# According to some users, Cisco IOS 11.2 and earlier only
+# support WCCP version 3. If you're using that or an earlier
+# version of IOS, you may need to change this value to 3, otherwise
+# do not specify this parameter.
+#Default:
+# wccp_version 4
+
+# TAG: wccp2_rebuild_wait
+# If this is enabled Squid will wait for the cache dir rebuild to finish
+# before sending the first wccp2 HereIAm packet
+#Default:
+# wccp2_rebuild_wait on
+
+# TAG: wccp2_forwarding_method
+# WCCP2 allows the setting of forwarding methods between the
+# router/switch and the cache. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment method.
+#Default:
+# wccp2_forwarding_method gre
+
+# TAG: wccp2_return_method
+# WCCP2 allows the setting of return methods between the
+# router/switch and the cache for packets that the cache
+# decides not to handle. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment.
+#
+# If the "ip wccp redirect exclude in" command has been
+# enabled on the cache interface, then it is still safe for
+# the proxy server to use a l2 redirect method even if this
+# option is set to GRE.
+#Default:
+# wccp2_return_method gre
+
+# TAG: wccp2_assignment_method
+# WCCP2 allows the setting of methods to assign the WCCP hash
+# Valid values are as follows:
+#
+# hash - Hash assignment
+# mask - Mask assignment
+#
+# As a general rule, cisco routers support the hash assignment method
+# and cisco switches support the mask assignment method.
+#Default:
+# wccp2_assignment_method hash
+
+# TAG: wccp2_service
+# WCCP2 allows for multiple traffic services. There are two
+# types: "standard" and "dynamic". The standard type defines
+# one service id - http (id 0). The dynamic service ids can be from
+# 51 to 255 inclusive. In order to use a dynamic service id
+# one must define the type of traffic to be redirected; this is done
+# using the wccp2_service_info option.
+#
+# The "standard" type does not require a wccp2_service_info option,
+# just specifying the service id will suffice.
+#
+# MD5 service authentication can be enabled by adding
+# "password=" to the end of this service declaration.
+#
+# Examples:
+#
+# wccp2_service standard 0 # for the 'web-cache' standard service
+# wccp2_service dynamic 80 # a dynamic service type which will be
+# # fleshed out with subsequent options.
+# wccp2_service standard 0 password=foo
+#Default:
+# Use the 'web-cache' standard service.
+
+# TAG: wccp2_service_info
+# Dynamic WCCPv2 services require further information to define the
+# traffic you wish to have diverted.
+#
+# The format is:
+#
+# wccp2_service_info protocol= flags=,..
+# priority= ports=,..
+#
+# The relevant WCCPv2 flags:
+# + src_ip_hash, dst_ip_hash
+# + source_port_hash, dst_port_hash
+# + src_ip_alt_hash, dst_ip_alt_hash
+# + src_port_alt_hash, dst_port_alt_hash
+# + ports_source
+#
+# The port list can be one to eight entries.
+#
+# Example:
+#
+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
+# priority=240 ports=80
+#
+# Note: the service id must have been defined by a previous
+# 'wccp2_service dynamic ' entry.
+#Default:
+# none
+
+# TAG: wccp2_weight
+# Each cache server gets assigned a set of the destination
+# hash proportional to their weight.
+#Default:
+# wccp2_weight 10000
+
+# TAG: wccp_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# TAG: wccp2_address
+# Use this option if you require WCCP to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# PERSISTENT CONNECTION HANDLING
+# -----------------------------------------------------------------------------
+#
+# Also see "pconn_timeout" in the TIMEOUTS section
+
+# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
+#Default:
+# client_persistent_connections on
+
+# TAG: server_persistent_connections
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
+#Default:
+# server_persistent_connections on
+
+# TAG: persistent_connection_after_error
+# With this directive the use of persistent connections after
+# HTTP errors can be disabled. Useful if you have clients
+# who fail to handle errors on persistent connections proper.
+#Default:
+# persistent_connection_after_error on
+
+# TAG: detect_broken_pconn
+# Some servers have been found to incorrectly signal the use
+# of HTTP/1.0 persistent connections even on replies not
+# compatible, causing significant delays. This server problem
+# has mostly been seen on redirects.
+#
+# By enabling this directive Squid attempts to detect such
+# broken replies and automatically assume the reply is finished
+# after 10 seconds timeout.
+#Default:
+# detect_broken_pconn off
+
+# CACHE DIGEST OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: digest_generation
+# This controls whether the server will generate a Cache Digest
+# of its contents. By default, Cache Digest generation is
+# enabled if Squid is compiled with --enable-cache-digests defined.
+#Default:
+# digest_generation on
+
+# TAG: digest_bits_per_entry
+# This is the number of bits of the server's Cache Digest which
+# will be associated with the Digest entry for a given HTTP
+# Method and URL (public key) combination. The default is 5.
+#Default:
+# digest_bits_per_entry 5
+
+# TAG: digest_rebuild_period (seconds)
+# This is the wait time between Cache Digest rebuilds.
+#Default:
+# digest_rebuild_period 1 hour
+
+# TAG: digest_rewrite_period (seconds)
+# This is the wait time between Cache Digest writes to
+# disk.
+#Default:
+# digest_rewrite_period 1 hour
+
+# TAG: digest_swapout_chunk_size (bytes)
+# This is the number of bytes of the Cache Digest to write to
+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
+# default swap page.
+#Default:
+# digest_swapout_chunk_size 4096 bytes
+
+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
+# This is the percentage of the Cache Digest to be scanned at a
+# time. By default it is set to 10% of the Cache Digest.
+#Default:
+# digest_rebuild_chunk_percentage 10
+
+# SNMP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: snmp_port
+# The port number where Squid listens for SNMP requests. To enable
+# SNMP support set this to a suitable port number. Port number
+# 3401 is often used for the Squid SNMP agent. By default it's
+# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
+#Default:
+# SNMP disabled.
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: snmp_incoming_address
+# Just like 'udp_incoming_address', but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+#
+# The default snmp_incoming_address is to listen on all
+# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use the same port.
+#Default:
+# Use snmp_incoming_address or an address selected by the operating system.
+
+# ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icp_port
+# The port number where Squid sends and receives ICP queries to
+# and from neighbor caches. The standard UDP port for ICP is 3130.
+#
+# Example:
+# icp_port 3130
+#Default:
+# ICP disabled.
+
+# TAG: htcp_port
+# The port number where Squid sends and receives HTCP queries to
+# and from neighbor caches. To turn it on you want to set it to
+# 4827.
+#
+# Example:
+# htcp_port 4827
+#Default:
+# HTCP disabled.
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log. You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#Default:
+# log_icp_queries on
+
+# TAG: udp_incoming_address
+# udp_incoming_address is used for UDP packets received from other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Only change this if you want to have all UDP queries received on
+# a specific interface/address.
+#
+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_outgoing_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Accept packets from all machine interfaces.
+
+# TAG: udp_outgoing_address
+# udp_outgoing_address is used for UDP packets sent out to other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Instead it will use the same socket as udp_incoming_address.
+# Only change this if you want to have UDP queries sent using another
+# address than where this Squid listens for UDP queries from other
+# caches.
+#
+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_incoming_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Use udp_incoming_address or an address selected by the operating system.
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control,
+# it is probably okay to set this to 'on'.
+# If set to 'on', your siblings should use the option "allow-miss"
+# on their cache_peer lines for connecting to you.
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away.
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt (msec)
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_low 900
+
+# TAG: netdb_high
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# maximum_icp_query_timeout 2000
+
+# TAG: minimum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very small timeouts, even lower than
+# the normal latency variance on your link due to traffic.
+# Use this option to put an lower limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# minimum_icp_query_timeout 5
+
+# TAG: background_ping_rate time-units
+# Controls how often the ICP pings are sent to siblings that
+# have background-ping set.
+#Default:
+# background_ping_rate 10 seconds
+
+# MULTICAST ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: mcast_groups
+# This tag specifies a list of multicast groups which your server
+# should join to receive multicasted ICP queries.
+#
+# NOTE! Be very careful what you put here! Be sure you
+# understand the difference between an ICP _query_ and an ICP
+# _reply_. This option is to be set only if you want to RECEIVE
+# multicast queries. Do NOT set this option to SEND multicast
+# ICP (use cache_peer for that). ICP replies are always sent via
+# unicast, so this option does not affect whether or not you will
+# receive replies from multicast group members.
+#
+# You must be very careful to NOT use a multicast address which
+# is already in use by another group of caches.
+#
+# If you are unsure about multicast, please read the Multicast
+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
+#
+# Usage: mcast_groups 239.128.16.128 224.0.1.20
+#
+# By default, Squid doesn't listen on any multicast groups.
+#Default:
+# none
+
+# TAG: mcast_miss_addr
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# If you enable this option, every "cache miss" URL will
+# be sent out on the specified multicast address.
+#
+# Do not enable this option unless you are are absolutely
+# certain you understand what you are doing.
+#Default:
+# disabled.
+
+# TAG: mcast_miss_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the time-to-live value for packets multicasted
+# when multicasting off cache miss URLs is enabled. By
+# default this is set to 'site scope', i.e. 16.
+#Default:
+# mcast_miss_ttl 16
+
+# TAG: mcast_miss_port
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the port number to be used in conjunction with
+# 'mcast_miss_addr'.
+#Default:
+# mcast_miss_port 3135
+
+# TAG: mcast_miss_encode_key
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# The URLs that are sent in the multicast miss stream are
+# encrypted. This is the encryption key.
+#Default:
+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
+
+# TAG: mcast_icp_query_timeout (msec)
+# For multicast peers, Squid regularly sends out ICP "probes" to
+# count how many other peers are listening on the given multicast
+# address. This value specifies how long Squid should wait to
+# count all the replies. The default is 2000 msec, or 2
+# seconds.
+#Default:
+# mcast_icp_query_timeout 2000
+
+# INTERNAL ICON OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/share/squid3/icons
+#Default:
+# icon_directory /usr/share/squid3/icons
+
+# TAG: global_internal_static
+# This directive controls is Squid should intercept all requests for
+# /squid-internal-static/ no matter which host the URL is requesting
+# (default on setting), or if nothing special should be done for
+# such URLs (off setting). The purpose of this directive is to make
+# icons etc work better in complex cache hierarchies where it may
+# not always be possible for all corners in the cache mesh to reach
+# the server generating a directory listing.
+#Default:
+# global_internal_static on
+
+# TAG: short_icon_urls
+# If this is enabled Squid will use short URLs for icons.
+# If disabled it will revert to the old behavior of including
+# it's own name and port in the URL.
+#
+# If you run a complex cache hierarchy with a mix of Squid and
+# other proxies you may need to disable this directive.
+#Default:
+# short_icon_urls on
+
+# ERROR PAGE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: error_directory
+# If you wish to create your own versions of the default
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are making translations for a
+# language that Squid does not currently provide please consider
+# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# Send error pages in the clients preferred language
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# Generate English language pages.
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
+#
+# For information on CSS see http://www.w3.org/Style/CSS/
+#Default:
+# err_page_stylesheet /etc/squid3/errorpage.css
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#Default:
+# none
+
+# TAG: email_err_data on|off
+# If enabled, information about the occurred error will be
+# included in the mailto links of the ERR pages (if %W is set)
+# so that the email body contains the data.
+# Syntax is %w
+#Default:
+# email_err_data on
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# or deny_info http://... acl
+# or deny_info TCP_RESET acl
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. Squid remembers the last
+# acl it evaluated in http_access, and if a 'deny_info' line exists
+# for that ACL Squid returns a corresponding error page.
+#
+# The acl is typically the last acl on the http_access deny line which
+# denied access. The exceptions to this rule are:
+# - When Squid needs to request authentication credentials. It's then
+# the first authentication related acl encountered
+# - When none of the http_access lines matches. It's then the last
+# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
+#
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+#
+# Alternatively you can tell Squid to reset the TCP connection
+# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
+#Default:
+# none
+
+# OPTIONS INFLUENCING REQUEST FORWARDING
+# -----------------------------------------------------------------------------
+
+# TAG: nonhierarchical_direct
+# By default, Squid will send any non-hierarchical requests
+# (matching hierarchy_stoplist or not cacheable request type) direct
+# to origin servers.
+#
+# When this is set to "off", Squid will prefer to send these
+# requests to parents.
+#
+# Note that in most configurations, by turning this off you will only
+# add latency to these request without any improvement in global hit
+# ratio.
+#
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
+#Default:
+# nonhierarchical_direct on
+
+# TAG: prefer_direct
+# Normally Squid tries to use parents for most requests. If you for some
+# reason like it to first try going direct and only use a parent if
+# going direct fails set this to on.
+#
+# By combining nonhierarchical_direct off and prefer_direct on you
+# can set up Squid to use a parent as a backup path if going direct
+# fails.
+#
+# Note: If you want Squid to use parents for all requests see
+# the never_direct directive. prefer_direct only modifies how Squid
+# acts on cacheable requests.
+#Default:
+# prefer_direct off
+
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server. This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded by Squid to the origin servers without using
+# any peers. For example, to always directly forward requests for
+# local servers ignoring any parents or siblings you may have use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain .foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# NOTE: If your goal is to make the client forward the request
+# directly to the origin server bypassing Squid then this needs
+# to be done in the client configuration. Squid configuration
+# can only tell Squid how Squid should fetch the object.
+#
+# NOTE: This directive is not related to caching. The replies
+# is cached as usual even if you use always_direct. To not cache
+# the replies see the 'cache' directive.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Prevent any cache_peer being used for this request.
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain .foo.net
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if Squid is inside a firewall and there are local intranet
+# servers inside the firewall use something like:
+#
+# acl local-intranet dstdomain .foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow DNS results to be used for this request.
+
+# ADVANCED NETWORKING OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_udp_average 6
+
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_tcp_average 4
+
+# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_dns_average 4
+
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_udp_poll_cnt 8
+
+# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_dns_poll_cnt 8
+
+# TAG: min_tcp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_tcp_poll_cnt 8
+
+# TAG: accept_filter
+# FreeBSD:
+#
+# The name of an accept(2) filter to install on Squid's
+# listen socket(s). This feature is perhaps specific to
+# FreeBSD and requires support in the kernel.
+#
+# The 'httpready' filter delays delivering new connections
+# to Squid until a full HTTP request has been received.
+# See the accf_http(9) man page for details.
+#
+# The 'dataready' filter delays delivering new connections
+# to Squid until there is some data to process.
+# See the accf_dataready(9) man page for details.
+#
+# Linux:
+#
+# The 'data' filter delays delivering of new connections
+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
+# You may optionally specify a number of seconds to wait by
+# 'data=N' where N is the number of seconds. Defaults to 30
+# if not specified. See the tcp(7) man page for details.
+#EXAMPLE:
+## FreeBSD
+#accept_filter httpready
+## Linux
+#accept_filter data
+#Default:
+# none
+
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# No limit.
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
+#Default:
+# Use operating system TCP defaults.
+
+# ICAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icap_enable on|off
+# If you want to enable the ICAP module support, set this to on.
+#Default:
+# icap_enable off
+
+# TAG: icap_connect_timeout
+# This parameter specifies how long to wait for the TCP connect to
+# the requested ICAP server to complete before giving up and either
+# terminating the HTTP transaction or bypassing the failure.
+#
+# The default for optional services is peer_connect_timeout.
+# The default for essential services is connect_timeout.
+# If this option is explicitly set, its value applies to all services.
+#Default:
+# none
+
+# TAG: icap_io_timeout time-units
+# This parameter specifies how long to wait for an I/O activity on
+# an established, active ICAP connection before giving up and
+# either terminating the HTTP transaction or bypassing the
+# failure.
+#Default:
+# Use read_timeout.
+
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
+# The limit specifies the number of failures that Squid tolerates
+# when establishing a new TCP connection with an ICAP service. If
+# the number of failures exceeds the limit, the ICAP service is
+# not used for new ICAP requests until it is time to refresh its
+# OPTIONS.
+#
+# A negative value disables the limit. Without the limit, an ICAP
+# service will not be considered down due to connectivity failures
+# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth. The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
+#Default:
+# icap_service_failure_limit 10
+
+# TAG: icap_service_revival_delay
+# The delay specifies the number of seconds to wait after an ICAP
+# OPTIONS request failure before requesting the options again. The
+# failed ICAP service is considered "down" until fresh OPTIONS are
+# fetched.
+#
+# The actual delay cannot be smaller than the hardcoded minimum
+# delay of 30 seconds.
+#Default:
+# icap_service_revival_delay 180
+
+# TAG: icap_preview_enable on|off
+# The ICAP Preview feature allows the ICAP server to handle the
+# HTTP message by looking only at the beginning of the message body
+# or even without receiving the body at all. In some environments,
+# previews greatly speedup ICAP processing.
+#
+# During an ICAP OPTIONS transaction, the server may tell Squid what
+# HTTP messages should be previewed and how big the preview should be.
+# Squid will not use Preview if the server did not request one.
+#
+# To disable ICAP Preview for all ICAP services, regardless of
+# individual ICAP server OPTIONS responses, set this option to "off".
+#Example:
+#icap_preview_enable off
+#Default:
+# icap_preview_enable on
+
+# TAG: icap_preview_size
+# The default size of preview data to be sent to the ICAP server.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
+#Default:
+# icap_206_enable on
+
+# TAG: icap_default_options_ttl
+# The default TTL value for ICAP OPTIONS responses that don't have
+# an Options-TTL header.
+#Default:
+# icap_default_options_ttl 60
+
+# TAG: icap_persistent_connections on|off
+# Whether or not Squid should use persistent connections to
+# an ICAP server.
+#Default:
+# icap_persistent_connections on
+
+# TAG: adaptation_send_client_ip on|off
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
+#Default:
+# adaptation_send_client_ip off
+
+# TAG: adaptation_send_username on|off
+# This sends authenticated HTTP client username (if available) to
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
+# icap_client_username_encode option and is sent using the header
+# specified by the icap_client_username_header option.
+#Default:
+# adaptation_send_username off
+
+# TAG: icap_client_username_header
+# ICAP request header name to use for adaptation_send_username.
+#Default:
+# icap_client_username_header X-Client-Username
+
+# TAG: icap_client_username_encode on|off
+# Whether to base64 encode the authenticated client username.
+#Default:
+# icap_client_username_encode off
+
+# TAG: icap_service
+# Defines a single ICAP service using the following format:
+#
+# icap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# ICAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: icap://servername:port/servicepath
+# ICAP server and service location.
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled. No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on
+#Default:
+# none
+
+# TAG: icap_class
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Defines a single eCAP service
+#
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
+# HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#
+#Example:
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
+#Default:
+# none
+
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
+#
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable. If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
+#
+#Example:
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services. If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
+#Default:
+# none
+
+# TAG: adaptation_access
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+#
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
+#
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
+#
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
+#
+#Example:
+#adaptation_access service_1 allow all
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: adaptation_service_iteration_limit
+# Limits the number of iterations allowed when applying adaptation
+# services to a message. If your longest adaptation set or chain
+# may have more than 16 services, increase the limit beyond its
+# default value of 16. If detecting infinite iteration loops sooner
+# is critical, make the iteration limit match the actual number
+# of services in your longest adaptation set or chain.
+#
+# Infinite adaptation loops are most likely with routing services.
+#
+# See also: icap_service routing=1
+#Default:
+# adaptation_service_iteration_limit 16
+
+# TAG: adaptation_masterx_shared_names
+# For each master transaction (i.e., the HTTP request and response
+# sequence, including all related ICAP and eCAP exchanges), Squid
+# maintains a table of metadata. The table entries are (name, value)
+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
+# with the master transaction.
+#
+# This option specifies the table entry names that Squid must accept
+# from and forward to the adaptation transactions.
+#
+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by returning an ICAP header field with a name
+# specified in adaptation_masterx_shared_names.
+#
+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by implementing the libecap::visitEachOption() API
+# to provide an option with a name specified in
+# adaptation_masterx_shared_names.
+#
+# Squid will store and forward the set entry to subsequent adaptation
+# transactions within the same master transaction scope.
+#
+# Only one shared entry name is supported at this time.
+#
+#Example:
+## share authentication information among ICAP services
+#adaptation_masterx_shared_names X-Subscriber-ID
+#Default:
+# none
+
+# TAG: adaptation_meta
+# This option allows Squid administrator to add custom ICAP request
+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
+# Use it to pass custom authentication tokens and other
+# transaction-state related meta information to an ICAP/eCAP service.
+#
+# The addition of a meta header is ACL-driven:
+# adaptation_meta name value [!]aclname ...
+#
+# Processing for a given header name stops after the first ACL list match.
+# Thus, it is impossible to add two headers with the same name. If no ACL
+# lists match for a given header name, no such header is added. For
+# example:
+#
+# # do not debug transactions except for those that need debugging
+# adaptation_meta X-Debug 1 needs_debugging
+#
+# # log all transactions except for those that must remain secret
+# adaptation_meta X-Log 1 !keep_secret
+#
+# # mark transactions from users in the "G 1" group
+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
+#
+# The "value" parameter may be a regular squid.conf token or a "double
+# quoted string". Within the quoted string, use backslash (\) to escape
+# any character, which is currently only useful for escaping backslashes
+# and double quotes. For example,
+# "this string has one backslash (\\) and two \"quotes\""
+#
+# Used adaptation_meta header values may be logged via %note
+# logformat code. If multiple adaptation_meta headers with the same name
+# are used during master transaction lifetime, the header values are
+# logged in the order they were used and duplicate values are ignored
+# (only the first repeated value will be logged).
+#Default:
+# none
+
+# TAG: icap_retry
+# This ACL determines which retriable ICAP transactions are
+# retried. Transactions that received a complete ICAP response
+# and did not have to consume or produce HTTP bodies to receive
+# that response are usually retriable.
+#
+# icap_retry allow|deny [!]aclname ...
+#
+# Squid automatically retries some ICAP I/O timeouts and errors
+# due to persistent connection race conditions.
+#
+# See also: icap_retry_limit
+#Default:
+# icap_retry deny all
+
+# TAG: icap_retry_limit
+# Limits the number of retries allowed.
+#
+# Communication errors due to persistent connection race
+# conditions are unavoidable, automatically retried, and do not
+# count against this limit.
+#
+# See also: icap_retry
+#Default:
+# No retries are allowed.
+
+# DNS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: check_hostnames
+# For security and stability reasons Squid can check
+# hostnames for Internet standard RFC compliance. If you want
+# Squid to perform these checks turn this directive on.
+#Default:
+# check_hostnames off
+
+# TAG: allow_underscore
+# Underscore characters is not strictly allowed in Internet hostnames
+# but nevertheless used by many sites. Set this to off if you want
+# Squid to be strict about the standard.
+# This check is performed only when check_hostnames is set to on.
+#Default:
+# allow_underscore on
+
+# TAG: cache_dns_program
+# Note: This option is only available if Squid is rebuilt with the
+# --disable-internal-dns
+#
+# Specify the location of the executable for dnslookup process.
+#Default:
+# cache_dns_program /usr/lib/squid3/dnsserver
+
+# TAG: dns_children
+# Note: This option is only available if Squid is rebuilt with the
+# --disable-internal-dns
+#
+# The maximum number of processes spawn to service DNS name lookups.
+# If you limit it too few Squid will have to wait for them to process
+# a backlog of requests, slowing it down. If you allow too many they
+# will use RAM and other system resources noticably.
+# The maximum this may be safely set to is 32.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#Default:
+# dns_children 32 startup=1 idle=1
+
+# TAG: dns_retransmit_interval
+# Initial retransmit interval for DNS queries. The interval is
+# doubled each time all configured DNS servers have been tried.
+#Default:
+# dns_retransmit_interval 5 seconds
+
+# TAG: dns_timeout
+# DNS Query timeout. If no response is received to a DNS query
+# within this time all DNS servers for the queried domain
+# are assumed to be unavailable.
+#Default:
+# dns_timeout 30 seconds
+
+# TAG: dns_packet_max
+# Maximum number of bytes packet size to advertise via EDNS.
+# Set to "none" to disable EDNS large packet support.
+#
+# For legacy reasons DNS UDP replies will default to 512 bytes which
+# is too small for many responses. EDNS provides a means for Squid to
+# negotiate receiving larger responses back immediately without having
+# to failover with repeat requests. Responses larger than this limit
+# will retain the old behaviour of failover to TCP DNS.
+#
+# Squid has no real fixed limit internally, but allowing packet sizes
+# over 1500 bytes requires network jumbogram support and is usually not
+# necessary.
+#
+# WARNING: The RFC also indicates that some older resolvers will reply
+# with failure of the whole request if the extension is added. Some
+# resolvers have already been identified which will reply with mangled
+# EDNS response on occasion. Usually in response to many-KB jumbogram
+# sizes being advertised by Squid.
+# Squid will currently treat these both as an unable-to-resolve domain
+# even if it would be resolvable without EDNS.
+#Default:
+# EDNS disabled
+
+# TAG: dns_defnames on|off
+# Normally the RES_DEFNAMES resolver option is disabled
+# (see res_init(3)). This prevents caches in a hierarchy
+# from interpreting single-component hostnames locally. To allow
+# Squid to handle single-component names, enable this option.
+#Default:
+# Search for single-label domain names is disabled.
+
+# TAG: dns_multicast_local on|off
+# When set to on, Squid sends multicast DNS lookups on the local
+# network for domains ending in .local and .arpa.
+# This enables local servers and devices to be contacted in an
+# ad-hoc or zero-configuration network environment.
+#Default:
+# Search for .local and .arpa names is disabled.
+
+# TAG: dns_nameservers
+# Use this if you want to specify a list of DNS name servers
+# (IP addresses) to use instead of those given in your
+# /etc/resolv.conf file.
+#
+# On Windows platforms, if no value is specified here or in
+# the /etc/resolv.conf file, the list of DNS name servers are
+# taken from the Windows registry, both static and dynamic DHCP
+# configurations are supported.
+#
+# Example: dns_nameservers 10.0.0.1 192.172.0.4
+#Default:
+# Use operating system definitions
+
+# TAG: hosts_file
+# Location of the host-local IP name-address associations
+# database. Most Operating Systems have such a file on different
+# default locations:
+# - Un*X & Linux: /etc/hosts
+# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\winnt)
+# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\windows)
+# - Windows 9x/Me: %windir%\hosts
+# (%windir% value is usually c:\windows)
+# - Cygwin: /etc/hosts
+#
+# The file contains newline-separated definitions, in the
+# form ip_address_in_dotted_form name [name ...] names are
+# whitespace-separated. Lines beginning with an hash (#)
+# character are comments.
+#
+# The file is checked at startup and upon configuration.
+# If set to 'none', it won't be checked.
+# If append_domain is used, that domain will be added to
+# domain-local (i.e. not containing any dot character) host
+# definitions.
+#Default:
+# hosts_file /etc/hosts
+
+# TAG: append_domain
+# Appends local domain name to hostnames without any dots in
+# them. append_domain must begin with a period.
+#
+# Be warned there are now Internet names with no dots in
+# them using only top-domain names, so setting this may
+# cause some Internet sites to become unavailable.
+#
+#Example:
+# append_domain .yourdomain.com
+#Default:
+# Use operating system definitions
+
+# TAG: ignore_unknown_nameservers
+# By default Squid checks that DNS responses are received
+# from the same IP addresses they are sent to. If they
+# don't match, Squid ignores the response and writes a warning
+# message to cache.log. You can allow responses from unknown
+# nameservers by setting this option to 'off'.
+#Default:
+# ignore_unknown_nameservers on
+
+# TAG: dns_v4_first
+# With the IPv6 Internet being as fast or faster than IPv4 Internet
+# for most networks Squid prefers to contact websites over IPv6.
+#
+# This option reverses the order of preference to make Squid contact
+# dual-stack websites over IPv4 first. Squid will still perform both
+# IPv6 and IPv4 DNS lookups before connecting.
+#
+# WARNING:
+# This option will restrict the situations under which IPv6
+# connectivity is used (and tested), potentially hiding network
+# problems which would otherwise be detected and warned about.
+#Default:
+# dns_v4_first off
+
+# TAG: ipcache_size (number of entries)
+# Maximum number of DNS IP cache entries.
+#Default:
+# ipcache_size 1024
+
+# TAG: ipcache_low (percent)
+#Default:
+# ipcache_low 90
+
+# TAG: ipcache_high (percent)
+# The size, low-, and high-water marks for the IP cache.
+#Default:
+# ipcache_high 95
+
+# TAG: fqdncache_size (number of entries)
+# Maximum number of FQDN cache entries.
+#Default:
+# fqdncache_size 1024
+
+# MISCELLANEOUS
+# -----------------------------------------------------------------------------
+
+# TAG: configuration_includes_quoted_values on|off
+# Previous Squid versions have defined "quoted/string" as syntax for
+# ACL to signifiy the value is an included file containing values and
+# has treated the " characters in other places of the configuration file
+# as part of the parameter value it was used for.
+#
+# For compatibility with existing installations that behaviour
+# remains the default.
+#
+# If this directive is set to 'on', Squid will start parsing each
+# "quoted string" as a single configuration directive parameter. The
+# quotes are stripped before the parameter value is interpreted or use.
+#
+# That will continue for all lines until this directive is set to 'off',
+# where Squid will return to the default configuration parsing.
+#
+# For example;
+#
+# configuration_includes_quoted_values on
+# acl group external groupCheck Administrators "Internet Users" Guest
+# configuration_includes_quoted_values off
+#
+#Default:
+# configuration_includes_quoted_values off
+
+# TAG: memory_pools on|off
+# If set, Squid will keep pools of allocated (but unused) memory
+# available for future use. If memory is a premium on your
+# system and you believe your malloc library outperforms Squid
+# routines, disable this.
+#Default:
+# memory_pools on
+
+# TAG: memory_pools_limit (bytes)
+# Used only with memory_pools on:
+# memory_pools_limit 50 MB
+#
+# If set to a non-zero value, Squid will keep at most the specified
+# limit of allocated (but unused) memory in memory pools. All free()
+# requests that exceed this limit will be handled by your malloc
+# library. Squid does not pre-allocate any memory, just safe-keeps
+# objects that otherwise would be free()d. Thus, it is safe to set
+# memory_pools_limit to a reasonably high value even if your
+# configuration will use less memory.
+#
+# If set to none, Squid will keep all memory it can. That is, there
+# will be no limit on the total amount of memory used for safe-keeping.
+#
+# To disable memory allocation optimization, do not set
+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
+#
+# An overhead for maintaining memory pools is not taken into account
+# when the limit is checked. This overhead is close to four bytes per
+# object kept. However, pools may actually _save_ memory because of
+# reduced memory thrashing in your malloc library.
+#Default:
+# memory_pools_limit 5 MB
+
+# TAG: forwarded_for on|off|transparent|truncate|delete
+# If set to "on", Squid will append your client's IP address
+# in the HTTP requests it forwards. By default it looks like:
+#
+# X-Forwarded-For: 192.1.2.3
+#
+# If set to "off", it will appear as
+#
+# X-Forwarded-For: unknown
+#
+# If set to "transparent", Squid will not alter the
+# X-Forwarded-For header in any way.
+#
+# If set to "delete", Squid will delete the entire
+# X-Forwarded-For header.
+#
+# If set to "truncate", Squid will remove all existing
+# X-Forwarded-For entries, and place the client IP as the sole entry.
+#Default:
+# forwarded_for on
+
+# TAG: cachemgr_passwd
+# Specify passwords for cachemgr operations.
+#
+# Usage: cachemgr_passwd password action action ...
+#
+# Some valid actions are (see cache manager menu for a full list):
+# 5min
+# 60min
+# asndb
+# authenticator
+# cbdata
+# client_list
+# comm_incoming
+# config *
+# counters
+# delay
+# digest_stats
+# dns
+# events
+# filedescriptors
+# fqdncache
+# histograms
+# http_headers
+# info
+# io
+# ipcache
+# mem
+# menu
+# netdb
+# non_peers
+# objects
+# offline_toggle *
+# pconn
+# peer_select
+# reconfigure *
+# redirector
+# refresh
+# server_list
+# shutdown *
+# store_digest
+# storedir
+# utilization
+# via_headers
+# vm_objects
+#
+# * Indicates actions which will not be performed without a
+# valid password, others can be performed if not listed here.
+#
+# To disable an action, set the password to "disable".
+# To allow performing an action without a password, set the
+# password to "none".
+#
+# Use the keyword "all" to set the same password for all actions.
+#
+#Example:
+# cachemgr_passwd secret shutdown
+# cachemgr_passwd lesssssssecret info stats/objects
+# cachemgr_passwd disable all
+#Default:
+# No password. Actions which require password are denied.
+
+# TAG: client_db on|off
+# If you want to disable collecting per-client statistics,
+# turn off client_db here.
+#Default:
+# client_db on
+
+# TAG: refresh_all_ims on|off
+# When you enable this option, squid will always check
+# the origin server for an update when a client sends an
+# If-Modified-Since request. Many browsers use IMS
+# requests when the user requests a reload, and this
+# ensures those clients receive the latest version.
+#
+# By default (off), squid may return a Not Modified response
+# based on the age of the cached version.
+#Default:
+# refresh_all_ims off
+
+# TAG: reload_into_ims on|off
+# When you enable this option, client no-cache or ``reload''
+# requests will be changed to If-Modified-Since requests.
+# Doing this VIOLATES the HTTP standard. Enabling this
+# feature could make you liable for problems which it
+# causes.
+# +# see also refresh_pattern for a more selective approach. +#Default: +# reload_into_ims off + +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. +# +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. +# +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. +#Default: +# Do not retry failed connections. + +# TAG: retry_on_error +# If set to ON Squid will automatically retry requests when +# receiving an error response with status 403 (Forbidden), +# 500 (Internal Error), 501 or 503 (Service not available). +# Status 502 and 504 (Gateway errors) are always retried. +# +# This is mainly useful if you are in a complex cache hierarchy to +# work around access control errors. +# +# NOTE: This retry will attempt to find another working destination. +# Which is different from the server which just failed. +#Default: +# retry_on_error off + +# TAG: as_whois_server +# WHOIS server to query for AS numbers. NOTE: AS numbers are +# queried only when Squid starts up, not for every request. +#Default: +# as_whois_server whois.ra.net + +# TAG: offline_mode +# Enable this option and Squid will never try to validate cached +# objects. +#Default: +# offline_mode off + +# TAG: uri_whitespace +# What to do with requests that have whitespace characters in the +# URI. Options: +# +# strip: The whitespace characters are stripped out of the URL. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# +# deny: The request is denied. 
The user receives an "Invalid +# Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# +# allow: The request is allowed and the URI is not changed. The +# whitespace characters remain in the URI. Note the +# whitespace is passed to redirector processes if they +# are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# +# encode: The request is allowed and the whitespace characters are +# encoded according to RFC1738. +# +# chop: The request is allowed and the URI is chopped at the +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. +#Default: +# uri_whitespace strip + +# TAG: chroot +# Specifies a directory where Squid should do a chroot() while +# initializing. This also causes Squid to fully drop root +# privileges after initializing. This means, for example, if you +# use a HTTP port less than 1024 and try to reconfigure, you may +# get an error saying that Squid can not open the port. +#Default: +# none + +# TAG: balance_on_multiple_ip +# Modern IP resolvers in squid sort lookup results by preferred access. +# By default squid will use these IP in order and only rotates to +# the next listed when the most preffered fails. +# +# Some load balancing servers based on round robin DNS have been +# found not to preserve user session state across requests +# to different IP addresses. +# +# Enabling this directive Squid rotates IP's per request. +#Default: +# balance_on_multiple_ip off + +# TAG: pipeline_prefetch +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. 
If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging +# reasons. +# +# NOTE: pipelining requires persistent connections to clients. +# +# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. +#Default: +# Do not pre-parse pipelined requests. + +# TAG: high_response_time_warning (msec) +# If the one-minute median response time exceeds this value, +# Squid prints a WARNING with debug level 0 to get the +# administrators attention. The value is in milliseconds. +#Default: +# disabled. + +# TAG: high_page_fault_warning +# If the one-minute average page fault rate exceeds this +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. The value is in page faults +# per second. +#Default: +# disabled. + +# TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by mallinfo) exceeds +# this amount, Squid prints a WARNING with debug level 0 to get +# the administrators attention. +#Default: +# disabled. + +# TAG: sleep_after_fork (microseconds) +# When this is set to a non-zero value, the main Squid process +# sleeps the specified number of microseconds after a fork() +# system call. This sleep may help the situation where your +# system reports fork() failures due to lack of (virtual) +# memory. Note, however, if you have a lot of child +# processes, these sleep delays will add up and your +# Squid will not service requests for some amount of time +# until all the child processes have been started. +# On Windows value less then 1000 (1 milliseconds) are +# rounded to 1000. 
+#Default: +# sleep_after_fork 0 + +# TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# +# On Windows Squid by default will monitor IP address changes and will +# reconfigure itself after any detected event. This is very useful for +# proxies connected to internet with dial-up interfaces. +# In some cases (a Proxy server acting as VPN gateway is one) it could be +# desiderable to disable this behaviour setting this to 'off'. +# Note: after changing this, Squid service must be restarted. +#Default: +# windows_ipaddrchangemonitor on + +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + +# TAG: max_filedescriptors +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. +# +# Remove from squid.conf to inherit the current ulimit setting. +# +# Note: Changing this requires a restart of Squid. Also +# not all I/O types supports large values (eg on Windows). +#Default: +# Use operating system limits set by ulimit. + +# TAG: workers +# Number of main Squid processes or "workers" to fork and maintain. +# 0: "no daemon" mode, like running "squid -N ..." +# 1: "no SMP" mode, start one main Squid process daemon (default) +# N: start N main Squid process daemons (i.e., SMP mode) +# +# In SMP mode, each worker does nearly all what a single Squid daemon +# does (e.g., listen on http_port and forward HTTP requests). +#Default: +# SMP support disabled. + +# TAG: cpu_affinity_map +# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,... +# +# Sets 1:1 mapping between Squid processes and CPU cores. For example, +# +# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7 +# +# affects processes 1 through 4 only and places them on the first +# four even cores, starting with core #1. +# +# CPU cores are numbered starting from 1. 
Requires support for
+# sched_getaffinity(2) and sched_setaffinity(2) system calls.
+#
+# Multiple cpu_affinity_map options are merged.
+#
+# See also: workers
+#Default:
+# Let operating system decide.
+
diff --git a/roles/squid/handlers/main.yml b/roles/squid/handlers/main.yml
new file mode 100644
index 0000000..d309cc2
--- /dev/null
+++ b/roles/squid/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart squid
+ service: name=squid state=restarted
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
new file mode 100644
index 0000000..ae557d8
--- /dev/null
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Installation squid
+ apt: name=squid state=present
+
+- name: Copie du fichier squid.conf
+ copy: src=squid.{{ansible_hostname}}.conf dest=/etc/squid/squid.conf
+ notify:
+ - restart squid
diff --git a/roles/ssh-cli/tasks/main.yml b/roles/ssh-cli/tasks/main.yml
new file mode 100644
index 0000000..ea32e53
--- /dev/null
+++ b/roles/ssh-cli/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Creation de .ssh
+ file: path=/root/.ssh mode=0700 state=directory
+
+- name: Copie cle public s-adm
+ shell: curl 192.168.99.99/id_rsa.pub > ~/.ssh/authorized_keys
+
+#- name: Copie cle public s-spec
+# shell: curl 192.168.99.10/id_rsa.pub >> ~/.ssh/authorized_keys
diff --git a/roles/ssh-root-access/tasks/main.yml b/roles/ssh-root-access/tasks/main.yml
new file mode 100644
index 0000000..d9f0a6b
--- /dev/null
+++ b/roles/ssh-root-access/tasks/main.yml
@@ -0,0 +1,7 @@
+- name: Activation acces ssh root pour r-vp1 (certificat)
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin yes"
+ state: present
+
diff --git a/roles/sshk/tasks/main.yml b/roles/sshk/tasks/main.yml
new file mode 100644
index 0000000..8c89382
--- /dev/null
+++ b/roles/sshk/tasks/main.yml
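Review bot: The `copy` of squid.{{ansible_hostname}}.conf in the second squid task writes straight to /etc/squid/squid.conf with no syntax check, so a broken per-host file is only noticed when the `restart squid` handler fails and the proxy stays down. Adding `validate: 'squid -k parse -f %s'` to that copy task makes Ansible reject the file before the live one is replaced. The `src` also requires a per-host file for every `ansible_hostname` that runs the role; a missing one fails the play with a file-not-found from the copy module rather than a clear message.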
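Review bot: `shell: curl 192.168.99.99/id_rsa.pub > ~/.ssh/authorized_keys` makes root access on every client depend on an unauthenticated plain-HTTP download: nothing verifies that the key came from s-adm, and if curl fails the shell redirection has already truncated authorized_keys to an empty file, locking out any existing key. It also reports `changed` on every run and relies on `~` resolving to /root for the account the play runs as. The idempotent form, already used by the sshk role in this same commit, is the `authorized_key` module with the key shipped from the controller, `authorized_key: user=root key="{{ lookup('file', '<path-to-s-adm-pubkey>') }}"` (placeholder path); if the key must be fetched, `get_url` with a `checksum:` pinned to the expected key at least detects a substituted file.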
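Review bot: The task name says root login is for certificate (key) authentication, but `line: "PermitRootLogin yes"` also allows root to log in with a password; `PermitRootLogin prohibit-password` keeps key-based root login and is what the name implies. The lineinfile has no `validate` and nothing notifies sshd, so a bad edit is not caught and the new value is not applied until something else restarts the daemon; `validate: '/usr/sbin/sshd -t -f %s'` plus a `restart sshd` handler closes both gaps. Note that `regexp: "^PermitRootLogin"` does not match the commented `#PermitRootLogin` line of a stock sshd_config, so the new line is appended at the end rather than replacing the default — sshd takes the first uncommented value, so this works, but it is worth a comment in the task.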
@@ -0,0 +1,10 @@
+---
+
+
+- name: creation user admu
+ user: name=admu comment="admu" shell=/bin/bash
+
+- name: Copie cle ssh
+ authorized_key: user=root key="{{lookup('file','/home/admu/.ssh/id_rsa_pub') }}"
+
+
diff --git a/roles/ssl-apache/README.md b/roles/ssl-apache/README.md
new file mode 100644
index 0000000..03a1e55
--- /dev/null
+++ b/roles/ssl-apache/README.md
@@ -0,0 +1,7 @@
+## Principe du rôle ssl-apache
+
+Ce rôle permet d'avoir un certificat SSL autosigné sur le site, configuré avec Apache, que l'on souhaite utilisé en HTTPS.
+
+Il installe le paquet "OpenSSL" s'il n'est pas installé, ensuite pour créer un certificat x509.
+
+Pour finir il fait la redirection HTTPS et ouvre le port 443.
diff --git a/roles/ssl-apache/files/000-default.conf b/roles/ssl-apache/files/000-default.conf
new file mode 100644
index 0000000..65c2eba
--- /dev/null
+++ b/roles/ssl-apache/files/000-default.conf
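Review bot: The `authorized_key` task installs the key for `user=root` although the preceding task creates `admu`, and the lookup path `/home/admu/.ssh/id_rsa_pub` (underscore) looks like a typo for `id_rsa.pub`; the `lookup('file', ...)` runs on the controller, so a missing file aborts the play. If the goal is to give admu its own key-based login, `authorized_key: user=admu key="{{ lookup('file', '/home/admu/.ssh/id_rsa.pub') }}"` is what the two task names suggest, and it keeps root's authorized_keys untouched. The `user` task sets no password and no groups, so as written the admu account is only reachable through whatever key ends up in its authorized_keys.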
@@ -0,0 +1,32 @@
+
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+ ServerName s-appli.gsb.lan
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+ Redirect "/" "https://s-appli.gsb.lan/wordpress"
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/ssl-apache/files/default-ssl.conf b/roles/ssl-apache/files/default-ssl.conf
new file mode 100644
index 0000000..b1d07e6
--- /dev/null
+++ b/roles/ssl-apache/files/default-ssl.conf
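Review bot: `Redirect "/" "https://s-appli.gsb.lan/wordpress"` sends a temporary (302) redirect and maps every HTTP path to /wordpress instead of to the same path over HTTPS, so a request for /wordpress/wp-login.php lands on the site root. `Redirect permanent "/" "https://s-appli.gsb.lan/"` is the usual HTTP-to-HTTPS form: the 301 lets browsers cache the upgrade and the path is preserved. The `<VirtualHost *:80>` open and close tags appear to have been stripped in this rendering (the empty first line and the empty line after the Redirect), so confirm the committed file still has them; once the vhost only redirects, the DocumentRoot and the template comments could also be dropped to keep the file to what it does.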
@@ -0,0 +1,24 @@
+#
+
+ ServerAdmin webmaster@localhost
+ ServerName s-appli.gsb.lan
+
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+
+ SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
+ SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+
+#
diff --git a/roles/ssl-apache/files/ports.conf b/roles/ssl-apache/files/ports.conf
new file mode 100644
index 0000000..ef8a4fe
--- /dev/null
+++ b/roles/ssl-apache/files/ports.conf
@@ -0,0 +1,15 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default.conf
+
+Listen 80
+Listen 443 https
+#
+# Listen 443
+#
+
+
+ Listen 443
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/ssl-apache/handlers/main.yml b/roles/ssl-apache/handlers/main.yml
new file mode 100644
index 0000000..670471f
--- /dev/null
+++ b/roles/ssl-apache/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
diff --git a/roles/ssl-apache/tasks/main.yml b/roles/ssl-apache/tasks/main.yml
new file mode 100644
index 0000000..4bd4b3a
--- /dev/null
+++ b/roles/ssl-apache/tasks/main.yml
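Review bot: The TLS vhost turns on `SSLEngine on` with no `SSLProtocol` or `SSLCipherSuite`, so it accepts whatever the installed mod_ssl allows by default — on older Debian builds that plausibly includes TLS 1.0/1.1 — and `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` next to the certificate lines is the minimum worth adding. The `<VirtualHost _default_:443>`, `<FilesMatch>` and `<Directory>` containers appear stripped in this rendering (the blank lines around each `SSLOptions +StdEnvVars`), so verify they survive in the committed file, otherwise the `SSLOptions` lines apply globally. The certificate at /etc/ssl/certs/apache-selfsigned.crt is produced by roles/ssl-apache/tasks/main.yml in this commit without a CSR, so it likely carries no CN or SAN for s-appli.gsb.lan; clients will still reject the name unless they pin the certificate, which the README does not mention.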
@@ -0,0 +1,51 @@
+---
+- name: Installation de openssl
+ apt:
+ name: openssl
+
+- name: Création de la clé
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/apache-selfsigned.key
+ mode: "640"
+ owner: root
+ group: root
+
+- name: Création du certificat
+ community.crypto.x509_certificate:
+ path: /etc/ssl/certs/apache-selfsigned.crt
+ privatekey_path: /etc/ssl/private/apache-selfsigned.key
+ provider: selfsigned
+ mode: "644"
+ owner: root
+ group: root
+
+- name: Suppression du fichier 000-default.conf
+ file:
+ path: /etc/apache2/sites-available/000-default.conf
+ state: absent
+
+- name: Supression du fichier default-ssl.conf
+ file:
+ path: /etc/apache2/sites-available/default-ssl.conf
+ state: absent
+
+- name: Supression du fichier ports.conf
+ file:
+ path: /etc/apache2/ports.conf
+ state: absent
+
+- name: ajout de la redirection https
+ copy:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-available
+
+- name: ajout du site https
+ copy:
+ src: default-ssl.conf
+ dest: /etc/apache2/sites-available
+
+- name: ajout du port 443
+ copy:
+ src: ports.conf
+ dest: /etc/apache2
+ notify: restart apache2
diff --git a/roles/syslog-cli/README.md b/roles/syslog-cli/README.md
new file mode 100644
index 0000000..bd36878
--- /dev/null
+++ b/roles/syslog-cli/README.md
@@ -0,0 +1,12 @@
+# Role syslog-cli : Installation et configuration de syslog client (centralisation des logs)
+***
+
+Ce role a pour objectif de parametrer le fichier /etc/rsyslog.conf pour envoyer les logs vers la machine **s-infra**:
+on ajoute au bout du fichier :
+''*.* @adresse srv-syslog''
+
+Ensuite le role décommente dans le fichier /etc/systemd/journald.conf la ligne suivante :
+'ForwardToSyslog=yes'
+afin d'autoriser l'envoie de log sur la machine srv qui est **s-infra**
+
+une fois tout cela fait le role redémarre automatiquement les services journald et rsyslog
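Review bot: Only the last `copy` (ports.conf) carries `notify: restart apache2`, so a change to 000-default.conf or default-ssl.conf alone never restarts Apache and the previous site config keeps being served; each of the three copy tasks needs the `notify`, and a `command: apache2ctl configtest` before the handler would catch a broken vhost before the restart takes the site down. The three `file: state: absent` tasks in front of the copies are redundant — `copy` already overwrites — and they make every run delete-and-recreate the files, so the role always reports `changed` and restarts Apache on each play. The `community.crypto.x509_certificate` task passes no CSR, so the self-signed certificate will have no CN/SAN for s-appli.gsb.lan; generating one with `community.crypto.openssl_csr` (`common_name` and `subject_alt_name`) and passing its `csr_path` gives clients a name to match. Mode `"640"` root:root on the key is fine for Apache, which reads the key as root at startup.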
diff --git a/roles/syslog-cli/handlers/main.yml b/roles/syslog-cli/handlers/main.yml
new file mode 100644
index 0000000..fb17a84
--- /dev/null
+++ b/roles/syslog-cli/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+ - name: restart rsyslog
+ service:
+ name: rsyslog
+ state: restarted
+
+ - name: restart journald
+ service:
+ name: systemd-journald.service
+ state: restarted
diff --git a/roles/syslog-cli/tasks/main.yml b/roles/syslog-cli/tasks/main.yml
new file mode 100644
index 0000000..b09bbf8
--- /dev/null
+++ b/roles/syslog-cli/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+ - name: ajoute l'indication de serveur syslog distant si elle n'est pas presente
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^'
+ line: '*.* @syslog.gsb.adm'
+ state: present
+ notify:
+ - restart rsyslog
+
+ - name: decommente le chargement du module imudp dans rsyslog.conf
+ replace:
+ path: /etc/systemd/journald.conf
+ regexp: '^#ForwardToSyslog=yes'
+ replace: 'ForwardToSyslog=yes'
+ notify:
+ - restart journald
diff --git a/roles/syslog/README.md b/roles/syslog/README.md
new file mode 100644
index 0000000..e691ab2
--- /dev/null
+++ b/roles/syslog/README.md
@@ -0,0 +1,16 @@
+# Role syslog : installation et configuration de syslog serveur (centralisation des logs)
+***
+
+Ce role a pour objectif de activer le module UDP dans le fichier /etc/rsyslog.conf pour accepter les logs entrants des machines concernées :
+on décommente la ligne suivante :
+'module(load="imudp"\)'
+
+Ensuite le role active l'écoute du module UDP sur le port 514 afin de pouvoir envoyer les logs.
+on décommente la ligne suivante dans le même fichier que ci-dessus :
+'input\(type="imudp" port="514"\)'
+
+pour finir le role va charger le module UDP afin que la machine **s-infra** puissent reçevoir les logs entrants.
+Pour faire cela on décommente la ligne suivante dans le fichier /etc/systemd/journald.conf :
+'ForwardToSyslog=yes'
+
+pour finir le role va redemmarer automatiquement les services journald et rsyslog
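Review bot: In the first syslog-cli task `regexp: '^'` matches every line of /etc/rsyslog.conf, and `lineinfile` replaces the last matching line, so the task overwrites the final line of the file with `*.* @syslog.gsb.adm` instead of appending it — on a stock rsyslog.conf that last line is a real directive or an include. Drop the regexp and use `insertafter: EOF`, or match only the line the role owns, `regexp: '^\*\.\* @syslog\.gsb\.adm'`, so the task is idempotent and touches nothing else. The second task's name mentions loading imudp in rsyslog.conf but it edits `ForwardToSyslog` in journald.conf; rename it so the play output matches the action. A single `@` forwards over plain UDP with no delivery or transport protection; `@@` (TCP) at least surfaces a down collector, and the README line `''*.* @adresse srv-syslog''` should show the actual directive used here.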
diff --git a/roles/syslog/handlers/main.yml b/roles/syslog/handlers/main.yml
new file mode 100644
index 0000000..9f5b879
--- /dev/null
+++ b/roles/syslog/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+ - name: restart syslog
+ service:
+ name: rsyslog
+ state: restarted
+
+ - name: restart journald
+ service:
+ name: systemd-journald.service
+ state: restarted
diff --git a/roles/syslog/tasks/main.yml b/roles/syslog/tasks/main.yml
new file mode 100644
index 0000000..ddf3031
--- /dev/null
+++ b/roles/syslog/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: chargement module UDP
+ replace:
+ dest: /etc/rsyslog.conf
+ regexp: '^#module\(load="imudp"\)'
+ replace: 'module(load="imudp")'
+ backup: yes
+ notify:
+ - restart syslog
+
+- name: ecoute UDP port 514
+ replace:
+ dest: /etc/rsyslog.conf
+ regexp: '^#input\(type="imudp" port="514"\)'
+ replace: 'input(type="imudp" port="514")'
+ backup: yes
+ notify:
+ - restart syslog
+
+- name: chargement module UDP dans rsyslog.conf
+ replace:
+ dest: /etc/systemd/journald.conf
+ regexp: '^#ForwardToSyslog=yes'
+ replace: 'ForwardToSyslog=yes'
+ notify:
+ - restart syslog
diff --git a/roles/webautoconf/files/wpad.dat b/roles/webautoconf/files/wpad.dat
new file mode 100644
index 0000000..30b5560
--- /dev/null
+++ b/roles/webautoconf/files/wpad.dat
@@ -0,0 +1,12 @@
+// config automatique
+// PS - 2015-06-09
+function FindProxyForURL(url, host)
+ {
+ if (isPlainHostName(host) ||
+ dnsDomainIs(host, "gsb.lan") ||
+ isInNet(host, "172.16.0.0", "255.255.255.0") ||
+ isInNet(host, "127.0.0.1", "255.255.255.255"))
+ return "DIRECT";
+ else
+ return "PROXY 172.16.0.2:8080";
+ }
diff --git a/roles/webautoconf/tasks/main.yml b/roles/webautoconf/tasks/main.yml
new file mode 100644
index 0000000..b43eede
--- /dev/null
+++ b/roles/webautoconf/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Installation lighttpd
+ apt: name=lighttpd state=present
+
+- name: Copie wpad.dat
+ copy: src=wpad.dat dest=/var/www/html
+
+
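Review bot: The third syslog task edits /etc/systemd/journald.conf but notifies `restart syslog`, so journald is never restarted and `ForwardToSyslog=yes` does not take effect until something else restarts it; the `restart journald` handler exists in roles/syslog/handlers/main.yml and is the one to notify here (the task name, "chargement module UDP dans rsyslog.conf", also describes the wrong file). The `input(type="imudp" port="514")` the second task enables listens on every interface with no source restriction, so any host that can reach s-infra can write arbitrary lines into the central log; binding the input with `address="<s-infra-adm-ip>"` (placeholder) and filtering 514/udp at the host firewall keeps the collector on the management network. `backup: yes` is set on the first two tasks but not the third, which is a small inconsistency.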
diff --git a/roles/wireguard-l/tasks/main.yml b/roles/wireguard-l/tasks/main.yml
new file mode 100644
index 0000000..1b59d14
--- /dev/null
+++ b/roles/wireguard-l/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: installation de wireguard
+ apt:
+ name: wireguard
+ state: present
+
+- name: installation de wireguard-tools
+ apt:
+ name: wireguard-tools
+ state: present
+
+- name: installation de sshpass
+ apt:
+ name: sshpass
+ state: present
+
+- name: copie du fichier de configuration depuis r-vp1
+ command: "sshpass -p 'root' scp -r root@192.168.99.112:/root/confwg/wg0-b.conf /etc/wireguard/"
+
+- name: renommage du fichier de configuration
+ command: "mv /etc/wireguard/wg0-b.conf /etc/wireguard/wg0.conf"
diff --git a/roles/wireguard-r/README.md b/roles/wireguard-r/README.md
new file mode 100644
index 0000000..c3e7dcf
--- /dev/null
+++ b/roles/wireguard-r/README.md
@@ -0,0 +1,14 @@
+#Installation de r-vp1 (Wireguard)
+
+***
+Ce fichier à pour but de présenter l'installation de r-vp1
+***
+
+Se rendre dans le dossier gsb2022 et éxécuter la commande suivante :
+_"ansible-playbook -i localhost, -c local r-vp1.yml"_
+Attendre la fin de l'installation, puis se rendre dans le dossier confwg
+Faites une copie à distance du fichier wg0-b.conf sur r-vp2 et déplacer le fichier wg0-a.conf localement dans /etc/wireguard
+Renommer les deux fichiers en wg0.conf
+Executer _"systemctl enable wg-quick@wg0"_ puis _"systemctl start wg-quick@wg0"_ sur r-vp1 et r-vp2
+Entrer la commande _"wg"_ si des paquets sont envoyés et reçus votre VPN fonctionne.
+Lorsque votre infrastructure est prête rendez vous dans gsb2022 et éxécuter le **fichier ping-sagence** afin vérifier le bon fonctionnement.
diff --git a/roles/wireguard-r/files/mk-wgconf.sh b/roles/wireguard-r/files/mk-wgconf.sh
new file mode 100755
index 0000000..b3faf38
--- /dev/null
+++ b/roles/wireguard-r/files/mk-wgconf.sh
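Review bot: `command: "sshpass -p 'root' scp -r root@192.168.99.112:/root/confwg/wg0-b.conf /etc/wireguard/"` commits r-vp1's root password to the repository and exposes it on the command line (process list, Ansible output), and the file it pulls contains endpoint B's WireGuard private key, which then exists on both routers. Distributing the peer config from the controller with `copy`, or generating B's key on r-vp2 and exchanging only public keys, removes both the password and the private key from the transport path. Both `command` tasks are also not rerunnable: scp under sshpass fails non-interactively unless r-vp1's host key is already known, and the final `mv` fails on the second run once wg0-b.conf is gone; `args: creates: /etc/wireguard/wg0.conf` on each at least guards reruns.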
@@ -0,0 +1,70 @@
+#!/bin/bash
+set -u
+set -e
+# Version Site to Site
+
+AddressAwg=10.0.0.1/32 # Adresse VPN Wireguard cote A
+EndpointA=192.168.0.51 # Adresse extremite A
+PortA=51820 # Port ecoute extremite A
+NetworkA=192.168.1.0/24 # reseau cote A
+NetworkC=192.168.200.0/24 #reseau cote A
+NetworkD=172.16.0.0/24 #reseau cote A
+
+AddressBwg=10.0.0.2/32 # Adresse VPN Wireguard cote B
+EndpointB=192.168.0.52 # Adresse extremite B
+PortB=51820 # Port ecoute extremite B
+NetworkB=172.16.128.0/24 # reseau cote B
+
+umask 077
+wg genkey > endpoint-a.key
+wg pubkey < endpoint-a.key > endpoint-a.pub
+
+wg genkey > endpoint-b.key
+wg pubkey < endpoint-b.key > endpoint-b.pub
+
+
+PKA=$(cat endpoint-a.key)
+pKA=$(cat endpoint-a.pub)
+PKB=$(cat endpoint-b.key)
+pKB=$(cat endpoint-b.pub)
+
+cat < wg0-a.conf
+# local settings for Endpoint A
+[Interface]
+PrivateKey = $PKA
+Address = $AddressAwg
+ListenPort = $PortA
+
+# IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# remote settings for Endpoint B
+[Peer]
+PublicKey = $pKB
+Endpoint = ${EndpointB}:$PortB
+AllowedIPs = $AddressBwg, $NetworkB
+
+FINI
+
+
+cat < wg0-b.conf
+# local settings for Endpoint B
+[Interface]
+PrivateKey = $PKB
+Address = $AddressBwg
+ListenPort = $PortB
+
+# IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# remote settings for Endpoint A
+[Peer]
+PublicKey = $pKA
+Endpoint = ${EndpointA}:$PortA
+AllowedIPs = $AddressAwg, $NetworkA, $NetworkC, $NetworkD
+
+FINI
+
+echo "wg0-a.conf et wg0-b.conf sont generes ..."
+echo "copier wg0-b.conf sur la machine b et renommer les fichiers de configuration ..."
+
diff --git a/roles/wireguard-r/files/scriptwg.sh b/roles/wireguard-r/files/scriptwg.sh
new file mode 100755
index 0000000..2d499c9
--- /dev/null
+++ b/roles/wireguard-r/files/scriptwg.sh
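Review bot: The script generates both endpoints' private keys on r-vp1 (`wg genkey > endpoint-b.key` next to endpoint-a.key) and writes B's private key into wg0-b.conf for transfer, so one host holds both sides' secrets and the key crosses the network; the WireGuard model is that each peer runs `wg genkey` locally and only the `wg pubkey` output is exchanged. The `cat < wg0-a.conf` and `cat < wg0-b.conf` lines look like heredocs (`cat <<FINI > wg0-a.conf`) whose `<<FINI >` was stripped in this rendering — as shown, the script would read the config file rather than write it — so check the committed file. The script is also not rerunnable: with `set -e` every run regenerates both keys, silently invalidating the peer already deployed on r-vp2, and the comments on NetworkC and NetworkD (`#reseau cote A`) deserve a word on why those networks sit behind A. scriptwg.sh in this commit is the same script minus NetworkC/NetworkD and shares every point above; keeping one copy parameterised by the extra networks avoids the two drifting apart.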
@@ -0,0 +1,67 @@
+#!/bin/bash
+set -u
+set -e
+# Version Site to Site
+
+AddressAwg=10.0.0.1/32 # Adresse VPN Wireguard cote A
+EndpointA=192.168.0.51 # Adresse extremite A
+PortA=51820 # Port ecoute extremite A
+NetworkA=192.168.1.0/24 # reseau cote A
+
+AddressBwg=10.0.0.2/32 # Adresse VPN Wireguard cote B
+EndpointB=192.168.0.52 # Adresse extremite B
+PortB=51820 # Port ecoute extremite B
+NetworkB=172.16.128.0/24 # reseau cote B
+
+umask 077
+wg genkey > endpoint-a.key
+wg pubkey < endpoint-a.key > endpoint-a.pub
+
+wg genkey > endpoint-b.key
+wg pubkey < endpoint-b.key > endpoint-b.pub
+
+
+PKA=$(cat endpoint-a.key)
+pKA=$(cat endpoint-a.pub)
+PKB=$(cat endpoint-b.key)
+pKB=$(cat endpoint-b.pub)
+
+cat < wg0-a.conf
+# local settings for Endpoint A
+[Interface]
+PrivateKey = $PKA
+Address = $AddressAwg
+ListenPort = $PortA
+
+# IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# remote settings for Endpoint B
+[Peer]
+PublicKey = $pKB
+Endpoint = ${EndpointB}:$PortB
+AllowedIPs = $AddressBwg, $NetworkB
+
+FINI
+
+
+cat < wg0-b.conf
+# local settings for Endpoint B
+[Interface]
+PrivateKey = $PKB
+Address = $AddressBwg
+ListenPort = $PortB
+
+# IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# remote settings for Endpoint A
+[Peer]
+PublicKey = $pKA
+Endpoint = ${EndpointA}:$PortA
+AllowedIPs = $AddressAwg, $NetworkA
+
+FINI
+
+echo "wg0-a.conf et wg0-b.conf sont generes ..."
+echo "copier wg0-b.conf sur la machine b et renommer les fichiers de configuration ..."
diff --git a/roles/wireguard-r/tasks/main.yml b/roles/wireguard-r/tasks/main.yml
new file mode 100644
index 0000000..51fe16b
--- /dev/null
+++ b/roles/wireguard-r/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: installation de wireguard
+ apt:
+ name: wireguard
+ state: present
+
+- name: installation de wireguard-tools
+ apt:
+ name: wireguard-tools
+ state: present
+
+- name: création du dossier conf
+ file:
+ path: /root/confwg
+ state: directory
+
+- name: copie du script mk-wgconf.sh
+ copy:
+ src: mk-wgconf.sh
+ dest: /root/confwg
+
+- name: execution script mk-wgconf.sh
+ command: bash ./mk-wgconf.sh
+ args:
+ chdir: /root/confwg
+
+- name: copie du fichier de configuration
+ copy:
+ src: /root/confwg/wg0-a.conf
+ dest: /etc/wireguard
+
+- name: renommage fichier de configuration
+ command: "mv /etc/wireguard/wg0-a.conf /etc/wireguard/wg0.conf"
+
+- name: demarrage du service wireguard
+ tags: aaaa
+ command: "systemctl enable wg-quick@wg0"
+ command: "systemctl restart wg-quick@wg0"
diff --git a/s-adm.yml b/s-adm.yml
new file mode 100644
index 0000000..48ec9d5
--- /dev/null
+++ b/s-adm.yml
@@ -0,0 +1,14 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - goss
+ - s-ssh
+ - dnsmasq
+ - squid
+ - local-store
+ - snmp-agent
+ - syslog-cli
+ - post
diff --git a/s-agence.yml b/s-agence.yml
new file mode 100644
index 0000000..4f636a8
--- /dev/null
+++ b/s-agence.yml
@@ -0,0 +1,10 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - ssh-cli
+ - syslog-cli
+ - post
+ - goss
diff --git a/s-appli.yml b/s-appli.yml
new file mode 100644
index 0000000..9a8110d
--- /dev/null
+++ b/s-appli.yml
@@ -0,0 +1,14 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - goss
+ - appli
+ - ssh-cli
+ - syslog-cli
+ - snmp-agent
+ - ssl-apache
+ - post
+
diff --git a/s-backup.yml b/s-backup.yml
new file mode 100644
index 0000000..983e4d3
--- /dev/null
+++ b/s-backup.yml
@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+# - proxy3
+ - snmp-agent
+# - ssh-cli
+ - syslog-cli
+ - smb-backup
+ - dns-slave
+ - post
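Review bot: The last task has two `command:` keys in one mapping; the YAML loader keeps only one (Ansible warns and uses the last), so `systemctl enable wg-quick@wg0` is silently dropped and the tunnel will not come back after a reboot. `systemd: name=wg-quick@wg0 enabled=yes state=restarted` does both in one idempotent module call, and the leftover `tags: aaaa` can go. The "execution script mk-wgconf.sh" task reruns the generator on every play, which regenerates both keys and breaks the peer already configured on r-vp2; `args: creates: /root/confwg/wg0-a.conf` next to the existing `chdir` makes it run once, and the same guard on the `mv` task stops it failing on the second run. `copy: src: /root/confwg/wg0-a.conf` reads the file from the controller, which only works because the playbooks in this commit use `connection: local`; `remote_src: yes` states that dependency explicitly.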
diff --git a/s-bdd.yml b/s-bdd.yml
new file mode 100644
index 0000000..83e4dc1
--- /dev/null
+++ b/s-bdd.yml
@@ -0,0 +1,23 @@
+---
+ - hosts: localhost
+ connection: local
+ vars:
+ maria_dbhost: "192.168.102.254"
+ maria_dbname: "wordpress"
+ maria_dbuser: "wp"
+ maria_dbpasswd: "wp"
+
+
+ roles:
+ - base
+ - goss
+# - s-lb-bd
+ - mariadb
+ - role: db-user
+ cli_ip: "192.168.102.1"
+ - role: db-user
+ cli_ip: "192.168.102.2"
+ - role: db-user
+ cli_ip: "192.168.102.3"
+ - snmp-agent
+ - post
diff --git a/s-docker.yml b/s-docker.yml
new file mode 100644
index 0000000..b7343ac
--- /dev/null
+++ b/s-docker.yml
@@ -0,0 +1,14 @@
+---
+- hosts: localhost
+ connection: local
+ # include: config.yml
+ roles:
+ - base
+ - goss
+ - snmp-agent
+ - ssh-cli
+ - syslog-cli
+ - docker-openvas-ab
+ #- docker-iredmail-ab
+ - post
+
diff --git a/s-elk.yml b/s-elk.yml
new file mode 100644
index 0000000..b14cdf2
--- /dev/null
+++ b/s-elk.yml
@@ -0,0 +1,11 @@
+---
+- hosts: localhost
+ connection: local
+ roles:
+ - base
+ - goss
+ - docker
+ - elk
+ - ssh-cli
+ - syslog-cli
+ - post
diff --git a/s-fog.yml b/s-fog.yml
new file mode 100644
index 0000000..9e030c2
--- /dev/null
+++ b/s-fog.yml
@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - goss
+ - dhcp-fog
+ - ssh-cli
+ - snmp-agent
+ - syslog-cli
+ - fog
+ - post
diff --git a/s-gestsup.yml b/s-gestsup.yml
new file mode 100644
index 0000000..897d116
--- /dev/null
+++ b/s-gestsup.yml
@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - gestsup
+ - postfix-gestsup
+ - ssh-cli
+ - syslog-cli
+ - snmp-agent
+ - post
diff --git a/s-graylog.yml b/s-graylog.yml
new file mode 100644
index 0000000..0127d98
--- /dev/null
+++ b/s-graylog.yml
@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - goss
+ - docker-graylog
+ - ssh-cli
+ - syslog
+ - post
+
diff --git a/s-infra.yml b/s-infra.yml
new file mode 100644
index 0000000..c7bf1ff
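Review bot: `maria_dbpasswd: "wp"` and `maria_dbuser: "wp"` are committed in clear text in s-bdd.yml, and the same pattern repeats in s-itil.yml (`glpi_dbpasswd`), s-lb-bd.yml, s-lb-wordpress.yml/-2/-3 and s-nas.yml (`wp_mysql_password`), so the repository history now carries every database credential of the infrastructure. Moving these values into an `ansible-vault` encrypted vars file (or vaulted host_vars) and referencing them from the plays keeps the playbooks readable without the secrets, and lets each deployment use a different password instead of the username. The three `db-user` invocations with `cli_ip: "192.168.102.1"` to `.3` are fine, but a one-line comment naming which hosts those addresses are would help the next reader.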
--- /dev/null
+++ b/s-infra.yml
@@ -0,0 +1,14 @@
+---
+- hosts: localhost
+ connection: local
+ # include: config.yml
+ roles:
+ - base
+ - goss
+ - dns-master
+ - webautoconf
+ - snmp-agent
+ - syslog-cli
+ - ssh-cli
+ - post
+
diff --git a/s-itil.yml b/s-itil.yml
new file mode 100644
index 0000000..5bab648
--- /dev/null
+++ b/s-itil.yml
@@ -0,0 +1,24 @@
+---
+- hosts: localhost
+ connection: local
+
+ vars:
+
+ glpi_version: "9.4.5"
+ fd_version: "9.4+1.1"
+ fd_version64: "x64_2.5.2"
+ fd_version86: "x86_2.5.2"
+ glpi_dir: "/var/www/html/glpi"
+ glpi_dbhost: "127.0.0.1"
+ glpi_dbname: "glpi"
+ glpi_dbuser: "glpi"
+ glpi_dbpasswd: "glpi"
+
+ roles:
+ - base
+ - goss
+ - snmp-agent
+ - itil
+ - ssh-cli
+ - syslog-cli
+ - post
diff --git a/s-lb-bd.yml b/s-lb-bd.yml
new file mode 100644
index 0000000..c31f907
--- /dev/null
+++ b/s-lb-bd.yml
@@ -0,0 +1,24 @@
+---
+ - hosts: localhost
+ connection: local
+ vars:
+ maria_dbhost: "192.168.102.254"
+ maria_dbname: "wordpress"
+ maria_dbuser: "wp"
+ maria_dbpasswd: "wp"
+
+
+ roles:
+ - base
+ - goss
+ - post
+ #- s-lb-bd-ab
+ - mariadb-ab
+# - role: db-user
+# cli_ip: "192.168.102.1"
+# - role: db-user
+# cli_ip: "192.168.102.2"
+# - role: db-user
+# cli_ip: "192.168.102.3"
+ - snmp-agent
+# - post
diff --git a/s-lb-web1.yml b/s-lb-web1.yml
new file mode 100644
index 0000000..0c1dc9b
--- /dev/null
+++ b/s-lb-web1.yml
@@ -0,0 +1,11 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - s-lb-web-ab
+ - snmp-agent
+ - s-nas-client
+ - post
+
diff --git a/s-lb-web2.yml b/s-lb-web2.yml
new file mode 100644
index 0000000..0c1dc9b
--- /dev/null
+++ b/s-lb-web2.yml
@@ -0,0 +1,11 @@
+---
+- hosts: localhost
+ connection: local
+
+ roles:
+ - base
+ - s-lb-web-ab
+ - snmp-agent
+ - s-nas-client
+ - post
+
diff --git a/s-lb-web3.yml b/s-lb-web3.yml
new file mode 100644
index 0000000..0c1dc9b
--- /dev/null
+++ b/s-lb-web3.yml
@@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web-ab + - snmp-agent + - s-nas-client + - post + diff --git a/s-lb-wordpress.yml b/s-lb-wordpress.yml new file mode 100644 index 0000000..ed195a5 --- /dev/null +++ b/s-lb-wordpress.yml @@ -0,0 +1,18 @@ +--- + - hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.50" + + roles: + - base + - goss + - apache2 + - s-lb-wordpress + - snmp-agent + - post + - mysql + - php-fpm diff --git a/s-lb-wordpress2.yml b/s-lb-wordpress2.yml new file mode 100644 index 0000000..ed195a5 --- /dev/null +++ b/s-lb-wordpress2.yml @@ -0,0 +1,18 @@ +--- + - hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.50" + + roles: + - base + - goss + - apache2 + - s-lb-wordpress + - snmp-agent + - post + - mysql + - php-fpm diff --git a/s-lb-wordpress3.yml b/s-lb-wordpress3.yml new file mode 100644 index 0000000..ed195a5 --- /dev/null +++ b/s-lb-wordpress3.yml @@ -0,0 +1,18 @@ +--- + - hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.50" + + roles: + - base + - goss + - apache2 + - s-lb-wordpress + - snmp-agent + - post + - mysql + - php-fpm diff --git a/s-lb.yml b/s-lb.yml new file mode 100644 index 0000000..7b0374f --- /dev/null +++ b/s-lb.yml @@ -0,0 +1,11 @@ +--- + - hosts: localhost + connection: local + + roles: + - base + - goss + - s-lb-ab + - snmp-agent + - post + diff --git a/s-mess.yml b/s-mess.yml new file mode 100644 index 0000000..a523a38 --- /dev/null +++ b/s-mess.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - docker-nextcloud + - ssh-cli + - syslog-cli + - snmp-agent + - post diff --git a/s-mon.yml b/s-mon.yml new file mode 100644 index 0000000..78d3cfb 
--- /dev/null +++ b/s-mon.yml @@ -0,0 +1,16 @@ +- name: Nagios + hosts: localhost + connection: local + become: yes + become_method: sudo + become_user: root + vars: + access: "Restricted Nagios4 Access" + roles: + - base + - goss + - nagios + - postfix + - ssh-cli + - syslog + - post diff --git a/s-nas.yml b/s-nas.yml new file mode 100644 index 0000000..357cdb8 --- /dev/null +++ b/s-nas.yml @@ -0,0 +1,17 @@ +--- +- hosts: localhost + connection: local + vars: + wp_mysql_db: "wordpress" + wp_mysql_user: "wp" + wp_mysql_password: "wp" + wp_mysql_host: "192.168.102.254" + + roles: + - base + - snmp-agent + - s-lb-wordpress + - s-nas-server + - ssh-cli + - syslog-cli + - post diff --git a/s-nxc.yml b/s-nxc.yml new file mode 100644 index 0000000..573d8ad --- /dev/null +++ b/s-nxc.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - docker + - nxc-traefik + - ssh-cli + - syslog-cli + - snmp-agent + - post diff --git a/s-proxy.yml b/s-proxy.yml new file mode 100644 index 0000000..78d1644 --- /dev/null +++ b/s-proxy.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - goss + - squid + - snmp-agent + - ssh-cli + - syslog-cli + - post diff --git a/s-test.yml b/s-test.yml new file mode 100644 index 0000000..521df21 --- /dev/null +++ b/s-test.yml @@ -0,0 +1,12 @@ +--- +- hosts: localhost + connection: local + # include: config.yml + roles: + - base + - goss + - snmp-agent + - syslog-cli + - ssh-cli + - post + diff --git a/s-web.yml b/s-web.yml new file mode 100644 index 0000000..6b5b855 --- /dev/null +++ b/s-web.yml @@ -0,0 +1,14 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - apache2 + - snmp-agent + - ssh-cli + - syslog-cli + - post + #- mysql + - wordpress + diff --git a/s-web1.yml b/s-web1.yml new file mode 100644 index 0000000..708b134 --- /dev/null +++ b/s-web1.yml 
@@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web + - snmp-agent + - s-nas-client + - post + diff --git a/s-web2.yml b/s-web2.yml new file mode 100644 index 0000000..708b134 --- /dev/null +++ b/s-web2.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web + - snmp-agent + - s-nas-client + - post + diff --git a/s-web3.yml b/s-web3.yml new file mode 100644 index 0000000..708b134 --- /dev/null +++ b/s-web3.yml @@ -0,0 +1,11 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - s-lb-web + - snmp-agent + - s-nas-client + - post + diff --git a/scripts/Windows/addint-r-ext.bat b/scripts/Windows/addint-r-ext.bat new file mode 100644 index 0000000..6954297 --- /dev/null +++ b/scripts/Windows/addint-r-ext.bat 
@@ -0,0 +1,31 @@
+cd C:\Program Files\Oracle\VirtualBox
+
+VBoxManage modifyvm r-ext --nic1 intnet
+VBoxManage modifyvm r-ext --intnet1 "n-adm"
+VBoxManage modifyvm r-ext --nictype1 82540EM
+VBoxManage modifyvm r-ext --cableconnected1 on
+VBoxManage modifyvm r-ext --nicpromisc1 allow-all
+
+VBoxManage modifyvm r-ext --nic2 intnet
+VBoxManage modifyvm r-ext --intnet2 "n-dmz"
+VBoxManage modifyvm r-ext --nictype2 82540EM
+VBoxManage modifyvm r-ext --cableconnected2 on
+VBoxManage modifyvm r-ext --nicpromisc2 allow-all
+
+VBoxManage modifyvm r-ext --nic3 bridged
+VBoxManage modifyvm r-ext --bridgeadapter3 "enp0s3"
+VBoxManage modifyvm r-ext --nictype3 82540EM
+VBoxManage modifyvm r-ext --cableconnected3 on
+VBoxManage modifyvm r-ext --nicpromisc3 allow-all
+
+VBoxManage modifyvm r-ext --nic4 intnet
+VBoxManage modifyvm r-ext --intnet4 "n-linkv"
+VBoxManage modifyvm r-ext --nictype4 82540EM
+VBoxManage modifyvm r-ext --cableconnected4 on
+VBoxManage modifyvm r-ext --nicpromisc4 allow-all
+
+VBoxManage modifyvm r-ext --nic5 intnet
+VBoxManage modifyvm r-ext --intnet5 "n-link"
+VBoxManage modifyvm r-ext --nictype5 82540EM
+VBoxManage modifyvm r-ext --cableconnected5 on
+VBoxManage modifyvm r-ext --nicpromisc5 allow-all
diff --git a/scripts/Windows/addint-r-int.bat b/scripts/Windows/addint-r-int.bat
new file mode 100644
index 0000000..cefd634
--- /dev/null
+++ b/scripts/Windows/addint-r-int.bat
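Review bot: Every adapter, including the bridged one on `--nic3`, is set to `--nicpromisc3 allow-all`, which lets the guest capture traffic from the host's physical LAN rather than only from the lab's internal networks. Promiscuous mode is only needed on internal-network adapters of the routers; for bridged adapters use `--nicpromisc3 deny` (or `allow-vms` where the lab requires VM-to-VM visibility), which VirtualBox accepts alongside `allow-all`. The same setting is applied in addint-r-int.bat and in the bash scripts scripts/addint.r-ext, addint.r-int, addint.r-vp1, addint.r-vp2 and addint.s-adm, the last four of which also bridge a NIC. The bridge name `"enp0s3"` in this Windows batch file is a Linux-style interface name, so it probably needs to be the host's actual adapter name — worth confirming on the Windows host.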
@@ -0,0 +1,33 @@
+cd C:\Program Files\Oracle\VirtualBox
+
+VBoxManage modifyvm r-int --nic1 intnet
+VBoxManage modifyvm r-int --intnet1 "n-adm"
+VBoxManage modifyvm r-int --nictype1 82540EM
+VBoxManage modifyvm r-int --cableconnected1 on
+VBoxManage modifyvm r-int --nicpromisc1 allow-all
+
+VBoxManage modifyvm r-int --nic2 intnet
+VBoxManage modifyvm r-int --intnet2 "n-link"
+VBoxManage modifyvm r-int --nictype2 82540EM
+VBoxManage modifyvm r-int --cableconnected2 on
+VBoxManage modifyvm r-int --nicpromisc2 allow-all
+
+VBoxManage modifyvm r-int --nic3 intnet
+VBoxManage modifyvm r-int --intnet3 "n-wifi"
+VBoxManage modifyvm r-int --nictype3 82540EM
+VBoxManage modifyvm r-int --cableconnected3 on
+VBoxManage modifyvm r-int --nicpromisc3 allow-all
+
+VBoxManage modifyvm r-int --nic4 intnet
+VBoxManage modifyvm r-int --intnet4 "n-user"
+VBoxManage modifyvm r-int --nictype4 82540EM
+VBoxManage modifyvm r-int --cableconnected4 on
+VBoxManage modifyvm r-int --nicpromisc4 allow-all
+
+VBoxManage modifyvm r-int --nic5 intnet
+VBoxManage modifyvm r-int --intnet5 "n-infra"
+VBoxManage modifyvm r-int --nictype5 82540EM
+VBoxManage modifyvm r-int --cableconnected5 on
+VBoxManage modifyvm r-int --nicpromisc5 allow-all
+
+
diff --git a/scripts/addint.r-ext b/scripts/addint.r-ext
new file mode 100755
index 0000000..e2d5e96
--- /dev/null
+++ b/scripts/addint.r-ext
@@ -0,0 +1,42 @@ +#!/bin/bash +nom=r-ext + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# (enp0s9) + +VBoxManage modifyvm $nom --nic3 bridged +VBoxManage modifyvm $nom --bridgeadapter3 "eno1" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all + +# N-linkv (enp0s10) + +VBoxManage modifyvm $nom --nic4 intnet +VBoxManage modifyvm $nom --intnet4 "n-linkv" +VBoxManage modifyvm $nom --nictype4 82540EM +VBoxManage modifyvm $nom --cableconnected4 on +VBoxManage modifyvm $nom --nicpromisc4 allow-all + +# N-link (enp0s16) + +VBoxManage modifyvm $nom --nic5 intnet +VBoxManage modifyvm $nom --intnet5 "n-link" +VBoxManage modifyvm $nom --nictype5 82540EM +VBoxManage modifyvm $nom --cableconnected5 on +VBoxManage modifyvm $nom --nicpromisc5 allow-all diff --git a/scripts/addint.r-int b/scripts/addint.r-int new file mode 100755 index 0000000..720fdd7 --- /dev/null +++ b/scripts/addint.r-int 
@@ -0,0 +1,41 @@ +#!/bin/bash +nom=r-int + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all +# N-link (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-link" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-wifi (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-wifi" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all + +# N-user (enp0s10) + +VBoxManage modifyvm $nom --nic4 intnet +VBoxManage modifyvm $nom --intnet4 "n-user" +VBoxManage modifyvm $nom --nictype4 82540EM +VBoxManage modifyvm $nom --cableconnected4 on +VBoxManage modifyvm $nom --nicpromisc4 allow-all + +# N-infra (enp0s16) + +VBoxManage modifyvm $nom --nic5 intnet +VBoxManage modifyvm $nom --intnet5 "n-infra" +VBoxManage modifyvm $nom --nictype5 82540EM +VBoxManage modifyvm $nom --cableconnected5 on +VBoxManage modifyvm $nom --nicpromisc5 allow-all diff --git a/scripts/addint.r-vp1 b/scripts/addint.r-vp1 new file mode 100755 index 0000000..0ddbb3e --- /dev/null +++ b/scripts/addint.r-vp1 
@@ -0,0 +1,26 @@ +#!/bin/bash +nom=r-vp1 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-linkv (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-linkv" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# (enp0s9) + +VBoxManage modifyvm $nom --nic3 bridged +VBoxManage modifyvm $nom --bridgeadapter3 "enp11s0f0" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.r-vp2 b/scripts/addint.r-vp2 new file mode 100755 index 0000000..67a1453 --- /dev/null +++ b/scripts/addint.r-vp2 @@ -0,0 +1,26 @@ +#!/bin/bash +nom=r-vp2 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-linkv (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-agence" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# (enp0s9) + +VBoxManage modifyvm $nom --nic3 bridged +VBoxManage modifyvm $nom --bridgeadapter3 "enp11s0f0" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-adm b/scripts/addint.s-adm new file mode 100755 index 0000000..da6c9de --- /dev/null +++ b/scripts/addint.s-adm 
@@ -0,0 +1,16 @@ +#!/bin/bash +nom=s-adm + +VBoxManage modifyvm $nom --nic1 bridged +VBoxManage modifyvm $nom --bridgeadapter1 "eno1" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +#(enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-adm" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all \ No newline at end of file diff --git a/scripts/addint.s-infra b/scripts/addint.s-infra new file mode 100755 index 0000000..3cf7d32 --- /dev/null +++ b/scripts/addint.s-infra @@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-infra + +#(enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +#(enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-infra" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/addint.s-lb b/scripts/addint.s-lb new file mode 100755 index 0000000..b90a5a2 --- /dev/null +++ b/scripts/addint.s-lb 
@@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-lb (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-lb-bd b/scripts/addint.s-lb-bd new file mode 100755 index 0000000..325f6b9 --- /dev/null +++ b/scripts/addint.s-lb-bd @@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-lb-bd + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-db (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-db" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/addint.s-lb-web1 b/scripts/addint.s-lb-web1 new file mode 100755 index 0000000..afb7269 --- /dev/null +++ b/scripts/addint.s-lb-web1 
@@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb-web1 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-lb (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-db (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-db" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-lb-web2 b/scripts/addint.s-lb-web2 new file mode 100755 index 0000000..13605fc --- /dev/null +++ b/scripts/addint.s-lb-web2 @@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb-web2 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-lb (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-db (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-db" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-lb-web3 b/scripts/addint.s-lb-web3 new file mode 100755 index 0000000..2d29eb6 --- /dev/null +++ b/scripts/addint.s-lb-web3 
@@ -0,0 +1,26 @@ +#!/bin/bash +nom=s-lb-web3 + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-lb (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-lb" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all + +# N-dmz-db (enp0s9) + +VBoxManage modifyvm $nom --nic3 intnet +VBoxManage modifyvm $nom --intnet3 "n-dmz-db" +VBoxManage modifyvm $nom --nictype3 82540EM +VBoxManage modifyvm $nom --cableconnected3 on +VBoxManage modifyvm $nom --nicpromisc3 allow-all diff --git a/scripts/addint.s-mon-kb b/scripts/addint.s-mon-kb new file mode 100755 index 0000000..be39c26 --- /dev/null +++ b/scripts/addint.s-mon-kb @@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-mon-kb + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-infra (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-infra" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/addint.s-nas b/scripts/addint.s-nas new file mode 100755 index 0000000..ae4584b --- /dev/null +++ b/scripts/addint.s-nas 
@@ -0,0 +1,18 @@ +#!/bin/bash +nom=s-nas + +# N-adm (enp0s3) + +VBoxManage modifyvm $nom --nic1 intnet +VBoxManage modifyvm $nom --intnet1 "n-adm" +VBoxManage modifyvm $nom --nictype1 82540EM +VBoxManage modifyvm $nom --cableconnected1 on +VBoxManage modifyvm $nom --nicpromisc1 allow-all + +# N-dmz-db (enp0s8) + +VBoxManage modifyvm $nom --nic2 intnet +VBoxManage modifyvm $nom --intnet2 "n-dmz-db" +VBoxManage modifyvm $nom --nictype2 82540EM +VBoxManage modifyvm $nom --cableconnected2 on +VBoxManage modifyvm $nom --nicpromisc2 allow-all diff --git a/scripts/getall-2019 b/scripts/getall-2019 new file mode 100644 index 0000000..b37a753 --- /dev/null +++ b/scripts/getall-2019 @@ -0,0 +1,16 @@ +#!/bin/bash +GLPIREL=9.3.3 +wget -nc https://github.com/glpi-project/glpi/releases/download/$GLPIREL/glpi-$GLPIREL.tgz + +wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.3%2B1.2/fusioninventory-9.3+1.2.tar.gz + +FIAGREL=2.4.2 +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/$FIAGREL/fusioninventory-agent_windows-x64_$FIAGREL.exe + +wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/$FIAGREL/fusioninventory-agent_windows-x86_$FIAGREL.exe + +FOGREL=1.5.5 +wget -nc https://github.com/FOGProject/fogproject/archive/$FOGREL.tar.gz -O fogproject-$FOGREL.tar.gz + +#wget -nc https://fr.wordpress.org/wordpress-4.9.1-fr_FR.tar.gz +wget -nc https://fr.wordpress.org/wordpress-5.0.3-fr_FR.tar.gz diff --git a/scripts/lb-http.bash b/scripts/lb-http.bash new file mode 100644 index 0000000..019b660 --- /dev/null +++ b/scripts/lb-http.bash @@ -0,0 +1,6 @@ +#!/bin/bash + +while [ 1 ] +do + curl --max-time 1 192.168.100.10/wordpress/ +done \ No newline at end of file diff --git a/scripts/mkvm b/scripts/mkvm new file mode 100755 index 0000000..32e9f0c --- /dev/null +++ b/scripts/mkvm 
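Review bot: getall-2019 fetches installers with `wget -nc` and never verifies what it downloaded, so a tampered or truncated archive is silently handed to the install roles; add a checksum step such as `sha256sum -c getall-2019.sha256` (a file of the upstream-published digests) before anything is unpacked. The versions pinned here (`GLPIREL=9.3.3`, fusioninventory `9.3+1.2`) also disagree with the `glpi_version: "9.4.5"` and `fd_version: "9.4+1.1"` set in s-itil.yml, so one of the two is stale unless this script is intentionally a legacy copy. Making the version a single variable shared with the playbook would keep them aligned.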
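Review bot: lb-http.bash loops forever with no exit condition, no pause and no result check, so it can only be stopped by killing it; a bounded loop with a short `sleep` and an iteration count, or at least a trap on SIGINT, would make the load-balancer check reproducible. The sibling scripts/recup-s-lb.bash has the same unbounded loop and additionally runs `wget index.html http://192.168.100.10`, where `index.html` is treated as a second URL (which fails every time) and each successful response is saved as a new `index.html.N` file, filling the disk over time; `wget -q -O /dev/null http://192.168.100.10` is what was presumably intended.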
@@ -0,0 +1,96 @@ +#!/bin/bash + +ovarelease="2022b" +ovafile="$HOME/Téléchargements/debian-bullseye-gsb-${ovarelease}.ova" + + +usage () { + echo "$0 : creation VM et parametrage interfaces" + echo "usage : $0 " + exit 1 +} + +create_vm () { + nom=$1 + if [[ ! -r "${ovafile}" ]]; then + echo "$0 : erreur ouverture fichier ${ovafile} ..." + exit 3 + fi + vboxmanage import "${ovafile}" --vsys 0 --vmname "${nom}" +} + +setif () { + + VBoxManage modifyvm $1 --nic${2} intnet + VBoxManage modifyvm $1 --intnet${2} $3 + VBoxManage modifyvm $1 --nictype${2} 82540EM + VBoxManage modifyvm $1 --cableconnected${2} on + VBoxManage modifyvm $1 --nicpromisc${2} allow-all +} + +create_if () { +# enp0s3 + setif $1 1 $2 + setif $1 2 $3 +#(enp0s8) +} + + +vm=$1 + +create_vm "${vm}" +if [[ "${vm}" == "s-infra" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-proxy" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "r-int" ]] ; then +# n-adm, n-link, n-wifi, n-user, n-infra + create_if "${vm}" "n-adm" "n-infra" + setif "${vm}" 2 "n-link" + setif "${vm}" 3 "n-wifi" + setif "${vm}" 4 "n-user" + setif "${vm}" 5 "n-infra" +elif [[ "${vm}" == "r-ext" ]] ; then + ./addint.r-ext +elif [[ "${vm}" == "s-mon" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-appli" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-backup" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-itil" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-nxc" ]] ; then + create_if "${vm}" "n-adm" "n-infra" +elif [[ "${vm}" == "s-fog" ]] ; then + create_if "${vm}" "n-adm" "n-infra" + setif "${vm}" 3 "n-user" +elif [[ "${vm}" == "s-DNS-ext" ]] ; then + create_if "${vm}" "n-adm" "n-dmz" +elif [[ "${vm}" == "s-web-ext" ]] ; then + create_if "${vm}" "n-adm" "n-dmz" +elif [[ "${vm}" == "s-lb" ]] ; then + create_if "${vm}" "n-adm" "n-dmz" "n-dmz-lb" +elif [[ "${vm}" == "s-web1" ]] ; then + create_if "${vm}" 
"n-adm" "n-dmz-lb" "n-dmz-db" +# setif "${vm}" 3 "n-dmz-lb" +elif [[ "${vm}" == "s-web2" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-lb" "n-dmz-db" +elif [[ "${vm}" == "s-web3" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-lb" "n-dmz-db" + # setif "${vm}" 3 "n-dmz-lb" +elif [[ "${vm}" == "s-lb-bd" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-db" +elif [[ "${vm}" == "s-nas" ]] ; then + create_if "${vm}" "n-adm" "n-dmz-db" +elif [[ "${vm}" == "r-vp1" ]] ; then + ./addint.r-vp1 +elif [[ "${vm}" == "r-vp2" ]] ; then + ./addint.r-vp2 +elif [[ "${vm}" == "s-agence" ]] ; then + create_if "${vm}" "n-adm" "n-agence" + +else + echo "$0 : vm ${vm} non prevu" + exit 2 +fi diff --git a/scripts/recup-s-lb.bash b/scripts/recup-s-lb.bash new file mode 100644 index 0000000..08323c9 --- /dev/null +++ b/scripts/recup-s-lb.bash @@ -0,0 +1,4 @@ +#!/bin/bash +while [ 1 ]; do +wget index.html http://192.168.100.10 +done diff --git a/snmp.yml b/snmp.yml new file mode 100644 index 0000000..dea70ef --- /dev/null +++ b/snmp.yml @@ -0,0 +1,7 @@ +--- +- hosts: localhost + connection: local + + roles: + - snmp-agent + diff --git a/sv/postfix/README.md b/sv/postfix/README.md new file mode 100644 index 0000000..a2785d2 --- /dev/null +++ b/sv/postfix/README.md 
@@ -0,0 +1,40 @@ +# Post-installation de Postfix + +Entrer votre adresse mail et votre mot de passe dans le fichier /etc/postfix/sasl_passwd + +``` + +nano /etc/postfix/sasl_passwd + +[smpt.gmail.com]:587 votreadresse@domaine.fr:motdepasse + +``` + +Entrer votre addresse mail dans le fichier /etc/icinga/objects/contacts_icinga.cfg + +``` + +nano /etc/icinga/objects/contacts_icinga.cfg + +define contact... + +email votreadresse@domaine.fr + +``` +Lancer la commande suivante pour prendre en compte la modification: + +``` + +/usr/sbin/postmap /etc/postfix/sasl_passwd + +``` + +Activer l'**Accès moins sécurisé des applications** depuis son compte google + +Désactiver un service puis vérifier ses mails (attendre 5 minutes entre chaque test) + +``` + +tail -f /var/log/icinga/icinga.log pour vérifier l'envoi de l'email + +``` diff --git a/sv/postfix/files/main.cf b/sv/postfix/files/main.cf new file mode 100644 index 0000000..8b2bf4f --- /dev/null +++ b/sv/postfix/files/main.cf 
@@ -0,0 +1,50 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+#smtpd_use_tls=yes
+#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+mydomain = gsb.lan
+myhostname = s-mon.gsb.lan
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname, s-mon, s-mon.gsb.lan
+relayhost = [smtp.gmail.com]:587
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/24
+#mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+default_transport = smtp
+relay_transport = smtp
+
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options =
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_use_tls = yes
+
diff --git a/sv/postfix/files/sasl_passwd b/sv/postfix/files/sasl_passwd
new file mode 100644
index 0000000..db077bd
--- /dev/null
+++ b/sv/postfix/files/sasl_passwd
@@ -0,0 +1 @@
+[smtp.gmail.com]:587 supervisiongsb@gmail.com:sio2018cst
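Review bot: `smtp_sasl_security_options =` (empty) removes Postfix's default `noplaintext, noanonymous`, and `smtp_use_tls = yes` is only opportunistic, so if STARTTLS is unavailable or stripped the relay password in sasl_passwd is sent in clear to whatever answers on `[smtp.gmail.com]:587`. Set `smtp_tls_security_level = encrypt` (the modern replacement for `smtp_use_tls`) and `smtp_sasl_security_options = noanonymous`, which still allows the PLAIN/LOGIN mechanisms Gmail requires but only inside TLS. `inet_interfaces = all` also exposes the SMTP listener on every address of s-mon although the box only relays its own monitoring mail; `inet_interfaces = loopback-only` would be sufficient unless other hosts in `172.16.0.0/24` are meant to submit through it, which the `mynetworks` line suggests may be the intent.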
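Review bot: sv/postfix/files/sasl_passwd commits a live-looking Gmail account and its password in clear text; once pushed, the credential must be treated as compromised, rotated, and purged from history. Keep this file out of the repository (`.gitignore` it) and have the role render it from a vault-encrypted variable with `mode: '0600'`, leaving only a placeholder such as `[smtp.gmail.com]:587 USER@example.com:PASSWORD` in tracked files. Google has been retiring the "less secure apps" setting the README relies on, so an app-specific password or OAuth is likely needed anyway, and that secret belongs in the vault too.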
diff --git a/sv/postfix/files/thawte_Premium_Server_CA.pem b/sv/postfix/files/thawte_Premium_Server_CA.pem new file mode 100644 index 0000000..29cf7e1 --- /dev/null +++ b/sv/postfix/files/thawte_Premium_Server_CA.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAp+gAwIBAgIQNhIilsXjOKUgodJfTNcJVDANBgkqhkiG9w0BAQUFADCB +zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ +Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE +CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh +d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl +cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIxMDEwMTIzNTk1OVow +gc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcT +CUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNV +BAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRo +YXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1z +ZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2 +aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560 +ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j ++ao6hnO2RlNYyIkFvYMRuHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/ +BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBlkKyID1bZ5jA01CbH0FDxkt5r1DmI +CSLGpmODA/eZd9iy5Ri4XWPz1HP7bJyZePFLeH0ZJMMrAoT4vCLZiiLXoPxx7JGH +IPG47LHlVYCsPVLIOQ7C8MAFT9aCdYy9X9LcdpoFEsmvcsPcJX6kTY4XpeCHf+Ga +WuFg3GQjPEIuTQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/sv/postfix/handlers/main.yml b/sv/postfix/handlers/main.yml new file mode 100644 index 0000000..84e69de --- /dev/null +++ b/sv/postfix/handlers/main.yml @@ -0,0 +1,5 @@ +--- + - name: restart postfix + service: + name: postfix + state: restarted diff --git a/sv/postfix/tasks/main.yml b/sv/postfix/tasks/main.yml new file mode 100644 index 0000000..e1c6fe8 --- /dev/null +++ b/sv/postfix/tasks/main.yml 
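Review bot: thawte_Premium_Server_CA.pem is never referenced by main.cf, which points `smtp_tls_CAfile` at the system bundle `/etc/ssl/certs/ca-certificates.crt`, and the certificate's encoded validity appears to end on 2021-01-01, before this commit's date. An unused, expired root in the role's files directory only invites someone to wire it in later; remove it, or add a one-line `files/README` note explaining why it is kept.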
@@ -0,0 +1,28 @@ +- name: Installation de postfix et de mailutils + tags: install postfix + apt: + name: + - postfix + - mailutils + state: latest + +- name: Copie du fichier sasl_passwd + tags: sasl_passwd + copy: + src: sasl_passwd + dest: /etc/postfix/sasl/ + +- name: Copie du fichier main.cf + tags: main.cf + template: + src: main.cf.j2 + dest: /etc/postfix.main.cf + +- name: Commande postmap + tags: postmap + command: postmap /etc/postfix/sasl/sasl_passwd + notify: restart postfix + +- name: message d'information pour gmail + tags: msg2 + debug: msg="Il faut activer les applications moins sécurisées sur le compte google" \ No newline at end of file diff --git a/tests/s-infra.test b/tests/s-infra.test new file mode 100755 index 0000000..f35a313 --- /dev/null +++ b/tests/s-infra.test @@ -0,0 +1,24 @@ +#!/bin/bash + +# Tests resolution directe dans gsb.lan nom court +host s-infra +host s-mon + +# Tests resolution directe nom long +host s-infra.gsb.lan +host s-mon.gsb.lan + +# Tests resolution inverse +host 172.16.0.2 +host 172.16.0.9 + +# Tests resolution hors zone +host lemonde.fr +host free.fr + +# Tests de connectivite +ping -c 2 172.16.0.254 +ping -c 2 s-adm.gsb.adm + +# Test wpad +curl wpad/wpad.dat diff --git a/tests/s-proxy.test b/tests/s-proxy.test new file mode 100755 index 0000000..a3bdbe3 --- /dev/null +++ b/tests/s-proxy.test @@ -0,0 +1,17 @@ +#!/bin/bash + +# Test wpad +curl wpad/wpad.dat + +# Verification ouverture port 8080 +netstat -ln|grep 8080 + +# Affichage access.log +tail -5 /var/log/squid3/access.log + +# Affichage cache.log +tail /var/log/squid3/cache.log + + +# Affichage curl +curl s-proxy:8080 diff --git a/user-yb.yml b/user-yb.yml new file mode 100644 index 0000000..5c50af5 --- /dev/null +++ b/user-yb.yml @@ -0,0 +1,9 @@ +--- +- hosts: localhost + connection: local + + roles: + - base + - syslog-cli + - post + - db-user diff --git a/vagrant/Vagrantfile b/vagrant/Vagrantfile new file mode 100644 index 0000000..9c4280a --- /dev/null 
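Review bot: The main.cf task writes to `dest: /etc/postfix.main.cf`, a file beside the Postfix directory rather than inside it, so the shipped configuration is never read; it should be `dest: /etc/postfix/main.cf`. The credential file is copied to `/etc/postfix/sasl/` and `postmap` is run there, but main.cf sets `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd`, so the relay has no map to read from; use the same path in both places (the README also documents `/etc/postfix/sasl_passwd`). The copy task leaves sasl_passwd and its `.db` at the default mode, so any local account can read the relay password; add `owner: root`, `group: root`, `mode: '0600'` to that `copy`. `src: main.cf.j2` is a template name, whereas this commit adds `files/main.cf`; unless the template exists elsewhere, the task will fail at run time.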
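Review bot: user-yb.yml includes the `db-user` role without the `cli_ip` variable that s-bdd.yml passes on every other use of that role (`- role: db-user` / `cli_ip: "192.168.102.1"`). If the role builds a grant from `cli_ip`, this play will either fail on the undefined variable or create a grant with an empty host pattern, so the parameter should be supplied here as well, or the role should declare a safe default.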
+++ b/vagrant/Vagrantfile @@ -0,0 +1,22 @@ +Vagrant.configure("2") do |config| + + config.vm.define "s-adm" do |sadm| + sadm.vm.box = "bento/debian-10.7" + sadm.vm.hostname = 's-adm' + sadm.vm.network :public_network, ip: "dhcp" + sadm.vm.network :private_network, ip: "192.168.99.99", mask: "24" + + config.vm.provider :virtualbox do |v| + v.memory = 512 +# v.cpus = 2 + end + end + + config.vm.define "s-infra" do |v| + v.vm.box = "bento/debian-10.7" + v.vm.hostname = 's-infra' + v.vm.network :private_network, ip: "192.168.99.1", mask: "24" + v.vm.network :private_network, ip: "172.16.0.1", mask: "24" + end +end + diff --git a/windows/README.md b/windows/README.md new file mode 100644 index 0000000..1c3b17a --- /dev/null +++ b/windows/README.md @@ -0,0 +1,15 @@ +# Création des dossiers partagés et des utilisateur + +Les fichiers .cmd lancer sur la machine s-win permet de créer les utilisateur, leurs mettres +droits et créer des dossiers partagés. + +le fichier mkusr.cmd permet de créer un autre utiliateur avec les mêmes droits que les autres. + +# Utilisation des comptes utilisateurs + +Pour vous connecter au serveurs DNS s-win il faut créer un machine dans le réseau n-user et que +cette machine puisse ping le serveur. + +Après il suffit de changer le domaine de cette machine et la redémarrer. + +suite à ça, connecter vous avec les identifiants d'un utilisateurs. diff --git a/windows/gsb-dossiers.cmd b/windows/gsb-dossiers.cmd new file mode 100644 index 0000000..dfbc281 --- /dev/null +++ b/windows/gsb-dossiers.cmd 
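Review bot: Inside the `"s-adm"` define block the provider settings are attached to the outer `config.vm.provider`, not to `sadm.vm.provider`, so `v.memory = 512` is applied to every machine in the file, including s-infra; change the block to `sadm.vm.provider :virtualbox do |v|`. The `public_network` line uses `ip: "dhcp"`, which Vagrant will read as a literal address string — DHCP is the default for `public_network` when no `ip:` is given, and the explicit form is `type: "dhcp"`. The `mask: "24"` option is probably not recognised either (the documented key is `netmask:`), so those networks may silently get the default mask; worth confirming with `vagrant up --debug`. Reusing `v` as the block variable for both the provider and the s-infra define also makes the file harder to read.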
@@ -0,0 +1,15 @@
+mkdir C:\gsb\partages
+cd C:\gsb\partages
+mkdir compta
+mkdir ventes
+mkdir public
+cd C:\gsb
+mkdir users
+
+
+for %%g in (gg-compta gg-ventes) do net group %%g /add
+
+net share compta=C:\gsb\partages\compta /grant:"Utilisateurs du domaine":FULL
+net share ventes=C:\gsb\partages\ventes /grant:"Utilisateurs du domaine":FULL
+net share commun=C:\gsb\partages\commun /grant:"Utilisateurs du domaine":FULL
+net share public=C:\gsb\partages\public /grant:"Utilisateurs du domaine":FULL
\ No newline at end of file
diff --git a/windows/mkusr-compta.cmd b/windows/mkusr-compta.cmd
new file mode 100644
index 0000000..00c956d
--- /dev/null
+++ b/windows/mkusr-compta.cmd
@@ -0,0 +1,4 @@
+call mkusr aDupont "Albert Dupon" gg-compta
+call mkusr cSeum "Claire Seum" gg-compta
+call mkusr nPaul "Nicolas Paul" gg-compta
+call mkusr atour "Alexandre Tour" gg-compta
diff --git a/windows/mkusr-ventes.cmd b/windows/mkusr-ventes.cmd
new file mode 100644
index 0000000..4ff36aa
--- /dev/null
+++ b/windows/mkusr-ventes.cmd
@@ -0,0 +1,5 @@
+@echo off
+call mkusr aDeloin "Alain Deloin" gg-ventes
+call mkusr sDel "Simon del" gg-ventes
+call mkusr aSalet "alfred Salet" gg-ventes
+call mkusr tInio "Thomas Inio" gg-ventes
\ No newline at end of file
diff --git a/windows/mkusr.cmd b/windows/mkusr.cmd
new file mode 100644
index 0000000..75fb801
--- /dev/null
+++ b/windows/mkusr.cmd
@@ -0,0 +1,7 @@
+@echo off
+echo Creation de %1 - %2
+mkdir C:\gsb\users\%1
+net user %1 Azerty1+ /fullname:%2 /homedir:\\cd\%1$ /ScriptPath:%3.cmd /add
+net share %1$=C:\gsb\users\%1
+icacls "C:\gsb\users\%1" /Grant:r %1:M /T
+net group %3 %1 /add
\ No newline at end of file
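Review bot: The `compta` and `ventes` shares are granted `FULL` to every member of "Utilisateurs du domaine", while the `gg-compta` and `gg-ventes` groups created just above are never used in any share or NTFS grant, so the department separation the groups imply does not exist on the file system. Grant the shares to the matching group (and prefer `CHANGE` over `FULL` for users who do not need to alter permissions), and set NTFS ACLs on the directories with `icacls` as mkusr.cmd does for home folders, since share-level rights alone inherit whatever `C:\gsb` allows. `net share commun=C:\gsb\partages\commun` points at a directory this script never creates (only compta, ventes and public are made), so that share will fail. The documented `net share` syntax separates the grantee and the right with a comma (`/grant:"Utilisateurs du domaine",FULL`); verify the colon form used here is accepted.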
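Review bot: mkusr.cmd creates every account with the same fixed password `Azerty1+`, which is now readable in the repository, and nothing forces a change, so all eight users in mkusr-compta.cmd and mkusr-ventes.cmd share one known credential. Add `/logonpasswordchg:yes` to the `net user ... /add` line so the password must be replaced at first logon, or take the initial password as a fourth argument instead of hard-coding it. The `/homedir:\\cd\%1$` path names a server `cd`, which looks like a placeholder for the actual file server (the share is created on the local machine with `net share %1$=...`); confirm the host name.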