From 6483da63ea2f0959db6714bcb5affe46205dfec0 Mon Sep 17 00:00:00 2001 
From: Jibril Bouhbas Date: Mon, 8 Apr 2024 09:46:22 +0200 Subject: [PATCH] =?UTF-8?q?=09nouveau=20fichier=C2=A0:=20giti.sh=20=09nouv?= =?UTF-8?q?eau=20fichier=C2=A0:=20nat.sh=20=09nouveau=20fichier=C2=A0:=20s?= =?UTF-8?q?iotp-main(3).zip=20=09nouveau=20fichier=C2=A0:=20siotp/README.m?= =?UTF-8?q?d=20=09nouveau=20fichier=C2=A0:=20siotp/automate.sh=20=09nouvea?= =?UTF-8?q?u=20fichier=C2=A0:=20siotp/sisr1/README.md=20=09nouveau=20fichi?= =?UTF-8?q?er=C2=A0:=20siotp/sisr1/tp01-02/README.md=20=09nouveau=20fichie?= =?UTF-8?q?r=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdhcp/README.md=20=09nouv?= =?UTF-8?q?eau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdhcp/dhcpd.c?= =?UTF-8?q?onf=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files?= =?UTF-8?q?=5Fdhcp/hosts=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp01-?= =?UTF-8?q?02/files=5Fdhcp/interfaces=20=09nouveau=20fichier=C2=A0:=20siot?= =?UTF-8?q?p/sisr1/tp01-02/files=5Fdhcp/isc-dhcp-server=20=09nouveau=20fic?= =?UTF-8?q?hier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdhcp/nat.sh=20=09nouv?= =?UTF-8?q?eau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns1/README.?= =?UTF-8?q?md=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5F?= =?UTF-8?q?dns1/db.sio1lab.lan=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1?= =?UTF-8?q?/tp01-02/files=5Fdns1/db.sio1lab.lan.rev=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns1/hosts=20=09nouveau?= =?UTF-8?q?=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns1/interfaces?= =?UTF-8?q?=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdn?= =?UTF-8?q?s1/named.conf.local=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1?= =?UTF-8?q?/tp01-02/files=5Fdns1/named.conf.options=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns1/resolv.conf=20=09nou?= =?UTF-8?q?veau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns2/README?= =?UTF-8?q?.md=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files?= 
=?UTF-8?q?=5Fdns2/db.sio1lab.lan=20=09nouveau=20fichier=C2=A0:=20siotp/si?= =?UTF-8?q?sr1/tp01-02/files=5Fdns2/db.sio1lab.lan.rev=20=09nouveau=20fich?= =?UTF-8?q?ier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns2/hosts=20=09nouvea?= =?UTF-8?q?u=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns2/interface?= =?UTF-8?q?s=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp01-02/files=5Fd?= =?UTF-8?q?ns2/named.conf.local=20=09nouveau=20fichier=C2=A0:=20siotp/sisr?= =?UTF-8?q?1/tp01-02/files=5Fdns2/named.conf.options=20=09nouveau=20fichie?= =?UTF-8?q?r=C2=A0:=20siotp/sisr1/tp01-02/files=5Fdns2/resolv.conf=20=09no?= =?UTF-8?q?uveau=20fichier=C2=A0:=20siotp/sisr1/tp03/README.md=20=09nouvea?= =?UTF-8?q?u=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fadmin/README.md?= =?UTF-8?q?=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fadmin?= =?UTF-8?q?/hostname=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/file?= =?UTF-8?q?s=5Fadmin/hosts=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp0?= =?UTF-8?q?3/files=5Fadmin/interfaces=20=09nouveau=20fichier=C2=A0:=20siot?= =?UTF-8?q?p/sisr1/tp03/files=5Fadmin/nat.sh=20=09nouveau=20fichier=C2=A0:?= =?UTF-8?q?=20siotp/sisr1/tp03/files=5Fadmin/resolv.conf=20=09nouveau=20fi?= =?UTF-8?q?chier=C2=A0:=20siotp/sisr1/tp03/files=5Fdns2/README.md=20=09nou?= =?UTF-8?q?veau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fdns2/db.monlab?= =?UTF-8?q?o.lan=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5F?= =?UTF-8?q?dns2/db.monlabo.lan.rev=20=09nouveau=20fichier=C2=A0:=20siotp/s?= =?UTF-8?q?isr1/tp03/files=5Fdns2/hostname=20=09nouveau=20fichier=C2=A0:?= =?UTF-8?q?=20siotp/sisr1/tp03/files=5Fdns2/hosts=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp03/files=5Fdns2/named.conf=20=09nouveau?= =?UTF-8?q?=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fdns2/named.conf.lo?= =?UTF-8?q?cal=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fdn?= =?UTF-8?q?s2/named.conf.options=20=09nouveau=20fichier=C2=A0:=20siotp/sis?= 
=?UTF-8?q?r1/tp03/files=5Fdns2/resolv.conf=20=09nouveau=20fichier=C2=A0:?= =?UTF-8?q?=20siotp/sisr1/tp03/files=5Fservice/README.md=20=09nouveau=20fi?= =?UTF-8?q?chier=C2=A0:=20siotp/sisr1/tp03/files=5Fservice/db.monlabo.lan?= =?UTF-8?q?=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fservi?= =?UTF-8?q?ce/db.monlabo.lan.rev=20=09nouveau=20fichier=C2=A0:=20siotp/sis?= =?UTF-8?q?r1/tp03/files=5Fservice/dhclient.conf=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp03/files=5Fservice/dhcpd.conf=20=09nouv?= =?UTF-8?q?eau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fservice/hostnam?= =?UTF-8?q?e=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fserv?= =?UTF-8?q?ice/hosts=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/file?= =?UTF-8?q?s=5Fservice/interfaces=20=09nouveau=20fichier=C2=A0:=20siotp/si?= =?UTF-8?q?sr1/tp03/files=5Fservice/isc-dhcp-server=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp03/files=5Fservice/named.conf=20=09nouv?= =?UTF-8?q?eau=20fichier=C2=A0:=20siotp/sisr1/tp03/files=5Fservice/named.c?= =?UTF-8?q?onf.local=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp03/file?= =?UTF-8?q?s=5Fservice/named.conf.options=20=09nouveau=20fichier=C2=A0:=20?= =?UTF-8?q?siotp/sisr1/tp03/files=5Fservice/resolv.conf=20=09nouveau=20fic?= =?UTF-8?q?hier=C2=A0:=20siotp/sisr1/tp04/README.md=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp04/auto=5Fnat/README.md=20=09nouveau=20?= =?UTF-8?q?fichier=C2=A0:=20siotp/sisr1/tp04/auto=5Fnat/nat.service=20=09n?= =?UTF-8?q?ouveau=20fichier=C2=A0:=20siotp/sisr1/tp04/scripts=5Fand=5Ffile?= =?UTF-8?q?s/README.md=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp04/sc?= =?UTF-8?q?ripts=5Fand=5Ffiles/Users.csv=20=09nouveau=20fichier=C2=A0:=20s?= =?UTF-8?q?iotp/sisr1/tp04/scripts=5Fand=5Ffiles/createLogins.sh=20=09nouv?= =?UTF-8?q?eau=20fichier=C2=A0:=20siotp/sisr1/tp04/scripts=5Fand=5Ffiles/c?= =?UTF-8?q?reateUsers.sh=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp04/?= 
=?UTF-8?q?scripts=5Fand=5Ffiles/logins.csv=20=09nouveau=20fichier=C2=A0:?= =?UTF-8?q?=20siotp/sisr1/tp04/scripts=5Fand=5Ffiles/remoteCreation.sh=20?= =?UTF-8?q?=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp05/README.md=20=09n?= =?UTF-8?q?ouveau=20fichier=C2=A0:=20siotp/sisr1/tp05/deployment=5Fsamba.s?= =?UTF-8?q?h=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp05/smb.conf=20?= =?UTF-8?q?=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp06/README.md=20=09n?= =?UTF-8?q?ouveau=20fichier=C2=A0:=20siotp/sisr1/tp06/files=5Fadmin/README?= =?UTF-8?q?.md=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp06/files=5Fad?= =?UTF-8?q?min/dnsfwd.service=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/?= =?UTF-8?q?tp06/files=5Fadmin/dnsfwd.sh=20=09nouveau=20fichier=C2=A0:=20si?= =?UTF-8?q?otp/sisr1/tp06/files=5Fadmin/squid=5Fv1.conf=20=09nouveau=20fic?= =?UTF-8?q?hier=C2=A0:=20siotp/sisr1/tp06/files=5Fadmin/squid=5Fv2.conf=20?= =?UTF-8?q?=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp06/files=5Fadmin/sq?= =?UTF-8?q?uid=5Fv3.conf=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp06/?= =?UTF-8?q?files=5Fadmin/squid=5Fv4.conf=20=09nouveau=20fichier=C2=A0:=20s?= =?UTF-8?q?iotp/sisr1/tp06/files=5Fadmin/squid=5Fv5=5Fauth.conf=20=09nouve?= =?UTF-8?q?au=20fichier=C2=A0:=20siotp/sisr1/tp07/files=5Ffirewall/current?= =?UTF-8?q?=5Fruleset=5Fpartie=5F1.nft=20=09nouveau=20fichier=C2=A0:=20sio?= =?UTF-8?q?tp/sisr1/tp07/files=5Ffirewall/current=5Fruleset=5Fpartie=5F2.n?= =?UTF-8?q?ft=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp07/files=5Ffir?= =?UTF-8?q?ewall/current=5Fruleset=5Fpartie=5F3.nft=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp07/files=5Ffirewall/current=5Fruleset?= =?UTF-8?q?=5Fpartie=5F4.nft=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/t?= =?UTF-8?q?p07/files=5Ffirewall/interfaces=20=09nouveau=20fichier=C2=A0:?= =?UTF-8?q?=20siotp/sisr1/tp07/files=5Ffirewall/proxy.conf=20=09nouveau=20?= =?UTF-8?q?fichier=C2=A0:=20siotp/sisr1/tp07/files=5Ffirewall/refresh=5Ffi?= 
=?UTF-8?q?rewall.sh=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp07/file?= =?UTF-8?q?s=5Ffirewall/resolv.conf=20=09nouveau=20fichier=C2=A0:=20siotp/?= =?UTF-8?q?sisr1/tp07/files=5Fpclan/interfaces=20=09nouveau=20fichier?= =?UTF-8?q?=C2=A0:=20siotp/sisr1/tp07/files=5Fpclan/resolv.conf=20=09nouve?= =?UTF-8?q?au=20fichier=C2=A0:=20siotp/sisr1/tp07/files=5Fpcnet/interfaces?= =?UTF-8?q?=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp07/files=5Fpcnet?= =?UTF-8?q?/resolv.conf=20=09nouveau=20fichier=C2=A0:=20siotp/sisr1/tp07/f?= =?UTF-8?q?iles=5Fsrvweb/interfaces=20=09nouveau=20fichier=C2=A0:=20siotp/?= =?UTF-8?q?sisr1/tp07/files=5Fsrvweb/resolv.conf?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- giti.sh | 6 + nat.sh | 6 + siotp-main(3).zip | Bin 0 -> 550035 bytes siotp/README.md | 1 + siotp/automate.sh | 5 + siotp/sisr1/README.md | 1 + siotp/sisr1/tp01-02/README.md | 2 + siotp/sisr1/tp01-02/files_dhcp/README.md | 1 + siotp/sisr1/tp01-02/files_dhcp/dhcpd.conf | 116 + siotp/sisr1/tp01-02/files_dhcp/hosts | 8 + siotp/sisr1/tp01-02/files_dhcp/interfaces | 18 + .../sisr1/tp01-02/files_dhcp/isc-dhcp-server | 18 + siotp/sisr1/tp01-02/files_dhcp/nat.sh | 6 + siotp/sisr1/tp01-02/files_dns1/README.md | 1 + siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan | 33 + .../tp01-02/files_dns1/db.sio1lab.lan.rev | 28 + siotp/sisr1/tp01-02/files_dns1/hosts | 7 + siotp/sisr1/tp01-02/files_dns1/interfaces | 14 + .../sisr1/tp01-02/files_dns1/named.conf.local | 21 + .../tp01-02/files_dns1/named.conf.options | 25 + siotp/sisr1/tp01-02/files_dns1/resolv.conf | 2 + siotp/sisr1/tp01-02/files_dns2/README.md | 1 + siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan | 20 + .../tp01-02/files_dns2/db.sio1lab.lan.rev | 18 + siotp/sisr1/tp01-02/files_dns2/hosts | 7 + siotp/sisr1/tp01-02/files_dns2/interfaces | 14 + .../sisr1/tp01-02/files_dns2/named.conf.local | 25 + .../tp01-02/files_dns2/named.conf.options | 25 + siotp/sisr1/tp01-02/files_dns2/resolv.conf | 2 + 
siotp/sisr1/tp03/README.md | 2 + siotp/sisr1/tp03/files_admin/README.md | 1 + siotp/sisr1/tp03/files_admin/hostname | 1 + siotp/sisr1/tp03/files_admin/hosts | 7 + siotp/sisr1/tp03/files_admin/interfaces | 18 + siotp/sisr1/tp03/files_admin/nat.sh | 6 + siotp/sisr1/tp03/files_admin/resolv.conf | 4 + siotp/sisr1/tp03/files_dns2/README.md | 1 + siotp/sisr1/tp03/files_dns2/db.monlabo.lan | 36 + .../sisr1/tp03/files_dns2/db.monlabo.lan.rev | 23 + siotp/sisr1/tp03/files_dns2/hostname | 1 + siotp/sisr1/tp03/files_dns2/hosts | 7 + siotp/sisr1/tp03/files_dns2/named.conf | 11 + siotp/sisr1/tp03/files_dns2/named.conf.local | 26 + .../sisr1/tp03/files_dns2/named.conf.options | 25 + siotp/sisr1/tp03/files_dns2/resolv.conf | 3 + siotp/sisr1/tp03/files_service/README.md | 1 + siotp/sisr1/tp03/files_service/db.monlabo.lan | 36 + .../tp03/files_service/db.monlabo.lan.rev | 25 + siotp/sisr1/tp03/files_service/dhclient.conf | 55 + siotp/sisr1/tp03/files_service/dhcpd.conf | 114 + siotp/sisr1/tp03/files_service/hostname | 1 + siotp/sisr1/tp03/files_service/hosts | 7 + siotp/sisr1/tp03/files_service/interfaces | 14 + .../sisr1/tp03/files_service/isc-dhcp-server | 18 + siotp/sisr1/tp03/files_service/named.conf | 11 + .../sisr1/tp03/files_service/named.conf.local | 21 + .../tp03/files_service/named.conf.options | 25 + siotp/sisr1/tp03/files_service/resolv.conf | 3 + siotp/sisr1/tp04/README.md | 2 + siotp/sisr1/tp04/auto_nat/README.md | 2 + siotp/sisr1/tp04/auto_nat/nat.service | 9 + siotp/sisr1/tp04/scripts_and_files/README.md | 1 + siotp/sisr1/tp04/scripts_and_files/Users.csv | 30 + .../tp04/scripts_and_files/createLogins.sh | 17 + .../tp04/scripts_and_files/createUsers.sh | 18 + siotp/sisr1/tp04/scripts_and_files/logins.csv | 30 + .../tp04/scripts_and_files/remoteCreation.sh | 8 + siotp/sisr1/tp05/README.md | 1 + siotp/sisr1/tp05/deployment_samba.sh | 18 + siotp/sisr1/tp05/smb.conf | 285 + siotp/sisr1/tp06/README.md | 1 + siotp/sisr1/tp06/files_admin/README.md | 1 + 
siotp/sisr1/tp06/files_admin/dnsfwd.service | 7 + siotp/sisr1/tp06/files_admin/dnsfwd.sh | 7 + siotp/sisr1/tp06/files_admin/squid_v1.conf | 9158 ++++++++++++++++ siotp/sisr1/tp06/files_admin/squid_v2.conf | 9158 ++++++++++++++++ siotp/sisr1/tp06/files_admin/squid_v3.conf | 9161 ++++++++++++++++ siotp/sisr1/tp06/files_admin/squid_v4.conf | 9165 ++++++++++++++++ .../sisr1/tp06/files_admin/squid_v5_auth.conf | 9174 +++++++++++++++++ .../current_ruleset_partie_1.nft | 17 + .../current_ruleset_partie_2.nft | 25 + .../current_ruleset_partie_3.nft | 42 + .../current_ruleset_partie_4.nft | 68 + siotp/sisr1/tp07/files_firewall/interfaces | 25 + siotp/sisr1/tp07/files_firewall/proxy.conf | 3 + .../tp07/files_firewall/refresh_firewall.sh | 7 + siotp/sisr1/tp07/files_firewall/resolv.conf | 4 + siotp/sisr1/tp07/files_pclan/interfaces | 14 + siotp/sisr1/tp07/files_pclan/resolv.conf | 4 + siotp/sisr1/tp07/files_pcnet/interfaces | 14 + siotp/sisr1/tp07/files_pcnet/resolv.conf | 4 + siotp/sisr1/tp07/files_srvweb/interfaces | 14 + siotp/sisr1/tp07/files_srvweb/resolv.conf | 4 + 93 files changed, 47432 insertions(+) create mode 100644 giti.sh create mode 100755 nat.sh create mode 100644 siotp-main(3).zip create mode 100644 siotp/README.md create mode 100644 siotp/automate.sh create mode 100644 siotp/sisr1/README.md create mode 100644 siotp/sisr1/tp01-02/README.md create mode 100644 siotp/sisr1/tp01-02/files_dhcp/README.md create mode 100755 siotp/sisr1/tp01-02/files_dhcp/dhcpd.conf create mode 100755 siotp/sisr1/tp01-02/files_dhcp/hosts create mode 100755 siotp/sisr1/tp01-02/files_dhcp/interfaces create mode 100644 siotp/sisr1/tp01-02/files_dhcp/isc-dhcp-server create mode 100755 siotp/sisr1/tp01-02/files_dhcp/nat.sh create mode 100644 siotp/sisr1/tp01-02/files_dns1/README.md create mode 100755 siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan create mode 100755 siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan.rev create mode 100755 siotp/sisr1/tp01-02/files_dns1/hosts create mode 100755 
siotp/sisr1/tp01-02/files_dns1/interfaces create mode 100755 siotp/sisr1/tp01-02/files_dns1/named.conf.local create mode 100755 siotp/sisr1/tp01-02/files_dns1/named.conf.options create mode 100755 siotp/sisr1/tp01-02/files_dns1/resolv.conf create mode 100644 siotp/sisr1/tp01-02/files_dns2/README.md create mode 100755 siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan create mode 100755 siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan.rev create mode 100755 siotp/sisr1/tp01-02/files_dns2/hosts create mode 100755 siotp/sisr1/tp01-02/files_dns2/interfaces create mode 100755 siotp/sisr1/tp01-02/files_dns2/named.conf.local create mode 100755 siotp/sisr1/tp01-02/files_dns2/named.conf.options create mode 100755 siotp/sisr1/tp01-02/files_dns2/resolv.conf create mode 100644 siotp/sisr1/tp03/README.md create mode 100644 siotp/sisr1/tp03/files_admin/README.md create mode 100644 siotp/sisr1/tp03/files_admin/hostname create mode 100644 siotp/sisr1/tp03/files_admin/hosts create mode 100644 siotp/sisr1/tp03/files_admin/interfaces create mode 100755 siotp/sisr1/tp03/files_admin/nat.sh create mode 100644 siotp/sisr1/tp03/files_admin/resolv.conf create mode 100644 siotp/sisr1/tp03/files_dns2/README.md create mode 100644 siotp/sisr1/tp03/files_dns2/db.monlabo.lan create mode 100644 siotp/sisr1/tp03/files_dns2/db.monlabo.lan.rev create mode 100644 siotp/sisr1/tp03/files_dns2/hostname create mode 100644 siotp/sisr1/tp03/files_dns2/hosts create mode 100644 siotp/sisr1/tp03/files_dns2/named.conf create mode 100644 siotp/sisr1/tp03/files_dns2/named.conf.local create mode 100644 siotp/sisr1/tp03/files_dns2/named.conf.options create mode 100644 siotp/sisr1/tp03/files_dns2/resolv.conf create mode 100644 siotp/sisr1/tp03/files_service/README.md create mode 100644 siotp/sisr1/tp03/files_service/db.monlabo.lan create mode 100644 siotp/sisr1/tp03/files_service/db.monlabo.lan.rev create mode 100644 siotp/sisr1/tp03/files_service/dhclient.conf create mode 100644 siotp/sisr1/tp03/files_service/dhcpd.conf 
create mode 100644 siotp/sisr1/tp03/files_service/hostname create mode 100644 siotp/sisr1/tp03/files_service/hosts create mode 100644 siotp/sisr1/tp03/files_service/interfaces create mode 100644 siotp/sisr1/tp03/files_service/isc-dhcp-server create mode 100644 siotp/sisr1/tp03/files_service/named.conf create mode 100644 siotp/sisr1/tp03/files_service/named.conf.local create mode 100644 siotp/sisr1/tp03/files_service/named.conf.options create mode 100644 siotp/sisr1/tp03/files_service/resolv.conf create mode 100644 siotp/sisr1/tp04/README.md create mode 100644 siotp/sisr1/tp04/auto_nat/README.md create mode 100644 siotp/sisr1/tp04/auto_nat/nat.service create mode 100644 siotp/sisr1/tp04/scripts_and_files/README.md create mode 100644 siotp/sisr1/tp04/scripts_and_files/Users.csv create mode 100644 siotp/sisr1/tp04/scripts_and_files/createLogins.sh create mode 100644 siotp/sisr1/tp04/scripts_and_files/createUsers.sh create mode 100644 siotp/sisr1/tp04/scripts_and_files/logins.csv create mode 100644 siotp/sisr1/tp04/scripts_and_files/remoteCreation.sh create mode 100644 siotp/sisr1/tp05/README.md create mode 100644 siotp/sisr1/tp05/deployment_samba.sh create mode 100644 siotp/sisr1/tp05/smb.conf create mode 100644 siotp/sisr1/tp06/README.md create mode 100644 siotp/sisr1/tp06/files_admin/README.md create mode 100644 siotp/sisr1/tp06/files_admin/dnsfwd.service create mode 100644 siotp/sisr1/tp06/files_admin/dnsfwd.sh create mode 100644 siotp/sisr1/tp06/files_admin/squid_v1.conf create mode 100644 siotp/sisr1/tp06/files_admin/squid_v2.conf create mode 100644 siotp/sisr1/tp06/files_admin/squid_v3.conf create mode 100644 siotp/sisr1/tp06/files_admin/squid_v4.conf create mode 100644 siotp/sisr1/tp06/files_admin/squid_v5_auth.conf create mode 100644 siotp/sisr1/tp07/files_firewall/current_ruleset_partie_1.nft create mode 100644 siotp/sisr1/tp07/files_firewall/current_ruleset_partie_2.nft create mode 100644 siotp/sisr1/tp07/files_firewall/current_ruleset_partie_3.nft create 
mode 100644 siotp/sisr1/tp07/files_firewall/current_ruleset_partie_4.nft create mode 100644 siotp/sisr1/tp07/files_firewall/interfaces create mode 100644 siotp/sisr1/tp07/files_firewall/proxy.conf create mode 100644 siotp/sisr1/tp07/files_firewall/refresh_firewall.sh create mode 100644 siotp/sisr1/tp07/files_firewall/resolv.conf create mode 100644 siotp/sisr1/tp07/files_pclan/interfaces create mode 100644 siotp/sisr1/tp07/files_pclan/resolv.conf create mode 100644 siotp/sisr1/tp07/files_pcnet/interfaces create mode 100644 siotp/sisr1/tp07/files_pcnet/resolv.conf create mode 100644 siotp/sisr1/tp07/files_srvweb/interfaces create mode 100644 siotp/sisr1/tp07/files_srvweb/resolv.conf
diff --git a/giti.sh b/giti.sh
new file mode 100644
index 0000000..44f09dd
--- /dev/null
+++ b/giti.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+git pull
+git add .
+git commit
+git push
diff --git a/nat.sh b/nat.sh
new file mode 100755
index 0000000..dd4845e
--- /dev/null
+++ b/nat.sh
@@ -0,0 +1,6 @@
+echo "1" > /proc/sys/net/ipv4/ip_forward
+ nft add table basic_nat_table
+ nft add chain basic_nat_table prerouting {type nat hook prerouting priority 0 \; }
+ nft add chain basic_nat_table postrouting {type nat hook postrouting priority 0 \; }
+ nft add rule basic_nat_table postrouting masquerade
+
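Review bot: The script has no `set -e`, so `git push` on the last line still runs when `git pull` fails on a conflict or `git commit` is aborted with an empty message; add `set -euo pipefail` directly after the shebang. `git add .` also stages every untracked file in the working tree, which is presumably how the 550035-byte `siotp-main(3).zip` listed in this commit's diffstat ended up in the history; a `.gitignore` covering archives and editor files, or staging named paths instead of `.`, keeps binaries and stray local files out of the repository. A one-line header such as `# pull, stage everything, commit interactively, push` would also make the intent explicit.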
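Review bot: The masquerade rule on the last nft line matches every packet leaving the host on any interface, and `nft add rule` appends another copy each time the script runs, so reruns accumulate duplicate rules; scope it to the uplink and reset the chain first, e.g. `nft flush chain basic_nat_table postrouting` followed by `nft add rule basic_nat_table postrouting oifname "<wan-iface>" masquerade` (the interface name is a placeholder to fill in). The file is committed with mode 100755 but has no interpreter line, so `#!/bin/sh` should be the first line. The write to `/proc/sys/net/ipv4/ip_forward` is lost at reboot, with a `net.ipv4.ip_forward = 1` entry under `/etc/sysctl.d/` being the durable form, and the unquoted `{type nat hook prerouting priority 0 \; }` is fragile shell; quoting the whole block as `'{ type nat hook prerouting priority 0; }'` avoids the escaped semicolon.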
diff --git a/siotp-main(3).zip b/siotp-main(3).zip new file mode 100644 index 0000000000000000000000000000000000000000..532d632b38b17e808e54e8b57b747a4df5bd6dc1 GIT binary patch literal 550035 zcmeFZ1yG&I);5X<4esvl?(Xgq+}&LgBuH=%?gS?|1P$&E!3pjVT!Q_Z$(fv)BqLva z_g3Ai`|s3Br7C;(+w1A>)z7k5K^hbc8tCaWVgFj=w}1TSF9;wgASVkuXM1{86>uQn z;kVCC75?*O$lty!0Aa9^4*2pBK;XZBSxHn-L{^l}#`ycMSR*T+cM`ygyxOdzQGFm5 zt}kwak*km*WFk|1Y!y)HkGnWp=JiLZAudJ2%(${W+Y`Ll=F|J8+VI~Lr8@* z3Yb8@kN-2iu;0gbvT$-_{410Pqa?fq0Miix28;W5X$w6xDfd%8n1 z8n?^$`bulhd2orgi@VNN6bDP6Db8P3cJ0QiFbW>?h|(fXI!iI(k!NYj$X81c@~Ug$ zO|WT%-IaRiHdFbE?u_-I_upuT{})pvBAQb;R%FjAG z4Gu}ts!0seD?Ke01s&C-Y`+BEn5?`iqhNPzzC8!5R!Al&^V4c> zVSennxr2Rmd+cO*J#F8J9eA<-qqVx z@uZ?nZjK(&tbpGxLaM0_yjv(=lbfAtNpD2XZ)Art&_Vs;DA zbX8?Uw9w!ef{x_3Eu4BE6Y8HeYh+W=TWi;uVjGm1`KiDjG@?OpJfzA8&Um#1ww4_w zf9!#nVr;6P-Kc)^Ngs%1_jUbjh&2NB-VNP-*) zwu>fCmc!M5)?iFExwjj6kbKFgUDmC?Z+*;@Ngtd#2vTYGVuX&nA5>Xe)>q1GF z#R6pBDOaX-bWvWJP7SVcs558iX>_638XTrHTrU^-hlB0xBVE%y?9wDpScfO8 z8(r?~)!KT*#Uap?MW?w3AFi)Y&dAm3kW$XEbmGjsP>49Nk`Y}&Uh5DK1|3G@V_Cp} zgBV1;B4jKcMA1g)?-XpN*ReQkTs=ue7PFPd(8L@rK|c0o(G&7-r=+KTjHaog=sfb{n4&cxO@ zscjC_B)-xC9NYq(YtKrjrdc!fU8C6zZq>9HC+5i&T44B`+;yyvlq&-$Eo6AEbM1uE z)!R@i(tI9Egn0}~cB61D|A`h;N()|dT2a&z?>i)FLYMYLOHu&Zah|86L$`f$s0oaH|Dr#DgifVYw3Xtl zyHu;RxZ8WnB0mxlLwn}UPvQA$?!a#ZWW&&48JGhE5n^+cT~%x^N`~xvkMW? 
ztw6?Gp1A|b9$3Tf6G(f*xIE5Wer(WgTHV6TV{y6{t)Whzvm1TaYIBZFo~e#qWrcrj z+qyYwKr+`8UvFknV4Fqj?8f5A&KgJXdnbyP2`Wqsd>gC8lc9FFEYF6A8OFVf6~!+2 z#cCI}yH8%cOQQ=)@{qeE#08jwqG(n3rIOXUasF86E=XJMYW8|YVrS###@h?k9;`(jaRs&OyWFy%OFcG5+T7^FGR4}h&5PNFCvI8Uv3ukLSj}^ z8iR3>-kloTqX%}b>FA@i1i!A%9nqS|`f&DoA_@OJP*5Ic4N6aTnkaH1H!e8h2QkHz zWkrX3)Qj3o^FE;?Go3^6)#cN-2xHt^y=U8c4psO83FdTm6_AvYV&!p z@^;zk4N7X-J%8WX;K%e&Hm`<8QIkB`sky-W-9g^2u4jJ{-R|f@)(h2qiHYQV^eSXW z2ipCivVkv)m;4drcaHMy=4h)BqbdSiX4JqyKqUWsbC}yXIXiv7G<2e5k^C88182@r zk{#fLxnZf;?YBE%;+3+HQsu%NePD?DqDxOVTkh-~MoyD>1eK7ypo!P9tvoj;KrFxxRQ|-}FjKVS-klkFTP5ZSd$2pP^hP3iX3lv0tqXooOd5X-+=J!?SK^-WKsg z(Ayt$Udj(QIs@q32+;Xo+?E!$&L)ng21X|TRoo|9Pp*>zwkPwgvc?_^fy5*1SOXCG zEcoJ-PHw(KLPLqC*Mv)e6oGE(?8Ds|x|#if_3KYu{y{lVb?+c25ZzC1CjdW^1;FP50t7_&&)der$%yuebkI7PIJ%lRe&0YgG3}NB z9D_y&l|weh&=T_kkb1;0@+~y!Wi{OJbxWs$Xhy6_P3-u&ck8MyiHvuJAL%)LVW~e& z8)qqDh=!<_TBEVFJVBv_$imJ1g${+Py&a*=E8j96emZ5mi!bD>Te7RYzkdInre&?OlCr zCT4}VC)8b$-enwc#f0<-spND8mdZZTdN_t*iWs+jJP8qfL%#|$;STJBzk#M-%d1&6 z0)_SUF&vg)pLOM1|i8SM5b;nt}N>ZKx}Vuj^f0){x?{Fz)y z$q}QKxhK`a!dv|*3r2%1#INDKXy@i9(<7X*eJyle!eHPM9mjOxST~#z+ckOVv{@&X zT(s)t@v$8)F5YfWcYU~r`18RoJndSE1Z;9Dz$%gc^9tD-IRDY%35;ro?qEO=`Enmx zyIkhaej@+6%0j70quQZb(f|4j1iVthnu)&qP=F>KmT)U0MlcoGAcE6@GuRhr(bY!U z@k<(Zl&1IWE}LH9HE1ZqJ6S`8R=k$Cdv^115)Y|D2;^z;cZf$R0RjH{`h2pI2!@2i z6+xZP@gC!GTt+wros=Zo$oYcI!ryLym6c@tuG!CS)ju$KTc^MDv>4sBbN(fhe;VcA zF?njXssAODA9O=8BLytk7r?=y{rhEmnwGI49l&d6v^FrLvo^5(ey&`iDs2N8P(;mc zsh7vHaSi95XN%C}TLekaCP=;f=nJI))|XX$e>+cRDPfNef5r3JO*cf?ov({NI!sYO zkrgRaPH@sBXWVY4favyhF>XGU2$@63m&jiA4Q2W)6#i`C@YpNJO(vbq!;fm@l0n5r z5fYNbS|G*yJ^LGY#IJ!G+Lqm;+CP2HLO?2_8czd0qZH-3iw=wx=FG2nkQTo%Vmhj% z&8)h2)1$O_2KqS{11Fve^9||N+tWrjsPtFdlr7Fp6^t|85C>~JHc_T-`o!MC z?~q|vVLE8XUsKsWmWBQI+C!WPfhzn3fqW6;4k`p}BQ-GRt+ zv~EUWOrJd^COD_TAWIi<%VtA%CO_u#-kQ=Wkk~u!-Ft~Kf;<%dET8b$dR!`%I;y?M zvdB>9MguX^uD%pso0OL+i-xZefYA44?eT59Aw;7oO7d?&WfVfS-4*gxbzI~Od?dYY znT>h$U%VXAZGB-gU4#+ptJL6RP#Re^qX(T~tV?PC2?M^-;q?7sxKq?Ra?$ChnCvFu 
z5kCe*Bq@vnca{UAAn_)?t(lXkPo3?X=S2B4honP{uAagV8F*tmNR#`Vy^?0TZ_;*3 ztB+;m%+(yVs?&Wv_+Iut&NQFF{26d|>Fe`MfPs1d$UiWTr=9)-^N19D?$3ZAI&+B< z*YM5&D_{U_@xw6)IJ8QS++>dS=fn^gQ?QkM4B3#iA2h8UOk4X5 z(9#yLz5ao3JZbt1zF`ynLatK)ROT73+cB!yF1`gmB-H8}Z^EB^*4z95}P&*1F_2uiK6 z|APJuDw5yV+>?uirq4HxMI~F^HqS5p!DkjCf23y$>-+`N0Jt0haMAzsNwhVvG5HqE zptH6!GO+%B4g;hALoP0qLo(RC<_u~!8d^dOsf#|wg&v?xjJv%@##qv?$nARn<@OLk z8}c~Yw@Tns2xiVe-=wvMCb*pO6p?L&jw&P)cDIx*_GMu0AjfrhRWN;h$zbvdvNY-b zlI_MKlbWE$nRn%V^8uhHV!ZV0%aVl@VIb zkzSlYTMGv01nD?pLZkQqX&NFCR+%eQ>E!M-Ma8D(H_b5UOWfU^$SY^!1VY;FC%A-@ zA&%M?hz$>zJBdv<>VLW1zmTHjz#&YJLDU9=6F!_M@qLcwf5bo()mOPF z%awu_HDi8hDee!n)Gi7TCi zU-!%XfXb_R<583FxgDR{mZ)ercQSetOTp&pq0sUanP& zE%1#E)r!f1J_WI#gzBG9i=&B?owe(qV}DL2298GN1b-kB&`&$%8&@Y_WMZdd0Q_Nu z{_}$Y&-?!QM;i8*k>do1Pe)>aasEX>)z*pWU(>LOf1+Xb=YU8mAfWn8i4eHk^M`P1 zUU)104Pa9E|AvGy{Ur&DmbdF5zz7~ard$?=UlIffDScPaLlf4o7PpIDNd4l?y^%om z&Ec~t>#}qlj^@#*V0@9(`inEJXa2cMN8lu=Q27+#5PDL$71OvSVZ23QXoTnswoEF; z_oddfsXkOpD_}A+={<26#Ptnn^j$_(@h}qYRJmb|naq-uuM_+g@x|t#4WU%s*e(f0 zw%Xnxa3;fa(SUi5fWJ89i}nA?XPHZYmVG-NEpg%|nfqcX4f_j4m^415S8K~{DdX1T zD(nZe*Zr>n%qu+-BeMLFhYKrh`gWYNAXYH5$aZWC&G8_iyn|{~H*;*|`GJek*e&l$ z{l}&g_}}-*H)4fQ&v6L^uu(MshFJXw=1;_`lK@4`%srIb-ToOdokJn9d~&gbsuJl- zU?lU1J^ob@o8?xvNG)zTOpNR2!C#OLE>qtQqhY{R9iWm#A&*ExL+bT-D~%|S!K(Yu zQ7LJ0zthf@a9gc-fou~QQ?3=x2Ww>$5y({~qzbF8lUYDcNV1D zp)})KB|jJLlXBp``68T0yy-)+^8>DZBJBhJnm;l9Eq}_65Zr_~(suU){)s=mKi5pO znD%QB#o`hXiUfr$ju1G$5dw0=6y93=H~fi-{tu+!&-^Jr zru`|%^%R`Z;I1~F1BN?r*v$TMEFbbHi zDWlhX{U6u!G&rErB#Xp`u$o8-Axo#wnaXBO<@gNEhzHP)OqCO<1tU2o`>i1&S=S2B z%Z;GuoG-mv$>@?`EP}YN-v(TaiZ|6itjHgqV3bEMMW6eFL$|z*E2<8L8`QpPv%Z9@ z%+YYg@YkB6en5*;an}%-$c$C9czC~K6+7gIQj9nVxha#d7Io;qsCy0Nu5k;KrF22X zU;=%?r7@95O|l!(QGZEUYr4CR@-l=yWjb4LZhFr9halH|c)t020En9ZhF$#$$bZ4E z+Wnu{6(ux^7m(I(>`DT_u4bRu6&bujr!V2jSug*vPt^f&^LzCkh>16yu<({$SuA_Z zMV~y+D)io~OSP{;?#lRm6cgYGeSAG4C~ZM>%5Vm>1LuA~p@c!%<;b2bPs+zg;`|%C z>cr%U=?}{F8SJ;y+?3M5xC0e{XtrD3^>~re6j^0Owi#}A52e-nwTiO3S{It;@&&%1XE2u+ozalk 
zcJZOnYwIj#Zc1gCwK7vR6t&?x+g8?#$?}Ivz4u3v+?)?DjPEZ*M_oR)!H>TBctQyh z7`;t};En`q?V&LS;^YrAT*Z|fy6maAWGxj`#i)k1(ugT+$1t9g+SSE9y&inPwnyZl z`-$q-oA&JqQ9!wvvzk`SBe=apTEVup%m(%4^fm6XXuAhIlbXjP=JWh$oJ2G&q{++4Gc-E(yKjH7nDt}L-+U5NCD~~q-5y&!7LRiM(GD2 z284#j|C^cqIav3L$^d5iZ#j1ZV;c+GpLO~+hN*N77BxVhCn5WlPJbNZ=Rlp+1!M{$n1U_IPR;qnM$ubD7pUJp` z+TnTofnd{oa?wQ8(-WH#Sx|0!cOSt!J^X3wBNM`C4ouS0kZHrS9%2BBOZA(!aDbMXQ~;tZXPf{=r&?nVM8Qk>);t#U%eHrG63Ph=`W71zb0xGvkzy#&IZR z1<&p2$B;KbYD9X4jK`yQFj{>!xh&vn!j42@ydNdKI9%9-tZ@CZ3j=H@{GGuvjMwae z_XCB(xOCQ0%R0#-zUNftK|O!VsT6kWDgtsUnBMlj8K9&JgW2Mh2l#|YHhsY}M(+SQ z71`*xox8-0$01{~R|=H7@ryWTV_B_ti7Fgq;JpKMs$6+!{Z}2h3}6dJNssexkp%^j zCid%?eej~*t?i!-!Nnxu$1Q_&*K!xoC)qE%9__}kcvWxU zxBBxou0N{ml}WV}C&|I@A^*PVzU__RpbYF70F3ki7>WN0#-F10f=^L<(JS6=4R{1_ zH-B=(0hZ(x!Qrlc70R_GTDm-{?&09kb^hzYKr7AXj5F+jd$OXVK+vfqR;_87QEt@_$y%GNjFe4WOD5Kz>m?^XK#QD>EwHKPo#k zq}(?=Iw&bKFf%AQv`!@_OCvQRfH(j!OSE#dRMNCc3@q#u%q)}4W6WJtmR;cAeY>9x z63$=aYy9MGem~2<>+x*}t>&ClDu518@;7$jw;}$GIePly-&vz?8za;bhUY1nBL-k2 zzqp2eNAI_%0@4CDcD8`5fZdns&Q(c3L<1=J8(>{JLO526P2Yc286h8 z8f!shRybEshitdgFqZ~VUC)vn^NNL#(TXaEk#leCBq_BiL0(}V?V0sEi?l2}kuKlVBnk))$4dH!Hr%cLDf@^EBvW`FTmRzwQLWG`(PdYEa zAHmmvk7OfwM^`8XoCp7!&|FYbw-OZu>pluWhVz|Q(BvYDWKM-b{+Lsv#w{Ya+e{U9 znk;&ayrm?C5%b7IZL7_F34Lr>tG>(DqAm7d!rrCY!k`Nf7dVH*T=%xWL*I&XHyr9A zLgdz4s;^qt-^1qLj#&f07zZrih&{)S$Vq?@{(}Md ztGm|=aQD_%;4-YjHG3R`Lt9tOmJUK+e`U()na%jhdT6)Q&EmCyeB#SeO*4RJ>K0eE z%lKw8jvZ+Z;hmoH9_-beus+et9v0y44e$zgjFv8c-f0`ZeH$x-kKO`sh|?};mOf5| zTWXK;X+XHG zZh=vimY|FXBDc4p-T4l-`_WWebSp%1_NSm#HB~b^c}Aq*2k)cgh!Q}9OiGg3nM00! 
zwjehrlJ(It;_XEXIPy}xe(NaQhzxfXVt6vZ2Jf()jkeh?eXrt6Tn3}?yZXhHiG`0E zTSN~a+$uh`26IM`mWuS(*g1Ja_evdlMP(CruTDc>$}l++1cLN43GgAZ&<~$APBvsb z;x)X#09Pnt>R?f#xb27~Dda{-PZ4Avx?cla7oiFQYozR~zrvt3 zz&R!rmTUOB)uo&64TM(WsI*F!3fE z16&h)FQ>ruln#aN@YJ?*#m8-i@E)G)tOhr|&~f#esC(upt~aO+t&on6)tpIK+C{kh zLZMkuS3XB+wG(z12B*@hKsaEHuK$>P7v$>?1t2cjnL6A6_*H%#?fZN9|IG6g25kXu z7=Y(h2II|x#^Cw`Zz_G|AW*dsJq7Kt{#g7bCNAgli&e&OKnI?6KR0tma#GJRi>$6b zAvM$oHpmYy`lYcwnXb%l_mG_xvj_8quqK;myg>Q=MTvWMh;d9)aE{J>s@kOM4-6=r*g$~C)VXNzp)q6^ zrpMBfxpYw;9Yf3;ht2o>XY9jc{|yNdyzAp&8GB0V7E$*^%fOYeocQR;hbe{FjOl3d^zgeWvUtoz!VzZT59%s|Loo&Bb3GbrfG(m(cEE4(yZ%3!cA! z_CaGm2fG&2LVehei?e67lVOEOAGn~F4 zG_fVK=cyH0{iLpSe~kvAO$dC=7!oW|DdWAq$MAd+oN_^0W*X*d+0IKRhWX0e3nC@_FmCGBuHfDth!j0bmwG)T zfBA)uQBW3>ab=k~$NoL!7&R8?t07=gGsS^uzSKrqVSJ1CTHr;4CY31NRgGGqo^ziD zo35 zowBwqP|@41XtXn?HFtESr{C!**u!-R?|()?+&;8@)Wn9B#DrOk#Lhg_d2gVkE1b@f*44z^Ts6@;$6x!dR^J zKd7gG4ij;`cI(~?X&u@ek_-mEuef$_KWf>2 zsa;V;*T_U$Q%r^)2je=rP>vYhx>?7*C|RaKTB%~u$+y@Bhi;D+?6O@ittd&lThQHI z*9~YLVu!2tnXy5sSPwrO2pktOFCz3m~5SWzR9tMgwno?FV>EyZ^SsroU@I$%`MY&l!-NbtJ@Z2{smoW#%GuW^5d9;DNw zF6-LItX4wxZ}ED(WcKRQq?Epx2L=H$w2yK7!aXMWo{acKZqe&?ofAJiP|he+*-moA zF;!BS{?s^Lq5NSn^t6L0gQOeLy+R9aCbED7 zBak5HF(M|CE-M#++>Q-JuZpq7m(ljn!mq8@>)1tct1^Ze2#sNSQ+~*P+!b!)8Qg~k z$F5|P>|BZ_i@pezR7u>Pr%q~kz%i5uI-W4Q%Mx;++>B#C$0NNx$dlftnU9%n_2GWx zbdw49!Svuuf49*X+s+C+Iq>0J&w|z3`c; z)_pp;UdGY5HuUes7xHaCsJs!%siZ_|TE$Lh)0Q30l=QC`vp<`I{A%l1<6(@G0Nql3 za3!DF>TN1YOo&3CM$2gcuYdjeZNA^T*Xh6p>Vr9^+#zbj2?Q_%2Pb+8RvuW;8u43U z3(hf_7aAFQ$}A8C-B+;@pUScI+D3Zx*zMQ4+rhDOJv8n2V zVaTAP-5PTqT+R1g{%2n~-P}D#*kd~G3g|9HIxDwRpzB616IM2_=DDypjl1-Ci(#tM zk6q5E=KLV$L3koPCnTh8WT~k1fD9;L&1v%%;~9%5rQlQY?=G_vP)ulA9LN*N_hjHu z89KtD&tqHTQJ*?}CPPXT-tTa=B#HEakYv67G?}+ZAhExrmk0W_Zv1d{A}$3fDfQWP zjc8I9XfYlu`(|V(a%*yIY!&-H&5P}liwF(+(~Aq*{8yx}LQXLv;y_M0I>guqA3@Kt zE6dgPyTiuBSIT{#hb@Qr-tB>}Shu#e=-8pT#i@_3j4*?=>c1LeyFI?qu=Z{!l2#mo zXFN|9XYnp&%+PRX21%P0umHn65^J#!gWqGl^OHuIA#UW}@&C59_kei1GDSMC| zbsLEgu;PwAgBHCoZ1?0*d1%4+Jm 
z!#!=nPwO*6B%eb2>>^4dFCb_F|K&6;7C)FS@Iem#8krS->AHqW9ge)Il-^bMIjZ{e zvbf;b%QTFtX|6U+^tlvz9|MkrPG1KKd5O$yxw|(8fp-WK&&DClz`}ysvh}(@2;8(Y z3H9VXfAePfc~diULs*Bw39UOCZ8V@KNHZ%7(|H?L%E;Lp1S3{#N(dvk7>iONjt83P zYYJI3>h!gq!d9?FFoq*PgcUz2{7|N_K*ti^7iDEQdO7N{g7(Qmt`MY9lo5^Xg2F+K z3P!txd6EYyBI#xkM<(XP;n@q++XUG!Z7=WGBJk=$Fbx@DRrNDA>Q^Ji6*gr(E#CR7 zkFsekdd_F#$yfHzJ_dMu;WbP)VwT^WKp;CbWxt3HcU#e!<*E5>zQ}{^voUzUL$dhc zkury!a^)uTX3h7Ku0?ji6g z_caHQzlrMoaq$0EDe4SYKKB;@WWVMB5x5bANMPjUkHhWg6lQ*5!wEI+t*tnU&*qEt zCLdZ`riMQ~bRk8XRZib5-I>1oz%+pas){^~mTxNa%=HNNDp?=J)T5ULxK{+C5DdPm zki&kCO55&3fbZaQ(gE$yUKAJd!41yS4zVU5kDb?NYc{h8n8@drUsc{`4_J}1Uj0B- z$v%DBSO%zM4e%iT#Wnhi{FhCXtZjz?pqXljlBUvvnu`!+9{U_j`(rYPahEYp1a8h^ ztJs)Q(bCP8*O#)@S#du)GXF%9_}OUROR!|;Eytjw1gYTm9{2X7ib~~?ienW4G)1gM zEQb2AGuQ!N!FBM2^7!^na&(M_Xg@AGP|J;GV8XAWFS&TUw!1?7vWVcOby_?Zuj@P= z-Z`@XN_?#u(w<6ulK~~Zy4=*(qF>LB;V`6eDrg?>3%bs%M!DYYg2nfiH7^;|Z$Y5c z61109*ucCIxUW3BX!`uMasF^=&-lhn8*hEd;7jXwPyJh{z^Lg|6Y^~eH2sQZ>o z3Y2gY@r39m*jQ7%mJL6*5AFS;eW>1B#RI2+!x)msaf;=%>a9u4#aX>ct4_fT20cd1 z232hM5Gr~%SyROrGwyylr>q?*KePVLInuRq+W|SKem;7dbZoH!YvCu-9!$nAmI&7s z3P}-N`?w-gp)t%m@Xjg_ug8iqfvlc_Y)<@mHpJM%eWm%$vv#M4bbr@A6#0Am z&|J!b!O!hO&%U(}!CE(55!+QSz1N)y+q9e+RmM+sHO0F-vs_zz`Mv1j+Y0?Lr2H@T z^MB)c|2L}q4ZwS;XEjgxeFuO+_(c`_k6Zk|0R9kI4vb!UYLOFrzh8jRvV35QeoOdv zA&jCf7FxTgPmYk*>x$EF91fx>{@QuOEO~cK~*fnv~z&Uo+KB|!Ri3e zwmnOs=D1M7Uu29kWfsr7xL8hS=8v2x^{Hv8?}G`*GzLT>%EZbmyz`^#Hb7gK@g}zS z@ly2{-3*>V;&;Y)hvBa%M5v=+LLN%a#NIZY>g3xK1wfc3XW>CL)*rd-E7h6t14Zq> z1ZJ@ef_BQD^6bc|E<>n=3VgpHUz<$2#d%*`G2R^EV8Y(?W5GWm6*hM%049xp7kT*u zRR62kG3)=kRqU@!6S!~2z?N3x_IVRgcpXA#L|8vE6QwEd;s2-3N>GmVL^2{EYCyAg z!8Ubk72glVl!J#~aFm6MdYX~|L0DYK)g8o!)+iifm7<<;_Y-ma4)*`Fiv3~knbDWp z{)|D4>hW7kFMLAmV;S9nDSvlm7U@RII+wGuB7E12sQXvF={T!C;}_fLyfaXbTz5Bc z8FGlxobYNC=aL-G(w!YWB2aW3gGa_R-iM;DO_Z1e0~~X{`7h&23wKutva@VYU2{hk9c`ppcR7#%NGTp|bAgjtso*gIC=AW2k2cy@{6ra9p?n z@;BM--)X`BCVtE`!we)OO!xgt`nfLP7X?==KZlFIopa8u%Mv-jq}2iPi-IebUld&7 z4lzFWB|rfCxU6n%X5$YB5{0_ON^eA~*p0OPY%9+qpU5Y_d0tT0}oqeEvYX=ay% 
zh`Ja=3M*^af;txqvz%0IhemR||*W2g;>PG%bpM{_pXJx<; zdI0%F{Rs>G_W^#6d^?TM7phS7tB=XkN`9g*r=gP^mi3$P)F#AC?uNEV<}891;8M)y zs4b*n=0wfosjMO4XRie78<9{wc7j#x8wF+VWD1j#0=%ro8##`d=}hUruc-M3wu>^e z+7o#!1IRBbFa9vO-zsCi1^U0=NTkDzPw$%vTwN+S1~-?B25!-EBc`~_m~n3!AXYh!ayR zfEp7|$>C5|D(yA`CCwNcURszx&NuN@?i(F8(ik3b6dm`lw$T9V#zgd-9nDl}aG~Ze zs&K`$f3M~KdGq}ebSEQ63wviLJp)@~z2B0WaqHsJaXmN%%mC^b8>`ML?32(tlwglUqqTUQH8(ORA6hgmCx^6$KkddW`z) zWcx7q)(%zDj8Or2jV%A4gG}VP#I;9&`u~bw2XcQkD^gD0O} zHQ!>$jL$)!Ez`}4K)HH`jiACWTk&SQ4YXFL_Tsrdt}hxzUd}-@P|J*QdpzVw$q!*O znUK+R>2Me?bxb3RdijQu-InYvyd<6<*{UAZAb!zMt19|jiGA*Kd@qJg-#*k5OZYsR zBqa%;#qxsrTE_xCv5NBK)!C{LRUXmV9$mxPx<*(K5Qk9u)BbI+*o8! zNp?l{tjGtBYO0gS=fu`aeR!OHljL2+bmKm4oM@$1b2*77FfSQ)oVc@w!QfiC1oL$* zmETJ~Ao<5|*qhzznj%852k2ffMac^$5|=6PXJaC|2HxycXSTnRN*qxRu^?u4V^b6l zK(R2shB4VJP+M-i1Q!b&QPU_Zi%xw#+wKy765b#HN4!~*>q!{p=8 zZ2!^}Jp*+F>qYN1#$gB+BO(9aCI1F>7_jIWQ>I}KAW`at| zI>l<-`-G3X_R|zbCb-^0(8rDa%Yzjj!g)G+2%g^9Mvv=WtzONqJOu&}_mklK%claY zY!i(PNsp=6FkrrpXs=x3DYL-I43PC+7Suuq4==49lMXP1{OEqFdN(It0?=Fmp!thl z@4rU#n^F41i{VUS+5y>CK#xSfaznTiB7YBbtGLNtO%V2dFefjM_jcBv;-GeAJ~k)m#p5*RnP2gXSS9w&kva z98Ec}iJ!kcEffba$a1F@m^x0JR!&SM48KP{`@q-|>cAxb@fM;1>-iY$Y{0djqZblM zY$E3!NYxJKARdg6eCQ&aV1Z3Pc-y{oY6YnR8Jt()4Bd+iRKi4E6gKCis=zn5H$oy| zHZTi*)qQh}dQ|j@&4-i7cO6uv&PWB*_n^J@=(xy+(7Z41ovecBy>4D+EE=;>NK)X9 z2P8~aMNk1AtvRljsp&M+6EVHib$$*j5W3b(&K`(afq_uc8hpzUgU^WNzwr6otgLg* z?EGw4koG|Uu_jS!N2mk&o$;!xu$~b^Scc6p`(z#~SG~+wm|#dF@-dQi4j8>>J!10L z9W;3bePt;{bN6n}d3?5yXP6@c)L)}=?tQa&iW4DRcgOa57wzod$vi7T;l%LNO!@@r zp6MW9w`$Q@z2*wtAMNB@HTh13mnRahR%doU&_gha*n#bAxQ*OZ{sbPi3==A^yrlRo z*egV! 
z>80|1gp|(o#?-644GiG$QP>$KInRiY$v{LSVhT|Y7{p-o=L~W6CLGvv+ERJ{^q}3rF7v^F;mk8BS~_noawmJM?4v>9D&=*T=&Q7| zi6-jwMUKTNU zEGG>|No&+a@X^qExZ#m?O3qeHu_>vN z@<8ro&$>6qm&l{>a!u3nJIH;@DkOtw8M{U%_2?Xvk>>U(SL8L!f;RI~DzlxS{HUMK zh9A=^=k&mW*T`Ua1kQ)4v@^jIFkjqQMNu zqF=z}Te&?A-`q3nxp?FgUP!t^&Z}nY<3yzA_Ogzkr{X`c`!hKiBBhvI2c(Zx$$)?` zf8OP+^iDR0f3C@B(b{*!u19^a;R6pU4vG~gN!ZORFRL)(bVQaVdSRp)*RSyaeB@73 zywvULhuZD>Rlp~*Rin)b=zz|yF3zFE7{>z`CvD%2u21lbz+zwXP`rc;C^l3={nkN28d5e ziUM_#xTHn%jitl|K5k7S9`b#?!~hG`GR=v1A{7`=DFR^^n*x7XDTn4QkrZ2~6=Sil z0*wWu>et%lL0I-NlT`x6g%2E<*=jD?^zdX+Lp*FSP!0{m*f@~62QhBYAH$v`&C}SV zvWA_^ZnP=T*}G>bjjC%x#geE@*1QjCQ?Qxb5z?OfyNPtrmHbg$W0UaJzf-> zR*h&YOsn|G+UylOt#5%p^P&r3gGagdffH1+Y5+B?W6M>p2%N4UH{Wf3JzIq6V%w+zzMMzZ|Z;EQT5M5O{k~!`mpo@!TOvH0$xRVYZ5c!Qwp~+iM zJgW>xTXny5rn$WYD+4_#W|9uOUmuJI%iQe>9%*j}{?vU1qxmscQ?5eJu>JGVc0$qM zN$OSSl>IR(lNqWC<4aZ16s^7RoMIxkFX@7l!qEdVQmRUjLv!!sj+J~Vk)HJ2`wpB@9$IR#a$k$39mX9)}ZL}546hr zBa9I6im#c!XtIuF*HL|(%39(N8G$WpH-XG7Wrqtq$|oj&9}iCgeb>{e(tf?3t}3Z6 zjK;e^PyM!E2>n`0L$EcZ!ig%|KCK+cidm`Qe?I3uqs_O1JX@|Ez?61s#YM-?#w`8 zwX%Tk_vBaEnL{Vy-nHXG2`uX9BTpa?MUHZqvT`oO3h-`hNX-XU(NoBql|mQJ0-M_YN^R#W-wr$%s zPusR_+qUN1cjvvAn|CKO^T$pqsbsHORjEqt@7nA0)hfy`=vS)5{fI*)|D!FhE>9`+ z3+>MU_;w$Y$PW0*A>igb;1A>?!``;+_W4cO;*O;i5qDjZbR~b$3;?^|`mY;W+k)9*m!NG|Ief_woAP?f+nLfQSK7fY4Xs`sAn z6%j=m$w7IR7h3k^{AAe<`u!ZN#uD;FJk6PJ*M80r`?Yl&SI?Xj$Y(-w2CI~*6h4HJ zwZ$fNS?ceU)pPz&n4v=3;l#Vzdktr#r=KKus&`wiFONH^?P>DhPVYX4=lVKA!s1+# zOS+I8RC<5cdQkr!wBy-c%!n#-~;iZ zXJs1;><55|LF|I2#D!x5x~nW9)}kT{`*d4Y;daC`@}6567&b)A7C$*eRwqOVIWw*u zdr?atryf`lY3)l~C#-2;B2VaZ|AU`JmLyC+$URXJPTV*}j7OHYTw?IP@>>lllYo0) z5y^KiqhW|;1e$&3HU+zoxg6MB8$@-=$i+Fq?h}8Mi>w#q;H6mKS;N>VoC8LzOtWSQ zzPd;lvvQsbPD3YQ7FfUZ;MUe&W{3F0^=*pe??or*;TdkSTy>0W@)X=oF|aU3_fhD- z{nhs|X?f0vf>blBk+^-Hv27e1$A`D9j0+nlXr7%0rRBV)fVNC~`$l~N#{G0 z@e<^_gUA>usoMB6U%($fomZfzV)LovJwrUIevd>j0vrg3x^)OAvQ92`#RWKBXZYFc zzM+jw0Y$NsZY!VLEhjPby>5wJ!m$N#f0A$;?-=6Z5sgK3aP!BlYPq29;+eq{)tj<} zwr`!JGP>F1xFG#?#E(1vY4C}H-NT%|6Gtd$&GVG`DKB3DzmUQ~oMf%+b?)zCg>&dx 
zK@W#$uWp~>Adww&Z}vx3__fDTUF?7nT57w;%%M^bbga|yo+IVBl4Bn<(!8GO=V05h zC1RvVYlHykPy+QsYRDGNcK1z_A$r8G0T0EzZj6$A-8n_w#Yn;ow*tn*^sQoK7x3d7 zDmS6H;mD2wIkiX20YWWyd7&cm92A`C4vF99=aL&mnS~hFw$?%2Dm$2CH`sO)*66T) z2%LZw)+niElawUovN$2K`Lft!fn~7^ecI!3`CMI-(@aif@_na@=pzbH#Pr~~GO|AF zDjOz7hhfZES~qcVNrGIM=oE)B_82iCp$X7YpvjaAO!1NGH+eWSq!g3iaV7|&>CS}_ zlqy_KW!5ODlRWnr<%*OrooIuKcY;-4a^JO3Rv%|2=@uf65F@A z(C`qwf^W&ztU_SYkS!(b{`M2y;-Qu(Y7yb^e!kQ+VTjWg1$?HDh)Wwkp{fV}s(b%X zx1Q*Nwdr{7?s#y1#BC!ljYOc-2g0RSy(37=>`dNUE2w2}?TKL8x6$TZm)xdF(hiJR zv1th9WaVA5{V4oif9Sninaz0NTLxtdy$gnxksci&7lwZsf=chpUyz3Y= z8Rs`ZSWZogCDk@(UjLFqDB=kbwqVeM|{F8zgcE%A4j&Gceh= zosT=b|TjdAp6dOOif zcKdS2$n4JzRA#;55ZT3;AM0G^?gW3`OOd6a+T)lCgWbC4U#g4!hYTFeBu{*~kMTAl zsP+OkL^ac^kZdI9R6gRBiOT71>6Wi8M(6Tp-qB+k$5{4%=k|A{p!ny~U4GtPY~vv% zVQ7@>>aB%2YojZmG-b_YH-0nV7CBl2OQ~}lQDqC4w{$igE zLcsRsEqMFqyq3NJ=>40osXRWjHvCGXpNf)HEy16HLrv7#moLdbiTj-AZ*>22iTM9X zNnrhdQW9`lJKs6}sR;k!hw3|6jlrkWA`fc>k{aKgNI4m-%1k_&>{V z{}o&zBcMd!@K2oh2crHDb>e@qD*jW1U7>u=PWl(7<=>$CKiA;@HPpWrEE88F+W)(l z{=e&^QU3#~33TH<VMTq|1(Qk zs`tC}e;LaCQ*ZuXZ|MKb@_*a71jk7K2OlB$C1+n99zjGKDn~fZJRu{`WZ%f*A0NS) zP@`}Em}YxsBvV=%H?h1tD7?jAo`%v&|8E^jF&)62g+W(Uc8!f1H$1aQRA5@5oY%co zDdXC3ou8pg%IL1Ydf2H~`r|TQ95F3+faH%+__|@t7WfMy5<0FBYym?`<4viqcM~RU z1Nriwta2?4y2H;M?F*k9y#M*K{AZRp#gD4VQNTdA%)kD-y%7KPSvuM~n;Yr6F#K16 z<+97t6?-h6^%e6I)!3|)#2Tnm{M^QoI=5JSe9C%TO2NkS5HAZvj=&O9sZaTr{O$Dj zOEej6y817_r1kq%(`l*>QlwE!BO{~D1Cfi7#D>C&hs4uo#`d>?kA;I%=bMda^y+J5 zUsfHtz>SZ_sMDV%Z=~q^J+BNSWvya&wCINbzOJ_mZd{Q8ZtPOm2f>~{WD+wTD;=;0 z)DdLHc(6!V2076M+?hq{NJC4&Pi9-HOP6}4CwF)Css@MG^myB3U7f8P9Mhp(j5Bbx zS2J(i8N-pM3^X@|l(7K!Z~g(W%J!L33FgQfGpCGG25)iewZ*TkJ^a^$EFYTlN-rDI zy%pxu`4{ewj@R0mCa(RhEU$>t1_=cZzZC(M?UPvJN4Hu{Y|;Za-g3$9@sU>X2aYH4 zNF%jkdF=&t_@)_1j@;?cP-I&`Wn0=%ebpzFAf8UIR1EmsP z3%zDW5@#yOPy8doTIL4ih0W2VAO02?(j@*J;bJdF1-<^1U!1Hf@u} zNS078Uc;TH&XM9=e7Vb^hX@?cA4M=nbs7oa9Zqx)SlUhX0w(}YeOuAz{dFkGV}|uk zsLp*n6efyWJkVOOH#b+v0_YoO(-EGNhmAHqO|Wv%D8w4EJ(q*j 
zmlESua3IXp(AvIJevhkp2v@QmpBNFEn4^VrR#fSTJ(2LYzu81h9cOC+seJ&43zxLv z91nWu1CT+2pC~c5VMr1kDWHLBU!S)?QAvc$IH|C`U6nVCIc?2OCm9f-NuFzz0P9~S z&rEwyQ7s5W>6+3`8q6QW8NEPVOk7yW6X}NoHe8`b|7yQ?fGDaC;4KEZjO|5f=c2eW zsLS&|X3o-LPN%_xGmkV@D)C*QE7ZD6<)ciHfLVS0Sc-%rLq6A?4t?nxVP|x;O^lbq zD1z8?->MuTr|AUT3w7hR!swH9+1 z$PSckKT4``)@%{!wR?Dk3`C0E>H~2aQFB5wbx)sNiz%o+&U0f%>s&GCq~@($3%Vv? z8>sy*HP4v(B`*A0=f6y@vzt3Y;@;aMELK6?)lu8(oHKXaF*mUlmf^qLj3%MAo7lBd z+w=9z*3q$ZCE90X-1wyHxcLjMg>=xHRQy>Ij0*=zpMKroZMiP zHjEs1O@ud31BIyWkJ$0>*yi|zqvmOPO ztr%5V|5P&Dkc&gv63Sz#csR0HVVVLkHb6~~eXlF{n>}@$?pj<=V@i+onSA@7h#e8z z&zZjT?9b%oR2AqtS+LK>K@lPXo&d$YWqHOUO!8h;NYdGoLBst3 zg`4Uk*Od!M-}cg2C*Yx((eoVfO`6aZztGPKF~B>tjX=-Vz}_cx~VP6sx^=cTi5|pNe2MhONw!`$=YwcIV#%M}fwegwtq<^}IrtPCCiViC1n0 z+Ubwj$kN=D-BXbwp?ynMIR1RqvO+KKsf-=sNUa-Q6P7JeVmW)!#G|vT>m&Y*;2pdX z5(S&*Hpp%XQur(e&JB!c0M{fkhXZs8kxRxdeTkHro9n*1`}OavhF6`AXOXgKt2~nWCdSC=_0YseMSzhBbc20fPkDO+Aw)H}Z*X~bOKVDZ8zqv1O+#OSV>oM7Lz#E6eDNy0mH3-|Z zH@#rcc4Mx-$uapT2=05KfG?_#r#34tD7Y*m$=d_w+MzwtyVg=5mraT`Owjw7TW_hy z3GeZ(-+ew^{Esdp{L8;X00p6(ZyJhQael*lKS%k&Oh!EWC0%AXr`MYBfrOW;&l=9= z(S*rdjV^2K_lGf4yqa#r`yD>>0*}49JwvB1!qkN6F2eFOY6HqFI$)fki!c~rKfgin zcfjxpbAL(0LszdVkMzxr)9#ZcmW+}v0qn;jSrTY|_;f?XDA_QFTp*XvzYg6Lo1sf4 zfJg&b$>2&ZgT6=Vk;uGksZ)x&Z$`};UD)YMON%O(XIGb*)J*SYTBjHpB((At3WgyG z(ZnE8332;jrfi=Ff^09(9Y~n~XWH@XB*<$_#Z^G z5~bxeFo+z}%+`fhcYaT7o^YDQI|f=Si*95YvcgG_<3nQvX#z9E&{%avNW8hXvnlDp z#a)RK1Fg9uqKHLbDKX1!U8XXUxsDAghM{sK?$u+&sS;JBMF}wyrOcbf<2->D1>^h3D6~g?I2JU`^Sw2qe z;2I22uAjT}vFUSyq9S;`^@ryp65s&14c_6b`6-~^uFz?NY@9i>Wj}~YpAP2APE|!R zlJJ%=!y5fyOch8ztrM3z$=o%i;tOSjQNl>LmM?1P+2N5iP<1%!;dzJw2tqnu!I>k( zb8@oV&2LtNE!oRcl5Z?!=z5!!+=h3}%pXM+>bN_9nF?F^@9!k~Bs48w<@m3uzE3J$ zME`+ui9?6KH_-~a@)M`6bWgbi6EMTuY>Fl(3vBij(0~uSdY;T%VtSDm)$XcWG1G$&YHD z*O|Z2!^<(*&Z8%-#cqmuv?jp1)+Ut;Xd!6y zE|@XOTVA(CbWQ*<(ZHs#NJnrnt#6V*dD4QXvhwFJ85B7nF&pZ1PP0jdoRLG>m35ZN ziw*KiJs9|xUifRY++X%Q+@+Pg%I5+1zCgL3nD!rrMjsk^B{@gGTe+4Ys>6nfsR4p@98P6 zhWrINne)$pvH)v}(|4fuP@6Io*YbHPbSD(WEKp7>MV1B@xwFMVvv;>mann*#|L8R8 
zDYBYdHBH~F9|60G&|&@1#<|b{6+M^iB_viCdmSZ*mV`M^LMZU(8x&m^1bv+{E#TXQ z+t`c~=Mb0YC_Q1r?9)DqA)gIO52){Ywa{9;BZPHluP;wn)e)?a82Pk1fa$G50z^d6 zc-aNTt22g&1^H3MLDa!&1 zMxS1mnOnntb}D1pF^@-TR4DSu-zBNNAave&Ya`?P^ZW(N(jLeJB?HGQ&yqo@rS=Qt z7Wo-&>UB>A%ph<0X)M4$`M^5EH14&68y{DgPf*WT$=6SCFXy{bZ@W4#+Bgul%36xe z^HM-!pe&0twJQm`1B}j;*x7ZcYE)-GR5}$lk0INF;$H~~(7(Seoz{ylY$`~&OH;@$ ze};_bJE@pgvB`gGX$M})mD+VG=|h_yxs1;4tHjk1WA=|alBC!7#sVNZzkR=a{CsTo z^>OfVaeowYawql+9s54Lt?>15UOb`G%f&3ZmC*lzg%LGSo?q;!CMiQKD>n@Yr#@JI zf+Ebb9%BDOOdC#lK?lPJRYTl%31T0P;*W`zxXUVUcHop2r64>M*3uQ=y+SG>Mgndl zbCM?sG7@s1>~%oE=abw&&!Mq6mzH4bwx+VW*cfhycN8+1>9og6I{={zziA>fSqxZ~!-v8qaxXej^9@XE&o#2ZcF|oWhS40Xj=?Bhk?G!1WWL z#ELIKDZbn%NapadMKvR}6Nc-7>C*Ce&yX_zY<6@E?S_AyD7I^O*&D3oy_&Cp@^bW+ z-4>QfECWU+O{%>ju{9MLh!}!wK@h{yRBomPz?wvK8eEaJnNG`2V{COkGvJrC$i7Hx z$AdNZzVuv=yvRBI1K)Im^FSMAWq|CwEtHrm-VlN{~%L8oqa!R zEqQ#tBArWvw~m`CW-7kEIv7)fn;0hPyws5hlts9VEGvQ@ux7uWkC=gU6NO2_g{#=y zH=E~<$H7punNoObN%E{6@?Qx1bU56y+o*dow0Ht4KP1CFwgtrDjCGkl(bU^2SrEGw z7utT{9Ky_bfB2qWVqkrwLNMOh-{(k%75^sa3~fcU=LWc()eo*cKr=~(YvKiXhpZ0C zlX?+{zG;J}y2DG-a~d9>Tc6F^>gD(A-IcT~rQ*b%cPjAHgQeYi+U^c+<~d)|EYmtR zLM(i`lXmA|h=0m}1$o@i1rusVvrnG?{nfkB1Q!EKD^2|dgR%Vb@H-aIvHP*%_WhdX zP<0!*MaO9{!}_FzHG1#a1kTtnxpcSoi2=?4{I^)XpKVv7PLMcRl)eC$@bRjq4Yd#1 zoHt{-|7ga}GPff!{qCV>-z3;gir=B+{$gDrd)-(0+u7_9wOLRIPxWTRPLYf4ye= zkr?vtYCiYU2Il$R9rnHY1gOUwuvOeeaTo<2<$egKP-ij!N$M9LHfhBub3v81jjeH! 
zsqL(28?T>eii}p9x!tl6n`OsYebnUNpnCoe&_N-q!;ETK3uoQ(%aj^nrP8?pEX*Ex z9z00{y=Ai5hV8h>)};9=qcFa&M3$kp*if}uiVd7Wa?1V#4vw>?u<+@4cH%ZeOpHQ% z=kCyYi4#1ST1o&Gu(H0n4Qn8j#t?N+AEI5C;`0UFDe>;J)kep&2N1icc9@nZlPPTO z8pQTd#`tlHiiM?yAi>EJhwEJnj1 zc+CAF8Zi;p8U;s*0(J(1)?Zd3#;NjfSP0o3WPwd8S5(nc$g8VwGm7hd(aP_CT~a>8 z%!p|~=_XmHL}nLep#5RYb9|rvgA(qJ{9*W#v-+6kwk@|r>4O1$ajVm$`VyvmNq%NL zR`lj4QmRZ$4+BJh?8DAogSt}1V}z6eFw zd8>yplA&kW#a`_qW@iWS3x#8f!stgCkI}@AHo_#`BHPcCsU_J5?~Hd~^C9YkZS#^)V!&_J@cKX`YBGGeQ@62+b57b9W; z-r19$Qr3|1@J?a4Sa@l^T3=R6S?U%$D>d9|49C$v;M!Ul$~f&*-~ap_SzMS-8xFd8 zdM~NYAexc0%it2Rm3%KBRVIuX+F8A1(k(IR3Xq<$y;c1ROikcykhS_uh$WRyAHcp$ zH^wHqshVK9ZA7^`H3OCZD^y+m6lf3lhu)Q2T4FI{E^e9KxUi|zlY$EZZPKbfv=TTKD6;ZszQxd=kId7l_x8U39+!EoE`@>Dh_ue>8# z1Y<6LN$0xPM2KBrW}Nt+ADbK8x#^Kk^2r=K10W|h?HA|y9Y!gfZ^=H41%oUNlGDK+ zs28)DiYz(tdXyVkq)pLc99;?!{Z}j!*8<~Wnd_{ZxrZWO3B%R`&EpOLuQ|YZ2u$QL z^vj{Y9rszO7+RaR{%04ljtSW#Sje#%mlMU{jCuOQU#~!lSDx>=++s-4?nut?-}+vf zDTG)00^#3x;I`DDz3wIoa_O)Y=+psga$0VugD7{#O$^6(h9n6wO8tCN>EaSGj(M*m zJKTe^E9@7575lO-zDnp^pIHqx1S7=qj zq#Wg#)T{(V!Z27OBJ=h-oWTzdbVa_Yl(S*7?8NDCMx4axc8~jyaTa@Jv0msX$S)u! zRd7|WEEBmla#ad|hClxb0m3$!>_!TLVLG?{L42nQNCaMJKRc}=)+lJAzqItxm`Mio z<(?%;IViv4akz&~M|FeRFdG4=wcDfiQ?^od%aeA&IX8c8NMU3mPl56@=*dwrDykS~2RlW|Hzogt`j zeYs!1&;+GK)O$geO50=AeQ_AV!jyMbvY%`x=9H?Xi&xp3T&lx{FUy?}M*tFm5-D-u z5A)|BI6G%AtZjDUQAXWj|H5dcC%SBm0}EG~RD2jV!N4YI-Psgnvoz9C2M; z*}S4Grk;Q!2N*E|*{|)HKgK@K3TP*@Vo5*Ls4M79$w6#mr5_lR zU`|m~HU&9;ilw9tKHP+t=3>*{<;Cg4S!bDVG@MoC=iD{hJJ(v;+nXL5RTgl@xj?!( zSRk87uzIBZg3^Sjo^Nh=aUCc0>=fDij;J3^NV46T15QA}qa>;wX`$#nXzBMN6p`$r z+TNQT6kiAT`ATD2sUw$?;-6Rbs65V!wBUBxQ6G(3oVCL{!E!#jfP=T7TDfw`Yq>35 zRkb>v*u#I$O2E2@Wr$?RT|M3_U$lSi+!|7Haq)F9WxmVa-{^Za3Ii>%cw8#EjZCUN zMK_lW>PJgRY0GrlK8!*`S29TwPkSw%wrV?_!%e zF!4X(Jz+XA)D}cscw4a(FQZzPCy~K++#S5Ki>H)qfJm^C{k%sCGi6|&6q!GA&bU$| zyLKU-)-ArQT6puzh%*|7AGENJq-{H}InjVo4Gb+2usYmjB8CvEPR|Pk9m8Qwm+))? 
zfngPF_Gh{}Dhd`SOx@K-F>G(U`|y{#wmmeyM{~qM%M>?)JATmt^MOqV4OJKMf!?6T zt`1J9lwh?}Lr3RqPX4ypGLs2f+i}JU*Omvml+X2OiN`rwQS*m;ntYtV70!KYytXwS zp%$CH(AI(pD|lQh0awjj8Gh!QgE}`k5qWZWVe+hFVfEp1+4-n>%v2#Dyl`H)kZn6a*E|pe` zAfRH#(bj@wtROtvnLJp9QX8}QatdLC&99GT3$*w8c zExLh^jghgjDJYzX+_;!%$n?!BEu8R0fhY53Z?js=E}L2y^Av-T2uh>h*Oc-b3*>Ez zH_i!B(XN79>RfcoD#je*ISX7T^a&_DdE2X&-Ki|}rFYh|A3>b8_}!khZmb(Kl+*w8d#pgBqvvGi2aEeQ`;%xf&EHurGAuB)$z19A2~$tz~^ z(h=V6RS6k8!H-$WELqhqWGt>4=7mCr>24v0zB^2{-q_XP0uH`7F@mf}auXDJ=5k!1 zHCS7SdTethy+N4q1ZXlx*MgFN+(A8?SG3t6CrPDq{jwy#csntntKdkVQCVsNfCS4T z-SRW_yp z9CWk9)LSC&T}TLFadHgQwnM^Q|I!nSREocyDTA8s2Z|_+1)oMqce#ehrV8>3 z2kUKk+HCmqFk3E7%8rKO{o+!&j*HLP8SkxG+b5NA8}F@L(6rS%CZUxIuwNW4{{!j$ zdobahG=)8F6-8l%SRhe>53gjlX(3Wn zp7Z0Ca=njlr%^Cfv4KslzGa$1Xn*;YzS_%YvrB zkNP(lBBj+d{GuMPjWMJ=nWP1~Do~(!ym3;DVQoq0Dc*~5ho z=y2MLc%8RHGR6kDK#6bwVbFfqs1Lh+C3uVrFmRRL`pasz@(6|N;^A-ONjfsyb8924 zAGJbJ#OyX?Fo{}$%pmaCQ0*wK1Ty+h*0h^A1GbPR+$*gg$}ZG1i&WJZ*Uq#?n1_fe1)CVn9-HQAu)MBH0^RG?yR-y@d{(4ehp%_6-fPEIr zhS7v;Z|CVIa1LuY$`Qw}woQOjtWRhM4zCgaZE}#Pg!gd-eQBua4ammT=Bz-UIPm6G z&yc|(VG#i_g+KP;tO{beUBwkbT}XQ^#N&UX(EB+0uF(KCLuX?%Wm)2*TGvjoeWEZf z!X;%LkFb3BK0a*sb#n0jL(Wg!ZORfb;}HJP#>w&Wy{4a9cmpp>r{YSi&oPyAx%u;G zK9zLjb*p>1sELRG;rM>IP+Iqpf6?PHWXutorE-B=6nVmK*X+1_uM%qRcMsJ#AK;N8 zGmn`lIua0eOsu>!ea5!hs?G4) zp9fnjN6a=Q9`Bh>zR(td%+#U!%`S6)^TcHyT+)KWdPJO^6M7-(>r7Gzf|3lIthGR1 z0m=5r$WL+;@wMiBBi9{3)E$Xfh!qz$zt>tta|m|$8@xuhGKEkdfqC$}sVeO+`fg|@ z9EV$8v;zd*&{I{1MfqGBjwvh4C>_VuQs2Y#JvO@g zac5v=jV;fTXw4}UQPE`ST&lLRQiq7kOBRyq^k@Yu$-oDWWmG6Uq`?Ad2MMe_20qk{ z@k|z&3@mcKh~0IiR-OM=?#8TZ2#r$#Gko0Et@Q~zQlunya)n0ZAq9_~FzAtg6=X!x434 z_OJoZaKLWiX$RM6awmfC1+c(7(quHvEbaYv)aQJn$(K?mY^T$*vBzB_D<@;~>24aD$2G@)X$f(+3Ibf&Xtj=IZ9bZ3(FPID~ zY>Ip3hXbs<(XS0IxB7JNe?F{vU;k`)H*EuPWnn1K9g2hs7EY`EYXy>FZycYuavY+p z<^dt2clSq}+HG)@(ei@-f*B&H(Rt-G$7J_9I(X`2@5=zA_&`-Bq;V9isA7gL^$gaY zrA3V_vvEjYh32ZcU93>Co}71qSMLRku~D}92`M`Uh#KC5rV>FQUqn=I!qS3vDW|5$ zZp&ae{)th+FU`v*-A6$i#3>S4XmZtoP4sB5sNF?p{;X$k9a|57 
zCx_kcMUlaWV=0qZH-cejVwPn7-t17nP`agb{ddOqmC&PcKAB9;tAB;uOLTaA|oCaf4Rq>8O+@;e1Ptsz*)lVqBQ7gUF zL-H<=vv||3+Fgr4mkLtkG zk2+h|A(>xpkn0?ww3)K8jj_i%JAv3~ks+EMu$BZS~2!KHNbntN# zp8Wb)xTbm<9-3L)8GvtmUnmWH{}G7MzDCCq69e^MD{}tp83Sf-76HXwm!iXOR^awV{B>I+p3uTJf&@K)J{FN@0QoK&HN8JP zuZHhmTzjJwC(h}X7sRwJTpvp#J8s9C;7ey=jXZJi(EG-@FG<>Zu!iB0CqoV*} z6P1&fgR{4Tlbff*Wn!|e#uwR2sOdHgl1;6aVZ*?RcE!cjy$o{xzLpN=XSZ7S0c9G= z$`+Z^!@YhmjCa)wM#+NP->aIlRpqR`yP%P-!j2>s3|dVpdA5h(IR+9w7Tbi(#rPBN zu>uQ`EM9#dbj^z2Iko{S~A?n3uzM6 z3YCpj_JzvnQp40~so_^c*MQY?L076V~>LhuMQoj(e;p#|3mP z>!9@qOQAVB@Z_sNU2`FS7fTn~^_q!tr$`P}V@U_-eeusYU$1b+CPXdB(&1uz+`}&n zDgV9StrBqyd>yH&AX~;QA;^U4Vj$K~<5cXVYpOq#-31dedkLW`{U|X2>=P4lByrTW zy&(og8sDVC7rM3v*YN+>kWz*P$e&zDw@}escVd%r|MxzJ3+uV2NJB^<# z(}c(DPilT0X)J;Fezg7VN*$@8%68^xaA-<*ydPmX`AZ!+UvOFsD>&)B@h)@c%7#|J zvc1>gRZO!A`(0I`Q3$V#r8h*0fT6UE^2GCDE_{7Z0?u+c?p$i_M%IQnMjS2`0S&4? z#4=lF3t$>PP>Pib8eY(pw*eg)Q2e>i7$Dj+`U7|I^h zMPcK5FS{tJSkJ>)ztPnTRl`7Fh0NE@*TdTZ zr@Yx3V4-zN#PllcaARC>gIvbjaaau2Xt`Yd_JKK)l2EI0z9I_8UV72QHls(MD`65# zZ$Y)$!GL@xq>%BA8IZs3VZ|l0bPrZ0{AJE_K0hCu0`6(tsFI@RLy zwkE9fh*1ul+?en^PR{zVf<{=wmT~kGF(410Y0izAt<5Nr& zd?K4|#@ob&t*F_+TdSt&CmkGKX76-gx{-JhInV%D^`b_?*RMg!pwS-*4f=43AWeik zfE(~rQ?|6`Yp5w*__l*qxdD3V^SoMkYS z5T8?c^f!o_`1xWUH7pWFNxH}nddR!8pW70t^x0x9QDF@nf3oTvj2>;!V&`uDeq#|4 z6aJ5K;ME!Xc}kPh*b@Ow-hSPA-RGeBgT3?M0PvQ(SYC&T(Os!7^t<3HDLO{NZXMp7 zL9@a+{T5@?&|VR|+!8G}Gel&WHbL;5(_gcWC9w1?w=9~uRXZ6+`Dmf4gxPwhjH)O; zvex{NL_v70jQlh0 zY?t`~`9}oksUm*?X4h&oapd33F_Grw{{l&9^yd_Ln+&jk&L`|s8+Q7oVw*i-XJ1xG z9T#?5?yj(Hk34i5TSvNnG+q}dH#M~V?v~pjaKp}*N-hdT6R~b=+VFh4KVn@pK1b|q zYI&HS1_q(mqig!D{^0@iJet&`Ne8cETf2(QP@vck6dq`t1JUF1wvzleHE~0|bZj)R z**RCKI!?K5M0w#_?Yp8-!@{I;WRRBN0h4S#5KF0ZJDs4;K1IaO0?u~~VQd9Sq*-=1 z`^5$v%ekTnn_0QtSZI!n+6s0C<|#3rpfedkXSj3)S!-7cYt8Ql zB2a?h6Jw~|kZEat+Q%0=M?050M;AM1J2$uDho??7wCT&!<8=@m#y@+Vu{t6nBnH>x z=s`oAM25JO+ikpUcjBy%gy0A@X z)NoA-EukOkKP6hFq2pFx? 
zD~}S+4DB@sGJ*yuxFm5FMP@1kDZC?k4G#|1Hfz_Cljy?dtBWuOzgHc??z|i0*Wn-* z%q_0s@`XY;pBNxk3{HYboSf$3GFNl;Lb8k{R)u(IPBBC?K5 zxXFb=)JWW9;+)g4SWg?aIJuVdtoEFwm_I%IHHs%VYLCoN&f$=)7PDo5l^Qk@dkxLw zCwYClG~LW|%-vDJ6cqx#y4;7=;~VkZ&2*Q%WvL7d1MGU2}d2h)%7kI4le&dz>(9 z{YZZbSJm9`4X5SmSc(LwA=R@w-2OpxkIBe($;3c+6@|N!W%My3te3pnTG!@Md;*2~ zc}rLWR>vv)I7PjWwZI1b81V$pv~$Pwo~2evoHx~BBzX5z8H>X8n~)^lvfc}&sWjm z(lN?Xv#YFfg$N#qO=k^Q1k_vo;n1axlWS|{4T!F06p38Q zyjby?=$830Q3!?m3`38@*Dvh+)t-}=@{0J8o_S6Jm*uc#;J|ir@Z2tVPXD$vNr@Mq zEK8pK>luS{C8{P{T6(K=7|*O*CrZNK>`E>TPyb4B>lI%~E*qca$W#QeWeLiiSyN~L zeY)+6c047vDD5(TKGSW+u4o4_l4??CySrPPvFi$xv{WxjJc@gKNh0+F@o=rU&j}u3g@7qT4>XIfXPXLcaA2w5MHb`OHAp6(Q1yN-a~% zeXU@PZqII3sAa{~wJRCXpIht^C*hPL0c9|w7^4HPSE zjRPV-C2PQ^@}b7(vpI?I>D}#B06~3=%qHiISezD8EcD_c={7KFEGw9@qsk(O0vXE? zeo4W^E@;`m)VRYQ@4;K#=QD_&u&#MaIR4c3>4##okmGgyV71$GZu;W-<%uq@S9yit z>bvq24Fz3X69(F@S^Mcr8+LMi>K9ng9XCC+5gbtZ6^^MNF*lfbiG{*?6M55X7yJ3X9t{Nm!Ii2gFkm)!34nGoJs{X7m2 zN-Zt$GfLu#OM;|zl9=fYLk*=SPw0+hXk=AxnxJm5fo%1NOUoPvFlqa+1qq$!syj`m z99f!GA%7c)x?D}UEgjs$CJ!HOGAic!NdKDGaNC9buMv4&VwpF>Mkk|i={%)h2s-J& zU2($?E?XzmEpfz^x*$%UoqABD$vFCjpLq4Htlx-w-8Oxvvlp=rPpoZ_u9w(+t#R9Q)|wyC2=aWc&_btW_<$$hD_jvoWQoLCl@ znYH87JSK72*Wb;928R7e=z6|5lev$1>Iyf7fo-G6>|NeD;c5pSSo6Up32kd zZ9UXR4f^bK5m-@gopsXjhPZ}E@K8E$H++&n=3Ws}F6y1SN0+QlVtHIX1XkE+puBr` zmdV{=^oB5akFjHa8~<#@FZs7u+lK4jp~?Xl&^dH)A*k%H`HBRiSIhcet`KYlh~bp7 zW43J@WFH&VAZKZgeT?Ip#u}iN*vrRsRooH{`OLu~_WlbFO*5i=opY1L{k(H~i*p-D zOOtlH2P0DFcRo?@W^z*hyR;({IB?9 zj4X4rs^Rg4j+}K@Jhyi~b$!!+!)}ADR}3(MA+$YNe21)m9QuTm8}vHl{opsQ>!V~# zv}cKmy_(%Ax_++O7cw<%IKOVuYg)x;a|&lnWw&si+lrV&H5MI0Bo#MuI(}}nWt`hK zTy?Fnj3QpF-orPjdZ9}6jSYbE=H{#~d8as9>eZ{4@^L&)!q30kZMDR|VCC2Qd-!_1 z=35%ndY3C3e9NQX<#S8 z^$|B-v_e6|3E`^VVAOyC`OcCmX_StH9d+FzTBnud-j%wG>^Hv zjHZ4SH*YE9lV;5xkeNuHv(%4jl5`RFE-j6#Um)s_0-othDnCH1HhjnOBuZDdpTSvD zf}m?rlIHTc@xmvQPgzV2mgMSaio!2MS_`-e^Fy`NH`iybQFL<|T*giHFe?GQ`9nN- zBr!(Egaz{eqi=3bj^1CN-u@Yn#LemP$@SswDgC6`8j(s9?}$-mT;xY9gAiOo!+zXq 
z_MJfIG}Egb?#bu*pAZM&qBVmAAsa8W_>N_{TRo01_pLz>=(id=E|sdVB%Cmx)0%KH zOf6rXt7dGlU=qRZTlEaLG$ei-`CzqVCr zMs(orB&pY8Uh!W0M?y|6pxG`}Z0b|Rdp&^|)kv4r+qZA?&+hQn* zx;gzSTg+*oX#O z#A$e!AUb02H;phBhX9vtJ`SGtj)ewsl!SN=vSqLe%dxOisBR0>OFDb4ARvo$7Su&j zDS_f;`s>J$u5(8y4QE9HU9~dRAL;8|%Rw09yU3fl;R6VY_lP2_K#~g>o;b#bOcnl75uSIu$Dd+=0Bd zR@TvZtF8J2%3~?kv%e)p-ivN>m-(#0ny!Hra^O3FK0}ZGRp83YjF>LhH~Gx^YkOTs zSpQWvDbI?e(C6G8!9LeM3gHHycpUyE_Q*_2NryGIR3`bn5}zv#srFA-JzOde3oR8z z`cX@+A>ysF6d)X~&u?7gP5SZh`r`D00Q8;(1Y<`u8$GyFSo}z`!G@W|ymx+PE|?dS z!XgeIN_j?_zU=vU4WKMYNjykLkw&Jfv_?H$_)R_Cua=yN;=x?_YS!@zt*&9mlUxCv zy2B6#zJAkBXC56^DE{0*p_Hx4ShH;C$vN(0)rrbp zbA8cyX<%%e%OPbkq%rFD9h=r7(xJD1oO_7v$@$YQ2*sbdeFC!V;}` zirG}stzpCIn5&)`v)33<9ZXHMY7WapFQ?-#>4Mu3oLrYnbt!QND5W4p{p&|I3u0kQ zBQu1k&yf_ZNG8-IZS)uP=a%*UftHELR-}S@X(gE8-yxIG2zPltLISdwgT}yK&^fj( zuV!0IiR)c~Y-i-i;g(c{fYip$Ei<}ZoD7WV6*^`} z&$EdOy_ImThTAEd=hhhV)EVjuN;xj3vTWLud1~H)@Qeh%JHDg)7UpT8ChU5TkxyuZ~>0MDXIC|!OIVj1?7-}S4p47g; zROcwYaCEle#1o`zW$EPG{odX;5KwmZU$v<1y1A$WzNN8#MA17qT1y5FIh2N@7~bnl zzVe#TN~FFlAF^K`$$En*FbV?+vMdnpRX&nD#*g<<%MgDq91Ca1WhWDSVa2QQUW)%P zM?th5l-g3ZP^`Cz%inmh1h3GtEGTz+adUEg8~yq6{dIKt<3)7+{_JGyW;^=+xE`I{+(hrLFVCgv(b?(A#qA9ZVS&6mNj2PIoZexa9_{=}>dgK9hG%!0 zsn6eCswVX_jM5t~R+*(&7^Po4ffrApCw6#!--B)~4Ps&n=BvP7>Bn21;j0JPB(;G0<5}Ny94C7a!zS`lK>%dJtI&2)NDIh{U zLkgw1=U>5;d=5#i^Ce+o0s|#S38$ittUD}QUi!4ufK)D8 zS1cOvl6@?V-(WVPRoupbzOA0Ga3}T*S7F*-$*j#ASjkq@#;Y+ELS5=C1YT9oC9wQI z!qw*6{!e_I|1LyIho5&DRk?m@ z35%PTbHi2M^w-mm9eoC`dcgKAhZh_=9*iJouD(L0);6hf<^0S+n%Q?v{G}uL6mOQ@ zO$17dH4tMrZS0?+`89zAa7D>p++5E?co!sjH(vzsXpr*ScRru{&tTgE8uMki@%`l(>fTSsTt+pvSHwqu`p@E|oH@q>WR?1~@YWbT@o=wZEj%#&4jPzt zr{$b^xH{VPJaz||`V5Bu6VI8hL?hnI+#nP`*-zfK!wMdjKYp`M!pDAZAIa7C4vyb` zcW|)3@uInJL5o`V1VEZK|xT`dcQ zU<6m<8JJ1WlJxF=fbb{@{KTi4OfMZwMBQpiUL7EgBq4LJVSqA&MF?dGc>$o~gWa8P z;MLp;HZ5R`ei07RY~pwrk9DZCt*L_pc_qvQY>pDxaUx!ClX#JgcFs?4ZrI)|9H$@; zTi_MY8uBh8gAM6wpUGfD%YTp${)@QsGTQq7^w!EyhZNb>R3qlv%CL~s!!tM|56P4; z97>|zhPq5sfaS7&&MN4Imw&1o)X!ksIJv&$M-1qp%b3MJ{KDdE;oFX6o#3=B9pjxf 
z;*i4maX9mWa}sAtt2T^|9n`YJ&+iwqV=3t}cC^S&L(2o&0ufi-eo@guFLFGg;;-rx21zM=p4 zf`emTK32W6O9QNFT`T1yHQH$+_7rlN@C7UqEb8LL2#kl`roAEMmE}0)GFMXhtYbO% zS)h_K?{dcC5v9sua~2REmVfH)djHI|>O`l^ae7!M<8BO;09PdlH}f#L?iN! zKPJSWRm&TOdk}r6Rr2l~Z`eh>4$GG4EeysvhTm%9GNnGW3O)nXC$ok^A4{yV6Z*aQ ztmy_iIqf3wKg*(|D3EJV?Lur_D{;Bn;Yb`lIpZ>8EP~{+ie5VkJ-oBLu|I!i)|)|@ zd>Trn2LP9Ctev_GO+Cp6=bz_@;E_V1LiTm02D%erZP<7b9G){H1CKS^rc_U3ekpw({kk)SgBX5!`sn=RjV5>*2)n~;Tfw52aal??C&HMV=BRRtBBXl>3^I= z?=MboZ-iVctxnlHbY+jd-RS&n!{&A2)>4Y;qxL}LS%03nm$VQo-p3C%hXfE1+n-Qg7^3@B=Jc77DF2q?1jUw@rt>nKhdXrq7%r4kI?W&iE>`1Q%fgeZ z1$r>1T1qpXSriR)dqg7;m&vNk6_$a@9Ff%%9~o=vS0b$6NTg0p`{u;6?C8s3+oJL# zy5vX-BfaF1M%E=oUr7?2b)~k13@T&9B5fq;U3TTp2_yC8`kY)}_ph!mZ!eE7&-(8# zez<@Q8Xw+XUiROf{{Ckzq~ZiqZhpDVxAEkmWX^Z(LJ%Wl+Pp6txyxJO@^rSnj{LjdLF$_oI&onfq|t?vewW}c zv9zErUn%9X3mF|%i2;`?y_SExfcY-$h@+TOzlDB}VIt_bb z9Evz}J(6HSP>F}ksQh&<-ji?!t5Ua5u|Qa$v85JnAD*4HYb&F-4)2hf&V!A0{iY$` z>7c1PD>U*z@%fsu${~u2d$MBR5@sc%`pBys_1M_PzZ#cfu1UR~nF=w2U1&z0Rp$Gz z-&tuvqYIW*XC3N=85Zk_FfoWkAG_3EsSnMHKgQ{VFP9dMtgWz?4`o9gD4Q|tT1kpa z6q(lo2iLLY$@@NL?qySIp$5TN5|ta$t^ut23(4hVYr;yrws!R+hq7p82>$9spV?9! z(9(7Y<}Aw76V{V%F-Jlh%(iiJb#ZESsDu1-E}3^cR4^Q@ zpo_fmj^8vEv($)4K_rQsi3Uv4VOn`N?&VXhD_B`lVFs-6H2K}sHK(j^sL_|t+AW@? 
zi<8?QFRy=yF0VL}jXvpq%|8uKC}ngxK;fVzWxNs3@Kf|b!}=ieb9fo(=fT<*d%gYM z%igPX4HR|D9FkU0gD@0wS%JY?&&+3IkYf+lFB1pE@7+&L8)vZdBoO2_^B^s}g7~y(~S%AmvBLLx4R$prcd+ ziSI(sWzKrx2X?x~Jen*Sso>bUluCuzctvkk;Vq;-pNl}0>f>AwRJL4GGO;pS{ZK8X zrLRZH1zbjn*=wA_@iER^4j^{dbM@kJGuZoH4Y!_fbz>*FvD#Y|f?BrG6!;FRTHu3| z{$p?yoe1$orWVFmJZGJS?FKr1ONPL72PQd|AEjlGC;>8L7{U74*o95IFIm+u1Dq4Q zoVe_TJkx9NdQY#qXYqp0w5R1U)4;nlf1!RFk)N~IJig)|Rz ztK~&5L|L;YLn2U|8d{At^;8zzmk(2|3s57AJ{@_nGp7`(C7IC04&a1t;HLZ3O|vfj z*qx@Mk+CT)A-J|vA9NN*dWk7h%(pT!wN?FR1AdC!m+<>=QzPZGUc#If>`+bgNww88h?8}>*-x>Gh z+JlZz)Vy6lk6|5P9!Bzo=+SO-*MKONrcSk}+R!)Gp>URWKjLX<9Shz&U#i=yoxR>3 zuh?aPKmw<koViI@>&9hQFqH>8lB-Lk7+B_qscNa za}Kd%`r&|4>4a-+i@B&}hHxzH^fp{PUTq}DBzDrRQ{w5n!(r=`e{v+5Q?7R{6tuRz zmNx>1-T@!ee8N%@lOC06n}1U19k(1VF=wm3nEcZ<7^* za9qGLxTq5a*50^SVau_!V$9gBl&i^T-5IVb(ezI~^eqqbZ@*pVI|W3?_j(d14qLc4tH@IyFp=q^23|o zN=W+eSZrw>FX&A{^b3sWQk@M0suDHqY3~eo3l-?%mV}h4qOo6kI6)nS$>4`}q;3L< zkXKaLaa#o9I7XQ64R`ao(8KkpF#zdPYX!qwt)P{Q#VnJ_7z0W=*;YNJ9SYlqohIox z;mY<_yK?RDv_<0gmpatP(<*gqHo{2^-Rk^MOtwg3`CgfZVq_(28=EnyJO%)JQOeiwXCq$+Rz#+pv7UfvsE!@QgE&O|h>kujoCv zK0H_Fg_-0{P{+;nKt(~;vDp4|PPWnEE_`82W1&Z!)l6|Qh*L(BSLbh4=sLS0rWyF$ zWUZ=6$=8Bdi5SdnF15nz)g1oRd%gRc+EHy?ot$f_MPZ3NS7&Oox~=bq@6q=OkyoQ@ zrU7iAfG{z!6{r3oSxD9d8jrh;>2A(B0hZKziPaMu&wyOkxtLxd;of=voHOA#QL>%| zNBtu(AG>1=@AFiW|FD=NFneQuv;JiQeqGXW08Wc~DemJ=e`+32hA$k4o z==JWm-x3;2at5M6@GPpW?FP3-o-9FP_Jp(ux7wmI$U|Dn#yzgdCulucRX9&-&?c%i z9S~6kF4sgOye71?SG2ZpM=*)h!23}z!eD;KzUy&;Oq8`XmGiqhsRm7Vy?q}S(+Q_5 zp}VH{ENuNY;i@rwbK}a~k|Fb#<``5Pyeh;W6|Z2<_~0HGBe}%U?VnJ5 zu5TRlC?C%K{pECUD%TW=#&1_iU@dl;&W7=u*1HBhtu%WI>%$IRjMAeq^r6Abw1Xkz zTVuCkP-}W&R?zJgT!76ZNjMjFvz8|j@`*PjP_)>V0Y#j~dP#OvqdhotPs%qh$3>$*~R06sFcyfLE?$3Qp%v#Ywf-E{A5{&NO zd|-lf@DtX}BQ=qZ2%GcwRjG3=9TlSm`@5QEieC=XC0$X-w~ zz%O5^AfgktY&bf|i(ou!xCgPF2erv~EwVEv02dUcHnco5cE$?(cBI8oR*1{0-B9n-4&sh5_K!kr+k1LqpB4E!r}FpACfm;S(! 
z+T)Y6!#|%K_YdFS3dmc>dA8|G9Idzo(k!SPDFH-q_M(@eN;!ZgsEs7;ooXbm3vTAE z;rN?mwB2*dJG#6$K83yc@GMxO)$UqF+RWKQUnS|_q!f*H5^Z1DD;|iSlwP8iJ!(3E z2#PL_L_UOvg|r4YI$6}WX335!TrWC- z?Z_K{q>lz^a8_Y9Ab{@?JyEF{rgTnE0;K03ncM`lNSs6158abLX}e4V>m&B*!Co_} zRSBrQB7qFK;@yx`>UHWQngn{PKD^1t-pyti0p1*a94~WmbrJA0U|>ctJwl~r3jgr(X^FZwtpN1V>9H$aXRdzctu5ZN zP2Gn-+%C+Jv{hCJ{Y)dz zq>Nf})oHc1E^g1xJJE%A=OLo@LsAS98fV)nri6@jXVYrlrC)|f8n}4FBbaU-Vr}>Q z_I>2O7j=oJP_(U9YXUd;%NrOnk;EUiPc^iS@@UHSoo`+D$u3KAKv|d5ekVm1Y<|G=0CLF~6-6Cy$wBqo@PR zx{z@Z-+_XA1GCjl=Zqa{;87a#apR<&&7(}@Y*(YBy{fd-&ESMKy{(j(1-jTS`ZM;`UD>n7DOcE}7FaGFHzr26 zn%uL+pK%%GQNg}R?$%Vp*+Y`dVt8A8c$1DMNrxw-cccUTb3U(x{;6z)KoQr0#kGXd z4L!pX>={~?T+R)Q{Ovqv*i7QUrx-Y<0|W5fMo;wapBY zjx*Eh%0-e5=C~7Yc&o(|MJwxrgnW0iUIoNefRsxG?l157_I^z*ilywboI65qgA4z& ziXvKOq*hnNt(oht7hOWQx!&T#^1NiZk74Vb$i2lZSEyK!}SeXCAGqEfD@6qd6DGorC^O}6QR=Y#!P>INuw zwW@*nZpEc@Hz+>K#d9;(QmD{od_TOj&X^;dVEihZxPEFI~=XoyU{zeGawc zlOdr3g=rA5qqLVEhR}JC z&6_OjeoT=*Br(UL=73_0+<2j#Gd1WsmohD-6TRHq|8B$k3VgTw-EQ51vaEYhM$w0K zcJNc^1nJbdpAkXmM}Q0n96taeMIBLX=?h_%Ri8)Gr0 z-vqwR$ZY~mrv@o9kDOL>HL}a9nvR2|Iu35UXe}A1V?Abb864$~|8ofvG)0~Eqfvqo z#J|HK5AITO$<>7`Eh3^hb&(_+?V#dsy^2M$Y>4363)v`UB}ksBBTAU~I|&_2m?d}G zBS1o4cRx|!FbuEvpd6F;%$3)tj4oon&z#YiovH>7AkMjDE&6OomRxg|eCPaXgA|AL z#d}X^DJ;j*E)Bz+SpB{R)YTR1c5*K1pLNq2nIjd{L2 z<3k-p-1e0#(C_4^0~omy7s5KZ_?%HK6YbidSd;cvN9lf+L$#zpvW)raH7z3K*Ycbe zy0aLde%i-xmK~{mhNoyN?IlFytUx?7XBr8^@3eXaSj+-(ZpiLxV($vTy1ZqCQ)%{p z>$hI-tIj}t@o!G9K~7a&8=W%;o6q=mcvLT4*fvY6D=4ihb{Z-j79OkoA<04sGW&TV zqzlA&FZu_jUeg7><6&G8hKS?SyDY@Rk+2Np#ZqK@^`*uREO|1PHh^N{ztjtl0WCU- zACCiK$TtSDwP>We*e;Q5B(|0dXxLPvw%g(qJf6U1FAV(iLxf}M}ILsg?EOH2G-WF@ykcaNcYUaJ7Ffdl41gvaU8O?kV&?coI`tHNGz2oU+oO$eTP9BZQE|)P}6_ac^ z--Rg^d8@CP>-$LN&TkKk1(!Fvz}-)~yDCT`+4OSr-B0_wE>YZyF*#G*F4rQ{G;wIS zG?r`TvdJxN4NF-u!|JB{yGwJ3P=PbJIl3~8LkU##$z{Bj43g}}1la_txvs@?iT?tP z!pR(1D@z}57D*rl$OGJTVC-(!z1@x95UkgUlFE97M+4W+NTjgLu!jU;& z(W^cL7tBc9C4|a{RbnoO(JpON z6XICG_DWd;(FF^VRF6b+kYbOyl>uUf0YPS=IF8lQ({g4US^^QXlcS4>lQq8F`{p}W 
zF<}3tTwxKwCAcasN~;E!WRk0t6(a+bm?)W0#?U-qB^VX+3jnX2HBQtsNDo#EJ9f?| z0{ybeXRK!u-#1nYZ)ojK3<4px=Q9$nPn)xrMCiLp*Z4CCghS36abO=OQLBp^mZuUj zdiMz`QJ?>R5sheUY(0foYPgO*;1a0Z>zrLnE*~j^qOl@>&CC86hlqD?;eo*__()R; znz0)ip~nKpmH~f*#)OxCr2ljMzsB|dC*|pUf+?8B#RF$ybExH&SrQE5vNxn-A1_oS zgL%r8oJ4Kr64+cZO^D79uYZWPSk@7PN}a02YNo$Psxb|dAWd!Ypy+~#ehVN~67#d! z4jvYNb!F_oi>d@`{1;(8ctxMdduZEr#O3F{9~joE;mK+JE1(m1aOm_^9;)Syel^4j zR{PIGtQGrPk69}lf8}?}U$@VBxWd+}Uao%u!W#lDbRhcYUl&BA)vrukcX9ezwB@$!84kExKRW019kAo`y(-{Xcnr`~gC%54YOGtJa5A`RR<5s#;)Okts9) zrcfO#SRsze!7#g@4&UzVetHM!?S6Xw&h4(F?rxke9m*4G^wz<(rt6P+6r2%_@OC@6 zkwHG4WD5JlkWD&eI!&SXqd5)mQMXG6)a6?qj7@jM%fe=AHT4yjfoV-jn# zq{R(MPqZZt225*b{yMRx5FKs*h6;5mFB~G)QqQ|7Rt%@o_37(bW7Z#6GxhNjiI;51+Htxn$YXJBl~gpsjf|zc)t)K8_}7*EP|)x zLFHf<=~Ticms0{qZI7o|rqoOGpON_3b_&yQh=zMACaP~319_oY_@rSzlOPzU#-GnD z7q`dB+7X3$;nK=^zJ)JIs8Lf8?^zD^YHYP2KyndP9%tJI!(8Xr$H;Vjs?X zw`;9}vgC%LhYI05{1_34l zuA2bK`R|6u1~7*Lj59|E2OL_?mo5Vaz^Zz+nnP&Gg+TzAC+?4=>(t`unu1hQV7b?; zNT#54Ry|q8$O3GQR8nl2#9@bnjWNr~W_B&ant5+-E&|X5s(XHn5aa5LzkdBOjJCXC z-@S?z3O-cZ{KlEBJ~j{0t+0u|hh40hFC!Y&8860jbKPcIZD|+;m>z`aTX%3-0$Rsh zkMPdg(v6X`4PxL@-dFL8_xVX%tz)163*5>9q=t9V7WxR0lEbk_o*hs$4k_%4RZCy_ z6Kx6m|Kt$Dlq&uqEtuV9yQ)}yw<}Cpm#$csI4kzTq8liYZIk$pWx}PDBHO)&E>jYk zmbp(wBfQ5X9XNzx)?PgPCG;GY|E+EpxYu>9x~|o>3Vqag7|){p-tKRH?b^$Svd_;` z{i++o60bguXSL$+KAnS8%X$YCc5SM;%fO@9Qe6s9?)*XY>a)-BG=30%U$89Tw^l8Z z1G#L>|%Mmfi+xR}<@R;@|X^~$w=gheG?AR~=!6wqc zQ<`RG_n)cyHxWWx`~v(&xLh^dg0-_nI-;sI)4d$tRIj4PWPpT#DqvaQn!6^tuV2*@ z&aNEmo9D)IfUJ)u3RYKSS3^r18MNh{v1m!oxxtCPq3BOVfz#B*263u^$px_)C42K$ zb=UD*b}E$eNc94BRt|iiV8v@FBli7Zfs%vEAaN4(W`3|RC3q(OU$qp;OBIJ#1H*~@ z!cWu5gDEjEb9I|Edtj)nQc}x$)PGOM@@{$Xo1^~*NQ>ad!l`pU9`I#)<{ZyGRG!)$ zcb0d>Ur;z`sS0Z;s9bR~)eMbFDBsJnx-aIz28%@BFukf_grOy2arxH%X@xoU>WgAX zRo=dqq-JKxXYdo_g>yt{ShJXf&%VU!_a$Q!U#&aZ=)}D>LDfJJ;xzlvh~#*erLOLO zrZIiy zjU@zr%7{ki_4l;@J9WQ>f+?83%B{i!XRmVlEv^D0+0;2(QxU!U!|_GW?c&O3Z!K3W 
zS~3tog0nbdU9OJD-UghL-@@KqLruD6&uIF_xYZTNMyFe<4iHO}1=km@A_cSg)Z>uNrp29p6!lLW*NC_EIPPw)dV`5+(RgK+Nuc%(4m-35HB*3UIdD)vk;D1={{QT~ zds7_Qu`T|0^C{}!AOPR)Mvs~C43-oZAvEF+0u0Dw-|+-dbQe%oQ`M)dS_nVB`){w6 znfp=Q=wXk1&bdE3!uAYZwQE0f=VRqck@FuFf}t)X?r2LJr5+?!FLO9Yv+_dxU%S8G z8#s0HyTOBRoyp--(i3`YmH{y0KvBs;{gSSP)VjM`jTPt2Nfjd8%Xg(HAk@ewIuq#2 zv}HP;`WL+N3m4fPdC)Ir?yx}bbV49d82jTetzBy(WE=NC7xjC!7}}6^tR6i{UowTD zY%C=gs?c;wN`p={cB`t*gh1B{QUZlZ5-Gi1e`Bi|L<383kgn;e)N!Ei(oa#d7VjMC z3nr~-Vhz!n*TNC%l9doxDYU@gXA0H*_N_o;cGg|ioBWP``pBsFt{&CFX&y^*0k}%v zF_8-6>be#dH8322F0wQ^ArO|>%_wSs=!|I536v&#rIAEdLW_e!pU2wDuy?4 zlG~dcF2!3=HaeA7mO>m8!2!qBjqWMSO!U_mS+FD@bi$kw4Oc6e4w71HwuwCMEm_ybPburEWDZ{|UsAY=_WVJFDjxlZa0uWPmy-1CY<=tl~uv4z%E?Cml-lO~yr7l)@Px+MuLh1{evXXA*r zbaAak&=Pf0EwYfG`O!7YMYir%Ue4y#Rl?b*zQ`|U8pIjbvi+BcPbF7Pu0n)T$=tyW zm0VQTZ&rB_?z}SXi;k*YTcjVw8S9p){1XXCFZBS312ExpJp9AhM4fAK0q?W73~ zAw2^j$j~!VAWQpVPQ9e29;k?C4)zv^*0$PuONO)63p<)M=%ODMOL7ER{I z!VT3x9c51+4iEkK-QQW$8t*MIf_P33B?75^o~tmSdS93EDfoCWJ~{Y-QG-oW#1a;x6}+XGS`2S&6O%ykrtZxJcd@IXLUE= z`12TA?b=zw$-1;#D+vM8y`-$h$co~$y|k=^Qz~m+WL`&{w=SjbM|%M^izJ-Og#R)= zPEzD2mw_FY7e|L@=gO~myvGc6=n_JZl*|Cyof6J?-ysp}iMJuXpz4235+* zNSW*oYekVSbU((4FjDXe3ezt{&8Qltxcr`GqTLkwCGvh410#J2Kol%&f;Ww#ztXkR zz)%&1f<52>pWwTlvLIdVd+SY9lCi^IoG7=;w9712Vo2D;5*S}v)kUqfc{OqdU3K1E z&s(sY{gUW^MFJ=xu6TnWpVb2a78@;m?Am^Py1%!HYqF7`RV8$#zFR%d+L27?vN5D) zKb~+`U|AJkcx-3UEh-;0Rh0!mxiPFHCcU%t{ut@uE$QA#(xRusX#!)K!f4Qw6d0qi z0t|+h(GpcY0J6sQ+Ts<~r^il7C0yy2itN3h3^yL(#nX%Sylp36dRr7qMQ3z?A*nZF zPHnm?ztGL>@q-5+7)U69^JT|lcuPMlCAvgaou~#NSfaISA0AogclIcI{d~y?fr2Wp zs`I#13k&}=UwGxni;}Vq*>xih7P>5nf>=_c3fC{I%y{9fN>yKM%?{5@K5=Hq_>RO` zK+7=SLRkXM8HPkH4f7;*YZj}h$asCyTUs{8oRC4(+vR_Wb4=f_z_#pb97tpIv3F`~ z8_RP#N9rX=h>hcd*`*M0fHBbn1QW8m~#EJ@;2T7}(e3HOnr7ARi?pFBvUnO(!ErG{f zL36&oN%UW<(sNHuGuP1X>7fX3OO();l1Z#9E$Je}QFMp<;Hhg#-T+fTtiKe5yVSq) z!*sKBoj>g3e;(Ss)5#-zbrWgyJR4B|KCIFix2D)-e z1vU`qLK6odW=MKt4Me9Z&;|o8Al$*z`RuB&Vq&Rck8jYS7*{^BI8&He$%SJM7f-Cu zxrhMrs1}Wh1#2W!MxKixg!{nO{h3TdwQ79AcqSqm#K+>AWXwe7SHefGAtjg;wL0pT 
zdN#8BN(jn7w9{GL_KRyGNvohba@_%nm|X4)m4?fRN{;qu9x<1aJxCls5mvZNAEQy4kk?gnBB(AD$=K47S8p-A+vgJrWoyzomn8qTlt0Lu%u(Ce<{w_yzkR9k3e)Sum41 zAOukD1nc3FIXG#N6~Q9q=P zQ?ZC*ta5>JuN_$(VT(uP&b&fDcXkgtbl>TusKm)+N)~Y09+J%nui&z=(%6W_?RL(I084y0&z*hD7^SrrZeIQqCKIPsWv_1pneaUFiaVRdh#dS$k}Q zD1D+qJy6!?O_)#43HG69RJfRd=Jj0QWUiCj+nR15TqDstu?DG2>A$w*x47Z>=L;QN zVu$>r3gbOSx`Lg*s1@_3(Nt^f)_}uXa2YV+c=R`*Co$C#7{&HvExLzgNgU$1t zYy5oPYJB8WzdmkS1wp6#r?+I8^oF>nsrz0U7pOx$nJgUsFP)U3Ah%SQFqRvp&-TEK zjt2of>t>Ez6lB);r2PUvhv{jN1Gl=Ce8rE#{jO=|*;02-Nl?L+ zqGuMWvrsW&`^pZ`*^tOVg4be3bb?aq(}wR!H%&P%wN|9Zh1!JrVW`t^MbZ2n{Xi*? z+&xD{sw>rl3!9NpG|-K5rXH2k#r4!7-MfVMiZM9%zN{1r!GOgtXHU$z=v_(AvdCRv zZ>C;@c;E}~cZl-5#efIT!ZMxW>k*B6@W`YwcSRLbli+T^%cPcKl!>dY9^;F<%&98_ z=F(b#FDW>NSI2R>wZ52U?JO;Jj^4ki+D`x7xxAX^Zk1bXrYegL-|pVY+4-Bpvy(Tc zXL~O^blarsawiDsL8^~;YlYc1F*kPP5hqIoZ+X1pJH45V<kE&Ssm5Ni>ruXU z+v?O>wVH+dO5h*oulG-1@0{&QIa(|zns`A~<8|4{7$xpzsAlfZbc(EqhbA;J41${^ z5~1Grx$>*74JVH1jhOM()Utt$v3knQI(hFms0Qk z+i2Ol_g+Xv%edLjrE;zKaNH`u4E*yd^scG0DmMvd9yAZ~QLp&vO!r zEOto#eov1Ue*C4nBo)vOjlClN!(Vp~|L(haDlx60yBxY5^ofg6C_C3&K0F?ZpUnE$ zOjRAKtR%ma)6P>JP*0SCD=|Gw=P0}LDhY}>L`iZy=SRY<={T2FdxpDzW`9He95*SszpL3N;aeE9Lw7J(7m>Tw4E5gzwB!t zyV|@@O3d7QueNk(R1}z3sh?TLUBtmyX`W@bA6F2DDco(Li+t~sZbosThQOG!zDd^w zwe#P%*njt1%o&`w^=yoys#osRerXVg!fEqNzbC6n=M1I`i-WmB1_HV^y`JU55fqVm z6qQAZyMYS#TC<4yTwxxL=5T8O8vCg74UwEv2E;Se!E@BQ0*@%W{LVl;1sJ+JNp;q)My`)_OB%(f=w#TNZ%Tb5^hj`gN|a?kr^MRF$n zH=r{xwnMNL-!Nm=XW~O7lsAQDIxAW~l++9qu$sx=_jNM|;+h$}ULj4RT*q=Y#0eh$ z=o=AI_}TgwKP=WczLkCr*I>!XBpkH(=@OLcC}4n{Z8F^W7uxHUCnbdtUjG z+O_#@m2F59^`#AEQ$u?1nA$ZfCfq@ms+PUcgs`@*v&-T(aNAuM6Q`9%AKb`?Z-@CX zTa{m$)lJPY^CT3m8L1a2uVO)K(-C#A9le!){W-RUDB$PQr{Y5xPl~7h*o$mu+SN^wlZ*;bj<;@R+>MNW zW3J|vPw(tmV}~h3(b5^iibhLU>tgXnvr$WZc3eX&btmpUH!CqW2%)4wg)_wkp$e#- z66&+bGU`!2$_eoWy1IEBc~VWdGTl`+6q{bXg+g4n{G%bO@9*=Coh_C261)Hgwf$`f#9y4RLCyI z-KjCzq*`kAMR8RMRrsugNJfgSur13KAmpJCqyCc+-#UW~U$95qora?247ii#RBye} z^^ns(Fz@X!+wp@lmS8u?hjB%FofRIf0U+fIdu>5_@Y(pD*ol#Y`m5@VG#`~8Rdxwn 
zix?T^(fwN4ZZJ+{Q;^2S+PQG*SR7fenxfkqhHTxx^UngYS9*_dx-ltphF>Lqb3yBm zbq%H}3nf@@CWw_Rpqj+9^61yyZplQl*7uy1q23V_02nUPSLhBshlF09=H9&|AcO4m ze=Tz4VfRW=Utc}@7i-s_sn_Vh&wY2pW>3WHeWS{LYTL=v>gVhyDl+&d_Fm!Bl2}o%M!q`vj3&)?B?T}2Y9++TlzU|i`z~y!VElyERN;7C42PX zt8YJS9wo#5GWx+itN3ZkK@=zaw{q}r<>24S!T&Fn1NV~P%|>@m{Z z@a(CZgVuP9j4Wh@*&dpCb#vp6VH%9p@s*mpUCN_nMI14WTRSoPFL0hOXLaE3*PpgL zK_0J@Allq35#hNs<7oy**EPa}VCfE_;mE$P#q*e$(Embpk33P5knV0zQR?EA(rYzn zgV?0^>w}A8c9}Nl+W4?On0<;iNWa_%^}+0))&_%8^dYryQAb#&9>&uu%Az^metfmR z`zqUc`4SH4vsZiB;okoDubv;BWT$%v?r#7i?Hqi6bh3Z;>h+g%#0Ab^$dKAQlg#f; z@&JZNu1h!Xv(fck-xC9fuSb~=BKBdQX^)@{k!Azo!5ry7=sn#0yZ{1J80aVdNBAbu zZu*w*K>QzehHs$@_J4stDtdp}oMq`h=>Nu#^3wH_AO%o{mvub^!Mk=?s-n36Jbw7- zTm0|i2U%3XDSE#tFCKQ@&U{6d^nFgl0J`Wx6OaDMCL-)&H0^#A-#*Yk-8YKSxEe0B z(d`1>_keO)sO_G5?bqdF>-}t9Ut6c^ew_~QkvqG}pD822qHYTVMc{Icihr?FD*Q;` z=Vd7NFt?&?eNiJMYANK`5yp!B_AlHP7anukeehcwnC<=TKy|@bLdim7<<<2??a!N& zci>lGz*swWDpKu%Wj1mg3##${E~yJ&o$VgmYX$!ZS&qMkpeU;32*5n(V==1Rz5dkw zhi{wA!XLa4CGRuo1|f0X@C4&cE!zDH=D2BmfOrz~QK?Z8(HBONT!FYs7bpWY-Avxz z=jhmxsvd9_dqzZr?&2@1d2%^ydS##ZeKRo1RACX>PZS(T51|;*;CNwoZ=U%UBw{Kv z9e-GOBx)_?g5<~!`y|?xu%&x#MTpu2!f6VlY*CBbn_fOb0+Z`G&S}!&yzO%_U32G0 z#|W;TX4+)m?ay^YGAjvHA+L#_+&wrt-8(%yKi)anJ3Qk%g@h0)mezi`f71O`dI81e ziX>Tssj&{Zt3v|!NQn5*A|OOClhF1=DQ?dEnGqF@+Bz4(-r>hUb2^m>=zKcX3}nHx zMh8x59C7jfSu5#@5_XHm+)D%L`K-QBep1`%JRhI1)vw!luk+u&;AYpe%)a1TIMaHV z`!V(KKK?zK^djE)ZlW*}&}_MLawns?%`0DEfk+t>QmnK7)whp+!xy8k;IdFKVo=y+ zuQn_IdvgPrBy0#u&ERa?h{6)v1XZcdJie3DlqbNj4#Dy<;P za#NDTBWcvnp-CVBvek*+LpXDC*2pejB;b7`#08M4@+8rCXwaPk-AntI5tJ<0Rn8VE z`k~fc7c>GBEy%{+fg9=IIY(OPXpA;p(;xzCE@+CwtL(!iI6H)Uk9lnu4S7g$gStUP zSA=v~#Pid`WRljF^^~m>m#>ohJH4TX8FP(i zzAM5QVyjVKO8r0*pGEf;_gQ+oS__{uOQU=?{hTS`UfkU|aeCrxmit?|2O4k ztXO2V#gzVmNB#3!RpRgci#ye~ZtrB-e!EVQayg&$GpU8{uN(7qN04k-T8c8+=n@P{L zTv}Q4z}1ZH5Ao&ZCBXLZM;!LKD2o@QeMw-&LHLPIA^4@sRCEcJ_M$mJ&@!Q%Qmrv;!RSJhNl?2-0irSoN0mr=P!uKYqz5#%E1zrL-z{LGp!`(l z1-@rSqb!26M)YvP{pC*2ow+)Fgh729a`x>=<&EFUO}GHpm)Obcy6c8!dykzEx`XI5 
z14a#@1*1=_*y?hEJ2m15>9GY00=>J&C76~6^V#I-o0EgyS>Y}oPgy}(B(j;JRUXbZ z+$NWQY&5^W*VBTVn~KhKogvJA32U7DjGMgnTKxc?yGm)Y^o&|?J&`iJ-xg#GuHON8 z+TDK#2@&y%QjQV@Xw@_T5%nJ>3mnZvC6C@zYDF4-bov5;BBykKES;K z;HWIPR4VFoUix&G^%=zP3s6uVI%54q6BWh|Jq%N@v%Bl0?8(mA(Mh(Io$UR7@8ooE zAXPdRW=2w<#8=ka%@sip6Tu(si^8gysA96DzC*9~y2$Vi?+#wvlx<5sL9U|~ z8jVotwBM|-g``_sJjxlQ*ula)PR`EA2u8`faago3o^K{6XXnk?tG&as{oS4A_w%H7Oa2tf z+qS`-&9Z5OiRA_i$K@8-X+)@nI%( zB{$rADspy`2{VykVQJjnnwMkp7Imm<7Q#-Zwltp?DIF@UVhB|${lJAfXsCBS&zo|@ zCqnIU_m!C-3Uo;|72mFwkbE%^lfY0NGf8ZZ%-*mH|HSNne1an41Dln7D>NvGY@?0x zynLNW(e*P8gL4QL1qcRTMVYlbEJuK&jgSw{*2O58yTv*@6Own}<)_J;Pt70H=4#^5 zSEO74jZ}+_s^$0^ zvtyTMaFb37U9$}YaxW!x`~I$<*}o=t$fhnBHo-+ytiiUX6T-mDQ-aJ%gU!}NO|prN z4@marbT9jH|Lm312;M-FMZ4qT>@L@{m!K-BAj3R_VVtbyoMVY))l^~mJo%!&W`tJt}#pVrmiP$7Wx z8d-q8oK6UTvuI|BfWIzBv$}De?x+B`0FZ9j?RP|)Js(MA$LY6|NkO*Y^yZg~I`~cl zZ#Gon;LCAesAw?MW76!u%GiTyizK_lHK5kk)i_fB5GMx`n$VD0=d- zq{th-^~sgpw5JPo-L%og(rz}iFJ9dZANo*%H)h@@1>U;zl{mh_e7OZ3{F7DSvQPm| zw5X&C96s<*SAz3h{YW9We;0w1HvY$!{^E4~Pb&iV*)`w<+r@YPT>|cZLn~pm&VAKC$$-4WENu5TXH7sCmjZVx@QHVO$*1?+)2~=0I6JCV&DF2Y55I8)j;HjZun4i} z{G1f24*4VA2FZ?o+zB|`*QePJ&%IE|e)ssnZyta3o5c#u2vu1@an%hqR5>@oDCr?* zfIczAmFYf_{o`#{O$Z5*3U)j$h#WMuU$`0|nnciGTE)hTN$|tt!$^t~z@od0w!xND z%Ay$4_j`wXCp!mAB5k624zwoO(?iwsB`mM{1Q<3wpDFQ0|Tpv5P0%soJn3$*o z9L)hUT=a9VEC)^E-ii5O78xS|Jk%GSy{sqhwwrwRR#pau@mMCI8eiPS=DQYtZ`7uh zKs;7dqi33L6RpC-2Wm<}p&X$8m5=jq2Ma=juuOm!%gcf0;8IxYezDsmp!sTp?nk_# z&W>olCJS`tH=np$!eQz4r(i!xcGiieL~2h(pRN9Qx)iuNrLd zM=($GJMR;Zu(bZE6p!oM?h80ZeK2kb17gQLoL?2f!V>#SWI?yZj2ek=?ikNAr?eO6 z!5AzU|4iaEe!^Z5Fj4+~fQ5c~nDq{PGINypYw1HBOW4BGqTjg*LN;+?AonBer+x=qUl#2$4ddiX zx<(t=f*JNLo5QFu&n>GsOzV1ve<3&u`Hk@XImN)dd(n`$B?nYb>#WecCx%(Ib@smR z=Pg8SI!!OSEYu^NYGzn8pCT|R6cHm>4?kIqK-Oc0N*L7VZRI466@T!oVy@TnEYkePt#csW-y9L?q z-}!uf#Rv8TyNsYOK}O`KND5MVGnbPqU6U#H#tG(n$sF6T{NXp)V_g-4ydC6J4p6vb zRwH&rhg10%y-Y9N?Ev{SU{%*bFm&jCK`h0~`3#E(d#|7U8QUpGI{dxs9el&h9621N zL`lW49x1IIZz=ezCwKA#MiwD$5%S9@u;FUAOED^(V{^5n1NB95r*nFa)j6Ny*Yia4 
zd8u@Dm(B`ANJHcF&_GHmvmnO{a!RlZ)(0aYhcpl)#^=|&S8n7Un$%#eC#cB_J?<4# zt*kIhP?fmweJM*M3nZ69KH_6yXEuP)!ksPwz=>}7`^9?DiFAIwawn9VR#|AtTnQWy z5fAb{P}JnfEJVN&7$i^MzklC*Q##CX4#b!K6)+(%CeiIp{` zh+bxKaz(iex{aBWL%-u_}6-qMdf`YTEn9J0@bb@} zBfq4oF8hFab8%5}DpM~{Ke%6#6sTmU`a!G^2`R6r(GeF}84OhS@h>kVdx})`zw4n* z6Rk6&zmOxlQz^}kP~T1pCljTp?b42yoi$#l;H5>gNNkC-E2FI%7032npHU`x6z^=| zlVfIwC=!)6L6pzxyK>)cwUoxP_UIb8tv}eVPJJZfc^UXUDxVPg&zzxE_pi>L#`W6Va1p$sRAojABC}$kYn#Pp)X{Y@I7nfLQ?&pYK*h|Hov2HVNR7O z%{Pt2&cCR@QgT-u*0DokruTw$%wHjfv_D55&c%!CI`W!s>aGCsuzY4D@qV=`M0QHy zJ0c5#_o7Lgi|L!u^|Q1W;cEh{`J1sn=+F9p@kOLy<<6Csfyp9!&K@!}dHC*P*u?WW#=W(!KaT>yD0 z?T!m~AYj{C%Ib)hIO3ydez=-tU4Uzxx8j2UrTD$^s^l3#rznw}5ZyTTF@Kxl6UtJA z3tgb|B<|9Jw?r3<2^W9YS%|OdTiBR=Au7W-%WAG*{d*=ldRr}+s(9ZD#R)C)c?0EdMGN24Cch}! z+oFgZte{6HfWcRg4^zZ+CQ~k;FXe7Wwn;(;G089XPr#@I;()}%u=1;z$H4s@Vf{J; zPYWj_d-%YnFq|J%Zq9G=_vfvqebI&6bbPqDx^Jc?Hbf(eWJ0QcPvM?Hsv+{t=@6p2X_XgCJ6Z15u}FkR&BcQw zIt`k2qQwluVQYCGBO)O^_b(eAIS0rRG`(NPpPd!(E5zft zbfh^IG@nlIvc0?F!p&Y2w;fv4$bmwZg@11a+&w7ucXwXs%RW$~?4xz|U{eX(tYV(+ zjmX>3?P0p*7B*A%=xc1X*L$yzPX3tf?(DwWv+&oKCIh=EZh9LRcdg9g;nCUNc6Rn^ z|1>+^IoWx=cjnBL7e{-infoO>J>J{hfB8oen7!Wl!~W|xuQO-8@9v$RW~clAcMr9a2Kw5iH;&4hMI1ze1e(Vp0P>B+k&4s3O49K{!D!<#hbw7}ukF}DbR%x-3lLD8{!njxsMgrANN{MKiD&R$})oRdo-cbmULU7=j z5p%qitTx7HaNh>V2@|duPLfFdrSP59H&ia&MD^V-I+YUL#QUJ^sl#Ut3-8P}7*;YM zO_OD+q&X%!O=U|Py2SrDiwlx*UQr!mFX{Sf(~fp$z}xYoa^~!NxR*zT=l$$Q*MaY} z#5J^jw4t3Qle@k;7^C?x1#~7r83o#SZK1Qzlg)e$2A;+K#)<)z0*$fwUP700Q`V^c z5qr6HJw^AZbJF}4z%DlQ&&VdTQC`l_un(ok)ptuRfeIP7w}kA*-0$x0;cd3ik}vIr zqk`3QFLq~N;}tr5EwX`KruU5v+neSd7r__Jg{8Z5`BF=^4S_yPw!z&1U@xqQ8-bzI zZ)m-cvg&u-Kf}xy+c4CK7;2#p`kHm6PjyNDb}ox7&!tz8Uw(J>e3Qk+GL(PxTzY>F zk#JsC=h9+yRj3qOqQg;BmzbdB!|Or(`MeWIDS^q(lK0{$(x{zfKjY+*s7if4kZ zSz{Sv1jcV?E4bnW9SW7=`s}fKG@4KEqD{b6rIdqK zFEWhBxUL3E8bcvx`k52dh(AghNafMbIy)eJu-5oUT9fH)YyG}--CPQP@W1aQ-u6BK(#1+_$lf3;- zyG;16*{?Zr5RuaxJNM|PP&TqqIGBHxszaCqM$5Us?&PNtr2`d+i-KChedj@BP(Ets zmZi8%60X+OswV0Cs+d^eF+*RSn}P9KzgWrHTYkWA1kVwjYs4A6>ZDRf{oKjc+wePJ 
zQ^8%p{P%vq^9&@z92ZZharS7dK>+&12PNBR-U=y6RFvwvRE<*QvcB5ao-(N&nkq6r zg)2zVZS;3s6jsdv=xj9VaShizy}evbY4ZV)1V-QSAJcGQ(PA>Chf70m`UFly+S_D7 ze=tJHPn@NNl~WOjGjTqxC*|l)#j4I~^m``1M`14?3(~cYL>SZXLFK2z(dOs?vZI)4 zxkGPh%4S&XSr}+QTWFvnWbeA`t2lB;Tl|%UMT$x|OUUgr0-wB-vSak0n$@!?n zbEe`tB%sT#{Ba5M53`41898T`Qu7CO!hZ`5L0~oESoy59acbI}336HIMSE%?n8swu zb*V;*Qw`8CI^WzNBa=01>M4;&(UDbkyGA_dn)qgAYD6BB5Ds2xEd@BIu7Q+A&0EOt z;vI8)k*7YR#uGkI<&}$)nO*~TDcp#y?54(4!wq*CBcuS(6uY;1&%mWQ9l6Zfy#ty# zdvi9P2xMM#uW}}ev`Ex>6HQ*)cVDXl2r4z-{g2}H1up`--|uuGC8Pze8TY9yfV<8o zAn0-Xnkm0a4+lB(6h4!H){%iuX)sJ$3WLLN5k7#Y}t zB;}#frD>wD6Dw}XejdCWGJ*`xPgPkKR1{%AbqODs~|ze_DrxG|v!=I?^iB5nlN zK&UF=Gf~P)Y@@zuHZhIg183Ov{RJfaKN5_S>K~p~R=jn?4k$=GCm*!DqtO{bRaydr zr8M&QtRxbHZ>m(<4^=RI?g+7Uy|V;o!ks@F%TCC$N`#Y?&;NL~cWQgLto!lVF$QYJ zW8@ggijcYG@gtm!=qk{V2L|={(Srxs!w1fCrZj6dmv+N9>OUXF#Q30CypU?N7~B|d z%drz2Q74H)QD2r(RR0pP!nG&!-97dnKkWbUDQX{!%Z}!fd1)ae`Te5~3a)HdBXb)? zM2yt=uy8!Ig)@YsUszh;fC&yS8=omKfCsiy=mQMo*#A~!#G6fB9RxnQDIl;hDoo9} z5M83~HbteX2;a_br7mt~k22_oGY1HTW-uwxJfn57I=^f{tXd)k7-id{oQA0AZp6PV zKH{`ZsYWPE8p^=psF!uj!WdCNt@|ll7lM+uo@#h3=zg76+0cbTwB!QZdmmI_E}UaROS@2_nOLLa<#t#D5C)b1XwJV_&9OZzesCn2;3U zag!rk4`2-MssWP)BpO27@GB$i%r?a^OeOACacAQ-Hq6|^*r8i&&$r69-Klt!Zc*v%8n16M0eLomhF;rAT!>$ zX6{6x*4Inn)>-zV=I)uA%Uc3e67FDk#xty&j^Aw|2K_B0A}7NWikkC2Iw10XpB^;f zs?8ofSmQ32r}H+Zid{c==;tNG{OJtQW9*u-DJUcB)Q+wkgR!5pB8x=Ak}3PfzWZp& zcg3~xk9?T8xwzZ+ESt#4M_+%lxT*8|cXiHft$d#fHtcLqw&rK(*jo1(L$#MEUn{eww>#G$`x)4^94gr-mSv z*_CAbO4W<0r3GQe(HgCTg^5JR$M?)6fBXEYr0r{@uyN(be`G%IogwM?CrwfI)9)U# zfb8!cx&Qn83G4mtVdt6;r(j;?BP{Tw7{j&Zy4*=l3sp9e8*11RL@0#f5|v?-*7-fGOgXZB0fOq7xP%~#UvN1xhj|J7x6L2bQ;+2?mvgQ5~pE!$9- zgMk~5k&F8N8zIMG$kt8!lgy1`BeDxN`vGAZUFBu)P#CscJS}Doi3@naTfwVTwfNHf z#+3guT-SwXt_vUksFFkyg)oZ@f+b(9g5gkBNwLOKYX>AJ)E$er%MYkO7I4pnlff63 zABUG(UTAEX8i~;(Kg@OzKQ?%SJ2`^pN&q2wwrX#$a%=Y0h#{$@Sc=W0 zmZTyN_eNWH5*S32Fwe}@U=NG=rS30})|9rRL0DzrSVejpD~F(a2bPP{t(dJY5lnW> zpoVQUn`Wt_2axbc0+*N3GG@%Kx64{DH!eZ2f5}|)R*-@DEL?}aK91$2&E^%w0~Efz 
zxPi)8kHMRb(lHVrS_zpG`_s{WEs6x>j(c=&smjpYJypStyQ;Sr5-ON`3QbxxN+ib! zl#y<%e5|hAQi;s@8K>C5CE2)^eKjz-8r=6nsLpPFf^&jNESXPc`Uh!r(u@JulA8_lq57&e8***V?bRsIO;r z1vVBu8EPOfk;E%^HYI9A3TzdS9Lx(a%$YyjOd{v{;C_6He`>b4LOa4rQZisT5qzh_ zwIl_?xV6%GDQE zA#;L5DPwQ=>Mu0ZD#hBM~BHtW0aH@mP6Ans ztN08Z`UCb~9%-3Z92T8~l~4+{FRvq%&jr!U(eg4&7KHvO@!^RnD%2BIfh9mOYCu!L z_M>LFoPmouJO$ZmTi0CS>TZ>1OK}YhO3I1rNEwFpY2N!9&seH!;bXdSOCa)i0t?&n?8LiamE(NL^#zcS^6WW?Q(|vQ?zo&qTMi zs~dM%2qy$LDw5hee+xI274=03u#(G4@XAOcu&-f+a6I4%kv>rZ67M&s4+STsCk_c7 z)rpxT0>%oKFzeb&A@mgwY~vT&WiO#8SY@#Kpzgf~J3(dlE;2K5Ri0A}(v5}Jr*uKN zDNTxOyVoCn^TTsYI_Ar@+Y}a3QwpK7F*Sj^llP>}SBU#$ehFj1#R20>W@EN>Qf*LmtCKjC?U{tN6QS^HvOIQ@_0C!hXz9_pD5wJMG{Vq8 zZG!dfnM-AQ*H6n{iw3>S?WWx)LWl+=Pwa76K{IxXlRBs zkh8pc8+6&Q6oPOAaw;5HJD!~n+oxf!su|jSYGs0}>t$p;fb?3(GkRu3+eD@y4VPJ$Q|6SE@07ZYKTyHbG1wJ0%0^@vFV^++* zCsX4)k}3On6`nmi@irTMFVI-azE%rC?=E4F7X{0gf%2+vUkn#R$uh%Vx$76hsA7Ed zgQXGe)krL&bSPKWNCho@HFADmwz}X_oGuH26~x3CF<;UJbyHZ#mhU!_!w|B(aft4} zrn<#iJ5IH&>+$#@(#QSmK6Tfi`_Hmxo5r3sZRtDw=bmOCeMYm7KE2t;pV92&rOigV z$Oq;vx}IW0$vM2#=h)uomt?s1;B6;InL9=IhHL|zii^5!Cq)I$g}^o!ioL)!bH_?V z6bIEH(p}2S#MOkOnZ^z;%}5e&e{J{rw5W`I!o#Z`&_olqT*JzI3_+tw70&8DcVeQq z;Z8PSiv8@tz|H%nUav?=jWUX$hC^%L!ha>Eq1v6uI>P^?WMy(&Ej8bup3{L|I@9W*iC*ze z@g|F9LpKA<=}z1P@oWN4E&BUD2|`muFJTBzx>MWV-{VWEmkAU2Z4pw|Fom1Q?ONvquXu=N zsR62Gv!wT&8E)9+-)UU=yRX-VhTKs7M+`|#t@(OQa~zmLbM2(z3|=2l4L=XDDh&pM zW==|f!l|aHs79b-RNKYJ3oa8@s7}dVEQfhvDVf52FG_m>w`V8LjdAH=M4R`W#_sm| z?|vK?ElpnJl>S{(Tz%C!a>!N}qced5XUytH8n0 z_b>Mk{sn0rlln>^2`eEmy26@Wid1+4zME&+6aCkuWWzICA}W%3Wf2$mwgMf(R$bnJ z1WvV*r#Lv>WRoa;&9D-n*OlD*^iT8_i(@9($`>p{=^C7m$P*>FyqpQps0UG3Qbm4l zejT)j=DeS;wv@)XMF}b&#XyL@;0XAOc>9Zd;(HJGQC&&@lm&Dx`^g4v^kz?|1W> zF*TWF-=xgUf8xiD)lE;g*#p&VGs&CljX!Nh?QwqoG?0#rBWG!E_oSa4yc8(%+0OIs zJN%%~r~gSQmV1BFs$PF;!Mir_Z)C#6GxC$y`>D4(cM9~4PoPYCud;4qZPS^F&Qe#m zW$(f@hnglEKmF`}Nk+tj8G5L>oFom!o~q|9j9JKvpB_KzKYaAf&v3h3$^KXy=xD?T z+dDlrvTXaiWCOul4{aC&`(aatC*R1m-1NKx z`?3+0ATu!@2QF%qPmy;X{^s$wn+rYWZ(F_7YXBC7PWKnw4B4)h&X81w4{ifle4(E0 z-M0g@98_G+Zo_ 
z!fQb6=t~B#u@{tq9B;gzA|E6CB-#cl3~P9~FM*mh9_c9YjX~bq%D*W4=rvq-YqA01 zjF>HSR-(Uz|Mc^1B+5*BskAcH*@4+d`|pl9B-_S|BiWXTzrz z`MXf1{hHekld`3QYb~q@y*HInAKM8tC<%FG+>H%)kU)xf^~_Lj!|mQo@KpOR6out} zs3U-wCinZ|(poQ*Re!~$=6M3-P318zmB1L^k+4&i?F8x=`~1MuN80Nlhl=mJxhaGi zu&UJ48lgNC>2AvdELJ1MB;1GFhcK9)k%J0QlZkABWa7P zz{ zbp;IFnpz|n0Du7@5=vIWMa+pDye}kw%P5l5x?g-9<$S^YKO%i3?^PRa^R}EqsUa>) z3mwQ&)yV#CsQ6-eEJDJ<8>blizeaHd(R&#a$)}PrZF-KRr7kR$>yC)|-I!!=Vt~o6 zAo(Q`tZ$KT@7UYe9{wS# z&;4X-Kga$1^wyVchR=9=%G+ykdwhBmZnM}3K7FS=(VepR;-~JEXV*?JG}i#cIQzpE z)BjOa1q!c;{V3=kPrDn`s!B@6s?7D`?`-!t?ir;a4cJ_&p+G2IOvtb)!t3bpknF4Q zYD|V9V{O{Ndoy>}xnS4QUMklV5O?T_1{wV5+>Hg-m{WcQ?WjuNCBZ}+X8)+6>EqHm z8>dd(>2OY3xmzsc}nnB<@s4ZbB ze9T>UD8Zu?%6U?xSplrR#E5Yg8nUpEEYY@j-!@_#4oGcq&ZnaSGh#u7lmQ!m_6dV2 z$@bxEUC9@kg->J~*cs``YBs};$kat4u@I}`)J)DV<~LKwtG76}&>o5`PYMW~)#l{O zF3Jip>M(o4pBe3dGRiQ8=cXyX`O3`oYy-CZSKqih`&326SDSQ&#|~h3V%bvU)`;}r zzNldFk2#5IM6$3-Oz|>K=)!=6J^nB=RMMT2NtW1I9q}$N;}a@i75uzk-2`Gc6P~EELBg~BLe`!V%F#qE4 z6crZV&Ygr`G7G0*8$zub=3y*RL>M(ET+6>x)p2J`yb#?2B6Ibs%Kd z+EcZgj<~sxKMiI<+c7gRgF^waswt!Q*zW7wwLOag+e>Lr1W1`z{A} zZ9AW7DIH^!LA?z=0_E?@!Ve#Ma$cc4u{zB*$X#wQIPTT?B>G+0BqXL}Gjsic#fn zt!ND70@Kg-GkWOP<`aF+|00#?)Vl?ToDFbi_rSkZ=vyd(ta?_`YNNk%&`Z8r;&*4) zkA>@~@%B>qlK>hE_#8+%NMI7Zb()PVXDD5xtQlQ9TYQ_E&T|Iq(g$QWOSK%jm-D6p z>=$>tB>t?x^=w%gZM>Qc@uD)5&1v>BF;w*VNh$i>sP0f_`FEUBho)T`A~)=KmfI zdpawaf~l^oKb~Z(xU5%y_#s=B!=f_iz9RzD2_iZpl5j{X3E+i z3S>=0NVv_PH`fYXPWpkIFCTSpf@<0$b^(s6(B3fJ8qeWEeA3#>Qr;V?^Icrn6xqUlFjO*~ z-S=*dEbIz-_M=-Pvt1$2-@7%QbhgHQk|y3vP5K6JgZqWq(x*S=Gvnk%t1@-pXO=$w zDW5q`UZi1o??;wA`|(fArs-QbATsaG2Vn&m(@uTTEBE*F(_a6CuD|mQdD~hGwx#{O z|GE1+`GI#n<-U7%-8(XtSTE30LqZ`QmMbhEyCz7zj@hAlh`gk{1fFo6xj8(!3ZA}f zQPB;!J48?QQ#*9(H35aBP0NwTtZ!M$+oZLF@1uqy5+ug=QwZ`E68iW#w!*?JEJ)BUtjct-&0o%^F6i zZFbctoJKfZ@@|h@S3LLGme&C8v|# zb^)FBWs{uO_>h|_h=57A1?_}2VPi=*aGSX5?(eI7EJiU!Nnhf8_ML|6O_mE}18wS? 
z(Ezm4q2(n?(YJV3+-P)Cd?rMMZ-*eA~Ow-)@@8_BQWt6KA2{=7NNEDYph7oNWp-med`TsO2c0qrZoLxoTrF(-o@ z!tCezV0{z$dv+4LB9xSAZg$G?)=fSkvEsPXmb_8b$)9NePKNOR(lsAMz2AbmR-%qt zeP|n$sAVMIf`QpA&PUlabCYlc7xLf#-pKx=3LponB|}zkcvt(qng{AMd^PGSSJTxWeo6z3=xA zc`@uAzR(P8+}`RM?T)lan+7Ljh>3Wa_T$dUp;L~wvjfS33a=;|P~a!i8$=^P-~RAC zju0u7K`Yw2I|kTJ6Q^JeGwicI2`(gZddS})f;DMIUO`pXLW*ZGxL1zH6HV09PjN#G zmC7F{N!Zh(`X|cwBUwdKhJy4}P2^s)6;37#C|V|m0m~4remVB`ET7SOcWw+#8(}4e z3%)x~RN%3>)tz`Tog{%apmQ6~KD7nklMAV(9O>NV=q(~|g%v#-&xKekw6`z@WA66e z)^2oF2^uEC91|b3q?`IFHv!YfSRd6XcImtg}ot`V(`A0j)2>jiAz#C ztR&7=u4<`D{?;oT0)fB_kh&HGsHX;8wKSx98tjLwdHjaHRb2-0(hiUT#tF-Wwe zT#-EwJdmK6!0R=$EToqIuD_OB#Oik2m~b&|unqJF(|ToT`&AEjFJ8RF}cJIv$09LrVwq1wJDKyk|54 z`V@c4GG3xj>WPbq1P%Q5!EyW&A6PbmXw^q0T?(B=*T4Q_8|jmq{FE)Uf0^y??i?r8 zX;Xv%or9L=9r3MEe?@5lcr4ilZfH54<9amL+F{;0cd`PR$5(nPH`R*8pSQQ$HWQx% z8(K9o&DG36NwTHjvy2SkNVbTdpe=>qC;7WTsZwtgc%388f|d<6=@$Mti1Hj?P`a%%b-< z+7ZxJ=1x&saB=Zew!YoT)H&v4DUv2sdLhe?qN3z+M&97>7)*?%*-fafQ zA=~v~e8Kz0ZVLRqIFSlGW_Z?zIHNV{OKn*7|NEnt0J_?ym|RlHG8zJ{v;(SI1Y@${JIdkm}(p>V!0srE}9{ znl8d?oOv^Z;3hdFSGtkSF*L6{L3T(K>=8%`?tTxP>z>EXj?OmRb$%T8aZhb;JAMAVoizb=Dgsa?kQZW|f`(3vMvOqa;gMulmR zr78)v15Y5f&#$fI-?)=UkS?pa1d#DJi2YiA+w-Mj>E1T4r21eNq^rDf0Pw<->%Ov@ zrixV*`ca=&s$c1tn)wYU^>lu7W5-wexonApL{DM2#8uwpgP{0Py)B~+K>d;PwG<#a z%t(fZe~gXo4!oC+7-pJjB1hjmHA+Mx?&R2`@4gt3+v`+>QEqV6Kv?Gfe=~)9YVT7g zd!`(SVj6bvp=t&c3Rj$!l4a()$52I|N!;SRr?gLeKp`6t)r;pqn2h}%@Z%Wik>NA(DQ_IW)^s*;fL)9b5z-+vl_^Z4btCDxG+)h_;IHW&E-eU}VO+sVOt~LK9$*k7;_Rxj&aQ54&1So~gt;&^={O7+d91jdNu#VVyX4T>6Y7{2bJIW2!5 zsx*ctr3Mv`5T*^sdG+9EcjsU=_M>Pg;5JNGK_WD@o2xq^xd>XN=BRF!QlTL%h-CQy zy~RmMuSX}St8wl&Ih5vCVV&XaS&%y^eQp@_qv<11y2*O5XQKPf9w5< z2ihsN!hsXE_pcs3`bwy%yAWFK>jGba;I{`a>pELqTND9*bq)S~)$gNlW!TvaM8}$0 zAOlToRw0g7-cwZScHJK!)w&|7joZT%L1BW06Py3>ISAR>H|;E2dzNQwr_Gl8)3aAj zL_7gQ%IpR(&us0ddF6h*-dcO&9=d7c7L|aBEux8^=A}IU(^@o4s3g zkNNgbn{C%@r@4y~=?ecqbE|8AJz=5k+25aCui{^ka4^`pa_hjqEcqTQbGtXv3Bi}6 zw(!OHC7}0nv?`snu5~`g1(Xu0KYH9kOj494zG?Z1qeEWoSolWJSUSUk`q0_2y`W@l 
zAeM1b$`H<@dP?2Jh~S|*`9m}%y@ynTfe0rHiDwd+<|Xw_BXk-@qd1eCvU@v|t7rN@ zLG29xeqq<*&QxgIxih^ku5kp#rupn7(*H@C#Vj{Cf^g{>MnU+)bR_IzMDTXzX~v=t zHtB5keee5z3-qIP#ZaW^Y3cgv$=k%&0)uIVJOOfxH9pCfz4ZL?92?~>{=UDPSR>Tm zU}mMUme_CQqvTwoG++-k4Qp%>c=?X|0iRK`S`a7Dhd{B9HBZt;ZOueW2}8@CNWkaW z_7m#O&#W95cz1u!enMIg{)>N0Uqtl3`@0IUa1nL;z_doou7=jCeB)zSCk%dVf2?~? z!qF7+yrd88gi*5WR|0BOAVR?E0NFs5($`P5t%zsVpROnDK2iBp4QB~&xoANw0?TZq zq+i3#)Lx%98sFJfw(b<Y@LB)i$*=g_c#5D~Q|BwX$Vf?yqqH?!J}`w~B>YaYYY=l|C86saQn;si!Qh61d&9tekhie&}ql1k2Nu zobf4^vDZ7KI_4>yY$}VALV$8(P*&cVVWUO%*wQHtC2D*$Z=K?5U4|i5n}qKAo3DO& z9vC2_Oj3DBa^MitmD++=W&%rI{RW&;@?p}9orTqhvArcK5ic@~mfEUG`=~ig|TwaJgn%Qa523Uo5^nnNwt@EW9 zfhL#w9_qF><~a*@wRI{RQ{m&vN zd2V8-xeg5!Qu)Nt_f@y(7*A?DF6*S!qR7J6x{je*b{x+sJ4!I^N0+J??ATC-t~SYfL4@HlcicSE-P;oy>%2LUQqHlfV%fGpOSYL{2=O_;!ZAY z(~0VScAL*CGJv}6%-9;@5bi6*#a!=z`FJV;9=P3-?F*tFVArLJ4)(#D7snPioONe0 z(pQ-0C975or4%|Vew2k-%eJ=g__i>J!J#?&^bVcvb~<#x+e@`>Pf1jay8>vL?(n4s z6wJ9^toqAJZ?njk`*$hvwG{#C8gWua*5K#A?X5ivjzKFmJb;LQ^)W95^_uz34Nq^M z;S;Wa&>y66C^d>Y5Q1P3Vch=5C-^3g@uyfi;k89$Osuiv3AqDVSv<^*_P~G+xu?C* z3U!*jaElB3ZCMGqI}P0CI#=zE8V|0-)SnC;6?;k`X|Ng4E z8kyo98n;@b2F36N)IA)etdj7(AyllvCrcV!k#f*+PnS06ivs zijh=U;o}fdjbRh=70siJcT8VzF3)eig!iVgw@;7V>(Lt#gk=$B165KzU0wqlkylpi z`0L`v;uACnygS%%#nW7N;_6_Pi=^K-EQGGWb#LcWrpG2kZ2*m|Sz3jeB+CXb1<-(vTR1@%4(w~K}&Uhb1S9WOS7i5 z{8$=ffK>|H4z&ct{Su!N%Z1B!Dx01-p|76_7^jbzmhiF~M7dcYOA2V74V6^mG{iG? 
z_G<`^B+Dfr7kZCZq?*FK^}fC&#gOKB(6~B-4Z%BgQTX2Skm)}!B!l`2yuZb5!5)l@ zL8x7N?_FVGQc$0vCPaMZ8gb>I!(Ot*K#!Qk*ALn&BU_T;3813u=IoBswuO4a@{fJe znO*XM+uYCs!YOBoB};sgX_bqaRu~DE(Ip+LBHEh-==Wr&=SP=tfjX-*SQJlohRI7h z7w2>*#j_K!BYAj^{v@YG@9DA%{_^Oqz4V3m^h>k3G_Se)gEuGpNyldM^zoZsg3B_V z965{qAneSwrAKlzY1F$vXE#afOjd>#k)#tZfWhKC%2YVH2^Qpuot^(BZ}ObP(Q|HP zFJTalqyB3ky3S&Jq*p4+7E*Ut0xa!wI;UjAl|6z8?y9eq>#)fsyeC76y^LjOGmaqSDGxYcXLIF&C%fMbbac1 z3%BYv+c@7lIr+7?9gM3eo<;FV_T^D`i20-(=7optvAx|_M||$lgRfHc#-70SPG@0^ zV2#;s`Wgvy&z|m_#hIr%JCP2Mh?LVN8TzZH0|$+WACmW8rSCcAF%dO#R5zMbem%QR z&){|EW6R%qavg3K^UDUaQS;KQlr$=hiK2b0@Cb&DgbW{^DId7(bH_`)5xEW^_d8+z z@Iw;T_vd)+*^bAe)d=z1G}>Pojki0%|C4KDUS)$VduS&cs7_^Qh0ui<;HHqzP94gs zNULB4?-iOA<{i>I4(wNcDZu-ES3*B`aTIP#zesmFV5&P2DZvkK)Yw zhD3UKG|wWZjP*@bhPlt6aHB}wp!EEjh=tCyuR@FBYC=j z13CQlCI2en6#vKBlS)1b#DKO>AToC$YJ|CmF6^O)*;5Ouvgj zMEdJsgfSSc)X>9ZG1KMCw&u-jYf@gQN2TMNjO(uFZF8>Kac*y;yh45Zw{bxenT`r) zI<9EBXbaZyp~jr&MtmVB$y=aTsIIKof3tn3#f+O10Dk$wK$mP^qK<;y_U1ZDZ?i9e ztI=hN%}%RoYwNarTMju!q2L+Tv#Tv`o|pN5%0KLkCLL8cnzkL5PP0(I3g-?epj#P| zwQR)+b>J(gAg0NOqxY^eT8onhWfL_g94qL6!FsxlF@Y* zJq=HB{!RlN=Cv3#^d+K(|{omrPy zK-Xo+pNH!F@4m6z%NV_KuTYFC6XK*4T=G#cul!nNt9WS0hgL=DS0>$RT)dY6z;!)g zC1V1BOwR+XTh~@r6)wNBc?%C&>x->0M1?4}m7J81`kYm#7@^vAcF5Q)NQxxsb3%wh z2^-3tKKP;C`|G|!=z3n_3^P zdpc!80W}ask>hMq0D@wW61r*=e7KaaHi}$A`=Q_{ghca-+kw@xCo8CPpeC z1=u6WaGSR^JP=&sO*$UT@9VGskc@Gij9J~qrIhpLy9-8nX5~{y*DP-Mq4xZuXp3yY z9E{&#()CQfQQwD{YoO*+bAW7)>Mnm{v>^H)jggaoDK-5c0(KSuBvK02=XEy*(S z_p^x(_vS^>l1seK2pw7MuS$h%sZ2<(N|E^($Divt$(FUu2692d_FYgY<#2k1(ohJd zkSAz_1u#OE;1DnuP6_x36aic4;RDm`xgx#~QeV~fT;mikgC&3GK?z;hg6qWtBbfaN zI3bI03Cm##D}q!Dz=Z7cFbSUxNT3D@*5?4}96TOAj5iD>j5=2yBb#MSaY6RE2Xpa< zt5}uK_`+ZS1zg-Itc`Kmb5$1a>B3i^(18%6VNgj^S1#^U1u!gyo58wK-0FvVN0TI- zrl*J21BvLDvm`p1X5bxKowUXMXLgB#qlAo)rpuet6No}t4ij6>)*w~5G-C`FjERBu zfXu69D~wK9bmnfNiw9*je=ir+PIFg{$aU7|N4&0ZX$5j|Vf$PWr{nqViqe)>LI9;Z z#q^B}SmCapPJI`h9UZ>TFG^-Q$^<@nipvI)RpUR;!UwI#!e zr9lt_cKRsCP^_}AWfsadILkfnyBVc+64g)IEH{$0>8R*C5#T5j1R-&()-HGIx)YKk 
z)-zu2)&+o6Kz1dQ;Lk$0(4;{0eRot60nlIc@|_21R&0)|cZws}_x zg2rXCm_$$U?D6iQ6fSKU0_ADyVB-Kop3jJqxUCKJUW`5GsZ1qqKrNtNM1bvVgPo9& ziYPe5kHSiF2IF{87?MJSiej$mB&|*US_aIOknh*A*lFDv4Hb7fu$*qOUwe=|`^EA+@f%6It)2p;TMy+*8}(=hqEd*spA zUk~lS3IHU$ZGuW^>#A@eD}>)u0&nl99hX;SYk3;$4?2r-0F!e*@rA{rdVrAwq(f-# znvd&&T5&M^#cxW*LQ3L!5+Y=;T zGYOkCzy%u6nssAu+Iy&AcjjP48^6@^sm?80H)W$GGxRo@~&4W%alxUIma>8=xE zvo6gG5`fid-hI&hFO6rroC-0n&@tqKT;z>V2M3CHEJ#ezr-ZEp^%i$xR>}#AzwcDc zNa2!`L-q)2(8*dUd-SDkanH~NWFjB*N*Cj|WoxL2h4qMlp<~G~GMpr4)btlook*u@ zxJ^on;vI_{gkfxEbzqTsNBE*2RshLf*UbAQGm}i$I*-zNJ0gAx>HH85hX5;12Np^N}^yc}&-s!8Oqcc(qXMTbW3q%v-KJ`X_FA5i ztcS8#?mTsiG{iQKT=(7m5<+k{`4wo>p0!GiQknNJYWtyu zx5bqBt<=Oo-(NCUqiNOZ@)?A<>aPv*TvWpD!{X8l`QgiQjod`z9L?J<{lCih)Seje%enBd_tL5%SFJVOKwBDE|DWr_nRIFI-)0;~?KR7AVa`g6&BNB*9 zv)LEr+|%*lTvON~z!)8^ednZ&0GMJ%U}w1 zqj96HGTMwd*Q)mn%l4r^V*-ZHz7>DoJ3cw{o-Z7a{E);c`%xEX{qc)*L zyM(_fr&-f!Q$k3QX_%W~OW&#B0yyvE8qSl!Z7zq=>Q(5%$W+i9suwi2jJWhJnMfc6 z|E+}e#t_$TE{bBIL9LJjrfWIW?r7N}WS+DHLy|+$FwnzMfp*FVupo_uH-U$4eu3*w zY4d}VSaHQ-#0|Y7DU(!=BrmNkZl-NaZyy#oxCGt1C$?AP4QX2z^|~e8?Q0hZ+1uh? z4rd@XAMBTZW+#8)U97HLeCbm+wBEI0OJ|?Cp@Umu$(H8E!D>_S_Q-5EOcG4jQw=Wb^S2++-l_%`k0HDapHM030G{=!D&{SWO2atlFyyFUdkiR9kB`E! 
z5bS@H-CMS*2uZs6JCSvYIYSr#mCy;?=L8Ee7z#*Ha%1k(Z1%G`Z5EMyM=xK>IfR=8 z&+~)|1VCk--ZOj(oLF$FyFry#*R9;~c$Om|WPV}KQ)d|$Oa$Oczpd(9)G=4a@oH>- z!!VZ`$QHN#3MfzRBD-)j%bRN$;V-mR3BFi1DGghZm>Q*qqV*%brr}+ z{XpE7ayOA74lPKBfr~xGMY|}>gQ7LF`C)0An!Ajd9SDhU;SkmI{@0drR=FATzJ`4C z)*}!mk?%ny1Qi$wlt`@M1LsaBeruB78J||zcWxssyKrXhg671Ew0C48R*SPio`>ZD zQznzjjeio|xv|j%U0MC5q(NbeMsBQfJcJ0`A8eZ^g!pcQ%xA`V+WA#2_b8;~OGtQg z(HzzkbSexI!u{IIec9O-#SFfEk07!$7&<_$R#b}1%f+dUW^rML+hXFb7ta@_R>(`C zCl+ZU&6W^IlRHnSqIxz#^K2uF+Q7YwE0iZgg+&0CDXuai)b`G4OWQ1AFZh%nIlvb) zmJ{N_o92(0odjs;BAN%;uQ=U1AKPB-(;>F)l%kUu^8`fD|aR|F}> zOHI+({s@%SyL$4@3%Kb0JMXf?joT;|qfO2@*(Kc4VY~3EMKXWWS9Zi8yG2>3J(MT1 z$y^t?_qZRfC7kHY^zekZ(Uwi3WG96Nl}m7OBXu^5Zl>7k-}}Sa-pS$4L3aA)m@@77 z1*+g z+)T+Q%Ul#`CU1nfHsE5N0$)cpOrqIKI@v`r^T#ltdF5`+PaaYj3=fzf!wY4v2t`Dq zzI58}_C|k>1HIK%G5g25!%zs{U*4Cr?QU1(*M**lUa~@7G(~6^J~FOfE4|u+AnUvu zki;13xGFWR>LdHRuaE5|rJI9)K*=o|3L@Ma9vM=2O#jlMsP|~`XdoPUviIZ3{+EqN z%x9BxDRo^$OLlf05p|d)B%}eJBa^CUB>{|qs+I9!5nMs$Ys3QG8PxoI4CIzzKY6D-3w5W;` zGo*-@L3_!}1JCwgPTEdtshCz-_LE+_gZ&rTlhfm8KU1DXsWo8BF^+!RIygEiT@Jh*PdI18PouSF}&Di5T<4OGvGnFl}AcTTHx`|Y~{ z$Rp#9i|drnH0Bn;hou$~>AT3A@5ObPHce)0?Bhp2WIsug*VD%j4u8gcJY5CPfY_`j zi#tT=S5U=#u5<}T=I35s4@ZnygueLix_o8bbDb&Ka#UHkRi>4|F|J=U8)Ch&G1M18*-d~T}ji+5ZBGtDV1A9q? 
z(G$&~0VOJ^id%k9aceldO;;!>RtyE+N@3IEc^695&9oe}Ci!_IY=;DN(phXl2*&@A zIi1!{7iD-n7Dds@n|Y9}x_QL>kpe>xo9|Xk_H>ebN5mA4SCRP4LZhDLC(|v`FY(OhqovgebRU>0~-f6Ohx-?)5W1Q@Y2m2Vqz?7M=3L)g{ z71*#_wbUd$)}}P-w#`B`V61r=A*Utgb@o&s>_WJ3{1kEvHFjE}{TDVce*8g^=iOV* zO-nv%?b*GPlTUy6`K#5U2N4Az|cJ1+T)`kh}k#*)au zNV#N*M3H%1=1`a%B?r%Yu=#qe~YN3YI z8Glb(6Xs$V{l368s~(b~B*urL0YZy9iB%oRM&*Sp5b`Yik8_X~$@J@~)Q}#j_!lc) zWqy<3c+aO}Eh&gs&}GZ0nqM?%Fh1@VaGaPnoKyDcOxtb#N?SHEotUmRx~Xw^g|9?i zRi$ZJu}U$zE+=C*{>bp@G`m+qBwB_F6WP3VV=S45L-w?JT_FH6aP9d|B9kHx5U@wg7P0&rTinIe zt~ouS>!BnM$wCKyaOU@OgWNMMxeWXsk(hefC?=HCuEJVvLx1*-H8k{?mp(4>(Wn>& zxM!{Ql2XLU&~w-pQETEM%;Ed**7N&OVYV5fl?1jKroOibIMmQGt^}% z5J}`Fw)8YOB;2_h_&8{!kCiOL7AR=OOj#l$F?kWr*G@Mzx-y%oonQxHCf$R+20g%l zn0bUNpwRG#|9rrp(JZY1|B3~pSQDJ=v#^=lWi_Amjtqc(#ZC?VRk3R(5vY-zXQH?h zwVpZNl87Ab7X{&#DlJ^!yejR@tHN@ym&Z5N)jh(aF;)uufENkfp1_k=ekgRj1Vl>_?V* z)KP)+6G)52+}HvXKnLm7gIRe+3snu&YSP8sDVAH;H>eY$9NW56+n;@DDr%x@82O}r znr9dap|_1xW1Y=}GSQ<8$pdhx<+UJshbd50@0sT9`%${thgi9nt=Bv*>%R@UF9?>w zKos#`q!J?f*p}6RgcHiZ2?nGn50`gU7Bi9gptso%!?Lg>93q*MXQU2A@AD{a*Mg*x z!Kd%iJg8IKQs>Vq5AH|>yB1d(I2C;i@Z_Niq>WBDg9vRZ{r;}kzjj6W+KVOC%iVUh7l6Ed&s23;`HBKs zJ6-Qn(8%w!0(Oxk?q1ERyIL)K-rLoqLTWBmuPUcU8lv+#X-eCXGclDLJ1}hK@s-*L{QLY17D!6WAJ!PV$kdM95c)9e zSzUBV{$#38Bl3T&G#aEE6IYe)19hD04H^uWL@#QjzbDZ#$tUf8DBaS7+OqP~N1?am~69zWyb0B&1ofLs~JtcDXXAHmLTKnf}PO@v0+X5K9W3VAFc z*0c(s5DYs4ar~0VLY+*39cC;+qQ-)KC`FpMF?;P3CD(DHIlBKt-D!tsA=o-x;G3$E z=NDh^*P`=#0jXI6i~3$Q4Qu@RdNU&Ri<%IP;|4N>HW5oclFOGxj&}blj_vwySKO%{ zry|r&YYJ;rfa{$iu`DuRBVXn)uR@V29XB+LeLBgaZnh9`1uVZp?hia2e_p!S5#@VU zhw?am8QGU~^0-dkr$jA~VL@L?)L{lyeOiO6A+>45c2&0C87%dWA%#0l5p&(w~o`Sen#15y=>z@7nKv_8}=x>TYH*n!W>LV5-PV+ z1jIeg2eV3$xLxDKC&IPUd?K#j>4{%;N`g(4OXl{FKs49NY?;@$*;aR3H&|2UpfW6A z%z-4wC!B}!h&dR@ssB-@}-DqDh z81EIZ;Y@uJc2~Iyy{P1B#W$vaULvPjb`3VYxhhgc7S9b4?u+!;BA65yXu#3%{^xb8 zrWfU~rN>$Pzg=g?(pzi4zWk%~;j8Qi)6QQ0@qcjxb?pyd30{6kzO)uqOC??y68hFm zX<^1!4xO*BMK=9c2PdcR&W{CflZROJe>o^dnlclB!@{mxc?Mj__wJTZg>zI@?}KZ@ 
z?3x?KWbnA#mi=HB^%D?LD?nNrBerQHOqJsBXmJvz&s^oruoiai2gwMDQ!6em-?)LF z9Q|@x6#}|e{)nU;!V8@o*-#{Hj(4&Gg%$V0Pb@i#PQaDT{5=X_* zKb;`zJZk0)NN6j`9MJSr`nE#`f%kRD245L`UrHFTu)BNyfbp}4QXxrlXiWoXIb@H> zU1*E{H$(r7nTzO*qWN6AZaK6_bJ(M{HgPC<(?7o1h~Y&J67@$y2TLI9slQqnA5!+@ zD8%*{g^I$a$_O@~dE`?DWWG9<8LcqRxeZZrq)Tv&(I>Vt?k0{-A2VwYwk?UeK8v_ux%}73u(z=@==OqEO>=NThlJbAuD~kj-sV*UZ?rYbQn1iLKwrq`@OQH z!TQh{%?SbO#)3P&YtTz*;C(S+V2-D+oS30|^UQ6D|HwTV1CZKXHW4;Wy#yP! z>i2G1!)Immz9~{G!U!EjK9W!<;J@wuqbK@~&8f*9&4D(keGlwWacD7b-X9Uz;X_eH ze_xpzY<>Ev+OThj-5UN_o!FZB$*OV0w)!(@$ky7=t0*@X_P+4y&^D@5u0v zjtry4v)1siYvxWzBG9{}e11-p*T4L;2gppn4bibIi?E(@ z`n%+94J6h+5&wU`5SpLIpBg{29VW4}$H&dWx&Noe%;FAze!R@yCOE9UX>Xvy)0xl{ zV0E4KVsYzf_dDob1jZu{=z7R7Bda^p?Y5jor{vYk2t% zo{a4B+vDu;;PBhyUl;&!U7#~mgilIa_C)*hn-V&QmJ}qsFzX(MrHpd=)A#08PlB0fo7$?i~EvR)C= z9sqL$1cmgBnAswyy_4rR&_*Pi!=9#MVs>IwTI8J{9o31V4`|WjRFhNcj;^XaK>>#@ z5`RUfR4(J+$*V82L+!V^Uo4&dJzZ9}<$Pyc)E%HrNmNtNom`WrlQguSUN z$f{7fR&P~3#^#d0;0tW?;(HniK$d1Sj1x0X3Fimg+Bf{Vx^u~_J*Ic-N%j;@b}ei~2ceYciW5(={4#*blZxO3lDcWVC9dyL9UFFJ~wbcsX8~mqBl)mBpnPwaz$4=3^i@= zglznWR_L*ba#a%?)}(5VENbUd{W4%OkEiIH5@{)og^kwIucQgvzPjvXQZ9-9!DBw<3fmooaKkLw`=aFR?c zu$PU5PA@3`-Jxk2a)P3086MFkjXuSMAh%b?&V(gsy~$|$;KvpHS)s2TKTn;2jUOFA z^|DR~VcGh{(83C$yLDl?fu{a5+>y(y?Y~vwFj%-@jg{BOnFwR|XN_~vv5UG-##CLi zuk-0^H_Uo2DU4Zf(9=eNQz`!4H1aRFWYOOZf`Fc5wrAbJHnEIUyR&hs72M0Ox;(99 zRH&5p4iR5gz{Q%y~hEC?V6($~mR$=e&?soV8@Q2V%y)q~FI^f^fYkua4 z2P5K*nYZF#6%2DMrYK%3x}Kg8Qr->}n)*JwBXeJ>XL&*a_i_kUM}37+#G4aDPCP5y zGV8X*+6VKq$_?L}&zBrJ%v4aUGli~IsHo)7!Tnrv<6-6YSC=3>^>TBEWo&$H!7^|= zf{&3oVbA>HQs?K~UE};CPV1;x3t3~S%?K1sENA9M1axz{aTTSPZ!)k7*j|yX$gSKJ0OGW5ymEP`2leeDOXEwb2f} z`wZ4KKk!4hM5fP8@e!UwWJC=xJlC>?@igTpo_(vkEL@>tHyTUnt^$tcnF!U0w--m|;9 zKW)hjFzF5ca0C$|zHU6zHkme)Su~Hf)!XJ#mn{D%ooYQjAeHrf`}C@<{1(^Duae|e z37jkdAd$>R@~N)ERPoSvF&CjQC34!)yNPqV?lWL3#nae9#*%q2^(4IT2e!-3@-_{B z!xX#una_Y)Y@n0rYmohc}8!3GRP#{QwmuF|%I%mVTEctVM zMB@@^KeGacB<>I#a*BH}xs(Q}>ybkQQ>1kV7|o2u37$wpkP|! 
z*moyyP7f}RFW3R*^LYroEK5_{uZ!G}83sJdnjB7N*h;Q%GQ2**fT>hObI=u?1Ux<<#Q#k<>?o@H(7q&k}KA~vZJraE3P?ejy}YTWIZtC z^ekmL+0>dlR|oKLw~;*p*Wdmok8f_S2TTn;e<~G)uoTT@1o!m0fA;i3GhWtCuDh?b zQ(Z~oRm2?k!}-4IO}>ThyQ}qYe-lwLFi~Mo#oce_ z!sZ_2wPjd#P#&`;jbY){&t4N1(GQPGANub@a^B8ogF9+M;_8 z^Z>~2rvpCHLn1LxiJi z?Ihfd*SQn|Srp%OL6iqrL8jx4#qFJsH2*?izjgNA-h(MrD53RQ!fPTe_$;Xx-be`M z&dsR00#hr~WW+qlYb9{cQ{SE2A?mAob$)#DExxX||5r}p+;y^I1V7K^!Raww==cZ5 zYH#p_`(*O!Xxx?2XMZ%^yV-(&7A^cSQ$(=%nRP3mNKG+e1!sMf1`jmmCQRZQZc+jw zwjk++a;eFoX60^CdmxqRb!X_mT5(otUrS*w&|a+Lzp{hjkOJ1IK#>U9oWa7%t?Alg zZY)}8KK6fK&!;ce*7lx0-Cf(?{bFrzclXQP<)?0{shjK<@*Ey>|GV^*GhDZJ1~+B* z%9#L3K(@aO|MA<5ipEDG?6F${g>keb0{8F85mn%3q)kkvCYZIOSMGoA%AqrJ2wyNI;@s%o z1}C@!!-T7n;}`A8rp2o9EsKk6OMI>l7HET`tPn`Fb)=9r|K=40DMJ*?xNYkt=Vh2l!HVPd~LnNVr+e{_rezCFa9^ z4$ZZHlTVe$)>8j2TQ;PZ8gifT`HT(V8K!t!BIA0RU}oB%fC_Qs3i9D?U#QDQHZMwZ zGLW>hO<^}FZb;11pU+3B5BQ>xy{AoOm-x|Hxu>|6wk|JEg@8ttmMCj)?NHfw=$A<8W+&nhL;KGFa+SKdv7X&zBcrh2 zu|5_Pp?^^yQW8lFI;v;f^XV*HWE*%K#5+2>&@$Uk;pK57vpfh=WUOM`1;ty9O3+6}Fx{-}O%O zrTCWR+t*-1TvHZo3RyoE?Q1&H=1A;wEyt{NtSgRI+k)$HOV?d9wcz>nXcr@r(aIG0 zS@d%iz580XviBhG=~7Ajtn@qDhXw2~-oQ{9<3vls*PdVG6&t~(XU~=(5~p~FqelcY)~JExkiV$D=99%=@`%?;peTjF{1<-6NzR2auHF0HHLzM3dcHG5&o zO#heWz0r$Uxc#JpS5^p#=Zt@>;90 zq_ga?(0xk!z4-!oIP;l^eFhgR_Q|OiNVc#dXzwhA_D6#q++^2I(s56+}ipc|9LaXOV_FdDgNgN zJMLcZWUt--yT#M}H>so@DLe3=k`D4-t?R|u`gf2?E-=QR?k>O2g;P-WMbJHE3Q{m} z%$(<_YqYxwTXu7)aaH2Nu8VaW`37s_CQ2HnWP>8y!U1vL-S43);C@udmp4@^_(>=E z2m#NGK#onyS{dykXL+ga4P-MDHkm-uahjLa;gasCxiFAHfGU)2D zagz2~c(eho<2FIAbhg6mN!KmA3>C)us_7xJclq2E>?6i|=PeLdEvp<&Yco43|8Ucn z+3Dk?uWiY#ildLZ?Hj*<__gEd;NdtJ!^Ih-p1Df3#92-_t46C4BywY=_ntVRm)?Zd z_!JIrUsEUPCzBy^I*Ktl&PN_ChYnY8iVx`YMk)rep7fD8j~qJhsPLSU#yqr6>Q|y2 zW|vjfrRo@`NCeKs<_g5hS+&MdPF5o$-<*}c)jPpTn8Z`nI5jJlOC~B_Ri`xk5^L%q z)1pO{^xgl)YZ@(OGo3U7m{O*+=6aZa9(kW35J+7L42ZsP?(^3-bR=2emX%vxUfBg# z)$l%AUVn{ph3i(V6*ebK&?yKQ+Ukk^AkM)%r+z7>ck(j##oKq6J8$1yTt+AYPH(4! 
z-kE?|f}{a}p18`B6ovSlRACaE#K$*frgYoUDBn1lPo8hdo0BxvTe6S;r+XL!Q4y&13WSmi717JA}MeYGs=)+MVCwsaY z7hF&s9X%qV)TnnO8q_DI^4Z>gve$+BwLh&SCUzh-*RI>n63Ysq+tumpK>ruZd)QgB z8nF-839~^!qwMhf^p%hzg@6PHv1)^_D?PWkMAb`7KfJKhHran&JJyQT6V3|q`DHDg z5b&mZDfamO`|nLxln)c9N~F&DtHb^0d(S;%;M3loq|Ou11@?sD1W3xB$4KzW6w$~HnbH)~%Ym`n^(l$|h}6YK=`E3y|JIN6Sc8*nXsy4AUrf%*8+UJF!85FQBn3$4$rbBkllK9AgZsQM^SD+`{sD;L z-x}9!3QS>7+pI@y-CIh*7pRA40?M%T=r$|n30^`e>wDyxOH&d0LKm|Cv9I3DV%VqL z3}az|h02F=n#{x}Mx0=re<<@X1MY6Xy|5KTe-si>^c}aczAN(tKtHew(%2JSA`j?B z*vWblQ}G7kx}-C?Gl(U>P0ZsW^zAjl`(tsU+ZB@bJJhe-@D^kkEaaK`uz8jye7hqt z(J+!_&t;yVKtqCtwMsz1hA>bskECitGgBmgFG6J)(w*qjwGW&7^9DN-PAyOMxX zI+qk5Rp}zMDVA`3b9^a?|HlVMVY6@rOhQ>B6#aVtiXVs7bc+U12-7sg#i&+m5_!XF zXyzBQt-X8=vek~;yjj|Vg#1a$3$6snhMNU=3t~kqnIC=_=oLooW;z*kFZ+5yUzj`5 z6R9H5OvIT&XHgn@;)E?m_Lb{^a~Q>3w|yQg6eGm0#5Dtl%IH4ezhQjuOLAU^8$q+T z?&IXm4~r45Gxg9}0B|%~Xt^`32PU*lTKE*2`=NcesIKm@V%}MqP|MGH9Q#6Q4RQDn z?xzrt$_(=FpB&Ni(zo)nyH zjsB?G0L2n9!m5FA4sfwZ?Gs-VBR49t!+h2h*W(IFCswrzuskbXDT~pt7BJ!PqfeY~ z8MtKE1!J;W%x}0NiS=aOXvuGl+|#Dkc^S&E0{FA}{%tk&CA7J1(1HS6Oo}8|cw1cl z+OrfeM7c7h2`L;G{08FG;5FP_ACQ4Mk8kS_#3IA15~Fh;1OGU75uqxoQRURek}Q{V z&6Gbs{?FHMj%==q2%(!tVE?%$fRYJ-fqA-~QNnf!v|lBc6QcWKs9v24W;U>>htJ>nQpP0lwflYNgdv!UXaS>?rAZ(fqDA)H!cC}@`&e;XqkWd zxo=6v@agATiozZ*3 z$np*!^8sg4CTBu*1Vr#XnY-vV*i$2eM-&+qIexW0ufzA2A=XEuq)C&!TN5yH%Td$% z0OjZ?hTHAl#k#j5aImb>E_d;NTZOi%*Cnge$)rvx$|zAorX^7+hTWuC&+B$2q(f{K zD@lRQ03}V<7)n}%ZPC8Jg8zw@RzfQAPr7oJcf^HERC3quu*~h$;T~+;t@;JcE>$1TPyCA&r7+`a%WcJqw&K(-~bN7(CS@-ZD+c-RU`9)oi zUcC4UQP4gs>t`EYiY2Q#9M%ml;VN%m?oV)K;SRcYCkxooKsrOoH)^uLcy@KJIR=M(SZ-C_0JUvJn|T6o~FUcj*HoiCr6C7KEmlGW4AWjtX~tNN;~`*i~NPtJPYiE zVQS}AM_VsuGt@8OA-49#pwq|^_A0*Cl^D$R$Fzu1%f!a(zpO;Gj5tO1h*AXY01k_h z)ABTCo(M*babXKp>#8M)Q#&YjX%x5aoQ7Jj@`b+&9(@iDQHLtv7CGOg92#g7Olergd@y z5!umtoA~kd0RHINg22#KOZrRB93_ix8_(wte|Lj}Y|n#>h;h~w)BZa-CGPF_#r=*P z31Pw2^inqlkev!I=@sZ1+v0l zF9+{|3wD${ z$>?d>6-m0@pc;+xX)U>lm=`zHwJq5<+uk^irO}|7V%bLD#;YqEYe}c(?l`v(0Au2DY*!sA%b5a&hHH533VpAn#_rPAvW^~uA|vcoh-`!48xbi49}Gn 
zyav~(chq*Gex90=0`bL-9+N9eV(C~-TlBe;)s=4t2xM-`HvBql`1x>hH81B;9a>Ci z=u<+p9bX;~U;@EQlPj!lOokyS=b^l#=Ue&K?a&UXxAPMM)fztXaG_tfESmp(Z~QQYhn;sT$X&;F6~mA$9a|-R+E^dQ3bb>rKSs znn~I;Z?hSoXg8FB#5WP(+{59{0@#_;d!4>AGrEF`wBzj7(j34h6f`jdmydx9d)ayP zt!T=_E^}AA9BgcKJ1*EwD#RzS$e`J)jYHMo_1kWKN4hF)hJ|1(Ns_|9T(BP|(i9T8 zyHQ+Zi5Mj=j%m4m(zMgIC*nwb(USh_jS2s9e4JS$RWGhY1;y1pDsRg8CQ|6Zm@L5Z zt*&|X%BI0p9ekn)qT3dT*F2KvOrgF!e7kdU7@Vs;;|*Rp&QBy7G*Eh+5)8FT;HkqN zU^#x9uOS>vg`96)lhX4SP8fLf@%-rhDXFkEvs5rO%*^U3+0%i=1C~e-?W^*I>ji~+ zLI&rt9^%KD>OIf45|q|BhDIbdd3M|PV&Z?ceuz0_T|gO5OAp*b>_GG5F?RH)zTQ|Z zLYzADBcBKAFA+LRKBp)I#yoO^#P>vCJi`D=qJuqx5ZeN_=;VIeta9km-egTESDUtL z+g?adu%{GMt3Dh#&{?e5N-*R?(fh6I!m!VoW+{w%HoJ5&Tj0;XniYEh3Xk$Xxw3ulA2CeW!05~z7ZN)g_OLBDw@1U*N zx>Xy25bWw+?iur%qy`3G-YiX$RKf#w412e$JVVe;AT?rw|nttqIXj5?-a zfBxjlr_o@haFD7SMj&gzA6?f(#mf@#38F;Q>0I@)Q_PMABC$<4Ebc2`4k|zsbTAQU z0rNm|JJ(S+Y`bU#W=zu4sV7mofe6Qa4vTB@ClaF-&mw?{O5pEZMiPjNd>xUPq+3BG zzsLPa2s$aZnFv%)KDeH0jfm7fx6F5Hjk$KJg}YD;35g}fT0k5OKd8EkNf0J($9hOL z!Rp{E7zO5~mLhXZi=>K0t*UYYkMgLZ6$QT{ZAUEr{bX=Et0q3XwRvEZMW7TFmoLS* z&{Bx|c~qp8?%TX4Sp)66pu3|@nRvn3P+ICMAi%LY%va#pMFHXDXBNtGe67%5?~Bl- z`?9|%E+>j8H7lnc(lv>j%AOLWFsI!D=<&q=&vyl8u!>&!;B{DhC6?9qz18eBPP&pam zxf3EBj5D5@rly{Z(t{L6fR(O4{hx6%z*QuR=%z$&o=J!ZN!9juAEkPJC@w{mQq>k-UGcO0^z6n82rWlS^}=(PwQOr<+d&w z^ng>r`%|?2m~MvbF6%0#-V{VD@QOv~2~l^0x7hefBh^>dr|BA6)wyhcc_i2KX+M79 z6XS4p#;fK4((6TmUR|@$WeEg~WCB7fX*IdRUk?j+O>pDm%W*Sj36#Wvo;vm2zs{9dw~!Kmb;aSm%|F=O@$({6olZ|0Ph=%5 zaWrg$yaCR0N&d^T!_zkx$NldQPA)Tnabe3yc9;jO0LuCsr)R(uulAN}z!&G&w+k^q z!QS9Z3Q5Q?mp%OtlVT2i-tgTs!eu5;Osi_vj!d(?tkWRg>m+A>-^oBM5=l+>=d(AL z$1l=Xe6om-vuZvI?AO@DcN;sL**ogggtLtT7Rj;^_0SYA(X9e_{FReR_m&;p*iV|G zOQSBQtgH2Kc|@yXOl(o9Ky?RhNs_pgxfey9TK=erR=VR(TIO-MRiJuA#v;)ZqHI?G zr$~tPn-U)TYnfuBRb=_$?zyY?K2nf*jN1>_5ujD!g3tpNrtCTquF*_j-o6)zwFWE5 z2r+~lWJO)dq}JED!{Pn@IB@Gs`_^Cg{_9bIbX`^>?$k~^)~?`QZ@Br{ zSb{o~21>j(09kEG_k5S0K%w**86O>1B zYL~N6NGEDQIg`XXNL)o%wZKw`qVFy&nFu1dg=n<^F-Yc#@q#c@>q3kY2Pk~bU1M|A 
z5kKy|s?+50=>-ZMO|aP9-OT36`r_7B*zwpdOHOASBg1Vzy6*FE8EO+DbGQt8Ymi3V z-3+`G;=C8|a%%L@OZT^gT8?5*;7P)6qh z*E;eLBmf9)K+|*@ZBW{~MV>8cNp2-cmvYV-QhB|oA^pwEy^N%Kb+4)<9Yd3Q8By@j zN*+-T88m1(aFVe{tR8VhOC-RGyPneN;^dplg6b(3mG1#Q z>@>iGiKpYUeH?j&#-d&795r}4vrX?o3-G3i!@4n%4M*9*(d(15lZ(sq1JK83Zx7B7 zULU(@{RKVO;@lhG;20e{lV;R4EI}vT0a|XvJBBU}eAsx@+;DEKG~ZDk9#WPxHU5pe z;!1LQHyVnjbt3amL=*(B^}bS+0}bUxRwVtz3bO~br_O40WZCnkOd6ZaSN%WSMs~-f z?=*-x=_8s^Fa9d1a#X8rkhzlwzR) z6i4^5bJy1-yqlCCb)xQ_-uCeYWB;5=Yr+kyobuZHBYzNj9K_hC%1doH%w$PXQh3W# z_FYP+C7uZWOLOyyb_B*Ch`z{rBG-jx@;YHsRqoCHK6NEwsmdb1du_Z#{)0B;Xjr-&D^n;?VJuvT3S7HZABFz&+8No z!#~RbZPvc?eAV45?(MC4j`|6+APDdYAZR)fws{j#ZxzEF0F`_f`CsOdz-#;~@&OPh zuW!q#zui19pU<$LEhYvE?E%@)>x7v^O)B|XXx5XKq+`?cVTD3m_sP%lI!rM4f$bH2 z$(`UaeHkuo%k9y(!A9-o;-*;j?cB3;4>dD|Rz8J4##KfeE^95~iT+)3}SUSi&KGyDac6b^2q-^kWS#-m!waX$OW5>Q(%!IE>^yX3|C95Ue za?f(wY(ng)RTC&<7znzCOvQj{-jZ#inyOo9J6^tsrM`C(dkkd8aw;blAuKh1~Be6?R{WfdVS)g+8Fup^s@D5%XeT3P%-MwI;H?KGh6&Fs(F3 z@!+>pJy)|4{B_YdI6_v!yGl=t6RZAeDJLmBdQE<(j)WK>bIHV!WrVB)!B9s%LFAed zO~_5^O)kOcDIHMKY7BNY=SV-D5E zmmml(H`cf~8BAtd?xdk)Px_mf?GYhNMWqQi=29V8DK7wYaxiD+sU8-e+s!tR`;FHF z+yMtEbH|l!khRE{clUpf!73|D_Ug@fcKPjbc6e~;{`>s+8&$pEoMjis=ii+i9{=om zw-@FH|L%(~eI7wbRobdl?b^;X2YU@EQHzPd9vV`&MH$Q%lz@X~aJv0pjHW)5rXl`~ z@d!Iw^C&>!LArJK>fbB=8{VFQ1KPur7BjH&`J&l_3Gie?&%F5~5W)zgz)SY-={!jNO8_kJMl$rM{j)chkovHx)rl62ZBZA&MQm^P#mTy9xx3@0% z;(CPa&~>t@laK156;yP)SuAZ*HL0?0_)ejQDO43PuBJlVwN?(oKSvfBrWU%c=CZ|K zkVTg2RLkIIsRitbVUYy$)lKw$afNed^?G-Ay>cdDk4Z7#VOVPClIa4oofxb>ow@aZ zm_~w4x)_*dY4(inv}i&tQ?s&V(I55tQ0dgMilaHpI`w_^ic1Rtv43r?(JzfoB)3V+ znufBPwjpAP*8>@{zm~-t?zaCP<;R`T{Eb<> zR4x5h9@ER)6um}p_aLOLZ@QyBO1ZT_w`R+r9=a`(K}EC1G5%~b##wmejPc7)_MYq+ z0oPIY;PCMH^w>#tC+mN4HZIW;S&h_Z4f>4}nti53U)aCa*;aG{i@Ic?EX67G0;hiW zp%wP`db_>b`FOO=Ks#OB28~;KCOa5=WYh!zm~jToNv*~jiLWI(3uyqV*s);O`<_S& z*~lO!Lw@XB?pQ`6#Ct5cwk!G&MJeW1evdB*go65*yHpaCnotZWthB}d!CF6@bcHQ9 zJ3Kn;o;s~5AVy?cAkz5q*_Y27Kw(WS$!8r)=MJi!Js&oNP0AH zp4eQXP7;MbI@>0RyyP!->0&V5(Dwb20o7s!9pU27%elQ5RdXxgJ? 
zTV=(dQcJ~cKC7%Al~*6fqy2vrAE&vT<&jTV__H&N@EA4O@@fXZfjZFWZDW~`Q`6=N zpaJh)i0q-eNG}jBI?>zIUj{0PNq8AJ7S*ASz*}#pS<=tTyxY|`yEs0{*sb3>9_)c| z52EHhYEk0RAdJ4^umfu=cgWH4>A_#Jw{PB@{wj`G*8KGmWcF!%Uiq!lvITjT0ck6T zRSM%68)2RJ+1}8DjyD+PPCeR>-j^_n|LKX9i{iJAvM|WLQ$j`e_4xe;ON@=e>#`mF z3!ArpiQrJthJ+3yEvXeBAex_Sw>fQW-lk0~WtlS>7Sio=tE=QU#s4=8B=Bz5Sd_0> zDWO$yb$Z5vq=_b6tJ&yxm9-(0)UjeqTL7DN|EDJ%4X+BHu)xTv|4FFM)cShS)Pq>S z7|qR7v4?)^{vql?@}PWj&-H^3av$u8thNs7x-{R}cRM7!vmd|nWYs%Qq)YnFllYyd ztKNBQ-|_Bozm@sBK)tArtpijZM$9~rUz-RYwUw+#MB7ZVnCCZ6KPhy5kzI`vUf1quv&N4v z1^-8iCm~88)#NIG09S&nnw;sWEKiG)qkEJ(ziR*`Wh%3r*2TOlmN8NrgQ~zZJpXvg zH{!|Rdf5RJTvdPY*gDDG5%Hf=?kXmaDkL5gDo!RmAr(fnLGk_GRd3MansvWwJ9C)n zjp0W8K)Ubwz+lw_*1{nBooo1c_CK=WhVN2$|3!ARD55YGd5X(9JzNB25y8`W(s^pP zJv4HU462xBYdj#HlKN1^JJ#WuzNgi!vJyBB?v>~Mm45>F-fESB{f-y=AsaM)F7ixR zd^O$}WpaB*WQ5nw1Y%ZcB|S?v8cYT$@qmc%D%1Qnq7)jQXZ!Ot)f|hhh^=K&BZpl5Dm{`4^r0s5kV`cgnsP*R9~RP4rW9 zGuoo>NE*274KSOHc&`PZzKk60NG4RaM!oH)M|sGBa?6}}5?T5`kpoTpmuajN$sh(NgPCb>B3)^ARVMg&Y%jjwZw2O)*QZPpiIdE{ByY~iob*yQvE1*q|r*sf`B zcK;F0CQ+}(7oL3b3r`;N1xv(#;7doX}HL+;{nlk3+ zW=+HOrslK-aKc2&0g#fZt z{q+rE2Ry1ZQK(y*dTLGS(m$#-D7I~lJ=?Y_eiAVU_ef~Mi96)X&Pkz4$J>q;CK%YG z{#hsqQfCXHCcs@V7xk{oM8UDZJnDS0>q-P#6ZC2w*2j^DiD(Fml3C)7)zr2 z$+$WizLDJ1(n3u3hh~=&4s!M9n>{z@4bMz_J6Dmj1Fnaqv$)dFp@u^9>W^*&?ODTz z5Gz}C5d3s)#0Z{LXar5f=f$xq0O%In4Z;;!iR$wF>7U$u?zowBjcqX$=Ng>B-&${X zJdZB^<{=t7nj1PP8sF8q$4La!!pWLS^J+fu8MlM^($K)8UtV&0DWLy=_*F8hLb3jQgcQ*0Zx;r;z4O0R4}bDIpsHp518 zODD*8HFPjEzK+TiAg|b$YN-K8kY`ryw0&n7Vwds1!-mVAuikm?jdbsE*`nRIwwB3* z%}ts$wy8bnK9(g9VkNRZZWvW|4S|< zzdWgw_nz@&Ca+^nYNNED8wi!w*V9m2HM372nAzt~@lSit@kjo*4zZ!F%Me?P&`+A7 zTG-r|{o5ZEABvHaP{j;;uaoU|_jY%;Rmst3ZLjM?n$oarzH(|1bdvOWo+z1RZGess zi4=)B+Og6NtAZ04Fq)cfuY=*8TD-(pIYv6s<{*(z9M#@K-8jTXudatk8A})~FmS9ka*trO#JfCwA~j8u-`cz{EzR$)n2t}L zhDp`;*GvN2Z@a!$RW~^)ybb85j?N4-jNN@Zbl0cPGLnB^cPRI?MLQ={HnVZbkx~6}xny-g9+Ny)O za_c;BlG{#JP@s^8JA~jiq_jbh&(_Mgf`fjU4xTyJH)R%PTb*Fb<cG>V1R@ZXnrXEq%i?(=+?f?k$(q~F#g52}> z#bluQ=lG8#ibo&R`*U;2LuzRGM%Sby8nTyP7R^QfI|F>1EE! 
z=~{A5fA)M?XdeIB3?FPv*U}GLcsG1oFC*(Vav!qmTr{RvDoV5eg&?1;l(%mmwS|zc&EM zS4yo!{h|bWNCA7Gfz^7Ll+s8@fhikBK9iqXOG9FH4EKPlVbt)|(1d#BM6$5EZTa%l z@_L)8WgNkVz6^XrgXGR@cqZ#C5yUa6kmoItg-HDWzt|1-{o&!;4}00c*^&I?K1lgq zoqY37%dmd&jQzX8VA`Km3*i~_^a}y1MN>LirGhSIfBV~QH7+(cGkHtTNkqI9H5n8% zpMQrowm$4_XZBHjV}I!tU$Uq(BfpCU%r%b)JU|B$r}!946?6HCXvZVYi2u6rp;=|D zYl9<`obGhF`9n*^Ox)#vPuz-$bKhPubyh%ZidsUTz&_5LUGo8P8%?q?@H!;JEv9}p zBp5t^4aAA{5`pVkXO)z7wK1aTRxBpAC#cjVMBocYW0tkHhv+BkKRrjUc&`nGJW z)BGOc+@044hwgEOSl&(%=iI$s>n6+g_Ippavq5}>6WbsC!C{oWFSAfI9ziGK-ia=t zRgsv}<$c$(P??*m3PATepJfp*u%I&2?nK6bLx}z3`t} z_z147$TrF;*E2j=d}OJX8~BEY`~jAs#_CMMR58>NFMw-juPG6)II-(FA#qHWo>Z^J}9ZtvQrh3k*6`m2p}DeGi$ zeR#i-R;8PLi~k9qr)poncR#$w|HMDwri1=-Q%sP_LbbZn*bwnT-=-~ReqeM=rMo14 zZ=8Pk0gc_zQd}MQ9-pIGNZ!A#CI*1YdYGQ8F2p z0ImfcV18ZI3N$h)y$>|!asd1kQj4e;=(uK-y*_&8A81sy=tP>7K>5*dDAhDi1D zkM>VrZFq#M$j`ZHt&inaeQxv2f`*zTd>vq z5-lt*E~i$E0IgkDCy@J`>l1ka7YaE+NcdKYitDb9dFtJjaue_8^_`{inM+(_e<bw zL5b&cdUW?_`JvGyxOX?(j~uqdrci%956+HGPtLyiC7_?O1L13O*L8wOykX7~V=6OvsHN0| z2+==4T;3Pub8~}kq2@=e2YlnPZtzVTSfOIxKImTp01Q(`%H3R;P;Crtt zc)cNnhnwiST8IPz!ORSk10&g85c$Za2uk}kGZc3Adb_LoO?#9a$f#Sk#1uf5m;;?%nxmwl!V2O+3in7x&wkhbvXcmJyks zwT?U;TlQ>e@aBM)+}pJ+-L%_{X`p|aAs+KYCL`BYnjkc7pUC#eP14d4;e7jP9bp@_ z6#9dxenp4kPp#@ueV0$&vF#6T7nAqQ6kU^ak7k#e$r-vwl74vtKHoE`v=MffOoBr> zNrl~`Pj~%=sx^%Dvq$+S+<>Yc;#=8o>}R&R)O$3wl zyduT7$DVo0w#;Ka;#S5_ri;}P$eFVZ7Nt-=N1y0rZ^OU1*PlGyWo2P?J-5_O^X*7C z*uI-1FhwS7uvtrh6W`j{-N?2~rP*G}9`r-b@VOLI49&L$a`}qSZaJ`AIi^ug=tK)# z_UtU$QTjbiDoG#U5a<9bCZ!lJI+h;Yf$n#)@1rlrIV(T>=CAo+#7vf+cY^$ypdMjD zv!yQbFDm=VDVpP5_vdzVC`H4*-?e<$M zU9Hwe*Q{16dCAl9DBF>^2tDW}%Phi{Z83pczoquD966zqLZ)NLn+&!3YGXHTV-kqz zxHO!`z91XGaINE)(+PEwmn1T)C$#y*BPO)@N;08IPbH)yad!M5lN!(9$#r{2Jv4tY z_v{f1^{Fz?L)Hs(S+`GpFMBfyB!J?jU&a_WL1$_ihR{CPRE7!+#Vsx>ZVE(NgkX(uUbNnwShrhyA z79lG?bdw?7L1s~DZEAK;=U;Rj!uR077>TxG=Bwr!h*pkdp9^8sA(@b#>^<3CPFc6k z@#kcsPukP2Zs$LGINx4=&UoB~gkZhEqs2R2PZ1k<`sM!bmj~thnBn(iRO~~`utwEQ zA9JDI3(%`L)2LU9*CHwfh6*8NJ?;nl6rw 
z`LhI*BlFsn1uX9G;4($Fj{Az6)O>UgjJRZEjS(b9S=(iU=3D-p$Up8QFaCr{OBT#> zx7HLb{AY2ax&|I2=6GG8Yc^EhH5%GcMz6n1c9M?>8e7}wed)7G4YyDo?iqnHID(v5 z8&^YO<7EdU*SwZ2Q>Y8Wqa?RoOR2HCRVmHJP}ygC`FJ*;wu>v0wyoVnXWHH~S-Y;7 zsXtBD>V5rrS9SYv*4qBOaH--~|mIR#$(Ax3v=!Po~S z53dysJ#edRx}Hbh(X`daea_iP$V?GJ1#xu}1bVJy5kh5Mz0dFMA~!pngY(y|{iP#K z>34lEZFO~Sq~xGGF6$cA=)S;FXe``~IuraXi9x9^U2=C_^Xbk=)-lB@9}6W-U%cM^ z+iF@%heMXk$sz0o_iuv9xVXOVWYhteQFdKO>Jyh8F12+_=ho8HP=4=;9y5G~l<8?d zTRIab=r(?y&F5=dKJQ~Oj@b#mh19%_J`eFO0+F}VVfa)_qb;%2wjtL@xaf3sRFDN8;oUHc&-YM z;$Y|snaq^7k!cH!6b748bgDVi=!i~rvrnHj*M6N=PBp=c{{Jx3{Nmp3@?7Jv#Y8rR zod!?7PVO~KG<5|YJP#J{!yqh2FW^Cwleh4QY39SP7Xqo{1oxEEQ+<5OHm1&+<)Ftk z-Vl1?W~E(o0NFEpFpLsP%DuBh#?zJ8AksZ4*dd#109-($zm1AA+n2kHB-S29;DpTH z>eA>KeNPks_r4e3Bol=L?2u|xTgtX8kuP3g+g3-q=>uTs_@*RzvnfeCL|&j5mBNlO zD{tWbW6%m}PZ@6?q=i_8AogY)CF%l_+=i;E586bl*GZZD+{>1b<)U6)?k zbBSoUapza%sGQ%2O&PlG{!g?GECN36SHg}PG&cOuKYR1)`10^u>Q!PtAX#32HC%R~ zzY$!klJsDvEo0^27f^viK&)F9_5N2et1!{&u$H=?j?V1;drRX9xBM9rAQ4%Q7CT?! zHWX+tcYR})vD9+f*rvtURmG0cBar<)8FrnpoOTVUXeRh}p@A~q_jdGw8#F6*A4|i& zAGjtgHzw%7+2+zHHzjg2sU}@c8{5(S;u`R5+zHg`>yy*dlZ)fSH)lr|uJx)D(!=(< zqN->d4P)NoW*-f0w{1(Um2hA%>S*Wy&CX@}#C40q2bx~!iG(7%L5sEfk6B5z+p=_Z z7_9L#sHu#29^pXZw4p!^Pg5kpjv8U#y3w;xZVVK9%9+5?Zht<6!zbFf%$O`%F;DXzn33@x-k__>Yt4&|CUlk+> za=m5mtl-XGxe~IVORDuhZ^ddfZmr=;M5+Vw#AZ~*Rd`R>3AeoSVlucFEMpkS;!UMV z^xgm_0}B5G%Pn8{ms##r%NXZ#T;+rJH%H?I{*z@ad)y@^B^bks0s7HS@svH zC!8KMyvJ3Jr;*Y>iD}gVX&JdfRqr4k_Jpf1%+dZE;7}#f(~Pp!?S$9SG&_ZBIxl9X zw}}$<>fk>U>cnPxg8O|(fwJB)RU$bl+5VG1^!E0@?Cm|r|7837PkXz)z25$=Wmo!a zKKUFLWU@Jr1MZXir33X)rGk7Ojxl;T-QUGdZz|SgbMayPI89KJf#yEfZr$jPyGLH= zh-Q3od47EGT2lt&C0I6jcxAawupw?wI_{X67od851VC?^pvo<65}EKL@%y*fR}m#| zt_6PiRb7o1VEDsQ7c=l5^MOb3mIHgMG z9hERga+MA}x4HbEluSMgOQY7Tuj*%-*?LHsGZV`Ewy=b=dQeRZXHk_scW=85pWeO6 zJh`7+r%-~-|Fk)b1KaaY;ZSWhPTJbaAdWA(qeF3;|#bMA|H{`BwYwj0jM`3NJ<{@nOabA}$!xL;XmFFQ%Ml1b6P zOf4x15GuGNHxQ2~>J3RGpuaJ|f6K)p?kPt5DS~-6WJV;vIKG&DrjE>l#-+SQbW03C z*MO!+h{hwCx1j@6>~HCU~_eb8>che13Lt>Sp5Cz&I*h 
z7uDHcF&q4QqnF}OswD#zZOG#2y3hcF+EMQjh9)n{&Z3^}kPCQ+x9<+$Z-j8-k7X;~ z@O`@(Rag0_Z{RU~qP`DI7=#iBpSthEv$}?SlY#P_AYICkCs+gW&91fHmDYD6$a&F+ zg<3)mp`2wlBe{FVfQ8MckO13UfAR|p^&oeev-d(E4>jD{3t~3&cyB?rTN_e{K3&YF zmBDE>k$?!({2u3A7OI#JGT~<_=BghFUG7J{G0g8*3dS0cc!5=nMHezKs-pnbt7@_) zOTs=}k=1NMs+1Vg!P&sKViE|8LsTze1qgI-hV{l#UAnB>7dfr(xvV>bdu$j)oy^f%tuJ@5*u`Yd8Z&wjjcRtOcLZd2wG$ zG~C&Oq?4_SaBqATggKv(1 zdAY)(tVFPwyHTsd1y)_GP0Xlb8P%a2m!rWo#`-Qm;BnIroUu}kk>Jl{2N>^*a&D3B z@f4SYQ*rKfOY-d_lAd|x(EuOGidqrLErl?~d=_z!Yzdd-zb zvZx=G`{-%KbQt*(gL62P{t1D%6Vq90JSBeyv$b$`=A^i(<|QRxl^jE3T9r^V96t7_ zKQlP)l1!^f?x^GiQnWcp4SRMj*t6iejAe$uwHT4OndL*Rq(y0A*q_Z_MU&SuC5dL> ze($3Rr#0LYVuh*thZh&wh5rNnSiF+ERe7K5I+|3lMtR0?x< z*SmWn1u*#Fj{AM5If7;nvmK|Zsm9B1vZ!rP*Xg)!=i^a-UVOxezP)^Xn&F@0hDpf=Aogk>ek7fRD%5E5`55Sv0Aemx5oda zyW)E#($W)MMX~R)Hp1#guM`S#!MaJt=i-|=YuwCRQjV}*(JwJZ+QuoP=FYdnhe&eez?*6!Q@Kw5plL0p>?I-t!BczViEc`L- ze$kf)Bkm~Ggu-KbntHw7>Srzw-}cXsFODze5wijnjv&zIF^x0FZ1qLDK<;_d&%D-( zvH@3YRInP@_ao(*~@2{6)PXF>gF8=tiFKnvO!&5^CxPZBD236be~A z*C+%5qlIU6tt)vY(%T7%E$5Xd=4fJlxxJ2m%}2POVLRbxYQyN8K!-NoVFoMvG=ifF zz881chvCzc2%$F~og|W~DieJ!UbT$PI;9hDgq#UZTC=TQ_@t;^gR=I}R|Em)qjx}P z$cGyCaB?-D3c$L7A9ehA@ogRi^}{um`0(Iu#-bqizXs2Q$2F+-mMrz6bbGxTmXjDn ziNYtuj7ugMPL!FG#C;D)v(A!o0}vxh+JhKmcVFn6R>u<^N}RI8cNdp$UiS|U505V{ z`bWoSC&x!l#~=1@7WZ`$KbglyI+fIor@K!wcg<|E0tT-9L^5^S*9RbUF#A%_R znHR3(G6rt?T2=Ct@C0F!`xq|Ii!LpsnfV57{&Ty^aZ&64sLmp%@@iJyQPI;l%nfTu z4IR+u5Bk|b1A@#U_mF6X`Au!5enb<2FB2RJz3kkuHGO_1P8lci$?iV7^knz<*zz7+ zd0k*(cJ_LE{BE5t-V?WYoc;$FPBj5IPBJdcliepT^fpj3m!7lfcO-D<#`NmV`RjvA z+&vepC;K9IXA~+h7e2|k>t$~hHBZyL3LD z+0xgprB|S?$>((B@sEZ3<1rW17pkv)aqRyX(VO#^Tlb4>D>xg4S-}1ITleR4m8?<| zkon(A_nWW^q2C9-m}l*a*U?+A4d!$0i#P7i@0^4j(6+88g(Eo)?fSLZTy=;&V@mpN5AS3AeG1$m+ps4WZlf&p1@Um{^~H> z+uMJl+nW!)!%8gRuFTyXfjg0nM9g(~%!#rsY}^YCsxa9HY9BZI?__%{9@W$rckZzR zs?(x%@%K=6&SyS`tzg6a0-Mk2!2oVGCcmvOws~GwP>`v=E;~7Ub^7l3?C|95o9z7f zKi>f}$DN7q56+K%30Sg_AYDzo``FEf-YTuJ@gUvlGN~rr_)V{h!Ff)95)50K_@+bv zb70%*9GdyOYMLb(q6XsN)bNd@7vi{(f)>dssUzOCS}em^s1gsXx^Nr7@1M|cIIRxl 
zMovNVI7{%^Tl$3+-km3JsG@*{yT2xP?OiP*?egJ!dm zJ~n}MrkiBRlxo>XDV`a}6}DI-Uv{oV%KVTnpHhI;^9W=_{Xr~{sm8MIdF=*HPy!*k z77Y|oK`d#r;dtg0Nq(_e#eq(qyC$z$Tr6cd?_b|5e34M|w2%4vT71s&cr^(SvzcZ^xcu}Lk!&3i8U@IMl z*s5ol8O#a$wshhfPM=15aaOftRxvs~gXvWck@n{;aNG*N-+!_ns3)*9jjGO{!Eph< zZdo&UpgVazumD-HpV7`^YvcNxm9Vkkt5WA}^+936tYE_;Q+fQ2MtP^I6{?joCd34F z`UY4PD0!uJ!r*h3$E*ZKx}~(V%OYa9%%mhMZBsAb69K9A@48VSW`0`57E_6=>ZQmC z`VsXEvJ4Gxr}xB9rUNmYNp8|!O1wZrZOYj)A3`|FugLAtMDR@+n<3VQr8OQcRQr|TNCUV0fUX5+f-M2Xun zmeIX^q?z$RWF`NB@@7&=9UEF!@n1zHz2+(4`4bdOX1_D30hg%OS-`Eqrn}bku%4^E zGQRK0KlLVb&9Ajgd-}3@mUT=v6qs0kI5yCZbjv#NN*F}lguEiSVC%>D)4CPpOX*%I zR8nK7FU=l}I`$TQe$|Fm9$Cp> zCR6I}^Nr+=l@8+#`H;Fn>~l&nfIUkO9k9QZnj@zK?Rt2HL0&5lIw_GP@{N~z!L8F= zOmE(W)wDnLT%Y`cKCt>(^5D{RG(PnB?ICMtb%i%oK8g}z;#)Q*T+!X*b>Y!{y9#`D zk87ax`CxNzYS7&&_kejwlE7|iE%fyLXCV4fCc4Ir0#xN*(;baJxTlf$W)VfXxm2ofPkru16icGikO_jw zi0cb!4Ks>C^aPKz?Fc{1l-GKh%c3f+w>9{YTJiURqReqDE{htLFYnzwUyMRx z36o){QEpnlgr&k9R&;8^HIvY+pe9zxQ;5mqG$KUM$Q@!{BBP1)xR7?uOM1lMx{pt9 z{b3umJ|TT4hLM&YA`$5)_i%2;KaFDMHqjx>?2x6N`Awf~`{1Yb z6MiHl7$Aq??PdSy_|@?_`fhlq;=o}1#Ah2s82+BMqmqgz;(V~vFV8l$Oyq1C`rk^M zvZDycA279&W;_q^exy<9G`bVB_4}1`cl_sr*Kbdc-PHXy(_Op%+vG51eqZ7lPIU7L zbo_zTJ>?WCr~PsMvB46A{AwIYEkI4-6vD_8ejMc=5AO4mw`OPcvICR^rzmVVg^|Dc zs<@G|dSs*1ZcKJU=3S%Ox@-po2u2lr%-j!55^TmVEi{^2RFR{hJ6>wY#m|kyX<(Dz zR8wLRPKN3}d!Q#h+IWbucr-x|{RjI}bEB*FwKX6&Lh= zRY(;BSRoCDAu^zhebA%Lekk*ho}h&^V!E9jTq6IR1c&54&9&cSN$I&_`e~ZM8dofo zvv#(svr4Bp0yqL=eKGjZzgk>3_%tq1zM{xH@Zq>8e4ttaC`c(1X%CC~tpPORMq4Ks zd6Cz&zqLexX0izK%{pcVc!OQsNK7#AVO&n2T|h^d5jmUin(UsTy(wPz!LI_?olpC+ zT~PaDV+MLHFC(#%DWA#PEiYOPUnrn1K2AsFpqxvJLx*JoQmmU##p}peM`-z> zEN!k>S^0wG1RLh_)(r?FJ8v?~R;|eu_XFZIg}bTlyF+)C-ezH{{;CTs4~A(g ziEBUR)re&;f=gONlOkUeXsGmsBbzp^#P)D z)B*^K9qQ-cU&W=S08lnT+<8#}jv?a2f;Ud6ST`y|H)OJ&CbQzFuo?{&oGQ&AT{o~c z5}b$4AwdQCi))2;nKzy!$lwkuZrpKBxg{5DqlnN_>RC4Qp&TygW>jWC#NQN`WiD{m zgrIVg+X;cWKP#2xPb#R~1Q#?+KrEos4TQeTO$fA~VsgXCvBl1l{qFiK5TyaaFcD3# zS|*Uyg~0EG+-{pkh^{gwqSkU=AH(Dd_(|u1SWJg{r5fL})P56^UBSrH)r|y02jB_$ 
zY)Jf+Dv_kzUUMz9UY9B+^TxwV`&)Mvx@Dete&~$kL76A=^WAiE!2`}ICB-UHg7@Ob zmv7ZoudNVNUDCiFRK^D8Fp&mCl8aB~ty^s*hz<=O4S~!; z3)!A{%&``IrgciQy)Twi06VXAkSB@_Mo}bzhhYuoCfNvPDb3iWg)HQO)V(RD+%K&X2uoh)=X zQJVA=Dc1ofjcK{PnE$I~w^7?(+PTeVCM$L9w)>4kEi zj7jAUT6Omu$`%di3ywCQE0EVEJuod7aB3X-g@yIp7{>nY^QA-Q{+4aM&1cl44<)m1 zJ4!F3GeNo!Lw6#jNw@htI+ake@qiFv(cTHpAW2Uxq+rQ1&=||j)oG_2cim_9^%U|Z z6hc`e(59<;?)sKMa^sSb^K4zQ0a$W`j|Db{8VxGJ6^8Z&Wk?HhW%sXsmq{C10IjT~ zidK@yaD|_?MYOvAUiKO(#nB$|hgbw0T{f zj=xaGnq&^Z&EChAM1~40$BE{3<$R?+o#ta!Miy&6tS%u_MyOJCk|dth_Ug0k;N4j+ z2@Q(5%(14%NHZQITkzM03A{HhW4fYbNcNIqwb`L&GH}9cL=BS5g=LOw@$gG)le)To zIUbl`-}e@uS!=7|I?%X~e2Z2k{!mXFPv{@) z5q$G9>MdCmnHiW)~GtAf>_hcneHg2tbV(t>c<@51-Of=KgBJu~E$`@-M#W-q$+ zk{$A5XGbm+)@S399sQ=2OvZY89@+ZH+R_6pm{e%4{&ah|vp4u@;K80`wd=lAvWFC^ zS?)_O8lR6A)AzvFU?_%Ko$Wn&`m~b<*kms7x(BmVY`hKWc(XTTM=b_0PgOAryNGH8 zy-^pZJC~;yUEgNYZChts41^kzY6s$%-P}VbH8{nW0yeWGyxBpu;Rb7%>2Bx8|M~ij zgyYYTFW$O;URPiu*-~|{=_@NHmOq)#ErdU&HvX5iiab^VeF?m9=BWo@F_Y}XP^R5D zMRiZ}%+V~hSc@4G*lap7Q80-8`*|%s^SqV_S?CDy3u^tIH%09*V6qe=!H1(Fk#DFK zq0-E~OUGa|Qh77EDCEmdg)ikMZ23`;+^Jy5DtUJg;Z+eC&;lcO_<@-_&FPDd&EyE& zEtS9+^GkJ}O0y!3#gYF~?v{V-{bQHsG+|YPblu$BY;|L2bEyDw(~K9*l=HQp_GIuO zDF>23{EV&@7?;kF*r$NP8swdz9;BefppIB6PLwQz*e4?$DAUj0<+fcFiukMwt_5vS zD#7rw%muRp!VK&_X51mZ#I%A!k+-gt^6K2k~Lfs;B}q2;xNu zldqe|cx9Ta0yp7cRtcTufc2wZu==~6GuKcI0_oNSzSn#ds~**CXwr4>sCx-iG7T9d_v^2m zXkXBM^7g~iE-xAW5`Q68tA!tPJWj zUtT$F<^4ZITKxlIg@5oe))O7ezt{Q4?qT#DiEl&+Z^mfHQypO#C8|5!Qz1ebDFzI{ zWZCaBcIicC5DOy0M9TTqQ|T69@xM@yB^bIBbg0*55oqm7o#d$I1|~c zlUHv*lCf}hu0_Zjfp0|MtOd@QYl3^0@MuEeHy3(D3!XSH{uA!QpAk{9#HtNDVq7U$}&(2Ah@R`{AsHTFr)SY7+E<3Kzo&7iH6WFv;GaVp%pEfMe7N z>O1l1q_f^Glf(}9K{X^^y8p1Hi)<%zhKYB9;)jTdGuBeQ*%eR3mW|U{^S$jbFOY)r zsrjhxf>z_@4lKK!d9_p5qaFMO7J5!_MmPQD&G>Wg+3p{*=x3ADLSq;+_VUG4q}r{7 zkG?PN({GYVVNDizIunBcTmva8n#Tz)K9tp>mXFvN5?`T6Wc`xee?fZ*FG0nkyf77O z%>${pGyeAYwLpm}dLlYO%Z>ZBF;Ai)`@Tn0Tq2qBrCSBfpAi*@1?pJg9cO}O@=(2E zN@b`D!H0ESno@Vfx(b{9a<6yhXVX|qv6H3-vZN0(bC{R~G^aE}ldrlieR$#xF?>Mx 
z+slwD)srVpRmr|1Io*qFueTdxD(v<4@L&7BtJV@G@w!o*U9n4A{w^fHrW zKEK^o!2N&!@bb?vk1b;21leE#cS9a(QTZ-2n|*#FHh9lMGN?r^J|G=a>YOXC&%S0r ztgS`iFw-k}W^$anmuqb&@bDl$d+CuuCOv`nR00+8X^CI^|Ju9S<~FYD{F(R_TX>uh zDFBg@rNm0z4lPl(8cAeD$#z?J&?T@Ww*s&Tb|H$M{`lVKIp^G$#e$R^JLz=l%tRot zd*APQKhKfF`&Q&5Gi(qm+R*}HB&Xf%*MrQ$*$q7`;){T|IFYDMW;)R1-*sUx@+ z%*(yKpg>`|dRyGIzk;TDG0!h$fG-6xZ(Xbk%jhO%h}RT|lpC)b$SSYaQ3PintzJI! zhPmy9)S1GNfedL};8_P~Uc0Ae} zR=Kzm9c@>sb@`t}7cZtU)u)dC;&QL+4)GAD@lF@bVL|{p`RK4a)AIMgOFn)B! zcRRKmcB2-DPY1^r4Nnm+_jOL(M#jQZM1kda8>jw+5s``OL<|@{_{hgci)q3$$6A6- zX9YbBG$3vwO2^3~m4J{GELG8zQahMEw*q9m#pC_-Yp8rg7fM_l<_f?+hvUUfKw5bW zEA>5jT(yp`4z}BU0dV*3W@~NteyiQM;b7^yD-L@)&ubrd9j%Wk@Oj`f>P({Fs~rv8 zWA(psnW}7v^2v;B$8f29TZ>-DOJ%!@0l0s5+rI7eqv4)ry zk2Wr_m*S%D$`&c^aN-upnRZVUKf_UL1!exb^Nu35NSuSX4Tr6v#FKoCu0T^Bl3{|21z(_0ywlMkngylk=Zf!D?q#q zHg+cl(C{wbZY>fkIS_g#xAWk};6&kb*6Jh!XCxa&rbuzVI2anxxq0-VAlHYukR;p&;D=bC;VUUf$dlQ^$Gmuu-cJ71@FFQtQ+# zP~LYP^CjMw@p{~hGph%(!`#e49-RU%V{UoXqOcTyeT5}fS(5JS!!4acxuB%!*W=gY zO?}VFpzp8=I0paZs4*|3xZF%>;Z~(>-_P2DL1*LdOQ+X96I1}e+9Sg*vAoZTPSd!ev+H1(hK;WEI$IN-i9)S$rh#S77b3Mwn zj3?IQYk>Tnud8>#lbXb51Zm=i>UdA9(}HR>CcHvk%Z^&j2;K#AXWJRA%kQAC$t zsBS~s_*GO)g~8Y}eU*t|Ke< z0bbc;VCZQWvBHjlFsSgln9nWanmd(yt9B@y>sN|KhAr>`8ABuacx6pYMe#{E?!&#V zH|y29q>y3QfR?q~KBn$_sU%=$bssRO`MDEv21Bb{Y4^zW5_Tu-+eO}poc^YmUM)pn z8(Qx9RpH+uo3-=K0#%xQ>H|w3sDM##;2E^PI5?O4(J zCVcTV331#;)@nlyjw~v<*7`gA{JL0FV2wL@@ol3|7>xI|if@WmsP#=G%wFZ8%8}qo zu;%iz7@gmY+&>bprpcetR8%f@8bi4%SRl;UlS13~6zM>VUv60LevQVWfZNbuZPF!a zhLYD?nUsux|KG`|-cNr9lafY%88#(teJZ2UP4IL#R3wf1va4Ac9K;s8is$p|av$m9 z)A^5;Hmcol>I>95OwiUBsDAc|pth3-uJ&2iI zw#Di+U=@L2!?<-}Sia$4Wl=`ZaTCqxvV9jmku#|1ek)&)wRTj;&b4N9DUtVVA&d3A zk0bHkg>fdycgt;L9Hh9acSv&$qXzbpd$&E~m~eJud6R^8zNtzAY4pxFaTps3Q4H#I z>*No+4V*A$x-S%<8?-6ZtJHlZg%%GYl2(aSX~7K6v0ca0*WC_blC=hBh{LJtxfpfHwj7L?-+ZEcca=W5fS_PO0AIkWa4ztLFhy%!~`7-6abQO7?PY|Wy~VPPe%s3Uot zOYh}bU!?;XVk{9HZ*4;xvB>dzzSd0GvcpG_B3CXEwx?2o#B-k)Hx+W78!=^w#y$b6U(VqhjY zem%|k2gmCWbbMfTkpcn>EU~WzRpaX=1xi-)MxqUU+m 
zsAnD`W6t{LR7T`$tEPtK-NzJ$a&Q38xynmIedN>#=!nk~?o2soxB-y1RnyBEU$*6AMOk0Te zjCLOZ#nmcg20@@JBf~tu$s+fWwyfzxZboy(UCFKfX)u$Q%ezjMA8zqW4%Y|!85{PX z6z|KrY~cKsNY?!Ud@Vf!GOO2`7Hms9^3%%VNu@k`_q5`2sg1Z=qis~lL8d}8)w$e` zCMCP^?s7~KJ=e>v7HJG*y;h{!XYy{lht zNXbYAcxzLe71UkNSc-Fd)Ld7-_F$UXPK8TCLD6bYkn(Hg&^ty&5tAB1SP0h*f)t)n zdoPlbXrCE`)2u)se{$ipT9F91Rjpb2tkA}%FEuQ^y|6!wp0cq+DJnLJ9+ocWm2kd~ z=#30vU9iGWT{s!3>F&|#<*vWKdsh??4dglLY>}_ur9F|Y0I0;PG5v3{!@du<>1h5a zMnf5WBLJTA77zSvlGl@O4*j|8^IY{K7+x(EpCemsGk02Tf>;epo2m=dMyhH4c~jv| zxEt+Ot}mFYI^5(Z2?~Oru%74jRkr`*fJo6ShTfCfijJW(KzKb2p>jdDuxh}tN(#!c zdzGm{)~G1X09WAXWB`h!6v1yoRp?8U9f!sYQPALcbU%s(49EV*zBKe>zt5Fp6m@&? z^%!$OYg_}6AWve7Q+7Epk;DI>dJL=gf``kF@l{Xq=B$Lz{1e^jevK4+>xS2#= zK{FF5<4&Bk%-y;olxgnPWH?AuR@<;jG6Rks+H%K!-md1_OjO4mt4nFI*es1jYYf?) z^AP)+&P0}eNgzI{!P~WhGYO9t7Q^>95b*#zTdUlqg#~u4OB-s^&&MEIF(>yEs-OMp zVIVXxO)Txg)WRA$s_RWhltp!QY3sD&gN79i(cZ?^@w|mbx&F9OKZkF(CX1{XV zabTT*jl(Q@w*OVa*2rjQVsjwsH%oU1b1>ewP#_XgA~6VUPR74uh!LE1GMiBU0X_VS z8{v%+K9fZ~`DKEp(tH}mY*IIBB2deHm_R&gGn&dO%(McgGT@NJETQ>vq*H5hI=Toa zI-SufN2L)I#c^%F%s()FI8aE|Ey?5|LDr>Ut~p;6F^-=S9iLTn5CRF-+Ltr~34p)@ znG@b=Y4Xp-gk&ad~%^gee!AII3njEU`OiBJ;zZ?>2-1uwt{L zWD;O9v)8^gZ9WtVGKQs5%RaKcVtNAlfMro@AykUGjd}`Ctw@0u7N$cGOX?P+{6MrF zf6tZ@djhJHn-?hBWLC^U(}xca4s@k`2{A{ykkOp|mpdfYrIX-&wv2*Ln#>_w%`r(B zgx6N1Hk9=#NXx;~SPVe3QX#@fscHtdx*n^!mPO}+tmbxqyf0Rr^Ve6^Jd~wZk7#%>PZ(vcT#jG`Ii02(#@>&bYNWFa1jG_n-C4M{ zq!)RJx7ALwUh9aQaH4vtXDJnNcaxlA&&OE5g0?YN`TX_q8OoErI(m70=65vCPqRjy zP>%qFHDO-MX8*y!*SlLuU1zOitw9G@WwFlJ)2kb^hw^m0N5w?WoU0L}1xJ&X5yzDh zw(}b_Uda`RIjF++ZN1NThoR1pw>G5&hj&q~E)k6Us2uMP~uuN|)iciz(>-Mv=>7g35yXT<_YLmm5;={IV6zk#= z)={to&=43Nk>9Zl0qsw}eRA54G0-HbH1o|Y#O+4cL^mQbyU^@3q!dZHqB{2xOIO#A`;7 zgVA{!20sy1#d0;#gEB!`+X}da6aK=B^zUXE`41&Na-*0Q$gIH7%NTo4c5byztish5 z&3vC>CSF^V7?EnR(At9WOyam+%P)Gt=-ic<#0Ya_iP8s6P=^P+lX72d@l#44E_A%7 zLG6x53b!EtHii_jRWfhS(0o9&>E*#%aXRmRKm!)^^Ibu*&O4DNS9nfM){JjpU zeCQ7(Jnc)-GZheLHHxKxp%Zm8t=S|DYQdUE68I?wHg5qb8{@QyMQ^Env1_h1w=o!! 
zA~{Tvl>4)2uGn3js{hW-eA(i!Ux)HpYSB@H3(nHhq@shAbr!wYq&9D4jybJHxvhQK z7D0@~w>*Y8(;B@beaZ;M#utpB?y8`M3za@>qNr$=(*gr4|dU~x^02dX8jVqe17)i_{EE(SH~xBe@z2wOw1<| z2ICYV@n=oM1+o{{{a~U^q!qerRb4JIavH|^sgumgqHUoB1Y2kxAyow6H>&F5i<0Z; z+G9kh)=$&eLGR4-9Na5ol6kH`JG5l?1wKwlCb_4hh0@0`_`^j8b|gMnRuL>%tKFS; z9*iJFKgNdKk66ysx+|ptC#$NO-@edrq-K1KuJt+PKSa#Jpt4zFq62LWN|2Fh4)|ij z3TmtqO*fnrRAexwTdPIsPHg3s2&Kqa5$G*Wi!7ZQEYW2Pb{xR-HjUbHYabIO@n2X| zGsb~NrRx;WI-x@G4_Y=f)G>Zrdy6s6A!#FzNn+ctXAcjumtR|ms>&%jd~qYFhna## zw-*|Y?y7FmOk4WdIEW&+Yfma65PF~kr0A*A7PYtxp@mfG4V_rVsu0UyPPbBuNOg8dNw9U3 zo@c9+Wjeo)O@oaT{%y55mtF*p51jdeMD=E|(tJu^Ur*DYNydoY9JTX#`nh$T33N5L)0uA zTE1q*g3e~V5Sca-Ek!z2fw|BiD)&ySK_ADoB#pVwx2|em7Bp>Dz7qravMJZQTi$BU zHmcteJr>n_@nSJ1U8L-GlPYuxhhNR}sUns5B4vg;R#^~iOFoNFQNpVzwJk2!6GYox zgF6@sB)_QKmh+O@bEfq8u!FZy2e#VrZ)Y0YqW}2th)Sa5N_#+~iebbSIdhROb2xaM za=+22G(v{LPB&oW-NOY{#l1%d`XR5EvvYn3aa9aX+nb)lWW`TXPztT^&uX!Nh*K>z z>P$#__B;8!fgna(ixt&%LLVa2C$RL%4@;@BK^r?hK^b@Q($vX%jl^>7dGQ#3IO^2U zdBLBqnr5Yyx3qr31+i&L`Tv!F%~1;ZXNh7nut>{X9qFB*(7d3O3q$0`iwjtACay0? zrJT?Tu^0S+%Jj86%Tulb+%1SKRPtq!aa3cnQkCf7|L?#*yohb)$VpC89C2P3(9Ak_`WoCviAw?B zuU#t*=T+qg>O{$8SJg!t5e@1l%QEp!=+&K_Cn`qlm9Va-)qJk`D=QRh5Hd;QyrZyF zmh)jq3xYv>vvvexRmlGq(@eb&6F0+2xk#&ClIM3gx`q;&sk}}hwKZ}_V);-<)<9yl zKm_ZZE6Q+g)Lx4#E;;?tOQ7?*bsC+O0Ap8{?KGs9U~A{=>Y5R$Ebj60ESB571cjK@ z!0RFU0!+t%J{dPsEbEO}h#*PHKzx*j!Ywp#9xG(JTK|Hiun**ZTLVZ|lK5foUJW!D-J=htgRKn#T{7t4S!2ii7PuDzTw=gCqhtC=pfhWJf1tgg2+iqHuY zV)<@>8*hiQK)9PD%U6P~CUzB2*e7w_2+>Eyf$!g^Ia-ice6VO@ZHW>@qd-I(hXwr< zA65w2*gD2EibgdDY=%*w7ZmbgOQ-Egfa{H=p#VET#J_j+Y%>UMjD0CfF8+-f^>Ve# zq3+*7CT2L4X3}>x=vDbRcp)@bZ&xxn2$k?d%HM%TPf%stS1Z0+dZu2XDXR!|M0Zdxs9kVAu!l;^aS&pPLjbAmx*n6Ef75><(9NyKpjII)COj6U zErnjw3-+|qy7ZmrrXI(H4e`1L2A3!uC$AFiZ!4DeCQH}>&#A?4dALXK5)hlC#F zJKv_g@rJhoZR^SPRaMp#kLdpWw zC6N$TN-K0Rk7^Tt&f! 
zwaNAJy~>`HBN>0!f4<~KVh{?F(vOgyI%mJ>oc^Q3N8SKRO*@)yl29${3cdjK?eW%t zEd)->8WoGXfH_29( z)sxcPkN56ay`5*CRurw@4m7j=_~*I6V*|b7;Qkk~ zjY8BT%hZtkT*5pqHEEsvugK8C&kHG!tODe#022|vWSV~rZ@yXKmt;jEw7y;pE*%ZditNQ; z&*5`v4`00G5MEis*~;Q zFY01C5J8`|qh*1@cAEwcy;+&ZLGvXG`M^0_3u_QxvDfL`WhQ1;rV|!PN7A-MZ#ux* zTzXSwf(TGk_+5%RPQDq%Fk}mNVoFV(X(iZf#~yROK$f5IsYwVq+McD8yw*9hVlDyg z2F)DdgULkQi-}wO<0q;XxlfpA7zest5!)5B{uij=a#rr712DIJ6eIJ(9`-?G$eN+{)>|IJymyV*a1*vE1`&YQZ z8IGYYyHr9EPxLRp>US+=Jx7v084{da@7ygZfvGRYZ(w%5M#aaSK@Sq zLW5~_h%LXXM^Q3HKslV%6n&fmC=)~hx4UzJZ6Nxh8$=}Qh7?5Vn-T^UB>~7KRPmvJ z_y8NkVM2KZmSPU=UgT;#mL90~>B*u%Jq@Cslq% z-B7YY)>}ssdGS>%kwgKbl0!T%v|cR4&yF}}sY}0BsgLO+NHUM|?q5q}18rLgDv3K9u7|Qo6t0Z~ztq(Q zID!5lo2U{UH||NiWkIORZJSuxmYros^O~utQtm{c7H(Fd=#Zw68bro^flzb1Y%SD_ z&S-CpHS;6I#oXxhv?pP^p)gs878f z_HmU{8lOvSsO$ZvX#UQE3?&*vfhUXkyx!KcZySYc)#+=vQER&05q*e*JHDkfqWAv@~XEZOB_EEQ209_~0OSBNZC}o#|og5{b zT-pWWr_8owzIKCAYdMKBZ6i0DcaZ4Q+UpJhgq&$I^l1KD z=}SN}maJLTlv5|5Gyz%Jo}oD=hU*bgmBvIT8xR)(!XAzfG_u;PiN1OmWOp{ER@yL{ z7Vlv=0nCB!L9hol+hg8?4$lXSXe{CFdz$@&ef-C53??67XcpoU#_ztp5ksdTKU-uS z$y-8E@H%7o(aD={k6#OCp?ZsufwBo(&x|?pm#qJNaejs>A5DMY@$z|PLy5IKBTAWa z>D*#h6rfGp!Ew3wpg$OA$DRFAoQF|EUKTeI#A)1kr#Yg!V^qRHxoInA$e+iQ=lMi1 zg4q@lJ+0(MuT4eo&n((zHypL^B4@^r_0&QLLP>`(>g>A#3K2Vr%U5p@lRUI=I8kr3 z#ufPc?WaJ9!#;~O-3)>YHK4O2uup@Mf5%u6dBsMzV_RKEs3BBkr{ngUJlJ4saz3I& z_B?GwV}F;KcLdLzWG#&dagY`yf7SbFGd=90ywh-$GnmncFA@qJB zDe3AwWW^mUt{fb$wN^DUK@8%09S=Y&k=*Wg;UWz)k6cagpoG^M2ukQ90 z^NJTUvNvloCE-J4vP5UnY6>yLmPBeuz1yt^jYLIg^se!FPJmLS9tN3Z$1m(rs4C2% zBkpVeYsX79=4+50zkWS={_4A<7tfzg09_sxR5tAeAWcCb@vg;r#aLy3OJlH~TO=Th z9ROL&K-AQJpmZhHe+H&M24OWGWOdW`?!X>OWvfSgE8=-*64PsA}Vd7IHhu2JEO|T zW4Ed#d@*wjp0SD3)I26~%YN-qB4OVcxfW^WFm_E`#Lnmo@+Vw=#+OF+vos4e4e;^7 z(Po796(!5mPtE!2l(%N|8>B-rfK|oZbx5HOEsw>}kXj>}L_!Jp8 zC57L%7T-#PA;)64bqa_h)?b(PJLnJEn3*iFt*~0TZB3TQ>yjcMSOzOoC5Jwbzw!0F zfLu8*b}e{R5<82W7iGJY8V2btuo7DkUl!w?XfQ5%%gl?;s}bZ9lXQ^FZl>U9fNFfM zi^9jkam8%Gh9TAKl16}bbbn7Fh0L+D6zm8(Y&A1uD;+>Gp1LKto??wcko&je*C&&+ 
z=l^y*Ir;jZkDt83cHsN(Uq63yJaL~+UT6E*nKZA%Da8ZrR2X>Bygbs7S0@X9BuGm* z!^riXZf;6^f)PnIK5wz#NpWEEAq`Il&`1)+*3pdT^|7676+H5CTTUvzi!j<4->@!# zEY*OE}6_~-_6{5bQPE}lDb{{_f&A{*mH zt1zu9s2!8GV9|<;eSZ4>kvg{{khy(El5cH`rW&8V|005ZC7F<;!OHE)P&Faxu2FUf zK-=T|BD-ajtrm2gkJ52sq*p*?UEgt=Ep9~MU-WkLk~&mr7%p&S8mW>zXF)Yc%aV4v z9ufXck^PdlYO4dd$lux1nT?4qM^0X=8J%4BBZyLOc4%<{PxEVqd9hMt`8<_bY-!8{$ON-n=$jhOc06EVTQRce z?W=eH;lZ7J&vp9?@jUFlaJ{UX=j~=KT`v@u z#L6l*LC9&RRz(t$1&-T=m6Kv3)tw~7ihBIT)MG2~^&==o7SjtF06(2#WPx6o={cep zUKMB1fz$<6%e2r2-G(F>ugF@LR^Fp$S!ydMnN}Ovz;57Qu2KDf_O0_x4Y9!!F41cG z=ao~oulw8Axt>=RZ>n)nXk{)5SUJHdq$xv8h@!7OQXsP|G+w)oS5Tnzyf`Z7QpS)% zez-GzwnGijqR)&`puzV-t{pbZH*Ak0cOvreYxV-;o5Z!Rp_DzAD;n8}kFgPJ+o#r{ zjL=d(fwJAEnDnH`)lRCW#s@3IG5A2msP>gjl#lzGgR#0RS#G1pq1l2>^3xZ**`kb7^yOF)ws* zFg7n{X>4V4UtwfzX>Kobadl~AUv@GsV{dL|Ra6B40nL{VX6(IbcN@u(Hu@R-71hxA zlC%ME(b8>><#Q>Da`SC&CMmZ)at}@cD3E0WRd7{76#UNp?>C-UGP4Q*DYfOX&zzCn z5((rQ85tRSJZt@Ue0p?ob{ySYMAyH6fAThZ+52|mS*!cVpN(hK;N~tZBl>@Jmqep{ zIG-k26<2AVMdQ5SPp|(vPe;)(&&KKPywLB`Nz$|4^=`vBi{eR{M}vfhm}jFX&n9V> zL~(UMJz95FH9OeZd3bo}l^D4@jE8qgFE4I)-sZy{nP-RB_NROvP2)xMkd}8*l}D32 zzo%h>Ro&&&B$~yyG&)W6klv@ZZ0i2*@b~<2PQMoQRX(+n@M{`$>3g32UHsRl+8yz3 zjz7iI*(51F!0R9@@A8K-dbrcAjgoOZpHwAp&v+^FT$!+vwpa zqBM)9d0El1mPy&;9h}gL0eAi=YG-+tw4)*!Cq;>gv)m?(%A~5&>=tJhPbMAe`*25? 
zgF)p`WQep1x?@2f9EFSV=M5B(t}6$06mOzA|FRpd`}yQ34|qs4;O>C zq5XQ%@8`L|fDv>u8pg$ldK3wUDd)3UUR245Asa>SXite?OGiG@aiX1BT;1(d`Hn4e z2UG3HNyWoSPcDvh($%?*Wl33KTQjUIj_zm)-C>TMj*?k*hlTIGiYCd&WK#0>7)j$| zkXA)pEa-H~sz`?nvy`_tE2wdXa~sZ!lAz)i$|sp*Lm+Atjf;Frs}O+7ouzI`ArPTX z<1|a@$mnX%A|MBWu__h}eq8u?gi)4>PpJU=12Bc|PD;BNENGxP4JQ{(W{ZbI+F}`% z>EHCrC|CUDkBVdx12+DC^`gVcg!-5B;a%`Cj?CTLWF%9@4%G!^M`<~m#8^HJ5c7O; zXWsM7vKZ<-SST=PP^Lv#dl_|k5BU9uH}uO7=_Kb(ZSC#uzu@o6ZG3x%Z_kq3*qZ+i zAN(%051Npv(rE~p8~U}oym6wn#l7t;N%?}d(Y4E6+fiOn=irlWIi+je)@>0m+&n$P zpu}T$umIgL7M;aeUM6(5qiCx+C?1Uk?{%6Ei_dB{p*zUU@T>o6nr3qW5)nRZpf!pY z_~#)>?(r|tkt$1X?<#JcXSDfl^n5p>W}vmLMG_bIWbft6Z@>NZ?(TQHQ7~BRXZ(`cmzr?TtT$M6)#u*!1R4oR-=3xr{Ux@Oi~Sn4)3_8z3Nki0rkll zrC2hcAMQjR({Z;XHXxBVP3iT#ls9}zuS;Y1H9ml-cft%78p$N3T&{@z&@=d(ql@#m zCpRY-=fBkt@u%185o~Yg6GH5Dqoa{_`9QBi@-w>sq+74@#-n?^5o5Mo&3pE#hfY9 z;pBm+MU>#i#Fa1(_|70djs@~78}gUd@;50xO1DYz+vv6bIXJW9ztZ~BY613%fS;DQ zNCcz@a4Ot7%I4Dn$O2XgyuCiV>|W_3aTbFJyE7c;Ky-f6sgb=T#1qVloG4I9w`j^e zLWCBW{oDW5Hho;W|Br6lECv--&X2f>0(^x~0&Pk>CN3!T-b#A6y^ipwd;0Hwhsa9A zJon!A(j>g8&zpuirX%_^9j8gr0XITa5qwbAfKjB&pcT;M&$sci{gqFYH(i2c)Q6@M zQ*PE~E|cP8It2F6^(Su07OtN+phNSoT6l918Ug(xzYV_&S_xsP@E+YvFAj6lxL>$B z%2J)?xAY`Vi8cqP?mt{USe6muY!MObGsI5kRY^11jwjZYNxw1C#G~TdyjXM?T+PN2 z_|y6{bgzFQvx_8wyUn+}cFTC=8QwU842`XQ94KS3>!X+?%B}7;fhWoIQ6pA2D`R1D zM|mPQevwqfF4G&9WcmE|4h$#!$SqfB&&*Bi`ixG>1f@dU5u0>Ja56A}sH3`p41?J-%L zPSc8+S_5hn0Ig)Po{mFg`ypRRlG(QCz7xoeRW>9nzu6XYE<=#aGr=kZ{){awgy40i zCE+A+u{XP$+dw29N`%emJZHJlP>#=GkU;QddB$YAo5SB7M1un0B;KP~^hx^2N5X@% zAfp^Z>W|cOrpAePpVM$}g_$Qp9YLz~qce5k!N1;^2{B(qe;Uue;*iP%^+^aLneDDm zs~+Bez40gcP*}bqc_>J1>l0DAB~Iw;&0q^BRGK9HyR`axLyxku|M5kCoE9ZUy-KDz z>py5nrha-gGKifSh`r-OXDZWHV4y3yR~5K5+{w4+*U=$_V6ZJuBhV~KioURryaFbe z!fkur^6==iWZDw+kxTd31ZiT2zH)E4kAsA6PzwEyaN`U(Qhbf4^)d66;G* zKmLPex+5+vE{1mtqIvlY9KzbUVwM8>!bCZyH>40kJakq_LD2Y`M%Z+Az8Cna$Lam8 z4!nL%!-?t(q+y@>gmNG>(Ro%C`NTK}YH-Vs^P|(!t(bkrq-gfYl=%8HCQNU$yh!@# zl+H5iPt!H~1rh!J=H_x|ueTSC=^21fUS 
zYX+4hdUtavrZ`oC2irWN+4M?+ItlBGwqKp;1`|Ha5ZOlorp$ZGidmF)9{Ey znA%`>>10GrKIcXfQeh{=RQ~;k;Kq9N6!0EE@@J%8xmk!~HCir;0=D>7aZ$}@Pf5?L z?C4LE>MkFxp5t&biTFW}v=tkoL3Kox6PWlugTDMNDf0ecJ{~h(ttWpOy$awk3ziku zv#osn`B~cATe*Bk9@il0Ri738WUS7X9W}Vw?d42>s}$vxyJO(8<0%oxuxaw>11(b9y(*;fk%y6;hjOe(R!f7mZ=MTx_x!hNWW6K2GU#0QeB6;Be`=@89Jrx&(B9 zJxdsPn_lYJtXqvfb9hxXex>0rE@2eAj^15d!G=MfJmx9&#eaewe)SjzfClX>E31SXqu0b4ng6b-qd-P0oU4m;!*b; z7C4wp_M{7K(%LgAq?1loEJTNnw)AqsD0+UNUC!5cD5I^km-ITAho{*#S0VeL6D4#+ z3J+DVCvh=Zu!@&8;!Y_nGswueNocG#7qFvAR>xC7Nf}}x#CDms>xYk}Cm(4)zFq zvl$L)kW>%QV>fXC8#%gsFN5@!yn)!7_vBjkI{TgHofo>2J^J}&=UeVh-H0@n!GwEs zj|w(yykJ)fUV)l%h*(U`Ok_&aF>4P=ZjjLxm#`(ih4?UfwkNxG8{v0RR!4;2^VWnthM>A$Gfs*d?sDGPOw%M)yZC;*yQP#gG7lan@G@4A*ntP@q?=rwlOM_)i zlj7ElHrGkQo{Pby4Up%Q7^$2D&6pRj^No^WI!Xc@D(`625iti29 zR`VDVmtXy8UWieKXcgw^L{mUf{2PZwT;7=_9v4;CJ}=oXDO)u5SthsaF~Pf{m(6|` z$GX;lk-8Fa$Vk=^J~GOJ5`#J=glOOov5~gW0DkkC=nuHVHa8?v4pLOk>G@4Ya96n{ z3N&G+U~DhG8W(kZNJAb@Y^o%-myl}GF+bZl12C(EiK1c)9~@z1mP{fdA>az+0c-=8 zr$iFdVcT{HCloQ$M6-O74j0kZV2;Z>%V(?~05vYMNXCP7ChNX&(^nL8aEadOLdY>+JAxaE9XbrUQiOeX5)rz=i6y3^XOv_}cq zXc660uTs}^pE@tR>yzKTd4ElfZsAOVlY>oEjiw40R)GNgguO#Eez+BZ7^rc5vS484 zc$?-KB)%%oM+ec55Lg-2@1an*qyH+HcPnUP*?H^AxBmHxT+7oWaS? zMK8LPpG)SV^##r!)XuCU+JdnfC0KBNjfsdlygofSJGtqf9iN?E9Q_boTnpe~vOhY! 
z?4Mj7_4y0fX9g*JQrLe3gOOO3H1%#P32Fpt>X~37%eZxYLI`MEF;0I3rm^My1;NJv zR)n`5A&xO4kYi&~JZGw{oKBNbN(ea-*H@5FyM*b8L_qEdT@(o+*-#!cupGq4kCM2$ zV~d)4Q__uZ+X~zIwz2NR+>qEaZ=43^xWG%|d+muC^&!o1m*aVr!`eUOi>QmVhwRAk zxWn>gqz-x7I~2kaxaO)C1q~uf3ZM2h6TwMSN!L|Uck|+4 zgyDo5h+|G|DjJuG26F@*@%59NGiE2I3~pVz7|@ei=Q^gYM?+d4`<^!Bj>Gpi-yfgf zoE#nEvwxfjLb!6*XOG1VAMara@t5*)%Cv7~tgqTB6no zCyu0#pCn6hr?R{tQVSiKxGdGDjcigN@r>|GoUqL+N@VENi`{IW7v5FITB4KV4Fp)gmN1y#l2}u1ikal<-BGmvYVTWbyx10vDiPPT5*lto z_8>0Pp#v43QU1gt5@ZEXVl4b-I>J~}+bP)S5}x%*0Pfn(ML57SWK%lu;TL!$AWUME zzz14EU1Chtv=W;45H})@$HXo@lsJ2SVMZx&%R{iw5W6_4gm2_9zs=w>??DMhXUtr^ zEgkv|EL0dQ-t@NmlH*aGR|*J*026-i4V;)8w2r;S+GURRV46R##Mcu8iQkEUQ1AVP zFr=#yhgn^=0C>9A!Lh-mi6x%_!}@Ms;n8Exmwpyr-@S$W%6sD0i;h^c?cCI+G2GtF zp=_-36#TV5#zD+L;V2aFt#{mu5b1<5ENF+w9DB=+#qT7#OC~cAS@YYPXKn-roO~~s znc&?LkX(wsoqDLCA>lXmM@C6N$qY?HB9)gW1Sf&aImgu>A=_r-060u6XEbdL1zcfo zUP9V>-jIQEa^?KiI(f$8e@H}}xeNA+Euij}7n7#|zY~yT3*=8{bbb zD^l!6HJ&ktY_R-um&lTZlV*uh7|GZS7X#I@isfrrWDXq)>)m7;x_ocEz6l_I{rWZW+wRE~^RJ3R zM*n&dwc^%oC3o#;I2}RfiAVNY*~YTw$7_$b!}eeqd7yJP}=v&qEEXnV&SsI-#CC$43mT+9z?AfhfdHhc5PUhtVBRp1V}buBa7-q z?cZ~-i_K*`HUuMBy2ZnP@RZni((3`lXfiiW<3QP(VHa3?G68N4gR2aXyiabNpahAfDL|bJ7hbYG7Uj%ec z-+755F>hjj?A{Zb9uvj<5PBM^q_r!#gs zp`&2GI06(Bttz1m6Fn?YU4H_J=%veH!PYsP5>~8HMkkkyJpvacJhZ|I zk!GPT%aj>!lCs?-Q`5V<72kseq)ve1JLj&~_Z; zrv(#!HVz~Med60a>-{#p1&OHYkrF~mm_hZjA}dp}5nix`>wkW8dd4d|Pj2%H+L{&J z#BE3y-8T1zwpt_dv2%F%pi17?=RZXs($OU0A3~prbA+?CJ`i%wiFA=1#4YlyizkeY zQdJk0RKzU5mJki;0gXxmV?RG)|0(=Obo;j(R-Asl%VCID=ZuQ;P)Mcz6#V4Vu*x%7`{2-pQgHDK+Ga zB>+tSqr}d%3^nQDS5CLo>k zDCOD9Mc#JN6+jVV7-EYeXUC;V2)|H9W<7O%w|GpLDAO8t-8*IEmPG(la9Li0*eEx& z{U>ipOiLys71r`B6rgtK#?A?E^P3iA>)Q-P$h!X(8_c=yB@ zK#zgzsM=GVS!UF8I`U^E5;FL3o~1HQoYhjWLu7#hfSD_UD?Uy$s9cn*6cepLplc8a z?~|u(ONg;dp1AQyUMm4bk3(S`mnjY8fyuz8rt)Mn%?0-GHImc;pegf2J-6M~SuEol zkbyQl_^$d+s@B{3E>U$JpjX39+laiB`@d}V2|Si#wSwYU>4xS-T%?4!$)_PZ)U!RH z6{yK|=niZCjb{;-lD<`hhHVh>>eQm?%c6&k6^ z`9K0Vg>?@%>sxUz@hKZQ2ThvV6CX|cBFBlN$;?>8eU(aDWT`@(-(JEUC6>gzTP 
zli2zdJew(d)v{_nAa%D^7CHi94zZ}yd^9II%!+3a)!RFH?e(nzl?br=5hl!Vo3DGh zVvUTbI;uEk-4Y$9*Oy4EaOP^*jR(}vWh4lIqJ$z-IiSJ6+oLd?H0xmM)vQ z;Uq4ZhYlbX9`^cv5rdMXADJw$V8YO|H%FFEa$zAS9z!4yh%8wOP5d0I3udH? z>4dmuR&4j|YmO%ck<&=PX3P`NTPEk?$YY>tF!c!Stg19sRL5A59M6CVMFIN+3+8l5 zJmO`^1FE7Q9L2nFrK{hvo1^1Oo-AmeGNo&9Eo+`6bAd49G$sv&$n6!%k^mna?kAsS zY){Wdb+iKS=cO_~dnt=^=p)L1mWu0(nM%T&x_Uea@2^EiQeD5 z>wXtmIJ{ZQPv0J18czPG`uQ-xTBCz&8a;NaJY;6AdrI8)Jibi=-cKE=v9#N{`2;!Y z6D~f8&2Md;Twl;=bj01gPIPp+xBqgFb?LnBZF|euKua%n6&Oz$8y<2uoTkX&j*o23 zwD3IiU`criXbZ6ptt&3Y4BILQYuMG*ZExEx!o4@m<7R>9F6T4nV_iZK)A`qMNT@5; zQ6x?qbKu17aFHrXvj>uFPyF%{h-Wc0%tg}Wb(-y1C+>D5&R?bMtkd~`nvi7155#J1 zi!Qn2Zs%GISA&P9L2TsUGb0B>t(l;Q1IZjVnMr%K0t_}nwt+M4<)np3A(!A`6l1!% z@%w>H?r-E}@)mO(7Mn<94(9is1%3^g1BY2fegoSq8?A+st4TI+SQi&Mww3;N-DpmP z+23^`|Y3w~-v>*I0oL^~Chc9Ymk`xbAOd$1F$C>up>Nh@$k_rUqA=m&W!# z(h2Hj=SB5=_cMF2H8y&=y9C9oq8)sdQ^Y`Dbb#U$@!50#c2#dT;Y&B)%atdl%{}p` zs!6oZ9!igeAcZ>ezC>FzPi;dSdBn32e!U~->8?#_Gn0w&PLeChRMJ9q*iyLR-IUnm zJW9IsGPo?@A&*a58(1=Kv$hVBlsW=ZSN3bIRO&!I5Ai zCBA$@kAMg$_b5ElnSw+)PH=hZUr?w0#)pGCW-vV}xMQ+7phQ z;E~wIgK$@k$tcTwn0ogeehn~DFOpmYkz}G|>*Iz?QTA%rq^WJiqeAUXQ#jNcin)2H zC#_|852wwzmbzB+!_YCzXEZ1K3dtDI2*%@t4_}R8@Wd_Z&XIbxx5a~Fm>1Aw5jiGeO( z)6wNWiieXvoLn~QPSob<(?BtlFW@hv96$TCkut1ecDYF=tQ&eDwHp7cTO z5I@1u^X%}(r|;F#KbShOxaA0FH3ePFYB?MUkgu~A-!XQQ5$SwvnLkGAvs=1wEfx-* zzvA$C7IpQOZR>!wUI^Rs0G zD_wqn+10wrrd63xvnwjV1Bzi+BiB6Rxc33}z1(iD!Wc4Li3%N0ti z4jJkBtqkm%Eneb;rwqJ0z4ZoWPU6BO7)Onqx`fcDKrE?WVu|C~8zzv?GsSVwz?%En z#yIX6n0nMZs$q@`A+HpLJF2;>X|++i8h^~W+0Di^QDa@pbP6?to})z^DUwI~zpS0O zg4oQ$ulIW|TSv%&Tcr|x#NlxKTu2T&;Y1B9-ho`h*H}maRmc_|SmK@~uE&~qV-#00Q*t$6 z2Z>IZZ=aW9w5ho=0wSB;&7MV&JKu1<+Kn8s|L%O4?9zoR;!DFxlx>*UB^2cVV7TnN zWf|l33+gEc#q6BI2R?1#_6#L{@%HfMP@1EO}eVM%eFh#P1zSH=dd5$*( ze{$|3rq)NP5Y|ICp4f={!F%@+exkjt_S!9RQ#q z4;whW>Q3Ar<+@qP4}87sqiP|v@2^g~PC1T{Y_LD-WY}`h)$Q>GsY9GC_eA<=eUo&U zij~w2NOVO~FdLtw^4Kq)VISM-GwJN;(owxw9`5qV(sbe=sVNdTdocIYVI{1A$L<)a zn8w5(^#ICG0oyP3chw3&ySTnSt*QQ5(eAQ*t4}E-?I^KPR$QC+*T+}=qvNX^LIE1_ 
zJ*yFXmP?$^SN9V6lBEKF1Orz;H|sGMw^;EF~`NxYSl0V;7v;Jd1Cf99Ep_%=q2 zYCs}NhvTxgkQ0zA7`T3|T84x{&=9NFvSP|!fFEu;vJV18CXOS=T-ZnAWqG=e>#E*{k{zX#Fiwvn#_}6*@l#3sBj<2qE-h8imgAF8C z9|^Z(wJzu>3=?bwY>BIX!DEHtFw4Y&wGxle25q53zLrz4gfv&G)Ci~p#1kt~019S< zUi`43c6;y)mD-sgh$Hzur?4_Mh<3iz)+sNvQ?t*T@6qK@Dl9P1#>H+SIu>KTq-0`x4AY(1qEv)0}p$<>_; zPpkEom5n2Jss>SLfnN)^C<c31b8W8vQy9>~c1dAP*{u zGQoy~`$=N7@v=ni{<{f=lL{#ovp)6_9hxlwtGzk=oe6l(Y3SzYGIZVInKTF&ta+Gg z(X4&04p*29)2VOyZ0IYOaIvQop{A&xmZX|9hKKXlm54_*b|>lmDG zNZVQYJbj2QTl64lFq^VjdIa(M;u)mxBy~r|-Zl*LTFt0vt1YHCdo|@j`*WlOcF|}~ zWBoZOP{kAK{pZDr;Qvra7Of2=1`E4~W~d;#%_#_H{#WGra?nFCLwKWCD_5#hI% z_m7$#32L9d)6_&@d^Ls&pi{7^BPieP|C8Tk#9Uubg{P7a+xRr%&)UI!fAi@Rg6(^Wp?+5~S=`WQDZM38}KuES&BYc0s#TETX!}WnwSvxWZGbTD37t+dX6f znVazQ#T78^?hL(s^SP*lN7ERaQ zc_H}FO*_9z8-9P1qnUUS*wmay@zLS+argT8{QBhP)Jm-nHY>dLs2a3?JPc3oq|H*WqbYwno08T(fv!iO`S+$U;Ok+jhgY;0zjZYpr^ zX05lHx51R*j6`ZF!|ZDPB|FtQZhDK!B90j-=#C=mO7q90i!K#kBjMxyIvn8Bmho8vA=o3 z?3-kXti<2O#1UVXjF~biHe{6nI6oOw3^E5lRG_WKqegAN@OE$z-v6KZMRC+;PAteO zM`WuTPiAyM=t37nFWgvR^+7&}&uj@`cENCnU8c%sp}LPn@R>%b>3hM3b1zB=?NqxJ zJli+Bn|=x~InvI5#7vgad3G@9Zej=)eOuVvXQMnHo-9%MfpqF|Q`sI8rM$I2l_bSfXZ z*-vX$0zCkd-EP(w!_aPw#JP*|acQAYgGXc*C&96<2P+2Ii}_wP@-FVq_sKU04XKhWw= zpAPE(2RU}RUuYa14FqPB*2(TU62ze?Ch)*odI7o3^*o!UtqyVAd2!Fd@uz7v|I~@D z^9kx1cA_7N;^hzY!@D9$-dw+xSQx%YRsrj<#2`q{49C6Af zuK6nqsc(S|T~2}Jo^j*X4zDhIZYNMpr@#5u%?@l3ZZc7dAhOiPj0u7rXk z9l<}exM#BXfv@RL!M))3m6mvPaejVwc=dx=ze1Cl3ks=Sp|{7ESI0+(H^*;%vhq!< z|K$4c%$q^N?Uie6cKEtWb-i8QX(Cjd%PWK57t42C1(W2uyM%6DKCF&bu^1LruRIP~9C(Q3+OH~1-;v^ju zqDAF)F1awSBR|2WvI+0y1f->UIWgAyx6=C*9G02z92J@0+HZ_QFMTb(R)2Z*6nPnnp%dN-gETcZX z=gMeBQE!~*J>rA|WasRYrHLUOEjTY!i{96jud=VT$FKZ~QQs!eHEDE#bg#G8C<_oH!Lmov&YtDuejle=kOo^>ei--8!%-b zg@TRPbVo6{PS#8d-*P}MT+=tmj z%n!@#4Q*uU`z5aC_!GOiup2~8%iD<#udNJnE#r@*MPVS*lcwtAFav;7jWDN7SND5* zA2)F^?AE9xfk|x)%lgfO;ETiSXM6iE_QYC{P3+cch6e)dLKyMsLe8#76zjm&{LiJwa%j?Sl8D&qYuvV;Da0b;D!*yfAS-J@?$c} z!q2`(tGjs-eDsb!dRL_WgG0=PYiZh^#A zM^MQa7=61N?e9gq-M!uY7m(tZ9}Zp%SOB 
zqSn<-`ji;?*^4>9DXPl(-h6bTHgS@}nlYq0Q}nyzn}{Ql!zF}8LagDMVK@bwxco=^ySvfz-M#4L z?rt}FL4Up2eI6i{wi3ZM6Q}fb!&;cJCv>x5B%^sk+<=|bwtILhsbD$MmXlVft>Uj* zdr0!d#$D(pSkk!||z&^{}~C*5Lxc zmR|;L6|Q;tK~VQ7w`LibURfCJ9bbi(SkTq+@86$X9lwoK+cpz5E_9I@d?LB`GST-5 zRG(b(QUcmF>(>1JjAKj5S1t8xBL|$*_1c?fFqqFIvqu=U74F@biTFM#P5%tRP;EW7 z9j9t}1XQB_v>tV7=|@Y0y)s%W&8$#QSH3TYB!ZDZq%zcOA}V@})PPD_Nq=P&oBeBx z5Z4>c@_)(UsE5roo{Y{e873<#ysHle(Z~Z${pI8$Q{%exr%p7V+MSK5ty!N}tS!K% z!bH?KI{xF$@zwd^X%lQd7Kx8AR|(CQu;W9*eLBUGNrZ8SVL+^^wYHyF*W>Abck20c zHL!%|Dr<=pBqN!q&4Oe}cw8*vN{%wngX=EEL~YJiOW3qRJjkZAzB*u63!@AE!W~9S zUn00mJlnOHiTb5ppPyYuLU9|y12e`4A?$b!n0q!KOh^c5EJHqBexTw{c%ywPBT+V3 zW(!UyUU7JoOPnM$pssiJBDIe-_>GMD+lD_v86kB!EvCGK7kzDCa{Ll32aTepn6dCl z9%;g9oQbagvHQ-lsC3^s*$5UVZfgogOCuu*uve(H!i1q8y2M6*0W2hSYEYI22@KQB zqW=p+{W?Ir>XN2(>Q|9bR|lZVt7rx=7eZ=Y@KAADQjwXD|Ej_EWE^$NTDs(VkQPvJ zSan!_;ES4Ph=pd-z#y8tRtuyF z1scc2wA5%i*(5DtPtrcK;hF(yNpY4jUck!@wEB%sc3CF#QQkH1>l^RmdET(L#k+l4 zchRca*<1!+sBaLwjZmga(nE`)Hrm?lJ%9du8|pIk2;SP;d2Z(b0T{5CT7|5AJpg-T z%G#~x2QRl*?2Q=FDPe%b!7|T-U%UM4O4-ZF?X1&eDqinQ5ZE}&B0x2VzhsEyYl$M;C-BaDHv^42)!Gf3D&4Z7=o1#U zhG&NQ$w(01N(d@vBL8$nN&+Z}0Q|Yfu={flci<6df>tODB|~IAOAp*J&fd_2_iH=rQ}ss4?TRM`3z1=7QO$>oJr- z>e??wiuF%rElFOpC`B=!B$9ht^8dJp+BfGWYKW5${qDr*&t-JAnuPV|Nu=nka+xau z{*S>VEY0E3KM0M=b$H}FA~69f8v4t#R08I#BnY`igN9Q}I zJJ&bjho??7wCRhJx9cD{jDPkzV|7GENDQvW(cxEJ@FQo=OyZMbw>A7SWq}*e5$M5U zRRHLhD-vAV{}meKnEjXoul$v3L$fEBwa(hip4Hw33S%+nC!_n&RPS5h4b%wu6gLg? 
z7~?d~bYYn=I`#>JIv290<}AgX0P}{wf-_s%so|OwT0%e6e^_w8t#bR{8=7>9cY8~q zKf38emxou!=QsWDPw40Ki}T}7lvKl2qV2yn!R8R#4-J>WpHxfg@T6|_2qU_f0g0FW z4^#%wQ|dT_JICMqK3bWInaL>7>TrMQOegXA-OUM@$pN&K0DKT*A}zi5p^8cD&^nb; z@_rxpXBxJ(sVP=F?UA=Q&b4}>T(}ek8i|t zH`876mZdT~X@Z^&|Z;Tvcl?5z-FG5<* z2c?!{W?>S}L{1sAd@&r&G;mdSD6b-{p0A?ArDK$(W>;C|3K2XIo6Z`r2&lLE!=XzX zC)d`@8xqlt%Hz!o1f4|R%bP$>1|i?4XS}G;X_7zode)~#`G(u8Ass_W-X$IIv)1qp z+?H1NUdJ1#>GEfC7LWB_Vk-U>SPNNjx5~Sg+=ErpK}P?hFoV3u7OC)?&*IxSEdC|K z26&DW7|&5iaRnPwnv&Q6IBG9IFsz=9 z0?xV9nFeK+lQ;Csqpym#4(wV>#Py9dY2uLdti2p%IqBnLc%a=gsxN(m5P!Y}`%7Q( zU-ZrMVAkdS$PSZ;W89-p2hxwPdOHjgibO7DUaWXcbj$phD1^d&hM~vd>lb$ZYR}1Y zc}4t4Pdq1q%W_yVa9}$*cxo3sr+-_Tq{NF)mL<>r^^C!p5>=BeExlDbjAz!Z6D8qq zb|sgFr+=lm^@^_~myOSIWGaH#vIOPMtSK~rKHYXjJ025Tly;dvpXoMZSG0o|Nj0gn z-QBIt*mZ?TTB;W%a*n#32)!DwI+x&2O&imI0?Vj|4yeM092uo|x2sWCtj;Nr{lU1( zKxHx!H@0yNo-1@}9wvQFAj%GG_S1@^_B}Sspydjm>1$W?!8K!g?JzSb(*yS~*Dmik z(QO}JpFkQHA>aB1+S9JJd}1K$iV$f;rIxAXzE-eCH>cMt)Ux90+LesxPc8O{lWWvq!zEjRPV-C2PQ^@}b7(vpI?I>D|p`06~3= z%qHiISezD8EcD_c={7KFEGw9@qsk(O0vXE?eo4W^E@;`m)VRYQ@4;K#4##okmGgyV71$GX8Pj#<%uq?R(XZs>bvq24Fz3X69(F@S^M!z8+LMi>K9ng z+j}41H*nKbUj;~%G_^x z>T{lX4az;;Mdksit1+fkA8NcP(B&;VKQ!|N1ep)Gb4|AW1H0zp^E!2lBy$)9F$5YO zAKe@T9|>yf7fo-G6>|NeD;c5pSSo6Up32kdZ9UXR4f^bK5m-@goOROihPZ}E@K8E$ zH++&n=3Ws}F6y1SN0+QlVtHIX1XkE+puBr`mdV{=^qMeukFjHa8~<#@&-u3(+lK4j zp~?Xl&^dH)A*k%H`HBRi7t8uzt`KYlh~bp7W43J@WFH&VAZKZgeT?Ip#u}iN*vp4> zRooH{`NY8?_WlbFO*5i=opY1L{k(H~gL4~5LVY zD5b7*b)UX&8vUmn7zuPccx1ZZ!~e}X{w4kxBg@>ZYIuC1BWK+e&+VO0UElQIu-hQ( z6$6Z52yIUm-y-WDhdv?Y2E7h>KlqL7`Y72F?OCE?uV#0OuAZv)g-lHw&aYeanpW}I zoWdDX*)5#swj$UZ@g%V*{YPzCP_s z-YJfjdhz19d>oIH@bm9>TP^V~So!t-9=;y0`IZK?-sQ>$-}30U`3#vCR*%mu9^!QM z0DHUpFT1Z^zI^_YS|K>-7I|Rd|Idw9kLmZ+o!(BX)l2{GJ6>8@cGqtH<*#M;gw056 zwR#8Ne)}yNF;+7R%fq>(YjR60)=YIy8%V?E^;nz^OoTdhLpFj#?08wZY_T8Hk?LSL zgKdy12flZ)82M00Er?&Y3om@s<<-R>|KuXydSM=2@pZ=Sb{@;I=1oRXdnoE-%T%nZ z+(5E+PLs#h157Yild&sxDB22_FPMFb7h={!gz0yHa(yZA7G84&jmikdmk}ksD 
zrKNH83q<`hVNLOMCr=*GdN315Ogg{(p)|_p7~_*DT}GWl3X24QTT;O zYXMhbeyEoE=K9Pvif%50%ebi?W+k9Ee~1T7x}@;AOx4tuphUYeJ9X4&GagVd-8eyC&U4`Xw4u&$i_1* zzGGSLR*&P$eQVGI`mKhJOQk9-2`9|wv?iPkQ_EN9su>$Bm_)GqRz1Tl4as3BVsOyZ zK6kJu~mD)<# zK&62=@6v*{Cx!(x%U9ltN@;TMQ*pH>Y1^i#ZK64eVe>X&yxUsuIb-%o2-B z%j3Kekc<88`L(R)B9oA?+9RSF!X%FoZu4p^k+cr>)^HXXUXFfic`*x4=qhSa9~dk_ zq+%!6$H{iJ{>20$rP*9kp^33IgZ59-4sS>*aT?wwh>qC%O(TrOA;4vukAtVZW1&GD zB_W=JY#FS=axCl=s@uZ!lFnW$2*@Ix1$B{BN}za|{yH+G>)a7a! )SFKF-NBVl# zauCLNZVxZ3zH7LJk}5pYR<__Rxf`$Fv>JM zY*&sZ;lmTBQ0@h_SS;dR(vNakr(#8bJCN7b$~ro4wN-yWc`U_x_P31U{4txjDC+N|?3S4=a5!2=RCZAY;ZLjMH>%Yn-802kHf#j z9+_z=>9EF@$|Rpx;&Y`T)&A+KhfC#Qp{1foKWfP}M7&j&0))f$`HgG5Nk1N5ou8Z& zfZnr!VC;xyqX%~iiyuig*f6u0ch1ku1@mH3Sj6E&DbGmLmpvb^0h9$Pi3jN@(#TYm z)~Kfozp1DD)siz&JeUh#%{pG8)ivyRlq;Z9cNoIJ*Khji%%j5!#h*JUlu{OPNQImdmhI#Jnct}i+-4UCPGxt)9{8DSw1bolS)x<)og1ialI>$?Tj2b+>(kAklNU}Wk$D) zlYudvoR`jXa^;m7aBLRe8#79NWf3K~LT?$;^K9ZmZzY_o;daXAxiyA7b%wfxQjUwM zESvUZo|<sz(46c+T2w-jyIC}wJ;L2@4qS|&s2q7e(fW-ROXjkD@u zNDk1JyUZY*-WD~3qi61ygOa?Ap+?f>N$m?vb%xRlN2eQ3JVClvmQKFi@9n*UfU>jy zg1;sisw9FBm6uES*-fKrycZ3>i>9xTGA0`))yF9RE0_}g?Ky-+AlV&m(qG~kRQ3D~ z)|*V@+l-ZZ(VOk-ydHcM>iMI;pyqckA#&+$Jf`ea(sSs zO+#21^iEO@cbFpVFhv;c{8Fm){rzTpcZR9YeqO2``ZG-W8_!l5^;ekmpFM&Vk6do- z@DOzhzi4}m3EcPZ;ku}2*Ea(v@t5{T~DHu1w>ks&!QOL=0D5Pl>H)HvKOn1fvg zfuWWT-iNXnw-4pt4o9p9PX5th<48??6KZKvm=q-2XTU^MQV<@(j%0HP;Gz=K3YPA3 z9;7-~7p8SEP;!iQD$3ltySHWaPfHEw<&uBJq5&`2$I|!>RxMh^s~sq3;<+++Vo&g7 zrYo1c3 zb!`pF1usOn+T@J>iLA}vg-Ge}^Dd*BCQdBfbMta;xVokOdit@W&*1bA*gEL&f&=e^ z5#-F()2h_UFjcO6v$>bE@S|zdbR?f3&vN65IBt;|;wnHJ`)BCQO`HQ&xZdqnBIWKd>L+hfAb~C5sdy6c3fM&Y3?(exKaQCG+FSh6KXM> z^J%~~NmA<8(dpH;tWyQo@^SnN7x@oHK(;c{bXHRFpNNbMpwGa@5IRff7=HN`@zJ0D zlQ=17&e0TEr5-`NHAYW7+^bm&4@|#<2BzI=F>D^Lj&?nd-2tXPf#LtebEYfNh?X-a z62(uBGO+EidW@yFU+YdV4oOaG8Y7;!{mUm<}eQ ztTq+74iHC@&brqy-+A6#Ak34FOt#D*~#@aTkD166y#z51qHMw3=omQhIEzVWU!%SkH`mqA+EfP zw!S~Pu_E3fMRpbGh`F{RHYD}%49-MGG9}EelIFOfY}5p5xvZaaGJ4_VpXx;RGuSpR 
zO(5AN1A6H4jd28ou=rXwxFb0`IO$EtcxNqG05i|kyQApW&-b=1Wu*kcYn=dfTG4Xt zW(Al0+b$9UC_hb+hI4qAYuz9jht8fKKThanX1;!)j~Xg{;9X?{S()! z6P>(0KEJVwpiGu(P6r|f5AxBXkF@b+`nRNozoHKs;-u*jZvvyDFIOzN6F#xln0w{o z#^9af4ZEmzV!0;0 zea1M)@LNs$rqqX4!Dpb_c-BzpV~JIELa!m8bKXEFr(Fczds&ne1u`|NRgGMUY%p(Q8Mce|(lV_UF&cdNU}KPeZAb0pPNQx>I*Rs;5Zd?EM^1JyIxC z$X(CWKzAan4V!*~!*fP>;IZZ^m6~;$RDQDHYhbxrkl(644)*)l2AvOBnFovFIjE~2 zO0!ZjIBwM?b;=cEk;F2Eri@dot1^{@LpiFt*8rQp#8S4jqsER8>ja>j!ZHycjgbYW zNd)m47KjpxH)3ygHbyoBu2?wZT?~u3yt5SK#~I=_ykT3WV@EBxOTcSLkr^A{L@5X- zgv(^%d)bQBC5x9ho3MvOxMblOfqsM*vhEoz+G+1Fg=j;;X}Mw+tkkPjG4ANWs?CxY zYsDO<@GI7I4M(*^0PiG`Wh$YHtBBY2$$uP2@6S(eu7zAHtxnmuc4d#f-RSI1!(w>u z)>4Y;qxL}LS%03nm$V;5`UGN#)@Du!V^XOpk#R9$u4W-2)e?B_9bGCV6NBV7RSQeK zo^B&#M;)>2%{7q`KxZ~YPBYKBz}Sb~*QSNbxmh6QS@LP7W!%*5gMG}Gb48|Ey;xh4 zeN2lyGv+gKQ9evy?i0SrC|#Mq7*C5G@eCT3eDlTT^s!-|+Aq21z~|QHPQ6 zhEcb@=|UZJm1-!YC4`KzwQLwP4RtjeyLyjAe(VFhGN}Dkix+ThN^Nv~eY%6(Mo2_n z-o^JehlF1c+n-Qg75t|lD4IOi=mAQ_QFBy zc*We(AL&y*(h1~3vOi1~on{CJm-=yzdEv>`!ekgzEg>AwEQ$uYJ)#ka%VbsF56j?X}Y@1pV}y5vX-BfVtcM$RflUrDi?b)_jH?8Xw+VT=d_Z{O)Hhq~i2kZhpDV zH}T}YWX^Z(LJ(npe0|fuzB#EE239bde^(G@5cCCEr`wSiPf`$+&rcv7P%6wNF zncrLC@^rSnj{LjdLE@klI&onfq|v#OewQ9GvF}ksQh&7c1PD>Slb@%fsu${~u28naUA5~L=h z`na_m)$G{DzZ#cfuIRm`6=sZL@|iOZo9;2 zsSj+6KgQ{VFPE0xtgWz?O=d&gPn#J4v+crvdA4ozgullL6W+{>oaLJfkkqcCYyN3?LMfxm z;T;DpDT0n@ke{Lt8WahcpMKM&Tn*z4{0p7&m?YoMrG=8&|43XY+W%L)wEdS*VC zg&cc;cdBB7Z-A(Z7eT7J#_$>itZr43BA&}w9Ei-t8IL=W?M}T5=$no{1D|^1}Q%}9s=z70Uf0pNPHK1E_2ok-?Pg)=FwEsNTkQsrBv$c z#w&WW3U49R4PE@E)Nbc$sW69xL47q(E`Kvh%wFRZjt_C>GAOaTp5->; zo58UQYPj`;s~bDXjn&?&5Y(cVroeYl)$%A@G6935WJicEGPN+i;yLRqY}e4~TPg{r zJ21(y{3tDhG!u{^!}#CN#x88yeaWhR8Q_fI<-}z#=IWd05N*M)PhXEq)xO@R}h(JthU6zwBBxVs@ z@wPToBL+zyT$*BsIg9gU1lX$ir#o%)cyFiuWPnPR?` zk*TffKO68<ndn0uk%M{O~qrx7~Jo3qyo02MPpwa-u%wECs%HCgrer{0(uPV0P`@CZAFiEo4W=? 
zu{3q6#UzKmxekT1y!#PPL+h>Jz4N8Ix!l?7?eU6T{tTqQN{b40%rv-MnGiRe$;z)= zPHDkT8CU~n5%y$T#mqp%#5-`z8_*ZK7XV`zwo?$wagHXrJdY_ zi^r>t)S|>rx^+r6g6?qGI^mxjN#=z0T??eGZLj5xfT4H5$26a?RK$2;{EtS{q+{-A z>2sii4EY$&h40` zgS*NW&!DImYp9Q83icp;fd&T)N-Q~yu}EobfhKB#^mKh1p>|1==Cg0#N#^)I^^Pu$ zPb}RVZ%q6s?~ug1X9Fowfj+{SKDR-ydx`Zp5L|63MYT5lKhrXczSMs%rdhXGZI z8uqkzhP#Cdba6{U!dcPSFFl-~j>2T{LpxG8fkenF>Jzyw0&yH8O!tPn`AqWRdej(z zMM>#bJM%0;r4$z+THB^ht4o)8dafx}LdbezCv$yNSbJ3MWX`2D30_3^aE-XaX2*+ zOyN?@{b@4oOWZpw->+dS7Xm!vJZ@9$tI8{S53UZ+)OlehStrzSb3IT|&UP%e|D02m zbhry&*wR?&5$A+cTnwVT(d5P18x^`vuZd{}J~vsbYEtsGAXXv-5Ol+mSe@GURbAra>ZezNe zb50*7)pBC>#Ktoqmvt_tS4g!DfW0z3`7Wz9CcxpCu2Eb%llU=`%=FtrBL$BpeYC+LbSGq-(_=rSzCf4 zwB+>97F@qlaSVr!VrbfC+a&KInI%@ej5A1^RJ(+k;wzX!gAHUBKGnhHkR^YHb-PGWTJzd4)2RovHd2#H$>QP}GuH3{BKl!`7KxWRuCLJbM{Zhp9{?J69pa@6 zF)PxKI5CiG{%+|qm>>cd#5A9mOM3~gfSrYkD4sL)oj{t)az5pgQU0AF&nz>~-dH0? z%-Q1-!U@()^|;as<7jxl#=&(2FrljS+=2Q>%nb91ANj^BRoK9k&U zk#ZJd{|xS;yI10V2hV5w$TE9rr(B~AcxyViB5z3`VD43OUIo20zogyNNjfOv!tdSg zH^~|W9~WO|7vQP#z6twz!JZ*`_3r59?zi6(8cS*mqCoI0s;%uBw?>{U zL1OlVvJA8BF%G{D6^Oxor zR2#f1#2*!}V9v!>s(5(s9vI`^>_#Is$I;CnQM#{h9P}t3&i(!6WO^#s6p6-fS4m(k zc6s84@$1&R20g7b_YCX94qc4WgE91>!OXOSA>&(Pw_;FhdSO=3?G;>r%_AvH7k0Cj zClT_AHzZKB*p>pXP!WtF+CBd0i(kA44!y9|-Rss{js0KLm_$#^8(VO%&e7FrWYa#l}}Ff54NJmXLfwY@(S2G8p@$G6zUt{eTh`n z!aW%_1plc7a{b}>>g3&@`k0utqJsoEh(aV7-M#+61nJ->teZz_A{`Mn=kKdh=UO@{ zVx`g2j*>0rdWZ`dr=Qf#PN^UUtJ6>(phl3rpk#nwzEVL%Cv4epbdVRpc-C+aVml8i zyYX6NXH3R52e$+~D5l!&YqQ3qoJ7e`?5JHd>&p;rvnTcH8WZp!th18gm0@tAuyG6~ zN|`#QRrgabEhB|HL0SjSHDDR|SLk3Ao9i$Afg`nVk53Q(bo{n|`2I#f-g=v7o4!EQ zid!Jfg1Va$Km=zmdKs#e189QEQqtb3M&i2QX5Jc(zez^hJ-580i}SZ9us0u`21~Tc zXRAn?IeX}@I9g@Dm6cs z&gn^j^!x*pn}8OHa|rvPd-5l3muX;q#6CUPYeuyi3$<4ykReyR858WzH|p1AYb! 
z%m}7OsI*MsA6`B!@b|hEfId2T>k9vwtDkvmi??i3_u&t>3o|5bl@)?NZCKt||7Tt+ ze#p%M7)kg|;P&M^B;L4A!FUyw3>H0Nfz8vU-Jm2TZdTNJ-c}yx$i|?;wcnutJRvo4gTU9hD?+| zfbCNaZKFKevWOFpo9r_t(bz3rMs!)9hVeaUC+OHR_iV4h^P@^!q#IDfBF8D^DOeVcbuSep>LT-R_I&LzOcGk^|W@= zj*^e2R&w5AVtJ(*hWAb1?`X_#tHjA;X4xpJ=&~+kT*SAa;NHM&Rp&WlhZ=a)Nrn5e zguwzjgNY}B*FR9t$|6{Xy&wP{iAalhq*@ek2kfAiux8viX=n2&6FJ+}=xDDhEp;wW2E1`cX8zE4{bzpHVVRS>!@C18?mL(U8FaKRyq?V9B?w#T(u#8AZ{`>M9}M z-K_QjaTOrtLW}#$JHEMFQ^{i~H!tUo(A(g`|EwO17HO$fWpQifs`W*e5N@uw_^`Y; z_#rek=XiKgy3)0iXaMsR0sy$HQ`WJchzuG$$@MU@v<$p$oJR%(~zi?Ybu519LtPoY+RFVy5RX>zm~cIie0SD+4 zLKu7&MT{RfeF=$mH(woy#H%n30(O-4(!&rs53+fah24)S(uXAGSkxR)Y>^w!v~#8g zUFTA!g@~f(d;8yQcwd3$~*E=-^fOW zIywkWAOKR!j1>x{T%Xo%X>>#&X9%$tS#M)3ru6H;w;8!jpy|{gMdp#yYOY3hSyj_< zuvEvvjc2VT<8-XYY%YVN-0^=dL4u~J(|$Bc5Q6x3IOM@yN-nv&aHT~=G^Z|-WTPF_ zORm=dNtO)}T)83}#jFI$Gj&7>)21h(V+ph5PJ0AM$m{MW3LJ*v^&S+n@}9Z!`jpXm z%=ek|L9R$!Wx|>{%NH*WMiN{5 zX(na)L;)+;idMj`3L0XmX4Y->xTS%-bBrrZ9c7K9;4(M7WsqfEl2)3KQMgFofI~|~ zcPcTQ(;1D#J{m}^2ub@PVHE{G*`s7O$uamhl4)&uR<*>z_A-E)SQC13&I{Kj45@T! z8ONL-B%%kXtOpH7lBZ0H*}wC))tGA%NxB8TFT=t%C%VqY-s%c>eMn6 z1^aPBxbSQ`O^+^xr{5FSK0-vaP>P2lp3PV*r#@_54!d(%>ev*(ahi8%D74+ryA0O#?%N&p$e(|<^zy} zOKRCCmR6*%pfUv}jBZG3p%kv|JWD4UOo%pgtS}P~YDne=O{$238kw47Q6 z3f>>HC<^v>fp2QBR^NG}k+8nDWtVivN8Om`%M(7-LBwrexdQ!8jyiymD-a^AlZ($8 z)iTkp4T?2sZ*`RJXE{_$3M8vHpkC7=LVhjJX`wrd0jke^e6{RI?K3<@TWK#LB8SV! 
zDLXPB3B&KSdIea_0&#B0?rLK13c$L&WrR~{_W$a)Uhk{UKz#A9kFP*ZRb3mMF$bH^ z_;z?yFJ0I+ORFm=ttxgJDjgOctNcF6LJ2bac_O3>#CR|I2c}-r1-|29TnUSa#zKE+{*DLeR^WELEyPn;KKp{5kGDfrqbEyC{9a@Q z%R+aLp?O}b0Iz`q=0JqU_%S{a=^%})^sC%u_AH%Pl}scZ(9Om5&RgOZaQ^Bj#$hv> z`68fANb)MQ!4USUo+SDIU#?k;j6S#UEuDg z-CY$Vk!*Uo`R=FvU6&|s#h9EaZkH>$X_`1RTpG(YbJ^sUwuYswm|=C({oSQGM5w?S zTpwK;#-V_$`Q$QQO9n~yV}fh~)m+!&xx{~gM&V=*td*sYH;W{Y0^|X1Ixu!PUCh6hpGuXerI<5oFXkZ@$qSM;h6!38rCcL|~LVU?K6VYEvh?Z14f zm15gUHrn3qO2h!zWG@jr+p(iO@$7ixe7G?~!-P0iu)R>$Ky<-^B-I1a9HiJ|Ze@U2 zVL*^sD2`*b^t7BAhn7IZ?D*(B;$)4__g;PHDhBL7mn$p+xCB?lMQOG4l1y@yvSMU_ z0v#n2${3mltOTQCegWX6v&M;f2I;|SVaLw-M4(?*`Hb~U;`_!*;SH^Pia{X6_IyUd z^=Wg~k_dfQ=^B3qfpExKBM$82Bx-eW!}3%@M(;jCCF=A4526u`jjg8;OAXi22V4S` zd!4gu$;CHCP&8KLuX))Y;}G%gEj%z-1s`cDK{IwkBlJ+<*fQX6(3tSjkMzIS|7%?T ze^Q>#N0@?XT-E_*{d_VGeRGMJ}a2TRmuE`iM@(}d{k@al(Xi)9@# zsMM)StY-T2q#DyO3DVRS_lhov=(hk;B{4sn?cibYS69aVyQoUA#(xpkgIDyKyoa`3 zM_hjH`+;GtmY|&0zXCdO2Zv5y<)K>M=vPCmV731|#9Fbx^_aD?@mGGg{B`@BhbwHo z>gDaLI51Tp}?h>>vU>Qq{t(`Z%cK zKb>(Pqv@s(eR3Plu!Ll%@lbDb9hmHA5zA^=6Y|IrjATBA zNFk-ERXW(Pgy7DrH-H}8tgcl5p{fPe6`4WF~|Y?x%Nv-tMQD z@7(S>>h8wr(xE(|MsFNkYr6iJN5L7<2yeE78yV!&Nv5z*4B4bprqdL9Kbq43A9cHQ zKwZA&!PqpAeDR6D8PBt!__xAj;*e@ZGA6M$OIqBJ^h8_YV8FC?=C2c53enN_Z>UhG z^1>lvE%m&cV#RPOU7x<5HD>*BHItvzooJF*{lpX%CliT4W;vJsu>%OZG69@JfSkxnICaycb%)b@CaWlFs?{~3vo zZKp5|hiJH`VxsznF_0IUg-;shGYNumYW(@ka&dc{tQ}F97cQ-w=Ue!aG@cqk|8W|*|4G92 zS-=6Re;ABNj&pdv-yNitF%aRcy$Oro)Dw~n7Ve9xmRc_?nN9cZzZl~he*({FP#GW+ z`$sMdy%Ocd*wnpCtJn0HzSA5hjz((zAok(BbGz0mNWNFS(_L!Cr>tBO7oU>8;$pdW zLf=;!hFwwnh&w4i*XSy%L?bq_$M=#0mFP1ZO4)=WzDODl%UoF(?VX6Qg*(6jGTTZ!b?3Z+t~`$;KZMWB zajW#E9*v^Qx=#uu(ACO6QYy&Pe9WjYz#RW^06;*$zxh3%4JWnq0stR`KHGnr-Sq~A zj1%L{=4&h?Glfi&QG?@MruiL(8Q(Qnk~XX+=VW3KU?SkU36PxsZg^|}b11+#b98XP zq2+w(GGG9#s#mKygqB+^qsTRDK#@GjayA0bk5IQGc11B%8WgUO73&gb#a>u+10}L;65p~+xRg?4yVuZVNPk{pPiq7Pne@RQRUG-?Rq zcZ;ZTry}$R#r8qj;#VF@E6&KU`*{U^Zx?Z`quMN5B%6)O^!O`HmgM%Ucv_gNj zuHzo7?t1&HRc=qtMy%R+wQBG2`Sw 
z2$!pdTd;PvNJmt)X1bTdo9adMkPMIzPz5XtTyxh%_w~zq!r7H$y?Saa2gv$pqF{AJ zb~UuLkwIJD8H<+WoEx0z8;br^6gW*?Y!Ig!m|PH>QL;C0Rd*e~VW&bVk5n&EXXU^L z3Rb*^GGgBk7AQHm3=$_nZ{`OJQ-WvW|5Zzoyi{>`H87mWFZ?u}JeU##Ggr4svwMch zDkZh7NB#G7Ebo>Fzd8DEfV2pHESx&$;{ji$XU_55L*=R6ac6l~`~`)Bma4Fpg31*) zQ_aw*gz~*CtGi+zY_Lf54b!U{Mi^QW7ME}BpH`Stuf8aTRORh!Nor=6dx`0PupeqS;+@zuJejZWNK6I2ZpAx^UojYy7nS?cQkXByLIPL3K|$P-D;L5)TT zok4>v&{7A~YI%kEJ2ht~=k|@Z5Hd&m+|;rU)q)cR!T)(PRFJ9&Jk_Gu9zei6DXL4D zeD?nOrpo~l#%@T5OjHNa{;R!LPUzly(c6E15Vdb?ed2E+Y#c^{PEG4@GfKi!7!S2y zYE3(B^no^ZOOGpLbCiC|+!>kLJ#?BBO{y`WcPn0v0SkHI@+gDI*%4*Wc6r@6`Pk z3Z`KCDz^#`oW08Fx3~(3WK-vCO-1zX_y0e8@7fi|b*&43Zhl2=G8jNkccY8#*ovfa z5Fm?V1O!l=9LIxEbQe%jQ`NhxT8Lc!`@5cJ&bcntjV_6mz4v+JF>Fg+wN|amTyxFq zGj|V%eip|8y|q~~Xh9%=24{K3I$Z6K(FVlix3qWvqJnPO^_!40l#$4gyO~fo#q4I@ zOr6jHbck5Y#)VK;u)fY)C1o^Spk{0!!}S}F`lsj7G~ciUFB5_c#pYBsk}{uhJrOiI zSw^!TYqTFZJFJPA7YI^o95fWW02IVT)b5N}-u291jf>aY@(+bbVSWi|(dl=jgpA~r z3jk6SMei9?eApwT+THz=y`3{7PBCt{-e)BOch{HQ!A@w=d}Zn+F#ATE9s7g25TIHP z9NbUza2{Xb^B-k`p)MruXiFQV93)yVb2vw{@IC1j3!Gmv|%HdPe6L@Tv z0Wjb|5y?XRk}ikTy1QD973a)x6-Kz1?@AFsD3MQeB`}t0%XB=oFL>b>CbB!?pkK_~ zVS(J~m_UFq_QzpbyWWJ!Hts(c^?TJA+K_du7ClK{GJ&9MEF~AB&~!>jgHAPetE$a} zK-UXW0tHDDDZO2LW2+fN150p_q3NmAd0^}^P7$*f?;IHm7OiMv3DLUO!Vzkc6&F}3 zu)x4)3f2Agtw3XT*4@^d{El||NU8Ux9+knV9!qiouu9)CkqYzbnidu%FdTqxWNC6j zz$`({C~5%jj7ZVt65gTdcew|}_eKI*AR+6*$Xll(hF5Wt+nX3J#alo&I+0ekLJSkZ z0LR^p?kUSm^w$?rup}RJ!kiIxTMJAZ{0&;BJAA~Hns;R1JjIz5B6XwzW+fGq68r;R zhA-w)x0;v#1nfx2A@tVH>iNYa!jlM@U_2y}lQ$zkT5%(3>yCC?tt#rqXQeae6-%Fc zTyZe{NB}jo(7KAPT?S{;B#W_oc#5K1lE6~PO)6_Pj$lg{_gWY&qfV+t6!J4ayJk7d zR%+$tY*t+boQ>*>{Bo*6oN+DWzl41%xN340!j($o4iZ#yQQ5dzsIPOO( z-oQ1ozoLi$sV27cBCBwWk%0Zhs|>Z1CK!bD3oTL4yM^at4-%PM9o#+)`LHSs!yZR0B1XJ$pDj^z(PWv!*rL zEg*t;Ob-PDsePWSAfb9&m*FY<3_)oSfZ?p@!^7c&fHu_6SoY!J@DctaMnvlhvpdyP zbOWz6O!#|{Ty=LmsGw$NrP!{a;_yF)>iS=UpZafvQvCB@ictFb5T(*gz#{I$DDCwW z>HE{DbHiay;1^X_;n>jtm4wrF#`vetTTmhus+sflc6e3I-6cf>=S^PC^U0R} za^2ocer4Yp=(ki2GcebG63vw&S&Ty?ng%fF^eFa%b5Q%JWfL7CzpX8mffSnvvb8)JlMV}1%c@o 
zf@V|+Q%ru(GLdcy{St9M41tlh1Vj`p5W$;9qrcLpv&fvs{MGwU4dm)eBrsBMYpJY&_q=h z03~5qNlaR2Y5g(K!&}0=6Qo5?hm!=xRE5!@2PrT_V+}AET1HD$`2dkMZq(+lurWP$ zLMp?RZYjv#8ubsHzjy00c_34(-D;3**inWv^c>nIWQ}%B$);F4e-qKg}23IpU(Es6%$$ zh=GMBOGZH~sZoXNmsMswb5^0MFS=$2XC|LGHDr88;4DPTFyBH^0?inPL@jmmBz0>R ztEk9)ebQT6HpYyQfz{jPe~EKU+pmOe+1EIc#^7V`RM$3?=X8zKN{|2>#|5)X0pJ9N z*hmE`tIdOao6KUgoiI0W3V1!HJ?Q@V!tmO3rfA3>YT^-7t^!zQv${?NioQ1?q4d>2 zLzt72NU|hWRLCqyTIJ-E7!E5{q3d(E!`J^Ro`Y{mc-$2v=j)q9{T~E?dBHX3^ou8&#rR)4*AOC&y^*8+g*AE{ljNAC@ zVRr1UK-Qzdp<;0$NgU|PC6%y&02i7V0I@Kpxeiv9LgmgviKq5twivv2}kY z(on4upCFzIiw5wqm?r5nk@Xe#k?TkSCPl1{#-)~xEWZ+f@()outJ{8YNhIkNP)BY! zh$1GI`$DDRGJ=w$KAK0!r9=-B!%q||T&Dg*xL?sQK#Xqo%>kj73bBXhNj8IRu~oNI zRY^hc<`)eH2nR~u=600QL8#X~*r`_xln6Vg^^M(wqm!(iyM_}PEJL9fpknA^`YP@o zYA-mw^kvIeC790#@mbm7RdHKr9EmSp{8WB^u34o?MrnwauujbNfrB4t+RJkuG|XK_ z6UF6zL6Stimz#)8Y+)uIKiqpZs13y!;1)=brx01<9E}~|b>YH{9qbjfWe)JJhV&%_|mk$8#mleVesE~bivgPjLz9|_y z5HQA)G7X*4ht+WkA953VCvs+Nb{ok8ZHk+ZpG}@T+U$G@&X`FNXIxOLWF7~xHW~ED zz)*RXPSUY{Hy%!@jpv$F)6n7<9ES|RZWv_2Oy&q7h)QX9&KYh1w0s=a0Qld zj6n0=d7j7)z;x2_4zoR9A%4m6jP4O%Yvbd`Q}3&Zpym2PC%EXv#o+5p@Nn4@5ZO6J zF!mAx`Gkk6jqj8$9(15R_WFy>UI!V^zWB_gyO*h?cG4e-RmCP%h znAqaNGbrtCLDT{2${{%!J%j?MNb5{l*}y#;gsWv&N@?5%Q=QbEo$2+{Js0+!uo{E5 z9!U0NI0oT24hLm(vdE&->;2&me|VCe6gS=>iQ!RtLcE&V`ta#h8OCaIX(5ru-@a1K z8MkQxJ3_7k3Ipi%TnA%`@)X?O?yNZ}I6IMI&=gH9@7tgdS%6jY>+%$=k|$MoqNzM0 z-=~6uA7pN{q%}0)UY(*UmxawhwXJ-8_4qSthtzp$ETSl@+@Rb`M^;DJ{1LfRuQ1N- zor4bCce*IbaWYwwg}7`Vl1&e<#ARcrL5RO-fVOslxRWQ5L~7zp2Z!fEciSJ)-2><$@vJPH^KJRMj_owl4++OXrZ*{l*AM+#^b87^lU+E4+EE7o7g?&HnEBAHII@-TCj&vAg?+FZU1k&-TuLzkRU3yA4;4 zM#qlw3itL!p`=G+2X1vO`HF{v{jO=|*-~>($)JKOjhA0k_4#%jR`G9FB5lLEyfpjnG;tA%%wF4Us7-kO~-M%wKhz%c9s@9 z$LQZwZD;)MTwcv{x63Vvsmh|mx3hP0cK+t@?Bvbq+1{=X-8SyJ+z3K=km}>ZT4A=6|L&cj zl;pw7^V9wB5BGMtAj*D1kwsmWv@Be_8u5_2{)?peV`ti!-zl4IE((tyxj$Ace`WEw zxYstCO%r&#?wdHu5#mtyXpmlP%{mSrk-#aoH*)FqBJ1Olp_uD_qhlMSJin;|x(I;L zkmL1T93MDxRPy02+)em-p;UDL(_fKDMpY2FF 
zT5Kq~*rllPx@=^Q;&-#CX3}T6L{`K@6PoA-!A%meP;dKO`Bhg3mYZgj&t_6qPX!%_ z%Wh#SUh3irK(>S118u*;tdKlOkc0G7eL$b~#Uu1Kla&_Vo_+Yn=AEbINR^l*6z#@G z1Yu@_*hCR2VxQ;&w}o8I#gLno)go~Lmf~~l!7ZUJWJ;& zyYnguia10`ay-{Z+^p$5msNX-DsxMUZG501N|@TZ)MWU1myaAKIk;C&IG#4k4yV5W zP^)|i*$-7CArd9K(R7YweSPR&TS3}R9KXNpYahGXyiH2f+w?(%?_2D@`z_`a&f9u6Mp4x(cWS?M z5Qm1-=9zv^c9X^#EEhHhYlRF13~hQn%LOAS0`n*;^AdL*6|Pyc81=crJRHs8RtGfb zsPY{VoKq&mLb)-z+5j=Op}4RZXG(fn9O2CFLOR^LVsaO1K>5*!YZ$X)unqaUTRH(c z0DGTZF~Hnz0b89s1e*k;3yXcFeqkG^k%58OTa)r)i}tfE%QHU5ev?1B_x-jaIg|Dqz!@0YA<&9%m@(@!@xc@?n#teybu$NIni;%aAxxuO$8t8r2p)d)dNHZ7pU|J(QY=6yF(uJ)gLR6z zrwRVnGDK3$mL{%GTBgBuH@-5akL=U>XtJ$$`D_d2@h0|WGdUk$xJAjn>O^I-f477a z$H0GK3)B4sSo*pU@0t82SQ8+=dl3qMl3HovX14e6r3w5e>WOYa?1yJp3N z6lAGt*&9s=YwJ3@EN%m~-E}c>Qfc(TjePiam=Cj6dD5(IYL1x)p>W+u9ck@0L#M1* zs!bq~;(c02HI2X#Iy0%QNF40wbWq^iwveK;K z_`2;G2*IzQ&k&@6-)ev|8B218Bo2i2);;oo%&(|eqBKenN)}<{mRfyLT$KV9J}beJkzy-o z%W?$>cqrJY|0LMAt{~kP91*G0qG-7S?xZ=Wj-O;BH4CB$CgJ;Le6qRi=j75~izwLjK1m?|$6XT7N)Ru5d!d~y2RrXWcPM%diXFpMp!Jm*b=q*s8m?{7q@v3=Bva_=T@ehuO*F`By0*)2^ zFWqOi9^X8`+YS5D&uL#IJB<;h<1u7$ET@+2(SxtP{jhqJO!v#k2lwparwIp@b=@Y{he3Y_RE(rNT0ph%MSPUzkl`O=p;Mc zJ8-`t7-{?9`=gWnvsbUboFOh?27`yx-k4-|Z-NKVMRHxbb)Su{@A@7XKx{pVd=Q}z z`%HT{Z5U}b5FE^r{z32I=I4bVKn(-^#D4^D68)yF`~c#AI2g9V5bS>eKPqa!Y|XOt z5BlHuRbIM&5u^ah@UpIl0C?8{OH~y2&*O)WzQunZKggmAPEq@&ym;7Yo%xC^X?rfi z0J7*p7mxnQE~41QXxaTNzI~uS-8YNTxEe0>(H#QX`+#!Us3$$O+ONyU*8ADIHe09Z zew_yIkvqGJpD8oIraln_ih$)B760O(l=%_B&+|~wFiBBJU&ILUS_=4e6l2A4`v$kg zg^xMyzWA+8%xM2ffV!YBp=6=4^6L7c_UFy|-TBcmoU5mqcG-9IxeiZeC9W#uHSv=>2S=xS zr)THK+b4U6XKYi53!!3Z?U(x}-KR1N2sT#)$r?-zb;w;E;tB8Q=r?Q_eFc|=1|tT6U1+so0oa=xgh@h&u>G<06^~TrafQi)hJI$x z>dBb$UYH?FZ6* z1C#TIIPysNeZ6<~>S#AQiLtaV;*EEY-xO{`$p&}~ywYWc5g(ePg057nQle0#2`63D4 zH$YqjGF2WV8ZQmHOQ5v0e;I|61-;7YB1J#cy6XmwKt&6@v3KBRI(WgE7CIY)P1iJt zfSL=K;?R_1xCCa0VDB-n?V=$LDQ-|ViRg-uAq#tcc9<*@Yye}_H_nv=moafR|Aht{ zC`axn!Q`e9MfX!kCoW$l_jh_j4KwB%&-_pXF~oMGzLffb1U`%IEz((fyIK#Qvr40U 
zHvOC>AuaA~pEx;jHp~63T!eFMV#&A!Zm?q`XmwLt4!Cx{uqx~`JuyTg@kMTvCgn^o zX_*D`6!5Z4Nk1A=3$%4AmU z1`|_gB(}1>bnL;vb*C|U!CtvF3b`z#_N2^8ax9(Ha zt7pnMB1yrDW||796HqP{)kv~A*h+e=<mHZ@N|x-}A|6KFM1fwG{@LX~Y~Ri~1cis5nHgc^fk=?)fCH?hB9QVJ}((I4u*%DU})n2}T#1EQ0Di8Xzib za8wDW2SicQPkKOOz4C?T{oNu=6p){4yukNNX_QTH+K3)bn7`cVxieFz_b{k!L(aY( zsl4%|+=L5oeTkmDu2eTP-Fxhq&>dKxDKM%CEhv4W#a5RS+^G>hNRK^`5$N4DE`hW> zn9nB9-kcot&I)(&c*qL!BH_(st@3iV;fP%R*l2!#ucrk!H#Iub4TfR%OHkw7XWZho z*J=mw*i{OXrDxQf>j{_P{kFhcaQzN|)9(HqBtXO~3OULsK&z&K5K;e8qVQovbjktU z0)SOb8;i^e^1INx$eq-|23`kC-~(I}1dhsvOQoVd*QHN$S)We)z61)&OGm7qXsp7} zp@(4!ws&?Mmp$1&J37g>vXi~v@130P4WvrP!pcbMli137JGn;CLq+fh`=YQaCMuXL zsqfJ1y)JV9x|iwkQU&tH;)y|B?<;RnFtZk#)@An@VI7jyG~1X#jZ8gghT+7 zS@`{VqcCLmjY_SNhP#7?n?kn46XZT>q0uNRo%)*Iu)IG5nZ zAAcNdO9{Te2!{|d7Qw(CAYZul;vzE3uY|A+|szcH802bE$UF!EQFmb zZD}?yLON7h#So%a`hg2I&`|DtkvHXtZ-m<8?kh8iD9|m{RD8QyLh{8xR050Ym`P%L zr1pkg_$OBX;|ml4AK0qwTcJUT$Trw0kIUCt6x~0QFt~<5Q2=A`Rg_t~!*T>T+bHtE z>AIK&bGKNBXF~7}G=7$}d}j8bHdhsgwj#v}Xrx+XR4vEvFx~MNQuM1-i6YX>2uNdo z6`Tw?J=eMML`;D>>YjnP^Fm*ZL|aKoJUe!I1~ciT&^_CLBll8Vx9{)znf*1nLpF88 zKm-?2u?8be$Al3tPYyCC3^sccG07G-J|Nkf)4lA+{j*n2B6tH%7E#r&QwDabh`V9C zv?F&j03z|m^eHn`N*-YEvV32J%?SzNH{F|X>77R;01^K3F$7-sEvdjH*Nf&*iD2AH z08y_8C~S?IU=2hk3eyyVp$7#AK5z0#p=??+E-V362%jNT%tcg#a>x?!@C8m#F8r!` zt=$`8MUW2`4?m*F#F%(jn)0RuYN&$hOMs+ZD(Ktqi?5a&O6|y-hkM^2o$YU*?fp_$ zkB2I|=MK^p6~o-rT|lF93Ora7T1^;ra-2IF89`YtH5c8_vZ&sbv$|q#5o#FlcK_kz z#nhz-b*T8+1d5^dS}-Q&>)2AKtxCoeJ~))I1*+nQVD9>U)3$)jcMf4fQAS=Von@8$pZy#$$m7_po^3Bs$jXC%@Nx(TfS3I{HmRMLGE9-abe5SVSHc* zRSU9R%syuaO`Z6kzl)u_`dMB54HW{ou8{`l%jpF7H;ZNl5BTeHG^-mo=#B`03jpbc z-El{t+4GTjcAR`WnG{3|PH%p>sDte^;ATS<4z?Wkg_;_@`#-qch%7O!g^9{~bGcR{ zd%i3NMmTT+x6p|6E*=_D9hG+E3pN+AV#&gIb6e+dkh`1SJIoGL!TJ95bo+Q;ICEOy zDvVj!w4u94QIKxE+!|mIPNoWJZ5U}R9+=#Z^v$hI;D5K`a&bZQZzoN!w>=`+7AsVA+71=e)#7Lx`n$V2zv6dq{th-^~sgpbfgP)-L%ui(rz}jFJ9dZANo*% zH)h@@1>U;rl^DLldbtf9{F7DSvQPm|q^P6{96s<*SAz3H{YW9We;0w1KK{p+{^D}| zPb&iV*)`xKwu^25T>|cZLKG$$+@SENu5Tr%gZ>mjZXn@EPy+l5g+1 
zw_mYHaCTI!nyFunAD(a|98cjzp%G%!`8g?49r8!K4w4=HxEnh+8^6&!e65IIO_zi>4` zbP1=yw2GA%$3#UP;Ajq*;i8{=WjSc#_fFIY)5z!n;Gw?o=w&@I zx83Bkx3V)RjK?ww)%fBrR^PSod!st7IO4IR>OIqZn`jpvK2TK>0_6bpue_g!6f6-M z49i5&VtF~x99%MMr5C$RLNs4(q5BbTsM90d6w1`GE%O^q&#y}$eCJXui?%zpacD=w zZ0|i>#xO#N`JK0kN3pd2tu!9j_uZG^7`4H;EesJm z?&bWd5EPc!ULqU%MAWE}*yfJ$K66TYaUP6?1>?^IPU9!6fdmuf?+4iEXNOtuz$Y_D ziNBUU)X{{^JuUK`TOec;Ckk>uiv2XT9WND<|9u2n@c#V&kR zD!ZiQ2x_92T?6v6D!4x0P4dekDpNO3zGP_Bfz6p=-?BA~3iI5uio>+7XZQ<)qmbVS z+n*B*%(@p%`HAF!>S>)7n)gIEtM<;(_x-vBuT7`xMU#bEq*KWZo90slCWS`CNUVon zEP5d8v4%=msL$KVaU3iD;8DfgsHH7j7k-Nup!Rf8pB?sIyNjM4<`9T===2&|>G;lS zcPeUye{-x9782htnW${Rf>_F`4ue>_ILThJf>o1W7Mpt2s6*2e7R_|rNoGACBGip0 zI~hCqs7%KUa)-inv0$2S*h(&Cw4IC`ajbjO(`_p$e8h7Dh-H+1t@c7$aAxmQ%RbW# zjwJ^PSjCXzJgFSUPlc31DH$OuqCQQEN{S|_sgNCWq8hBDCprF>k1(B2lkGrq=-eE= z(eg`@#}$Z*nW|PsCi+_6J7GbsS9P}_+x?W!<}2Q@C$YS~7t8qPWvFJ;&~xPx16Tk$he%T-~M90^!n7KRqOnlEN&&@dBTc*aaJd zfslh6h!W%T>s^x@xrZh-Q0p1g2`UyB3689&*TLU`GWPgJfG6K|W2 zJ2f8hPSmR-HLHtlaeiu&ZG0$(DIe&8!(w5OyJ_L0hzJCG*VPF$>;cGam)V&_kC{v7 zVB&>Hw*uvFr>u2TI_$)qtE+aWFS%GI5WtKAMPIEGSP_*~! zsZS!x`)e7s%jz%_QQq%Gomto{_tBF=d}WOZqL*2mTrBYu!wBsJ(^@Wj4n&2AD)2Xo zpi=TsirXj>iZKNrt`Zu0gSsSsTRF$;BEUn)wnyXRfsn_G@WtU7u5GE!+h6R%Yx=Q8 ze?`H9L-tvf&j6B7?P)Q7+q8fYOo(GClPi~+7pGFkTrB~Q7MKt^EXGkM8fNMv6(KU` ztu^kV#Crk>LksBJt{X!0cOupsW9e~e)N}QFMs`URUG@>?&CNy0sZ6ar{a}7cQlJt_ z^^;g(B&0M^r6Vq~G8m}r;~Os|dkRII4r; z)*tLwmpk+kW@d28sjX#&F^Skm{TN5^GzeR^Dio}l-w1Eb!?EB>AfHW^H+#P z+Mi<#=VHZm19?p|b(ewouzY4D@qV=`M0QGHJ0c2!x1vd(i|L!u^|N#o;cF6D^EX3( z(8v0}_#)C^<<6Cs0m&i`ZPuW1Vn`q{8LuxLLARleV3^Od;kfX;K(L+?`A*6f3n+Wc z!Ma^4UcU~h8;_c$##na_@M-r4_w{TvIy=}+z{ivA_l9_GmV}^2cR>uB!$!@!}dHCf}x~b`$Ravjw5vE`Yq0e#eD75YTNcWp%_$9R5*sKU~eSZh&i? 
zx8j`urP#gERPu}W&2}LQwg)X7<1n$y;w~Q_p6)yg+(-2?Px6m>B z0#t^1mepLr$~u=?Uri5g1TfWx&r=o8C$wBnX(x1Fo%&o0xsxIwe;dJF#813B0&BFS za5WJSTxRJ2(WC@1B1!#GZ53-Bl6}|x2CsXtMJODkQbc}(t!u5&iDfWxe5@m3d(-b+ z`u8k!)LJ!|s(9ZD#0fR>c?02ZMGN0kC%-7#+oFgJtbj*n0E4d}AC`#eOeS1FUdkOs zwn;(;W0H6GPk^Wd;DE%!u=1-I$G|;~V*NS*PYWj_d-%YXFq|J1Zq9G=_vfvqebI#5 zbZoe|x^Je&Hbf$dctR?FPvll zpy~ZO{_L!PT_K)VwxJ1LYScI9jZSBiJ_7cZ4a)Ef7=o=xdPL>%G@UCx6U# zws&6bnfvQYgMr-?H@%IEyH-~5@aSysNp|*X|1>+^KG}Y~cjnZT-J`wJ%st6YkN0-= zU;dE*X0NyZu>bna>&$8IJA0?6+3EiO-GeZ+e z25onDA9LG2uo<&#NcQ9Y0fK4}UB8W%>2kcxj$Zs9ci2yd`nr4X)ZTe{bdnvpVZr0> zMt}JIDZ2P^@8H0_y|>2^ORJaLzjMEc*7Ysh?e3jz?^|f$x?h!b?~j%v4k>$*g&WJg zf&hsSi!Vo#V$83z{c3OqvA6WdPV)OJNB2kZ4~NASHHg8Exa9oX?(uHk<|eX(OQ<=5 z1)Rj-;EwKB@H1abYJ?AoF?1!W2(WY#PLu_<1qoXDcU!ma0nzzbD=F%g8XGYwaOo_} zi`8JnQSG>tu%@X7yr{NX4cbl{4FS>+99U*V9d9M8js6+jw;|+&30HI{iKqTj@J{L* z3YTu7`tFG?rFb{d9*{kC_^idkJGBjpl}t#}WSJ^yhKWvB+0u?K@gJvgfiuo4ienrl zO^lMU9A}7RI2>Y$$z- zOY+;fY_hzUUO|5Q-PQ9=78lD<{Lyn6{W(~|d0CxHkI_}3Tx^L9M=lcEob=K)ye}Y; zR%-N#R^HNoBDV_gx7_|4n6ROR1&%6~37TdNWsDvePtI0w#W6f)AwdQPXmNuaZ@6|k zT`MGmxBNojzOGfw@{5+PDg9W zYVbPuKeXDNies!6W~T6{`eJZi@s=h>ES-$2d}KBk8!vY4rXClDFy`%Nx<37AZ{Y8! 
z-D0@wNVHQ`7DL+5iicnh$kEyU@eZSPO0oRuLLVQU?*E}fA5C$EUK+hHzu(yzH0>Rn z)UCTtMxiD{W7T7w_WG`NV<5+sup7sD`<;H7@LzLWbL1c*r#Ck4(N3XgWT9{{f0e33 zSOa>?NndyJXhiNn0pg;dlyKj95FV6|+PP&ZF5`r&b+xKV`o1bAc6dzJSLbG+zt(S7 za`u)V@EeKeh|V?q3|@3nuA_GDg!DE%1#D_?7h?WV=78vIbn4?8u6cTUxvJ7; z10V>Dw(%cRcVW?DF=d2HU2pmZPDDD|WJ7;2K*>*BrG=eS7Kk%(KCLI^=uX+Hu4?o= zljo7!%lm?KuOk-5G<-n$>2$O^8i4F5rc&l!gP=xufozS~i)@u>!mM zr$78_HP3sOSqSr=S>@tgNf+LRb~4_SRVIlpU1Q`ExRuZ}ktaTGQp`&3l3|Rw0EQi$ zyvh84@%nXsX zcU2DNyM1ML32W-U?!FTS5n|E3eI)0r;?J3i>5u_kcIA&tsDD^JOv}JIvlN;?h!g%> z=m-p}3CGH3rHxb7=1d}&bzO9%=7MRAmt2>sq&U$49b@p#4KgxWqo$rR@+dm8DsI>C z2VFD1S&M+xxL6!pHboopQrH3P038Ifw>fB#8#-O zG0||tUB+-JAZUui+q`Gu(w)v+R_)#i&78hD8&4!;USzLwCW5qZ)OiyvUOIMPs{#>J zs=oV&V)X?s0*Bx43?T)iMO-uPQ`rD_olgMJ%k%uTZ%TCUbGgNZD3Z({B+p4)IlULOpWhfM-)}eW43!fFt(ql$=ILF%e168kWSC1St&lyIe5B%^!rE2m#c+%W>4&0xi7jwa9xC0MCURTe-VU#)6ZbFNTU)K$9M=f) znpZ4h>>O8eD^Io`R?1n!{0n+AItR7`>!Xx zpe27aUh*XxsnYLKjTB}~2!i>$Ahd`X!F3R-O888avJ%~>Z<0+6k%g8Z`zt$J=u37)LZnMxm%J%OI+M30~p)llAT%`;Q;? z|M(QKkHuw2bIH6k7m_^xsDXkz+m*;1p$LnSIv?hahqQ18cl55M1rC_t@Urol0s~lJ zJB2=gKo0u1A|qaH>dGLn(M=Ho8%KqyIv2c4l-;JNR29Xyb6BZ~+v%fp`r*tWghDfz zG|)VwcCk9YYyhlUA_W*_+oGI?sOWBlzbrQ5v`?u+A^Uwo44YV2-SmI#n(YEq9V2HVnX+MHrD3)&>j&nS_Fyag8+K&GJ*MhE5hclEHK}S3MFj(J=<+W?+5-YSc+Y zhPQ-(TzrWC6yoPtreMmxEVJHBdK|GJX@JK~j%+;yV|Y^ykSxH_;M#^=8E$9xDOM>- z0xzqeG>e4oREJWKx(z@tEMG`wV?c+aHnl=aRT`hsMml6x5=hJq__ml#2FUoZkN~4N zx$H$4qTEYszzV?4#jcJ9yMNx9jq3-NqGMUXl8=@%n`& zZ)iO@4e1EWkaa6NK6D)2T_;(#L(GB9aO0Y}V})8@FAcZOvfY~0Gc}X9IH<(k!QqT& z*f*WOBOyBd%_Sly!vl(%@jf~r(!Ng%nqbvtj~=X%%H{36jiF-K4<7n;2|j-sL-ZKC zZfpt4NISKoE5~5$*R04Qmat^WzOnB8;y#~!;m*xx!*F9M=k z@T~$#VRE8;JDi{9t{M%>`u;A+QGs?V&LO@R+7&? 
ze<`W^8YpaB`SBlF&wE!$2L4G)l>PL(hb$obyGQPSpTA(e-#zSH^WhZCt9*nFo)lx4 z*4&Ug$!Vd=CUQe9wgetZfk4O%GE6Etx)sQ;B9 z!Zfpw`C=6m zhq6kFHI`aCAUUD#SiD_+K>e|Rc`lp`HduZzQm%pCPw?_-=$&$*p<${gMvwe3+lK$x z!W-Plk!Y?YASBOLt@SENv#&}FK_x{~Y$mlN75Q*)^mQkWL39cA%uEgTvZ!Bb{_@e9 z(swios|*~ANN;1|5OD8^xNFc}4aBfiEv^ATrit;AW$AjQEFELgvK&bhKZKAOXJP zUY%R2G9-5oRdD03>L&{c70f+_BrOspl4B&4k!GxXtft&jfz0_CC)mIw*|?s4H88mv z-1ma3&Tf7N=LD5lGM`NK58UX+y<2L~<1l*xeLYFV?bIReV=RIN-Rcd-`SXN}RRh#X zr0pBx0`3cXUYwclH#@AHr3XN+wWqkKuV-}yG#0!WY9KI?#0z(}B&tM8*eXJDur7#U z&ivtK5;^w=_v17CsoCNVZ3`+%Nr&M?;ycB!B`FYwt(C4LubjLs44UDTTQQHo7qw!y zl-USr-#IFCyPMp1fO&-UWv$H08^8HLmmr@AjbJthS^F=|sgkmM(J z5=Eqp6={uCUTCP0($~6fVqj*TkB=X|6Gs;PDn3Jp_JIADM_T3;hea1*C6t2gOLMsL zxgnZ4T3%+!hR{AGHat;91$v??umvbajnGt}{iqr)XW(KEOF_2U)-`vyx?APh(zpgX zCFR6*xD4I;RPTL_XKdBA;4$5}Ef9DQrrK+dZEcprq@s_d((v@P*ICR10+%a11_t*- z#wY8BNVrQN9&-fdu^JaQctt29&ZFnkRd3W<#nFvK_s==HfquJ3cgF)Q1pm0x`i1rB zxdj_lw&yMjscX#pPT|#6Z438Wwu)5ynaH+wb>j{T?u1}QMN)g`w{TNgQD3+KE4i#B zUKvRQ_BG59h6lVM+$Tyv;{E32p0O=4`B1SqY_85=v%;;>Dg!nls~er#w%?O)p`_0SKO-~M5s6pNrK`oJ2{Q^co!aeB-5|u)i$EDOCL^oJ8cP$$J zsdKk*Axn?;o`Gtqu{h)%IZoo?;k}_kQ=ddw^ciFpuc-J(5&B07e;{YB3kmSKQP~9kv$$q&5R6OZmfUDeKnbP_`DigM<(9|sII$Tqwcu^N%V%3iTc2!6p>&+K zhu^?D6AbxWPc%7~jLLH#5aQP4m6w;~p@k!b@5CU3lC|Phqu615$!yHFPO1&6Y;_X5 zvOSWp4k8qOO}58Qvff#X4lO-87X?M2?M4t9C{3`wJ#(o{E?Z0`#eL-=cI2H_0hgN6 z(MyQr4cukhN75*|A8(m~1TdRel1vPCOyM6|*;!-&MW&ArpfFcVRWB0U>mhuAKYC)7 zlJ#W#T0g36e3tsqH1*b}-T6xd-NZx>84cYK26C2HZ-Xowwn8G@5IGeNtR2tJhX77M zvA^xp&|Kb!TiI2r=0 zW+QXQvex@J4g2;{L0D_}s1&{`VJ=&?Z6t>wWO?Hd-G5DWi?w!)YFpRi@k6AK`_+Bs zu0i+DvUi)t-Zg3IJN$D`w~s!f+ee???c>kr_VLngBU$7F>lR&4aYV^EtkmZq@AFF{ zT>Ic{$48kvMe~M`0Zzq5-L{jW0_H+Mn+wHWV4AsOB_gteY7ogTB#1tr_R9pkYQwNZ-?h1^oU6`=0v|4DQCf+FCWHE2(W?(tli9`^uHUohc z*2`)5HN9Oi|sWD4`WQQ8Y}dv@a79G4zO^m*TD?2^}i_v5(0Kd{>AX~0T!&L|0X z@swu2$QcEObY~T1v0%#k_i6l}d>W0EKKC&46n{rlfrF#(U+y3L3(`6!^_7GqtOUpC z3Tt+0q{36+-8|2p>R*$R4bN?hC`jg&d0bp;4Ri>ky1WB%oN6UcF>t!YCQ$mC#YzBP zS90sqpJ*)>!%WbXFIa}sbvPdpCraY-awb5d9zA}x5{kuQ@)sgMre~yQt 
zKS^6_=!=?~D#DO@RO8{nT-711BBO$}yJuzq>8+`393}hS`OM5#f{p{eSgd(49zv#B%2L(R;PYSWz`;%7n`cn(s zwSjMu2@=o9FJAAb-przSd0UCoxg3)dZLnr!^^vwM=vhzB!_ zP;)s68VZ`K=Pi_3@QR-vKk7ex^v%yOyIcuWb*}jws#)|XgR33oXP32?v=g1A+A!V zUeBn5%Gz@tjhl!~dcAj&-)`m2fSJTLXB^n7mb2x4*g`Wz>}VqkudxP-K#msgr^v?$ zk3`x)g<*9s_r+1O#v>gizR}5hTlt1UN3UVJTN46=F=DnbSn>Wc{Kvm07W#~LkHls` z#TyvVYfNdYfe+$$w)`}D$~-BtktZkbjyB>AjooR)shAX(jB_iE`UgGvX;NNQh1g?z zJ}2=wRlC){1LG86aVgxR`v5wL;Z99-q*sYyh};ru(-<)`f4#j zhi+_est%?s$RRr*MSeV@um{Drp-BD#vCU@lN`O^l24vSg9~37j#Emaef;*{bM{4zw z0f+^Y-&K#i=GfM;5vQ%+7FzX{kPJxC0)VMI8$PYb--XKU*Bm`e%9aMMwXh?!-c$yC zY$wb@Nr)@sZfux?B&3K}&kXf89Q9@rPqn|RQCRLl9R-MKa=$Mwt@Scl^;b-49w$Ir zDvoif0LJ)^xSg_WJ3z(wc`HDzJAUc=g*Rp^mS*!ygjMlXOH|iEYc`be z53}T(xx{h#FaA^CVw)%^fgMM+IYPM$M-9L))j}qgUBfdiI-G(eGR057rrNHKTo!!E z=((^rbkUr@SHxDHSotkMat&vXf_DX>Lb)+#(iT?%m34ntw$sBrj3p|oK zSSH3qmxqQYYDR`d5KhX=LLehO1#8^rJG}WUbX2qZ_6o!8pdU5p#wRp>e=536<;imML<}1;}m26 zYvflDxtBhXd@32!Cg(_6>cUpJ;Ru`Gi9z-z7BJc6{Lk~=j+9Pq>bbj+v;AWOSm)zy zd;IcuyNCQ`+G(IslD+4}yzD&Md$XTyyx!ii9{c!Z@YT0ieEjK~uOiCYWG9oncR-+* zFb>hSrDKKKE38oJ^T|}-C!oCEOdo3SpLGMCwv#-@BAp$bZtb4#9P7bSHtuWjJg+Wk zY*}nr742m?!9Gl>J!G%9Pk!jMM-P5#%)_T#`oT$}Z)7&aQy?YzIfsruJo|fkLSIkw z-l^1zi^ign7sL+LN^$`CB@nFdk*&9_HORxiWc9h9PVI3#zEAIc88LiD>nU%qMe_Lc zE*!Dg3_hJwo+_m*HvCjdd4BB}LvxLQ7^i>OX8IpRR3P)3*h7i_@vyr=tg57BtnysX z{?2xeauLqUrt8I_0tn3A=U+3w2w$VXw!*DM_e$ErZ_g zjH67koFUN;eM3~WyQdvp*a*h01trQ#ze>Dg1HeFHaf~CZR`h@_ER*}Xi|uHU3H8G3&Km<2XWexSgk6rR3x9hkBTJhT$&>6TL+bHB-0KA zMb_5c>aaTDHyX^jF9#iB%`PDXeDjs5 z>)8f$`LDilclN2Wimx_l3XcuI?!>aE$gB~`!F>_I;)gkbYJ{_}O5_wIC7&K_cWTI4f_856L_&n7Y7bOQ3r(tr=y}Yv(<}dIuD%jW}C^ zB1${aONl84*^!xkn|5}|CYGwFYMH3D7CyN)-delZTKnUZwO3EpUO!no&DQ?HUaxxJ zzdrkg`<$WHOq7qcIGJ(lXrwv0$$j>e#t7F0&NJjYM6(yL=ctu zd-f~Q9lfWQb0T~%EdBH0)61DO%l!+_gDW7MYapN+VzxvNX)w~l_eEhc$y!3!d|~If zY>AI>7HuFdw4A6w5nuGRfrRDyikZG4T?&c^0ou3hDRFc;;u+z(EEdL_rq9J{T(;KE ztTb2C4Bf9$u)Z+$=p)f~LBFUKUI$Eetvyw}Nm`k;McIqb1oGd>R(;7BH>g!%8f?0; z);7bn2ansiUbNfd#!&#g4;{h6(OnMg+IBwEQaXkxgL)f$1;XEzxgS3C=Db3AVl|p= 
z5WC#M;7F_UN%UOMBcZ%*i@mCy;Or~NFb4pI#h*~pc|m7g`hrliRLh}xId2-kJpYzdzgu3pquy63FQ42 zQ))Xbu48xN1rkb+;c#^H+vR?h+hip|2i}IlRjtEqj zlfB=)**iUxBl8mxn4bJRyJ59CMzlMbxOR8+_j_ks$494Uuo!Q~?>=9AS;~xX!10?; z7vJOx(Wf1&NS(pVeJl74JcryM=!V?e;yY_{@YlbX0l$aC-FP1S=4Ag~_S)C#e7^2= zWO>Ed%8|rc=25)_zHQ<4*#;xiX_0{%tkMUCY_B5pc1+B06A_D!8&o5QP!5U{1+R*# zpouaWkr;BUjQlDM&QFHJ;VQfEUwBnlu+D*_P0v|B;~WZ(w4Tq(b2m&UeeAX zw8&$az}W1mY$a_X*-mr;j4ZE2O<5a6j;x6=2}k^SbFHDv$vBYn<-P7r5KViGU4Wq~ z^fydNvhx)l|!VF;u3hkb>`;qumPOL?2LcJRH| zP*{Ta_ryBRaaGeN2d5$oLTzd8FP3gq+t$yKWaonh{Kd zvdw?}G9Go7Pim{$G6}>`_WU}M&Q6by4o~+wyzNyZqMg${+j&EgZpq!pe4guink?(G zrbd|^-q-P90_Fke*t$##z39G>l+ zoTe=sGb32?x9!gV(#m0GvXfx9g>(7*-VV~0Q+-=zvFDk~=z3ngEh77q9~Z z945KKoxU!b-l2Dkfcgd~D&Y79O+jK`&MxZloh+&y<@@NlAMt$M78Oci>Huhi-=sK# z$k2^+Yri+aE_-=)y!CxOy=Dy~)Hb_nG@M2-UGnaT+)zCTFk?{mU+*7&-gM#E!K9-zDdZPjw>&qrNukj%_Q4kK3ZVx&L>%!)e5^$TC>h2$_ zd@PP)ijuy>`0NJ_(VHk2$OhWfmeB;X(xK%gO3}A?RorZJQG5ogC9tNygrcIsnm-Z4 z&b>yW(?(ym;VNI;INLcsf4zTt>h;~zYwNajbTb=W-}!fU_g-$lIXF8%-agqoGz}TU zI6WAA;M+|zdGZ8yc2;$8Lz%pQ(S2Nu%EnA-9TTBN&eCaQR{aDOCW<&f*A&Gsl{k{Z zb(I$TtnL;Wp_)igq#>Um^YM686mE> zx1Ft`#QLhlxzWGFAPX*77lVgI@RmPTg>xG{T+JlMfXFam1VqVhD4b>x1=8!8- zmyFom=*N4nJx_EzDX#GPV(hz6mTOVtUB$V8NO+ zBTZ11wUFXjbncbo@kA5#^iw2=p+foNBnf(2RR2Wrek7|%%1{u#s)@{Nw!_I{A&QpC zVTfgjcE22ZeU|TNy*oFDrj24Hh6}bk4^-e|bE`YCVmeL&X+YODUVTanek2!COF5Fc z&Cpv!)(R_nG@c8vR_JeG4u;(At*u?}ssc1j1UV)?Xvr}3Q*HsKkFh^0Q^=e85%6`!WlO zY@5;9k*`s!(h5O(?oe@{CO8IxmJ}sUm=ZC_vf= z+G{?7-1(Kc-^S-=q&uTpWj`~J${zU=eLeH$MP!$B{PZ91_`^Yi>G18uo+ELpPQJ9* zeHNm+EUc?zQ3!Ep>14jZXJmr+%qE0B#h!Xq; zh0dnyum2b!eR7wdLPGnO+5XPAmcYO(nF$&^)j{w`3c)Ef;v_0?5960L04%@k1$j$-kN$nce0Abwxf1>fjT{IERP<1 zwdpGexm&Rw39&C*UzO;rN0wH-+YE+7_UqmF67LtADe!!8AvN%r?pg2RjP|H6wPDr% z?~h&*(A74@9P)%2U5TPx)GHww+>hwr_@l85NXLf@2?PISJ- zEsW%G*af3g)|kkIR1aTKC!~=qU7IG;bP-TX}?m6evW= zlWfgP17P}{Bbkzvom12<_y|1-%dn5pOWF9&jWjRjZI{QG$vjG+OlATlMAGlLhNf96 z`bt2zgNfi{bWXj}XfR$=nYEQYlW4z8$Np=MJb@gcxE0o8X0-f$sL~kTlp0h#LRdB&=hcIwo$Z6w*p8xufY~tJ 
z1@X|-ZmsSFfud3=g9ipCD0s8NSnM{Gg#REO>sR%In@_SQyp$?;&Y!5Z z=>F8qM(0Q*bblPX+nj%tKKKaKB3s1A_-l~ON(hr}py+^es_}yz(FDFXHH0N&6TF-F zIEb++YRVY?d(BPRf~5(u5Qeykzx95_1MLJ`!N3XR{i{chz7ipELqTVw%$bsheF)zeY9GVE*ypkvJ}kclQbs{ltU?kOsDyWtOzYF!c3#?dfYP*`BW z#O6Of2O(Sgrk!PL&+}~UwApe$J%8m`#8V)o%x)0onXUaauiV4yt+l7_rJFYHQ306P zBf9u$UdsDFt+kV%-PE-Y(BIbD?A@w+&G&!WJaOH2y1OWmuJ8|Zx4QP%6BgQ@{r&m% zD*lRugTeNd+Xw!#wJzIC?!&V^l=L@NKu;j zrsXG&4tcR-;~R;_(iN7d4_zIj1qEXRu#DqU7U4Xqr<7d`2p*!7KSWc)dq_1HuyCS~ zcqD;oUQ*sPK&N3ei!;e7yLT|TTBiRK(9W>$7j`XfPX)G}l<8%0^&@C(n$J!m{GX&* z%yJ7y5G*~5Q4stvoe75+0lb}gn6c=CO}d(WKl;8Wfqt~Fn2HoVE!|i>c$?T-pfIfv zCqQno#wXcwlpa5xb0goy@B2H6HbVIgYF6rNiS1V2OU^Ay9rh5@u*c?sm+!a-_>8L6 z5^(}~2oU?&^CWH5_DrOdFtzNdIDDQzc}ltYxs~Gr?(WaoPe|**zxZ3)5Z?dpb7f-T zBI=HTX^oa$4XIV}#>dc3==^%}vEe-pM^nJ_k}+@)2FbEtNl>E(B7|5SL^e>Q^z~DX z6!Fgbv-JesCn}$+?kvGA7b%EEV401SjBA*g*z40q<2$>`)}4U7&XE96yatFZLAEj} zt78Q>LfY<+@YP^VEXUR3@W>iH;R;3NnZpY@t_@$98`HkfGg>H=dKkaowM`vNp=H(N z3L+W0UbYVo#I`k>tjG1U^`=_(krCtNadU6#kpPm9`!z1W-Pe-gR@|Nh&W%4jg>CQd{uKRA9-g-+)m{-YmvA zO>k%#CV{7CX@j~r_f|zS0Q!k~6>Ihl(MkKa_REwtD2Q)+!zAr!f-9*o`B zcG3cu71qj^;Ri2~rAA#>^vfnSGcgY#7`LT-cct_k{kl!CQH|SWhObb_^*5cv0M$ zY=!R6r9ouT%ub6ogjMK39|#lCI$wGbXmY6^p^~*B@7WBjn55+T)J-u~t$6^D_96*o zkZ=$wm5#~LLcxzjV^(@aH7nZI|15lx=O#9q>(l@tl}{}CzUmeo<4JADWu25-6khmR z_c7Ef3+lwPsOVHx^mc2b!#JL@@j-tYW$3OejznKKsI6n(Ji>$GJCOZzbiE%LKr2G1 z@lvfBmz6gf;3{z@c&svhbH6VSdUD^9R zyg*SpH%B+jUckpBHZK7|(Yw{U1Pq~hAtBa`t1oV$IcfLlWkK)x2#KT8s z8GMd~RkEoys(?MJ<_blE)UMy@Og;PP+?%_`^#MNx);?a!>|L2>@;JN9N96>iW1{g< zHAx@Kmu4mS?_DOvvh|J)qC)5+6BF8#Ec9=U6{V6MMc@0#mw$6~SYL{=jx1)^>Rn$K zrtc;)$|nz49fE)S4ag5Ny{_4IJjkVeI#%7!Zu4111W-rL^sT`U;l5H_%=HeKkEi0` zf!Qq~UjX$Wc3rCIfDYd59-H5A)?LL&USXb>>{>05QW&h*Q5IG$+uFkGPXs{>2F=l@ z59n;CGoSOLH#tP=OVMW|SZPnUGK zBITgtkuL4f7c*Tfhh&CP$LR(a#o&W6DF#wug^z?x2BM@|y1WE7BCf3H@z=$T`6s9jcyqAD6;E@a#MQwnH%Y&5u@Jfg z*S+meSsq&u)dAGAW@#0sk}R9N6hOOjH-%~gvWma8mpcJ5?rj~Y6q#fAtF4jdC^>e~ zTzW6EZp&tLuBo^Gke6EEg`@u55YYguZ?z 
z!8m>Rv;>#cLX?{Yu%r;pv!R@7oVs|XPJa!~kz~6h$c5J96{)5$Z@sNANin249we^L zWP|fgO%#5#JY@Rkg=A1)f%mt#EjWU4F$lFw@4YL`O$z8U)P#u7TqC9&4A^tFIM5?T z@%5AT!pN3ncp^~I4RdzKW!pkMVfka9aAuc$;WoEu0l}2B#F8a8$+XJFOe>58&FGSb zRblN-66p7IyXR+@V1YWVGiVe~w}(k1U5j&?lj7Bh(2;z2jy{spqW5%J1$%jP*IxR< zd-|o>T)NlX{lS}){bXRXdHVWIFNw=CoE$le{lM(Zw53OKGwIZuKW8^d?@U&P6p^G8 zF9d_dd6X%0atkbxCw6xJm$c+LiM{6}WzS*Yj-&i*L3EwX_{gY~l`W+1u7t3(&l#MW znRJBNM+SG%h%4ycVe$BXd~6Hp#UKB6JIi`!_l2Jzn0{p;(8nxmaqcheI-UEsgAX^d zoMel}?_~RSUsnd}i-JT*Y_oI9scctTXUV=xsFk$V(6ts@jGueHkev^NEU1 zsxw77zs=H_Ex?r~o9oS7QDSp6xjNmSdfvjU`hIN@F5u z-)eXS-9`e256hHyT=q%vQg1}A1MvNhTR%KV-1`0;uRY)Pv1m11{I-ntE4}e{2lzj^ zKIT<6*s_m-XTVHWk%4qz);BeR32>y^ zzG&{ZipG+aFFq(A7_XJ+-Q`W$EyN$ine`2U^zz7Jt&uQIG#E1?tNH0^FO&Y zvVqdj!iOjPSuM6&)6>nKzgk{j`29%UE?__ozrN(J;!g2D&Yo8CNkj~2{|rPX6{1F% zd+EYndYC;kw~He)CrkCS2kxhFU9Gq21M&3NK?$QXTA`tb$!4b8mu=0P+18}IP>V{( zHW}Al&)eo)v*R3Xqr5_W`?qmH6`6(#r#h}^xoC6N@ukL$=LUQsC&_D|SE#P6vHzy~ zPKz0d69N44z=AH>zjz%bcH67#D80?GAY6?mOAtG?s;#Zt@@+Zf90h`BSkJDuNIWm| z|CB#$k0u>aI9j%CmQFKQzcS}eP(ZgbBx~7<5$eEKP=Q~=orl7sy5lt{18%Z8D@tUi z*H|?3?)nPfC=B&y@dpJsIVs|&86>0YEP5N3;{2UDI56UC&Oiz&o%wR=P{9BXiRx{r z!`NCjsncoh{-On11wh#e)_3X#m#~!;7OJM4UAE%cQ~s&)$f=!P#b|{KBcJ(o6zXjR zEg>>#nUfdsyI6ut@5J)n66rsV0qd-~_yW2nLp~m=@xR+*xs@?$axYViDih+Q6x{Mr zP_O)6Wvh5;$d^_{=vO4&YFxY*2f%ebVI^Y*0GXVJux{O3*;SbQ%H}OBWUVi@LKhXh z*j92@+K@vJY{I(73-P0shjF>w#UZ57#}MGD88?5k;2cbW#Ka&rsWy8i4i9xmJZr zq)ACl#v(~jK4#_fLKt!u!UAArj`mpC$Xa7Sknw_OR)v@-ShJM|WG)SRl`vPW=%s3Q zI;LS<6+Ha-aM_QKyf`K|I!qhy+oED(qz0rQ_DC|^=4}lN1h;sTh6l6z`s+U=V_YY5 zR&#MF<-FN;K`GCyeCp_$#SK5ypWhVikv*7!F&uGSInZZfq_#tg-$rdRP!=1@Hs;j? 
zl98OhN>V4pDJ^YppvV0fg~#yKam{Z@mXW`ojdi$|7ez}f@j7GZ$l`dFD`ZP~LV8sS z&&NFeT+a!%tYtQk3lhk8L7#5Ou}aeBv66` z>T?L`96TOAj0pw{Mwu&*Bb#MUaY6P;gSptlm95HWd|@yI1zg-|SR4Ja=PE4TGlZ`` zVF1BLL#L9au3X%y2w<@kZUyT`<5oX3I;te;GCe!A5r{{>oF(4LGz0I@>ZC2wpXntU z93^0UR9)Vjo`4m~b{N}ox(1=br5i)Apic~_2Si>iTS0WfrZaaFLp&&}`Fpvjwwt?Z zM69zuKjLMDODm9z3)|<4I2q3mSA@2_5&$Tr6q7eDpoP0}I`Lg(b`1DBzbKjMC=0ka z|0pVB9f3~SKqvlmT8^KuCqw`Y^Wvh+t1X#M%nbq?u+v9AhGLa{EwfOz!C3Bb-%TmC zlc;vmX1S82T}MUV83B$mL0}Tcs_l|e*Bz4_v7YgAvn~QiCCCoyTcsu9{GC!Zfhl;} zE+zMs#cJRJ5NWqDiQe6Mtwf?kM)*tR`00$oxJBio>sJL_JR4%z2~Q5e?!CJDTYY({ zH}Vc8N}L~crL!`hgk<`ZVEwyVU4XFZTAOv1LD0BN7L(}7o_)M~D1}R1hJo@_bwD_X zA4i zI|D{VA=Ns&;jr#9b)CJcZ{eVZ&=Uf%8T{G{K$V{?a>pV*9?TC@wp3;1rbT#Q{H0gRIOxtm&@kPwGf26YSO9jqY$b7w# z7fmA?+Mx~D4DP&{x?~{T)`-R;U$a+hrZVasb~F(-bCXF&i(B zPO`I;qc<-O_D)|N9i0(cI2-(u|8xy$a_MS@?il3|9dnTz+M8g#U}csQF|$a0jL8yY zRq0OI-z>YT5hkK(J(OUzG%qEE8(QVvsiE<$ldQs1XbEG2hghm2Z3=~yz)2LG)nrTj zM6-^$(Q8v-QIc-NntT;9%?*N#cXTb6Q+9^?}O)PQ4 zO&CL0?Td|sW+l1NI`orJqqXrl(6q4KGE$lMFKYXthquL)@mr~ifw8}2u13?U*5xw@ zan)a2$a7H%x(|y>mw=JekQ=B6?^p{nAOtPBqz_bP8iBQq+Zu~f+-eB^_twT{X5bLv%Y;Ux(Oc~)_J!CChitUsl0vDL@r)MijdFx#v#~Km({Zh_%2*Ts zttOb22}mv`dAFMJbh9oy?y}&QPFMPV`)u#W?LU4|4t&{8&mnn=$rxL6OWZGTMR&E_ z-RLC@FP+vK(0};?ivPML0LHvxZtO5jSAUb>(BZ zC>cxD87;tedwYxV{%zsSU6K>Red)m5*xFBY%?vb4fN3 zm&fE%qMTU=j$yiYHXeHaqtp*v55Wneb{9G(A^e5uOU#;LSIR;auEU8h0PULcDOU6{ zMAyQ(F>#vv&1QPYZ3~4y|985#*fiOkeO0_1Sr)fo3O<2NTn`q3%Uui2l7g|QPzZ@A zu`6@&-^fn&VUy-aZS-6e5&o)463Zg}TwW(N^hghM#NITZV;vXwR4c z;j?eWpZAVW&b;MM^{sbIrj!ds4JI?{3H_*#$fra(gwQVGH^nq-I(>=@DN+q{Q*3EF zmAC+|`?!YjWN@3yVYGS`x-qg8w1(;h4U!R)-X#+W1mM3Fx84}++O0)VEOe+9a)5L# zhuR%2+l0)6mS9S9C>lC?I4i(Tc?TA_k>Doq(9JJ!-6?E-FcNEAu_$pvFG$KFl_SYZ zYm1v{8^ha&4Gtzj*Y?C{H6}eVrtUlP2e}kaYH$1Rcy0OGui8gWaa!?IW|@Gzl+;F?reDvW`FyAq@rxXuG|)n3NRat|@W7m$bq);m z$KYOuO{kP~0FU}q74sHKrNubtG~}p&JO<>f$4B8&Dj#p!|8-}%1N4A*lR{(i(7wLtgS>9Yj z3E$OT#S!b44C(BgK~Q&a4`893y21MN^w#>W)Knld^%HR<;yD+ZyuGTOWZiiEIzTAt=CzqeOfSA2@fq z@LQAo&hWGX-8n*9cHzw01<8pOY43~7s@s-X0Yx1 
z2qHU!VE~kBMWndATwK~{6&F^xEhg@I@pxgXg}fAaV&NvzZ3%`nx$}T3DrYljo_%Cd zAGmjMh4N%5vj~A@8dn(sYJ20frEQkb7ktW(9N>!?%L#GgP4b7&P8>8e5lscSR_QdJ z#iC5+#xTF|`ITm)Q)1pe-Pzw4@TW&#f2|7fibRU>QqyQ`e+0_vT|If{8C=x<&YSFT z<2D+L(I#h{=n`)0KrXy$k<8!p6&*3~ZV?u0AIcNyWNwJ0J<`LqxD%b49^Mc$+OkEI z?4;14VhJu1QioWSm}0Ge?+<5tCx_by+3A~O^0ecVqwi0)U!Q(C0{|Qi<8y*(=g4S` zAG)uiUNq$x{lG;Q^D#@IuimLJ^T@ES>(lqtVB)qqn*$X8+i5=n7%` z~jX@qv+J>&Yd(u*x{vd*gkL5v}et5DObJhH#@`q&yN+#Ku! z3U1ku5#iqOks*bT>0de(wH_@V4Y(su_I^Cs|FRy5`D}77rLK!;%g(MNpbpc71T?^7 zWK#63#DOtTu`)g^5?7G<8nKA(3}SvhM&y>nej;8pJobSW@FhnwtOAxW&8mX<0+El3 zw_K&2;pNUBM*LP>|9nE_S<&@fJepy7t<-R-+rgoK$aOUg3#{}tSXf&@ z5#-Wp0fmTpgo-GbP-m^tem&|pUUnUbRNrbW*h@T&9%v37C{RIF-12)Gw}!*pbeWRI zilM+;DQJ2;?*fUsnU;grBtNf&Z4-b_1`84dWBddrkny)~}7HEa5 zla<$_YGicJJ4v=slLmBQ%#%a$!9IpCFl8pJh7huO1vKndH8pXMwJD6cky-Etj5RMK zI4$6v>-x9o)F`&0RbZE7W0CwU z$R+MZ^s9;qAfklGXpC8B(B|Clxa2SDcYfRGOCkaz`I03PMf} zG-=PFU7ol3)iWm*aTTow4lHHvx4=wvOMq6jP($jB&(q!nxfn{nFL2GOhlD7J<3rH_ zLyJ0zRUOVo;e{v=@-FO;bAT4f^6RNommZ<`7b{+6o=9-K=hLy46hspY*)po;7Y#a$ zkNX7-CngQ&$>9gCR_KKC2r1W8L&|0SXZIx|Ev-;Bdm&#C$ z;?{K~oMc-(tp6IHwR zbM5t^@=Lw3tyhaz1EB0Jq`WmWOQb4&1?dQQo}u0P-u?U7U(U6KX5F@Xku^tQ zV9|fINWrBjH%Om&DTyM(QSmaZ?v)UU(okU{>-TPqCChM#p0=2Hm-U)8rlsh(8#82g zVJY0Jh?jFHVL}K{#()8*-h8wMila~uw4%I5U7PP+(tS}A5T#$(JZhniL_FBI0+>aa z8kiXC44P6ecR9D})_gXPmsWhhY>~`8U_Kv_#%u^*IcZ^Yxc(sGYz*qP7N2Dae6xH~ zRErwLA>3~21dp~Q%!jFmi@~Bienw?GtBZ9eeqW|D`D9e~N$Q))R-+jB+ViWzDI}6w zg_I`VJz~R%yFvhD;M((_L?%TXAYhM}En@jMwz!L_U2}Ru*F#Ajl7$ZZ;LPvm2DxWi zavAtNA~E%{QA{YOU4^yUhW_juYiQ^(FMV9%qfs#maL-!pC8dayq35tIqSnMin8Wwq zt>^cn!fZ1{$@3xAUVAnQ*Ed|5fnXq4=9I5qW~j?jAd<*UZ0TumNVs!1@Nv*cA1hgg zEl|*mnX*JiV)7!KubpmcbY(VEJHZaZOu7es4SIk9G4lvlK%wCe|M`GHqgh%3{uK*G zu_id#XJIq9%W6LB9T@=oik%wzt76woB2Xha&qQ%2YCUtjB@sE=FABmfRa&^dc~#n* zSB2$z*{e%plaE{|`jt9yh;W4bnpnC<^=sd=AHXl|G0d>Dl_|I9Lh zbt@*c-DclQi%4kAX9iHsODTCt1zFHOgV`-wId24 zofJeVX75c2_NdpoVV$VlAWK(;BeQ`~t4^yA*pDprsG|bsCy*A4xv>Q(fDY2D2ea~u z7OEPk)ufBNQ!KZxZ%`*hIkt7Dwm4q_4 
zMF6&|81T*SV^*0PkCG)z29vhQRKX?1EihqJSmL{qI9l5+&)Jq-iq*S2+MP-CJbuQ< z0o=CG0J$=bSq&#(K7yUwfD}^nn+T1t&AeL%6!KU?tZ5ZMAsBW9;`k+zg*ur6JIq*u zM2!XeP>M8hWA@r7O0MHXb9Da?b*CMkg<$J&fp4lto?m>uUyIJ~1*B#PEb4pJG_3LK z>&=MNFKR+GjvL4j+C(h*NG@L%IokcJIJWD*U2&&+oQhC8ttqTg0j_t7#IneMjeMEI zyb498bllJ|_UR;xy4ga&6|npYxj*o9{CVkON0jeb9m?bMWn^E{$>TbCpAxk|h6Q~o zQHL2+^=S>NhSa7J+f~_mXS7_?YBs=PS$!;3BTUj$mqS;Hc9XN_Q-~F=jMXa|OTw|E z-a1aR`Wa=L^|FosTvSewZ`h;kZtZER33D(dNvPaP5fJw{AIvI2;&zP_p9t4Z^NF~A zrzd{ZDG4@FE}7dy0?}M6vt?f2W?S8D-C#|XgUYagF$aYR|UXoR&c0 z#us1ZJA?oPjo(+ZaW=j$r!T)4IV=AjqRRd2bfbO2V7ynrhBNg^*j?o+^rDih72lWw zdWoEB*)`bo=Bh{)Sv)sHxG&OUi(pb@s#|I0x!(v+D192R!n$}`|XzIV5TDx9OLdLLXH06##$zh>9mFeZb?-L~upv#6hd zh*|;C(ipK#8)2#xhewN(Fn#7KZ-%w7b3aH%NSs=6arwp#{N(7D%c>C2wem+K+`j6)3E@7k*;NQFJ1fMRkx0*Ncg6Usi9GHIO(ehW_aUQRh)JXFx(*N#=m2 zpVGG-G6=k{LpJ!z;QLa-fQ8-N^9PKdMU)Cjl0$16K+7R}MD9Xc{J$CcXUtqgXB5rn z+I7pJMViANwY7;u$(#Q1%|;9_a*(J$5;|A{Sx^1d!uXJ~Cr2T+$0$@3HdRKj0nH0N_f zLIdxM2?KLHedPpYD}kVc8gAI@u^nt0QtS?8eiPA0G{32Y7B^fBBrGR6GnPv0rux&K zPdytgZ+=d+OltWSMb_pmbplGe?3o;LqsgAJRA;7un2Af3YpIHugw`TmQW#+G!tB{8 zb#|X?;kG|T1Y$PvusV`i6rE>oOZ+4EWDG!RciBYPH1!f}*s9;VX$_y1(fg)Itq3D@ z6!}O(p@9Fk`$tdo9h*~=JDLM+Q2QR(qvFtF-n>5|u)~L)(;#9~~J+i)XFjVb{!^rriFN z@Gt_*?o9uz;o;?w@1p{}kaWuI{9^*W4PP+Q*gikdi%^UY^=6+R=ymTmL%s0^ePo~) zJGL3>&Hf$e{db`EzeS*TN%{PoD6fC{XAh8>ejB1=Sr%bE<@9&S+Zsr$eIow(N;jhV$A{``2Ey-jdfd(+-Pg{L#2C&21z37mP+(uo3RoMNZZ z7}Etc3E2|1&CIY+OgPz{L1KBB?x={gVd*W0!5X`vrPlEB9XuJ?<+sP#;lbgz$GY&x{}?Yv}C;^q&)!U2nY)488Nd(PJ1WM zZ=j7xHitb;#l-BysIs zb-!3T`+K^qZp-=3xU7SwkbD2}S(U}Tosufmcl9@T>GS$j~7ZH6@VM`z!sJR)5p^<&*h zo8={Cm&#ANrM5tPK-cM9eLXfIFiFCMY%gW>Ngvlk2H+%_SYR(337uY0{<}ldGUNnB z(K0-uOB#KO2|;eJj-3fh(0Y^6^udoS`m;h`JAR%z0UJL$fa+zP5W=$ci=l-TM0e}L zasy5MXSgGmS=)cB!eOv*!x}5Ek24X*?#~+Mpko(xpNy%xW>53!sT*cJmlVdVH|S}j zz^N4fZW{R)T(aoz20=j2G2655V4GM*s@>T*)e7$AS6!Y~GAdL`dxwa+>&5+QCeNs< zrhWi#W@`1g#Dfv>#>`uBunLAb7E=_j z6=ZB&F4!F z9cC&h)|o=rDpXW*=-_@Xx$&@a`>RV3o_e{t!!kC$wqO~!9l^)QoUmtpajElj?yhnE z5vO%jtc9$x)Mf+12?i(uvP_%==?m}vPg3fjxm2_4ni 
zq4_yxn!VD8!QBvT;gKwP7q z1&>})36Z!D?@A>6w!DEA7)RE5FAVP|`55sxc!LL?TuVZXNHVg}o5}(8J5fS}S2EFf zy>EA(zgL&9duUcoXK+Yno;;Q_^Hx@9Q!+|)y>Nh4i}&oV?oV4X15A2@KO8}Xh_4&Z zv`wbXWERb%ZS}T!)FsP5N~c;+4@hNw-#)!+E5F4x^Q$DeRRSjq07xYBk$kGFFjYMC zUCc!&Oo^O!^lswZuKNtwO7S#ykg;UmOFaoM{DJMVv%F2i-!R2)e)-2)0Z*IT?DMKy z5(RNhvz)r}Q~Z}n)ul|0|3*q50Tc*Q;N{tww$9n`Eld6!AJMo(+RvU!i5!4zrT0Y)=pF*!Vc%+_mPz2hdgefr(?DkzwiIQHGio7V@I#~17X^Z7gk zUY4b)?bk(a$P5FXW%4+}(ixQ=^eo_FN;Fj!IE&K&aBgY!f_bUaBQk!1liJNnkA*!i z1S4aOlg^)aFp)m?q;P-J2}GZpjtvU)j-Dh+&_DIp&2i0C)eFm?NnEicoi|n{cz@lZTFO* zQ;Ip$F@#>LKUqsYc+1qJ*KTTjqt+Y~v>>XEFY_C1PCPGu_ht`m-JgHwCPG7n!=q+g zJD+`K&t)fs&S#J9IXm0ld6RFU`|fJ}+uuY~3`|tmQ*rm3xv;qhd2Jb%9hAqcNn==e z^|RMRMfAg?(ue;04=TD-^asW9m)r(mCW(U4gqylc_yYjo&$-B!&#WbF(A2`K0`aRB zca*A}^pHr*QzEGT z?*4tN>=o_?OeF_#$tf>DEWM^=-~DKo-S!T@d8~ zR*>m&Vp z^VE0ec8L0_UY#Fbe2cH^?f;dNICq__7{SkTdGPv}E_D10W3@MU!hJG%bu{kE=(9hX z?%iy`KZ_Rrm?vj2i;37ub6*8&uPUQ?AOjMGT&Zi__fuAF z%epi4U#&PRwXdZx7icfm@qe;|;gAB>s6dej*_^?`%B|_zVs0#2Xg>CTU(cs6*4Fl( zKHXj0-~D23Z+G|0-Q}lls;Qgo7xEk)bN{>alrvnnb_O?P_sW?J|MU>qztfyqD>6!X2aP{xMlZv>RKkFX5BkxCVkA3IeZ%B$Ha6F0 zvK9y25wrof*HRL|w z^BEh!GfeTeM8@?r!OXNj0TtrN739O)zEGEqY+jV+WFTp0o5F5V+>n^1KcA0MAMiyX zdrzCnF7czYa$nqb2!|PD72Nekkm+eJi71d!fJ%zmZwGW)txTN;;iDzGg_$I)6}?zqoxC& z9Ep>33sG)qc~&Wz_K^mtx$pxtkdjDZ&`~|(o=<1t zBHO^@Al}j0g_cRTGpu~l#*K~KA7$faG!VSml+fpft(ENpIH!WsD8T3|%4UB!sh79k zyA=-8_;TRRptFZOt`L1`GFU7Yk-@XPD;+nExQ^@+UXkXKj zHb-KgYdL1EV_k8y+7?`oTe|L=sRhrkN4pr2j8>+|&!V5J=-pG@%HD&#r%NUAv(oQq z9~Q8~cmqRaj1w&hUweL$S8N2Eo;_QFNTfn5?pN2>ZUBAuSMu_IKy=yt|6Z^6*ATMV z!f)Hz51hciWkez%20Bs9dMj>wcZjtjY}Yd3De52_0@yo+MQ|**Vp86>Fw? z@lZ1eZf*c)+Y-;4FW=o(qry0racNx@_tivss@V%uZW1`}Le4!CpXJ1Y1S#2Zcb`Ofq{_gcZ;X{Z&FD+Qg+}! 
zB^~6wTGxxQ_3t2)Twshr-Ccg43#Xv$i=cbT6r^C{m^sf;*JyVWw(RCon~0)uIX1ietk>&3H(4WVG?Dps#_=Iw=)T&ZtITlVhv<9&Ne3biIH(M+gM; z0LW>cSEkI*oUok@BXaGal%o-goNB=a^8uXV>CL-^qNuMd=~m6BFDeY-W!AP-?3;yb z+L7H`jQQjP(1)vR*s^d?H#>6XB3?8{u}%ht>&8 zp~!TZAk!6-59O?y2n#GW6Y2b}X!xpOjgnM!VV$&hGZ;A9iBak1U#d4x=2HE~D)sjT zY4PTBIhPvbms;UC7zS}v1>7BldfBK z87hqRRntRc@AA1T*hh@_&RZa^T2?ul)@F86{^6!Cv(v{(U)z#f6-OU++c$mz@oUG^ z!NYMdhKn;uJ#&?6iL;z=R*hC8NaV&!?>%usFTDw^@hKeMzNSvnPbNd;bQEK9oR2(O z4jr!G6d%y(jZ_R`J?SHH9yxU0QQkqDfN%byoeeAmPj z+^O152URWIdJM0kw$mVQWHI_s+mkssG;fIxc$`misIZ$zy4}o_#%&BUauCpsFi`h$ zv_#1DmINGbUnMeB9D;@C&ul9PX>0{qq2_+kRqnfK?O!bh@2PHIV$S9*djTq(JZ0Wr ziJaX6NWt@`y@tN)O&(QdCn)i+wSahD&GS*zzO-q27PV(<99tF+8Fx@}Mrp|Q(cFFe ztpzd5gUiIbNy|&iV}7|x7`-?YDzeW20na48plhkcqgtsI4N~~nU7d%JTnsMc+SrmB zXH2${IYCDPp_NRyUk1@}R13y;oZ?oq8UCWVDmq(VOe=I^C$f<^)x5c6V)JF*o8+qO9@RnEmsq~V57 zmt$;4HF1!8E1QECci&GuU9w?)bV4KMYTJyt@xU7q)|8PAb%rUJK?JOkY=*PS0<@uW z@xhKfZV#wKIjm-Ck#RNODrpdZda$X1N~nt?_p=jYQ#QVC(H%`jk3e@*RO;WDFh@q zh*cYWUFo^SC8}Ox`r(D0w#okM+Obxwo^V!>&o67~gn&2QOR>lI-+ynqqI{S*RU&oH zUmfm0-+S&E1E2QxBz2y6F0dyICqPp6Os-xnZf@?``JFvy_FA$@qtiFV1j;KcRkjhj zxmo)H!DM2PqU?m(oM0!gUy-GtxgdlB$Z$Na%3+kG{q@wnIY*JEGF!x3|F?dm#~PeuLu>s_{9SPp()Wo4gO`8{Fr8na8zi@((}^|JJx>Q(y{v+Gags>)uidzCb-Z z6HtbwN4HrqPw)~-S>GeiT$+l|7rK!BkA3xK7Q;T}W*7?#EL1*}(_|(-G2#T{{6m?C z8E|(4?uD%&`lFD5qVKqk^<9}K0Q!Mdkj9?q5_v#3!cNwcn2I+L*Cn0Fok1-5ZDJl5 zp>L-I?~lcaZdXX!?@+&T!&{JHu#ji!!{%9<@a>MoM8imyJ(qcc0u2co)+zx38^S=n zJd&yn%}kN}y$F?INOz)7*FJ3S&og|dbUu0cVppn0DBLRHcj1rdY!D&GDrm{vRJ4 zh0VehFbQRiQ1t8lD}EeS(=8f6AxzT{7o%FON#qTyp_yOIw)XNh$W}XU^JZxe67nZ0 zFSrsQ8*UchEr=DdWPbQzpjQ~Ro9SfGz3l4+ePQlIPo#=KGZAMBokeNri4(RM*;lRu z&S4aD-S&B~P>c|}64wkIDx>>=|Az6sFUffwZUoKVx{s4LKP*PL&eTI^0l?8{q2qPn`rig{;cLM=b*aqJ7JHN@dRxSv8mDl^Exe|BVcJuT}JdTdoB zVWMs3lWKB5b}E|=v5x5q+!Jsl3Ei|kINP+=cv5h(HTt7!0~AZd2&)FdIl#ptwNHFe zjNGWm4)a-4T#qXxomkZ>!1Ankr7T9nTEK+Ek3Mm}W#E!s7mUejF~8x8B-WF8qb0vJ za!;FD=Vd6v3gFM?`?uB9m(b?6K?@3OF)5N<;capGYtK@^5ar60CZup&@EeFzgV%6# zeLx24Jie_z5Q_}2N{r5Z4E*ERMTDxTMwL?=OR`+fHB6M 
zdf7Pqe>9E?Vq|MY!{b0xu0w4W`*)}#y9NqL zs})9E181|?p_7`3LN=tP7xE@PC7)RHlNPlh3AAtgSM*fjlF21KzWuTD0=Yx8M?Cq? z$)fJT4a7)z*ggJc)=~5o0)Q9crf7}_?wLtdy77eap3fN3!D4>vB$o1eiv{&ykKZDS z*Zu6*k~+Lcy&#p%-PgtB2IlGG-?#*@%OjpYqGkT+=e{Kw!>6BXDGGbcbmlkX{4q}+ z2*T&1pX?qw!H5(0_&1IxPK+{@W2&75q=M zv=UN@f6|q+ydy4TqSA|G`LXZ6|DGZlcQvEtpL*eSIeGsp+&If0KCpuyAOA-T=#y`R zd+G7-Ja{R!JgyhaDlxhGjrL1y_4934*z(hD7ufPsmhJP&2OAa0pM2bMC?2siZFk%Q zv$f(*S$^Xjq*YxZAo}FPm*sr)m`$O*I4WyN*?r6qS6^+dN1*j$OO4;vS6iDf`&llx zb)><3&h^%2M1&hITV-a%*PI3(-CO4WU-ed`DxWRp^c|GH`G+V5^R#2*kvImpB=vT|||Dr`(eyn}T?A2)HT3*#F>{V4^ zwOBl<|NQu6vKG?ST0Uy4*UDOWV9C;MKCI!$x+RO5wDB`7V7ecN!v_wV`&EqTE*DMy zRZ_ElV1Ui3lG$G$ICp5^&)q}nX5GVsY~%3Yt)e=!6JL7EF9S{$`^}jRADL?&-ZjMh8Bm)<0Jy@W^ANd71_% zJ1%B7o*XgS`Ut0&jNRI7vwls8D(&!NEbVVRLs8aaZ?$=?gl>fn8C zAa$ky1Yd3LN6w zsWcxx{$g8_is^5kEfX8B|FRO%GU623BT5mp12`;3PRrAnc_J9air!A*&RG)&{U^&f z;STzwjJtRXA(wQ;iyvONzjBF0%$O#AQTl(@Iw7xz1IB!mT5(@WhLKz1s;q+k3$?y3J5 zvnsTZQBahBbiW!Wx!f-LV_>u#-@lT7!POHr7sv{Ky&Sv;F4$4-j3e7*Q^XZ!ntAmP z#BfFoLT)-{fQd4M+36A`qXfzXrKVb$R&OO`xeF)!uH2@o z76R#_FkQX^Ho`LX`AjjiWbig%CYpHx0vVzzmLlQGH_3^P5HI} zeKIG^XXE+n*@I|kvDXIXYeU-1ndn1uE#1$B@IhsS&&ImRkzq7n&{JXXaDpUp8{&F0 z0OCdAX#%5w$jUuUjFd)mB%`NgS0w3rgK9L&r?uoJVqV-( z*S2KeYC9ooNL}L8<9(N^9Y*OcTYtL*JdBq~s!ih6sLz zIKMNHC)AnfYBDGGh1kp|xQ=E&b+Rb?GYnr6Gdx#T@ETmB-cj3$`uW( z5=+Nw+M>^$tgd`JKp=Bdw&B-d!_SA4t9dz(>d<0BL!T0&?fCL|022sanp|OZV=@du zIS=I>J>SZ=ZijY=KGGO_y}@k0I@|CSG9in+y(gw_-AOIx%&@j2!d@Ou^dYGb@h!Eq zuo182WgI1A3SiB3jlic~$XW|^l+Lh!KU#9|aG)r7gf~a5whliA;z!IHupy%5(@nf( z+uzTR)nnojS#Kg1*G$r;d7I4uMZ2L4B)*9N=N=As z7QoJ&-s|+0nb8$gq#b9smgWF9p`eKwxO@y;*vrnNZ$(occA2}{0I>NK;7U?nZHuC1RAgIHu+LNz+c-o`@s$ zMN9gxHzxec@o{F2RK2(o6%<$ZsJtoTn@FJtW3m9tx4P!lE1L#ab?}KIh;CaTUh_zv zGllx{@a@jYVQ{YYj5m1YI6skS&_L;NN-)$Wfu|08faUmYzJ_ox6>`3HO-j#SIAP$? 
z$Md82r=-Hx%u>PBFf*&CWKRbc4_G2Ww6Dq+t``*Q2^pNndWauqs`otGN>Ezk7#fk- z;MI$Jo)I`g&uv2yyDnk9;1ezeMOP`JAE<81u*t z65kVn@eBhfi4OJ%LTn4zqLce=v&x}Mdy_SxTy5H}ZF?a-!Jbl3t@?1}KxeUHE5VQp zMenz+3&TEVnx!xb%BeU<5gL*Huw2v|*Yt)mKNi1>^^9YS?@$pC37DG6sYN}mMD8i! zESwG6nn0&2NbuO%W%N`ujq%)Qw-w`zFUi#%yo0u4>sD<9La?iQxo6C4lJ>#KyrZs2 z)iqsN5k}_zmpZK`qgf{zGME)z$1`1kRDvuIycuF>FFM$41$f@QZYU<9EqA2Pn~!u< zSySpvQx2B+mGU}Ly{rQtGpGJe3!a=HT7=f$-e{@|F z6)#J`Cx{YJr*qZIUSoDN5Q%NVVR2via!>)9po57(3z!Fz+qsUqVcSI`Fk_OQPCbdz z4MaHZb68xHKam)%coqRnR04nRGLk@C zxn;gnYs|G%E!>4-NJuO()&k;S_(9cOOoA|RJJv(0304PR!6+~JZ$r@GHO z%ESxKhSE}B0RfKHVZH*#E(!=IKeJGl<7$saZMokgiGGRQ8l0 zjoISQ+@@TT)elQrIY*GomnWykZ{A)0f-oF9gGA188@YvEDb%!wqV5LDp`LiS=$QX2 zMfftE*QNTKV$E-w&u=4pT7dxM(!G%zcQH+;tkKcz=`uE-UbH`UEN(>;JKyPt)}*+i zqs|hhl}nE7&qDGu4ZAjVm&oKmSI}t@46LCCL*-!B}GlT zdwEqT>^DS~`sq2X$LHt$^W%e~zRI4Us>FC!&+PQIVEFot`E2=!-p$H+@xY$6ck!>Y z+#7niaO&8kn#uz9<(!(ICz9af_=-V&L#xJ4Hg64Y(u#0LbO8;d%$EU0cTcu16nmYn z6R`&T66y2?IE~B}%dM3H#evtDAj_4s7sVc<1LZMH5#O}_M(qw4Gv$(2l_=7j^V$up zqyghkNZPcKK&$6|J-|Xfu&BwJwXUiK*7O+!bKB&Imyhj9oSga++7?xdsOJEAxN=(E z?O1Z(TS{fEdk^%E2!x;NWAGRIYYDiDKdp1gm)p8%&;w2d?@!V8W4al#yR55}dQ%Xs zz$+G^Cq&&1-eTh`jZ|M*pQdYQRp+w(<&j*^r~UYaPmIIa8LyfHNUs+KdUef0mn9G| zk_iZ{q}AjKe?2VRHNlOKFUQRcMwO7&+!dn{WTE>3X2?8OAD(i1*!9 z5iT=%Vp>(Rc4V6EWt|4`UMD&8`%VU8kw|K~KcBt1JbsbB;*&*uoK^E#V86yDzT4R0 z%-&I_CY)^)ut=7TsE4L_iEb6Z!pCbhoK9S-mJ$AMdC z+PD6?_g{|!q~q#?&0~DKPrQxN6n}1WkFqT!pZKh`ZE#Hm_p|$djMwf6n@_4&IAIW# zY=j;~6tBu;7*(ysHx6?dh)?PI;7;wtW9?YPTA_@Imo(U1(752s$k<#AJ`TTCpnLEaDs_M(F!?rEMZ zTn+;1k9|w$xZ8>dQ2-7`))AY;_!x!!%S=WdKS6mEr*=6Dg><3@lru@JgTz&IRSPV2 zDEjWgl8GRKTZmQ*5QAi%7%vDjwJyXcae%_-+%+~=9r5Gdt2#{{pI)HQ(FBXl-OX&C ztS@eDg&mLWvgCBOF*4ldqw78om!UQhGKb5cw+3m%-Oa#DAp)wMA(;}%66IUZ=Ykxa4wo`ZT#HD412_EQeC`PZAm4t*7tYM{OI8hJY z7sZq_(m03)YHwdv!>r)HPhvyNv#(Ah;ihMjKvoe9-rQEjq_{5CBN`)RBL|jnK!Q@V zPUaw*#-1RWKHvh!>CLNG>3(b3O=;v)ton8h@KSFjDuF9Syy8&`)D|h{HE3tOPrZYy zzSrXGA?8HXpHscIcywY-`{d~O?9%u&VsDktgEBf7xYm(}AOS#V1DdAOXoJ$;E%Izp 
zOL8kox|DOykjm>t4e4)Q?qwv^t9w-?=@^>a%ZP%HR`Q5)$e=;Pfs>3qV)ck4S|R~f z-1U@B7bo9b9-p6Ld%A!9_T5|EIZQX`M5-~=VU|(zqTTS)MV(_C$WOK_4Gs%s#xup3 z*(f80_>}GK6+=m7P=PlW$C&v&c(Nkh3aY1ERK5rJu+sn!CZ3MZ_HpD98jE(RbJXDJ z%r?CTEx?;54(rB5HXLOKN2e!eCl{CJ2cVD7-X5GEoF2Pr{RKVO;@lhG;20e{lV;R4 zEI}vT0a|XvJBBU}eAsx@+;DEKG~ZDk9#WPxHU5pe;!1LQHyVnjbt3amL=*(B^}bS+ z0}bUxRwVtz3bO~br_O40WZCnkOd6ZaSN%WSMs~-f?=*-x=_8s^Fa9d1a#X8 zrkhzlwzR)6i4^5bJy1-yqlCCb)xQ_-uCeY zWB;5=Yr+kyobuZHBYzNj9K_hC%1doH%w$PXQh3W#_FYP+C7uZWM|1Oub_B*Ch`z{r zBG-jx@;YHsRqoCHK6NEwsmdb z1du_Z#{)0B;Xjr-&D^n;?VJuvT3S7HZABFz&+8No!#~RbZPvc?eAV45?(MC4j`|6+ zAPDdYAZR)fws{j#ZxzEF0F`_f`CsOdz-#;~@&OPhuW!q#zui19pU<$LEhYvE?E%@) z>x7v^O)B|XXx5XKq+`?cVTD3m_sP%lI!rM4f$bH2$(`UaeHkuo%k9y(!A9-o;-*;j z?cB3;4>dD|Rz8J4##KfeE^8I~5F6q7~EFEMXA8YqI zJG_j1Qa1RxEV^OV+GUZCv18vXX2Mq`dUGj~lGPG!xo0_THX(M@stJ@a3%!93d;=U8N_+ ziB*5Kl#>)5y(Yg?M?wscxn$zVGD6mYV5p;>Aac!!CgdjdrkGokTiffQctx15P9iK( z%W1c)$5NQgp^VNHJ{Nebn!zvWKqqgzQ54#fBg=t}JYFI02xl>1@GPQ2WKsGX(`i0f z%qwIb36Zr_3(C2W9fU!#94$?DgNJ5BvYqPm-n_*;t@s)6vz79qy zi@2@}Wmlp>fVL`{BB$$5{WU40YTlBE)l?3#tRY45(oPCTLI2XvM!LArJK>fbB=7v7$M z1KPur7BjH&`J&l_3Gie?&%F5~5W)zgz)SY-={!jNO8_kJMl$rM z{j)chkovHx)rl62ZBZA&MQm^P#mTy9xx3@0%;(CPa&~>t@laK156;yP)SuAZ* zHL0?0_)ejQDO43PuBJlVwN?(ozeg4srWU%c=CZ|KkVTg2RLkIIsRitbVUYy$)lKw$ zafNed^?G-Ay>cdDk4Z7#VOVPClIa4oofxb>ow@aZm_~w4x)_*dY4(inv}i&tQ?s&V z(I55tQ0dgMilaHpI`w_^ic1Rtv43r?(JzfoB)3V+nufBPwjpAP*8>@{zm~-t?zaCP<;R`T{Eb<>R4x5h9@ER)6um}p_aLOLZ@QyB zO1ZT_w`R+r9=a`(K}EC1G5%~b##wmejPc7)_MYq+0oPIY;PCMH^|6!cPS*e8Y+Rxx zvKpz+8uS|{H2X}6zOetSv#sa^7In!&S&CEW1y23$Lo4j>^>%x=^YLh#fp)sM4H~!f zOm;B#$fyYbFyjoElUj{65?@Pn7SaGzv17rm_dSsmvXMbdhWyyM+_8*Ci1%1>ZCCUm zic-w2{2pHr2nF>qcc~;OHK7<%SZRy@gSCD*=?YtJc6fBweeJZSfEbZ&fk@-aXJ0;V z0EIQRBu@)SH+C>e<&#dj^wI@eS}%#52ZQ2VBI(h*d17;kI!P4%=xm!Lk_)-Kec}Ix zUwXs+Lsfj2Irm-p)Pr_I-qiK(pZIu;+N-Y()`K+>fR9<}?kM{pj ze4OTTmPbBe;m^)6!ei8A%c~ju2I@egw~b{&PEDI9fCjvGA+m?=BE3Mk=tOT*e;KGG zCgEk^SX75P0&l&YW=TIU^KMt)?Be(&W4C_mc(4b;J&2n3s6~lKgE0Dv!w#&i+#yHD 
zuMhr`y?yiM^{?WHWzAn7L1v%E=at_&EnARh8IZPeSfwzIu@TmZpY07j=y-!s?$o3G z=zR&J_@ACwxhQ_?C<}w^J0(XvsdZ3b^p-$@qyVoUCci`CXB!~p$9~r zUz-RYwUw+#MB7ZVnCCZ6KPhy5kzI`vUf1quv&N4v1^-8iCm~88)#NIG09S&nnw;sW zEKiG)qkEJ(ziR*`Wh%3r*2TOlmN8NrgQ~zZJpXvgH{!|Rdf5RJTvdPY*gDDG5%Hf= z?kXmaDkL5gDo!RmAr(fnLGk_GRd3MansvWwJ9C)njp0W8K)Ubwz+lw_*1{nBooo1c z_CK=WhVN2$|3!ARD55YGd5X(9JzNB25y8`W(s^pPJv4HU462xBYdj#HlKN1^JJ#Wu zzNgi!vJyBB?v>~Mm45>F-fESB{f-y=AsaM)F7ixRd^O$}WpaB*WQ5nw1Y%ZcB|S?v z8cYT$@qmc%D%1Qnq7)jQXZ!Ot)f| zhhh^=K&BZpl5Dm{`4^r0s5kV`cgnsP*R9~RP4rW9Guoo>NE*274KSOHc&`PZzKk60 zNG4RaM!oH)M|sGBa? z6}}5?T5`kpoTpmuajN$sh(NgPCb>B3)^ARVMg&Y% zjjwZw2O)*QZPpiIdE{ByY~iob*yQvE1*q|r*sf`BcK;F0CQ+}(7oL3b3r`;N1xv(# z;7dyCQ*+t^IAJ2?fJoC@x~V(3 z7@nwLT?G=cG`j<84O^6AbK8|16XQsk4Pp6W}hGi+a~(qTpCy z9(BIhbtM9=33{~-a=S`__3+*{6$nZ8%ZO7?j3v?iWLzB$-$?FhX(1;2L$gZ>2f6z5 z&7Pa{hG(X|ovX;%0oTLQSzPJoP(z`4^+z{?_N?JUh?T862!6UYVgyerG=e7L^Ws<) z0CWrP2H}dVM0I)o^iOU+cic?6#_gGo<|pd^AHUk%?+Ita%Hp%qdn@D z*_XS!yF2(lqNu}b%5s7)vya)Af6BggbB~W_PThB1$+R!M#?$y7Gp{z$=w_^xdbgfu zt+y#YP_(<{scpDg+NRd~jFPF1Ga8sF8q$4 zLa!!pWLS^J+fu8MlM^($K)8UtV&0DW zLy=_*F8hLb3jQgcQ*0Zx;r;z4O0R4}bDIpsHp518ODD*8HFPjEzK+TiAg|b$YN-K8 zkY`ryw0&n7Vwds%h7FfJU%m6(8|mKTvPHXZZ7q`ro0~LiY*TyCeJo2J#7bnze#WU6 zd!?g_;j(rSZ9v_4PC|0SQ2Z;()m7oA)lKQ%{+C=zetA+U?>*zmOkT&D)JADPHxMeV zucx85YG$84Ftg8};@|e3d&yE<k2ly}BMEWh`N|z|@hJTKX|d5M)*5*@C{sjoSV127F~4 zMI*?!dV;fOj0POOK0yY^uN<_|3dxq(jbUngOpsKm(CVT%kfXVI0_qK`8432q&>)TC zFa6F^ua~nTmU{%NCEn%f6RByM{MP1uX=#3U#dLh~G)$_#zh)BHe%tl6s=CQZ;cY-a zb#!K!VeIY;`xqY*pw9NuqR=TSC}DP!pv#1EO!Yo*@XTz)Rg6AS+Pi>G-nyk5G6~}< zYS=JFHJuT0&0%IaZ+~%DGqg7)7f@Iv;+;7;rK97mGx1je1J4^3^H2Y)pkp%ro+Jie zmjtSm8XEBmb3$(56p~Ut$lPSM);0Zm)qFj?(N-PIm0Rb5liYT)BJV|Gvv~Pd>nmNB zCSJMSd{+)p;c7nU0Du;9wj`e_K&Y=e8{*!E@}SsKOS5Ngu96`hgv3!Sb8-~$`dZGG z-#;?F@duz1Q_IhX!+4dcWs}x4MW44Qi7tFZZ8^Vf zu^n_Vt_|lefe_>+p}N5*C04AC@9pkC&GvVne)-U2``NR-ectOp`&upO9&?SiyzsDW zinm;(5~;}=ytgZMnC=3+(|21X!bQyoqrRjwuWJrq%X?OT6O(|8DpsninnfW@=j?>~ 
zgUC-E`=6}^@j#bG9!aqnIfozgJUd+u+!Wl_MXj~fk~u`_^w2Omacj{5E{%g-708gY z=|0u<-Lcb0hqftDLh`tQjPQ^=9{wpzp(l$_ zflU0tC>#YJ1I*9(h}$zU*6Obmp;Zk6=fWiAC?#Y(#3CGb7^0}AH!vCwsbH;BPe$tP|?hTW1QMR&(gBMM= zXjgr7YnKgQVRbE6Zt4+Ly=aTK=njA|FMXy|CdfU1UrYv?e~y17Q9Syf-k+OG9$Nb) z!4O*Mp0oZGOK!i&pwfhssFV6y+SP2SlR7KbNiTC&PS=ui`m^WDLi6}%GkmZyT}wYa zdbZp(xnjba4)w>**V3$nHKiWfmFBu)q_o)QZB~bV&<$aEXK2A>SYLO}wyN3o(g^$| zjtIT@phA$M!}^vrP*srCp^A6Ra*NR_dv+l&wpxy@$7A=tj`UuHr!8V!dlYTYs*kJ# z6UggMMt2g`j6xC&TV;egL@1Cn6cF=4U50R={N4a0Un#W`^@|ehAqDJ#23G4~Qc5Es z1*U8i`AmLlEe(m)G28>HhEc;;Llf$i6UoBvw&lxH%j<2XmT?3d`ZDkh4U#*r;hC(n zL=eZMLY}uo79#Qg|6(`T_lJjXKkQ`(XGij{`yl0eb@I(SEyMc7GxqNWgK2+OEre&x z(=P<57ES47l?u9;{q1kJ)wtN)%;YUSClT>d)MQZ5eEuEU*!r-yo!LkAjs2xpe95BD zjQlPZFxNaH@Bkf1oZ@3FRm|llq8*PoBmV2ghh~+rt__Y%a=O#y<_|3uGjW&yJ#i~0 z&V75u)L8+sDQXFU0{b{~cFhOGZ8XWo!0V6*KM^osH_Mxh-%4NdxpF#d6YlM3-Q7nNq6gQuuFW6pEP?Syc`OOmu=>}qKv{ACBOJ}dRT9l(z&$dDb(a>Zl1w8eh1!~n20ooX2UOuUf^`6tebsvehgB(d|EFARX^K` z0AE0$zY)Y`u##Zx9^H{szi{R+%d|6X#_&inn z`n~(%6#o`erJPcM{zIv*XF@^oGyY^eJ?rh!_SK|2I3=f1&nzmr8`6XIdUR+MC7y(+lu1+BL zIoBuh0xlGCf|Pv3Mu?*ID?99=x?Wya)e?Zxr^c~lnZ>IN*Ncurtr9zSesf$eW^)1m z2ywfpp3yiGxNn(J=5$40pF9KsSQ41IHe&XcMUsv8$8z|USL@wg(0}{NO=Esjzx*Tq z=c|tVkLR$S&dSQ&oA-EL{_QIvtaN{H|KpzL|MWsfycMMbXX}U-{Ew`j4f^G@4++-E zhV|V3Lw;oBg?Iwd6aGKr2J+E7ZN&cIAL482W67WRAji>{@A~djMibUYj}+vJoA!dZ zpvrdCjD)mL_?Nq3y65hymwApSA?-mr;rmZ_b*8@z$!RZ|LV^;{=k)0A(egv1NpSCO zwjViciA|yYddS5nFOxVGw@N}Xg03U4OVy~f;_))F!98}hKm|x< z@?>arJ>I1n8i+wrwEE2lP8B>3Q8^)U5Ui~wk@8u?b7$?p{ovjnpI@9@Tq14k@XguT z@gZG~-yWPDy*@en=9hqe$_|9D$z9h8BJqYfON^<^;GvdM6CyE0kkaq&zb<>bSBGH5-^dbt50zpRAcB(! 
zb#nj&1|>)^zpWked9{93k^s`#_~aOq84+BV{?!clGlK8EuHf~C5FT!#>uMnq1OziP zOb(1>cR}PMn<6Of*UV7Z+3W4D>No9Cav-B_*%DI#S&|c++u3KisO?c6xY2nBls18b zb5lX{P8dt%$+R2*BRa$v4Lrm%n^WXIS2V=|t@2dE{kR zfTR$9oCmFe>b$;!ON(%5*%6zPy@Biq1J`Q6)5Q;G;k!~zWM)tqLB(Rnfa}HZY~&fy z?z_@|tI%v%;!A@|Plf!7+QF9X@+>r6Pb)$TWNyOw0$DmBR5G)M}+h3r*(vF)KcgVqWTpbia)igL-k!g zb;q_pxLr)%GgEX;(mk48Y9?ps9!dJ;3HW@^q|!#%T`~y{od-|uZ zm9Ei((>}Q5I>;)X)^2O%W3Vjd(?hZ;w6mlx>;Edc>`a zpG+64Baky^8!Sqpe2zZR%if0naIZgky35MK>UwUeo#xw-Zm@kfM_`If)?l-i04Kh+ zvAdCNnM$+0ls)K&oZ)jRrWl%U3FPt>pWSj`xpGXSoY09Dxa`?kw4?NUnpBcLz#-59 zSWHSWUUV!yx&z(sV&6w!j&oLi_|0GQ!HAhGJ?{khH9_0`61+QuXh({X7yjeS8jfZ| z`d;>C5=a2WOTUaUZi3F#Y*zS+F<{ur)*}}A7|2Um`+IOno;qn7TztR`>a5rt#9V3} zy>V%27yYP}#jNzjcvr5E>BQ(_HNpH_J0Q6d`RDjwP7Z&Ct1LoRe&{Acx`WK3(%RJQ zp3cAMIE3%PfiV(o#mraDH4v>F$vzjts6#R#J=uG*yPUFao#W5RM4z;$UER)q^l-kt z{G9Q)3kkt`fk%sXx}G97@bt_5-!Bi!_c6oo$*9pM-yNU-g*06p8}nxgCP(JADGONK-@#>y zY#sL%H>vsP9vE@S$QmO^jIy@N2Fx(F;jnKEH-CrZTnz=cdmo|ftFJ$9qUn{@dy#$J8sI!=t6xT)j>#*-2@cAEpXRzN2ZY zkNcdnk&u}pgbL#7Bnb3e$s&Zxx_Y1A+eL16I0xsiTl-5#n$qw3UfSyF+(^kmcU;yr zs?mLcqtIBm8+9i5SrUU%U%KS(y5`fJk*s5iRX!FrEsiFMd6Fp}53@OvoeztTbPS9=qJe$wgw#Ica z*!~rI>^|ncKXSrLef6L0J>Ga42eX|aIlSr%Y$OCdjQ6`7A%JlX`ggVG*!gjh*Nd4j zY=Hh2Rj$1#Lx8FkU*@~IEj24hKEy|2N=5lB(B`dQV_Z(u}X6*8GAZ6nhb8Yv7m zrRY?1rqL0d>SmulYp(q|t(Ja`@~ z-iJY0j$XinCMR#<5!1|vUoQkw#|iE!rKkG%lx<9%HOoPdYrG-!#LY^(<^Zy1_Fxz# zl$3jCiHxT!uR)}HQm{id*BTXNwl8-XNvu7JzzLbX)uquf`kp8N?tL%5NhS&h*df)X zwv=sGB450~wylnI(+9xN@l8qcW>b=Oh`c~ADuo?mR^Gt<$DkF|o-ztkygPr*dKNQ% z!*#mcea&ryNoal>1$RlhU^C>;B4=qUW|u&XJ~q^(BUns>+o}?M6ZIVoBn!z=RF=VK z6hK>^(HWWB#>_|A`Q@c;o@ChJgn^0)wS|hI0EIyry6)Y6Dn>(_nP4nO>5ChOuiso8 zUtIRz9-JSaUG`5;E-p5VQ!Hd$yS{f*#Sm81tVZ5b;EzkmuH0%F~= zsQ15$S%ryChqcuGbaZC#-&-0_xaH4~0Ex(YwAlF)x1m6Lx$7IVjHQ;-#x^a+t}1qn z9)axd$*}8$<+N)+MKi&-3k{U@gPO{S=MfGhP8$l;@H9md z?5Gj;ts6b-^#nsu%LcY;cY!>!EDH*hmcmM~ry~_ATmLCx-_Ym%mO#V?4-_07Qyzi|_&)IY15Oo(h%)H+bGCy~TbMyWT5L zV%L-GlWr2KP2t^Q82jIYuj@DNz-Za=z)dtV1n;0WK~!VcLS>d`V74fk6nzv7mB=1e 
z7TrO}e#z;g$#h>R^`G8seWs`Nm$eg3%Rs8Pz#$~}-udz2@yU0`upRt_giBISi@);1 zX}LH)I|}oldg2xiPvqSY8!ex2HaQudQ-6`n~M+Q$7zC+3^ez-cI!rW+&%I_M>OM$%k$%dQ%xC+mtfiC;g#h! z!G^d!>9}KNUV!TL5dghuf-1MPNo2y0#P8o?UqzI>xfb~4S9LX7fZ-2IUCh9L%m*Ub z-~|a@7*OnOvoJCdk+`a8Ke0ujL^W=VRok9sR|I_9$4s6dqg+sO3 zIBAOx;(p|&bcq* z`P09n+io~3=Oc_b`*Y);<_tZcalf+CUUrghC6l6onOag3AXIQkZXg~})EkmWK!0O^ z|CWnI+*6G9Qv~yD$c#vSaeOiROdXj8jZ1lr=$06Ot^rMt5RFGNZ$k&D*x&k_b=f&b zP;rc!u7iEX+o%S%P4H?{=H%@1`26hPwVR1w1LLT4T~ud(#cc5Jjb4gBsg?{>v>}V5 z>p}wzYDc|C7@E8&JBxa@LoVPQ-o870zY)TTKbEa{!}slGR9)qxzJbT|iTXY;VGv3j zeCoar&*~cTO$N$yf^;cEo?s2gH@nt)S6bhRAm>FN7HSDOgmRYIjO6Ya0~R))LIP}a z{mCyZ)Pvk<&fW`wJk)S&FNoR9T8P*#|b?LHhU*xpD>lPKU+&qifNJD!M0NOwa*O?y(`O&tld;CvJ$~!?nbQ+7g%+%HZh}$ zWmJc9T#g3U80)(LfyYfhaK=hCMuI<+9bmjK%DF|h$5UJqPQ|&`Ey=fcQ2hjdOK8SS zl(0QzIZNVh%*}8XL>Yx_{Qltl?Bwj5^ycRlvPI#w(;elLn+5XnHKBT4DyI35dqV~^ zWx{WH9dS`IQ&0>HU`-;aK?E>QM^P(dkURF2E3##R!XYVEcktoDr&Q1J~fVD@lcH)csv@nK|c@&S&TKDuu=dGDUi#n1tkC%Ci)J&CU)3d z8%V6c$$Tig{4(n1>Y0M{GesaC7siVih@>_w$c;IiRnsnK%pP@f8}BqwXnfQxB2LT% zNAS*1XBGx2q9q|3pA6GgR>7$-&{Jn&yPtu_sjV#?9BHiYe>Vd7pmO+*$Td|5`ByK0 zew}>Z?rLLpd}HN3BzN4$=*!Yw_+f$tFA#8^08&K0liSCW8&KW)@XSADbGNk^t#sJz zllw4@hF@b5 zPE2R1@s#`-%+|u$nUmtCnwOM(RdNiCX;nheaQN7x{>kR)MN90SpNvwLr*(9e||J(M4exnFA(2qFz3VFrxr`h&`{P0O?fLPmm%2}0 zd~x^1_Zwe*areiagRjy(oD8^8X+OC)93geAX5o)v_lv$f7;#6bCKMji)70zrRzGuj z__lw3d~tj!kC+vxa0G!qk7=AaW~(pK1#-`ue&)4Sq)p%|$=-?h)i;%3J@ak~b(l+< zk@^${BiIiGoC&#JG*KH$U5Jp`rXPcDNnXK_p%xqO;Rhj5> z@v3EP)+wEMBjikQ(wc4c!Y4)T8kDt%z9I-XAH4%YLq627hm))MQ~=fu{HWu{i*NHF zs2{Ge#D@oOGZqE8|223fJgz~tw`8dorQ7S(u$;soN)$dJW?VACaH7ndB<_1anst_x z8-N&5(jLShyZb`lv^t*XP~wywzPq@5bJ{;RJUqU*=pP-Qog5!I9e>!rS=`r2{A3;* z=~PlTp6))$+%!%4G1!a+(V)j<~OyK z`Vmb8zD#f^^s;lq*7W(6IAxs3C%gOT(v#iaW6OJR<#mCD+1cyu@w;`pcu(Boarz%z zIMoE;ILWv$Pj;WY(Az-CTzbx?-;uzb8`G;d=cfmkxO*;GPxeLb&L~u1E_{-6*UR22 zYM!Qf$rZcJ*ACokuTf|m`HutLPGkthh(ULfyEw5qXG>qZmR^CnCZE%h$3GVCkH=h4 zU#PzJ#j*cmL~qVtZrv}kt>A1FW&!u-Z{45IRkBJ=K<0ld-EYDwgnl3RVxF}xPNTO@ z4d!$0i#P7i@0^4j1RAYjXIDP>#u$B 
zHvUZ^=fa@QqhIw1kV@o>OZUSivTo*XPvELOe|4Dc?d?C&?ahbYVI>xDSLW`Hz@5lO zBIY_g=0w>RHtvN6RhaApwU3+qcd|Vek80|RJNMWD)oIbX_f}$DN7q56+K%30Sg_AYDzo z``FEf-YTuJ@gUvlGN~rr_)V{h!Ff)95)50K_@+bvb70%*9GdyOYMLb(q6XsN)bNd@ z7vi{(f)>dssUzOCS}em^s1gsXx^Nr7@1M|cIIRxlMovNVI7{%^Tl$3+-km3JsG@*{yT2xP?OiP*?egJ!dmJ~n}MrkiBRlxo>XDV`a}6}DI- zUv{oV%KVTnpHhI;^9W=_{Xr~{sm8MIdF=*HPy!*k77Y|oK`d#r;dtg0Nq(_e#eq(q zyC$z$Tr6cd?_b|5e34M|w2%4vT71s&cr^(SvzcZ^xcu}Lk!&3i8U@IMl*s5ol8O#a$wshhfPM=15aaOft zRxvs~gXvWck@n{;aNG*N-+!_ns3)*9jjGO{!EphZQmC`VsXEvJ4Gxr}xB9rUNmYNp8|$f@+F|#C zHM?li{q@YLAl*}#)ixD|f*ya&5^0wv$P1DjDGn&AoiA!XPwUDo9Br=<8_bvH0h8K5 z32l=I$#o)e?Qor_n=1M9CxDW`YvOG-NK0tE#fUd|t>6%}<5EA9M*Lw;zW)B;FBb%m z7YYd3yCEa28)(_L$NSkKj78Q=Hh-+B|e=GR)LJ$>0c%Q_|- z3QR0N92;myx@DbsB@Ci&LS7MEu=Qj7Y26C)rF5?pDygy4mu7-XR86N9v*lE%lK0HL zwHaT6sKx$EM85=;=`NqC3b~Pf9eayDziPuOkF4Y`lPPug`9^ZbN{8`=d`R6O_Bo{( zz@DXt4%pvH&5=`rc0IhpAg`4Nos>ut`Nm7V;MQp_rZ?}xYTBQAu1|hJA6We?d2neu z8XtQ6_K>x+y26_(A4Lf<@huw@uITRZy71_}T?M|n$2Cy;e6YDUHR$e?d%!#-Nnkg% z7JB-A@<-L{gfTaGlf0T_NkVe3&OP!#FWIxrR3M>pkV{cxg}i((L%!NNGqou#hXl{4 zK@({dDon7gi&QAGs>7RTUfvskl@bpq>A+IuaDbNcsB*-A5NJ6dQeka>R*bpmT6nA4 z6O%zgI=*Uj0hKLWP`$Vs_(N=e=!LO-G*{ji$)oD*4HD(LInCMIknXP29C?UTC6CWV zjI}JOTTH-L-GHQ~iJW@O-4)x#@$HqJ9e;Oxo?cz?0g}T5$)fi8^7TYIc}{}DP3KDT zqsB(`>5j%9+|x*WvxuVHTq;$#r#|;0iX~BM$OJ*;MNH!n5ku^##HQlZ-jZ1_tbCdk zcTgU+d_@!5rR(Jch66wE?_YUQ10nM2BZg)ztr*+q%kQ5imZO0^G->~Ac|ZV8VCkp_ z(~5#ti-Lor?+(rmkB{8`zx@8q`Jdo%`{lE74fO^PIPP@MBmw8!BL8roeWEz8*x0Uc*HrO`TE!8 zNXRo@&5Gjdi=!7lZ-c5Lw4jMTyS2Za$>WmV1%xXmaPVFuPPG;q3i#bty=}ED*F`>G zhy^<>X1DpY4w!ljQ0mte?vormf#FZBm-p_TFGeA;gvl_}C^xNN!ct)lD>}8|nn`F@ zP!lWUDa7P)8WAFBwf~`{1Yb6MiHl7$Aq??PdSy_|@?_`fhlq z;=o}1#Ah2s82+BMqmqgz;(V~vFV8l$Oyq1C`rk^MvZDycA279&W;_q^exy<9G`bVB z_4}1`cl_sr)3>jW-PHXy(_Op%+vG51eqZ7lPIU7Lbo_zTJ>?WCr~PsMvB46A{AwIY zEkI4-6vD_8ejMc=5AO4mw`OPcvICR^rzmVVg^|Dcs<@G|dSs*1ZcKJU=3S%Ox@-po z2u2lr%-j!55^TmVEi{^2RFR{hJ6>wY#m|kyX<(DzR8wLRPKN3}d!Q#h+IWbucr-x| z{RjI}bEB*FwKX6&Lh=RY(;BSRoCDAu^zhebA%Lekk*h 
zo}h&^V!E9jTq6IR1c&54&9&cSN$I&_`e~ZM8dofovv#(svr4Bp0yqL=eKGjZzgk>3 z_%tq1zM{xH@Zq>8e4ttaC`c(1X%CC~tpPORMq4Ksd6Cz&zqLexX0izK%{pcVc!OQs zNK7#AVO&n2T|h^d5jmUin(UsTy(wPz!LI_?olpC+T~PaDV+MLHFC(#%DWA#P zEiYOPUnrn1K2AsFpqxvJLx*JoQmmU##p}peM`-z>EN!k>S^0wG1RLh_)(r?FJ8v?~ z zR;|eu_XFZIg}bTlyF+)C-ezH{{;CTs4~A(giEBUR)re&;f=gONlOkUeXsGmsBbzp^#P)D)B*^K9qQ-cU&W=S08lnT+<8#} zjv?a2f;Ud6ST`y|H)OJ&CbQzFuo?{&oGQ&AT{o~c5}b$4AwdQCi))2;nKzy!$lwku zZrpKBxg{5DqlnN_>RC4Qp&TygW>jWC#NQN`WiD{mgrIVg+X;cWKP#2xPb#R~1Q#?+ zKrEos4TQeTO$fA~VsgXCvBl1l{qFiK5TyaaFcD3#S|*Uyg~0EG+-{pkh^{gwqSkU= zAH(Dd_(|u1SWJg{r5fL})P56^UBSrH)r|y02jB_$Y)Jf+Dv_kzUUMz9UY9B+^TxwV z`&)Mvx@Dete&~$kL76A=^WAiE!2`}ICB-UHg7@Obmv7ZoudNVNUDCiFRK^D8Fp&mCl8aB~ty^s*hz<=O4S~!;3)!A{%&``IrgciQy)Twi06VXAkSB@ z_Mo}bzhhYuoCfNvPDb3iWg)HQO)V(RD+%K&X2uoh)=XQJVA=Dc1ofjcK{PnE$I~w^7?( z+PTeVCM$L9w)>4kEij7jAUT6Omu$`%di3ywCQE0EVE zJuod7aB3X-g@yIp7{>nY^QA-Q{+4aM&1cl44<)m1J4!F3GeNo!Lw6#jNw@htI+ake z@qiFv(cTHpAW2Uxq+rQ1&=||j)oG_2cim_9^%U|Z6hc`e(59<;?)sKMa^sSb^K4zQ z0a$W`j|Db{8VxGJ6^8Z&Wk?HhW%sXsmq{C10IjT~idK@yaD|_?MYOvAUUrI<;%JZf zLo5Q0E*sapR=aujU`wl*gY`m74bA7ud9e;M*=Sv}a%9Khj$!779oXjRV%};yyFsNC zuLkU-4^^ot_@S=*!2`OUP&J|AtFb%V4{7{+^MD$Rf!?Nqy_THQ%gfgh3|d2(waw0b zJ*1ak%a`2Vej=xaGnq&^Z&EChAM1~40$BE{3 z<$R?+o#ta!Miy&6tS%u_MyOJCk|dth_Ug0k;N4j+2@Q(5%(14%NHZQITkzM03A{Hh zW4fYbNcNIqwb`L&GH}9cL=BS5g=LOw@$gG)le)ToIUbl`-}e@uS!=7|I?%X~e2ZN;IF3E4mRzsW=LE zT7%6M-E55I1@_Xo8bT*zhR{FkzugsXf2gO8C-e{Y2)=n4^%xVcJm-Q8MU5kpRl#b| z!$CC5j(*chCSyH4 zk8FKpZRvp)Oe!>2f4V)~*&F;c@L*4}+I3$l*+UA|Ecc}sjn7Am>3iU7Fcd?r&i0-> zecDL_Y%&*k-Gf;wHr|GGyxAMFqZR|0r>Yo*T|_m4-l&V$JD0C7y1vb(+qTZO7zi~a z)egijySax>YH*4#1#D(Xc(a3Q!wuFj)7{RG|MT>XgyYYTFW$O;Usqrv*-~|{=_@NH zmOq)#ErdU&HvX5iiab^VeF?m9=BWo@F_Y}XP^R5DMRiZ}%+V~hSc@4G*lap7Q80-8 z`*|%s^SqV_S?CDy3u^tIH%09*V6qe=!H1(Fk#DFKq0-E~OUGa|Qh77EDCEmdg)ikM zZ23`;+^Jy5DtUJg;Z+eC&;lcO_<@-_&FPDd&EyE&EtS9+^GkJ}O0y!3#gYF~?v{V- z{bQHsG+|YPblu$BY;|L2bEyDw(~K9*l=HQp_GIuODF>23{EV&@7?;kF*r$NP8swdz 
z9;BefppIB6PLwQz*e4?$DAUj0<+fcFiukMwt_5vSD#7rw%muRp!VK&_X51mZ#I%A!k+-gt^6K2k~Lfs;B}q2;xNuldqe|cx9Ta0yp7cRtcTufc2wZ zu==~6GuKcI0_oNSzSn#ds~**CXwr4>sCx-iG7T9d_v^2mXkXBM^7g~iE-xAW5`Q68tA!tPJWjUtT$F<^4ZITKxlIg@5oe))O7e zztj9<_b~d7#5baZH)FKpsg5v=64jmVsSu%z6axlevg~&myYwP6hy@X0BIW$*sdNia z6?~DScwvGb4{TtdU5{z9k<5m@hhYQOi&2#=oQdq!$*VUY$yhi$*COPNz&9dr)&l3u zHNibgcr>d$L?>EjPImLjB)d3e3WwrzoDt-c7~-5M`7b9|>cvWFHFT+^FS)@jK4iT6(})9PednZxpBWX z=1DYU-}h*WOC(dibgQ8GGos?KKpiW*<4n*@9;#PNsSH&i_^_@^Q|gXbS7EbX?)A?6 zY#M7RcGA>9mh?ep4imG0=9Fe=@>SQR4^O-yh7ag|dl^!tdh(>HD%p1=r+bm@^>$-S zg}vS${?ESesgcP7FJCHc<&nfgY=jrhLnPK~5-XQcr6LSQLEOil}T zdYRp29^Y;&;QoL7?ED9q#}+Yh7ujSDcS9a>QTZ;B%^shK4L-7v404f+_kd$co^!?Z zd8i18ot-EgW_l&hOpbH+)lSz5e0CV0z4XWcNl&6Zy@87Ow8XE;=6x&rkvTTV747Z< zawMmp*{uhe!P$*HERu_$xHu71Co>)JGHoowdTI}Dg!6J|Cm2u|uAUY*?5|*HUe59> z>EJ72%v%-9!ZNza8R9JkGUdkehHI5a>oB6Tk7h5QddJ-6L~7UClbPK+ksi-&+s6(2 zr8~og`#I{}YQ|-i?!}VCUFqfug%{N(ld_`9Pw$1nbMe0p^BM$XnDGY-;eOd`Gr;o8LN07e__JwJJMcr17JjwCS2 zlXs0%o{rht^%Vwm>))}n{)2BtfegFh4a&V*^Zt2u7}7Z)BTrt3X_frpuP9yO zz6q_blc!Tu&?vPE6RTu&ojXxj(k0cX`N9L)iU8xsr}%EilEZJ*lJIHg_@ePCBILfx z$=gUQJXI8UjyHMgPl$+2LMP(D@Zcklj~3U27ml@nO{WDT40Ir_qnnO{M=Aj+DOjqa zDW!HWzuW@Ic#p^X$=5LX$S#zGI4l%^|2Y`VZv)fHQ+TN#$m42te6_#X?n{uncQ;#W zyANCK#tjEg*L^tb$ta*>*B!1@tH$I8i3WwB+zWaazj-fZ1xx0AWQ-Fn-??#D8$I;38kGzpa3RczoMYDtRgT-p z7I2WtLpTDl(jc=;dSji|?jaO^l@yYqD}}_@iZ#ZxxVLeEy_6SyTee7XPY}0A_OyGV z_!)s(D=72-@!G#6UK=mPuM@8=aXUY`ki-Vy7tsC@zARbu!RpWuh*0`A0NJbrw>HFh>SsD!FdVN|v zFiV4hbiHkf2NoOgz|02&+Yk&H@w^uOLZzUj>DQw-qjmkj>7ehh2-pVyA`!o0-KF=Jqsir!Z~rdS1p*M4*H}`BS$J|$H>)+$ z=RJ3)@VUmhb0%9g^%!m>xXo0`^_YsHBG*5WBuKPBER|Ac<;80flEL*T*D@YhldnMXcd@G8g-B|G&j{MY zEzR+sR;R_S)tK@MeJwj|H6wf%%$;p#u!nTJ*hCRqey+9+edE_rF%^QbQyJwN(fFR5 zEn%XQ=%M$i(IFNFJZAw83knMO&(MRHNiKWn5GKP9plQvZPtFu)dWa~~A=Ylt_70l# z>c>zU?IplNpAYE`1+VbOH36Kau<~Fa>^&``+O=iHKfoiKbPQh_MxwBzBLo%R6tkIS zTyv#z@6`^4bNx)w$*@5_Abn^gAFr&*sVFfCCw;iq^?J2jl~gi}8_=?r+uPLrUMdOL zUfl%^YJTCAoWam4SK2vpUkR%d*6lKHL{C32Cf5s5*oKySeqH!?C}wTHvp|(*pL$@a 
zj7e%$TgG=+zJ%IM+iap#j&HjggA;PSnu%CFT{%&-x(&bhnip~0M%HRW9gZw2xzhSO z{P|5WuOJ$?%Hq3vp9mNqYn9j(y-=&$NSVFPLzN@pm0-=~MX`5ryXXE#@M@a;84X4C zVrMaw%Yp^MOgt&IeNUMVwD{$k&k$15 z=r1Ftq^(aCRJsWM-VGH=qi@;Ktc(s~LtMq<`E{j_eB#sPkCis6U3cnBz3qGfqPpep z(Ai8F6zE#rD8ww`@MH-u4P73MvQa_bZ|Ua!wv>}=EeRG>sev)rCQzl%e=Ct{0ob1- zC`5k36pIkXsobrzU5)ITtPH*t^I<5}zA~({;7mP;gJ+dFAlNW&T?CeIICxo9 z5OkbGbGmGvg-?_Ws=D7P7i6y8tz-LIv$^z=_hKQ7?Yxh>;(Z9?Op@;wo6I;!an?G%IbHwq*+0Et6E41@XH4=D7Z+#P+u@Q)3FsEBPf7tEdgfr9qLJ7KYH-&nY zx~{yT<&u)(w(5frPW`xJ`rvvQejDS!gV)jtk?VN7 z)NKczULSF8rEI2iE%38!0iQuHLNy33!Zq?S!bPyA$w~5S$%4I8CM+yqJ zV{Uh8&a6Gi-ze64=Vi$%Mi^>f)bWo6U$Yob*Yet8^ekj3t8OrETaV z7CnB)*P01ScJL%Jt&r>7h#NCTVY~hxJmKf36g_kpyPINx_>CVK z$Y{WsTe;1#5`jBemCSD&hH4_w{c(WtYm>tFUq)g# zy_nfs^z_LDg$+l4uGd=)X$)q)7E&fIw2ReS+W z?D@x84LIhlbERZRMq&bFygQ+JQxOS?O08P$Jf@>?ZCIr{Gc61c;F-Bo0!e$Ub<~J8 zmP(@x7VEcKlhr`$6-PVG#&l8lXbkup5MxZHH`qZB;s|C$FsI;ODZIn?Lvo+f+xMm` zWc)C{tTmZgL`c$6=IAsiio}I$>QGGPK?PE&_<~{!ifC%26r@7DwXV$z>W*iu#kn|H z?t6dtt|*`y$aC_sdA@p=eu-iQL?zyg>3@?Q^gZ0Bqxr*_4Q1~eA@G#9xZ$VcydHmZ z;P+*p`>G$&@M@{}9NB8?nX_sW#%g%l)Lf|6Qcd&E>k4PWooF|6ec@cy?k0Z{P!QsT z^(?Qiv)vyDWQt}n^q$mKbON0K;ngre<$`Tt)qvrZ6qaN6DpP~3Q8AoBuE5?&2b4)E zqTht6&=-^)yT%Mr+`)10eiRQFw*8NNY3Rp(pEE}kb$jx48*@Tyn?^d;g$n)i1)b|V z?pKNo0PzgZjfZA*x7l^x)ImV2PMOm>BO8e? z!TzTF9SUvFL+(tHJ#U*xnH;6|E%UUHvBvPjszSn#=+PI|RC%$rWqQZ?Ax#CAr4n?s z@A@dv198Cj)U#9Zxpu-UZxmxBgVY)X90EA9m3~^JnINxVnF*C~Cr?`DPF)eoG$rCpd=SR+Rj@k~+? 
zH5T1e|F{*(%op-H^e<~bXaSLla*JS~1A>&_Q&{?`kz9Ug0`@BfH=@Of4RSi7FH+BB`jYIS3i* z8+>rB2}#%sQ5gzb(p`ma8;_Z9_ntV-<3-6ZOZaPMf90}c!#V{Un_28^|5t&nQP57s z=RnqPmhKMjV7zZoAYPHn54Ms(K6XhQu5eBobQ4{z<_GhNhQzf927JD-j* z8`Q132-I^Q1`zk!oTf4hQ>}oh0yrcw3p77QI<*F;y^DCF(-AFmR2o519M|@%`~%a6 z!wt#0C7C=V%(_&}HRp>e#?f=KFY3q@Kj;i zwMuc6Q)#8*N2%8+m?uP;tCS;ILC&D*n%MijrrOg{h6}_JR^48>v7{Gyh^N(dvmWc{ zI^jU|P*2la#GOq_iXD%!ehq75ruzAtqcfBzdwuxo=*+KZoS$ZmI;9=}gcWIC%Vzh{ zz}LH5N?m8IWUZis>#|totI74P`9rz8-J{|nXU^3gv;}u3Eh334C2VK6XuOgm5KB;{ z?b~>t?+!zqA@6NUC+e&~pLn@w6Yg>@d=+CaQ*GFzbTVm}xh>R;*~^`nl5`OSaUj@5 zpxnR2%M(QVFv2yw$#!@a<>)eE$j%_YZ7KnhY$OGXaf(OzYMFaoLB^|-79h6JU5hwR zK-rblzboF*z3XZM+vTTXRqdq_YU@oz*S~ch+kLxt68ZPSsyYjAPFcq)Q%nUAuw$4# zkFb)LcaH%un640ruLqV#t+h$y@_|Q2oJ|_~ajy|`E}LB(8H~uQ`!)OCU3u_NE@ycI z{i_}d;XqXWw)Yf*ffUSGGKolOtbq1`OpU+Cc=kKH8OYhNM0M;`-%VdnedZ|T%fx!7mfn= z6%S{K;*Lga%33LV+1thMe#m|!WeP!`CF{jb^Y1q6ug@Pm+~41Sntd)Gd{b4;=ReB8 zA3gk$-q}_CqkH*Bdzt(myYch3VYGH=M3^*r`lA!TQG6-=?3W)N zyaEwe_W2D7ygzTZuD=fZ-_(e9i_dPa+`pghwB}WPi!pr&bd?+6H6zNwXg>`@oQS4k zxg6_88KbOi1>V9j|H6ax@8%f!550WkL@_OpS%KjzBdk5exz#qY3Rl;3^L>VqcxzEG zBGr7ZwFTpm#K4V4V2oM-rpjoCYJY*wo!n1Hueiml(g*k4Wl&anr^VzuxQiw6_a>O~;d{8k({Cwz zrV`>T_hKzz=v3WIYc`31nzQDS06)dS<~<-~W0DqF^p@Edhvr&i8$lo`lfwi_xj*a9 z6~C)9_20RXFIw{T>rg&RJv!=e!CrcvRCJKC&SDpv*5;kev7}X$+sc=15yn{jmfH|} zTG31LP3fWd_<|GE9Tn7Yq0xs$6cf#ITHs)XKI!y}E7!j9DhmQ9bXtNUGIZ!skyyL9 zO&2g!*I*WFy3e;yVp>6C$xe->c4)B16}d3zG}ST9EJDk?IC--5^{81Vjvs!p`9(ME zon5ydCI#h2$IFzH5TgX8jbsIzD@L^z!B5>!Xvmzor8tC#Iwc{ z0@;b{elXD{vI^a?s;(C3IUQsDG)QJ;(Kc8Df-f|Wm?{GC8%=eIMagk=?GX{G_0tqP z=!1D)f_r03GS8K0ho0=d(8tM@N$KhCLixrp#KT1gc2|7xtO6`ptKXe|9`qofA7e-E zM@(nx-IdaS<7HLN?w)7_QZqir(E5z}9}u%}sH_(l=s;V85oFgiJAAoj1vS=*W*ANi zDiVz8=4xKL9b0)LLT_Zu2<#STMV8JC7IfL19}eVs>qdRKwZ}vW{tI(z&N$pr={&`w zPHv(24_Y=f)G>Zrdyg^QA!#E|dBwJ0&mQk*uf8^js_H2@VsU#g4>Ki=Zcj7<-BsPB znYN7gvrP9r3y}F5r?O%r04Y(Ruh<>X38X*{iYh598ad*;1|%*4I%J~BXD>MY8|3}S zX|Rq_1CdS)S;*N*yUSt^qob?s;=fpzn_URhu--c(okdhJ!b+e8EgRiE*_>PPsIq`G 
zFHt$0<^s}9mYU@pG1L#nA*A6^Yta_WmfBb-_k&G(138Kw=jiQF6en|QUO;_H%d9t5 z1N(l?7?`g-8UVz8!hD^+s8E(ZtkYd;DWQ4!ld=$5A+9^7YF}zR3D~+x_p?>XGMnFH z)8HdTd|N%vrB{LD4QH_+F}+!=G@mfm*VDAIfNBluzNVP@FW@h;O8keH*nsMp7wjoF zkXwXhGs?cLZV*Ts>eqn@@FZE|+F7(?>z*YTF|$g@B&YVb=6aP&#a;umrq|8(JH*a9 zj(QN-0&Ww7O7GVHX4u8a4JV7;&+7$_%70G_gvOKICaen4ZWH}hx+O#%zpW$P5%GY< z2I92Nq^L9c;ckIQWi1;z%p^rrp+7(Dy|6Chr>Ekz7(E<4Y8?gc3^B8;Yx#;53p$(e zN@UtdG!^Mkh2}y*RPLQtgC57U;2m?5ZyeRWOlaDw{7xL?i>6#{Z+W9RTd00Z^_W-h zC5lB%x@g($CROPY3BR1>6J;v#MaqnItTGU6OFxTuQ6j6Twau?qW1#JBARUYalE0|j zlJk(-b7u5-*uh(v0~_u5w=>1I=>K?lL?tM>(jHJ$F`U?qiH_cKj zZ)yF6OLEhc^50AUn!73Fe-kNW+5?7Qy%{X1v8TU^WIbVD>r^9Mr!-uo+hK#R$?vJE&C#lSNsg}0Qa z7GqIg@rHcNZR1)M$RccPUJ>$Kek35OZNgsFpz%SRvJAUq3X*jPd z-%+PZCabC;(&*BlZL%nn=!72K=|y5<#8C z2#=Fxl1qAY_)xT5t%XUAR2deKD%B^fnojznl00iDyZ`y0($sH%n@p$b=aS{Zle~3# z2y}m5dDqu>$0sij&yUW6>g8caN{nug!ttl2#3!_Jm~e&8&q{A8FIScOac-xJs0b>o zDza-u#QFJJk`P0w%EdDv!hybxrE4!I<~*6|WH!^OR*2tNVRgN&C_<-9i08WjZ@g{F z0&q8XEnf?}n)p?4!#<1aMuWyW`?sHo8xEzJ^j!tL zsvL(bgyrh}N=65v8h%Lm+gJ1iO~zgI;;YAZ5F=x7ZqeU%aUdC+v4+!CIdl5Z%+yX% zt&GlPWVx{by&^rRx{zB>BPdK+1=JCrgLy&gg5!ZdR9cQfr0rc~{580$qRxcP2>lztcVsxCmPOQHTEbVQUhy(6Z!*6-IM;{UppQDqaZk4~-f0XUIg}f-IZfFCH z5s;_dV?{}2M|js=`H%MxaA`iq^F|d)+sv2!rE61KeZ2pWbMturi){BBCsLf8R3!00 z!MT*21{V)Wfs6o^QObb=7KnUbc)d*cOf0d4E?&2?4Q zW6$XR{kJE_29HD^iKOIJe|V;su{)EQj4k|1qqGL23>a4h&yX0#X(&UkCKEi~7hyxS z(5`8(GX7(<%0ZAG`fer*YFD{WA8m+Z?v2>SFE}R2_M_SlbxAaY;2uo75`QF}y7j6Y zhoCf9Di^h~GBjfB@+8I~JfDD=Ej&(^U#syU4iW|do@R^4^S68vy8A_W>>|+t@DJm z#CR~;>7^vw*lwNRqs`)~46X?^XAt9!dON|9HWL zL?@Iar5`apb&h`BIs7LFPrL(^mUcAUB%xa76>8wA~G{V-g0O{%gdgTY6- zS5!02RPxHEaC)!lB=K7S>uP!LH*|&Y?9!5P3-Qe$-zjuqq!r_^-Nm|4?q3azCnZiK zO3M1<_z+sxNu^d{d+tJLH3YnnXOH#|{5o1B5pGFKq?X+mT~O&YBsW2vEV8PoP@V<; z_Nao5ES_G`Ld`y{NHT@jb_WP#*!p@gxpdSyE3y}pLGO#ZK)I9`)0=WCz;P!7 z=FH{~Y8sLh#lFxSh*(q8r4pV>Md5d5qDhTYS?d}@)Cn8}%y>3~Jkk+f~GoAxm`SKd{bFap$6eivenQ*K5W zhHUP3OsUB;tpuA*>@mj+X8AFn8VAVH<|v)!waS?la|LQQSmuBaCIfXZCSmc9AEIzfPTPK4W1?^yp(#B!Dzx=sxk`d#l^auH4!th5-ff5`fc_~ 
zqK^VLpzjvp`!KCOUW_s9qNqh{l2NJ zXGqegKthn~ojWBZIQ3=w4b0EisQS1SL?QGu<-!l3GKM*PpiaRQ(R~|#%_D};5uzm& zjsnYD?`}3nxpH01meOq5tQAT?F`hzMRt2P3t!)N&T+OhZA-l@;WA}ZzLeLstRSW_* z)G)iY__mtHT99N`3HPg045mF#WmX9E0ANaXl<_b1a)Mt%!L-`NR@~LID48Ij9?oit z9;bkt395iw-I>rfkbTj0BGPq33L@=Ifk8z{0CEUbeJG$lzz1=V+&lwIF^6?8dNm$P zH&lD~WD!tLLDb`Ni7>gS{PW7`JU$@*OP<+RXEwTa#)G^YN;b%RYfqvmzFH-cXrhI_ z;|QPA6^hxV?NLB{$@Yb`Py{gpM=$O9z~CU8<3lL~f>QpP{DB6vm9yGGFe8VaBEdMaxj6k0iR!5_a>})+d%!-m-yePC@EY!~qoU_!W zU#Zr|^bsVPM|t;e1ld5}R>Df+wubvc*(3(nTEH)LbqPtJ|ByvgjgAZVEMBsp)aABJ ztZd7VWrwqxsi{)#M5q>Sm!as8rjQy%#%=+qxgE9^>qRHp8-2}uPjN8UI{X;DGbzS; z4UR9W=`EbYu93Ax!s8obVkOnwO`TaXDztNV$>&Y(=9+~w!mWy_g_+V528 zVIC?AtL9l>i`PAqj~9LK-ZVUS6nP`gN^wuLd78-D#u&V%<17W*-#{5gp4XJlD^620 zr8eKjg$R-d$*xs~Y+^bF zR1hQ%;4MR?7HKr)x54rmB8||0v5}`vN15`DL}xr;Jeg#!rjD0etWhf0fQIXNc9is$ z^069f?lotwRQ8ry;oq)&m?2cTW^-h#cQNi z4Y@U9;n^elR^l_7mrDPrTPu*RljtRyh+dSkOT|vMk_|3=pUT-LJb}8zYF^vk*tj6z z9(6r}XY@JR*V0pX&SZyqu3I*;>**&^wGuzIUS6%-+4UE#Rd7cKeVs}XqI=@3YSddO z1KQI80rT%Bal*i}zg;CnWKkVo9e!5`@oMaPDZC}$9H{?Cyy4O_w_l(ll=Zx)$z0+| zMIQg}A3oa8&eSpTWb}IjM5~(SanZsR(x{J9lrj0D#c$voZD3hTgPf58(uG2f7C#9@uP;c@Nq> z4;WD_;oWPR{e%7ZkDDA!9$;u5;u6m9zP%Asry)OEbREfCLQ(KKBmC&({M(~9B3WqO z0y0oGVdj}h2ao!LQFhe% zJ*x9?YRJnHCW1PR6YnfXRCkO@IH)vjVTSyEOl6)=1S6SkA?RtnZuHnxjQ&icWp>?B z|1NT7d|yuuLJ&$igkERg4N!>KXSkvtwgir%J zJAi!(O8y#5yk#4G9L(@I?Y-dk;_3^ zko;92qfzXR&7;(zg8m&UQTZH7ZEY^z5j1(q$V2%0rKF^5@Q@XEFuAgEIM-U$$P_WC z>vh}#twhQwh3*?}gHh~13OlR`TRYk)@=A94;0OJjpZAp(h=a?0wTcM#;V<6fVgShD z!{mFmi9#12{Hq%GQptmtYC!ln^)&jI&Y0DnwOy!m{o0O_cm$c zcCS2$6+P8s8Hg5J?FmmUz#~p_zb~iQf1$6TpOzR~t~|^qsXn8{tPY>O6a#V*e<&uR z@391uve#>XBv~!FwxZQ7>i{9Q0c(L8M8QyJqrR^LWUQ9~x4zB@$E94!2sACBHwY=z z#?%Yjd9E@VpXzRhu`J)%xnCgvDm%ibcsJT+)akY?IqE*GtIuzLa%XM59+|F-Gc`@l znI%$ahjoHutH-Fv?96FCftfJWvi*h5gACExd9nM1o9;hb%C@-CG(c>sOMSa&@(VJM!?{DbQ=S4UGaH^J#BMi%VY@zOMSmX9Uj+&AqrWtGif!2 zm|{zi8dC3e<3YQkA~t&0_$((usoow&nPuBAtWl^c%&r6XwfnV`rHc6)WJhn_jE`S` zclh%7`54sYQ9)(1UO>_m3=$t&oK?gs`%@Z|{oJ7e8Fm2IT82wa{Reul#P-j??8l%? 
z2)R6We8*b!Nc^m;vF$dw;6>`@&Dsrk7F6A(>k+Xza_??A?)i*J zo+#6jxxJYsnJD`ae~o#jAdFFt+n;HG?6j%XALHhWa9t{!k&U*vz59}Xw8%_=Xf)UIk# z&=#+ReOV&sk#L=nkYrWJ3`2cFNJa@uTF)jV*q`ZDZI?)7BV{kD>W>s3nwtV)aq_48 zm0tH=U~RqkX;m^qQ55z{EIs~GU#*kAeeG6iH=@m^Ba5weD;}ogV)0Q63mW|9PdxVq~NRjg*hwuD+()|yotZazU6uPHm_eP7xW1QnpmIr z5B4YN``wLwTtnR@Z&KC41o%*EbURZKl{QhFQYEhKQ5EEISXC0fm^p^X*w|TWo)fv{ zzxFJV@New77U||NaZO&tPV@!k6AnM|rIG(E%|cB9J{}xxPH10IvP@mh8ca2i_@cN; zfFBm;a%KtaXwpIJ)vw&B{!yV+nXFCw$$odFzy7_CtjmYLx>VVi() zTt2+R(+)I}M6t0o<8giLM>Yx`dA%*?Exzqyv_77*E`a2ilXr2-J-7w`W^?ej(a5~s zv_mO-=Jvw$xc=UK@!AdJ4NjHTFvS(r3yH|xa!EHwM>C0(JOMnkEe}XF6E2??axz{a zBFlka48e$exx5`0x5b6)K;6y*3b;K^@3(k3JJN@0Ls18e>8fbwA2*< zQuDP$5@rN?3mo64K>>BeGSi&~5>*|06uK*X6v z>FiKl1PljR=mWzQvsNfPu+@5+qgPB@p0%ZVOZ_-hSIN#onI}Hfy16Yi5PNyc0$t@x zrB;xM+tPx$4s#LcB^~`7y|@>0tG#|s09`e!u5N{|xvvfP`ISDq*+*hfd9{cbK@;d* z&k}>Dfu_t&{f#6PC_lQ<96!yxrHkhd-G2gQI+=~}qE(ny6V$dzTd`>2VvkSXKhfZJ zL^8KaB>Bd&XsYq)`!6EuS6&mcHCVYl>8d6q-Pg+w1!%LMUu1Xmvekn2^GVuI^z<66 ztgCxYv*AXB{zXqmFR4S7!f?SW(@2%%84IdGTb8uT)gI~Jl-VzNtF}6T^ZcDXomrpQ z#S*1fvzMrtxKfy2&sb?B1Q5{H@%a(>Wl&Y!v-1mg>(ToJ(Vd=xpm=o;qhc6zX0S=& zKtQDlbsMrn7MMmbRGbwOx}+^4+d1a(_i4FRMW3~kx581CW#00*wmN{kO^jY+;8eQ+wy?Hwqj<{yJzp=Bfs4#=jIQ^s_2GLyP@fqL#49Z6@ePMPV6k9u-> zEfHlBJ2Dd7oVZ5RKPuc^0gNZ@pg>S?Vms6Ff)b&9)5e#1BeRj%*aQ1Hi7^F#39a9l$n_=Yv7xIb( z+!Bbc)MSR*wtszMwdfMKJtk{SU6k?i8d*8bxditd)J?I;>9(Uj9T&AA5Q1e9hCXBJ zo&$l2$sa27NWWaGdu(DH3 zrMmYDv7#P-@$InzeEom2bVXo)s#_*;%K?hP7R6WyjH|R1XV7wx0 z9a?#hk!7i^oMc+9;RCxxe7Q#T1Nyfv)-}`ye{qRb)4!;kv3=9uJkIs3GQ6qcpwP-p z60mZTQ%FqvKHFjjXwhe46zK51lw*g* z@(tUg$eoBH{F=Q$e3OLs6-wD-xuQMW@i8}IZR^z9lo4CXC){jz874g`a<%nVQ)h$n z9oF|=SWpJoP~j8wQgj~;p+fi(t=0eCmlY(*FK|^QyqaB^lpD9#{{T=+0|W{H000O8 z(r|=Wt4go!V2uF)ur>t%DgX%pb7^mMa4&Odb8;~+bZ{^>FJ@_MWpiI)WNm3~FLQBq zX=Gn^GcIFqZe~?f1poofmkws^y=iwF$&oht8T=L1(D;(H0dUdMZI0!0DT;FQZEhwh zw>@$XP5~&8Wdc=jRY4T|&i(H(%o3IHj!<+0D4k=+sr#A`^cY-XVl>4E-fSae|48cqkK4@CRr6%X`V&nyx>o-|2j`c z(J;@(>FvDG@6t)qv)=V?!#IoLNts83goc=BqbScNX_iEBbwE8@cU3hz*x7k_c<7ZF 
zxjT%9cS$cVZg<}1!yTDthu8L}d>&2XMf8xCcTtr`lRUqtVS-iN<_khcbG& z)2)q?aXg7&5(Xp0E+2b9Y(24rFrNZ)r5-d5eV;5I@?u1zj?!UV(eUW#(HfIrvsqqL$%r8vMek@&iC{}dKGAWaompJn?Ns@WEpi7_?Z`>R!%0srj&#!1xs7E> zSz%i<6@9jMO-ZCbjqqohYYinw>K-O zafWjn&Wnd&Q^pR}1!YHRIh({-J`E7_d~#>r^USgs>O5E|FlbPwMOb?o zb$Ji?{f9U7%Ma-!=S^+x?e4$e@5*g_dxme%lH1st{|+DgF0~Jukg3vX2$>uDwY$7= zqP4}n?JP<8g0|7M%U#=1UQp-YlWsYsYu(mu5is05J;I>GV|TCs-7yxO#aUh^bhe{t zt2rnhjRo&@nhuN4YBr%e$j$Jp|7n_La{&?&K5U>hiWm6jAxZA>FVT@IOKW_W|*|wF&6B&A%gi2l$s_?x4P^S38ACl}|x)erHf*Xt2%Z|4(2 z>~*7~k#_k&uR`)Oy8onoXo=}qd7mW0V1QqRmqgAoo(R3rhn#qdblmPlZ8U8Q8n=0n zHjOdGZ6g>}i&?^3rxQ+#D1XS9j{(}3!T}`2Inq;PYo)&HRx8+desObr5FKW`#4Zit zfQqGNdDVEXv7Ituw&Pmbgd+qz7;++&aqU(*ei=Rtdbl zKD+E*=_7F#g9y7b9OpoEe$uIty(GjF%!-^SP)WCF$~{7a7MT6p|J62qT)O{{Zrdyd z6;;lUxQPOMg-`-*N<1bmDD~b-dbhof@TYtF?|z5KO2j<(-uBWYys6KdhB~Gr`ZOJ< zNznl}LR1laP}YD^q|2Zc(B#jz@v{AuPn0)Zf@IW(rV~?c)@Ck~;$u1l_R#ewZpjv| zpEsaG^RHTXa}XK<{UW~&zYAIkVX5#Q-ApeIbJMtAxH`&Go#wanBuchKTk#y^@ zCs?CQbcoj*%xt(Y$jtEsujc~5^P>|I3E~V$*wgJXS)5MOikVsiY7_viWU-!(LuC6Q zUrCbLw&=bS$cx`97F1l)N`iBiFcpVaBqc~ zCqf-Ts`aBYb>YFk-k1q7Uqyc!&%WZ2$^-RD2qT&8u1~8T-haLEC;3oVz9M-jNNnp9 zQMn~f=lUz`g%i;vam(GJeUpP-X6KUy7=HWhHIL{;{1nLiy0IZ?n8e`stL;GV4#%HTwk-{r=|Wa%Zo% z7meu|m>ZM#-~?fzs+$61j6`IaSj2QhmwfXvSP$X}xF=o!HArXl{-vuyprS=mfaL=_ zyZL=Qn=PW_MM9%Y%1y$Q+ngTgyJ<)I*@)efOaGlcrb_oojH8ui)uYeY-8{QbMzklA zcgm_i$VUreVLtVtOMPUm3M2 z_F?-O0sn&MoL46|B3pSW0?m}lI-B6Y^K27$8b1$cZ=*-Cg*raOg-y+O!s%p`S-_mU z45A4HE#mMoYYM?5Iyx;H!Z&;R}LnZZwk`O^K?C=cfWso4&oa9;N-cL=K&OikOU%qf+Xaop{36Ge*LmN=aLVojw z3!z(`PUq9U$Z7p}G%EU4ktU@_bp|3WAj6py34hyUHSb8?7E|P?6A=X>$&U59D-6zq zgjR)DPV7TZhzZ1y7hmD#@klh(qql878}V(Yb+b}_4eA9Lw+hc#ysh#AcSO{KB5up* z=#@h8EcT^Gms3of1V-Q&ozQSKXLp^5Mqx8(_DMiNqCC&X0# z{fFSjdh`_V9zgPEq+YpMh+{QcE{X!S_*HRH&1X+Z&#dg|Pm}5{AFZC_a59PbL65W* z8=^sVM3obm_&$Ta{4FW+{$M^HGhVGHe;K_B;4ll871pz@eEs=Z+S^;Xd`BMFAnD`R zfQ0>#yn4I6U#}ehhsE zS#ZLnzvd;09&n@Zc=kEWH{WQ_<6aY>6HzO7pVKaiP((MTr`8Fi7OfWj=2&8!0R#yB z=%%xY5B#{fvk>Y-*Ts^V4bI~!5y!A;^5_FC{0F9-^s~G_n^tprH_G9Pt;`itn`(aR 
zqH!0EVY*ywvKWS?V$42H>2m=15U1d9>ACOUe#GXjXraDRW*L4 z;V&*>6uXYzU0lJ2L7zP4DfPvFf*s_=y}TLcVmly`%W9q_`#=%3wQ-xxJM=TFfzZ05 z|6uCbJ%GPWG>YloW$kF1kCF~S;hx^qd6og!+I-?s_Z${Dm`wJh3vJTcGbyB#PF5^L zhmN-Na>6KjexO~>*LNtRt+bc)I+%y2*)~@p`=ApgbVLddRj?;Vj;wKnYQbPkEJLDiu4u`a(m%sHt)w{R@N_6FZ;fvXKDGH zsBT^=UtjKZF84byj1Gx~DPJG$b&mLVF>5DuulEl22z;{{4r!27571*baR3`Rx_mE# z^p?DV*qZm`TJ}2oo#&kwx{^Km`DN!@?oQo^G?u}HdvuQqHf+3LR|;N%nsJC&OwCMW zO4BiG4@qv2(G{1lCBB9DFnYEpyLKDlcTrYHgx~dG9(J!6UD08sXl6$A*Rb`LF zQAfgJ~_PCB~N+OD)m3E5~7-BYhp*L0scFTCrM-@SQ% zO^t5hOoEexO;nAh3Kv#^0Q`i#Lo5cM~S?2hpie2zbjVPE`7Y#~7N~+on9RM5M5jg;9;^qI=t+kTpsoL3)p7{DST4ce*=S& zSd}#OZYv3D1ZwJ;U?R)7b$vnzXj?H(e*~tn<^2W0#{gD@w;dslF(Z&;V^Tb4s;!(( zlTk_tIT6=akWagW>4-!??g?EK2_e}~9y72U#K(`4xVmGDntD^xjc?lu+xoV#?!(-W z*fVdO2IjcHOX7R&i5c}F&2g9Gd6mQ3Kje$3i?oOA$ndzs@@1qBdD=S^!VG#=UWVNby?l(Nv^`q6`2yaB z`{WV$7&~wwS08q$6vcgcerqn`=7rB_`k=7^KRKteydY8w z9htZ+)u)YYQXuh+@JpPq%_~Y|=+ukdY@Zk2RmSB?II4tiaZ?y~WyPj`m=hKd;2s69b9giGWb={e>{3s}YA;UA6#ty4Jz5!KH~M zp8>=AZeHQhW6qa;7GB@Ih5X8U;?|3fShMZi)TS}q-prwFtnw86wLZo{%s}BN6!5Kg z+=~$DgfT2=hsYdz%Z7! 
z(_3NO864&AXr~Em8B8S``w3-b@neJgIGoYu2zlXMG}f(v4&s9*E_kj;x{dj=JiIzTIoF3G*bgD(W)(Vl#^QfS zM4Y(`_KGc_?v@vmrvSebkYo%9e9P|HWf1f)p4=PXPcSP|>_#=7F^6oh{BxJcl7*9I ziBcHJ*bEl~)vluH&C%t~$)#5{S2=dMcCiub8NS=?2pWe2n|=#ud&%Bk(2L>(HiPjt zJJF^aaFglSX2t8>WE#4BZ@j(zs?Pxe1LFb7_ z_FCD-vgXHYkGI42U>SL#@AI354+&)cY%R%TT7%P{XUz40Dmmf{eZKLoIx?-&@XmvSedLuKvx7vHee%*>P79}bFhoeWjr=U~ zIlOM~*{n{?br* z#SbH39p0(->JG7r9VNXinKU1;=%i`{=3oeFq-}&_l81U;y7(z^!l$>9KU7n^2rTH& zGAMu3q!i4+mNgZ(ZT%49J3p3z%n7Cjd;`081P4a|@X%p~5kr_l*>P*5ku0O6`$Qbn z$)!ZxfHzX^#!n=;Ay+TSKBh&Ufj#R8orfb3hU%v?b~>S>V81vCYf0orLRw^HQ}HXJ z*y8M>f*KH5LMfs)8nlVwp>Fp^bwnPVUPp)Sjm8E=xZ-6T`fySo+N zg9W5cj1${FM1v_4Mi9sPCHcmP`$}@nn@k0}`8gr9;4mu-9Uwg5ALfpyDT!J$8qyl4 zY_#@tFJQ?e0Wu!ZY?esg-pD?3ka^9tIU72U*bNEh8U_lCAwBl59xc=(`7 z-q+_pMIX}9B;g-IpNVsXv$Z}Da?Xi#ksQP=@~n#|jEz!N7nW4SEWefz4e0@qt@y}C z)rCHaK!y*n%>lp zX-xNY3;nl=hpk{;F+maiVZWTPZihWp=|Y!}>_2z}?97B-;n19IhYp2UI*s$bCzvRc zPt=cns#@_BTshQO(C1CljG<4{Iz%wOAN;A9F6=uaLNz%q0J@w8voqB9w#er*-Vw*& zGYMq`W0pEI)jE3wB+zyhuvQHj7{WR*Ax~zq#dD@#1#DFV@x1`Kt9Oz>|H`9P0JIRN zO}ShqqTmd$&o%R|2@Qqo%AT>*~>-VcF`3;5n~u)iy~*o zrAi3DP)24wb$z#ZOqeLs8g|_~W#pDc08?;TUV_*tH?;jHZ%Ir`CL#*uaWC;H8#xC} zn%WZ|P5UCpiKEHPSi^mlN?K&8LY?1U!W}3DK$z<5HVl*4`V~BzDSOqjYCa%!w^kN9 z0$~oZsMCBjCpyfEXAsrfJ9+K(tpSw?u=^1v%y65pd%0qbjHo)QIA+}v9j4cpNULz> zYS@hj)X!xk2!Nu5B2zh_!N1$1Fr4JhGuF2@zm1kIo4Mg6E}7(%?Bs_IAQm3>`hF3E zlB6G*EU;k0(6cv3mQHeEAtxR~AP|TwSqe@39IFdvq>Jfx-F6!kgsNT?}RdI>r?@QBT0B(~?;~o)Gr5Bj>)<(oAE{^v(Ph9oAHJ9+&TL zb}lcjZ#*qlHHWfKfGwO!=aeMI589KJML={&9Iu@0>(F2xMn zDhO-X)zxip+bzPqH_hW_f#)vgGv{MnLJ`yX*KkOvE7nmYP8)OJ#O-jADoV2ll59`> z@)C$=F*M9Y(&crU?N}%7b|cPTrR=QJ`GA^`WX2D~YHf=yx#Mo}a~u|%NMsJ? 
z_nrlQ4VeRnSw(&W+bkQcg_5gDHgH%M7dp0;{&wAHPK4RtbsC9XQ2^{wpL(~E9Oc(o zfe!V=^vfMYpZU1%Z)L|UN6_nSTnvb!^x38cSDTl{_CL}I>SpIf^?dg;d$2V&dbzs< z#jK(oe3etgKwor#;uG=NbN_Z#Z#Usf06{>$zc=5@l_#dnJ@KfjNwm)%N{@vgg*x)S zL|ZgZZ9^P+#Iq27y(8!8u1#q(lZo+8k}Jtn(n59EQn=yWl-T4vO1ktiy0KK%Kd;hB z`ZqcKEyR08whkmxEScxomvns2v3`rVIu2~9HH`KYceZ=cMP}xdL@gv6a0mLBM7Mbk zW-l&T)~)+~eFks>C$JR&r85Yj7mJqu|IwExr1W&Siy)Ho)~ssWLF`&iDxj_`7w9W3 zDqHTUtJ{D_g02tmN+LdRGJB2Z03*s^;ASJ|iF0#v%G`XxkzgYwzI;NDfCwn}C_K`c zfobU z&@s$sG$;EC$r#WG#^Zz!UyWh##4YO1k$Sba#e-v*7tmx8IXOLqDmk#?+4DGw)j1Q1 z3Bjhw8UYD<)u+or<10>%PFGWK()Wi)N5|LK(b2{E&DF)}^*_$j(d9pihm$^>TsG=X z)aL2ry(5MsLQEL(EhfO^L7&>lGEYORE>?$XUTQqf(v0Gs^g->3nRNKSt`aTe@&977m`j;_!GDb@i5Q>wv^y z@Zt7(WNw7PgAuI-Zy9zA8=BSH+yfpy)x?G*APo~*5#GWT=lERoDP0JG zyJ={t_oQU6XnB}S71OebL_Q!gjNkXoMOR~sZW}@^AI$H{&+C%h=kGZ;AISvtmCPd z3`SBHlS>o|DR;d;kMx!WO!4guL6nZVxBal<4!h#;=Q}t}HyqoZbk2Kww zx(K=46*|D-L=7w6fn3AaSV#d?$QB-0;+`e0$C`L!6jw1*ay4KFiB6espO<2^skt%& zBAeaKo<)#5-*CO!jU2K6?tGZ+(uFJHOT$T&ZJ5|46y*S5xa_-S8RPW}>L~}s?3}^} zK5gOl3?+W?_VDIVnxl#1>4MNM$4y9a1fSKMF=7*VhUjry`KG!alnG>Z)itX#>6Tc| zTWy<1UC-Jiy~2{oPUkv~Y9#f_dBaP6nY{imMY4mw)A*ZtjyD8?B& ze7)?WY9X}muTHy8IgXHQus`Z#*mBU-?ePVvL!2%5MEYoblXRGhmDCMLbVX7y8=s`| z*e{-8AKU6P>FnszQN36m?()gfbmAbXDH1q)F!$48C9HwR?ii|=#>5}>0Lo7R+b{Na z)e1nnxV}EEss35f?y`KVPbnkqD6vsiT$}gT$5;KM61^N!p?`T|LPT&S;PjXG|I;Ga}1z-l z&~%ZEBq|NzJI(oxWOTr6T;!Sa4sN=>^;8?Vq9=%uGM`3Yc2!aB7TMi%N?bW3tJ;tZ z?{cg$9^NB}O_%JFG{j+iB)peBa}qc;OoSG}xvz4;26lgLLf;v-(23GKKz74tkuUV# zHZj?vX&BMOkB;^JMN-X+45?H2*Lnh!iywB5uda69e6MRd+-dE+L<7T zBl$h2urfA?cD~fsDKE5Bv(KCF(dAGoEHKZ;xgn!`$f)EPCkueo9JVUF#I{Z0%3Rq4 zpM@W;GNy^z)VVk19;%NRA3~$*8IE59^emBVJ*5=0*4`h<)tw7ZtM!(ZjU#ue22p5% zUkkS=3Snk3w>YfNgi^Edz7Co>yYCjJ;^wczT)yhErXx&2O>UFdtuy%nf$s1TG>W2z z3~>fxMUlVwh%<3~Ix%dy%h?%8(oT`J#Y+L!7kH5Y#U0*TtWE@yL7P3CA$dp41cdzr zokfBrY8GzgTPOsChxB2locPU&{M5<`V*~{n{W=WnayF454=RZ=!G?tUNn*6|vPA9v zy9tJq3Mm$|KK2nEnk@jUy*d1y33$$F=;r7$blu{aGzb^0d6;X_tbMKySC|Xasc-pg z?mu>CajO1;ha_@2LZM2sQp4RLjyXDMu8$W#blA-gUIpLl7@TiN+gbTMeTXev^dM<4 
zo3dGY1o8Uf8Kmzdbw|eDHVpGx&8TRrEv7enHRVD3bEE`z(P&O%{W&O5#S`lN=f#QO z|4>L4tqmjw3%iGAs35w{DF~Rv5CLgqENK0i15cwrXOh4X;kTCekD46`YM;K-)I?x> zHHHeHQ?RKcDBtb>liy{;TwhOxr;-ob_%!0r+QEmt=+Esp`QXoO_tkm>>~LaKMUxjD z3XM8tA)dZF=Flojv&|K&wDt&`z~lu+G=tC1IdSnl^fMHLxO(C1q-Egnm5QOSBFjMJUh4@uwU?`BLA6}0VR(#S< zIT-9xGB#PkP>>r8DN1I-W!Uqb+TZi|LEIULPbRdBW_QWQnZA-^RodUzUuSGATA> zl>s{^xbR!sU`w-7?^2!_<%wC1D)G4@SLOV^ zgAR>yRb%?novffGR_X&H?tTJ>yXO36BCA8thc^EKSpa|HylGDa@LS*i0F$Jf!}9}Z7W58s>~NBoVXr3~nNSq!6e*43N4GmXo85c}3M z=Ms$y270e$*(*jsgFPN(KOCZ9mkX$^op;B|Ax3m6AG+C3YgPh10FvEq))&LjZj8ja zi|KZ+7$|xc_6~SRrB7+tESaaT zUT{%H{Lp9^(V84U@XOiZ5i$4gPr5JE8y7!Qe-A&<>QA2z>i-8hcDY|@932e=W|P** z?l}^~p(!Ttz*>3%xy|)Fo29J|aol-v&%yDhX*U1ViLUbr>KS&TABp1S5A?&kB1zs{ zzm-@RzDQOC6+_TBVssWamd5%BEPZ{af<)5610|gCCW2 z@JEhYEa!tPsa#B&%dExXg%04;9Z2g?m2C+uiSHb7$|kP)D+{S_fel?wf#sfYplbH(&sa>JB$Cp>fM~64ZZ+)`zO{@Rp`tZz~LBj2oYixG-x=VGv zUEXOTRGiBzgWng+cU%RNa7RPqy7P9lMG%Jf85lw{(}X2E%1* zCF*9rFgk|hr{+y^lREOeFIiNrh|?#`?_x_;0j1(39TcKP<#sN)Fs>s%!KSha@8txf zr0a%TCJO@pj?0P1d>S)}MQW9nHEy&jlgXF`^D?o$xRc;SF){>9s9G(9eKcJg*s&kd z%z_8S9>w<-&i&>DK!DL?a3c7xJYEhUsYD~}sYZ+_F2q35!fQ$D?NBt2X*y*aS7Q}n z_C_(tm&^w9l4LeDh;T)RQl`_X@0gioB4^93$LK7hKE3D4Xhl(Poaa5_gac&f?31O5 zAssC^FI0=(*OjlbueHao{EAWECeSr$bb;ii;(_t>uj4vsNX<9)p_~2`{Tajld1f|s3fK!byr%YG(dwL%?aWU-Hs3d_&Z4Ar$&4b{J z!|P{z`!DvyT98fb)@p_a0_;K<@##X&u16H>z}+W;LTS?|959*@kEK#^t45O`SU=EH zo%^-Uqa@?>(@V#Op8Ugfaha?WOuSDad9*Z_J1mmd+IKOKmLq6F9*T z+P&t=>AtC$iTH>}4rLB(Zhi#eV%huU!zf;K)!1jO!t3UwazGL zu4mS|j=Iq`U6EMV*E*vQ&hp@c8~Wge5X67-BYpB?GRnfwzDKLOc@cc{jy`%)?yrA(bX1Hd{Wyii@}O|GuG8Y%bo_5mj)`u8#8pR7$ru=YyBqEAMZ4X--TfDk z;+P)}UJF_P0U`d+$Vp)=he!jQ=9m}HD)lK@882QZT#kUyPHeUnl7*${?QiehW@1#?T|-r4X_~HA(EFGhaz3 zo3=*N>^t~3iZ?d``X}noT}skd$vVUFsg3opxmMQU0>GAE25uFudHF$5_b9h!8JJ#K z80{Tjg_c;*)$#A&pIjZkja1t<6E!Y$kr{jB_X$*=T=G%^+BNIe{QZn$OUYL) z^=l&soYVE%n`bbX&m^-)7_}Ad-I$5^J}FKA48c%sJ+>XEYIy`yqW-iVb!q8GOM|^K zS}V=0P)}FBFNY+8kwBy})NCRudW_V7N?J*OWfYtJYl{%q8_n{6$>FGn%`~2j&Mp}y zD=NIJ4+hc515N$q3?_X`E)g~gy$-2i4-IwnW)WzWJ!2j 
zEaFOzGSGwTF2zJ`&Q?pjQQJ!KSCKHbvZ4jyn`2gZC`Ty5-bOeqNbR!@JSwN!fBj|uK%(7&a$X<-#OU` z7AJ0N3PwvKBMGoqsI|g`p&z=$Mt=b;Bz0;~mIet7)6Am(3q$=nK)mXbrgZ98kx^F% zpvtRg1~3;wYF_YAaavN5nUDXf!S-Yvb<0}1y& z575LlRNPR*NudV~&Cv9&PCM!0D0+y6X41eQn!8pDqzMHY$HlbNXgb*>En!d6KC|JP z0clBbmN8zy%MG;pjZSu1Ci79=HSp^j@8fyiu(rj!eOh*_Xw^!_q7||(VfW*Nv z&x2pP{Od~D%gODm(`4j9+qzGxR>-Q{%V`3MO`HU0kK@BQi?@SQb zILjhHHHW`sh~#UDBHJhM&U-fljXKrZ4Vo(5vZ3e`7Pf|GhWg1!5Z+1%DrX}9bVW)6 zD2V|4xyP{ka}Rgm5om%|C=4Y-WIam{+%eALg*P}!l#j539AYp>z*E8>wDlctcZfC! zzu)HD+;(T%w%7IObiL>?`^u;>H{yq28?4f7b|G|qHknJ_x`34=NpvZm%N z#hn22hQER{TiU7NniN_>Kh%F%aKEi```;UybcuI+OQ1ix=|q=@SI6f!{qIlc=kts6 z<4%-R!&Rc~zc#_<5Zez8m%*P@OX~2XZuJNwx|jipm;Db^2GCRLIDKM&T@{kUBmQ5XedkLh7ujp4%~{{KGMjt z!jE&OlkjU755Ll-EN7e$zuI^vZTcjJ#{NBW)^rk-Q86}l`FGjv{^;=1`T4KFIRzVW zWdR~BYW@f{H(iqBN+)3Y z1qX;>YE<>UoJ!r}VA-}TRt0bcnV>gkBn2K05{qpY?G>L9hf`;UjT(WnCFwgkoKSNJ zY-^`qaIYX>v`())N;osL*Brj_5T!I9S`PT}w`)3!kqp!WjHs zbqKrjZj4`rgIF-PxQfdc3gLWWfLJj&39@;`rG2KQlyWk6bGOPBcNztzSB)k?K|yM8 zu86_Pjwgu7Ix^uV7Yb1$ag&L2PQzk7ZP?=ETF$fDbCP2I^zhdxp5UlGGDA6sL$+GX zmH}33*huU(G>@O;_3hGhGtV)1M+H+<2>9x9A6AcV#B(>(UGkQtGBA*r)gJz01kudm z%R`s{kEW2TDMIo8cT(Ar-GM%L5bF)ff{xb$h}G0Zq4c^c9In(}adlxBPIh*~5JP@1C8n6hcxBA1OOB*NG*326c(T&RE%?kvbMBmGs zKu!iB-=}B1sL*MWKlXaor$+gP+p8fRLrLBx9q_Z(@D1FSR`*`V8>s2>XL1&g^7YI{oGf@Rhs8;SA6~c>eMi-o{a*|xzm{jWtNjS^vk2Kinb2y zT1&+BjWlWEko2s*9A!D_<70TB-7~5$eS;8xz6JYBU-4h`>T^<^ISHlZa#7qfZCY zkFR<=3=@h(E@fV&mxiZ*rMUHquOyd^&vIlc zg4nVI<<6`rG=M(cc11fL6I+yanLnTDHe*+`gBVFQsk7bPtDHp`&p3ZLm~SMNzIA77t98W$no`UTq4uC;t( zAnS?{X+))#spY;_utqnh*DKVr;_BL!jOb4-_K1^kN|Asvm{E+;f!C~OoQE?%==bm! 
z@XpQXgvM^9G;DklwuQ4tz2&sl^z1Uay18Lx8$8gXt@EUM`(}In0CAc5{`3oxjDc(I zX3_K`K}&D?VC{_qB0nW-z^C$|#^VeT&Q{=ZsjK7E&zq;v(rbFlj6+ zn6jhFB8LJQ%MgA^!Ne|T*}v4d!yfO!TioR{h@P;nc}qC{)b{CzVzZFrb^Ktp+jD06 z;`-%@F0NL2h2ZMD@)HdOU0f3e+OApq@k<+aa((I-SkL32*7lAS1C1glTNbIb?fZ(3 zZFOhOv$3}K;py>;jy@&MWYKjdaF_FeB&*}Vvt9m_^x_Y}7ydgvoVWbq;-rZFGRc?R z?)8}v-dO!S4i8E#E$}l+;)zRwq;-;*=?y~-r6y14j$~+LRc@M~Zm@xD^@vN$90o9H z`>+KGooA{$O{W}LnpGix8;H7GO}Q-{+`}dhA8s-#=K4tgn%8jKh5fG)d0k?e*TP08 zqj2dwrC$g->A+oa!w)W7C)6!*#Fe@rPM@55P^8H?`o>SZ`c~F&M7{Et6!Ic|txd3P zv)I>xyQCd(Q$5LLwCrx1zSG%@ScfOpHb~b?Y(8?;uu-b4Bv{+jQKLAS=9xMZ8j|F` z)LF-m0bfomi_6T~@o65DIPB~1=0O9)ek61~Tb#<=Z+Yr-o_P(*J>5m-0jaAord1zm zyeQD+EjvFn^92N%54dwpw*3RU=Hl}@b&Di(7z8l{8Xh0r90VT;YU>wGZ;=&p{h})w zq4!uSYKET5)9GzJ)J6^Z>~s-WQE!}e((#74hDh*GI&U|8l0fEO5mGMdow`SttWIKi zTs{O=*l3`)xTt0T<9YbZ{Z4?63KX1fv(r z`d_XPYy^nml(J*CZ5w1C8`U6ZX^wr2)qI{im zlg0hKb9;kx8%X5bKo4&4Tz-A>JQ%_?ik}Z+*hprSyF^hJ8 zeXzTGus=B1e}3@d<-x0OUAx8VFhKs&xrzs#-sZ?)ZQv-Su5)#tzHS=*ryLjwbUS!t zy5PhA%{u-i{um?6+^lMNe4!&}-4)O6oljlg^xv@CAnO$aj9>_DPZr-I>mP?cA>{_W z4tYQLjqCa-*%IwpqGGRRcZ#l_s`iCUO&iXyTlAV%@!6ch8B^IUoaeS8=1`4AhY(4{ zjhv338*LfqwhdQZYb>LP7pwR14XR$K5`AL>puE05?MvP%j+T1y;<5NNcrv2j71CEgCUaGYiYZxuk1y zODxt*bxs>d!{+r^oDNKcI(0)ffSN1PtgGBWvUX0B$JPT(FjteYD|IN^ z3YRaKeTo-i)=o2~OurQ7!E$c7zyM_*I-0Yq(X0_cu++G|(@;SuEiJ)kt-cfZ#(a`+ zg4IHzl!U#3eYrm3#6m(Z{ux0-z?&^gWYDu;XWdHyHF0k~+*AVJ8+GcCSjS?*Skn%;&TwoD5UTSLdo38!VVau=`d$!z~TTVJKp7(9}TaI|w5WTm({mE#_S$MLZ|0 z_~pCcvL`Zg6kBezpOtE?VU!9BkP$qap-#95JoDP?>tc%}3dIwBQF!z}^IYHOW@bGD$R%v+?^!#TFfinYyU{d$ptjqrHV~`s(7y_5W_lXnY|4PF}@*zsILa%#3EGk2g(&NGgXHEqcRpXV~O4&fAfjIBfKs1{dGpO09Gc(er z&uWxHWMW$kB~dr0UuBCq4KxkxU`A;kMEt4}$-vAKi%ZMnyb+L#{q6a+tmh(=kg(b# zq8Y*@j}dP3YAlho4))e?78zcSertI#3r^@NYEd5;EJ37VC)dZxcD4S+1R|x`TvDNl zu{DGCPtp!=NGfp}-X(~R*!xW*jKv|qWt)$Kr@dpLK^!F^o`Y-|tip0E>=dfo!t|2P zUMmR5BAo?wkyJ{cc$xk>GNkL=5lX{Zkw90iO!Y_lde?Fg#&~a-EK+w4(_r8BQZcs{ z-sy;xzB@LG6q{!Wei73bk4>8LTXNhxk@A^`$W$nMnWp-^2f9cmCVioj?brFct%Z>L-}O 
z?(Kiu+ok_G4a{`W=U2L~84MgD?ePaa9T3^Q&}B6dBV%S!>+W8X|1mk*nk$ zW+GpS`>j0tuY3#_+#?H<4!u0q5D;q4$xK!+e>*VBG(2oqjwa#56Q@w_1+`c#;$G5^ za#^QhMSwey*Vf89I&ZaAe?WOG#d`L)q{w^Gb?!2sHCWR%utE-e2hbj>+=$|mJmkreuzyCc}=+D9SW;3JR2zr-GyX({Qj#+J$?pI72@r6JY+ z>8giIR*^d5(5%>3D(5d0Od1?JG95>Q071 zHokV2D^|4)NpfPri&To_xyZ!^oAuwLaX92h)$cG99YpPbf)_K0D%jxiD`H-t(cfy8 z4Lv!>eXKfB*=w#ZIxh{3jgz^Zd?*=VArN%<@9U1bA@Rk8RKFDFuoflobn1e9y;ZGu zvV<-&;$v8%6;CmnO1d>{I2m)*6Jz!o1FD0miB`>Fnds$o{3Ts*8-kPTa;YvQ?f|6} zq^N)Wz-B=#Y-wbM5cN5dq7})6nxu{Xg8tmH-apVX5!s4VP%o_n6Z|`55*pz)&qqi= z7IV-T*b6$xw&m4qYbkNPE0FDs968*QiV%?6*tum!w~Ld3F`b;3&U13*l^Jks7T+5) zN`7S#CAdOw8PfA?;zDmFoU7q>%I3K>hCFqKx`a}Wi>WM|_GF%#cOX0?!EevAG9K$& zwXqZy^o_R^ZP+MgYNSDO9}HS1L+GLr3%_P8>-UYb>S0I@(3ZQ*Ae`P7HG`vP?w5m- zyo{kn(&b6*3rux}(hEnY8%{hyx>lA>zTNNby@G(Uv;Ts>CK;+Ef)ACKOZeGMqiVbt z4Zn+~uaGh(8z$AqDE}*%68`Nughe3P9d6QJ;u%!+{0-KdOyk>(m7pavIrLXCK`Fi{ z9v7UAbsA4ngq_eo_!7=egFlE-gsLLaPj@C?#PeywE2Z_}p`|ZIbc6hA=|WWV z0Si!s%)?}m=lA>zJ?PYue;lPH!s_^E9_%hJVq{_K&!qkgGLD>e-;wxsu)EvcdqID1 ztT+b`t@;2fn%0;5NOL|tcS>%CN7~eeUWYBzka6Kh6fK0Kykt<3OVx1n1HYBYS6-7{ ziPWCuL-xxgS$z-%Mtxl3EDMw~D&I;T>W4e1)kwY)j+3(+vy%|Mu;Sz3cf|jjqgdJw z%iB_RQmpUDtFZBG2^yhifRK!n^XucQo9Is$@2{eZAJ3z!_ov5O*W1ze$5+SE%|� zdV29A-HW5+>+9&<)y0`KJvu!(KEJu9AuJGkC#i-zOp|t)CXIG}DRlz>e#ZfKhN;iL zUaBViGn@)Go~?2#Sm9Lg>=CSZguGyfhp2>^O65v>iY&#uOPXh@MUnxQBP=JAKzV>| z6G#3PS)${zlt&IJ=|_^njRXFIIoN3t7-|XWeK3v58&E&)aLjxVW)K}Vj?@%Lp`Iv( zQA6^L25d|vCFvn1&Kp?C7S_hAF@-{1>MS6*BG2Wq{$|FR zyKYc_UYIXtyk?vXZOD=AMicoIXauX7*Vdq5aASn4P2TLE$Xxwhh?EXL?=q@!H{oX#3PH z!T!dx=Dr0jYTcI`eI4|GCSZl1rq{G9`bM4;6MwnNvJ02Q`IX~EEg)&h-uLfn86pHD zxDwC6OnR22w|4`Cw@KhGKGkH1>0l!2a#Pal0C6MotnZem-Ta2NH4tnQ{C8p2HVEP5hTB5Ko4EUGmgO!7GDb&cO+{Fr`_oo@2n*g zU}(B}cNG2l`QElA&6F^FtyG|HGg>g-?C_ES+{I!5<)c&5iqN-@>H{^VR5t|W->DGn}du_p>F`NM$RjKp!M{{NkOjncfGw=^q*+q zh+|$pR=u-J1FUIXE5*c$Moh$>UapdXfJK6RUA!NG@zDDuY)E-*IZnCEl~k_lSj_|$ zsJPCep0RkesdC?(J;Vp;pL)CAKXI)((aGE6^Bb#4%4DhL_8@ZbARjIINL*j0e@j~U zEBc^8R+^ykCNOLIg2|G-;S=kvxmPZ3hR7U=F*)y~c#twPST{aO=2a%Gmcf`yM5EyQ 
zBnE?nFb8BNcZny@E}w5|ZD=|XWWo8-a-h|+_-c)IF&$Y#q!oLualY(AhUS(jO(Mc3 zn%RS0X+V+9Ns%d%MMJSKVIf)Aq;OmvJeZbYq@+RV4PUX#ztzNZN_}V*d- z?+tWv+C|_$m_=9O=x2FjfBwv@H-j?y zG?Ypm0503eJ9QVRdXg5dAHWgaBZWeR?DGHlhy!G0gxpz}g2^I%at2X*yBXl6@H4|sNi(wI$ca{YG zI78%!H?7Nb>?#I_4fri7GGharss#a!aM~<OeI)y74f=0`H$o1 z{rSnwwUBG2)hT=TuI#b58=bvr*euW8T1qi})E(4XylJd*;cOe$3^ zGA?J#^)w`?TSDKxt4*b3VvyXXYGJ8Y^lbzUsVjKBxu#MA=*)`AiS9WY8GF(D>bP)v zHw(l(OFqrCkeoW6u$TLCw#qcCmy1iXk7nkvS+;$vJx$WhwjflFz(U>Sv`Hxh z7}I+QeKUz)Nv&{@D4w~$tW8714x%fqv}9WD8s+IkUNyyuDaI0FV#wXH#HAjya$>M#=CFzU89U8sw&QVoT)1hFx;mJNfZp|0kGSO1mB zk9~kw2Gz%E5eu$Osg16$Pj`@A38~P_yZGMbkN^;Z+y}bL#RAL!X?dja(q!<-ft?j6 zvqh9{9e(OZ@c#cs635hUF|<*^UN~$Xub5lGO)nXJk@Vj0BDkz6Awka4JfCBpifMC#Nv!UuK%`V+JVWhrXpW~~m{^ixh&Bf8hY5)EC z59hE!0+qww#L5a{jbEL(^{Lj9Iq`D_v(IxY;faY6rvN zs{woQC>fT=SnS(lsZOlu7#P=4=dXk>5%Y`hjadx>zld9=4dzp@IE^xc+EEP~!$hyH z1XK~gu9Yu+pP^%3&=4ZUG>R);nfGiX_k1f{p3b({k$?9)NL{o-CoYVGG&)z(?-DeI zHsO_f+2A;DD>|qJ2UiqBq^JB)^K$W^(mm1wkNi~1o_aoQQqV?U{sf~|@)j^vr(utc zLlK9(2NEm@D)EpRmA}r#`xVZ7RqFOB76=Ozx75(>!_(7tZDsV<;T=-bd9bmr-!$Yq z9W+&Eg+?APK3_9dIYe=BYgVjX!sKLBA32w!o*vuySL0I5HO1F6Qz1sM3(d&0%6$Lz zJ1Y%obiuMBtwX&qLuNgZDF%_~ahIAc^`Uj~$2gtv<ReRs!P^ zQ|7h6!I7+a^1iE?d)bs)s6jB6MDvEUYXGbMLUK9Tny?bDtzG@dp)6XNLSc2H)@-Sc zYiT=#a-H5|j`du*(pp)?(p2;TLO34HveuLwTRDhJ;@3c3vg9_eIIm@W0*~39$Wp2@ zI6AUs<-F_=gO$;NDF0db;A+K4<}AvSW7d;yF-Jlh%(iiJb#ZESsDu1-E}3^6RWKZ^ zpo_fmj^8vEv($)4K_rQ|i3Uv4VOn`N{N+=vD_B`lVFs-6H2K}sHK(j^sL_|t+AW@? z^W&QzFRp%wE-pC|kv{2u%|8uKC}ngxz~rDMW!Mpq@>BFd!!jZBb9f-==fT<*d%gYM z^WKYf4HR|D9FkU0LoyU{S%JY?&&+4jkYf+lFB1o3k7+&L$)vZdB)N>(? 
z1ChBn=W-{q-Klp0ebdp0JP0ds--(`+)iXMO>_^B^YZPcMy)3=QAmvBLLx4R$prcd+ ziSI(sWzKrxdv=<~Jeuqpsr=ZwluCu)ctvkk;Vq=TqKhDv>hWC9RkmDHGO;pS{ZK6> zsjnx>1$ah@*=wA_@gdG!4kvckv+PQIGdOxe4Y!_fbz>*FvD#Y|f?9Ud6!;FRTA+oC zHehfR4GHl@rWVFmJZGJS?HW3LOJ>1z2PQd|AEjlG=mIii7=irR*o95IFIm+u1Dp}O zoVe_TJkx9NdQUF9r}2W$MIsU-=~#SY+vZs4Z-)J?N4 z{n(wRqmi*GEg`tJQy(-KM(T+vQ_QzAGPPCxX9IqU+!yfsa8o04k*fx=-k}U#4iH8d zoRgZx=cP+DS36qV87uzfu8xid$JEziT?LKhb^ge#sd$VSgZq7sWW<&>Y3$3>o8KAt z-*Dz39Fo8cn6Mo1Nvh30$>c| z7R7Z7jW;l@X^T<1_Pr>)dU_lQ2hfE|Xje8W;LQC)&)sN4qdBDJ=-uJX;i*XPGU6X3 zXwGE>x8-Sgo_)kiGWdMN%&k8t5INR|_h4|0-UkkYwn0}w9jFn81500ZilM6$qF33g z&H4KL{PU*uS$~!BYPIxT{yB4#u-1*su3#z;b|}?#(sB4$s0N^h&^@IPI3Ckhsz;M$ z&gL9&Z|R2vMx|q}kuK(aq2C;XEm$(%C3YoWZg z?X|oSF!T=inC26fiWo19|Iuigbj%$sfe&<$As@rJ${;kwYW3`*C z5QO6bmcd1xD6sa%#d=$gtQBL%ZlzoeNb3f1RVYUu!~KWG(|nd_VX$yX%r@cKlIrNK z*2nn-hsbr!Q_jUSXS)+Sk4PC#-Cf9ga97#l85H$m4fT;s!5)M!(C}nIi6w_I7AcJ_ z&{R>7o~}`-$sFIO-qEG;iKTnv?FlPUwqXb3)fhM$#&Ecc+t>{XJCq+@ z|3*>@{FcR**4qWWDTsc75nZb5VL(-)hCS__;clSVqVOAjZgqc9o#(2mqi zAQAG43Q2B@Kpe*i)4kztK9_yC9yJCa{cWw_d#e?+as z9VZ;mXSGMy4o_Poet)S$eLSr)xMm}qgwn0f55;7QBsT83NaCUlh?Zw(6sBP7T>LQm zq#CmLz#(v4TE@wJs{^elH>#O-98Qe{Q@9v(f0|7D5_u2H_iNb7g#gbuliU>hs`857 zgR8?cbzYcB-V1fyTn|(f)E$fMKj&mA9qz&xwlo%c#98SS7lSx+GzpfqC*5&b;mdX^C$a8h3HmlqEuK6B)pAdO9 zx@H={1_}rh6I*fdACiS+y`b^9+nDa=oD-Nyy`ES-vGEMZWu1%Z6%y{P=g&ElkrO5B zS&Y;_0`svu#_%prC3zEzIRdlS<~QqKCg9fv9VZ}biap*F0};X_M_pL$%UDj>G7r`Y z&(v>9DU>`jXbQrI5Us7@ci9|Y)|Q|MEmZ}w1y|5i9K)fb9GkY;Hp#n4W{K5L;~dr| z)h=PC_zI@bU;~+jPjzrPWXYdz-+BW4TCQzP-7Zp;R^2wtbm{@E&eWt*vbcE0j5U0K zh<+HKMdD?S>nn8qk((CY2Y|+1hj{5i%!>3QP7LIlzgxNtCWycVG0o@Y(q6(VU}vEs zisuY{Cy?f{oKN{=lz(T)Gt11gH`d4zbN0A|Z~`_28*uv`rpQ$Nx^{O z>1ODz={*Zuze%|258vFlGPh*N{G~Yt)dsH$@khlgm~*+8Djwdu2gbNJyU|Dva&+@Y z6c6kh2R+J%bANw1ouA4zMWXTBRT5Z>U8cHW{JQn7K~F2qe#82(Ll>j;U<`d|Ff;97 z$oSUStr*mrUYHehdj%I@^GFiah25;>NrZgj4G9!2wxz%;R0Ly)c8@>$;ur6MLoaM~ z_qz2~WB(U5Ceah~#unVGb98kYxfDCgn_2-iy)IWK*kS~NJoUt`TMHWxt5NKSZTDhqhyP@9^yjA=_hrwQ!0qT>NJ!Gs1al@ 
zC>h|FuT&7x30pQC9pptYo;BQq*v^C6a=aGV8Iy6%0xkg$im7({+N|*?Cs8sKJ8Bor z`Z7e@>`A@4#soYF>#SsWWf+_&Y#f7$Ql^e+)&0~<%Sho)kk)~74Oj;L6*?Hj=K4#2 z;7IM;Vci61D76 z(+NaSba5o|Av`RkHMr5qqP{gt2ByU;Owc!8?D+bcw$;Bnb_|68UYH<`QPa1&Na)~t z(J^dC-uNSZG)RN9LbCw@e2?gfO3e_ab9xdWJ^#SuCZI*)9KwF+p8QGMWg1u?u}=^7 zno+IFL+up_WXKiohNQx;Qzy|R&{Or{bv_>dWRj-1hvv?pTrTLQPNN%*ccz!o*%ELR z7w_KHhRyPBHp>X`=IG;ine)r@fS&;aGlJ<6DlJp^hnG)F48Cp!ppQ=8y3&K@>Sx~C z;w{_MefY!e!VF1UWrg5R81$XItat>#@$(*?KG*F1vh)*;q* z&u-pF?t4*}cnU?^YPBYCgTJ_jArnOyVEa@<+bEB=EaJrDCi{#@Gt%%{+^|?HwoRTyssg<0!m{?wEhT(nF_d6Q%+bVJL zm{~T8I=-w685i*_D7ZH;Tituk*r5gN=w}gPH5BHN{LyZi|wL6V_%(@J!_nDg-vRK z<1dL4ctUzdI?zAo^GfKS%0>tj zaUED(OBmhIGd#hbp=HUX>dSwZ7O9m4NI8~{HQZW910zfQpA9vN4xB4RPw%pmDFGp(*%B-vn&Tk(dsT1rv0vc5~mcQ@;eKwJe#xzywS@{Vur*3=SN$_~uA zBlI@7@IR{vqh(@hbz$6^aWRvkO9(gDTYOmF8~hNOnsYq7C|&8=Ni=|Y3IPDz)hX-P zPecX{p5%HMSy~3(Hclo9=47`4a~I^Go(o|&E-$Wb)M-dm$~Be3a+YUCG&ZiuHeK+1 zuwP5v0L89Wr7+*ExODF35@G^8KMB-JL1_3)t zd+A{aod?;x$-?f(6zM|}b1Z5OD7MIrXWBVagRXNa(^5#$^S%A=HoULEce~&1)*UFz zx(8(xeMn~qKZQ<^PMsU-1!lxOJ>?zwsBdH=LmeFiClCOsWyT7nTCPuPw=_B;kTZl> zi>$XX7E}6l;MXw;QSSIZmmon? z)M-B&B?v+MI~?-hE+v;-UAWRBBAQbdNwU!nDmK@vkR;272(F!xjbc`U#@Olr*X?f3Fd40<0Jm&k%8L8Q+YTy9koJ-cC&xT|9I6NXf}w2WiU4-(M>RMvwABgs=1b54bK-nJTZ zRU}Ebz;~Q|oq||Qf+1a9m*KfKtAGuS-(Q_thN56UZU`5iO{eM6rSSB7!rDiOh!#rm zP{gwtYvt63t;=C|E=wJo0ys|d4h@C2`?)tPl%!0WH7(z<<5}P{#e?N4n%1WQNQy*b zidow&_2!D?c0P%lb(|Fs^ zm$!^?D$V|1{nqP!)ftE{{`K({$f>Gpqci4U^BLa`kLslh+h%EX1*KKRPD7=`!ef=+ zCs`;#WTv&Wst)auE#o=s}o#zGUiGMGuK$? 
z56$240No1Qj<OT##nur;4t#%swS$$m_bO`w|V zT0EEdFVHBQ%z?GC^zmkq1X6%Jz)c6n4yTK`dUv${;@cNMZ~5`1U^M;meE-$17kk_) z2MZF8%=wC5^&z-mM&d3ZR6eW{b2*H5>7)IZFSS-}TggV-+g*tm0GsS3VrM&clqa4Y zZ=4S|W@wlY#|pL=${L6+SdgT8Aew^|d(5p25GxD_G7H6Vtd^dZGvm+_h?pH8okyIk z@%i4X?_9-z{pWIpMF5xJs<IiCph%POC-o=JS)SSh@rwO26+gxH?XNVq<2&RP;F&6)AXR{qVEdJ`s*nbyQ3D)>8!g}zEK9l#*w(E$?&wW2ItW`6V)B0CHC+^_T>8m_c z%NzY_h!w2%pNCj0_O~9hRyO|1@0P!ApYw2qtyjHV{{n$l@N>j8!h}mC#)KV2fJdrYxK$qqRs5$j4rDal^r25~!x@&4>@*(gZLR~8 z{VZZx4Xa{HXp;gqzcQB)G=W+rtz2bx(U_6Urw}QmIJQa$8OWMq zz`7z+XaG#1I##ek9F>D%c0V1y+1dT{4$#~E^zxnCT}R#BI9)oFC)DVTgKJIKAM+?U zBO2k&c5owud^*V#_K6{zbjoy^Lhna&8sMXDmky}Qw>%h|29hs6@i*gnHWdF>m`of} ztw_cs)@DhI8Qr7hM69KrcT=nwPNnP9*R#f~Kdxr- zlbRgX+#-pII($kCU|{3iHCHmGgWHUy{aCgDb^~_2A`F)Zjr%U55IbxQrd%?mEj$apmA_ zdb5RR)oXjQO*nzuR=#RewGuUfNc=xeBlkZ^xIPOwK=luU5y^25&-c57v@!-FytOxB z@tb-=lEK1#QPooGg+;sR-u)M2T;osR84W4}L}LHQWuaH1+!&j>cWL#S9@BT45S_R4Xs&~3et@xCcOXA{F(pOw8*G}mBO2e=#Y9DbY<>wk*WtC{eCieJV za-b4@hC?ZvP{bEW!(o{#>!Q6A5w>s#I6!9G3iwDrW2FKf3idAb3$*tS0|PgtkB^>B zJ+sBQts+G2HnBeooRO3b^QZ2dH_(;mapZ^anK^Ei-qfQ}bXoUFfdsl*`A13xd76(I z6$Y5&KQ6!Lv*DzcUI5^O&}aK^v%B7)ka1$X*?f&g8(p(+#gBT*%FRG zQ;=#3Ecbd9$rO~%swb-$S%9sPN{TI$IP7q+F=jd0%&vu4Gw;pKMF5&WbtjEe(SJ(}NIw z>kckUK|$rYRz;nhd0%W=ph*(A)pFa z7P#iFiSFx{^@Ou4$9nbDSPqc&(L}-OitK7=X(NNSyfYRp$vHPT(Ki(RsVH!oy4WC2 zH88m#Hlt*3-m308e#1_MQXZ*Zpw7yH4-~9;4Q0f>A1qLEa2X^{g5Jyz7N!Kx#Q&?7 zB6+Fe@M>T}I(aZ924=2qlV-vDV5{8%`3&c_43 zOwXL-xrfSAyW`ICuJ{WI2Q5`$Ed`Y;Zl;={Q3>UHSyp$&JlJ57=o_Y2HHSpB|aY~rhROBC_1nu8jR5ITbfS)ip3sMYcc^LJ{_PR{KcZ6Rci_PMEL zAF2f>3WERhW~d-l5qPRau|0r*c~VrDF!}8L^-Y%pB8=UT4wJrcSi1iaIE&@@bWM6*K|43>h7fp)m=JBsIJ)w&)_2Q@$ z9hGp0*oE6O0cHrYf4^U($vB~}D7q4l=riX>zhvUc?iW&sV=F}6Z70`AFf}3a|IgmL zH^q@1+v0yWpP~*90`To_^q3jX$dckBKqKxTz<@mV9ZwKNcL8NJReiduh4ACM|Mps$ zxgXVy9`?xRocpsQY|qeDyY@48K31+IBr?mG($8%q2XIFFsndlBr;KcL_J64Fzf|}w z98A&Y+uABTkiE+Lw^#*4*wo3^G|OK8ZufBLM{yk3Tbm`F76t-XaF%DR-PQJpHXtXz zrM>$Hm2}Il-()+(7>OLYo5}8`n%&HssZ%<@4iT%_xDd(;-q(4nTN$q|>}D(=;rfkd 
z{nPVkmT#DXm&t|<#pcvBk}{uhJrTTgvTV+WhbR-7{@Rfupe-<6_( zP$Qq{OrS5*mg#uvU+~H=Tx56TLBE)}!vek234uUi?2p5=cCCq!ZQTD{)bG_|XhYVq zdh{fH$rOUJv6Nh>LenWJ4La4>t*SN?0$nRe2^1ztr1W4n6#paHAHJ(3rDC+RzhH<&;o;>DOC5{w*rmXS$A1)@;mzJBctBCdQ=Ce zc`V5V;3|E`L@JD{>snaUz;FP%$kOD5Kv-foqo@I*GonS8OJs+p-{qbZ-#ZEDfrPFL zCvTmq7~aH5Zf|n96mLP<=u}!+3UN#X2OL*7x~D8N(O+L=!IFH?33Em?Y%Mfxh&O1N z?(h*aYTi+N^Au-Nh}3Nj2rH?Wl<*($GJG+Yy4Ae=ClE)n9YSmEte#&?B0h57Ft)ax69~Enq)F|4^L5aOA=TL zxk+Wt#u07l;#!NKCF-PFWFbHEqidFnY~8KAoXxANgtJk7kzdXHb`!5lnO0Jq* zg$SjRxq}-jxu~q)tnwh-d1czmTO9WzRc{a)S#tb3%v@5(jZMF553}>s$Z@O(KWRbHtCV#U- zW_e^_VC^=oG^yvtu6D*_6S!Yf_1km~CW@0q+B4H!X3Gg)|25>U%IrEE4mkqLLnlp^ zP;MzLn#_-d8>)di%AP$O9{TaSzq6(_-dkV<@tht?1XBAvS7Ac+zAoca_8EfmLLi2- zq7M&;4+7gzKV#X4hr>tsA8{gDQyAT;rlK2prE$XF!{n-~<4FZIJ1gaO4Hbv~F;>_A z8vfLOGnC>#|D_D2pHERLuL)VieH^8|o-%!Z+HPI*8{zc-iJjmlRcGPY?ExAIr|pdR zr_Y;EG8L+u^Y(UlRn6TcMF;0iUd{8#mj30sy_x*VzBSNqsTpQuuKy&PD^;>0Ej00Y z46R1b>TbaC=P|U}wX=kib!oR&5(1=qNm-4N6~$?LX;}%URMxu4ypA|;T}s`L_5x}a zNjR4Y|7Cofq{vS$13N6cM~7$U%CC65#|(Ao5<-xa%oQ0t#L;*sjtHGS?eB1*z1^eN z+xv2ZD&=IPOm>I0qR1DzALB$ADR>2i=@+7AR1H&He$O(|ZVLSpc|VMSk-h{V3KllO zn?})J=~`)EsER_t9&mt9@ZC;XkS_PV^(HFG*x@ful-p(6WtJ*2By3^{j4!R~qSo5H z8aacmI&ZG$E!fR|N%X%W0hAC|yg`u9>VW`@jTSz3ZNEO<-`m7B*+|f;61q~~t)6G? 
zNG5dI7*ewzPq-_vtcou@wzKFKl@FS#$^xL=7*-OK-dTEojP&r9bnhf-(bM5HfiX>C zH0VhRjL}#D21Cnei7FoeS>t+b@e1qHW2dANu5?R9_Fhni8;|hf=|y|qwv#WtEefTg zGdjSK)EhCUHraEU8h2>z7q#yl_^fsxP)?hi4|A zI5T8?N8&7?WteZFEP>_>L!y?3d6K#{i&a!)ygunIEgNG_$RO(N^1sA6rteo^TlO^$ zq%r!~JGHfqR?Yv}j%P=vQ7O6W_;B-WLdbP?hxy2E|&)U_mU3c_9L z-}zy>S-Q?2_VK@uzW#>)|MkO1O5-;EdYB!%E0FbQaHt6K?S4~?1y3pzW)KsAO%elL zIi&&{2y~%|0}wMLy|D(OQx#}~0T&SN;OTsJRah~xRI$f5=unI+A6c9!%&g?XF^7vM z*5_PA0C`l4#>9d(5-KClMG(S$VC()&rlDFjK4Cl)5e?#FaZNI2BJ(TZBiE1;Op00^ z^-Db)S$-u1l?ctj!v?6?p~ZoX9_^j;ks)Q{RN8*bYKb1c} z*R0Ycqcor;tPu-+;NXWn?e#fN8s;veiSly4;Fd(bmm7!-Y+)pxKio$)Xbr_2;07ef zQ;N7u*Fum4a|P47i(#6bHWSpsbdtyype{VfrIT9K>(-&>Bx;7KK554=s`7g8M<0@ZVrlHgOFgwoRLvBLvM9z$jZX=nXO$qby zv&k=yHalNJFlJK385guFna4q{O@bZ?43*!~K|0az`okf$@mP~;8e05<{g4jW4TCJ0 z$s7=ZsFZf+oZ$w*n~%dBfd9MrS5JcVaLF8;wt_eMC+EOV^CwM$;1ARtvNHi_Dq_I2 zJ|x8Bh^FSFw=6cE5UK_#;Kjdv(PlFU0?m8pd7?Og&`J9{%=UbR_$9|Px<`DijgKEs zy{{(1mg@_h;G&lhgRd{a!(~%IX6KZ_*lP%s6P~IzzEiq<&|&Yf)n9D%+R1qI#b-|4 zy+S4Rlm1AqTE33h7ptQFISqEqZI=MOs}8rxv=kq*%-9-K(Z&pF$jNScThGbi#$5L-XH$(hbP%dapMD$ z=pMBv;MLUEhfl9cH&&BN3yC!T_LXYRxJ?WA5pq>f2%y(<9h@a9Q*e8`v*xtm>_mz| zQ#G-?Z=*tF0anSc%TuySo>Y;EX7Y%BpDGT%lez6Bt)YSN>J(ME3^oJPw(|AWC!ajgbOYfUiQb7dNL@<*wI#pB4aYxU z=-?7N7xPx*Bd7ZHanmXYI^93LCCj8Y#63;j_tLmP9qP$s;qZUyqznbQrNV@<+%SE% z2WE6U2G- z@6WNi`-d<05BJaZ&VRpsu)n*FP>!NwM|p*N`=ZdTM`s6abuIadABFo})6BD_?wpdK zf-6POEL3NqV#M~99iX!zk%I)U#f<0#rPQYl-;-{da$IVyNRJD(3H8HJr{RjC`8)c7 zQXaW`j*3)Qss|S~BcW)Z8|6$rDyNI+lAdRg zyTIN|y$12X7vAp><#~$%51xf(I>px`8u#FlNn`GcDyAmE-GG-#EyXAkS6e;C7k8Oc zR|d?bwE$mIa15`G<8*6%G0oapTI?LXe^a%c{=0K|HP78Dx7bWo79GBwy_2)^H-~2@ zZ%)tlc0F|4r0a4g2)J+oYW3SiXbczzfA2Z2&eL+Fx|sxucHMi+Z_B5*Uviwr& z-G3V`d-vW8sc0ED+rCt;6(5dU1(<<@{z+N2lvV;$J1un;q(^(YLze9_CvKu$VACzG@WBvTOYdDR*<$6$r*QVFATsVRv zGLNFNC~-GX;a+PNQJ*W!!_gdW4M1ZbRlXsTbIO2NC^u$T8vtV)iVKT#revhWZJgO% zNQZk@OzuJrDBt^V4P#UU+fcr{sS~0Di1*nQ0p@lK*zDv1Y!a9*4Esv^!WK}Gi2|Va zKyE)morC4OL6NK3$=<>CnLDW2*-^IlhqJwt!);A4I62$>qPW)4to=e;Q0chfZN^8E 
zU5Htn7-BpwrKB@lye~%cR@n3EE)Y%+qPhRJ=FMztQeJG)f3{_L#^+dX$|v`{Usfb% z(tiUw17kY`Tk#DuW_>0;L_&E}Xr{BG^+QR`Kmn_n{C!_Hb0Dsn!Rr;$G|F`>XG5Ie z;g8-f=5FjK`_FDE79bQ%Np#%conr23!oRhQkrbn)i|do7X>i@eSH}Az`?NNiZ0lV< z+d_G~i9Oj&&c_#SQnIf)s7$u+rf}i}_%G~Xx_<+fzAnUjCcg>S1UBD20$=kl)w$=D zAE{lN-&Wa%G*MsLP&PHB_l~Juvtq&>WT|S|8%+pn>pHtEZUeX7bun>TY4pL3eE4>l z53^PIrCHt795YWs;hK>;(%Ni>Mp>~`Ux7x7=jk2QGy=ELnMrL$B4Iom6wO!a!_d$m zHxDQlQTZjUFK7A%Wgz=>N{D2n*b3XSTmeEJ3Nh+G3GuBn$nXVw#NBBqTF!twX-@Ul z8(j}M?E~}P4zq1PIAaNRgM1iQwAWeT(Ha0!zOdI8qz9jk?}_agIjFy?-bnLN`B7z; zz_o~xVIJMDmF))OL^cI!Y^; zPXE^;M;>;s6!rDhvwyL6{h4}=4*cAAH*EGqyxupe?5DP!Jga`rexf3Se?rcn_dtbW zsvvO0qZTR2&dv@bJ~$#@7qu(_94q@@y3TGszIlMB8@8pN)3&(n6eG;QW60uIzFV?K z55D^L!{$*k+%Kaa+_Q?GrW{0Z!hb6V|5gtEtsMOSQaNxh3EpgU_snnQu)V_73m4xK z@!>X>p6RIbOvQkeIGKP7YTFZ~XAj(OW1k8l-phpsBfO}c)u@|kS>}gP9I?yP+Smrq zwFA$exjAT!x5&ssR+#OfnO8SA?ii-QSRG%fx!a{YT2{mn)3~)0v%ib;d^xKFf4}~; zoad7q80@A{q?Kzu#Qd=Rk@`%HTTZHP1*2oL5+|3UBJ=H~?vpu#{u@jt>h ziFVVsdS%jPUg|3UvZew3H4p9Cp@GQ6zoAqd{J!%`K+{paz+ zN8jRqA3w;V3Qp1cO?mOK^LFMdvZU{G8V1ls7n*qVPc{)@7o%zSqxklL{^`C^jK%R)Wrsn>p8KDOS^*7db@y6)HM@E*CdtNfWV0xaqiVW0?Hu2JzXc1ndG z3H-ba#UAEXl&vpnghVZc{5rx|vETlM+v37wPP-3&YXh^r|0GadFqTlV&{%nOeNp@K z=Hwmt6&Ntqj-85BdtjN39LIucyuU;0!dGWI$M#ymKSGw{uOTRkDmel$5BgY)>UOU` zbN}JnCbRGdFGR`vOu9ixTsJ(ycvFjZ|AIMg8Xq8@#C%k0R7CWJktA0juF?g{KutH3 zxA!?ZcBHBYoW-6I5uv;Ii)x-+4x3)tCw|`yj51YNMD`N}2hu|*Ml?8H*xj3Fz6FVx z%1p-}79NROOSvF9vco=!b|q}-URx2OHi2-O!YEtR;`XMOkC4FRdX96NbU1JOTuj&8 z`Oz_gtEZVZ*?0SM9g)mRLRH9X;wN_wj!ySZ&(4pxPxcPa_)Z}qgo>rLU+$lDf0bT9 zvAH5i)?jL^L+b&B?3C1jx_^W z@T}2+QyNEHynoh8dZL8gqA~Ztbg_Gqu=nw=qtD^6pR=Y zcG;^93&7so0450=!q&&qS3Fah=M|<58v2nvt0!aXdtrp=22$BP=ep!gZ9E!&4LMij zGq=NMn^7B1AdDunw1s3V;m|37h23j3i5Mo^&cR8fQ_C;|hT4M=_#SpUJ{9+0|MZcs z9~~b2G5u6H1xvn`$&k`9GEpCYRw;kq_r%&Ef!M)G!_V`WdTOi|Y4~Fy%v2v5CC>4i zlkfN99@@u^u-?9{eBqowb|D^_9DUK!G=05^WngmtfFqBT-`9I*ua0)3lNf9JqTcxM z_)Xy!lwyF#z#CoW81c{?Rdl6VC8yYz0W}5=+ox*lc(B5SGsw-!agk5*YGiJo6;GuV 
zWLa)Xl6WMI`Z+WS1VFYr(R&DIPR<(H<%{TJ$N*g0}X2`4w5D7v1qb>i|>a(|~c)G%YN z@yvHc7(;9|>Px8~NaC~T-r_z>Z&z#Kb7pCj&!(RoXv87D;MD$n_4n1 z!5i$v2;RD>EeBj1UzioPnVuLjk@zCF$t&edFKHPC@)Yo}4CJCSkfeZ^W=9J$3`Iv+ zd6yN7thSiaKk%r3UaLy{y?@-*AJradOaZd#G)+s-zLe|1sf7W$>fc|Lc?KV;XqSOz zx}#x=uVPidx2g)GRG4%7cB+ZlP6vdDAZ`jK%~ZH{;r;>;D|H@E1GF0pbkK#R8%9$#$Yq) zxt2>SYaY0ovHc;w+`I(X9{z~KJ{M*2g0wFQtT+fi(J2JKbeW1Sff+}yYGKH6`Ht!E zxZZTGpuXpm(R`A()@v&aGE>AH28;R~GvsxuqjA>q6U@gm1|q)95zugm9`inCdff9# zT-_HD%fntY2MAgwlvAoThAkLfXfg?E_b5PA=HRFjNe_ymq@DDD#&+ck&HK9rOca!# z>b$`B%xIKFaMp+(PPo6^>A5pkr;jkGZ$r+$9jUzWTe%4r;QA6fd0lti&}{Fq6GC?o zeP+O@A+%uhi4|L2PH?A2{2)EHKtZ5)*SG}J@?bujJbQC;&^s&K#p5X}D2qfkQ?$y% z*@oNX@{f(?_xE~QaC1}9nXWU0*)L&@bDwdO*Iuh1z;jnAO_rWf3$7d zR{$K91(!-iea=gt?y^3E_XZ1&dONuy=wTxGgMCq06%$oVmehCX^noeYEwXk+EC6?$BAxm~9vyW-HAT0)|L$te8#yippm`+B9`NaNkXi<`1-$tTEl z)Iy^XDxLP56}FIcYl}xYgA_a1nXP4!IBnsdyuD314D|5w#CXq{1&{zYhz?id4|`R# zr_yZd4@IXT;J&R*>up6%~!FTbBBwOjIM zP~M&x+}SLfHkep$z;Ik{ft^N#TBxH&Sb^*-RhX1!S|6DspxBntsdf(;$OADh-uNTl z*9;l*SQgDFN3uJ!E3&mm4=mrM*GzLK`!>}(LjTH*+oesm=I?$j9FA?hwl<8$dAxmk zdiLt%O|a(qcVC$!EwZe7>EffH9*7 zrCD;ry{95)JDD&O2^N;d?X7t^CT~%Ps%9bVWNJ(Ed6Ckg(kg~fwbBnjG9(P}v38FxkR8#ToY6-~~12G8<)iIOA_Q>oFtME_E{>LXMB0jKL*|$Q2g2*=7 zD9_8+nG{_=(=a%PU{Qcz@KuyqyTft>INAvL;A~xtg1K9)!!sdy2VQ=by!p)hL2a%k z4t+(+70^hv$f#P5UtxyhFQn*KsTxIOnURpj;wm^9a(b?FlZhAtbJV>6ap#4x8bMo0 zNjy7tc?LJ>q|i0nKp^*0Lbvbl`kDP}a))f{f?*R}M8z6xYdRqeygVhyoHW>MP1Gct z*!X~CZ%+5JANS8*IgQ{ABw4hpew_-iQ)S!@%cTvun*kJwH)caBL~gcU_TcszWMA{S#4U1`dj60D(0 zsxJUZyHwD&Ul(63Hhw5wG%}L1Txu@5A7xR!D`$1Z+#=L4;O+jy$&0Vge>gkbe!Z7eyt1?F^YzZI7pOr< z(*Z5b{+(t<<{nJ3zMfZd-Cd&Pn{c9I85+LHZfTZ17^ z)~kZ&ayAFHXSRH$p7>ci_ln%VZsEd`rQP_z3aS-ktC)Sx3Yt0bKYtZFclEQn`Wq?) 
za9$$|(3jH*;cphr3=#0x&@j_jr{pC8R+4_DcrJ0q;-kVi0P<%N4{WV z5igcZjCZ$n4hN;X*}cQ;Kn(xHhW5p)yWvA0D)7e4+oZr-cfJzGSC}uipo4$13S1T{ zz=;->RDr_>{^?3^zN;T81o!VEaMH&A*wSB|uK#I8;6A$soM5~7?!QaG{f{UCN8w{d z;Qp&?z~M5GGH?)s|6K~f5qkaQYr(nCd|o-Y#oC}>q#WEri@$I|I5+N3FXFcT->-_B z`)4L`z&;s}cbJ9k{^qO+=;Bh~P6a;kZZG-to_qQgiv(v!)vCGr)%oE!j==GhUKAD~ z7M-7yBGn;(#M>a*(U02!hx__8`{9KbD%tNIKlsh#uYR*wff=DHD=4nIp@u5wMi?bM z@BN!&XzAIu_S1b~P7!n2q4#NBq2&)&+)pfDcGBvj*zyV!i!!tagR zv=WHNifZ&s^KGJ4c=$j~Nhp*9)W7m^9`0a4Xb_eO&|-Nx&>UO}Yuzt)n*=mpZP5LQ zH`Lh?ZU|)>*p~5)rsvls7`}5UmPOy4`Z%j|;s9|-d4)sY+~rk+ z4gLt`X@2K@;t`hCKb7KfecOEj$EXj+Enz_HxQFwrLReU0e~B#U6EUMk;+s3h^UNvj z#d$CW3&uZ_IE|mM7X(a{zaLWSf zJ02<|$<>>I&BAt*1ngNMrf7PWx?UB@6uahrd8632=^cvdmjYk3!; z3%|q*RC_w9&klR9-9^s`a{yu;I=hBmIzF@79g2G4-yG`>3yJTSOjI_oAf~daLnoF_ zPO_G)VAbT8#im|08qo9`i*7ouB(t6m0d=FxPWnzcD#I~{+@T0vOqk{ywvtO3Ehmv9 zPIPbjecMV3ANkxsVi~1htG`etoZ0)dvd=VwW641RS26TBzf}(7Uu7$WQZlls$oe!X zDk++zu0l4PjdV%k1(B2ljT5i=-dLm(ez7_#}zgeGgYmOO!T$B55i)%Ue(=# zZ1?YczP{oEdxBj?(3c=1@>3)QDZQD?$(63j6noAaZCL*B8|<;Jib38Eaw-QX z+%c;WyQ0IX{EJ?um+p3ed>XK-YatjqbiW{$;^lmX#e==q&;E?)k6iat}>vu+|gQ3}C6Wb_OCcZeF|jinKxpAkmjK{IH~jr#J?KO_zh1c$%1x^*v}CRX z4v2^cc^@ch@?;hw;0O$oXYb#?@4cx?_Z_jBJT0I{2%H!eU@38*;)JUZ1=p$~J(eB_ zfH5+oMo>_GEe3=WKiSnnc-c!#RIU?KZ<|gyHSY0F)T-NRRu|iFe(I8KJQTx>546B; zu`tNpwD2e*62abeZ32ZofVu55I}`Mng>*iqk_K;chI%9wLdz3R%o!nJeK^7#jg@=%J~C=-ea1rJvVFM5Z%Bz{{t$Lk`{ zL&&m6{o{dm!}`xFG&hivQzyaR)~a@SJdc;i>wR=s{8nt7m__is`}sc z(58vjnbBX!k=?G8W=E)RCxw%VQq*>7$IH$dFI4c-qFE%i#Mzb6R*i~d`>xL@lRS!d zw(!X@vqKb#N}C|cXZ2mV@3vY>V_AE24cyirY*(i~lJUF@{2rB02>oZy(5m}aXX&=8 zl!{%2`{}AiBHXyh$v91X!)Fhut*>ZY$SiFe!s-L<7%VJQbMx04y&^h3U6*8Anb8A+ znRn$F^^ZSvR`4O$4X3bT%#~Du6|0ZJSW3vT_nOcbvP<}$HF6=Teo!^WS$><}(Yr9G zN|ffCMq=k*RA4E&D-P?}Au-c?K|1EI5JTFZqYvle#dRHdO*eH{fOuFwGm?0}S`{KY zrSKh*g}{5!q|L?j&FK1B+Kcct0oMG@*dO#~{lEAkQm}I8O3T1x5ks35G)@i)BqrnW zr9J4rXgwI_^K3XSyetr|r$oP#vc*Em9!s!plgihxUFzadv(y>u&H+B{{=t1c8;#Bm zb`$dPWcj@#o{J?A)aWjVX_LH9rQ6#`?)e?#M8sGQvueD!hRDgc>36%Scc9sVQg0VP 
zUP`;;!W{_MwwAIw;w6swD4HLxW?2{D8t1L}AV4X8Z@embM$jorBqu~Sj(yDEruc-i z6yZV_=sbzLwBRk##bUz6-*pz^tNIo;W?zWPFwU}?D_L3RQtPYh!Sw*H+VFXr;`xN0 z%PIYY?yFOuYaw@1MC5NhxQpb8H%H)&mK3fgB7(~-9UvN%Fh(S)KWeRFu0yi#x?kXR zPqqkygS!;SZ-{lR6*{pDCiahYBy4T^olF0oiH_b@3#KaGw?c73i+tWd`CHM#_q53` ziuSfBA_ptz(FtJi739MdF`dbj3+PL^+mUUOkU>oH?*0iFl|USjco_VK{6p?_)$Hr04!+qa)`4S%Rkb>-e*?0)B;fT-k;uc&St0f;T#xO|~$1 zf}D;tr-J6w>0P#WS6sN+YvQ&;iyApl$g=S7t$@1+rT*^D3w_xKij;k{&K_(kVVhOV zv%L{{8@fGAx7@;J${u}6vz_goS9=!z`qE@zH^ohF`4}GEcXZi5&?@ZN0MsHue1GXa0a!v^vq83_g8M; zAH{z-EUsul40a?W=bv^z@8)f8Dm$cvx+7S?NgNLD=zfJb^TnhFd`O(3D^W#&rGs#) zEVwPWp;dmjb?bg0J0EK$MXl0eBPRteorQ6+8jJ+0os<&MG*!ThTC3Hd?YyH9Acf$- zGb84BD_L!f&)~idkP{|cF`Oik`b*(Esc)!Ux{2z$Uvw%Zx{3Ee*;9wl8W!G}Z7{54 zK$<4YR7rD8behVRHgt*qaTXUOfHDfS@!CRXpC_C78Vo#({f!j^Dg_#2@x6pD<)*Ar z`y=*p>w1drQRk%jEr4BY=%0~IW~02EpiH&%i)ASP=(+U% z93tVotj?vy=&DdDwnT@c6p4LKdg&V97nn#Zb^1gzZ|Of#SOxrBZvBl+*x15?L>12j zU9-kA#t4kx&Q@^62|Q*YK?eqDaf2LhgmyYjDn`%mTjMIU=ZE)?FA`PG280pyR`8XWg9>4geF(^Qz&DpiLt2aJ|;f8EJXBT5G<5Elitg!|5e$e?`G z&MixEnIv4Tt5r?X_f;{m!efTMIyVF3wSKXZv$ytP~+^;R)YZai4RJ)(YzH>lBg)vb*UPq%4L1EuRUc_J2X{f zdK*+!MOn#5TUOpD2YaNL&rs0FiPluz; z(E(&fG1YR1-qMuKu-LOMpfnt?&K-5%(6Y&Fjv3h9KmFlfYkA%~&9X87nOQF0l?>r+ zXd~lInPqO#rE`pY0yh(yCi2ANCdIAfE*WCXg)r>kdi&UK+Pt{P4lcH@n+UvIDY_zYMy|8_xr|dspQUzS~#km#|me*WGtQCju7T z`$uvXSXG>pzSH^|6jjhcE&2jim-gM)ssMsY&3FH!czwZ(!0z`uT}TOOfosNn zDhuGQ^9cyL+(_B6Zs#e(gdkA_y6RJ8e6Zazcgi3~k&Sgj=T~yCDtDSjE2IaFH>g|# zlevUsq-?92>9+ulLw(hpP|w^r;Mr7Pc_KGFazdP2?rQf;y}CwAL=6BtYKXWQq^+td zv4=q{QTsKfge%pMjPAj&oP8y@V*sA;79OSlw{9huwzH&awXj330roO@ju&b#29uD7 z4Le2#wjfD)sB~$XC~SFqJG`Dw+m)#NeAMmG(mwOrJYKY+dgx!I^O9kH)eSvaAx}B;|`gp6#95-Yx5X ze0Ge1n(-JpMzSJgZh8C&CnLHFG~|InJ%04yLH6*0vz#f-n$4x%@QwP!zC>AfI z8Z8Dl#@ll21V_|KqEOVAWfaxFgsgDw$$WQ@{l^dce|(DC$KtZ1xny2i2uXhbsDpwl z+ttY2MiCJsbv`T{4{hNL;pkmU3mh=P;br491qSfIb_#uffgJnaii~)(sjGv)M>hoo zHb#Z1ITxZ!)ZM12R2AXd*{#&Y?d(wo{cz?0q0kH_1)68HE>`E44Tx1sqyVFATa?of z72S>am&He%wkg#JWl2LBSRD1Tj#(HZ3aE8Ih3i64($-TAkA<8|F-BF>xrH9rW3FbX 
zFD2rHA>e3}OGvJwwM?qb=B>meLiONQ`E}5Wm`HQ*PdQV!4IMCH5qczrwLt?xA)(}E zoFfIiS$>Mu(8=OJGK8+?sz)j&8b;^b2rN!Oi#kDMcuxqni--76p?;2K2xjcdH0#Zz z#}N~f0z7VVWa|Np;axRgvVcTGXd8ZIgq_)@c%>u>ysU!JEE={m9ZF&9HUhmceIc2R zfDX6Y)C(Au*F=5Z;Q!ffQ%1=1lW#~%U+Zr>b>*^tbp8HJnP1-(uId& z-thg-*?lb@zk`R_!K2Q(U6t18`sR8DAf9TDcm~Cc5CjQskyu*KqcW0c4s`py6O1c7GlufLLzc9JfWyL@1p}E z@Av6J6Rz6q(StSaa(Oy$W2)HogNJ@zLd>7e5Ix4O8JmJKvQF*j$}t%GIV-YABrKV- zZ|u8|mV8%SEC0xciJObNeb2IqjC}OnV zpLc2qQkh*zwy#vZm|9v8W*n{2I#`%UbbNfzO!BwSpGw-kMhY8Oe*8z~^WGVfj(^e= zWk3DyAq&XIYp%7rYg` zN>z(5&2LQkFT-_Rc<#FJ@sBD=BvA;n$RJqq#VQyMWt9|bEVXt(azfp)c)R?7`eOn2 zTsRqgVfn#Gr3P9*!NaGab?Sx2hN+PlJ@UhB8}VaJq_Z#|&!NMzd*_I(h&Jk0fw;87*VR?0UPb^>X791pAlFHE#tOn9ss>=Cl=a#Ar&D~QK+_ z6&LmOtggVuf+s@_1SXPr<<6!=jYxs50+NGy0fssAhnq>{Tp!$z&+t#p7FTFnSV>9- z3@3u`l(?3pKp3}HI*+_^^0qK)hEp!ZJR)DzirrFXBcy%jsLbtda^C>P5z?2nGAomh zNSzO(Z$D&CaA;)&sU=T!Ut)Sp3U+GLrZynSPi!PYq>Pnmja6RgsF2dvI&b1&W}c77 z58p{3i*Xg7p+kSb{>vjR^NPcwlduv>!S>~Kgz~u{nmJltX32ukKP5gqF-3)XqAIWi zC`JuvD%gJ143{%-F^8uhTW#x_D_q^J@@y%tfk8<*aUChcus+RuU*j1|buD~MH*N`p z-h-+3+G1Oq=P;@0W2rPeeeHD?%YY!|3eSPT^^pF_ya5S!3C3ggz#>-T;s%e%&WQ8q z`Rl58YOUhvMymVg9Nn;gyGM7&6D@@JxU>32^y#^U7*(<7E(@t^%==F1)zxeZ_gc1! 
zRQs9ewsv*n4h!Lg;6_DKd*^TArm~{G2mw}dSqWYlNd)#aj1Z0oJR#C2NawD}5gpUf{|44C|LVVRFb z++5^pM+cmR&t*?^sGXzNua~j@SG9P{dQx}V2bLlLnDo}teq(nwW~;1Zr&R(avqJIW zPv)L8=XU3P*fBjthajyzs$(>kOb1E3LScsFoz@CpQqy5b&3Bs!n{4~d%hOH29kft` zJTHn`qObZ1j6lLYX$TsXQkTc2)E`7QSTuGm8vdzcH@J|cNBhV?wbWT0@{XJ&@$~TC zQK6|%qAdChGQ%q>|53#LQ6e75k?TZ)d~Q^>#?0ZVuC1nZe-S(M5+yGGzA`!B^h}EFEcbHmxf3!D=(n17|r5ddjl{ojay2iF$pD@ zD&)~(TFNbt@i?&?G4hq67Buy!I8eodCgPO{!vivcY?Iu`|1 zpzTH&8mLXMzCClPOfOqZCB=Q^DR$(URtcAy((RXk|11Q23L)D7}_j-U2@Q;48O38W(eytx>Ha<&zXqI~G)9(Bwf@b1P z4;>B7kOp#=S8szZ8O}7=YZ1a!@&zw7aOpARa zF9wpt?PwkCfp|qJy~0TlgJNPJUO`u4?eF_bJb{FS?Y zF^nq4M?Y8^(O!+jB1(sHWsOwO(pMwr_hqXKF2(7x5LiJ>j1luCT~IfLg>3n5BRLEq z%NvL2{%fjRthM7*+qxc)A0mC+&+apK4Z8mh~ef$~C zK3>{vq>FrD-lFR%MwFbxOMQ;*eSS%XYY*Oba+JAKbZ^Kuz^S;X+jde^;9Ll7bD`J^ zTr+p9L_~2=4IH$qOVaqkF%*PNknpEMe z?sF$5dK>O!1E$!|9t_;PZ|e1ml+-Ar2x>UA_AUHZVj8O5iL4|1PfAuMx8)L4hF=X+ zg>LG10CyFrgBP?ax<)qesm;LmlP7|Ig^UalEG6zS70M_T*U0cR0A!-Of*@-b2COr! z9-8PC?-XycST=Msu$=D1O%TsEfj|rMS(M3wEAQW@@qhAZw5{~HhmoiF zJF*HK9DVTyv;tvhmZ;?w4dlJeZ+}n#)PjQ0%FC-oluLtoZ5iqyEE3-~0@>%a!bp zwSkUCe6YRKVut865kl)y{-Im?l!4<^5>5qZtAtz#!nTfZ%|>MJQ3kfH?w zQ+GCeT9LmCRobt){V*w8I=I%tiqLyg8TGN9FoTkiSH|7ga0dybh*!@H^)}q@%>+-i zzpE%L_d^{4#5B3z7njz0nXLLNE;Y{+Aa5#P2~vTQq0$Jplwo<7oE4>?qP z-_1=S)PPl`p4JHEp-6XI9$>K=DJJ1YtWfE3KGpYbTt9pPZZ#2FQKfWg&TI`O|-z{i#|Vh7*c`6U~{UQlh-aC)fUp zKm8ql>HCQ{VJn_yi%W!A@l{LI*1_9+QTjj3l5ggM<*^6}3vZla?Ef0Y6-4i4OeCL5#%PyORHT-rJGVsZBk17jm|LYy|84dE0(|`Mcdi{$<*EK~a*u=f%A2{IvIGKihb{ zy<;u*@t46@-(vFdPv3kM?W|2UGRb=fBzg(`5Nlf+R;s3;Q!9k*JWH!V@;7;;m4h?;H^!K!cww~s_Q>hgf^+k~vTtq2EW+oNv%^Ip(4-KFx@sSd7KE3y z2XWezSgk5=R3x9hZx;#dTwVq2TRW95B-0LrMb_rs>aaTHH|or}F9#j4W|x|PpqfG8 zJE$#TDSXUbcPPQ56v}y0q*(#1zQl-e78yzSA+Zpv;?zveFXlH>$g8(Fx6mGnEKdpu zoz>>#%Pz_aFzPUS!k-!KfHKN3h3BRzzWK_`^=t#S{8!(&JNr~c#aEkjg~twHcVgL6 zj%e#tDHf^7)3YM6(yL=hGIJ=+y@NAKz7oDAO!Q~!MU^l~Pz<^F-^ zAruhKH5gEhF3PxJ^z8FlVSqpT{7j}-zmUx7-SOamP<-`Pv2t9em#wukE6vq3L-*GRtS>@6`be}~urF$**MX2- zYfsf~lDEv;qT(r_U4Zgau);7bn2ansiUbNd1#!&*i4;{h6?YkV@ 
zwe5VSrF4u@2K6@h2$a7o3qO45$$5qH#OgHLAa}XJ;J8=kljwJ0lbi!-)oL_}&lKHf z;;*LrCvg%n$tBwB7K`;4giQk=F zKNhZ|#@kEbPXcHx;Bz45Ac0Br)@e4foS}4$vSxJcZ1E@5bY3u6mp&l7S*qpGy_`1< zXr6z|UB6pixuf1!Eia$kNJ)XnPbY(wrw`8#UQ=s3EUs$02>OXtbq&9Hb)}&Hng4q< z?CGpv3Z}ZU{&dH9GkA&=em;=9u!`*lp{N`l;Uh&%3>U_TLb>w+P-^!6-E%T^e0-rW`eYQblIz2Kl zgH`*WlI=}|-j1mmZXn{(ah+=95XwPus^C>o6?9Q1JrYNbm62bi!}-Z@I9z2D{tK__ z3f?(LwCOqPXPm>pk+EA#$`*+R~JuQkDCNwsCs$0oBk!~lp0D6{JVy3JO zqCnO}goNAtd2_AM<)k0T`SMZsCa9)8Vi(}33hfQkt?~T6z0q0Tbg%sDR^v@2B5O8R zZ8+YGI@gkGVC`SrWs6&|uYfp)KkfBT==wX~khiV1U|ZVX z`=7hNlOK5JQ|`Ox*S#ZSiS+_4H6#?`VY$KrvTK6W>zEy?hsaCHOW+CDnVZ9ttKjL& z78TuqyF>I;KebJ#UK3DA+O!;b%=(t4yiHm=_&#bVB0*w&KZPJ)A)$|-V=FAoLhhz< z>F6~O9bM5L6Ji%K{)mb^Qf~uF&g-LHw+bW82qr_>=D&U#k2=#QwN-7JgkmUrejRCN zr^iQ!r+XdQ_No!p&e@*ryrD|Bv{FIi2P5MmmE#gk}sfRHoc~cbhqzj=lnOjNM3=_Ip$8vX^JaTi@5yYt}GA zZL_OJ;WWbOl6QOLy6Q=Qi9y+ay?^+9XVBBOcU&yc6(OrP;YNX-ieF|53X)HGEIFO@ zwhQR2FPr4N#)sTgK?F>?EodjK2^&kgf!oAYcYj~yV=;;;O8OG#v+p!iZ?aq<8)#GC zj0T{U4lOTHioV6O;zpyB;xkw+fi?Y0C@LDf`4e&M-0LJdZS-O5uFA!Yvz_Df*ZZfZ z-rhaEwq{GWZ)T(GJOAwN-plPb2WRKU+b4U6W+9^+rw4-%e7k8TPoBWf&Z-WsE0Y&+ zx{r%d*_bP><03TVEQ3bo)lXPqBE$ijrYe4^nTXdGs*40g8uAG;AMe;$ zF^*a=C#ivz)XGb65;i23CfQhRfM6+B``Id5TUGOA6;THKkx>TxgM{SV82DGJN&{{a zf%d>1vZ^)T<_+u15gtgi~rjqx3VEI46Z4j#&# z()|oL&Z>QWm9^`&ps^5zwq*LWrO+?TJik*9@m8q=!zkoP%2|2D${2>y#_C{o)4aev zkJ9qH>3LI?y~wY2dbsbU1(z#%7}=rc8v8MGu*gm|7$mBlhT;6y2zO3TK2!+B5py!g zAw;A9B@FJ1FN)cY-{YbENa z)rYo0iCRYTEf|>1;(U}%GdBrGa3TNw|E<~3F@0z&%m4xMuJBs-8SsPKxi0R?_Cy+Je*^z9EX z;s}vK8MLCUyJLXuG;s>nFvC9Uli)%kr-%FWhh8r)kN+!Tj6A~fTCq`7_bb{>X&10&+-|qcjv~?v=LTf zxZu0{DCtJ-Lut%8|}(j@}~jR#?%a@mz?tLVF8iFy?OW zZS6)^m7rlF%rWsnOS-9_auYCpjP+5SLY~x*xCeflpdLIRQ`j3~DF*M0=?J)enYbjS z!%E^@<*Jsd0I7@KJPOQ<*FyMTn070mtmNRu$namn^|~O|=!0&eZKvVA zxEs;(#E%06HHtS_wh^Slkvk^1+PshDo(3g+nT15Q&FJjN*JxE~g&;k5s5nrQ9D_tl z$`#r3zyk@23A|o2>k<^V>+$-N^^TJ&A{dAO(jI89`3Q37R~CL7pPQ5JjAoVnnLsN0 z$(QKsSu`)&c1goe|M7-D3>r+kZzuK~iBom*rN!p6fa)?>SI46eaA@gZzQAW>fcK0h 
zK%e4IS;kBBNj-5fk)VO!J~)nF;seV@5Uu*Cq)VZ*==#@xY$JVglb^DM_Aj&jo$ceK zI&F#&pmWgjyd%Cf>aQp*0FNcxzzr?Ob6k(+T06{J=T252^Y}_n<)&J(`16w|ZJUYD zfeo!1ndWL{pd{H+@L5KNa3ovAPtcaE)yr%@Meke}tTr8zWAw5X8cUxe%I`)^BX3V& zf6^uIJ5g6!q%wso(x(RVbMF7yVcY%YgxkWrCQxp6TmDWg5pDM#lnUuMz! z8|?^aD|4qPEx5RNDqG*~WNIDJXeCgm$MxmWgReGy1tE7U)+5>M%jQ=#I%|=oRqr-~ zHs5_86_z|iw=MKZnd!vlTU^3OABSHsI%SQiOi1{JAxN+2)9It2}#7>y!PL6|O)rHu;H zAWKyeY6qS|Y@c6S$-i+Yk04!Ea|s~hZxH*n{I=&y#nQcPUP<-AE=X5-;{f1=r`LUD zHBA+(DD9Wl%_(?pKGd1{o1MBK@-N8f!hBDdG62&3HKs)4Y~{r_eP_tf5} zPWDVW5XCg?;6v36C={+ZD<#X!b&sKnK9jh`c~5Dd_<%w-AgUM7fiM~SJ>bXbtC4LW zw6K|8x(Avkrzn}wo|(u^d+#Dk&25ztMpB>@B~P+7uMI%xcaCJbrR~?Swd~Bc7uCzTE>s%AN_@ zFVnvNnmtb_N2qRv`B?c?Pp>=)&!RTy9K~xuKp_qcb#x?ShxTJUC@Z9Eq;0HCrQCbj z+Fx((&h@9ir?a|{2Hur9$0tXB_@hTis2~K|`_893IDPuM^PGyE*lpz{(%Hf9gD!Gv z1@^9EJ-^ocmn5@V>)T5kD8)Rj>9hA~ zT1b9%It2L^WE`%KlCC2%H%3uBQN!Z*8WhLt8&RrnE+sHVBrjGewP{e)fWz>07tLw; z`%tAZJSjD(c!V%*IL@mFM?2dGtFa$NI{~+0x(X7Zsoh-N3CTs!Dm6!StCR{2VL>Fz z2k0$MN_ssyL0ye=w;7i%w~9R}Jp&@orkIcGcnTYqlquytlJr)#qz5f@SAe2YDT4~3@ZqqM=Fuv=t_ z_%r@B=w>C9$u{ihz;mkj!H#Nz*qb`SlD-MwO?({0*%ZA>4FA3Erfk8}1T2IxZsOm1 zzv6**imhKw$^6v zR^4O1{nO@&YqrzeMTvBUf1tV5wZERQ(Dv-_&#zbUuShr;Y+t!`;9r(}kCnOI8|j4L z%TZhSV*C=&`#D;bPFmMGpW^~biPRrGZXqTqN)z9-{KU~AFLo?^BWNt0VL^T9?ATsV zGByy)I4NZa=TSYS?qWpnP@ViCnv&i_s=+{nlZC`H2~6{n`lb;&4Wm(TfW!(pXFExAIYPE>Rk=hnj{pwg|j@$NhlMs97zD6X-*r*vFbDX`{AgqNRkPWltsG z^ZdzE>dnus92a;EW z*+@yhhMB3oK5aCRh_of~RF!{K@#s#?hS~A=!7HY*6JrGvimP=QhE#15y6bPg z`r$=jfQ&LpQqP@A}%%*BVtZz|Uo-q-R|>U~!w6uGUQjNR9E(gK$i=E{<7tQfKA#hMAnj|tOI zC@-LP3J*cVXeDmVO)cMAR|AQ`#i%L;RyMvT9&smYVJ|%!m&M=4vw9j9V`O>v^9o}J z?L9V~gb5?x{yJV;x97#A@MX!oOWQ4u0t+pfCJT@O#Vwj@xb8Y*4eH{#6QXom_O`I( z=!>og$@7->4@ibcG-xbR)>(jNV+kvV3>euJqp8dbt1cAJ4xKK0PccuDlp>Nb^Nd{P zA7%*~f;+(rJ9Fxu?Eh@=R-P`_lL4zALka<26nCauq4{%pA@XQur$rlJ7244UB1E*# zmtF*#Trj3x?fSvioW$f zi=5=SiJj&;G*C$86GPuu-J)YWsqMI|lTwQ!3t#IxhI(beoOl)$ovMo7Zf*N8##1&P z^rt98cU`e3`nXYT9rNZ985G}vY@faB{YU_IdTPBeM)K$HFSv)QT!#i)y*Tkl=3D?{tQq 
zeRS;2UE|t7oC0$nPi6M5%rp5pyUa)B1f^r5{?Rl^f0i%JO32^4Op0ae9UD}I&_*UM zv?p0;-(FUhN=6iY>my(O&F#bbQjB$EF}t_k^>t$UZXlz4@_^ML_>aHA_JdBZbG99K za%r1RRQI#nd{&VG)NN(1}58mt^TikHg zoyACBVV;+)S}l}P=&blr7G^Em+QQ>cgh31r&C#cK=xnFcp#$Dts&#uxqGH??K+AN8 zFEyZG&h=u|Usn1Fi+s6%ml9uF5umOSCuL*}e*W9u+Oyyov{J(Zi1=3@^FmOsncv*- z^!6D(;R*=-K^lirqo@NR2nG?x?SFiVZ{iq#ilq}?TQtVR8atklJCK#d!`x^O4Cs)1 z+6%2vr`Zd)xUk=rm5{sBz-_K`)$XYA;7UyW$FmJ)G1Ml+p;TCH?@o_dUaO?;ivsdh+@_3vuEw&ajSN8^y&^lbvZuTFPS>A4UG0G z-X~T&P->7zdn_!V@DC%dB3)K?CFmUSsC}}0&t~bBsDkH@GMU zAH<{>Nre?Y4iVKDHX&cpJj!^-^!4WQ{N_t|ZyJ01^w_-~y%9lJ7Ev}(CDqgAHLwwR zWyOxaE^aJ7L36;ngAG?a&1EO94pzBH`hCMf=n7o-wm)ThY(mrq(8!vlRhUV#Z17S5 z?aJL0Y7NLN{?;Du0Ak$J+EFPoNBFDFk>)5lanW4*D6%fgW^}HsHfj>IROdIhQo6k~ zYf8(Hr9lQ*rLgT#OF-N&@hP!fxNN(!>4_8i`k8=n`iN->FRMY6n+39@facjyNi|MG zJX2@ChTurDTmo{T_jpCBDa>2%>q}A$X^sbtt25XTyi*s2?=26R{_{dIsIS2LTih1x z!MGTN+NJm26&5B1^%-hH#AmJ%R}MPtC0h*ih*^C7puIA(B^jOoD!OjY?l^5*s3$D{ z*e9LYB_FuW4J{y?a+X-K#3z|nxtM8%kzg5J(y=O{y-9$6Pq%x1bO{%zvpR!C@pOBb zyrgq+PIpo~I}tmQhv(=|a$5ABF00@#kM7z_UwBWyG@DEFn!7)EbF!awY&K6Hzv(5o zEaSSod&W*_O?MI)i0d%MNs|M9*pq!)ku z+wCmto!tjN0hoSe0qA3%wK(^eex1(!+u?^BSx&N{@jKbR-N#kH`l28a6Wc5uLRlw6 zKzgn9KI?S61HFwpA4Lh`jjFyOOJ7C`$$X-!liEyC&Tq4HWD9hq$>Mr9SCrTs4X#et zr=GWPt3F{H=X)n7zZSQHaTUe0C_c%)Jn9ZHpOnMA@UT6$xAW?V&pmqZRjS_D6S&^# zEQ}GXG22aFBVq2@)9tf3^HgUi(g6~Ya@r(Af7Nv0pb_yy^4_cTJ*PY-qDGGDMw7~~ z=hx{OyzYE#`CCt~!_8uT*a&643Y_MeyZD#}3sSK?Ux)1~06!O`r zLs=DR6|CUBLX+w?#2GM`RpcNYnDh%&73aP&mOoxjq7T? 
zO@EL`e;tf42BVc4dYCL`x_sHzyqRrH$_w?VbbOO>-Sxa}&NVyE?QN7-sBix^E@&dt zQQ=I-6)hKS!8$(FnDg9-FXSY73-k)rl@QLx+ITu13` z_62Y?x-7BTX;p1)-Ij05A;%~bJi~f+wZ+ZzGXGEchwag%qY6jUw$0LM7V1~w+yMo2 zD?_rDtvI0$d<7N6HQae9JgYk%gE8O+o3o-sc6yCTv*@m`@QuPyf0lSqpp%m#ewslt zy3V4f;VI7FX@CPgzUBy|kkXkirw$Vg^pL3DhB}O`Ws^Fa=I$?Apj8Nzonn2bVQ_)1 ztguiu_3W~h$ezki)kjY4^eRUyLKykX&!g<#M%WS}mzD*2f#1axT>2oEkCsULF$SzN z>k5XH8Vlk!oYv+5KhRJ+a&8Jh)3ktBUi z2vI0uL%GujKeT&)-B$=*&x}{{PW&KN1JXi91V)gfkYmR+KywJYjGt?@ZX}{(DDeY8 z`J6S@CD=okJ%eZN^*nqI_cVk+T!m7nN~iVKO;-`>ff9$0Pwi|U9v+=Rl9csWO??%) zW&0nNDzVliS9)n0qs3v$)*}`ai>`TOIs55x_)6S<8CIH=RoRAwMCjb#5`e!n%(zGX#rT<9BWmmMw*n=Bo;|P`52YY3nAnzzyjc9j@DSj z$Xa7Wknx0QR)x4IShJN5WKIoR6_~45^infB?b9%>3LgIWaM>Rpd38)~bhtL&w?)Oo zNCl(-dn6fd^R|Wuf=j$f$AkHO{q-M`F|Ly_tGl?Aa^8G*!6?tHeCp_$#SK5yo?jGg zku8{mF&uH7Iqc8GNo|J~e;c()M_Ftv+n84qXhw4WDoLG?ptQVu13T`=2p+>n$2Gqt zSw{YTHqqhUyeL|7iPssSBa8i2sgNy|3F%cSG9Tmkb3G^7vXn!tJyhE##wz&VyE>Uolknz!Ud2@OKQ7Fq{V$0bYqzad2jKP92 zF|Zzxd9`eX(Fu#r+)Z@xpseQa<)Yed?y3>F&ied_*A*_UKrSw9pDW^YJl|bW+VV;W zpme90zHtF7-1XC`@1nD#!`Jym$xKI?z{T-LsEl<0ow9)r{OPnDKVMHa0XWQyi!!ga zWH_-j2x7oaALST|Rra;aLfHmqx#xX1qts5K`bnGRMv^ui6@4cH9A$zaB#zbE?Hh0FVmE4(3~>CF1;@QZ_*-_`O|9?kkJcAOs-VZetp~yY*T@qC`&kOO^QP zh(f=`04S(4)faYF^ay6v&$&AQ z=cW$3Pi_YwRN@;^DKKDgRQjWrO&>~v8;?-ArQeMk&$gUgk+mOAW7LEYKb%)Zdy_YB z*$4e+k@La}p-~c13c~$mMci+$%qsyqb0_R?CQ50A9vMjaE*}BGgB`2ah*fkNCSP}t zJo@_Uq5W3@fP}YAP$_L)6)t3j@Ow(&?ftal@~UhtPhfPY$V{5**|FrJST zz>L6xV#%TQl+`;xc&?-**{l7tEz(7rkmvL=ld5nEdx`c%Q4-Q16-PmBk@aen#gMbZ z%GyoJ`xMRMBFBI1KuXX@L8AOi-aeJI<$!Wx#9adqEoLBUfIne- zg5+x^VUq^9Km%H{ZtRVl?{~CUBX^V0oq?mGkZPS>IIO!&U1P86TLh?~^aKF675FsW zbwX^`rFlUDusY4V54!)Q@obkA9zhK{Su16azO*gw8M=T>{P&FhIj>ygWL|&Q6Zryg1l9eRXtnMrz?~@Js%u>qwJJS2J|S zD2M2Ti`>xO1?v?n^PGsAMe1WrmN2VIb1MF3*;Nggh^F;WgVoZ!)D&*$m3OCx&bLmo z3QwUWj0qoNsfM%}6jA~wF>qFsCGi8zI_^eqO@&EGnh|gERme0q3NrGwE2T(ZfV`3C zNz2n}C<4xtM#>pG(K5GU=ca`nIMFr}FmR*XhLom)o3mg<_7b-OJIC&9$Vb21RPE4S z%QKSoP!`Lbr*4sk*yfSzzPn#S2<|4o0&O~U%hm0J18~B$P4pe@mpS2$MP=BD;K>b! 
zj09N>*Hr)EYQ!_(=jB-&!%>0wF4fi&CKHwR>t~Gc$6C@MTgX(&?@K6#GK#hC?=5aY?0A z%Xmf;_C_Vbve8%{qT#r=G0T_}|E(stl}Si0E_pYb@o=-QIPQwzm(EuDe*0|i$L&9U zQ3-t6PS2rvipv;Fb4%VYNJV$G+}-FUj3}Mf8`C6(l+l`s6{~%EbBX5%CuLfW-rjLU z0&!_J`=Xqi+F8Ra7sL&Oa$R{W7d2z4I->>HZf|eV-~Wx5xGck}Xv0C~>u$a7d<;R} z=BW*|0vcRc`ISdC>XE<6!MP+0h|6PgDJW;wfg?=!&icdXf0X)x>mdYT)bGN;B$U4} ze8H?Kccn~J;ToLy0?_VN{)!pB4Cq<}Hzv+6S z{bpiE#O*<7x=B1Xa*oJfI|ai=8}GSXf>loBt?nJ4{yyW)qV70Vg}2W_GKDDR*>r9h zOrdTxZnRZKn-S+)^`2qbKJ;fy!0_3(;?H}>CuiRCr}ox6CR56Vq7IW8?Sy{RMif(` z9ztrD@Hgc&YdUR82q`iRb2Dt|I~802=Y3qmc`~@ok3SAhP3VK8Jg2t8+m)<24 z354Lkm9X9z;@ZtcQ7km56>`9IEr;42En9@lla^peawr-GdN?Z3PWb>9q>=C@@X*aK zaNQ|wesB^iu2_t?p;shjlFE_frM1P)w2kTQ!vY7FpnLbk_G-K#ZOfuww}iWW?E)ct zTinax48-Px{qoQ34ced>nRyEbg;>@zoXa7!%N(%d*$Z7SX#neB#2g6Vq7 zGAg3#_x|xeH6BF>n{hTV6zX>nm$Tx)3{l*d4rq z_#FR5IRWAeZU{HsC9@>wRbi@(Ro3YHc)IZfNJDMy-TYSQoB&1k#78N%cMdG#YTGG` z(K(ZcK*c=Dh|hsYFb4Ep8jiNO!U{>($8=V^jdP4fua2v!prapm68tNS)Zz6-omIfjDrqCjtaKNfRgq2 zC>#sH{zuupWvhyiq?^AJS*MsYgaJ?qoxpugun>cxfD|P+=0444KbzBL5y^M-@}-7QB1(&)TRC#sX${mkqIRZlF7xp}LmT|#E0Iu}gs=h@Xb7dT_ z#^yH+bE$!Baoewe^5ibE3rDlOxrPzGtF1~P)=e4G**St>?%*E4L^*SV_30U{^-Za( zKt}2Z;?tnVMPVKkt(naaOViZcWz6hANPG*2sHXS7wv@BV&6xK! 
zI>Mtb?3R^UCW0m6}MBx5l+dLt}cN=6rGtSe_uWGqRAthfz z!kdfcu%@6>VUQ5+*Iw?+&bBCK@a=m9k)6TN0cy3PQe0jxPHi-c3p3mn6L-CMzA&{y zUJ5<2NE2zcgg~0yc|sM{vk97K8(Gu_?p<7=JQ*r10F`5EtGwf5hx0KtmVNRETSJpT?tD)X7{Q<`+J{(tLEfnYT}O_VCx9;t3kXX zNHJb&ipKUwpse22lXqUgMepBvmmO~0MzI)ea>mIn;g$~Dg;y<-`J2A7BL>+m%0lg- zJdsW2y2!o9{ctVeL}#XlC&Z1mY!W3qDKw~Df{PoevsrXA#Z~}6K)}EM-XG5PP7b#Z zveP%mlxfE&N8g`pzdrqP4gdri#^)r{&XLg=<0@?UyE<#W=cL;=AuY5c_YlV0T=5O_&Ta#63t%H$u5eSKZXI#D|c&t@{qz{c)$c1 zUMPD-C?XQ|rPF@5H~MoN=&i1b*+14DhC=xM^1h^Pce^6LF7!n7k`?lzDMGvOk#YT6 z>D3klS?AS&B*sw3RjFxJAKBk|eQYl&-5mS_N^aRu5aHhN$dJNg`j-wxy+?~j1L4S% zy&q5ZzidQeKAW6Nsp}$Iva{=msKYEFAr0^xnN&S131AFVt&9(g;0iKdBNph+pyuae zAh!hj3A||d*#j*QOOA9{B`jf@RR#40DjyARxk@|5Yl)*Ta*2&0c-T6L6lGpmmbToV z1rlPml626JdnRJGU<8tVi0%^^oLp2|+kUYg0xEfg&#V2YH1*W+f*Y+SCCe?iS!2*i zr~D+RMOB=bAw|3l+Dm30c(w;~(soiy#k9(@pY+-t?C)kzPmiDfY)uZZ5r4v;g!i!d zIeU6|@Z3AW;teDZXflLsdUx1zQy3Kt)@1AQ;JOXtEOeT_7OgO=Jdgr6P(3GR9{f<> zIjz#|x9x$7uR9hG?}fjk01Sz{Uk|V&mKQG{2BA{ zY!y5MVzZts?hvJ4K^614(j^#~pL=;d95H4Q`r^Oq@|AVZb*5y?QDxy)nN|YFxPH-W zi1o(O;I&rhkf@ykMKW_@jt&ILzUZ}j~{%i z#$r`_s%v|jaB9lsbD8u8iD2i6z%!6#z%_HWI6c~Ege79nNRaN z(T$bJphpSs1CR+esq!y!(_3Vp?kj9$16twgWaag!8X3d$PLnOvr2$(Q<78Jn*vA+K zrp$y@2q9muz=qwbr6%FAHl-ulesZnl2tH3VF#-jNd$R%z@?5m0iAYz0_Z%kNcu;$#~amioQ z@BFecmP7_d$|XxAisZA&OW#t-?PDtycD)zjqe*)X>+-zKubw%rh_h%laNsF(e+$Ay zmjrB83pJ$9_5uYOcem~Vh4De>+ z>48-*w}u7}4RR5yCdKHwR?k-~;G>U~EJPG;)&-Y(NB)oiB-x=K@(?eZo0V=-i4|50 zm_EB5YHwIsNlFiUgVi$4|3CKLwY!b$+7|pw{)!4SJV@pO;6sl%I+1VFBxSQBQaU7M zC&Qgaia?R92teVY08u=h{_nl#Tx;z|p+Hf7<=k{U?me-Is$KiJ_Il2FH_5i-wd&g1 z7iOqh@oLPSXN3*fJERt(v zC=C@RvVQNzSh5U<=xK|IcUiAlV_J%iyD>v{7nZ`kig-DP5+;NIWegZ_>di-Mpg0Qk zKr6~?)V2BECEXV_0a5ye&7&6TNW_DUD}Y&)sey^H&Y&sva+hi#Yw=l@z&Fb$MYX6=9K!9UPVi`3!hD!|xEL(T<7ZU1 zv$|Mk;`e1blTSuvpQOH-Y&D93uRXsioI)b0RY+;#-6J-PxGMxe2ChB-Nn}#Q0Rr}j z*&>#IV~e|(+BK&qbUl>hAzA3a56=94ZjgJXC6|HUBN9_D8^wfj+ErMqZRpRwv4(~o z^U}v9J{lFH0QaobUQ&uU8F~)eB5F-MggJcw-FkjMD$F)Rlsq3&?X_p4aDBs-83+b) 
zWls6(Wrn&e1tN*u#Fm~0hlD$K10M&C^s$m<*a8L3m?=wSBqlGy`P%8GMptGtwG-?h z%%pqJ*PsU&5HpW(1r!?o@ShJDG@7Lq;9s#|6l;Q$eHJ!zyR7E3-jM;Yuh^-fzbbak zBmy;(^Gpt>I!J-!?(+Di zy1GYrG^T5lh}r({mYVnJgywc>&WBN0^Uo|3Shr$A+imu}v{)$=*|`nZksTJD4XG5p z7pUA`_Qv|r2{MIOf@;nMvI_HA$&{0bQ#+y%(n&#-V)ovYV2^sO8`g=+4YG7qI5Ha; zwd%C`fc?l)k2)%FegbK+m>XMw0_Y&UdN3=mXrZcsT1~pRJH>MA`UZ7Elw(_WYWuS< zO+`&~4I`h_PxA~zA@sJ9YOJ%FP$qhGA$b4}wY(NY?=S_5>OIrEeLqS!`w%Plvh|wB zW&O87_XWW+7>FYNi&R2HAKS7TkZ?j7IKhAv<>B(K%3>xmAM`f+VOSQHghM2A@{H7> z=zSig?OKpDGWhgeng?}iTk8B-<-r}PVAtYG1E->o0iHbcL{xs9;VH2U#QkBE4(`KQ zEcHr{6E8^XnynyPLN=Jpznw>FO!WMcmbB67W)PuGrQhH6`q!=~Uwg5ndb!)K_5zT% z@0qGDD_>DSYp3gd3L5#HR=_Tj#NDe|byurp&pTYw3BCoyuV)9VP*ig-hK@;xu-Co0 zk6S)@u?*rQ7T<9sQAo|D>Q&|RNJDf!CrxQPawev7V+V%KJibyJfq$QW!2(H%`NJAx z7n$0T8$ut3J*$f@$)8O1X+-{yl}3YfW8$jPeV~q0y+MQFlITT^^!Fq>Ci$e@52agr zP+L}hn*7(**q>;6xohlteuu8Ojt4u(oNgE+Rs>+XiUHsJK4z7<@hDlcWH4!)Och*G z+yWCug(bc#iKDgM@|72tZONGyvC*vOYT%&SmjO2-WiW1mj4sGBVWTmj3kkoyBq z$Dfxjc0~D})uB92Uq<#Nojk6S_bE{eWLVIb5_OnCRiDUku_PQj>aF86tDjM}Sufl8&qd_~`G!5p?$(~B znlJ}bl7z~w6ajIM^TDhVByQI@@riKlG@pp;cY5MioswV^<&wEQBoNKDGF#^LZMN0j z)(zHFIj9T^7;_-W@yV#tUIQFAuJ&xJ&1ne~ZhY}ozC#E=(D;2d8)xJDa{BU%k+bse zA*$TJPB+>Y490r}Y&cV&gxyuHLN6-0TJeo3pqI$0mR*BQZ?1||k;QXEg!>{rwg@H# z1{!cQy#IOKs_8{JZ0T_p|8LjXvGms3uP^^7efTQ-!L+lNfBawEKwbO8SAv%xk}s`A z)l!KUhJ?N~Q(Bnul|$$2YmrU=)xpW@cjw0fxXD8-`oA0$BTbnJz+qw6tvmxR8Z zsKPm_s`tUQVRp?8V={Q$ZOeWzi~0$Os1+bBjS<_l5vEFUc(gbP(`T;oW>^b5_k(1F z#Hke*mv7v_PmX@MtO@~LD}O{%4&jAPj%+BBHpe?zfx?P=;U|_HMJHleR0pYWy_o3s zW%X8B1Bs(z=$}pybsjZy1|+nVWDaQhDSg`^gTVVbWP`5^zAq&VSlHb?f57-zM5&M@ zIkct$v>dWW_=@M$vq(UAG)sq&e(STbnqPyy+j`Y{c*)2Z{P4p@Sum z_0(T2j1MV$aui~Fj6y|WQ)L7j&^+=f12SJ7%ZyeS=iG)UInpIK#^@7U8Fv#$r;nMn z2iulJ-Ey!k1$>U98ug2xG1#^ivxT(eF!?COG8Vi-p{;3`!#6NOR#sH*t zmraCCQ!l}Wt@^#2*6>*wy>E)tiZDV)k&h%43ixlkfAmD(u{kxlqdCw9weNvFDh@5? 
z&HEz)JA5dr=PJfrYt%1baC*uF_7ee#%_*3I&w!~gp=JFB$kKij*3Vdmfmt0 ztg#zfY7H;n!IP0)etVo99vpsq{0jpht_yUAittHk%bsX|ep5o{(2|0L7iQhVu#{0w zfBN3Mid>~K)5~xPi5P@`PSOGrGEYfT_mZ*Uo%v_R+U>h`@&FfYh~`psZd=xmS;Qx) zE7=`NOV%qw+5=#YfS{0`5i?ulw0H9S2HJ>ZbJ){VOw3Mozo*OUww&*b%Q|QZx%VHRRaxBIDXCI@ zSAT;?j<7d%1z8nJ*XpgR$Jku*7kq(jUOceq7($O7M*%|LwG#R+RYlS?;P%klfzb$l zo7YP{-EvQE$NlX^{Y|^7c&}0C0-}xm_B)jk7|7C$hH+xXDdGHpTl0l3i~HN8fChi+R@a^c}F2dw;YH^`My(&q*aC{^d?SM;XIi==}= zNUrE=hoPnoo{)|I&OKh~YJSzc0hsr;l{Y74{%be+!C*JBd`lO#;Y_EJWl z^l?3808WyL1@^L$(CG!`zdJN7Lrzc>EyE+aq|v9C5ajmi*qN{dtv4A>AN;tYKP&XL z9jM)#Yg=qe7*$cZjIFUfi!{@{Fo#>Id*XkXU z*8%^=Uh^|YJQxvg%)Au`t6-R8F-7rO(e?C%kn(n*(A4+Y9hv)5JkTF4qpZAPGAVmUK6BA}bojjJfVe3OAy z$QFyb2v#1CZ{tLQiI)GOpuJ3;&{3@&iXRvj`3#9A=6h_$+g+Et@?npg8#DIUfU-Sz zXz;}Or+$vO;`*!E~dv*D`hi27u28U$k$zwS)Z)JrxC8I>w z3kO)Wc+c+Y{^Upzek4O8sqmw%iU@U*$jKCikZQ4rTO%c(0r#ebPpUCPw>Z>01QK!G3yUY?z4 z>zobWvgFV45sgcv{mcp&lDI=~$SLl@u15|LOp(?dU^Fuplf(1JY`yl?J8p8@ zr{7(#f`Vy@W8a;;d3|tse8CPdpU*?!Wm%fqeqH2-%rM|tCXXX5ol)sQ&jK!{L{n9P zvp5X^=ayD4n3p;|BI74GsokvfSlIJIFf!IS>HK*I6X|153I{0ZML3o^FS?hNrFo51 zU<5s5M2a>f1TCIQ$O@F?QTP73VoK;KWhXQ_D4#2NElGxd3zYRxf03!>`y zGQZL0#Pi~JZ}!mE{rPupA~aMuJZi?Z^Vw(iTy{d}eD>I$v$O4;H~AL2@2=Lr{Y^y0 zz(j>T6?eax3!8h8*Op<~L3zxYG=_y&KYLA7L_a(#edxdcprSiPe^4BM$!!2;k|-EW zxT(8@KL7y!oQrJv%v#b0O)b1C5Wi}1N2$t5?mQKWAyeT{aj76b?(Sk*ev}I6v%~yl zX!KgaXp8PW&;ua5pAPs)4~fJ)C4%bj?%%h{Ug2)QRB{lPobm$1(rZfg-N~d}4&T{~ zjB$3Wmn}otXdc-bLu@?JbWVhx8|fT-zNm%Qd5~iSR|;Fi{LC!SwKZDsSyG&ufYq$? z7Hb(MK;dH6w3Bc*UguH>WKn$A1yLSg1(}XF7Pogk()~ip@i0J39pH? z;IpJ&cq1X0J2#{13QVm`lM(YIua&?(Pknc8hp4aW)%o$oxA?l={$DwXbJxj=5&S%t z2d|ImLdU-_R(pdd+$WP)N8_%HKKrBT-pv;LvuNRunIeM4&#YSkMQVx(D>&<;GAFW}Izd`y&v-3(GE<2auh$ zn24=3_f??wsxq1fG9XdNmAck_KV{XntUE*h)rzxH`&tTff%ak@|0g>b4k=)b3KWTu z%^57L+?uW}=EkCh=41c&^?dqbZEf%A)7`cG-7nVmc6YzrU4H7On!3q;A@L!yTc)`@ZY&Y~FWUWo_$EUvDQi ze&c~`?|Js8uUEXEfBeMzPT73m{pn!7wxzpzTep~qq6pU=SAny`;gxes0Cj_rs4FR= zi}F8YL*|ryEU!Yee?

Ej5O79gceqo?zF|w!a&co&<$6bvaXfUy05Lh4sbjlegR0 zc<()YB01!cRI&bB(fCM&J$6f=Fpic);Qkvqq6*xMw27(I1haPZ%Kgt>IdogLYk@FwsZ!w@{EC)}i9_}wAFcjE$hzBXY`@iC zkfFAJU`2awzi#^AW&C}=(;hv9rMTJTK0IX_5Vm~;UMaeYx^DCU2uB$s*UOVjO3~(o zh@jlubrZ9hbcg-$eW-=W;4Z(fLtjjfVJ=Z2+fOe)a^)@c0AK3v>8Dl*2{)_RAD+do z#C+J#p}F>N@~QIJTI%0r%ZBt)L+%qkpRoZv!xV2zWL!@Z%uM?eP$7<7K|Z|g3w7DZ z=0#~v29kERDeNZ24T)L$^Z6+C0bdld_q3_(5F!e~Y}qR}hr@nzQ$ayw z$yr~iSRadt(7&h;DTyQo9n~}L`E(X8vJE^A;vJn`Xqj|7!^$UZ+}OzdQ8sQy1Hqe3 z34LzZTG=jub1FEE0*t<*Z1#tfdU^Z3Tj4N`F9*)A2kXRK#KEPtqp%{+T>}fZ3R_Q} z?|P^CQhdwu?Q1Y0t|<#Pg{&Wo_B9=8b0qe;mSfgB))hyqZNc@prR%PlTJZdOw2KkR zXl080Ec&^M-aXZ=>^;bPx>OQBEB%i4VF5dgH!xJjIMI^uwdWUk#YV8{*|Q~xL@Ko6 zesz8A2GD1JB`^O6M3>$F@AZ0r4I!H?{I;F_zzO_o_QMaq`Kx;d%mROn%5_@3?$`Ou zs?0E-SN9B`(BUTKNm8Ygol{L$v1Y0l4>g0}<_2)KE%Chh^4)DUDvVrRYh;k+bWkPBLM9ap6 z7znve&g}jE6q@lGrHec1p8Pgz4oUACt097q)rpsR2%y(W-|3VDGLW_bkDt0Rl;Gc7 zUTZa$be269x=%^JH(vk`XFe0L&){OkJ~{OQ$re@w?VY92{%EjcJdkdZ+R@}^1! zKj|bNA>f%2NF5w%-Syeq7h3nJz0?wNOqL2q;$LuGEt){BI5tewjE7W5MjOux`Wo1* zlTz{IjB4~XIkvj*(U#jw*9*9Fgg`(KfSl%eWy<`_3ESB)BG(Q|IU2FZsTOQ7AHXS| z-n?5Viu%fuZqtGP|m7}u)tz7kY6bE!dosTGccVGu_}j;##*xYTi~F+AGc?p~6^SH9bW3E}y%CeZ+Y0yanQ_WtF38ZDuFs zA8z_GJAIt=wJo_-ar9BQed8ApzjizwJRApOxHyBL~g9~-V-PE z(wop4pTgnoYw9HZWHLlfM=>VH`N*T?(BTSB@d2IQNW~!5lRgsXkwfPl6`oVln1|L$ z{YtdM?6Ru5R2}0KiNLwI{CNSzcTG&eovQ70P}S0{$M7m@I}P$i7NZZfJ(+_;^Oop< z$N40O3cHD<+s#aA+{Q2?2Las(19dM)ON3l+Nxbk2$THr0s2k&d|9@PqCQdmeuY6Pw`%!KQb zlw)yyi@c@zaY}WQ`}9UF`;aqBR;_WAlhw$`H)o}9^-i!7Ch=4?PR)wtl8K5})hP|X z#F~1@v}jQ!efPidnnp|6Oec*1rj#kIxgO@9N8V=$1X7m*1EMdS`~39{9Z43rW#yKa zS9ZZwHN20O*I%Pt;kp%Th0O^QbP587wtAvJh;#7Hsb7leoxIF_@%G*2&f7N^ml2A9 z)7$BwcP3z#AZY-gC$91&MIk;XRhYyk@$pTWDcyE7$~R6X)ZQ{J*4t1BvOwWu{$A=P zXe6)!F)xO=BU@3hZJWbVImUKW69>7svN?Eh_x;4vB^%a9Cp2QNw#}Fu z54;g!O&QrxXPAN+M8F!!W;m-XKpQF-AMD8E_JBH+!)m4$8E4ej09Xz~k$Zp@`fyap z$)2vp1s7CDM~{doHR|1n2K9-le73ir>~*1j?N2L-i5*DIwd=OC#Ii!@c6B;C(Er8q z9(I49DZD z97ajnU!T3|m;`dY*|XlzqYBvxKN&dn$U~{@)7g>~iDz-S_O(5;{^u-tJ@%D6Y?(9M 
zSL;pC0Ff2`f9pqjtiee(wASCmFD7T@jk`Co;2Bmtk^-dj;rKt#gp$pmn*jI06 zG3--rhOw}~Lghm_O=jW~BTg{RKa_cx0e3gxUf2qvKMDyb`i|RJ-<5d+pdVNTY3zwE zkq2}m>|{NOsdxi%UDBD{8N`y`CgyPw`gTh2{#cyoc7>$<4)rTHyagEs3wfqKY@VeF z-|k3EG>l}~bD1Y7(2$^Etr8HhAq>>ZBdOZZ%oNGri%=PcbSL_B?Zf8&Ji~WN=aZK& zcBT4=6T;qtB^adFJ@cF9mYK!+%8IG;n8q?nfQOKv!DR?8-g#6J+`xOiTe%-J$^$!ZZzWF{;&? zMBcC(n)$_SYcF4eY_;PyZC;bsBef>;qt=7%2!dWBKDnN9}X%f4RF z7v@g%M5+ih6LF@{S(JvJIAM#CedRjf97ZwMZJ!4V#R#!0am~P?GP)1=Zy4YElAPD! zM$qi7`#5>?!(xQ%Og(fK033}LTJB8ifeCGs7CwdMerVqzJ;4qd%%PK(R!OuxcQj16(Xp`@|Q;$c>8ZFrPKW^|(UPiB+uvEYFHp%3?IE1xz^n z=o9B#1}@ok!I-QT^Bb;6Vm+BRTJl>X_q3^XUWPKP0RC*ge_Ks`32km0w4lHilOo9# z-WHd?_ACVqQLapBLJG$PzkxV4cnvq#2V|hmbM#OU0|z(0;%M5u~tR5`V= zB+KPoGv&{Z|MT?CkRA)Vz4Nlj$CVfmpPf?CDTSvp;aC2~EK88;5a#p{*5N=TXK z7K>X)l9w|Lh1#`N!rk_RN4z3ajI(U7mz@*Ah&wSpl?9rl*T5;f_)AY;*bx zqnZhOS7YJp9$r^#TyNcx?ZUk=^!pkP3hp&}q-Ar2&0SkBo~-W0!DyuUPv4g~S8}YP z8De=dvFP}3JV|k~Y+g%Nw3^g{esN73oM&r8-lK)piTy>gN(o?{Ya)ViLXf&NmjMNbtjnOxH2+aEhGkUKPc#FOuwEb1QIK#YWk-Q#a&9YtRu0C*8@ispFWo|#mo z8&4?j`HT@AEataPVkxh;SWpl4_${J%-Oqk4sl$8J3sTwKeO*j$V4gnyjY|N#JmUEy zTIQdA?pu;EeEPYTqOiwIXMQuzAM@maAbdXh$?l;Oj5u+Rf8%)K#3)lq9{tMed~&lu z$mVeiWO;{=`G7MilQW?@0wVaH%w2RF?5UB#BZ`cQ9KYJ0*Wr815bL8+(xge=tqB;p z<)~?WfO2#c!|itOV%=L2I9OI`m%I4CtwP(>>ylOKWKyRTWt6BP(~_tZ!){Wn=XJXh z(jm5rm83vtfRZL_3?(hXwrJm9!T&@{D3quu*~h$;T~+;t@;JcE>$1TPyCAHN^lpLn3<_Nity zUq@@PT+b969GD&66XVR7kEnVfyGndrF5Q#KqIWdcJGwlV*E3#Av&G751*Li@dobCH zezgq$FIu$a$J&?7UX50+*FbB6~0+&!dj);&DPHVzM7 zeo@z>7cag-6tvIE`q_q;V##U_hjqhCxXRlXx%rwR@N?XK>z1$xhhO%i+b;hlHJw*QRW3bYnV6j>YN_PVXz+4f${Pgn zpYOs+JSq(kiP_bjXu_5RRjp+OBB0t|T=4UF>>1Dd$9l1G&?XdzPKcmn!Nk|&Z#Jsb z7(mDCp57Z|bl^j3{c}YEk32@2r)hAq<6?H>$q}Qik8pa)*saYr>(_*+(hfhyB7fmD z&jLGPnA*A3(bkLE4D}0mh%Y4vo3TPXwhKnCide@n>!ZW7YcNPkTc*^n?so&H!k*_5ykNlLfyMME%I&4xS12Adpn z8#)bIwv(HsdM>9T5C~|j(R^gc+8hEEL^&TN4>O1<_ly6tP(~SU`pu7aA zX`S3aM0T{^CVqT9fIoV+ATV^*lKzr2N6Dhw#`F2Z-`(IK+w{iF^Bf zala!+LRfG$z0{2XWT(PQ`o;g_p89_=t3nGI1x5Ks_p5P|%k82+21d*A{VVwwTs={9 
zfvoV?%fWl#f*s|~II>MPMO&&&lE#T25*DbRS&8e94C_c z!-UVF983Rsi-}I~`>6ac1NRi$ly3{rCv(DlHlDwpJ&1-Ddu?F8Hl)p*i9RIP(*0Zr zA5=#8Y^<9c8AkI3JrxEICrA>vA+9F_AYK%nCNTP#TOj>b>PmE~#1Z zcjK-|GJ0BeMUt*Js79lFT1##s=EV(lZAnO1NV zl$!3Qv=-jVG*Qeu^xgSMN-hFuh~QU<^E(51LY;}OCUat6h|PS0>uB~dLnR1Tr^e8-5)&{CqgMnwRsa z4lO1$^eG|QjxUb~FoEEu$rV;NCc_Yv^HAQ=^R0aAc4&v_BaN}w8_edbvkhM%6SBzL zdt&O=oz!B^3~M_g?B(G^ACd|Y-%?8p8}V9R#!)h+0M=aB2z=^=thG=_=?we#qa_Cq z2a1A6cyq*R>+oYBe#EQ+8zNdh-NakQy?3u}Vg1;)>3S34`jEx&GRQX+vWMWrn%v(} zM~d+KP*t*+DziNH#A0F}54{mbTrc}pDr7s=L@u;U)Cy@se{QHH3*VMZ2s;0RmVZ{G#aQm~n0z)<7_{bo zs{aa8?5=PaLLn(kUILf?si5{JtiKJ z^(JC*%_MD_x7iF(v>VDm;+qI??%{A}0qo4_y-r`58C^j|+HrPkX%1i$3YwUK%g4Zl zz3e>tRy5^dm$|E54mLKr9T)5-72*?EWYFx@#-VC(`nH?jk*-RcVIdexlBDo27wm_L zG=)U&ZWI?;B1VaeV_L4CH0`wQi8xYUw50!fW5T~2A7|D`)r%`pL2-4D%9}F2i4=M; zCJV59t7~4pvT1Nt2cIZ{=(YvoHIL*uQ>ZTw-|n0o2Ip$ec!O7t^Am{%4U`_I1Ve2S zcK55 zdO@L{kimJZhxl=(de5`11f?~Op%IBqp56AnnE0QqA7Tz!7f^=N(gXJpJJ9@ij2-={ zuQyhU5U0-k$mfCjON7pn&nXIlF^}9J@jVe3&oF?J=wOc^#I}GfI=SCAs~oztH(3+P z)u!#*winV9>?sA+st-pFbQUYN5)8Re^nUBQFzj=tSqh_|oQiW4p%Lj1%SF9$O>Zdk zWAVFK&p5XD4iy2BfT@|BTGZo8Mf$cm-n0&UoyW66CYYJ*8 zqmF6VpFjEXX*8HA9Hi=o5y%?wN7pq`@v;Pbf+!JnI#<2yHD*Txk=Q027Wb7e2Nj?R zI+zHwfO#Ofo$II@wp}y=GbZWj)RQRPK!oEyhs8Dd6N%A^XA!_eCGhtyBMHPszK%#t z(ybtp-{bxy1f7)IOav+?A6!qhMnr0#Tjo2p##}qq!d)nagv1hKEg%ktA5`7NBnT6? 
zV?CsrV0G{ni~{pgOOZLIMN-A0R#iEHM|o7yih^H}wj&n*elob7RTH1x+B~qyB2bEo z%a>wYXeq?~JSx&k_if&jtbz7j(B09dOuXQ1C@u9B5a3uH<|}aQqJVJnGYe%ozE6*k%Wlssxm@WRyZOSEC{jj8!a|F43d2)LE=H2Bl2*aT> zNaP&1kz44MLQQ)p>TaMM>WPPoj`_b*gfG*1U8=t+*8HaV{5GMUVex#YLm$jZXw+D00m-t>}nM|V~f#zVVX0tw*<@12_;)g`OUdDuS$ z>-BJdMC>hVwvy$r@VzIftRrM!Qq-iomsf?tenVubpPtite16_PKR!6>tLzD?N{naq z%uZhmhOgh4&z6tq-K?A!59~>M7ymlTy`h&2r;bgksVrb$&Z+r%A_+c@uNc%fv}){R z^VaYttq6BS7tlb;d>K%5_hjorvDfK35o^FNkxp-b)5vVG+*&D69C(chvRp}fQS31~ zP#(h+@lES*)b4OGQ!Z&$i6YH8uid~(8ZiEZq)i(Mw0iE>11#hNi<+!i>#AB{O`kz9 zw@r?C`PiPs$*C`)ZBey|dJd3>E2q`njwScKrBv3s_dxH6K=`RX27j@?mVm4H(>j-Y zxvh%^J>XRE{uFILrkf$V%eqRbHwDoOykZf0Le$;hEjGT=NcENVX}X41buQaq9?A85 z+K*rO#5kOt@v1q1^mdR0&zlT`?L# z7P=o`hRk#I;VHM59R?d8?VyL&#+$Sy=rxwo^%@#X`_$mdS+yYy7qKZR1EfwW=L4k9 z*43=KbJx-KQgx(2_}lapAty#s0wr;vr%rwMpK~SFEu;isU2%AC^A9$6{Jh9ir_+A+(=*_SS9{Af;EVI? z+l3gQU~h0Hg(PH{%bxy+Nil~$Z}{#R;WCpard2g-N2b|c)@cy$b&@l`?_?kriKM3c z^Vyrr;}_{GK3T-aSv8*p_G@h7yNw;r>>YJ#!r4Xvi)7h|dT5H5=vDzd{>n+Ed&>@P z>?cjprBRnt*428rJfc-GCbp4@4Eq_!*E8TG?E%P|sDo{NlW0B|y zQ8ugpQzXRtO$m?vwM?C#M>xM@#i-8DBD8v ziO*Ww2G>+@KfC|Oc`^>?$k~^)~?`Q zZ@Br{Sb{o~21>j(09kEG_k5S0K%w**8 z6O>1BYL~N6NGEDQIg`XXNL)o%wZKw`qVFy&nFu1dg=n<^F-Yc#@q#c@>q3kY2Pk~b zU1M|A5kKy|s?+50=>-ZMO|aP9-OT36`r_7B*zwpdOHOASBg1Vzy6*FE8EO+DbGQt8 zYmi3V-3+`G;=C8|a%%L@O>_PmYeyE{#tk_Ez~k zD5Gr?_j-koD zj41eMC66eF3>q{XILX)}R*yKMB@$r8T~FzBaq`XO@%bsXr~B7$-@VnH!*qjAq#8pV zW*Idv+6^yV)H$|+{A9b*;IL3;JX4IBjWSY*PubpHF_csW6?k)TjG5nqCo9sepnA$h z<$Hh+I}Pw);_3KoA4eXcv1pe%M-86NY}0$t0=#MBux?Cb!%=o{bb4}ja&dWn0Q&gs z?ZNrM>9L#EU(jQM^Bv{kA!SKZ za0dbmOXFEq_N3-)&Ik7 zWOq#ZPJ@_}KB5^lZv38x|!u;o7+tP+owPiTzAFvE%$l@Pi{yyN60p} zHkk`fadaO$cYRI5yGi*`C+gnmZ69AS_Rp!bCfu;fDX+ah@&}>EL5zK>ywrxnOqLWS zg||Fq-=%a~;)&pYG&i4UM_>$s=!>i;a$RU9uM;L!&+Th|6o02w5DJn*s`{$r`r%pGgl&grnErPV{%R#XA< zyiUP{lRx!*0P|0_Z|79KtyvDyG z9{_Rk`nH_<+s*Ux`3(EnVq&1s9*_;aPMAs5q>`_NW<6<1IyOxoRw%@EpZqMZ!vu35 
z*j~|>+zB4jm*LX3+#Y=!Y}9TpZi-dk&OJ-_P%~3#E;-`?Ce){g>lJ1Mb(n03&v39Ss!^_AgWrLr~q8nzdT^9KmJNC_DCVW+*HtK|!i0isgb|o4FXseon_&4ulMVLB#{5Dsl6c|shBVs zbEr1H1VM1QvBt&8U^3fsCk-Wg(%-~vj|gEZDowyKmkPm3c>$o4gE=!#^|1KdZnlBk zZ@eDh4me1eJFaYltVO=OyZ?I(R#{oHS8vX<%Wsdf!-GTjf6tGp5r`!L7IhI^#P)VyoUEIw2Kumk zd+UNPu1ClYT_>A5`KTURK}ENl#nL8KlPc?m?-Xj7LRAstYAVECYvmyPdt{MeYN6|D zE?fKsS!AhBwG3{STELzd7D+H)-9+CPS2%Z8uXlIXD`yh+m=yCJhNX5cnJzHfiNWgA znOhHtX(ZUBi-BpDX3ywOizd`EH7i>d{ZX$El};V2IGVGpQ{PvwxU>)u``6YQ{nF?} za+|cQX(+2{8zPo?J&+;$YgxSEzDx1ujmie~lC3?ooaY}2eMPK=&Pw}>*jO=Ce%u+& z-E4?^1draRiBlv@jQYqkvPq1z%ER5WWGiP*_t-^0a_-V+W&DKIx=OFI}*u^^(YWFeuI? zk{->QCpMR;lSJW<&bCP+xsc1-7yfVfr8nF^RK<6hbKjM3Z8X6D1@hl?*IEhrB#b39 zn)YbfR#`Eq)KYPq&nl}&<<-aWX#XF@$7wESdE^ro{_G4RJVs5nyqdvppbj*8+gK*# z)U-j^_n|LKX9i{iJAvM|WLQ$j`e_4xe;ON@=e z>#`mF3!At9h~QAshJ+3yEvXeBAex_Sw>fQW-lk0~WtlS>7Sio=tE=QU#s4=8B=Bz5 zSd_0>DWO$yb$Z5vq=_b6tJ&yxm9-(0)UjeqTL7DN|EDJ%4X+BHu)xTv|4FFM)cShS z)Pq>S7|qR7v4?)^{w3-`@}PWj&-H^3av$u8thNs7x-{R}cRM7!vmd|nWYs%Qq)YnF zllYydtKNBQ-|_Bozm@sBK)tArtpijZM}Nl=83=9U%u#qxvW?&u*)Xcp0WOk>yhP*S3ZCu#XPH6pKiM~D*~!}v zPmRSX>EHlaK&HQwA3e^bgV}~AdVQjEd%yRc+kYB5=eejXB=7!NJ>smbJ$dO7BYv8W zcoJ>KurE4>og~egPa+=~iMytIikJ2(uggG4>HZP#Z~ne8zpsUA@VMz4K6{mpTlWv0 zA0L>l)5ZM5W5Nh*6AH$-kJr>9jQK8-u|8W{^Rzw2%JQ@*Il4!w^ScI6Ql>J?X3dquDl38G;9hy|U->6+@2yrD*zb6; zAF@H?=OWL9#aH8vQ6{%{L`Hb+Odw{JR?@R%qrqg55)X(7uQJVVBT5mvBGscTm#J2Y zXwu+*2gU7L30_X<+vX2v63dmu&Zuu%#&j!Yc_=o~1Z0{qBgtlKlz-8=k9tE7eW&b; zaoq||+eAM#H=`~3j--LR-T<@Ni1%6m>dVN{j?|+5Re9rcf69rp;a*Y&LuzE^b>1J9 z^SQIwnvd#i>E)d)!=Bo>&Cj$v7z5EKKkaK9ZGC8Ycx5|J3~)O_evdNf9=W%9wmGTM z=03tV7qum(%JrpQP5G#B+%Q)$#fkGffx79EUE#aXrX@Fg&v~ll9;bRQf(Vq$!5-OA za`la+;+Ya~;6f;xN9=e!Ws-}dZvEz@XhgtN)%ZG>co0$;+-7|dmPekI%@+O|jZIE( zP=Fd=iS3&9X7?Y_Y!dZqeBsF_zwqQSU$8{{2fp<5lV5uJ921PJK#~Ri9+4d)KhCpm;O<$L9uOX?Af+e@so%-xJN=0PTV19c1{Xa zI^K4)Fu}kc_0K{{kUCokH39B|xu|ztCJK%P=27R1T~{K|nxI$fAh)X&SP$=QQ-P3V zzl=Eb#8?vDPsY{J@Qvi2mKI{NKQz0PaFDA%-|V?LZ+K?f+qsII9dJD?oyC=Y4mA{- 
zSATRPXwMoxgjm_CgW#uYBS!F~LL+D*J}-_{0YJClZV;}>N>rEUPygiRbH~l3Yix_5 zIM?6|{?>ZC<9T%PHxJR!(cI8UAy-DLFxsPTnSHstySsz`BZ@k_rYtA;GW(c)`KRn_ zH~08>=G1-Hl}!86YdnqbG4pB@jc&$Dsdwvn)_R-b14X-Ap4x`1rEO}x&nTJNI1@rE z21Egj{CUrw+l)HPQIMwisAP_~>E!&A?ZWT)DfDUrM~3xiye+jFIXOY23xw+!UVrMQ z+TPbZGTp?s?+pP*KBW0z(g0PJ0rNhKE9UK}KNMNE;Ic1>r{JIBImNb78{Xemw{(JhS3?Iw}Q;Mu~#~(7%poU(FW9w=OiRI48^~qTwN7@ zTHTcH?SILoF^%;a^fNo|z&a|5B$`g$5_t7i7;12g;lDgJHmIsVB1t3zyP z>oUX^BlMGIs1`Q&W&id^#fM_#BvdiO-s@z$-M!u2ZB=sgS=;OSkft;&o3ET21f3*( zo+nCXSsS3^Ln1|Dj&`hc!>Zr}28^br+v{L>rxq{qRgRHPv^hxR6Gyf8P&W>-(W~nr zQpOTS3rrnpsihyY1VL6+o-OEG+^F6EZopT@Q8a>lt0y>n#%RFd>l0*v{K`Qat&nVq z-592}#{@~03au`R138+TC!pT2nvq~%3=PsK{?hL(^?ErgV!21KTH;-vK9QQH$!~4m zmzL&tS4_tzPs60@`)ekF?YCWDtE!uv6y65(Q%7fp8OH9uu#fQ}0qSfYEef5Yf)Zvo z3A#)u$5ik02G7h!T*c@UrM(O2?~QewsG_}=dR z(`6Z^Zwx2!Q+vmLww6E2Y?lISR%L@<7rg+OmDv_G3!F#)6hv_cBJAJoRB3#sb zFzQP>^Sb5$w!CNcH!%sgsA8qMs#z4mbk0twKZyL)vH#gx5D#=|}B$?`}!(g+*4 z|KEqBsjs@~s^=|4@S&X6;n^RlKUsdvvVY&}7C(oB-!iVEuYT%|3>dsW;+|~zo^Txf zAfJ25Ed0NEJZJo-;V1oQ?A|aL7iBApIC#-?i+0sVw|3d^6;{`B<)$7{)r+=xi|zmj z^U`NZWrE!E_r+wO`RDjY62+qr>ixO7>{d@apNSX1huU1_c> zMoNo)-ez^^2i*{scZL>BhV^ylY^$1WFO9%o;)u|T4=MyHI;?M5162iC9jbW8EVme~ zvS%0aVyorYdOUXT>qzfKc-kVywMWtRtoq10FoC@8WOOG{%_tvZd<-QwY=VDY8gkcp)Uj9&>*?<8lK5IO9XLDD&%=fWFZp&|1WlfeSdiP_QPIw zaCRjBx(`ymS0~@R(=x1IJY)ZEFqrmd)k1j2JpDp|YSENVR;i$i+28(lTaAm&%}n0X za}p6RMNI|;&F9~tjja!R+nIe--`HPz#g{DV%*gLz0dvhG0uRuE#3??;QpH?;BHHnY zGvdE)d}vk~>)PPRB&R!FZvN0xF%x(B-xIfD;@r1aOq~@Fo1&HwD6o$+XV-i{+(wgZ z47?7>aEqy*4GD%2*9VD^Bxq#VWikXj3~)xW!?GS!HVaN}OcKHi*C1;B%RnYbNcP2q zX?HW55d#|tWxH!9bDu<_E)SB0*zBkT^y>x?#A;9xIg)bC9(<~C7s^ZIqY0tbuo^5- zxg`)6d{qOzA>&bpu8=u0(33Y8+1_4nU&Bu`r}54>rx>j45m`3-{u2QMcC)<6_^tFM zpDU-cHsRim*4=$XA$o9a>)H$=uqP=+b$@))33Uao4Mo{BpWi%zkZvHxMjIu2x^(u6 zt3^2)_5n?_o*)ky&QJs{l^~uP#t6`#*oIolC0L5q6m{ExzUKZy;%7;zb#gFveU^lV zMt{?OCDd&4bHoNSMv*%1CalK3@v%o~@C_a_dA{};9_nG?zTTGHm7S*XlS)$%3;?!e<#QZWiXdljWlBo`;QkF8rl^w6E7q2@ZW zUBxf}pLh14SI1v;)7Wv55a`~!`u7M)0w5-2|! 
z4h5TV!w{)n{?Y#Js|}BEH5vMI8D1bA2K&;6foMNXbWRgeY3Svcn##>*aM-EdeNf zY8*?JS-i?{z34d9DzRhdH^=p2HW%=Z5Vwo!8I2=>`<5AHPFM8x$wLr;C4rf1BW7<| zB-wa>EQeotwchOo{kN~&H0C$;%Rl0OzUs*Tcn<67tgPI&f5AN;p`Nhe_CDO(Y-<+KtAJXOc?ZMg6>yxu@ehKKO>_GUM+;yEG5^tEZ z#F)wq9%?ByAwu*|VWQu*V&a>g7xGUeI84vL0x{4XR=%+0TXGu`V_}u zMO(ZL!`GKng4zd_I1d!e`6motaijl9!w+9yMyP(o@LM10GkK>^Xg+A$9$GJ|(+zc{ zD|*K^+}n)JE6Se%)tT=SDhL?_A~=aqHwQpqP=W;W+u9+YSL;_L2_T(~PmVE}5y6G& zU(J9&BlzCy3SMsr;o&B_t`;IeKrl1IKH&$68 za)lVr7eo&vTM#ZiPLl653-c48MR!{+#)Za)P*zOXsEO6HOOjYX1~+D(W{U38iWuCC z0PG!|d~IPQ-4WM_zUXNDAS{dC(fD&g(0RLHN$t%q14A?E#hsEck? zHkES^!79_RS*K&6sk0vNL)*B~^ih6Fs|0|TIWa!*Q*jkw*S$M`oo!7QZW9l(_r?7- z=HW^evSmc(XRRYo$Cf=?8oW86CHHo1OE>LyV;bn6W{Af;k;%xll_m&H+b6O;a+9=l zL^$7mT1VJMErtFds$bEe_*1JoRNv)OcWnEE+r{KPGey@V-J{v1W^#t^k)&UqfY0|# zDs6<_C6nM#PEuj_=+oUlJhw`^r+@ld=^8CK?So6MgRJ6d9prNNqh?ob19>`RZL}9; zgs~@C<*ma;h6cEawYCTffs8qb1ap3hmvV3Si?+5N+*-|UyGAg?i?h?Wzq|ykCu5IC z>FrS66frT-h*zZe_SiE|*_L^%N8HNz$#k(g0y%TG!J-t(=jao?>}~iD_xh8kyR0m% zuIHB8X}%rl2HSUY1g6Mj4K`~DaN=7VyBpb-sWjV5*@J$_89tX{ilOo_IA`UD-~2TnjF`#N z^G=Xo6VxM2XtvZv{zYX!c_jpEGkGvTE;KSue1^%&+>++H7?ogTw*H@RPmId$lV%mLn%rQpj`+d6S`5 zUv2EBZA=0&9hZjF*cW627_N2vayp?-@{&Ym^@KK`c*KM@Ur8o3>8XTtB+iZ>WK!c9 zJh^V~sE6h+=AJ!bp*~gSdB}QUF6;KG?`3Z$fdo*z^vf9ICg@DfW`(a91BR_^Jz|lM zfxMKpzXzA(sgtI`#Rtrw&Wg=J%%#@R8<&=L(T`eL%t~L3cjfw+PK+*A6U@K01ClF| ze~$m<YJIE|5txe7D>HLe1L--yX7$ebE%zV{c1JTNn>~kTEIwTX) zlf5Uq%PH&DIsTkX^htZ#)$RO859iy<&l!)qkPxgFc(iz@>nUObPruy%{qmrEA2a-( zjEa3|8P=$}>0>UmdjWbCXBzcN@mfTsz)&HitjGO9yfkCdo6@O146d2z%*v9WVjJu7 z-SPQfNYll!F@Kg|a%5hcvVg_?9bBf!)^T5PlbVn2ff1LCtTBSbC~LcH(0t3E6Zyw| zfEN zNtZ8U?A3>^p(GG442D~y; z{XFpoT(-js^x?Ilp$Bf2P1p12JDRroxX(Eo37IKEs35LRfH-3XO%kQD=gmB{3-VrAzLvYd+l>$vUQ3 z5JF9e_Ks!>2S!BIXQ&A;QmW685h^ros2pFGs>D*eH8p`iI z(PM_skTN~(XG>?|1l`8Zv-x~&Yg`wD?O&nC?qlxzBPYDnSO3Z0hi) zMncfTc)!aL0vP9@e^+~sogWu@y_gBZ2Iy~5<=Trf1gKi^WxlK1QnP~OLwqErRFuyG zUEbc)(i+f#xg&!cMjc}fl1VGo-Ev*t&i=5wONq9HFKjbp?;iIo1)*y)E*|(9Fjat+ 
zVuP_P3(r;IQ5+0iA(NTXHZpCYk-}h8icU3W8XeK8ZuaT3=Gw2*%Bd!J(f=Q2nqS=8 zU7l+kwwTDKu+!kl*U7zxiKec=gXh8GeHeu0=mk7za`F})G0lAV^+F(ZoZy~Pda934 z*~ZjavmEre#v4LU+^n=~4j_AG4~9`fNx65H$auQ)8brD$1v_MOtx-{C`*N3&#M+|> zoRHaDT^b#u?}-B7-uL30WTJ3@9a3#-OWAfM^2G~m+v-R+eE)!3BVl=dw3C41izPNGt`pw1h#by8P!TIsoW&iZ#;$p)%#X`ol+e@iKI@+3H z*QJ;CTp}87-1${GD(ClMQ--d)|0mi876BjkD`CeC8XJD-pS^i?e0lgS^(wI+kSwpi z8ZNug-w3W%NqR8Tma%g13#h;$Al5C5djG4KRhZ~>SWDecM`!l_y`}MlTmB3Qkcg~D zi=8iV8w#|SyS_2YSZXd4P)NoW*-f0w{1(Um2hA%>S*Wy&CX@}#C40q2bx~!iG(7%L5sEfk6B5z z+p=_Z7_9L#sHu#29^pXZw4p!^Pg5kpjv8U#y3w;xZVVK9%9+5?Zht<6!zbFf%$O`%F;DXzn33@x-k__>Yt4&|C zUlk+>a=m5mtl-XGxe~IVORDuhZ^ddfZmr=;M5+Vw#AZ~*Rd`R>3AeoSVlucFEMpkS z;!UMV^xgm_0}B5G%Pn8{ms##r%NXZ#T;+rJH%H?I{*z@ad)y@^B^bks0s7H zS@svHC!8KMyvJ3Jr;*Y>iD}gVX&JdfRqr4k_Jpf1%+dZE;7}#f(~Pp!?S#{4nw`Qm zofk9H+eC?ab?~1Fbz(C;!Tr9YKw0mYDv_L&Z2!q0dVBj{_V%9Rf3p4kr@h_YUT=Tb zvMYTypL`ArGTEHR0r$!M(t&!YQb9fs#~3}F?(br!Hx+BLx%e=CoF*vAKy#mKw{CRD z-6Jn_L^Hm)JU>1-)s(?_36@PBURiDvY>3;Fjyq=N1*l#h0nnQ!sB%l2L?--5{QfQW zRYb{~Yk^;WRac`082+%-#SHw%d?1nyUXb90VYNgQ-V#KNrh7gg{mQc)XOQuVnpfQs zPN~v)M(x^4-tNNK{wjNUE%!D$(EiB=z9#qr9SyW}u-P>-% zr+05MPwwZ|DU=}dKWz@XBleW2Xz!q$O);eZ)4OPRU|Gv2Y)km&g3%VV= z(xT!ooH=fYdhTTASp9FV%d`9Gocki4Km9wp?S`{*KEjBzKR5nq&d>uI_bV&yWhd!Y zGASCEsU;-=LIs!P2I3J#y&;JN^fw0hZ@E~+J;i80MKI5X%!uR{#}~8D)R9@xxRlq3 zZixZt8qo9z(Rd{DHgtfB{jI-Qmz{G2700OQI@o8tjcQ=q1g|z_PR=fm&(98CyP5bk zFpf&sMRoR9%m)A7=%x6RYRN!F8?rdME;PWPcGP=>p~;J~v#4h~L`Hq zs+z3HlCTd~WHp~spbeBzz9SQhQE-YhifQVB522HTdhY$GqhUx}Abua*yRzKK8qR=`Er@U+Yr$u9 zUfkCb4R^L6>1697+#8?8xcrE(XqgT@T`J;c)kiE<6G$jYTUud4H)c#{^Z5My&3X3r z;G5%LUaqhxD-kT_Zq({ne zTNGY9-BCWdSs*W86ROvxVw(TBH)KFlCj6Gy5f>#h1;xMs)+CY|L;&-26tyx2xnobc zB3mXX9Fk&n2OlncN(Ft=nRP}`0ZnbzHVBreDFbrc5xlbQQ{xC057qdA$D?r@^aF8_ z#aP1$D+SPy0=c|ePy%paqVLdaVu#JOfy4@&%!jheFQaa*o+(H_Qv~91VZ4ZeNNU4^ z+?c~zHSKc7>`^zj@lFGU#z)N};>1jF1n>NGW?_&bS`wo1$uM1I6`TqKJ#`kg`x$tg z+S<~=k;eM|cO!rgDu?fgTvK(BfA#X`*U9(ot~O@JH&)(5a>sp)zAW8^A0}Av0s-d< 
zAVuUmxqUpj0oAP!&-_z1cUz0mN{7upxewE5`1LlC@5?6Y_2YMFv=_dyvO${}|3R)z zuetI_7WJcYAAMah9Y(&y;2aL6e?s8x#B`P#PsyLbY%QFfIVo)kz(0vLR7$Nj$396_^(*^X1yRO970S=2VD>vUYV^YN%ZFFs;K-(H@+&hYPX zM833}#HvS}O>*iqLeUKJY-8+}YhEGo3aYE*RB5uAd1$Dsx^;3Vl^{R41RwNStk&$t zt?_^9uJ~SwwDd$*QS7^{jj+1WD}_Q_ux^s^x%g(z8aMNnlw+&F+>m1Njc`jd@I@Qt zgQT;mAJ;v+natXzFuLKUC$erw0>e=B^6ZP(yxfhNYPlm1x$X+gE2_@>2o@))6snAN zQjQCHH>p|~4q_h{-WNHm^YpkbR$oAO-CVX2{rYDHm6g1 z3WcnmYZQWj(ZaL3)|I>x>FtEXmh;LJb2PEO++N3j<|EwCu$}NTwPEy4phFw)FoTtS z8o^No--|o!!|>@zgwPw0P7+B~m5DwVuUf`tozjUnLe2yyt=U#Dd{We|L0Nm~D}sRY z(K{eCF$%vU9(r^&^5Zz%MN_dZ=OB<_!0B* z?Bhqo<^+d11RJjIsYaI{0}!qDH=qx|eDX1+n2|J<%}T-5qMs3zgwq^_rxt8r~ko)Q%wMllZ*@VWcSGny$zJirRQw=9SPjIF}-?o zetK|;yXS)SWMAa&j6wzG!Y4U*z3i=`=4qOjT(R4H?ZCbE8imG@|2WX?M21j|7<4DO zixZo3w)C}Y=@qDJ@;M!O{A1z%c+3U$h3acx9Q!{;^yd8K*8L*e3eHAh7I1(5*8TZh zC9Bi~Wd66({U)qJ==Xsy=2`pVG5yK--ye#Z0Dr~_%S{@NFBt^ou1g_fi zSBKf&-u@Ha-hAjCR$>8nW$x|>+=*-?Vy?quPLyq7<6dY`g~>ip`?%SEC);E3sHVQS zbB`TRoffT&zlXAOKJzhb1smoU*nCb825_q}`E7l%&GWK?f=vB&*~!_f*YA$c4o}X$ z$!LX%? 
zZ%PC(2ez%wp_$LCrdg69Y9J0y4c|z5A&v_vXpx+fI^tcc#WI|QD)GRo3%3FM{s|3- z)9O%e5QaVTiP(CwV*Ozd4~ccKN1LoKt^nyh>a{Y zXf`Y9V-r|sx=EHysg{kD;+b(=VT(2LW#?L?%n#}EDFs+Pk3dG$AH)KgYAoxX*KXhh zB@m)((Leze#F91}j%QAhJ43EB{Wgv0RZ_;W!kx8(uF3et!7c~kzEcJf` zw$fpUt$LQ3!JM#fODDeJ^l7vgXH`pP6{FKLm|o=&X@A}V$F1=D{U`f@dICGssOtO~ z92fBGmNkP1x|7!f3y>B28SOl_Hm<)}2^$N(Ds|pg9~36c3N|bXc3_fRh%t~OSTS`m2EFy->OiHrSHuds75s+&Ct{Vkn=BHI`F_p-w zUW$yMA5qUB%h1qA_4=cUYXu8Hs1Hz2!9w){<#Z z#6F>#_sD&=hw32c!+wV=J-;WqfTXPq3#0+filIszS(!=ISad?}CF`Az=lXin+zpbU z;Q2WHr{iIAtB)(2RQ30}v7XAQ9d<8Rvx_F(U(cKh(mjP)ZBt<==<&xak#=c+cW#azOxjp@5Lx>m~5gMI81I3qm11UDufP(#v2m8`otg zO5B#QjPC6t&5Q>kEBOzUH0*wC_y|0*i!HBSN0pP*ne`<+P*xJ0$i0&Wd9-L4dC%NioAD)xTI|0>^h;2g?(&(ckQ?dOvA5{+t2V6i z$V&b)nNoM3ZzOlDbQo{Qhtv&XpHqqf>{)u~fc>r1962Ru*TX9e@>+S&Nr@zpZ@knC zZk^_0dh;%Fzqsk%vfC^7vfDSj&>S#RPoS4M=L5$f?KNU9nvp-(K0-@ps4P z>D3hnYHUQG?r8kMJ&nXSizv#?rBa1^>T@rmSQ4d% zOb|p~#55ieF~p8aY${IeEt&Pg%BNXz2jx-AS2Uqrx?WCTIPmlS{*@Os5F)QWVrbUV zim`pZ{QhZTIU3kQllIS+2L#{*mX3Nbtte=3!3P&Tl?FYJTB>7 zK)7N82k$lFRBNH3fZuJ^+g8hRUF7qHSg_M#cAHP@fT_m-rG8!EKFPro82;3HdGGG| zViXcfm<&UWa?|=HEEVRkqEj2LnS^EqHL*gTLQEc~5g~#`?hx}58BL_eg|us4(jx}f zeSCWB58J5q3F$jAjI{I+iAX=WhjTOjX%sWJi4I|Ahb;BXfAZn(y)Gw z|E;tsJBo1p0aGh!#`6&GM;et*qdPHMzh60b$A3OJef#>@P2F!Z-L>n#O%7A$_a&a; zL^q#6#~(=DQ%<3B+8^g18!SP{uf~zo0@M^vA&flX$5Haa`#$+dC-ZiSN%XUD3U{t}!%>BS5!Djr@LZi7w6*(HZCwil%6Z5pQahC zam7M8YiFxEt8|JZfFm&07lRM|tHpJLPvZjRD~ikmAC7y%2dX82f|MeW_OPhm8bBj% zv~_}!7kN$lTT2vZCW|27tYcaq`u3Y}PVNUi5dDCua+xr+x7C!ITs5%1C{;`@ z=*TrmEDcTm(?Ezu+%qL!zaeJ;Lc-*)FXsX@Ye_7Y3dcK_k;+_R{Z;JNq{l%r`IiBE z(NDWF0u?CL3uoImW}w&dG7>A9@|nEd@}kx7g#zm0<8)LG%DJRCbXX=J#k%=aypD`@ zgq9!5(&mbll`lw6uwg!L-GDH%^CrVwejv~nYf&Z{(vhx4B*N;*ue#-;EQ_{~xTHliSyB~>t1eBO)Pl%Kk^qY|4og2+{vLdV%s{p-cEYju)T8yf z)VF$94?fLDyuZ`mtEJGF$yIPYLxrns7?o^tUJg(yBT&7HlP1-FQAc{&_Zq*8`le%3 zA0RqMEr6idp?(hjRa|Nc0A&-zofj407$QzAc;keMb)zzLLniBKGAn)xtI<%wsnQJ6 zbpvZ7!Fkvm5>$}CxK?PFdE-ff4DPVv#vSLBTXMlRiU=*Go@GNH%He`;Mr8&>{7rFL z<^pF;2r4JJoe-G&vr<|9q=L##a6!Wa!~#0qK6TkJg9@2<}RQ5ql& 
z6VU{#Wdd1U2>edS?Y4P@=qh6(YAxsWF-)$2pL8CG#dN4ws_{Kb?KdIW6^uMx-AFKW z0G^P~hQv>)5=qMKHP=Gxb*W-9Z#=xTzjarkTjq)9ht5bIlzAdQ-%TeMJm8#CQmhgs zcrSi@`Bq)^+6qAhM&J*~m4e0OuNl;Bt&&1bOGd^M&RpY+_@z?`9m@Kn-Q_m(4T9I$ z^eTGeOIqYhd~!E%bT?F>hybzg3MPl(Hb*6qZauL>Wo%#$6KOysx%gz>y46O4=+N-d z5XdaFknM@b9Ba{MTBkJI`?5LpWMMAumh`Jj6RB_I0q=C6i@#1quIMdF^(hw?FEvXz zzCw7R(lTA(rHF*2B{WfkcrNGy@_Yqr51KpuJC+sU`IF>rR6FI2Ik*dBB6d+R`B2WP z3FBPY_&U7W$rjgtF^7wxyOG&7T{mP4gu0i~ z$wG${rAbebavgBen3mg%`M+9r8@27Fo!fk7vSP==XlbaTwOUvIkY|((e;Ar!?0(o811JiN=r^caQSXj@EVeIcdUpjQ|Z`sz{d`3H!c}D&(;+ifF(!xSYTtQ(V!AsVQ61ahO{78cK_;knY5t= z(8@}xXeEgZSNLgLM63JnWv56fj`oN@#3JD6vT@C8wVP)TwzP^lSTD5H(0s0(7waIC zjn*|QM|K?U7-nABfo+a1=B>7~8&pd1YQRqVP?eg3AL_avJfQ0dRTC<{8oRUokjB3^ z52(Qy=xr+4YsopiynG$Opf!|P+w9!eLwfnOe97(oH_~PoEl6Tw%iY(~f$aIx#n;NQ zoxoAgBe=yRQHQzH?R?P6qt%cxOET`$1mB^iu#Y;1zV~9b*B)E{@)?=E+({13$+#|A z>@DARw1>pKhkjdY`B2TQKX;|-sOuV&S;rPi%&DF!ozeR&SrAhQCc*T@3uk%f($vW` zHF+cG_zPvMN#+3D?0sBGWT>!moM>KG&R6QwX+CCUWU=PM>Jl<#gep}hN#a>;uRhxj z-ks%=(4d&h9BXQfG~+R{1%GXrz z{Hd;rgoTnl(bx`;=%X##(xmA&fg0)y86?t>+8$wTuPbAimGdnDsJOArox%^S1SUxY zaE>x}?PWjcp6T^^f0dVpFS3&(X8qtW=Kl-3k!9R&%ZLzUku7t?thizBiD}FiFXfTK zU}OU@wiUA#_4!2>rwU+g;)IhkDw0 zLjPco;G36Gk1_Geb1ukG)Hotp6|4q5oT*+BH2z$a7KFoo7rqx3M4D&nnIW&-7yhm{ zd(o|z?2s2bJ9440J{ynh=r^roGS<`c$ks>JmL6!qq(XD`r`yAwy}?fd5B4OhUH7Gu zJ)}_0a$kDU_)UL)ZR>1{flxzI?Lhppn|tV_2B-K^z-E?&H#?{{++Yne-R=DN zKTqFCIR51dmLCPloeGAml6UtIUKNo6EiiJ2ADFq*oWAJT zOpd_aQVEPPzf|X`G%M0r9QiNhZu!UFKX!Re6IL}y*Ui1nRyTGwmkJ;^&3MsFIbZu} zPX-^7av%xB&*)l#ap??+eF`Y7LEZ`KK?+(7>WG!%M9DIUeKOL4GX3mbZrfF%h|j9v zTF?fi5)3cPTrfKz%)str#vS5IT-(MM6wi@G>RkQ^76Wg`Owm5zqA_jBwEdbrTPC%6 z5$$)x^nIs7#7kOm8x&r|AHU8NBpzTOBB2PRmW9Fag*6FE=5&NIKuI!a9* zh7{O|Gf73R+OKvM1!Xa48-MPex#znV)=*;F2R&0f^Bserkl7+2<~Z+$Q)YYwHU*R! 
zxS!UJa}*b%^rq!XjaZ~o^&oqrVbQf@#bkdEk(ZH4p<#0va%MF_m|I+S5Fh5OiYh>Z zAYOzp`MQaWSEjita1#z@mC#uZSU>6otH0|xa}C8HkZw)jd(B6&>QT*xCSBLgW%pTC zi0!3#ANxJm7{6?oWD%L*uJb0!;q=4vmtH#-s#SzXqR0q>Gyu~byw_xbx|cvD(~v=O zzy8XJ_66N1Z$CWk(lZ?0#=UH*fHU@CXi?)DtA8|cN}77U)RczQT=&!ul0+LN!GF@l z%Aij3<(1P`-v2|S)jtqc_y;dzJ<+lJJIz0K52No$d?QMDGe$d}>IlOqQQhgD3K7ak zF<<~D%YK)!OD{5mSP&5=QqHfQO1A)2!52A-7bfWOzy=1|^_V6b$!yqr7&c(N7**NA znaEz9ym|wYjD@pvEkfQ1d?Ny9EpX0U6Wp_eN3+^PbfR_UWH+BovWruua40^<89_dY zAejz+*l`D&lc z*rU%6U$;Ih-IrF?GvM_z_%8AlTbhp$`a z7c*N;HkwL)xY4#iYS0n+!X-2{*sL7i4`(&hYBp?Blb{z=xEMybD4W)UN%jU6%d+7B z9HUN9--$;jo%ME^BzCwDsv+^x{lk_nvYpHsCf)^#A0j5sSWES0S3D70Hcn^F_qM~l zKnlvI=A*g`T8)=Gu4Obh~W4Wy`O9w)f?P*#gtK4N1?e1#&B^-FgD1??rg1Qm<& z!c?p^52WJG_}k-Cff7^nM0A3d8~1Btob{Cru4xNgrh9Ffj{gPHBcFUv*vj@WdNp z_<-)WmmyWECr_HHl6^;Vx)<4AZ#TwN*z4`#|Lps&T1%La3pFVLUL<6ve`%?D@wN8 zx`Qr(CAk%VMX(D|^z@JKJLlf}J{Aj7a_pqjX*x|Pa`)}~zF+5_dsNn9YBwRFkbjJx zKR*=kfu#sBIW64jWp@R5aNkc(Wr2OLxKoGY%+Lq$OB>_p)((<^yqa-6%bcDhdBv%~o8rAG!x zdJ^sF4OGOZC4Nmd?_1H2%&|ePXm=NoBRT!dZav5h&Ti~skz54D#i^h=ndyL+X=54I zQ+seDoR>R0!GOYW^|ZKQe+5hPa+Y672VV+f-l|v@meEbl5N|1vDL0-sT&p}sW%w5%Ci2aRt$=H?#6I@h+^(LZ(^qfC-yOd`dH%2Cv*Y8}a<&ecaga`9 z67fX{*Ctj6FxqJE==9~`iQL&clE5TS-Zf5nI%aFvXM|c#=OApXf5*=H555%zGVF#o zDEDg3`{&tVNauizJbe|WRq}_wqI8M-CbYgzo=#Cgqtq%)tdh}n?nGfpmsF$X3lC%~ z0*oJ@;=3J74!==L!l#|%i^ivjkozhpZzHkrR8inL-sGu2B_c8jornX&gO5BuT3i!e zIMxC-ofeER(1Ey)ZaNMgsRX2?V5y3xl-j}katk2iJs$5TU&G`hyHFD1uuuU0=U_Cy z4NNOf;iY~ckE_-3)&6F?FF@|z-E6JxK5VrcHyk`&_u;T7v%L1W>u7$=fX{=R(O?qe zUTrjRkJbOmMQXAE>qihBD<@yFbZbsy3Qi?sb%B^%O!I}M;EVIv^8eUuo!t}~d})cN zH=#$?ux~HIO=%?zJzzah0d~2bW0y99z}|DqPAI8O*Smb+UeLSv&3h>;STgS;W1MLD z&W*d;=%KIGsALd<3t>*=9J^Mia@vO{DI~sD ztTCp=y^Ra(rM&3dvPFt}g1AMpr`;39&j{37L7D%L*Zw8(+IT5`op@~_m$bXErq#;A zstk<%lQ3=nW^z@2#qtop38LgH6EY!Kv#wR>Cw+zxBlD3E1_>NFAspHf%6A;l$n6-% z6`)=QAG=cn=y;dkZcGv@IgolLxBcMy;8fuY*6O4HCz1_4Q>Hjy91IO;-Jt&i@xbD* z8V@YC#>KowGU{+l-yaXm(qJIh>(kupOsu-J$PWESGp*MypXX%B&v97I!l{d3Xl8jG5(Ci@{R-^$nKTWJx|>A8gnZDg`A? 
z05?F$zrP;69xT5Q+E| z>n^>&98E5-eEWBqE)amYyvCA3%)*n4x>>D}KJU3Zh0it4oio|0smE|5!EL5euE$gq z6}kS2BtfG6VX2flD=!|rgljjS9TK#^8r4;2_g@~LpQFm-;nCsQn?oqnzrJ4GEmgTe zpIM}yISV|=)Hb#lXptVGRg0lY8GEp^`>tW2fx5+=c-^5$tW9CIzABop2f@DJ>fU0N z!Rxt*;Zpd=LGrJMM)8+Ps%0JX!b(#k@rgGG%b!Vz1sybNsSDx_nDI25Gbu@Fm=+gN)G*#roJlNy-02-zdh z!5ay~mkh2)xt8(3ntTP4zl&A%E<{ojd`8eFZfTD9v^p(rt;UpB=xfb zVee@f)vhfo{sA7@q+|HfFcO6w9U-XjrkKqv7iL=huaQhhoh+{Q&7F1{0t!_js7xXO4|BVL8Xh}@7++5H2Rhu&C2K? zHpEpto?ln`$R|Es{#a?F+I6SC)Z5M%AgWvb4xP<}L4mH-jY7;44o{Zw($MA6C>s^@ z{g!UtZ%aA3){Z30#L{I?RR7J&UZfc`p{S*v|X7E8d4N&L#P7vB`{s6jzN7X|7?^z)o`RHb)#^oZVdByh1zQR3m|R z^wu}A85@Bp26MW#^M~CIPB=5&FO;AgcT=cWsq4xcS}rLmZYzJFp_F)krIu}W9@^uV zBVbiGcukR?232qXmBUPNXFPLJtxj zpa_<*7gXX6@6^9JW7IVQ4up3btIY~gda1^iRz?lt5=;)@QQRI=+#sSn@eHFZXsQKa zq!STGIfWLZ2SaZNdaqmERLlA)gOskVKKFZ{9Ug|@yzEzF-C06%&7Betbi}e%dOhFnGRwC^)`|DP`PYn>qtT2cFgTA&6%|a`5VPr@4P5k#Rx+Uj5_|Y z;A<9R4ihW5qK@QoPQBM>eU%Pmh_OU)ytEB{#G=RV_*yez$qt@GhFrM-Y)`cU!E;{} zw-s`o8*yXCC~VjNgD3p_l%j_YV|P<55Wn#w0~rlCb1SzwRw8gGtCIO`!%$5mdYqrN zV4G*}@!0IxZ61mj+&OaH%+|H&Dd`*T4wkl4)0OtQ1`mSv(h~B?9<)fq!S*EX&VAt~ zuyY%UBJ*KPih-%*`1LgB9}=%a(ec3SA|(VCT4G-ds>ZJu#GA8RYpG#oD{dlmCWa>P z7)-0;#Z6Rd(epfOG%^pBF=zdA8YA*+tEPtO-Ng`wvT;Dqxy(yaedM$V80;?W%O}Z~ z;}!|AsGC)F%Uj-K&o`&TwC4cNNJ*_i4{s$KDvOx)s9X!{ZBMIbpNS^Th{a;H=>#HuH;t#G`Pvj#eKWV zcenT@yX(PzCWbvJ#rv`@8w9@v$+|m0tffanW{q0YgKcR?epp#Ns8mL8A68s0wUJP3 zw2Z1b$WZ8}x{%Y+q}Oh|y6jRJdlfcMVm+yrsuweRi=IB2ps?ZS&-Hq%A&tST*Fvg& zChxY3xW_aja(=BDzs2h+@U8e9SeMXNnw%CA*IZ|N0P zOj-zGBHU*HQg}}5y+}%;eP$F+(*i*L?`-{#lci;QFcSQl!K%SG2&GXf}^h*>gAS&@@ zO#hqgpzq-}9nBxcY$$u*2!W@(#SK3l=k@rT1HUi(+*kdGhF43)=g3xD&zx18Fjm9U zrshJmmTH=RURO91?nJwp>kH?qb~pKxfPxSwtY>+Bo$dZOAX7Apq4%V=q7&!@2(N|# zDi>@Es|F0Oq_7;jSD6}Qjf&w6as~EII-pES5&b4ig}$Kd*fnN|;tq~`_oH~gu!5BFX&v~alcYz0ElOJZag%jyUniirVavHb;_L9 zA!lagWdVU9N?+PTiCt+2H+>pJ;j($o=bBb*B4{0i}ER~?6eb+~U9*6_Jr=FdP&$Sa?d7~I38Kl-A z;1Ix(t@P6(%>;P`%S@<@J9*MFcj}5zrn%daVJFR4ZPO~r2-tU6%N^@^x0!1rQ5$!p zA*K0zy)Y527_xiEA^tZViA?>1M0`?%w`&Hc0*@9E!}r%v@jyFUtKOxB1-8vgn`+XJ 
z$0%AcCif>)Kl{~TAapQ|E$zb0!WucMh-Z?DsIlm#`p2zMX1I3RADt+?+mHA@gy$q}Y;PS6J_oXXvvhZG2jhK%0`Vdx6NB8%N&mNW zF`~0hMic5k;0yoadU$IWpXs9h`elNq-uZNl*`RLKMWCMhFo3w%<}{UAm}&(~6~G~h zS)lnb(y28#?OntZosMXkqtXb9;<&b7<{y|o9BxR~Ey?5|Vb-N$t~p;+F^-SOj?XGO zfIvdD_9e|g01$W}b4uM+;T!VFAbLy8imQAQZUwyX_UO!)oTVuD{Oncs_~4=T%<@%u zC@SI3=G^hzcplM_bV4n8`n`*Mp`2lQZhA`TT8hzSEYs|GT;81}VamBCj;dP@Q|vaH z==|{Ky9FTtR(y8UOae`2_S(0m&4)rkCa@H>?2+{q(-ZIwcowx5LZz(RsHbpbMGCaA zFav^^Qa2&x2eR$>bG8ud32vR-qCn9ivtkaKK6t#puQTmSh`Fl^8O_;$xlK}CISt-t z%P9Gz=^P@}oREY=cx5$eLs_4KcR6Gliveg>DpVLLRZVcK`(icIvgn+U<;>2HkHulNPg0(SI{rvUuIm(m0 zI(&J2?pHL)kD-uCrFMR?xw9S*-HaQE`zo z=V}kyg1eIzk;Ih}wzFF_Uda)NC8*N&ZM@HShoR1p_co;ybzY!Pyj-*icR3fnim{ie zHtbP4nKaDY7HY=qkXL zl7huJ#iM++%)PE4`Ln26>sR?bv1$Q@>8*@_RC{Ci@S#(U z%$+@w*T(jK>c4$1{A3~*=q}8KqriQ|!x^HuqY<03R?1%XcJaF(vfoIVLeOW)da={| zyUqHmHxC}}@9#g&K9>)^uBztqA7$W=9{x!0?5h6Jz5JuSOn#5u_<7qfT01l%Oqx9X z(FyiNGe|!A!x=vM=-2%yzLb9U%MTA;f(R`8{DuVHpSN4rUx)o~YDBxmXSY}G-%od1 z^QykZm_7u$$_?oYChN6g7HXV;6@`bMlAuiUb65&bR2PCM@eMR z!+$#zF%Oc73lBum2LT{jOvfsfJd#Bz_xVeYmWARZIBE7J*EE>jaZeEz1FC8Tn9i*(Y z*u|!`c_(u$X%*$R@?~3uF&4k&HpHG*^pbp2dMG}=-~@F?1vOk~^kEUjM6;Y0I9Q=i zI{o6xwQs!2g1`x#mY|3X9ePwG)-G<-1q{_Sn8ljz^X-$ER?t|oQ)8(e8mw_eE(|(N zbxbph&@wMho@{+RYSxM4hhJ=d(G7cN*X@T%LAlZKGA8EB{mnP8%d6}7Re=b*FAd!> zz1b6ACm!0n$tC2odKcUr*75ERuLyJ8|6)CfY<+p*vR9)dD@IW2~PB$*e5e21`Kj zh2{}cMIe5osV=c7IgYM9B0{x(nqmiiFwaYHZ;VOixf1Qrlie5kIJq(@J>6X>-x!8? 
zxah#{iVvPufCX#yyVK8u9t8Ab?8yCy=}f)5QW|i)tg6}F6OBM>#>W_1pHcqBs4utnm?*)2VNT5%hdU~rr+C!KEfoJj%Z7$J#&2uyF{V2tZR9Dh*!Jt$RrlisBiAJEis+%;^mhpa;>Aq(HGGF6VR%`?yB?|Nvy8}9b6v#nQ zC1ph;N1WGy#3ew7Of>oI1*d<5ydOCY)-h@z(upApIXh{0S?pnSbhTal7wdAf3xOKe zduODxh$=={3ACVPqq`@Yb1NQI7Lev8DreJNK)T6Nvz#M_`oTDaG(2i8+Jf0q8w=%r zut{$qN73UPy&a0;WNyt1s84B`^`>fI-_IEX^OZ*ffY?u%uhSP5%F>5*x=Sr3G%tTr z79uOeb;nfgON}Q1TQ})`wn|xM^LuO>e58nPtH-(YDsa5vEEXiDH;a|#6UO>_nl=_t ztwG(_6f^$?{AE^&|L_tUP(Aa4J>>>+i?D1)*|*gV0!c&tIxqpABx_tdi*{_?vjih% zRtcHp)c)37uX3r_Yhc#&y4ik**jdL>4+2}jZDLUA-TL1QyEwVwWU>2sy}(iV?`eV1 zc(U7sRUz7KqTfolgs9`Ub)-8Y9{2}0~2u|CXT)<_; zpQNA^TH!yd`5Y=vHCNP`Tx(Fk(RN#t9Oh- z^TJXt0+BynUc!SjcHe?l$^k8bz2Fb1OkcabJmD-r|J4w%Jm~H;B}J8gu`F-zGh>zX z(^p@w8)k3vEkbg~GC}^|Qx><`aq84e#R~rUzRcrMzn_nN*WJH==ZtrYYk8b*h$dyG1*qO0f(X(c;=+=mh#kMEb1%XkdL`-T&n_EgpJKBLZ0i7Qu>ORW(E!T^h7a7G)Bh(4#xONKA}4Dq)|V zRI{1puPjllL9R(U=iLoEVL2Z{S^x&|&Ds`-O(Flc_|DYxFm@vxm-DphC1rj`plc|| zOqF#?sjbKz!SbPwtdYcOfe6++SC--2ZhI}RxZv>jUV@$1&C}j_2{LvS+0H_G39)vu zs&0r#WpR&}=ds@IH7HHXK~#Ku}39<@8738T9{Wn zSTymrL3e5bEaE zV=$`#iwTcKX-na&=>a>cv@U(;zNts?#Rj~tk-;TK$LXuY`rE+L-e!q7;663{mZy94 zAp!9@Iw|T_`HTHW*{)m2i*o9QHozDGdD=ZulvH+%ciol$c>e&G=3_i>RH3xZeA!>R zHl@|a`wuxckN3aGcE52V#mPxU5)TxdOUY?)@sJeA2v8ZN94KIc$oGZEj(8eRQwAvdor!z_%R#Z_?^%w^Y{yxbw1Mgy`@To{Qigm zO3NSM5&FAi<=b~}yx=XMZ9TrZuF87s8Qs7C_VmQyk?13ll)UN>&-F5PXEKwqgVjvM5!TD>s#v&no{*Lp4@Nt^lw=#*trL8-xdGNMdWj#R=Hhy(rv>Q+ z04}__j=+Vr>Gkq^)jg?45`Wh}S#TlI2_;GCM@&zhqhEIp|H;7}6Z7YvDT(WJ@J=QAM%rWESPJaZE@3sgrkL1Nv@NSFDF@%9@=>RVk}RoCT3+4$Te zyy)glvXy1_q%`-_oqJ|)>z=0R<5rHzkl=x`O4(FTHgB&T_HTXv}D{u zd^5;*3SAg!#W-wtu`ZPRR|Dfoi4%#Evi>+egw}OZsa4pXyAWCp0Waj)qx}QFjuuIT zThbD#W%orFRC*1`O%NxGtSTy$=YhXHs$e6Fr&qL4vrj9MOyRZN0me>Ux|BqM@+X7^ z6e&uZKn#Vz)e5JZQ-D`)u=-_G?{bY?6_%yi)fQpmLy-%b%BLc^M`lvjCmurLpJzgk z4fcxthhNAt%B3E8riPT~0`s`iq;<-_I@ii5KHnd%9;^YCRXT09R#1>xHGVn}d|eg| zk?|3mb*-855bpk2>dt@vDv}D8=&VbR%U(jlL2ny+N05<%#z=ZqwLBw%amjh8WB|g) z8QZfir|VYYV@VrjcJDKsBA^GB(wl 
zmcv+WvYp*|T}%d|=+k$!C{WmL-5{VhE%O*OU$T%7g0r=V28k7Wo6a3(a%N>ZV9|6W zZCmW7eay|3cU2~g05z50g_z@%n-PW~o4XxTYVu4g!DbVC%<+O*e$1!F0dllCN~d|P za%RO`f!Yn0IpBlIK;4T;Sp4G$svfyd7-;ARKD#8hD@OfsgVq?JA23yer^yK~r5

ndC z@B^rfVGbXtQ!qtz-^O3_h#_=@XbFX*!1C6+o6S+KTo<#YG+Q=ng%VJVr%;wv0V!5% zn}HoyGi+zbu5$g@eP6B+w8mEzgTM_n%&slIt){USB$-vh{pu8hY0p!c6#_i~n35f3 z{7b!@;FnM^t#+{$cl9hvCJ3m9vznsEDd1*;D&SUkCbSJ?Uv!;_bls4GNPAOYP*D1k_Uy^|)LjOfD+_ymC5^56J(LXZGc} zjjo;XAn%5f4Km-_lPHR>R*58o!sm2_Vs>eJ6cAsseIYFrLCnC>OM5;rILPMs zPzr&dl)ol_paE^=Y&%VG&+QKW_A(cuEmWoE`cHB!>u#Q%xt4CtE0IgA#$7(&oxRGg z)bAsP=YWtHMfA|Bq)C%2*GUY|itNDzSsFn~cVwMp?3^ciDr5ykHG3q(%Wu7C!`!hc zl2}o(F2|BoBsWl_6$RyY-1Nt9Pv9YYdHBq)AbDrPB>S2waV0I^aEd+4Ka4jc(C3BK z(P$$(Th9)&qGT5@3au9l^|J%#EOqHus`W8_1WD#m-u-JqHqf_~u#&i~;l5BdiNUoN z@Jn4?LK5gdWD!-P zsbVkpQ>)ohn{VSn1j&PB*D6CcF&zUc2oeYImZ4IMG@A0;VEGJ@M(DrT$Wy1IOnFD5 zGafLWOfpwf$IC6&D3xnK!}UBnO8QFjxO9`=Sf*Gc4BVPgEp{kJp^%NxAGfyFjf2Nd zg15HopuJsXm&W@N3+ldpTQq-XAVWc8DDh-5o7J0k_FcVjjojN0+!$Es>c(028fOea zuh#zBx_RKD4H_PPWHBzgF+#0d)>=At{@fpoarGM0|6-d`f^b$=(FG|^^ zVkcY41{c0hm*i-dMxb)2J7pMqjJ@08Umv~Z<$N&3>kM^^3b&Nb2{oVl4s-}5dv~Yzq>f;n; zOulIGTltodW-M5tLHrr#~gLcmYMifhU_nKz^U_bujCI^!T7@CK;g!8*^Z^YDT z$j=sCNAi|X6uiy|KRSK$?eS}oEHrNc87P~u^vsx}e98LX7Z>NK^3n7Mo-dzAHk4S) zGqRMal+F#iq6BT)4z|mKNBzMlJMR1*)pPtT=KBO z5k$S!8ds3-ckcqZ9Clf(>2?r8sDYgwz&-^f|BhG@dBu9SWm(;aP(!H7&PMGwxv?SE zWPe17?0MRVVt*Hz4+Kx0W-X1#hOB|CfY zgMQA>`$`MM!R5YMMFjis7w>T~0Oast@;%!`p^FdxRgHV8yaHZAVG+22nOZx!H!5b^=Xx;;Rq4S02QQp6Rg+M2oHVgr^qZ5huCdms9M&(AUsU zON=d79_Eu&pV4AghtFP!0lA1j6cf?+SOQ7e>oq`$*2{ofUuT5lQm$kKnwHQTgcNFH>V@q*R~d~@b+^M@ z>9#C6>OQTj&u@QnXKlS6nXZd7HBHW$B~oaIb%JB7$Ee5b%xOM>nK0C{{e{kh4AI$n zvHOIZ?mt_~wz$zWKy0c@eYz5YOz>U>#J+JMl9m2Omq~(GA?DET8N9BF-|x= z$X9pwjCsS08QJRT zQK%}+t^@bA`?Zs$iuoF3$FEG>DGgVzWnw+y>IVclZnhP7n zbTBM4S{&*oGj3whNb_+2dbBH(^dzMYx{mkIUFIb2pNZ$ra-gvnpFVhSQ@$%lGztZq zJ*rk$4>+yQ^FPZEhm+Z6l^0fOSG6c;i&w(FERpj_xXwsOvMOYTp*|rbql6``XA=_a z&-ALcOC++9vgcLxM~V;4O@XjD{nPzQuX``Bw%+@+Dw&}u3VS7%9)GE?)=A&Kb}O|T z(Pq<;McJuW*WmsyyEYyid_qt0&8VLrH!y2H`%JyTYvFwfX2(a4_orb}@YVgooE7{P zg%wWT#9w6J@;rT;*DsX|`ji4qtk3%g`;+wj?#4c@q3)75sp??}3UiQMvEdzMJ}H}+hMbaR-vCNE+q`hxNahoAV;$bXh* zp{4*I4~{k`w67>xrY>g7e!MS8i1Qs8Fg*)~5YrZ(f|s 
z4<1|`ZfuXgoq&??($jGRql!Z$k~1Z8_B>nmfiPXY7(XLj5x8wGRWKef?gZ8+UZYM! zh!R2M-V?l)BKZ`-Oux~BDe>qJ%y74Y^JUdUT4`;v@a**b%^)x;GTPy*9o3a@JhUy9 zXncx{8YzHG>!R>jIL??&*f6AeUC{~9M)&uWQpf^33*nAnz*aLeHqrqknYbL6uEyp zetkMVKl!)g@#)w9eEjSUmIJ^4{`JY5DJjxY+nr;D3jKEa8k7N7UnZ@qEg^5GqxcA$|YijA!qkLzPUvQhBJ>uou2@og8Q z_3;hs0!WTIc^9YLgIn-#HV1zjjm+y!JCw5LZZAwv>hIkbuiY?S<5X!4Q(Qs4kciwZ zmvnP$*QPr_Wq053j zq5DzWs#^*pDN@8z;{j@N5&@dNUcSMU&JNW@z;KX-J}_J{YlXrCTdk)#dd0NmSzD^N z)Q>}TmFzr}dE!H@o7++Yv6r_j&{e)vY6Y3NEiIVqFc*Pd($UY+i+drr+Usu!psQxp z)vfR~_qE|ZztU$n`$!BbuNDy_Xac?KSz_=s(3H8UzmbFj2aHr$BNzv$`cC3UD$7%q5a8mW>zV?i}& z%aV4v+9Um&GW#WO)m8^^p1-rFGwTz(SfbQw_5u|XR|?bX87qy100P=NK0gA#463So zc7EY*J$j!Yy3JI6f!J}tMZ z=(Be6RyeBCOh}@Q^g4+Y+>cv7GT$qayldxRKif^wgP>$!K@xlv)D{BOna%QL?MtXf z{+FKQ-6}2op3~QAqLb@>L{aM94lOC*@BCV6UaS;ZK1+2Ln;LTgGQsSQ`%N8ZTOKgj zR?IAV_v}4WVqP|rQ1BkBC*88bccQBN+fC8A7XM@E916W56PM}@m9fbpaq6bK4VY-d_t zP$IN%+ISPdwqzJm?Go){R$Uag8(oma){Hg#q%wU?D&}3OYpa!{UISk9N0x_obLZr? z&raD8&i)MmgEUF1V=5wTGpsz|LSB)8TLRIQn#@q!_ODN@7F`0j$7HRki!xqbBP*vl zm*Ad*x+yj}-FDQcLa;2t&}U5Db09F0{2WZl5cKGj3%q*&X19U$_#1wXLBvw|j2}({owJOq(3^;BFR(6W1RQFyXR@CD!zCAX8uOD$^Wbu7L2jHjQ7+JV4 z%=H}I7~T{o=s@a%s%Kj623>{(j8|l>Lo4qwvMjZglT52Md|yaox`x`| zFD|ia`WKZmwr~2I$GM(WhBs9l6k3@{0#;6P3Tet16C(7rX9{GNh2pjAcm{<^&#R-d zFQpGD<%iqT=UdDGE&5E10v*1Wa_q2JzF~V5xf4-@U$Ym8Z<5fyLMeMJSF~q4KITTO zZJk=1GGa^lgq!Uy!=xuguD0H4>TFQH!}{I}3(5c+Dtv-oiteK!R0uz!wfevNvVtV} z1+J=uSF;A5cpJ1PTBE00;omaD-TimWQXKjR63CHw6GH00{tdX>W9JFLP;g zaxpJ-a4Vb8&TPWM6hPE@N+QW>r)L00GUH4rc7VX?GjRkv94n z{1w&c@g->k;3BCPj^%SHin91NHn@(n zk_;djB)up)8Al5O)hN$4t0+s75xyDT#TmgR7_h^wXtMcaM1xF{_=9}U$CJ;iDCdES zh_}(hQABALP4lv%V=a@i$2&No6$9@4QPj@zENMqYGERyT6KAPG{Q>ka&WU^+Rq;J-ASMu& z3_e^8-iG$;MSqy*0s}_S$!HiCBkEBk7^a-hW_eL1BZh1gy`eoNf-N2SM8}DCW^r}5 zQ{_9h$Q?|zBPSIPCq211(n(k6HkKu2g>B8SvN*bf;tDEbjvAS>$Yx- zfZ^up5e6k5yMqPjjKEO@WebXa^+vkBcnZiZj|Pt!D;3y_HL zVFRsEyud#XNpg>WiH=lRdV5!K>pY{)ccW*!5j6v?Z7q_xz$bezUVQuQ_q)5_?MA_5 zWwiCzIqv=kg4VNdUT`;F(I^?lqZNly&SJV8o#&-9w 
z+;Y_aAe;5;q??>%F~(vHqD#WRF!9!H^;Ye)Na7JF!Ego94wuVBCizG|XEAQB5MfWm z%LTo(ANij7UR!M;sc4+hXKfr>K!3S85mvlh`2*AUQCW@hX`F_W(=bUj6gs@)n)a%X z6$aENXOv>efPT0Wc}&OMlGuPm-ZZ7x^HSdMDZMU@-Pia4qTUHJSZE}ZlybQu`a{p) zZ;vj{U!UBZT%7+-Kg6G2uSc-Golgj{*Nu)w+T}gH3dt|%{*(5hC8lHLeUb=+0e%%; z5;@CwBJ@HZa^fk{ak~?>(X=gS+~z^rG{zLSjbKzQW(jYdPB<;1{2^mL254Uj2apiw zNKcWimHMt*tzh5z#m(_SbeQoHyEKFYDwdk%RpYtFcFKg=jt}W*F2}2j{5TfKuWZO)TFc+2^eEjX#qXk*{^#J#j(?{0rPTuL z69GRhaghi}58za|b(GDg1CRx*5_o%kcGb;fpZhIZ!PxtiS z{SJ|ph=ls8?1 zWYmYI6H{*1W-gQBLplWZ(Df&7$ri4kH=slFuUdF>5E=pfBEJp43t9| z)3{%_I?7U==C|}DPKh=Lr|v&oK3J9!;%pHS>odeo=T%8F*^VdHl}W!b(Zr+T+q_tG z7+lT95%|;kG<2_jC9{hpfxFGOymrfY+#4ghtmSp+-_6`gyFAt3Xw^$iJ5C{^y0?JUxhb#<%$HhZvQi6zj z`F)ZJiHJYM>4e`z6#-T1!@FIPbnCDuSffmIh}Rp;Y`8GU%<%-T=K{dLLEV>^`kR&;laP$mpsrHQdS9=hx98gkZ2OPb1JQNs7L( zkh}sWn8Iy)-tzG1v}D>6^pQ*V*aT@}hrV)exQ~N`ZcqySj&S1)I8&7PZ96))cCNCV z(7}IP^oKFH=amzZun<*~vQLk}ZBBQw?{zKc^ODI0QK(Ox2dw(%&VxRmIZrwhY3Xz3 z;Xa=^&m<)T>JO6wuQYU4pE)OW{6#Yohy8goQHRf)XgrB;%g>vGyL{d(+V%71(SJX0 zCKBsQQ9u5JX1XITEiQ(43!-`X3>?DRxnhkX5tq#0?O~Z-m3#4J6`h;>IG|_oh75T(C2WoK3kMpC`(yf?%!lY>S$dvf{6DCY= zv%E<9>6Feg>rc})`vnnwdvkNSv)9{;#`Fx#jmdj(g0N84O@T2+BC<>@VmhKrzWEre z2k`{l6EA=oq%(T|($yeP(IP3p@`0V*d>hYZi|BZf&?u8~lQ88rrw96O+L3-XV)x|I ze`k-W(tQ%+Xr)>8=reXV&+d~E?TO@_vg!}=(Slf*kA3J;A6csc$pH^i=p=n&GJCLT zOM{r%n7R$hugGo`Z5COGgs+r*v5 z&jZ@q=uvE;jt_BRQ}dm0IvHgaFefjAXaYftIDE{SLhy*rPOh&brUs8P72}F77g41C zLpoaX{+dB0iQe2?iYZQ&;K4SJXg0l)piaX2qHWn5mgT2VNxh*YL=X)7d%L@zeL=_b z$z)My8dZ1y6a^grJZjQ^!QZ$EP(bgR?peA*W|tsjp@MZYT2r1YrHK%@m^IFlmb zZ=0;<9m(5biX3$!qCh0sv0itD!FiC-s_@E*edq}>ff(}Q3*0;&iH3Ugw#{cFzU{Pb zR?4qIy#V7@;Tem!RbJqZhhZG8m{K-t`pHHYz7Tq zZWn;qtVYX4QNR|zDlV$| z>?!G)l^y+QQr+dF)pHz9CJ{gAk+xz(G^mcKasm_IC(xI_B}LvJ%*SKKtM%kBqgMeO zX2G(;dbX9XKR-)*dn=dk$m1F$ef%1bus@PlZ@2gT%JEN*{!GK~61?e_W64lFR{0Rj z*yqpqx7l4EN(WeV4nY@yHYK!iN^F<~CrtV|FG=)(8->TSPhr0KMtdIjngE@MTDkj- zc2R^Px-mVqP9U{twdgm;65|XYKTn$x>c4p(etu8`VP^II2Fnj1&2$|eg7_3 z(Iub*>{-IV+w@Y$X5DJ^iNmX^@e2)qaS5Z?b@b-q3N{S-|xeD0_ 
zohYFrQh2C>J&B9Sf>pe%5qC;qnL$RzO+sU}xqux_vO1muO3DxmA-2o3T|ay*MJZ6E zw}6n_3pcZQKOVEPexZ8VcO^Yb%ilzG^HTZpa<6l_-+^ItNGweG@@TJf#J`JKJE42M zcd$p`o6T@YgQR+Z9=nMH*vQf4I~k<6pa($?9tCJI^S}4>PDoo z3?|&8dsMJt<2k!h@Cww7L&RcgW+GFXj#+z1a)XSnxP&e7EyRb>*L$*Sw-J69WpzaO zT@U7A_j=J49af5Fb~I!55-90DkNUSsWt-jF-{$4X7iIm6azSVTPov31t+{6^@-73+ zv@}@OG%0S)Xmgz;?70|R+5mY@iIK`l(2RNUI^QT6rlTalq4JJK9T5XD&5H$|u6t_T z%CrB<$77n}M|}p^Bchxa>I8usPzV@CIz%Kxu>H~5ZwBD;+B#}m9VqI}VO+U7JY&O_ zSqTAgVa$O96Sfh^3rWmNT;f?(_DCFc#JnqybUA@*3?wIfgo9CG8_EitM+a&qs1ejc zhRLz$VKt8-arxDc=7kt#h*n{qPBaA+#lLY_#O0k?;&D-B?emiTlCni(pJj5(9uvGP zdfDuEaja_%7^y1(hm2$$;Ul9gC^4v0LWl6wmc}gTP9ky+Ua6%C?O*G3V>2MKk4d%GKvwX(-0Z`*2i)1`VhjLJ05YkF5=%>VI z7JRhor&iJO;YSDCojY3LfW%xlo4M1$5hu5N#|Fs)j$6*RRX4#R!epXue!AkMqdTqb zN_&)$jTX^8^(u8u_o?&3yFU5-t9RGb=oZc-I62rv)o7}4VHF6#PuM#&R1JNmDJdAEW#mJK$rwlUr8u?Hm$qjHv9_EK)_ z61<#^)ZG=cB72D+HeEJ=#&oKsn3Kbs2#b3+VFG^;oeG73w~XRMrB8VLAy0v-as#2S z!5N(FT=b$#`MG2+T3_J&LG8>sqAeJ!QGx~M*O-W?!|T(Nvy+?t+40%w#nBJZ#kBw) zCi|nq%l^sbQJ=qneP)otCx!htFc^tdNmK8(lAuPQrk)8VvW#2TCxn2u731_rU>aNA zUl4o@U`2S_5#ks#0y#D&#dD_G%IP#2rG$_ZaeW2(v`d(dNCf1b&_$6Dk`3iC1Is~t z{3wa5JGQ8)HznQpwym(OZyW1A%ngY>^Tugljtjgb-fB~84gV=SfZ(aOyi@GjgZkHE*+feX3%utTLN?#uIAa}hU3oCr>uO1iF+ zx|Wu&;D^D2;s_IpFI{ge7uLb7_xUt&6U*RJ}mM8-C_G4s?#EKX49lxVStwd zXo*@UoH&v`ewygL#s>W4oXYZoNG)_^;<8kqHnK^9#52M#al$sQD3PI4FLtwiUU*j- zmmgtS1T(XEM;Rs3082o$zf9#t32KQ>jyDis0b9ageoJCawJBzjt2al{{x^HydgH~m zXjF-~rj^ie6S47m5g^9wUdiCZ3meTLY@Q6+pMhxu&= zmw69LFgj!A>TT)JZ(yOqVDYB6)t4NP>bz1wFa((JdvD;x+@N*rE!Hk`vemT^9qk1bH4Pm@cQm8~#v}E#WtV3(CSuFRY{C~tV)|~96NeIshoj2>%7Si*u^tn2BL6dy z;oIb+c%7SXlpMmZPA`6ca_-z017&m-->Uzb-U{Q+;3#)TJ56BAU@FW{8VMybNN0NCvo7MxUK1eVmHBh!94uAse zT+G;rE?Dy8;nn%cxjq!Zeh48qtI)|a7XL#c;>=yJS8M@wx4f7<1^AtSBx69}TXxSb zgP?!$&ZBIb?(7pSwhsESxk;l)^~HX1Exrb`?!;jxKjjF1@O`%CXC} zi;Y;%@ZD}l&^R2}^jkpNOZNVPUKA&=8H~5ti8kGUn@qMX1ZY#NKN5km|I!`>Z*UC1QH9uZ^ydAa&%g76TpI48l3(-W3C5O$q`@Z^Nn}ak)c9)EFSWWSjftq!x6nJZ<%V9$`rTw*&}g^WFQXG 
zQlh3x7uMK7$b$bJ&XCQYPC#kjCyPGqx`>6#7JuUaN-<0lig*yUW*j;}zu2{5WwH_h zT@fJJfQ>Aw7q$Pu!7etJ@z@ZIVCfbQzm`Pg@VdQcvpO-?U7)kYQVR?a`p2Qy zWCIGufI5JMFl(z34pu$6X+v+~ng+_$DJw83P}ta9GDzTiu25n8>MHUKO~+XZUlMJV z2^^vrmwy$|Ieq6Pip0E${jqybYVY&Ka7BNc&FN{JH#q>l=QM>(tN<8ld2Jz zgCVGqwh@j=9_o4N;-|z3pWa6PP)+e7u%JK7p!`jfQZNHs)>PcK^+Sm7{8$DuCzu-W z4eZ_#92^0_Lx&kg3}Fgo$E}SuT)iawkQR9c_N*gx z9*#g5s-Mo->4c7g{o*97C6OBmX_1vp#czmWi?fRgYCvEKrHI;S&?bh5y4@Ryh+M-lT1zT?pAyc7LYnIPHg)S4W>*OK^*IslZHfbf8Sm^+@PBx=oQNNb$3(c06!l$`?$X13TU5SJx_vlI~_eY|2$ zzVZR)*hAZKkRKOJ_}Ms+4D^X__pJBp^cEzdsz*u)DPacH%ZjW_$wqj=7OwyK&FLAh z>^!;6D`;z0bQ8BBU3A;r8`^4($j8p%;k_z(U!MOIy-!DzgntNqCe9Jg)_PCKIVaLZ zauB!3vo4-6HcC}pSW*$Q{8B{f`nm(=ybkchGogdQ(57G2PQG^xq~Pwt{uV1V!|R{c^&(9rjeE z3tc|4|KJg@GZT7+LvywrIuv5*G|u~;V4_SuQ9t&nYQ+BJbK-*QoS~X-~26n0Y(xa4TFBf^+MOOetjA4i^ikuynDk1zr8JYFe_1)qzVWLcH*mdueky{o4 zOu=P&31Xw%(Dt9aCNV9Uj8s_5vrvHAp&L6RB$C7!HKkz79BIA3hOm>&QYp+!&`brA z#tM@ZH{snAV*ot{uA^#Cb!M4S&*{jYkx0nk!+Dm!48oH3IJxV46gV%&7g8o zu2M|20)ehUAiPhWwk;vXGI`?0BYCX^6g>`waa^V}kOw9Mo0`g#%`_L-!`Dbs2Y{x` z6ZPD7TW7J1Z$Jjx@Zh`ZJE>Z4>$^nNd4OIGH*F*GQttn{*(dN=j@1f^W2GCK7jcmi z;wB%5>`>44fL5R;*P%PC`8S?LSW5a<5hCV!+xAkB1i^Z^;9l8R(If_bO@&LRJwMxU z=?qFSMryPow1UGT9eAVG>Sqc4^*jGv4S^#riu40> z0ip{CkrjGYj_C97;5%WPuA*m=?${z4f4@)zlx+_@*vtfiS z@Iloo{C5(^L$0u18PeT~U_Mf7u{yZW&tjbp(km$ns&lMK<56^cb)}t|OD@CJIw-Q5 z2YP0~pjK$4D(3?U;1t$9+^lcKy~L+%4fj{ZLE`GC~jT3P4_ggL~bPV>>6=rAjuK~!(=)z z?njs~!)?Cq<%%^jqUxyPm~~5Zm|kBZt-_hBVK*L7KbMgp0E!ZdOyz(E|89@MaFRRE zSl`|lOH;OSa{g$`$Y^&l73*az=8=w&)ytaI?08FoOld@Kp?VY zDKznOtS*?5E~XRWnpv^kv#&Xx6huxV0h=*TKyR6xizAPLs=?GFw6m(xR8bvcL2^6; zA`}Je6D*k1CGm)tB@d{IesC1?!j-Om%WjU2D|xb@eae)s!L_V;lFS9djMJDj6e71* zC`$r-bhw{wUZ<3F9F_;PH7+2gxJprdq zOJ@CeLfF%eocmHsGmSaZH}hL`SX0$`T)w;6xxBc(@w8ag9LhcczC1MqxFs6EN`!@) zLMrz1@jM`R&tY&qNI_G=}cd^d;b01A;wu68jGFMcgD<%?1lag4h9xOY?f$K`#g zlDRIA*_Dv^+hZ$w>ZV)_;5r%iak+F}jlT<_{H{#K^9f&}QkC4Hy1%ZlV0#|PZ>%!{ zzQ|D{P9}PH^QQY@AFp1YjSoR4)0 zMNH>k!y%!rSVxgKZOnlax5GuMD9s*7vOV$3OCX-b&@dNCm)B{wW1YC$jW~amva?R- 
z18PE&89xxKwJo~jj=P;}F zB86Onhf$2_=Em;_GP%Ezm&seqaae33kvW*(`#SJz$Q(G#D)L*{X4z;hlw3`+fy27E z(6O!bck4!TBFz4-(@5-!0$`8&)Vq!3D8IxCbf_n$U+y6K%*SUUNM^#OtefCg#ECeakk@qFqqIqf?;>aVOh4AYgIZt7DT4ezGJCg)MorI*o-rK;#X*HXek#YD`91=EKyx@9=AYiF%RbB8VgtC0idiT#B-9c1@bvRy-=y z-ZX_ny`h+!hkDXlhWBvVjBBZDH9rg;!+b__vagVg0gYfhPWbTE7zR(=qV622S9@DL zIEHxvO%{=p(?h6|11p|AkCRxPGm)4OY>KQAkf2w6x*RmV;^gRbH3cVqe|U6se0?1q zU7X)sU7TM3<2)T*{-by}>BGroqwYj)o=)C7Vn`yygc09j0!$wCsf{f2G_>ksb*Sd0 z#^Wr_DDFw`)ei9!96iqtZ+!Y*9sRwj1B+XZfL2q`#jKXYkpTHJYw;apCmE5>$CmkH zq&~Z)3)f=d;Mq4E9?zn#-m+~SkQfX;+&+)YjWBpHqP5^H!){?ivs#;bz{97S*pLLI zVM43CgfmQrY-PAlahi#rc7*XoyoxQm6I*w9D4kS1AywiYn0RJa4#F+$8e&Q2e$JdF zk~s%p_WV*)0aBLB>hv+P74xLD;?-t14K4MalIQ38D zVX$>UJ9`INuFTB|OaRDss+?YUP8Kj>a|$>1{YBI2JS_y1xwrGQu)KUitA-p-vEa$n zC(Yb>2%15EJQ#OG!f1E!GKNUj@zhHOf+r29u1-dlz9t{dhl#2&=|}U|(yIi8ZqJTb znV~M7uj2XHvVoN@zrXBiU1ig%OsLrv72pBIu&a@4o^jm!0Q+8SH&> zt7d*eKJ+Nqv2uru^!!!^cFh(qal%suUY*{012ZRaVG@j^MowKq=u;q;)X%ZR@$3x~ z$fud&xMyI^{bXYtcMMED>K)ZE$AyqriozY$+|{(&s9lXe=G^RN_ku4OufnnBOe zB90Wvqy1mkPFz83X5p9ny%((``i9X_RIDRf9hafem-=UgbG>X#Mhv(4_{`saA zx}2K58KT=f6IUWhz7Bj>w?TPv>mDe*moig7(FU4q6b7cfXHoKcWiy(Kt;d-?jIb#3a`7qg~3s=OKhLb4U zFtJN0$^pP|*>}q_#_LzqQx1yRIfV~=+QRJ_O8n~e;mx5mM-#`>1)*Jzn~>rNKC3xn z#3t|z(c`xAO?5pe6UgkUYgT8{EwP-p+BT26p0!DOg(Z`n&UGBsNa~gIhL`#>dHrFE zWCwkx@i+4vZwUV6+(k|;%{bk!pd_1UtoA}ZK42z(jWQd}!ZMNcl8bTf(9F_#eq`iP zv~V3C?ov7cKtmojaC+69xIfBuvyvb9df7+SLTKMzopzma93k0Yf7Hpa<)EwE;|o%U zI9u+C^wIhz=`a;5sT+{!ilksRK1t=VUww^zY^%?tv!hE#^kzuMnbD*)}{`uen{`e#ME%kr&0rHr(r#70?hZQflU zU-gfUuWkqhXvBA{M(|lKaXy#FXWl~i$>@Z@}THxic9?9tBsj~~}eSq zYs!Bw@!;(o?aXqg+4Eh;p3_LnY<;{G4Yh}wFa}Vs<;PO0rvyAkx ze~B7>gE%>pYt4t-6z4v-lQvLN%V|4C!qHinrtD8w8ahxp**L)!jgpdhD<=a~;*P*~ zRp0*1GZFD^j2P8`M3fH4Wo;oRAXhMO{aUpQ34@>^R0pX|Lw(mbxr!V(U+#=^`0PR2sr}n)4gU=z!U{$TR01+;n~GsWx&& zPY@wxK8?QYs-oI0vb*P$xN=5TwILbaR zUv*j25vHIfx5>-anf!o2clZbzMNvbBI0Lbw$X|TKnK(Y37`EKy?2II7r^wpkr2y*- zyvTs!4(}~iCj!Z!%^uE>yd!1;!hV9zBEb?h3%Bwu6avCS`Y=;Y{N_Y{YUPA6f&z_x 
z9R_wen@Ercl|-3fL&E(eG1_=pqIUn?1j9*%6pL9O`-l$B7J${>9RA(}Jm)lYb95QH zZt+YSgbUU@%(ZCNK39h;%!TRHw|qADAG)(RRe!-l61g0qP$gNZ;qDN}9Gx`R$BQ32 z?B)lrg10&b=Nr;?Rz6Q3V#^jiNE*zhY?dBDyuNq_={rf?k+HW8!@O2AD%xs`>CIkE zdC>k6DS=%yn$uW+2?|v4gnIvZaU%FX6p}@21Bt=H?x7hfh;DNV0wys;KpGhfT7Tid z)95dmBydFdt>yirW=DeBr*AYh5g1>Mp#ta>Z0ZQgcl-b3cNsC)*HhuCTjrg;6 z@L@0dOZ!zm_)FV;wcY?boETNnUidm`89039XAH!8V+LsfHvMq}~=mm&uf>x!-14K4${RTq{|-cA^EOO93_r=X!F z;uIFd9Hd3lwRc_!K6KO0Z_G+`C!pwdQRwWjG^|S_=87#A%DSC^br@r9|Vm{I_DJ&%C~C1a*ciVaz10M1Va6@$#d4;5&u@u*STFT5Qbg!lhveo-9t znG*}L$`RS>#*-Oc5W3I>(F-?LSbdNW;uBi}m|ZX&Vwb7%S*Y$~5qzdmYWiNV;oOT7 zLOa!N1<&@)?xvptOpdhkA2E|~ z{MI(u(yY|GlxIeHVpgL{e6Gk^pMc@6Ilr06>Japy z&A&$$z@Ip8+7ki%R`^(cIApK_Qsa5S4@D4v%pmzS{_xeh`Sa!Rb#(a0!;{m)SEt7j zeai5EO z_mAJ5G-is6nN<3l#zUJ+pVF{dGEcvG&P5sVL!)6tYjOa=FK35G#N59-={{F)T>MP^ zJ^VncKYl!@{~zSo<$j@YbTkl{O&j)5ty#9BI0mzr)@^r~GNoh2@U>kff3fTM+e^B7K6aS{LltiD#4 zEK+=noixjc)EJ(JIl27sT>I8zR*J;JA31KZoDZ_3axrNxvlfdNI)G1iAgx1Hwk5D6 zzH`JWo4Dq$ETp~#Hgq`!mV3sHUpu_I?75vlHJt{BsGiJvMib`{C&n|~w%7$~wlgh7 zTDuYoj&ub7(BhuS;(NZPKLz)K-&b1V(Z%`s+2Pd>V*LtDW-chCc7+TY|dHJwHhCbGN z4AW^m*>=}->?+Ric*5h}(p}0L4418ysGIr1=opfpnm5T!>d5o1WKp#uPM2?l+qvYzxQ_e;o6076C3;ja7u%8^s`BG8@cGlG)TC!WA7#nNFv^V`i3#oGrH= zqqB_q^qwoD6-B*qp7)3o4v?L*PnITzbhO~SP%V02SH8-=)*ip|D@J{tK-Z+v1(KVJ z2gcLCj_aTyHQ(6#Zu(R77YzHCrPbnl$E)i)#bt2)O5L!u*iRl?m%ZYKBc8*90H|A= zCT_r#eH02dV$&rR_gD{-Wt4{HWV6dYp%n%Zx_mV58`=(+h;v*tClsT}u`4NPRW$%~wqj=Gc z2LnRflCI_5-obRQd$)fu-T!ITI-{Vuo>}WU>PFXeMPglF>x@1)%YzSY=z|+V5dX=K z^vRFOC<{M(i&l5@BKYVHee|YC{RfAb3(42qM^VIUcBZ+B$RULGyo;q>i}Ko?&VQ2IxQnDHHi0}V1?*8qt`yadA?|*u9RE#J6IEBUXpm4UX)8gB7{BKW= ziEe?!RYy?C7#MxK8}08!yWPFr{pXP4m>&*a3s?ZSZE*UZ@<*jptp`nDNt*j&S(1l- zwzvNs%c9oRP5P7=`N@kpzvLQoLDod5kn@p7A*DWT{N{JNn@iA|F0dT_(H855{tvw|9^S0N`X+_hTB=*snucVVrTcc_A9sC=`n;QZB6ZPjVCF!eVo#FV@#(LOX zE9-CpV9PH9w+h$1{2-`%lv}e5Os_1A_KvSYODyQ>_z&++u8v3Z$WGZ@TglG!7S+6wn>%tU;jl%{`% zV5qhp+m2JUJOV0Fe_D^awDhB;!Co1ym1b6`rz_u=LlVJAAW|7>HW3v)MruGMt)#y) 
zip~DDMTqN-X8FJ5aMZ(Q8c#-Nmkg5?72eecgJ|S|rv7qrk*RUr`BNvFPwmde)Yh!e zE7lfZQ(+=%93B7Z=J@LT@U#gwAB)6Cn5%?lOW5%t;Xa*W$t1$K!!RIL)mqz6tn2ag zzdQAOx*Ax*bCtD33X+jb)Mi1lBs?w_aV19?=)rZDVxl%@t0in&As%GYSzjHntA)`8 zf8h?Jr7scOC7$hC%tZZCug}jeBcZqr;ei?BgAjJS2FyL14<;l8G?pQsEKXKZ8TpjUnKzH5|=&l)A{OQ+%z7TfF1%@OztVgt%t&}=Uw+v%(IOzja zwF?i;!6IrGNMSUcEZS~0K_(|2XG=6ToYP!X;}EMPbS#}FE91|^I_#Kl7nmX$%C~Dc zsI+sUS)YaLBx>Puv`D_tsRj~CPB_p9XyO_wZm8j;(1V6%XnI$to%C=NJ;XvYXKH(w4^x87%$-E23q|_C%Y_@`6%xi`1OtV@jS0s z+v43mt-EMd?QAZCFVr^(-bN@>CF!9>Q5$XT_MSa^wheWedIWFn?L4z{fB+2GORYlI zz8-)*GG*=7vx67gEA~c==#(%(;$WHQ!LMEZb*1d(f?Gt$Cy_q+PZ}V+#yR&WE>w0v$Ui6rKVbqv$*`qMM8FRtx z)AbliAa(8MBE|ZrvX&&TS(KufPZG&JE%|@kL+zV$6E(!ihkkcr^yf0VT1~?G^CVJq zR=LcT0RP8e5|-xh=pTeeOU;F-&VQ(?+s15 z#JjyF&>!7&qRYdp)zK>R>VrDW5v^v~hI@3vfdUtaIW^w>6B>*49m`F?SeW+p* zJG4%v6uFuS1BU?@(_g7Y(Ky0jB@I9CIMj8C6Qs|P>y6sZ4Z%50ih)SHEa7}#f+fDQ zoa1cQFg+0(%F?)@M2EBkx8k;sG_tJla{MyCCuXHKP87IWAHl9hFK8c~Re~+9s zodji6jE!CXU3R-aI=pm#{wr`!!A4wJfJn{ zV%tS~#b?Cf)R|$UMxbm-`c4if)Eola+UZx^D+m~^(<_e>&J67}2Qq>ND7YkX7DZ+% z11Y>CdJPW_);4R`l9TAd=c|h_2ESJw!tT5q<2T_T7R)WK;_`(;IG-3GRt!#pY+i9` zpJ^$joXp+at#ZYkMuF*7qe)OukQ$sTVz9E~2_mwNOt{H~LexmyWa6CDuvkwUwm7+# z^Q`uqq?kWF{56UvIBJi~P|o3ytroLofR!3H5_=8J<41XYyENU*bIjdQ!4wq&zPj9p z)#DrS+|6{Cyk)5j4CH0Chrbv>G_&~f(B=P=DdcL3Q2hUmRCZ){pidpddV{i{bQCwrVQYyC)n3Rl(K@HMC9>R5^ds3Fy} zI^6z2bC1c$cFDv*cNK-Zl4bNUBCMCZ+FIAurc^M*upqw;w30zoIy_wpu?lR?P$>1$q8=rqY6dp+w@qkP5f)sT*%B=3?A z_(^N{3T{iQd#~dS)O7g^Ig7`7FEJJW3ao`JxLf62OYXrc=^&&3QJ6vAV~bSy&1dm# z92WnQVFNtJ35@3`q_~2ODNRXi030Z3joxknFGjv>Z{@^&2zXbzJ7Og zY8Y0}MgiyC=}dz%%gHPH<+3xPvX6(AcBrVm85;;d*PJ~{KSDj1nr>2c*K!IgcLkCo0LynBnyW7>MD^}+e z$o^nlWuP*dh#T9u2G12bH4l@%CJ^(Hl<9$c zm}{4JoanZXuTLP2i;!>q0_|znT0Sw5bw!9YqEgG$a$hT0qnp#~6>3>=b?r(<^rsek z#7Q`%NI)6PD8}f(Yt}Q)!(wjb5d*gt}PstkaseGvM`D{)ie0p

Gbe##@<$NH?>NxOh zmp>)F_(Sl8|4t9*Ex))pDWbnj@+G%>eI|rAR=`b;?gpQ0ZiIHY(YZjnd(l{DMyxORmk54qApicZc7LEu*t)R zn~aLNKGMJDHQaV#|7%2EmssYdu+hmVTslwb7lKYYa97;$gUi+lbxRy^r7nomC#N11 zX)=z!@)NJVmGv7@ulyy2yog_G6KvZo_I2PcX$Ra?PjVS8yW6JkboL_F;fb{k()ALX zk6blulqxF;);4w2C{Ct%rp|=C30=S~N>)rT4{3UqnP&JWFe0YT;i?p%{?|H!Vn_`FWtBFP*E zK@5S0$455@!AFAH`bE=QWQAP6=t@TDJ(h}^p{Me6dRq^*QG-4^T?AIt8)uz#ydkb3 z5?4}ldn8Yu7Hon>-&7`-G6-ec_8-^M>%@iYGI z`L^M@cc^l}1#}J_TnH-rYrZ1E==rk#mn#Gt0b)3%?3iua2HD3(HON_-V;|$Vrm+TS zCHC?mT@|-PLq2hEh`s-eL(_~XU*_Coalh=`Ug6vZ5;-@}gBv`PU!Od=S2i~dFxX%7 z)iWCCzxU+S)0l~5OXU2aE5%XFqTTNgc6Sf<2M7Dl4xYa__~u*JZm~KHkiT@U;(@2P zIWkxqI7+GOT-~Ryn@0aB2Sx(j4j!2<`0#(Tj(?3m#KeIZlRhV$zd zy{1)sHm7jLRCWvJxvhvfRAbR0L{f1hr{m{FTgJIOFjesu!w6-`D^s zudh%0l6Q)urJg^3CLhP+B>eol-BwHd3s!!;zlX2KYrdsHt#`Sy!M8m6Z9YThh1KJ8 zi-$N}J;2`X{)_H6FJ3%*L9GxRbc;N&@c-vVtH<P~N`)#{~x_Z=^-EW2wr|KfYu zJz+D_TCLu}x8Ht?MvT?W!t!t~>6+XUi#1c7(+1M8c|8`V0~4W6-H?so5IbI0E?ew} zbfh{M&R`p)%7O1)EJi*QQVZhO?ZOKmb$NC1r$4*Mw_cb>SA3muyPd~!ta+1B)E+7$bLgy(?Yav_4o^zgXS|$!D#ANar2fkK55qM0hx*9IZOSh zCP^1z@6yt^`URr?DBzjCr1AsAYQuLdPoi{X`x%@iB?!6}C22078(;fm@+pg{!IE4Z zO;PxTNNWLCVScEV`sVt~HHvO7gUh(79%dz=H-Cr+k0i$En6O|TVD!!P@zJ}hlbb)| zk+?p2eSCFzb3#99wnn7V#5-b?85jA%${+-n(6Ar3ntdnGInDGchkNpQ{wKr%xM0hUBX~ALop29$ z=C#+?#TH2viYNM_@aTW+yIRqG$pG=+O!fblz^`ppnh_niJ4x!bm{+{l{*jQA3uv}W z6`T50@m^0LhIP;~dm9vDd__{{`XCEPYjdgB(SxFdUiW}lRE8j>$At~foC+++>nXUZ z#w)dzvVlqiao(tbXf`iqP_t2IW~5D@)hLC?#I_hpqHa#V$`*4PXd2kTjM6-a_*Es6 zfte*1mzKwQBOn+1>+@?_&qXF7VYNp@GlWSVBi!cISR!d1?5*J}GQ1r9*79N&oX}O& zqCPNKf=Ib-DO9(G=_Q@LRuGUyIt%I|sgywRGW~UANY}X|l!mh+fv#Ga z>W}pGuH_(%@!l|5r0yK1!M^RKVs0(G(-A3scWe|XHqT@*u`&l?{Cbd+u9dU>oNAk>_bnXF#^ zc3_lgc-XESO~QvKPNCcjYOz?vy`&%IvQEW{0Cym-t(A3j-fFAHZg&g<}pij`Fe-*g$G9#wT^-Vsp{@PyG5!Qc|P0F((DfBsaN3hSek3zV? 
zM;?cNi9IsYQqp0KEtN?=uf*p{L#qALRS%cS!$M0%k$%vUYlwKOECmRM>+>7ec$0oS zygENQCjh-;0m0Z2%|;LI6c#^{Y_MTwG4Gt8nG5E{q_Bv?hfmZ7k*Pu_p2pmqIfVDzM6HsLaS@o@hDe7r|vL>fv?~6)0szy6^cK1P$;D= z;*b_ujqIhuNt>^iul=ClZ_FjH!GAG>`u?k*%ra#46q%T|iaLA9U z-(e;?h}r=KFJ=%`u)*b5#JoVGzt$`pdUB5YSaqVZ*IZw8UK$u1Cv!XbP%^?oAn5Sl z*By03;)@BXeksghElS|&)CKu^t6J}530-8w$FM{zo?T@JTE0PH{NgMqI{kdhm zf1qU|vK6VIURntz_;<)8G{SA3kC1>Y=AbdK7j%wo%d6SeQsR17Aln%^a=0ZGAt1G} zbIXiw7bgQ_Iyo<$=j6&OGvL@PzBgu+{K6tiaD`qor03bhh2BaySHta;&2wuEdFl*x z38fqtQ&~3c$vidhKzK%i-=1e>Jl3~rV<{}?D{m>}=&_yE_e$80c z?<;53!;l=HEq9qgIK3@u21n1_F9#)g8AFYv%ahs{nCc9r7miLhoOptCtt_2(RjVblPV`qXL4m(0 z9v7VBbsA4n1hddT_!2I4MSM@!jX#J{+Nz=lg>GWLi09LUS4!){^G#oj=wABO(lx8* z0~X8ZiVTxMp5OB?aIqtZ`?0qF;L#+ zMT~TC{h1WPLF$vUn;+l4AxZK8NAR5f-dKSW;lb55@kCp9G%MQqW2-M~MbkRm9%(Mf zxpGqe>Z!FG{xV|!hzgAG`j>PtLLnMni(noz`O2&1D^WpY`H-DVqlaV=1s)2ZNLdzW znp9Yqq}mU6&=HcbDC{$*YG#iod|{Q;!MuqxJBQ@7-IZ-i4NY++K$3`!ua|%jx;Y5_ zJ2}5TzPgG2eDUroy7=)tx_Wndymh@Dy*<7}!Rr0LP= z$?^HkH4R}=BUk~zwtEfQz||(B`A_5&|1LyIho5#C)zWif*|VFMbHkN^_1Dvn9esk}bil?| zhZmg3AQ(Z;Tpia+EwoeRDu$T1KFgAtg-%EE`35c3plCNN@I^c?Xk-5jGlWUUfGg@p zQ1p#FCnnB+m8D89iSsMRi&}KmlJWB2)yzc*MsOvbftmCyNpJ54h}DxQWPGZb z9n--?bpK{?&;jB|vV->;)=;yag;0jZApmrIu)FgOTkScjtT zn#VejSHiT^=Cy+zC*p!Ri5JOe=j`PAnw=kn;}qm!cMt`%=3fwz!G?5&_++r5CF95k ze`>DxGdjH~{j2Bktfs@eT+1-2_1CI5NVN&A{JSCLP#NpQJBpJvaVp4nS^AL} z=Z}fXZ(JtP8lS~O6WuP4;8YV4LmLBJxB%Px44zF|v@9 za#97a4jxR)FjCT>^ae7!M<8BO;FDTCkmTNztT*zGKP1GURm&TOuNr-)B^&P?Z`eig z7)#yh&0WShhTm!yJ*7Uh3O)lhZm@l&I5dfDB{++r%S3Tnl7enCi z^pQfLLMZ^I2D%erZP=0)9G>%O03K`VS1AFgIr=9Hz6O^12I<1;<6ys!ZP2;Ym3goz zo`bsjp)|=SgX2~`e5YK17db&wXv#QKy(&{lIFzHRJ7KUjQ4EhuJ8JCsuucHVDNHf} z(imA_nnVzzp%R9^Hew-l;#`_7#bnN#A?-Mv-DKcXN zoOcG%nead@d@ozEdbsftXA^cf370H9BhZh~Le@Q_MLX>srVwo?I4xHjgq3==qR<^Z zSTzCjVy!mD6mHs@{o<&WSK*E11x+RLa~1KrKKYO1=-v6r&9#tgrPV3BDzEIZw;P?k zY8YV8-C9a9ebgR^JnPRh_mcL5z^OnC(Nfn5VN5C|Ix?=!%*8<@LS5qcz28u!WMYuq zrfOlSmnUvSK&fAQy}9Ov0_e;n%USz5wHk*6_)@>{;5Q4zJWD>#v?`u@(Xh+@a_Y@A 
ztJl6uvJYvIXU2RcE@+Ag%zeT)8I?ejdWs9KbL8RZVj0xwRO6-OQo0h?0$*hE!R~oy z035q0(i5ukcx%lOMZc8||4yayKq6lXx3?UQTyL0JD`s2V%jQ`r(OS8E#6Ao|I6_(G zL3C^-hUk_JzpPE; z+zz5EEgNN8?i%IkL|!$;SvJNJFJs8vvP@fYGFnwJ4uUVjS8Gdhk!!{i?i(Jy!yrlT zBkC{`-Z1L6H(jW|vr-L(v_#}Fww4WprlGDTw^wJJ$d7%1R|cijYT*~IO{tBpuTOW7 zDhhes%e(mA=8$L>g4}z$%f$lA|7m%o@zP{)FoK;GC$mMAZXJH=M+jy3O0wY8Z!xq{ z!Cp8A0A4Y-^hf%Xk8}dLkYpN@MW-1N!gtO(ml9s@z?HQVOBLU93MOYm^6T!`PaZo!Lj>Qewi$}?@JjP<*9!sfZMaRIn zj-rJn9HW?Dd}qvR5XDB^GHo!Qg2idnOw^8Q*cc{ybtO8C0Cuf>>AMUa^MZyDDW*{= z^2%I+8;SH=;qr90y^j35-$5Rx6*_TY9Hh~?l75$MGPDV=+{*?Bty={}t)94|vLij^ zhni%J2bJ!TR;%QvQufsIIiP|z`tm0jwUW1hsX7gNY#fSs7e0_+K~RZ@%&7c47gt_* zCRVB2r&u5?>fQ2Ow+~NG+qIR^TZeZ@P3OVJx_;A;?{v^qofR5M$@qNDSmhAK1>src zd5QUxQGFO-j^co9<6n(SF&9W*&rF3F!7el-&nol%*YB*(rO^dT@w5*0!gQbYtgIMB zLg8JWxzxuA#vkHz!k0^{nATQUOU|>Q-n`9(3R>2T>t&hO0!MnX=E*zaX6|KEYM}(FX|Ocr;7FQ*xl_ATEht19i!g+q~i=o%IPkW_KdX56j@_$eNY&vO^43MhBw& zXW=8o6(gCmC{K=APrAh%32iXj#?95msnwwl@=v*B-V0X2aIk_d^2R%U(^$+>BO(Qn zWECeGFiD4Lfj-a0hYg_E~_IuBI&(}3j)Gc#JT0ud~ zP{?Hk25UVtpBhAtJ-|CvF~K)LRK<%R^Iv0l4XReRD#^IdRY49!=Hdj>oyc~l-Uakc zM<4PaM#g<7dQMi)==`xCAxGgxJ(*0s!-9 z=5FLAWb0BY<%;7Ky;+5~kYbT89G3Sg#c5^BH6;@(v(*pP@~isds9a5Gl$gE7DI6c- z%q65^cRfoL#W#aPLDX>T30F6Ek{heNRUxP~L`{M3psLkoxB>+RM+KA+Uu0@we8qFt zS=g?j)3?kVOm|?CWBE~923b2GLx$nhpNw7DwEL1({W8EA!OMxuUdS`O2Cw(zvU?gY z=seC3Z|XWAR3G@jdM#Y5mWko!FzPi1tcGiyUmn0E9Pe+rM6@$^{5@Na1UtF4oTl0Q zqlFY9EBLGH*EAk20JR0S1ws~q#1n#tbfJ8K(CRfFt5S^of|W7~whjYC+;Qm_xkrt~|N`X>HlajYuUgSc^KWj219LlMo z)mT%{tHOQxFx9#MHL~c_k)%CyN|9Q|6J6{8PUr@1x=-CS>(YtDDZ2E`;d_Ma|m<^cdCw z=3yjxjUMebcMXVQY3fu9@eX}+9SUc8_XD1W)@#9g=Sy{SxwF^X;}yGfB*-R~78T0E zX{^37A#OO6m0z};(t@2bum(=b?8&x@nSq9hci@;epf7eW0LCzGQCx)4cmva#wiu;r z-;2Vlr^k_SG+?NNb~Ug9&fGur+>JIgnnP-i-W=W>o{ID?BmPk$09|@>Tb{-m+DE)3 zgU<)d-1?&ekpq`_4+h8RUEnZi8+6s+ff`|Kv-DM`7`i$kdX>G}oG;JMKW$o{!dMxv zR!iUIUotldYu&i)3a0X4hf*pi9fyyFY5-~o-BSvI<1uZedNf%Ya879VntnK7R66E@ z?_w@$nIRlYJGluLk5?O+T8W)>>y+dU-Qlox!aq5Z%=!Pj7MEPxUdtN+L+^kOX+B}8 
zi1EVsAC0C-$K27f5kUtT@-dtkFMuB2gRZdr8UmoP>`J{f@VvLISZG>Y!jX>DfQlJeV9*hh+L#S<-}5R zwmY%&h}0C--G#gdca<%kK~XQ(P#?(@>_PYfjkOk(SaKL+kH0K6DVQeB zXWzb)%<+Bd9bFoqSh_dfp0E-%D0VPjje(?#*wfw_?iMQ0#VrZ>dqrcv^l*YY3X{PP?MU4O5+ScB_vE$+#Bq!; z-5c)a6Z41bQDXpd`PQn}w^~6f7Z_Y7lQ9OA+{UeXennJS4m(ZKal$cyR!DX2@U%tZ z_m?`<$J3IDYc|3eHQnm`P)xQ+V&k5RBreK;XnA%sv(OH90JFsHL2XU zI?#&RshT#(;nYYlg)3Y4r^&Q0X#`;TehFK-5a1c7#hYSZRbJ71aCLa5&I>b1;-QY4 z>w${uz+{``S@$T^^rl-A`eOJXdFGv%0PCn(xuugvhJWHPZk#P(YZN*ea#} zkSrvH2aU(w#&kF5oQ+M255?+s(B)kZ^B3f6i%{oG4jO$)x@fn2+5thIe@? znW$LI5tzL+zghn>0lzNjI00Ex?D3u$h!7q*>cR?n#&W`zMzK~!r+!mPq2!rCQxHCc zXl)I@&*u2Dwgg3JDUpyZxE!eB7!Dn^<+RPVN!~>=ORN|iC*(G%b_p}ZS1^SJ8^|nt zs)NfROa6TO))U~Da&2qsc9EjAgt%d*Qx9mVsV0?@#l<-j~WhWYReKSSzs zITSUo4}V#2PgnTE-n#buWp8&ykN)0cJ@!`h*nh0Ye$eBZ7|+w={_D5>ch~Z;DM+>E zWwWSq!0UyrQD80y%y*I*wBLyQA@o3p{cs!)@D6ETAue1-{`J!VGW8WM?W0jg#El=&yc)&bM#{O+iwYtB~u7d zAb1wl)^?3sBTtqfF?&KrR5hxK8HE=K9W82Zp)X4=7!@vX62F{m}YFe~Wx z3NFCrk&LhlyIISV2>HYt5-3`1OMzFY2*wcY9)I-3FWv)(UfAmHW$U%Z{x51wq9^8! zEx1?b=;}0b`GS@=wE}8-U9L>Xv(u)dJS7sI(9eE##YCXWC#U)cThZe)JHBIi1#BG+ zTcrCIsCgYmYTml{xQ|sVoqGTv`)GnI!Wr()flX`WH33w3J zS;_FqFgQ`zI0h4?OdZpz`>B_fk;0uItpn#8unhbwbTEp|^_Tv@k=obCr-y$&e%(KO zcOxKgz0R{uUvF#0Es$nG8B+-$g0mOB3{}bjG(n**Y421cab0jTZw<%aB%|$~Ti(&d z`Rfzdn-5QeC0Zf5Riw?FJ@i$Q4o*tZSSQi;g}vf|_(|y{YT2Wv6NsSb;z;B}cvwhl zaHEq&eQTE4Oe=Aipl`g`@%1%rtABOu7zzQrFhLxnrf+qT(82YhW7v+o@kjb-kOrr? 
zW&;BF9?=t(n(j>J^dvxf{*lQ|K#RmVg#FMx`IENGG_XEmpC0Trqgu&|+A9*skSpE| z$?IRIPNGSmr|SL7d_4ZiBu#M-&7DEHT+mIOMmHMoOfRFeCEzG7-n^*|o8{eXmJ#61 z(Z}&J=a=UJKLZA41k)o_TBh(1FQ3*+eAx;>ADz5*brj9j&%Cw8TehkD@Q2%l8Ircj z3c;T?EDf*!Gq2T>b+%%NKxulG4vW0Z$5lP_AeEF+ORhSt*4FvW z=~*W__wGDI)P6{cK|bI&AXf)3~s3}c?8p~L#*wd-Mow3_o6QG6pFUh zYE9qw%6eKQ6(Ljj4gUe;{bc37EBY>TK`M0mZ5H9JWJRmB0wNYf#bKLy7J1t{PSCl~x6C6e z^sQ%KSlz68TDxgS$p=#_Id3tsywVKA`=;-AH0HNe;^Z;2Y!pR_Sr;-c;#*K~Z(!Cu zB9gH~4Ls_k!hKo7U;&-M#FN15AE;+lCM;oL5CD(7u0=djEef~;cF;>$Gj5!;vw4(> zob76Kv{#jux*43%rni+6vp^TyMSsS=)G&M2IOPhP)B?+;4R8_aPl z-tbl!DvDMXs|oq;X7Ln=s{kq2t=wPU@y*?u!YE6rjyZRP-Ub)`XXS0Q=1r~0jaxG= zW>Rzs;pTda56gRlA3{@ej)xbeD_uK@1~5+{0D!wXWgYv8$e_WKTn{5l%fQ>l$t1y? z>^5NTf*jOyA?(KG#np{E4T(y*rczi=Scd3!V@5YpENc*wqpn=DQV_&fQ!> zOn|2xC#!cPiHY-FSSbd#OEG21*@WBOa2{ebgT8b*!*w1{x_3F$lG9kyW}5rGUD*u@ zaD_wuN4>=S6>?f4gu!P~#Q1^JmylR@^VNY!yb9AGU`J^$Jq)4qAe%Q?*!_?qeMn-C zMa==l7P;}YcFxqG>s-pTu2b}EZ~wau?(kmTjgAQ93?bGc>urq1lztufHY2wQG@Tlx z$UJgd&DF>*t7%NUgdqMM4ta2wl1r{G zTxk&z&8dqd*=Pslr|TtEl4U~#7XryfF)KmxOdV0eEc8j}Si&s1(;fj5^1Azp0*7IE zy$7|yyl1YwK4o+s^L^&@+U!&{Z~$@6C2P@VLsB-Iv*a7+R~w`_tS{bsLQ9oHmUd|v z=EUmvHK4ApaxAA%7^(hCug2K96ltrKUcz;+4>nGdtkqF=g|!fqj&dI#BQpvz5k_!b znXqQg((j9dk;K-1oJo~KQNYTzq7|^Kf`(YCnRQz|ZfPLz9OEi|M_J=2xM~n@8Dv?P zq=h?V6s~zV;LuXhok|SnbVehwj|NgJLehRnSVh54_9&T6at!{JWLjIERV{I_y$qlx z)`Xs%^TM?WLn>Wb#xdsyiRb|;>p_E&(c-vMWQjqtnHTKc|~$NpTx}~RFdDx zWlW8b6snLydOiR-xTKbSVrfPC3Mx}z!sv#i7E0mT&a-r)!Gvf-$Ld`1KwjVHLfF}b zlS#kEdQ20vNz17f^x*w5i=tqE6Zod~YUQ#w8u|ZgTXsozeAJD3zC7VW9Yoyrl`GKi z00*)5^w~TNq&Hi8g*6V%M8Hg|b z_3;(Rsj6$EGv;9P8Q%_%>ZJ?YW@&W=rB%gFL#4yQW0l`0Stvnfzf6R5ff(;Z|G?C1 zy1;iljH?I|aeR80g?Km;mVvxjifpgG)YyR~PsY*)P)z()z3>>&qLcXXbwCXH#vry9 zjZ_!gC6bNA)^Y(2n`+c{TbzQ&6S(Y!fq$NytDLR|9lAKS)WE+eaHv{#K&GMo5kAN? 
zEW9g&RN1bV7B1vRHGD~Bki!+O$2yrSdR%uh=CTem*I4Ke&EN3=-3r`}w}p5L%V%G( z^YM15YV>4jiQkK?{#)qoF*MI>72q{+z#NG17(d1*A|0fWm421G%$}tatCESN1G>4m z-g!;j0?uC@#W-w6GhYO>NhyfF`|xe=czPLU9{ZbTBlu zK9aff+rwhP#kDSQ_v7xa3X(`Rz1)2FOQzHi2rcYw=v-zd)mKG6&Ym(#M-c z5=a5^05=^NJDe`&>dn#q^KYL6z2(Ojg3^hGZJ?R zq4Hssn9E_bOCRmOc%g-N+e$Xt-tJ1o0N7+N5j)$lqdf8Kc;kGyF+;W3}|OoEe9fK*a3$=sezTy& zjg`V1T1XayK#1-6jD+jc=Byf(mwsf3K)eS}KX=l>r> zBN`i9Pa&2XuA>jQ1SpPkp3X;@f@xgba~3v-T3(qY!5}VsLpt{HLPau|r(9M{)MhS$ z%_Y->=<(Y`yB``WGO)A<#kxqJRE%K}1^p%EWaSr(bkS0w)%KQ{M03jr?hK zt%fALQlhyk@8x~ZH2e$Nf?Mdcx9*aU9q<{@_wxY^Q$ketSaa7#>IjbWhMyy*5hh$B zF(&LF0z6XH!mau^sNz4JaUi4VrVo8`8_uwVWT){^Z*v`(>}L_nYFHIpLYow@`IWhZ zpb69}Y30hyi^hy(K7~jjmA+Lv*sz4)&Z{?o9^9<1RR5u>1=barLIYq5)v8PN!@wu2iPrD{TjF5A zw07pN6I%+=(e`hsP^a?3A!04{yqjXha4KD&zMeH^{c$yupVZ{A<`#j(?$T+D$3&N1 z&wm{P=b-q>VkA3cz?sVHmqN|A`7JRd0*WKRuI?-iIYOhQaQ4XXnl5C;seDv@o*A+0 zm^s8PtzsKu$cfSzdW&4(x@N2iy}moLA9tVX+H{Hc3lXvro$1RWcuF3Wv38M8C0uej zC2-XCc#368y)^$BiH~ikFb#)jxTj*G`i3!(7n+4n8s;+zf^lm6`OI>0dz`EtQJ5Dl zt(@mu_>wf98eAz>tOqZbq6QCA>N3>d#AWR8cGp>6iYo_a)0-_kt6tlaZNdrMw(?b* zs+Fh-MB@K(8oB>T!u46e0jhr(j7W}ic(&giq?Iuc;jO(1i{I1}k_;B^i>j7dFRVaL z_wK(K;~IYg&uCB?AQJmWE(^U9<;K|5y-TZ?^q9WU94C%OYW*Pg;kcfDyu{zHnGR|k^`0KGaO3Ugd)C38V<`` zSr_e{h_Hn_zyUJbR=`L487md=P_TEYU!c8z7#O%AeSGw6>X|LZZ51JEw~75(;Ebef zm_K#ryn(Jfk0U>X&&+YF^rjw-qRYBZ3MA0g%0E&n$kTkxs4&1B|8e=2&xVs)dI5kB zLZ9uw&F*@GLdJ>lX7e?ck(oj!$*95cF4O#u!i?`4EJ+(ylXEgL2rvXff zfH@RkoH;r;;LviubQv%JR@JN3970Pj3Bh*} z1~G6c@2hyl`~0M>)@z^t3*5>9q=q-q7WxR0lEbk_o*hs$4k_%4RZCy_6Kx6m|L73H zlq&uqEtuV9yQ)}yw<}Cpm#$csI4kzTq8liYZIk$xWx}PDBHO)&E>jYkmbp(wBfQ5X z9XNzx)?PgPCG;GY|E+EpxYu>9x~|o>3Vqag7|){p-tPCmaqZnE$$r0II)+P*gArYrZwr3XiY z?+y-z^wSFc*}9Hp)Gy^ej{A28g9Yb*&-cL)tc#E4sWXG(L*voLO>O;EO5j`I9j`ht` zV>v+9M-v6BE3&JhrHu^Q^3GVaBSBX9)xhL}*o>0Bd8@kX_zgQ1 zN_nJufjTP(K2WgYHIxziey~8v!DWy*33@X>SeOz#6aTMTisYq=!>fVeM1J9?>Eywb z7?`=bO`6>^R8}deWj*S@r(=1yJowGge*>gN@MGcBIUf)BGCgyS=N>9g?T$OkyW%e> z9JEx0wG>pYxS48(MkSQ*Wm(-7^I(HTqHma9)iA=)lCZdZYyY&uoO<;|F{CPQUrSOm 
zv*a`QiSfcYqBN{oOu}bhV)gryv5BwNEp2q--kP9lpa^lAeP~2-yvtHo_dnB^K67%^ z*g~F2Y7S~NLg)+{WPz4CpjOK(%-^XwJ2|&+w1tp4+UKU0eW(_kC*p9788V3QgI7UDK#mR9z7)5sh6*X18yQ+oA<-fn{dFGt!Qr+m1SlN4@ zHy*>b)KzQMy394#ygpMt`w#5y!uEpF^`J@0oQA{`k63@P;v!Hr8piUA{YRjUd^RbL zTcE$j?1VnQG^nFebX3wEa-VKb2Fw*?e190E={Rw$D4IGMF(Bt>zb5l!_=ObW*oaAY z)9W>oOzjAnA(2_elzx(t9Kad%r_K*^bgR?wi9j^ArXai#MTiUySQ9-xt`c23g%1C6$ z-At&PVsMMx`G-QJFu#Pf z==3{MLPm1R1pq0EqW6p`KI{=v?e6}`-p-j3rx-U}@3RttyX(vDU?;R_zA|+Zn0=$o zj{QMh2v98t4(=yboH+U2;K8>} zu&2!en&ffq||#;kILXwk0rSPSf%fnNQHTIO$&<> z7!E);vNSm%V3wd}6g7Z%Mx^L+3GdMKyWE4~dm{lYkdSp@c&S?M)1q;w>N> zok%NNA%=-yfaC5)_mpKO`s<4*SdtGqVa|xUtp%nH{st}69X?`8%{#Jhp5jajkvh@< zvyzHQ3H|{u!xwX@Tg}UV0(K^d9{IRnc>Crp+=ZYeC9tdF@Hs(~8Ho;@5M z`uV%xS<@Qr77#%^riTK7)IQHukWjs?%kY$ahM+VEz;IUd;oKpX03Ec@_q_z3?I zBcgSM*_~=Cx`9_3Cj31}uDUxOR8X_CQf${yarhrYb^WiwPyIJSDgOB{MJWAzh*D`L zU=jCWl=gax^!;hny5%rp!Lzy>aQt})t#<7!!DL-J ztd#@+>0VG)Lu5s9+Fn{#!U>hNZZfYUu3HyU_oJhLm_-oIWz2sW9w#C4lgq#k%kI(P z*}38?9`7+j9kPS~BqeJ_1P?JZ-iaYXS5L<~TCasbi>$T){rz0H0vn zPFavH_PvcJD#_TvFHVHpWzuDq3NZw1VhM~dE$X7y+PoS$g|0epuIDY#&3?(~e~koC zKwPl~fj_GS0w^|G_}KOR`gDJ96W3%TPOD1bO8u~U90~dgA^E|u?83nEu$r>e1OOr zH)``&*q9zWA(i1uw-jXW4a#uy5nMdIXwTbr@}h$(vez$`%n(sf}#AzWAL$es%sm{bGk-qB}jmc zxYjN#%=udFgtcvAnVcKP%+52`%O_6Jg87uK`a1>Bo1`tl1kV>fD26wfLI|Jjdc*6 zssI~|Z~?&%p3Y}ig%uM^1$%sh2F1AYk@=az%1SOAbGUe7ea=M`AdhO%SXiJ&LS*E* z2u!$-*t$OxX{c6-PY}<9MFaR)Oq2AP$oh)=$aSOulOk3}<5J5;mR|`#`G+W-)os7H zB$D(Bs3SKVL=h9qeWB8D89~WWAI&4=QlbZm;U|g}E>r&@+^=XDAVxR)=73O3h1kRM zB%8su*s9y9s-z%z^NR)pgaajSb301uAk^y~?9?j;N`#%$`o`|T(Mi_MUBihCmZ4A# zP%(5deHC{PwHKUT`m*J#63pj=_^j;ks<H!)ekwmd*R0YcqclWISSRNCz`+kR z?d3TS8s;veiQ;mUbhZ47f~}z^-Vj5QI*$wKl+F$vGV7~%Ljn=%L-u!RLH(M z*>ZPr-;|6U2pD5YnTF2j!|FJN54j1w6FDq6nAv+TUO+^TpHiiUv9NyG?^p?fO6F}9# z1w8w=FWPDbMxc4`JWpf?U^?k|huNO55WnPjM)!!Xwej)esrS`H&~kmD6I}G-V(|4P zc(`l{i0qsq7<&nUe8NN3#&=2=4?55ud;P^`uY-(dUwr1$-OE%`JL!+as%3Nd#z-{_ zfj1qebY~SLOl)!C8I<<6AnE{h<&d0=9zuarq;;mOY~Y>^!qu`Xr8I7XsZQ$7&h+}} zo(ua?S!B`a_5SdOKRn4!iW~2c#PBFRAzn>wefadM3}ZF9 
zw2(;SZ(phAjN7z;9U)f%g#q+>u7j~ec?xcCch;N~oSjH9Xo@D5_ia#!EWj%Hb$JR_ z$&)HP(NrFh?^D6S4>C7e(i$3YuTD{w%fe=$+E%{4di)u+L+U&=7EzQ{Zcy%}Bda59 z{)pVER~YB^&Orz6J6#mzIGHTTLR_{F$)<-_;Pb&*F~b#}_)eL=X8#1;%@nbPaa? zqFT(GMpLaptsxF?$V{hb& zY_QnxjJbSZnJWZqNIU8x9_*c*oHH_V?_6(y^OxKEhV?4m9uUt9?(vIxtNxKw{rb3R zH3&MTpWc#f(i`HQuI_6zE>MShGFdqMUpgs6gWOVPLSJrJKBIvd4G$9Zti&9dD2S}_ zN%R6chsknchXy8B?hz$4jMHM^72Z773r>IcW`Fnm4_`m{?)>-X*xmiZm-~nNXM5+r z-#*yi-G(biqhm*Tg?sy=P|~BZ1Gl=Ce8oe-e%CbfY^gb?WKhACM$ar%XQ5!k{uLdd zLy*Wpg4JTi=mdq-rw-qfVVZDUYOP2g7itUYr=do}6^-Wa$Oj5}E128myN-=_hq?Qa0V=XIeTixMQ=)ao<-&YYnfUN;)yS`?*Qd_ zjR7y7g>5>;*CQDBV3A3E?iy80NrKdX#)Oulmx;Tr7UPS%%!w-l=F*yjFDW>NrsFu> zS{tTWJ4=h5WAtyTwljWrF0baf+vOI-RAtfO+u1ugJAZR{cJk)*Y;V_xZX0)9ZUiAb zNcHhytuWgr#>S2;;zWtyEsrLC(3{CzPF;h}Hstr()x8;l7$@1zp?dPoRO*^WGvD1i zK6`ckfA>yMO7h_4`RV@mhkLtR5M@81$f7PwS{5!|jd)01|3y;#u`_MV@086p7lp@< z+#f5Jzp{8-+-n=nrU|@V_e~t-2yv);G)OPDW*vu*NZ=IP8@cp)k@a!OP|S6|(XkCu zp5IgfT?D{r$np9vjt?9;D*131?k4;^^7h;M!pF)~W6#<3DBnxAy0liUX5qe)@Q?G? z`=_tB&vv97EjAQg>{8TtT{bdD@w-`6GwCy3A}ivd2~Bi^;3kP!sJDHt{Hm)1%S|)N zXEQ0Qr-BZ|Ww)>uFLm(*Alt$1fwo^^R!E*C$U*w4KA=zg;t_hA$x4fF&pv!(^Ul+9 zq)JQ@igx28f-ti|Y@&!1u}^e?as9sZz0_Os&FpDZ z98a5NhtppGs8zm%?1!q65Q&oAXgbHTzCLuXtsreDj^AJQwU1qG-X_bv9{{T6cy=WRV3 zqp0eYJGEarh(p6^^Gv@dyGi2=mJ6GMwL%60hBm#P<$@6ufq4{_d5OD@3fHVzjQU(* z9**X4s{ugQ1P?!Yy_nS4Pw3BXDHb4< zn3CwY!8*m<(*%EO86qiWOB2^8Ez{t-8($gINA_ubG}+d>e71%1coTcGnVgR=+@fS( zb)quazgxnIW8lBAh3S3*EPY*w_e_2htO*d`Jq%y-FV(o`g&(P1o8MO1hICP1+Eg~x zrT31hU9)0B3bItS?2RUbwRN3c7PkT0?z)&bsWkfFMm~Hy%!k>kJZV-pHOI_@P`GZS zjRnK3gn<9_6cC5MR*S zbtUK-S!vdAeBJg8gy2`uX9&{3Z#6)fj3qfk5(mP1>mGSP=2uiKQ5q!(C5td}a)F)~ zAMHe40b3HSXYN-`ORc^ru1bLl zpOs+ANU;^PWw`H0QM6nEcha2btv9+Ja_R?Wy&Y!TesYEq z>?Zjzu4u2T!lN}nNcjS-EpQLM8{ZS#apa&rRk@MsqvE3qmB6%!nPDB>)5@s9Fp*6_ z8XIco!l`3%WW8#N?r7+;b${p25@N6L9^rIjQRZ~NivQ+<+8^s0OqCakv))t?D_KA> ziD%`}ue-yNg=DSoIV(fGV@v?TaFM=3bLcrZ^ztpWT*dY;Uf>bSBl#D>e;_o 
zy8cYLMkjvmhZ~4JVXybiD*LHzC(o*%v!5u);7`aI^cJX4Ocel*c-1^5+1c5F_y!Oq;0mq8|m+rG$k8d8}?S_5n=d>@9oyG{$@ffl=mQzdi=)qUtepo$9ru${&gL`)I z(}aV_Pxx=);NQZ*zlDSUUkV4Vk;I#g?w)y44&)WCUYPinun$LAdZwenGZh0`;$#9S zsBI6Fo;`5S#y%B9td|QNM)9I{R-<92WtksFe#9j0iVb8FBVZjph7tT5X{ zGp}xL+%Zg@u{ys}bGJ)*wX7INOy$;2%>FLU^X04#`2G55%LC-`Iti@JHHiSvr5g`3 zIJ&Ok9t28va1BTLeJz&9M1}qrihIO~l7w`3dx}sO@04DvK^g>+-Y*X>ve{+QpzGtq z@?iEU(je_}ACw2Pe_9$0LeYoB!bKTjnRpm4s|br`c>D3y{?4mx`{hd*q|aXMWrutF z-@kfsbdsI!9k|~RjI@35{n5$(*{j!I&JY(cgTX^;Z%i_~H^BqwBDpTzy3a<}cYO~G zAhsSwK8VnVeWpE}HjFeI2oB~*|DgA9^YcOwpoW2d;y;2niGI^oegN@591L4w2=>2# z9~HGK2XUOeoy z&U{6dv^|$$09kaQi%0)t7g6kDwCsKs-#*Zv?wiGETn!ic=netxeL%Tv)RUfC?bqdF z>-}t9o2}DyzfObq$emrq&y*QpQ=bR|MZj{6ihprX%KQl6=Xoe-n4~DAFJgpvEd~5K zim~FjeS_QL!pEF;U;Nf4X0-n#KwZ$6P_ocid3AkJ`}5}b9q<+CFxG*c3RinznT?#s zf@r+IL+HX+XFJE%tl*E}<@hx?MNuV30?dOv7Dsiv=Fi+eY;8OXKX@ie+-JfKg5$dB zNsKq8X!jSaanpDQ@g&BhQl%n-FN`?32I4AQpiINCMJ>V+#42THB#V;y( zayx8!g-$%(3=A?=P(=0<0SDYeAV$6)zwP@9Bsn!qR|YJPi@%ST9HawEq%O$MB|eQu`f?)>N&&ehXQyX-sqT!$yK5?2-S zn)u0`gQL^E)3fvA?UTL3Gqx$jg;24y_RIZ~?o$~B1e+^@WDTZmL^Mk4+yraGj{)X%Djv}JbgUW363-ePIE8V<#rtQiq$fhyEjn|J z1~T$leWCcIM(I2spFrx@ZA|O@+ZQBuJ8t^cyyezJkj_gAs$kF0|UP0PM{T!X%+X*#21hibpE* zxWeQ?LqD@;^<+$WFU%0bKq{NZT$jA5jYq?;!RLy6<|ur&8TH{9!e}x}dq_wLhfV`n zIJ`!ah@rCW9GpZlwM;X_Q2QVRwga`}Q}Ouqr;mL7=8HXeSn{<@rj*W+iTe0i zx%_?K6K#h8Vh1M;KhI<8p|M(|;g1C{Q*CJEILB{JzTb;SXdgGgdi%EGg>(Hlgm`9h z^hHY3^z|m@fywzp9C;-CzTP`~b+j9u#8}!F@y5HyZwj}eWCJ_~UgSkcB-zJ4_Y{Hh?ke8|O-b z%a}Nu|3ZTelp}YPU~XMQMx7-G9oUrPNz0-r_q7U?X# zU9E@DS*1}vn|{uckQR5gPn?`Mo8|siF2XrBv1D8VH`uWew7RJ+2V6T}SQYk}o){vL z_#(GSlX9k)w9Eo|3V2y2a?zPcQb0_zqa`v7MMqe9mlcbwwwS^{@Th-YuL}IVf83QH zRUc_g0J7yYNlVYZl zp(?RFmzRYB=f_c3%8V750G!KM5QnwEgn=_tHaAT;L-M{i4r-L(RWbW*?Bjaa7hws7 z8toVe*SO5z)iY%rk)&WnGff552`HC}Y9!elY$ZL`a%pAF16DK0AMDGmO9`V>&#pH(e`;@A+gjpX9BL+6sfrG-3{u zMg5K$@;cSfIBWR{=HnRx5gT&`R2-t$yp5R__k0pp_l3vuuotZXoR$gXluC_(1fvU0 z7D4qM4G@(zII4ux1EMJDCq1CCUim`v{%#Q_3dm12Uf_GCG|DD8ZA1?z%wO*G+?lD< 
zdl=NVA!px?RNi<}Zo&n)zC=%6SE?JD?mc!)=nkyU6c|;67L-2GVynvu?$ih$q{kk} z2=wk6mq1z`%x9BlZ%z(+XN9|XJY)rVk?>}+R(Uzwa6~SDY&5^W*VBTVn;M zC8%-kGj8$PYqbM->?(!H(lct#^@Pjtep}!zxPAw~X?On)5+LFgg&buRpjFdAh^YT4 zQTQ+-I^}?F0l=!JjYVb!`CaH;(ZyWtWPI?UjhZ? zr6bl)G*)5g(8I6<+dDgs%bskX9i3!b*~#AT_fAgt22!PCVPz!sNo-}kom?a6p(6N$ zeNk8y6BSIB)OYChUKhE4-Ai?bzbSbbNDJ`So5zaf5(R^uOoRw%W5ur(cw95NU8g0x zV%M5#LLz|4Ed2hwQ5drOMy1wB!`(r{O(9$2334B`&}bBuPW{aaTS&UK`JuBk$Wkw+xK_< z%>J6(A)C5kAcBjiSc8$KW5S4+CkL4m2AjQ!m}CnZACT0b8Z{@E)h5xfB>i>T_? zDFZuI#NDu6+L5~%0FiiO`jiqT>@L@;h8fT-646t+f9um++Ng=q@G(1U^lpEvoWP&Ta@7nXo3gwGHv<|3*=Ib;cV z_yQ*=7k*W}*6xk4BFG1ehaXX7Voba%O?guSHB>?MB|y?H74+@*#aGJ>rFP`a!@cj1 z&i1#@_I|0W$3vCfa|h{)ieYZ*E}&641s<#kttN~*InEu8jG!!+nv3pdSyb=JSzR%= z2sI3NyZ>J^{3NbF(;0ld{j9G3h6({(*GL2O<#dAkn?*B&2mEz8n$?XP zbVmfh1%PzJ?zkh+?DG}Jzo|BBOEw^TWCaj7Y~i7j!HZ71)Galv1DPqxvg_J$lXov9cBlr;Cz32 zx_!JaoH;FU6~-)V+R)vjC`h+nZVfO9CsT#AHjFeD4@~Yy`sP+9@V{Gexws(ux09yV z+mkHD1om!QsfQa`sB)PI?{!@ZrbT$X*ZkN z7q9My4}GY>8#8Z{0&m^*N(^6Nz1)Tl{>dtES*QRfQdCj}4j=fZE5Z4pexwlGzl*?0 zAOB-Ze{s3~rxk(w>>6+q+r_s3E&=yHq68e7j}?LYudV@y%RtJ&ferq5DFnyR>n~pm z&VA6aZ$+!31+pkz8I6JCV&D5{P4^KD}j;HXV&0JZ&O+4zwoO zvqP2h#VxP=KLF*+TaodvDMD2ExxRL81D#$%a;YJ71QtM6L)y-}T39P!vu^`2?IO|%OSAE+t`fpUQQ zSKiM<3YG{BhGimXvAi5;4lbFs(u>_DA)2qY(ESKE)aem!3T5ipmidjQ=hr0=zH=#- zMcbX)IJBc-w)Y+`W0)f6O%W905aN*H3Wu?|%c}+&{1MdC{Lb6NqgY!1RvM4%`|e9{ zjM`w_7KVr&_i}z!2ntJVFOdy>B5Kq~Y;(tWpE;$yI1k3cg7Iepr|}ckK!S<#_XBM7 zv%{=+;FFo7#9vDv>S)5|o)-DeEfBJa69u^+#eSOFj+Y8aa`kFpvp{Z=fITZj6;01l z*Qz3!Vi&$Dm0ePD1U1pit^s*j6cHmAuy5HKMumB9 zS;b*m*E9Tu!BNO>gze7>24>xhru;;5K=riF3e9_>n^k+~==*-%g4d?g^`gl_Ez+rE zhE4M+0+T``VkFkXFBUzJ^;knCEY#<1zvHH*6)BGTKf?jyTr6>FKtW6h7j)0mL#& zzgBypEI70Gsb!yO2FH?v1gv7nah_BTRz{#Y|NzBNKhC@13xq)~mW(knMiTXY&>B*pt|0IDHvp zM0|>*Af;DxxwtYkSz@o8V6B&|u}#Y#ehYi7t74G1gPg(v3U|zE_^xPhD*vLF>7~0J zz@G-J>RLz)9fn^pmg41nhRuV%*U$b8a>|hofA4+=+i){S4o4|oQcfMQQ!y^ zl4tMVzwf=NO7|VnnLI3@j}SPqSb(L#eHtfR1uwW(73s0`KnNHkGHMhG%CE%%;f$Z` 
zN+G=L#V0D)iHWyO$DJCFcqi)Bk($-Twm3gE$u>R|!;}y7z+tg4$lbK?QA7lSz3b`( z8ukF>w#)2HqQ}go^D&V$SerA{BdOq8o_Ju+C=%AYBW&SnxAn7fYQA-=N41kuYZPA-=CiD86x zf@v+6JqMz~LlyWNMNlbuD8+3Q3B{O#4_65dy+K_Pzpb3(brIkpWZR?h@j%GqMfl?I z4A-{Q=It-`;Who(qQ9bG!6Eys%4Yz{r}nfMzinE;2qwg_l*yG#&5Kj1W3HBfM+-~{ z9TwxL6Ad%k{rTR&%FcMOlsL~M^Ss4se_VJAul0Aj1`saFR(?sjc;4kFJZdVGk zBha^#!tq2YYP)pcWoM5UDtKwpECO5N?8qJ`_~e+`A&OX~EfD#$ z+OFJpTP>xrtUsCtZtD;Bt4km8cwPpcM&%O%|C!UZ>i+69-ByKC(W`JjUDZg08y7hd zry1Yy*%NB(D=HVVO4}A;^?`mYEG$%W^Vb@!B04|amxQcL=>fpZyK;>B#~(T?_>dch z6Ie0lN~*w$)<rqUwjd1uyW^0%YbANhc;`_I58xUn2gt#j-cDnMlj6h*>GHV zULaUciF_wziv^TD=3w0}6|Y~1)Qv~YQe&(;2l%x6gZp|m8l4^NCg9`A_IpD-H%mfL zqq`u6P4YIC?r0;v=PAaqh_M`Im3VOt5tDDzQ@e?GfZ2jjZx=vbO26a69SG>Qma;nH zB@X{6x*x7)SvSBn&Rg+LfKu$;H7!COWb ziwYNi*J+5a>RafTeE}-NJj-gXU}c?4t*@pBHv*Vy!{@1r=M!2kr?eBguTFigh1^LI zkiU)KF5)L%9f37kQn;E32rjd9fM`;J7?Gs@sJ4o=4#~djeuLLN*di1TQYj+8!Pd1_ z=)^LZI6l^qu)XPbF8zBJI%=&NOjW#Z1>%Gn`MiPfx1xpbsgqw6?QKy+23EkMGl0QY zkPl15bS4unATQ;PBHJV(gE7gw`zJtD0&qZLVOaT9jAP&)N3nh#fTx9%kv)81OBl|N z3ODCB`TO%$)4piJZ8|nwT-`TQV;dq7MLZ#uzo+vVV~@=SE>=gg^5JXSYZXo5+ zLlQ`28@G=pW?)3QIsP&jGgU+Qo0B0#bkiy?mUgn-tYe-CA2ki{pcB_j|UT z9qhm6Z`rG(AG6nQ0E4!>yN|hTAJ~jpHYEFT{{TTXh_2s8%XB$jW=Ajnk2~zALw()7 zcWUpvJUYpa+_2zrccVZ2{uEvOxOZ^i-rn2eh^5ub?ccdyMCpL$-<50UO|9Fh{cy9NipWv*?u)RgVzc)kgme?%NP@ z!h|cjlf+YhDR?LK4TVd$P<{7Amr}f&Xb;GqI(*h*;howB#Y!fmX|ha}G{Z!vt88gU zm-vsQ#U=UeTsB$WORpfm{qE}dCX0(@DE{cVjQ$)f;k>NQrN`*1P%gGa zh9eh=ZBBaW8r~O>NGmn^L@RIUKapDn_*-uO4NTb3!U9JX%LGlchB8JEj3;L+xZ)Td zvydPI1GKn7jyGI8ovsyjP&`Yvuw&nH0am=0zR z-|iYQs9*M75Lr%NAJd`Z-D+oD$_Nd8_EgcdHadE&eIBNR?-$V8m^42?WX z&W%jd0_&C?j`VD+Ej4(Z`yX2EPQ@`+3o}!ARDCfxuXsz7BbH9aRX#GCi;Wk%c2kcF zLm2b+GhLs4v^Vf~)NV1{btKxUDvKd)XvIS?2ju8%|9FSdI;B|tbfJ%rPWS)Np^v7x zLNAS8nBVX044U>1PU_ZOC!NZA*=zt<)p7Wc{Cz-pa5}EP)fM(JO~fUNA29Q6qj+r)w){MBz<2M z6FWSn>#K7!&|m8}D>-}15BQD5b42GFeg-c(Dc4aucS3p_o&q*CxC=4=y&v#C9m!C~ z#S&_mJ=$wvfIjg-!8V$=0!k7UrMfOvqEx=DP5U}hCbdISMaHLK1xa)p?Hw0|RdYae zHahij4c9!qy)cWIO)Z%PfTX&#ZFsuA~cZLpvF7$|{pYm##7L3EWC(n#dC$ 
zHz{T%cgZluTmZukPTpjGz8F>^PSrxZy_=Bz)->gWD$YT<~!7Ht$0OQm(B4ttY7W}(-$J}1zsn00!gwIoW z<)&mN*T7r~Gh!>$)R<_v;Vxsi6c9AU;cebCap_KHE~|F$gl10PoQ)?EGB2`MITJxz zIO@EK7B3yUuT_BvDplY8L$Ue-7lFg?cZQGx(ju-I_o-}vyUr&7=yEgVz`BDc4--7BlYSYEnzhX*il8qtsr$(6^VTq#1gSzeM-1eEt1i__?6SI zB<>giPiTc#Y5%QT$))XVscJ18kn4b>43^`C+KWLY6A|UeJ<18ZY@0ja2D(sYVJjCIrF!T@YHtjNm#5RV92TN?D0+)Hlf{ zhVgsg6uZ8^fCT?XoN-e9!^6sowQkr63KGl72Q}|#b_P(DmcU>sjr=_;iNwJ-Rm$y$ z%9uWPh9F&UEWw#@=a0&=W3sFg;W*`sKc4NK8ts;KKR!E#Kuv#)93$BgBDXw#gp(0n z1?uv^q#i$d@F08mz-i9pX3gf(Vfaq{=OdpOUlffOT#Xuoo8xUcc8nt$B%@H&mSqst zzXY#v{mFWFkNw9F`+t0j*vI0sqq$^WnhQyuf7C$1o$X3wj!=ZfNSzOJ$3t2;gFAZH z(gFueaCq7HOo0I`u$@95Kp+SGTagj3Hg#nX*yyGRfsLcWRGkanCCYA7RH};N+c~V% z#O?G^I{k3w5JI6DOd4pOQM*{3Up4?%Es+9@vTadLLsWD(!e15}aoVR;Ba|%-WngjC z%Q{A3j3A)a{SvMVKuKFq)jbw+E=3ttN#_=FT#vb$p}v%`6S{ySA{UojMQxc-o6TGC zNrdXbt>WvT7g3Ssz@KueZW{(*%p#0P3Tp!ff=oie&A3Jy@MifbRzoL?9m!z2nyVg( znCKXTb2BhM0X6C*BEwrkKrTMSe+uz)EK@LLUzS;KCOwW=kTk&KCP%g&f-$_Q21pj* zXmD-At_-&``xL8`B!QPzP?|-;cB(@uNZkgY7nUz1voWBoRooZEGI zwr=AJF0V*^+IaoKk~g#-oQ8CSWyrdf9UnT5?yi$8+acyaX1H<9+_6Hfua|~fXW4E| z>Y19!TO3s4?%;67Gwhqr-;ofV{^k;qli>kH&3GRj5NY411x>JOvqulsNagZ&-o{X| z>jw}0x&)s;jUjrBT{pG_Wu%?j(UoH`_G?yT5ldLIWZ&3#A1(Q=m{$Ig4>N8q9`-%k zCOq=d*WWA>b$&lp=Ok;z`_y2=4k06G2ygXOLl7mG*2zJ8jmtn(*3`@>IXz_+kfRxx z$YYP)9PDo$sTToJE%;V}q%b*Az8%g_b61T9Wqtpl$v^MZFi2%~CE31G^Au;grJuAs)pTCsUeGL>guKf6qtmnNeBm@7XCCYyK-9r|T{oNz?zt3N=-tQiE zuK92Z=2bqz22YAHOlxk)o#eDoWfQrf7Fz-jr9dEL1{o%m9Nh}!R}%DXhFK|X3NE3y z8nf@2{StK(W#oSIm5ln)r;gfxby;0d+pl5v`9oEws5n&1HWcQdz4g#=4P=G=>?np5Mdf!)_Z@uk^~$^T`#ZV1oa5I+7< z1&L%7!YonbPjLD7}#ITKK(=>IA0304k z;L;d9W5w)xyR7wc;}!({m&i45B{DFdh3nAQ$FZEW*}NiqfWVg*HxL=?F>td{I!63M zD&Q)MUVjBaj(uTRT+}Ihbp*nSM`&HgbL=KLXsAV63HFduo6na_N6&o`P>lA94#-iWJ7455*wbVq5?fp71#n4qef^d(0)`6mosoNhovA} zZR?slT-~kmY-wBrosx3mI$VZseX94q#xu6+TJV@|+!hGD2UG2}$F?@hVN%h@QfYYl z+UqRl0fEaE9s`5>A>)&ELnPcK5RW+m^H`0G8@wWv5$DnK>8dwst>WlLqWk9@-9W$H zqr2mQ7J`4=Y5l_b^xT4tD%*3Hh150XeW&p1s?QJt7dBEeWe6J}j| 
zDTKb_1Kaq8c3C5g1iK7WAJo0~!A=m_y@||JT;=CvgEV8I`IIIox1>ptZP)zaH$S|< zqGP>WzfEB-HH8o=8xs>qoxCS)y@KB-^II4PO#ZpB%*P_`E;6-a08Yc_wkI;w&e7}F z%TWKTTC8O~sXOf*OHlxrjMmbAV{82+KEz}_Ii=dXst9}8aAmN^L1c^$a z%i~h&5270^n!6Sa|J1o#xR9ksd(S|%)L0zyjvOcP@bKPHp{Y+IEcy&Gi&s?qqX_+@ zgg=lo*M$W5+^B2~nZrZN-#~idf+1?z5+#b@@z5(evcNMDQ*Y?5q1l(akyU3Bsdl8^ z6j(%-WaNc-nV|`}R77goc?k-OqghF6ay@&@j*?IURv-H*4-KmwReEJ-E?JErgtt?Vo^fFje!2T+(R zrm7bS?)4Bpz#l!aO38XMeytx>Ha<&zXqtNK)9(Bwf^K4>hm3}92m?9GtG7Xx4O<}* zZit);2iA^f=fn1CXfE$VF7;R=7i7<36cG?VZc8y8fsZhZFV8AqlZebslYxy=@|eaJ zdLa`M91Ve0vyr)DS?hhAhJE{}AgncfREk|OrC_Q-r3^NlS6Uu$?BUkp&)SXFONvQ; z1|7^RCk5w|gbrl)u~xF2dwFsiqvf_jmTeyL;F)uWk7==wq+tL_+>Z9qUWj*;+$)>} zQ79&+MFKA-ibd{n0Up<)&@?zZ$0|@PIma@jU6X`tla~x50(XPFM51+Px{TaW(MRBr#JI#CcQV$1I{|XYr_&;zEszA}`L4#Qn0`;B#&-l$_UkG* zdv@Y&HTs^Rv6g+U8iL+kf*vmdmM;V4Mc=+CE*2%r41dM0Uv#62^3e~PMntO-TSVzl z?yP|dTKZ~a{Jv~;!=*S~791<^iP2-eWC&`eFqbXcHj={-vb=GK?!TtG#acT?wXN&% z_#x8A{pvn**P#1n*}F|+@0zsq9saqe+ee?#?W0fc_VH(Q`*>-$ku36ob&Ia2IHKen zR_b$*_xU9eu6^*fBRS&4530khj%6u$>Mw2R>)_v~SL~p~LY=kNHvj+pW z?wfkOA|*A-D1sOcseKFoicdqOJK=Q<|C5rH$!)nLD#P!Fi9$E^I|O$XsDl@zDw;+% z@Ttv!_md}#e}#w)QCLbmVhWT|Dz1UysRPJZcLhe)E=*WgS}inD6K@o6vY0n?Gq9ZO zL?Vb+n}I+J>*X~38_PS(uV!NO2x5+GwXus4wGZ7fdNnL#9K)9kJUR0~m>$RapZm9etilnC2e7&YQ4osoBcHD3Vs}G=tUj$#3I)ec-C#64ORMV)a zMnc6Xwu_AySSGAcor1ks4)elRGKKlxDD8!~Jv(u3j!O?C`n>NncFF6%`*B?0A6V`5 zG+-q%UEYB>PPLM!7&zTx z6DWPnVkH2tE4lUQPqY?`VJ7Ix7c4{RI-HM)6D4tZITN5!52CK5iu~N{I_MAGc{^Wi zDUEaU5>(!c0T+G28Ssf%`-^d5x*KgYw+pQNod^hHfg6=6s{s`2n(uIi9hkx{|g-7_wjfJ=|swP_xY>Z>~4~v>Els_4(641~QI}rM;b#es=IuLXpq5Uv%5>g94xaCxuw< z{Yk5O{iy}++Q7HS1c_(l7q9nIZ)ffV=o_CvnT%d}-NxFcQxl!0u4c>Lh3gJAO*Ve| z**!^S#Df_|sJWa34Fyfr^A^f1c*ReTAN3zT`sQbtU9N;a)&@EovBCCEj}0u_ewS<@ zn6B!p^PBRfIKLhT@LYGsP@&c)v5^no4)dW+V_*+9WqR_BT+2<*E1)kMPzf><<9Xns zM)?$J^YAy1zujCIF`sSqPOlNLC~&&JATeY+S~^2g89qn`viSl%+q;hfv>a4i&gAr1 z_sU-15Lc;FuV>UjW$ihS#!bW~z1};?Z@2Phz)WJBGY)K3%h_^2Y@rzcRMRK z!JSmJBei$b8PF_h||_@3$6M}NCu>60l?Iq4WCxz??UDFYmOc!WlICs 
zTG$ac5>mvgXNGzkj(RhRr`q4uC@lA&jsnCqx!)I;)_R$& z`YR?ij}ss*700+#0AqYd+)i1x9iU_E^8*hbY0X0p72CVDDFhm@s?^dNMR{nXyKN6* zu^K5R;byF%(&K!p?QYySd;xA%5n9Dd4zHc_wKPP%Q__ybaYCe|Kx*Rfg+WqEx+*-_ zaTHj2L!?WoXpUTLhJ@C^(PLLuG-DxL$de!V2gLZ(6W^blnHWkTAi29mwZlO6s$r?> zgkJ5hu2_|Yq|NfT|1|qkwK@zZ6ccAOXO2pV(vEMg{S`m`9l!Mb!W**{OSAbU!m9YH zC93P7H5cHZ9HHEWqXyuYY9SNLuHl&$9Zo?Knc}Bk zQ*BpAE(^Y7^jz2*x@gYdD`G28to)WBxrVbx!MlP`q1>1=X^X3X%DTTR+v#B*#u63b zK3Z1-W2DVAEE8j*%R|ExH6z0!2q)!bA&`-tf;H~*on7>uN}SQqHDKu0#3G3SKrkR! zLdih8#2|YU3z+P3{^xmbM@pwQ_1s;^ z+5WKstn=}r~UUnYsz1hz;UT^PMkA3_y`086MKK}I0R}p1x zvXe>PJ0Q?Y7>8)v(y>DA6;>$q`DCi^6Hs1nrVlmv&$!MNwk$TRiuSUcU>~N`9UIDUg!3J!j2J$n z^^~{QB6)mz7miqL2A@tTPnA*@8-6OKJim5~p}9stjMG1CGyRVuDv)_i?4d;ec-Y+_ zR#j3mR(Y;xe`h<#@yN&xslet^4Fyc;VnT#XVO~dvheTh6Rbw&?8Eex9)|s}rQ740+ox8DM8gs(0L_4Ywc*$U*4by*A(e!?4opRZPgk8IZg}SZWu-D_@ zlq6KWmO<}##!;qN&X8z_z9FjG-P4XPYy{)hf)Zt=UnSnL0bn4pIK~lHD|$ee@{UCd z_j;q&_gE(zTtX7p*Dw5CMM@15LE=>{k zt%FK8l4%EmB5Uhzby%J78x7{%mxB(mW|x|PpprqrJE$#TDSXUbcPPQ55XyN{q*()4 zeTfmnEVRhNLb62L;(gnQayTHg!8zZK3e1QG6;cLl{@Eu?rX<>juXQC~Xcj(^ZGbY; zlhtenipbPNA-)i+;?zveFXlH>@T<2tw~!u+EKdpuoz-UK%Pz_aVbo#u1V1yPfHKN3 zh2^FxzWK`3^=t#W{8!(&JNr~w#aEj&g~tY9cVgL7WY&n};J%1p@xz=zHNsg~C2|Uq zl1~q_BePUmk&Bz@oPo%EE?igWq|s9(_93$voRv4lhh&}>OkH5JCD6T?){L^~weucf zy#tEXMw~4{5v85zrNk72?8r>NO*^|}6HC=owM^7n3!hvYZ>?Qyt^M)I+N&pPub-@) zW@~?8uUEbAU!VQLea=v8Cd$WJoXog&w9@Kip#M^hWWfCH;VCLCzMVS`zho6ofi{F% zHO#|UB8W=-J^PjDj^5MDIT5}Wmj3zh>E%qC<^F}|!4(kBH4sn@FW4L03aYn$QPgU9V$FWPN!<0t^$hmK(3=q?9#Z9AW7DIG(ULA?#W0^#q<+z%gm zb6%l5u^P=bh+S@BaHQ4wBzi7rl5<2_wdzgcJ4N@M_$!V^CR4G8IVGp_B2^e22MhAa zL)1T=g6rDS$`u|WElo=9d2$NT!bBi*EHSrv&z)XB7ObPj>r3G$31}=}b0Fj(1Cwa2 z(`;lpL+Ku6&FI?c;!h~)yr8o#eL<*Ms^!qUoHq?%o_|ZK-z~4)QSYmimrrh_q(Ee+ zlgY~4hi3<`DYYFIS2axp{Y0y}hTXin(xCsD|2>-abXG70Q%zZaJjqsZS+D-^L$)f1 zMS0MDM+BhY?46#;k@<-TOizBE-LTpmBifxzT)R8^`@OTRq|RXGz7_lioMw8%gWR_TL6wpS5)J0@nhiHJqV4XTkt zC%XV&_tPxNDMhvMt+qB=O@GAaFt#7FTAQNSm(gersu4maSjDXTF+n$1-jj%iWXT5=7n|BJh9kp%lXIZN$T 
ziqzXx3o&;#yh{dVm3`%oKpJOd7tU~UVap~;U5glF8J|@I2Wc-MVJW_81LeA@> zUAGG(%?Kt!+2+4~8IL;4C$&{=nFL}edwv~BXQ#(Uho^fT-u9{y(a!0f?YyB#x8&|) zKF@VMO_p_8Q=`goVRpWE?Y08Nxs>{{4^Bh(KADT}>Za|z-haI(_Az|*ZfXcdm@lgS zWIIQ14$t;ZPSci+nGr1c+ji%FY2`38*-5b5!nu5YZwKkhslF|<*z?R~bUm-$7LonQ z@{*%vTJi-9%$C<=kuLdecFuou-8=0J(H#HFhMEo`ZX33&`P@M~ZC=@)GZg>w5-x;h z;d7_GH`4}H4wGErPG1*I@6fwNKz#!g6>$85rXaB|XBYMOP8QXU@_qE&k9fXriwdPM zbpW)%Z&DmVWavh^wcndym%ThY-uk|tUbBV~YMWg(8crjaE_ruEZm1pvm@z2(ulEnX z?@W5y_Ku4MxFTfrCfF#@Q}JY`K|%5Co~LrRZC{DsDEqC_aPL5?Iq; zLQ&CR&7X*2=UyYxX`?UOaFs7^ob4Q+zurGR_4@AVwRKxMx|xlx@BF*FdoQ=&9GsmW zZ=dWPnud&FoE{85@a?9VJb3~;JF7alp-f)D=sqq+Wn-qaj)~ABXX!LDtA2tC6Ga@L zYl`BRN*qbyx=M?ER(FexP)#H#(vVM(`FO|9igDC~8A&ZzNwvHrPQs?d(j*(J4I)^I z)qb{$-d0t8S%sGYKhn#9KZr}t&4IsCR2q;>B(w+SkX5buE2{=k%e)c>0eJhn!V?8!qh+FGm}>G>9kV4cGTfNzb8~6+U-^pML%Z{};~aQ#UEh zq%-R5{nrn^OGfN&^y9tPo+mn<6jykCvG@J{Auoo#!(Gk5#_g@9(e6x(v}<5O2A_!M zX+LhC96I6XNp>JvP@##U0R?Whe+=)kNks z+u>xf5Jk)6FvK!MyI+pIKFfEs-kqC6(?+op!v))&2P*Kfxz(LmF&!s?G@xr6uRf&( zKavZnr5wrJX6P*9CS}3eVK(sw$145$k(V&b?KK}k?)=K!Z{u?_(w$MQvY#19WsiJ`zMgsWBC<<5e)^Ah{NbR%boh2+ z&yhG)Ctq6ZJ_}J@7S`3VD12r~ zmdzmA^-)QaLTA(U*ME$VKDo_7{~WMU zzZu~+G}R3<#K`0%e-|iJ>Wv1T`s%74iB`7jW{Ri=N3r-sWcbQ05I?dvX^3Ij1_>b~ zez@fTno3ZSfrZqWGp%ytVp5Vvd!$p&&RxFDqW3r25u&ZkoT9McV&bW6f4hsRbws0` zK%E{pmPZf1+VmBK+^txTgxHs@uS#^*BTK8^Z3e?3`}J;oiT8`m6nMV4kQ#VQ_pEnu zMtjtk+OTT>_eU=Y=xUo{a!Db}UN7cCpzEa7Dn><@DyzO{Mt(XjXQY+>9(3l z02zOS*skTto{fs7v~5;NwZSfMS7~v8;Dx8xeML1*1*^#Qqc*KnzS220^BXSe>HOx# zj<1Y!*%k+mo`&5ruJR@y1i_EuZ5a^&*#=w-o9U%{pm}l{B@_BH6}f5e-DIh` ztvtd&3KXK`Nw(&t0Wkf}kxWU-&M9gae1x8aW!T5)rEGlXMw%D%w##G8WF93@CNqH& zBI$QrL(?o3eI=mV!9?&eI;UP~G#Ia`%-YJHNwi<4WB)Zroa$YNahad$8bFdsW%64M2mFGxj2fq)p$f*@D_p#EVY7_We;tnz?CJA^2N9h_I z4(`vH_vpi36W7@DYt4U2GOM+|z4U=n%+s1Sd!MF-K|~D2gYl zSo~g{;%L4RrTXSl0%Jt*V&zhs7K$3;FnrxbGg|&WRA~%vN)0L=AuJn?^XkFT&i27- zY)8>Sz-*ZAf_P|Zw^nxoauK9T%~9Pdr9wm45XtgE^cEK-y&fH-uEx0|#--b>Y)?wh z0LZf`=HohE!iFVfO1Y0Dy_G%bK?}o`KvAib!2<&m6uensEOr}8!haBt^{e{9%_rFt 
zUP_fa=TB5ybbo4QqjMw@x<8KHZO%VRAAAIAkuBn5{58mCC4|W~P;|gK)%d}VXae7x z8p4vX3EoY79K_fZHDwI{z2>HD!P10S2t(Y&-+I5|fp&teVBiGu{?(&LUkMa-H-uKl zx`0<8@!Nx!b)BuQEwX^Wx(@%o>ggz48Fn@U(6MF~$V3yJRe+-v_Y{@7-S7uUwXO(i z<7k*HC@ipGV)GxLgOII#)6TNB=Xthv+HAR>p1*P|;wcbPW;Y1)%+`LISMK5U*4k6| z(oGxpr~pjt5ncQ=FXjE8*4oL>ZtB_x=x=Ln_HNa^=KDWwp15v1-CdMOSNI3ITV4C> z2@7q{{{H-W6@Nv-!C?E!?E`;V@;z4Ob}iBc!Iz`H@Wr?hqW5$3DucA4bw0-ploF{w z`nZJ{q$o{%)AAEXhrHOa@r^`d=?Y8Khpvv%f`YLDSjKTFi*O#*Q_3y|1P{^4AEGJY zJ){~8SU6EgJd(gPFDY*tpwlp##hK)k-8-0EEz|!AXlK~>3%eG#rvlqf%Jj0h`VllX z&1WYO{!h{@X1RqU2$r73CrOyk=STo3 zUIWCIAX}M~)v60;xidE#0ddAW!0oz^6%6S9qht38|usln_8J}Srd%Z)7V;;iEma-_x1jsiA zW#x?-Hd|zmEnU)3qQ-mk*2%8cWg1eoN#L%(`Ra!k0Rb|~B$byW2M#`6sV#VADzN0$ zZ@?%eZx&;mCOEVVlfcunv_V~*d#j=ufPLRxEY+w`VNkocoXo|B$8Rdu7TRn1DYd?< z5Q^MZ5613mJ86N-3TtJ_Hdc&SZTa0 z);s`6dy#}PNH~a;O2_1Aq2NcNF)O{IniXy9e-=K;a}yiQb!vc+$|n|mUv-O)@uarn zvQA1Z3NL)E`xxq#1$E+CRCKB;db_pJVH{7{_@F#kxXuQ1O`cC8jjDGXNZC=08WZEfN8 zCxRdbgXZYd2Xwa68PEZ5FO|AIBvCQ$GN5I$!G*Y?ag2C3BI0fhaljd{VT*UWEjczXMEpKu2R{vh>3sZ!JlAqWZ)=ItLo z#W!(`KSk3C%@&n0(Z-G^#13R-@vt^J0t6sMG9)TU^+0%SyoAso*x(xk`7G zcyJ}A_GHMYph=1UV_~7o0=29xq>#%Pg5D%vQB~h0;-F4}QXI*yNZr&juISa>6}X@F zD*=jCwa?zQkH@{*(b20rIMwC&=(uF*L^m+ltC&u#cA(TCk7z7xpx_U~uOdTMbS20f z@vMEa#aajzvqb#Z(`k!jK^ve2+ELiK2fRA)-(NLTBU8LX=T>XfLNR;+bsr8=R*C!G zB2=uyr%O6qk#f-SNSAi#i!m=1;15r{fU0wnk5m#39`0L`v{1a3MygAt7il@0y;_6_P zo21{jSP0#L>)!UKERQXS>Hz9lv$P6RNtR7s3ZPxNn?kh#S;gPl%bkE2_qGmHip(+m z)z(OJlpMQgF1;67w`DUrS5_M}aayYJo1~PImu5|A`LWc=0Id|d9cl@P`6WIjmJ63{ zSGGKHLSH|VV4OaDT7t`JA~i4-!{rvcY+$CJH}V9y0y&LNchY!24U=797F27=+rT_udueCI$2vYC^?AvTdQBu>7%4II~N>aGP7SfMCj5V#yMlWLo87 zrWHnlW^_rzs<8GZ3G{oq-Se|cut1&G88nKg+ry-huEjacN%87L=tw?1M<2;)(R;eA zg1tPtYcGA_J^j*bF5PSH{@~5YeloDxJbnG9m&9cmPL7<#eqeTH+R`JrnRM#SpR=2! 
zcP1-Cib&Fl7lOg!Jj#?gxdoQU6FWQqOIq@r#NKm~vga^x$5H;ZAiB)g5BKDTjICWqWOJ=hYG4d-UL|RJ^e_aJ|!57)P+iXg7WJgt>Q5x6k6tQ(c`% z21r=SX_HL-RnrLvjesALcCXTQPIydMjU3gDCgoqxuhTPl-TBz^R!^_P&0==hpf+k= znw649r7;n-Z#6uEZX*H1hh@q;F8ic-sW&3m0r-B$tsfpFZhe1_*Pd_tShN~0ep^QS zmEL%}1N@&{AM+|3Y}rfO*+69~i&h9jhy&a-zf+E1UOP{Uo`hyMPtdz7ax=ljMqx^?((MW7UGZM%=(5vdU<5A)<~Ep8jKkcRsfQ4 z@D$wh`Jdbx*+6M%;lmUDtQK3X>FH+AUoEdM{C*^F7cd})UtjW9ai{nnXHP5nBq9d1 ze+D9x3Q;4>y>wwOJ_ps70k?n~dwO=WTPY*>R4xQC^|G{oA;picCX=Qyo{dT(mjs_)=rWa|6DRljJqf zD^yq3*niV~r^SrKi2#0iU_qDcU%ZYIyY1C=l-}l85Uxg(C5W9`)z;Q+`L-N#jsn3m ztY=qSB%YV~f65=WN0W{y94*^6OQ)HuUzu|!D4<&zlC^Bb2zB5qsKBq`&O_l*-SHZf z0XNy46(zFMYb=_1cYTF#6o&e<_=5tRoD}iX43g1x7QGEiasEyn92oI6XCQ@?&U`s_ zs9=DHMD;e*VQej%)af*Lf6)T10-)>!>pOLWOW4W^3sqCjE?e>JDgRV??%xtW%Cvm zvep+{p^FM$Y%4h_AN4t_PB22X>+F!eS%4Ht(&vOB3MF(Xcluz5cJ0@Fh0yiPa3$}= z4q`PR&1J;E2x1g+?zjf14uQ(}xmN2&!aIf%KL{wFv&OnOduXz!^UO8R!{=~Mg9*e{ zD0QiHS#RBP6`>v|FHK@JKTO&Bhy{&B z*F3VEuw^inlD9n&zb3LbuZxa`MAUL2Df9j1-v!-Ls< z{q-M`F|Lz205w3$zpJ^plycr|yP%Y3Rz7uf&Eke1>d$YA_Q)R0z!;9Wt{mtyF;d&1 z#c!iF87Pa5WgGKq0?A0uUnQv%;*^%QH_+pLjKX91>bT~&B+JO(&&E1j%Zs8VmUx{p zbYyY7$`!JuJR!X*h38`)f3D{QTh=lg$OQ@HyC6`?;q(HfMIo3#o~AoMF0ssd|;A2cf^lD>Z=;fHBRudu;lN2P(n9s!Hwd90nC0RI3bJT5|)Q0tVpC< z2u#R6FDBu$0}?1f0`)nBbPgU5AI1cO1*6QB$C1slr??>dq`_S5;mTI!Grlkwf&wn? zG^~w&*>e>Z?-{~ZpD=*nqoGqtQ&%qTR0ObC3b%rFqj9Sr8XZ-VbeWzV+6cs>U(OQm zWSW6@Xm!#S>Cf~M4UQ5pKB_KnPEWuJWjl;*IbDNL;nIyESkNa1)B_@~maQN=bgj+0${=W5CW}e*WY0d{ zJ(R+wF2g{1syZMX#E|DRMoHY(7W7_>J?5z_C2l}1pk71)+t~&OAubgWa2P)dEy*d2 z<3VAO6v9+A=9)&*+W4ynn~y-brQeM^&$b+2k-Z;IHW>OVSU@y_X2ucDPr0gh&EwW#Yq8M^@SXsMCai5}9T*UZ~ z4M<7!QQ#;)T8%R$@ht{IMR%)(B5$8c+H#0;qQ_kw4=q+8>VS_xo&fopiQA+>T%ZM7 zvu^B-Tkm(&S0i(i!JPr4qL6Bx-EdfUnYzwi)wgg^L+A+s+*aVzWY-B}vo6gF5(2B! 
zy!#;gUmDJKITc`Bfn&%ea*;Pe9SkU9u^=!-pB%Q5sJD0!vr2I(W5Vo#63b6A`|(d7rN-bEnACKxy{?(}Nn|Eju5})z^>)NaZck}GPP&?OG@5ih5~l4q)c7K1 z+dop-_oV`7EM&gk$cv^C4eihdYzBAUOkFaNZfitik+0dSwNuR;`bpeB9c648b2oH7 zQ8|EbiD?QGw3v;TMp3)4ed>^ zUa&IDiI`cWKE`ATvZ{2a>~EG`)d&;Ov>r;ZTAG)V!VRtR?$pru)=5_3DYS$!!9y%n zkv4@wO5h|4&T6tHexg~&+~~Ebuqa74VokmZndSyTM!a@~6zNMKZ)ADW^0exTfbpb} za>kCe%&pkDNnr<$wap|LxKV6Fa#M+$GiOBh61M^e$KhCl?x8NqtUi{;K! zvq;0(=8+q|yI+C}?k2wiY&vAi)$M}=V8XOb^c@|S8Q~2@W!UlH$qj~#1lbJNRsZ2? zgfrmyf9;eg)Fzg=;U^H{26k-w9I)J3or@$xhCkcdE}MUY<0@E$EwH#FlK=yyH- z*187cTQ6o?V2FyvMQNbtwR>x0Gc$0A@MS_H(&(-B6#GJKhC?=5aY><6%Xmf$_C`6v zvf0=eqUpHSSY@n<|5g*s$^;}Ale}Bac)D4a9d}vqOQ$P+zkRm%Wmg(yS=@|c>gyVaa)E}(T0P}=5D|4ybnQI^V9}d0d+2{ z{K`i)>XE<6fw?3bh|6PgDN)X>1IIAkI~xzZ|554(u7}`+QM(HrlMw#G^d)9Zu`6Yv z3fJMp7l3w6`4lU98KP_9+?Y7c{bn;gMg@UKD1{{fbiM3;?H}>CuiRBr~1}ACR56Vq6U*0^@M)ZN90qY971T9@S9?q zHJv`ig%qiVxhb}^ol0B)*L_^Wcrv)nk3f&l43R*+;f(FTmN$--01Oo8iid%0C zcJ0=pC>A=@3OPW!mP751mTf}jK}#?tITQ^YJ)9L_r@R9T+(>W}cFqnku2(Ui@V#`E)cM{MOqGLAXXpj z$v;EMUzm#3l#4HYDnaXA8%R3)Oo9$(i6taW!ohA+@b;0}Zkhy`uBR-cB0^tu#bCz! 
z$M3#zJ-GV;8MRLQKN7w!BydeCEEUGUT^w(D5uw#r){6`wHvDinXaWBm|Du=x@dY=8 zneLKVlJlxCQN}83^u0gbZ~~;Gw)SRzD|F5PMUKRKDYkbG%;Re0l*Q3GlZS|kd6Y3e z2Q0x5(08dg+U5!>BuyXFS?vhtMj^bs?c7n81Od8Ll&+Y-N*cl-v~+g}(D+3TPa0?; zGbG6TKX_nH&N>H%`eSe}!zNTpI)F!gs)~6FrP5*?bQ*G0Kpq2f*5jjaEF|_n%I+;& z6@(<+{GISRjX8rG0F}@gxX%R^U@#PrBIm~1r`hahbLuR@`Ho(`lye9(3Et-kl@I{s zb$ZY6Ens57r0ynFUR}3x$KzejfFbh>G*6jjTrd%UJN>q*Z&Alw5yz{s*$u;5sv}#> z_A7uqxr_9|(JXJSp@i>hui}VxONMlI&LF5exCgLMPTgRAdU|VpS86Jdnfi%1l5#hZ zMI4%w4iguBiko&(m<2^^X7j_+H6?eMGY1e7-@+lPY5lJ)<*afm=4}o6=&g@Hm_)V* z;SdyH#8D!?h7X)OUHGj@erI@Ef$kh3ExT}L?SkaQinMn`B36yFL7s=@0h1>a%8fsX z?A+LFf~>6eQo^9HM*}xjJ|0{I?gu0D1Q6d5$b4p)r=6#&xkoM~UqZsGi)OGUqf=&( z0PfeG?+ay{7c9zzz zn%sFn6_v9YG|xV=s1Mw`xI%d{lv#wpGL5T@0JXhw+R`>l=nFpOM-K4CjOB#5@h17h zXD1FCnuw+XT&r{%&tg#~b7Poa`20$<(J3)+pYH7M3;5HcufJA>cts+`c&TYLwm$-8 z^{$@0^9(L(f9FkhxN#ee#b}c=PIL*kbs!gBwMgb~`ihPic((`(wGZWqbTT(Y(jMvI zTHJ|FO%HE~8Ex4jN_JA{P_YCT38_OYN=&iVzxRi;y_3W3gY5LpF?rhY$~ch zH+dt-wIMFn3Gj7P!z5b0WRTq`W)vD(KJH4@Sbt~TIt0WI9cb_fFQ;Y$5p6l zRUX;jd3|h+6mAao0R^{g$cS)n_{fmL$Mi3qidv5rj|SY4Cwo7h?0;F0#C$e6mr~b7 zv}I@45m1L|LIN7#F)}H7R^q@Is8|^v7Ktm!e2rK{cLp&(A0u*0Vm}ct8Xo&V3;2>F z8CC&Hm}XT$e1XVE#aph@PVrjC(HFV+#^5|`9Y=~XFDy%2?#}`VFY)7GLDW)%lg!VOf;iIE3CG!H1<55#hUtoA23mST;>&YwY7kKV&~ilGn4x4-S9EdOTYN&VcBwCyNxK@GGcd zK3BK|1M_o@*TWHG7NIZxyDnc@_gH5Nwj5O!ZWU=IV2tY*O@~--EDc^qWkF0sguNLE zp3ED~^#g(xoVJX<+dRo0KX}-8|9OP}JjQ>1Lxd_vo{t}VtIA?kd#Gz`&2Vv*f$iYX zKjgX^h6Pso8Z4}>pa^nlwSYpzJVHejOsKQgXulry8!x*KM5=E!7VIS+Mh`TH4iu=M zDsK5bja$RvZMsZJW5rP5trRppo_B#n-Av0tYm%Q=!nO%OCxZnEf-(Mwtm(9NvMAl- zF)NC8-qeF^)vY7ej}RDo*!-|!u&0ycJHn=z28+N86xD0mXrUV`kwJ?R+9MznXj0{0 zzKFwDkWDB&y)yc~1Q8hBU=ba>5s7V95Fy_gj_+TGH7??5>RznEcyaF0_tD2g) z$J!J|-N-C>1IC({5pr5$TxSmj!XbnU$1fpCsIk)$(O)27Jp4f;&%3vrTb6v(+Pixv zC!hZEi&xoCx)gFO0JGEEwxOxAp$p-CtfC|YjFu=40nLH2m5UR4@Gt~F2b>o0&UO7; zbZQja&?>M?vav{h7UU9lBl=av1Q1a|WHiRCGiY<}cUf2vh7*&9bMii2X}ir|Y0n0x6T{U;H#H8g;FYMUsx&Dp7AZ#8 z`0Uj zNyW)X06`%zV(D8F)UIvMvK+eFo_{akxJ=e&1gtFy@I 
zh))rIzn5wumhficY1i1xt)c#&rCh|SNin*q)bkY!_~>ILiHO3@+H$Ek<2l*h|kYDPJZM|B&8UST)Ddnx9St3>GD@aGc^9=3Q_wL_s z{pDO+Xx44J=UHRt(vC=C@RvVQNzSh5U<=xNKT zcUiAlV_J%iyD>v{7nZ`kig-DP5+;NIWegZ_>di-Mpg0QkKr6~?)V2BECEXV_0a5ye z&7&6TNW_DUD}Y&)sey^H&Y&sva+eFMZq4V5cxlB4%ofSq1LpGyY0Sp(m6H}WhwBd_ z&c>i#Yw=l@z&FdMMYXI^9K!9UPVi`3!hD!{xEL(T<7ZU1v$|O4;`e1blTSuvpQOH- zY&D93uRXskoI)b0RY+;#-6J-PxGMxe2ChB-Nn}#Q0Rr}j*&>#IV~e|-*)^vpbUl>h zAzA3a56=94ZjgJXC6|HUBN9_D8pVWi+ErMqZRpRwv4(~o^U}v9KA9Ag0QaobUQ&uU z9eWPjB5F-MggJcw{d#dfDa8&#BBdJt>%3? zp}Ad}^I;U${4>i0)~%S(cAI@KEmjIec5cJ3TBvHER?|N2PO;qjzCoQ3<=EDp+WqVcQ&AIL!^kJ~(>%ja2)%8j z8tZ&6l!+c)NFIPgEw2U9J4}J1de1d)-;dJGKE%qsY`x}jS^ss=eL=7c2BL`nB9#!) z$F{5nB%DwNPB0)vdAPW%vY3g?2ffXH7?*`5;SkB3JR@}|dS66oyA~vk3_g9A=0Tm> zmO6h{d2mN6*tNLQz^UlB08bu!A}T-5@RV2v;{Gs72lwGDmU^Yfi5H}G%~p^tAsbBQ z-_9d7CVGBJOWNpkGl-?q9$%@Az`xJGV1cB>{9%o;i%jjv4WSRip4Ua6zJtK2XQ0-k`y7N%W#d`g;-`lYG+thte%Qs4Xi$P5$d@>`yhl+%qAG6Bbc$6$zGMKbYrV1`8Zh4&b(h2FR6h%xX9R^AYUa2BeUp-$ZDHUFKaIP{?Bmv8Gi3g<#kb zh~wu(7V2dR>@a5u5;Yd=Ln+e4jXCI^D7lUk&C&fo)SdQt7J{wA1-`Btd4BQrekD4; z7m%7Iu&nP@)3C;`t~Mi5zo-e(IIbZ>XcMvIBe{H8*r$^$>t+i9SHSWs|Z@#m$BJyE{rbtsS1myvx* zCy(poeM-~<85Z=VL>*>O)u%P68d94^Y*%IHozZbktJwgHW%aRCjW9`1ZHKNB?Ivf< zrw}V#8mm_{mV{$Ry>*;s^)t#g8)O^*xvZQZ->^s7-P+Ss6Xsw>l2EyoA|USDd^E2F ziQ6?!d?H*s%_rjeoq_mOXC&A}xnyn+2}E(WA*$TJ&NjLi490r}Y&cV& zgxyuHLN6-0TJeo3pqI$0mR*BQZ?1||k;QXkg!>{rwg@H#1{!cQy#IOKs_8{J?C5b8 z|FiGxSbA&i*B8H+K75^hZ`#?5-~TUepuYX#Yr)G8$(PomYN^BvLqgx0DJ{(S%AxZO zwa8}p^5EpvyR%~f+~gq^{a+4>k*3TA;IOdkR-OSD^1ZtyRNwi{U8}3acaf+#Tz&9lcS$6t3p86 z${&!FLwKQ+BO8jO&GAlFps?az_=zP)(TP|V)j=v;EvLGDS-n-(K;ozv`lk~_okz`_ z0SRp-nFE@BO5b+KAn?8p+2AXK@2!LZ3%k4L4;Vj-C>4?3#Y zn7N3~D4Nf;>z8ATG>1KEYZHf(H~r(AjTm0!AW?rLbg%@np8BhW@gZeTjzVmYQK%?v zs*GSGnnylmK<2Awnb8X4oZAp3N4f;Z7=2U^f9yUU|UPnwS#Rb;By?+sGt9Y z!M3%SEu;!@>Wsv;(#wMdr~ z2H3kWdv;2l-RD}k8O{)am`^>dj${@^=b76Q|C4(%1|YS&Y$|M;dI>gc)$iQ2hR@3A zeN&`Xgb_N4d?cYzz<=BQPfzq6n^TiJngeZ6`ySY%;?QE=ygwqa!-t}Z{=PCb*!uKi zwPD{5yEXoyIz_=SB!XF3S53fj2M1x 
zA0^IyaE#bBqfz4Q-!bBU$B6$OBmN0u#C3Z9e@uYb$96su99CuP-;v=T92rK7r=8(p z*UX)!-2RyGFapf(O#h_e;daRPQGs4aI%RhLA%Wh8FBoZTpC9N&D8`3+v(FFoy7!x* z-gtvPGSG`1+YI$){|@y2JJ9>zBGB7XK0hbQ>tFuK17xP(hUi$9MOaTc{ay051`=zZ zi2uJ|2+hyqkBy(%4wKl~fiv8eY7ECnLM~_BcB{ zIQ;hbX9hrA7w8NX;nUKVJ<v;4(^ZuxDB#dV;;-nG%4Pf; zdG&dAsQp&=i>0%_r_1W5T|1RvbeW1QljXpUrev-Yk4+~|Os zUZcK4x2-6-@NkzSR{ppfmy}&9KkAm+0`UP|rwjG<*o43&2@|s2%IK3mu7?c3X)>|EUN#asy`cPe z$EIb-35ud+ctn>p`VM*antEc&}a5YThX_N+VDCYF(EcQ#J7f_wQ@m#3AC3YF5{A)@Yj zale|$GpVYXAHbXW*vTBX!o(xcD(wB;-TwaXeiyo_SLXCy2mC90&CeY1U_`tz^Hvim?u>o)(0(>f{ELe^MnGXez@%bB?m0o|N#Tt(^Sn+&W%wpi3fu=03(8z&M>wEPzZ z?PcnOj%w{t{J^lt=SVCu-(xf0?z-HU4}09)n6bwOl zLtHyTUnt^$tcnF!U0w--m|;9KW)hjFzF5c za0C$|zHU6zHJLV(Su~Hf)w||Vmn{D%o$5S2AeHrf`}C@<{1(^Duae|e37jkdAd$>R z@~OVURPoUFF&CjQC34!)yNPqV?lWL3#nae9#*%q2^&~v^2e!}7@-_{B!xX#una_Y-Z@n5D@pE5Q68!3GRP#{Qw7pJG%I%mVTEctVMMB@@^KeGac zB<>I#a*BH}xs(Q}>ybkQQ>1eT7|o2u>37$wpkP|!*q=_`ygIlz zK4%A*&*vfVvMfz)zbbM=W*G4-lgAO3&ZP99X8{*eqN%FDS)2xdbFI}2=A}-L$oMHv zYCkJI7WSeLjEpr-I)C25MEcm1!U0Np5sszKi|%D*XzQ)rI<54L+G{oleOf7H%v`><)+3rYRxf03!>`yBEQz=#Pi~JZ}!mE{pojZ zA~aMuJZi?Z^Vw(iTy{d}eD>I$v$NfuH~AL2@2=Lr{Y^y0$V7!b6?eax3!8h8*N$P? 
zL3zxYG=_y&KYLA7L_a(#edxdcprSiPe^4BM$!!2;k|-EWxT(8@KL7y!oQte|W-V!h zrWRfmh+nn1qg3T2cb*Exn5l56xKxlIcXu%@KS~Ak*i?IhfdSGg1d zSrp%OL6iqrL8jx~irYJ%X#R!3e(UVJy$4gMP(tgqgx5q`@L5vNy^#>io$E<;38q%2 z$%uK9*Gk}?r@lM4L)2IG^6dEhTYOz_|F50Ix$9-c1b&{2gIC9Nq2pf|tG&h(?vu%@ zliR+GKKs4t-pv;LvuNS>nIeM4&#YSkMQVx(D>&<;GAFW}Izd`y&v-3(GE<2auh$oQkcq@KvDpsxq1fG9XdN zmAck_KV{XntUE*h)rzxH`&tTff%ak@|0g>bk11e{3KWTu%^57L+?uW}=EkCh=41c& z)nfL1ZEf%A)7`cG-7nVmc6YzpZ9jEg&D>-^m*?=9`)BJZXSiBMfo4HA#=(;mRBL#KOz6_ zmKwvk4#&L)Pq1rf+usdJPlCdkx|}P%uS92r!utHx$=hvgy!ReHksNYJs#yQEXnZ8X zzI98WFpic);Qkvqq6*xMw27J21haPZ(*5JE96K|I@C7p>&Q0!ZaDqE9PPi&Le$k$6 zTC5u1vbe~$#OLZ@fi^hG3V}phN6Lp^7xO+?kx|M!X#6>IdKng_5(Z3t(2p(@BiVuK z8zz6VvAH&rwLloTRH<+Uenm^g#3B2TPgZ{+WZi8xw%_V6$WXgKu%bP;UpIa5GXB2b zX^$R4D{eNu4^No}gl!*zSBkEpt{Xi7!coS^b$fD2DcYP65tN&|Zeli*?yw)e54A8E z+~xOm=!@ww%q1#h`|0IJuDn(c@TLBqerkn~aI>2I?pf?g%*VqVn(Od7pDB;6rT$%X zY)CIPmDh zjT$vOB5F3C?mmUWmc4XyINp#bw3W4x)JS?fx$o=3YJ}j1r$zDAoi57atm4u$TBzI8 z)VPMDrU#!KiIa2-QEq8@Rw-qGo~mPvOrtbEeOjg8zNWaDNu5WLxx(C3D&mF)sJr-IWc!00Q= z=5Rc%+uQHm3WsTYIdFbGSSRKp4lb=7g%$bIHL!H6u=V82UGFq+#kVZqz6KNGnzCS1 z$ojEpU(=B`M`EArIA)z=U2(L!7F>^8y6&2(1<$WXyO@xSR;I|$qMxhi-PgL6y$5+u zmrCMirQgv$EMSN68ivX(PP8O^?fFGsu@P)~_G}3vkqWJNSY2JY0Swt+$;1212frGkd>%4b6Cs(#4&0 zPkx&cq<;1kh`x?{rE68A!W;$6vcKl;GcNueBOWI?Eml-KV7An=gQe zGoOptXK=A%pPYJuWD6^T_Rdmhe>B)J9!NLbDXFa}zww9E+*3nQ3Q*08jMP-oN`tw_ zO?KrZ9rsj+>9~nq>tlHGf*-3ChlY*Gt*!6z-#3%IbgfE|;(vay=kE1h_S*e_w|Kh$ zrj@iKWe5IK(m~#~Gv_(#8trbvmfdVM zu1Z|kb+K+E-(YRrR7t~>Y*2(-I3Vu3`vX)3+)oPm@}^1!Kj|bNA>f%2NF5w%-Sz3) z=UVrvz0?wNOqL2q;$LuGEt){BI5tewjE7W5MjOux`Wo1*lTz{IjB4~XIkvj*(U#jw zS4+5agg`(KfSl$!yt}|99tRqajD}}V}`1U`raR(pQL>j9&Lc@xJ{5N zovko?(sj!&Lxr)vYI=z5T|RdS`-t)0MF+%H$0|qD+RRSMKU@!Gc7{0VYg=-w;^?Dp z``Rxce(iZWcsLGj;o=NZ&s?Qi;w&eeRio7e61lO`drzFuOK(DJdQ|y2W*1e}r|KA|NCeKs z_U8o@-!(AzDi`MI0Q@2pV?Io(%1^JLe2f6t2}hmI=ozt-c#Maz?>~Q z_5xHmdCI)M5;?m8kb>t=dj);hn>?z_PEq1tYXR}1TI7?ceQDG5ENaizIJPVtGVY+{ zjM9+pqq+O`I}2jkgUiIbNy|&iV}8C$7`-?YDsspG0na48plhkcqgtsI4N~~nU7d%J 
zTnsMc+SrmBXH2${IYCDPp_NRyUk1@}R13y;zI+OAS190h$E{)=ySfa(_o+NrN<8!- zpCkE`36J@tUtRT;NDI8B`RIM^-J@DzObQFBNR7aC#+h(kl5#ArZ;`h&KTfG`a-ZI) zWgl{8$*Of57h1dRkXAm+socVsIHwrz7* zs+^0NNW%@EE^o0N)x<&Wt!xfn+(SR{bjgPG(Fu*1t8Fvp#shCeSTja8)ETB=1`)7E zvKdY*3($tj#Rog`xILf_<*=HmMaCKRH2{{wP~;w9g+3e=a4z6~+9vz2YsXr#dct`@KEJG^69V3JFU20;efOQ| zit=INREg9%dwID3<=&T`G4SbNPg3WJ=K_1eZ~`P{&*bXm^7{Ioo!{AWX0IiiG&+4< zOrgBOQe_*Vo13*S5KJZpDauZmEeLi3`xRLVnhQcGfDFguvK&WA+J88G*)s{`db4M} zp+^<66Miyq>XC<1*{8FX6p3fCUHjUdS^ra(ydL{X9=6OG9;)>wXn@EH|G)Jk1J>Xq z8(Qmc;un*%^2XhpSnv!h9!UYxd2+>u*yKY%-{3wU$~>-B(|-VB_}9iYn*vkV(>Ci7 zTlbby@CEAOxqvdX9^GceJi$vSWqpr4b7?9&XSq< z#E27&^ABYnX29JIxEHp9=#N4IioWAE)}P8e0niVuf;9F-m&gOU5q7ek#8kY2xGw2T z?hIndZxi#l2z`4^@cvkw=yrvq{S)d}u6YYG3>NZCeb_up6TaP%m}(fwvga~SP@o|} z!&)UEU_%(Fmq${yp_wU?zZao04Czkv>Dq_Q{dtD(l+GtFU+hZt5hsMb1xqkUuY2Y< zEi5yO^_3M<=P`|ClmHJQL4(T>T)gwBBDjI~ddExCT8b2i+pZ*_lrAL2M^(BAZHgsa z-yB~E;{Wl%QP?b80h3VH2t~i%zv9PXHQllS6v8wOaWSgZnnd2P8k+gVY-=xHgKV|q zwrH02AR&L6@`5V?vf*X{-hx;WE%U<<1HHni-ApHg9%O%5(ii4V^i-+{G!t>I&{>p* zo;YEPk$vSl;2cIV*KMB%3&jYrD{;-hp)$D-_-`2B`;wg3;YQHxt@}86^TTq2>r6d# z766<~mRjyi>wyVv(+)m`=6>kjEvl<~teAIJCe-n>9><}OT0SaKCPzrw@zi#A=WWnfqMduB%zzO2j`pC8czyNwnl$cZGd8l7-7{w zI0v{`r1ps~ijf-?*}5jAys%i@I+DDcX(-gLwG!@j zA3Wj}nPQw}dxPwZ2u9qA@u@7(B)tYs;l*DD`pW*wS2hVmuo=}%*t;4FU-$63TH|`- zj%*+9jj`X?a8Pis(IYLJBW&*4dhuj+FAgRX&42o?#JQ4V70nRKlZi#gf8$AtlV$T- zvZB?b7W9iN+Tc7}8}c44tX}Ldl2u9o>s%8Nj1z*?HH&?GquB-|-^wOSe~`5#wXv)! 
zk2Fv>^<%)s6PR(LQ5%S&v}5rSrM_hgw^V#2_&N78>)E-XJMzvnMjwu#d-RjyYN11I z7W?<8BfAC)Nvjn`Tmxsb*rAh}h(b1`rWf)iJ|&-6^OKgfAqjME{Fn4p;gZQEJ-+*~ zvjVw8^G7`S&dH+w!8OE4c-TGuX5Lfu6#{@4;ihPg2kx0^Rl4zn@}AEa(ZOrF2&B8N;Wa>nI9) z%yj10xA|k9JP?G>M?cv=bb=8l?(uINPn{TLD#@c?d6iGEmk8NBZh+_Ab_g z6@i1cO55(@|F#NkQ?E-_sh3HeQj}4mhD=AIQVhFEv7Xo6N=T2`DpryLodHUktTB|d z2-~82e+B;&Ev*HKyYDEHaaS{H{;3yUmDBgXz>U-X@PQrt z`1n6!K%aag+)Iyt=fO*<<8i%UR*A{gZ**T`tDo<>!rD)FU105}EZgUk4>l^0Kl!-j zP&{I3y6(6KW^2Wr(thI%q*Z+(Ao}FP7v*B|m`$O*I4WyN*?r6qS6^+NN1*d!OO4;v zS6i1b`$;ahb)><3&h^%1M1&hITV-a%*PI3(-CO4WU-ed`DxWSF^=O{Y3i?~O4&Uy) z{*Uad{$;62kMY%{m`D&%p#qS%j;u2cD4idg`BM+H+&$H-=Id!Kmg|{fg9Ed}dt#g! z^AS}qWLJr=%ho-aEP79Ky`#&sy`J$}nk`mdDJa!L*@MYm^s8m~f6=0~AM0K+do^0Q zj#u>xds$UjEf!De|9*pI@ ziY2Q#9@h;o;VN%m?oV)L3SRcYC zkxooKsrOoH)^uLcy@KJIR@r*OGBJBi)KbZz(ctB}ls5?CKi`Fucv2c560@s4(S$7t zs#?nmL_oE_xZvmU*fXB@kM&}=L7Pw(SeVt^)D0& zJn|T6o~FUc-WKy~PmUOEeT36X#%^u4S-&Pkm3H_s7WoUOc^=pa!_+RUj<#OT=cr%6 zLwqSY*o+k-Yqh9H?!Iz+(M``(Ik1fIiZ2+7y>|M|l=1r8fPYM9U$aU>VVRLs8aaZ? 
z>E8>_>fn8CAr~Gc>c7 zNU0wJ1rG7;RGN<;f3dZsV*1->%f!a(Kd(fzj5tO1h*AXY0FH}^)ABTCo(M*V=$&Kp>#8 zM)Q#&YjX@#5aoQ7Jj@`b+&9(@iDQHLt=Dd6%r*jKg7OlergeG^5!usvoA~kd0RHIN zg22#KOZrRB93_ix8_(zWe|Lj}Y|n#>h;h~w)BaC#O5EG;i~Aip62gM3>7{NAAUhRa z(l7oW_tgK3SruByC@9K5x?hcxTy7WrF)&)*-oKQ8!POHr7sv{Kxg5L)F4#%#j3e7* zGsG3#BfFoLT)-{fQd4M+36D{qXfzXrKVb$R&OO` zxl1SfF5RZ8mICRbFkQX^Ho`LX`AjjiWbig%dzyIx0vV@zfa2l zGH_3^P5HI}eKIG^XXE+n*@I|kvDXIXYeU-1ndn1uE#1$B@IhsS&&ImRkzq7n&{JXX zaDpUp8{&F80^&vCX#%5w$jUuUjFd)mB%`NeS0w3rqiQnA zXSL)eVqV-(*S2KeYP7nl-9yqnI?*PhrT;I zNy$Y34H5hbaeikYPpC7|)nrcW3$d9`a2?Hl>Sa;(XBfUDW_Yfw;5E2Hy`#1h_4Ab} zDG*=W=rOsnB$nQ)X^TGhvbyr^0D;U+*@j<-4L=`FuIA+;szZwj4Sh<8w&Tm=0Zbrx zX>x_tjmaTJVT$b>BN?w**sbtko$bHmz>2zz-r z(TAi$#JAMZ!bZH77jcw~DS$QCH3FY{E^95+Q98r^{b@phson~1Y&n8T$6Fqf z8<7hw6SYFx(4T8+$-=iK6N1ivujQZBWO*z1cuYQ zCrvx;dLoY07ai%p-k9(&$H$p9QuXpuR8U;qlk&QZZz6>rjL8Bl-|C82uWTAz)xjr< zAi8aVc+Deu&J^m4!?!yphrzizFy7#mjKJfI(pz9Vh5TZkFlda_4UST5#rRDANe9se~Hj( z`JAE<81u*t65kVn@eBhfi4OJ%LTn4zqSO0rv&x}Mdy_SxTy5H}U3(!t!Jbl3t@?1} zKxeUHE5VQpMejGR3*#YYnx!xb%BeU<5gL*H&@SqYYkEVOAB*3`dd9KEcc=)61We83 z)S|wvMD8i!ESwG6nn0&2Nbs$*%jl_S8soXqZY#zaUy`dkcn598)~(tIgkYEVa?hC8 zB<+Kdc}HE5s%yHkB8<%auXI{XMzc;bWH2kbj%T_6sRUUbcr(P%UUab83h=yp-B3(I zTkc4oHy`Pw$Uk`FQXCN>3bYVdKd_z02$RotcXvCKZ%siBWz;bZ`Gc)KX-Q zX^~X1s8v-?;8C7bw4&fwr0s~szn_k7=GD|^w>A%KvIvx-;_{^!7g`E&KTnFZ(tVrv zBx|637j$=YDHG2*8%j%k2?RJ+hxrN|yC@)>{LDgGj;|H^>wOWrbYJ!t#pP5HrRL?# zL%Jq$Q`u93G-iuGcbl>$s~?uMa*iOEFHT+`zj=4@Gs1A_3=%oVZR8GmrBKrzin<#p zhkD}SqGSHA6yeKsUX|)^iZ#DkzPO3(X$1n1OZQrC+~q8tvPMU+(UKP3=lw-`xyJwys~B?9&k4+ax+(0}Zodnxg(TV01g@@j$DN z09jdhT-!+F)01XV7(shkBGfx%~rA;7QXic zm34&dONyFw_wuSx*l&m|_0w}&kI&AAXU7LeLzO*2Rf+Mep4sW^!0`1O^I7|d-p$KJ z@xY$6ck!?D+#7niaO&8kn#uz9<(!(ICz9af_=-V&L#xJ4Hg64Y(u#0LbODW|%$EU0 zcTaXM6nmYn6R`&T66y2?IE~B}%dM3H#evtDAj_4s7sVc<1LZMH5#O}_M(vK5bLEm& zl_=7j^V$upqyghkNZPcKK&$6|J-|Xfu&BwJb*`!f*7O+!bGzh-myg{^oSga++7?xd zsOJEAxO7_G&8_6Vca+Ln_a5jS5ePrk$KWsa*Aj3Qe_ZF1FL!m(pa+}^KAfTL$8>8mYdrK26uqs?KHm?U7t9X2bY}PmIIa884dyNUs+K 
zdUef0mn9G|k_iZ{q}AjKe?2bTHNlOKFUQS{CY6xY+!d1vWTE>3X2>E}AD(i1*j36#Wvfjafwe=d|*w~!Kmb;aSm$v@cK@$({6olZ|0Ph=&uI2yJ=-T>#hB>&~v z;j1_2$HVUqPA)Qmabe3yc31#jK%u_`tN_aTYo}+x6R-A`Yrq%h*EdTsK*8SNObSWJ zFqb|357S}+ectfhGs0yiPt2-n-i=JN-PUOk?{$(hzwc!r7Kx;$`}66Wi{t0%D?VAo z$5}O>1@>!f;=7F<&g>m^YQot@0gGhWhm*`djJpR&2rF+W`ZtN#b(WOzBQ`Xgb zxICg&aZ7AbsX%oHt|dv_%G`^hPAz{@L@V8MCoS_h+$vB#B4d&02~jqy|5GHyhD`~N z{ne(}=oDFgxO?vEy^j=R9^>xAbp&WtxFGa^g(R>2U$^{ zGO6=*?r?a&KaSiw)4uiBz5jX?Aib?V*gVF!`_$VgP4VY8_axgw@`=w{+XmNEa6h~M z$9V0Iu=%8Vg%bu*$wuf=MDeOjhEdg8eB&^ef%ufJ5AM`XJ=U(^UT?Vh*=Ru>N^%s` zFOXU%sIrjp5ZV0+LqgG>WTr#mZ7+}IAV$GFZpU2~!Utt!h=ydqd^q(Qw#QACZaKBc z26;mm*ozK^xTkrta5)I1KlUx1<8CV=L;*M$Sx0OV<6{)^FEbf=`~>AuoZ96)6w-+r zP|hW>4iZ<;|vc9;r6?Qzf%aYUC#mI1zPp*bMT!z|2$Q&+%-WsG4cQ*qsg*fj8 zyqp?6bW_(fXd$_nVP_sw^WIq?0I%2F!~=d%g01TY*n`9;vT78@vgJv@fw_EFFp~xS z?@Ry1Mu7wcYLWdhay|G8%WmGegvvHtJvFf`uzze;Vs06MQ@rp+& zP+O#&*PxyCKJ^Z+`d){xhnN#le_rdg#iJ8z+9yZHrx(Vj5qqnA9+c6!z_pG%1PK5_ z8_+bJMjMp&ZjtB9T9R8y(xsephE!fJYe;|da<`FGFYi^Aq+@7$FCz**TFE2IA%jK@ z2Tn5fh}9#GXo&<^ao1Biou7PjaeVd~+tdB)x9{HS&SAPiFH()64zrA!7wv|ZF6tcH zKz_1aX>eF5GoC5N%to0g#HVa;uNX=yg9^NbIL6HH!IKr~R!}|VqVhe!hn)s^F!gkN zwvQu^(5+~fI!6tj&TP|r&;q<^;;?Q^WW!N*aP<1*^yK{F>;Uxf+1rD&gV)DyT7O2* zwK(@~uW^iyok=t48{(YHm2UR+{f9505EJni~JcU2!Qny&DZh z(>js)Cn5?0*ZNQ?%7KRRJS&oZVujg*+EZsWI@0#MDU-$~^Hu*3w~^g389EJOLHdYh z)VT3`Qu?}@IRV{vg6Vpm-`d<}`rkeUn&7%Crmx-W4LrFa*&HF;+}dO=IK|O@?A-M= z3Gb%mN1dp9r?-84&e%Vv(wcC?Drda*e$O9-9tSb@netK_4l`L&loa0blzo@dX^AI- z|Iyrhq8))T2%;~tp2&5fnY>PzRF%84jm%D!P26Mt{T;=&e|K`U^UcYTndHplj_6Rp zUew;4z6Nxi$+oTyoB%RN40zyWH~dGd)65;~*v{#&q@~qE*H%;k^1M#bF#NL|&}QvB z&sW{8;@;j`oNty-t`()TENHg=RfzNjf%7A66*Db)Wn!ufqg$AJ|^em)r>+)0g4W zw%i_l8*J2WF0PAJ-_AWt_gFJiXysG*V_apl;UdSh>fzk8#NvXYSXGN?2jZuYoBsOU z`32nsOlL4yKjHC?5QFs^@Ap zg1;^r2S>*AQ#-Cjb10*8h0g^Zt7h;^I?&16eiViFJaCz252-r8)g z+h!OUV0e}F5(WHfima8zlreKLpsaS>0a;G14$tNTT^>OK2kAdGUixqdHu!n}!ZBYiZ1ts918Juqa7n7OKq-ltMV?4r+);tPO zc#v-0z54fx|An{b;DGkKDe#iLJ9@kAsnCjR>4rGU 
zB0E;I>kQ*O)JwMZ&~l!CB=i-r7CI~KFJfcGQ2B9ZG=F0rFI7jsmB;kr zCPl9i+&u_s>znRqk5XqR;I=>uf7Jfkj=iP?q8pdVy2FhtLX#dxPD< z&Ej^l%|JU{+y;$XdL}yq_`g8@o9tiaM6k0rv5TeNle1az_F+fbp+l9JI#`QUgrJ2zS+m|Nycvd*70BugnJM*?@@~q zj|O4%C5IhYTe(Ayj$a-8C42kk&8uI;5zCstA%e_4jn6B;by~I{&oUrw<*-U&9AhJ_ z6F=J9S+*>_5)=)NAm-(ZQcQFvXpr+;Dd_8$=( zD%z0HVWcH>;sZqUlkGOAjm_J%iKQ%aCc{FyeQtG?{HFN-=79v>%^HjHH7g~wDy~k? zSdcW)gljb${jRb$WRiMTY-tN%v+n=&q^IFk;S&}ZIrTpY)tOpf&zpJ>3mBuhc`EkM zuid{yJxCsuPwu&X@Imf_J(1PcL0y;TJNs^jgm?Dicb=?z=ZSPl-+2U4yQWGXMwc({aTd;eKx5d2T}%~^Kx_QO+SaY{P)0q{@iC&-R+}>|}=k}k5&Ur2>3(33xtsZgK)t23)iL*Ij20Grck1h#yGz zJs%jYdcay3WxsI^f0_M{Y`o#S)Zc%e9W9F}OhumJazPIl0a--w^q%yd+HDVw+#`c3 zrr8<~h^M4JRPl~=c&6`ZHLI)yj)QyUOaID0fqQSY%D{fdi~W!d8b23#CM>=hZ;Udz zy(2QhD`x^RtF)4yB^wPUgOqqcM0k~HaT8IB&=sj3Ww}hXQbdym_j@RA*GlkmO5Zkr zIF(qgBz8u9(=w(TG0Q`-i6$V^jG0I_TciAo&VAGydgwc4UySQkaN4H&sf8JB(RU;b z-1P>S%|^V}0Z?B?j&`IL4KK@UpZilzr49FzDi~5Dv#9goq+BeV#nyaOXG<^dWEu9< z#%+G4_Qv zc*-OfN8S3(NzsUasjBgHF7Y6wFu2Y7JS>kqE1NC+H5!|o-k<UC_z!&P=_kMR^oM;ZlN^o4=bnA?bI(?P&M75xTMvjsjdO!GTx+Ji zLXYR23McRB{_AID!5m%rPs zwI&L6M^jI&DP8(UwFbqutFdR>R>e;u=HMO)O*nCfoY@5_ROxuz(ZU1+d(=M*B|++J zA=Cu83l^f@^_eJmD=?2bU+lUPfz|}QS_ipZrNDZ4Z<`8)B>QE=sVByg=zcP;o`!EE z_q4PSll`IDrG$fA{rP6kEqKE-)85Wi-Bl`Z?54XkPu%ji5bi_z+@cs}6#n zu8kPMlM0QXiTJ!YRs{gvg1bSuA}di{zI^&eH=jFhCS7A&48^$y=kT}I+da>ti@$k@ zhMwkzP7Ap*I)%|5b<6Cl-QC?C{2x)&;WcGB!B^SG?5jU!e{ge;k7rKZcU{S}FN4O@ z_#QK_Hqq#2tdx4Uo@cGMDLzoNyY|#JTrFKw>wQMa)W(?*S}`CBVC2tx_NC3Jvm6C! 
zijPX>h?`E%KiMw)j-NrVCU9g}kH*_ltC5ovG`c{zj^XvEZmR8l%_GxIZ2R62aO6Xp z4<-#zRT(kwv$$m5j`~B9WeYC*f_Mu4DV|eo8@1v6{U%DUY(jIJjKwy?MsiCh$agh# zFf_i7$`l~4*q3Ul0Z5Q%R_(NXXBc9a@&ASmmwmZ<=eal1y~kyXcHi1sCJ#0@Y1Y`L z_MrP%mOO}+$ddhxQ!n;PPZh(qb`fnr-FQwya>G#kE6UYn;iuJ2>E8ZVTuOdTKDy^@lp|)yfpFS|NUp~dZ?R|+q^8e}(8``=IvBL=cq#3G(%|qG0 z!%6X>m^cYl%(3@+*=~PtcXwNr9DUaIx;~^S4Q=z4Q-h$Bq|ft2$t-IFbbLspNX*fm zm2OxSoWOw5)O33t4DZz9CBDir(uuYJiG1Ry_8#iSAvSt-Jw(b_!f1i1BOSH$w=6-B zRh4H8`W828_sgRZ0zwc!fD3*Ki6+DIa8RGF$7K{=I6x9^PoH4(7_O^T0{& zI$4qTqOn=Le5>`9K1&lX-EO`s$Ea{MA9Mgf3prboPZc24SDg)UZ$o)dY^m1lnVYL* zhzB8Y6w90(1-!nFv*q`XOmF-FsKnIr^YJ*K3xwN3EeUzCx%0Ias;NNb-p=qToKo4O zHBHgyElQ#bA5mK_ZaQoSU5qQk`AZ-Kc}b{l@JWdktK)mS`%km|-KSqY^w@s(Y;T|U zI?%pWOS;Eg;~g(NESusj7pX*QvIg(%iXEoA0PhUlR*7&?^U-7|>CEez1K9DN)!)P< z;G&9^>Z)c@2-7)xq5dH9Q^)>iYe78FrIANcEJn`Z2R+YDmjgEiw{=l#ZM9?$Q93;| zj9%PYbbw3aU{?h)nMlE=e8g(>u85h{?0KNy9h;A4RK86R;?O$tPd|7l_T5a#i z;4R;VtpJkMiLr%8brHl7U_l13T&RyNLDR|=p=5ca9BG6N-2WfK(KJ+Db=C70BKT0w z>hSCj)SoOrrtRPNy2Vf7;J1vc=&PT)BLfES54a~gz9$?<-^=G-Fbn^$9?u!SY4}M$ z8oM`4#zoo6A`YH6-J*T<(XCxHe1+AOT)C-7RP~}Q-l97I!o2XAQkfw4{CzncY5qC> zCyC(bFLP>#<@W|4`AVsks9%&| z4=G>|G_YC^lTsQ9DKKTD$mjA?XK6^Rj^Q3qHH;d*8k$hAoJbaSw=G|uT3&54wTvU! 
z(3gR4Xpr1_4bNnqC4x9674p0#vJi>?|7W|wzB@d8`(ZCTI6abo-3KY(%ad>3X&Khf zp0R&78qJ3DYAHNpo_--fwP;Ewt5nd%>~DX&scwtS%}n0Xa}p6RMNI|;&F9~tjja!R z+nIe--`H=x;!75FX5@FVfVt)ofd}Y7;uIfasbVfa5$$-y8S!5?J~XS0b!~8DlGB|o zH-G4;n2Edm?}=M6aqinIrp^k8O;Jk-6xhePvui#eZlg&y2406`xaG{xh6F>1>w`o{ z5;QXGG93dR1~?Qs8w7a>@h=C1+vfZ_lg-;?; zmj}s0Y<5%v`gH>cVl}FW97(xm4?fkn3*{y9(S%TIT#c5f+!BZjzN&%VknyNPSI8V0 z=*gS&Y;SL{ui>Y;(|G5cQw&!2h%B3Z|A~MByIJ03{8svsFO<_+n{aPO>+U|H5IwlI zb!|ow*prl^x<5YYg}MUQhN5hm&u@`HNH-8;qm7b1ZJoX1a#>EsLqHR)C&)vFGZcYK zC5WenF#_}_wxO1C36`QYMcp=_uZ6#m_*qhFogCb{K1)JFqrYjt5^6U2IbwskMUgu0 zCalK3@v%o~@C_a_dA{};9_nG?zTTgJl=ZW3 z&W=H9m(S{@pz3E^F@m@ZRuYWeqdRiym(KiUdDdhW#Jv+;K&v7#r|o^$ zu~3B=$o|V%nyu?sdSgb@7<;!en2F& zW=#g)m|HF7Z_X$^c&3?Y;<-T<2tyerZEn?5bYwoyHVnRMgF<0reDBPYa%3P_hHZtX zBQ*^Qo<~C%yUB$oG~06jy1T7pXwpvfl*i{#sIg~zSnd61&!lF$CfpB{Cy$OGySCku zc7W=XM{Oyjk5D^x>_&7dJH8nIhrhtbQiK-rfRl+G62eA~Lhyx06D5;j3E*1L0p{0L ztw1A_()&PjE(gF*A+?BliH>VV+3TZc{((kSi%z6T36vj=$AV3`VTe>OesBNw^@c~d znvQ+dx;5?O`y`*|VX*4*)l-#>DeQ;cwO@O6XY;PO6vy{wcpz-jv;|wuuh2q!aXGbO z1ZeHLI)U8hT%X7bxKzjqQt}ZSA&S)l?^fBV`^ zV}4z~_&xsdbx;1`Ijm>%vU2z4J)W0;`&tMq-5=aP-1Gd$AaulAQ95w8j%dOE$m;oM zSk8u!V7+WyFYG_$M@C+VClEd1|1)kNpDfZw><|7SzLq|g{D}{897Fl8?>=QTVSV&S zL9V!IFNh1OY)8#VNcV()wHu~;;jVg_=Xes*9;6e#|8!Sp`m2zf_Pi-1DDiwwkM15V zKQx*I_wHu*k;9hQ6zZ>sT#WKEiBoZVvN%B$5Y;EHHSx$@RWRtSd`yg31fn8v<{O5i z+`yzDP~=bv7)mtXbqC5X$k5o`ZP@f0$m?*2s10wY&6~vj5-~66I`X6Cww}+G>fE&l;XPYya&B_xAYg{N(%s zX=8_PPEU^y>2mz`;PmL#$>}#g2lP{RAbd^kx=s*@H_TaLOl1ZS)k;l>5dBk_=(nAi z_@?KD{1XWd(=)I{%y|XSvhY7^0)W$*ELTauM4GNX#c^2C7H`Aw^>#{7_n;Ezfr2^z zh~X=4^gn6%;p=UL>PHN}^N}HwcZP)KgSPFV^`bi6P*=L5cWlGG&Dgx6{25T4`7WV? 
zkU=1VlL&Ql00aglNHD*x9rAf~epQkH(%Jar7?T+hT$thI9QZSW@4c?z^@b20ZlbGd zDG~$(GjmK1jAVB~frE9=-^w*a!oSJAbQXEA@(o!>m63nA58UsKRaS^xA;$9s(Id$ggiDW;mt6spLilkJv<9m4`U);B!l7kHY)bY9vLg&!s{v0JKb(c{N;Q$0L1hFLiyZ^5 z7sIoWXGFX2OaHAxvtfz12A7@+`4zeK5Gy3ayk8G>(T&Qca^WFZWg0f?bSyM=)&qWM z7dM(d%1>#P0Pr%W#wY$-Tm{&5@6KLjTeGFx#G~wealeguxKxF#jmZ40bL8pRvS+Qq zn*&;MZ`ZbT({4AWf&OWRc+3--j9go3g3xq*BHJT3Nk>P7^Xq)T|RTib~w6OPTw6inD^h%W?3t%* z%RJU2Ze{#rx>y~7oH^TISqkNI^oc?CHvETs{mIi^Ru)!Q3rp=Z-;Q*H?YlVwQ)IFR zo3#Wu@vV*Bjcm(Qn(bEhpdWIE&!w1RXuczm%U67M%Yo&}F^zIcCtBdLXJ^rl((h?f zN%{bXKnGwkEyZ}zu?*-Abia#zAALE_S^54~f6Ye|X0i;t6Xcf!^#~K1wYtc^sO%@N zgkWtZ4+hAEM#hQHFj<*f(p(p#5{%5&{}b+sN%_9WHkae}6PrTX?YCCCTAhuqS*=#` zlBeTQwj*&7deBRjS%fXyVFGu4OYLDfazZ7AOvjKn8EW;_#%|iiBoNbaX*i92K{kNl zTE{P^6Y3-{Nn}<}X!D6jOlb3!WI~gkN=QfI?D#<@HJ-tftL~0^X#Qg1*&~+fQ)Qlq ztQY38?wti}Gx>!vx|IQ9bu0;Mh{+E-(U*IZ>kd+_0$&l_K zv#7K-HM^(tFFFq4dvIWkL|ZZQRdWqQD@U@=g)r)nOh`}mp6s?$)~$2=Ihp8_?zF3$ z#Sb3Nw-=u?9(N%jSTFEs@lMxM#0H*zwg21ppnM-Q{GN=8edrk0q`DqrF0^|AdKG6H z^-A$tM5Vw`A*8Iw{Xx7mx1=|vQ+*snIc=qeZ@^`KDh@*Tr#r82oj^L>#{-f9e+;bANP?Lf5N0C3ud`nYl;^Bleke` z1CJ4Nye`l+8>;Ub4ecnS*WV>O$wvf@t!wnY^jW2bTc{rQj6fM2K~AjQR%2r0Wd{@2 zyp}9es0+iRB)45jsj<3MDa~%7vd{JM@oYX_7gr>0JG+U_biHS?c3m-3f1Iq<`}*^) z>h9sJb^UqeUgO0@;^yjS+i53C#QMO6Oh}%N=^s3HqsE)GeHmk~K6D)?#!cK*asuN? 
z2^+gh1^H)e?6%bT@366exH<^}y->0Up|Y;t=l6Dzn;p)<`RmsH(vzn2yS|sUx;i&f za?rmm>l)SQzQ9pvEZmJc7yK-VL8&iYa(7+x>CQ;jF~uss6-t_+c)f==)vT5dhb)teM13-s81%zc02gqQm2KiPY{@iY!*J414OITYAP2znUrcR4};w>jwF)t+PL zZ;QNM&V^wE^tY&T9Yh%dRIT_j-_>oYSwZq4J`z(Z%4dNtZ|`Yo4d}q!k--h4j`D{|__GFYfKO=NgACCbB8)GGar7v6i6K>xM!4}>f=+kF?H6ogC19SL+FW{m3GYm zWY6ruFiI#X_s$ZzovpkEk?u*s4%u95RFv7i++`%O_9y};WcF5&siRGZpTwq1#Q@dDenI?_!a07J(&CCQsjN!lUu0==jdc8qy>4fh{|R#1D&C`|G0 z>=o--%=8V{X}kNH+Xj=+{5A^il61jl$e%^d(pJnaff{{msA*5Im_|2MCHf}nI~Yh7 zlB1|BgU={{wmhRVvapSrPqMR%3)?)&u)_%h6%%R;6+;0EgEDm8yZuy5#x^s-SdP*c zHx6IDIX^zX7`{C?J3hS_zCJlW-!M+Gka6wyQtFV7wr1FM>7~7ph=v9DYl^O6&(D%j>U(%P#acf@@Wh9?Z05tQ`CT zDsTvhb;F|G|0?DcCOREftNZEb%-+AZG@fwFpCSPgk@aY?^A@+EKzq6C8?%h1mea;I zEyk`Yc8nf@?CW&D>4lz1D6$*0SbO-Gl~lVeOIL@%8b5=Y%82I?4kS(+ z3e@m4MH1|&3HGfUJ?r%ZLr}{GwrY2QJhLnd3Y3n*O0cIR6=^o3YONFoizul*@Yvhh z9929A%XVuDRU%7qRel8Iw;nD@d+u)t`kMW!AVHAp9eZa5clOGakOgh2 z*8jW}tI@c%hAR=N4#*RmQx#X?J!L1{@-B+$=w7glVI+$;l_t@91DFgb{0}U*eBoba zxmPV?oX>HYkKSKX)``|bq+mSPUrq%F^w1J|0FNl)VOw-j6>_O$6wkHUvAEmKs1D!g z&uD}djjOGz6HzJ@di(m_tBaGvgY%1DCZcgW%8>v>if)VW0vkC%4d$K-mIXI>-YC7r zeiXajD^FtAlkAgj5~@w%-C`X3--EB~SMI=Q+40CtG%^J5pf*8NW7k4umS7vPWUnupT-fTmrrw!ZMiKb;B)mz{Yl6&v$`0)7TPsgww{Dg!{ zQcsJ&^1^93KR!JQ^Pqa-77kD3-4GisUu@&Pjr7O}2#Qm5@il9Q6{Kl$BYZ~v>o-k11Cw!i;$ushfr?C)B3rO)P*&tXBPn~ON$KD}=p zsD~;Qh%!-y=j6f*V-g9;YZ^4@35~TO5R)x{PN4Xnk>Qahovs& z;6LUAk!>KgyA7Y-y~#YepF5{eg3SN4IgA6_ zi%;QDZ8lEY=E?zEu>D!*nB6s0jf>&?;{F#Oxq2<=cJNAziobB?xFPC=lbN^be{)@) z-_I7@7xDb*-_dP1oR#wtMx6b*@xSH_J)m*Fw9;O7l5QoFqJf!OQW79ka7k_;9#PaA zl1M;*V}Spbi$&a1jP_Fm^K8hBNPcmAG5bs%nFWnYd5!3X7=W$;O^*20i2dLQJ z_?xxuoFk|>MorhjKI3gv1G^@8wJCFQdU1Sqdhp84#4mwyRJtyzv%g|C_;*Gx#h+A5 z1}fT^#nE-40S2|B-Xjc6UX-0>J>MZ0@D6X^9lqZP;lv-yR=nZ+c0H*s^U2V_V}?Y1 zADJ)+B@RAy--l;)4f!SmY~7Z&P4?lfobg+Lx^xV0C=Z07Oaf^4@oq!4|!oX;wQ(`q6C5vKV)&bcg9 zu^45-&r&Q@KN7m!k9uR6->(#mH6ZZ?NjicJSth*OEt?#-)MJzYZaz4?}-UEO(P(t~ROe{vhDbgsW zsRurUP7dmY_oGh6A#H*9eQ@u}awBUv14gzW!hx&>pV4`7UrRLH`I4lQor`d9d=|Im 
zM|?%gbm-|)5jU?sVyT)yLP^@v3KP09V>+A1XJ>EDvbP7{9RK`sg+*D3U@>>2R)-6$ zx>%c-QN=QvRaq3rUDsGF;23ewLMfp}aPFJd5)+OQ-y=6GJs`kXO))XiK+{ft4(p~srf(0)SaGn5CM81>T$J1+2-TLs%KV@@w zwHU2**zD8$FpY*^Zxi{xY@%L2euqYT;TtO(w3+cA5$p;OOzSdgA^cny#Z#n7g~d-4iK*!3THT?>o&A zG<%rsI8{wGUVf8BZKJwQ$91!~oeUSnM~vv(i`TC*{CgacFYP9=>Jev?ymlI)Xa;$< zaqE_AQ6cdPs;lHwX|kDlXsD~Yb#f<_AV0YTAM{zQ*8JM7@qg*A_)dwm^h8%t?7OUu zu)5JJg+g4iZj$l2_-4);H}jU1W2?a2kYe$Ta7#1rMH}UVq_e3X*FC(M%-W_fy5XiL zvTjcT!%+0{?2A{t+>M&5-I0e}cLnAZRp&zli<49eRYrR$#|6EcR4qrmJxw@=FuP8p zAGfR=*TO4APJ2^vj?{uLzEj7}HiJ@`$G&6lvde0G&l?JfgtF~jUs=dyP}#>Am3ysbe(@e+;`{^ySfnJ4!X7@R**a z!C!?WY_;|qDjtU!e$2=sYOVm7<5bW3Wf}|-~e%(?OW(S+58gR5i6^|KqmZ?Pn)*ST(`1CYF=#57w ziKME^M4yXSEn~Az>BJi$XM&T~Y-EnK?<^ z_kc9(EGahtF`}eBh(UJuxxQ(2Jkg=VDLZ_3e(~n@@Zj+9`22i$bbNYpeB^Ze@$h}5H2jcyFG10VETWKTbS#C$ya_z|%=!C?-;hRb`Z(dEYg zM63M`=mYRyN{rC`>qIc`i^26Ed%FAd`KrEa{Vm-Qu&gJX77Ch0;W{p3;HIxtB~J-Y z5GJ{g;qtub(n6ZKZ_wsHx2qf%wf;kO7CDud^XiU@p2lIWSwm{*fIffF&kh<8WDdE9 zL@Ug%Yb*65nh1QE;7}N3XNIlm^DA-6IFV0w_tB*%yT8Sj_u$Iw0t>UVH`wEM>vZv+ zxW(i2Ke%wJ3BYlZabce9K6$RUfs(lloK3$Yfjc**mv7EqA6($>IcGiD7r8s5P=UGd zNzUCMd#k8^5IJaId{Wp>gCt4s<(_ArvD9-AV4^)aINm{lT^L64W*Mf{r}? 
zv2cGp=7Rb{^|ddK{U0NGbN+JUevxejXQMC+xIcgE{(PpARcZn<|6A#P6ILPg`@k3T ztbOr1dh4~pe6D@*#{K!7laQl)hESa-XV}9~eHkWpN|S(e<2t%2CNu4K<=%Y#8PCt6 z4y48UYhS#Le^bc0FsQTWS3Lrx68Yl7{cwS-n}ypGxN6T{9%g%c`%iRx^PzWGi6z{X zxw|89C$f=(xmn)>3-J$68KTC^_y9?H)7%*U`5 zY?xnQ^Eo{jz^%sQxAny~&&vu5GWFMGC#Nr8y*oZVJURU)J3Ic*cfibXXX3kqv!kB_ zmMkPlS5xmkcC(?kN@r|5NO!tSs%bxd)2m`|p3|QM!@ zXU1`bE!N1FU1*UqKcvg26kzot0vS<%5DR3gTUqzKb^|9Ufe>Ab1`4PkmbBS$JadX9 zzu2teKqt>#k=HCPma?4pKin&Pkx=t=kNN6Ke9rNBH3<;2ollL>!K)lef0&#MXX+f3G7Uxs`F>?wt!!^tQkDeoxC1cfUMZh zXy>uDasACp*jVsYsq?n_pfF)puwjv@JpM+byi?T*)k+x?VuCt-1FQ;^yiz-1@Hxw4 zRstj4Qd-)!h#0q-lw_rC>g9VPAl3d|HwwhePpjBsDv?#a6d6H3qMkvPp`nlJ^+yv| z3KoD+AE2Isi7r`y<)nzhh@}DCK{t2OhBA}IYp&Cy_eL5WUYJ$0rI?6rMnj~LQOs#S zUhi*?FXHPWs$L9^>-4_J1(3!T>Ex>a8>iXiV=~07CDWjYeL^+wk^5{9)j`mQ{SH@p zeou4(Nn05gNCTP|W0g3vGSjND=!D!$);k@~)zzlC8ze))^Ktr5$HU}SzpZRi)!*;N z`dUuyxPQ)?T{P+bdg@e={%e@kHWh|~9)HXdX(1s6Uz_B2HKNuStni!gQ%O3mjoB={1|^)w}N~r-7AGk>elH?bHOF5X0wXf zaw=5Gd*~E#!$SFbl9$sOT*UE!VN+gMVogbBn|EO~?N0;OC%>Q% ztbUd}*qV;UhaSH@WbLf3@Vd$;Q9?|7%f^H&x_i7XJh|^yfiLfI4U|3~Y~f7}x;y0_ zFb_!**iEg4fxe&oQS~}u%njZouO?ZNkld>ak329)_G~j1NT?j-Qq))>FW-xhueQ!i zZA!~A!82;mL>h$(6Kv}u6^g9t@Ftp<_Xc34!~;q?(5f5`&~hGCj`$A(EeAv@tnE*V zF&AA6Z&iC@GDt|rSB);9vV{w35LW|#i0u!(Fxp3R<$aMns?OdZQLdWPoV^X{?mEqp zhe%cO_*}$T%aXdq1bo#ENNSqMsmI)1v0WVBUfJpKpN`Mct1CW0a(EzF)IM)tPo$IQ zBq-c;t|UKdY($^#Y5c)Gjl?&LD9X*HQiXf!b1$M;5~YSr5JXSe6-T(r}o$k3L;Cx%;AMUdc zRW+_ER!*Us2nTv|AtLj6z1J9ZK1LFN z22=pV!}<*Oexm?`!K}$O=s#|5Yt1yh9SSJVU?gspU!|$P9V5%W>=-!!;{G*99*ryp zgz>+Rr}e++$fJ=ppm4YyX4Pae9MK2!FEHxnsIsrp5o0p`^+p_zsySl8eEe4%aXhMc z#5tk)hF9f8$TMEfi{cOGN6&rU23199K~sHpYkxbF$0fZB2v^ihQvY3wBn_Z}M3kF!dOq)UPYtCpmZm!=G9&@7+CLOhRG_lVPY)Zd$*DrNSIm zbZWyjlhCZ7CRWH(h{@wLB1F*09b#T0qlxsmkao>Wdc^2zh)-|*ZX2~eA$=!?k(M4J z5$Q+waAC$jjbi3D(IL$2kXFz9Cm-(Kt8%*h_&n|D1D$mH;K%h7ek3FqAcx`Y#qj9( z3GyQH0|Um|96QUW9l* z(x`MA-HF-y?aH}3{`0}>x37-f)crcsUAzA4j%i4#|C*Yrk(LrRS3Ar)dUjT(MBjyVO=@iX!vChvS~`foch$Af-s8JuK?C2GEEbZJl7`MPAeX))EDp$s))% 
z>zEnf4R&!OF~PitaXEo@0Ud24ayH>L**!yhQ@rkjUj(o_pABWZtb{Q0b>@Y1N}yBi z&g-?qwMl`ZZ@&rWH z285BFHyP&g1A)F+i!#lSj&wO85mrxr)h!ogS#&KNBAr~i?6Vh6WBRgmjYEo?F-&ke z5tdJ?FApiJ*5r!&9&wt&-BkDevAardvM^PD)diLZ!!)H=qLqcjwI7RW!m<~^B`u=K zlB!T#b!pn97DP^y1X!eTSo%Txd+-%91KGOR3&-A5kJjr_-|AgG_%t8!{!V|dmO@`9 zSHaaB6|S;jRI=V5b5P(l9UTA^L$ zjVB2*xWkGY_co{8k_)y`L})4XEF1bzj+b;ZDl;JBZ;H#Z5IAc>P&vu%guud|mCEub z6;y7D3mPUM7SQPiLSN=41lmtAy=LUtV&}B}aN(wbC85vJFbB#0Nmrf;gDC>`Qm)p$O2wr2;tLTj{X^}7S$=$%w-B5ud z0>r*6m>h!J9F;`6^~4U9v4J^EqydrS;*)vfRvQVTW5Y*7AhXaywkIBQtV5saoYHLX ztLD^`g}JzE=~ovfQs2r0-swOWf1Qe4(OZ=2Q!XrCYL;+(iSR3`^7uDZpao0buXopg$^f5lb#~wI^d)+Eq4&} ze|79OYTK=y+k9raV#mU0X{e<39xr<~1<@D-Hce!x@-fDEG-Nsk}j}?tVkrq5*xu z(dKgn^17r4rsD!mjYGe%u$~*k*x&uKb?DsRvaPrIoSO8ZWY%p*>1A{#NcUmrPNg*I zCSOFS5=u565F#wvJHZ(w>8XVjELjE`W4XCH?R4X=`^>(9Lf(WzC~E}TbX6~0-x5e} zTrzT=tt&PFOOEidz{XIcK_$4t(7vDyX+f^+{?+d?X+sO3m6cS{N)j2a@YA-4R`);1 zUL&PA+9UoDi-4oc#x<|iZk|2Z(kd2Uz0gua^SN?ftbSjIn0a9bwmG_( zx7yBbP$|W$0XykKRcZ=;sOx_4fUYN0O{n;4?9T2(8vourpax^0x2a&SCFk_w;#CBL z)=*|`vvXgM>E+k*CAatANSl4MAc=_`cV9;bvM*Z~Unj?Q0!O`w;1-ia9p+AV^Fb?* zRzt?LWZb6-zC%sn5OoYg?*L9fvA@Oau06K?<#RH7xsx26lW|?L*jv8sXb*{d5B;{* z^0As(f9^}wQQtKtvyLs4m{S8&I-~blvLL1qOoG|-=g#uZrKyuyYVtNRIk;u`@~N(hgoTnl(bx`; z=%X!KYtnR^Kn?YU3=(NbZI7_FSCui$%K4T6RNPqRPT>bu0+S>HI7gYg_OkDF&kP2G zzsgJF=h?{-vwm_xX;vO}Kl?8t?} z`fNP1qu;cW$yiU%BU>L?TY8`clM2n%pKcF#_69!5Zv%M!zpZ3xKo6H4X_h6Qajkh5kZ}x`lsKp58sVYWc7g3F%H|qS=&c&bhoqP|9t&M!trOv=WpG= zuPZQ-Y^i$C^pzD;%b&~_7Q(-!HvX5iiab^VeF?m9=BWo@IhX9jP^R5DMfE`Q%+V~h zSc@4G*lad2Q80@A`*|%s^SqV_S?CDy3u^tIH%09*V6qe=!H1(Fk#DFKq0-E~OUGa| zQh77EDCEmdg)ikM?D$cT+^Jy5DtUJg;Z+eC&;lcO_<@-_%jt`b&EyE&EtS9+^9yyJ zO0y!3#gYF)?v{V-{bQHsG+|YPblu$B>~v#i3#kBd(~K9*l=HQp_GIuODF>23{7kMC z7?;kF*r$NP8swdz9;BefppIB6PLwQz*e4?$DAUj0<+fcFiukk&t_5vSD#7rw%muRp z!VK&_X51mZ#Ij-=KC;QiMYstprh2}VMu|UI+Il7s{LwL zQBW3xw(;lwse8VEZVe@-eb6(-Gv6}^3YjeeV&3NcaLSC2z@~sQ1NYO~agO3bl-_h) zsS%4*svcx-G%UK7teEWYG4e7pDKu;jL(Z%w2y=_e4&uX{RZ#_K5X6fRCSNy^@yaw; 
z1#ZI8yb?Og5$i|2VD)!BXRe_b1k$Z3e6RT=Rz0fu*re;)ne0BR3bDNu?_!Er3@vJ0WA%?FPDxW=wwltAn(LnWL6T^rB=}GJSQ*r5zPNPS%KLwa zwE73a3jg3`tS35_f3Ne8{ln-x65ogt-i*q2cr$U4>QVbY?$+F*M?9%hh zAQnV~iInrJr_wDzRq#cQ;<*WWJg|X*_C2P_Mlu`r9)=BAFGf|ia3->sCokWCBxC99 zT#Jx50^f+hSqq#q*97-0;nA%25S{3pIoZu8)9m~;Q#cf#W(ajTkpo#c20YiIa)2RZ|u5Hw0N>v5@(h--8W>eH{b+}B)j~T z^|;&wkW+VMU1;dpa4ay<;*eWM#otFR(2Ibg@=kRn>5fLgMEUBT%-EyP4_|dYE8Uk? z)idDrGx#>9T45BXwI875BdKr{D$rZ^TM!i7pyBI7uZ*LKgTq%H^NX3SrW;KqKip_r zAT{WTeBlzB8f;dM?}xJ*YBd|SsY%caDqIW`T$D}g!6bWwiluEh0LQ2o)OX_1NoT!X zCW#&HgK9{;aQ|aV=h;r?3={7H#Sak^XRM`qvn!s6EgPq^<_FthULXbKQ;SL62d&17 z9awfdi)yE?Cp-8HEcBe;Qpd?>4BEg!KlB)&qC$oeI_|AO`sUV@56d0{Hnng>#GXZ-E) zYk?9|^h9)mmK*nLW1d7q_I;10xI{AL3%3fIKO-s*3)Hc~JI(~nMx+l&9Ny|4dn znfNQF@Jd3aAVf-*6D!Z{q9w}aizKq5WV@}q&>=7+rvfm@%s>>q`p3V!_c`Z& z3|Lzl3eR@!=a8p3kK(hJ9vL9%NwlXoP!XS& z_%+$QZ$&>c#|F8g-CaPAS9$`MmIS_yrn><+<4w_t@3CcMRfMj?Bz4>nA@C4 z?OJy-vwJ7fy9v)F&j z@GnA4&kFn)ZB@AfP? z{6-xKpLUKf8lNIU?sZPyMq=TqqQG;!$y0wyL}U^=5eJ3`A9;MVxF)=CYy@mND;Qy* z192VQbR0ZV2}nu7QWb3}wS)QP4nW3xJl;>ghRH{Ep(Mm%p#c2P;dpTym{y*^OZ`9| zSF7WzgUxndfZV;m*+$!a*l9OzIC#45!(mV7dE;@{(fpVJp9eXk!6e4Lx@h15tN)eD z)MNwJk03f$PQGO6)||!^oJz*(0x`Lq~lTGE^P#Xz2}ylP*R(|clp4*pm*_`4^mdJWZuWdIMMN)8+WzQLtm>= z$sht3!koxCcCAq5xQ%Q92dO-SBM>VMGRvel)@kh@Lh(0AAu0M&NPMkWV@!*C8yDD1 zdC|9Jixl?+af@V6yC;gD5va9-GXFnb``5&4M9EhsWJ0iJ-Kfw{`V1jP<|82t5;$@~IJ6^_?>L~5+cAzSK)nn;cBcl= z@h-pJm?TzmAoWac`@!|Wslpem)ky(PBpZ6BOmV(A7#h&JLH`TlfyLi69$0LRi+PP? 
z+~b(OKOUH+!9cFpr^N%aG#E(N+m?7>u@Mi@4)13m~R7vXH$={ zzQZD58~n4ojd>s?YnsgxTq6-7m^eh1o^!DHn zWuD1pmfrVPiCUx~2-TeJTWh)k?=S|#$teRP4~flFVQJrh31<;CZX2L>cvV_iN_DWP zkwiFRE0&jm&0K|atPqES)H@bpNpc$-Zy}oiL2yz7GZ!Iy1Uh&tVfd24^(fae9$1^# zAo;tft9K!in&2~nHgQXHe4y27aci}vyh2~gjylZ<-vx7LyBX{u-7Yp!#Fk&EZA0Jq zbyQ4+VC+;zxkfa;=VnWo=p=gReQI=wg#j;EfWv}<0{%1f;AN7_9y)}{@B?T&Gw72u z#hD%=%5;cz8??QHCcXMG(nbdf@X+T&dPBi0{BcbHrzzAP41~R>WmNmNtoR3bWRs5J zOQT2>_H=}x!kc0~w~TA9RPMdnp>VFBDLNT8$Oohkt>ojC4LKDhCgG$H*ScBPtGc9; zVcdY0wcOpN?)Oqj!1n4cXi)PDr{wI7ta7EDBlnfCI$_-|^H%iqH^uaNDGJ-ja?h^| z{|?2h?ROTa((F?YER``yt!m5o?#q`@yJ?$El*;jKcVlouuIsso)w9}(qWU)c;%i>S zaT{5u4RtuOsAR46clh(`Vo^afZk5G%^*#|WKGrI+DSDym+en$c&O?n`$KRj^6qvHe)Lg#b8c%cK)c} z!3k%k`-Kv8<8BJ|Ds^3XL(3&4#ckyeG?WtWuhg>5&O>|ras;djZpsMw9bbqFscYVq ztCi+Z!=>Pk>GYlY(aRbhi@hgacI`(_QT)J?L>nn5!G|vI4COlAcM98n(42;G$MnJV zD*QIafd{Xp6C&5~c4@i}JiR{R+)CL@Z?wSA{)x0CK;;v0qdWC)&KPx# zfCJ&(#%i-dlwPW_rIk^GxCD~}coetC6gP+{PdvjY3z}*{80kdBQBI-7=)uSvg5K-a zwAHG4!XTwrD%E$m^ zL|zQCpl{Wneu>q6p2rM~)iOS9A!cA4Bz@8;kzCz7DA^O?f=vV`g-sF;+;XdSZl=SS zK)p+3K2k1Q**a2CxEpi3OLJ!JLHirWgg&aJpHV-&XQ|KS(> z{EVW94r6yyED^u)BLf)?ICCqvIcgEO)4F7S+bC2Mi5}-?E!gJSdptHfcAJOd1$T~I zH?wsudP@3+yMv|e)O4kNuEB$#y>x_pvIi~FaJW5*yLVr>3GCfQqR4!hkYZpaIer7p z`G>^oQFJ^oyGRLvg_hXYf@<*VCGqAg*IH_r*@~M8or$3dJO+lLjGOKm088ZD!04l)$FsV?MnwCS}Q zuP(b(#$JWZlh{nFmFmUJ-lC^ZCMaw;`g6VBYDi-+>vfQ7pUJ!3BJMHGh@77!Pa_e0 zeG`=Zuz&8x>#pJpXkyPk&T7Ch@0=?oLoyN*AmiN$&D)AdNK|UoYUeQ>g=@nq-I-}& zcmU7Lof1geW1XW$tg%!YWw2Pk)tRgoTCX_TX*Q;dx=&-k-+&lnGQGhLdJso2BZ4^v z|4QKUEhwU?ky4Nf z@z%OAFQ_}7u@>jnsJ*Ft?ZGs&od%acLDA|!nDQHy&|7*%6_XZ1m;ayQcHIV1zV~f0gmwt(21w$$UP6UJ(I+SFXA)>2LLFY5|t!kuV0 zb3@@=)$S&L5>OE0gv~r}uCv`A_sA5@V(0^@t>^?g0mAhtK;?pMVby@)l@yj^_bO9^ ztWhzXL9W2wNe7fkDWczmsW23j9lOR1QQX0C?|u{y7`FY7Luu&8;gB;&6m@s=AD4^P;yNC-Qv?Gh-JrB7vN%p*LB4u)v+PBQpLdF`y4|RovAJL;Ps+sa) zYs>VG^Fx{nEK4QmXy5g5pavn z<6fS$%$>R-lxgm_WY|eFR=c!HG6MD;)^g8!-fiaENYut1Ye;FaST9XPD~9aeafts- zMjLH28)z5x)7ziCq z6HB`=v#>#qD&m=>B5EzVss3>*l$kH(b?9H#fY1UWM+-IYi28tfj7r};KxMw1dM^WO 
z0QmhXE5-O*%k)_`-bhAnn- z2oqH(QbbZwJ97{+)HnFxIunwx7osv0wxqiX-8P;u-|jtenkUPWVV3aM%>K${$A)zZ zHa4@^+5WErTce&xzkZpZsdqjdV>YN;brGoNJ`5o4wK+{?7G_!jQw4BHVistAjCAS@PJ0*eM5iNK z<)}1*qBySYm-z>#4~H9)bxSgNNSJl0m}|}#RgB|jWXER}9Y7!CWh~R|cwF9{C1J{iCXT9G4pZzln&|xS=eq?V09Jf<)Jy_R zX7<{*rp<>!K_;*iwd|4g71I;&4R{u{7DA=0+o-4T%!(9fVPOUYF{N%o$`54Q@#kzQ z*c043xkZ7ZMP|huG=2E^;6P{Emk@JT7c!c&|8kq8x^f!4&z4d0Nz*w*syQJEhj48* zYC~C{f_FJ&8jAsFRw`5&DOF8ytNUU#*RtrGkk#DIkB`M_aQ^1HnuoIV8Zk{6fz{MI z7bs6?T5=ksl&)MAK8v7{Gy zh^N(dvmWc{I^jU|P|wm^#GOq_iXD%!eg$h|uKM}w<8zcJdv)~k_}s5(oS$ZmI;9=} zgqk$3WxM-m&)2(KNnK~HWUZis>$0fxdU}0p{!s32_o%qYnRB%dZNc41%Shr%3ETNC z8n5IC#1d3#`!?R^yQ5HN$a|a8i8?RPCtfbvgu9#zU&YwVR2%jl=&YZ2!OD7%vScf}jJe_c&syZltt)qWbGw%$Z^{afd;+qZisk$*3&sypn+w@2s+Wq5D1GUZJO!2TS>qT8$!8;0( zfI9?^N91=b1EBrcw@=Ty7z0g`N;BWgL)=}3?C@ZW|2xbMzkE18{KG@{^XK=M8)NdV zSXE(xagG}l{=<-77?psE0sL`awu@Uh^k83C4|-EI6+U#Tk-4)+^2XTSPyM&gg`Z61 z0^NnVa1^+&csN58cQj&C)=JsW-Y$RtL-t!KQwaJjSub{)f45nG_2$9DgM))7*>B{7 zudAy4&5tthM-P9bceZYRbT9vCFO%P6H-6qWjMff~2$QByesqF;+3qDD{oxEBee~;o z6kkd|`{joRFF^#B{pN-Q-oNR#uD=fZ-_(e1i%)N_+`pgfbmmoki!pr&bd?+6H6zNw zXg`fYoQS4kxti!knV_s~1>V95|H6ax@8%f!550WkL@_OpS%KjzW2`;Jxz#qY3Rl;3 z^L>VqcxzEGBGqD{wFTpm#K4VKV2oM$MSdjlVffR{V3U4puO_k9OHU0u!IJuvWUU7?8r4R18%b=|EPK(KRa2HGB?@ch} z!}oB7r{7ZcOeMrw?Z;Zc$f>%S)@%|1wP4L70e*^u&3iz~)+8;k=pC~!4$XDOHike_ zCWk4Ka(~vHD}GmJ>c4X%Uv}i{*P(otdUVv`g1z)CspueOoy9ITt<5``V@azhx7wF& z5yn{jmfH|}TG31LP3fWd_<|GE9Tn7Yq0xs$6cf#ITHs)XKI!y}E7!j9DhmQ9bXtNU zGIZ!skyyL9O&2g!*I*WFy3e;yVp>6C#ZFD6c4)B16}hn2YpP?KS%j8(aq?v6>rt~# z96$Vg^NViSJG*W_Obg15o|iE(Umk3}d0k#z$FB-R*nMf_j_J+5_&V{>{!K0+pZZ;J zb6CgwJB-(|FCT}GUjAja{25d9{9m5Ex@&^cX8jbsJUM@Q{NlyYtK-wRzor8tC#Iq(60@;b{elXD{vI^a?s;-vkIUQreG)QJ;(Kc8Df-f|Wm?{GC8%=eIMagk= z?GX{G_0tqP=!1D)f_r03GS8K0ho0=A(8tM@N$KhCLixrh#KT1gc2|7xtO6|9sNbD_ z9`qofA7e-EM@(nx-IdaSlT}sC@1AG`QZqir(E6PE9}u%}sH~S5=$^I)Bgn34cKCA5 z3Tmtq%`lu4R3sSF&DElGJGSyhgx<)Q5!fxxiY%QOEa6L(s_zUo!mn4AGB;}sAK%L@g8HkL()c`@QUreo;^OuUVd#5Rn=2+#Nzg09%f1! 
z-JNIzx~ry5Gi@2~XPNGM79jIAPG!Z$08*krU$MJKCy)X;D5|8aXyl0V8j!dI=#Ysf zpS|GpZ;ZgwG1!+P(GbQV#?2rGdWv}|<$ zWOHuCqsju(yhP<}nhQubS!$MZ#85vNhmeNHokd$RTWVvW+z&SCE#xSAoTIlRQJl=J zc>(n)EwkQME$sURV_?4WXaErV3G;ROqC#2vuugZWrGyscPs&1Mg}CmRsspL{Q68fVc?tb3MV#LOxolbqS#+Uq)(ioFJA zO|P5ncZi*J9Q7cu1>7bEmENuY&9IA;8%`FxpVvzqmH(a<2#qJZO;{D8-6s02bW4aj ze%D00BjN$e4a8}aNl|C?!`%Xr%38K`m`RGLLVtePe{NmIPfx^aF@89H)Hw>=8DeHx z*YcVb3woRJN@UtdG!^Mkh2}y*RPLQlgC57Uqix9v(RZ)yF6OLEhc^4}}}n!73Ff0igV1CO+f)m^<46q*;7auJC9@$wQLoQeAu zv{DXe1?&ZXKxO*I?d2(F0s60ofaO7Vrzt6_{EKCI2cH?Mq@TX#dfhU6lW!4{JCOkNW*$;=Att{d;G;TU^WIbVD>r^9Mr!-uo*CK#R$?vJE&A z#lSNsg}0Qa7GqIg@rHcNZR1)M$RccPUJ>%#a4fHh^{Zd7bm+hu!7fG}(k35OZNgsFfz%SRv zJAUpuX*jPc-%+PZCabC;(&*BlZL%zr=!72K*+pVv#8CFWIpn!+xa`)v-OSxNqb``Rma z1Z@y8q%TP`gvZG;$t68Hd?;G3&cdWdstgNAmFg2#O(%U>NuD*7-T(YgY3g^sOQuux zbIEeyN#43V1iC+~yzA?`lhYSRZ;sD{>g8caN{nug!ttl2#HX}!m~e&8&r5G9ujDC-;XvQU%C(mhbDm6fGMnjCE5vW2u)4uk6rocl z#Pi*PH{Ld70l1sHmam0fP5dgjVV}lzBg7t+0KR{p?r33N@nF%!+Y%*+MnFXChk<^I z4=X@6HnuUHqEXEO8({?WfX+u6{Yx{X59S z4TsW9`mTarRgOaz!gBR~C8L8-4L_v(9VmK&CgZMp@zvwI7b9bEZqeUvaUdC+v4+!C zId}Td+|*7{t&GlPY`L)jy&^rRx{zB>BPdK+1=JCrgLy&gg5!ZdR9cQfq}^R){580$ zqRxcP2lztcVsxCoO02&PEbVQUhy(6Z!*6-IM;{UppQDqaZk0bjc$DqB zg}f+dZfJWLBOp(^CyJ8Fj`6O$@*f`@;?jJK=Zz|qwwW*cOV_5f`uN}>=jQRj=h^Nz zPNX9OM<)VlEa7m3XgP9dcxEd5){eCXHZ zORrAf96u5Ng3O*wYdC()MmK&ZG|D{w0%o0$G=6WX5+T1oVt~@}2Y7`3E?N2R-5W1> z2WZ<&Zmz4cnRrI`@4r1gF?b~UNF*h%`lEBbjNO^cWNhJA8l^QDWx%*9c!tCeh8R2|;PDR4!^|WoX3MC!TX>u-zgFWz93%_^Jjoav=zlv26_ATk zG@rMxL2VkG40!`b97CL)2VcFZHw_y#T<4H`fukura+}ey_SG z^+@9Hh9^rdBs!raDZ_~Asdx12-r;|7_=R_X($bEGntsjP~ zu1Qt)WH9(h|B7m+nMz*S6i)9oog{t>fIT6vp}}oi^rC3}cKCT~D`w^TdiaM&f0VCGudCI)-_RApvnxx+EyOp2e5cTbu~v-3b{FeH zxqme_NbU~%pklX}u zvPfM~p*#=#?NJ3ASvg_?a8xl3D&Sz4>~Dza%pfvGomNa_OjZR%9y&io);BM3Wk)veq5AebmN<`@}n-4_~}w z7hYM`!-GE;wVU>;>Ex;RYV?S2;;t?HPMSr2fdJKXmdnIcZ(0r$waIpN7fmtU6GflC zqh*1@cIy@ay;+&Zp!t%8d=Q*%L^MdO*xPjOFq1PY(*cX7BWc@WHyvPZuDq)aHH3^WT%~3kdtInAfa|LQQSmuBaCIfXZ zCSmc9AEIzfPTPK4W1+?yp(#B!Dzx=sxk`d#l^auw-Gb3 
z5-ff5>TUK?qK^VLpzjvp`!KCOUW_s9qNqh{l2Me=19_~Kthn~ojWBZIQ3=w?U|piRrPTzh(hRR%B3GbWejupK$C(gqWd=f znnw(wBScFm90iuQ-ra1Da^uGAjgn05Byx%J`RhIl(WXU|Q{BC+_N5 zluQs%4`($+k5jQpP{DB6vm9yDf+wubvc*(L_pTEH(&bqPtJ|ByvgjgAZV zG+wfx)aABJtZd7VWk>Udsi{)#M5q>SSE1;TrjQy%#%=+qxgE9+>qRfx8-2}uPjN8U zI{X;DGc6{14Nfkq*)5#Iu93Ax!s8obY9-a&O`TaXDztNV$>(kE=9+~w!mWy_g_$xC z28`#X&x#ItLE8Ii`PAsj~7Gl-ZVUS6nP`gN^wuLdD_U@#u&V%<17W*-#{5g zp4XJlD^620$gSw4+b(6G=>sS7V~+tX=mTn3)jfK{lJZZg|2R#Wv_9@5cKNoudSO0?!5wYel8hv z-g>i4E?y&zYRH`t3(p?Ww-TSxyj1!}-CBWkokTCuL=2*oT`G36m27a~`&7<0;R)0w z>P2IFW8;E=d(`y^p3!G$UrSHnIg=gcx$fA=uBV?w)k^%-dUaL1v+FNftKg0f`Z|>& zMEAv6)vC8p2DGmO0_NXM;*^1Bf4fSE$f7#FI{dB>;x*XyQg}!6qNjXVnyT?>)n=Rbss_vp(;BYci-g3hFFvR5hb$cX(NjLU1mNI zJad}0G$NOSv>^GbK1QS19h*m~Lk0aiRHE`Zl-k-tyd!AxjFE@%^-D=f*We*5?qG6d z<8ZFEs*x#TP}iHd16qlcQ3~BR+y>*=e-w6D8@6_|QRJ2E?7O;mnam5Y!h9wT6IJ-Us7xUTrT!k)Idv1PIZf)znr5$s5n@xyHQ+-qZJ zLA~ne;2}a4=T1jx8U=Xgh%yL-mG;l+&Xbxolp za)?5f>`YosA*R?8q=wYH-FVQhsECc;H9pTtP^!0wQD)ip3u_dr3bX6LeeHhjWT|4l z_Oj#GuO}z3zB_tx@@xX?@~EJ)SuY@I3I>S}EzT=qmHjD=$$sw8fDAi;Yc0d2rv3xH zS7Q5T&+NybObEF=cYM!U3`qQ}tFi4i$V0_pyy=Iz=Icpg;UmFp3) zIdboAIqvzKNS-LulDWN^C7CGu5#(m7y7V-;V8L=wCbBdaHj3$BSZ1_1(oJUE#G;Yr z;r{h#S0?F6N*#0^@1eWQN!&jd&zByq&)T?Xn{x7>W z9vpr`Pw~yDpC30cYd-r-y}@hYeFt_NWT-IIJoOU(6gs zWNhLrHP4CM@n3tENccDQU5j*cn7Ae{VlVoF@(G8Z_|nLKmS&-*03Q#IHYc>NC|Ra1 zXAPzrNPJn`B)|`gb2+mFb~Ndr_3Bq{RR5?@s!Z3W{bX-moXZa$TpVs}kH4LQlJL^g zaRZ}@LnM+jC35yWTlRr4U4s}uBV7@=Z7x+X9x(0%)+b)0PD6+iLFC>Oyp<4YkTozbXc&*&BCR5~XNl_3igO#b0BcI3L`g&equACR!COj&M zokhWmvRg_Go%9}9!4|}a#bhTMjEmkf^P=}?1ii#G9pti`D>&+)I-i@O@K`v`m`&Iy zq;ACIypc2x8up_*Z=qU z=^HEue*gXJlQ+i`_tWX?Y!@q&=5;uucuzkn0z6n=o@vONlZD?Byh}L3DD<8#ZhH9y zCz4ux-ebS@#(~R+cX--?R+1<-wq`u8kNwC-!6UD?<-EnWU5wVpH>?XFIp*YDoN*6s z!N1uY{CzYsuQ%;b%AUKuFgt0!cVE1A!+4ETr8P`(1r0(Xa=%>C&C%0LA|+1&5ADhW zQq6?Rr-Ph~SBS`R;1@$MB44d;C&g`X;X2TC^MC?wkJI}t9?p*S;cOSNfImJuc)SPY zUg|#@y--@}3IM6aS|SN^0=)%}@6(`wx?-8>UIU4$jy(!p7VHWAkJ?t)-MD#>#eRD-rGX_xgr>ED#uFL|r6 
zI)ID(ojsjdpV-9`rB<^SsF+wQOmASUG!g;`XzTd=2>ddrs_xmvg}e3WeS+vtPeD+; z`iD_53_3U1q;Mdh(uBGV*&z!|BN!^q3JG1(7Ln~7^Z5I;+^V9_+R0nts7f;-i8j*f zBvNocZvDu7uSD{$ox_7{H$@MEl7R(D@KI1(2vlc2&sU8vp&t2P29kHHwD9{*Uu%d? zZiW#>sdqbcq=3Kk8>M-%Qe^o&)mdz6%mv5ice z_7{?QSbdRtS-;HNF2vkd7!SW4e5OjnpE3#f0I%Dak!J^FQ_3l0x;dFi-Md6R_l%CD z^OtAL^u$L!xxAK$GKn1-32shYBkCU&?ydmFlXg%bC^)g5X?a13(7kEnO#s`HVMw)0 zw2xVJQQU5HK^9vx*6fqY^fj%RccreaPLg^9c+HVm3g zTJ8p2h6IdPWSv7R?=iA0wUv`ht2KOJw}>w{sD42I*2TJk+TbrPv1*1Fl{2<)hMUK^ znOBB4RU8yrnM(pzPI3xq$`}(O^tERSWR`{EwVQYbg-Xw>qp~lh4=Lq`+tcS;%m6L= zOpF2@zL#?Buvorfdlb17QG{Q!7l?0?(7r+`2P{{#Z#zEbMr>@II-4?LOZkMG?JmP) zAVsdW-fHS>P`<4rds)SdwFOzcP_WFNN zO9KQ7000080Mc-TSe(BT^zw}X0Dm|I051Ru0CQ)QhFLZD)HZNvrY-Mv_ zVPtJ-ZZC6jb!lW@b~RsNb#!PhV{dL|Ra6B40nL{VX6(KDciYI3Kl(HES0I|rm6Ro^ zhwYh(HqN=SEN65_uSjwxS!b39BtZ!g2`~U?nYnxa_gkNObT>dyvL};G&YrK6u_dyf z)z#JYuCF>joSYqBo}Wawm(k7d-=DsXUiH7(_^Q);;?Krc)Zq3$EhGAWb)Q7ze6*M) zSru1lo<)-D9{cHicsU72T>*Y>A;5zXRd^q7|SQI$v2Jb$2J zf>qt;vm~0wcQiUp^q4-RwruMD?&$aYaZbM$^;JH%lJIL9bme=V{ayUm=h_|fZcaYM zv-vbBJ;3WAEAR8iGJ3q%t&NjOyqH!cZ{=fLr1^q+q(w5S(vKLWb05#=Nd}M%lYSJP zPNF4&YMf_VRg@*k7~hQU{eT=7z1gpU>`5Zt3F7vOWduVa5!PNtJ>CO;|NagA@_jnZc~jf_dj~K1yK)ELp5xo|qN_5eEG0pQv)4jM8`t(p|(Ox+NhZD=>qXfF8ag zo+W7a%*epzm9hKL&7vsyg=SQ5jONv`FGHD8Z=d(BsC#PYOY9w@c*EQ`|pDGNfPtG{S zk^%j2C-Rt1dL^*|iM(k_uNS4f;WK(&8oRIY0YtqMX0XsmCMo4|Mf8WB!QUKTUc5cM zJ-xj6t$v6<{eGWdd$*VpVy_z=jkL=LdKHqN(EUg4LrY92%KIb{1_S&myd-j#@l@!A zKIFtxq?65Vw27vhg2tOX$R>?3!)+rNRm*w8Tc;CFizt80n2!P4m%;%g#5vMaWNW3q z>sBk+cX4@pau^+Dyu=<2;ed*zW_i_kuCbjmVYcIAI$p@}>M8K@c46i`ful0jmVw-ke|cuJw^Pk3odp8BTH_IzQ>u$X*iS3Fbvk6sV+IG~*s2 zLJQ3P?f=y_16;cQk8ayM1{GD#kGP2fe1%W~ZAv^QE-3ZhPWpHKuJEV(`tL!P$V$XK z06{>$zxV#m$|St0&zpuirepdvouo<81vf%e5qwbAfKjB&pcT;MFLv;<{gqFYH(i2c z)Q6@MQ*PE~E|cP8Is*34^(Su07OtN+phNSwExb7hjevfU--h1>t%R^tc#mGD7l*lN z+%H@mWvR~cJ9-jlM4N+C_aCkvEXxRSwv34N8DXc3s-&50$5ZRdq~Dlm;!*K!UM#x| zu4dy1{Aqm}y4Syy*+r7T-R4_fyJbA`9B&*!hQ`)D4wNz2^>IuR<#um}z>{S9s1d81 zm9a3n<2;cYzf3A(m+1{lvV3uO4~CVOhem)~tc)KB1PNXNWhmrB7KXs%;vqCCK}5a$ 
zA<2Y9#2@2y%5S2IfGYLj-L6Qwb=VWEQ6@UV>kVc$To`2Lc#79^3E=tB35f)8h9vCi z_LwZrW@*JttpPO(fL5|tPsbs${fMt5$!yzn-wEW#DjO1(zt|CSE<=#aGsP+d{){aw zgy40iCE+A+vA23#J3u5JN`%emB4@eLP>#=Gm_YDldB$YA+oRtdM#BQ&B;KP~4oLdQ z$HIfNAfp^Z>W|cOrpAf)UeIuFg_$Qp9YLz~qce5k!GFFn6JoxK!7QHtj6*69G$0|2 zWVZVOt$OtE^Nl~vN5b+I$zwrc+klA59dSZG-wd{JLZxXkxKFE}Z|HGW4nDpdOwyvn zsMpCXXZ;5a$<$A;Mh3An1F?5}=v-ym3Ji2b_o@Q7hCBK8;wCzR5Dd2Ec?6m#Nih%> zl2^b4Q@Cx>Xg{YdA19}YZa=MEHuWLb{*Gw*mLVe~uVAa2L9`yObdD6K^OJ6b% z_xZwkrYRxNV3ZVirJ=L>!a1qqPnwZ9>@S;%I(*qglWBZce%Tz{<;!N#u3t8f{`+M! zkyu}f`tct$(>-x%aWT4I63xr!;1Jf%6|)pD5GKkoy&;7V;-Rxb3WCPhG{UB{^S!`V zJx%ZLbl~-C8ckJSAPoo9CzJ!BiO#dC$fw3RP=h;uoS&SQZpHjFCPlL+ro`8uF=2X_ z>(M`o=Dy)tHCfIFNuZuG=MJkiM1+_9Pl88PSa;5vj>~D zG>n;z`MW`pL|Zo8Rud3k0*8bEN(VZC?Pm=93!Zaco!p45^-=_yDV24$z=7x47Vb2D z9@5^%Phtyoe2fd5n(u_u$tbgcIe8gG69`(w;bYbmf=6_IdUF#oHF%P#m{fGRh$0Oh z)A5@3*9J23!f?zn<-`o4*3p!a$ zr^`CisJi>-DB$F;<0k!AZj=>|Y%!DTPb&Z#-9_(y|MmjJHTvamkFa4CZS}mLn=qY& z3JAV@;l$7g5DpU_F@1+Npp=FD<_i}>w>q6IW&@Ga2Jv`Y45}hcN{{LcL|QvdZU&clROg;!4OL(hl_#E=(1!_DK7Xs9P|+hRWE+fM6d zrTiMy3oxz?&se;z@&b26)Po{!%joEpLh&s2r6-qDOq~Qq;1`|HsGYOBNkpTt6*PRk zWq3p)Ol`3HbULOcpK~J#sjw4bD*ygNaAQ4r3V077`7=_tZWiKLjh2g|fGvJiTvUts zbJ8;_I|j3)y3fb$a~w^l5kKgWwqipxsE(*|0u$e7(3ig@MLrlVCKJZ1_2e(3R{kbaG$H_ z63_wmEMeend8uQoZZ-PM;Z@c6GYx-v1*6za^zQN+HVpdYDNm^{{uAsVFCOI0xDeX` zkz7{utk?&NXj2<+vU!JoW;GC6SM(oDJ$r}nw~59v-Mefvn&so9OHg>AH+7L^z_m?2 z@u+tJ3mi-)`_hFrY3-R5(n%*R3(=vYZM~c@ie4OQmy7is%4j?7C;cww;c0fvRmeW* zMhP8}!b278NnA{qtm0*jxKj$t3^Foq5*n+`1?*^&)$tTiQifOvv0bK}`r%_KN`WH1 z1%%vQxS1~o@r0H2OV!K1FX>rY{U)lLm&(^y``xR9E)1h1VqwbH$NSx5{$0%43Ek`c z!+iqZe2zmJCehjJ-e3u?m_oO_oc36pMHMT{f4_!HzJK? zFyTJkqk;_^FWHrXSDW-;b{8uu?R$qnWUmKuPy`Jh)3L+wAti4lhr>DC=L8OF|2H8cnBa%{^C7szUM%r+Jy7dT zp8a<|na~tJ=rh0`5#^##CkWhtLclQAAtD)q?T^lWGX#&fsiSVH14X?#j4Rhi=WN(A zD**i=buFCo>mYkszI24GeR6Gg=qJ~+b2ESW|`LckTs z1GouXo)Jk*N1L`oIH8D{CYtBdbhM1NhYMWZc|K?T0H|@1MKT_wLpdlg2x+Aj^fTf! 
z3qD%)Q>$qC@S}t6&K<3AKw>VO&)wM$71ddX>7ShtzrD-JJgJ&HEc_bO&b=oE&VTYBW{2unGj=C+r=W@x!eM#6XSf z(h6kJk-fwZn=TtbV>;DR%*o+RgvGs=Fo8de&V)k1TSjrB(kDFrn5RHhxq;Bv z;0#W8FZvZKq^WmnC8!aosb_+TEaTP<2qB^CoFvjtjgbzSEwVQ6JJAcR5~EIjsF7zKFU= zd&rIrkGm{iM(U8Ky+a`^foraMQP3cwqyXALEN}{KPmZ09-|?GJ*?a`4AXx_soyzTZ zuRJq-V|M6e*xl00$5=|+qm`R4;C;AH9)XXs3m0@CZbcgMGq)v;>naz^2#Q-k{ z&=IvxIB_I>{4~)AjScwGIhExFky_};#AT^IZDf-IiRXl0;)HEpQ6fX9UhHQ3yzs6v zEMX3OUxwK?~bE`ulK+4#)}=%s1k8a zE1}^gWDnyq9XU|p8RbtbB0*LFCC1WkrYnp!wVi>DF5y|91mLdiT!aHWLpG%YAAW&H z0>UK534EXx)FsALO)H^!A8{k%cueflV~Mlp7iOFiw>$#-46%!&O87>O^1BQ!^B$C7 zbSBKz+tQ)mz(R$=;!W?UFF797MWujX2r%LI-oS~uLF?GttX<}452pExN_;&rkocVl z2=(4y3PakCILzv@1;Ep_E{+W@O)U8g8P@lU3XdLhzVx&3`tB{{SKbr1ess*5ZRe&o zi{bWW4rLRSr{J&kF%Dt|3P+)UZ~c>ggh(fhVL>}Y=Ga?qB7P^)eKMVc$eQ2QB6A}! z;N*M3%mnY2faFT_?bJgB4GF)gKQc-JN@i#p5~;j2Avg(S&N;6B2-!9p2f$%sIiqP~ zDBucv^Agg=WA(IUmuEC4V#~&C!WTwj`fi#NhZ2d0qssrvf^Lhk9ussU|1*){yX2F2 zottlz9KtWpE`N7=;oKJkWpowassEbZ3ggb;D0fdgO<>DlD%sdiC@YH}8{Eg?jJ80? z3-6+_ZUuA@A2fBrb4Ai?%$FsPG=xB5MB|A^l6gCu)&r_xV?f|r_P{QKpnvi7 z!T5fHS&?Els_~3DWP|0O`$U#3oHR?6!brwuxEQK-6-{rCuXazbysEj%vCFlKjabj{ z?Os>VI2_pYTR__@_Wpui6eqA1jJMT|w%mYQOvkn=Uhfvu(A9h6^-Tcz>({S|-*!)~ zn159iGWyq#s1>)~RC2c&jb>x$Jn_ihDBD=p{CMs0cGw;)BQNxQezWu;fy|$+C7DcX zaQcgkxgJm@M|`2rH{Ml8h6?4Wc*u8RAuD%}#`Lay$5g9Srntk;9*I*V196a+5;ax2 zu*L>L7X0sUhHU22f>)f6uR3;MGR%HK381v9W^O~q|nKZ5wqk7Xcpf~f)D!0sKv z!4UvFbeLhp5T;Oe+}e07%P8qS5eId8B@s8^jg-6b6A5m})l0IEX_04O&$>eA;RuAG z2I-ugPUtAuFHXW*61kC(7FpR;{5w%>aduHb4G1iu6wxLcY!bsm-5!j})0hl-yp(Y% zQMGhy*b`S36Z{6}Wg=TL$6TDCds|gP86|pHpt}A9646VSqk^q-I3=uDql`|k7<&XR zN_c36QzFemT~;YG-XvwaNv5WEcRPLn3rL+9Cw6>@22&=CAddAb@{JMqR&vdoOa;67 zIU%&*Fe?ikAUxn77LKPWiCQxn(i&%MwDxo_W#_>|0# zD`;z4x{2G6E_&148#dJ%kx!h%!v|IJzP|V|`jC#N3I7oKOk5zGt@DA9b3vqw-NDqi?#YaA>9`sQp$Gq0q(H}iQQ+FGSFrq`Nz1)G#hH!$O zl}FGertuuq&&s_j&!b6VOgtYk3v|@uF-{%+%)}YgVxBrA=*FW5_-N3qo=`@#8SzdQ z-AJh+Un~J&`X3~Aremm4@1XJ0^rn7HW4fo?=)XfeYz6Cz35w_s`{k5%JM5`S7rK06 
z|G^_*XD0LthvsZMbST8qX`J^1!9yKy(B(9kouR&WMZTExjyV3FNhl*2v(%ZX*4ZN>wUM}*si>?5Q7{d@-6gfLCRYLfMGBWF_>$}5a!bF+Yu;<<>BeyI9n1ajl z62wNiq3u6?OJZ6w9jmaGXQ2SKOE-2-NF<3dYD&S5InsK64PhslrBaxepqUCJjTI&- zZpynS#sGQ@Tu0TO>dZ2up3|{EBax87hx06zapJ6&f*m3Y6adUz8C>yknnC5FT&0+3 z1p+;TKzN@#ZCgQ%Rr17*$MRYUDEb@<1cT%<9)^~-f^8o!CZrVoVr9Ajmvrpi$9IF)+$4WOeFXAF4#7#bp z*rA^70i8fiu0wZO^KU$hu$1(zB1FvdZrV#h5(Mkvf_r6OMbjAgH4`qK_WWYQr86kS z7^%^U&%poOF*y7uUowXejvx|9+qZ8byu6H`()j8Ir@hCdEzShpnC70o99TZv313j}~ zP$x7}m5ZSSa0=@lZq~QrUgA?Wb`F{}wI@EB_C<~pN0XVchWjd&w8&D0I={VyJ5UOM zFxA&>7$&jxEj*hkd)2aPJ|K0sRu(z}VGgmVvwXZDI?Re^5Y@YTdF}PB0hI`_`w1q@ zaGS4t*|J7PR2@|uv+jrv)9Xv5RXB4s?8Zat=Q0umKv6=GsT|PY-|bNtO>^fN>sy=O zMn{*;+;9??Oma$g@zxs|y@>CUfcH~JYAo$; zVLm~Q`h<%QV)HxOr#F{08Xa+OzZ)H2?H|0_XI(n4d&k}~Hqg?GT?NKd#)ik-4W}tG zxZ@LBGc7z1JzP;<0@^~XL+gr5F~hbB!WwpUb=%uEG>DBHd}ices5KMxa3Gn(CNpWbE5KkQWE(isUQSww6mkh3 zMlq(F8^0gO3gB{5e*jLp?M7Y6sD0KCSy}?U>~VdcBK_AyJe8+tlD{ z^UB!%Cptmh?7XO6?0serw#G)U_Ew;nRkVYjJRzm0!(9fE zoOfnb;|^lia#8_xWw}6KX;Im7PhH&xJQ8$$cvlkffs@&5JO>z21_L)6J5QY3+cW0o z3yuUEEAizMdICg1xhLU~&J`reae~WJ|AIR0H?DmvFg|U;QUqC{;ppN*km2dV7$XFW z)}CQrYj7aAb%lt7`pWV`h zYq4n(pB1gZ-B;eOzjE5_2B2 zkudOV@#dfj**2Z=f_*wGWl#@ZeJ%NYP5 zX3!rG#yycR+8w-%A(C}H^^$?$NyDkDld+|*$;XRPqH0X~(fqaaDnX&!wySK7hW*TLw7tbz{4U;j%e+Gw`A-ONkqpaISc{`Gj1`ba# zEN`R4J6V{KqEn>&^s0d~@xdag8&>~a}pOO!8mH<)Fp&I1!7745=$J<-Y|iDo+*xd z2G-oqHpX$sz|^DOQ4Mok2zjL_+)>S4O{fw&Wh+=hDw9I5g?a>X z>Qq?J!+ffq4VHHk-tdv88&ek{m%Bm-IGU>$x8^X-dLj5ak_MnGh%x7D`@a_1YaSG$oT_CK5tlU=%SMSN*EiLwn7yM&?~ z01TIXw=844en~y$pqQOg_`s(v+@7JtFW(;B9!YaFaXeiR+U2+jDURT?nlnah0nZRU zZY$qX*Ml;F%&xj-btc^w%Xw$h=26$PO_E+=$z-Q<9Y-~idgZ*~rM^sFf0!cKLEmZo z%{<2&fhvvi)H7NDx==+aTWSRU{5>B@BCAgL)5ID0Vn(_tm7 zfyeF|s+h*aAN3H*PXXI65BAgwK)blPIjgDuS<&vYe5+3>Bkee`QChCe`{C5%$ z?w)T~ynq+|!Tax+Y}pgn^V-9ppMl1}qoY*b%;&dOw%jrIz@7~*&!acXNDup$sL?lw zlQX&2e7H?2O@u7IFe|1q0Wwwq-~d1P#%?mX;~|0e-mYkb?)>D0kpdT+h0zmKu%8 zab{D4{EE|F&D$+?S=PkXpF-0`GLon?gzq%xH&O5m2`qo!%WJ^yFA!R;| 
zzU--@+AXrT@07T5Mpm^U8QtetV?2655SuR9C25Gm_(*s!d*&o?YM2Twf^%Qxf(`8c z+=jk0Y@rjSd4TMO&mv#wy=`K$Mbj{%i60&7{fnep6d6*d@UQg*D3{;wo?Kt=zWGk| z1{+AOJ{E4rYF*G%7$(>V*b-O&g2xKOVOEI)YbBnb4cbD7d@ZM732ClXsS!{Ih$mK} z02Isyz5ISd?e^dqDz!5~5J&QRPGMzi5bb=Wty5lTr)Hlw-=WKqR9Il1jdMdr`G`@; zF-{f$sX1&_c!_PB!j-wQ2R;iwTxCoXwWV`!$vspbF+PMw)iWHw1n5~J*?LMTX05$H zlB+uxo>u2AD;vk|R1Kog0>2h+Q53?=Vs3L-p9!UA<9!`8b9UctOvTM#hq-*!Wlcwz zftuVUuRG`R0|MRQBWM&w4H@DL#EK$+@eya@_;g~}a+k9+lBAs?Ym1ixtS|5)1ByGm zw^*GBB!f14G)MA|mYY**tvg&Er)41&>JNa)d&aWTl3?LmYE-(p(=ezwfe}AG`{_ z(=j;TkhZh(dHN7rw&-EfU^Zp5^a$eh#WP6XN$QS_y=@rgwVF}U_NJKL?A4S9?az@C z*kz+RjrHfCKow7@_n#Lhg8yS7S+q8g7%c1_nxTT|Hm4w95<>)}k+GojXAV4#{+vky zM}*&6-al$~EU10v?g4H3?GoE3!gb=7dyPX%% zWz#)m0h=V>sN@0;Rm}++jmZyOiX2R=E4FesxD51GU0ObQJ7LT%Ia+<3f`*oeQ&J1Px-RcSFV&TCC*e+5{_VNOif`Qf->tc0-sbFIi3lIgc=C{_QAN^5OR%w- zVS1^+y_a>~YTgD@hBFeWrI3$GoVIw2QlnH_N;H1Qe=BARjX(`D(gZG4Jl^){mG;#_ z84^9`o(V~($tqHP@@mW3c6B$TMpBMwK9jME2;r;)aUld1u=EQ=m zazwUz@pMiXgf4VJ^umo5Rv+Yp_{^37W)BR9*k!7G9;*9T1fOe^n!XooIQOE2&`z~m z!LxmAW)0ggK1ud~s9}sc(BQV@G=Qk5s9fCfz`47kf z_#@{{dnSP23Lnc4M+{a#YO*N!p$OuS86>~LAHG_*f4VxkiH`nobb5C5=IkWmZzL^c zK z^y#qve~@FB`-R5Q(Li9fXr1hyBS9RRVge7Wr5BLfT+g#v+UgL;ofi)r9DkN(i%;F? zCZD37VK@4LC|>?ZKfEiFnsGNdN?}`dVGGNbxOp z(kvrVV|X6s^y=eF?OTsoDH02R{@iolbqv%q$Z*TW&o@XBGA7 zJy%96iu#j0?-M5+AUkKDEKLmQYQcG-TJ*lQzRJGV9>4M}qrOd`YtrZf$xX!rei--8!%-b zg@TRPbV&1SYjHEbBK9f-jD4zS=){xi8j&Y-+bwGdvJrm%@n8mU4D|qF9ISJ`og3 zn?~V)(TsSkl!|K`O@d(kK+km^)H;uojMGoA92#BD_KTV^7r+>kd

>7)DXPl(-h6bTHgS@}nlYq0Q}nx&+lV8Q!zF}8LagDMVK@bwxco;4dwbD~z5VFb z-d-Uj* zdr0!d#$D(pSkk!||z&^{}~C*5Lxc zR$m5g6|Q;pK~VQ7w`LibURfCJ9bbi(SkU#!@86$ZpS+D!+cp<9E_9I@d?LB`D$(}| zRG(e)N&?z7>(>1JjAJXwS1t8xBL|$*_1c?fFj&kbvqu=U74F@biTEKYP5%tRP;EW7 z9j9t}0#u^@v>tV7=?6=L-5RZxW>%=DC*PMN62V9yQW3YCt8eq`xwX&HlAT zi0h4J`M=_D)T3q^Pex~#43iZV-qi<#Xyk#W{&I4Wsd3%;Qzx2F?as#3)~wGhYYVWc zFcCG5PX2g%a(!`h)&!f6MdBmORYJ2R?D~*!pH8u45@Fn77!a#!t(|Aq^>q5*-FiM< z4J_fg%32}?$w($@vmjX#9v6$alA{dt;JQmOQJb^X3O2Qf2ia^sPzUU4X>`F~xT9$0 zO9Xd`XS)_NQNPrii}R~UC~iY|V8-|`gdMK|bI%vUDG33MWyq(i4^;dKZ?sQkB+3TM zY{BWoD-MrxiIao|)b-9@r1r4}zmYM2+weyyBcv{;#gzB(qOa{sj$eZ1pi$HmGZsF{ zBTYGtGtu=w_TE_*mEJoi8^PklZB4;wX=Ee;c8gjoOc?s1M{M*Lz(P`|24!iGz%b1$ z`oA#LuLH!ZE@?`qeia$DJpff+MKgf85K{Akhl|{dr_IOJ5f2A+=N*CWnvunyel6$=VV7KBNP@%qM2p!45GPfwLqFs zph;ZJN{yzIP0|wfCG9gCt{IS)6lWFV1-#rqtKaBkS7ovo=RE_zzVSYu=M8IHyxXUB z7pSzmU$lh+T&kaWiKbUvrdzd2W{&t$FC5mjHz&r2V3^eLgYd2`BbjyaKPgvL* zo*C*VBSCnr5LC`Y{^^O71W*zI_;a6O_vb$Dz!T5}txy^%P1V zb?uiT#rmhRmL#uPl%iNn6UjX-`G4F)?VEEGHN?q>es^N@=Q6rlO~U%~BvN!%xy)98 z|6?!-OLKVi4??4I9UeK42oBmG$ex@#8X=OMQ5XVdI%Ua2Y$1ynKobI3Ca*?cAJgwm z!6s2PbxvSn5H=D7il}Q%-7M!JYwb#5t@+(R1WFKmVhpt#GA+$d`|ZW<@$TjB@x|`h z?#-?E;i(f1ZTj-`?K%jK;-9?ESRIiO5`*h;eDt#}_=z)TCh=LZ+ZukEvcL`K2=s8- z76AI?iUgPTzeR%_vmbNdmEXEHG<$Yg>#WV}S?yh*Fcx!uGP(~<^}Yq(K#hP;anmr5 zF;3%57nTX5W1ldnb0KSL&Qjb7FmL!PIJ1?V8m>v9CGiP z zCqhG68aI^akj=oYc+*E3SyuQ-?sO7<=qC>G@2{KG?r8dm#ZAp0q2{Jba$M;IOuyg&F-(oB-j_3}dmJp=mc^<7t{@Zi=8UAk!(n2v?V`Qn zGvaXS%&<`-P_`v~Cx;Vi4uKu*^h@p)1dP_{l}8C@hW45R89@UST#`78A~ThN6y6cN zh6e|0o3(4nNp#`!)k7GA->VK`cixTh@8KX8%q_0s@`XY;pBf-q1}8x_ueh|&tdvqt z=5Fp**>a~*V7hHI2?`2QgL6d;R(3o?MAnfBH@Q%V8i|`uopTx%>uJL_C)aYG)t-|S z^QVWuM)3qk?U5PEIUKUpVzvyhQo}}Kuc3MTB(HCerki_?xi>DDqC&t|m;11Kd?TK_ zneLLeER}(QysY-{7bA#f7GEB^{C_lsTul**|G$&Uj_eNfxr115P!@E&5kRz47lqR6 zs&Kecd&Sj-VKm*_Gv|kZ=+v5u!@_8~&k3{EkMzfIRm~0Ga9XaerAUApQa!7~?H@Mx zn2c?gObm2aQMfBv#sDM2ddaJ;b!{%iCs3%Lw}drdb)3SFQ`Gxd3vAGj5l`_|(1i{WUdfvdVlc@<&xd=(uo9iuEYyUHq8h~R6)!4un&gkYp7ps=e!=b4kdC1w?~)GqS!?(O 
z+?LvVuj38WbomoGi>G?8Fctp_tc5JNSLHoR?!hYQAfx|rm_goSi&Xf{=kZ+}7XOlA z13bqGOcp4l*uut?rX)51jvEoFLbH-un;L-y0P4}q0c1b-RdJQ(IouUrzrQ{+46A3O zfOGC_u0fgQ^bP&;MP$M#Gh}$!OBYM`EAB?LE zR3=k#W1H0A*`ibPFd1k9QFdUnpIVOE_t+|fmMuQhH?HV|YsU22VP;aMhwfpnUEWEe z+djEDg)}ZgzV!>Vr#)-=%s|!^A<~FSEmO;VtzeCA&u&`Ovf}F6lZ@!kE%um`a7vMY zGMG_}(Sg^jXPifKKj?Sx7x2!_=!C{@q%>@N8n%VAN4@2&*7W=;y1u<-Wg9%uqwR~N zdi!Q){Qz;9`Tq0^k&K~h?Pk&RBSA}V`e5yi10p{qYrv=Sp~mO4If?M;-R)HXL4AwN zCg+S;oEB0n^x`7vHZW~0E10sY$|8pX8OsoUNx{S}XxYEixWgXr!CTztbBLa>u6av1 z{?zvAhhnpk<8}OCwcB%U`r`WKi7v0(yh3pGUHOTIf-bHJ1Dmed=F^up?Bx2?FR-4+ zVXf^wD+U@xPPQ#lX~*{!9b0>6&9kw#_tDu&OGlp)XS(b;6S&LyK$6u-;Mp#JN_z1} z;0ynQ9?m;{adA>af0^VwtB>+Wex+Fw0+ougwAu-ou)I6EX}HrzYRoPuBN;x9o)kv4>T--vqUFDc|j{MshLc9X@vF5D&UfSc+`E~904+w`5zUc@>)v9>|FUSac*tA>qI zWhKGdrj8oN$t=&*nb43V_odFdehm0>Vp&{f){al}n8aaUe>V>s81@69>-q9b=6=gl zU+~OpQ11CIG7m^yjWMkTP~$~`E^pQOp_wlr$b7(^YqISh*fkfQ*Qr}1nZqE6A<*#T z`1UaPNKjk9XnKpZ$o0#fWQ5*lsi+xxDo>}k^-vo%=(E#BU`4%k)=9@3;u<2sL+QNT z@JRxhyCtMt)H`*LE?J$#^0<5mtgz8QdH3$DlDnhmHDT~RW5>Y`{@IRS@NX}74A;Fw zl>;uIbL8McP&ruh6$wT!SM|SKA=n5I!zpFQY}+=-J~paB&e9zFn8Y=WH9#w|myc;% z+!77>%)ue{{tFIGGot)F=O&B$Y3KF^=QfncxuG81@P+*P?8&{cxoLpm!J4mL&_MsQ zC#RmqOe8xZ=Z{<|j$$6|{rYfk@9x4 zN?qsbK7GA3`Y$;!66kjE$n?O6|C@FEOZ+iLmbrP=@c2SU&blj}+q<87zUjYVw?Wn` z1{lE*+MX=FL)JeIeL~6&dL8mX@Eh0lQL-i4vqZ&S&F&OkKUeJwnVL47U$^Krt>Uve zg)^qITR6{cMa-cZi;f_YiW@l{KR4Po&TR*-y4F}m5ieHn;Tu%FP$l}t20(dpb2gB? zQyeYz^5qNpIG!Zo=ilyiI^ti@`t`v+zMic4mIk%nWov_Pc=Wq`j?4?~<8zD0IBg$b zfA8Q`@9S5uUc91K2oAbK9$5JQbEEb#{hoTWyIIw~^l!iArIlrG?dD(oT6Ry^jI>tm zJNV|CZ_tRbnps#L&Lv%wTVkv8aA)T;&fml)TtY?5gcO2%gSYo{g{qb2g4a` zgH$>2y^F=jheB#W{JLFu;iImuFaP)_7x~r?^XQ7NGj6x@SdKMsGK$(mQ6F2TVqN71 zlC^W1JhmQSf`yulU8zISR=9k@>{GlHvv!&>W%`vc50-Pw1qLYl(AAt>jb@Dqf|bVg zorVfRX=w>QYxSMLH|EoX6RZ{zr6lYP?925LH@@nGf`}8sRlUKe0R!@#B~{WW9SJ+? 
zxkYqNE6Kepbr;!hh-+Gi)~z0Y0dvq|t|=Hz{VHzWQpP9Enmr&hkvwOqAJru3BJ5pS z8dtwS)E@;r(^ph}fLLw#uH{LTu53Spv!nz;*PuUCp;22r*BWL zk8V%tC(YJ~RGN54j56aQKUx`t;1U}4<5sip1UjdgUgdC4KF|M@H~<%|86*hV_)3fK zSeCo?aeTRN4SGPocIdcNs=|_R!hB9^!pShTe08pxvEhWqz4niUoLoS&U8>mBr;7J_ z0x_(Emf72&5aTP7I@bqTKw6tiy^bCgCG@%n#G*0;DLpQ1aOPBCL0(V6RW)9z?UW5v z8i?~w4Mg)rF^8IsIx{0}`m9DNL?*VyND_5(`c<}=(?GMp4rY|*QN*t*kqpc%vADE6 z&Km)_*xz2<$a*d_2??t`BAOvg@)+SZw_}N zJGnkiwyX6oCJ-sj7Lp20jI9~8f0A~1LsE&;@Ge1g#NKZjVJr>-F57$@JndZz4dN&X z@f>8!U=@~QVW&{t7N(bU_F6$e7U?Xg%cN2Q#mn^9ks)2@j!+uTiUhi9WvV~Y*SnU3 zFvfesWRbdamgh^xd&hq}V)@!NkfOgz@V^PP%6Hozvr^D?~v~d5C$A zI7^(Pd)HU8RUtwH^~ndeIJNXc9ms~;)-Pp>0VY`6o91l&PFw?p%(Q;5nMnWV-^2gI z?);ClJAn>LVJrp+)lV>m-9PxIzeoRb8kpH~z_0W`GZ;8R+UF1YIv}!pp-Ve6qFlF| z>e-g{S!>+W8X|1mk*nk$W+HFJ{Z5|!cRqm&?y-eQhh83Q2naRjWG3y)-wBK|4G-Ja z(Ik9$>J-ZTpcaco+)MgVF6&gZ1h@lvZLO@M^Hy8+2b9NBtY?2qio74)MI}C08dB|_u6nps9u`_Eiu9wFTtmcLWhp>7T%X^##+&rR(e=gY1p(+i z3kb%JXf}Fqr?B{uWP=Sei+S(-%v>-pCWS>DK9ur|G=16g$r?aekdkW5$aXqF+Xr_ihuxY_8wsrDI7Ju3bIngSUt7eBh2JjZ5j z>3D(5MOx`Y?JG8Q>Q071Hona)SFGAJB*}>dFH$Lz=OPyyY}Wsb#^Hz`RlmbbbP%-z z3SP`0s$hf5uZVepMt`eWHuU5i_tAEuve#T+bY2=58z*x+`A{;#LLlh!-#1-#L*k1G zseUEQVJ%AF>C^@JdaGLRWCdMh#HX-CE1qIDm2_*^a5~|tC&uhG22=-A6Rn!VGSSQF z_)EIrHUuZvx(BC-{! 
zpk7)DCir*ABs9WZo{y1$EaspwuorZWo0eB|Q%i~KU4d+8K z0ornx8HBUDqGoXP%>8Oml9w^mNV)(@K()U*seM6HU8&Jm#BR-{g%hq86B4_|4;w*( zFd{+pxLA3r-9=gKPSfEoAIUC%Imkw3ET-e#q#Eg0W?3#*2eXRI(W{p4e7-s)FxtoA zE=Y_6gw9bh;`odWcRXF2(b|bzNI}aI*Ea|K{jVW(?H;_8zM`X}2du2O*x%dhxnB-m zz2eq@-fGiVzTvNb&Fx6qEa_>4a?qtl?WIvQ*^frwMzgPxTqheP)yF9RE7&*w?FGbY zT*rIRoWI0#7&Z7CtTLI!cNwdTOJ)b@uVRX#g;6{yIB)GNo~8)Up?~lt+ysmGfk+5{ z5TjgIMUNy=mwXv7W(lv9)(4h^z8Dj&@v9}$Q7winYSOhICBr;_;9uZ2NRkXKeVmqv zKjcrrU=}gZ!u=}0O^T?@;`xYPasI~rG7+QeeO|;!aYqNwdH|$zIlukkyLTiVAL0mJ z(%*FAtCtW*-Gct>J`T>gw&!Qsx|3{a=TEu5i`)Z?~2R)$JX>q&th7(2K$a7-i{#aSE=#n_U zacc-^j6+WcMuEZfR z*H#sYq#mBZ*<4Acgmy{tW;e9gnvpM;^>dO>FTDIyy%K){+s3snBwcAh4_yK~4yh3q zU+YkJB?$~?QR*7+tQ9a|H@tp#9R2#m{*L89m8=R{ctX9P7+l`1LK3>W&>EopEJa?| z(S5FksMP*#^(&;_hSombkbbh!>8dyx=KC!DM2z#NMCCUw6lsmm2?_4g7z_@gR*-1koh zOA5Slt4EUD`;zxZ-totT7_@42!|>Ll@3d&;z2gmgD4%1=OTEF*ILGi?%_FGPhgQL7 zpynOcQ0QZcRdz!+G+)HPKqseN1n!_&loSP0f2x_5jol?K*Jd~pM>Eg4>K}_BxvZkU z8HE8CS>D*6KQrsipiDlEr0@!W%PtSyx<^|*=MI;H-~j!xLZL!21f~YM6Jc%GmKYqK z^XdQ|Yw}wuf~Zvrrc1sCmiz|^)9T}3zfWz@ITe<9uqd8`y859s%_)Q9PJNtbT!I)` zQB!EjI9IG_GV`j zq{rYAm~-C6sEEsZ%V~d-ArQ!WO2~BV`3L_SxS=UBV*{Ld2l1)!!7Y3*Te151@e=1# zcDV_cEIcF7kI+KaJ*P!G?H#5NZ74V`R~?0wdbP6HT|HPeg7adnI>-!;>YD%KxRzPs zon%H$CHA$Ac-@@-=SlSb;`H`L$hFeyl%2I(d+hH;=WiM&=nJ=&QcNGU2O`e~i_E>G zE~ua`hG?XIJq1LMfhUJh+!}b#3D;R&9yF|`Vn!^!fNu-G^5kQMz^bsUIPj;}?<#sD6u~jSBX{SrG7wxurkRr+lIl$c3a6 znJ&A{m>{klc_9$%gf-d}uw0UI+2$jAX+lTW{k!==>Dw3R~@nep89;mIz1+V zQ-Bhw$2isU)|ICBlc=JKHYv1Nw*So3>mZ|RNV7mEC17Ga>@}=)Hbj%AHLZp~Rt;}n4hHjJ+=!DDD+4j5g??D%t zs9JR5!Z=8y3nl$7-)3kNZr#fUhwWPpNv$8*QrnWA@*_>N#)C@tNb7a-Qz?7u`z%;N z8-4i`j9STCz*L=vJuwbN{3{ibBD!#DZd4x#nWH=++xXjYDdrOK z>zSz#BiMyz>{(^L|N5O(`ZT&=Nv_tRUYPK-o|hJbNHPGIX)pDWlJUnlo$}?u%2|AITG4nwu76ii&LvZ z9ps;L$-E!1g5j`*F7n2^e$!aYN+Ti#k>ph;8Zb>qY2~9TR!_CAU}Z^#8L-CF5MqfT_w|JH=PHum=y#7AAyyC!8`lR=B{%LqZDWl8rLWdn@m_H!A=*Q@TM%hB< z=V(vR&%?DX_WK9@7yXy(8Yt?PIV7#1Bxoq)vI2v(o|#XMBF7%!ovN7N8z8FUWsv)@ zF}#MAt6P=S9N@Yrhaz)v3hi!WyHoE1`lhQ7c@QP!z7stst7mln*pHB-bS%(ZdRexX 
zVakt=hX8wiKu4(t65oZM%bfMX4;%x5c{F!9GBdJuDV2iFaZ7Jj;Vq?HrV9w>y-Imr z*>X+E#L8^-L$wUEzC0|~QyM2`uW<^;$2fB-x!7ILl4bGD;9wXv+ly&bN>fx%G&Cd3z+I&`>q7PcGc^es0D(;b-PSbmh2LEaL`kYPaiXJZ#O z?Y?AHzYK6r@N(j^7xGN6!RtM}>Yc?)I**H^+qw=2^%p*}UJKW%V`8{DjCzd$tKm8q zSBG#Q$NO8Z5bewzf8UlP;a+YnXKA+hWI3EsaMDKy`&3fsn;u@r2+ZT`*%H zw0ez4TauNZuu?|B&QXAfyDkBR93l|YT9@Ut2Z>n(SG=vwT$@1_5mz?=guTnFb7i|N z)}&3P6exu>EqkZqMJ^;gU`>VuggG^|8f)sAWwK`2Wn^lr`p*XZ6uB?q_u-~SASxGu zV!cBdx*Q-XG&m3yn$&=JB-q`??vI&*W*Yy9x_xyyDDG-XYL<*?nWCLFCaBX z?~ZPd&O~~b5&s}DkS@WyEl;B@?IT{2!RI4p?)*W4$e~-j2ZLkuK5!Vc4a&Qys1ZhY zOJ8-0p{o<3SJ|)4`TFAG^QQGloR#tFbo5>RDRYys){D!YU@8xGB*l`_N%&Z(2B3z} zeWegM9@AE;N0TK&=ahbL>4!r`r4ufBFXp0-8N#u&)7x*z( zINZZ+>;-i?$`7x9BN-xo%VJCC?ULRUM8Cj@F2xctpej+rp7zdgw@`sDZb`^sEE@Zj zhZEFMm<)bs$Lc1K2zf=pE4M`;j$?%B-f%Zxnjl<{8Uv8c*zH$nb1l3hDIZISr>l@9gsv}oj-jc`s;w>m!*lP!|ixaTs7i!vZu zo}E#cf~|Am;OvuX$l?Qsz;S6+F88et)KWcG6DK*G8VjayZSTP>nGGb70xaLJVJjB` zJmM*)Nyk?P*ERwBDVjWbKi8i3t!mMSm-e)8B|;h(gvW( z%kwuXbe-K0(+qrWvR2i!P&4` zxAoodJ^C&o@@jO=G=L2h5GE$JTJhf}OG#ov<8ikM-OUB(qm%MWv3g?T8Ia4m5YsCp z+&j;ob7CqdO4gH7sec6KV|R?veV$4#E*5hHX0Od}*1t@^uS+^kK-Ls{ye9@Cgh!6L zuu`V6oUkR5tkn^!-;`1)d1lZQgbyKFTf^_N1-`5;K@nPtL}W`Yh^jb-Lq~NzZL?#N zcah8!D~HD^$xW(V!A$WLOrgOBG7F#T;Bv&0Ki|If1o*XF+nTyvq$n+-ZkXxR16pjW zNu^|Q@thfJ_y7_8Fg}aK%N*BN==u{kExZo^jk^x<%7vI0=|`Lx$Tferav4kzfeT`q zFUpm@gjc}MLPZqM8Tw8j&1Jcm@yRIv&X8x8nP+dTkt62paS7oBYzQ{s_B~3Gc>Hze zIG=LzWHZN@JG5u#rKQR89QK1EmiD>1QAQ_kzjL2SGQmhW3$cF&chTJ|aleD-vwdW# z;UYfAfZt6507IESCZugsHje?Jhud@sARDMes3l4Fb zfwgx9Z&VT&nrzt_@Zu>Vw#{k9$l zPxUwmdfX7>d3G{*``zIEjXZ1$Qmy*gEGr%GdSPpn*vkR)-DD2!HzI!sJ9lO;&Zo{$#dR$EjCc}OcuxyLp6 z1g$5l3KvNY+C;TxLn5lc<(g=O*Mye#lGYaP2quvlct7ez7%uMEcRenU7`C>ia&dPj z#o6huZ{EknY|7b#=&tEK3tPWQxQG+q+_*BgWXSxbIR@1RuL|);#VeR|^`0soJ-7$P zxHr4e$n|o3`$yD*92f^Z&PNM>e>pp&$~8rz@!M4rSc_fa!BPCW^R7WpD@|s^`miGx zqx5JDeP}Q1I@Cp^d7^2{nMz1*&{;)wQ{OXkoB06EqhNFYL2*$I9dl1`sP%4nuB0FO;u1Vb`;6X9fZr>(r zJj!X5jKq%GL$iSlv1#_CeqCb%9)xvPGQ2VjP82qd!9*!j$8_p`>ZN6*a3@IXz_|u2 
z1OEygjAC>Br9X6}_U*~p(VtG<4vya63dlQe^K8pk9Ba7+(kv+CDgi`r_M(@eN;!Zg zC{-ryooXbm3vTAE;rN?mywi8fJHEVldkTB=(OIxWE2Y;)+RWKQUnS|_q!f*H5^Z1D zD;|oUlwP8aJ!(3E2#PL_L_UOvg|r4YI$hScX1U$87KsV^#*3ZY+|afL*C&pl5Wou) z#4&36Ru>5!Tt7O2?Z_K{q>lz^aFTB}Ab{@?JyEF%-*iq-0;K03nA`-kNSs6158abL zX}d}T>mv^6!Co_}744|KB7qFq@@`0FgF1B*O#(etA71B^$&V&!ihF4849ew_Zt5($ z)p%!m8J#TwM{)V?U2WJb?`89h0B?>yj+eQ(x(N6gFfe179--1Qg@1VYv|{AzP5}Do z^sTETX|8_etu5ZNP2Gn-+#bx3v{hCJ{3KRT@-m-P_0WSU28W7q@5U-RQ!*^AJ({J}HI?jkDtvQ$ogi^I5g%aWXNu zrM~77Ot%iPws(H}K62lSy2Mi`+E%ACg&X|k4Gfv6sR7%k8rsHrv~3Y59yi%%Oro(n zx{Tz+~V`kYX$}+PqWKzU;py1xXta(HvV}}}e)JcW=vV_3`I)jNPf!9A!&+2Sg%Ell7 z9+_>6c&u6!a0l$5m#}8sIB93|C=)r`c678?m6o~{oY0oHl@hZ+7u!XD#=h7xd)7GR z3Y*jd%cbMS#OPL&d$##Au4+Cm*f+`DnrbwENRoLBZ;KDF)A2Ov@`Ut`bfJIF7nRUI zm5mT6;ySRnmN2@ZXLy2rL(39&*>U+F(jv7A4=Kmev4&gAqF`hx=d__l(V=st2X_pqB9dfkn;9luXQtJaizFM&aVOsJRvIgcTFdo>e0Q^a48&D{lq+{0tnT>seobkZ zm1NJHJ3?=R3;(kMKU(#tR_4d885c7tdW3Kby~Ri6gTW7>sX52Pi_(>@okRnerw{teZR2E;U`}=$Fn2)?>bVqlJCel2`7W&(h1;c=vgB;S?QS>^F`7YN zx}4#_)0rxYS48qWm?%Pda-}-?S}Ui_;&Bx zy}AQsS@)ofq7Ui(@W;>z(y4Ppy}+Efr{}yQpY)AvWT>Nq-~<97wai$d^3Kg!?UqKz z1agKDYmxOf#$rmp34EK8+XR|U4N_ztIjt6IWS3Pn9S2Kw9NhS-vtpc%^_b0NaGX2- z&m~CE6m{BS*3GS6-hox`_EcbAoYpsv0_gIOmeJ=(8b7 ztIb*Ro%5>=QXJM7?>(WV&Lc~^Gz@cM_4^u7S64fiQz(p8|D{)B;#`WfRjZe9-Rpym z(`};$S4PwV&ov=TQ`}a;<0u?5dz4mTG3* zQIA_1$UDclTIW&LI0~+t#9Ibg)+K4_5*dZ7J`OpwRCK2j!#SJNNbIA5)QXU_9}`wl z@RL1G=F=R5|3WgYtP!nrHPtJMa+JqsME-mAP^Mge60G0Ki!ASCy#hg>& zowu#VT;xj9E$|&@U#B1zlVC_!*Cp((%_?9+%RaHPB7FswDKKGlLsAQ+ zaBb&Vy3ue-w4rO2zIY(7?{gvS?83>UUt>LH3EHIP%u1T@{+LBku)hm@Q~R}o;Tw$# z2(>M{q&q(9#ynr1@u3bPZU@R0=y!6|0gPP58DX7Ve9pL*iFR#JtVw(AQM#YyP%SBt ztbm1jO^XQmb9qh+-B}J%&hX>ctB%w@!&9`K_7fsSCp)}oQ>VtYigk=R-;pkY&u+U|%`@MH>?y)f|4lXI2R z)u2Nc$CeuS7X=Pgs}9IC)IY)pnTCaTWsoY{_0rOf{HTU6sSI+|;(Dx;xw6l7Cu1&b zF?WrH{?Png576zv?RZCsr?7nX1v?+_gsMhQmR9(^$SUB4?j9rayjB5T0|(532#@ho zd?M088d(`sxy$TXIkP?6Ytav85BgCzSg zK{kPEu4nOF;=e$na54wh%F@SMMG{B>@&Gp-7`vP<=K9_7!OL%60=?zOSAx;>%Zr1r 
z_q^ESRykafaAeL`^s0}*1v3)&2%+*(m6*$6v_~Huyn3ajhc}gMYON6XICG_EK2`(FF^VRF6b+kYbOyl_6q<0YPS=IF8lQ({g4US^^QX zljDnslQq8B|N2{3G2q~ZTwxKwCAcasN-NHoWRk0t6(d7bd?}ew#?U-qB^VX+3jnX2 zHBQtsNDo#EJ9f?|U9Aq2&sonTzHh7)-q2FI7z9FW-)AITpEhSLiO_eIuJLCO2#1_C z;=n#mqE;6-EKen5^xhLxqCWrsA{x=y*m?@F(r_Jpz$H+**EzeET+LMkMPo(&nwNtK z4iWF((gTB4@R6nxG-Ee3LXQQGEd%}rjR`OPNdM>h{~XuPUERui?EOJH-wG$A@ay8b@eW?4rJDs`$7tC{{HsU|c`f;6?o zgQ5!}`YnJ|Nz6}XJ9t?9)swORE~*l&@n3}X;1zu)@1bqi5tpC(eqdNDPARALuYgY6 z!J*U7@=&dA^k+k?V731|#A?~!ddzBV{4>8>{K<$E+DIM2ao+HA#5BT$OC-jW9Ylafs#>^H9|u+Zr*jTuG~M)(Pj15*mXPc; z9_eka1C#wMVp$EVVoPX~0ye)gmk>08S|ycWK_8M!GM_@EkXq*|9c)-aaOc$p+K@6)SyZg*XEcjI*FP@YhuHx8~f zU4P7@;EZU5H#@zNvzG17B?h4(Y81kFs+^Y>%^8qbhP~&D%7dGaEMq-J@2MiF`P=*r>|#? z*wiw9{8E~fZ`lV3wZGKA(iGbn=u&aAZ zLypjBDIGpGyrv6TaVj5GpJztwx@Hb>ORLz17;>UChTb93`Qi!IlMUN4b#dP zi160lhQ)8{2}y=a_eE7ptryl{r+fF`jB$-WfoC+R3=oO^BUgo9iE?9X>fNW+YkExI zX^s;|Bei}I`*7a7U27F2->cr~KDFXgRxXK)Pf1^Kv0OW$?<)<%uBd&)os^$zbd^=2 z5u4cK2g!jtLY-;#bQNDD4Toi}tcUhaMA*h1-~gE&E8rvjjFk#_DA>EyFVNmU3=G_m zK0bOj^~@IIwu%t7+r<7Xa7I!#%%8e*-auEL$B`exXXdz7dQ*=^(Pcd(1rq3LlX7e?ck(oj!$+*GsuG0Lj!i?`4 zEJ+(ylXE&X2rvXfffH@RkoH;r;;Lviuav3lHR@JZ7970Pj3Bh*}1~G6c@2hyl`~0Mx&Rd`V3*5>fq=t9VHu?yWlEbk_ zo*hs$4k_%4RZCy_6KxCo|Kt$Dlq&uqEtuV9yQ)}yuP01dkFHpcI4kzTq8liYZPWOU zWx|z|B0K$tE>jYkmbp(wBfQ5n9Xf+Jo#Pp`z$(Jn^0z^S;H z*3VY0Nz?VpwF7O)O1|}E8W|ZvBTh(31Z`r9($|Kba)LA+3p@J2!p^P~2g9SB(GE)ZU=@F`GudRlLu2`VCL#JY4*TSX;V_mdenbU$MSA@@SCImhDeLx$HJ*| zJ|6I8dgdI@JyM?99e0-Z#9vT2XsHToDX3g=Gt~@@ODNyVvbrx8!3K*&-!Q$ZVT7S2 zVR8A^{%M6d_3DdaNLAjxmZWB8$>;DBJKDi6JM=6+UV51H9^%t z5#lua(3s?Sm!+=mf2J{g=H#fcg*=he9Moup&>1wy0xfkwt(I4qzf*H|a&F&f8zFPF z&n+$cP%Sx85d5FFLItUcz%wn1?EwVLlcKtW$>;BHZhIUMVeE!<$V7Dz9eln2wG+Dc zU-l1P97dbBwm$K<5H{}rXYbvc;>eC|@xPl-Q3nSB_;xpX%#3GbNpTUN5qA(^Kpy*! 
zCy1iEfU=sZK3&y9`0?F;d#%jekLpGbd*pM@{n-(=XXvV3`LbS{Nn!+Y9pUbisKgcUt@kkpI;ixQ7Jkq=?=M1x2FK+3=-cTI%zgej1|SJ zPDc#P`Pr{2JPE&$LL3|M*4^}WjU-dMjZ8>nmNBKD+ei-JjP_Hf3lUBk+34*5P~U&4 z@LM>TqR+RrRd^tKmG^J43W%_&ldWl%z5Lzo;n0ubIIy=iOFAtK1hC*N&se*w?GbH2 zPJT;!_YW%RmR-Nec7`z$IdV6X-Ay&SnKx6XbbuWqRp8eQM`%$pNUJ>^KNoq}khGG|>f|!We zosrACp82bB@p@bSp@0JK?w{=KoZ03S=Z0&2 zRsy)YzU&TmN{i+z(rPv3i-q zIhvIh;{V$D{ocT-liv*{9ndZ!Ztfx_4yhiUCv6CvBU|GB8&tHscU ztYh`)N&1p01Z86>xlo0sQ&Jjqsq}k_*69`i_ZI7+2S|u&9CI0CbV1$q9k5#BN4W14L&;i!PVQ4o$zyJt@9-63_z) zT^CN?I#n^eiId#kCAb>(&wI696~=*K#eW5u3~SO(U~;KWb7WEqUe?+ zuoQBW%AAcO+S0|f7C}qYNwvsAe&$ElEEn0jTX{K~S62yVqxvGhoM{keT+8-fB0iN| zHMt5AN+oj#H&k*_S-)B3LAdkEw3oLy?nkQLAT+Y%_;r}K=$(zfqKp8kCARb;t8k2w zfc?d*47HOcIE3^JgdjuDNP#Tvi#hd@ntGrjo;lcCAX?jM>n$11R+ry&+fK+LXK_sa zW{1r3$iTqbZCYtk&y8K}jK?N$zozQ9=^RWHCyTUarn$_P6TJRw$X%7$bvPVy1eS+R znk=E*Qd%^b9}72B19g-=dpJDw<9B~&O>4ZjzzE_wJ(LKf_Ia+tgz9}=#;5Ev1m%T5 z3};0j9u6M_wxNE;vJVf3kMKX@M6{+bx>HR>H}Xp3gujQ$RaeK83Tk#%%Iz8|4*z4U zuKzXsssCmu#ee=w8A?B&qEucJvWWXQN_#zJ`u?=ty5={+>HiZu!B48r!m--}G!jnR z8Szh_H=$%IR5$1C?eMCayGx1=&YQfN=aVh{%XND*`IUWZpx;t6%*b5-Nj6uiWJOwN z;`10BbCb&+`;ao)O=x*zQY z)GU&4E))LC_&7d+;GASszEGI)ri@lG5OI(ypR;X-@6 zN3XZ{XDT+dsuoBfjLe?AS72EcUwCY1(Jd+;G*y)aK)ErjBqqJH^!^y>;VtRjNz$UH!)XFz zn!;$%lN1=Eu>uT+meCSbJ^-@D_1fYU)~Cl#NhMtAmWu4XpbR%2;lsBiGo;CqYBqAtIT-etV&g1Y|ReO zOg?dD$oP)LSwPD$-$Gde%^8M7Ee-P|b!!%@sK|JI(py?K#+;Br)Z68MiE~WfufVqK zYaB>p^s#qpYa7dRI!EdyNQjN&g4v}IaDqc@qzaYQ=0UzqW*BX!%nh6YUXSSyx_`WI zyf&R78ncJGc*K>f1eV#Xu2Y4g?_EeJeKk-Bb5asXro@U0nFmR$oP3hNVWlcGeePEH z`d=k;@GXJIT|slczDe|7tI~5%O*7Zf@9CikZ%dTWmy$`WD=q0F#8GsI`{1c-N!}EM zyVSq)!*sKBoj>g3e;(Ss)5#-zbrWgyJR4B|KCIFix z2D)-e1vU`qLK6odW=MKt4Me9Z&;|o8Al$*z`RuB&Vq&Rck8jYS7*{^BI8&He$%SJM z7f-CuxrhMrs1}Wh1#2W!MxKixg!{nO{h3TdwQ79AcqSqm#K+>AWXwe7SHefGAtjg; zwL0pTdN#8BN(jn7w9{GL_KRyGNvohba@_%nm|X4)m4?fRN{;qu9x<1aJxCls5mvZN zAEQy4kk?gnBB(AD$=K47S8p-A+vgJrWoyzomn8qTlt0Lu%u(Ce<{w_yzkR9k3e) zSum41AOukD1nc3FIXGJX0Y)%$=bb7r%{NWEzvXkP* 
z2PDxwYEQtcsjm;8UX^aFCYKfxY5eUg)tqsg7VsnFs-O@+uje{AOH`)d_I78@X~Efv z6oaN}VtL<2g~$S|l3$mnWR*OrA`{Kz5&b?@9DFBp+e=zQ1L4&vs&W}@2BvN0>#N6~ zQ9q=PQ?ZC*ta5>JuN_$(VT(uP&b&fDw|5RYbl>TusKm)+N)~Y09+J%nui&z=(%6W< zC_r1A0Pf^Tq>-As*pDdfqd(G8b#3Wr4T<)vOt}%BNI7o+J{ebz68wwzbfpUbR?!`; zW$m#IqV$Od^*~vlH(@?GC)kIcQQ=|+n%8rIletbld7|kC!Zi}T6KjyVl>Tc=ev2E9 zf4w5XXkGY z&raT)p6%^==(b7Mdm z_QfOgHj|l_*q(j(#>Snee+W3Pz+@YkKgzx!^UN=$3$E{ARhed1yi%FZ>H508i9 zC$l~_Q&op5E6MNVwDVL4)DxxPN=(nvIm+(5N`fK|QIZ_b`H?VdI?iR)UZTp}l42Vl zXs8lqwk~xUe%|FHhe;0Zl~azV&9cMkF96gkU$X6oYLSqMlFev3$FjCQbg!)-Z70U> zFZSxw*7jZCFnrGSV#}$NO3U^!RBH#O@n^9b-Au#5w zZ_;%^?fmyG_TT*$a|Y*aJsYE_>XkdSUmC=raN0c6@5yS?IfLoK;$W_jfqJz zv%8QE_pX@Sg&I)4_u(4Gs0g;9e0NhPLvnvA3?G~`v$phFVFkKk-mG*@#pdu3m zK<|OveuO#)%Xfn!SF@A7gY7eSP_wh6Z0`?ednbq6nqY8pw);hKt)p4{g|?v5alzY+ zk0iSgvp6xtcw9ng zNY14H26P6-b_llO8)nSsZc) zIKjgoy6RrttzIz0|=3lCF z&nrJtyEebAvJGjXzOniXKXqqowpKgYHZ1^j&aOneCAN%71ddy(x-ySgcIl2HN5@z%|Z zyOGgv%+76}m>@bBWS~_D`(P-&vT`b;cHfpKQj%$de?!>+4W+mnZA(S+zaHhB* zQ~|Y9LVY$_Mm@?$IU&BFw`)q+GqTdW;rP0(88(8SL7yQ=2fx(-WipoJ3<(Z|_0~P} zfQ+xGSfVsa5K1Ot2IRq~jggg{t)PEAa91r9&*|T=Di(e+kSAy66^-~Fs^8?v%;e_0Hl0juPsOqJ{#W?+c9!be^tGa=A-hX z$}WLx5hKGqx?d~X4aSLV3ewnEI~PtJizDk*Q*?X7kgfZ7{#hXQO79U)HzsAy@T|QDA>#Jw~V(t1f^%@=cx$kb+?1^~2Z&cY&Z992Z{ha+oMF#(boI&q_ z3dK}G;D|>pQj(pW9Y}m|M7}O+Spqm#_P=zU-F$rW08ck;OFyS=aoZ_In1RQT#j$+1 zWRD(v_3ekvqhz>WMnAY`6+cZmh~k9*Ru2BH9Q<23`2VGH;9e5E+34<>-^yWog{v1X zz9r(rZ7e<0QRkV80V{Db0TtA?CrZyAxZlP;6-2z33k^niQ9G+qH`B7r52H9@m#MX} z4W4TUoC-%k%g=<+e0(2Zf@K$OoOpHzEX3yOL?@ch$E(PYbR!Z7w7qMRtNrm z{b|b+F)Lvr7m76 zy;g%Zh)sIGKDa1mmuZ8pjSuUC*{5iO^viuvAI$z~Z7?WBA5se!b%bT=VLYv(ESlr( z$5;D1ud?lzFX50rd$pGx?(Kj7>c!DXcDi@q{su78_QCf@C;MlwUVk}9T;L3b45_^{ z$^70V4`7Jox^(kC8(rV^Ju!gzdX)JfVjuRI_6XV#X*LiZ%#r?s-owq$3m`y+fqvqD zgl`hNU#Q$Mu_!hcg{}=e9qW720S(g5T{%`y!FI_(gQUGOmS=U1lylaQ0DvJBh zb;y|PdIz8M&0s<4RcCkhUvhfs`YaJ;a)H_vLP7`?OKZQ}Kk5D| zy#P}{tiOO_b48M@!PHoX+|?n0dn81BXb})1m`P}Rq7*l0{>+GqMs1yoVDIo_pgEmN 
z1av+fYX-95S)&7|G>*7<|E!htL9^pcpv|sOnMP-d^b@T323(5Ik}V3+~$=put21Y2`ScD|LWUEzu}9~ zS8!P<7%?d9vR4}xfW5f^OcFMPt&gRzc&0MXD@++Q^doy#PsY^u!U)j~q_TO=b;+CB zcr^SPa<0f{Zimk{qc)sC7)@qr3&~c(p;G`0yVqzEF-*3dgOf<7mSF}AwFe>aJ?wUT zD(=7j=_6l1Iz0Ge`l)aVmV7OfA*EwvqCWntQvSa0iM2xlv4fL_pXV|4)L1Rj@W(=! zsXjDHoZ~kq-|xjew2vEMy?tBx!a0BJLOe1#`l6+2`g#+~z~uY^M;fNXW5_YlsUoHeq`7YTUZ2yp>qsysP;8Fj)R+adB|G29^sy)(}0%X%^nwFk@Dc6Hj3j=i3zrQN; z3_eoPE(6VUN5d3f#j1X9RTW05Fz5E|R1>qE4hV^{DuY?I8%$iGk=n}lrD0D7t}Bh+ z3-`*c?U2htYER0jB*)TeUH&sh+Tu?2t=l_Uw%@K(q+HG?{Y+}1`|HMhosv%hoQ8NS z$8Nhr8A+_JzNZB5^^zG9UKO+7#xbskeNmQBsL_srNR7+ z!jR+g9n;})z3E&*ea|PO`6O?x*H##0rieKV7WF%3$m>)`b`Wqk(m`vMe{hmKf3(L{x@Ll46gZ13ziDSNVgc65?$ zWhZ;T-#a zkQU&tH_sKzDGCld83-BB#>!tS^tk47yG~1X#i2E|ghT<8QTX+Fqcmjq^-8^w#=CDygf0vvspH6FtOZ#;keuaJBDD9?A6JeV9oRIzA{HzWLfpn#a;ITTp!2ugL4Xg{PD-Zwv^!ei%1CB#-dpG z#CBl;V@3~3v*d<*PesmlGGQhXEG&)NTk~>E-l7gw%|h78)RyM+BBev6RScnOr60IZ z2MzVk7kN{T_(Z5Z?!Gb;M1d};rsCVx5|S?lViFjtVz?q5#3*t0=Q}hvf)xv=Q>b*}517bGKNBXF~E0y!`ihh*ppj~kQMDYu!VJe>NYSrSHHyeGBO#5&Rd6!o^jzmA6EOtlsCxn8 z&I@BTg0_;9cy{da3~tg%p=-8*K<=f4Zr|VaGyB)%4%yTN!zQ?hiZ$5QbV3+-c}kEu zX|UOvs7W@l@d3%+obF{m?w`GK8o?V#vS?TRIu&52%D5YrOB-@G11J)2%$_nwrQ`wj zF3a~tSe%d$e$%}Pm)?0~0ubddA4B1F-;xSUa=mB{l_2dC8WF%#|)Le8w%A$H#&gzP}MW|uG+x>@=7hj+MaCW%;dM~MXWoOst z>z!RMP=k=B1Bj5I`k+IWaU{Z4v=Y>`zp7i(8`H_91&JCmPqg&_yFVTFiUo1(BoCCd zCHv8~21A^zR|U`IYz}PCZ23w(@w0aB6}f-i!i6PEyYYb)R4d3SuNJH&h7VyhawFFQ*g2-z=ILBH*vf(X4JU>qWKxhV zIKBDhq7J^(z?%(KIQVkh7iwDc?*Ad>Mihx@ElgC_o6EHt`SWEm(8GaKxMhz>>k^?6 z(^2=1e8I*dUM!gy?{4cH4oY{kdxzP98aUsdo^BuSi)2mVfI~NZ;Jbg#LFcE*BS6|8~;!dV7+^m@vP^DwkZ1?){+=C8Rao+#mk= zf^OmN2#TJ3EGhDaZ+&uQH|^;{T{mrXv9y~F?Tc4;!-qap;EkELNrAWSd?k*rFkfy# z2mfRhxGYqF6D=yK0*4R$)0NcZvrN1~`|I>=VeRd5v!FKW8f0uy! 
zA5j91!pDlh{a4q3!(||4;2;M7yA*;W^!m%!f^(nwymD}hwL!l~Ik<%uf8l~~Zrq<< z#BKe*Ullj^&rITgeKH{LFbmuL%~=!B#ihWV3Vh<-Uh?TZ_w*|k3C@nHRde;L^TTf( zf#WH?C@exOIzJ~xszd&Ww?VR_AGZSz_w{M^!wWA|vfn*^@SDe9{bsQOGeT8XP+WCG z4OPyKFiLvJ8K6%Lab>zsWdC^ERTDx&q=Frf3nB*%?H8^Fh$ay< z1hDAtqHVC{l(Hzs^!?u9-pTgCl1Q7Vo&&8(_UusgdJyfYl?shKi9|3 zt-zTFI3_0Q07rAc3>W>}E6YKXxOZYcm_^1201x$rXD{oCyX_{Qy_Jn<5y*0pgJI z3WvVA%c}+({1MF4{LcHtBP^|dD#hdaw)+B(Q6G$3!hqOu59e2fu&~7b5?RnEVn&U` zH+PKZnN!+}^I!}XjDIF^8b4t#2$(2;KfppiJIs0qKAAa6{I&FZ81RNT_Hv^lO}%O~py@Xj-E>?@W<4JQ>PDBH^qq24hGP!7LlL@|FwHk? zC6_W0AuRj`hp6avrD{Lxes#+PD=xco+ zgvD;Xs=Ec*?%(-*eZ>d%1iOr&FF{7+r$`D?dNY@kD_xT*_Qnb3ddVEyu>9dS*kfH4 zgS;K&R1Q$MV^$+}MTb-Q7rjg`-R%JRG+_ny z>m7W<%^W!#r9?@^upTL`9d9Z4t0#Bz14b4hZ4vUzD6rvbw@Wc9oMUsfqyzOuai?>7 zj@3Dz;@9&;^LeRsb(hWxL`Xy9^w2;`DzhNR3vx=Z3)TlCA%`>&BgW^~yH{@H9-7o( zttY6-3q9@?Q?0BpOHh@#@O>#uBnu>$LO$YSVrMph(88TA0lcg% zn^sw9$y^B>5D^dZK2X%;$t*;`5f~)T-oJm}dsCI}J7P0=T0oBwI58~1QsO?v30ENs zu2n^PEIkkaV`N5+prHI(3>3mEj4c_Jq^++m&mM5N=GeW}p zaD+`-*9b9ZQlN38{X27J^Cw3796tAs(c2Ld|FS7_-(TS zMsOjHrA)3|YF?d619PpW$30({9+pZZ>^LG&I zjfwQQH0rs=JtM!QsxJG0d2?}5aw=0VPd~U{k`$<9r}{yx5D6)-sL>G@Ss4se_wg?; zBzuZf^}p+(O%ts%qrZ?NyIm>Gj!@rD3MUh#sO{2@mz_0UsNkhVvq)@-vn!*m8WqR( zU7t}Vc@*z#;ge%#hbR)2HbIon>br8^ZMBrfvi9g2xUE0fu1 z{5HR%cVSMID9tyG#LmB{z*2Ho9M-WzVy5?kbj)8NhO|FNAI`;#>pJq9ZtAW8@vwYm zB=LT=Dnxcl;X5J=f%l?Gn~Uk2(e<;m7vXCHtofUGHVSs+|biGC+#i-nXumSEi`m9JmB)WxG_sWaA{1AN;3 zgZp|m8l4^NCgkJE@_R=-7fT?h(OnSJCV8Jqx3`hp^E<|gh_M`I)p&6Yk&|!J?{-t~ zK(hs<-Y$T=ly=93I}osKEoF7YOC0f0G(TL;vM#_i&Rg+8fKvS4cvbR@pi`7cPKa(C z`#e|E$>ny}q^(}17z7UmRoMkmvva-&l)>qeq>j7M~ z;qx@b^9endQ~C+rSEoMLLhhu9$lrQ!7s(TEj=&o&DO^oN1eaMlKr|>}j7U;{)LO+{ zhh*P%zrgFBY!L>uk$*xK|vm;OBy9lfmuI`(ui4D<+BAJlt-_!Yw z*kkj7i`UV-d^j5-i>{rR8%TNdkOUI>#_gkt8yF}zCtn6*rfP_Mb2@~mZd&EV(oUAU zbu1F$QFHO&h)#oMooF$`aM)Vj$B0Ns&;83rN6rDV1WoVP@n>fR{0i~7vJFk}Qm4KJ zZ*(}DY+>#MIUQ+E1(PLKC?_Fw*y1ZJl>^ zr`hTL|J{Q!w0|a)7sm(N?(f-lcCi1Nf6HDS{g}Oe0~)m5-F=L0`@lxbvLV@z`v(Bk 
z0A0V0H`D2OnH|0OKkl%f4)t;O+^IeD^5`Txa@|72-Sz(P`%^UW_|w?Kka_r&D-2mc1Q_zN3ejCI2_#3{R(mBi%AXmkT^qE zqKW`Z2jNs%a9eOgtNd>3*8M3N*&z zdkJ02OvWMtM0y!#t5 zfW5FHZUlx-zoGR)%BtUS{|qxVJeOWUe)-+i^Gy~P z%TWH&bLss#M8bJlolA?+RiRRBi4I3868oI=(lx#>Fp*a3^oeHP(to0`3i!9&`WuB6ic+5hA4h+)b207jc?R1(}N(S%wg~EMZtD5B}EuG5` z&RF*K!$(e*M)SM4G(DdHv12xv1$?`6L{Pu1yD+kxzCLC^$A{Ig~N%KTYae^>fHa(YeI#|(XSZU)9{{bD6&Z}|bg5j;n9t`TSOs*_3` z^>Zg%Z^Q3^O$B!W^WXac&oht=b6h;3#@VB-1_9_3ACzpPc`KwOQBkVvQZ-7I%lc|x zd&;DCXsXEg6s{max6$8mQCKwxptI4a$2DB@^!9Q!rOgLG5*U5Qe@w%LMT^Ol9xe^N z=@U2+X>XGS{lN$&KXH~8R!&7A&cyk&o|L0I6{|X{(eIi39)-PpEJ)Wn5@Afk2bG@= zN1LMq$c|#Fb{|6li3_Iu)BZy!@t(@ymy*qWBxOO^@sRn2moo{ZCk;xi0^_0k?=*X(NT_YZJO?=y*V3C1TrtWS2+_!S|sYci6$@YyRTIN1eKca{zvipf)|0^?{~V864CxRy+ukB4;pV! zxdtY43CT#=RyEUa0UC$;syU&axpBa=slM_=Zg}K`IJex@?wNXZjh2WS0Cv<6aWhC; zRaIgSgIJ>WYfK4Osv#NOgI_uON^r*jJmD=oO8;-&N-k|@N!4m$hg<{fW$+v?)LslG zArBjNj0|i+lJZdL(lk-n^7eLkJ)OA!BD}TLy2WuXL7&`u_}zEkZM`}^7~mfU-+af6 zCUdRG+n4nf-!_VoWzBr|EgSjn+rh)%JZ2lq?9uzLC%vF0e>9%*B^Igf-=!8Q+?Y@V z^LIgM5jTQsAXJs`nJ8r?wo%_So0!J$fivv-{sI#I9|^`u^$$-gE8e;J#MabOp_z_MV1mQT#%Br);DPNF`Tzqt_P-Sw@n%z32Z4`n z3J7eB3R80~M3<<$O;M>T!ndSZ0XFh&$m>wXH?g`lLZry3p$IhSILs-|-bJ+8-G z%}`%T#0f*d(I%IWTt#b{RGZCPiAjX&!L9P^pcOHZ=HQ=lrfwTLV8SBwND6C%27*FD z$;~)N3V5^p6sw_=#erl9UCmXGR7^CC&bbj-oPZW}g2?cm5NsC@@t;Ed9Lo^Q*q3S6 zn@Nu&CL{%T+~mmC0~o`*YQSUxiH6WN{K^PBvrX|zNfLNj1*2IsY-c)@!qja9dSUuP zG8+LMZnvoyTB_3cj5h8=W+h>ZxenhJlgR)X9|j4q9VeH)C_~hH=?z!`xw&}Oja#J) z55>IU`<=7F`F!pm+WRXZ% zGG*V`cONbJuDDkIkq;9$7kB%fWfK|s=<9D5H+6phuFkowmG4u*hMkQJ&=8*LtA!v& zF1?e3_8OOgn5?OrQF409DlkVAn8;&~)g0_^9cdH+s1|&yKvI~TDE}VLPjgp|24#K! 
zp~*k*)DWaHyOL~Qsd_QBv>?nlTBCKaFp=o^_@0^MZ=XMvw0(^fHm>~mkId)2GbA1V zq$$dN`rShokp0~w_kW*1VZGly>|FEV6wIr9gaw`yW4P8_mpjR6p~@z5Lk(Mk2&GUU zWJVb#l^op+;`zq+h0sIAv9`~0qI zP*eh{Wg7}}FmU5Ba#7!ZBjh*?*}7?enz>PIM0UYuKOjt_tGo;z3d5F*r^T!xaRD!Q zD|nTv7GIj*nDSqS>$>pVb>ZV5Rgy@e5N44|rs#)cxhrn$mVO2&)Vnt4MESbPg2|2<)Ub_a(=2uL01_Ta;PNtB#*EqZc3JD?#w7^$FPUrJ3NkRCh3nAQ$FZEW z*}S57fWns-H&7YtF?h34I!59{D&Q)MUjBqagWX|RT-MQrz*H{SM`&HgbL=K zLX#Ga63HEJ96wLEcr~y)$+Ue#Uch}}&xg!oufsF-Eh8hS=B=O3fO^F(j0$T+n2lE09bLI~>lgPO~xF4V4pPDVM(6+FW zlnfY71m7ufElGheZmo14dFAA7Vblz#T#9)_zNi(urOZZ1`_56B+uh{80gNN0FKcC1 zCLfVHA4cDP$eiHN$_P?Rp6b5D^q3Uv)Tm8uK$4%>NQ6ikE7KaQywFi0rLT3~#KFuw zACDitlRy^ZDn3Jp{($|LM_T3;heao0C6t2g%j*c`b3rt7w7krc1)+aRe0XAt3iU)) zUdUQqjj!X?XhD>nxT5LCO`L1B2@!{gZhE67CX=$LxVctj5I+9+909 z=h5@mRqxbV#nFva_s==HVgGiI?v5u~2=Q@e^^54!a|c$-w!U@5Rilp|=-@;90MST$htmLv1yfTsq>}wby91nOxq)(K9#QV+Z zL%~Vui9>=%bz&xofU$xl%)0hc2z|u^+xUfc*-PjNRvD~5sC)0hPEgssi_A=1mFE0O?rh9fS;DlLJ!j7C&ik-qdWsG~T6{>MZQ^#&_Axn?;k%4NdvpD1(IZ5K_ z;k~0mQ=ddx^ciG^S5*F^i2b8PJdh*Ti3IuFsBDdy!&A%OKzreY0kv$25=Dr3=oKA# z;F*Z2H+0w0?91KAtTTyJ8`5YBJR(an@&aCFXi6>(ky=(>Kw&YO#l7|hU|brvltyC` zN-$N(qs6q8TOQ+aVmD&y!P|P5&$f`ZKG~8&={RiLdj0#Y9--t`y*LEecJ8vvaHp#gcO@UD`EG$QF4? 
zHzIO3=u6zR?o2lV+mhXmsif86O<1Fi(NLq44r`D|fJ zV4Ux2%!=9fWNLgzGG#xn!n0>5-e#lk1sZGF*J>f?-6ibtqG0(lP+s-zi{WA@S!Vbv zcl}}*Rg8~*ur#8*8i_@e4&}-ksi38=M$YfcRu^1~(`6yBf|wX1=1aPuZVC(8^4&&q z7($je4$=MBRJT}b$Emh;Jsv+q`naFnXYLww|5^5I)7Z17Eq#ao+|%r%&uI41r#Jif zGn#$8wAn}(`M|tI*HerrIfs|}9NYW+k_^`#yzS&DbEoLukZpidaZ$JJq^Q8T5ZLBI zu@|^z?pTS4;-DHtx=VSPxSDV@)7asq8A;;pukBu+7L~D2czD$VnrOn7Ygn0&A!szI z!dcztPE7PR+{p$^v7bE{xOv~y>lG=fQAQEeaA@sY_^-q?RJ#*dNBEzVtW0jpC8!L) z8m0=})b9Z9Do_V6XjOELY~WLyf$t|z1pf*d86sFp++!+~Q7W#H;b{QKM0W*2)-DWK zXIecp(JS65-ej?C=w@I!-HDqZo^1kw7Us)Y_&1h!mS4@p=@HZ%S!xp(BU&H2VvK57 z#yGk!8F;=Yyj;Ng=oZ1XD_VB=@=R)(WRIPOYEaEMb0QVq&u@HlLc4azfa@;2nVw zPw{tT6*xHh{^kC`zaXt+QeO!qVI>4cS6H)4kqS@2ck?`Zs{fjlYMEaKwc zR-i-Js>>UYz^PX96bGl9Y!aof8CC-Hx{_O;{)ygVam)l;`GRFAU4!!xd7=cDmootx z^&sj>s>sjHuY>l`ocHt9meM%4C_&|;7zoi9907k3Z-0?beDC2tsw?TAvVg8-Ke?kx z4%45rp9b!~KRx)Fu7CHBe|6jT??1=g&_Bt$_M$IpYNiMw^{B?fgSo0*T17?$Yj@Ag z0n%IT{cc_}rY4i@o0OUPPyD#Cy6NdQd!U+aCV6wc@u$tGJ)C)$30!c-IF0jZBz$Mt<^oKlOIzPJzDh36x3iRn~2+ zZ8|g2S?cPx>|MC#P}5}Nr=Q&~$%uF`Lk~5Vlcb^8Q}w)sF$-Do)8j||hmXGb8E%&= z*&k~I9gX;4d#A@nmTiBRY#_L<>Z|jc@}@Yy9tZMVcg9em)&{YW58n>+p$%hTKWxhI zB4Zxz%>HdP7A=}Z?8IsEI z!EGRmFVwTW`*whqgNnH`hs9NX&{vNM8gzX_P<1e6K@M2~De~hPg*_?0bw%Uvv9mQnqw(t%Vh#_og!HV>@96B_XejyRqR85=arRo*C+GxZRrx zo@#$rQCRMWIs%Aka=$Mwt@Scl^;cYKo+m)wR376}35@X_2|H!kcA$>2&ksC(q`e+; zsQA8{n?k4ot4cks5z0f6?zTL@Vl`4s!i`v=(&K!p@7=h5_yXK&BDBhv93DI8V<|+v zQ__ybaRO3OC^d2TLMN#uT@{|}I09DQkm*t?nj;sRkkC2=dhE)IMl2f_`s4@xgU$HU z6W^YknV3o;FuA))wZlO1s<2cILa+8$SFFlH^3L+7|1|qkwK@zZ6ay!kGe@OFd5=%7 z{S|-uJO0x56K}#+Jk1uD2(#j=mZ+_RxA~&>8eFvEh^?ktu%qHMMrN=Q80-de4cyVTk7Zy)w4)#LC|iCf9KGsCZXU zDpVSCByDjOSXuXXWjQ^~!&p!e?xS@jG)DTG!ZOh(hCCFWs2LfCAe@w!g-}NN9jv&| zcXrWtDse_#SHRG%sYQYT02mM=p=2do#GJ^%yDRxyMv{o?B==L_!t5$Pj&ui9{% zx8)Q{4RKjo=s=FDM)r3?#TUzC5fT>OIK|liHHs^U-piOsK9!7V({m&(bz!MocSOwZ z#3XwY159=$|MR@JBc)TDdhRadZ2#B@*7@_c{rvKGyNCSCwDW?ZBzw<`dD;1C@6CR; z@p^m5TI}O5gRj2Dd`6}93n`~r~_YO$(68a(5wlu6%dxaHBeLk7$^CXnlo9RO@ 
z{Ab-jrtKs@W0KB}PPcYXcaHU7sTlXQc%E06bha$MSQYJMIl($iX+31Gw@-fPypI1dcV_;GUalHMmzK`qN?3J?=gf8Fm5d@ zQC9j@@Qw`#1IfiPj<{OU0-BU(3@zO2skz#Oy~)(!gmYMg&nst#i$b7DArf`fJ{m0u zFKG|rv?;M#RoC5#ua0WMLs$qHXcMZNxYnklNs!Pe%o2#DWSb z12+Eb69!X~?Zel)k}ot1pU5__Gt!gQY=#|?sf$8lAy&nynVetDZ>Eq}Z*gv+Jrr4< z6c9SA&B>QtloepqVfKVSGui=Vlwk_bO;ddHm6_|=25kASzHxWLBJ+2Vy0T9iJw@UlGLOMo zc~g8y=V>9-g*ID&?!~kw%A(iKd!+RaELIzFwggp_cA}ROQw*{rbNx2$?2@los-Bu< zV%8dba&5e|cCoeg$0uvAo~*rovUZxS{e`Vw^}c_7_6xT;L#>%8A8T_OEqh7=U2gM?a9tJ){Y}&7VlysVYiCxPt7(SruMt>ZgnIOmXt`it)Jm@d zA-mR|s@)`SnYTs7i_Zk|-^o^e$r#tERS_C|bz`k7 zDt~K5V;~opezu>{L%%kk=yU!TsZ6KdEjZ+CfZIC<{;fjaLJ4HmvyxUD{hfne^3@W* zJG*`?Tt|(!m%^U}&{)9dK*~V^ljyC}Y-Bk@=^ACt=-S!hPpIj!#Dcfo%5goF#f%6fsO_Z1z;Ql6NBAPHX}6EU&~& zSsO%wtceH-xB2ttTA|BHKalg~qwY;mO?$*Hz)=<28>U<1`F(q%v%KkE`PZ$+n@U91 zY_8gHyccz@CD*{(zqrd5w_slfXQ{oqBlULGLd=~7@9v0CT6-mQ^^T_MkYbZca`E9Cimx5m@X*0@j7#G9!}-{5U%$sZV<4{(gSi>z~l|cfKKSTWi6# zw7>U1cYh~8@Xn{)ch9eTN5&HC1zKuID8$2Zg#~2S1gY0CJ5&#mmz0;l6RtBihbLFT z)0ZtOx&e2G=&62cn@+tZppdj_Ir5nGElYWuw07`))KEl%#Q1&+LB2vlA3w)dSeS*} zP26?vrI29%uFN4stnMw$^!hO*6n{WKnRrcY|C+B6BpQ1<*f z(#}qgj}A}wId*UC%SMR3AV1)6a>QAW-dDc zyDgl{=l3>{&YarYGKxJfTt?UP>TMDEpDZsqnx-XRK*wx)O&95I-_6eXZ?1c%oi1A7 ze_2=4F2wJKC2Kyn6Hl90w&sN5UtS`F&@6oJwD)G(pvqyAE8J=8qUjy_un2bF07V6y zyr3&c{L9%zJ-(AkwWECBe(pyyUzbIdQn)%m+Ta%{Mi3dhkuL4`rr2dK&yKggucz0n zVT9UdSB=7HgwrMO_Q-YBlK>Ngvj2Mj@cYi7r)}@JSfDFHR&TmvPFNE*mUIKRiL37ZzRJg96jPM+CC+ExX{g?0xj;71 zroI^sKr0UzmA*ryk<1QU``n$dQz@@`#l&45f|L!Rn@Y zfqNdM<#*HbrYd`pU+wg8-%ATFSMo5jL(et#W9DFyooX;hR67mB`K=M|oSuBB5Q-z_ zWROFc{ahccZz6xsPGVPtk}}QBPC4GX$tNUM9CzB1H>x`MGY!DW5dL4f=7XsBTTs_Z z)KRMsZG#fEjO1G|Fq_5sD4S+(5{}?P{`>!1v!P@9&}2OQM>dC?Rec&E?GH~!8-+B; zC*>X2_Y6tTp}7@4cY&XN{sR9Oj_6YtDU77k>+Jp4557x!>~8eqz1LnQI++w#czv<= z{r({@hP}gG&A`U(t*+7TNQ<;-a6*Qdh?i+UZl4@F<>*OvAX!l16=eeo{A7BAXe8*{ zA6~=}B84(&MO$~r0NZKe6s%!}eby(zg+xvd`8!0gCe6qzsLEPM@hk@S%JF!jiF*1e zZit~$`Qs!Bds4;)9lSQ$OV17y=K-WC~nu|^(X5cCsjl+5CNn;&|dQq^Tyr>f}p{&1V7CWw5S}M)uCz#H3Rk304d&Z_}ICR$mp 
zn<-EYZpY#ik>e{jAb#X;Qix&M1`Q!3ez@rXn@TW|!G+WrGre--Vp38@d!|#4&RxFD zqW3r25ztoVPElHLaq(2PzTL^xI-=1^piYnL%cBQhZTbpA?pCZvve}o-uWEGGB1@~@ zZ3f37+x205!TZH-3jDq}kqSI!c-DtFqc!SFZCLgH`=gfty4t3gTvEw08Un4f1FBjD z%t;|tO~2{6xk8?QqttA^`#vfxd5CUX=#w(jiOsjTgpocDzhHFA8dI5&>ftNugfx<+ zbJJv+F2ZY^c{7CICOITmx{=K>G_O2Cc1RTL5l9N|eh-}Mp2yCP&Nke2ejPYM^#B?? z97R{SWGWBKS=hBU)=jJ2A+N7-Pd$0!^!f94)&$t82tbuUUWj!H8ago=MWTW*T_Q^x z6{bO!swC77JcZakzqXQp<4ztyx~%3BK*rx7_G|fV&zFj&d)vH{>VsX7uJXnKzza{W z`^svXDppbGM}1nUex+k-<~N+w)A`Mf9bf6^vLy}@J%!y8S9y~Ug5pQ@wv09a^+(Rv zQh?|%BN-n4F*de4@LoD%m}#bo9DVcDC=rRclVgv*`(i|HuTv35xxrNfVVV2?%@ppb zy-%I&nQ|bCY1qMssu@ryTya)PmYM4wLlu1{af|bw(mwG4g=|1nFP;NoGWL7GkJDEp z+dybxGre>VG*3=ZGNC;)k(>73MV6Y|DkF@fKq*R|WNTgcDjPYA^kb>9%I;R5*mAct@$rWX0_J0mo`v}d0NwF z@6)u9{OWWF@-4_XTpuM}M`Uh{qIjZ)#qTvJj@LJ$RNq`mV2ns!tWs*zpr`?d;p;A% z)AIMBN@I9ZYEbbAVcKw( z4-8yTh-QVp*lj2Y|3N+0uj&UkpJY#XDOK*AKT&JZ{Zlg=ogi1E&GVE*y zqGQc0kbx#Ps}M&k?pfJJ0iOv7`9E5D`n|7A1JG>-sBA$XFWp)FYXSVj!ymCKYZ>>Fb58bqJi%P)67SY5{^HQGwX|0|7?1rvwVE=8c z&EBoL$9(&z%@fybr@4y~=?ecqbE|8AJz=5k+25aEui{^ka4^`ua_hjqEcqTQbGtXv z3Bi}6w(!OHC7}0nv?`snu5~`g1(Xu0KYH9kOj494zG?Z1qeEWoSolWJSUSUk`q0_2 zy`W@lAeM1b$`H<@dP?2Jh~S|*`9m}%y@ynTfe0rHiDwd+<|Xw_BXk-@qd1eCvU@v| zt7rN@LG29xeqq<*_Ec!wxih^ku5kp#rupn7(*H@C#Vj{Cf^g{>MgTQH%D+MQ!*nF< zVnpzE=4r;F4>sv+_I>aBehc)Yb;VGm=xOQt>dD*0*8+oSg**Xri#0yUmc8`+@f;iF zF8;p1lUO6v-(Y5?v6k3x<)h?WqBLL+H4STQ5qSBI`vIR(vsw@*(1$>=k2O!yMs3YR zO9?~Eo=U*y`ID#Ao1a@bF7WRDoc)Bf9{d;omcEGSfA@D4V&Nj{_JL`QmR$|4Rr$up zuud5Kdh)UEJq<@w$n%muuoFhfvR?_PQGo~ns{>>MRZ3q!)wUv@S%0>ku=_;iQ#G6= zyyc<=u?Q@)k&=E5GgEtg+Gu=dSJ}E#kk{E05Q^6zu_eh?CS`T3;6_N>{SmPm%!%c= zdLAB`qbHo9s62CcK>M}f3v*-G7kWkurBV<5_p7$4ohh`enp{ELhOU+Eg9GtxjV9}H z{cOFdmVIPIygY91O+6A|@^OES3vll#(ZlF-{W#TE_p`i%x;Xb% zMKc2XzPnheQK8D9HgP$biw}?ARIV+&ujQxI`>skTa$7wayRYq}1uiShl_lF)F=Ek+ zH4}~>6Q-e1UO?>>9)gI`O5B>8TE4Ze1`>mdQB?}8Yh-F3zq)Wvfr zMCrEdZDGmL7hMmM=Pm6YkPMM%&{(9bvjEM;5>^fwFtRH~Q<)c5T_~O%I$idjVxA-^ 
zMI>Y98M(|q%n~*PcY+so=F~me|JmTJJYB3O16DtV6au^`?o78r^XKwH>Mx?)fCaiiKg=FKBAD82*PK6}^ukpNmzLQR%x&A6<*QH%$A*m^pH zNg-#9o-8S0sk#pSz;8bBYbgMJw=hhpaV={}_ST5>rFLcS_lN>T>D=tyFnfU*llZ(? zq(}4AtcSXM_^#<^usr2D%B?P@0tgr%Y3_WDMvvmv55(O^W*K6Rg;lbt6;;3%)pCU) z!QHOk=?p#l=-8XP#%{ckKt}oG0jopsAAf`G z2c2H$Y&-7c(l(u_?q|38tRe%b+s=%wAr9fbQe4dS4w#Rp65xT`E!n;x>H&6Ls_0-J zyxBdrxZ$iji;=#-LmH z#kebgmgx>(YCyr9>&2?Stn?EW`Evg*CBC*IKwTqF%E%i0{I|WeXTdROrG^I(@vlDS zg`i$Dzq#S*?K6DB6%hJ^G!CUkQ3pa03?hu%|M(Q-L9ODDXxXpD(9c03_>AS;W9 zxzQdN&>{D<7h0iCvlni0VZSXaA$O;N+g#_W-BIJgm6-aIp`&6?3jU9Ug)R%!vNA{^ zr!j!u1h1&3Z-O|eQ=$~NWmlwbY8hAb>aGgHPy3Y+#j4q7&)Uc1R_*BM)g6NBa(uL3 zGIe4b80}TOPpo#J)F6-cSXe;eA4Xh7x~%L<&^h8!`(%r?02Q-D{5aBSlVqR`>;?K! z*tjRWI`H3LHCH23yhGzwYt*0^zJR)igOpVgzBh!5HTZN%gDX-FI_~Mx27NKp#d1jI z7&@l)&6n`rH1_uCv3oswBZ9CjqHLf_ zs;A3qU?cL%iXDGl+*o{q=74tx8?Jbo%T8P!ta6d``-X+k6}awgf6DaOgs2Umku^)J zFq352;H3cCmAfg_8jxB1tv%cU#JH!mqf%s!@K>87%~5jVqPg@@WL=ic=v-NC)Ff!B z&Tnp|bbD#ml$IY$gAA}rVcVgWfVf}cQ)0Pr*>+{q6DRcbGXdlD5z`W0R)Z)v3uH+F z&9kABYMh36rp|s1!I5OS1mr^R@rqPan77{7m!ufd91j{-XRsl7r!ETLTOKm~=Y?cY zUxD|xxGmU&aWM$BOYglaEKCaOGt`8L&s-y}9CX-AwixIUv-tW!du3!xGCToPblsfY zaoV;}Pgwr3Pdc+pK5&~GT0l7EEU{#XPcp4?G1Ceo!7{p}V^u_ZlK}mmZuk7?5-w0@ zbq0&#>Gm*rN$296?xc8jB6cJX&(WXcwCFuuR>5B$-L;p#@Sc8YHkal#cYpBaWIyTH zY@R-T(@St!#*-swu^)t;xwiC3ZYGU-_vh>;X`RW+&?1s_;sr2RoJW}oCpW=@Jh8L$ zzvNAxlQ??Lt?VTX!g17p4Mf*jjF0q6McG2??n;2AeNN}p&7?idKGM01MnXaNc8kaV z<9%C5FaG$q+ga8-yAOT>F#XB`(8oM$aqchuI-UEs!w)yIoMc1ecd~uEkE?+7ML{Aa zwpluavQCD8^jhnE*6DZ$dK+~IN@JpE-zq$UVIv{KhiA$MF8kc^ zQg1}A1IYbOSU>!bg!TP7UVFanv1m0y{5FmDS4QLQ4)Fiv+L%|_V9Orb&IYPe8CoH9 zAqKc9|-Ghi;O$U!#%m>d zcX?BH3;3frv%VpbULJX@6$#TsoiQiE3P=(TonI&9{PBc;R*$XL^mL== zUoEdM{QXFtF5o~8e|^cnN;t*;arU&5PXaNZ?GuR1U5FZC?x72N=wbHE!Y*!`IbEus zJ#c>-*VTHP{veV5Iv8OLMk_V+Fj>rW`LeBfGuxV!7wS>z_$K4J>v`LpYj&L5+bFM4 z-~Me}&_t%A!kLaMS}xjxb$qBX=eZGI$Vu`R=oP9fEB4=P-)S-9<^+IWelXA_+n1=L zV7I-wj?&xg3*c&WSz@!(s@mGRE#H+oMTG6^^EDo2An% z)UU$10}AL?hGZ>UaY7yV3MzQ=Grk00(+}%@If;r88en9VQs)AyK^zbr@UACUrK=-Cwjos}LwV 
z#rjUe-~wA&VWDd3*<~w{J(ZuTkDS`+RgPAKF!Gt7N7=oNuq8w;EerAjzl$lj^g%2i zEs^$P3|ME@B^J|$I{&+GEcY@-uiPsXqsoLhDFv5&6wE8XR@o{Z8uFo4QTmlh zw;C7kB>-?;Pgu#A03g%z0PEJZl~skyuWa7JL)Q9YD-2N~iftt)<)c1l)hR}(cAXtE zHVcv>N&1`+qENzya;Fb|X!riQuMoPP8L#A>_(7}&q=k$Kj37rL$Bt`&<`8xnKi6vA zNJPg_;s=28Icuy-u!k;t2G88X_W< zaBaMAi;9Vn3P=I=NHW~!Z4D0umw1zo2lM;->pvu8Tqk2zcX27@y!q~eQJz`()X_DI z8-A!gzbM)wTQCP>IN~~U*q@1$+72!LHfocOve;O*F|Q`jjO6@Pk~$$lX?gbscHEB< zJcf^sYko_zjQss<-%!N||J_1F+7JB%=G<&Xy?}OA=wLRB3#mivH-+53% z7q;Mf@xTaXKLSq3B3#09Si*`R)dDaf`#em-X9E(bL4x%;KspDHhY#Zog9)R~mB+|t zSyNn)eeS_r{NXBAP;OW|g) zZWOorq2AFXNvG-Aq4hu_`sFN%PNo@nhgK(TasQcJqTnbYF=JW)jP?p2Qma{cT z6)w#fg9T$^U_Bu7YS{{-6BeDho9N;}Skp_4yI6D_mNETwK^bSH$Uf zzPqBd<&_XX=}s|y;{sN=>!(xSMQ2Bcuk(wNnT|4ni{p<_8S4N#Wdj}f(`h+=zMgCX zaF`btWnOK`aAIi?#DJYX$}tqH>}#2YvJK91&--phshvdilQzqZByBn>`c4Em$^=13 z9ILg$QSJ ziJb74D)G}1g?@|4$I!1TxcF^|ZYMH1fZcm_^|$)+Qg7rPYLqxX8cJtnK7nNVlwkdL z^}2vz)4grpRf3>#nJgyJQ#^aTdnkoVTZTY+nmX7xz>w!Nq9kr>1HBhx&v`0Si5pN0 zs234nJKJCmfg!{{ixZhlvR|0nCPT1c}l+p@4GLZ6JJ_3RVJ65j| ztLQXLzV04*^!3+6`>z5332&RAQrfyIT*wOH_msff`)SAJRoPme#`=TKq8z~FoKJjV zv8WzkqF_uHzL#5U%KKmfPJ|Dd&U$|Fqut zc@lMCJRd258G!}Gl0)q&t9O9#TuDi?SNmsMq>D5m&*^0*RpAu&677qkB&0zqj)K}E z>(wZWA!mn`wVRapDVoJaj{n$!l%S7-METKboaq+dA`mLNTMdf5eJW|o0p-Mqy9ORw z%s|utf5P?z$=6K6CJk_b2DE0~*c&(B?`W?^?k1x<14l(6)jGRySa+Ga#$MI82v9@m z2>@;@@M*g1gxIW0^MV9mb((h{bpK1^*)FF-j4N~uxgZyLBh~fIX+hB4FrPGK>r- zi5WHhMN}u!sTyvR(xQ0B;s#+Dn^_%LWZn_J=!X?Rvez~9KFQ1^)3wf{wBC-09&{XEb=vb zwRWnxLqAFSr@f3lWA28oC#nbVDRE6gec<)WX@|m;6uH zktUa}X6TMl4$%o0xuLxa)+<)#IT1ID)W?`CVOEvqRQ%1ds~Rv7P3xfstEG9VDcsO2 z?@kS!Z=GZnoPFv3X_sFBi`hzkZEodWaMjC zN|C+*c_Yu0mZ#NF1e_<0lrwgsWp2gJO$$44qHQK%;6}L(DNO}8XTgZo z%CHl`lN$^f39=Zjss6*&h-bjb|JoT*s7)-m;U@HwPL;nLR1VFr9jVX_teH_X5~4UN|~s_H8}AFpxvwd6*GDn(6tC|Oq}I@vzZ=pTSD2N|2th$&BTs~+k?<_lXz_89Ff0v3Wkj~-gCJGtDMMN-8(-0ea4$b-Epc4Z=Z!^ z3Q@|l>D)4yLfvTGXse7iBhIzzJ;Snn=+Bsd;j?eWpZAVW&b;SO?X7oArj!ds9VRo{ z3H_*zD5gX`gw!tKZ^~)bblQ{o^oHsM 
zjV&WCy-Ow%2*H0VVZAZLwVR8gSZGiyMTx;3QUDu^4efuSm)yl_SYZYm1v{8`Il|1r9Dj_wI@9)p$eNmPNg8 z33vP21w!_=xR=8jh|LH4<)7KfUw9X*D;Hn-)D5k7ZP?P;XKv`=mRPc-xpA=CRJ=Vh z+YOTh)Af{PR7B~Et{9AX|M=ZEt_62LAfwi)|3@O%WeZ$$7nVw6;4Y50yom7DSJsMj zA$I(*J9q=}IsS`s0>l^G5N^6lW=YPg!c-ZntkL)JbmIw-hT7V@`K{170gCL2k5X*! z99YEFwo?|Pb0!agig}a~p97I#4CuQw9Bpxh6_T!x>8y4e=SC^KyzkuYECB(!S(K)j zz{)*@PH5@w0MPhF4o?cSkP(t({vSLrCuf}lL;Ep=m*EpCB^|)CK2^oMg;8l32OWkS z6>N_ICF}7~I2MBakFtBqRuv&hH-9IxPBCW)1E3N*f%}|bAqGPMDN1h4eVWaFHmA)Z zlJDr{OF4&dli+!tP=NrbtkZjjPk|E)E_FAk^6I*kJ08z+1cb~l?0M=e z(=%G@n^ISSjMNXrZ7FvX8RF1_bQrkUQ(Ux*!aOKiGn*flrm4BhnAw4l_!bUPP49ng zDQA_NG4E^0M{hj>VG{WsL_$!3kwA&W8a{CDbmF%r`JM4;g?;BX(y|L@)-GsHtVnxD zCStWX8{~Od9x!DxsoeM{(VZI`P0*FqUrHJjwrJ$WD#t^J!2Q9tc|wTqHpqNtoTr^% z)pCzQO1^}IHy6!eO+lx^AR*kZz1)|bZBfkN+xG|}JAS-q<#@4SGE-oNuMJKVU9Vlmp}jFVl$EgiNCuUaJYH+^MC z46<94h1x@TBAd*0k$aE(;ab9p&P)$ah#PI$BuaKtXi&KX7dKL8v*>1ut^U0~ob8<) zZXaZ)Z;mO`j!%xhKiPhL`sEw|2sDh(Nv546qcO&JPYl#(N*tbblFA7Y2A78+q9C?5 z<&)SC7Mi{m-^k6Be6q|%k!JEnm}>(r)+z9HRKp~iy`+;}6f=Je1DaRv*8Jolg~9NE z2{OD;_KHwMBNSwcb@;5jm>dR7v^7^qqq9~QwCWWGi$(49fe z&&NP+3HB3s(eSeeS|FAj>99&z!ZfQ2>I+mp8s2i1c8b>$M_=R;8$NEECo(v>sI<2IVm$;@@(7<-`%!7?spADVT1`rpTX3_+ zpp#DdNluHZI59(tcp0>p%slXH59Xxpq?U?lm1RHawL93~&7PhfKmXa99AG2-h3~v!?bBKTVo$T`XT#ClDwWhesK6R z=HuBacm~8~Jz3l#O22|C=5wV>Ffu>)@_IO8%p&x~f7j(J>z?aO$(Eza!mTo`1deh2 zqS+AZjiteBuMEUA1nkX7@MPS0T|XdP!RedPcbg~K;|CA>?tdQPe;(t1enW;Tw>=*} z_*RX@s`gaZ_BP?-ssr1>VSLCnH4GE1`)jZ;x56UGsnr4sk?;r=Q81v+T;u)qsNHzl zwIfn}t1+;bL>N8M92!uff~vUX_Y}8=!`pO)l48YB;H?xkJ)U==MBPlwL2HtqH^R0_ zKqsBW7KC8@51G?x?Q~Iw$74|xt-P5B*{YjI%pWN*^sxDE#bi$>$#+CdF%1^L3l!CB z+GwI1E0IBu65arpi_hUc9oTc}F|wlK!Yu6VGI zF$_$Z39Ar7zFvV1yH!g~!eebpqi)+QL<7c}ml1MWVqRxY1;Q?b3&&3(w@_oJCE9;s z1LMaZ6nWmg<=nL7qt>3?J30CEhhMzPe$uIsV*#3--nMm3jSZa$A7d3GA#k)rI0U>7 zj;&mR(1V8o{2X{%AUoIf-=b5a+=fF>)6%#kKNsFPULk!)06$O0kH!v8o2X^~97 zo=Oerk&6HSWA9zN+qkZ6!O!Hcs4&BWWG(wCcm=OST~(!NS+Pnnx+y1PH~z@@ z4fmguekK3p8FWVXZftcHIUVsS!teJ|EyNPuOg!xxd$~2#-?Nm9ST!j|H@B6d 
zH8e}4Dt!g%2zZ{M-TL1B`>ns6YYWY~ZTCEDj>5pA|7wwf3sG*6KJh{lMaGljMOxh} zArhsb!bH~Z-55)j;SfD-IrT2u(Q!9s$nL^YxK|M`=TO3g5TJ|!15Um9Xbluc zp&n>Od5yX@-@Byyq9!0pzp#1KLLG^CuyF-2i!wDZG1eJ0rC#oGVb!hqd=W3L_<-3W znR~!|J|T_S7`}4S!sc-OLB!b@)N3t1%M$oz`Lw8(HHt&H-P8#lZA+LBGY=PoMS1*; z%63*4>sP z9x+?Q@^5T$movNO^n|X5k~|~}9r(eS-_H$l&$Q$+@OwmJ>P4fNP)@rFYqbsi**DhE z&|_ZuxWp%uViMqr0Cghyk#Hi?++|EATvPbW0DOLIPq!kT|(nZUXg6WVUG@1?~`p~%i{xSs5==xj)( z=)FMY4zf4ak6w@|yb@G%E|682&r7D9M4Z|Yg^*4Pq7?J@rUZM`Yu&I;RBn)^tHP1l zz^GNH)d%cHmU`4tf%6kci{--D0u(?8>D8loc}WXZ4b*Dd$K5HGTi-XR6QUg3x>LKK zePJqUqH7rWq<)%b7z&}cjZ|Zu&xJD4qYKFcaH!?AAbN)>P*m@^=I#4Yy4i;g=@6tS|Q`=JK&nge@NCmqVR~k4K{TATKV^2io#~Gdy%Rt;8M(N-_ zoW)YF^f>W?w656-vL$4L$^6@Sq{c+gFKI~|oo)sZx>Wl8U9W%bit@D=OR5*U-D)oY zd54~<>Z0-$1+;eh-lw3E-&qChB1zo6oL6_XTK2rdC7s|~K>T`kunI*r_hRUnbO?Lh zoBO!slNZY%PGa#LM-qk9T&iAGPERyM=X27Owj*a^DmQju*v#WAwGsID`4=pZl$bxP zF?Nxu9l0U&Vc7G!=#%`(RG&uV|5#}>NH->~D%}U_IMo|87%quk)JT6%qGOUz+W%0x zr3bZT<)_JiU5)*zrkA_Mt`>LbitBi=bIj?6F=9mkwyPNM&F^DYnH!IiB})dAw#ih% zCB-c;WmH(=yOKCs+bz%8mRyR}yF1#QN%TB^#>WBNw$K2%GLBgdCtyB;o!fvEQuLb$ zjj+qSYXb^-EFspk3ZM`SI|6b1oXA4GOo1KdEJ32if_*4Onz%6s-4i9(aiTf8|A)HM z9?wFsb-2LSRU^+YzTU4y=l23qvjmp)y=ofP_|?^BMCuncAsWXuWC(2{mV6|aFN+-Q z{#6{?^asGZgn)~Ep2J4IqyWWYwg%wbW5B2zkUXc+r+l4ad&A>ayFeudm0 zcsl;Pbg?JO_q-0}ar!c{FX`lQoxD$pS|G!MzLcoL466FH23139(}?Y=?7TBNu4y$J zV6m(|mZ}jZ>8b6|RifSGtoamTg-c`gipG*~?5MYn)2x0**=B=m<3E>`6XYBAD7#yG znrgxv%t#U{w^9VeeVdQwl^}7u#)(gaYp3}{T)#6Azv_$xn<$se?ID3^u9ev`uWz!g z{-lYVdtc68d@*rW z{yjvM``6h<_kzKAuYe6_>XWd$%2nt^C08rHF$MGzIn}aju<6ZJkt(uyZj5kWq{kM) zq`*J}j)wO?uUj>}D2E+A&fJDNtix!l{dp$*ts7h zBP33(IKOz~27Yq%^JP^C=vw&$l5z+ybaG@vk+eD9$qE!!+zUUkY?0=$M{RB5Q1YgKe6tb5iyS2CkAx1E zK-N=#wJ<)U?8#Ax?J)`!g-w+aY((?Orwqt^^(-@5VVrXtqU1=I;25J%Y-QX{9GyO9 z)*WnXiMn>MEd_jzqZ;+|pD@_A7PEzPrVq0rW}%W=p`U#_EQshihXJ~tgk zPJ|G~Fz|k_ENQSlbVhSRfV#2ZPVXD^5*m14Oc|Kt=_{uwTL}am)NsRIkL_U7kYaZz z^P7l1qWMiFw7BtdBw;zpnXyz_H`Sl^eCpZgc=L0jWm3zxEV3?dsS{AzWzXc08%_3{ zr8;v3#7tbOTuW8NB(xUklEMIc7iP~+sk8fB3pc|VA`tVbht-kHqUbzxTjGCmPsRYG 
zc9%_sO;azyhOPRYo7V7I8NF|c)QT`dCy|dN6bkrnyZ`BlzGHK0az}HZ4Qk&5dsG}+ z%$xT|1a|mPRMFp8rUqM|eyld^+hMoHKU62SW`4A49I>tb1RAon_R}iLjm7wEE!n^S z8S&x9w&{uyuS>oc%jS{O=g?zhlHdL5#Rg&;O4J5c}B9 zCxXMOZ2dbj{DULIXz{c&JnWje)0EpE6COr@*`4X1G(6l6`93Pp3rVNU&Oap3+wcV= zjqURTy$HqlP;d76fnN81Gt?Vz&_@P(v16N|-t6Cj-hT&r|62rlTgvC>M0x$oKY4)6 z^xF^}%d!aTDW|_n-qt{3?Gy3;_Y0x}`U> z+MD(UDmb z25anwj#|TuckpCn7vCOdhX;q>9{RvK7yfgpISi61KP9ET*4bfbR&TY&3F^l*l zbtSt)X~}v;NP7Ux5fBv8Gh$|ooc2zhUqc&_Yz}*xiiz2YQE8EPe)Lo)iawx4k26h9 zse8Jr@&pAOx=8#Lol?1seVC0w_V;vI-IR-++p-RtLhk*?r&SjBc1EgH z-_>8?kt6I)T|rib(zSY{>M=H#`~_cNo97QKI)*S{$5DVVbghKGOI49H4Y)n@c4Rby z-{y6zr(5pH?YO^#sK04f74J3bTtKw3-+rSq0t0EyXc#AEoD$9txU+Bgb#>>GS$j~7ZH6@VKZP}6JFcj&eiB^MsU9XcY|CSC4Fw-fKqjCenoGZJWo0p zgyf2@_84l~;0f9I53SH+6XmKVIIL;a99h)Pr}|~UWFAk^Hzm?i8Veh(qhCoAwtaQu zMYFCg=`l(#yVx7v_9rZ-9+57Q`mye$&GM46OXWx1Qd=NCpzCy@z8;$pm?U9Bwp$r} z(#Q3X0XR)27TC*1LZ=s$|L)kd3^_qjv<#2vl186mLXg|5x6XtmXuZj3`rvOX`m;h` zdw!mJ0UJL$fa+zP62h|ci=l-TM0e}Lasy5MC%7ZqtnI&6;V@ddVcjaPk24W&-Jdni zLB}rYJ{ePW&A!fOuiY@~g`_ZMgV8`61x}^-chktf;F3juHwXfHj@h1d2iwFlQti&h zsa9|=zv}X|l2M^j+B-zlT`%reGkGReHS+^_Gaoyd<5rk>1X_i?zq{Mt|K0CGH}%S# z-s^yWWv}^}BOZ*1H)h_7gH}7sLP&W#QfTV??2gQRsh;Ht1>DOaSRM5h zMiFmL5IOOzY|E_M7V93&PbxQjZ$4jg=rB`3vCb5_PNAZbLkIU$$&H7V+h1IQ@YKuA z9hR~2wI$2I?Fc?b=7c@-vrC%u!n0o5(NEEM7{jL8(pIS|*VXThUaR6-=~!@Cj*zbUU_1;&we-V5XVX?~0N z8@$0IPp%~)MkEOSDSNEqanE@uf!5@wwLd4gNXSycSW-^QB(YAWmJnE9=AEi^Brw636zHgsi zwUyuEn)y|d+$w>S1pp+H`A9z1SC}du`ab3&6sAN@J9;;9Zr6PVY^8V_JIGiv@1>rE z=l;O<*;(GE;cu8?H^2Pjynv_8ZT3agFNuPR(wCYo)#(yKFj{ph;De&U- zR9ok4_?9Jqj*nvfpf!=FZgtJlt($kHGb}zscj9o9h8nL(iW|MIkIja~Z)seeRz< zz0{1CwUev;Nw3`0_(rWcCTKxa z9be?v+MIY^{O-*j+PXje&P{}d3WrC{xOP7K%%00m2%XO!+jDldyYnXBLigR(`nSJ{ zs2G{3u&3hgH*;Zg5AxbEEITNVS(C=F@aku;iHhilN2L$__a9Vrr|1ug<1e`lz)TVa zqX{>4m+%Jwz@KxGwa=_2ZP3)hs{-+>7I&1YoaD|^p%^n24i%RQ^5gCriKcTR^xR12*z;vAyw0N>Be+!9BIajifv&C5g3prT)C8<% zowr!aFaZh|v!eYf{u3KdFdy_WEr zNDDqo>bW-(g1K`&sV>3P$}|}+S!wlQ?(1teC*h zb8+zMm@ahu3uCp{c*1=$d3AEzm(gdxH{HA0f`1k*{614eu=tsEE1*bCF<}K~eUt_d 
zH0CBu;u>yJ0wT5`>4kEs$)RTDZc%$884{CEBMinuDw1Id@Wza@Eo^@TLU>`>CG!BX zvzAk_l@`7V)LvCa^FRh93b|6(y6>l~+Lm=^=)YQVR%%~MVJ^^KtmFS=2jejXtWkj? z5wbahg_T>=wZ+_6w9tI)|Grwxp0BO#J$<^nw!izu+TQN&SG(<}uB(}w?C0_v9&`U} zJ>?A7t)0T-+ zBDyI5LpEei*~juKMEfV?-`!GUIM?C0*Wd|u4Q>0oLFq|QI8&E%#rKuyj8IsgzdCul zjg9x-!zYqM4oMa3zZQ*;MA)}(2^7ZBk_g;?BS%z$n~^p#lbT@Gj$XQd+?8Wz<`BMM zM#QQ-P<_MXZ#Fj9X0jFtBbO=_uE4KoshBuqAM(lSFNCbS&Bpdy z{RJ6n_Xk$A=l1KS4_?OK_dD&;Lukd#ruX3~(}1w;Bk)SmRn&E(2S7N=7`bjwE-6Ku z6C#3gbJtDGX3`z@!}p;UCWE{Dz7BmcJ%+hNg={~){K%Ep>H)sg-_uX65E5=yv)?_7 zU5WX4m_u_NUgtCAv9;8{i;fNHrH0%md_H3Xc!nw7mdLoCCYYJ_C!j(cxq^In+ZXDx zkS+@>H|J6WbbKH*#&-dR_-fYOIsHguY`a`m6j-LZ|zXo zcj)jYo0*b;WLp+p+K6Z)0Hjf)W=BNL#?#%WP}s7UZVtyA5{0(17LpoCk08aMbkRlOu7GZXwDoEzc??(>~GwHCNtEgJ~X7O{Ri^ z$da?ZQn5akQ=xxRA5s!Y3_7Z3-1F%yTx1(~9K<_1J=ZenZibal+PJZi`-5!Uj0S=? zn-comu(h&X0OwS28U+}AMcEvVr*(V#y<6chjV}kzuLtYIT*SepwWF{iU%CdCZWXqk ze7WnL=B@aa<=fX_LR?c8YzkRF7VT>~(&k9)a~;R5bF3?lR@Z{-aZA@-GqvFP^=KCp zlF`Z(`C0UH6}|gfx3c#j@99!W{H*jl+J^<~FkZt@xy6Z=gs(ln$SXF2P0yY!K_pV4 z6%VVcD>r~4`zv|*-y^#0{{LVw_-hE+Y~i=2<%# z=T>Eg`MkVm_=FBODNm9ro$QQix{5VZy?Ce@1UEN;vu%mz&6n?Ps!3rS%eb^Ii~DM- zJk{)lDK`n6ck(GFYcC{fpd9U1bnX6j`sPAyxhO?XDvq38KXZ}^-_*k8IS%d(3t@NEvNgxAh7x4INH--}Y zo9(q$V@YS(W1;($^n3FK@NnjH5&H}-R_v2gFOY0uMbO?^3hj>uJH`X)hC3y-73DYn zkeYjHC`tjUS&@;NDq3kU_qfTfoTTHP>M$KQv1@${PhRk2mEzE_F}bz%J^uS-pgLQ|L+!0_usUVcBJgUe@Z&Yd$q2Yx7NRdOmcxS26cD&eJ-4WvM++} zDN~SwiDTwGM_r@cP1v%Vt;SV}3%f4XZR8uQjhiZIn34^Oa0>^-eRqF=s(|}RAz$89 zso*D_d0v0SwUX| zn{`quo}5vQz9z?3_dVKjd+BNkca9JU=mC(^yr@i>pF3eYA4lZcK`BQg7CF^|4dw$l z#nYR2OGQy%S<!=-pyg)XeTD6n}4a^JXuKfAFI^g7o^2oEaY5jkY8$r<6s!XQITUS13xZxoNCNa zHBsODY^a;38sW>30q*=49O)>lmrk-f|3E@2-r-n;04xawHtXj+@u zN%@ECq0G(@Cw*;8ZdDw8)NNn;1;npCPX`aj!7W^zLF$>SR7;%YgtKb2nm{5qR(kJ= z6ME@QXpPU{@b)!zl72EBBd4RdCCB;1qvg=y3QqA6o!&^rAl8#U66cXa=baRuQ_`4+ z)=B+Jw8QM8s`^wN;}nU&x!C@^fa1F*X5dcMc6z94>DRaLDr!3o@36G^w5nbNr3!i*dRbR!JZy&NqOa=j%1huc?)3>Al9>G?Ce%0U`iK~|`_ zUv!m+Zd!+z%h7wP+ZUL#MaN!%3MWsQ_g5lkHvm%b{AsVC?|PF*mDwpu{A(>BUQ~;G 
z616XFnw~}N*&4@|g+s<2l$=o-vVAmn-+pI7OnY#dcsFTzX?e`gR|%sRheAaT86e=9 zq!)B8wRlu3wW2`^AG@pb5R!|*gb#kRxFoHRJ^KA zY4|zT)I+94iz?~6|Bcr)TFPcRX#_B(Oli&aF#kOAK0_dox)c}?ec{~auW#r`vcMfH z*Ir)P1(((MK3ZOXjdF$SPOKF+Crr>O2pHNLi2fkX!8@mZDW-SwGWW&XcNaTv-<)4W zC<0Dzr-R;^fLVg10f3&k%99j@_?%Q>5}U-wH)W=D+tDcBIGIv=%d}W;Lm|ilg^&4r zshgmYzy`#;7~+m>MZvah4oj7DF%xOH;nU?UwxgOj$i0=#!Haw7C!Q|Zus%AW5p%U| z#@u+|jRHbpP0&Ld;7^=7wXsHtdf}6fz({PZaYgXD}-)Wr?UtB zUo7u&uVpo2AFdN-gMdca;n}N~LW&du5*);;4Zg1Q+~N{dFERb_!cN;{|8?zHD^^c9 zFUaSYb#y|&o9?C9v$PZ&;sr0kho zyj-?Q^Od(P~&WRpgxuZt;^S6HfSBXo1K_635;#2`i439|*kPGG+xOF?r%2nCSg zcwCm_C`tPdr!RXZfn0C)tT*(iLUzJW22MTlP%8U$){-LeEVgT3yEE&5%97V(U&+Ik zIm1J>-UJO0S>gY;eq_KJoMc05{Z0I0a#r5BdlL(uVZ|dUKsryZ*btk12k!LPVMd))~$l=GK zdNYghka9DOg#{KWAIe!W6Q3Ayf^q(#%)<=0y8-vYRuKJBNI=nd+{XG-nI{1HfmM*k zp6C*JKsUlp){~fuHxSn)oyna+EctC>9v7i+uL<5Cixb_hkhFh7{mM0OL59IXo~aL; zXKBK>I}%e3BU$!b<_QWkBxqQx1O#jd1NHJqsx~w;Me_F|RE8nli9TKXu(?0a@SW26 z z0&&}w1eDT+r1+>x7oknDgzKB*3qkxpJ~#@Sg)3kZ${L~Q*ZWueIIN~yHh@ByrXemy zwOW(N8&*RzznE?9&O+=-q_6@g|V&J{X~($EtpY%#L0TnC)PDCWBD^I)MEA$BFM88}oX_W}P6<9lC{ z^E%uJn!R-&CvSdOPH>&6ht2|klgU!cooPKVp>5j1r_kIF-Md9~b&nPE&dP*3e%9kS z6jE!5!+&r;g@9CMkbnQ|$n1Jr)+O}Vsz|~_+svoc^#0bVY&yg`rYmqyz>y?$)Arze z(^}(6!O7O>kE#t&EDXJF&Wna zCLDhBiSr!;m+ZP=OjgUqHCH6Dp3EC9`K^(A+SEEPLm5^8e>UI0sb;=}Hn$C0P+*Hm zk>m<*i_2eomI8(-SEe)}h2w(XK%5%9hMVgHGEf)sZT*2*WO!9#bnau|AIB~tR7EwZ zoZ48D<#M5!@@L2Y`TEU~%~cU0o#hHiO=P=q`Jo(xTE)*y^Ds zNSPNFi(5yMmop88+O<}~-R^@&ydqPKvutmWoe{x^J25_$1)8MSz$v`=%Rpb*U-`-= zfe1FEnhASXW8v!_URP^eZ`_gX!@V)~`x*`k?lpR(WpjkhU0W}ntnS6ZWTN>`-<3F5 za;%~mVtF#L==g6uNpZ4lUQ1TAn$&`RaYY-PXKO>=qlMLr{YA1$31FRTB7$*3kh*5E zk8d>FfaF`*Wa$sGmZUb8RppTe>ZX1S*mwdnPBdx*QIvKpUZT{uY~hxQj|4yGer7#8 zH*`ndna1eD5p<7!Qd})`sLf*k9(82bKp|1QN86!GaE^eH}QeJPdpdRe;TSW2tpZ!`=hxe!#q_VmHs+eBGJbnBd7XWs7 z#PdhA%s>6yw11vjpL~kqf8}v^eeCO z>GcvJo5wAXd)+dvsNt3)= zQ!sMNQPcVW<>)BJ+uh#9daxpJ&{k>NUHsoxp>67Q$tv|SsZ)wFO4N|)NK}epH!0Th zx?2h95nIJdQlK+HNs~2(k``fGbnma=f1;(8kV^cMuAKIcIG2e^FOv3S-+lKTMKbPc zM$JF8=Z`{gh?JJ 
zNIk?)^$>p|=G?>r1-nxv4aKmM*%#8S&)4-#9 z%l!YV-ilP^)8(Qb>77f9uxa+nv|{k$u&_EH&vdzM2#h2?8oq0P@z6b*2HO^FuR# z>VcNKr<&D#J*~xZJyUFOV0L&`UQ5lI&MUfCFkI6rTTfUfX0M4_DmgS7 zyj+*^20{GiyKoXuN&`ee-aC*tut<5&;*Mz9j z4nM{sf8jLG13O`u+J)88*30=E^$U22FC_6t1AmJwd@1w*md zPQRHlUVj_#kLm1dR%s|KGm=UpM{qg)d*N9fyss@pnGR}8`%lp3d#bhYOKMpmF@#=K zU!Uc+e$7u?4l5AU<{_E)hBRV^X4VoZ^+TY*A-(fBS5i*m(Wtm57!R zr^p^ril809aWQdPp2o}*!6;Vrb`p2anmFh`TE+=?&?jZw`CACNq$^$wSrG;f*OK=% zlJO7UoSq&ZUSygc@GmSN19i~9CFFlM32AAhzodw4NEo9|f2^ErO4x@arCa!-A(*UY z!yRLTO^&$@odzx2$<0!|kW&!|1T@xYJ~Cu&j)4lIoR5-+8N`(P#=0SKY%ss|+U<*hM$6m# zm+~*TdZOk6S>Z32gZID%JIS4KWSeY;xWZgBul|8tm35{%M@hliMm62=xH_5`&WJ(C zO~(u{QHC%(eWGNPK$)P_R4dc!t)wh>>4e{<+f>z3AYBxu%U8fgSf)OoDTbB|-Uh9! z9#wNVP9*h*37=y*mj3e=6P@DsN%>y}?kTn@-xi=x=7jldJbyiV5DhK%+Q58mNSiqm zeMqjQ`?(N4sEqL0ST{K`jOGh^DhwV@kR)zHTu(Dr5i*?NE7%A@S z%#~4tFYPy@!T6indL^1EscV{Olxd@;kf?pxd?+oM#btbx+%!z#=HuDLtquEcr zEXw{2!yj(e0e;82?Q@quCTf>8HS*ohw_erZ{=IJLwiIYX^g$zU^ZW! zZTJeAkVW3z6H~YDq!x2-Slba{FApdBkW`5HmO5J4h}ZHWj*>A2u;#i(;8V|Kt%W*D zXV||VEjf5NP!v4Dn-f-BhaUs+BW4ZQ5Yh7KCf+jcy?b>F>&LcD*P9C0hb)GdLB64o zJp?D#^!|=IQiR`!s*>eQndPx3mQ(w9=#4ny2HCe#A={&71kV|8w1NF@z8ELxCx!7g zUJ?h4maw*<8>O5%`Y&Emab6;-kfHTjv4LK&w_)wnhVmprWqsiTkU zZf6A5W8x86Zz>koT+*g_o6P}5yP*suzKH-3em(G^sr9cQ;%a{!xA z(8LT}J_arvWM|R0qA3r%%w6qru(8qYxL`M_5TC*#gJ!Qb4poEKZ~OTj>8i9D7J{)P zNecgR!G4%ZQ%L0QM{$uBF-lw<({cTzX{TLJ#F6@Vfly~wr_l-4+gMkF?QcH8%2>VLL=h&g0kKp9R)58OlS zK=b1TL{l;}+JmgHX6h=Wg73U~IBhnw* zMZIxNZz%I)@w-^hIJWo>6#zIApPJrzx3JU7~H z#W>?ja&-sqpsm=tRU3g2?DAgj8S|Q?eK0cbs4G%+O;=Wgk-7hsPOHgi)=7p8W<}TW zOcx-PAj<=9h8Wt54mMi>o_DVsib-h89qIGtBb^la2X9=8BO*kB76R)Bw(}Ta^4ae0 zZin)%DX5{0I;LU&^2t|EqruGJAXPVvK-Pdix~_?emnGm6M2V==xf*1zFgqHE#5Uou zxUYOUr~pmS!9<`1%mc~oTu0ro?V=HwF-cFSomk(ytAnp#6quJ%sG%9Dy#6#R;`9kKZL)6vbmn)>Y4 z=7CKXfl^dlz7*p^OCj#(Ns(5%Z}XmH4Ycoq?v5^H;yGtSX{j%P0LSVuUx8y61%#8I zSt!f#wL*WrFG82@%l@LcoGPN!yqtMR*CcK#drFYTZ1LxAQ?_LF!;)6c5#;j4$?M}c z?=F5u7!I95BIme`+(EAtYT83lcLU{6Pdr?7%>R`le3{OxQvFS_<~Pe1H<3N9Kmc;- 
zUdxTUoTXFN=xFw|jm@VQ?GGJ`ThYYMclx0LIT_-)6CxapGoG2Irk;$_gA_)9m99U-pKvn3RV0h(rbKR@X^05qGJa(j zZeq_o2^d$-Uik})5AALVB!nNlcW!=E zm#i}9VgC@U*Tel0vA3+*N|wXI_nx4#j*xvxQIqaoUKI-a4UwgOdQR){+1c>y_~2-$ zvL~o2F`m^kJAEA(zJ6mqYah|OdATSa*pv1y{&k*vLoXLj9h+2BS-`%WQ}gpg5_}wA zF{p27)!51At>H~t5$=dCpplgMGN9=0$G??_1v!qSjYz!HCeOH zRkgsHK7(LxmmKl(u{(*AQ(r>cqG}QK93T&uPOH1QmE8A^Qd#TX1HB^x;ivi-{KfuS z0s<2Xt}Yt%fK$PTGqnAfZiehG>nf$*3`8sNibd!NQFnv4*!W5#)mPT1=^9$q zxop2ZlB>mR7{Bm|aX35UWpe=O^`bzpu36}^1Oi4f0il(&nq1+p$A!BlxbgAjxS7$U z60(}RVlsg&bU(lhS>)=&Q*JLi3^qR6K@Y8sH)%`IYqZk!8X8RZ)ZoflwIK`_u_-A7 zq)sa51EkK@<-EFc*U@&XI#M9~ZF-836C){sk~lC>r@s5og%ax)QUb89IJ`Ic2b(*7 zUSz7%=}F^>tb`Uv!#2np;5?V)zdSp9_2&F|_}#(DMJ6yVY#GT8i+~kCS%2;H40z(z z-f|82;{5t%DF!Im8=OfY2^r?Hr~hGEETGRDzI#Tv%;bq#Rn5DRX|~%s4dT5{a_0BF z48$Ul)O3G7eRFaAJblF{i}*OJ=CiEE`b|P4N=lDuBmd zI;nJT*};wdq$#>I>T=4uS`U{;v?^|iEh-hL?!dJqiCdX_QPipBPl{-zd+wxV9*0{6 zsz+oj5<${>Qg3lzRn#E@At=%TW8w0{<`;Hj{>B()d!o$_;#Oq8>K1! z+~%HSTSz|fS!>(inhNe`_x~8L-4QmQRIhNtAS&4iJ&Gt^mB}!wT8nQS<}whU()Gce z+NsCd72N9$H$NLKs6$DPg8Btg>jYI6G9DtkKVe8H+LO$5D7@|Eu^hxGn8)q7%R=~| zj119`444n6Uc>gdsnRW{7TF+g2m^c3!4UT}PZll*f%M0|rE}bEMT95-2P5lQ3J}kB-TOVD!Qr#mU0pFi9Y*2nKI%t72MQmFf|Vk+P8kOE@4wDOx9U5KUuG5KSL&f#dY%<;!%xb?l}z z@+nq*w+48jw-S}Wl_Fm8C;>tzk;Z(i;;lIrEX zs*-dJP48ty!AC23L^)*8sNuj##vZYH#1So#04wf#N~iOaZ!V6{USoT@fBp8|TirQK zH|RyGG1Os}QS+kR@X|${V;jg%wkr(|3uVSL#hBSB6NUJc?d=sqNo7!hw-Cpe`8{~D zBHaqAr(9IN2l%kl01u{~j?eaS-t9Gx(XlgWCVj&abkZH5WJ0?S?K`clg(To~5eosnYS2HJ|+fFcD&+}WG+f4u4r$7^2cg6Izd%b}t zHzb=QWSd)?%mt@7x{sZ^z9!+_wEUgV5t3#y(SC zYQteBONx@hTb{D-QaUa1MDRbFn@_YOFa|;NMb;C!E;N(Z36rXFceat)sj`WC%)h^* z*!J&Ej&{B|IWm)+dE5~l3fPOqN7BEQ9seY2bk zUzO<1rASIvOSt8p=d{^`*iow{P{uG4bPbt`5!1XS+e9^0x6pRHd=X21?KU6C0p%eoJRMvBSK&L|=(>fyN#lRGfDzs`% zWPANeGu*+n(ip{q-%j;h%|`IoMdRQISqbkdJuyzK`m3d!rts)B`JH+aVt~vg6GxU2 zvJM18J@o{UYeqC7H>uaf!kXOLUJu19!gO^KVToE!yJbC=!ekC*bguBZz+=@6en|&9 zdE1Yo(4HJw4s7J{3UNm`ivfdY5fvhf(%+a)^TBdaA@fLxtfg8|&V}qC42tDwVY(Za zb9=VaVcrsFHuOXiLfl)M&2`%hBLj@DgtPQ@FiKg(bzLaC5)A^hRnZhVU4Q1UNf}l1 
zmOQLxa)@OODT-S=DI5j;%P^mmNQGXHk<~@qfiqC%Joq;eK6^-KSvuY8{dyn?LauLrmT4pQchE88GzkuUG={}zK)R+jALo3rfV+vDu;;L!cwv*T}6^?q}j zogbh5>E!VEC)c~ZFgN&jUwrBF2tumTR;6m!cBVPlYe=eFaV^~tM_FXYYIa=$V1YN1p-1hXzPW(ZhfS?cv|wzDx(F^}dwVEO z)=gCdeOSJ`b-@?cBV>oJm(84fR1dA7qT9`4X_Kl+m36~+3N=ijs)%tl6XLG5auohO zvdA#C&~-JJE&hTmvQ(#91~*GBU{8#TB$%&mqVI}JoI9)6ySp2da|wG)i^UGZQacw+ z7ntwFVD;(Dtp~(35^U1Nz%)y=mFO*+;zl+|<%5lg%t$dLWDEZ%V6rFip3WrKRj)*f2U^N)nSBGy7@rTs;0 ztQaak?u_Pd%;Tl%=(qBiUfiVUHG;bbA#Hur9qm!dtp&O@I|lX8ZIKKrnl+B`Cz~h8{b!wRMJKSR zOBTvfoI)>f>h};@;c#!TJGfcgPPQ3nr;FR5aZAr+2V;+nng9SZ&VU7})mS6(2Z_!? z8h|SHR4LS^ zOCsmNpg5CAdNgmI*j%Dc5`{lH-6o0TQZ8>__`l(o-f;g=72jvheP6z{(E$G!$bZva zYbE59FqX_{+M~9uvSLuFrQ$Z9RaQ^R%a6B{{eKi6XStl^iBDMgvonnF7&Y1Qat^MkOWzJ++NVm_eu9Dvr z|KB{2z`I#vQNCuSgjU7X=@|=>CYo@qW~1L#)`m<{&x$Q=0c_U&pPuwIyefRc0wbsX zC!so1>+5+_4`KmhG&fJh9{RQWm#7EHgYwBe*AG6(eXu98+B&G~(tKy%?U3-!e*Dgp zRqs5JF6lc@;&+~|dgp2OEPCf@{LV9d$GgYnp*xf)%Rc?`UBhk?u zh5Y&&9!r9ixc>>2=OAuoKl`E0KxiXpj>3DIZ3Mr_hEbi4aFI;qB^nQx@NDlt%M615 z$-X(uPTqcaYAjAk2cP`laV8ziHZ;-e6P?@pt?%6a)6hB3MP(s*_rKL6&br!@mmV?V zr|F2N(Pj+$qG#Ai(yaL;@`;hSYr3a+X)p7-41|>Kf8zbk-xuchwNMQnH+{oruhMbr z{zvD>2WIQ^G5_$GFaq0zf-&ynHMIz1zKdk6&(_v_Z6bWsRm+wa#D7Y;tC&2hka$d}IGON-R2b0)#rFr7 zgVBI%*8jTe%weWC#vAbi>AvR!qg4-B3#05euHi4U|B;P1e3$zB&$FXt5rwJ9Q(P|S z;UXZ52%g@P-c!5np^ z?|88vvO(kLBF}`ySL2OQCbxG)MtJ2+AZC?T(z9fv!DNsU4~Ph_GA(W*N)fsu)uSwz zsaA?;(%^m%#qC-NUQX%T<`1V5%az2=sBc=vbR%YYC^pdqWSTJ($!2Smf6=**dP5I= zr|gSy-3m_IR6n&aqb>T5q=CEM0JGVM_c{RT%gE7=)S}^KdF^w5%Bi&BUQz`^YGf95 zKAe<`g|pb2kLqmc<((|Up4zz0&vZN(1JNfx?Q0udedu_2Wjjv{a63YNk22^Uxwmd!f)WNzyLaj0=_(1vTxv{&fyyi?)iJ>7r(tSp$LEB|Tvp?eXXo%^5u8qz>a=&0G0 zo6|_u#HIyk%9x*Fpb*EfhA@Tk^Aq3&qvsWqib|ESiW*mgDcY}=~%NyHr7BcTZ=?vOLP zAcZO&Z#!C;U|^5>XQ3oWoh^i#0C&Mc)Vn?t1#boBQRj7ssjqpj&V^2v=k!s>_#8|LEp($IYZ` zY>S~d*Weuf)_S|=d35nN57E%m+|X$uS4O8W+M{lneYLy0yMzBDiaNZeEGPIX`v8YihmED4E(g z6GAHnL;;NadC$JI8FiMUAWiX6$sBRh$@wSSh2QZr=+y*{4C~Q&TWU3Oa)L$|2-h*Z z{?tviy{~y>x`}Py8v>4eNb|v@0jeq^=6x2I%-d0aD6(w9WnU0a!9T@wifyAdyuaT> 
z>6J}rZj-UtX4pt>=>++%h7N|t*HM`Q>@xn}u;H>VSMNOc zM!NU7Y|-vpTg&9Z<|fS=+teO(AIp*lu@YIbpKNl0!Oiho79 zx-9&(x+&e;|B6e=FHbAwy=Od`$?I5?+9>T8212Fv^)%F0&Fs?$X77UN772@9pkxtCFM7+FsX(G^L?!zH(|1 zbdvOWo+z1RZGessi4=)B+OyIPtAZ04Fq)cfuY=*8TD-(pIYv6s79f#N9M#@K-8jTX zudatk8A})~FmvmQ|yGO8E;$5CTk(#E- zZ(ZJ(j^=k)Ovfir!?YUuYbJs1w_RVWs+*h?-UjqjM`wl^#_qnbkMSV^>g*mZ3Z0^Y z5@t6Ex=bj?RPXZ!&&)<##pn~Iy$k5%ty{V=lQ1r$h7Ds>(-{%h9A}pE_7`_GLwi$l z0fj{(-kFnAIy&AuQ-2jO@Vrqm|Mb5KIws@qNn-F-NuWxpp%JezC*&GVAt~j9%uQx% zUDLl;&DX;lZPmeCxpf{m$z3Na@?JDHiAq1!4E zE^0oS3?-d;U2_0C-n06fm;_u@u~J>tEDB*dXD`$rM1Jbn|7Koz+tjwC$lXvW>+t*$*!b9?S_@^+1o-9HIGVuqaa1?wDFhAoXZqLM6tG`f$ zX6?YoNum8~4U8{~PD`upJsG^^+prZtvN|!g@Te|=I07ul0G12&u_b6)xgwM-kCY>g zuz~ykLpYj-s;jPg-a-T)%2^$r{ek+E<;S%B`(C&BDIENkaTR^_Q+H&*;QayjWXJb} z_{WzNd!YB{Grd%i3*kN<6k4>qQ&^~0lQ%UzQzCamdDf9!mrO^@64i`C5{x@#ggQhhkTet! z^FdvNaG?C&03=^2wG#D<66_%b?12VW>tRw#BOwK*Y!vxie(Ed@iPbUO1FD8m!&gHS z>Xj48!tS=^%Tvp%ZKjrS1RMG?@C^-;JFnrHtg}QA$D~4@w?q~q@&Es9H`sTFhi^aZ zWe2B6@~`_K<$HPZ%{wi_`q?w~??$89a9%BiXUx+t1gI8G>134(x|sd#Z#UI#vALPa zTY63+;-#p`prHBuJG8O&VQ)LLkLnxytyg@>qRx!`E*3D?JR&Ay>m9ef3j!bg8)8*z59ThWim;XI+D<;l;d&SgQ0kJ7+34sFpICpl<2gGeO z$;QCzkPNq+`PqJ!yb?6G2BLh8obDr((4fZwsGBoO6o7${vwrv+q9P4oFJ5(w!AVr;ZgvZt-H zS6nX3$#@88qV)uM$Z&=taH$0G)G$VX{=_!aQZB(#w5F)r2K2S?7ZN{9O0AQFTi0hv zXlV2|?N>t0CO=1PFt;dD$K8b0*f&1*C=I^BV}Rfx zS5DFta*#XUmW}l)zehNC=k>v%dt4!ww^PJ9cdysF$+Eru!PD(*6d&Ql_D6qk7-jFv zEEJ7L(22Nrq6=tMB<8fe?>ZJLb5qscguoqm+)64&!Dp|c)QRNcRzx&Lm6~LoM+FxN`QI67h-? 
zyIw&4)cI9m7KOnD7|gqtlI7VX>ZxwIK!e1@oPdC$V2CmY9Wp4|mRRw|*#0!0s zww(Ea(J__olK8#b^urH`gx0Ld;2U$RrTonqr3cS6Gfg}<$O2&~!=%lvdWw$B=h=qA zS8Y%zY>e-nc~XuH1k13k@N}f6LBaEA2xB+7@PuYt?q7Gel?+YViJtQK911n|Y!9ow z|LmF6OxJ|_f%4?h5oFi4Thb0to${zHh4c|>r;go-PG!dzc#Kv-@e}P2v^gwuUfaJoqV6<^E?bzUA}s%k}-w-u)FqaukLK#6_?`p z-V6_fO`5h~tN9gLXfH0OR*V3xT~{ZN`<&|&c>$LSIYCN3Vk1P+`js8_P+c#ss;UK` z^r>;QEVFo(;d;?=s8wRe&To#Z<$NLFA0ciR)iWAL0{1O5%ABs~>yyVI080WhS4Pa< zu}HGleSrKfdnCKRk!^Y+hFG-n_^2@^4=YVWsW=&ejnv_#at49}Uad5E87Hjq8Q|hy2LM3-JV^C;WfL4djzW+KBzZKg8G4 z$C5wsL5^c6-}T+6j3%s)9x2EbH|+&+L6z;O842m0@UM2mbT8ahFY_EvLfV6L!uOx< z>P&wXlGC0yg#;y@&*{^^eX5}QK(^^l8EUM6uWZci2`hytSe#I+_K zxvL5Wy_JuN5sN@n1kQZJaFiRE6a!>pF5BGuly|Ky) zkt@V_z94!e*@AHCaguzeS(u*yExOxsd0S{~2xY~Djhb3LyCjJPWN>5lX{PA5R>a_D z1YqyzebRu^1BJ#2;KvD=lE`ruTbzWb=rA0Wj?1)Xt-avMQfonD3 z>Eeg8@Lj1UGBc=*pklFO!1ZEyHu8*U_kHQVRcJOW@z&tdQz5@1w;p1JgqZj1p)R^n z*;Fn(1glKLW}S|Orp|i65AEVc(?|I!tr7rU=G6GaUyG{%yYAiDt88nwbenjTy)W*! zF%OrjkhKw+pLLEr9b5LSHF$GCOYZI3mTubZ#x&4B%@B`yB9oD8D@_oZu1{op^2O%W3VO?X9$Z;w6mlx>;Edc>`apG+64Baky^8!Stqe2zXb$liwkaIZgky35MK z>S|%Bo#xw-Zm@kfM_`If)?l-i04Kh+vAdCNnM$+W${zGX&hWVuQw+^_1akR`&u%%e zTsfvuPU%DoT=wiN+EMyFO)5zr;1K8lET*LxFFKY1-GT0RvG1cV$2lwC|LU*#Xu?dE zfp>!ZlAs=8LbFyE`4^S_{71(KV~pN?!7GJj!+?E$+t@+L#A zzS`JL+n5AmIxY>Tu`kF5FkI{S<#a-wIrQ=@rVg+zLHF6(o+fPNSqx%$fU+I zcyiUDw6NCg@DfW`(a91BR_^Jz|lM zfxMKpzXx0L)JfCe;sa(-Z^h;y=2GYAjY~_r=tr$AW~DF2yL5d_Cq@^m3FhC~0m+rf zKga)aa`+2eWf8LSLpK@H9b^`j)~06nbpA!hA$$)GjFD(7X1;2!foSDO_PG#79g+#@ z$=;LQcFMYSjz1?8ebSwFb+h=v!}<2&bH?K?Bn0aP9xdMKdWzV<)35e_+a8qfV}{?8 zQLzsl!#2Oru^YUW=#{7%GI6^|(KXm*$rArgW;0gKH)_v$7G$tDDNzEtsz=%sm))+xzlyzM;XujjmiTvX} z^5RdJv}D07cWX`2!haGss%zjeVvg4Zx@JT5U8A8LW%T;HWGDHEps{t0-j_bB)Nl*c z^GMPtm%9{i?7WcFF`+b)Xa~0i174Y_ zex7&(F57Vh`tVxO&;z&1rt5k19Zg$(+~=H)gv=BnR1jAuL7*2(79mvD)%*P3E^@QO zIXHja+FyFolz!Lu(pFdJMoJF)w`EH-3XO%kQRjl6B{3-VrAzLvYd+l>$vUQ3 z<+nmfGZe4)@TQv8(&3OLb8-lK!TpzDGA^&KdKq;9W|UnOlKRADhf8hU(z&%XHI(0b zqQ?xMA!T~n&yLQ-3A&A+=ZnSK)@@ykwts;hyN|i=Pn_^lU;QV0k2jvi!E9$pjxUD- 
z8wo)V`dQV_Z(u}X6*8GAZ6nhb8Yv7mrRY?1rqL0d>SmulYp(q|t(eA>LeNPks_r4e3Bol=L?2u|xTgtX8kuP3g+g3-q=>uTs_@*RzvnfeCL|&j5 zmBNlOFR$VLW6%m}PZ@yuw7M!)kRu9i7?x_m;*JZuwIrKq9gp zEq31GHWX+tcYR})vD9+f*rvtURmG0cBar<)9rvBEob?T;XfF76p@A~q_jdGw8#FI< zA4|i&AGjtgHzw%7*=B2$n-aO1R?|MGjqT`uaSeDj?gVP}^~tMOC+Ek9Z%&WSUF%gZ zq=)VIMOD!_8pgcE%|031ZrhexE8)Ok)X~rZnw`t`iR%`J4>Y~d6A49jgBEKKAG4Bb zw`J+-Fj(VfP*WN4Ji>v*X+wb;o~B5G9W}web)#p!o?r-S*}zuqE|6!IWkG?`QCJD~ zbfhB9W>l?}!e9|4wFe%1TbrYb=U~}xO`%F;DXz+ofc)0OC20>n33@x-k__>Yt4&|C zUlk+>a=l~ktl-XGxe~IVE!Fy;w_-IKx7KhaBGmzTVsonED!ixcgj?Q4F&*6tmNATE z@ut!wdT#)e0fqm8<(4n}%PjY*WsLJVF7wg*Ysxy&dWaN^=laX3;D8=lLJ!~(B|L14 zE~-KZWB+^bb^Xd67%e*;fTRYLT45WGs z971yMogE(@pZw_?v1Yn4|qSz@bW{r#WS-+X=6uX?69vi&E&8|>|WHQ4(S|H$_DpAL2hdxQO5 z%dYgiL?--5{Qe#G zRYb{~Yk^;WSyz)K82+%-#T@*{d?1nyUXb90an&LU?+7AB)4f z)4MmBC--yb6iSf!pEieaV0-Z?9IDO6N!wgGU<m0MYhN^Kfd|%xE;v-kD1>Fu_ zX;JYP&Kx&Hy>K$~R{d|T%k%r$g8L$#Km9wp?S`{*KEjBzKR5o@oS_Fa?w3~D%TCg* zWKuLRQ%gz$gbFUn4a6ggdP5Qk=x+@0-*T~tdy3J1ieR1%nGwk^jxT1PsUx$XaVf76 z-4FxNHK6GcqVY)PZRh|M`x}3=ww-eX700OQI@o8tjcQ=m1g|z_PEIe5&rT0sxtaJS zFpf&sMRoR9%m)9?=%x6RYRN!F8?!jNE;PWPcGP=>p~;J~v#jSkL`Hq zs+z3HlCTd~WHq0XDkX+=a5nIbm;}P&5Yil^=2^}s z8rpjR&<08<-;s&MC^$tL#WeN6htSDEz3_h2$vC7f5Wf%ZU0H5q4QIf}7DPCZwcs;4 zFYarJhC5%9bh2|1?v2mlw)}{%XqgT@T`J<{)kiE<6G$jYTUud4H)c#{^Z4xS%~|&L z;G5&0U#_qyD-kT_Zq({+qB|! 
zK#ItBa{G9C4XRrop82P2?yeT2l@6PIdLO3I@at_N-&NfVXfJ$YWrH>|{)1eb zL38DiEb2$)KKiO+I*fdY!8sgC|AfHXiRmmgo{~R<*;+a~b6Q+ii;|MBN{*p1tx6~w z4j+5epBWr?Nv72#cU1BMDcT&QhCRCw>{)PK#xld-T8v0s&-1ZX(xS95?9XPeqRH!+ zl0-9bzYo!b(;DsxvBFgS!}Ig(-2Z`oaw>G{887P@g7N;+wF4EMn1LrXi$PD^|3lMt zR0?xtBjl5%Vnm>W_oz7cL|2EJ&c ze2{cD_2asSHpNikG`lQ?)ztkn66%yrSxSh+uJ&N}|J(QjqiCw zA(2qFz3VFrxr`h&`~5-o?b-3m7rIZLe{uK4cN<@SargV3gRj#)oD8^8X+OO;93geA zX5o)v_lv$fns7&{CKMji(=-?iRzGub_;z@9e13c(kC+vxa0G!qk7=AaW@{+Y1#-`u ze&)4Sq)p%|$=-?h)i;%3J@ak~b(l+O;Rhj5>@v3EP)+wEMBjikQ(wc1z!Y4)T8kMz&z9I-X zAH4%YLq689hm))MOaRsm{HW*0i*NHFs2{Ge#D@oOGZqE8e;Pa!9@n7STe8%P((UzX zSWaRPB?_MqGqy}HoG3FViTfUqW}PMF1|UY1vB){BE5t-V?WYoc;$FPBj5IPBJdclierJ^)^s4mw~hCcO-D<#`N;d z+3SM~+&$;4C;K9IXA~+h7e2|k8)R=4HBZyLA1FW&!u-Z{45I zRI*AIqpn+cW`#}bHI{?1nFw(-N$Y=^j7JNjR)yYmq|74$8UO749;`8Z=g`dORnsiV5H%17r-pANy%5KR6tqZANgeU7)nXaWLzQ@7)rH#te*c7q z!)bLWH*yM^$612U-qJ6uAjb(2pW7vZxekNFE~}Qpz+K+rHkX`z_d)T5XE%gw=NBWG z26Z+HOanm-v*4DY^CL)dgFr@Xo`{Vs zHE1>~>0?t^XSzvRrc}p9O7YA%uCT=#`LYWwQs#$r`IG{zUPK@x>JMUpOm!>kp4V>R z1SJrnYtcXf6~vM@8;)mAk>nSfRUGK#xhwLT#l=#V^Zti>g)b6np6)SUU5U>*9ZX75f?OJhnEjzj+B83%)9K-c}zJCd>*pEHahH-)NL~ zs#>91DPuxRP^WKzRe_RMY9|anXL-y@V5D10OWPI^<2I9$th7zNd`|?V+P~{YftdMe z6aIqk>m{mt=3d|gDP(!;Y!c%i7p^%E8_xbK=Wd(5=T~MS~V7(kbB8`r{lT0 z+BA2AWGHw(PXFn6nB3~Ol})Pp``uVy%c&jr&snpJCf#38oeI)_4YS&&!cfrTk69vZ zYl6HW$&uoKqT0o>_Vcu^%)-(33bDbwH4m8721;m`L`bd^iED@JMBP-$pFaVV1YQ$w zvq4%y<1Hq`$#k6fyhe!1LgI!k~%iDtm40lN_x#x!1E_4n9P1>QUfkgt+Rkz zgH89X>2bYKd*$|iApbU)(lx)DRHh z=<};Ktn$c8{xX?Tcb{)0cdT?6Z^(z#4Pu{DiUI6ddgy@tt<)SjC1~HnD~$45dC*CT zB$02tGze~;=3;vDF07{gY2f366m~cgR zkJp7K_uVS+si{slX zJ3ao>@mYFx#Ro_Z4bn=`8g`3Wm_QHf2(sl6q$URe1wFYcf`YWa#Lv`g2^DGUdG-rv9Sq6R|b z)kh4?T3Ru-&zIjnPAo?QduY=B+46t@oWRmi52h6btri6bM}ImvJv=^g`~Tv*H)nr@ z$L;6O#x>L%K;XF3J(mQWZ;SlHefFWM##P12DO3~TKyNNYgkL&C!u^X+fPpwL9~EZu z!1UL7{$Kb16ID(ARcy8Q8l%p~NCMD+3V?W6pW)tb6ksrzHMs`;$IWf6nWncx0p%Ht z#I5qHH1)S*WZ9P;BL_g-zvjrJk;Q;8{`c{;{udp2G_nR14!6UsnoNcx`e6PAM%^4$ 
z_EkD!Ovb<7h~rT;M=Y3+|7s(SM-`7aCp6#is+;t8{NeoQxzF36st7G;s?Toi zZ)ftjq;~<~iU}ON*N9WCg@yutw^eUjEz4DrFP37#&Wia>KC1(!9s`v6b%pyR2Tx%5 zQ|sluyXT8ZNGxG83^mG4>zA-pn8S)rZMbF8;;wqt+*+@5C_D(nBO7{pcPp%=o8K%-kkAgqa=E>Y4xK!`*vTPM05_ zr#*e3lWrgUxPHQqgaiZRFuc7O9v#0tK11IP?^GNZjGy>yg9yXlvvyQc@kE>tcKXHX zrk07EwxR#6v?)7^aQp#ND{01y5bsACl}@8OFtiGXuQAE^Z_ynD;O)C(tgSqisaaCcGxQXJ~JV z*M0Dd0CwlIp=_6x5N5v4ypT=_bgJEXy>_@ZDNyw7H{qPz4|*Vm0aN87VQBBFDK)uj zV0}@lm|W12Ym!(Rn*67M5RJHJO1yqe&H#jj$zNYC1ZdWhSS%HecP=B9xy1Ub*sV#A zgJklz0ejI;yD|b5DAfyR+c#!l(D5=7E1B|{yxsAl)$oM^>f+;UQjW@nq&W0gCLqPS z`AocyjCF*TAIj3^ij|cwNKUX}K5yNCFtYO|!(4tK&=+e_rWw+aE+-_y>dCLV<)SQ$ zu7yLSlS`L<_QGjQUzV>b^gASLsa_rs}V{ z!17?2ru0g*vXHp;V^K|5_9D2XMKoDb6^g4aO`Ft$$Z3)Qi!=^PKWKjszCvaoTNiub z*n8^HdR^*Uy{iYG<|E$U>F?E2=*#3PxSFHFRW^)DHaRZ`D3uYYUd2h1>c6NXgX}wv z-$i}Xv8fLboud{&Q0!1Y2mdNAH3fjO3F6L+3UCY&Cl2I;ziwUOXFYz_%3$X{G5w9CBlBtZsuSaIXt=9F7JxlF3A=wp- zJYC&LF!TVPkk7}&PpJ|~%I&q#LhE&@Vlr<$ytKb|SD{b6!%p{6Ax;|XW3aYp>ose}$?{n74n zoB0~SYixQIz40Y2@+CgG8#uZfDo{j#*mnh!LvWj;l1R6n*r75uFo%gWAd*~sGH={! zBSCa*_-F`Z7Fx*m#AA+i=rf&Dn(cknoO-e_7k4fF>cT|oTY11c9q8h(Q;{ori&A~c zg~dzF5{@qsUZ}K87kDWmA!!Ls)gWF7x_~@i!PaC7dE~QuXeJ<^7$vR1GC@375B{B?$i*X% zf!wt#n)d^pNrF62;;Y4ZDQ>0u6oHVB84r2bVj@?FWyR~zh&rDbBSQsr0RkT(M%O=#kCI(=o zq5o(&1JeuTKDi~8H)z$}Zzx+dpf5Pue6B!Vm-N7NT)?Su=oc2&b7L6$yI-~ro%>t1 z^){bVlRlKpy6q^vjLrn^f zZrpXB**8$gn@|X4jX;~O>V@lD0?Ca_M$WT!#Rg!>5k3~!7-}@A1Xmc^7nC6_$d%o{ z`dub%XaTgck}6tBBEuDa+7{93{s-A>q!dSc#2;c2aCF(Y=C#_*vj|r z*?mak-2U<~v&73{U-oL*eKieS(h%B*d6?&~qV{93-`_Wm1bvyT=eF|p(B>*zrC zW$WVW}w;k;vaqpqu)>=MRGwaWNsXFSr#$?v9g%WdWU`l87K1&wF6oN@Gd;Z*6 z-nle&GD}U~2s-{;8EcX`05|&(R}vX2tQ;qr*Ol{?`gEF)Ss7WZ`LMc#Oc|j{)k%_g zR=cauwu5)4T@o4;bD3jJjge+NMz-LujT3lpT*h=o$&lA^8^DP~RlQ+ludW9HSMz_uKWI{_u(J$vn1? 
zJ~Rin3|~IgRgthzvL_nb;SqhbMQcr(ZWE}XzK}s84XN!B*7mA0hFLk^5`c;u%iJma zz)E0}L;&X~bJt$>z3!R8VDMLYY5Y7pIbzli4rBhmup3#%?Y4{vK^ECEN6d;F7M_^K zeDP8qDGWvyk@QZT*9thhoR(-lzpdy-n55z;+-VIqS9G&6mgm?@x78RrAv1*jVgK!} zaQj0&YdoQUut)ICi>Sw#c;z`4WGHGJk*o?3L-9BWp_!v|v)9x%$)X;m+RRr-281 zlGU#JQpp}tsOGsZy=Z(sT1?*qUxT3-YIU~v8=FHr=*$w#7iGA*uEte%Z}EbW(#;d?{cvOTwESR2y!v zhMDemcKn~O-$*$A?D+hx`}cJPCXy{x51PKRVru!5`NBf@x75b}l2(z&N}w-+7tTEO z04(Q{ofyir8>grqXr4Kmr50;3V*;DaCMF6-v420W#b=(^5+Ms6A$~!v-}9!Z9R^I6 zVkG!*R3!2ZwIWoSxp(Opj7BPNCKrW#*{SfQ+=LxJ3X(e&3|S@b?jgJ?A_H1r}(+wKyI4x zqM35O_S2pWJ|yKp5{RG4l>+0^84~*xP*{V!6V!tgv>4P8E5(VDWf1#hqyuI8*}L4f zt3nZ8HP4N4^#UY5CFc0ibc-N%eO#Fx0XjV~ykBa76z{1Ge$-j11~eZWOy+LCGe z2llK@YV$nW?}+L9PKAhz(7Po5lAfygW(Hn5|qr@1k-#UhAR;l zIS_P|nmi0Cuv2G}id?l{?J5e&V$e4J+&^{C_s^}N#Iz53rg-Li20}{kxJEr?2U#+*OC>J{XIrrMka-Z&0)xy)dXQ~aoIt9 zn6oOX01bk85yIr_CNf@`=BmI=IGR^NXE|d1s28mMuIJ1(6oWvzHHGgrpTw$1H6NRF zT|1NAXH_A#m*Rcw_grKAvSE@%WP-cSn<$5~4`06U+ObfrB0LgBMi8U{nC|GkCJWSq z1S*+^43hixS5CAq=stP-;c1_q;pjFVWUT_u*oUD-jccs_(Znff>dRJB8d7uJQ$I)& zZIlH6X&)})yo~ik$MWxW{;_`;eMjOOQNo)s+VNCJ7)FWe zPWM!ZP)3RY129?kn~Yt0o*Be~h%k|Ie)Uwk1*i(X$Wc5uL5~MEFwnloG}%aI!`{QN z0qe!6$`;N<_VVQA8<1oyot!|qq$OU>4P*mQjt|Z;j z2$(2e-IE!6^!eed&S$0j(yDp}ynY7X##Aee!nF1Slzb!=jzR@`>wXJ@f*Uk^edv{O zG;whFs$+gJv(i~IDOWKvj@1)j~tAOP1uii+lOf{PDjwXEeMHipDkC=yw}WcOdt zUcyUIu_!N0#ai<~D(;NGJ$@}vVv3%KPSA4We*OR2`}*%TuIt*LiN9hBuOvhYLZoCV zvGUX|TB2;eNF*ytw%fW39RfpgDgc9E2BPTIKmOgl&pG#FFd!wzPP)2Yx|&er%$@sv zzV_LtHBX`;`@Tn0Tmnq_%&mgrXGFzef;v|Cfipofd8pnpr7~2d;KRCZOsP9!drF)A z>|k`_XVa>dVka$)WJw<+a+sV2G^Z4y$yZ&MK0NY<7(Sr;?OA|IjpRvFRkH6`obG9M zFxrnf6%IxR_^*e)tJV@GU>(ijWsnDkf#S%9K z^sX1*@&$_#)zMcEU%gV=$|H$~*a$DySCmvaYlYSEC+hXpl|cWH{(YUV=D4K$j48^z z#7}<>J4@^rkMec8*&1hDof=8w&PoCBg}_pTn4A{w^fJ54Jigsl!2SRD`P(009$Uo3 zU1XCr+zoliMdiChHhX*`Hu%UwGRQ?PJ^+p>dCnEr=b<7Xc6Oq0nCX=~Gda%Pvz@LJ z`1~+Fd+Ct@lAc6+dIJ^lX^CHx&HGODBXew!E85)!iZSR@xgad9fB zPG&mbW!hMV_0%5R2>ELT&%v%-9!ZNza8R9JkGUdke zhHI5a>oB6Tk7h5QddJ-6L~7UClbPK+ksi-&+s6(2l{>?Q`#I{}YQ|-i?!}VCUFqfu 
zg%;`HS0_`9Pw$1neNe0Fs7 zM$XnDGY-;eOd`Gr;o8LN07e__y*Pb+cr17JjwCS2lXs0%o{rht^%Vwm>))}n z{)2BtfegFh4a&V*^Zt2$7}7Z)BTrAlv`YT)GfJ1ZZ$j(qH3YMy9N~s;pFSh_P-sACM@-<98vI`|4 z4hsd~e-1|T+rYH)6kh5F^0-e>XSU-a3SULHUrCW0vQ*bI7s|&>BVwx{31z()UmjB0Q z>+Gh`;7dz9y$wCGhJAYxZb~a*=mG123b4!d9J{m;1ooa=c0x&Qy58jj_k!NVZ{AB; z!IF6&8RJCDcW&I(Mh|_hMkRv?TnKX_=h(GEmE$(D1stUE5RO2sG{`KI-dLx#dkDqf zB!#5tN+I#JVvR8^?rmIPFXctwmMv1;6T~f&J?)+-enz0y3d;Qdc_&AL{hpY$0*jLb(u7$k7ygm7p_ zDBp2FBe!E5SAcpMeC$pQpyOSByD>?u-nEe1>Rw>MZ~lO_3l zeXwCus1%em{d)9fw5}gG9rQgG0o&l8-EGVRDIqsATDVkc+Yht0V$j+6htk=#FNGCA zB;qsHUHWi2np|G__U|%XAOLZBjU|Pcg(nwvvsxp4-g9>fpKF{uXR=jOkKsmw+f1cg zkEtjsa{UuYf<*hnQYm#-UOadW*KR&LBxrv%s;kcKzdkxYN0rCJ7l&tW51~;1`g(P@ zROJSJZjpNCEbt^#+t^~DMS6%K1q6b%!FcHig;xs%X9*1p9)k zdy7>Duje9$OW_{}$-f>N#b4%`T&C%LZ_1ZLM%ycW9=_k15J^q&89|%4r8(Zy>a@7E8dF}OuVsg=W`ys8 zxwGvI_Kf?&=PbZsK|ulk z8G7(C$z=~6!esaXG_4u*$(iCz4-sWL#M%wo-a(UI{TOPay##pZ^C7*V;1&M3CVM--Whtm-YKM{2mJ3&LG@wsGlY~h`pbwZY3p+Zl`ew6cSA+e=v#I) zE2D$h5LfYdeqHG!pZI+FW2KF1*PZ%OZ#!RrsBZZ?bT$(P1-e!@3NcGKJXyj^LzhRR zY*f(qTe^9_E#>4|OM(SeYG4eu2~_Fx-%F%g0QTny3Xz{M#Ug}pDtGH_S0lS7D}!&v zd>Bf#uMF!fI8zT|VV7-)It8o(2sVsc7lGv)4qg@&1RW>QoGzPZ;WH(Js_u8n1(|Di z>)5{5Y%aazy;#U%JMYu3cpt(zm*l&}CNmCFTs1nRxrR{#JIT4*9C3Vcc5`|23hjJT zjRfA&Ti?WHYy_eh%<0z7A9g!9;mmZuP=apUO`%?;t}Ab7xum4Ht^9$8QsVuUTDIAF zXpdixfK|aw83DiJ3sE6;_4{(U)EsKK6x=bLyjMSZxq`=H@YKt$y~rtwA6SxTBjqIc z(B+-JT&H_ZVcQFuQ$OyQKDb_n-^Mub;I(u@DCZQ~&0SQP&7K5Z-O9HY-Hwr5amW88wJYFgbunaeGX0gNX9jGmNsJ zsTPEhPDC8#6k3cP480-fy>4|=E$gQYQo6SK-0yvMco>5BhSf{@77N9QWIM4wCHk3X zeVibasg{NpRoB&qe)^z{3{Xbo#UKm%RyFFESl#DY%)nSJ;?ovl2F5|sC7lw<)xLw0 zJrOS0L~v5rB;mj+eGF=<+7EnBL#)qF}J%kXVxC%Zxn02^QvSOBMdb# z>iEZkuUU*aOswFFI+DjZ^X z&wWwcR>*a3#EluFuwDNTp78TiiXJ+Q-A%DT{Kk(AWHjK+t=#5ViNKw#O6Io>Lp71; zaemf{^7+mpCE z_l29l&TS-$%*Qb)2BwnZ*VCMTNW2b3#{;vAln_{GiG3}o8oyo;Z_aY9rG}ZUxQWo2 z7@ELiFs+IgH&LlY&-1L&$UIcWob}IXjL5I8ni{5e7eg4z#sNL&GA~K>k<%hzu)DA? 
zA17aqTO`DyZdTPTZ+VYB-<%H9o&!81CAA7Yyp?RIEMnH9axJX4J*}RFe)&>2Rojk8 zvP(rZQN>A81|$TAIiFH5d0P->+S%tmL3V2HEK-{wxu2UVP)~4QW?E{SaG@3 zMnbL8GOFevL!q1MLQY4MUc2$?vP)&`RoFa<^`u&=Ud-$*dirF7!iJ+i*Xyl@GzPO? z3#s;nyxT6~9@C7-`APCL62aFsLD>&`=We|2D!zaw_Ttm51|0L&xl%GDBQXIo-ks3A zsfdI`rBokOQlf;i}hQr$!ehWild!oW4fq& zGzR<)h%qM98|d_l1VMKm>13Q{57TG!?Ub;mQ-;@lcFH-jnx)SQZG8GlVd?FO{bBC~ z8#|DqV&mvx`Q)q;$@d9gqd-^{tngD8PDg6Gzv%38_q~63UldRcc(qh~j%>B{%vrSw zV>LW&YA#f3siygtb%itGPPCi3zHqK;cauK}C2H+YQXSH3d^y3m8n72s2I*5S77g?1InZn(Qm?3=nKk@U1NqQ?%=q0KZ*wo z+y2MCH1uP?&zU2Nx;^>2jX9yUO(PxaLWTaD1)b|V?pKNo0PzgZjfZA*x7l^x)ImV2 zPMOm>BO8e?!TzTF9SUvFL+(tHJ#U*xnH;6| zE%UUHvBvPjszSn#=+PI|RC%$rWqQZ?Ax#CAr4n?s@A@dv198Cj)U#9Zxpu-UZxmxB zgVY)X90EA9m3~^JnINxVnF*C~Cr?`DPF)eoG$rCpd=SR+Rj@k~+?H5T1e|F{*(%op-H^e<~bXaSL< zg_?IneLy`%rEeafGG9!*mw`0^{C<^{V*IUP`Yao-B_p>la*JS~1A> z&_Q&{?`kz9Ug0`@BfH=@Of4RSi7FH+BB`jYIS3i*8+>rB2}#%sQ5gzb(p`ma8;_Z9 z_klRg<3-6ZOZaPMf90}c!#V{Un_28^|5t&nQP57s=RnqPmhKMjV7zZoAYPHn54Ms(K6XhQu5eBobQ4{z<_GhNhQzf927JD-j*8`Q132-I^Q1`zk!oTf4hQ>}oh z0yrcw3p77QI<*F;y^DCF(-AFmR2o519M|^i{3Fwc!wt#0C7C=V%(_&}HRp>e#?cG1 zDpVLLRZVcK`(icIvgn+U<;>2H zkHuo9}xRAJh+N^z7^X{F*vsn;l&Cq$X6lp|R|&Y#pXHs0sE!%%0)dz;dUIxo;CUM|{%yPOMO z#n{VK8}=xjOd4ix3pHc*awn!FT?9cK2zC)D_b>7C1kpZ>a1C#=9iBxwx{MgIGsth7 zN`NFANx@>A;!(a@=3ZBj@#>@nh%I#2BF+;~b|v-iiZ^ucx|+at`Kee{dufE)dK1z0 zZ=J_>-|n46{=KlO&cd5h*0IVIQvn3*7-r8StmNh0V*m`MD+J=}f#p$aZ4$YB;E@q$ zlZJlWYs8$(W*0{WBl7Bg&AxY69{iKbS>8bZs)s^25SWC5W0}!f6rZNo*R5w~(?fM= zcaK92)Fy{B#lyC&7pvk5-cg7I+#zs0BEMr10PQcneSX%)7-*7In)zlP;`S z@S#(U%$+@w*T(jK>c4$1{A3~*=q}8KqriQ|!x^HuqY<03R?1%XZt?pcvfoOXLeOW) zda={|yUqH^+XoN#_xGP>zmX5VsjB8TKgz%#J^Yd0*;W0cd-+FunfxBR@$Bcnin;3lGx2n`7iZ^zxAt z#k4?X1%|JTu=W(^R@=lXTwT-6_XS4ctwq6zRP(vk7K}#{12-ChF=`38^^%1LqT`7B zI!Ypg9{#(bh~61D;7aFE;tFL-{QA=%~X5d+9|| z(Lu^Oi(PD5n|CtDl2%b}D_^!n7-R8UZbR&8MK8%WrHA6<3rHkWEC`&?X$gwR(4j{~V(sEKUBFOXgITQUKHolxX$6fXJ2jTtp}`tg zgADn_NOZtM|dpVIA-8FkZ{PdK^A_`IqV9XH3z{e|d3o*94`_`YC#S zeE$6C)vLpkqtkc4rUNy;%*O(QafXn@v&Iqv*@^3ZFwrKm3f-})t`_Jy9b^48NM>cx 
zHdq3JFEo#sDgyBvO?8Py$#Hb;5fQ5O(-b@CgLz(pdt*#8&y{G0p6tHR$H|pR>FMr5 z`NlBB!$k*nSA6iS0xVdo-<^IQ^dO)gV@K{MOlRudmC}IYWmV1Yo@fM8Gd{-9`i%M? z5VLTotQQ#QKwETX`cwZ)D5}>=tK5md*?o zblIFA4&-_3Mt!-p$3zMK3v+7DINVX`JjJ6M1#5aeFWiGbN2~Pc#DERo$eSwv6|)O!qwtkog*?vSK3uDN&%W*d5Rb zq(BaeDk&=(IpVwqBrX9uWTMGuFF5@h zT?o{$-a8|mMN~1uN}vTT8{IwGoLljzvVb%%Q8}CD0@6*En&liZ)DOlXq~TF((H6{> z+E^&}gH3t^If@?V=?t>pTZCmZ%D$~`5J(#8*MSM}Bw6FyS+ry8 zo+TJDvr5P$r}nqzdX-DXUIVkH*Uk1j#Lha7dJxzGZWDt_@7Dij*u}{WCyU+B>jjR= ze@_d9#*^J9tP0U?6a7}YB}5&+t0UbJ@qon!;=uc9dna! z9M!%|Xxgg$P8{Tmrd(}rd80X7sD4ZJm{%VpibYJiXxZ&1Rp}B5zntY0Wh(JS%8Yfa zG7xM_KZ|!!BCDvi&97EtpzUrT9gGE%zo^`j^N`weX7qU2!8@1(8}0bFGsU*(|9E&r zB`CSl9#B*|JlWSD@_I47;12;;MR3~A z;->7W%}Cfjj#H;*Dpv5%4`m*Y`onzeyYBw|duO~`T+8Eh zLo`YA2SWhf`zv}ti^;aK4LB6Vz%wU>x0I(AV^Lr6hJ4Iz<60HSB5Z745%OGrB(I6} zt6#8m=)fAmE=C>GCTRmijWP~whf5Cn`{I^=MmkYnm6u@r`?syWWsF>pyc_K^Du~9+ z7O~?AXfphdJc-RoA9wx0FW1I9e(qXnI470ws8c1ARn-t_bZO8wS(Hh1LXYnBA~7-I zsDyobQq5+Xzp_NJ2Dv8boOd_ugynn)X#p6-H)~rUHii7(;yY8%!`O{*T+Y*~mz4P( zfv%w-Gga0prM4n>1j~myvPKfC1tM7QTv>*5yY02O;)289dkuD8H&1)#CCJ!SWIGG# zHN@J*s=6T}mBl??pT~N;*Pwt|4YD4pFUWL^=##jSVo|TfLj+AqI^t0pO1ID;c&wD^ z>ir9v!Y-KmZ4RJWN&bWT+KD@YHi#I~m!uiO<7AoSk{%sC6fIY4VNxSih6SWb^%<+C zlfI}V&l<|^fBvU5^}F9C)2aHoWV!GpZ(SY&-CtDR_4VEH>8r!HN9RHH@~|T%Mz=@d z_|sD26IwY;xI*V=rMHxqtIGX2x6?&b1Qk{l*|j3#{Cq7*h@n*F;u#R(K;OpFwU-lf zo=kNzo9R?5#BZ#yy53e4p;IQr^WA_q-Zo_cxSP9{uZ3Mr{3^I%pT~70#2%FZzJH(Y zXklLQV9~_e5+#U6Kt$_@fqsgQOF%X@wlSTeQOyAxVFdJoK|XBRv^@d1-dY-Z$Cqsc zA&jvrWyvMJF{NFuemT_r+t0)ehtf>?u7X}wjzbp0a`k>Cqk~WlKcxKaD|&(^WI(5 zyr6Z#@xUJ{Eyp0z_AWC18eCOTXToNLbh(0oxDdaDb`w~xu`Xw9uLc0At-5ZLp?}l= zLa3WtkHM@0EG9e_r7eZ8rU&drrFH2$_f0*DFE-$HjSMa^I!;d#>u&=~dz&TVfcw<& zTb}OGhXlmu=%lDywKi~drOrF z`TY?Cl$JlhBlLI4%D3;{c)?ph+j@L+U6u9NGrE8O?dh?>Bhg19DS6c&p6g}o&SWNI z3%}ARt-&Y*##O;HB!+Ps%8;wc1dk6z*ibFBYuc-f{}`=u5Tu8`o5_OORqoSA8{(LI zBewAij!ClpsP;o$5)C1^2h*;^A4#Wfy(-5cD9x41MXjt1jTpN;iE#+eCm?1EkCWxs zYJ7-;gh7C(8Dj(8ZzrJwa#4!r^X?5OE_eKX$L|!_xQYb@uCzBVpFe!`)e|Y2`ttds 
zum1RihA5NxW^V5T)CJEhBdnL%Rk3jEJRvPH9*lN+DakgrTPOHva|5hj^b$Wr&BgUn zPYcou09<%`9f1pL)9dB;s(Vt8B>t{{yx>Bj6H1cOkC>i1N5AeI{*!|z-T_KWI~s11 zP%ZNcxd8L+=|+bQf^M{a7_Pb|RoRol;3M5Ds+ndgd1X^Lz1MV-_$>hTguI4=)y!~D zXyUn+ddj0+E*KKwqDhmb&u2mkOexfndFCc+7O0M7g2cL)kuLKUz3pLb=&tXy9Y{_yCJ@|DSTwY>KmxS_-2sr6uL0digDQPVqGZruLj1G5+@QRW&Lq{2(9a+Qme2%cOkSI0$#|oNBakU z9W9awx1=Rf%kGOVsPr0=n;=dWSyfah&jWvZRKZ3TPp@d9W}j9hnZj$k1B{)zbSa4h zsmAAA>945)SdtFB$5i2=&VbR%U(jlL2ny+N05<%#z=ZqwLBw%amjh8 zWB|g)8QZfiekfE;a( z(rI3+oLMnfpmu|04)|a)Q1@aI7XS2tsz>fK1{(T-&o0UBicx>spfv{Q2TaxAX>!6# zsYe-%Cfubeqo7_~tjk#wF%v7n(l;mXvey!Q6tDq(w+P>dY4!19jA0j5g)DoQn$(rM zQP_giGxgtBy1^;7p-#J0LXk-HFF)(|O=Uepl0F3zf?V(2DJj9JFWYZme!fQ4$E_d= zp`R%iegKs*%;5ud3Z{te+xTl9F@%l~EunA}Sl)VfvpLF@>teQ)X3J)+Py&ka6w0zH zAjN8JGqB@ohV2a5RjwbqAIcSi*7&Mo5V)a+*|o*D)il8(f1>EY+gtmd~i>?!qt{YMiX>SS) zDoO&7L#XOQ0rdesh=b(j8CZ%rtb5U`@mRW{+Pf!nl!m`oy730$R13Pr4gibN7hNk&Uvz@LRL^zvqv(#{ML&$ z%pIE|i4_&=ax6(jasxG5QBZ!zO@H+67#_0MhtK^Al6NLdvahKUSJLtgr`WUn<9IUy zeO_1{jW)8g_3SV!N_O$0(0Z{@KRa;FQkQ3OtUOI!tN%4hws4T3SXMHVR_gp?+^u2r2@Z3@4jW{dC zJ<;ZAB5NCC@Rp9V6li|~Wf*y0Q#!9WP0f_+;75#oKZ#ey5475%v!QgQ=WkEn7}=c@PMTaPK~&k^_Qi<63e8zNo6J!iRGYhUJr>B> z;I*5VD)w?ewVExp`8F;@kUU6stuka2(=nieAaMY187j3%qba`)md_Arg#L?-JaszC zly@XL;{oHzBy%-&yxd}qQn>~+T+g$kq^~58OE>9_Wr{_@z^xh8Vux}R3fTz#acgVc zIC$(Ncx$^3+S^rjX}mA7pziCpMe`2^G88n15>FPhS-ojz-_;A($i4l*je&)(Zk%PW zamEnzYVEJBn+NW_0&{*Y8FSuxvrH~tBeiPCtq}{)9?`cFpV7Qj`bXVbfpncjFVRHw zqLf`KcCwXhaN+w@&Nkr*)FoE)+V;lA1p)V{>k&MoFVMc0p2Bk`JIr(4vXNa+KZ~lB z_^I{sYUR$Zzi6$3J38p=REiMY6K7SU-a;ABo(>3@e>aH}2A=)xDj_0^>iFvLyF!Rp zW7kXJE&1j^{XgOjm!7%(0u`aG=RHm45>G1f`2Xen^0P(Pk-Q}o1+O#0k51oyd-O&m3(Z?V2FfNZJu~JgU$Xx9#l<zP3aLP>|v>+HJ$3K2Vv%U5p@ zmprU+1W|9b#ueoI-Mc_8hg}wHx*dcNYG7vvuunnBzb95iUa{V7SyuNU)DWt&vr+p^ zZfuA(*&k6Nd!9C;*xyCw1Hn_LSxX~wIYUVS2hmkTB{nFA_jH6jys^0NExNjeZy@qiv34nhc#hqM;k?6 z$<7}9pr7;ezS075aJjEm5y3wE#d}-~06Bb^e9tyf=;DKaRpVYNdGJyV2p^}OM*q?o 
zv)Z$^3ze>4+fkCdL6i+pZnj~ioj_Ba`0B&%l?Sn+XL>9H(PFDT;i(09#7XWC^|Y9`_GoLEp9Xo5S!{!-!7W`W3(nJzpTndND_|`Ft{Gw#z0(Gd|qKs+uYbP zSpvb5Ag%~@q{{d~wtMciv9q9FwRG?hp^9^-BQ%WyymQ1E!Sez%Lwe_nCb$p)`Ewr? zdb;+rrV4So6kV!W7;mJZ;VUvW4_w7R5d|xNS}YdT`s$jl5sNr06CK5{j7wRk7UCjj zj1x`|^3~lvW8Uy$M)rC|p(JvMLYC}IT1_FQ*b=0M)Vtky(5|S6jovjr%SlkGw}(+? z+4c)-6siid>%e{Oe(hwbV!j61(VI8p~gStE_sBG2?NScB{;zNtGidbcT zN@KF0J2W7}4&YkLaH*;PK<|~<{u!A47?cSim*}6H`iQ+?ZQy?r(|9rpF>)s2jt@l2yN@ggE!d{7`$6xBJb<(%5 z-Ae67wAplIQFiLpHMsxFu8ju=pV3o%GwSE34a}O)zEE%QT6kZA+3|_v{b`sKe09Gt zX9a&nVTF@7@fX>*JWt=|^=svVKBYht>+}A>{v>_ByRlDesJrA%sydheA8L(mXDXu7 zCW=$4#I-%Df;Q-5e&a$&1*DzMy=<;U~T{ z@}I?hc|4SB*#D4yuappyeH+Wzce2ZxU6#SfJ~Eb6$`TStUZO?v1#iuU4mXy* zU`u+nGbvl+X-3qxo%YhrPmS!Ug3g<6N})|riWodU61A5fvqw5xvs1OXqsm`Bd;3x8PAxpbsu&1mcYe#3BFwe-o`22u6R#}VEe z6`9Ih?L#TAcP?oZvsX7h(XA8MQq|j@k{Swoyl=8^e1EF~gZ}i`@zLz#Pfz@u@;SIT z_fup4kIii{V~2mfS(xg4z7)DBJoK=&D3a%iDDQ-!el%@c8-h6!Q$6Dx8$oZlC4RK~ zp_z2vxSn3rPX69#YQN_b2LFtr>dEpuO{llz0Vpo7b=Cx}(#yBg_DXP7pqsAd@# zy%HP05E!Xlo*Df0`pGjN8P+?peD|O;c-8iLs;*87zMFP3oY%5(YVZEL51R%~X=YDt z-#pV|`0WI(<#h3n!cNBG;tJTwtV*HNG6K(>#}_o28A>HGGNO?nKx$(1;{-Cg;SF5i}lb2Yku#a!v@-g?_(@Y7|fUgyb{ z3k@dWyshdVFZ6W;mc=}8bKX25?j~LnyK^{Wb9>miWNqnp6K^LT-ahF(HCIdZ%=X&k zq}@W+x53~%w|CdhM+wrT+b17gFCQ~HCn>v+%cpg?XUs?!{62E-j*s2#&JFvfpDl@4 zmYf;bBJC9KtDqBj{`#im&G7k!zneBP2N?=tZt9&zOD30aDX!VRUJrF^vVik9>&D(|&6G`yAP4$_-&n+=^kt!g92#Bob5)y6pY zYChL>l=02oQ>T8IWiFkr^}DoA`RUkDcjjD@i=>sG!h!f>NfPnz=2FrPbYT>MJb8RE zZZx*N8ftfgYk6;5u#LPEqdR8*MMgY9XAjMJb`~m|EX!JcHLn<7svQp<`7f9bZm-Vq zbxO^S6(fQ0wv+Xv=(HAnB-PuD;Fp)1FFN!nWaeMaO^{JC!oFaHAn3yqEM!Y*M7 zzVR@B#HYWb158v=728QOC(fNsxEnrNLY!Cu)-r*3fC@doo(8Z}DAOqiH?mj-_87qLr* z#|(K^_x0#=N>`pr@6I+2eyTIVem*-$ZL)i>6(c3T!)D|JqGVcy?VQmemJ%3cQpQXH`H%AE@#ITH+s)Rd8j#X(K8%`3v zUpc_|K*`w0?LwMHhQ#1C9zKjf-wpFCW}H`x4>os%pG9_^*>3NQRtQrR9YaQah^IzH zGjGz=k=Fmx$tHe;uhVHMFUnEp^mj^o+xwRW(v9o)9$3<{G+jr<0K-0A!ABha`OCjw z*2Cyw7+-W~ur$UO6Cx`e8Z4tEZEHgfqv$xx;!XN<+lYP6+cyA(ar5>KK}8?~0#?G% 
z{X=i$u%KNF=rbu`F!eRSc!q_9pn^i(Lc#z#D%33)84~J?a+8Gzd58X%wC4CdhWj#1 z+E3>tLS~e8W(t_@>ieCqckge8@0gsp>pYS`=Nix3>hJnlQt{P#bq0lCs@Ypp5v}Gu z;U`!}q3=C0r#?gD+TRX|w1Xoy!^NZND4{4@sjesyf%i zNLO}dGIvI^wXIUNfxa`gRklHhKf7?fp%Xicajj#vX5b4!^J{|Rr7mi$ng^aC2VOQE ztuNs>*F z9%#0(2#a;lztZbuca3?q^>KP4x5VgSHGi)wj@fGOo3Fh|V+cvPwo~Aq@NC@MM}~*k zwkPkZ=;oYx7|q3)*T>Rr%$#trXM66kF+|)1+61Am_pal#%TCOAEM2&z{LkpFxHBij z>r|5Iqj@~@T+ndQjW(O4?odCG%VLkFe(8)>EPR}+L~m5>X{xi&PCHxhh(xL|L(#Ex znqn31bhTKHZAK-5&+Bu9zN${Z@*DQNzBTQFD!(t=d|yGpA^e-1tg}ibx8uOfwNb&r zGl&b@^wu4WJ(MS>%ji&PpRTr7MCW-~TwH*-VgcQE+gG%;pPt*>W`sH#>CdAVePM6q z-_nMOjOvZx=C^-wBy?8#lp5lm=m3*%mw=I!hkat(H0UUI56q^om;g~VR|sb@Z> zQOy@R7-4cFg7J)B`|GZ~A6%5y)!&&=i5&^o{(EQb+541l=9n)Zo-)($vumdJZrzug zeN!czXIQWyBGtU}RjT?4r zA1TArnJt|XE!|~C-)xDNI6_k|au_xwvuJ(Zq0cZd=ZU9;f{f)`ex{hKn;D;(QEZxP zq#CT!@M}J0ZMsi@RUtAZ|MbBt1J)Q;ioLpb28K=ebp^So;sbhATwL~hU6|I}IjFB> z*z;y^YlTq!bU~~Dvc*~bfyk?$F=%Z+Cdx1u@4+Nr93@u`4Iy zo;L=gYl6ms=FtgqkS%r&m~TUp=JxX6ZEs?yZ(O@T5gh zuKvh(N@xH(TsH_)0yWADthLx6I0U^f67Go(^8RfD%ucvuhonhOb*reDSXDKHXlrGu zjU^>!c8-~OmMN8KE=6jV>53$iB-3pA<@&9s6xcTw#xcU6a+G^CZEXNDYy|#*Sc5Nw zpu9s+7@yzW2^{0|TOeBtQ}cDQOe1gEORm8;Z}6|MuIJpdLCj?PP-eMOEN0eY9|Pm_ z=N3=*^GQqZlVYwcQjyf|Y<*(MS!7X|8gu@!j%b>|Bc#Z{E;Vjj#}nliVyDG(~bR2*uf4^gj7c z=|kohnKsI-V8U7Q1ev|PqVBuFEmaP}tb()(ZVVNf-D+e#_&s2JSR@9HiZ$Bc=Vz>aAXZlu zb6Z#3q^8MTZd3*p5SYd&scw5xKaHlALUR57TpdmspN0!vCY)T#d*fpyI7?ru<_p6= zY}32@NV=uJSw+@k+f30tt%`4XnZk=od(J+2BZW92mGIu}42#IMlLN&y)eoGC#uzOc z9lE2#zM{4EAZ2N zA5&zJ{ui^6uj`{P7sxj-yHC51Q>RhHH6z4b#0nEx;W8oo>*jVF^gQ}Xe`JC-^4sEg z&PD;6*kkfG5p$E@nj?A(5yf$lrtQ0u|C;SDY8sFf4F5Rjh?MB6OtfgUd2tlA^g&C= zHJ7$etiv#0z4uc{;z$;^Wlt3`kYyrlgN6A~VQ@*rhyyObLDAz*GlVD43%_FoX9_BJzb(q@YPf?+TnfyEkc91K}! z{)|z1<3-Lex#P{|g~Pn|Qtb5MKbA%ha4WM|<)28(7oZoqA(+2TN7$t zRYo{qDh+X2o#Ui!nn5i^I}g*XXgT+1`*eyWP_r|SsSV&>`MGUJxm51PvMp`bn##M4 z@pzzZc`9MD!c`;ap#5#-U8-5N57cY6JUMKpn%$x6!BLsB>Bjb@$OW36LdPBYe*W0? 
z;&q^VPS-)o)^5Ae4^_^Xb;q1ej#s^BNYY;FTv!~hy;G5uqvp6s-QRM3;KMKnX@iTA zRrmili&KE+iukO61_*(B*#7;Fn;iVEqn4(>K8)+vv}us9a=<^G28;FI4+FD^vv|(fnFq0zB-)t5(WPrTiLMV3haYJ!G6P`Aj3k@fyhu4epO$VW@TYwf^5b8 zHx6zHLQ<5r6GjKM0lgkrn;@c`A%IwITPww3hls-pEI=@mk(H8>!;dJao_`2+{p|)s z@&gN7a`*W!LT9o3w|o5l{`FFaxZ8zgmoc&{JT{K;$;9-0>~@~ z!N-o*h}jHJd>=F>bon4c2t87q;`tdsHvnj;=nLebiKNM8@5iaeVjK0e8Ndz$)`R1T z4uh#Nkrmw+<0*wzj}!(K5{?Ri#0S29N3$O5P#cBG~r`0cCsuT9<+-B#o7<&|V&Jur1jDqz4@I z$|RNk?)E4%C*ZgTIAkFl%p4mlxmxXisDSNdGMq8iNJR{YS{7k`J|_lsnR20W{x=P~+qzEA$#ejjdLB9;<4} z6`|(M^@kj*hT0>&d#%Jn?G86tp4CImOt_7Wc&L?bB@4ZVP(#rm9k6w5ctxo7^N__~ zbEqw)6#G;H2FDelwvF#kSjdH%W6EFVf?zk;1r0S3ezH7&8fw3qTNn)6UuUl*K#;Cu z)=A&!Ex@O2z~aKo2{2d>F&yIIM5^)s)l=dG^V+^*=Ll(BpM&%Y^o0y{e)Xxiyy9(o zol61;h+V=EAxp_&k{5WE>S_dNGGN$+-+RDd+XTo6jExwq>p?O*P8qo7$)rE%=tSCD85nrcepbU-zFzmwb?_jVzpfnP`_>YFj#*d`WF{NYx z+YJ^!o+H9w^J{=69X><6A3l5pn5{rJ(1h|B0^vByYX zPZY6ohKtsE&09&oq7|B7Hp`Nf`4=krfQ`{8yMsN$V?aFNAIo5{6XfBcAw|-C!Y<^w zr~wWez=3}nfWcURHAuM6uPs11NQ5me`RLV5Fsuh0Gc<&5dO@B%kB?`7FSuN@a_oWc zL3>?M=bOM-Wf9a?{Nou6My?= z01KMe!q$dPI{ygw^}QMeumQl%P{r)jA}ctF0*)cWoUy>f}cd8 zo7k#LmShcibjgJFI<|4z3zUR^_=dq;cKiW8nN-Rz&aHMCFgUCTx1(TMOD5cwcL67t zP1`wcYJkKBQv(ZH>r=qtmJH9ICRFH&fZ1>bfjqGkipvWsZ{{zV10n6ff}RNUiQ%l4 zG*?aqegWc|vL0f9*pa*&Xd_8WIFxWIbQh4$4J`cj6wKDaNRB|2^3uNnR}&St_pn_E zJ8Z~b0SnsfRj-QtPuGj9O+@ngN;UkF8mES1V6w47YK&)yZ*VBa4H@JG?jC>}jHLBJ zzaUxzA_Arl7PR5$SsOBW#fTIN)J%inMb(O8;b*co;X#GMz&$b0F(H0B5%#bU!M06R zAQ&4^f&2h>$hxB?J|S z4n^(2st(K!iK}g;|3dQ%KNubmP$`i1)`IYuQ70g-FId0Q0k8yk9EstO_stEq!%Xx5 zVGJy2ot`BI=!FUnKt~2*Zw6zKfgVWWd&ZftT}ZV1C1_r3!Re6`qFy6AB74RJdXQ>} z$m!4@Sdl=7illY8weHrU3eXs+Py{+GB!;t^4p#~Wo!aoAhzPc(sSO>%@hC445WAp< zEF?M1)da>_reAzMCk+5&FN9;SEMXs<7qycE2S-ou2ru}*Ei;jPjbngIEPl)csFna0 zDt@&$8I}BESiUJnm>aeh&)TP_P{3y7sR_D)b9=~uWA=vmdbx$mlJYd1^mTf7yp>WZ zU~ol3f84I9{%qa z>`N55hYfs_kR*bGGbpiFDt^J@{DknO3M?!xjzZP|yQWtx2z{UMZG~mZ6e;pMAwda! 
zcY% zkta_;jXMHyQxG*;{T=)4dqqf39f)b6+(CkbXg%WPdStG$@LH|%C(4kM38abJX>x3E{DPb@)_@fLiCh(}!fgcQc rqL7}7vNDP?3J5uGc@#oH2C3qKP?7akQC2}9l@t)lUS0?fZ}0yH!H104 literal 0 HcmV?d00001 diff --git a/siotp/README.md b/siotp/README.md new file mode 100644 index 0000000..f20bdd3 --- /dev/null +++ b/siotp/README.md @@ -0,0 +1 @@ +This is a file depot, storing all files that had to be created during practical works, and that I might need in the future. It's also worth archiving these files, as the Virtual Machines tend to be deleted once they've outgrown their use. \ No newline at end of file diff --git a/siotp/automate.sh b/siotp/automate.sh new file mode 100644 index 0000000..8cab151 --- /dev/null +++ b/siotp/automate.sh @@ -0,0 +1,5 @@ +#!/bin/bash +git pull +git add . +git commit +git push diff --git a/siotp/sisr1/README.md b/siotp/sisr1/README.md new file mode 100644 index 0000000..a85be3b --- /dev/null +++ b/siotp/sisr1/README.md @@ -0,0 +1 @@ +Each folder bears the name of the TP (practical work) it belongs to. \ No newline at end of file diff --git a/siotp/sisr1/tp01-02/README.md b/siotp/sisr1/tp01-02/README.md new file mode 100644 index 0000000..07938af --- /dev/null +++ b/siotp/sisr1/tp01-02/README.md @@ -0,0 +1,2 @@ +Each folder is called files_{Virtual Machine's name}. +First and second practical work's folders, combined. \ No newline at end of file diff --git a/siotp/sisr1/tp01-02/files_dhcp/README.md b/siotp/sisr1/tp01-02/files_dhcp/README.md new file mode 100644 index 0000000..533f58f --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dhcp/README.md @@ -0,0 +1 @@ +Files for the srv-dhcp-ge Virtual Machine, from the FIRST and SECOND TPs. \ No newline at end of file diff --git a/siotp/sisr1/tp01-02/files_dhcp/dhcpd.conf b/siotp/sisr1/tp01-02/files_dhcp/dhcpd.conf new file mode 100755 index 0000000..5ffbf53 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dhcp/dhcpd.conf 
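Review bot: `git add .` in siotp/automate.sh stages everything in the working tree unconditionally, and because no exit code is checked a `git pull` that stops on a conflict or a `git commit` aborted with an empty message still falls through to `git push`. Add `set -euo pipefail` right after the shebang so the script stops at the first failure, and pair the blanket add with a `.gitignore` (or a `git status` look before committing) so archives, lease databases and files carrying credentials are not pushed by reflex. A one-line header comment stating that the script pulls, stages all, commits interactively and pushes would also save the next reader from opening it.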
@@ -0,0 +1,116 @@ +# dhcpd.conf +# +# Sample configuration file for ISC dhcpd +# + +# option definitions common to all supported networks... +#option domain-name "example.org"; +#option domain-name-servers ns1.example.org, ns2.example.org; + +default-lease-time 604800; +max-lease-time 604800; + +option domain-name-servers 192.168.0.121; +option domain-name-servers 192.168.0.122; +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +#ddns-update-style none; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +#log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +subnet 192.168.2.0 netmask 255.255.255.0 { + range 192.168.2.5 192.168.2.99; + option routers 192.168.0.120; +} + +host xp-master { + hardware ethernet 08:00:27:77:70:0D; + fixed-address 192.168.2.167; +} + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. 
+#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.example.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.example.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. + +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} 
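Review bot: The two consecutive `option domain-name-servers` statements near the top of dhcpd.conf do not accumulate — the later declaration in the same scope wins — so clients are told about 192.168.0.122 only; write them as one statement, `option domain-name-servers 192.168.0.121, 192.168.0.122;`. Inside `subnet 192.168.2.0 netmask 255.255.255.0`, `option routers 192.168.0.120;` hands clients a default gateway that is not on their 192.168.2.0/24 network; this server's own address on that network is 192.168.2.1 according to the files_dhcp/interfaces hunk later in this patch, so `option routers 192.168.2.1;` is presumably what was meant. `authoritative;` is still commented out, so the server will not NAK stale leases from clients that arrive from another network, which a lab that recycles VMs will notice. The stock `# dhcpd.conf` / `# Sample configuration file` header could be replaced by a line naming the lab subnet this file serves.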
diff --git a/siotp/sisr1/tp01-02/files_dhcp/hosts b/siotp/sisr1/tp01-02/files_dhcp/hosts
new file mode 100755
index 0000000..00fba25
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dhcp/hosts
@@ -0,0 +1,8 @@
+127.0.0.1 localhost
+127.0.0.1 dhcp-ge.sio.lan dhcp-ge
+192.168.0.24 bookworm-jp.sio.lan bookworm-jp
+192.168.0.40 bookworm-jb.sio.lan bookworm-jb
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/siotp/sisr1/tp01-02/files_dhcp/interfaces b/siotp/sisr1/tp01-02/files_dhcp/interfaces
new file mode 100755
index 0000000..89b033d
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dhcp/interfaces
@@ -0,0 +1,18 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s8
+iface enp0s8 inet static
+ address 192.168.2.1/24
+#enp0s3 static
+auto enp0s3
+iface enp0s3 inet static
+ address 192.168.0.120/24
+ gateway 192.168.0.1
diff --git a/siotp/sisr1/tp01-02/files_dhcp/isc-dhcp-server b/siotp/sisr1/tp01-02/files_dhcp/isc-dhcp-server
new file mode 100644
index 0000000..26ec0d9
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dhcp/isc-dhcp-server
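Review bot: `127.0.0.1 dhcp-ge.sio.lan dhcp-ge` in files_dhcp/hosts gives the host's own name the address already bound to `localhost`; Debian's convention, and the dns1 and dns2 hosts files in this same patch, use `127.0.1.1` for that entry. The suffix `sio.lan` also disagrees with every zone file and resolv.conf here, which use `sio1lab.lan`, so `hostname -f` on the VM and the name BIND serves for it will not match; files_dns1/hosts and files_dns2/hosts carry the same `sio.lan` suffix.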
@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s8"
+INTERFACESv6=""
diff --git a/siotp/sisr1/tp01-02/files_dhcp/nat.sh b/siotp/sisr1/tp01-02/files_dhcp/nat.sh
new file mode 100755
index 0000000..32d00a4
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dhcp/nat.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+sudo sysctl net.ipv4.ip_forward="1"
+nft add table basic_nat_table
+nft add chain basic_nat_table prerouting {type nat hook prerouting priority 0 \; }
+nft add chain basic_nat_table postrouting {type nat hook postrouting priority 0 \; }
+nft add rule basic_nat_table postrouting masquerade
diff --git a/siotp/sisr1/tp01-02/files_dns1/README.md b/siotp/sisr1/tp01-02/files_dns1/README.md
new file mode 100644
index 0000000..3d11bb9
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dns1/README.md
@@ -0,0 +1 @@
+Files for the srv-dns1-ge Virtual Machine, from the FIRST and SECOND TPs.
\ No newline at end of file
diff --git a/siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan b/siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan
new file mode 100755
index 0000000..64edda3
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan
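Review bot: The `masquerade` rule in files_dhcp/nat.sh has no outgoing-interface match, so every packet leaving the box is source-NATed, on the internal 192.168.2.0/24 side as much as on the uplink; qualifying it, `nft add rule basic_nat_table postrouting oifname "enp0s3" masquerade`, keeps NAT to the upstream interface this host's interfaces file puts the default gateway on. `nft add table basic_nat_table` names no family and so lands in the `ip` family, which is fine for IPv4-only but worth stating, and the `prerouting` chain is created yet never receives a rule. `sudo` is used for the `sysctl` line but not for the `nft` lines, so the script only works when already run as root (where the `sudo` is redundant), and nothing in it checks exit codes or persists `net.ipv4.ip_forward` across reboots. The same unqualified masquerade appears in tp03/files_admin/nat.sh, whose uplink is also `enp0s3` per its interfaces file.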
@@ -0,0 +1,33 @@ +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA deb-dns1-ge.sio1lab.lan. root.sio1lab.lan. ( + 2635478965 ; Serial + 21600 ; Refresh + 3600 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + + IN NS deb-dns1-ge.sio1lab.lan. + IN NS deb-dns2-ge.sio1lab.lan. + + IN A 192.168.0.120 + IN A 192.168.0.121 + IN A 192.168.0.140 + IN A 192.168.0.141 + IN A 192.168.0.142 + +deb-dhcp-ge IN A 192.168.0.120 +deb-dns1-ge IN A 192.168.0.121 +deb-dns2-ge IN A 192.168.0.122 +deb-dhcp-jp IN A 192.168.0.141 +deb-dns-jp IN A 192.168.0.140 +deb-dns2-jp IN A 192.168.0.142 + +dhcp IN CNAME deb-dhcp-ge +dns1 IN CNAME deb-dns1-ge +dns2 IN CNAME deb-dns2-ge +dhcpjp IN CNAME deb-dhcp-jp +dns1jp IN CNAME deb-dns-jp +dns2jp IN CNAME deb-dns2-jp diff --git a/siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan.rev b/siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan.rev new file mode 100755 index 0000000..0ba0b04 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns1/db.sio1lab.lan.rev @@ -0,0 +1,28 @@ +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA deb-dns1-ge.sio1lab.lan. root.sio1lab.lan. ( + 2635478965 ; Serial + 21600 ; Refresh + 3600 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + + IN NS deb-dns1-ge.sio1lab.lan. + IN NS deb-dns2-ge.sio1lab.lan. + +deb-dhcp-ge IN A 192.168.0.120 +deb-dns1-ge IN A 192.168.0.121 +deb-dns2-ge IN A 192.168.0.122 +deb-dhcp-jp IN A 192.168.0.141 +deb-dns-jp IN A 192.168.0.140 +deb-dns2-jp IN A 192.168.0.142 + +120 IN PTR deb-dhcp-ge.sio1lab.lan. +121 IN PTR deb-dns1-ge.sio1lab.lan. +122 IN PTR deb-dns2-ge.sio1lab.lan. + +140 IN PTR deb-dns-jp.sio1lab.lan. +141 IN PTR deb-dhcp-jp.sio1lab.lan. +142 IN PTR deb-dns2-jp.sio1lab.lan. diff --git a/siotp/sisr1/tp01-02/files_dns1/hosts b/siotp/sisr1/tp01-02/files_dns1/hosts new file mode 100755 index 0000000..3d57c7b --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns1/hosts 
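Review bot: The header `; BIND data file for local loopback interface` in both files_dns1/db.sio1lab.lan and db.sio1lab.lan.rev is left over from the db.local template and describes nothing here; replace it with a line naming the zone and the primary, e.g. `; Forward zone for sio1lab.lan, primary deb-dns1-ge`. In the reverse zone the six `deb-… IN A 192.168.0.x` records sit inside `0.168.192.in-addr.arpa`, so they define names like `deb-dhcp-ge.0.168.192.in-addr.arpa` rather than anything a resolver will ask for; the forward zone already carries them and they can be dropped from the reverse file. The apex of the forward zone also lists five bare `IN A` records (DHCP and JP hosts included), which makes `sio1lab.lan` itself resolve to an arbitrary one of them — presumably only the name servers were meant. The tp03 zone files in files_service and files_dns2 repeat both patterns.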
@@ -0,0 +1,7 @@
+127.0.0.1 localhost
+127.0.1.1 dns1-ge.sio.lan dns1-ge
+192.168.0.24 bookworm-jp.sio.lan bookworm-jp
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/siotp/sisr1/tp01-02/files_dns1/interfaces b/siotp/sisr1/tp01-02/files_dns1/interfaces
new file mode 100755
index 0000000..3ead9e3
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dns1/interfaces
@@ -0,0 +1,14 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+ address 192.168.0.121/24
+ gateway 192.168.0.1
diff --git a/siotp/sisr1/tp01-02/files_dns1/named.conf.local b/siotp/sisr1/tp01-02/files_dns1/named.conf.local
new file mode 100755
index 0000000..65f467c
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dns1/named.conf.local
@@ -0,0 +1,21 @@
+//
+// Do any local configuration here
+//
+
+// zone directe
+zone "sio1lab.lan" {
+ type master;
+ file "/etc/bind/db.sio1lab.lan";
+};
+
+// zone inverse
+zone "0.168.192.in-addr.arpa" {
+ type master;
+ notify no;
+ file "/etc/bind/db.sio1lab.lan.rev";
+};
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
diff --git a/siotp/sisr1/tp01-02/files_dns1/named.conf.options b/siotp/sisr1/tp01-02/files_dns1/named.conf.options
new file mode 100755
index 0000000..61d68c2
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dns1/named.conf.options
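Review bot: Neither primary zone in files_dns1/named.conf.local carries an `allow-transfer` statement, so whether any host can AXFR these zones is left to BIND's version-dependent default (older 9.x releases allow transfers to anyone); since the secondary at 192.168.0.122 declared in files_dns2/named.conf.local is the only legitimate consumer, add `allow-transfer { 192.168.0.122; };` to each zone, and consider a TSIG key so the transfer is authenticated rather than trusted by source address. `notify no;` on the reverse zone of the primary means the secondary only learns of changes at the 21600 s refresh interval, which is probably not what was intended on the master side. The `// zone directe` / `// zone inverse` comments would read better as `// forward zone` / `// reverse zone`, matching the English of the rest of the file.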
@@ -0,0 +1,25 @@ +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + forwarders { + 10.121.38.7; + 10.121.38.8; + }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation no; + + listen-on-v6 { any; }; +}; diff --git a/siotp/sisr1/tp01-02/files_dns1/resolv.conf b/siotp/sisr1/tp01-02/files_dns1/resolv.conf new file mode 100755 index 0000000..37acdc1 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns1/resolv.conf @@ -0,0 +1,2 @@ +search sio1lab.lan +nameserver 127.0.0.1 diff --git a/siotp/sisr1/tp01-02/files_dns2/README.md b/siotp/sisr1/tp01-02/files_dns2/README.md new file mode 100644 index 0000000..3c31502 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns2/README.md @@ -0,0 +1 @@ +Files for the srv-dns2-ge Virtual Machine, from the FIRST AND SECOND TPs. \ No newline at end of file diff --git a/siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan b/siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan new file mode 100755 index 0000000..8485ce9 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan 
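Review bot: `dnssec-validation no;` in files_dns1/named.conf.options disables DNSSEC validation entirely, while the secondary's files_dns2/named.conf.options keeps the stock `dnssec-validation auto;`, so the two resolvers will answer differently for a signed-but-broken name; settle on one value (`auto` is the stock and safer one) and apply it to both, and to tp03/files_dns2/named.conf.options which repeats `no`. The options block sets no `allow-recursion`/`allow-query` ACL, so recursion is offered to any client that can reach the listener — acceptable in an isolated lab, but `allow-recursion { localnets; localhost; };` records the intent and limits exposure if the VM is ever bridged. The stock comment block about updating root keys only applies when validation is on, so it should be adjusted or removed wherever `no` is kept.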
@@ -0,0 +1,20 @@ +$ORIGIN . +$TTL 604800 ; 1 week +sio1lab.lan IN SOA deb-dns1-ge.sio1lab.lan. root.sio1lab.lan. ( + 2635478965 ; serial + 21600 ; refresh (6 hours) + 3600 ; retry (1 hour) + 2419200 ; expire (4 weeks) + 86400 ; minimum (1 day) + ) + NS deb-dns1-ge.sio1lab.lan. + NS deb-dns2-ge.sio1lab.lan. + A 192.168.0.120 + A 192.168.0.121 +$ORIGIN sio1lab.lan. +deb-dhcp-ge A 192.168.0.120 +deb-dns1-ge A 192.168.0.121 +deb-dns2-ge A 192.168.0.122 +dhcp CNAME deb-dhcp-ge +dns1 CNAME deb-dns1-ge +dns2 CNAME deb-dns2-ge diff --git a/siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan.rev b/siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan.rev new file mode 100755 index 0000000..597ce23 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns2/db.sio1lab.lan.rev @@ -0,0 +1,18 @@ +$ORIGIN . +$TTL 604800 ; 1 week +0.168.192.in-addr.arpa IN SOA deb-dns1-ge.sio1lab.lan. root.sio1lab.lan. ( + 2635478965 ; serial + 21600 ; refresh (6 hours) + 3600 ; retry (1 hour) + 2419200 ; expire (4 weeks) + 86400 ; minimum (1 day) + ) + NS deb-dns1-ge.sio1lab.lan. + NS deb-dns2-ge.sio1lab.lan. +$ORIGIN 0.168.192.in-addr.arpa. +120 PTR deb-dhcp-ge.sio1lab.lan. +121 PTR deb-dns1-ge.sio1lab.lan. +122 PTR deb-dns2-ge.sio1lab.lan. +deb-dhcp-ge A 192.168.0.120 +deb-dns1-ge A 192.168.0.121 +deb-dns2-ge A 192.168.0.122 diff --git a/siotp/sisr1/tp01-02/files_dns2/hosts b/siotp/sisr1/tp01-02/files_dns2/hosts new file mode 100755 index 0000000..ecc8df3 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns2/hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost +127.0.1.1 dns2-ge.sio.lan dns2-ge +192.168.0.24 bookworm-jp.sio.lan bookworm-jp +# The following lines are desirable for IPv6 capable hosts +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/siotp/sisr1/tp01-02/files_dns2/interfaces b/siotp/sisr1/tp01-02/files_dns2/interfaces new file mode 100755 index 0000000..0980572 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns2/interfaces 
@@ -0,0 +1,14 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# The primary network interface +allow-hotplug enp0s3 +iface enp0s3 inet static + address 192.168.0.122/24 + gateway 192.168.0.1 diff --git a/siotp/sisr1/tp01-02/files_dns2/named.conf.local b/siotp/sisr1/tp01-02/files_dns2/named.conf.local new file mode 100755 index 0000000..3d13f19 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns2/named.conf.local @@ -0,0 +1,25 @@ +// +// Do any local configuration here +// + +// zone directe +zone "sio1lab.lan" { + type slave; + file "/etc/bind/db.sio1lab.lan"; + masters { 192.168.0.121; }; + masterfile-format text; +}; + +// zone inverse +zone "0.168.192.in-addr.arpa" { + type slave; + notify no; + file "/etc/bind/db.sio1lab.lan.rev"; + masters { 192.168.0.121; }; + masterfile-format text; +}; + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + diff --git a/siotp/sisr1/tp01-02/files_dns2/named.conf.options b/siotp/sisr1/tp01-02/files_dns2/named.conf.options new file mode 100755 index 0000000..e96cee1 --- /dev/null +++ b/siotp/sisr1/tp01-02/files_dns2/named.conf.options 
@@ -0,0 +1,25 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forwarders {
+ 10.121.38.7;
+ 10.121.38.8;
+ };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
+};
diff --git a/siotp/sisr1/tp01-02/files_dns2/resolv.conf b/siotp/sisr1/tp01-02/files_dns2/resolv.conf
new file mode 100755
index 0000000..37c933c
--- /dev/null
+++ b/siotp/sisr1/tp01-02/files_dns2/resolv.conf
@@ -0,0 +1,2 @@
+search sio1lab.lan
+server 127.0.0.1
diff --git a/siotp/sisr1/tp03/README.md b/siotp/sisr1/tp03/README.md
new file mode 100644
index 0000000..cabd08b
--- /dev/null
+++ b/siotp/sisr1/tp03/README.md
@@ -0,0 +1,2 @@
+Each folder is called files_{Virtual Machine's name}.
+Third practical work's folder.
\ No newline at end of file
diff --git a/siotp/sisr1/tp03/files_admin/README.md b/siotp/sisr1/tp03/files_admin/README.md
new file mode 100644
index 0000000..898e802
--- /dev/null
+++ b/siotp/sisr1/tp03/files_admin/README.md
@@ -0,0 +1 @@
+Files for the srv-admin-ge Virtual Machine.
\ No newline at end of file
diff --git a/siotp/sisr1/tp03/files_admin/hostname b/siotp/sisr1/tp03/files_admin/hostname
new file mode 100644
index 0000000..83f1bee
--- /dev/null
+++ b/siotp/sisr1/tp03/files_admin/hostname
@@ -0,0 +1 @@
+srv-admin-ge
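Review bot: `server 127.0.0.1` in files_dns2/resolv.conf is not a resolv.conf keyword, so the resolver ignores the line and the host has no explicit nameserver; per resolv.conf(5) it then falls back to the name server on the local machine, so this works by accident rather than by configuration. It should read `nameserver 127.0.0.1`, matching files_dns1/resolv.conf.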
diff --git a/siotp/sisr1/tp03/files_admin/hosts b/siotp/sisr1/tp03/files_admin/hosts
new file mode 100644
index 0000000..4c962f6
--- /dev/null
+++ b/siotp/sisr1/tp03/files_admin/hosts
@@ -0,0 +1,7 @@
+127.0.0.1 localhost
+127.0.1.1 srv-admin-ge.sio.lan srv-admin-ge
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/siotp/sisr1/tp03/files_admin/interfaces b/siotp/sisr1/tp03/files_admin/interfaces
new file mode 100644
index 0000000..a3fb3a6
--- /dev/null
+++ b/siotp/sisr1/tp03/files_admin/interfaces
@@ -0,0 +1,18 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+ address 192.168.0.120/24
+ gateway 192.168.0.1
+
+# The secondary (internal) network interface
+allow-hotplug enp0s8
+iface enp0s8 inet dhcp
diff --git a/siotp/sisr1/tp03/files_admin/nat.sh b/siotp/sisr1/tp03/files_admin/nat.sh
new file mode 100755
index 0000000..9daac43
--- /dev/null
+++ b/siotp/sisr1/tp03/files_admin/nat.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+nft add table basic_nat_table
+nft add chain basic_nat_table prerouting {type nat hook prerouting priority 0 \; }
+nft add chain basic_nat_table postrouting {type nat hook postrouting priority 0 \; }
+nft add rule basic_nat_table postrouting masquerade
diff --git a/siotp/sisr1/tp03/files_admin/resolv.conf b/siotp/sisr1/tp03/files_admin/resolv.conf
new file mode 100644
index 0000000..330985a
--- /dev/null
+++ b/siotp/sisr1/tp03/files_admin/resolv.conf
@@ -0,0 +1,4 @@
+domain monlabo.lan
+search monlabo.lan
+nameserver 172.16.0.1
+nameserver 172.16.0.2
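Review bot: `iface enp0s8 inet dhcp` gives the internal side of srv-admin-ge a leased address, yet the tp03 zone files resolve `router` and `srv-admin-ge` to the fixed `172.16.0.254` and nat.sh in the same folder makes this box the gateway for that network. Unless the DHCP server reserves 172.16.0.254 for this host's MAC — the files_service dhcpd.conf lies beyond this chunk, so I cannot confirm — clients using 172.16.0.254 as their gateway depend on a lease; a static stanza, `iface enp0s8 inet static` followed by `address 172.16.0.254/24`, matches the role the zone assigns. files_admin/hosts names the host `srv-admin-ge.sio.lan` while the zone is `monlabo.lan`, the same suffix mismatch as in the tp01-02 hosts files.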
diff --git a/siotp/sisr1/tp03/files_dns2/README.md b/siotp/sisr1/tp03/files_dns2/README.md new file mode 100644 index 0000000..2534959 --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/README.md @@ -0,0 +1 @@ +Files for the srv-dns2-ge Virtual Machine. \ No newline at end of file diff --git a/siotp/sisr1/tp03/files_dns2/db.monlabo.lan b/siotp/sisr1/tp03/files_dns2/db.monlabo.lan new file mode 100644 index 0000000..03287fc --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/db.monlabo.lan @@ -0,0 +1,36 @@ +$ORIGIN . +$TTL 604800 +@ IN SOA srv-service-ge.monlabo.lan. root.monlabo.lan. ( + 2635478965 ; Serial + 216 ; Refresh + 3600 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + + IN NS srv-service-ge.monlabo.lan. + IN NS srv-dns2-ge.monlabo.lan. + + IN A 172.16.0.1 + IN A 172.16.0.2 + IN A 172.16.0.254 + IN A 172.16.0.100 + +$ORIGIN monlabo.lan. + +srv-service-ge IN A 172.16.0.1 +srv-dns2-ge IN A 172.16.0.2 +srv-admin-ge IN A 172.16.0.254 +pc-cli-ge IN A 172.16.0.100 + +srvdns IN CNAME srv-service-ge +dns IN CNAME srv-service-ge +dns1 IN CNAME srv-service-ge +srvdhcp IN CNAME srv-service-ge +dhcp IN CNAME srv-service-ge +srvadmin IN CNAME srv-admin-ge +router IN CNAME srv-admin-ge +pc IN CNAME pc-cli-ge +client IN CNAME pc-cli-ge +pccli IN CNAME pc-cli-ge +srvdns2 IN CNAME srv-dns2-ge +dns2 IN CNAME srv-dns2-ge diff --git a/siotp/sisr1/tp03/files_dns2/db.monlabo.lan.rev b/siotp/sisr1/tp03/files_dns2/db.monlabo.lan.rev new file mode 100644 index 0000000..ca1b0a4 --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/db.monlabo.lan.rev 
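Review bot: `$ORIGIN .` on the first line of tp03/files_dns2/db.monlabo.lan makes the `@` that follows expand to the root name rather than `monlabo.lan`, so the SOA and the unnamed `IN NS`/`IN A` records after it are not at the zone apex and named should reject the file at load; either drop the `$ORIGIN .` line or spell the owner out, `monlabo.lan. IN SOA srv-service-ge.monlabo.lan. root.monlabo.lan. (`, as the named-generated copies under tp01-02/files_dns2 do. On a secondary the file is normally overwritten by the transferred copy, so the breakage may go unnoticed until the primary is unreachable. `216 ; Refresh` looks like `21600` with a digit dropped — 216 s makes the secondary poll the primary every few minutes — and the same value appears in files_dns2/db.monlabo.lan.rev (which also starts with `$ORIGIN .` before `@`) and in both files_service zone files.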
@@ -0,0 +1,23 @@ +$ORIGIN . +$TTL 604800 +@ IN SOA srv-service-ge.monlabo.lan. root.monlabo.lan. ( + 2635478965 ; Serial + 216 ; Refresh + 3600 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + + IN NS srv-service-ge.monlabo.lan. + IN NS srv-dns2-ge.monlabo.lan. + +$ORIGIN 0.16.172.in-addr.arpa. + +1 IN PTR srv-service-ge.monlabo.lan. +2 IN PTR srv-dns2-ge.monlabo.lan. +100 IN PTR pc-cli-ge.monlabo.lan. +254 IN PTR srv-admin-ge.monlabo.lan. + +srv-service-ge IN A 172.16.0.1 +srv-dns2-ge IN A 172.16.0.2 +srv-admin-ge IN A 172.16.0.254 +pc-cli-ge IN A 172.16.0.100 diff --git a/siotp/sisr1/tp03/files_dns2/hostname b/siotp/sisr1/tp03/files_dns2/hostname new file mode 100644 index 0000000..f30f6eb --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/hostname @@ -0,0 +1 @@ +srv-dns2-ge diff --git a/siotp/sisr1/tp03/files_dns2/hosts b/siotp/sisr1/tp03/files_dns2/hosts new file mode 100644 index 0000000..9f062f4 --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost +127.0.1.1 srv-dns2-ge.sio.lan srv-dns2-ge + +# The following lines are desirable for IPv6 capable hosts +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/siotp/sisr1/tp03/files_dns2/named.conf b/siotp/sisr1/tp03/files_dns2/named.conf new file mode 100644 index 0000000..bc71baa --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/named.conf @@ -0,0 +1,11 @@ +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +include "/etc/bind/named.conf.options"; +include "/etc/bind/named.conf.local"; +include "/etc/bind/named.conf.default-zones"; 
diff --git a/siotp/sisr1/tp03/files_dns2/named.conf.local b/siotp/sisr1/tp03/files_dns2/named.conf.local new file mode 100644 index 0000000..82e1bfa --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/named.conf.local @@ -0,0 +1,26 @@ +// +// Do any local configuration here +// + +// zone directe +zone "monlabo.lan" { + type slave; + file "/etc/bind/db.monlabo.lan"; + masters { 172.16.0.1; }; + masterfile-format text; +}; + +// zone inverse +zone "0.16.172.in-addr.arpa" { + type slave; + notify no; + file "/etc/bind/db.monlabo.lan.rev"; + masters { 172.16.0.1; }; + masterfile-format text; +}; + + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + diff --git a/siotp/sisr1/tp03/files_dns2/named.conf.options b/siotp/sisr1/tp03/files_dns2/named.conf.options new file mode 100644 index 0000000..61d68c2 --- /dev/null +++ b/siotp/sisr1/tp03/files_dns2/named.conf.options @@ -0,0 +1,25 @@ +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + forwarders { + 10.121.38.7; + 10.121.38.8; + }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation no; + + listen-on-v6 { any; }; +}; diff --git a/siotp/sisr1/tp03/files_dns2/resolv.conf b/siotp/sisr1/tp03/files_dns2/resolv.conf new file mode 100644 index 0000000..70b715d --- /dev/null 
+++ b/siotp/sisr1/tp03/files_dns2/resolv.conf @@ -0,0 +1,3 @@ +domain monlabo.lan +search monlabo.lan +nameserver 172.16.0.2 diff --git a/siotp/sisr1/tp03/files_service/README.md b/siotp/sisr1/tp03/files_service/README.md new file mode 100644 index 0000000..c139bec --- /dev/null +++ b/siotp/sisr1/tp03/files_service/README.md @@ -0,0 +1 @@ +Files for the srv-dns1-ge Virtual Machine. \ No newline at end of file diff --git a/siotp/sisr1/tp03/files_service/db.monlabo.lan b/siotp/sisr1/tp03/files_service/db.monlabo.lan new file mode 100644 index 0000000..450151c --- /dev/null +++ b/siotp/sisr1/tp03/files_service/db.monlabo.lan @@ -0,0 +1,36 @@ +$TTL 604800 +@ IN SOA srv-service-ge.monlabo.lan. root.monlabo.lan. ( + 2635478965 ; Serial + 216 ; Refresh + 3600 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + + IN NS srv-service-ge.monlabo.lan. + IN NS srv-dns2-ge.monlabo.lan. + + IN A 172.16.0.1 + IN A 172.16.0.2 + IN A 172.16.0.10 + IN A 172.16.0.100 + IN A 172.16.0.254 + +srv-service-ge IN A 172.16.0.1 +srv-dns2-ge IN A 172.16.0.2 +srv-admin-ge IN A 172.16.0.254 +pc-cli-ge IN A 172.16.0.100 +pc-secure-ge IN A 172.16.0.10 + +srvdns IN CNAME srv-service-ge +dns IN CNAME srv-service-ge +dns1 IN CNAME srv-service-ge +srvdhcp IN CNAME srv-service-ge +dhcp IN CNAME srv-service-ge +srvadmin IN CNAME srv-admin-ge +router IN CNAME srv-admin-ge +pc IN CNAME pc-cli-ge +client IN CNAME pc-cli-ge +pccli IN CNAME pc-cli-ge +pcsecure IN CNAME pc-secure-ge +srvdns2 IN CNAME srv-dns2-ge +dns2 IN CNAME srv-dns2-ge diff --git a/siotp/sisr1/tp03/files_service/db.monlabo.lan.rev b/siotp/sisr1/tp03/files_service/db.monlabo.lan.rev new file mode 100644 index 0000000..d9380af --- /dev/null +++ b/siotp/sisr1/tp03/files_service/db.monlabo.lan.rev 
@@ -0,0 +1,25 @@ +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA srv-service-ge.monlabo.lan. root.monlabo.lan. ( + 2635478965 ; Serial + 216 ; Refresh + 3600 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + + IN NS srv-service-ge.monlabo.lan. + IN NS srv-dns2-ge.monlabo.lan. + +1 IN PTR srv-service-ge.monlabo.lan. +2 IN PTR srv-dns2-ge.monlabo.lan. +10 IN PTR pc-secure-ge.monlabo.lan. +100 IN PTR pc-cli-ge.monlabo.lan. +254 IN PTR srv-admin-ge.monlabo.lan. + +srv-service-ge IN A 172.16.0.1 +srv-dns2-ge IN A 172.16.0.2 +srv-admin-ge IN A 172.16.0.254 +pc-cli-ge IN A 172.16.0.100 +pc-secure-ge IN A 172.16.0.10 diff --git a/siotp/sisr1/tp03/files_service/dhclient.conf b/siotp/sisr1/tp03/files_service/dhclient.conf new file mode 100644 index 0000000..4b35e9b --- /dev/null +++ b/siotp/sisr1/tp03/files_service/dhclient.conf 
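Review bot: The five `IN A` records at the bottom of this reverse zone are relative to `0.16.172.in-addr.arpa`, so they define names such as `srv-service-ge.0.16.172.in-addr.arpa` that nothing will ever query and that merely duplicate data already in `db.monlabo.lan`; delete them and keep only the PTR records, which are all this zone should carry. The header comment `; BIND data file for local loopback interface` is copied from `db.127` and should read something like `; reverse zone for 172.16.0.0/24 (monlabo.lan)`. The same non-date serial and 216-second refresh as the forward zone apply here.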
@@ -0,0 +1,55 @@ +# Configuration file for /sbin/dhclient. +# +# This is a sample configuration file for dhclient. See dhclient.conf's +# man page for more information about the syntax of this file +# and a more comprehensive list of the parameters understood by +# dhclient. +# +# Normally, if the DHCP server provides reasonable information and does +# not leave anything out (like the domain name, for example), then +# few changes must be made to this file, if any. +# + +option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; + +send host-name = gethostname(); +request subnet-mask, broadcast-address, time-offset, routers, + domain-name, domain-name-servers, domain-search, host-name, + dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers, + netbios-name-servers, netbios-scope, interface-mtu, + rfc3442-classless-static-routes, ntp-servers; + +#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c; +#send dhcp-lease-time 3600; +#supersede domain-name "fugue.com home.vix.com"; +#prepend domain-name-servers 127.0.0.1; +#prepend domain-name-servers 172.16.0.2; +#require subnet-mask, domain-name-servers; +#timeout 60; +#retry 60; +#reboot 10; +#select-timeout 5; +#initial-interval 2; +#script "/sbin/dhclient-script"; +#media "-link0 -link1 -link2", "link0 link1"; +#reject 192.33.137.209; + +#alias { +# interface "eth0"; +# fixed-address 192.5.5.213; +# option subnet-mask 255.255.255.255; +#} + +#lease { +# interface "eth0"; +# fixed-address 192.33.137.200; +# medium "link0 link1"; +# option host-name "andare.swiftmedia.com"; +# option subnet-mask 255.255.255.0; +# option broadcast-address 192.33.137.255; +# option routers 192.33.137.250; +# option domain-name-servers 127.0.0.1; +# renew 2 2000/1/12 00:00:01; +# rebind 2 2000/1/12 00:00:01; +# expire 2 2000/1/12 00:00:01; +#} diff --git a/siotp/sisr1/tp03/files_service/dhcpd.conf b/siotp/sisr1/tp03/files_service/dhcpd.conf new file mode 100644 index 0000000..edf08bb --- /dev/null 
+++ b/siotp/sisr1/tp03/files_service/dhcpd.conf 
@@ -0,0 +1,114 @@ +# dhcpd.conf +# +# Sample configuration file for ISC dhcpd +# + +# option definitions common to all supported networks... +default-lease-time 600; +max-lease-time 7200; + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +#authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +#log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. + +#subnet 10.152.187.0 netmask 255.255.255.0 { +#} + +# This is a very basic subnet declaration. + +subnet 172.16.0.0 netmask 255.255.255.0 { + range 172.16.0.100 172.16.0.200; + option routers 172.16.0.254; + option domain-name "monlabo.lan"; + option domain-name-servers 172.16.0.1, 172.16.0.2; +} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. 
If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. + +host srv-admin-ge { + hardware ethernet 08:00:27:6e:32:49; + fixed-address 172.16.0.254; +} + +host srv-dns2-ge { + hardware ethernet 08:00:27:8e:f7:39; + fixed-address 172.16.0.2; +} + +host pc-secure-ge { + hardware ethernet 08:00:27:01:99:b3; + fixed-address 172.16.0.10; +} +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.example.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. + +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} diff --git a/siotp/sisr1/tp03/files_service/hostname b/siotp/sisr1/tp03/files_service/hostname new file mode 100644 index 0000000..30790dc --- /dev/null +++ b/siotp/sisr1/tp03/files_service/hostname @@ -0,0 +1 @@ +srv-service-ge 
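Review bot: `pc-cli-ge` is pinned to 172.16.0.100 in both zone files, yet 172.16.0.100 is the first address of the dynamic pool `range 172.16.0.100 172.16.0.200;` and there is no `host` block for it, so that lease can go to any client and the forward and PTR records for `pc-cli-ge` will then name the wrong machine; add `host pc-cli-ge { hardware ethernet ...; fixed-address 172.16.0.100; }` or start the pool at `.101`. `#authoritative;` is still commented out, so this server will not NAK clients that hold a lease from some other server on the segment; uncomment it if this is meant to be the only DHCP server on 172.16.0.0/24. `ddns-update-style none;` is the right choice while the zones are hand-maintained, but a comment saying so prevents someone from enabling dynamic updates later without also adding `allow-update` restrictions in BIND.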
diff --git a/siotp/sisr1/tp03/files_service/hosts b/siotp/sisr1/tp03/files_service/hosts
new file mode 100644
index 0000000..916d9fc
--- /dev/null
+++ b/siotp/sisr1/tp03/files_service/hosts
@@ -0,0 +1,7 @@
+127.0.0.1 localhost
+127.0.1.1 srv-service-ge.sio.lan srv-service-ge
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/siotp/sisr1/tp03/files_service/interfaces b/siotp/sisr1/tp03/files_service/interfaces
new file mode 100644
index 0000000..5eadc72
--- /dev/null
+++ b/siotp/sisr1/tp03/files_service/interfaces
@@ -0,0 +1,14 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+ address 172.16.0.1/24
+ gateway 172.16.0.254
diff --git a/siotp/sisr1/tp03/files_service/isc-dhcp-server b/siotp/sisr1/tp03/files_service/isc-dhcp-server
new file mode 100644
index 0000000..d3164b9
--- /dev/null
+++ b/siotp/sisr1/tp03/files_service/isc-dhcp-server
@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s3"
+INTERFACESv6=""
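Review bot: `127.0.1.1 srv-service-ge.sio.lan srv-service-ge` gives this machine an FQDN in `sio.lan`, while `resolv.conf`, `dhcpd.conf` and both zone files in this commit use `monlabo.lan`, so `hostname -f` and anything that derives the domain from it (Samba, sudo, mail) will disagree with what DNS says. Change the line to `127.0.1.1 srv-service-ge.monlabo.lan srv-service-ge`. The static address in `interfaces` and `INTERFACESv4="enp0s3"` in `isc-dhcp-server` are consistent with the zone data, so those two files look fine.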
diff --git a/siotp/sisr1/tp03/files_service/named.conf b/siotp/sisr1/tp03/files_service/named.conf
new file mode 100644
index 0000000..bc71baa
--- /dev/null
+++ b/siotp/sisr1/tp03/files_service/named.conf
@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
diff --git a/siotp/sisr1/tp03/files_service/named.conf.local b/siotp/sisr1/tp03/files_service/named.conf.local
new file mode 100644
index 0000000..dc57d68
--- /dev/null
+++ b/siotp/sisr1/tp03/files_service/named.conf.local
@@ -0,0 +1,21 @@
+//
+// Do any local configuration here
+//
+
+// zone directe
+zone "monlabo.lan" {
+ type master;
+ file "/etc/bind/db.monlabo.lan";
+};
+
+// zone inverse
+zone "0.16.172.in-addr.arpa" {
+ type master;
+ notify no;
+ file "/etc/bind/db.monlabo.lan.rev";
+};
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
diff --git a/siotp/sisr1/tp03/files_service/named.conf.options b/siotp/sisr1/tp03/files_service/named.conf.options
new file mode 100644
index 0000000..2273cea
--- /dev/null
+++ b/siotp/sisr1/tp03/files_service/named.conf.options
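Review bot: Neither `master` zone sets `allow-transfer`, and on the BIND 9.16/9.18 packages Debian ships that option defaults to `any`, so every host on the segment can AXFR the complete host list of the lab; the only legitimate transfer peer is the secondary, so add `allow-transfer { 172.16.0.2; };` to both zone blocks. The reverse zone has `notify no;` while the forward zone does not, which means the secondary learns about reverse-zone changes only at its refresh interval; if that is intended, say so in the `// zone inverse` comment, otherwise drop the line and add `also-notify { 172.16.0.2; };`. `allow-update` is left at its default of `none`, which is correct given `ddns-update-style none;` in `dhcpd.conf`.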
@@ -0,0 +1,25 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forwarders {
+ 10.121.38.7;
+ 10.121.38.8;
+ };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation no;
+
+ listen-on-v6 { any; };
+};
diff --git a/siotp/sisr1/tp03/files_service/resolv.conf b/siotp/sisr1/tp03/files_service/resolv.conf
new file mode 100644
index 0000000..93b6764
--- /dev/null
+++ b/siotp/sisr1/tp03/files_service/resolv.conf
@@ -0,0 +1,3 @@
+domain monlabo.lan
+search monlabo.lan
+nameserver 127.0.0.1
diff --git a/siotp/sisr1/tp04/README.md b/siotp/sisr1/tp04/README.md
new file mode 100644
index 0000000..c81b01d
--- /dev/null
+++ b/siotp/sisr1/tp04/README.md
@@ -0,0 +1,2 @@
+Folders bear an explicit name, unlike the predecessors.
+Fourth practical work's folder.
\ No newline at end of file
diff --git a/siotp/sisr1/tp04/auto_nat/README.md b/siotp/sisr1/tp04/auto_nat/README.md
new file mode 100644
index 0000000..58dba92
--- /dev/null
+++ b/siotp/sisr1/tp04/auto_nat/README.md
@@ -0,0 +1,2 @@
+Copy to /etc/systemd/system.
+This file is a service to automate the NAT on the Virtual Machine.
\ No newline at end of file
diff --git a/siotp/sisr1/tp04/auto_nat/nat.service b/siotp/sisr1/tp04/auto_nat/nat.service
new file mode 100644
index 0000000..d3d2afd
--- /dev/null
+++ b/siotp/sisr1/tp04/auto_nat/nat.service
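Review bot: `dnssec-validation no;` sits directly under the stock comment about an expired root key, which reads as if validation was switched off to silence an error rather than by design; if 10.121.38.7/8 are upstream resolvers that do not return DNSSEC data, record that, e.g. `// validation disabled: upstream forwarders 10.121.38.7/8 do not pass DNSSEC records`, otherwise restore `dnssec-validation auto;`. Because this is the primary for `monlabo.lan` and also the resolver every DHCP client is handed, the missing `allow-recursion` matters more here than on the secondary: `allow-recursion { localhost; 172.16.0.0/24; };` keeps it from being an open forwarder for anything that can reach UDP/53. `listen-on-v6 { any; };` adds an unfiltered IPv6 listener that none of the other files in this commit use.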
@@ -0,0 +1,9 @@
+[Unit]
+Description=Running nat.sh script on startup thanks to a systemd unit.
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash /root/nat.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/siotp/sisr1/tp04/scripts_and_files/README.md b/siotp/sisr1/tp04/scripts_and_files/README.md
new file mode 100644
index 0000000..fa103d8
--- /dev/null
+++ b/siotp/sisr1/tp04/scripts_and_files/README.md
@@ -0,0 +1 @@
+This folder holds every single file and script done in the FOURTH TP.
\ No newline at end of file
diff --git a/siotp/sisr1/tp04/scripts_and_files/Users.csv b/siotp/sisr1/tp04/scripts_and_files/Users.csv
new file mode 100644
index 0000000..9dfb324
--- /dev/null
+++ b/siotp/sisr1/tp04/scripts_and_files/Users.csv
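Review bot: The unit has no ordering dependency, so `/root/nat.sh` (whose contents are not part of this hunk) may run before the interfaces it presumably references exist; add `After=network-online.target` and `Wants=network-online.target` under `[Unit]`. `Type=oneshot` without `RemainAfterExit=yes` leaves the unit showing as `inactive (dead)` even when the rules are loaded, which makes it impossible to tell from `systemctl status` whether NAT is up. Since this runs as root at every boot, keep `/root/nat.sh` root-owned with mode 0700, and consider a more specific `Description=Load NAT rules for the lab gateway` so the purpose is visible in `systemctl` output.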
@@ -0,0 +1,30 @@
+Ermengarde,Berthelmot,eberthelmot0@webmd.com,Female,Accountant,
+Kassi,Bunker,kbunker1@xinhuanet.com,Female,Production,
+Moises,McCallum,mmccallum2@i2i.jp,Male,Production,
+Patrizio,Lune,plune3@upenn.edu,Male,Accountant,
+Blanch,Everix,beverix4@php.net,Female,Accountant,
+Stafani,Kibbel,skibbel5@marriott.com,Female,Production,
+Ignacius,Mosdell,imosdell6@cloudflare.com,Male,Management,
+Jeana,Waller-Bridge,jwallerbridge7@mapy.cz,Female,Management,
+Elroy,Dressel,edressel8@opera.com,Male,Production,
+Thea,Strettell,tstrettell9@nature.com,Female,Production,
+Solomon,Insoll,sinsolla@utexas.edu,Male,Accountant,
+Carri,Feedome,cfeedomeb@ask.com,Female,Accountant,
+Padraic,Chetwind,pchetwindc@last.fm,Male,Management,
+Solly,D'Ugo,sdugod@uiuc.edu,Male,Production,
+Konstanze,MacCostigan,kmaccostigane@seattletimes.com,Female,Accountant,
+Roxane,Powlesland,rpowleslandf@pcworld.com,Female,Management,
+Orelle,Kennealy,okennealyg@arstechnica.com,Female,Production,
+Sukey,Soitoux,ssoitouxh@shinystat.com,Female,Production,
+Nelli,Syce,nsycei@blogger.com,Female,Production,
+Clarisse,Shillam,cshillamj@dailymotion.com,Female,Production,
+Carin,Gueny,cguenyk@naver.com,Female,Management,
+Donny,Riepel,driepell@addtoany.com,Male,Production,
+Daniella,Ralfe,dralfem@wunderground.com,Female,Production,
+Lexy,Clynmans,lclynmansn@furl.net,Female,Production,
+Gardiner,Adamthwaite,gadamthwaiteo@spotify.com,Male,Production,
+Woodman,Lippett,wlippettp@purevolume.com,Male,Production,
+Nadya,Munnion,nmunnionq@flavors.me,Female,Production,
+Llewellyn,Habershon,lhabershonr@alibaba.com,Male,Production,
+Isaak,Greatrex,igreatrexs@seesaa.net,Male,Production,
+Darill,Frostdyke,dfrostdyket@cafepress.com,Male,Production,
diff --git a/siotp/sisr1/tp04/scripts_and_files/createLogins.sh b/siotp/sisr1/tp04/scripts_and_files/createLogins.sh
new file mode 100644
index 0000000..197c424
--- /dev/null
+++ b/siotp/sisr1/tp04/scripts_and_files/createLogins.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+rm ./logins.csv
+while read line
+do
+ touch ./temptp4.txt
+ file='./temptp4.txt'
+ echo $line > $file
+ surname=$(cut -d "," -f 1 $file)
+ name=$(cut -d "," -f 2 $file)
+ group=$(cut -d "," -f 5 $file)
+ initials=$(cut -c 1 $file)
+ id=$(echo $initials$name | tr [:upper:] [:lower:])
+ passwd=$(echo $RANDOM | md5sum | head -c 8)
+ echo $id","$passwd","$surname","$name","$group>> logins.csv
+ rm ./temptp4.txt
+done < ./Users.csv
diff --git a/siotp/sisr1/tp04/scripts_and_files/createUsers.sh b/siotp/sisr1/tp04/scripts_and_files/createUsers.sh
new file mode 100644
index 0000000..6ddd41d
--- /dev/null
+++ b/siotp/sisr1/tp04/scripts_and_files/createUsers.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+while read line
+do
+ touch ./temptp4.txt
+ file="./temptp4.txt"
+ echo $line > $file
+ user=$(cut -d "," -f 1 $file)
+ usergroup=$(cut -d "," -f 5 $file)
+ passwd=$(cut -d "," -f 2 $file)
+ if ! grep -q $usergroup /etc/group ; then
+ echo "tentative creation $usergroup"
+ groupadd "$usergroup"
+ fi
+ useradd --create-home --groups $usergroup --shell /bin/bash $user
+ (echo $passwd ; echo $passwd) | passwd $user
+ chown $user /home/$user
+ rm ./temptp4.txt
+done < ./logins.csv
diff --git a/siotp/sisr1/tp04/scripts_and_files/logins.csv b/siotp/sisr1/tp04/scripts_and_files/logins.csv
new file mode 100644
index 0000000..0053371
--- /dev/null
+++ b/siotp/sisr1/tp04/scripts_and_files/logins.csv
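Review bot: `passwd=$(echo $RANDOM | md5sum | head -c 8)` derives every password from bash's `$RANDOM`, a 15-bit value, so there are at most 32768 possible passwords and anyone holding one hash recovers all of them by hashing 0..32767 with md5; use the kernel CSPRNG instead, `passwd=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12)`. The login is the first character of field 1 plus the raw field 2 with no sanitisation, which produces `sd'ugo` and `jwaller-bridge` in the generated CSV, and the apostrophe is rejected by `useradd` on Debian; strip disallowed characters with `id=$(echo "$initials$name" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9._-')`. The variable named `surname` actually holds column 1 of `Users.csv`, which is the first name, so the names are swapped relative to the data. `rm ./logins.csv` fails noisily on first run (`rm -f`), the temp file and four `cut` calls can be replaced by `IFS=, read -r surname name _ _ group`, and the output file holds plaintext credentials so it should be created under `umask 077`.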
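Review bot: `(echo $passwd ; echo $passwd) | passwd $user` only works because `passwd` falls back to stdin when there is no controlling tty (the `ssh` without `-t` case in `remoteCreation.sh`); run from a terminal it will prompt instead and ignore the pipe. `echo "$user:$passwd" | chpasswd` is the tool meant for batch use, and `passwd -e "$user"` afterwards forces a change at first login since these initial passwords are handed out in a CSV. `grep -q $usergroup /etc/group` is a substring match (`Production` would also match a group named `Production2` or text in a GECOS field), so use `getent group "$usergroup" >/dev/null`. `chown $user /home/$user` is redundant after `useradd --create-home`, which already sets owner and group, and every `$user`/`$usergroup`/`$passwd` expansion should be double-quoted since the values come straight from the CSV.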
@@ -0,0 +1,30 @@
+eberthelmot,a0faa388,Ermengarde,Berthelmot,Accountant
+kbunker,cc9b1c09,Kassi,Bunker,Production
+mmccallum,81f11471,Moises,McCallum,Production
+plune,0a52910c,Patrizio,Lune,Accountant
+beverix,f0736efe,Blanch,Everix,Accountant
+skibbel,f890d6d1,Stafani,Kibbel,Production
+imosdell,a97cd2b8,Ignacius,Mosdell,Management
+jwaller-bridge,9c43389e,Jeana,Waller-Bridge,Management
+edressel,8831e520,Elroy,Dressel,Production
+tstrettell,0bd22c22,Thea,Strettell,Production
+sinsoll,91c81969,Solomon,Insoll,Accountant
+cfeedome,be5d9acb,Carri,Feedome,Accountant
+pchetwind,f60802f5,Padraic,Chetwind,Management
+sd'ugo,8b6cd4c2,Solly,D'Ugo,Production
+kmaccostigan,4114aff4,Konstanze,MacCostigan,Accountant
+rpowlesland,05e19a95,Roxane,Powlesland,Management
+okennealy,04f8d927,Orelle,Kennealy,Production
+ssoitoux,9e931572,Sukey,Soitoux,Production
+nsyce,29a54396,Nelli,Syce,Production
+cshillam,8a394f6a,Clarisse,Shillam,Production
+cgueny,6d30f53a,Carin,Gueny,Management
+driepel,45db9a6b,Donny,Riepel,Production
+dralfe,d14bcb76,Daniella,Ralfe,Production
+lclynmans,98d3e926,Lexy,Clynmans,Production
+gadamthwaite,4d6313a8,Gardiner,Adamthwaite,Production
+wlippett,9423f972,Woodman,Lippett,Production
+nmunnion,80f1c167,Nadya,Munnion,Production
+lhabershon,67c2be97,Llewellyn,Habershon,Production
+igreatrex,90715fb9,Isaak,Greatrex,Production
+dfrostdyke,4abe7ab1,Darill,Frostdyke,Production
diff --git a/siotp/sisr1/tp04/scripts_and_files/remoteCreation.sh b/siotp/sisr1/tp04/scripts_and_files/remoteCreation.sh
new file mode 100644
index 0000000..af7f04e
--- /dev/null
+++ b/siotp/sisr1/tp04/scripts_and_files/remoteCreation.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+scp ./createUsers.sh root@$1:/root
+scp ./logins.csv root@$1:/root
+ssh root@$1 "chmod -x /root/createUsers.sh"
+ssh root@$1 "bash /root/createUsers.sh"
+ssh root@$1 "rm /root/logins.csv"
+ssh root@$1 "rm /root/createUsers.sh"
+exit
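Review bot: This file commits 30 usernames with their plaintext initial passwords to git history, and `createUsers.sh` in the same commit sets exactly these values on the target host, so they must be treated as leaked the moment the repository is shared. Rotate them on the VM (`passwd -e` on every account in the file forces a new password at first login), `git rm --cached` the file and add `logins.csv` to `.gitignore`, and regenerate it locally at deployment time from `createLogins.sh`; a history rewrite is the only way to actually remove the values. Two of the generated logins, `sd'ugo` and `jwaller-bridge`, will not pass `useradd`'s default name check on Debian, which is a bug in the generator rather than in this data.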
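Review bot: There is no `set -e`, so if either `scp` fails (host down, wrong path) the script still runs `ssh root@$1 "bash /root/createUsers.sh"` against whatever stale copy sits in `/root` and then deletes it; start with `set -euo pipefail` and `[ -n "${1:-}" ] || { echo "usage: $0 host" >&2; exit 1; }`. `chmod -x /root/createUsers.sh` removes the execute bit, which is harmless only because the next line runs the script through `bash`, but it reads like a typo for `+x`; drop the line or make it `chmod 700` so the credential-handling script is not world-readable while it exists. Six root SSH sessions could be one: `scp` the CSV, then `ssh root@"$1" 'bash -s' < ./createUsers.sh` followed by the `rm` in the same command string, which also avoids leaving the script on disk at all.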
diff --git a/siotp/sisr1/tp05/README.md b/siotp/sisr1/tp05/README.md
new file mode 100644
index 0000000..df67a65
--- /dev/null
+++ b/siotp/sisr1/tp05/README.md
@@ -0,0 +1 @@
+Fifth practical work's folder, withholds Samba's configuration file and the script for remote deployment.
\ No newline at end of file
diff --git a/siotp/sisr1/tp05/deployment_samba.sh b/siotp/sisr1/tp05/deployment_samba.sh
new file mode 100644
index 0000000..b2bde3d
--- /dev/null
+++ b/siotp/sisr1/tp05/deployment_samba.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+while read line
+do
+ touch ./temptp4.txt
+ file="./temptp4.txt"
+ echo $line > $file
+ user=$(cut -d "," -f 1 $file)
+ usergroup=$(cut -d "," -f 5 $file)
+ passwd=$(cut -d "," -f 2 $file)
+ if ! grep -q $usergroup /etc/group ; then
+ echo "Tentative de création du groupe"
+ groupadd "$usergroup"
+ fi
+ useradd $user -d /dev/null -s /bin/false
+ usermod -aG $usergroup $user
+ (echo $passwd ; echo $passwd) | smbpasswd -a $user
+ rm ./temptp4.txt
+done < /root/files/logins.csv
diff --git a/siotp/sisr1/tp05/smb.conf b/siotp/sisr1/tp05/smb.conf
new file mode 100644
index 0000000..fa316cd
--- /dev/null
+++ b/siotp/sisr1/tp05/smb.conf
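Review bot: `(echo $passwd ; echo $passwd) | smbpasswd -a $user` will not take the password from the pipe: `smbpasswd` prompts on `/dev/tty` unless it is given `-s`, so the line needs to be `(echo "$passwd"; echo "$passwd") | smbpasswd -s -a "$user"`. `useradd $user -d /dev/null -s /bin/false` sets a device node as the home directory; the usual form for Samba-only accounts is `useradd -M -d /nonexistent -s /usr/sbin/nologin "$user"`. As in `createUsers.sh`, `grep -q $usergroup /etc/group` is a substring match and should be `getent group "$usergroup" >/dev/null`, the temp-file dance collapses to `IFS=, read -r user passwd _ _ usergroup`, and the script reads `/root/files/logins.csv`, a different path from the one `remoteCreation.sh` copies to, so a note on how that file gets there would help.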
@@ -0,0 +1,285 @@ +# +# Sample configuration file for the Samba suite for Debian GNU/Linux. +# +# +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options most of which +# are not shown in this example +# +# Some options that are often worth tuning have been included as +# commented-out examples in this file. +# - When such options are commented with ";", the proposed setting +# differs from the default Samba behaviour +# - When commented with "#", the proposed setting is the default +# behaviour of Samba but the option is considered important +# enough to be mentioned here +# +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. + +#======================= Global Settings ======================= + +[global] + +## Browsing/Identification ### + +# Change this to the workgroup/NT-domain name your Samba server will part of +; workgroup = monlabo.lan + +#### Networking #### + +# The specific set of interfaces / networks to bind to +# This can be either the interface name or an IP address/netmask; +# interface names are normally preferred + interfaces = enp0s8 + +# Only bind to the named interfaces and/or networks; you must use the +# 'interfaces' option above to use this. +# It is recommended that you enable this feature if your Samba machine is +# not protected by a firewall or is a firewall itself. However, this +# option cannot handle dynamic or non-broadcast interfaces correctly. + bind interfaces only = yes + + + +#### Debugging/Accounting #### + +# This tells Samba to use a separate log file for each machine +# that connects +; log file = /var/log/samba/log.%m + +# Cap the size of the individual log files (in KiB). +; max log size = 1000 + +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. 
+# Append syslog@1 if you want important messages to be sent to syslog too. +; logging = file + +# Do something sensible when Samba crashes: mail the admin a backtrace +; panic action = /usr/share/samba/panic-action %d + + +####### Authentication ####### + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + + obey pam restrictions = no + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. 
+ pam password change = no + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = classic +# primary domain controller', 'server role = classic backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/useradd --create-home %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. 
+; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. + usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = yes + +#======================= Share Definitions ======================= + +[homes] + comment = Home Directories + browseable = no + +# By default, the home directories are exported read-only. Change the +# next parameter to 'no' if you want to be able to write to them. + read only = yes + +# File creation mask is set to 0700 for security reasons. If you want to +# create files with group=rw permissions, set next parameter to 0775. + create mask = 0775 + +# Directory creation mask is set to 0700 for security reasons. If you want to +# create dirs. with group=rw permissions, set next parameter to 0775. + directory mask = 0775 + +# By default, \\server\username shares can be connected to by anyone +# with access to the samba server. 
+# The following parameter makes sure that only "username" can connect +# to \\server\username +# This might need tweaking when using external authentication schemes + valid users = %S + +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes + +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) +# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 + +[printers] + comment = All Printers + browseable = no + path = /var/tmp + printable = yes + guest ok = no + read only = yes + create mask = 0700 + +# Windows clients look for this share name as a source of downloadable +# printer drivers +[print$] + comment = Printer Drivers + path = /var/lib/samba/printers + browseable = yes + read only = yes + guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. 
+# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin + +[sambademo] +comment = testing folder + path = /sambashare/test + browsable = yes + valid users = tester, @testing + read only = no + create mask = 0770 + directory mask = 0770 + write list = tester, @testing + +[management] +comment = folder for management + path = /sambashare/management + browsable = yes + valid users = @Management + read only = yes + create mask = 0770 + directory mask = 0770 + write list = @Management + +[accounting] +comment = folder for accounting + path = /sambashare/comptabilité + browsable = yes + valid users = @Management, @Accountant + read only = yes + create mask = 0770 + directory mask = 0770 + write list = @Accountant + +[commun] +comment = common work folder + path = /sambashare/commun + browsable = yes + valid users = @Management, @Accountant, @Production + read only = yes + create mask = 0770 + directory mask = 0770 + write list = @Management, @Accountant, @Production + +[production] +comment = folder for production team + path = /sambashare/production + browsable = yes + valid users = @Production, @Management, @Accountant + read only = yes + create mask = 0770 + directory mask = 0770 + write list = @Production diff --git a/siotp/sisr1/tp06/README.md b/siotp/sisr1/tp06/README.md new file mode 100644 index 0000000..0ba5512 --- /dev/null +++ b/siotp/sisr1/tp06/README.md @@ -0,0 +1 @@ +Sixth practical work's folder. Practical work on proxies with squid. \ No newline at end of file diff --git a/siotp/sisr1/tp06/files_admin/README.md b/siotp/sisr1/tp06/files_admin/README.md new file mode 100644 index 0000000..e79eb86 --- /dev/null +++ b/siotp/sisr1/tp06/files_admin/README.md @@ -0,0 +1 @@ +Files for the NAT replacement. \ No newline at end of file 
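Review bot: `map to guest = bad user` together with `usershare allow guests = yes` and `usershare max shares = 100` means any unknown username becomes a guest session instead of a failed logon, and any lab user can publish a share readable by those guests; for a server whose shares are all group-restricted set `map to guest = never` and `usershare max shares = 0`. The `[sambademo]` share with `valid users = tester, @testing` is a test artefact (neither account is created by `deployment_samba.sh`) and should be removed before deployment, and `unix password sync = yes` only makes sense if the Samba users are also real Unix logins, which the deployment script deliberately prevents with `-s /bin/false`, so set it to `no`. Adding `server min protocol = SMB2` and `smb encrypt = desired` under `[global]` refuses SMB1 clients and lets capable clients encrypt. `interfaces = enp0s8` differs from the `enp0s3` used in every other file of this commit; with `bind interfaces only = yes` a wrong name leaves Samba unreachable, so a comment saying which VM this is would help.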
diff --git a/siotp/sisr1/tp06/files_admin/dnsfwd.service b/siotp/sisr1/tp06/files_admin/dnsfwd.service
new file mode 100644
index 0000000..f015871
--- /dev/null
+++ b/siotp/sisr1/tp06/files_admin/dnsfwd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Running port forwarding script on startup thanks to a systemd unit.
+[Service]
+Type=oneshot
+ExecStart=/bin/bash /root/dnsfwd.sh
+[Install]
+WantedBy=multi-user.target
diff --git a/siotp/sisr1/tp06/files_admin/dnsfwd.sh b/siotp/sisr1/tp06/files_admin/dnsfwd.sh
new file mode 100644
index 0000000..c73ea90
--- /dev/null
+++ b/siotp/sisr1/tp06/files_admin/dnsfwd.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+nft add table dnsfwd
+nft add chain dnsfwd prerouting {type nat hook prerouting priority 0 \; }
+nft add chain dnsfwd postrouting {type nat hook postrouting priority 0 \; }
+nft add rule dnsfwd postrouting tcp dport 53 masquerade
+nft add rule dnsfwd postrouting udp dport 53 masquerade
diff --git a/siotp/sisr1/tp06/files_admin/squid_v1.conf b/siotp/sisr1/tp06/files_admin/squid_v1.conf
new file mode 100644
index 0000000..4eeac1e
--- /dev/null
+++ b/siotp/sisr1/tp06/files_admin/squid_v1.conf
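Review bot: The `prerouting` chain is created but never receives a rule, so nothing here redirects client DNS anywhere; the script only masquerades outbound port-53 traffic, which lets a client point at any external resolver and bypass whatever the proxy this "NAT replacement" is meant to enforce. If the intent is to force lab DNS through 172.16.0.1, add the DNAT (assuming enp0s3 is the LAN side) `nft add rule dnsfwd prerouting iif enp0s3 udp dport 53 dnat to 172.16.0.1` and its TCP twin; if not, the empty chain and the unit's "port forwarding" description are misleading. `ip_forward=1` with no filter chain forwards every other protocol too, and the private source address failing upstream is not a policy; add an `inet` filter table with a forward chain `policy drop` that accepts only `udp dport 53` and `tcp dport 53` from the LAN. `nft add rule` is not idempotent, so a second run of the unit appends duplicate rules; start the script with `nft delete table ip dnsfwd 2>/dev/null` or load an atomic ruleset with `nft -f`.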
@@ -0,0 +1,9158 @@ +# WELCOME TO SQUID 5.7 +# ---------------------------- +# +# This is the documentation for the Squid configuration file. +# This documentation can also be found online at: +# http://www.squid-cache.org/Doc/config/ +# +# You may wish to look at the Squid home page and wiki for the +# FAQ and other documentation: +# http://www.squid-cache.org/ +# http://wiki.squid-cache.org/SquidFaq +# http://wiki.squid-cache.org/ConfigExamples +# +# This documentation shows what the defaults for various directives +# happen to be. If you don't need to change the default, you should +# leave the line out of your squid.conf in most cases. +# +# In some cases "none" refers to no default setting at all, +# while in other cases it refers to the value of the option +# - the comments for that keyword indicate if this is the case. +# + +# Configuration options can be included using the "include" directive. +# Include takes a list of files to include. Quoting and wildcards are +# supported. +# +# For example, +# +# include /path/to/included/file/squid.acl.config +# +# Includes can be nested up to a hard-coded depth of 16 levels. +# This arbitrary restriction is to prevent recursive include references +# from causing Squid entering an infinite loop whilst trying to load +# configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with time units +# +# Time-related directives marked with either "time-units" or +# "time-units-small" accept a time unit. 
The supported time units are: +# +# nanosecond (time-units-small only) +# microsecond (time-units-small only) +# millisecond +# second +# minute +# hour +# day +# week +# fortnight +# month - 30 days +# year - 31557790080 milliseconds (just over 365 days) +# decade +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl allowlist dstdomain parameters("/etc/squid/allowlist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. 
+# +# Logformat Macros +# +# Logformat macros can be used in many places outside of the logformat +# directive. In theory, all of the logformat codes can be used as %macros, +# where they are supported. In practice, a %macro expands as a dash (-) when +# the transaction does not yet have enough information and a value is needed. +# +# There is no definitive list of what tokens are available at the various +# stages of the transaction. +# +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: dns_v4_first +# Remove this line. Squid no longer supports preferential treatment of DNS A records. +#Default: +# none + +# TAG: cache_peer_domain +# Replace with dstdomain ACLs and cache_peer_access. +#Default: +# none + +# TAG: ie_refresh +# Remove this line. The behaviour enabled by this is no longer needed. +#Default: +# none + +# TAG: sslproxy_cafile +# Remove this line. Use tls_outgoing_options cafile= instead. +#Default: +# none + +# TAG: sslproxy_capath +# Remove this line. Use tls_outgoing_options capath= instead. +#Default: +# none + +# TAG: sslproxy_cipher +# Remove this line. Use tls_outgoing_options cipher= instead. +#Default: +# none + +# TAG: sslproxy_client_certificate +# Remove this line. 
Use tls_outgoing_options cert= instead. +#Default: +# none + +# TAG: sslproxy_client_key +# Remove this line. Use tls_outgoing_options key= instead. +#Default: +# none + +# TAG: sslproxy_flags +# Remove this line. Use tls_outgoing_options flags= instead. +#Default: +# none + +# TAG: sslproxy_options +# Remove this line. Use tls_outgoing_options options= instead. +#Default: +# none + +# TAG: sslproxy_version +# Remove this line. Use tls_outgoing_options options= instead. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: balance_on_multiple_ip +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. 
+#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % +##auth_param negotiate children 20 startup=0 idle=1 +## +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 +##auth_param digest realm Squid proxy-caching web server +##auth_param digest nonce_garbage_interval 5 minutes +##auth_param digest nonce_max_duration 30 minutes +##auth_param digest nonce_max_count 50 +## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +## +##auth_param basic program +##auth_param basic children 5 startup=5 idle=1 +##auth_param basic credentialsttl 2 hours +#Default: +# none + +# TAG: authenticate_cache_garbage_interval +# The time period between garbage collection across the username cache. +# This is a trade-off between memory utilization (long intervals - say +# 2 days) and CPU (short intervals - say 1 minute). Only change if you +# have good reason to. +#Default: +# authenticate_cache_garbage_interval 1 hour + +# TAG: authenticate_ttl +# The time a user & their credentials stay in the logged in +# user cache since their last request. When the garbage +# interval passes, all user credentials that have passed their +# TTL are removed from memory. +#Default: +# authenticate_ttl 1 hour + +# TAG: authenticate_ip_ttl +# If you use proxy authentication and the 'max_user_ip' ACL, +# this directive controls how long Squid remembers the IP +# addresses associated with each user. Use a small value +# (e.g., 60 seconds) if your users might change addresses +# quickly, as is the case with dialup. You might be safe +# using a larger value (e.g., 2 hours) in a corporate LAN +# environment with relatively static address assignments. 
+#Default: +# authenticate_ip_ttl 1 second + +# ACCESS CONTROLS +# ----------------------------------------------------------------------------- + +# TAG: external_acl_type +# This option defines external acl classes using a helper program +# to look up the status +# +# external_acl_type name [options] FORMAT /path/to/helper [helper arguments] +# +# Options: +# +# ttl=n TTL in seconds for cached results (defaults to 3600 +# for 1 hour) +# +# negative_ttl=n +# TTL for cached negative lookups (default same +# as ttl) +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service +# external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# +# concurrency=n concurrency level per process. Only used with helpers +# capable of processing more than one query at a time. +# +# queue-size=N The queue-size option sets the maximum number of +# queued requests. 
A request is queued when no existing +# helper can accept it due to concurrency limit and no +# new helper can be started due to children-max limit. +# If the queued requests exceed queue size, the acl is +# ignored. The default value is set to 2*children-max. +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# +# ipv4 / ipv6 IP protocol used to communicate with this helper. +# The default is to auto-detect IPv6 and use it when available. +# +# +# FORMAT is a series of %macro codes. See logformat directive for a full list +# of the accepted codes. Although note that at the time of any external ACL +# being tested data may not be available and thus some %macro expand to '-'. +# +# In addition to the logformat codes; when processing external ACLs these +# additional macros are made available: +# +# %ACL The name of the ACL being tested. +# +# %DATA The ACL arguments specified in the referencing config +# 'acl ... external' line, separated by spaces (an +# "argument string"). see acl external. +# +# If there are no ACL arguments %DATA expands to '-'. +# +# If you do not specify a DATA macro inside FORMAT, +# Squid automatically appends %DATA to your FORMAT. +# Note that Squid-3.x may expand %DATA to whitespace +# or nothing in this case. +# +# By default, Squid applies URL-encoding to each ACL +# argument inside the argument string. If an explicit +# encoding modifier is used (e.g., %#DATA), then Squid +# encodes the whole argument string as a single token +# (e.g., with %#DATA, spaces between arguments become +# %20). +# +# If SSL is enabled, the following formating codes become available: +# +# %USER_CERT SSL User certificate in PEM format +# %USER_CERTCHAIN SSL User certificate chain in PEM format +# %USER_CERT_xx SSL User certificate subject attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# +# +# NOTE: all other format codes accepted by older Squid versions +# are deprecated. 
+# +# +# General request syntax: +# +# [channel-ID] FORMAT-values +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# +# +# General result syntax: +# +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. +# +# Defined keywords: +# +# user= The users name (login) +# +# password= The users password (for login= cache_peer option) +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# +# log= String to be logged in access.log. Available as +# %ea in logformat specifications. 
+# +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. +# +# Any keywords may be sent on any response whether OK, ERR or BH. +# +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" +#Default: +# none + +# TAG: acl +# Defining an Access List +# +# Every access list definition must begin with an aclname and acltype, +# followed by either type-specific arguments or a quoted filename that +# they are read from. +# +# acl aclname acltype argument ... +# acl aclname acltype "file" ... +# +# When using "file", the file should contain one item per line. +# +# +# ACL Options +# +# Some acl types supports options which changes their default behaviour: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -m[=delimiters] +# Perform a list membership test, interpreting values as +# comma-separated token lists and matching against individual +# tokens instead of whole values. +# The optional "delimiters" parameter specifies one or more +# alternative non-alphanumeric delimiter characters. +# non-alphanumeric delimiter characters. 
+# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) +# +# Some acl types require suspending the current request in order +# to access some external data source. +# Those which do are marked with the tag [slow], those which +# don't are marked as [fast]. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl +# for further information +# +# ***** ACL TYPES AVAILABLE ***** +# +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] +# +#if USE_SQUID_EUI +# acl aclname arp mac-address ... +# acl aclname eui64 eui64-address ... +# # [fast] +# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation. +# # +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # The eui_lookup directive is required to be 'on' (the default) +# # and Squid built with --enable-eui for MAC/EUI addresses to be +# # available for this ACL. +# # +# # Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. +# # +# # IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. +#endif +# acl aclname clientside_mark mark[/mask] ... +# # matches CONNMARK of an accepted connection [fast] +# # DEPRECATED. Use the 'client_connection_mark' instead. +# +# acl aclname client_connection_mark mark[/mask] ... +# # matches CONNMARK of an accepted connection [fast] +# # +# # mark and mask are unsigned integers (hex, octal, or decimal). 
+# # If multiple marks are given, then the ACL matches if at least +# # one mark matches. +# # +# # Uses netfilter-conntrack library. +# # Requires building Squid with --enable-linux-netfilter. +# # +# # The client, various intermediaries, and Squid itself may set +# # CONNMARK at various times. The last CONNMARK set wins. This ACL +# # checks the mark present on an accepted connection or set by +# # Squid afterwards, depending on the ACL check timing. This ACL +# # effectively ignores any mark set by other agents after Squid has +# # accepted the connection. +# +# acl aclname srcdomain .foo.com ... +# # reverse lookup, from client IP [slow] +# acl aclname dstdomain [-n] .foo.com ... +# # Destination server from URL [fast] +# acl aclname srcdom_regex [-i] \.foo\.com ... +# # regex matching client name [slow] +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... +# # regex matching server [fast] +# # +# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP +# # based URL is used and no match is found. The name "none" is used +# # if the reverse lookup fails. +# +# acl aclname src_as number ... +# acl aclname dst_as number ... +# # [fast] +# # Except for access control, AS numbers can be used for +# # routing of requests to specific caches. Here's an +# # example for routing all requests for AS#1241 and only +# # those to mycache.mydomain.net: +# # acl asexample dst_as 1241 +# # cache_peer_access mycache.mydomain.net allow asexample +# # cache_peer_access mycache_mydomain.net deny all +# +# acl aclname peername myPeer ... +# acl aclname peername_regex [-i] regex-pattern ... +# # [fast] +# # match against a named cache_peer entry +# # set unique name= on cache_peer lines for reliable use. 
+# +# acl aclname time [day-abbrevs] [h1:m1-h2:m2] +# # [fast] +# # day-abbrevs: +# # S - Sunday +# # M - Monday +# # T - Tuesday +# # W - Wednesday +# # H - Thursday +# # F - Friday +# # A - Saturday +# # h1:m1 must be less than h2:m2 +# +# acl aclname url_regex [-i] ^http:// ... +# # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field +# acl aclname urlpath_regex [-i] \.gif$ ... +# # regex matching on URL path [fast] +# +# acl aclname port 80 70 21 0-1024... # destination TCP port [fast] +# # ranges are alloed +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] +# +# acl aclname proto HTTP FTP ... # request protocol [fast] +# +# acl aclname method GET POST ... # HTTP request method [fast] +# +# acl aclname http_status 200 301 500- 400-403 ... +# # status code in reply [fast] +# +# acl aclname browser [-i] regexp ... +# # pattern match on User-Agent header (see also req_header below) [fast] +# +# acl aclname referer_regex [-i] regexp ... +# # pattern match on Referer header [fast] +# # Referer is highly unreliable, so use with care +# +# acl aclname ident [-i] username ... +# acl aclname ident_regex [-i] pattern ... +# # string match on ident output [slow] +# # use REQUIRED to accept any non-null ident. +# +# acl aclname proxy_auth [-i] username ... +# acl aclname proxy_auth_regex [-i] pattern ... +# # perform http authentication challenge to the client and match against +# # supplied credentials [slow] +# # +# # takes a list of allowed usernames. +# # use REQUIRED to accept any valid username. 
+# # +# # Will use proxy authentication in forward-proxy scenarios, and plain +# # http authenticaiton in reverse-proxy scenarios +# # +# # NOTE: when a Proxy-Authentication header is sent but it is not +# # needed during ACL checking the username is NOT logged +# # in access.log. +# # +# # NOTE: proxy_auth requires a EXTERNAL authentication program +# # to check username/password combinations (see +# # auth_param directive). +# # +# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy +# # as the browser needs to be configured for using a proxy in order +# # to respond to proxy authentication. +# +# acl aclname snmp_community string ... +# # A community string to limit access to your SNMP Agent [fast] +# # Example: +# # +# # acl snmppublic snmp_community public +# +# acl aclname maxconn number +# # This will be matched when the client's IP address has +# # more than TCP connections established. [fast] +# # NOTE: This only measures direct TCP links so X-Forwarded-For +# # indirect clients are not counted. +# +# acl aclname max_user_ip [-s] number +# # This will be matched when the user attempts to log in from more +# # than different ip addresses. The authenticate_ip_ttl +# # parameter controls the timeout on the ip entries. [fast] +# # If -s is specified the limit is strict, denying browsing +# # from any further IP addresses until the ttl has expired. Without +# # -s Squid will just annoy the user by "randomly" denying requests. +# # (the counter is reset each time the limit is reached and a +# # request is denied) +# # NOTE: in acceleration mode or where there is mesh of child proxies, +# # clients may appear to come from multiple addresses if they are +# # going through proxy farms, so a limit of 1 may cause user problems. +# +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). 
+# +# acl aclname req_mime_type [-i] mime-type ... +# # regex match against the mime type of the request generated +# # by the client. Can be used to detect file upload or some +# # types HTTP tunneling requests [fast] +# # NOTE: This does NOT match the reply. You cannot use this +# # to match the returned file type. +# +# acl aclname req_header header-name [-i] any\.regex\.here +# # regex match against any of the known request headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACL [fast] +# +# acl aclname rep_mime_type [-i] mime-type ... +# # regex match against the mime type of the reply received by +# # squid. Can be used to detect file download or some +# # types HTTP tunneling requests. [fast] +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname rep_header header-name [-i] any\.regex\.here +# # regex match against any of the known reply headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACLs [fast] +# +# acl aclname external class_name [arguments...] +# # external ACL lookup via a helper class defined by the +# # external_acl_type directive [slow] +# +# acl aclname user_cert attribute values... +# # match against attributes in a user SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ca_cert attribute values... +# # match against attributes a users issuing CA SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ext_user [-i] username ... +# acl aclname ext_user_regex [-i] pattern ... +# # string match on username returned by external acl helper [slow] +# # use REQUIRED to accept any non-null user name. +# +# acl aclname tag tagvalue ... +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. 
+# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note [-m[=delimiters]] name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # If the -m flag is used, then the value of the named +# # annotation is interpreted as a list of tokens, and the ACL +# # matches individual name=token pairs rather than whole +# # name=value pairs. See "ACL Options" above for more info. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname annotate_transaction [-m[=delimiters]] key=value ... +# acl aclname annotate_transaction [-m[=delimiters]] key+=value ... +# # Always matches. [fast] +# # Used for its side effect: This ACL immediately adds a +# # key=value annotation to the current master transaction. +# # The added annotation can then be tested using note ACL and +# # logged (or sent to helpers) using %note format code. +# # +# # Annotations can be specified using replacement and addition +# # formats. The key=value form replaces old same-key annotation +# # value(s). The key+=value form appends a new value to the old +# # same-key annotation. Both forms create a new key=value +# # annotation if no same-key annotation exists already. If +# # -m flag is used, then the value is interpreted as a list +# # and the annotation will contain key=token pair(s) instead of the +# # whole key=value pair. +# # +# # This ACL is especially useful for recording complex multi-step +# # ACL-driven decisions. 
For example, the following configuration +# # avoids logging transactions accepted after aclX matched: +# # +# # # First, mark transactions accepted after aclX matched +# # acl markSpecial annotate_transaction special=true +# # http_access allow acl001 +# # ... +# # http_access deny acl100 +# # http_access allow aclX markSpecial +# # +# # # Second, do not log marked transactions: +# # acl markedSpecial note special true +# # access_log ... deny markedSpecial +# # +# # # Note that the following would not have worked because aclX +# # # alone does not determine whether the transaction was allowed: +# # access_log ... deny aclX # Wrong! +# # +# # Warning: This ACL annotates the transaction even when negated +# # and even if subsequent ACLs fail to match. For example, the +# # following three rules will have exactly the same effect as far +# # as annotations set by the "mark" ACL are concerned: +# # +# # some_directive acl1 ... mark # rule matches if mark is reached +# # some_directive acl1 ... !mark # rule never matches +# # some_directive acl1 ... mark !all # rule never matches +# +# acl aclname annotate_client [-m[=delimiters]] key=value ... +# acl aclname annotate_client [-m[=delimiters]] key+=value ... +# # +# # Always matches. [fast] +# # Used for its side effect: This ACL immediately adds a +# # key=value annotation to the current client-to-Squid +# # connection. Connection annotations are propagated to the current +# # and all future master transactions on the annotated connection. +# # See the annotate_transaction ACL for details. 
+# # +# # For example, the following configuration avoids rewriting URLs +# # of transactions bumped by SslBump: +# # +# # # First, mark bumped connections: +# # acl markBumped annotate_client bumped=true +# # ssl_bump peek acl1 +# # ssl_bump stare acl2 +# # ssl_bump bump acl3 markBumped +# # ssl_bump splice all +# # +# # # Second, do not send marked transactions to the redirector: +# # acl markedBumped note bumped true +# # url_rewrite_access deny markedBumped +# # +# # # Note that the following would not have worked because acl3 alone +# # # does not determine whether the connection is going to be bumped: +# # url_rewrite_access deny acl3 # Wrong! +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname transaction_initiator initiator ... 
+# # Matches transaction's initiator [fast]
+# #
+# # Supported initiators are:
+# # esi: matches transactions fetching ESI resources
+# # certificate-fetching: matches transactions fetching
+# # a missing intermediate TLS certificate
+# # cache-digest: matches transactions fetching Cache Digests
+# # from a cache_peer
+# # htcp: matches HTCP requests from peers
+# # icp: matches ICP requests to peers
+# # icmp: matches ICMP RTT database (NetDB) requests to peers
+# # asn: matches asns db requests
+# # internal: matches any of the above
+# # client: matches transactions containing an HTTP or FTP
+# # client request received at a Squid *_port
+# # all: matches any transaction, including internal transactions
+# # without a configurable initiator and hopefully rare
+# # transactions without a known-to-Squid initiator
+# #
+# # Multiple initiators are ORed.
+#
+# acl aclname has component
+# # matches a transaction "component" [fast]
+# #
+# # Supported transaction components are:
+# # request: transaction has a request header (at least)
+# # response: transaction has a response header (at least)
+# # ALE: transaction has an internally-generated Access Log Entry
+# # structure; bugs notwithstanding, all transaction have it
+# #
+# # For example, the following configuration helps when dealing with HTTP
+# # clients that close connections without sending a request header:
+# #
+# # acl hasRequest has request
+# # acl logMe note important_transaction
+# # # avoid "logMe ACL is used in context without an HTTP request" warnings
+# # access_log ... logformat=detailed hasRequest logMe
+# # # log request-less transactions, instead of ignoring them
+# # access_log ... logformat=brief !hasRequest
+# #
+# # Multiple components are not supported for one "acl" rule, but
+# # can be specified (and are ORed) using multiple same-name rules:
+# #
+# # # OK, this strange logging daemon needs request or response,
+# # # but can work without either a request or a response:
+# # acl hasWhatMyLoggingDaemonNeeds has request
+# # acl hasWhatMyLoggingDaemonNeeds has response
+#
+#acl aclname at_step step
+# # match against the current request processing step [fast]
+# # Valid steps are:
+# # GeneratingCONNECT: Generating HTTP CONNECT request headers
+#
+# acl aclname any-of acl1 acl2 ...
+# # match any one of the acls [fast or slow]
+# # The first matching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple any-of lines with the same name are ORed.
+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
+# # acl A any-of a1 a2
+# # acl A any-of a3 a4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# acl aclname all-of acl1 acl2 ...
+# # match all of the acls [fast or slow]
+# # The first mismatching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple all-of lines with the same name are ORed.
+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
+# # acl B all-of b1 b2
+# # acl B all-of b3 b4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# Examples:
+# acl macaddress arp 09:00:2b:23:45:67
+# acl myexample dst_as 1241
+# acl password proxy_auth REQUIRED
+# acl fileupload req_mime_type -i ^multipart/form-data$
+# acl javascript rep_mime_type -i ^application/x-javascript$
+#
+#Default:
+# ACLs all, manager, localhost, to_localhost, and CONNECT are predefined.
+#
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+# TAG: proxy_protocol_access
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address using PROXY protocol.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# This directive is solely for validating new PROXY protocol
+# connections received from a port flagged with require-proxy-header.
+# It is checked only once after TCP connection setup.
+#
+# A deny match results in TCP connection closure.
+#
+# An allow match is required for Squid to permit the corresponding
+# TCP connection, before Squid even looks for HTTP request headers.
+# If there is an allow match, Squid starts using PROXY header information
+# to determine the source address of the connection for all future ACL
+# checks, logging, etc.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# all TCP connections to ports with require-proxy-header will be denied
+
+# TAG: follow_x_forwarded_for
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# PROXY protocol connections are controlled by the proxy_protocol_access
+# directive which is checked before this.
+#
+# If a request reaches us from a source that is allowed by this
+# directive, then we trust the information it provides regarding
+# the IP of the client it received from (if any).
+#
+# For the purpose of ACLs used in this directive the src ACL type always
+# matches the address we are testing and srcdomain matches its rDNS.
+#
+# On each HTTP request Squid checks for X-Forwarded-For header fields.
+# If found the header values are iterated in reverse order and an allow
+# match is required for Squid to continue on to the next value.
+# The verification ends when a value receives a deny match, cannot be
+# tested, or there are no more values to test.
+# NOTE: Squid does not yet follow the Forwarded HTTP header.
+#
+# The end result of this process is an IP address that we will
+# refer to as the indirect client address. This address may
+# be treated as the client address for access control, ICAP, delay
+# pools and logging, depending on the acl_uses_indirect_client,
+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
+# log_uses_indirect_client and tproxy_uses_indirect_client options.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# For example:
+#
+# acl localhost src 127.0.0.1
+# acl my_other_proxy srcdomain .proxy.example.com
+# follow_x_forwarded_for allow localhost
+# follow_x_forwarded_for allow my_other_proxy
+#Default:
+# X-Forwarded-For header will be ignored.
+
+# TAG: acl_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in acl matching.
+#
+# NOTE: maxconn ACL considers direct TCP links and indirect
+# clients will always have zero. So no match.
+#Default:
+# acl_uses_indirect_client on
+
+# TAG: delay_pool_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in delay pools.
+#Default:
+# delay_pool_uses_indirect_client on
+
+# TAG: log_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in the access log.
+#Default:
+# log_uses_indirect_client on
+
+# TAG: tproxy_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address when spoofing the outgoing client.
+#
+# This has no effect on requests arriving in non-tproxy
+# mode ports.
+#
+# SECURITY WARNING: Usage of this option is dangerous
+# and should not be used trivially. Correct configuration
+# of follow_x_forwarded_for with a limited set of trusted
+# sources is required to prevent abuse of your proxy.
+#Default:
+# tproxy_uses_indirect_client off
+
+# TAG: spoof_client_ip
+# Control client IP address spoofing of TPROXY traffic based on
+# defined access lists.
+#
+# spoof_client_ip allow|deny [!]aclname ...
+#
+# If there are no "spoof_client_ip" lines present, the default
+# is to "allow" spoofing of any suitable request.
+#
+# Note that the cache_peer "no-tproxy" option overrides this ACL.
+#
+# This clause supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow spoofing on all TPROXY traffic.
+
+# TAG: http_access
+# Allowing or Denying access based on defined access lists
+#
+# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
+# http_access allow|deny [!]aclname ...
+#
+# NOTE on default values:
+#
+# If there are no "access" lines present, the default is to deny
+# the request.
+#
+# If none of the "access" lines cause a match, the default is the
+# opposite of the last line in the list. If the last line was
+# deny, the default is allow. Conversely, if the last line
+# is allow, the default will be deny. For these reasons, it is a
+# good idea to have an "deny all" entry at the end of your access
+# lists to avoid potential confusion.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# Deny, unless rules exist in squid.conf.
+#
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+
+# MES ACL
+acl localnet src 172.16.0.0/24
+
+
+
+http_access allow localnet
+
+
+
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+include /etc/squid/conf.d/*.conf
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+#http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# TAG: adapted_http_access
+# Allowing or Denying access based on defined access lists
+#
+# Essentially identical to http_access, but runs after redirectors
+# and ICAP/eCAP adaptation. Allowing access control based on their
+# output.
+#
+# If not set then only http_access is used.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: http_reply_access
+# Allow replies to client requests. This is complementary to http_access.
+#
+# http_reply_access allow|deny [!] aclname ...
+#
+# NOTE: if there are no access lines present, the default is to allow
+# all replies.
+#
+# If none of the access lines cause a match the opposite of the
+# last line will apply. Thus it is good practice to end the rules
+# with an "allow all" or "deny all" entry.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: icp_access
+# Allowing or Denying access to the ICP port based on defined
+# access lists
+#
+# icp_access allow|deny [!]aclname ...
+#
+# NOTE: The default if no icp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using ICP.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow ICP queries from local networks only
+##icp_access allow localnet
+##icp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_access
+# Allowing or Denying access to the HTCP port based on defined
+# access lists
+#
+# htcp_access allow|deny [!]aclname ...
+#
+# See also htcp_clr_access for details on access control for
+# cache purge (CLR) HTCP messages.
+#
+# NOTE: The default if no htcp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using the htcp option.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP queries from local networks only
+##htcp_access allow localnet
+##htcp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_clr_access
+# Allowing or Denying access to purge content using HTCP based
+# on defined access lists.
+# See htcp_access for details on general HTCP access control.
+#
+# htcp_clr_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP CLR requests from trusted peers
+#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
+#htcp_clr_access allow htcp_clr_peer
+#htcp_clr_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: miss_access
+# Determines whether network access is permitted when satisfying a request.
+#
+# For example;
+# to force your neighbors to use you as a sibling instead of
+# a parent.
+#
+# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
+# miss_access deny !localclients
+# miss_access allow all
+#
+# This means only your local clients are allowed to fetch relayed/MISS
+# replies from the network and all other clients can only fetch cached
+# objects (HITs).
+#
+# The default for this setting allows all clients who passed the
+# http_access rules to relay via this proxy.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: ident_lookup_access
+# A list of ACL elements which, if matched, cause an ident
+# (RFC 931) lookup to be performed for this request. For
+# example, you might choose to always perform ident lookups
+# for your main multi-user Unix boxes, but not for your Macs
+# and PCs. By default, ident lookups are not performed for
+# any requests.
+#
+# To enable ident lookups for specific client addresses, you
+# can follow this example:
+#
+# acl ident_aware_hosts src 198.168.1.0/24
+# ident_lookup_access allow ident_aware_hosts
+# ident_lookup_access deny all
+#
+# Only src type ACL checks are fully supported. A srcdomain
+# ACL might work at times, but it will not always provide
+# the correct result.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Unless rules exist in squid.conf, IDENT is not fetched.
+
+# TAG: reply_body_max_size size [acl acl...]
+# This option specifies the maximum size of a reply body. It can be
+# used to prevent users from downloading very large files, such as
+# MP3's and movies. When the reply headers are received, the
+# reply_body_max_size lines are processed, and the first line where
+# all (if any) listed ACLs are true is used as the maximum body size
+# for this reply.
+#
+# This size is checked twice. First when we get the reply headers,
+# we check the content-length value. If the content length value exists
+# and is larger than the allowed size, the request is denied and the
+# user receives an error message that says "the request or reply
+# is too large." If there is no content-length, and the reply
+# size exceeds this limit, the client's connection is just closed
+# and they will receive a partial reply.
+#
+# WARNING: downstream caches probably can not detect a partial reply
+# if there is no content-length header, so they will cache
+# partial responses and give them out as hits. You should NOT
+# use this option if you have downstream caches.
+#
+# WARNING: A maximum size smaller than the size of squid's error messages
+# will cause an infinite loop and crash squid. Ensure that the smallest
+# non-zero value you use is greater that the maximum header size plus
+# the size of your largest error page.
+#
+# If you set this parameter none (the default), there will be
+# no limit imposed.
+#
+# Configuration Format is:
+# reply_body_max_size SIZE UNITS [acl ...]
+# ie.
+# reply_body_max_size 10 MB
+#
+#Default:
+# No limit is applied.
+
+# TAG: on_unsupported_protocol
+# Determines Squid behavior when encountering strange requests at the
+# beginning of an accepted TCP connection or the beginning of a bumped
+# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
+# especially useful in interception environments where Squid is likely
+# to see connections for unsupported protocols that Squid should either
+# terminate or tunnel at TCP level.
+#
+# on_unsupported_protocol [!]acl ...
+#
+# The first matching action wins. Only fast ACLs are supported.
+#
+# Supported actions are:
+#
+# tunnel: Establish a TCP connection with the intended server and
+# blindly shovel TCP packets between the client and server.
+#
+# respond: Respond with an error message, using the transfer protocol
+# for the Squid port that received the request (e.g., HTTP
+# for connections intercepted at the http_port). This is the
+# default.
+#
+# Squid expects the following traffic patterns:
+#
+# http_port: a plain HTTP request
+# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
+# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
+# CONNECT tunnel on http_port: same as https_port
+# CONNECT tunnel on https_port: same as https_port
+#
+# Currently, this directive has effect on intercepted connections and
+# bumped tunnels only. Other cases are not supported because Squid
+# cannot know the intended destination of other traffic.
+#
+# For example:
+# # define what Squid errors indicate receiving non-HTTP traffic:
+# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
+# # define what Squid errors indicate receiving nothing:
+# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
+# # tunnel everything that does not look like HTTP:
+# on_unsupported_protocol tunnel foreignProtocol
+# # tunnel if we think the client waits for the server to talk first:
+# on_unsupported_protocol tunnel serverTalksFirstProtocol
+# # in all other error cases, just send an HTTP "error page" response:
+# on_unsupported_protocol respond all
+#
+# See also: squid_error ACL
+#Default:
+# Respond with an error message to unidentifiable traffic
+
+# TAG: auth_schemes
+# Use this directive to customize authentication schemes presence and
+# order in Squid's Unauthorized and Authentication Required responses.
+#
+# auth_schemes scheme1,scheme2,... [!]aclname ...
+#
+# where schemeN is the name of one of the authentication schemes
+# configured using auth_param directives. At least one scheme name is
+# required. Multiple scheme names are separated by commas. Either
+# avoid whitespace or quote the entire schemes list.
+#
+# A special "ALL" scheme name expands to all auth_param-configured
+# schemes in their configuration order. This directive cannot be used
+# to configure Squid to offer no authentication schemes at all.
+#
+# The first matching auth_schemes rule determines the schemes order
+# for the current Authentication Required transaction. Note that the
+# future response is not yet available during auth_schemes evaluation.
+#
+# If this directive is not used or none of its rules match, then Squid
+# responds with all configured authentication schemes in the order of
+# auth_param directives in the configuration file.
+#
+# This directive does not determine when authentication is used or
+# how each authentication scheme authenticates clients.
+#
+# The following example sends basic and negotiate authentication
+# schemes, in that order, when requesting authentication of HTTP
+# requests matching the isIE ACL (not shown) while sending all
+# auth_param schemes in their configuration order to other clients:
+#
+# auth_schemes basic,negotiate isIE
+# auth_schemes ALL all # explicit default
+#
+# This directive supports fast ACLs only.
+#
+# See also: auth_param.
+#Default:
+# use all auth_param schemes in their configuration order
+
+# NETWORK OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: http_port
+# Usage: port [mode] [options]
+# hostname:port [mode] [options]
+# 1.2.3.4:port [mode] [options]
+#
+# The socket addresses where Squid will listen for HTTP client
+# requests. You may specify multiple socket addresses.
+# There are three forms: port alone, hostname with port, and
+# IP address with port. If you specify a hostname or IP
+# address, Squid binds the socket to that specific
+# address. Most likely, you do not need to bind to a specific
+# address, so you can use the port number alone.
+#
+# If you are running Squid in accelerator mode, you
+# probably want to listen on port 80 also, or instead.
+#
+# The -a command line option may be used to specify additional
+# port(s) where Squid listens for proxy request. Such ports will
+# be plain proxy ports with no options.
+#
+# You may specify multiple socket addresses on multiple lines.
+#
+# Modes:
+#
+# intercept Support for IP-Layer NAT interception delivering
+# traffic to this Squid port.
+# NP: disables authentication on the port.
+#
+# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
+# of outgoing connections using the client IP address.
+# NP: disables authentication on the port.
+#
+# accel Accelerator / reverse proxy mode
+#
+# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
+# establish secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# The ssl_bump option is required to fully enable
+# bumping of CONNECT requests.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# Accelerator Mode Options:
+#
+# defaultsite=domainname
+# What to use for the Host: header if it is not present
+# in a request. Determines what site (not origin server)
+# accelerators should consider the default.
+#
+# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
+#
+# protocol= Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to HTTP/1.1 for http_port and
+# HTTPS/1.1 for https_port.
+# When an unsupported value is configured Squid will
+# produce a FATAL error.
+# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
+#
+# vport Virtual host port support. Using the http_port number
+# instead of the port passed on Host: headers.
+#
+# vport=NN Virtual host port support. Using the specified port
+# number instead of the port passed on Host: headers.
+#
+# act-as-origin
+# Act as if this Squid is the origin server.
+# This currently means generate new Date: and Expires:
+# headers on HIT instead of adding Age:.
+#
+# ignore-cc Ignore request Cache-Control headers.
+#
+# WARNING: This option violates HTTP specifications if
+# used in non-accelerator setups.
+#
+# allow-direct Allow direct forwarding in accelerator mode. Normally
+# accelerated requests are denied direct forwarding as if
+# never_direct was used.
+#
+# WARNING: this option opens accelerator mode to security
+# vulnerabilities usually only affecting in interception
+# mode. Make sure to protect forwarding with suitable
+# http_access rules when using this.
+#
+#
+# SSL Bump Mode Options:
+# In addition to these options ssl-bump requires TLS/SSL options.
+#
+# generate-host-certificates[=]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is a CA certificate lifetime of the generated
+# certificate equals lifetime of the CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when ssl-bump is used.
+# See the ssl-bump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB.
+#
+# TLS / SSL Options:
+#
+# tls-cert= Path to file containing an X.509 certificate (PEM format)
+# to be used in the TLS handshake ServerHello.
+#
+# If this certificate is constrained by KeyUsage TLS
+# feature it must allow HTTP server usage, along with
+# any additional restrictions imposed by your choice
+# of options= settings.
+#
+# When OpenSSL is used this file may also contain a
+# chain of intermediate CA certificates to send in the
+# TLS handshake.
+#
+# When GnuTLS is used this option (and any paired
+# tls-key= option) may be repeated to load multiple
+# certificates for different domains.
+#
+# Also, when generate-host-certificates=on is configured
+# the first tls-cert= option must be a CA certificate
+# capable of signing the automatically generated
+# certificates.
+#
+# tls-key= Path to a file containing private key file (PEM format)
+# for the previous tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
+#
+# options= Various SSL implementation options. The most important
+# being:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# NO_TLSv1 Disallow the use of TLSv1.0
+#
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+#
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# SINGLE_ECDH_USE
+# Enable ephemeral ECDH key exchange.
+# The adopted curve should be specified
+# using the tls-dh option.
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# clientca= File containing the list of CAs to use when
+# requesting a client certificate.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# client certificates. If not configured clientca will be
+# used. May be repeated to load multiple files.
+#
+# capath= Directory containing additional CA certificates
+# and CRL lists to use when verifying client certificates.
+# Requires OpenSSL or LibreSSL.
+#
+# crlfile= File of additional CRL lists to use when verifying
+# the client certificate, in addition to CRLs stored in
+# the capath. Implies VERIFY_CRL flag below.
+#
+# tls-dh=[curve:]file
+# File containing DH parameters for temporary/ephemeral DH key
+# exchanges, optionally prefixed by a curve for ephemeral ECDH
+# key exchanges.
+# See OpenSSL documentation for details on how to create the
+# DH parameter file. Supported curves for ECDH can be listed
+# using the "openssl ecparam -list_curves" command.
+# WARNING: EDH and EECDH ciphers will be silently disabled if
+# this option is not set.
+#
+# sslflags= Various flags modifying the use of SSL:
+# DELAYED_AUTH
+# Don't request client certificates
+# immediately, but wait until acl processing
+# requires a certificate (not yet implemented).
+# CONDITIONAL_AUTH
+# Request a client certificate during the TLS
+# handshake, but ignore certificate absence in
+# the TLS client Hello. If the client does
+# supply a certificate, it is validated.
+# NO_SESSION_REUSE
+# Don't allow for session reuse. Each connection
+# will result in a new SSL session.
+# VERIFY_CRL
+# Verify CRL lists when accepting client
+# certificates.
+# VERIFY_CRL_ALL
+# Verify CRL lists for all certificates in the
+# client certificate chain.
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is OFF.
+#
+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+#
+# sslcontext= SSL session ID context identifier.
+#
+# Other Options:
+#
+# connection-auth[=on|off]
+# use connection-auth=off to tell Squid to prevent
+# forwarding Microsoft connection oriented authentication
+# (NTLM, Negotiate and Kerberos)
+#
+# disable-pmtu-discovery=
+# Control Path-MTU discovery usage:
+# off lets OS decide on what to do (default).
+# transparent disable PMTU discovery when transparent
+# support is enabled.
+# always disable always PMTU discovery.
+#
+# In many setups of transparently intercepting proxies
+# Path-MTU discovery can not work on traffic towards the
+# clients. This is the case when the intercepting device
+# does not fully track connections and fails to forward
+# ICMP must fragment messages to the cache server. If you
+# have such setup and experience that certain clients
+# sporadically hang or never complete requests set
+# disable-pmtu-discovery option to 'transparent'.
+#
+# name= Specifies a internal name for the port. Defaults to
+# the port specification (port or addr:port)
+#
+# tcpkeepalive[=idle,interval,timeout]
+# Enable TCP keepalive probes of idle connections.
+# In seconds; idle is the initial time before TCP starts
+# probing the connection, interval how often to probe, and
+# timeout the time before giving up.
+#
+# require-proxy-header
+# Require PROXY protocol version 1 or 2 connections.
+# The proxy_protocol_access is required to permit
+# downstream proxies which can be trusted.
+#
+# worker-queues
+# Ask TCP stack to maintain a dedicated listening queue
+# for each worker accepting requests at this port.
+# Requires TCP stack that supports the SO_REUSEPORT socket
+# option.
+#
+# SECURITY WARNING: Enabling worker-specific queues
+# allows any process running as Squid's effective user to
+# easily accept requests destined to this port.
+#
+# If you run Squid on a dual-homed machine with an internal
+# and an external interface we recommend you to specify the
+# internal address:port in http_port. This way Squid will only be
+# visible on the internal address.
+#
+#
+
+# Squid normally listens to port 3128
+http_port 8080
+
+# TAG: https_port
+# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
+#
+# The socket address where Squid will listen for client requests made
+# over TLS or SSL connections. Commonly referred to as HTTPS.
+#
+# This is most useful for situations where you are running squid in
+# accelerator mode and you want to do the TLS work at the accelerator
+# level.
+#
+# You may specify multiple socket addresses on multiple lines,
+# each with their own certificate and/or options.
+#
+# The tls-cert= option is mandatory on HTTPS ports.
+#
+# See http_port for a list of modes and options.
+#Default:
+# none
+
+# TAG: ftp_port
+# Enables Native FTP proxy by specifying the socket address where Squid
+# listens for FTP client requests. See http_port directive for various
+# ways to specify the listening address and mode.
+#
+# Usage: ftp_port address [mode] [options]
+#
+# WARNING: This is a new, experimental, complex feature that has seen
+# limited production exposure. Some Squid modules (e.g., caching) do not
+# currently work with native FTP proxying, and many features have not
+# even been tested for compatibility. Test well before deploying!
+#
+# Native FTP proxying differs substantially from proxying HTTP requests
+# with ftp:// URIs because Squid works as an FTP server and receives
+# actual FTP commands (rather than HTTP requests with FTP URLs).
+#
+# Native FTP commands accepted at ftp_port are internally converted or
+# wrapped into HTTP-like messages. The same happens to Native FTP
+# responses received from FTP origin servers. Those HTTP-like messages
+# are shoveled through regular access control and adaptation layers
+# between the FTP client and the FTP origin server. This allows Squid to
+# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
+# mechanisms when shoveling wrapped FTP messages. For example,
+# http_access and adaptation_access directives are used.
+#
+# Modes:
+#
+# intercept Same as http_port intercept. The FTP origin address is
+# determined based on the intended destination of the
+# intercepted connection.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
+#
+# By default (i.e., without an explicit mode option), Squid extracts the
+# FTP origin address from the login@origin parameter of the FTP USER
+# command. Many popular FTP clients support such native FTP proxying.
+#
+# Options:
+#
+# name=token Specifies an internal name for the port. Defaults to
+# the port address. Usable with myportname ACL.
+#
+# ftp-track-dirs
+# Enables tracking of FTP directories by injecting extra
+# PWD commands and adjusting Request-URI (in wrapping
+# HTTP requests) to reflect the current FTP server
+# directory. Tracking is disabled by default.
+#
+# protocol=FTP Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to FTP. No other accepted
+# values have been tested with. An unsupported value
+# results in a FATAL error. Accepted values are FTP,
+# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
+#
+# Other http_port modes and options that are not specific to HTTP and
+# HTTPS may also work.
+#Default:
+# none
+
+# TAG: tcp_outgoing_tos
+# Allows you to select a TOS/Diffserv value for packets outgoing
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_tos 0x00 normal_service_net
+# tcp_outgoing_tos 0x20 good_service_net
+#
+# TOS/DSCP values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: clientside_tos
+# Allows you to select a TOS/DSCP value for packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_tos 0x00 normal_service_net
+# clientside_tos 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any TOS values set here
+# will be overwritten by TOS values in qos_flows.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: tcp_outgoing_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to outgoing packets
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_mark 0x00 normal_service_net
+# tcp_outgoing_mark 0x20 good_service_net
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: mark_client_packet
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter MARK value to packets being transmitted
+# on the client-side, based on an ACL.
+#
+# mark_client_packet mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the MARK value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# mark_client_packet 0x00 normal_service_net
+# mark_client_packet 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any mark values set here
+# will be overwritten by mark values in qos_flows.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: mark_client_connection
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter CONNMARK value to a connection
+# on the client-side, based on an ACL.
+#
+# mark_client_connection mark-value[/mask] [!]aclname ...
+#
+# The mark-value and mask are unsigned integers (hex, octal, or decimal).
+# The mask may be used to preserve marking previously set by other agents
+# (e.g., iptables).
+#
+# A matching rule replaces the CONNMARK value. If a mask is also
+# specified, then the masked bits of the original value are zeroed, and
+# the configured mark-value is ORed with that adjusted value.
+# For example, applying a mark-value 0xAB/0xF to 0x5F CONNMARK, results
+# in a 0xFB marking (rather than a 0xAB or 0x5B).
+#
+# This directive semantics is similar to iptables --set-mark rather than
+# --set-xmark functionality.
+#
+# The directive does not interfere with qos_flows (which uses packet MARKs,
+# not CONNMARKs).
+#
+# Example where squid marks intercepted FTP connections:
+#
+# acl proto_ftp proto FTP
+# mark_client_connection 0x200/0xff00 proto_ftp
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: qos_flows
+# Allows you to select a TOS/DSCP value to mark outgoing
+# connections to the client, based on where the reply was sourced.
+# For platforms using netfilter, allows you to set a netfilter mark
+# value instead of, or in addition to, a TOS value.
+#
+# By default this functionality is disabled. To enable it with the default
+# settings simply use "qos_flows mark" or "qos_flows tos". Default
+# settings will result in the netfilter mark or TOS value being copied
+# from the upstream connection to the client. Note that it is the connection
+# CONNMARK value not the packet MARK value that is copied.
+#
+# It is not currently possible to copy the mark or TOS value from the
+# client to the upstream connection request.
+#
+# TOS values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Mark values can be any unsigned 32-bit integer value.
+#
+# This setting is configured by setting the following values:
+#
+# tos|mark Whether to set TOS or netfilter mark values
+#
+# local-hit=0xFF Value to mark local cache hits.
+#
+# sibling-hit=0xFF Value to mark hits from sibling peers.
+#
+# parent-hit=0xFF Value to mark hits from parent peers.
+#
+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
+# over the preserve-miss feature (see below), unless
+# mask is specified, in which case only the bits
+# specified in the mask are written.
+#
+# The TOS variant of the following features are only possible on Linux
+# and require your kernel to be patched with the TOS preserving ZPH
+# patch, available from http://zph.bratcheda.org
+# No patch is needed to preserve the netfilter mark, which will work
+# with all variants of netfilter.
+#
+# disable-preserve-miss
+# This option disables the preservation of the TOS or netfilter
+# mark. By default, the existing TOS or netfilter mark value of
+# the response coming from the remote server will be retained
+# and masked with miss-mark.
+# NOTE: in the case of a netfilter mark, the mark must be set on
+# the connection (using the CONNMARK target) not on the packet
+# (MARK target).
+#
+# miss-mask=0xFF
+# Allows you to mask certain bits in the TOS or mark value
+# received from the remote server, before copying the value to
+# the TOS sent towards clients.
+# Default for tos: 0xFF (TOS from server is not changed).
+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
+#
+# All of these features require the --enable-zph-qos compilation flag
+# (enabled by default). Netfilter marking also requires the
+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
+# libcap 2.09+ (--with-libcap).
+#
+#Default:
+# none
+
+# TAG: tcp_outgoing_address
+# Allows you to map requests to different outgoing IP addresses
+# based on the username or source address of the user making
+# the request.
+#
+# tcp_outgoing_address ipaddr [[!]aclname] ...
+#
+# For example;
+# Forwarding clients with dedicated IPs for certain subnets.
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
+#
+# tcp_outgoing_address 2001:db8::c001 good_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
+#
+# tcp_outgoing_address 2001:db8::beef normal_service_net
+# tcp_outgoing_address 10.1.0.1 normal_service_net
+#
+# tcp_outgoing_address 2001:db8::1
+# tcp_outgoing_address 10.1.0.3
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Squid will add an implicit IP version test to each line.
+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+#
+#
+# NOTE: The use of this directive using client dependent ACLs is
+# incompatible with the use of server side persistent connections. To
+# ensure correct results it is best to set server_persistent_connections
+# to off when using this directive in such configurations.
+#
+# NOTE: The use of this directive to set a local IP on outgoing TCP links
+# is incompatible with using TPROXY to set client IP out outbound TCP links.
+# When needing to contact peers use the no-tproxy cache_peer option and the
+# client_dst_passthru directive re-enable normal forwarding such as this.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Address selection is performed by the operating system.
+
+# TAG: host_verify_strict
+# Regardless of this option setting, when dealing with intercepted
+# traffic, Squid always verifies that the destination IP address matches
+# the Host header domain or IP (called 'authority form URL').
+#
+# This enforcement is performed to satisfy a MUST-level requirement in
+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
+# authority of the origin server or gateway given by the original URL".
+#
+# When set to ON:
+# Squid always responds with an HTTP 409 (Conflict) error
+# page and logs a security warning if there is no match.
+#
+# Squid verifies that the destination IP address matches
+# the Host header for forward-proxy and reverse-proxy traffic
+# as well. For those traffic types, Squid also enables the
+# following checks, comparing the corresponding Host header
+# and Request-URI components:
+#
+# * The host names (domain or IP) must be identical,
+# but valueless or missing Host header disables all checks.
+# For the two host names to match, both must be either IP
+# or FQDN.
+#
+# * Port numbers must be identical, but if a port is missing
+# the scheme-default port is assumed.
+#
+#
+# When set to OFF (the default):
+# Squid allows suspicious requests to continue but logs a
+# security warning and blocks caching of the response.
+#
+# * Forward-proxy traffic is not checked at all.
+#
+# * Reverse-proxy traffic is not checked at all.
+#
+# * Intercepted traffic which passes verification is handled
+# according to client_dst_passthru.
+#
+# * Intercepted requests which fail verification are sent
+# to the client original destination instead of DIRECT.
+# This overrides 'client_dst_passthru off'.
+#
+# For now suspicious intercepted CONNECT requests are always
+# responded to with an HTTP 409 (Conflict) error page.
+#
+#
+# SECURITY NOTE:
+#
+# As described in CVE-2009-0801 when the Host: header alone is used
+# to determine the destination of a request it becomes trivial for
+# malicious scripts on remote websites to bypass browser same-origin
+# security policy and sandboxing protections.
+#
+# The cause of this is that such applets are allowed to perform their
+# own HTTP stack, in which case the same-origin policy of the browser
+# sandbox only verifies that the applet tries to contact the same IP
+# as from where it was loaded at the IP level. The Host: header may
+# be different from the connected IP and approved origin.
+#
+#Default:
+# host_verify_strict off
+
+# TAG: client_dst_passthru
+# With NAT or TPROXY intercepted traffic Squid may pass the request
+# directly to the original client destination IP or seek a faster
+# source using the HTTP Host header.
+#
+# Using Host to locate alternative servers can provide faster
+# connectivity with a range of failure recovery options.
+# But can also lead to connectivity trouble when the client and
+# server are attempting stateful interactions unaware of the proxy.
+#
+# This option (on by default) prevents alternative DNS entries being
+# located to send intercepted traffic DIRECT to an origin server.
+# The clients original destination IP and port will be used instead.
+#
+# Regardless of this option setting, when dealing with intercepted
+# traffic Squid will verify the Host: header and any traffic which
+# fails Host verification will be treated as if this option were ON.
+#
+# see host_verify_strict for details on the verification process.
+#Default:
+# client_dst_passthru on
+
+# TLS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: tls_outgoing_options
+# disable Do not support https:// URLs.
+#
+# cert=/path/to/client/certificate
+# A client X.509 certificate to use when connecting.
+#
+# key=/path/to/client/private_key
+# The private key corresponding to the cert= above.
+#
+# If key= is not specified cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# cipher=... The list of valid TLS ciphers to use.
+#
+# min-version=1.N
+# The minimum TLS protocol version to permit.
+# To control SSLv3 use the options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2, 1.3
+#
+# options=... Specify various TLS/SSL implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation
+# for a more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+#
+#
+# cafile= PEM file containing CA certificates to use when verifying
+# the peer certificate. May be repeated to load multiple files.
+#
+# capath= A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# crlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# flags=... Specify various flags modifying the TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# domain= The peer name as advertised in its certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#Default:
+# tls_outgoing_options min-version=1.0
+
+# SSL OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ssl_unclean_shutdown
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Some browsers (especially MSIE) bugs out on SSL shutdown
+# messages.
+#Default:
+# ssl_unclean_shutdown off
+
+# TAG: ssl_engine
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# The OpenSSL engine to use. You will need to set this if you
+# would like to use hardware SSL acceleration for example.
+#
+# Not supported in builds with OpenSSL 3.0 or newer.
+#Default:
+# none
+
+# TAG: sslproxy_session_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the timeout value for SSL sessions
+#Default:
+# sslproxy_session_ttl 300
+
+# TAG: sslproxy_session_cache_size
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the cache size to use for ssl session
+#Default:
+# sslproxy_session_cache_size 2 MB
+
+# TAG: sslproxy_foreign_intermediate_certs
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Many origin servers fail to send their full server certificate
+# chain for verification, assuming the client already has or can
+# easily locate any missing intermediate certificates.
+#
+# Squid uses the certificates from the specified file to fill in
+# these missing chains when trying to validate origin server
+# certificate chains.
+#
+# The file is expected to contain zero or more PEM-encoded
+# intermediate certificates. These certificates are not treated
+# as trusted root certificates, and any self-signed certificate in
+# this file will be ignored.
+#Default:
+# none
+
+# TAG: sslproxy_cert_sign_hash
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the hashing algorithm to use when signing generated certificates.
+# Valid algorithm names depend on the OpenSSL library used. The following
+# names are usually available: sha1, sha256, sha512, and md5. Please see
+# your OpenSSL library manual for the available hashes. By default, Squids
+# that support this option use sha256 hashes.
+#
+# Squid does not forcefully purge cached certificates that were generated
+# with an algorithm other than the currently configured one. They remain
+# in the cache, subject to the regular cache eviction policy, and become
+# useful if the algorithm changes again.
+#Default:
+# none
+
+# TAG: ssl_bump
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# This option is consulted when a CONNECT request is received on
+# an http_port (or a new connection is intercepted at an
+# https_port), provided that port was configured with an ssl-bump
+# flag. The subsequent data on the connection is either treated as
+# HTTPS and decrypted OR tunneled at TCP level without decryption,
+# depending on the first matching bumping "action".
+#
+# ssl_bump [!]acl ...
+#
+# The following bumping actions are currently supported:
+#
+# splice
+# Become a TCP tunnel without decrypting proxied traffic.
+# This is the default action.
+#
+# bump
+# When used on step SslBump1, establishes a secure connection
+# with the client first, then connect to the server.
+# When used on step SslBump2 or SslBump3, establishes a secure
+# connection with the server and, using a mimicked server
+# certificate, with the client.
+#
+# peek
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of splicing the
+# connection. Peeking at the server certificate (during step 2)
+# usually precludes bumping of the connection at step 3.
+#
+# stare
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of bumping the
+# connection. Staring at the server certificate (during step 2)
+# usually precludes splicing of the connection at step 3.
+#
+# terminate
+# Close client and server connections.
+#
+# Backward compatibility actions available at step SslBump1:
+#
+# client-first
+# Bump the connection. Establish a secure connection with the
+# client first, then connect to the server. This old mode does
+# not allow Squid to mimic server SSL certificate and does not
+# work with intercepted SSL connections.
+#
+# server-first
+# Bump the connection. Establish a secure connection with the
+# server first, then establish a secure connection with the
+# client, using a mimicked server certificate. Works with both
+# CONNECT requests and intercepted SSL connections, but does
+# not allow to make decisions based on SSL handshake info.
+#
+# peek-and-splice
+# Decide whether to bump or splice the connection based on
+# client-to-squid and server-to-squid SSL hello messages.
+# XXX: Remove.
+#
+# none
+# Same as the "splice" action.
+#
+# All ssl_bump rules are evaluated at each of the supported bumping
+# steps. Rules with actions that are impossible at the current step are
+# ignored. The first matching ssl_bump action wins and is applied at the
+# end of the current step. If no rules match, the splice action is used.
+# See the at_step ACL for a list of the supported SslBump steps.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
+#
+#
+# # Example: Bump all TLS connections except those originating from
+# # localhost or those going to example.com.
+#
+# acl broken_sites ssl::server_name .example.com
+# ssl_bump splice localhost
+# ssl_bump splice broken_sites
+# ssl_bump bump all
+#Default:
+# Become a TCP tunnel without decrypting proxied traffic.
+
+# TAG: sslproxy_cert_error
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Use this ACL to bypass server certificate validation errors.
+#
+# For example, the following lines will bypass all validation errors
+# when talking to servers for example.com. All other
+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+#
+# acl BrokenButTrustedServers dstdomain example.com
+# sslproxy_cert_error allow BrokenButTrustedServers
+# sslproxy_cert_error deny all
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Using slow acl types may result in server crashes
+#
+# Without this option, all server certificate validation errors
+# terminate the transaction to protect Squid and the client.
+#
+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+# but should not happen unless your OpenSSL library is buggy.
+#
+# SECURITY WARNING:
+# Bypassing validation errors is dangerous because an
+# error usually implies that the server cannot be trusted
+# and the connection may be insecure.
+#
+# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#Default:
+# Server certificate errors terminate the transaction.
+
+# TAG: sslproxy_cert_sign
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_sign acl ...
+#
+# The following certificate signing algorithms are supported:
+#
+# signTrusted
+# Sign using the configured CA certificate which is usually
+# placed in and trusted by end-user browsers. This is the
+# default for trusted origin server certificates.
+#
+# signUntrusted
+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+# This is the default for untrusted origin server certificates
+# that are not self-signed (see ssl::certUntrusted).
+#
+# signSelf
+# Sign using a self-signed certificate with the right CN to
+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+# browser. This is the default for self-signed origin server
+# certificates (see ssl::certSelfSigned).
+#
+# This clause only supports fast acl types.
+#
+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+# signing algorithm to generate the certificate and ignores all
+# subsequent sslproxy_cert_sign options (the first match wins). If no
+# acl(s) match, the default signing algorithm is determined by errors
+# detected when obtaining and validating the origin server certificate.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslproxy_cert_adapt
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_adapt acl ...
+#
+# The following certificate adaptation algorithms are supported:
+#
+# setValidAfter
+# Sets the "Not After" property to the "Not After" property of
+# the CA certificate used to sign generated certificates.
+#
+# setValidBefore
+# Sets the "Not Before" property to the "Not Before" property of
+# the CA certificate used to sign generated certificates.
+#
+# setCommonName or setCommonName{CN}
+# Sets Subject.CN property to the host name specified as a
+# CN parameter or, if no explicit CN parameter was specified,
+# extracted from the CONNECT request. It is a misconfiguration
+# to use setCommonName without an explicit parameter for
+# intercepted or tproxied SSL connections.
+#
+# This clause only supports fast acl types.
+#
+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+# corresponding adaptation algorithm to generate the certificate and
+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+# group (i.e., the first match wins within each algorithm group). If no
+# acl(s) match, the default mimicking action takes place.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslpassword_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify a program used for entering SSL key passphrases
+# when using encrypted SSL certificate keys. If not specified
+# keys must either be unencrypted, or Squid started with the -N
+# option to allow it to query interactively for the passphrase.
+#
+# The key file name is given as argument to the program allowing
+# selection of the right password if you have multiple encrypted
+# keys.
+#Default:
+# none
+
+# OPTIONS RELATING TO EXTERNAL SSL_CRTD
+# -----------------------------------------------------------------------------
+
+# TAG: sslcrtd_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specify the location and options of the executable for certificate
+# generator.
+#
+# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response
+# times on repeated requests. To enable caching, specify -s and -M
+# parameters. If those parameters are not given, the program generates
+# a new certificate on every request.
+#
+# For more information use:
+# /usr/lib/squid/security_file_certgen -h
+#Default:
+# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
+
+# TAG: sslcrtd_children
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specifies the maximum number of certificate generation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child is idle and no new child can be started due to
+# numberofchildren limit. If the queued requests exceed queue size for
+# more than 3 minutes squid aborts its operation. The default value is
+# set to 2*numberofchildren.
+#
+# You must have at least one ssl_crtd process.
+#Default:
+# sslcrtd_children 32 startup=5 idle=1
+
+# TAG: sslcrtvalidator_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify the location and options of the executable for ssl_crt_validator
+# process.
+#
+# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
+#
+# Options:
+# ttl=n TTL in seconds for cached results. The default is 60 secs
+# cache=n limit the result cache size. The default value is 2048
+#Default:
+# none
+
+# TAG: sslcrtvalidator_children
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specifies the maximum number of certificate validation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each certificate validator helper can handle in
+# parallel. A value of 0 indicates the certficate validator does not
+# support concurrency. Defaults to 1.
+# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child can accept it due to concurrency limit and no new +# child can be started due to numberofchildren limit. If the queued +# requests exceed queue size for more than 3 minutes squid aborts its +# operation. The default value is set to 2*numberofchildren. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 + +# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM +# ----------------------------------------------------------------------------- + +# TAG: cache_peer +# To specify other caches in a hierarchy, use the format: +# +# cache_peer hostname type http-port icp-port [options] +# +# For example, +# +# # proxy icp +# # hostname type port port options +# # -------------------- -------- ----- ----- ----------- +# cache_peer parent.foo.net parent 3128 3130 default +# cache_peer sib1.foo.net sibling 3128 3130 proxy-only +# cache_peer sib2.foo.net sibling 3128 3130 proxy-only +# cache_peer example.com parent 80 0 default +# cache_peer cdn.example.com sibling 3128 0 +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy-port: The port number where the peer accept HTTP requests. +# For other Squid proxies this is usually 3128 +# For web servers this is usually 80 +# +# icp-port: Used for querying neighbor caches about objects. +# Set to 0 if the peer does not support ICP or HTCP. +# See ICP and HTCP options below for additional details. +# +# +# ==== ICP OPTIONS ==== +# +# You MUST also set icp_port and icp_access explicitly when using these options. 
+# The defaults will prevent peer traffic using ICP. +# +# +# no-query Disable ICP queries to this neighbor. +# +# multicast-responder +# Indicates the named peer is a member of a multicast group. +# ICP queries will not be sent directly to the peer, but ICP +# replies will be accepted from it. +# +# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward +# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. +# +# background-ping +# To only send ICP queries to this neighbor infrequently. +# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. +# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. This directive accepts a comma separated +# list of options described below. +# +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). +# +# htcp=no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# only-clr. +# +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. +# +# htcp=no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp=forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. 
+# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. +# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. +# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. +# +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a multicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. +# Only useful when sending to a multicast group. 
+# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. +# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# +# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== +# +# originserver Causes this parent to be contacted as an origin server. +# Meant to be used in accelerator setups when the peer +# is a web server. +# +# forceddomain=name +# Set the Host header of requests forwarded to this peer. +# Useful in accelerator setups where the server (peer) +# expects a certain domain name but clients may request +# others. ie example.com or www.example.com +# +# no-digest Disable request of cache digests. +# +# no-netdb-exchange +# Disables requesting ICMP RTT database (NetDB). +# +# +# ==== AUTHENTICATION OPTIONS ==== +# +# login=user:password +# If this is a personal/workgroup proxy and your parent +# requires proxy authentication. +# +# Note: The string can include URL escapes (i.e. %20 for +# spaces). This also means % must be written as %%. +# +# login=PASSTHRU +# Send login details received from client to this peer. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. +# +# Note: This will pass any form of authentication but +# only Basic auth will work through a proxy unless the +# connection-auth options are also used. +# +# login=PASS Send login details received from client to this peer. 
+# Authentication is not required by this option. +# +# If there are no client-provided authentication headers +# to pass on, but username and password are available +# from an external ACL user= and password= result tags +# they may be sent instead. +# +# Note: To combine this with proxy_auth both proxies must +# share the same user database as HTTP only allows for +# a single login (one for proxy, one for origin server). +# Also be warned this will expose your users proxy +# password to the peer. USE WITH CAUTION +# +# login=*:password +# Send the username to the upstream cache, but with a +# fixed password. This is meant to be used when the peer +# is in another administrative domain, but it is still +# needed to identify each user. +# The star can optionally be followed by some extra +# information which is added to the username. This can +# be used to identify this proxy to the peer, similar to +# the login=username:password option above. +# +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. 
+# +# connection-auth=on|off +# Tell Squid that this peer does or not support Microsoft +# connection oriented authentication, and any such +# challenges received from there should be ignored. +# Default is auto to automatically determine the status +# of the peer. +# +# auth-no-keytab +# Do not use a keytab to authenticate to a peer when +# login=NEGOTIATE is specified. Let the GSSAPI +# implementation determine which already existing +# credentials cache to use instead. +# +# +# ==== SSL / HTTPS / TLS OPTIONS ==== +# +# tls Encrypt connections to this peer with TLS. +# +# sslcert=/path/to/ssl/certificate +# A client X.509 certificate to use when connecting to +# this peer. +# +# sslkey=/path/to/ssl/key +# The private key corresponding to sslcert above. +# +# If sslkey= is not specified sslcert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# sslcipher=... The list of valid SSL ciphers to use when connecting +# to this peer. +# +# tls-min-version=1.N +# The minimum TLS protocol version to permit. To control +# SSLv3 use the tls-options= parameter. +# Supported Values: 1.0 (default), 1.1, 1.2 +# +# tls-options=... Specify various TLS implementation options. +# +# OpenSSL options most important are: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# GnuTLS options most important are: +# +# %NO_TICKETS +# Disable use of RFC5077 session tickets. 
+# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# See the GnuTLS Priority Strings documentation +# for a more complete list. +# http://www.gnutls.org/manual/gnutls.html#Priority-Strings +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# the peer certificate. May be repeated to load multiple files. +# +# sslcapath=... A directory containing additional CA certificates to +# use when verifying the peer certificate. +# Requires OpenSSL or LibreSSL. +# +# sslcrlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# sslflags=... Specify various flags modifying the SSL implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# ssldomain= The peer name as advertised in it's certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +# +# front-end-https[=off|on|auto] +# Enable the "Front-End-Https: On" header needed when +# using Squid as a SSL frontend in front of Microsoft OWA. +# See MS KB document Q307347 for details on this header. +# If set to auto the header will only be added if the +# request is forwarded as a https:// URL. +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. +# +# ==== GENERAL OPTIONS ==== +# +# connect-timeout=N +# A peer-specific connect timeout. +# Also see the peer_connect_timeout directive. +# +# connect-fail-limit=N +# How many times connecting to a peer must fail before +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. +# +# allow-miss Disable Squid's use of only-if-cached when forwarding +# requests to siblings. 
This is primarily useful when +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. +# +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. 
+# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. +# +# name=xxx Unique name for the peer. +# Required if you have multiple peers on the same host +# but different ports. +# This name can be used in cache_peer_access and similar +# directives to identify the peer. +# Can be used by outgoing access controls through the +# peername ACL type. +# +# no-tproxy Do not use the client-spoof TPROXY support when forwarding +# requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. +# +# proxy-only objects fetched from the peer will not be stored locally. +# +#Default: +# none + +# TAG: cache_peer_access +# Restricts usage of cache_peer proxies. +# +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. 
The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Default: +# No peer usage restrictions. + +# TAG: neighbor_type_domain +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. +# +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... +# +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. +#Default: +# The peer type from cache_peer directive is used for all requests to that peer. + +# TAG: dead_peer_timeout (seconds) +# This controls how long Squid waits to declare a peer cache +# as "dead." If there are no ICP replies received in this +# amount of time, Squid will declare the peer dead and not +# expect to receive any further ICP replies. However, it +# continues to send ICP queries, and will mark the peer as +# alive upon receipt of the first subsequent ICP reply. +# +# This timeout also affects when Squid expects to receive ICP +# replies from peers. If more than 'dead_peer' seconds have +# passed since the last ICP reply was received, Squid will not +# expect to receive an ICP reply on the next query. 
Thus, if +# your time between requests is greater than this timeout, you +# will see a lot of requests sent DIRECT to origin servers +# instead of to your parents. +#Default: +# dead_peer_timeout 10 seconds + +# TAG: forward_max_tries +# Limits the number of attempts to forward the request. +# +# For the purpose of this limit, Squid counts all high-level request +# forwarding attempts, including any same-destination retries after +# certain persistent connection failures and any attempts to use a +# different peer. However, these low-level attempts are not counted: +# * connection reopening attempts (enabled using connect_retries) +# * unfinished Happy Eyeballs connection attempts (prevented by setting +# happy_eyeballs_connect_limit to 0) +# +# See also: forward_timeout and connect_retries. +#Default: +# forward_max_tries 25 + +# MEMORY CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_mem (bytes) +# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. +# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL +# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER +# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. +# +# 'cache_mem' specifies the ideal amount of memory to be used +# for: +# * In-Transit objects +# * Hot Objects +# * Negative-Cached objects +# +# Data for these objects are stored in 4 KB blocks. This +# parameter specifies the ideal upper limit on the total size of +# 4 KB blocks allocated. In-Transit objects take the highest +# priority. +# +# In-transit objects have priority over the others. When +# additional space is needed for incoming data, negative-cached +# and hot objects will be released. In other words, the +# negative-cached and hot objects will fill up any unused space +# not needed for in-transit objects. +# +# If circumstances require, this limit will be exceeded. 
+# Specifically, if your incoming request rate requires more than +# 'cache_mem' of memory to hold in-transit objects, Squid will +# exceed this limit to satisfy the new requests. When the load +# decreases, blocks will be freed until the high-water mark is +# reached. Thereafter, blocks will be used to store hot +# objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. +#Default: +# cache_mem 256 MB + +# TAG: maximum_object_size_in_memory (bytes) +# Objects greater than this size will not be attempted to kept in +# the memory cache. This should be set high enough to keep objects +# accessed frequently in memory to improve performance whilst low +# enough to keep larger objects from hoarding cache_mem. +#Default: +# maximum_object_size_in_memory 512 KB + +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. 
+ +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + +# TAG: memory_replacement_policy +# The memory replacement policy parameter determines which +# objects are purged from memory when memory space is needed. +# +# See cache_replacement_policy for details on algorithms. +#Default: +# memory_replacement_policy lru + +# DISK CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_replacement_policy +# The cache replacement policy parameter determines which +# objects are evicted (replaced) when disk space is needed. +# +# lru : Squid's original list based LRU policy +# heap GDSF : Greedy-Dual Size Frequency +# heap LFUDA: Least Frequently Used with Dynamic Aging +# heap LRU : LRU policy implemented using a heap +# +# Applies to any cache_dir lines listed below this directive. +# +# The LRU policies keeps recently referenced objects. +# +# The heap GDSF policy optimizes object hit rate by keeping smaller +# popular objects in cache so it has a better chance of getting a +# hit. It achieves a lower byte hit rate than LFUDA though since +# it evicts larger (possibly popular) objects. +# +# The heap LFUDA policy keeps popular objects in cache regardless of +# their size and thus optimizes byte hit rate at the expense of +# hit rate since one large, popular object will prevent many +# smaller, slightly less popular objects from being cached. +# +# Both policies utilize a dynamic aging mechanism that prevents +# cache pollution that can otherwise occur with frequency-based +# replacement policies. 
+# +# NOTE: if using the LFUDA replacement policy you should increase +# the value of maximum_object_size above its default of 4 MB to +# to maximize the potential byte hit rate improvement of LFUDA. +# +# For more information about the GDSF and LFUDA cache replacement +# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html +# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. +#Default: +# cache_replacement_policy lru + +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB + +# TAG: cache_dir +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] +# +# You can specify multiple cache_dir lines to spread the +# cache among different disk partitions. +# +# Type specifies the kind of storage system to use. Only "ufs" +# is built by default. To enable any of the other storage systems +# see the --enable-storeio configure option. +# +# 'Directory' is a top-level directory where cache swap +# files will be stored. If you want to use an entire disk +# for caching, this can be the mount-point directory. +# The directory must exist and be writable by the Squid +# process. Squid will NOT create this directory for you. 
+# +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== +# +# "ufs" is the old well-known Squid storage format that has always +# been there. +# +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# +# 'Mbytes' is the amount of disk space (MB) to use under this +# directory. The default is 100 MB. Change this to suit your +# configuration. Do NOT put the size of your disk drive here. +# Instead, if you want Squid to use the entire disk drive, +# subtract 20% and use that value. +# +# 'L1' is the number of first-level subdirectories which +# will be created under the 'Directory'. The default is 16. +# +# 'L2' is the number of second-level subdirectories which +# will be created under each first-level directory. The default +# is 256. +# +# +# ==== The aufs store type ==== +# +# "aufs" uses the same storage format as "ufs", utilizing +# POSIX-threads to avoid blocking the main Squid process on +# disk-I/O. This was formerly known in Squid as async-io. +# +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# +# see argument descriptions under ufs above +# +# +# ==== The diskd store type ==== +# +# "diskd" uses the same storage format as "ufs", utilizing a +# separate process to avoid blocking the main Squid process on +# disk-I/O. +# +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# +# see argument descriptions under ufs above +# +# Q1 specifies the number of unacknowledged I/O requests when Squid +# stops opening new files. If this many messages are in the queues, +# Squid won't open new files. Default is 64 +# +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. 
Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. 
Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. 
As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. +# +# +# round-robin +# +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. +# +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. +# +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. +# +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. +# +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: +# +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... 
max-size=99999 +#Default: +# store_dir_select_algorithm least-load + +# TAG: max_open_disk_fds +# To avoid having disk as the I/O bottleneck Squid can optionally +# bypass the on-disk cache if more than this amount of disk file +# descriptors are open. +# +# A value of 0 indicates no limit. +#Default: +# no limit + +# TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy +#Default: +# cache_swap_low 90 + +# TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. 
If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy +#Default: +# cache_swap_high 95 + +# LOGFILE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: logformat +# Usage: +# +# logformat +# +# Defines an access log format. +# +# The is a string with embedded % format codes +# +# % format codes all follow the same basic structure where all +# components but the formatcode are optional and usually unnecessary, +# especially when dealing with common codes. +# +# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}] +# +# encoding escapes or otherwise protects "special" characters: +# +# " Quoted string encoding where quote(") and +# backslash(\) characters are \-escaped while +# CR, LF, and TAB characters are encoded as \r, +# \n, and \t two-character sequences. +# +# [ Custom Squid encoding where percent(%), square +# brackets([]), backslash(\) and characters with +# codes outside of [32,126] range are %-encoded. +# SP is not encoded. Used by log_mime_hdrs. +# +# # URL encoding (a.k.a. percent-encoding) where +# all URL unsafe and control characters (per RFC +# 1738) are %-encoded. +# +# / Shell-like encoding where quote(") and +# backslash(\) characters are \-escaped while CR +# and LF characters are encoded as \r and \n +# two-character sequences. Values containing SP +# character(s) are surrounded by quotes("). +# +# ' Raw/as-is encoding with no escaping/quoting. +# +# Default encoding: When no explicit encoding is +# specified, each %code determines its own encoding. +# Most %codes use raw/as-is encoding, but some codes use +# a so called "pass-through URL encoding" where all URL +# unsafe and control characters (per RFC 1738) are +# %-encoded, but the percent character(%) is left as is. 
+# +# - left aligned +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# +# {arg} argument such as header name etc. This field may be +# placed before or after the token, but not both at once. +# +# Format codes: +# +# % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# master_xaction The master transaction identifier is an unsigned +# integer. These IDs are guaranteed to monotonically +# increase within a single worker process lifetime, with +# higher values corresponding to transactions that were +# accepted or initiated later. Due to current implementation +# deficiencies, some IDs are skipped (i.e. never logged). +# Concurrent workers and restarted workers use similar, +# overlapping sequences of master transaction IDs. 
+# +# Connection related format codes: +# +# >a Client source IP address +# >A Client FQDN +# >p Client source port +# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter packet MARK set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# handshake Raw client handshake +# Initial client bytes received by Squid on a newly +# accepted TCP connection or inside a just established +# CONNECT tunnel. Squid stops accumulating handshake +# bytes as soon as the handshake parser succeeds or +# fails (determining whether the client is using the +# expected protocol). +# +# For HTTP clients, the handshake is the request line. +# For TLS clients, the handshake consists of all TLS +# records up to and including the TLS record that +# contains the last byte of the first ClientHello +# message. For clients using an unsupported protocol, +# this field contains the bytes received by Squid at the +# time of the handshake parsing failure. +# +# See the on_unsupported_protocol directive for more +# information on Squid handshake traffic expectations. +# +# Current support is limited to these contexts: +# - http_port connections, but only when the +# on_unsupported_protocol directive is in use. +# - https_port connections (and CONNECT tunnels) that +# are subject to the ssl_bump peek or stare action. +# +# To protect binary handshake data, this field is always +# base64-encoded (RFC 4648 Section 4). If logformat +# field encoding is configured, that encoding is applied +# on top of base64. Otherwise, the computed base64 value +# is recorded as is. +# +# Time related format codes: +# +# ts Seconds since epoch +# tu subsecond time (milliseconds) +# tl Local time. 
Optional strftime format argument +# default %d/%b/%Y:%H:%M:%S %z +# tg GMT time. Optional strftime format argument +# default %d/%b/%Y:%H:%M:%S %z +# tr Response time (milliseconds) +# dt Total time spent making DNS lookups (milliseconds) +# tS Approximate master transaction start time in +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST +# +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL received from the client (or computed) +# +# Computed URLs are URIs of internally generated +# requests and various "error:..." URIs. +# +# Unlike %ru, this request URI is not affected +# by request adaptation, URL rewriting services, +# and strip_query_terms. +# +# Honors uri_whitespace. 
+# +# This field is using pass-through URL encoding +# by default. Encoding this field using other +# variants of %-encoding will clash with +# uri_whitespace modifications that also use +# %-encoding. +# +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Optional header name argument as for >h +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# +# [http::]h +# +# [http::]mt MIME content type +# +# +# SIZE COUNTERS +# +# [http::]st Total size of request + reply traffic with client +# [http::]>st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. +# +# ssl::>cert_subject +# The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# ssl::>cert_issuer +# The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# +# ssl::negotiated_version The negotiated TLS version of the +# client connection. 
+# +# %ssl::received_hello_version The TLS version of the Hello +# message received from TLS client. +# +# %ssl::received_supported_version The maximum TLS version +# supported by the TLS client. +# +# %ssl::negotiated_cipher The negotiated cipher of the +# client connection. +# +# %ssl::h PROXY protocol header, including optional TLVs. +# +# Supports the same field and element reporting/extraction logic +# as %http::>h. For configuration and reporting purposes, Squid +# maps each PROXY TLV to an HTTP header field: the TLV type +# (configured as a decimal integer) is the field name, and the +# TLV value is the field value. All TLVs of "LOCAL" connections +# (in PROXY protocol terminology) are currently skipped/ignored. +# +# Squid also maps the following standard PROXY protocol header +# blocks to pseudo HTTP headers (their names use PROXY +# terminology and start with a colon, following HTTP tradition +# for pseudo headers): :command, :version, :src_addr, :dst_addr, +# :src_port, and :dst_port. +# +# Without optional parameters, this logformat code logs +# pseudo headers and TLVs. +# +# This format code uses pass-through URL encoding by default. +# +# Example: +# # relay custom PROXY TLV #224 to adaptation services +# adaptation_meta Client-Foo "%proxy_protocol::>h{224}" +# +# See also: %http::>h +# +# The default formats available (which do not need re-defining) are: +# +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. 
+# The logs from Squid contain an extra status and hierarchy code appended. +# +#Default: +# The format definitions squid, common, combined, referrer, useragent are built in. + +# TAG: access_log +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: +# +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] +# +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] +# +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. 
+# +# rotate=N Specifies the number of log file rotations to +# make when you run 'squid -k rotate'. The default +# is to obey the logfile_rotate directive. Setting +# rotate=0 will disable the file name rotation, +# but the log files are still closed and re-opened. +# This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# Only supported by the stdio module. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority +# +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. +# +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# Default: +# access_log daemon:/var/log/squid/access.log squid +#Default: +# access_log daemon:/var/log/squid/access.log squid + +# TAG: icap_log +# ICAP log files record ICAP transaction summaries, one line per +# transaction. 
+# +# The icap_log option format is: +# icap_log [ [acl acl ...]] +# icap_log none [acl acl ...]] +# +# Please see access_log option documentation for details. The two +# kinds of logs share the overall configuration approach and many +# features. +# +# ICAP processing of a single HTTP message or transaction may +# require multiple ICAP transactions. In such cases, multiple +# ICAP transaction log lines will correspond to a single access +# log line. +# +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). +# +# icap::h ICAP request header(s). Similar to >h. +# +# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/lib/squid/log_file_daemon + +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow logging for all transactions. + +# TAG: cache_store_log +# Logs the activities of the storage manager. 
Shows which +# objects are ejected from the cache, and which objects are +# saved and for how long. +# There are not really utilities to analyze this data, so you can safely +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# +# Example: +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log +#Default: +# none + +# TAG: cache_swap_state +# Location for the cache "swap.state" file. This index file holds +# the metadata of objects saved on disk. It is used to rebuild +# the cache during startup. Normally this file resides in each +# 'cache_dir' directory, but you may specify an alternate +# pathname here. Note you must give a full filename, not just +# a directory. Since this is the index for the whole object +# list you CANNOT periodically rotate it! +# +# If %s can be used in the file name it will be replaced with a +# a representation of the cache_dir name where each / is replaced +# with '.'. This is needed to allow adding/removing cache_dir +# lines when cache_swap_log is being used. +# +# If have more than one 'cache_dir', and %s is not used in the name +# these swap logs will have names such as: +# +# cache_swap_log.00 +# cache_swap_log.01 +# cache_swap_log.02 +# +# The numbered extension (which is added automatically) +# corresponds to the order of the 'cache_dir' lines in this +# configuration file. If you change the order of the 'cache_dir' +# lines in this file, these index files will NOT correspond to +# the correct 'cache_dir' entry (unless you manually rename +# them). We recommend you do NOT use this option. It is +# better to keep these index files in each 'cache_dir' directory. +#Default: +# Store the journal inside its cache_dir + +# TAG: logfile_rotate +# Specifies the default number of logfile rotations to make when you +# type 'squid -k rotate'. The default is 10, which will rotate +# with extensions 0 through 9. 
Setting logfile_rotate to 0 will +# disable the file name rotation, but the logfiles are still closed +# and re-opened. This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. +# +# Note, from Squid-4 this option is only a default for access.log +# recorded by stdio: module. Those logs can be rotated separately by +# using the rotate=N option on their access_log directive. +# +# Note, the 'squid -k rotate' command normally sends a USR1 +# signal to the running squid process. In certain situations +# (e.g. on Linux with Async I/O), USR1 is used for other +# purposes, so -k rotate uses another signal. It is best to get +# in the habit of using 'squid -k rotate' instead of 'kill -USR1 +# '. +# +# Note, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. +#Default: +# logfile_rotate 0 + +# TAG: mime_table +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. +#Default: +# mime_table /usr/share/squid/mime.conf + +# TAG: log_mime_hdrs on|off +# The Cache can record both the request and the response MIME +# headers for each HTTP transaction. The headers are encoded +# safely and will appear as two bracketed fields at the end of +# the access log (for either the native or httpd-emulated log +# formats). To enable this logging set log_mime_hdrs to 'on'. +#Default: +# log_mime_hdrs off + +# TAG: pid_filename +# A filename to write the process-id to. To disable, enter "none". +#Default: +# pid_filename /run/squid.pid + +# TAG: client_netmask +# A netmask for client addresses in logfiles and cachemgr output. +# Change this to protect the privacy of your cache clients. 
+# A netmask of 255.255.255.0 will log all IP's in that range with +# the last digit set to '0'. +#Default: +# Log full client IP address + +# TAG: strip_query_terms +# By default, Squid strips query terms from requested URLs before +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. +#Default: +# strip_query_terms on + +# TAG: buffered_logs on|off +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. +#Default: +# buffered_logs off + +# TAG: netdb_filename +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. +# +# To disable, enter "none". +#Default: +# netdb_filename stdio:/var/spool/squid/netdb.state + +# OPTIONS FOR TROUBLESHOOTING +# ----------------------------------------------------------------------------- + +# TAG: cache_log +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" +#Default: +# cache_log /var/log/squid/cache.log + +# TAG: debug_options +# Logging options are set as section,level where each source file +# is assigned a unique section. 
Lower levels result in less +# output, Full debugging (level 9) can result in a very large +# log file, so be careful. +# +# The magic word "ALL" sets debugging levels for all sections. +# The default is to run with "ALL,1" to record important warnings. +# +# The rotate=N option can be used to keep more or less of these logs +# than would otherwise be kept by logfile_rotate. +# For most uses a single log should be enough to monitor current +# events affecting Squid. +#Default: +# Log all critical and important messages. + +# TAG: coredump_dir +# By default Squid leaves core files in the directory from where +# it was started. If you set 'coredump_dir' to a directory +# that exists, Squid will chdir() to that directory at startup +# and coredump files will be left there. +# +#Default: +# Use the directory from where Squid was started. +# + +# Leave coredumps in the first cache dir +coredump_dir /var/spool/squid + +# OPTIONS FOR FTP GATEWAYING +# ----------------------------------------------------------------------------- + +# TAG: ftp_user +# If you want the anonymous login password to be more informative +# (and enable the use of picky FTP servers), set this to something +# reasonable for your domain, like wwwuser@somewhere.net +# +# The reason why this is domainless by default is the +# request can be made on the behalf of a user in any domain, +# depending on how the cache is used. +# Some FTP server also validate the email address is valid +# (for example perl.com). +#Default: +# ftp_user Squid@ + +# TAG: ftp_passive +# If your firewall does not allow Squid to use passive +# connections, turn off this option. +# +# Use of ftp_epsv_all option requires this to be ON. +#Default: +# ftp_passive on + +# TAG: ftp_epsv_all +# FTP Protocol extensions permit the use of a special "EPSV ALL" command. 
+# +# NATs may be able to put the connection on a "fast path" through the +# translator, as the EPRT command will never be used and therefore, +# translation of the data portion of the segments will never be needed. +# +# When a client only expects to do two-way FTP transfers this may be +# useful. +# If squid finds that it must do a three-way FTP transfer after issuing +# an EPSV ALL command, the FTP session will fail. +# +# If you have any doubts about this option do not use it. +# Squid will nicely attempt all other connection methods. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv_all off + +# TAG: ftp_epsv +# FTP Protocol extensions permit the use of a special "EPSV" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator using EPSV, as the EPRT command will never be used +# and therefore, translation of the data portion of the segments +# will never be needed. +# +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: +# +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# none + +# TAG: ftp_eprt +# FTP Protocol extensions permit the use of a special "EPRT" command. +# +# This extension provides a protocol neutral alternative to the +# IPv4-only PORT command. When supported it enables active FTP data +# channels over IPv6 and efficient NAT handling. +# +# Turning this OFF will prevent EPRT being attempted and will skip +# straight to using PORT for IPv4 servers. +# +# Some devices are known to not handle this extension correctly and +# may result in crashes. 
Devices which suport EPRT enough to fail +# cleanly will result in Squid attempting PORT anyway. This directive +# should only be disabled when EPRT results in device failures. +# +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers and IPv4-only FTP. +#Default: +# ftp_eprt on + +# TAG: ftp_sanitycheck +# For security and data integrity reasons Squid by default performs +# sanity checks of the addresses of FTP data connections ensure the +# data connection is to the requested server. If you need to allow +# FTP connections to servers using another IP address for the data +# connection turn this off. +#Default: +# ftp_sanitycheck on + +# TAG: ftp_telnet_protocol +# The FTP protocol is officially defined to use the telnet protocol +# as transport channel for the control connection. However, many +# implementations are broken and does not respect this aspect of +# the FTP protocol. +# +# If you have trouble accessing files with ASCII code 255 in the +# path or similar problems involving this ASCII code you can +# try setting this directive to off. If that helps, report to the +# operator of the FTP server in question that their FTP server +# is broken and does not follow the FTP standard. +#Default: +# ftp_telnet_protocol on + +# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS +# ----------------------------------------------------------------------------- + +# TAG: diskd_program +# Specify the location of the diskd executable. +# Note this is only useful if you have compiled in +# diskd as one of the store io modules. +#Default: +# diskd_program /usr/lib/squid/diskd + +# TAG: unlinkd_program +# Specify the location of the executable for file deletion process. +#Default: +# unlinkd_program /usr/lib/squid/unlinkd + +# TAG: pinger_program +# Specify the location of the executable for the pinger process. 
+#Default:
+# pinger_program /usr/lib/squid/pinger
+
+# TAG: pinger_enable
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable on
+
+# OPTIONS FOR URL REWRITING
+# -----------------------------------------------------------------------------
+
+# TAG: url_rewrite_program
+# The name and command line parameters of an admin-provided executable
+# for redirecting clients or adjusting/replacing client request URLs.
+#
+# This helper is consulted after the received request is cleared by
+# http_access and adapted using eICAP/ICAP services (if any). If the
+# helper does not redirect the client, Squid checks adapted_http_access
+# and may consult the cache or forward the request to the next hop.
+#
+#
+# For each request, the helper gets one line in the following format:
+#
+# [channel-ID ] request-URL [ extras]
+#
+# Use url_rewrite_extras to configure what Squid sends as 'extras'.
+#
+#
+# The helper must reply to each query using a single line:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result section must match exactly one of the following outcomes:
+#
+# OK [status=30N] url="..."
+#
+# Redirect the client to a URL supplied in the 'url' parameter.
+# Optional 'status' specifies the status code to send to the
+# client in Squid's HTTP redirect response. It must be one of
+# the standard HTTP redirect status codes: 301, 302, 303, 307,
+# or 308. When no specific status is requested, Squid uses 302.
+#
+# OK rewrite-url="..."
+#
+# Replace the current request URL with the one supplied in the
+# 'rewrite-url' parameter. Squid fetches the resource specified
+# by the new URL and forwards the received response (or its
+# cached copy) to the client.
+#
+# WARNING: Avoid rewriting URLs! When possible, redirect the
+# client using an "OK url=..." helper response instead.
+# Rewriting URLs may create inconsistent requests and/or break
+# synchronization between internal client and origin server
+# states, especially when URLs or other message parts contain
+# snippets of that state. For example, Squid does not adjust
+# Location headers and embedded URLs after the helper rewrites
+# the request URL.
+#
+# OK
+# Keep the client request intact.
+#
+# ERR
+# Keep the client request intact.
+#
+# BH [message="..."]
+# A helper problem that should be reported to the Squid admin
+# via a level-1 cache.log message. The 'message' parameter is
+# reserved for specifying the log message.
+#
+# In addition to the kv-pairs mentioned above, Squid also understands
+# the following optional kv-pairs in URL rewriter responses:
+#
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+#
+# The clt_conn_tag=TAG pair is treated as a regular transaction
+# annotation for the current request and also annotates future
+# requests on the same client connection. A helper may update
+# the TAG during subsequent requests by returning a new kv-pair.
+#
+#
+# Helper messages contain the channel-ID part if and only if the
+# url_rewrite_children directive specifies positive concurrency. As a
+# channel-ID value, Squid sends a number between 0 and concurrency-1.
+# The helper must echo back the received channel-ID in its response.
+#
+# By default, Squid does not use a URL rewriter.
+#Default:
+# none
+
+# TAG: url_rewrite_children
+# Specifies the maximum number of redirector processes that Squid may
+# spawn (numberofchildren) and several related options. Using too few of
+# these helper processes (a.k.a. "helpers") creates request queues.
+# Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each redirector helper can handle in
+# parallel. Defaults to 0 which indicates the redirector
+# is a old-style single threaded redirector.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. The default
+# maximum is zero if url_rewrite_bypass is enabled and
+# 2*numberofchildren otherwise. If the queued requests exceed queue size
+# and redirector_bypass configuration option is set, then redirector is
+# bypassed. Otherwise, Squid is allowed to temporarily exceed the
+# configured maximum, marking the affected helper as "overloaded". If
+# the helper overload lasts more than 3 minutes, the action prescribed
+# by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits. This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: url_rewrite_host_header
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
+# WARNING: Entries are cached on the result of the URL rewriting
+# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
+#Default:
+# url_rewrite_host_header on
+
+# TAG: url_rewrite_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: url_rewrite_bypass
+# When this is 'on', a request will not go through the
+# redirector if all the helpers are busy. If this is 'off' and the
+# redirector queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# redirectors are not critical to your caching system. If you use
+# redirectors for access control, and you enable this option,
+# users may have access to pages they should not
+# be allowed to request.
+#
+# Enabling this option sets the default url_rewrite_children queue-size
+# option value to 0.
+#Default:
+# url_rewrite_bypass off
+
+# TAG: url_rewrite_extras
+# Specifies a string to be append to request line format for the
+# rewriter helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: url_rewrite_timeout
+# Squid times active requests to redirector. The timeout value and Squid
+# reaction to a timed out request are configurable using the following
+# format:
+#
+# url_rewrite_timeout timeout time-units on_timeout= [response=]
+#
+# supported timeout actions:
+# fail Squid return a ERR_GATEWAY_FAILURE error page
+#
+# bypass Do not re-write the URL
+#
+# retry Send the lookup to the helper again
+#
+# use_configured_response
+# Use the as helper response
+#Default:
+# Squid waits for the helper response forever
+
+# OPTIONS FOR STORE ID
+# -----------------------------------------------------------------------------
+
+# TAG: store_id_program
+# Specify the location of the executable StoreID helper to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the helper will receive one line with the format
+#
+# [channel-ID ] URL [ extras]
+#
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK store-id="..."
+# Use the StoreID supplied in 'store-id='.
+#
+# ERR
+# The default is to use HTTP request URL as the store ID.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# In addition to the above kv-pairs Squid also understands the following
+# optional kv-pairs received from URL rewriters:
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation for this
+# kv-pair
+#
+# Helper programs should be prepared to receive and possibly ignore
+# additional whitespace-separated tokens on each input line.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# NOTE: when using StoreID refresh_pattern will apply to the StoreID
+# returned from the helper and not the URL.
+#
+# WARNING: Wrong StoreID value returned by a careless helper may result
+# in the wrong cached response returned to the user.
+#
+# By default, a StoreID helper is not used.
+#Default:
+# none
+
+# TAG: store_id_extras
+# Specifies a string to be append to request line format for the
+# StoreId helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: store_id_children
+# Specifies the maximum number of StoreID helper processes that Squid
+# may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each storeID helper can handle in
+# parallel. Defaults to 0 which indicates the helper
+# is a old-style single threaded program.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests to N. A request is queued
+# when no existing child can accept it due to concurrency limit and no
+# new child can be started due to numberofchildren limit. The default
+# maximum is 2*numberofchildren. If the queued requests exceed queue
+# size and redirector_bypass configuration option is set, then
+# redirector is bypassed. Otherwise, Squid is allowed to temporarily
+# exceed the configured maximum, marking the affected helper as
+# "overloaded". If the helper overload lasts more than 3 minutes, the
+# action prescribed by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits. This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# store_id_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: store_id_access
+# If defined, this access list specifies which requests are
+# sent to the StoreID processes. By default all requests
+# are sent.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: store_id_bypass
+# When this is 'on', a request will not go through the
+# helper if all helpers are busy. If this is 'off' and the helper
+# queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# helpers are not critical to your caching system. If you use
+# helpers for critical caching components, and you enable this
+# option, users may not get objects from cache.
+# This options sets default queue-size option of the store_id_children
+# to 0.
+#Default:
+# store_id_bypass on
+
+# OPTIONS FOR TUNING THE CACHE
+# -----------------------------------------------------------------------------
+
+# TAG: cache
+# Requests denied by this directive will not be served from the cache
+# and their responses will not be stored in the cache. This directive
+# has no effect on other transactions and on already cached responses.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# This and the two other similar caching directives listed below are
+# checked at different transaction processing stages, have different
+# access to response information, affect different cache operations,
+# and differ in slow ACLs support:
+#
+# * cache: Checked before Squid makes a hit/miss determination.
+# No access to reply information!
+# Denies both serving a hit and storing a miss.
+# Supports both fast and slow ACLs.
+# * send_hit: Checked after a hit was detected.
+# Has access to reply (hit) information.
+# Denies serving a hit only.
+# Supports fast ACLs only.
+# * store_miss: Checked before storing a cachable miss.
+# Has access to reply (miss) information.
+# Denies storing a miss only.
+# Supports fast ACLs only.
+#
+# If you are not sure which of the three directives to use, apply the
+# following decision logic:
+#
+# * If your ACL(s) are of slow type _and_ need response info, redesign.
+# Squid does not support that particular combination at this time.
+# Otherwise:
+# * If your directive ACL(s) are of slow type, use "cache"; and/or
+# * if your directive ACL(s) need no response info, use "cache".
+# Otherwise:
+# * If you do not want the response cached, use store_miss; and/or
+# * if you do not want a hit on a cached response, use send_hit.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: send_hit
+# Responses denied by this directive will not be served from the cache
+# (but may still be cached, see store_miss). This directive has no
+# effect on the responses it allows and on the cached objects.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives.
+#
+# Unlike the "cache" directive, send_hit only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# For example:
+#
+# # apply custom Store ID mapping to some URLs
+# acl MapMe dstdomain .c.example.com
+# store_id_program ...
+# store_id_access allow MapMe
+#
+# # but prevent caching of special responses
+# # such as 302 redirects that cause StoreID loops
+# acl Ordinary http_status 200-299
+# store_miss deny MapMe !Ordinary
+#
+# # and do not serve any previously stored special responses
+# # from the cache (in case they were already cached before
+# # the above store_miss rule was in effect).
+# send_hit deny MapMe !Ordinary
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: store_miss
+# Responses denied by this directive will not be cached (but may still
+# be served from the cache, see send_hit). This directive has no
+# effect on the responses it allows and on the already cached responses.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives. See the
+# send_hit directive for a usage example.
+#
+# Unlike the "cache" directive, store_miss only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: max_stale time-units
+# This option puts an upper limit on how stale content Squid
+# will serve from the cache if cache validation fails.
+# Can be overriden by the refresh_pattern max-stale option.
+#Default:
+# max_stale 1 week
+
+# TAG: refresh_pattern
+# usage: refresh_pattern [-i] regex min percent max [options]
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# 'Min' is the time (in minutes) an object without an explicit
+# expiry time should be considered fresh. The recommended
+# value is 0, any higher values may cause dynamic applications
+# to be erroneously cached unless the application designer
+# has taken the appropriate actions.
+#
+# 'Percent' is a percentage of the objects age (time since last
+# modification age) an object without explicit expiry time
+# will be considered fresh.
+#
+# 'Max' is an upper limit on how long objects without an explicit
+# expiry time will be considered fresh. The value is also used
+# to form Cache-Control: max-age header for a request sent from
+# Squid to origin/parent.
+#
+# options: override-expire
+# override-lastmod
+# reload-into-ims
+# ignore-reload
+# ignore-no-store
+# ignore-private
+# max-stale=NN
+# refresh-ims
+# store-stale
+#
+# override-expire enforces min age even if the server
+# sent an explicit expiry time (e.g., with the
+# Expires: header or Cache-Control: max-age). Doing this
+# VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# Note: override-expire does not enforce staleness - it only extends
+# freshness / min. If the server returns a Expires time which
+# is longer than your max time, Squid will still consider
+# the object fresh for that period of time.
+#
+# override-lastmod enforces min age even on objects
+# that were modified recently.
+#
+# reload-into-ims changes a client no-cache or ``reload''
+# request for a cached entry into a conditional request using
+# If-Modified-Since and/or If-None-Match headers, provided the
+# cached entry has a Last-Modified and/or a strong ETag header.
+# Doing this VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# ignore-reload ignores a client no-cache or ``reload''
+# header. Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which
+# it causes.
+#
+# ignore-no-store ignores any ``Cache-control: no-store''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-private ignores any ``Cache-control: private''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# refresh-ims causes squid to contact the origin server
+# when a client issues an If-Modified-Since request. This
+# ensures that the client will receive an updated version
+# if one is available.
+#
+# store-stale stores responses even if they don't have explicit
+# freshness or a validator (i.e., Last-Modified or an ETag)
+# present, or if they're already stale. By default, Squid will
+# not cache such responses because they usually can't be
+# reused. Note that such responses will be stale by default.
+#
+# max-stale=NN provide a maximum staleness factor. Squid won't
+# serve objects more stale than this even if it failed to
+# validate the object. Default: use the max_stale global limit.
+#
+# Basically a cached object is:
+#
+# FRESH if expire > now, else STALE
+# STALE if age > max
+# FRESH if lm-factor < percent, else STALE
+# FRESH if age < min
+# else STALE
+#
+# The refresh_pattern lines are checked in the order listed here.
+# The first entry which matches is used. If none of the entries
+# match the default will be used.
+#
+# Note, you must uncomment all the default lines if you want
+# to change one. The default setting is only active if none is
+# used.
+#
+#
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+# TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
+# TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
+# TAG: quick_abort_pct (percent)
+# The cache by default continues downloading aborted requests
+# which are almost completed (less than 16 KB remaining). This
+# may be undesirable on slow (e.g. SLIP) links and/or very busy
+# caches. Impatient users may tie up file descriptors and
+# bandwidth by repeatedly requesting and immediately aborting
+# downloads.
+#
+# When the user aborts a request, Squid will check the
+# quick_abort values to the amount of data transferred until
+# then.
+#
+# If the transfer has less than 'quick_abort_min' KB remaining,
+# it will finish the retrieval.
+#
+# If the transfer has more than 'quick_abort_max' KB remaining,
+# it will abort the retrieval.
+#
+# If more than 'quick_abort_pct' of the transfer has completed,
+# it will finish the retrieval.
+#
+# If you do not want any retrieval to continue after the client
+# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+# to '0 KB'.
+#
+# If you want retrievals to always continue if they are being
+# cached set 'quick_abort_min' to '-1 KB'.
+#Default:
+# quick_abort_pct 95
+
+# TAG: read_ahead_gap buffer-size
+# The amount of data the cache will buffer ahead of what has been
+# sent to the client when retrieving an object from another server.
+#Default:
+# read_ahead_gap 16 KB
+
+# TAG: negative_ttl time-units
+# Set the Default Time-to-Live (TTL) for failed requests.
+# Certain types of failures (such as "connection refused" and
+# "404 Not Found") are able to be negatively-cached for a short time.
+# Modern web servers should provide Expires: header, however if they
+# do not this can provide a minimum TTL.
+# The default is not to cache errors with unknown expiry details.
+#
+# Note that this is different from negative caching of DNS lookups.
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#Default:
+# negative_ttl 0 seconds
+
+# TAG: positive_dns_ttl time-units
+# Upper limit on how long Squid will cache positive DNS responses.
+# Default is 6 hours (360 minutes). This directive must be set
+# larger than negative_dns_ttl.
+#Default:
+# positive_dns_ttl 6 hours
+
+# TAG: negative_dns_ttl time-units
+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
+# This also sets the lower cache limit on positive lookups.
+# Minimum value is 1 second, and it is not recommendable to go
+# much below 10 seconds.
+#Default:
+# negative_dns_ttl 1 minutes
+
+# TAG: range_offset_limit size [acl acl...]
+# usage: (size) [units] [[!]aclname]
+#
+# Sets an upper limit on how far (number of bytes) into the file
+# a Range request may be to cause Squid to prefetch the whole file.
+# If beyond this limit, Squid forwards the Range request as it is and
+# the result is NOT cached.
+#
+# This is to stop a far ahead range request (lets say start at 17MB)
+# from making Squid fetch the whole object up to that point before
+# sending anything to the client.
+#
+# Multiple range_offset_limit lines may be specified, and they will
+# be searched from top to bottom on each request until a match is found.
+# The first match found will be used. If no line matches a request, the
+# default limit of 0 bytes will be used.
+#
+# 'size' is the limit specified as a number of units.
+#
+# 'units' specifies whether to use bytes, KB, MB, etc.
+# If no units are specified bytes are assumed.
+#
+# A size of 0 causes Squid to never fetch more than the
+# client requested. (default)
+#
+# A size of 'none' causes Squid to always fetch the object from the
+# beginning so it may cache the result. (2.0 style)
+#
+# 'aclname' is the name of a defined ACL.
+#
+# NP: Using 'none' as the byte value here will override any quick_abort settings
+# that may otherwise apply to the range request. The range request will
+# be fully fetched from start to finish regardless of the client
+# actions. This affects bandwidth usage.
+#Default:
+# none
+
+# TAG: minimum_expiry_time (seconds)
+# The minimum caching time according to (Expires - Date)
+# headers Squid honors if the object can't be revalidated.
+# The default is 60 seconds.
+#
+# In reverse proxy environments it might be desirable to honor
+# shorter object lifetimes. It is most likely better to make
+# your server return a meaningful Last-Modified header however.
+#
+# In ESI environments where page fragments often have short
+# lifetimes, this will often be best set to 0.
+#Default:
+# minimum_expiry_time 60 seconds
+
+# TAG: store_avg_object_size (bytes)
+# Average object size, used to estimate number of objects your
+# cache can hold. The default is 13 KB.
+#
+# This is used to pre-seed the cache index memory allocation to
+# reduce expensive reallocate operations while handling clients
+# traffic. Too-large values may result in memory allocation during
+# peak traffic, too-small values will result in wasted memory.
+#
+# Check the cache manager 'info' report metrics for the real
+# object sizes seen by your Squid before tuning this.
+#Default:
+# store_avg_object_size 13 KB
+
+# TAG: store_objects_per_bucket
+# Target number of objects per bucket in the store hash table.
+# Lowering this value increases the total number of buckets and
+# also the storage maintenance rate. The default is 20.
+#Default:
+# store_objects_per_bucket 20
+
+# HTTP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: request_header_max_size (KB)
+# This directives limits the header size of a received HTTP request
+# (including request-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to received FTP commands.
+#
+# This limit has no direct affect on Squid memory consumption.
+#
+# Squid does not check this limit when sending requests.
+#Default:
+# request_header_max_size 64 KB
+
+# TAG: reply_header_max_size (KB)
+# This directives limits the header size of a received HTTP response
+# (including status-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to FTP command responses.
+#
+# Squid also checks this limit when loading hit responses from disk cache.
+#
+# Squid does not check this limit when sending responses.
+#Default:
+# reply_header_max_size 64 KB
+
+# TAG: request_body_max_size (bytes)
+# This specifies the maximum size for an HTTP request body.
+# In other words, the maximum size of a PUT/POST request.
+# A user who attempts to send a request with a body larger
+# than this limit receives an "Invalid Request" error message.
+# If you set this parameter to a zero (the default), there will
+# be no limit imposed.
+#
+# See also client_request_buffer_max_size for an alternative
+# limitation on client uploads which can be configured.
+#Default:
+# No limit.
+
+# TAG: client_request_buffer_max_size (bytes)
+# This specifies the maximum buffer size of a client request.
+# It prevents squid eating too much memory when somebody uploads
+# a large file.
+#Default:
+# client_request_buffer_max_size 512 KB
+
+# TAG: broken_posts
+# A list of ACL elements which, if matched, causes Squid to send
+# an extra CRLF pair after the body of a PUT/POST request.
+#
+# Some HTTP servers has broken implementations of PUT/POST,
+# and rely on an extra CRLF pair sent by some WWW clients.
+#
+# Quote from RFC2616 section 4.1 on this matter:
+#
+# Note: certain buggy HTTP/1.0 client implementations generate an
+# extra CRLF's after a POST request. To restate what is explicitly
+# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
+# a request with an extra CRLF.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# acl buggy_server url_regex ^http://....
+# broken_posts allow buggy_server
+#Default:
+# Obey RFC 2616.
+
+# TAG: adaptation_uses_indirect_client on|off
+# Controls whether the indirect client IP address (instead of the direct
+# client IP address) is passed to adaptation services.
+#
+# See also: follow_x_forwarded_for adaptation_send_client_ip
+#Default:
+# adaptation_uses_indirect_client on
+
+# TAG: via on|off
+# If set (default), Squid will include a Via header in requests and
+# replies as required by RFC2616.
+#Default:
+# via on
+
+# TAG: vary_ignore_expire on|off
+# Many HTTP servers supporting Vary gives such objects
+# immediate expiry time with no cache-control header
+# when requested by a HTTP/1.0 client. This option
+# enables Squid to ignore such expiry times until
+# HTTP/1.1 is fully implemented.
+#
+# WARNING: If turned on this may eventually cause some
+# varying objects not intended for caching to get cached.
+#Default:
+# vary_ignore_expire off
+
+# TAG: request_entities
+# Squid defaults to deny GET and HEAD requests with request entities,
+# as the meaning of such requests are undefined in the HTTP standard
+# even if not explicitly forbidden.
+#
+# Set this directive to on if you have clients which insists
+# on sending request entities in GET or HEAD requests. But be warned
+# that there is server software (both proxies and web servers) which
+# can fail to properly process this kind of request which may make you
+# vulnerable to cache pollution attacks if enabled.
+#Default:
+# request_entities off
+
+# TAG: request_header_access
+# Usage: request_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option replaces the old 'anonymize_headers' and the
+# older 'http_anonymizer' option with something that is much
+# more configurable. A list of ACLs for each header name allows
+# removal of specific header fields under specific conditions.
+#
+# This option only applies to outgoing HTTP request headers (i.e.,
+# headers sent by Squid to the next HTTP hop such as a cache peer
+# or an origin server). The option has no effect during cache hit
+# detection. The equivalent adaptation vectoring point in ICAP
+# terminology is post-cache REQMOD.
+#
+# The option is applied to individual outgoing request header
+# fields. For each request header field F, Squid uses the first
+# qualifying sets of request_header_access rules:
+#
+# 1. Rules with header_name equal to F's name.
+# 2. Rules with header_name 'Other', provided F's name is not
+# on the hard-coded list of commonly used HTTP header names.
+# 3. Rules with header_name 'All'.
+#
+# Within that qualifying rule set, rule ACLs are checked as usual.
+# If ACLs of an "allow" rule match, the header field is allowed to
+# go through as is. If ACLs of a "deny" rule match, the header is
+# removed and request_header_replace is then checked to identify
+# if the removed header has a replacement. If no rules within the
+# set have matching ACLs, the header field is left as is.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# request_header_access From deny all
+# request_header_access Referer deny all
+# request_header_access User-Agent deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# request_header_access Authorization allow all
+# request_header_access Proxy-Authorization allow all
+# request_header_access Cache-Control allow all
+# request_header_access Content-Length allow all
+# request_header_access Content-Type allow all
+# request_header_access Date allow all
+# request_header_access Host allow all
+# request_header_access If-Modified-Since allow all
+# request_header_access Pragma allow all
+# request_header_access Accept allow all
+# request_header_access Accept-Charset allow all
+# request_header_access Accept-Encoding allow all
+# request_header_access Accept-Language allow all
+# request_header_access Connection allow all
+# request_header_access All deny all
+#
+# HTTP reply headers are controlled with the reply_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is performed).
+#Default:
+# No limits.
+
+# TAG: reply_header_access
+# Usage: reply_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option only applies to reply headers, i.e., from the
+# server to the client.
+#
+# This is the same as request_header_access, but in the other
+# direction. Please see request_header_access for detailed
+# documentation.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# reply_header_access Server deny all
+# reply_header_access WWW-Authenticate deny all
+# reply_header_access Link deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# reply_header_access Allow allow all
+# reply_header_access WWW-Authenticate allow all
+# reply_header_access Proxy-Authenticate allow all
+# reply_header_access Cache-Control allow all
+# reply_header_access Content-Encoding allow all
+# reply_header_access Content-Length allow all
+# reply_header_access Content-Type allow all
+# reply_header_access Date allow all
+# reply_header_access Expires allow all
+# reply_header_access Last-Modified allow all
+# reply_header_access Location allow all
+# reply_header_access Pragma allow all
+# reply_header_access Content-Language allow all
+# reply_header_access Retry-After allow all
+# reply_header_access Title allow all
+# reply_header_access Content-Disposition allow all
+# reply_header_access Connection allow all
+# reply_header_access All deny all
+#
+# HTTP request headers are controlled with the request_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is
+# performed).
+#Default:
+# No limits.
+
+# TAG: request_header_replace
+# Usage: request_header_replace header_name message
+# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+#
+# This option allows you to change the contents of headers
+# denied with request_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to request headers, not reply headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: reply_header_replace
+# Usage: reply_header_replace header_name message
+# Example: reply_header_replace Server Foo/1.0
+#
+# This option allows you to change the contents of headers
+# denied with reply_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to reply headers, not request headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: request_header_add
+# Usage: request_header_add field-name field-value [ acl ... ]
+# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP requests (i.e.,
+# request headers sent by Squid to the next HTTP hop such as a
+# cache peer or an origin server). The option has no effect during
+# cache hit detection. The equivalent adaptation vectoring point
+# in ICAP terminology is post-cache REQMOD.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the request to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching requests. As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The request_header_add supports fast ACLs only.
+#
+# See also: reply_header_add.
+#Default:
+# none
+
+# TAG: reply_header_add
+# Usage: reply_header_add field-name field-value [ acl ... ]
+# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP responses (i.e., response
+# headers delivered by Squid to the client). This option has no effect on
+# cache hit detection. The equivalent adaptation vectoring point in
+# ICAP terminology is post-cache RESPMOD. This option does not apply to
+# successful CONNECT replies.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the response to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching responses. As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The reply_header_add option supports fast ACLs only.
+#
+# See also: request_header_add.
+#Default:
+# none
+
+# TAG: note
+# This option used to log custom information about the master
+# transaction. For example, an admin may configure Squid to log
+# which "user group" the transaction belongs to, where "user group"
+# will be determined based on a set of ACLs and not [just]
+# authentication information.
+# Values of key/value pairs can be logged using %{key}note macros:
+#
+# note key value acl ...
+# logformat myFormat ... %{key}note ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: relaxed_header_parser on|off|warn
+# In the default "on" setting Squid accepts certain forms
+# of non-compliant HTTP messages where it is unambiguous
+# what the sending application intended even if the message
+# is not correctly formatted. The messages is then normalized
+# to the correct form when forwarded by Squid.
+#
+# If set to "warn" then a warning will be emitted in cache.log
+# each time such HTTP error is encountered.
+#
+# If set to "off" then such HTTP errors will cause the request
+# or response to be rejected.
+#Default:
+# relaxed_header_parser on
+
+# TAG: collapsed_forwarding (on|off)
+# This option controls whether Squid is allowed to merge multiple
+# potentially cachable requests for the same URI before Squid knows
+# whether the response is going to be cachable.
+#
+# When enabled, instead of forwarding each concurrent request for
+# the same URL, Squid just sends the first of them. The other, so
+# called "collapsed" requests, wait for the response to the first
+# request and, if it happens to be cachable, use that response.
+# Here, "concurrent requests" means "received after the first
+# request headers were parsed and before the corresponding response
+# headers were parsed".
+#
+# This feature is disabled by default: enabling collapsed
+# forwarding needlessly delays forwarding requests that look
+# cachable (when they are collapsed) but then need to be forwarded
+# individually anyway because they end up being for uncachable
+# content. However, in some cases, such as acceleration of highly
+# cachable content with periodic or grouped expiration times, the
+# gains from collapsing [large volumes of simultaneous refresh
+# requests] outweigh losses from such delays.
+#
+# Squid collapses two kinds of requests: regular client requests
+# received on one of the listening ports and internal "cache
+# revalidation" requests which are triggered by those regular
+# requests hitting a stale cached object. Revalidation collapsing
+# is currently disabled for Squid instances containing SMP-aware
+# disk or memory caches and for Vary-controlled cached objects.
+#Default:
+# collapsed_forwarding off
+
+# TAG: collapsed_forwarding_access
+# Use this directive to restrict collapsed forwarding to a subset of
+# eligible requests. The directive is checked for regular HTTP
+# requests, internal revalidation requests, and HTCP/ICP requests.
+#
+# collapsed_forwarding_access allow|deny [!]aclname ...
+#
+# This directive cannot force collapsing. It has no effect on
+# collapsing unless collapsed_forwarding is 'on', and all other
+# collapsing preconditions are satisfied.
+#
+# * A denied request will not collapse, and future transactions will
+# not collapse on it (even if they are allowed to collapse).
+#
+# * An allowed request may collapse, or future transactions may
+# collapse on it (provided they are allowed to collapse).
+#
+# This directive is evaluated before receiving HTTP response headers
+# and without access to Squid-to-peer connection (if any).
+#
+# Only fast ACLs are supported.
+#
+# See also: collapsed_forwarding.
+#Default:
+# Requests may be collapsed if collapsed_forwarding is on.
+
+# TAG: shared_transient_entries_limit (number of entries)
+# This directive limits the size of a table used for sharing current
+# transaction information among SMP workers. A table entry stores meta
+# information about a single cache entry being delivered to Squid
+# client(s) by one or more SMP workers. A single table entry consumes
+# less than 128 shared memory bytes.
+#
+# The limit should be significantly larger than the number of
+# concurrent non-collapsed cachable responses leaving Squid. For a
+# cache that handles less than 5000 concurrent requests, the default
+# setting of 16384 should be plenty.
+#
+# Using excessively large values wastes shared memory. Limiting the
+# table size too much results in hash collisions, leading to lower hit
+# ratio and missed SMP request collapsing opportunities: Transactions
+# left without a table entry cannot cache their responses and are
+# invisible to other concurrent requests for the same resource.
+#
+# A zero limit is allowed but unsupported. A positive small limit
+# lowers hit ratio, but zero limit disables a lot of essential
+# synchronization among SMP workers, leading to HTTP violations (e.g.,
+# stale hit responses). It also disables shared collapsed forwarding:
+# A worker becomes unable to collapse its requests on transactions in
+# other workers, resulting in more trips to the origin server and more
+# cache thrashing.
+#Default:
+# shared_transient_entries_limit 16384
+
+# TIMEOUTS
+# -----------------------------------------------------------------------------
+
+# TAG: forward_timeout time-units
+# This parameter specifies how long Squid should at most attempt in
+# finding a forwarding path for the request before giving up.
+#Default:
+# forward_timeout 4 minutes
+
+# TAG: connect_timeout time-units
+# This parameter specifies how long to wait for the TCP connect to
+# the requested server or peer to complete before Squid should
+# attempt to find another path where to forward the request.
+#Default:
+# connect_timeout 1 minute
+
+# TAG: peer_connect_timeout time-units
+# This parameter specifies how long to wait for a pending TCP
+# connection to a peer cache. The default is 30 seconds. You
+# may also set different timeout values for individual neighbors
+# with the 'connect-timeout' option on a 'cache_peer' line.
+#Default:
+# peer_connect_timeout 30 seconds
+
+# TAG: read_timeout time-units
+# Applied on peer server connections.
+#
+# After each successful read(), the timeout will be extended by this
+# amount. If no data is read again after this amount of time,
+# the request is aborted and logged with ERR_READ_TIMEOUT.
+#
+# The default is 15 minutes.
+#Default:
+# read_timeout 15 minutes
+
+# TAG: write_timeout time-units
+# This timeout is tracked for all connections that have data
+# available for writing and are waiting for the socket to become
+# ready. After each successful write, the timeout is extended by
+# the configured amount. If Squid has data to write but the
+# connection is not ready for the configured duration, the
+# transaction associated with the connection is terminated. The
+# default is 15 minutes.
+#Default:
+# write_timeout 15 minutes
+
+# TAG: request_timeout
+# How long to wait for complete HTTP request headers after initial
+# connection establishment.
+#Default:
+# request_timeout 5 minutes
+
+# TAG: request_start_timeout
+# How long to wait for the first request byte after initial
+# connection establishment.
+#Default:
+# request_start_timeout 5 minutes
+
+# TAG: client_idle_pconn_timeout
+# How long to wait for the next HTTP request on a persistent
+# client connection after the previous request completes.
+#Default:
+# client_idle_pconn_timeout 2 minutes
+
+# TAG: ftp_client_idle_timeout
+# How long to wait for an FTP request on a connection to Squid ftp_port.
+# Many FTP clients do not deal with idle connection closures well,
+# necessitating a longer default timeout than client_idle_pconn_timeout
+# used for incoming HTTP requests.
+#Default:
+# ftp_client_idle_timeout 30 minutes
+
+# TAG: client_lifetime time-units
+# The maximum amount of time a client (browser) is allowed to
+# remain connected to the cache process. This protects the Cache
+# from having a lot of sockets (and hence file descriptors) tied up
+# in a CLOSE_WAIT state from remote clients that go away without
+# properly shutting down (either because of a network failure or
+# because of a poor client implementation). The default is one
+# day, 1440 minutes.
+#
+# NOTE: The default value is intended to be much larger than any
+# client would ever need to be connected to your cache. You
+# should probably change client_lifetime only as a last resort.
+# If you seem to have many client connections tying up
+# filedescriptors, we recommend first tuning the read_timeout,
+# request_timeout, persistent_request_timeout and quick_abort values.
+#Default:
+# client_lifetime 1 day
+
+# TAG: pconn_lifetime time-units
+# Desired maximum lifetime of a persistent connection.
+# When set, Squid will close a now-idle persistent connection that
+# exceeded configured lifetime instead of moving the connection into
+# the idle connection pool (or equivalent). No effect on ongoing/active
+# transactions. Connection lifetime is the time period from the
+# connection acceptance or opening time until "now".
+#
+# This limit is useful in environments with long-lived connections
+# where Squid configuration or environmental factors change during a
+# single connection lifetime. If unrestricted, some connections may
+# last for hours and even days, ignoring those changes that should
+# have affected their behavior or their existence.
+#
+# Currently, a new lifetime value supplied via Squid reconfiguration
+# has no effect on already idle connections unless they become busy.
+#
+# When set to '0' this limit is not used.
+#Default:
+# pconn_lifetime 0 seconds
+
+# TAG: half_closed_clients
+# Some clients may shutdown the sending side of their TCP
+# connections, while leaving their receiving sides open. Sometimes,
+# Squid can not tell the difference between a half-closed and a
+# fully-closed TCP connection.
+#
+# By default, Squid will immediately close client connections when
+# read(2) returns "no more data to read."
+#
+# Change this option to 'on' and Squid will keep open connections
+# until a read(2) or write(2) on the socket returns an error.
+# This may show some benefits for reverse proxies. But if not
+# it is recommended to leave OFF.
+#Default:
+# half_closed_clients off
+
+# TAG: server_idle_pconn_timeout
+# Timeout for idle persistent connections to servers and other
+# proxies.
+#Default:
+# server_idle_pconn_timeout 1 minute
+
+# TAG: ident_timeout
+# Maximum time to wait for IDENT lookups to complete.
+#
+# If this is too high, and you enabled IDENT lookups from untrusted
+# users, you might be susceptible to denial-of-service by having
+# many ident requests going at once.
+#Default:
+# ident_timeout 10 seconds
+
+# TAG: shutdown_lifetime time-units
+# When SIGTERM or SIGHUP is received, the cache is put into
+# "shutdown pending" mode until all active sockets are closed.
+# This value is the lifetime to set for all open descriptors
+# during shutdown mode. Any active clients after this many
+# seconds will receive a 'timeout' message.
+#Default:
+# shutdown_lifetime 30 seconds
+
+# ADMINISTRATIVE PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mgr
+# Email-address of local cache manager who will receive
+# mail if the cache dies. The default is "webmaster".
+#Default:
+# cache_mgr webmaster
+
+# TAG: mail_from
+# From: email-address for mail sent when the cache dies.
+# The default is to use 'squid@unique_hostname'.
+#
+# See also: unique_hostname directive.
+#Default:
+# none
+
+# TAG: mail_program
+# Email program used to send mail if the cache dies.
+# The default is "mail". The specified program must comply
+# with the standard Unix mail syntax:
+# mail-program recipient < mailfile
+#
+# Optional command line options can be specified.
+#Default:
+# mail_program mail
+
+# TAG: cache_effective_user
+# If you start Squid as root, it will change its effective/real
+# UID/GID to the user specified below. The default is to change
+# to UID of proxy.
+# see also; cache_effective_group
+#Default:
+# cache_effective_user proxy
+
+# TAG: cache_effective_group
+# Squid sets the GID to the effective user's default group ID
+# (taken from the password file) and supplementary group list
+# from the groups membership.
+#
+# If you want Squid to run with a specific GID regardless of
+# the group memberships of the effective user then set this
+# to the group (or GID) you want Squid to run as. When set
+# all other group privileges of the effective user are ignored
+# and only this GID is effective. If Squid is not started as
+# root the user starting Squid MUST be member of the specified
+# group.
+#
+# This option is not recommended by the Squid Team.
+# Our preference is for administrators to configure a secure
+# user account for squid with UID/GID matching system policies.
+#Default:
+# Use system group memberships of the cache_effective_user account
+
+# TAG: httpd_suppress_version_string on|off
+# Suppress Squid version string info in HTTP headers and HTML error pages.
+#Default:
+# httpd_suppress_version_string off
+
+# TAG: visible_hostname
+# If you want to present a special hostname in error messages, etc,
+# define this. Otherwise, the return value of gethostname()
+# will be used. If you have multiple caches in a cluster and
+# get errors about IP-forwarding you must set them to have individual
+# names with this setting.
+#Default:
+# Automatically detect the system host name
+
+# TAG: unique_hostname
+# If you want to have multiple machines with the same
+# 'visible_hostname' you must give each machine a different
+# 'unique_hostname' so forwarding loops can be detected.
+#Default:
+# Copy the value from visible_hostname
+
+# TAG: hostname_aliases
+# A list of other DNS names your cache has.
+#Default:
+# none
+
+# TAG: umask
+# Minimum umask which should be enforced while the proxy
+# is running, in addition to the umask set at startup.
+#
+# For a traditional octal representation of umasks, start
+# your value with 0.
+#Default:
+# umask 027
+
+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
+# -----------------------------------------------------------------------------
+#
+# This section contains parameters for the (optional) cache
+# announcement service. This service is provided to help
+# cache administrators locate one another in order to join or
+# create cache hierarchies.
+#
+# An 'announcement' message is sent (via UDP) to the registration
+# service by Squid. By default, the announcement message is NOT
+# SENT unless you enable it with 'announce_period' below.
+#
+# The announcement message includes your hostname, plus the
+# following information from this configuration file:
+#
+# http_port
+# icp_port
+# cache_mgr
+#
+# All current information is processed regularly and made
+# available on the Web at http://www.ircache.net/Cache/Tracker/.
+
+# TAG: announce_period
+# This is how frequently to send cache announcements.
+#
+# To enable announcing your cache, just set an announce period.
+#
+# Example:
+# announce_period 1 day
+#Default:
+# Announcement messages disabled.
+
+# TAG: announce_host
+# Set the hostname where announce registration messages will be sent.
+#
+# See also announce_port and announce_file
+#Default:
+# announce_host tracker.ircache.net
+
+# TAG: announce_file
+# The contents of this file will be included in the announce
+# registration messages.
+#Default:
+# none
+
+# TAG: announce_port
+# Set the port where announce registration messages will be sent.
+#
+# See also announce_host and announce_file
+#Default:
+# announce_port 3131
+
+# HTTPD-ACCELERATOR OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: httpd_accel_surrogate_id
+# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
+# need an identification token to allow control targeting. Because
+# a farm of surrogates may all perform the same tasks, they may share
+# an identification token.
+#
+# When the surrogate is a reverse-proxy, this ID is also
+# used as cdn-id for CDN-Loop detection (RFC 8586).
+#Default:
+# visible_hostname is used if no specific ID is set.
+
+# TAG: http_accel_surrogate_remote on|off
+# Remote surrogates (such as those in a CDN) honour the header
+# "Surrogate-Control: no-store-remote".
+#
+# Set this to on to have squid behave as a remote surrogate.
+#Default:
+# http_accel_surrogate_remote off
+
+# TAG: esi_parser libxml2|expat
+# Selects the XML parsing library to use when interpreting responses with
+# Edge Side Includes.
+#
+# To disable ESI handling completely, ./configure Squid with --disable-esi.
+#Default:
+# Selects libxml2 if available at ./configure time or libexpat otherwise.
+
+# DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: delay_pools
+# This represents the number of delay pools to be used. For example,
+# if you have one class 2 delay pool and one class 3 delays pool, you
+# have a total of 2 delay pools.
+#
+# See also delay_parameters, delay_class, delay_access for pool
+# configuration details.
+#Default:
+# delay_pools 0
+
+# TAG: delay_class
+# This defines the class of each delay pool. There must be exactly one
+# delay_class line for each delay pool. For example, to define two
+# delay pools, one of class 2 and one of class 3, the settings above
+# and here would be:
+#
+# Example:
+# delay_pools 4 # 4 delay pools
+# delay_class 1 2 # pool 1 is a class 2 pool
+# delay_class 2 3 # pool 2 is a class 3 pool
+# delay_class 3 4 # pool 3 is a class 4 pool
+# delay_class 4 5 # pool 4 is a class 5 pool
+#
+# The delay pool classes are:
+#
+# class 1 Everything is limited by a single aggregate
+# bucket.
+#
+# class 2 Everything is limited by a single aggregate
+# bucket as well as an "individual" bucket chosen
+# from bits 25 through 32 of the IPv4 address.
+#
+# class 3 Everything is limited by a single aggregate
+# bucket as well as a "network" bucket chosen
+# from bits 17 through 24 of the IP address and a
+# "individual" bucket chosen from bits 17 through
+# 32 of the IPv4 address.
+#
+# class 4 Everything in a class 3 delay pool, with an
+# additional limit on a per user basis. This
+# only takes effect if the username is established
+# in advance - by forcing authentication in your
+# http_access rules.
+#
+# class 5 Requests are grouped according their tag (see
+# external_acl's tag= reply).
+#
+#
+# Each pool also requires a delay_parameters directive to configure the pool size
+# and speed limits used whenever the pool is applied to a request. Along with
+# a set of delay_access directives to determine when it is used.
+#
+# NOTE: If an IP address is a.b.c.d
+# -> bits 25 through 32 are "d"
+# -> bits 17 through 24 are "c"
+# -> bits 17 through 32 are "c * 256 + d"
+#
+# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
+# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also delay_parameters and delay_access.
+#Default:
+# none
+
+# TAG: delay_access
+# This is used to determine which delay pool a request falls into.
+#
+# delay_access is sorted per pool and the matching starts with pool 1,
+# then pool 2, ..., and finally pool N. The first delay pool where the
+# request is allowed is selected for the request. If it does not allow
+# the request to any pool then the request is not delayed (default).
+#
+# For example, if you want some_big_clients in delay
+# pool 1 and lotsa_little_clients in delay pool 2:
+#
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+# delay_access 3 allow authenticated_clients
+#
+# See also delay_parameters and delay_class.
+#
+#Default:
+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: delay_parameters
+# This defines the parameters for a delay pool. Each delay pool has
+# a number of "buckets" associated with it, as explained in the
+# description of delay_class.
+#
+# For a class 1 delay pool, the syntax is:
+# delay_class pool 1
+# delay_parameters pool aggregate
+#
+# For a class 2 delay pool:
+# delay_class pool 2
+# delay_parameters pool aggregate individual
+#
+# For a class 3 delay pool:
+# delay_class pool 3
+# delay_parameters pool aggregate network individual
+#
+# For a class 4 delay pool:
+# delay_class pool 4
+# delay_parameters pool aggregate network individual user
+#
+# For a class 5 delay pool:
+# delay_class pool 5
+# delay_parameters pool tagrate
+#
+# The option variables are:
+#
+# pool a pool number - ie, a number between 1 and the
+# number specified in delay_pools as used in
+# delay_class lines.
+#
+# aggregate the speed limit parameters for the aggregate bucket
+# (class 1, 2, 3).
+#
+# individual the speed limit parameters for the individual
+# buckets (class 2, 3).
+#
+# network the speed limit parameters for the network buckets
+# (class 3).
+#
+# user the speed limit parameters for the user buckets
+# (class 4).
+#
+# tagrate the speed limit parameters for the tag buckets
+# (class 5).
+#
+# A pair of delay parameters is written restore/maximum, where restore is
+# the number of bytes (not bits - modem and network speeds are usually
+# quoted in bits) per second placed into the bucket, and maximum is the
+# maximum number of bytes which can be in the bucket at any time.
+#
+# There must be one delay_parameters line for each delay pool.
+#
+#
+# For example, if delay pool number 1 is a class 2 delay pool as in the
+# above example, and is being used to strictly limit each host to 64Kbit/sec
+# (plus overheads), with no overall limit, the line is:
+#
+# delay_parameters 1 none 8000/8000
+#
+# Note that 8 x 8K Byte/sec -> 64K bit/sec.
+#
+# Note that the word 'none' is used to represent no limit.
+#
+#
+# And, if delay pool number 2 is a class 3 delay pool as in the above
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
+# to permit a decent web page to be downloaded at a decent speed
+# (if the network is not being limited due to overuse) but slow down
+# large downloads more significantly:
+#
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32K Byte/sec -> 256K bit/sec.
+# 8 x 8K Byte/sec -> 64K bit/sec.
+# 8 x 600 Byte/sec -> 4800 bit/sec.
+#
+#
+# Finally, for a class 4 delay pool as in the example - each user will
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
+#
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+#
+#
+# See also delay_class and delay_access.
+#
+#Default:
+# none
+
+# TAG: delay_initial_bucket_level (percent, 0-100)
+# The initial bucket percentage is used to determine how much is put
+# in each bucket when squid starts, is reconfigured, or first notices
+# a host accessing it (in class 2 and class 3, individual hosts and
+# networks only have buckets associated with them once they have been
+# "seen" by squid).
+#Default:
+# delay_initial_bucket_level 50
+
+# CLIENT DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: client_delay_pools
+# This option specifies the number of client delay pools used. It must
+# preceed other client_delay_* options.
+#
+# Example:
+# client_delay_pools 2
+#
+# See also client_delay_parameters and client_delay_access.
+#Default:
+# client_delay_pools 0
+
+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
+# This option determines the initial bucket size as a percentage of
+# max_bucket_size from client_delay_parameters. Buckets are created
+# at the time of the "first" connection from the matching IP. Idle
+# buckets are periodically deleted up.
+#
+# You can specify more than 100 percent but note that such "oversized"
+# buckets are not refilled until their size goes down to max_bucket_size
+# from client_delay_parameters.
+#
+# Example:
+# client_delay_initial_bucket_level 50
+#Default:
+# client_delay_initial_bucket_level 50
+
+# TAG: client_delay_parameters
+#
+# This option configures client-side bandwidth limits using the
+# following format:
+#
+# client_delay_parameters pool speed_limit max_bucket_size
+#
+# pool is an integer ID used for client_delay_access matching.
+#
+# speed_limit is bytes added to the bucket per second.
+#
+# max_bucket_size is the maximum size of a bucket, enforced after any
+# speed_limit additions.
+#
+# Please see the delay_parameters option for more information and
+# examples.
+#
+# Example:
+# client_delay_parameters 1 1024 2048
+# client_delay_parameters 2 51200 16384
+#
+# See also client_delay_access.
+#
+#Default:
+# none
+
+# TAG: client_delay_access
+# This option determines the client-side delay pool for the
+# request:
+#
+# client_delay_access pool_ID allow|deny acl_name
+#
+# All client_delay_access options are checked in their pool ID
+# order, starting with pool 1. The first checked pool with allowed
+# request is selected for the request. If no ACL matches or there
+# are no client_delay_access options, the request bandwidth is not
+# limited.
+#
+# The ACL-selected pool is then used to find the
+# client_delay_parameters for the request. Client-side pools are
+# not used to aggregate clients. Clients are always aggregated
+# based on their source IP addresses (one bucket per source IP).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Additionally, only the client TCP connection details are available.
+# ACLs testing HTTP properties will not work.
+#
+# Please see delay_access for more examples.
+#
+# Example:
+# client_delay_access 1 allow low_rate_network
+# client_delay_access 2 allow vips_network
+#
+#
+# See also client_delay_parameters and client_delay_pools.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: response_delay_pool
+# This option configures client response bandwidth limits using the
+# following format:
+#
+# response_delay_pool name [option=value] ...
+#
+# name the response delay pool name
+#
+# available options:
+#
+# individual-restore The speed limit of an individual
+# bucket(bytes/s). To be used in conjunction
+# with 'individual-maximum'.
+#
+# individual-maximum The maximum number of bytes which can
+# be placed into the individual bucket. To be used
+# in conjunction with 'individual-restore'.
+#
+# aggregate-restore The speed limit for the aggregate
+# bucket(bytes/s).
To be used in conjunction with
+# 'aggregate-maximum'.
+#
+# aggregate-maximum The maximum number of bytes which can
+# be placed into the aggregate bucket. To be used
+# in conjunction with 'aggregate-restore'.
+#
+# initial-bucket-level The initial bucket size as a percentage
+# of individual-maximum.
+#
+# Individual and(or) aggregate bucket options may not be specified,
+# meaning no individual and(or) aggregate speed limitation.
+# See also response_delay_pool_access and delay_parameters for
+# terminology details.
+#Default:
+# none
+
+# TAG: response_delay_pool_access
+# Determines whether a specific named response delay pool is used
+# for the transaction. The syntax for this directive is:
+#
+# response_delay_pool_access pool_name allow|deny acl_name
+#
+# All response_delay_pool_access options are checked in the order
+# they appear in this configuration file. The first rule with a
+# matching ACL wins. If (and only if) an "allow" rule won, Squid
+# assigns the response to the corresponding named delay pool.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: wccp_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCP disabled.
+
+# TAG: wccp2_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCPv2 disabled.
+
+# TAG: wccp_version
+# This directive is only relevant if you need to set up WCCP(v1)
+# to some very old and end-of-life Cisco routers. In all other
+# setups it must be left unset or at the default setting.
+# It defines an internal version in the WCCP(v1) protocol,
+# with version 4 being the officially documented protocol.
+#
+# According to some users, Cisco IOS 11.2 and earlier only
+# support WCCP version 3. If you're using that or an earlier
+# version of IOS, you may need to change this value to 3, otherwise
+# do not specify this parameter.
+#Default:
+# wccp_version 4
+
+# TAG: wccp2_rebuild_wait
+# If this is enabled Squid will wait for the cache dir rebuild to finish
+# before sending the first wccp2 HereIAm packet
+#Default:
+# wccp2_rebuild_wait on
+
+# TAG: wccp2_forwarding_method
+# WCCP2 allows the setting of forwarding methods between the
+# router/switch and the cache. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment method.
+#Default:
+# wccp2_forwarding_method gre
+
+# TAG: wccp2_return_method
+# WCCP2 allows the setting of return methods between the
+# router/switch and the cache for packets that the cache
+# decides not to handle. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment.
+#
+# If the "ip wccp redirect exclude in" command has been
+# enabled on the cache interface, then it is still safe for
+# the proxy server to use a l2 redirect method even if this
+# option is set to GRE.
+#Default:
+# wccp2_return_method gre
+
+# TAG: wccp2_assignment_method
+# WCCP2 allows the setting of methods to assign the WCCP hash
+# Valid values are as follows:
+#
+# hash - Hash assignment
+# mask - Mask assignment
+#
+# As a general rule, cisco routers support the hash assignment method
+# and cisco switches support the mask assignment method.
+#Default:
+# wccp2_assignment_method hash
+
+# TAG: wccp2_service
+# WCCP2 allows for multiple traffic services. There are two
+# types: "standard" and "dynamic". The standard type defines
+# one service id - http (id 0). The dynamic service ids can be from
+# 51 to 255 inclusive. In order to use a dynamic service id
+# one must define the type of traffic to be redirected; this is done
+# using the wccp2_service_info option.
+#
+# The "standard" type does not require a wccp2_service_info option,
+# just specifying the service id will suffice.
+#
+# MD5 service authentication can be enabled by adding
+# "password=" to the end of this service declaration.
+#
+# Examples:
+#
+# wccp2_service standard 0 # for the 'web-cache' standard service
+# wccp2_service dynamic 80 # a dynamic service type which will be
+# # fleshed out with subsequent options.
+# wccp2_service standard 0 password=foo
+#Default:
+# Use the 'web-cache' standard service.
+
+# TAG: wccp2_service_info
+# Dynamic WCCPv2 services require further information to define the
+# traffic you wish to have diverted.
+#
+# The format is:
+#
+# wccp2_service_info protocol= flags=,..
+# priority= ports=,..
+#
+# The relevant WCCPv2 flags:
+# + src_ip_hash, dst_ip_hash
+# + source_port_hash, dst_port_hash
+# + src_ip_alt_hash, dst_ip_alt_hash
+# + src_port_alt_hash, dst_port_alt_hash
+# + ports_source
+#
+# The port list can be one to eight entries.
+#
+# Example:
+#
+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
+# priority=240 ports=80
+#
+# Note: the service id must have been defined by a previous
+# 'wccp2_service dynamic ' entry.
+#Default:
+# none
+
+# TAG: wccp2_weight
+# Each cache server gets assigned a set of the destination
+# hash proportional to their weight.
+#Default:
+# wccp2_weight 10000
+
+# TAG: wccp_address
+# Use this option if you require WCCP(v1) to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# TAG: wccp2_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# PERSISTENT CONNECTION HANDLING
+# -----------------------------------------------------------------------------
+#
+# Also see "pconn_timeout" in the TIMEOUTS section
+
+# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
+#Default:
+# client_persistent_connections on
+
+# TAG: server_persistent_connections
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
+#Default:
+# server_persistent_connections on
+
+# TAG: persistent_connection_after_error
+# With this directive the use of persistent connections after
+# HTTP errors can be disabled. Useful if you have clients
+# who fail to handle errors on persistent connections proper.
+#Default:
+# persistent_connection_after_error on
+
+# TAG: detect_broken_pconn
+# Some servers have been found to incorrectly signal the use
+# of HTTP/1.0 persistent connections even on replies not
+# compatible, causing significant delays. This server problem
+# has mostly been seen on redirects.
+#
+# By enabling this directive Squid attempts to detect such
+# broken replies and automatically assume the reply is finished
+# after 10 seconds timeout.
+#Default:
+# detect_broken_pconn off
+
+# CACHE DIGEST OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: digest_generation
+# This controls whether the server will generate a Cache Digest
+# of its contents. By default, Cache Digest generation is
+# enabled if Squid is compiled with --enable-cache-digests defined.
+#Default:
+# digest_generation on
+
+# TAG: digest_bits_per_entry
+# This is the number of bits of the server's Cache Digest which
+# will be associated with the Digest entry for a given HTTP
+# Method and URL (public key) combination. The default is 5.
+#Default:
+# digest_bits_per_entry 5
+
+# TAG: digest_rebuild_period (seconds)
+# This is the wait time between Cache Digest rebuilds.
+#Default:
+# digest_rebuild_period 1 hour
+
+# TAG: digest_rewrite_period (seconds)
+# This is the wait time between Cache Digest writes to
+# disk.
+#Default:
+# digest_rewrite_period 1 hour
+
+# TAG: digest_swapout_chunk_size (bytes)
+# This is the number of bytes of the Cache Digest to write to
+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
+# default swap page.
+#Default:
+# digest_swapout_chunk_size 4096 bytes
+
+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
+# This is the percentage of the Cache Digest to be scanned at a
+# time. By default it is set to 10% of the Cache Digest.
+#Default:
+# digest_rebuild_chunk_percentage 10
+
+# SNMP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: snmp_port
+# The port number where Squid listens for SNMP requests. To enable
+# SNMP support set this to a suitable port number. Port number
+# 3401 is often used for the Squid SNMP agent. By default it's
+# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
+#Default:
+# SNMP disabled.
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: snmp_incoming_address
+# Just like 'udp_incoming_address', but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+#
+# The default snmp_incoming_address is to listen on all
+# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use the same port.
+#Default:
+# Use snmp_incoming_address or an address selected by the operating system.
+
+# ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icp_port
+# The port number where Squid sends and receives ICP queries to
+# and from neighbor caches. The standard UDP port for ICP is 3130.
+#
+# Example:
+# icp_port 3130
+#Default:
+# ICP disabled.
+
+# TAG: htcp_port
+# The port number where Squid sends and receives HTCP queries to
+# and from neighbor caches. To turn it on you want to set it to
+# 4827.
+#
+# Example:
+# htcp_port 4827
+#Default:
+# HTCP disabled.
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log.
You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#Default:
+# log_icp_queries on
+
+# TAG: udp_incoming_address
+# udp_incoming_address is used for UDP packets received from other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Only change this if you want to have all UDP queries received on
+# a specific interface/address.
+#
+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_outgoing_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Accept packets from all machine interfaces.
+
+# TAG: udp_outgoing_address
+# udp_outgoing_address is used for UDP packets sent out to other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Instead it will use the same socket as udp_incoming_address.
+# Only change this if you want to have UDP queries sent using another
+# address than where this Squid listens for UDP queries from other
+# caches.
+#
+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_incoming_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Use udp_incoming_address or an address selected by the operating system.
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control,
+# it is probably okay to set this to 'on'.
+# If set to 'on', your siblings should use the option "allow-miss"
+# on their cache_peer lines for connecting to you.
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away.
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt (msec)
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_low 900
+
+# TAG: netdb_high
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# maximum_icp_query_timeout 2000
+
+# TAG: minimum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very small timeouts, even lower than
+# the normal latency variance on your link due to traffic.
+# Use this option to put an lower limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# minimum_icp_query_timeout 5
+
+# TAG: background_ping_rate time-units
+# Controls how often the ICP pings are sent to siblings that
+# have background-ping set.
+#Default:
+# background_ping_rate 10 seconds
+
+# MULTICAST ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: mcast_groups
+# This tag specifies a list of multicast groups which your server
+# should join to receive multicasted ICP queries.
+#
+# NOTE! Be very careful what you put here! Be sure you
+# understand the difference between an ICP _query_ and an ICP
+# _reply_. This option is to be set only if you want to RECEIVE
+# multicast queries. Do NOT set this option to SEND multicast
+# ICP (use cache_peer for that). ICP replies are always sent via
+# unicast, so this option does not affect whether or not you will
+# receive replies from multicast group members.
+#
+# You must be very careful to NOT use a multicast address which
+# is already in use by another group of caches.
+#
+# If you are unsure about multicast, please read the Multicast
+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
+#
+# Usage: mcast_groups 239.128.16.128 224.0.1.20
+#
+# By default, Squid doesn't listen on any multicast groups.
+#Default:
+# none
+
+# TAG: mcast_miss_addr
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# If you enable this option, every "cache miss" URL will
+# be sent out on the specified multicast address.
+#
+# Do not enable this option unless you are are absolutely
+# certain you understand what you are doing.
+#Default:
+# disabled.
+
+# TAG: mcast_miss_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the time-to-live value for packets multicasted
+# when multicasting off cache miss URLs is enabled. By
+# default this is set to 'site scope', i.e. 16.
+#Default:
+# mcast_miss_ttl 16
+
+# TAG: mcast_miss_port
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the port number to be used in conjunction with
+# 'mcast_miss_addr'.
+#Default:
+# mcast_miss_port 3135
+
+# TAG: mcast_miss_encode_key
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# The URLs that are sent in the multicast miss stream are
+# encrypted. This is the encryption key.
+#Default:
+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
+
+# TAG: mcast_icp_query_timeout (msec)
+# For multicast peers, Squid regularly sends out ICP "probes" to
+# count how many other peers are listening on the given multicast
+# address. This value specifies how long Squid should wait to
+# count all the replies. The default is 2000 msec, or 2
+# seconds.
+#Default:
+# mcast_icp_query_timeout 2000
+
+# INTERNAL ICON OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/share/squid/icons
+#Default:
+# icon_directory /usr/share/squid/icons
+
+# TAG: global_internal_static
+# This directive controls is Squid should intercept all requests for
+# /squid-internal-static/ no matter which host the URL is requesting
+# (default on setting), or if nothing special should be done for
+# such URLs (off setting). The purpose of this directive is to make
+# icons etc work better in complex cache hierarchies where it may
+# not always be possible for all corners in the cache mesh to reach
+# the server generating a directory listing.
+#Default:
+# global_internal_static on
+
+# TAG: short_icon_urls
+# If this is enabled Squid will use short URLs for icons.
+# If disabled it will revert to the old behavior of including
+# it's own name and port in the URL.
+#
+# If you run a complex cache hierarchy with a mix of Squid and
+# other proxies you may need to disable this directive.
+#Default:
+# short_icon_urls on
+
+# ERROR PAGE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: error_directory
+# If you wish to create your own versions of the default
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are making translations for a
+# language that Squid does not currently provide please consider
+# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# Send error pages in the clients preferred language
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# Generate English language pages.
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
+#
+# For information on CSS see http://www.w3.org/Style/CSS/
+#Default:
+# err_page_stylesheet /etc/squid/errorpage.css
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#Default:
+# none
+
+# TAG: email_err_data on|off
+# If enabled, information about the occurred error will be
+# included in the mailto links of the ERR pages (if %W is set)
+# so that the email body contains the data.
+# Syntax is %w
+#Default:
+# email_err_data on
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# or deny_info http://... acl
+# or deny_info TCP_RESET acl
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. Squid remembers the last
+# acl it evaluated in http_access, and if a 'deny_info' line exists
+# for that ACL Squid returns a corresponding error page.
+#
+# The acl is typically the last acl on the http_access deny line which
+# denied access. The exceptions to this rule are:
+# - When Squid needs to request authentication credentials. It's then
+# the first authentication related acl encountered
+# - When none of the http_access lines matches. It's then the last
+# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
+#
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+#
+# Alternatively you can tell Squid to reset the TCP connection
+# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %A - Local listening IP address the client connection was connected to
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %O - Unescaped message result from external ACL helper
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
+#Default:
+# none
+
+# OPTIONS INFLUENCING REQUEST FORWARDING
+# -----------------------------------------------------------------------------
+
+# TAG: nonhierarchical_direct
+# By default, Squid will send any non-hierarchical requests
+# (not cacheable request type) direct to origin servers.
+#
+# When this is set to "off", Squid will prefer to send these
+# requests to parents.
+#
+# Note that in most configurations, by turning this off you will only
+# add latency to these request without any improvement in global hit
+# ratio.
+#
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
+#Default:
+# nonhierarchical_direct on
+
+# TAG: prefer_direct
+# Normally Squid tries to use parents for most requests. If you for some
+# reason like it to first try going direct and only use a parent if
+# going direct fails set this to on.
+#
+# By combining nonhierarchical_direct off and prefer_direct on you
+# can set up Squid to use a parent as a backup path if going direct
+# fails.
+#
+# Note: If you want Squid to use parents for all requests see
+# the never_direct directive. prefer_direct only modifies how Squid
+# acts on cacheable requests.
+#Default:
+# prefer_direct off
+
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server.
This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded by Squid to the origin servers without using
+# any peers. For example, to always directly forward requests for
+# local servers ignoring any parents or siblings you may have use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain .foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# NOTE: If your goal is to make the client forward the request
+# directly to the origin server bypassing Squid then this needs
+# to be done in the client configuration. Squid configuration
+# can only tell Squid how Squid should fetch the object.
+#
+# NOTE: This directive is not related to caching. The replies
+# is cached as usual even if you use always_direct. To not cache
+# the replies see the 'cache' directive.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Prevent any cache_peer being used for this request.
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain .foo.net
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if Squid is inside a firewall and there are local intranet
+# servers inside the firewall use something like:
+#
+# acl local-intranet dstdomain .foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow DNS results to be used for this request.
+
+# ADVANCED NETWORKING OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_udp_average 6
+
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_tcp_average 4
+
+# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_dns_average 4
+
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_udp_poll_cnt 8
+
+# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_dns_poll_cnt 8
+
+# TAG: min_tcp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_tcp_poll_cnt 8
+
+# TAG: accept_filter
+# FreeBSD:
+#
+# The name of an accept(2) filter to install on Squid's
+# listen socket(s). This feature is perhaps specific to
+# FreeBSD and requires support in the kernel.
+#
+# The 'httpready' filter delays delivering new connections
+# to Squid until a full HTTP request has been received.
+# See the accf_http(9) man page for details.
+#
+# The 'dataready' filter delays delivering new connections
+# to Squid until there is some data to process.
+# See the accf_dataready(9) man page for details.
+#
+# Linux:
+#
+# The 'data' filter delays delivering of new connections
+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
+# You may optionally specify a number of seconds to wait by
+# 'data=N' where N is the number of seconds. Defaults to 30
+# if not specified. See the tcp(7) man page for details.
+#EXAMPLE:
+## FreeBSD
+#accept_filter httpready
+## Linux
+#accept_filter data
+#Default:
+# none
+
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# No limit.
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
+#Default:
+# Use operating system TCP defaults.
+
+# ICAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icap_enable on|off
+# If you want to enable the ICAP module support, set this to on.
+#Default:
+# icap_enable off
+
+# TAG: icap_connect_timeout
+# This parameter specifies how long to wait for the TCP connect to
+# the requested ICAP server to complete before giving up and either
+# terminating the HTTP transaction or bypassing the failure.
+#
+# The default for optional services is peer_connect_timeout.
+# The default for essential services is connect_timeout.
+# If this option is explicitly set, its value applies to all services.
+#Default:
+# none
+
+# TAG: icap_io_timeout time-units
+# This parameter specifies how long to wait for an I/O activity on
+# an established, active ICAP connection before giving up and
+# either terminating the HTTP transaction or bypassing the
+# failure.
+#Default:
+# Use read_timeout.
+
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
+# The limit specifies the number of failures that Squid tolerates
+# when establishing a new TCP connection with an ICAP service. If
+# the number of failures exceeds the limit, the ICAP service is
+# not used for new ICAP requests until it is time to refresh its
+# OPTIONS.
+#
+# A negative value disables the limit. Without the limit, an ICAP
+# service will not be considered down due to connectivity failures
+# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth.
The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
+#Default:
+# icap_service_failure_limit 10
+
+# TAG: icap_service_revival_delay
+# The delay specifies the number of seconds to wait after an ICAP
+# OPTIONS request failure before requesting the options again. The
+# failed ICAP service is considered "down" until fresh OPTIONS are
+# fetched.
+#
+# The actual delay cannot be smaller than the hardcoded minimum
+# delay of 30 seconds.
+#Default:
+# icap_service_revival_delay 180
+
+# TAG: icap_preview_enable on|off
+# The ICAP Preview feature allows the ICAP server to handle the
+# HTTP message by looking only at the beginning of the message body
+# or even without receiving the body at all. In some environments,
+# previews greatly speedup ICAP processing.
+#
+# During an ICAP OPTIONS transaction, the server may tell Squid what
+# HTTP messages should be previewed and how big the preview should be.
+# Squid will not use Preview if the server did not request one.
+#
+# To disable ICAP Preview for all ICAP services, regardless of
+# individual ICAP server OPTIONS responses, set this option to "off".
+#Example:
+#icap_preview_enable off
+#Default:
+# icap_preview_enable on
+
+# TAG: icap_preview_size
+# The default size of preview data to be sent to the ICAP server.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
+#Default:
+# icap_206_enable on
+
+# TAG: icap_default_options_ttl
+# The default TTL value for ICAP OPTIONS responses that don't have
+# an Options-TTL header.
+#Default:
+# icap_default_options_ttl 60
+
+# TAG: icap_persistent_connections on|off
+# Whether or not Squid should use persistent connections to
+# an ICAP server.
+#Default:
+# icap_persistent_connections on
+
+# TAG: adaptation_send_client_ip on|off
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
+#Default:
+# adaptation_send_client_ip off
+
+# TAG: adaptation_send_username on|off
+# This sends authenticated HTTP client username (if available) to
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
+# icap_client_username_encode option and is sent using the header
+# specified by the icap_client_username_header option.
+#Default:
+# adaptation_send_username off
+
+# TAG: icap_client_username_header
+# ICAP request header name to use for adaptation_send_username.
+#Default:
+# icap_client_username_header X-Client-Username
+
+# TAG: icap_client_username_encode on|off
+# Whether to base64 encode the authenticated client username.
+#Default:
+# icap_client_username_encode off
+
+# TAG: icap_service
+# Defines a single ICAP service using the following format:
+#
+# icap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# ICAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: icap://servername:port/servicepath
+# ICAP server and service location.
+# icaps://servername:port/servicepath
+# The "icap:" URI scheme is used for traditional ICAP server and
+# service location (default port is 1344, connections are not
+# encrypted). The "icaps:" URI scheme is for Secure ICAP
+# services that use SSL/TLS-encrypted ICAP connections (by
+# default, on port 11344).
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled.
No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
+# connection-encryption=on|off
+# Determines the ICAP service effect on the connections_encrypted
+# ACL.
+#
+# The default is "on" for Secure ICAP services (i.e., those
+# with the icaps:// service URIs scheme) and "off" for plain ICAP
+# services.
+#
+# Does not affect ICAP connections (e.g., does not turn Secure
+# ICAP on or off).
+#
+# ==== ICAPS / TLS OPTIONS ====
+#
+# These options are used for Secure ICAP (icaps://....) services only.
+#
+# tls-cert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this ICAP server.
+#
+# tls-key=/path/to/ssl/key
+# The private key corresponding to the previous
+# tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
+# to this icap server.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various OpenSSL library options:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list. Options relevant only to SSLv2 are
+# not supported.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the icap server certificate.
+# Use to specify intermediate CA certificate(s) if not sent
+# by the server. Or the full CA chain for the server when
+# using the tls-default-ca=off flag.
+# May be repeated to load multiple files.
+#
+# tls-capath=... A directory containing additional CA certificates to
+# use when verifying the icap server certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# tls-crlfile=... A certificate revocation list file to use when
+# verifying the icap server certificate.
+#
+# tls-flags=... Specify various flags modifying the Squid TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the icap server certificate
+# matches the server name
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-domain= The icap server name as advertised in it's certificate.
+# Used for verifying the correctness of the received icap
+# server certificate. If not specified the icap server
+# hostname extracted from ICAP URI will be used.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
+#Default:
+# none
+
+# TAG: icap_class
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Defines a single eCAP service
+#
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
+# HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# connection-encryption=on|off
+# Determines the eCAP service effect on the connections_encrypted
+# ACL.
+#
+# Defaults to "on", which does not taint the master transaction
+# w.r.t. that ACL.
+#
+# Does not affect eCAP API calls.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#
+#Example:
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
+#Default:
+# none
+
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
+#
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable.
If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
+#
+#Example:
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services.
If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
+#Default:
+# none
+
+# TAG: adaptation_access
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+#
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
+#
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
+#
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
+#
+#Example:
+#adaptation_access service_1 allow all
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: adaptation_service_iteration_limit
+# Limits the number of iterations allowed when applying adaptation
+# services to a message.
If your longest adaptation set or chain
+# may have more than 16 services, increase the limit beyond its
+# default value of 16. If detecting infinite iteration loops sooner
+# is critical, make the iteration limit match the actual number
+# of services in your longest adaptation set or chain.
+#
+# Infinite adaptation loops are most likely with routing services.
+#
+# See also: icap_service routing=1
+#Default:
+# adaptation_service_iteration_limit 16
+
+# TAG: adaptation_masterx_shared_names
+# For each master transaction (i.e., the HTTP request and response
+# sequence, including all related ICAP and eCAP exchanges), Squid
+# maintains a table of metadata. The table entries are (name, value)
+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
+# with the master transaction.
+#
+# This option specifies the table entry names that Squid must accept
+# from and forward to the adaptation transactions.
+#
+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by returning an ICAP header field with a name
+# specified in adaptation_masterx_shared_names.
+#
+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by implementing the libecap::visitEachOption() API
+# to provide an option with a name specified in
+# adaptation_masterx_shared_names.
+#
+# Squid will store and forward the set entry to subsequent adaptation
+# transactions within the same master transaction scope.
+#
+# Only one shared entry name is supported at this time.
+#
+#Example:
+## share authentication information among ICAP services
+#adaptation_masterx_shared_names X-Subscriber-ID
+#Default:
+# none
+
+# TAG: adaptation_meta
+# This option allows Squid administrator to add custom ICAP request
+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
+# Use it to pass custom authentication tokens and other
+# transaction-state related meta information to an ICAP/eCAP service.
+#
+# The addition of a meta header is ACL-driven:
+# adaptation_meta name value [!]aclname ...
+#
+# Processing for a given header name stops after the first ACL list match.
+# Thus, it is impossible to add two headers with the same name. If no ACL
+# lists match for a given header name, no such header is added. For
+# example:
+#
+# # do not debug transactions except for those that need debugging
+# adaptation_meta X-Debug 1 needs_debugging
+#
+# # log all transactions except for those that must remain secret
+# adaptation_meta X-Log 1 !keep_secret
+#
+# # mark transactions from users in the "G 1" group
+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
+#
+# The "value" parameter may be a regular squid.conf token or a "double
+# quoted string". Within the quoted string, use backslash (\) to escape
+# any character, which is currently only useful for escaping backslashes
+# and double quotes. For example,
+# "this string has one backslash (\\) and two \"quotes\""
+#
+# Used adaptation_meta header values may be logged via %note
+# logformat code. If multiple adaptation_meta headers with the same name
+# are used during master transaction lifetime, the header values are
+# logged in the order they were used and duplicate values are ignored
+# (only the first repeated value will be logged).
+#Default:
+# none
+
+# TAG: icap_retry
+# This ACL determines which retriable ICAP transactions are
+# retried. Transactions that received a complete ICAP response
+# and did not have to consume or produce HTTP bodies to receive
+# that response are usually retriable.
+#
+# icap_retry allow|deny [!]aclname ...
+#
+# Squid automatically retries some ICAP I/O timeouts and errors
+# due to persistent connection race conditions.
+#
+# See also: icap_retry_limit
+#Default:
+# icap_retry deny all
+
+# TAG: icap_retry_limit
+# Limits the number of retries allowed.
+#
+# Communication errors due to persistent connection race
+# conditions are unavoidable, automatically retried, and do not
+# count against this limit.
+#
+# See also: icap_retry
+#Default:
+# No retries are allowed.
+
+# DNS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: check_hostnames
+# For security and stability reasons Squid can check
+# hostnames for Internet standard RFC compliance. If you want
+# Squid to perform these checks turn this directive on.
+#Default:
+# check_hostnames off
+
+# TAG: allow_underscore
+# Underscore characters is not strictly allowed in Internet hostnames
+# but nevertheless used by many sites. Set this to off if you want
+# Squid to be strict about the standard.
+# This check is performed only when check_hostnames is set to on.
+#Default:
+# allow_underscore on
+
+# TAG: dns_retransmit_interval
+# Initial retransmit interval for DNS queries. The interval is
+# doubled each time all configured DNS servers have been tried.
+#Default:
+# dns_retransmit_interval 5 seconds
+
+# TAG: dns_timeout
+# DNS Query timeout. If no response is received to a DNS query
+# within this time all DNS servers for the queried domain
+# are assumed to be unavailable.
+#Default:
+# dns_timeout 30 seconds
+
+# TAG: dns_packet_max
+# Maximum number of bytes packet size to advertise via EDNS.
+# Set to "none" to disable EDNS large packet support.
+#
+# For legacy reasons DNS UDP replies will default to 512 bytes which
+# is too small for many responses. EDNS provides a means for Squid to
+# negotiate receiving larger responses back immediately without having
+# to failover with repeat requests. Responses larger than this limit
+# will retain the old behaviour of failover to TCP DNS.
+#
+# Squid has no real fixed limit internally, but allowing packet sizes
+# over 1500 bytes requires network jumbogram support and is usually not
+# necessary.
+#
+# WARNING: The RFC also indicates that some older resolvers will reply
+# with failure of the whole request if the extension is added. Some
+# resolvers have already been identified which will reply with mangled
+# EDNS response on occasion. Usually in response to many-KB jumbogram
+# sizes being advertised by Squid.
+# Squid will currently treat these both as an unable-to-resolve domain
+# even if it would be resolvable without EDNS.
+#Default:
+# EDNS disabled
+
+# TAG: dns_defnames on|off
+# Normally the RES_DEFNAMES resolver option is disabled
+# (see res_init(3)). This prevents caches in a hierarchy
+# from interpreting single-component hostnames locally. To allow
+# Squid to handle single-component names, enable this option.
+#Default:
+# Search for single-label domain names is disabled.
+
+# TAG: dns_multicast_local on|off
+# When set to on, Squid sends multicast DNS lookups on the local
+# network for domains ending in .local and .arpa.
+# This enables local servers and devices to be contacted in an
+# ad-hoc or zero-configuration network environment.
+#Default:
+# Search for .local and .arpa names is disabled.
+
+# TAG: dns_nameservers
+# Use this if you want to specify a list of DNS name servers
+# (IP addresses) to use instead of those given in your
+# /etc/resolv.conf file.
+#
+# On Windows platforms, if no value is specified here or in
+# the /etc/resolv.conf file, the list of DNS name servers are
+# taken from the Windows registry, both static and dynamic DHCP
+# configurations are supported.
+#
+# Example: dns_nameservers 10.0.0.1 192.172.0.4
+#Default:
+# Use operating system definitions
+
+# TAG: hosts_file
+# Location of the host-local IP name-address associations
+# database.
Most Operating Systems have such a file on different +# default locations: +# - Un*X & Linux: /etc/hosts +# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\winnt) +# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\windows) +# - Windows 9x/Me: %windir%\hosts +# (%windir% value is usually c:\windows) +# - Cygwin: /etc/hosts +# +# The file contains newline-separated definitions, in the +# form ip_address_in_dotted_form name [name ...] names are +# whitespace-separated. Lines beginning with an hash (#) +# character are comments. +# +# The file is checked at startup and upon configuration. +# If set to 'none', it won't be checked. +# If append_domain is used, that domain will be added to +# domain-local (i.e. not containing any dot character) host +# definitions. +#Default: +# hosts_file /etc/hosts + +# TAG: append_domain +# Appends local domain name to hostnames without any dots in +# them. append_domain must begin with a period. +# +# Be warned there are now Internet names with no dots in +# them using only top-domain names, so setting this may +# cause some Internet sites to become unavailable. +# +#Example: +# append_domain .yourdomain.com +#Default: +# Use operating system definitions + +# TAG: ignore_unknown_nameservers +# By default Squid checks that DNS responses are received +# from the same IP addresses they are sent to. If they +# don't match, Squid ignores the response and writes a warning +# message to cache.log. You can allow responses from unknown +# nameservers by setting this option to 'off'. +#Default: +# ignore_unknown_nameservers on + +# TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. +#Default: +# ipcache_size 1024 + +# TAG: ipcache_low (percent) +#Default: +# ipcache_low 90 + +# TAG: ipcache_high (percent) +# The size, low-, and high-water marks for the IP cache. 
+#Default:
+# ipcache_high 95
+
+# TAG: fqdncache_size (number of entries)
+# Maximum number of FQDN cache entries.
+#Default:
+# fqdncache_size 1024
+
+# MISCELLANEOUS
+# -----------------------------------------------------------------------------
+
+# TAG: configuration_includes_quoted_values on|off
+# If set, Squid will recognize each "quoted string" after a configuration
+# directive as a single parameter. The quotes are stripped before the
+# parameter value is interpreted or used.
+# See "Values with spaces, quotes, and other special characters"
+# section for more details.
+#Default:
+# configuration_includes_quoted_values off
+
+# TAG: memory_pools on|off
+# If set, Squid will keep pools of allocated (but unused) memory
+# available for future use. If memory is a premium on your
+# system and you believe your malloc library outperforms Squid
+# routines, disable this.
+#Default:
+# memory_pools on
+
+# TAG: memory_pools_limit (bytes)
+# Used only with memory_pools on:
+# memory_pools_limit 50 MB
+#
+# If set to a non-zero value, Squid will keep at most the specified
+# limit of allocated (but unused) memory in memory pools. All free()
+# requests that exceed this limit will be handled by your malloc
+# library. Squid does not pre-allocate any memory, just safe-keeps
+# objects that otherwise would be free()d. Thus, it is safe to set
+# memory_pools_limit to a reasonably high value even if your
+# configuration will use less memory.
+#
+# If set to none, Squid will keep all memory it can. That is, there
+# will be no limit on the total amount of memory used for safe-keeping.
+#
+# To disable memory allocation optimization, do not set
+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
+#
+# An overhead for maintaining memory pools is not taken into account
+# when the limit is checked. This overhead is close to four bytes per
+# object kept. However, pools may actually _save_ memory because of
+# reduced memory thrashing in your malloc library.
+#Default:
+# memory_pools_limit 5 MB
+
+# TAG: forwarded_for on|off|transparent|truncate|delete
+# If set to "on", Squid will append your client's IP address
+# in the HTTP requests it forwards. By default it looks like:
+#
+# X-Forwarded-For: 192.1.2.3
+#
+# If set to "off", it will appear as
+#
+# X-Forwarded-For: unknown
+#
+# If set to "transparent", Squid will not alter the
+# X-Forwarded-For header in any way.
+#
+# If set to "delete", Squid will delete the entire
+# X-Forwarded-For header.
+#
+# If set to "truncate", Squid will remove all existing
+# X-Forwarded-For entries, and place the client IP as the sole entry.
+#Default:
+# forwarded_for on
+
+# TAG: cachemgr_passwd
+# Specify passwords for cachemgr operations.
+#
+# Usage: cachemgr_passwd password action action ...
+#
+# Some valid actions are (see cache manager menu for a full list):
+# 5min
+# 60min
+# asndb
+# authenticator
+# cbdata
+# client_list
+# comm_incoming
+# config *
+# counters
+# delay
+# digest_stats
+# dns
+# events
+# filedescriptors
+# fqdncache
+# histograms
+# http_headers
+# info
+# io
+# ipcache
+# mem
+# menu
+# netdb
+# non_peers
+# objects
+# offline_toggle *
+# pconn
+# peer_select
+# reconfigure *
+# redirector
+# refresh
+# server_list
+# shutdown *
+# store_digest
+# storedir
+# utilization
+# via_headers
+# vm_objects
+#
+# * Indicates actions which will not be performed without a
+# valid password, others can be performed if not listed here.
+#
+# To disable an action, set the password to "disable".
+# To allow performing an action without a password, set the
+# password to "none".
+#
+# Use the keyword "all" to set the same password for all actions.
+#
+#Example:
+# cachemgr_passwd secret shutdown
+# cachemgr_passwd lesssssssecret info stats/objects
+# cachemgr_passwd disable all
+#Default:
+# No password. Actions which require password are denied.
+
+# TAG: client_db on|off
+# If you want to disable collecting per-client statistics,
+# turn off client_db here.
+#Default:
+# client_db on
+
+# TAG: refresh_all_ims on|off
+# When you enable this option, squid will always check
+# the origin server for an update when a client sends an
+# If-Modified-Since request. Many browsers use IMS
+# requests when the user requests a reload, and this
+# ensures those clients receive the latest version.
+#
+# By default (off), squid may return a Not Modified response
+# based on the age of the cached version.
+#Default:
+# refresh_all_ims off
+
+# TAG: reload_into_ims on|off
+# When you enable this option, client no-cache or ``reload''
+# requests will be changed to If-Modified-Since requests.
+# Doing this VIOLATES the HTTP standard. Enabling this
+# feature could make you liable for problems which it
+# causes.
+#
+# see also refresh_pattern for a more selective approach.
+#Default:
+# reload_into_ims off
+
+# TAG: connect_retries
+# Limits the number of reopening attempts when establishing a single
+# TCP connection. All these attempts must still complete before the
+# applicable connection opening timeout expires.
+#
+# By default and when connect_retries is set to zero, Squid does not
+# retry failed connection opening attempts.
+#
+# The (not recommended) maximum is 10 tries. An attempt to configure a
+# higher value results in the value of 10 being used (with a warning).
+#
+# Squid may open connections to retry various high-level forwarding
+# failures. For an outside observer, that activity may look like a
+# low-level connection reopening attempt, but those high-level retries
+# are governed by forward_max_tries instead.
+#
+# See also: connect_timeout, forward_timeout, icap_connect_timeout,
+# ident_timeout, and forward_max_tries.
+#Default:
+# Do not retry failed connections.
+
+# TAG: retry_on_error
+# If set to ON Squid will automatically retry requests when
+# receiving an error response with status 403 (Forbidden),
+# 500 (Internal Error), 501 or 503 (Service not available).
+# Status 502 and 504 (Gateway errors) are always retried.
+#
+# This is mainly useful if you are in a complex cache hierarchy to
+# work around access control errors.
+#
+# NOTE: This retry will attempt to find another working destination.
+# Which is different from the server which just failed.
+#Default:
+# retry_on_error off
+
+# TAG: as_whois_server
+# WHOIS server to query for AS numbers. NOTE: AS numbers are
+# queried only when Squid starts up, not for every request.
+#Default:
+# as_whois_server whois.ra.net
+
+# TAG: offline_mode
+# Enable this option and Squid will never try to validate cached
+# objects.
+#Default:
+# offline_mode off
+
+# TAG: uri_whitespace
+# What to do with requests that have whitespace characters in the
+# URI. Options:
+#
+# strip: The whitespace characters are stripped out of the URL.
+# This is the behavior recommended by RFC2396 and RFC3986
+# for tolerant handling of generic URI.
+# NOTE: This is one difference between generic URI and HTTP URLs.
+#
+# deny: The request is denied. The user receives an "Invalid
+# Request" message.
+# This is the behaviour recommended by RFC2616 for safe
+# handling of HTTP request URL.
+#
+# allow: The request is allowed and the URI is not changed. The
+# whitespace characters remain in the URI. Note the
+# whitespace is passed to redirector processes if they
+# are in use.
+# Note this may be considered a violation of RFC2616
+# request parsing where whitespace is prohibited in the
+# URL field.
+#
+# encode: The request is allowed and the whitespace characters are
+# encoded according to RFC1738.
+#
+# chop: The request is allowed and the URI is chopped at the
+# first whitespace.
+#
+#
+# NOTE the current Squid implementation of encode and chop violates
+# RFC2616 by not using a 301 redirect after altering the URL.
+#Default:
+# uri_whitespace strip
+
+# TAG: chroot
+# Specifies a directory where Squid should do a chroot() while
+# initializing. This also causes Squid to fully drop root
+# privileges after initializing. This means, for example, if you
+# use a HTTP port less than 1024 and try to reconfigure, you may
+# get an error saying that Squid can not open the port.
+#Default:
+# none
+
+# TAG: pipeline_prefetch
+# HTTP clients may send a pipeline of 1+N requests to Squid using a
+# single connection, without waiting for Squid to respond to the first
+# of those requests. This option limits the number of concurrent
+# requests Squid will try to handle in parallel. If set to N, Squid
+# will try to receive and process up to 1+N requests on the same
+# connection concurrently.
+#
+# Defaults to 0 (off) for bandwidth management and access logging
+# reasons.
+#
+# NOTE: pipelining requires persistent connections to clients.
+#
+# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
+#Default:
+# Do not pre-parse pipelined requests.
+
+# TAG: high_response_time_warning (msec)
+# If the one-minute median response time exceeds this value,
+# Squid prints a WARNING with debug level 0 to get the
+# administrators attention. The value is in milliseconds.
+#Default:
+# disabled.
+
+# TAG: high_page_fault_warning
+# If the one-minute average page fault rate exceeds this
+# value, Squid prints a WARNING with debug level 0 to get
+# the administrators attention. The value is in page faults
+# per second.
+#Default:
+# disabled.
+
+# TAG: high_memory_warning
+# Note: This option is only available if Squid is rebuilt with the
+# GNU Malloc with mstats()
+#
+# If the memory usage (as determined by gnumalloc, if available and used)
+# exceeds this amount, Squid prints a WARNING with debug level 0 to get
+# the administrators attention.
+#Default:
+# disabled.
+
+# TAG: sleep_after_fork (microseconds)
+# When this is set to a non-zero value, the main Squid process
+# sleeps the specified number of microseconds after a fork()
+# system call. This sleep may help the situation where your
+# system reports fork() failures due to lack of (virtual)
+# memory. Note, however, if you have a lot of child
+# processes, these sleep delays will add up and your
+# Squid will not service requests for some amount of time
+# until all the child processes have been started.
+# On Windows value less then 1000 (1 milliseconds) are
+# rounded to 1000.
+#Default:
+# sleep_after_fork 0
+
+# TAG: windows_ipaddrchangemonitor on|off
+# Note: This option is only available if Squid is rebuilt with the
+# MS Windows
+#
+# On Windows Squid by default will monitor IP address changes and will
+# reconfigure itself after any detected event. This is very useful for
+# proxies connected to internet with dial-up interfaces.
+# In some cases (a Proxy server acting as VPN gateway is one) it could be
+# desiderable to disable this behaviour setting this to 'off'.
+# Note: after changing this, Squid service must be restarted.
+#Default:
+# windows_ipaddrchangemonitor on
+
+# TAG: eui_lookup
+# Whether to lookup the EUI or MAC address of a connected client.
+#Default:
+# eui_lookup on
+
+# TAG: max_filedescriptors
+# Set the maximum number of filedescriptors, either below the
+# operating system default or up to the hard limit.
+#
+# Remove from squid.conf to inherit the current ulimit soft
+# limit setting.
+#
+# Note: Changing this requires a restart of Squid. Also
+# not all I/O types supports large values (eg on Windows).
+#Default:
+# Use operating system soft limit set by ulimit.
+
+# TAG: force_request_body_continuation
+# This option controls how Squid handles data upload requests from HTTP
+# and FTP agents that require a "Please Continue" control message response
+# to actually send the request body to Squid. It is mostly useful in
+# adaptation environments.
+#
+# When Squid receives an HTTP request with an "Expect: 100-continue"
+# header or an FTP upload command (e.g., STOR), Squid normally sends the
+# request headers or FTP command information to an adaptation service (or
+# peer) and waits for a response. Most adaptation services (and some
+# broken peers) may not respond to Squid at that stage because they may
+# decide to wait for the HTTP request body or FTP data transfer. However,
+# that request body or data transfer may never come because Squid has not
+# responded with the HTTP 100 or FTP 150 (Please Continue) control message
+# to the request sender yet!
+#
+# An allow match tells Squid to respond with the HTTP 100 or FTP 150
+# (Please Continue) control message on its own, before forwarding the
+# request to an adaptation service or peer. Such a response usually forces
+# the request sender to proceed with sending the body. A deny match tells
+# Squid to delay that control response until the origin server confirms
+# that the request body is needed. Delaying is the default behavior.
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: http_upgrade_request_protocols
+# Controls client-initiated and server-confirmed switching from HTTP to
+# another protocol (or to several protocols) using HTTP Upgrade mechanism
+# defined in RFC 7230 Section 6.7. Squid itself does not understand the
+# protocols being upgraded to and participates in the upgraded
+# communication only as a dumb TCP proxy. Admins should not allow
+# upgrading to protocols that require a more meaningful proxy
+# participation.
+#
+# Usage: http_upgrade_request_protocols allow|deny [!]acl ...
+#
+# The required "protocol" parameter is either an all-caps word OTHER or an
+# explicit protocol name (e.g. "WebSocket") optionally followed by a slash
+# and a version token (e.g. "HTTP/3"). Explicit protocol names and
+# versions are case sensitive.
+#
+# When an HTTP client sends an Upgrade request header, Squid iterates over
+# the client-offered protocols and, for each protocol P (with an optional
+# version V), evaluates the first non-empty set of
+# http_upgrade_request_protocols rules (if any) from the following list:
+#
+# * All rules with an explicit protocol name equal to P.
+# * All rules that use OTHER instead of a protocol name.
+#
+# In other words, rules using OTHER are considered for protocol P if and
+# only if there are no rules mentioning P by name.
+#
+# If both of the above sets are empty, then Squid removes protocol P from
+# the Upgrade offer.
+#
+# If the client sent a versioned protocol offer P/X, then explicit rules
+# referring to the same-name but different-version protocol P/Y are
+# declared inapplicable. Inapplicable rules are not evaluated (i.e. are
+# ignored). However, inapplicable rules still belong to the first set of
+# rules for P.
+#
+# Within the applicable rule subset, individual rules are evaluated in
+# their configuration order. If all ACLs of an applicable "allow" rule
+# match, then the protocol offered by the client is forwarded to the next
+# hop as is. If all ACLs of an applicable "deny" rule match, then the
+# offer is dropped. If no applicable rules have matching ACLs, then the
+# offer is also dropped. The first matching rule also ends rules
+# evaluation for the offered protocol.
+#
+# If all client-offered protocols are removed, then Squid forwards the
+# client request without the Upgrade header. Squid never sends an empty
+# Upgrade request header.
+#
+# An Upgrade request header with a value violating HTTP syntax is dropped
+# and ignored without an attempt to use extractable individual protocol
+# offers.
+#
+# Upon receiving an HTTP 101 (Switching Protocols) control message, Squid
+# checks that the server listed at least one protocol name and sent a
+# Connection:upgrade response header. Squid does not understand individual
+# protocol naming and versioning concepts enough to implement stricter
+# checks, but an admin can restrict HTTP 101 (Switching Protocols)
+# responses further using http_reply_access. Responses denied by
+# http_reply_access rules and responses flagged by the internal Upgrade
+# checks result in HTTP 502 (Bad Gateway) ERR_INVALID_RESP errors and
+# Squid-to-server connection closures.
+#
+# If Squid sends an Upgrade request header, and the next hop (e.g., the
+# origin server) responds with an acceptable HTTP 101 (Switching
+# Protocols), then Squid forwards that message to the client and becomes
+# a TCP tunnel.
+#
+# The presence of an Upgrade request header alone does not preclude cache
+# lookups. In other words, an Upgrade request might be satisfied from the
+# cache, using regular HTTP caching rules.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Each of the following groups of configuration lines represents a
+# separate configuration example:
+#
+# # never upgrade to protocol Foo; all others are OK
+# http_upgrade_request_protocols Foo deny all
+# http_upgrade_request_protocols OTHER allow all
+#
+# # only allow upgrades to protocol Bar (except for its first version)
+# http_upgrade_request_protocols Bar/1 deny all
+# http_upgrade_request_protocols Bar allow all
+# http_upgrade_request_protocols OTHER deny all # this rule is optional
+#
+# # only allow upgrades to protocol Baz, and only if Baz is the only offer
+# acl UpgradeHeaderHasMultipleOffers ...
+# http_upgrade_request_protocols Baz deny UpgradeHeaderHasMultipleOffers
+# http_upgrade_request_protocols Baz allow all
+#Default:
+# Upgrade header dropped, effectively blocking an upgrade attempt.
+
+# TAG: server_pconn_for_nonretriable
+# This option provides fine-grained control over persistent connection
+# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
+# in environments where opening new connections is very expensive
+# (e.g., all connections are secured with TLS with complex client and server
+# certificate validation) and race conditions associated with persistent
+# connections are very rare and/or only cause minor problems.
+#
+# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
+# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
+# By default, when forwarding such "risky" requests, Squid opens a new
+# connection to the server or cache_peer, even if there is an idle persistent
+# connection available. When Squid is configured to risk sending a non-retriable
+# request on a previously used persistent connection, and the server closes
+# the connection before seeing that risky request, the user gets an error response
+# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
+# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
+#
+# If an allow rule matches, Squid reuses an available idle persistent connection
+# (if any) for the request that Squid cannot retry. If a deny rule matches, then
+# Squid opens a new connection for the request that Squid cannot retry.
+#
+# This option does not affect requests that Squid can retry. They will reuse idle
+# persistent connections (if any).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Example:
+# acl SpeedIsWorthTheRisk method POST
+# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
+#Default:
+# Open new connections for forwarding requests Squid cannot retry safely.
+
+# TAG: happy_eyeballs_connect_timeout (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the minimum
+# delay between opening a primary to-server connection and opening a
+# spare to-server connection for the same master transaction. This delay
+# is similar to the Connection Attempt Delay in RFC 8305, but it is only
+# applied to the first spare connection attempt. Subsequent spare
+# connection attempts use happy_eyeballs_connect_gap, and primary
+# connection attempts are not artificially delayed at all.
+#
+# Terminology: The "primary" and "spare" designations are determined by
+# the order of DNS answers received by Squid: If Squid DNS AAAA query
+# was answered first, then primary connections are connections to IPv6
+# peer addresses (while spare connections use IPv4 addresses).
+# Similarly, if Squid DNS A query was answered first, then primary
+# connections are connections to IPv4 peer addresses (while spare
+# connections use IPv6 addresses).
+#
+# Shorter happy_eyeballs_connect_timeout values reduce master
+# transaction response time, potentially improving user-perceived
+# response times (i.e., making user eyeballs happier). Longer delays
+# reduce both concurrent connection level and server bombardment with
+# connection requests, potentially improving overall Squid performance
+# and reducing the chance of being blocked by servers for opening too
+# many unused connections.
+#
+# RFC 8305 prohibits happy_eyeballs_connect_timeout values smaller than
+# 10 (milliseconds) to "avoid congestion collapse in the presence of
+# high packet-loss rates".
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_gap and
+# happy_eyeballs_connect_limit.
+#Default:
+# happy_eyeballs_connect_timeout 250
+
+# TAG: happy_eyeballs_connect_gap (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# minimum delay between opening spare to-server connections (to any
+# server; i.e. across all concurrent master transactions in a Squid
+# instance). Each SMP worker currently multiplies the configured gap
+# by the total number of workers so that the combined spare connection
+# opening rate of a Squid instance obeys the configured limit. The
+# workers do not coordinate connection openings yet; a micro burst
+# of spare connection openings may violate the configured gap.
+#
+# This directive has similar trade-offs as
+# happy_eyeballs_connect_timeout, but its focus is on limiting traffic
+# amplification effects for Squid as a whole, while
+# happy_eyeballs_connect_timeout works on an individual master
+# transaction level.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_limit. See the former for related terminology.
+#Default:
+# no artificial delays between spare attempts
+
+# TAG: happy_eyeballs_connect_limit
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# maximum number of spare to-server connections (to any server; i.e.
+# across all concurrent master transactions in a Squid instance).
+# Each SMP worker gets an equal share of the total limit. However,
+# the workers do not share the actual connection counts yet, so one
+# (busier) worker cannot "borrow" spare connection slots from another
+# (less loaded) worker.
+#
+# Setting this limit to zero disables concurrent use of primary and
+# spare TCP connections: Spare connection attempts are made only after
+# all primary attempts fail. However, Squid would still use the
+# DNS-related optimizations of the Happy Eyeballs approach.
+#
+# This directive has similar trade-offs as happy_eyeballs_connect_gap,
+# but its focus is on limiting Squid overheads, while
+# happy_eyeballs_connect_gap focuses on the origin server and peer
+# overheads.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_gap. See the former for related terminology.
+#Default:
+# no artificial limit on the number of concurrent spare attempts
+
diff --git a/siotp/sisr1/tp06/files_admin/squid_v2.conf b/siotp/sisr1/tp06/files_admin/squid_v2.conf
new file mode 100644
index 0000000..4566ebc
--- /dev/null
+++ b/siotp/sisr1/tp06/files_admin/squid_v2.conf
@@ -0,0 +1,9158 @@
+# WELCOME TO SQUID 5.7
+# ----------------------------
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
+#
+
+# Configuration options can be included using the "include" directive.
+# Include takes a list of files to include. Quoting and wildcards are
+# supported.
+#
+# For example,
+#
+# include /path/to/included/file/squid.acl.config
+#
+# Includes can be nested up to a hard-coded depth of 16 levels.
+# This arbitrary restriction is to prevent recursive include references
+# from causing Squid entering an infinite loop whilst trying to load
+# configuration files.
+#
+# Values with byte units
+#
+# Squid accepts size units on some size related directives. All
+# such directives are documented with a default value displaying
+# a unit.
+#
+# Units accepted by Squid are:
+# bytes - byte
+# KB - Kilobyte (1024 bytes)
+# MB - Megabyte
+# GB - Gigabyte
+#
+# Values with time units
+#
+# Time-related directives marked with either "time-units" or
+# "time-units-small" accept a time unit. The supported time units are:
+#
+# nanosecond (time-units-small only)
+# microsecond (time-units-small only)
+# millisecond
+# second
+# minute
+# hour
+# day
+# week
+# fortnight
+# month - 30 days
+# year - 31557790080 milliseconds (just over 365 days)
+# decade
+#
+# Values with spaces, quotes, and other special characters
+#
+# Squid supports directive parameters with spaces, quotes, and other
+# special characters. Surround such parameters with "double quotes". Use
+# the configuration_includes_quoted_values directive to enable or
+# disable that support.
+#
+# Squid supports reading configuration option parameters from external
+# files using the syntax:
+# parameters("/path/filename")
+# For example:
+# acl allowlist dstdomain parameters("/etc/squid/allowlist.txt")
+#
+# Conditional configuration
+#
+# If-statements can be used to make configuration directives
+# depend on conditions:
+#
+# if
+# ... regular configuration directives ...
+# [else
+# ... regular configuration directives ...]
+# endif
+#
+# The else part is optional. The keywords "if", "else", and "endif"
+# must be typed on their own lines, as if they were regular
+# configuration directives.
+#
+# NOTE: An else-if condition is not supported.
+#
+# These individual conditions types are supported:
+#
+# true
+# Always evaluates to true.
+# false
+# Always evaluates to false.
+# =
+# Equality comparison of two integer numbers.
+#
+#
+# SMP-Related Macros
+#
+# The following SMP-related preprocessor macros can be used.
+#
+# ${process_name} expands to the current Squid process "name"
+# (e.g., squid1, squid2, or cache1).
+#
+# ${process_number} expands to the current Squid process
+# identifier, which is an integer number (e.g., 1, 2, 3) unique
+# across all Squid processes of the current service instance.
+#
+# ${service_name} expands into the current Squid service instance
+# name identifier which is provided by -n on the command line.
+#
+# Logformat Macros
+#
+# Logformat macros can be used in many places outside of the logformat
+# directive. In theory, all of the logformat codes can be used as %macros,
+# where they are supported. In practice, a %macro expands as a dash (-) when
+# the transaction does not yet have enough information and a value is needed.
+#
+# There is no definitive list of what tokens are available at the various
+# stages of the transaction.
+#
+# And some information may already be available to Squid but not yet
+# committed where the macro expansion code can access it (report
+# such instances!). The macro will be expanded into a single dash
+# ('-') in such cases. Not all macros have been tested.
+#
+
+# TAG: broken_vary_encoding
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_vary
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: error_map
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: external_refresh_check
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: location_rewrite_program
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: refresh_stale_hit
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: dns_v4_first
+# Remove this line. Squid no longer supports preferential treatment of DNS A records.
+#Default:
+# none
+
+# TAG: cache_peer_domain
+# Replace with dstdomain ACLs and cache_peer_access.
+#Default:
+# none
+
+# TAG: ie_refresh
+# Remove this line. The behaviour enabled by this is no longer needed.
+#Default:
+# none
+
+# TAG: sslproxy_cafile
+# Remove this line. Use tls_outgoing_options cafile= instead.
+#Default:
+# none
+
+# TAG: sslproxy_capath
+# Remove this line. Use tls_outgoing_options capath= instead.
+#Default:
+# none
+
+# TAG: sslproxy_cipher
+# Remove this line. Use tls_outgoing_options cipher= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_certificate
+# Remove this line. Use tls_outgoing_options cert= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_key
+# Remove this line. Use tls_outgoing_options key= instead.
+#Default:
+# none
+
+# TAG: sslproxy_flags
+# Remove this line. Use tls_outgoing_options flags= instead.
+#Default:
+# none
+
+# TAG: sslproxy_options
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: sslproxy_version
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: hierarchy_stoplist
+# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
+#Default:
+# none
+
+# TAG: log_access
+# Remove this line. Use acls with access_log directives to control access logging
+#Default:
+# none
+
+# TAG: log_icap
+# Remove this line. Use acls with icap_log directives to control icap logging
+#Default:
+# none
+
+# TAG: ignore_ims_on_miss
+# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
+#Default:
+# none
+
+# TAG: balance_on_multiple_ip
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
+#Default:
+# none
+
+# TAG: chunked_request_body_max_size
+# Remove this line. Squid is now HTTP/1.1 compliant.
+#Default:
+# none
+
+# TAG: dns_v4_fallback
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+#Default:
+# none
+
+# TAG: emulate_httpd_log
+# Replace this with an access_log directive using the format 'common' or 'combined'.
+#Default:
+# none
+
+# TAG: forward_log
+# Use a regular access.log with ACL limiting it to MISS events.
+#Default:
+# none
+
+# TAG: ftp_list_width
+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
+#Default:
+# none
+
+# TAG: ignore_expect_100
+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
+#Default:
+# none
+
+# TAG: log_fqdn
+# Remove this option from your config. To log FQDN use %>A in the log format.
+#Default:
+# none
+
+# TAG: log_ip_on_direct
+# Remove this option from your config. To log server or peer names use %
+##auth_param negotiate children 20 startup=0 idle=1
+##
+##auth_param digest program
+##auth_param digest children 20 startup=0 idle=1
+##auth_param digest realm Squid proxy-caching web server
+##auth_param digest nonce_garbage_interval 5 minutes
+##auth_param digest nonce_max_duration 30 minutes
+##auth_param digest nonce_max_count 50
+##
+##auth_param ntlm program
+##auth_param ntlm children 20 startup=0 idle=1
+##
+##auth_param basic program
+##auth_param basic children 5 startup=5 idle=1
+##auth_param basic credentialsttl 2 hours
+#Default:
+# none
+
+# TAG: authenticate_cache_garbage_interval
+# The time period between garbage collection across the username cache.
+# This is a trade-off between memory utilization (long intervals - say
+# 2 days) and CPU (short intervals - say 1 minute). Only change if you
+# have good reason to.
+#Default:
+# authenticate_cache_garbage_interval 1 hour
+
+# TAG: authenticate_ttl
+# The time a user & their credentials stay in the logged in
+# user cache since their last request. When the garbage
+# interval passes, all user credentials that have passed their
+# TTL are removed from memory.
+#Default:
+# authenticate_ttl 1 hour
+
+# TAG: authenticate_ip_ttl
+# If you use proxy authentication and the 'max_user_ip' ACL,
+# this directive controls how long Squid remembers the IP
+# addresses associated with each user. Use a small value
+# (e.g., 60 seconds) if your users might change addresses
+# quickly, as is the case with dialup. You might be safe
+# using a larger value (e.g., 2 hours) in a corporate LAN
+# environment with relatively static address assignments.
+#Default:
+# authenticate_ip_ttl 1 second
+
+# ACCESS CONTROLS
+# -----------------------------------------------------------------------------
+
+# TAG: external_acl_type
+# This option defines external acl classes using a helper program
+# to look up the status
+#
+# external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
+#
+# Options:
+#
+# ttl=n TTL in seconds for cached results (defaults to 3600
+# for 1 hour)
+#
+# negative_ttl=n
+# TTL for cached negative lookups (default same
+# as ttl)
+#
+# grace=n Percentage remaining of TTL where a refresh of a
+# cached entry should be initiated without needing to
+# wait for a new reply. (default is for no grace period)
+#
+# cache=n The maximum number of entries in the result cache. The
+# default limit is 262144 entries. Each cache entry usually
+# consumes at least 256 bytes. Squid currently does not remove
+# expired cache entries until the limit is reached, so a proxy
+# will sooner or later reach the limit. The expanded FORMAT
+# value is used as the cache key, so if the details in FORMAT
+# are highly variable, a larger cache may be needed to produce
+# reduction in helper load.
+#
+# children-max=n
+# Maximum number of acl helper processes spawned to service
+# external acl lookups of this type. (default 5)
+#
+# children-startup=n
+# Minimum number of acl helper processes to spawn during
+# startup and reconfigure to service external acl lookups
+# of this type. (default 0)
+#
+# children-idle=n
+# Number of acl helper processes to keep ahead of traffic
+# loads. Squid will spawn this many at once whenever load
+# rises above the capabilities of existing processes.
+# Up to the value of children-max. (default 1)
+#
+# concurrency=n concurrency level per process. Only used with helpers
+# capable of processing more than one query at a time.
+#
+# queue-size=N The queue-size option sets the maximum number of
+# queued requests. A request is queued when no existing
+# helper can accept it due to concurrency limit and no
+# new helper can be started due to children-max limit.
+# If the queued requests exceed queue size, the acl is
+# ignored. The default value is set to 2*children-max.
+#
+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+#
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
+#
+#
+# FORMAT is a series of %macro codes. See logformat directive for a full list
+# of the accepted codes. Although note that at the time of any external ACL
+# being tested data may not be available and thus some %macro expand to '-'.
+#
+# In addition to the logformat codes; when processing external ACLs these
+# additional macros are made available:
+#
+# %ACL The name of the ACL being tested.
+#
+# %DATA The ACL arguments specified in the referencing config
+# 'acl ... external' line, separated by spaces (an
+# "argument string"). see acl external.
+#
+# If there are no ACL arguments %DATA expands to '-'.
+#
+# If you do not specify a DATA macro inside FORMAT,
+# Squid automatically appends %DATA to your FORMAT.
+# Note that Squid-3.x may expand %DATA to whitespace
+# or nothing in this case.
+#
+# By default, Squid applies URL-encoding to each ACL
+# argument inside the argument string. If an explicit
+# encoding modifier is used (e.g., %#DATA), then Squid
+# encodes the whole argument string as a single token
+# (e.g., with %#DATA, spaces between arguments become
+# %20).
+#
+# If SSL is enabled, the following formating codes become available:
+#
+# %USER_CERT SSL User certificate in PEM format
+# %USER_CERTCHAIN SSL User certificate chain in PEM format
+# %USER_CERT_xx SSL User certificate subject attribute xx
+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
+#
+#
+# NOTE: all other format codes accepted by older Squid versions
+# are deprecated.
+#
+#
+# General request syntax:
+#
+# [channel-ID] FORMAT-values
+#
+#
+# FORMAT-values consists of transaction details expanded with
+# whitespace separation per the config file FORMAT specification
+# using the FORMAT macros listed above.
+#
+# Request values sent to the helper are URL escaped to protect
+# each value in requests against whitespaces.
+#
+# If using protocol=2.5 then the request sent to the helper is not
+# URL escaped to protect against whitespace.
+#
+# NOTE: protocol=3.0 is deprecated as no longer necessary.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+#
+# The helper receives lines expanded per the above format specification
+# and for each input line returns 1 line starting with OK/ERR/BH result
+# code and optionally followed by additional keywords with more details.
+#
+#
+# General result syntax:
+#
+# [channel-ID] result keyword=value ...
+#
+# Result consists of one of the codes:
+#
+# OK
+# the ACL test produced a match.
+#
+# ERR
+# the ACL test does not produce a match.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# The meaning of 'a match' is determined by your squid.conf
+# access control configuration. See the Squid wiki for details.
+#
+# Defined keywords:
+#
+# user= The users name (login)
+#
+# password= The users password (for login= cache_peer option)
+#
+# message= Message describing the reason for this response.
+# Available as %o in error pages.
+# Useful on (ERR and BH results).
+#
+# tag= Apply a tag to a request. Only sets a tag once,
+# does not alter existing tags.
+#
+# log= String to be logged in access.log. Available as
+# %ea in logformat specifications.
+#
+# clt_conn_tag= Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation
+# for this kv-pair.
+#
+# Any keywords may be sent on any response whether OK, ERR or BH.
+#
+# All response keyword values need to be a single token with URL
+# escaping, or enclosed in double quotes (") and escaped using \ on
+# any double quotes or \ characters within the value. The wrapping
+# double quotes are removed before the value is interpreted by Squid.
+# \r and \n are also replace by CR and LF.
+#
+# Some example key values:
+#
+# user=John%20Smith
+# user="John Smith"
+# user="J. \"Bob\" Smith"
+#Default:
+# none
+
+# TAG: acl
+# Defining an Access List
+#
+# Every access list definition must begin with an aclname and acltype,
+# followed by either type-specific arguments or a quoted filename that
+# they are read from.
+#
+# acl aclname acltype argument ...
+# acl aclname acltype "file" ...
+#
+# When using "file", the file should contain one item per line.
+#
+#
+# ACL Options
+#
+# Some acl types supports options which changes their default behaviour:
+#
+# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
+# case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line
+# without -i.
+#
+# -n Disable lookups and address type conversions. If lookup or
+# conversion is required because the parameter type (IP or
+# domain name) does not match the message address type (domain
+# name or IP), then the ACL would immediately declare a mismatch
+# without any warnings or lookups.
+#
+# -m[=delimiters]
+# Perform a list membership test, interpreting values as
+# comma-separated token lists and matching against individual
+# tokens instead of whole values.
+# The optional "delimiters" parameter specifies one or more
+# alternative non-alphanumeric delimiter characters.
+# non-alphanumeric delimiter characters.
+#
+# -- Used to stop processing all options, in the case the first acl
+# value has '-' character as first character (for example the '-'
+# is a valid domain name)
+#
+# Some acl types require suspending the current request in order
+# to access some external data source.
+# Those which do are marked with the tag [slow], those which
+# don't are marked as [fast].
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
+# for further information
+#
+# ***** ACL TYPES AVAILABLE *****
+#
+# acl aclname src ip-address/mask ... # clients IP address [fast]
+# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
+# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
+#
+#if USE_SQUID_EUI
+# acl aclname arp mac-address ...
+# acl aclname eui64 eui64-address ...
+# # [fast]
+# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
+# #
+# # The 'arp' ACL code is not portable to all operating systems.
+# # It works on Linux, Solaris, Windows, FreeBSD, and some other
+# # BSD variants.
+# #
+# # The eui_lookup directive is required to be 'on' (the default)
+# # and Squid built with --enable-eui for MAC/EUI addresses to be
+# # available for this ACL.
+# #
+# # Squid can only determine the MAC/EUI address for IPv4
+# # clients that are on the same subnet. If the client is on a
+# # different subnet, then Squid cannot find out its address.
+# #
+# # IPv6 protocol does not contain ARP. MAC/EUI is either
+# # encoded directly in the IPv6 address or not available.
+#endif
+# acl aclname clientside_mark mark[/mask] ...
+# # matches CONNMARK of an accepted connection [fast]
+# # DEPRECATED. Use the 'client_connection_mark' instead.
+#
+# acl aclname client_connection_mark mark[/mask] ...
+# # matches CONNMARK of an accepted connection [fast]
+# #
+# # mark and mask are unsigned integers (hex, octal, or decimal).
+# # If multiple marks are given, then the ACL matches if at least
+# # one mark matches.
+# #
+# # Uses netfilter-conntrack library.
+# # Requires building Squid with --enable-linux-netfilter.
+# #
+# # The client, various intermediaries, and Squid itself may set
+# # CONNMARK at various times. The last CONNMARK set wins. This ACL
+# # checks the mark present on an accepted connection or set by
+# # Squid afterwards, depending on the ACL check timing. This ACL
+# # effectively ignores any mark set by other agents after Squid has
+# # accepted the connection.
+#
+# acl aclname srcdomain .foo.com ...
+# # reverse lookup, from client IP [slow]
+# acl aclname dstdomain [-n] .foo.com ...
+# # Destination server from URL [fast]
+# acl aclname srcdom_regex [-i] \.foo\.com ...
+# # regex matching client name [slow]
+# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
+# # regex matching server [fast]
+# #
+# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+# # based URL is used and no match is found. The name "none" is used
+# # if the reverse lookup fails.
+#
+# acl aclname src_as number ...
+# acl aclname dst_as number ...
+# # [fast]
+# # Except for access control, AS numbers can be used for
+# # routing of requests to specific caches. Here's an
+# # example for routing all requests for AS#1241 and only
+# # those to mycache.mydomain.net:
+# # acl asexample dst_as 1241
+# # cache_peer_access mycache.mydomain.net allow asexample
+# # cache_peer_access mycache_mydomain.net deny all
+#
+# acl aclname peername myPeer ...
+# acl aclname peername_regex [-i] regex-pattern ...
+# # [fast]
+# # match against a named cache_peer entry
+# # set unique name= on cache_peer lines for reliable use.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# # [fast]
+# # day-abbrevs:
+# # S - Sunday
+# # M - Monday
+# # T - Tuesday
+# # W - Wednesday
+# # H - Thursday
+# # F - Friday
+# # A - Saturday
+# # h1:m1 must be less than h2:m2
+#
+# acl aclname url_regex [-i] ^http:// ...
+# # regex matching on whole URL [fast]
+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+# # regex matching on URL login field
+# acl aclname urlpath_regex [-i] \.gif$ ...
+# # regex matching on URL path [fast]
+#
+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
+# # ranges are alloed
+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
+# # NP: for interception mode this is usually '80'
+#
+# acl aclname myportname 3128 ... # *_port name [fast]
+#
+# acl aclname proto HTTP FTP ... # request protocol [fast]
+#
+# acl aclname method GET POST ... # HTTP request method [fast]
+#
+# acl aclname http_status 200 301 500- 400-403 ...
+# # status code in reply [fast]
+#
+# acl aclname browser [-i] regexp ...
+# # pattern match on User-Agent header (see also req_header below) [fast]
+#
+# acl aclname referer_regex [-i] regexp ...
+# # pattern match on Referer header [fast]
+# # Referer is highly unreliable, so use with care
+#
+# acl aclname ident [-i] username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output [slow]
+# # use REQUIRED to accept any non-null ident.
+#
+# acl aclname proxy_auth [-i] username ...
+# acl aclname proxy_auth_regex [-i] pattern ...
+# # perform http authentication challenge to the client and match against
+# # supplied credentials [slow]
+# #
+# # takes a list of allowed usernames.
+# # use REQUIRED to accept any valid username.
+# #
+# # Will use proxy authentication in forward-proxy scenarios, and plain
+# # http authenticaiton in reverse-proxy scenarios
+# #
+# # NOTE: when a Proxy-Authentication header is sent but it is not
+# # needed during ACL checking the username is NOT logged
+# # in access.log.
+# #
+# # NOTE: proxy_auth requires a EXTERNAL authentication program
+# # to check username/password combinations (see
+# # auth_param directive).
+# #
+# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
+# # as the browser needs to be configured for using a proxy in order
+# # to respond to proxy authentication.
+#
+# acl aclname snmp_community string ...
+# # A community string to limit access to your SNMP Agent [fast]
+# # Example:
+# #
+# # acl snmppublic snmp_community public
+#
+# acl aclname maxconn number
+# # This will be matched when the client's IP address has
+# # more than TCP connections established. [fast]
+# # NOTE: This only measures direct TCP links so X-Forwarded-For
+# # indirect clients are not counted.
+#
+# acl aclname max_user_ip [-s] number
+# # This will be matched when the user attempts to log in from more
+# # than different ip addresses. The authenticate_ip_ttl
+# # parameter controls the timeout on the ip entries. [fast]
+# # If -s is specified the limit is strict, denying browsing
+# # from any further IP addresses until the ttl has expired. Without
+# # -s Squid will just annoy the user by "randomly" denying requests.
+# # (the counter is reset each time the limit is reached and a
+# # request is denied)
+# # NOTE: in acceleration mode or where there is mesh of child proxies,
+# # clients may appear to come from multiple addresses if they are
+# # going through proxy farms, so a limit of 1 may cause user problems.
+#
+# acl aclname random probability
+# # Pseudo-randomly match requests. Based on the probability given.
+# # Probability may be written as a decimal (0.333), fraction (1/3)
+# # or ratio of matches:non-matches (3:5).
+#
+# acl aclname req_mime_type [-i] mime-type ...
+# # regex match against the mime type of the request generated
+# # by the client. Can be used to detect file upload or some
+# # types HTTP tunneling requests [fast]
+# # NOTE: This does NOT match the reply. You cannot use this
+# # to match the returned file type.
+#
+# acl aclname req_header header-name [-i] any\.regex\.here
+# # regex match against any of the known request headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACL [fast]
+#
+# acl aclname rep_mime_type [-i] mime-type ...
+# # regex match against the mime type of the reply received by
+# # squid. Can be used to detect file download or some
+# # types HTTP tunneling requests. [fast]
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname rep_header header-name [-i] any\.regex\.here
+# # regex match against any of the known reply headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACLs [fast]
+#
+# acl aclname external class_name [arguments...]
+# # external ACL lookup via a helper class defined by the
+# # external_acl_type directive [slow]
+#
+# acl aclname user_cert attribute values...
+# # match against attributes in a user SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ca_cert attribute values...
+# # match against attributes a users issuing CA SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ext_user [-i] username ...
+# acl aclname ext_user_regex [-i] pattern ...
+# # string match on username returned by external acl helper [slow]
+# # use REQUIRED to accept any non-null user name.
+#
+# acl aclname tag tagvalue ...
+# # string match on tag returned by external acl helper [fast]
+# # DEPRECATED. Only the first tag will match with this ACL.
+# # Use the 'note' ACL instead for handling multiple tag values.
+#
+# acl aclname hier_code codename ...
+# # string match against squid hierarchy code(s); [fast]
+# # e.g., DIRECT, PARENT_HIT, NONE, etc.
+# #
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname note [-m[=delimiters]] name [value ...]
+# # match transaction annotation [fast]
+# # Without values, matches any annotation with a given name.
+# # With value(s), matches any annotation with a given name that
+# # also has one of the given values.
+# # If the -m flag is used, then the value of the named
+# # annotation is interpreted as a list of tokens, and the ACL
+# # matches individual name=token pairs rather than whole
+# # name=value pairs. See "ACL Options" above for more info.
+# # Annotation sources include note and adaptation_meta directives
+# # as well as helper and eCAP responses.
+#
+# acl aclname annotate_transaction [-m[=delimiters]] key=value ...
+# acl aclname annotate_transaction [-m[=delimiters]] key+=value ...
+# # Always matches. [fast]
+# # Used for its side effect: This ACL immediately adds a
+# # key=value annotation to the current master transaction.
+# # The added annotation can then be tested using note ACL and
+# # logged (or sent to helpers) using %note format code.
+# #
+# # Annotations can be specified using replacement and addition
+# # formats. The key=value form replaces old same-key annotation
+# # value(s). The key+=value form appends a new value to the old
+# # same-key annotation. Both forms create a new key=value
+# # annotation if no same-key annotation exists already. If
+# # -m flag is used, then the value is interpreted as a list
+# # and the annotation will contain key=token pair(s) instead of the
+# # whole key=value pair.
+# #
+# # This ACL is especially useful for recording complex multi-step
+# # ACL-driven decisions. For example, the following configuration
+# # avoids logging transactions accepted after aclX matched:
+# #
+# # # First, mark transactions accepted after aclX matched
+# # acl markSpecial annotate_transaction special=true
+# # http_access allow acl001
+# # ...
+# # http_access deny acl100
+# # http_access allow aclX markSpecial
+# #
+# # # Second, do not log marked transactions:
+# # acl markedSpecial note special true
+# # access_log ... deny markedSpecial
+# #
+# # # Note that the following would not have worked because aclX
+# # # alone does not determine whether the transaction was allowed:
+# # access_log ... deny aclX # Wrong!
+# #
+# # Warning: This ACL annotates the transaction even when negated
+# # and even if subsequent ACLs fail to match. For example, the
+# # following three rules will have exactly the same effect as far
+# # as annotations set by the "mark" ACL are concerned:
+# #
+# # some_directive acl1 ... mark # rule matches if mark is reached
+# # some_directive acl1 ... !mark # rule never matches
+# # some_directive acl1 ... mark !all # rule never matches
+#
+# acl aclname annotate_client [-m[=delimiters]] key=value ...
+# acl aclname annotate_client [-m[=delimiters]] key+=value ...
+# #
+# # Always matches. [fast]
+# # Used for its side effect: This ACL immediately adds a
+# # key=value annotation to the current client-to-Squid
+# # connection. Connection annotations are propagated to the current
+# # and all future master transactions on the annotated connection.
+# # See the annotate_transaction ACL for details.
+# #
+# # For example, the following configuration avoids rewriting URLs
+# # of transactions bumped by SslBump:
+# #
+# # # First, mark bumped connections:
+# # acl markBumped annotate_client bumped=true
+# # ssl_bump peek acl1
+# # ssl_bump stare acl2
+# # ssl_bump bump acl3 markBumped
+# # ssl_bump splice all
+# #
+# # # Second, do not send marked transactions to the redirector:
+# # acl markedBumped note bumped true
+# # url_rewrite_access deny markedBumped
+# #
+# # # Note that the following would not have worked because acl3 alone
+# # # does not determine whether the connection is going to be bumped:
+# # url_rewrite_access deny acl3 # Wrong!
+#
+# acl aclname adaptation_service service ...
+# # Matches the name of any icap_service, ecap_service,
+# # adaptation_service_set, or adaptation_service_chain that Squid
+# # has used (or attempted to use) for the master transaction.
+# # This ACL must be defined after the corresponding adaptation
+# # service is named in squid.conf. This ACL is usable with
+# # adaptation_meta because it starts matching immediately after
+# # the service has been selected for adaptation.
+#
+# acl aclname transaction_initiator initiator ...
+# # Matches transaction's initiator [fast]
+# #
+# # Supported initiators are:
+# # esi: matches transactions fetching ESI resources
+# # certificate-fetching: matches transactions fetching
+# # a missing intermediate TLS certificate
+# # cache-digest: matches transactions fetching Cache Digests
+# # from a cache_peer
+# # htcp: matches HTCP requests from peers
+# # icp: matches ICP requests to peers
+# # icmp: matches ICMP RTT database (NetDB) requests to peers
+# # asn: matches asns db requests
+# # internal: matches any of the above
+# # client: matches transactions containing an HTTP or FTP
+# # client request received at a Squid *_port
+# # all: matches any transaction, including internal transactions
+# # without a configurable initiator and hopefully rare
+# # transactions without a known-to-Squid initiator
+# #
+# # Multiple initiators are ORed.
+#
+# acl aclname has component
+# # matches a transaction "component" [fast]
+# #
+# # Supported transaction components are:
+# # request: transaction has a request header (at least)
+# # response: transaction has a response header (at least)
+# # ALE: transaction has an internally-generated Access Log Entry
+# # structure; bugs notwithstanding, all transaction have it
+# #
+# # For example, the following configuration helps when dealing with HTTP
+# # clients that close connections without sending a request header:
+# #
+# # acl hasRequest has request
+# # acl logMe note important_transaction
+# # # avoid "logMe ACL is used in context without an HTTP request" warnings
+# # access_log ... logformat=detailed hasRequest logMe
+# # # log request-less transactions, instead of ignoring them
+# # access_log ... logformat=brief !hasRequest
+# #
+# # Multiple components are not supported for one "acl" rule, but
+# # can be specified (and are ORed) using multiple same-name rules:
+# #
+# # # OK, this strange logging daemon needs request or response,
+# # # but can work without either a request or a response:
+# # acl hasWhatMyLoggingDaemonNeeds has request
+# # acl hasWhatMyLoggingDaemonNeeds has response
+#
+#acl aclname at_step step
+# # match against the current request processing step [fast]
+# # Valid steps are:
+# # GeneratingCONNECT: Generating HTTP CONNECT request headers
+#
+# acl aclname any-of acl1 acl2 ...
+# # match any one of the acls [fast or slow]
+# # The first matching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple any-of lines with the same name are ORed.
+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
+# # acl A any-of a1 a2
+# # acl A any-of a3 a4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# acl aclname all-of acl1 acl2 ...
+# # match all of the acls [fast or slow]
+# # The first mismatching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple all-of lines with the same name are ORed.
+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
+# # acl B all-of b1 b2
+# # acl B all-of b3 b4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# Examples:
+# acl macaddress arp 09:00:2b:23:45:67
+# acl myexample dst_as 1241
+# acl password proxy_auth REQUIRED
+# acl fileupload req_mime_type -i ^multipart/form-data$
+# acl javascript rep_mime_type -i ^application/x-javascript$
+#
+#Default:
+# ACLs all, manager, localhost, to_localhost, and CONNECT are predefined.
+#
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+# TAG: proxy_protocol_access
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address using PROXY protocol.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# This directive is solely for validating new PROXY protocol
+# connections received from a port flagged with require-proxy-header.
+# It is checked only once after TCP connection setup.
+#
+# A deny match results in TCP connection closure.
+#
+# An allow match is required for Squid to permit the corresponding
+# TCP connection, before Squid even looks for HTTP request headers.
+# If there is an allow match, Squid starts using PROXY header information
+# to determine the source address of the connection for all future ACL
+# checks, logging, etc.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# all TCP connections to ports with require-proxy-header will be denied
+
+# TAG: follow_x_forwarded_for
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# PROXY protocol connections are controlled by the proxy_protocol_access
+# directive which is checked before this.
+#
+# If a request reaches us from a source that is allowed by this
+# directive, then we trust the information it provides regarding
+# the IP of the client it received from (if any).
+#
+# For the purpose of ACLs used in this directive the src ACL type always
+# matches the address we are testing and srcdomain matches its rDNS.
+#
+# On each HTTP request Squid checks for X-Forwarded-For header fields.
+# If found the header values are iterated in reverse order and an allow
+# match is required for Squid to continue on to the next value.
+# The verification ends when a value receives a deny match, cannot be
+# tested, or there are no more values to test.
+# NOTE: Squid does not yet follow the Forwarded HTTP header.
+#
+# The end result of this process is an IP address that we will
+# refer to as the indirect client address. This address may
+# be treated as the client address for access control, ICAP, delay
+# pools and logging, depending on the acl_uses_indirect_client,
+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
+# log_uses_indirect_client and tproxy_uses_indirect_client options.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# For example:
+#
+# acl localhost src 127.0.0.1
+# acl my_other_proxy srcdomain .proxy.example.com
+# follow_x_forwarded_for allow localhost
+# follow_x_forwarded_for allow my_other_proxy
+#Default:
+# X-Forwarded-For header will be ignored.
+
+# TAG: acl_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in acl matching.
+#
+# NOTE: maxconn ACL considers direct TCP links and indirect
+# clients will always have zero. So no match.
+#Default:
+# acl_uses_indirect_client on
+
+# TAG: delay_pool_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in delay pools.
+#Default:
+# delay_pool_uses_indirect_client on
+
+# TAG: log_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in the access log.
+#Default:
+# log_uses_indirect_client on
+
+# TAG: tproxy_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address when spoofing the outgoing client.
+#
+# This has no effect on requests arriving in non-tproxy
+# mode ports.
+#
+# SECURITY WARNING: Usage of this option is dangerous
+# and should not be used trivially. Correct configuration
+# of follow_x_forwarded_for with a limited set of trusted
+# sources is required to prevent abuse of your proxy.
+#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + +# TAG: http_access +# Allowing or Denying access based on defined access lists +# +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: +# http_access allow|deny [!]aclname ... +# +# NOTE on default values: +# +# If there are no "access" lines present, the default is to deny +# the request. +# +# If none of the "access" lines cause a match, the default is the +# opposite of the last line in the list. If the last line was +# deny, the default is allow. Conversely, if the last line +# is allow, the default will be deny. For these reasons, it is a +# good idea to have an "deny all" entry at the end of your access +# lists to avoid potential confusion. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Default: +# Deny, unless rules exist in squid.conf. 
+# + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + + +# MES ACL +acl localnet src 172.16.0.0/24 +acl mots_cles url_regex -i tf1 c8 m6 francetv oqee france3 canal chine japon france allemagne corse inde irlande afrique mali somalie iran irak italie angleterre royaume +acl urls_interdit url_regex youtube.com facebook.com reddit.com discord.com + +http_access deny localnet mots_cles +http_access deny localnet urls_interdit +http_access allow localnet + + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# +include /etc/squid/conf.d/*.conf + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +#http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# TAG: adapted_http_access +# Allowing or Denying access based on defined access lists +# +# Essentially identical to http_access, but runs after redirectors +# and ICAP/eCAP adaptation. Allowing access control based on their +# output. +# +# If not set then only http_access is used. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: http_reply_access +# Allow replies to client requests. This is complementary to http_access. +# +# http_reply_access allow|deny [!] aclname ... +# +# NOTE: if there are no access lines present, the default is to allow +# all replies. 
+# +# If none of the access lines cause a match the opposite of the +# last line will apply. Thus it is good practice to end the rules +# with an "allow all" or "deny all" entry. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: icp_access +# Allowing or Denying access to the ICP port based on defined +# access lists +# +# icp_access allow|deny [!]aclname ... +# +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow ICP queries from local networks only +##icp_access allow localnet +##icp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_access +# Allowing or Denying access to the HTCP port based on defined +# access lists +# +# htcp_access allow|deny [!]aclname ... +# +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. +# +# NOTE: The default if no htcp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using the htcp option. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP queries from local networks only +##htcp_access allow localnet +##htcp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_clr_access +# Allowing or Denying access to purge content using HTCP based +# on defined access lists. +# See htcp_access for details on general HTCP access control. +# +# htcp_clr_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+# +## Allow HTCP CLR requests from trusted peers +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 +#htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: miss_access +# Determines whether network access is permitted when satisfying a request. +# +# For example; +# to force your neighbors to use you as a sibling instead of +# a parent. +# +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 +# miss_access deny !localclients +# miss_access allow all +# +# This means only your local clients are allowed to fetch relayed/MISS +# replies from the network and all other clients can only fetch cached +# objects (HITs). +# +# The default for this setting allows all clients who passed the +# http_access rules to relay via this proxy. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: ident_lookup_access +# A list of ACL elements which, if matched, cause an ident +# (RFC 931) lookup to be performed for this request. For +# example, you might choose to always perform ident lookups +# for your main multi-user Unix boxes, but not for your Macs +# and PCs. By default, ident lookups are not performed for +# any requests. +# +# To enable ident lookups for specific client addresses, you +# can follow this example: +# +# acl ident_aware_hosts src 198.168.1.0/24 +# ident_lookup_access allow ident_aware_hosts +# ident_lookup_access deny all +# +# Only src type ACL checks are fully supported. A srcdomain +# ACL might work at times, but it will not always provide +# the correct result. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Unless rules exist in squid.conf, IDENT is not fetched. + +# TAG: reply_body_max_size size [acl acl...] +# This option specifies the maximum size of a reply body. 
It can be +# used to prevent users from downloading very large files, such as +# MP3's and movies. When the reply headers are received, the +# reply_body_max_size lines are processed, and the first line where +# all (if any) listed ACLs are true is used as the maximum body size +# for this reply. +# +# This size is checked twice. First when we get the reply headers, +# we check the content-length value. If the content length value exists +# and is larger than the allowed size, the request is denied and the +# user receives an error message that says "the request or reply +# is too large." If there is no content-length, and the reply +# size exceeds this limit, the client's connection is just closed +# and they will receive a partial reply. +# +# WARNING: downstream caches probably can not detect a partial reply +# if there is no content-length header, so they will cache +# partial responses and give them out as hits. You should NOT +# use this option if you have downstream caches. +# +# WARNING: A maximum size smaller than the size of squid's error messages +# will cause an infinite loop and crash squid. Ensure that the smallest +# non-zero value you use is greater that the maximum header size plus +# the size of your largest error page. +# +# If you set this parameter none (the default), there will be +# no limit imposed. +# +# Configuration Format is: +# reply_body_max_size SIZE UNITS [acl ...] +# ie. +# reply_body_max_size 10 MB +# +#Default: +# No limit is applied. + +# TAG: on_unsupported_protocol +# Determines Squid behavior when encountering strange requests at the +# beginning of an accepted TCP connection or the beginning of a bumped +# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is +# especially useful in interception environments where Squid is likely +# to see connections for unsupported protocols that Squid should either +# terminate or tunnel at TCP level. +# +# on_unsupported_protocol [!]acl ... 
+# +# The first matching action wins. Only fast ACLs are supported. +# +# Supported actions are: +# +# tunnel: Establish a TCP connection with the intended server and +# blindly shovel TCP packets between the client and server. +# +# respond: Respond with an error message, using the transfer protocol +# for the Squid port that received the request (e.g., HTTP +# for connections intercepted at the http_port). This is the +# default. +# +# Squid expects the following traffic patterns: +# +# http_port: a plain HTTP request +# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request +# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!) +# CONNECT tunnel on http_port: same as https_port +# CONNECT tunnel on https_port: same as https_port +# +# Currently, this directive has effect on intercepted connections and +# bumped tunnels only. Other cases are not supported because Squid +# cannot know the intended destination of other traffic. +# +# For example: +# # define what Squid errors indicate receiving non-HTTP traffic: +# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG +# # define what Squid errors indicate receiving nothing: +# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT +# # tunnel everything that does not look like HTTP: +# on_unsupported_protocol tunnel foreignProtocol +# # tunnel if we think the client waits for the server to talk first: +# on_unsupported_protocol tunnel serverTalksFirstProtocol +# # in all other error cases, just send an HTTP "error page" response: +# on_unsupported_protocol respond all +# +# See also: squid_error ACL +#Default: +# Respond with an error message to unidentifiable traffic + +# TAG: auth_schemes +# Use this directive to customize authentication schemes presence and +# order in Squid's Unauthorized and Authentication Required responses. +# +# auth_schemes scheme1,scheme2,... [!]aclname ... 
+# +# where schemeN is the name of one of the authentication schemes +# configured using auth_param directives. At least one scheme name is +# required. Multiple scheme names are separated by commas. Either +# avoid whitespace or quote the entire schemes list. +# +# A special "ALL" scheme name expands to all auth_param-configured +# schemes in their configuration order. This directive cannot be used +# to configure Squid to offer no authentication schemes at all. +# +# The first matching auth_schemes rule determines the schemes order +# for the current Authentication Required transaction. Note that the +# future response is not yet available during auth_schemes evaluation. +# +# If this directive is not used or none of its rules match, then Squid +# responds with all configured authentication schemes in the order of +# auth_param directives in the configuration file. +# +# This directive does not determine when authentication is used or +# how each authentication scheme authenticates clients. +# +# The following example sends basic and negotiate authentication +# schemes, in that order, when requesting authentication of HTTP +# requests matching the isIE ACL (not shown) while sending all +# auth_param schemes in their configuration order to other clients: +# +# auth_schemes basic,negotiate isIE +# auth_schemes ALL all # explicit default +# +# This directive supports fast ACLs only. +# +# See also: auth_param. +#Default: +# use all auth_param schemes in their configuration order + +# NETWORK OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: http_port +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] +# +# The socket addresses where Squid will listen for HTTP client +# requests. You may specify multiple socket addresses. +# There are three forms: port alone, hostname with port, and +# IP address with port. 
If you specify a hostname or IP +# address, Squid binds the socket to that specific +# address. Most likely, you do not need to bind to a specific +# address, so you can use the port number alone. +# +# If you are running Squid in accelerator mode, you +# probably want to listen on port 80 also, or instead. +# +# The -a command line option may be used to specify additional +# port(s) where Squid listens for proxy request. Such ports will +# be plain proxy ports with no options. +# +# You may specify multiple socket addresses on multiple lines. +# +# Modes: +# +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. +# +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. +# +# accel Accelerator / reverse proxy mode +# +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. +# +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 +# +# vport Virtual host port support. 
Using the http_port number +# instead of the port passed on Host: headers. +# +# vport=NN Virtual host port support. Using the specified port +# number instead of the port passed on Host: headers. +# +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. +# +# ignore-cc Ignore request Cache-Control headers. +# +# WARNING: This option violates HTTP specifications if +# used in non-accelerator setups. +# +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when ssl-bump is used. +# See the ssl-bump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# TLS / SSL Options: +# +# tls-cert= Path to file containing an X.509 certificate (PEM format) +# to be used in the TLS handshake ServerHello. 
+# +# If this certificate is constrained by KeyUsage TLS +# feature it must allow HTTP server usage, along with +# any additional restrictions imposed by your choice +# of options= settings. +# +# When OpenSSL is used this file may also contain a +# chain of intermediate CA certificates to send in the +# TLS handshake. +# +# When GnuTLS is used this option (and any paired +# tls-key= option) may be repeated to load multiple +# certificates for different domains. +# +# Also, when generate-host-certificates=on is configured +# the first tls-cert= option must be a CA certificate +# capable of signing the automatically generated +# certificates. +# +# tls-key= Path to a file containing private key file (PEM format) +# for the previous tls-cert= option. +# +# If tls-key= is not specified tls-cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# NO_TLSv1 Disallow the use of TLSv1.0 +# +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. 
+# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# client certificates. If not configured clientca will be +# used. May be repeated to load multiple files. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# Requires OpenSSL or LibreSSL. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# CONDITIONAL_AUTH +# Request a client certificate during the TLS +# handshake, but ignore certificate absence in +# the TLS client Hello. If the client does +# supply a certificate, it is validated. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is OFF. +# +# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. 
+# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# +# connection-auth[=on|off] +# use connection-auth=off to tell Squid to prevent +# forwarding Microsoft connection oriented authentication +# (NTLM, Negotiate and Kerberos) +# +# disable-pmtu-discovery= +# Control Path-MTU discovery usage: +# off lets OS decide on what to do (default). +# transparent disable PMTU discovery when transparent +# support is enabled. +# always disable always PMTU discovery. +# +# In many setups of transparently intercepting proxies +# Path-MTU discovery can not work on traffic towards the +# clients. This is the case when the intercepting device +# does not fully track connections and fails to forward +# ICMP must fragment messages to the cache server. If you +# have such setup and experience that certain clients +# sporadically hang or never complete requests set +# disable-pmtu-discovery option to 'transparent'. +# +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) +# +# tcpkeepalive[=idle,interval,timeout] +# Enable TCP keepalive probes of idle connections. +# In seconds; idle is the initial time before TCP starts +# probing the connection, interval how often to probe, and +# timeout the time before giving up. +# +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to permit +# downstream proxies which can be trusted. +# +# worker-queues +# Ask TCP stack to maintain a dedicated listening queue +# for each worker accepting requests at this port. +# Requires TCP stack that supports the SO_REUSEPORT socket +# option. +# +# SECURITY WARNING: Enabling worker-specific queues +# allows any process running as Squid's effective user to +# easily accept requests destined to this port. +# +# If you run Squid on a dual-homed machine with an internal +# and an external interface we recommend you to specify the +# internal address:port in http_port. 
This way Squid will only be +# visible on the internal address. +# +# + +# Squid normally listens to port 3128 +http_port 8080 + +# TAG: https_port +# Usage: [ip:]port [mode] tls-cert=certificate.pem [options] +# +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. +# +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the TLS work at the accelerator +# level. +# +# You may specify multiple socket addresses on multiple lines, +# each with their own certificate and/or options. +# +# The tls-cert= option is mandatory on HTTPS ports. +# +# See http_port for a list of modes and options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. +# +# Usage: ftp_port address [mode] [options] +# +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). +# +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. 
For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. +#Default: +# none + +# TAG: tcp_outgoing_tos +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. +# +# tcp_outgoing_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_tos 0x00 normal_service_net +# tcp_outgoing_tos 0x20 good_service_net +# +# TOS/DSCP values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. 
+# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_tos +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... 
+# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: mark_client_packet +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter MARK value to packets being transmitted +# on the client-side, based on an ACL. +# +# mark_client_packet mark-value [!]aclname ... +# +# Example where normal_service_net uses the MARK value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# mark_client_packet 0x00 normal_service_net +# mark_client_packet 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: mark_client_connection +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter CONNMARK value to a connection +# on the client-side, based on an ACL. +# +# mark_client_connection mark-value[/mask] [!]aclname ... +# +# The mark-value and mask are unsigned integers (hex, octal, or decimal). +# The mask may be used to preserve marking previously set by other agents +# (e.g., iptables). +# +# A matching rule replaces the CONNMARK value. If a mask is also +# specified, then the masked bits of the original value are zeroed, and +# the configured mark-value is ORed with that adjusted value. +# For example, applying a mark-value 0xAB/0xF to 0x5F CONNMARK, results +# in a 0xFB marking (rather than a 0xAB or 0x5B). 
+# +# This directive semantics is similar to iptables --set-mark rather than +# --set-xmark functionality. +# +# The directive does not interfere with qos_flows (which uses packet MARKs, +# not CONNMARKs). +# +# Example where squid marks intercepted FTP connections: +# +# acl proto_ftp proto FTP +# mark_client_connection 0x200/0xff00 proto_ftp +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: qos_flows +# Allows you to select a TOS/DSCP value to mark outgoing +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. +# +# TOS values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values +# +# local-hit=0xFF Value to mark local cache hits. +# +# sibling-hit=0xFF Value to mark hits from sibling peers. 
+#
+# parent-hit=0xFF Value to mark hits from parent peers.
+#
+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
+# over the preserve-miss feature (see below), unless
+# mask is specified, in which case only the bits
+# specified in the mask are written.
+#
+# The TOS variant of the following features are only possible on Linux
+# and require your kernel to be patched with the TOS preserving ZPH
+# patch, available from http://zph.bratcheda.org
+# No patch is needed to preserve the netfilter mark, which will work
+# with all variants of netfilter.
+#
+# disable-preserve-miss
+# This option disables the preservation of the TOS or netfilter
+# mark. By default, the existing TOS or netfilter mark value of
+# the response coming from the remote server will be retained
+# and masked with miss-mark.
+# NOTE: in the case of a netfilter mark, the mark must be set on
+# the connection (using the CONNMARK target) not on the packet
+# (MARK target).
+#
+# miss-mask=0xFF
+# Allows you to mask certain bits in the TOS or mark value
+# received from the remote server, before copying the value to
+# the TOS sent towards clients.
+# Default for tos: 0xFF (TOS from server is not changed).
+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
+#
+# All of these features require the --enable-zph-qos compilation flag
+# (enabled by default). Netfilter marking also requires the
+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
+# libcap 2.09+ (--with-libcap).
+#
+#Default:
+# none
+
+# TAG: tcp_outgoing_address
+# Allows you to map requests to different outgoing IP addresses
+# based on the username or source address of the user making
+# the request.
+#
+# tcp_outgoing_address ipaddr [[!]aclname] ...
+#
+# For example;
+# Forwarding clients with dedicated IPs for certain subnets.
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
+#
+# tcp_outgoing_address 2001:db8::c001 good_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
+#
+# tcp_outgoing_address 2001:db8::beef normal_service_net
+# tcp_outgoing_address 10.1.0.1 normal_service_net
+#
+# tcp_outgoing_address 2001:db8::1
+# tcp_outgoing_address 10.1.0.3
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Squid will add an implicit IP version test to each line.
+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+#
+#
+# NOTE: The use of this directive using client dependent ACLs is
+# incompatible with the use of server side persistent connections. To
+# ensure correct results it is best to set server_persistent_connections
+# to off when using this directive in such configurations.
+#
+# NOTE: The use of this directive to set a local IP on outgoing TCP links
+# is incompatible with using TPROXY to set client IP out outbound TCP links.
+# When needing to contact peers use the no-tproxy cache_peer option and the
+# client_dst_passthru directive re-enable normal forwarding such as this.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Address selection is performed by the operating system.
+
+# TAG: host_verify_strict
+# Regardless of this option setting, when dealing with intercepted
+# traffic, Squid always verifies that the destination IP address matches
+# the Host header domain or IP (called 'authority form URL').
+#
+# This enforcement is performed to satisfy a MUST-level requirement in
+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
+# authority of the origin server or gateway given by the original URL".
+#
+# When set to ON:
+# Squid always responds with an HTTP 409 (Conflict) error
+# page and logs a security warning if there is no match.
+#
+# Squid verifies that the destination IP address matches
+# the Host header for forward-proxy and reverse-proxy traffic
+# as well. For those traffic types, Squid also enables the
+# following checks, comparing the corresponding Host header
+# and Request-URI components:
+#
+# * The host names (domain or IP) must be identical,
+# but valueless or missing Host header disables all checks.
+# For the two host names to match, both must be either IP
+# or FQDN.
+#
+# * Port numbers must be identical, but if a port is missing
+# the scheme-default port is assumed.
+#
+#
+# When set to OFF (the default):
+# Squid allows suspicious requests to continue but logs a
+# security warning and blocks caching of the response.
+#
+# * Forward-proxy traffic is not checked at all.
+#
+# * Reverse-proxy traffic is not checked at all.
+#
+# * Intercepted traffic which passes verification is handled
+# according to client_dst_passthru.
+#
+# * Intercepted requests which fail verification are sent
+# to the client original destination instead of DIRECT.
+# This overrides 'client_dst_passthru off'.
+#
+# For now suspicious intercepted CONNECT requests are always
+# responded to with an HTTP 409 (Conflict) error page.
+#
+#
+# SECURITY NOTE:
+#
+# As described in CVE-2009-0801 when the Host: header alone is used
+# to determine the destination of a request it becomes trivial for
+# malicious scripts on remote websites to bypass browser same-origin
+# security policy and sandboxing protections.
+#
+# The cause of this is that such applets are allowed to perform their
+# own HTTP stack, in which case the same-origin policy of the browser
+# sandbox only verifies that the applet tries to contact the same IP
+# as from where it was loaded at the IP level. The Host: header may
+# be different from the connected IP and approved origin.
+#
+#Default:
+# host_verify_strict off
+
+# TAG: client_dst_passthru
+# With NAT or TPROXY intercepted traffic Squid may pass the request
+# directly to the original client destination IP or seek a faster
+# source using the HTTP Host header.
+#
+# Using Host to locate alternative servers can provide faster
+# connectivity with a range of failure recovery options.
+# But can also lead to connectivity trouble when the client and
+# server are attempting stateful interactions unaware of the proxy.
+#
+# This option (on by default) prevents alternative DNS entries being
+# located to send intercepted traffic DIRECT to an origin server.
+# The clients original destination IP and port will be used instead.
+#
+# Regardless of this option setting, when dealing with intercepted
+# traffic Squid will verify the Host: header and any traffic which
+# fails Host verification will be treated as if this option were ON.
+#
+# see host_verify_strict for details on the verification process.
+#Default:
+# client_dst_passthru on
+
+# TLS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: tls_outgoing_options
+# disable Do not support https:// URLs.
+#
+# cert=/path/to/client/certificate
+# A client X.509 certificate to use when connecting.
+#
+# key=/path/to/client/private_key
+# The private key corresponding to the cert= above.
+#
+# If key= is not specified cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# cipher=... The list of valid TLS ciphers to use.
+#
+# min-version=1.N
+# The minimum TLS protocol version to permit.
+# To control SSLv3 use the options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2, 1.3
+#
+# options=... Specify various TLS/SSL implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation
+# for a more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+#
+#
+# cafile= PEM file containing CA certificates to use when verifying
+# the peer certificate. May be repeated to load multiple files.
+#
+# capath= A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# crlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# flags=... Specify various flags modifying the TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# domain= The peer name as advertised in its certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#Default:
+# tls_outgoing_options min-version=1.0
+
+# SSL OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ssl_unclean_shutdown
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Some browsers (especially MSIE) bugs out on SSL shutdown
+# messages.
+#Default:
+# ssl_unclean_shutdown off
+
+# TAG: ssl_engine
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# The OpenSSL engine to use. You will need to set this if you
+# would like to use hardware SSL acceleration for example.
+#
+# Not supported in builds with OpenSSL 3.0 or newer.
+#Default:
+# none
+
+# TAG: sslproxy_session_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the timeout value for SSL sessions
+#Default:
+# sslproxy_session_ttl 300
+
+# TAG: sslproxy_session_cache_size
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the cache size to use for ssl session
+#Default:
+# sslproxy_session_cache_size 2 MB
+
+# TAG: sslproxy_foreign_intermediate_certs
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Many origin servers fail to send their full server certificate
+# chain for verification, assuming the client already has or can
+# easily locate any missing intermediate certificates.
+#
+# Squid uses the certificates from the specified file to fill in
+# these missing chains when trying to validate origin server
+# certificate chains.
+#
+# The file is expected to contain zero or more PEM-encoded
+# intermediate certificates. These certificates are not treated
+# as trusted root certificates, and any self-signed certificate in
+# this file will be ignored.
+#Default:
+# none
+
+# TAG: sslproxy_cert_sign_hash
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the hashing algorithm to use when signing generated certificates.
+# Valid algorithm names depend on the OpenSSL library used. The following
+# names are usually available: sha1, sha256, sha512, and md5. Please see
+# your OpenSSL library manual for the available hashes. By default, Squids
+# that support this option use sha256 hashes.
+#
+# Squid does not forcefully purge cached certificates that were generated
+# with an algorithm other than the currently configured one. They remain
+# in the cache, subject to the regular cache eviction policy, and become
+# useful if the algorithm changes again.
+#Default:
+# none
+
+# TAG: ssl_bump
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# This option is consulted when a CONNECT request is received on
+# an http_port (or a new connection is intercepted at an
+# https_port), provided that port was configured with an ssl-bump
+# flag. The subsequent data on the connection is either treated as
+# HTTPS and decrypted OR tunneled at TCP level without decryption,
+# depending on the first matching bumping "action".
+#
+# ssl_bump [!]acl ...
+#
+# The following bumping actions are currently supported:
+#
+# splice
+# Become a TCP tunnel without decrypting proxied traffic.
+# This is the default action.
+#
+# bump
+# When used on step SslBump1, establishes a secure connection
+# with the client first, then connect to the server.
+# When used on step SslBump2 or SslBump3, establishes a secure
+# connection with the server and, using a mimicked server
+# certificate, with the client.
+#
+# peek
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of splicing the
+# connection. Peeking at the server certificate (during step 2)
+# usually precludes bumping of the connection at step 3.
+#
+# stare
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of bumping the
+# connection. Staring at the server certificate (during step 2)
+# usually precludes splicing of the connection at step 3.
+#
+# terminate
+# Close client and server connections.
+#
+# Backward compatibility actions available at step SslBump1:
+#
+# client-first
+# Bump the connection. Establish a secure connection with the
+# client first, then connect to the server. This old mode does
+# not allow Squid to mimic server SSL certificate and does not
+# work with intercepted SSL connections.
+#
+# server-first
+# Bump the connection. Establish a secure connection with the
+# server first, then establish a secure connection with the
+# client, using a mimicked server certificate. Works with both
+# CONNECT requests and intercepted SSL connections, but does
+# not allow to make decisions based on SSL handshake info.
+#
+# peek-and-splice
+# Decide whether to bump or splice the connection based on
+# client-to-squid and server-to-squid SSL hello messages.
+# XXX: Remove.
+#
+# none
+# Same as the "splice" action.
+#
+# All ssl_bump rules are evaluated at each of the supported bumping
+# steps. Rules with actions that are impossible at the current step are
+# ignored. The first matching ssl_bump action wins and is applied at the
+# end of the current step. If no rules match, the splice action is used.
+# See the at_step ACL for a list of the supported SslBump steps.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
+#
+#
+# # Example: Bump all TLS connections except those originating from
+# # localhost or those going to example.com.
+#
+# acl broken_sites ssl::server_name .example.com
+# ssl_bump splice localhost
+# ssl_bump splice broken_sites
+# ssl_bump bump all
+#Default:
+# Become a TCP tunnel without decrypting proxied traffic.
+
+# TAG: sslproxy_cert_error
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Use this ACL to bypass server certificate validation errors.
+#
+# For example, the following lines will bypass all validation errors
+# when talking to servers for example.com. All other
+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+#
+# acl BrokenButTrustedServers dstdomain example.com
+# sslproxy_cert_error allow BrokenButTrustedServers
+# sslproxy_cert_error deny all
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Using slow acl types may result in server crashes
+#
+# Without this option, all server certificate validation errors
+# terminate the transaction to protect Squid and the client.
+#
+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+# but should not happen unless your OpenSSL library is buggy.
+#
+# SECURITY WARNING:
+# Bypassing validation errors is dangerous because an
+# error usually implies that the server cannot be trusted
+# and the connection may be insecure.
+#
+# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#Default:
+# Server certificate errors terminate the transaction.
+
+# TAG: sslproxy_cert_sign
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_sign acl ...
+#
+# The following certificate signing algorithms are supported:
+#
+# signTrusted
+# Sign using the configured CA certificate which is usually
+# placed in and trusted by end-user browsers. This is the
+# default for trusted origin server certificates.
+#
+# signUntrusted
+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+# This is the default for untrusted origin server certificates
+# that are not self-signed (see ssl::certUntrusted).
+#
+# signSelf
+# Sign using a self-signed certificate with the right CN to
+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+# browser. This is the default for self-signed origin server
+# certificates (see ssl::certSelfSigned).
+#
+# This clause only supports fast acl types.
+#
+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+# signing algorithm to generate the certificate and ignores all
+# subsequent sslproxy_cert_sign options (the first match wins). If no
+# acl(s) match, the default signing algorithm is determined by errors
+# detected when obtaining and validating the origin server certificate.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslproxy_cert_adapt
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_adapt acl ...
+#
+# The following certificate adaptation algorithms are supported:
+#
+# setValidAfter
+# Sets the "Not After" property to the "Not After" property of
+# the CA certificate used to sign generated certificates.
+#
+# setValidBefore
+# Sets the "Not Before" property to the "Not Before" property of
+# the CA certificate used to sign generated certificates.
+#
+# setCommonName or setCommonName{CN}
+# Sets Subject.CN property to the host name specified as a
+# CN parameter or, if no explicit CN parameter was specified,
+# extracted from the CONNECT request.
It is a misconfiguration
+# to use setCommonName without an explicit parameter for
+# intercepted or tproxied SSL connections.
+#
+# This clause only supports fast acl types.
+#
+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+# corresponding adaptation algorithm to generate the certificate and
+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+# group (i.e., the first match wins within each algorithm group). If no
+# acl(s) match, the default mimicking action takes place.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslpassword_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify a program used for entering SSL key passphrases
+# when using encrypted SSL certificate keys. If not specified
+# keys must either be unencrypted, or Squid started with the -N
+# option to allow it to query interactively for the passphrase.
+#
+# The key file name is given as argument to the program allowing
+# selection of the right password if you have multiple encrypted
+# keys.
+#Default:
+# none
+
+# OPTIONS RELATING TO EXTERNAL SSL_CRTD
+# -----------------------------------------------------------------------------
+
+# TAG: sslcrtd_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specify the location and options of the executable for certificate
+# generator.
+#
+# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response
+# times on repeated requests.
To enable caching, specify -s and -M
+# parameters. If those parameters are not given, the program generates
+# a new certificate on every request.
+#
+# For more information use:
+# /usr/lib/squid/security_file_certgen -h
+#Default:
+# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
+
+# TAG: sslcrtd_children
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specifies the maximum number of certificate generation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child is idle and no new child can be started due to
+# numberofchildren limit. If the queued requests exceed queue size for
+# more than 3 minutes squid aborts its operation. The default value is
+# set to 2*numberofchildren.
+#
+# You must have at least one ssl_crtd process.
+#Default:
+# sslcrtd_children 32 startup=5 idle=1
+
+# TAG: sslcrtvalidator_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify the location and options of the executable for ssl_crt_validator
+# process.
+#
+# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
+#
+# Options:
+# ttl=n TTL in seconds for cached results. The default is 60 secs
+# cache=n limit the result cache size. The default value is 2048
+#Default:
+# none
+
+# TAG: sslcrtvalidator_children
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specifies the maximum number of certificate validation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each certificate validator helper can handle in
+# parallel. A value of 0 indicates the certficate validator does not
+# support concurrency. Defaults to 1.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# a request ID in front of the request/response. The request
+# ID from the request must be echoed back with the response
+# to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. If the queued
+# requests exceed queue size for more than 3 minutes squid aborts its
+# operation. The default value is set to 2*numberofchildren.
+#
+# You must have at least one ssl_crt_validator process.
+#Default:
+# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
+
+# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
+# -----------------------------------------------------------------------------
+
+# TAG: cache_peer
+# To specify other caches in a hierarchy, use the format:
+#
+# cache_peer hostname type http-port icp-port [options]
+#
+# For example,
+#
+# # proxy icp
+# # hostname type port port options
+# # -------------------- -------- ----- ----- -----------
+# cache_peer parent.foo.net parent 3128 3130 default
+# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
+# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
+# cache_peer example.com parent 80 0 default
+# cache_peer cdn.example.com sibling 3128 0
+#
+# type: either 'parent', 'sibling', or 'multicast'.
+#
+# proxy-port: The port number where the peer accept HTTP requests.
+# For other Squid proxies this is usually 3128
+# For web servers this is usually 80
+#
+# icp-port: Used for querying neighbor caches about objects.
+# Set to 0 if the peer does not support ICP or HTCP.
+# See ICP and HTCP options below for additional details.
+#
+#
+# ==== ICP OPTIONS ====
+#
+# You MUST also set icp_port and icp_access explicitly when using these options.
+# The defaults will prevent peer traffic using ICP.
+#
+#
+# no-query Disable ICP queries to this neighbor.
+#
+# multicast-responder
+# Indicates the named peer is a member of a multicast group.
+# ICP queries will not be sent directly to the peer, but ICP
+# replies will be accepted from it.
+#
+# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
+# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
+#
+# background-ping
+# To only send ICP queries to this neighbor infrequently.
+# This is used to keep the neighbor round trip time updated
+# and is usually used in conjunction with weighted-round-robin.
+#
+#
+# ==== HTCP OPTIONS ====
+#
+# You MUST also set htcp_port and htcp_access explicitly when using these options.
+# The defaults will prevent peer traffic using HTCP.
+#
+#
+# htcp Send HTCP, instead of ICP, queries to the neighbor.
+# You probably also want to set the "icp-port" to 4827
+# instead of 3130. This directive accepts a comma separated
+# list of options described below.
+#
+# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
+#
+# htcp=no-clr Send HTCP to the neighbor but without
+# sending any CLR requests. This cannot be used with
+# only-clr.
+#
+# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
+# This cannot be used with no-clr.
+#
+# htcp=no-purge-clr
+# Send HTCP to the neighbor including CLRs but only when
+# they do not result from PURGE requests.
+#
+# htcp=forward-clr
+# Forward any HTCP CLR requests this proxy receives to the peer.
+#
+#
+# ==== PEER SELECTION METHODS ====
+#
+# The default peer selection method is ICP, with the first responding peer
+# being used as source. These options can be used for better load balancing.
+#
+#
+# default This is a parent cache which can be used as a "last-resort"
+# if a peer cannot be located by any of the peer-selection methods.
+# If specified more than once, only the first is used.
+#
+# round-robin Load-Balance parents which should be used in a round-robin
+# fashion in the absence of any ICP queries.
+# weight=N can be used to add bias.
+#
+# weighted-round-robin
+# Load-Balance parents which should be used in a round-robin
+# fashion with the frequency of each parent being based on the
+# round trip time. Closer parents are used more often.
+# Usually used for background-ping parents.
+# weight=N can be used to add bias.
+#
+# carp Load-Balance parents which should be used as a CARP array.
+# The requests will be distributed among the parents based on the
+# CARP load balancing hash function based on their weight.
+#
+# userhash Load-balance parents based on the client proxy_auth or ident username.
+#
+# sourcehash Load-balance parents based on the client source IP.
+#
+# multicast-siblings
+# To be used only for cache peers of type "multicast".
+# ALL members of this multicast group have "sibling"
+# relationship with it, not "parent". This is to a multicast
+# group when the requested object would be fetched only from
+# a "parent" cache, anyway. It's useful, e.g., when
+# configuring a pool of redundant Squid proxies, being
+# members of the same multicast group.
+#
+#
+# ==== PEER SELECTION OPTIONS ====
+#
+# weight=N use to affect the selection of a peer during any weighted
+# peer-selection mechanisms.
+# The weight must be an integer; default is 1,
+# larger weights are favored more.
+# This option does not affect parent selection if a peering
+# protocol is not in use.
+#
+# basetime=N Specify a base amount to be subtracted from round trip
+# times of parents.
+# It is subtracted before division by weight in calculating
+# which parent to fectch from. If the rtt is less than the
+# base time the rtt is set to a minimal value.
+#
+# ttl=N Specify a TTL to use when sending multicast ICP queries
+# to this address.
+# Only useful when sending to a multicast group.
+# Because we don't accept ICP replies from random
+# hosts, you must configure other group members as
+# peers with the 'multicast-responder' option.
+#
+# no-delay To prevent access to this neighbor from influencing the
+# delay pools.
+#
+# digest-url=URL Tell Squid to fetch the cache digest (if digests are
+# enabled) for this host from the specified URL rather
+# than the Squid default location.
+#
+#
+# ==== CARP OPTIONS ====
+#
+# carp-key=key-specification
+# use a different key than the full URL to hash against the peer.
+# the key-specification is a comma-separated list of the keywords
+# scheme, host, port, path, params
+# Order is not important.
+#
+# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
+#
+# originserver Causes this parent to be contacted as an origin server.
+# Meant to be used in accelerator setups when the peer
+# is a web server.
+#
+# forceddomain=name
+# Set the Host header of requests forwarded to this peer.
+# Useful in accelerator setups where the server (peer)
+# expects a certain domain name but clients may request
+# others. ie example.com or www.example.com
+#
+# no-digest Disable request of cache digests.
+#
+# no-netdb-exchange
+# Disables requesting ICMP RTT database (NetDB).
+#
+#
+# ==== AUTHENTICATION OPTIONS ====
+#
+# login=user:password
+# If this is a personal/workgroup proxy and your parent
+# requires proxy authentication.
+#
+# Note: The string can include URL escapes (i.e. %20 for
+# spaces). This also means % must be written as %%.
+#
+# login=PASSTHRU
+# Send login details received from client to this peer.
+# Both Proxy- and WWW-Authorization headers are passed
+# without alteration to the peer.
+# Authentication is not required by Squid for this to work.
+#
+# Note: This will pass any form of authentication but
+# only Basic auth will work through a proxy unless the
+# connection-auth options are also used.
+#
+# login=PASS Send login details received from client to this peer.
+# Authentication is not required by this option.
+#
+# If there are no client-provided authentication headers
+# to pass on, but username and password are available
+# from an external ACL user= and password= result tags
+# they may be sent instead.
+#
+# Note: To combine this with proxy_auth both proxies must
+# share the same user database as HTTP only allows for
+# a single login (one for proxy, one for origin server).
+# Also be warned this will expose your users proxy
+# password to the peer. USE WITH CAUTION
+#
+# login=*:password
+# Send the username to the upstream cache, but with a
+# fixed password. This is meant to be used when the peer
+# is in another administrative domain, but it is still
+# needed to identify each user.
+# The star can optionally be followed by some extra
+# information which is added to the username. This can
+# be used to identify this proxy to the peer, similar to
+# the login=username:password option above.
+#
+# login=NEGOTIATE
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The first principal from the default keytab or defined by
+# the environment variable KRB5_KTNAME will be used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# login=NEGOTIATE:principal_name
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The principal principal_name from the default keytab or
+# defined by the environment variable KRB5_KTNAME will be
+# used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# connection-auth=on|off
+# Tell Squid that this peer does or not support Microsoft
+# connection oriented authentication, and any such
+# challenges received from there should be ignored.
+# Default is auto to automatically determine the status
+# of the peer.
+#
+# auth-no-keytab
+# Do not use a keytab to authenticate to a peer when
+# login=NEGOTIATE is specified. Let the GSSAPI
+# implementation determine which already existing
+# credentials cache to use instead.
+#
+#
+# ==== SSL / HTTPS / TLS OPTIONS ====
+#
+# tls Encrypt connections to this peer with TLS.
+#
+# sslcert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this peer.
+#
+# sslkey=/path/to/ssl/key
+# The private key corresponding to sslcert above.
+#
+# If sslkey= is not specified sslcert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# sslcipher=... The list of valid SSL ciphers to use when connecting
+# to this peer.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various TLS implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the peer certificate. May be repeated to load multiple files.
+#
+# sslcapath=... A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# sslcrlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# sslflags=... Specify various flags modifying the SSL implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+#
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# ssldomain= The peer name as advertised in it's certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#
+# front-end-https[=off|on|auto]
+# Enable the "Front-End-Https: On" header needed when
+# using Squid as a SSL frontend in front of Microsoft OWA.
+# See MS KB document Q307347 for details on this header.
+# If set to auto the header will only be added if the
+# request is forwarded as a https:// URL.
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+#
+# ==== GENERAL OPTIONS ====
+#
+# connect-timeout=N
+# A peer-specific connect timeout.
+# Also see the peer_connect_timeout directive.
+#
+# connect-fail-limit=N
+# How many times connecting to a peer must fail before
+# it is marked as down. Standby connection failures
+# count towards this limit. Default is 10.
+#
+# allow-miss Disable Squid's use of only-if-cached when forwarding
+# requests to siblings. This is primarily useful when
+# icp_hit_stale is used by the sibling. Excessive use
+# of this option may result in forwarding loops. One way
+# to prevent peering loops when using this option, is to
+# deny cache peer usage on requests from a peer:
+# acl fromPeer ...
+# cache_peer_access peerName deny fromPeer
+#
+# max-conn=N Limit the number of concurrent connections the Squid
+# may open to this peer, including already opened idle
+# and standby connections. There is no peer-specific
+# connection limit by default.
+#
+# A peer exceeding the limit is not used for new
+# requests unless a standby connection is available.
+#
+# max-conn currently works poorly with idle persistent
+# connections: When a peer reaches its max-conn limit,
+# and there are idle persistent connections to the peer,
+# the peer may not be selected because the limiting code
+# does not know whether Squid can reuse those idle
+# connections.
+#
+# standby=N Maintain a pool of N "hot standby" connections to an
+# UP peer, available for requests when no idle
+# persistent connection is available (or safe) to use.
+# By default and with zero N, no such pool is maintained.
+# N must not exceed the max-conn limit (if any).
+#
+# At start or after reconfiguration, Squid opens new TCP
+# standby connections until there are N connections
+# available and then replenishes the standby pool as
+# opened connections are used up for requests. A used
+# connection never goes back to the standby pool, but
+# may go to the regular idle persistent connection pool
+# shared by all peers and origin servers.
+#
+# Squid never opens multiple new standby connections
+# concurrently. This one-at-a-time approach minimizes
+# flooding-like effect on peers. Furthermore, just a few
+# standby connections should be sufficient in most cases
+# to supply most new requests with a ready-to-use
+# connection.
+#
+# Standby connections obey server_idle_pconn_timeout.
+# For the feature to work as intended, the peer must be
+# configured to accept and keep them open longer than
+# the idle timeout at the connecting Squid, to minimize
+# race conditions typical to idle used persistent
+# connections. Default request_timeout and
+# server_idle_pconn_timeout values ensure such a
+# configuration.
+#
+# name=xxx Unique name for the peer.
+# Required if you have multiple peers on the same host
+# but different ports.
+# This name can be used in cache_peer_access and similar
+# directives to identify the peer.
+# Can be used by outgoing access controls through the
+# peername ACL type.
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
+#Default:
+# none
+
+# TAG: cache_peer_access
+# Restricts usage of cache_peer proxies.
+#
+# Usage:
+# cache_peer_access peer-name allow|deny [!]aclname ...
+#
+# For the required peer-name parameter, use either the value of the
+# cache_peer name=value parameter or, if name=value is missing, the
+# cache_peer hostname parameter.
+#
+# This directive narrows down the selection of peering candidates, but
+# does not determine the order in which the selected candidates are
+# contacted. That order is determined by the peer selection algorithms
+# (see PEER SELECTION sections in the cache_peer documentation).
+#
+# If a deny rule matches, the corresponding peer will not be contacted
+# for the current transaction -- Squid will not send ICP queries and
+# will not forward HTTP requests to that peer. An allow match leaves
+# the corresponding peer in the selection. The first match for a given
+# peer wins for that peer.
+#
+# The relative order of cache_peer_access directives for the same peer
+# matters. The relative order of any two cache_peer_access directives
+# for different peers does not matter. To ease interpretation, it is a
+# good idea to group cache_peer_access directives for the same peer
+# together.
+#
+# A single cache_peer_access directive may be evaluated multiple times
+# for a given transaction because individual peer selection algorithms
+# may check it independently from each other. These redundant checks
+# may be optimized away in future Squid versions.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# No peer usage restrictions.
+
+# TAG: neighbor_type_domain
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
+#
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
+#
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
+#Default:
+# The peer type from cache_peer directive is used for all requests to that peer.
+
+# TAG: dead_peer_timeout (seconds)
+# This controls how long Squid waits to declare a peer cache
+# as "dead." If there are no ICP replies received in this
+# amount of time, Squid will declare the peer dead and not
+# expect to receive any further ICP replies. However, it
+# continues to send ICP queries, and will mark the peer as
+# alive upon receipt of the first subsequent ICP reply.
+#
+# This timeout also affects when Squid expects to receive ICP
+# replies from peers. If more than 'dead_peer' seconds have
+# passed since the last ICP reply was received, Squid will not
+# expect to receive an ICP reply on the next query. Thus, if
+# your time between requests is greater than this timeout, you
+# will see a lot of requests sent DIRECT to origin servers
+# instead of to your parents.
+#Default:
+# dead_peer_timeout 10 seconds
+
+# TAG: forward_max_tries
+# Limits the number of attempts to forward the request.
+#
+# For the purpose of this limit, Squid counts all high-level request
+# forwarding attempts, including any same-destination retries after
+# certain persistent connection failures and any attempts to use a
+# different peer. However, these low-level attempts are not counted:
+# * connection reopening attempts (enabled using connect_retries)
+# * unfinished Happy Eyeballs connection attempts (prevented by setting
+# happy_eyeballs_connect_limit to 0)
+#
+# See also: forward_timeout and connect_retries.
+#Default:
+# forward_max_tries 25
+
+# MEMORY CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mem (bytes)
+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+#
+# 'cache_mem' specifies the ideal amount of memory to be used
+# for:
+# * In-Transit objects
+# * Hot Objects
+# * Negative-Cached objects
+#
+# Data for these objects are stored in 4 KB blocks. This
+# parameter specifies the ideal upper limit on the total size of
+# 4 KB blocks allocated. In-Transit objects take the highest
+# priority.
+#
+# In-transit objects have priority over the others. When
+# additional space is needed for incoming data, negative-cached
+# and hot objects will be released. In other words, the
+# negative-cached and hot objects will fill up any unused space
+# not needed for in-transit objects.
+#
+# If circumstances require, this limit will be exceeded.
+# Specifically, if your incoming request rate requires more than
+# 'cache_mem' of memory to hold in-transit objects, Squid will
+# exceed this limit to satisfy the new requests. When the load
+# decreases, blocks will be freed until the high-water mark is
+# reached. Thereafter, blocks will be used to store hot
+# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
+#Default:
+# cache_mem 256 MB
+
+# TAG: maximum_object_size_in_memory (bytes)
+# Objects greater than this size will not be attempted to kept in
+# the memory cache. This should be set high enough to keep objects
+# accessed frequently in memory to improve performance whilst low
+# enough to keep larger objects from hoarding cache_mem.
+#Default:
+# maximum_object_size_in_memory 512 KB
+
+# TAG: memory_cache_shared on|off
+# Controls whether the memory cache is shared among SMP workers.
+#
+# The shared memory cache is meant to occupy cache_mem bytes and replace
+# the non-shared memory cache, although some entities may still be
+# cached locally by workers for now (e.g., internal and in-transit
+# objects may be served from a local memory cache even if shared memory
+# caching is enabled).
+#
+# By default, the memory cache is shared if and only if all of the
+# following conditions are satisfied: Squid runs in SMP mode with
+# multiple workers, cache_mem is positive, and Squid environment
+# supports required IPC primitives (e.g., POSIX shared memory segments
+# and GCC-style atomic operations).
+#
+# To avoid blocking locks, shared memory uses opportunistic algorithms
+# that do not guarantee that every cachable entity that could have been
+# shared among SMP workers will actually be shared.
+#Default:
+# "on" where supported if doing memory caching with multiple SMP workers.
+
+# TAG: memory_cache_mode
+# Controls which objects to keep in the memory cache (cache_mem)
+#
+# always Keep most recently fetched objects in memory (default)
+#
+# disk Only disk cache hits are kept in memory, which means
+# an object must first be cached on disk and then hit
+# a second time before cached in memory.
+#
+# network Only objects fetched from network is kept in memory
+#Default:
+# Keep the most recently fetched objects in memory
+
+# TAG: memory_replacement_policy
+# The memory replacement policy parameter determines which
+# objects are purged from memory when memory space is needed.
+#
+# See cache_replacement_policy for details on algorithms.
+#Default:
+# memory_replacement_policy lru
+
+# DISK CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_replacement_policy
+# The cache replacement policy parameter determines which
+# objects are evicted (replaced) when disk space is needed.
+#
+# lru : Squid's original list based LRU policy
+# heap GDSF : Greedy-Dual Size Frequency
+# heap LFUDA: Least Frequently Used with Dynamic Aging
+# heap LRU : LRU policy implemented using a heap
+#
+# Applies to any cache_dir lines listed below this directive.
+#
+# The LRU policies keeps recently referenced objects.
+#
+# The heap GDSF policy optimizes object hit rate by keeping smaller
+# popular objects in cache so it has a better chance of getting a
+# hit. It achieves a lower byte hit rate than LFUDA though since
+# it evicts larger (possibly popular) objects.
+#
+# The heap LFUDA policy keeps popular objects in cache regardless of
+# their size and thus optimizes byte hit rate at the expense of
+# hit rate since one large, popular object will prevent many
+# smaller, slightly less popular objects from being cached.
+#
+# Both policies utilize a dynamic aging mechanism that prevents
+# cache pollution that can otherwise occur with frequency-based
+# replacement policies.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# the value of maximum_object_size above its default of 4 MB to
+# to maximize the potential byte hit rate improvement of LFUDA.
+#
+# For more information about the GDSF and LFUDA cache replacement
+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+#Default:
+# cache_replacement_policy lru
+
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in bytes, and the default is 0 KB, which
+# means all responses can be stored.
+#Default:
+# no limit
+
+# TAG: maximum_object_size (bytes)
+# Set the default value for max-size parameter on any cache_dir.
+# The value is specified in bytes, and the default is 4 MB.
+#
+# If you wish to get a high BYTES hit ratio, you should probably
+# increase this (one 32 MB object hit counts for 3200 10KB
+# hits).
+#
+# If you wish to increase hit ratio more than you want to
+# save bandwidth you should leave this low.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# this value to maximize the byte hit rate improvement of LFUDA!
+# See cache_replacement_policy for a discussion of this policy.
+#Default:
+# maximum_object_size 4 MB
+
+# TAG: cache_dir
+# Format:
+# cache_dir Type Directory-Name Fs-specific-data [options]
+#
+# You can specify multiple cache_dir lines to spread the
+# cache among different disk partitions.
+#
+# Type specifies the kind of storage system to use. Only "ufs"
+# is built by default. To enable any of the other storage systems
+# see the --enable-storeio configure option.
+#
+# 'Directory' is a top-level directory where cache swap
+# files will be stored. If you want to use an entire disk
+# for caching, this can be the mount-point directory.
+# The directory must exist and be writable by the Squid
+# process. Squid will NOT create this directory for you.
+#
+# In SMP configurations, cache_dir must not precede the workers option
+# and should use configuration macros or conditionals to give each
+# worker interested in disk caching a dedicated cache directory.
+#
+#
+# ==== The ufs store type ====
+#
+# "ufs" is the old well-known Squid storage format that has always
+# been there.
+#
+# Usage:
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+#
+# 'Mbytes' is the amount of disk space (MB) to use under this
+# directory. The default is 100 MB. Change this to suit your
+# configuration. Do NOT put the size of your disk drive here.
+# Instead, if you want Squid to use the entire disk drive,
+# subtract 20% and use that value.
+#
+# 'L1' is the number of first-level subdirectories which
+# will be created under the 'Directory'. The default is 16.
+#
+# 'L2' is the number of second-level subdirectories which
+# will be created under each first-level directory. The default
+# is 256.
+#
+#
+# ==== The aufs store type ====
+#
+# "aufs" uses the same storage format as "ufs", utilizing
+# POSIX-threads to avoid blocking the main Squid process on
+# disk-I/O. This was formerly known in Squid as async-io.
+#
+# Usage:
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+#
+# see argument descriptions under ufs above
+#
+#
+# ==== The diskd store type ====
+#
+# "diskd" uses the same storage format as "ufs", utilizing a
+# separate process to avoid blocking the main Squid process on
+# disk-I/O.
+#
+# Usage:
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+#
+# see argument descriptions under ufs above
+#
+# Q1 specifies the number of unacknowledged I/O requests when Squid
+# stops opening new files. If this many messages are in the queues,
+# Squid won't open new files. Default is 64
+#
+# Q2 specifies the number of unacknowledged messages when Squid
+# starts blocking. If this many messages are in the queues,
+# Squid blocks until it receives some replies. Default is 72
+#
+# When Q1 < Q2 (the default), the cache directory is optimized
+# for lower response time at the expense of a decrease in hit
+# ratio. If Q1 > Q2, the cache directory is optimized for
+# higher hit ratio at the expense of an increase in response
+# time.
+#
+#
+# ==== The rock store type ====
+#
+# Usage:
+# cache_dir rock Directory-Name Mbytes [options]
+#
+# The Rock Store type is a database-style storage. All cached
+# entries are stored in a "database" file, using fixed-size slots.
+# A single entry occupies one or more slots.
+#
+# If possible, Squid using Rock Store creates a dedicated kid
+# process called "disker" to avoid blocking Squid worker(s) on disk
+# I/O. One disker kid is created for each rock cache_dir. Diskers
+# are created only when Squid, running in daemon mode, has support
+# for the IpcIo disk I/O module.
+#
+# swap-timeout=msec: Squid will not start writing a miss to or
+# reading a hit from disk if it estimates that the swap operation
+# will take more than the specified number of milliseconds. By
+# default and when set to zero, disables the disk I/O time limit
+# enforcement. Ignored when using blocking I/O module because
+# blocking synchronous I/O does not allow Squid to estimate the
+# expected swap wait time.
+#
+# max-swap-rate=swaps/sec: Artificially limits disk access using
+# the specified I/O rate limit. Swap out requests that
+# would cause the average I/O rate to exceed the limit are
+# delayed. Individual swap in requests (i.e., hits or reads) are
+# not delayed, but they do contribute to measured swap rate and
+# since they are placed in the same FIFO queue as swap out
+# requests, they may wait longer if max-swap-rate is smaller.
+# This is necessary on file systems that buffer "too
+# many" writes and then start blocking Squid and other processes
+# while committing those writes to disk. Usually used together
+# with swap-timeout to avoid excessive delays and queue overflows
+# when disk demand exceeds available disk "bandwidth". By default
+# and when set to zero, disables the disk I/O rate limit
+# enforcement. Currently supported by IpcIo module only.
+#
+# slot-size=bytes: The size of a database "record" used for
+# storing cached responses. A cached response occupies at least
+# one slot and all database I/O is done using individual slots so
+# increasing this parameter leads to more disk space waste while
+# decreasing it leads to more disk I/O overheads. Should be a
+# multiple of your operating system I/O page size. Defaults to
+# 16KBytes. A housekeeping header is stored with each slot and
+# smaller slot-sizes will be rejected. The header is smaller than
+# 100 bytes.
+#
+#
+# ==== COMMON OPTIONS ====
+#
+# no-store no new objects should be stored to this cache_dir.
+#
+# min-size=n the minimum object size in bytes this cache_dir
+# will accept. It's used to restrict a cache_dir
+# to only store large objects (e.g. AUFS) while
+# other stores are optimized for smaller objects
+# (e.g. Rock).
+# Defaults to 0.
+#
+# max-size=n the maximum object size in bytes this cache_dir
+# supports.
+# The value in maximum_object_size directive sets
+# the default unless more specific details are
+# available (ie a small store capacity).
+#
+# Note: To make optimal use of the max-size limits you should order
+# the cache_dir lines with the smallest max-size value first.
+#
+#Default:
+# No disk cache. Store cache ojects only in memory.
+#
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# TAG: store_dir_select_algorithm
+# How Squid selects which cache_dir to use when the response
+# object will fit into more than one.
+#
+# Regardless of which algorithm is used the cache_dir min-size
+# and max-size parameters are obeyed. As such they can affect
+# the selection algorithm by limiting the set of considered
+# cache_dir.
+#
+# Algorithms:
+#
+# least-load
+#
+# This algorithm is suited to caches with similar cache_dir
+# sizes and disk speeds.
+#
+# The disk with the least I/O pending is selected.
+# When there are multiple disks with the same I/O load ranking
+# the cache_dir with most available capacity is selected.
+#
+# When a mix of cache_dir sizes are configured the faster disks
+# have a naturally lower I/O loading and larger disks have more
+# capacity. So space used to store objects and data throughput
+# may be very unbalanced towards larger disks.
+#
+#
+# round-robin
+#
+# This algorithm is suited to caches with unequal cache_dir
+# disk sizes.
+#
+# Each cache_dir is selected in a rotation. The next suitable
+# cache_dir is used.
+#
+# Available cache_dir capacity is only considered in relation
+# to whether the object will fit and meets the min-size and
+# max-size parameters.
+#
+# Disk I/O loading is only considered to prevent overload on slow
+# disks. This algorithm does not spread objects by size, so any
+# I/O loading per-disk may appear very unbalanced and volatile.
+#
+# If several cache_dirs use similar min-size, max-size, or other
+# limits to to reject certain responses, then do not group such
+# cache_dir lines together, to avoid round-robin selection bias
+# towards the first cache_dir after the group. Instead, interleave
+# cache_dir lines from different groups. For example:
+#
+# store_dir_select_algorithm round-robin
+# cache_dir rock /hdd1 ... min-size=100000
+# cache_dir rock /ssd1 ... max-size=99999
+# cache_dir rock /hdd2 ... min-size=100000
+# cache_dir rock /ssd2 ... max-size=99999
+# cache_dir rock /hdd3 ... min-size=100000
+# cache_dir rock /ssd3 ... max-size=99999
+#Default:
+# store_dir_select_algorithm least-load
+
+# TAG: max_open_disk_fds
+# To avoid having disk as the I/O bottleneck Squid can optionally
+# bypass the on-disk cache if more than this amount of disk file
+# descriptors are open.
+#
+# A value of 0 indicates no limit.
+#Default:
+# no limit
+
+# TAG: cache_swap_low (percent, 0-100)
+# The low-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above this low-water mark and attempts to maintain utilization
+# near the low-water mark.
+#
+# As swap utilization increases towards the high-water mark set
+# by cache_swap_high object eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_high and cache_replacement_policy
+#Default:
+# cache_swap_low 90
+
+# TAG: cache_swap_high (percent, 0-100)
+# The high-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above the low-water mark set by cache_swap_low and attempts to
+# maintain utilization near the low-water mark.
+#
+# As swap utilization increases towards this high-water mark object
+# eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_low and cache_replacement_policy
+#Default:
+# cache_swap_high 95
+
+# LOGFILE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: logformat
+# Usage:
+#
+# logformat
+#
+# Defines an access log format.
+#
+# The is a string with embedded % format codes
+#
+# % format codes all follow the same basic structure where all
+# components but the formatcode are optional and usually unnecessary,
+# especially when dealing with common codes.
+#
+# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
+#
+# encoding escapes or otherwise protects "special" characters:
+#
+# " Quoted string encoding where quote(") and
+# backslash(\) characters are \-escaped while
+# CR, LF, and TAB characters are encoded as \r,
+# \n, and \t two-character sequences.
+#
+# [ Custom Squid encoding where percent(%), square
+# brackets([]), backslash(\) and characters with
+# codes outside of [32,126] range are %-encoded.
+# SP is not encoded. Used by log_mime_hdrs.
+#
+# # URL encoding (a.k.a. percent-encoding) where
+# all URL unsafe and control characters (per RFC
+# 1738) are %-encoded.
+#
+# / Shell-like encoding where quote(") and
+# backslash(\) characters are \-escaped while CR
+# and LF characters are encoded as \r and \n
+# two-character sequences. Values containing SP
+# character(s) are surrounded by quotes(").
+#
+# ' Raw/as-is encoding with no escaping/quoting.
+#
+# Default encoding: When no explicit encoding is
+# specified, each %code determines its own encoding.
+# Most %codes use raw/as-is encoding, but some codes use
+# a so called "pass-through URL encoding" where all URL
+# unsafe and control characters (per RFC 1738) are
+# %-encoded, but the percent character(%) is left as is.
+#
+# - left aligned
+#
+# width minimum and/or maximum field width:
+# [width_min][.width_max]
+# When minimum starts with 0, the field is zero-padded.
+# String values exceeding maximum width are truncated.
+#
+# {arg} argument such as header name etc. This field may be
+# placed before or after the token, but not both at once.
+#
+# Format codes:
+#
+# % a literal % character
+# sn Unique sequence number per log line entry
+# err_code The ID of an error response served by Squid or
+# a similar internal error identifier.
+# err_detail Additional err_code-dependent error information.
+# note The annotation specified by the argument. Also
+# logs the adaptation meta headers set by the
+# adaptation_meta configuration parameter.
+# If no argument given all annotations logged.
+# The argument may include a separator to use with
+# annotation values:
+# name[:separator]
+# By default, multiple note values are separated with ","
+# and multiple notes are separated with "\r\n".
+# When logging named notes with %{name}note, the
+# explicitly configured separator is used between note
+# values. When logging all notes with %note, the
+# explicitly configured separator is used between
+# individual notes. There is currently no way to
+# specify both value and notes separators when logging
+# all notes with %note.
+# master_xaction The master transaction identifier is an unsigned
+# integer. These IDs are guaranteed to monotonically
+# increase within a single worker process lifetime, with
+# higher values corresponding to transactions that were
+# accepted or initiated later. Due to current implementation
+# deficiencies, some IDs are skipped (i.e. never logged).
+# Concurrent workers and restarted workers use similar,
+# overlapping sequences of master transaction IDs.
+#
+# Connection related format codes:
+#
+# >a Client source IP address
+# >A Client FQDN
+# >p Client source port
+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+# >la Local IP address the client connected to
+# >lp Local port number the client connected to
+# >qos Client connection TOS/DSCP value set by Squid
+# >nfmark Client connection netfilter packet MARK set by Squid
+#
+# la Local listening IP address the client connection was connected to.
+# lp Local listening port number the client connection was connected to.
+#
+# handshake Raw client handshake
+# Initial client bytes received by Squid on a newly
+# accepted TCP connection or inside a just established
+# CONNECT tunnel. Squid stops accumulating handshake
+# bytes as soon as the handshake parser succeeds or
+# fails (determining whether the client is using the
+# expected protocol).
+#
+# For HTTP clients, the handshake is the request line.
+# For TLS clients, the handshake consists of all TLS
+# records up to and including the TLS record that
+# contains the last byte of the first ClientHello
+# message. For clients using an unsupported protocol,
+# this field contains the bytes received by Squid at the
+# time of the handshake parsing failure.
+#
+# See the on_unsupported_protocol directive for more
+# information on Squid handshake traffic expectations.
+#
+# Current support is limited to these contexts:
+# - http_port connections, but only when the
+# on_unsupported_protocol directive is in use.
+# - https_port connections (and CONNECT tunnels) that
+# are subject to the ssl_bump peek or stare action.
+#
+# To protect binary handshake data, this field is always
+# base64-encoded (RFC 4648 Section 4). If logformat
+# field encoding is configured, that encoding is applied
+# on top of base64. Otherwise, the computed base64 value
+# is recorded as is.
+#
+# Time related format codes:
+#
+# ts Seconds since epoch
+# tu subsecond time (milliseconds)
+# tl Local time.
Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tg GMT time. Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tr Response time (milliseconds)
+# dt Total time spent making DNS lookups (milliseconds)
+# tS Approximate master transaction start time in
+# . format.
+# Currently, Squid considers the master transaction
+# started when a complete HTTP request header initiating
+# the transaction is received from the client. This is
+# the same value that Squid uses to calculate transaction
+# response time when logging %tr to access.log. Currently,
+# Squid uses millisecond resolution for %tS values,
+# similar to the default access.log "current time" field
+# (%ts.%03tu).
+#
+# Access Control related format codes:
+#
+# et Tag returned by external acl
+# ea Log string returned by external acl
+# un User name (any available)
+# ul User name from authentication
+# ue User name from external acl helper
+# ui User name from ident
+# un A user name. Expands to the first available name
+# from the following list of information sources:
+# - authenticated user name, like %ul
+# - user name supplied by an external ACL, like %ue
+# - SSL client name, like %us
+# - ident user name, like %ui
+# credentials Client credentials. The exact meaning depends on
+# the authentication scheme: For Basic authentication,
+# it is the password; for Digest, the realm sent by the
+# client; for NTLM and Negotiate, the client challenge
+# or client credentials prefixed with "YR " or "KK ".
+#
+# HTTP related format codes:
+#
+# REQUEST
+#
+# [http::]rm Request method (GET/POST etc)
+# [http::]>rm Request method from client
+# [http::]ru Request URL received from the client (or computed)
+#
+# Computed URLs are URIs of internally generated
+# requests and various "error:..." URIs.
+#
+# Unlike %ru, this request URI is not affected
+# by request adaptation, URL rewriting services,
+# and strip_query_terms.
+#
+# Honors uri_whitespace.
+#
+# This field is using pass-through URL encoding
+# by default. Encoding this field using other
+# variants of %-encoding will clash with
+# uri_whitespace modifications that also use
+# %-encoding.
+#
+# [http::]rs Request URL scheme from client
+# [http::]rd Request URL domain from client
+# [http::]rP Request URL port from client
+# [http::]rp Request URL path excluding hostname from client
+# [http::]rv Request protocol version from client
+# [http::]h Original received request header.
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Accepts optional header field name/value filter
+# argument using name[:[separator]element] format.
+# [http::]>ha Received request header after adaptation and
+# redirection (pre-cache REQMOD vectoring point).
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Optional header name argument as for >h
+#
+# RESPONSE
+#
+# [http::]Hs HTTP status code sent to the client
+#
+# [http::]h
+#
+# [http::]mt MIME content type
+#
+#
+# SIZE COUNTERS
+#
+# [http::]st Total size of request + reply traffic with client
+# [http::]>st Total size of request received from client.
+# Excluding chunked encoding bytes.
+# [http::]sh Size of request headers received from client
+# [http::]sni SSL client SNI sent to Squid.
+#
+# ssl::>cert_subject
+# The Subject field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Subject often has spaces.
+#
+# ssl::>cert_issuer
+# The Issuer field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Issuer often has spaces.
+#
+# ssl::negotiated_version The negotiated TLS version of the
+# client connection.
+#
+# %ssl::received_hello_version The TLS version of the Hello
+# message received from TLS client.
+#
+# %ssl::received_supported_version The maximum TLS version
+# supported by the TLS client.
+#
+# %ssl::negotiated_cipher The negotiated cipher of the
+# client connection.
+#
+# %ssl::h PROXY protocol header, including optional TLVs.
+#
+# Supports the same field and element reporting/extraction logic
+# as %http::>h. For configuration and reporting purposes, Squid
+# maps each PROXY TLV to an HTTP header field: the TLV type
+# (configured as a decimal integer) is the field name, and the
+# TLV value is the field value. All TLVs of "LOCAL" connections
+# (in PROXY protocol terminology) are currently skipped/ignored.
+#
+# Squid also maps the following standard PROXY protocol header
+# blocks to pseudo HTTP headers (their names use PROXY
+# terminology and start with a colon, following HTTP tradition
+# for pseudo headers): :command, :version, :src_addr, :dst_addr,
+# :src_port, and :dst_port.
+#
+# Without optional parameters, this logformat code logs
+# pseudo headers and TLVs.
+#
+# This format code uses pass-through URL encoding by default.
+#
+# Example:
+# # relay custom PROXY TLV #224 to adaptation services
+# adaptation_meta Client-Foo "%proxy_protocol::>h{224}"
+#
+# See also: %http::>h
+#
+# The default formats available (which do not need re-defining) are:
+#
+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+#logformat useragent %>a [%tl] "%{User-Agent}>h"
+#
+# NOTE: When the log_mime_hdrs directive is set to ON.
+# The squid, common and combined formats have a safely encoded copy
+# of the mime headers appended to each line within a pair of brackets.
+#
+# NOTE: The common and combined formats are not quite true to the Apache definition.
+# The logs from Squid contain an extra status and hierarchy code appended.
+#
+#Default:
+# The format definitions squid, common, combined, referrer, useragent are built in.
+
+# TAG: access_log
+# Configures whether and how Squid logs HTTP and ICP transactions.
+# If access logging is enabled, a single line is logged for every
+# matching HTTP or ICP request. The recommended directive formats are:
+#
+# access_log : [option ...] [acl acl ...]
+# access_log none [acl acl ...]
+#
+# The following directive format is accepted but may be deprecated:
+# access_log : [ [acl acl ...]]
+#
+# In most cases, the first ACL name must not contain the '=' character
+# and should not be equal to an existing logformat name. You can always
+# start with an 'all' ACL to work around those restrictions.
+#
+# Will log to the specified module:place using the specified format (which
+# must be defined in a logformat directive) those entries which match
+# ALL the acl's specified (which must be defined in acl clauses).
+# If no acl is specified, all requests will be logged to this destination.
+#
+# ===== Available options for the recommended directive format =====
+#
+# logformat=name Names log line format (either built-in or
+# defined by a logformat directive). Defaults
+# to 'squid'.
+#
+# buffer-size=64KB Defines approximate buffering limit for log
+# records (see buffered_logs). Squid should not
+# keep more than the specified size and, hence,
+# should flush records before the buffer becomes
+# full to avoid overflows under normal
+# conditions (the exact flushing algorithm is
+# module-dependent though). The on-error option
+# controls overflow handling.
+#
+# on-error=die|drop Defines action on unrecoverable errors. The
+# 'drop' action ignores (i.e., does not log)
+# affected log records. The default 'die' action
+# kills the affected worker. The drop action
+# support has not been tested for modules other
+# than tcp.
+#
+# rotate=N Specifies the number of log file rotations to
+# make when you run 'squid -k rotate'. The default
+# is to obey the logfile_rotate directive. Setting
+# rotate=0 will disable the file name rotation,
+# but the log files are still closed and re-opened.
+# This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+# Only supported by the stdio module.
+#
+# ===== Modules Currently available =====
+#
+# none Do not log any requests matching these ACL.
+# Do not specify Place or logformat name.
+#
+# stdio Write each log line to disk immediately at the completion of
+# each request.
+# Place: the filename and path to be written.
+#
+# daemon Very similar to stdio. But instead of writing to disk the log
+# line is passed to a daemon helper for asychronous handling instead.
+# Place: varies depending on the daemon.
+#
+# log_file_daemon Place: the file name and path to be written.
+#
+# syslog To log each request via syslog facility.
+# Place: The syslog facility and priority level for these entries.
+# Place Format: facility.priority
+#
+# where facility could be any of:
+# authpriv, daemon, local0 ... local7 or user.
+#
+# And priority could be any of:
+# err, warning, notice, info, debug.
+#
+# udp To send each log line as text data to a UDP receiver.
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# tcp To send each log line as text data to a TCP receiver.
+# Lines may be accumulated before sending (see buffered_logs).
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# Default:
+# access_log daemon:/var/log/squid/access.log squid
+#Default:
+# access_log daemon:/var/log/squid/access.log squid
+
+# TAG: icap_log
+# ICAP log files record ICAP transaction summaries, one line per
+# transaction.
+#
+# The icap_log option format is:
+# icap_log [ [acl acl ...]]
+# icap_log none [acl acl ...]]
+#
+# Please see access_log option documentation for details. The two
+# kinds of logs share the overall configuration approach and many
+# features.
+#
+# ICAP processing of a single HTTP message or transaction may
+# require multiple ICAP transactions. In such cases, multiple
+# ICAP transaction log lines will correspond to a single access
+# log line.
+#
+# ICAP log supports many access.log logformat %codes. In ICAP context,
+# HTTP message-related %codes are applied to the HTTP message embedded
+# in an ICAP message. Logformat "%http::>..." codes are used for HTTP
+# messages embedded in ICAP requests while "%http::<..." codes are used
+# for HTTP messages embedded in ICAP responses. For example:
+#
+# http::>h To-be-adapted HTTP message headers sent by Squid to
+# the ICAP service. For REQMOD transactions, these are
+# HTTP request headers. For RESPMOD, these are HTTP
+# response headers, but Squid currently cannot log them
+# (i.e., %http::>h will expand to "-" for RESPMOD).
+#
+# http::st The total size of the ICAP request sent to the ICAP
+# server (ICAP headers + ICAP body), including chunking
+# metadata (if any).
+#
+# icap::h ICAP request header(s). Similar to >h.
+#
+# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data
+# R\n - rotate file
+# T\n - truncate file
+# O\n - reopen file
+# F\n - flush file
+# r\n - set rotate count to
+# b\n - 1 = buffer output, 0 = don't buffer output
+#
+# No responses is expected.
+#Default:
+# logfile_daemon /usr/lib/squid/log_file_daemon
+
+# TAG: stats_collection allow|deny acl acl...
+# This options allows you to control which requests gets accounted
+# in performance counters.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow logging for all transactions.
+
+# TAG: cache_store_log
+# Logs the activities of the storage manager.
Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long.
+# There are not really utilities to analyze this data, so you can safely
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
+# Example:
+# cache_store_log stdio:/var/log/squid/store.log
+# cache_store_log daemon:/var/log/squid/store.log
+#Default:
+# none
+
+# TAG: cache_swap_state
+# Location for the cache "swap.state" file. This index file holds
+# the metadata of objects saved on disk. It is used to rebuild
+# the cache during startup. Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file. If you change the order of the 'cache_dir'
+# lines in this file, these index files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend you do NOT use this option. It is
+# better to keep these index files in each 'cache_dir' directory.
+#Default:
+# Store the journal inside its cache_dir
+
+# TAG: logfile_rotate
+# Specifies the default number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9.
Setting logfile_rotate to 0 will
+# disable the file name rotation, but the logfiles are still closed
+# and re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
+#
+# Note, from Squid-4 this option is only a default for access.log
+# recorded by stdio: module. Those logs can be rotated separately by
+# using the rotate=N option on their access_log directive.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# '.
+#
+# Note, for Debian/Linux the default of logfile_rotate is
+# zero, since it includes external logfile-rotation methods.
+#Default:
+# logfile_rotate 0
+
+# TAG: mime_table
+# Path to Squid's icon configuration file.
+#
+# You shouldn't need to change this, but the default file contains
+# examples and formatting information if you do.
+#Default:
+# mime_table /usr/share/squid/mime.conf
+
+# TAG: log_mime_hdrs on|off
+# The Cache can record both the request and the response MIME
+# headers for each HTTP transaction. The headers are encoded
+# safely and will appear as two bracketed fields at the end of
+# the access log (for either the native or httpd-emulated log
+# formats). To enable this logging set log_mime_hdrs to 'on'.
+#Default:
+# log_mime_hdrs off
+
+# TAG: pid_filename
+# A filename to write the process-id to. To disable, enter "none".
+#Default:
+# pid_filename /run/squid.pid
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+#
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#Default:
+# Log full client IP address
+
+# TAG: strip_query_terms
+# By default, Squid strips query terms from requested URLs before
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
+#Default:
+# strip_query_terms on
+
+# TAG: buffered_logs on|off
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks. Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
+#Default:
+# buffered_logs off
+
+# TAG: netdb_filename
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
+#
+# To disable, enter "none".
+#Default:
+# netdb_filename stdio:/var/spool/squid/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
+#Default:
+# cache_log /var/log/squid/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section.
Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# The default is to run with "ALL,1" to record important warnings.
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# Log all critical and important messages.
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started. If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# Use the directory from where Squid was started.
+#
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# OPTIONS FOR FTP GATEWAYING
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky FTP servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some FTP server also validate the email address is valid
+# (for example perl.com).
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, turn off this option.
+#
+# Use of ftp_epsv_all option requires this to be ON.
+#Default:
+# ftp_passive on
+
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator, as the EPRT command will never be used and therefore,
+# translation of the data portion of the segments will never be needed.
+#
+# When a client only expects to do two-way FTP transfers this may be
+# useful.
+# If squid finds that it must do a three-way FTP transfer after issuing
+# an EPSV ALL command, the FTP session will fail.
+#
+# If you have any doubts about this option do not use it.
+# Squid will nicely attempt all other connection methods.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv_all off
+
+# TAG: ftp_epsv
+# FTP Protocol extensions permit the use of a special "EPSV" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator using EPSV, as the EPRT command will never be used
+# and therefore, translation of the data portion of the segments
+# will never be needed.
+#
+# EPSV is often required to interoperate with FTP servers on IPv6
+# networks. On the other hand, it may break some IPv4 servers.
+#
+# By default, EPSV may try EPSV with any FTP server. To fine tune
+# that decision, you may restrict EPSV to certain clients or servers
+# using ACLs:
+#
+# ftp_epsv allow|deny al1 acl2 ...
+#
+# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
+#
+# Only fast ACLs are supported.
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# none
+
+# TAG: ftp_eprt
+# FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+# This extension provides a protocol neutral alternative to the
+# IPv4-only PORT command. When supported it enables active FTP data
+# channels over IPv6 and efficient NAT handling.
+#
+# Turning this OFF will prevent EPRT being attempted and will skip
+# straight to using PORT for IPv4 servers.
+#
+# Some devices are known to not handle this extension correctly and
+# may result in crashes.
Devices which suport EPRT enough to fail
+# cleanly will result in Squid attempting PORT anyway. This directive
+# should only be disabled when EPRT results in device failures.
+#
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
+# TAG: ftp_sanitycheck
+# For security and data integrity reasons Squid by default performs
+# sanity checks of the addresses of FTP data connections ensure the
+# data connection is to the requested server. If you need to allow
+# FTP connections to servers using another IP address for the data
+# connection turn this off.
+#Default:
+# ftp_sanitycheck on
+
+# TAG: ftp_telnet_protocol
+# The FTP protocol is officially defined to use the telnet protocol
+# as transport channel for the control connection. However, many
+# implementations are broken and does not respect this aspect of
+# the FTP protocol.
+#
+# If you have trouble accessing files with ASCII code 255 in the
+# path or similar problems involving this ASCII code you can
+# try setting this directive to off. If that helps, report to the
+# operator of the FTP server in question that their FTP server
+# is broken and does not follow the FTP standard.
+#Default:
+# ftp_telnet_protocol on
+
+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+# -----------------------------------------------------------------------------
+
+# TAG: diskd_program
+# Specify the location of the diskd executable.
+# Note this is only useful if you have compiled in
+# diskd as one of the store io modules.
+#Default:
+# diskd_program /usr/lib/squid/diskd
+
+# TAG: unlinkd_program
+# Specify the location of the executable for file deletion process.
+#Default:
+# unlinkd_program /usr/lib/squid/unlinkd
+
+# TAG: pinger_program
+# Specify the location of the executable for the pinger process.
+#Default:
+# pinger_program /usr/lib/squid/pinger
+
+# TAG: pinger_enable
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable on
+
+# OPTIONS FOR URL REWRITING
+# -----------------------------------------------------------------------------
+
+# TAG: url_rewrite_program
+# The name and command line parameters of an admin-provided executable
+# for redirecting clients or adjusting/replacing client request URLs.
+#
+# This helper is consulted after the received request is cleared by
+# http_access and adapted using eICAP/ICAP services (if any). If the
+# helper does not redirect the client, Squid checks adapted_http_access
+# and may consult the cache or forward the request to the next hop.
+#
+#
+# For each request, the helper gets one line in the following format:
+#
+# [channel-ID ] request-URL [ extras]
+#
+# Use url_rewrite_extras to configure what Squid sends as 'extras'.
+#
+#
+# The helper must reply to each query using a single line:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result section must match exactly one of the following outcomes:
+#
+# OK [status=30N] url="..."
+#
+# Redirect the client to a URL supplied in the 'url' parameter.
+# Optional 'status' specifies the status code to send to the
+# client in Squid's HTTP redirect response. It must be one of
+# the standard HTTP redirect status codes: 301, 302, 303, 307,
+# or 308. When no specific status is requested, Squid uses 302.
+#
+# OK rewrite-url="..."
+#
+# Replace the current request URL with the one supplied in the
+# 'rewrite-url' parameter. Squid fetches the resource specified
+# by the new URL and forwards the received response (or its
+# cached copy) to the client.
+#
+# WARNING: Avoid rewriting URLs! When possible, redirect the
+# client using an "OK url=..." helper response instead.
+#
+# Rewriting URLs may create inconsistent requests and/or break
+# synchronization between internal client and origin server
+# states, especially when URLs or other message parts contain
+# snippets of that state. For example, Squid does not adjust
+# Location headers and embedded URLs after the helper rewrites
+# the request URL.
+#
+# OK
+# Keep the client request intact.
+#
+# ERR
+# Keep the client request intact.
+#
+# BH [message="..."]
+# A helper problem that should be reported to the Squid admin
+# via a level-1 cache.log message. The 'message' parameter is
+# reserved for specifying the log message.
+#
+# In addition to the kv-pairs mentioned above, Squid also understands
+# the following optional kv-pairs in URL rewriter responses:
+#
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+#
+# The clt_conn_tag=TAG pair is treated as a regular transaction
+# annotation for the current request and also annotates future
+# requests on the same client connection. A helper may update
+# the TAG during subsequent requests by returning a new kv-pair.
+#
+#
+# Helper messages contain the channel-ID part if and only if the
+# url_rewrite_children directive specifies positive concurrency. As a
+# channel-ID value, Squid sends a number between 0 and concurrency-1.
+# The helper must echo back the received channel-ID in its response.
+#
+# By default, Squid does not use a URL rewriter.
+#Default:
+# none
+
+# TAG: url_rewrite_children
+# Specifies the maximum number of redirector processes that Squid may
+# spawn (numberofchildren) and several related options. Using too few of
+# these helper processes (a.k.a. "helpers") creates request queues.
+# Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures.
When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each redirector helper can handle in
+# parallel. Defaults to 0 which indicates the redirector
+# is a old-style single threaded redirector.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. The default
+# maximum is zero if url_rewrite_bypass is enabled and
+# 2*numberofchildren otherwise. If the queued requests exceed queue size
+# and redirector_bypass configuration option is set, then redirector is
+# bypassed. Otherwise, Squid is allowed to temporarily exceed the
+# configured maximum, marking the affected helper as "overloaded". If
+# the helper overload lasts more than 3 minutes, the action prescribed
+# by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits.
This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: url_rewrite_host_header
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
+# WARNING: Entries are cached on the result of the URL rewriting
+# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
+#Default:
+# url_rewrite_host_header on
+
+# TAG: url_rewrite_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: url_rewrite_bypass
+# When this is 'on', a request will not go through the
+# redirector if all the helpers are busy. If this is 'off' and the
+# redirector queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# redirectors are not critical to your caching system. If you use
+# redirectors for access control, and you enable this option,
+# users may have access to pages they should not
+# be allowed to request.
+#
+# Enabling this option sets the default url_rewrite_children queue-size
+# option value to 0.
+#Default:
+# url_rewrite_bypass off
+
+# TAG: url_rewrite_extras
+# Specifies a string to be append to request line format for the
+# rewriter helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: url_rewrite_timeout
+# Squid times active requests to redirector. The timeout value and Squid
+# reaction to a timed out request are configurable using the following
+# format:
+#
+# url_rewrite_timeout timeout time-units on_timeout= [response=]
+#
+# supported timeout actions:
+# fail Squid return a ERR_GATEWAY_FAILURE error page
+#
+# bypass Do not re-write the URL
+#
+# retry Send the lookup to the helper again
+#
+# use_configured_response
+# Use the as helper response
+#Default:
+# Squid waits for the helper response forever
+
+# OPTIONS FOR STORE ID
+# -----------------------------------------------------------------------------
+
+# TAG: store_id_program
+# Specify the location of the executable StoreID helper to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the helper will receive one line with the format
+#
+# [channel-ID ] URL [ extras]
+#
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK store-id="..."
+# Use the StoreID supplied in 'store-id='.
+#
+# ERR
+# The default is to use HTTP request URL as the store ID.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# In addition to the above kv-pairs Squid also understands the following
+# optional kv-pairs received from URL rewriters:
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation for this
+# kv-pair
+#
+# Helper programs should be prepared to receive and possibly ignore
+# additional whitespace-separated tokens on each input line.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# NOTE: when using StoreID refresh_pattern will apply to the StoreID
+# returned from the helper and not the URL.
+#
+# WARNING: Wrong StoreID value returned by a careless helper may result
+# in the wrong cached response returned to the user.
+#
+# By default, a StoreID helper is not used.
+#Default:
+# none
+
+# TAG: store_id_extras
+# Specifies a string to be append to request line format for the
+# StoreId helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: store_id_children
+# Specifies the maximum number of StoreID helper processes that Squid
+# may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each storeID helper can handle in
+# parallel. Defaults to 0 which indicates the helper
+# is a old-style single threaded program.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests to N. A request is queued
+# when no existing child can accept it due to concurrency limit and no
+# new child can be started due to numberofchildren limit. The default
+# maximum is 2*numberofchildren. If the queued requests exceed queue
+# size and redirector_bypass configuration option is set, then
+# redirector is bypassed. Otherwise, Squid is allowed to temporarily
+# exceed the configured maximum, marking the affected helper as
+# "overloaded". If the helper overload lasts more than 3 minutes, the
+# action prescribed by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits. This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# store_id_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: store_id_access
+# If defined, this access list specifies which requests are
+# sent to the StoreID processes. By default all requests
+# are sent.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: store_id_bypass
+# When this is 'on', a request will not go through the
+# helper if all helpers are busy. If this is 'off' and the helper
+# queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# helpers are not critical to your caching system. If you use
+# helpers for critical caching components, and you enable this
+# option, users may not get objects from cache.
+# This options sets default queue-size option of the store_id_children
+# to 0.
+#Default:
+# store_id_bypass on
+
+# OPTIONS FOR TUNING THE CACHE
+# -----------------------------------------------------------------------------
+
+# TAG: cache
+# Requests denied by this directive will not be served from the cache
+# and their responses will not be stored in the cache. This directive
+# has no effect on other transactions and on already cached responses.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# This and the two other similar caching directives listed below are
+# checked at different transaction processing stages, have different
+# access to response information, affect different cache operations,
+# and differ in slow ACLs support:
+#
+# * cache: Checked before Squid makes a hit/miss determination.
+# No access to reply information!
+# Denies both serving a hit and storing a miss.
+# Supports both fast and slow ACLs.
+# * send_hit: Checked after a hit was detected.
+# Has access to reply (hit) information.
+# Denies serving a hit only.
+# Supports fast ACLs only.
+# * store_miss: Checked before storing a cachable miss.
+# Has access to reply (miss) information.
+# Denies storing a miss only.
+# Supports fast ACLs only.
+#
+# If you are not sure which of the three directives to use, apply the
+# following decision logic:
+#
+# * If your ACL(s) are of slow type _and_ need response info, redesign.
+# Squid does not support that particular combination at this time.
+# Otherwise:
+# * If your directive ACL(s) are of slow type, use "cache"; and/or
+# * if your directive ACL(s) need no response info, use "cache".
+# Otherwise:
+# * If you do not want the response cached, use store_miss; and/or
+# * if you do not want a hit on a cached response, use send_hit.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: send_hit
+# Responses denied by this directive will not be served from the cache
+# (but may still be cached, see store_miss). This directive has no
+# effect on the responses it allows and on the cached objects.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives.
+#
+# Unlike the "cache" directive, send_hit only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# For example:
+#
+# # apply custom Store ID mapping to some URLs
+# acl MapMe dstdomain .c.example.com
+# store_id_program ...
+# store_id_access allow MapMe
+#
+# # but prevent caching of special responses
+# # such as 302 redirects that cause StoreID loops
+# acl Ordinary http_status 200-299
+# store_miss deny MapMe !Ordinary
+#
+# # and do not serve any previously stored special responses
+# # from the cache (in case they were already cached before
+# # the above store_miss rule was in effect).
+# send_hit deny MapMe !Ordinary
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: store_miss
+# Responses denied by this directive will not be cached (but may still
+# be served from the cache, see send_hit). This directive has no
+# effect on the responses it allows and on the already cached responses.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives. See the
+# send_hit directive for a usage example.
+#
+# Unlike the "cache" directive, store_miss only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: max_stale time-units
+# This option puts an upper limit on how stale content Squid
+# will serve from the cache if cache validation fails.
+# Can be overriden by the refresh_pattern max-stale option.
+#Default:
+# max_stale 1 week
+
+# TAG: refresh_pattern
+# usage: refresh_pattern [-i] regex min percent max [options]
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# 'Min' is the time (in minutes) an object without an explicit
+# expiry time should be considered fresh. The recommended
+# value is 0, any higher values may cause dynamic applications
+# to be erroneously cached unless the application designer
+# has taken the appropriate actions.
+#
+# 'Percent' is a percentage of the objects age (time since last
+# modification age) an object without explicit expiry time
+# will be considered fresh.
+#
+# 'Max' is an upper limit on how long objects without an explicit
+# expiry time will be considered fresh. The value is also used
+# to form Cache-Control: max-age header for a request sent from
+# Squid to origin/parent.
+#
+# options: override-expire
+# override-lastmod
+# reload-into-ims
+# ignore-reload
+# ignore-no-store
+# ignore-private
+# max-stale=NN
+# refresh-ims
+# store-stale
+#
+# override-expire enforces min age even if the server
+# sent an explicit expiry time (e.g., with the
+# Expires: header or Cache-Control: max-age). Doing this
+# VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# Note: override-expire does not enforce staleness - it only extends
+# freshness / min. If the server returns a Expires time which
+# is longer than your max time, Squid will still consider
+# the object fresh for that period of time.
+#
+# override-lastmod enforces min age even on objects
+# that were modified recently.
+#
+# reload-into-ims changes a client no-cache or ``reload''
+# request for a cached entry into a conditional request using
+# If-Modified-Since and/or If-None-Match headers, provided the
+# cached entry has a Last-Modified and/or a strong ETag header.
+# Doing this VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# ignore-reload ignores a client no-cache or ``reload''
+# header. Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which
+# it causes.
+#
+# ignore-no-store ignores any ``Cache-control: no-store''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-private ignores any ``Cache-control: private''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# refresh-ims causes squid to contact the origin server
+# when a client issues an If-Modified-Since request. This
+# ensures that the client will receive an updated version
+# if one is available.
+#
+# store-stale stores responses even if they don't have explicit
+# freshness or a validator (i.e., Last-Modified or an ETag)
+# present, or if they're already stale. By default, Squid will
+# not cache such responses because they usually can't be
+# reused. Note that such responses will be stale by default.
+#
+# max-stale=NN provide a maximum staleness factor. Squid won't
+# serve objects more stale than this even if it failed to
+# validate the object. Default: use the max_stale global limit.
+#
+# Basically a cached object is:
+#
+# FRESH if expire > now, else STALE
+# STALE if age > max
+# FRESH if lm-factor < percent, else STALE
+# FRESH if age < min
+# else STALE
+#
+# The refresh_pattern lines are checked in the order listed here.
+# The first entry which matches is used. If none of the entries
+# match the default will be used.
+#
+# Note, you must uncomment all the default lines if you want
+# to change one. The default setting is only active if none is
+# used.
+#
+#
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+# TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
+# TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
+# TAG: quick_abort_pct (percent)
+# The cache by default continues downloading aborted requests
+# which are almost completed (less than 16 KB remaining). This
+# may be undesirable on slow (e.g. SLIP) links and/or very busy
+# caches. Impatient users may tie up file descriptors and
+# bandwidth by repeatedly requesting and immediately aborting
+# downloads.
+#
+# When the user aborts a request, Squid will check the
+# quick_abort values to the amount of data transferred until
+# then.
+#
+# If the transfer has less than 'quick_abort_min' KB remaining,
+# it will finish the retrieval.
+#
+# If the transfer has more than 'quick_abort_max' KB remaining,
+# it will abort the retrieval.
+#
+# If more than 'quick_abort_pct' of the transfer has completed,
+# it will finish the retrieval.
+#
+# If you do not want any retrieval to continue after the client
+# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+# to '0 KB'.
+#
+# If you want retrievals to always continue if they are being
+# cached set 'quick_abort_min' to '-1 KB'.
+#Default:
+# quick_abort_pct 95
+
+# TAG: read_ahead_gap buffer-size
+# The amount of data the cache will buffer ahead of what has been
+# sent to the client when retrieving an object from another server.
+#Default:
+# read_ahead_gap 16 KB
+
+# TAG: negative_ttl time-units
+# Set the Default Time-to-Live (TTL) for failed requests.
+# Certain types of failures (such as "connection refused" and
+# "404 Not Found") are able to be negatively-cached for a short time.
+# Modern web servers should provide Expires: header, however if they
+# do not this can provide a minimum TTL.
+# The default is not to cache errors with unknown expiry details.
+#
+# Note that this is different from negative caching of DNS lookups.
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#Default:
+# negative_ttl 0 seconds
+
+# TAG: positive_dns_ttl time-units
+# Upper limit on how long Squid will cache positive DNS responses.
+# Default is 6 hours (360 minutes). This directive must be set
+# larger than negative_dns_ttl.
+#Default:
+# positive_dns_ttl 6 hours
+
+# TAG: negative_dns_ttl time-units
+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
+# This also sets the lower cache limit on positive lookups.
+# Minimum value is 1 second, and it is not recommendable to go
+# much below 10 seconds.
+#Default:
+# negative_dns_ttl 1 minutes
+
+# TAG: range_offset_limit size [acl acl...]
+# usage: (size) [units] [[!]aclname]
+#
+# Sets an upper limit on how far (number of bytes) into the file
+# a Range request may be to cause Squid to prefetch the whole file.
+# If beyond this limit, Squid forwards the Range request as it is and
+# the result is NOT cached.
+#
+# This is to stop a far ahead range request (lets say start at 17MB)
+# from making Squid fetch the whole object up to that point before
+# sending anything to the client.
+#
+# Multiple range_offset_limit lines may be specified, and they will
+# be searched from top to bottom on each request until a match is found.
+# The first match found will be used. If no line matches a request, the
+# default limit of 0 bytes will be used.
+#
+# 'size' is the limit specified as a number of units.
+#
+# 'units' specifies whether to use bytes, KB, MB, etc.
+# If no units are specified bytes are assumed.
+#
+# A size of 0 causes Squid to never fetch more than the
+# client requested. (default)
+#
+# A size of 'none' causes Squid to always fetch the object from the
+# beginning so it may cache the result. (2.0 style)
+#
+# 'aclname' is the name of a defined ACL.
+#
+# NP: Using 'none' as the byte value here will override any quick_abort settings
+# that may otherwise apply to the range request. The range request will
+# be fully fetched from start to finish regardless of the client
+# actions. This affects bandwidth usage.
+#Default:
+# none
+
+# TAG: minimum_expiry_time (seconds)
+# The minimum caching time according to (Expires - Date)
+# headers Squid honors if the object can't be revalidated.
+# The default is 60 seconds.
+#
+# In reverse proxy environments it might be desirable to honor
+# shorter object lifetimes. It is most likely better to make
+# your server return a meaningful Last-Modified header however.
+#
+# In ESI environments where page fragments often have short
+# lifetimes, this will often be best set to 0.
+#Default:
+# minimum_expiry_time 60 seconds
+
+# TAG: store_avg_object_size (bytes)
+# Average object size, used to estimate number of objects your
+# cache can hold. The default is 13 KB.
+#
+# This is used to pre-seed the cache index memory allocation to
+# reduce expensive reallocate operations while handling clients
+# traffic. Too-large values may result in memory allocation during
+# peak traffic, too-small values will result in wasted memory.
+#
+# Check the cache manager 'info' report metrics for the real
+# object sizes seen by your Squid before tuning this.
+#Default:
+# store_avg_object_size 13 KB
+
+# TAG: store_objects_per_bucket
+# Target number of objects per bucket in the store hash table.
+# Lowering this value increases the total number of buckets and
+# also the storage maintenance rate. The default is 20.
+#Default:
+# store_objects_per_bucket 20
+
+# HTTP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: request_header_max_size (KB)
+# This directives limits the header size of a received HTTP request
+# (including request-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to received FTP commands.
+#
+# This limit has no direct affect on Squid memory consumption.
+#
+# Squid does not check this limit when sending requests.
+#Default:
+# request_header_max_size 64 KB
+
+# TAG: reply_header_max_size (KB)
+# This directives limits the header size of a received HTTP response
+# (including status-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to FTP command responses.
+#
+# Squid also checks this limit when loading hit responses from disk cache.
+#
+# Squid does not check this limit when sending responses.
+#Default:
+# reply_header_max_size 64 KB
+
+# TAG: request_body_max_size (bytes)
+# This specifies the maximum size for an HTTP request body.
+# In other words, the maximum size of a PUT/POST request.
+# A user who attempts to send a request with a body larger
+# than this limit receives an "Invalid Request" error message.
+# If you set this parameter to a zero (the default), there will
+# be no limit imposed.
+#
+# See also client_request_buffer_max_size for an alternative
+# limitation on client uploads which can be configured.
+#Default:
+# No limit.
+
+# TAG: client_request_buffer_max_size (bytes)
+# This specifies the maximum buffer size of a client request.
+# It prevents squid eating too much memory when somebody uploads
+# a large file.
+#Default:
+# client_request_buffer_max_size 512 KB
+
+# TAG: broken_posts
+# A list of ACL elements which, if matched, causes Squid to send
+# an extra CRLF pair after the body of a PUT/POST request.
+#
+# Some HTTP servers has broken implementations of PUT/POST,
+# and rely on an extra CRLF pair sent by some WWW clients.
+#
+# Quote from RFC2616 section 4.1 on this matter:
+#
+# Note: certain buggy HTTP/1.0 client implementations generate an
+# extra CRLF's after a POST request. To restate what is explicitly
+# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
+# a request with an extra CRLF.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# acl buggy_server url_regex ^http://....
+# broken_posts allow buggy_server
+#Default:
+# Obey RFC 2616.
+
+# TAG: adaptation_uses_indirect_client on|off
+# Controls whether the indirect client IP address (instead of the direct
+# client IP address) is passed to adaptation services.
+#
+# See also: follow_x_forwarded_for adaptation_send_client_ip
+#Default:
+# adaptation_uses_indirect_client on
+
+# TAG: via on|off
+# If set (default), Squid will include a Via header in requests and
+# replies as required by RFC2616.
+#Default:
+# via on
+
+# TAG: vary_ignore_expire on|off
+# Many HTTP servers supporting Vary gives such objects
+# immediate expiry time with no cache-control header
+# when requested by a HTTP/1.0 client. This option
+# enables Squid to ignore such expiry times until
+# HTTP/1.1 is fully implemented.
+#
+# WARNING: If turned on this may eventually cause some
+# varying objects not intended for caching to get cached.
+#Default:
+# vary_ignore_expire off
+
+# TAG: request_entities
+# Squid defaults to deny GET and HEAD requests with request entities,
+# as the meaning of such requests are undefined in the HTTP standard
+# even if not explicitly forbidden.
+#
+# Set this directive to on if you have clients which insists
+# on sending request entities in GET or HEAD requests. But be warned
+# that there is server software (both proxies and web servers) which
+# can fail to properly process this kind of request which may make you
+# vulnerable to cache pollution attacks if enabled.
+#Default:
+# request_entities off
+
+# TAG: request_header_access
+# Usage: request_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option replaces the old 'anonymize_headers' and the
+# older 'http_anonymizer' option with something that is much
+# more configurable. A list of ACLs for each header name allows
+# removal of specific header fields under specific conditions.
+#
+# This option only applies to outgoing HTTP request headers (i.e.,
+# headers sent by Squid to the next HTTP hop such as a cache peer
+# or an origin server). The option has no effect during cache hit
+# detection.
The equivalent adaptation vectoring point in ICAP
+# terminology is post-cache REQMOD.
+#
+# The option is applied to individual outgoing request header
+# fields. For each request header field F, Squid uses the first
+# qualifying sets of request_header_access rules:
+#
+# 1. Rules with header_name equal to F's name.
+# 2. Rules with header_name 'Other', provided F's name is not
+# on the hard-coded list of commonly used HTTP header names.
+# 3. Rules with header_name 'All'.
+#
+# Within that qualifying rule set, rule ACLs are checked as usual.
+# If ACLs of an "allow" rule match, the header field is allowed to
+# go through as is. If ACLs of a "deny" rule match, the header is
+# removed and request_header_replace is then checked to identify
+# if the removed header has a replacement. If no rules within the
+# set have matching ACLs, the header field is left as is.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# request_header_access From deny all
+# request_header_access Referer deny all
+# request_header_access User-Agent deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# request_header_access Authorization allow all
+# request_header_access Proxy-Authorization allow all
+# request_header_access Cache-Control allow all
+# request_header_access Content-Length allow all
+# request_header_access Content-Type allow all
+# request_header_access Date allow all
+# request_header_access Host allow all
+# request_header_access If-Modified-Since allow all
+# request_header_access Pragma allow all
+# request_header_access Accept allow all
+# request_header_access Accept-Charset allow all
+# request_header_access Accept-Encoding allow all
+# request_header_access Accept-Language allow all
+# request_header_access Connection allow all
+# request_header_access All deny all
+#
+# HTTP reply headers are controlled with the reply_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is performed).
+#Default:
+# No limits.
+
+# TAG: reply_header_access
+# Usage: reply_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option only applies to reply headers, i.e., from the
+# server to the client.
+#
+# This is the same as request_header_access, but in the other
+# direction. Please see request_header_access for detailed
+# documentation.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# reply_header_access Server deny all
+# reply_header_access WWW-Authenticate deny all
+# reply_header_access Link deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# reply_header_access Allow allow all
+# reply_header_access WWW-Authenticate allow all
+# reply_header_access Proxy-Authenticate allow all
+# reply_header_access Cache-Control allow all
+# reply_header_access Content-Encoding allow all
+# reply_header_access Content-Length allow all
+# reply_header_access Content-Type allow all
+# reply_header_access Date allow all
+# reply_header_access Expires allow all
+# reply_header_access Last-Modified allow all
+# reply_header_access Location allow all
+# reply_header_access Pragma allow all
+# reply_header_access Content-Language allow all
+# reply_header_access Retry-After allow all
+# reply_header_access Title allow all
+# reply_header_access Content-Disposition allow all
+# reply_header_access Connection allow all
+# reply_header_access All deny all
+#
+# HTTP request headers are controlled with the request_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is
+# performed).
+#Default:
+# No limits.
+
+# TAG: request_header_replace
+# Usage: request_header_replace header_name message
+# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+#
+# This option allows you to change the contents of headers
+# denied with request_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to request headers, not reply headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: reply_header_replace
+# Usage: reply_header_replace header_name message
+# Example: reply_header_replace Server Foo/1.0
+#
+# This option allows you to change the contents of headers
+# denied with reply_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to reply headers, not request headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: request_header_add
+# Usage: request_header_add field-name field-value [ acl ... ]
+# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP requests (i.e.,
+# request headers sent by Squid to the next HTTP hop such as a
+# cache peer or an origin server). The option has no effect during
+# cache hit detection. The equivalent adaptation vectoring point
+# in ICAP terminology is post-cache REQMOD.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the request to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching requests.
As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The request_header_add supports fast ACLs only.
+#
+# See also: reply_header_add.
+#Default:
+# none
+
+# TAG: reply_header_add
+# Usage: reply_header_add field-name field-value [ acl ... ]
+# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP responses (i.e., response
+# headers delivered by Squid to the client). This option has no effect on
+# cache hit detection. The equivalent adaptation vectoring point in
+# ICAP terminology is post-cache RESPMOD. This option does not apply to
+# successful CONNECT replies.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the response to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching responses. As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The reply_header_add option supports fast ACLs only.
+#
+# See also: request_header_add.
+#Default:
+# none
+
+# TAG: note
+# This option used to log custom information about the master
+# transaction. For example, an admin may configure Squid to log
+# which "user group" the transaction belongs to, where "user group"
+# will be determined based on a set of ACLs and not [just]
+# authentication information.
+# Values of key/value pairs can be logged using %{key}note macros:
+#
+# note key value acl ...
+# logformat myFormat ... %{key}note ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: relaxed_header_parser on|off|warn
+# In the default "on" setting Squid accepts certain forms
+# of non-compliant HTTP messages where it is unambiguous
+# what the sending application intended even if the message
+# is not correctly formatted. The messages is then normalized
+# to the correct form when forwarded by Squid.
+#
+# If set to "warn" then a warning will be emitted in cache.log
+# each time such HTTP error is encountered.
+#
+# If set to "off" then such HTTP errors will cause the request
+# or response to be rejected.
+#Default:
+# relaxed_header_parser on
+
+# TAG: collapsed_forwarding (on|off)
+# This option controls whether Squid is allowed to merge multiple
+# potentially cachable requests for the same URI before Squid knows
+# whether the response is going to be cachable.
+#
+# When enabled, instead of forwarding each concurrent request for
+# the same URL, Squid just sends the first of them. The other, so
+# called "collapsed" requests, wait for the response to the first
+# request and, if it happens to be cachable, use that response.
+# Here, "concurrent requests" means "received after the first
+# request headers were parsed and before the corresponding response
+# headers were parsed".
+#
+# This feature is disabled by default: enabling collapsed
+# forwarding needlessly delays forwarding requests that look
+# cachable (when they are collapsed) but then need to be forwarded
+# individually anyway because they end up being for uncachable
+# content. However, in some cases, such as acceleration of highly
+# cachable content with periodic or grouped expiration times, the
+# gains from collapsing [large volumes of simultaneous refresh
+# requests] outweigh losses from such delays.
+#
+# Squid collapses two kinds of requests: regular client requests
+# received on one of the listening ports and internal "cache
+# revalidation" requests which are triggered by those regular
+# requests hitting a stale cached object. Revalidation collapsing
+# is currently disabled for Squid instances containing SMP-aware
+# disk or memory caches and for Vary-controlled cached objects.
+#Default:
+# collapsed_forwarding off
+
+# TAG: collapsed_forwarding_access
+# Use this directive to restrict collapsed forwarding to a subset of
+# eligible requests. The directive is checked for regular HTTP
+# requests, internal revalidation requests, and HTCP/ICP requests.
+#
+# collapsed_forwarding_access allow|deny [!]aclname ...
+#
+# This directive cannot force collapsing. It has no effect on
+# collapsing unless collapsed_forwarding is 'on', and all other
+# collapsing preconditions are satisfied.
+#
+# * A denied request will not collapse, and future transactions will
+# not collapse on it (even if they are allowed to collapse).
+#
+# * An allowed request may collapse, or future transactions may
+# collapse on it (provided they are allowed to collapse).
+#
+# This directive is evaluated before receiving HTTP response headers
+# and without access to Squid-to-peer connection (if any).
+#
+# Only fast ACLs are supported.
+#
+# See also: collapsed_forwarding.
+#Default:
+# Requests may be collapsed if collapsed_forwarding is on.
+
+# TAG: shared_transient_entries_limit (number of entries)
+# This directive limits the size of a table used for sharing current
+# transaction information among SMP workers. A table entry stores meta
+# information about a single cache entry being delivered to Squid
+# client(s) by one or more SMP workers. A single table entry consumes
+# less than 128 shared memory bytes.
+#
+# The limit should be significantly larger than the number of
+# concurrent non-collapsed cachable responses leaving Squid.
For a
+# cache that handles less than 5000 concurrent requests, the default
+# setting of 16384 should be plenty.
+#
+# Using excessively large values wastes shared memory. Limiting the
+# table size too much results in hash collisions, leading to lower hit
+# ratio and missed SMP request collapsing opportunities: Transactions
+# left without a table entry cannot cache their responses and are
+# invisible to other concurrent requests for the same resource.
+#
+# A zero limit is allowed but unsupported. A positive small limit
+# lowers hit ratio, but zero limit disables a lot of essential
+# synchronization among SMP workers, leading to HTTP violations (e.g.,
+# stale hit responses). It also disables shared collapsed forwarding:
+# A worker becomes unable to collapse its requests on transactions in
+# other workers, resulting in more trips to the origin server and more
+# cache thrashing.
+#Default:
+# shared_transient_entries_limit 16384
+
+# TIMEOUTS
+# -----------------------------------------------------------------------------
+
+# TAG: forward_timeout time-units
+# This parameter specifies how long Squid should at most attempt in
+# finding a forwarding path for the request before giving up.
+#Default:
+# forward_timeout 4 minutes
+
+# TAG: connect_timeout time-units
+# This parameter specifies how long to wait for the TCP connect to
+# the requested server or peer to complete before Squid should
+# attempt to find another path where to forward the request.
+#Default:
+# connect_timeout 1 minute
+
+# TAG: peer_connect_timeout time-units
+# This parameter specifies how long to wait for a pending TCP
+# connection to a peer cache. The default is 30 seconds. You
+# may also set different timeout values for individual neighbors
+# with the 'connect-timeout' option on a 'cache_peer' line.
+#Default:
+# peer_connect_timeout 30 seconds
+
+# TAG: read_timeout time-units
+# Applied on peer server connections.
+#
+# After each successful read(), the timeout will be extended by this
+# amount. If no data is read again after this amount of time,
+# the request is aborted and logged with ERR_READ_TIMEOUT.
+#
+# The default is 15 minutes.
+#Default:
+# read_timeout 15 minutes
+
+# TAG: write_timeout time-units
+# This timeout is tracked for all connections that have data
+# available for writing and are waiting for the socket to become
+# ready. After each successful write, the timeout is extended by
+# the configured amount. If Squid has data to write but the
+# connection is not ready for the configured duration, the
+# transaction associated with the connection is terminated. The
+# default is 15 minutes.
+#Default:
+# write_timeout 15 minutes
+
+# TAG: request_timeout
+# How long to wait for complete HTTP request headers after initial
+# connection establishment.
+#Default:
+# request_timeout 5 minutes
+
+# TAG: request_start_timeout
+# How long to wait for the first request byte after initial
+# connection establishment.
+#Default:
+# request_start_timeout 5 minutes
+
+# TAG: client_idle_pconn_timeout
+# How long to wait for the next HTTP request on a persistent
+# client connection after the previous request completes.
+#Default:
+# client_idle_pconn_timeout 2 minutes
+
+# TAG: ftp_client_idle_timeout
+# How long to wait for an FTP request on a connection to Squid ftp_port.
+# Many FTP clients do not deal with idle connection closures well,
+# necessitating a longer default timeout than client_idle_pconn_timeout
+# used for incoming HTTP requests.
+#Default:
+# ftp_client_idle_timeout 30 minutes
+
+# TAG: client_lifetime time-units
+# The maximum amount of time a client (browser) is allowed to
+# remain connected to the cache process.
This protects the Cache
+# from having a lot of sockets (and hence file descriptors) tied up
+# in a CLOSE_WAIT state from remote clients that go away without
+# properly shutting down (either because of a network failure or
+# because of a poor client implementation). The default is one
+# day, 1440 minutes.
+#
+# NOTE: The default value is intended to be much larger than any
+# client would ever need to be connected to your cache. You
+# should probably change client_lifetime only as a last resort.
+# If you seem to have many client connections tying up
+# filedescriptors, we recommend first tuning the read_timeout,
+# request_timeout, persistent_request_timeout and quick_abort values.
+#Default:
+# client_lifetime 1 day
+
+# TAG: pconn_lifetime time-units
+# Desired maximum lifetime of a persistent connection.
+# When set, Squid will close a now-idle persistent connection that
+# exceeded configured lifetime instead of moving the connection into
+# the idle connection pool (or equivalent). No effect on ongoing/active
+# transactions. Connection lifetime is the time period from the
+# connection acceptance or opening time until "now".
+#
+# This limit is useful in environments with long-lived connections
+# where Squid configuration or environmental factors change during a
+# single connection lifetime. If unrestricted, some connections may
+# last for hours and even days, ignoring those changes that should
+# have affected their behavior or their existence.
+#
+# Currently, a new lifetime value supplied via Squid reconfiguration
+# has no effect on already idle connections unless they become busy.
+#
+# When set to '0' this limit is not used.
+#Default:
+# pconn_lifetime 0 seconds
+
+# TAG: half_closed_clients
+# Some clients may shutdown the sending side of their TCP
+# connections, while leaving their receiving sides open. Sometimes,
+# Squid can not tell the difference between a half-closed and a
+# fully-closed TCP connection.
+#
+# By default, Squid will immediately close client connections when
+# read(2) returns "no more data to read."
+#
+# Change this option to 'on' and Squid will keep open connections
+# until a read(2) or write(2) on the socket returns an error.
+# This may show some benefits for reverse proxies. But if not
+# it is recommended to leave OFF.
+#Default:
+# half_closed_clients off
+
+# TAG: server_idle_pconn_timeout
+# Timeout for idle persistent connections to servers and other
+# proxies.
+#Default:
+# server_idle_pconn_timeout 1 minute
+
+# TAG: ident_timeout
+# Maximum time to wait for IDENT lookups to complete.
+#
+# If this is too high, and you enabled IDENT lookups from untrusted
+# users, you might be susceptible to denial-of-service by having
+# many ident requests going at once.
+#Default:
+# ident_timeout 10 seconds
+
+# TAG: shutdown_lifetime time-units
+# When SIGTERM or SIGHUP is received, the cache is put into
+# "shutdown pending" mode until all active sockets are closed.
+# This value is the lifetime to set for all open descriptors
+# during shutdown mode. Any active clients after this many
+# seconds will receive a 'timeout' message.
+#Default:
+# shutdown_lifetime 30 seconds
+
+# ADMINISTRATIVE PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mgr
+# Email-address of local cache manager who will receive
+# mail if the cache dies. The default is "webmaster".
+#Default:
+# cache_mgr webmaster
+
+# TAG: mail_from
+#
From: email-address for mail sent when the cache dies.
+# The default is to use 'squid@unique_hostname'.
+#
+# See also: unique_hostname directive.
+#Default:
+# none
+
+# TAG: mail_program
+# Email program used to send mail if the cache dies.
+# The default is "mail". The specified program must comply
+# with the standard Unix mail syntax:
+# mail-program recipient < mailfile
+#
+# Optional command line options can be specified.
+#Default:
+# mail_program mail
+
+# TAG: cache_effective_user
+# If you start Squid as root, it will change its effective/real
+# UID/GID to the user specified below. The default is to change
+# to UID of proxy.
+# see also; cache_effective_group
+#Default:
+# cache_effective_user proxy
+
+# TAG: cache_effective_group
+# Squid sets the GID to the effective user's default group ID
+# (taken from the password file) and supplementary group list
+# from the groups membership.
+#
+# If you want Squid to run with a specific GID regardless of
+# the group memberships of the effective user then set this
+# to the group (or GID) you want Squid to run as. When set
+# all other group privileges of the effective user are ignored
+# and only this GID is effective. If Squid is not started as
+# root the user starting Squid MUST be member of the specified
+# group.
+#
+# This option is not recommended by the Squid Team.
+# Our preference is for administrators to configure a secure
+# user account for squid with UID/GID matching system policies.
+#Default:
+# Use system group memberships of the cache_effective_user account
+
+# TAG: httpd_suppress_version_string on|off
+# Suppress Squid version string info in HTTP headers and HTML error pages.
+#Default:
+# httpd_suppress_version_string off
+
+# TAG: visible_hostname
+# If you want to present a special hostname in error messages, etc,
+# define this. Otherwise, the return value of gethostname()
+# will be used.
If you have multiple caches in a cluster and
+# get errors about IP-forwarding you must set them to have individual
+# names with this setting.
+#Default:
+# Automatically detect the system host name
+
+# TAG: unique_hostname
+# If you want to have multiple machines with the same
+# 'visible_hostname' you must give each machine a different
+# 'unique_hostname' so forwarding loops can be detected.
+#Default:
+# Copy the value from visible_hostname
+
+# TAG: hostname_aliases
+# A list of other DNS names your cache has.
+#Default:
+# none
+
+# TAG: umask
+# Minimum umask which should be enforced while the proxy
+# is running, in addition to the umask set at startup.
+#
+# For a traditional octal representation of umasks, start
+# your value with 0.
+#Default:
+# umask 027
+
+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
+# -----------------------------------------------------------------------------
+#
+# This section contains parameters for the (optional) cache
+# announcement service. This service is provided to help
+# cache administrators locate one another in order to join or
+# create cache hierarchies.
+#
+# An 'announcement' message is sent (via UDP) to the registration
+# service by Squid. By default, the announcement message is NOT
+# SENT unless you enable it with 'announce_period' below.
+#
+# The announcement message includes your hostname, plus the
+# following information from this configuration file:
+#
+# http_port
+# icp_port
+# cache_mgr
+#
+# All current information is processed regularly and made
+# available on the Web at http://www.ircache.net/Cache/Tracker/.
+
+# TAG: announce_period
+# This is how frequently to send cache announcements.
+#
+# To enable announcing your cache, just set an announce period.
+#
+# Example:
+# announce_period 1 day
+#Default:
+# Announcement messages disabled.
+
+# TAG: announce_host
+# Set the hostname where announce registration messages will be sent.
+#
+# See also announce_port and announce_file
+#Default:
+# announce_host tracker.ircache.net
+
+# TAG: announce_file
+# The contents of this file will be included in the announce
+# registration messages.
+#Default:
+# none
+
+# TAG: announce_port
+# Set the port where announce registration messages will be sent.
+#
+# See also announce_host and announce_file
+#Default:
+# announce_port 3131
+
+# HTTPD-ACCELERATOR OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: httpd_accel_surrogate_id
+# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
+# need an identification token to allow control targeting. Because
+# a farm of surrogates may all perform the same tasks, they may share
+# an identification token.
+#
+# When the surrogate is a reverse-proxy, this ID is also
+# used as cdn-id for CDN-Loop detection (RFC 8586).
+#Default:
+# visible_hostname is used if no specific ID is set.
+
+# TAG: http_accel_surrogate_remote on|off
+# Remote surrogates (such as those in a CDN) honour the header
+# "Surrogate-Control: no-store-remote".
+#
+# Set this to on to have squid behave as a remote surrogate.
+#Default:
+# http_accel_surrogate_remote off
+
+# TAG: esi_parser libxml2|expat
+# Selects the XML parsing library to use when interpreting responses with
+# Edge Side Includes.
+#
+# To disable ESI handling completely, ./configure Squid with --disable-esi.
+#Default:
+# Selects libxml2 if available at ./configure time or libexpat otherwise.
+
+# DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: delay_pools
+# This represents the number of delay pools to be used. For example,
+# if you have one class 2 delay pool and one class 3 delays pool, you
+# have a total of 2 delay pools.
+#
+# See also delay_parameters, delay_class, delay_access for pool
+# configuration details.
+#Default:
+# delay_pools 0
+
+# TAG: delay_class
+# This defines the class of each delay pool. There must be exactly one
+# delay_class line for each delay pool. For example, to define two
+# delay pools, one of class 2 and one of class 3, the settings above
+# and here would be:
+#
+# Example:
+# delay_pools 4 # 4 delay pools
+# delay_class 1 2 # pool 1 is a class 2 pool
+# delay_class 2 3 # pool 2 is a class 3 pool
+# delay_class 3 4 # pool 3 is a class 4 pool
+# delay_class 4 5 # pool 4 is a class 5 pool
+#
+# The delay pool classes are:
+#
+# class 1 Everything is limited by a single aggregate
+# bucket.
+#
+# class 2 Everything is limited by a single aggregate
+# bucket as well as an "individual" bucket chosen
+# from bits 25 through 32 of the IPv4 address.
+#
+# class 3 Everything is limited by a single aggregate
+# bucket as well as a "network" bucket chosen
+# from bits 17 through 24 of the IP address and a
+# "individual" bucket chosen from bits 17 through
+# 32 of the IPv4 address.
+#
+# class 4 Everything in a class 3 delay pool, with an
+# additional limit on a per user basis. This
+# only takes effect if the username is established
+# in advance - by forcing authentication in your
+# http_access rules.
+#
+# class 5 Requests are grouped according their tag (see
+# external_acl's tag= reply).
+#
+#
+# Each pool also requires a delay_parameters directive to configure the pool size
+# and speed limits used whenever the pool is applied to a request. Along with
+# a set of delay_access directives to determine when it is used.
+#
+# NOTE: If an IP address is a.b.c.d
+# -> bits 25 through 32 are "d"
+# -> bits 17 through 24 are "c"
+# -> bits 17 through 32 are "c * 256 + d"
+#
+# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
+# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also delay_parameters and delay_access.
+#Default:
+# none
+
+# TAG: delay_access
+# This is used to determine which delay pool a request falls into.
+#
+# delay_access is sorted per pool and the matching starts with pool 1,
+# then pool 2, ..., and finally pool N. The first delay pool where the
+# request is allowed is selected for the request. If it does not allow
+# the request to any pool then the request is not delayed (default).
+#
+# For example, if you want some_big_clients in delay
+# pool 1 and lotsa_little_clients in delay pool 2:
+#
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+# delay_access 3 allow authenticated_clients
+#
+# See also delay_parameters and delay_class.
+#
+#Default:
+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: delay_parameters
+# This defines the parameters for a delay pool. Each delay pool has
+# a number of "buckets" associated with it, as explained in the
+# description of delay_class.
+#
+# For a class 1 delay pool, the syntax is:
+# delay_class pool 1
+# delay_parameters pool aggregate
+#
+# For a class 2 delay pool:
+# delay_class pool 2
+# delay_parameters pool aggregate individual
+#
+# For a class 3 delay pool:
+# delay_class pool 3
+# delay_parameters pool aggregate network individual
+#
+# For a class 4 delay pool:
+# delay_class pool 4
+# delay_parameters pool aggregate network individual user
+#
+# For a class 5 delay pool:
+# delay_class pool 5
+# delay_parameters pool tagrate
+#
+# The option variables are:
+#
+# pool a pool number - ie, a number between 1 and the
+# number specified in delay_pools as used in
+# delay_class lines.
+#
+# aggregate the speed limit parameters for the aggregate bucket
+# (class 1, 2, 3).
+#
+# individual the speed limit parameters for the individual
+# buckets (class 2, 3).
+#
+# network the speed limit parameters for the network buckets
+# (class 3).
+#
+# user the speed limit parameters for the user buckets
+# (class 4).
+#
+# tagrate the speed limit parameters for the tag buckets
+# (class 5).
+#
+# A pair of delay parameters is written restore/maximum, where restore is
+# the number of bytes (not bits - modem and network speeds are usually
+# quoted in bits) per second placed into the bucket, and maximum is the
+# maximum number of bytes which can be in the bucket at any time.
+#
+# There must be one delay_parameters line for each delay pool.
+#
+#
+# For example, if delay pool number 1 is a class 2 delay pool as in the
+# above example, and is being used to strictly limit each host to 64Kbit/sec
+# (plus overheads), with no overall limit, the line is:
+#
+# delay_parameters 1 none 8000/8000
+#
+# Note that 8 x 8K Byte/sec -> 64K bit/sec.
+#
+# Note that the word 'none' is used to represent no limit.
+#
+#
+# And, if delay pool number 2 is a class 3 delay pool as in the above
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
+# to permit a decent web page to be downloaded at a decent speed
+# (if the network is not being limited due to overuse) but slow down
+# large downloads more significantly:
+#
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32K Byte/sec -> 256K bit/sec.
+# 8 x 8K Byte/sec -> 64K bit/sec.
+# 8 x 600 Byte/sec -> 4800 bit/sec.
+#
+#
+# Finally, for a class 4 delay pool as in the example - each user will
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
+#
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+#
+#
+# See also delay_class and delay_access.
+#
+#Default:
+# none
+
+# TAG: delay_initial_bucket_level (percent, 0-100)
+# The initial bucket percentage is used to determine how much is put
+# in each bucket when squid starts, is reconfigured, or first notices
+# a host accessing it (in class 2 and class 3, individual hosts and
+# networks only have buckets associated with them once they have been
+# "seen" by squid).
+#Default:
+# delay_initial_bucket_level 50
+
+# CLIENT DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: client_delay_pools
+# This option specifies the number of client delay pools used. It must
+# preceed other client_delay_* options.
+#
+# Example:
+# client_delay_pools 2
+#
+# See also client_delay_parameters and client_delay_access.
+#Default:
+# client_delay_pools 0
+
+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
+# This option determines the initial bucket size as a percentage of
+# max_bucket_size from client_delay_parameters. Buckets are created
+# at the time of the "first" connection from the matching IP. Idle
+# buckets are periodically deleted up.
+#
+# You can specify more than 100 percent but note that such "oversized"
+# buckets are not refilled until their size goes down to max_bucket_size
+# from client_delay_parameters.
+#
+# Example:
+# client_delay_initial_bucket_level 50
+#Default:
+# client_delay_initial_bucket_level 50
+
+# TAG: client_delay_parameters
+#
+# This option configures client-side bandwidth limits using the
+# following format:
+#
+# client_delay_parameters pool speed_limit max_bucket_size
+#
+# pool is an integer ID used for client_delay_access matching.
+#
+# speed_limit is bytes added to the bucket per second.
+#
+# max_bucket_size is the maximum size of a bucket, enforced after any
+# speed_limit additions.
+#
+# Please see the delay_parameters option for more information and
+# examples.
+#
+# Example:
+# client_delay_parameters 1 1024 2048
+# client_delay_parameters 2 51200 16384
+#
+# See also client_delay_access.
+#
+#Default:
+# none
+
+# TAG: client_delay_access
+# This option determines the client-side delay pool for the
+# request:
+#
+# client_delay_access pool_ID allow|deny acl_name
+#
+# All client_delay_access options are checked in their pool ID
+# order, starting with pool 1. The first checked pool with allowed
+# request is selected for the request. If no ACL matches or there
+# are no client_delay_access options, the request bandwidth is not
+# limited.
+#
+# The ACL-selected pool is then used to find the
+# client_delay_parameters for the request. Client-side pools are
+# not used to aggregate clients. Clients are always aggregated
+# based on their source IP addresses (one bucket per source IP).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Additionally, only the client TCP connection details are available.
+# ACLs testing HTTP properties will not work.
+#
+# Please see delay_access for more examples.
+#
+# Example:
+# client_delay_access 1 allow low_rate_network
+# client_delay_access 2 allow vips_network
+#
+#
+# See also client_delay_parameters and client_delay_pools.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: response_delay_pool
+# This option configures client response bandwidth limits using the
+# following format:
+#
+# response_delay_pool name [option=value] ...
+#
+# name the response delay pool name
+#
+# available options:
+#
+# individual-restore The speed limit of an individual
+# bucket(bytes/s). To be used in conjunction
+# with 'individual-maximum'.
+#
+# individual-maximum The maximum number of bytes which can
+# be placed into the individual bucket. To be used
+# in conjunction with 'individual-restore'.
+#
+# aggregate-restore The speed limit for the aggregate
+# bucket(bytes/s).
To be used in conjunction with
+# 'aggregate-maximum'.
+#
+# aggregate-maximum The maximum number of bytes which can
+# be placed into the aggregate bucket. To be used
+# in conjunction with 'aggregate-restore'.
+#
+# initial-bucket-level The initial bucket size as a percentage
+# of individual-maximum.
+#
+# Individual and(or) aggregate bucket options may not be specified,
+# meaning no individual and(or) aggregate speed limitation.
+# See also response_delay_pool_access and delay_parameters for
+# terminology details.
+#Default:
+# none
+
+# TAG: response_delay_pool_access
+# Determines whether a specific named response delay pool is used
+# for the transaction. The syntax for this directive is:
+#
+# response_delay_pool_access pool_name allow|deny acl_name
+#
+# All response_delay_pool_access options are checked in the order
+# they appear in this configuration file. The first rule with a
+# matching ACL wins. If (and only if) an "allow" rule won, Squid
+# assigns the response to the corresponding named delay pool.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: wccp_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCP disabled.
+
+# TAG: wccp2_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCPv2 disabled.
+
+# TAG: wccp_version
+# This directive is only relevant if you need to set up WCCP(v1)
+# to some very old and end-of-life Cisco routers. In all other
+# setups it must be left unset or at the default setting.
+# It defines an internal version in the WCCP(v1) protocol,
+# with version 4 being the officially documented protocol.
+#
+# According to some users, Cisco IOS 11.2 and earlier only
+# support WCCP version 3. If you're using that or an earlier
+# version of IOS, you may need to change this value to 3, otherwise
+# do not specify this parameter.
+#Default:
+# wccp_version 4
+
+# TAG: wccp2_rebuild_wait
+# If this is enabled Squid will wait for the cache dir rebuild to finish
+# before sending the first wccp2 HereIAm packet
+#Default:
+# wccp2_rebuild_wait on
+
+# TAG: wccp2_forwarding_method
+# WCCP2 allows the setting of forwarding methods between the
+# router/switch and the cache. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment method.
+#Default:
+# wccp2_forwarding_method gre
+
+# TAG: wccp2_return_method
+# WCCP2 allows the setting of return methods between the
+# router/switch and the cache for packets that the cache
+# decides not to handle. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment.
+#
+# If the "ip wccp redirect exclude in" command has been
+# enabled on the cache interface, then it is still safe for
+# the proxy server to use a l2 redirect method even if this
+# option is set to GRE.
+#Default:
+# wccp2_return_method gre
+
+# TAG: wccp2_assignment_method
+# WCCP2 allows the setting of methods to assign the WCCP hash
+# Valid values are as follows:
+#
+# hash - Hash assignment
+# mask - Mask assignment
+#
+# As a general rule, cisco routers support the hash assignment method
+# and cisco switches support the mask assignment method.
+#Default:
+# wccp2_assignment_method hash
+
+# TAG: wccp2_service
+# WCCP2 allows for multiple traffic services. There are two
+# types: "standard" and "dynamic". The standard type defines
+# one service id - http (id 0). The dynamic service ids can be from
+# 51 to 255 inclusive. In order to use a dynamic service id
+# one must define the type of traffic to be redirected; this is done
+# using the wccp2_service_info option.
+#
+# The "standard" type does not require a wccp2_service_info option,
+# just specifying the service id will suffice.
+#
+# MD5 service authentication can be enabled by adding
+# "password=" to the end of this service declaration.
+#
+# Examples:
+#
+# wccp2_service standard 0 # for the 'web-cache' standard service
+# wccp2_service dynamic 80 # a dynamic service type which will be
+# # fleshed out with subsequent options.
+# wccp2_service standard 0 password=foo
+#Default:
+# Use the 'web-cache' standard service.
+
+# TAG: wccp2_service_info
+# Dynamic WCCPv2 services require further information to define the
+# traffic you wish to have diverted.
+#
+# The format is:
+#
+# wccp2_service_info protocol= flags=,..
+# priority= ports=,..
+#
+# The relevant WCCPv2 flags:
+# + src_ip_hash, dst_ip_hash
+# + source_port_hash, dst_port_hash
+# + src_ip_alt_hash, dst_ip_alt_hash
+# + src_port_alt_hash, dst_port_alt_hash
+# + ports_source
+#
+# The port list can be one to eight entries.
+#
+# Example:
+#
+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
+# priority=240 ports=80
+#
+# Note: the service id must have been defined by a previous
+# 'wccp2_service dynamic ' entry.
+#Default:
+# none
+
+# TAG: wccp2_weight
+# Each cache server gets assigned a set of the destination
+# hash proportional to their weight.
+#Default:
+# wccp2_weight 10000
+
+# TAG: wccp_address
+# Use this option if you require WCCP(v1) to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# TAG: wccp2_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# PERSISTENT CONNECTION HANDLING
+# -----------------------------------------------------------------------------
+#
+# Also see "pconn_timeout" in the TIMEOUTS section
+
+# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
+#Default:
+# client_persistent_connections on
+
+# TAG: server_persistent_connections
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
+#Default:
+# server_persistent_connections on
+
+# TAG: persistent_connection_after_error
+# With this directive the use of persistent connections after
+# HTTP errors can be disabled. Useful if you have clients
+# who fail to handle errors on persistent connections proper.
+#Default:
+# persistent_connection_after_error on
+
+# TAG: detect_broken_pconn
+# Some servers have been found to incorrectly signal the use
+# of HTTP/1.0 persistent connections even on replies not
+# compatible, causing significant delays. This server problem
+# has mostly been seen on redirects.
+#
+# By enabling this directive Squid attempts to detect such
+# broken replies and automatically assume the reply is finished
+# after 10 seconds timeout.
+#Default:
+# detect_broken_pconn off
+
+# CACHE DIGEST OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: digest_generation
+# This controls whether the server will generate a Cache Digest
+# of its contents. By default, Cache Digest generation is
+# enabled if Squid is compiled with --enable-cache-digests defined.
+#Default:
+# digest_generation on
+
+# TAG: digest_bits_per_entry
+# This is the number of bits of the server's Cache Digest which
+# will be associated with the Digest entry for a given HTTP
+# Method and URL (public key) combination. The default is 5.
+#Default:
+# digest_bits_per_entry 5
+
+# TAG: digest_rebuild_period (seconds)
+# This is the wait time between Cache Digest rebuilds.
+#Default:
+# digest_rebuild_period 1 hour
+
+# TAG: digest_rewrite_period (seconds)
+# This is the wait time between Cache Digest writes to
+# disk.
+#Default:
+# digest_rewrite_period 1 hour
+
+# TAG: digest_swapout_chunk_size (bytes)
+# This is the number of bytes of the Cache Digest to write to
+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
+# default swap page.
+#Default:
+# digest_swapout_chunk_size 4096 bytes
+
+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
+# This is the percentage of the Cache Digest to be scanned at a
+# time. By default it is set to 10% of the Cache Digest.
+#Default:
+# digest_rebuild_chunk_percentage 10
+
+# SNMP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: snmp_port
+# The port number where Squid listens for SNMP requests. To enable
+# SNMP support set this to a suitable port number. Port number
+# 3401 is often used for the Squid SNMP agent. By default it's
+# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
+#Default:
+# SNMP disabled.
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: snmp_incoming_address
+# Just like 'udp_incoming_address', but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+#
+# The default snmp_incoming_address is to listen on all
+# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use the same port.
+#Default:
+# Use snmp_incoming_address or an address selected by the operating system.
+
+# ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icp_port
+# The port number where Squid sends and receives ICP queries to
+# and from neighbor caches. The standard UDP port for ICP is 3130.
+#
+# Example:
+# icp_port 3130
+#Default:
+# ICP disabled.
+
+# TAG: htcp_port
+# The port number where Squid sends and receives HTCP queries to
+# and from neighbor caches. To turn it on you want to set it to
+# 4827.
+#
+# Example:
+# htcp_port 4827
+#Default:
+# HTCP disabled.
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log.
You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#Default:
+# log_icp_queries on
+
+# TAG: udp_incoming_address
+# udp_incoming_address is used for UDP packets received from other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Only change this if you want to have all UDP queries received on
+# a specific interface/address.
+#
+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_outgoing_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Accept packets from all machine interfaces.
+
+# TAG: udp_outgoing_address
+# udp_outgoing_address is used for UDP packets sent out to other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Instead it will use the same socket as udp_incoming_address.
+# Only change this if you want to have UDP queries sent using another
+# address than where this Squid listens for UDP queries from other
+# caches.
+#
+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_incoming_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Use udp_incoming_address or an address selected by the operating system.
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control,
+# it is probably okay to set this to 'on'.
+# If set to 'on', your siblings should use the option "allow-miss"
+# on their cache_peer lines for connecting to you.
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away.
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt (msec)
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_low 900
+
+# TAG: netdb_high
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# maximum_icp_query_timeout 2000
+
+# TAG: minimum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very small timeouts, even lower than
+# the normal latency variance on your link due to traffic.
+# Use this option to put an lower limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# minimum_icp_query_timeout 5
+
+# TAG: background_ping_rate time-units
+# Controls how often the ICP pings are sent to siblings that
+# have background-ping set.
+#Default:
+# background_ping_rate 10 seconds
+
+# MULTICAST ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: mcast_groups
+# This tag specifies a list of multicast groups which your server
+# should join to receive multicasted ICP queries.
+#
+# NOTE! Be very careful what you put here! Be sure you
+# understand the difference between an ICP _query_ and an ICP
+# _reply_. This option is to be set only if you want to RECEIVE
+# multicast queries. Do NOT set this option to SEND multicast
+# ICP (use cache_peer for that). ICP replies are always sent via
+# unicast, so this option does not affect whether or not you will
+# receive replies from multicast group members.
+#
+# You must be very careful to NOT use a multicast address which
+# is already in use by another group of caches.
+#
+# If you are unsure about multicast, please read the Multicast
+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
+#
+# Usage: mcast_groups 239.128.16.128 224.0.1.20
+#
+# By default, Squid doesn't listen on any multicast groups.
+#Default:
+# none
+
+# TAG: mcast_miss_addr
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# If you enable this option, every "cache miss" URL will
+# be sent out on the specified multicast address.
+#
+# Do not enable this option unless you are are absolutely
+# certain you understand what you are doing.
+#Default:
+# disabled.
+
+# TAG: mcast_miss_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the time-to-live value for packets multicasted
+# when multicasting off cache miss URLs is enabled. By
+# default this is set to 'site scope', i.e. 16.
+#Default:
+# mcast_miss_ttl 16
+
+# TAG: mcast_miss_port
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the port number to be used in conjunction with
+# 'mcast_miss_addr'.
+#Default:
+# mcast_miss_port 3135
+
+# TAG: mcast_miss_encode_key
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# The URLs that are sent in the multicast miss stream are
+# encrypted. This is the encryption key.
+#Default:
+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
+
+# TAG: mcast_icp_query_timeout (msec)
+# For multicast peers, Squid regularly sends out ICP "probes" to
+# count how many other peers are listening on the given multicast
+# address. This value specifies how long Squid should wait to
+# count all the replies. The default is 2000 msec, or 2
+# seconds.
+#Default:
+# mcast_icp_query_timeout 2000
+
+# INTERNAL ICON OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/share/squid/icons
+#Default:
+# icon_directory /usr/share/squid/icons
+
+# TAG: global_internal_static
+# This directive controls is Squid should intercept all requests for
+# /squid-internal-static/ no matter which host the URL is requesting
+# (default on setting), or if nothing special should be done for
+# such URLs (off setting). The purpose of this directive is to make
+# icons etc work better in complex cache hierarchies where it may
+# not always be possible for all corners in the cache mesh to reach
+# the server generating a directory listing.
+#Default:
+# global_internal_static on
+
+# TAG: short_icon_urls
+# If this is enabled Squid will use short URLs for icons.
+# If disabled it will revert to the old behavior of including
+# it's own name and port in the URL.
+#
+# If you run a complex cache hierarchy with a mix of Squid and
+# other proxies you may need to disable this directive.
+#Default:
+# short_icon_urls on
+
+# ERROR PAGE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: error_directory
+# If you wish to create your own versions of the default
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are making translations for a
+# language that Squid does not currently provide please consider
+# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# Send error pages in the clients preferred language
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# Generate English language pages.
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
+#
+# For information on CSS see http://www.w3.org/Style/CSS/
+#Default:
+# err_page_stylesheet /etc/squid/errorpage.css
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#Default:
+# none
+
+# TAG: email_err_data on|off
+# If enabled, information about the occurred error will be
+# included in the mailto links of the ERR pages (if %W is set)
+# so that the email body contains the data.
+# Syntax is %w
+#Default:
+# email_err_data on
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# or deny_info http://... acl
+# or deny_info TCP_RESET acl
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. Squid remembers the last
+# acl it evaluated in http_access, and if a 'deny_info' line exists
+# for that ACL Squid returns a corresponding error page.
+#
+# The acl is typically the last acl on the http_access deny line which
+# denied access. The exceptions to this rule are:
+# - When Squid needs to request authentication credentials. It's then
+# the first authentication related acl encountered
+# - When none of the http_access lines matches. It's then the last
+# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
+#
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+#
+# Alternatively you can tell Squid to reset the TCP connection
+# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %A - Local listening IP address the client connection was connected to
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %O - Unescaped message result from external ACL helper
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
+#Default:
+# none
+
+# OPTIONS INFLUENCING REQUEST FORWARDING
+# -----------------------------------------------------------------------------
+
+# TAG: nonhierarchical_direct
+# By default, Squid will send any non-hierarchical requests
+# (not cacheable request type) direct to origin servers.
+#
+# When this is set to "off", Squid will prefer to send these
+# requests to parents.
+#
+# Note that in most configurations, by turning this off you will only
+# add latency to these request without any improvement in global hit
+# ratio.
+#
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
+#Default:
+# nonhierarchical_direct on
+
+# TAG: prefer_direct
+# Normally Squid tries to use parents for most requests. If you for some
+# reason like it to first try going direct and only use a parent if
+# going direct fails set this to on.
+#
+# By combining nonhierarchical_direct off and prefer_direct on you
+# can set up Squid to use a parent as a backup path if going direct
+# fails.
+#
+# Note: If you want Squid to use parents for all requests see
+# the never_direct directive. prefer_direct only modifies how Squid
+# acts on cacheable requests.
+#Default:
+# prefer_direct off
+
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server.
This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded by Squid to the origin servers without using
+# any peers. For example, to always directly forward requests for
+# local servers ignoring any parents or siblings you may have use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain .foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# NOTE: If your goal is to make the client forward the request
+# directly to the origin server bypassing Squid then this needs
+# to be done in the client configuration. Squid configuration
+# can only tell Squid how Squid should fetch the object.
+#
+# NOTE: This directive is not related to caching. The replies
+# is cached as usual even if you use always_direct. To not cache
+# the replies see the 'cache' directive.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Prevent any cache_peer being used for this request.
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain .foo.net
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if Squid is inside a firewall and there are local intranet
+# servers inside the firewall use something like:
+#
+# acl local-intranet dstdomain .foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow DNS results to be used for this request.
+
+# ADVANCED NETWORKING OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_udp_average 6
+
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_tcp_average 4
+
+# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_dns_average 4
+
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_udp_poll_cnt 8
+
+# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_dns_poll_cnt 8
+
+# TAG: min_tcp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_tcp_poll_cnt 8
+
+# TAG: accept_filter
+# FreeBSD:
+#
+# The name of an accept(2) filter to install on Squid's
+# listen socket(s). This feature is perhaps specific to
+# FreeBSD and requires support in the kernel.
+#
+# The 'httpready' filter delays delivering new connections
+# to Squid until a full HTTP request has been received.
+# See the accf_http(9) man page for details.
+#
+# The 'dataready' filter delays delivering new connections
+# to Squid until there is some data to process.
+# See the accf_dataready(9) man page for details.
+#
+# Linux:
+#
+# The 'data' filter delays delivering of new connections
+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
+# You may optionally specify a number of seconds to wait by
+# 'data=N' where N is the number of seconds. Defaults to 30
+# if not specified. See the tcp(7) man page for details.
+#EXAMPLE:
+## FreeBSD
+#accept_filter httpready
+## Linux
+#accept_filter data
+#Default:
+# none
+
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# No limit.
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
+#Default:
+# Use operating system TCP defaults.
+
+# ICAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icap_enable on|off
+# If you want to enable the ICAP module support, set this to on.
+#Default:
+# icap_enable off
+
+# TAG: icap_connect_timeout
+# This parameter specifies how long to wait for the TCP connect to
+# the requested ICAP server to complete before giving up and either
+# terminating the HTTP transaction or bypassing the failure.
+#
+# The default for optional services is peer_connect_timeout.
+# The default for essential services is connect_timeout.
+# If this option is explicitly set, its value applies to all services.
+#Default:
+# none
+
+# TAG: icap_io_timeout time-units
+# This parameter specifies how long to wait for an I/O activity on
+# an established, active ICAP connection before giving up and
+# either terminating the HTTP transaction or bypassing the
+# failure.
+#Default:
+# Use read_timeout.
+
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
+# The limit specifies the number of failures that Squid tolerates
+# when establishing a new TCP connection with an ICAP service. If
+# the number of failures exceeds the limit, the ICAP service is
+# not used for new ICAP requests until it is time to refresh its
+# OPTIONS.
+#
+# A negative value disables the limit. Without the limit, an ICAP
+# service will not be considered down due to connectivity failures
+# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth.
The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
+#Default:
+# icap_service_failure_limit 10
+
+# TAG: icap_service_revival_delay
+# The delay specifies the number of seconds to wait after an ICAP
+# OPTIONS request failure before requesting the options again. The
+# failed ICAP service is considered "down" until fresh OPTIONS are
+# fetched.
+#
+# The actual delay cannot be smaller than the hardcoded minimum
+# delay of 30 seconds.
+#Default:
+# icap_service_revival_delay 180
+
+# TAG: icap_preview_enable on|off
+# The ICAP Preview feature allows the ICAP server to handle the
+# HTTP message by looking only at the beginning of the message body
+# or even without receiving the body at all. In some environments,
+# previews greatly speedup ICAP processing.
+#
+# During an ICAP OPTIONS transaction, the server may tell Squid what
+# HTTP messages should be previewed and how big the preview should be.
+# Squid will not use Preview if the server did not request one.
+#
+# To disable ICAP Preview for all ICAP services, regardless of
+# individual ICAP server OPTIONS responses, set this option to "off".
+#Example:
+#icap_preview_enable off
+#Default:
+# icap_preview_enable on
+
+# TAG: icap_preview_size
+# The default size of preview data to be sent to the ICAP server.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
+#Default:
+# icap_206_enable on
+
+# TAG: icap_default_options_ttl
+# The default TTL value for ICAP OPTIONS responses that don't have
+# an Options-TTL header.
+#Default:
+# icap_default_options_ttl 60
+
+# TAG: icap_persistent_connections on|off
+# Whether or not Squid should use persistent connections to
+# an ICAP server.
+#Default:
+# icap_persistent_connections on
+
+# TAG: adaptation_send_client_ip on|off
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
+#Default:
+# adaptation_send_client_ip off
+
+# TAG: adaptation_send_username on|off
+# This sends authenticated HTTP client username (if available) to
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
+# icap_client_username_encode option and is sent using the header
+# specified by the icap_client_username_header option.
+#Default:
+# adaptation_send_username off
+
+# TAG: icap_client_username_header
+# ICAP request header name to use for adaptation_send_username.
+#Default:
+# icap_client_username_header X-Client-Username
+
+# TAG: icap_client_username_encode on|off
+# Whether to base64 encode the authenticated client username.
+#Default:
+# icap_client_username_encode off
+
+# TAG: icap_service
+# Defines a single ICAP service using the following format:
+#
+# icap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# ICAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: icap://servername:port/servicepath
+# ICAP server and service location.
+# icaps://servername:port/servicepath
+# The "icap:" URI scheme is used for traditional ICAP server and
+# service location (default port is 1344, connections are not
+# encrypted). The "icaps:" URI scheme is for Secure ICAP
+# services that use SSL/TLS-encrypted ICAP connections (by
+# default, on port 11344).
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled.
No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
+# connection-encryption=on|off
+# Determines the ICAP service effect on the connections_encrypted
+# ACL.
+#
+# The default is "on" for Secure ICAP services (i.e., those
+# with the icaps:// service URIs scheme) and "off" for plain ICAP
+# services.
+#
+# Does not affect ICAP connections (e.g., does not turn Secure
+# ICAP on or off).
+#
+# ==== ICAPS / TLS OPTIONS ====
+#
+# These options are used for Secure ICAP (icaps://....) services only.
+#
+# tls-cert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this ICAP server.
+#
+# tls-key=/path/to/ssl/key
+# The private key corresponding to the previous
+# tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
+# to this icap server.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various OpenSSL library options:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list. Options relevant only to SSLv2 are
+# not supported.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the icap server certificate.
+# Use to specify intermediate CA certificate(s) if not sent
+# by the server. Or the full CA chain for the server when
+# using the tls-default-ca=off flag.
+# May be repeated to load multiple files.
+#
+# tls-capath=... A directory containing additional CA certificates to
+# use when verifying the icap server certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# tls-crlfile=... A certificate revocation list file to use when
+# verifying the icap server certificate.
+#
+# tls-flags=... Specify various flags modifying the Squid TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the icap server certificate
+# matches the server name
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-domain= The icap server name as advertised in it's certificate.
+# Used for verifying the correctness of the received icap
+# server certificate. If not specified the icap server
+# hostname extracted from ICAP URI will be used.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
+#Default:
+# none
+
+# TAG: icap_class
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Defines a single eCAP service
+#
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
+# HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# connection-encryption=on|off
+# Determines the eCAP service effect on the connections_encrypted
+# ACL.
+#
+# Defaults to "on", which does not taint the master transaction
+# w.r.t. that ACL.
+#
+# Does not affect eCAP API calls.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#
+#Example:
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
+#Default:
+# none
+
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
+#
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable.
If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
+#
+#Example:
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services.
If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
+#Default:
+# none
+
+# TAG: adaptation_access
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+#
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
+#
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
+#
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
+#
+#Example:
+#adaptation_access service_1 allow all
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: adaptation_service_iteration_limit
+# Limits the number of iterations allowed when applying adaptation
+# services to a message.
If your longest adaptation set or chain
+# may have more than 16 services, increase the limit beyond its
+# default value of 16. If detecting infinite iteration loops sooner
+# is critical, make the iteration limit match the actual number
+# of services in your longest adaptation set or chain.
+#
+# Infinite adaptation loops are most likely with routing services.
+#
+# See also: icap_service routing=1
+#Default:
+# adaptation_service_iteration_limit 16
+
+# TAG: adaptation_masterx_shared_names
+# For each master transaction (i.e., the HTTP request and response
+# sequence, including all related ICAP and eCAP exchanges), Squid
+# maintains a table of metadata. The table entries are (name, value)
+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
+# with the master transaction.
+#
+# This option specifies the table entry names that Squid must accept
+# from and forward to the adaptation transactions.
+#
+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by returning an ICAP header field with a name
+# specified in adaptation_masterx_shared_names.
+#
+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by implementing the libecap::visitEachOption() API
+# to provide an option with a name specified in
+# adaptation_masterx_shared_names.
+#
+# Squid will store and forward the set entry to subsequent adaptation
+# transactions within the same master transaction scope.
+#
+# Only one shared entry name is supported at this time.
+#
+#Example:
+## share authentication information among ICAP services
+#adaptation_masterx_shared_names X-Subscriber-ID
+#Default:
+# none
+
+# TAG: adaptation_meta
+# This option allows Squid administrator to add custom ICAP request
+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
+# Use it to pass custom authentication tokens and other
+# transaction-state related meta information to an ICAP/eCAP service.
+#
+# The addition of a meta header is ACL-driven:
+# adaptation_meta name value [!]aclname ...
+#
+# Processing for a given header name stops after the first ACL list match.
+# Thus, it is impossible to add two headers with the same name. If no ACL
+# lists match for a given header name, no such header is added. For
+# example:
+#
+# # do not debug transactions except for those that need debugging
+# adaptation_meta X-Debug 1 needs_debugging
+#
+# # log all transactions except for those that must remain secret
+# adaptation_meta X-Log 1 !keep_secret
+#
+# # mark transactions from users in the "G 1" group
+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
+#
+# The "value" parameter may be a regular squid.conf token or a "double
+# quoted string". Within the quoted string, use backslash (\) to escape
+# any character, which is currently only useful for escaping backslashes
+# and double quotes. For example,
+# "this string has one backslash (\\) and two \"quotes\""
+#
+# Used adaptation_meta header values may be logged via %note
+# logformat code. If multiple adaptation_meta headers with the same name
+# are used during master transaction lifetime, the header values are
+# logged in the order they were used and duplicate values are ignored
+# (only the first repeated value will be logged).
+#Default:
+# none
+
+# TAG: icap_retry
+# This ACL determines which retriable ICAP transactions are
+# retried. Transactions that received a complete ICAP response
+# and did not have to consume or produce HTTP bodies to receive
+# that response are usually retriable.
+#
+# icap_retry allow|deny [!]aclname ...
+#
+# Squid automatically retries some ICAP I/O timeouts and errors
+# due to persistent connection race conditions.
+#
+# See also: icap_retry_limit
+#Default:
+# icap_retry deny all
+
+# TAG: icap_retry_limit
+# Limits the number of retries allowed.
+#
+# Communication errors due to persistent connection race
+# conditions are unavoidable, automatically retried, and do not
+# count against this limit.
+#
+# See also: icap_retry
+#Default:
+# No retries are allowed.
+
+# DNS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: check_hostnames
+# For security and stability reasons Squid can check
+# hostnames for Internet standard RFC compliance. If you want
+# Squid to perform these checks turn this directive on.
+#Default:
+# check_hostnames off
+
+# TAG: allow_underscore
+# Underscore characters is not strictly allowed in Internet hostnames
+# but nevertheless used by many sites. Set this to off if you want
+# Squid to be strict about the standard.
+# This check is performed only when check_hostnames is set to on.
+#Default:
+# allow_underscore on
+
+# TAG: dns_retransmit_interval
+# Initial retransmit interval for DNS queries. The interval is
+# doubled each time all configured DNS servers have been tried.
+#Default:
+# dns_retransmit_interval 5 seconds
+
+# TAG: dns_timeout
+# DNS Query timeout. If no response is received to a DNS query
+# within this time all DNS servers for the queried domain
+# are assumed to be unavailable.
+#Default:
+# dns_timeout 30 seconds
+
+# TAG: dns_packet_max
+# Maximum number of bytes packet size to advertise via EDNS.
+# Set to "none" to disable EDNS large packet support.
+#
+# For legacy reasons DNS UDP replies will default to 512 bytes which
+# is too small for many responses. EDNS provides a means for Squid to
+# negotiate receiving larger responses back immediately without having
+# to failover with repeat requests. Responses larger than this limit
+# will retain the old behaviour of failover to TCP DNS.
+#
+# Squid has no real fixed limit internally, but allowing packet sizes
+# over 1500 bytes requires network jumbogram support and is usually not
+# necessary.
+#
+# WARNING: The RFC also indicates that some older resolvers will reply
+# with failure of the whole request if the extension is added. Some
+# resolvers have already been identified which will reply with mangled
+# EDNS response on occasion. Usually in response to many-KB jumbogram
+# sizes being advertised by Squid.
+# Squid will currently treat these both as an unable-to-resolve domain
+# even if it would be resolvable without EDNS.
+#Default:
+# EDNS disabled
+
+# TAG: dns_defnames on|off
+# Normally the RES_DEFNAMES resolver option is disabled
+# (see res_init(3)). This prevents caches in a hierarchy
+# from interpreting single-component hostnames locally. To allow
+# Squid to handle single-component names, enable this option.
+#Default:
+# Search for single-label domain names is disabled.
+
+# TAG: dns_multicast_local on|off
+# When set to on, Squid sends multicast DNS lookups on the local
+# network for domains ending in .local and .arpa.
+# This enables local servers and devices to be contacted in an
+# ad-hoc or zero-configuration network environment.
+#Default:
+# Search for .local and .arpa names is disabled.
+
+# TAG: dns_nameservers
+# Use this if you want to specify a list of DNS name servers
+# (IP addresses) to use instead of those given in your
+# /etc/resolv.conf file.
+#
+# On Windows platforms, if no value is specified here or in
+# the /etc/resolv.conf file, the list of DNS name servers are
+# taken from the Windows registry, both static and dynamic DHCP
+# configurations are supported.
+#
+# Example: dns_nameservers 10.0.0.1 192.172.0.4
+#Default:
+# Use operating system definitions
+
+# TAG: hosts_file
+# Location of the host-local IP name-address associations
+# database.
Most Operating Systems have such a file on different
+# default locations:
+# - Un*X & Linux: /etc/hosts
+# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\winnt)
+# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\windows)
+# - Windows 9x/Me: %windir%\hosts
+# (%windir% value is usually c:\windows)
+# - Cygwin: /etc/hosts
+#
+# The file contains newline-separated definitions, in the
+# form ip_address_in_dotted_form name [name ...] names are
+# whitespace-separated. Lines beginning with an hash (#)
+# character are comments.
+#
+# The file is checked at startup and upon configuration.
+# If set to 'none', it won't be checked.
+# If append_domain is used, that domain will be added to
+# domain-local (i.e. not containing any dot character) host
+# definitions.
+#Default:
+# hosts_file /etc/hosts
+
+# TAG: append_domain
+# Appends local domain name to hostnames without any dots in
+# them. append_domain must begin with a period.
+#
+# Be warned there are now Internet names with no dots in
+# them using only top-domain names, so setting this may
+# cause some Internet sites to become unavailable.
+#
+#Example:
+# append_domain .yourdomain.com
+#Default:
+# Use operating system definitions
+
+# TAG: ignore_unknown_nameservers
+# By default Squid checks that DNS responses are received
+# from the same IP addresses they are sent to. If they
+# don't match, Squid ignores the response and writes a warning
+# message to cache.log. You can allow responses from unknown
+# nameservers by setting this option to 'off'.
+#Default:
+# ignore_unknown_nameservers on
+
+# TAG: ipcache_size (number of entries)
+# Maximum number of DNS IP cache entries.
+#Default:
+# ipcache_size 1024
+
+# TAG: ipcache_low (percent)
+#Default:
+# ipcache_low 90
+
+# TAG: ipcache_high (percent)
+# The size, low-, and high-water marks for the IP cache.
+#Default:
+# ipcache_high 95
+
+# TAG: fqdncache_size (number of entries)
+# Maximum number of FQDN cache entries.
+#Default:
+# fqdncache_size 1024
+
+# MISCELLANEOUS
+# -----------------------------------------------------------------------------
+
+# TAG: configuration_includes_quoted_values on|off
+# If set, Squid will recognize each "quoted string" after a configuration
+# directive as a single parameter. The quotes are stripped before the
+# parameter value is interpreted or used.
+# See "Values with spaces, quotes, and other special characters"
+# section for more details.
+#Default:
+# configuration_includes_quoted_values off
+
+# TAG: memory_pools on|off
+# If set, Squid will keep pools of allocated (but unused) memory
+# available for future use. If memory is a premium on your
+# system and you believe your malloc library outperforms Squid
+# routines, disable this.
+#Default:
+# memory_pools on
+
+# TAG: memory_pools_limit (bytes)
+# Used only with memory_pools on:
+# memory_pools_limit 50 MB
+#
+# If set to a non-zero value, Squid will keep at most the specified
+# limit of allocated (but unused) memory in memory pools. All free()
+# requests that exceed this limit will be handled by your malloc
+# library. Squid does not pre-allocate any memory, just safe-keeps
+# objects that otherwise would be free()d. Thus, it is safe to set
+# memory_pools_limit to a reasonably high value even if your
+# configuration will use less memory.
+#
+# If set to none, Squid will keep all memory it can. That is, there
+# will be no limit on the total amount of memory used for safe-keeping.
+#
+# To disable memory allocation optimization, do not set
+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
+#
+# An overhead for maintaining memory pools is not taken into account
+# when the limit is checked. This overhead is close to four bytes per
+# object kept.
However, pools may actually _save_ memory because of
+# reduced memory thrashing in your malloc library.
+#Default:
+# memory_pools_limit 5 MB
+
+# TAG: forwarded_for on|off|transparent|truncate|delete
+# If set to "on", Squid will append your client's IP address
+# in the HTTP requests it forwards. By default it looks like:
+#
+# X-Forwarded-For: 192.1.2.3
+#
+# If set to "off", it will appear as
+#
+# X-Forwarded-For: unknown
+#
+# If set to "transparent", Squid will not alter the
+# X-Forwarded-For header in any way.
+#
+# If set to "delete", Squid will delete the entire
+# X-Forwarded-For header.
+#
+# If set to "truncate", Squid will remove all existing
+# X-Forwarded-For entries, and place the client IP as the sole entry.
+#Default:
+# forwarded_for on
+
+# TAG: cachemgr_passwd
+# Specify passwords for cachemgr operations.
+#
+# Usage: cachemgr_passwd password action action ...
+#
+# Some valid actions are (see cache manager menu for a full list):
+# 5min
+# 60min
+# asndb
+# authenticator
+# cbdata
+# client_list
+# comm_incoming
+# config *
+# counters
+# delay
+# digest_stats
+# dns
+# events
+# filedescriptors
+# fqdncache
+# histograms
+# http_headers
+# info
+# io
+# ipcache
+# mem
+# menu
+# netdb
+# non_peers
+# objects
+# offline_toggle *
+# pconn
+# peer_select
+# reconfigure *
+# redirector
+# refresh
+# server_list
+# shutdown *
+# store_digest
+# storedir
+# utilization
+# via_headers
+# vm_objects
+#
+# * Indicates actions which will not be performed without a
+# valid password, others can be performed if not listed here.
+#
+# To disable an action, set the password to "disable".
+# To allow performing an action without a password, set the
+# password to "none".
+#
+# Use the keyword "all" to set the same password for all actions.
+#
+#Example:
+# cachemgr_passwd secret shutdown
+# cachemgr_passwd lesssssssecret info stats/objects
+# cachemgr_passwd disable all
+#Default:
+# No password. Actions which require password are denied.
+
+# TAG: client_db on|off
+# If you want to disable collecting per-client statistics,
+# turn off client_db here.
+#Default:
+# client_db on
+
+# TAG: refresh_all_ims on|off
+# When you enable this option, squid will always check
+# the origin server for an update when a client sends an
+# If-Modified-Since request. Many browsers use IMS
+# requests when the user requests a reload, and this
+# ensures those clients receive the latest version.
+#
+# By default (off), squid may return a Not Modified response
+# based on the age of the cached version.
+#Default:
+# refresh_all_ims off
+
+# TAG: reload_into_ims on|off
+# When you enable this option, client no-cache or ``reload''
+# requests will be changed to If-Modified-Since requests.
+# Doing this VIOLATES the HTTP standard. Enabling this
+# feature could make you liable for problems which it
+# causes.
+#
+# see also refresh_pattern for a more selective approach.
+#Default:
+# reload_into_ims off
+
+# TAG: connect_retries
+# Limits the number of reopening attempts when establishing a single
+# TCP connection. All these attempts must still complete before the
+# applicable connection opening timeout expires.
+#
+# By default and when connect_retries is set to zero, Squid does not
+# retry failed connection opening attempts.
+#
+# The (not recommended) maximum is 10 tries. An attempt to configure a
+# higher value results in the value of 10 being used (with a warning).
+#
+# Squid may open connections to retry various high-level forwarding
+# failures. For an outside observer, that activity may look like a
+# low-level connection reopening attempt, but those high-level retries
+# are governed by forward_max_tries instead.
+#
+# See also: connect_timeout, forward_timeout, icap_connect_timeout,
+# ident_timeout, and forward_max_tries.
+#Default:
+# Do not retry failed connections.
+
+# TAG: retry_on_error
+# If set to ON Squid will automatically retry requests when
+# receiving an error response with status 403 (Forbidden),
+# 500 (Internal Error), 501 or 503 (Service not available).
+# Status 502 and 504 (Gateway errors) are always retried.
+#
+# This is mainly useful if you are in a complex cache hierarchy to
+# work around access control errors.
+#
+# NOTE: This retry will attempt to find another working destination.
+# Which is different from the server which just failed.
+#Default:
+# retry_on_error off
+
+# TAG: as_whois_server
+# WHOIS server to query for AS numbers. NOTE: AS numbers are
+# queried only when Squid starts up, not for every request.
+#Default:
+# as_whois_server whois.ra.net
+
+# TAG: offline_mode
+# Enable this option and Squid will never try to validate cached
+# objects.
+#Default:
+# offline_mode off
+
+# TAG: uri_whitespace
+# What to do with requests that have whitespace characters in the
+# URI. Options:
+#
+# strip: The whitespace characters are stripped out of the URL.
+# This is the behavior recommended by RFC2396 and RFC3986
+# for tolerant handling of generic URI.
+# NOTE: This is one difference between generic URI and HTTP URLs.
+#
+# deny: The request is denied. The user receives an "Invalid
+# Request" message.
+# This is the behaviour recommended by RFC2616 for safe
+# handling of HTTP request URL.
+#
+# allow: The request is allowed and the URI is not changed. The
+# whitespace characters remain in the URI. Note the
+# whitespace is passed to redirector processes if they
+# are in use.
+# Note this may be considered a violation of RFC2616
+# request parsing where whitespace is prohibited in the
+# URL field.
+#
+# encode: The request is allowed and the whitespace characters are
+# encoded according to RFC1738.
+#
+# chop: The request is allowed and the URI is chopped at the
+# first whitespace.
+#
+#
+# NOTE the current Squid implementation of encode and chop violates
+# RFC2616 by not using a 301 redirect after altering the URL.
+#Default:
+# uri_whitespace strip
+
+# TAG: chroot
+# Specifies a directory where Squid should do a chroot() while
+# initializing. This also causes Squid to fully drop root
+# privileges after initializing. This means, for example, if you
+# use a HTTP port less than 1024 and try to reconfigure, you may
+# get an error saying that Squid can not open the port.
+#Default:
+# none
+
+# TAG: pipeline_prefetch
+# HTTP clients may send a pipeline of 1+N requests to Squid using a
+# single connection, without waiting for Squid to respond to the first
+# of those requests. This option limits the number of concurrent
+# requests Squid will try to handle in parallel. If set to N, Squid
+# will try to receive and process up to 1+N requests on the same
+# connection concurrently.
+#
+# Defaults to 0 (off) for bandwidth management and access logging
+# reasons.
+#
+# NOTE: pipelining requires persistent connections to clients.
+#
+# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
+#Default:
+# Do not pre-parse pipelined requests.
+
+# TAG: high_response_time_warning (msec)
+# If the one-minute median response time exceeds this value,
+# Squid prints a WARNING with debug level 0 to get the
+# administrators attention. The value is in milliseconds.
+#Default:
+# disabled.
+
+# TAG: high_page_fault_warning
+# If the one-minute average page fault rate exceeds this
+# value, Squid prints a WARNING with debug level 0 to get
+# the administrators attention. The value is in page faults
+# per second.
+#Default:
+# disabled.
+
+# TAG: high_memory_warning
+# Note: This option is only available if Squid is rebuilt with the
+# GNU Malloc with mstats()
+#
+# If the memory usage (as determined by gnumalloc, if available and used)
+# exceeds this amount, Squid prints a WARNING with debug level 0 to get
+# the administrators attention.
+#Default:
+# disabled.
+
+# TAG: sleep_after_fork (microseconds)
+# When this is set to a non-zero value, the main Squid process
+# sleeps the specified number of microseconds after a fork()
+# system call. This sleep may help the situation where your
+# system reports fork() failures due to lack of (virtual)
+# memory. Note, however, if you have a lot of child
+# processes, these sleep delays will add up and your
+# Squid will not service requests for some amount of time
+# until all the child processes have been started.
+# On Windows value less then 1000 (1 milliseconds) are
+# rounded to 1000.
+#Default:
+# sleep_after_fork 0
+
+# TAG: windows_ipaddrchangemonitor on|off
+# Note: This option is only available if Squid is rebuilt with the
+# MS Windows
+#
+# On Windows Squid by default will monitor IP address changes and will
+# reconfigure itself after any detected event. This is very useful for
+# proxies connected to internet with dial-up interfaces.
+# In some cases (a Proxy server acting as VPN gateway is one) it could be
+# desiderable to disable this behaviour setting this to 'off'.
+# Note: after changing this, Squid service must be restarted.
+#Default:
+# windows_ipaddrchangemonitor on
+
+# TAG: eui_lookup
+# Whether to lookup the EUI or MAC address of a connected client.
+#Default:
+# eui_lookup on
+
+# TAG: max_filedescriptors
+# Set the maximum number of filedescriptors, either below the
+# operating system default or up to the hard limit.
+#
+# Remove from squid.conf to inherit the current ulimit soft
+# limit setting.
+#
+# Note: Changing this requires a restart of Squid. Also
+# not all I/O types supports large values (eg on Windows).
+#Default:
+# Use operating system soft limit set by ulimit.
+
+# TAG: force_request_body_continuation
+# This option controls how Squid handles data upload requests from HTTP
+# and FTP agents that require a "Please Continue" control message response
+# to actually send the request body to Squid. It is mostly useful in
+# adaptation environments.
+#
+# When Squid receives an HTTP request with an "Expect: 100-continue"
+# header or an FTP upload command (e.g., STOR), Squid normally sends the
+# request headers or FTP command information to an adaptation service (or
+# peer) and waits for a response. Most adaptation services (and some
+# broken peers) may not respond to Squid at that stage because they may
+# decide to wait for the HTTP request body or FTP data transfer. However,
+# that request body or data transfer may never come because Squid has not
+# responded with the HTTP 100 or FTP 150 (Please Continue) control message
+# to the request sender yet!
+#
+# An allow match tells Squid to respond with the HTTP 100 or FTP 150
+# (Please Continue) control message on its own, before forwarding the
+# request to an adaptation service or peer. Such a response usually forces
+# the request sender to proceed with sending the body. A deny match tells
+# Squid to delay that control response until the origin server confirms
+# that the request body is needed. Delaying is the default behavior.
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: http_upgrade_request_protocols
+# Controls client-initiated and server-confirmed switching from HTTP to
+# another protocol (or to several protocols) using HTTP Upgrade mechanism
+# defined in RFC 7230 Section 6.7. Squid itself does not understand the
+# protocols being upgraded to and participates in the upgraded
+# communication only as a dumb TCP proxy. Admins should not allow
+# upgrading to protocols that require a more meaningful proxy
+# participation.
+#
+# Usage: http_upgrade_request_protocols allow|deny [!]acl ...
+#
+# The required "protocol" parameter is either an all-caps word OTHER or an
+# explicit protocol name (e.g. "WebSocket") optionally followed by a slash
+# and a version token (e.g. "HTTP/3"). Explicit protocol names and
+# versions are case sensitive.
+#
+# When an HTTP client sends an Upgrade request header, Squid iterates over
+# the client-offered protocols and, for each protocol P (with an optional
+# version V), evaluates the first non-empty set of
+# http_upgrade_request_protocols rules (if any) from the following list:
+#
+# * All rules with an explicit protocol name equal to P.
+# * All rules that use OTHER instead of a protocol name.
+#
+# In other words, rules using OTHER are considered for protocol P if and
+# only if there are no rules mentioning P by name.
+#
+# If both of the above sets are empty, then Squid removes protocol P from
+# the Upgrade offer.
+#
+# If the client sent a versioned protocol offer P/X, then explicit rules
+# referring to the same-name but different-version protocol P/Y are
+# declared inapplicable. Inapplicable rules are not evaluated (i.e. are
+# ignored). However, inapplicable rules still belong to the first set of
+# rules for P.
+#
+# Within the applicable rule subset, individual rules are evaluated in
+# their configuration order. If all ACLs of an applicable "allow" rule
+# match, then the protocol offered by the client is forwarded to the next
+# hop as is. If all ACLs of an applicable "deny" rule match, then the
+# offer is dropped. If no applicable rules have matching ACLs, then the
+# offer is also dropped. The first matching rule also ends rules
+# evaluation for the offered protocol.
+#
+# If all client-offered protocols are removed, then Squid forwards the
+# client request without the Upgrade header. Squid never sends an empty
+# Upgrade request header.
+#
+# An Upgrade request header with a value violating HTTP syntax is dropped
+# and ignored without an attempt to use extractable individual protocol
+# offers.
+#
+# Upon receiving an HTTP 101 (Switching Protocols) control message, Squid
+# checks that the server listed at least one protocol name and sent a
+# Connection:upgrade response header. Squid does not understand individual
+# protocol naming and versioning concepts enough to implement stricter
+# checks, but an admin can restrict HTTP 101 (Switching Protocols)
+# responses further using http_reply_access. Responses denied by
+# http_reply_access rules and responses flagged by the internal Upgrade
+# checks result in HTTP 502 (Bad Gateway) ERR_INVALID_RESP errors and
+# Squid-to-server connection closures.
+#
+# If Squid sends an Upgrade request header, and the next hop (e.g., the
+# origin server) responds with an acceptable HTTP 101 (Switching
+# Protocols), then Squid forwards that message to the client and becomes
+# a TCP tunnel.
+#
+# The presence of an Upgrade request header alone does not preclude cache
+# lookups. In other words, an Upgrade request might be satisfied from the
+# cache, using regular HTTP caching rules.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Each of the following groups of configuration lines represents a
+# separate configuration example:
+#
+# # never upgrade to protocol Foo; all others are OK
+# http_upgrade_request_protocols Foo deny all
+# http_upgrade_request_protocols OTHER allow all
+#
+# # only allow upgrades to protocol Bar (except for its first version)
+# http_upgrade_request_protocols Bar/1 deny all
+# http_upgrade_request_protocols Bar allow all
+# http_upgrade_request_protocols OTHER deny all # this rule is optional
+#
+# # only allow upgrades to protocol Baz, and only if Baz is the only offer
+# acl UpgradeHeaderHasMultipleOffers ...
+# http_upgrade_request_protocols Baz deny UpgradeHeaderHasMultipleOffers
+# http_upgrade_request_protocols Baz allow all
+#Default:
+# Upgrade header dropped, effectively blocking an upgrade attempt.
+
+# TAG: server_pconn_for_nonretriable
+# This option provides fine-grained control over persistent connection
+# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
+# in environments where opening new connections is very expensive
+# (e.g., all connections are secured with TLS with complex client and server
+# certificate validation) and race conditions associated with persistent
+# connections are very rare and/or only cause minor problems.
+#
+# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
+# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
+# By default, when forwarding such "risky" requests, Squid opens a new
+# connection to the server or cache_peer, even if there is an idle persistent
+# connection available. When Squid is configured to risk sending a non-retriable
+# request on a previously used persistent connection, and the server closes
+# the connection before seeing that risky request, the user gets an error response
+# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
+# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
+#
+# If an allow rule matches, Squid reuses an available idle persistent connection
+# (if any) for the request that Squid cannot retry. If a deny rule matches, then
+# Squid opens a new connection for the request that Squid cannot retry.
+#
+# This option does not affect requests that Squid can retry. They will reuse idle
+# persistent connections (if any).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Example:
+# acl SpeedIsWorthTheRisk method POST
+# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
+#Default:
+# Open new connections for forwarding requests Squid cannot retry safely.
+
+# TAG: happy_eyeballs_connect_timeout (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the minimum
+# delay between opening a primary to-server connection and opening a
+# spare to-server connection for the same master transaction. This delay
+# is similar to the Connection Attempt Delay in RFC 8305, but it is only
+# applied to the first spare connection attempt. Subsequent spare
+# connection attempts use happy_eyeballs_connect_gap, and primary
+# connection attempts are not artificially delayed at all.
+#
+# Terminology: The "primary" and "spare" designations are determined by
+# the order of DNS answers received by Squid: If Squid DNS AAAA query
+# was answered first, then primary connections are connections to IPv6
+# peer addresses (while spare connections use IPv4 addresses).
+# Similarly, if Squid DNS A query was answered first, then primary
+# connections are connections to IPv4 peer addresses (while spare
+# connections use IPv6 addresses).
+#
+# Shorter happy_eyeballs_connect_timeout values reduce master
+# transaction response time, potentially improving user-perceived
+# response times (i.e., making user eyeballs happier). Longer delays
+# reduce both concurrent connection level and server bombardment with
+# connection requests, potentially improving overall Squid performance
+# and reducing the chance of being blocked by servers for opening too
+# many unused connections.
+#
+# RFC 8305 prohibits happy_eyeballs_connect_timeout values smaller than
+# 10 (milliseconds) to "avoid congestion collapse in the presence of
+# high packet-loss rates".
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_gap and
+# happy_eyeballs_connect_limit.
+#Default:
+# happy_eyeballs_connect_timeout 250
+
+# TAG: happy_eyeballs_connect_gap (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# minimum delay between opening spare to-server connections (to any
+# server; i.e. across all concurrent master transactions in a Squid
+# instance). Each SMP worker currently multiplies the configured gap
+# by the total number of workers so that the combined spare connection
+# opening rate of a Squid instance obeys the configured limit. The
+# workers do not coordinate connection openings yet; a micro burst
+# of spare connection openings may violate the configured gap.
+#
+# This directive has similar trade-offs as
+# happy_eyeballs_connect_timeout, but its focus is on limiting traffic
+# amplification effects for Squid as a whole, while
+# happy_eyeballs_connect_timeout works on an individual master
+# transaction level.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_limit. See the former for related terminology.
+#Default:
+# no artificial delays between spare attempts
+
+# TAG: happy_eyeballs_connect_limit
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# maximum number of spare to-server connections (to any server; i.e.
+# across all concurrent master transactions in a Squid instance).
+# Each SMP worker gets an equal share of the total limit. However,
+# the workers do not share the actual connection counts yet, so one
+# (busier) worker cannot "borrow" spare connection slots from another
+# (less loaded) worker.
+#
+# Setting this limit to zero disables concurrent use of primary and
+# spare TCP connections: Spare connection attempts are made only after
+# all primary attempts fail. However, Squid would still use the
+# DNS-related optimizations of the Happy Eyeballs approach.
+#
+# This directive has similar trade-offs as happy_eyeballs_connect_gap,
+# but its focus is on limiting Squid overheads, while
+# happy_eyeballs_connect_gap focuses on the origin server and peer
+# overheads.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_gap. See the former for related terminology.
+#Default:
+# no artificial limit on the number of concurrent spare attempts
+
diff --git a/siotp/sisr1/tp06/files_admin/squid_v3.conf b/siotp/sisr1/tp06/files_admin/squid_v3.conf
new file mode 100644
index 0000000..8e8d29e
--- /dev/null
+++ b/siotp/sisr1/tp06/files_admin/squid_v3.conf
@@ -0,0 +1,9161 @@
+# WELCOME TO SQUID 5.7
+# ----------------------------
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
+#
+
+# Configuration options can be included using the "include" directive.
+# Include takes a list of files to include. Quoting and wildcards are
+# supported.
+#
+# For example,
+#
+# include /path/to/included/file/squid.acl.config
+#
+# Includes can be nested up to a hard-coded depth of 16 levels.
+# This arbitrary restriction is to prevent recursive include references
+# from causing Squid entering an infinite loop whilst trying to load
+# configuration files.
+#
+# Values with byte units
+#
+# Squid accepts size units on some size related directives. All
+# such directives are documented with a default value displaying
+# a unit.
+#
+# Units accepted by Squid are:
+# bytes - byte
+# KB - Kilobyte (1024 bytes)
+# MB - Megabyte
+# GB - Gigabyte
+#
+# Values with time units
+#
+# Time-related directives marked with either "time-units" or
+# "time-units-small" accept a time unit.
The supported time units are:
+#
+# nanosecond (time-units-small only)
+# microsecond (time-units-small only)
+# millisecond
+# second
+# minute
+# hour
+# day
+# week
+# fortnight
+# month - 30 days
+# year - 31557790080 milliseconds (just over 365 days)
+# decade
+#
+# Values with spaces, quotes, and other special characters
+#
+# Squid supports directive parameters with spaces, quotes, and other
+# special characters. Surround such parameters with "double quotes". Use
+# the configuration_includes_quoted_values directive to enable or
+# disable that support.
+#
+# Squid supports reading configuration option parameters from external
+# files using the syntax:
+# parameters("/path/filename")
+# For example:
+# acl allowlist dstdomain parameters("/etc/squid/allowlist.txt")
+#
+# Conditional configuration
+#
+# If-statements can be used to make configuration directives
+# depend on conditions:
+#
+# if
+# ... regular configuration directives ...
+# [else
+# ... regular configuration directives ...]
+# endif
+#
+# The else part is optional. The keywords "if", "else", and "endif"
+# must be typed on their own lines, as if they were regular
+# configuration directives.
+#
+# NOTE: An else-if condition is not supported.
+#
+# These individual conditions types are supported:
+#
+# true
+# Always evaluates to true.
+# false
+# Always evaluates to false.
+# =
+# Equality comparison of two integer numbers.
+#
+#
+# SMP-Related Macros
+#
+# The following SMP-related preprocessor macros can be used.
+#
+# ${process_name} expands to the current Squid process "name"
+# (e.g., squid1, squid2, or cache1).
+#
+# ${process_number} expands to the current Squid process
+# identifier, which is an integer number (e.g., 1, 2, 3) unique
+# across all Squid processes of the current service instance.
+#
+# ${service_name} expands into the current Squid service instance
+# name identifier which is provided by -n on the command line.
+#
+# Logformat Macros
+#
+# Logformat macros can be used in many places outside of the logformat
+# directive. In theory, all of the logformat codes can be used as %macros,
+# where they are supported. In practice, a %macro expands as a dash (-) when
+# the transaction does not yet have enough information and a value is needed.
+#
+# There is no definitive list of what tokens are available at the various
+# stages of the transaction.
+#
+# And some information may already be available to Squid but not yet
+# committed where the macro expansion code can access it (report
+# such instances!). The macro will be expanded into a single dash
+# ('-') in such cases. Not all macros have been tested.
+#
+
+# TAG: broken_vary_encoding
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_vary
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: error_map
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: external_refresh_check
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: location_rewrite_program
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: refresh_stale_hit
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: dns_v4_first
+# Remove this line. Squid no longer supports preferential treatment of DNS A records.
+#Default:
+# none
+
+# TAG: cache_peer_domain
+# Replace with dstdomain ACLs and cache_peer_access.
+#Default:
+# none
+
+# TAG: ie_refresh
+# Remove this line. The behaviour enabled by this is no longer needed.
+#Default:
+# none
+
+# TAG: sslproxy_cafile
+# Remove this line. Use tls_outgoing_options cafile= instead.
+#Default:
+# none
+
+# TAG: sslproxy_capath
+# Remove this line. Use tls_outgoing_options capath= instead.
+#Default:
+# none
+
+# TAG: sslproxy_cipher
+# Remove this line. Use tls_outgoing_options cipher= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_certificate
+# Remove this line.
Use tls_outgoing_options cert= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_key
+# Remove this line. Use tls_outgoing_options key= instead.
+#Default:
+# none
+
+# TAG: sslproxy_flags
+# Remove this line. Use tls_outgoing_options flags= instead.
+#Default:
+# none
+
+# TAG: sslproxy_options
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: sslproxy_version
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: hierarchy_stoplist
+# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
+#Default:
+# none
+
+# TAG: log_access
+# Remove this line. Use acls with access_log directives to control access logging
+#Default:
+# none
+
+# TAG: log_icap
+# Remove this line. Use acls with icap_log directives to control icap logging
+#Default:
+# none
+
+# TAG: ignore_ims_on_miss
+# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
+#Default:
+# none
+
+# TAG: balance_on_multiple_ip
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
+#Default:
+# none
+
+# TAG: chunked_request_body_max_size
+# Remove this line. Squid is now HTTP/1.1 compliant.
+#Default:
+# none
+
+# TAG: dns_v4_fallback
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+#Default:
+# none
+
+# TAG: emulate_httpd_log
+# Replace this with an access_log directive using the format 'common' or 'combined'.
+#Default:
+# none
+
+# TAG: forward_log
+# Use a regular access.log with ACL limiting it to MISS events.
+#Default:
+# none
+
+# TAG: ftp_list_width
+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
+#Default:
+# none
+
+# TAG: ignore_expect_100
+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
+#Default:
+# none
+
+# TAG: log_fqdn
+# Remove this option from your config. To log FQDN use %>A in the log format.
+#Default:
+# none
+
+# TAG: log_ip_on_direct
+# Remove this option from your config. To log server or peer names use %
+##auth_param negotiate children 20 startup=0 idle=1
+##
+##auth_param digest program
+##auth_param digest children 20 startup=0 idle=1
+##auth_param digest realm Squid proxy-caching web server
+##auth_param digest nonce_garbage_interval 5 minutes
+##auth_param digest nonce_max_duration 30 minutes
+##auth_param digest nonce_max_count 50
+##
+##auth_param ntlm program
+##auth_param ntlm children 20 startup=0 idle=1
+##
+##auth_param basic program
+##auth_param basic children 5 startup=5 idle=1
+##auth_param basic credentialsttl 2 hours
+#Default:
+# none
+
+# TAG: authenticate_cache_garbage_interval
+# The time period between garbage collection across the username cache.
+# This is a trade-off between memory utilization (long intervals - say
+# 2 days) and CPU (short intervals - say 1 minute). Only change if you
+# have good reason to.
+#Default:
+# authenticate_cache_garbage_interval 1 hour
+
+# TAG: authenticate_ttl
+# The time a user & their credentials stay in the logged in
+# user cache since their last request. When the garbage
+# interval passes, all user credentials that have passed their
+# TTL are removed from memory.
+#Default:
+# authenticate_ttl 1 hour
+
+# TAG: authenticate_ip_ttl
+# If you use proxy authentication and the 'max_user_ip' ACL,
+# this directive controls how long Squid remembers the IP
+# addresses associated with each user. Use a small value
+# (e.g., 60 seconds) if your users might change addresses
+# quickly, as is the case with dialup. You might be safe
+# using a larger value (e.g., 2 hours) in a corporate LAN
+# environment with relatively static address assignments.
+#Default:
+# authenticate_ip_ttl 1 second
+
+# ACCESS CONTROLS
+# -----------------------------------------------------------------------------
+
+# TAG: external_acl_type
+# This option defines external acl classes using a helper program
+# to look up the status
+#
+# external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
+#
+# Options:
+#
+# ttl=n TTL in seconds for cached results (defaults to 3600
+# for 1 hour)
+#
+# negative_ttl=n
+# TTL for cached negative lookups (default same
+# as ttl)
+#
+# grace=n Percentage remaining of TTL where a refresh of a
+# cached entry should be initiated without needing to
+# wait for a new reply. (default is for no grace period)
+#
+# cache=n The maximum number of entries in the result cache. The
+# default limit is 262144 entries. Each cache entry usually
+# consumes at least 256 bytes. Squid currently does not remove
+# expired cache entries until the limit is reached, so a proxy
+# will sooner or later reach the limit. The expanded FORMAT
+# value is used as the cache key, so if the details in FORMAT
+# are highly variable, a larger cache may be needed to produce
+# reduction in helper load.
+#
+# children-max=n
+# Maximum number of acl helper processes spawned to service
+# external acl lookups of this type. (default 5)
+#
+# children-startup=n
+# Minimum number of acl helper processes to spawn during
+# startup and reconfigure to service external acl lookups
+# of this type. (default 0)
+#
+# children-idle=n
+# Number of acl helper processes to keep ahead of traffic
+# loads. Squid will spawn this many at once whenever load
+# rises above the capabilities of existing processes.
+# Up to the value of children-max. (default 1)
+#
+# concurrency=n concurrency level per process. Only used with helpers
+# capable of processing more than one query at a time.
+#
+# queue-size=N The queue-size option sets the maximum number of
+# queued requests.
A request is queued when no existing
+# helper can accept it due to concurrency limit and no
+# new helper can be started due to children-max limit.
+# If the queued requests exceed queue size, the acl is
+# ignored. The default value is set to 2*children-max.
+#
+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+#
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
+#
+#
+# FORMAT is a series of %macro codes. See logformat directive for a full list
+# of the accepted codes. Although note that at the time of any external ACL
+# being tested data may not be available and thus some %macro expand to '-'.
+#
+# In addition to the logformat codes; when processing external ACLs these
+# additional macros are made available:
+#
+# %ACL The name of the ACL being tested.
+#
+# %DATA The ACL arguments specified in the referencing config
+# 'acl ... external' line, separated by spaces (an
+# "argument string"). see acl external.
+#
+# If there are no ACL arguments %DATA expands to '-'.
+#
+# If you do not specify a DATA macro inside FORMAT,
+# Squid automatically appends %DATA to your FORMAT.
+# Note that Squid-3.x may expand %DATA to whitespace
+# or nothing in this case.
+#
+# By default, Squid applies URL-encoding to each ACL
+# argument inside the argument string. If an explicit
+# encoding modifier is used (e.g., %#DATA), then Squid
+# encodes the whole argument string as a single token
+# (e.g., with %#DATA, spaces between arguments become
+# %20).
+#
+# If SSL is enabled, the following formating codes become available:
+#
+# %USER_CERT SSL User certificate in PEM format
+# %USER_CERTCHAIN SSL User certificate chain in PEM format
+# %USER_CERT_xx SSL User certificate subject attribute xx
+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
+#
+#
+# NOTE: all other format codes accepted by older Squid versions
+# are deprecated.
+#
+#
+# General request syntax:
+#
+# [channel-ID] FORMAT-values
+#
+#
+# FORMAT-values consists of transaction details expanded with
+# whitespace separation per the config file FORMAT specification
+# using the FORMAT macros listed above.
+#
+# Request values sent to the helper are URL escaped to protect
+# each value in requests against whitespaces.
+#
+# If using protocol=2.5 then the request sent to the helper is not
+# URL escaped to protect against whitespace.
+#
+# NOTE: protocol=3.0 is deprecated as no longer necessary.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+#
+# The helper receives lines expanded per the above format specification
+# and for each input line returns 1 line starting with OK/ERR/BH result
+# code and optionally followed by additional keywords with more details.
+#
+#
+# General result syntax:
+#
+# [channel-ID] result keyword=value ...
+#
+# Result consists of one of the codes:
+#
+# OK
+# the ACL test produced a match.
+#
+# ERR
+# the ACL test does not produce a match.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# The meaning of 'a match' is determined by your squid.conf
+# access control configuration. See the Squid wiki for details.
+#
+# Defined keywords:
+#
+# user= The users name (login)
+#
+# password= The users password (for login= cache_peer option)
+#
+# message= Message describing the reason for this response.
+# Available as %o in error pages.
+# Useful on (ERR and BH results).
+#
+# tag= Apply a tag to a request. Only sets a tag once,
+# does not alter existing tags.
+#
+# log= String to be logged in access.log. Available as
+# %ea in logformat specifications.
+# +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. +# +# Any keywords may be sent on any response whether OK, ERR or BH. +# +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" +#Default: +# none + +# TAG: acl +# Defining an Access List +# +# Every access list definition must begin with an aclname and acltype, +# followed by either type-specific arguments or a quoted filename that +# they are read from. +# +# acl aclname acltype argument ... +# acl aclname acltype "file" ... +# +# When using "file", the file should contain one item per line. +# +# +# ACL Options +# +# Some acl types supports options which changes their default behaviour: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -m[=delimiters] +# Perform a list membership test, interpreting values as +# comma-separated token lists and matching against individual +# tokens instead of whole values. +# The optional "delimiters" parameter specifies one or more +# alternative non-alphanumeric delimiter characters. +# non-alphanumeric delimiter characters. 
+# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) +# +# Some acl types require suspending the current request in order +# to access some external data source. +# Those which do are marked with the tag [slow], those which +# don't are marked as [fast]. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl +# for further information +# +# ***** ACL TYPES AVAILABLE ***** +# +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] +# +#if USE_SQUID_EUI +# acl aclname arp mac-address ... +# acl aclname eui64 eui64-address ... +# # [fast] +# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation. +# # +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # The eui_lookup directive is required to be 'on' (the default) +# # and Squid built with --enable-eui for MAC/EUI addresses to be +# # available for this ACL. +# # +# # Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. +# # +# # IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. +#endif +# acl aclname clientside_mark mark[/mask] ... +# # matches CONNMARK of an accepted connection [fast] +# # DEPRECATED. Use the 'client_connection_mark' instead. +# +# acl aclname client_connection_mark mark[/mask] ... +# # matches CONNMARK of an accepted connection [fast] +# # +# # mark and mask are unsigned integers (hex, octal, or decimal). 
+# # If multiple marks are given, then the ACL matches if at least +# # one mark matches. +# # +# # Uses netfilter-conntrack library. +# # Requires building Squid with --enable-linux-netfilter. +# # +# # The client, various intermediaries, and Squid itself may set +# # CONNMARK at various times. The last CONNMARK set wins. This ACL +# # checks the mark present on an accepted connection or set by +# # Squid afterwards, depending on the ACL check timing. This ACL +# # effectively ignores any mark set by other agents after Squid has +# # accepted the connection. +# +# acl aclname srcdomain .foo.com ... +# # reverse lookup, from client IP [slow] +# acl aclname dstdomain [-n] .foo.com ... +# # Destination server from URL [fast] +# acl aclname srcdom_regex [-i] \.foo\.com ... +# # regex matching client name [slow] +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... +# # regex matching server [fast] +# # +# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP +# # based URL is used and no match is found. The name "none" is used +# # if the reverse lookup fails. +# +# acl aclname src_as number ... +# acl aclname dst_as number ... +# # [fast] +# # Except for access control, AS numbers can be used for +# # routing of requests to specific caches. Here's an +# # example for routing all requests for AS#1241 and only +# # those to mycache.mydomain.net: +# # acl asexample dst_as 1241 +# # cache_peer_access mycache.mydomain.net allow asexample +# # cache_peer_access mycache_mydomain.net deny all +# +# acl aclname peername myPeer ... +# acl aclname peername_regex [-i] regex-pattern ... +# # [fast] +# # match against a named cache_peer entry +# # set unique name= on cache_peer lines for reliable use. 
+# +# acl aclname time [day-abbrevs] [h1:m1-h2:m2] +# # [fast] +# # day-abbrevs: +# # S - Sunday +# # M - Monday +# # T - Tuesday +# # W - Wednesday +# # H - Thursday +# # F - Friday +# # A - Saturday +# # h1:m1 must be less than h2:m2 +# +# acl aclname url_regex [-i] ^http:// ... +# # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field +# acl aclname urlpath_regex [-i] \.gif$ ... +# # regex matching on URL path [fast] +# +# acl aclname port 80 70 21 0-1024... # destination TCP port [fast] +# # ranges are alloed +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] +# +# acl aclname proto HTTP FTP ... # request protocol [fast] +# +# acl aclname method GET POST ... # HTTP request method [fast] +# +# acl aclname http_status 200 301 500- 400-403 ... +# # status code in reply [fast] +# +# acl aclname browser [-i] regexp ... +# # pattern match on User-Agent header (see also req_header below) [fast] +# +# acl aclname referer_regex [-i] regexp ... +# # pattern match on Referer header [fast] +# # Referer is highly unreliable, so use with care +# +# acl aclname ident [-i] username ... +# acl aclname ident_regex [-i] pattern ... +# # string match on ident output [slow] +# # use REQUIRED to accept any non-null ident. +# +# acl aclname proxy_auth [-i] username ... +# acl aclname proxy_auth_regex [-i] pattern ... +# # perform http authentication challenge to the client and match against +# # supplied credentials [slow] +# # +# # takes a list of allowed usernames. +# # use REQUIRED to accept any valid username. 
+# # +# # Will use proxy authentication in forward-proxy scenarios, and plain +# # http authenticaiton in reverse-proxy scenarios +# # +# # NOTE: when a Proxy-Authentication header is sent but it is not +# # needed during ACL checking the username is NOT logged +# # in access.log. +# # +# # NOTE: proxy_auth requires a EXTERNAL authentication program +# # to check username/password combinations (see +# # auth_param directive). +# # +# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy +# # as the browser needs to be configured for using a proxy in order +# # to respond to proxy authentication. +# +# acl aclname snmp_community string ... +# # A community string to limit access to your SNMP Agent [fast] +# # Example: +# # +# # acl snmppublic snmp_community public +# +# acl aclname maxconn number +# # This will be matched when the client's IP address has +# # more than TCP connections established. [fast] +# # NOTE: This only measures direct TCP links so X-Forwarded-For +# # indirect clients are not counted. +# +# acl aclname max_user_ip [-s] number +# # This will be matched when the user attempts to log in from more +# # than different ip addresses. The authenticate_ip_ttl +# # parameter controls the timeout on the ip entries. [fast] +# # If -s is specified the limit is strict, denying browsing +# # from any further IP addresses until the ttl has expired. Without +# # -s Squid will just annoy the user by "randomly" denying requests. +# # (the counter is reset each time the limit is reached and a +# # request is denied) +# # NOTE: in acceleration mode or where there is mesh of child proxies, +# # clients may appear to come from multiple addresses if they are +# # going through proxy farms, so a limit of 1 may cause user problems. +# +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). 
+# +# acl aclname req_mime_type [-i] mime-type ... +# # regex match against the mime type of the request generated +# # by the client. Can be used to detect file upload or some +# # types HTTP tunneling requests [fast] +# # NOTE: This does NOT match the reply. You cannot use this +# # to match the returned file type. +# +# acl aclname req_header header-name [-i] any\.regex\.here +# # regex match against any of the known request headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACL [fast] +# +# acl aclname rep_mime_type [-i] mime-type ... +# # regex match against the mime type of the reply received by +# # squid. Can be used to detect file download or some +# # types HTTP tunneling requests. [fast] +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname rep_header header-name [-i] any\.regex\.here +# # regex match against any of the known reply headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACLs [fast] +# +# acl aclname external class_name [arguments...] +# # external ACL lookup via a helper class defined by the +# # external_acl_type directive [slow] +# +# acl aclname user_cert attribute values... +# # match against attributes in a user SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ca_cert attribute values... +# # match against attributes a users issuing CA SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ext_user [-i] username ... +# acl aclname ext_user_regex [-i] pattern ... +# # string match on username returned by external acl helper [slow] +# # use REQUIRED to accept any non-null user name. +# +# acl aclname tag tagvalue ... +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. 
+# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note [-m[=delimiters]] name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # If the -m flag is used, then the value of the named +# # annotation is interpreted as a list of tokens, and the ACL +# # matches individual name=token pairs rather than whole +# # name=value pairs. See "ACL Options" above for more info. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname annotate_transaction [-m[=delimiters]] key=value ... +# acl aclname annotate_transaction [-m[=delimiters]] key+=value ... +# # Always matches. [fast] +# # Used for its side effect: This ACL immediately adds a +# # key=value annotation to the current master transaction. +# # The added annotation can then be tested using note ACL and +# # logged (or sent to helpers) using %note format code. +# # +# # Annotations can be specified using replacement and addition +# # formats. The key=value form replaces old same-key annotation +# # value(s). The key+=value form appends a new value to the old +# # same-key annotation. Both forms create a new key=value +# # annotation if no same-key annotation exists already. If +# # -m flag is used, then the value is interpreted as a list +# # and the annotation will contain key=token pair(s) instead of the +# # whole key=value pair. +# # +# # This ACL is especially useful for recording complex multi-step +# # ACL-driven decisions. 
For example, the following configuration +# # avoids logging transactions accepted after aclX matched: +# # +# # # First, mark transactions accepted after aclX matched +# # acl markSpecial annotate_transaction special=true +# # http_access allow acl001 +# # ... +# # http_access deny acl100 +# # http_access allow aclX markSpecial +# # +# # # Second, do not log marked transactions: +# # acl markedSpecial note special true +# # access_log ... deny markedSpecial +# # +# # # Note that the following would not have worked because aclX +# # # alone does not determine whether the transaction was allowed: +# # access_log ... deny aclX # Wrong! +# # +# # Warning: This ACL annotates the transaction even when negated +# # and even if subsequent ACLs fail to match. For example, the +# # following three rules will have exactly the same effect as far +# # as annotations set by the "mark" ACL are concerned: +# # +# # some_directive acl1 ... mark # rule matches if mark is reached +# # some_directive acl1 ... !mark # rule never matches +# # some_directive acl1 ... mark !all # rule never matches +# +# acl aclname annotate_client [-m[=delimiters]] key=value ... +# acl aclname annotate_client [-m[=delimiters]] key+=value ... +# # +# # Always matches. [fast] +# # Used for its side effect: This ACL immediately adds a +# # key=value annotation to the current client-to-Squid +# # connection. Connection annotations are propagated to the current +# # and all future master transactions on the annotated connection. +# # See the annotate_transaction ACL for details. 
+# # +# # For example, the following configuration avoids rewriting URLs +# # of transactions bumped by SslBump: +# # +# # # First, mark bumped connections: +# # acl markBumped annotate_client bumped=true +# # ssl_bump peek acl1 +# # ssl_bump stare acl2 +# # ssl_bump bump acl3 markBumped +# # ssl_bump splice all +# # +# # # Second, do not send marked transactions to the redirector: +# # acl markedBumped note bumped true +# # url_rewrite_access deny markedBumped +# # +# # # Note that the following would not have worked because acl3 alone +# # # does not determine whether the connection is going to be bumped: +# # url_rewrite_access deny acl3 # Wrong! +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname transaction_initiator initiator ... 
+# # Matches transaction's initiator [fast] +# # +# # Supported initiators are: +# # esi: matches transactions fetching ESI resources +# # certificate-fetching: matches transactions fetching +# # a missing intermediate TLS certificate +# # cache-digest: matches transactions fetching Cache Digests +# # from a cache_peer +# # htcp: matches HTCP requests from peers +# # icp: matches ICP requests to peers +# # icmp: matches ICMP RTT database (NetDB) requests to peers +# # asn: matches asns db requests +# # internal: matches any of the above +# # client: matches transactions containing an HTTP or FTP +# # client request received at a Squid *_port +# # all: matches any transaction, including internal transactions +# # without a configurable initiator and hopefully rare +# # transactions without a known-to-Squid initiator +# # +# # Multiple initiators are ORed. +# +# acl aclname has component +# # matches a transaction "component" [fast] +# # +# # Supported transaction components are: +# # request: transaction has a request header (at least) +# # response: transaction has a response header (at least) +# # ALE: transaction has an internally-generated Access Log Entry +# # structure; bugs notwithstanding, all transaction have it +# # +# # For example, the following configuration helps when dealing with HTTP +# # clients that close connections without sending a request header: +# # +# # acl hasRequest has request +# # acl logMe note important_transaction +# # # avoid "logMe ACL is used in context without an HTTP request" warnings +# # access_log ... logformat=detailed hasRequest logMe +# # # log request-less transactions, instead of ignoring them +# # access_log ... 
logformat=brief !hasRequest +# # +# # Multiple components are not supported for one "acl" rule, but +# # can be specified (and are ORed) using multiple same-name rules: +# # +# # # OK, this strange logging daemon needs request or response, +# # # but can work without either a request or a response: +# # acl hasWhatMyLoggingDaemonNeeds has request +# # acl hasWhatMyLoggingDaemonNeeds has response +# +#acl aclname at_step step +# # match against the current request processing step [fast] +# # Valid steps are: +# # GeneratingCONNECT: Generating HTTP CONNECT request headers +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# Examples: +# acl macaddress arp 09:00:2b:23:45:67 +# acl myexample dst_as 1241 +# acl password proxy_auth REQUIRED +# acl fileupload req_mime_type -i ^multipart/form-data$ +# acl javascript rep_mime_type -i ^application/x-javascript$ +# +#Default: +# ACLs all, manager, localhost, to_localhost, and CONNECT are predefined. +# +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. 
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+# TAG: proxy_protocol_access
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address using PROXY protocol.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# This directive is solely for validating new PROXY protocol
+# connections received from a port flagged with require-proxy-header.
+# It is checked only once after TCP connection setup.
+#
+# A deny match results in TCP connection closure.
+#
+# An allow match is required for Squid to permit the corresponding
+# TCP connection, before Squid even looks for HTTP request headers.
+# If there is an allow match, Squid starts using PROXY header information
+# to determine the source address of the connection for all future ACL
+# checks, logging, etc.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default: +# all TCP connections to ports with require-proxy-header will be denied + +# TAG: follow_x_forwarded_for +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. +# +# If a request reaches us from a source that is allowed by this +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. +# +# The end result of this process is an IP address that we will +# refer to as the indirect client address. This address may +# be treated as the client address for access control, ICAP, delay +# pools and logging, depending on the acl_uses_indirect_client, +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# For example: +# +# acl localhost src 127.0.0.1 +# acl my_other_proxy srcdomain .proxy.example.com +# follow_x_forwarded_for allow localhost +# follow_x_forwarded_for allow my_other_proxy +#Default: +# X-Forwarded-For header will be ignored. + +# TAG: acl_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in acl matching. +# +# NOTE: maxconn ACL considers direct TCP links and indirect +# clients will always have zero. So no match. +#Default: +# acl_uses_indirect_client on + +# TAG: delay_pool_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in delay pools. +#Default: +# delay_pool_uses_indirect_client on + +# TAG: log_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in the access log. +#Default: +# log_uses_indirect_client on + +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. 
+#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + +# TAG: http_access +# Allowing or Denying access based on defined access lists +# +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: +# http_access allow|deny [!]aclname ... +# +# NOTE on default values: +# +# If there are no "access" lines present, the default is to deny +# the request. +# +# If none of the "access" lines cause a match, the default is the +# opposite of the last line in the list. If the last line was +# deny, the default is allow. Conversely, if the last line +# is allow, the default will be deny. For these reasons, it is a +# good idea to have an "deny all" entry at the end of your access +# lists to avoid potential confusion. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Default: +# Deny, unless rules exist in squid.conf. 
+#
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+
+# MES ACL
+acl localnet src 172.16.0.0/24
+acl mots_cles url_regex -i tf1 c8 m6 francetv oqee france3 canal chine japon france allemagne corse inde irlande afrique mali somalie iran irak italie angleterre royaume
+acl urls_interdit url_regex youtube.com facebook.com reddit.com discord.com
+acl horaires_pause time M-F 12:00-14:00
+
+http_access allow mots_cles horaires_pause
+http_access allow urls_interdit horaires_pause
+http_access deny localnet mots_cles
+http_access deny localnet urls_interdit
+http_access allow localnet
+
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+include /etc/squid/conf.d/*.conf
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+#http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# TAG: adapted_http_access
+# Allowing or Denying access based on defined access lists
+#
+# Essentially identical to http_access, but runs after redirectors
+# and ICAP/eCAP adaptation. Allowing access control based on their
+# output.
+#
+# If not set then only http_access is used.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: http_reply_access
+# Allow replies to client requests. This is complementary to http_access.
+# +# http_reply_access allow|deny [!] aclname ... +# +# NOTE: if there are no access lines present, the default is to allow +# all replies. +# +# If none of the access lines cause a match the opposite of the +# last line will apply. Thus it is good practice to end the rules +# with an "allow all" or "deny all" entry. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: icp_access +# Allowing or Denying access to the ICP port based on defined +# access lists +# +# icp_access allow|deny [!]aclname ... +# +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow ICP queries from local networks only +##icp_access allow localnet +##icp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_access +# Allowing or Denying access to the HTCP port based on defined +# access lists +# +# htcp_access allow|deny [!]aclname ... +# +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. +# +# NOTE: The default if no htcp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using the htcp option. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP queries from local networks only +##htcp_access allow localnet +##htcp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: htcp_clr_access +# Allowing or Denying access to purge content using HTCP based +# on defined access lists. +# See htcp_access for details on general HTCP access control. +# +# htcp_clr_access allow|deny [!]aclname ... 
+# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP CLR requests from trusted peers +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 +#htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: miss_access +# Determines whether network access is permitted when satisfying a request. +# +# For example; +# to force your neighbors to use you as a sibling instead of +# a parent. +# +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 +# miss_access deny !localclients +# miss_access allow all +# +# This means only your local clients are allowed to fetch relayed/MISS +# replies from the network and all other clients can only fetch cached +# objects (HITs). +# +# The default for this setting allows all clients who passed the +# http_access rules to relay via this proxy. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: ident_lookup_access +# A list of ACL elements which, if matched, cause an ident +# (RFC 931) lookup to be performed for this request. For +# example, you might choose to always perform ident lookups +# for your main multi-user Unix boxes, but not for your Macs +# and PCs. By default, ident lookups are not performed for +# any requests. +# +# To enable ident lookups for specific client addresses, you +# can follow this example: +# +# acl ident_aware_hosts src 198.168.1.0/24 +# ident_lookup_access allow ident_aware_hosts +# ident_lookup_access deny all +# +# Only src type ACL checks are fully supported. A srcdomain +# ACL might work at times, but it will not always provide +# the correct result. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Unless rules exist in squid.conf, IDENT is not fetched. 
+
+# TAG: reply_body_max_size size [acl acl...]
+# This option specifies the maximum size of a reply body. It can be
+# used to prevent users from downloading very large files, such as
+# MP3's and movies. When the reply headers are received, the
+# reply_body_max_size lines are processed, and the first line where
+# all (if any) listed ACLs are true is used as the maximum body size
+# for this reply.
+#
+# This size is checked twice. First when we get the reply headers,
+# we check the content-length value. If the content length value exists
+# and is larger than the allowed size, the request is denied and the
+# user receives an error message that says "the request or reply
+# is too large." If there is no content-length, and the reply
+# size exceeds this limit, the client's connection is just closed
+# and they will receive a partial reply.
+#
+# WARNING: downstream caches probably can not detect a partial reply
+# if there is no content-length header, so they will cache
+# partial responses and give them out as hits. You should NOT
+# use this option if you have downstream caches.
+#
+# WARNING: A maximum size smaller than the size of squid's error messages
+# will cause an infinite loop and crash squid. Ensure that the smallest
+# non-zero value you use is greater that the maximum header size plus
+# the size of your largest error page.
+#
+# If you set this parameter none (the default), there will be
+# no limit imposed.
+#
+# Configuration Format is:
+# reply_body_max_size SIZE UNITS [acl ...]
+# ie.
+# reply_body_max_size 10 MB
+#
+#Default:
+# No limit is applied.
+
+# TAG: on_unsupported_protocol
+# Determines Squid behavior when encountering strange requests at the
+# beginning of an accepted TCP connection or the beginning of a bumped
+# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
+# especially useful in interception environments where Squid is likely
+# to see connections for unsupported protocols that Squid should either
+# terminate or tunnel at TCP level.
+#
+# on_unsupported_protocol [!]acl ...
+#
+# The first matching action wins. Only fast ACLs are supported.
+#
+# Supported actions are:
+#
+# tunnel: Establish a TCP connection with the intended server and
+# blindly shovel TCP packets between the client and server.
+#
+# respond: Respond with an error message, using the transfer protocol
+# for the Squid port that received the request (e.g., HTTP
+# for connections intercepted at the http_port). This is the
+# default.
+#
+# Squid expects the following traffic patterns:
+#
+# http_port: a plain HTTP request
+# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
+# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
+# CONNECT tunnel on http_port: same as https_port
+# CONNECT tunnel on https_port: same as https_port
+#
+# Currently, this directive has effect on intercepted connections and
+# bumped tunnels only. Other cases are not supported because Squid
+# cannot know the intended destination of other traffic.
+#
+# For example:
+# # define what Squid errors indicate receiving non-HTTP traffic:
+# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
+# # define what Squid errors indicate receiving nothing:
+# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
+# # tunnel everything that does not look like HTTP:
+# on_unsupported_protocol tunnel foreignProtocol
+# # tunnel if we think the client waits for the server to talk first:
+# on_unsupported_protocol tunnel serverTalksFirstProtocol
+# # in all other error cases, just send an HTTP "error page" response:
+# on_unsupported_protocol respond all
+#
+# See also: squid_error ACL
+#Default:
+# Respond with an error message to unidentifiable traffic
+
+# TAG: auth_schemes
+# Use this directive to customize authentication schemes presence and
+# order in Squid's Unauthorized and Authentication Required responses.
+#
+# auth_schemes scheme1,scheme2,... [!]aclname ...
+#
+# where schemeN is the name of one of the authentication schemes
+# configured using auth_param directives. At least one scheme name is
+# required. Multiple scheme names are separated by commas. Either
+# avoid whitespace or quote the entire schemes list.
+#
+# A special "ALL" scheme name expands to all auth_param-configured
+# schemes in their configuration order. This directive cannot be used
+# to configure Squid to offer no authentication schemes at all.
+#
+# The first matching auth_schemes rule determines the schemes order
+# for the current Authentication Required transaction. Note that the
+# future response is not yet available during auth_schemes evaluation.
+#
+# If this directive is not used or none of its rules match, then Squid
+# responds with all configured authentication schemes in the order of
+# auth_param directives in the configuration file.
+#
+# This directive does not determine when authentication is used or
+# how each authentication scheme authenticates clients.
+#
+# The following example sends basic and negotiate authentication
+# schemes, in that order, when requesting authentication of HTTP
+# requests matching the isIE ACL (not shown) while sending all
+# auth_param schemes in their configuration order to other clients:
+#
+# auth_schemes basic,negotiate isIE
+# auth_schemes ALL all # explicit default
+#
+# This directive supports fast ACLs only.
+#
+# See also: auth_param.
+#Default:
+# use all auth_param schemes in their configuration order
+
+# NETWORK OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: http_port
+# Usage: port [mode] [options]
+# hostname:port [mode] [options]
+# 1.2.3.4:port [mode] [options]
+#
+# The socket addresses where Squid will listen for HTTP client
+# requests. You may specify multiple socket addresses.
+# There are three forms: port alone, hostname with port, and
+# IP address with port. If you specify a hostname or IP
+# address, Squid binds the socket to that specific
+# address. Most likely, you do not need to bind to a specific
+# address, so you can use the port number alone.
+#
+# If you are running Squid in accelerator mode, you
+# probably want to listen on port 80 also, or instead.
+#
+# The -a command line option may be used to specify additional
+# port(s) where Squid listens for proxy request. Such ports will
+# be plain proxy ports with no options.
+#
+# You may specify multiple socket addresses on multiple lines.
+#
+# Modes:
+#
+# intercept Support for IP-Layer NAT interception delivering
+# traffic to this Squid port.
+# NP: disables authentication on the port.
+#
+# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
+# of outgoing connections using the client IP address.
+# NP: disables authentication on the port.
+#
+# accel Accelerator / reverse proxy mode
+#
+# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
+# establish secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# The ssl_bump option is required to fully enable
+# bumping of CONNECT requests.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# Accelerator Mode Options:
+#
+# defaultsite=domainname
+# What to use for the Host: header if it is not present
+# in a request. Determines what site (not origin server)
+# accelerators should consider the default.
+#
+# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
+#
+# protocol= Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to HTTP/1.1 for http_port and
+# HTTPS/1.1 for https_port.
+# When an unsupported value is configured Squid will
+# produce a FATAL error.
+# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
+#
+# vport Virtual host port support. Using the http_port number
+# instead of the port passed on Host: headers.
+#
+# vport=NN Virtual host port support. Using the specified port
+# number instead of the port passed on Host: headers.
+#
+# act-as-origin
+# Act as if this Squid is the origin server.
+# This currently means generate new Date: and Expires:
+# headers on HIT instead of adding Age:.
+#
+# ignore-cc Ignore request Cache-Control headers.
+#
+# WARNING: This option violates HTTP specifications if
+# used in non-accelerator setups.
+#
+# allow-direct Allow direct forwarding in accelerator mode. Normally
+# accelerated requests are denied direct forwarding as if
+# never_direct was used.
+#
+# WARNING: this option opens accelerator mode to security
+# vulnerabilities usually only affecting in interception
+# mode. Make sure to protect forwarding with suitable
+# http_access rules when using this.
+#
+#
+# SSL Bump Mode Options:
+# In addition to these options ssl-bump requires TLS/SSL options.
+#
+# generate-host-certificates[=]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is a CA certificate lifetime of the generated
+# certificate equals lifetime of the CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when ssl-bump is used.
+# See the ssl-bump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB.
+#
+# TLS / SSL Options:
+#
+# tls-cert= Path to file containing an X.509 certificate (PEM format)
+# to be used in the TLS handshake ServerHello.
+#
+# If this certificate is constrained by KeyUsage TLS
+# feature it must allow HTTP server usage, along with
+# any additional restrictions imposed by your choice
+# of options= settings.
+#
+# When OpenSSL is used this file may also contain a
+# chain of intermediate CA certificates to send in the
+# TLS handshake.
+#
+# When GnuTLS is used this option (and any paired
+# tls-key= option) may be repeated to load multiple
+# certificates for different domains.
+#
+# Also, when generate-host-certificates=on is configured
+# the first tls-cert= option must be a CA certificate
+# capable of signing the automatically generated
+# certificates.
+#
+# tls-key= Path to a file containing private key file (PEM format)
+# for the previous tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
+#
+# options= Various SSL implementation options. The most important
+# being:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# NO_TLSv1 Disallow the use of TLSv1.0
+#
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+#
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# SINGLE_ECDH_USE
+# Enable ephemeral ECDH key exchange.
+# The adopted curve should be specified
+# using the tls-dh option.
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# clientca= File containing the list of CAs to use when
+# requesting a client certificate.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# client certificates. If not configured clientca will be
+# used. May be repeated to load multiple files.
+#
+# capath= Directory containing additional CA certificates
+# and CRL lists to use when verifying client certificates.
+# Requires OpenSSL or LibreSSL.
+#
+# crlfile= File of additional CRL lists to use when verifying
+# the client certificate, in addition to CRLs stored in
+# the capath. Implies VERIFY_CRL flag below.
+#
+# tls-dh=[curve:]file
+# File containing DH parameters for temporary/ephemeral DH key
+# exchanges, optionally prefixed by a curve for ephemeral ECDH
+# key exchanges.
+# See OpenSSL documentation for details on how to create the
+# DH parameter file. Supported curves for ECDH can be listed
+# using the "openssl ecparam -list_curves" command.
+# WARNING: EDH and EECDH ciphers will be silently disabled if
+# this option is not set.
+#
+# sslflags= Various flags modifying the use of SSL:
+# DELAYED_AUTH
+# Don't request client certificates
+# immediately, but wait until acl processing
+# requires a certificate (not yet implemented).
+# CONDITIONAL_AUTH
+# Request a client certificate during the TLS
+# handshake, but ignore certificate absence in
+# the TLS client Hello. If the client does
+# supply a certificate, it is validated.
+# NO_SESSION_REUSE
+# Don't allow for session reuse. Each connection
+# will result in a new SSL session.
+# VERIFY_CRL
+# Verify CRL lists when accepting client
+# certificates.
+# VERIFY_CRL_ALL
+# Verify CRL lists for all certificates in the
+# client certificate chain.
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is OFF.
+#
+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+#
+# sslcontext= SSL session ID context identifier.
+#
+# Other Options:
+#
+# connection-auth[=on|off]
+# use connection-auth=off to tell Squid to prevent
+# forwarding Microsoft connection oriented authentication
+# (NTLM, Negotiate and Kerberos)
+#
+# disable-pmtu-discovery=
+# Control Path-MTU discovery usage:
+# off lets OS decide on what to do (default).
+# transparent disable PMTU discovery when transparent
+# support is enabled.
+# always disable always PMTU discovery.
+#
+# In many setups of transparently intercepting proxies
+# Path-MTU discovery can not work on traffic towards the
+# clients. This is the case when the intercepting device
+# does not fully track connections and fails to forward
+# ICMP must fragment messages to the cache server. If you
+# have such setup and experience that certain clients
+# sporadically hang or never complete requests set
+# disable-pmtu-discovery option to 'transparent'.
+#
+# name= Specifies a internal name for the port. Defaults to
+# the port specification (port or addr:port)
+#
+# tcpkeepalive[=idle,interval,timeout]
+# Enable TCP keepalive probes of idle connections.
+# In seconds; idle is the initial time before TCP starts
+# probing the connection, interval how often to probe, and
+# timeout the time before giving up.
+#
+# require-proxy-header
+# Require PROXY protocol version 1 or 2 connections.
+# The proxy_protocol_access is required to permit
+# downstream proxies which can be trusted.
+#
+# worker-queues
+# Ask TCP stack to maintain a dedicated listening queue
+# for each worker accepting requests at this port.
+# Requires TCP stack that supports the SO_REUSEPORT socket
+# option.
+#
+# SECURITY WARNING: Enabling worker-specific queues
+# allows any process running as Squid's effective user to
+# easily accept requests destined to this port.
+#
+# If you run Squid on a dual-homed machine with an internal
+# and an external interface we recommend you to specify the
+# internal address:port in http_port. This way Squid will only be
+# visible on the internal address.
+#
+#
+
+# Squid normally listens to port 3128
+http_port 8080
+
+# TAG: https_port
+# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
+#
+# The socket address where Squid will listen for client requests made
+# over TLS or SSL connections. Commonly referred to as HTTPS.
+#
+# This is most useful for situations where you are running squid in
+# accelerator mode and you want to do the TLS work at the accelerator
+# level.
+#
+# You may specify multiple socket addresses on multiple lines,
+# each with their own certificate and/or options.
+#
+# The tls-cert= option is mandatory on HTTPS ports.
+#
+# See http_port for a list of modes and options.
+#Default:
+# none
+
+# TAG: ftp_port
+# Enables Native FTP proxy by specifying the socket address where Squid
+# listens for FTP client requests. See http_port directive for various
+# ways to specify the listening address and mode.
+#
+# Usage: ftp_port address [mode] [options]
+#
+# WARNING: This is a new, experimental, complex feature that has seen
+# limited production exposure. Some Squid modules (e.g., caching) do not
+# currently work with native FTP proxying, and many features have not
+# even been tested for compatibility. Test well before deploying!
+#
+# Native FTP proxying differs substantially from proxying HTTP requests
+# with ftp:// URIs because Squid works as an FTP server and receives
+# actual FTP commands (rather than HTTP requests with FTP URLs).
+#
+# Native FTP commands accepted at ftp_port are internally converted or
+# wrapped into HTTP-like messages. The same happens to Native FTP
+# responses received from FTP origin servers. Those HTTP-like messages
+# are shoveled through regular access control and adaptation layers
+# between the FTP client and the FTP origin server. This allows Squid to
+# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
+# mechanisms when shoveling wrapped FTP messages. For example,
+# http_access and adaptation_access directives are used.
+#
+# Modes:
+#
+# intercept Same as http_port intercept. The FTP origin address is
+# determined based on the intended destination of the
+# intercepted connection.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
+#
+# By default (i.e., without an explicit mode option), Squid extracts the
+# FTP origin address from the login@origin parameter of the FTP USER
+# command. Many popular FTP clients support such native FTP proxying.
+#
+# Options:
+#
+# name=token Specifies an internal name for the port. Defaults to
+# the port address. Usable with myportname ACL.
+#
+# ftp-track-dirs
+# Enables tracking of FTP directories by injecting extra
+# PWD commands and adjusting Request-URI (in wrapping
+# HTTP requests) to reflect the current FTP server
+# directory. Tracking is disabled by default.
+#
+# protocol=FTP Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to FTP. No other accepted
+# values have been tested with. An unsupported value
+# results in a FATAL error. Accepted values are FTP,
+# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
+#
+# Other http_port modes and options that are not specific to HTTP and
+# HTTPS may also work.
+#Default:
+# none
+
+# TAG: tcp_outgoing_tos
+# Allows you to select a TOS/Diffserv value for packets outgoing
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_tos 0x00 normal_service_net
+# tcp_outgoing_tos 0x20 good_service_net
+#
+# TOS/DSCP values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: clientside_tos
+# Allows you to select a TOS/DSCP value for packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_tos 0x00 normal_service_net
+# clientside_tos 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any TOS values set here
+# will be overwritten by TOS values in qos_flows.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: tcp_outgoing_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to outgoing packets
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_mark 0x00 normal_service_net
+# tcp_outgoing_mark 0x20 good_service_net
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: mark_client_packet
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter MARK value to packets being transmitted
+# on the client-side, based on an ACL.
+#
+# mark_client_packet mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the MARK value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# mark_client_packet 0x00 normal_service_net
+# mark_client_packet 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any mark values set here
+# will be overwritten by mark values in qos_flows.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: mark_client_connection
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter CONNMARK value to a connection
+# on the client-side, based on an ACL.
+#
+# mark_client_connection mark-value[/mask] [!]aclname ...
+#
+# The mark-value and mask are unsigned integers (hex, octal, or decimal).
+# The mask may be used to preserve marking previously set by other agents
+# (e.g., iptables).
+#
+# A matching rule replaces the CONNMARK value. If a mask is also
+# specified, then the masked bits of the original value are zeroed, and
+# the configured mark-value is ORed with that adjusted value.
+# For example, applying a mark-value 0xAB/0xF to 0x5F CONNMARK, results
+# in a 0xFB marking (rather than a 0xAB or 0x5B).
+#
+# This directive semantics is similar to iptables --set-mark rather than
+# --set-xmark functionality.
+#
+# The directive does not interfere with qos_flows (which uses packet MARKs,
+# not CONNMARKs).
+#
+# Example where squid marks intercepted FTP connections:
+#
+# acl proto_ftp proto FTP
+# mark_client_connection 0x200/0xff00 proto_ftp
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: qos_flows
+# Allows you to select a TOS/DSCP value to mark outgoing
+# connections to the client, based on where the reply was sourced.
+# For platforms using netfilter, allows you to set a netfilter mark
+# value instead of, or in addition to, a TOS value.
+#
+# By default this functionality is disabled. To enable it with the default
+# settings simply use "qos_flows mark" or "qos_flows tos". Default
+# settings will result in the netfilter mark or TOS value being copied
+# from the upstream connection to the client. Note that it is the connection
+# CONNMARK value not the packet MARK value that is copied.
+#
+# It is not currently possible to copy the mark or TOS value from the
+# client to the upstream connection request.
+#
+# TOS values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Mark values can be any unsigned 32-bit integer value.
+#
+# This setting is configured by setting the following values:
+#
+# tos|mark Whether to set TOS or netfilter mark values
+#
+# local-hit=0xFF Value to mark local cache hits.
+#
+# sibling-hit=0xFF Value to mark hits from sibling peers.
+#
+# parent-hit=0xFF Value to mark hits from parent peers.
+#
+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
+# over the preserve-miss feature (see below), unless
+# mask is specified, in which case only the bits
+# specified in the mask are written.
+#
+# The TOS variant of the following features are only possible on Linux
+# and require your kernel to be patched with the TOS preserving ZPH
+# patch, available from http://zph.bratcheda.org
+# No patch is needed to preserve the netfilter mark, which will work
+# with all variants of netfilter.
+#
+# disable-preserve-miss
+# This option disables the preservation of the TOS or netfilter
+# mark. By default, the existing TOS or netfilter mark value of
+# the response coming from the remote server will be retained
+# and masked with miss-mark.
+# NOTE: in the case of a netfilter mark, the mark must be set on
+# the connection (using the CONNMARK target) not on the packet
+# (MARK target).
+#
+# miss-mask=0xFF
+# Allows you to mask certain bits in the TOS or mark value
+# received from the remote server, before copying the value to
+# the TOS sent towards clients.
+# Default for tos: 0xFF (TOS from server is not changed).
+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
+#
+# All of these features require the --enable-zph-qos compilation flag
+# (enabled by default). Netfilter marking also requires the
+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
+# libcap 2.09+ (--with-libcap).
+#
+#Default:
+# none
+
+# TAG: tcp_outgoing_address
+# Allows you to map requests to different outgoing IP addresses
+# based on the username or source address of the user making
+# the request.
+#
+# tcp_outgoing_address ipaddr [[!]aclname] ...
+#
+# For example;
+# Forwarding clients with dedicated IPs for certain subnets.
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
+#
+# tcp_outgoing_address 2001:db8::c001 good_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
+#
+# tcp_outgoing_address 2001:db8::beef normal_service_net
+# tcp_outgoing_address 10.1.0.1 normal_service_net
+#
+# tcp_outgoing_address 2001:db8::1
+# tcp_outgoing_address 10.1.0.3
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Squid will add an implicit IP version test to each line.
+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+#
+#
+# NOTE: The use of this directive using client dependent ACLs is
+# incompatible with the use of server side persistent connections. To
+# ensure correct results it is best to set server_persistent_connections
+# to off when using this directive in such configurations.
+#
+# NOTE: The use of this directive to set a local IP on outgoing TCP links
+# is incompatible with using TPROXY to set client IP out outbound TCP links.
+# When needing to contact peers use the no-tproxy cache_peer option and the
+# client_dst_passthru directive re-enable normal forwarding such as this.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Address selection is performed by the operating system.
+
+# TAG: host_verify_strict
+# Regardless of this option setting, when dealing with intercepted
+# traffic, Squid always verifies that the destination IP address matches
+# the Host header domain or IP (called 'authority form URL').
+#
+# This enforcement is performed to satisfy a MUST-level requirement in
+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
+# authority of the origin server or gateway given by the original URL".
+#
+# When set to ON:
+# Squid always responds with an HTTP 409 (Conflict) error
+# page and logs a security warning if there is no match.
+#
+# Squid verifies that the destination IP address matches
+# the Host header for forward-proxy and reverse-proxy traffic
+# as well. For those traffic types, Squid also enables the
+# following checks, comparing the corresponding Host header
+# and Request-URI components:
+#
+# * The host names (domain or IP) must be identical,
+# but valueless or missing Host header disables all checks.
+# For the two host names to match, both must be either IP
+# or FQDN.
+#
+# * Port numbers must be identical, but if a port is missing
+# the scheme-default port is assumed.
+#
+#
+# When set to OFF (the default):
+# Squid allows suspicious requests to continue but logs a
+# security warning and blocks caching of the response.
+#
+# * Forward-proxy traffic is not checked at all.
+#
+# * Reverse-proxy traffic is not checked at all.
+#
+# * Intercepted traffic which passes verification is handled
+# according to client_dst_passthru.
+#
+# * Intercepted requests which fail verification are sent
+# to the client original destination instead of DIRECT.
+# This overrides 'client_dst_passthru off'.
+#
+# For now suspicious intercepted CONNECT requests are always
+# responded to with an HTTP 409 (Conflict) error page.
+#
+#
+# SECURITY NOTE:
+#
+# As described in CVE-2009-0801 when the Host: header alone is used
+# to determine the destination of a request it becomes trivial for
+# malicious scripts on remote websites to bypass browser same-origin
+# security policy and sandboxing protections.
+#
+# The cause of this is that such applets are allowed to perform their
+# own HTTP stack, in which case the same-origin policy of the browser
+# sandbox only verifies that the applet tries to contact the same IP
+# as from where it was loaded at the IP level. The Host: header may
+# be different from the connected IP and approved origin.
+#
+#Default:
+# host_verify_strict off
+
+# TAG: client_dst_passthru
+# With NAT or TPROXY intercepted traffic Squid may pass the request
+# directly to the original client destination IP or seek a faster
+# source using the HTTP Host header.
+#
+# Using Host to locate alternative servers can provide faster
+# connectivity with a range of failure recovery options.
+# But can also lead to connectivity trouble when the client and
+# server are attempting stateful interactions unaware of the proxy.
+#
+# This option (on by default) prevents alternative DNS entries being
+# located to send intercepted traffic DIRECT to an origin server.
+# The clients original destination IP and port will be used instead.
+#
+# Regardless of this option setting, when dealing with intercepted
+# traffic Squid will verify the Host: header and any traffic which
+# fails Host verification will be treated as if this option were ON.
+#
+# see host_verify_strict for details on the verification process.
+#Default:
+# client_dst_passthru on
+
+# TLS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: tls_outgoing_options
+# disable Do not support https:// URLs.
+#
+# cert=/path/to/client/certificate
+# A client X.509 certificate to use when connecting.
+#
+# key=/path/to/client/private_key
+# The private key corresponding to the cert= above.
+#
+# If key= is not specified cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# cipher=... The list of valid TLS ciphers to use.
+#
+# min-version=1.N
+# The minimum TLS protocol version to permit.
+# To control SSLv3 use the options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2, 1.3
+#
+# options=... Specify various TLS/SSL implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation
+# for a more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings +# +# +# cafile= PEM file containing CA certificates to use when verifying +# the peer certificate. May be repeated to load multiple files. +# +# capath= A directory containing additional CA certificates to +# use when verifying the peer certificate. +# Requires OpenSSL or LibreSSL. +# +# crlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# flags=... Specify various flags modifying the TLS implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# domain= The peer name as advertised in its certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +#Default: +# tls_outgoing_options min-version=1.0 + +# SSL OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ssl_unclean_shutdown +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Some browsers (especially MSIE) bugs out on SSL shutdown +# messages. +#Default: +# ssl_unclean_shutdown off + +# TAG: ssl_engine +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The OpenSSL engine to use. You will need to set this if you +# would like to use hardware SSL acceleration for example. +# +# Not supported in builds with OpenSSL 3.0 or newer. 
+#Default: +# none + +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. +# +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. 
+#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# When used on step SslBump1, establishes a secure connection +# with the client first, then connect to the server. +# When used on step SslBump2 or SslBump3, establishes a secure +# connection with the server and, using a mimicked server +# certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. 
Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# +# +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. +# +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all +#Default: +# Become a TCP tunnel without decrypting proxied traffic. + +# TAG: sslproxy_cert_error +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Use this ACL to bypass server certificate validation errors. +# +# For example, the following lines will bypass all validation errors +# when talking to servers for example.com. All other +# validation errors will result in ERR_SECURE_CONNECT_FAIL error. +# +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers +# sslproxy_cert_error deny all +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+# Using slow acl types may result in server crashes +# +# Without this option, all server certificate validation errors +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. +# +# See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. 
+# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. 
In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslpassword_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify a program used for entering SSL key passphrases +# when using encrypted SSL certificate keys. If not specified +# keys must either be unencrypted, or Squid started with the -N +# option to allow it to query interactively for the passphrase. +# +# The key file name is given as argument to the program allowing +# selection of the right password if you have multiple encrypted +# keys. +#Default: +# none + +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- + +# TAG: sslcrtd_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specify the location and options of the executable for certificate +# generator. +# +# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response +# times on repeated requests. To enable caching, specify -s and -M +# parameters. If those parameters are not given, the program generates +# a new certificate on every request. +# +# For more information use: +# /usr/lib/squid/security_file_certgen -h +#Default: +# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB + +# TAG: sslcrtd_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl-crtd +# +# Specifies the maximum number of certificate generation processes that +# Squid may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. Squid +# does not support spawning more than 32 helpers. 
+# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child is idle and no new child can be started due to +# numberofchildren limit. If the queued requests exceed queue size for +# more than 3 minutes squid aborts its operation. The default value is +# set to 2*numberofchildren. +# +# You must have at least one ssl_crtd process. +#Default: +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specifies the maximum number of certificate validation processes that +# Squid may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. 
Using too many helpers wastes your system resources. Squid +# does not support spawning more than 32 helpers. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child can accept it due to concurrency limit and no new +# child can be started due to numberofchildren limit. If the queued +# requests exceed queue size for more than 3 minutes squid aborts its +# operation. The default value is set to 2*numberofchildren. +# +# You must have at least one ssl_crt_validator process. 
+#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 + +# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM +# ----------------------------------------------------------------------------- + +# TAG: cache_peer +# To specify other caches in a hierarchy, use the format: +# +# cache_peer hostname type http-port icp-port [options] +# +# For example, +# +# # proxy icp +# # hostname type port port options +# # -------------------- -------- ----- ----- ----------- +# cache_peer parent.foo.net parent 3128 3130 default +# cache_peer sib1.foo.net sibling 3128 3130 proxy-only +# cache_peer sib2.foo.net sibling 3128 3130 proxy-only +# cache_peer example.com parent 80 0 default +# cache_peer cdn.example.com sibling 3128 0 +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy-port: The port number where the peer accept HTTP requests. +# For other Squid proxies this is usually 3128 +# For web servers this is usually 80 +# +# icp-port: Used for querying neighbor caches about objects. +# Set to 0 if the peer does not support ICP or HTCP. +# See ICP and HTCP options below for additional details. +# +# +# ==== ICP OPTIONS ==== +# +# You MUST also set icp_port and icp_access explicitly when using these options. +# The defaults will prevent peer traffic using ICP. +# +# +# no-query Disable ICP queries to this neighbor. +# +# multicast-responder +# Indicates the named peer is a member of a multicast group. +# ICP queries will not be sent directly to the peer, but ICP +# replies will be accepted from it. +# +# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward +# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. +# +# background-ping +# To only send ICP queries to this neighbor infrequently. +# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. 
+# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. This directive accepts a comma separated +# list of options described below. +# +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). +# +# htcp=no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# only-clr. +# +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. +# +# htcp=no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp=forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. +# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. +# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. 
+# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. +# +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a multicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. +# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. 
+# +# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== +# +# originserver Causes this parent to be contacted as an origin server. +# Meant to be used in accelerator setups when the peer +# is a web server. +# +# forceddomain=name +# Set the Host header of requests forwarded to this peer. +# Useful in accelerator setups where the server (peer) +# expects a certain domain name but clients may request +# others. ie example.com or www.example.com +# +# no-digest Disable request of cache digests. +# +# no-netdb-exchange +# Disables requesting ICMP RTT database (NetDB). +# +# +# ==== AUTHENTICATION OPTIONS ==== +# +# login=user:password +# If this is a personal/workgroup proxy and your parent +# requires proxy authentication. +# +# Note: The string can include URL escapes (i.e. %20 for +# spaces). This also means % must be written as %%. +# +# login=PASSTHRU +# Send login details received from client to this peer. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. +# +# Note: This will pass any form of authentication but +# only Basic auth will work through a proxy unless the +# connection-auth options are also used. +# +# login=PASS Send login details received from client to this peer. +# Authentication is not required by this option. +# +# If there are no client-provided authentication headers +# to pass on, but username and password are available +# from an external ACL user= and password= result tags +# they may be sent instead. +# +# Note: To combine this with proxy_auth both proxies must +# share the same user database as HTTP only allows for +# a single login (one for proxy, one for origin server). +# Also be warned this will expose your users proxy +# password to the peer. USE WITH CAUTION +# +# login=*:password +# Send the username to the upstream cache, but with a +# fixed password. 
This is meant to be used when the peer +# is in another administrative domain, but it is still +# needed to identify each user. +# The star can optionally be followed by some extra +# information which is added to the username. This can +# be used to identify this proxy to the peer, similar to +# the login=username:password option above. +# +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# connection-auth=on|off +# Tell Squid that this peer does or not support Microsoft +# connection oriented authentication, and any such +# challenges received from there should be ignored. +# Default is auto to automatically determine the status +# of the peer. +# +# auth-no-keytab +# Do not use a keytab to authenticate to a peer when +# login=NEGOTIATE is specified. Let the GSSAPI +# implementation determine which already existing +# credentials cache to use instead. +# +# +# ==== SSL / HTTPS / TLS OPTIONS ==== +# +# tls Encrypt connections to this peer with TLS. +# +# sslcert=/path/to/ssl/certificate +# A client X.509 certificate to use when connecting to +# this peer. +# +# sslkey=/path/to/ssl/key +# The private key corresponding to sslcert above. 
+# +# If sslkey= is not specified sslcert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# sslcipher=... The list of valid SSL ciphers to use when connecting +# to this peer. +# +# tls-min-version=1.N +# The minimum TLS protocol version to permit. To control +# SSLv3 use the tls-options= parameter. +# Supported Values: 1.0 (default), 1.1, 1.2 +# +# tls-options=... Specify various TLS implementation options. +# +# OpenSSL options most important are: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# GnuTLS options most important are: +# +# %NO_TICKETS +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# See the GnuTLS Priority Strings documentation +# for a more complete list. +# http://www.gnutls.org/manual/gnutls.html#Priority-Strings +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# the peer certificate. May be repeated to load multiple files. +# +# sslcapath=... A directory containing additional CA certificates to +# use when verifying the peer certificate. +# Requires OpenSSL or LibreSSL. +# +# sslcrlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# sslflags=... Specify various flags modifying the SSL implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. 
+# +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# ssldomain= The peer name as advertised in it's certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +# +# front-end-https[=off|on|auto] +# Enable the "Front-End-Https: On" header needed when +# using Squid as a SSL frontend in front of Microsoft OWA. +# See MS KB document Q307347 for details on this header. +# If set to auto the header will only be added if the +# request is forwarded as a https:// URL. +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. +# +# ==== GENERAL OPTIONS ==== +# +# connect-timeout=N +# A peer-specific connect timeout. +# Also see the peer_connect_timeout directive. +# +# connect-fail-limit=N +# How many times connecting to a peer must fail before +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. +# +# allow-miss Disable Squid's use of only-if-cached when forwarding +# requests to siblings. This is primarily useful when +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. +# +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. 
+# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. +# +# name=xxx Unique name for the peer. +# Required if you have multiple peers on the same host +# but different ports. +# This name can be used in cache_peer_access and similar +# directives to identify the peer. +# Can be used by outgoing access controls through the +# peername ACL type. 
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
+#Default:
+# none
+
+# TAG: cache_peer_access
+# Restricts usage of cache_peer proxies.
+#
+# Usage:
+# cache_peer_access peer-name allow|deny [!]aclname ...
+#
+# For the required peer-name parameter, use either the value of the
+# cache_peer name=value parameter or, if name=value is missing, the
+# cache_peer hostname parameter.
+#
+# This directive narrows down the selection of peering candidates, but
+# does not determine the order in which the selected candidates are
+# contacted. That order is determined by the peer selection algorithms
+# (see PEER SELECTION sections in the cache_peer documentation).
+#
+# If a deny rule matches, the corresponding peer will not be contacted
+# for the current transaction -- Squid will not send ICP queries and
+# will not forward HTTP requests to that peer. An allow match leaves
+# the corresponding peer in the selection. The first match for a given
+# peer wins for that peer.
+#
+# The relative order of cache_peer_access directives for the same peer
+# matters. The relative order of any two cache_peer_access directives
+# for different peers does not matter. To ease interpretation, it is a
+# good idea to group cache_peer_access directives for the same peer
+# together.
+#
+# A single cache_peer_access directive may be evaluated multiple times
+# for a given transaction because individual peer selection algorithms
+# may check it independently from each other. These redundant checks
+# may be optimized away in future Squid versions.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# No peer usage restrictions.
+
+# TAG: neighbor_type_domain
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
+#
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
+#
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
+#Default:
+# The peer type from cache_peer directive is used for all requests to that peer.
+
+# TAG: dead_peer_timeout (seconds)
+# This controls how long Squid waits to declare a peer cache
+# as "dead." If there are no ICP replies received in this
+# amount of time, Squid will declare the peer dead and not
+# expect to receive any further ICP replies. However, it
+# continues to send ICP queries, and will mark the peer as
+# alive upon receipt of the first subsequent ICP reply.
+#
+# This timeout also affects when Squid expects to receive ICP
+# replies from peers. If more than 'dead_peer' seconds have
+# passed since the last ICP reply was received, Squid will not
+# expect to receive an ICP reply on the next query. Thus, if
+# your time between requests is greater than this timeout, you
+# will see a lot of requests sent DIRECT to origin servers
+# instead of to your parents.
+#Default:
+# dead_peer_timeout 10 seconds
+
+# TAG: forward_max_tries
+# Limits the number of attempts to forward the request.
+#
+# For the purpose of this limit, Squid counts all high-level request
+# forwarding attempts, including any same-destination retries after
+# certain persistent connection failures and any attempts to use a
+# different peer.
However, these low-level attempts are not counted:
+# * connection reopening attempts (enabled using connect_retries)
+# * unfinished Happy Eyeballs connection attempts (prevented by setting
+# happy_eyeballs_connect_limit to 0)
+#
+# See also: forward_timeout and connect_retries.
+#Default:
+# forward_max_tries 25
+
+# MEMORY CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mem (bytes)
+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+#
+# 'cache_mem' specifies the ideal amount of memory to be used
+# for:
+# * In-Transit objects
+# * Hot Objects
+# * Negative-Cached objects
+#
+# Data for these objects are stored in 4 KB blocks. This
+# parameter specifies the ideal upper limit on the total size of
+# 4 KB blocks allocated. In-Transit objects take the highest
+# priority.
+#
+# In-transit objects have priority over the others. When
+# additional space is needed for incoming data, negative-cached
+# and hot objects will be released. In other words, the
+# negative-cached and hot objects will fill up any unused space
+# not needed for in-transit objects.
+#
+# If circumstances require, this limit will be exceeded.
+# Specifically, if your incoming request rate requires more than
+# 'cache_mem' of memory to hold in-transit objects, Squid will
+# exceed this limit to satisfy the new requests. When the load
+# decreases, blocks will be freed until the high-water mark is
+# reached. Thereafter, blocks will be used to store hot
+# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
+#Default:
+# cache_mem 256 MB
+
+# TAG: maximum_object_size_in_memory (bytes)
+# Objects greater than this size will not be attempted to kept in
+# the memory cache. This should be set high enough to keep objects
+# accessed frequently in memory to improve performance whilst low
+# enough to keep larger objects from hoarding cache_mem.
+#Default:
+# maximum_object_size_in_memory 512 KB
+
+# TAG: memory_cache_shared on|off
+# Controls whether the memory cache is shared among SMP workers.
+#
+# The shared memory cache is meant to occupy cache_mem bytes and replace
+# the non-shared memory cache, although some entities may still be
+# cached locally by workers for now (e.g., internal and in-transit
+# objects may be served from a local memory cache even if shared memory
+# caching is enabled).
+#
+# By default, the memory cache is shared if and only if all of the
+# following conditions are satisfied: Squid runs in SMP mode with
+# multiple workers, cache_mem is positive, and Squid environment
+# supports required IPC primitives (e.g., POSIX shared memory segments
+# and GCC-style atomic operations).
+#
+# To avoid blocking locks, shared memory uses opportunistic algorithms
+# that do not guarantee that every cachable entity that could have been
+# shared among SMP workers will actually be shared.
+#Default:
+# "on" where supported if doing memory caching with multiple SMP workers.
+
+# TAG: memory_cache_mode
+# Controls which objects to keep in the memory cache (cache_mem)
+#
+# always Keep most recently fetched objects in memory (default)
+#
+# disk Only disk cache hits are kept in memory, which means
+# an object must first be cached on disk and then hit
+# a second time before cached in memory.
+#
+# network Only objects fetched from network is kept in memory
+#Default:
+# Keep the most recently fetched objects in memory
+
+# TAG: memory_replacement_policy
+# The memory replacement policy parameter determines which
+# objects are purged from memory when memory space is needed.
+#
+# See cache_replacement_policy for details on algorithms.
+#Default:
+# memory_replacement_policy lru
+
+# DISK CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_replacement_policy
+# The cache replacement policy parameter determines which
+# objects are evicted (replaced) when disk space is needed.
+#
+# lru : Squid's original list based LRU policy
+# heap GDSF : Greedy-Dual Size Frequency
+# heap LFUDA: Least Frequently Used with Dynamic Aging
+# heap LRU : LRU policy implemented using a heap
+#
+# Applies to any cache_dir lines listed below this directive.
+#
+# The LRU policies keeps recently referenced objects.
+#
+# The heap GDSF policy optimizes object hit rate by keeping smaller
+# popular objects in cache so it has a better chance of getting a
+# hit. It achieves a lower byte hit rate than LFUDA though since
+# it evicts larger (possibly popular) objects.
+#
+# The heap LFUDA policy keeps popular objects in cache regardless of
+# their size and thus optimizes byte hit rate at the expense of
+# hit rate since one large, popular object will prevent many
+# smaller, slightly less popular objects from being cached.
+#
+# Both policies utilize a dynamic aging mechanism that prevents
+# cache pollution that can otherwise occur with frequency-based
+# replacement policies.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# the value of maximum_object_size above its default of 4 MB to
+# to maximize the potential byte hit rate improvement of LFUDA.
+#
+# For more information about the GDSF and LFUDA cache replacement
+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+#Default:
+# cache_replacement_policy lru
+
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in bytes, and the default is 0 KB, which
+# means all responses can be stored.
+#Default:
+# no limit
+
+# TAG: maximum_object_size (bytes)
+# Set the default value for max-size parameter on any cache_dir.
+# The value is specified in bytes, and the default is 4 MB.
+#
+# If you wish to get a high BYTES hit ratio, you should probably
+# increase this (one 32 MB object hit counts for 3200 10KB
+# hits).
+#
+# If you wish to increase hit ratio more than you want to
+# save bandwidth you should leave this low.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# this value to maximize the byte hit rate improvement of LFUDA!
+# See cache_replacement_policy for a discussion of this policy.
+#Default:
+# maximum_object_size 4 MB
+
+# TAG: cache_dir
+# Format:
+# cache_dir Type Directory-Name Fs-specific-data [options]
+#
+# You can specify multiple cache_dir lines to spread the
+# cache among different disk partitions.
+#
+# Type specifies the kind of storage system to use. Only "ufs"
+# is built by default. To enable any of the other storage systems
+# see the --enable-storeio configure option.
+#
+# 'Directory' is a top-level directory where cache swap
+# files will be stored. If you want to use an entire disk
+# for caching, this can be the mount-point directory.
+# The directory must exist and be writable by the Squid
+# process. Squid will NOT create this directory for you.
+#
+# In SMP configurations, cache_dir must not precede the workers option
+# and should use configuration macros or conditionals to give each
+# worker interested in disk caching a dedicated cache directory.
+#
+#
+# ==== The ufs store type ====
+#
+# "ufs" is the old well-known Squid storage format that has always
+# been there.
+#
+# Usage:
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+#
+# 'Mbytes' is the amount of disk space (MB) to use under this
+# directory. The default is 100 MB. Change this to suit your
+# configuration. Do NOT put the size of your disk drive here.
+# Instead, if you want Squid to use the entire disk drive,
+# subtract 20% and use that value.
+#
+# 'L1' is the number of first-level subdirectories which
+# will be created under the 'Directory'. The default is 16.
+#
+# 'L2' is the number of second-level subdirectories which
+# will be created under each first-level directory. The default
+# is 256.
+#
+#
+# ==== The aufs store type ====
+#
+# "aufs" uses the same storage format as "ufs", utilizing
+# POSIX-threads to avoid blocking the main Squid process on
+# disk-I/O. This was formerly known in Squid as async-io.
+#
+# Usage:
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+#
+# see argument descriptions under ufs above
+#
+#
+# ==== The diskd store type ====
+#
+# "diskd" uses the same storage format as "ufs", utilizing a
+# separate process to avoid blocking the main Squid process on
+# disk-I/O.
+#
+# Usage:
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+#
+# see argument descriptions under ufs above
+#
+# Q1 specifies the number of unacknowledged I/O requests when Squid
+# stops opening new files. If this many messages are in the queues,
+# Squid won't open new files. Default is 64
+#
+# Q2 specifies the number of unacknowledged messages when Squid
+# starts blocking. If this many messages are in the queues,
+# Squid blocks until it receives some replies.
Default is 72
+#
+# When Q1 < Q2 (the default), the cache directory is optimized
+# for lower response time at the expense of a decrease in hit
+# ratio. If Q1 > Q2, the cache directory is optimized for
+# higher hit ratio at the expense of an increase in response
+# time.
+#
+#
+# ==== The rock store type ====
+#
+# Usage:
+# cache_dir rock Directory-Name Mbytes [options]
+#
+# The Rock Store type is a database-style storage. All cached
+# entries are stored in a "database" file, using fixed-size slots.
+# A single entry occupies one or more slots.
+#
+# If possible, Squid using Rock Store creates a dedicated kid
+# process called "disker" to avoid blocking Squid worker(s) on disk
+# I/O. One disker kid is created for each rock cache_dir. Diskers
+# are created only when Squid, running in daemon mode, has support
+# for the IpcIo disk I/O module.
+#
+# swap-timeout=msec: Squid will not start writing a miss to or
+# reading a hit from disk if it estimates that the swap operation
+# will take more than the specified number of milliseconds. By
+# default and when set to zero, disables the disk I/O time limit
+# enforcement. Ignored when using blocking I/O module because
+# blocking synchronous I/O does not allow Squid to estimate the
+# expected swap wait time.
+#
+# max-swap-rate=swaps/sec: Artificially limits disk access using
+# the specified I/O rate limit. Swap out requests that
+# would cause the average I/O rate to exceed the limit are
+# delayed. Individual swap in requests (i.e., hits or reads) are
+# not delayed, but they do contribute to measured swap rate and
+# since they are placed in the same FIFO queue as swap out
+# requests, they may wait longer if max-swap-rate is smaller.
+# This is necessary on file systems that buffer "too
+# many" writes and then start blocking Squid and other processes
+# while committing those writes to disk.
Usually used together
+# with swap-timeout to avoid excessive delays and queue overflows
+# when disk demand exceeds available disk "bandwidth". By default
+# and when set to zero, disables the disk I/O rate limit
+# enforcement. Currently supported by IpcIo module only.
+#
+# slot-size=bytes: The size of a database "record" used for
+# storing cached responses. A cached response occupies at least
+# one slot and all database I/O is done using individual slots so
+# increasing this parameter leads to more disk space waste while
+# decreasing it leads to more disk I/O overheads. Should be a
+# multiple of your operating system I/O page size. Defaults to
+# 16KBytes. A housekeeping header is stored with each slot and
+# smaller slot-sizes will be rejected. The header is smaller than
+# 100 bytes.
+#
+#
+# ==== COMMON OPTIONS ====
+#
+# no-store no new objects should be stored to this cache_dir.
+#
+# min-size=n the minimum object size in bytes this cache_dir
+# will accept. It's used to restrict a cache_dir
+# to only store large objects (e.g. AUFS) while
+# other stores are optimized for smaller objects
+# (e.g. Rock).
+# Defaults to 0.
+#
+# max-size=n the maximum object size in bytes this cache_dir
+# supports.
+# The value in maximum_object_size directive sets
+# the default unless more specific details are
+# available (ie a small store capacity).
+#
+# Note: To make optimal use of the max-size limits you should order
+# the cache_dir lines with the smallest max-size value first.
+#
+#Default:
+# No disk cache. Store cache ojects only in memory.
+#
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# TAG: store_dir_select_algorithm
+# How Squid selects which cache_dir to use when the response
+# object will fit into more than one.
+#
+# Regardless of which algorithm is used the cache_dir min-size
+# and max-size parameters are obeyed.
As such they can affect
+# the selection algorithm by limiting the set of considered
+# cache_dir.
+#
+# Algorithms:
+#
+# least-load
+#
+# This algorithm is suited to caches with similar cache_dir
+# sizes and disk speeds.
+#
+# The disk with the least I/O pending is selected.
+# When there are multiple disks with the same I/O load ranking
+# the cache_dir with most available capacity is selected.
+#
+# When a mix of cache_dir sizes are configured the faster disks
+# have a naturally lower I/O loading and larger disks have more
+# capacity. So space used to store objects and data throughput
+# may be very unbalanced towards larger disks.
+#
+#
+# round-robin
+#
+# This algorithm is suited to caches with unequal cache_dir
+# disk sizes.
+#
+# Each cache_dir is selected in a rotation. The next suitable
+# cache_dir is used.
+#
+# Available cache_dir capacity is only considered in relation
+# to whether the object will fit and meets the min-size and
+# max-size parameters.
+#
+# Disk I/O loading is only considered to prevent overload on slow
+# disks. This algorithm does not spread objects by size, so any
+# I/O loading per-disk may appear very unbalanced and volatile.
+#
+# If several cache_dirs use similar min-size, max-size, or other
+# limits to to reject certain responses, then do not group such
+# cache_dir lines together, to avoid round-robin selection bias
+# towards the first cache_dir after the group. Instead, interleave
+# cache_dir lines from different groups. For example:
+#
+# store_dir_select_algorithm round-robin
+# cache_dir rock /hdd1 ... min-size=100000
+# cache_dir rock /ssd1 ... max-size=99999
+# cache_dir rock /hdd2 ... min-size=100000
+# cache_dir rock /ssd2 ... max-size=99999
+# cache_dir rock /hdd3 ... min-size=100000
+# cache_dir rock /ssd3 ...
max-size=99999
+#Default:
+# store_dir_select_algorithm least-load
+
+# TAG: max_open_disk_fds
+# To avoid having disk as the I/O bottleneck Squid can optionally
+# bypass the on-disk cache if more than this amount of disk file
+# descriptors are open.
+#
+# A value of 0 indicates no limit.
+#Default:
+# no limit
+
+# TAG: cache_swap_low (percent, 0-100)
+# The low-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above this low-water mark and attempts to maintain utilization
+# near the low-water mark.
+#
+# As swap utilization increases towards the high-water mark set
+# by cache_swap_high object eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_high and cache_replacement_policy
+#Default:
+# cache_swap_low 90
+
+# TAG: cache_swap_high (percent, 0-100)
+# The high-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above the low-water mark set by cache_swap_low and attempts to
+# maintain utilization near the low-water mark.
+#
+# As swap utilization increases towards this high-water mark object
+# eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%.
If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_low and cache_replacement_policy
+#Default:
+# cache_swap_high 95
+
+# LOGFILE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: logformat
+# Usage:
+#
+# logformat
+#
+# Defines an access log format.
+#
+# The is a string with embedded % format codes
+#
+# % format codes all follow the same basic structure where all
+# components but the formatcode are optional and usually unnecessary,
+# especially when dealing with common codes.
+#
+# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
+#
+# encoding escapes or otherwise protects "special" characters:
+#
+# " Quoted string encoding where quote(") and
+# backslash(\) characters are \-escaped while
+# CR, LF, and TAB characters are encoded as \r,
+# \n, and \t two-character sequences.
+#
+# [ Custom Squid encoding where percent(%), square
+# brackets([]), backslash(\) and characters with
+# codes outside of [32,126] range are %-encoded.
+# SP is not encoded. Used by log_mime_hdrs.
+#
+# # URL encoding (a.k.a. percent-encoding) where
+# all URL unsafe and control characters (per RFC
+# 1738) are %-encoded.
+#
+# / Shell-like encoding where quote(") and
+# backslash(\) characters are \-escaped while CR
+# and LF characters are encoded as \r and \n
+# two-character sequences. Values containing SP
+# character(s) are surrounded by quotes(").
+#
+# ' Raw/as-is encoding with no escaping/quoting.
+#
+# Default encoding: When no explicit encoding is
+# specified, each %code determines its own encoding.
+# Most %codes use raw/as-is encoding, but some codes use
+# a so called "pass-through URL encoding" where all URL
+# unsafe and control characters (per RFC 1738) are
+# %-encoded, but the percent character(%) is left as is.
+#
+# - left aligned
+#
+# width minimum and/or maximum field width:
+# [width_min][.width_max]
+# When minimum starts with 0, the field is zero-padded.
+# String values exceeding maximum width are truncated.
+#
+# {arg} argument such as header name etc. This field may be
+# placed before or after the token, but not both at once.
+#
+# Format codes:
+#
+# % a literal % character
+# sn Unique sequence number per log line entry
+# err_code The ID of an error response served by Squid or
+# a similar internal error identifier.
+# err_detail Additional err_code-dependent error information.
+# note The annotation specified by the argument. Also
+# logs the adaptation meta headers set by the
+# adaptation_meta configuration parameter.
+# If no argument given all annotations logged.
+# The argument may include a separator to use with
+# annotation values:
+# name[:separator]
+# By default, multiple note values are separated with ","
+# and multiple notes are separated with "\r\n".
+# When logging named notes with %{name}note, the
+# explicitly configured separator is used between note
+# values. When logging all notes with %note, the
+# explicitly configured separator is used between
+# individual notes. There is currently no way to
+# specify both value and notes separators when logging
+# all notes with %note.
+# master_xaction The master transaction identifier is an unsigned
+# integer. These IDs are guaranteed to monotonically
+# increase within a single worker process lifetime, with
+# higher values corresponding to transactions that were
+# accepted or initiated later. Due to current implementation
+# deficiencies, some IDs are skipped (i.e. never logged).
+# Concurrent workers and restarted workers use similar,
+# overlapping sequences of master transaction IDs.
+#
+# Connection related format codes:
+#
+# >a Client source IP address
+# >A Client FQDN
+# >p Client source port
+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+# >la Local IP address the client connected to
+# >lp Local port number the client connected to
+# >qos Client connection TOS/DSCP value set by Squid
+# >nfmark Client connection netfilter packet MARK set by Squid
+#
+# la Local listening IP address the client connection was connected to.
+# lp Local listening port number the client connection was connected to.
+#
+# handshake Raw client handshake
+# Initial client bytes received by Squid on a newly
+# accepted TCP connection or inside a just established
+# CONNECT tunnel. Squid stops accumulating handshake
+# bytes as soon as the handshake parser succeeds or
+# fails (determining whether the client is using the
+# expected protocol).
+#
+# For HTTP clients, the handshake is the request line.
+# For TLS clients, the handshake consists of all TLS
+# records up to and including the TLS record that
+# contains the last byte of the first ClientHello
+# message. For clients using an unsupported protocol,
+# this field contains the bytes received by Squid at the
+# time of the handshake parsing failure.
+#
+# See the on_unsupported_protocol directive for more
+# information on Squid handshake traffic expectations.
+#
+# Current support is limited to these contexts:
+# - http_port connections, but only when the
+# on_unsupported_protocol directive is in use.
+# - https_port connections (and CONNECT tunnels) that
+# are subject to the ssl_bump peek or stare action.
+#
+# To protect binary handshake data, this field is always
+# base64-encoded (RFC 4648 Section 4). If logformat
+# field encoding is configured, that encoding is applied
+# on top of base64. Otherwise, the computed base64 value
+# is recorded as is.
+#
+# Time related format codes:
+#
+# ts Seconds since epoch
+# tu subsecond time (milliseconds)
+# tl Local time.
Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tg GMT time. Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tr Response time (milliseconds)
+# dt Total time spent making DNS lookups (milliseconds)
+# tS Approximate master transaction start time in
+# . format.
+# Currently, Squid considers the master transaction
+# started when a complete HTTP request header initiating
+# the transaction is received from the client. This is
+# the same value that Squid uses to calculate transaction
+# response time when logging %tr to access.log. Currently,
+# Squid uses millisecond resolution for %tS values,
+# similar to the default access.log "current time" field
+# (%ts.%03tu).
+#
+# Access Control related format codes:
+#
+# et Tag returned by external acl
+# ea Log string returned by external acl
+# un User name (any available)
+# ul User name from authentication
+# ue User name from external acl helper
+# ui User name from ident
+# un A user name. Expands to the first available name
+# from the following list of information sources:
+# - authenticated user name, like %ul
+# - user name supplied by an external ACL, like %ue
+# - SSL client name, like %us
+# - ident user name, like %ui
+# credentials Client credentials. The exact meaning depends on
+# the authentication scheme: For Basic authentication,
+# it is the password; for Digest, the realm sent by the
+# client; for NTLM and Negotiate, the client challenge
+# or client credentials prefixed with "YR " or "KK ".
+#
+# HTTP related format codes:
+#
+# REQUEST
+#
+# [http::]rm Request method (GET/POST etc)
+# [http::]>rm Request method from client
+# [http::]ru Request URL received from the client (or computed)
+#
+# Computed URLs are URIs of internally generated
+# requests and various "error:..." URIs.
+#
+# Unlike %ru, this request URI is not affected
+# by request adaptation, URL rewriting services,
+# and strip_query_terms.
+#
+# Honors uri_whitespace.
+#
+# This field is using pass-through URL encoding
+# by default. Encoding this field using other
+# variants of %-encoding will clash with
+# uri_whitespace modifications that also use
+# %-encoding.
+#
+# [http::]rs Request URL scheme from client
+# [http::]rd Request URL domain from client
+# [http::]rP Request URL port from client
+# [http::]rp Request URL path excluding hostname from client
+# [http::]rv Request protocol version from client
+# [http::]h Original received request header.
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Accepts optional header field name/value filter
+# argument using name[:[separator]element] format.
+# [http::]>ha Received request header after adaptation and
+# redirection (pre-cache REQMOD vectoring point).
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Optional header name argument as for >h
+#
+# RESPONSE
+#
+# [http::]Hs HTTP status code sent to the client
+#
+# [http::]h
+#
+# [http::]mt MIME content type
+#
+#
+# SIZE COUNTERS
+#
+# [http::]st Total size of request + reply traffic with client
+# [http::]>st Total size of request received from client.
+# Excluding chunked encoding bytes.
+# [http::]sh Size of request headers received from client
+# [http::]sni SSL client SNI sent to Squid.
+#
+# ssl::>cert_subject
+# The Subject field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Subject often has spaces.
+#
+# ssl::>cert_issuer
+# The Issuer field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Issuer often has spaces.
+#
+# ssl::negotiated_version The negotiated TLS version of the
+# client connection.
+#
+# %ssl::received_hello_version The TLS version of the Hello
+# message received from TLS client.
+#
+# %ssl::received_supported_version The maximum TLS version
+# supported by the TLS client.
+#
+# %ssl::negotiated_cipher The negotiated cipher of the
+# client connection.
+#
+# %ssl::h PROXY protocol header, including optional TLVs.
+#
+# Supports the same field and element reporting/extraction logic
+# as %http::>h. For configuration and reporting purposes, Squid
+# maps each PROXY TLV to an HTTP header field: the TLV type
+# (configured as a decimal integer) is the field name, and the
+# TLV value is the field value. All TLVs of "LOCAL" connections
+# (in PROXY protocol terminology) are currently skipped/ignored.
+#
+# Squid also maps the following standard PROXY protocol header
+# blocks to pseudo HTTP headers (their names use PROXY
+# terminology and start with a colon, following HTTP tradition
+# for pseudo headers): :command, :version, :src_addr, :dst_addr,
+# :src_port, and :dst_port.
+#
+# Without optional parameters, this logformat code logs
+# pseudo headers and TLVs.
+#
+# This format code uses pass-through URL encoding by default.
+#
+# Example:
+# # relay custom PROXY TLV #224 to adaptation services
+# adaptation_meta Client-Foo "%proxy_protocol::>h{224}"
+#
+# See also: %http::>h
+#
+# The default formats available (which do not need re-defining) are:
+#
+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+#logformat useragent %>a [%tl] "%{User-Agent}>h"
+#
+# NOTE: When the log_mime_hdrs directive is set to ON.
+# The squid, common and combined formats have a safely encoded copy
+# of the mime headers appended to each line within a pair of brackets.
+#
+# NOTE: The common and combined formats are not quite true to the Apache definition.
+# The logs from Squid contain an extra status and hierarchy code appended. +# +#Default: +# The format definitions squid, common, combined, referrer, useragent are built in. + +# TAG: access_log +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: +# +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] +# +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] +# +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. 
+# +# rotate=N Specifies the number of log file rotations to +# make when you run 'squid -k rotate'. The default +# is to obey the logfile_rotate directive. Setting +# rotate=0 will disable the file name rotation, +# but the log files are still closed and re-opened. +# This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# Only supported by the stdio module. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority +# +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. +# +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# Default: +# access_log daemon:/var/log/squid/access.log squid +#Default: +# access_log daemon:/var/log/squid/access.log squid + +# TAG: icap_log +# ICAP log files record ICAP transaction summaries, one line per +# transaction. 
+#
+# The icap_log option format is:
+# icap_log [ [acl acl ...]]
+# icap_log none [acl acl ...]]
+#
+# Please see access_log option documentation for details. The two
+# kinds of logs share the overall configuration approach and many
+# features.
+#
+# ICAP processing of a single HTTP message or transaction may
+# require multiple ICAP transactions. In such cases, multiple
+# ICAP transaction log lines will correspond to a single access
+# log line.
+#
+# ICAP log supports many access.log logformat %codes. In ICAP context,
+# HTTP message-related %codes are applied to the HTTP message embedded
+# in an ICAP message. Logformat "%http::>..." codes are used for HTTP
+# messages embedded in ICAP requests while "%http::<..." codes are used
+# for HTTP messages embedded in ICAP responses. For example:
+#
+# http::>h To-be-adapted HTTP message headers sent by Squid to
+# the ICAP service. For REQMOD transactions, these are
+# HTTP request headers. For RESPMOD, these are HTTP
+# response headers, but Squid currently cannot log them
+# (i.e., %http::>h will expand to "-" for RESPMOD).
+#
+# http::st The total size of the ICAP request sent to the ICAP
+# server (ICAP headers + ICAP body), including chunking
+# metadata (if any).
+#
+# icap::h ICAP request header(s). Similar to >h.
+#
+# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data
+# R\n - rotate file
+# T\n - truncate file
+# O\n - reopen file
+# F\n - flush file
+# r\n - set rotate count to
+# b\n - 1 = buffer output, 0 = don't buffer output
+#
+# No responses is expected.
+#Default:
+# logfile_daemon /usr/lib/squid/log_file_daemon
+
+# TAG: stats_collection allow|deny acl acl...
+# This options allows you to control which requests gets accounted
+# in performance counters.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow logging for all transactions.
+
+# TAG: cache_store_log
+# Logs the activities of the storage manager. Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long.
+# There are not really utilities to analyze this data, so you can safely
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
+# Example:
+# cache_store_log stdio:/var/log/squid/store.log
+# cache_store_log daemon:/var/log/squid/store.log
+#Default:
+# none
+
+# TAG: cache_swap_state
+# Location for the cache "swap.state" file. This index file holds
+# the metadata of objects saved on disk. It is used to rebuild
+# the cache during startup. Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file. If you change the order of the 'cache_dir'
+# lines in this file, these index files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend you do NOT use this option. It is
+# better to keep these index files in each 'cache_dir' directory.
+#Default:
+# Store the journal inside its cache_dir
+
+# TAG: logfile_rotate
+# Specifies the default number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9. Setting logfile_rotate to 0 will
+# disable the file name rotation, but the logfiles are still closed
+# and re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
+#
+# Note, from Squid-4 this option is only a default for access.log
+# recorded by stdio: module. Those logs can be rotated separately by
+# using the rotate=N option on their access_log directive.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# '.
+#
+# Note, for Debian/Linux the default of logfile_rotate is
+# zero, since it includes external logfile-rotation methods.
+#Default:
+# logfile_rotate 0
+
+# TAG: mime_table
+# Path to Squid's icon configuration file.
+#
+# You shouldn't need to change this, but the default file contains
+# examples and formatting information if you do.
+#Default:
+# mime_table /usr/share/squid/mime.conf
+
+# TAG: log_mime_hdrs on|off
+# The Cache can record both the request and the response MIME
+# headers for each HTTP transaction. The headers are encoded
+# safely and will appear as two bracketed fields at the end of
+# the access log (for either the native or httpd-emulated log
+# formats). To enable this logging set log_mime_hdrs to 'on'.
+#Default:
+# log_mime_hdrs off
+
+# TAG: pid_filename
+# A filename to write the process-id to. To disable, enter "none".
+#Default:
+# pid_filename /run/squid.pid
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#Default:
+# Log full client IP address
+
+# TAG: strip_query_terms
+# By default, Squid strips query terms from requested URLs before
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
+#Default:
+# strip_query_terms on
+
+# TAG: buffered_logs on|off
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks. Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
+#Default:
+# buffered_logs off
+
+# TAG: netdb_filename
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
+#
+# To disable, enter "none".
+#Default:
+# netdb_filename stdio:/var/spool/squid/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
+#Default:
+# cache_log /var/log/squid/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section. Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# The default is to run with "ALL,1" to record important warnings.
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# Log all critical and important messages.
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started. If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# Use the directory from where Squid was started.
+#
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# OPTIONS FOR FTP GATEWAYING
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky FTP servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some FTP server also validate the email address is valid
+# (for example perl.com).
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, turn off this option.
+#
+# Use of ftp_epsv_all option requires this to be ON.
+#Default:
+# ftp_passive on
+
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator, as the EPRT command will never be used and therefore,
+# translation of the data portion of the segments will never be needed.
+#
+# When a client only expects to do two-way FTP transfers this may be
+# useful.
+# If squid finds that it must do a three-way FTP transfer after issuing
+# an EPSV ALL command, the FTP session will fail.
+#
+# If you have any doubts about this option do not use it.
+# Squid will nicely attempt all other connection methods.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv_all off
+
+# TAG: ftp_epsv
+# FTP Protocol extensions permit the use of a special "EPSV" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator using EPSV, as the EPRT command will never be used
+# and therefore, translation of the data portion of the segments
+# will never be needed.
+#
+# EPSV is often required to interoperate with FTP servers on IPv6
+# networks. On the other hand, it may break some IPv4 servers.
+#
+# By default, EPSV may try EPSV with any FTP server. To fine tune
+# that decision, you may restrict EPSV to certain clients or servers
+# using ACLs:
+#
+# ftp_epsv allow|deny al1 acl2 ...
+#
+# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
+#
+# Only fast ACLs are supported.
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# none
+
+# TAG: ftp_eprt
+# FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+# This extension provides a protocol neutral alternative to the
+# IPv4-only PORT command. When supported it enables active FTP data
+# channels over IPv6 and efficient NAT handling.
+#
+# Turning this OFF will prevent EPRT being attempted and will skip
+# straight to using PORT for IPv4 servers.
+#
+# Some devices are known to not handle this extension correctly and
+# may result in crashes. Devices which suport EPRT enough to fail
+# cleanly will result in Squid attempting PORT anyway. This directive
+# should only be disabled when EPRT results in device failures.
+#
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
+# TAG: ftp_sanitycheck
+# For security and data integrity reasons Squid by default performs
+# sanity checks of the addresses of FTP data connections ensure the
+# data connection is to the requested server. If you need to allow
+# FTP connections to servers using another IP address for the data
+# connection turn this off.
+#Default:
+# ftp_sanitycheck on
+
+# TAG: ftp_telnet_protocol
+# The FTP protocol is officially defined to use the telnet protocol
+# as transport channel for the control connection. However, many
+# implementations are broken and does not respect this aspect of
+# the FTP protocol.
+#
+# If you have trouble accessing files with ASCII code 255 in the
+# path or similar problems involving this ASCII code you can
+# try setting this directive to off. If that helps, report to the
+# operator of the FTP server in question that their FTP server
+# is broken and does not follow the FTP standard.
+#Default:
+# ftp_telnet_protocol on
+
+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+# -----------------------------------------------------------------------------
+
+# TAG: diskd_program
+# Specify the location of the diskd executable.
+# Note this is only useful if you have compiled in
+# diskd as one of the store io modules.
+#Default:
+# diskd_program /usr/lib/squid/diskd
+
+# TAG: unlinkd_program
+# Specify the location of the executable for file deletion process.
+#Default:
+# unlinkd_program /usr/lib/squid/unlinkd
+
+# TAG: pinger_program
+# Specify the location of the executable for the pinger process.
+#Default:
+# pinger_program /usr/lib/squid/pinger
+
+# TAG: pinger_enable
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable on
+
+# OPTIONS FOR URL REWRITING
+# -----------------------------------------------------------------------------
+
+# TAG: url_rewrite_program
+# The name and command line parameters of an admin-provided executable
+# for redirecting clients or adjusting/replacing client request URLs.
+#
+# This helper is consulted after the received request is cleared by
+# http_access and adapted using eICAP/ICAP services (if any). If the
+# helper does not redirect the client, Squid checks adapted_http_access
+# and may consult the cache or forward the request to the next hop.
+#
+#
+# For each request, the helper gets one line in the following format:
+#
+# [channel-ID ] request-URL [ extras]
+#
+# Use url_rewrite_extras to configure what Squid sends as 'extras'.
+#
+#
+# The helper must reply to each query using a single line:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result section must match exactly one of the following outcomes:
+#
+# OK [status=30N] url="..."
+#
+# Redirect the client to a URL supplied in the 'url' parameter.
+# Optional 'status' specifies the status code to send to the
+# client in Squid's HTTP redirect response. It must be one of
+# the standard HTTP redirect status codes: 301, 302, 303, 307,
+# or 308. When no specific status is requested, Squid uses 302.
+#
+# OK rewrite-url="..."
+#
+# Replace the current request URL with the one supplied in the
+# 'rewrite-url' parameter. Squid fetches the resource specified
+# by the new URL and forwards the received response (or its
+# cached copy) to the client.
+#
+# WARNING: Avoid rewriting URLs! When possible, redirect the
+# client using an "OK url=..." helper response instead.
+# Rewriting URLs may create inconsistent requests and/or break
+# synchronization between internal client and origin server
+# states, especially when URLs or other message parts contain
+# snippets of that state. For example, Squid does not adjust
+# Location headers and embedded URLs after the helper rewrites
+# the request URL.
+#
+# OK
+# Keep the client request intact.
+#
+# ERR
+# Keep the client request intact.
+#
+# BH [message="..."]
+# A helper problem that should be reported to the Squid admin
+# via a level-1 cache.log message. The 'message' parameter is
+# reserved for specifying the log message.
+#
+# In addition to the kv-pairs mentioned above, Squid also understands
+# the following optional kv-pairs in URL rewriter responses:
+#
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+#
+# The clt_conn_tag=TAG pair is treated as a regular transaction
+# annotation for the current request and also annotates future
+# requests on the same client connection. A helper may update
+# the TAG during subsequent requests by returning a new kv-pair.
+#
+#
+# Helper messages contain the channel-ID part if and only if the
+# url_rewrite_children directive specifies positive concurrency. As a
+# channel-ID value, Squid sends a number between 0 and concurrency-1.
+# The helper must echo back the received channel-ID in its response.
+#
+# By default, Squid does not use a URL rewriter.
+#Default:
+# none
+
+# TAG: url_rewrite_children
+# Specifies the maximum number of redirector processes that Squid may
+# spawn (numberofchildren) and several related options. Using too few of
+# these helper processes (a.k.a. "helpers") creates request queues.
+# Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each redirector helper can handle in
+# parallel. Defaults to 0 which indicates the redirector
+# is a old-style single threaded redirector.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. The default
+# maximum is zero if url_rewrite_bypass is enabled and
+# 2*numberofchildren otherwise. If the queued requests exceed queue size
+# and redirector_bypass configuration option is set, then redirector is
+# bypassed. Otherwise, Squid is allowed to temporarily exceed the
+# configured maximum, marking the affected helper as "overloaded". If
+# the helper overload lasts more than 3 minutes, the action prescribed
+# by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits. This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: url_rewrite_host_header
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
+# WARNING: Entries are cached on the result of the URL rewriting
+# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
+#Default:
+# url_rewrite_host_header on
+
+# TAG: url_rewrite_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: url_rewrite_bypass
+# When this is 'on', a request will not go through the
+# redirector if all the helpers are busy. If this is 'off' and the
+# redirector queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# redirectors are not critical to your caching system. If you use
+# redirectors for access control, and you enable this option,
+# users may have access to pages they should not
+# be allowed to request.
+#
+# Enabling this option sets the default url_rewrite_children queue-size
+# option value to 0.
+#Default: +# url_rewrite_bypass off + +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: url_rewrite_timeout +# Squid times active requests to redirector. The timeout value and Squid +# reaction to a timed out request are configurable using the following +# format: +# +# url_rewrite_timeout timeout time-units on_timeout= [response=] +# +# supported timeout actions: +# fail Squid return a ERR_GATEWAY_FAILURE error page +# +# bypass Do not re-write the URL +# +# retry Send the lookup to the helper again +# +# use_configured_response +# Use the as helper response +#Default: +# Squid waits for the helper response forever + +# OPTIONS FOR STORE ID +# ----------------------------------------------------------------------------- + +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. 
+# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# Specifies the maximum number of StoreID helper processes that Squid +# may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. 
+# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests to N. A request is queued +# when no existing child can accept it due to concurrency limit and no +# new child can be started due to numberofchildren limit. The default +# maximum is 2*numberofchildren. If the queued requests exceed queue +# size and redirector_bypass configuration option is set, then +# redirector is bypassed. Otherwise, Squid is allowed to temporarily +# exceed the configured maximum, marking the affected helper as +# "overloaded". If the helper overload lasts more than 3 minutes, the +# action prescribed by the on-persistent-overload option applies. +# +# on-persistent-overload=action +# +# Specifies Squid reaction to a new helper request arriving when the helper +# has been overloaded for more that 3 minutes already. The number of queued +# requests determines whether the helper is overloaded (see the queue-size +# option). +# +# Two actions are supported: +# +# die Squid worker quits. This is the default behavior. 
+# +# ERR Squid treats the helper request as if it was +# immediately submitted, and the helper immediately +# replied with an ERR response. This action has no effect +# on the already queued and in-progress helper requests. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' and the helper +# queue grows too large, the action is prescribed by the +# on-persistent-overload option. You should only enable this if the +# helpers are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +# This options sets default queue-size option of the store_id_children +# to 0. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. 
+# No access to reply information!
+# Denies both serving a hit and storing a miss.
+# Supports both fast and slow ACLs.
+# * send_hit: Checked after a hit was detected.
+# Has access to reply (hit) information.
+# Denies serving a hit only.
+# Supports fast ACLs only.
+# * store_miss: Checked before storing a cachable miss.
+# Has access to reply (miss) information.
+# Denies storing a miss only.
+# Supports fast ACLs only.
+#
+# If you are not sure which of the three directives to use, apply the
+# following decision logic:
+#
+# * If your ACL(s) are of slow type _and_ need response info, redesign.
+# Squid does not support that particular combination at this time.
+# Otherwise:
+# * If your directive ACL(s) are of slow type, use "cache"; and/or
+# * if your directive ACL(s) need no response info, use "cache".
+# Otherwise:
+# * If you do not want the response cached, use store_miss; and/or
+# * if you do not want a hit on a cached response, use send_hit.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: send_hit
+# Responses denied by this directive will not be served from the cache
+# (but may still be cached, see store_miss). This directive has no
+# effect on the responses it allows and on the cached objects.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives.
+#
+# Unlike the "cache" directive, send_hit only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# For example:
+#
+# # apply custom Store ID mapping to some URLs
+# acl MapMe dstdomain .c.example.com
+# store_id_program ...
+# store_id_access allow MapMe
+#
+# # but prevent caching of special responses
+# # such as 302 redirects that cause StoreID loops
+# acl Ordinary http_status 200-299
+# store_miss deny MapMe !Ordinary
+#
+# # and do not serve any previously stored special responses
+# # from the cache (in case they were already cached before
+# # the above store_miss rule was in effect).
+# send_hit deny MapMe !Ordinary
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: store_miss
+# Responses denied by this directive will not be cached (but may still
+# be served from the cache, see send_hit). This directive has no
+# effect on the responses it allows and on the already cached responses.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives. See the
+# send_hit directive for a usage example.
+#
+# Unlike the "cache" directive, store_miss only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: max_stale time-units
+# This option puts an upper limit on how stale content Squid
+# will serve from the cache if cache validation fails.
+# Can be overriden by the refresh_pattern max-stale option.
+#Default:
+# max_stale 1 week
+
+# TAG: refresh_pattern
+# usage: refresh_pattern [-i] regex min percent max [options]
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# 'Min' is the time (in minutes) an object without an explicit
+# expiry time should be considered fresh. The recommended
+# value is 0, any higher values may cause dynamic applications
+# to be erroneously cached unless the application designer
+# has taken the appropriate actions.
+#
+# 'Percent' is a percentage of the objects age (time since last
+# modification age) an object without explicit expiry time
+# will be considered fresh.
+#
+# 'Max' is an upper limit on how long objects without an explicit
+# expiry time will be considered fresh. The value is also used
+# to form Cache-Control: max-age header for a request sent from
+# Squid to origin/parent.
+#
+# options: override-expire
+# override-lastmod
+# reload-into-ims
+# ignore-reload
+# ignore-no-store
+# ignore-private
+# max-stale=NN
+# refresh-ims
+# store-stale
+#
+# override-expire enforces min age even if the server
+# sent an explicit expiry time (e.g., with the
+# Expires: header or Cache-Control: max-age). Doing this
+# VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# Note: override-expire does not enforce staleness - it only extends
+# freshness / min. If the server returns a Expires time which
+# is longer than your max time, Squid will still consider
+# the object fresh for that period of time.
+#
+# override-lastmod enforces min age even on objects
+# that were modified recently.
+#
+# reload-into-ims changes a client no-cache or ``reload''
+# request for a cached entry into a conditional request using
+# If-Modified-Since and/or If-None-Match headers, provided the
+# cached entry has a Last-Modified and/or a strong ETag header.
+# Doing this VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# ignore-reload ignores a client no-cache or ``reload''
+# header. Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which
+# it causes.
+#
+# ignore-no-store ignores any ``Cache-control: no-store''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-private ignores any ``Cache-control: private''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# refresh-ims causes squid to contact the origin server
+# when a client issues an If-Modified-Since request. This
+# ensures that the client will receive an updated version
+# if one is available.
+#
+# store-stale stores responses even if they don't have explicit
+# freshness or a validator (i.e., Last-Modified or an ETag)
+# present, or if they're already stale. By default, Squid will
+# not cache such responses because they usually can't be
+# reused. Note that such responses will be stale by default.
+#
+# max-stale=NN provide a maximum staleness factor. Squid won't
+# serve objects more stale than this even if it failed to
+# validate the object. Default: use the max_stale global limit.
+#
+# Basically a cached object is:
+#
+# FRESH if expire > now, else STALE
+# STALE if age > max
+# FRESH if lm-factor < percent, else STALE
+# FRESH if age < min
+# else STALE
+#
+# The refresh_pattern lines are checked in the order listed here.
+# The first entry which matches is used. If none of the entries
+# match the default will be used.
+#
+# Note, you must uncomment all the default lines if you want
+# to change one. The default setting is only active if none is
+# used.
+#
+#
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+# TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
+# TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
+# TAG: quick_abort_pct (percent)
+# The cache by default continues downloading aborted requests
+# which are almost completed (less than 16 KB remaining). This
+# may be undesirable on slow (e.g. SLIP) links and/or very busy
+# caches. Impatient users may tie up file descriptors and
+# bandwidth by repeatedly requesting and immediately aborting
+# downloads.
+#
+# When the user aborts a request, Squid will check the
+# quick_abort values to the amount of data transferred until
+# then.
+#
+# If the transfer has less than 'quick_abort_min' KB remaining,
+# it will finish the retrieval.
+#
+# If the transfer has more than 'quick_abort_max' KB remaining,
+# it will abort the retrieval.
+#
+# If more than 'quick_abort_pct' of the transfer has completed,
+# it will finish the retrieval.
+#
+# If you do not want any retrieval to continue after the client
+# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+# to '0 KB'.
+#
+# If you want retrievals to always continue if they are being
+# cached set 'quick_abort_min' to '-1 KB'.
+#Default:
+# quick_abort_pct 95
+
+# TAG: read_ahead_gap buffer-size
+# The amount of data the cache will buffer ahead of what has been
+# sent to the client when retrieving an object from another server.
+#Default:
+# read_ahead_gap 16 KB
+
+# TAG: negative_ttl time-units
+# Set the Default Time-to-Live (TTL) for failed requests.
+# Certain types of failures (such as "connection refused" and
+# "404 Not Found") are able to be negatively-cached for a short time.
+# Modern web servers should provide Expires: header, however if they
+# do not this can provide a minimum TTL.
+# The default is not to cache errors with unknown expiry details.
+#
+# Note that this is different from negative caching of DNS lookups.
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#Default:
+# negative_ttl 0 seconds
+
+# TAG: positive_dns_ttl time-units
+# Upper limit on how long Squid will cache positive DNS responses.
+# Default is 6 hours (360 minutes). This directive must be set
+# larger than negative_dns_ttl.
+#Default:
+# positive_dns_ttl 6 hours
+
+# TAG: negative_dns_ttl time-units
+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
+# This also sets the lower cache limit on positive lookups.
+# Minimum value is 1 second, and it is not recommendable to go
+# much below 10 seconds.
+#Default:
+# negative_dns_ttl 1 minutes
+
+# TAG: range_offset_limit size [acl acl...]
+# usage: (size) [units] [[!]aclname]
+#
+# Sets an upper limit on how far (number of bytes) into the file
+# a Range request may be to cause Squid to prefetch the whole file.
+# If beyond this limit, Squid forwards the Range request as it is and
+# the result is NOT cached.
+#
+# This is to stop a far ahead range request (lets say start at 17MB)
+# from making Squid fetch the whole object up to that point before
+# sending anything to the client.
+#
+# Multiple range_offset_limit lines may be specified, and they will
+# be searched from top to bottom on each request until a match is found.
+# The first match found will be used. If no line matches a request, the
+# default limit of 0 bytes will be used.
+#
+# 'size' is the limit specified as a number of units.
+#
+# 'units' specifies whether to use bytes, KB, MB, etc.
+# If no units are specified bytes are assumed.
+#
+# A size of 0 causes Squid to never fetch more than the
+# client requested. (default)
+#
+# A size of 'none' causes Squid to always fetch the object from the
+# beginning so it may cache the result. (2.0 style)
+#
+# 'aclname' is the name of a defined ACL.
+#
+# NP: Using 'none' as the byte value here will override any quick_abort settings
+# that may otherwise apply to the range request. The range request will
+# be fully fetched from start to finish regardless of the client
+# actions. This affects bandwidth usage.
+#Default:
+# none
+
+# TAG: minimum_expiry_time (seconds)
+# The minimum caching time according to (Expires - Date)
+# headers Squid honors if the object can't be revalidated.
+# The default is 60 seconds.
+#
+# In reverse proxy environments it might be desirable to honor
+# shorter object lifetimes. It is most likely better to make
+# your server return a meaningful Last-Modified header however.
+#
+# In ESI environments where page fragments often have short
+# lifetimes, this will often be best set to 0.
+#Default:
+# minimum_expiry_time 60 seconds
+
+# TAG: store_avg_object_size (bytes)
+# Average object size, used to estimate number of objects your
+# cache can hold. The default is 13 KB.
+#
+# This is used to pre-seed the cache index memory allocation to
+# reduce expensive reallocate operations while handling clients
+# traffic. Too-large values may result in memory allocation during
+# peak traffic, too-small values will result in wasted memory.
+#
+# Check the cache manager 'info' report metrics for the real
+# object sizes seen by your Squid before tuning this.
+#Default:
+# store_avg_object_size 13 KB
+
+# TAG: store_objects_per_bucket
+# Target number of objects per bucket in the store hash table.
+# Lowering this value increases the total number of buckets and
+# also the storage maintenance rate. The default is 20.
+#Default:
+# store_objects_per_bucket 20
+
+# HTTP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: request_header_max_size (KB)
+# This directives limits the header size of a received HTTP request
+# (including request-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to received FTP commands.
+#
+# This limit has no direct affect on Squid memory consumption.
+#
+# Squid does not check this limit when sending requests.
+#Default:
+# request_header_max_size 64 KB
+
+# TAG: reply_header_max_size (KB)
+# This directives limits the header size of a received HTTP response
+# (including status-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to FTP command responses.
+#
+# Squid also checks this limit when loading hit responses from disk cache.
+#
+# Squid does not check this limit when sending responses.
+#Default:
+# reply_header_max_size 64 KB
+
+# TAG: request_body_max_size (bytes)
+# This specifies the maximum size for an HTTP request body.
+# In other words, the maximum size of a PUT/POST request.
+# A user who attempts to send a request with a body larger
+# than this limit receives an "Invalid Request" error message.
+# If you set this parameter to a zero (the default), there will
+# be no limit imposed.
+#
+# See also client_request_buffer_max_size for an alternative
+# limitation on client uploads which can be configured.
+#Default:
+# No limit.
+
+# TAG: client_request_buffer_max_size (bytes)
+# This specifies the maximum buffer size of a client request.
+# It prevents squid eating too much memory when somebody uploads
+# a large file.
+#Default:
+# client_request_buffer_max_size 512 KB
+
+# TAG: broken_posts
+# A list of ACL elements which, if matched, causes Squid to send
+# an extra CRLF pair after the body of a PUT/POST request.
+#
+# Some HTTP servers has broken implementations of PUT/POST,
+# and rely on an extra CRLF pair sent by some WWW clients.
+#
+# Quote from RFC2616 section 4.1 on this matter:
+#
+# Note: certain buggy HTTP/1.0 client implementations generate an
+# extra CRLF's after a POST request. To restate what is explicitly
+# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
+# a request with an extra CRLF.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# acl buggy_server url_regex ^http://....
+# broken_posts allow buggy_server
+#Default:
+# Obey RFC 2616.
+
+# TAG: adaptation_uses_indirect_client on|off
+# Controls whether the indirect client IP address (instead of the direct
+# client IP address) is passed to adaptation services.
+#
+# See also: follow_x_forwarded_for adaptation_send_client_ip
+#Default:
+# adaptation_uses_indirect_client on
+
+# TAG: via on|off
+# If set (default), Squid will include a Via header in requests and
+# replies as required by RFC2616.
+#Default:
+# via on
+
+# TAG: vary_ignore_expire on|off
+# Many HTTP servers supporting Vary gives such objects
+# immediate expiry time with no cache-control header
+# when requested by a HTTP/1.0 client. This option
+# enables Squid to ignore such expiry times until
+# HTTP/1.1 is fully implemented.
+#
+# WARNING: If turned on this may eventually cause some
+# varying objects not intended for caching to get cached.
+#Default:
+# vary_ignore_expire off
+
+# TAG: request_entities
+# Squid defaults to deny GET and HEAD requests with request entities,
+# as the meaning of such requests are undefined in the HTTP standard
+# even if not explicitly forbidden.
+#
+# Set this directive to on if you have clients which insists
+# on sending request entities in GET or HEAD requests. But be warned
+# that there is server software (both proxies and web servers) which
+# can fail to properly process this kind of request which may make you
+# vulnerable to cache pollution attacks if enabled.
+#Default:
+# request_entities off
+
+# TAG: request_header_access
+# Usage: request_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option replaces the old 'anonymize_headers' and the
+# older 'http_anonymizer' option with something that is much
+# more configurable. A list of ACLs for each header name allows
+# removal of specific header fields under specific conditions.
+#
+# This option only applies to outgoing HTTP request headers (i.e.,
+# headers sent by Squid to the next HTTP hop such as a cache peer
+# or an origin server). The option has no effect during cache hit
+# detection.
The equivalent adaptation vectoring point in ICAP
+# terminology is post-cache REQMOD.
+#
+# The option is applied to individual outgoing request header
+# fields. For each request header field F, Squid uses the first
+# qualifying sets of request_header_access rules:
+#
+# 1. Rules with header_name equal to F's name.
+# 2. Rules with header_name 'Other', provided F's name is not
+# on the hard-coded list of commonly used HTTP header names.
+# 3. Rules with header_name 'All'.
+#
+# Within that qualifying rule set, rule ACLs are checked as usual.
+# If ACLs of an "allow" rule match, the header field is allowed to
+# go through as is. If ACLs of a "deny" rule match, the header is
+# removed and request_header_replace is then checked to identify
+# if the removed header has a replacement. If no rules within the
+# set have matching ACLs, the header field is left as is.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# request_header_access From deny all
+# request_header_access Referer deny all
+# request_header_access User-Agent deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# request_header_access Authorization allow all
+# request_header_access Proxy-Authorization allow all
+# request_header_access Cache-Control allow all
+# request_header_access Content-Length allow all
+# request_header_access Content-Type allow all
+# request_header_access Date allow all
+# request_header_access Host allow all
+# request_header_access If-Modified-Since allow all
+# request_header_access Pragma allow all
+# request_header_access Accept allow all
+# request_header_access Accept-Charset allow all
+# request_header_access Accept-Encoding allow all
+# request_header_access Accept-Language allow all
+# request_header_access Connection allow all
+# request_header_access All deny all
+#
+# HTTP reply headers are controlled with the reply_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is performed).
+#Default:
+# No limits.
+
+# TAG: reply_header_access
+# Usage: reply_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option only applies to reply headers, i.e., from the
+# server to the client.
+#
+# This is the same as request_header_access, but in the other
+# direction. Please see request_header_access for detailed
+# documentation.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# reply_header_access Server deny all
+# reply_header_access WWW-Authenticate deny all
+# reply_header_access Link deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# reply_header_access Allow allow all
+# reply_header_access WWW-Authenticate allow all
+# reply_header_access Proxy-Authenticate allow all
+# reply_header_access Cache-Control allow all
+# reply_header_access Content-Encoding allow all
+# reply_header_access Content-Length allow all
+# reply_header_access Content-Type allow all
+# reply_header_access Date allow all
+# reply_header_access Expires allow all
+# reply_header_access Last-Modified allow all
+# reply_header_access Location allow all
+# reply_header_access Pragma allow all
+# reply_header_access Content-Language allow all
+# reply_header_access Retry-After allow all
+# reply_header_access Title allow all
+# reply_header_access Content-Disposition allow all
+# reply_header_access Connection allow all
+# reply_header_access All deny all
+#
+# HTTP request headers are controlled with the request_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is
+# performed).
+#Default:
+# No limits.
+
+# TAG: request_header_replace
+# Usage: request_header_replace header_name message
+# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+#
+# This option allows you to change the contents of headers
+# denied with request_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to request headers, not reply headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: reply_header_replace
+# Usage: reply_header_replace header_name message
+# Example: reply_header_replace Server Foo/1.0
+#
+# This option allows you to change the contents of headers
+# denied with reply_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to reply headers, not request headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: request_header_add
+# Usage: request_header_add field-name field-value [ acl ... ]
+# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP requests (i.e.,
+# request headers sent by Squid to the next HTTP hop such as a
+# cache peer or an origin server). The option has no effect during
+# cache hit detection. The equivalent adaptation vectoring point
+# in ICAP terminology is post-cache REQMOD.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the request to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching requests.
As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The request_header_add supports fast ACLs only.
+#
+# See also: reply_header_add.
+#Default:
+# none
+
+# TAG: reply_header_add
+# Usage: reply_header_add field-name field-value [ acl ... ]
+# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP responses (i.e., response
+# headers delivered by Squid to the client). This option has no effect on
+# cache hit detection. The equivalent adaptation vectoring point in
+# ICAP terminology is post-cache RESPMOD. This option does not apply to
+# successful CONNECT replies.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the response to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching responses. As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The reply_header_add option supports fast ACLs only.
+#
+# See also: request_header_add.
+#Default:
+# none
+
+# TAG: note
+# This option used to log custom information about the master
+# transaction. For example, an admin may configure Squid to log
+# which "user group" the transaction belongs to, where "user group"
+# will be determined based on a set of ACLs and not [just]
+# authentication information.
+# Values of key/value pairs can be logged using %{key}note macros:
+#
+# note key value acl ...
+# logformat myFormat ... %{key}note ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: relaxed_header_parser on|off|warn
+# In the default "on" setting Squid accepts certain forms
+# of non-compliant HTTP messages where it is unambiguous
+# what the sending application intended even if the message
+# is not correctly formatted. The messages is then normalized
+# to the correct form when forwarded by Squid.
+#
+# If set to "warn" then a warning will be emitted in cache.log
+# each time such HTTP error is encountered.
+#
+# If set to "off" then such HTTP errors will cause the request
+# or response to be rejected.
+#Default:
+# relaxed_header_parser on
+
+# TAG: collapsed_forwarding (on|off)
+# This option controls whether Squid is allowed to merge multiple
+# potentially cachable requests for the same URI before Squid knows
+# whether the response is going to be cachable.
+#
+# When enabled, instead of forwarding each concurrent request for
+# the same URL, Squid just sends the first of them. The other, so
+# called "collapsed" requests, wait for the response to the first
+# request and, if it happens to be cachable, use that response.
+# Here, "concurrent requests" means "received after the first
+# request headers were parsed and before the corresponding response
+# headers were parsed".
+#
+# This feature is disabled by default: enabling collapsed
+# forwarding needlessly delays forwarding requests that look
+# cachable (when they are collapsed) but then need to be forwarded
+# individually anyway because they end up being for uncachable
+# content. However, in some cases, such as acceleration of highly
+# cachable content with periodic or grouped expiration times, the
+# gains from collapsing [large volumes of simultaneous refresh
+# requests] outweigh losses from such delays.
+#
+# Squid collapses two kinds of requests: regular client requests
+# received on one of the listening ports and internal "cache
+# revalidation" requests which are triggered by those regular
+# requests hitting a stale cached object. Revalidation collapsing
+# is currently disabled for Squid instances containing SMP-aware
+# disk or memory caches and for Vary-controlled cached objects.
+#Default:
+# collapsed_forwarding off
+
+# TAG: collapsed_forwarding_access
+# Use this directive to restrict collapsed forwarding to a subset of
+# eligible requests. The directive is checked for regular HTTP
+# requests, internal revalidation requests, and HTCP/ICP requests.
+#
+# collapsed_forwarding_access allow|deny [!]aclname ...
+#
+# This directive cannot force collapsing. It has no effect on
+# collapsing unless collapsed_forwarding is 'on', and all other
+# collapsing preconditions are satisfied.
+#
+# * A denied request will not collapse, and future transactions will
+# not collapse on it (even if they are allowed to collapse).
+#
+# * An allowed request may collapse, or future transactions may
+# collapse on it (provided they are allowed to collapse).
+#
+# This directive is evaluated before receiving HTTP response headers
+# and without access to Squid-to-peer connection (if any).
+#
+# Only fast ACLs are supported.
+#
+# See also: collapsed_forwarding.
+#Default:
+# Requests may be collapsed if collapsed_forwarding is on.
+
+# TAG: shared_transient_entries_limit (number of entries)
+# This directive limits the size of a table used for sharing current
+# transaction information among SMP workers. A table entry stores meta
+# information about a single cache entry being delivered to Squid
+# client(s) by one or more SMP workers. A single table entry consumes
+# less than 128 shared memory bytes.
+#
+# The limit should be significantly larger than the number of
+# concurrent non-collapsed cachable responses leaving Squid.
For a
+# cache that handles less than 5000 concurrent requests, the default
+# setting of 16384 should be plenty.
+#
+# Using excessively large values wastes shared memory. Limiting the
+# table size too much results in hash collisions, leading to lower hit
+# ratio and missed SMP request collapsing opportunities: Transactions
+# left without a table entry cannot cache their responses and are
+# invisible to other concurrent requests for the same resource.
+#
+# A zero limit is allowed but unsupported. A positive small limit
+# lowers hit ratio, but zero limit disables a lot of essential
+# synchronization among SMP workers, leading to HTTP violations (e.g.,
+# stale hit responses). It also disables shared collapsed forwarding:
+# A worker becomes unable to collapse its requests on transactions in
+# other workers, resulting in more trips to the origin server and more
+# cache thrashing.
+#Default:
+# shared_transient_entries_limit 16384
+
+# TIMEOUTS
+# -----------------------------------------------------------------------------
+
+# TAG: forward_timeout time-units
+# This parameter specifies how long Squid should at most attempt in
+# finding a forwarding path for the request before giving up.
+#Default:
+# forward_timeout 4 minutes
+
+# TAG: connect_timeout time-units
+# This parameter specifies how long to wait for the TCP connect to
+# the requested server or peer to complete before Squid should
+# attempt to find another path where to forward the request.
+#Default:
+# connect_timeout 1 minute
+
+# TAG: peer_connect_timeout time-units
+# This parameter specifies how long to wait for a pending TCP
+# connection to a peer cache. The default is 30 seconds. You
+# may also set different timeout values for individual neighbors
+# with the 'connect-timeout' option on a 'cache_peer' line.
+#Default:
+# peer_connect_timeout 30 seconds
+
+# TAG: read_timeout time-units
+# Applied on peer server connections.
+#
+# After each successful read(), the timeout will be extended by this
+# amount. If no data is read again after this amount of time,
+# the request is aborted and logged with ERR_READ_TIMEOUT.
+#
+# The default is 15 minutes.
+#Default:
+# read_timeout 15 minutes
+
+# TAG: write_timeout time-units
+# This timeout is tracked for all connections that have data
+# available for writing and are waiting for the socket to become
+# ready. After each successful write, the timeout is extended by
+# the configured amount. If Squid has data to write but the
+# connection is not ready for the configured duration, the
+# transaction associated with the connection is terminated. The
+# default is 15 minutes.
+#Default:
+# write_timeout 15 minutes
+
+# TAG: request_timeout
+# How long to wait for complete HTTP request headers after initial
+# connection establishment.
+#Default:
+# request_timeout 5 minutes
+
+# TAG: request_start_timeout
+# How long to wait for the first request byte after initial
+# connection establishment.
+#Default:
+# request_start_timeout 5 minutes
+
+# TAG: client_idle_pconn_timeout
+# How long to wait for the next HTTP request on a persistent
+# client connection after the previous request completes.
+#Default:
+# client_idle_pconn_timeout 2 minutes
+
+# TAG: ftp_client_idle_timeout
+# How long to wait for an FTP request on a connection to Squid ftp_port.
+# Many FTP clients do not deal with idle connection closures well,
+# necessitating a longer default timeout than client_idle_pconn_timeout
+# used for incoming HTTP requests.
+#Default:
+# ftp_client_idle_timeout 30 minutes
+
+# TAG: client_lifetime time-units
+# The maximum amount of time a client (browser) is allowed to
+# remain connected to the cache process.
This protects the Cache
+# from having a lot of sockets (and hence file descriptors) tied up
+# in a CLOSE_WAIT state from remote clients that go away without
+# properly shutting down (either because of a network failure or
+# because of a poor client implementation). The default is one
+# day, 1440 minutes.
+#
+# NOTE: The default value is intended to be much larger than any
+# client would ever need to be connected to your cache. You
+# should probably change client_lifetime only as a last resort.
+# If you seem to have many client connections tying up
+# filedescriptors, we recommend first tuning the read_timeout,
+# request_timeout, persistent_request_timeout and quick_abort values.
+#Default:
+# client_lifetime 1 day
+
+# TAG: pconn_lifetime time-units
+# Desired maximum lifetime of a persistent connection.
+# When set, Squid will close a now-idle persistent connection that
+# exceeded configured lifetime instead of moving the connection into
+# the idle connection pool (or equivalent). No effect on ongoing/active
+# transactions. Connection lifetime is the time period from the
+# connection acceptance or opening time until "now".
+#
+# This limit is useful in environments with long-lived connections
+# where Squid configuration or environmental factors change during a
+# single connection lifetime. If unrestricted, some connections may
+# last for hours and even days, ignoring those changes that should
+# have affected their behavior or their existence.
+#
+# Currently, a new lifetime value supplied via Squid reconfiguration
+# has no effect on already idle connections unless they become busy.
+#
+# When set to '0' this limit is not used.
+#Default:
+# pconn_lifetime 0 seconds
+
+# TAG: half_closed_clients
+# Some clients may shutdown the sending side of their TCP
+# connections, while leaving their receiving sides open. Sometimes,
+# Squid can not tell the difference between a half-closed and a
+# fully-closed TCP connection.
+#
+# By default, Squid will immediately close client connections when
+# read(2) returns "no more data to read."
+#
+# Change this option to 'on' and Squid will keep open connections
+# until a read(2) or write(2) on the socket returns an error.
+# This may show some benefits for reverse proxies. But if not
+# it is recommended to leave OFF.
+#Default:
+# half_closed_clients off
+
+# TAG: server_idle_pconn_timeout
+# Timeout for idle persistent connections to servers and other
+# proxies.
+#Default:
+# server_idle_pconn_timeout 1 minute
+
+# TAG: ident_timeout
+# Maximum time to wait for IDENT lookups to complete.
+#
+# If this is too high, and you enabled IDENT lookups from untrusted
+# users, you might be susceptible to denial-of-service by having
+# many ident requests going at once.
+#Default:
+# ident_timeout 10 seconds
+
+# TAG: shutdown_lifetime time-units
+# When SIGTERM or SIGHUP is received, the cache is put into
+# "shutdown pending" mode until all active sockets are closed.
+# This value is the lifetime to set for all open descriptors
+# during shutdown mode. Any active clients after this many
+# seconds will receive a 'timeout' message.
+#Default:
+# shutdown_lifetime 30 seconds
+
+# ADMINISTRATIVE PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mgr
+# Email-address of local cache manager who will receive
+# mail if the cache dies. The default is "webmaster".
+#Default:
+# cache_mgr webmaster
+
+# TAG: mail_from
+#
From: email-address for mail sent when the cache dies.
+# The default is to use 'squid@unique_hostname'.
+#
+# See also: unique_hostname directive.
+#Default:
+# none
+
+# TAG: mail_program
+# Email program used to send mail if the cache dies.
+# The default is "mail". The specified program must comply
+# with the standard Unix mail syntax:
+# mail-program recipient < mailfile
+#
+# Optional command line options can be specified.
+#Default:
+# mail_program mail
+
+# TAG: cache_effective_user
+# If you start Squid as root, it will change its effective/real
+# UID/GID to the user specified below. The default is to change
+# to UID of proxy.
+# see also; cache_effective_group
+#Default:
+# cache_effective_user proxy
+
+# TAG: cache_effective_group
+# Squid sets the GID to the effective user's default group ID
+# (taken from the password file) and supplementary group list
+# from the groups membership.
+#
+# If you want Squid to run with a specific GID regardless of
+# the group memberships of the effective user then set this
+# to the group (or GID) you want Squid to run as. When set
+# all other group privileges of the effective user are ignored
+# and only this GID is effective. If Squid is not started as
+# root the user starting Squid MUST be member of the specified
+# group.
+#
+# This option is not recommended by the Squid Team.
+# Our preference is for administrators to configure a secure
+# user account for squid with UID/GID matching system policies.
+#Default:
+# Use system group memberships of the cache_effective_user account
+
+# TAG: httpd_suppress_version_string on|off
+# Suppress Squid version string info in HTTP headers and HTML error pages.
+#Default:
+# httpd_suppress_version_string off
+
+# TAG: visible_hostname
+# If you want to present a special hostname in error messages, etc,
+# define this. Otherwise, the return value of gethostname()
+# will be used.
If you have multiple caches in a cluster and
+# get errors about IP-forwarding you must set them to have individual
+# names with this setting.
+#Default:
+# Automatically detect the system host name
+
+# TAG: unique_hostname
+# If you want to have multiple machines with the same
+# 'visible_hostname' you must give each machine a different
+# 'unique_hostname' so forwarding loops can be detected.
+#Default:
+# Copy the value from visible_hostname
+
+# TAG: hostname_aliases
+# A list of other DNS names your cache has.
+#Default:
+# none
+
+# TAG: umask
+# Minimum umask which should be enforced while the proxy
+# is running, in addition to the umask set at startup.
+#
+# For a traditional octal representation of umasks, start
+# your value with 0.
+#Default:
+# umask 027
+
+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
+# -----------------------------------------------------------------------------
+#
+# This section contains parameters for the (optional) cache
+# announcement service. This service is provided to help
+# cache administrators locate one another in order to join or
+# create cache hierarchies.
+#
+# An 'announcement' message is sent (via UDP) to the registration
+# service by Squid. By default, the announcement message is NOT
+# SENT unless you enable it with 'announce_period' below.
+#
+# The announcement message includes your hostname, plus the
+# following information from this configuration file:
+#
+# http_port
+# icp_port
+# cache_mgr
+#
+# All current information is processed regularly and made
+# available on the Web at http://www.ircache.net/Cache/Tracker/.
+
+# TAG: announce_period
+# This is how frequently to send cache announcements.
+#
+# To enable announcing your cache, just set an announce period.
+#
+# Example:
+# announce_period 1 day
+#Default:
+# Announcement messages disabled.
+
+# TAG: announce_host
+# Set the hostname where announce registration messages will be sent.
+#
+# See also announce_port and announce_file
+#Default:
+# announce_host tracker.ircache.net
+
+# TAG: announce_file
+# The contents of this file will be included in the announce
+# registration messages.
+#Default:
+# none
+
+# TAG: announce_port
+# Set the port where announce registration messages will be sent.
+#
+# See also announce_host and announce_file
+#Default:
+# announce_port 3131
+
+# HTTPD-ACCELERATOR OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: httpd_accel_surrogate_id
+# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
+# need an identification token to allow control targeting. Because
+# a farm of surrogates may all perform the same tasks, they may share
+# an identification token.
+#
+# When the surrogate is a reverse-proxy, this ID is also
+# used as cdn-id for CDN-Loop detection (RFC 8586).
+#Default:
+# visible_hostname is used if no specific ID is set.
+
+# TAG: http_accel_surrogate_remote on|off
+# Remote surrogates (such as those in a CDN) honour the header
+# "Surrogate-Control: no-store-remote".
+#
+# Set this to on to have squid behave as a remote surrogate.
+#Default:
+# http_accel_surrogate_remote off
+
+# TAG: esi_parser libxml2|expat
+# Selects the XML parsing library to use when interpreting responses with
+# Edge Side Includes.
+#
+# To disable ESI handling completely, ./configure Squid with --disable-esi.
+#Default:
+# Selects libxml2 if available at ./configure time or libexpat otherwise.
+
+# DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: delay_pools
+# This represents the number of delay pools to be used. For example,
+# if you have one class 2 delay pool and one class 3 delays pool, you
+# have a total of 2 delay pools.
+#
+# See also delay_parameters, delay_class, delay_access for pool
+# configuration details.
+#Default:
+# delay_pools 0
+
+# TAG: delay_class
+# This defines the class of each delay pool. There must be exactly one
+# delay_class line for each delay pool. For example, to define two
+# delay pools, one of class 2 and one of class 3, the settings above
+# and here would be:
+#
+# Example:
+# delay_pools 4 # 4 delay pools
+# delay_class 1 2 # pool 1 is a class 2 pool
+# delay_class 2 3 # pool 2 is a class 3 pool
+# delay_class 3 4 # pool 3 is a class 4 pool
+# delay_class 4 5 # pool 4 is a class 5 pool
+#
+# The delay pool classes are:
+#
+# class 1 Everything is limited by a single aggregate
+# bucket.
+#
+# class 2 Everything is limited by a single aggregate
+# bucket as well as an "individual" bucket chosen
+# from bits 25 through 32 of the IPv4 address.
+#
+# class 3 Everything is limited by a single aggregate
+# bucket as well as a "network" bucket chosen
+# from bits 17 through 24 of the IP address and a
+# "individual" bucket chosen from bits 17 through
+# 32 of the IPv4 address.
+#
+# class 4 Everything in a class 3 delay pool, with an
+# additional limit on a per user basis. This
+# only takes effect if the username is established
+# in advance - by forcing authentication in your
+# http_access rules.
+#
+# class 5 Requests are grouped according their tag (see
+# external_acl's tag= reply).
+#
+#
+# Each pool also requires a delay_parameters directive to configure the pool size
+# and speed limits used whenever the pool is applied to a request. Along with
+# a set of delay_access directives to determine when it is used.
+#
+# NOTE: If an IP address is a.b.c.d
+# -> bits 25 through 32 are "d"
+# -> bits 17 through 24 are "c"
+# -> bits 17 through 32 are "c * 256 + d"
+#
+# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
+# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also delay_parameters and delay_access.
+#Default:
+# none
+
+# TAG: delay_access
+# This is used to determine which delay pool a request falls into.
+#
+# delay_access is sorted per pool and the matching starts with pool 1,
+# then pool 2, ..., and finally pool N. The first delay pool where the
+# request is allowed is selected for the request. If it does not allow
+# the request to any pool then the request is not delayed (default).
+#
+# For example, if you want some_big_clients in delay
+# pool 1 and lotsa_little_clients in delay pool 2:
+#
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+# delay_access 3 allow authenticated_clients
+#
+# See also delay_parameters and delay_class.
+#
+#Default:
+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: delay_parameters
+# This defines the parameters for a delay pool. Each delay pool has
+# a number of "buckets" associated with it, as explained in the
+# description of delay_class.
+#
+# For a class 1 delay pool, the syntax is:
+# delay_class pool 1
+# delay_parameters pool aggregate
+#
+# For a class 2 delay pool:
+# delay_class pool 2
+# delay_parameters pool aggregate individual
+#
+# For a class 3 delay pool:
+# delay_class pool 3
+# delay_parameters pool aggregate network individual
+#
+# For a class 4 delay pool:
+# delay_class pool 4
+# delay_parameters pool aggregate network individual user
+#
+# For a class 5 delay pool:
+# delay_class pool 5
+# delay_parameters pool tagrate
+#
+# The option variables are:
+#
+# pool a pool number - ie, a number between 1 and the
+# number specified in delay_pools as used in
+# delay_class lines.
+#
+# aggregate the speed limit parameters for the aggregate bucket
+# (class 1, 2, 3).
+#
+# individual the speed limit parameters for the individual
+# buckets (class 2, 3).
+#
+# network the speed limit parameters for the network buckets
+# (class 3).
+#
+# user the speed limit parameters for the user buckets
+# (class 4).
+#
+# tagrate the speed limit parameters for the tag buckets
+# (class 5).
+#
+# A pair of delay parameters is written restore/maximum, where restore is
+# the number of bytes (not bits - modem and network speeds are usually
+# quoted in bits) per second placed into the bucket, and maximum is the
+# maximum number of bytes which can be in the bucket at any time.
+#
+# There must be one delay_parameters line for each delay pool.
+#
+#
+# For example, if delay pool number 1 is a class 2 delay pool as in the
+# above example, and is being used to strictly limit each host to 64Kbit/sec
+# (plus overheads), with no overall limit, the line is:
+#
+# delay_parameters 1 none 8000/8000
+#
+# Note that 8 x 8K Byte/sec -> 64K bit/sec.
+#
+# Note that the word 'none' is used to represent no limit.
+#
+#
+# And, if delay pool number 2 is a class 3 delay pool as in the above
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
+# to permit a decent web page to be downloaded at a decent speed
+# (if the network is not being limited due to overuse) but slow down
+# large downloads more significantly:
+#
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32K Byte/sec -> 256K bit/sec.
+# 8 x 8K Byte/sec -> 64K bit/sec.
+# 8 x 600 Byte/sec -> 4800 bit/sec.
+#
+#
+# Finally, for a class 4 delay pool as in the example - each user will
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
+#
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+#
+#
+# See also delay_class and delay_access.
+#
+#Default:
+# none
+
+# TAG: delay_initial_bucket_level (percent, 0-100)
+# The initial bucket percentage is used to determine how much is put
+# in each bucket when squid starts, is reconfigured, or first notices
+# a host accessing it (in class 2 and class 3, individual hosts and
+# networks only have buckets associated with them once they have been
+# "seen" by squid).
+#Default:
+# delay_initial_bucket_level 50
+
+# CLIENT DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: client_delay_pools
+# This option specifies the number of client delay pools used. It must
+# preceed other client_delay_* options.
+#
+# Example:
+# client_delay_pools 2
+#
+# See also client_delay_parameters and client_delay_access.
+#Default:
+# client_delay_pools 0
+
+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
+# This option determines the initial bucket size as a percentage of
+# max_bucket_size from client_delay_parameters. Buckets are created
+# at the time of the "first" connection from the matching IP. Idle
+# buckets are periodically deleted up.
+#
+# You can specify more than 100 percent but note that such "oversized"
+# buckets are not refilled until their size goes down to max_bucket_size
+# from client_delay_parameters.
+#
+# Example:
+# client_delay_initial_bucket_level 50
+#Default:
+# client_delay_initial_bucket_level 50
+
+# TAG: client_delay_parameters
+#
+# This option configures client-side bandwidth limits using the
+# following format:
+#
+# client_delay_parameters pool speed_limit max_bucket_size
+#
+# pool is an integer ID used for client_delay_access matching.
+#
+# speed_limit is bytes added to the bucket per second.
+#
+# max_bucket_size is the maximum size of a bucket, enforced after any
+# speed_limit additions.
+#
+# Please see the delay_parameters option for more information and
+# examples.
+#
+# Example:
+# client_delay_parameters 1 1024 2048
+# client_delay_parameters 2 51200 16384
+#
+# See also client_delay_access.
+#
+#Default:
+# none
+
+# TAG: client_delay_access
+# This option determines the client-side delay pool for the
+# request:
+#
+# client_delay_access pool_ID allow|deny acl_name
+#
+# All client_delay_access options are checked in their pool ID
+# order, starting with pool 1. The first checked pool with allowed
+# request is selected for the request. If no ACL matches or there
+# are no client_delay_access options, the request bandwidth is not
+# limited.
+#
+# The ACL-selected pool is then used to find the
+# client_delay_parameters for the request. Client-side pools are
+# not used to aggregate clients. Clients are always aggregated
+# based on their source IP addresses (one bucket per source IP).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Additionally, only the client TCP connection details are available.
+# ACLs testing HTTP properties will not work.
+#
+# Please see delay_access for more examples.
+#
+# Example:
+# client_delay_access 1 allow low_rate_network
+# client_delay_access 2 allow vips_network
+#
+#
+# See also client_delay_parameters and client_delay_pools.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: response_delay_pool
+# This option configures client response bandwidth limits using the
+# following format:
+#
+# response_delay_pool name [option=value] ...
+#
+# name the response delay pool name
+#
+# available options:
+#
+# individual-restore The speed limit of an individual
+# bucket(bytes/s). To be used in conjunction
+# with 'individual-maximum'.
+#
+# individual-maximum The maximum number of bytes which can
+# be placed into the individual bucket. To be used
+# in conjunction with 'individual-restore'.
+#
+# aggregate-restore The speed limit for the aggregate
+# bucket(bytes/s).
To be used in conjunction with
+# 'aggregate-maximum'.
+#
+# aggregate-maximum The maximum number of bytes which can
+# be placed into the aggregate bucket. To be used
+# in conjunction with 'aggregate-restore'.
+#
+# initial-bucket-level The initial bucket size as a percentage
+# of individual-maximum.
+#
+# Individual and(or) aggregate bucket options may not be specified,
+# meaning no individual and(or) aggregate speed limitation.
+# See also response_delay_pool_access and delay_parameters for
+# terminology details.
+#Default:
+# none
+
+# TAG: response_delay_pool_access
+# Determines whether a specific named response delay pool is used
+# for the transaction. The syntax for this directive is:
+#
+# response_delay_pool_access pool_name allow|deny acl_name
+#
+# All response_delay_pool_access options are checked in the order
+# they appear in this configuration file. The first rule with a
+# matching ACL wins. If (and only if) an "allow" rule won, Squid
+# assigns the response to the corresponding named delay pool.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: wccp_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCP disabled.
+
+# TAG: wccp2_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCPv2 disabled.
+
+# TAG: wccp_version
+# This directive is only relevant if you need to set up WCCP(v1)
+# to some very old and end-of-life Cisco routers. In all other
+# setups it must be left unset or at the default setting.
+# It defines an internal version in the WCCP(v1) protocol,
+# with version 4 being the officially documented protocol.
+#
+# According to some users, Cisco IOS 11.2 and earlier only
+# support WCCP version 3. If you're using that or an earlier
+# version of IOS, you may need to change this value to 3, otherwise
+# do not specify this parameter.
+#Default:
+# wccp_version 4
+
+# TAG: wccp2_rebuild_wait
+# If this is enabled Squid will wait for the cache dir rebuild to finish
+# before sending the first wccp2 HereIAm packet
+#Default:
+# wccp2_rebuild_wait on
+
+# TAG: wccp2_forwarding_method
+# WCCP2 allows the setting of forwarding methods between the
+# router/switch and the cache. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment method.
+#Default:
+# wccp2_forwarding_method gre
+
+# TAG: wccp2_return_method
+# WCCP2 allows the setting of return methods between the
+# router/switch and the cache for packets that the cache
+# decides not to handle. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment.
+#
+# If the "ip wccp redirect exclude in" command has been
+# enabled on the cache interface, then it is still safe for
+# the proxy server to use a l2 redirect method even if this
+# option is set to GRE.
+#Default:
+# wccp2_return_method gre
+
+# TAG: wccp2_assignment_method
+# WCCP2 allows the setting of methods to assign the WCCP hash
+# Valid values are as follows:
+#
+# hash - Hash assignment
+# mask - Mask assignment
+#
+# As a general rule, cisco routers support the hash assignment method
+# and cisco switches support the mask assignment method.
+#Default:
+# wccp2_assignment_method hash
+
+# TAG: wccp2_service
+# WCCP2 allows for multiple traffic services. There are two
+# types: "standard" and "dynamic". The standard type defines
+# one service id - http (id 0). The dynamic service ids can be from
+# 51 to 255 inclusive. In order to use a dynamic service id
+# one must define the type of traffic to be redirected; this is done
+# using the wccp2_service_info option.
+#
+# The "standard" type does not require a wccp2_service_info option,
+# just specifying the service id will suffice.
+#
+# MD5 service authentication can be enabled by adding
+# "password=" to the end of this service declaration.
+#
+# Examples:
+#
+# wccp2_service standard 0 # for the 'web-cache' standard service
+# wccp2_service dynamic 80 # a dynamic service type which will be
+# # fleshed out with subsequent options.
+# wccp2_service standard 0 password=foo
+#Default:
+# Use the 'web-cache' standard service.
+
+# TAG: wccp2_service_info
+# Dynamic WCCPv2 services require further information to define the
+# traffic you wish to have diverted.
+#
+# The format is:
+#
+# wccp2_service_info protocol= flags=,..
+# priority= ports=,..
+#
+# The relevant WCCPv2 flags:
+# + src_ip_hash, dst_ip_hash
+# + source_port_hash, dst_port_hash
+# + src_ip_alt_hash, dst_ip_alt_hash
+# + src_port_alt_hash, dst_port_alt_hash
+# + ports_source
+#
+# The port list can be one to eight entries.
+#
+# Example:
+#
+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
+# priority=240 ports=80
+#
+# Note: the service id must have been defined by a previous
+# 'wccp2_service dynamic ' entry.
+#Default:
+# none
+
+# TAG: wccp2_weight
+# Each cache server gets assigned a set of the destination
+# hash proportional to their weight.
+#Default:
+# wccp2_weight 10000
+
+# TAG: wccp_address
+# Use this option if you require WCCP(v1) to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# TAG: wccp2_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# PERSISTENT CONNECTION HANDLING
+# -----------------------------------------------------------------------------
+#
+# Also see "pconn_timeout" in the TIMEOUTS section
+
+# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
+#Default:
+# client_persistent_connections on
+
+# TAG: server_persistent_connections
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
+#Default:
+# server_persistent_connections on
+
+# TAG: persistent_connection_after_error
+# With this directive the use of persistent connections after
+# HTTP errors can be disabled. Useful if you have clients
+# who fail to handle errors on persistent connections proper.
+#Default:
+# persistent_connection_after_error on
+
+# TAG: detect_broken_pconn
+# Some servers have been found to incorrectly signal the use
+# of HTTP/1.0 persistent connections even on replies not
+# compatible, causing significant delays. This server problem
+# has mostly been seen on redirects.
+#
+# By enabling this directive Squid attempts to detect such
+# broken replies and automatically assume the reply is finished
+# after 10 seconds timeout.
+#Default:
+# detect_broken_pconn off
+
+# CACHE DIGEST OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: digest_generation
+# This controls whether the server will generate a Cache Digest
+# of its contents. By default, Cache Digest generation is
+# enabled if Squid is compiled with --enable-cache-digests defined.
+#Default:
+# digest_generation on
+
+# TAG: digest_bits_per_entry
+# This is the number of bits of the server's Cache Digest which
+# will be associated with the Digest entry for a given HTTP
+# Method and URL (public key) combination. The default is 5.
+#Default:
+# digest_bits_per_entry 5
+
+# TAG: digest_rebuild_period (seconds)
+# This is the wait time between Cache Digest rebuilds.
+#Default:
+# digest_rebuild_period 1 hour
+
+# TAG: digest_rewrite_period (seconds)
+# This is the wait time between Cache Digest writes to
+# disk.
+#Default:
+# digest_rewrite_period 1 hour
+
+# TAG: digest_swapout_chunk_size (bytes)
+# This is the number of bytes of the Cache Digest to write to
+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
+# default swap page.
+#Default:
+# digest_swapout_chunk_size 4096 bytes
+
+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
+# This is the percentage of the Cache Digest to be scanned at a
+# time. By default it is set to 10% of the Cache Digest.
+#Default:
+# digest_rebuild_chunk_percentage 10
+
+# SNMP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: snmp_port
+# The port number where Squid listens for SNMP requests. To enable
+# SNMP support set this to a suitable port number. Port number
+# 3401 is often used for the Squid SNMP agent. By default it's
+# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
+#Default:
+# SNMP disabled.
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: snmp_incoming_address
+# Just like 'udp_incoming_address', but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+#
+# The default snmp_incoming_address is to listen on all
+# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use the same port.
+#Default:
+# Use snmp_incoming_address or an address selected by the operating system.
+
+# ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icp_port
+# The port number where Squid sends and receives ICP queries to
+# and from neighbor caches. The standard UDP port for ICP is 3130.
+#
+# Example:
+# icp_port 3130
+#Default:
+# ICP disabled.
+
+# TAG: htcp_port
+# The port number where Squid sends and receives HTCP queries to
+# and from neighbor caches. To turn it on you want to set it to
+# 4827.
+#
+# Example:
+# htcp_port 4827
+#Default:
+# HTCP disabled.
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log.
You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#Default:
+# log_icp_queries on
+
+# TAG: udp_incoming_address
+# udp_incoming_address is used for UDP packets received from other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Only change this if you want to have all UDP queries received on
+# a specific interface/address.
+#
+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_outgoing_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Accept packets from all machine interfaces.
+
+# TAG: udp_outgoing_address
+# udp_outgoing_address is used for UDP packets sent out to other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Instead it will use the same socket as udp_incoming_address.
+# Only change this if you want to have UDP queries sent using another
+# address than where this Squid listens for UDP queries from other
+# caches.
+#
+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_incoming_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Use udp_incoming_address or an address selected by the operating system.
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control,
+# it is probably okay to set this to 'on'.
+# If set to 'on', your siblings should use the option "allow-miss"
+# on their cache_peer lines for connecting to you.
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away.
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt (msec)
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_low 900
+
+# TAG: netdb_high
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# maximum_icp_query_timeout 2000
+
+# TAG: minimum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very small timeouts, even lower than
+# the normal latency variance on your link due to traffic.
+# Use this option to put an lower limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# minimum_icp_query_timeout 5
+
+# TAG: background_ping_rate time-units
+# Controls how often the ICP pings are sent to siblings that
+# have background-ping set.
+#Default:
+# background_ping_rate 10 seconds
+
+# MULTICAST ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: mcast_groups
+# This tag specifies a list of multicast groups which your server
+# should join to receive multicasted ICP queries.
+#
+# NOTE! Be very careful what you put here! Be sure you
+# understand the difference between an ICP _query_ and an ICP
+# _reply_. This option is to be set only if you want to RECEIVE
+# multicast queries. Do NOT set this option to SEND multicast
+# ICP (use cache_peer for that). ICP replies are always sent via
+# unicast, so this option does not affect whether or not you will
+# receive replies from multicast group members.
+#
+# You must be very careful to NOT use a multicast address which
+# is already in use by another group of caches.
+#
+# If you are unsure about multicast, please read the Multicast
+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
+#
+# Usage: mcast_groups 239.128.16.128 224.0.1.20
+#
+# By default, Squid doesn't listen on any multicast groups.
+#Default:
+# none
+
+# TAG: mcast_miss_addr
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# If you enable this option, every "cache miss" URL will
+# be sent out on the specified multicast address.
+#
+# Do not enable this option unless you are are absolutely
+# certain you understand what you are doing.
+#Default:
+# disabled.
+
+# TAG: mcast_miss_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the time-to-live value for packets multicasted
+# when multicasting off cache miss URLs is enabled. By
+# default this is set to 'site scope', i.e. 16.
+#Default:
+# mcast_miss_ttl 16
+
+# TAG: mcast_miss_port
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the port number to be used in conjunction with
+# 'mcast_miss_addr'.
+#Default:
+# mcast_miss_port 3135
+
+# TAG: mcast_miss_encode_key
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# The URLs that are sent in the multicast miss stream are
+# encrypted. This is the encryption key.
+#Default:
+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
+
+# TAG: mcast_icp_query_timeout (msec)
+# For multicast peers, Squid regularly sends out ICP "probes" to
+# count how many other peers are listening on the given multicast
+# address. This value specifies how long Squid should wait to
+# count all the replies. The default is 2000 msec, or 2
+# seconds.
+#Default:
+# mcast_icp_query_timeout 2000
+
+# INTERNAL ICON OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/share/squid/icons
+#Default:
+# icon_directory /usr/share/squid/icons
+
+# TAG: global_internal_static
+# This directive controls is Squid should intercept all requests for
+# /squid-internal-static/ no matter which host the URL is requesting
+# (default on setting), or if nothing special should be done for
+# such URLs (off setting). The purpose of this directive is to make
+# icons etc work better in complex cache hierarchies where it may
+# not always be possible for all corners in the cache mesh to reach
+# the server generating a directory listing.
+#Default:
+# global_internal_static on
+
+# TAG: short_icon_urls
+# If this is enabled Squid will use short URLs for icons.
+# If disabled it will revert to the old behavior of including
+# it's own name and port in the URL.
+#
+# If you run a complex cache hierarchy with a mix of Squid and
+# other proxies you may need to disable this directive.
+#Default:
+# short_icon_urls on
+
+# ERROR PAGE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: error_directory
+# If you wish to create your own versions of the default
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are making translations for a
+# language that Squid does not currently provide please consider
+# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# Send error pages in the clients preferred language
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# Generate English language pages.
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
+#
+# For information on CSS see http://www.w3.org/Style/CSS/
+#Default:
+# err_page_stylesheet /etc/squid/errorpage.css
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#Default:
+# none
+
+# TAG: email_err_data on|off
+# If enabled, information about the occurred error will be
+# included in the mailto links of the ERR pages (if %W is set)
+# so that the email body contains the data.
+# Syntax is %w
+#Default:
+# email_err_data on
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# or deny_info http://... acl
+# or deny_info TCP_RESET acl
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. Squid remembers the last
+# acl it evaluated in http_access, and if a 'deny_info' line exists
+# for that ACL Squid returns a corresponding error page.
+#
+# The acl is typically the last acl on the http_access deny line which
+# denied access. The exceptions to this rule are:
+# - When Squid needs to request authentication credentials. It's then
+# the first authentication related acl encountered
+# - When none of the http_access lines matches. It's then the last
+# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
+#
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+#
+# Alternatively you can tell Squid to reset the TCP connection
+# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %A - Local listening IP address the client connection was connected to
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %O - Unescaped message result from external ACL helper
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
+#Default:
+# none
+
+# OPTIONS INFLUENCING REQUEST FORWARDING
+# -----------------------------------------------------------------------------
+
+# TAG: nonhierarchical_direct
+# By default, Squid will send any non-hierarchical requests
+# (not cacheable request type) direct to origin servers.
+#
+# When this is set to "off", Squid will prefer to send these
+# requests to parents.
+#
+# Note that in most configurations, by turning this off you will only
+# add latency to these request without any improvement in global hit
+# ratio.
+#
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
+#Default:
+# nonhierarchical_direct on
+
+# TAG: prefer_direct
+# Normally Squid tries to use parents for most requests. If you for some
+# reason like it to first try going direct and only use a parent if
+# going direct fails set this to on.
+#
+# By combining nonhierarchical_direct off and prefer_direct on you
+# can set up Squid to use a parent as a backup path if going direct
+# fails.
+#
+# Note: If you want Squid to use parents for all requests see
+# the never_direct directive. prefer_direct only modifies how Squid
+# acts on cacheable requests.
+#Default:
+# prefer_direct off
+
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server. This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded by Squid to the origin servers without using
+# any peers. For example, to always directly forward requests for
+# local servers ignoring any parents or siblings you may have use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain .foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# NOTE: If your goal is to make the client forward the request
+# directly to the origin server bypassing Squid then this needs
+# to be done in the client configuration. Squid configuration
+# can only tell Squid how Squid should fetch the object.
+#
+# NOTE: This directive is not related to caching. The replies
+# is cached as usual even if you use always_direct. To not cache
+# the replies see the 'cache' directive.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Prevent any cache_peer being used for this request.
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain .foo.net
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if Squid is inside a firewall and there are local intranet
+# servers inside the firewall use something like:
+#
+# acl local-intranet dstdomain .foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow DNS results to be used for this request.
+
+# ADVANCED NETWORKING OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_udp_average 6
+
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_tcp_average 4
+
+# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_dns_average 4
+
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_udp_poll_cnt 8
+
+# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_dns_poll_cnt 8
+
+# TAG: min_tcp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_tcp_poll_cnt 8
+
+# TAG: accept_filter
+# FreeBSD:
+#
+# The name of an accept(2) filter to install on Squid's
+# listen socket(s). This feature is perhaps specific to
+# FreeBSD and requires support in the kernel.
+#
+# The 'httpready' filter delays delivering new connections
+# to Squid until a full HTTP request has been received.
+# See the accf_http(9) man page for details.
+#
+# The 'dataready' filter delays delivering new connections
+# to Squid until there is some data to process.
+# See the accf_dataready(9) man page for details.
+#
+# Linux:
+#
+# The 'data' filter delays delivering of new connections
+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
+# You may optionally specify a number of seconds to wait by
+# 'data=N' where N is the number of seconds. Defaults to 30
+# if not specified. See the tcp(7) man page for details.
+#EXAMPLE:
+## FreeBSD
+#accept_filter httpready
+## Linux
+#accept_filter data
+#Default:
+# none
+
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# No limit.
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
+#Default:
+# Use operating system TCP defaults.
+
+# ICAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icap_enable on|off
+# If you want to enable the ICAP module support, set this to on.
+#Default:
+# icap_enable off
+
+# TAG: icap_connect_timeout
+# This parameter specifies how long to wait for the TCP connect to
+# the requested ICAP server to complete before giving up and either
+# terminating the HTTP transaction or bypassing the failure.
+#
+# The default for optional services is peer_connect_timeout.
+# The default for essential services is connect_timeout.
+# If this option is explicitly set, its value applies to all services.
+#Default:
+# none
+
+# TAG: icap_io_timeout time-units
+# This parameter specifies how long to wait for an I/O activity on
+# an established, active ICAP connection before giving up and
+# either terminating the HTTP transaction or bypassing the
+# failure.
+#Default:
+# Use read_timeout.
+
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
+# The limit specifies the number of failures that Squid tolerates
+# when establishing a new TCP connection with an ICAP service. If
+# the number of failures exceeds the limit, the ICAP service is
+# not used for new ICAP requests until it is time to refresh its
+# OPTIONS.
+#
+# A negative value disables the limit. Without the limit, an ICAP
+# service will not be considered down due to connectivity failures
+# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth. The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
+#Default:
+# icap_service_failure_limit 10
+
+# TAG: icap_service_revival_delay
+# The delay specifies the number of seconds to wait after an ICAP
+# OPTIONS request failure before requesting the options again. The
+# failed ICAP service is considered "down" until fresh OPTIONS are
+# fetched.
+#
+# The actual delay cannot be smaller than the hardcoded minimum
+# delay of 30 seconds.
+#Default:
+# icap_service_revival_delay 180
+
+# TAG: icap_preview_enable on|off
+# The ICAP Preview feature allows the ICAP server to handle the
+# HTTP message by looking only at the beginning of the message body
+# or even without receiving the body at all. In some environments,
+# previews greatly speedup ICAP processing.
+#
+# During an ICAP OPTIONS transaction, the server may tell Squid what
+# HTTP messages should be previewed and how big the preview should be.
+# Squid will not use Preview if the server did not request one.
+#
+# To disable ICAP Preview for all ICAP services, regardless of
+# individual ICAP server OPTIONS responses, set this option to "off".
+#Example:
+#icap_preview_enable off
+#Default:
+# icap_preview_enable on
+
+# TAG: icap_preview_size
+# The default size of preview data to be sent to the ICAP server.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
+#Default:
+# icap_206_enable on
+
+# TAG: icap_default_options_ttl
+# The default TTL value for ICAP OPTIONS responses that don't have
+# an Options-TTL header.
+#Default:
+# icap_default_options_ttl 60
+
+# TAG: icap_persistent_connections on|off
+# Whether or not Squid should use persistent connections to
+# an ICAP server.
+#Default:
+# icap_persistent_connections on
+
+# TAG: adaptation_send_client_ip on|off
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
+#Default:
+# adaptation_send_client_ip off
+
+# TAG: adaptation_send_username on|off
+# This sends authenticated HTTP client username (if available) to
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
+# icap_client_username_encode option and is sent using the header
+# specified by the icap_client_username_header option.
+#Default:
+# adaptation_send_username off
+
+# TAG: icap_client_username_header
+# ICAP request header name to use for adaptation_send_username.
+#Default:
+# icap_client_username_header X-Client-Username
+
+# TAG: icap_client_username_encode on|off
+# Whether to base64 encode the authenticated client username.
+#Default:
+# icap_client_username_encode off
+
+# TAG: icap_service
+# Defines a single ICAP service using the following format:
+#
+# icap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# ICAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: icap://servername:port/servicepath
+# ICAP server and service location.
+# icaps://servername:port/servicepath
+# The "icap:" URI scheme is used for traditional ICAP server and
+# service location (default port is 1344, connections are not
+# encrypted). The "icaps:" URI scheme is for Secure ICAP
+# services that use SSL/TLS-encrypted ICAP connections (by
+# default, on port 11344).
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled. No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
+# connection-encryption=on|off
+# Determines the ICAP service effect on the connections_encrypted
+# ACL.
+#
+# The default is "on" for Secure ICAP services (i.e., those
+# with the icaps:// service URIs scheme) and "off" for plain ICAP
+# services.
+#
+# Does not affect ICAP connections (e.g., does not turn Secure
+# ICAP on or off).
+#
+# ==== ICAPS / TLS OPTIONS ====
+#
+# These options are used for Secure ICAP (icaps://....) services only.
+#
+# tls-cert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this ICAP server.
+#
+# tls-key=/path/to/ssl/key
+# The private key corresponding to the previous
+# tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
+# to this icap server.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various OpenSSL library options:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list. Options relevant only to SSLv2 are
+# not supported.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the icap server certificate.
+# Use to specify intermediate CA certificate(s) if not sent
+# by the server. Or the full CA chain for the server when
+# using the tls-default-ca=off flag.
+# May be repeated to load multiple files.
+#
+# tls-capath=... A directory containing additional CA certificates to
+# use when verifying the icap server certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# tls-crlfile=... A certificate revocation list file to use when
+# verifying the icap server certificate.
+#
+# tls-flags=... Specify various flags modifying the Squid TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the icap server certificate
+# matches the server name
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-domain= The icap server name as advertised in it's certificate.
+# Used for verifying the correctness of the received icap
+# server certificate. If not specified the icap server
+# hostname extracted from ICAP URI will be used.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
+#Default:
+# none
+
+# TAG: icap_class
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Defines a single eCAP service
+#
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
+# HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# connection-encryption=on|off
+# Determines the eCAP service effect on the connections_encrypted
+# ACL.
+#
+# Defaults to "on", which does not taint the master transaction
+# w.r.t. that ACL.
+#
+# Does not affect eCAP API calls.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#
+#Example:
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
+#Default:
+# none
+
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
+#
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable.
If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
+#
+#Example:
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services.
If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
+#Default:
+# none
+
+# TAG: adaptation_access
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+#
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
+#
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
+#
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
+#
+#Example:
+#adaptation_access service_1 allow all
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: adaptation_service_iteration_limit
+# Limits the number of iterations allowed when applying adaptation
+# services to a message.
If your longest adaptation set or chain
+# may have more than 16 services, increase the limit beyond its
+# default value of 16. If detecting infinite iteration loops sooner
+# is critical, make the iteration limit match the actual number
+# of services in your longest adaptation set or chain.
+#
+# Infinite adaptation loops are most likely with routing services.
+#
+# See also: icap_service routing=1
+#Default:
+# adaptation_service_iteration_limit 16
+
+# TAG: adaptation_masterx_shared_names
+# For each master transaction (i.e., the HTTP request and response
+# sequence, including all related ICAP and eCAP exchanges), Squid
+# maintains a table of metadata. The table entries are (name, value)
+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
+# with the master transaction.
+#
+# This option specifies the table entry names that Squid must accept
+# from and forward to the adaptation transactions.
+#
+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by returning an ICAP header field with a name
+# specified in adaptation_masterx_shared_names.
+#
+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by implementing the libecap::visitEachOption() API
+# to provide an option with a name specified in
+# adaptation_masterx_shared_names.
+#
+# Squid will store and forward the set entry to subsequent adaptation
+# transactions within the same master transaction scope.
+#
+# Only one shared entry name is supported at this time.
+#
+#Example:
+## share authentication information among ICAP services
+#adaptation_masterx_shared_names X-Subscriber-ID
+#Default:
+# none
+
+# TAG: adaptation_meta
+# This option allows Squid administrator to add custom ICAP request
+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
+# Use it to pass custom authentication tokens and other
+# transaction-state related meta information to an ICAP/eCAP service.
+#
+# The addition of a meta header is ACL-driven:
+# adaptation_meta name value [!]aclname ...
+#
+# Processing for a given header name stops after the first ACL list match.
+# Thus, it is impossible to add two headers with the same name. If no ACL
+# lists match for a given header name, no such header is added. For
+# example:
+#
+# # do not debug transactions except for those that need debugging
+# adaptation_meta X-Debug 1 needs_debugging
+#
+# # log all transactions except for those that must remain secret
+# adaptation_meta X-Log 1 !keep_secret
+#
+# # mark transactions from users in the "G 1" group
+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
+#
+# The "value" parameter may be a regular squid.conf token or a "double
+# quoted string". Within the quoted string, use backslash (\) to escape
+# any character, which is currently only useful for escaping backslashes
+# and double quotes. For example,
+# "this string has one backslash (\\) and two \"quotes\""
+#
+# Used adaptation_meta header values may be logged via %note
+# logformat code. If multiple adaptation_meta headers with the same name
+# are used during master transaction lifetime, the header values are
+# logged in the order they were used and duplicate values are ignored
+# (only the first repeated value will be logged).
+#Default:
+# none
+
+# TAG: icap_retry
+# This ACL determines which retriable ICAP transactions are
+# retried. Transactions that received a complete ICAP response
+# and did not have to consume or produce HTTP bodies to receive
+# that response are usually retriable.
+#
+# icap_retry allow|deny [!]aclname ...
+#
+# Squid automatically retries some ICAP I/O timeouts and errors
+# due to persistent connection race conditions.
+#
+# See also: icap_retry_limit
+#Default:
+# icap_retry deny all
+
+# TAG: icap_retry_limit
+# Limits the number of retries allowed.
+#
+# Communication errors due to persistent connection race
+# conditions are unavoidable, automatically retried, and do not
+# count against this limit.
+#
+# See also: icap_retry
+#Default:
+# No retries are allowed.
+
+# DNS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: check_hostnames
+# For security and stability reasons Squid can check
+# hostnames for Internet standard RFC compliance. If you want
+# Squid to perform these checks turn this directive on.
+#Default:
+# check_hostnames off
+
+# TAG: allow_underscore
+# Underscore characters is not strictly allowed in Internet hostnames
+# but nevertheless used by many sites. Set this to off if you want
+# Squid to be strict about the standard.
+# This check is performed only when check_hostnames is set to on.
+#Default:
+# allow_underscore on
+
+# TAG: dns_retransmit_interval
+# Initial retransmit interval for DNS queries. The interval is
+# doubled each time all configured DNS servers have been tried.
+#Default:
+# dns_retransmit_interval 5 seconds
+
+# TAG: dns_timeout
+# DNS Query timeout. If no response is received to a DNS query
+# within this time all DNS servers for the queried domain
+# are assumed to be unavailable.
+#Default:
+# dns_timeout 30 seconds
+
+# TAG: dns_packet_max
+# Maximum number of bytes packet size to advertise via EDNS.
+# Set to "none" to disable EDNS large packet support.
+#
+# For legacy reasons DNS UDP replies will default to 512 bytes which
+# is too small for many responses. EDNS provides a means for Squid to
+# negotiate receiving larger responses back immediately without having
+# to failover with repeat requests. Responses larger than this limit
+# will retain the old behaviour of failover to TCP DNS.
+#
+# Squid has no real fixed limit internally, but allowing packet sizes
+# over 1500 bytes requires network jumbogram support and is usually not
+# necessary.
+#
+# WARNING: The RFC also indicates that some older resolvers will reply
+# with failure of the whole request if the extension is added. Some
+# resolvers have already been identified which will reply with mangled
+# EDNS response on occasion. Usually in response to many-KB jumbogram
+# sizes being advertised by Squid.
+# Squid will currently treat these both as an unable-to-resolve domain
+# even if it would be resolvable without EDNS.
+#Default:
+# EDNS disabled
+
+# TAG: dns_defnames on|off
+# Normally the RES_DEFNAMES resolver option is disabled
+# (see res_init(3)). This prevents caches in a hierarchy
+# from interpreting single-component hostnames locally. To allow
+# Squid to handle single-component names, enable this option.
+#Default:
+# Search for single-label domain names is disabled.
+
+# TAG: dns_multicast_local on|off
+# When set to on, Squid sends multicast DNS lookups on the local
+# network for domains ending in .local and .arpa.
+# This enables local servers and devices to be contacted in an
+# ad-hoc or zero-configuration network environment.
+#Default:
+# Search for .local and .arpa names is disabled.
+
+# TAG: dns_nameservers
+# Use this if you want to specify a list of DNS name servers
+# (IP addresses) to use instead of those given in your
+# /etc/resolv.conf file.
+#
+# On Windows platforms, if no value is specified here or in
+# the /etc/resolv.conf file, the list of DNS name servers are
+# taken from the Windows registry, both static and dynamic DHCP
+# configurations are supported.
+#
+# Example: dns_nameservers 10.0.0.1 192.172.0.4
+#Default:
+# Use operating system definitions
+
+# TAG: hosts_file
+# Location of the host-local IP name-address associations
+# database.
Most Operating Systems have such a file on different
+# default locations:
+# - Un*X & Linux: /etc/hosts
+# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\winnt)
+# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\windows)
+# - Windows 9x/Me: %windir%\hosts
+# (%windir% value is usually c:\windows)
+# - Cygwin: /etc/hosts
+#
+# The file contains newline-separated definitions, in the
+# form ip_address_in_dotted_form name [name ...] names are
+# whitespace-separated. Lines beginning with an hash (#)
+# character are comments.
+#
+# The file is checked at startup and upon configuration.
+# If set to 'none', it won't be checked.
+# If append_domain is used, that domain will be added to
+# domain-local (i.e. not containing any dot character) host
+# definitions.
+#Default:
+# hosts_file /etc/hosts
+
+# TAG: append_domain
+# Appends local domain name to hostnames without any dots in
+# them. append_domain must begin with a period.
+#
+# Be warned there are now Internet names with no dots in
+# them using only top-domain names, so setting this may
+# cause some Internet sites to become unavailable.
+#
+#Example:
+# append_domain .yourdomain.com
+#Default:
+# Use operating system definitions
+
+# TAG: ignore_unknown_nameservers
+# By default Squid checks that DNS responses are received
+# from the same IP addresses they are sent to. If they
+# don't match, Squid ignores the response and writes a warning
+# message to cache.log. You can allow responses from unknown
+# nameservers by setting this option to 'off'.
+#Default:
+# ignore_unknown_nameservers on
+
+# TAG: ipcache_size (number of entries)
+# Maximum number of DNS IP cache entries.
+#Default:
+# ipcache_size 1024
+
+# TAG: ipcache_low (percent)
+#Default:
+# ipcache_low 90
+
+# TAG: ipcache_high (percent)
+# The size, low-, and high-water marks for the IP cache.
+#Default:
+# ipcache_high 95
+
+# TAG: fqdncache_size (number of entries)
+# Maximum number of FQDN cache entries.
+#Default:
+# fqdncache_size 1024
+
+# MISCELLANEOUS
+# -----------------------------------------------------------------------------
+
+# TAG: configuration_includes_quoted_values on|off
+# If set, Squid will recognize each "quoted string" after a configuration
+# directive as a single parameter. The quotes are stripped before the
+# parameter value is interpreted or used.
+# See "Values with spaces, quotes, and other special characters"
+# section for more details.
+#Default:
+# configuration_includes_quoted_values off
+
+# TAG: memory_pools on|off
+# If set, Squid will keep pools of allocated (but unused) memory
+# available for future use. If memory is a premium on your
+# system and you believe your malloc library outperforms Squid
+# routines, disable this.
+#Default:
+# memory_pools on
+
+# TAG: memory_pools_limit (bytes)
+# Used only with memory_pools on:
+# memory_pools_limit 50 MB
+#
+# If set to a non-zero value, Squid will keep at most the specified
+# limit of allocated (but unused) memory in memory pools. All free()
+# requests that exceed this limit will be handled by your malloc
+# library. Squid does not pre-allocate any memory, just safe-keeps
+# objects that otherwise would be free()d. Thus, it is safe to set
+# memory_pools_limit to a reasonably high value even if your
+# configuration will use less memory.
+#
+# If set to none, Squid will keep all memory it can. That is, there
+# will be no limit on the total amount of memory used for safe-keeping.
+#
+# To disable memory allocation optimization, do not set
+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
+#
+# An overhead for maintaining memory pools is not taken into account
+# when the limit is checked. This overhead is close to four bytes per
+# object kept.
However, pools may actually _save_ memory because of
+# reduced memory thrashing in your malloc library.
+#Default:
+# memory_pools_limit 5 MB
+
+# TAG: forwarded_for on|off|transparent|truncate|delete
+# If set to "on", Squid will append your client's IP address
+# in the HTTP requests it forwards. By default it looks like:
+#
+# X-Forwarded-For: 192.1.2.3
+#
+# If set to "off", it will appear as
+#
+# X-Forwarded-For: unknown
+#
+# If set to "transparent", Squid will not alter the
+# X-Forwarded-For header in any way.
+#
+# If set to "delete", Squid will delete the entire
+# X-Forwarded-For header.
+#
+# If set to "truncate", Squid will remove all existing
+# X-Forwarded-For entries, and place the client IP as the sole entry.
+#Default:
+# forwarded_for on
+
+# TAG: cachemgr_passwd
+# Specify passwords for cachemgr operations.
+#
+# Usage: cachemgr_passwd password action action ...
+#
+# Some valid actions are (see cache manager menu for a full list):
+# 5min
+# 60min
+# asndb
+# authenticator
+# cbdata
+# client_list
+# comm_incoming
+# config *
+# counters
+# delay
+# digest_stats
+# dns
+# events
+# filedescriptors
+# fqdncache
+# histograms
+# http_headers
+# info
+# io
+# ipcache
+# mem
+# menu
+# netdb
+# non_peers
+# objects
+# offline_toggle *
+# pconn
+# peer_select
+# reconfigure *
+# redirector
+# refresh
+# server_list
+# shutdown *
+# store_digest
+# storedir
+# utilization
+# via_headers
+# vm_objects
+#
+# * Indicates actions which will not be performed without a
+# valid password, others can be performed if not listed here.
+#
+# To disable an action, set the password to "disable".
+# To allow performing an action without a password, set the
+# password to "none".
+#
+# Use the keyword "all" to set the same password for all actions.
+#
+#Example:
+# cachemgr_passwd secret shutdown
+# cachemgr_passwd lesssssssecret info stats/objects
+# cachemgr_passwd disable all
+#Default:
+# No password. Actions which require password are denied.
+
+# TAG: client_db on|off
+# If you want to disable collecting per-client statistics,
+# turn off client_db here.
+#Default:
+# client_db on
+
+# TAG: refresh_all_ims on|off
+# When you enable this option, squid will always check
+# the origin server for an update when a client sends an
+# If-Modified-Since request. Many browsers use IMS
+# requests when the user requests a reload, and this
+# ensures those clients receive the latest version.
+#
+# By default (off), squid may return a Not Modified response
+# based on the age of the cached version.
+#Default:
+# refresh_all_ims off
+
+# TAG: reload_into_ims on|off
+# When you enable this option, client no-cache or ``reload''
+# requests will be changed to If-Modified-Since requests.
+# Doing this VIOLATES the HTTP standard. Enabling this
+# feature could make you liable for problems which it
+# causes.
+#
+# see also refresh_pattern for a more selective approach.
+#Default:
+# reload_into_ims off
+
+# TAG: connect_retries
+# Limits the number of reopening attempts when establishing a single
+# TCP connection. All these attempts must still complete before the
+# applicable connection opening timeout expires.
+#
+# By default and when connect_retries is set to zero, Squid does not
+# retry failed connection opening attempts.
+#
+# The (not recommended) maximum is 10 tries. An attempt to configure a
+# higher value results in the value of 10 being used (with a warning).
+#
+# Squid may open connections to retry various high-level forwarding
+# failures. For an outside observer, that activity may look like a
+# low-level connection reopening attempt, but those high-level retries
+# are governed by forward_max_tries instead.
+#
+# See also: connect_timeout, forward_timeout, icap_connect_timeout,
+# ident_timeout, and forward_max_tries.
+#Default:
+# Do not retry failed connections.
+
+# TAG: retry_on_error
+# If set to ON Squid will automatically retry requests when
+# receiving an error response with status 403 (Forbidden),
+# 500 (Internal Error), 501 or 503 (Service not available).
+# Status 502 and 504 (Gateway errors) are always retried.
+#
+# This is mainly useful if you are in a complex cache hierarchy to
+# work around access control errors.
+#
+# NOTE: This retry will attempt to find another working destination.
+# Which is different from the server which just failed.
+#Default:
+# retry_on_error off
+
+# TAG: as_whois_server
+# WHOIS server to query for AS numbers. NOTE: AS numbers are
+# queried only when Squid starts up, not for every request.
+#Default:
+# as_whois_server whois.ra.net
+
+# TAG: offline_mode
+# Enable this option and Squid will never try to validate cached
+# objects.
+#Default:
+# offline_mode off
+
+# TAG: uri_whitespace
+# What to do with requests that have whitespace characters in the
+# URI. Options:
+#
+# strip: The whitespace characters are stripped out of the URL.
+# This is the behavior recommended by RFC2396 and RFC3986
+# for tolerant handling of generic URI.
+# NOTE: This is one difference between generic URI and HTTP URLs.
+#
+# deny: The request is denied. The user receives an "Invalid
+# Request" message.
+# This is the behaviour recommended by RFC2616 for safe
+# handling of HTTP request URL.
+#
+# allow: The request is allowed and the URI is not changed. The
+# whitespace characters remain in the URI. Note the
+# whitespace is passed to redirector processes if they
+# are in use.
+# Note this may be considered a violation of RFC2616
+# request parsing where whitespace is prohibited in the
+# URL field.
+#
+# encode: The request is allowed and the whitespace characters are
+# encoded according to RFC1738.
+#
+# chop: The request is allowed and the URI is chopped at the
+# first whitespace.
+#
+#
+# NOTE the current Squid implementation of encode and chop violates
+# RFC2616 by not using a 301 redirect after altering the URL.
+#Default:
+# uri_whitespace strip
+
+# TAG: chroot
+# Specifies a directory where Squid should do a chroot() while
+# initializing. This also causes Squid to fully drop root
+# privileges after initializing. This means, for example, if you
+# use a HTTP port less than 1024 and try to reconfigure, you may
+# get an error saying that Squid can not open the port.
+#Default:
+# none
+
+# TAG: pipeline_prefetch
+# HTTP clients may send a pipeline of 1+N requests to Squid using a
+# single connection, without waiting for Squid to respond to the first
+# of those requests. This option limits the number of concurrent
+# requests Squid will try to handle in parallel. If set to N, Squid
+# will try to receive and process up to 1+N requests on the same
+# connection concurrently.
+#
+# Defaults to 0 (off) for bandwidth management and access logging
+# reasons.
+#
+# NOTE: pipelining requires persistent connections to clients.
+#
+# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
+#Default:
+# Do not pre-parse pipelined requests.
+
+# TAG: high_response_time_warning (msec)
+# If the one-minute median response time exceeds this value,
+# Squid prints a WARNING with debug level 0 to get the
+# administrators attention. The value is in milliseconds.
+#Default:
+# disabled.
+
+# TAG: high_page_fault_warning
+# If the one-minute average page fault rate exceeds this
+# value, Squid prints a WARNING with debug level 0 to get
+# the administrators attention. The value is in page faults
+# per second.
+#Default:
+# disabled.
+
+# TAG: high_memory_warning
+# Note: This option is only available if Squid is rebuilt with the
+# GNU Malloc with mstats()
+#
+# If the memory usage (as determined by gnumalloc, if available and used)
+# exceeds this amount, Squid prints a WARNING with debug level 0 to get
+# the administrators attention.
+#Default:
+# disabled.
+
+# TAG: sleep_after_fork (microseconds)
+# When this is set to a non-zero value, the main Squid process
+# sleeps the specified number of microseconds after a fork()
+# system call. This sleep may help the situation where your
+# system reports fork() failures due to lack of (virtual)
+# memory. Note, however, if you have a lot of child
+# processes, these sleep delays will add up and your
+# Squid will not service requests for some amount of time
+# until all the child processes have been started.
+# On Windows value less then 1000 (1 milliseconds) are
+# rounded to 1000.
+#Default:
+# sleep_after_fork 0
+
+# TAG: windows_ipaddrchangemonitor on|off
+# Note: This option is only available if Squid is rebuilt with the
+# MS Windows
+#
+# On Windows Squid by default will monitor IP address changes and will
+# reconfigure itself after any detected event. This is very useful for
+# proxies connected to internet with dial-up interfaces.
+# In some cases (a Proxy server acting as VPN gateway is one) it could be
+# desiderable to disable this behaviour setting this to 'off'.
+# Note: after changing this, Squid service must be restarted.
+#Default:
+# windows_ipaddrchangemonitor on
+
+# TAG: eui_lookup
+# Whether to lookup the EUI or MAC address of a connected client.
+#Default:
+# eui_lookup on
+
+# TAG: max_filedescriptors
+# Set the maximum number of filedescriptors, either below the
+# operating system default or up to the hard limit.
+#
+# Remove from squid.conf to inherit the current ulimit soft
+# limit setting.
+#
+# Note: Changing this requires a restart of Squid. Also
+# not all I/O types supports large values (eg on Windows).
+#Default:
+# Use operating system soft limit set by ulimit.
+
+# TAG: force_request_body_continuation
+# This option controls how Squid handles data upload requests from HTTP
+# and FTP agents that require a "Please Continue" control message response
+# to actually send the request body to Squid. It is mostly useful in
+# adaptation environments.
+#
+# When Squid receives an HTTP request with an "Expect: 100-continue"
+# header or an FTP upload command (e.g., STOR), Squid normally sends the
+# request headers or FTP command information to an adaptation service (or
+# peer) and waits for a response. Most adaptation services (and some
+# broken peers) may not respond to Squid at that stage because they may
+# decide to wait for the HTTP request body or FTP data transfer. However,
+# that request body or data transfer may never come because Squid has not
+# responded with the HTTP 100 or FTP 150 (Please Continue) control message
+# to the request sender yet!
+#
+# An allow match tells Squid to respond with the HTTP 100 or FTP 150
+# (Please Continue) control message on its own, before forwarding the
+# request to an adaptation service or peer. Such a response usually forces
+# the request sender to proceed with sending the body. A deny match tells
+# Squid to delay that control response until the origin server confirms
+# that the request body is needed. Delaying is the default behavior.
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: http_upgrade_request_protocols
+# Controls client-initiated and server-confirmed switching from HTTP to
+# another protocol (or to several protocols) using HTTP Upgrade mechanism
+# defined in RFC 7230 Section 6.7. Squid itself does not understand the
+# protocols being upgraded to and participates in the upgraded
+# communication only as a dumb TCP proxy. Admins should not allow
+# upgrading to protocols that require a more meaningful proxy
+# participation.
+#
+# Usage: http_upgrade_request_protocols allow|deny [!]acl ...
+#
+# The required "protocol" parameter is either an all-caps word OTHER or an
+# explicit protocol name (e.g. "WebSocket") optionally followed by a slash
+# and a version token (e.g. "HTTP/3"). Explicit protocol names and
+# versions are case sensitive.
+#
+# When an HTTP client sends an Upgrade request header, Squid iterates over
+# the client-offered protocols and, for each protocol P (with an optional
+# version V), evaluates the first non-empty set of
+# http_upgrade_request_protocols rules (if any) from the following list:
+#
+# * All rules with an explicit protocol name equal to P.
+# * All rules that use OTHER instead of a protocol name.
+#
+# In other words, rules using OTHER are considered for protocol P if and
+# only if there are no rules mentioning P by name.
+#
+# If both of the above sets are empty, then Squid removes protocol P from
+# the Upgrade offer.
+#
+# If the client sent a versioned protocol offer P/X, then explicit rules
+# referring to the same-name but different-version protocol P/Y are
+# declared inapplicable. Inapplicable rules are not evaluated (i.e. are
+# ignored). However, inapplicable rules still belong to the first set of
+# rules for P.
+#
+# Within the applicable rule subset, individual rules are evaluated in
+# their configuration order. If all ACLs of an applicable "allow" rule
+# match, then the protocol offered by the client is forwarded to the next
+# hop as is. If all ACLs of an applicable "deny" rule match, then the
+# offer is dropped. If no applicable rules have matching ACLs, then the
+# offer is also dropped. The first matching rule also ends rules
+# evaluation for the offered protocol.
+#
+# If all client-offered protocols are removed, then Squid forwards the
+# client request without the Upgrade header. Squid never sends an empty
+# Upgrade request header.
+#
+# An Upgrade request header with a value violating HTTP syntax is dropped
+# and ignored without an attempt to use extractable individual protocol
+# offers.
+#
+# Upon receiving an HTTP 101 (Switching Protocols) control message, Squid
+# checks that the server listed at least one protocol name and sent a
+# Connection:upgrade response header. Squid does not understand individual
+# protocol naming and versioning concepts enough to implement stricter
+# checks, but an admin can restrict HTTP 101 (Switching Protocols)
+# responses further using http_reply_access. Responses denied by
+# http_reply_access rules and responses flagged by the internal Upgrade
+# checks result in HTTP 502 (Bad Gateway) ERR_INVALID_RESP errors and
+# Squid-to-server connection closures.
+#
+# If Squid sends an Upgrade request header, and the next hop (e.g., the
+# origin server) responds with an acceptable HTTP 101 (Switching
+# Protocols), then Squid forwards that message to the client and becomes
+# a TCP tunnel.
+#
+# The presence of an Upgrade request header alone does not preclude cache
+# lookups. In other words, an Upgrade request might be satisfied from the
+# cache, using regular HTTP caching rules.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Each of the following groups of configuration lines represents a
+# separate configuration example:
+#
+# # never upgrade to protocol Foo; all others are OK
+# http_upgrade_request_protocols Foo deny all
+# http_upgrade_request_protocols OTHER allow all
+#
+# # only allow upgrades to protocol Bar (except for its first version)
+# http_upgrade_request_protocols Bar/1 deny all
+# http_upgrade_request_protocols Bar allow all
+# http_upgrade_request_protocols OTHER deny all # this rule is optional
+#
+# # only allow upgrades to protocol Baz, and only if Baz is the only offer
+# acl UpgradeHeaderHasMultipleOffers ...
+# http_upgrade_request_protocols Baz deny UpgradeHeaderHasMultipleOffers
+# http_upgrade_request_protocols Baz allow all
+#Default:
+# Upgrade header dropped, effectively blocking an upgrade attempt.
+
+# TAG: server_pconn_for_nonretriable
+# This option provides fine-grained control over persistent connection
+# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
+# in environments where opening new connections is very expensive
+# (e.g., all connections are secured with TLS with complex client and server
+# certificate validation) and race conditions associated with persistent
+# connections are very rare and/or only cause minor problems.
+#
+# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
+# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
+# By default, when forwarding such "risky" requests, Squid opens a new
+# connection to the server or cache_peer, even if there is an idle persistent
+# connection available. When Squid is configured to risk sending a non-retriable
+# request on a previously used persistent connection, and the server closes
+# the connection before seeing that risky request, the user gets an error response
+# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
+# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
+#
+# If an allow rule matches, Squid reuses an available idle persistent connection
+# (if any) for the request that Squid cannot retry. If a deny rule matches, then
+# Squid opens a new connection for the request that Squid cannot retry.
+#
+# This option does not affect requests that Squid can retry. They will reuse idle
+# persistent connections (if any).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Example:
+# acl SpeedIsWorthTheRisk method POST
+# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
+#Default:
+# Open new connections for forwarding requests Squid cannot retry safely.
+
+# TAG: happy_eyeballs_connect_timeout (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the minimum
+# delay between opening a primary to-server connection and opening a
+# spare to-server connection for the same master transaction. This delay
+# is similar to the Connection Attempt Delay in RFC 8305, but it is only
+# applied to the first spare connection attempt. Subsequent spare
+# connection attempts use happy_eyeballs_connect_gap, and primary
+# connection attempts are not artificially delayed at all.
+#
+# Terminology: The "primary" and "spare" designations are determined by
+# the order of DNS answers received by Squid: If Squid DNS AAAA query
+# was answered first, then primary connections are connections to IPv6
+# peer addresses (while spare connections use IPv4 addresses).
+# Similarly, if Squid DNS A query was answered first, then primary
+# connections are connections to IPv4 peer addresses (while spare
+# connections use IPv6 addresses).
+#
+# Shorter happy_eyeballs_connect_timeout values reduce master
+# transaction response time, potentially improving user-perceived
+# response times (i.e., making user eyeballs happier). Longer delays
+# reduce both concurrent connection level and server bombardment with
+# connection requests, potentially improving overall Squid performance
+# and reducing the chance of being blocked by servers for opening too
+# many unused connections.
+#
+# RFC 8305 prohibits happy_eyeballs_connect_timeout values smaller than
+# 10 (milliseconds) to "avoid congestion collapse in the presence of
+# high packet-loss rates".
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_gap and
+# happy_eyeballs_connect_limit.
+#Default:
+# happy_eyeballs_connect_timeout 250
+
+# TAG: happy_eyeballs_connect_gap (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# minimum delay between opening spare to-server connections (to any
+# server; i.e. across all concurrent master transactions in a Squid
+# instance). Each SMP worker currently multiplies the configured gap
+# by the total number of workers so that the combined spare connection
+# opening rate of a Squid instance obeys the configured limit. The
+# workers do not coordinate connection openings yet; a micro burst
+# of spare connection openings may violate the configured gap.
+#
+# This directive has similar trade-offs as
+# happy_eyeballs_connect_timeout, but its focus is on limiting traffic
+# amplification effects for Squid as a whole, while
+# happy_eyeballs_connect_timeout works on an individual master
+# transaction level.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_limit. See the former for related terminology.
+#Default:
+# no artificial delays between spare attempts
+
+# TAG: happy_eyeballs_connect_limit
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# maximum number of spare to-server connections (to any server; i.e.
+# across all concurrent master transactions in a Squid instance).
+# Each SMP worker gets an equal share of the total limit. However,
+# the workers do not share the actual connection counts yet, so one
+# (busier) worker cannot "borrow" spare connection slots from another
+# (less loaded) worker.
+#
+# Setting this limit to zero disables concurrent use of primary and
+# spare TCP connections: Spare connection attempts are made only after
+# all primary attempts fail. However, Squid would still use the
+# DNS-related optimizations of the Happy Eyeballs approach.
+#
+# This directive has similar trade-offs as happy_eyeballs_connect_gap,
+# but its focus is on limiting Squid overheads, while
+# happy_eyeballs_connect_gap focuses on the origin server and peer
+# overheads.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_gap. See the former for related terminology.
+#Default:
+# no artificial limit on the number of concurrent spare attempts
+
diff --git a/siotp/sisr1/tp06/files_admin/squid_v4.conf b/siotp/sisr1/tp06/files_admin/squid_v4.conf
new file mode 100644
index 0000000..161c737
--- /dev/null
+++ b/siotp/sisr1/tp06/files_admin/squid_v4.conf
@@ -0,0 +1,9165 @@
+# WELCOME TO SQUID 5.7
+# ----------------------------
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
+#
+
+# Configuration options can be included using the "include" directive.
+# Include takes a list of files to include. Quoting and wildcards are
+# supported.
+#
+# For example,
+#
+# include /path/to/included/file/squid.acl.config
+#
+# Includes can be nested up to a hard-coded depth of 16 levels.
+# This arbitrary restriction is to prevent recursive include references
+# from causing Squid entering an infinite loop whilst trying to load
+# configuration files.
+#
+# Values with byte units
+#
+# Squid accepts size units on some size related directives. All
+# such directives are documented with a default value displaying
+# a unit.
+#
+# Units accepted by Squid are:
+# bytes - byte
+# KB - Kilobyte (1024 bytes)
+# MB - Megabyte
+# GB - Gigabyte
+#
+# Values with time units
+#
+# Time-related directives marked with either "time-units" or
+# "time-units-small" accept a time unit.
The supported time units are:
+#
+# nanosecond (time-units-small only)
+# microsecond (time-units-small only)
+# millisecond
+# second
+# minute
+# hour
+# day
+# week
+# fortnight
+# month - 30 days
+# year - 31557790080 milliseconds (just over 365 days)
+# decade
+#
+# Values with spaces, quotes, and other special characters
+#
+# Squid supports directive parameters with spaces, quotes, and other
+# special characters. Surround such parameters with "double quotes". Use
+# the configuration_includes_quoted_values directive to enable or
+# disable that support.
+#
+# Squid supports reading configuration option parameters from external
+# files using the syntax:
+# parameters("/path/filename")
+# For example:
+# acl allowlist dstdomain parameters("/etc/squid/allowlist.txt")
+#
+# Conditional configuration
+#
+# If-statements can be used to make configuration directives
+# depend on conditions:
+#
+# if
+# ... regular configuration directives ...
+# [else
+# ... regular configuration directives ...]
+# endif
+#
+# The else part is optional. The keywords "if", "else", and "endif"
+# must be typed on their own lines, as if they were regular
+# configuration directives.
+#
+# NOTE: An else-if condition is not supported.
+#
+# These individual conditions types are supported:
+#
+# true
+# Always evaluates to true.
+# false
+# Always evaluates to false.
+# =
+# Equality comparison of two integer numbers.
+#
+#
+# SMP-Related Macros
+#
+# The following SMP-related preprocessor macros can be used.
+#
+# ${process_name} expands to the current Squid process "name"
+# (e.g., squid1, squid2, or cache1).
+#
+# ${process_number} expands to the current Squid process
+# identifier, which is an integer number (e.g., 1, 2, 3) unique
+# across all Squid processes of the current service instance.
+#
+# ${service_name} expands into the current Squid service instance
+# name identifier which is provided by -n on the command line.
+#
+# Logformat Macros
+#
+# Logformat macros can be used in many places outside of the logformat
+# directive. In theory, all of the logformat codes can be used as %macros,
+# where they are supported. In practice, a %macro expands as a dash (-) when
+# the transaction does not yet have enough information and a value is needed.
+#
+# There is no definitive list of what tokens are available at the various
+# stages of the transaction.
+#
+# And some information may already be available to Squid but not yet
+# committed where the macro expansion code can access it (report
+# such instances!). The macro will be expanded into a single dash
+# ('-') in such cases. Not all macros have been tested.
+#
+
+# TAG: broken_vary_encoding
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_vary
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: error_map
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: external_refresh_check
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: location_rewrite_program
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: refresh_stale_hit
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: dns_v4_first
+# Remove this line. Squid no longer supports preferential treatment of DNS A records.
+#Default:
+# none
+
+# TAG: cache_peer_domain
+# Replace with dstdomain ACLs and cache_peer_access.
+#Default:
+# none
+
+# TAG: ie_refresh
+# Remove this line. The behaviour enabled by this is no longer needed.
+#Default:
+# none
+
+# TAG: sslproxy_cafile
+# Remove this line. Use tls_outgoing_options cafile= instead.
+#Default:
+# none
+
+# TAG: sslproxy_capath
+# Remove this line. Use tls_outgoing_options capath= instead.
+#Default:
+# none
+
+# TAG: sslproxy_cipher
+# Remove this line. Use tls_outgoing_options cipher= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_certificate
+# Remove this line.
Use tls_outgoing_options cert= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_key
+# Remove this line. Use tls_outgoing_options key= instead.
+#Default:
+# none
+
+# TAG: sslproxy_flags
+# Remove this line. Use tls_outgoing_options flags= instead.
+#Default:
+# none
+
+# TAG: sslproxy_options
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: sslproxy_version
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: hierarchy_stoplist
+# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
+#Default:
+# none
+
+# TAG: log_access
+# Remove this line. Use acls with access_log directives to control access logging
+#Default:
+# none
+
+# TAG: log_icap
+# Remove this line. Use acls with icap_log directives to control icap logging
+#Default:
+# none
+
+# TAG: ignore_ims_on_miss
+# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
+#Default:
+# none
+
+# TAG: balance_on_multiple_ip
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
+#Default:
+# none
+
+# TAG: chunked_request_body_max_size
+# Remove this line. Squid is now HTTP/1.1 compliant.
+#Default:
+# none
+
+# TAG: dns_v4_fallback
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+#Default:
+# none
+
+# TAG: emulate_httpd_log
+# Replace this with an access_log directive using the format 'common' or 'combined'.
+#Default:
+# none
+
+# TAG: forward_log
+# Use a regular access.log with ACL limiting it to MISS events.
+#Default:
+# none
+
+# TAG: ftp_list_width
+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
+#Default:
+# none
+
+# TAG: ignore_expect_100
+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
+#Default:
+# none
+
+# TAG: log_fqdn
+# Remove this option from your config. To log FQDN use %>A in the log format.
+#Default:
+# none
+
+# TAG: log_ip_on_direct
+# Remove this option from your config. To log server or peer names use %
+##auth_param negotiate children 20 startup=0 idle=1
+##
+##auth_param digest program
+##auth_param digest children 20 startup=0 idle=1
+##auth_param digest realm Squid proxy-caching web server
+##auth_param digest nonce_garbage_interval 5 minutes
+##auth_param digest nonce_max_duration 30 minutes
+##auth_param digest nonce_max_count 50
+##
+##auth_param ntlm program
+##auth_param ntlm children 20 startup=0 idle=1
+##
+##auth_param basic program
+##auth_param basic children 5 startup=5 idle=1
+##auth_param basic credentialsttl 2 hours
+#Default:
+# none
+
+# TAG: authenticate_cache_garbage_interval
+# The time period between garbage collection across the username cache.
+# This is a trade-off between memory utilization (long intervals - say
+# 2 days) and CPU (short intervals - say 1 minute). Only change if you
+# have good reason to.
+#Default:
+# authenticate_cache_garbage_interval 1 hour
+
+# TAG: authenticate_ttl
+# The time a user & their credentials stay in the logged in
+# user cache since their last request. When the garbage
+# interval passes, all user credentials that have passed their
+# TTL are removed from memory.
+#Default:
+# authenticate_ttl 1 hour
+
+# TAG: authenticate_ip_ttl
+# If you use proxy authentication and the 'max_user_ip' ACL,
+# this directive controls how long Squid remembers the IP
+# addresses associated with each user. Use a small value
+# (e.g., 60 seconds) if your users might change addresses
+# quickly, as is the case with dialup. You might be safe
+# using a larger value (e.g., 2 hours) in a corporate LAN
+# environment with relatively static address assignments.
+#Default:
+# authenticate_ip_ttl 1 second
+
+# ACCESS CONTROLS
+# -----------------------------------------------------------------------------
+
+# TAG: external_acl_type
+# This option defines external acl classes using a helper program
+# to look up the status
+#
+# external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
+#
+# Options:
+#
+# ttl=n TTL in seconds for cached results (defaults to 3600
+# for 1 hour)
+#
+# negative_ttl=n
+# TTL for cached negative lookups (default same
+# as ttl)
+#
+# grace=n Percentage remaining of TTL where a refresh of a
+# cached entry should be initiated without needing to
+# wait for a new reply. (default is for no grace period)
+#
+# cache=n The maximum number of entries in the result cache. The
+# default limit is 262144 entries. Each cache entry usually
+# consumes at least 256 bytes. Squid currently does not remove
+# expired cache entries until the limit is reached, so a proxy
+# will sooner or later reach the limit. The expanded FORMAT
+# value is used as the cache key, so if the details in FORMAT
+# are highly variable, a larger cache may be needed to produce
+# reduction in helper load.
+#
+# children-max=n
+# Maximum number of acl helper processes spawned to service
+# external acl lookups of this type. (default 5)
+#
+# children-startup=n
+# Minimum number of acl helper processes to spawn during
+# startup and reconfigure to service external acl lookups
+# of this type. (default 0)
+#
+# children-idle=n
+# Number of acl helper processes to keep ahead of traffic
+# loads. Squid will spawn this many at once whenever load
+# rises above the capabilities of existing processes.
+# Up to the value of children-max. (default 1)
+#
+# concurrency=n concurrency level per process. Only used with helpers
+# capable of processing more than one query at a time.
+#
+# queue-size=N The queue-size option sets the maximum number of
+# queued requests.
A request is queued when no existing
+# helper can accept it due to concurrency limit and no
+# new helper can be started due to children-max limit.
+# If the queued requests exceed queue size, the acl is
+# ignored. The default value is set to 2*children-max.
+#
+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+#
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
+#
+#
+# FORMAT is a series of %macro codes. See logformat directive for a full list
+# of the accepted codes. Although note that at the time of any external ACL
+# being tested data may not be available and thus some %macro expand to '-'.
+#
+# In addition to the logformat codes; when processing external ACLs these
+# additional macros are made available:
+#
+# %ACL The name of the ACL being tested.
+#
+# %DATA The ACL arguments specified in the referencing config
+# 'acl ... external' line, separated by spaces (an
+# "argument string"). see acl external.
+#
+# If there are no ACL arguments %DATA expands to '-'.
+#
+# If you do not specify a DATA macro inside FORMAT,
+# Squid automatically appends %DATA to your FORMAT.
+# Note that Squid-3.x may expand %DATA to whitespace
+# or nothing in this case.
+#
+# By default, Squid applies URL-encoding to each ACL
+# argument inside the argument string. If an explicit
+# encoding modifier is used (e.g., %#DATA), then Squid
+# encodes the whole argument string as a single token
+# (e.g., with %#DATA, spaces between arguments become
+# %20).
+#
+# If SSL is enabled, the following formating codes become available:
+#
+# %USER_CERT SSL User certificate in PEM format
+# %USER_CERTCHAIN SSL User certificate chain in PEM format
+# %USER_CERT_xx SSL User certificate subject attribute xx
+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
+#
+#
+# NOTE: all other format codes accepted by older Squid versions
+# are deprecated.
+#
+#
+# General request syntax:
+#
+# [channel-ID] FORMAT-values
+#
+#
+# FORMAT-values consists of transaction details expanded with
+# whitespace separation per the config file FORMAT specification
+# using the FORMAT macros listed above.
+#
+# Request values sent to the helper are URL escaped to protect
+# each value in requests against whitespaces.
+#
+# If using protocol=2.5 then the request sent to the helper is not
+# URL escaped to protect against whitespace.
+#
+# NOTE: protocol=3.0 is deprecated as no longer necessary.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+#
+# The helper receives lines expanded per the above format specification
+# and for each input line returns 1 line starting with OK/ERR/BH result
+# code and optionally followed by additional keywords with more details.
+#
+#
+# General result syntax:
+#
+# [channel-ID] result keyword=value ...
+#
+# Result consists of one of the codes:
+#
+# OK
+# the ACL test produced a match.
+#
+# ERR
+# the ACL test does not produce a match.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# The meaning of 'a match' is determined by your squid.conf
+# access control configuration. See the Squid wiki for details.
+#
+# Defined keywords:
+#
+# user= The users name (login)
+#
+# password= The users password (for login= cache_peer option)
+#
+# message= Message describing the reason for this response.
+# Available as %o in error pages.
+# Useful on (ERR and BH results).
+#
+# tag= Apply a tag to a request. Only sets a tag once,
+# does not alter existing tags.
+#
+# log= String to be logged in access.log. Available as
+# %ea in logformat specifications.
+#
+# clt_conn_tag= Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation
+# for this kv-pair.
+#
+# Any keywords may be sent on any response whether OK, ERR or BH.
+#
+# All response keyword values need to be a single token with URL
+# escaping, or enclosed in double quotes (") and escaped using \ on
+# any double quotes or \ characters within the value. The wrapping
+# double quotes are removed before the value is interpreted by Squid.
+# \r and \n are also replace by CR and LF.
+#
+# Some example key values:
+#
+# user=John%20Smith
+# user="John Smith"
+# user="J. \"Bob\" Smith"
+#Default:
+# none
+
+# TAG: acl
+# Defining an Access List
+#
+# Every access list definition must begin with an aclname and acltype,
+# followed by either type-specific arguments or a quoted filename that
+# they are read from.
+#
+# acl aclname acltype argument ...
+# acl aclname acltype "file" ...
+#
+# When using "file", the file should contain one item per line.
+#
+#
+# ACL Options
+#
+# Some acl types supports options which changes their default behaviour:
+#
+# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
+# case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line
+# without -i.
+#
+# -n Disable lookups and address type conversions. If lookup or
+# conversion is required because the parameter type (IP or
+# domain name) does not match the message address type (domain
+# name or IP), then the ACL would immediately declare a mismatch
+# without any warnings or lookups.
+#
+# -m[=delimiters]
+# Perform a list membership test, interpreting values as
+# comma-separated token lists and matching against individual
+# tokens instead of whole values.
+# The optional "delimiters" parameter specifies one or more
+# alternative non-alphanumeric delimiter characters.
+# non-alphanumeric delimiter characters.
+#
+# -- Used to stop processing all options, in the case the first acl
+# value has '-' character as first character (for example the '-'
+# is a valid domain name)
+#
+# Some acl types require suspending the current request in order
+# to access some external data source.
+# Those which do are marked with the tag [slow], those which
+# don't are marked as [fast].
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
+# for further information
+#
+# ***** ACL TYPES AVAILABLE *****
+#
+# acl aclname src ip-address/mask ... # clients IP address [fast]
+# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
+# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
+#
+#if USE_SQUID_EUI
+# acl aclname arp mac-address ...
+# acl aclname eui64 eui64-address ...
+# # [fast]
+# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
+# #
+# # The 'arp' ACL code is not portable to all operating systems.
+# # It works on Linux, Solaris, Windows, FreeBSD, and some other
+# # BSD variants.
+# #
+# # The eui_lookup directive is required to be 'on' (the default)
+# # and Squid built with --enable-eui for MAC/EUI addresses to be
+# # available for this ACL.
+# #
+# # Squid can only determine the MAC/EUI address for IPv4
+# # clients that are on the same subnet. If the client is on a
+# # different subnet, then Squid cannot find out its address.
+# #
+# # IPv6 protocol does not contain ARP. MAC/EUI is either
+# # encoded directly in the IPv6 address or not available.
+#endif
+# acl aclname clientside_mark mark[/mask] ...
+# # matches CONNMARK of an accepted connection [fast]
+# # DEPRECATED. Use the 'client_connection_mark' instead.
+#
+# acl aclname client_connection_mark mark[/mask] ...
+# # matches CONNMARK of an accepted connection [fast]
+# #
+# # mark and mask are unsigned integers (hex, octal, or decimal).
+# # If multiple marks are given, then the ACL matches if at least
+# # one mark matches.
+# #
+# # Uses netfilter-conntrack library.
+# # Requires building Squid with --enable-linux-netfilter.
+# #
+# # The client, various intermediaries, and Squid itself may set
+# # CONNMARK at various times. The last CONNMARK set wins. This ACL
+# # checks the mark present on an accepted connection or set by
+# # Squid afterwards, depending on the ACL check timing. This ACL
+# # effectively ignores any mark set by other agents after Squid has
+# # accepted the connection.
+#
+# acl aclname srcdomain .foo.com ...
+# # reverse lookup, from client IP [slow]
+# acl aclname dstdomain [-n] .foo.com ...
+# # Destination server from URL [fast]
+# acl aclname srcdom_regex [-i] \.foo\.com ...
+# # regex matching client name [slow]
+# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
+# # regex matching server [fast]
+# #
+# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+# # based URL is used and no match is found. The name "none" is used
+# # if the reverse lookup fails.
+#
+# acl aclname src_as number ...
+# acl aclname dst_as number ...
+# # [fast]
+# # Except for access control, AS numbers can be used for
+# # routing of requests to specific caches. Here's an
+# # example for routing all requests for AS#1241 and only
+# # those to mycache.mydomain.net:
+# # acl asexample dst_as 1241
+# # cache_peer_access mycache.mydomain.net allow asexample
+# # cache_peer_access mycache_mydomain.net deny all
+#
+# acl aclname peername myPeer ...
+# acl aclname peername_regex [-i] regex-pattern ...
+# # [fast]
+# # match against a named cache_peer entry
+# # set unique name= on cache_peer lines for reliable use.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# # [fast]
+# # day-abbrevs:
+# # S - Sunday
+# # M - Monday
+# # T - Tuesday
+# # W - Wednesday
+# # H - Thursday
+# # F - Friday
+# # A - Saturday
+# # h1:m1 must be less than h2:m2
+#
+# acl aclname url_regex [-i] ^http:// ...
+# # regex matching on whole URL [fast]
+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+# # regex matching on URL login field
+# acl aclname urlpath_regex [-i] \.gif$ ...
+# # regex matching on URL path [fast]
+#
+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
+# # ranges are alloed
+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
+# # NP: for interception mode this is usually '80'
+#
+# acl aclname myportname 3128 ... # *_port name [fast]
+#
+# acl aclname proto HTTP FTP ... # request protocol [fast]
+#
+# acl aclname method GET POST ... # HTTP request method [fast]
+#
+# acl aclname http_status 200 301 500- 400-403 ...
+# # status code in reply [fast]
+#
+# acl aclname browser [-i] regexp ...
+# # pattern match on User-Agent header (see also req_header below) [fast]
+#
+# acl aclname referer_regex [-i] regexp ...
+# # pattern match on Referer header [fast]
+# # Referer is highly unreliable, so use with care
+#
+# acl aclname ident [-i] username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output [slow]
+# # use REQUIRED to accept any non-null ident.
+#
+# acl aclname proxy_auth [-i] username ...
+# acl aclname proxy_auth_regex [-i] pattern ...
+# # perform http authentication challenge to the client and match against
+# # supplied credentials [slow]
+# #
+# # takes a list of allowed usernames.
+# # use REQUIRED to accept any valid username.
+# # +# # Will use proxy authentication in forward-proxy scenarios, and plain +# # http authenticaiton in reverse-proxy scenarios +# # +# # NOTE: when a Proxy-Authentication header is sent but it is not +# # needed during ACL checking the username is NOT logged +# # in access.log. +# # +# # NOTE: proxy_auth requires a EXTERNAL authentication program +# # to check username/password combinations (see +# # auth_param directive). +# # +# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy +# # as the browser needs to be configured for using a proxy in order +# # to respond to proxy authentication. +# +# acl aclname snmp_community string ... +# # A community string to limit access to your SNMP Agent [fast] +# # Example: +# # +# # acl snmppublic snmp_community public +# +# acl aclname maxconn number +# # This will be matched when the client's IP address has +# # more than TCP connections established. [fast] +# # NOTE: This only measures direct TCP links so X-Forwarded-For +# # indirect clients are not counted. +# +# acl aclname max_user_ip [-s] number +# # This will be matched when the user attempts to log in from more +# # than different ip addresses. The authenticate_ip_ttl +# # parameter controls the timeout on the ip entries. [fast] +# # If -s is specified the limit is strict, denying browsing +# # from any further IP addresses until the ttl has expired. Without +# # -s Squid will just annoy the user by "randomly" denying requests. +# # (the counter is reset each time the limit is reached and a +# # request is denied) +# # NOTE: in acceleration mode or where there is mesh of child proxies, +# # clients may appear to come from multiple addresses if they are +# # going through proxy farms, so a limit of 1 may cause user problems. +# +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). 
+# +# acl aclname req_mime_type [-i] mime-type ... +# # regex match against the mime type of the request generated +# # by the client. Can be used to detect file upload or some +# # types HTTP tunneling requests [fast] +# # NOTE: This does NOT match the reply. You cannot use this +# # to match the returned file type. +# +# acl aclname req_header header-name [-i] any\.regex\.here +# # regex match against any of the known request headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACL [fast] +# +# acl aclname rep_mime_type [-i] mime-type ... +# # regex match against the mime type of the reply received by +# # squid. Can be used to detect file download or some +# # types HTTP tunneling requests. [fast] +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname rep_header header-name [-i] any\.regex\.here +# # regex match against any of the known reply headers. May be +# # thought of as a superset of "browser", "referer" and "mime-type" +# # ACLs [fast] +# +# acl aclname external class_name [arguments...] +# # external ACL lookup via a helper class defined by the +# # external_acl_type directive [slow] +# +# acl aclname user_cert attribute values... +# # match against attributes in a user SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ca_cert attribute values... +# # match against attributes a users issuing CA SSL certificate +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] +# +# acl aclname ext_user [-i] username ... +# acl aclname ext_user_regex [-i] pattern ... +# # string match on username returned by external acl helper [slow] +# # use REQUIRED to accept any non-null user name. +# +# acl aclname tag tagvalue ... +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. 
+# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note [-m[=delimiters]] name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # If the -m flag is used, then the value of the named +# # annotation is interpreted as a list of tokens, and the ACL +# # matches individual name=token pairs rather than whole +# # name=value pairs. See "ACL Options" above for more info. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname annotate_transaction [-m[=delimiters]] key=value ... +# acl aclname annotate_transaction [-m[=delimiters]] key+=value ... +# # Always matches. [fast] +# # Used for its side effect: This ACL immediately adds a +# # key=value annotation to the current master transaction. +# # The added annotation can then be tested using note ACL and +# # logged (or sent to helpers) using %note format code. +# # +# # Annotations can be specified using replacement and addition +# # formats. The key=value form replaces old same-key annotation +# # value(s). The key+=value form appends a new value to the old +# # same-key annotation. Both forms create a new key=value +# # annotation if no same-key annotation exists already. If +# # -m flag is used, then the value is interpreted as a list +# # and the annotation will contain key=token pair(s) instead of the +# # whole key=value pair. +# # +# # This ACL is especially useful for recording complex multi-step +# # ACL-driven decisions. 
For example, the following configuration +# # avoids logging transactions accepted after aclX matched: +# # +# # # First, mark transactions accepted after aclX matched +# # acl markSpecial annotate_transaction special=true +# # http_access allow acl001 +# # ... +# # http_access deny acl100 +# # http_access allow aclX markSpecial +# # +# # # Second, do not log marked transactions: +# # acl markedSpecial note special true +# # access_log ... deny markedSpecial +# # +# # # Note that the following would not have worked because aclX +# # # alone does not determine whether the transaction was allowed: +# # access_log ... deny aclX # Wrong! +# # +# # Warning: This ACL annotates the transaction even when negated +# # and even if subsequent ACLs fail to match. For example, the +# # following three rules will have exactly the same effect as far +# # as annotations set by the "mark" ACL are concerned: +# # +# # some_directive acl1 ... mark # rule matches if mark is reached +# # some_directive acl1 ... !mark # rule never matches +# # some_directive acl1 ... mark !all # rule never matches +# +# acl aclname annotate_client [-m[=delimiters]] key=value ... +# acl aclname annotate_client [-m[=delimiters]] key+=value ... +# # +# # Always matches. [fast] +# # Used for its side effect: This ACL immediately adds a +# # key=value annotation to the current client-to-Squid +# # connection. Connection annotations are propagated to the current +# # and all future master transactions on the annotated connection. +# # See the annotate_transaction ACL for details. 
+# # +# # For example, the following configuration avoids rewriting URLs +# # of transactions bumped by SslBump: +# # +# # # First, mark bumped connections: +# # acl markBumped annotate_client bumped=true +# # ssl_bump peek acl1 +# # ssl_bump stare acl2 +# # ssl_bump bump acl3 markBumped +# # ssl_bump splice all +# # +# # # Second, do not send marked transactions to the redirector: +# # acl markedBumped note bumped true +# # url_rewrite_access deny markedBumped +# # +# # # Note that the following would not have worked because acl3 alone +# # # does not determine whether the connection is going to be bumped: +# # url_rewrite_access deny acl3 # Wrong! +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname transaction_initiator initiator ... 
+# # Matches transaction's initiator [fast] +# # +# # Supported initiators are: +# # esi: matches transactions fetching ESI resources +# # certificate-fetching: matches transactions fetching +# # a missing intermediate TLS certificate +# # cache-digest: matches transactions fetching Cache Digests +# # from a cache_peer +# # htcp: matches HTCP requests from peers +# # icp: matches ICP requests to peers +# # icmp: matches ICMP RTT database (NetDB) requests to peers +# # asn: matches asns db requests +# # internal: matches any of the above +# # client: matches transactions containing an HTTP or FTP +# # client request received at a Squid *_port +# # all: matches any transaction, including internal transactions +# # without a configurable initiator and hopefully rare +# # transactions without a known-to-Squid initiator +# # +# # Multiple initiators are ORed. +# +# acl aclname has component +# # matches a transaction "component" [fast] +# # +# # Supported transaction components are: +# # request: transaction has a request header (at least) +# # response: transaction has a response header (at least) +# # ALE: transaction has an internally-generated Access Log Entry +# # structure; bugs notwithstanding, all transaction have it +# # +# # For example, the following configuration helps when dealing with HTTP +# # clients that close connections without sending a request header: +# # +# # acl hasRequest has request +# # acl logMe note important_transaction +# # # avoid "logMe ACL is used in context without an HTTP request" warnings +# # access_log ... logformat=detailed hasRequest logMe +# # # log request-less transactions, instead of ignoring them +# # access_log ... 
logformat=brief !hasRequest +# # +# # Multiple components are not supported for one "acl" rule, but +# # can be specified (and are ORed) using multiple same-name rules: +# # +# # # OK, this strange logging daemon needs request or response, +# # # but can work without either a request or a response: +# # acl hasWhatMyLoggingDaemonNeeds has request +# # acl hasWhatMyLoggingDaemonNeeds has response +# +#acl aclname at_step step +# # match against the current request processing step [fast] +# # Valid steps are: +# # GeneratingCONNECT: Generating HTTP CONNECT request headers +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# Examples: +# acl macaddress arp 09:00:2b:23:45:67 +# acl myexample dst_as 1241 +# acl password proxy_auth REQUIRED +# acl fileupload req_mime_type -i ^multipart/form-data$ +# acl javascript rep_mime_type -i ^application/x-javascript$ +# +#Default: +# ACLs all, manager, localhost, to_localhost, and CONNECT are predefined. +# +# +# Recommended minimum configuration: +# + +# Example rule allowing access from your local networks. 
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+# TAG: proxy_protocol_access
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address using PROXY protocol.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# This directive is solely for validating new PROXY protocol
+# connections received from a port flagged with require-proxy-header.
+# It is checked only once after TCP connection setup.
+#
+# A deny match results in TCP connection closure.
+#
+# An allow match is required for Squid to permit the corresponding
+# TCP connection, before Squid even looks for HTTP request headers.
+# If there is an allow match, Squid starts using PROXY header information
+# to determine the source address of the connection for all future ACL
+# checks, logging, etc.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# all TCP connections to ports with require-proxy-header will be denied
+
+# TAG: follow_x_forwarded_for
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# PROXY protocol connections are controlled by the proxy_protocol_access
+# directive which is checked before this.
+#
+# If a request reaches us from a source that is allowed by this
+# directive, then we trust the information it provides regarding
+# the IP of the client it received from (if any).
+#
+# For the purpose of ACLs used in this directive the src ACL type always
+# matches the address we are testing and srcdomain matches its rDNS.
+#
+# On each HTTP request Squid checks for X-Forwarded-For header fields.
+# If found the header values are iterated in reverse order and an allow
+# match is required for Squid to continue on to the next value.
+# The verification ends when a value receives a deny match, cannot be
+# tested, or there are no more values to test.
+# NOTE: Squid does not yet follow the Forwarded HTTP header.
+#
+# The end result of this process is an IP address that we will
+# refer to as the indirect client address. This address may
+# be treated as the client address for access control, ICAP, delay
+# pools and logging, depending on the acl_uses_indirect_client,
+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
+# log_uses_indirect_client and tproxy_uses_indirect_client options.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# For example:
+#
+# acl localhost src 127.0.0.1
+# acl my_other_proxy srcdomain .proxy.example.com
+# follow_x_forwarded_for allow localhost
+# follow_x_forwarded_for allow my_other_proxy
+#Default:
+# X-Forwarded-For header will be ignored.
+
+# TAG: acl_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in acl matching.
+#
+# NOTE: maxconn ACL considers direct TCP links and indirect
+# clients will always have zero. So no match.
+#Default:
+# acl_uses_indirect_client on
+
+# TAG: delay_pool_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in delay pools.
+#Default:
+# delay_pool_uses_indirect_client on
+
+# TAG: log_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in the access log.
+#Default:
+# log_uses_indirect_client on
+
+# TAG: tproxy_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address when spoofing the outgoing client.
+#
+# This has no effect on requests arriving in non-tproxy
+# mode ports.
+#
+# SECURITY WARNING: Usage of this option is dangerous
+# and should not be used trivially. Correct configuration
+# of follow_x_forwarded_for with a limited set of trusted
+# sources is required to prevent abuse of your proxy.
+#Default:
+# tproxy_uses_indirect_client off
+
+# TAG: spoof_client_ip
+# Control client IP address spoofing of TPROXY traffic based on
+# defined access lists.
+#
+# spoof_client_ip allow|deny [!]aclname ...
+#
+# If there are no "spoof_client_ip" lines present, the default
+# is to "allow" spoofing of any suitable request.
+#
+# Note that the cache_peer "no-tproxy" option overrides this ACL.
+#
+# This clause supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow spoofing on all TPROXY traffic.
+
+# TAG: http_access
+# Allowing or Denying access based on defined access lists
+#
+# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
+# http_access allow|deny [!]aclname ...
+#
+# NOTE on default values:
+#
+# If there are no "access" lines present, the default is to deny
+# the request.
+#
+# If none of the "access" lines cause a match, the default is the
+# opposite of the last line in the list. If the last line was
+# deny, the default is allow. Conversely, if the last line
+# is allow, the default will be deny. For these reasons, it is a
+# good idea to have an "deny all" entry at the end of your access
+# lists to avoid potential confusion.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# Deny, unless rules exist in squid.conf.
+#
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+
+# MES ACL
+acl localnet src 172.16.0.0/24
+acl allowed_ips src 172.16.0.100-172.16.0.255
+acl deny_ips src 172.16.0.5-172.16.0.99
+acl mots_cles url_regex -i tf1 c8 m6 francetv oqee france3 canal chine japon france allemagne corse inde irlande afrique mali somalie iran irak italie angleterre royaume
+acl urls_interdit url_regex youtube.com facebook.com twitch.tv discord.com instragram.com instagram.fr snapchat.com snapchat.fr
+acl horaires_pause time MTWHF 12:00-14:00
+
+http_access allow allowed_ips urls_interdit
+http_access allow allowed_ips mots_cles
+http_access allow mots_cles horaires_pause
+http_access allow urls_interdit horaires_pause
+http_access deny mots_cles
+http_access deny urls_interdit
+http_access allow localnet
+
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+include /etc/squid/conf.d/*.conf
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+#http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# TAG: adapted_http_access
+# Allowing or Denying access based on defined access lists
+#
+# Essentially identical to http_access, but runs after redirectors
+# and ICAP/eCAP adaptation. Allowing access control based on their
+# output.
+#
+# If not set then only http_access is used.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: http_reply_access
+# Allow replies to client requests. This is complementary to http_access.
+#
+# http_reply_access allow|deny [!] aclname ...
+#
+# NOTE: if there are no access lines present, the default is to allow
+# all replies.
+#
+# If none of the access lines cause a match the opposite of the
+# last line will apply. Thus it is good practice to end the rules
+# with an "allow all" or "deny all" entry.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: icp_access
+# Allowing or Denying access to the ICP port based on defined
+# access lists
+#
+# icp_access allow|deny [!]aclname ...
+#
+# NOTE: The default if no icp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using ICP.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow ICP queries from local networks only
+##icp_access allow localnet
+##icp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_access
+# Allowing or Denying access to the HTCP port based on defined
+# access lists
+#
+# htcp_access allow|deny [!]aclname ...
+#
+# See also htcp_clr_access for details on access control for
+# cache purge (CLR) HTCP messages.
+#
+# NOTE: The default if no htcp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using the htcp option.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP queries from local networks only
+##htcp_access allow localnet
+##htcp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+ +# TAG: htcp_clr_access +# Allowing or Denying access to purge content using HTCP based +# on defined access lists. +# See htcp_access for details on general HTCP access control. +# +# htcp_clr_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP CLR requests from trusted peers +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 +#htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: miss_access +# Determines whether network access is permitted when satisfying a request. +# +# For example; +# to force your neighbors to use you as a sibling instead of +# a parent. +# +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 +# miss_access deny !localclients +# miss_access allow all +# +# This means only your local clients are allowed to fetch relayed/MISS +# replies from the network and all other clients can only fetch cached +# objects (HITs). +# +# The default for this setting allows all clients who passed the +# http_access rules to relay via this proxy. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: ident_lookup_access +# A list of ACL elements which, if matched, cause an ident +# (RFC 931) lookup to be performed for this request. For +# example, you might choose to always perform ident lookups +# for your main multi-user Unix boxes, but not for your Macs +# and PCs. By default, ident lookups are not performed for +# any requests. +# +# To enable ident lookups for specific client addresses, you +# can follow this example: +# +# acl ident_aware_hosts src 198.168.1.0/24 +# ident_lookup_access allow ident_aware_hosts +# ident_lookup_access deny all +# +# Only src type ACL checks are fully supported. 
A srcdomain +# ACL might work at times, but it will not always provide +# the correct result. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Unless rules exist in squid.conf, IDENT is not fetched. + +# TAG: reply_body_max_size size [acl acl...] +# This option specifies the maximum size of a reply body. It can be +# used to prevent users from downloading very large files, such as +# MP3's and movies. When the reply headers are received, the +# reply_body_max_size lines are processed, and the first line where +# all (if any) listed ACLs are true is used as the maximum body size +# for this reply. +# +# This size is checked twice. First when we get the reply headers, +# we check the content-length value. If the content length value exists +# and is larger than the allowed size, the request is denied and the +# user receives an error message that says "the request or reply +# is too large." If there is no content-length, and the reply +# size exceeds this limit, the client's connection is just closed +# and they will receive a partial reply. +# +# WARNING: downstream caches probably can not detect a partial reply +# if there is no content-length header, so they will cache +# partial responses and give them out as hits. You should NOT +# use this option if you have downstream caches. +# +# WARNING: A maximum size smaller than the size of squid's error messages +# will cause an infinite loop and crash squid. Ensure that the smallest +# non-zero value you use is greater that the maximum header size plus +# the size of your largest error page. +# +# If you set this parameter none (the default), there will be +# no limit imposed. +# +# Configuration Format is: +# reply_body_max_size SIZE UNITS [acl ...] +# ie. +# reply_body_max_size 10 MB +# +#Default: +# No limit is applied. 
+ +# TAG: on_unsupported_protocol +# Determines Squid behavior when encountering strange requests at the +# beginning of an accepted TCP connection or the beginning of a bumped +# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is +# especially useful in interception environments where Squid is likely +# to see connections for unsupported protocols that Squid should either +# terminate or tunnel at TCP level. +# +# on_unsupported_protocol [!]acl ... +# +# The first matching action wins. Only fast ACLs are supported. +# +# Supported actions are: +# +# tunnel: Establish a TCP connection with the intended server and +# blindly shovel TCP packets between the client and server. +# +# respond: Respond with an error message, using the transfer protocol +# for the Squid port that received the request (e.g., HTTP +# for connections intercepted at the http_port). This is the +# default. +# +# Squid expects the following traffic patterns: +# +# http_port: a plain HTTP request +# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request +# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!) +# CONNECT tunnel on http_port: same as https_port +# CONNECT tunnel on https_port: same as https_port +# +# Currently, this directive has effect on intercepted connections and +# bumped tunnels only. Other cases are not supported because Squid +# cannot know the intended destination of other traffic. 
+# +# For example: +# # define what Squid errors indicate receiving non-HTTP traffic: +# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG +# # define what Squid errors indicate receiving nothing: +# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT +# # tunnel everything that does not look like HTTP: +# on_unsupported_protocol tunnel foreignProtocol +# # tunnel if we think the client waits for the server to talk first: +# on_unsupported_protocol tunnel serverTalksFirstProtocol +# # in all other error cases, just send an HTTP "error page" response: +# on_unsupported_protocol respond all +# +# See also: squid_error ACL +#Default: +# Respond with an error message to unidentifiable traffic + +# TAG: auth_schemes +# Use this directive to customize authentication schemes presence and +# order in Squid's Unauthorized and Authentication Required responses. +# +# auth_schemes scheme1,scheme2,... [!]aclname ... +# +# where schemeN is the name of one of the authentication schemes +# configured using auth_param directives. At least one scheme name is +# required. Multiple scheme names are separated by commas. Either +# avoid whitespace or quote the entire schemes list. +# +# A special "ALL" scheme name expands to all auth_param-configured +# schemes in their configuration order. This directive cannot be used +# to configure Squid to offer no authentication schemes at all. +# +# The first matching auth_schemes rule determines the schemes order +# for the current Authentication Required transaction. Note that the +# future response is not yet available during auth_schemes evaluation. +# +# If this directive is not used or none of its rules match, then Squid +# responds with all configured authentication schemes in the order of +# auth_param directives in the configuration file. +# +# This directive does not determine when authentication is used or +# how each authentication scheme authenticates clients. 
+# +# The following example sends basic and negotiate authentication +# schemes, in that order, when requesting authentication of HTTP +# requests matching the isIE ACL (not shown) while sending all +# auth_param schemes in their configuration order to other clients: +# +# auth_schemes basic,negotiate isIE +# auth_schemes ALL all # explicit default +# +# This directive supports fast ACLs only. +# +# See also: auth_param. +#Default: +# use all auth_param schemes in their configuration order + +# NETWORK OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: http_port +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] +# +# The socket addresses where Squid will listen for HTTP client +# requests. You may specify multiple socket addresses. +# There are three forms: port alone, hostname with port, and +# IP address with port. If you specify a hostname or IP +# address, Squid binds the socket to that specific +# address. Most likely, you do not need to bind to a specific +# address, so you can use the port number alone. +# +# If you are running Squid in accelerator mode, you +# probably want to listen on port 80 also, or instead. +# +# The -a command line option may be used to specify additional +# port(s) where Squid listens for proxy request. Such ports will +# be plain proxy ports with no options. +# +# You may specify multiple socket addresses on multiple lines. +# +# Modes: +# +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. +# +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. 
+# +# accel Accelerator / reverse proxy mode +# +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. +# +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 +# +# vport Virtual host port support. Using the http_port number +# instead of the port passed on Host: headers. +# +# vport=NN Virtual host port support. Using the specified port +# number instead of the port passed on Host: headers. +# +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. +# +# ignore-cc Ignore request Cache-Control headers. +# +# WARNING: This option violates HTTP specifications if +# used in non-accelerator setups. +# +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. 
+# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when ssl-bump is used. +# See the ssl-bump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# TLS / SSL Options: +# +# tls-cert= Path to file containing an X.509 certificate (PEM format) +# to be used in the TLS handshake ServerHello. +# +# If this certificate is constrained by KeyUsage TLS +# feature it must allow HTTP server usage, along with +# any additional restrictions imposed by your choice +# of options= settings. +# +# When OpenSSL is used this file may also contain a +# chain of intermediate CA certificates to send in the +# TLS handshake. +# +# When GnuTLS is used this option (and any paired +# tls-key= option) may be repeated to load multiple +# certificates for different domains. +# +# Also, when generate-host-certificates=on is configured +# the first tls-cert= option must be a CA certificate +# capable of signing the automatically generated +# certificates. +# +# tls-key= Path to a file containing private key file (PEM format) +# for the previous tls-cert= option. +# +# If tls-key= is not specified tls-cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# cipher= Colon separated list of supported ciphers. 
+# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# NO_TLSv1 Disallow the use of TLSv1.0 +# +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# tls-cafile= PEM file containing CA certificates to use when verifying +# client certificates. If not configured clientca will be +# used. May be repeated to load multiple files. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# Requires OpenSSL or LibreSSL. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. 
Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# CONDITIONAL_AUTH +# Request a client certificate during the TLS +# handshake, but ignore certificate absence in +# the TLS client Hello. If the client does +# supply a certificate, it is validated. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# tls-default-ca[=off] +# Whether to use the system Trusted CAs. Default is OFF. +# +# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# +# connection-auth[=on|off] +# use connection-auth=off to tell Squid to prevent +# forwarding Microsoft connection oriented authentication +# (NTLM, Negotiate and Kerberos) +# +# disable-pmtu-discovery= +# Control Path-MTU discovery usage: +# off lets OS decide on what to do (default). +# transparent disable PMTU discovery when transparent +# support is enabled. +# always disable always PMTU discovery. +# +# In many setups of transparently intercepting proxies +# Path-MTU discovery can not work on traffic towards the +# clients. This is the case when the intercepting device +# does not fully track connections and fails to forward +# ICMP must fragment messages to the cache server. If you +# have such setup and experience that certain clients +# sporadically hang or never complete requests set +# disable-pmtu-discovery option to 'transparent'. 
+# +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) +# +# tcpkeepalive[=idle,interval,timeout] +# Enable TCP keepalive probes of idle connections. +# In seconds; idle is the initial time before TCP starts +# probing the connection, interval how often to probe, and +# timeout the time before giving up. +# +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to permit +# downstream proxies which can be trusted. +# +# worker-queues +# Ask TCP stack to maintain a dedicated listening queue +# for each worker accepting requests at this port. +# Requires TCP stack that supports the SO_REUSEPORT socket +# option. +# +# SECURITY WARNING: Enabling worker-specific queues +# allows any process running as Squid's effective user to +# easily accept requests destined to this port. +# +# If you run Squid on a dual-homed machine with an internal +# and an external interface we recommend you to specify the +# internal address:port in http_port. This way Squid will only be +# visible on the internal address. +# +# + +# Squid normally listens to port 3128 +http_port 8080 + +# TAG: https_port +# Usage: [ip:]port [mode] tls-cert=certificate.pem [options] +# +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. +# +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the TLS work at the accelerator +# level. +# +# You may specify multiple socket addresses on multiple lines, +# each with their own certificate and/or options. +# +# The tls-cert= option is mandatory on HTTPS ports. +# +# See http_port for a list of modes and options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. 
See http_port directive for various +# ways to specify the listening address and mode. +# +# Usage: ftp_port address [mode] [options] +# +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). +# +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. 
+# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. +#Default: +# none + +# TAG: tcp_outgoing_tos +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. +# +# tcp_outgoing_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_tos 0x00 normal_service_net +# tcp_outgoing_tos 0x20 good_service_net +# +# TOS/DSCP values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_tos +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... 
+# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: mark_client_packet +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter MARK value to packets being transmitted +# on the client-side, based on an ACL. +# +# mark_client_packet mark-value [!]aclname ... 
+# +# Example where normal_service_net uses the MARK value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# mark_client_packet 0x00 normal_service_net +# mark_client_packet 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: mark_client_connection +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter CONNMARK value to a connection +# on the client-side, based on an ACL. +# +# mark_client_connection mark-value[/mask] [!]aclname ... +# +# The mark-value and mask are unsigned integers (hex, octal, or decimal). +# The mask may be used to preserve marking previously set by other agents +# (e.g., iptables). +# +# A matching rule replaces the CONNMARK value. If a mask is also +# specified, then the masked bits of the original value are zeroed, and +# the configured mark-value is ORed with that adjusted value. +# For example, applying a mark-value 0xAB/0xF to 0x5F CONNMARK, results +# in a 0xFB marking (rather than a 0xAB or 0x5B). +# +# This directive semantics is similar to iptables --set-mark rather than +# --set-xmark functionality. +# +# The directive does not interfere with qos_flows (which uses packet MARKs, +# not CONNMARKs). +# +# Example where squid marks intercepted FTP connections: +# +# acl proto_ftp proto FTP +# mark_client_connection 0x200/0xff00 proto_ftp +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: qos_flows +# Allows you to select a TOS/DSCP value to mark outgoing +# connections to the client, based on where the reply was sourced. 
+# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. +# +# TOS values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values +# +# local-hit=0xFF Value to mark local cache hits. +# +# sibling-hit=0xFF Value to mark hits from sibling peers. +# +# parent-hit=0xFF Value to mark hits from parent peers. +# +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. +# +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. 
+# +# disable-preserve-miss +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). +# +# miss-mask=0xFF +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). +# +#Default: +# none + +# TAG: tcp_outgoing_address +# Allows you to map requests to different outgoing IP addresses +# based on the username or source address of the user making +# the request. +# +# tcp_outgoing_address ipaddr [[!]aclname] ... +# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 +# +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net +# +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net +# +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 +# +# Processing proceeds in the order specified, and stops at first fully +# matching line. +# +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. 
+# +# +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. +# +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. 
+# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. 
+# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on + +# TLS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: tls_outgoing_options +# disable Do not support https:// URLs. +# +# cert=/path/to/client/certificate +# A client X.509 certificate to use when connecting. +# +# key=/path/to/client/private_key +# The private key corresponding to the cert= above. +# +# If key= is not specified cert= is assumed to +# reference a PEM file containing both the certificate +# and private key. +# +# cipher=... The list of valid TLS ciphers to use. +# +# min-version=1.N +# The minimum TLS protocol version to permit. +# To control SSLv3 use the options= parameter. +# Supported Values: 1.0 (default), 1.1, 1.2, 1.3 +# +# options=... Specify various TLS/SSL implementation options. +# +# OpenSSL options most important are: +# +# NO_SSLv3 Disallow the use of SSLv3 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation +# for a more complete list. +# +# GnuTLS options most important are: +# +# %NO_TICKETS +# Disable use of RFC5077 session tickets. +# Some servers may have problems +# understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# See the GnuTLS Priority Strings documentation +# for a more complete list. 
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings +# +# +# cafile= PEM file containing CA certificates to use when verifying +# the peer certificate. May be repeated to load multiple files. +# +# capath= A directory containing additional CA certificates to +# use when verifying the peer certificate. +# Requires OpenSSL or LibreSSL. +# +# crlfile=... A certificate revocation list file to use when +# verifying the peer certificate. +# +# flags=... Specify various flags modifying the TLS implementation: +# +# DONT_VERIFY_PEER +# Accept certificates even if they fail to +# verify. +# DONT_VERIFY_DOMAIN +# Don't verify the peer certificate +# matches the server name +# +# default-ca[=off] +# Whether to use the system Trusted CAs. Default is ON. +# +# domain= The peer name as advertised in its certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +#Default: +# tls_outgoing_options min-version=1.0 + +# SSL OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ssl_unclean_shutdown +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Some browsers (especially MSIE) bugs out on SSL shutdown +# messages. +#Default: +# ssl_unclean_shutdown off + +# TAG: ssl_engine +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The OpenSSL engine to use. You will need to set this if you +# would like to use hardware SSL acceleration for example. +# +# Not supported in builds with OpenSSL 3.0 or newer. 
+#Default: +# none + +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. +# +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. 
+#Default:
+# none
+
+# TAG: ssl_bump
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# This option is consulted when a CONNECT request is received on
+# an http_port (or a new connection is intercepted at an
+# https_port), provided that port was configured with an ssl-bump
+# flag. The subsequent data on the connection is either treated as
+# HTTPS and decrypted OR tunneled at TCP level without decryption,
+# depending on the first matching bumping "action".
+#
+# ssl_bump [!]acl ...
+#
+# The following bumping actions are currently supported:
+#
+# splice
+# Become a TCP tunnel without decrypting proxied traffic.
+# This is the default action.
+#
+# bump
+# When used on step SslBump1, establishes a secure connection
+# with the client first, then connect to the server.
+# When used on step SslBump2 or SslBump3, establishes a secure
+# connection with the server and, using a mimicked server
+# certificate, with the client.
+#
+# peek
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of splicing the
+# connection. Peeking at the server certificate (during step 2)
+# usually precludes bumping of the connection at step 3.
+#
+# stare
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of bumping the
+# connection. Staring at the server certificate (during step 2)
+# usually precludes splicing of the connection at step 3.
+#
+# terminate
+# Close client and server connections.
+#
+# Backward compatibility actions available at step SslBump1:
+#
+# client-first
+# Bump the connection. Establish a secure connection with the
+# client first, then connect to the server. This old mode does
+# not allow Squid to mimic server SSL certificate and does not
+# work with intercepted SSL connections.
+#
+# server-first
+# Bump the connection. Establish a secure connection with the
+# server first, then establish a secure connection with the
+# client, using a mimicked server certificate. Works with both
+# CONNECT requests and intercepted SSL connections, but does
+# not allow to make decisions based on SSL handshake info.
+#
+# peek-and-splice
+# Decide whether to bump or splice the connection based on
+# client-to-squid and server-to-squid SSL hello messages.
+# XXX: Remove.
+#
+# none
+# Same as the "splice" action.
+#
+# All ssl_bump rules are evaluated at each of the supported bumping
+# steps. Rules with actions that are impossible at the current step are
+# ignored. The first matching ssl_bump action wins and is applied at the
+# end of the current step. If no rules match, the splice action is used.
+# See the at_step ACL for a list of the supported SslBump steps.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
+#
+#
+# # Example: Bump all TLS connections except those originating from
+# # localhost or those going to example.com.
+#
+# acl broken_sites ssl::server_name .example.com
+# ssl_bump splice localhost
+# ssl_bump splice broken_sites
+# ssl_bump bump all
+#Default:
+# Become a TCP tunnel without decrypting proxied traffic.
+
+# TAG: sslproxy_cert_error
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Use this ACL to bypass server certificate validation errors.
+#
+# For example, the following lines will bypass all validation errors
+# when talking to servers for example.com. All other
+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+#
+# acl BrokenButTrustedServers dstdomain example.com
+# sslproxy_cert_error allow BrokenButTrustedServers
+# sslproxy_cert_error deny all
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Using slow acl types may result in server crashes
+#
+# Without this option, all server certificate validation errors
+# terminate the transaction to protect Squid and the client.
+#
+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+# but should not happen unless your OpenSSL library is buggy.
+#
+# SECURITY WARNING:
+# Bypassing validation errors is dangerous because an
+# error usually implies that the server cannot be trusted
+# and the connection may be insecure.
+#
+# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#Default:
+# Server certificate errors terminate the transaction.
+
+# TAG: sslproxy_cert_sign
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_sign acl ...
+#
+# The following certificate signing algorithms are supported:
+#
+# signTrusted
+# Sign using the configured CA certificate which is usually
+# placed in and trusted by end-user browsers. This is the
+# default for trusted origin server certificates.
+#
+# signUntrusted
+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+# This is the default for untrusted origin server certificates
+# that are not self-signed (see ssl::certUntrusted).
+#
+# signSelf
+# Sign using a self-signed certificate with the right CN to
+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+# browser. This is the default for self-signed origin server
+# certificates (see ssl::certSelfSigned).
+#
+# This clause only supports fast acl types.
+#
+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+# signing algorithm to generate the certificate and ignores all
+# subsequent sslproxy_cert_sign options (the first match wins). If no
+# acl(s) match, the default signing algorithm is determined by errors
+# detected when obtaining and validating the origin server certificate.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslproxy_cert_adapt
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_adapt acl ...
+#
+# The following certificate adaptation algorithms are supported:
+#
+# setValidAfter
+# Sets the "Not After" property to the "Not After" property of
+# the CA certificate used to sign generated certificates.
+#
+# setValidBefore
+# Sets the "Not Before" property to the "Not Before" property of
+# the CA certificate used to sign generated certificates.
+#
+# setCommonName or setCommonName{CN}
+# Sets Subject.CN property to the host name specified as a
+# CN parameter or, if no explicit CN parameter was specified,
+# extracted from the CONNECT request. It is a misconfiguration
+# to use setCommonName without an explicit parameter for
+# intercepted or tproxied SSL connections.
+#
+# This clause only supports fast acl types.
+#
+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+# corresponding adaptation algorithm to generate the certificate and
+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+# group (i.e., the first match wins within each algorithm group). If no
+# acl(s) match, the default mimicking action takes place.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslpassword_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify a program used for entering SSL key passphrases
+# when using encrypted SSL certificate keys. If not specified
+# keys must either be unencrypted, or Squid started with the -N
+# option to allow it to query interactively for the passphrase.
+#
+# The key file name is given as argument to the program allowing
+# selection of the right password if you have multiple encrypted
+# keys.
+#Default:
+# none
+
+# OPTIONS RELATING TO EXTERNAL SSL_CRTD
+# -----------------------------------------------------------------------------
+
+# TAG: sslcrtd_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specify the location and options of the executable for certificate
+# generator.
+#
+# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response
+# times on repeated requests. To enable caching, specify -s and -M
+# parameters. If those parameters are not given, the program generates
+# a new certificate on every request.
+#
+# For more information use:
+# /usr/lib/squid/security_file_certgen -h
+#Default:
+# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
+
+# TAG: sslcrtd_children
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specifies the maximum number of certificate generation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child is idle and no new child can be started due to
+# numberofchildren limit. If the queued requests exceed queue size for
+# more than 3 minutes squid aborts its operation. The default value is
+# set to 2*numberofchildren.
+#
+# You must have at least one ssl_crtd process.
+#Default:
+# sslcrtd_children 32 startup=5 idle=1
+
+# TAG: sslcrtvalidator_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify the location and options of the executable for ssl_crt_validator
+# process.
+#
+# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
+#
+# Options:
+# ttl=n TTL in seconds for cached results. The default is 60 secs
+# cache=n limit the result cache size. The default value is 2048
+#Default:
+# none
+
+# TAG: sslcrtvalidator_children
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specifies the maximum number of certificate validation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each certificate validator helper can handle in
+# parallel. A value of 0 indicates the certficate validator does not
+# support concurrency. Defaults to 1.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# a request ID in front of the request/response. The request
+# ID from the request must be echoed back with the response
+# to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. If the queued
+# requests exceed queue size for more than 3 minutes squid aborts its
+# operation. The default value is set to 2*numberofchildren.
+#
+# You must have at least one ssl_crt_validator process.
+#Default:
+# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
+
+# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
+# -----------------------------------------------------------------------------
+
+# TAG: cache_peer
+# To specify other caches in a hierarchy, use the format:
+#
+# cache_peer hostname type http-port icp-port [options]
+#
+# For example,
+#
+# # proxy icp
+# # hostname type port port options
+# # -------------------- -------- ----- ----- -----------
+# cache_peer parent.foo.net parent 3128 3130 default
+# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
+# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
+# cache_peer example.com parent 80 0 default
+# cache_peer cdn.example.com sibling 3128 0
+#
+# type: either 'parent', 'sibling', or 'multicast'.
+#
+# proxy-port: The port number where the peer accept HTTP requests.
+# For other Squid proxies this is usually 3128
+# For web servers this is usually 80
+#
+# icp-port: Used for querying neighbor caches about objects.
+# Set to 0 if the peer does not support ICP or HTCP.
+# See ICP and HTCP options below for additional details.
+#
+#
+# ==== ICP OPTIONS ====
+#
+# You MUST also set icp_port and icp_access explicitly when using these options.
+# The defaults will prevent peer traffic using ICP.
+#
+#
+# no-query Disable ICP queries to this neighbor.
+#
+# multicast-responder
+# Indicates the named peer is a member of a multicast group.
+# ICP queries will not be sent directly to the peer, but ICP
+# replies will be accepted from it.
+#
+# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
+# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
+#
+# background-ping
+# To only send ICP queries to this neighbor infrequently.
+# This is used to keep the neighbor round trip time updated
+# and is usually used in conjunction with weighted-round-robin.
+#
+#
+# ==== HTCP OPTIONS ====
+#
+# You MUST also set htcp_port and htcp_access explicitly when using these options.
+# The defaults will prevent peer traffic using HTCP.
+#
+#
+# htcp Send HTCP, instead of ICP, queries to the neighbor.
+# You probably also want to set the "icp-port" to 4827
+# instead of 3130. This directive accepts a comma separated
+# list of options described below.
+#
+# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
+#
+# htcp=no-clr Send HTCP to the neighbor but without
+# sending any CLR requests. This cannot be used with
+# only-clr.
+#
+# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
+# This cannot be used with no-clr.
+#
+# htcp=no-purge-clr
+# Send HTCP to the neighbor including CLRs but only when
+# they do not result from PURGE requests.
+#
+# htcp=forward-clr
+# Forward any HTCP CLR requests this proxy receives to the peer.
+#
+#
+# ==== PEER SELECTION METHODS ====
+#
+# The default peer selection method is ICP, with the first responding peer
+# being used as source. These options can be used for better load balancing.
+#
+#
+# default This is a parent cache which can be used as a "last-resort"
+# if a peer cannot be located by any of the peer-selection methods.
+# If specified more than once, only the first is used.
+#
+# round-robin Load-Balance parents which should be used in a round-robin
+# fashion in the absence of any ICP queries.
+# weight=N can be used to add bias.
+#
+# weighted-round-robin
+# Load-Balance parents which should be used in a round-robin
+# fashion with the frequency of each parent being based on the
+# round trip time. Closer parents are used more often.
+# Usually used for background-ping parents.
+# weight=N can be used to add bias.
+#
+# carp Load-Balance parents which should be used as a CARP array.
+# The requests will be distributed among the parents based on the
+# CARP load balancing hash function based on their weight.
+#
+# userhash Load-balance parents based on the client proxy_auth or ident username.
+#
+# sourcehash Load-balance parents based on the client source IP.
+#
+# multicast-siblings
+# To be used only for cache peers of type "multicast".
+# ALL members of this multicast group have "sibling"
+# relationship with it, not "parent". This is to a multicast
+# group when the requested object would be fetched only from
+# a "parent" cache, anyway. It's useful, e.g., when
+# configuring a pool of redundant Squid proxies, being
+# members of the same multicast group.
+#
+#
+# ==== PEER SELECTION OPTIONS ====
+#
+# weight=N use to affect the selection of a peer during any weighted
+# peer-selection mechanisms.
+# The weight must be an integer; default is 1,
+# larger weights are favored more.
+# This option does not affect parent selection if a peering
+# protocol is not in use.
+#
+# basetime=N Specify a base amount to be subtracted from round trip
+# times of parents.
+# It is subtracted before division by weight in calculating
+# which parent to fectch from. If the rtt is less than the
+# base time the rtt is set to a minimal value.
+#
+# ttl=N Specify a TTL to use when sending multicast ICP queries
+# to this address.
+# Only useful when sending to a multicast group.
+# Because we don't accept ICP replies from random
+# hosts, you must configure other group members as
+# peers with the 'multicast-responder' option.
+#
+# no-delay To prevent access to this neighbor from influencing the
+# delay pools.
+#
+# digest-url=URL Tell Squid to fetch the cache digest (if digests are
+# enabled) for this host from the specified URL rather
+# than the Squid default location.
+#
+#
+# ==== CARP OPTIONS ====
+#
+# carp-key=key-specification
+# use a different key than the full URL to hash against the peer.
+# the key-specification is a comma-separated list of the keywords
+# scheme, host, port, path, params
+# Order is not important.
+#
+# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
+#
+# originserver Causes this parent to be contacted as an origin server.
+# Meant to be used in accelerator setups when the peer
+# is a web server.
+#
+# forceddomain=name
+# Set the Host header of requests forwarded to this peer.
+# Useful in accelerator setups where the server (peer)
+# expects a certain domain name but clients may request
+# others. ie example.com or www.example.com
+#
+# no-digest Disable request of cache digests.
+#
+# no-netdb-exchange
+# Disables requesting ICMP RTT database (NetDB).
+#
+#
+# ==== AUTHENTICATION OPTIONS ====
+#
+# login=user:password
+# If this is a personal/workgroup proxy and your parent
+# requires proxy authentication.
+#
+# Note: The string can include URL escapes (i.e. %20 for
+# spaces). This also means % must be written as %%.
+#
+# login=PASSTHRU
+# Send login details received from client to this peer.
+# Both Proxy- and WWW-Authorization headers are passed
+# without alteration to the peer.
+# Authentication is not required by Squid for this to work.
+#
+# Note: This will pass any form of authentication but
+# only Basic auth will work through a proxy unless the
+# connection-auth options are also used.
+#
+# login=PASS Send login details received from client to this peer.
+# Authentication is not required by this option.
+#
+# If there are no client-provided authentication headers
+# to pass on, but username and password are available
+# from an external ACL user= and password= result tags
+# they may be sent instead.
+#
+# Note: To combine this with proxy_auth both proxies must
+# share the same user database as HTTP only allows for
+# a single login (one for proxy, one for origin server).
+# Also be warned this will expose your users proxy
+# password to the peer. USE WITH CAUTION
+#
+# login=*:password
+# Send the username to the upstream cache, but with a
+# fixed password. This is meant to be used when the peer
+# is in another administrative domain, but it is still
+# needed to identify each user.
+# The star can optionally be followed by some extra
+# information which is added to the username. This can
+# be used to identify this proxy to the peer, similar to
+# the login=username:password option above.
+#
+# login=NEGOTIATE
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The first principal from the default keytab or defined by
+# the environment variable KRB5_KTNAME will be used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# login=NEGOTIATE:principal_name
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The principal principal_name from the default keytab or
+# defined by the environment variable KRB5_KTNAME will be
+# used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# connection-auth=on|off
+# Tell Squid that this peer does or not support Microsoft
+# connection oriented authentication, and any such
+# challenges received from there should be ignored.
+# Default is auto to automatically determine the status
+# of the peer.
+#
+# auth-no-keytab
+# Do not use a keytab to authenticate to a peer when
+# login=NEGOTIATE is specified. Let the GSSAPI
+# implementation determine which already existing
+# credentials cache to use instead.
+#
+#
+# ==== SSL / HTTPS / TLS OPTIONS ====
+#
+# tls Encrypt connections to this peer with TLS.
+#
+# sslcert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this peer.
+#
+# sslkey=/path/to/ssl/key
+# The private key corresponding to sslcert above.
+#
+# If sslkey= is not specified sslcert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# sslcipher=... The list of valid SSL ciphers to use when connecting
+# to this peer.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various TLS implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the peer certificate. May be repeated to load multiple files.
+#
+# sslcapath=... A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# sslcrlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# sslflags=... Specify various flags modifying the SSL implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+#
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# ssldomain= The peer name as advertised in it's certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#
+# front-end-https[=off|on|auto]
+# Enable the "Front-End-Https: On" header needed when
+# using Squid as a SSL frontend in front of Microsoft OWA.
+# See MS KB document Q307347 for details on this header.
+# If set to auto the header will only be added if the
+# request is forwarded as a https:// URL.
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+#
+# ==== GENERAL OPTIONS ====
+#
+# connect-timeout=N
+# A peer-specific connect timeout.
+# Also see the peer_connect_timeout directive.
+#
+# connect-fail-limit=N
+# How many times connecting to a peer must fail before
+# it is marked as down. Standby connection failures
+# count towards this limit. Default is 10.
+#
+# allow-miss Disable Squid's use of only-if-cached when forwarding
+# requests to siblings. This is primarily useful when
+# icp_hit_stale is used by the sibling. Excessive use
+# of this option may result in forwarding loops. One way
+# to prevent peering loops when using this option, is to
+# deny cache peer usage on requests from a peer:
+# acl fromPeer ...
+# cache_peer_access peerName deny fromPeer
+#
+# max-conn=N Limit the number of concurrent connections the Squid
+# may open to this peer, including already opened idle
+# and standby connections. There is no peer-specific
+# connection limit by default.
+#
+# A peer exceeding the limit is not used for new
+# requests unless a standby connection is available.
+#
+# max-conn currently works poorly with idle persistent
+# connections: When a peer reaches its max-conn limit,
+# and there are idle persistent connections to the peer,
+# the peer may not be selected because the limiting code
+# does not know whether Squid can reuse those idle
+# connections.
+#
+# standby=N Maintain a pool of N "hot standby" connections to an
+# UP peer, available for requests when no idle
+# persistent connection is available (or safe) to use.
+# By default and with zero N, no such pool is maintained.
+# N must not exceed the max-conn limit (if any).
+#
+# At start or after reconfiguration, Squid opens new TCP
+# standby connections until there are N connections
+# available and then replenishes the standby pool as
+# opened connections are used up for requests. A used
+# connection never goes back to the standby pool, but
+# may go to the regular idle persistent connection pool
+# shared by all peers and origin servers.
+#
+# Squid never opens multiple new standby connections
+# concurrently. This one-at-a-time approach minimizes
+# flooding-like effect on peers. Furthermore, just a few
+# standby connections should be sufficient in most cases
+# to supply most new requests with a ready-to-use
+# connection.
+#
+# Standby connections obey server_idle_pconn_timeout.
+# For the feature to work as intended, the peer must be
+# configured to accept and keep them open longer than
+# the idle timeout at the connecting Squid, to minimize
+# race conditions typical to idle used persistent
+# connections. Default request_timeout and
+# server_idle_pconn_timeout values ensure such a
+# configuration.
+#
+# name=xxx Unique name for the peer.
+# Required if you have multiple peers on the same host
+# but different ports.
+# This name can be used in cache_peer_access and similar
+# directives to identify the peer.
+# Can be used by outgoing access controls through the
+# peername ACL type.
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
+#Default:
+# none
+
+# TAG: cache_peer_access
+# Restricts usage of cache_peer proxies.
+#
+# Usage:
+# cache_peer_access peer-name allow|deny [!]aclname ...
+#
+# For the required peer-name parameter, use either the value of the
+# cache_peer name=value parameter or, if name=value is missing, the
+# cache_peer hostname parameter.
+#
+# This directive narrows down the selection of peering candidates, but
+# does not determine the order in which the selected candidates are
+# contacted. That order is determined by the peer selection algorithms
+# (see PEER SELECTION sections in the cache_peer documentation).
+#
+# If a deny rule matches, the corresponding peer will not be contacted
+# for the current transaction -- Squid will not send ICP queries and
+# will not forward HTTP requests to that peer. An allow match leaves
+# the corresponding peer in the selection. The first match for a given
+# peer wins for that peer.
+#
+# The relative order of cache_peer_access directives for the same peer
+# matters. The relative order of any two cache_peer_access directives
+# for different peers does not matter. To ease interpretation, it is a
+# good idea to group cache_peer_access directives for the same peer
+# together.
+#
+# A single cache_peer_access directive may be evaluated multiple times
+# for a given transaction because individual peer selection algorithms
+# may check it independently from each other. These redundant checks
+# may be optimized away in future Squid versions.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# No peer usage restrictions.
+
+# TAG: neighbor_type_domain
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
+#
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
+#
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
+#Default:
+# The peer type from cache_peer directive is used for all requests to that peer.
+
+# TAG: dead_peer_timeout (seconds)
+# This controls how long Squid waits to declare a peer cache
+# as "dead." If there are no ICP replies received in this
+# amount of time, Squid will declare the peer dead and not
+# expect to receive any further ICP replies. However, it
+# continues to send ICP queries, and will mark the peer as
+# alive upon receipt of the first subsequent ICP reply.
+#
+# This timeout also affects when Squid expects to receive ICP
+# replies from peers. If more than 'dead_peer' seconds have
+# passed since the last ICP reply was received, Squid will not
+# expect to receive an ICP reply on the next query. Thus, if
+# your time between requests is greater than this timeout, you
+# will see a lot of requests sent DIRECT to origin servers
+# instead of to your parents.
+#Default:
+# dead_peer_timeout 10 seconds
+
+# TAG: forward_max_tries
+# Limits the number of attempts to forward the request.
+#
+# For the purpose of this limit, Squid counts all high-level request
+# forwarding attempts, including any same-destination retries after
+# certain persistent connection failures and any attempts to use a
+# different peer. However, these low-level attempts are not counted:
+# * connection reopening attempts (enabled using connect_retries)
+# * unfinished Happy Eyeballs connection attempts (prevented by setting
+# happy_eyeballs_connect_limit to 0)
+#
+# See also: forward_timeout and connect_retries.
+#Default:
+# forward_max_tries 25
+
+# MEMORY CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mem (bytes)
+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+#
+# 'cache_mem' specifies the ideal amount of memory to be used
+# for:
+# * In-Transit objects
+# * Hot Objects
+# * Negative-Cached objects
+#
+# Data for these objects are stored in 4 KB blocks. This
+# parameter specifies the ideal upper limit on the total size of
+# 4 KB blocks allocated. In-Transit objects take the highest
+# priority.
+#
+# In-transit objects have priority over the others. When
+# additional space is needed for incoming data, negative-cached
+# and hot objects will be released. In other words, the
+# negative-cached and hot objects will fill up any unused space
+# not needed for in-transit objects.
+#
+# If circumstances require, this limit will be exceeded.
+# Specifically, if your incoming request rate requires more than
+# 'cache_mem' of memory to hold in-transit objects, Squid will
+# exceed this limit to satisfy the new requests. When the load
+# decreases, blocks will be freed until the high-water mark is
+# reached. Thereafter, blocks will be used to store hot
+# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
+#Default: +# cache_mem 256 MB + +# TAG: maximum_object_size_in_memory (bytes) +# Objects greater than this size will not be attempted to kept in +# the memory cache. This should be set high enough to keep objects +# accessed frequently in memory to improve performance whilst low +# enough to keep larger objects from hoarding cache_mem. +#Default: +# maximum_object_size_in_memory 512 KB + +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. 
+# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + +# TAG: memory_replacement_policy +# The memory replacement policy parameter determines which +# objects are purged from memory when memory space is needed. +# +# See cache_replacement_policy for details on algorithms. +#Default: +# memory_replacement_policy lru + +# DISK CACHE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: cache_replacement_policy +# The cache replacement policy parameter determines which +# objects are evicted (replaced) when disk space is needed. +# +# lru : Squid's original list based LRU policy +# heap GDSF : Greedy-Dual Size Frequency +# heap LFUDA: Least Frequently Used with Dynamic Aging +# heap LRU : LRU policy implemented using a heap +# +# Applies to any cache_dir lines listed below this directive. +# +# The LRU policies keeps recently referenced objects. +# +# The heap GDSF policy optimizes object hit rate by keeping smaller +# popular objects in cache so it has a better chance of getting a +# hit. It achieves a lower byte hit rate than LFUDA though since +# it evicts larger (possibly popular) objects. +# +# The heap LFUDA policy keeps popular objects in cache regardless of +# their size and thus optimizes byte hit rate at the expense of +# hit rate since one large, popular object will prevent many +# smaller, slightly less popular objects from being cached. +# +# Both policies utilize a dynamic aging mechanism that prevents +# cache pollution that can otherwise occur with frequency-based +# replacement policies. +# +# NOTE: if using the LFUDA replacement policy you should increase +# the value of maximum_object_size above its default of 4 MB to +# to maximize the potential byte hit rate improvement of LFUDA. 
+# +# For more information about the GDSF and LFUDA cache replacement +# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html +# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. +#Default: +# cache_replacement_policy lru + +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB + +# TAG: cache_dir +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] +# +# You can specify multiple cache_dir lines to spread the +# cache among different disk partitions. +# +# Type specifies the kind of storage system to use. Only "ufs" +# is built by default. To enable any of the other storage systems +# see the --enable-storeio configure option. +# +# 'Directory' is a top-level directory where cache swap +# files will be stored. If you want to use an entire disk +# for caching, this can be the mount-point directory. +# The directory must exist and be writable by the Squid +# process. Squid will NOT create this directory for you. 
+# +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== +# +# "ufs" is the old well-known Squid storage format that has always +# been there. +# +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# +# 'Mbytes' is the amount of disk space (MB) to use under this +# directory. The default is 100 MB. Change this to suit your +# configuration. Do NOT put the size of your disk drive here. +# Instead, if you want Squid to use the entire disk drive, +# subtract 20% and use that value. +# +# 'L1' is the number of first-level subdirectories which +# will be created under the 'Directory'. The default is 16. +# +# 'L2' is the number of second-level subdirectories which +# will be created under each first-level directory. The default +# is 256. +# +# +# ==== The aufs store type ==== +# +# "aufs" uses the same storage format as "ufs", utilizing +# POSIX-threads to avoid blocking the main Squid process on +# disk-I/O. This was formerly known in Squid as async-io. +# +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# +# see argument descriptions under ufs above +# +# +# ==== The diskd store type ==== +# +# "diskd" uses the same storage format as "ufs", utilizing a +# separate process to avoid blocking the main Squid process on +# disk-I/O. +# +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# +# see argument descriptions under ufs above +# +# Q1 specifies the number of unacknowledged I/O requests when Squid +# stops opening new files. If this many messages are in the queues, +# Squid won't open new files. Default is 64 +# +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. 
Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. 
Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. 
As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. +# +# +# round-robin +# +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. +# +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. +# +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. +# +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. +# +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: +# +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... 
max-size=99999 +#Default: +# store_dir_select_algorithm least-load + +# TAG: max_open_disk_fds +# To avoid having disk as the I/O bottleneck Squid can optionally +# bypass the on-disk cache if more than this amount of disk file +# descriptors are open. +# +# A value of 0 indicates no limit. +#Default: +# no limit + +# TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy +#Default: +# cache_swap_low 90 + +# TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. 
If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy +#Default: +# cache_swap_high 95 + +# LOGFILE OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: logformat +# Usage: +# +# logformat +# +# Defines an access log format. +# +# The is a string with embedded % format codes +# +# % format codes all follow the same basic structure where all +# components but the formatcode are optional and usually unnecessary, +# especially when dealing with common codes. +# +# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}] +# +# encoding escapes or otherwise protects "special" characters: +# +# " Quoted string encoding where quote(") and +# backslash(\) characters are \-escaped while +# CR, LF, and TAB characters are encoded as \r, +# \n, and \t two-character sequences. +# +# [ Custom Squid encoding where percent(%), square +# brackets([]), backslash(\) and characters with +# codes outside of [32,126] range are %-encoded. +# SP is not encoded. Used by log_mime_hdrs. +# +# # URL encoding (a.k.a. percent-encoding) where +# all URL unsafe and control characters (per RFC +# 1738) are %-encoded. +# +# / Shell-like encoding where quote(") and +# backslash(\) characters are \-escaped while CR +# and LF characters are encoded as \r and \n +# two-character sequences. Values containing SP +# character(s) are surrounded by quotes("). +# +# ' Raw/as-is encoding with no escaping/quoting. +# +# Default encoding: When no explicit encoding is +# specified, each %code determines its own encoding. +# Most %codes use raw/as-is encoding, but some codes use +# a so called "pass-through URL encoding" where all URL +# unsafe and control characters (per RFC 1738) are +# %-encoded, but the percent character(%) is left as is. 
+# +# - left aligned +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# +# {arg} argument such as header name etc. This field may be +# placed before or after the token, but not both at once. +# +# Format codes: +# +# % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# master_xaction The master transaction identifier is an unsigned +# integer. These IDs are guaranteed to monotonically +# increase within a single worker process lifetime, with +# higher values corresponding to transactions that were +# accepted or initiated later. Due to current implementation +# deficiencies, some IDs are skipped (i.e. never logged). +# Concurrent workers and restarted workers use similar, +# overlapping sequences of master transaction IDs. 
+# +# Connection related format codes: +# +# >a Client source IP address +# >A Client FQDN +# >p Client source port +# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter packet MARK set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# handshake Raw client handshake +# Initial client bytes received by Squid on a newly +# accepted TCP connection or inside a just established +# CONNECT tunnel. Squid stops accumulating handshake +# bytes as soon as the handshake parser succeeds or +# fails (determining whether the client is using the +# expected protocol). +# +# For HTTP clients, the handshake is the request line. +# For TLS clients, the handshake consists of all TLS +# records up to and including the TLS record that +# contains the last byte of the first ClientHello +# message. For clients using an unsupported protocol, +# this field contains the bytes received by Squid at the +# time of the handshake parsing failure. +# +# See the on_unsupported_protocol directive for more +# information on Squid handshake traffic expectations. +# +# Current support is limited to these contexts: +# - http_port connections, but only when the +# on_unsupported_protocol directive is in use. +# - https_port connections (and CONNECT tunnels) that +# are subject to the ssl_bump peek or stare action. +# +# To protect binary handshake data, this field is always +# base64-encoded (RFC 4648 Section 4). If logformat +# field encoding is configured, that encoding is applied +# on top of base64. Otherwise, the computed base64 value +# is recorded as is. +# +# Time related format codes: +# +# ts Seconds since epoch +# tu subsecond time (milliseconds) +# tl Local time. 
Optional strftime format argument +# default %d/%b/%Y:%H:%M:%S %z +# tg GMT time. Optional strftime format argument +# default %d/%b/%Y:%H:%M:%S %z +# tr Response time (milliseconds) +# dt Total time spent making DNS lookups (milliseconds) +# tS Approximate master transaction start time in +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST +# +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL received from the client (or computed) +# +# Computed URLs are URIs of internally generated +# requests and various "error:..." URIs. +# +# Unlike %ru, this request URI is not affected +# by request adaptation, URL rewriting services, +# and strip_query_terms. +# +# Honors uri_whitespace. 
+# +# This field is using pass-through URL encoding +# by default. Encoding this field using other +# variants of %-encoding will clash with +# uri_whitespace modifications that also use +# %-encoding. +# +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Optional header name argument as for >h +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# +# [http::]h +# +# [http::]mt MIME content type +# +# +# SIZE COUNTERS +# +# [http::]st Total size of request + reply traffic with client +# [http::]>st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. +# +# ssl::>cert_subject +# The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# ssl::>cert_issuer +# The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# +# ssl::negotiated_version The negotiated TLS version of the +# client connection. 
+# +# %ssl::received_hello_version The TLS version of the Hello +# message received from TLS client. +# +# %ssl::received_supported_version The maximum TLS version +# supported by the TLS client. +# +# %ssl::negotiated_cipher The negotiated cipher of the +# client connection. +# +# %ssl::h PROXY protocol header, including optional TLVs. +# +# Supports the same field and element reporting/extraction logic +# as %http::>h. For configuration and reporting purposes, Squid +# maps each PROXY TLV to an HTTP header field: the TLV type +# (configured as a decimal integer) is the field name, and the +# TLV value is the field value. All TLVs of "LOCAL" connections +# (in PROXY protocol terminology) are currently skipped/ignored. +# +# Squid also maps the following standard PROXY protocol header +# blocks to pseudo HTTP headers (their names use PROXY +# terminology and start with a colon, following HTTP tradition +# for pseudo headers): :command, :version, :src_addr, :dst_addr, +# :src_port, and :dst_port. +# +# Without optional parameters, this logformat code logs +# pseudo headers and TLVs. +# +# This format code uses pass-through URL encoding by default. +# +# Example: +# # relay custom PROXY TLV #224 to adaptation services +# adaptation_meta Client-Foo "%proxy_protocol::>h{224}" +# +# See also: %http::>h +# +# The default formats available (which do not need re-defining) are: +# +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. 
+# The logs from Squid contain an extra status and hierarchy code appended. +# +#Default: +# The format definitions squid, common, combined, referrer, useragent are built in. + +# TAG: access_log +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: +# +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] +# +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] +# +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. 
+# +# rotate=N Specifies the number of log file rotations to +# make when you run 'squid -k rotate'. The default +# is to obey the logfile_rotate directive. Setting +# rotate=0 will disable the file name rotation, +# but the log files are still closed and re-opened. +# This will enable you to rename the logfiles +# yourself just before sending the rotate signal. +# Only supported by the stdio module. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority +# +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. +# +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port +# +# Default: +# access_log daemon:/var/log/squid/access.log squid +#Default: +# access_log daemon:/var/log/squid/access.log squid + +# TAG: icap_log +# ICAP log files record ICAP transaction summaries, one line per +# transaction. 
+# +# The icap_log option format is: +# icap_log [ [acl acl ...]] +# icap_log none [acl acl ...]] +# +# Please see access_log option documentation for details. The two +# kinds of logs share the overall configuration approach and many +# features. +# +# ICAP processing of a single HTTP message or transaction may +# require multiple ICAP transactions. In such cases, multiple +# ICAP transaction log lines will correspond to a single access +# log line. +# +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). +# +# icap::h ICAP request header(s). Similar to >h. +# +# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/lib/squid/log_file_daemon + +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow logging for all transactions. + +# TAG: cache_store_log +# Logs the activities of the storage manager. 
Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long.
+# There are not really utilities to analyze this data, so you can safely
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
+# Example:
+# cache_store_log stdio:/var/log/squid/store.log
+# cache_store_log daemon:/var/log/squid/store.log
+#Default:
+# none
+
+# TAG: cache_swap_state
+# Location for the cache "swap.state" file. This index file holds
+# the metadata of objects saved on disk. It is used to rebuild
+# the cache during startup. Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file. If you change the order of the 'cache_dir'
+# lines in this file, these index files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend you do NOT use this option. It is
+# better to keep these index files in each 'cache_dir' directory.
+#Default:
+# Store the journal inside its cache_dir
+
+# TAG: logfile_rotate
+# Specifies the default number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9.
Setting logfile_rotate to 0 will
+# disable the file name rotation, but the logfiles are still closed
+# and re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
+#
+# Note, from Squid-4 this option is only a default for access.log
+# recorded by stdio: module. Those logs can be rotated separately by
+# using the rotate=N option on their access_log directive.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# '.
+#
+# Note, for Debian/Linux the default of logfile_rotate is
+# zero, since it includes external logfile-rotation methods.
+#Default:
+# logfile_rotate 0
+
+# TAG: mime_table
+# Path to Squid's icon configuration file.
+#
+# You shouldn't need to change this, but the default file contains
+# examples and formatting information if you do.
+#Default:
+# mime_table /usr/share/squid/mime.conf
+
+# TAG: log_mime_hdrs on|off
+# The Cache can record both the request and the response MIME
+# headers for each HTTP transaction. The headers are encoded
+# safely and will appear as two bracketed fields at the end of
+# the access log (for either the native or httpd-emulated log
+# formats). To enable this logging set log_mime_hdrs to 'on'.
+#Default:
+# log_mime_hdrs off
+
+# TAG: pid_filename
+# A filename to write the process-id to. To disable, enter "none".
+#Default:
+# pid_filename /run/squid.pid
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#Default:
+# Log full client IP address
+
+# TAG: strip_query_terms
+# By default, Squid strips query terms from requested URLs before
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
+#Default:
+# strip_query_terms on
+
+# TAG: buffered_logs on|off
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks. Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
+#Default:
+# buffered_logs off
+
+# TAG: netdb_filename
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
+#
+# To disable, enter "none".
+#Default:
+# netdb_filename stdio:/var/spool/squid/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
+#Default:
+# cache_log /var/log/squid/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section.
Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# The default is to run with "ALL,1" to record important warnings.
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# Log all critical and important messages.
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started. If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# Use the directory from where Squid was started.
+#
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# OPTIONS FOR FTP GATEWAYING
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky FTP servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some FTP server also validate the email address is valid
+# (for example perl.com).
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, turn off this option.
+#
+# Use of ftp_epsv_all option requires this to be ON.
+#Default:
+# ftp_passive on
+
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator, as the EPRT command will never be used and therefore,
+# translation of the data portion of the segments will never be needed.
+#
+# When a client only expects to do two-way FTP transfers this may be
+# useful.
+# If squid finds that it must do a three-way FTP transfer after issuing
+# an EPSV ALL command, the FTP session will fail.
+#
+# If you have any doubts about this option do not use it.
+# Squid will nicely attempt all other connection methods.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv_all off
+
+# TAG: ftp_epsv
+# FTP Protocol extensions permit the use of a special "EPSV" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator using EPSV, as the EPRT command will never be used
+# and therefore, translation of the data portion of the segments
+# will never be needed.
+#
+# EPSV is often required to interoperate with FTP servers on IPv6
+# networks. On the other hand, it may break some IPv4 servers.
+#
+# By default, EPSV may try EPSV with any FTP server. To fine tune
+# that decision, you may restrict EPSV to certain clients or servers
+# using ACLs:
+#
+# ftp_epsv allow|deny al1 acl2 ...
+#
+# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
+#
+# Only fast ACLs are supported.
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# none
+
+# TAG: ftp_eprt
+# FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+# This extension provides a protocol neutral alternative to the
+# IPv4-only PORT command. When supported it enables active FTP data
+# channels over IPv6 and efficient NAT handling.
+#
+# Turning this OFF will prevent EPRT being attempted and will skip
+# straight to using PORT for IPv4 servers.
+#
+# Some devices are known to not handle this extension correctly and
+# may result in crashes.
Devices which suport EPRT enough to fail
+# cleanly will result in Squid attempting PORT anyway. This directive
+# should only be disabled when EPRT results in device failures.
+#
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
+# TAG: ftp_sanitycheck
+# For security and data integrity reasons Squid by default performs
+# sanity checks of the addresses of FTP data connections ensure the
+# data connection is to the requested server. If you need to allow
+# FTP connections to servers using another IP address for the data
+# connection turn this off.
+#Default:
+# ftp_sanitycheck on
+
+# TAG: ftp_telnet_protocol
+# The FTP protocol is officially defined to use the telnet protocol
+# as transport channel for the control connection. However, many
+# implementations are broken and does not respect this aspect of
+# the FTP protocol.
+#
+# If you have trouble accessing files with ASCII code 255 in the
+# path or similar problems involving this ASCII code you can
+# try setting this directive to off. If that helps, report to the
+# operator of the FTP server in question that their FTP server
+# is broken and does not follow the FTP standard.
+#Default:
+# ftp_telnet_protocol on
+
+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+# -----------------------------------------------------------------------------
+
+# TAG: diskd_program
+# Specify the location of the diskd executable.
+# Note this is only useful if you have compiled in
+# diskd as one of the store io modules.
+#Default:
+# diskd_program /usr/lib/squid/diskd
+
+# TAG: unlinkd_program
+# Specify the location of the executable for file deletion process.
+#Default:
+# unlinkd_program /usr/lib/squid/unlinkd
+
+# TAG: pinger_program
+# Specify the location of the executable for the pinger process.
+#Default:
+# pinger_program /usr/lib/squid/pinger
+
+# TAG: pinger_enable
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable on
+
+# OPTIONS FOR URL REWRITING
+# -----------------------------------------------------------------------------
+
+# TAG: url_rewrite_program
+# The name and command line parameters of an admin-provided executable
+# for redirecting clients or adjusting/replacing client request URLs.
+#
+# This helper is consulted after the received request is cleared by
+# http_access and adapted using eICAP/ICAP services (if any). If the
+# helper does not redirect the client, Squid checks adapted_http_access
+# and may consult the cache or forward the request to the next hop.
+#
+#
+# For each request, the helper gets one line in the following format:
+#
+# [channel-ID ] request-URL [ extras]
+#
+# Use url_rewrite_extras to configure what Squid sends as 'extras'.
+#
+#
+# The helper must reply to each query using a single line:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result section must match exactly one of the following outcomes:
+#
+# OK [status=30N] url="..."
+#
+# Redirect the client to a URL supplied in the 'url' parameter.
+# Optional 'status' specifies the status code to send to the
+# client in Squid's HTTP redirect response. It must be one of
+# the standard HTTP redirect status codes: 301, 302, 303, 307,
+# or 308. When no specific status is requested, Squid uses 302.
+#
+# OK rewrite-url="..."
+#
+# Replace the current request URL with the one supplied in the
+# 'rewrite-url' parameter. Squid fetches the resource specified
+# by the new URL and forwards the received response (or its
+# cached copy) to the client.
+#
+# WARNING: Avoid rewriting URLs! When possible, redirect the
+# client using an "OK url=..." helper response instead.
+# Rewriting URLs may create inconsistent requests and/or break
+# synchronization between internal client and origin server
+# states, especially when URLs or other message parts contain
+# snippets of that state. For example, Squid does not adjust
+# Location headers and embedded URLs after the helper rewrites
+# the request URL.
+#
+# OK
+# Keep the client request intact.
+#
+# ERR
+# Keep the client request intact.
+#
+# BH [message="..."]
+# A helper problem that should be reported to the Squid admin
+# via a level-1 cache.log message. The 'message' parameter is
+# reserved for specifying the log message.
+#
+# In addition to the kv-pairs mentioned above, Squid also understands
+# the following optional kv-pairs in URL rewriter responses:
+#
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+#
+# The clt_conn_tag=TAG pair is treated as a regular transaction
+# annotation for the current request and also annotates future
+# requests on the same client connection. A helper may update
+# the TAG during subsequent requests by returning a new kv-pair.
+#
+#
+# Helper messages contain the channel-ID part if and only if the
+# url_rewrite_children directive specifies positive concurrency. As a
+# channel-ID value, Squid sends a number between 0 and concurrency-1.
+# The helper must echo back the received channel-ID in its response.
+#
+# By default, Squid does not use a URL rewriter.
+#Default:
+# none
+
+# TAG: url_rewrite_children
+# Specifies the maximum number of redirector processes that Squid may
+# spawn (numberofchildren) and several related options. Using too few of
+# these helper processes (a.k.a. "helpers") creates request queues.
+# Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures.
When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each redirector helper can handle in
+# parallel. Defaults to 0 which indicates the redirector
+# is a old-style single threaded redirector.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. The default
+# maximum is zero if url_rewrite_bypass is enabled and
+# 2*numberofchildren otherwise. If the queued requests exceed queue size
+# and redirector_bypass configuration option is set, then redirector is
+# bypassed. Otherwise, Squid is allowed to temporarily exceed the
+# configured maximum, marking the affected helper as "overloaded". If
+# the helper overload lasts more than 3 minutes, the action prescribed
+# by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits.
This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: url_rewrite_host_header
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
+# WARNING: Entries are cached on the result of the URL rewriting
+# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
+#Default:
+# url_rewrite_host_header on
+
+# TAG: url_rewrite_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: url_rewrite_bypass
+# When this is 'on', a request will not go through the
+# redirector if all the helpers are busy. If this is 'off' and the
+# redirector queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# redirectors are not critical to your caching system. If you use
+# redirectors for access control, and you enable this option,
+# users may have access to pages they should not
+# be allowed to request.
+#
+# Enabling this option sets the default url_rewrite_children queue-size
+# option value to 0.
+#Default:
+# url_rewrite_bypass off
+
+# TAG: url_rewrite_extras
+# Specifies a string to be append to request line format for the
+# rewriter helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: url_rewrite_timeout
+# Squid times active requests to redirector. The timeout value and Squid
+# reaction to a timed out request are configurable using the following
+# format:
+#
+# url_rewrite_timeout timeout time-units on_timeout= [response=]
+#
+# supported timeout actions:
+# fail Squid return a ERR_GATEWAY_FAILURE error page
+#
+# bypass Do not re-write the URL
+#
+# retry Send the lookup to the helper again
+#
+# use_configured_response
+# Use the as helper response
+#Default:
+# Squid waits for the helper response forever
+
+# OPTIONS FOR STORE ID
+# -----------------------------------------------------------------------------
+
+# TAG: store_id_program
+# Specify the location of the executable StoreID helper to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the helper will receive one line with the format
+#
+# [channel-ID ] URL [ extras]
+#
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID ] result [ kv-pairs]
+#
+# The result code can be:
+#
+# OK store-id="..."
+# Use the StoreID supplied in 'store-id='.
+#
+# ERR
+# The default is to use HTTP request URL as the store ID.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# In addition to the above kv-pairs Squid also understands the following
+# optional kv-pairs received from URL rewriters:
+# clt_conn_tag=TAG
+# Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation for this
+# kv-pair
+#
+# Helper programs should be prepared to receive and possibly ignore
+# additional whitespace-separated tokens on each input line.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# NOTE: when using StoreID refresh_pattern will apply to the StoreID
+# returned from the helper and not the URL.
+#
+# WARNING: Wrong StoreID value returned by a careless helper may result
+# in the wrong cached response returned to the user.
+#
+# By default, a StoreID helper is not used.
+#Default:
+# none
+
+# TAG: store_id_extras
+# Specifies a string to be append to request line format for the
+# StoreId helper. "Quoted" format values may contain spaces and
+# logformat %macros. In theory, any logformat %macro can be used.
+# In practice, a %macro expands as a dash (-) if the helper request is
+# sent before the required macro information is available to Squid.
+#Default:
+# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
+
+# TAG: store_id_children
+# Specifies the maximum number of StoreID helper processes that Squid
+# may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each storeID helper can handle in
+# parallel. Defaults to 0 which indicates the helper
+# is a old-style single threaded program.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests to N. A request is queued
+# when no existing child can accept it due to concurrency limit and no
+# new child can be started due to numberofchildren limit. The default
+# maximum is 2*numberofchildren. If the queued requests exceed queue
+# size and redirector_bypass configuration option is set, then
+# redirector is bypassed. Otherwise, Squid is allowed to temporarily
+# exceed the configured maximum, marking the affected helper as
+# "overloaded". If the helper overload lasts more than 3 minutes, the
+# action prescribed by the on-persistent-overload option applies.
+#
+# on-persistent-overload=action
+#
+# Specifies Squid reaction to a new helper request arriving when the helper
+# has been overloaded for more that 3 minutes already. The number of queued
+# requests determines whether the helper is overloaded (see the queue-size
+# option).
+#
+# Two actions are supported:
+#
+# die Squid worker quits. This is the default behavior.
+#
+# ERR Squid treats the helper request as if it was
+# immediately submitted, and the helper immediately
+# replied with an ERR response. This action has no effect
+# on the already queued and in-progress helper requests.
+#Default:
+# store_id_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: store_id_access
+# If defined, this access list specifies which requests are
+# sent to the StoreID processes. By default all requests
+# are sent.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: store_id_bypass
+# When this is 'on', a request will not go through the
+# helper if all helpers are busy. If this is 'off' and the helper
+# queue grows too large, the action is prescribed by the
+# on-persistent-overload option. You should only enable this if the
+# helpers are not critical to your caching system. If you use
+# helpers for critical caching components, and you enable this
+# option, users may not get objects from cache.
+# This options sets default queue-size option of the store_id_children
+# to 0.
+#Default:
+# store_id_bypass on
+
+# OPTIONS FOR TUNING THE CACHE
+# -----------------------------------------------------------------------------
+
+# TAG: cache
+# Requests denied by this directive will not be served from the cache
+# and their responses will not be stored in the cache. This directive
+# has no effect on other transactions and on already cached responses.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# This and the two other similar caching directives listed below are
+# checked at different transaction processing stages, have different
+# access to response information, affect different cache operations,
+# and differ in slow ACLs support:
+#
+# * cache: Checked before Squid makes a hit/miss determination.
+# No access to reply information!
+# Denies both serving a hit and storing a miss.
+# Supports both fast and slow ACLs.
+# * send_hit: Checked after a hit was detected.
+# Has access to reply (hit) information.
+# Denies serving a hit only.
+# Supports fast ACLs only.
+# * store_miss: Checked before storing a cachable miss.
+# Has access to reply (miss) information.
+# Denies storing a miss only.
+# Supports fast ACLs only.
+#
+# If you are not sure which of the three directives to use, apply the
+# following decision logic:
+#
+# * If your ACL(s) are of slow type _and_ need response info, redesign.
+# Squid does not support that particular combination at this time.
+# Otherwise:
+# * If your directive ACL(s) are of slow type, use "cache"; and/or
+# * if your directive ACL(s) need no response info, use "cache".
+# Otherwise:
+# * If you do not want the response cached, use store_miss; and/or
+# * if you do not want a hit on a cached response, use send_hit.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: send_hit
+# Responses denied by this directive will not be served from the cache
+# (but may still be cached, see store_miss). This directive has no
+# effect on the responses it allows and on the cached objects.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives.
+#
+# Unlike the "cache" directive, send_hit only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# For example:
+#
+# # apply custom Store ID mapping to some URLs
+# acl MapMe dstdomain .c.example.com
+# store_id_program ...
+# store_id_access allow MapMe
+#
+# # but prevent caching of special responses
+# # such as 302 redirects that cause StoreID loops
+# acl Ordinary http_status 200-299
+# store_miss deny MapMe !Ordinary
+#
+# # and do not serve any previously stored special responses
+# # from the cache (in case they were already cached before
+# # the above store_miss rule was in effect).
+# send_hit deny MapMe !Ordinary
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: store_miss
+# Responses denied by this directive will not be cached (but may still
+# be served from the cache, see send_hit). This directive has no
+# effect on the responses it allows and on the already cached responses.
+#
+# Please see the "cache" directive for a summary of differences among
+# store_miss, send_hit, and cache directives. See the
+# send_hit directive for a usage example.
+#
+# Unlike the "cache" directive, store_miss only supports fast acl
+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# By default, this directive is unused and has no effect.
+
+# TAG: max_stale time-units
+# This option puts an upper limit on how stale content Squid
+# will serve from the cache if cache validation fails.
+# Can be overriden by the refresh_pattern max-stale option.
+#Default:
+# max_stale 1 week
+
+# TAG: refresh_pattern
+# usage: refresh_pattern [-i] regex min percent max [options]
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# 'Min' is the time (in minutes) an object without an explicit
+# expiry time should be considered fresh. The recommended
+# value is 0, any higher values may cause dynamic applications
+# to be erroneously cached unless the application designer
+# has taken the appropriate actions.
+#
+# 'Percent' is a percentage of the objects age (time since last
+# modification age) an object without explicit expiry time
+# will be considered fresh.
+#
+# 'Max' is an upper limit on how long objects without an explicit
+# expiry time will be considered fresh. The value is also used
+# to form Cache-Control: max-age header for a request sent from
+# Squid to origin/parent.
+#
+# options: override-expire
+# override-lastmod
+# reload-into-ims
+# ignore-reload
+# ignore-no-store
+# ignore-private
+# max-stale=NN
+# refresh-ims
+# store-stale
+#
+# override-expire enforces min age even if the server
+# sent an explicit expiry time (e.g., with the
+# Expires: header or Cache-Control: max-age). Doing this
+# VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# Note: override-expire does not enforce staleness - it only extends
+# freshness / min. If the server returns a Expires time which
+# is longer than your max time, Squid will still consider
+# the object fresh for that period of time.
+#
+# override-lastmod enforces min age even on objects
+# that were modified recently.
+#
+# reload-into-ims changes a client no-cache or ``reload''
+# request for a cached entry into a conditional request using
+# If-Modified-Since and/or If-None-Match headers, provided the
+# cached entry has a Last-Modified and/or a strong ETag header.
+# Doing this VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# ignore-reload ignores a client no-cache or ``reload''
+# header. Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which
+# it causes.
+#
+# ignore-no-store ignores any ``Cache-control: no-store''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-private ignores any ``Cache-control: private''
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# refresh-ims causes squid to contact the origin server
+# when a client issues an If-Modified-Since request. This
+# ensures that the client will receive an updated version
+# if one is available.
+#
+# store-stale stores responses even if they don't have explicit
+# freshness or a validator (i.e., Last-Modified or an ETag)
+# present, or if they're already stale. By default, Squid will
+# not cache such responses because they usually can't be
+# reused. Note that such responses will be stale by default.
+#
+# max-stale=NN provide a maximum staleness factor. Squid won't
+# serve objects more stale than this even if it failed to
+# validate the object. Default: use the max_stale global limit.
+#
+# Basically a cached object is:
+#
+# FRESH if expire > now, else STALE
+# STALE if age > max
+# FRESH if lm-factor < percent, else STALE
+# FRESH if age < min
+# else STALE
+#
+# The refresh_pattern lines are checked in the order listed here.
+# The first entry which matches is used. If none of the entries
+# match the default will be used.
+#
+# Note, you must uncomment all the default lines if you want
+# to change one. The default setting is only active if none is
+# used.
+#
+#
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+# TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
+# TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
+# TAG: quick_abort_pct (percent)
+# The cache by default continues downloading aborted requests
+# which are almost completed (less than 16 KB remaining). This
+# may be undesirable on slow (e.g. SLIP) links and/or very busy
+# caches. Impatient users may tie up file descriptors and
+# bandwidth by repeatedly requesting and immediately aborting
+# downloads.
+#
+# When the user aborts a request, Squid will check the
+# quick_abort values to the amount of data transferred until
+# then.
+#
+# If the transfer has less than 'quick_abort_min' KB remaining,
+# it will finish the retrieval.
+#
+# If the transfer has more than 'quick_abort_max' KB remaining,
+# it will abort the retrieval.
+#
+# If more than 'quick_abort_pct' of the transfer has completed,
+# it will finish the retrieval.
+#
+# If you do not want any retrieval to continue after the client
+# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+# to '0 KB'.
+#
+# If you want retrievals to always continue if they are being
+# cached set 'quick_abort_min' to '-1 KB'.
+#Default:
+# quick_abort_pct 95
+
+# TAG: read_ahead_gap buffer-size
+# The amount of data the cache will buffer ahead of what has been
+# sent to the client when retrieving an object from another server.
+#Default:
+# read_ahead_gap 16 KB
+
+# TAG: negative_ttl time-units
+# Set the Default Time-to-Live (TTL) for failed requests.
+# Certain types of failures (such as "connection refused" and
+# "404 Not Found") are able to be negatively-cached for a short time.
+# Modern web servers should provide Expires: header, however if they
+# do not this can provide a minimum TTL.
+# The default is not to cache errors with unknown expiry details.
+#
+# Note that this is different from negative caching of DNS lookups.
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#Default:
+# negative_ttl 0 seconds
+
+# TAG: positive_dns_ttl time-units
+# Upper limit on how long Squid will cache positive DNS responses.
+# Default is 6 hours (360 minutes). This directive must be set
+# larger than negative_dns_ttl.
+#Default:
+# positive_dns_ttl 6 hours
+
+# TAG: negative_dns_ttl time-units
+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
+# This also sets the lower cache limit on positive lookups.
+# Minimum value is 1 second, and it is not recommendable to go
+# much below 10 seconds.
+#Default:
+# negative_dns_ttl 1 minutes
+
+# TAG: range_offset_limit size [acl acl...]
+# usage: (size) [units] [[!]aclname]
+#
+# Sets an upper limit on how far (number of bytes) into the file
+# a Range request may be to cause Squid to prefetch the whole file.
+# If beyond this limit, Squid forwards the Range request as it is and
+# the result is NOT cached.
+#
+# This is to stop a far ahead range request (lets say start at 17MB)
+# from making Squid fetch the whole object up to that point before
+# sending anything to the client.
+#
+# Multiple range_offset_limit lines may be specified, and they will
+# be searched from top to bottom on each request until a match is found.
+# The first match found will be used. If no line matches a request, the
+# default limit of 0 bytes will be used.
+#
+# 'size' is the limit specified as a number of units.
+#
+# 'units' specifies whether to use bytes, KB, MB, etc.
+# If no units are specified bytes are assumed.
+#
+# A size of 0 causes Squid to never fetch more than the
+# client requested. (default)
+#
+# A size of 'none' causes Squid to always fetch the object from the
+# beginning so it may cache the result. (2.0 style)
+#
+# 'aclname' is the name of a defined ACL.
+#
+# NP: Using 'none' as the byte value here will override any quick_abort settings
+# that may otherwise apply to the range request. The range request will
+# be fully fetched from start to finish regardless of the client
+# actions. This affects bandwidth usage.
+#Default:
+# none
+
+# TAG: minimum_expiry_time (seconds)
+# The minimum caching time according to (Expires - Date)
+# headers Squid honors if the object can't be revalidated.
+# The default is 60 seconds.
+#
+# In reverse proxy environments it might be desirable to honor
+# shorter object lifetimes. It is most likely better to make
+# your server return a meaningful Last-Modified header however.
+#
+# In ESI environments where page fragments often have short
+# lifetimes, this will often be best set to 0.
+#Default:
+# minimum_expiry_time 60 seconds
+
+# TAG: store_avg_object_size (bytes)
+# Average object size, used to estimate number of objects your
+# cache can hold. The default is 13 KB.
+#
+# This is used to pre-seed the cache index memory allocation to
+# reduce expensive reallocate operations while handling clients
+# traffic. Too-large values may result in memory allocation during
+# peak traffic, too-small values will result in wasted memory.
+#
+# Check the cache manager 'info' report metrics for the real
+# object sizes seen by your Squid before tuning this.
+#Default:
+# store_avg_object_size 13 KB
+
+# TAG: store_objects_per_bucket
+# Target number of objects per bucket in the store hash table.
+# Lowering this value increases the total number of buckets and
+# also the storage maintenance rate. The default is 20.
+#Default:
+# store_objects_per_bucket 20
+
+# HTTP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: request_header_max_size (KB)
+# This directives limits the header size of a received HTTP request
+# (including request-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to received FTP commands.
+#
+# This limit has no direct affect on Squid memory consumption.
+#
+# Squid does not check this limit when sending requests.
+#Default:
+# request_header_max_size 64 KB
+
+# TAG: reply_header_max_size (KB)
+# This directives limits the header size of a received HTTP response
+# (including status-line). Increasing this limit beyond its 64 KB default
+# exposes certain old Squid code to various denial-of-service attacks. This
+# limit also applies to FTP command responses.
+#
+# Squid also checks this limit when loading hit responses from disk cache.
+#
+# Squid does not check this limit when sending responses.
+#Default:
+# reply_header_max_size 64 KB
+
+# TAG: request_body_max_size (bytes)
+# This specifies the maximum size for an HTTP request body.
+# In other words, the maximum size of a PUT/POST request.
+# A user who attempts to send a request with a body larger
+# than this limit receives an "Invalid Request" error message.
+# If you set this parameter to a zero (the default), there will
+# be no limit imposed.
+#
+# See also client_request_buffer_max_size for an alternative
+# limitation on client uploads which can be configured.
+#Default:
+# No limit.
+
+# TAG: client_request_buffer_max_size (bytes)
+# This specifies the maximum buffer size of a client request.
+# It prevents squid eating too much memory when somebody uploads
+# a large file.
+#Default:
+# client_request_buffer_max_size 512 KB
+
+# TAG: broken_posts
+# A list of ACL elements which, if matched, causes Squid to send
+# an extra CRLF pair after the body of a PUT/POST request.
+#
+# Some HTTP servers has broken implementations of PUT/POST,
+# and rely on an extra CRLF pair sent by some WWW clients.
+#
+# Quote from RFC2616 section 4.1 on this matter:
+#
+# Note: certain buggy HTTP/1.0 client implementations generate an
+# extra CRLF's after a POST request. To restate what is explicitly
+# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
+# a request with an extra CRLF.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# acl buggy_server url_regex ^http://....
+# broken_posts allow buggy_server
+#Default:
+# Obey RFC 2616.
+
+# TAG: adaptation_uses_indirect_client on|off
+# Controls whether the indirect client IP address (instead of the direct
+# client IP address) is passed to adaptation services.
+#
+# See also: follow_x_forwarded_for adaptation_send_client_ip
+#Default:
+# adaptation_uses_indirect_client on
+
+# TAG: via on|off
+# If set (default), Squid will include a Via header in requests and
+# replies as required by RFC2616.
+#Default:
+# via on
+
+# TAG: vary_ignore_expire on|off
+# Many HTTP servers supporting Vary gives such objects
+# immediate expiry time with no cache-control header
+# when requested by a HTTP/1.0 client. This option
+# enables Squid to ignore such expiry times until
+# HTTP/1.1 is fully implemented.
+#
+# WARNING: If turned on this may eventually cause some
+# varying objects not intended for caching to get cached.
+#Default:
+# vary_ignore_expire off
+
+# TAG: request_entities
+# Squid defaults to deny GET and HEAD requests with request entities,
+# as the meaning of such requests are undefined in the HTTP standard
+# even if not explicitly forbidden.
+#
+# Set this directive to on if you have clients which insists
+# on sending request entities in GET or HEAD requests. But be warned
+# that there is server software (both proxies and web servers) which
+# can fail to properly process this kind of request which may make you
+# vulnerable to cache pollution attacks if enabled.
+#Default:
+# request_entities off
+
+# TAG: request_header_access
+# Usage: request_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option replaces the old 'anonymize_headers' and the
+# older 'http_anonymizer' option with something that is much
+# more configurable. A list of ACLs for each header name allows
+# removal of specific header fields under specific conditions.
+#
+# This option only applies to outgoing HTTP request headers (i.e.,
+# headers sent by Squid to the next HTTP hop such as a cache peer
+# or an origin server). The option has no effect during cache hit
+# detection. The equivalent adaptation vectoring point in ICAP
+# terminology is post-cache REQMOD.
+#
+# The option is applied to individual outgoing request header
+# fields. For each request header field F, Squid uses the first
+# qualifying sets of request_header_access rules:
+#
+# 1. Rules with header_name equal to F's name.
+# 2. Rules with header_name 'Other', provided F's name is not
+# on the hard-coded list of commonly used HTTP header names.
+# 3. Rules with header_name 'All'.
+#
+# Within that qualifying rule set, rule ACLs are checked as usual.
+# If ACLs of an "allow" rule match, the header field is allowed to
+# go through as is. If ACLs of a "deny" rule match, the header is
+# removed and request_header_replace is then checked to identify
+# if the removed header has a replacement. If no rules within the
+# set have matching ACLs, the header field is left as is.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# request_header_access From deny all
+# request_header_access Referer deny all
+# request_header_access User-Agent deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# request_header_access Authorization allow all
+# request_header_access Proxy-Authorization allow all
+# request_header_access Cache-Control allow all
+# request_header_access Content-Length allow all
+# request_header_access Content-Type allow all
+# request_header_access Date allow all
+# request_header_access Host allow all
+# request_header_access If-Modified-Since allow all
+# request_header_access Pragma allow all
+# request_header_access Accept allow all
+# request_header_access Accept-Charset allow all
+# request_header_access Accept-Encoding allow all
+# request_header_access Accept-Language allow all
+# request_header_access Connection allow all
+# request_header_access All deny all
+#
+# HTTP reply headers are controlled with the reply_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is performed).
+#Default:
+# No limits.
+
+# TAG: reply_header_access
+# Usage: reply_header_access header_name allow|deny [!]aclname ...
+#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
+#
+# This option only applies to reply headers, i.e., from the
+# server to the client.
+#
+# This is the same as request_header_access, but in the other
+# direction. Please see request_header_access for detailed
+# documentation.
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# reply_header_access Server deny all
+# reply_header_access WWW-Authenticate deny all
+# reply_header_access Link deny all
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# reply_header_access Allow allow all
+# reply_header_access WWW-Authenticate allow all
+# reply_header_access Proxy-Authenticate allow all
+# reply_header_access Cache-Control allow all
+# reply_header_access Content-Encoding allow all
+# reply_header_access Content-Length allow all
+# reply_header_access Content-Type allow all
+# reply_header_access Date allow all
+# reply_header_access Expires allow all
+# reply_header_access Last-Modified allow all
+# reply_header_access Location allow all
+# reply_header_access Pragma allow all
+# reply_header_access Content-Language allow all
+# reply_header_access Retry-After allow all
+# reply_header_access Title allow all
+# reply_header_access Content-Disposition allow all
+# reply_header_access Connection allow all
+# reply_header_access All deny all
+#
+# HTTP request headers are controlled with the request_header_access directive.
+#
+# By default, all headers are allowed (no anonymizing is
+# performed).
+#Default:
+# No limits.
+
+# TAG: request_header_replace
+# Usage: request_header_replace header_name message
+# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+#
+# This option allows you to change the contents of headers
+# denied with request_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to request headers, not reply headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: reply_header_replace
+# Usage: reply_header_replace header_name message
+# Example: reply_header_replace Server Foo/1.0
+#
+# This option allows you to change the contents of headers
+# denied with reply_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to reply headers, not request headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
+# TAG: request_header_add
+# Usage: request_header_add field-name field-value [ acl ... ]
+# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP requests (i.e.,
+# request headers sent by Squid to the next HTTP hop such as a
+# cache peer or an origin server). The option has no effect during
+# cache hit detection. The equivalent adaptation vectoring point
+# in ICAP terminology is post-cache REQMOD.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the request to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching requests. As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The request_header_add supports fast ACLs only.
+#
+# See also: reply_header_add.
+#Default:
+# none
+
+# TAG: reply_header_add
+# Usage: reply_header_add field-name field-value [ acl ... ]
+# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP responses (i.e., response
+# headers delivered by Squid to the client). This option has no effect on
+# cache hit detection. The equivalent adaptation vectoring point in
+# ICAP terminology is post-cache RESPMOD. This option does not apply to
+# successful CONNECT replies.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the response to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching responses. As always in squid.conf, all
+# ACLs in the ACL list must be satisfied for the insertion to
+# happen. The reply_header_add option supports fast ACLs only.
+#
+# See also: request_header_add.
+#Default:
+# none
+
+# TAG: note
+# This option used to log custom information about the master
+# transaction. For example, an admin may configure Squid to log
+# which "user group" the transaction belongs to, where "user group"
+# will be determined based on a set of ACLs and not [just]
+# authentication information.
+# Values of key/value pairs can be logged using %{key}note macros:
+#
+# note key value acl ...
+# logformat myFormat ... %{key}note ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: relaxed_header_parser on|off|warn
+# In the default "on" setting Squid accepts certain forms
+# of non-compliant HTTP messages where it is unambiguous
+# what the sending application intended even if the message
+# is not correctly formatted. The messages is then normalized
+# to the correct form when forwarded by Squid.
+#
+# If set to "warn" then a warning will be emitted in cache.log
+# each time such HTTP error is encountered.
+#
+# If set to "off" then such HTTP errors will cause the request
+# or response to be rejected.
+#Default:
+# relaxed_header_parser on
+
+# TAG: collapsed_forwarding (on|off)
+# This option controls whether Squid is allowed to merge multiple
+# potentially cachable requests for the same URI before Squid knows
+# whether the response is going to be cachable.
+#
+# When enabled, instead of forwarding each concurrent request for
+# the same URL, Squid just sends the first of them. The other, so
+# called "collapsed" requests, wait for the response to the first
+# request and, if it happens to be cachable, use that response.
+# Here, "concurrent requests" means "received after the first
+# request headers were parsed and before the corresponding response
+# headers were parsed".
+#
+# This feature is disabled by default: enabling collapsed
+# forwarding needlessly delays forwarding requests that look
+# cachable (when they are collapsed) but then need to be forwarded
+# individually anyway because they end up being for uncachable
+# content. However, in some cases, such as acceleration of highly
+# cachable content with periodic or grouped expiration times, the
+# gains from collapsing [large volumes of simultaneous refresh
+# requests] outweigh losses from such delays.
+#
+# Squid collapses two kinds of requests: regular client requests
+# received on one of the listening ports and internal "cache
+# revalidation" requests which are triggered by those regular
+# requests hitting a stale cached object. Revalidation collapsing
+# is currently disabled for Squid instances containing SMP-aware
+# disk or memory caches and for Vary-controlled cached objects.
+#Default:
+# collapsed_forwarding off
+
+# TAG: collapsed_forwarding_access
+# Use this directive to restrict collapsed forwarding to a subset of
+# eligible requests. The directive is checked for regular HTTP
+# requests, internal revalidation requests, and HTCP/ICP requests.
+#
+# collapsed_forwarding_access allow|deny [!]aclname ...
+#
+# This directive cannot force collapsing. It has no effect on
+# collapsing unless collapsed_forwarding is 'on', and all other
+# collapsing preconditions are satisfied.
+#
+# * A denied request will not collapse, and future transactions will
+# not collapse on it (even if they are allowed to collapse).
+#
+# * An allowed request may collapse, or future transactions may
+# collapse on it (provided they are allowed to collapse).
+#
+# This directive is evaluated before receiving HTTP response headers
+# and without access to Squid-to-peer connection (if any).
+#
+# Only fast ACLs are supported.
+#
+# See also: collapsed_forwarding.
+#Default:
+# Requests may be collapsed if collapsed_forwarding is on.
+
+# TAG: shared_transient_entries_limit (number of entries)
+# This directive limits the size of a table used for sharing current
+# transaction information among SMP workers. A table entry stores meta
+# information about a single cache entry being delivered to Squid
+# client(s) by one or more SMP workers. A single table entry consumes
+# less than 128 shared memory bytes.
+#
+# The limit should be significantly larger than the number of
+# concurrent non-collapsed cachable responses leaving Squid. For a
+# cache that handles less than 5000 concurrent requests, the default
+# setting of 16384 should be plenty.
+#
+# Using excessively large values wastes shared memory. Limiting the
+# table size too much results in hash collisions, leading to lower hit
+# ratio and missed SMP request collapsing opportunities: Transactions
+# left without a table entry cannot cache their responses and are
+# invisible to other concurrent requests for the same resource.
+#
+# A zero limit is allowed but unsupported. A positive small limit
+# lowers hit ratio, but zero limit disables a lot of essential
+# synchronization among SMP workers, leading to HTTP violations (e.g.,
+# stale hit responses). It also disables shared collapsed forwarding:
+# A worker becomes unable to collapse its requests on transactions in
+# other workers, resulting in more trips to the origin server and more
+# cache thrashing.
+#Default:
+# shared_transient_entries_limit 16384
+
+# TIMEOUTS
+# -----------------------------------------------------------------------------
+
+# TAG: forward_timeout time-units
+# This parameter specifies how long Squid should at most attempt in
+# finding a forwarding path for the request before giving up.
+#Default:
+# forward_timeout 4 minutes
+
+# TAG: connect_timeout time-units
+# This parameter specifies how long to wait for the TCP connect to
+# the requested server or peer to complete before Squid should
+# attempt to find another path where to forward the request.
+#Default:
+# connect_timeout 1 minute
+
+# TAG: peer_connect_timeout time-units
+# This parameter specifies how long to wait for a pending TCP
+# connection to a peer cache. The default is 30 seconds. You
+# may also set different timeout values for individual neighbors
+# with the 'connect-timeout' option on a 'cache_peer' line.
+#Default:
+# peer_connect_timeout 30 seconds
+
+# TAG: read_timeout time-units
+# Applied on peer server connections.
+#
+# After each successful read(), the timeout will be extended by this
+# amount. If no data is read again after this amount of time,
+# the request is aborted and logged with ERR_READ_TIMEOUT.
+#
+# The default is 15 minutes.
+#Default:
+# read_timeout 15 minutes
+
+# TAG: write_timeout time-units
+# This timeout is tracked for all connections that have data
+# available for writing and are waiting for the socket to become
+# ready. After each successful write, the timeout is extended by
+# the configured amount. If Squid has data to write but the
+# connection is not ready for the configured duration, the
+# transaction associated with the connection is terminated. The
+# default is 15 minutes.
+#Default:
+# write_timeout 15 minutes
+
+# TAG: request_timeout
+# How long to wait for complete HTTP request headers after initial
+# connection establishment.
+#Default:
+# request_timeout 5 minutes
+
+# TAG: request_start_timeout
+# How long to wait for the first request byte after initial
+# connection establishment.
+#Default:
+# request_start_timeout 5 minutes
+
+# TAG: client_idle_pconn_timeout
+# How long to wait for the next HTTP request on a persistent
+# client connection after the previous request completes.
+#Default:
+# client_idle_pconn_timeout 2 minutes
+
+# TAG: ftp_client_idle_timeout
+# How long to wait for an FTP request on a connection to Squid ftp_port.
+# Many FTP clients do not deal with idle connection closures well,
+# necessitating a longer default timeout than client_idle_pconn_timeout
+# used for incoming HTTP requests.
+#Default:
+# ftp_client_idle_timeout 30 minutes
+
+# TAG: client_lifetime time-units
+# The maximum amount of time a client (browser) is allowed to
+# remain connected to the cache process. This protects the Cache
+# from having a lot of sockets (and hence file descriptors) tied up
+# in a CLOSE_WAIT state from remote clients that go away without
+# properly shutting down (either because of a network failure or
+# because of a poor client implementation). The default is one
+# day, 1440 minutes.
+#
+# NOTE: The default value is intended to be much larger than any
+# client would ever need to be connected to your cache. You
+# should probably change client_lifetime only as a last resort.
+# If you seem to have many client connections tying up
+# filedescriptors, we recommend first tuning the read_timeout,
+# request_timeout, persistent_request_timeout and quick_abort values.
+#Default:
+# client_lifetime 1 day
+
+# TAG: pconn_lifetime time-units
+# Desired maximum lifetime of a persistent connection.
+# When set, Squid will close a now-idle persistent connection that
+# exceeded configured lifetime instead of moving the connection into
+# the idle connection pool (or equivalent). No effect on ongoing/active
+# transactions. Connection lifetime is the time period from the
+# connection acceptance or opening time until "now".
+#
+# This limit is useful in environments with long-lived connections
+# where Squid configuration or environmental factors change during a
+# single connection lifetime. If unrestricted, some connections may
+# last for hours and even days, ignoring those changes that should
+# have affected their behavior or their existence.
+#
+# Currently, a new lifetime value supplied via Squid reconfiguration
+# has no effect on already idle connections unless they become busy.
+#
+# When set to '0' this limit is not used.
+#Default:
+# pconn_lifetime 0 seconds
+
+# TAG: half_closed_clients
+# Some clients may shutdown the sending side of their TCP
+# connections, while leaving their receiving sides open. Sometimes,
+# Squid can not tell the difference between a half-closed and a
+# fully-closed TCP connection.
+#
+# By default, Squid will immediately close client connections when
+# read(2) returns "no more data to read."
+#
+# Change this option to 'on' and Squid will keep open connections
+# until a read(2) or write(2) on the socket returns an error.
+# This may show some benefits for reverse proxies. But if not
+# it is recommended to leave OFF.
+#Default:
+# half_closed_clients off
+
+# TAG: server_idle_pconn_timeout
+# Timeout for idle persistent connections to servers and other
+# proxies.
+#Default:
+# server_idle_pconn_timeout 1 minute
+
+# TAG: ident_timeout
+# Maximum time to wait for IDENT lookups to complete.
+#
+# If this is too high, and you enabled IDENT lookups from untrusted
+# users, you might be susceptible to denial-of-service by having
+# many ident requests going at once.
+#Default:
+# ident_timeout 10 seconds
+
+# TAG: shutdown_lifetime time-units
+# When SIGTERM or SIGHUP is received, the cache is put into
+# "shutdown pending" mode until all active sockets are closed.
+# This value is the lifetime to set for all open descriptors
+# during shutdown mode. Any active clients after this many
+# seconds will receive a 'timeout' message.
+#Default:
+# shutdown_lifetime 30 seconds
+
+# ADMINISTRATIVE PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mgr
+# Email-address of local cache manager who will receive
+# mail if the cache dies. The default is "webmaster".
+#Default:
+# cache_mgr webmaster
+
+# TAG: mail_from
+# From: email-address for mail sent when the cache dies.
+# The default is to use 'squid@unique_hostname'.
+#
+# See also: unique_hostname directive.
+#Default:
+# none
+
+# TAG: mail_program
+# Email program used to send mail if the cache dies.
+# The default is "mail". The specified program must comply
+# with the standard Unix mail syntax:
+# mail-program recipient < mailfile
+#
+# Optional command line options can be specified.
+#Default:
+# mail_program mail
+
+# TAG: cache_effective_user
+# If you start Squid as root, it will change its effective/real
+# UID/GID to the user specified below. The default is to change
+# to UID of proxy.
+# see also; cache_effective_group
+#Default:
+# cache_effective_user proxy
+
+# TAG: cache_effective_group
+# Squid sets the GID to the effective user's default group ID
+# (taken from the password file) and supplementary group list
+# from the groups membership.
+#
+# If you want Squid to run with a specific GID regardless of
+# the group memberships of the effective user then set this
+# to the group (or GID) you want Squid to run as. When set
+# all other group privileges of the effective user are ignored
+# and only this GID is effective. If Squid is not started as
+# root the user starting Squid MUST be member of the specified
+# group.
+#
+# This option is not recommended by the Squid Team.
+# Our preference is for administrators to configure a secure
+# user account for squid with UID/GID matching system policies.
+#Default:
+# Use system group memberships of the cache_effective_user account
+
+# TAG: httpd_suppress_version_string on|off
+# Suppress Squid version string info in HTTP headers and HTML error pages.
+#Default:
+# httpd_suppress_version_string off
+
+# TAG: visible_hostname
+# If you want to present a special hostname in error messages, etc,
+# define this. Otherwise, the return value of gethostname()
+# will be used. If you have multiple caches in a cluster and
+# get errors about IP-forwarding you must set them to have individual
+# names with this setting.
+#Default:
+# Automatically detect the system host name
+
+# TAG: unique_hostname
+# If you want to have multiple machines with the same
+# 'visible_hostname' you must give each machine a different
+# 'unique_hostname' so forwarding loops can be detected.
+#Default:
+# Copy the value from visible_hostname
+
+# TAG: hostname_aliases
+# A list of other DNS names your cache has.
+#Default:
+# none
+
+# TAG: umask
+# Minimum umask which should be enforced while the proxy
+# is running, in addition to the umask set at startup.
+#
+# For a traditional octal representation of umasks, start
+# your value with 0.
+#Default:
+# umask 027
+
+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
+# -----------------------------------------------------------------------------
+#
+# This section contains parameters for the (optional) cache
+# announcement service. This service is provided to help
+# cache administrators locate one another in order to join or
+# create cache hierarchies.
+#
+# An 'announcement' message is sent (via UDP) to the registration
+# service by Squid. By default, the announcement message is NOT
+# SENT unless you enable it with 'announce_period' below.
+#
+# The announcement message includes your hostname, plus the
+# following information from this configuration file:
+#
+# http_port
+# icp_port
+# cache_mgr
+#
+# All current information is processed regularly and made
+# available on the Web at http://www.ircache.net/Cache/Tracker/.
+
+# TAG: announce_period
+# This is how frequently to send cache announcements.
+#
+# To enable announcing your cache, just set an announce period.
+#
+# Example:
+# announce_period 1 day
+#Default:
+# Announcement messages disabled.
+
+# TAG: announce_host
+# Set the hostname where announce registration messages will be sent.
+# +# See also announce_port and announce_file +#Default: +# announce_host tracker.ircache.net + +# TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. +#Default: +# none + +# TAG: announce_port +# Set the port where announce registration messages will be sent. +# +# See also announce_host and announce_file +#Default: +# announce_port 3131 + +# HTTPD-ACCELERATOR OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: httpd_accel_surrogate_id +# Surrogates (http://www.esi.org/architecture_spec_1.0.html) +# need an identification token to allow control targeting. Because +# a farm of surrogates may all perform the same tasks, they may share +# an identification token. +# +# When the surrogate is a reverse-proxy, this ID is also +# used as cdn-id for CDN-Loop detection (RFC 8586). +#Default: +# visible_hostname is used if no specific ID is set. + +# TAG: http_accel_surrogate_remote on|off +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# +# Set this to on to have squid behave as a remote surrogate. +#Default: +# http_accel_surrogate_remote off + +# TAG: esi_parser libxml2|expat +# Selects the XML parsing library to use when interpreting responses with +# Edge Side Includes. +# +# To disable ESI handling completely, ./configure Squid with --disable-esi. +#Default: +# Selects libxml2 if available at ./configure time or libexpat otherwise. + +# DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: delay_pools +# This represents the number of delay pools to be used. For example, +# if you have one class 2 delay pool and one class 3 delays pool, you +# have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. 
+#Default: +# delay_pools 0 + +# TAG: delay_class +# This defines the class of each delay pool. There must be exactly one +# delay_class line for each delay pool. For example, to define two +# delay pools, one of class 2 and one of class 3, the settings above +# and here would be: +# +# Example: +# delay_pools 4 # 4 delay pools +# delay_class 1 2 # pool 1 is a class 2 pool +# delay_class 2 3 # pool 2 is a class 3 pool +# delay_class 3 4 # pool 3 is a class 4 pool +# delay_class 4 5 # pool 4 is a class 5 pool +# +# The delay pool classes are: +# +# class 1 Everything is limited by a single aggregate +# bucket. +# +# class 2 Everything is limited by a single aggregate +# bucket as well as an "individual" bucket chosen +# from bits 25 through 32 of the IPv4 address. +# +# class 3 Everything is limited by a single aggregate +# bucket as well as a "network" bucket chosen +# from bits 17 through 24 of the IP address and a +# "individual" bucket chosen from bits 17 through +# 32 of the IPv4 address. +# +# class 4 Everything in a class 3 delay pool, with an +# additional limit on a per user basis. This +# only takes effect if the username is established +# in advance - by forcing authentication in your +# http_access rules. +# +# class 5 Requests are grouped according their tag (see +# external_acl's tag= reply). +# +# +# Each pool also requires a delay_parameters directive to configure the pool size +# and speed limits used whenever the pool is applied to a request. Along with +# a set of delay_access directives to determine when it is used. +# +# NOTE: If an IP address is a.b.c.d +# -> bits 25 through 32 are "d" +# -> bits 17 through 24 are "c" +# -> bits 17 through 32 are "c * 256 + d" +# +# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to +# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+# +# See also delay_parameters and delay_access. +#Default: +# none + +# TAG: delay_access +# This is used to determine which delay pool a request falls into. +# +# delay_access is sorted per pool and the matching starts with pool 1, +# then pool 2, ..., and finally pool N. The first delay pool where the +# request is allowed is selected for the request. If it does not allow +# the request to any pool then the request is not delayed (default). +# +# For example, if you want some_big_clients in delay +# pool 1 and lotsa_little_clients in delay pool 2: +# +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# +#Default: +# Deny using the pool, unless allow rules exist in squid.conf for the pool. + +# TAG: delay_parameters +# This defines the parameters for a delay pool. Each delay pool has +# a number of "buckets" associated with it, as explained in the +# description of delay_class. +# +# For a class 1 delay pool, the syntax is: +# delay_class pool 1 +# delay_parameters pool aggregate +# +# For a class 2 delay pool: +# delay_class pool 2 +# delay_parameters pool aggregate individual +# +# For a class 3 delay pool: +# delay_class pool 3 +# delay_parameters pool aggregate network individual +# +# For a class 4 delay pool: +# delay_class pool 4 +# delay_parameters pool aggregate network individual user +# +# For a class 5 delay pool: +# delay_class pool 5 +# delay_parameters pool tagrate +# +# The option variables are: +# +# pool a pool number - ie, a number between 1 and the +# number specified in delay_pools as used in +# delay_class lines. +# +# aggregate the speed limit parameters for the aggregate bucket +# (class 1, 2, 3). +# +# individual the speed limit parameters for the individual +# buckets (class 2, 3). 
+# +# network the speed limit parameters for the network buckets +# (class 3). +# +# user the speed limit parameters for the user buckets +# (class 4). +# +# tagrate the speed limit parameters for the tag buckets +# (class 5). +# +# A pair of delay parameters is written restore/maximum, where restore is +# the number of bytes (not bits - modem and network speeds are usually +# quoted in bits) per second placed into the bucket, and maximum is the +# maximum number of bytes which can be in the bucket at any time. +# +# There must be one delay_parameters line for each delay pool. +# +# +# For example, if delay pool number 1 is a class 2 delay pool as in the +# above example, and is being used to strictly limit each host to 64Kbit/sec +# (plus overheads), with no overall limit, the line is: +# +# delay_parameters 1 none 8000/8000 +# +# Note that 8 x 8K Byte/sec -> 64K bit/sec. +# +# Note that the word 'none' is used to represent no limit. +# +# +# And, if delay pool number 2 is a class 3 delay pool as in the above +# example, and you want to limit it to a total of 256Kbit/sec (strict limit) +# with each 8-bit network permitted 64Kbit/sec (strict limit) and each +# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits +# to permit a decent web page to be downloaded at a decent speed +# (if the network is not being limited due to overuse) but slow down +# large downloads more significantly: +# +# delay_parameters 2 32000/32000 8000/8000 600/8000 +# +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. +# +# +# Finally, for a class 4 delay pool as in the example - each user will +# be limited to 128Kbits/sec no matter how many workstations they are logged into.: +# +# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. 
+# +#Default: +# none + +# TAG: delay_initial_bucket_level (percent, 0-100) +# The initial bucket percentage is used to determine how much is put +# in each bucket when squid starts, is reconfigured, or first notices +# a host accessing it (in class 2 and class 3, individual hosts and +# networks only have buckets associated with them once they have been +# "seen" by squid). +#Default: +# delay_initial_bucket_level 50 + +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. 
+# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + +# TAG: response_delay_pool +# This option configures client response bandwidth limits using the +# following format: +# +# response_delay_pool name [option=value] ... +# +# name the response delay pool name +# +# available options: +# +# individual-restore The speed limit of an individual +# bucket(bytes/s). To be used in conjunction +# with 'individual-maximum'. +# +# individual-maximum The maximum number of bytes which can +# be placed into the individual bucket. To be used +# in conjunction with 'individual-restore'. +# +# aggregate-restore The speed limit for the aggregate +# bucket(bytes/s). 
To be used in conjunction with +# 'aggregate-maximum'. +# +# aggregate-maximum The maximum number of bytes which can +# be placed into the aggregate bucket. To be used +# in conjunction with 'aggregate-restore'. +# +# initial-bucket-level The initial bucket size as a percentage +# of individual-maximum. +# +# Individual and(or) aggregate bucket options may not be specified, +# meaning no individual and(or) aggregate speed limitation. +# See also response_delay_pool_access and delay_parameters for +# terminology details. +#Default: +# none + +# TAG: response_delay_pool_access +# Determines whether a specific named response delay pool is used +# for the transaction. The syntax for this directive is: +# +# response_delay_pool_access pool_name allow|deny acl_name +# +# All response_delay_pool_access options are checked in the order +# they appear in this configuration file. The first rule with a +# matching ACL wins. If (and only if) an "allow" rule won, Squid +# assigns the response to the corresponding named delay pool. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + +# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: wccp_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCP disabled. + +# TAG: wccp2_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# WCCPv2 disabled. 
+ +# TAG: wccp_version +# This directive is only relevant if you need to set up WCCP(v1) +# to some very old and end-of-life Cisco routers. In all other +# setups it must be left unset or at the default setting. +# It defines an internal version in the WCCP(v1) protocol, +# with version 4 being the officially documented protocol. +# +# According to some users, Cisco IOS 11.2 and earlier only +# support WCCP version 3. If you're using that or an earlier +# version of IOS, you may need to change this value to 3, otherwise +# do not specify this parameter. +#Default: +# wccp_version 4 + +# TAG: wccp2_rebuild_wait +# If this is enabled Squid will wait for the cache dir rebuild to finish +# before sending the first wccp2 HereIAm packet +#Default: +# wccp2_rebuild_wait on + +# TAG: wccp2_forwarding_method +# WCCP2 allows the setting of forwarding methods between the +# router/switch and the cache. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment method. +#Default: +# wccp2_forwarding_method gre + +# TAG: wccp2_return_method +# WCCP2 allows the setting of return methods between the +# router/switch and the cache for packets that the cache +# decides not to handle. Valid values are as follows: +# +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# +# Currently (as of IOS 12.4) cisco routers only support GRE. +# Cisco switches only support the L2 redirect assignment. +# +# If the "ip wccp redirect exclude in" command has been +# enabled on the cache interface, then it is still safe for +# the proxy server to use a l2 redirect method even if this +# option is set to GRE. 
+#Default: +# wccp2_return_method gre + +# TAG: wccp2_assignment_method +# WCCP2 allows the setting of methods to assign the WCCP hash +# Valid values are as follows: +# +# hash - Hash assignment +# mask - Mask assignment +# +# As a general rule, cisco routers support the hash assignment method +# and cisco switches support the mask assignment method. +#Default: +# wccp2_assignment_method hash + +# TAG: wccp2_service +# WCCP2 allows for multiple traffic services. There are two +# types: "standard" and "dynamic". The standard type defines +# one service id - http (id 0). The dynamic service ids can be from +# 51 to 255 inclusive. In order to use a dynamic service id +# one must define the type of traffic to be redirected; this is done +# using the wccp2_service_info option. +# +# The "standard" type does not require a wccp2_service_info option, +# just specifying the service id will suffice. +# +# MD5 service authentication can be enabled by adding +# "password=" to the end of this service declaration. +# +# Examples: +# +# wccp2_service standard 0 # for the 'web-cache' standard service +# wccp2_service dynamic 80 # a dynamic service type which will be +# # fleshed out with subsequent options. +# wccp2_service standard 0 password=foo +#Default: +# Use the 'web-cache' standard service. + +# TAG: wccp2_service_info +# Dynamic WCCPv2 services require further information to define the +# traffic you wish to have diverted. +# +# The format is: +# +# wccp2_service_info protocol= flags=,.. +# priority= ports=,.. +# +# The relevant WCCPv2 flags: +# + src_ip_hash, dst_ip_hash +# + source_port_hash, dst_port_hash +# + src_ip_alt_hash, dst_ip_alt_hash +# + src_port_alt_hash, dst_port_alt_hash +# + ports_source +# +# The port list can be one to eight entries. +# +# Example: +# +# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source +# priority=240 ports=80 +# +# Note: the service id must have been defined by a previous +# 'wccp2_service dynamic ' entry. 
+#Default: +# none + +# TAG: wccp2_weight +# Each cache server gets assigned a set of the destination +# hash proportional to their weight. +#Default: +# wccp2_weight 10000 + +# TAG: wccp_address +# Use this option if you require WCCP(v1) to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# TAG: wccp2_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. +#Default: +# Address selected by the operating system. + +# PERSISTENT CONNECTION HANDLING +# ----------------------------------------------------------------------------- +# +# Also see "pconn_timeout" in the TIMEOUTS section + +# TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. +#Default: +# client_persistent_connections on + +# TAG: server_persistent_connections +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. +#Default: +# server_persistent_connections on + +# TAG: persistent_connection_after_error +# With this directive the use of persistent connections after +# HTTP errors can be disabled. Useful if you have clients +# who fail to handle errors on persistent connections proper. +#Default: +# persistent_connection_after_error on + +# TAG: detect_broken_pconn +# Some servers have been found to incorrectly signal the use +# of HTTP/1.0 persistent connections even on replies not +# compatible, causing significant delays. This server problem +# has mostly been seen on redirects. 
+# +# By enabling this directive Squid attempts to detect such +# broken replies and automatically assume the reply is finished +# after 10 seconds timeout. +#Default: +# detect_broken_pconn off + +# CACHE DIGEST OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: digest_generation +# This controls whether the server will generate a Cache Digest +# of its contents. By default, Cache Digest generation is +# enabled if Squid is compiled with --enable-cache-digests defined. +#Default: +# digest_generation on + +# TAG: digest_bits_per_entry +# This is the number of bits of the server's Cache Digest which +# will be associated with the Digest entry for a given HTTP +# Method and URL (public key) combination. The default is 5. +#Default: +# digest_bits_per_entry 5 + +# TAG: digest_rebuild_period (seconds) +# This is the wait time between Cache Digest rebuilds. +#Default: +# digest_rebuild_period 1 hour + +# TAG: digest_rewrite_period (seconds) +# This is the wait time between Cache Digest writes to +# disk. +#Default: +# digest_rewrite_period 1 hour + +# TAG: digest_swapout_chunk_size (bytes) +# This is the number of bytes of the Cache Digest to write to +# disk at a time. It defaults to 4096 bytes (4KB), the Squid +# default swap page. +#Default: +# digest_swapout_chunk_size 4096 bytes + +# TAG: digest_rebuild_chunk_percentage (percent, 0-100) +# This is the percentage of the Cache Digest to be scanned at a +# time. By default it is set to 10% of the Cache Digest. +#Default: +# digest_rebuild_chunk_percentage 10 + +# SNMP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: snmp_port +# The port number where Squid listens for SNMP requests. To enable +# SNMP support set this to a suitable port number. Port number +# 3401 is often used for the Squid SNMP agent. By default it's +# set to "0" (disabled) +# +# Example: +# snmp_port 3401 +#Default: +# SNMP disabled. 
+ +# TAG: snmp_access +# Allowing or denying access to the SNMP port. +# +# All access to the agent is denied by default. +# usage: +# +# snmp_access allow|deny [!]aclname ... +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# snmp_access allow snmppublic localhost +# snmp_access deny all +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: snmp_incoming_address +# Just like 'udp_incoming_address', but for the SNMP port. +# +# snmp_incoming_address is used for the SNMP socket receiving +# messages from SNMP agents. +# +# The default snmp_incoming_address is to listen on all +# available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. +# +# If snmp_outgoing_address is not set it will use the same socket +# as snmp_incoming_address. Only change this if you want to have +# SNMP replies sent using another address than where this Squid +# listens for SNMP queries. +# +# NOTE, snmp_incoming_address and snmp_outgoing_address can not have +# the same value since they both use the same port. +#Default: +# Use snmp_incoming_address or an address selected by the operating system. + +# ICP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: icp_port +# The port number where Squid sends and receives ICP queries to +# and from neighbor caches. The standard UDP port for ICP is 3130. +# +# Example: +# icp_port 3130 +#Default: +# ICP disabled. + +# TAG: htcp_port +# The port number where Squid sends and receives HTCP queries to +# and from neighbor caches. To turn it on you want to set it to +# 4827. +# +# Example: +# htcp_port 4827 +#Default: +# HTCP disabled. + +# TAG: log_icp_queries on|off +# If set, ICP queries are logged to access.log. 
You may wish +# do disable this if your ICP load is VERY high to speed things +# up or to simplify log analysis. +#Default: +# log_icp_queries on + +# TAG: udp_incoming_address +# udp_incoming_address is used for UDP packets received from other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Only change this if you want to have all UDP queries received on +# a specific interface/address. +# +# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_outgoing_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Accept packets from all machine interfaces. + +# TAG: udp_outgoing_address +# udp_outgoing_address is used for UDP packets sent out to other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# Instead it will use the same socket as udp_incoming_address. +# Only change this if you want to have UDP queries sent using another +# address than where this Squid listens for UDP queries from other +# caches. +# +# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS +# modules. Altering it will affect all of them in the same manner. +# +# see also; udp_incoming_address +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use the same port. +#Default: +# Use udp_incoming_address or an address selected by the operating system. + +# TAG: icp_hit_stale on|off +# If you want to return ICP_HIT for stale cache objects, set this +# option to 'on'. If you have sibling relationships with caches +# in other administrative domains, this should be 'off'. If you only +# have sibling relationships with caches under your control, +# it is probably okay to set this to 'on'. 
+# If set to 'on', your siblings should use the option "allow-miss" +# on their cache_peer lines for connecting to you. +#Default: +# icp_hit_stale off + +# TAG: minimum_direct_hops +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many hops away. +#Default: +# minimum_direct_hops 4 + +# TAG: minimum_direct_rtt (msec) +# If using the ICMP pinging stuff, do direct fetches for sites +# which are no more than this many rtt milliseconds away. +#Default: +# minimum_direct_rtt 400 + +# TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_low 900 + +# TAG: netdb_high +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. +#Default: +# netdb_high 1000 + +# TAG: netdb_ping_period +# The minimum period for measuring a site. There will be at +# least this much delay between successive pings to the same +# network. The default is five minutes. +#Default: +# netdb_ping_period 5 minutes + +# TAG: query_icmp on|off +# If you want to ask your peers to include ICMP data in their ICP +# replies, enable this option. +# +# If your peer has configured Squid (during compilation) with +# '--enable-icmp' that peer will send ICMP pings to origin server +# sites of the URLs it receives. If you enable this option the +# ICP replies from that peer will include the ICMP data (if available). 
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# maximum_icp_query_timeout 2000
+
+# TAG: minimum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very small timeouts, even lower than
+# the normal latency variance on your link due to traffic.
+# Use this option to put an lower limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# minimum_icp_query_timeout 5
+
+# TAG: background_ping_rate time-units
+# Controls how often the ICP pings are sent to siblings that
+# have background-ping set.
+#Default:
+# background_ping_rate 10 seconds
+
+# MULTICAST ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: mcast_groups
+# This tag specifies a list of multicast groups which your server
+# should join to receive multicasted ICP queries.
+#
+# NOTE! Be very careful what you put here! Be sure you
+# understand the difference between an ICP _query_ and an ICP
+# _reply_. This option is to be set only if you want to RECEIVE
+# multicast queries. Do NOT set this option to SEND multicast
+# ICP (use cache_peer for that). ICP replies are always sent via
+# unicast, so this option does not affect whether or not you will
+# receive replies from multicast group members.
+#
+# You must be very careful to NOT use a multicast address which
+# is already in use by another group of caches.
+#
+# If you are unsure about multicast, please read the Multicast
+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
+#
+# Usage: mcast_groups 239.128.16.128 224.0.1.20
+#
+# By default, Squid doesn't listen on any multicast groups.
+#Default:
+# none
+
+# TAG: mcast_miss_addr
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# If you enable this option, every "cache miss" URL will
+# be sent out on the specified multicast address.
+#
+# Do not enable this option unless you are are absolutely
+# certain you understand what you are doing.
+#Default:
+# disabled.
+
+# TAG: mcast_miss_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the time-to-live value for packets multicasted
+# when multicasting off cache miss URLs is enabled. By
+# default this is set to 'site scope', i.e. 16.
+#Default:
+# mcast_miss_ttl 16
+
+# TAG: mcast_miss_port
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the port number to be used in conjunction with
+# 'mcast_miss_addr'.
+#Default:
+# mcast_miss_port 3135
+
+# TAG: mcast_miss_encode_key
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# The URLs that are sent in the multicast miss stream are
+# encrypted. This is the encryption key.
+#Default:
+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
+
+# TAG: mcast_icp_query_timeout (msec)
+# For multicast peers, Squid regularly sends out ICP "probes" to
+# count how many other peers are listening on the given multicast
+# address. This value specifies how long Squid should wait to
+# count all the replies. The default is 2000 msec, or 2
+# seconds.
+#Default:
+# mcast_icp_query_timeout 2000
+
+# INTERNAL ICON OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/share/squid/icons
+#Default:
+# icon_directory /usr/share/squid/icons
+
+# TAG: global_internal_static
+# This directive controls is Squid should intercept all requests for
+# /squid-internal-static/ no matter which host the URL is requesting
+# (default on setting), or if nothing special should be done for
+# such URLs (off setting). The purpose of this directive is to make
+# icons etc work better in complex cache hierarchies where it may
+# not always be possible for all corners in the cache mesh to reach
+# the server generating a directory listing.
+#Default:
+# global_internal_static on
+
+# TAG: short_icon_urls
+# If this is enabled Squid will use short URLs for icons.
+# If disabled it will revert to the old behavior of including
+# it's own name and port in the URL.
+#
+# If you run a complex cache hierarchy with a mix of Squid and
+# other proxies you may need to disable this directive.
+#Default:
+# short_icon_urls on
+
+# ERROR PAGE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: error_directory
+# If you wish to create your own versions of the default
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are making translations for a
+# language that Squid does not currently provide please consider
+# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# Send error pages in the clients preferred language
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# Generate English language pages.
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
+#
+# For information on CSS see http://www.w3.org/Style/CSS/
+#Default:
+# err_page_stylesheet /etc/squid/errorpage.css
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#Default:
+# none
+
+# TAG: email_err_data on|off
+# If enabled, information about the occurred error will be
+# included in the mailto links of the ERR pages (if %W is set)
+# so that the email body contains the data.
+# Syntax is %w
+#Default:
+# email_err_data on
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# or deny_info http://... acl
+# or deny_info TCP_RESET acl
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. Squid remembers the last
+# acl it evaluated in http_access, and if a 'deny_info' line exists
+# for that ACL Squid returns a corresponding error page.
+#
+# The acl is typically the last acl on the http_access deny line which
+# denied access. The exceptions to this rule are:
+# - When Squid needs to request authentication credentials. It's then
+# the first authentication related acl encountered
+# - When none of the http_access lines matches. It's then the last
+# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
+#
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+#
+# Alternatively you can tell Squid to reset the TCP connection
+# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %A - Local listening IP address the client connection was connected to
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %O - Unescaped message result from external ACL helper
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
+#Default:
+# none
+
+# OPTIONS INFLUENCING REQUEST FORWARDING
+# -----------------------------------------------------------------------------
+
+# TAG: nonhierarchical_direct
+# By default, Squid will send any non-hierarchical requests
+# (not cacheable request type) direct to origin servers.
+#
+# When this is set to "off", Squid will prefer to send these
+# requests to parents.
+#
+# Note that in most configurations, by turning this off you will only
+# add latency to these request without any improvement in global hit
+# ratio.
+#
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
+#Default:
+# nonhierarchical_direct on
+
+# TAG: prefer_direct
+# Normally Squid tries to use parents for most requests. If you for some
+# reason like it to first try going direct and only use a parent if
+# going direct fails set this to on.
+#
+# By combining nonhierarchical_direct off and prefer_direct on you
+# can set up Squid to use a parent as a backup path if going direct
+# fails.
+#
+# Note: If you want Squid to use parents for all requests see
+# the never_direct directive. prefer_direct only modifies how Squid
+# acts on cacheable requests.
+#Default:
+# prefer_direct off
+
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server. This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded by Squid to the origin servers without using
+# any peers. For example, to always directly forward requests for
+# local servers ignoring any parents or siblings you may have use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain .foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# NOTE: If your goal is to make the client forward the request
+# directly to the origin server bypassing Squid then this needs
+# to be done in the client configuration. Squid configuration
+# can only tell Squid how Squid should fetch the object.
+#
+# NOTE: This directive is not related to caching. The replies
+# is cached as usual even if you use always_direct. To not cache
+# the replies see the 'cache' directive.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Prevent any cache_peer being used for this request.
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain .foo.net
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if Squid is inside a firewall and there are local intranet
+# servers inside the firewall use something like:
+#
+# acl local-intranet dstdomain .foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow DNS results to be used for this request.
+
+# ADVANCED NETWORKING OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_udp_average 6
+
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_tcp_average 4
+
+# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_dns_average 4
+
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_udp_poll_cnt 8
+
+# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_dns_poll_cnt 8
+
+# TAG: min_tcp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_tcp_poll_cnt 8
+
+# TAG: accept_filter
+# FreeBSD:
+#
+# The name of an accept(2) filter to install on Squid's
+# listen socket(s). This feature is perhaps specific to
+# FreeBSD and requires support in the kernel.
+#
+# The 'httpready' filter delays delivering new connections
+# to Squid until a full HTTP request has been received.
+# See the accf_http(9) man page for details.
+#
+# The 'dataready' filter delays delivering new connections
+# to Squid until there is some data to process.
+# See the accf_dataready(9) man page for details.
+#
+# Linux:
+#
+# The 'data' filter delays delivering of new connections
+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
+# You may optionally specify a number of seconds to wait by
+# 'data=N' where N is the number of seconds. Defaults to 30
+# if not specified. See the tcp(7) man page for details.
+#EXAMPLE:
+## FreeBSD
+#accept_filter httpready
+## Linux
+#accept_filter data
+#Default:
+# none
+
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# No limit.
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
+#Default:
+# Use operating system TCP defaults.
+
+# ICAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icap_enable on|off
+# If you want to enable the ICAP module support, set this to on.
+#Default:
+# icap_enable off
+
+# TAG: icap_connect_timeout
+# This parameter specifies how long to wait for the TCP connect to
+# the requested ICAP server to complete before giving up and either
+# terminating the HTTP transaction or bypassing the failure.
+#
+# The default for optional services is peer_connect_timeout.
+# The default for essential services is connect_timeout.
+# If this option is explicitly set, its value applies to all services.
+#Default:
+# none
+
+# TAG: icap_io_timeout time-units
+# This parameter specifies how long to wait for an I/O activity on
+# an established, active ICAP connection before giving up and
+# either terminating the HTTP transaction or bypassing the
+# failure.
+#Default:
+# Use read_timeout.
+
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
+# The limit specifies the number of failures that Squid tolerates
+# when establishing a new TCP connection with an ICAP service. If
+# the number of failures exceeds the limit, the ICAP service is
+# not used for new ICAP requests until it is time to refresh its
+# OPTIONS.
+#
+# A negative value disables the limit. Without the limit, an ICAP
+# service will not be considered down due to connectivity failures
+# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth. The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
+#Default:
+# icap_service_failure_limit 10
+
+# TAG: icap_service_revival_delay
+# The delay specifies the number of seconds to wait after an ICAP
+# OPTIONS request failure before requesting the options again. The
+# failed ICAP service is considered "down" until fresh OPTIONS are
+# fetched.
+#
+# The actual delay cannot be smaller than the hardcoded minimum
+# delay of 30 seconds.
+#Default:
+# icap_service_revival_delay 180
+
+# TAG: icap_preview_enable on|off
+# The ICAP Preview feature allows the ICAP server to handle the
+# HTTP message by looking only at the beginning of the message body
+# or even without receiving the body at all. In some environments,
+# previews greatly speedup ICAP processing.
+#
+# During an ICAP OPTIONS transaction, the server may tell Squid what
+# HTTP messages should be previewed and how big the preview should be.
+# Squid will not use Preview if the server did not request one.
+#
+# To disable ICAP Preview for all ICAP services, regardless of
+# individual ICAP server OPTIONS responses, set this option to "off".
+#Example:
+#icap_preview_enable off
+#Default:
+# icap_preview_enable on
+
+# TAG: icap_preview_size
+# The default size of preview data to be sent to the ICAP server.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
+#Default:
+# icap_206_enable on
+
+# TAG: icap_default_options_ttl
+# The default TTL value for ICAP OPTIONS responses that don't have
+# an Options-TTL header.
+#Default:
+# icap_default_options_ttl 60
+
+# TAG: icap_persistent_connections on|off
+# Whether or not Squid should use persistent connections to
+# an ICAP server.
+#Default:
+# icap_persistent_connections on
+
+# TAG: adaptation_send_client_ip on|off
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
+#Default:
+# adaptation_send_client_ip off
+
+# TAG: adaptation_send_username on|off
+# This sends authenticated HTTP client username (if available) to
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
+# icap_client_username_encode option and is sent using the header
+# specified by the icap_client_username_header option.
+#Default:
+# adaptation_send_username off
+
+# TAG: icap_client_username_header
+# ICAP request header name to use for adaptation_send_username.
+#Default:
+# icap_client_username_header X-Client-Username
+
+# TAG: icap_client_username_encode on|off
+# Whether to base64 encode the authenticated client username.
+#Default:
+# icap_client_username_encode off
+
+# TAG: icap_service
+# Defines a single ICAP service using the following format:
+#
+# icap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# ICAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: icap://servername:port/servicepath
+# ICAP server and service location.
+# icaps://servername:port/servicepath
+# The "icap:" URI scheme is used for traditional ICAP server and
+# service location (default port is 1344, connections are not
+# encrypted). The "icaps:" URI scheme is for Secure ICAP
+# services that use SSL/TLS-encrypted ICAP connections (by
+# default, on port 11344).
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled. No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
+# connection-encryption=on|off
+# Determines the ICAP service effect on the connections_encrypted
+# ACL.
+#
+# The default is "on" for Secure ICAP services (i.e., those
+# with the icaps:// service URIs scheme) and "off" for plain ICAP
+# services.
+#
+# Does not affect ICAP connections (e.g., does not turn Secure
+# ICAP on or off).
+#
+# ==== ICAPS / TLS OPTIONS ====
+#
+# These options are used for Secure ICAP (icaps://....) services only.
+#
+# tls-cert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this ICAP server.
+#
+# tls-key=/path/to/ssl/key
+# The private key corresponding to the previous
+# tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
+# to this icap server.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various OpenSSL library options:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list. Options relevant only to SSLv2 are
+# not supported.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the icap server certificate.
+# Use to specify intermediate CA certificate(s) if not sent
+# by the server. Or the full CA chain for the server when
+# using the tls-default-ca=off flag.
+# May be repeated to load multiple files.
+#
+# tls-capath=... A directory containing additional CA certificates to
+# use when verifying the icap server certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# tls-crlfile=... A certificate revocation list file to use when
+# verifying the icap server certificate.
+#
+# tls-flags=... Specify various flags modifying the Squid TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the icap server certificate
+# matches the server name
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-domain= The icap server name as advertised in it's certificate.
+# Used for verifying the correctness of the received icap
+# server certificate. If not specified the icap server
+# hostname extracted from ICAP URI will be used.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
+#Default:
+# none
+
+# TAG: icap_class
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Defines a single eCAP service
+#
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
+# HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# connection-encryption=on|off
+# Determines the eCAP service effect on the connections_encrypted
+# ACL.
+#
+# Defaults to "on", which does not taint the master transaction
+# w.r.t. that ACL.
+#
+# Does not affect eCAP API calls.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#
+#Example:
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
+#Default:
+# none
+
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
+#
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable. If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
+#
+#Example:
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services. If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
+#Default:
+# none
+
+# TAG: adaptation_access
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+#
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
+#
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
+#
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
+#
+#Example:
+#adaptation_access service_1 allow all
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: adaptation_service_iteration_limit
+# Limits the number of iterations allowed when applying adaptation
+# services to a message.
If your longest adaptation set or chain +# may have more than 16 services, increase the limit beyond its +# default value of 16. If detecting infinite iteration loops sooner +# is critical, make the iteration limit match the actual number +# of services in your longest adaptation set or chain. +# +# Infinite adaptation loops are most likely with routing services. +# +# See also: icap_service routing=1 +#Default: +# adaptation_service_iteration_limit 16 + +# TAG: adaptation_masterx_shared_names +# For each master transaction (i.e., the HTTP request and response +# sequence, including all related ICAP and eCAP exchanges), Squid +# maintains a table of metadata. The table entries are (name, value) +# pairs shared among eCAP and ICAP exchanges. The table is destroyed +# with the master transaction. +# +# This option specifies the table entry names that Squid must accept +# from and forward to the adaptation transactions. +# +# An ICAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by returning an ICAP header field with a name +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation +# transactions within the same master transaction scope. +# +# Only one shared entry name is supported at this time. +# +#Example: +## share authentication information among ICAP services +#adaptation_masterx_shared_names X-Subscriber-ID +#Default: +# none + +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. 
+# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + +# TAG: icap_retry +# This ACL determines which retriable ICAP transactions are +# retried. Transactions that received a complete ICAP response +# and did not have to consume or produce HTTP bodies to receive +# that response are usually retriable. +# +# icap_retry allow|deny [!]aclname ... +# +# Squid automatically retries some ICAP I/O timeouts and errors +# due to persistent connection race conditions. +# +# See also: icap_retry_limit +#Default: +# icap_retry deny all + +# TAG: icap_retry_limit +# Limits the number of retries allowed. 
+# +# Communication errors due to persistent connection race +# conditions are unavoidable, automatically retried, and do not +# count against this limit. +# +# See also: icap_retry +#Default: +# No retries are allowed. + +# DNS OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: check_hostnames +# For security and stability reasons Squid can check +# hostnames for Internet standard RFC compliance. If you want +# Squid to perform these checks turn this directive on. +#Default: +# check_hostnames off + +# TAG: allow_underscore +# Underscore characters is not strictly allowed in Internet hostnames +# but nevertheless used by many sites. Set this to off if you want +# Squid to be strict about the standard. +# This check is performed only when check_hostnames is set to on. +#Default: +# allow_underscore on + +# TAG: dns_retransmit_interval +# Initial retransmit interval for DNS queries. The interval is +# doubled each time all configured DNS servers have been tried. +#Default: +# dns_retransmit_interval 5 seconds + +# TAG: dns_timeout +# DNS Query timeout. If no response is received to a DNS query +# within this time all DNS servers for the queried domain +# are assumed to be unavailable. +#Default: +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. 
+# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled + +# TAG: dns_defnames on|off +# Normally the RES_DEFNAMES resolver option is disabled +# (see res_init(3)). This prevents caches in a hierarchy +# from interpreting single-component hostnames locally. To allow +# Squid to handle single-component names, enable this option. +#Default: +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. + +# TAG: dns_nameservers +# Use this if you want to specify a list of DNS name servers +# (IP addresses) to use instead of those given in your +# /etc/resolv.conf file. +# +# On Windows platforms, if no value is specified here or in +# the /etc/resolv.conf file, the list of DNS name servers are +# taken from the Windows registry, both static and dynamic DHCP +# configurations are supported. +# +# Example: dns_nameservers 10.0.0.1 192.172.0.4 +#Default: +# Use operating system definitions + +# TAG: hosts_file +# Location of the host-local IP name-address associations +# database. 
Most Operating Systems have such a file on different +# default locations: +# - Un*X & Linux: /etc/hosts +# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\winnt) +# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts +# (%SystemRoot% value install default is c:\windows) +# - Windows 9x/Me: %windir%\hosts +# (%windir% value is usually c:\windows) +# - Cygwin: /etc/hosts +# +# The file contains newline-separated definitions, in the +# form ip_address_in_dotted_form name [name ...] names are +# whitespace-separated. Lines beginning with an hash (#) +# character are comments. +# +# The file is checked at startup and upon configuration. +# If set to 'none', it won't be checked. +# If append_domain is used, that domain will be added to +# domain-local (i.e. not containing any dot character) host +# definitions. +#Default: +# hosts_file /etc/hosts + +# TAG: append_domain +# Appends local domain name to hostnames without any dots in +# them. append_domain must begin with a period. +# +# Be warned there are now Internet names with no dots in +# them using only top-domain names, so setting this may +# cause some Internet sites to become unavailable. +# +#Example: +# append_domain .yourdomain.com +#Default: +# Use operating system definitions + +# TAG: ignore_unknown_nameservers +# By default Squid checks that DNS responses are received +# from the same IP addresses they are sent to. If they +# don't match, Squid ignores the response and writes a warning +# message to cache.log. You can allow responses from unknown +# nameservers by setting this option to 'off'. +#Default: +# ignore_unknown_nameservers on + +# TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. +#Default: +# ipcache_size 1024 + +# TAG: ipcache_low (percent) +#Default: +# ipcache_low 90 + +# TAG: ipcache_high (percent) +# The size, low-, and high-water marks for the IP cache. 
+#Default: +# ipcache_high 95 + +# TAG: fqdncache_size (number of entries) +# Maximum number of FQDN cache entries. +#Default: +# fqdncache_size 1024 + +# MISCELLANEOUS +# ----------------------------------------------------------------------------- + +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + +# TAG: memory_pools on|off +# If set, Squid will keep pools of allocated (but unused) memory +# available for future use. If memory is a premium on your +# system and you believe your malloc library outperforms Squid +# routines, disable this. +#Default: +# memory_pools on + +# TAG: memory_pools_limit (bytes) +# Used only with memory_pools on: +# memory_pools_limit 50 MB +# +# If set to a non-zero value, Squid will keep at most the specified +# limit of allocated (but unused) memory in memory pools. All free() +# requests that exceed this limit will be handled by your malloc +# library. Squid does not pre-allocate any memory, just safe-keeps +# objects that otherwise would be free()d. Thus, it is safe to set +# memory_pools_limit to a reasonably high value even if your +# configuration will use less memory. +# +# If set to none, Squid will keep all memory it can. That is, there +# will be no limit on the total amount of memory used for safe-keeping. +# +# To disable memory allocation optimization, do not set +# memory_pools_limit to 0 or none. Set memory_pools to "off" instead. +# +# An overhead for maintaining memory pools is not taken into account +# when the limit is checked. This overhead is close to four bytes per +# object kept. 
However, pools may actually _save_ memory because of +# reduced memory thrashing in your malloc library. +#Default: +# memory_pools_limit 5 MB + +# TAG: forwarded_for on|off|transparent|truncate|delete +# If set to "on", Squid will append your client's IP address +# in the HTTP requests it forwards. By default it looks like: +# +# X-Forwarded-For: 192.1.2.3 +# +# If set to "off", it will appear as +# +# X-Forwarded-For: unknown +# +# If set to "transparent", Squid will not alter the +# X-Forwarded-For header in any way. +# +# If set to "delete", Squid will delete the entire +# X-Forwarded-For header. +# +# If set to "truncate", Squid will remove all existing +# X-Forwarded-For entries, and place the client IP as the sole entry. +#Default: +# forwarded_for on + +# TAG: cachemgr_passwd +# Specify passwords for cachemgr operations. +# +# Usage: cachemgr_passwd password action action ... +# +# Some valid actions are (see cache manager menu for a full list): +# 5min +# 60min +# asndb +# authenticator +# cbdata +# client_list +# comm_incoming +# config * +# counters +# delay +# digest_stats +# dns +# events +# filedescriptors +# fqdncache +# histograms +# http_headers +# info +# io +# ipcache +# mem +# menu +# netdb +# non_peers +# objects +# offline_toggle * +# pconn +# peer_select +# reconfigure * +# redirector +# refresh +# server_list +# shutdown * +# store_digest +# storedir +# utilization +# via_headers +# vm_objects +# +# * Indicates actions which will not be performed without a +# valid password, others can be performed if not listed here. +# +# To disable an action, set the password to "disable". +# To allow performing an action without a password, set the +# password to "none". +# +# Use the keyword "all" to set the same password for all actions. +# +#Example: +# cachemgr_passwd secret shutdown +# cachemgr_passwd lesssssssecret info stats/objects +# cachemgr_passwd disable all +#Default: +# No password. Actions which require password are denied. 
+ +# TAG: client_db on|off +# If you want to disable collecting per-client statistics, +# turn off client_db here. +#Default: +# client_db on + +# TAG: refresh_all_ims on|off +# When you enable this option, squid will always check +# the origin server for an update when a client sends an +# If-Modified-Since request. Many browsers use IMS +# requests when the user requests a reload, and this +# ensures those clients receive the latest version. +# +# By default (off), squid may return a Not Modified response +# based on the age of the cached version. +#Default: +# refresh_all_ims off + +# TAG: reload_into_ims on|off +# When you enable this option, client no-cache or ``reload'' +# requests will be changed to If-Modified-Since requests. +# Doing this VIOLATES the HTTP standard. Enabling this +# feature could make you liable for problems which it +# causes. +# +# see also refresh_pattern for a more selective approach. +#Default: +# reload_into_ims off + +# TAG: connect_retries +# Limits the number of reopening attempts when establishing a single +# TCP connection. All these attempts must still complete before the +# applicable connection opening timeout expires. +# +# By default and when connect_retries is set to zero, Squid does not +# retry failed connection opening attempts. +# +# The (not recommended) maximum is 10 tries. An attempt to configure a +# higher value results in the value of 10 being used (with a warning). +# +# Squid may open connections to retry various high-level forwarding +# failures. For an outside observer, that activity may look like a +# low-level connection reopening attempt, but those high-level retries +# are governed by forward_max_tries instead. +# +# See also: connect_timeout, forward_timeout, icap_connect_timeout, +# ident_timeout, and forward_max_tries. +#Default: +# Do not retry failed connections. 
+ +# TAG: retry_on_error +# If set to ON Squid will automatically retry requests when +# receiving an error response with status 403 (Forbidden), +# 500 (Internal Error), 501 or 503 (Service not available). +# Status 502 and 504 (Gateway errors) are always retried. +# +# This is mainly useful if you are in a complex cache hierarchy to +# work around access control errors. +# +# NOTE: This retry will attempt to find another working destination. +# Which is different from the server which just failed. +#Default: +# retry_on_error off + +# TAG: as_whois_server +# WHOIS server to query for AS numbers. NOTE: AS numbers are +# queried only when Squid starts up, not for every request. +#Default: +# as_whois_server whois.ra.net + +# TAG: offline_mode +# Enable this option and Squid will never try to validate cached +# objects. +#Default: +# offline_mode off + +# TAG: uri_whitespace +# What to do with requests that have whitespace characters in the +# URI. Options: +# +# strip: The whitespace characters are stripped out of the URL. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# +# deny: The request is denied. The user receives an "Invalid +# Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# +# allow: The request is allowed and the URI is not changed. The +# whitespace characters remain in the URI. Note the +# whitespace is passed to redirector processes if they +# are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# +# encode: The request is allowed and the whitespace characters are +# encoded according to RFC1738. +# +# chop: The request is allowed and the URI is chopped at the +# first whitespace. 
+# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. +#Default: +# uri_whitespace strip + +# TAG: chroot +# Specifies a directory where Squid should do a chroot() while +# initializing. This also causes Squid to fully drop root +# privileges after initializing. This means, for example, if you +# use a HTTP port less than 1024 and try to reconfigure, you may +# get an error saying that Squid can not open the port. +#Default: +# none + +# TAG: pipeline_prefetch +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging +# reasons. +# +# NOTE: pipelining requires persistent connections to clients. +# +# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. +#Default: +# Do not pre-parse pipelined requests. + +# TAG: high_response_time_warning (msec) +# If the one-minute median response time exceeds this value, +# Squid prints a WARNING with debug level 0 to get the +# administrators attention. The value is in milliseconds. +#Default: +# disabled. + +# TAG: high_page_fault_warning +# If the one-minute average page fault rate exceeds this +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. The value is in page faults +# per second. +#Default: +# disabled. 
+ +# TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get +# the administrators attention. +#Default: +# disabled. + +# TAG: sleep_after_fork (microseconds) +# When this is set to a non-zero value, the main Squid process +# sleeps the specified number of microseconds after a fork() +# system call. This sleep may help the situation where your +# system reports fork() failures due to lack of (virtual) +# memory. Note, however, if you have a lot of child +# processes, these sleep delays will add up and your +# Squid will not service requests for some amount of time +# until all the child processes have been started. +# On Windows value less then 1000 (1 milliseconds) are +# rounded to 1000. +#Default: +# sleep_after_fork 0 + +# TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# +# On Windows Squid by default will monitor IP address changes and will +# reconfigure itself after any detected event. This is very useful for +# proxies connected to internet with dial-up interfaces. +# In some cases (a Proxy server acting as VPN gateway is one) it could be +# desiderable to disable this behaviour setting this to 'off'. +# Note: after changing this, Squid service must be restarted. +#Default: +# windows_ipaddrchangemonitor on + +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + +# TAG: max_filedescriptors +# Set the maximum number of filedescriptors, either below the +# operating system default or up to the hard limit. +# +# Remove from squid.conf to inherit the current ulimit soft +# limit setting. +# +# Note: Changing this requires a restart of Squid. Also +# not all I/O types supports large values (eg on Windows). 
+#Default: +# Use operating system soft limit set by ulimit. + +# TAG: force_request_body_continuation +# This option controls how Squid handles data upload requests from HTTP +# and FTP agents that require a "Please Continue" control message response +# to actually send the request body to Squid. It is mostly useful in +# adaptation environments. +# +# When Squid receives an HTTP request with an "Expect: 100-continue" +# header or an FTP upload command (e.g., STOR), Squid normally sends the +# request headers or FTP command information to an adaptation service (or +# peer) and waits for a response. Most adaptation services (and some +# broken peers) may not respond to Squid at that stage because they may +# decide to wait for the HTTP request body or FTP data transfer. However, +# that request body or data transfer may never come because Squid has not +# responded with the HTTP 100 or FTP 150 (Please Continue) control message +# to the request sender yet! +# +# An allow match tells Squid to respond with the HTTP 100 or FTP 150 +# (Please Continue) control message on its own, before forwarding the +# request to an adaptation service or peer. Such a response usually forces +# the request sender to proceed with sending the body. A deny match tells +# Squid to delay that control response until the origin server confirms +# that the request body is needed. Delaying is the default behavior. +#Default: +# Deny, unless rules exist in squid.conf. + +# TAG: http_upgrade_request_protocols +# Controls client-initiated and server-confirmed switching from HTTP to +# another protocol (or to several protocols) using HTTP Upgrade mechanism +# defined in RFC 7230 Section 6.7. Squid itself does not understand the +# protocols being upgraded to and participates in the upgraded +# communication only as a dumb TCP proxy. Admins should not allow +# upgrading to protocols that require a more meaningful proxy +# participation. 
+# +# Usage: http_upgrade_request_protocols allow|deny [!]acl ... +# +# The required "protocol" parameter is either an all-caps word OTHER or an +# explicit protocol name (e.g. "WebSocket") optionally followed by a slash +# and a version token (e.g. "HTTP/3"). Explicit protocol names and +# versions are case sensitive. +# +# When an HTTP client sends an Upgrade request header, Squid iterates over +# the client-offered protocols and, for each protocol P (with an optional +# version V), evaluates the first non-empty set of +# http_upgrade_request_protocols rules (if any) from the following list: +# +# * All rules with an explicit protocol name equal to P. +# * All rules that use OTHER instead of a protocol name. +# +# In other words, rules using OTHER are considered for protocol P if and +# only if there are no rules mentioning P by name. +# +# If both of the above sets are empty, then Squid removes protocol P from +# the Upgrade offer. +# +# If the client sent a versioned protocol offer P/X, then explicit rules +# referring to the same-name but different-version protocol P/Y are +# declared inapplicable. Inapplicable rules are not evaluated (i.e. are +# ignored). However, inapplicable rules still belong to the first set of +# rules for P. +# +# Within the applicable rule subset, individual rules are evaluated in +# their configuration order. If all ACLs of an applicable "allow" rule +# match, then the protocol offered by the client is forwarded to the next +# hop as is. If all ACLs of an applicable "deny" rule match, then the +# offer is dropped. If no applicable rules have matching ACLs, then the +# offer is also dropped. The first matching rule also ends rules +# evaluation for the offered protocol. +# +# If all client-offered protocols are removed, then Squid forwards the +# client request without the Upgrade header. Squid never sends an empty +# Upgrade request header. 
+# +# An Upgrade request header with a value violating HTTP syntax is dropped +# and ignored without an attempt to use extractable individual protocol +# offers. +# +# Upon receiving an HTTP 101 (Switching Protocols) control message, Squid +# checks that the server listed at least one protocol name and sent a +# Connection:upgrade response header. Squid does not understand individual +# protocol naming and versioning concepts enough to implement stricter +# checks, but an admin can restrict HTTP 101 (Switching Protocols) +# responses further using http_reply_access. Responses denied by +# http_reply_access rules and responses flagged by the internal Upgrade +# checks result in HTTP 502 (Bad Gateway) ERR_INVALID_RESP errors and +# Squid-to-server connection closures. +# +# If Squid sends an Upgrade request header, and the next hop (e.g., the +# origin server) responds with an acceptable HTTP 101 (Switching +# Protocols), then Squid forwards that message to the client and becomes +# a TCP tunnel. +# +# The presence of an Upgrade request header alone does not preclude cache +# lookups. In other words, an Upgrade request might be satisfied from the +# cache, using regular HTTP caching rules. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# Each of the following groups of configuration lines represents a +# separate configuration example: +# +# # never upgrade to protocol Foo; all others are OK +# http_upgrade_request_protocols Foo deny all +# http_upgrade_request_protocols OTHER allow all +# +# # only allow upgrades to protocol Bar (except for its first version) +# http_upgrade_request_protocols Bar/1 deny all +# http_upgrade_request_protocols Bar allow all +# http_upgrade_request_protocols OTHER deny all # this rule is optional +# +# # only allow upgrades to protocol Baz, and only if Baz is the only offer +# acl UpgradeHeaderHasMultipleOffers ... 
+# http_upgrade_request_protocols Baz deny UpgradeHeaderHasMultipleOffers +# http_upgrade_request_protocols Baz allow all +#Default: +# Upgrade header dropped, effectively blocking an upgrade attempt. + +# TAG: server_pconn_for_nonretriable +# This option provides fine-grained control over persistent connection +# reuse when forwarding HTTP requests that Squid cannot retry. It is useful +# in environments where opening new connections is very expensive +# (e.g., all connections are secured with TLS with complex client and server +# certificate validation) and race conditions associated with persistent +# connections are very rare and/or only cause minor problems. +# +# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST). +# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT). +# By default, when forwarding such "risky" requests, Squid opens a new +# connection to the server or cache_peer, even if there is an idle persistent +# connection available. When Squid is configured to risk sending a non-retriable +# request on a previously used persistent connection, and the server closes +# the connection before seeing that risky request, the user gets an error response +# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway) +# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail. +# +# If an allow rule matches, Squid reuses an available idle persistent connection +# (if any) for the request that Squid cannot retry. If a deny rule matches, then +# Squid opens a new connection for the request that Squid cannot retry. +# +# This option does not affect requests that Squid can retry. They will reuse idle +# persistent connections (if any). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+#
+# Example:
+# acl SpeedIsWorthTheRisk method POST
+# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
+#Default:
+# Open new connections for forwarding requests Squid cannot retry safely.
+
+# TAG: happy_eyeballs_connect_timeout (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the minimum
+# delay between opening a primary to-server connection and opening a
+# spare to-server connection for the same master transaction. This delay
+# is similar to the Connection Attempt Delay in RFC 8305, but it is only
+# applied to the first spare connection attempt. Subsequent spare
+# connection attempts use happy_eyeballs_connect_gap, and primary
+# connection attempts are not artificially delayed at all.
+#
+# Terminology: The "primary" and "spare" designations are determined by
+# the order of DNS answers received by Squid: If Squid DNS AAAA query
+# was answered first, then primary connections are connections to IPv6
+# peer addresses (while spare connections use IPv4 addresses).
+# Similarly, if Squid DNS A query was answered first, then primary
+# connections are connections to IPv4 peer addresses (while spare
+# connections use IPv6 addresses).
+#
+# Shorter happy_eyeballs_connect_timeout values reduce master
+# transaction response time, potentially improving user-perceived
+# response times (i.e., making user eyeballs happier). Longer delays
+# reduce both concurrent connection level and server bombardment with
+# connection requests, potentially improving overall Squid performance
+# and reducing the chance of being blocked by servers for opening too
+# many unused connections.
+#
+# RFC 8305 prohibits happy_eyeballs_connect_timeout values smaller than
+# 10 (milliseconds) to "avoid congestion collapse in the presence of
+# high packet-loss rates".
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_gap and
+# happy_eyeballs_connect_limit.
+#Default:
+# happy_eyeballs_connect_timeout 250
+
+# TAG: happy_eyeballs_connect_gap (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# minimum delay between opening spare to-server connections (to any
+# server; i.e. across all concurrent master transactions in a Squid
+# instance). Each SMP worker currently multiplies the configured gap
+# by the total number of workers so that the combined spare connection
+# opening rate of a Squid instance obeys the configured limit. The
+# workers do not coordinate connection openings yet; a micro burst
+# of spare connection openings may violate the configured gap.
+#
+# This directive has similar trade-offs as
+# happy_eyeballs_connect_timeout, but its focus is on limiting traffic
+# amplification effects for Squid as a whole, while
+# happy_eyeballs_connect_timeout works on an individual master
+# transaction level.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_limit. See the former for related terminology.
+#Default:
+# no artificial delays between spare attempts
+
+# TAG: happy_eyeballs_connect_limit
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# maximum number of spare to-server connections (to any server; i.e.
+# across all concurrent master transactions in a Squid instance).
+# Each SMP worker gets an equal share of the total limit. However,
+# the workers do not share the actual connection counts yet, so one
+# (busier) worker cannot "borrow" spare connection slots from another
+# (less loaded) worker.
+#
+# Setting this limit to zero disables concurrent use of primary and
+# spare TCP connections: Spare connection attempts are made only after
+# all primary attempts fail. However, Squid would still use the
+# DNS-related optimizations of the Happy Eyeballs approach.
+#
+# This directive has similar trade-offs as happy_eyeballs_connect_gap,
+# but its focus is on limiting Squid overheads, while
+# happy_eyeballs_connect_gap focuses on the origin server and peer
+# overheads.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_gap. See the former for related terminology.
+#Default:
+# no artificial limit on the number of concurrent spare attempts
+
diff --git a/siotp/sisr1/tp06/files_admin/squid_v5_auth.conf b/siotp/sisr1/tp06/files_admin/squid_v5_auth.conf
new file mode 100644
index 0000000..438c6bd
--- /dev/null
+++ b/siotp/sisr1/tp06/files_admin/squid_v5_auth.conf
@@ -0,0 +1,9174 @@
+# WELCOME TO SQUID 5.7
+# ----------------------------
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
+#
+
+# Configuration options can be included using the "include" directive.
+# Include takes a list of files to include. Quoting and wildcards are
+# supported.
+#
+# For example,
+#
+# include /path/to/included/file/squid.acl.config
+#
+# Includes can be nested up to a hard-coded depth of 16 levels.
+# This arbitrary restriction is to prevent recursive include references
+# from causing Squid entering an infinite loop whilst trying to load
+# configuration files.
+#
+# Values with byte units
+#
+# Squid accepts size units on some size related directives. All
+# such directives are documented with a default value displaying
+# a unit.
+#
+# Units accepted by Squid are:
+# bytes - byte
+# KB - Kilobyte (1024 bytes)
+# MB - Megabyte
+# GB - Gigabyte
+#
+# Values with time units
+#
+# Time-related directives marked with either "time-units" or
+# "time-units-small" accept a time unit. The supported time units are:
+#
+# nanosecond (time-units-small only)
+# microsecond (time-units-small only)
+# millisecond
+# second
+# minute
+# hour
+# day
+# week
+# fortnight
+# month - 30 days
+# year - 31557790080 milliseconds (just over 365 days)
+# decade
+#
+# Values with spaces, quotes, and other special characters
+#
+# Squid supports directive parameters with spaces, quotes, and other
+# special characters. Surround such parameters with "double quotes". Use
+# the configuration_includes_quoted_values directive to enable or
+# disable that support.
+#
+# Squid supports reading configuration option parameters from external
+# files using the syntax:
+# parameters("/path/filename")
+# For example:
+# acl allowlist dstdomain parameters("/etc/squid/allowlist.txt")
+#
+# Conditional configuration
+#
+# If-statements can be used to make configuration directives
+# depend on conditions:
+#
+# if
+# ... regular configuration directives ...
+# [else
+# ... regular configuration directives ...]
+# endif
+#
+# The else part is optional. The keywords "if", "else", and "endif"
+# must be typed on their own lines, as if they were regular
+# configuration directives.
+#
+# NOTE: An else-if condition is not supported.
+#
+# These individual conditions types are supported:
+#
+# true
+# Always evaluates to true.
+# false
+# Always evaluates to false.
+# =
+# Equality comparison of two integer numbers.
+#
+#
+# SMP-Related Macros
+#
+# The following SMP-related preprocessor macros can be used.
+#
+# ${process_name} expands to the current Squid process "name"
+# (e.g., squid1, squid2, or cache1).
+#
+# ${process_number} expands to the current Squid process
+# identifier, which is an integer number (e.g., 1, 2, 3) unique
+# across all Squid processes of the current service instance.
+#
+# ${service_name} expands into the current Squid service instance
+# name identifier which is provided by -n on the command line.
+#
+# Logformat Macros
+#
+# Logformat macros can be used in many places outside of the logformat
+# directive. In theory, all of the logformat codes can be used as %macros,
+# where they are supported. In practice, a %macro expands as a dash (-) when
+# the transaction does not yet have enough information and a value is needed.
+#
+# There is no definitive list of what tokens are available at the various
+# stages of the transaction.
+#
+# And some information may already be available to Squid but not yet
+# committed where the macro expansion code can access it (report
+# such instances!). The macro will be expanded into a single dash
+# ('-') in such cases. Not all macros have been tested.
+#
+
+# TAG: broken_vary_encoding
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_vary
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: error_map
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: external_refresh_check
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: location_rewrite_program
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: refresh_stale_hit
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: dns_v4_first
+# Remove this line. Squid no longer supports preferential treatment of DNS A records.
+#Default:
+# none
+
+# TAG: cache_peer_domain
+# Replace with dstdomain ACLs and cache_peer_access.
+#Default:
+# none
+
+# TAG: ie_refresh
+# Remove this line. The behaviour enabled by this is no longer needed.
+#Default:
+# none
+
+# TAG: sslproxy_cafile
+# Remove this line. Use tls_outgoing_options cafile= instead.
+#Default:
+# none
+
+# TAG: sslproxy_capath
+# Remove this line. Use tls_outgoing_options capath= instead.
+#Default:
+# none
+
+# TAG: sslproxy_cipher
+# Remove this line. Use tls_outgoing_options cipher= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_certificate
+# Remove this line. Use tls_outgoing_options cert= instead.
+#Default:
+# none
+
+# TAG: sslproxy_client_key
+# Remove this line. Use tls_outgoing_options key= instead.
+#Default:
+# none
+
+# TAG: sslproxy_flags
+# Remove this line. Use tls_outgoing_options flags= instead.
+#Default:
+# none
+
+# TAG: sslproxy_options
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: sslproxy_version
+# Remove this line. Use tls_outgoing_options options= instead.
+#Default:
+# none
+
+# TAG: hierarchy_stoplist
+# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
+#Default:
+# none
+
+# TAG: log_access
+# Remove this line. Use acls with access_log directives to control access logging
+#Default:
+# none
+
+# TAG: log_icap
+# Remove this line. Use acls with icap_log directives to control icap logging
+#Default:
+# none
+
+# TAG: ignore_ims_on_miss
+# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
+#Default:
+# none
+
+# TAG: balance_on_multiple_ip
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
+#Default:
+# none
+
+# TAG: chunked_request_body_max_size
+# Remove this line. Squid is now HTTP/1.1 compliant.
+#Default:
+# none
+
+# TAG: dns_v4_fallback
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+#Default:
+# none
+
+# TAG: emulate_httpd_log
+# Replace this with an access_log directive using the format 'common' or 'combined'.
+#Default:
+# none
+
+# TAG: forward_log
+# Use a regular access.log with ACL limiting it to MISS events.
+#Default:
+# none
+
+# TAG: ftp_list_width
+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
+#Default:
+# none
+
+# TAG: ignore_expect_100
+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
+#Default:
+# none
+
+# TAG: log_fqdn
+# Remove this option from your config. To log FQDN use %>A in the log format.
+#Default:
+# none
+
+# TAG: log_ip_on_direct
+# Remove this option from your config. To log server or peer names use %
+##auth_param negotiate children 20 startup=0 idle=1
+##
+##auth_param digest program
+##auth_param digest children 20 startup=0 idle=1
+##auth_param digest realm Squid proxy-caching web server
+##auth_param digest nonce_garbage_interval 5 minutes
+##auth_param digest nonce_max_duration 30 minutes
+##auth_param digest nonce_max_count 50
+##
+##auth_param ntlm program
+##auth_param ntlm children 20 startup=0 idle=1
+##
+##auth_param basic program
+##auth_param basic children 5 startup=5 idle=1
+##auth_param basic credentialsttl 2 hours
+#Default:
+# none
+
+# TAG: authenticate_cache_garbage_interval
+# The time period between garbage collection across the username cache.
+# This is a trade-off between memory utilization (long intervals - say
+# 2 days) and CPU (short intervals - say 1 minute). Only change if you
+# have good reason to.
+#Default:
+# authenticate_cache_garbage_interval 1 hour
+
+# TAG: authenticate_ttl
+# The time a user & their credentials stay in the logged in
+# user cache since their last request. When the garbage
+# interval passes, all user credentials that have passed their
+# TTL are removed from memory.
+#Default:
+# authenticate_ttl 1 hour
+
+# TAG: authenticate_ip_ttl
+# If you use proxy authentication and the 'max_user_ip' ACL,
+# this directive controls how long Squid remembers the IP
+# addresses associated with each user. Use a small value
+# (e.g., 60 seconds) if your users might change addresses
+# quickly, as is the case with dialup. You might be safe
+# using a larger value (e.g., 2 hours) in a corporate LAN
+# environment with relatively static address assignments.
+#Default:
+# authenticate_ip_ttl 1 second
+
+# ACCESS CONTROLS
+# -----------------------------------------------------------------------------
+
+# TAG: external_acl_type
+# This option defines external acl classes using a helper program
+# to look up the status
+#
+# external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
+#
+# Options:
+#
+# ttl=n TTL in seconds for cached results (defaults to 3600
+# for 1 hour)
+#
+# negative_ttl=n
+# TTL for cached negative lookups (default same
+# as ttl)
+#
+# grace=n Percentage remaining of TTL where a refresh of a
+# cached entry should be initiated without needing to
+# wait for a new reply. (default is for no grace period)
+#
+# cache=n The maximum number of entries in the result cache. The
+# default limit is 262144 entries. Each cache entry usually
+# consumes at least 256 bytes. Squid currently does not remove
+# expired cache entries until the limit is reached, so a proxy
+# will sooner or later reach the limit. The expanded FORMAT
+# value is used as the cache key, so if the details in FORMAT
+# are highly variable, a larger cache may be needed to produce
+# reduction in helper load.
+#
+# children-max=n
+# Maximum number of acl helper processes spawned to service
+# external acl lookups of this type. (default 5)
+#
+# children-startup=n
+# Minimum number of acl helper processes to spawn during
+# startup and reconfigure to service external acl lookups
+# of this type. (default 0)
+#
+# children-idle=n
+# Number of acl helper processes to keep ahead of traffic
+# loads. Squid will spawn this many at once whenever load
+# rises above the capabilities of existing processes.
+# Up to the value of children-max. (default 1)
+#
+# concurrency=n concurrency level per process. Only used with helpers
+# capable of processing more than one query at a time.
+#
+# queue-size=N The queue-size option sets the maximum number of
+# queued requests. A request is queued when no existing
+# helper can accept it due to concurrency limit and no
+# new helper can be started due to children-max limit.
+# If the queued requests exceed queue size, the acl is
+# ignored. The default value is set to 2*children-max.
+#
+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+#
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
+#
+#
+# FORMAT is a series of %macro codes. See logformat directive for a full list
+# of the accepted codes. Although note that at the time of any external ACL
+# being tested data may not be available and thus some %macro expand to '-'.
+#
+# In addition to the logformat codes; when processing external ACLs these
+# additional macros are made available:
+#
+# %ACL The name of the ACL being tested.
+#
+# %DATA The ACL arguments specified in the referencing config
+# 'acl ... external' line, separated by spaces (an
+# "argument string"). see acl external.
+#
+# If there are no ACL arguments %DATA expands to '-'.
+#
+# If you do not specify a DATA macro inside FORMAT,
+# Squid automatically appends %DATA to your FORMAT.
+# Note that Squid-3.x may expand %DATA to whitespace
+# or nothing in this case.
+#
+# By default, Squid applies URL-encoding to each ACL
+# argument inside the argument string. If an explicit
+# encoding modifier is used (e.g., %#DATA), then Squid
+# encodes the whole argument string as a single token
+# (e.g., with %#DATA, spaces between arguments become
+# %20).
+#
+# If SSL is enabled, the following formating codes become available:
+#
+# %USER_CERT SSL User certificate in PEM format
+# %USER_CERTCHAIN SSL User certificate chain in PEM format
+# %USER_CERT_xx SSL User certificate subject attribute xx
+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
+#
+#
+# NOTE: all other format codes accepted by older Squid versions
+# are deprecated.
+#
+#
+# General request syntax:
+#
+# [channel-ID] FORMAT-values
+#
+#
+# FORMAT-values consists of transaction details expanded with
+# whitespace separation per the config file FORMAT specification
+# using the FORMAT macros listed above.
+#
+# Request values sent to the helper are URL escaped to protect
+# each value in requests against whitespaces.
+#
+# If using protocol=2.5 then the request sent to the helper is not
+# URL escaped to protect against whitespace.
+#
+# NOTE: protocol=3.0 is deprecated as no longer necessary.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+#
+# The helper receives lines expanded per the above format specification
+# and for each input line returns 1 line starting with OK/ERR/BH result
+# code and optionally followed by additional keywords with more details.
+#
+#
+# General result syntax:
+#
+# [channel-ID] result keyword=value ...
+#
+# Result consists of one of the codes:
+#
+# OK
+# the ACL test produced a match.
+#
+# ERR
+# the ACL test does not produce a match.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# The meaning of 'a match' is determined by your squid.conf
+# access control configuration. See the Squid wiki for details.
+#
+# Defined keywords:
+#
+# user= The users name (login)
+#
+# password= The users password (for login= cache_peer option)
+#
+# message= Message describing the reason for this response.
+# Available as %o in error pages.
+# Useful on (ERR and BH results).
+#
+# tag= Apply a tag to a request. Only sets a tag once,
+# does not alter existing tags.
+#
+# log= String to be logged in access.log. Available as
+# %ea in logformat specifications.
+#
+# clt_conn_tag= Associates a TAG with the client TCP connection.
+# Please see url_rewrite_program related documentation
+# for this kv-pair.
+#
+# Any keywords may be sent on any response whether OK, ERR or BH.
+#
+# All response keyword values need to be a single token with URL
+# escaping, or enclosed in double quotes (") and escaped using \ on
+# any double quotes or \ characters within the value. The wrapping
+# double quotes are removed before the value is interpreted by Squid.
+# \r and \n are also replace by CR and LF.
+#
+# Some example key values:
+#
+# user=John%20Smith
+# user="John Smith"
+# user="J. \"Bob\" Smith"
+#Default:
+# none
+
+# TAG: acl
+# Defining an Access List
+#
+# Every access list definition must begin with an aclname and acltype,
+# followed by either type-specific arguments or a quoted filename that
+# they are read from.
+#
+# acl aclname acltype argument ...
+# acl aclname acltype "file" ...
+#
+# When using "file", the file should contain one item per line.
+#
+#
+# ACL Options
+#
+# Some acl types supports options which changes their default behaviour:
+#
+# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
+# case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line
+# without -i.
+#
+# -n Disable lookups and address type conversions. If lookup or
+# conversion is required because the parameter type (IP or
+# domain name) does not match the message address type (domain
+# name or IP), then the ACL would immediately declare a mismatch
+# without any warnings or lookups.
+#
+# -m[=delimiters]
+# Perform a list membership test, interpreting values as
+# comma-separated token lists and matching against individual
+# tokens instead of whole values.
+# The optional "delimiters" parameter specifies one or more
+# alternative non-alphanumeric delimiter characters.
+# non-alphanumeric delimiter characters.
+#
+# -- Used to stop processing all options, in the case the first acl
+# value has '-' character as first character (for example the '-'
+# is a valid domain name)
+#
+# Some acl types require suspending the current request in order
+# to access some external data source.
+# Those which do are marked with the tag [slow], those which
+# don't are marked as [fast].
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
+# for further information
+#
+# ***** ACL TYPES AVAILABLE *****
+#
+# acl aclname src ip-address/mask ... # clients IP address [fast]
+# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
+# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
+#
+#if USE_SQUID_EUI
+# acl aclname arp mac-address ...
+# acl aclname eui64 eui64-address ...
+# # [fast]
+# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
+# #
+# # The 'arp' ACL code is not portable to all operating systems.
+# # It works on Linux, Solaris, Windows, FreeBSD, and some other
+# # BSD variants.
+# #
+# # The eui_lookup directive is required to be 'on' (the default)
+# # and Squid built with --enable-eui for MAC/EUI addresses to be
+# # available for this ACL.
+# #
+# # Squid can only determine the MAC/EUI address for IPv4
+# # clients that are on the same subnet. If the client is on a
+# # different subnet, then Squid cannot find out its address.
+# #
+# # IPv6 protocol does not contain ARP. MAC/EUI is either
+# # encoded directly in the IPv6 address or not available.
+#endif
+# acl aclname clientside_mark mark[/mask] ...
+# # matches CONNMARK of an accepted connection [fast]
+# # DEPRECATED. Use the 'client_connection_mark' instead.
+#
+# acl aclname client_connection_mark mark[/mask] ...
+# # matches CONNMARK of an accepted connection [fast]
+# #
+# # mark and mask are unsigned integers (hex, octal, or decimal).
+# # If multiple marks are given, then the ACL matches if at least
+# # one mark matches.
+# #
+# # Uses netfilter-conntrack library.
+# # Requires building Squid with --enable-linux-netfilter.
+# #
+# # The client, various intermediaries, and Squid itself may set
+# # CONNMARK at various times. The last CONNMARK set wins. This ACL
+# # checks the mark present on an accepted connection or set by
+# # Squid afterwards, depending on the ACL check timing. This ACL
+# # effectively ignores any mark set by other agents after Squid has
+# # accepted the connection.
+#
+# acl aclname srcdomain .foo.com ...
+# # reverse lookup, from client IP [slow]
+# acl aclname dstdomain [-n] .foo.com ...
+# # Destination server from URL [fast]
+# acl aclname srcdom_regex [-i] \.foo\.com ...
+# # regex matching client name [slow]
+# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
+# # regex matching server [fast]
+# #
+# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+# # based URL is used and no match is found. The name "none" is used
+# # if the reverse lookup fails.
+#
+# acl aclname src_as number ...
+# acl aclname dst_as number ...
+# # [fast]
+# # Except for access control, AS numbers can be used for
+# # routing of requests to specific caches. Here's an
+# # example for routing all requests for AS#1241 and only
+# # those to mycache.mydomain.net:
+# # acl asexample dst_as 1241
+# # cache_peer_access mycache.mydomain.net allow asexample
+# # cache_peer_access mycache_mydomain.net deny all
+#
+# acl aclname peername myPeer ...
+# acl aclname peername_regex [-i] regex-pattern ...
+# # [fast]
+# # match against a named cache_peer entry
+# # set unique name= on cache_peer lines for reliable use.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# # [fast]
+# # day-abbrevs:
+# # S - Sunday
+# # M - Monday
+# # T - Tuesday
+# # W - Wednesday
+# # H - Thursday
+# # F - Friday
+# # A - Saturday
+# # h1:m1 must be less than h2:m2
+#
+# acl aclname url_regex [-i] ^http:// ...
+# # regex matching on whole URL [fast]
+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+# # regex matching on URL login field
+# acl aclname urlpath_regex [-i] \.gif$ ...
+# # regex matching on URL path [fast]
+#
+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
+# # ranges are alloed
+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
+# # NP: for interception mode this is usually '80'
+#
+# acl aclname myportname 3128 ... # *_port name [fast]
+#
+# acl aclname proto HTTP FTP ... # request protocol [fast]
+#
+# acl aclname method GET POST ... # HTTP request method [fast]
+#
+# acl aclname http_status 200 301 500- 400-403 ...
+# # status code in reply [fast]
+#
+# acl aclname browser [-i] regexp ...
+# # pattern match on User-Agent header (see also req_header below) [fast]
+#
+# acl aclname referer_regex [-i] regexp ...
+# # pattern match on Referer header [fast]
+# # Referer is highly unreliable, so use with care
+#
+# acl aclname ident [-i] username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output [slow]
+# # use REQUIRED to accept any non-null ident.
+#
+# acl aclname proxy_auth [-i] username ...
+# acl aclname proxy_auth_regex [-i] pattern ...
+# # perform http authentication challenge to the client and match against
+# # supplied credentials [slow]
+# #
+# # takes a list of allowed usernames.
+# # use REQUIRED to accept any valid username.
+# #
+# # Will use proxy authentication in forward-proxy scenarios, and plain
+# # http authenticaiton in reverse-proxy scenarios
+# #
+# # NOTE: when a Proxy-Authentication header is sent but it is not
+# # needed during ACL checking the username is NOT logged
+# # in access.log.
+# #
+# # NOTE: proxy_auth requires a EXTERNAL authentication program
+# # to check username/password combinations (see
+# # auth_param directive).
+# #
+# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
+# # as the browser needs to be configured for using a proxy in order
+# # to respond to proxy authentication.
+#
+# acl aclname snmp_community string ...
+# # A community string to limit access to your SNMP Agent [fast]
+# # Example:
+# #
+# # acl snmppublic snmp_community public
+#
+# acl aclname maxconn number
+# # This will be matched when the client's IP address has
+# # more than TCP connections established. [fast]
+# # NOTE: This only measures direct TCP links so X-Forwarded-For
+# # indirect clients are not counted.
+#
+# acl aclname max_user_ip [-s] number
+# # This will be matched when the user attempts to log in from more
+# # than different ip addresses. The authenticate_ip_ttl
+# # parameter controls the timeout on the ip entries. [fast]
+# # If -s is specified the limit is strict, denying browsing
+# # from any further IP addresses until the ttl has expired. Without
+# # -s Squid will just annoy the user by "randomly" denying requests.
+# # (the counter is reset each time the limit is reached and a
+# # request is denied)
+# # NOTE: in acceleration mode or where there is mesh of child proxies,
+# # clients may appear to come from multiple addresses if they are
+# # going through proxy farms, so a limit of 1 may cause user problems.
+#
+# acl aclname random probability
+# # Pseudo-randomly match requests. Based on the probability given.
+# # Probability may be written as a decimal (0.333), fraction (1/3)
+# # or ratio of matches:non-matches (3:5).
+#
+# acl aclname req_mime_type [-i] mime-type ...
+# # regex match against the mime type of the request generated
+# # by the client. Can be used to detect file upload or some
+# # types HTTP tunneling requests [fast]
+# # NOTE: This does NOT match the reply. You cannot use this
+# # to match the returned file type.
+#
+# acl aclname req_header header-name [-i] any\.regex\.here
+# # regex match against any of the known request headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACL [fast]
+#
+# acl aclname rep_mime_type [-i] mime-type ...
+# # regex match against the mime type of the reply received by
+# # squid. Can be used to detect file download or some
+# # types HTTP tunneling requests. [fast]
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname rep_header header-name [-i] any\.regex\.here
+# # regex match against any of the known reply headers. May be
+# # thought of as a superset of "browser", "referer" and "mime-type"
+# # ACLs [fast]
+#
+# acl aclname external class_name [arguments...]
+# # external ACL lookup via a helper class defined by the
+# # external_acl_type directive [slow]
+#
+# acl aclname user_cert attribute values...
+# # match against attributes in a user SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ca_cert attribute values...
+# # match against attributes a users issuing CA SSL certificate
+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
+#
+# acl aclname ext_user [-i] username ...
+# acl aclname ext_user_regex [-i] pattern ...
+# # string match on username returned by external acl helper [slow]
+# # use REQUIRED to accept any non-null user name.
+#
+# acl aclname tag tagvalue ...
+# # string match on tag returned by external acl helper [fast]
+# # DEPRECATED. Only the first tag will match with this ACL.
+# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note [-m[=delimiters]] name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # If the -m flag is used, then the value of the named +# # annotation is interpreted as a list of tokens, and the ACL +# # matches individual name=token pairs rather than whole +# # name=value pairs. See "ACL Options" above for more info. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname annotate_transaction [-m[=delimiters]] key=value ... +# acl aclname annotate_transaction [-m[=delimiters]] key+=value ... +# # Always matches. [fast] +# # Used for its side effect: This ACL immediately adds a +# # key=value annotation to the current master transaction. +# # The added annotation can then be tested using note ACL and +# # logged (or sent to helpers) using %note format code. +# # +# # Annotations can be specified using replacement and addition +# # formats. The key=value form replaces old same-key annotation +# # value(s). The key+=value form appends a new value to the old +# # same-key annotation. Both forms create a new key=value +# # annotation if no same-key annotation exists already. If +# # -m flag is used, then the value is interpreted as a list +# # and the annotation will contain key=token pair(s) instead of the +# # whole key=value pair. +# # +# # This ACL is especially useful for recording complex multi-step +# # ACL-driven decisions. 
For example, the following configuration
+# # avoids logging transactions accepted after aclX matched:
+# #
+# # # First, mark transactions accepted after aclX matched
+# # acl markSpecial annotate_transaction special=true
+# # http_access allow acl001
+# # ...
+# # http_access deny acl100
+# # http_access allow aclX markSpecial
+# #
+# # # Second, do not log marked transactions:
+# # acl markedSpecial note special true
+# # access_log ... deny markedSpecial
+# #
+# # # Note that the following would not have worked because aclX
+# # # alone does not determine whether the transaction was allowed:
+# # access_log ... deny aclX # Wrong!
+# #
+# # Warning: This ACL annotates the transaction even when negated
+# # and even if subsequent ACLs fail to match. For example, the
+# # following three rules will have exactly the same effect as far
+# # as annotations set by the "mark" ACL are concerned:
+# #
+# # some_directive acl1 ... mark # rule matches if mark is reached
+# # some_directive acl1 ... !mark # rule never matches
+# # some_directive acl1 ... mark !all # rule never matches
+#
+# acl aclname annotate_client [-m[=delimiters]] key=value ...
+# acl aclname annotate_client [-m[=delimiters]] key+=value ...
+# #
+# # Always matches. [fast]
+# # Used for its side effect: This ACL immediately adds a
+# # key=value annotation to the current client-to-Squid
+# # connection. Connection annotations are propagated to the current
+# # and all future master transactions on the annotated connection.
+# # See the annotate_transaction ACL for details.
+# #
+# # For example, the following configuration avoids rewriting URLs
+# # of transactions bumped by SslBump:
+# #
+# # # First, mark bumped connections:
+# # acl markBumped annotate_client bumped=true
+# # ssl_bump peek acl1
+# # ssl_bump stare acl2
+# # ssl_bump bump acl3 markBumped
+# # ssl_bump splice all
+# #
+# # # Second, do not send marked transactions to the redirector:
+# # acl markedBumped note bumped true
+# # url_rewrite_access deny markedBumped
+# #
+# # # Note that the following would not have worked because acl3 alone
+# # # does not determine whether the connection is going to be bumped:
+# # url_rewrite_access deny acl3 # Wrong!
+#
+# acl aclname adaptation_service service ...
+# # Matches the name of any icap_service, ecap_service,
+# # adaptation_service_set, or adaptation_service_chain that Squid
+# # has used (or attempted to use) for the master transaction.
+# # This ACL must be defined after the corresponding adaptation
+# # service is named in squid.conf. This ACL is usable with
+# # adaptation_meta because it starts matching immediately after
+# # the service has been selected for adaptation.
+#
+# acl aclname transaction_initiator initiator ...
+# # Matches transaction's initiator [fast]
+# #
+# # Supported initiators are:
+# # esi: matches transactions fetching ESI resources
+# # certificate-fetching: matches transactions fetching
+# # a missing intermediate TLS certificate
+# # cache-digest: matches transactions fetching Cache Digests
+# # from a cache_peer
+# # htcp: matches HTCP requests from peers
+# # icp: matches ICP requests to peers
+# # icmp: matches ICMP RTT database (NetDB) requests to peers
+# # asn: matches asns db requests
+# # internal: matches any of the above
+# # client: matches transactions containing an HTTP or FTP
+# # client request received at a Squid *_port
+# # all: matches any transaction, including internal transactions
+# # without a configurable initiator and hopefully rare
+# # transactions without a known-to-Squid initiator
+# #
+# # Multiple initiators are ORed.
+#
+# acl aclname has component
+# # matches a transaction "component" [fast]
+# #
+# # Supported transaction components are:
+# # request: transaction has a request header (at least)
+# # response: transaction has a response header (at least)
+# # ALE: transaction has an internally-generated Access Log Entry
+# # structure; bugs notwithstanding, all transaction have it
+# #
+# # For example, the following configuration helps when dealing with HTTP
+# # clients that close connections without sending a request header:
+# #
+# # acl hasRequest has request
+# # acl logMe note important_transaction
+# # # avoid "logMe ACL is used in context without an HTTP request" warnings
+# # access_log ... logformat=detailed hasRequest logMe
+# # # log request-less transactions, instead of ignoring them
+# # access_log ...
logformat=brief !hasRequest
+# #
+# # Multiple components are not supported for one "acl" rule, but
+# # can be specified (and are ORed) using multiple same-name rules:
+# #
+# # # OK, this strange logging daemon needs request or response,
+# # # but can work without either a request or a response:
+# # acl hasWhatMyLoggingDaemonNeeds has request
+# # acl hasWhatMyLoggingDaemonNeeds has response
+#
+#acl aclname at_step step
+# # match against the current request processing step [fast]
+# # Valid steps are:
+# # GeneratingCONNECT: Generating HTTP CONNECT request headers
+#
+# acl aclname any-of acl1 acl2 ...
+# # match any one of the acls [fast or slow]
+# # The first matching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple any-of lines with the same name are ORed.
+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
+# # acl A any-of a1 a2
+# # acl A any-of a3 a4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# acl aclname all-of acl1 acl2 ...
+# # match all of the acls [fast or slow]
+# # The first mismatching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple all-of lines with the same name are ORed.
+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
+# # acl B all-of b1 b2
+# # acl B all-of b3 b4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# Examples:
+# acl macaddress arp 09:00:2b:23:45:67
+# acl myexample dst_as 1241
+# acl password proxy_auth REQUIRED
+# acl fileupload req_mime_type -i ^multipart/form-data$
+# acl javascript rep_mime_type -i ^application/x-javascript$
+#
+#Default:
+# ACLs all, manager, localhost, to_localhost, and CONNECT are predefined.
+#
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+
+# TAG: proxy_protocol_access
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address using PROXY protocol.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# This directive is solely for validating new PROXY protocol
+# connections received from a port flagged with require-proxy-header.
+# It is checked only once after TCP connection setup.
+#
+# A deny match results in TCP connection closure.
+#
+# An allow match is required for Squid to permit the corresponding
+# TCP connection, before Squid even looks for HTTP request headers.
+# If there is an allow match, Squid starts using PROXY header information
+# to determine the source address of the connection for all future ACL
+# checks, logging, etc.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# all TCP connections to ports with require-proxy-header will be denied
+
+# TAG: follow_x_forwarded_for
+# Determine which client proxies can be trusted to provide correct
+# information regarding real client IP address.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The original source details may by sent in:
+# * HTTP message Forwarded header, or
+# * HTTP message X-Forwarded-For header, or
+# * PROXY protocol connection header.
+#
+# PROXY protocol connections are controlled by the proxy_protocol_access
+# directive which is checked before this.
+#
+# If a request reaches us from a source that is allowed by this
+# directive, then we trust the information it provides regarding
+# the IP of the client it received from (if any).
+#
+# For the purpose of ACLs used in this directive the src ACL type always
+# matches the address we are testing and srcdomain matches its rDNS.
+#
+# On each HTTP request Squid checks for X-Forwarded-For header fields.
+# If found the header values are iterated in reverse order and an allow
+# match is required for Squid to continue on to the next value.
+# The verification ends when a value receives a deny match, cannot be
+# tested, or there are no more values to test.
+# NOTE: Squid does not yet follow the Forwarded HTTP header.
+#
+# The end result of this process is an IP address that we will
+# refer to as the indirect client address. This address may
+# be treated as the client address for access control, ICAP, delay
+# pools and logging, depending on the acl_uses_indirect_client,
+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
+# log_uses_indirect_client and tproxy_uses_indirect_client options.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host from which we accept client IP details can place
+# incorrect information in the relevant header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# For example:
+#
+# acl localhost src 127.0.0.1
+# acl my_other_proxy srcdomain .proxy.example.com
+# follow_x_forwarded_for allow localhost
+# follow_x_forwarded_for allow my_other_proxy
+#Default:
+# X-Forwarded-For header will be ignored.
+
+# TAG: acl_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in acl matching.
+#
+# NOTE: maxconn ACL considers direct TCP links and indirect
+# clients will always have zero. So no match.
+#Default:
+# acl_uses_indirect_client on
+
+# TAG: delay_pool_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in delay pools.
+#Default:
+# delay_pool_uses_indirect_client on
+
+# TAG: log_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in the access log.
+#Default:
+# log_uses_indirect_client on
+
+# TAG: tproxy_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address when spoofing the outgoing client.
+#
+# This has no effect on requests arriving in non-tproxy
+# mode ports.
+#
+# SECURITY WARNING: Usage of this option is dangerous
+# and should not be used trivially. Correct configuration
+# of follow_x_forwarded_for with a limited set of trusted
+# sources is required to prevent abuse of your proxy.
+#Default:
+# tproxy_uses_indirect_client off
+
+# TAG: spoof_client_ip
+# Control client IP address spoofing of TPROXY traffic based on
+# defined access lists.
+#
+# spoof_client_ip allow|deny [!]aclname ...
+#
+# If there are no "spoof_client_ip" lines present, the default
+# is to "allow" spoofing of any suitable request.
+#
+# Note that the cache_peer "no-tproxy" option overrides this ACL.
+#
+# This clause supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow spoofing on all TPROXY traffic.
+
+# TAG: http_access
+# Allowing or Denying access based on defined access lists
+#
+# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
+# http_access allow|deny [!]aclname ...
+#
+# NOTE on default values:
+#
+# If there are no "access" lines present, the default is to deny
+# the request.
+#
+# If none of the "access" lines cause a match, the default is the
+# opposite of the last line in the list. If the last line was
+# deny, the default is allow. Conversely, if the last line
+# is allow, the default will be deny. For these reasons, it is a
+# good idea to have an "deny all" entry at the end of your access
+# lists to avoid potential confusion.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# Deny, unless rules exist in squid.conf.
+#
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+
+#Passwords for proxy and stuff idk
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
+auth_param basic children 5
+auth_param basic credentialsttl 1 minute
+
+
+# MES ACL
+acl auth proxy_auth REQUIRED
+acl localnet src 172.16.0.0/24
+acl allowed_ips src 172.16.0.100-172.16.0.255
+acl deny_ips src 172.16.0.5-172.16.0.99
+acl mots_cles url_regex -i tf1 c8 m6 francetv oqee france3 canal chine japon france allemagne corse inde irlande afrique mali somalie iran irak italie angleterre royaume
+acl urls_interdit url_regex youtube.com facebook.com twitch.tv discord.com instragram.com instagram.fr snapchat.com snapchat.fr
+acl horaires_pause time MTWHF 12:00-14:00
+
+
+http_access deny !auth
+http_access allow auth
+http_access allow allowed_ips urls_interdit
+http_access allow allowed_ips mots_cles
+http_access allow mots_cles horaires_pause
+http_access allow urls_interdit horaires_pause
+http_access deny mots_cles
+http_access deny urls_interdit
+http_access allow localnet
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+include /etc/squid/conf.d/*.conf
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+#http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# TAG: adapted_http_access
+# Allowing or Denying access based on defined access lists
+#
+# Essentially identical to http_access, but runs after redirectors
+# and ICAP/eCAP adaptation. Allowing access control based on their
+# output.
+#
+# If not set then only http_access is used.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: http_reply_access
+# Allow replies to client requests. This is complementary to http_access.
+#
+# http_reply_access allow|deny [!] aclname ...
+#
+# NOTE: if there are no access lines present, the default is to allow
+# all replies.
+#
+# If none of the access lines cause a match the opposite of the
+# last line will apply. Thus it is good practice to end the rules
+# with an "allow all" or "deny all" entry.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: icp_access
+# Allowing or Denying access to the ICP port based on defined
+# access lists
+#
+# icp_access allow|deny [!]aclname ...
+#
+# NOTE: The default if no icp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using ICP.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow ICP queries from local networks only
+##icp_access allow localnet
+##icp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_access
+# Allowing or Denying access to the HTCP port based on defined
+# access lists
+#
+# htcp_access allow|deny [!]aclname ...
+#
+# See also htcp_clr_access for details on access control for
+# cache purge (CLR) HTCP messages.
+#
+# NOTE: The default if no htcp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using the htcp option.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP queries from local networks only
+##htcp_access allow localnet
+##htcp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: htcp_clr_access
+# Allowing or Denying access to purge content using HTCP based
+# on defined access lists.
+# See htcp_access for details on general HTCP access control.
+#
+# htcp_clr_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP CLR requests from trusted peers
+#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
+#htcp_clr_access allow htcp_clr_peer
+#htcp_clr_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: miss_access
+# Determines whether network access is permitted when satisfying a request.
+#
+# For example;
+# to force your neighbors to use you as a sibling instead of
+# a parent.
+#
+# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
+# miss_access deny !localclients
+# miss_access allow all
+#
+# This means only your local clients are allowed to fetch relayed/MISS
+# replies from the network and all other clients can only fetch cached
+# objects (HITs).
+#
+# The default for this setting allows all clients who passed the
+# http_access rules to relay via this proxy.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: ident_lookup_access
+# A list of ACL elements which, if matched, cause an ident
+# (RFC 931) lookup to be performed for this request.
For
+# example, you might choose to always perform ident lookups
+# for your main multi-user Unix boxes, but not for your Macs
+# and PCs. By default, ident lookups are not performed for
+# any requests.
+#
+# To enable ident lookups for specific client addresses, you
+# can follow this example:
+#
+# acl ident_aware_hosts src 198.168.1.0/24
+# ident_lookup_access allow ident_aware_hosts
+# ident_lookup_access deny all
+#
+# Only src type ACL checks are fully supported. A srcdomain
+# ACL might work at times, but it will not always provide
+# the correct result.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Unless rules exist in squid.conf, IDENT is not fetched.
+
+# TAG: reply_body_max_size size [acl acl...]
+# This option specifies the maximum size of a reply body. It can be
+# used to prevent users from downloading very large files, such as
+# MP3's and movies. When the reply headers are received, the
+# reply_body_max_size lines are processed, and the first line where
+# all (if any) listed ACLs are true is used as the maximum body size
+# for this reply.
+#
+# This size is checked twice. First when we get the reply headers,
+# we check the content-length value. If the content length value exists
+# and is larger than the allowed size, the request is denied and the
+# user receives an error message that says "the request or reply
+# is too large." If there is no content-length, and the reply
+# size exceeds this limit, the client's connection is just closed
+# and they will receive a partial reply.
+#
+# WARNING: downstream caches probably can not detect a partial reply
+# if there is no content-length header, so they will cache
+# partial responses and give them out as hits. You should NOT
+# use this option if you have downstream caches.
+#
+# WARNING: A maximum size smaller than the size of squid's error messages
+# will cause an infinite loop and crash squid.
Ensure that the smallest
+# non-zero value you use is greater that the maximum header size plus
+# the size of your largest error page.
+#
+# If you set this parameter none (the default), there will be
+# no limit imposed.
+#
+# Configuration Format is:
+# reply_body_max_size SIZE UNITS [acl ...]
+# ie.
+# reply_body_max_size 10 MB
+#
+#Default:
+# No limit is applied.
+
+# TAG: on_unsupported_protocol
+# Determines Squid behavior when encountering strange requests at the
+# beginning of an accepted TCP connection or the beginning of a bumped
+# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
+# especially useful in interception environments where Squid is likely
+# to see connections for unsupported protocols that Squid should either
+# terminate or tunnel at TCP level.
+#
+# on_unsupported_protocol [!]acl ...
+#
+# The first matching action wins. Only fast ACLs are supported.
+#
+# Supported actions are:
+#
+# tunnel: Establish a TCP connection with the intended server and
+# blindly shovel TCP packets between the client and server.
+#
+# respond: Respond with an error message, using the transfer protocol
+# for the Squid port that received the request (e.g., HTTP
+# for connections intercepted at the http_port). This is the
+# default.
+#
+# Squid expects the following traffic patterns:
+#
+# http_port: a plain HTTP request
+# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
+# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
+# CONNECT tunnel on http_port: same as https_port
+# CONNECT tunnel on https_port: same as https_port
+#
+# Currently, this directive has effect on intercepted connections and
+# bumped tunnels only. Other cases are not supported because Squid
+# cannot know the intended destination of other traffic.
+#
+# For example:
+# # define what Squid errors indicate receiving non-HTTP traffic:
+# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
+# # define what Squid errors indicate receiving nothing:
+# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
+# # tunnel everything that does not look like HTTP:
+# on_unsupported_protocol tunnel foreignProtocol
+# # tunnel if we think the client waits for the server to talk first:
+# on_unsupported_protocol tunnel serverTalksFirstProtocol
+# # in all other error cases, just send an HTTP "error page" response:
+# on_unsupported_protocol respond all
+#
+# See also: squid_error ACL
+#Default:
+# Respond with an error message to unidentifiable traffic
+
+# TAG: auth_schemes
+# Use this directive to customize authentication schemes presence and
+# order in Squid's Unauthorized and Authentication Required responses.
+#
+# auth_schemes scheme1,scheme2,... [!]aclname ...
+#
+# where schemeN is the name of one of the authentication schemes
+# configured using auth_param directives. At least one scheme name is
+# required. Multiple scheme names are separated by commas. Either
+# avoid whitespace or quote the entire schemes list.
+#
+# A special "ALL" scheme name expands to all auth_param-configured
+# schemes in their configuration order. This directive cannot be used
+# to configure Squid to offer no authentication schemes at all.
+#
+# The first matching auth_schemes rule determines the schemes order
+# for the current Authentication Required transaction. Note that the
+# future response is not yet available during auth_schemes evaluation.
+#
+# If this directive is not used or none of its rules match, then Squid
+# responds with all configured authentication schemes in the order of
+# auth_param directives in the configuration file.
+#
+# This directive does not determine when authentication is used or
+# how each authentication scheme authenticates clients.
+#
+# The following example sends basic and negotiate authentication
+# schemes, in that order, when requesting authentication of HTTP
+# requests matching the isIE ACL (not shown) while sending all
+# auth_param schemes in their configuration order to other clients:
+#
+# auth_schemes basic,negotiate isIE
+# auth_schemes ALL all # explicit default
+#
+# This directive supports fast ACLs only.
+#
+# See also: auth_param.
+#Default:
+# use all auth_param schemes in their configuration order
+
+# NETWORK OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: http_port
+# Usage: port [mode] [options]
+# hostname:port [mode] [options]
+# 1.2.3.4:port [mode] [options]
+#
+# The socket addresses where Squid will listen for HTTP client
+# requests. You may specify multiple socket addresses.
+# There are three forms: port alone, hostname with port, and
+# IP address with port. If you specify a hostname or IP
+# address, Squid binds the socket to that specific
+# address. Most likely, you do not need to bind to a specific
+# address, so you can use the port number alone.
+#
+# If you are running Squid in accelerator mode, you
+# probably want to listen on port 80 also, or instead.
+#
+# The -a command line option may be used to specify additional
+# port(s) where Squid listens for proxy request. Such ports will
+# be plain proxy ports with no options.
+#
+# You may specify multiple socket addresses on multiple lines.
+#
+# Modes:
+#
+# intercept Support for IP-Layer NAT interception delivering
+# traffic to this Squid port.
+# NP: disables authentication on the port.
+#
+# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
+# of outgoing connections using the client IP address.
+# NP: disables authentication on the port.
+#
+# accel Accelerator / reverse proxy mode
+#
+# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
+# establish secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# The ssl_bump option is required to fully enable
+# bumping of CONNECT requests.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# Accelerator Mode Options:
+#
+# defaultsite=domainname
+# What to use for the Host: header if it is not present
+# in a request. Determines what site (not origin server)
+# accelerators should consider the default.
+#
+# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
+#
+# protocol= Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to HTTP/1.1 for http_port and
+# HTTPS/1.1 for https_port.
+# When an unsupported value is configured Squid will
+# produce a FATAL error.
+# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
+#
+# vport Virtual host port support. Using the http_port number
+# instead of the port passed on Host: headers.
+#
+# vport=NN Virtual host port support. Using the specified port
+# number instead of the port passed on Host: headers.
+#
+# act-as-origin
+# Act as if this Squid is the origin server.
+# This currently means generate new Date: and Expires:
+# headers on HIT instead of adding Age:.
+#
+# ignore-cc Ignore request Cache-Control headers.
+#
+# WARNING: This option violates HTTP specifications if
+# used in non-accelerator setups.
+#
+# allow-direct Allow direct forwarding in accelerator mode. Normally
+# accelerated requests are denied direct forwarding as if
+# never_direct was used.
+#
+# WARNING: this option opens accelerator mode to security
+# vulnerabilities usually only affecting in interception
+# mode. Make sure to protect forwarding with suitable
+# http_access rules when using this.
+#
+#
+# SSL Bump Mode Options:
+# In addition to these options ssl-bump requires TLS/SSL options.
+#
+# generate-host-certificates[=]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is a CA certificate lifetime of the generated
+# certificate equals lifetime of the CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when ssl-bump is used.
+# See the ssl-bump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB.
+#
+# TLS / SSL Options:
+#
+# tls-cert= Path to file containing an X.509 certificate (PEM format)
+# to be used in the TLS handshake ServerHello.
+#
+# If this certificate is constrained by KeyUsage TLS
+# feature it must allow HTTP server usage, along with
+# any additional restrictions imposed by your choice
+# of options= settings.
+#
+# When OpenSSL is used this file may also contain a
+# chain of intermediate CA certificates to send in the
+# TLS handshake.
+#
+# When GnuTLS is used this option (and any paired
+# tls-key= option) may be repeated to load multiple
+# certificates for different domains.
+#
+# Also, when generate-host-certificates=on is configured
+# the first tls-cert= option must be a CA certificate
+# capable of signing the automatically generated
+# certificates.
+#
+# tls-key= Path to a file containing private key file (PEM format)
+# for the previous tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
+#
+# options= Various SSL implementation options. The most important
+# being:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# NO_TLSv1 Disallow the use of TLSv1.0
+#
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+#
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# SINGLE_ECDH_USE
+# Enable ephemeral ECDH key exchange.
+# The adopted curve should be specified
+# using the tls-dh option.
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# clientca= File containing the list of CAs to use when
+# requesting a client certificate.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# client certificates. If not configured clientca will be
+# used. May be repeated to load multiple files.
+#
+# capath= Directory containing additional CA certificates
+# and CRL lists to use when verifying client certificates.
+# Requires OpenSSL or LibreSSL.
+#
+# crlfile= File of additional CRL lists to use when verifying
+# the client certificate, in addition to CRLs stored in
+# the capath. Implies VERIFY_CRL flag below.
+#
+# tls-dh=[curve:]file
+# File containing DH parameters for temporary/ephemeral DH key
+# exchanges, optionally prefixed by a curve for ephemeral ECDH
+# key exchanges.
+# See OpenSSL documentation for details on how to create the
+# DH parameter file.
Supported curves for ECDH can be listed
+# using the "openssl ecparam -list_curves" command.
+# WARNING: EDH and EECDH ciphers will be silently disabled if
+# this option is not set.
+#
+# sslflags= Various flags modifying the use of SSL:
+# DELAYED_AUTH
+# Don't request client certificates
+# immediately, but wait until acl processing
+# requires a certificate (not yet implemented).
+# CONDITIONAL_AUTH
+# Request a client certificate during the TLS
+# handshake, but ignore certificate absence in
+# the TLS client Hello. If the client does
+# supply a certificate, it is validated.
+# NO_SESSION_REUSE
+# Don't allow for session reuse. Each connection
+# will result in a new SSL session.
+# VERIFY_CRL
+# Verify CRL lists when accepting client
+# certificates.
+# VERIFY_CRL_ALL
+# Verify CRL lists for all certificates in the
+# client certificate chain.
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is OFF.
+#
+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+#
+# sslcontext= SSL session ID context identifier.
+#
+# Other Options:
+#
+# connection-auth[=on|off]
+# use connection-auth=off to tell Squid to prevent
+# forwarding Microsoft connection oriented authentication
+# (NTLM, Negotiate and Kerberos)
+#
+# disable-pmtu-discovery=
+# Control Path-MTU discovery usage:
+# off lets OS decide on what to do (default).
+# transparent disable PMTU discovery when transparent
+# support is enabled.
+# always disable always PMTU discovery.
+#
+# In many setups of transparently intercepting proxies
+# Path-MTU discovery can not work on traffic towards the
+# clients. This is the case when the intercepting device
+# does not fully track connections and fails to forward
+# ICMP must fragment messages to the cache server. If you
+# have such setup and experience that certain clients
+# sporadically hang or never complete requests set
+# disable-pmtu-discovery option to 'transparent'.
+#
+# name= Specifies a internal name for the port. Defaults to
+# the port specification (port or addr:port)
+#
+# tcpkeepalive[=idle,interval,timeout]
+# Enable TCP keepalive probes of idle connections.
+# In seconds; idle is the initial time before TCP starts
+# probing the connection, interval how often to probe, and
+# timeout the time before giving up.
+#
+# require-proxy-header
+# Require PROXY protocol version 1 or 2 connections.
+# The proxy_protocol_access is required to permit
+# downstream proxies which can be trusted.
+#
+# worker-queues
+# Ask TCP stack to maintain a dedicated listening queue
+# for each worker accepting requests at this port.
+# Requires TCP stack that supports the SO_REUSEPORT socket
+# option.
+#
+# SECURITY WARNING: Enabling worker-specific queues
+# allows any process running as Squid's effective user to
+# easily accept requests destined to this port.
+#
+# If you run Squid on a dual-homed machine with an internal
+# and an external interface we recommend you to specify the
+# internal address:port in http_port. This way Squid will only be
+# visible on the internal address.
+#
+#
+
+# Squid normally listens to port 3128
+http_port 8080
+
+# TAG: https_port
+# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
+#
+# The socket address where Squid will listen for client requests made
+# over TLS or SSL connections. Commonly referred to as HTTPS.
+#
+# This is most useful for situations where you are running squid in
+# accelerator mode and you want to do the TLS work at the accelerator
+# level.
+#
+# You may specify multiple socket addresses on multiple lines,
+# each with their own certificate and/or options.
+#
+# The tls-cert= option is mandatory on HTTPS ports.
+#
+# See http_port for a list of modes and options.
+#Default:
+# none
+
+# TAG: ftp_port
+# Enables Native FTP proxy by specifying the socket address where Squid
+# listens for FTP client requests.
See http_port directive for various
+# ways to specify the listening address and mode.
+#
+# Usage: ftp_port address [mode] [options]
+#
+# WARNING: This is a new, experimental, complex feature that has seen
+# limited production exposure. Some Squid modules (e.g., caching) do not
+# currently work with native FTP proxying, and many features have not
+# even been tested for compatibility. Test well before deploying!
+#
+# Native FTP proxying differs substantially from proxying HTTP requests
+# with ftp:// URIs because Squid works as an FTP server and receives
+# actual FTP commands (rather than HTTP requests with FTP URLs).
+#
+# Native FTP commands accepted at ftp_port are internally converted or
+# wrapped into HTTP-like messages. The same happens to Native FTP
+# responses received from FTP origin servers. Those HTTP-like messages
+# are shoveled through regular access control and adaptation layers
+# between the FTP client and the FTP origin server. This allows Squid to
+# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
+# mechanisms when shoveling wrapped FTP messages. For example,
+# http_access and adaptation_access directives are used.
+#
+# Modes:
+#
+# intercept Same as http_port intercept. The FTP origin address is
+# determined based on the intended destination of the
+# intercepted connection.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
+#
+# By default (i.e., without an explicit mode option), Squid extracts the
+# FTP origin address from the login@origin parameter of the FTP USER
+# command. Many popular FTP clients support such native FTP proxying.
+#
+# Options:
+#
+# name=token Specifies an internal name for the port. Defaults to
+# the port address. Usable with myportname ACL.
+#
+# ftp-track-dirs
+# Enables tracking of FTP directories by injecting extra
+# PWD commands and adjusting Request-URI (in wrapping
+# HTTP requests) to reflect the current FTP server
+# directory. Tracking is disabled by default.
+#
+# protocol=FTP Protocol to reconstruct accelerated and intercepted
+# requests with. Defaults to FTP. No other accepted
+# values have been tested with. An unsupported value
+# results in a FATAL error. Accepted values are FTP,
+# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
+#
+# Other http_port modes and options that are not specific to HTTP and
+# HTTPS may also work.
+#Default:
+# none
+
+# TAG: tcp_outgoing_tos
+# Allows you to select a TOS/Diffserv value for packets outgoing
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_tos 0x00 normal_service_net
+# tcp_outgoing_tos 0x20 good_service_net
+#
+# TOS/DSCP values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: clientside_tos
+# Allows you to select a TOS/DSCP value for packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_tos 0x00 normal_service_net
+# clientside_tos 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any TOS values set here
+# will be overwritten by TOS values in qos_flows.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+# "default" to use whatever default your host has.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: tcp_outgoing_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to outgoing packets
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_mark 0x00 normal_service_net
+# tcp_outgoing_mark 0x20 good_service_net
+#
+# Only fast ACLs are supported.
+#Default:
+# none
+
+# TAG: mark_client_packet
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter MARK value to packets being transmitted
+# on the client-side, based on an ACL.
+#
+# mark_client_packet mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the MARK value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# mark_client_packet 0x00 normal_service_net
+# mark_client_packet 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any mark values set here
+# will be overwritten by mark values in qos_flows.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: mark_client_connection
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter CONNMARK value to a connection
+# on the client-side, based on an ACL.
+#
+# mark_client_connection mark-value[/mask] [!]aclname ...
+#
+# The mark-value and mask are unsigned integers (hex, octal, or decimal).
+# The mask may be used to preserve marking previously set by other agents
+# (e.g., iptables).
+#
+# A matching rule replaces the CONNMARK value. If a mask is also
+# specified, then the masked bits of the original value are zeroed, and
+# the configured mark-value is ORed with that adjusted value.
+# For example, applying a mark-value 0xAB/0xF to 0x5F CONNMARK, results
+# in a 0xFB marking (rather than a 0xAB or 0x5B).
+#
+# This directive semantics is similar to iptables --set-mark rather than
+# --set-xmark functionality.
+#
+# The directive does not interfere with qos_flows (which uses packet MARKs,
+# not CONNMARKs).
+#
+# Example where squid marks intercepted FTP connections:
+#
+# acl proto_ftp proto FTP
+# mark_client_connection 0x200/0xff00 proto_ftp
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
+
+# TAG: qos_flows
+# Allows you to select a TOS/DSCP value to mark outgoing
+# connections to the client, based on where the reply was sourced.
+# For platforms using netfilter, allows you to set a netfilter mark
+# value instead of, or in addition to, a TOS value.
+#
+# By default this functionality is disabled. To enable it with the default
+# settings simply use "qos_flows mark" or "qos_flows tos". Default
+# settings will result in the netfilter mark or TOS value being copied
+# from the upstream connection to the client. Note that it is the connection
+# CONNMARK value not the packet MARK value that is copied.
+#
+# It is not currently possible to copy the mark or TOS value from the
+# client to the upstream connection request.
+#
+# TOS values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
+# Note that only multiples of 4 are usable as the two rightmost bits have
+# been redefined for use by ECN (RFC 3168 section 23.1).
+# The squid parser will enforce this by masking away the ECN bits.
+#
+# Mark values can be any unsigned 32-bit integer value.
+#
+# This setting is configured by setting the following values:
+#
+# tos|mark Whether to set TOS or netfilter mark values
+#
+# local-hit=0xFF Value to mark local cache hits.
+#
+# sibling-hit=0xFF Value to mark hits from sibling peers.
+#
+# parent-hit=0xFF Value to mark hits from parent peers.
+#
+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
+# over the preserve-miss feature (see below), unless
+# mask is specified, in which case only the bits
+# specified in the mask are written.
+#
+# The TOS variant of the following features are only possible on Linux
+# and require your kernel to be patched with the TOS preserving ZPH
+# patch, available from http://zph.bratcheda.org
+# No patch is needed to preserve the netfilter mark, which will work
+# with all variants of netfilter.
+#
+# disable-preserve-miss
+# This option disables the preservation of the TOS or netfilter
+# mark. By default, the existing TOS or netfilter mark value of
+# the response coming from the remote server will be retained
+# and masked with miss-mark.
+# NOTE: in the case of a netfilter mark, the mark must be set on
+# the connection (using the CONNMARK target) not on the packet
+# (MARK target).
+#
+# miss-mask=0xFF
+# Allows you to mask certain bits in the TOS or mark value
+# received from the remote server, before copying the value to
+# the TOS sent towards clients.
+# Default for tos: 0xFF (TOS from server is not changed).
+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
+#
+# All of these features require the --enable-zph-qos compilation flag
+# (enabled by default). Netfilter marking also requires the
+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
+# libcap 2.09+ (--with-libcap).
+#
+#Default:
+# none
+
+# TAG: tcp_outgoing_address
+# Allows you to map requests to different outgoing IP addresses
+# based on the username or source address of the user making
+# the request.
+#
+# tcp_outgoing_address ipaddr [[!]aclname] ...
+#
+# For example;
+# Forwarding clients with dedicated IPs for certain subnets.
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
+#
+# tcp_outgoing_address 2001:db8::c001 good_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
+#
+# tcp_outgoing_address 2001:db8::beef normal_service_net
+# tcp_outgoing_address 10.1.0.1 normal_service_net
+#
+# tcp_outgoing_address 2001:db8::1
+# tcp_outgoing_address 10.1.0.3
+#
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
+#
+# Squid will add an implicit IP version test to each line.
+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
+#
+#
+# NOTE: The use of this directive using client dependent ACLs is
+# incompatible with the use of server side persistent connections. To
+# ensure correct results it is best to set server_persistent_connections
+# to off when using this directive in such configurations.
+#
+# NOTE: The use of this directive to set a local IP on outgoing TCP links
+# is incompatible with using TPROXY to set client IP out outbound TCP links.
+# When needing to contact peers use the no-tproxy cache_peer option and the
+# client_dst_passthru directive re-enable normal forwarding such as this.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Address selection is performed by the operating system.
+
+# TAG: host_verify_strict
+# Regardless of this option setting, when dealing with intercepted
+# traffic, Squid always verifies that the destination IP address matches
+# the Host header domain or IP (called 'authority form URL').
+#
+# This enforcement is performed to satisfy a MUST-level requirement in
+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
+# authority of the origin server or gateway given by the original URL".
+#
+# When set to ON:
+# Squid always responds with an HTTP 409 (Conflict) error
+# page and logs a security warning if there is no match.
+#
+# Squid verifies that the destination IP address matches
+# the Host header for forward-proxy and reverse-proxy traffic
+# as well. For those traffic types, Squid also enables the
+# following checks, comparing the corresponding Host header
+# and Request-URI components:
+#
+# * The host names (domain or IP) must be identical,
+# but valueless or missing Host header disables all checks.
+# For the two host names to match, both must be either IP
+# or FQDN.
+#
+# * Port numbers must be identical, but if a port is missing
+# the scheme-default port is assumed.
+#
+#
+# When set to OFF (the default):
+# Squid allows suspicious requests to continue but logs a
+# security warning and blocks caching of the response.
+#
+# * Forward-proxy traffic is not checked at all.
+#
+# * Reverse-proxy traffic is not checked at all.
+#
+# * Intercepted traffic which passes verification is handled
+# according to client_dst_passthru.
+#
+# * Intercepted requests which fail verification are sent
+# to the client original destination instead of DIRECT.
+# This overrides 'client_dst_passthru off'.
+#
+# For now suspicious intercepted CONNECT requests are always
+# responded to with an HTTP 409 (Conflict) error page.
+#
+#
+# SECURITY NOTE:
+#
+# As described in CVE-2009-0801 when the Host: header alone is used
+# to determine the destination of a request it becomes trivial for
+# malicious scripts on remote websites to bypass browser same-origin
+# security policy and sandboxing protections.
+#
+# The cause of this is that such applets are allowed to perform their
+# own HTTP stack, in which case the same-origin policy of the browser
+# sandbox only verifies that the applet tries to contact the same IP
+# as from where it was loaded at the IP level. The Host: header may
+# be different from the connected IP and approved origin.
+#
+#Default:
+# host_verify_strict off
+
+# TAG: client_dst_passthru
+# With NAT or TPROXY intercepted traffic Squid may pass the request
+# directly to the original client destination IP or seek a faster
+# source using the HTTP Host header.
+#
+# Using Host to locate alternative servers can provide faster
+# connectivity with a range of failure recovery options.
+# But can also lead to connectivity trouble when the client and
+# server are attempting stateful interactions unaware of the proxy.
+#
+# This option (on by default) prevents alternative DNS entries being
+# located to send intercepted traffic DIRECT to an origin server.
+# The clients original destination IP and port will be used instead.
+#
+# Regardless of this option setting, when dealing with intercepted
+# traffic Squid will verify the Host: header and any traffic which
+# fails Host verification will be treated as if this option were ON.
+#
+# see host_verify_strict for details on the verification process.
+#Default:
+# client_dst_passthru on
+
+# TLS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: tls_outgoing_options
+# disable Do not support https:// URLs.
+#
+# cert=/path/to/client/certificate
+# A client X.509 certificate to use when connecting.
+#
+# key=/path/to/client/private_key
+# The private key corresponding to the cert= above.
+#
+# If key= is not specified cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# cipher=... The list of valid TLS ciphers to use.
+#
+# min-version=1.N
+# The minimum TLS protocol version to permit.
+# To control SSLv3 use the options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2, 1.3
+#
+# options=... Specify various TLS/SSL implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation
+# for a more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+#
+#
+# cafile= PEM file containing CA certificates to use when verifying
+# the peer certificate. May be repeated to load multiple files.
+#
+# capath= A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# crlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# flags=... Specify various flags modifying the TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# domain= The peer name as advertised in its certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#Default:
+# tls_outgoing_options min-version=1.0
+
+# SSL OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ssl_unclean_shutdown
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Some browsers (especially MSIE) bugs out on SSL shutdown
+# messages.
+#Default:
+# ssl_unclean_shutdown off
+
+# TAG: ssl_engine
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# The OpenSSL engine to use. You will need to set this if you
+# would like to use hardware SSL acceleration for example.
+#
+# Not supported in builds with OpenSSL 3.0 or newer.
+#Default:
+# none
+
+# TAG: sslproxy_session_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the timeout value for SSL sessions
+#Default:
+# sslproxy_session_ttl 300
+
+# TAG: sslproxy_session_cache_size
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the cache size to use for ssl session
+#Default:
+# sslproxy_session_cache_size 2 MB
+
+# TAG: sslproxy_foreign_intermediate_certs
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Many origin servers fail to send their full server certificate
+# chain for verification, assuming the client already has or can
+# easily locate any missing intermediate certificates.
+#
+# Squid uses the certificates from the specified file to fill in
+# these missing chains when trying to validate origin server
+# certificate chains.
+#
+# The file is expected to contain zero or more PEM-encoded
+# intermediate certificates. These certificates are not treated
+# as trusted root certificates, and any self-signed certificate in
+# this file will be ignored.
+#Default:
+# none
+
+# TAG: sslproxy_cert_sign_hash
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Sets the hashing algorithm to use when signing generated certificates.
+# Valid algorithm names depend on the OpenSSL library used. The following
+# names are usually available: sha1, sha256, sha512, and md5. Please see
+# your OpenSSL library manual for the available hashes. By default, Squids
+# that support this option use sha256 hashes.
+#
+# Squid does not forcefully purge cached certificates that were generated
+# with an algorithm other than the currently configured one. They remain
+# in the cache, subject to the regular cache eviction policy, and become
+# useful if the algorithm changes again.
+#Default:
+# none
+
+# TAG: ssl_bump
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# This option is consulted when a CONNECT request is received on
+# an http_port (or a new connection is intercepted at an
+# https_port), provided that port was configured with an ssl-bump
+# flag. The subsequent data on the connection is either treated as
+# HTTPS and decrypted OR tunneled at TCP level without decryption,
+# depending on the first matching bumping "action".
+#
+# ssl_bump [!]acl ...
+#
+# The following bumping actions are currently supported:
+#
+# splice
+# Become a TCP tunnel without decrypting proxied traffic.
+# This is the default action.
+#
+# bump
+# When used on step SslBump1, establishes a secure connection
+# with the client first, then connect to the server.
+# When used on step SslBump2 or SslBump3, establishes a secure
+# connection with the server and, using a mimicked server
+# certificate, with the client.
+#
+# peek
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of splicing the
+# connection. Peeking at the server certificate (during step 2)
+# usually precludes bumping of the connection at step 3.
+#
+# stare
+# Receive client (step SslBump1) or server (step SslBump2)
+# certificate while preserving the possibility of bumping the
+# connection. Staring at the server certificate (during step 2)
+# usually precludes splicing of the connection at step 3.
+#
+# terminate
+# Close client and server connections.
+#
+# Backward compatibility actions available at step SslBump1:
+#
+# client-first
+# Bump the connection. Establish a secure connection with the
+# client first, then connect to the server. This old mode does
+# not allow Squid to mimic server SSL certificate and does not
+# work with intercepted SSL connections.
+#
+# server-first
+# Bump the connection.
Establish a secure connection with the
+# server first, then establish a secure connection with the
+# client, using a mimicked server certificate. Works with both
+# CONNECT requests and intercepted SSL connections, but does
+# not allow to make decisions based on SSL handshake info.
+#
+# peek-and-splice
+# Decide whether to bump or splice the connection based on
+# client-to-squid and server-to-squid SSL hello messages.
+# XXX: Remove.
+#
+# none
+# Same as the "splice" action.
+#
+# All ssl_bump rules are evaluated at each of the supported bumping
+# steps. Rules with actions that are impossible at the current step are
+# ignored. The first matching ssl_bump action wins and is applied at the
+# end of the current step. If no rules match, the splice action is used.
+# See the at_step ACL for a list of the supported SslBump steps.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
+#
+#
+# # Example: Bump all TLS connections except those originating from
+# # localhost or those going to example.com.
+#
+# acl broken_sites ssl::server_name .example.com
+# ssl_bump splice localhost
+# ssl_bump splice broken_sites
+# ssl_bump bump all
+#Default:
+# Become a TCP tunnel without decrypting proxied traffic.
+
+# TAG: sslproxy_cert_error
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Use this ACL to bypass server certificate validation errors.
+#
+# For example, the following lines will bypass all validation errors
+# when talking to servers for example.com. All other
+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+#
+# acl BrokenButTrustedServers dstdomain example.com
+# sslproxy_cert_error allow BrokenButTrustedServers
+# sslproxy_cert_error deny all
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Using slow acl types may result in server crashes
+#
+# Without this option, all server certificate validation errors
+# terminate the transaction to protect Squid and the client.
+#
+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+# but should not happen unless your OpenSSL library is buggy.
+#
+# SECURITY WARNING:
+# Bypassing validation errors is dangerous because an
+# error usually implies that the server cannot be trusted
+# and the connection may be insecure.
+#
+# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#Default:
+# Server certificate errors terminate the transaction.
+
+# TAG: sslproxy_cert_sign
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_sign acl ...
+#
+# The following certificate signing algorithms are supported:
+#
+# signTrusted
+# Sign using the configured CA certificate which is usually
+# placed in and trusted by end-user browsers. This is the
+# default for trusted origin server certificates.
+#
+# signUntrusted
+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+# This is the default for untrusted origin server certificates
+# that are not self-signed (see ssl::certUntrusted).
+#
+# signSelf
+# Sign using a self-signed certificate with the right CN to
+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+# browser. This is the default for self-signed origin server
+# certificates (see ssl::certSelfSigned).
+#
+# This clause only supports fast acl types.
+#
+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+# signing algorithm to generate the certificate and ignores all
+# subsequent sslproxy_cert_sign options (the first match wins). If no
+# acl(s) match, the default signing algorithm is determined by errors
+# detected when obtaining and validating the origin server certificate.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslproxy_cert_adapt
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+#
+# sslproxy_cert_adapt acl ...
+#
+# The following certificate adaptation algorithms are supported:
+#
+# setValidAfter
+# Sets the "Not After" property to the "Not After" property of
+# the CA certificate used to sign generated certificates.
+#
+# setValidBefore
+# Sets the "Not Before" property to the "Not Before" property of
+# the CA certificate used to sign generated certificates.
+#
+# setCommonName or setCommonName{CN}
+# Sets Subject.CN property to the host name specified as a
+# CN parameter or, if no explicit CN parameter was specified,
+# extracted from the CONNECT request. It is a misconfiguration
+# to use setCommonName without an explicit parameter for
+# intercepted or tproxied SSL connections.
+#
+# This clause only supports fast acl types.
+#
+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+# corresponding adaptation algorithm to generate the certificate and
+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+# group (i.e., the first match wins within each algorithm group). If no
+# acl(s) match, the default mimicking action takes place.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name.
In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslpassword_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify a program used for entering SSL key passphrases
+# when using encrypted SSL certificate keys. If not specified
+# keys must either be unencrypted, or Squid started with the -N
+# option to allow it to query interactively for the passphrase.
+#
+# The key file name is given as argument to the program allowing
+# selection of the right password if you have multiple encrypted
+# keys.
+#Default:
+# none
+
+# OPTIONS RELATING TO EXTERNAL SSL_CRTD
+# -----------------------------------------------------------------------------
+
+# TAG: sslcrtd_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specify the location and options of the executable for certificate
+# generator.
+#
+# /usr/lib/squid/security_file_certgen program can use a disk cache to improve response
+# times on repeated requests. To enable caching, specify -s and -M
+# parameters. If those parameters are not given, the program generates
+# a new certificate on every request.
+#
+# For more information use:
+# /usr/lib/squid/security_file_certgen -h
+#Default:
+# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
+
+# TAG: sslcrtd_children
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl-crtd
+#
+# Specifies the maximum number of certificate generation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues. Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child is idle and no new child can be started due to
+# numberofchildren limit. If the queued requests exceed queue size for
+# more than 3 minutes squid aborts its operation. The default value is
+# set to 2*numberofchildren.
+#
+# You must have at least one ssl_crtd process.
+#Default:
+# sslcrtd_children 32 startup=5 idle=1
+
+# TAG: sslcrtvalidator_program
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specify the location and options of the executable for ssl_crt_validator
+# process.
+#
+# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
+#
+# Options:
+# ttl=n TTL in seconds for cached results. The default is 60 secs
+# cache=n limit the result cache size. The default value is 2048
+#Default:
+# none
+
+# TAG: sslcrtvalidator_children
+# Note: This option is only available if Squid is rebuilt with the
+# --with-openssl
+#
+# Specifies the maximum number of certificate validation processes that
+# Squid may spawn (numberofchildren) and several related options. Using
+# too few of these helper processes (a.k.a. "helpers") creates request
+# queues.
Using too many helpers wastes your system resources. Squid
+# does not support spawning more than 32 helpers.
+#
+# Usage: numberofchildren [option]...
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each certificate validator helper can handle in
+# parallel. A value of 0 indicates the certficate validator does not
+# support concurrency. Defaults to 1.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# a request ID in front of the request/response. The request
+# ID from the request must be echoed back with the response
+# to that request.
+#
+# queue-size=N
+#
+# Sets the maximum number of queued requests. A request is queued when
+# no existing child can accept it due to concurrency limit and no new
+# child can be started due to numberofchildren limit. If the queued
+# requests exceed queue size for more than 3 minutes squid aborts its
+# operation. The default value is set to 2*numberofchildren.
+#
+# You must have at least one ssl_crt_validator process.
+#Default:
+# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
+
+# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
+# -----------------------------------------------------------------------------
+
+# TAG: cache_peer
+# To specify other caches in a hierarchy, use the format:
+#
+# cache_peer hostname type http-port icp-port [options]
+#
+# For example,
+#
+# # proxy icp
+# # hostname type port port options
+# # -------------------- -------- ----- ----- -----------
+# cache_peer parent.foo.net parent 3128 3130 default
+# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
+# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
+# cache_peer example.com parent 80 0 default
+# cache_peer cdn.example.com sibling 3128 0
+#
+# type: either 'parent', 'sibling', or 'multicast'.
+#
+# proxy-port: The port number where the peer accept HTTP requests.
+# For other Squid proxies this is usually 3128
+# For web servers this is usually 80
+#
+# icp-port: Used for querying neighbor caches about objects.
+# Set to 0 if the peer does not support ICP or HTCP.
+# See ICP and HTCP options below for additional details.
+#
+#
+# ==== ICP OPTIONS ====
+#
+# You MUST also set icp_port and icp_access explicitly when using these options.
+# The defaults will prevent peer traffic using ICP.
+#
+#
+# no-query Disable ICP queries to this neighbor.
+#
+# multicast-responder
+# Indicates the named peer is a member of a multicast group.
+# ICP queries will not be sent directly to the peer, but ICP
+# replies will be accepted from it.
+#
+# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
+# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
+#
+# background-ping
+# To only send ICP queries to this neighbor infrequently.
+# This is used to keep the neighbor round trip time updated
+# and is usually used in conjunction with weighted-round-robin.
+#
+#
+# ==== HTCP OPTIONS ====
+#
+# You MUST also set htcp_port and htcp_access explicitly when using these options.
+# The defaults will prevent peer traffic using HTCP.
+#
+#
+# htcp Send HTCP, instead of ICP, queries to the neighbor.
+# You probably also want to set the "icp-port" to 4827
+# instead of 3130. This directive accepts a comma separated
+# list of options described below.
+#
+# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
+#
+# htcp=no-clr Send HTCP to the neighbor but without
+# sending any CLR requests. This cannot be used with
+# only-clr.
+#
+# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
+# This cannot be used with no-clr.
+#
+# htcp=no-purge-clr
+# Send HTCP to the neighbor including CLRs but only when
+# they do not result from PURGE requests.
+#
+# htcp=forward-clr
+# Forward any HTCP CLR requests this proxy receives to the peer.
+#
+#
+# ==== PEER SELECTION METHODS ====
+#
+# The default peer selection method is ICP, with the first responding peer
+# being used as source. These options can be used for better load balancing.
+#
+#
+# default This is a parent cache which can be used as a "last-resort"
+# if a peer cannot be located by any of the peer-selection methods.
+# If specified more than once, only the first is used.
+#
+# round-robin Load-Balance parents which should be used in a round-robin
+# fashion in the absence of any ICP queries.
+# weight=N can be used to add bias.
+#
+# weighted-round-robin
+# Load-Balance parents which should be used in a round-robin
+# fashion with the frequency of each parent being based on the
+# round trip time. Closer parents are used more often.
+# Usually used for background-ping parents.
+# weight=N can be used to add bias.
+#
+# carp Load-Balance parents which should be used as a CARP array.
+# The requests will be distributed among the parents based on the
+# CARP load balancing hash function based on their weight.
+#
+# userhash Load-balance parents based on the client proxy_auth or ident username.
+#
+# sourcehash Load-balance parents based on the client source IP.
+#
+# multicast-siblings
+# To be used only for cache peers of type "multicast".
+# ALL members of this multicast group have "sibling"
+# relationship with it, not "parent". This is to a multicast
+# group when the requested object would be fetched only from
+# a "parent" cache, anyway. It's useful, e.g., when
+# configuring a pool of redundant Squid proxies, being
+# members of the same multicast group.
+#
+#
+# ==== PEER SELECTION OPTIONS ====
+#
+# weight=N use to affect the selection of a peer during any weighted
+# peer-selection mechanisms.
+# The weight must be an integer; default is 1,
+# larger weights are favored more.
+# This option does not affect parent selection if a peering
+# protocol is not in use.
+#
+# basetime=N Specify a base amount to be subtracted from round trip
+# times of parents.
+# It is subtracted before division by weight in calculating
+# which parent to fectch from. If the rtt is less than the
+# base time the rtt is set to a minimal value.
+#
+# ttl=N Specify a TTL to use when sending multicast ICP queries
+# to this address.
+# Only useful when sending to a multicast group.
+# Because we don't accept ICP replies from random
+# hosts, you must configure other group members as
+# peers with the 'multicast-responder' option.
+#
+# no-delay To prevent access to this neighbor from influencing the
+# delay pools.
+#
+# digest-url=URL Tell Squid to fetch the cache digest (if digests are
+# enabled) for this host from the specified URL rather
+# than the Squid default location.
+#
+#
+# ==== CARP OPTIONS ====
+#
+# carp-key=key-specification
+# use a different key than the full URL to hash against the peer.
+# the key-specification is a comma-separated list of the keywords
+# scheme, host, port, path, params
+# Order is not important.
+#
+# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
+#
+# originserver Causes this parent to be contacted as an origin server.
+# Meant to be used in accelerator setups when the peer
+# is a web server.
+#
+# forceddomain=name
+# Set the Host header of requests forwarded to this peer.
+# Useful in accelerator setups where the server (peer)
+# expects a certain domain name but clients may request
+# others. ie example.com or www.example.com
+#
+# no-digest Disable request of cache digests.
+#
+# no-netdb-exchange
+# Disables requesting ICMP RTT database (NetDB).
+#
+#
+# ==== AUTHENTICATION OPTIONS ====
+#
+# login=user:password
+# If this is a personal/workgroup proxy and your parent
+# requires proxy authentication.
+#
+# Note: The string can include URL escapes (i.e. %20 for
+# spaces). This also means % must be written as %%.
+#
+# login=PASSTHRU
+# Send login details received from client to this peer.
+# Both Proxy- and WWW-Authorization headers are passed
+# without alteration to the peer.
+# Authentication is not required by Squid for this to work.
+#
+# Note: This will pass any form of authentication but
+# only Basic auth will work through a proxy unless the
+# connection-auth options are also used.
+#
+# login=PASS Send login details received from client to this peer.
+# Authentication is not required by this option.
+#
+# If there are no client-provided authentication headers
+# to pass on, but username and password are available
+# from an external ACL user= and password= result tags
+# they may be sent instead.
+#
+# Note: To combine this with proxy_auth both proxies must
+# share the same user database as HTTP only allows for
+# a single login (one for proxy, one for origin server).
+# Also be warned this will expose your users proxy
+# password to the peer. USE WITH CAUTION
+#
+# login=*:password
+# Send the username to the upstream cache, but with a
+# fixed password.
This is meant to be used when the peer
+# is in another administrative domain, but it is still
+# needed to identify each user.
+# The star can optionally be followed by some extra
+# information which is added to the username. This can
+# be used to identify this proxy to the peer, similar to
+# the login=username:password option above.
+#
+# login=NEGOTIATE
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The first principal from the default keytab or defined by
+# the environment variable KRB5_KTNAME will be used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# login=NEGOTIATE:principal_name
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The principal principal_name from the default keytab or
+# defined by the environment variable KRB5_KTNAME will be
+# used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# connection-auth=on|off
+# Tell Squid that this peer does or not support Microsoft
+# connection oriented authentication, and any such
+# challenges received from there should be ignored.
+# Default is auto to automatically determine the status
+# of the peer.
+#
+# auth-no-keytab
+# Do not use a keytab to authenticate to a peer when
+# login=NEGOTIATE is specified. Let the GSSAPI
+# implementation determine which already existing
+# credentials cache to use instead.
+#
+#
+# ==== SSL / HTTPS / TLS OPTIONS ====
+#
+# tls Encrypt connections to this peer with TLS.
+#
+# sslcert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this peer.
+#
+# sslkey=/path/to/ssl/key
+# The private key corresponding to sslcert above.
+#
+# If sslkey= is not specified sslcert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# sslcipher=... The list of valid SSL ciphers to use when connecting
+# to this peer.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various TLS implementation options.
+#
+# OpenSSL options most important are:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# NO_TICKET
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
+#
+# GnuTLS options most important are:
+#
+# %NO_TICKETS
+# Disable use of RFC5077 session tickets.
+# Some servers may have problems
+# understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+#
+# See the GnuTLS Priority Strings documentation
+# for a more complete list.
+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the peer certificate. May be repeated to load multiple files.
+#
+# sslcapath=... A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# sslcrlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# sslflags=... Specify various flags modifying the SSL implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+#
+# DONT_VERIFY_DOMAIN
+# Don't verify the peer certificate
+# matches the server name
+#
+# ssldomain= The peer name as advertised in it's certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#
+# front-end-https[=off|on|auto]
+# Enable the "Front-End-Https: On" header needed when
+# using Squid as a SSL frontend in front of Microsoft OWA.
+# See MS KB document Q307347 for details on this header.
+# If set to auto the header will only be added if the
+# request is forwarded as a https:// URL.
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+#
+# ==== GENERAL OPTIONS ====
+#
+# connect-timeout=N
+# A peer-specific connect timeout.
+# Also see the peer_connect_timeout directive.
+#
+# connect-fail-limit=N
+# How many times connecting to a peer must fail before
+# it is marked as down. Standby connection failures
+# count towards this limit. Default is 10.
+#
+# allow-miss Disable Squid's use of only-if-cached when forwarding
+# requests to siblings. This is primarily useful when
+# icp_hit_stale is used by the sibling. Excessive use
+# of this option may result in forwarding loops. One way
+# to prevent peering loops when using this option, is to
+# deny cache peer usage on requests from a peer:
+# acl fromPeer ...
+# cache_peer_access peerName deny fromPeer
+#
+# max-conn=N Limit the number of concurrent connections the Squid
+# may open to this peer, including already opened idle
+# and standby connections. There is no peer-specific
+# connection limit by default.
+#
+# A peer exceeding the limit is not used for new
+# requests unless a standby connection is available.
+#
+# max-conn currently works poorly with idle persistent
+# connections: When a peer reaches its max-conn limit,
+# and there are idle persistent connections to the peer,
+# the peer may not be selected because the limiting code
+# does not know whether Squid can reuse those idle
+# connections.
+#
+# standby=N Maintain a pool of N "hot standby" connections to an
+# UP peer, available for requests when no idle
+# persistent connection is available (or safe) to use.
+# By default and with zero N, no such pool is maintained.
+# N must not exceed the max-conn limit (if any).
+#
+# At start or after reconfiguration, Squid opens new TCP
+# standby connections until there are N connections
+# available and then replenishes the standby pool as
+# opened connections are used up for requests. A used
+# connection never goes back to the standby pool, but
+# may go to the regular idle persistent connection pool
+# shared by all peers and origin servers.
+#
+# Squid never opens multiple new standby connections
+# concurrently. This one-at-a-time approach minimizes
+# flooding-like effect on peers. Furthermore, just a few
+# standby connections should be sufficient in most cases
+# to supply most new requests with a ready-to-use
+# connection.
+#
+# Standby connections obey server_idle_pconn_timeout.
+# For the feature to work as intended, the peer must be
+# configured to accept and keep them open longer than
+# the idle timeout at the connecting Squid, to minimize
+# race conditions typical to idle used persistent
+# connections. Default request_timeout and
+# server_idle_pconn_timeout values ensure such a
+# configuration.
+#
+# name=xxx Unique name for the peer.
+# Required if you have multiple peers on the same host
+# but different ports.
+# This name can be used in cache_peer_access and similar
+# directives to identify the peer.
+# Can be used by outgoing access controls through the
+# peername ACL type.
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
+#Default:
+# none
+
+# TAG: cache_peer_access
+# Restricts usage of cache_peer proxies.
+#
+# Usage:
+# cache_peer_access peer-name allow|deny [!]aclname ...
+#
+# For the required peer-name parameter, use either the value of the
+# cache_peer name=value parameter or, if name=value is missing, the
+# cache_peer hostname parameter.
+#
+# This directive narrows down the selection of peering candidates, but
+# does not determine the order in which the selected candidates are
+# contacted. That order is determined by the peer selection algorithms
+# (see PEER SELECTION sections in the cache_peer documentation).
+#
+# If a deny rule matches, the corresponding peer will not be contacted
+# for the current transaction -- Squid will not send ICP queries and
+# will not forward HTTP requests to that peer. An allow match leaves
+# the corresponding peer in the selection. The first match for a given
+# peer wins for that peer.
+#
+# The relative order of cache_peer_access directives for the same peer
+# matters. The relative order of any two cache_peer_access directives
+# for different peers does not matter. To ease interpretation, it is a
+# good idea to group cache_peer_access directives for the same peer
+# together.
+#
+# A single cache_peer_access directive may be evaluated multiple times
+# for a given transaction because individual peer selection algorithms
+# may check it independently from each other. These redundant checks
+# may be optimized away in future Squid versions.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Default:
+# No peer usage restrictions.
+
+# TAG: neighbor_type_domain
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
+#
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
+#
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
+#Default:
+# The peer type from cache_peer directive is used for all requests to that peer.
+
+# TAG: dead_peer_timeout (seconds)
+# This controls how long Squid waits to declare a peer cache
+# as "dead." If there are no ICP replies received in this
+# amount of time, Squid will declare the peer dead and not
+# expect to receive any further ICP replies. However, it
+# continues to send ICP queries, and will mark the peer as
+# alive upon receipt of the first subsequent ICP reply.
+#
+# This timeout also affects when Squid expects to receive ICP
+# replies from peers. If more than 'dead_peer' seconds have
+# passed since the last ICP reply was received, Squid will not
+# expect to receive an ICP reply on the next query. Thus, if
+# your time between requests is greater than this timeout, you
+# will see a lot of requests sent DIRECT to origin servers
+# instead of to your parents.
+#Default:
+# dead_peer_timeout 10 seconds
+
+# TAG: forward_max_tries
+# Limits the number of attempts to forward the request.
+#
+# For the purpose of this limit, Squid counts all high-level request
+# forwarding attempts, including any same-destination retries after
+# certain persistent connection failures and any attempts to use a
+# different peer.
However, these low-level attempts are not counted:
+# * connection reopening attempts (enabled using connect_retries)
+# * unfinished Happy Eyeballs connection attempts (prevented by setting
+# happy_eyeballs_connect_limit to 0)
+#
+# See also: forward_timeout and connect_retries.
+#Default:
+# forward_max_tries 25
+
+# MEMORY CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mem (bytes)
+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+#
+# 'cache_mem' specifies the ideal amount of memory to be used
+# for:
+# * In-Transit objects
+# * Hot Objects
+# * Negative-Cached objects
+#
+# Data for these objects are stored in 4 KB blocks. This
+# parameter specifies the ideal upper limit on the total size of
+# 4 KB blocks allocated. In-Transit objects take the highest
+# priority.
+#
+# In-transit objects have priority over the others. When
+# additional space is needed for incoming data, negative-cached
+# and hot objects will be released. In other words, the
+# negative-cached and hot objects will fill up any unused space
+# not needed for in-transit objects.
+#
+# If circumstances require, this limit will be exceeded.
+# Specifically, if your incoming request rate requires more than
+# 'cache_mem' of memory to hold in-transit objects, Squid will
+# exceed this limit to satisfy the new requests. When the load
+# decreases, blocks will be freed until the high-water mark is
+# reached. Thereafter, blocks will be used to store hot
+# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
+#Default:
+# cache_mem 256 MB
+
+# TAG: maximum_object_size_in_memory (bytes)
+# Objects greater than this size will not be attempted to kept in
+# the memory cache. This should be set high enough to keep objects
+# accessed frequently in memory to improve performance whilst low
+# enough to keep larger objects from hoarding cache_mem.
+#Default:
+# maximum_object_size_in_memory 512 KB
+
+# TAG: memory_cache_shared on|off
+# Controls whether the memory cache is shared among SMP workers.
+#
+# The shared memory cache is meant to occupy cache_mem bytes and replace
+# the non-shared memory cache, although some entities may still be
+# cached locally by workers for now (e.g., internal and in-transit
+# objects may be served from a local memory cache even if shared memory
+# caching is enabled).
+#
+# By default, the memory cache is shared if and only if all of the
+# following conditions are satisfied: Squid runs in SMP mode with
+# multiple workers, cache_mem is positive, and Squid environment
+# supports required IPC primitives (e.g., POSIX shared memory segments
+# and GCC-style atomic operations).
+#
+# To avoid blocking locks, shared memory uses opportunistic algorithms
+# that do not guarantee that every cachable entity that could have been
+# shared among SMP workers will actually be shared.
+#Default:
+# "on" where supported if doing memory caching with multiple SMP workers.
+
+# TAG: memory_cache_mode
+# Controls which objects to keep in the memory cache (cache_mem)
+#
+# always Keep most recently fetched objects in memory (default)
+#
+# disk Only disk cache hits are kept in memory, which means
+# an object must first be cached on disk and then hit
+# a second time before cached in memory.
+#
+# network Only objects fetched from network is kept in memory
+#Default:
+# Keep the most recently fetched objects in memory
+
+# TAG: memory_replacement_policy
+# The memory replacement policy parameter determines which
+# objects are purged from memory when memory space is needed.
+#
+# See cache_replacement_policy for details on algorithms.
+#Default:
+# memory_replacement_policy lru
+
+# DISK CACHE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_replacement_policy
+# The cache replacement policy parameter determines which
+# objects are evicted (replaced) when disk space is needed.
+#
+# lru : Squid's original list based LRU policy
+# heap GDSF : Greedy-Dual Size Frequency
+# heap LFUDA: Least Frequently Used with Dynamic Aging
+# heap LRU : LRU policy implemented using a heap
+#
+# Applies to any cache_dir lines listed below this directive.
+#
+# The LRU policies keeps recently referenced objects.
+#
+# The heap GDSF policy optimizes object hit rate by keeping smaller
+# popular objects in cache so it has a better chance of getting a
+# hit. It achieves a lower byte hit rate than LFUDA though since
+# it evicts larger (possibly popular) objects.
+#
+# The heap LFUDA policy keeps popular objects in cache regardless of
+# their size and thus optimizes byte hit rate at the expense of
+# hit rate since one large, popular object will prevent many
+# smaller, slightly less popular objects from being cached.
+#
+# Both policies utilize a dynamic aging mechanism that prevents
+# cache pollution that can otherwise occur with frequency-based
+# replacement policies.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# the value of maximum_object_size above its default of 4 MB to
+# to maximize the potential byte hit rate improvement of LFUDA.
+#
+# For more information about the GDSF and LFUDA cache replacement
+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+#Default:
+# cache_replacement_policy lru
+
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in bytes, and the default is 0 KB, which
+# means all responses can be stored.
+#Default:
+# no limit
+
+# TAG: maximum_object_size (bytes)
+# Set the default value for max-size parameter on any cache_dir.
+# The value is specified in bytes, and the default is 4 MB.
+#
+# If you wish to get a high BYTES hit ratio, you should probably
+# increase this (one 32 MB object hit counts for 3200 10KB
+# hits).
+#
+# If you wish to increase hit ratio more than you want to
+# save bandwidth you should leave this low.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# this value to maximize the byte hit rate improvement of LFUDA!
+# See cache_replacement_policy for a discussion of this policy.
+#Default:
+# maximum_object_size 4 MB
+
+# TAG: cache_dir
+# Format:
+# cache_dir Type Directory-Name Fs-specific-data [options]
+#
+# You can specify multiple cache_dir lines to spread the
+# cache among different disk partitions.
+#
+# Type specifies the kind of storage system to use. Only "ufs"
+# is built by default. To enable any of the other storage systems
+# see the --enable-storeio configure option.
+#
+# 'Directory' is a top-level directory where cache swap
+# files will be stored. If you want to use an entire disk
+# for caching, this can be the mount-point directory.
+# The directory must exist and be writable by the Squid
+# process. Squid will NOT create this directory for you.
+#
+# In SMP configurations, cache_dir must not precede the workers option
+# and should use configuration macros or conditionals to give each
+# worker interested in disk caching a dedicated cache directory.
+#
+#
+# ==== The ufs store type ====
+#
+# "ufs" is the old well-known Squid storage format that has always
+# been there.
+#
+# Usage:
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+#
+# 'Mbytes' is the amount of disk space (MB) to use under this
+# directory. The default is 100 MB. Change this to suit your
+# configuration. Do NOT put the size of your disk drive here.
+# Instead, if you want Squid to use the entire disk drive,
+# subtract 20% and use that value.
+#
+# 'L1' is the number of first-level subdirectories which
+# will be created under the 'Directory'. The default is 16.
+#
+# 'L2' is the number of second-level subdirectories which
+# will be created under each first-level directory. The default
+# is 256.
+#
+#
+# ==== The aufs store type ====
+#
+# "aufs" uses the same storage format as "ufs", utilizing
+# POSIX-threads to avoid blocking the main Squid process on
+# disk-I/O. This was formerly known in Squid as async-io.
+#
+# Usage:
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+#
+# see argument descriptions under ufs above
+#
+#
+# ==== The diskd store type ====
+#
+# "diskd" uses the same storage format as "ufs", utilizing a
+# separate process to avoid blocking the main Squid process on
+# disk-I/O.
+#
+# Usage:
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+#
+# see argument descriptions under ufs above
+#
+# Q1 specifies the number of unacknowledged I/O requests when Squid
+# stops opening new files. If this many messages are in the queues,
+# Squid won't open new files. Default is 64
+#
+# Q2 specifies the number of unacknowledged messages when Squid
+# starts blocking. If this many messages are in the queues,
+# Squid blocks until it receives some replies. Default is 72
+#
+# When Q1 < Q2 (the default), the cache directory is optimized
+# for lower response time at the expense of a decrease in hit
+# ratio. If Q1 > Q2, the cache directory is optimized for
+# higher hit ratio at the expense of an increase in response
+# time.
+#
+#
+# ==== The rock store type ====
+#
+# Usage:
+# cache_dir rock Directory-Name Mbytes [options]
+#
+# The Rock Store type is a database-style storage. All cached
+# entries are stored in a "database" file, using fixed-size slots.
+# A single entry occupies one or more slots.
+#
+# If possible, Squid using Rock Store creates a dedicated kid
+# process called "disker" to avoid blocking Squid worker(s) on disk
+# I/O. One disker kid is created for each rock cache_dir. Diskers
+# are created only when Squid, running in daemon mode, has support
+# for the IpcIo disk I/O module.
+#
+# swap-timeout=msec: Squid will not start writing a miss to or
+# reading a hit from disk if it estimates that the swap operation
+# will take more than the specified number of milliseconds. By
+# default and when set to zero, disables the disk I/O time limit
+# enforcement. Ignored when using blocking I/O module because
+# blocking synchronous I/O does not allow Squid to estimate the
+# expected swap wait time.
+#
+# max-swap-rate=swaps/sec: Artificially limits disk access using
+# the specified I/O rate limit. Swap out requests that
+# would cause the average I/O rate to exceed the limit are
+# delayed. Individual swap in requests (i.e., hits or reads) are
+# not delayed, but they do contribute to measured swap rate and
+# since they are placed in the same FIFO queue as swap out
+# requests, they may wait longer if max-swap-rate is smaller.
+# This is necessary on file systems that buffer "too
+# many" writes and then start blocking Squid and other processes
+# while committing those writes to disk. Usually used together
+# with swap-timeout to avoid excessive delays and queue overflows
+# when disk demand exceeds available disk "bandwidth". By default
+# and when set to zero, disables the disk I/O rate limit
+# enforcement. Currently supported by IpcIo module only.
+#
+# slot-size=bytes: The size of a database "record" used for
+# storing cached responses. A cached response occupies at least
+# one slot and all database I/O is done using individual slots so
+# increasing this parameter leads to more disk space waste while
+# decreasing it leads to more disk I/O overheads. Should be a
+# multiple of your operating system I/O page size. Defaults to
+# 16KBytes. A housekeeping header is stored with each slot and
+# smaller slot-sizes will be rejected. The header is smaller than
+# 100 bytes.
+#
+#
+# ==== COMMON OPTIONS ====
+#
+# no-store no new objects should be stored to this cache_dir.
+#
+# min-size=n the minimum object size in bytes this cache_dir
+# will accept. It's used to restrict a cache_dir
+# to only store large objects (e.g. AUFS) while
+# other stores are optimized for smaller objects
+# (e.g. Rock).
+# Defaults to 0.
+#
+# max-size=n the maximum object size in bytes this cache_dir
+# supports.
+# The value in maximum_object_size directive sets
+# the default unless more specific details are
+# available (ie a small store capacity).
+#
+# Note: To make optimal use of the max-size limits you should order
+# the cache_dir lines with the smallest max-size value first.
+#
+#Default:
+# No disk cache. Store cache ojects only in memory.
+#
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# TAG: store_dir_select_algorithm
+# How Squid selects which cache_dir to use when the response
+# object will fit into more than one.
+#
+# Regardless of which algorithm is used the cache_dir min-size
+# and max-size parameters are obeyed. As such they can affect
+# the selection algorithm by limiting the set of considered
+# cache_dir.
+#
+# Algorithms:
+#
+# least-load
+#
+# This algorithm is suited to caches with similar cache_dir
+# sizes and disk speeds.
+#
+# The disk with the least I/O pending is selected.
+# When there are multiple disks with the same I/O load ranking
+# the cache_dir with most available capacity is selected.
+#
+# When a mix of cache_dir sizes are configured the faster disks
+# have a naturally lower I/O loading and larger disks have more
+# capacity. So space used to store objects and data throughput
+# may be very unbalanced towards larger disks.
+#
+#
+# round-robin
+#
+# This algorithm is suited to caches with unequal cache_dir
+# disk sizes.
+#
+# Each cache_dir is selected in a rotation. The next suitable
+# cache_dir is used.
+#
+# Available cache_dir capacity is only considered in relation
+# to whether the object will fit and meets the min-size and
+# max-size parameters.
+#
+# Disk I/O loading is only considered to prevent overload on slow
+# disks. This algorithm does not spread objects by size, so any
+# I/O loading per-disk may appear very unbalanced and volatile.
+#
+# If several cache_dirs use similar min-size, max-size, or other
+# limits to to reject certain responses, then do not group such
+# cache_dir lines together, to avoid round-robin selection bias
+# towards the first cache_dir after the group. Instead, interleave
+# cache_dir lines from different groups. For example:
+#
+# store_dir_select_algorithm round-robin
+# cache_dir rock /hdd1 ... min-size=100000
+# cache_dir rock /ssd1 ... max-size=99999
+# cache_dir rock /hdd2 ... min-size=100000
+# cache_dir rock /ssd2 ... max-size=99999
+# cache_dir rock /hdd3 ... min-size=100000
+# cache_dir rock /ssd3 ... max-size=99999
+#Default:
+# store_dir_select_algorithm least-load
+
+# TAG: max_open_disk_fds
+# To avoid having disk as the I/O bottleneck Squid can optionally
+# bypass the on-disk cache if more than this amount of disk file
+# descriptors are open.
+#
+# A value of 0 indicates no limit.
+#Default:
+# no limit
+
+# TAG: cache_swap_low (percent, 0-100)
+# The low-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above this low-water mark and attempts to maintain utilization
+# near the low-water mark.
+#
+# As swap utilization increases towards the high-water mark set
+# by cache_swap_high object eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_high and cache_replacement_policy
+#Default:
+# cache_swap_low 90
+
+# TAG: cache_swap_high (percent, 0-100)
+# The high-water mark for AUFS/UFS/diskd cache object eviction by
+# the cache_replacement_policy algorithm.
+#
+# Removal begins when the swap (disk) usage of a cache_dir is
+# above the low-water mark set by cache_swap_low and attempts to
+# maintain utilization near the low-water mark.
+#
+# As swap utilization increases towards this high-water mark object
+# eviction becomes more agressive.
+#
+# The value difference in percentages between low- and high-water
+# marks represent an eviction rate of 300 objects per second and
+# the rate continues to scale in agressiveness by multiples of
+# this above the high-water mark.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_low and cache_replacement_policy
+#Default:
+# cache_swap_high 95
+
+# LOGFILE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: logformat
+# Usage:
+#
+# logformat
+#
+# Defines an access log format.
+#
+# The is a string with embedded % format codes
+#
+# % format codes all follow the same basic structure where all
+# components but the formatcode are optional and usually unnecessary,
+# especially when dealing with common codes.
+#
+# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
+#
+# encoding escapes or otherwise protects "special" characters:
+#
+# " Quoted string encoding where quote(") and
+# backslash(\) characters are \-escaped while
+# CR, LF, and TAB characters are encoded as \r,
+# \n, and \t two-character sequences.
+#
+# [ Custom Squid encoding where percent(%), square
+# brackets([]), backslash(\) and characters with
+# codes outside of [32,126] range are %-encoded.
+# SP is not encoded. Used by log_mime_hdrs.
+#
+# # URL encoding (a.k.a. percent-encoding) where
+# all URL unsafe and control characters (per RFC
+# 1738) are %-encoded.
+#
+# / Shell-like encoding where quote(") and
+# backslash(\) characters are \-escaped while CR
+# and LF characters are encoded as \r and \n
+# two-character sequences. Values containing SP
+# character(s) are surrounded by quotes(").
+#
+# ' Raw/as-is encoding with no escaping/quoting.
+#
+# Default encoding: When no explicit encoding is
+# specified, each %code determines its own encoding.
+# Most %codes use raw/as-is encoding, but some codes use
+# a so called "pass-through URL encoding" where all URL
+# unsafe and control characters (per RFC 1738) are
+# %-encoded, but the percent character(%) is left as is.
+#
+# - left aligned
+#
+# width minimum and/or maximum field width:
+# [width_min][.width_max]
+# When minimum starts with 0, the field is zero-padded.
+# String values exceeding maximum width are truncated.
+#
+# {arg} argument such as header name etc. This field may be
+# placed before or after the token, but not both at once.
+#
+# Format codes:
+#
+# % a literal % character
+# sn Unique sequence number per log line entry
+# err_code The ID of an error response served by Squid or
+# a similar internal error identifier.
+# err_detail Additional err_code-dependent error information.
+# note The annotation specified by the argument. Also
+# logs the adaptation meta headers set by the
+# adaptation_meta configuration parameter.
+# If no argument given all annotations logged.
+# The argument may include a separator to use with
+# annotation values:
+# name[:separator]
+# By default, multiple note values are separated with ","
+# and multiple notes are separated with "\r\n".
+# When logging named notes with %{name}note, the
+# explicitly configured separator is used between note
+# values. When logging all notes with %note, the
+# explicitly configured separator is used between
+# individual notes. There is currently no way to
+# specify both value and notes separators when logging
+# all notes with %note.
+# master_xaction The master transaction identifier is an unsigned
+# integer. These IDs are guaranteed to monotonically
+# increase within a single worker process lifetime, with
+# higher values corresponding to transactions that were
+# accepted or initiated later. Due to current implementation
+# deficiencies, some IDs are skipped (i.e. never logged).
+# Concurrent workers and restarted workers use similar,
+# overlapping sequences of master transaction IDs.
+#
+# Connection related format codes:
+#
+# >a Client source IP address
+# >A Client FQDN
+# >p Client source port
+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+# >la Local IP address the client connected to
+# >lp Local port number the client connected to
+# >qos Client connection TOS/DSCP value set by Squid
+# >nfmark Client connection netfilter packet MARK set by Squid
+#
+# la Local listening IP address the client connection was connected to.
+# lp Local listening port number the client connection was connected to.
+#
+# handshake Raw client handshake
+# Initial client bytes received by Squid on a newly
+# accepted TCP connection or inside a just established
+# CONNECT tunnel. Squid stops accumulating handshake
+# bytes as soon as the handshake parser succeeds or
+# fails (determining whether the client is using the
+# expected protocol).
+#
+# For HTTP clients, the handshake is the request line.
+# For TLS clients, the handshake consists of all TLS
+# records up to and including the TLS record that
+# contains the last byte of the first ClientHello
+# message. For clients using an unsupported protocol,
+# this field contains the bytes received by Squid at the
+# time of the handshake parsing failure.
+#
+# See the on_unsupported_protocol directive for more
+# information on Squid handshake traffic expectations.
+#
+# Current support is limited to these contexts:
+# - http_port connections, but only when the
+# on_unsupported_protocol directive is in use.
+# - https_port connections (and CONNECT tunnels) that
+# are subject to the ssl_bump peek or stare action.
+#
+# To protect binary handshake data, this field is always
+# base64-encoded (RFC 4648 Section 4). If logformat
+# field encoding is configured, that encoding is applied
+# on top of base64. Otherwise, the computed base64 value
+# is recorded as is.
+#
+# Time related format codes:
+#
+# ts Seconds since epoch
+# tu subsecond time (milliseconds)
+# tl Local time. Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tg GMT time. Optional strftime format argument
+# default %d/%b/%Y:%H:%M:%S %z
+# tr Response time (milliseconds)
+# dt Total time spent making DNS lookups (milliseconds)
+# tS Approximate master transaction start time in
+# . format.
+# Currently, Squid considers the master transaction
+# started when a complete HTTP request header initiating
+# the transaction is received from the client. This is
+# the same value that Squid uses to calculate transaction
+# response time when logging %tr to access.log. Currently,
+# Squid uses millisecond resolution for %tS values,
+# similar to the default access.log "current time" field
+# (%ts.%03tu).
+#
+# Access Control related format codes:
+#
+# et Tag returned by external acl
+# ea Log string returned by external acl
+# un User name (any available)
+# ul User name from authentication
+# ue User name from external acl helper
+# ui User name from ident
+# un A user name. Expands to the first available name
+# from the following list of information sources:
+# - authenticated user name, like %ul
+# - user name supplied by an external ACL, like %ue
+# - SSL client name, like %us
+# - ident user name, like %ui
+# credentials Client credentials. The exact meaning depends on
+# the authentication scheme: For Basic authentication,
+# it is the password; for Digest, the realm sent by the
+# client; for NTLM and Negotiate, the client challenge
+# or client credentials prefixed with "YR " or "KK ".
+#
+# HTTP related format codes:
+#
+# REQUEST
+#
+# [http::]rm Request method (GET/POST etc)
+# [http::]>rm Request method from client
+# [http::]ru Request URL received from the client (or computed)
+#
+# Computed URLs are URIs of internally generated
+# requests and various "error:..." URIs.
+#
+# Unlike %ru, this request URI is not affected
+# by request adaptation, URL rewriting services,
+# and strip_query_terms.
+#
+# Honors uri_whitespace.
+#
+# This field is using pass-through URL encoding
+# by default. Encoding this field using other
+# variants of %-encoding will clash with
+# uri_whitespace modifications that also use
+# %-encoding.
+#
+# [http::]rs Request URL scheme from client
+# [http::]rd Request URL domain from client
+# [http::]rP Request URL port from client
+# [http::]rp Request URL path excluding hostname from client
+# [http::]rv Request protocol version from client
+# [http::]h Original received request header.
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Accepts optional header field name/value filter
+# argument using name[:[separator]element] format.
+# [http::]>ha Received request header after adaptation and
+# redirection (pre-cache REQMOD vectoring point).
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Optional header name argument as for >h
+#
+# RESPONSE
+#
+# [http::]Hs HTTP status code sent to the client
+#
+# [http::]h
+#
+# [http::]mt MIME content type
+#
+#
+# SIZE COUNTERS
+#
+# [http::]st Total size of request + reply traffic with client
+# [http::]>st Total size of request received from client.
+# Excluding chunked encoding bytes.
+# [http::]sh Size of request headers received from client
+# [http::]sni SSL client SNI sent to Squid.
+#
+# ssl::>cert_subject
+# The Subject field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Subject often has spaces.
+#
+# ssl::>cert_issuer
+# The Issuer field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Issuer often has spaces.
+#
+# ssl::negotiated_version The negotiated TLS version of the
+# client connection.
+#
+# %ssl::received_hello_version The TLS version of the Hello
+# message received from TLS client.
+#
+# %ssl::received_supported_version The maximum TLS version
+# supported by the TLS client.
+#
+# %ssl::negotiated_cipher The negotiated cipher of the
+# client connection.
+#
+# %ssl::h PROXY protocol header, including optional TLVs.
+#
+# Supports the same field and element reporting/extraction logic
+# as %http::>h. For configuration and reporting purposes, Squid
+# maps each PROXY TLV to an HTTP header field: the TLV type
+# (configured as a decimal integer) is the field name, and the
+# TLV value is the field value. All TLVs of "LOCAL" connections
+# (in PROXY protocol terminology) are currently skipped/ignored.
+#
+# Squid also maps the following standard PROXY protocol header
+# blocks to pseudo HTTP headers (their names use PROXY
+# terminology and start with a colon, following HTTP tradition
+# for pseudo headers): :command, :version, :src_addr, :dst_addr,
+# :src_port, and :dst_port.
+#
+# Without optional parameters, this logformat code logs
+# pseudo headers and TLVs.
+#
+# This format code uses pass-through URL encoding by default.
+#
+# Example:
+# # relay custom PROXY TLV #224 to adaptation services
+# adaptation_meta Client-Foo "%proxy_protocol::>h{224}"
+#
+# See also: %http::>h
+#
+# The default formats available (which do not need re-defining) are:
+#
+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+#logformat useragent %>a [%tl] "%{User-Agent}>h"
+#
+# NOTE: When the log_mime_hdrs directive is set to ON.
+# The squid, common and combined formats have a safely encoded copy
+# of the mime headers appended to each line within a pair of brackets.
+#
+# NOTE: The common and combined formats are not quite true to the Apache definition.
+#
+# The logs from Squid contain an extra status and hierarchy code appended.
+#
+#Default:
+# The format definitions squid, common, combined, referrer, useragent are built in.
+
+# TAG: access_log
+# Configures whether and how Squid logs HTTP and ICP transactions.
+# If access logging is enabled, a single line is logged for every
+# matching HTTP or ICP request. The recommended directive formats are:
+#
+# access_log : [option ...] [acl acl ...]
+# access_log none [acl acl ...]
+#
+# The following directive format is accepted but may be deprecated:
+# access_log : [ [acl acl ...]]
+#
+# In most cases, the first ACL name must not contain the '=' character
+# and should not be equal to an existing logformat name. You can always
+# start with an 'all' ACL to work around those restrictions.
+#
+# Will log to the specified module:place using the specified format (which
+# must be defined in a logformat directive) those entries which match
+# ALL the acl's specified (which must be defined in acl clauses).
+# If no acl is specified, all requests will be logged to this destination.
+#
+# ===== Available options for the recommended directive format =====
+#
+# logformat=name Names log line format (either built-in or
+# defined by a logformat directive). Defaults
+# to 'squid'.
+#
+# buffer-size=64KB Defines approximate buffering limit for log
+# records (see buffered_logs). Squid should not
+# keep more than the specified size and, hence,
+# should flush records before the buffer becomes
+# full to avoid overflows under normal
+# conditions (the exact flushing algorithm is
+# module-dependent though). The on-error option
+# controls overflow handling.
+#
+# on-error=die|drop Defines action on unrecoverable errors. The
+# 'drop' action ignores (i.e., does not log)
+# affected log records. The default 'die' action
+# kills the affected worker. The drop action
+# support has not been tested for modules other
+# than tcp.
+#
+# rotate=N Specifies the number of log file rotations to
+# make when you run 'squid -k rotate'. The default
+# is to obey the logfile_rotate directive. Setting
+# rotate=0 will disable the file name rotation,
+# but the log files are still closed and re-opened.
+# This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+# Only supported by the stdio module.
+#
+# ===== Modules Currently available =====
+#
+# none Do not log any requests matching these ACL.
+# Do not specify Place or logformat name.
+#
+# stdio Write each log line to disk immediately at the completion of
+# each request.
+# Place: the filename and path to be written.
+#
+# daemon Very similar to stdio. But instead of writing to disk the log
+# line is passed to a daemon helper for asychronous handling instead.
+# Place: varies depending on the daemon.
+#
+# log_file_daemon Place: the file name and path to be written.
+#
+# syslog To log each request via syslog facility.
+# Place: The syslog facility and priority level for these entries.
+# Place Format: facility.priority
+#
+# where facility could be any of:
+# authpriv, daemon, local0 ... local7 or user.
+#
+# And priority could be any of:
+# err, warning, notice, info, debug.
+#
+# udp To send each log line as text data to a UDP receiver.
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# tcp To send each log line as text data to a TCP receiver.
+# Lines may be accumulated before sending (see buffered_logs).
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
+#
+# Default:
+# access_log daemon:/var/log/squid/access.log squid
+#Default:
+# access_log daemon:/var/log/squid/access.log squid
+
+# TAG: icap_log
+# ICAP log files record ICAP transaction summaries, one line per
+# transaction.
+#
+# The icap_log option format is:
+# icap_log [ [acl acl ...]]
+# icap_log none [acl acl ...]]
+#
+# Please see access_log option documentation for details. The two
+# kinds of logs share the overall configuration approach and many
+# features.
+#
+# ICAP processing of a single HTTP message or transaction may
+# require multiple ICAP transactions. In such cases, multiple
+# ICAP transaction log lines will correspond to a single access
+# log line.
+#
+# ICAP log supports many access.log logformat %codes. In ICAP context,
+# HTTP message-related %codes are applied to the HTTP message embedded
+# in an ICAP message. Logformat "%http::>..." codes are used for HTTP
+# messages embedded in ICAP requests while "%http::<..." codes are used
+# for HTTP messages embedded in ICAP responses. For example:
+#
+# http::>h To-be-adapted HTTP message headers sent by Squid to
+# the ICAP service. For REQMOD transactions, these are
+# HTTP request headers. For RESPMOD, these are HTTP
+# response headers, but Squid currently cannot log them
+# (i.e., %http::>h will expand to "-" for RESPMOD).
+#
+# http::st The total size of the ICAP request sent to the ICAP
+# server (ICAP headers + ICAP body), including chunking
+# metadata (if any).
+#
+# icap::h ICAP request header(s). Similar to >h.
+#
+# icap::A %icap::to/%03icap::Hs %icap::\n - logfile data
+# R\n - rotate file
+# T\n - truncate file
+# O\n - reopen file
+# F\n - flush file
+# r\n - set rotate count to
+# b\n - 1 = buffer output, 0 = don't buffer output
+#
+# No responses is expected.
+#Default:
+# logfile_daemon /usr/lib/squid/log_file_daemon
+
+# TAG: stats_collection allow|deny acl acl...
+# This options allows you to control which requests gets accounted
+# in performance counters.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow logging for all transactions.
+
+# TAG: cache_store_log
+# Logs the activities of the storage manager. Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long.
+# There are not really utilities to analyze this data, so you can safely
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
+# Example:
+# cache_store_log stdio:/var/log/squid/store.log
+# cache_store_log daemon:/var/log/squid/store.log
+#Default:
+# none
+
+# TAG: cache_swap_state
+# Location for the cache "swap.state" file. This index file holds
+# the metadata of objects saved on disk. It is used to rebuild
+# the cache during startup. Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file. If you change the order of the 'cache_dir'
+# lines in this file, these index files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend you do NOT use this option. It is
+# better to keep these index files in each 'cache_dir' directory.
+#Default:
+# Store the journal inside its cache_dir
+
+# TAG: logfile_rotate
+# Specifies the default number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9. Setting logfile_rotate to 0 will
+# disable the file name rotation, but the logfiles are still closed
+# and re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
+#
+# Note, from Squid-4 this option is only a default for access.log
+# recorded by stdio: module. Those logs can be rotated separately by
+# using the rotate=N option on their access_log directive.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# '.
+#
+# Note, for Debian/Linux the default of logfile_rotate is
+# zero, since it includes external logfile-rotation methods.
+#Default:
+# logfile_rotate 0
+
+# TAG: mime_table
+# Path to Squid's icon configuration file.
+#
+# You shouldn't need to change this, but the default file contains
+# examples and formatting information if you do.
+#Default:
+# mime_table /usr/share/squid/mime.conf
+
+# TAG: log_mime_hdrs on|off
+# The Cache can record both the request and the response MIME
+# headers for each HTTP transaction. The headers are encoded
+# safely and will appear as two bracketed fields at the end of
+# the access log (for either the native or httpd-emulated log
+# formats). To enable this logging set log_mime_hdrs to 'on'.
+#Default:
+# log_mime_hdrs off
+
+# TAG: pid_filename
+# A filename to write the process-id to. To disable, enter "none".
+#Default:
+# pid_filename /run/squid.pid
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+#
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#Default:
+# Log full client IP address
+
+# TAG: strip_query_terms
+# By default, Squid strips query terms from requested URLs before
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
+#Default:
+# strip_query_terms on
+
+# TAG: buffered_logs on|off
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks. Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
+#Default:
+# buffered_logs off
+
+# TAG: netdb_filename
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
+#
+# To disable, enter "none".
+#Default:
+# netdb_filename stdio:/var/spool/squid/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
+#Default:
+# cache_log /var/log/squid/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section. Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# The default is to run with "ALL,1" to record important warnings.
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# Log all critical and important messages.
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started. If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# Use the directory from where Squid was started.
+#
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# OPTIONS FOR FTP GATEWAYING
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky FTP servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some FTP server also validate the email address is valid
+# (for example perl.com).
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, turn off this option.
+#
+# Use of ftp_epsv_all option requires this to be ON.
+#Default:
+# ftp_passive on
+
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+# +# NATs may be able to put the connection on a "fast path" through the +# translator, as the EPRT command will never be used and therefore, +# translation of the data portion of the segments will never be needed. +# +# When a client only expects to do two-way FTP transfers this may be +# useful. +# If squid finds that it must do a three-way FTP transfer after issuing +# an EPSV ALL command, the FTP session will fail. +# +# If you have any doubts about this option do not use it. +# Squid will nicely attempt all other connection methods. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv_all off + +# TAG: ftp_epsv +# FTP Protocol extensions permit the use of a special "EPSV" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator using EPSV, as the EPRT command will never be used +# and therefore, translation of the data portion of the segments +# will never be needed. +# +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: +# +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# none + +# TAG: ftp_eprt +# FTP Protocol extensions permit the use of a special "EPRT" command. +# +# This extension provides a protocol neutral alternative to the +# IPv4-only PORT command. When supported it enables active FTP data +# channels over IPv6 and efficient NAT handling. +# +# Turning this OFF will prevent EPRT being attempted and will skip +# straight to using PORT for IPv4 servers. +# +# Some devices are known to not handle this extension correctly and +# may result in crashes. 
Devices which suport EPRT enough to fail +# cleanly will result in Squid attempting PORT anyway. This directive +# should only be disabled when EPRT results in device failures. +# +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers and IPv4-only FTP. +#Default: +# ftp_eprt on + +# TAG: ftp_sanitycheck +# For security and data integrity reasons Squid by default performs +# sanity checks of the addresses of FTP data connections ensure the +# data connection is to the requested server. If you need to allow +# FTP connections to servers using another IP address for the data +# connection turn this off. +#Default: +# ftp_sanitycheck on + +# TAG: ftp_telnet_protocol +# The FTP protocol is officially defined to use the telnet protocol +# as transport channel for the control connection. However, many +# implementations are broken and does not respect this aspect of +# the FTP protocol. +# +# If you have trouble accessing files with ASCII code 255 in the +# path or similar problems involving this ASCII code you can +# try setting this directive to off. If that helps, report to the +# operator of the FTP server in question that their FTP server +# is broken and does not follow the FTP standard. +#Default: +# ftp_telnet_protocol on + +# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS +# ----------------------------------------------------------------------------- + +# TAG: diskd_program +# Specify the location of the diskd executable. +# Note this is only useful if you have compiled in +# diskd as one of the store io modules. +#Default: +# diskd_program /usr/lib/squid/diskd + +# TAG: unlinkd_program +# Specify the location of the executable for file deletion process. +#Default: +# unlinkd_program /usr/lib/squid/unlinkd + +# TAG: pinger_program +# Specify the location of the executable for the pinger process. 
+#Default: +# pinger_program /usr/lib/squid/pinger + +# TAG: pinger_enable +# Control whether the pinger is active at run-time. +# Enables turning ICMP pinger on and off with a simple +# squid -k reconfigure. +#Default: +# pinger_enable on + +# OPTIONS FOR URL REWRITING +# ----------------------------------------------------------------------------- + +# TAG: url_rewrite_program +# The name and command line parameters of an admin-provided executable +# for redirecting clients or adjusting/replacing client request URLs. +# +# This helper is consulted after the received request is cleared by +# http_access and adapted using eICAP/ICAP services (if any). If the +# helper does not redirect the client, Squid checks adapted_http_access +# and may consult the cache or forward the request to the next hop. +# +# +# For each request, the helper gets one line in the following format: +# +# [channel-ID ] request-URL [ extras] +# +# Use url_rewrite_extras to configure what Squid sends as 'extras'. +# +# +# The helper must reply to each query using a single line: +# +# [channel-ID ] result [ kv-pairs] +# +# The result section must match exactly one of the following outcomes: +# +# OK [status=30N] url="..." +# +# Redirect the client to a URL supplied in the 'url' parameter. +# Optional 'status' specifies the status code to send to the +# client in Squid's HTTP redirect response. It must be one of +# the standard HTTP redirect status codes: 301, 302, 303, 307, +# or 308. When no specific status is requested, Squid uses 302. +# +# OK rewrite-url="..." +# +# Replace the current request URL with the one supplied in the +# 'rewrite-url' parameter. Squid fetches the resource specified +# by the new URL and forwards the received response (or its +# cached copy) to the client. +# +# WARNING: Avoid rewriting URLs! When possible, redirect the +# client using an "OK url=..." helper response instead. 
+# Rewriting URLs may create inconsistent requests and/or break +# synchronization between internal client and origin server +# states, especially when URLs or other message parts contain +# snippets of that state. For example, Squid does not adjust +# Location headers and embedded URLs after the helper rewrites +# the request URL. +# +# OK +# Keep the client request intact. +# +# ERR +# Keep the client request intact. +# +# BH [message="..."] +# A helper problem that should be reported to the Squid admin +# via a level-1 cache.log message. The 'message' parameter is +# reserved for specifying the log message. +# +# In addition to the kv-pairs mentioned above, Squid also understands +# the following optional kv-pairs in URL rewriter responses: +# +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# +# The clt_conn_tag=TAG pair is treated as a regular transaction +# annotation for the current request and also annotates future +# requests on the same client connection. A helper may update +# the TAG during subsequent requests by returning a new kv-pair. +# +# +# Helper messages contain the channel-ID part if and only if the +# url_rewrite_children directive specifies positive concurrency. As a +# channel-ID value, Squid sends a number between 0 and concurrency-1. +# The helper must echo back the received channel-ID in its response. +# +# By default, Squid does not use a URL rewriter. +#Default: +# none + +# TAG: url_rewrite_children +# Specifies the maximum number of redirector processes that Squid may +# spawn (numberofchildren) and several related options. Using too few of +# these helper processes (a.k.a. "helpers") creates request queues. +# Using too many helpers wastes your system resources. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. 
When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each redirector helper can handle in +# parallel. Defaults to 0 which indicates the redirector +# is a old-style single threaded redirector. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests. A request is queued when +# no existing child can accept it due to concurrency limit and no new +# child can be started due to numberofchildren limit. The default +# maximum is zero if url_rewrite_bypass is enabled and +# 2*numberofchildren otherwise. If the queued requests exceed queue size +# and redirector_bypass configuration option is set, then redirector is +# bypassed. Otherwise, Squid is allowed to temporarily exceed the +# configured maximum, marking the affected helper as "overloaded". If +# the helper overload lasts more than 3 minutes, the action prescribed +# by the on-persistent-overload option applies. +# +# on-persistent-overload=action +# +# Specifies Squid reaction to a new helper request arriving when the helper +# has been overloaded for more that 3 minutes already. The number of queued +# requests determines whether the helper is overloaded (see the queue-size +# option). +# +# Two actions are supported: +# +# die Squid worker quits. 
This is the default behavior. +# +# ERR Squid treats the helper request as if it was +# immediately submitted, and the helper immediately +# replied with an ERR response. This action has no effect +# on the already queued and in-progress helper requests. +#Default: +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 + +# TAG: url_rewrite_host_header +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# +# WARNING: Entries are cached on the result of the URL rewriting +# process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. +#Default: +# url_rewrite_host_header on + +# TAG: url_rewrite_access +# If defined, this access list specifies which requests are +# sent to the redirector processes. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: url_rewrite_bypass +# When this is 'on', a request will not go through the +# redirector if all the helpers are busy. If this is 'off' and the +# redirector queue grows too large, the action is prescribed by the +# on-persistent-overload option. You should only enable this if the +# redirectors are not critical to your caching system. If you use +# redirectors for access control, and you enable this option, +# users may have access to pages they should not +# be allowed to request. +# +# Enabling this option sets the default url_rewrite_children queue-size +# option value to 0. 
+#Default: +# url_rewrite_bypass off + +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: url_rewrite_timeout +# Squid times active requests to redirector. The timeout value and Squid +# reaction to a timed out request are configurable using the following +# format: +# +# url_rewrite_timeout timeout time-units on_timeout= [response=] +# +# supported timeout actions: +# fail Squid return a ERR_GATEWAY_FAILURE error page +# +# bypass Do not re-write the URL +# +# retry Send the lookup to the helper again +# +# use_configured_response +# Use the as helper response +#Default: +# Squid waits for the helper response forever + +# OPTIONS FOR STORE ID +# ----------------------------------------------------------------------------- + +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. 
+# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# Specifies the maximum number of StoreID helper processes that Squid +# may spawn (numberofchildren) and several related options. Using +# too few of these helper processes (a.k.a. "helpers") creates request +# queues. Using too many helpers wastes your system resources. +# +# Usage: numberofchildren [option]... +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. 
+# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +# +# queue-size=N +# +# Sets the maximum number of queued requests to N. A request is queued +# when no existing child can accept it due to concurrency limit and no +# new child can be started due to numberofchildren limit. The default +# maximum is 2*numberofchildren. If the queued requests exceed queue +# size and redirector_bypass configuration option is set, then +# redirector is bypassed. Otherwise, Squid is allowed to temporarily +# exceed the configured maximum, marking the affected helper as +# "overloaded". If the helper overload lasts more than 3 minutes, the +# action prescribed by the on-persistent-overload option applies. +# +# on-persistent-overload=action +# +# Specifies Squid reaction to a new helper request arriving when the helper +# has been overloaded for more that 3 minutes already. The number of queued +# requests determines whether the helper is overloaded (see the queue-size +# option). +# +# Two actions are supported: +# +# die Squid worker quits. This is the default behavior. 
+# +# ERR Squid treats the helper request as if it was +# immediately submitted, and the helper immediately +# replied with an ERR response. This action has no effect +# on the already queued and in-progress helper requests. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' and the helper +# queue grows too large, the action is prescribed by the +# on-persistent-overload option. You should only enable this if the +# helpers are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +# This options sets default queue-size option of the store_id_children +# to 0. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. 
+# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... 
+# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week + +# TAG: refresh_pattern +# usage: refresh_pattern [-i] regex min percent max [options] +# +# By default, regular expressions are CASE-SENSITIVE. To make +# them case-insensitive, use the -i option. +# +# 'Min' is the time (in minutes) an object without an explicit +# expiry time should be considered fresh. The recommended +# value is 0, any higher values may cause dynamic applications +# to be erroneously cached unless the application designer +# has taken the appropriate actions. +# +# 'Percent' is a percentage of the objects age (time since last +# modification age) an object without explicit expiry time +# will be considered fresh. 
+# +# 'Max' is an upper limit on how long objects without an explicit +# expiry time will be considered fresh. The value is also used +# to form Cache-Control: max-age header for a request sent from +# Squid to origin/parent. +# +# options: override-expire +# override-lastmod +# reload-into-ims +# ignore-reload +# ignore-no-store +# ignore-private +# max-stale=NN +# refresh-ims +# store-stale +# +# override-expire enforces min age even if the server +# sent an explicit expiry time (e.g., with the +# Expires: header or Cache-Control: max-age). Doing this +# VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# Note: override-expire does not enforce staleness - it only extends +# freshness / min. If the server returns a Expires time which +# is longer than your max time, Squid will still consider +# the object fresh for that period of time. +# +# override-lastmod enforces min age even on objects +# that were modified recently. +# +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# ignore-reload ignores a client no-cache or ``reload'' +# header. Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which +# it causes. +# +# ignore-no-store ignores any ``Cache-control: no-store'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# +# ignore-private ignores any ``Cache-control: private'' +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. 
+# +# refresh-ims causes squid to contact the origin server +# when a client issues an If-Modified-Since request. This +# ensures that the client will receive an updated version +# if one is available. +# +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# +# Basically a cached object is: +# +# FRESH if expire > now, else STALE +# STALE if age > max +# FRESH if lm-factor < percent, else STALE +# FRESH if age < min +# else STALE +# +# The refresh_pattern lines are checked in the order listed here. +# The first entry which matches is used. If none of the entries +# match the default will be used. +# +# Note, you must uncomment all the default lines if you want +# to change one. The default setting is only active if none is +# used. +# +# + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +# TAG: quick_abort_min (KB) +#Default: +# quick_abort_min 16 KB + +# TAG: quick_abort_max (KB) +#Default: +# quick_abort_max 16 KB + +# TAG: quick_abort_pct (percent) +# The cache by default continues downloading aborted requests +# which are almost completed (less than 16 KB remaining). This +# may be undesirable on slow (e.g. SLIP) links and/or very busy +# caches. Impatient users may tie up file descriptors and +# bandwidth by repeatedly requesting and immediately aborting +# downloads. 
+# +# When the user aborts a request, Squid will check the +# quick_abort values to the amount of data transferred until +# then. +# +# If the transfer has less than 'quick_abort_min' KB remaining, +# it will finish the retrieval. +# +# If the transfer has more than 'quick_abort_max' KB remaining, +# it will abort the retrieval. +# +# If more than 'quick_abort_pct' of the transfer has completed, +# it will finish the retrieval. +# +# If you do not want any retrieval to continue after the client +# has aborted, set both 'quick_abort_min' and 'quick_abort_max' +# to '0 KB'. +# +# If you want retrievals to always continue if they are being +# cached set 'quick_abort_min' to '-1 KB'. +#Default: +# quick_abort_pct 95 + +# TAG: read_ahead_gap buffer-size +# The amount of data the cache will buffer ahead of what has been +# sent to the client when retrieving an object from another server. +#Default: +# read_ahead_gap 16 KB + +# TAG: negative_ttl time-units +# Set the Default Time-to-Live (TTL) for failed requests. +# Certain types of failures (such as "connection refused" and +# "404 Not Found") are able to be negatively-cached for a short time. +# Modern web servers should provide Expires: header, however if they +# do not this can provide a minimum TTL. +# The default is not to cache errors with unknown expiry details. +# +# Note that this is different from negative caching of DNS lookups. +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +#Default: +# negative_ttl 0 seconds + +# TAG: positive_dns_ttl time-units +# Upper limit on how long Squid will cache positive DNS responses. +# Default is 6 hours (360 minutes). This directive must be set +# larger than negative_dns_ttl. +#Default: +# positive_dns_ttl 6 hours + +# TAG: negative_dns_ttl time-units +# Time-to-Live (TTL) for negative caching of failed DNS lookups. +# This also sets the lower cache limit on positive lookups. 
+# Minimum value is 1 second, and it is not recommendable to go +# much below 10 seconds. +#Default: +# negative_dns_ttl 1 minutes + +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# +# This is to stop a far ahead range request (lets say start at 17MB) +# from making Squid fetch the whole object up to that point before +# sending anything to the client. +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the +# client requested. (default) +# +# A size of 'none' causes Squid to always fetch the object from the +# beginning so it may cache the result. (2.0 style) +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will +# be fully fetched from start to finish regardless of the client +# actions. This affects bandwidth usage. +#Default: +# none + +# TAG: minimum_expiry_time (seconds) +# The minimum caching time according to (Expires - Date) +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. 
+# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. +#Default: +# minimum_expiry_time 60 seconds + +# TAG: store_avg_object_size (bytes) +# Average object size, used to estimate number of objects your +# cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. +#Default: +# store_avg_object_size 13 KB + +# TAG: store_objects_per_bucket +# Target number of objects per bucket in the store hash table. +# Lowering this value increases the total number of buckets and +# also the storage maintenance rate. The default is 20. +#Default: +# store_objects_per_bucket 20 + +# HTTP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: request_header_max_size (KB) +# This directives limits the header size of a received HTTP request +# (including request-line). Increasing this limit beyond its 64 KB default +# exposes certain old Squid code to various denial-of-service attacks. This +# limit also applies to received FTP commands. +# +# This limit has no direct affect on Squid memory consumption. +# +# Squid does not check this limit when sending requests. +#Default: +# request_header_max_size 64 KB + +# TAG: reply_header_max_size (KB) +# This directives limits the header size of a received HTTP response +# (including status-line). Increasing this limit beyond its 64 KB default +# exposes certain old Squid code to various denial-of-service attacks. This +# limit also applies to FTP command responses. +# +# Squid also checks this limit when loading hit responses from disk cache. 
+# +# Squid does not check this limit when sending responses. +#Default: +# reply_header_max_size 64 KB + +# TAG: request_body_max_size (bytes) +# This specifies the maximum size for an HTTP request body. +# In other words, the maximum size of a PUT/POST request. +# A user who attempts to send a request with a body larger +# than this limit receives an "Invalid Request" error message. +# If you set this parameter to a zero (the default), there will +# be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. +#Default: +# No limit. + +# TAG: client_request_buffer_max_size (bytes) +# This specifies the maximum buffer size of a client request. +# It prevents squid eating too much memory when somebody uploads +# a large file. +#Default: +# client_request_buffer_max_size 512 KB + +# TAG: broken_posts +# A list of ACL elements which, if matched, causes Squid to send +# an extra CRLF pair after the body of a PUT/POST request. +# +# Some HTTP servers has broken implementations of PUT/POST, +# and rely on an extra CRLF pair sent by some WWW clients. +# +# Quote from RFC2616 section 4.1 on this matter: +# +# Note: certain buggy HTTP/1.0 client implementations generate an +# extra CRLF's after a POST request. To restate what is explicitly +# forbidden by the BNF, an HTTP/1.1 client must not preface or follow +# a request with an extra CRLF. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +#Example: +# acl buggy_server url_regex ^http://.... +# broken_posts allow buggy_server +#Default: +# Obey RFC 2616. + +# TAG: adaptation_uses_indirect_client on|off +# Controls whether the indirect client IP address (instead of the direct +# client IP address) is passed to adaptation services. 
+# +# See also: follow_x_forwarded_for adaptation_send_client_ip +#Default: +# adaptation_uses_indirect_client on + +# TAG: via on|off +# If set (default), Squid will include a Via header in requests and +# replies as required by RFC2616. +#Default: +# via on + +# TAG: vary_ignore_expire on|off +# Many HTTP servers supporting Vary gives such objects +# immediate expiry time with no cache-control header +# when requested by a HTTP/1.0 client. This option +# enables Squid to ignore such expiry times until +# HTTP/1.1 is fully implemented. +# +# WARNING: If turned on this may eventually cause some +# varying objects not intended for caching to get cached. +#Default: +# vary_ignore_expire off + +# TAG: request_entities +# Squid defaults to deny GET and HEAD requests with request entities, +# as the meaning of such requests are undefined in the HTTP standard +# even if not explicitly forbidden. +# +# Set this directive to on if you have clients which insists +# on sending request entities in GET or HEAD requests. But be warned +# that there is server software (both proxies and web servers) which +# can fail to properly process this kind of request which may make you +# vulnerable to cache pollution attacks if enabled. +#Default: +# request_entities off + +# TAG: request_header_access +# Usage: request_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option replaces the old 'anonymize_headers' and the +# older 'http_anonymizer' option with something that is much +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. 
The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# request_header_access From deny all +# request_header_access Referer deny all +# request_header_access User-Agent deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# request_header_access Authorization allow all +# request_header_access Proxy-Authorization allow all +# request_header_access Cache-Control allow all +# request_header_access Content-Length allow all +# request_header_access Content-Type allow all +# request_header_access Date allow all +# request_header_access Host allow all +# request_header_access If-Modified-Since allow all +# request_header_access Pragma allow all +# request_header_access Accept allow all +# request_header_access Accept-Charset allow all +# request_header_access Accept-Encoding allow all +# request_header_access Accept-Language allow all +# request_header_access Connection allow all +# request_header_access All deny all +# +# HTTP reply headers are controlled with the reply_header_access directive. 
+# +# By default, all headers are allowed (no anonymizing is performed). +#Default: +# No limits. + +# TAG: reply_header_access +# Usage: reply_header_access header_name allow|deny [!]aclname ... +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. +# +# This option only applies to reply headers, i.e., from the +# server to the client. +# +# This is the same as request_header_access, but in the other +# direction. Please see request_header_access for detailed +# documentation. +# +# For example, to achieve the same behavior as the old +# 'http_anonymizer standard' option, you should use: +# +# reply_header_access Server deny all +# reply_header_access WWW-Authenticate deny all +# reply_header_access Link deny all +# +# Or, to reproduce the old 'http_anonymizer paranoid' feature +# you should use: +# +# reply_header_access Allow allow all +# reply_header_access WWW-Authenticate allow all +# reply_header_access Proxy-Authenticate allow all +# reply_header_access Cache-Control allow all +# reply_header_access Content-Encoding allow all +# reply_header_access Content-Length allow all +# reply_header_access Content-Type allow all +# reply_header_access Date allow all +# reply_header_access Expires allow all +# reply_header_access Last-Modified allow all +# reply_header_access Location allow all +# reply_header_access Pragma allow all +# reply_header_access Content-Language allow all +# reply_header_access Retry-After allow all +# reply_header_access Title allow all +# reply_header_access Content-Disposition allow all +# reply_header_access Connection allow all +# reply_header_access All deny all +# +# HTTP request headers are controlled with the request_header_access directive. +# +# By default, all headers are allowed (no anonymizing is +# performed). +#Default: +# No limits. 
+ +# TAG: request_header_replace +# Usage: request_header_replace header_name message +# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) +# +# This option allows you to change the contents of headers +# denied with request_header_access above, by replacing them +# with some fixed string. +# +# This only applies to request headers, not reply headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: reply_header_replace +# Usage: reply_header_replace header_name message +# Example: reply_header_replace Server Foo/1.0 +# +# This option allows you to change the contents of headers +# denied with reply_header_access above, by replacing them +# with some fixed string. +# +# This only applies to reply headers, not request headers. +# +# By default, headers are removed if denied. +#Default: +# none + +# TAG: request_header_add +# Usage: request_header_add field-name field-value [ acl ... ] +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. 
As always in squid.conf, all +# ACLs in the ACL list must be satisfied for the insertion to +# happen. The request_header_add supports fast ACLs only. +# +# See also: reply_header_add. +#Default: +# none + +# TAG: reply_header_add +# Usage: reply_header_add field-name field-value [ acl ... ] +# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP responses (i.e., response +# headers delivered by Squid to the client). This option has no effect on +# cache hit detection. The equivalent adaptation vectoring point in +# ICAP terminology is post-cache RESPMOD. This option does not apply to +# successful CONNECT replies. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the response to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching responses. As always in squid.conf, all +# ACLs in the ACL list must be satisfied for the insertion to +# happen. The reply_header_add option supports fast ACLs only. +# +# See also: request_header_add. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... 
+# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none + +# TAG: relaxed_header_parser on|off|warn +# In the default "on" setting Squid accepts certain forms +# of non-compliant HTTP messages where it is unambiguous +# what the sending application intended even if the message +# is not correctly formatted. The messages is then normalized +# to the correct form when forwarded by Squid. +# +# If set to "warn" then a warning will be emitted in cache.log +# each time such HTTP error is encountered. +# +# If set to "off" then such HTTP errors will cause the request +# or response to be rejected. +#Default: +# relaxed_header_parser on + +# TAG: collapsed_forwarding (on|off) +# This option controls whether Squid is allowed to merge multiple +# potentially cachable requests for the same URI before Squid knows +# whether the response is going to be cachable. +# +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. 
+# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off + +# TAG: collapsed_forwarding_access +# Use this directive to restrict collapsed forwarding to a subset of +# eligible requests. The directive is checked for regular HTTP +# requests, internal revalidation requests, and HTCP/ICP requests. +# +# collapsed_forwarding_access allow|deny [!]aclname ... +# +# This directive cannot force collapsing. It has no effect on +# collapsing unless collapsed_forwarding is 'on', and all other +# collapsing preconditions are satisfied. +# +# * A denied request will not collapse, and future transactions will +# not collapse on it (even if they are allowed to collapse). +# +# * An allowed request may collapse, or future transactions may +# collapse on it (provided they are allowed to collapse). +# +# This directive is evaluated before receiving HTTP response headers +# and without access to Squid-to-peer connection (if any). +# +# Only fast ACLs are supported. +# +# See also: collapsed_forwarding. +#Default: +# Requests may be collapsed if collapsed_forwarding is on. + +# TAG: shared_transient_entries_limit (number of entries) +# This directive limits the size of a table used for sharing current +# transaction information among SMP workers. A table entry stores meta +# information about a single cache entry being delivered to Squid +# client(s) by one or more SMP workers. A single table entry consumes +# less than 128 shared memory bytes. +# +# The limit should be significantly larger than the number of +# concurrent non-collapsed cachable responses leaving Squid. 
For a +# cache that handles less than 5000 concurrent requests, the default +# setting of 16384 should be plenty. +# +# Using excessively large values wastes shared memory. Limiting the +# table size too much results in hash collisions, leading to lower hit +# ratio and missed SMP request collapsing opportunities: Transactions +# left without a table entry cannot cache their responses and are +# invisible to other concurrent requests for the same resource. +# +# A zero limit is allowed but unsupported. A positive small limit +# lowers hit ratio, but zero limit disables a lot of essential +# synchronization among SMP workers, leading to HTTP violations (e.g., +# stale hit responses). It also disables shared collapsed forwarding: +# A worker becomes unable to collapse its requests on transactions in +# other workers, resulting in more trips to the origin server and more +# cache thrashing. +#Default: +# shared_transient_entries_limit 16384 + +# TIMEOUTS +# ----------------------------------------------------------------------------- + +# TAG: forward_timeout time-units +# This parameter specifies how long Squid should at most attempt in +# finding a forwarding path for the request before giving up. +#Default: +# forward_timeout 4 minutes + +# TAG: connect_timeout time-units +# This parameter specifies how long to wait for the TCP connect to +# the requested server or peer to complete before Squid should +# attempt to find another path where to forward the request. +#Default: +# connect_timeout 1 minute + +# TAG: peer_connect_timeout time-units +# This parameter specifies how long to wait for a pending TCP +# connection to a peer cache. The default is 30 seconds. You +# may also set different timeout values for individual neighbors +# with the 'connect-timeout' option on a 'cache_peer' line. +#Default: +# peer_connect_timeout 30 seconds + +# TAG: read_timeout time-units +# Applied on peer server connections. 
+# +# After each successful read(), the timeout will be extended by this +# amount. If no data is read again after this amount of time, +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. +#Default: +# read_timeout 15 minutes + +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + +# TAG: request_timeout +# How long to wait for complete HTTP request headers after initial +# connection establishment. +#Default: +# request_timeout 5 minutes + +# TAG: request_start_timeout +# How long to wait for the first request byte after initial +# connection establishment. +#Default: +# request_start_timeout 5 minutes + +# TAG: client_idle_pconn_timeout +# How long to wait for the next HTTP request on a persistent +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. +#Default: +# ftp_client_idle_timeout 30 minutes + +# TAG: client_lifetime time-units +# The maximum amount of time a client (browser) is allowed to +# remain connected to the cache process. 
This protects the Cache +# from having a lot of sockets (and hence file descriptors) tied up +# in a CLOSE_WAIT state from remote clients that go away without +# properly shutting down (either because of a network failure or +# because of a poor client implementation). The default is one +# day, 1440 minutes. +# +# NOTE: The default value is intended to be much larger than any +# client would ever need to be connected to your cache. You +# should probably change client_lifetime only as a last resort. +# If you seem to have many client connections tying up +# filedescriptors, we recommend first tuning the read_timeout, +# request_timeout, persistent_request_timeout and quick_abort values. +#Default: +# client_lifetime 1 day + +# TAG: pconn_lifetime time-units +# Desired maximum lifetime of a persistent connection. +# When set, Squid will close a now-idle persistent connection that +# exceeded configured lifetime instead of moving the connection into +# the idle connection pool (or equivalent). No effect on ongoing/active +# transactions. Connection lifetime is the time period from the +# connection acceptance or opening time until "now". +# +# This limit is useful in environments with long-lived connections +# where Squid configuration or environmental factors change during a +# single connection lifetime. If unrestricted, some connections may +# last for hours and even days, ignoring those changes that should +# have affected their behavior or their existence. +# +# Currently, a new lifetime value supplied via Squid reconfiguration +# has no effect on already idle connections unless they become busy. +# +# When set to '0' this limit is not used. +#Default: +# pconn_lifetime 0 seconds + +# TAG: half_closed_clients +# Some clients may shutdown the sending side of their TCP +# connections, while leaving their receiving sides open. Sometimes, +# Squid can not tell the difference between a half-closed and a +# fully-closed TCP connection. 
+# +# By default, Squid will immediately close client connections when +# read(2) returns "no more data to read." +# +# Change this option to 'on' and Squid will keep open connections +# until a read(2) or write(2) on the socket returns an error. +# This may show some benefits for reverse proxies. But if not +# it is recommended to leave OFF. +#Default: +# half_closed_clients off + +# TAG: server_idle_pconn_timeout +# Timeout for idle persistent connections to servers and other +# proxies. +#Default: +# server_idle_pconn_timeout 1 minute + +# TAG: ident_timeout +# Maximum time to wait for IDENT lookups to complete. +# +# If this is too high, and you enabled IDENT lookups from untrusted +# users, you might be susceptible to denial-of-service by having +# many ident requests going at once. +#Default: +# ident_timeout 10 seconds + +# TAG: shutdown_lifetime time-units +# When SIGTERM or SIGHUP is received, the cache is put into +# "shutdown pending" mode until all active sockets are closed. +# This value is the lifetime to set for all open descriptors +# during shutdown mode. Any active clients after this many +# seconds will receive a 'timeout' message. +#Default: +# shutdown_lifetime 30 seconds + +# ADMINISTRATIVE PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: cache_mgr +# Email-address of local cache manager who will receive +# mail if the cache dies. The default is "webmaster". +#Default: +# cache_mgr webmaster + +# TAG: mail_from +# 
From: email-address for mail sent when the cache dies. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. +#Default: +# none + +# TAG: mail_program +# Email program used to send mail if the cache dies. +# The default is "mail". The specified program must comply +# with the standard Unix mail syntax: +# mail-program recipient < mailfile +# +# Optional command line options can be specified. +#Default: +# mail_program mail + +# TAG: cache_effective_user +# If you start Squid as root, it will change its effective/real +# UID/GID to the user specified below. The default is to change +# to UID of proxy. +# see also; cache_effective_group +#Default: +# cache_effective_user proxy + +# TAG: cache_effective_group +# Squid sets the GID to the effective user's default group ID +# (taken from the password file) and supplementary group list +# from the groups membership. +# +# If you want Squid to run with a specific GID regardless of +# the group memberships of the effective user then set this +# to the group (or GID) you want Squid to run as. When set +# all other group privileges of the effective user are ignored +# and only this GID is effective. If Squid is not started as +# root the user starting Squid MUST be member of the specified +# group. +# +# This option is not recommended by the Squid Team. +# Our preference is for administrators to configure a secure +# user account for squid with UID/GID matching system policies. +#Default: +# Use system group memberships of the cache_effective_user account + +# TAG: httpd_suppress_version_string on|off +# Suppress Squid version string info in HTTP headers and HTML error pages. +#Default: +# httpd_suppress_version_string off + +# TAG: visible_hostname +# If you want to present a special hostname in error messages, etc, +# define this. Otherwise, the return value of gethostname() +# will be used. 
If you have multiple caches in a cluster and +# get errors about IP-forwarding you must set them to have individual +# names with this setting. +#Default: +# Automatically detect the system host name + +# TAG: unique_hostname +# If you want to have multiple machines with the same +# 'visible_hostname' you must give each machine a different +# 'unique_hostname' so forwarding loops can be detected. +#Default: +# Copy the value from visible_hostname + +# TAG: hostname_aliases +# A list of other DNS names your cache has. +#Default: +# none + +# TAG: umask +# Minimum umask which should be enforced while the proxy +# is running, in addition to the umask set at startup. +# +# For a traditional octal representation of umasks, start +# your value with 0. +#Default: +# umask 027 + +# OPTIONS FOR THE CACHE REGISTRATION SERVICE +# ----------------------------------------------------------------------------- +# +# This section contains parameters for the (optional) cache +# announcement service. This service is provided to help +# cache administrators locate one another in order to join or +# create cache hierarchies. +# +# An 'announcement' message is sent (via UDP) to the registration +# service by Squid. By default, the announcement message is NOT +# SENT unless you enable it with 'announce_period' below. +# +# The announcement message includes your hostname, plus the +# following information from this configuration file: +# +# http_port +# icp_port +# cache_mgr +# +# All current information is processed regularly and made +# available on the Web at http://www.ircache.net/Cache/Tracker/. + +# TAG: announce_period +# This is how frequently to send cache announcements. +# +# To enable announcing your cache, just set an announce period. +# +# Example: +# announce_period 1 day +#Default: +# Announcement messages disabled. + +# TAG: announce_host +# Set the hostname where announce registration messages will be sent. 
+# +# See also announce_port and announce_file +#Default: +# announce_host tracker.ircache.net + +# TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. +#Default: +# none + +# TAG: announce_port +# Set the port where announce registration messages will be sent. +# +# See also announce_host and announce_file +#Default: +# announce_port 3131 + +# HTTPD-ACCELERATOR OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: httpd_accel_surrogate_id +# Surrogates (http://www.esi.org/architecture_spec_1.0.html) +# need an identification token to allow control targeting. Because +# a farm of surrogates may all perform the same tasks, they may share +# an identification token. +# +# When the surrogate is a reverse-proxy, this ID is also +# used as cdn-id for CDN-Loop detection (RFC 8586). +#Default: +# visible_hostname is used if no specific ID is set. + +# TAG: http_accel_surrogate_remote on|off +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# +# Set this to on to have squid behave as a remote surrogate. +#Default: +# http_accel_surrogate_remote off + +# TAG: esi_parser libxml2|expat +# Selects the XML parsing library to use when interpreting responses with +# Edge Side Includes. +# +# To disable ESI handling completely, ./configure Squid with --disable-esi. +#Default: +# Selects libxml2 if available at ./configure time or libexpat otherwise. + +# DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: delay_pools +# This represents the number of delay pools to be used. For example, +# if you have one class 2 delay pool and one class 3 delays pool, you +# have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. 
+#Default: +# delay_pools 0 + +# TAG: delay_class +# This defines the class of each delay pool. There must be exactly one +# delay_class line for each delay pool. For example, to define two +# delay pools, one of class 2 and one of class 3, the settings above +# and here would be: +# +# Example: +# delay_pools 4 # 4 delay pools +# delay_class 1 2 # pool 1 is a class 2 pool +# delay_class 2 3 # pool 2 is a class 3 pool +# delay_class 3 4 # pool 3 is a class 4 pool +# delay_class 4 5 # pool 4 is a class 5 pool +# +# The delay pool classes are: +# +# class 1 Everything is limited by a single aggregate +# bucket. +# +# class 2 Everything is limited by a single aggregate +# bucket as well as an "individual" bucket chosen +# from bits 25 through 32 of the IPv4 address. +# +# class 3 Everything is limited by a single aggregate +# bucket as well as a "network" bucket chosen +# from bits 17 through 24 of the IP address and a +# "individual" bucket chosen from bits 17 through +# 32 of the IPv4 address. +# +# class 4 Everything in a class 3 delay pool, with an +# additional limit on a per user basis. This +# only takes effect if the username is established +# in advance - by forcing authentication in your +# http_access rules. +# +# class 5 Requests are grouped according their tag (see +# external_acl's tag= reply). +# +# +# Each pool also requires a delay_parameters directive to configure the pool size +# and speed limits used whenever the pool is applied to a request. Along with +# a set of delay_access directives to determine when it is used. +# +# NOTE: If an IP address is a.b.c.d +# -> bits 25 through 32 are "d" +# -> bits 17 through 24 are "c" +# -> bits 17 through 32 are "c * 256 + d" +# +# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to +# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+#
+# See also delay_parameters and delay_access.
+#Default:
+# none
+
+# TAG: delay_access
+# This is used to determine which delay pool a request falls into.
+#
+# delay_access is sorted per pool and the matching starts with pool 1,
+# then pool 2, ..., and finally pool N. The first delay pool where the
+# request is allowed is selected for the request. If it does not allow
+# the request to any pool then the request is not delayed (default).
+#
+# For example, if you want some_big_clients in delay
+# pool 1 and lotsa_little_clients in delay pool 2:
+#
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+# delay_access 3 allow authenticated_clients
+#
+# See also delay_parameters and delay_class.
+#
+#Default:
+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: delay_parameters
+# This defines the parameters for a delay pool. Each delay pool has
+# a number of "buckets" associated with it, as explained in the
+# description of delay_class.
+#
+# For a class 1 delay pool, the syntax is:
+# delay_class pool 1
+# delay_parameters pool aggregate
+#
+# For a class 2 delay pool:
+# delay_class pool 2
+# delay_parameters pool aggregate individual
+#
+# For a class 3 delay pool:
+# delay_class pool 3
+# delay_parameters pool aggregate network individual
+#
+# For a class 4 delay pool:
+# delay_class pool 4
+# delay_parameters pool aggregate network individual user
+#
+# For a class 5 delay pool:
+# delay_class pool 5
+# delay_parameters pool tagrate
+#
+# The option variables are:
+#
+# pool a pool number - ie, a number between 1 and the
+# number specified in delay_pools as used in
+# delay_class lines.
+#
+# aggregate the speed limit parameters for the aggregate bucket
+# (class 1, 2, 3).
+#
+# individual the speed limit parameters for the individual
+# buckets (class 2, 3).
+#
+# network the speed limit parameters for the network buckets
+# (class 3).
+#
+# user the speed limit parameters for the user buckets
+# (class 4).
+#
+# tagrate the speed limit parameters for the tag buckets
+# (class 5).
+#
+# A pair of delay parameters is written restore/maximum, where restore is
+# the number of bytes (not bits - modem and network speeds are usually
+# quoted in bits) per second placed into the bucket, and maximum is the
+# maximum number of bytes which can be in the bucket at any time.
+#
+# There must be one delay_parameters line for each delay pool.
+#
+#
+# For example, if delay pool number 1 is a class 2 delay pool as in the
+# above example, and is being used to strictly limit each host to 64Kbit/sec
+# (plus overheads), with no overall limit, the line is:
+#
+# delay_parameters 1 none 8000/8000
+#
+# Note that 8 x 8K Byte/sec -> 64K bit/sec.
+#
+# Note that the word 'none' is used to represent no limit.
+#
+#
+# And, if delay pool number 2 is a class 3 delay pool as in the above
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
+# to permit a decent web page to be downloaded at a decent speed
+# (if the network is not being limited due to overuse) but slow down
+# large downloads more significantly:
+#
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32K Byte/sec -> 256K bit/sec.
+# 8 x 8K Byte/sec -> 64K bit/sec.
+# 8 x 600 Byte/sec -> 4800 bit/sec.
+#
+#
+# Finally, for a class 4 delay pool as in the example - each user will
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
+#
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+#
+#
+# See also delay_class and delay_access.
+#
+#Default:
+# none
+
+# TAG: delay_initial_bucket_level (percent, 0-100)
+# The initial bucket percentage is used to determine how much is put
+# in each bucket when squid starts, is reconfigured, or first notices
+# a host accessing it (in class 2 and class 3, individual hosts and
+# networks only have buckets associated with them once they have been
+# "seen" by squid).
+#Default:
+# delay_initial_bucket_level 50
+
+# CLIENT DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: client_delay_pools
+# This option specifies the number of client delay pools used. It must
+# preceed other client_delay_* options.
+#
+# Example:
+# client_delay_pools 2
+#
+# See also client_delay_parameters and client_delay_access.
+#Default:
+# client_delay_pools 0
+
+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
+# This option determines the initial bucket size as a percentage of
+# max_bucket_size from client_delay_parameters. Buckets are created
+# at the time of the "first" connection from the matching IP. Idle
+# buckets are periodically deleted up.
+#
+# You can specify more than 100 percent but note that such "oversized"
+# buckets are not refilled until their size goes down to max_bucket_size
+# from client_delay_parameters.
+#
+# Example:
+# client_delay_initial_bucket_level 50
+#Default:
+# client_delay_initial_bucket_level 50
+
+# TAG: client_delay_parameters
+#
+# This option configures client-side bandwidth limits using the
+# following format:
+#
+# client_delay_parameters pool speed_limit max_bucket_size
+#
+# pool is an integer ID used for client_delay_access matching.
+#
+# speed_limit is bytes added to the bucket per second.
+#
+# max_bucket_size is the maximum size of a bucket, enforced after any
+# speed_limit additions.
+#
+# Please see the delay_parameters option for more information and
+# examples.
+#
+# Example:
+# client_delay_parameters 1 1024 2048
+# client_delay_parameters 2 51200 16384
+#
+# See also client_delay_access.
+#
+#Default:
+# none
+
+# TAG: client_delay_access
+# This option determines the client-side delay pool for the
+# request:
+#
+# client_delay_access pool_ID allow|deny acl_name
+#
+# All client_delay_access options are checked in their pool ID
+# order, starting with pool 1. The first checked pool with allowed
+# request is selected for the request. If no ACL matches or there
+# are no client_delay_access options, the request bandwidth is not
+# limited.
+#
+# The ACL-selected pool is then used to find the
+# client_delay_parameters for the request. Client-side pools are
+# not used to aggregate clients. Clients are always aggregated
+# based on their source IP addresses (one bucket per source IP).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Additionally, only the client TCP connection details are available.
+# ACLs testing HTTP properties will not work.
+#
+# Please see delay_access for more examples.
+#
+# Example:
+# client_delay_access 1 allow low_rate_network
+# client_delay_access 2 allow vips_network
+#
+#
+# See also client_delay_parameters and client_delay_pools.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# TAG: response_delay_pool
+# This option configures client response bandwidth limits using the
+# following format:
+#
+# response_delay_pool name [option=value] ...
+#
+# name the response delay pool name
+#
+# available options:
+#
+# individual-restore The speed limit of an individual
+# bucket(bytes/s). To be used in conjunction
+# with 'individual-maximum'.
+#
+# individual-maximum The maximum number of bytes which can
+# be placed into the individual bucket. To be used
+# in conjunction with 'individual-restore'.
+#
+# aggregate-restore The speed limit for the aggregate
+# bucket(bytes/s). To be used in conjunction with
+# 'aggregate-maximum'.
+#
+# aggregate-maximum The maximum number of bytes which can
+# be placed into the aggregate bucket. To be used
+# in conjunction with 'aggregate-restore'.
+#
+# initial-bucket-level The initial bucket size as a percentage
+# of individual-maximum.
+#
+# Individual and(or) aggregate bucket options may not be specified,
+# meaning no individual and(or) aggregate speed limitation.
+# See also response_delay_pool_access and delay_parameters for
+# terminology details.
+#Default:
+# none
+
+# TAG: response_delay_pool_access
+# Determines whether a specific named response delay pool is used
+# for the transaction. The syntax for this directive is:
+#
+# response_delay_pool_access pool_name allow|deny acl_name
+#
+# All response_delay_pool_access options are checked in the order
+# they appear in this configuration file. The first rule with a
+# matching ACL wins. If (and only if) an "allow" rule won, Squid
+# assigns the response to the corresponding named delay pool.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
+# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: wccp_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCP disabled.
+
+# TAG: wccp2_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
+#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
+#Default:
+# WCCPv2 disabled.
+
+# TAG: wccp_version
+# This directive is only relevant if you need to set up WCCP(v1)
+# to some very old and end-of-life Cisco routers. In all other
+# setups it must be left unset or at the default setting.
+# It defines an internal version in the WCCP(v1) protocol,
+# with version 4 being the officially documented protocol.
+#
+# According to some users, Cisco IOS 11.2 and earlier only
+# support WCCP version 3. If you're using that or an earlier
+# version of IOS, you may need to change this value to 3, otherwise
+# do not specify this parameter.
+#Default:
+# wccp_version 4
+
+# TAG: wccp2_rebuild_wait
+# If this is enabled Squid will wait for the cache dir rebuild to finish
+# before sending the first wccp2 HereIAm packet
+#Default:
+# wccp2_rebuild_wait on
+
+# TAG: wccp2_forwarding_method
+# WCCP2 allows the setting of forwarding methods between the
+# router/switch and the cache. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment method.
+#Default:
+# wccp2_forwarding_method gre
+
+# TAG: wccp2_return_method
+# WCCP2 allows the setting of return methods between the
+# router/switch and the cache for packets that the cache
+# decides not to handle. Valid values are as follows:
+#
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+#
+# Currently (as of IOS 12.4) cisco routers only support GRE.
+# Cisco switches only support the L2 redirect assignment.
+#
+# If the "ip wccp redirect exclude in" command has been
+# enabled on the cache interface, then it is still safe for
+# the proxy server to use a l2 redirect method even if this
+# option is set to GRE.
+#Default:
+# wccp2_return_method gre
+
+# TAG: wccp2_assignment_method
+# WCCP2 allows the setting of methods to assign the WCCP hash
+# Valid values are as follows:
+#
+# hash - Hash assignment
+# mask - Mask assignment
+#
+# As a general rule, cisco routers support the hash assignment method
+# and cisco switches support the mask assignment method.
+#Default:
+# wccp2_assignment_method hash
+
+# TAG: wccp2_service
+# WCCP2 allows for multiple traffic services. There are two
+# types: "standard" and "dynamic". The standard type defines
+# one service id - http (id 0). The dynamic service ids can be from
+# 51 to 255 inclusive. In order to use a dynamic service id
+# one must define the type of traffic to be redirected; this is done
+# using the wccp2_service_info option.
+#
+# The "standard" type does not require a wccp2_service_info option,
+# just specifying the service id will suffice.
+#
+# MD5 service authentication can be enabled by adding
+# "password=" to the end of this service declaration.
+#
+# Examples:
+#
+# wccp2_service standard 0 # for the 'web-cache' standard service
+# wccp2_service dynamic 80 # a dynamic service type which will be
+# # fleshed out with subsequent options.
+# wccp2_service standard 0 password=foo
+#Default:
+# Use the 'web-cache' standard service.
+
+# TAG: wccp2_service_info
+# Dynamic WCCPv2 services require further information to define the
+# traffic you wish to have diverted.
+#
+# The format is:
+#
+# wccp2_service_info protocol= flags=,..
+# priority= ports=,..
+#
+# The relevant WCCPv2 flags:
+# + src_ip_hash, dst_ip_hash
+# + source_port_hash, dst_port_hash
+# + src_ip_alt_hash, dst_ip_alt_hash
+# + src_port_alt_hash, dst_port_alt_hash
+# + ports_source
+#
+# The port list can be one to eight entries.
+#
+# Example:
+#
+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
+# priority=240 ports=80
+#
+# Note: the service id must have been defined by a previous
+# 'wccp2_service dynamic ' entry.
+#Default:
+# none
+
+# TAG: wccp2_weight
+# Each cache server gets assigned a set of the destination
+# hash proportional to their weight.
+#Default:
+# wccp2_weight 10000
+
+# TAG: wccp_address
+# Use this option if you require WCCP(v1) to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# TAG: wccp2_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
+#Default:
+# Address selected by the operating system.
+
+# PERSISTENT CONNECTION HANDLING
+# -----------------------------------------------------------------------------
+#
+# Also see "pconn_timeout" in the TIMEOUTS section
+
+# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
+#Default:
+# client_persistent_connections on
+
+# TAG: server_persistent_connections
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
+#Default:
+# server_persistent_connections on
+
+# TAG: persistent_connection_after_error
+# With this directive the use of persistent connections after
+# HTTP errors can be disabled. Useful if you have clients
+# who fail to handle errors on persistent connections proper.
+#Default:
+# persistent_connection_after_error on
+
+# TAG: detect_broken_pconn
+# Some servers have been found to incorrectly signal the use
+# of HTTP/1.0 persistent connections even on replies not
+# compatible, causing significant delays. This server problem
+# has mostly been seen on redirects.
+#
+# By enabling this directive Squid attempts to detect such
+# broken replies and automatically assume the reply is finished
+# after 10 seconds timeout.
+#Default:
+# detect_broken_pconn off
+
+# CACHE DIGEST OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: digest_generation
+# This controls whether the server will generate a Cache Digest
+# of its contents. By default, Cache Digest generation is
+# enabled if Squid is compiled with --enable-cache-digests defined.
+#Default:
+# digest_generation on
+
+# TAG: digest_bits_per_entry
+# This is the number of bits of the server's Cache Digest which
+# will be associated with the Digest entry for a given HTTP
+# Method and URL (public key) combination. The default is 5.
+#Default:
+# digest_bits_per_entry 5
+
+# TAG: digest_rebuild_period (seconds)
+# This is the wait time between Cache Digest rebuilds.
+#Default:
+# digest_rebuild_period 1 hour
+
+# TAG: digest_rewrite_period (seconds)
+# This is the wait time between Cache Digest writes to
+# disk.
+#Default:
+# digest_rewrite_period 1 hour
+
+# TAG: digest_swapout_chunk_size (bytes)
+# This is the number of bytes of the Cache Digest to write to
+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
+# default swap page.
+#Default:
+# digest_swapout_chunk_size 4096 bytes
+
+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
+# This is the percentage of the Cache Digest to be scanned at a
+# time. By default it is set to 10% of the Cache Digest.
+#Default:
+# digest_rebuild_chunk_percentage 10
+
+# SNMP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: snmp_port
+# The port number where Squid listens for SNMP requests. To enable
+# SNMP support set this to a suitable port number. Port number
+# 3401 is often used for the Squid SNMP agent. By default it's
+# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
+#Default:
+# SNMP disabled.
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ...
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: snmp_incoming_address
+# Just like 'udp_incoming_address', but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+#
+# The default snmp_incoming_address is to listen on all
+# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use the same port.
+#Default:
+# Use snmp_incoming_address or an address selected by the operating system.
+
+# ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icp_port
+# The port number where Squid sends and receives ICP queries to
+# and from neighbor caches. The standard UDP port for ICP is 3130.
+#
+# Example:
+# icp_port 3130
+#Default:
+# ICP disabled.
+
+# TAG: htcp_port
+# The port number where Squid sends and receives HTCP queries to
+# and from neighbor caches. To turn it on you want to set it to
+# 4827.
+#
+# Example:
+# htcp_port 4827
+#Default:
+# HTCP disabled.
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log. You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#Default:
+# log_icp_queries on
+
+# TAG: udp_incoming_address
+# udp_incoming_address is used for UDP packets received from other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Only change this if you want to have all UDP queries received on
+# a specific interface/address.
+#
+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_outgoing_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Accept packets from all machine interfaces.
+
+# TAG: udp_outgoing_address
+# udp_outgoing_address is used for UDP packets sent out to other
+# caches.
+#
+# The default behavior is to not bind to any specific address.
+#
+# Instead it will use the same socket as udp_incoming_address.
+# Only change this if you want to have UDP queries sent using another
+# address than where this Squid listens for UDP queries from other
+# caches.
+#
+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
+# modules. Altering it will affect all of them in the same manner.
+#
+# see also; udp_incoming_address
+#
+# NOTE, udp_incoming_address and udp_outgoing_address can not
+# have the same value since they both use the same port.
+#Default:
+# Use udp_incoming_address or an address selected by the operating system.
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control,
+# it is probably okay to set this to 'on'.
+# If set to 'on', your siblings should use the option "allow-miss"
+# on their cache_peer lines for connecting to you.
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away.
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt (msec)
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_low 900
+
+# TAG: netdb_high
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
+#Default:
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#Default:
+# test_reachability off
+
+# TAG: icp_query_timeout (msec)
+# Normally Squid will automatically determine an optimal ICP
+# query timeout value based on the round-trip-time of recent ICP
+# queries. If you want to override the value determined by
+# Squid, set this 'icp_query_timeout' to a non-zero value. This
+# value is specified in MILLISECONDS, so, to use a 2-second
+# timeout (the old default), you would write:
+#
+# icp_query_timeout 2000
+#Default:
+# Dynamic detection.
+
+# TAG: maximum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very large values (say 5 seconds).
+# Use this option to put an upper limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# maximum_icp_query_timeout 2000
+
+# TAG: minimum_icp_query_timeout (msec)
+# Normally the ICP query timeout is determined dynamically. But
+# sometimes it can lead to very small timeouts, even lower than
+# the normal latency variance on your link due to traffic.
+# Use this option to put an lower limit on the dynamic timeout
+# value. Do NOT use this option to always use a fixed (instead
+# of a dynamic) timeout value. To set a fixed timeout see the
+# 'icp_query_timeout' directive.
+#Default:
+# minimum_icp_query_timeout 5
+
+# TAG: background_ping_rate time-units
+# Controls how often the ICP pings are sent to siblings that
+# have background-ping set.
+#Default:
+# background_ping_rate 10 seconds
+
+# MULTICAST ICP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: mcast_groups
+# This tag specifies a list of multicast groups which your server
+# should join to receive multicasted ICP queries.
+#
+# NOTE! Be very careful what you put here! Be sure you
+# understand the difference between an ICP _query_ and an ICP
+# _reply_. This option is to be set only if you want to RECEIVE
+# multicast queries. Do NOT set this option to SEND multicast
+# ICP (use cache_peer for that). ICP replies are always sent via
+# unicast, so this option does not affect whether or not you will
+# receive replies from multicast group members.
+#
+# You must be very careful to NOT use a multicast address which
+# is already in use by another group of caches.
+#
+# If you are unsure about multicast, please read the Multicast
+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
+#
+# Usage: mcast_groups 239.128.16.128 224.0.1.20
+#
+# By default, Squid doesn't listen on any multicast groups.
+#Default:
+# none
+
+# TAG: mcast_miss_addr
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# If you enable this option, every "cache miss" URL will
+# be sent out on the specified multicast address.
+#
+# Do not enable this option unless you are are absolutely
+# certain you understand what you are doing.
+#Default:
+# disabled.
+
+# TAG: mcast_miss_ttl
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the time-to-live value for packets multicasted
+# when multicasting off cache miss URLs is enabled. By
+# default this is set to 'site scope', i.e. 16.
+#Default:
+# mcast_miss_ttl 16
+
+# TAG: mcast_miss_port
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# This is the port number to be used in conjunction with
+# 'mcast_miss_addr'.
+#Default:
+# mcast_miss_port 3135
+
+# TAG: mcast_miss_encode_key
+# Note: This option is only available if Squid is rebuilt with the
+# -DMULTICAST_MISS_STREAM define
+#
+# The URLs that are sent in the multicast miss stream are
+# encrypted. This is the encryption key.
+#Default:
+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
+
+# TAG: mcast_icp_query_timeout (msec)
+# For multicast peers, Squid regularly sends out ICP "probes" to
+# count how many other peers are listening on the given multicast
+# address. This value specifies how long Squid should wait to
+# count all the replies. The default is 2000 msec, or 2
+# seconds.
+#Default:
+# mcast_icp_query_timeout 2000
+
+# INTERNAL ICON OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/share/squid/icons
+#Default:
+# icon_directory /usr/share/squid/icons
+
+# TAG: global_internal_static
+# This directive controls is Squid should intercept all requests for
+# /squid-internal-static/ no matter which host the URL is requesting
+# (default on setting), or if nothing special should be done for
+# such URLs (off setting). The purpose of this directive is to make
+# icons etc work better in complex cache hierarchies where it may
+# not always be possible for all corners in the cache mesh to reach
+# the server generating a directory listing.
+#Default:
+# global_internal_static on
+
+# TAG: short_icon_urls
+# If this is enabled Squid will use short URLs for icons.
+# If disabled it will revert to the old behavior of including
+# it's own name and port in the URL.
+#
+# If you run a complex cache hierarchy with a mix of Squid and
+# other proxies you may need to disable this directive.
+#Default:
+# short_icon_urls on
+
+# ERROR PAGE OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: error_directory
+# If you wish to create your own versions of the default
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are making translations for a
+# language that Squid does not currently provide please consider
+# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# Send error pages in the clients preferred language
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# Generate English language pages.
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
+#
+# For information on CSS see http://www.w3.org/Style/CSS/
+#Default:
+# err_page_stylesheet /etc/squid/errorpage.css
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#Default:
+# none
+
+# TAG: email_err_data on|off
+# If enabled, information about the occurred error will be
+# included in the mailto links of the ERR pages (if %W is set)
+# so that the email body contains the data.
+# Syntax is %w
+#Default:
+# email_err_data on
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# or deny_info http://... acl
+# or deny_info TCP_RESET acl
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. Squid remembers the last
+# acl it evaluated in http_access, and if a 'deny_info' line exists
+# for that ACL Squid returns a corresponding error page.
+#
+# The acl is typically the last acl on the http_access deny line which
+# denied access. The exceptions to this rule are:
+# - When Squid needs to request authentication credentials. It's then
+# the first authentication related acl encountered
+# - When none of the http_access lines matches. It's then the last
+# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
+#
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
+#
+# Alternatively you can tell Squid to reset the TCP connection
+# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %A - Local listening IP address the client connection was connected to
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %O - Unescaped message result from external ACL helper
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
+#Default:
+# none
+
+# OPTIONS INFLUENCING REQUEST FORWARDING
+# -----------------------------------------------------------------------------
+
+# TAG: nonhierarchical_direct
+# By default, Squid will send any non-hierarchical requests
+# (not cacheable request type) direct to origin servers.
+#
+# When this is set to "off", Squid will prefer to send these
+# requests to parents.
+#
+# Note that in most configurations, by turning this off you will only
+# add latency to these request without any improvement in global hit
+# ratio.
+#
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
+#Default:
+# nonhierarchical_direct on
+
+# TAG: prefer_direct
+# Normally Squid tries to use parents for most requests. If you for some
+# reason like it to first try going direct and only use a parent if
+# going direct fails set this to on.
+#
+# By combining nonhierarchical_direct off and prefer_direct on you
+# can set up Squid to use a parent as a backup path if going direct
+# fails.
+#
+# Note: If you want Squid to use parents for all requests see
+# the never_direct directive. prefer_direct only modifies how Squid
+# acts on cacheable requests.
+#Default:
+# prefer_direct off
+
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server. This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded by Squid to the origin servers without using
+# any peers. For example, to always directly forward requests for
+# local servers ignoring any parents or siblings you may have use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain .foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# NOTE: If your goal is to make the client forward the request
+# directly to the origin server bypassing Squid then this needs
+# to be done in the client configuration. Squid configuration
+# can only tell Squid how Squid should fetch the object.
+#
+# NOTE: This directive is not related to caching. The replies
+# is cached as usual even if you use always_direct. To not cache
+# the replies see the 'cache' directive.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Prevent any cache_peer being used for this request.
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain .foo.net
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if Squid is inside a firewall and there are local intranet
+# servers inside the firewall use something like:
+#
+# acl local-intranet dstdomain .foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow DNS results to be used for this request.
+
+# ADVANCED NETWORKING OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_udp_average 6
+
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_tcp_average 4
+
+# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# incoming_dns_average 4
+
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_udp_poll_cnt 8
+
+# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_dns_poll_cnt 8
+
+# TAG: min_tcp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
+#Default:
+# min_tcp_poll_cnt 8
+
+# TAG: accept_filter
+# FreeBSD:
+#
+# The name of an accept(2) filter to install on Squid's
+# listen socket(s). This feature is perhaps specific to
+# FreeBSD and requires support in the kernel.
+#
+# The 'httpready' filter delays delivering new connections
+# to Squid until a full HTTP request has been received.
+# See the accf_http(9) man page for details.
+#
+# The 'dataready' filter delays delivering new connections
+# to Squid until there is some data to process.
+# See the accf_dataready(9) man page for details.
+#
+# Linux:
+#
+# The 'data' filter delays delivering of new connections
+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
+# You may optionally specify a number of seconds to wait by
+# 'data=N' where N is the number of seconds. Defaults to 30
+# if not specified. See the tcp(7) man page for details.
+#EXAMPLE:
+## FreeBSD
+#accept_filter httpready
+## Linux
+#accept_filter data
+#Default:
+# none
+
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# No limit.
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
+#Default:
+# Use operating system TCP defaults.
+
+# ICAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: icap_enable on|off
+# If you want to enable the ICAP module support, set this to on.
+#Default:
+# icap_enable off
+
+# TAG: icap_connect_timeout
+# This parameter specifies how long to wait for the TCP connect to
+# the requested ICAP server to complete before giving up and either
+# terminating the HTTP transaction or bypassing the failure.
+#
+# The default for optional services is peer_connect_timeout.
+# The default for essential services is connect_timeout.
+# If this option is explicitly set, its value applies to all services.
+#Default:
+# none
+
+# TAG: icap_io_timeout time-units
+# This parameter specifies how long to wait for an I/O activity on
+# an established, active ICAP connection before giving up and
+# either terminating the HTTP transaction or bypassing the
+# failure.
+#Default:
+# Use read_timeout.
+
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
+# The limit specifies the number of failures that Squid tolerates
+# when establishing a new TCP connection with an ICAP service. If
+# the number of failures exceeds the limit, the ICAP service is
+# not used for new ICAP requests until it is time to refresh its
+# OPTIONS.
+#
+# A negative value disables the limit. Without the limit, an ICAP
+# service will not be considered down due to connectivity failures
+# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth. The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
+#Default:
+# icap_service_failure_limit 10
+
+# TAG: icap_service_revival_delay
+# The delay specifies the number of seconds to wait after an ICAP
+# OPTIONS request failure before requesting the options again. The
+# failed ICAP service is considered "down" until fresh OPTIONS are
+# fetched.
+#
+# The actual delay cannot be smaller than the hardcoded minimum
+# delay of 30 seconds.
+#Default:
+# icap_service_revival_delay 180
+
+# TAG: icap_preview_enable on|off
+# The ICAP Preview feature allows the ICAP server to handle the
+# HTTP message by looking only at the beginning of the message body
+# or even without receiving the body at all. In some environments,
+# previews greatly speedup ICAP processing.
+#
+# During an ICAP OPTIONS transaction, the server may tell Squid what
+# HTTP messages should be previewed and how big the preview should be.
+# Squid will not use Preview if the server did not request one.
+#
+# To disable ICAP Preview for all ICAP services, regardless of
+# individual ICAP server OPTIONS responses, set this option to "off".
+#Example:
+#icap_preview_enable off
+#Default:
+# icap_preview_enable on
+
+# TAG: icap_preview_size
+# The default size of preview data to be sent to the ICAP server.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
+#Default:
+# icap_206_enable on
+
+# TAG: icap_default_options_ttl
+# The default TTL value for ICAP OPTIONS responses that don't have
+# an Options-TTL header.
+#Default:
+# icap_default_options_ttl 60
+
+# TAG: icap_persistent_connections on|off
+# Whether or not Squid should use persistent connections to
+# an ICAP server.
+#Default:
+# icap_persistent_connections on
+
+# TAG: adaptation_send_client_ip on|off
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
+#Default:
+# adaptation_send_client_ip off
+
+# TAG: adaptation_send_username on|off
+# This sends authenticated HTTP client username (if available) to
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
+# icap_client_username_encode option and is sent using the header
+# specified by the icap_client_username_header option.
+#Default:
+# adaptation_send_username off
+
+# TAG: icap_client_username_header
+# ICAP request header name to use for adaptation_send_username.
+#Default:
+# icap_client_username_header X-Client-Username
+
+# TAG: icap_client_username_encode on|off
+# Whether to base64 encode the authenticated client username.
+#Default:
+# icap_client_username_encode off
+
+# TAG: icap_service
+# Defines a single ICAP service using the following format:
+#
+# icap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# ICAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: icap://servername:port/servicepath
+# ICAP server and service location.
+# icaps://servername:port/servicepath
+# The "icap:" URI scheme is used for traditional ICAP server and
+# service location (default port is 1344, connections are not
+# encrypted). The "icaps:" URI scheme is for Secure ICAP
+# services that use SSL/TLS-encrypted ICAP connections (by
+# default, on port 11344).
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled. No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
+# connection-encryption=on|off
+# Determines the ICAP service effect on the connections_encrypted
+# ACL.
+#
+# The default is "on" for Secure ICAP services (i.e., those
+# with the icaps:// service URIs scheme) and "off" for plain ICAP
+# services.
+#
+# Does not affect ICAP connections (e.g., does not turn Secure
+# ICAP on or off).
+#
+# ==== ICAPS / TLS OPTIONS ====
+#
+# These options are used for Secure ICAP (icaps://....) services only.
+#
+# tls-cert=/path/to/ssl/certificate
+# A client X.509 certificate to use when connecting to
+# this ICAP server.
+#
+# tls-key=/path/to/ssl/key
+# The private key corresponding to the previous
+# tls-cert= option.
+#
+# If tls-key= is not specified tls-cert= is assumed to
+# reference a PEM file containing both the certificate
+# and private key.
+#
+# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
+# to this icap server.
+#
+# tls-min-version=1.N
+# The minimum TLS protocol version to permit. To control
+# SSLv3 use the tls-options= parameter.
+# Supported Values: 1.0 (default), 1.1, 1.2
+#
+# tls-options=... Specify various OpenSSL library options:
+#
+# NO_SSLv3 Disallow the use of SSLv3
+#
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list. Options relevant only to SSLv2 are
+# not supported.
+#
+# tls-cafile= PEM file containing CA certificates to use when verifying
+# the icap server certificate.
+# Use to specify intermediate CA certificate(s) if not sent
+# by the server. Or the full CA chain for the server when
+# using the tls-default-ca=off flag.
+# May be repeated to load multiple files.
+#
+# tls-capath=... A directory containing additional CA certificates to
+# use when verifying the icap server certificate.
+# Requires OpenSSL or LibreSSL.
+#
+# tls-crlfile=... A certificate revocation list file to use when
+# verifying the icap server certificate.
+#
+# tls-flags=... Specify various flags modifying the Squid TLS implementation:
+#
+# DONT_VERIFY_PEER
+# Accept certificates even if they fail to
+# verify.
+# DONT_VERIFY_DOMAIN
+# Don't verify the icap server certificate
+# matches the server name
+#
+# tls-default-ca[=off]
+# Whether to use the system Trusted CAs. Default is ON.
+#
+# tls-domain= The icap server name as advertised in it's certificate.
+# Used for verifying the correctness of the received icap
+# server certificate. If not specified the icap server
+# hostname extracted from ICAP URI will be used.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
+#Default:
+# none
+
+# TAG: icap_class
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Defines a single eCAP service
+#
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
+#
+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
+# HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# connection-encryption=on|off
+# Determines the eCAP service effect on the connections_encrypted
+# ACL.
+#
+# Defaults to "on", which does not taint the master transaction
+# w.r.t. that ACL.
+#
+# Does not affect eCAP API calls.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#
+#Example:
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
+#Default:
+# none
+
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
+#
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable. If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
+#
+#Example:
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services. If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
+#Default:
+# none
+
+# TAG: adaptation_access
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+#
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
+#
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
+#
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
+#
+#Example:
+#adaptation_access service_1 allow all
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: adaptation_service_iteration_limit
+# Limits the number of iterations allowed when applying adaptation
+# services to a message. If your longest adaptation set or chain
+# may have more than 16 services, increase the limit beyond its
+# default value of 16. If detecting infinite iteration loops sooner
+# is critical, make the iteration limit match the actual number
+# of services in your longest adaptation set or chain.
+#
+# Infinite adaptation loops are most likely with routing services.
+#
+# See also: icap_service routing=1
+#Default:
+# adaptation_service_iteration_limit 16
+
+# TAG: adaptation_masterx_shared_names
+# For each master transaction (i.e., the HTTP request and response
+# sequence, including all related ICAP and eCAP exchanges), Squid
+# maintains a table of metadata. The table entries are (name, value)
+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
+# with the master transaction.
+#
+# This option specifies the table entry names that Squid must accept
+# from and forward to the adaptation transactions.
+#
+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by returning an ICAP header field with a name
+# specified in adaptation_masterx_shared_names.
+#
+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by implementing the libecap::visitEachOption() API
+# to provide an option with a name specified in
+# adaptation_masterx_shared_names.
+#
+# Squid will store and forward the set entry to subsequent adaptation
+# transactions within the same master transaction scope.
+#
+# Only one shared entry name is supported at this time.
+#
+#Example:
+## share authentication information among ICAP services
+#adaptation_masterx_shared_names X-Subscriber-ID
+#Default:
+# none
+
+# TAG: adaptation_meta
+# This option allows Squid administrator to add custom ICAP request
+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
+# Use it to pass custom authentication tokens and other
+# transaction-state related meta information to an ICAP/eCAP service.
+#
+# The addition of a meta header is ACL-driven:
+# adaptation_meta name value [!]aclname ...
+#
+# Processing for a given header name stops after the first ACL list match.
+# Thus, it is impossible to add two headers with the same name. If no ACL
+# lists match for a given header name, no such header is added. For
+# example:
+#
+# # do not debug transactions except for those that need debugging
+# adaptation_meta X-Debug 1 needs_debugging
+#
+# # log all transactions except for those that must remain secret
+# adaptation_meta X-Log 1 !keep_secret
+#
+# # mark transactions from users in the "G 1" group
+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
+#
+# The "value" parameter may be a regular squid.conf token or a "double
+# quoted string". Within the quoted string, use backslash (\) to escape
+# any character, which is currently only useful for escaping backslashes
+# and double quotes. For example,
+# "this string has one backslash (\\) and two \"quotes\""
+#
+# Used adaptation_meta header values may be logged via %note
+# logformat code. If multiple adaptation_meta headers with the same name
+# are used during master transaction lifetime, the header values are
+# logged in the order they were used and duplicate values are ignored
+# (only the first repeated value will be logged).
+#Default:
+# none
+
+# TAG: icap_retry
+# This ACL determines which retriable ICAP transactions are
+# retried. Transactions that received a complete ICAP response
+# and did not have to consume or produce HTTP bodies to receive
+# that response are usually retriable.
+#
+# icap_retry allow|deny [!]aclname ...
+#
+# Squid automatically retries some ICAP I/O timeouts and errors
+# due to persistent connection race conditions.
+#
+# See also: icap_retry_limit
+#Default:
+# icap_retry deny all
+
+# TAG: icap_retry_limit
+# Limits the number of retries allowed.
+#
+# Communication errors due to persistent connection race
+# conditions are unavoidable, automatically retried, and do not
+# count against this limit.
+#
+# See also: icap_retry
+#Default:
+# No retries are allowed.
+
+# DNS OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: check_hostnames
+# For security and stability reasons Squid can check
+# hostnames for Internet standard RFC compliance. If you want
+# Squid to perform these checks turn this directive on.
+#Default:
+# check_hostnames off
+
+# TAG: allow_underscore
+# Underscore characters is not strictly allowed in Internet hostnames
+# but nevertheless used by many sites. Set this to off if you want
+# Squid to be strict about the standard.
+# This check is performed only when check_hostnames is set to on.
+#Default:
+# allow_underscore on
+
+# TAG: dns_retransmit_interval
+# Initial retransmit interval for DNS queries. The interval is
+# doubled each time all configured DNS servers have been tried.
+#Default:
+# dns_retransmit_interval 5 seconds
+
+# TAG: dns_timeout
+# DNS Query timeout. If no response is received to a DNS query
+# within this time all DNS servers for the queried domain
+# are assumed to be unavailable.
+#Default:
+# dns_timeout 30 seconds
+
+# TAG: dns_packet_max
+# Maximum number of bytes packet size to advertise via EDNS.
+# Set to "none" to disable EDNS large packet support.
+#
+# For legacy reasons DNS UDP replies will default to 512 bytes which
+# is too small for many responses. EDNS provides a means for Squid to
+# negotiate receiving larger responses back immediately without having
+# to failover with repeat requests. Responses larger than this limit
+# will retain the old behaviour of failover to TCP DNS.
+#
+# Squid has no real fixed limit internally, but allowing packet sizes
+# over 1500 bytes requires network jumbogram support and is usually not
+# necessary.
+#
+# WARNING: The RFC also indicates that some older resolvers will reply
+# with failure of the whole request if the extension is added. Some
+# resolvers have already been identified which will reply with mangled
+# EDNS response on occasion. Usually in response to many-KB jumbogram
+# sizes being advertised by Squid.
+# Squid will currently treat these both as an unable-to-resolve domain
+# even if it would be resolvable without EDNS.
+#Default:
+# EDNS disabled
+
+# TAG: dns_defnames on|off
+# Normally the RES_DEFNAMES resolver option is disabled
+# (see res_init(3)). This prevents caches in a hierarchy
+# from interpreting single-component hostnames locally. To allow
+# Squid to handle single-component names, enable this option.
+#Default:
+# Search for single-label domain names is disabled.
+
+# TAG: dns_multicast_local on|off
+# When set to on, Squid sends multicast DNS lookups on the local
+# network for domains ending in .local and .arpa.
+# This enables local servers and devices to be contacted in an
+# ad-hoc or zero-configuration network environment.
+#Default:
+# Search for .local and .arpa names is disabled.
+
+# TAG: dns_nameservers
+# Use this if you want to specify a list of DNS name servers
+# (IP addresses) to use instead of those given in your
+# /etc/resolv.conf file.
+#
+# On Windows platforms, if no value is specified here or in
+# the /etc/resolv.conf file, the list of DNS name servers are
+# taken from the Windows registry, both static and dynamic DHCP
+# configurations are supported.
+#
+# Example: dns_nameservers 10.0.0.1 192.172.0.4
+#Default:
+# Use operating system definitions
+
+# TAG: hosts_file
+# Location of the host-local IP name-address associations
+# database.
Most Operating Systems have such a file on different
+# default locations:
+# - Un*X & Linux: /etc/hosts
+# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\winnt)
+# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
+# (%SystemRoot% value install default is c:\windows)
+# - Windows 9x/Me: %windir%\hosts
+# (%windir% value is usually c:\windows)
+# - Cygwin: /etc/hosts
+#
+# The file contains newline-separated definitions, in the
+# form ip_address_in_dotted_form name [name ...] names are
+# whitespace-separated. Lines beginning with an hash (#)
+# character are comments.
+#
+# The file is checked at startup and upon configuration.
+# If set to 'none', it won't be checked.
+# If append_domain is used, that domain will be added to
+# domain-local (i.e. not containing any dot character) host
+# definitions.
+#Default:
+# hosts_file /etc/hosts
+
+# TAG: append_domain
+# Appends local domain name to hostnames without any dots in
+# them. append_domain must begin with a period.
+#
+# Be warned there are now Internet names with no dots in
+# them using only top-domain names, so setting this may
+# cause some Internet sites to become unavailable.
+#
+#Example:
+# append_domain .yourdomain.com
+#Default:
+# Use operating system definitions
+
+# TAG: ignore_unknown_nameservers
+# By default Squid checks that DNS responses are received
+# from the same IP addresses they are sent to. If they
+# don't match, Squid ignores the response and writes a warning
+# message to cache.log. You can allow responses from unknown
+# nameservers by setting this option to 'off'.
+#Default:
+# ignore_unknown_nameservers on
+
+# TAG: ipcache_size (number of entries)
+# Maximum number of DNS IP cache entries.
+#Default:
+# ipcache_size 1024
+
+# TAG: ipcache_low (percent)
+#Default:
+# ipcache_low 90
+
+# TAG: ipcache_high (percent)
+# The size, low-, and high-water marks for the IP cache.
+#Default:
+# ipcache_high 95
+
+# TAG: fqdncache_size (number of entries)
+# Maximum number of FQDN cache entries.
+#Default:
+# fqdncache_size 1024
+
+# MISCELLANEOUS
+# -----------------------------------------------------------------------------
+
+# TAG: configuration_includes_quoted_values on|off
+# If set, Squid will recognize each "quoted string" after a configuration
+# directive as a single parameter. The quotes are stripped before the
+# parameter value is interpreted or used.
+# See "Values with spaces, quotes, and other special characters"
+# section for more details.
+#Default:
+# configuration_includes_quoted_values off
+
+# TAG: memory_pools on|off
+# If set, Squid will keep pools of allocated (but unused) memory
+# available for future use. If memory is a premium on your
+# system and you believe your malloc library outperforms Squid
+# routines, disable this.
+#Default:
+# memory_pools on
+
+# TAG: memory_pools_limit (bytes)
+# Used only with memory_pools on:
+# memory_pools_limit 50 MB
+#
+# If set to a non-zero value, Squid will keep at most the specified
+# limit of allocated (but unused) memory in memory pools. All free()
+# requests that exceed this limit will be handled by your malloc
+# library. Squid does not pre-allocate any memory, just safe-keeps
+# objects that otherwise would be free()d. Thus, it is safe to set
+# memory_pools_limit to a reasonably high value even if your
+# configuration will use less memory.
+#
+# If set to none, Squid will keep all memory it can. That is, there
+# will be no limit on the total amount of memory used for safe-keeping.
+#
+# To disable memory allocation optimization, do not set
+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
+#
+# An overhead for maintaining memory pools is not taken into account
+# when the limit is checked. This overhead is close to four bytes per
+# object kept.
However, pools may actually _save_ memory because of
+# reduced memory thrashing in your malloc library.
+#Default:
+# memory_pools_limit 5 MB
+
+# TAG: forwarded_for on|off|transparent|truncate|delete
+# If set to "on", Squid will append your client's IP address
+# in the HTTP requests it forwards. By default it looks like:
+#
+# X-Forwarded-For: 192.1.2.3
+#
+# If set to "off", it will appear as
+#
+# X-Forwarded-For: unknown
+#
+# If set to "transparent", Squid will not alter the
+# X-Forwarded-For header in any way.
+#
+# If set to "delete", Squid will delete the entire
+# X-Forwarded-For header.
+#
+# If set to "truncate", Squid will remove all existing
+# X-Forwarded-For entries, and place the client IP as the sole entry.
+#Default:
+# forwarded_for on
+
+# TAG: cachemgr_passwd
+# Specify passwords for cachemgr operations.
+#
+# Usage: cachemgr_passwd password action action ...
+#
+# Some valid actions are (see cache manager menu for a full list):
+# 5min
+# 60min
+# asndb
+# authenticator
+# cbdata
+# client_list
+# comm_incoming
+# config *
+# counters
+# delay
+# digest_stats
+# dns
+# events
+# filedescriptors
+# fqdncache
+# histograms
+# http_headers
+# info
+# io
+# ipcache
+# mem
+# menu
+# netdb
+# non_peers
+# objects
+# offline_toggle *
+# pconn
+# peer_select
+# reconfigure *
+# redirector
+# refresh
+# server_list
+# shutdown *
+# store_digest
+# storedir
+# utilization
+# via_headers
+# vm_objects
+#
+# * Indicates actions which will not be performed without a
+# valid password, others can be performed if not listed here.
+#
+# To disable an action, set the password to "disable".
+# To allow performing an action without a password, set the
+# password to "none".
+#
+# Use the keyword "all" to set the same password for all actions.
+#
+#Example:
+# cachemgr_passwd secret shutdown
+# cachemgr_passwd lesssssssecret info stats/objects
+# cachemgr_passwd disable all
+#Default:
+# No password. Actions which require password are denied.
+
+# TAG: client_db on|off
+# If you want to disable collecting per-client statistics,
+# turn off client_db here.
+#Default:
+# client_db on
+
+# TAG: refresh_all_ims on|off
+# When you enable this option, squid will always check
+# the origin server for an update when a client sends an
+# If-Modified-Since request. Many browsers use IMS
+# requests when the user requests a reload, and this
+# ensures those clients receive the latest version.
+#
+# By default (off), squid may return a Not Modified response
+# based on the age of the cached version.
+#Default:
+# refresh_all_ims off
+
+# TAG: reload_into_ims on|off
+# When you enable this option, client no-cache or ``reload''
+# requests will be changed to If-Modified-Since requests.
+# Doing this VIOLATES the HTTP standard. Enabling this
+# feature could make you liable for problems which it
+# causes.
+#
+# see also refresh_pattern for a more selective approach.
+#Default:
+# reload_into_ims off
+
+# TAG: connect_retries
+# Limits the number of reopening attempts when establishing a single
+# TCP connection. All these attempts must still complete before the
+# applicable connection opening timeout expires.
+#
+# By default and when connect_retries is set to zero, Squid does not
+# retry failed connection opening attempts.
+#
+# The (not recommended) maximum is 10 tries. An attempt to configure a
+# higher value results in the value of 10 being used (with a warning).
+#
+# Squid may open connections to retry various high-level forwarding
+# failures. For an outside observer, that activity may look like a
+# low-level connection reopening attempt, but those high-level retries
+# are governed by forward_max_tries instead.
+#
+# See also: connect_timeout, forward_timeout, icap_connect_timeout,
+# ident_timeout, and forward_max_tries.
+#Default:
+# Do not retry failed connections.
+
+# TAG: retry_on_error
+# If set to ON Squid will automatically retry requests when
+# receiving an error response with status 403 (Forbidden),
+# 500 (Internal Error), 501 or 503 (Service not available).
+# Status 502 and 504 (Gateway errors) are always retried.
+#
+# This is mainly useful if you are in a complex cache hierarchy to
+# work around access control errors.
+#
+# NOTE: This retry will attempt to find another working destination.
+# Which is different from the server which just failed.
+#Default:
+# retry_on_error off
+
+# TAG: as_whois_server
+# WHOIS server to query for AS numbers. NOTE: AS numbers are
+# queried only when Squid starts up, not for every request.
+#Default:
+# as_whois_server whois.ra.net
+
+# TAG: offline_mode
+# Enable this option and Squid will never try to validate cached
+# objects.
+#Default:
+# offline_mode off
+
+# TAG: uri_whitespace
+# What to do with requests that have whitespace characters in the
+# URI. Options:
+#
+# strip: The whitespace characters are stripped out of the URL.
+# This is the behavior recommended by RFC2396 and RFC3986
+# for tolerant handling of generic URI.
+# NOTE: This is one difference between generic URI and HTTP URLs.
+#
+# deny: The request is denied. The user receives an "Invalid
+# Request" message.
+# This is the behaviour recommended by RFC2616 for safe
+# handling of HTTP request URL.
+#
+# allow: The request is allowed and the URI is not changed. The
+# whitespace characters remain in the URI. Note the
+# whitespace is passed to redirector processes if they
+# are in use.
+# Note this may be considered a violation of RFC2616
+# request parsing where whitespace is prohibited in the
+# URL field.
+#
+# encode: The request is allowed and the whitespace characters are
+# encoded according to RFC1738.
+#
+# chop: The request is allowed and the URI is chopped at the
+# first whitespace.
+#
+#
+# NOTE the current Squid implementation of encode and chop violates
+# RFC2616 by not using a 301 redirect after altering the URL.
+#Default:
+# uri_whitespace strip
+
+# TAG: chroot
+# Specifies a directory where Squid should do a chroot() while
+# initializing. This also causes Squid to fully drop root
+# privileges after initializing. This means, for example, if you
+# use a HTTP port less than 1024 and try to reconfigure, you may
+# get an error saying that Squid can not open the port.
+#Default:
+# none
+
+# TAG: pipeline_prefetch
+# HTTP clients may send a pipeline of 1+N requests to Squid using a
+# single connection, without waiting for Squid to respond to the first
+# of those requests. This option limits the number of concurrent
+# requests Squid will try to handle in parallel. If set to N, Squid
+# will try to receive and process up to 1+N requests on the same
+# connection concurrently.
+#
+# Defaults to 0 (off) for bandwidth management and access logging
+# reasons.
+#
+# NOTE: pipelining requires persistent connections to clients.
+#
+# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
+#Default:
+# Do not pre-parse pipelined requests.
+
+# TAG: high_response_time_warning (msec)
+# If the one-minute median response time exceeds this value,
+# Squid prints a WARNING with debug level 0 to get the
+# administrators attention. The value is in milliseconds.
+#Default:
+# disabled.
+
+# TAG: high_page_fault_warning
+# If the one-minute average page fault rate exceeds this
+# value, Squid prints a WARNING with debug level 0 to get
+# the administrators attention. The value is in page faults
+# per second.
+#Default:
+# disabled.
+
+# TAG: high_memory_warning
+# Note: This option is only available if Squid is rebuilt with the
+# GNU Malloc with mstats()
+#
+# If the memory usage (as determined by gnumalloc, if available and used)
+# exceeds this amount, Squid prints a WARNING with debug level 0 to get
+# the administrators attention.
+#Default:
+# disabled.
+
+# TAG: sleep_after_fork (microseconds)
+# When this is set to a non-zero value, the main Squid process
+# sleeps the specified number of microseconds after a fork()
+# system call. This sleep may help the situation where your
+# system reports fork() failures due to lack of (virtual)
+# memory. Note, however, if you have a lot of child
+# processes, these sleep delays will add up and your
+# Squid will not service requests for some amount of time
+# until all the child processes have been started.
+# On Windows value less then 1000 (1 milliseconds) are
+# rounded to 1000.
+#Default:
+# sleep_after_fork 0
+
+# TAG: windows_ipaddrchangemonitor on|off
+# Note: This option is only available if Squid is rebuilt with the
+# MS Windows
+#
+# On Windows Squid by default will monitor IP address changes and will
+# reconfigure itself after any detected event. This is very useful for
+# proxies connected to internet with dial-up interfaces.
+# In some cases (a Proxy server acting as VPN gateway is one) it could be
+# desiderable to disable this behaviour setting this to 'off'.
+# Note: after changing this, Squid service must be restarted.
+#Default:
+# windows_ipaddrchangemonitor on
+
+# TAG: eui_lookup
+# Whether to lookup the EUI or MAC address of a connected client.
+#Default:
+# eui_lookup on
+
+# TAG: max_filedescriptors
+# Set the maximum number of filedescriptors, either below the
+# operating system default or up to the hard limit.
+#
+# Remove from squid.conf to inherit the current ulimit soft
+# limit setting.
+#
+# Note: Changing this requires a restart of Squid. Also
+# not all I/O types supports large values (eg on Windows).
+#Default:
+# Use operating system soft limit set by ulimit.
+
+# TAG: force_request_body_continuation
+# This option controls how Squid handles data upload requests from HTTP
+# and FTP agents that require a "Please Continue" control message response
+# to actually send the request body to Squid. It is mostly useful in
+# adaptation environments.
+#
+# When Squid receives an HTTP request with an "Expect: 100-continue"
+# header or an FTP upload command (e.g., STOR), Squid normally sends the
+# request headers or FTP command information to an adaptation service (or
+# peer) and waits for a response. Most adaptation services (and some
+# broken peers) may not respond to Squid at that stage because they may
+# decide to wait for the HTTP request body or FTP data transfer. However,
+# that request body or data transfer may never come because Squid has not
+# responded with the HTTP 100 or FTP 150 (Please Continue) control message
+# to the request sender yet!
+#
+# An allow match tells Squid to respond with the HTTP 100 or FTP 150
+# (Please Continue) control message on its own, before forwarding the
+# request to an adaptation service or peer. Such a response usually forces
+# the request sender to proceed with sending the body. A deny match tells
+# Squid to delay that control response until the origin server confirms
+# that the request body is needed. Delaying is the default behavior.
+#Default:
+# Deny, unless rules exist in squid.conf.
+
+# TAG: http_upgrade_request_protocols
+# Controls client-initiated and server-confirmed switching from HTTP to
+# another protocol (or to several protocols) using HTTP Upgrade mechanism
+# defined in RFC 7230 Section 6.7. Squid itself does not understand the
+# protocols being upgraded to and participates in the upgraded
+# communication only as a dumb TCP proxy. Admins should not allow
+# upgrading to protocols that require a more meaningful proxy
+# participation.
+#
+# Usage: http_upgrade_request_protocols allow|deny [!]acl ...
+#
+# The required "protocol" parameter is either an all-caps word OTHER or an
+# explicit protocol name (e.g. "WebSocket") optionally followed by a slash
+# and a version token (e.g. "HTTP/3"). Explicit protocol names and
+# versions are case sensitive.
+#
+# When an HTTP client sends an Upgrade request header, Squid iterates over
+# the client-offered protocols and, for each protocol P (with an optional
+# version V), evaluates the first non-empty set of
+# http_upgrade_request_protocols rules (if any) from the following list:
+#
+# * All rules with an explicit protocol name equal to P.
+# * All rules that use OTHER instead of a protocol name.
+#
+# In other words, rules using OTHER are considered for protocol P if and
+# only if there are no rules mentioning P by name.
+#
+# If both of the above sets are empty, then Squid removes protocol P from
+# the Upgrade offer.
+#
+# If the client sent a versioned protocol offer P/X, then explicit rules
+# referring to the same-name but different-version protocol P/Y are
+# declared inapplicable. Inapplicable rules are not evaluated (i.e. are
+# ignored). However, inapplicable rules still belong to the first set of
+# rules for P.
+#
+# Within the applicable rule subset, individual rules are evaluated in
+# their configuration order. If all ACLs of an applicable "allow" rule
+# match, then the protocol offered by the client is forwarded to the next
+# hop as is. If all ACLs of an applicable "deny" rule match, then the
+# offer is dropped. If no applicable rules have matching ACLs, then the
+# offer is also dropped. The first matching rule also ends rules
+# evaluation for the offered protocol.
+#
+# If all client-offered protocols are removed, then Squid forwards the
+# client request without the Upgrade header. Squid never sends an empty
+# Upgrade request header.
+#
+# An Upgrade request header with a value violating HTTP syntax is dropped
+# and ignored without an attempt to use extractable individual protocol
+# offers.
+#
+# Upon receiving an HTTP 101 (Switching Protocols) control message, Squid
+# checks that the server listed at least one protocol name and sent a
+# Connection:upgrade response header. Squid does not understand individual
+# protocol naming and versioning concepts enough to implement stricter
+# checks, but an admin can restrict HTTP 101 (Switching Protocols)
+# responses further using http_reply_access. Responses denied by
+# http_reply_access rules and responses flagged by the internal Upgrade
+# checks result in HTTP 502 (Bad Gateway) ERR_INVALID_RESP errors and
+# Squid-to-server connection closures.
+#
+# If Squid sends an Upgrade request header, and the next hop (e.g., the
+# origin server) responds with an acceptable HTTP 101 (Switching
+# Protocols), then Squid forwards that message to the client and becomes
+# a TCP tunnel.
+#
+# The presence of an Upgrade request header alone does not preclude cache
+# lookups. In other words, an Upgrade request might be satisfied from the
+# cache, using regular HTTP caching rules.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Each of the following groups of configuration lines represents a
+# separate configuration example:
+#
+# # never upgrade to protocol Foo; all others are OK
+# http_upgrade_request_protocols Foo deny all
+# http_upgrade_request_protocols OTHER allow all
+#
+# # only allow upgrades to protocol Bar (except for its first version)
+# http_upgrade_request_protocols Bar/1 deny all
+# http_upgrade_request_protocols Bar allow all
+# http_upgrade_request_protocols OTHER deny all # this rule is optional
+#
+# # only allow upgrades to protocol Baz, and only if Baz is the only offer
+# acl UpgradeHeaderHasMultipleOffers ...
+# http_upgrade_request_protocols Baz deny UpgradeHeaderHasMultipleOffers
+# http_upgrade_request_protocols Baz allow all
+#Default:
+# Upgrade header dropped, effectively blocking an upgrade attempt.
+
+# TAG: server_pconn_for_nonretriable
+# This option provides fine-grained control over persistent connection
+# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
+# in environments where opening new connections is very expensive
+# (e.g., all connections are secured with TLS with complex client and server
+# certificate validation) and race conditions associated with persistent
+# connections are very rare and/or only cause minor problems.
+#
+# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
+# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
+# By default, when forwarding such "risky" requests, Squid opens a new
+# connection to the server or cache_peer, even if there is an idle persistent
+# connection available. When Squid is configured to risk sending a non-retriable
+# request on a previously used persistent connection, and the server closes
+# the connection before seeing that risky request, the user gets an error response
+# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
+# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
+#
+# If an allow rule matches, Squid reuses an available idle persistent connection
+# (if any) for the request that Squid cannot retry. If a deny rule matches, then
+# Squid opens a new connection for the request that Squid cannot retry.
+#
+# This option does not affect requests that Squid can retry. They will reuse idle
+# persistent connections (if any).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# Example:
+# acl SpeedIsWorthTheRisk method POST
+# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
+#Default:
+# Open new connections for forwarding requests Squid cannot retry safely.
+
+# TAG: happy_eyeballs_connect_timeout (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the minimum
+# delay between opening a primary to-server connection and opening a
+# spare to-server connection for the same master transaction. This delay
+# is similar to the Connection Attempt Delay in RFC 8305, but it is only
+# applied to the first spare connection attempt. Subsequent spare
+# connection attempts use happy_eyeballs_connect_gap, and primary
+# connection attempts are not artificially delayed at all.
+#
+# Terminology: The "primary" and "spare" designations are determined by
+# the order of DNS answers received by Squid: If Squid DNS AAAA query
+# was answered first, then primary connections are connections to IPv6
+# peer addresses (while spare connections use IPv4 addresses).
+# Similarly, if Squid DNS A query was answered first, then primary
+# connections are connections to IPv4 peer addresses (while spare
+# connections use IPv6 addresses).
+#
+# Shorter happy_eyeballs_connect_timeout values reduce master
+# transaction response time, potentially improving user-perceived
+# response times (i.e., making user eyeballs happier). Longer delays
+# reduce both concurrent connection level and server bombardment with
+# connection requests, potentially improving overall Squid performance
+# and reducing the chance of being blocked by servers for opening too
+# many unused connections.
+#
+# RFC 8305 prohibits happy_eyeballs_connect_timeout values smaller than
+# 10 (milliseconds) to "avoid congestion collapse in the presence of
+# high packet-loss rates".
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_gap and
+# happy_eyeballs_connect_limit.
+#Default:
+# happy_eyeballs_connect_timeout 250
+
+# TAG: happy_eyeballs_connect_gap (msec)
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# minimum delay between opening spare to-server connections (to any
+# server; i.e. across all concurrent master transactions in a Squid
+# instance). Each SMP worker currently multiplies the configured gap
+# by the total number of workers so that the combined spare connection
+# opening rate of a Squid instance obeys the configured limit. The
+# workers do not coordinate connection openings yet; a micro burst
+# of spare connection openings may violate the configured gap.
+#
+# This directive has similar trade-offs as
+# happy_eyeballs_connect_timeout, but its focus is on limiting traffic
+# amplification effects for Squid as a whole, while
+# happy_eyeballs_connect_timeout works on an individual master
+# transaction level.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_limit. See the former for related terminology.
+#Default:
+# no artificial delays between spare attempts
+
+# TAG: happy_eyeballs_connect_limit
+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
+# maximum number of spare to-server connections (to any server; i.e.
+# across all concurrent master transactions in a Squid instance).
+# Each SMP worker gets an equal share of the total limit. However,
+# the workers do not share the actual connection counts yet, so one
+# (busier) worker cannot "borrow" spare connection slots from another
+# (less loaded) worker.
+#
+# Setting this limit to zero disables concurrent use of primary and
+# spare TCP connections: Spare connection attempts are made only after
+# all primary attempts fail. However, Squid would still use the
+# DNS-related optimizations of the Happy Eyeballs approach.
+#
+# This directive has similar trade-offs as happy_eyeballs_connect_gap,
+# but its focus is on limiting Squid overheads, while
+# happy_eyeballs_connect_gap focuses on the origin server and peer
+# overheads.
+#
+# The following Happy Eyeballs directives place additional connection
+# opening restrictions: happy_eyeballs_connect_timeout and
+# happy_eyeballs_connect_gap. See the former for related terminology.
+#Default:
+# no artificial limit on the number of concurrent spare attempts
+
diff --git a/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_1.nft b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_1.nft
new file mode 100644
index 0000000..3e35f9b
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_1.nft
@@ -0,0 +1,17 @@
+define netif = enp0s3
+define dmzif = enp0s8
+define lanif = enp0s9
+
+table ip ipfilter {
+ chain routing {
+ type filter hook forward priority filter; policy accept;
+ icmp type echo-request iif { $netif, $dmzif } drop
+ icmp type { echo-reply, echo-request } accept
+ drop
+ }
+
+ chain system_in {
+ type filter hook input priority filter; policy accept;
+ icmp type echo-request iif { $netif, $dmzif } drop
+ }
+}
diff --git a/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_2.nft b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_2.nft
new file mode 100644
index 0000000..83875ea
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_2.nft
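Review bot: In the `routing` chain the declared `policy accept;` is contradicted by the unconditional `drop` that closes the chain, so the chain's effective default is drop and the policy line misleads anyone reading the ruleset; state the intent directly with `type filter hook forward priority filter; policy drop;` and delete the trailing `drop`. The blanket `icmp type { echo-reply, echo-request } accept` also admits echo-replies arriving on `$netif` whether or not the firewall or LAN sent a request, because no `ct state` rule ties replies to a tracked flow. `$lanif` is defined but never referenced, which suggests the LAN-side rules were still to come; a one-line header comment saying this file is the first step of the exercise would make that clear.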
@@ -0,0 +1,25 @@
+define netif = enp0s3
+define dmzif = enp0s8
+define lanif = enp0s9
+
+table ip ipfilter{
+ chain prerouting {
+ type filter hook prerouting priority filter; policy drop;
+ tcp dport 22 accept
+ }
+ chain system_in {
+ type filter hook input priority filter; policy drop;
+ tcp dport 22 accept
+ }
+ chain routing {
+ type filter hook forward priority filter; policy drop;
+ }
+ chain system_out {
+ type filter hook output priority filter; policy drop;
+ tcp sport 22 accept
+ }
+ chain postrouting {
+ type filter hook postrouting priority filter; policy drop;
+ tcp sport 22 accept
+ }
+}
diff --git a/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_3.nft b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_3.nft
new file mode 100644
index 0000000..b9e041e
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_3.nft
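Review bot: `tcp dport 22 accept` in `prerouting` and `system_in` admits SSH from every interface, including the WAN side `$netif`, even though the three `define` lines single out a LAN interface; bind the management path to it with `iif $lanif tcp dport 22 accept`. The same unrestricted SSH rule is repeated in partie_3 and partie_4. With `policy drop;` on `system_out` and only `tcp sport 22 accept`, the firewall's own outbound traffic (DNS, updates) is blocked; that may be intended for this step of the exercise, but a comment such as `# host-originated traffic deliberately blocked in this step` would save the next reader from reading it as a mistake. The opening brace `table ip ipfilter{` also differs from partie_1's `ipfilter {`.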
@@ -0,0 +1,42 @@
+define netif = enp0s3
+define dmzif = enp0s8
+define lanif = enp0s9
+
+define firewall = 192.168.0.120
+define ipdmz = 172.16.0.254
+define iplan = 10.0.0.254
+
+table ip ipfilter{
+ chain prerouting {
+ type filter hook prerouting priority filter; policy drop;
+ icmp type echo-reply accept
+ icmp type echo-request iif {$lanif} ip daddr 172.16.0.1-172.16.0.254 accept
+ icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
+ tcp dport 22 accept
+ }
+ chain system_in {
+ type filter hook input priority filter; policy drop;
+ icmp type echo-reply accept
+ icmp type echo-request iif {$lanif} accept
+ tcp dport 22 accept
+ }
+ chain routing {
+ type filter hook forward priority filter; policy drop;
+ icmp type echo-request iif {$lanif} oif {$dmzif} accept
+ icmp type echo-reply iif {$dmzif} oif {$lanif} accept
+ }
+ chain system_out {
+ type filter hook output priority filter; policy drop;
+ icmp type echo-reply oif {$lanif} accept
+ icmp type echo-request accept
+ tcp sport 22 accept
+ }
+ chain postrouting {
+ type filter hook postrouting priority filter; policy drop;
+ icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
+ icmp type echo-reply iif {$dmzif} oif {$lanif} accept
+ icmp type echo-request iif {$lanif} oif {$dmzif} accept
+ icmp type echo-request ip saddr $iplan oif $lanif accept
+ tcp sport 22 accept
+ }
+}
diff --git a/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_4.nft b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_4.nft
new file mode 100644
index 0000000..f261dd5
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/current_ruleset_partie_4.nft
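Review bot: `tcp dport 22 accept` in `prerouting` and `system_in` carries no `iif` or `ip saddr` qualifier, so SSH on the firewall is reachable from `$netif` (the 192.168.0.0/24 side) exactly as from the LAN; restrict it to the management side, e.g. `iif $lanif tcp dport 22 accept`. The ICMP handling is still stateless — `icmp type echo-reply accept` in `prerouting`/`system_in` takes replies arriving on any interface whether or not a request went out — which a `ct state established,related accept` rule would replace more tightly and with fewer lines. Minor: `ip daddr 172.16.0.1-172.16.0.254` also covers the firewall's own DMZ address (`$ipdmz`); `172.16.0.0/24` or the defined constant makes the intended target set explicit.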
@@ -0,0 +1,68 @@
+define netif = enp0s3
+define dmzif = enp0s8
+define lanif = enp0s9
+
+define firewall = 192.168.0.120
+define ipdmz = 172.16.0.254
+define iplan = 10.0.0.254
+
+table ip ipfilter{
+ chain prerouting {
+ type filter hook prerouting priority filter; policy drop;
+ icmp type echo-reply accept
+ ct state established, related accept
+ icmp type echo-request iif {$lanif} ip daddr 172.16.0.1-172.16.0.254 accept
+ icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
+ tcp dport 20 accept
+ tcp dport 21 accept
+ tcp dport {80, 443} accept
+ tcp dport 22 accept
+ ip saddr 10.121.38.1 tcp dport {80, 443} accept
+ }
+ chain system_in {
+ type filter hook input priority filter; policy drop;
+ icmp type echo-reply accept
+ icmp type echo-request iif {$lanif} accept
+ ct state established, related accept
+ tcp dport 20 accept
+ tcp dport 21 accept
+ tcp dport {80, 443} accept
+ tcp dport 22 accept
+ ip saddr 10.121.38.1 tcp dport {80, 443} accept
+ }
+ chain routing {
+ type filter hook forward priority filter; policy drop;
+ icmp type echo-request iif {$lanif} oif {$dmzif} accept
+ icmp type echo-reply iif {$dmzif} oif {$lanif} accept
+ }
+ chain system_out {
+ type filter hook output priority filter; policy drop;
+ ip daddr 10.121.38.7-10.121.38.8 accept
+ ip daddr 10.121.38.1 tcp dport 8080 accept
+ icmp type echo-reply oif {$lanif} accept
+ icmp type echo-request accept
+ tcp dport 20 accept
+ tcp sport 20 accept
+ tcp dport 21 accept
+ tcp sport 21 accept
+ tcp dport {80, 443} accept
+ tcp sport {80, 443} accept
+ tcp sport 22 accept
+ }
+ chain postrouting {
+ type filter hook postrouting priority filter; policy drop;
+ ip daddr 10.121.38.7-10.121.38.8 accept
+ ip daddr 10.121.38.1 tcp dport 8080 accept
+ icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
+ icmp type echo-reply iif {$dmzif} oif {$lanif} accept
+ icmp type echo-request iif {$lanif} oif {$dmzif} accept
+ icmp type echo-request ip saddr $iplan oif $lanif accept
+ tcp dport 20 accept
+ tcp sport 20 accept
+ tcp dport 21 accept
+ tcp sport 21 accept
+ tcp dport {80, 443} accept
+ tcp sport {80, 443} accept
+ tcp sport 22 accept
+ }
+}
diff --git a/siotp/sisr1/tp07/files_firewall/interfaces b/siotp/sisr1/tp07/files_firewall/interfaces
new file mode 100644
index 0000000..cab3445
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/interfaces
@@ -0,0 +1,25 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+address 192.168.0.120
+gateway 192.168.0.1
+pre-up bash /root/scriptsnft/refresh_firewall.sh
+
+# Second network interface : DMZ
+allow-hotplug enp0s8
+iface enp0s8 inet static
+address 172.16.0.254/24
+
+# Third network interface : LAN
+allow-hotplug enp0s9
+iface enp0s9 inet static
+address 10.0.0.254/24
diff --git a/siotp/sisr1/tp07/files_firewall/proxy.conf b/siotp/sisr1/tp07/files_firewall/proxy.conf
new file mode 100644
index 0000000..849a7c6
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/proxy.conf
@@ -0,0 +1,3 @@
+Acquire::http::Proxy "http://10.121.38.1:8080/";
+Acquire::https::Proxy "http://10.121.38.1:8080/";
+
diff --git a/siotp/sisr1/tp07/files_firewall/refresh_firewall.sh b/siotp/sisr1/tp07/files_firewall/refresh_firewall.sh
new file mode 100644
index 0000000..070243f
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/refresh_firewall.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# active le routage entre les interfaces réseau du firewall
+echo "1" > /proc/sys/net/ipv4/ip_forward
+#vide les règles actuelles du pare-feu
+nft flush ruleset
+#charge les règles du pare-feu présentes dans le fichier
+nft -f /root/scriptsnft/current_ruleset.nft
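Review bot: The unqualified `tcp dport 20`, `21`, `{80, 443}` and `22 accept` rules in `system_in` open those ports on the firewall host itself to every interface, `$netif` included, and the `ip saddr 10.121.38.1 tcp dport {80, 443} accept` rule that follows is shadowed by the unconditional `tcp dport {80, 443} accept` above it. Since `routing` still forwards only ICMP, none of these rules let a LAN client reach the DMZ web server — if that is the goal the accept belongs in `routing` as `iif $lanif oif $dmzif tcp dport {80, 443} accept`; if the firewall is not meant to serve FTP/HTTP(S) itself, the `system_in` entries should go. `system_out` and `postrouting` have no `ct state` rule, which is why the `tcp sport 20/21/80/443/22 accept` lines exist, but those let any outbound packet with such a source port leave regardless of connection; a single `ct state established,related accept` covers the replies and lets the `sport` rules be deleted. Qualifying the inbound services with `iif $lanif` (shown below) keeps the lab's LAN-side access while closing the external side.
```nftables
# … unchanged: defines, prerouting, routing, postrouting …
 chain system_in {
 type filter hook input priority filter; policy drop;
 ct state established,related accept
 iif lo accept
 icmp type echo-request iif $lanif accept
 iif $lanif tcp dport { 20, 21, 22, 80, 443 } ct state new accept
 }
 chain system_out {
 type filter hook output priority filter; policy drop;
 ct state established,related accept
 oif lo accept
 ip daddr 10.121.38.7-10.121.38.8 accept
 ip daddr 10.121.38.1 tcp dport 8080 accept
 icmp type echo-request accept
 }
```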
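Review bot: `address 192.168.0.120` on enp0s3 carries no prefix length while enp0s8 and enp0s9 use `/24`, so the external subnet is left to ifupdown's default instead of being stated; write `address 192.168.0.120/24`. The `pre-up bash /root/scriptsnft/refresh_firewall.sh` hook is attached to enp0s3 only: if the hot-plugged enp0s8/enp0s9 are brought up first, they are live with an empty nftables ruleset (which accepts everything) until enp0s3 runs the hook — attaching the hook to each interface, or loading the ruleset from a service that runs before networking, closes that window. Using `pre-up` is the right direction, since a failing load keeps enp0s3 down rather than up and unfiltered.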
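Review bot: `nft flush ruleset` followed by a separate `nft -f` leaves the host with no rules at all between the two commands and, should `current_ruleset.nft` fail to parse, leaves it that way permanently, because the script neither uses `set -e` nor checks the exit status. Put `flush ruleset` as the first statement inside the ruleset file and call only `nft -f`, so flush and load are applied as one atomic transaction, and validate before applying: `nft -c -f /root/scriptsnft/current_ruleset.nft || exit 1`. The file loaded here is `current_ruleset.nft`, which is not among the `current_ruleset_partie_N.nft` files in this commit — presumably one of them is copied into place; a comment such as `# current_ruleset.nft is a copy of the partie_N file for the current step` would make that explicit. The comments would also be better in English, as `# enable routing between the firewall's interfaces` and `# flush then load the ruleset from file`.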
diff --git a/siotp/sisr1/tp07/files_firewall/resolv.conf b/siotp/sisr1/tp07/files_firewall/resolv.conf
new file mode 100644
index 0000000..04f8dc4
--- /dev/null
+++ b/siotp/sisr1/tp07/files_firewall/resolv.conf
@@ -0,0 +1,4 @@
+domain sio.lan
+search sio.lan
+nameserver 10.121.38.7
+nameserver 10.121.38.8
diff --git a/siotp/sisr1/tp07/files_pclan/interfaces b/siotp/sisr1/tp07/files_pclan/interfaces
new file mode 100644
index 0000000..563707b
--- /dev/null
+++ b/siotp/sisr1/tp07/files_pclan/interfaces
@@ -0,0 +1,14 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+address 10.0.0.1/24
+gateway 10.0.0.254
diff --git a/siotp/sisr1/tp07/files_pclan/resolv.conf b/siotp/sisr1/tp07/files_pclan/resolv.conf
new file mode 100644
index 0000000..04f8dc4
--- /dev/null
+++ b/siotp/sisr1/tp07/files_pclan/resolv.conf
@@ -0,0 +1,4 @@
+domain sio.lan
+search sio.lan
+nameserver 10.121.38.7
+nameserver 10.121.38.8
diff --git a/siotp/sisr1/tp07/files_pcnet/interfaces b/siotp/sisr1/tp07/files_pcnet/interfaces
new file mode 100644
index 0000000..05e785e
--- /dev/null
+++ b/siotp/sisr1/tp07/files_pcnet/interfaces
@@ -0,0 +1,14 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+address 192.168.0.121
+gateway 192.168.0.120
diff --git a/siotp/sisr1/tp07/files_pcnet/resolv.conf b/siotp/sisr1/tp07/files_pcnet/resolv.conf
new file mode 100644
index 0000000..04f8dc4
--- /dev/null
+++ b/siotp/sisr1/tp07/files_pcnet/resolv.conf
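Review bot: The LAN host at 10.0.0.1/24 is pointed at nameservers 10.121.38.7/.8, which sit behind the firewall, yet none of the rulesets in this commit accept DNS in the firewall's `routing` chain (it forwards ICMP only), so resolution from this machine will be dropped for as long as the forward policy stays `drop`. If LAN name resolution is expected to work at this step, `routing` needs something like `iif $lanif ip daddr { 10.121.38.7, 10.121.38.8 } udp dport 53 accept` (plus the tcp equivalent) and a matching return path or NAT, since 10.0.0.0/24 must be routable from the resolver side. If DNS for the LAN is intentionally deferred to a later exercise, a one-line comment here saying so would spare the reader the hunt.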
@@ -0,0 +1,4 @@
+domain sio.lan
+search sio.lan
+nameserver 10.121.38.7
+nameserver 10.121.38.8
diff --git a/siotp/sisr1/tp07/files_srvweb/interfaces b/siotp/sisr1/tp07/files_srvweb/interfaces
new file mode 100644
index 0000000..9a67b8a
--- /dev/null
+++ b/siotp/sisr1/tp07/files_srvweb/interfaces
@@ -0,0 +1,14 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp0s3
+iface enp0s3 inet static
+address 172.16.0.1/24
+gateway 172.16.0.254
diff --git a/siotp/sisr1/tp07/files_srvweb/resolv.conf b/siotp/sisr1/tp07/files_srvweb/resolv.conf
new file mode 100644
index 0000000..04f8dc4
--- /dev/null
+++ b/siotp/sisr1/tp07/files_srvweb/resolv.conf
@@ -0,0 +1,4 @@
+domain sio.lan
+search sio.lan
+nameserver 10.121.38.7
+nameserver 10.121.38.8