From af50cb61be099cabcc3588fcf7a9f5530685b4ea Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 11:25:49 +0200 Subject: [PATCH 01/11] structure-production-checklist --- docs/graphql/manual/guides/index.rst | 1 + .../manual/guides/production-checklist.rst | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 docs/graphql/manual/guides/production-checklist.rst diff --git a/docs/graphql/manual/guides/index.rst b/docs/graphql/manual/guides/index.rst index 26b8124dd52fa..ee6e52ae64251 100644 --- a/docs/graphql/manual/guides/index.rst +++ b/docs/graphql/manual/guides/index.rst @@ -11,6 +11,7 @@ Guides / Tutorials / Resources :titlesonly: Deployment guides + Production checklist Sample apps & boilerplates Integration/migration tutorials Integrating with monitoring frameworks diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst new file mode 100644 index 0000000000000..e098933371885 --- /dev/null +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -0,0 +1,78 @@ +.. _production-checklist: + +Production checklist +==================== + +.. contents:: Table of contents + :backlinks: none + :depth: 1 + :local: + +Security +-------- + +In order to increase the security of your GraphQL engine, some steps are necessary. + +Reverse proxy +^^^^^^^^^^^^^ + +You might want to set up Hasura behind a load balancer to improve performance, reliability and security. + +Both nginx and Caddy work well with Hasura. + +nginx +~~~~~ + +`Here `_ is how to configure a nginx reverse proxy. + +Caddy +~~~~~ + +`Here `_ is how to configure a Caddy proxy. + +Admin secret +^^^^^^^^^^^^ + +Configure an admin secret like described :doc:`here <../deployment/securing-graphql-endpoint>`. + +CORS domains +^^^^^^^^^^^^ + +Configure your CORS domains as described `here `_. + +API security +------------ + +Allow-list +^^^^^^^^^^ + +White-list safe queries (GraphQL queries, mutations, subscriptions) by creating an :doc:`allow-list <../deployment/allow-list>`. + +Limit rows +^^^^^^^^^^ + +Enable/disable API endpoints +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Console availability +^^^^^^^^^^^^^^^^^^^^ + +Gateway +------- + +Gzip responses +^^^^^^^^^^^^^^ + +If you are not using HTTP2, you can do :doc:`HTTP compression <../deployment/compression>` in order to increase speed. + +Load balancing +^^^^^^^^^^^^^^ + +Logging +------- + +Optimisations +------------- + +Subscriptions +^^^^^^^^^^^^^ \ No newline at end of file From f3227ce3c417b2c5820b8b2b841909708210b553 Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 13:18:59 +0200 Subject: [PATCH 02/11] add content and change structure --- .../manual/guides/production-checklist.rst | 44 ++++++++----------- 1 file changed, 19 insertions(+), 25 deletions(-) diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst index e098933371885..bd087f1bfd5bd 100644 --- a/docs/graphql/manual/guides/production-checklist.rst +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -11,14 +11,19 @@ Production checklist Security -------- -In order to increase the security of your GraphQL engine, some steps are necessary. +In order to increase the security of your GraphQL engine, the following steps are recommended. -Reverse proxy -^^^^^^^^^^^^^ +Admin secret +^^^^^^^^^^^^ + +Configure an admin secret as described :doc:`here <../deployment/securing-graphql-endpoint>`. + +Reverse proxy & API gateway +^^^^^^^^^^^^^^^^^^^^^^^^^^^ You might want to set up Hasura behind a load balancer to improve performance, reliability and security. -Both nginx and Caddy work well with Hasura. +NOTE: SHAHIDH WILL ADD MORE INFO HERE INCLUDING CONFIGURATION nginx ~~~~~ @@ -30,10 +35,10 @@ Caddy `Here `_ is how to configure a Caddy proxy. -Admin secret -^^^^^^^^^^^^ -Configure an admin secret like described :doc:`here <../deployment/securing-graphql-endpoint>`. +.. note:: + + ``gzip`` compression is enabled by default if the client supports it. CORS domains ^^^^^^^^^^^^ @@ -48,31 +53,20 @@ Allow-list White-list safe queries (GraphQL queries, mutations, subscriptions) by creating an :doc:`allow-list <../deployment/allow-list>`. -Limit rows -^^^^^^^^^^ - -Enable/disable API endpoints -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - Console availability ^^^^^^^^^^^^^^^^^^^^ -Gateway -------- +It is recommended to `disable the console `_ for the production instance. -Gzip responses -^^^^^^^^^^^^^^ +Limit rows +^^^^^^^^^^ -If you are not using HTTP2, you can do :doc:`HTTP compression <../deployment/compression>` in order to increase speed. +You can `limit the number of rows `_ that can be accessed with one request. -Load balancing -^^^^^^^^^^^^^^ +Enable/disable admin endpoints +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Logging ------- -Optimisations -------------- - -Subscriptions -^^^^^^^^^^^^^ \ No newline at end of file +:doc:`This page <../deployment/logging>` describes the different types of server logs, as well as how to access them. \ No newline at end of file From 9be7fd92dd32e24909252c8a21718b59818aa1d7 Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 13:33:57 +0200 Subject: [PATCH 03/11] Add disable admin endpoints# --- docs/graphql/manual/guides/production-checklist.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst index bd087f1bfd5bd..54323950f9301 100644 --- a/docs/graphql/manual/guides/production-checklist.rst +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -8,6 +8,8 @@ Production checklist :depth: 1 :local: +This guide is a checklist that helps to be aware of potential vulnerabilities before deploying Hasura GraphQL engine to production. It also suggests solutions to reduce the risk of these vulnerabilities. + Security -------- @@ -63,8 +65,10 @@ Limit rows You can `limit the number of rows `_ that can be accessed with one request. -Enable/disable admin endpoints -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Disable admin endpoints +^^^^^^^^^^^^^^^^^^^^^^^ + +It is recommended to `disable access to the schema / metadata API `_ for the production instance. Logging ------- From e890639188dfe392f113c6292d8c3f9dbc5028e3 Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 15:15:13 +0200 Subject: [PATCH 04/11] Update docs/graphql/manual/guides/production-checklist.rst Co-Authored-By: dsandip --- docs/graphql/manual/guides/production-checklist.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst index 54323950f9301..217412f7a28d7 100644 --- a/docs/graphql/manual/guides/production-checklist.rst +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -8,7 +8,7 @@ Production checklist :depth: 1 :local: -This guide is a checklist that helps to be aware of potential vulnerabilities before deploying Hasura GraphQL engine to production. It also suggests solutions to reduce the risk of these vulnerabilities. +This guide is a checklist for configuring and securing GraphQL engine for a production deployment. Security -------- @@ -73,4 +73,4 @@ It is recommended to `disable access to the schema / metadata API ` describes the different types of server logs, as well as how to access them. \ No newline at end of file +:doc:`This page <../deployment/logging>` describes the different types of server logs, as well as how to access them. From 87bf8148d431d4296c1dfee4fa17ca64ba60b822 Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 15:15:26 +0200 Subject: [PATCH 05/11] Update docs/graphql/manual/guides/production-checklist.rst Co-Authored-By: dsandip --- docs/graphql/manual/guides/production-checklist.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst index 217412f7a28d7..03d608ab7f764 100644 --- a/docs/graphql/manual/guides/production-checklist.rst +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -13,7 +13,7 @@ This guide is a checklist for configuring and securing GraphQL engine for a prod Security -------- -In order to increase the security of your GraphQL engine, the following steps are recommended. +The following steps are recommended to better secure your production GraphQL engine instance: Admin secret ^^^^^^^^^^^^ From da13d768e8f3da3c30439f4cb0d5f0f6a03dc2b3 Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 15:16:00 +0200 Subject: [PATCH 06/11] Update docs/graphql/manual/guides/production-checklist.rst Co-Authored-By: dsandip --- docs/graphql/manual/guides/production-checklist.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst index 03d608ab7f764..eb4ed077b8dee 100644 --- a/docs/graphql/manual/guides/production-checklist.rst +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -30,7 +30,7 @@ NOTE: SHAHIDH WILL ADD MORE INFO HERE INCLUDING CONFIGURATION nginx ~~~~~ -`Here `_ is how to configure a nginx reverse proxy. +`Here `_ is how you can configure an NGINX reverse proxy. Caddy ~~~~~ From 9d290232a8d8eabbd1c96fac94ab5f64dc3b2d70 Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 15:16:16 +0200 Subject: [PATCH 07/11] Update docs/graphql/manual/guides/production-checklist.rst Co-Authored-By: dsandip --- docs/graphql/manual/guides/production-checklist.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst index eb4ed077b8dee..74df659530484 100644 --- a/docs/graphql/manual/guides/production-checklist.rst +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -35,7 +35,7 @@ nginx Caddy ~~~~~ -`Here `_ is how to configure a Caddy proxy. +`Here `_ is how you can configure a Caddy proxy. .. note:: From 6d8921259a565903d50a165eafca12ad06feeb9c Mon Sep 17 00:00:00 2001 From: Marion Schleifer Date: Tue, 15 Oct 2019 15:38:58 +0200 Subject: [PATCH 08/11] add note on telementery --- docs/graphql/manual/guides/production-checklist.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst index 54323950f9301..8ebb02c38cf66 100644 --- a/docs/graphql/manual/guides/production-checklist.rst +++ b/docs/graphql/manual/guides/production-checklist.rst @@ -38,10 +38,6 @@ Caddy `Here `_ is how to configure a Caddy proxy. -.. note:: - - ``gzip`` compression is enabled by default if the client supports it. - CORS domains ^^^^^^^^^^^^ @@ -73,4 +69,8 @@ It is recommended to `disable access to the schema / metadata API ` describes the different types of server logs, as well as how to access them. \ No newline at end of file +:doc:`This page <../deployment/logging>` describes the different types of server logs, as well as how to access them. + +.. note:: + + While PII data is not captured, it is recommended that telemetry be disabled for production instances. The relevant environment variable can be found :doc:`here <../deployment/graphql-engine-flags/reference>`. From 2a3d05978e181caca6a052192b8f50f6611b1edc Mon Sep 17 00:00:00 2001 From: Shahidh K Muhammed Date: Wed, 16 Oct 2019 18:40:28 +0530 Subject: [PATCH 09/11] update doc, move to deploying --- docs/graphql/manual/api-reference/index.rst | 2 + docs/graphql/manual/deployment/allow-list.rst | 2 + .../graphql/manual/deployment/compression.rst | 2 + .../deployment/graphql-engine-flags/index.rst | 2 + docs/graphql/manual/deployment/index.rst | 1 + docs/graphql/manual/deployment/logging.rst | 2 + .../deployment/production-checklist.rst | 204 ++++++++++++++++++ .../deployment/securing-graphql-endpoint.rst | 2 + docs/graphql/manual/guides/index.rst | 1 - .../manual/guides/production-checklist.rst | 76 ------- 10 files changed, 217 insertions(+), 77 deletions(-) create mode 100644 docs/graphql/manual/deployment/production-checklist.rst delete mode 100644 docs/graphql/manual/guides/production-checklist.rst diff --git a/docs/graphql/manual/api-reference/index.rst b/docs/graphql/manual/api-reference/index.rst index e11b278b316e4..6087788e26c9b 100644 --- a/docs/graphql/manual/api-reference/index.rst +++ b/docs/graphql/manual/api-reference/index.rst @@ -1,3 +1,5 @@ +.. _api-reference: + API Reference ============= diff --git a/docs/graphql/manual/deployment/allow-list.rst b/docs/graphql/manual/deployment/allow-list.rst index e53a904c3f4fb..6a12e035a35f5 100644 --- a/docs/graphql/manual/deployment/allow-list.rst +++ b/docs/graphql/manual/deployment/allow-list.rst @@ -1,3 +1,5 @@ +.. _allow-list: + Allow-list for queries ====================== diff --git a/docs/graphql/manual/deployment/compression.rst b/docs/graphql/manual/deployment/compression.rst index 787c077ce1f84..38c9099af4364 100644 --- a/docs/graphql/manual/deployment/compression.rst +++ b/docs/graphql/manual/deployment/compression.rst @@ -1,3 +1,5 @@ +.. _http-compression: + HTTP Compression ================ diff --git a/docs/graphql/manual/deployment/graphql-engine-flags/index.rst b/docs/graphql/manual/deployment/graphql-engine-flags/index.rst index 78f086c65f01e..ca3a12c065dbd 100644 --- a/docs/graphql/manual/deployment/graphql-engine-flags/index.rst +++ b/docs/graphql/manual/deployment/graphql-engine-flags/index.rst @@ -1,3 +1,5 @@ +.. _hge_flags: + GraphQL engine server configuration =================================== diff --git a/docs/graphql/manual/deployment/index.rst b/docs/graphql/manual/deployment/index.rst index 08bc857cf6905..c660b9e8b4425 100644 --- a/docs/graphql/manual/deployment/index.rst +++ b/docs/graphql/manual/deployment/index.rst @@ -57,3 +57,4 @@ For access to Hasura GraphQL engine logs, check the below page for details: postgres-permissions Updating GraphQL engine HTTP Compression + Production checklist diff --git a/docs/graphql/manual/deployment/logging.rst b/docs/graphql/manual/deployment/logging.rst index 40a6e2957ca57..df715ba9a8896 100644 --- a/docs/graphql/manual/deployment/logging.rst +++ b/docs/graphql/manual/deployment/logging.rst @@ -1,3 +1,5 @@ +.. _hge_logs: + Hasura GraphQL engine logs ========================== diff --git a/docs/graphql/manual/deployment/production-checklist.rst b/docs/graphql/manual/deployment/production-checklist.rst new file mode 100644 index 0000000000000..d2dae769e6746 --- /dev/null +++ b/docs/graphql/manual/deployment/production-checklist.rst @@ -0,0 +1,204 @@ +.. _production-checklist: + +Production Checklist +==================== + +.. contents:: Table of contents + :backlinks: none + :depth: 1 + :local: + +This guide is a checklist for configuring and securing GraphQL engine for a +production deployment. + +Admin Secret +------------ + +Set an admin secret to protect the API from unauthrorized access. It is +recommended to keep this as a long string. + +.. code-block:: bash + + # set env var + HASURA_GRAPHQL_ADMIN_SECRET=averylongpasswordstring + + # or use the flag + graphql-engine --database-url= serve --admin-secret= + +More details can be found at :ref:`securing-graphql-endpoint`. + +Permissions +----------- + +Review the summary +~~~~~~~~~~~~~~~~~~ +Review the authorization/permission rules set on tables. You can make use of the +"Schema permissions summary" page to get a bird's eye view on all the +permissions set across all tables and roles. Pay extra attention to roles like +"anonymous" which allow unauthenticated access. + +.. image:: https://graphql-engine-cdn.hasura.io/img/schema_permissions_summary.png + :class: no-shadow + :alt: Hasura console - Schema permissions summary + +Limit number of rows returned +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +You should :ref:`limit the number of rows ` that can be +accessed in one request, by setting the number in the select permission. This +will prevent someone from accidentally or otherwise querying the entire table in +one shot, thus adding load on Postgres. + +Disable APIs +------------ + +Hasura exposes many APIs which might not be relevant for a production instance +that is only supposed to serve GraphQL. APIs can be selectively enabled using +the corresponding flag or environment variable. + +In most production scenarios, you would only need GraphQL API to be enabled. + +.. code-block:: bash + + # set this env var to enable only the graphql api + HASURA_GRAPHQL_ENABLED_APIS=graphql + + # if you're using flags + graphql-engine --database-url= serve --enabled-apis=graphql + +By setting the above flag or env var, we are disabling the ``metadata``, +``pg_dump`` and ``config`` APIs. ``health`` and ``version`` APIs are public and +cannot be disabled. + +Read more at :ref:`api-reference`. + +.. note:: + + If you're using ``cli-migrations`` image, prior to ``v1.0.0-beta.8``, setting + enabled APIs to only ``graphql`` can cause the migration apply step to fail. + Please update to the latest version if you're facing this issue. + ``graphql`` can cause the mi + + +Disable Console +--------------- + +It is recommended that you disable the console on production deployments. Also, +when you disable Metadata APIs, console will stop working. + +.. code-block:: bash + + # set the env var to disable console + HASURA_GRAPHQL_ENABLE_CONSOLE=false + + # when using flags, no --enable-console flag implies console is disabled + graphql-engine --database-url= serve + +.. note:: + + You can still use the CLI to open a console connected to this instance. + (Provided ``metadata`` APIs are not disabled). + +Allow List +---------- + +An allow-list can be set up to restrict what kind of queries can be made against +this particular instance. If your API is meant to serve a frontend client, you +can only allow those queries used by the client to pass through. Every other +query will be rejected without even getting validated. + +Read more at :ref:`allow-list`. + +CORS Domains +------------ + +By default, all cross-origin requests are allowed by Hasura. You should restrict +it to the domains which you trust. + +.. code-block:: bash + + # set the env var, accept cross-origin requests from https://my-ui.com + HASURA_GRAPHQL_CORS_DOMAIN=https://my-ui.com + + # using flags + graphql-engine --database-url= server --cors-domain="https://my-ui.com" + +You can read more about this setting at :ref:`configure-cors`. + +Enable HTTPS +------------ + +Hasura does not handle SSL/TLS for your API. That means, Hasura cannot serve +your API on a HTTPS URL and you should use a reverse proxy (like Nginx, Caddy, +Kong, Traefik etc.) or the cloud provider's native load balancer SSL +termination features to secure your API. + +`Nginx `__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Here is a sample ``nginx.conf`` to proxy requests to Hasura: + +.. code-block:: nginx + + server { + listen 80; + server_name hasura.my-domain.com; + + location / { + proxy_pass http://localhost:8080/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + } + +Please note that setting up SSL is not covered in this guide. You can find more +information at `Nginx docs +`__. + +To serve Hasura with a URL prefix instead of a separate subdomain, use +``location /hasura/`` or similar. + +`Caddy `__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Here is a sample ``Caddyfile`` to proxy requests to Hasura: + +.. code-block:: bash + + hasura.my-domain.com { + proxy / http://localhost:8080 + websocket + } + +Caddy has SSL provisioning built-in with Let's Encrypt. You can find the docs at +`Caddy website `__. + +In order to serve at a URL prefix, use the following configuration: + +.. code-block:: bash + + my-domain.com { + proxy /hasura http://localhost:8080 + websocket + without /hasura + } + +Logging +------- + + +The :ref:`guide on logs ` describes different log types Hasura uses. +You can configure the GraphQL engine to enable/disable certain log-types using +the the ``--enabled-log-types`` flag or the ``HASURA_GRAPHQL_ENABLED_LOG_TYPES`` +env var. + +If you are collecting your logs using an agent and you're interested in +capturing the request logs along with the SQL that is generated, you should +enable ``query-log`` (it is not enabled by default). + +.. code-block:: bash + + # enable all log types + HASURA_GRAPHQL_ENABLED_LOG_TYPES=startup,http-log,query-log,websocket-log,webhook-log + + # using flags + graphql-engine --database-url= + serve --enabled-log-types="startup,http-log,query-log,websocket-log,webhook-log" diff --git a/docs/graphql/manual/deployment/securing-graphql-endpoint.rst b/docs/graphql/manual/deployment/securing-graphql-endpoint.rst index ec1e9e69d1c44..1bf0ec2daadc6 100644 --- a/docs/graphql/manual/deployment/securing-graphql-endpoint.rst +++ b/docs/graphql/manual/deployment/securing-graphql-endpoint.rst @@ -1,3 +1,5 @@ +.. _securing-graphql-endpoint: + Securing the GraphQL endpoint ============================= diff --git a/docs/graphql/manual/guides/index.rst b/docs/graphql/manual/guides/index.rst index ee6e52ae64251..26b8124dd52fa 100644 --- a/docs/graphql/manual/guides/index.rst +++ b/docs/graphql/manual/guides/index.rst @@ -11,7 +11,6 @@ Guides / Tutorials / Resources :titlesonly: Deployment guides - Production checklist Sample apps & boilerplates Integration/migration tutorials Integrating with monitoring frameworks diff --git a/docs/graphql/manual/guides/production-checklist.rst b/docs/graphql/manual/guides/production-checklist.rst deleted file mode 100644 index c96f8088845ce..0000000000000 --- a/docs/graphql/manual/guides/production-checklist.rst +++ /dev/null @@ -1,76 +0,0 @@ -.. _production-checklist: - -Production checklist -==================== - -.. contents:: Table of contents - :backlinks: none - :depth: 1 - :local: - -This guide is a checklist for configuring and securing GraphQL engine for a production deployment. - -Security --------- - -The following steps are recommended to better secure your production GraphQL engine instance: - -Admin secret -^^^^^^^^^^^^ - -Configure an admin secret as described :doc:`here <../deployment/securing-graphql-endpoint>`. - -Reverse proxy & API gateway -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -You might want to set up Hasura behind a load balancer to improve performance, reliability and security. - -NOTE: SHAHIDH WILL ADD MORE INFO HERE INCLUDING CONFIGURATION - -nginx -~~~~~ - -`Here `_ is how you can configure an NGINX reverse proxy. - -Caddy -~~~~~ - -`Here `_ is how you can configure a Caddy proxy. - - -CORS domains -^^^^^^^^^^^^ - -Configure your CORS domains as described `here `_. - -API security ------------- - -Allow-list -^^^^^^^^^^ - -White-list safe queries (GraphQL queries, mutations, subscriptions) by creating an :doc:`allow-list <../deployment/allow-list>`. - -Console availability -^^^^^^^^^^^^^^^^^^^^ - -It is recommended to `disable the console `_ for the production instance. - -Limit rows -^^^^^^^^^^ - -You can `limit the number of rows `_ that can be accessed with one request. - -Disable admin endpoints -^^^^^^^^^^^^^^^^^^^^^^^ - -It is recommended to `disable access to the schema / metadata API `_ for the production instance. - -Logging -------- - -:doc:`This page <../deployment/logging>` describes the different types of server logs, as well as how to access them. - -.. note:: - - While PII data is not captured, it is recommended that telemetry be disabled for production instances. The relevant environment variable can be found :doc:`here <../deployment/graphql-engine-flags/reference>`. From eb14874f788f088d8c473a3aa77ab421602ea59f Mon Sep 17 00:00:00 2001 From: Shahidh K Muhammed Date: Wed, 23 Oct 2019 09:21:54 +0530 Subject: [PATCH 10/11] add review feedback --- .../manual/deployment/enable-https.rst | 60 +++++++++++++++ docs/graphql/manual/deployment/index.rst | 1 + .../deployment/production-checklist.rst | 74 +++---------------- 3 files changed, 72 insertions(+), 63 deletions(-) create mode 100644 docs/graphql/manual/deployment/enable-https.rst diff --git a/docs/graphql/manual/deployment/enable-https.rst b/docs/graphql/manual/deployment/enable-https.rst new file mode 100644 index 0000000000000..d1f2526bd882d --- /dev/null +++ b/docs/graphql/manual/deployment/enable-https.rst @@ -0,0 +1,60 @@ +.. _enable-https: + +Enable HTTPS +============ + +Hasura does not handle SSL/TLS for your API. That means, Hasura cannot serve +your API on a HTTPS URL and you should use a reverse proxy (like Nginx, Caddy, +Kong, Traefik etc.) or the cloud provider's native load balancer SSL +termination features to secure your API. + +`Nginx `__ +-------------------------------------- + +Here is a sample ``nginx.conf`` to proxy requests to Hasura: + +.. code-block:: nginx + + server { + listen 80; + server_name hasura.my-domain.com; + + location / { + proxy_pass http://localhost:8080/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + } + +Please note that setting up SSL is not covered in this guide. You can find more +information at `Nginx docs +`__. + +To serve Hasura with a URL prefix instead of a separate subdomain, use +``location /hasura/`` or similar. + +`Caddy `__ +------------------------------------ + +Here is a sample ``Caddyfile`` to proxy requests to Hasura: + +.. code-block:: bash + + hasura.my-domain.com { + proxy / http://localhost:8080 + websocket + } + +Caddy has SSL provisioning built-in with Let's Encrypt. You can find the docs at +`Caddy website `__. + +In order to serve at a URL prefix, use the following configuration: + +.. code-block:: bash + + my-domain.com { + proxy /hasura http://localhost:8080 + websocket + without /hasura + } diff --git a/docs/graphql/manual/deployment/index.rst b/docs/graphql/manual/deployment/index.rst index 939167c5fb6a6..6e4eaa0339f2f 100644 --- a/docs/graphql/manual/deployment/index.rst +++ b/docs/graphql/manual/deployment/index.rst @@ -56,6 +56,7 @@ For access to Hasura GraphQL engine logs, check the below page for details: allow-list postgres-permissions HTTP Compression + Enable HTTPS Updating GraphQL engine Downgrading GraphQL engine Production checklist diff --git a/docs/graphql/manual/deployment/production-checklist.rst b/docs/graphql/manual/deployment/production-checklist.rst index d2dae769e6746..0b672d739b75f 100644 --- a/docs/graphql/manual/deployment/production-checklist.rst +++ b/docs/graphql/manual/deployment/production-checklist.rst @@ -11,8 +11,8 @@ Production Checklist This guide is a checklist for configuring and securing GraphQL engine for a production deployment. -Admin Secret ------------- +Set Admin Secret +---------------- Set an admin secret to protect the API from unauthrorized access. It is recommended to keep this as a long string. @@ -27,8 +27,8 @@ recommended to keep this as a long string. More details can be found at :ref:`securing-graphql-endpoint`. -Permissions ------------ +Verify Permissions +------------------ Review the summary ~~~~~~~~~~~~~~~~~~ @@ -98,8 +98,8 @@ when you disable Metadata APIs, console will stop working. You can still use the CLI to open a console connected to this instance. (Provided ``metadata`` APIs are not disabled). -Allow List ----------- +Set up an Allow List +-------------------- An allow-list can be set up to restrict what kind of queries can be made against this particular instance. If your API is meant to serve a frontend client, you @@ -108,8 +108,8 @@ query will be rejected without even getting validated. Read more at :ref:`allow-list`. -CORS Domains ------------- +Restrict CORS Domains +--------------------- By default, all cross-origin requests are allowed by Hasura. You should restrict it to the domains which you trust. @@ -127,62 +127,10 @@ You can read more about this setting at :ref:`configure-cors`. Enable HTTPS ------------ -Hasura does not handle SSL/TLS for your API. That means, Hasura cannot serve -your API on a HTTPS URL and you should use a reverse proxy (like Nginx, Caddy, -Kong, Traefik etc.) or the cloud provider's native load balancer SSL -termination features to secure your API. - -`Nginx `__ -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Here is a sample ``nginx.conf`` to proxy requests to Hasura: - -.. code-block:: nginx - - server { - listen 80; - server_name hasura.my-domain.com; - - location / { - proxy_pass http://localhost:8080/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - } - } - -Please note that setting up SSL is not covered in this guide. You can find more -information at `Nginx docs -`__. - -To serve Hasura with a URL prefix instead of a separate subdomain, use -``location /hasura/`` or similar. - -`Caddy `__ -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Here is a sample ``Caddyfile`` to proxy requests to Hasura: - -.. code-block:: bash - - hasura.my-domain.com { - proxy / http://localhost:8080 - websocket - } - -Caddy has SSL provisioning built-in with Let's Encrypt. You can find the docs at -`Caddy website `__. - -In order to serve at a URL prefix, use the following configuration: - -.. code-block:: bash - - my-domain.com { - proxy /hasura http://localhost:8080 - websocket - without /hasura - } +A detailed guide is available at :ref:`enable-https`. -Logging -------- +Configure Logging +----------------- The :ref:`guide on logs ` describes different log types Hasura uses. From 8d403d28ecb89947200ff605679f7f36816c36fd Mon Sep 17 00:00:00 2001 From: rikinsk Date: Wed, 23 Oct 2019 14:50:40 +0530 Subject: [PATCH 11/11] minor edits --- .../manual/deployment/enable-https.rst | 23 ++++++-- .../deployment/graphql-engine-flags/index.rst | 1 - docs/graphql/manual/deployment/index.rst | 8 +-- .../deployment/production-checklist.rst | 53 ++++++++++-------- .../deployment/schema_permissions_summary.png | Bin 0 -> 31535 bytes 5 files changed, 52 insertions(+), 33 deletions(-) create mode 100644 docs/img/graphql/manual/deployment/schema_permissions_summary.png diff --git a/docs/graphql/manual/deployment/enable-https.rst b/docs/graphql/manual/deployment/enable-https.rst index d1f2526bd882d..e8d459bc13823 100644 --- a/docs/graphql/manual/deployment/enable-https.rst +++ b/docs/graphql/manual/deployment/enable-https.rst @@ -3,13 +3,28 @@ Enable HTTPS ============ -Hasura does not handle SSL/TLS for your API. That means, Hasura cannot serve -your API on a HTTPS URL and you should use a reverse proxy (like Nginx, Caddy, +.. contents:: Table of contents + :backlinks: none + :depth: 2 + :local: + +Setting up HTTPS +---------------- + +Hasura GraphQL engine does not handle SSL/TLS for your API. That means, Hasura GraphQL engine cannot serve +your API on an HTTPS URL. + +You should use a reverse proxy (like Nginx, Caddy, Kong, Traefik etc.) or the cloud provider's native load balancer SSL termination features to secure your API. +Sample configurations +--------------------- + +Here are a few sample configurations for some popular proxies: + `Nginx `__ --------------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here is a sample ``nginx.conf`` to proxy requests to Hasura: @@ -35,7 +50,7 @@ To serve Hasura with a URL prefix instead of a separate subdomain, use ``location /hasura/`` or similar. `Caddy `__ ------------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here is a sample ``Caddyfile`` to proxy requests to Hasura: diff --git a/docs/graphql/manual/deployment/graphql-engine-flags/index.rst b/docs/graphql/manual/deployment/graphql-engine-flags/index.rst index ca3a12c065dbd..e1e8cc9d1ab7e 100644 --- a/docs/graphql/manual/deployment/graphql-engine-flags/index.rst +++ b/docs/graphql/manual/deployment/graphql-engine-flags/index.rst @@ -24,7 +24,6 @@ The following are a few configuration use cases: - :ref:`cli-with-admin-secret` - :ref:`configure-cors` - :ref:`console-assets-on-server` -- :ref:`http-compression` .. toctree:: :hidden: diff --git a/docs/graphql/manual/deployment/index.rst b/docs/graphql/manual/deployment/index.rst index 6e4eaa0339f2f..750c6c9e8a8bc 100644 --- a/docs/graphql/manual/deployment/index.rst +++ b/docs/graphql/manual/deployment/index.rst @@ -51,12 +51,12 @@ For access to Hasura GraphQL engine logs, check the below page for details: Using Docker Using Kubernetes Server configuration - Server logs + postgres-permissions securing-graphql-endpoint + Server logs + Enable HTTPS allow-list - postgres-permissions HTTP Compression - Enable HTTPS + Production checklist Updating GraphQL engine Downgrading GraphQL engine - Production checklist diff --git a/docs/graphql/manual/deployment/production-checklist.rst b/docs/graphql/manual/deployment/production-checklist.rst index 0b672d739b75f..198d20917e527 100644 --- a/docs/graphql/manual/deployment/production-checklist.rst +++ b/docs/graphql/manual/deployment/production-checklist.rst @@ -1,6 +1,6 @@ .. _production-checklist: -Production Checklist +Production checklist ==================== .. contents:: Table of contents @@ -11,10 +11,10 @@ Production Checklist This guide is a checklist for configuring and securing GraphQL engine for a production deployment. -Set Admin Secret ----------------- +Set an admin secret +------------------- -Set an admin secret to protect the API from unauthrorized access. It is +Set an admin secret to protect the API from unauthorized access. It is recommended to keep this as a long string. .. code-block:: bash @@ -23,13 +23,18 @@ recommended to keep this as a long string. HASURA_GRAPHQL_ADMIN_SECRET=averylongpasswordstring # or use the flag - graphql-engine --database-url= serve --admin-secret= + graphql-engine --database-url= serve --admin-secret=averylongpasswordstring More details can be found at :ref:`securing-graphql-endpoint`. -Verify Permissions +Verify permissions ------------------ +.. contents:: + :backlinks: none + :depth: 1 + :local: + Review the summary ~~~~~~~~~~~~~~~~~~ Review the authorization/permission rules set on tables. You can make use of the @@ -37,9 +42,9 @@ Review the authorization/permission rules set on tables. You can make use of the permissions set across all tables and roles. Pay extra attention to roles like "anonymous" which allow unauthenticated access. -.. image:: https://graphql-engine-cdn.hasura.io/img/schema_permissions_summary.png - :class: no-shadow +.. thumbnail:: ../../../img/graphql/manual/deployment/schema_permissions_summary.png :alt: Hasura console - Schema permissions summary + :width: 75% Limit number of rows returned ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -69,21 +74,20 @@ By setting the above flag or env var, we are disabling the ``metadata``, ``pg_dump`` and ``config`` APIs. ``health`` and ``version`` APIs are public and cannot be disabled. -Read more at :ref:`api-reference`. +Read more about all the API types at the :ref:`API reference `. .. note:: If you're using ``cli-migrations`` image, prior to ``v1.0.0-beta.8``, setting enabled APIs to only ``graphql`` can cause the migration apply step to fail. Please update to the latest version if you're facing this issue. - ``graphql`` can cause the mi -Disable Console +Disable console --------------- It is recommended that you disable the console on production deployments. Also, -when you disable Metadata APIs, console will stop working. +when you disable the metadata API, console will stop working. .. code-block:: bash @@ -98,21 +102,21 @@ when you disable Metadata APIs, console will stop working. You can still use the CLI to open a console connected to this instance. (Provided ``metadata`` APIs are not disabled). -Set up an Allow List +Set up an allow-list -------------------- -An allow-list can be set up to restrict what kind of queries can be made against +An allow-list can be set up to restrict what kind of requests can be made against this particular instance. If your API is meant to serve a frontend client, you -can only allow those queries used by the client to pass through. Every other -query will be rejected without even getting validated. +can only allow those requests used by the client to pass through. Every other +request will be rejected without even getting validated. Read more at :ref:`allow-list`. -Restrict CORS Domains +Restrict CORS domains --------------------- -By default, all cross-origin requests are allowed by Hasura. You should restrict -it to the domains which you trust. +By default, all cross-origin requests are allowed by Hasura GraphQL engine. You should restrict +them to the domains which you trust. .. code-block:: bash @@ -127,20 +131,21 @@ You can read more about this setting at :ref:`configure-cors`. Enable HTTPS ------------ -A detailed guide is available at :ref:`enable-https`. +Production APIs should be served over HTTPS to be secure over the network. -Configure Logging ------------------ +See :ref:`enable-https` for details on achieving this. +Configure logging +----------------- -The :ref:`guide on logs ` describes different log types Hasura uses. +The :ref:`logs guide ` describes different log types and log levels Hasura GraphQL engine uses. You can configure the GraphQL engine to enable/disable certain log-types using the the ``--enabled-log-types`` flag or the ``HASURA_GRAPHQL_ENABLED_LOG_TYPES`` env var. If you are collecting your logs using an agent and you're interested in capturing the request logs along with the SQL that is generated, you should -enable ``query-log`` (it is not enabled by default). +enable ``query-log`` *(it is not enabled by default)*. .. code-block:: bash diff --git a/docs/img/graphql/manual/deployment/schema_permissions_summary.png b/docs/img/graphql/manual/deployment/schema_permissions_summary.png new file mode 100644 index 0000000000000000000000000000000000000000..4d345cc5acf9222b397fde00349c0233b0e46e8a GIT binary patch literal 31535 zcmbsPbx>Sg@Gc5N2$CRyU^6&D0zqehKyVEj+#Lod1PCrcg2UkMAq4jXcip(V%LMm8 zaJiHB{HngM>QUrq3!;}@Jai5btM?pcsm6efHML|J_qo6$5 z!9qhy4t|NTAO|07M+sTolarIjv+0K( zp{=d04<9}Z4GpcVtXy4OrlzL3`Xrp4pYQDKJOZz;{+wO*g{mulxXJyYq3BV$clW_M zXXf_q=4R(6D_ik{p4$hF#K~I|W5YmI`J1BR!~2K*mM_;gr&pU>L)UkkclS!lu&cRw z*Xq6N+PbUbldI*W>!#+h$yxu-OL?uRySpU`S);4{1J{a$>p!h4_xDSMc7JZ}uD5?( z?d)F9mEWYM-BeU6sj92`w@sv&UibGKsww3z-BxbgU9GQQ9UfgzOs*_7C7CK+cXU`N zeQ=FyydEA=GLOHS&*bxL`Cai@!^kc`Q}<}J%-t_rLqkJR$>DypYXYutbK6^FuhAK( zsUALX-P6O(#nsU_^7wdieLCh?Fqcx=e;KP=PT`2Jshk5%T?j>bXDTL{r9Zq zP**F&+3m#mSZ;cnvzd0zkFp)$hqax{)Sr7lzxb+|Q~M8!0rh*D9={eEvi+>}e|^zu zOZD#U>$J?6UTKT(SzHguZl73MzZr`=+#bK09cegx=qQUxbu+M5(p_1eO!kSto|#=) z?5>+wb4?!Zj7|9mp=0-^4gnDrGZoPZKuw{gZ`M*@OLclmYS-w} zOm#y;7jMu&Nadi3OJaQ2UW&J~Y02hvh^~Oq4|qy(Sa>o|)J%U>%eTNE(VMqPGuwTg zwc8VeUa4>NEIor%N1Tw5Fiq<`1)2Kz&Z>%PC{M8o$wVF0*y)UtMv6*Q zEe2OcQBd5bWF^Ja-4_lP2Ft&45(SUv%J`|hr@Va_W&UBqxnVw0U1j@0;PFqvyzhT! z=%fSH562nwjYJMdIfO&a`zcL;ZTRYzy9c4E-;yvKG0b>`(q|fv;ALw~ym~5%vAmIm zm}R5tqF~;j@HgTO5k|juiJWA`i-mTB$O!VS(-HR|y`G*>NVO?d0rT`#<$`sUfqo1~ zf~&Ls_mv?clO#IUv>UVl5uBRiEQf<6Sj4k!nyC@F)QGr$;!E2|rCBnOY*ont0+>}_ zjLjW)A!My8* z$l4M?zE|arj?32E;-QeSm`{36_U+d%8dn8ZI-Wl`1kj>Qp77Bms_Z zio^Y5|8^N7EIZHRLH_D1Qen689x^h~!y__bEQt^MM#}(X-%BOQu*^Z0^wHuWWC=i|4RwMye7@NJUNuZ{$3a z?0!RbZcNbQPLL#$KHzS( zq8qSwTQh{M5MH-T1s<%VdfuHHdGz1)g8H>vGG85rxjm)PG@Z%{W{7T1W_33Ln_@6% zFm&?Jg*Is}kSL~Y2(0fVpLQe%h2(C+X#Y(3e3L)-;mbBkXCgKKrbo0v@m}l9Qlns`(f6~~ws%rc1N<6BZEecBsgs`uU!P)UM-$^Q8@eou z?_s>&i1@3{E5z~k6PT8xiY4Gl216E%cXg z2EPz!C}y8g`z`>bmTtvNq8tuq_1G$n*oyF^DTCj!kT*exT%T%WTd%(R zLxqKy0BYU+)kJ9EJIxe#XmIM+XN=u4JC;k0k@Z?YiqU5DzBJDl&?!UVsZR2`x`T`0 zJ03!uBf8H+_dJr-JgEtnl!}ZI6x_M@-$89V^;grU^bp-*Wkq@MselBN7MpF%B5<~Y zs?*rdPm5s+A^L7i2MQ!q7cEV1C2KLv-`TYc#$+8W;O=(yj6zYO(GZxgsG&dB_xgMe z)+K+LN@5SbN&@77yZ9#l?O&`zX7I>h;U@z%#1mO|2GQ`>=8-7B_a$xnwFT7tEv`#l za?Rk(Aw@VDsck08-?kP%t{1w;mUQQm9yS~$R^5?fOHz>0A$U}4h)FIsWnj6!g&KkjetXFE z?8R4oz}Q%96;z0??U-1?pD|I62gDS}S$cM8Sn`3VrF11pC(QG*D}@ zKQ=fdk|`j};0;TomNwA8d@J)D0~J57bL1$t${1lo(o5}J6QMklQVTpnBDP##;&);# zV11yFHIq2ffRcDFF)tczfP$N5W|%6DedJ8^b8#~?>0Cl8CORu^0UBJ+^>pD^DT~l@ z4f)3Uh9%e^Bc(Y@?kLpr**7mL@L+<68GPjWw#UVo5g~k8a4>Ph?kMYW z$#G}O{T)|@9#xK_m$p1*MFbLu8wjh=dkQI22!|auYO~%jvqzhJuRVNM9Iie$$vOzi zSQRr2Rx-@P{o@#!?*o2KrO#1I+$>~0nGg0E_U3t$;NROFn(@x9Kh^A};=2-{4cMhP z3>-u*a2ZkzeEd~M<;qZCX({LhU=0-+tY5Eb={yR^B0aoQ`-bbl*vnp?_9lUCaN%i? z)Q{Fxi!*{gX(imjlw*g`%;Y1_H2P- z6-{fO!p5(`Qm$7Bw2#iUf9?Ch5pdZhrK-TFv2aaao@D72C@$h;p$6g{vD#bTpx-8pMI6c4#=tD zrbRg3zD?`ed4f9#;$YxNVt0fI(a0BHX`&Lw>yJQ8E1>M5aE@vw%e&KM8k6!yhZ^|q zw&0K)PUkWaSl;A0Cnf=`LE9zK)r=Gf)ToHqq%(-8hhafR^4UMB1D+C}8`brOJHTYa zzyH$oMWrYVVJz_-{Y-)!&1f70wDQ2|$UAc0_nu%kQ3aJq#~lq|p5`R?^95%S7>hMY zmO2T3uUZsfbn5!%kCn@@(EFsM1Om`B?jWKnn%a%wGWy3a|UIP=53Sj9DY%gc{OSkTXnjV zS7t%^c5<~hq*#RvH18Y|&Jbo@z+4PndPSMS^?<((*P0myPmX%9RHVidzk)F<_%C(- z)Guw6EBM^6kYHtaVvzQ=5f}j5cFNx>R{_7;caF;IXx|wWmu-DJD_-{}^Q`!BG(TKV zU7TVLk1A&d@1wbJi(}Iv$VTBKXp<&`DPe<{AOui%{YExkxci*y9;48K7~Si#y>P|s z?%+f++*u0HZbeODIB(HS=n!y;sD073mP$G7&)%=CyH)6U?o%opY14yE#(R7`cezc6 zsJW_x9`hKfJb4}xK0w;@X8j3astH-lcxs5D{hA5g+*QCUpA)xDc+tx=Eht$wiX@;q z$2}n9O7Ysjyg$YB6O5kvh|CG?1q)-}oO&CI+I7aVEaLktnJu}E(yK+(mrk7{Q6Y0q5S+H2V?%~ zr0k?Becj)9=!Wb}HViO2D}J8_EJCv(L>=R4U%+Y-mybEd%S*4oG$K0 zK^iO%2~z!JVNPUHp~q9F^QOGUfk#!h0Z0?V~_3`jw4zNFWw~Why6LZ z=lkT|>S)Pl9nuFHplinw!j_&Kdt2Jk@QfyC!0m-WOT{iZ8jOE#+bHlI+f5!b& zC)(0S5Iw0%V~&2qRDfO6AkTt1g6?p4Ox5N?2msPc=$*_toZtRmbu#g2E#7|3o}*V?@r&{a^RLJC zR>ta7^}k0XQh@vRz-aT24q41>Gw))8sK||V20F;h-)&T`^8}@rx#L7$Np`4ASE(?V z>%rGQ0c5ow*}0M+`kf|3YOU;@rh%XFXp+dg%^MZgmEeXIQWmrPOqGL}2*#n! zr@?HnTQRX|A&!d`AOhL~e`nczK72GUG6bf}PNv#S%l1o77&Hd&cjg;Y3h6&y$*kEm zw!P$TEQy+lg}8mV!^z`^;!$(3dOEf^>~*40i&s;SC7p^P!&;XAOv%vR*h;tFsaxtZ?vK1%1Pf)g)AYWfxoY&qYk&>6FW6U-4HD z^K#tDG<9h4kbdA2BxuZKqq1JYgSzrj$k>2?xwpK;x^5@37Sn@nh4N{#p${lTE}H%H zFrXV9ZALNE(7OvMPz3O#7h_a`s&^5T?an8*BACyUs_v-WubJ9|J|)?%!0s^w83T;2 z^2bHRH?rJuDC^YxA1PnMLUQe7*kBXPvA8ygx-rBBHdg1lR59K~-4&Xsu`FK<#D;q7 zNwg5WS7*)KiS@wa*1T||`0Agqn=Fngq zFh@MZtj~SE3;K|`gi2js=ls!bHQRXC|`}SwOx&cz780aqS1c~MA%z+X>%!B0LoqP_*BRgC&J7E zhi8Z{6)b`Ke=3Gr-hIg!?ST6iS=_DsIZVz5qp6L!lfz_>FE*y({>+wwNm|YK)oBpU zZ8-IbDHp~NpFbGQf}$Oc%7teP_<=DwVeN3V6o@f^I+P+JaCy8S3F>vcGdk&z!1Z~C z6^@6&Z{=7Nz?8r~p(tLdJ&aIE_EhiAyO8GoPN4gY>U*pWdY-AeLt!htt!1< zhCX!XvtG{H@x zuPp%vpC~&f6|L~_P>3lG$|5O(J^Bf_AQ2+`dX#GFcxCWf?K@*P2n9YZ11AlA2@7f| z`W^(*Lq&>eMS$1IOsCzZF4uC?!NkDSf+RLxp(K; z>)%Sqgj$9WsEci`C-hoZso%S`lS*1;QhiAf!?Xa3aryfhB91UCPCe_>S5@5{ZH@lj ztS^NAY%bFPa&I!|i$2%?1!c!8O}fEYc!TO0kE_F0qz^*^o<4%Y%LEte^JVZ{ddrty z@*{x_A+a7ZnC3;vrD!cLRTh70U5j0vMIU%kZ!N5Xn1D-r8(e(-8!ROJE>-VUTG?wr z_^6T!;ovS8ecJko%HRu48Z+5)OKWXyEfouL)5aP>T$T+AAIDC;$lSUz9f6w00V1~p zsW-(8fn)-j_!cf2>`&{;_doFfr+o>{b85thM1SV~I$zkw%-GTB@XYT;-^aiH2KBbC z$3sx6xq%@?uWq5gi1cx)HFQT;_d>Hy$GBB;!?LA5H`5Y5AHM>d#cN%v3SBh{f_ux~ z5H_Ht;`+z@_whdckB2}V7BWl%x)0cbw-IfZ8f9fsj>Y@{X*KBewDmINNQ5KW8lu@H zk^DOl*@61}h&ujJrQC5HaDOTQL*b+WG%ZtC%$f#jO!e{P_2_`RsBS9W`D%~|{xASp z;Sqevpy}e3Q8DbJ$kw0*$EsGLmk+ zGDuZ>v;l#9Gow)e)BVieEu)^@8JUqOCH|l@OFf38&mX5FzEie)4K$ZN(j5g{k1_=V}fggB?h#w|!yL{eX0i1Tt;)AEzI|m^C~Y$lVRC zLdA!nh{AFGKxpmu7e|LK!JJWutG1KSUB^ZUf!+I$GX3k~KB`!}uU=X11GEL=gyOE5 zPICz`#m$V*{zMH9aO}9xdG$2oris|AmaV_G<_!c~XKb=l@0&ll`i%Nma;$zB9XWUb zd5dCt_j<5&Mw=030~hiho?a9&{l?&_Xlc(Iz(NfE_|3RRP7I}+%oGmdji2U!LNkL8 z>#p~}hxuX90-=sv$Q{5HhZ7(ykSC8U5JU$IBb%PwSpO_NgJ4+U|C>i>iZe#jePv|2 zR1-1^2N}5^j3g6ol{UM43@CgnBiG;=de!#NAebC+1Sxc!rDE)iF{^1wGIWF5okOeo_o5v+Tui*> z?37Bq77;)G)5e3m)wzdceJK0zm$asu9S}JyN3=c~PoE z0mc#$AYdx-lvCxX9X6YE#@p7gsuF%0^*4Sq1FRQ#+zBR2;j%Az1lxqbmQBb!F0H;P zV-ivs9^((3)Vc8roNeBP%sx&ymFUxMGi6JdW)uzBVnBjj13~Gf51{B(M&>+@x1pjp z3ugVU*iom&mlIrPX4j&7d<;p_D+cFE^BtJX948S4{c-7fk|}!;OB~dt8%q01Hd{5? z`Ws6uBy7m0_cPOvKW|`59CV2}T2trrK?MYAF9l8zsXD1W?v{&N@6KycgS zp*6^b8G)~vY9Do`v5NIjY`EfeI?Oj;%D)D}+}DK%&}MC%?c(}^AiRTHv5wn#>s{+ zlA+-o+Z5Yg_=t*?ygzQbExmg9@3yIq!TbB3@OxU}CYgvgKnJn~F8dXf4mYLf2-2#p zeck+iRdwtrA0%QhfUf4TZ(`*u27LZ}Pv9fXu90e}cLDZ>eAu2LB13q27iElYw{V>M zZ2i#@0Tw)^;2wPZyGwV-0l)+ zz&;`8i>CvdQyeL;Y@RRYuYp*KbHO1y5XM9ZUa;YrGBfbp6z5q0D4o>?-ZK0gZ_BF2 z{7&?$7&e43$dcf}keVjbdQeYINwvd^Sa~7CA$W2Xjg9c#C1xY6w z()GJm)D+#on)L&F+}BaSJOFF%Cp(shyK}M4g#Eij!|=Vm3oqK^-g;2!K4d1?uq4-b zG$n)pCPUOcXGVnRv-ogH^|(_P*p>w2F&**(SXlv>Mqsx6HzztEMYVVpV_joKZx}QQ)|kTU_=mkq@|y+RI)U_6Z;Jgh*Ch^bbN!p! zdo7OYOW}rU&AxF9$;$E`ZSwC;2~Oqm_Gi5($T)=|bVK?bMdO&F0*?ZrX)`&?NmquO*QsfS#v>9UD3`^Kd5Z0uSiTxsGkF z1Wm$da3C0=Pa%q-jj#;iip@WpvN(cSGNrzV4RDq=RkB^tr(%Wtj z>+P@JYoD@|KF+Hv&@q5?LH27O(W+0%F+6VhX9oMF!*_39>_jyaoUFP!#?l7+F-u z-r~dJdpH2}5{>8omEeDa!BWlLS16{q$l7*iy7ZHbgAnC37`cKR?oB`pGb3MjgpZ{1D;!dqrs1J0@<^SUzwsFu?3hK59$2FO*`cA z1;bvMDu4c)Pa~roo&TGWK}Sy<4>jU@kAxU)@*BNp;>u%*e&2|t$aXtK+Fw18w$3Ln zQzpY*C&zi3j-7VRR@{67lU~H{CP5XV<^tg9w{tySz{2d*j5dH1Pj^8BOE>t4GB}g; z-%uN1<{E@rfP&34guS6NCQ9!}y6FAPGx%9ylo#hhygG1g7?>-}7+iois2yUE()ju{ zF)7+$itN)tK9{Qz?GT|aN{S>Be&$2;0mxZM6ObSgBUYG&sWwp51*Lj1n9@%Uj&Zc> zHB=&b$TkK?hnNrj#)Uz%jP&MP8+;7!ye?kkB(vU$bhrTs6EK%YR}9?tm@>v)NJ~MS zm_+F=rxaJSoh2g1yf8VC>bX6RNmc2KT??)k*>IOicxtoBd*Cb`pEIQ$aO?%>uQ0)G z-;Vd*zdYrnimv&iwQT|}!2Ac{y_x<#iu&8Hk(Q$6Vn( z@OxX9(oI6yxg%h!87|*+#xM}FwT?5KuMl|d%VQ=Eknka2C*xg8IXeXUm*wjNzLOuc zc?+wb_ZV3DPHYVLF9_ayjiz5^mA8RqP!tH-eAMztp5Ew(7a6Z&VMsCNrE) z&?vKJUo4}pr#3@PvnLuJ>iG*#Xdg8?Sk$;0p958gSCMS*)zQ`DQ=|C{8Am%F`YKyF z&j&Od*1mrXG*NY5D~loI23Xno$%@+7=y2kk-N z@(I2jr0p*%{sfCI1SC@%+0T~*m}5+ZZ;>x!VKbXn+eg0-b~)H{Z6>yKK=TTyd=FGN zFR3U1#0P(Rof9)?akAiA$4kP_hluvHm<9>V7gWtR`R1t>M<)cfPvZKoI@UvM_BZ!` zUL{w;!DuNl5V90{Y0LGbxP}@Y$=Ba0l7(r6s%iax>4DWeo8i{2I~;p&l#N`Pp^@-C zO84f5dj10~#~r2&6|j-VMaw5&a>n@623SGB*3w^&i-An}iovwGz#nvoreyh7=!~(a zBNrF05|TUS%_kSVudi#h0g-uuIRuMi1<=h!VX?(uJ+S~i zcWgt?^xB^7y6WrQTmpw`y`q76Zz0ybA07wk=GCa@xuoZW|t@``|zZC;K{!NPIk2MA!n6iwY|u55N$3M!fKIX9zyjAgPEm zpzZOX1(3IrknVFVb&83CVN({10b-1ZEBYtU_x(29R7!PsngP*=3pR7zgHLD|`=4mM zu9&s4ri;3?P0SqXJEcRc5W4c0?JCP26Yhsaudcso^ilXe;qlN(C5lz?yz47`-Km;v zjff3)8h-M;5Lb{XRX8aE$a1`hQlmHf4ZWx^U_{8qoz6s;zW_4XXGI^Rw4?;$9XknY z;jsf^xT^AtAnssS_Trv^GET8e_<^BCMU zyfI0R_Blr@nSkb3gg$yZ*J!ePY5~E^o9{XuFK&p$&$LhM%<3`t#6bm_In`jeR|()E=9cKcfx02gw{2(D~#}HdZv}rH)C0; zc~KoLBwJP2Iim4m>PW~{CIOOl;@r=Md0ZNl$du^ADOl){62<>xFGo|QvYA%}nDAKA z3v^m@q-CYT=_(NBVv4VFka9;?<+*}MR>7s0BgUXJ#~^+aQbWyZB6aSj=s$QDl#|PT z!GSrC?JxhjJi&qr&vPXY{dO8@a_O!%mkuduG7L4>XLsN!&>506RPKv>g=evK%dels zkL4v0x2Re{u=gZfM5AFrb<&%1_*1K_!S5mmo^5Id?#Gy_9)9PRRgc#Aq$-9(Ln#>c zP#DtuMu~$^h~L*8XQPiI{;RTLHOxQh$=lXb;DlK+{n|gF3)%$AEjdBCk)eGlpXkS+ z>^dJ%yde}isfsc{l-|yAsmu1W{=7vZ+v-M%qhNC#^Sf7GJ*Zs$ZvwFVAns^GmOI0U z=cafBt7c5LDI7#wtNQGlj>Vr1-WgRq#Y2s`${-Ra)COjzPYCwLphpcDPV=0v``q`B zFg72nT==Eg>=7Hi9RpXx(RD$;TFGC>IL`2=KYgDHM?}jEg6vAw7x5OTUWj8$Q%*7} z0agY@XpS*{W?q^I5E*$jyoxk-&z3Ts%m3YnCb=8YY*4_9+4m(Wy~N#1Aij2*7r`Hz zw6;P$Oo}OjgE%EWab!s|JsAWwbp{DJNrBazzQdD01zP8g@2cB;m^i+tav6iJRB~Z~ zleZS>4LQNR%mm4hRa3r_v9zc5HCW6PE|SF`PJ?Ms%`?1cUW{2{#5wklbrQPrq2v-6 z&t{naXdE~FV%-a}A>1E${`}oj%*twDA`YG>s7Og*{;^&iCM);+10c^U9NQ1tehTj5 zaSG2xBboW+TRtPD4ZKg6eAnA$M&aAtQDG2n_o~JplMRJF2Ch|oUgSQ3)(86a9j+xd zi=yg{5NC&Zh(SWuXxuX3J1@}@b z0BSg4V`X+@!BV2Y88Dc#XQn^{%iyxJ7HtYh&wGnLlSoSBbZ%VaNRG+`j__!JSLMc1 z+N7KE^zosavkr$r*)>`}5Cp^LF{lFi-3P+Pz5wZYA;NE2ThaHN2hCWI3O~>zN})cn zxNKS!B(?DVdZM={#_sK`988-#{w9|h{7+<{B!3>vKhC{uhFhN5=!!%SY70gqK6f-u zWK{dR(HBa8Plbb3(Be-MUN-dRr2lErDEB8gSq@LKvrJo-{S1zezpmhqYdRh+Fw?hg zZmP`0hXhKqX|Z77b^Tcw(+>-VUss*U{^F`j zT@7bj$@#sN#E_|9?i6+t^J`9!e>QgMVCDVtg67VJ2K@`BCVBiu_@G;hUE@-R*^n_b z%kvcj?6Y}yoY}JaizM661)j&Haf6_jJV}DbYP!IW{#4HdB#?Fq>eNeJ+Ryz(N`GCR zK_p;4#iQoj(JV}xDAp+Ef13Zs{TC;*GwUxF9VZpvw1BMGY9%Fs^~(O#>%9XzLx42I zmX-6h*AAVNmrwycf2?f%sQVW0;s%jpH!>wS!Ai`K%QJXYTM5eJ5m=hJV-TdnQ13oU zmSHSX!xn1-%~CZz+6Kdtbx>c5152NYN3md3#5gG zB*6kBX9!rJBVS&4nO#>(6k;g=ft=viBqn{@Wg8%qT-DxiI171Z<*24~f`5MsJ|m+0 z6%LrNmK%?{ETB6ap2$${i%E5RI0kn_+7sO#gHVP9kvu$q#|ZQ7u7OV%x34mx6L-_o zwPHyF6eOd2!5gjxjKG4{L1tR_*dDXV!Zwu+k&kP za$y7u1z8dzYC<8C-F)ew3MqIhBQW3X&Nl1g69x(RPi8LClOk)HQ6>OHEE@ZPEK8yw z&IAZEQyiXdzEqF|E<}+LP?mtlhe4+B|6hs;Mn6@O(W7^}kGL8w#&54&W;>bUNOimS zIksf|748NJA7tu8K%#;We=|%kj=ZH3d5;Z!I4VSIXov%mP; zUzPK6JTdTRuS#gZ1yY$qmh@o4r(#e>EY12eu}&Ts&r!4(6eRrxM5Xq>^fDi%f#5*wx( z(|Fv}|IVcG+$Nlx<0Mvk5+!D>N)ZeZ)(KF`W@Zf-01gUk@25M?9r-zij@ffDQ_SW_F6J;SWCKgfNoBmg)X_!11pvx{VPQo|>D``8>XZ>HYPtcYN_~^XOlm%V)yUGI6;p z6oK{~W(S&oW@gP;YofD5!A_x2_Q!8ex?sQuhOxf?eh_viNp~tOo--|MC6?>Bi1Vf^vE5~yqW#&CoxwM z%cZaw9mpIfJQH-j93sEAe8@vy%hu7?$;Qc0tKKeT-%EY1%W|wv5tTR6&1KGZ&iv=* z@(uHfiendO&TOeJkobbb?^pO8Y}5aV0YLatjg&|!o9tioVpYI{i*#e{rjSo)cs&-+ zKEC%$3dx>JuAVt&WTeGV$Hi>X@s@r1jzTRH7W`J_&o^d>1AxKTA;x1DKFXnM>SoH> zM~<;P!mX0vAE^`vfA$sm57FzT5~JecF?Uh4eQ81XSC5YM__@lyRpvoZ6lAjm{<>Zc z$rg!;i4o6@ak;ky4_#Ru)?^YD$1y$k?!zdT=L)rFJC4YpOMOUoZ3Nm zH$1jAf~T>LU>Mq!rfM~_?!qFG_N^`}0jUG(i)tJ@Gf5^gMLahZ3PnmM4k;%-SN5i= znH|MYe*=KiL)AttaKUYSkq8q;j}Vc$TDgBg&HfP^`qhCrHSV+<<5Kt=eELp9&jj^F z3r={@2Cq)Vg|JjZ-JbS7n)dz1X9GoI@a$Lm^7)0W@k@|WieU^X6V{9_#=h&8Xp-YL zYFR>JqBzi0CpCaJ>VRs0a}?C?viJ}MFK}GJ6Xxedd}v`65*MuVXw*7M6TEZ5IE#fO z32P;P&io!h@E)K26&)1g*K=inzbidmZ&9wT6&kq}^pZ?s8{D)6&vJ}boqMtEjN`(X zPfu)o^2t70g1Dii_iKQo@jf`@4NJHpk6n?Vl3j6Wm5|jZJMvi*)05SKdhd}T^aISh z4EUk-Lj%0afM>)@s`J^%Jz)_aDvao7=EyG`_ z)+yp;G3^f=#jg+y>~r&5t*akY%HU!yU*=w1y#p^!nyCVtv!iUryDul|X<=7tX$qaw&;gc zuE`fO-XJ#2rK}{cn1!_1G3}sur@*#_l-J5~zqS^hAB%*bk4@3zd-wiH61uA(s-8i;6OwpR zQ~Hs%CiF}2iw?i$stvJuYX`wvX81|-gYwDO+xy|3N*Yu7U{MN(%bUOZ#|>*>I;`1~ zV>29%mBaXvo0<8oyUw{(=mi5G>02Pm`bfpXBpEVMl1C4_JBZZMh19yDYztk7haOFI zJ_zFNUEr(<@f?K=1@Pc$Lu*4Mh$fzyv-SiRIHF)+4Pjqk*`_nAbPe%lD%piW-*(bA z7HK(CGyeQEeD#VY6>iVEef2`o0VR&}s{{7AW%3dSOqp|m&zlVMr7O6%PDrpjLh-O2-o0JpPmZ#XsZxXIXw5qvfJ8nV5=m74 zI^(HZx05oUSqh?Dyd%49H*MY7XrxSQqvWC%=X5|3bl67W)9TZH{=!;{d<}m2ygV`r zuG4P@JS`rm|AI${RVNC4(4n}S&1qY>5@4?#oLkjb;Q91~r_9HUwy5#^1Ln313)+h( zH+dv;%sVRiq&+l_%H}K}Fcjea%tr>wr&Y$u(>}5MWTO#C8?y^W+yAP+8PZM_C_NaN z11~%IWd5+VJn%X9G^0cCs3xxe8$2i5r07b)UVo7`s(zkH2K`Tpm#NobI2i!y)TotU*c$^hx&;>*h)A!jUpF=(?l^m~_mGI?xNbB4&v| zlj2s2!KF02q6At2Tn6S+i zzCFtCBWDR$N{QfrPc3;$p1UI!lTxtV-;;4skUqQYqI5j}NklGO>5FV$k^F9SiWr$$ z$;nw_0Cx$8W#LCclRA4CpO<}6jQ*KLre6~$YaGUY5LuSkQ=R(NfdC03J{aBs90x`m z27X_f6KCuP8EM!ycbw43XnkAc4!^~R|K%<8h@@}%YAol^@Xu*PpFPo-ChLw?)@W=ln2jCF-1nM=UddXm~S1cSORI5(E8{4r!3l(t|trMZfu3o zl)Qnho;EDRr0jNdwu~>`C8|_fUlqIWB2Jz-TVGYTI(np}s8u}Gfi#cBrY)}~K=P|P zX>In>^A?&22_yiE(&KhjD-@A89ikb&b!3WmP zL@E@$r*#g&-xKm>iu4Ce4OAPeo^sI@%GiHrV9JP-oBPlqF8AEgt1`_d5AzLE_yF_} zm4)-IyfWz|v@u3hg{c_3!W-@0GMdXtSC5EC;OP2`Xxeh>^|AArIp6I!oNjH4P>3HC zAC`)|P96}2n+Jo?n9v|eU{joL@cHOdl3Z=4;Wn4|Xx$)Dk6$3f+O2>g3lRIv^nj{V z5GeysMpbcWDIaI@0Z)-P0Fp7h5sZGOf5Cp?-KHAZ+iTw|$mA-~E{SWDdW=;DL zY9F%k2ssJS@BoQiXNTOa$``J^V|^=PLi&2~6$E5fID*r0l>d-e z_qtz^<(=92Z-Lpj$n|%tg8e+ikE56Gg750~e|_Qgx=Y?K@qnLs!o&S^RN9dkpl?*a zJ6CoIYg0^8Sz~2{;^;!yp9P^=RBOw-{`1&E7ntjDg&#`iwLuZ4tWoP~JK8LO z#uv{k*PNttktL7?$n4l}zs`HrkCZTbC|-6@)3T!B2WRtnZNOl;UyS``RJM)YPPj^dxoV5G~i zgI#%iSR>-l4OTimt`-Ix>OJ8_s~L$wE=#v7viL7w5JoNjT9(y6(sF5ef#0#?af2e3 z3W?J!Pb~J;S|=wh)t{;cN1et81@u7j+U_VNB5;IO)2NPQJct|P%NXAMmqrngBJ5rE z+%^@&*Oma!ABQKEAVhI_jLL6sG<(hqO8!=^tKl1A!w@Y*2GY#JG@<8@O*t=N-`l9# zk{YuRBnnvheO6VCMJe7tdroXXNaD>s?0>$yyr1w5d;-Bxj@5@4Ho7b1zKwb z{mU^Xhg}kd(kl5#e!-F3gM!hv;Fe8PMZWYjYsXPF@2t|%;%#{h#0YozZ1yK4-PQ7B z_VWu_`GV;^s8^IwiZhjx(Y(P>K-%9cg`8WmR{7U;uF{8~Gt>aBPkDtab#Fp7#?XEfJM^s&FZJ2!pE%NYsnzB}zJG8ls>osM z_)6QmcT?LJ6ecI-(YO}2cC3XuynnEl<-c?5kz;$n50SX+>>fUwXr<2b&k7B@75?n- zb_sVp3Od!=QqoP%sQXnKV|tL0tl<#}{ZL^M`6~oP1_P2bpKt_^KwiRUoh>%Q%{5xh ztZySggj9=6%Ic+U$N4rou%oKx0CP<#rL#|s5E49-bn8U_Q36aaysY6`OM~wu*cB$z zaf-GZ5{Iar44dbZTedb#nJgKuCseF;k@e;J&fuRH>JRbU0VMzGM{Yw6pEG| zCvjql&EdsWW%j=ZFzpkbT=xXSJ&dFeTinggEV#4zJ|;SDR!02YcfFZUt}!1%!~FEk zL`N1Bj=4bvntBD3mvbl96}PDZ=z7~sg~Szb3h0{Ls*C^9SRqr?tv<)ft!sSUxIe5V zjv$ccBXBdw_YFO01qk6ae?LvK-bn5Rw~*#0@C&3$-r(Rwn)#`l8G|6&32N|`MC^QT#I z`xh4;#_$x1y;)4bkkPv5UI!cx;VRCYekrOC6--_OhbVf3$wiSWSVSf-4n( z&bsP0ZuR!}YrJ2d$4Uk1Fkh^?yFQdbrSpV=4v0SV4-u~@d@!;#_P`k8dJo$Hg}Xr>>r^`Wx=HDY-Ex1=)Tj*->N zz+Zi_Z~`8KbxUZu%NZ1XfG?*Z5ZWVKhLhIv1^p%j*~r+X6f?9VZwyJAJfhwO4 z4MyEr7Zq<}Cqyzu2depOc!mAk$;Tg-T`kut$oB;iWneR$=M`UU2Ih7&9$ovZtn(TW zehNq`+G%pv29@&kNZr`(&iKw$G6-US1`Uq>T7T|xO0?Wghg@tDxuIx=$LdBQybXP1 z`S6N2!|O?G2(S_`Mx+Q(^V-4IYUZ3*c~bu&%k68m$VkgHP+lXn#LXot&39R3g!X}o zyV1pm`Ea+*{6(7;7?DJGo$0fBz9_h45(x}*8_W)ShnoDf+~)ivIg#!&6g z*5AXI3>hoIbw7Ovi>Y~u``YLd@r}Pss>@@Q<7!j#?6x`QD)-g@EG!PlyefC72IsEe zr>3c?=5B9EfqMajZt6A0O2$JmCEk0V%FEN0rujnw1|A35|4^{*Jc1YhF>yX5-_Atx z?LZjK|6TBCUJzx6kAXsiQI1b08D43lS&$#xIk8%1+;47y!!=Yt1UCr=C#OP&I1x~; zV6cV01;E(_9~=T%q&TL6yKuPJxnL_r!L>_-bom&EzhZ{#=cB2=$gZ{IUGt1QZoSz=>FN)W^ zdB<^^jrVO{*t3wR|DcFaKbEWKQj#`23z$$MX*T&&=@Fj4G{vJN^@ZuX_jA%%@8ICi z(b_Us8w=uy?8WU0>-xwWjb_P%(WXrpamP|lQ?@%RX#@!uvOYS=#S{$8t4AYKV^v<` zK;H7SNb8?Wssb7uBwl82$+D8Ni1ZunJ6RT}3>pny9xApytRVX|UNMkjaDmkpF8u(T z%P!PhXD9+Lz}Opmv{u6HUT^mJ+yYUJ7x%{;i3VIO*okTD)m#N8Nkb`*fQ#C$eiW0O zUoJ>A3Sn&ZRvj=Lb2sV%n#gWF1tP|D?CxCom}c*hq3F_PW_x*ezu+-pfe{b%PZIDgnd+U%Sc#rZLKiD<1%PWjOjri#@eji25 z_oSyBIuU*#gWk%YnAVK^9b;5G57T|%jdjXc1kT3B0Ee~9_ztJ-VflurZ^A1@S z&{J$nw{D?}AeC#KC$|9v`P_Vp$B#YvbF9UOj9j45x6XtGl}EK3tG>{F#u3N~xUgB| z=N+VTapGs%CQyA5nz#3@+)VUmxFL(H%}M(f!1|JcmQ< zwcyod#v!HV`uR>fg|_F%d5v(Hg7EQcY-+DV2Y|121;#tRnNEOxPHHK7O12`}X)84= z_Y6PoWJDzM1lCMpb&@!bD(fb-Gd~^CN6Rd1>wq|y60M!u<94m!dRat3QY|Y=8E&Ds zHcIkc@F5&Bk&d!WoRNV>{C;X)vzU_&5Rr_tzQI*#4<$en1Li^t-WB}AN}@PKJ#a(= zfgQ2{!m8ejUghBvwBd}n{U9C14r9BXdmPeaxj`3#&JO6t&AKzsALF$C5#!CeHD!b| zVPE;7T`^lGF2EHVeEC3biT1#5se}{cvZ*Ua0MI^k zTgv8z@&ZXZM0&Gr=E)Dcsw}@(3|yA+f$4~U4$yj@_fwO@L=47O13FoedtX$9E4B!5 z53KY?J@&f7B5mhAnC?W}nT7^s6)=R^ur-8cq_gr~;DC8F0tJo6@~|8Y&YVq0JOJfG zw-o~4aX83-IxQ76Vn6XyCJAz1j}JST{tQ#1&s%?GDgC}? zd$+BqM6&I9Rz_b{;5|6G7!T6gRp1pEy7ZbpFUI!fb2UKr>Z;Fwb@WHEf)cd3JSLE}VVhi_IrC-!_7Uu9exOzrrI)iGuDJ0KeP zRt2W1FN;7(yuY+{*Za=|nULt~UreU}7t z@noztbotBY9=)SiQ%n&1QLOBRy`WxudO6KgYe4?VV?ZWP*O2+)W<;`7@ASkuEZ zfgz)harTK0g8uGIbFN&*xEVn&i_@ux+b*`Kqw?Ay4DVg?XDq z*f?T%&-w`s4~H)fjmdyIV)W+^PA#2A7)225HD3AoyGL2obeRJ}% z42Wih>oH|-H;r_nmpQM3z9SQ|u>ZsNmMHS6c3DEjLC@k?BTF`9*?gv@U5Kd5cff6_ zi$RdT$yx;hfiM;=t3el*nG zr>utoP!K(W+9rAX#`|c5iVM7e6RKb~{gdIo+ke6toN4VG^QawzXD2Y!&9%uG;rxi0 z`^gJ*Fu^Yp<{Oj#S!ODW>S9hty&fU{6ejLIjjj(Hk%|&-tQJxDM>W(#zhwI>r9D56 zJ>mgqdsOk{iDLu!#e5*-N{@D%-S>Yg%1AFSlb?^u#)(5lo#|GBhBdZv#KT}9KU8lgSR^2m_4p~y7*|ha2eZm z;@Wp!c{4B?etUF*$(aW*yHr{VQ@V+6&?@M^giN!obiv6qV-Jfb@ zmR}q0k8=zhtxOA0a)INazkeJ~kpCSjbXH9ukNNGiKCtF2+>3%D>fw4eftN$Nqi@NmtPTD`)$4g9b(-I0gC>IMEAmagGLhwh#6WY zH|y7{se14jD0!g4R+?2eaCA~58MnasF{fBudPbcLSyHk2X2+RJEBWh^oJkQr?KN*}@OD<1 zq1@ON5T>kyMyZ_B;|zz6HG1fQ$LDg)+v~mpg^g+H)*L^}S{~@&t?y|hfKn8X`k-d< zJPj{z`(l64A)pJ^c!YNvSSB(4>WaPmJfxN9& zb>P}jWpm(vr$kDsYL7AlTndDtS+O4b>qL2}9lZ%e94Ms+ z_e%8Wm&gNZU$s}WAg-2NSfFU6$q1!${DrWN8jn79JVh&VWm8Y~ZY_ZUgX-73y!O@h z_>`8s{ZrQL8^zegB5XF+tXnJ4dspv93-50uT!@>I<;}yZqeX`Lr8+U|VZ|P?d6=~n z*-~EmKi>nPyC}->KZK4EE+RlJLD*|ksjqIxA1f(;{Sw3!p8HEV?A4`7T4%k0g+McV<#U2s4)&Bk9TVC znh}?r2!Oq3=D|9Sb1R9zt84#kP7KM z!j2~8?P{#=WYXzfJmxj@y1e5PIql?sNooccOEkq5h z<=O6Nl0heF>URX17#^w}Bh<0?!PlH-K@2pp$N$R5pyFCmnn!5PPvYQ-a9$*9(N9(& z+NU5?C$MgalO-X2sP;lYd)&T2+xQc)ZCX@f;z>Rj?440}dz# zgZZ7Frs?M=I;cflJq~NYzb8B%oB!Ok?5Z+ElBP{8{#?I~ITbepvLLkd;s$fTD3fcn z`bp^PQ$;%N&DznzA=kiH?a{DZx7Eq7==Y$aZMjhn|=0tRtkR z!%GDT4n2mSR_yGKRlZUVd5yU%FT`Fn&V}wt6U^eq!~bKE z+1cp5dy%G&gu|uG%@5Ak2nDLxnjgip?ZVpS27>sFR8{tsJlSP2^JXO%gd5SXh;bI& zG(F?bBTwtEbSI5i@@u?&wVJQ3wTe<9nx?d5=LcYRK8ABe8tzSdib8D=u|~RXXSmgw zLfZkegK~%wu3>7ul_EB-$Ep|m6SvUSAOyp3!6QRTS|Q};Y;k?y+r0`Y8fQ=|#df|@ z)_(xgkuf6AU#x?2MA9CxD#p=4GrUm8fyT*$9)bj*2mEKwvF8N+oc2Wzv;RYxkIr-T zE%U+*2FZSn6C3raBxFMqXfn+}9+Z<)NjX{t4crEwX1bKIru57I&SGDPh=@R^jENG8 zYJ4qJ%A<1Y%cr$oSXK0OH5D&Sc4}a?)+e<7lKLW_OBA#>l!s?-YrB-eXHuwE{D%fS zE*OIz=OTsTB~)c?hIXtP{4P?=^Y{mm2Jw+PkKxNrpzw>?v8`V6nIs+9lQ*T$%k+jZ z^L1kmOAXu{*BeSA#ce=q>L{t#6BjY-;lVatUJoSJl915ISN-9%Pwh$7DGLDi7Lb zZ<*6K3*#LCaYo*k#J1Je{)avde#-Oxd5>g$3>0GsK{oT{2BkYDlz|45Ph3i~CKcZa zP**^07Jlk&a6kL=G&x*dTqa~W0vA9wwU^y1pY}oe z%S&L1TaWgEg6Vx;dm71F@YNpybB?emkq{xOh~Z+oFLACKnpDqDSeyQ8Ege21QjAd@ z;KYKv>wvc`U39$C6L9x+pwZJOdT6VctHHMSTkQw8g>A=0j5UJ&S5xluGAizPXM-EZ zQ_mVt;0Ps<`}5XUqM;0pA*^m?QOx?I?4IFduPq0A^YPR$l9`G?5zlbbiKbI4lg&fiq@%xBOHw7JiNL3_$ zF4h213=I+KHA-e_Q{_*Lf7wKJ#U9VL3}RW&{!(hsz;7<&8qvU|m=~S*UTf$r8}eLw zX**$uxz1vM{kLAf$TGh7=5DRncaH?Ve#8F1SbhvYdurEO%l`HKeOB0R-!Vnh&EVGi z(!dS>_W3SJo4<(cV7=uIKs3}mlfMtRxVd*&4KZi9x1Dbo7P_<4y5_+rJ}N#yO>>Kk zZAK>BdOT7ixgGsgP6EF7%x*s^=W-~LN06I8HSc{LNyO`FZ9{k-dTmV=o(<2*hx1H6 z>^109&DS!!6&x_vCxlfvO1W5=ZCIX-YQB`x=C-ypIBfai29= z?3Is34tS6^o9m$_8_77An?7JiCbL8%%-Ad;2%D!Gw|{o7Ck(bI_|uqIW_8~fZEs~6 zgzcbq6YtWXEKk(()QO1I-efXnJ`UkDtl2UA$j9|46<1Oq4qjlD^4141`DRsYEzvch zIP5)g&`6T)j5d+L$Ah(O&~Ozljq^eOo(+llBed2BVE0O+&35%CMn&66SesowQONMZAyfpSIYpvCx$#@rNlHy)4%%`nf zbhfT{HgPzdeqIqX@s7h;WNgzaZRl`!xatV$yfIvvWA#APDvphHPwz<=LM)Gx;mtAVq3`Pj!W4dRA|u=;#|oStHRQPi z$!as*PzbhSu6LSd1#36LfM$rSkD(#}Ct;$Ozz$WuBaFyc>EECn2>=duM!i!Ep(3^e zNQ7cDID+Xe+NkLj+w_V$`eSph`H2rZ!D$ooS`c0*CAN*0L_4)2N&aLbdnfJ?Vfb68 zI<}=^80pJL#OZSdAHS1aa@E(EVUB*?x#w2Ki8$(>>`!y?h@qay{M_$pM>IA5^u^9w zGso%%%a1|{Rck|NT>?pZ`upA&o04V0uUqM^pTeCwCZE{b5ju0pO4n?Ik}amC?6p1w?%Q6MmcQSCCe$dd$4HY`QPG zKW@ILCj6vR^m_dpFNAt<&NsV%5;eZC|cm(6u57Q{l!huWCocig20$a`d`}?N1po~?#h%PAz z9T}emulN%(f4XUdWs9)Kg)s=LQ;~{Q*t?ImDwz4Vd0F|6GcB(1T7`Q;uRPejmf5!g z&%2MMg+_`!Wo+$tzcAsA9{m8N9#0L;N;4lLgTxPPN(1)n+x=6v(R12ZwaJ6yUgn!= z18^doF|gxURwfE& zPdMI@x0dxqJE>tTKn$cI;H#a*vz6{rp1dA7NU;$Vioxwe}O|UNj-x&FjJ_v6b&X&lILRY@FuoK0UOWYg_LG|0NQ(5 z=_Z1mw^;=AFIxhSQ8}SEWd$9I#ym{J)>Oe zq-@g^KI=pmWu>|;F62}t%?TR6nW}A;G)F33z}NhYIf`u?#h2WRUewBO>Az5ZFD-88 zo5A)Z4MSMJXFBH;R5YBZjDYY$aW=bY#AS0fbdn@!mYJUG&+A{B#%)r_UH5{L^xn46 zj4DAjnQZ|`|I1pDT%{IRgqKtQB9bOk7Z;B0545yF!qoLwd9nYWK73Jr+o1*;yjY98J>r=+g?#P7{bMQ-rrxAEpi z>>=u8)8(#Kxbk~6CrqL7E1SYmmUiwh_NBib-Kn#sZ~Jj1SW@LTR3)Yg9;KpWVSs|w za**7pz9WJNqAu#@eP*e z>La%F%~i{I!5=V1Uw)=59fJ2<$grK{y9x0n8!24VuPAIQGk5{8J_lyiW}zco%b=Pp z+yI_CXTS}!38Zx?B=tOJ{gIK3x?`$?{kqf2U0CjmJVJZ@!vYD<0Q6Y=xBPF2U5nXF zAPeAI&+6aDoLf|-o;FF(GrMLPmjS6oLyfm$ljevc8Hwee|6UG zp4WfZ!CY3U*H+0uNebe|fRb$3Dw}xv@!=|WEHdGQMDka`uc}dXgJh$Dy|G>tEjNWe;VVcgr>In=jHPGysZ2{9_1#*T5auJMf37lIuV)Ah^8^xnh zvVUh@{nR=4hsG^g8Yy#nvH!4oExMG&x4CKDteu&2c&Et$)Ut^qN7*bj`+9e$M}zv$ zed&Q(_2P&ji9V|^;0zQ^4rLM1nLg|L^Cs+1X>Z(L8wfq=|1^Z=e0G=Fd{0%YU(REeJ9vnbi1IF{j9Qd4VDup&p

g{Hyq8;pLs&t!BUw*}3AiO+=$dvKQg&A0jWQMIGz395)dI7EK%67h{=F8F%{ zjD!jNo!U|dkzh#xe}?R&%#NL#cx!Lg7X$-80f{g{ZXcK-!-DnDtc))XW}9kky1F22 zsz=)z#6O|jmG?yQQ*kp7^{>ninC5@AD)}QjycOr8o^h&<^p`lKDzu*&OqcVS>~C2W zwH^W!;q9rW6PDlF{Q!qSM0b5bm{~qe7v%}5#j@GlB5xK?L{Q!*Q_^aXDCvz1c$BXgT??1+Frj85$VKBIruFK0*x}$m=qtYoXkB~w_ zGOUqW3tGB}WDr{Wq~%jIz?bB`#{jui7E!C7!OJ%?wc~pfK+vepI&;xR5)%?MoA|r9 z=zM2B_4pd+=W2LW`pe%xTV+V}eP~lP_otv)8@nB({y#b)t$UhkZtFJR!l?+I}B`Z{jxFYe9C;jx6}S7EJ; z3bVF3AI|B3<8E`l4KyPqpaYrdcW3I*R)=U`@lrQZcJS={!Mo!oko{Dj$vIllcvfv> zGA3uC-Xnd)&IY>(8aMb)|A~E^<;d$Ufi(fY@r)>j$1hL%^GB#~69njhuVvoU&Eifn zYUVlgqWmZ*UQ}?#0AfGA35IzgnqZ=Q42^th<$-60y1!^R_kR>af?#D)UxxvQF-v}x zSSt0L&d4Hc+0e`y$U}^K*KBPuXCyPNgq)nUOl`npn7JEZ_vcdrI}#B zfnO-=&DzUct*8?jk5ABiMqn~-a<9{o+^!^PW}8}JR#9FQmV>wZ6-KZ1p}VO zEP{;EXjjdQt}6Z1lVvDdWva67g9PnJE(*(EUcE#VkH1qP0I2k_K!!z8N|#sx6U|}> zEuuK6mG+p+%X=1-;0ECT#XIzS$pWgXrMv^ZVgv;IqD;ocOZeTF2ux-goXt&7Z~EA2 ze%FYC9M-+x1DiI1vq1fK--7sH$;UN<(t4bpw0JIQGF_EBd6{DK+5fZiH0uN)O4|kh zc3cP(g$m;o)ldTtn>-wf+yGU70{(0X$fha^JTm$>(u9iPET2<>-pPm0{HKJm&A#5(`Wnb9t5okGD>N8}W*2JppZ` zvqBdhkxrLz`Hry_!0lJ1>_C;C6GWf||C$#r(9Vv##oT%FxV-ZdwM|>ka1myyIlQLbg)5Oy+ zUmb3_`UOK7IlOp-Sv;@kX5<0jNHv521H8h4juABtsSS!Pr*hEK-)}9^7|q5@^uC~N zz)pE%8t0P!2!CKDo~AeXJ7p4=y)Xva1^ie}j^>IJ+-69e3|z!KaehbZZr9ZA04NWb zaIMnf;RIg_{*dm-9!#sfT>9P&CvyLEP`J?j$A*`Wy^ZnWa#MsqtApm3&fSSK7d`z_ zJA%03(})Qtn5CB&x#bxgf2G`?_9h`)a1_Asr788GSYtl)z2F(*wn7dcCDW^Q_KVO- z^M_p)#z_Z<-xddZ*nnx}o#cEE993Uytbr39M8(XO##1Ff3?RQ>yyiha&|-MAyy(4!m63(r0KeQMd6RFv=2X)tQ>;yKd3Z; z1GChzalmENT0mf!`%4+BN@}GSH@XY{3dGpJq6?O+VoO{3`=>T&n)^4mHTn|>20ZBW zTCfG7j}U0G6J79nc1+;7hSF)ltbQXOH(s&rw*__LV~>0-=0qk5D}M639<81XR36SA@)~ zQ|>ac%b>KjI|7yCG28I`d8_O_h_eG;>ZE-0eTjaalK@ke+`)<;9@8oP15HUMKnX)J zm^?}m?GdRYZQ8}!;@hI92WG?`sdt{PQn@+H!+s`izPnKWY-)}hgq-e*9PDE+YELCK z4D^$DSp}B(HRiZg6X_HLe0GW!h_XE1RR|xZJP@X2Qz}pbwL}O%2md`g`)}J#>7o8_ z*pm70Y2*^&NI!*oCz31yS-{6CqZKd6*KlYY6Jn@`8r0)C=L#b}5(k=Zpz@c(QX_zn z@MF|jApy{w9hEorzv`eunM0}h$-wl&Cv=1c{dD^4k3NqY$}w(aHb zEyk|+@DB*>JH9qFODj7}t$o3fzBf$ge|5;(!VAv6Y5=9wrUhWC&ld}2THRBoz?W{b zVZV73L3*w1F6c+u^@MiMyZ5M2*Z1@g@12JG5$`!D+tAKI-#%Bv+%~kKX1Xb_n5ojd z@DlSYR_I^m8B1HINuv?~jpTs%RQd>J@XV-|@KsGy%ElXgT>{LT&J66Ss^il`K0zx4 zJCa@UEZMAjg0P%jSz6L#3Gop{5E%X%^DIBg1tceozV5MJGeV%H8#JBig?gr8my6GM zpHa;?*!RinyJrH->KP=wG9xrMnhisUM$3&uvJT0_CYg( zN<1miYRb)egR3Sy)jlt&Q3o>x?4T!r;5wSCG`Hcj$EceshMJX9%O5kwNG=jpK)^}x z+?F(5I2N^t+O5xLDsBc0&!^gR)UW6;=&1=>1%5ir7^eN)uz2 z?SF#HMKzhlwb=Uz=KW!fIK4TS%Citm`vE3`u+wXxb$cfz+xMa#2&O}+2G>BE8J&=W zt_!*Fr&4rKsDNr>QBouqS?2jlk4zkvkk#t=0x%Su;1c{f7CZ&t zrPlje2#yqsE_DWmuI(qASNYwS6|pXK_-oRUn`ZWHCecfgJvBwYnk`wTSmT>*4ERy{ zDO#LX(B?a68h}ds0Dm*1)=Tu+i~vqu!g1}v*KzIXfJ}=F!r?}mBJq8a=!HlJHhGR_ zLeO6<3O$){G5RK*0tA!)2ljiHStg2x{$BDZCJGDL}gU7!4O}I2P z>I&y;nKfXb?vxZolHPBm-Vnj(ZW11}%}?|Vr|A*?rI3U$H0MDU5k7oR4SabaJb)0B z&Hmw30|O+Ylv`5`VX!i@7CI?`Ysp)zPr&Z}EW*A>y-md+0fHp$zw8!J8_Nz%=;l%L z-gtEB^}!u0GREJ5gI4>fzi*$FewiHez~8we6*gmIcboN9^|brImcQv%w^W;#EOtde z4BenL@VTGyKF3rle`ZOD*zxVAedb03{Oyo|Hw|rEJ0;c+pDB3uw%B`Tn28qoj2Mle zGKz8OH83V>k8Fb?UGzzz=GD*GWu7Nv)Q$v`sp+p8d}w!f4`&oR8m^E_nd{%4{5ki$ z8+2~vy;i%n@)LgN)Y<`3bYr-x_dlG=hWCG>+1@XS4K2|7f=$`x>+M?49O1!p=W>Wt z%9DZHXYM#ut~M$26D_`wDZdN8&WA|(>|8kv&rfK#D~xy)K=T;sO_O49TyXe}1e667 z-ExF&Gy_qpK?XqbD$&(x8I&ih4{amPjwsW``Z{u14Vl#W+7??G`NL7u^D@w_SK zx9wil5?Ht-dIk*++4)kf44mbCiKiOTXFcX?qsL`^7#=!${P9vSm(|!?RQINY*Z`Cx z{bxaha-`+h7nYhjW=)gv_0tDBM7(Q_E*7ndOWQU|c&;en!4lv}m4x5OzpB@ngiOug z3Q|RZR1Pi}BbLx8NDCF3Buv;haXaqrsC?dxod}Wl9#_S2smgMahrQ9w;r>}Kp|7Z} z6v-NBbcDaP&KSPMDe>jA-V^fi0jeG)O!^OGbRS3*br$X(=eQoUaSXgL*|~|ndpOXW z7h>OVx%_jMdz0@pz7Z!vc+zGO8z;R)67TW39QO1*X8zdO(wyX8fAA|lmAEOlj?c8* z;D;&vs`1z6CrL8)OK;WlRA)L|ewAbe%E0>(1#{InfFMeAK$zw$gdhu&?<3ZsHcflb zMNG$hy7@WO_xuDmj}JNWtZyt!Y;_)W8Jgc}{hcKL5QUw1R(i|vqJ)+eDFY$+g$bbpxd9Swn&-ufRd-qZe`ns#Wxyu8 zZy11*zT@MsJE({c+P@AN#Tv1Ly}^gssn@Nli00fM(aF$?nNrZkL@tjr@wOgN?Npo! zG1(Uz4HN9AuEpsWgM1M^DisVN_j`T76L*S9kVT`yb{+OSx9xDqC4}!X^u>Gq#hQ zR-+p;UDRdjMUU$TE%F&GGB-;FF;M3g9z=>Teu?Ar4LuHUTfl{4tPvl$DZY5@Jw~h$ zZ^_p|qlX;FaILw;p?~;O@LNp^$!%7`wr3Fv)|Zr<-~=F4{FF(8CP?Hj^Xa&<;e^p8 z!5^F?MG~(D5DOg+rwc82V-~Naa|=v(n+s(vY$mii6|PXGaYxQzWP~I(K&Z0KNQY7r0pT z$5z;pPKWPb4|DbAfW0Cs9X`L1MKI|lz)`O|ax`V7jpP=Y?GrjvXr_(r3%cKyl*(GO zgkbw+N$DoIkXsb_rMmy@5nTl`%s5gdA4iqHS=wJB*(Mo+X!8Arvz;5``27GlDTTn? zI$qkFHM*{?r)m#D_ACkpJx}LaI4Z1K2tL#9$=yX6_ab_AsV@XvXy1~>x%4MNd5eHQ z{ij9s#*h1nBH8`j&>N=-KC|~a6+r@}hnWvHM|+C7>zR5hV!Nno@lnFZ14Knn-cG67 zf`c@8Hl*5om$mqxU(UH5K1y`~x^Da#vVet!-7RQBG}%Rz-~z(ZaNs&dEx}*40i~1$ z3Q;}#f{d@Y1m>P5D3F@W3STEat$E)GqQn)Pv&b|n-k#Ag$yS^?Xqo~R}E}6rj;N6^d5C3x>)~s7d4`IQpJA=B~A>52BN5` z6N_R?kromIPpE_3|4IB6BW+1{!EN0_av&M91^P&JpG1YG6I$DTR+H4kAv189#@#f; zu%uu_R=+d*(jmIna*ttMSQBd>Vh_e2O<2^uSKvyDz>SZ_F%E0fyv>9bk|9K^AziGN z2Gvttx&+@smAVS8cCD@$zx=3Ef}j1N1v7(x$TK42B3Ot;7huYn@v(J^?(&%}yQ>2(TZ(NHh*@>fqxssh3_+)%A zub?BrHxs+fK{eF1B&eHS>+jR=lb8tDQJP39DJA^HT#=HUI57C-w|a%WE7UrU(6`qA zeA_5Nmxr-eoi@pWYi?HQN#Oc-MMwJKc4M-01tF?YZ14fyaM5lNtj@T18h z9&lZzFv|tNPj@r=i{+ODG+zyyNZXcGpd+}-pIVz`VFoAu!YypBA-R#z2{Z} zJ%lIE4UG;4m%_{t>v!y-d$y_eg)vMG?AJ;x8QKHqb=Pd@Q2|Qd>rvU}?C&K1kXjS5 zFZ8Jm9%CN-3NXOfWW!ZJ<=aA_sei2BgkS?hyi?R?IXcV@_(Q!_pmB_GY3#Sl3G)TMbDlwT73B1TQ_ zF11;~r{L^1%^Tzi=W66>GwdRJx!pOhCL*~Bc$<$o-;7|I{O}FoepB$`9{p$4FGGHH z^DE)jXCcB{e8i{?+x6ABW(^ERlo;q;YVmN#UDC05(!o)>n`XtwjTuclvPlRKRI9>ys;5#%6Tk^RA|`u2dsZcBxp=Dy_=i{N>}9D z$JuUco38I{<9U8-RnfLvdWpCEbV9LfG(c$bLt0utB=0eM=SQ5sT)CY`T77Yq#=z)O zWIYus-MGauNiFaG)xXD7(|>F1cuqp5T*x_+*`q?;+{diz7_-E@e#RHbC{gSdhZ`h} zgIY+%uDeTq0J`zC{8>z6dKLxAutB@JpTXJcQhsP*b3HB zY0rV^)M^;peh1SwtS19omblU*c7c_)F#i7(kVgce7{$ z+ZB>2J$6Tx-)ES%UZz_EkUG(#s0I%C9J?>oV0O{`9M2maSP-2ZPmCZ)_KA}5 zI&=F&2!^RW36>$F=-~)`JGN!{SQ1wyCBJo+aQne3MyLOUs!M%i%yDe^;IT7C^}Mix z8P_Ofm93Pkl$k4{{!yXS1|wp literal 0 HcmV?d00001