From 27f4b2b475a37a93ac8f624d2757815325885b85 Mon Sep 17 00:00:00 2001 
From: Aloys <16886290+trolologuy@users.noreply.github.com> Date: Tue, 8 Nov 2022 14:07:17 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20Update=20DNS=20configuration=20i?= =?UTF-8?q?nstructions=20(#2447)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * :construction: Refactoring + adding vars + rephrasing * :construction: Rebase from main * :memo: Smaller fixes * :construction: Refactoring + adding vars + rephrasing * :memo: Smaller fixes + fix linting issuest * :bug: Fix linting issues * :memo: Apply recommendations from review * :bug: Fix links * :memo: Fix linting * :memo: Update DNS configuration instructions * :memo: Fix links * :memo: Smaller fixes * :bug: Fix linting issues * :construction: Apply recommendations from review + refactoring :construction: Refactoring + adding vars :memo: Test * :construction: Refactoring + adding vars + rephrasing * :construction: Rebase from main * :memo: Smaller fixes * :construction: Refactoring + adding vars + rephrasing :memo: Smaller fixes + fix linting issuest :bug: Fix linting issues :memo: Apply recommendations from review :bug: Fix links :memo: Fix linting :memo: Update DNS configuration instructions :memo: Fix links :memo: Smaller fixes :bug: Fix linting issues :construction: Apply recommendations from review + refactoring :construction: Refactoring + adding vars :memo: Test * :memo: Applying recommendations and further improvements * :memo: (re-)applied recommendations + smaller rephrasing and improvements * :memo: Apply suggestions from code review Co-authored-by: Aaron Collier * :memo: Apply feedback from review + fix previous mistakes * :memo: Apply suggestions from code review Co-authored-by: Aaron Collier * :memo: Apply suggestions from code review Co-authored-by: Aaron Collier * :memo: Apply suggestions from code review Co-authored-by: Aaron Collier * :memo: Further changes from review * 🎨 Styling changes * 🐛 Add alias for deleted page * 📝 Add link to explanation 
on apex domains Co-authored-by: Aaron Collier --- docs/src/define-routes/_index.md | 4 +- docs/src/define-routes/https.md | 18 +- docs/src/domains/_index.md | 4 +- docs/src/domains/cdn/_index.md | 169 ++++++------- docs/src/domains/cdn/cloudflare.md | 27 +- docs/src/domains/cdn/fastly.md | 10 +- docs/src/domains/checklist.md | 183 ++++++++++---- docs/src/domains/quick-start.md | 104 -------- docs/src/domains/steps/_index.md | 236 ++++++++++++------ docs/src/domains/steps/dns.md | 199 ++++++++++----- docs/src/domains/steps/subdomains.md | 57 ++--- docs/src/domains/steps/tls.md | 100 ++++---- docs/src/domains/troubleshoot.md | 46 ++-- docs/src/environments/default-environment.md | 6 +- .../next-steps/going-live/configure-dns.md | 11 +- .../next-steps/going-live/first-steps.md | 2 +- docs/src/other/glossary.md | 6 + .../images/management-console/edit-plan.png | Bin 19856 -> 0 bytes .../settings-upgrade-plan.png | Bin 72116 -> 0 bytes 19 files changed, 646 insertions(+), 536 deletions(-) delete mode 100644 docs/src/domains/quick-start.md delete mode 100644 docs/static/images/management-console/edit-plan.png delete mode 100644 docs/static/images/management-console/settings-upgrade-plan.png diff --git a/docs/src/define-routes/_index.md b/docs/src/define-routes/_index.md index 5ee2b0227a..ba485c4a9a 100644 --- a/docs/src/define-routes/_index.md +++ b/docs/src/define-routes/_index.md @@ -130,7 +130,7 @@ Each route in your configuration file is defined in one of two ways: * A URL with a placeholder such as `https://{default}/blog` The available placeholders are `{default}` and `{all}`. -They stand in for the [custom domains](../domains/quick-start.md) you've defined in your project. +They stand in for the [custom domains](../domains/steps/_index.md) you've defined in your project. These domains can be top-level domains (`example.com`) or subdomains (`app.example.com`). 
@@ -272,7 +272,7 @@ In projects created before November 2017, the `.` in subdomains was replaced wit It was switched to preserve `.` to simplify SSL handling and improve support for longer domains. If your project was created before November 2017, it still uses `---` to the left of the environment name. If you wish to switch to dotted-domains, please file a support ticket and we can do that for you. -Doing so may change the domain name that your production domain name should CNAME to. +Doing so may change the domain name that your production domain name should `CNAME` to. {{< /note >}} diff --git a/docs/src/define-routes/https.md b/docs/src/define-routes/https.md index 5060256143..9c4f3197d5 100644 --- a/docs/src/define-routes/https.md +++ b/docs/src/define-routes/https.md 
@@ -14,21 +14,11 @@ The Let’s Encrypt TLS Certificates are: - automatically renewed 28 days before expiration If a renewal is available and needed, the environment is automatically redeployed to renew the certificate. -As no new build is required the process should take at most a few seconds. +As no code changes are made, the build image is reused and build books are not run. The deploy and post-deploy hook are run during this process. - -{{< note >}} -Platform.sh provides managed service and runtime containers for your projects -- -security and system upgrades to those containers are applied automatically by us in the background. -Whether or not an upgrade needs to be applied is judged during redeploys, but also during this renewal process. +During the redeploy, security and system upgrades are automatically applied to your containers when required. That means that most of the time renewals take a few seconds *unless* upgrades are available for your containers. -In those cases, containers are rebooted and the process takes a little longer. -{{< /note >}} - -If you are using a custom TLS certificate, seven days before it expires -Platform.sh issues a Let's Encrypt certificate and replaces the custom certificate with it to avoid interruption in service. -If you wish to continue using the custom certificate, -replace it with an updated certificate more than seven days before it expires. +In those cases, containers are rebooted and the process takes a little longer. {{< note >}} TLS certificates are often still called SSL certificates. 
@@ -40,7 +30,7 @@ In practice, they mean the same thing today, but TLS is the more correct term. {{% lets_encrypt_limitations %}} -If you need more hostnames than that, obtain additional certificates or a wildcard certificate from another TLS provider. +If you need more hostnames than that, obtain additional certificates or a wildcard certificate from a [third-party issuer](../domains/steps/tls.md). Alternatively, consider splitting your project up into multiple Platform.sh projects. ## Using HTTPS diff --git a/docs/src/domains/_index.md b/docs/src/domains/_index.md index 9e7c2874f1..1cae226418 100644 --- a/docs/src/domains/_index.md +++ b/docs/src/domains/_index.md @@ -1,6 +1,6 @@ --- -title: "Custom Domains" +title: "Custom domains" weight: -70 description: | - By default, a Platform.sh app is available at its Platform.sh domain. The following resources help you take your application live with the domain that you wish. + By default, a Platform.sh app is available at its Platform.sh domain. The following resources help you take your app live with the domain that you wish. --- diff --git a/docs/src/domains/cdn/_index.md b/docs/src/domains/cdn/_index.md index 4893b651d4..e5d9d81518 100644 --- a/docs/src/domains/cdn/_index.md +++ b/docs/src/domains/cdn/_index.md 
@@ -1,39 +1,35 @@ --- -title: "Content Delivery Networks (CDNs)" -sidebarTitle: "Content Delivery Networks" +title: "Content delivery networks (CDNs)" +sidebarTitle: "Content delivery networks" weight: 3 +description: Improve performance for distributed end-users of your website with a content delivery network (CDN). layout: single --- +Effective caching can mean a huge difference in the perceived performance of an app by its users. +Placing the caches closer to your users (wherever they may be) is the best solution currently available. + Dedicated plans include a Fastly CDN account by default, which is managed by Platform.sh. -Our experience has shown that effective caching can mean a huge difference in the perceived performance of an application by its users, -and that placing the caches closer to your users (wherever they may be) is the best solution currently available. -Self-Service Grid plans do not include a CDN by default, but you are welcome to configure one yourself. +Self-Service Grid plans don't include a CDN by default, but you are welcome to configure one yourself. See our [guidelines](../../bestpractices/http-caching.md) for when and if to use a CDN for HTTP caching. -We have partnerships with a variety of CDN vendors depending on your application’s needs. Our recommended CDN provider is [Fastly](./fastly.md). ## DNS management The distributed nature of most CDNs means that for proper functioning, -any domains that you intend to make use of the CDN are required to use CNAME records for pointing the DNS entries. -Pointing the root domain (example.com) at a CNAME record isn't possible for all DNS hosts, -so you need to confirm this functionality or migrate to a new DNS host. -CloudFlare has a [more detailed writeup](https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/) -of the challenges of root CNAMEs. +any domains that you intend to make use of the CDN are required to use `CNAME` records for DNS entries. 
+Not all DNS registrars support pointing from an apex domain such as `example.com` to a hostname with a `CNAME` record. +Ideally, your registrar supports [`CNAME` records for apex domains](../steps/dns.md#handling-apex-domains). -In the event that you and your team choose a pure Fastly solution, -this is negated by their providing a set of Anycast IP addresses for you. -This allows you to create A records for your root domain that point to Fastly’s CDN. +CDNs have different methods to overcome this issue. +CloudFlare uses [`CNAME` flattening](https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/). +Fastly provides a set of Anycast IP addresses so you can [create A records for your root domain pointing to Fastly’s CDN](https://docs.fastly.com/en/guides/using-fastly-with-apex-domains). ## Initial setup -For Dedicated plans, CDN setup is handled by Platform.sh as part of your onboarding. -After the application is stood up on its Dedicated virtual machines, -we can begin the collaborative process of provisioning the CDN and configuring DNS and caching setup. -We provide CDN services for both staging and production. +For Dedicated plans, a CDN is set up automatically for both Staging and Production environments as part of your onboarding. For self-service Grid plans, the setup can be done at any time by the customer. 
@@ -44,27 +40,26 @@ there may be varying levels of flexibility with regard to caching and ongoing ca This should be discussed between your sales representative and senior technical members of your team if there are concerns with CDN configuration and functionality. -If using Fastly as a CDN, you can provide either custom VCL snippets or a full custom VCL file. -Platform.sh grants customers access to do so upon request. +If using Fastly as a CDN, you can provide custom VCL snippets or a full custom VCL file through a [support ticket](../../overview/get-support.md). Be aware that downtime caused by custom VCL configuration isn't covered by the SLA, -just as application code in your repository isn't covered by the SLA. +just as app code in your repository isn't covered by the SLA. ## TLS encryption Security and the related topic of encryption of data are fundamental principles at Platform.sh, -and as such we provide TLS certificates in the default Dedicated package. -This allows for encryption of all traffic between your users and your application. +and so Dedicated packages include TLS certificates by default. +This allows for encryption of all traffic between your users and your app. By default, a shared certificate is provisioned with the chosen CDN vendor. If you opt for the Global Application Cache, certificates are provisioned for both the site subdomain (`www`) and the asset/CDN subdomain. -We use wildcard certificates to secure production, staging, and any other subdomains simultaneously. +Wildcard certificates are used to secure Production and Staging environments and any other subdomains simultaneously. If you need Extended Validation TLS certificates, -you need to provide your own from an issuer of your choice that we can install for you. +you need to provide your own from an issuer of your choice that can then be installed for you. 
If you need to provide your own TLS certificate, place the certificate, the unencrypted private key, -and the necessary certificate chain supplied by your TLS provider in your application's `private` directory (not web accessible), +and the necessary certificate chain supplied by your TLS provider in your app's `private` directory (not web accessible), and then open a ticket to let our team know to install it. -Dedicated supports a single TLS certificate on the origin. +Dedicated plans support a single TLS certificate on the origin. Support for multiple certificates is offered only through a CDN such as CloudFront or Fastly. Self-signed certificates can optionally be used on the origin for development purposes or for enabling TLS between the CDN and origin. 
@@ -81,18 +76,18 @@ So it uses the origin name provided by Platform.sh. To ensure your TLS certificates are valid for both requests from clients to the CDN and from the CDN to the server on Platform.sh, you need to take two additional steps: -1. Configure your CDN to set the `X-Forwarded-Host` HTTP header to the public domain (`example.com`). +1. Configure your CDN to set the `X-Forwarded-Host` HTTP header to your domain, for example: `example.com`. That allows the request from the CDN to Platform.sh to still carry the original requested domain. The specific way to do so varies by the CDN. -2. Ensure your application can read from the `X-Forwarded-Host` header should it need the Host information. - Many popular applications already do so, - but if you have a custom application make sure that it checks for that header +2. Ensure your app can read from the `X-Forwarded-Host` header should it need the Host information. + Many popular apps already do so, + but if you have a custom app make sure that it checks for that header and uses it instead of `Host` as appropriate. ## Web Application Firewall & Anti-DDoS All Platform.sh-hosted sites, either Grid or Dedicated, live on infrastructure provided by major cloud vendors. -These vendors include their own Level 3 DDoS protection that is sufficient for the vast majority of cases. +These vendors include their own Level 3 DDoS protection that is sufficient for the majority of cases. Customers are welcome to put their own WAF in front of a Dedicated cluster or add other security measures not included in the offering. 
@@ -100,9 +95,9 @@ Customers are welcome to put their own WAF in front of a Dedicated cluster or ad When using a CDN the Platform.sh router's HTTP cache becomes redundant. In most cases it's best to disable it outright. -Modify your route in `.platform/routes.yaml` like so to disable the cache: +Modify your route like so to disable the cache: -```yaml +```yaml {location=".platform/routes.yaml"} "https://{default}/": type: upstream upstream: "app:http" 
@@ -114,79 +109,75 @@ Modify your route in `.platform/routes.yaml` like so to disable the cache: ## Preventing direct access When using a CDN, you might not want users to access your Platform.sh origin directly. -There are three ways to secure your origin. - -### Password protected HTTP Authentication - -You can password protect your project using [HTTP access control](../../environments/http-access-control.md). - -Make sure that you generate a password of sufficient strength. -You can then share the password with your CDN provider. -Make sure the CDN adds a header to authenticate correctly to your origin. +There are three ways to secure your origin: -Add a custom header to the origin request with the base64 encoded username:password. +- **Password protected HTTP Authentication**: Restrict access to your project with the [HTTP access control](../../environments/http-access-control.md). +- **Allowing and denying IP addresses**: If your CDN doesn't support adding headers to the request to origin, you can allow the IP addresses of your CDN. +- **Client-authenticated TLS**. -For example: `Aladdin:OpenSesame` would become `Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l`. +### Password protected HTTP authentication -Be aware that this approach applies the same user and password to all development environments, too. +This approach applies the same username and password to your production and all development environments. You can have developers enter credentials through their browser, or override the access control setting for each child environment. -{{< note >}} +To use password protected HTTP Authentication: -This is the recommended approach for CloudFlare. - -{{< /note >}} +1. Consult your CDN's documentation to ensure it supports that feature. +2. Generate a password of sufficient strength. +3. Password protect your project using [HTTP access control](../../environments/http-access-control.md). +4. Share the password with your CDN provider. +5. 
Make sure the CDN adds a header to authenticate correctly to your origin by adding a custom header to the origin request with the base64 encoded `username:password` you chose in step 2. + For example: `Aladdin:OpenSesame` would become `Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l`. ### Allowing and denying IP addresses -If your CDN doesn't support adding headers to the request to origin, you can allow the IP addresses of your CDN. - -{{< note >}} -You *WILL* have to update your configuration when your CDN updates their IP addresses. -{{< /note >}} - -List of IP ranges for: - -- [CloudFlare](https://www.cloudflare.com/ips/) -- [Fastly](https://docs.fastly.com/en/guides/accessing-fastlys-ip-ranges) - -Be aware that this approach applies the same IP restrictions to all development environments, too. +This approach applies the same IP restrictions to your production and all development environments. To remove it from development environments, you need to disable it on each environment -or else create a single child of the default environment where it is disabled, +or else create a single child of the default environment where it is disabled and them make all development branches off of that environment. -### Client authenticated TLS +You also have to update your configuration when your CDN updates their IP addresses. -If your CDN offers this option, an alternative way of securing the connection is [client authenticated TLS](../../define-routes/https.md#client-authenticated-tls). +To allow and deny IP addresses: -**note**: Remember to permit your developers to access the origin by creating your own certificate -or else they won't be able to access the project URL directly (see below). +1. Set up your CDN. +2. Get the IP range for your CDN provider: -CloudFlare has [a very good article](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) -on what client authenticated TLS is and how to set this up. 
+ - [CloudFlare](https://www.cloudflare.com/ips/) + - [Fastly](https://docs.fastly.com/en/guides/accessing-fastlys-ip-ranges) -To activate authenticated TLS follow the following steps: +3. Allow only these IPs for your project using [HTTP access control](../../environments/http-access-control.md#filter-ip-addresses). -- Download the correct certificate from your CDN provider. - - [CloudFlare](https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem) - - *Caveat! an attacker could make a Cloudflare account to bypass your origin restriction. For CloudFlare, using the HTTP access control described above is the recommended way of securing your origin.* - - [Fastly](https://docs.fastly.com/products/waf-tuning-plus-package#authenticated-tls-to-origin) -- Make sure you have a `.crt` file. If you have a `.pem` file, rename it to `cdn.crt` -- Add the `cdn.crt` to your git repository -- Add the relevant configuration to your `.platform.app.yaml` file -``` -tls: - client_authentication: "require" - client_certificate_authorities: - - !include - type: string - path: cdn.crt -``` +### Client-authenticated TLS -{{< note >}} +If your CDN offers this option, an alternative way of securing the connection is [client-authenticated TLS](../../define-routes/https.md#client-authenticated-tls). +Note: Remember to permit your developers to access the origin by creating your own certificate +or else they can't access the project URL directly. -The steps above are generally similar but can vary for different CDN providers. -Contact your CDN provider's support department for specific assistance. +To activate authenticated TLS follow the following steps: -{{< /note >}} +1. Download the certificate from your CDN provider: + - [CloudFlare](https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem). + Using client-authenticated TLS with Cloudflare is the recommended approach. 
+ It avoids the possibility that an attacker could make a Cloudflare account to bypass your origin restriction. + Use the authenticated origin pull method to secure your origin. + - [Fastly](https://docs.fastly.com/products/waf-tuning-plus-package#authenticated-tls-to-origin) + +2. Make sure you have a `.crt` file. + If you have a `.pem` file, rename it to `cdn.crt`. +3. Add the `cdn.crt` file to your Git repository +4. Add the relevant configuration: + + ```yaml {location=".platform/routes.yaml"} + https://{default}: + tls: + client_authentication: "require" + client_certificate_authorities: + - !include + type: string + path: cdn.crt + ``` + +These steps are generally similar but can vary for different CDN providers. +Contact your CDN provider's support for specific assistance. diff --git a/docs/src/domains/cdn/cloudflare.md b/docs/src/domains/cdn/cloudflare.md index c434ffc4e8..a5d16fbded 100644 --- a/docs/src/domains/cdn/cloudflare.md +++ b/docs/src/domains/cdn/cloudflare.md 
@@ -7,21 +7,18 @@ aliases: - "/golive/steps/cloudflare.html" --- -One of the main features that a modern DNS provider needs to have to work well with Platform.sh -is colloquially known as "CNAME Flattening". -This solves the problem of being able to point your "root domain" (example.com) -to a domain name (CNAME) rather than an IP address (A record). -[This post](https://blog.cloudflare.com/introducing-CNAME-flattening-rfc-compliant-cnames-at-a-domains-root/) explains it well. +Verify your registrar supports [`CNAME` records for apex domains](../steps/dns.md#handling-apex-domains). +This solves the problem of being able to point an apex domain such as `example.com` +to a domain name (using a `CNAME` record) rather than an IP address (using an A record). +CloudFlare offers [`CNAME` flattening as an alternative](https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/). To correctly point DNS to your Platform.sh project, -you need at the very least the production environment CNAME, -in other words the domain of your site before you add a custom domain. -This is the value you would get from [Step 4 of the pre-launch checklist](/domains/checklist.md). +you need the [target for your Production environment](../../domains/steps/_index.md#2-get-the-target-for-your-project). -Assuming that you are using both a `www.` subdomain as well as the bare domain, -you'll want to point both of those DNS entries to the same place. +Assuming that you are using both a `www.` subdomain and the bare domain, +point both of those DNS entries to the same place. Whether you choose the bare domain version or the `www` subdomain doesn't make any practical difference, -as they both reach Platform.sh and be handled correctly. +as they both reach Platform.sh and are handled correctly. {{% disable-cache CDN="Cloudflare" %}} 
@@ -30,7 +27,7 @@ as they both reach Platform.sh and be handled correctly. Cloudflare also makes it possible to use their free TLS/SSL service to secure your site via HTTPS, while also being behind their CDN if you so choose. If you decide to use Cloudflare's CDN functionality in addition to their DNS service, -you should be sure to choose the "Full SSL" option in the Cloudflare admin. +you should be sure to choose the **Full SSL** option in the Cloudflare admin. This means that traffic to your site is encrypted from the client (browser) to Cloudflare's servers using their certificate, and also between Cloudflare's servers and your project hosting here at Platform.sh, @@ -42,8 +39,8 @@ mostly like using your project's Let's Encrypt certificate. User <---------------> Cloudflare <-------------> Platform.sh ``` -The other option known as "Flexible SSL" causes issues if you intend to redirect all traffic to HTTPS. -The "Flexible SSL" option uses Cloudflare's TLS/SSL certificate to encrypt traffic between your users and the CDN, +The other option known as **Flexible SSL** causes issues if you intend to redirect all traffic to HTTPS. +The **Flexible SSL** option uses Cloudflare's TLS/SSL certificate to encrypt traffic between your users and the CDN, but passes requests from the CDN back to your project at Platform.sh via HTTP. This facilitates sites that don't have a TLS/SSL certificate beginning to offer their users a more secure experience, by at the least eliminating the unencrypted attack vector on the "last mile" to the user's browser. 
@@ -57,7 +54,7 @@ User <---------------> Cloudflare <-------------> Platform.sh This causes all traffic from Cloudflare to your project to be redirected to HTTPS, which sets off an endless loop as HTTPS traffic is presented as HTTP to your project no matter what. -In short: *Always use "Full SSL" unless you have a very clear reason to do otherwise* +In short: *Always use **Full SSL** unless you have a very clear reason to do otherwise* ## Let's Encrypt certificate renewal diff --git a/docs/src/domains/cdn/fastly.md b/docs/src/domains/cdn/fastly.md index c9d12d8d7a..83587e08c1 100644 --- a/docs/src/domains/cdn/fastly.md +++ b/docs/src/domains/cdn/fastly.md @@ -15,14 +15,14 @@ but it is a common choice for customers to self-configure. Launching a Platform.sh site with Fastly in front of it is nearly the same as launching normally. There are only a few notable differences. -Individual applications may have their own Fastly setup instructions or additional modules. -Consult the documentation for your application for specific details. +Individual apps may have their own Fastly setup instructions or additional modules. +Consult the documentation for your app for specific details. {{% disable-cache CDN="Fastly" %}} ## Set the Platform.sh domain on Fastly -Rather than create a DNS CNAME for your default Platform.sh branch (for instance `main-7rqtwti-qwertyqwerty.eu.platform.sh`), +Rather than create a DNS `CNAME` for your default Platform.sh branch (for instance `main-abcd123.abcdefgh1234567.eu.platformsh.site`), [configure Fastly](https://docs.fastly.com/guides/basic-configuration/working-with-domains) to respond to requests for your domain name and to treat the default Platform.sh branch as its backend server. Be sure to enable TLS for the backend connection to Platform.sh. 
@@ -52,7 +52,7 @@ This step should be done well in advance of the actual go-live. ## Anycast -You have the option of using either a [CNAME or a set of Anycast IP addresses](https://docs.fastly.com/guides/basic-configuration/using-fastly-with-apex-domains). -Fastly prefers that you use the CNAME but either work. +You have the option of using either a [`CNAME` or a set of Anycast IP addresses](https://docs.fastly.com/guides/basic-configuration/using-fastly-with-apex-domains). +Fastly prefers that you use the `CNAME` but either work. If using the Anycast IP addresses on a {{% names/dedicated-gen-2 %}} production environment, open a support ticket with the new A records to provide to our support team. diff --git a/docs/src/domains/checklist.md b/docs/src/domains/checklist.md index 3a5d252271..af82394a7a 100644 --- a/docs/src/domains/checklist.md +++ b/docs/src/domains/checklist.md 
@@ -10,69 +10,158 @@ sidebarTitle: "Pre-Launch Checklist" ## 1. Register a domain name with a supported provider -You have a domain name registered for your site with a Registrar of your choice. -The registrar must allow you to use CNAMEs for your domain. -(Some registrars may call these Aliases or similar.). -If your domain is currently active elsewhere, -the Time-To-Live (TTL) on your domain is set to the lowest possible value to minimize transition time. +Before you go live, you need a domain name registered with the registrar of your choice. +Verify your registrar supports [`CNAME` records for apex domains](./steps/dns.md#handling-apex-domains). +Some registrars may call these `ALIAS` or `ANAME` records. -{{< note >}} +See [what an apex domain is](./steps/dns.md#what-is-an-apex-domain). -You can't use a `A` record. -Verify your DNS provider supports CNAMES. -(If it doesn't you want to run away from it anyway). -Also you are much happier if it supports Apex domains (more in the next chapter). - -{{< /note >}} - -## 2. Test your site! +## 2. Test your site Make sure your site is running and configured as you want it to be, on your production branch. In particular, see the [Routes documentation](../define-routes/_index.md). -You need your routes configured appropriately before you begin. -Make sure you have turned off [basic-authentication](/administration/web/configure-environment.md) if it was turned on during development. -If your production environment is on a {{% names/dedicated-gen-2 %}} instance, -ensure that the code is up to date in both your `staging` and `production` branches, -as those are what are mirrored to the {{% names/dedicated-gen-2 %}} instances. -Also ensure that the data on the production instance is up to date and ready to launch. +If you turned on HTTP access control during development, [turn it off before launch](../administration/web/configure-environment.md#http-access-control). -## 3. 
Optionally obtain a 3rd party TLS certificate +If your production environment is on a {{% names/dedicated-gen-2 %}} instance, ensure that: -Platform.sh automatically provides TLS certificates for all sites issued by [Let's Encrypt](https://letsencrypt.org/) at no charge. -[In most cases](../define-routes/https.md#limits), this is sufficient and no further action is necessary. -However, if you want to use a [third-party TLS certificate](./steps/tls.md) to encrypt your production site, -you can obtain one from any number of 3rd party TLS issuers. -Platform.sh doesn't charge for using a 3rd party TLS certificate, although the issuer may. +* Your code is up-to-date in both your Staging and Production branches. + Those are mirrored to the {{% names/dedicated-gen-2 %}} instances. +* Your data in the Production environment is up-to-date and ready to launch. -Platform.sh supports all kinds of certificates including domain-validated certificates, -extended validation (EV) certificates, high-assurance certificates and wildcard certificates. -The use of HA or EV certificates is the main reason why you may wish to use a third party issuer rather than the default certificate. -You also need a custom certificate if you use wildcard routes, as Let's Encrypt doesn't support wildcard certificates. +### Test the domain locally -If you do wish to use a 3rd party certificate, ensure it is purchased and active prior to going live. +You can test your site's behavior before going live by locally pointing your domain +to the IP addresses for your project's production environment. +This can be particularly useful to check that a CMS is properly set up. -## 4. Optionally configure your CDN +To change where the domain points on your computer, choose one of the following methods: -If you are using a CDN, either one included with an Enterprise plan or one you provide for a self-service Grid project, -ensure that your CDN account is registered and configured in advance. 
-That includes setting the upstream on your CDN to point to the Platform.sh production instance. +{{< codetabs >}} -* For a Grid-based project, that's the domain connected to your production branch. - Run `platform environment:info edge_hostname` to get the domain name to use. -* For a {{% names/dedicated-gen-2 %}} project, the upstream to use is provided by your Platform.sh onboarding representative. +--- +title=In your browser +file=none +highlight=false +--- + +1. Get the IP addresses of your project's production environment by running `dig +short $(platform environment:info edge_hostname)`. +2. Download a suitable browser extension: -Consult your CDN's documentation for how to set the CDN's upstream address. + * [Firefox LiveHosts add-on](https://addons.mozilla.org/en-US/firefox/addon/livehosts/) + * [Chrome LiveHosts extension](https://chrome.google.com/webstore/detail/livehosts/hdpoplemgeaioijkmoebnnjcilfjnjdi) -For Enterprise plans you may need to obtain a DNS TXT record from your Platform.sh support representative by opening a ticket. -Consult the documentation for your CDN provider and our own [CDN guide](/domains/cdn/_index.md). +3. In the browser extension, map your domain name to the IP addresses. +<---> + +--- +title=On macOS and Linux +file=none +highlight=false --- -* Domain name is registered? -* Your DNS TTL is set as low as possible? -* Your code and data is tested and ready to launch on your production branch? -* Your custom TLS certificate is purchased, if you're using one? -* Your CDN is configured to serve from Platform.sh, if you're using one? +1. Get the IP addresses of your project's production environment by running `dig +short $(platform environment:info edge_hostname)`. +2. Open the `/etc/hosts` file with admin privileges using your favorite text editor. +3. Add the IP addresses and domains for mapping to that file. +4. Save and close the file. + +After adding these lines, the file looks something like the following: + + +
##
+# Host Database
+#
+# localhost is used to configure the loopback interface
+# when the system is booting.  Do not change this entry.
+##
+127.0.0.1	localhost
+255.255.255.255	broadcasthost
+::1             localhost
+{{}}      {{}}
+{{}}      www.{{}}
+
+ +For example, if your IP addresses are `192.0.2.1` and `192.0.2.2`, and you added both the `example.com` domain and the `www.example.com` subdomain the bottom of the file looks like the following: + +```yaml {location="/etc/hosts"} +... +192.0.2.1 example.com +192.0.2.1 www.example.com +192.0.2.2 example.com +192.0.2.2 www.example.com +``` + +<---> + +--- +title=On Windows +file=none +highlight=false +--- + +1. Get the IP addresses of your project's production environment by running `dig +short $(platform environment:info edge_hostname)`. +2. Open the `c:\Windows\System32\Drivers\etc\hosts` file with admin privileges using your favorite text editor. +3. Add the IP addresses and domains for mapping to that file. +4. Save and close the file. + +After adding these lines, the file looks something like the following: + + +
# Copyright (c) 1993-2009 Microsoft Corp.
+#
+# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
+#
+# This file contains the mappings of IP addresses to host names. Each
+# entry should be kept on an individual line. The IP address should
+# be placed in the first column followed by the corresponding host name.
+# The IP address and the host name should be separated by at least one
+# space.
+#
+# Additionally, comments (such as these) may be inserted on individual
+# lines or following the machine name denoted by a '#' symbol.
+#
+# For example:
+#
+#      102.54.94.97     rhino.acme.com          # source server
+#       38.25.63.10     x.acme.com              # x client host
+# localhost name resolution is handled within DNS itself.
+#  127.0.0.1       localhost
+#  ::1             localhost
+{{}}         {{}}
+{{}}         www.{{}}
+
+ +For example, if your IP addresses are `192.0.2.1` and `192.0.2.2`, and you added both the `example.com` domain and the `www.example.com` subdomain the bottom of the file looks like the following: + +```yaml {location="c:\Windows\System32\Drivers\etc\hosts"} +... +192.0.2.1 example.com +192.0.2.1 www.example.com +192.0.2.2 example.com +192.0.2.2 www.example.com +``` + +{{< /codetabs >}} + +Once your tests are over, don't forget to delete the entries you added. + +## 3. Optional: Obtain a third-party TLS certificate + +Platform.sh automatically provides TLS certificates for all sites and environments. +These certificates are issued at no charge by [Let's Encrypt](https://letsencrypt.org/). +In most cases, this is sufficient and no further action is necessary, though see the [limits](../define-routes/https.md#limits). + +If you want to use a third-party certificate, ensure it's purchased and active before going live. +The main reasons to use a third-party issuer rather than the default certificate include +using extended validation or high-assurance certificates. +See how to add a [third-party TLS certificate to your site](./steps/tls.md). + +## 4. Optional: Configure your CDN + +If you are using a CDN, either one included with an Enterprise plan or one you provide for a self-service Grid project, +ensure that your CDN account is registered and configured in advance. + +## What's next -**Time to [Go Live](/domains/quick-start.md).** \ No newline at end of file +After you've completed the above steps, it's time to [go live](./steps/_index.md). diff --git a/docs/src/domains/quick-start.md b/docs/src/domains/quick-start.md deleted file mode 100644 index ae38186165..0000000000 --- a/docs/src/domains/quick-start.md +++ /dev/null 
@@ -1,104 +0,0 @@ ---- -title: "Quick Start" -weight: -70 -description: | - By default, a Platform.sh app is available at a domain generated by Platform.sh. The following resources help you take your application live on your custom domain. ---- -{{% description %}} - -{{< note theme="warning">}} - -Adding a custom domain means your existing automatically generated URLs stop working. - -Don't add a custom domain to your project until you're fully ready to change your DNS settings. -Until that time, continue working with the Platform.sh generated URLs. - -{{< /note >}} - -{{< note>}} - -Custom domains can only be added to the default environment on production plans ({{< partial "plans/min-production-size" >}} or larger). - -{{< /note >}} - -## Summary of steps - -* Describe your desired future URL structure in [.platform/routes.yaml](../define-routes/_index.md) -* Understand [what DNS records you need](../domains/steps/dns.md), and whether your DNS provider can support them -* Optional: [use a CDN](../domains/cdn/_index.md) -* Update your [DNS](../domains/steps/dns.md) - -This short section gives a basic typical example. -See the [Step by step guide](../domains/steps/_index.md) for more complex cases. - -## Set your domain - -Now, add a single domain to your Platform.sh project for `mysite.com`: - -{{< codetabs >}} - ---- -title=In the Console -file=none -highlight=false ---- - -- Select the project where you want to add a domain. -- Click {{< icon settings >}} **Settings**. -- Click **Domains**. -- Enter `mysite.com` into the **Domain** field. -- Click **+ Add**. - -<---> ---- -title=Using the CLI -file=none -highlight=false ---- - -Run the following command: - -```bash -platform domain:add -p mysite.com -``` - -{{< /codetabs >}} - -As soon as you add the domain, Platform.sh no longer serves `main-def456-abc123.eu-2.platformsh.site` at all. -Instead, `{default}` in `routes.yaml` is replaced with `mysite.com` anywhere it appears when generating routes to respond to. 
- -You can still access the original internal domain by running `platform environment:info edge_hostname -e `. - -{{< note >}} -If you are planning on using subdomains across multiple projects, [the setup differs slightly](./steps/subdomains.md). -{{< /note >}} - -## Configure your DNS provider - -On your DNS provider, you would create two CNAMEs: - -`mysite.com` should be an ALIAS/CNAME/ANAME to `main-def456-abc123.eu-2.platformsh.site`. -`www.mysite.com` should be a CNAME to `main-def456-abc123.eu-2.platformsh.site`. - -{{< note >}} -Both point to the same name. See the note above regarding how different registrars handle dynamic apex domains. -{{< /note >}} - -## Result - -Here's what happens under the hood. -Assume for a moment that all caches everywhere are empty. -An incoming request for `mysite.com` results in the following: - -1. Your browser asks the DNS network for `mysite.com`'s DNS A record (the IP address of this host). - It responds with "it's an alias for `www.main-def456-abc123.eu-2.platformsh.site`" (the CNAME), - which itself resolves to the A record with IP address `1.2.3.4` (or whatever the actual address is). - By default DNS requests by browsers are recursive, so there is no performance penalty for using CNAMEs. -3. Your browser sends a request to `1.2.3.4` for domain `mysite.com`. -4. Your router responds with an HTTP 301 redirect to `www.mysite.com` (because that's what `routes.yaml` specified). -5. Your browser looks up `www.mysite.com` and, as above, gets an alias for `www.main-def456-abc123.eu-2.platformsh.site`, which is IP `1.2.3.4`. -6. Your browser sends a request to `1.2.3.4` for domain `www.mysite.com`. - Your router passes the request through to your application which in turn responds with whatever it's supposed to do. - -On subsequent requests, your browser knows to connect to `1.2.3.4` for domain `www.mysite.com` and skip the rest. -The entire process takes only a few milliseconds. 
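Review bot: The warning note removed with this file ("Adding a custom domain means your existing automatically generated URLs stop working") survives in `steps/_index.md` only as a plain sentence in the introduction, and the advice not to add the domain until you're fully ready to change your DNS settings is dropped. Suggest keeping it as a `note theme="warning"` at step 4 of the new page, since that is the step where the generated production URL stops being served. Also please confirm that no other source file still links to `quick-start.md`; the alias added in this patch covers only the published `/domains/quick-start.html` URL.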
diff --git a/docs/src/domains/steps/_index.md b/docs/src/domains/steps/_index.md index 4f025f00d1..80e7161e34 100644 --- a/docs/src/domains/steps/_index.md +++ b/docs/src/domains/steps/_index.md 
@@ -1,132 +1,204 @@ --- -title: "Custom Domains - Step by step guide" +title: Set up a custom domain weight: 2 -sidebarTitle: "Step by step guide" -description: | - Configuring custom domains on Platform.sh is a simple two or three step process. You can either use the Platform.sh Console or the CLI to configure your project for production. Once you are familiar with it the whole process usually takes a couple of minutes. +description: Add a custom domain to your project once it's ready to go live. layout: single +aliases: + - /domains/quick-start.html --- -{{% description %}} +Once your project is ready for production, replace the automatically generated domain with your own custom domain. -{{< note >}} -The order of operations isn't really important, but if you are migrating a site from an existing provider, -you should first configure the domain on the Platform.sh side, and only then switch DNS over. -{{< /note >}} +Note that adding a domain disables the automatically generated URL for your Production environment only. +URLs for non-Production environments can't be customized. + +## Before you begin + +You need: + +* A project that's ready to go live +* A domain with access to its settings with the registrar +* A registrar that allows `CNAME` records or [one of the alternatives](./dns.md) on [apex domains](../../other/glossary.md#apex-domain) +* Optional: The [CLI](../../administration/cli/_index.md) installed locally +* If you are on a development plan, you need to [upgrade your tier to a production plan](#1-change-your-plan-to-a-production-plan). + +If you are planning to use several subdomains of the same domain on different projects, +see how to [manage multiple subdomains](/domains/steps/subdomains.md) *before* you add your domain to Platform.sh. ## 1. Change your plan to a production plan If you are on a Development plan, you can't add a domain. -You need to upgrade your subscription to a production plan. 
+You need to upgrade your subscription to a [production plan](../../other/glossary.md#production-plan). + +To upgrade your plan tier, you must be an organization owner or have [the manage plans permission](../../administration/organizations.md#manage-your-organization-users) + +To upgrade your plan tier: + +{{< codetabs >}} + +--- +title=Using the CLI +file=none +highlight=false +--- + +Run the following [CLI command](../../administration/cli/_index.md): + +```bash +platform subscription:info plan standard +``` + +<---> + +--- +title=In the console +file=none +highlight=false +--- -{{< note >}} +1. On the tile of the project you want to upgrade, click **{{< icon more >}} More**. +2. Click **Edit plan**. +3. Change the plan to at least {{< partial "plans/min-production-size" >}}. +4. Check the change to the monthly cost. +5. Click **Save**. -You can add a domain to your production environment. -The domain used for non-production environments is always generated and can't be customized, -even if your project is on a Production plan. +{{< /codetabs >}} -{{< /note >}} +You can find [more information on plan tiers](https://platform.sh/pricing). -In the [Console](https://console.platform.sh), click the **More** button for your project and select **Edit plan**. +## 2. Get the target for your project -![Edit Plan](/images/management-console/edit-plan.png "0.3") +You want to point your DNS record to the automatically generated URL. +Your domain needs to point to that target for your site to go live. -You can also access information about the project's plan under "Billing" -and then by selecting the project from your list of projects. -You can make changes to the project by clicking ‘Upgrade Plan’. +For Dedicated plans, get the target for your project from your Platform.sh contact. 
-![Edit Plan](/images/management-console/billing-plan-upgrade.png "0.6") +{{< codetabs >}} -You can make changes to the type of plan, the number of environments, amount of storage and number of users here. -When you make changes, it updates the monthly price you're paying. -Click `Upgrade plan` to save the new settings. +--- +title=Using the CLI +file=none +highlight=false +--- -![Edit Plan Choose](/images/management-console/settings-upgrade-plan.png "0.6") +Get the target by running the following [CLI command](../../administration/cli/_index.md): -You can find more information on pricing on the [pricing page](https://platform.sh/pricing). +```bash +platform environment:info edge_hostname +``` -## 2. (CDN version) Configure your DNS provider +<---> -If you are serving the site through a CDN, configure your DNS provider to point at your CDN account. -The address or CNAME to set for that varies with the CDN provider. -Refer to their documentation or to the [CDN guide](/domains/cdn/_index.md). +--- +title=In the console +file=none +highlight=false +--- -## 2. (Non-CDN version) Configure your DNS provider +1. In the Console, open your Production environment. +2. Click **URLs** and copy the URL to your site excluding `https://`. -Configure your DNS provider to point your domain to your Platform.sh production environment domain name. + For example, if the automatically generated URL is `https://main-abcd123.abcdefgh1234567.eu.platformsh.site`, + the target is `main-abcd123.abcdefgh1234567.eu.platformsh.site`. -The way to do so varies somewhat depending on your registrar, but nearly all registrars should allow you to set a CNAME. -Some call it an Alias or similar alternate name, -but either way the intent is to say "this domain should always resolve to... this other domain". +{{< /codetabs >}} -You can access the CNAME target by running `platform environment:info edge_hostname`. -That's the host name by which Platform.sh knows your environment. 
-Add a CNAME record from your desired domain (`www.example.com`) to the value of the `edge_hostname`. +## 3. Configure your DNS provider -If you have multiple domains you want to be served by the same application you need to add a CNAME record for each of them. +Your DNS provider (usually your registrar) is where you manage your domain. +Most registrars offer similar functionalities regarding DNS configuration but use different terminology or configuration. +For example, some registrars require you to use an `@` to create custom records on the apex domain, while others don't. +Check your registrar's documentation. -Note that depending on your registrar and the TTL you set, -it could take anywhere from 15 minutes to 72 hours for the DNS change to fully propagate across the Internet. +Note that depending on your registrar and the time to live (TTL) you set, +it can take anywhere from 15 minutes to 72 hours for DNS changes to be taken into account. -If you are using an apex domain (`example.com`), -see the additional information about [Apex domains and CNAME records](/domains/steps/dns.md). +{{< codetabs >}} -If you are planning to host multiple subdomains on different projects, -see the additional information about [Subdomains](/domains/steps/subdomains.md) *before* you add your domain to Platform.sh. +--- +title=Not using a CDN +file=none +highlight=false +--- -## 3. (Non-CDN version) Set your domain in Platform.sh +To configure your domain name to point to your project: -{{< note >}} +1. Consult your provider's documentation to find out how to add or edit DNS records. +2. Open your registrar's domain management system. +3. Set the TTL on your domain to the lowest possible value to minimize transition time. +4. Add a `CNAME` record pointing from your domain to the [target](#2-get-the-target-for-your-project). + Not all registrars allow these kinds of records. + If yours doesn't, see the [alternatives](./dns.md#handling-apex-domains). +5. 
Optional: If you have multiple domains you want to be served by the same app, add a `CNAME` record for each of them. + That includes the `www` subdomain if you are using it in your [routes configuration](../../define-routes/_index.md). +6. Set the TTL value back to its previous value. -If using a CDN, skip this step. -The CDN should already have been configured in advance to point to Platform.sh as its upstream. +If your domain is `example.com` and you are using the `www` subdomain, you have records like the following: -{{< /note >}} +* `example.com` is a `CNAME`/`ANAME`/`ALIAS` record pointing to `main-abcd123.abcdefgh1234567.eu.platformsh.site`. +* `www.example.com` is a `CNAME` record pointing to `main-abcd123.abcdefgh1234567.eu.platformsh.site`. -This step tells the Platform.sh edge layer where to route requests for your web site. -You can do this through the CLI with `platform domain:add example.com` -or [using the Console](/administration/web/configure-project.md#domains). +Both `example.com` and `www.example.com` point to the same target. +Redirects are handled by the [router you configure](../../define-routes/_index.md). -You can add multiple domains to point to your project. -Each domain can have its own custom SSL certificate, or use the default one provided. +<---> -If you require access to the site before the domain name becomes active, -you can create a `hosts` file entry on your computer -and point it to the IP address that resolves when you access your production project branch. +--- +title=Using a CDN +file=none +highlight=false +--- + +To configure your CDN and your domain name to point to your project: -To get the IP address, first run `platform environment:info edge_hostname`. -That prints the "internal" domain name for your project. -Run `ping ` to get its IP address. +1. Open your CDN's management system. +2. Point the CDN at your [target](#2-get-the-target-for-your-project). +3. Open your registrar’s domain management system. +4. 
Configure your DNS to point at your CDN. + The address or `CNAME` record to use varies by CDN provider. + Refer to your provider's documentation or to the [CDN guide](../cdn/_index.md). +5. Optional: If you have multiple domains you want to be served by the same app, add a `CNAME` record for each of them. + That includes the `www` subdomain if you are using it in your [routes configuration](../../define-routes/_index.md). -In OS X and Linux you can add that IP to your `/etc/hosts` file. -In Windows the file is named `c:\Windows\System32\Drivers\etc\hosts`. -You need to be a admin user to change that file. -So in OS X you usually run something like `sudo vi /etc/hosts`. -After adding the line, the file looks something like: +{{< /codetabs >}} -![Hosts File](/images/config-files/hosts-file.png "0.4") +## 4. Set your domain in Platform.sh -Alternatively, there's an add-on for Firefox -that allows you to dynamically switch DNS IP addresses without modifying your `hosts` file. +Add a single domain to your project: -* [Firefox LiveHosts add-on](https://addons.mozilla.org/en-US/firefox/addon/livehosts/) +{{< codetabs >}} -{{< note >}} +--- +title=Using the CLI +file=none +highlight=false +--- -Don't put the IP address you see here, but the one you got from the ping command. +Run the following command: -*Also, remember to remove this entry after you have configured DNS!* + +
+
platform domain:add {{}}
+
-{{< /note >}} +<---> + +--- +title=In the console +file=none +highlight=false +--- -Sometimes it can take Let's Encrypt a couple of minutes to provision the certificate the first time. -This is normal, and only means the first deploy after enabling a domain may take longer than usual. -Setting the CNAME record with your DNS provider first helps to minimize that disruption. +1. Select the project where you want to add a domain. +2. Click {{< icon settings >}} **Settings**. +3. Click **Domains**. +4. In the **Domain** field, enter your domain. +5. Click **Add**. -## 4. Bonus steps (Optional) +{{< /codetabs >}} -### Configure health notifications +## What's next -While not required, it's strongly recommended that you set up [health notifications](/integrations/notifications.md) -to advise you if your site is experiencing issues such as running low on disk space. -Notifications can be sent via email, Slack, or PagerDuty. +* [Use a content delivery network](../cdn/_index.md) +* [Use subdomains across multiple projects](./subdomains.md) +* [Use a custom TLS certificate](./tls.md) diff --git a/docs/src/domains/steps/dns.md b/docs/src/domains/steps/dns.md index 27dab327e8..f5c7d939a3 100644 --- a/docs/src/domains/steps/dns.md +++ b/docs/src/domains/steps/dns.md 
@@ -1,107 +1,170 @@ --- -title: "DNS management and Apex domains" +title: "DNS management and apex domains" weight: 1 -description: "Platform.sh expects you to use a CNAME for all DNS records. But that doesn't work with some DNS registrars." -sidebarTitle: "DNS and CNAMEs" +description: See why `CNAME` records are used and what to do if your DNS registrar doesn't support them for apex domains. +sidebarTitle: "DNS and apex domains" --- -{{% description %}} +Platform.sh expects you to use `CNAME` records on your [apex domain](../../other/glossary.md#apex-domain). +But that doesn't work with some DNS registrars. +Learn why they're recommended and what else you can do. -## Why CNAMEs? +## Why `CNAME` records? -Platform.sh is a cloud hosting provider. -That means each individual "site" isn't its own computer but a set of containers running on one or more virtual machines, which are themselves running on any number of physical computers, all of which are shared with other customers running the same configuration. -An entire region of projects runs behind our dedicated, high-performance edge routers, which are responsible for mapping incoming requests to the particular container on a particular host that is appropriate. +Each site on Platform.sh is made up of a set of containers. +Platform.sh runs routers for each region to map incoming requests to the appropriate container. +For inbound requests to be forwarded to the right container, the requests need to know the IPs of the routers at the time of the request. +The IP addresses for the routers in [each region](../../development/regions.md) are fairly stable but can change in two cases: -All of that logic is quite robust and fast, but it does require that incoming requests all get sent first to the edge routers. -While the [IP addresses of the edge routers](/development/regions.md) are fairly stable, they aren't guaranteed to never change. 
-We also may add or remove routers to help scale the region, or take them offline one at a time for upgrades and maintenance. -So it's critical that inbound requests always know what the IPs are of the edge routers at the time of the request. +* To up- or downscale a region. + Routers are added or removed. +* For upgrades and maintenance. + Routers are taken offline, one at a time, to apply the changes. -All of Platform.sh's "edge hostnames" (the auto-generated URLs in the form `--..platformsh.site`) are DNS records we control that resolve to the IP addresses of the edge routers for that region. -If an edge router is updated, taken out of rotation, etc. then those domains update quickly and automatically with no further action required. +The edge hostname's destination IP addresses are updated automatically should they change. -An A record pointed at the same IP addresses would need to be updated manually every time an edge router changes or is temporarily offline. -That means every time Platform.sh is doing routine maintenance or upgrades on the edge routers there's a significant potential for a site to experience a partial outage if a request comes in for an offline edge router. +If a router is being upgraded and its IP changed, two possibilities arise: -We don't want that. -You don't want that. -Using a CNAME DNS record pointing at the "edge hostname" avoids that problem, as it's updated almost immediately should the edge router configuration change. +* Your apex domain points to the edge hostname using `CNAME`/`ANAME` or `ALIAS` records. The IP addresses for the routers are updated automatically. You don't need to do anything. Your website remains online. +* Your apex domain points to your project's region using `A` records. + The IP addresses for the routers aren't updated automatically. + Your website appears temporarily offline until you manually update your `A` records or the router is back from maintenance. -## Why are CNAME records problematic? 
+The edge hostname can be [retrieved through the CLI or the Console](./_index.md#2-get-the-target-for-your-project). -The DNS specification was originally published in 1987 in [RFC 1034](https://tools.ietf.org/html/rfc1034) and [RFC 1035](https://tools.ietf.org/html/rfc1035), long before name-based HTTP hosting became prevalent. -Those RFCs plus the many follow-ups to clarify and expand on it are somewhat vague on the behavior of CNAME, but it's generally understood that an apex domain (`example.com`) may not be used as an alias in a CNAME record. -That creates a problem if you want to use an apex domain with any container-based managed hosting service like Platform.sh, because of the point above. +## Why `CNAME` records are problematic -There's a [detailed thread](https://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain) on the subject that provides more technical detail. +The DNS specification was originally published in 1987, long before name-based HTTP hosting became prevalent. +In the multiple RFCs that were written regarding `CNAME` records, the description of their behavior is rather vague. -## Where should the CNAME point to? +It's generally understood that a `CNAME` record for an apex domain like `example.com`: -You can access the CNAME target from your terminal by using the CLI and the command: +* Can only point to an IP address like `192.0.2.1` (an `A` record). +* Can't be used as an alias for another hostname like `www.example.com` (a `CNAME` record). -```bash -platform environment:info edge_hostname -``` +The `CNAME` record limitation is especially problematic if you want to use an apex domain with any container-based managed hosting service like Platform.sh. + +Many registrars allow `CNAME` records for apex domains. +If yours doesn't, several solutions exist [to bypass that limitation](#handling-apex-domains). 
## Handling Apex domains -There are a number of ways of handling the CNAME-on-Apex limitation of DNS. +Some DNS providers (usually your registrar) don't allow `CNAME` records for [apex domains](../../other/glossary.md#apex-domain). +This is one of the [limitations to `CNAME` records](#why-CNAME-records-are-problematic). + +Check your registrar's documentation to make sure that `CNAME` records on apex domains are supported. +If your registrar supports them, follow the [guide to using such records](../steps/_index.md). +If your registrar doesn't support them, there are a number of ways to handle the limitation. + +The recommended approach is to use custom records. + +{{< codetabs >}} + +--- +title=Use custom records +file=none +highlight=false +--- -### Using a DNS provider with custom records +Some DNS providers offer custom, non-standard records (sometimes `ANAME` or `ALIAS` records) that you can manage like `CNAME` records. +These nonstandard records make an internal lookup behind the scenes and respond to DNS lookups as if they were `A` records. +As these are nonstandard, their behavior (and quality) can vary and not all DNS registrars offer such a feature. -Many DNS providers have found a way around the CNAME-on-Apex limitation. -Some DNS registrars now offer custom, non-standard records (sometimes called `ANAME` or `ALIAS`) that you can manage like a CNAME but do their own internal lookup behind the scenes and then respond to DNS lookups as if they were an `A` record. -As these are non-standard their behavior (and quality) can vary, and not all DNS registrars offer such a feature. +If you want your site to be accessible at a URL like `https://example.com` and not only `https://www.example.com`, +this is the best way to do so. -If you want your site to be accessible with `https://example.com` and not only `https://www.example.com` this is the best way to do so. 
-Examples of such workaround records include: +To configure your domain name to point to your project using custom records, follow the instructions on [how to set up a custom domain](./_index.md). +When you come to configuring your DNS provider, replace the suggested `CNAME` record with the custom record pointing from your domain to the target. + +Examples of such workaround records and providers include: - * CNAME Flattening at [CloudFlare](https://www.cloudflare.com/) - * ANAME at [easyDNS](https://www.easydns.com/), [DNS Made Easy](http://www.dnsmadeeasy.com/), or [Name.com](https://www.name.com/) - * ALIAS at [DNSimple](https://dnsimple.com/) or [ClouDNS](https://www.cloudns.net/) +* `CNAME` flattening at [CloudFlare](https://developers.cloudflare.com/dns/additional-options/cname-flattening) +* `ANAME` records at [easyDNS](https://easydns.com/features/aname-root-domain-alias/), + [DNS Made Easy](https://support.dnsmadeeasy.com/support/solutions/articles/47001001412-aname-records), + and [Name.com](https://www.name.com/support/articles/115010493967-adding-an-aname-alias-record) +* `ALIAS` records at [DNSimple](https://support.dnsimple.com/articles/alias-record/) + and [ClouDNS](https://www.cloudns.net/wiki/article/18/) -Platform.sh recommends ensuring that your DNS Provider supports dynamic apex domains before registering your domain name with them. -If you are using a DNS Provider that doesn't support dynamic apex domains then you can't use `example.com` with Platform.sh, and need to use only `www.example.com` (or similar) instead. +<---> + +--- +title=Use domain forwarding +file=none +highlight=false +--- + +If your registrar doesn't support custom records, you can consider using domain forwarding. + +If your domain is `example.com`, domain forwarding redirects all requests from `example.com` to `www.example.com`. 
-### (Alternate) Using a DNS provider with apex domain forwarding +To configure your domain name to point to your project using domain forwarding: -If you are willing to make the `www.` version of your site the canonical version (which is recommended), some registrars or DNS providers may provide a domain redirect feature—also known as domain forwarding—from the apex domain `example.com` to `www.example.com`. -Before looking to change registrars, check whether your current provider supports both domain forwarding for the Apex *and* the DNS CNAME record to Platform.sh for the `www.` at the same time. -The following DNS providers are known to support both apex forwarding and advanced DNS configurations simultaneously: +1. Make the `www.` version of your site the default (canonical) version and configure your app and routes to [use the `www` subdomain as upstream](../../define-routes/_index.md). +2. Follow the instructions on [how to set up a custom domain](./_index.md). + When you come to configuring your DNS provider, replace the suggested `CNAME` record with a record forwarding requests from {{}} to `www.`{{}}. -* [Namecheap](https://www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-do-i-set-up-a-url-redirect-for-a-domain) +The following DNS providers are known to support both domain forwarding and advanced DNS configurations: -### (Alternate) Using a `www` redirection service +* [Namecheap](https://www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-redirect-a-url-for-a-domain/) -If your preferred registrar/DNS provider doesn't support either custom records or the apex domain forwarding options above, free services such as [WWWizer](http://wwwizer.com/) allow blind redirects and allow you to use a CNAME record to Platform.sh for `www.example.com` and an `A` record to their service at `example.com`, which in turn sends a redirect. 
+<---> -{{< note >}} -If using a redirection service, you must ensure that `http://example.com/` redirects to `http://www.example.com/`, not to `https://www.example.com/`. -(That is, the HTTP URL redirects to an HTTP URL, not to an HTTPS URL.) -Platform.sh automatically redirects that request to the HTTPS itself. -Trying to change the protocol and domain in the same redirect causes issues for Let's Encrypt and prevent the TLS certificate from being issued correctly. -The extra redirect adds only a millisecond or two to the first page load only, and is imperceptible to most humans. -{{< /note >}} +--- +title=Use a `www` redirection service +file=none +highlight=false +--- + +If your registrar doesn't support custom records or domain forwarding you can consider using a redirection service. + +If your domain is `example.com`, a redirection service uses an `A` record to redirect all requests +from `example.com` to `www.example.com`. -### (Alternate) Using A records +One such redirection service is [WWWizer](http://wwwizer.com/naked-domain-redirect). -If you absolutely can't use a DNS provider that supports aliases or a redirection service, it is possible to use `A` records with Platform.sh. -They result in a sub-optimal experience. +To configure your domain name to point to your project using a redirection service: -This process has a few limitations: +1. Make the `www.` version of your site the default (canonical) version and configure your app and routes to [use the `www` subdomain as upstream](../../define-routes/_index.md). +2. Follow the instructions on [how to set up a custom domain](./_index.md). + When you come to configuring your DNS provider, replace the suggested `CNAME` record with + an `A` record pointing from your domain to the redirection service. + For WWWizer, that's the IP `174.129.25.170`. +3. Ensure that your redirects use the same protocol: + `http://example.com` redirects to `http://www.example.com`, not to `https://www.example.com`. 
+ Redirects from `http` to `https` are handled automatically. + Trying to change the protocol and domain in the same redirect causes issues for Let's Encrypt + and prevents the TLS certificate from being issued correctly. -* Should we ever need to change one of those IPs your configuration needs to be manually updated. -Until it is some requests are lost. +The extra redirect adds a few milliseconds to the first page load. + +<---> + +--- +title=Use `A` records +file=none +highlight=false +--- + +If your registrar doesn't support custom records or domain forwarding and you can't use a redirection service, consider using `A` records. + +Using `A` records is _strongly discouraged_ and [should only be used as a last resort](#why-cname-records). + +Using `A` records has several limitations: + +* If the IPs change, you need to manually update your configuration. + Until you do, the site can appear offline because requests are lost. * Directly pointing at the edge routers bypasses their load-balancing functionality. -Should one of them go offline for maintenance (as happens periodically for upgrades) about 1/3 of requests to your site goes to the offline router and be lost, making the site appear offline. + Should one of them go offline for maintenance (as happens periodically for upgrades), + about 1/3 of requests to your site are sent to the offline router and are lost, making the site appear offline. + +To configure your domain name to point to your project using `A` records: -{{< note theme=info title="none" >}} -For that reason using A records is _strongly discouraged_ and should only be used as a last resort. -{{< /note >}} +1. Get the IP addresses of your project's production environment by running `dig +short $(platform environment:info edge_hostname)`. +2. Follow the instructions on [how to set up a custom domain](./_index.md). 
+ When you come to configuring your DNS provider, replace the suggested `CNAME` record + with separate `A` records pointing from your domain to each of the IP addresses from step 1. + Incoming DNS lookups pick one of those IP addresses at random to use for the given request (known as round-robin DNS). -See the [Public IP](/development/regions.md) list for the 3 Inbound addresses for your region. -In your DNS provider, configure 3 separate A records for your domain, one for each of those IP addresses. -Incoming requests then pick one of those IPs at random to use for that request (the so-called DNS round-robin). +{{< /codetabs >}} diff --git a/docs/src/domains/steps/subdomains.md b/docs/src/domains/steps/subdomains.md index 891f8ebb87..f357b89012 100644 --- a/docs/src/domains/steps/subdomains.md +++ b/docs/src/domains/steps/subdomains.md 
@@ -6,28 +6,32 @@ description: "How to handle multiple subdomains in different projects." --- You can host multiple subdomains, such as `foo.example.com` and `bar.example.com`, -within a single Platform.sh project using [routes](../../define-routes/_index.md). +within a single project using [routes](../../define-routes/_index.md). -To use subdomains across multiple projects, you need to add an additional DNS record. -If you don't, you may receive an error when trying to add a subdomain to a second project. +If you try to use a domain that's claimed on another project, you see an error like the following: -## Quick solution +```text +This domain is already claimed by another project. If this is incorrect or you are trying to add a subdomain, please open a ticket with support. +``` -To enable multiple projects to use subdomains of the same domain, add a DNS `TXT` record with your DNS registrar. -Consult your registrar's documentation for how to do so, as it varies by registrar. +## Use subdomains across multiple projects -The record should look like the following: +To enable multiple projects to use subdomains of the same domain, +you need to add a specific `TXT` record for your domain. +Consult your registrar's documentation for how to add such a record. + +The `TXT` record should look like the following: ```text -_public-suffix-root.example.com TXT "public-suffix-root=example.com" +_public-suffix-root.{{}} TXT "public-suffix-root={{}}" ``` -Replace `example.com` with your actual domain name. -That tells Platform.sh to treat `example.com` effectively as a top-level domain -so you can add multiple `something.example.com` domains to different Platform.sh projects. +Replace {{}} with your actual domain name. +This means your domain is treated as a top-level domain +so you can add multiple subdomains to different projects. -Note: You should add this record before you add your first domain (such as `example.com`) to Platform.sh. 
-You can remove the record after adding subdomains, which reinstates [hijacking protection](#subdomain-hijacking-protection). +Note: You should add this record before you add your first domain to Platform.sh. +You can remove the record after adding subdomains, which reinstates [subdomain hijacking protection](#subdomain-hijacking-protection). This ensures no other users could possibly add a subdomain to their project, though your DNS records should prevent them from actually using it (assuming you don't use wildcards pointing at Platform.sh). 
@@ -45,29 +49,32 @@ For example, a web page at `foo.bar.baz.example.com` can usually set a cookie th to `bar.baz.example.com`, to `baz.example.com`, or to `example.com`, but *not* to all `.com` domains. That allows a single logical site to be segmented across different subdomains but use a single account login cookie. Setting a cookie for all `.com` domains would be a security risk. -(There are other restrictions on TLDs, but cookies are the easiest example.) +Other restrictions apply to TLDs, but cookies are the most basic example. Aside from true TLDs, browser makers have a list of domain suffixes that should get the same special handling called the [Public Suffix List (PSL)](https://publicsuffix.org/). If you added the `example.com` domain to the PSL, browsers would refuse to set a cookie on `example.com` from a page at `foo.example.com`. -(They would still accept cookies from a page at `example.com`.) +They would still accept cookies from a page at `example.com`. ### Subdomain hijacking protection By default, Platform.sh allows only one project to use a given domain at a time. -This is to prevent a malicious actor from registering a project with `evil.example.com` +This is to prevent a malicious actor from registering a project with a subdomain such as `evil.example.com` and using that to set cookies on your `example.com` website. When a domain is added to any project, the first level of the domain not in the PSL is considered "reserved" for that project. So if you add `foo.bar.baz.example.com` to a project, that project now owns `example.com` as far as Platform.sh is concerned and no other project can have a domain anywhere in `*.example.com`. -(Multiple subdomains within that same project are perfectly fine.) +Multiple subdomains within that same project are perfectly fine. + +Subdomain hijacking protection ensures that no other users can add a subdomain to their project +as long as you don't use wildcard DNS records pointing at Platform.sh. 
In most cases, that's a desirable added layer of security. But you may run into a problem when you want multiple subdomains from the same organization as separate projects. -(Multiple departments at the same university, for instance.) +For example, multiple departments at the same university. One option would be to add `example.com` to the PSL, but you might not want or be able to do that. To limit what domains get protected, Platform.sh supports a small extension to the PSL. @@ -89,17 +96,5 @@ In certain cases (such as if your domain was added manually by Platform.sh suppo your domain may be reserved for the project you added it to. Then you can't set up a second project with the bare domain (`example.com`) or a subdomain (`foo.example.com`). -If that happens, open a support ticket and our support team can remove the protection for that domain. +If that happens, [contact support](../../overview/get-support.md). Include the project ID of the project that already has the domain. - -## Claimed domains - -If you try to use a domain that's claimed, you see an error like the following: - -```text -This domain is already claimed by another project. If this is incorrect or you are trying to add a subdomain, please open a ticket with support. -``` - -This relates to the [subdomain highjacking prevention](#subdomain-hijacking-protection). -It's likely the result of an attempt to assign subdomains across multiple projects. -See the [solution above](#quick-solution). \ No newline at end of file diff --git a/docs/src/domains/steps/tls.md b/docs/src/domains/steps/tls.md index bc22a57c04..89457671c0 100644 --- a/docs/src/domains/steps/tls.md +++ b/docs/src/domains/steps/tls.md 
@@ -1,85 +1,89 @@ --- -title: "(Optional) Configure a third-party TLS certificate" +title: "Configure a third-party TLS certificate" weight: 3 -sidebarTitle: "Custom TLS" +sidebarTitle: "Custom TLS certificates" --- -Platform.sh automatically provides all production environments with standard TLS certificates issued by [Let's Encrypt](https://letsencrypt.org/). +Platform.sh automatically provides all environments with standard Transport Layer Security (TLS) certificates issued by [Let's Encrypt](https://letsencrypt.org/). No further action is required to use TLS-encrypted connections beyond [specifying HTTPS routes](../../define-routes/https.md). -Alternatively, you may provide your own third-party TLS certificate from the TLS issuer of your choice. +You can also provide your own third-party TLS certificate from the issuer of your choice. +Platform.sh doesn't charge for using a third-party TLS certificate, although the issuer may. Consult your TLS issuer for instructions on how to generate an TLS certificate. +You can use many kinds of certificates, including domain-validated, extended validation, high-assurance, and wildcard certificates. + A custom certificate isn't necessary for development environments. Platform.sh automatically provides wildcard certificates that cover all `*.platform.sh` domains, including development environments. -{{< note >}} - -The private key should be in the old style, which means it should start with `BEGIN RSA PRIVATE KEY`. -If it starts with `BEGIN PRIVATE KEY`, it's bundled with the identifier for key type. +If you are using a third-party certificate, seven days before it expires +Platform.sh issues a Let's Encrypt certificate and replaces the custom certificate with it to avoid interruption in service. +If you wish to continue using the custom certificate, +replace it with an updated certificate more than seven days before it expires. 
-To convert it to the old-style RSA key: - -```bash -openTLS rsa -in private.key -out private.rsa.key -``` +### Add a custom certificate -{{< /note >}} +You can add a custom certificate using the [CLI](../../administration/cli/_index.md) or in the [Console](../../administration/web/_index.md). -### Add a custom certificate +Your certificate has to be in PKCS #1 format and start with `-----BEGIN RSA PRIVATE KEY-----`. +If it doesn't start that way, [change the format](#change-the-private-key-format). -You can add a custom certificate in the [Console](/administration/web/_index.md) -or using the [command line interface](../../administration/cli/_index.md). +To add your custom certificate, follow these steps: {{< codetabs >}} --- -title=In the Console +title=Using the CLI file=none highlight=false --- -- Select the project where you want to add a certificate. -- Click {{< icon settings >}} **Settings**. -- Click **Certificates**. -- Click **+ Add**. -- Fill in your private key, public key certificate, and (optionally) intermediate SSL certificates. -- Click **Add Certificate**. +1. Add the certificate with the following command: + + +
platform domain:add {{}} --cert {{}} --key {{}}
+ + For example: + + ```bash + platform domain:add secure.example.com --cert /etc/TLS/private/secure-example-com.crt --key /etc/TLS/private/secure-example-com.key + ``` + + You can optionally include intermediate SSL certificates by adding ‐‐chain {{}} for each one. + +2. Redeploy your production environment with the following command: + + ```bash + platform environment:redeploy + ``` <---> + --- -title=Using the CLI +title=In the Console file=none highlight=false --- -Run the following command: - -```bash -platform domain:add -p --cert --key -``` +1. Open the project where you want to add a certificate. +2. Click {{< icon settings >}} **Settings**. +3. Click **Certificates**. +4. Click **+ Add**. +5. Fill in your private key, public key certificate, and (optionally) intermediate SSL certificates. +6. Click **Add Certificate**. +7. Access your production environment. +8. Click {{< icon more >}} **More**. +9. Click **Redeploy**. -For example: - -```bash -platform domain:add -p abcdefg123456 secure.example.com --cert /etc/TLS/private/secure-example-com.crt --key /etc/TLS/private/secure-example-com.key -``` +{{< /codetabs >}} -You can optionally include intermediate SSL certificates by adding `--chain ` for each one. +### Change the private key format -{{< /codetabs >}} +Your certificate's private key needs to be in PKCS #1 format, which means it starts with `-----BEGIN RSA PRIVATE KEY-----`. +If it has `-----BEGIN PRIVATE KEY-----` instead, it's in PKCS #8 format and you need to change it. -For the new certificate to be taken into account, you need to [redeploy the environment](../../development/troubleshoot.md#force-a-redeploy). +To convert your private key (`private.key`) from PKCS #8 to PKCS #1 format (`private.rsa.key`), run the following command: ```bash -platform environment:redeploy +openTLS rsa -in private.key -out private.rsa.key ``` - -{{< note theme="info" title="Success!" 
>}} - -Your site should now be live and accessible to the world (as soon as the DNS propagates). - -{{< /note >}} - -If something isn't working see the [troubleshooting guide](/domains/troubleshoot.md) for common issues. -If that doesn't help, feel free to [contact support](../../overview/get-support.md). diff --git a/docs/src/domains/troubleshoot.md b/docs/src/domains/troubleshoot.md index 65a0868ff7..2a541f9eb1 100644 --- a/docs/src/domains/troubleshoot.md +++ b/docs/src/domains/troubleshoot.md @@ -2,7 +2,7 @@ title: "Going Live - Troubleshooting" weight: 4 description: | - If all steps above have been followed and the site still doesn't resolve (after waiting for the DNS update to propagate), here are a few simple self-help steps to take before contacting support. + If your site doesn't resolve after you've made DNS changes, check potential solutions to common issues. sidebarTitle: "Troubleshooting" --- 
@@ -10,28 +10,36 @@ sidebarTitle: "Troubleshooting" ## Verify DNS -On the command line with OS X or Linux (or using the Linux subsystem for Windows) type `host www.example.com`: +On the command line using macOS, Linux, or the Windows Subsystem for Linux, run the following command: -The response should be something like: +```bash +host www.{{< variable "YOUR_DOMAIN" >}} +``` + +If your domain is `example.com`, the response should be something like the following: ```text -www.example.com is an alias for main-t2xxqeifuhpzg.eu.platform.sh. -main-t2xxqeifuhpzg.eu.platform.sh has address 54.76.136.188 +www.example.com is an alias for main-abcd123.abcdefgh1234567.eu.platformsh.site. +main-abcd123.abcdefgh1234567.eu.platformsh.site has address 192.0.2.1 ``` -1. If it isn't, either you haven't configured correctly your DNS server, or the DNS configuration didn't propagate yet. - As a first step you can try and remove your local DNS cache. -2. You can also try to set your DNS server to the Google public DNS server (8.8.8.8/8.8.4.4) - to see if the issue is with the DNS server you are using. -3. Try to run `ping www.example.com` (with you own domain name). - If the result is different from what you got from the `host www.example.com`, - you might want to verify your `/etc/hosts` file (or its windows equivalent), - you might have left there an entry from testing. +If it isn't, try the following steps: + +* Your DNS server might not be correctly configured or the old DNS records are still cached. + Try removing your local DNS cache. +* Set your computer's DNS server to Google Public DNS (`8.8.8.8` and `8.8.4.4`) + to see if the issue is with the DNS server you are using. +* Run `ping www.{{< variable "YOUR_DOMAIN" >}}`. + If the result is different from what you got from running `host www.{{< variable "YOUR_DOMAIN" >}}`, + you might need to remove your [test settings](./checklist.md#2-test-your-site). 
## Verify SSL -On the command line with OS X or Linux (or using the Linux subsystem for Windows), -type `curl -I -v https://example.com` (again using your own domain): +On the command line using macOS, Linux, or the Windows Subsystem for Linux, run the following command: + +```bash +curl -I -v https://www.{{< variable "YOUR_DOMAIN" >}} +``` The response should be long. Look for error messages. They're usually explicit enough. @@ -40,11 +48,11 @@ Often the problem is with a mismatch between the certificate and the domain name ## Verify your application On the command line type `platform logs app` and see there are no clear anomalies there. -Do the same with `platform logs error` +Do the same with `platform logs error`. ## Use ASCII for the domain -Platform.sh expects an ASCII representation of your domain here. +Platform.sh expects an ASCII representation of your domain. To use an internationalized domain name, convert your IDN domain to ASCII. Use a tool such as the [conversion tool provided by Verisign](https://www.verisign.com/en_US/channel-resources/domain-registry-products/idn/idn-conversion-tool/index.xhtml). @@ -52,6 +60,4 @@ Use a tool such as the [conversion tool provided by Verisign](https://www.verisi {{% troubleshoot %}} -[Contact support](/overview/get-support.md) - -We are here to help. Please include as much detail as possible (we can provide quicker help). +If your website is still not working as expected, [contact support](../overview/get-support.md). diff --git a/docs/src/environments/default-environment.md b/docs/src/environments/default-environment.md index 8bc0a7a239..a3be33eadf 100644 --- a/docs/src/environments/default-environment.md +++ b/docs/src/environments/default-environment.md 
@@ -177,9 +177,9 @@ Follow the instructions to change the default branch to `main` for your provider ## 7. Update DNS records Whether or not you're using a CDN, -if your site is live you have probably added a Platform.sh address somewhere when configuring a [custom domain](../domains/quick-start.md). +if your site is live you have probably added a Platform.sh address somewhere when configuring a [custom domain](../domains/steps/_index.md). If you have a CDN, it's with the CDN provider. -If you don't have a CDN, it's probably a CNAME record. +If you don't have a CDN, it's probably a `CNAME` record. In either case, the setting probably has the old environment name as part of it. Update the setting to use the new environment name. @@ -187,7 +187,7 @@ Update the setting to use the new environment name. Verify that the new URL is correct by comparing it to the result from this command: ```bash -platform environment:info edge_hostname -e main +platform environment:info edge_hostname ``` ## 8. Optional: Delete the `old` environment diff --git a/docs/src/gettingstarted/next-steps/going-live/configure-dns.md b/docs/src/gettingstarted/next-steps/going-live/configure-dns.md index ca6f62dfa5..6e6d9485a6 100644 --- a/docs/src/gettingstarted/next-steps/going-live/configure-dns.md +++ b/docs/src/gettingstarted/next-steps/going-live/configure-dns.md 
@@ -10,18 +10,19 @@ The next step is to configure your DNS provider to point to the domain of your p {{< asciinema src="videos/asciinema/cname-target.cast" >}} -You can access the CNAME target from your terminal by using the CLI and the command: +You can access the `CNAME` target from your terminal by using the CLI and the command: ```bash platform environment:info edge_hostname ``` -Add a CNAME record from your desired domain (and it's `www` subdomain) to the value of the `edge_hostname`. -Depending on your registrar, this value may be called an "Alias" or something similar. +If your registrar supports `CNAME` records for apex domains (such as `example.com`), +add a `CNAME` record from your desired domain (and it's `www` subdomain) to the value returned. +If your registrar doesn't support this or you want to know more, see more on [DNS and apex domains](../../../domains/steps/dns.md) -If your application is going to serve multiple domains, you need to add a CNAME record for each of them. +If your application is going to serve multiple domains, you need to add a `CNAME` record for each of them. -You can find out more information about using an apex domain and CNAME records +You can find out more information about using an apex domain and `CNAME` records in the [Going Live documentation](/domains/steps/dns.md). Depending on your registrar and the TTL you set for the domain, diff --git a/docs/src/gettingstarted/next-steps/going-live/first-steps.md b/docs/src/gettingstarted/next-steps/going-live/first-steps.md index a57f28d5b4..72f38d964f 100644 --- a/docs/src/gettingstarted/next-steps/going-live/first-steps.md +++ b/docs/src/gettingstarted/next-steps/going-live/first-steps.md 
@@ -10,7 +10,7 @@ Before you take your site live, there are a few steps that help you prepare the 1. **Register your domain and choose a suitable DNS provider** - If you plan on serving exclusively from a subdomain such as the historically common `www.` subdomain, you are able use any DNS provider that supports CNAME records. If you wish to use the apex domain, such as `https://site.com`, with no `www.` subdomain, choose one of the specialized DNS providers that allow you to use [ALIAS or ANAME records](/domains/steps/dns.md). Make sure to do this before moving on to the next steps, as the CLI rejects attempts to add domains that don't allow CNAMEs. + If you plan on serving exclusively from a subdomain such as the historically common `www.` subdomain, you are able use any DNS provider that supports `CNAME` records. If you wish to use the apex domain, such as `https://site.com`, with no `www.` subdomain, choose one of the specialized DNS providers that allow you to use [ALIAS or ANAME records](/domains/steps/dns.md). Make sure to do this before moving on to the next steps, as the CLI rejects attempts to add domains that don't allow `CNAME`s. 2. **Test your routes** diff --git a/docs/src/other/glossary.md b/docs/src/other/glossary.md index 22ea78bbd0..ee45160d5b 100644 --- a/docs/src/other/glossary.md +++ b/docs/src/other/glossary.md @@ -12,6 +12,12 @@ aliases: An environment that's deployed. See how to [deactivate an environment](../environments/deactivate-environment.md). +## Apex domain + +An apex domain is a domain name that doesn't include a subdomain. + +For example, `example.com` is an apex domain and `www.example.com` is a subdomain. + ## Branch Branching an environment means creating a new branch in the Git repository and an exact copy of that environment. 
diff --git a/docs/static/images/management-console/edit-plan.png b/docs/static/images/management-console/edit-plan.png deleted file mode 100644 index fe71b93516f6e55f8671d7b542f6a4dcace63518..0000000000000000000000000000000000000000 GIT binary patch
zzUnzE%g*Pk7tYe7#2?au*OC6GuY>X-V#ZwjSZ z!w1ak&!0aar^~)(eEwX(_pBzlm>vp^mjGatvmTP36p$4j9^T*IzdXyr!ctsRba;3e z{cRDUqmw{Um8}dY;gZ_&2Y>LS0^zF?K?~zbslqyjh9%`%K!>5qZHTtx3L$#*2*_Um z?wqWT$fKYP47oWuImo%D!6Awm?=Lkq+D-CJ&-nSZf2TNWHz|e5TU2N4#CSQ&(HtAy3-uy!vf1Ux)ql*m!hK$MqP(yH2kY7#q_Ois339 zUp>8?q117fQ9Q3&pA4BA9U_{SpXu@7i+lm}D?9`-`G(5zX+hX^K&#LW9eZ761s#?r zTPzdd2=mmWBqluv7ne$km+%8z9Gs22BNX)*w&`;7up$a{Fc5y~j9YH&)E)11Mwo&~ zb^7{?57u?Y2_VZ@+%nrKUY+VJ+NV!VhVxWBllL9JzPYxXj{!geAr*b2V|5^NtXR*S zst_JCLX%%rrP(AtDvagm^24Lx?-!1r2$Rz^@sMwtyci6`6@$0m$KFWA++a{nWfptY z^wV2@bSIFIp)7m()DfHWMcKIBa6(i|rA|GC9ObNfbDIwv$=r ziK3|qfbm45MwSX>nPFlCp z>Wrc(Smb3!QCM$NJASluhiVkUYV=XGPa#_4mplwMu=4mAPDsvW7JQznJ2(!6xgNZ> z2%7@Wt;kAs-*>pk%aWpO&OJYyLyCviuAAe=&3$9wH5w4@%)Bi-n$9c8_W@i0>Lo?# z!qg6TT_KgjH(BB>@Y)#?Cfli*q%o)VI_)D%91XnGmZ}RBxeQPdMOKlrn{J17U*tv? zGzv9!9!93J3;1o$HcqYOIX^AKZAQ+Cw%O2}13k}rLKn^wH(mjhlP-d|w**we7O3gS zyHPZhJH*jk1f<0a{tlCtg9Av&>RCq>SVZvf z5R_clC?~wA#C)gsXaRye7Sg=Cx;&9pH#62;E5ao}RXc7nZRRM{XPPdXj0D z8rs5S#WnWb^Idok>vP0mL z&D(v41f>b#+qjSW3oN7NL_PN5n0r1l{>%>!au`W#S-*_1Azmkt@4uXgr%QFD))zVg znSYL+_U%IbPE!yl>&VJ}*=)~INO;OLTVhb}d=Va{4nxqCw-#|pb4bxVC)LC~cya$!bkPlTzf1l+$P!0&>+|y*fK4Vm zBvtL@b6$!<}OzrIy@xU2$QjpOQp% z+add^JNZ3B2!Z5yA2=R6)5C<7o>*N<)?iAZ(TjHxKj@vFf=U70P#*^eCyJRZfZFF* z0+0+4!Vj&xQytma?~GnjqS7hO4h30E4a-bEcUsH06FTU8B8(ZwfQjk5zmJhnhp4>kJ3;TR zdr#iN!~@}pAeSTtNf4KLnB~VsBi?iJ-Rn^Hln77BEK&#E8^xRUbeZiIly0HuXoP#) z>3y{BBmr&Go6RWl2t?`dZgfv+N? 
z4*y!xa+0}KCsLlLG3x3gIb_Q`!H`w8HATq>Kd6UK4GZ0zusp0@yIWqDyQv6AS)oK( z0`STqt-|X`GB^UIBa}c$HcJS|UVh~S@3YHS%`C4q99fi{yI}FDt*)Im#Yl5W@EhJ4 z_||?g{#p|j;WF7oLs1@rci^_h$$+rVkich0h_MItB=b&A6j(Yblr5vRtL+Tr0H}S}MyImIG=x7&3 zdn`G0~%|2!XXKc6>D8r7f@v;F@wARR^X7T|Y{1H1NIa#q!%9 z9MFzLtJ-UA$&LbLybLYy{FH?{bm;k>LYm=5W(vYC{@|NJfSG6%p7hh8g?NPQ1U^fg zjV_OE=;E^yoV)NvQr<|DJNOi`Kd10%%mdH{S=reMabOW(r>ln27+u_@nM!!VdbdxVfUOBAcqz%yZ5&v# z1>G=6*&JUIe%bb9LX4W<{@1T>?^RS(92X;RD0&@lg_5I_F3 z8X^9Car2wa-=CA55KbWFw-R_|&@On?qSL;KF1I8M(r#}tFeUl*rkyP^99MH}&(xn( zP;-w-kQ5f`eCxf~NZw{0D>Y)%DK03GD;4JqUa&aI|9~%zro8}C)uI~cpJDG~?Ix$6 ztSY%~AmwCTI@Bf~42039&v=-kQuN;%+?iM6qzT@ z5m^F+^KJv05frC3(2@ctK;0Ud&^eVCM;>U&&+=(8cj+CI;a8a#|vIv*eZ|05o0w92<9ddK1Yg&3W#PW6`z^iTK zsG>tJs$8$U8-~_x_B}tW?F5BI7B|n%z_sY-YCzSay>nwGC#bfIiq|GyhZCOqR`wF; z^4!&;<g*)XEV9FQgwL-)@%Slg*;KDR+0 ztKnx8H)MG`J39vlP z%lX7fQcyKIR35dpN$nV-Mb!5`?Ivf9E+wzFct%VvLS!M~K)$BJIIun@j+?WtYFqIEm#Vo>8 zdHL-;9r4p%(+a@m{OM_*GcralCUvS z$v^+F`KVir+zeJ}rH8C;-T+1yEa<~JjTQnY@nQ6L)k7dHGGsZb^ zOiD(^7uGG2B~#>fTTgi6QdT0XZNAhY?mO-43tOf}W|e;jY71qMacd~$)N*-uO%1=# zs{tW>0b^U#?YJQe14;nN&CgGd02MwpGiwa(jQDDEd$~Kx`RP=oC`))?w8b+vglQC> zM6c!HjpoIVBmNvo3?gVEpftmznc9$;Ep&+OOr6H;)=+L(w;l%bfmh7aaC04goHMl= zaQm+rNDOIG_y1ZH>$mGmw&mPhv|i_Qo|U0t;6Haaw^zn2oJyOHy(*h@CQT>hiJyGP zJCA*?`7T1+QnnQB(pf#Z^7V?~O~wC#BM?uuOC%<(jc5w2soAs7Z+Y~J>*-QOU7#9m zW)U!oV|6t(CzeLk8NF3msBH!8GpDRy(QmyveEqauzp%8I(|nKh7y;K{o>~B$Y?)LI z9NJ3Ruk|}fGRQ2ncB`M6aID1rz~5yzT~D~DY*&a^m)`n@_srUeZLjn0KXRMS@98I9 zUbbfA{UTr}ZC-DevomvlZc6yN_0L`z7kQuTa#`V5tMon-SlH(P=UjhPOiRD4xcKVZ z8LxHsoN$}I`sHWoo0m!+HrmeQf3{NS)|yktg5JA-+xhLQP|C{}%eJR_>{Un!U%lD` z*eVKgS{oOqp7X|E>1>&!zqY1kCU9EySIK1^lhAFypUHT?Os!w5zWCU&H~Q6|f&K28 zDsw-iR8OhhyYB;VTrl z_nUL$&f4O$zQx}Au75o+?cb-#z_Ltj^1}*0h0TXvZk;---#uTd)Iv4wftvTR@SO+Y3Z+`?4Ose2`ReuHlj|4y^YUuDPx_; zrj5X%9>=o&Y1a;=sOv=csw$p5wzT`<+v-yXfXk_y7shbs-T5f`l&?|OGDjM zl`}sxT~eON3hY!q_`=3oS$=kwX_dIXJJZQiRjLzBftl?1nrfAwXN-7%+3f(%HcRS$ z-Er|OpYSI6X%Z#3x_N*LX*VrBt){U2&N}JO+0XaI+C{{~=**tIZ`S)Qy8WBO3Nvrd 
zf92u9^db2ca1f_%)s{JovvV)Z-uL%gbnVyNQ&TkidM7YCEN@fM%VqdsIMZ~3Oti)c zU_t!;RHQy9=Yg5-jHV6p!N3vSyj%Y+EOZ8r9dPsTeEIqnSiu3ua*Xm{zUTbv3>>s# zSkU?6#fv|GYVN8{PEkJn*!b?Sp4 
diff --git a/docs/static/images/management-console/settings-upgrade-plan.png b/docs/static/images/management-console/settings-upgrade-plan.png deleted file mode 100644 index 7a9c4c2f63b4eac6f091d8c4105b0155396e71cd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 72116
zjP&bU@?M%}?{xkonc5)HGrw8$E|csQ+4rLOpLX5p({Ow33BVn?Kd1*eL~S9Y7|q7q zZBY2rBn~*DZNSI=e;E-~;9q|*;g@c@6acW%^jQ2Jms~>h*O4p*eqQIEyr4Z-PhIy z+5(`jvz>Iqu19dqx)Za2oSNC|MJuz_w#^q8DMXxbVu4w9Q6Y*)-{gt zsdob4UDM&xSfHWt0&pT$dp7*x8-jZ4_OxSs`6?rtKsKh|PweKT* z?0U7y)m-jF@h)R-{C0-k>l~Q^;8c5<`&;_-XI%jB`dcbQyf0j0h^nbGH+N74zp3qn zp%HkXKge4xh>4X%PTyroh~IfEIyTzlE+a!+TnSQ_sb?p}e1*1B;9Jk#_|>;fb9Ls4 zzBvC%!6Hpn96VEEBX zG4@IT^!FYgAf#h4PHFE|T*q#Jb7W;CA(~sU5j_f?BNc+*Xk9o^_Q9vNb5q}kP+e&1 zF_`JR^(jsK>`XlA3c1{WH@g<{3UU?KE?^aZu1@>W&1 z8&O?5sx;}`z%=jgb@Kq|?gt>=6j{BNwB%+EO7c0l;&q*+ma5|2J$;wCu4^s1_nANQ zvG))lhB+c1Ag^-n^-hK-J~zE+XY6XP{LEZC0Aa%JOzM*f;}Y6|=3Hoj=2=xVrIJr{ z;qlB`+w=CqjH!%5rV=FQlC_?!j+bP$d+e(C(lYMaN(cPowwM>SMOw;Eu;!vNQ#GEA zysAKb<$AuJI+0qYYf_L`Tv=1n{kiPXvWpj;7VefTu322b&ZOGgK0TsksK*;X4y=c_#PlgbM z)QQD2`Q_swQr7QCj12o#_wcpU4Wf{o)OVA4NCB4HTTeWt@6i3{>p^l{MQf={-K zPugHhYgTKIqa_5AKU<_u8oOxaBeb_mP;DUZtzCy5cf0wWk}fdjI*3#3OtN#so`$%} ztn>wt24d8_Ga7`Yno@2!_)3P(SMmT**#+6vGH8D^=`S3?laD$nQe&l z!R(W%8hFR&Ril8wrEuY_j<@Qvvk#GGL%BT;82Yps75h~C;DKsfs6};eoI{LT&+x_y z@KBf6=_5n8>csi{2FNdJTQ^^s)tV2QiW-_t7aG?b>49+hFR_sGm=sm;=37*hQD08#rvXc4q#nuqViC!6+ zo5Jruy8gEAO7dzi0!zG8yAB;GVnKP?~A_E6}JSxJ!7E7U-4n`cuTtBuZ z?II<~sR3d}b>BnGXahQ|2kI=BO*!^Wyqja5J2UCpgTWD71nX4#m?W?9j4xC$62a?9 zGa=VhpiB&SBAqQ=e7L(lmGQWYcPnzh$wS@-h795C2J+43z40>1&=el4;1rqy#Va5l zAJC%u zzULs%ua7>BQ7)DN`n~GnLxOAf3O3S|yV%sgq^5B4$C{ZWjO$=8JFCQ6?{@gL_k;`%In!pGitjWmv(B`%`Cqy?XYt)w%(wXWLO0iIB)@of`Gu^7I3vx^gQq52W0rWG_3FL#m_*6ksDEkT=Ztta(p?e( zoUD|+8Hk9R`mS-cy!WB!;M&^t+_Z755)7!{S3f5DGnEx1YD#xX^<{A5E30;IKs8ty8d-KAU|{_t+=J$nPm>P{7ZiH0CAqSUje?#!}Uo+bb50oQnE|I2(GSkSHhVO9GY zU6%#g?%2RXwE)LpS~CRc1{@-gf{9E*EJVLKS6%#s;gcfRF zp9XcWE~X|3<(~k0dE3*oFL>Z1&OGG246bZTdM&Vm7)#Jr(4-hClg`3?O^t`Pgs3D9%UkF0!+7(6XtdW??St=j^NR{ zn*(7OV=9wL>@G`6%it!=`OFr~ESJd2ST?{c9KkTgMbF4Tb^Nd8sVq+>_;E)=*bNpeYuIn7DO$F>u)z>M63M17{_bU zx&+)`A__9n_*YEm_XHbl$LrG1!Kf;7hg~Ctl4tuIXF<)in%lxGvBHSs_$a`5XF-H- z)}IL%iOq7Gn$$Q>+m2ge=-7cGC&a3u6L7#FAq&~2_Z@~|ONQamVYEPb`qpdhi%W#W 
zTaUtZ+Q!(bqwjEDFfAA_%R=GYIy%O()BvyM)rS34=6N2tVOoz7!-D4^CE?X=b@jH# zD=)OE!)OHmGS;Q~=F4pfgMKSISh)KMLF8%Kq}9?%#HoV$*&Au9v24D@c|+5ac~9aP zj5`W#c~4yi^q@d6RYYC2QzjbVI1>ef^2Tdt6B|uImNfAD!41(clM1?%h{mCWyUwim zUNkeTl8&04>-3486udrWJ93!M^FvQ_W6KwzYu~5ua}#ni4k}Y$Mfpq0luaAFjG11K zo(;*c>$^Dzx+naPQF5+Kgg}zpIeV{}T^@;#>Q5!+Mex?&USj(rzOjC$&6DT_K;@|;tv=Xg4hoKU)UdEa4V&)9YIAE)t!Pv2gmNbt~4Q$NB;`hvj&3YBio?Vd;#@jVET%4dG88m2l`>()Yxb>Cmzk@Y?cD?=CP22KKNM%z3o06H(2GGq zF5BJ-N5_OC)WKD#Ky6HDfU)T$nim!r$uNaiM5yNFZE3n|OeK;Idaa%~OZ`TOx8HvAVm{XN!Fu*0?D5o& ziLaCG`l|f}3%Oq91@=v;KDGjb47#vPtx`Xt@&ZW-4I5b`#+JposdV9<7tY-utgcWz?#qUUIEwT$R*XK8v7RYz9q|wr7Q=+c0XS+#3w3 z4tBe%H$@;Y!mjJW+g3IEVLkSrvO&}FPPq-S8R%wgNUq-!zT13vcemsC{_VrDDzZ}M zdER~(Q;{5&stS=;me91N1L=m)xS(`P>nfoQ?ZSynf=-otREx|EYLeFYV*bD$bqc~Z z$)mr-cGrBCjrk*DrV3GROa-&8Qw(S2o|k+sipxxlQn4}XM9Bh=JwFwP<%o47-%PC} z>Fm&` za-nqR`EwmlK;e~HQqtt?>>PcDW7qg((%&iTfKsl1;h1wtU%-IwW)2IOZiZghkl)5Z zP(fGuPBYj0aIT+O7^=W>0GOtfd8)1Mnx(0RvwtM9b)J)Fl$}wf3zP4}`I}W}CiPe9 z8=Kk*e)n9>hm{T-=;c!VssyL?_?)I3oiRMqj(&)3!c)CD~ zl>LP6B$u(h#>m4@C3w~+oBU!m7v(X??_Spr2z_3%9ae@w!Ap}i1M3yXD%u6TPug60gejbu`dR{pc3yb=tU?o$V4j%Qr z&GMTMlXr2IwfTC!@GXTo02{L4AKHbiTX$ptRbn#zZ@|b2E+VuA0eY_56Wo7j7|X61 z`U3-n!Nth@GMfax|N5Wb3RkL=fB#FyR=v14oE$1ffTQyMiyvQJrbtIcW`(Z%Lv; zxmJ8EzzJFYHiwXKW^6~Iw&Yti#q;#9T2er&|J6;teFO)}L2myM{lP1~R}xMu4!#1^ zd}SEAKeA54WcE_Zgyvp9)W!VHWoIt)D#% zyOXnAVio*0M#__b`(Ul4cCsJ$wY{K!+xTAeYVBbeNfIKH0 zo00r=Oh1wm$eE(1`>BMf_6D;6axo7uBQLxpOu7ZneWhCdRb`BkT1|Q|Kg*rHsHD7T`bc z0tGeFrY+6D9gL09c^`->n5l^?_dEB9ka;d0qvr>hZI(9Cjc!oy7y>|z1lv{9iU;4dOD};;ajLJ z0!KhkLB4_Epm*CdeZiXm-^{4W>TC1BMQ?bIZ4`|nmbPH3!0hKSAXIz$DJoGzW+27o zK^pXy<0xR)Y9nH|5czzD1MsU>?h8fd18 zUC)ZY-gn%~lV)fgtS!%Vd*9E1aJt+2tJ-19 z-<|-4&27HFRH#fZlF4Bs%buV+K%TDbA=aUsPVE0tQ40A82y@C~s!7M4`og22Bd(OB zX0EVI`Mfi;m8tVi>2wdTA8B#5$G9WI>7WO7GwyE{u6Bzi%CnP2u-C?@A(sD+eqw?3r@{J#?v$MQyZ|v-wphx=Ccc4(Owz0yH6UZ7R)1Injj5=UhO*l0aL0 z!0lQlCJU)JxA9>hAKoXHdr^VA7_ZKJTi|rRSS$-u67#5>2l}q7G*9}4bwFo@ga0Go 
zn{+3Y-ww2ZTSf%n?Fe~1RBquBVshN;XCY|rCM-<+z!?El_aR}E1J&1>BUuF=Aa~ly zHE{QlNM`1wAP#50oyMZ9IIl=Kn{XsJQDd`gQZp1LylK_%{n|#=AkhAY&*|NV-0S%> za4e#jYRid)T?%1 zqM;f_`Y;u~Xg|0&-opE^?j|_8FWYlC07KzveYM!gY1&}lrvkC8Dricww%y_^ z98!5*7w4NkB4lobG|ItW^akoJD~Fddd3)B(>-i(h_qCfWc6q#BPEZ7Dd*9zlPIpK;E!JqrO(ehjKEkz>>06!t#5fzB z1LLT$`nnTrCnjf9jM{q`%T?|hi~!jOle|U?R>S0W-#C6>LbM3S!;AL?!DNOIfA6F~ zsjCo!WLG|jN3xk;=B-Py_P&)yQj7^hAGfP|YFK9+P{wj=^%|_FV0Pk0y`BSW>1uM8 zqr}kM$gfC-@`H`($;2sv<49IDFZG-Wla#{QN(bWY_4H31mP9EA{Wh&X~KZI zDYHsm85Q({v334LfBE6Jmhwk4f zT`E0wi);NJvfWCsAZ(5?)$Da<&iF>On+k9O_1RlI#2Y|#@uR8ykbm^B`yQLDz{P{@ zq~#||!lgrR7%q*Pm0#!K6mL2(Oj%O{QU-Z8iHWkd`dY|)mV=H;+^z!aee%Cj1y2oM zpyW>=8SXF96w-x^*e)r3AIZ%xM`J(M18JH^Sqz_cyS?sRljxy{v;u+SxA$yM7;{k!gl}t9gw|i|%YBYfYo7#Q1#X5F?PJ{OCZ&mnO zk7hr4^mxvvGZ@juvs7oe%MMowLF+G`Ph9spaggRha&aHNfI_I3a&>3?`C0m`&5RdgYKG&V4qW>Ns|Lf#csshDqE1s55ELgga@`Ksiji*YQgWyv zFI+bbiB!VGP+wuA60UjL?Y-0I_VVGLJ1p2A=C(H=DoVgjPd51S+8UyR$K=Nz!Z5hw zz{2(Q>v@Y`kUYNCYSk5qfj!Q8vb+8A_2mmDY!f-K!Npg&vb}v(LQ9X+wA^8o^5gZF zWOaUf5l`6>?~2VVM&5(EaT3=S`+VhKIlLF9`(VgH%4_YbshCVYousXB!)z+BYY4{QA^l9V1wXMpMC*f0lb!qd)$ZC(VO^y-w1KAf! 
z&I>V4U-vA033lCeh-ZWM*V|Q-Py`dlJ$rWxlg;=_I7X(Wv`0EAzG%W^-SExWy?}+* zgSyOT-D1hMe2YU_J6NAtF7vCZDb<04Me01$U6QqHLpip+a_1+63%tfg*XCFENf1b; zHCw1~@U$`6CDII#Vpv?Ojhxvjvl7r02-)9?wFrw@^;jRF6TWi18?#S(M)t}IKk2P9 zW=XbPTz0pnSB3W72LitX!-i6#AQCf2yCBnpqWK58>wNCD^-B>BvzmgB{L+pMab)>S zhE5?PUOg^mIlpQLqs=f4E_o;@yC9I*6f4^woZHeDtibgYu%&UZfPT@;De~!(5Uz5O9HZdguGvjW0s_O#PL5%u8`hKGuJ8XzaO6PVX=k zP~YebvMrR+%s}vKCqOn{-9w_YYRzII^(VK#IkxLR$9Z_Q(4BQb%W<$uT;*V;EqL{E zj;IzpVBY2~8{h^m2CSJJp>GHJ4)u@W_)Iw;X5o%+2vWm?m7N##>sbhPxjl|Z_r1Gh z`z`uc20iOJ9xf<#0NI^(ZAmIQ-*<}NE-8a_9c;e8)4i)xU>)$WZrjQI(Z)F}Om~P* z((_y9Vn2b$nVStXbs##~O1sF2E8n+Q`ZD-|D6(KLbwP#LYHPZr^bw7LufEx^S{Eg4 zig}(A7%<9BNL_jwUjgq$vVjl~v0ZYZ$yVvXr@Bz>&`e@E`Ci&gi>ax| zz1G@@a2a5pDRpdOy67Ay`gw8jv9&03J!w{$iHz#%lp5r!+8gBI`=29)9sWv95sk!I zZOG2olxXnNw%^q&@EAQ9>tSmV-iAS|2<033Q&a7hp}wnAgz}$4+cfM8IYD2Ob&di{aIOIdG0p-n$opr*F0k#|v` zzCJSp5UV z4^4DQ*_h8yc~%Lu>CT>8#^iUe1Zfp!^55|_(S<*}AuJV`p!+VUUkd-;N!hZhVAy3` zA5i8cy42Rv^qpfHK>U-VEju<@YP~W0&MYl*>&K9%3ntuDh6}=Q_rhw;++P7)64o5^ zlG2ipvgfw;Kh#ALgNOdg5#`IeFmbCZ$z@qdd~KqS6Sg7}0-^GB0eIU-(t@QzMsX3C`PDTHcM(+YXdk4oa`OA^Z#=>?td?nqTfjlv zU5A(bTDrSw_tLFuCO}EYX(i{C5a3DXaAUK~+dL{p7Ts7VoNbUKEu;GEiD2y3+p>?2 z7Q5-K;ULIdI)cirK`S6IUoFsLv>$iK=Alrvt^ebB=ShYNV#d_$+ov>idLG9@ljlA0Nt>vbc-_?~-C7u#%eBEwl*jNHn*`s z60dY@oqTix0Ag17&clkCIMA9Hvi&`nlzHS8i29Hl<=$T zdm=?fCZW04T(D@*_2p#&tDqD;rYbpWjMXBW6|^UNQES6nKpI(**N93g)ylSzDNLX+;asP+Lt^lH zip%%iS3FRcYG6s4!cLLHutYZf4~x=lg0IvoF2CIx5|;HLfi22w5Mx^!?iE|wY{b_9 z5NHcrk&IiKg&&j%*Ra=?`{sJbSy!iQx!he|1T@Y!w64Q}IE@+a9q;n77T(H_l!bwi z;ul_Vb{mLV(uFmhf+TytuU$Y8I~9C4(YDLawp>g{XG|qJM#Xt{3v&c2tM6T6MX~FH zC;ACJ^jVLV+jz50v@#A;(>OnSo(xTMFlM;QdXGj)!SrwabExEgbtQbM(8sB|dxatD4K{Ecqa z3-iuPfkVU-wU10JjFs~}cSxOSP-zc)!-qYP%%(n$0HVXK=d$&D0Q=DQth-QKfK>MK7DtQPjr%oxvdW6Xu^_A)Ihd}lpvMiE%6(cWHoX-LP2 zc6H!vthljAW0LqjaU5v6I-ZBU z&Br%Q7C%@R8Lwz233#5xO_rYJPi6y<9!oNZiTSQkb+Ah_l> zq->X)zfV2KL*!BWnCjUDg<3UMLb2!;_H!x2kSpsTvqoF?g`LJ>o~Y%)gDi11u{YP~ zFM*Yc^?a-#U>4@YIS0Unf-bgF90ZZ&UBNoy>CUR4ne!{Ik02R0SxG>h(kG{YWvk`1 
zf#aUnYR^amx-@21P|x1{b_Sz<{&F7TmhW}@u;Fu}!am`T1*^*v@@gj+0{Z$5rDDTs zAEg*~6~1_g!2(1HVP^`-+--$&e1bN_ZBYvVZw}%p!@x*c!J_(l+PwQ#P42VS*B4}b zncIbgjN6K(3rN(Zlix75EC@*LbsVYxdCC~PsmC2=Zx`3+v=qh_h6g6;siy}E{9TE6 zz7eN8m+qTn5vv?Dk&%k9De z#}4M!*!S@Ab2UOYD7B5u<+;Y;b!Wyg)sdJ2&Ov47(gfWOUzDk}>{|C%I;aBib(NHg zrKjb$@quG=tU@dEf^Ej1XW_lwVyz6e&Sm4;8 z=3nAN6akjr&0J9HT#4|_eXTF^I0yDUKvCMN^WFQ$OeW63_eE29hnk$pb1&6gc1=stI!%}7k06=39&pi(+Mf&w7lv;4grbE9NV zZnFHP)?8(RXt$+~v3%E}7dP3sc3sOF!cDf2S)XW>+G@d+9=q#xt=vv*>PFgtbl?e( zu%HPC;+bNkXj4&5Pk{h820H6{zBtTEO<=j~(yBx8QuQuNn{ChA_a3YX3D#r#kLM*_ zch*0+c&4;QtEd5W9*=mDzGP#a@C>(6dte3PUzr^Age+7xNsK(0DO)qSnmk-cN0e$x}Q-HVqw@gOXE)@XEtfnMSC8B?b)qUsumRdm2uAC=$oRRwMyI@5z3^)S|fE zv!_%qg|2`DvPnf|cBSeB4E7U&`t6b|$&KXc6G<){Z)<96DKJ=+2lnD=GR4>={FhNM zP^WN{Ee)h9Vht4gUxEZLiW||L;!j>DUO%Ci{L2Cuh>HYnV*uxbF2C&~!wCzx&+LP% z4*|n~|LMB%3qe!)aRU$>By*&%_bbypx54m(vP45(!suxo=%3*rXJ0f~J>xhbXi$YYLhq!DY;3V?C+v)~$nMBlM`N6rU z@VY0z4nls@=kGv`hC);5@l=p%@`S;uU&hkFA1^Wi z12~?1^f5oci{R*=njlv0|5P;~zW?+3KjtA>sbetk zrFp+nj8s(F{=fWP93qd}XQA=*6>!}Dn2;p49sj=uBf8g0vVJXG_j5%4ObG$|W}J_P z1trJ!pIoHO2l}5y2r84mS|d+h>60&R*n`mfzxZ=zuJo6be9C|79NzxCxRQ&nkM1Q7 za2f$D8~$6_@n2_}|K(jXcf2`=(v(yT-~dM10Be@E7#oWA{^U@{uU%9Zjj|L@w=et} zhJ`n30GFW}vWY2vN(*swEDy*Rhb2ERi&(LFuJF59B5=sd_MB{RZ#A7_CK z7H#UE(fZrHCHUux^}s3qW1ewZNz#g97xV9@W$)0i{o6aeOn_Ak#XRO$DIxG>+w3Hp zLe7Mv6Iw8a%WWF2e{Uy5)9On<(?cI**4hTyw#F>BhKqxcjU>zVkI ziSocev3+`ZlhW_Nv$=1WRZtXzMj@tOfU}`j_K_mtx6)K??E)DC8d;4G;N<0SU+1WI z^4pn7*F?fqwz77%Ro&=MCC?apy{epR{l;%sy~^Vj3uHvZb>7I>yq5v=QNM=SNh$DI zXix0Zpw-F1%M$UM;ZB`13^=@Ao7km*%qYQ%=Dqd7OuWnc^x-H4PNSXAmD9T!&l{R~ z;#4Z9JVg^lgy+bCuq75C$>%s-a*xtCRvk*F{j46O7N3~{aAiHiOZ(BRB*A{_i zq1FSj0tLo4D&d^xjcRLF0=b4)Ji>Xu%dT6u4!7!D*#P2%{@C%74I%xLc-dWhUPnh4U=IdP*t=q{aGfS{yKc zUatG5%5TRdC@8ls8@-e2K#Hjd9)=HwM~{D}4Yn`ho>S*KpL9-s8MR;b z%FfVb5QbNr{4$vtr|GumT}hvS;SInPn~5%RFlNe)?8I^Z)GofXX!!Y?kY9g+Ey_)M z;V^LCsgqCZy|l|=IKu_?$GJWetdTmUE0`tU%QyVg*?2xvYkwS+&p7l^x4w92RXK#ua8~B?Vs+8n8GX6a2 zZgp%8i!zZotj3xz1qT 
zXzaG9bfry0r&h&*7unwTywG9P#J2CDu>NqXmZ{m!!1>n5EOH5%>(-2EQ3d-69>G`C z?xDFJ&WjQwws#-b;q+%^%WV)az3`{|i~bYoQ<}_0{*JyiPIY3VU1)XA>}PL$HlkHI zZZzk4EUHP>BnIcdjl-{0j!|s~MD>wnvr50e;CvIAJB)w9drt4Y_YYI`QUyl~D&v}m z<1l>er7unZvStxF&}ue=aB)^=*naJ~$0W;IBlk0T{_E9iA*p}Zs?9dSAH5i+_z=`I zNLUNzr5f!DOxD>VTmq|d@zcIfE!1PKB&*}F$8*4G%z=S_b*C1t#TTfTPx9+R3FB#} z4qqdS^-kxu>a^v`L$~-)YVm08?}#1!=-gE<9p4#i`=X|~GW5Y76S%{SE{An<1%j(q83d*|bjh;AH7aH!4?9)q&$d5wT%&alkD8 zEa;mM)!=01yafmYEc-M!yVJAVU$IGA&vzYffH6Q-x48_B&XH1&BEx2Q^x!fE`G667SE#%=CABEc|^`rtMFO{{i< zJt&2|cUpVAgx`soiAcJ3?8hm*E55Y^9_lvQHI_*Q?c4F@`{9DchG%soQ5z*u!whTT z^{r}KEL_)uaz-;e1|+Ho43?YGv9#h`mfs37>BbA*d3>Fp49!>T^_wgbye(B6Oh$kf z1`U+NX@Kys{E0p9FBO}KqK7cq0F3DYQOSlXd*;|2rS1doIayOu7n=hL%=MAo{zL|u zdTUPddPj0yJNU4(ftp;zSe6Kj2^Ih{P*339^yb&Hs#GVrzz>+8?pCST*?A72BOqbc ztUb&DDfsZ^Fn>HD?wS#=Kq8d%*~7d{ zueNS(u*~FmBZ%hJe==xgnM#E>_zuk)R3ctl^p7abw!J4(Jvp<5 zC-B6RLKU|7&gmJ3+@IN-OeRNCJS*TGAuGWz5Y)T9MTWRJ1novV?*?#o!}xnA5`OE7 zEF{I8L!bxzuSd*vcbgZO-XmhS`VCZv&;>i;_}nu4Y`24nV{RBj`?w{+!+x7<;4JLB z+t{x#eQ-_grlH9`Otga~g4-GA=p1^%@(^ih1@8*+e^#ojb(+I|^+vz$9FoN2F?;*A zh}7&Sa@;-%X6k?kTvRM6c1wn%@%>Rd6!Rs{P#+S(`pJvUlI%uUUtf5OKFB3^6Rxhj zZN&QfNgcU9M?)&Ky~t^_`q@??#pDZ#qzy&oo^;)+ZZ~7iL~OpYzH~!(J&VK)_8r}` zZ@G_N z>7B2dmUBMeH(QijY7jFAeJXy**j=+WdOwLn?&jE77Twu-o-U}G^@wzs;AZT>E@-_& zIm*=94o&o-6bpS8)*SjsDJ%qDvUr+UkzZ1nlXO;7$(rkX0xWnmb21{S*!ok7*lD?{ z^^~>!K@;y{TZR;>O{Z3P+7PC~IR%{(F9-dLysnR=9?rV1|I%S~B9I|c*e5!o`do_Q z4^;b8wXOciQ{saoh5dU#M?SOHsjtysdN2qJJFJ*mQrN28*_bgcuMXxGi=EEce)uXk zIb6!jZr(jMsm4|_77K7kd}0p}ytNtE=B;)~5ig4@y@*Q;ze1<(c&4x_@W^F^&!+Ibht}JnGQQlC_Y+r!CCQCI z;e`%*8fH}b!rKRUo{W(%+zn5e@;;ahGV*OxL>ojFYxPniE!Z;9#hmd+>(0akVLe~Oo* z{EGqqL8mlo2+bd-I(Z2o68%?i$b3&5aK<~TcBX=Mp9i9?-_b|?`+vPA`N62^PC!!k ziaO({keKRp2%zTMt=VwOJPJ;f@)9ob@`oA%qLho(t2)1yTLmKAGJ}~DeLaB+d28jJ zkhcPcYJmM;^(5nwKJC%0Go@zR;#B|B!63n-sF_MzGYkgA%<}Wc)aZUoA@?^v(M6Ji0C%%`FU22mHH{H>RHS|5Tqb{BGzQ z2j*_jGYn`xWj&P|!uY4J7L(;jY&*ato-qEf<1zlY zjO#kDY=D0ZKYEAB{ph(nRggoyOs2|`b=^@=DZvC3hKR4_^ddsxZioS(1K7CCOEtXsjq 
zG%}$V4JwTFis~=+MeJ!gN~B1`&9*~kst%$@o(ex5OX{$Zo$s9eJG=XFt;sfxP=HBV zk=n?x$Vl1|(D<=Bxi%$Y5elLaEb{2Q@LE~Xt zk_97Xzv7Xqkl#JY>FLQ}fGg%AZwY4ci@jKZ60F09|CSBSI`QFm<9!03LT*)@k;!Rw zcYX`}wam-nlKx}xrt)rqFQ!BPbCnCI9=J|64I)f$@(RY`D+WYec1`J@hE` zk5Av{_&?Iu^A_ZV+55UffDXXTiZqCJfck$^m_msNR<0!MT=s|xyV{>p}* z>TTsFDx2uZ@QThWo64Xz$I^vw z?8beb!0OPQY_3;*HL2(diF>L0_|;{x_sbQ zclD+2tsJCHD9lr;B=0iDq6T;!^ zX-U@!5PWCot4eEuw|@iElfDf?u6IB^{5KkF`Knz(UEZXJU=@a4JAScF!S+M%iuWa; zh8{t}9wt4N!h9$Yj^-Kb3(9=ekTh8{8TWi)Xx@pUG3NI-2fVTvDWZJ5Gg_LQkp_%O++E*njA?ibdXQUmGu)38~%T5Ma6RfNJQLdXxR50>#pSensXd%vF4Z{>>`=-1joHd}K#12QavvWDb)A3oT* zkTZOa5j{paVvFEjQ0ZFYu4hG)TvFnj&KOd{*Z{W$%t(cEhQ2Fr+A0zmw56NF?AMA@wm=To05kF1Nx(sExurf zo%J+TPNsOtKj$7^3SZ_xBnhMRz-RVcQlZ<`kJ4AKGBpjgZB>d znvkY{Uo)v}=GjneaoD_hKKI#sTQ&1qfD2tYd|?wEe5;hj$HmBrTD}zTk9@$M$a(Qt z8wvS1n~}}uxnWKD6}05dJI<07?cPr3w$2E2l#0~!${W=i0wgRWF6Qt>%^B5@!+8a! zby-6Mo=F;7rop_-;nlPbhcQAF_1#m-ptMZdNl8Xr=j`mqI)h(oU?k?-A3&b z0oD`td?}T=I&~bAZZRYcG4At%OnU=hE|1Qw^rkG8REH^d#2ulex2cWJ13sq%yKP~y!isjIZEBh_~-N>xMZ!K3u}v1$2k;K@J*G^(-F z%%XwH3#8mY@ji8{HHlLlj~Mo$OQJqclZ+$bUnQDn3{+#u0*zt9KhqMWDUr zuq<@zZVX~Z0(#eoI$uU@Bud@+v?#RB*G7FHk&j+p@omm8upP%qx%JsOt4$!_SkL=N z8Pls0!)uCzz^o)m38vwkG~(w&lywrqMPwayXkKS_30IV4mXv;@3t^l8VSYfeH~}pg znP2QuN8My8vB9Ewlu!rzoaI@X!&!_vZyGX0&0NJfUR-GE(LTcS8Ty?TKebB%fD1tO zZk4H`ul28FIQ*artE=34w)B90dO>lQ5TNA3} zJoKY&r|I|HV)gx(O?b{Mu$T7OjC!QaDN#4-vI;&ia zig#C{qV;3DJ$a4H!w|bZ4AAf1Aja?!kF%+WIU#qM)@s`(m%R&#YR=CItH?jehramE z#!ntW&?o8>_NPax4isKMHbgt65GIOg~Rzf@YlqerAy#z+@`8Iv( zoNBJ_=>l8@Ly~GWG`wzm76Y<$q|c6T5Y;`Kz^hg#)h9t*_y{j&)1ppS+skf_q|VumN5OgU%~i8JT>lzgiE^olln7#B6H8f53mHRS$vk~ zV2L+yZw-w!NzhBc`40V}I|0zNhC3iPZ?K9P9oRTyK3&mn{F1mJQ5f9s#rtEu0;U=x z*l2(_psGLR4mzbIk^~A=^fmNJa1m*(B6`*Sbf5hMsDPakZ8&y7)VP?-`qRCplp!e{ zzC(?>8XihKq7Os^*&BUdg2wv_T;Q;!$uPXXeS6@gz254Zd1RbqdH?%Ez$U$WMf5g> zqauEGL9QWc`u%zPtEVbVf2?wbG=pqh=gM?q-TJVhYMpW!Ak)!KlhGHzDADjqsmObi z-o~99b?Y+&u@|!tIht;hdx}zD91{#ccKz)8{oephg^HWPxz`5n0FJ}XEPvXd1b^%s 
zvfkHc{kSiEbUYjD*2}!R9%?PlIqU^7_L{EgWw;1Pg_=p1u+=nt4xKmU*xug%5a3gk zHXIKDH0=D0?xiG{W^$O?7N=OWF0~nwmUpGv>awijkw~(^1T<@iL%?o{5qx8ML#O)d zsP$p#yQOm9P^dsC+1$pwg+}Wt?vlKo=5wZ*+!Gb>Ti!bK!rXyfP9&NfsAfasT!jcm z0|DYO!(O{3E7xE{Po9i(970IW`APzLFJXnzSguEeACooK>oUAE^=_t%Fhl(T%+vaX ztny=Avk2U;@)&vM?z@=~tlOOr!ol$Z7;hhF=7$RBr;@9=AHUXC9y{KNJA1GDnqQet z4dM}&3!5)*nXp2Q8sJrrh@wB(_sPNUd{Z+NfgRsy?K(i+65;I&V&%8>c`B)nd3{^_ z;y3gB3E?n1VkIW0^hUFiviz_Xar~nGEXqXfp4sMgnA2MFkL3RSTX}B9k$o#ikqBah zFv#{Z&Rh?0zaG>>>DkXlS`_K_PmLG=!;bMVpG4{nYU^-#E5*$ZS+^*@x|Yd14yPld z;BHOMHg`X*Ye#q$xtd+BxR&Pc{beHXDh$6AE_O+{VUA;&j@W(Jy37LZS;gx4?l_fs zvI-#i>XfBGHa}5PS6I`?R@HNSAr(GOhM84u?XV&Oprm_zGJd4J3M>1F?s|pNhFVCs ztAC*n(JrtA1x#9t&q&1j9Doj2v-?oEVrDIU{5~MAe6$^0wV+HqtnbS%KgPGBQuWm$ z&{hMZ%7V0W3%4@*hWDQ5x ze!b4ia0#Is?z8??5XxF=^6u&7y>k7(=;bMX)M<7|iQ@KBv6@$EprpeduCw2WU7xsl zfM)9-IvmdI1aMwfS*r_cE`E==HK3Qu0Y6h{YD$bKR!|RY(UwfL;>jkeYR}j3Pr$1A zPY+_0C-3WIuT7g!6m^Bxk6;`2-tkft=Se7rxc5@3vRyYqsADDrMxUn=ZyrH5ZU6H5 zSP_xw-~NcSNT)~_^s4009J&3TRK-YxwwqqMfjJpW&!J< zh6ZU(OTb+1>nSDqv%S9kEfR$Dt9IvD@iYzR-kmW{Z0hKi(=a%0R~AsaU@s`#V8%aV zemV05dw0QmZN~!Dl!#-W=p8>R$L)3o-t9r~bZ$04Osm9N=?7@?5UmIHn0EIXM+5dn=4Izfj%YvaYAdz`nYsyqU`Yt z!iPHATBoKr9`2c2=x{-Go-4KRd5yZP&Aq>NYUTS5^*_+Sv+6f|4}eScvDMogeN!bn zfG8;n`vf_0)ob|X;jItHt;Oz1DlgX>8Z^DVe(Lx9-`DKNRg`@v&fRPype%69>2Q|P zHEJ5!_ph&wEVqfJDI6hnd`jxX>sv&zWod;7H^us_b9)!C&lz;ZKtab*tRU9@?>uG} zdjD_aAA0Zg*j~z}JCF13zXXRCfbQI`7t1I51E6TeumBJiLja=5Au#g&I`;SVuv$L9 zmxTFml?~zd2k(={_ZoY!-|$~_j0MQk86w|f_d${bo9g~P^1H*gm)xYuLw8pC&MLYu z$Qc%9t{mRlqg}H6d7%!0$L~f0pa0&K(>GVw!_f>?-Mg>nF_BrK1mC@K(XhgJzx;0^ zfJ(IJc;8*-S<}9e?aCggL(!juu%6Tc$DuKsilr)>YuRN#oUy?UTPh@6@o@4wHsp)E zAUS6Dw`?Ur`nA~uTm*0cgK<(^xUx$bo)D2u9b3W)lA0Xa)z&KaN4$UTWI93krW;6V z`a6r&=P5p3uv;J5=)%DBcnUr?xhI~~&yt+17GW05(^my;6|4TY_T*lymQ}u^;?O@t z27y-gzP7dGef2h#Q-}X6UAb2N-n87m3CsTyI#|+u$wwDhz>S>kKT3yttcc`$|6l-> zY-@5L({LUQBnz?oB@E_!%vi|AO+rLYtJc|fm14jX$9KzTYV5J&mD% zl2)xQ{I0%pufbR>_mcc?-t%6Qdj&}T5jNhg<AO~8W z1KI~3l2nPmZePDu675Q|Ae0rUd(f&`C8fX(dIA^}`jSCM(i;5|I2A!|R9dQw!3pC| 
z&(^dR@ToxUMwkPinLHUb3wC8p9$^45bD0?yDWf2)>QehU$d)OhCQM~cp+=db%-Pw! zJtF8DLA%S$53K^8XUWXZ)Y;b0%$jcuq&qTKM?;8Q;Cn+?hC=w%boGM49x;$Cc+k6L z<4}0F@kj~oXeKTiM!AV%IX$hLlmg-S4O;poa9X9E>B76SD((wvJZ!3&nD>y(;>y{ODon2HKuLA!7UpTUL{X31B(ZpSt=%3Juh%*V0Xs0!iWxty z8;q?jGnbk9?et~lXru$v>GubzAWVgCG?p>V;qGMS(g?FPV(%YH3M)npJ+=E(?xg9m zs$a}Bb*FuFHyeAD-W3(3-VqO75 z=rBU&yXJeZH&-jY4cuw20|tUu7LSRszXNK-zE*6?!&Y!&U+$dgoD;q_lu>aDQ6Pae z8D11TSv~o#ngsc1C}$s3M69VIJCT`VH5E)&bzYDN8BS*AVMmx1hSBs)y2e2&oMi`? z$i3}FMKaTUz;%v}!U;afYP;3q)-i4AnFZSn?ae+bOG&-oR&fA-e|wn%UvV1x1F#x? zyvIQO)L;SJ)~uH*m(F2pRvjH*F*7YUwq?LpxD;c;Q|bG&z928gBLb&Elhd4Qx^X8Y zqHK)67}DDqezyZodoB0GV%}lR0y#E-R1jjWN)V)61YAgR@15KP%X;RZ+~s#`%r0wH zfz>xTJu~F+7UTlg_znh|;mJvbf5$B|ZR2|wnLr-V$GcVevrN`DbX;P8yV#CTe^4_DM(#InpQ<_T9}B z9vh@5D7AS#d2_@CsqYe>xjAwk391qDH!vpt+8n1yPT2`>Jr z5Z!B+)xY^go`&t@5s;4k)^L=K>gb-tGSeuJ5G8l-_1$9N-JtQjj%c3Q)o)h`JzS}Z z6M5bq@N;I9bx%@Wl}8B{_fW89j}n@^8BsKxDN~mh13?^>6!$wa#e@3 zt@6JaU&AA3l(#y%Dy%sqa9JINvZWhtW>v&Xr&v>rivY_MS;jc!{d=zI`YY9Q@6V!v z+l|q54HvcF|J~bz^neG6qP>T!_X&5HG_YYxK z=k46a&d10o7$u~2)k30KM zq~ZUwUr%TrN!>aQck;3sX6u2)$7`Dt$nh|$1Xs}Jaak|t?!oy63@!4a# zax6FkGr1jREzDW!ijBz#1KnKpPdS2RkLUzsEXfmaS6QMmWBd2}v8nHL>(A$BPHHTW z`Iy16%FGSH?sr#3#{6+(N-)n9EziwoQ$+;N8j)-LAutG~)sWKSZr7){Gb4^ncFd=5 zx4)o^2;!QI?|H527@d*Nh|^FS8tD~*EnE0@Dj^hOb1;3$S3u*ZknhYTcMB&l6Y-4Z zg4miWvtaaR@|F^DLgC8b()FnhSFc*5Z8FZ(YskG57yW1<6O((s6|A?gReF!@K^jt zEdwM0eNx=x)ZBS=fUxISxOR=18h_5oS2fHT+kvH1mV*#3VuJH*sU|-Z`bA?6JWy>E6Z&qtM zYK;3mbz6KM{gi2#m<)7xXF{-4H*ViK^rVxGmHCc0q|;+HSp%1kcIQNviYJ9rnprD7 z>9faKeBw5yjSzILv6D7%^H@(4D&%Xk@}OV`Abl%+A&iRbYz5c!JfzNVv}a23WRS-& za8LNmDGv?Wc10ntZoRro<8^jPfN9}1|A9iY(f5k+uDt7(VZcu>x^;641UHg`=EcF# zIUx_RA)amqsxAmcfOZ#zS?=sd(R_^$U+XO!1> zSeOUTsMK4V#LclCCD8VRH8uIAkq@`1b>u+$*_}~(j{_byI!W$XsM1)xM7nnt9oe;B zXN+#if7*n=tKU=5o8@eikun^E31(_A%f_j_ma~J9?h+DcwK+w;6hdih#9EC#UD=*L z`q1x!c%k&=#UyJ2RQEgS>@|XKnds45TP6U*T(jsX%lMD$I{C8^?{EmBGzwapJHHmF zp(i{t)On1p? 
zxHZd??pg8AEpTCv^b?O3FlX#k3z}_Dg^%De;J!Oy%b(t)rsks7^hkUStL_E4E@I>K z$sFu5J!KMSKz-k2^uZ2rb2dI^vhQ>b6FOZ%9aZ||eKa1?u!sHTv{4 z#B|8zI@F6&=xX__!==MWuu_dBp!sTB>qS2N*LkY>18kwJ39rk#3-!T|+z!mf?m+2Q zlI5z(XjTVpaRPM>nW-L#yJ`u~ltgCMKDoIK=0*4XYGRB>@WnMhFZ6%9mD9Pkiw33s z1(n`;7q#dD^q-j>bXMQNzHR=wYs5!SwI-K78G3F$O8oe^ruEs*Zd2)asvs9~NjqGF z+58J15R|}56)t59*JCsmozSJk$7gs>AQzpjUC)5UAvTr0n`&;!fwA+(=*4&FM)&4G zIyhi-yfQw6tVbF(qTOt(+@iTa1XiY;>G8rA7U4P28&s>(tp{Lw1GG~;fBvJ!ZYJ)^3*Y>Vc|N|@l*bmW zZnkJ;01}Og*xr0<$uUNmAzW|~x*I*;LF`zm^X+(Cno7t4mk$TL*{qjWg>*9(YT#-0 z1)IBh>s3P0!yn_o5by@ZgtmPGE=-Au+s|;bvKbTgH((6ep%Xyyu1yJq8&$)FRy;-5 zQGP8a8c_9i?}q1gSmCi%IeBpUsXkw0uvH(aX!ap(y9D!8J;BDU61-G(i&6)@(}DNY zjn^ozT)os3xdu|LVu)U8LcLVSsW7O>cn`)56?7snt*?2`205WJ(C9{A+D-}J^hP={ zsL9(hmtJA7Ok7|0UqEIuR=7b)c=PbbniS!Wg2qxA9r(IpufUlRa#-sl7ZiWfVSApJP6<~)JFvphWFEUbu zFMykzll?dcfYYlrLzC3YLMZ>nzTKlio|i0fRW_;$aldr1aZ2aD8>Mplt|J8fW4~Mb>aP zGK#b*BR}Bskt^#NJ6qyH^Np8NQ`MMwaQdpgP~65uC}t z)jT85z;Fw8zsh9f@^3L18`tZJ)w+t}y?BvWA@Vq&(c~}2B-y!O2MzLYTpf^xq}g5J zIrxnU^2>Z~Z)o27D%hR9!L{K0mAlZ6I07Kis@HS;0S&s)fvf5&^k%rO2KHPDfFc|3 z4!X`(-488UgfaC!KP0vVI>?Vl_pkBwK5dxs9eoy_BJkk1L|xK)PZu9nse9;o zqGiAG)$zj2j%k#zsi}h!* zs3qSCn^UJV(;L7+8V@wHcl=vx=_?hPBLltqEvMKRoy08*!M?oy*`>PT>dbsFrbc%< zQsn0jb>zz|ABB%%3&M6OApJm4}e(-=*U7p2Q z+0=xrJXL6`R`B}p7-f{k1Bb_m0JhYY>I_xZ9WfS_bk}An(p}M7q=Fl4c{)(VNrl=gEqt1@MjGkJb2Xhu{oSn&#t=WM zH{qM*WkLD~9xN?pUTeBlzg6V2-BGv=%f)XOIx&O$s!zZX{*5uX>bcW!S!Y4>wK?)- z!-kD2Qo0uLzPq$wdK$U)UJnkXJ8=I?fddJT1_DeiTNXw>c6i(7G9jh2pWq?>1nmxY z_?U`K?Yk*GEF%R$G(ZQA1*w0on|tqO+XIxJZdVwKhn#M=Y?jD$_e zFxN_{t;ya}>b6_M3dWacGawH*DjI#IJ8D(cU;Ddf_({0>06F{hU{kedQ+{Nn(|{e{ z(eNnBc}u*9&DKer=hleJ71fGH#qeH}G4F@i8f*ZKGR+{rujX>iX!aR&BI;d1dFgb7 zS$4SVQi-f8u#h&wt6g$Ks5L=@Av|4!EV;{>dHGk>7-hm?6~IvzpnkJuapA1cg;R$> z-rZQmydn8!?}7RGVKI0A^HpLYWHvm!i3l|g6`W8k-OezECMk4>%N>d^{zBln7^tD} z)nL?L=cbt25`A^VLGPGfjlh5>WBPNT`YFB8p^Ut|EBenP=T2M6CNDM z=Qe6_+KXo3qB%maz~5_ zl3VOnc0-~Ao7_sBG*&AP1M&WL4Li%Kcx;dS!A1+@2wy=)Lk{cOA}}7btfZ>55sFu8yRCz=Y9HBwsF`v5ntp?@=b9d18VZ 
zk|IjdP1>Z}n(6P>zZjYY0`o&e4}2e;fe=gaSh81d>oHUp&#%8|BctPOJvf=!J; zk@guqjw~rTzIFPCSU15eBkvwYr8eO<9+d4Jc zoIwSa&|MoF4mHV0wfCG0I1OHZb%l?h9Pct~0W6>juXPcN(N$0Q=bC3mbgiQ8UdLNu zUjG`)7>ypN?#&Qs%s5-I@$|EeF;3&N)GGMQ5iP}FntK3uqhmw&K|sxn(~kbdgm>uR z-4Zq22#>Wwt;?~wO~SS48x39H7-$AAxbMZ3=l50pk=QoURsjJ}iq=DW-UV6%kZ^oDxR~3m`wx#T(JSn>$T5BCz8ZKaV)XJQ9I-`3`dw zIM9S8glyeP|Jc+CA=_Hm+nm&#JmLWWM7qzfnN9FKO5^^o5uAs!s;35^Xn4jNydX}So zg6zhgN~CfYSroqX9NeFb0O;gM_65}URv~7!KNl=gz#kuKehHltw4l<`?H&pjoFJHI zn0sgZ;vBC2at%L!(g+r;`l&ndeN7MQ`t{8eb59OWyQakoq>;rG?J6~3zJG}PP!#Ov z^q}j5U*7i z8&X{ej|&>Q*iu9=O@klo7~6fd0KkrcO+@aGr8%uR>L4l{P;ZeKZ`9Cc&h_U}U;=i~ zyk7)G+iw5bq`4B0#rAJ6TaUraHMC#9@4xO1xRv0J2@>dt^i@?&jibDFgS^Y9zOFYI zp^abF?eE8x!BffJG48YVO25ViKf0v{2 z5N40uB*x2Kb#ql3TWW4m^cETNO*!%1YUqQ#+51I{#&wDg;pL%9-5UKqsP`oaK53cr=tQqz0)@fvVm; zlJj}l)8i%pZ$<>DKNv^^rHb1RemE?4v&l4KMNT%aR59?N=SEjz&ive&;xwy+mfz#% z&Hy*p%$K&ng0S(ql>OA0P@|aom-mmeiV+PFak{6k?yvjg*2Q?b+N67WUgwLw@^=3? zY_a3;g*hK>W7W+k--#C@egzJ7r5~jq8(korx%~6RW1EaXoO0WG+)v;p?#*JOy2`>_ zV&W~qt!$C}1kx&O+l2HNJ9_xpw`Mn;l}wUivwXcK zyLsgikaq|-LZ932Lz!!fBaO=sWA?f0^d)QPAPkXy??3q4r@vE9RI>xd#lTH~1y>8oXUOW2XVk$@(tv&h8aFT?NY2eqUbYg2dN z#)rflb%u+tKI64$pZ_%qQqiANN{53JK+d z$y`!_YndQK6iBn|8TKW3@T(XF*J4g}N6sn~N(Jq+7*XK_fYm>!Jk}g?Sc zL-(<+Q{YTDQRBnKkJ5Q( z?+epU)4#tC{AyEq$>^4Q(NEg{Psk*ZX@vpo^MGvVJ+ zx~1dRto*CO$x`;-nYUeR_>stJIw=wJ4ZjVq6O!pk&RFI<@adrUVcNVVH&!R%dUD8| zk59y?B&j>`i#${zCx}gz$5aM)h9TVIa>wytTd(5XR*F>Wd@fx4-7Ofw)bpqvc%S07>6A!q4M@ zO*_LXNxH-KHkq?7f=8U^a7u;PfGXxrYjuB(SIGC0_{W2NZaY1T0tsQ5O+y3hgKN2- z6HDcimGME$G=eAP2XwVSgwgqRHHXs}qwvBv99X`bnVauDu!9kO{;>`f)6DqdZ@lzt zkc<{lQSmrsmNc*IV?WZFm zV98vOAhA+k13pp;9l8#?l374C0pquY=pZ0)PR)Y3kplC348jG9oalH4?yUNu@1Oj+ zfDdW9GxiNX?C)90-Cv!$JJ}2je(4DdCOe#@UP35=LHjxq=XWgWw~d&$7h`|UH}c;c zUdd%v$#KnHsqU4eur;blyDFcQXV5T+BG9R%^^Gq{5sx?VBB*k1Mcr3%O7ubfVeeaI#N(L!K6%r;3t!v|JL_ zUm>MDT9q>Do=p21h2W#Ycf2{pu-@~J0;jCr<{j(dT!?Gdo`&DD=zd>*#Hb}xLI z^%6}iWY}F-@C-!{tleu%ZBEV)@nyAl;FE#XA)}z%IF;RyCiN0N>a%i@V}RK@isV)^ 
zWGay18f?8i-k*@D_B^Xp6&7UaM<3UYEuH1x|r#9S>z(oaZM-NEBlQ4{R9+JeQ~pN$YS7 zmd#uU{=VDfXrm-wU3R2{VV9ZAb+wnMx@&&GxxZj)7QRc^f|NB&;OCY!fI6yEjVrB< zJCD+gBqEzd4}2|gI;eT!@hQ9s=U+~v!Q^F&B`h|Me_((EsL12~vw1~gH>Eb>b9ZgT z`vvBciA5CC{@2cl&VZKY24+U4TbknYJ9bEY9qHADW5RbqDb1xS^EKUFna8tMx}5XI zAG}X{GEo~h&#A@Plwh*)JZR2Mt1&d-L-`#mf5#OrLC{nCE8jbOsBt0~j@{950Nv5w zgYHm|@U=;2;P5KQ^Zq+YK|P+kPGjPP2N+A_m<4ONnO?{%T%AvIvN42yUsM<*IWmoP zDHEu5CoJ_z0N}H4%tMX?nL$k>5j>NAv+Za4&5e&P%w|pm8MUwtRmE&2T^8>q;}h|i zacq$r%z`atu?zMZHvd#bac8n%QTUC@7JPF`!^2Y!96{vthQD7`t($LOe`S}BEUlc) zcY`o;P)9P|>Upl}%E$nk4D=|a1+VMr9 zvZyPcLMT05qy3Zz8q~gi3)RcV4IbA?-1J^WFB_Oh9eZDO?l2Y0{9MEROVMy30`fB? z^Z!ZNOJ>BL`OJMt(GF`q?D;@?Q|M6q5KUHAyC84W2bCQ;;(3el7z|| zO-t*M4abkqw_HUX_8s#7RIyX^_%D(xmM5f8^K~2tJ|I@o?k8k9%t9DDLK3=ZgG{g-DaxD(DcgHj04H`F&9Twg`QvF^lLIyip zgV3Qci?EHI<(-QKDn?lHMXd!o7XX2cEv&hm3x`cj=q_b#_imtvFfT2#${INPRjBxp z4lw?&h?RHI-c4~^k2;j){VdM>ywb1njnB?*zF)~2r%+xB<)n{~&<81XpRQ{BIyQ|U zCnXNmtV#`5HMl?n8r&5|{}obwxAM~BeY-=Omt#^J z5rRz!TzpU;(W=)2h^Y~lsjLzY4ixI*m&2J-Iy@5U1Ua29zjJaH`kGDXlebo{Oikog zbgWt_?s6}Y#hK>w%S{vw7%kp^nCO4-TW3(rD8hdwtPJ~835s1cpKt8= zjB;h11J|gN4#f@YS3DVr*sTLXGcO7TJ0IGpkDCiu$xKbCz&iM%pmwd%vNe#-H?b=y zf@ROd04LX1?qm<^0eSv%NmflCxru9;k~Qe53f7(5@3Z7%S85q7$m%7JgnqX0SynQw#8lyM0qz$;R%tN!YjK=(|0Vtc{!G&#lV^Y{9;X- z)i&=<-$rD?=OMfO=(AYH+t-X_AHDbBHI-uX=PKUQR#%Fs-wOz^4Q*8SrjJ=7O?ekd z0$g{(2$E;R8{^+!($lDyXkm%s?vvmDU{cg5c257Y_?FKb(AcdX(ap9)Izs?&TFn)R z+p%GQeekY*ldwP6V5*0F?fKG|khBgw;Q0kYGVIO19D0tKEtA%%do`R5LwANPvX(zJ z^~`L){`4XG?5W(-Ha~7ZnsSIJzyolO8aA$!=|MF{n^I%nPL8Il;k&J_W9*mpe$KV* ztGuN5cJJ5agt`0e-&=Zb<@dAo{n^aZI}@7lXBWe-|F!p_tjm8NsP|5KpX8s-lo$J* z|7`xe#Hp$Orx8)xeU|?;edPadTJP=uiw80jsnu6+UCCR3-J|m8-Mo7Pq5b&z{{eY7 BW7Gfu