From 9a474f09badc5530bbadf13606e837107ef8c595 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= <alexis@notmyidea.org>
Date: Thu, 11 Feb 2016 22:08:17 +0100
Subject: [PATCH] Add an article about let's encrypt

---
 content/crypto/lets-encrypt.rst        | 130 +++++++++++++++++++++++++
 content/static/unsecure-connection.png | Bin 0 -> 11258 bytes
 2 files changed, 130 insertions(+)
 create mode 100644 content/crypto/lets-encrypt.rst
 create mode 100644 content/static/unsecure-connection.png

diff --git a/content/crypto/lets-encrypt.rst b/content/crypto/lets-encrypt.rst
new file mode 100644
index 0000000..eb28bba
--- /dev/null
+++ b/content/crypto/lets-encrypt.rst
@@ -0,0 +1,130 @@
+Let's Encrypt + HAProxy
+#######################
+
+:date: 2016-02-11
+:headline: Comment j'ai mis en place des certificats SSL avec Let's Encrypt
+           derrière haproxy.
+
+.. epigraph::
+
+    It’s time for the Web to take a big step forward in terms of security and
+    privacy. We want to see HTTPS become the default. Let’s Encrypt was built
+    to enable that by making it as easy as possible to get and manage
+    certificates.
+
+    -- `Let's Encrypt <https://letsencrypt.org/>`_
+
+Depuis début Décembre, la nouvelle *authorité de certification* Let's Encrypt
+est passée en version *Beta*. Les certificats SSL sont un moyen de 1. chiffrer la
+communication entre votre navigateur et le serveur et 2. un moyen d'être sur
+que le site Web auquel vous accédez est celui auquel vous pensez vous connecter
+(pour éviter des `attaques de l'homme du milieu
+<https://fr.wikipedia.org/wiki/Attaque_de_l'homme_du_milieu>`_).
+
+Jusqu'à maintenant, il était nécessaire de payer une entreprise pour faire en
+sorte d'avoir des certificats qui évitent d'avoir ce genre d'erreurs dans vos
+navigateurs:
+
+.. image:: {filename}/static/unsecure-connection.png
+    :alt: Message de firefox lorsque une connexion n'est pas sécurisée.
+
+Maintenant, grâce à Let's Encrypt il est possible d'avoir des certificats SSL
+**gratuits**, ce qui représente un grand pas en avant pour la sécurité de nos
+communications.
+
+Je viens de mettre en place un procédé (assez simple) qui permet de configurer
+votre serveur pour générer des certificats SSL valides avec Let's Encrypt et
+le répartiteur de charge `HAProxy <http://www.haproxy.org/>`_.
+
+Je me suis basé pour cet article sur d'`autres
+<https://blog.infomee.fr/p/letsencrypt-haproxy>`_ `articles
+<http://blog.victor-hery.com/article22/utiliser-let-s-encrypt-avec-haproxy>`_, dont je
+vous recommande la lecture pour un complément d'information.
+
+Validation des domaines par Let's Encrypt
+=========================================
+
+Je vous passe les détails d'installation du client de Let's Encrypt, qui sont
+`très bien expliqués sur leur documentation
+<https://github.com/letsencrypt/letsencrypt#installation>`_.
+
+Une fois installé, vous allez taper une commande qui va ressembler à::
+
+  letsencrypt-auto certonly --renew-by-default
+  --webroot -w /home/www/letsencrypt-requests/ \
+  -d hurl.kinto-storage.org \
+  -d forums.kinto-storage.org
+
+Le *webroot* est l'endroit ou les preuves de détention du domaine vont être
+déposées.
+
+Lorsque les serveurs de Let's Encrypt vont vouloir vérifier que vous êtes bien
+à l'origine des demandes de certificats, ils vont envoyer une requête HTTP sur
+``http://domaine.org/.well-known/acme-challenge``, ou il voudra trouver des
+informations qu'il aura généré via la commande ``letsencrypt-auto``.
+
+J'ai choisi de faire une règle dans haproxy pour diriger toutes les requêtes
+avec le chemin ``.well-known/acme-challenge`` vers un *backend* nginx qui sert
+des fichiers statiques (ceux contenus dans
+``/home/www/letsencrypt-requests/``).
+
+Voici la section de la configuration de HAProxy (et `la configuration
+complete
+<https://github.com/almet/infra/blob/master/haproxy/haproxy.cfg#L63-L72>`_
+si ça peut être utile)::
+
+   frontend http
+       bind 0.0.0.0:80
+       mode http
+       default_backend nginx_server
+
+       acl letsencrypt_check path_beg /.well-known/acme-challenge
+       use_backend letsencrypt_backend if letsencrypt_check
+
+       redirect scheme https code 301 if !{ ssl_fc } !letsencrypt_check
+
+   backend letsencrypt_backend
+       http-request set-header Host letsencrypt.requests
+       dispatch 127.0.0.1:8000
+
+Et celle de NGINX::
+
+   server {
+       listen 8000;
+       server_name letsencrypt.requests;
+       root /home/www/letsencrypt-requests;
+   }
+
+Installation des certificats dans HAProxy
+=========================================
+
+Vos certificats SSL devraient être générés dans ``/etc/letsencrypt/live``, mais
+ils ne sont pas au format attendu par haproxy.  Rien de grave, la commande
+suivant convertit l'ensemble des certificats en une version compatible avec
+HAProxy::
+
+  cat /etc/letsencrypt/live/domaine.org/privkey.pem /etc/letsencrypt/live/domaine.org/fullchain.pem > /etc/ssl/letsencrypt/domaine.org.pem
+
+Et ensuite dans la configuration de haproxy, pour le (nouveau) *frontend* https::
+
+  bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/letsencrypt
+
+Faites bien attention à avoir un *frontend* `https` pour tous vos sites en HTTPS.
+`Pour moi cela ressemble à ça
+<https://github.com/almet/infra/blob/master/haproxy/haproxy.cfg#L38-L60>`_.
+
+Une fois tout ceci fait, redémarrez votre service haproxy et zou !
+
+Automatisation
+==============
+
+Pour automatiser un peu tout ça, j'ai choisi de faire ça comme suit:
+
+* Un fichier domaine dans ``letsencrypt/domains/domain.org`` qui contient le script ``letsencrypt``.
+* Un fichier d'installation de certificats dans
+  ``letsencrypt/install-certs.sh`` qui s'occupe d'installer les certificats
+  déjà générés.
+
+Et voila ! `Le tout est dans un dépot github
+<https://github.com/almet/infra/>`_, si jamais ça peut vous servir, tant mieux !
+
diff --git a/content/static/unsecure-connection.png b/content/static/unsecure-connection.png
new file mode 100644
index 0000000000000000000000000000000000000000..5e1b25b52df8739966d660c97f67b7027e80e6ad
GIT binary patch
literal 11258
zcmc(FWl&sQ*Cm7mlHeXZ5Zqk?4S@uAcXw;tHE4hU!Gnax-5Qqw!Cf0^+}*Wtrt`e-
zJ2myqH&ydvs-}PR>ArQ3t$p{od#|-4loTY<-x9w?KtMp3minTCfbaqz{u}rj8UFnv
zb4?xIymS$hR(lQq_`Wv#2LDgwDz4?K>R{pOVeD*<U<q`vH)nA%bv8E#x>z~5o*=ag
zBOts-kp3d7=9zJ{<l&3gbN}aTOrKF&N~%%{U0o>+r+88fS1HZpmXb=G87itn@2>Xg
zthDGgRZ!$NDOCDalrL$CSYog9;xd0^wyaPL=+Eb$kf8{j%rXTGA1xm)%elkm=2ErQ
zfxrp^$`CBEZ#pU~`(*GQl-<8XgWmqVL@)OLsO>!0u;*uEi@mw=r26ndT3VWtk`fU?
zQ&Te|BjfbqqN}S52^BR;w=N1kdq@#-Qn4X@a%Se}S0t21|3~kn8Q9fTzU^!UbYVfW
z8Mt355{FA3wxC;M(~|yA2ik;J_{7m+kM}T_y~%uHzm=605UYN3mIjHxNy5V;Cyt2W
z>rbstxK3VYSHvf!fA?52MlC9?p+P{x2c!l7S~YI@`T5yhca`ky>|}g1Z+hsc*`Axb
zEm_&x6yP0g>i~c8Q2R9z9GQ_pI#Z!9YhaK`b*rtTbAGcCYie(guETOh!S>$mh%xw}
zxfMXtH=)Q-t^ZG_;UY2~9%6J7UOOe`ECi)uHEKG#jkRr=#owuU4i6)zkv6Dm>bv3a
zdp&sUF^Z*&H?0uVv;_D!%$Sgn#7Exo6!AN*ehQ5h+Mh0!yx1N&ySnO`nIQ-q9+u0=
z$!T<4doeIDKr_=&Uti#`($**_hzlD%$a7dRVK+=l!aqLo5Bdyx8hm_58PbSrPD*FB
zTS_|2BE=hUkJ%P5rMgXm#bZ*NMFjx-8Xs2*9-6Y@!4$rE&!SWNDPJW?%fi++s-}jk
zT&He*vB`xL;Efk85nNu*^7ZT2Mt&&neJ>v8^%3vShQWG_ObWJ+3R%qjfcU=vGaA)q
zt&eAaMi$X5oxVI;AT%^wdD~v8QfxI{g0G;UK+5kJ_~*~3eH|T~i^&T!azPV*2Opo`
z1b)%>;V3q(&x8FmCOxX(pBQu4kNN}iNq#~)D&_^uGw%Y|aCv{c4n*xre(bHScf(uM
zgd>;Z{(Z7DDJ4bH%q*|N91#&Q2^p{F_U?|;4$4ldh6V7lYeEbSRR#QR*RhsBd=-c<
z+=@J@1X9=<ua7d*5Cqw=I;<GJQ$k=}BHCm_48;=XrUsHJ?u`CIed-0iS8yqXNq=jJ
zRSt@5Y~&9H2?`2A%Cu{2b}ZwPWiCSs2ZUWFSDj_~Jbt&|VyDm8m;P!1Yu^eD2Zo97
zZ3cJf4VGBY&aFMvu^E6|_k_O{;HbhMb9OF?H;jX}`Rr5SIh<Y-%3q=b;xnRl&{-QU
zuRHD+rnUIW{i{rHl7)qYij<W<t|16^)|4iRk52zOjF`^X+vDh`Q0>OkE)+4!Iv%ZD
z@qH@y$Blyftiq`L_7J@vV|;u(n*Z^}hHAO*d4)I*V2{W-7fo@`UcDXB;92);lHxQ)
z;m=GOVF1dc)t*Wx;y2Ti73|;8YN8qSJAaH>*det{itACwrvTlJ!xF3p7M>VHt{Zo4
zV&YHsC*d_{hFG1O-<_dJglf<^_10jM<1N`Q0N58e%x(}1&j46LDhl2!=2jn--(V_>
z9fgW*wX>n7iNiU6d64UY09FJ;2>npC!G~k}h2(ns1!o6b!ZP3$#v3O>P8nHoi-NU!
zdZyA6vhBI&UzFQDJN=5hq#4lKX2MFgwyvB^muT2T9&_s+M-hjiuT#@|vMWBH3K2<&
zL{f^R!LV>p<-Q8=k`#&up9L!tjJXQ&3wO9O_$C-K$Ae|@=##N4{j3T6WW3OZyKMOA
zc>fX)L2G@<6f62_PpbYTy5QVP;vz!uo!$-frQ^v!AT5r{UwbJ=w%%{d*V#T?jEQvj
z^=Y;_GuY49W~&w|n32yb4j-tFTMz;FstzWR#$r=`B*sZQIyy!WVDs_u%{Ms2f<T7R
z0l~^!`WuDMBpvZpovsNf+6~TV{`htHTaq>Y54pas74P?iodw$4mP_K3-?F66##SAT
zwL|?@`3Wm};xmd7Wd$>qNXG9vSTE5?#oF%yRlMVtyc^wmVG7GKI_d!_FfIQFFC6*u
zY$L6em&l_4r2YEg#Z&y?CC=CPJ}kEN6dS&~G@T}s6ECy?-Ifc&G=IkB_S4X)Fzrnq
zlgSQ6uqD(?kZ-k&cGe{?F!Xl;W_X`JdJ`=^&-cp<4ULX0%mtj%)3Npa_z^EHtikVn
zv$~Lnu78hV@@ee;6wJg%P^mvh_;i!QS$otg8Q}ZHgRVaYFfz)bE8w`#iH#kn7cE0g
zV!OWtNgMSGzqrJ0wOTi_YEK-kbiL*&FSQd(5$S^rxjL`_hi@p7x!SaEpO@w@aeePD
z&HSTTr39}Z1M6IT)^k{|1QB)QOgGMrJrnP7hrtyk`x^FyTQTzT$Z?WEbLTJv3~~`g
zGd&!lTce}R(8^dg^o2{K{{9XjtrdlU9o-fe)uaF;u#1+U#WOhZ$vut~ddiiK`6LNV
zdQFAP33k5xvrvdw-Xh#t)JI;BFS}JfI-l`{m271!6L2r!FC72##uH~9(%<ny(9&a3
zXdhD0_u>1y`2>QB88vV3Qc<F`AS%(GtAp7$7#I~39)j+NQVaF=O-(L>P7p)!^mJQC
zz`eoaspm5nkeUYUckk}(jOHQp8V#*%M(ABZLf;jSDN&o22abL3L3_ZMltYwrdv?S^
ze+cD?vSZq%(bT!2S9y|r(?J4m&x+yjcCg{7n)hmx2l?3H+}Pwm{^m74Dr2BTSKs8r
zlumsp@w?Bu3QF11!X22RTsQlUCUYlvE6>Lcr`F?+4@Y?4n7JcJb-{tRLl`)^10^NA
zT(=ts9p-ErZxj92M)8<Fqo&1rrdh0Y*a?u!`-i4p8_#Ig5N+z-p_RD$_c&MB>u>2<
zY~9e^uJm-ODg}dm+f8s-(9!KD3!Hq{669{n9UGf35QJ~73G^>pIZCnBe%kA+PnXYC
zsPtI?FIfo`L4C~^N$7J`d0TnvzJPk{nZ=;27mlqb!gdNE>XJ?YMZI02tq<D(FSeL1
z{Z<F^?eY%QIo*6^Mq#v{H6eRQ4}(X;h7eBfSK@bSAt51Z_kxT`k%55-I<;1!^U2YR
zKOcFm&?s=+P%ygyyM8$)CbtKb?To&n+EP;AQjzhKJ>4nfAU#p^ubEh@w@%T+ME2Dc
z@QNuZ&A6WT;>j_&vZP-jifg>HUCH>9^CMjxG&fWDdG_A=5U6Ny?lwxX)YlXeB+iEs
zFeGbQ$?=@7eR;+F(OBnWL$*hyTs+SYkZZCZodX`LQ?`9WeWGxKjyF&K?{v`ViUuB_
zSu{Ghg+zmILwb<iH^gRAq53eNq3reaZu`daIpxQ?%dWYPQP7L<xmyP`;?>^e(C+~Y
zk#!*So)+Hco?E9w?*J+YpLohmV@!j{$it#j?Fb!<aPon%W@8)@3yNEJ`Q?dv(INUF
zDd9}{su)<&PXD2?Zwx(ZioU`i;&XcsNdQNHj;f9yU$VqjCLnQ0F|N59IE?F3Sam<Z
z#$Sj?rNQpw#i!9Wo)$m*0ll~{87B{w-qBQQy!7RinP;E9s;0Vm+7Y9holX4p*|7^`
zt{_%ct+C;7*iYW~?7S%4Tta99+wzS7sZ0)UEEJl)TVJ%<R9u3iu)i%)5^Vc;HwC-;
z!zvQGTU8T6w|~tX*CpF`v3M1GyI&4$B%Uwe4ZmEU4LE3SY-(CN-VQN$=LBPGeuJ#|
zh=bjZsmm7qO?2q`IA_D>6SEoUanz`3HAtJ13p7gi=IfZ`(|Kv^mxzJB?1bE50reaG
z9F6knpS!0^50_ihA0FPCp4ps4F=%_cnN~eh5#YDsY&|5Kc4P85&Z1^XZ-ZDYFQ3uK
zTkjx^zkiCQk48MVDj$Ba?rK$JF?tFCdJ>9wSxxdk_esj#JECwPI4%6-Yr$s`rVxMZ
zyecCR?yZH9Bfaen61nzWn_7)Q{LSt_0Mm2{Lc326CK6dALUt>Q%}shc9-rVDvGGiu
z^Z=N5Rbc+5>^gZ))<2ACV4fAQWP+kD{6?~EGf7j^MH*?25_Gy86Rsunr!{QE$Lq_p
zK&-%BU}rpSaN+sgjil9%xoY*Ta)P)X)V%sPKn5t=QOy>sn~sP^#v9Vndfe5bFfqf!
z#|GYlSTjTQ_&?HL()sfX#0&gl^cQp}zfi5JC?koc+RfJ&0^cwbzjvNyZrgkMz}5hU
zq_op+(aQ$$X0?QPVt|HZF%toE8vDFur6rvE?)arAcC2L&dAlaNH(08KuQ*E7=bEQ1
zBwZfHcwX*6_fr`BfF(Ew7HIx!uQJK*5ZZbM@$E7A6zn&LJVeY7rh}X#7TLowj}3>y
z9|40;4mw^C+e7NRhW$@1_d2UPX6pM7@uHh;TQ5iM;%WpC&g>o>(R2ONv`X^x-Oa7u
z(w-C*!_B?iD)`sjUR!*No+3qyfjP_1fY^mvfe^!{&I<h&Ms)h&%uvE5l-q-Z`I>Zr
zOsks)TUCXst;A!P_c&7($5szsljiKj*_gP;d~~n>z&b;|LL$O`bFHT<h9SyTUd3?>
zUHkgb2L}2{Z~^!8?Cse?st~rLqVXrhtj_r!P@pj8sy1`pNVHa8Cwl0k6R9`na{$*n
zz4g3TMqdwt6TF_cl0#9<FepXrC?`*GYh<kBF{-QvINp-yX+wbfGHvM`LD%_6ZxQNP
z$e+p^3#ZCsCx+U3xZCc%F~%@$G}lcKv+5lNR~tlDwf(yE7%6?IiX3ftUY)DfSCm<^
zQ++G8cYQ`vE=#?@r-Pu%iYE-O(Of{)pw5A?jbWc`fSc{<)IohI++yc{Ew-o?LmoL%
zxw1Br`kmL2<E7G^C&a1ScK97+%53BsnaBV8o7|5nX!HnbGmR^JLE0<+0}ymK3X3X-
zH5`n5;u|*bnPqn#7;SGk?CzgclU@1z{?q5uoD1??n+L{pC)*^oqYsYfiH7Fq)3o})
z3Y<22sr~9gx_c;sXHJdxIk(jH47?Jeva{jNNFp!rweP6s#n^H1L^ysL#7-d2F3Va*
zcE6Y<W1Q?qX6vpYkV~9kXSQOinsrYgjcBa4w{0<@f+o|i@Z4E&Nm?ivAackt>Vv~v
zR#h}PAd+4cO>!A4qod%PYCyil!=t;taPsEkE<yOowwa2&yKwC8>ek@^y;Si+Tkm0<
zd{y~O&mgzC;To&<Y@s9{rXQy;bNwW$#L+pIn7;P(&V+!fb>YDQ!4+!FGYr#O2VEM4
zfWx8YxV}tSk>%&7g>%%#7Y&yB>PctyrAB_XF8xy|M8wW6+`Uby9F%n%k3xi(+;`Sw
z5RWrRM>nxBP-$aw4|{&^L!cQ|yv!^726(u@TvSzEonzSUKLxw^V7%r-&2ry)8p((c
zbQsB5c1aNMxn{nHok;2`tU3u+pB|24J$_&J%2;%c=lojE8x7HY5}n1LuJL#kE9_k1
zl%>^I9M%;M$*C6TWfs~Kru`%m`NhSUkZ{t$m}o}=98k%62OOv(H&DC0)X|>>x!>j9
ze0(;j>?qd89gDMXrkkjD^=c+Gz_*{ms-gE`${@ibG5D1vqf!2%TjrcgMPK_C-E`)F
z?9xNcsr?n0+LH@)$KgZMX^q4N!Kt2Y%b-sWiL>NP(wq8HGe6xXNKSS|SY5{5seJO`
z_pA(7jRthx=e~Cky_CV7!-^=gDSj@G;|a~_k?O}WU@#~5eCb$J4H!(x&W^=LXbBt!
ziOz?)g=wnkt_r&dyM;%uLcyjPAKeD=S}b)4$X)&N1VFwjj-o@imRyAp@5vD`wD^2G
zzz%)lYX2-p(P+aty^`CSP@uwL;%c=+Ayd6b4c|@oGV9GfKk5(MUXfXs-D53LNu>{y
z1%~U5Kyv3Op;3Dsc^mN$wYAn6inBD65sH;hrX2Qn;@5j&u*n~+BV;9hV9u24hFS&<
zt+y{%@wY60H&=ICp2{uX+&e9!4j=<hEyr8LqaNuvpP$oaZ+`K4*yt1av_#G{4921K
z#%^Z@mo~or;Sy7K^4-F(EAu-!SCFya{D$taqdk|!noJ7<MWd3Ek~VfW_4cb(rKHkQ
z+Nf@*R=f(N$?Jl4k0B*uqR;qtb2}xH;4fg_O2)RfvPMSlSrrtzM|=}5?bFdJ3ahI-
z{gx&9Ut&;EQ-?qb6-j(%f!L@*&B9_AimZ5-(9x%G7E8z;fs$ssMDMLV>2zqbLF=BT
zsOHhbCBMoggGXAEru~dcT`(Iu*_s{WCt@&9BRdlf8_Qe2+4u(~US`zt-Uc2s^R4Xs
zc-qy;1v#{hv<jk$UZhH5S6sf7>dI}wJDVhs^1<L_x+vGO$?V33fSNB}bu$gys84)B
z-8Zk3sb<b=_oQ+MeD`wN>PuCgnw_%EFKf{845k+Ct7V`@>yFsLpFYorfw)VXZ8hVl
zZ(iWu)>OLP<?%#vNgd&^%8GeAlc%N8uxLSn>lJZU32LQjK3+WbXHIS#DN_fBu`JPG
zM<>Vk*U^MSnDlmbXL^lz_x?x%j;nvjNR{xaPIo&$u(%eZiPdL(rdUkq2(=HtGzGWb
zztrG=kWEkh{`62<-O*7Hsa{gwBPuec#A}_}z*;nJfp?ESUC`UBqW`E7HoTd$GpJF|
z<E_~JOX+&r{II$DbiZ#3j4tcD&Am!PUb+PxY5`XyX8HQ*u0M^NB|o*LdGx_LR<duZ
zzl<UW43$~F@Vd+&gSv7o<$b2K?aGPqQ?_+B;JrmA4(1-9y8#Zq50m##!PmufDwszM
zjqys!p3q_3pD7;-L`15pQNq1Azc34Xm#J%DZyCO0X=n^tL%cp-lGW1s*>QDD5BCtS
zJQ~z7Lb;?=e={aRPV%f^vL9X%tHI4aj1Jx~TP@=;{iJf$3AFTiyU7|Jr3OYWN{hGx
z5nbrIod@a(YMEUWmCcINL#@S&=;%d#ZF74~JSnsMc<ta1Co%N*`<%}D)+*0ig>ITM
zzRA^Bvb;|#DMJ2=BYdu!Gf6n#)mCi6X)np!1D8!#-n%~2`s+5tME99o68>rY0n%o_
zrY9t1HQ)ctx(ySKP&wzEjC%1>SJF=Qs0to)P{jJAu3S~7yXT05jL{Aj;=(H2oE#nh
zEH9Izq<i`kJ#(+<<*RJ#gh|ZBz!|DwWb{sjQp)X6%OP}nX3}4$Pb+WB7CcPg9FB+N
zC&a*4<d^_4S$)nctOZtr%j|xPl~F|f08WtbOWv}Z*Y%F4S-Twr=&XxH^EWc`cWzWF
zZVYrnzvL!cd*7o9YF_4U<BCOSl*szNVm{J~3IlG5yD((mZK#}tR9CX*&Lq($nHmmn
z#ZGcP+KyJ4jaKRv&)JhXdi({!-%e+yt9?gR?%o8jpfR$whj5aUj4sdLE(emVQVuI%
zU<hwSbrP3`^)@En@C~eY4#FZ|M0#U#UCc)Nwi|JFdAqJZ`RI<<W>YL5k4}}F>OV>n
zSZIVrqTsW#vR<C7P^6d1<<JU!o*BSJo~?0o>hYOloMO?bfv1)g2IXQ_?kM0>G^20A
zB~sf)r!>|5w7z}9kJKW<es>dD@hvavOu6O{e02MqxT)*kvN1y9{rw##PMbfn>?&DQ
z`OlraE7eU6RW(ifNI+ZtWWF%Ror{^EGHWa2LZ{Cd^hk$OvLt8KT+K((Tgrr9ObO!h
z$Yss3>fTUA$tHPSEC72YDiS_h)pT=Q#zgb;7^=3hOVOV==D!BJMY_CFfajBk(dC|Z
zP9HMUOQ@fb`!M&?-xpDg6Bn*)&Kx?{AC5<7IpwWn?4gx77_nyPl*$t^HW9u(KRq>C
z{qt2TKOc+dN!pq9!O{^RtH|ctrjL$J@^|Aoxw+^S9+Ij)IP7^z!l{l%C~L)<b9K6~
z>o*Q}*Y--cc{DR^u6s({dWVA!2Te+IuBU1I*A)WafIJ8H-V=*|PCq8)%THW@hc}4<
zR7LS0qj%@^8uGcH?z~l%>10g7_Fqyo#PfYDroCC!U~6FPp=CRw;tK9!No~#(MOPO+
z9xs3L1W9@GQPXDC+~f;c%L`R4bcdvq-e#4cfmnH_-`<MGCKJVRAwzExm-7Zj<<)<9
z`ICtp+*f)-a-$Rngmtth^d^@WCIc&2_K7L8=qqf@t(YTU;kUK5{k6H9FRAiI?+>4?
z>W(Ys$Nh~OU-Vl8VY{W~Bq(&yV9m8qWdoc2rC)2`k@>+_qo<i3&E>C`<z=Za5CnAq
z92s}bW`{ZiWkN$E&YxjICiMZm>jADXYgV+IcGge_Z{~r{j@F_*F20z4wGTbbCEl*Y
z7gcRuIzGTRkaj`wG!8{PM#+!Sd%<ns^*hXAE$6^)o5wF3Nv(6767Um&U&VK3n05^J
zGEsyV9!CdIep}0I#{Yb4GioDdi>J95>Xsj(>twfGh^=~9ZtRvZ)MgGb+bNK-Qc*lT
zTIAWKyK~@+iF?W)U9e#)yBg!pxuMJXZKWZ5eYKHM^c2-LR3b)197VNYJ)VW=cXugD
zLL@p>qxgf+ZDiG3BRYNkVu`q#>;UX_VS$5#gI3|upyczCJ+F=xzsn(NCW}b`^rua&
z&M?ibOZm6Jls*W<@a#n;^OCHqLNQkXZIa7D(9d_Zx+2Zp;MoJA0MOb3o9yg1_XJyW
zckId$O}%Slsj`U#AASrO$Wo7FDXws9GV+a(;Ep7Q{t)+#mRNeaSofLHj6=Il7p)UM
z#!;rJ*u<sVm-2vL9Bcuj$qCAdWCBGrY=F2a6}BrLjk$ET`~#WKgK;#&D|rV}Qz1LS
znVs#9H${WlWC_6%tNFT*lbjZn&04wGZ#)e38ALno6a<G`*xCjpnRsz=GQVfTOl>Dw
zYp%NZZfR9u5hTBmd<ScxX@`r6q=QWdVG>GKQkYA_k_iP>I<U><YV?Ga{cy{@(h_~#
zX6^|Z94Na7c8iJ3k(~jRCGYRPn?jLwDRC}K2CcB(9I49OOn^^(z}}0A1Q3mgz`*Lq
z85W(5$1UgTva-2)dlCi)2ISe6(xRm|@0{5(SUg97{*lKr+p<P0ck0h{N`jMnNtmfv
zyb<P>&VhEL4>ts{PwOLoh%iWhD~1<?vfgU}IV<OhS>`kVJZ2?ly`Pc)^^wIhFa1Nn
zE5b{)7O?flSaO@;)~99Y@^{K}9cn((-YOF}H$yhNz-hpDZ@zEOy(1=)#(DnseT2W8
zH&E?_9<8ULB!noo&Z-*`QBi9;o@jf4&5*v!0}sU!jCZnzVI!#P!!9RPbyXns^RwyU
z^hRQ4y|WW&=JxT7S>f{g?ZH<Hh9fyc;UwD7uHvHGNiB1SQM@uH`EyEwv4!u#d7i@G
z3Ll~rrLsHMo}`C~nm_~X1VSko&+fcTE&gNO1k)LB4}kE)j$VCb9*rvYXk*3nUh5e@
zt0cIlP!M=b-Y8HsAoshs2UVHIBG>i!p4e1(P9>~(RGy>#?7DxY>Ix{GUf}Q9ENGmR
z@MY?DgS1KQ5cE<cto0dDk(-k}H8Pa&YXS;*eY*4cVmDfj!u{ur{sN?1ePo10Q^4a8
zO<BE3P^B6z`b%6E6>ONn#K50iUZ<pEs~+a@$98~I<>GwqdIw}?Hsy%}5&TXJ8~xmv
z!j-}B1a^4u$K*q1!ob*~A#{KHc9CGzXl=U_!(Lz_V-a^`fYVlY!s?Ihu#d~TCwF|I
zCDrNt4b;lB)3x{R_`QK?AwwB5^w(Ch9nb2hv28COSLM2zM15WIiqP2wc@uHL)2Xh7
z#0#z`J;V5*4M9tcl`uS?E_?qM*^=%`-lctfAlh;t%}B*So5X59m&mCk+KAw&of>fu
ziX5LqWp6+d5=`-}$<&kd0}i@l=!s=z*8QM#ZJBB-=Wmh&nKy%^>5R-%S?x!&7V&s4
zNqIj@&11Nf*7%HQLGmZ&{6D$Qni!bwNGT_F&{$RPg@&0<+PeCa^9`#D43P>)9jZ2?
z(|@-)^1Z@**x+vo(Cv^b_cm}1a6-<72pbI!9&8;(1ese=*I_Vn#*$KB*Ab4J5o6%(
zyB-J478=I?!}YVLrY2p*G`AEj33BB{M{*TL&4VBAU>%jn6LlpDreVW6@?&(@r#qkk
z@Xl&`NDr+e7fMxq-*gQF%wta!BpST8W>}{wsq1-dxy-0J<5v@p?xTnk7mup7vAQqa
zrE%m{WjTi9KvK?vni3<_;E5EQxiA3Iy>`BVGO&vGBqWz3mQ}g9cT7(wgp~`P8|{p`
z9z%)4Wn9Yb(to{szC{kpTpXp)g*l$?T32+_Cd6TC&2Q|lg&NklyB;jXF6$q&U@Psu
z%RL;?KiZf1Jo&YU8Cue^z;p}E<xYC^lS3mOd5RDr9M<)8qp3;pu-rl|FFw9{`un6$
z-9cRs2Xe}71-u+Z?lH)>)wGxgiW#Ws3gc5ziprcWtv($nEWz~z{>O!84bQKf15L$i
zTHCR1t5e4S(#I1<4krdPq?wpyZs5gxz#YccL>mkIZOyNwPL>vP6KL2Hdb;2tayC1l
z)Je5IpfcN$-_h!NJO^6)fMk7SBCW97<yrZF9o$8T$NJe+X=|I<n^BdA5B4CxxKNoj
z!m$W6U8%t&r(j-}aOPZSaG)#9xJu*&F7hYXN&Z#4zkFVwd4rar3w2*KAtp(|?D|YK
z#8~R2obRykWig#Ci9~6NjQ?e9tOy+|!$2Nf9fZr9z-Z#S@0$`KE~Yc-Ru|})8^wYT
zPK$*o*w{n^$4e~(Y?c61M<*waxq7&6{8~9rf(2g#op|khP!~Bx006*%d2Hhl6ZFFA
zDLG;#1lRqkfxHD=__$xb62sOUz4x`b`5@AFcP@{XqpY(hTL=iKfq!cO5)691I-~S{
zd&VK5U}R0F0ngPeEiK7CR}p>v{N(H9{|e4{#p-=ZI}vQzO{ofl`}mD*AJGd7GhbzC
z*I01d&d5bP{+*}WK4&IZUeEAXm|yHN)ZOz_#3S}UmrJgZ%+(m*(EnXF<wY}G_`(t+
z!cqID#jZ<J{wrN#iAm}({=Fgl^_%}=d(7{Z*IN+pQR=Z#L2b?!(%2%c<U}`Nf&FwZ
z_}%|dn;<kVt7-b)g)gp}Pz*lK@w+r`g-Xv*FvT$q!}G_3WrIJXFPmypLlRrD#1P*8
zzW@C5>%&V7R<8&?|293(aJ^U{o7^TPVFXdM!l1!x%FE4RkCveblY<9KFL@7TRX&T&
zK9SR>Zw1g|;MHhqP*`{Q#vWY5?pT4Mcc+%btyZx4P=?S;>o5XM=f5lYr=Gn4k;yRK
z{NV^J2C*5ry7+9SS?H-;!>yP662F1LzE_|v!1~3|==O^&n^XD|7XRq*)-vE(=F)B6
zVJKE7`x{1}Dx<Ck@vXq0IqE~f*8ZK7*zBaPr5kS9XwyGvZTiV!$Vv<MYj&F^KmKmH
zYctfOf#Ybz#qI`>JeuphZtqtL+dig(V})fdt@Ib>*Wyy?<$n!<N9o5XC!Zj?8D~`g
z(3%q5H-<};@<l>eOVDfWU_-Wx7x0eLnH_Vcp_G3eVus~qg?rF&X!IPxo`b{H-}ge0
zP$bP`SL}o`_ub?K>H#B$`2UTf2RTZDgNFN#A0{VS-NVhxN)aa6B&a`k*OOej!0FPZ
ziRM1^{_v!(Y|j7tMRv;TC}~Mlqbn?s{e2?Bz0GmBKyqv675qVJh<}Msn@G|c)dSf9
zANyLQnhP*+gcNpT`5*JQ_-l&|NtfPu+kHR-RLoL?R>QN1eBJoLQ}Mo>I3M`IAA)cN
z{Y}had^g-y{7?AuX<5>n(8yQAhVDP0)jo1IdM}HeurmZ}BOC%i0~Cgs74IFDzHQ@`
zYO-!Xi|g!AM^va~U6_5u50qb14hO;)k|RCe*D@w=nf`Q_-Pvkxd2G8Ll_CjX=30-4
z;g{`SQ^Kk9>h4|UzIl2rKQEo!${mWI-JEZ;s4M)XFxj79*Am<3iCyqHS`=v!+VbPf
zK^J^olkG`TviHF6-YOEem!2c*tJk*xvViYyemjAHV(6-hX|exna`4A>iyRb-wf6G&
zdLWgJ)#I?~5zlze5|NrDI8r%(k+Kj|P^OI=2~7gw=}(bTnC$1gm#A}Qh74DX#BASy
zY+sLpSr%Sa%I|bf5{VO1t$ZDRSXD>9n`Nm7{`X>mn*V>R6*#}3lP7R8P8m4AX1Asz
z{qJRo31~q{(@*0$CY@NZ*T%w|4`y$hz@z{?)t^;aUFlpz_NzI_S=DC+8{cMsauisn
zZo?M8xiK$d8UAqG9e8*iF>;JRRTh1!z*N|NOwlDkMivNps0!_0jQ9FC|Lu%WRj@Rb
z<jZIJ@<<j155Y!P=t0*hmSM-_G~gFS`>z39L>L}29s*;T{==Ky3xrH{^zf0Y!=zzZ
zxG5uE;umC%P^t!SjQ>c_g{R`4HE$LgMW3azwz^aHwv3fWo0D&@eS$EWd)8V6Qq_Ko
ziu_mRm#0wjnm|K~9xP&^c`dU|6N0rZ9`shV%DGVd^HOVNvMNQ}K>ROkwNjr?K)id{
z{&Ax&XIVJmmVP9{l-r~APOhx}&dR}@I4aK>>708uyRmFaq0gGSvPA=z3zHAc1&-Kj
zt`Bg(72WDb+K_Y^>rmHw)i2OD?;%msW~?X?OVm*%d~{Y<%HIZovyYx?#+_8LF6kNx
zIuoU||C4<jV@sYDzYg6~LEoEPTpRU!lRTHy>g@G~GNdUktCLy{T9?*8sW?5HSrd;N
z%2q$zRGqGVa%3^>!&-~s`@IiDDqU%zfPA8NF_|MZwWPljUTv&x#ZzBN$;5=olJ(*o
zr>n8RhuUc4>nz#h@>?z@pI3j^?czdbC_nt2<``4nV(+BX%fpxAfh>|ucGK>(Vc47Y
zhos@%cX>j{5SsOr1-0r05y=!(tK^E1O5TF=PQsN*_xQoXHcfGkDK!O4>?etJF*`@y
zXI$@C!%rt*2dw4*-1c(azFt#~J5+7G{xRlvK8aDNDV$f7DLF-BgY~<t^B$xk<*A=G
zh}-&Q{zEx=rCdI8g;#5Gv;D1|nN)Eq)%xFP6+xwc(JGF56VuC`qxe4hRFsLkI+wFG
zwJtphDg9B~DnXnZcn;}&kfqLQP0qhV@!_Z~I@^#wBBh?su{{U}Adol5)?n6HI50N@
zy$BSdt@pKl_TQ!0TS9Dnu{Hk}-UDs)y*39vP3GZ_MO?tb7yOR}Z2vO4%LmcWxvI`m
z7#?js;~n*y^NTy)kbejSSS@2Tyu3qgYOcE3j$|TVT{-<eRUJ-09HBfimXYn_@odqF
zXDJ2uu^9bld0aSZKNB9fO(rAb-7=zDSya_y6->zsfW|8S&c$`)?>-li?r|4j-t|Tv
zh_IUuAmWq?=uFJlXiqHpty8*(X_BT|joc<LnweJ`8NglHg1U%3w6^Q_{d&4@tqB+9
z+Q24pW24P~Ng*TU3Clad8yDYgb8Sh+ovnLbX8yYP5ME(U?CYC7B2T&Q$$rpa$dVD$
zLeCcNKE{!)uY9b0U}!l!1ghCG!!s`w8;?)Pl(H!%Yp7U>M$vOEem5f*kaD#HkvWdy
zO>cxOXtk}r>Sf_KEpq)ngf?W*^g9Hr^LLT63;HjM&>R&H&f*ophf>+n{nf+0nDiDD
zAchSmZl%+i7#>ki+xj95pfPf!zFnSm>m>M^m@kU#j7Fs4?6OeZ)IpE5Y(PGmj+Hgc
zc8wzsX<vb&=J5i^uf$kMBB*`3C}<bWRQIP7|2gK!`WPthzK?EFp|^TD&D`wU7#9l2
zh`h?{r*S?qlVJO(x^7~%Gw}mi`0D-HM{G@p#2bBYmIAQTZIwx-^6ZaBw--n|nGBX*
zUW~VyP06i6|M=w(%6!`FPBHX5rb^xfcqT&KqnCd;CCT`JJiJ-6XU=AWKtS&I=B^_(
z%q93{TWSKI;ok|8)EnkS9}btEotx3rt_I2oany6%*MREW;Wn}r-?Z9eeWxi&e2poJ
zGu8`Mc@qopY@ubh{+iz2r=BJnKO|k}qlT*tE^CSxTrB_gVoDZ#+H4v=nxF&}Sk1|*
zu|g=kjwnsc*_kobD{zolG8Vb^cq)4Na~Pz(+!jBlRS0M7XmgCkN5J<GFC}MPdT0hg
z11iw6x(`o4X2`s%Tr59&*hL#IMJ}_)bwwvE+?pPcV~_(zlAvas=ZLaCdVt@jwlgun
z*87Q;p;k|lv`L)=(e5@wtvc49!E{~H!-%qyiu<$e;mFZCkfxRQcW@#67i08iuCVj{
zQ8Y-M+E2fKof(Td{|PxK{}pjY{>XxdLGWs>|6lD*Kpzd;7&^^UBD{DPL0VklONE$G
G(Ek9(5=eUh

literal 0
HcmV?d00001