From 2209ea1883fa1f0d785fd99fa41667d341998fd5 Mon Sep 17 00:00:00 2001 From: okxlin Date: Thu, 1 Aug 2024 20:47:40 +0800 Subject: [PATCH] =?UTF-8?q?feat:=E9=87=8D=E6=9E=84uuwaf?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/uuwaf/2.5.2/.env.sample | 6 -- apps/uuwaf/2.5.2/data.yml | 40 ----------- apps/uuwaf/2.5.2/docker-compose.yml | 62 ---------------- apps/uuwaf/2.5.2/sourcedownload.sh | 15 ---- apps/uuwaf/5.1.1/.env.sample | 7 ++ apps/uuwaf/5.1.1/data.yml | 47 +++++++++++++ apps/uuwaf/5.1.1/docker-compose.yml | 54 ++++++++++++++ apps/uuwaf/5.1.1/low-memory-my.cnf | 63 +++++++++++++++++ apps/uuwaf/5.1.1/scripts/uninstall.sh | 3 + apps/uuwaf/README.md | 97 ++++---------------------- apps/uuwaf/data.yml | 39 +++++------ apps/uuwaf/logo.png | Bin 5011 -> 1765 bytes 12 files changed, 208 insertions(+), 225 deletions(-) delete mode 100644 apps/uuwaf/2.5.2/.env.sample delete mode 100644 apps/uuwaf/2.5.2/data.yml delete mode 100644 apps/uuwaf/2.5.2/docker-compose.yml delete mode 100644 apps/uuwaf/2.5.2/sourcedownload.sh create mode 100644 apps/uuwaf/5.1.1/.env.sample create mode 100644 apps/uuwaf/5.1.1/data.yml create mode 100644 apps/uuwaf/5.1.1/docker-compose.yml create mode 100644 apps/uuwaf/5.1.1/low-memory-my.cnf create mode 100644 apps/uuwaf/5.1.1/scripts/uninstall.sh diff --git a/apps/uuwaf/2.5.2/.env.sample b/apps/uuwaf/2.5.2/.env.sample deleted file mode 100644 index 8291cdd3..00000000 --- a/apps/uuwaf/2.5.2/.env.sample +++ /dev/null @@ -1,6 +0,0 @@ -CONTAINER_NAME="uuwaf" -PANEL_APP_PORT_CONSOLE="4443" -PANEL_APP_PORT_HTTP="80" -PANEL_APP_PORT_HTTPS="443" -SUBNET_PREFIX="172.22.0" -TIME_ZONE="Asia/Shanghai" diff --git a/apps/uuwaf/2.5.2/data.yml b/apps/uuwaf/2.5.2/data.yml deleted file mode 100644 index f8aca1fd..00000000 --- a/apps/uuwaf/2.5.2/data.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -additionalProperties: - formFields: - - default: 80 - edit: true - envKey: PANEL_APP_PORT_HTTP - labelEn: HTTP Port - labelZh: HTTP端口 - required: true - rule: paramPort - type: number - - default: 443 - edit: true - envKey: PANEL_APP_PORT_HTTPS - labelEn: HTTPS Port - labelZh: HTTPS端口 - required: true - rule: paramPort - type: number - - default: 4443 - edit: true - envKey: PANEL_APP_PORT_CONSOLE - labelEn: Console Port - labelZh: 控制台端口 - required: true - rule: paramPort - type: number - - default: Asia/Shanghai - edit: true - envKey: TIME_ZONE - labelEn: Time zone - labelZh: 时区 - required: true - type: text - - default: 172.22.0 - edit: true - envKey: SUBNET_PREFIX - labelEn: Subnet prefix - labelZh: 子网前缀 - required: true - type: text diff --git a/apps/uuwaf/2.5.2/docker-compose.yml b/apps/uuwaf/2.5.2/docker-compose.yml deleted file mode 100644 index f2c3a2f3..00000000 --- a/apps/uuwaf/2.5.2/docker-compose.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -services: - uuwaf: - build: ./docker/ - ulimits: - nproc: 65535 - nofile: - soft: 102400 - hard: 102400 - container_name: ${CONTAINER_NAME}-uuwaf - networks: - 1panel-network: - wafnet: - ipv4_address: ${SUBNET_PREFIX}.3 - ports: - - "${PANEL_APP_PORT_HTTP}:80" - - "${PANEL_APP_PORT_HTTPS}:443" - - "${PANEL_APP_PORT_CONSOLE}:4443" - volumes: - - ./uuwaf:/uuwaf - command: ["/run.sh"] - environment: - - TZ=${TIME_ZONE} - labels: - createdBy: "Apps" - links: - - wafdb - depends_on: - - wafdb - - wafdb: - image: percona:8 - container_name: ${CONTAINER_NAME}-wafdb - networks: - 1panel-network: - wafnet: - ipv4_address: ${SUBNET_PREFIX}.7 - #ports: - #- "127.0.0.1:4306:3306" - volumes: - - ./uuwaf/initdb:/docker-entrypoint-initdb.d - - wafdata:/var/lib/mysql - environment: - - TZ=${TIME_ZONE} - - INIT_ROCKSDB - - MYSQL_ROOT_PASSWORD=Safe3.WAF - labels: - createdBy: "Apps" - -volumes: - wafdata: - -networks: - 1panel-network: - external: true - wafnet: - name: wafnet - driver: bridge - ipam: - driver: default - config: - - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1 - subnet: ${SUBNET_PREFIX}.0/24 diff --git a/apps/uuwaf/2.5.2/sourcedownload.sh b/apps/uuwaf/2.5.2/sourcedownload.sh deleted file mode 100644 index 37d63f8d..00000000 --- a/apps/uuwaf/2.5.2/sourcedownload.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh - -mkdir -p ./tmp - -wget -O ./tmp/waf-community.tgz https://github.com/Safe3/uuWAF/releases/download/v2.5.2/waf-docker-community.v2.5.2.tgz - -tar -zxvf ./tmp/waf-community.tgz -C ./tmp - -cp -r ./tmp/waf-community/docker . - -cp -r ./tmp/waf-community/uuwaf . - -rm -r ./tmp - -echo 附件已经下载成功 \ No newline at end of file diff --git a/apps/uuwaf/5.1.1/.env.sample b/apps/uuwaf/5.1.1/.env.sample new file mode 100644 index 00000000..3184a321 --- /dev/null +++ b/apps/uuwaf/5.1.1/.env.sample 
@@ -0,0 +1,7 @@
+CONTAINER_NAME="uuwaf"
+MYSQL_MAX_CONNECTIONS=512
+PANEL_APP_PORT_CONSOLE=4443
+PANEL_APP_PORT_HTTP=80
+PANEL_APP_PORT_HTTPS=443
+PANEL_DB_USER_PASSWORD="Safe3.WAF"
+TIME_ZONE="Asia/Shanghai"
diff --git a/apps/uuwaf/5.1.1/data.yml b/apps/uuwaf/5.1.1/data.yml
new file mode 100644
index 00000000..5bbd1ef3
--- /dev/null
+++ b/apps/uuwaf/5.1.1/data.yml
@@ -0,0 +1,47 @@
+additionalProperties:
+ formFields:
+ - default: "80"
+ edit: true
+ envKey: PANEL_APP_PORT_HTTP
+ labelEn: HTTP Port
+ labelZh: HTTP 端口
+ required: true
+ rule: paramPort
+ type: number
+ - default: "443"
+ edit: true
+ envKey: PANEL_APP_PORT_HTTPS
+ labelEn: HTTPS Port
+ labelZh: HTTPS 端口
+ required: true
+ rule: paramPort
+ type: number
+ - default: "4443"
+ edit: true
+ envKey: PANEL_APP_PORT_CONSOLE
+ labelEn: Console Port
+ labelZh: 控制台端口
+ required: true
+ rule: paramPort
+ type: number
+ - default: "Asia/Shanghai"
+ edit: true
+ envKey: TIME_ZONE
+ labelEn: Time zone
+ labelZh: 时区
+ required: true
+ type: text
+ - default: "Safe3.WAF"
+ envKey: PANEL_DB_USER_PASSWORD
+ labelEn: Password
+ labelZh: 数据库用户密码
+ required: true
+ rule: paramComplexity
+ type: password
+ - default: "512"
+ edit: true
+ envKey: MYSQL_MAX_CONNECTIONS
+ labelEn: MySQL Max Connections
+ labelZh: 数据库最大连接数
+ required: true
+ type: number
\ No newline at end of file
diff --git a/apps/uuwaf/5.1.1/docker-compose.yml b/apps/uuwaf/5.1.1/docker-compose.yml
new file mode 100644
index 00000000..10bd7092
--- /dev/null
+++ b/apps/uuwaf/5.1.1/docker-compose.yml
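Review bot: `PANEL_DB_USER_PASSWORD` defaults to the fixed string `Safe3.WAF` in both `.env.sample` and the `data.yml` form field, and docker-compose.yml in this patch uses that value as the database root password, so every install that accepts the default shares one publicly known credential. 1Panel form fields accept `random: true` for generated secrets; something like `default: "uuwaf_"` plus `random: true` on this field would give each install its own value, with `.env.sample` carrying an obvious placeholder instead of the real default. The password entry is also the only form field without `edit: true`; if that is deliberate because the database password cannot be changed after first initialisation, a short comment saying so would help the next maintainer.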
@@ -0,0 +1,54 @@
+services:
+ uuwaf:
+ image: "uusec/nanqiang:v5.1.1"
+ ulimits:
+ nproc: 65535
+ nofile:
+ soft: 102400
+ hard: 102400
+ container_name: ${CONTAINER_NAME}
+ networks:
+ - 1panel-network
+ ports:
+ - ${PANEL_APP_PORT_HTTP}:80
+ - ${PANEL_APP_PORT_HTTPS}:443
+ - ${PANEL_APP_PORT_CONSOLE}:4443
+ volumes:
+ - wafshared:/uuwaf
+ command: ["/run.sh"]
+ environment:
+ - TZ=${TIME_ZONE}
+ - UUWAF_MYSQL_PASSWORD=${PANEL_DB_USER_PASSWORD}
+ links:
+ - wafdb
+ depends_on:
+ wafdb:
+ condition: service_healthy
+ wafdb:
+ image: "percona/percona-server:5.7.44"
+ container_name: ${CONTAINER_NAME}-db
+ networks:
+ - 1panel-network
+ volumes:
+ - wafshared:/docker-entrypoint-initdb.d
+ - wafdata:/var/lib/mysql
+ - ./low-memory-my.cnf:/etc/mysql/my.cnf
+ environment:
+ - TZ=${TIME_ZONE}
+ - INIT_ROCKSDB
+ - MYSQL_MAX_CONNECTIONS=${MYSQL_MAX_CONNECTIONS}
+ - MYSQL_ROOT_PASSWORD=${PANEL_DB_USER_PASSWORD}
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "127.0.0.1", "--silent"]
+ start_period: 0s
+ interval: 5s
+ timeout: 3s
+ retries: 3
+volumes:
+ wafshared:
+ name: wafshared
+ wafdata:
+ name: wafdata
+networks:
+ 1panel-network:
+ external: true
\ No newline at end of file
diff --git a/apps/uuwaf/5.1.1/low-memory-my.cnf b/apps/uuwaf/5.1.1/low-memory-my.cnf
new file mode 100644
index 00000000..0ef74b63
--- /dev/null
+++ b/apps/uuwaf/5.1.1/low-memory-my.cnf
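Review bot: `MYSQL_ROOT_PASSWORD` on `wafdb` and `UUWAF_MYSQL_PASSWORD` on `uuwaf` are both filled from `${PANEL_DB_USER_PASSWORD}`, which suggests the internet-facing WAF container logs in to the database as root (the account name is not visible in this hunk, so this is inferred); a dedicated least-privilege database user would limit what a compromised WAF process can do. The `wafshared` volume is writable from `uuwaf` at `/uuwaf` and is also the database's `/docker-entrypoint-initdb.d`; if the database entrypoint only reads that directory, `- wafshared:/docker-entrypoint-initdb.d:ro` narrows that path. The mapping `${PANEL_APP_PORT_CONSOLE}:4443` publishes the admin console on every host interface while the README in this patch documents the default `admin`/`wafadmin` login, so a comment above it telling operators to restrict the port and change the password right after install is worth adding. `percona/percona-server:5.7.44` replaces `percona:8`, and the MySQL 5.7 series is past upstream end of life, so the reason for pinning the older series should be stated in a comment.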
@@ -0,0 +1,63 @@
+# For advice on how to change settings please see
+# http://dev.mysql.com/doc/refman/5.7/en/server-configuration-defaults.html
+
+[mysqld]
+#
+# Remove leading # and set to the amount of RAM for the most important data
+# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
+# innodb_buffer_pool_size = 128M
+#
+# Remove leading # to turn on a very important data integrity option: logging
+# changes to the binary log between backups.
+# log_bin
+#
+# Remove leading # to set options mainly useful for reporting servers.
+# The server defaults are faster for transactions and fast SELECTs.
+# Adjust sizes as needed, experiment to find the optimal values.
+# join_buffer_size = 128M
+# sort_buffer_size = 2M
+# read_rnd_buffer_size = 2M
+skip-host-cache
+skip-name-resolve
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+secure-file-priv=/var/lib/mysql-files
+user=mysql
+
+# Disabling symbolic-links is recommended to prevent assorted security risks
+symbolic-links=0
+
+log-error=/var/log/mysqld.log
+pid-file=/var/run/mysqld/mysqld.pid
+
+
+#### These optimize the memory use of MySQL
+#### http://www.tocker.ca/2014/03/10/configuring-mysql-to-use-minimal-memory.html
+innodb_buffer_pool_size=5M
+innodb_log_buffer_size=256K
+query_cache_size=0
+max_connections=10
+key_buffer_size=8
+thread_cache_size=0
+host_cache_size=0
+innodb_ft_cache_size=1600000
+innodb_ft_total_cache_size=32000000
+
+# per thread or per operation settings
+thread_stack=131072
+sort_buffer_size=32K
+read_buffer_size=8200
+read_rnd_buffer_size=8200
+max_heap_table_size=16K
+tmp_table_size=1K
+bulk_insert_buffer_size=0
+join_buffer_size=128
+net_buffer_length=1K
+innodb_sort_buffer_size=64K
+
+#settings that relate to the binary log (if enabled)
+binlog_cache_size=4K
+binlog_stmt_cache_size=4K
+
+#### from https://mariadb.com/de/node/579
+performance_schema = off
\ No newline at end of file
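Review bot: `max_connections=10` here contradicts the `MYSQL_MAX_CONNECTIONS` form field (default 512) that docker-compose.yml passes to `wafdb` as an environment variable. Nothing in this patch shows the database image reading that variable, so the value of 10 from the mounted `my.cnf` is probably the one that takes effect. For a WAF that depends on this database, a cap of 10 can turn a traffic spike into refused connections, so it is worth confirming how the WAF behaves when the database is unavailable. Either remove the fixed line so the configured value can apply, or drop the form field and add a comment such as `# fixed low-memory cap; MYSQL_MAX_CONNECTIONS from the panel form does not change this`. `log-error=/var/log/mysqld.log` also keeps the error log inside the container rather than on the container's standard output, which makes database errors harder to collect.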
diff --git a/apps/uuwaf/5.1.1/scripts/uninstall.sh b/apps/uuwaf/5.1.1/scripts/uninstall.sh
new file mode 100644
index 00000000..1a62d5e5
--- /dev/null
+++ b/apps/uuwaf/5.1.1/scripts/uninstall.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker-compose down --volumes
\ No newline at end of file
diff --git a/apps/uuwaf/README.md b/apps/uuwaf/README.md
index 35346d81..21d13f10 100644
--- a/apps/uuwaf/README.md
+++ b/apps/uuwaf/README.md
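Review bot: `docker-compose down --volumes` removes the named volumes `wafdata` and `wafshared` declared in docker-compose.yml, meaning the WAF database and shared files, and nothing in the script says so. Add a comment above the command, for example `# Destroys wafdata and wafshared: all WAF configuration, logs and database content are deleted`. The script calls the standalone `docker-compose` binary, which hosts that only have the Compose plugin may lack, and it does not check the exit status, so a failed teardown could pass unnoticed. Because the volume names are fixed rather than project-scoped, any other stack that happens to use the same names would share this data and be affected by its removal.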
@@ -1,93 +1,26 @@ -# 使用说明 -## 1. 商店安装应用 +# 南墙 -填写参数,点击安装,这里会报错, +**南墙** WEB 应用防火墙(简称:`uuWAF`)一款社区驱动的免费、高性能、高扩展顶级 Web 应用安全防护产品。 -这是正常的,因为必要附件未下载,进行下一步操作。 +## **技术优势** -## 2. 执行脚本下载附件 +- 先进语义引擎 -终端执行以下命令下载所需附件,大致路径需要按需修改,脚本即在软件安装目录下 -``` -cd /opt/1panel/apps/local/uuwaf/uuwaf/sourcedownload.sh && \ -chmod +x /opt/1panel/apps/local/uuwaf/uuwaf/sourcedownload.sh && \ -bash /opt/1panel/apps/local/uuwaf/uuwaf/sourcedownload.sh -``` + 南墙采用业界领先的 `SQL、XSS、RCE、LFI` 4种基于语义分析的检测引擎,结合多种深度解码引擎可对 `base64、json、form-data` 等 HTTP 内容真实还原,从而有效抵御各种绕过 WAF 的攻击方式,并且相比传统正则匹配具备准确率高、误报率低、效率高等特点,管理员无需维护庞杂的规则库,即可拦截多种攻击类型。 -## 3. 重建应用 +- **智能 0day 防御** -正确下载了附件后,点击重建应用,等待安装成功。 + 南墙创新性的运用机器学习技术,使用**异常检测算法**对 http 正常与攻击流量进行区分识别,并对正常流量进行白名单威胁建模。通过**机器学习算法**自动学习正常流量中的参数特征,并转化成对应的参数白名单规则库,可以在面对各种突发 0day 漏洞时,无需添加规则即可拦截攻击,免除网站管理者一出现漏洞就需挑灯夜战升级的痛苦。 -- 默认地址注意是`https` +- **高级规则引擎** -- 默认账号密码 -``` -username:admin -password:wafadmin -``` - -# 原始相关 - -# 南墙简介 - -[![GitHub stars](https://img.shields.io/github/stars/Safe3/uuWAF.svg?label=关注 南墙&style=for-the-badge)](https://github.com/Safe3/uuWAF) -[![Chat](https://img.shields.io/badge/Discuss-加入讨论组-7289da.svg?style=for-the-badge)](https://github.com/Safe3/uuWAF/discussions) - -> **南墙**WEB应用防火墙(简称:`uuWAF`)一款社区驱动的免费、高性能、高扩展顶级Web应用和API安全防护产品。 - -![](http://waf.uusec.com/_media/waf.png) - -🏠安装及使用请访问官网: https://waf.uusec.com/ - -:heavy_exclamation_mark:注意:南墙 暂不开源,直接下载编译好的二进制文件安装即可,github仓库内主要为社区贡献的规则,每次 uuWAF 发布将自动更新。 + 南墙积极运用 `nginx` 和 `luajit` 的高性能、高灵活性特点,除了提供对普通用户友好性较好的传统规则创建模式,还提供了高扩展性、高灵活性的 lua 脚本规则编写功能,使得有一定编程功底的高级安全管理员可以创造出一系列传统 WAF 所不能实现的高级漏洞防护规则,用户可以编写一系列插件来扩展 WAF 现有功能。从而使得在拦截一些复杂漏洞时,可以更加得心应手。 +## 使用 -## :dart: 技术优势 -- :libra: 先进语义引擎 - - 南墙采用业界领先的`SQL、XSS、RCE、LFI` 4种基于语义分析的检测引擎,结合多种深度解码引擎可对`base64、json、form-data`等HTTP内容真实还原,从而有效抵御各种绕过WAF的攻击方式,并且相比传统正则匹配具备准确率高、误报率低、效率高等特点,管理员无需维护庞杂的规则库,即可拦截多种攻击类型。 - -- :ophiuchus: 智能0day防御 - - 
南墙创新性的运用机器学习技术,使用**异常检测算法**对http正常与攻击流量进行区分识别,并对正常流量进行白名单威胁建模。通过**机器学习算法**自动学习正常流量中的参数特征,并转化成对应的参数白名单规则库,可以在面对各种突发0day漏洞时,无需添加规则即可拦截攻击,免除网站管理者一出现漏洞就需挑灯夜战升级的痛苦。 - -- :gemini: 高级规则引擎 - - 南墙积极运用`nginx`和`luajit`的高性能、高灵活性特点,除了提供对普通用户友好性较好的传统规则创建模式,还提供了高扩展性、高灵活性的lua脚本规则编写功能,使得有一定编程功底的高级安全管理员可以创造出一系列传统WAF所不能实现的高级漏洞防护规则,用户可以编写一系列插件来扩展WAF现有功能。从而使得在拦截一些复杂漏洞时,可以更加得心应手。 - - - - -## :rocket: 快速进阶 - -南墙为你提供了强大灵活的扩展和安全规则的编写API,在管理后台发布后所有规则无需重启立即生效,远超市面上大部分免费WAF产品如`ModSecurity`,规则展示如下: - -![](http://waf.uusec.com/_media/rule.png) - -🏠请访问官网: https://waf.uusec.com/ 下载 南墙WAF使用说明书 了解规则API详情 - - - - -## :gift_heart: 贡献分享 - -参照: https://waf.uusec.com/#/guide/contribute - - - - -## :kissing_heart: 加入讨论 - -欢迎各位就 南墙 的各种bug或功能需求及使用问题,在如下渠道参与讨论 - -- 问题提交:https://github.com/Safe3/uuWAF/issues - -- 讨论社区:https://github.com/Safe3/uuWAF/discussions - -- 官方 QQ 群:11500614 - -- 官方微信群:微信扫描以下二维码加入 - - 微信群 - +1. 登录后台,访问https://wafip:4443 ,wafip为安装南墙的服务器ip,用户名`admin`,密码`wafadmin` +2. 添加站点,进入站点管理菜单,点击添加站点按钮,按提示添加站点域名与网站服务器ip +3. 添加证书,进入证书管理菜单,点击添加证书按钮,上传第二步中域名的https证书和私钥文件 +4. 将域名DNS的ip指向改为南墙服务器ip地址 +5. 访问站点域名查看网站是否能够访问 \ No newline at end of file diff --git a/apps/uuwaf/data.yml b/apps/uuwaf/data.yml index 0ad5f5b0..4c09d8e6 100644 --- a/apps/uuwaf/data.yml +++ b/apps/uuwaf/data.yml 
@@ -1,20 +1,19 @@
-name: 南墙 Web 应用防火墙(uuWAF)
-tags:
- - 工具
-title: 免费、高性能、高扩展顶级Web应用和API安全防护产品
-type: 工具
-description: 免费、高性能、高扩展顶级Web应用和API安全防护产品
-additionalProperties:
- key: uuwaf
- name: 南墙 Web 应用防火墙(uuWAF)
- tags:
- - Tool
- shortDescZh: 免费、高性能、高扩展顶级Web应用和API安全防护产品
- shortDescEn: High-performance, highly scalable, top-tier web application and API security protection product
- type: tool
- crossVersionUpdate: true
- limit: 1
- recommend: 0
- website: https://waf.uusec.com
- github: https://github.com/Safe3/uuWAF
- document: https://waf.uusec.com
+name: uuWAF
+tags:
+ - 安全
+title: 南墙 WEB 应用防火墙
+description: 南墙 WEB 应用防火墙
+additionalProperties:
+ key: uuwaf
+ name: uuWAF
+ tags:
+ - Security
+ shortDescZh: 南墙 WEB 应用防火墙
+ shortDescEn: NanQiang Web Application Firewall
+ type: tool
+ crossVersionUpdate: true
+ limit: 1
+ recommend: 0
+ website: https://waf.uusec.com/#/
+ github: https://github.com/Safe3/uuWAF
+ document: https://waf.uusec.com/#/?id=main
diff --git a/apps/uuwaf/logo.png b/apps/uuwaf/logo.png index bab6cbac45e9f1d7e768048cdb847d1204076c63..f82ea82fde288ed28b6815e33782438593b69256 100644 GIT binary patch delta 1760 zcmV<61|Rv8C*=*08Gi!+005o0f$RVP00d`2O+f$vv5yPQJZy+i)26aKOh)2C7Rw^#VQV*kAh`m{#=w-NfKEBdic z{i_)Kx+na(JpH2-`MF&G!3z4wdHkjz`mRX(sV5H6MgG7Y`+u%H`=A{BtRnxw6#J|z z`@CTLwLAaG1`g3h|HTCk(M9{GEB><=`@?Sj#S9M7MGnzL|HKLVpBVqf3I4_o|H%XW zu^$f6Mf;^H{HU&Li!%mU9#ChQscB)`$|NrwY zmI#q}y}tAKL3HOZJ9EzLEQVb&Ts0_`WdU}h0V|T=|M15!cflLHM8TUQ01$unyhZpw z5CHGVW}UwofQ8zaE_g0`+v{1XA^J2;-vj_9#}WfOM*ebLMcJV6Yf%71rISQ*WR|)# zL(_$2NPkHUNu{n1!!Rf*FuMhsNsN}mh8t-ryqXSdBMcX%0>fBaBTsJ2ZIJ14Y&Y0M6W|(u3{j`cAkS)N`cOvp zFzr+Ye>fz`x+t-KiyvcWQ<~Xss(x9a4liUWrGM-TNj(ZBQeiI=7o)^6v*oIN=Lh|v z)32hOFmy>|FN9CIzQA$1@8m3E9beyY4BZvsFAxA%$QW(DSH^#7FXie+-_j*Z%1tKV z>n5%1gO2lSuGwa9!yyDQ_YD#$)7!zOb5XiV2koM;%v%H9c_E2kxm+iux7pI3mJ=jT z%74he+WZ?)n$-;xN9TKhqKW(m<-c>SJm3UU%C=fWKb4db?fon=(YkwleSLkLe7v7T-ZGNRE2oQ(VZd*y3ymEyxN|4qT7X2mLfdh}zLT zvAa|;`?_ogQR5f`;8ELVEpt2QC>j5+uYY_1RLj_o!bWHu0IiV)q2+Od&vXFyd&gp} zR(q;s0pP=UMN#3iba)I*#BSHqtLxOF_AY?RglK~{(V9G^0kF02ptkdTpc5OF<_g|e z>b+U2E<`Z_s2!6}5NUwfbPZV}M9=Wvc zRR3hw9IEj3Gl36$yjtjV=rztwb~`R5PX!ra1- z0IXrKK=I4x*>1OvQ9Na;@u@R~Ze99*Q^Qr%sPn+)9Tly8Dk>jXMvru%J34942uRWs zUZ`Bw5btMlq+S@g)V2B4v9m16OfTI|+QfJ1COd#h>Q5(*(fARhiU1XKCVvR&hDg-z z54#4hJAhOcK@i(+z0Rkp54903Ox27Q-tSrjL9`xsm8hIl0aV)*wMfgP40V-Qj#G8m ziK$Y2dO8%cmLfuA+L{(-Ge)_tOA4osa8Tokiz!*o#%7=;QqCL;288Z-d#Yp>;Hj0? 
za$){#@jv8&9$DU|PX|-`qkmT1M_;MDPtq)E%3XW$oL6$HE^j-tR3TgUcazE8M~lEx z{b<%HbZv6sHgZn4z#MZvl^S<)m`V8@0$A81%Q#1{$Vle;)TM)w>Z8-WPzpjfT%Dis z+Oy^{g9`|Nn(jueLdhnVtMdq?MkA27)d%&LBN|9US(ZzQdCP!5*MA};XW|1XXNNnuK$ypcKtGm|%>?VFmLsy>p+#WjUi*4I=i^u=z28&XuS)yq15Z&BD zE9Bw7-ha{D4{?0wmXz(L>+>n;H{QO%ajLj@SNadb*}R;X=c1bc0000P)K0EX8E>vJLf#}1JHp9ZIXsoJwLzY zea~~B`#j5io_ zH1?KJH(*c&1Hc^Zxf~M!OdK50`N3IHDYgqEwF$iPS`FNJNu2gxo4eYqqd6DCF&dnM zzy;T5e+U2 z%h_t^g;pS(@h80n7@%|7AhvIBpdPB73Y#qwksy>70Hq7`?(VagkIvkzqeuCi0CK=8 z0C#;n)mBkhxa`1p7Er;z6fo1E4Ux2&VJYc|K6JJd(D}y?0B`w}jhA{F72Vlng61Z^ z#bl(_)kHqc6Ea*1t)?0R=?FxW7!<;NEWhxdHdp*`8#6iyTh>_Ue1IeXRY)~OxEc@)fWR6+#7xQh zp9nkq5RxnI@&}*HCMs%YMInZrqVUmJk;mD6gG8PB50e25_?zu1iTtn)xj2uC{aH8v z@};rf`w8jB(=9;`J6gbICdo`Bh?&4lAg!5*K^3jP^pPD&^mHxJ>4r0cq2Wzlf`=dy z16X!zOaML6Zs&&LMyM`9|&ijFeH6Od3I{n8?$B4L}evKqL&2 zZ6It72tzEZ9_3*7Y}P|3yL!mmS^MYr)a1Y4hxTonR!_e1lNJRy2l3(44%*42m@mWq z^JTE}&p7VCM2fgprZl5MgOY||fj~?E6NCXA4N8UJOhlB@Y}E6gvAz6>?3npTifYps z1gp1!u^Pl{A-Nrr*S1TZ#I1Y84B&Q141lVeTV0V(v{C8BW|aGu5C^k`t!$A|AU7r! 
zuY*kh6A^^1051Z0A;{9q1ObX_jWIQ3>?yGAe75L4K6BYG^3}Repl_zc%w~bO2Wai( z)f*>=5l4z7aT_EyLg#-ue~#zacOfV=NbTF?g^tJu60Uwdq8mX_a*&POK!le->M6LP zf~BDiT*+dwHr5H3uPTj8Nf;q*Ln2#bh*$x<0Y*Lq#SdUv^xMNtm;u5g z&WVWZ^Py!M8#gdo%0{~jv4$;vG12Fcj znU-j1tX;y~^9xvUhG7JGLc&!(3G)b4_#rwQLr1j59zqS<-W{w=D``p~CV(8GNH9Xd zrfdaaSp7GN>J!&e$M{3!xB=ibu%54Kp_wXLl6DIJ!3lpF*|7!72-wUJ@^L8s7@ZUB zoYaJBy?Z=tz74>sELf25GGdE45HKYQ%jL$eWQ#skE70HB?>w7E4_ab_x8 z{F0C(7aJ~Tgckr712#qgaSiH%pHefzcO|Rrf`^p%5$519aTw zpKuTC+J%nJ7sl!v#tcB=XA2itcKK>oL>IDEn1WPjgclfCkYM?mGUlW9ndDOja)^cE}LGc72 zOtGy%DKH2Q7$YdFd30v6|7e%gbOw50^gJeWke!I(_(r4!D9X=KZZL&;Z0tTf1NPoI zTL(MeC#0TBo{>mF!V3jcoQLL%=p5|CF&cC_c9IYmLzsd{YLE*dta6hm=1)ZD67Prs z;OBBqJk-BJO0`TlaayFcAU7shnn~iHX$hXjF&=bk{2OBW3LFEtA;?ixEDoM9P**pt zE7xW*w@YTGaaDuNIYE>&IQU|{unQ*%E2t$e0=&q;jtNBTQQ#j;bkfN!XE#X4zL1P; z1#vBa6oUdV4wB^O4e|QofZl=S8-p=DFi_t^%DR}ma2dzKQE`4wx}2KlZr<>gv+iH4F)6wpLz1Unu_l8 ze=LY@C*a&e8vh1Z0GimC>0{msXU1FE7Iz7U%YsaWLHJQs+INZe_n#^=$r`-BW-32% zWyR<|AO{-Rw|TlSFJBz)eXIe4eG02{L`)tL+px8Otu=((O~2v49ADu8L7un)gpZ83 z{AS{DRjbskKgeXgDkK#xX-N>1q2#{UOqWr9$LT1=nb83_r%Sl5zs%OEg~EZ#T@T#J z*w-L6YbGHgc*=mF4Vy>k3XDsy&-}%Tj{)d-hpz`1*Z|N zMWGOS%lMTdw2xv*3C8>*YyFEt>&64W`}F1ax|vcm6C^JJ__7HUHmo2Y)@;pobpLDc zpB_rpob2c@idC$g@^Ic^1`+)}O%?#Kv2K+?shk&4q0z*{e;3&YkHfhiO;`=Q0_ zlYjxsVGQVX6L9*?qkQ&ae$o0H-(oxfG_MN_i`H+?FMQy8d6`|R4Q?N|!sGLQLBWq4 zF&$`;_|A7CSvl)TW8xmKvff2!`&$-6YM9iASTp5<7bqg)Q6tE)}Y|4)KI z#argodMWdHnJ%_dWx0u6KO~{Aq{aC0c&Ad)z2ZTDR*dr15DWf-;NZ@YlO7$KO!L)! 
z)t{6ReT)6%U=-GUgW&vHR?V0vi_c$cV*f$m?f4P^U>l?u#c6T+@>dR89rv$_%#15J z%;7L+@lQi&pr5a4PW#6}?wYSUU zAN^NY!92M5{g$i-jT&cGuLg*k!?JhECROzArXVw*{fPlEvd_8&1`i$LCrtqTSo!M3 zitZKPu6*{asw3CBW5sw~dlv8D4`S^W?@1>DzKFa zt6sKh7XApeGyWDQ{^<5M!ypmNAv29t0Ho^<2#7!)f&A<*+ORjjJ-d=Me-psKVG@U# zM09he#=aVB+b48xA*BV9La@-pY^0)0uh5lGh1vQYxN%DPkmWFQ&f)eqUYr9(6b%^} zg)r*KPLVn~bz#wiU*Az=oyG9EPPrn&&D z-um9R7{zPbB{uihmsdAW;WdkGv;&S~+d@W37UI50w0DRyb ztPn)v%89+lG!q+;WCj@s_UCH&OYrp8?AvjF>#DXdV3^8`_3GB;eqFW|pS++(2gQ>} z2h)tSW=~q2>gd$P#SguZU-aO$1aTTO|2IbI5F=oIrhECk@jl*2o<(dJfMH?-VmCJ7 zN%3G`O2M!NpNuqX@3p} z@R+#?PgE`%uYq;XwWSYF*^LUI+eXhL4x=5sJqLWerd1ESQ+Xs=0A+s!yYe{}iM_UC zZ+7cX>piR{NXs{>bu%g-rbO~v#HqE2ofm|0G{qvJBAh>700L$Is^ZxTK72@z&LD<9 zar6bHai!oitS(VSK}J_S1E=CRbfn;;L7H8A+K5dw3OO@P{DHMakp1PK+TOwK7xyL9xK^Nb<3q(970001UGi-{9sWI7A zmazj0jYQHc!kp^Q0)y9&lL!K!MQrHj1Zfa*;1d^NlMSW{L6D;bMIt;rc*c|YF~8-E zrYm?TY9wX%MwQc^qeOiQR%UOIOmvTC{GlZmH8+K*q^v0oUo~D+dmN_jFo8~@gf}Adn`am0+<4z3h&&cu`e>#r^o!%d#k4-2(LpdHF?!fP~CAJIhMsTu`#=7)yVkI z1$uquRJUw$&;Re!JW|2Zdcb6Q}3)(mSmFApxMvZY$C9@AnY3#`QOUF>tB$stD}u@Le{M zzM3DlmX2j!8hj;#9|!XR0{qe9Js1jvJcG9b^baHP;NsFLUEO0}{n~Sk;j2_$C^*>> zC9K(T=|H{PJAB}9{~c4oL7mVqt*G2HGi~jYsE#Q*AmQK^X7wIAjIvW&^w9n2YFnSp zA{_`>?P%1nkW&e!ikL$s#SlX7WrPRH{pmrhTsN+xb!HH{f*)d75|kz2W_-tutD$rP z$<*=azM;%d=lkiDFAW^_VB}C^%Np1%spGB^cJkwt)W-I9zXu84Of&uSs0luf!Qd^8 zNp1NX^|UaWAPPG zT4Z-AyZ%|_oOPqlCyJ!wQ_+X(xEraXZv3xmGbj%Jo7f+m%DyCF2?!5@^F52A-Fx;^ z`joGUhNaiYRPDa-#d|J_{PlAuyanErl1DQ0_c#?b>ta!{!<44Iz(d7T$>L8T!8Oe0 zLxXUD{y;G1K6PrS2oZb39f%bK)W{}ZW( z8!40v1^ha4&AG6u*6`-U&4|ULw6teZ{lcEL(-Tt@VkwuM%b3Ef3FSJ&R*%%Qmo$|~ z5GzvBSgr?(Nw6Op%iY7Z)3$q+yL#z_(Ho~GBtmv~Uzb|A@QdaAt>;xIGvSh04KEb- zzygsbmu#oZmbXXipiM0gE~=q z&~44%Pc*(8VayQNki0Ms6YY`7CP>$9NZQ^y6kj=r_MTv}{LQ2_9p`coK$}{XP=<8N=8mEZPAj_CdsZum=SsAyDg1K}-#RX@E^L5X+eeWGj3* z4chJvFz*IE?B1U$3=g9BVm;b9|FH&uc6R05S-nrC{dh2`$*!QJoN9~yv+YFh-y>P5 zAX@`cXjbe4Q~<~)ZI=uShUO$$oFd{hU|eV^5CiNxTKUPHu{-~}TGl?A5#$dY$a6$h 
z2d9p)4Q^60!Nb#)f!=!rMqW%Lq?1&#JVh&OHV4@Sao#VBqLmZMp7tu?r7CYKM+2f`L&a~u#SnZfLeVUeWQtn{39v8ozI?_;MEaWhNQ5|cv&6Gw7~ z&6#J*PTey*YwGu$biwgHQEt+2mcDBjCz*2sH{C6fm{Aqj+#+>xHc(C(17gP-)|JVv zd3DAs4Gj(P@SfXKX>Z1SavEnDRd!fK#n>_1Q&o7CT5l@9n|Z}ixjD+YoIv%HHZuO} z?@QIiZ*OR3X2Mf9S@3!Z12AY?r4Loc{!tF*V|P{em@?pZENFS2ux$Zj)hZrsb>9T& dXw?(|@V`yWWE-=NSyuo6002ovPDHLkV1hC(efa