From 00e77466507afb23d0a05f74eb0b5cc4c51df697 Mon Sep 17 00:00:00 2001 From: Christian Henke Date: Thu, 17 Aug 2023 14:59:54 +0200 Subject: [PATCH 1/5] Tutorial: Secure hosting of a public Web Server --- config.yml | 1 + .../PublicWebServer/images/basic-auth.png | Bin 0 -> 21865 bytes .../images/connection-secure.png | Bin 0 -> 32214 bytes wiki/Tutorials/PublicWebServer/index.md | 113 ++++++++++++++++++ wiki/includes/glossary.md | 1 + wiki/security.md | 2 + 6 files changed, 117 insertions(+) create mode 100644 wiki/Tutorials/PublicWebServer/images/basic-auth.png create mode 100644 wiki/Tutorials/PublicWebServer/images/connection-secure.png create mode 100644 wiki/Tutorials/PublicWebServer/index.md diff --git a/config.yml b/config.yml index 5c9b2eb3..5b6e7681 100644 --- a/config.yml +++ b/config.yml @@ -155,6 +155,7 @@ nav: - 'Kubermatic' : Tutorials/Kubermatic/index.md - 'Loadbalancer' : Tutorials/Loadbalancer/index.md - 'Object Storage' : Tutorials/ObjectStorage/index.md + - 'Public Web Server' : Tutorials/PublicWebServer/index.md - 'Reverse Proxy with Elixir AAI': Tutorials/Elixir_AAI/Elixir_AAI.md - 'Save FloatingIPs' : Tutorials/SaveFloatingIPs/index.md - 'Set up RStudio' : Tutorials/RStudio_Server/index.md 
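Review bot: the new nav entry in the config.yml hunk points at Tutorials/PublicWebServer/index.md without the wiki/ prefix, which is consistent with the sibling entries and with the created file wiki/Tutorials/PublicWebServer/index.md in the diffstat, so the link should resolve; the placement between 'Object Storage' and 'Reverse Proxy with Elixir AAI' keeps the list alphabetical and the quoted key with a space before the colon follows the surrounding style. The hunks for wiki/security.md and wiki/includes/glossary.md announced in the diffstat are not in this excerpt, so the new tutorial's cross-references from those two files still need a look before merge.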
diff --git a/wiki/Tutorials/PublicWebServer/images/basic-auth.png b/wiki/Tutorials/PublicWebServer/images/basic-auth.png new file mode 100644 index 0000000000000000000000000000000000000000..d0028abd5be8f8c2fbb16865fdf503dbf234242f GIT binary patch literal 21865
z#F21#JqA*BXcsBc6tlJa`Ct@0Mjh29dM;5EAkc^}1>E|*6OS!@dOY@F2p2w ztX%KKC=-v#17^aK%W^ODe?v6nXKvWd|v$ASm&V zlcPW7yO;&P+)wBrc5u;`-8G$>uMFL19(bYb0|3U+CIoO{F1IpjxDrL)S z+~4kZ(Lsr)zwHr@SLA9VDld#Sito_gf112JH*c6oL({uwZi-pqc7OX(}Tq7*vzM8M z>VC+qth|M9@}IDvjG6+NEK6czzD7EN0EiqjSiBi3jYw|H!Ugn$+} z1tsEcF0-Hy)Fu5h)6I=5ecXm?e`n|Bc(ID}M>8k%X`2hqO4gYWIj`fb@_hnYP_f`G z=)OXBgehu9UX^{11hz{1sN_jRCr(nB(j9F#a8F(8dNIVJMvJ`K5dn?30mjJ4NiVpy zH~6$k@b+0)>+iE_s$^zP%Webi8vqQWD*GV=Wk*bRR7AxQnLbl>)k8izAGiT5C_;=K zQiTpCdIuqWB9$x0TwK8U61?_3@_O(q%H2X(PV1kEVg#ulQo4eLZcfw|R`qcMIS3^% z05bB-uzlz{@7NC+4|fD~5?(beEyxK>pB)=*YHGTwMUeaT+T4)zAn9`Nr&!fFVbKgh z>kR?hVJ1>Xz}W6!qdh%q(OUcrlrXv2GfceU@WEl0ktjK=(~?aA5{E^MuoFgkH+cM$ zzZ59ZjR&r$|a9aqjm|j*cC1^61cMRO;$E5{i#WW>K>i>m0_b3zp|a?_T#+YDS|B}P~xQ1P*GI2;FlBGOi@}V z^K+&I@VxWI5}l3RPRw1$rkn@ixH_B2g~+G~Lwm(QF>xk!T^;wZ`XHTJo(Bf~aAS(c zhBBJU5uu?8F6`%ErNp%bwp}ZWl)fqB^GCE3-A< z577%Rv%K+bw46I<>fF6%*uoJkKkZfSRp>H&HlcQenh|^wg}it`I|%|KOqHnh+7;=w zO&Q1g>WF^AHXnvo2>5J_tPZc_&5Fx9WN4w31BblDDob>pzKRG4w)&2AiDq|1m@QPl->_L+2CJmwOz0~k*~gBN6BEL^62Qu@udKgpt95#pQXqZ<$^cW_4QS?)YMc|pn-wv>Xej} zQ0(mGMq6E%JG`H_?}no%SjS2&xYwm+W#y$iEngnb!F#81ib>tMnQm=dU+qbGZ_aLR zrmy$B94fPujZ+*I9oH>wLy)Sd5Aue;$Vhj7pZ-&5R;LZRk=;?z*T>FTCPo z%fw5UwuSLBrw%_Kf9N|~0&8}}ChvEWLBh5;L{h z^rt_2)uwTw_#>W@V}F2s$2CaQdGAet)8;~-YM`U8toYA4_Mu zcWyWJmG%iTgbh-T;fk*FyxO6J7WN-jQ&(>&t_HBOp9h;`rl#_K35;q!2ZzkeO0pO{ z^H6H2FFxWrutCM`M*MmdHulq+uNHh16w9i(~(DbGz4 zgWPr>u+?i82Sj_y+GXgFzj=;E%^cftIX{;^D}o!K12>&~{>h;j!ce&*y*Y}$h12ln ziWy0T6g~S`zqVZm&K}b^9X$;Vh1fcFGCGj^UM77q<+aJYUEi1r^aE255<&^va=tZg zt**_`0>}~aBu=^}%@fR@31uDG7SBIo=XyRZrlv4i9^y4iNFlEEc9rPnbjuwdFJ*O`xZSnYt?M`zLR$Ds`+EEx{NZPHO z922k#e|!o=>R`Z&Ap7(8P<5Ez05 zW01yQ;JuuXnm(RYRx|s1pZ4}Y;^~>^MDG-8sUHvYkPxjkEn||r&!}%4Bp=aZr z*8bear;k;|Nf@Bz9STZ{JNuW`tfA*GXTPHNylV>C9*>rUzxn45o`Pw#d<>q4CCPkR zDGl$NJf2*zfNmGow{KJGn&7Pltg#1$^sfAkJ9L0NPoYXkONBDiu)%%2v7*cK`jl{3 z@e5Zv)R0vJvrhX-RxX&9ZgUBKQB29Vv9WA~*^p(Vf|Hgu{ix}UyXhTp@-@9{GWgg% zm6w{9ZqC*)UY90wt(pkizF9^L(bunIpzG5>wb{xsBtY{gCvP24-s*Uwo!cuPVzz~@ 
zPp;H&)7@m?G*H#n$DiAtpr9{8bbe4IllM9wWD_QX8ONOdRDCt{9f86EhV#Jbvu^=6 z6&H_mp>n{iu2!Kk77}7q?Js|91>tX5B_--a{&0tdp@;@maBx@8zpLlC;U#GGNoJ?X zweH@Ut;Aw~!0MONkJN%aL>h#JIr+fE(_qCASipf)K;`{RjcGT}1MMfdW1iIq#wM!X z`Eg{Ff5uBC7S@>A^>@dXWgD05-dPkSFH_Z!ns~x$Bq(8!$dwbOvXT;}&d5<3rV_00 zfO|L>B{lUFfcDkdWpN$N`F14)6A;$_Rc$WUT9mnG)i$bs@`!*6AJ8a!^ix(f27txk z^j#G@dAKf`c+c|~75tibnODgubY0hi(v==iUMxC zjVxogqDG+Vq;6(FSU4tkSjF1X!nZrb2+fxSiy(Cy!VksC`t_-3+wU=o@1w@MkjE{V4$L6!j@W)_X{$_dJDX7 zqv=R}s0CiOf`eduL#pXLWM!@*7wPVB6c$<3C;@T~8-w=RX5E4GD)bJ)k&=0M=hII+ z*>BtwJinV;zDQ1xK_dF2udsl#+8dt-*Xhcmhxl2e|L+a(h7l}atGOu6_s)1XH$c+c z{XXDSIa6)vj|+ zBGKMeyVen7S`N7Y7DeJtatuAqa0&E`#HNE-(};f88~rG9!%qJdAAQVEp1g(?=z)+? zSV|Re8|}hxh$}*sac?j+Y>bpq1#{EqIoJ;?=y;^aEk^@dFhES1X*A!NbQlioJEWT) z5&y!0ybExM@rn#zInmhYsA9USwU(Bav$L~}T$6;gs=PWU#lfwP@F!|&P;2=~b4ytn z?Hqwi*f1lKC_oM^IXzO!qV_eSsAH1Qr}?6b3^Tbn3s2KHvLf-5xo<7oYUjJ11-w zdAL9C!WZx!JK4nsk$Y&L?K|EtVI+CSubQ5mOwK|H*C*JevoG47G%sFhjl9|%V9#sE zcNxNdeEEL6ClWwP3bxL%fY6zqxvFLqN3a0co2)WP?K7-cL_{PYFi2q4K^`VpkW^jQ zzLb$yi#ZTR{jJm4XYDjUs}&6x($G$5*{c?dyjv$?>$UH4zR}9m06cE}PMpmUe38}l z^CLKMaU=I1W&2r+q4p=U&z*SF)6&W{j$^4Lx$GXLNd+3RR_(h4xbCi^_k1W<*#bpH zpVdE2E4N+w2pO2c`|j)zsm9qq-?(fJ~wbo!6`r~#Zo22`68yOX~aD1y%p^+wP z`4YxMqrB;H-T|?fvT9hEpMQCMIw#_Oae_zpA5Z5V9Efl~=t0n^c(sq8mwF>~qFIPg>LvzPe=sQUsiBVFZndag1!?iq^@%FQF9#3JGlns)PscZ-iDu8afQqo4C(a@S1|ZW!xKTVR96b_iGf_)T>x$o9inzoe3q zl7)rEzcRUQw+g;f&KKhbo#d*&Ghbw+6b?BpE{q;LA>xe+3KLzpaZiP)oUG z-oW?5i*l*a;sICGQL3183g76l!xR9KEIn+*5YUDD(@aL3eI_&Ckb1-DM4XTLj9TX8 zE9~(rr|eyuj2Q3X0g^KLRR}s35;+i4pt>~U8-n;8)LIL{R{*uEN2)5B!=)ne@YP-X zVOAdjroV}k66BC$4|4bcqJJmH0(A|cjs}jj4|Uz#_b6Bo&ix_* z@WX>VtKPSZ;Tj=P1)n!~_~9^z=*Y4d&RJtsC(MGgocaViNC07K%qfP4s-L8jv5F&1 z#UcJ+7Z=5C=@^HnVavOMnf1{6DLypx<~l(sX-Ky;>^X66#z9yMi0AryQnn|AGA4rn zd0B1jM@mouAqTC#Aqv(i!`dZ!59~BzP#v~pns*;4vvJax8$>nj?=5qEzl|htdeig5 zT}?>s`e7Ed_xY3O&^bnBNXg=nOg}N7pX{Ca=tsK_oM#&|>rG5;Ky3;V}@Ij6?3i# zN(_}xV_zdLjDOJNewu8Ot%BrLrAVBd(xTEXYb&=a=P9asg@Hk!S1+bM+K`8-qDrtE 
zlMv5)-Ffj42D)8n27w^1vW2L_ovF>{nHtIxbR2SH)TtKUQi5gBS$r5@&0A|$2duqkPpxh1BV+# z-)I(T59c@Krn`g_E@x551#J*C@Z0a7)pkkZb1P~_A*eOZs z(9lpp0X5b-JwKFH*-!A^E>yR(v~;eqvBR&+zJh{mpNDxHu58iMooNKCR+sSV6W!M9 z5`6&hSdMa=&DzYVD1#1MdfH5huXg#1kT(2AOn^0av#_s>lInwq*?U4sAZdp;o(@O@U)|&=zXua z%nlkpkI}(v!P3$)=N5gSad#(yOo$fqZ;Oy8mVT<|X&d*xXtw!=o3Y%RV37hmWeKm2 z-U1?Em#uKv#GZuD@gGPLAr-t3cWIT^Zg?~*S)$-=@b76=_IEHLQltx(cBHAsA3c5M zhPHYo6tw=~j0GWL=FXCzxA{xR48A5G#X6RX8$!-rEhG zjBq;&_;rSX(ZvI7le(Iy73;GPL=e2}JX3M6&5+DlEZ(?T*gS9COGXlZ@|^3NWT=ul z#)SfbDEVAcWK-_mo7*m3^fqP?AG(?wWR07}M^$JXPw00+LBeV#y8S0KA0a8 zZt-Px<`LPg)k>z1Puuq6Z)W5E+EoG$j*^F}%1OYo<-3Kps#0ciaTiN$-wvl!@B>tb z%C_^t`&nakb$z8jnPMvMC^^6C3VOQj4X_EDo_ixTWVJ1va^1*8YCepqw*-lMdlUEQ zwBJ5;$OA_7oSK%uBK!vW0uRF0&aaM9u}zKNU-JpyOMaVB9($+oF{U-u-~ zp#Vf`(c_{!g1tZaBm>&xv9DPu2J7k6J?uXpnhg`Ez=dW@zdiaH+M$b_)~DU@abR3&Q5Afo9kA^W3@U`aH$1H<<$R-;#o z-dteiiO}wUp+8m3^4}ZuWFa>L8Pp?_e;OzB%nKU%rp@e~qzlBYe5ZY#=h0^Lqr$G> z*`SvohC%#KTd`olo2m$W=dTZ`+2i`nr?5ct{<<4wW($rb+4}p>)jl#ZVRJv?-eEV{ zK0(4OXkUXW#gkZSeaG!_df#U67k5ZB`Sbh(+jn7%mDq+h)k7KVkhw9wpav>_`AlJF9nReARIFe!B1y3_4S>WmR{Ke_gY%6B~I_d z65`_CVNJK--i86bewX)x>~0PcRTeN%zAGuLzq1mg9F>i6p_ z0D$8o;6}*Ld3ETsX*x$0wlFgDTrq2?tA_Xi!)?eQCBBOEe!-t1se{LOxAop!B62dN z!GtnqRypbEAwxj^>dFLHWH_h_%>UL`{?!!lJ(6|Y8yl}dQEEJUfiSuTJG(q7p_WG- zgtFTP6`}-GYSxoGKV6RI**>%m7H;cB>&g70qm;ID06F1!@|?Fd7jHiLSk8Zybnsbn zp{7T!`Fwo5MjGAGWy9f1t~oN(tM?}d;;{uWxQ&c#XlQ72Id#7*OrFe1sIIQ28;rEA z*Orw*PnV;uP@ubKNN>n3F*@I^`Q+Ylx9yg#rn#8aC@r{(|IFWV%3!q>>(|EN~nc|>--an^d(lUzq!d7M_EObrz(^;cFxhu^ae z^bQ+aOjHya8hXyEfgEvv->?}{F>G(shFF*Vq8S}CV+R6%*t*>jqKh$SYj4%zjZs5_P^NH=tX+^Z?$VN&FSvxMr~d(7 zSO%*-Sz7m7pZgS4_Au|V*x)K6rd*PoY3Bz-ak%x{&Q zD*Ql{!Vh*J%Xpoi2GG5Fo*B7k9MJ(HJKuF}w3;?>5qhm`y{m+$7KE;@@EqUYSNCr^ ziK=miXHg7IGhuq&i;-uH{k>9!rHm`;U%OWN(9H4;;}UU7JA>2O1kZ1>MCPO6t_~{F zfi{e=lR;WH>UHw09$2RkaYo|%B3dQW9(DFw<7x7p?bqvD!7~G|R)}nomwfo1I8l}+ zv%Ifa*^X{&@?wyuHO1x(!JbOsHX7UiW6GXjYraZpUS8gWb38#14>sgV?c@A%az0Q= z-04q_=#NQ2@Y!NYIEgf<<#$L}7$Jv+5rlCympnOn!^vi)`RX8|RH{b8=hD7+6j)NJ 
zZ^M=TA#A_Z7PYq?Sp?IGS09q_4Mvfue@rBAJ_&VPuZ+)2B8&_njHG2{t(Hw@hLDD; zS5HBGGrg?)LJn{9hfaQeevl>y!k&y{mrP_%NOe}HV!^5bG7IEPTVyB{&mQtG+L{s+ zsh6mIOq8KHjMDh2{&Rl6t_G&|3^E0YbOj)9aWHSD%?az+5C0vyX$uZWqMtuqqE>dT z2UfxncYwGK=cPNYa|Ide{P-=w<~bGaxL%(mB5k-c=2)v6ta`u(S;)^vZ5?_4HYuhw zLwFdxhk)9vhv~YHcF*@2Lu7$4sAcGLHtyiOXcAG7G0t9l){Z&BUS8n8XC(gntmA)7 zT~bg|WO>{Z?(1fM+I4Nfh@%NdXsR{&Lt8u|Y>eq^Yb literal 0 HcmV?d00001 diff --git a/wiki/Tutorials/PublicWebServer/index.md b/wiki/Tutorials/PublicWebServer/index.md new file mode 100644 index 00000000..1d1eb4c2 --- /dev/null +++ b/wiki/Tutorials/PublicWebServer/index.md 
@@ -0,0 +1,113 @@ +# Secure hosting of a public Web Server + +When providing an online service to the public, encryption and authentication are the two main security aspects to consider. +Neglecting either one of them, could potentially lead to unauthorized access, privacy violations or even server hijacking. + +One quick way to encrypt and authenticate is explained below. +It is assumed, that you already have an instance running inside the de.NBI Cloud to host the web server, with a public floating IP attached. + +## Domain name registration + +Every public website needs a domain name that people can type into their browser address bar to visit the site. +Domain names can usually be obtained from domain name registrars, which is out of scope of this document. + +Please make sure your domain name points to the public floating IP of your web server instance. + +For the Bielefeld site you may request a domain name ending in `.bi.denbi.de` (e.g. `myservice.bi.denbi.de`) by [contacting us](../../Compute_Center/Bielefeld.md#contact). + +## Encryption + +Using unencrypted HTTP communication is unsafe because it allows data to be transmitted in plain text, +making it easy for attackers to intercept and read sensitive information. + +Therefore, do not expose your HTTP-only-speaking web server software directly, but use an encrypting reverse proxy in front. + +TLS encrypts data during transmission, preventing unauthorized access and eavesdropping. +One simple way to use TLS is to place a [Caddy server](https://caddyserver.com/) in between the internet and the web server you would like to make publicly available. +This way, Caddy will act as a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) encrypting your traffic. Caddy will automatically provision a free TLS certificate for your domain name through the non-profit certificate authority Let's Encrypt and renew it when necessary. 
+ +### Caddy - Installation + +Requirements: + +- Operating system: Ubuntu/Debian + +Execute the following commands on the instance that is going to be hosting the web server: +``` +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list +sudo apt update +sudo apt install caddy +``` + +The Caddy server should now be installed and running. + +Source: [Caddy installation steps for Ubuntu/Debian](https://caddyserver.com/docs/install#debian-ubuntu-raspbian) + +### Caddy - Configuration + +Requirements: + +- A domain name pointing to the public floating IP of your web server instance. +- A web server that you would like to make public (e.g. a Galaxy server) listening on `localhost` or `127.0.0.1`. + +Replace the contents of `/etc/caddy/Caddyfile` on your instance with the snippet below. +Replace `example.bi.denbi.de` with your own domain name and replace port `8080` with the port the +web server is listening on. + +`/etc/caddy/Caddyfile` +``` +example.bi.denbi.de { + reverse_proxy 127.0.0.1:8080 +} +``` + +Reload the Caddy server: +`sudo systemctl reload caddy` + +Afterwards, you should be able to access your web server by simply entering the domain name (without any port). +Your browser should now indicate that the connection is secure, as seen below. + +![](images/connection-secure.png) + +## Authentication + +It is strongly advised to make use of the authentication and user management features your web server provides. + +In case the web server you make public does not offer any authentication methods, +access must be regulated by telling the Caddy server to ask visitors for their username and password. +Users are managed inside the Caddy server configuration file. +To create a new user, e.g. 
`alice`, generate a password hash using + +``` +caddy hash-password +``` + +on the command line. +Add the username and the password hash by creating a new `basicauth` section as seen below. + +`/etc/caddy/Caddyfile` +``` +example.bi.denbi.de { + reverse_proxy 127.0.0.1:8000 + basicauth / { + alice $2a$14$osbZTr.aovwDoO8WULE7hu0rF8YbrZt5Ltp0W.tIARgkE8525HLCG + } +} +``` + +To add more users, simply add more lines to the `basicauth` section: + +``` + basicauth / { + alice $2a$14$osbZTr.aovwDoO8WULE7hu0rF8YbrZt5Ltp0W.tIARgkE8525HLCG + bob $2a$14$INrlWVMNeuULZYnkVIBclefLHGmXLB.WQdKQGr/FjpeJYDrmGUN1e + carol $2a$14$nPEUHsqMDS7YfuVzo1n3iecRBexUI9wQINymbnedI0iG4E.Pchfe6 + } +``` + +Finally, reload the Caddy server: `sudo systemctl reload caddy` + +Visitors should now be prompted for username and password: + +![](images/basic-auth.png) diff --git a/wiki/includes/glossary.md b/wiki/includes/glossary.md index 167c1419..4a14ff30 100644 --- a/wiki/includes/glossary.md +++ b/wiki/includes/glossary.md @@ -24,3 +24,4 @@ *[url]: Uniform Resource Locator or web address *[UUID]: Universally unique identifier, a 128-bit label *[uuid]: Universally unique identifier, a 128-bit label +*[TLS]: Transport Layer Security diff --git a/wiki/security.md b/wiki/security.md index ac2e18b3..7fec57e1 100644 --- a/wiki/security.md +++ b/wiki/security.md @@ -89,5 +89,7 @@ attacks that were (easily) able to guess your instance's IP and port (which are means). It is also highly recommended to protect your network traffic from prying eyes using TLS which is available inside almost all server applications, especially webservers. +Feel free to take a look at the tutorial [Secure hosting of a public Web Server](Tutorials/PublicWebServer/index.md) for guidance. + **Always** change the default credentials of services as these are well known and will be probed as soon as the service is exposed to the internet. From d0ca93eaa220b42a1e909bf1f7faa764290f18c6 Mon Sep 17 00:00:00 2001 
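Review bot: `basicauth / {` in the Authentication section of the new index.md protects only requests whose path is exactly `/`; in Caddy 2 a path matcher without a trailing `*` is an exact match, so any other path on the site reaches `reverse_proxy` without a password prompt, which defeats the stated goal that "access must be regulated". Use `basicauth {` (no matcher) or `basicauth * {` so every path is covered, in both the single-user and the multi-user snippets. The same snippet also proxies to `127.0.0.1:8000` while the Encryption section uses `8080`; keep one port throughout so a copied config does not point at the wrong backend.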
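Review bot: the glossary hunk appends `*[TLS]: Transport Layer Security` after the `uuid` entry, breaking the alphabetical order the surrounding context lines (`url`, `UUID`, `uuid`) follow; insert it in sorted position instead.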
From: Christian Henke Date: Fri, 18 Aug 2023 11:17:41 +0200 Subject: [PATCH 2/5] add security group set up; fixes --- .../images/security-group-rules.png | Bin 0 -> 13621 bytes wiki/Tutorials/PublicWebServer/index.md | 51 +++++++++++++++--- 2 files changed, 43 insertions(+), 8 deletions(-) create mode 100644 wiki/Tutorials/PublicWebServer/images/security-group-rules.png 
diff --git a/wiki/Tutorials/PublicWebServer/images/security-group-rules.png b/wiki/Tutorials/PublicWebServer/images/security-group-rules.png new file mode 100644 index 0000000000000000000000000000000000000000..1b31451131244bbc76653a5145c9f9a0b5d8d806 GIT binary patch literal 13621
`Security Groups` +- Click on the button `+ Create Security Group` +- Name the new security group "public-web-server" and confirm the creation by clicking on `Create Security Group` + +Now the security group rules list should be visible.
+ +- Click on `+ Add Rule` +- Select "**HTTP**" as the `Rule` +- Enter "0.0.0.0/0" as the `CIDR` and click on `Add` + +- Click on `+ Add Rule` again +- This time select "**HTTPS**" as the `Rule` +- Enter "0.0.0.0/0" as the `CIDR` and click on `Add` + +The result should look like this: + +![](images/security-group-rules.png) + +Next, the security group needs to be added to the instance hosting your web server. + +- In the menu on the left go to `Instances` +- Find your instance and select `Edit Security Groups` from its `Actions` drop-down list +- Add your new security group "public-web-server" to the list of Instance Security Groups by clicking on the `+` next to it, then click `Save` + +The Caddy server should now be publicly reachable via HTTP on port `80` and serve its default web page. + ### Caddy - Configuration +This section will configure the Caddy server to set up TLS and to proxy requests to your backend service. + Requirements: - A domain name pointing to the public floating IP of your web server instance. -- A web server that you would like to make public (e.g. a Galaxy server) listening on `localhost` or `127.0.0.1`. +- A backend service that you would like to make public (e.g. a Galaxy server) listening on `localhost` or `127.0.0.1`. Replace the contents of `/etc/caddy/Caddyfile` on your instance with the snippet below. Replace `example.bi.denbi.de` with your own domain name and replace port `8080` with the port the -web server is listening on. +backend service is listening on. `/etc/caddy/Caddyfile` ``` 
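Review bot: the security-group part of this hunk ends with the claim that Caddy is now publicly reachable on port `80` but gives the reader no way to confirm it before moving on; add a quick check such as `curl -I http://<your-floating-ip>/` (the placeholder being the instance's Floating IP) so a wrong security group assignment is caught here rather than during certificate issuance. It is also worth one sentence on why both rules use `0.0.0.0/0`: Let's Encrypt validates the domain by connecting to ports 80/443 from its own servers, so narrowing the CIDR to your own networks would break the automatic certificate provisioning promised in the Encryption section.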
@@ -65,17 +100,17 @@ example.bi.denbi.de { Reload the Caddy server: `sudo systemctl reload caddy` -Afterwards, you should be able to access your web server by simply entering the domain name (without any port). +Afterwards, you should be able to access your backend service by simply entering the domain name (without any port). Your browser should now indicate that the connection is secure, as seen below. ![](images/connection-secure.png) ## Authentication -It is strongly advised to make use of the authentication and user management features your web server provides. +It is strongly advised to **make use of the authentication and user management features** your backend service provides. In case the web server you make public does not offer any authentication methods, -access must be regulated by telling the Caddy server to ask visitors for their username and password. +**access must be regulated** by telling the Caddy server to ask visitors for their username and password. Users are managed inside the Caddy server configuration file. To create a new user, e.g. `alice`, generate a password hash using From a1946388a2333770b30fe325812a0b98641979de Mon Sep 17 00:00:00 2001 From: Christian Henke Date: Fri, 18 Aug 2023 11:41:43 +0200 Subject: [PATCH 3/5] clarifications --- wiki/Tutorials/PublicWebServer/index.md | 31 ++++++++++++++----------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/wiki/Tutorials/PublicWebServer/index.md b/wiki/Tutorials/PublicWebServer/index.md index 6052d29a..ae607d70 100644 --- a/wiki/Tutorials/PublicWebServer/index.md +++ b/wiki/Tutorials/PublicWebServer/index.md 
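Review bot: the unchanged context line `In case the web server you make public does not offer any authentication methods,` still says "web server" while this hunk renames the surrounding text to "backend service"; rename it in the same change so the two terms are not mixed within one section.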
@@ -1,21 +1,22 @@ # Secure hosting of a public Web Server When providing an online service to the public, **encryption** and **authentication** are the two main security aspects to consider. -Neglecting either one of them, could potentially lead to unauthorized access, privacy violations or even server hijacking. +Neglecting either one of them could potentially lead to unauthorized access, privacy violations or even server hijacking. One quick way to encrypt and authenticate is explained below. -It is assumed, that you already have a designated instance running inside the de.NBI Cloud with a public floating IP attached. +It is assumed, that you already have a designated instance running inside the de.NBI Cloud with a public Floating IP attached. Please start the **backend service** (e.g. a Galaxy server) that you would like to make publicly available and configure it to listen on `localhost` or `127.0.0.1` only. ## Domain name registration Every public website needs a domain name that people can type into their browser address bar to visit the site. Domain names can usually be obtained from domain name registrars, which is out of scope of this document. +A domain name is strictly necessary to be able to use TLS encryption. -Please make sure your domain name points to the public floating IP of your web server instance. +Please make sure your domain name points to the public Floating IP of your web server instance. -For the Bielefeld site you may request a domain name ending in `.bi.denbi.de` (e.g. `myservice.bi.denbi.de`) by [contacting us](../../Compute_Center/Bielefeld.md#contact). +For the Bielefeld site you may request a domain name ending in `.bi.denbi.de` (e.g. `myservice.bi.denbi.de`) by [contacting us](../../Compute_Center/Bielefeld.md#contact) and mentioning your domain name of choice, your OpenStack project name and the target Floating IP for the domain. ## Encryption 
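Review bot: the added line `+It is assumed, that you already have a designated instance ...` keeps the stray comma after "assumed" that the rest of this hunk is cleaning up; drop it ("It is assumed that you already have ..."). The context line "which is out of scope of this document" should also read "which is outside the scope of this document".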
@@ -80,17 +81,18 @@ The Caddy server should now be publicly reachable via HTTP on port `80` and serv ### Caddy - Configuration This section will configure the Caddy server to set up TLS and to proxy requests to your backend service. +From then on, any requests on port `80` will be redirected to the secure port `443` (TLS). Requirements: -- A domain name pointing to the public floating IP of your web server instance. -- A backend service that you would like to make public (e.g. a Galaxy server) listening on `localhost` or `127.0.0.1`. +- A domain name pointing to the public Floating IP of your web server instance. +- A backend service that you would like to make public listening on `localhost` or `127.0.0.1`. Replace the contents of `/etc/caddy/Caddyfile` on your instance with the snippet below. -Replace `example.bi.denbi.de` with your own domain name and replace port `8080` with the port the +Replace `example.bi.denbi.de` with your own domain name and replace port `8080` with the port your backend service is listening on. -`/etc/caddy/Caddyfile` +`/etc/caddy/Caddyfile`: ``` example.bi.denbi.de { reverse_proxy 127.0.0.1:8080 @@ -107,9 +109,12 @@ Your browser should now indicate that the connection is secure, as seen below. ## Authentication -It is strongly advised to **make use of the authentication and user management features** your backend service provides. +It is strongly advised to **make use** of the authentication and user management features your backend service +already provides. -In case the web server you make public does not offer any authentication methods, +### Basic Authentication + +In case the backend service you make public does not offer any authentication methods, **access must be regulated** by telling the Caddy server to ask visitors for their username and password. Users are managed inside the Caddy server configuration file. To create a new user, e.g. `alice`, generate a password hash using 
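Review bot: the new `### Basic Authentication` subsection (second hunk) introduces HTTP Basic authentication without saying that it is only acceptable because the Caddyfile above terminates TLS; Basic auth transmits the username and password in every request with no protection of its own, so one sentence tying it to the HTTPS configuration from the previous section would stop readers from reusing the snippet on a plain-HTTP site.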
@@ -118,10 +123,10 @@ To create a new user, e.g. `alice`, generate a password hash using caddy hash-password ``` -on the command line. +on the command line on your instance. Add the username and the password hash by creating a new `basicauth` section as seen below. -`/etc/caddy/Caddyfile` +`/etc/caddy/Caddyfile`: ``` example.bi.denbi.de { reverse_proxy 127.0.0.1:8000 @@ -143,6 +148,6 @@ To add more users, simply add more lines to the `basicauth` section: Finally, reload the Caddy server: `sudo systemctl reload caddy` -Visitors should now be prompted for username and password: +Visitors should now be prompted for a username and password: ![](images/basic-auth.png) From afe90b604d3ed74c5d94db7b7976daf1b74478b9 Mon Sep 17 00:00:00 2001 From: Christian Henke Date: Fri, 18 Aug 2023 12:04:47 +0200 Subject: [PATCH 4/5] clarifications --- wiki/Tutorials/PublicWebServer/index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wiki/Tutorials/PublicWebServer/index.md b/wiki/Tutorials/PublicWebServer/index.md index ae607d70..0b362828 100644 --- a/wiki/Tutorials/PublicWebServer/index.md +++ b/wiki/Tutorials/PublicWebServer/index.md @@ -123,8 +123,9 @@ To create a new user, e.g. `alice`, generate a password hash using caddy hash-password ``` -on the command line on your instance. -Add the username and the password hash by creating a new `basicauth` section as seen below. +on the command line on your instance. The command will ask you to enter and repeat a password of your choice. +Add the username and the resulting generated password hash to the config file by creating a +new `basicauth` section as seen below. `/etc/caddy/Caddyfile`: ``` From d876496cc0c2e16f2aeb4e4bd25478941402a6a6 Mon Sep 17 00:00:00 2001 
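Review bot: the Caddyfile in the `basicauth` hunk (`@@ -118,10`) proxies to `127.0.0.1:8000` while the earlier Caddyfile and the text (`replace port 8080 with the port your backend service is listening on`) use `8080`; a reader who pastes the second snippet over the first silently loses the working backend port, so change the context line to `reverse_proxy 127.0.0.1:8080`. In the PATCH 4/5 follow-up hunk, `the resulting generated password hash` is fine, but it is worth one clause that the hash string printed by `caddy hash-password` (bcrypt by default) is what goes into the file and that the Caddyfile never holds the plaintext password.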
From: =?UTF-8?q?Jan=20Kr=C3=BCger?= Date: Wed, 23 Aug 2023 14:47:22 +0200 Subject: [PATCH 5/5] Update bielefeld 08/2023 (#475) * update Bielefeld specific Images section * update formatting * Update wiki/Compute_Center/Bielefeld.md Co-authored-by: Christian Henke * Update wiki/Compute_Center/Bielefeld.md Co-authored-by: Christian Henke * Update wiki/Compute_Center/Bielefeld.md Co-authored-by: Christian Henke * Update wiki/Compute_Center/Bielefeld.md Co-authored-by: Christian Henke * Update wiki/Compute_Center/Bielefeld.md Co-authored-by: Christian Henke * Update wiki/Compute_Center/Bielefeld.md Co-authored-by: Christian Henke --------- Co-authored-by: Christian Henke --- wiki/Compute_Center/Bielefeld.md | 168 ++++++++++++++++--------------- 1 file changed, 88 insertions(+), 80 deletions(-) diff --git a/wiki/Compute_Center/Bielefeld.md b/wiki/Compute_Center/Bielefeld.md index 47e8d529..963349e2 100644 --- a/wiki/Compute_Center/Bielefeld.md +++ b/wiki/Compute_Center/Bielefeld.md 
@@ -1,26 +1,26 @@ # de.NBI cloud at Bielefeld University -The Bielefeld cloud site currently has OpenStack Train installed. That means that the general descriptions with -screenshots based on OpenStack Newton differs from our installation. +The Bielefeld cloud site currently runs the OpenStack version "Yoga". ## Contact -The de.NBI cloud team in Bielefeld can be contacted via email: os-service(at)cebitec.uni-bielefeld.de +The de.NBI cloud team in Bielefeld can be contacted via email: os-service(at)cebitec.uni-bielefeld.de ## Entrypoint -The OpenStack Dashboard as main entry point to the de.NBI Cloud Bielefeld is available + +The OpenStack Dashboard as main entry point to the de.NBI Cloud Bielefeld is available at [https://openstack.cebitec.uni-bielefeld.de](https://openstack.cebitec.uni-bielefeld.de). ## Endpoints -You can get an up-to-date list of API endpoints of the available services using the dashboard or +You can get an up-to-date list of API endpoints of the available services using the dashboard or the OpenStack command-line tool (`openstack endpoint list`). ## Login -The Bielefeld cloud site supports login using LifeScience AAI via OpenID Connect or default Keystone credentials. -Using LifeScience AAI is the preferred way for all cloud users and the only way for non-cloud users not working -at Bielefeld university. +The Bielefeld cloud site supports login using LifeScience AAI via OpenID Connect or default Keystone credentials. +Using LifeScience AAI is the preferred way for all cloud users not working +at Bielefeld university. ## Network 
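Review bot: the rewritten Login paragraph changes meaning, not just wrapping: the old text said LifeScience AAI is preferred for all users and the only option for users not at Bielefeld University, the new one says it is preferred only for users `not working at Bielefeld university`, which implies Keystone credentials are the normal path for everyone else. If the policy is unchanged, keep the original statement and only fix the line breaks. Most other `-`/`+` pairs in this hunk (Contact, Endpoints) differ only in trailing whitespace; that is fine, but saying so in the commit message tells reviewers no content changed there.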
@@ -31,33 +31,34 @@ Project network routers are managed by the de.NBI Cloud Bielefeld team. All othe management operations are unrestricted. The routers of the deNBI projects are located in an unrestricted public network. - ### MTU settings -We make use of a network virtualization technology called Virtual Extensible LAN (VXLAN). The MTU value provided -to the network interfaces is 1450 and therefore differs from an expected default *value* (e.g. 1500). You have to +We make use of a network virtualization technology called Virtual Extensible LAN (VXLAN). The MTU value provided +to the network interfaces is 1450 and therefore differs from an expected default *value* (e.g. 1500). You have to consider this if running docker or any other container technology. ## Images -Preconfigured cloud images are available for Ubuntu LTS (18.04, 20.04, and 22.04) and Debian (10 and 11). +Preconfigured cloud images are available for Ubuntu LTS (20.04, and 22.04) and Debian (11 and 12). These images apply some auto-configuration on boot specific to the cloud site Bielefeld: -- Site-local APT mirror is used as default -- If needed, APT, Docker and the environment are configured to use the local proxy +- Site-local APT mirror is used as default (only Ubuntu LTS). +- New login style showing important messages from de.NBI cloud site Bielefeld (if there are any). +- Fail2ban (https://github.com/fail2ban/fail2ban) comes preinstalled and configured to monitor SSH access and improve + security. All images are able to run on other cloud sites without any further modifications. ### Ubuntu apt mirror -We run an apt mirror for Ubuntu LTS releases (18.04, 20.04 and 22.04) to speed up package download. The mirror is available -at the Bielefeld cloud site through the external (http://apt-cache.bi.denbi.de:9999 or http://129.70.51.2:9999) and cebitec -(http://172.21.40.2:9999) network. +We run an apt mirror for Ubuntu LTS releases (20.04 and 22.04) to speed up package download. 
The mirror is available +at the Bielefeld cloud site through the external (http://apt-cache.bi.denbi.de:9999 or http://129.70.51.2:9999) +network. This mirror is synced every midnight with the official Canonical/Debian repositories. ## Object storage -The storage backend used by the Bielefeld cloud site is powered by [Ceph](https://www.ceph.com/en/). The Object storage +The storage backend used by the Bielefeld cloud site is powered by [Ceph](https://www.ceph.com/en/). The Object storage endpoint provides API access via SWIFT and S3. The latter should be preferred due to better performance. You can find a tutorial [here](../Tutorials/ObjectStorage/index.md) on how to use this service. 
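Review bot: `This mirror is synced every midnight with the official Canonical/Debian repositories` now contradicts the rest of the `@@ -31,33` hunk, which limits the mirror to Ubuntu LTS (`Site-local APT mirror is used as default (only Ubuntu LTS).`); drop `/Debian`. The new Fail2ban bullet should state what it actually enforces (which jail is enabled, the ban threshold and duration) or link to the configuration shipped in the image, since `improve security` tells a user nothing about what gets blocked, and users doing their own SSH hardening need to know a ban service is already active. The mirror is reached over plain `http://`; that is acceptable because APT verifies package signatures, but one clause saying so pre-empts the question.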
@@ -72,13 +73,12 @@ are independent of this cloud-center), you have to copy your data to a safe loca for yourself. We do our best to prevent any data loss, but we can't guarantee that 100%. Here is a quick overview about our solutions for storing data: -| Data Location | Description | Performance | -| ------------- | ----------- | ----------- | -| Root Disk | The root disk of an instance is hosted on a RAID10 backend. This means that data is safe against single harddrive failures. However, if the hypervisor itself goes bad your data will be also completely unavailable. | Fast | -| Ephemeral Disk | Some flavors provide an extra disk called "ephemeral disk". While this storage is practical for most use-cases it is also the most unsafe one. They are **not** included in Snapshots and should be used for temporarily used data. | Fast | -| Volumes | Volumes are stored redundantly in our Ceph-Storage. Since volumes are network-backed storage, random read/write operations performance is significantly slower than using the local disk space. Volumes offer a great solution for storing persistent data since volumes can be swapped to different instances. | Medium - Fast | -| S3 Object Storage | This data is also stored in our Ceph-Storage just like volumes. Access to this data is completely independent from instances since access is done via regular HTTPS. Therefore data in S3 is safe against any hypervisor issues. Performance heavily depends on the client used to access the object storage. A single-threaded connection is slow but can heavily speed up using multiple connections retrieving different chunks of the same object. Pushing data is much slower than retrieving data. 
| Slow - Fast | - +| Data Location | Description | Performance | +|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| +| Root Disk | The root disk of an instance is hosted on a RAID10 backend. This means that data is safe against single harddrive failures. However, if the hypervisor itself goes bad your data will be also completely unavailable. | Fast | +| Ephemeral Disk | Some flavors provide an extra disk called "ephemeral disk". While this storage is practical for most use-cases it is also the most unsafe one. They are **not** included in Snapshots and should be used for temporarily used data. | Fast | +| Volumes | Volumes are stored redundantly in our Ceph-Storage. Since volumes are network-backed storage, random read/write operations performance is significantly slower than using the local disk space. Volumes offer a great solution for storing persistent data since volumes can be swapped to different instances. | Medium - Fast | +| S3 Object Storage | This data is also stored in our Ceph-Storage just like volumes. Access to this data is completely independent from instances since access is done via regular HTTPS. Therefore data in S3 is safe against any hypervisor issues. Performance heavily depends on the client used to access the object storage. A single-threaded connection is slow but can heavily speed up using multiple connections retrieving different chunks of the same object. Pushing data is much slower than retrieving data. 
| Slow - Fast | ## Server Groups for optional performance gains @@ -86,12 +86,12 @@ Our OpenStack cluster consists of multiple compute nodes hosting all running ins can benefit if you schedule the instances of your project on as many different compute nodes as possible. - Distributed systems (like HPC, databases...) can get a significant performance gain. -- Spreading instances over several compute nodes increases the availability when running a high availability setup. +- Spreading instances over several compute nodes increases the availability when running a high availability setup. -This can be achieved with *Server Groups*. Server Groups act as a "container" for instances and describe +This can be achieved with *Server Groups*. Server Groups act as a "container" for instances and describe a "policy" on how those instances should be scheduled across the OpenStack Compute nodes. -In order to create such Server Group, login to the OpenStack Dashboard and navigate to Compute -> Server Groups. +In order to create such Server Group, login to the OpenStack Dashboard and navigate to Compute -> Server Groups. Afterwards click on *Create Server Group*: ![sg_screen1](img/bielefeld/sg_screen1.png) 
@@ -100,55 +100,53 @@ On the new screen, give this security group a name and assign the wanted affinit The policies are defined as following: -| Policy | Description | -|--------------|--------------| -| affinity | Force schedule all instances on one single compute node. | -| soft affinity | Try to schedule all instances on a single compute node. Allow to violate the policy when there is not enough space on this single node. | -| anti affinity | Force schedule all instances as spread as possible on all compute nodes. | -| soft anti affinity | Try to schedule all instances as spread as possible on all compute nodes. Allow to violate this policy when there are not enough compute nodes with such capacity. | +| Policy | Description | +|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| affinity | Force schedule all instances on one single compute node. | +| soft affinity | Try to schedule all instances on a single compute node. Allow to violate the policy when there is not enough space on this single node. | +| anti affinity | Force schedule all instances as spread as possible on all compute nodes. | +| soft anti affinity | Try to schedule all instances as spread as possible on all compute nodes. Allow to violate this policy when there are not enough compute nodes with such capacity. | -It is recommended to use the "soft" variant. Otherwise, instances can fail to start when they would violate +It is recommended to use the "soft" variant. Otherwise, instances can fail to start when they would violate the more strict policy options. -Afterwards the creation of a new Server Group, you can add instances to it when you are creating them. +Afterwards the creation of a new Server Group, you can add instances to it when you are creating them. 
It's not possible to add already running instances to a Server Group since they are already scheduled. On the *Server Groups* tab, add the group by clicking on the small up-arrow: ![sg_screen3](img/bielefeld/sg_screen3.png) Afterwards, the scheduling of this instance will respect your selected Server Group policy. - ## Application Credentials (use OpenStack API) In order to access the OpenStack Cloud via command-line tools, you need to source a so called rc file. -This _standard_ procedure does not work on all Cloud locations. Executing `source` on the -downloaded rc file prompts for a password. This password **is not the same** you have used when +This _standard_ procedure does not work on all Cloud locations. Executing `source` on the +downloaded rc file prompts for a password. This password **is not the same** you have used when authenticating to LifeScience in order to access the OpenStack Dashboard. -Internally, OpenStack does not set a local password for your ELIXIR-ID, since it does not need to +Internally, OpenStack does not set a local password for your ELIXIR-ID, since it does not need to hence OpenStack confirms your authorization separately via LifeScience AAI. -However, the commandline-tools can only function with a set local password. Prior to the new -OpenStack release, users had to contact the cloud site administrators in order for them to set an -explicit local password and send it back to the user via encrypted mail or de.NBI vault service. +However, the commandline-tools can only function with a set local password. Prior to the new +OpenStack release, users had to contact the cloud site administrators in order for them to set an +explicit local password and send it back to the user via encrypted mail or de.NBI vault service. 
-Luckily, there is a new feature since OpenStack Rocky where users are able to set their own *local* +Luckily, there is a new feature since OpenStack Rocky where users are able to set their own *local* credentials via the dashboard. -Log in to the OpenStack Dashboard as usual, on the left side navigate to Identity -> Application +Log in to the OpenStack Dashboard as usual, on the left side navigate to Identity -> Application Credentials and create a new credential set: ![ac_screen1](img/bielefeld/ac_screen1.png) -Afterwards, you have to specify your new credential set. You can leave the 'secret' field blank, -OpenStack will autogenerate a long and cryptic password string afterwards. Of course you can also +Afterwards, you have to specify your new credential set. You can leave the 'secret' field blank, +OpenStack will autogenerate a long and cryptic password string afterwards. Of course you can also provide your own secret. **Warning: The secret field is not hidden in the browser!**. Afterwards click on *Create Application Credential*: ![ac_screen2](img/bielefeld/ac_screen2.png) -In the new window, you can directly download a generated rc file. Make sure that you explicitly +In the new window, you can directly download a generated rc file. Make sure that you explicitly click on *Close* afterwards, otherwise the credential won't be saved: ![ac_screen3](img/bielefeld/ac_screen3.png) - After the credential has been downloaded to your favourite location, you can simply source the file with: 
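Review bot: in the Application Credentials part of the `@@ -100,55` hunk, `Luckily, there is a new feature since OpenStack Rocky` and `Prior to the new OpenStack release` are stale now that the page header in this same patch says the site runs Yoga; reword to `Since OpenStack Rocky, users can set their own local credentials via the dashboard` and either drop the history or keep it in the past tense. The touched sentence `since it does not need to hence OpenStack confirms` is missing a word (`since it does not need one; OpenStack confirms ...`), and `Afterwards the creation of a new Server Group` should be `After creating a new Server Group`. The warning `The secret field is not hidden in the browser!` is good; the same paragraph should add that the downloaded rc file contains the secret in plaintext and must be protected like a private key.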
@@ -161,28 +159,27 @@ Now you can use the openstack commandline tools. ### Note -Application credentials are currently not supported by all applications or development kits accessing the -Openstack API. In this case users have to contact the cloud site administrators in order for them to set +Application credentials are currently not supported by all applications or development kits accessing the +Openstack API. In this case users have to contact the cloud site administrators in order for them to set an explicit local password. - ## Instance Metadata Openstack presents configuration information to instances it starts via a mechanism called metadata. -This metadata can be accessed querying `http://169.254.169.254/`. Services like cloud-init make use +This metadata can be accessed querying `http://169.254.169.254/`. Services like cloud-init make use of this metadata to initialize and configure a started instance. Beside metadata information in AWS compatible format, Openstack additionally supports metadata in its own style. There are three different kind of metadata which can be accessed by the user. -| Typ | Description | -|-----|-----------------------------------------------------------------------------------------------| +| Typ | Description | +|--------------|-----------------------------------------------------------------------------------------------| | Compute data | Structured data containing information about network, hostname, public-key, ... | -| User data | The user has the ability to pass unstructured data like shell scripts, ... to the instance. | -| Vendor data | Optional the cloud provider can make vendor specific information (static or dynamic) availabe | +| User data | The user has the ability to pass unstructured data like shell scripts, ... to the instance. 
| +| Vendor data | Optional the cloud provider can make vendor specific information (static or dynamic) availabe | On request project specific information like all users with their elixir id/name and public-keys can be made -available. For example, this information can be used to build up a multi-user instance, giving all users of the +available. For example, this information can be used to build up a multi-user instance, giving all users of the project access. ``` @@ -203,8 +200,7 @@ project access. } ``` -**Important: This feature is not active as a default setting and will only be enabled on request.** - +**Important: This feature is not active as a default setting and will only be enabled on request.** ## (Information) Security 
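Review bot: the metadata table in the `@@ -161,28` hunk keeps `Typ` as a column header and `availabe` / `Optional the cloud provider` in the Vendor data row even though those lines are rewritten; use `Type`, `available` and `Optionally, the cloud provider`. The section also needs one sentence that the metadata service at `http://169.254.169.254/` answers any process on the instance without authentication, so user data passed as shell scripts must not contain secrets (passwords, tokens); that caveat belongs next to the `User data` row.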
@@ -217,19 +213,20 @@ Our cloud infrastructure and user virtual machines are clock synchronised using ### Information security incidents -If users become aware of a security incident or notice an abnormal behaviour of their instances (e.g. unexpected high CPU -load or high network traffic without actively running anything), they should immediately contact +If users become aware of a security incident or notice an abnormal behaviour of their instances (e.g. unexpected high +CPU +load or high network traffic without actively running anything), they should immediately contact the cloud administrators (os-service@cebitec.uni-bielefeld.de). The administrators will assist in isolating the affected instances from the public network and will (with the owner's consent) start a basic forensic analysis. -Depending on the analysis results a security incident report is written and the security incident -officer of Bielefeld university is informed. If any personal data is affected, the data security officer +Depending on the analysis results a security incident report is written and the security incident +officer of Bielefeld university is informed. If any personal data is affected, the data security officer is also consulted. ### Cryptography We use cryptographic methods to protect user data stored on our infrastructure: -- Client connections to our OpenStack Dashboard and Openstack API +- Client connections to our OpenStack Dashboard and Openstack API are encrypted using TLS - Local disks of instances are located on encrypted devices (LUKS) - Cloud storage is LUKS encrypted 
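Review bot: the rewrap of the incident paragraph leaves `CPU` alone on its own line (`unexpected high` / `CPU` / `load or high network traffic`); rejoin it so the sentence wraps at a phrase boundary. The rest of the hunk, including the Cryptography bullets, is whitespace-only and unchanged in content.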
@@ -249,15 +246,17 @@ If we detect an instance with a **HIGH** vulnerability: If we detect an instance with a **MEDIUM** vulnerability: -- The instance will continue to exist and connect to the internet as usually UNLESS this issue is not fixed in a specified time +- The instance will continue to exist and connect to the internet as usually UNLESS this issue is not fixed in a + specified time - For this, you will also be contacted by us with an attached report - These reports also give hints on how to fix the listed vulnerability - You can contact us if you need help in resolving a vulnerability - ## Current Known Problems -- Spawning large GPU instances can fail after 10~ minutes. These instance have special requirements for main-memory and spawning them can therefore cause timeouts. The solution is simply to try again or pick a flavor which requires less memory. If spawning GPU-instances fail repeatedly, please contact us. +- Spawning large GPU instances can fail after 10~ minutes. These instance have special requirements for main-memory and + spawning them can therefore cause timeouts. The solution is simply to try again or pick a flavor which requires less + memory. If spawning GPU-instances fail repeatedly, please contact us. If you notice any issues which are not part of this list, don't hesitate to contact us. 
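Review bot: `as usually UNLESS this issue is not fixed in a specified time` is a double negative that states the opposite of the policy; since the line is being rewrapped anyway, change it to `as usual, provided the issue is fixed within the specified time`. In the Known Problems bullet, `after 10~ minutes` should be `after ~10 minutes` and `These instance have` should be `These instances have`.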
@@ -277,18 +276,23 @@ to connect to an instance via an ssh client. If the client times out or throws an error like `Destination not reachable`: - Make sure that the instance is running and in an `ACTIVE` state. -- Make sure that the instance has a floating-ip attached to it. You can't ssh into an instance which only has a private ip. +- Make sure that the instance has a floating-ip attached to it. You can't ssh into an instance which only has a private + ip. - Check the SecurityGroups of your project and allow ingress port for SSH (Port 22). - - You can check this in the OpenStack-Dashboard: Project -> Network -> Security Groups. -- You are using a broken snapshot or image which is not able to configure its internal network configuration via `cloud-init`. + - You can check this in the OpenStack-Dashboard: Project -> Network -> Security Groups. +- You are using a broken snapshot or image which is not able to configure its internal network configuration + via `cloud-init`. - There may be network issues on our side. If you are receiving `Connection refused`: -- Network connectivity to your instance is given and the internal ssh-server is running, but the instance itself is not allowing your connection. +- Network connectivity to your instance is given and the internal ssh-server is running, but the instance itself is not + allowing your connection. -- You are using a wrong or too open SSH-Key. - - Make sure to use the correct private key-file and that the key on your local machine has correct permissions. Usually only the logged-in user should have access to it. The OpenSSH-Client won't try keys with too open permissions. +- You are using a wrong or too open SSH-Key. + - Make sure to use the correct private key-file and that the key on your local machine has correct permissions. + Usually only the logged-in user should have access to it. The OpenSSH-Client won't try keys with too open + permissions. - You are using the wrong remote user. 
- If you are using an ubuntu based image or snapshot, the remote user is `ubuntu`. For debian it is `debian`. @@ -297,13 +301,15 @@ If you are receiving `Connection refused`: - See [here](Bielefeld.md#my-instance-is-stuck-in-maintenance-mode-while-booting) on how to resolve this. - Something is misconfigured inside your instance. - - The public key in `/home/ubuntu/.ssh/authorized_keys` is missing. - - The permissions are broken or too open in `/home/ubuntu/` or `/home/ubuntu/.ssh/`. (Too open eg. with `chmod 777`). - - In these cases, you are completely locked out, and you won't be able to access your instance in some way again. In rare and urgent cases, we can manually repair this but for this we need your explicit consent to do so. - + - The public key in `/home/ubuntu/.ssh/authorized_keys` is missing. + - The permissions are broken or too open in `/home/ubuntu/` or `/home/ubuntu/.ssh/`. (Too open eg. + with `chmod 777`). + - In these cases, you are completely locked out, and you won't be able to access your instance in some way again. In + rare and urgent cases, we can manually repair this but for this we need your explicit consent to do so. + ### My instance is stuck in maintenance mode while booting. -When using a regular OpenStack-Project, you can check this by opening the VNC-Console of the instance. +When using a regular OpenStack-Project, you can check this by opening the VNC-Console of the instance. Click on your instance on the OpenStack-Dashboard and select `Console` in the tab-menu. ![](img/bielefeld/vncconsole.png) 
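Review bot: in the `@@ -277,18` hunk, `The OpenSSH-Client won't try keys with too open permissions` is the right diagnosis but the bullet never says what correct permissions are; add `chmod 600` for the private key file (and `700` for `~/.ssh`) so the reader can act on it. `floating-ip` and `ip` here should be `Floating IP`, matching the spelling the tutorial patch in this series standardises on, and `ubuntu based` should be `Ubuntu-based`.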
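Review bot: the rewrapped `Something is misconfigured` bullets in the `@@ -297,13` hunk hardcode `/home/ubuntu/...` although the bullet just above states the remote user is `debian` on Debian images; write the paths as `/home/<remote user>/.ssh/authorized_keys` and `/home/<remote user>/.ssh/`. The last `+` line of the hunk adds a line containing only whitespace; drop it. `you won't be able to access your instance in some way again` should read `in any way`.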
@@ -317,11 +323,13 @@ If the console is not receiving your keystroke, click on the bar beforehand whic You should then scan and repair all your filesystems. You can list all your connected filesystems with `lsblk`. Afterwards perform a check and repair all issues with (replace the last character with the disk of your choice): + ```shell sudo fsck.ext4 /dev/vd[a,b,c] ``` -If you are using a SimpleVM-Project, you are not able to access this console. Please contact the [Cloud-Helpdesk](https://cloud.denbi.de/portal/webapp/#/help). +If you are using a SimpleVM-Project, you are not able to access this console. Please contact +the [Cloud-Helpdesk](https://cloud.denbi.de/portal/webapp/#/help). ### I can't suspend or shelve my instance
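Review bot: `sudo fsck.ext4 /dev/vd[a,b,c]` is not safe to run as written: the shell expands the bracket expression to every existing `/dev/vda`, `/dev/vdb`, `/dev/vdc` (and treats the comma as just another character), so the command is handed several devices at once instead of the one the text asks the reader to choose, and it names whole disks rather than filesystems (on cloud images the root filesystem usually lives on a partition such as `/dev/vda1`; `lsblk`, which the hunk already mentions, shows which). Write it as `sudo fsck.ext4 /dev/vdXN` with `X` and `N` spelled out as placeholders, and add that the filesystem must be unmounted or mounted read-only (as it is in the maintenance shell) before checking, because running fsck on a mounted writable filesystem can corrupt it.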