From donny at cloudspin.me Thu Dec 18 11:06:14 2014 Content-Type: multipart/mixed; boundary="===============0493102271181504866==" MIME-Version: 1.0 From: Donny Davis To: users at ovirt.org Subject: [ovirt-users] IPv6 Functionality for WebSocket Proxy Date: Thu, 18 Dec 2014 09:06:07 -0700 Message-ID: <02ac01d01adc$89c68340$9d5389c0$@cloudspin.me> --===============0493102271181504866== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable This is a multipart message in MIME format. ------=3D_NextPart_000_02AD_01D01AA1.DD69F530 Content-Type: text/plain; charset=3D"us-ascii" Content-Transfer-Encoding: 7bit I just realized this morning that my noVNC connections were not working for IPv6 only on cloudspin.me For those who want to deploy dual stack functionality for ovirt-websocket-proxy here is a very simple and elegant fix. = = NGINX is a useful tool :) = You will need nginx to proxy the connection between your IPv6 customers, and the IPv4 listening only websocket proxy(however that can be changed in /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy .conf but you can't have your cake and eat it too. one or the other ipv4 or ipv6) Anyways, here is the fix = Install nginx on your websocket proxy server - Why Nginx, because I like it better than apache. The default config for Ovirt could be setup to do this with the web server that is already running :) just sayin For my configuration I am running the websocket proxy on a different host, but I imagine you could use this config in a full deployment and use websocket proxy on the engine host = server { server_name web.cloudspin.me; # this is the hostname that you told the engine that the websocket proxy would be listening on #listen 6100; #Commented because I am using this for ipv6 only, but you could use nginx to proxy both and only open one port in the firewall listen [::]:6100 ssl; #NOTE this needs to listen on the same port you told the engine the websocket proxy would be listening on = ssl_certificate /physical/path/to/ssl/cert; #I used the same cert that my websocket proxy is using ssl_certificate_key /physical/path/to/ssl/key; = ssl on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; = access_log /var/log/nginx/websocket.cloudspin.me-access.log; error_log /var/log/nginx/websocket.cloudspin.me-error.log; = location / { proxy_pass https://ip_address_of_websocket_proxy:6100; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; = } } = = Too easy to fix the many problems I have had getting websocket proxy to work. If you have a commerical cert and key, this would be a great place to put it, so your users don't have to bother with trusting your CA, it will just work = = Cheers and I hope this helps = If anyone needs any help getting this to work give me a shout = Donny D cloudspin.me = = = ------=3D_NextPart_000_02AD_01D01AA1.DD69F530 Content-Type: text/html; charset=3D"us-ascii" Content-Transfer-Encoding: quoted-printable

I just = =3D realized this morning that my noVNC connections were not working for =3D IPv6 only on cloudspin.me

For those = =3D who want to deploy dual stack functionality for ovirt-websocket-proxy =3D here is a very simple and elegant fix.

 

NGINX is a = =3D useful tool :)

 

You will = =3D need nginx to proxy the connection between your IPv6 customers, and the =3D IPv4 listening only websocket proxy(however that can be changed in =3D /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-pr= =3D oxy.conf but you can't have your cake and eat it too… one or the =3D other ipv4 or ipv6)

Anyways, here is = =3D the fix

 

Install nginx on your websocket proxy server - Why =3D Nginx, because I like it better than apache. The default config for =3D Ovirt could be setup to do this with the web server that is already =3D running :) just sayin

For my =3D configuration I am running the websocket proxy on a different host, but =3D I imagine you could use this config in a full deployment and use =3D websocket proxy on the engine host

 

server =3D {

        server_name =3D web.cloudspin.me; # this is the hostname that you told the engine that =3D the websocket proxy would be listening on

        #listen =3D 6100;           &n= =3D bsp; #Commented because I am using this for ipv6 only, but you could use = =3D nginx to proxy both and only open one port in the =3D firewall

        listen [::]:6100 =3D ssl;     #NOTE this needs to listen on the same port = =3D you told the engine the websocket proxy would be listening =3D on  

        ssl_certificate= =3D            =3D /physical/path/to/ssl/cert; #I used the same cert that my websocket =3D proxy is using

        =3D ssl_certificate_key       =3D /physical/path/to/ssl/key;

 

        ssl =3D on;

        =3D ssl_session_cache  builtin:1000  =3D shared:SSL:10m;

        ssl_protocols  = =3D TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers =3D HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;

   =3D      ssl_prefer_server_ciphers =3D on;

 

        access_log =3D /var/log/nginx/websocket.cloudspin.me-access.log;

        error_log =3D /var/log/nginx/websocket.cloudspin.me-error.log;

 

        location / =3D {

          &nb= =3D sp; proxy_pass =3D https://ip_address_of_websocket_proxy:6100;

          =3D proxy_http_version 1.1;

          =3D proxy_set_header Upgrade $http_upgrade;

          =3D proxy_set_header Connection "upgrade";

          &nb= =3D sp;   

        }

    }

 

 

Too easy to fix = =3D the many problems I have had getting websocket proxy to work. If you =3D have a commerical cert and key, this would be a great place to put it, =3D so your users don't have to bother with trusting your CA, it will just =3D work

 

Cheers and I =3D hope this helps

 

If anyone needs = =3D any help getting this to work give me a shout

 

Donny =3D D

cloudspin.me

 

 

 

------=3D_NextPart_000_02AD_01D01AA1.DD69F530-- --===============0493102271181504866== Content-Type: multipart/alternative MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="attachment.bin" VGhpcyBpcyBhIG11bHRpcGFydCBtZXNzYWdlIGluIE1JTUUgZm9ybWF0LgoKLS0tLS0tPV9OZXh0 UGFydF8wMDBfMDJBRF8wMUQwMUFBMS5ERDY5RjUzMApDb250ZW50LVR5cGU6IHRleHQvcGxhaW47 CgljaGFyc2V0PSJ1cy1hc2NpaSIKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdAoKSSBq dXN0IHJlYWxpemVkIHRoaXMgbW9ybmluZyB0aGF0IG15IG5vVk5DIGNvbm5lY3Rpb25zIHdlcmUg bm90IHdvcmtpbmcgZm9yCklQdjYgb25seSBvbiBjbG91ZHNwaW4ubWUKCkZvciB0aG9zZSB3aG8g d2FudCB0byBkZXBsb3kgZHVhbCBzdGFjayBmdW5jdGlvbmFsaXR5IGZvcgpvdmlydC13ZWJzb2Nr ZXQtcHJveHkgaGVyZSBpcyBhIHZlcnkgc2ltcGxlIGFuZCBlbGVnYW50IGZpeC4gCgogCgpOR0lO WCBpcyBhIHVzZWZ1bCB0b29sIDopCgogCgpZb3Ugd2lsbCBuZWVkIG5naW54IHRvIHByb3h5IHRo ZSBjb25uZWN0aW9uIGJldHdlZW4geW91ciBJUHY2IGN1c3RvbWVycywgYW5kCnRoZSBJUHY0IGxp c3RlbmluZyBvbmx5IHdlYnNvY2tldCBwcm94eShob3dldmVyIHRoYXQgY2FuIGJlIGNoYW5nZWQg aW4KL3Vzci9zaGFyZS9vdmlydC1lbmdpbmUvc2VydmljZXMvb3ZpcnQtd2Vic29ja2V0LXByb3h5 L292aXJ0LXdlYnNvY2tldC1wcm94eQouY29uZiBidXQgeW91IGNhbid0IGhhdmUgeW91ciBjYWtl IGFuZCBlYXQgaXQgdG9vLiBvbmUgb3IgdGhlIG90aGVyIGlwdjQgb3IKaXB2NikKCkFueXdheXMs IGhlcmUgaXMgdGhlIGZpeAoKIAoKSW5zdGFsbCBuZ2lueCBvbiB5b3VyIHdlYnNvY2tldCBwcm94 eSBzZXJ2ZXIgLSBXaHkgTmdpbngsIGJlY2F1c2UgSSBsaWtlIGl0CmJldHRlciB0aGFuIGFwYWNo ZS4gVGhlIGRlZmF1bHQgY29uZmlnIGZvciBPdmlydCBjb3VsZCBiZSBzZXR1cCB0byBkbyB0aGlz CndpdGggdGhlIHdlYiBzZXJ2ZXIgdGhhdCBpcyBhbHJlYWR5IHJ1bm5pbmcgOikganVzdCBzYXlp bgoKRm9yIG15IGNvbmZpZ3VyYXRpb24gSSBhbSBydW5uaW5nIHRoZSB3ZWJzb2NrZXQgcHJveHkg b24gYSBkaWZmZXJlbnQgaG9zdCwKYnV0IEkgaW1hZ2luZSB5b3UgY291bGQgdXNlIHRoaXMgY29u ZmlnIGluIGEgZnVsbCBkZXBsb3ltZW50IGFuZCB1c2UKd2Vic29ja2V0IHByb3h5IG9uIHRoZSBl bmdpbmUgaG9zdAoKIAoKc2VydmVyIHsKCiAgICAgICAgc2VydmVyX25hbWUgd2ViLmNsb3Vkc3Bp bi5tZTsgIyB0aGlzIGlzIHRoZSBob3N0bmFtZSB0aGF0IHlvdSB0b2xkCnRoZSBlbmdpbmUgdGhh dCB0aGUgd2Vic29ja2V0IHByb3h5IHdvdWxkIGJlIGxpc3RlbmluZyBvbgoKICAgICAgICAjbGlz dGVuIDYxMDA7ICAgICAgICAgICAgICNDb21tZW50ZWQgYmVjYXVzZSBJIGFtIHVzaW5nIHRoaXMg Zm9yCmlwdjYgb25seSwgYnV0IHlvdSBjb3VsZCB1c2UgbmdpbnggdG8gcHJveHkgYm90aCBhbmQg b25seSBvcGVuIG9uZSBwb3J0IGluCnRoZSBmaXJld2FsbAoKICAgICAgICBsaXN0ZW4gWzo6XTo2 MTAwIHNzbDsgICAgICNOT1RFIHRoaXMgbmVlZHMgdG8gbGlzdGVuIG9uIHRoZSBzYW1lCnBvcnQg eW91IHRvbGQgdGhlIGVuZ2luZSB0aGUgd2Vic29ja2V0IHByb3h5IHdvdWxkIGJlIGxpc3Rlbmlu ZyBvbiAgIAoKICAgICAgICBzc2xfY2VydGlmaWNhdGUgICAgICAgICAgIC9waHlzaWNhbC9wYXRo L3RvL3NzbC9jZXJ0OyAjSSB1c2VkIHRoZQpzYW1lIGNlcnQgdGhhdCBteSB3ZWJzb2NrZXQgcHJv eHkgaXMgdXNpbmcKCiAgICAgICAgc3NsX2NlcnRpZmljYXRlX2tleSAgICAgICAvcGh5c2ljYWwv cGF0aC90by9zc2wva2V5OwoKIAoKICAgICAgICBzc2wgb247CgogICAgICAgIHNzbF9zZXNzaW9u X2NhY2hlICBidWlsdGluOjEwMDAgIHNoYXJlZDpTU0w6MTBtOwoKICAgICAgICBzc2xfcHJvdG9j b2xzICBUTFN2MSBUTFN2MS4xIFRMU3YxLjI7CgogICAgICAgIHNzbF9jaXBoZXJzCkhJR0g6IWFO VUxMOiFlTlVMTDohRVhQT1JUOiFDQU1FTExJQTohREVTOiFNRDU6IVBTSzohUkM0OwoKICAgICAg ICBzc2xfcHJlZmVyX3NlcnZlcl9jaXBoZXJzIG9uOwoKIAoKICAgICAgICBhY2Nlc3NfbG9nIC92 YXIvbG9nL25naW54L3dlYnNvY2tldC5jbG91ZHNwaW4ubWUtYWNjZXNzLmxvZzsKCiAgICAgICAg ZXJyb3JfbG9nIC92YXIvbG9nL25naW54L3dlYnNvY2tldC5jbG91ZHNwaW4ubWUtZXJyb3IubG9n OwoKIAoKICAgICAgICBsb2NhdGlvbiAvIHsKCiAgICAgICAgICAgIHByb3h5X3Bhc3MgaHR0cHM6 Ly9pcF9hZGRyZXNzX29mX3dlYnNvY2tldF9wcm94eTo2MTAwOwoKICAgICAgICAgIHByb3h5X2h0 dHBfdmVyc2lvbiAxLjE7CgogICAgICAgICAgcHJveHlfc2V0X2hlYWRlciBVcGdyYWRlICRodHRw X3VwZ3JhZGU7CgogICAgICAgICAgcHJveHlfc2V0X2hlYWRlciBDb25uZWN0aW9uICJ1cGdyYWRl IjsKCiAgICAgICAgICAgICAgIAoKICAgICAgICB9CgogICAgfQoKIAoKIAoKVG9vIGVhc3kgdG8g Zml4IHRoZSBtYW55IHByb2JsZW1zIEkgaGF2ZSBoYWQgZ2V0dGluZyB3ZWJzb2NrZXQgcHJveHkg dG8Kd29yay4gSWYgeW91IGhhdmUgYSBjb21tZXJpY2FsIGNlcnQgYW5kIGtleSwgdGhpcyB3b3Vs ZCBiZSBhIGdyZWF0IHBsYWNlIHRvCnB1dCBpdCwgc28geW91ciB1c2VycyBkb24ndCBoYXZlIHRv IGJvdGhlciB3aXRoIHRydXN0aW5nIHlvdXIgQ0EsIGl0IHdpbGwKanVzdCB3b3JrIAoKIAoKQ2hl ZXJzIGFuZCBJIGhvcGUgdGhpcyBoZWxwcwoKIAoKSWYgYW55b25lIG5lZWRzIGFueSBoZWxwIGdl dHRpbmcgdGhpcyB0byB3b3JrIGdpdmUgbWUgYSBzaG91dAoKIAoKRG9ubnkgRAoKY2xvdWRzcGlu Lm1lCgogCgogCgogCgoKLS0tLS0tPV9OZXh0UGFydF8wMDBfMDJBRF8wMUQwMUFBMS5ERDY5RjUz MApDb250ZW50LVR5cGU6IHRleHQvaHRtbDsKCWNoYXJzZXQ9InVzLWFzY2lpIgpDb250ZW50LVRy YW5zZmVyLUVuY29kaW5nOiBxdW90ZWQtcHJpbnRhYmxlCgo8aHRtbCB4bWxuczp2PTNEInVybjpz Y2hlbWFzLW1pY3Jvc29mdC1jb206dm1sIiA9CnhtbG5zOm89M0QidXJuOnNjaGVtYXMtbWljcm9z b2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiA9CnhtbG5zOnc9M0QidXJuOnNjaGVtYXMtbWljcm9zb2Z0 LWNvbTpvZmZpY2U6d29yZCIgPQp4bWxuczptPTNEImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5j b20vb2ZmaWNlLzIwMDQvMTIvb21tbCIgPQp4bWxucz0zRCJodHRwOi8vd3d3LnczLm9yZy9UUi9S RUMtaHRtbDQwIj48aGVhZD48bWV0YSA9Cmh0dHAtZXF1aXY9M0RDb250ZW50LVR5cGUgY29udGVu dD0zRCJ0ZXh0L2h0bWw7ID0KY2hhcnNldD0zRHVzLWFzY2lpIj48bWV0YSBuYW1lPTNER2VuZXJh dG9yIGNvbnRlbnQ9M0QiTWljcm9zb2Z0IFdvcmQgMTQgPQooZmlsdGVyZWQgbWVkaXVtKSI+PHN0 eWxlPjwhLS0KLyogRm9udCBEZWZpbml0aW9ucyAqLwpAZm9udC1mYWNlCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsKCXBhbm9zZS0xOjIgMTUgNSAyIDIgMiA0IDMgMiA0O30KQGZvbnQtZmFjZQoJe2Zv bnQtZmFtaWx5OiJMdWNpZGEgQ29uc29sZSI7CglwYW5vc2UtMToyIDExIDYgOSA0IDUgNCAyIDIg NDt9Ci8qIFN0eWxlIERlZmluaXRpb25zICovCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRp di5Nc29Ob3JtYWwKCXttYXJnaW46MGluOwoJbWFyZ2luLWJvdHRvbTouMDAwMXB0OwoJZm9udC1z aXplOjExLjBwdDsKCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7fQphOmxpbmss IHNwYW4uTXNvSHlwZXJsaW5rCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5OwoJY29sb3I6Ymx1ZTsK CXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQphOnZpc2l0ZWQsIHNwYW4uTXNvSHlwZXJsaW5r Rm9sbG93ZWQKCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7Cgljb2xvcjpwdXJwbGU7Cgl0ZXh0LWRl Y29yYXRpb246dW5kZXJsaW5lO30Kc3Bhbi5FbWFpbFN0eWxlMTcKCXttc28tc3R5bGUtdHlwZTpw ZXJzb25hbC1jb21wb3NlOwoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjsKCWNv bG9yOndpbmRvd3RleHQ7fQouTXNvQ2hwRGVmYXVsdAoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1v bmx5OwoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjt9CkBwYWdlIFdvcmRTZWN0 aW9uMQoJe3NpemU6OC41aW4gMTEuMGluOwoJbWFyZ2luOjEuMGluIDEuMGluIDEuMGluIDEuMGlu O30KZGl2LldvcmRTZWN0aW9uMQoJe3BhZ2U6V29yZFNlY3Rpb24xO30KLS0+PC9zdHlsZT48IS0t W2lmIGd0ZSBtc28gOV0+PHhtbD4KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0zRCJlZGl0IiBzcGlk bWF4PTNEIjEwMjYiIC8+CjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1s Pgo8bzpzaGFwZWxheW91dCB2OmV4dD0zRCJlZGl0Ij4KPG86aWRtYXAgdjpleHQ9M0QiZWRpdCIg ZGF0YT0zRCIxIiAvPgo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+PC9oZWFkPjxi b2R5IGxhbmc9M0RFTi1VUyBsaW5rPTNEYmx1ZSA9CnZsaW5rPTNEcHVycGxlPjxkaXYgY2xhc3M9 M0RXb3JkU2VjdGlvbjE+PHAgY2xhc3M9M0RNc29Ob3JtYWw+SSBqdXN0ID0KcmVhbGl6ZWQgdGhp cyBtb3JuaW5nIHRoYXQgbXkgbm9WTkMgY29ubmVjdGlvbnMgd2VyZSBub3Qgd29ya2luZyBmb3Ig PQpJUHY2IG9ubHkgb24gY2xvdWRzcGluLm1lPG86cD48L286cD48L3A+PHAgY2xhc3M9M0RNc29O b3JtYWw+Rm9yIHRob3NlID0Kd2hvIHdhbnQgdG8gZGVwbG95IGR1YWwgc3RhY2sgZnVuY3Rpb25h bGl0eSBmb3Igb3ZpcnQtd2Vic29ja2V0LXByb3h5ID0KaGVyZSBpcyBhIHZlcnkgc2ltcGxlIGFu ZCBlbGVnYW50IGZpeC4gPG86cD48L286cD48L3A+PHAgPQpjbGFzcz0zRE1zb05vcm1hbD48bzpw PiZuYnNwOzwvbzpwPjwvcD48cCBjbGFzcz0zRE1zb05vcm1hbD5OR0lOWCBpcyBhID0KdXNlZnVs IHRvb2wgOik8bzpwPjwvbzpwPjwvcD48cCA9CmNsYXNzPTNETXNvTm9ybWFsPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPjxwIGNsYXNzPTNETXNvTm9ybWFsPllvdSB3aWxsID0KbmVlZCBuZ2lueCB0byBw cm94eSB0aGUgY29ubmVjdGlvbiBiZXR3ZWVuIHlvdXIgSVB2NiBjdXN0b21lcnMsIGFuZCB0aGUg PQpJUHY0IGxpc3RlbmluZyBvbmx5IHdlYnNvY2tldCBwcm94eShob3dldmVyIHRoYXQgY2FuIGJl IGNoYW5nZWQgaW4gPQovdXNyL3NoYXJlL292aXJ0LWVuZ2luZS9zZXJ2aWNlcy9vdmlydC13ZWJz b2NrZXQtcHJveHkvb3ZpcnQtd2Vic29ja2V0LXByPQpveHkuY29uZiBidXQgeW91IGNhbid0IGhh dmUgeW91ciBjYWtlIGFuZCBlYXQgaXQgdG9vJiM4MjMwOyBvbmUgb3IgdGhlID0Kb3RoZXIgaXB2 NCBvciBpcHY2KTxvOnA+PC9vOnA+PC9wPjxwIGNsYXNzPTNETXNvTm9ybWFsPkFueXdheXMsIGhl cmUgaXMgPQp0aGUgZml4PG86cD48L286cD48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWw+PG86cD4m bmJzcDs8L286cD48L3A+PHAgPQpjbGFzcz0zRE1zb05vcm1hbD5JbnN0YWxsIG5naW54IG9uIHlv dXIgd2Vic29ja2V0IHByb3h5IHNlcnZlciAtIFdoeSA9Ck5naW54LCBiZWNhdXNlIEkgbGlrZSBp dCBiZXR0ZXIgdGhhbiBhcGFjaGUuIFRoZSBkZWZhdWx0IGNvbmZpZyBmb3IgPQpPdmlydCBjb3Vs ZCBiZSBzZXR1cCB0byBkbyB0aGlzIHdpdGggdGhlIHdlYiBzZXJ2ZXIgdGhhdCBpcyBhbHJlYWR5 ID0KcnVubmluZyA6KSBqdXN0IHNheWluPG86cD48L286cD48L3A+PHAgY2xhc3M9M0RNc29Ob3Jt YWw+Rm9yIG15ID0KY29uZmlndXJhdGlvbiBJIGFtIHJ1bm5pbmcgdGhlIHdlYnNvY2tldCBwcm94 eSBvbiBhIGRpZmZlcmVudCBob3N0LCBidXQgPQpJIGltYWdpbmUgeW91IGNvdWxkIHVzZSB0aGlz IGNvbmZpZyBpbiBhIGZ1bGwgZGVwbG95bWVudCBhbmQgdXNlID0Kd2Vic29ja2V0IHByb3h5IG9u IHRoZSBlbmdpbmUgaG9zdDxvOnA+PC9vOnA+PC9wPjxwID0KY2xhc3M9M0RNc29Ob3JtYWw+PG86 cD4mbmJzcDs8L286cD48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1 dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6Ikx1Y2lkYSBDb25zb2xlIic+c2VydmVyID0KezxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBj bGFzcz0zRE1zb05vcm1hbCA9CnN0eWxlPTNEJ3RleHQtYXV0b3NwYWNlOm5vbmUnPjxzcGFuID0K c3R5bGU9M0QnZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiTHVjaWRhID0KQ29uc29sZSIn PiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBzZXJ2ZXJfbmFtZSA9 CndlYi5jbG91ZHNwaW4ubWU7ICMgdGhpcyBpcyB0aGUgaG9zdG5hbWUgdGhhdCB5b3UgdG9sZCB0 aGUgZW5naW5lIHRoYXQgPQp0aGUgd2Vic29ja2V0IHByb3h5IHdvdWxkIGJlIGxpc3RlbmluZyBv bjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCA9CmNsYXNzPTNETXNvTm9ybWFsIHN0eWxlPTNEJ3Rl eHQtYXV0b3NwYWNlOm5vbmUnPjxzcGFuID0Kc3R5bGU9M0QnZm9udC1zaXplOjEwLjBwdDtmb250 LWZhbWlseToiTHVjaWRhID0KQ29uc29sZSInPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyAjbGlzdGVuID0KNjEwMDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbj0KYnNwOyAjQ29tbWVudGVk IGJlY2F1c2UgSSBhbSB1c2luZyB0aGlzIGZvciBpcHY2IG9ubHksIGJ1dCB5b3UgY291bGQgdXNl ID0KbmdpbnggdG8gcHJveHkgYm90aCBhbmQgb25seSBvcGVuIG9uZSBwb3J0IGluIHRoZSA9CmZp cmV3YWxsPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPTNETXNvTm9ybWFsID0Kc3R5bGU9 M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpzdHlsZT0zRCdmb250LXNpemU6MTAuMHB0 O2ZvbnQtZmFtaWx5OiJMdWNpZGEgPQpDb25zb2xlIic+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7IGxpc3RlbiBbOjpdOjYxMDAgPQpzc2w7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7ICNOT1RFIHRoaXMgbmVlZHMgdG8gbGlzdGVuIG9uIHRoZSBzYW1lIHBvcnQgPQp5 b3UgdG9sZCB0aGUgZW5naW5lIHRoZSB3ZWJzb2NrZXQgcHJveHkgd291bGQgYmUgbGlzdGVuaW5n ID0Kb24mbmJzcDsmbmJzcDsgPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPTNETXNvTm9y bWFsID0Kc3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpzdHlsZT0zRCdmb250 LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEgPQpDb25zb2xlIic+Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7c3NsX2NlcnRpZmljYXRlPQombmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsg PQovcGh5c2ljYWwvcGF0aC90by9zc2wvY2VydDsgI0kgdXNlZCB0aGUgc2FtZSBjZXJ0IHRoYXQg bXkgd2Vic29ja2V0ID0KcHJveHkgaXMgdXNpbmc8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xh c3M9M0RNc29Ob3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9CnN0 eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNvbnNvbGUiJz4m bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgPQpzc2xfY2VydGlmaWNh dGVfa2V5Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ID0KL3BoeXNpY2FsL3Bh dGgvdG8vc3NsL2tleTs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwg PQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNvbnNvbGUiJz48bzpwPiZuYnNwOzwvbzpw Pjwvc3Bhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFj ZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1 Y2lkYSA9CkNvbnNvbGUiJz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsgc3NsID0Kb247PG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPTNETXNvTm9ybWFsID0K c3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpzdHlsZT0zRCdmb250LXNpemU6 MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEgPQpDb25zb2xlIic+Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ID0Kc3NsX3Nlc3Npb25fY2FjaGUmbmJzcDsgYnVpbHRp bjoxMDAwJm5ic3A7ID0Kc2hhcmVkOlNTTDoxMG07PG86cD48L286cD48L3NwYW4+PC9wPjxwIGNs YXNzPTNETXNvTm9ybWFsID0Kc3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpz dHlsZT0zRCdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEgPQpDb25zb2xlIic+ Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHNzbF9wcm90b2NvbHMm bmJzcDsgPQpUTFN2MSBUTFN2MS4xIFRMU3YxLjI7PG86cD48L286cD48L3NwYW4+PC9wPjxwIGNs YXNzPTNETXNvTm9ybWFsID0Kc3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpz dHlsZT0zRCdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEgPQpDb25zb2xlIic+ Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHNzbF9jaXBoZXJzID0K SElHSDohYU5VTEw6IWVOVUxMOiFFWFBPUlQ6IUNBTUVMTElBOiFERVM6IU1ENTohUFNLOiFSQzQ7 PG86cD48L286cD48L3NwYT0Kbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgc3R5bGU9M0QndGV4 dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpzdHlsZT0zRCdmb250LXNpemU6MTAuMHB0O2ZvbnQt ZmFtaWx5OiJMdWNpZGEgQ29uc29sZSInPiZuYnNwOyZuYnNwOyA9CiZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwO3NzbF9wcmVmZXJfc2VydmVyX2NpcGhlcnMgPQpvbjs8bzpwPjwvbzpwPjwv c3Bhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpu b25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lk YSA9CkNvbnNvbGUiJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9M0RNc29O b3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2Zv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNvbnNvbGUiJz4mbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgYWNjZXNzX2xvZyA9Ci92YXIvbG9nL25n aW54L3dlYnNvY2tldC5jbG91ZHNwaW4ubWUtYWNjZXNzLmxvZzs8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+PHA9CiBjbGFzcz0zRE1zb05vcm1hbCBzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48 c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNv bnNvbGUiJz4mbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7Jm5ic3A7Jm5ic3A7IGVycm9yX2xvZyA9 Ci92YXIvbG9nL25naW54L3dlYnNvY2tldC5jbG91ZHNwaW4ubWUtZXJyb3IubG9nOzxvOnA+PC9v OnA+PC9zcGFuPjwvcD48cCA9CmNsYXNzPTNETXNvTm9ybWFsIHN0eWxlPTNEJ3RleHQtYXV0b3Nw YWNlOm5vbmUnPjxzcGFuID0Kc3R5bGU9M0QnZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToi THVjaWRhID0KQ29uc29sZSInPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz0z RE1zb05vcm1hbCA9CnN0eWxlPTNEJ3RleHQtYXV0b3NwYWNlOm5vbmUnPjxzcGFuID0Kc3R5bGU9 M0QnZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiTHVjaWRhID0KQ29uc29sZSInPiZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBsb2NhdGlvbiAvID0KezxvOnA+ PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz0zRE1zb05vcm1hbCA9CnN0eWxlPTNEJ3RleHQtYXV0 b3NwYWNlOm5vbmUnPjxzcGFuID0Kc3R5bGU9M0QnZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWls eToiTHVjaWRhID0KQ29uc29sZSInPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYj0Kc3A7IHByb3h5X3Bhc3MgPQpodHRwczovL2lw X2FkZHJlc3Nfb2Zfd2Vic29ja2V0X3Byb3h5OjYxMDA7PG86cD48L286cD48L3NwYW4+PC9wPjxw ID0KY2xhc3M9M0RNc29Ob3JtYWwgc3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4g PQpzdHlsZT0zRCdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEgPQpDb25zb2xl Iic+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 ID0KcHJveHlfaHR0cF92ZXJzaW9uIDEuMTs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9 M0RNc29Ob3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxl PTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNvbnNvbGUiJz4mbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgPQpwcm94 eV9zZXRfaGVhZGVyIFVwZ3JhZGUgJGh0dHBfdXBncmFkZTs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ PHAgPQpjbGFzcz0zRE1zb05vcm1hbCBzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3Bh biA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNvbnNv bGUiJz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsgPQpwcm94eV9zZXRfaGVhZGVyIENvbm5lY3Rpb24gJnF1b3Q7dXBncmFkZSZxdW90Ozs8bzpw PjwvbzpwPjwvc3Bhbj48L3A+PHAgPQpjbGFzcz0zRE1zb05vcm1hbCBzdHlsZT0zRCd0ZXh0LWF1 dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6Ikx1Y2lkYSA9CkNvbnNvbGUiJz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmI9CnNwOyZuYnNwOyZuYnNwOyZuYnNwOyA8bzpw PjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1 dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6Ikx1Y2lkYSA9CkNvbnNvbGUiJz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDt9PG86cD48L286cD48L3M9CnBhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3Jt YWwgc3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpzdHlsZT0zRCdmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEgPQpDb25zb2xlIic+Jm5ic3A7Jm5ic3A7Jm5i c3A7IH08bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgPQpzdHlsZT0z RCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7 Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNvbnNvbGUiJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgPQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48 c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNv bnNvbGUiJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwg PQpzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSBDb25zb2xlIic+VG9vIGVhc3kgdG8gZml4ID0K dGhlIG1hbnkgcHJvYmxlbXMgSSBoYXZlIGhhZCBnZXR0aW5nIHdlYnNvY2tldCBwcm94eSB0byB3 b3JrLiBJZiB5b3UgPQpoYXZlIGEgY29tbWVyaWNhbCBjZXJ0IGFuZCBrZXksIHRoaXMgd291bGQg YmUgYSBncmVhdCBwbGFjZSB0byBwdXQgaXQsID0Kc28geW91ciB1c2VycyBkb24ndCBoYXZlIHRv IGJvdGhlciB3aXRoIHRydXN0aW5nIHlvdXIgQ0EsIGl0IHdpbGwganVzdCA9CndvcmsgPG86cD48 L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPTNETXNvTm9ybWFsID0Kc3R5bGU9M0QndGV4dC1hdXRv c3BhY2U6bm9uZSc+PHNwYW4gPQpzdHlsZT0zRCdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5 OiJMdWNpZGEgPQpDb25zb2xlIic+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNz PTNETXNvTm9ybWFsID0Kc3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9uZSc+PHNwYW4gPQpzdHls ZT0zRCdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEgQ29uc29sZSInPkNoZWVy cyBhbmQgSSA9CmhvcGUgdGhpcyBoZWxwczxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz0z RE1zb05vcm1hbCA9CnN0eWxlPTNEJ3RleHQtYXV0b3NwYWNlOm5vbmUnPjxzcGFuID0Kc3R5bGU9 M0QnZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiTHVjaWRhID0KQ29uc29sZSInPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz0zRE1zb05vcm1hbCA9CnN0eWxlPTNEJ3Rl eHQtYXV0b3NwYWNlOm5vbmUnPjxzcGFuID0Kc3R5bGU9M0QnZm9udC1zaXplOjEwLjBwdDtmb250 LWZhbWlseToiTHVjaWRhIENvbnNvbGUiJz5JZiBhbnlvbmUgbmVlZHMgPQphbnkgaGVscCBnZXR0 aW5nIHRoaXMgdG8gd29yayBnaXZlIG1lIGEgc2hvdXQ8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAg PQpjbGFzcz0zRE1zb05vcm1hbCBzdHlsZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9 CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSA9CkNvbnNvbGUi Jz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9M0RNc29Ob3JtYWwgPQpzdHls ZT0zRCd0ZXh0LWF1dG9zcGFjZTpub25lJz48c3BhbiA9CnN0eWxlPTNEJ2ZvbnQtc2l6ZToxMC4w cHQ7Zm9udC1mYW1pbHk6Ikx1Y2lkYSBDb25zb2xlIic+RG9ubnkgPQpEPG86cD48L286cD48L3Nw YW4+PC9wPjxwIGNsYXNzPTNETXNvTm9ybWFsID0Kc3R5bGU9M0QndGV4dC1hdXRvc3BhY2U6bm9u ZSc+PHNwYW4gPQpzdHlsZT0zRCdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJMdWNpZGEg PQpDb25zb2xlIic+Y2xvdWRzcGluLm1lPG86cD48L286cD48L3NwYW4+PC9wPjxwID0KY2xhc3M9 M0RNc29Ob3JtYWw+PG86cD4mbmJzcDs8L286cD48L3A+PHAgPQpjbGFzcz0zRE1zb05vcm1hbD48 bzpwPiZuYnNwOzwvbzpwPjwvcD48cCA9CmNsYXNzPTNETXNvTm9ybWFsPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPjwvZGl2PjwvYm9keT48L2h0bWw+Ci0tLS0tLT1fTmV4dFBhcnRfMDAwXzAyQURfMDFE MDFBQTEuREQ2OUY1MzAtLQoK --===============0493102271181504866==--