terrywang · July 28, 2022 23:29
diff --git a/nginx.conf b/nginx.conf
 # User and group used by worker processes
 # ubuntu
 # user www-data;
 # fedora
 user nginx;

 # Ideally # of worker processes = # of CPUs or cores
 # Set to auto to autodetect
 # max_clients = worker_processes * worker_connections
 worker_processes auto;

 pid /run/nginx.pid;

 # Maximum number of open file descriptors per process
 # should be > worker_connections
 worker_rlimit_nofile 10240;

 events {
    # Use epoll on Linux 2.6+
    use epoll;
    # Max number of simultaneous connections per worker process
    worker_connections 2048;
    # Accept all new connections at one time
    multi_accept on;
 }

 http {

    ##
    # Basic Settings
    ##

    # Hide nginx version information
    server_tokens off;

    # Speed up file transfers by using sendfile() to copy directly
    # between descriptors rather than using read()/write()
    sendfile on;

    # Tell Nginx not to send out partial frames; this increases throughput
    # since TCP frames are filled up before being sent out (adds TCP_CORK)
    # Send the response header and the beginning of a file in one packet
    # Send a file in full packets
    tcp_nopush on;

    # Tell Nginx to enable the Nagle buffering algorithm for TCP packets
    # which collates several smaller packets together into one larger packet
    # thus saving bandwidth at the cost of a nearly imperceptible increase to latency
    tcp_nodelay off;
    
    send_timeout 30;

    # How long to allow each connection to stay idle;
    # Longer values are better for each individual client, especially SSL
    # But means that worker connections are tied up longer.75
    keepalive_timeout 60;

    keepalive_requests 200;
    # client_header_timeout 20;
    # client_body_timeout 20;
    reset_timedout_connection on;
    
    types_hash_max_size 2048;

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    # default_type application/octet-stream;
    default_type text/html;
    charset UTF-8;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    # Enable Gzip compression
    gzip on;

    # This should be turned on if pre-compressed copies (.gz) of static files exist
    # If NOT it should be left off as it will cause extra I/O
    # default: off
    # gzip_static on;

    # Do NOT compress anything smaller than 256 bytes
    gzip_min_length 256;

    # Fuck IE6
    gzip_disable "msie6";

    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    # Avoids the issue where a non-gzip capable client (rare)
    # would display gibberish if their proxy gave them the gzipped version.
    # gzip_vary on;

    # Compress data even for clients that are connecting via proxies
    # Identified by the "Via" header
    gzip_proxied any;

    # Compression level (1-9)
    # 5 is the perfect compromise between size and CPU usage
    gzip_comp_level 5;
    
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types
        text/plain
        text/css
        application/json
        application/x-javascript
        text/xml
        application/xml
        application/xml+rss
        text/javascript;


    # Cache open file descriptors, their sizes and mtime
    # information on existence of directories
    # file lookup error such as "file not found", "no read permission" and so on
    #
    # Pros: nginx can immediately begin sending data when a popular file is requested
    # and will also immediately send a 404 if a file doesn't exist, and so on
    #
    # Cons: The server will NOT react immediately to changes on file system
    # which may be undesirable
    #
    # Config: inactive files are released from the cache after 20 seconds
    # whereas active (recently requested) files are re-validated every 30 seconds
    # File descriptors will NOT be cached unless they are used at least twice in 20s (inactive)
    #
    # A maximum of the 1000 most recently used file descriptors will be cached at any time
    #
    # Production servers with stable file collections will definitely want to enable the cache
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid    30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
 }


 #mail {
 #   # See sample authentication script at:
 #   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
 # 
 #   # auth_http localhost/auth.php;
 #   # pop3_capabilities "TOP" "USER";
 #   # imap_capabilities "IMAP4rev1" "UIDPLUS";
 # 
 #   server {
 #       listen     localhost:110;
 #       protocol   pop3;
 #       proxy      on;
 #   }
 # 
 #   server {
 #       listen     localhost:143;
 #       protocol   imap;
 #       proxy      on;
 #   }
 #}
diff --git a/terry.im.conf b/terry.im.conf
 upstream php {
    # ubuntu
    # server unix:/run/php/php8.1-fpm.sock;
    # fedora
    server unix:/run/php-fpm/www.sock;
 }

 server {
    listen 80;
    # listen [::]:80 default ipv6only=on;
    server_name terry.im www.terry.im;

    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response
    location / {
        return 301 https://$host$request_uri;
    }
 }

 server {
    # listen 443 ssl;
    listen 443 ssl http2;

    server_name terry.im www.terry.im;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/.lego/certificates/terry.im.crt;
    ssl_certificate_key /path/to/lego/.lego/certificates/terry.im.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m; # 10m about 40k sessions
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    # openssl dhparam -out /path/to/dhparams_4096.pem 4096
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

    # modern configuration, tweak to your needs
    # ssl_protocols TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.3;
    # ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    # ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
    ssl_prefer_server_ciphers on;

    # intermediate configuration, tweak to your needs
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
    add_header Strict-Transport-Security "max-age=63072000; always;";

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/lego/.lego/certificates/terry.im.crt;

    # resolver <IP DNS resolver> valid=300s;
    # resolver_timeout 5s;
    resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;
    resolver_timeout 5s;

    root /var/www/terry.im;
    index index.php index.html index.htm;

    # rewrite ^(.*)$ $scheme://www.terry.im$1;

    access_log /var/log/nginx/terry.im-access.log;
    error_log /var/log/nginx/terry.im-error.log;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.html;
    }

    # skillmatrix rewrite rules
    location /skillmatrix {
        rewrite ^/(.*)$ https://sites.google.com/site/imterry/$1 permanent;
        #rewrite ^/.*$ https://sites.google.com/site/imterry/$1 permanent;
        #rewrite ^(/.*)$ https://sites.google.com/site/imterry/$1 permanent;
        access_log /var/log/nginx/skillmatrix-access.log;
        error_log /var/log/nginx/skillmatrix-error.log notice;
        rewrite_log on;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_index index.php;
        # include fastcgi_params;
        # nginx 1.6.1 upstream change - use fastcgi.conf
        include fastcgi.conf;
        # fastcgi_pass unix:/var/run/php-fpm.sock;
        # Use upstream
        fastcgi_pass php;

        # proxy_set_header X-Real-IP  $remote_addr;
        # proxy_set_header X-Forwarded-For $remote_addr;
        # proxy_set_header Host $host;
        # proxy_pass http://127.0.0.1:8080;
        # proxy_redirect off;
    }
    
    # tweetnest rewrite rules
    location ~ /tweetnest {
        satisfy all;
        # deny cidr
        allow 192.168.1.0/24;
        deny all;
        
        # basic authentication
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        rewrite ^/tweetnest/sort/?$ /tweetnest/sort.php last;
        rewrite ^/tweetnest/favorites/?$ /tweetnest/favorites.php last;
        rewrite ^/tweetnest/search/?$ /tweetnest/search.php last;
        rewrite ^/tweetnest/([0-9]+)/([0-9]+)/?$ /tweetnest/month.php?y=$1&m=$2;
        rewrite ^/tweetnest/([0-9]+)/([0-9]+)/([0-9]+)/?$ /tweetnest/day.php?y=$1&m=$2&d=$3;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ^~ /.well-known/ {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
        deny all;
    }

    # Browser cache
    location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm)$ {
        expires 30d;
        log_not_found off;
    }

 }
	# User and group used by worker processes
	# ubuntu
	# user www-data;
	# fedora
	user nginx;

	# Ideally # of worker processes = # of CPUs or cores
	# Set to auto to autodetect
	# max_clients = worker_processes * worker_connections
	worker_processes auto;

	pid /run/nginx.pid;

	# Maximum number of open file descriptors per process
	# should be > worker_connections
	worker_rlimit_nofile 10240;

	events {
	# Use epoll on Linux 2.6+
	use epoll;
	# Max number of simultaneous connections per worker process
	worker_connections 2048;
	# Accept all new connections at one time
	multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	# Hide nginx version information
	server_tokens off;

	# Speed up file transfers by using sendfile() to copy directly
	# between descriptors rather than using read()/write()
	sendfile on;

	# Tell Nginx not to send out partial frames; this increases throughput
	# since TCP frames are filled up before being sent out (adds TCP_CORK)
	# Send the response header and the beginning of a file in one packet
	# Send a file in full packets
	tcp_nopush on;

	# Tell Nginx to enable the Nagle buffering algorithm for TCP packets
	# which collates several smaller packets together into one larger packet
	# thus saving bandwidth at the cost of a nearly imperceptible increase to latency
	tcp_nodelay off;

	send_timeout 30;

	# How long to allow each connection to stay idle;
	# Longer values are better for each individual client, especially SSL
	# But means that worker connections are tied up longer.75
	keepalive_timeout 60;

	keepalive_requests 200;
	# client_header_timeout 20;
	# client_body_timeout 20;
	reset_timedout_connection on;

	types_hash_max_size 2048;

	server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	# default_type application/octet-stream;
	default_type text/html;
	charset UTF-8;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	# Enable Gzip compression
	gzip on;

	# This should be turned on if pre-compressed copies (.gz) of static files exist
	# If NOT it should be left off as it will cause extra I/O
	# default: off
	# gzip_static on;

	# Do NOT compress anything smaller than 256 bytes
	gzip_min_length 256;

	# Fuck IE6
	gzip_disable "msie6";

	# Tell proxies to cache both the gzipped and regular version of a resource
	# whenever the client's Accept-Encoding capabilities header varies;
	# Avoids the issue where a non-gzip capable client (rare)
	# would display gibberish if their proxy gave them the gzipped version.
	# gzip_vary on;

	# Compress data even for clients that are connecting via proxies
	# Identified by the "Via" header
	gzip_proxied any;

	# Compression level (1-9)
	# 5 is the perfect compromise between size and CPU usage
	gzip_comp_level 5;

	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	gzip_types
	text/plain
	text/css
	application/json
	application/x-javascript
	text/xml
	application/xml
	application/xml+rss
	text/javascript;


	# Cache open file descriptors, their sizes and mtime
	# information on existence of directories
	# file lookup error such as "file not found", "no read permission" and so on
	#
	# Pros: nginx can immediately begin sending data when a popular file is requested
	# and will also immediately send a 404 if a file doesn't exist, and so on
	#
	# Cons: The server will NOT react immediately to changes on file system
	# which may be undesirable
	#
	# Config: inactive files are released from the cache after 20 seconds
	# whereas active (recently requested) files are re-validated every 30 seconds
	# File descriptors will NOT be cached unless they are used at least twice in 20s (inactive)
	#
	# A maximum of the 1000 most recently used file descriptors will be cached at any time
	#
	# Production servers with stable file collections will definitely want to enable the cache
	open_file_cache max=1000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}


	#mail {
	# # See sample authentication script at:
	# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
	#
	# # auth_http localhost/auth.php;
	# # pop3_capabilities "TOP" "USER";
	# # imap_capabilities "IMAP4rev1" "UIDPLUS";
	#
	# server {
	# listen localhost:110;
	# protocol pop3;
	# proxy on;
	# }
	#
	# server {
	# listen localhost:143;
	# protocol imap;
	# proxy on;
	# }
	#}
	upstream php {
	# ubuntu
	# server unix:/run/php/php8.1-fpm.sock;
	# fedora
	server unix:/run/php-fpm/www.sock;
	}

	server {
	listen 80;
	# listen [::]:80 default ipv6only=on;
	server_name terry.im www.terry.im;

	# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response
	location / {
	return 301 https://$host$request_uri;
	}
	}

	server {
	# listen 443 ssl;
	listen 443 ssl http2;

	server_name terry.im www.terry.im;

	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate /path/to/.lego/certificates/terry.im.crt;
	ssl_certificate_key /path/to/lego/.lego/certificates/terry.im.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m; # 10m about 40k sessions
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
	# openssl dhparam -out /path/to/dhparams_4096.pem 4096
	ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

	# modern configuration, tweak to your needs
	# ssl_protocols TLSv1.2 TLSv1.3;
	ssl_protocols TLSv1.3;
	# ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
	# ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305\|ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
	ssl_prefer_server_ciphers on;

	# intermediate configuration, tweak to your needs
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
	add_header Strict-Transport-Security "max-age=63072000; always;";

	# OCSP Stapling
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /path/to/lego/.lego/certificates/terry.im.crt;

	# resolver <IP DNS resolver> valid=300s;
	# resolver_timeout 5s;
	resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;
	resolver_timeout 5s;

	root /var/www/terry.im;
	index index.php index.html index.htm;

	# rewrite ^(.*)$ $scheme://www.terry.im$1;

	access_log /var/log/nginx/terry.im-access.log;
	error_log /var/log/nginx/terry.im-error.log;

	location / {
	# First attempt to serve request as file, then
	# as directory, then fall back to index.html
	try_files $uri $uri/ /index.html;
	}

	# skillmatrix rewrite rules
	location /skillmatrix {
	rewrite ^/(.*)$ https://sites.google.com/site/imterry/$1 permanent;
	#rewrite ^/.*$ https://sites.google.com/site/imterry/$1 permanent;
	#rewrite ^(/.*)$ https://sites.google.com/site/imterry/$1 permanent;
	access_log /var/log/nginx/skillmatrix-access.log;
	error_log /var/log/nginx/skillmatrix-error.log notice;
	rewrite_log on;
	}

	location ~ \.php$ {
	try_files $uri =404;
	fastcgi_index index.php;
	# include fastcgi_params;
	# nginx 1.6.1 upstream change - use fastcgi.conf
	include fastcgi.conf;
	# fastcgi_pass unix:/var/run/php-fpm.sock;
	# Use upstream
	fastcgi_pass php;

	# proxy_set_header X-Real-IP $remote_addr;
	# proxy_set_header X-Forwarded-For $remote_addr;
	# proxy_set_header Host $host;
	# proxy_pass http://127.0.0.1:8080;
	# proxy_redirect off;
	}

	# tweetnest rewrite rules
	location ~ /tweetnest {
	satisfy all;
	# deny cidr
	allow 192.168.1.0/24;
	deny all;

	# basic authentication
	auth_basic "Restricted";
	auth_basic_user_file /etc/nginx/.htpasswd;
	rewrite ^/tweetnest/sort/?$ /tweetnest/sort.php last;
	rewrite ^/tweetnest/favorites/?$ /tweetnest/favorites.php last;
	rewrite ^/tweetnest/search/?$ /tweetnest/search.php last;
	rewrite ^/tweetnest/([0-9]+)/([0-9]+)/?$ /tweetnest/month.php?y=$1&m=$2;
	rewrite ^/tweetnest/([0-9]+)/([0-9]+)/([0-9]+)/?$ /tweetnest/day.php?y=$1&m=$2&d=$3;
	}

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	location ^~ /.well-known/ {
	allow all;
	}

	location ~ /\. {
	deny all;
	}

	location ~* (?:\.(?:bak\|config\|sql\|fla\|psd\|ini\|log\|sh\|inc\|swp\|dist)\|~)$ {
	deny all;
	}

	# Browser cache
	location ~* ^.+\.(css\|js\|jpg\|jpeg\|gif\|png\|ico\|gz\|svg\|svgz\|ttf\|otf\|woff\|eot\|mp4\|ogg\|ogv\|webm)$ {
	expires 30d;
	log_not_found off;
	}

	}