From ed1b30aa2ceb323f2b3fb6ca275e27babc2e7f55 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Mon, 22 Jul 2024 12:34:42 -0400
Subject: [PATCH 01/17] proxy components naming (#704)

---
 endpoints/proxy/backend.go    |  2 +-
 endpoints/proxy/frontend.go   |  2 +-
 endpoints/publicProxy/http.go |  4 ++--
 util/proxy.go                 | 10 +++++-----
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/endpoints/proxy/backend.go b/endpoints/proxy/backend.go
index 1aef09e9..9a22ce00 100644
--- a/endpoints/proxy/backend.go
+++ b/endpoints/proxy/backend.go
@@ -52,7 +52,7 @@ func NewBackend(cfg *BackendConfig) (*Backend, error) {
 		return nil, err
 	}
 
-	handler := util.NewProxyHandler(proxy)
+	handler := util.NewRequestsWrapper(proxy)
 	return &Backend{
 		cfg:      cfg,
 		listener: listener,
diff --git a/endpoints/proxy/frontend.go b/endpoints/proxy/frontend.go
index bd31b36b..9660270e 100644
--- a/endpoints/proxy/frontend.go
+++ b/endpoints/proxy/frontend.go
@@ -68,7 +68,7 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
 	}
 	proxy.Transport = zTransport
 
-	handler := authHandler(cfg.ShrToken, util.NewProxyHandler(proxy), "zrok", cfg, zCtx)
+	handler := authHandler(cfg.ShrToken, util.NewRequestsWrapper(proxy), "zrok", cfg, zCtx)
 	return &Frontend{
 		cfg:     cfg,
 		zCtx:    zCtx,
diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index 60fc4438..f32736bb 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -73,7 +73,7 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
 	if err := configureOauthHandlers(context.Background(), cfg, cfg.Tls != nil); err != nil {
 		return nil, err
 	}
-	handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
+	handler := shareHandler(util.NewRequestsWrapper(proxy), cfg, key, zCtx)
 	return &HttpFrontend{
 		cfg:     cfg,
 		zCtx:    zCtx,
@@ -151,7 +151,7 @@ func hostTargetReverseProxy(cfg *Config, ctx ziti.Context) *httputil.ReverseProx
 	return &httputil.ReverseProxy{Director: director}
 }
 
-func authHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Context) http.HandlerFunc {
+func shareHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Context) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		shrToken := resolveService(pcfg.HostMatch, r.Host)
 		if shrToken != "" {
diff --git a/util/proxy.go b/util/proxy.go
index 8991fecd..a585a603 100644
--- a/util/proxy.go
+++ b/util/proxy.go
@@ -6,13 +6,13 @@ import (
 	"sync/atomic"
 )
 
-type proxyHandler struct {
+type requestsWrapper struct {
 	proxy    *httputil.ReverseProxy
 	requests int32
 }
 
-func NewProxyHandler(proxy *httputil.ReverseProxy) *proxyHandler {
-	handler := &proxyHandler{proxy: proxy}
+func NewRequestsWrapper(proxy *httputil.ReverseProxy) *requestsWrapper {
+	handler := &requestsWrapper{proxy: proxy}
 
 	director := proxy.Director
 	proxy.Director = func(req *http.Request) {
@@ -23,10 +23,10 @@ func NewProxyHandler(proxy *httputil.ReverseProxy) *proxyHandler {
 	return handler
 }
 
-func (self *proxyHandler) Requests() int32 {
+func (self *requestsWrapper) Requests() int32 {
 	return atomic.LoadInt32(&self.requests)
 }
 
-func (self *proxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (self *requestsWrapper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	self.proxy.ServeHTTP(w, r)
 }

From b7423ca59ec7c88afc14f88ad38e5d48e087cf63 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Tue, 23 Jul 2024 13:39:17 -0400
Subject: [PATCH 02/17] minimum viable interstitial (#704)

---
 endpoints/publicProxy/http.go                 | 10 +++++++++
 endpoints/publicProxy/interstitialUi/embed.go |  6 ++++++
 .../publicProxy/interstitialUi/handler.go     | 21 +++++++++++++++++++
 .../publicProxy/interstitialUi/index.html     | 13 ++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 endpoints/publicProxy/interstitialUi/embed.go
 create mode 100644 endpoints/publicProxy/interstitialUi/handler.go
 create mode 100644 endpoints/publicProxy/interstitialUi/index.html

diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index f32736bb..2787c62a 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -9,6 +9,7 @@ import (
 	"github.com/openziti/sdk-golang/ziti"
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/endpoints/publicProxy/healthUi"
+	"github.com/openziti/zrok/endpoints/publicProxy/interstitialUi"
 	"github.com/openziti/zrok/endpoints/publicProxy/notFoundUi"
 	"github.com/openziti/zrok/endpoints/publicProxy/unauthorizedUi"
 	"github.com/openziti/zrok/environment"
@@ -157,6 +158,15 @@ func shareHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Conte
 		if shrToken != "" {
 			if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
 				if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
+
+					ignore := r.Header.Get("zrok_interstitial")
+					_, zrokOkErr := r.Cookie("zrok_interstitial")
+					if ignore == "" && zrokOkErr != nil {
+						logrus.Infof("forcing interstitial for: %v", r.URL)
+						interstitialUi.WriteInterstitialAnnounce(w)
+						return
+					}
+
 					if scheme, found := cfg["auth_scheme"]; found {
 						switch scheme {
 						case string(sdk.None):
diff --git a/endpoints/publicProxy/interstitialUi/embed.go b/endpoints/publicProxy/interstitialUi/embed.go
new file mode 100644
index 00000000..e95039ab
--- /dev/null
+++ b/endpoints/publicProxy/interstitialUi/embed.go
@@ -0,0 +1,6 @@
+package interstitialUi
+
+import "embed"
+
+//go:embed index.html
+var FS embed.FS
diff --git a/endpoints/publicProxy/interstitialUi/handler.go b/endpoints/publicProxy/interstitialUi/handler.go
new file mode 100644
index 00000000..98bd5dbc
--- /dev/null
+++ b/endpoints/publicProxy/interstitialUi/handler.go
@@ -0,0 +1,21 @@
+package interstitialUi
+
+import (
+	"github.com/sirupsen/logrus"
+	"net/http"
+)
+
+func WriteInterstitialAnnounce(w http.ResponseWriter) {
+	if data, err := FS.ReadFile("index.html"); err == nil {
+		w.WriteHeader(http.StatusOK)
+		n, err := w.Write(data)
+		if n != len(data) {
+			logrus.Errorf("short write")
+			return
+		}
+		if err != nil {
+			logrus.Error(err)
+			return
+		}
+	}
+}
diff --git a/endpoints/publicProxy/interstitialUi/index.html b/endpoints/publicProxy/interstitialUi/index.html
new file mode 100644
index 00000000..d2b014d2
--- /dev/null
+++ b/endpoints/publicProxy/interstitialUi/index.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+    <script>
+        function onClick() {
+            document.cookie = "zrok_interstitial = true";
+            window.location.reload();
+        }
+    </script>
+    <body>
+        <h1>this is a zrok share!</h1>
+        <button onClick="onClick()">Visit Site</button>
+    </body>
+</html>
\ No newline at end of file

From 2e3d6a627f92611c3750c47cc87fc82d41b41af7 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 24 Jul 2024 10:43:22 -0400
Subject: [PATCH 03/17] frontend config for interstitial enable/disable;
 zrok.proxy.v1 support for interstitial enablement (#704)

---
 endpoints/publicProxy/config.go | 18 ++++++++++--------
 endpoints/publicProxy/http.go   | 17 ++++++++++-------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/endpoints/publicProxy/config.go b/endpoints/publicProxy/config.go
index 54710c0b..cac3da35 100644
--- a/endpoints/publicProxy/config.go
+++ b/endpoints/publicProxy/config.go
@@ -12,12 +12,13 @@ import (
 const V = 3
 
 type Config struct {
-	V         int
-	Identity  string
-	Address   string
-	HostMatch string
-	Oauth     *OauthConfig
-	Tls       *endpoints.TlsConfig
+	V            int
+	Identity     string
+	Address      string
+	HostMatch    string
+	Interstitial bool
+	Oauth        *OauthConfig
+	Tls          *endpoints.TlsConfig
 }
 
 type OauthConfig struct {
@@ -45,8 +46,9 @@ type OauthProviderConfig struct {
 
 func DefaultConfig() *Config {
 	return &Config{
-		Identity: "public",
-		Address:  "0.0.0.0:8080",
+		Identity:     "public",
+		Address:      "0.0.0.0:8080",
+		Interstitial: false,
 	}
 }
 
diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index 2787c62a..d4083724 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -158,13 +158,16 @@ func shareHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Conte
 		if shrToken != "" {
 			if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
 				if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
-
-					ignore := r.Header.Get("zrok_interstitial")
-					_, zrokOkErr := r.Cookie("zrok_interstitial")
-					if ignore == "" && zrokOkErr != nil {
-						logrus.Infof("forcing interstitial for: %v", r.URL)
-						interstitialUi.WriteInterstitialAnnounce(w)
-						return
+					if pcfg.Interstitial {
+						if _, istlFound := cfg["interstitial"]; istlFound {
+							skip := r.Header.Get("skip_zrok_interstitial")
+							_, zrokOkErr := r.Cookie("zrok_interstitial")
+							if skip == "" && zrokOkErr != nil {
+								logrus.Debugf("forcing interstitial for '%v'", r.URL)
+								interstitialUi.WriteInterstitialAnnounce(w)
+								return
+							}
+						}
 					}
 
 					if scheme, found := cfg["auth_scheme"]; found {

From 2755422a29bb2ee013b8b47e4cdfbdbcfae1af7d Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 24 Jul 2024 10:47:12 -0400
Subject: [PATCH 04/17] iteration (#704)

---
 endpoints/publicProxy/http.go | 16 +++++++++-------
 sdk/golang/sdk/config.go      | 11 +++++++----
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index d4083724..5e3ba4e8 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -159,13 +159,15 @@ func shareHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Conte
 			if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
 				if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
 					if pcfg.Interstitial {
-						if _, istlFound := cfg["interstitial"]; istlFound {
-							skip := r.Header.Get("skip_zrok_interstitial")
-							_, zrokOkErr := r.Cookie("zrok_interstitial")
-							if skip == "" && zrokOkErr != nil {
-								logrus.Debugf("forcing interstitial for '%v'", r.URL)
-								interstitialUi.WriteInterstitialAnnounce(w)
-								return
+						if v, istlFound := cfg["interstitial"]; istlFound {
+							if istlEnabled, ok := v.(bool); ok && istlEnabled {
+								skip := r.Header.Get("skip_zrok_interstitial")
+								_, zrokOkErr := r.Cookie("zrok_interstitial")
+								if skip == "" && zrokOkErr != nil {
+									logrus.Debugf("forcing interstitial for '%v'", r.URL)
+									interstitialUi.WriteInterstitialAnnounce(w)
+									return
+								}
 							}
 						}
 					}
diff --git a/sdk/golang/sdk/config.go b/sdk/golang/sdk/config.go
index 38748e78..e07000bb 100644
--- a/sdk/golang/sdk/config.go
+++ b/sdk/golang/sdk/config.go
@@ -1,13 +1,16 @@
 package sdk
 
-import "github.com/pkg/errors"
+import (
+	"github.com/pkg/errors"
+)
 
 const ZrokProxyConfig = "zrok.proxy.v1"
 
 type FrontendConfig struct {
-	AuthScheme AuthScheme       `json:"auth_scheme"`
-	BasicAuth  *BasicAuthConfig `json:"basic_auth"`
-	OauthAuth  *OauthConfig     `json:"oauth"`
+	Interstitial bool             `json:"interstitial"`
+	AuthScheme   AuthScheme       `json:"auth_scheme"`
+	BasicAuth    *BasicAuthConfig `json:"basic_auth"`
+	OauthAuth    *OauthConfig     `json:"oauth"`
 }
 
 type BasicAuthConfig struct {

From 275666c2b23f3e8d8b80752e258d0c0a3090e649 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 24 Jul 2024 11:16:36 -0400
Subject: [PATCH 05/17] skip_interstitial_grants sql structure (#704)

---
 controller/store/skipInterstitialGrant.go      | 18 ++++++++++++++++++
 .../029_v0_4_36_skip_interstitial_grants.sql   | 13 +++++++++++++
 .../029_v0_4_36_skip_interstitial_grants.sql   | 13 +++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 controller/store/skipInterstitialGrant.go
 create mode 100644 controller/store/sql/postgresql/029_v0_4_36_skip_interstitial_grants.sql
 create mode 100644 controller/store/sql/sqlite3/029_v0_4_36_skip_interstitial_grants.sql

diff --git a/controller/store/skipInterstitialGrant.go b/controller/store/skipInterstitialGrant.go
new file mode 100644
index 00000000..2ec2d80a
--- /dev/null
+++ b/controller/store/skipInterstitialGrant.go
@@ -0,0 +1,18 @@
+package store
+
+import (
+	"github.com/jmoiron/sqlx"
+	"github.com/pkg/errors"
+)
+
+func (str *Store) IsAccountGrantedSkipInterstitial(acctId int, trx *sqlx.Tx) (bool, error) {
+	stmt, err := trx.Prepare("select count(0) from skip_interstitial_grants where account_id = $1")
+	if err != nil {
+		return false, errors.Wrap(err, "error preparing skip_interstitial_grants select statement")
+	}
+	var count int
+	if err := stmt.QueryRow(acctId).Scan(&count); err != nil {
+		return false, errors.Wrap(err, "error querying skip_interstitial_grants count")
+	}
+	return count > 0, nil
+}
diff --git a/controller/store/sql/postgresql/029_v0_4_36_skip_interstitial_grants.sql b/controller/store/sql/postgresql/029_v0_4_36_skip_interstitial_grants.sql
new file mode 100644
index 00000000..a57782dc
--- /dev/null
+++ b/controller/store/sql/postgresql/029_v0_4_36_skip_interstitial_grants.sql
@@ -0,0 +1,13 @@
+-- +migrate Up
+
+create table skip_interstitial_grants (
+    id                  serial                  primary key,
+
+    account_id          integer                 references accounts (id) not null,
+
+    created_at          timestamptz             not null default(current_timestamp),
+    updated_at          timestamptz             not null default(current_timestamp),
+    deleted             boolean                 not null default(false)
+);
+
+create index skip_interstitial_grants_id_idx on skip_interstitial_grants (account_id);
\ No newline at end of file
diff --git a/controller/store/sql/sqlite3/029_v0_4_36_skip_interstitial_grants.sql b/controller/store/sql/sqlite3/029_v0_4_36_skip_interstitial_grants.sql
new file mode 100644
index 00000000..a2fbf464
--- /dev/null
+++ b/controller/store/sql/sqlite3/029_v0_4_36_skip_interstitial_grants.sql
@@ -0,0 +1,13 @@
+-- +migrate Up
+
+create table skip_interstitial_grants (
+    id                  integer                 primary key,
+
+    account_id          integer                 references accounts (id) not null,
+
+    created_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    updated_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    deleted             boolean                 not null default(false)
+);
+
+create index skip_interstitial_grants_id_idx on skip_interstitial_grants (account_id);
\ No newline at end of file

From d593232cf67f3f17b6203647320233c7823d4278 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 24 Jul 2024 11:28:20 -0400
Subject: [PATCH 06/17] wire skip interstitial into public share config (#704)

---
 controller/share.go              | 7 ++++++-
 controller/sharePublic.go        | 3 ++-
 controller/zrokEdgeSdk/config.go | 4 +++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/controller/share.go b/controller/share.go
index b5dc286b..21d018bc 100644
--- a/controller/share.go
+++ b/controller/share.go
@@ -133,7 +133,12 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 				logrus.Infof("added frontend selection '%v' with ziti identity '%v' for share '%v'", frontendSelection, sfe.ZId, shrToken)
 			}
 		}
-		shrZId, frontendEndpoints, err = newPublicResourceAllocator().allocate(envZId, shrToken, frontendZIds, frontendTemplates, params, edge)
+		skipInterstitial, err := str.IsAccountGrantedSkipInterstitial(int(principal.ID), trx)
+		if err != nil {
+			logrus.Errorf("error checking skip interstitial for account '%v': %v", principal.Email, err)
+			return share.NewShareInternalServerError()
+		}
+		shrZId, frontendEndpoints, err = newPublicResourceAllocator().allocate(envZId, shrToken, frontendZIds, frontendTemplates, params, !skipInterstitial, edge)
 		if err != nil {
 			logrus.Error(err)
 			return share.NewShareInternalServerError()
diff --git a/controller/sharePublic.go b/controller/sharePublic.go
index 58539e8b..335b9b24 100644
--- a/controller/sharePublic.go
+++ b/controller/sharePublic.go
@@ -13,7 +13,7 @@ func newPublicResourceAllocator() *publicResourceAllocator {
 	return &publicResourceAllocator{}
 }
 
-func (a *publicResourceAllocator) allocate(envZId, shrToken string, frontendZIds, frontendTemplates []string, params share.ShareParams, edge *rest_management_api_client.ZitiEdgeManagement) (shrZId string, frontendEndpoints []string, err error) {
+func (a *publicResourceAllocator) allocate(envZId, shrToken string, frontendZIds, frontendTemplates []string, params share.ShareParams, interstitial bool, edge *rest_management_api_client.ZitiEdgeManagement) (shrZId string, frontendEndpoints []string, err error) {
 	var authUsers []*sdk.AuthUserConfig
 	for _, authUser := range params.Body.AuthUsers {
 		authUsers = append(authUsers, &sdk.AuthUserConfig{Username: authUser.Username, Password: authUser.Password})
@@ -23,6 +23,7 @@ func (a *publicResourceAllocator) allocate(envZId, shrToken string, frontendZIds
 		return "", nil, err
 	}
 	options := &zrokEdgeSdk.FrontendOptions{
+		Interstitial:   interstitial,
 		AuthScheme:     authScheme,
 		BasicAuthUsers: authUsers,
 		Oauth: &sdk.OauthConfig{
diff --git a/controller/zrokEdgeSdk/config.go b/controller/zrokEdgeSdk/config.go
index c164814e..d58f32ee 100644
--- a/controller/zrokEdgeSdk/config.go
+++ b/controller/zrokEdgeSdk/config.go
@@ -12,6 +12,7 @@ import (
 )
 
 type FrontendOptions struct {
+	Interstitial   bool
 	AuthScheme     sdk.AuthScheme
 	BasicAuthUsers []*sdk.AuthUserConfig
 	Oauth          *sdk.OauthConfig
@@ -19,7 +20,8 @@ type FrontendOptions struct {
 
 func CreateConfig(cfgTypeZId, envZId, shrToken string, options *FrontendOptions, edge *rest_management_api_client.ZitiEdgeManagement) (cfgZId string, err error) {
 	cfg := &sdk.FrontendConfig{
-		AuthScheme: options.AuthScheme,
+		Interstitial: options.Interstitial,
+		AuthScheme:   options.AuthScheme,
 	}
 	if cfg.AuthScheme == sdk.Basic {
 		cfg.BasicAuth = &sdk.BasicAuthConfig{}

From 23a9be0a408583f0898208a077cbe0a891fd1809 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 24 Jul 2024 14:09:06 -0400
Subject: [PATCH 07/17] interim interstitial page layout (#704)

---
 .../publicProxy/interstitialUi/index.html     | 210 +++++++++++++++++-
 1 file changed, 206 insertions(+), 4 deletions(-)

diff --git a/endpoints/publicProxy/interstitialUi/index.html b/endpoints/publicProxy/interstitialUi/index.html
index d2b014d2..45f454a7 100644
--- a/endpoints/publicProxy/interstitialUi/index.html
+++ b/endpoints/publicProxy/interstitialUi/index.html
@@ -1,13 +1,215 @@
 <!DOCTYPE html>
 <html lang="en">
+<head>
+    <meta charset="utf-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1"/>
+    <meta name="theme-color" content="#000000"/>
+    <meta name="description" content="zrok ui"/>
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Russo+One&display=swap" rel="stylesheet">
+    <title>zrok</title>
+    <style>
+        body {
+            margin: 0;
+            padding: 25;
+            font-family: 'JetBrains Mono', Consolas, 'Courier New', monospace;
+            -webkit-font-smoothing: antialiased;
+            -moz-osx-font-smoothing: grayscale;
+			justify-content: center;
+			display: flex;
+        }
+        h1, h2, h3, h4, h5, h6 {
+            font-family: 'Russo One', sans-serif;
+        }
+        table {
+            table-layout: fixed;
+            width: 100%;
+        }
+        td {
+            vertical-align: top;
+        }
+        td:last-child {
+            width: 80%;
+            overflow: clip;
+        }
+        td:first-child {
+            width: 20%;
+            overflow: auto;
+        }
+        button {
+            color: purple;
+        }
+        button {
+            appearance: button;
+            backface-visibility: hidden;
+            background-image: linear-gradient(180deg, #0E0238 0%, #231069 100%);
+            border-radius: 6px;
+            border-width: 0;
+            box-shadow: rgba(50, 50, 93, .1) 0 0 0 1px inset,rgba(50, 50, 93, .1) 0 2px 5px 0,rgba(0, 0, 0, .07) 0 1px 1px 0;
+            box-sizing: border-box;
+            color: #fff;
+            cursor: pointer;
+            font-family: 'Russo One', sans-serif;
+            font-size: 100%;
+            height: 44px;
+            line-height: 1.15;
+            margin: 12px 0 0;
+            outline: none;
+            overflow: hidden;
+            padding: 0 25px;
+            position: relative;
+            text-align: center;
+            text-transform: none;
+            transform: translateZ(0);
+            transition: all .2s,box-shadow .08s ease-in;
+            user-select: none;
+            -webkit-user-select: none;
+            touch-action: manipulation;
+        }
+        button:hover {
+            color: #9BF316;
+        }
+        #banner {
+            padding: 25px;
+        }
+        #info, #info2 {
+            width: 920px;
+            padding: 35px;
+			margin: 25px;
+			border: 1px solid gray;
+			border-radius: 10px;
+			text-align: left;
+        }
+		#hostname {
+			color: red;
+		}
+    </style>
+</head>
+<body>
+<div id="root">
+    <div id="banner">
+        <svg width="25%" height="25%" viewBox="0 0 100 30" xml:space="default" style="clip-rule:evenodd;fill-rule:evenodd;stroke-miterlimit:10" id="svg48" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
+					<defs id="defs48" /><namedview id="namedview48" pagecolor="#ffffff" bordercolor="#000000" borderopacity="0.25"/>
+            <g transform="matrix(0.0639619,0,0,0.0388212,-1.65041,-1.44321)" id="g1">
+						<path d="m 1589.31,230.468 c 0,-106.573 -52.51,-193.096 -117.2,-193.096 H 143.033 c -64.683,0 -117.198,86.523 -117.198,193.096 v 386.191 c 0,106.573 52.515,193.096 117.198,193.096 H 1472.11 c 64.69,0 117.2,-86.523 117.2,-193.096 z" style="fill:#170549" id="path1" />
+					</g>
+            <g transform="matrix(-0.0296355,-0.233707,-0.233707,0.0296355,76.730746,23.501948)" id="g15">
+						<path d="m -30.685,-47.339 c 0.924,3.31 1.524,5.653 1.574,6.05 0.401,2.368 -0.97,54.354 -1.574,56.749 -0.171,1.029 -1.342,5.311 -2.995,10.56 -11.859,-21.982 -11.292,-51.69 2.995,-73.359" style="fill:#a3a3a3" id="path14" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,89.174746,26.961548)" id="g23">
+						<path d="m 0,-51.2 19.7,-3 c 5.6,-0.9 10.9,2.8 11.9,8.4 l 2.7,17.7 C 29.9,-18.1 23.6,-9 16,-1.3 10.9,3.9 15.9,-1.6 10,2.1 L 1,-39.8 C 0.1,-45.3 -5.7,-50.3 0,-51.2" style="fill:#b3b3b3" id="path22" />
+					</g>
+            <g transform="matrix(-0.160445,0.172496,0.172496,0.160445,96.828546,10.865078)" id="g24">
+						<path d="m 61.55,-141.309 c -46.795,1.269 -84.666,39.929 -84.684,86.346 -0.018,46.417 37.889,83.042 84.684,81.772 46.795,-1.269 84.666,-39.929 84.684,-86.346 0.018,-46.417 -37.889,-83.042 -84.684,-81.772" id="path23" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,56.099446,11.884458)" id="g25">
+						<path d="M 0,34.1 8.7,32.5 C 4.8,21.8 3.2,10.4 4,-0.9 V -1.1 L -6.1,0.7 c -5.4,0.9 -9.2,6.1 -8.3,11.6 l 2.5,13.8 c 1.1,5.5 6.5,9.1 11.9,8" style="fill:#ffffff" id="path24" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,99.257546,5.2882484)" id="g26">
+						<path d="m 0,33.4 -8.8,1.1 C -8.3,23.1 -10.2,11.8 -14.4,1.2 V 1 L -4.2,-0.3 C 1.3,-1.1 6.4,2.8 7.2,8.3 L 9,22.2 C 9.5,27.8 5.5,32.8 0,33.4" style="fill:#ffffff" id="path25" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,76.712646,31.343248)" id="g27">
+						<path d="m 0,-161.7 c -22,0.5 -42.9,9.5 -58.3,25.2 -15.3,15.3 -23.7,36.2 -23.3,57.8 0.4,21.5 9.6,42 25.5,56.5 C -40,-7.3 -18.7,0.7 3.2,0 25.2,-0.5 46.1,-9.5 61.5,-25.2 76.7,-40.6 85.1,-61.4 84.8,-83 84.4,-104.5 75.2,-125 59.4,-139.6 43.2,-154.4 21.9,-162.4 0,-161.7 m -61.7,22.1 c 16.3,-16.6 38.4,-26.2 61.6,-26.8 23.2,-0.7 45.7,7.7 62.7,23.4 16.8,15.4 26.5,37 26.9,59.8 C 89.9,-60.3 81,-38.3 64.9,-22 48.6,-5.4 26.5,4.1 3.3,4.7 -19.8,5.4 -42.3,-3 -59.3,-18.7 c -16.8,-15.4 -26.5,-37.1 -26.9,-59.8 -0.5,-22.9 8.4,-44.9 24.5,-61.1" style="fill-rule:nonzero" id="path26" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,56.099446,11.790228)" id="g28">
+						<path d="M 0,34.5 8.7,32.9 C 4.8,22.2 3.2,10.8 4,-0.5 v -0.2 l -7.7,1.4 c 0.1,9.2 0.2,17.8 2.8,27.3 l -8.8,1.6 c -0.4,0 -0.7,0.3 -0.8,0.7 2.5,3.2 6.5,4.9 10.5,4.2" style="fill:#a3a3a3" id="path27" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,99.257546,5.5473884)" id="g29">
+						<path d="m 0,32.3 -8.8,1.1 C -8.3,22 -10.2,10.7 -14.4,0.1 v -0.2 l 7.7,-1 c 2.7,8.8 5.2,17 5.6,26.8 L 7.7,24.6 C 8.1,24.5 8.5,24.7 8.7,25 7.4,29 4,31.8 0,32.3" style="fill:#a3a3a3" id="path28" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,57.418746,12.449848)" id="g30">
+						<path d="m 0,28.3 -6,1.1 c -2,0.4 -4.2,-0.1 -5.9,-1.2 -1.7,-1.1 -2.9,-2.9 -3.3,-4.9 L -17.6,9.5 c -0.4,-2 0.1,-4.1 1.3,-5.7 1.2,-1.7 3,-2.8 5.1,-3.2 L -4,-0.7 c -0.4,9.8 1,19.6 4,29 M -5.2,34 3.6,32.4 6.4,31.9 5.5,29.3 C 1.7,18.9 0.1,7.9 0.9,-3.2 V -3.5 L 0.8,-4 0.4,-6.3 -2,-5.9 -12.1,-4.1 c -3.3,0.6 -6.2,2.4 -8.2,5.1 -1.9,2.7 -2.7,6 -2.1,9.2 l 2.5,13.8 c 0.6,3.2 2.5,6.1 5.2,7.9 2.9,2 6.2,2.7 9.5,2.1" style="fill-rule:nonzero" id="path29" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,97.749846,5.8536384)" id="g31">
+						<path d="m 0,29.5 6.1,-0.8 c 2.1,-0.3 3.9,-1.3 5.2,-3 1.3,-1.6 1.9,-3.6 1.6,-5.7 L 11.1,6.1 C 10.8,4.1 9.8,2.2 8.1,1 6.4,-0.2 4.4,-0.8 2.3,-0.5 L -5,0.4 c 1.7,4.6 2.9,9.4 3.7,14.2 0.9,5.1 1.3,10 1.3,14.9 m 6.6,3.8 -8.8,1.1 -2.8,0.4 0.1,-2.7 C -4.4,21.1 -6.3,10 -10.4,-0.2 l -0.1,-0.3 -0.1,-0.5 -0.3,-2.3 2.4,-0.3 10.2,-1.3 c 3.3,-0.4 6.7,0.4 9.3,2.4 2.6,2 4.4,4.9 4.8,8.1 l 1.8,13.9 c 0.4,3.3 -0.5,6.6 -2.6,9.1 -2,2.6 -5,4.3 -8.4,4.7" style="fill-rule:nonzero" id="path30" />
+					</g>
+            <g transform="matrix(-0.094487,-0.2158,-0.2158,0.094487,60.008346,10.163168)" id="g32">
+						<path d="m -68.968,-142.292 c -20.852,8.475 -37.24,25.148 -45.56,46.039 -17.44,43.442 2.976,93.561 45.56,112.032 9.157,3.96 18.932,6.339 28.941,6.76 -61.01,-17.172 -106.83,-100.38 -28.941,-164.831" style="fill:#ffffff" id="path31" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,95.346946,21.496048)" id="g33">
+						<path d="m 0,-10.4 c 1.7,-4.2 3,-8.6 3.9,-13 -7.8,18.2 -18.4,31.7 -30.5,41.1 -11,8.6 -23.9,14.3 -37.7,16.6 -13.2,2.2 -26.8,1.5 -39.8,-2 -13.1,-3.4 -25.4,-9.4 -36.2,-17.6 1.5,1.7 3.2,3.4 4.9,5 16.1,14.9 37.4,22.8 59.3,22.1 22,-0.5 42.9,-9.5 58.3,-25.2 C -10,9 -4,-0.2 0,-10.4 m 10.4,-31.7 c 0.3,11.4 -1.7,22.7 -5.9,33.3 -4.3,10.7 -10.6,20.4 -18.7,28.5 -16.3,16.6 -38.4,26.1 -61.6,26.7 -23.1,0.7 -45.6,-7.7 -62.6,-23.4 -3.8,-3.5 -7.3,-7.3 -10.4,-11.4 -3.1,-4.1 -5.7,-8.4 -8,-13 l -5.1,-13.9 9.1,11.4 c 13,15.5 30.6,26.6 50.2,31.7 12.3,3.3 25.1,4 37.7,1.9 12.9,-2.1 25.1,-7.5 35.5,-15.6 15.1,-11.8 27.6,-30.2 35.2,-56.7 l 2.7,-14.9 z" style="fill-rule:nonzero" id="path32" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,62.507246,12.284948)" id="g34">
+						<path d="m 0,-59 c 32.8,-33.4 87,-34.8 121,-3.2 16.1,14.8 25.6,35.6 26.2,57.4 -12.8,-31.9 -30.4,-46.9 -51.7,-54.1 -33.2,-11.2 -64.8,-8.3 -93,24.3 -20.7,23.7 -19.6,48.4 -18,69.4 C -30.5,4.5 -25.5,-33.1 0,-59" style="fill:#ffffff" id="path33" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,76.665546,22.037948)" id="g35">
+						<path d="m 0,-124.1 c -22,0.5 -42.9,9.5 -58.3,25.2 -11.7,11.8 -19.5,27 -22.2,43.4 -1.9,11.4 -1.3,23 1.8,34.1 -0.1,-6.4 0.4,-12.9 1.4,-19.2 2.4,-13.7 8.5,-26.5 17.8,-36.9 14.5,-16.7 29.9,-25.9 46,-29.4 16.1,-3.5 32.7,-1.4 49.7,4.4 11.3,3.7 21.6,10 30,18.4 6.7,6.8 12.3,14.6 16.7,23.1 C 81.7,-66.3 80,-71.5 77.7,-76.5 73.3,-86.1 67.1,-94.7 59.3,-101.9 43.1,-116.8 21.9,-124.8 0,-124.1 m -61.8,22.1 c 16.3,-16.6 38.4,-26.2 61.7,-26.8 23.1,-0.7 45.6,7.7 62.6,23.4 8.2,7.6 14.8,16.7 19.4,26.9 4.6,10.1 7.1,21.1 7.4,32.2 l -0.2,13.2 -4.3,-12.2 C 78.5,-61 71.1,-72.4 62.7,-80.8 54.8,-88.7 45.1,-94.6 34.5,-98.1 c -16.2,-5.5 -32,-7.5 -47.1,-4.2 -15.1,3.3 -29.5,11.9 -43.3,27.8 -8.7,9.8 -14.5,21.8 -16.7,34.6 -2.1,11.5 -1.4,22.8 -0.6,33.1 l 0.9,12.2 -5.4,-11.1 c -7.7,-15.7 -10.4,-33.4 -7.5,-50.7 2.8,-17.1 11,-33.2 23.4,-45.6" style="fill-rule:nonzero" id="path34" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,97.043046,0.69445839)" id="g36">
+						<path d="m 0,37.2 c 0.3,2.4 0.5,4.8 0.5,7.3 -12.8,-31.9 -30.4,-46.9 -51.7,-54.1 -33.2,-11.2 -75.4,-3.5 -98,26.7 -6.8,9 -18.6,29.7 -15.7,54.2 -7.6,-24.3 -1.1,-48.6 20.4,-70.4 32.7,-33.5 86.8,-35 120.8,-3.3 C -12.1,8.2 -3.9,22 0,37.2" style="fill:#e6e6e6" id="path35" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,92.166646,14.028248)" id="g37">
+						<path d="m 0,-49.8 c 6.3,6.4 11.6,13.6 15.8,21.4 -1.6,-4 -3.5,-7.9 -5.7,-11.5 -3.9,-6.6 -8.8,-12.5 -14.4,-17.8 -16.2,-14.9 -37.5,-22.9 -59.5,-22.3 -22.2,0.6 -43.2,9.7 -58.7,25.5 -10.4,10.6 -17.2,21.7 -20.5,33.2 -1.4,4.9 -2.2,9.9 -2.3,15 0.5,-2.5 1,-4.8 1.7,-7.1 2.9,-9.8 7.5,-19.1 13.5,-27.3 11.1,-14.9 26.7,-24.4 43.8,-29.1 18.6,-5 38.2,-4.4 56.4,1.7 11.3,3.7 21.5,10 29.9,18.3 m 22.6,30.1 c 0.2,1.3 0.3,2.6 0.4,3.7 0.1,1.2 0.1,2.5 0.2,3.7 l 0.3,10.9 -4.1,-10.2 C 13.1,-27.3 5.6,-38.8 -2.8,-47.3 c -7.9,-7.9 -17.7,-13.9 -28.3,-17.4 -17.5,-5.8 -36.3,-6.4 -54.1,-1.6 -16.3,4.4 -31.2,13.5 -41.7,27.6 -5.8,7.9 -10.2,16.7 -13,26.1 -2.6,8.7 -3.4,17.8 -2.4,26.8 l 2.4,20.4 -6.2,-19.4 c -4,-12.2 -4.2,-25.2 -0.7,-37.5 3.5,-12 10.5,-23.7 21.4,-34.7 l 0.1,-0.1 c 16.2,-16.5 38.3,-26 61.4,-26.6 23,-0.7 45.3,7.6 62.2,23.2 l 0.1,0.1 c 5.9,5.4 10.9,11.7 15.1,18.6 4.1,6.8 7.2,14.2 9.1,21.9 z" style="fill-rule:nonzero" id="path36" />
+					</g>
+            <g transform="matrix(0.131129,0.19571,0.19571,-0.131129,60.042246,4.7938284)" id="g38">
+						<path d="m 32.805,-16.969 c 0,0 -31.438,29.611 -14.637,74.808 1.315,4.657 15.792,4.346 14.637,-2.946 -1.154,-7.292 -9.456,-35.313 13.492,-66.457 1.659,-2.195 -8.429,-10.963 -13.492,-5.405" style="fill:#e6e6e6" id="path37" />
+					</g>
+            <g transform="matrix(0.235579,0,0,0.235579,52.094646,-8.3046516)" id="g45">
+						<g opacity="0.25" id="g44">
+							<g transform="matrix(-1,0,0,1,141,101.8)" id="g39">
+								<path d="m 0,-36.8 c -10.162,0 -18.4,8.238 -18.4,18.4 C -18.4,-8.238 -10.162,0 0,0 10.162,0 18.4,-8.238 18.4,-18.4 18.4,-28.562 10.162,-36.8 0,-36.8" style="fill:#fefcf9;fill-rule:nonzero" id="path38" />
+							</g>
+                            <g transform="matrix(-1,0,0,1,143.3,88.2)" id="g40">
+								<path d="m 0,-14.2 c -3.921,0 -7.1,3.179 -7.1,7.1 0,3.921 3.179,7.1 7.1,7.1 3.921,0 7.1,-3.179 7.1,-7.1 0,-3.921 -3.179,-7.1 -7.1,-7.1" style="fill-rule:nonzero" id="path39" />
+							</g>
+                            <g transform="matrix(-1,0,0,1,71.8,112.5)" id="g41">
+								<path d="m 0,-36.8 c -10.162,0 -18.4,8.238 -18.4,18.4 C -18.4,-8.238 -10.162,0 0,0 10.162,0 18.4,-8.238 18.4,-18.4 18.4,-28.562 10.162,-36.8 0,-36.8" style="fill:#fefcf9;fill-rule:nonzero" id="path40" />
+							</g>
+                            <g transform="translate(116.1,122.6)" id="g42">
+								<path d="m 0,17.4 c -11.8,1.8 -23.8,-0.3 -34.3,-5.8 -0.9,-0.5 -1.3,-1.6 -0.8,-2.5 0.5,-0.9 1.6,-1.3 2.5,-0.8 20.1,10.8 44.9,7 60.7,-9.4 0.7,-0.7 1.9,-0.7 2.6,0 0.7,0.7 0.7,1.9 0,2.6 -7.9,8 -18,13.4 -29,15.6 -0.5,0 -1.1,0.2 -1.7,0.3 z" style="fill:none;fill-rule:nonzero;stroke:#ffffff;stroke-width:16.98px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4" id="path41" />
+							</g>
+                            <g transform="matrix(-1,0,0,1,76.2,97.8)" id="g43">
+								<path d="m 0,-14.2 c -3.921,0 -7.1,3.179 -7.1,7.1 0,3.921 3.179,7.1 7.1,7.1 3.921,0 7.1,-3.179 7.1,-7.1 0,-3.921 -3.179,-7.1 -7.1,-7.1" style="fill-rule:nonzero" id="path42" />
+							</g>
+						</g>
+					</g>
+            <g id="zrok" transform="matrix(0.02734414,0,0,0.02978162,2.3966205,5.6320267)">&#10;        <path d="M 508.489,211.308 300.982,391.439 h 207.507 v 93.53 H 134.977 v -93.53 L 342.483,211.308 H 134.977 v -93.53 h 373.512 z" style="fill:#7bf600;fill-rule:nonzero" id="path45" />
+                <path d="m 791.453,218.236 c -31.692,0 -64.39,6.928 -98.094,20.784 V 484.969 H 561.309 V 117.778 h 116.958 l 7.546,45.033 C 729.075,128.17 774.349,110.85 821.636,110.85 h 33.955 v 107.386 z" style="fill:#7bf600;fill-rule:nonzero" id="path46" />
+                <path d="m 1300.79,381.047 c 0,34.64 -10.69,61.776 -32.07,81.405 -21.38,19.63 -50.93,29.445 -88.66,29.445 H 1006.5 c -37.723,0 -67.277,-9.815 -88.657,-29.445 -21.379,-19.629 -32.069,-46.765 -32.069,-81.405 V 221.7 c 0,-34.641 10.69,-61.776 32.069,-81.405 21.38,-19.63 50.934,-29.445 88.657,-29.445 h 173.56 c 37.73,0 67.28,9.815 88.66,29.445 21.38,19.629 32.07,46.764 32.07,81.405 z M 1168.74,232.092 c 0,-18.475 -10.06,-27.712 -30.18,-27.712 h -90.55 c -20.13,0 -30.19,9.237 -30.19,27.712 v 138.563 c 0,18.475 10.06,27.712 30.19,27.712 h 90.55 c 20.12,0 30.18,-9.237 30.18,-27.712 z" style="fill:#7bf600;fill-rule:nonzero" id="path47" />
+                <path d="M 1500.75,339.478 V 484.969 H 1368.7 V 0 h 132.05 v 245.948 h 60.37 l 83,-128.17 h 139.59 l -113.18,176.667 113.18,190.524 h -139.59 l -86.78,-145.491 z" style="fill:#7bf600;fill-rule:nonzero" id="path48" />
+            </g>
+        </svg>
+    </div>
     <script>
         function onClick() {
             document.cookie = "zrok_interstitial = true";
             window.location.reload();
         }
     </script>
-    <body>
-        <h1>this is a zrok share!</h1>
-        <button onClick="onClick()">Visit Site</button>
-    </body>
+    <div id="container">
+        <div id="info">
+            <h1>You are about to visit a zrok share served at:</h1>
+			<h2 id="hostname"></h2>
+
+			<ul>
+				<li>This share is made available for free through zrok.</li>
+				<li>You should only visit this shared website if you trust whoever sent you the link.</li>
+				<li>Be careful about disclosing any personal or financial information like passwords, phone numbers, or credit cards.</li>
+			</ul>
+
+            <button onClick="onClick()">Visit Share</button>
+        </div>
+		<div id="info2">
+			<h1>Are you the owner of this zrok share?</h1>
+			<p>
+				We display this page to prevent abuse of zrok shares. Visitors to your share will only see it once.
+			</p>
+
+			<h2>To remove this page:</h2>
+			<ul>
+				<li>If you are using the global zrok service at zrok.io, you can upgrade to any paid account to have this
+					page removed.</li>
+				<li>If you are using a zrok instance hosted elsewhere, contact the administrator of your instance for
+					options to have this page removed.</li>
+				<li>If you are operating a self-hosted zrok instance, see the documentation for configuration options
+					to remove the interstitial page.</li>
+			</ul>
+		</div>
+    </div>
+</div>
+</body>
+<script>
+	document.getElementById("hostname").innerText = document.location.host;
+</script>
 </html>
\ No newline at end of file

From 607ba8b69e3e79da85279672cb2084d6855106fa Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 24 Jul 2024 14:23:18 -0400
Subject: [PATCH 08/17] samesite; expiration; path (#704)

---
 endpoints/publicProxy/interstitialUi/index.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/endpoints/publicProxy/interstitialUi/index.html b/endpoints/publicProxy/interstitialUi/index.html
index 45f454a7..936d87c4 100644
--- a/endpoints/publicProxy/interstitialUi/index.html
+++ b/endpoints/publicProxy/interstitialUi/index.html
@@ -173,7 +173,8 @@
     </div>
     <script>
         function onClick() {
-            document.cookie = "zrok_interstitial = true";
+			let e=new Date; e.setTime(e.getTime()+6048e5);
+            document.cookie = 'zrok_interstitial = true; expires=${e}; path=/; SameSite=None';
             window.location.reload();
         }
     </script>

From c3cf0f866845c99f489328eef40fd405f21112d2 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 11:02:03 -0400
Subject: [PATCH 09/17] responsive, updated interstitial layout (#704)

---
 .../publicProxy/interstitialUi/index.html     | 340 ++++++++++--------
 1 file changed, 187 insertions(+), 153 deletions(-)

diff --git a/endpoints/publicProxy/interstitialUi/index.html b/endpoints/publicProxy/interstitialUi/index.html
index 936d87c4..82270dfc 100644
--- a/endpoints/publicProxy/interstitialUi/index.html
+++ b/endpoints/publicProxy/interstitialUi/index.html
@@ -4,39 +4,22 @@
     <meta charset="utf-8"/>
     <meta name="viewport" content="width=device-width, initial-scale=1"/>
     <meta name="theme-color" content="#000000"/>
-    <meta name="description" content="zrok ui"/>
+    <meta name="description" content="zrok interstitial"/>
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Russo+One&display=swap" rel="stylesheet">
+	<link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono&display=swap" rel="stylesheet">
     <title>zrok</title>
     <style>
         body {
             margin: 0;
-            padding: 25;
             font-family: 'JetBrains Mono', Consolas, 'Courier New', monospace;
             -webkit-font-smoothing: antialiased;
             -moz-osx-font-smoothing: grayscale;
-			justify-content: center;
-			display: flex;
         }
-        h1, h2, h3, h4, h5, h6 {
+        h1, h2 {
             font-family: 'Russo One', sans-serif;
         }
-        table {
-            table-layout: fixed;
-            width: 100%;
-        }
-        td {
-            vertical-align: top;
-        }
-        td:last-child {
-            width: 80%;
-            overflow: clip;
-        }
-        td:first-child {
-            width: 20%;
-            overflow: auto;
-        }
         button {
             color: purple;
         }
@@ -70,147 +53,198 @@
         button:hover {
             color: #9BF316;
         }
-        #banner {
-            padding: 25px;
-        }
-        #info, #info2 {
-            width: 920px;
-            padding: 35px;
-			margin: 25px;
-			border: 1px solid gray;
+		.info {
+			border: 1px solid #231069;
 			border-radius: 10px;
-			text-align: left;
-        }
+			padding: 30px;
+		}
+		.container {
+			width: 90%;
+			margin-left: auto;
+			margin-right: auto;
+		}
+		.row {
+			position: relative;
+			width: 100%;
+		}
+		.row [class^="col"] {
+			float: left;
+			margin: 0.5rem 2%;
+			min-height: 0.125rem;
+		}
+		.col {
+			width: 96%;
+		}
+		.row::after {
+			content: "";
+			display: table;
+			clear: both;
+		}
+		@media only screen and (min-width: 33.75em) {  /* 540px */
+			.container {
+				width: 80%;
+			}
+		}
+		@media only screen and (min-width: 45em) {  /* 720px */
+			.col {
+				margin-top: 25px;
+				width: 96%;
+			}
+		}
+		@media only screen and (min-width: 60em) { /* 960px */
+			.container {
+				width: 75%;
+				max-width: 60rem;
+			}
+		}
 		#hostname {
 			color: red;
 		}
+		#root, #zrok {
+			margin-top: 25px;
+		}
     </style>
 </head>
 <body>
-<div id="root">
-    <div id="banner">
-        <svg width="25%" height="25%" viewBox="0 0 100 30" xml:space="default" style="clip-rule:evenodd;fill-rule:evenodd;stroke-miterlimit:10" id="svg48" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
-					<defs id="defs48" /><namedview id="namedview48" pagecolor="#ffffff" bordercolor="#000000" borderopacity="0.25"/>
-            <g transform="matrix(0.0639619,0,0,0.0388212,-1.65041,-1.44321)" id="g1">
-						<path d="m 1589.31,230.468 c 0,-106.573 -52.51,-193.096 -117.2,-193.096 H 143.033 c -64.683,0 -117.198,86.523 -117.198,193.096 v 386.191 c 0,106.573 52.515,193.096 117.198,193.096 H 1472.11 c 64.69,0 117.2,-86.523 117.2,-193.096 z" style="fill:#170549" id="path1" />
-					</g>
-            <g transform="matrix(-0.0296355,-0.233707,-0.233707,0.0296355,76.730746,23.501948)" id="g15">
-						<path d="m -30.685,-47.339 c 0.924,3.31 1.524,5.653 1.574,6.05 0.401,2.368 -0.97,54.354 -1.574,56.749 -0.171,1.029 -1.342,5.311 -2.995,10.56 -11.859,-21.982 -11.292,-51.69 2.995,-73.359" style="fill:#a3a3a3" id="path14" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,89.174746,26.961548)" id="g23">
-						<path d="m 0,-51.2 19.7,-3 c 5.6,-0.9 10.9,2.8 11.9,8.4 l 2.7,17.7 C 29.9,-18.1 23.6,-9 16,-1.3 10.9,3.9 15.9,-1.6 10,2.1 L 1,-39.8 C 0.1,-45.3 -5.7,-50.3 0,-51.2" style="fill:#b3b3b3" id="path22" />
-					</g>
-            <g transform="matrix(-0.160445,0.172496,0.172496,0.160445,96.828546,10.865078)" id="g24">
-						<path d="m 61.55,-141.309 c -46.795,1.269 -84.666,39.929 -84.684,86.346 -0.018,46.417 37.889,83.042 84.684,81.772 46.795,-1.269 84.666,-39.929 84.684,-86.346 0.018,-46.417 -37.889,-83.042 -84.684,-81.772" id="path23" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,56.099446,11.884458)" id="g25">
-						<path d="M 0,34.1 8.7,32.5 C 4.8,21.8 3.2,10.4 4,-0.9 V -1.1 L -6.1,0.7 c -5.4,0.9 -9.2,6.1 -8.3,11.6 l 2.5,13.8 c 1.1,5.5 6.5,9.1 11.9,8" style="fill:#ffffff" id="path24" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,99.257546,5.2882484)" id="g26">
-						<path d="m 0,33.4 -8.8,1.1 C -8.3,23.1 -10.2,11.8 -14.4,1.2 V 1 L -4.2,-0.3 C 1.3,-1.1 6.4,2.8 7.2,8.3 L 9,22.2 C 9.5,27.8 5.5,32.8 0,33.4" style="fill:#ffffff" id="path25" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,76.712646,31.343248)" id="g27">
-						<path d="m 0,-161.7 c -22,0.5 -42.9,9.5 -58.3,25.2 -15.3,15.3 -23.7,36.2 -23.3,57.8 0.4,21.5 9.6,42 25.5,56.5 C -40,-7.3 -18.7,0.7 3.2,0 25.2,-0.5 46.1,-9.5 61.5,-25.2 76.7,-40.6 85.1,-61.4 84.8,-83 84.4,-104.5 75.2,-125 59.4,-139.6 43.2,-154.4 21.9,-162.4 0,-161.7 m -61.7,22.1 c 16.3,-16.6 38.4,-26.2 61.6,-26.8 23.2,-0.7 45.7,7.7 62.7,23.4 16.8,15.4 26.5,37 26.9,59.8 C 89.9,-60.3 81,-38.3 64.9,-22 48.6,-5.4 26.5,4.1 3.3,4.7 -19.8,5.4 -42.3,-3 -59.3,-18.7 c -16.8,-15.4 -26.5,-37.1 -26.9,-59.8 -0.5,-22.9 8.4,-44.9 24.5,-61.1" style="fill-rule:nonzero" id="path26" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,56.099446,11.790228)" id="g28">
-						<path d="M 0,34.5 8.7,32.9 C 4.8,22.2 3.2,10.8 4,-0.5 v -0.2 l -7.7,1.4 c 0.1,9.2 0.2,17.8 2.8,27.3 l -8.8,1.6 c -0.4,0 -0.7,0.3 -0.8,0.7 2.5,3.2 6.5,4.9 10.5,4.2" style="fill:#a3a3a3" id="path27" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,99.257546,5.5473884)" id="g29">
-						<path d="m 0,32.3 -8.8,1.1 C -8.3,22 -10.2,10.7 -14.4,0.1 v -0.2 l 7.7,-1 c 2.7,8.8 5.2,17 5.6,26.8 L 7.7,24.6 C 8.1,24.5 8.5,24.7 8.7,25 7.4,29 4,31.8 0,32.3" style="fill:#a3a3a3" id="path28" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,57.418746,12.449848)" id="g30">
-						<path d="m 0,28.3 -6,1.1 c -2,0.4 -4.2,-0.1 -5.9,-1.2 -1.7,-1.1 -2.9,-2.9 -3.3,-4.9 L -17.6,9.5 c -0.4,-2 0.1,-4.1 1.3,-5.7 1.2,-1.7 3,-2.8 5.1,-3.2 L -4,-0.7 c -0.4,9.8 1,19.6 4,29 M -5.2,34 3.6,32.4 6.4,31.9 5.5,29.3 C 1.7,18.9 0.1,7.9 0.9,-3.2 V -3.5 L 0.8,-4 0.4,-6.3 -2,-5.9 -12.1,-4.1 c -3.3,0.6 -6.2,2.4 -8.2,5.1 -1.9,2.7 -2.7,6 -2.1,9.2 l 2.5,13.8 c 0.6,3.2 2.5,6.1 5.2,7.9 2.9,2 6.2,2.7 9.5,2.1" style="fill-rule:nonzero" id="path29" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,97.749846,5.8536384)" id="g31">
-						<path d="m 0,29.5 6.1,-0.8 c 2.1,-0.3 3.9,-1.3 5.2,-3 1.3,-1.6 1.9,-3.6 1.6,-5.7 L 11.1,6.1 C 10.8,4.1 9.8,2.2 8.1,1 6.4,-0.2 4.4,-0.8 2.3,-0.5 L -5,0.4 c 1.7,4.6 2.9,9.4 3.7,14.2 0.9,5.1 1.3,10 1.3,14.9 m 6.6,3.8 -8.8,1.1 -2.8,0.4 0.1,-2.7 C -4.4,21.1 -6.3,10 -10.4,-0.2 l -0.1,-0.3 -0.1,-0.5 -0.3,-2.3 2.4,-0.3 10.2,-1.3 c 3.3,-0.4 6.7,0.4 9.3,2.4 2.6,2 4.4,4.9 4.8,8.1 l 1.8,13.9 c 0.4,3.3 -0.5,6.6 -2.6,9.1 -2,2.6 -5,4.3 -8.4,4.7" style="fill-rule:nonzero" id="path30" />
-					</g>
-            <g transform="matrix(-0.094487,-0.2158,-0.2158,0.094487,60.008346,10.163168)" id="g32">
-						<path d="m -68.968,-142.292 c -20.852,8.475 -37.24,25.148 -45.56,46.039 -17.44,43.442 2.976,93.561 45.56,112.032 9.157,3.96 18.932,6.339 28.941,6.76 -61.01,-17.172 -106.83,-100.38 -28.941,-164.831" style="fill:#ffffff" id="path31" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,95.346946,21.496048)" id="g33">
-						<path d="m 0,-10.4 c 1.7,-4.2 3,-8.6 3.9,-13 -7.8,18.2 -18.4,31.7 -30.5,41.1 -11,8.6 -23.9,14.3 -37.7,16.6 -13.2,2.2 -26.8,1.5 -39.8,-2 -13.1,-3.4 -25.4,-9.4 -36.2,-17.6 1.5,1.7 3.2,3.4 4.9,5 16.1,14.9 37.4,22.8 59.3,22.1 22,-0.5 42.9,-9.5 58.3,-25.2 C -10,9 -4,-0.2 0,-10.4 m 10.4,-31.7 c 0.3,11.4 -1.7,22.7 -5.9,33.3 -4.3,10.7 -10.6,20.4 -18.7,28.5 -16.3,16.6 -38.4,26.1 -61.6,26.7 -23.1,0.7 -45.6,-7.7 -62.6,-23.4 -3.8,-3.5 -7.3,-7.3 -10.4,-11.4 -3.1,-4.1 -5.7,-8.4 -8,-13 l -5.1,-13.9 9.1,11.4 c 13,15.5 30.6,26.6 50.2,31.7 12.3,3.3 25.1,4 37.7,1.9 12.9,-2.1 25.1,-7.5 35.5,-15.6 15.1,-11.8 27.6,-30.2 35.2,-56.7 l 2.7,-14.9 z" style="fill-rule:nonzero" id="path32" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,62.507246,12.284948)" id="g34">
-						<path d="m 0,-59 c 32.8,-33.4 87,-34.8 121,-3.2 16.1,14.8 25.6,35.6 26.2,57.4 -12.8,-31.9 -30.4,-46.9 -51.7,-54.1 -33.2,-11.2 -64.8,-8.3 -93,24.3 -20.7,23.7 -19.6,48.4 -18,69.4 C -30.5,4.5 -25.5,-33.1 0,-59" style="fill:#ffffff" id="path33" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,76.665546,22.037948)" id="g35">
-						<path d="m 0,-124.1 c -22,0.5 -42.9,9.5 -58.3,25.2 -11.7,11.8 -19.5,27 -22.2,43.4 -1.9,11.4 -1.3,23 1.8,34.1 -0.1,-6.4 0.4,-12.9 1.4,-19.2 2.4,-13.7 8.5,-26.5 17.8,-36.9 14.5,-16.7 29.9,-25.9 46,-29.4 16.1,-3.5 32.7,-1.4 49.7,4.4 11.3,3.7 21.6,10 30,18.4 6.7,6.8 12.3,14.6 16.7,23.1 C 81.7,-66.3 80,-71.5 77.7,-76.5 73.3,-86.1 67.1,-94.7 59.3,-101.9 43.1,-116.8 21.9,-124.8 0,-124.1 m -61.8,22.1 c 16.3,-16.6 38.4,-26.2 61.7,-26.8 23.1,-0.7 45.6,7.7 62.6,23.4 8.2,7.6 14.8,16.7 19.4,26.9 4.6,10.1 7.1,21.1 7.4,32.2 l -0.2,13.2 -4.3,-12.2 C 78.5,-61 71.1,-72.4 62.7,-80.8 54.8,-88.7 45.1,-94.6 34.5,-98.1 c -16.2,-5.5 -32,-7.5 -47.1,-4.2 -15.1,3.3 -29.5,11.9 -43.3,27.8 -8.7,9.8 -14.5,21.8 -16.7,34.6 -2.1,11.5 -1.4,22.8 -0.6,33.1 l 0.9,12.2 -5.4,-11.1 c -7.7,-15.7 -10.4,-33.4 -7.5,-50.7 2.8,-17.1 11,-33.2 23.4,-45.6" style="fill-rule:nonzero" id="path34" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,97.043046,0.69445839)" id="g36">
-						<path d="m 0,37.2 c 0.3,2.4 0.5,4.8 0.5,7.3 -12.8,-31.9 -30.4,-46.9 -51.7,-54.1 -33.2,-11.2 -75.4,-3.5 -98,26.7 -6.8,9 -18.6,29.7 -15.7,54.2 -7.6,-24.3 -1.1,-48.6 20.4,-70.4 32.7,-33.5 86.8,-35 120.8,-3.3 C -12.1,8.2 -3.9,22 0,37.2" style="fill:#e6e6e6" id="path35" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,92.166646,14.028248)" id="g37">
-						<path d="m 0,-49.8 c 6.3,6.4 11.6,13.6 15.8,21.4 -1.6,-4 -3.5,-7.9 -5.7,-11.5 -3.9,-6.6 -8.8,-12.5 -14.4,-17.8 -16.2,-14.9 -37.5,-22.9 -59.5,-22.3 -22.2,0.6 -43.2,9.7 -58.7,25.5 -10.4,10.6 -17.2,21.7 -20.5,33.2 -1.4,4.9 -2.2,9.9 -2.3,15 0.5,-2.5 1,-4.8 1.7,-7.1 2.9,-9.8 7.5,-19.1 13.5,-27.3 11.1,-14.9 26.7,-24.4 43.8,-29.1 18.6,-5 38.2,-4.4 56.4,1.7 11.3,3.7 21.5,10 29.9,18.3 m 22.6,30.1 c 0.2,1.3 0.3,2.6 0.4,3.7 0.1,1.2 0.1,2.5 0.2,3.7 l 0.3,10.9 -4.1,-10.2 C 13.1,-27.3 5.6,-38.8 -2.8,-47.3 c -7.9,-7.9 -17.7,-13.9 -28.3,-17.4 -17.5,-5.8 -36.3,-6.4 -54.1,-1.6 -16.3,4.4 -31.2,13.5 -41.7,27.6 -5.8,7.9 -10.2,16.7 -13,26.1 -2.6,8.7 -3.4,17.8 -2.4,26.8 l 2.4,20.4 -6.2,-19.4 c -4,-12.2 -4.2,-25.2 -0.7,-37.5 3.5,-12 10.5,-23.7 21.4,-34.7 l 0.1,-0.1 c 16.2,-16.5 38.3,-26 61.4,-26.6 23,-0.7 45.3,7.6 62.2,23.2 l 0.1,0.1 c 5.9,5.4 10.9,11.7 15.1,18.6 4.1,6.8 7.2,14.2 9.1,21.9 z" style="fill-rule:nonzero" id="path36" />
-					</g>
-            <g transform="matrix(0.131129,0.19571,0.19571,-0.131129,60.042246,4.7938284)" id="g38">
-						<path d="m 32.805,-16.969 c 0,0 -31.438,29.611 -14.637,74.808 1.315,4.657 15.792,4.346 14.637,-2.946 -1.154,-7.292 -9.456,-35.313 13.492,-66.457 1.659,-2.195 -8.429,-10.963 -13.492,-5.405" style="fill:#e6e6e6" id="path37" />
-					</g>
-            <g transform="matrix(0.235579,0,0,0.235579,52.094646,-8.3046516)" id="g45">
-						<g opacity="0.25" id="g44">
-							<g transform="matrix(-1,0,0,1,141,101.8)" id="g39">
-								<path d="m 0,-36.8 c -10.162,0 -18.4,8.238 -18.4,18.4 C -18.4,-8.238 -10.162,0 0,0 10.162,0 18.4,-8.238 18.4,-18.4 18.4,-28.562 10.162,-36.8 0,-36.8" style="fill:#fefcf9;fill-rule:nonzero" id="path38" />
-							</g>
-                            <g transform="matrix(-1,0,0,1,143.3,88.2)" id="g40">
-								<path d="m 0,-14.2 c -3.921,0 -7.1,3.179 -7.1,7.1 0,3.921 3.179,7.1 7.1,7.1 3.921,0 7.1,-3.179 7.1,-7.1 0,-3.921 -3.179,-7.1 -7.1,-7.1" style="fill-rule:nonzero" id="path39" />
-							</g>
-                            <g transform="matrix(-1,0,0,1,71.8,112.5)" id="g41">
-								<path d="m 0,-36.8 c -10.162,0 -18.4,8.238 -18.4,18.4 C -18.4,-8.238 -10.162,0 0,0 10.162,0 18.4,-8.238 18.4,-18.4 18.4,-28.562 10.162,-36.8 0,-36.8" style="fill:#fefcf9;fill-rule:nonzero" id="path40" />
-							</g>
-                            <g transform="translate(116.1,122.6)" id="g42">
-								<path d="m 0,17.4 c -11.8,1.8 -23.8,-0.3 -34.3,-5.8 -0.9,-0.5 -1.3,-1.6 -0.8,-2.5 0.5,-0.9 1.6,-1.3 2.5,-0.8 20.1,10.8 44.9,7 60.7,-9.4 0.7,-0.7 1.9,-0.7 2.6,0 0.7,0.7 0.7,1.9 0,2.6 -7.9,8 -18,13.4 -29,15.6 -0.5,0 -1.1,0.2 -1.7,0.3 z" style="fill:none;fill-rule:nonzero;stroke:#ffffff;stroke-width:16.98px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4" id="path41" />
-							</g>
-                            <g transform="matrix(-1,0,0,1,76.2,97.8)" id="g43">
-								<path d="m 0,-14.2 c -3.921,0 -7.1,3.179 -7.1,7.1 0,3.921 3.179,7.1 7.1,7.1 3.921,0 7.1,-3.179 7.1,-7.1 0,-3.921 -3.179,-7.1 -7.1,-7.1" style="fill-rule:nonzero" id="path42" />
+	<script>
+		function onClick() {
+			let e=new Date; e.setTime(e.getTime()+6048e5);
+			document.cookie = 'zrok_interstitial = 1; expires=${e}; path=/; SameSite=None';
+			window.location.reload();
+		}
+	</script>
+	<div id="root">
+		<div class="container">
+			<div class="row">
+				<div id="warning" class="col info">
+					<h1>You are about to visit a zrok share located at:</h1>
+					<h2 id="hostname"></h2>
+
+					<ul>
+						<li>This share is made available for free through <a href="https://zrok.io/" target="_">zrok</a>.</li>
+						<li>You should only visit this share if you trust whoever sent you the link.</li>
+						<li><strong>Be careful about disclosing any personal or financial information like passwords, phone numbers, or credit cards.</strong></li>
+					</ul>
+
+					<button onClick="onClick()">Visit Share</button>
+				</div>
+			</div>
+			<div class="row">
+				<div class="col">
+					<h2>Non-interactive clients:</h2>
+					<ul>
+						<li>This warning can be bypassed by setting the <strong>skip_zrok_interstitial</strong> HTTP
+							header with any value set.</li>
+					</ul>
+				</div>
+			</div>
+			<div class="row">
+				<div class="col info">
+					<h1>Are you the owner of this zrok share?</h1>
+					<p>
+						We display this page to prevent abuse of zrok shares. Visitors to your share will only see it once.
+					</p>
+
+					<h2>To remove this page:</h2>
+					<ul>
+						<li>If you are using the global zrok service at zrok.io, you can upgrade to any paid account to have this
+							page removed.</li>
+						<li>If you are using a zrok instance hosted elsewhere, contact the administrator of your instance for
+							options to have this page removed.</li>
+						<li>If you are operating a self-hosted zrok instance, see the
+							<a href="https://docs.zrok.io/" target="_">documentation</a> for configuration options
+							to remove the interstitial page.</li>
+					</ul>
+				</div>
+			</div>
+			<div class="row">
+				<div id="zrok" class="col">
+					<a href="https://zrok.io/" target="_"><svg width="25%" height="25%" viewBox="0 0 100 30" xml:space="default" style="clip-rule:evenodd;fill-rule:evenodd;stroke-miterlimit:10" id="svg48" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
+						<defs id="defs48" /><namedview id="namedview48" pagecolor="#ffffff" bordercolor="#000000" borderopacity="0.25"/>
+						<g transform="matrix(0.0639619,0,0,0.0388212,-1.65041,-1.44321)" id="g1">
+							<path d="m 1589.31,230.468 c 0,-106.573 -52.51,-193.096 -117.2,-193.096 H 143.033 c -64.683,0 -117.198,86.523 -117.198,193.096 v 386.191 c 0,106.573 52.515,193.096 117.198,193.096 H 1472.11 c 64.69,0 117.2,-86.523 117.2,-193.096 z" style="fill:#170549" id="path1" />
+						</g>
+						<g transform="matrix(-0.0296355,-0.233707,-0.233707,0.0296355,76.730746,23.501948)" id="g15">
+							<path d="m -30.685,-47.339 c 0.924,3.31 1.524,5.653 1.574,6.05 0.401,2.368 -0.97,54.354 -1.574,56.749 -0.171,1.029 -1.342,5.311 -2.995,10.56 -11.859,-21.982 -11.292,-51.69 2.995,-73.359" style="fill:#a3a3a3" id="path14" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,89.174746,26.961548)" id="g23">
+							<path d="m 0,-51.2 19.7,-3 c 5.6,-0.9 10.9,2.8 11.9,8.4 l 2.7,17.7 C 29.9,-18.1 23.6,-9 16,-1.3 10.9,3.9 15.9,-1.6 10,2.1 L 1,-39.8 C 0.1,-45.3 -5.7,-50.3 0,-51.2" style="fill:#b3b3b3" id="path22" />
+						</g>
+						<g transform="matrix(-0.160445,0.172496,0.172496,0.160445,96.828546,10.865078)" id="g24">
+							<path d="m 61.55,-141.309 c -46.795,1.269 -84.666,39.929 -84.684,86.346 -0.018,46.417 37.889,83.042 84.684,81.772 46.795,-1.269 84.666,-39.929 84.684,-86.346 0.018,-46.417 -37.889,-83.042 -84.684,-81.772" id="path23" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,56.099446,11.884458)" id="g25">
+							<path d="M 0,34.1 8.7,32.5 C 4.8,21.8 3.2,10.4 4,-0.9 V -1.1 L -6.1,0.7 c -5.4,0.9 -9.2,6.1 -8.3,11.6 l 2.5,13.8 c 1.1,5.5 6.5,9.1 11.9,8" style="fill:#ffffff" id="path24" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,99.257546,5.2882484)" id="g26">
+							<path d="m 0,33.4 -8.8,1.1 C -8.3,23.1 -10.2,11.8 -14.4,1.2 V 1 L -4.2,-0.3 C 1.3,-1.1 6.4,2.8 7.2,8.3 L 9,22.2 C 9.5,27.8 5.5,32.8 0,33.4" style="fill:#ffffff" id="path25" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,76.712646,31.343248)" id="g27">
+							<path d="m 0,-161.7 c -22,0.5 -42.9,9.5 -58.3,25.2 -15.3,15.3 -23.7,36.2 -23.3,57.8 0.4,21.5 9.6,42 25.5,56.5 C -40,-7.3 -18.7,0.7 3.2,0 25.2,-0.5 46.1,-9.5 61.5,-25.2 76.7,-40.6 85.1,-61.4 84.8,-83 84.4,-104.5 75.2,-125 59.4,-139.6 43.2,-154.4 21.9,-162.4 0,-161.7 m -61.7,22.1 c 16.3,-16.6 38.4,-26.2 61.6,-26.8 23.2,-0.7 45.7,7.7 62.7,23.4 16.8,15.4 26.5,37 26.9,59.8 C 89.9,-60.3 81,-38.3 64.9,-22 48.6,-5.4 26.5,4.1 3.3,4.7 -19.8,5.4 -42.3,-3 -59.3,-18.7 c -16.8,-15.4 -26.5,-37.1 -26.9,-59.8 -0.5,-22.9 8.4,-44.9 24.5,-61.1" style="fill-rule:nonzero" id="path26" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,56.099446,11.790228)" id="g28">
+							<path d="M 0,34.5 8.7,32.9 C 4.8,22.2 3.2,10.8 4,-0.5 v -0.2 l -7.7,1.4 c 0.1,9.2 0.2,17.8 2.8,27.3 l -8.8,1.6 c -0.4,0 -0.7,0.3 -0.8,0.7 2.5,3.2 6.5,4.9 10.5,4.2" style="fill:#a3a3a3" id="path27" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,99.257546,5.5473884)" id="g29">
+							<path d="m 0,32.3 -8.8,1.1 C -8.3,22 -10.2,10.7 -14.4,0.1 v -0.2 l 7.7,-1 c 2.7,8.8 5.2,17 5.6,26.8 L 7.7,24.6 C 8.1,24.5 8.5,24.7 8.7,25 7.4,29 4,31.8 0,32.3" style="fill:#a3a3a3" id="path28" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,57.418746,12.449848)" id="g30">
+							<path d="m 0,28.3 -6,1.1 c -2,0.4 -4.2,-0.1 -5.9,-1.2 -1.7,-1.1 -2.9,-2.9 -3.3,-4.9 L -17.6,9.5 c -0.4,-2 0.1,-4.1 1.3,-5.7 1.2,-1.7 3,-2.8 5.1,-3.2 L -4,-0.7 c -0.4,9.8 1,19.6 4,29 M -5.2,34 3.6,32.4 6.4,31.9 5.5,29.3 C 1.7,18.9 0.1,7.9 0.9,-3.2 V -3.5 L 0.8,-4 0.4,-6.3 -2,-5.9 -12.1,-4.1 c -3.3,0.6 -6.2,2.4 -8.2,5.1 -1.9,2.7 -2.7,6 -2.1,9.2 l 2.5,13.8 c 0.6,3.2 2.5,6.1 5.2,7.9 2.9,2 6.2,2.7 9.5,2.1" style="fill-rule:nonzero" id="path29" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,97.749846,5.8536384)" id="g31">
+							<path d="m 0,29.5 6.1,-0.8 c 2.1,-0.3 3.9,-1.3 5.2,-3 1.3,-1.6 1.9,-3.6 1.6,-5.7 L 11.1,6.1 C 10.8,4.1 9.8,2.2 8.1,1 6.4,-0.2 4.4,-0.8 2.3,-0.5 L -5,0.4 c 1.7,4.6 2.9,9.4 3.7,14.2 0.9,5.1 1.3,10 1.3,14.9 m 6.6,3.8 -8.8,1.1 -2.8,0.4 0.1,-2.7 C -4.4,21.1 -6.3,10 -10.4,-0.2 l -0.1,-0.3 -0.1,-0.5 -0.3,-2.3 2.4,-0.3 10.2,-1.3 c 3.3,-0.4 6.7,0.4 9.3,2.4 2.6,2 4.4,4.9 4.8,8.1 l 1.8,13.9 c 0.4,3.3 -0.5,6.6 -2.6,9.1 -2,2.6 -5,4.3 -8.4,4.7" style="fill-rule:nonzero" id="path30" />
+						</g>
+						<g transform="matrix(-0.094487,-0.2158,-0.2158,0.094487,60.008346,10.163168)" id="g32">
+							<path d="m -68.968,-142.292 c -20.852,8.475 -37.24,25.148 -45.56,46.039 -17.44,43.442 2.976,93.561 45.56,112.032 9.157,3.96 18.932,6.339 28.941,6.76 -61.01,-17.172 -106.83,-100.38 -28.941,-164.831" style="fill:#ffffff" id="path31" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,95.346946,21.496048)" id="g33">
+							<path d="m 0,-10.4 c 1.7,-4.2 3,-8.6 3.9,-13 -7.8,18.2 -18.4,31.7 -30.5,41.1 -11,8.6 -23.9,14.3 -37.7,16.6 -13.2,2.2 -26.8,1.5 -39.8,-2 -13.1,-3.4 -25.4,-9.4 -36.2,-17.6 1.5,1.7 3.2,3.4 4.9,5 16.1,14.9 37.4,22.8 59.3,22.1 22,-0.5 42.9,-9.5 58.3,-25.2 C -10,9 -4,-0.2 0,-10.4 m 10.4,-31.7 c 0.3,11.4 -1.7,22.7 -5.9,33.3 -4.3,10.7 -10.6,20.4 -18.7,28.5 -16.3,16.6 -38.4,26.1 -61.6,26.7 -23.1,0.7 -45.6,-7.7 -62.6,-23.4 -3.8,-3.5 -7.3,-7.3 -10.4,-11.4 -3.1,-4.1 -5.7,-8.4 -8,-13 l -5.1,-13.9 9.1,11.4 c 13,15.5 30.6,26.6 50.2,31.7 12.3,3.3 25.1,4 37.7,1.9 12.9,-2.1 25.1,-7.5 35.5,-15.6 15.1,-11.8 27.6,-30.2 35.2,-56.7 l 2.7,-14.9 z" style="fill-rule:nonzero" id="path32" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,62.507246,12.284948)" id="g34">
+							<path d="m 0,-59 c 32.8,-33.4 87,-34.8 121,-3.2 16.1,14.8 25.6,35.6 26.2,57.4 -12.8,-31.9 -30.4,-46.9 -51.7,-54.1 -33.2,-11.2 -64.8,-8.3 -93,24.3 -20.7,23.7 -19.6,48.4 -18,69.4 C -30.5,4.5 -25.5,-33.1 0,-59" style="fill:#ffffff" id="path33" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,76.665546,22.037948)" id="g35">
+							<path d="m 0,-124.1 c -22,0.5 -42.9,9.5 -58.3,25.2 -11.7,11.8 -19.5,27 -22.2,43.4 -1.9,11.4 -1.3,23 1.8,34.1 -0.1,-6.4 0.4,-12.9 1.4,-19.2 2.4,-13.7 8.5,-26.5 17.8,-36.9 14.5,-16.7 29.9,-25.9 46,-29.4 16.1,-3.5 32.7,-1.4 49.7,4.4 11.3,3.7 21.6,10 30,18.4 6.7,6.8 12.3,14.6 16.7,23.1 C 81.7,-66.3 80,-71.5 77.7,-76.5 73.3,-86.1 67.1,-94.7 59.3,-101.9 43.1,-116.8 21.9,-124.8 0,-124.1 m -61.8,22.1 c 16.3,-16.6 38.4,-26.2 61.7,-26.8 23.1,-0.7 45.6,7.7 62.6,23.4 8.2,7.6 14.8,16.7 19.4,26.9 4.6,10.1 7.1,21.1 7.4,32.2 l -0.2,13.2 -4.3,-12.2 C 78.5,-61 71.1,-72.4 62.7,-80.8 54.8,-88.7 45.1,-94.6 34.5,-98.1 c -16.2,-5.5 -32,-7.5 -47.1,-4.2 -15.1,3.3 -29.5,11.9 -43.3,27.8 -8.7,9.8 -14.5,21.8 -16.7,34.6 -2.1,11.5 -1.4,22.8 -0.6,33.1 l 0.9,12.2 -5.4,-11.1 c -7.7,-15.7 -10.4,-33.4 -7.5,-50.7 2.8,-17.1 11,-33.2 23.4,-45.6" style="fill-rule:nonzero" id="path34" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,97.043046,0.69445839)" id="g36">
+							<path d="m 0,37.2 c 0.3,2.4 0.5,4.8 0.5,7.3 -12.8,-31.9 -30.4,-46.9 -51.7,-54.1 -33.2,-11.2 -75.4,-3.5 -98,26.7 -6.8,9 -18.6,29.7 -15.7,54.2 -7.6,-24.3 -1.1,-48.6 20.4,-70.4 32.7,-33.5 86.8,-35 120.8,-3.3 C -12.1,8.2 -3.9,22 0,37.2" style="fill:#e6e6e6" id="path35" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,92.166646,14.028248)" id="g37">
+							<path d="m 0,-49.8 c 6.3,6.4 11.6,13.6 15.8,21.4 -1.6,-4 -3.5,-7.9 -5.7,-11.5 -3.9,-6.6 -8.8,-12.5 -14.4,-17.8 -16.2,-14.9 -37.5,-22.9 -59.5,-22.3 -22.2,0.6 -43.2,9.7 -58.7,25.5 -10.4,10.6 -17.2,21.7 -20.5,33.2 -1.4,4.9 -2.2,9.9 -2.3,15 0.5,-2.5 1,-4.8 1.7,-7.1 2.9,-9.8 7.5,-19.1 13.5,-27.3 11.1,-14.9 26.7,-24.4 43.8,-29.1 18.6,-5 38.2,-4.4 56.4,1.7 11.3,3.7 21.5,10 29.9,18.3 m 22.6,30.1 c 0.2,1.3 0.3,2.6 0.4,3.7 0.1,1.2 0.1,2.5 0.2,3.7 l 0.3,10.9 -4.1,-10.2 C 13.1,-27.3 5.6,-38.8 -2.8,-47.3 c -7.9,-7.9 -17.7,-13.9 -28.3,-17.4 -17.5,-5.8 -36.3,-6.4 -54.1,-1.6 -16.3,4.4 -31.2,13.5 -41.7,27.6 -5.8,7.9 -10.2,16.7 -13,26.1 -2.6,8.7 -3.4,17.8 -2.4,26.8 l 2.4,20.4 -6.2,-19.4 c -4,-12.2 -4.2,-25.2 -0.7,-37.5 3.5,-12 10.5,-23.7 21.4,-34.7 l 0.1,-0.1 c 16.2,-16.5 38.3,-26 61.4,-26.6 23,-0.7 45.3,7.6 62.2,23.2 l 0.1,0.1 c 5.9,5.4 10.9,11.7 15.1,18.6 4.1,6.8 7.2,14.2 9.1,21.9 z" style="fill-rule:nonzero" id="path36" />
+						</g>
+						<g transform="matrix(0.131129,0.19571,0.19571,-0.131129,60.042246,4.7938284)" id="g38">
+							<path d="m 32.805,-16.969 c 0,0 -31.438,29.611 -14.637,74.808 1.315,4.657 15.792,4.346 14.637,-2.946 -1.154,-7.292 -9.456,-35.313 13.492,-66.457 1.659,-2.195 -8.429,-10.963 -13.492,-5.405" style="fill:#e6e6e6" id="path37" />
+						</g>
+						<g transform="matrix(0.235579,0,0,0.235579,52.094646,-8.3046516)" id="g45">
+							<g opacity="0.25" id="g44">
+								<g transform="matrix(-1,0,0,1,141,101.8)" id="g39">
+									<path d="m 0,-36.8 c -10.162,0 -18.4,8.238 -18.4,18.4 C -18.4,-8.238 -10.162,0 0,0 10.162,0 18.4,-8.238 18.4,-18.4 18.4,-28.562 10.162,-36.8 0,-36.8" style="fill:#fefcf9;fill-rule:nonzero" id="path38" />
+								</g>
+								<g transform="matrix(-1,0,0,1,143.3,88.2)" id="g40">
+									<path d="m 0,-14.2 c -3.921,0 -7.1,3.179 -7.1,7.1 0,3.921 3.179,7.1 7.1,7.1 3.921,0 7.1,-3.179 7.1,-7.1 0,-3.921 -3.179,-7.1 -7.1,-7.1" style="fill-rule:nonzero" id="path39" />
+								</g>
+								<g transform="matrix(-1,0,0,1,71.8,112.5)" id="g41">
+									<path d="m 0,-36.8 c -10.162,0 -18.4,8.238 -18.4,18.4 C -18.4,-8.238 -10.162,0 0,0 10.162,0 18.4,-8.238 18.4,-18.4 18.4,-28.562 10.162,-36.8 0,-36.8" style="fill:#fefcf9;fill-rule:nonzero" id="path40" />
+								</g>
+								<g transform="translate(116.1,122.6)" id="g42">
+									<path d="m 0,17.4 c -11.8,1.8 -23.8,-0.3 -34.3,-5.8 -0.9,-0.5 -1.3,-1.6 -0.8,-2.5 0.5,-0.9 1.6,-1.3 2.5,-0.8 20.1,10.8 44.9,7 60.7,-9.4 0.7,-0.7 1.9,-0.7 2.6,0 0.7,0.7 0.7,1.9 0,2.6 -7.9,8 -18,13.4 -29,15.6 -0.5,0 -1.1,0.2 -1.7,0.3 z" style="fill:none;fill-rule:nonzero;stroke:#ffffff;stroke-width:16.98px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4" id="path41" />
+								</g>
+								<g transform="matrix(-1,0,0,1,76.2,97.8)" id="g43">
+									<path d="m 0,-14.2 c -3.921,0 -7.1,3.179 -7.1,7.1 0,3.921 3.179,7.1 7.1,7.1 3.921,0 7.1,-3.179 7.1,-7.1 0,-3.921 -3.179,-7.1 -7.1,-7.1" style="fill-rule:nonzero" id="path42" />
+								</g>
 							</g>
 						</g>
-					</g>
-            <g id="zrok" transform="matrix(0.02734414,0,0,0.02978162,2.3966205,5.6320267)">&#10;        <path d="M 508.489,211.308 300.982,391.439 h 207.507 v 93.53 H 134.977 v -93.53 L 342.483,211.308 H 134.977 v -93.53 h 373.512 z" style="fill:#7bf600;fill-rule:nonzero" id="path45" />
-                <path d="m 791.453,218.236 c -31.692,0 -64.39,6.928 -98.094,20.784 V 484.969 H 561.309 V 117.778 h 116.958 l 7.546,45.033 C 729.075,128.17 774.349,110.85 821.636,110.85 h 33.955 v 107.386 z" style="fill:#7bf600;fill-rule:nonzero" id="path46" />
-                <path d="m 1300.79,381.047 c 0,34.64 -10.69,61.776 -32.07,81.405 -21.38,19.63 -50.93,29.445 -88.66,29.445 H 1006.5 c -37.723,0 -67.277,-9.815 -88.657,-29.445 -21.379,-19.629 -32.069,-46.765 -32.069,-81.405 V 221.7 c 0,-34.641 10.69,-61.776 32.069,-81.405 21.38,-19.63 50.934,-29.445 88.657,-29.445 h 173.56 c 37.73,0 67.28,9.815 88.66,29.445 21.38,19.629 32.07,46.764 32.07,81.405 z M 1168.74,232.092 c 0,-18.475 -10.06,-27.712 -30.18,-27.712 h -90.55 c -20.13,0 -30.19,9.237 -30.19,27.712 v 138.563 c 0,18.475 10.06,27.712 30.19,27.712 h 90.55 c 20.12,0 30.18,-9.237 30.18,-27.712 z" style="fill:#7bf600;fill-rule:nonzero" id="path47" />
-                <path d="M 1500.75,339.478 V 484.969 H 1368.7 V 0 h 132.05 v 245.948 h 60.37 l 83,-128.17 h 139.59 l -113.18,176.667 113.18,190.524 h -139.59 l -86.78,-145.491 z" style="fill:#7bf600;fill-rule:nonzero" id="path48" />
-            </g>
-        </svg>
-    </div>
-    <script>
-        function onClick() {
-			let e=new Date; e.setTime(e.getTime()+6048e5);
-            document.cookie = 'zrok_interstitial = true; expires=${e}; path=/; SameSite=None';
-            window.location.reload();
-        }
-    </script>
-    <div id="container">
-        <div id="info">
-            <h1>You are about to visit a zrok share served at:</h1>
-			<h2 id="hostname"></h2>
-
-			<ul>
-				<li>This share is made available for free through zrok.</li>
-				<li>You should only visit this shared website if you trust whoever sent you the link.</li>
-				<li>Be careful about disclosing any personal or financial information like passwords, phone numbers, or credit cards.</li>
-			</ul>
-
-            <button onClick="onClick()">Visit Share</button>
-        </div>
-		<div id="info2">
-			<h1>Are you the owner of this zrok share?</h1>
-			<p>
-				We display this page to prevent abuse of zrok shares. Visitors to your share will only see it once.
-			</p>
-
-			<h2>To remove this page:</h2>
-			<ul>
-				<li>If you are using the global zrok service at zrok.io, you can upgrade to any paid account to have this
-					page removed.</li>
-				<li>If you are using a zrok instance hosted elsewhere, contact the administrator of your instance for
-					options to have this page removed.</li>
-				<li>If you are operating a self-hosted zrok instance, see the documentation for configuration options
-					to remove the interstitial page.</li>
-			</ul>
+						<g id="zrok" transform="matrix(0.02734414,0,0,0.02978162,2.3966205,5.6320267)">&#10;        <path d="M 508.489,211.308 300.982,391.439 h 207.507 v 93.53 H 134.977 v -93.53 L 342.483,211.308 H 134.977 v -93.53 h 373.512 z" style="fill:#7bf600;fill-rule:nonzero" id="path45" />
+							<path d="m 791.453,218.236 c -31.692,0 -64.39,6.928 -98.094,20.784 V 484.969 H 561.309 V 117.778 h 116.958 l 7.546,45.033 C 729.075,128.17 774.349,110.85 821.636,110.85 h 33.955 v 107.386 z" style="fill:#7bf600;fill-rule:nonzero" id="path46" />
+							<path d="m 1300.79,381.047 c 0,34.64 -10.69,61.776 -32.07,81.405 -21.38,19.63 -50.93,29.445 -88.66,29.445 H 1006.5 c -37.723,0 -67.277,-9.815 -88.657,-29.445 -21.379,-19.629 -32.069,-46.765 -32.069,-81.405 V 221.7 c 0,-34.641 10.69,-61.776 32.069,-81.405 21.38,-19.63 50.934,-29.445 88.657,-29.445 h 173.56 c 37.73,0 67.28,9.815 88.66,29.445 21.38,19.629 32.07,46.764 32.07,81.405 z M 1168.74,232.092 c 0,-18.475 -10.06,-27.712 -30.18,-27.712 h -90.55 c -20.13,0 -30.19,9.237 -30.19,27.712 v 138.563 c 0,18.475 10.06,27.712 30.19,27.712 h 90.55 c 20.12,0 30.18,-9.237 30.18,-27.712 z" style="fill:#7bf600;fill-rule:nonzero" id="path47" />
+							<path d="M 1500.75,339.478 V 484.969 H 1368.7 V 0 h 132.05 v 245.948 h 60.37 l 83,-128.17 h 139.59 l -113.18,176.667 113.18,190.524 h -139.59 l -86.78,-145.491 z" style="fill:#7bf600;fill-rule:nonzero" id="path48" />
+						</g>
+					</svg></a>
+				</div>
+			</div>
 		</div>
-    </div>
-</div>
-</body>
-<script>
-	document.getElementById("hostname").innerText = document.location.host;
-</script>
+	</body>
+	<script>
+		document.getElementById("hostname").innerText = document.location.host;
+	</script>
 </html>
\ No newline at end of file

From e0b467fab0c20c866d81a6e7fea88cc8d1a4cec0 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 11:37:20 -0400
Subject: [PATCH 10/17] skip interstitial on drive shares (#704)

---
 controller/share.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/controller/share.go b/controller/share.go
index 21d018bc..b43088d1 100644
--- a/controller/share.go
+++ b/controller/share.go
@@ -133,10 +133,15 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 				logrus.Infof("added frontend selection '%v' with ziti identity '%v' for share '%v'", frontendSelection, sfe.ZId, shrToken)
 			}
 		}
-		skipInterstitial, err := str.IsAccountGrantedSkipInterstitial(int(principal.ID), trx)
-		if err != nil {
-			logrus.Errorf("error checking skip interstitial for account '%v': %v", principal.Email, err)
-			return share.NewShareInternalServerError()
+		var skipInterstitial bool
+		if backendMode != sdk.DriveBackendMode {
+			skipInterstitial, err = str.IsAccountGrantedSkipInterstitial(int(principal.ID), trx)
+			if err != nil {
+				logrus.Errorf("error checking skip interstitial for account '%v': %v", principal.Email, err)
+				return share.NewShareInternalServerError()
+			}
+		} else {
+			skipInterstitial = true
 		}
 		shrZId, frontendEndpoints, err = newPublicResourceAllocator().allocate(envZId, shrToken, frontendZIds, frontendTemplates, params, !skipInterstitial, edge)
 		if err != nil {

From 3e42d32a503ea82112ed1166f2e228eded6283a3 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 11:37:43 -0400
Subject: [PATCH 11/17] docs draft (#704)

---
 docs/guides/self-hosting/interstitial-page.md |  51 ++++++++++++++++++
 docs/images/zrok_interstitial_rendezvous.png  | Bin 0 -> 28840 bytes
 etc/frontend.yml                              |   5 ++
 3 files changed, 56 insertions(+)
 create mode 100644 docs/guides/self-hosting/interstitial-page.md
 create mode 100644 docs/images/zrok_interstitial_rendezvous.png

diff --git a/docs/guides/self-hosting/interstitial-page.md b/docs/guides/self-hosting/interstitial-page.md
new file mode 100644
index 00000000..fbad01e9
--- /dev/null
+++ b/docs/guides/self-hosting/interstitial-page.md
@@ -0,0 +1,51 @@
+---
+title: Interstitial Page Configuration
+sidebar_label: Interstitial Pages
+sidebar_position: 18
+---
+
+On large zrok installations that support open registration and shared public frontends, abuse can become an issue. In order to mitigate phishing and other similar forms of abuse, zrok offers an interstitial page that announces to the visiting user that the share is hosted through zrok, and probably isn't their financial institution.
+
+Interstitial pages can be enabled on a per-frontend basis, allowing the interstitial to be enabled on shared public frontends, but not private, closed frontends. The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it.
+
+By default, if you do not specifically enable interstitial pages, then your self-hosted service instance will not offer them.
+
+Let's take a look at how the interstitial pages mechanism works:
+
+![zrok_interstitial_rendezvous](../../images/zrok_interstitial_rendezvous.png)
+
+Every zrok share has a _config_ recorded in the underlying OpenZiti network. The config is of type `zrok.proxy.v1`. The frontend uses the information in this config to understand the disposition of the share. The config can contain an `interstitial: true` setting. If the config has this setting, and the frontend is configured to enable interstitial pages, then end users accessing the share will receive the interstitial page on first visit.
+
+By default the zrok controller will record `interstitial: true` in the share config _unless_ a row is present in the `skip_interstitial_grants` table in the underlying database. The `skip_interstitial_grants` table is a basic SQL structure that allows inserting a row per account. 
+
+```
+create table skip_interstitial_grants (
+    id          serial         primary key,
+
+    account_id  integer        references accounts (id) not null,
+
+    created_at  timestamptz    not null default(current_timestamp),
+    updated_at  timestamptz    not null default(current_timestamp),
+    deleted     boolean        not null default(false)
+);
+```
+
+If an account has a row present in this table when creating a share, then the controller will write `interstitial: false` into the config for the share, which will bypass the interstitial regardless of frontend configuration.
+
+The frontend config looks like this:
+
+```
+# Setting the `interstitial` setting to `true` will allow this frontend 
+# to offer interstitial pages if they are configured on the share by the 
+# controller.
+#
+#interstitial: true
+```
+
+Simply setting `interstitial: true` in the controller config will allow the configured frontend to offer interstitial pages.
+
+## Bypassing the Interstitial
+
+End users can offer an HTTP header of `skip_zrok_interstitial`, set to any value to bypass the interstitial page. Setting this header means that the user most likely understands what a zrok share is and will hopefully not fall for a phishing attack.
+
+This header is especially useful for API clients (like `curl`).
\ No newline at end of file
diff --git a/docs/images/zrok_interstitial_rendezvous.png b/docs/images/zrok_interstitial_rendezvous.png
new file mode 100644
index 0000000000000000000000000000000000000000..4830af0d22def81aff5281c0c9b2884462b78021
GIT binary patch
literal 28840
zcmeFZ2Rzq*+c%7U6(w7xvI&KZtnA3nE_?ggd+#mECOZn1Y!N9Vo1&DEJ(H5`J)h%?
z&VT>&I`8YepZk99>$#rS>v_HY=NaGe8OP@s@8f+OUw0MdB~P6=cLD<g<CL_NxH1L?
zmMaDZrUmvfxZ-Bv^&0-cbX1nSj#2pG!Ve4#l0v5&>Q2^fCgxUX40=wngP-U**vxDl
zo#;8m={Y!VSfP!a9BggiN4RcnYiw>}jy68H$HB&Nm4%Img@a3#or|7Rl${6pKQ>k_
zZcfdE=M7BJHirY<wDmBzvNE9Okl<ovgP|DJ+1cqiuftDr<~Gi5@UI&$w;uOZCiqFz
z&dv(0hBlNncS4@$<YDFHMqZJXQoSih&mjgsTbWy;;U7t~k)<v2im`)%E33IJJkD{I
zm7Db{ToN;Lu(gJVB-r5+8!I;_HxDZZ8xP$1Yf}=OY{)IRrea`X;9&m8bjW_uP6nn2
zdsUE-(KJ+7ag~rZmyo)y#)38%Gd|d(3);ca90as4uHTa*FFU#0p%1Paqg~96U?s>^
zM<WBP!^`XkR}5_(jL{B<?{gv7IB(FiiNdqUf1F~*<_4w?2G;P4jREXue;!4UEX(2h
z=7+~2E@!BLmNGQ6(BQktEz5UX^ahW|Kaci%Olvnu2Ln5^o3_SiD;U_=?O<4TcHYB5
zjolBf@bd8;tkTrs_dJJBAQx23J$~;67K?1p)Y;q^?RYra!6heKTPr7XyT4yFvbC`R
z&HCGe1`ZCku77{b#MbI?cZaju!N&jg5^_Q1Kgblhs%CENWOld<w!`Hi*QL<rre=pT
zbN{|!ZSecq!zUfh42*4E4_@ED^yi@*i1D{D9c*o3xIfP9&)dHrvUU?gTOqRkEylxn
zK;!=JzxxkiIQ+xD{&$9xl9$mlmN9g;cIT3HRMpT>aF$c~tz9k#R?deKKR8ZDC->h9
z3>$)Tg}c{5TKmdwWM%6N2X@`n%-jjBVrKwa&nfN-ss`80oUE<jw*#w3bOkKO3H@91
z4hFX~_-jY|oBYqk`j>De(O~ON4(>4Q;fNep4@GjQ$?SY!`pC4df9VAW-{CW6f9M1U
z*WpEjLtQle$Jog0|1$>$&m5ljf4+Xi<^Gde{L8a|dG`hO=UH%Dfzn+!u>}VUUgaN$
z!fo%2Xyg737RP=2L|h3wyB){{-0koCaLwf4c>cO3gLb;^U|??J2sdxq+JHCx>uGLN
zWK?q-CvbO8=1%4YaF#Ie!75<C2MalP>i1=1bC>_cwf%jZ!%Z65TG<}>$-kDx$;Hlz
z<^mt}*QNh5Vf@~vA^fl}9VZ7cmA^#tkL!P2`&VKD>FrDE_ok7f{_8+Fe%qFftrKEu
z|HiZo4U8;J9c-O#j1`=ntjui?14K;D*ucS30SwaI39$!=dJwTe9ro4g|EL{uUOn_y
zhjz%pbEwUK*dhCGH~gm^{^R0*A3NmycXs%{U{W3qwwA1R4z_OYtS%s_|A9gMlTLu&
zM9lFImug^TZi;{qBZvqHnz)X5S91uAqK7xE&5ex_$NeuAXkTIWaUCFz{~ER6{<~Um
z{tLC>{ukbv^S_;Q2CTVnMSnSG<Vb&?<R6wT2EN+C*2)Tw=dWY_<Nm=oe^~xsr-E4U
zzcKv(3R~v-E&bmymGeKwRQ7*$YP|pLPL20JoZ5d7|8K`@Vuf}SMX)Ix0@}v-@JDeY
zD+5PIb0fI;hZ+8LWQZX_Vr3<E7`2SiCI-&?G5cU5wDEsHvj6+o=MSIy8^!$TQh#4_
zKwB9&nY$pd0Ty#;i2usX{^#)JPn?TD8AV&b2N1jt5g6C+>3(~DwnNYVdnQL)X9pwn
z;ai9e{d;WnZ>GHZ&r|XoD(LSioeUgI(N6yhQ*uJq383yDIP*W3%;D4f*zVsw`9B8%
z57V$e;Q0T*%Sb@B?gVQ3|5YEu&VJ}C{=e^Ie(&UuL;EjtGH5q*C-r@#$B6_F<X4UT
zU#}kiCXQGs;-rvU;)t++|DuR?Fo$GnpOg3t4*Yw61*mo3pkXN3=D$p2_Fc_?ZV(3+
zj<}P5*xKK6w%->1|DIptM3#uStKWX@H+1>!Wd5J`YaIU^czOT(`n7%E_dno7etXfs
z$frM*VgK%Ly6fP^;R^^uc|enp4fZl(U{GO5i;Jqd>HbPPnslpsZ8y>BgjAqYqTdOu
z&a_S$o_j%zLm5F%iB8h8w2b6f$^lgLG>>TLhp6`UD&M@}|A0$8HRw6}ieY#~U@4rJ
zU)b`Y=WwNE_2PI_*qQ6Jm_$^+|Fc8+t1-@A7?X4fKuP%>{zrm&j~@^9$3p~g;W%HM
z4)yQXsNh26U%wF9{r^w=ACQN?Us&atE4r<-LzR=QF|>=H6@+s}aELG7|26QEADgq%
zkj_7rUiMvq)=N6y-EC3fxtguQs>OGgC2lvAz+q}j_|4HK@(udUYOZ*bDB8O&e^)Xe
zdR^9dk5sn$@zP}5ndJeDZ_M>|C;>gxJQ_n-AzdJbjMGFaUBLaqpruO$N~%^5wJx-H
zMq?_`vT04JwozxK#vA>szpTV##X>rfHEpT7gJLtj*7nWLMJ|i3Xw5Q<w|<yMwl&Y3
zWWXe{JB?Wr^<c6?WUcwcT$W#G<pVxPnZRSG9xFT)@?XXL>3Y`R|H$!oxwrDVtSDeI
zKNJmZ?V6Ht(7LNF4r<Zc_;p1?;8m}6yBy83+?Q2JQ79U^VuwkYA0uzxT;O*Je~c(B
zl{S_arM=yHs>q{Z$*1@D<-A+M$>KO&b}4Q$>#@8a_d6<nF!pug(XCLUdS)ztH_GIT
zv&9-^=AWNVi!(={+Nq-XU2QZ<jPHJZ7vB~>t$rLQ+V3Xzytgs2B;T`SlQ&Uvgs!~0
zy3Z7;HC{V0;VbZ(6>C;s?(OO?HW2HpbS>&meYYBefs-T-@{SWJO(8(F`%os+%)0#Q
zr?2*0OGx8)?Hr=hzl1sH%VXGx&7}M|G-suR0}RZPXmqPJ#m8POuiXoIqdAK5%G8In
zIQxm_S9QKKS;5#ZY)5n*zP3_>&`TBbdP#_={6z>yw-^<_Y7`~U(W*4+gq>!2tp41v
zv&!AkBM~J>&t}=f+*fKE)&79*bC-t(8El3N2R3u_O-05nlNw|*p+fAQt5&4`0TNgy
zM77?oEL!FF8$$3?HCTSqU=kHG!nrX|pFMN6t$i(qX}nN1N4dm$fcs2Eq|OT(%t+zO
z9>LZ${<Q?7Q=<A6r9FFuY?j-wc)O9a@{FIPs0dKJyI7)W&aue6OSP~)*}V31z9g<T
zWJ;{F*&6t9VT7eW>GaQIZ3`4f<Xz}fEN!N2N}~<I=O=yOr-4tL6NiDL{t!bLKYxyv
z;pNBt1xfp<uS$(IOjss@a*a2!==8mjS3$W3ukXJaCrP*^Vc)_of<;FV;HPm#&5*&r
z7(0n;mvNSN_ku!ge#qMesy<O7I}A)83f|hg+_M216H((IngfGwevyFN(pr{D_duDV
zQS0smQk(e$$eb<DzquhZMjn5Q7wdNf8}@=J|HA&v{$98#=&W9IBe(lC8&v5;u>9$2
zI|4;IO@~Y(guyv-wGgxYG;k1*a*0M=5b=9>9M3K@qEf$SJ*%R0fy&@>86n*6>^b)o
z1ddGy%R<Ep{p7aXRvNU==Sv4E#7&5n1k#OSz)tP_h^+^Y?(a0>I8JI|1aiB)hm8~`
zT7(KjOclMX@e<ikq|y5YRJ%vg1^ifYI?Us6K>kM_m`$+mOTtP(s@KUHx&5N-P7c@(
zmNYEO|8d9b_sHRJQ&=LdWuhgj?Pt*&n+e_ZH$Px^yK^{}5H058;W)hL&${^3M7^-*
zLe^=%Bq^dS=)0?(DG_nbX2>h)#jB>jOLCOlyC$k?;`Ft|eQBTd{lPl9)FGUxQEHOo
z6-6N!ds(gU*+|^Qo3RglcQqm}@X_4LRgJk)vwnSZ<tIa10*i|INfJh?I0l6TH9hZJ
z0b!NH)t+t7jarOXrn`ygWk`m8**hF7rMSqzX*?oT%LIovU&62<#9`}{ikyA>l6eIe
z_$4U_dkiYs^6{`iM$wnHBSLSJ*t3{*tJLq{Q?gdN{EFqZAII)ABy;I4HV_@R=|~rx
z9^rSLRh|5Jod}MJ#uZHUCo!mdqtN(P>l>rqeU;P`meAaM7k~K)3~f=4S8p}mc(=r6
z=vrTeeb&2y3VWlssXRqaKRR#hcz%9*volK)pQ|(^xzc^<n>5%sdTaGp>^0|Ush^HU
zSg;4467)mqS{p<GYg)kR?wRdt!^TMBSdZP#rt{l4hA3vu7g90_%sHK+gTIC<)lRc&
zKik#GxPCN8ttkDf?XdRFR;~XL<x-QI8xv8&_bVE#bhp<RCbJ*<#P&WnI$q4vQ_v5l
z@EX;N_#S*vx*);R>p~n;WbDX+CQo#*S>|ZHEPN~zFVh@x{>-v#C_nRCR`p^kvu}7<
z#ab_IrbkA6whESie3rx`zxKFs2z<A3b2u3yKY~eAu~tGJGJylRX&~sAE)7^j@$sW0
zlHUZF_pQQldqbI}S2iS&D9OHICbi{ySmhJh#CIPv#Ex!F8#djer}Ucl|JoWOR*c!>
z_y}u*8iRdcDj5@3@g=iH0q8tEe}@D(+8`<zIPo|N1{S2-A9%^@T;@|a<;w;kDn%3n
z&y7M-l1~abuFbvKJC>H<y)Yh3MQO4*4x1W(F_Xe&`Pir>a=MW@!Q3327aXwT;Q`mR
zAqQM#Z;99`XGeBElL%rkSY3j*WwGcU1%eSc)fy@{;Otuzt}FS;7w0hH@bXqte*rjh
zONIw{FJVd7A_{Uw>Po4N3U<;8TXHAa?dw={qr@Qc^`NL^Z@PU)u=Gi(-Nqa7Aw3Lr
zr(-d|l>Lmr2kko;|7DJ!+`)*YGo=~OgM$$w1anqcPwJDz+TSxJdDBb}gMLqgu{V(w
zHBK}#^|8aLP5lxd3VL4rlqH$?OeyOQBa7$ijKlW2{SgZSQF7S?=9oLD&Yx4JII%Do
z7ouJ!&;5rDJ=k{l`&l9pMZu!yy%N8@yEPYk)m%A8r?MQEj6+=K;bg)4WKKzt;nU0f
zg`2r5*^%3uKZ`hAX4F?$8-urOc=r7iChdFLSyr9bbc8tcgBoYRR*NjenfuZOJ&!d#
zSjml6OlF)7f7HqWYBD2Uo1bV&l|&W$=^p9j`xTy3X|AeCGL5Xho69*~dpm2oTsQ&j
z=y&%Q*G7CpS}FUs+RxapZEq|kUX-n}s5;7-jMzG^osaQ2-WgJ{q*Iha+JaVZc2-kg
zn17Zi)Tw-$DUVAbpbolvQ8J1m{^`wBneN<M=r4sj4jYT;WHy5U5+-GFhsk&JJhsEC
z_%q+$r=oW@S904K6w;+YyV2j;lczBokG52_u7gA!W(WDWCPG34bzVD_n18-#K2lTd
zVa9eO)YeUSZ`&~_pbJ9)^Gbbw2-7Gz`Uq^0hJLiGBQQ^`NG9c~x$4!dmm@y>p$$Wo
zuD6ym6IirzJAA|?G|R1$H$DBajv6n1eLKyuBYv0YZK9q}&hQyG$uhG~*F9FIpBN?=
z=~inxd~45P?Q5x&YTIHKuy_5|PPQ@MfFG|Oe&$MgIHj;|^#mTJQ2um#8vo1fjj4wa
zxXY!y&0A3WI&(xq5~O6W$8JVFJI{h02)?jJ`Hhb^pZ$2yxn2UpvojlulX1>Jd!(E0
zkshTspqia8X4R|FzG-edSfTVp44VU6<UV**#`tfkwl#!7SI)EP`=wwh#Lxs2#XO@N
zd)N8&=H*h8_pv8PFSXuhQn~-J(ryf^DGk%e??yBRPH!L*oJ-B!GD*^eeT4>d7v$?a
zvFGrD3aq-G#cXa<a$6<QNymx{ZGNZa>cg-PmOdiKDBw0P@}w>ZQ|{*$E-{$_OIyvx
zx75Xj7E0NlJq449!^@I5C7KGLk|p@$ncKvq*rh*IIT43O#ugwjj<<C_;7Vn}Wi|P4
z9S@5r&S95d4?e*}cpTGp>I1odoWa?Tf*#A!a>*QTE9Yu1gFtTYQF7WPeG0@l$vO+F
zzySD4c_dSRZFWdy<n{c#=nI2Q@{t$%>$jc0f23Zyd2(gswX^Jw@8bw^{&Mm1`&Jm~
zerF7N8c60NOEAG~V~Fggr!a?4CIySFznjkoWEab0tNWw#NtjGP_k}9Y;$O$-n5y^}
zr#gyuSNkoCa$JwsYaBb{sySk+&T@ifmd!GhOr&a0U{0o;0z#zn-R6L!Cv(@5Uk)VF
zIM*B{I`Bkx<&uL2nq;zB6b-SLSIfo>dI6Ujzm2`IQwXtv$ciFQ`N_SM%{%M$;p8<7
zwQO78HeBuOLylvXIx>DSA_xLiSEXTdv(jw;IyM3-6MyW~xo0=aDH@Jxd1;ONpEz<1
zGYnur@lniD-9nQFh?9Yuv&&V&^|_RJ+-`gO!H0~~)NPFlf0)5d&G^Fujh**Pwp9(+
z!}wX|IGIm{oOV^0uJ>eJ=bzf$*|Jc^I!^FOsQuivzI|tREIhL{0UaoOH9eU>l)d96
z@l4jw&)HGNt<j=!6<Wpm{zUe9w+lRSRw&p*uCjH!@m!lNFu@k&bX|7|vNeA2ic=q>
z7#n=}00G<2NegZQuW|<21i6~6S$-zK^@=O%Pd1i6D|D}thvo^mFJj~A))sFDy5gIB
zUk>Gu!VdrLeP_ovqlx??eQ|v262*xRjO)gC`exemI}kr^>Zi66%HNUBAIj4H*x<8y
zG6%ZL-rmay$MzduTYm4%W&^%3Hur~d%qAiJ_G9A%XA*p$qt2&SqzZbLKbB9^WOI(X
z#<msm!>#@6#x+OR`BBj_gERQnJ^32+TIE*LV$GLKz=_B2mXL$Gj1k){PGKepKIb`~
zjh4O7n1MGb+G}tU4^M_!=e6n`Jo4OOa&?XRVeXlc=Jc8QM)LCW25(7-iPV4Lq_bwO
zk=@R&?{{45(X!1!8_e*vWYkBJ^B>b0BHG@W>SDLr4{Q3UAB3*Y@EBAVPE7;Qn$9@S
zZWyHRtNY!SwQes$j3jBSfzVzq!&AP^u=KLYsNH;~*{960d;INRMXAO`TaNVQ-nz_1
z8W|$sy}2x;RC`tU7&C>}gP?llIRKA=LFtn7?mk%^CMgiQlD!ReU{k|{cAHamkEP?f
zhWQ`31+z5>Re}=8hM#3eeMxkaZyOg>ta7t=Zn$pt=~zkK4Q+5j-R8HMcWxJI^EED7
zyUmq`!b79SZbuY*1m|ha3w>=*bDiL;(k5|jUUWj6Lvp0jGV#2q!)QHWiqIp&cS1|w
ztS-cNLgcP+`wz-*yZX%>(zQ8&twvQl`m^-*eW7RgaoLwdZI!$Q1J$0cH-9y@8>!dh
z%Qh0Y8{oV_;Sfo+C$V$IQ(lXKeW*nkT?F+~LGl^Z!F*;COeD&YhopC)2>OpPq}vI{
zUb#bW8d~$Q9=~PTcVqI5v%*6jIM%N>2a-Y{kJbhl&z8tzdGY`nw8TttV$Q7bd#>hR
z`)KgOpp<1bP=wcG_Gp(@2uwHZ!Y&AD+XgIHU&yg%o$_Eh$+QmCw-0G~*PEy+Uc}r9
zJQq5=@Rs4>x@tbWqYz<if-Dh9Q%KtL=`I|g1U%7)I8-xah1ctpJhO1uu2PFf5E_^P
zrU{?sZv)6OPl;fXC>GgBNWCD1V0F-AyFrKIwjItlB&KnSAiR_MF8gNc(^+$ldgLv$
z%WX(Ha0PiQ@rrCz(*9eKw4Y3|gm>4oz$c2X&W+5eXjGiPa^oJ!G#<Tnkk$R<6*jVN
z-2^efK*Au2c}lH>3w-;V()n7We@_aV>ZvsxV)xzKwx@XFX|+$WT1qgB(Y^;T*~(qY
z4Ex$ck{REM5>?1xkaVSgyH1smK&1Doct<FszOy(+OcCVsCFr)(Z|t~#8Z63AXfT2Z
zGf-YT0_rc!V!pN|Dg^(^jPcXOs)-aXSb_Y7zR78fsKRk7GR0X;^@Qy&NPBKmciXWw
zm~s9z;CMa690dpGhE?N5K@|>Qp;FbXh@9U=>b294a9b)_r>mHH%?~NqNL)S4*sUv2
z;b)7Dn!}YAjseE7W;CbmH!%xTKMNUJEw<Z|yB}{pZ=K##IWp2z(oaq@@t5eQIv(Py
z3#&gD#Bt-?t@^>#l*ZGQG)0fKFwv6O29m9ETky)v;<=xk@D54YUId#XDVwaw+!W^Q
ze9*Ij8t+PyE4l*D7An3Fm%5gkcHmiss8<$Xe<$}Hc8MJSpykkhCO~AmD+dXYv6pUL
zdieILWsjWq<z^uP+IA3ZXn6@PB3Po2OYWl@cZOa&TP8(tY?i)zBWU{LHq|53?Tt>|
zd;EIe*=-3h2XDRv%BP`_Ek`vcmTFlY;DPs3E6{I8F%1lm^9YXFh5&Xo?s=uG&TNH_
z9ao>V6vs;+Id;Rpvoxg<l4#r^VOCeXcr%6W=m`?GaEaaRjqcdv@=rGm0sYpzh;f(p
zL$y;A^i7GnwH1$*MQ+WtFQlqi+_l;!>sC-{Bv0s_ul@Ky_K{UzNoT34LKzP|a~mW?
zCm4Flt+jLrirYOQ7)vK}JSp_5BX-<&kBB6buC+(eYzl;0k#P&09rT^5Fc^P{m%Jjx
zabu8->&OI8KXb1s7MEp@s^?dWu4jaq`KBG|(ty6ubHmjEKjr5Oj#57IV3xVhxVXLH
z7_U}D&gUQwFpVh$pRy-4{s%1hf)rK$T1+~+cRpHwkG$q9w?$X0e^)O(Ep`$lp*IE*
z;0BQP;`>w{o&fx|Vk%5*{`P(@^G>>F&J_=M#qQt&=p=RjRraN8uVqGOxXS&>%~b9b
zPyg?vuN)?00Wn&9n2_dm{3b`wY}%fb!GDDlKooD3$oI9FVRUbCs2l&pl)&p5C2`aN
zeRNSSi3)ZR4?6UD36K6`jkl+>ktZa$s`&U60*p!T8>*c%SgJH?LO*VAFLiVRf5qoA
zlf)X3G4SLvCo#}2ypbaFYcWNc?V)7CEtn=D_4NARwpvN-UwW?Dlu@4K@%;Qi`jJ|Z
zZb0SisHu3$S%819&(RB921+aZ9GA?AGpzY!tq6bygs`}?He&f<;-+BANz?0~X#<3{
zTi9#nz!q?QS2nc0X3!Y^kY|M>${XiETw?>L45L^fE9Wq2H`D7Vo*W}Od(G+DV6~?j
z2l^cykOlVvnck2&X@t38{M;$8`!usURVuf2?8efRWXfcFGG~A{oACC$*kki#U<PZ+
zQFf-}tIfeR_th2VyweswtDO0KEzqwIVa>?3Cw`Tra1Ksy>yDng4@oGb)f!H}Y{Sm;
z6zVJJJm9szDpns(nQ0JyfsdnJfY0&UebURf*=k>!l*mb8eYiN9$2h@}U)mBP>}k5X
z)q2(bxS4wH(zh3nh5bvdjIgPiX$<QPg~KQstSB?J246W!DscbkFUz|YJOFdCEv@_-
zP%~@}XMza&=@#q0;G_HqGsD}8Kb${fvcgCJYiuGH89#ds>xz+zU<68J^oyP^srcjC
zjPrtb;$BU@i;sh3Hl+0qStB8>gm}f2f`XtNq^SCOSQ4QedZybmvQaE+@%yA`7{8y#
zL<G;{+Xb2y7o#Mws78Nfq%Kaj<!K0n3Y@K>wjQjAsgG;`{!3&i=Wd|aSks*d+!#Vm
zpP25tH~fhrR3nm@gsygoA3^t(pi4~NpQ9+To9*rC=A4Pr0^iCE8G@S7U@DK<N2(vg
z)s<JxKKjW%fBl`E9h4Qeg(%Zh3_9usLG2ih_IJuwgi0pINaMA?uKCiYV0Fyk)#`hm
z5!E*fVvY=$7utE<7az+#;8i-~honLMWtL9>fV^IW;iCOYvCmS!d+q%5>1_-Mg>7pw
zrFTN~JOW#ZLj%5UL|i!o$;XNB1~q>7`0>%&w+JuD2cU4e*qu}OaYnx~(`bmhoa4Sq
zUW&z0`T6n;7qE<egl)y^0g!bNtpu(SjY#&ac~WVqml#XG^4@a!_?6^h&hp^MbWyq1
z^}&riN9HdzC?U`=CdEg7DSh1*zI!__HxnW(mCXR<%u?5))z{Wj1iK~t#^uj5JUxNo
zKi!=t3q;mr_1f@f?JdY2kJ{V#ZvJ3+@17J5Dq4dISHH93+}u&K-0P4{^r*ry*Oa{T
zia2-Oko(b-r@IDe#f#5!nuParigBi6m`M8ovOu_<uSIWmV<FpAp%C(VW+FE?@}|fK
z=#OllmQX^m9Xi0iI;v@qwwDdYU%Yva^gW$*|BGgxX!_T8{0?mUORb5d^$oxA54UF>
zOpQKgD_r4snTZCn%KR9c?XUo8KkoTV^BO{t@KLc4yqupFfFdupL{TQfVdU94<|sc=
zPE>4=RLT@56u(fXkgxvy{;22TSLu)VK~$MB+HZVxD1?2O0j0--)k*=<?G`;7l+~at
z;Ik~wyinlUZY_!EDXq!&OlzdI%W)_txvuxERtKrqKD{NL_R#{^=*06pHm$`54KGX#
zt`WZSSjo+Y>{mx6=nPf;H<9-0-OZoVk?#P_pKZpW!T)mX0l%yK>P%nOEJLG0@CnlU
z`r^1B!EJnBtTc!)5>24f4`N&bLC5O%G7@3K0Yx^{okmg3usOQ^>|xRQ^=t4|X^IAf
z%eX=>8`*F&?sk_C4~6yQ)2`98XugPc9r0F!sQtubyq%kQ%h26>>DzmYW92?Oo72T|
zY1f>)tf=3op}a`Z67B1+;siXcd9X-aU6zu<20S;H&FiR7hT;qMfV&0B-FvMV3uF)8
zqfvQLY<}@gk;W)EIxRfn1Uo49<g->Z3sr*$ZQGiAa|H;?7us5VR1-L$_2EeioHeG*
zF{o`ZI5=T#jogRWGlQ>Gg3mTk2ngPptOj-^mtH6Zdp6<0HRs%Zu`l5N&AW5st&3*{
zUMdU)-kn_Sd?K4i+zqEvesil&(Hj*`fUfzl{=<@8B~D}%M{)4z@Np}Dc`WS4a78rm
zM4#e0U1tX`DHLkIa+-8hHVowp)n>LeQlLrD{be=cwG;tG1{Lyewc)f0V+$i!O$p|2
z-6vz8n8J;n2_C>!9DMbD0`JF_LP<UVx(GR;7G+0zygqg88s1B?OrOCjcNL&S#w(Ip
zAG{{#vbewb<6}l3!kCg{Wc0-ydJfM{qdaMmpz+A8+H#Z!B!1jmYt!Abj+E)bzJ>C-
zLY}K~jue#)+Te%~fCFxk0kr+Orz?%M@aA2#7WPJ6;PJeXt6KzY*Y9s!n=qx+v|_>u
zx(O;k+t7n5R>QU5E}oOg8>`_Od~&DFHO&U1Ogwm=95Lbwx!#-H-kVN!XD}YT2ySg?
zdUw^5_+XEw*4M4bam;8%?6V_?RWy=BfKxgu8_7$U*NqS`<2~aJx(w$wLmFracq@b&
z-`{z%b?Q8~)LkO_E+4U!6~v9fftFH`m4~9LV3a9xo^K^*G20t&CUe{v_Sv$2&$6{T
zV0+7qvuZufnA4<Pk=ai8LeYthj#Bj+$ws2}D)8s>4zCKf3=cHB2cyr82s;o1(vo0^
zK)Ot`VxLQ6e8473EWfZOb6F<P^6HZj5ng07lJrc*Ncd_$I$rigH!edg<n^L{M0|7b
zfor(DpsyuW%Lw`_5o64kK;`F+##W~k^l*CrYh$tP3bLS?UsjYp>lr8do=o}OP22h@
zJ3#%N-SbP4o-qBY**7APGbn+nO_9cVoFqxmRe_%Tw<xT=?WHJ$l4!c$ZS>G*GY84;
zuer=TV@O4Ju73X{Hr^6dgh%l41@ZdVIEAhnS@9Yv0CcP2azD5*X~mO^IDK?^(gD_8
zL@~}<jWcqq@M8`dg@~+$D&)4<<r0m(2WOkjpjG>MTzuv@rPt_YAo1`utWVdd?%D5A
z)~9^hmaJ7%G6B%B=g|@?U3(3N$)7k`-Y9~VM7};AcEuR@q}MVmw{q`~9#w@1ptFG$
zUjclLGBE7sUC)#rrHm$dK)lOHSYDA3vd6^`c4@@kACR)LHB-7)83tsY#N%$3!ot4#
z2H<iXeT@gR>4yiGs*vKwvN5M1OM;=w6B&AS&BtV77#Y9pZhU~+E<My;n@Oe@l@E;Z
z)!@;Ynv-CQuRe~GEA##C1^8hzy$CG+WPR{Sz(;3whMLXaIZl1ZIq6qm#yeDL+Cf38
z7H`7r4|NMEV3(eFZ>?S`IsV=gtL7f!XRB-l9b^5xVc5Peu2!!kuqrCJMFUU)$*cvd
z%Rf{|`)8oQpjn!fU;`!I#Xi%AIhJ~6yR?2gu0=JQxhDoBK1<dfY_{e$Cl?NH2u4$y
zqu1MXaS@EI900jbEgQB0+I$^y9f=P+b4BwGi{Zq#ck!~|K+(zEe6OfOZR|&DF_VRT
zYnX-_nQViambMXO2katq6s2$iWKB5_f&0VW6|T>5_ladtV1-?%Fw`vYN1N;`_?74#
zQ>daI1;xBQk2Row!XIicdHnA$-O7FZswVI_e(pyTw>qu5svm)*{nk_5`cIbufbwX6
z-2>_eN~nZ<9?Q>0-z?B$$=2tnWaDkt?RFrLAJTmK+xhC#$4l=*mKO&>>*$UMiQ)M=
zfR)|cLFc$Eq~P!;3tkSN*pz<2`+Q^wz#pe!bH`ko@liVcBd{KBJEByx3z$_i1l3~z
zWV*D!141$Ge_>wY@=No*`*sWgb(7EThH0{Zdx`Kp(_}(|T4q+0#@+P^eCN=n^9T)q
z5Z$7}5V&H2wU&WYfL^c0D^}Rohkh`e4O_sAy^h=`oibEnh8}`#<~0NB$7BZ)p+tc>
z3^gMMR`y}oXrP+LFY$uO_;S@_dpk_eL4ucD1jm&8PwfJGc0zn5UqzfspP=6c*ln3`
zbN2RD@12z|GWU&43bbE2hzj?9Hh-EX<gH1d;6BkDfpFU!-?O5+;)QF5f0`XQ8M(-O
zm`wy`!_zf9e~N*CMe}M|6ppN#rgdvH^)$r`@U@oj4b`u)ww$}uITZi_l@^%pM69DH
zf;4)d9K(9@G_ztRUR%zob5|9yPCSn)Fiz#My`5c<$f9+z;tJt$se5Ox6z1JM&{`+1
zq`T6!^k7)p<7O_LbpAiT6y<r&6uU}Cjmh%`@o;idFwIT_(Z+51Ynk_5hdGSSSYeVa
z6+<J+HD*(#lqDg3pHT_rIY~90@1sU@E=uegFI#{V`PSN8;)gW;JTr2_<O6^zT$$Vy
z=Vy%=NRP8sMG;E=0dGdV3%Rh5wwh9F;Jit%vF#n|Z%o|7FnT?734};s@k&Q{NAteI
zRXRf}flD85msD5iGSkc6od}-36&fKP>r}d2ac;s^`t~#Yq0UALsPAcjI;B#j6tYCU
zCFn3*@@uNa;!j#2%gm@x{h`y`sdBt?JhBXO%<0!z3by2ObAp)6FAYzh%)~2omuGLc
z>VV>lwdh%3>|R)O%Q(M3@MtP$ODX9_6+jhtAGeiQi(+_Y6-)b!)d#=s2jRGo4l@JO
z_<He&H1thay>efA`Wh?HL=da@<y~)Q`7$W%NrUR6TO!GcgnhhnbgN%4|NPRCH+v33
z`K_jQaV%Ck2vFCvOWUpxpB40Y@tXIvtg;8QL4DA)F1vUwTR)pofS^BMHlEjJ36fYT
z2wL%iglka!A{{1?A{-wtfz;?8_9%*u)#F!BL8{5cq*wmMVqY<`PI1zQ%KI^*t`cFR
zF!gSbB^n$V<LZ%yom@Bq#e5N{oIU|^J|_J%ZaNO9Yj0r4Wwvk*ZKZ_)+c!tQ_LF99
z);i3{9=axPoRUd80(GnhuTC=i_SlGGRn+a3b_jiT4%>?o-hEamS$B&_qW8RQRmLjD
zx3_UEq2ubuaLg_qKtlybqh!G3RC37NXXyxzVTw~F@w*nDIQ66(5NsA}a1-@OJ=_>J
zyG^3C$WKxtm;He~m4&eX#Gv7hW@**^4+n?wCBjq!+BB$;ad7Df@Gxy>6U7EKgSfY*
z^NOmzO~3Cf{u0lgWrRJNE*R9)(5|(){KI*r4O{7sWiWxRHPnTD-q1*?O(i9vw57n(
zg5^yU%ZS}3<JGzZO+0YdMg+Y#RfV9`B-p3gkJPB*FWpkLb3cb;M(?MgtE~}W>AgI=
zch!Q-1w5!Sbghuy43>b-2z6MH|71r$i~J}=N{f*JfPqeBFOWd7tg6nlEvZVd+DBc%
zZy47Jo5R#@^j@3Q5#2VjV(`;%pl^&x{?t|sI3ya}yT?k?#gg*HImmkY!D7r!o9?sH
z`$fxP=lejDkq(MLpJM9~L9Se0cfN*7F|*|q!EMd0cTUZO&lEEP`m;4^yxeb@0fg?x
z)rEwuKEE*(NE8!*VNP#j=@%h}kbMzN5QmCu7=#&CZMm7-Sn3y>p45BjA<UD?*!z2@
zS<W%NhV)A<Q!=U$>(yr|5qwN>HY8~aH6!bF4QVBU&7V}duhdqI6!@V>>Q0~Bg-i8|
zGf)Ryb_z5H{sxyu#NL!Z>hy#c*3wjmn&%k6?(Do$s2C{879?|;-j=<sK3?rQmp=H$
zS8vB{_k6Z7^*q~8QCiFb)atK+?84c)bsU=t*XPh6;{c4-qdn_o4l8kM?dOKUCw}rk
zA5MXe!8Kq$0s#t>p<<gV0&Ag<E1tK3Ih`Vmm?83-aSRZ1(&+-P?p-6~vC&?c*s$G}
zc;s>p=Q}l<RWBQ<?|R#nH(pHVSBDH%@k-6qpEeyGGHJdO@yyy|v-Jf?e-lRjG11gT
zM+MbLLhZN!L3zzz;DeExEtiTUEha6FYObm@z%0fJFMj6pympTe91g_#j}=n-n)Y?1
zJ>sK;-s}ix?3p$iOdbNrK?4)}BpYx>M;kons<XKZExDMZ48EZZn#}0*Nif?_j8xc*
z8MZ`PtHy{<p0%IH3T7X_H&$riPe(uv&JB-%=%dsq&<mI7&dw5fuFq!xl)lj%NuI}Q
z(`^whlo3zz*_>M6skd^}`JDZHy$Xd%;fTji7CuP&6KvQ|L5?2<4#Nx8I`e^{*l|j}
zZbt`+5VEomF`}XDn-}THN$XD>R1t>TW_*=sJ{V)wN4L`DCiHU5%CcXXTtSm@SKV>*
zq<Z@?@;Muk9S$rikvC<iOF<tf=IL|9+6q8XKD0Ca4$X5H8RQ=*dQQLS@5)i>u69>>
zD)%WR_=nUeJyxhmKv)T6uU6RPSqTOWmbkNCjb|Q1hZ|X^?rA9I6L7=0k+?+IH%6fp
z8dKxFCG%7+`7t00<qEqoY_hT7vs@Oc&JlMh8YEo5k^@neZUqdDD9Wz>T=q-*>3%g%
z2Qu!=@==e|jTuel$IijVec?1WLN3deQTv}f!zu+qn-0>iPGDx=CUa(g)72NISS5jw
zt(USyHP%Au%M86F@!Zz^-`}+~(%C^_iOUD?0`Dj%t}k=LoiEP-(d8x2O2=K?7_>Q!
z^hO;nnLvrtxtBPo+8N!JuyXIMg7D5``3?%8H`RQYm8h%8<VO();19tQr$%*j_J&^j
zm#w*~9Dd85{OJHA?fIL~LCTg6mboCOkr{!l-*aR^k1&vUYuc+U;ylkgz|5-RCj@Ul
zmLjZcyH-N4FNo$SD8*6DyL}TW?B+l>pBniMR2bA@-$FiGU9<Ng@7|5BC3b^)R38);
zU*2G&1l}Blgbe|0S$zO#C1#&!xB?$dv56bk+7X@JN+ci`i86?ytWQO^Cn+g#KXqpE
zUtgHWOXi=cT<WP06aH!K?y=aNr>4+fZf*Ixxa+gTQ+muwAXrNCrh082VvlxFVC6y!
zQh&BXecOz6FTGWGOZVxDqy!19F+yIi_2T|B9>6F+qzWeW?a9V+Hf~P5^x(AKOPjPv
zZ8;fmOu?}I(=u`sXR%(|48;O1os)R)O_9-eAP}I=C2`dGiv?0K&UimNT%E@irtrhg
z!5%!jQ2bb9JHal2&}}X+rVVI@>Q=5PIxVo9Uxfbg{^4acRt;zbC~T1R_^IzfWJe1s
z#^W*c#Jjnz7+U;FpmV8i$jRg^t3dNG<IK;`7H@Vp^X@gdug*YwOqKlFyURt-eyW>M
z<M^Fy&$Y@`D`JJtK2_@ZaJCt~;E%TbFLDT*%vq0wB+XA6LQ_M^5*zf5h<pV>)0j4r
z;8EE@HvyB*>lfQlU4OcEY{3|*vrd1pfbNkPNL1S3e`O{Mm&luRdV6ap0Y5E5MAK9r
zrI(5pfo6}#{igSiTI}fnLj4N<k%-eoF6(u@gH-Jb%%ClddVoI)ROs}vJ>Z*;=a&vM
z3m2$AzfQicUgPy@r2nS<ndcP^dIcBftEwFsN<>MX?YLG5VSjn9zZwnUOCJ}6VZ>WP
z5=K;OUJoR4&iRES*3z+bN?4rs<Bch)<8vqVm}Y6txZWmq3uV}XqHHU4KIPJ=jLzTu
zK9X`={aKKIuWtzP`1jAi=1f_aCPRIPYQNVRr-i7(cdv#{Azj-}s_q1&%$#?jnhym|
zRW(Nl^4a49<C*BJh;jMUiqhEHhISo*OWnNnXMN{K>tx@sf2b$+N#CPPU~C+*i&p@C
z8+AOOy=11Z^kg~B_l<F*+XL$OIK45TGUV0G+?F(cak&UL29&OjiU%jrm|_e6Tve9m
z93^Ys4YyK!;q8wfO_T@CVJk##F{c6m4c@uDEfB!Qtn_{3{OVmA3mGV#(&W91e#2wl
zDGq5+_Vi=ui&~clwBUM&xh??pF7Zl{3D10eamtttM<`e0v2G)Yhtc9gB(9r{X=$kR
z^yj4CU+}VoT`|PogD62Xp9YJY!_^3A!baMBtOKAiq`FCSRnL*Y1;_uheM}yOSOsGc
zPs7YZLJ9k9y+Nf>GWNym2?pO*gqvTc)5rR)fbY`iV6ck8M@3Qy=FU#n*U;q+<ZG06
z3DH)&dXc%Kk2a;bjz?m3tY@DbTSIzdfehoQu}hG`Vnz55ju8Ip%HE`ENSsN7>+!gq
zzAKVOV3kIA;GX|xJ6y$7LEC;Nt71tPrrzLK)cp|FR`XmZ!=gL4`E+}yRBbS#W8a;!
zU0(U_?Gl0Ot^1+OuK|$uXzA&PUW<3XnM`!51+`x1<<biu|G;A}=|9!>{bce>$f2PP
z&q77v$GI;afH`^)P{86_%%w{Nemp=kvdr>97qs6<zfa+s48#}uD2JiM!!|J1HrY<%
zS`)^9Lg2j^cYP4x)Hqtn$X19W5lqofqW!{<48C_me)?Jvd7*7>{0Wybq*)tC^ls}N
zO>5`?oZhX3dZO8TA{z3hG<HNXd1Gg2K9^e$d=0x&6Ah4MQ}?Va6=ota#N-VOyX$L&
zy7}NV1BhK+US8mHXoZ76>Uq4ZAF7@xVcA61?i6}P7|I@oQdpZm8G||2F+Yi`r;d=*
zHH42UmLez}wfsb&1-om}7;-?CkLN~GqZyTG_<VP(=;V?V9Sw*X<W<{Bi7(21d~h6x
zX*QhHmBj7!9lg*-sQJVL+1d)2vFb_?AE2j$uLQJ+{jlprgUT$w^uMO8JHPk!E%9AS
z;Ti#-ZFRMW0Bp1BQ&(n(v>b)*@lQ07A5H%TTcpmkpxQo5WBL&)nqJ7!pBMgy$L5cD
z<k+)5h6neZV|A+Bl#s$1FJop4QXydFwE-IQsTHI*gs`BLJ0r4pGjD`Ft?3%=;z!!l
zJptMdmm0~RB!Db5P@k5Yb=5hAoYzhS_-Y2EE?rpo<JA>7cV9#{Uy5(ty?iSdXmVyH
zLK8$f!yw|NbaKaINq$8PH;xQ?-Rw4c<qpe7iXAt92;Mz$n)z9MDk-BPRlOIi;y^3~
zcHiVFuROizKM%TZZ`GTCv6^6TgnKsBv4lEl6FMB?TR$5?Rr=Q0`_9MG#5Uab`1cTn
zvCdkBN<ct^c(3Qa?L~m?*={HC`=LsV-_jr*me4=L=U2d%JuMn|ET>wk;<#MYm_<C&
zCHp=!2u<SpEtLO6RjcGL2)C-ewU87`rYA8Wt!9v?wO|^`Vj+czuN@EdfL^g`TlM_>
z9r`t&CF(&0;zHXFlowR(tPXT$-Z=ST(41yfk0x{&Xru4#r0xzg^qvdjH@@QNB#lFC
zR(@%t)A!Q$;YrU9);PcCU}E8uZ#(5^{7!nR<*R3K>s7v;Ula>1fj(C8UO-otvQQwJ
zgaSq6`oPehu({mx1r8eDyZj$UgM}|V4}Jt*uLLTIJc6AwmvPpS7^+uXqUcNf{Zm$m
zW@NX=WXPKVBa;pIN+l5?ZS$1tOAzLrAgCJ1&KT~nwh{x{#q5f#+LNgp5K6k=u0dr^
z{F)6?@1rtA5-#d;Iz{LjSz)0pRk3*i?&lr&@1t9Ifm(phi~*!811!0z&Nz!jJIgq)
z`)&3;{b0&5KH?a^1Iq1({Pz+bcJ;K6bEDo;(NzBW4~bUofx%D!Mye1`!5H9%qZ-pJ
z76ZI}y`;tEh!ukyP&ZsrdPu5^J;gb5lxNV+syA8$3iztH2pH-wUTMDCM_h<Q-CHbv
ziUNYwr(3*DI{IJ^!@k?p)0?Zm@(Ot}5eF{e$LU(LU^I(CPytE0{>B0vIgZG$p4>%<
zrxvzD&@NbIakfck6fvb%@DQj^Ci7OG5j$c4JK`5h(C6?6k0uRSl`+Jqi(h7{rh(?9
zo*iVJC-6r)8IeynrUZ>=2ysw;7)?4Dk4j}mu=O93$p`6HxqW&Wkfg;pTTg+amrb}2
z-YH4wI;a7|o4wu2A1lXRUw<$QgkG7`bQjadn+7{{qu3zxNV}}cYyM$j2#Vi;CW^ss
zd*S7T@elZl-i)0EyNr4@RS3@^_~k03LL=Z7H$FtuC&^)q-L=zP1)bSn<lv=?`P0%o
zn}K>g`Pa_%vGRjOmX@w*_pesE&gEjCf;z7Q6XwM0UlQyF7X&9{9kPU>H8ZPlnGE=d
z1rZGzoQnIPPO{{-Yc|<($;wDKIechQ?5T#;@56KNt{+y^V+Wqii8R;Y7^td9)dd_a
zm^oJ-fwDTNf*BeKqJV{=*7I5jrXo25yr~Td@$lzGU-_3CM_jKaFsVrRZ2jWdYe1i(
z8>N9=vpST=z3vBSUdQ9Z)11K78D&FEEK#x~sbRC!^7U=pBq%V5?u_rKaWdVgCcIJT
zTwTpCgnmcz3VKfNU6EZ%_Zw&oT6^67_6N5w()K71EsS@G8Mu$LSyE#rBAM9TthAo@
z(5oyBeB2}$iTux$oE`hrBsS8*Gx4w9QbG!?5_1a*p+Ao@nLsyBXeiMCEg{x8k8h^l
z1{gzY-ud{sH6_-N9g86r=VM^UqCtgZ08t+qGS*pvMt3clL{^rH3+j2^pv9LYuCTu2
z9(b|dFvGo(SL3y@$YhWR-HN`q>KvqN%a92B(__oE3K|42wXQ<~Vzu`H_3XH2V<Ql%
zUCciqwN@p;WGRO%JRUcOV%z%2F<gS}pmHQnM|xhM$0QEu+Mx9%_!LNW0Mf8M<(dwm
zEjc1ODFTz^4B|J?+Igv&owcjk$^n+|JzaR(cU{&028Zp?>s!b0DQ2AIjKiD)-&0|>
zAy_`&vbVSu+X`A!p?Xh~l$PNxS*vGQPg`D3q%&N0bz6IQ8M7YGnp4ILM5L8)MNi&7
z`_rq6>=Gzy2B^#-`ZxjlNY-(mK1B+n%^H{jBIZw>%fz8_XU9_RA@sVe33R?vgT|=F
z&kR><A@vHH;L&Sgz)9uMmm|f|lTTrBPdcdu6C9qKQ`{j-g^v{SlFEU|hy&_eW(T<3
zQlQfmIE-5#6*h^uBUHl=yW{6rUxW89)MSNV_gv=7GbP&YNJ#onES2Mar%W7_T7c-k
zMMAt?2>si+zVK-Qhr?H?4JZoU8h}puC#YlnH9#)Y^V&&sn_L2za~?&aM^&@ED0`QX
z_Redq1u(<}$V86q2nyJ*fk)2O5c^sL>FZ;>d+n4lr}YC-Q0|C>=)^RP$YBrEZ3$m3
z!GZ|0DxdlS6^7X+ju|O2Z}&P3bceuo<>wc*di;QFyRmu>DDyj;k}+37uVy*$?lPI;
zcZ~-t?4dK6EcvQ=ERib#8fdBeP_)lkln6gdeIxAjEpyPd%VtMVnBo+xpWK-<g+$D*
zqdXeZ7!<@gUC*j~w}fug&wbyopbYkQcW$vCIgS^uIw-20S#_F4)2x3jyPI-T&^qk`
zgclW`_7tu>=W|U7(S8jOc=_5hY-Z$VdY?}MePeO@&eJHr+w6o16-WcA+iDMV_{afJ
zVgO1OS8cFPGHE5iE>O^GUGeC>79CRp*CeF|Wq#aJYul=YJN+tmA1z+dt%?S^`q?tP
z3EXjJ(xus_@@csyxCXs?$L;U#O|i4KS)6xG%4wQmHJL@w!!Ckhgv*)x=&;mT18W;N
zsBcnY(l+V9V!N5inDaqS$hU7Nu$n^3KaR7mk31Ce&P8FGe159%kd^e3YP4>(2Yiy|
zv$x|~<`kxJgZZS<X?(SLV0O-1N<pKvPgw*FIOk1HPUOop6L2LdO6(c&IQk<!;4ZGu
z1eQ2>7Ibn$oW-6+KB=j8sDmn&YKhN|$4YFA1GDZTv=w=qfBO)3oI&^bg=;`em0buU
zqnt5H<#RMqe4h0Dh7Rx8x&C^s1W3p-HIEhQR&UC>U%%2ePQu(d)@8T+{ZqG36(rap
z1g@b80qCzE$L5Qf`F*zCNTqMIIWueS7{o7RWs?H}h=WQ3jy&*jeyD9(NJrjyX}p$3
zu`O`|omEGUzWNJALquFLf+w5BcHvnq7o$4f5a5fH8z-xo&wG8t^IWj=!;md1s$NaG
zAmpVUe`F70jWpz)*?2~yA5oda;#VC*s=d@dG~|=5u2Cz@SAP147b<vRa2@)Yo&eRM
z{K^5nF`1~><$t0>6n7?LX{K7M+M`UwO5c~V)6o2^J2j2{BdpS3GgnA7x<u~*`JwuY
zSQZM6M2w@Sy}sGNp#@x4RisEN&?uEyNj!dOm*=$WOmD{OC69!KvM9x;5a#FaK&XLs
zy_Q&1v3d33$9J;j9rq#}7Ug0{-6eZ2W^V>^{)}-?_hrB|LR?H++>@h87~CrpxkoE+
zC}WdwXWzRkvanpH%di>P_Pi$Y#5V@a9dNMAoJM#jiEB-~A3STkE1~%n^?>mr&0LwY
z3h#T$ia-KS62M(`JH<WZE>_7$U|_zFIW}{hkTOz1t>KovsW~CBT}o1M<(stc_}Vf$
z!2UWHQRB5BP<vYe&SNiJLkt5O`H%>#g#oapHHO7Yg?M=q;?;~j2idflD5Uedl_r!)
z7D)@QK+?Upi2i{|X9pED(mNIncTQni1()TO=O(%BZogtqeW^TsHJAERrerC%_z^AB
zTfS$zZ)l^Sr{2u@UJ~T((C`U>*{Cg+MFfM>wPNtBL7~}dGLy&R*PO1)UsP*`d1Vco
zTok?%W{2^I*Mi+Ylg)sFAS--``qfAp-aiiS`}n=1DY$`QFHP982ub}3d*PHaO|qmO
zbtO66839#!a$(viO2LGr=Z2Tq%Ff?PycS{Ex~p>>{bP_cmidPA#?Ii4xA(aMou<Et
z!pE&Nr!JL8H;r_}pJmT%>qn2gOC~mbvgD_Lx^BN%T=aD&XRoQQK)W*FexBwfwp!Yp
z?t8oQ#~BBGLlvE2U(wKiznOI+K^m*@BG|pfT4ml66anI(|LhG3SDg;Y_0^tSLmI?8
zR_4%}w%%`=xF5Rp!kx#wzdYvayHr7K`<EtfJvNrc^%m{F^f=7TdYfzQsgUt`htkO=
zcR3Wk%oW}~dLl;9&i(53cc0+k!ok0oUXV>NK7tjh%x2t5K$=A1I{s=X|I$SoBG(aS
zZI*_oJ{j6C%~wpMAM&L=ZcDnTZO>!hdzH^+zJgBXf#T#V=cRHd$}VXR6KPw%HLY&S
zT~x559kxnHC_Uo*jlhkPHN-sW4aK;wY#@!jHb$))pQ?B1HYu@YQ<`b70nSUG;BO`C
zm3&0BCb$}vPJs^uS5iTmx>U2u)#=I>TwWcESzWoi^E|vkep^t!M_q?TGrCcJP@fU9
z5>zUYh=5{aWqT}r*z!!D%23lJcWG|Y`r5{uMW0s}IShuSq&Gb7QN7gH;9hUnvGXm<
z9g^>NvSHd7d3(8GGd!lfkK^6edkdTdH2$`o`exJ&)1LMlrZ`EtM2bLu+5FzUfeusp
z(p=$o{h%j(z)Q(O2l@MFk<QV6S%{7FSI;~+jfK4^1f0TM(#r|U)7@>i+RAR9CO-L;
zC1GX6iby-Gb3JQQxxj|r`4J6#R<m5&vDn?)=P=cy^EOR5#H;hC(Oq%|myiDUvO*$d
zUzjOP27W7hVns^v?Bk+UQra<2H^`?QC(p2yYLp6@A_;rBZy!H7s@!&j71GQYfP6B5
ze!3MvQ=ISXzj=K7wCift56`e4_%R3#1U=JN07I>kGa?B;(g>C_(f4Z}XEfy)bKkfr
zw2*n&)be9soR3ESE`V~ihqGwoNrrPxL1k4kzM)7V9j6jfIQ2F@t5Y~|j7@0~51O8)
zC_Dns?*Jtk<TK@s_*6yOrXZYXXH`+(ZT!=jZB%l7K-4>bG*Sj7z=yMnJPI8owFm<N
zOo!reRzT-d>JlWxJq|283lD_}p3Za#@7)JtSffoEnFun7v{MfnFQ&+1ESRyYgzUIV
z$7#-GYSEf2%AJ+|yjJo(DjL_mHWP4?a*i_n$XE%A$c_*uI>VQ$6Y)R<DwN%FI$07C
zGzv3*B*;88I}1=ECt;#N`q2RKYPD&=MCwT}QE*zr(`3m}$me2Nw750i_*CZ=8azs3
zvkf=Txx4F@+zDYG4H@1dl;F)oTdzW7rnzq4Vle7~1&vjzpDrQz8i_1<Zi;g1Z9~hF
zy}QrgyS96mRPt`KSn`DzP-BK6u=1HvFS8@I$VUT(4#+-D<%3V>1sm3D;$;ZeueQK9
z4oE=~Nn`)%l|5o!DC9#e=muo(6MOHNHIKmgToCgOnu{812x$YjXAEtzJr3uz#IR07
zrfw>lT`axJFb^_)mQ>=VQPIbEF@Mr~lh)Apu~f|UA%5r=aIoZyMAilLO=*%??}a^L
zk^D~AVRuP93W4u1hwlCy;=bZD_!n|($?pSoQ=Bl-dyc61EQmRbFX;V(us?h&+j>UN
ziyHFkHDC1UB7bBznZh({l8_Lhfx3!iQhC}+%z5;85;fOj69wNILE9G%twgxp<p6@6
zr%A;<Y>(g__`aUg7(f~aG_U^coo1T}V=MSFcM>=-n;D-ZZ{!ulN5U^QXyMNjl(;XM
zAng<7xN<js6MmJiDl0BqetaYvODl=TV>H^H7F?}hpZ%T>YLf9u>_##GlwP3qFA>?1
z!Dir3859iZ09SmEw9=}N<0TC|e@Xy(UK+_y?_atl11)<+EJsvg{Mx{yy=ot``DFuV
zfrgslgR+xc7$Dvi@sE`KJ4(>f^P{gc`#!UVvgbtz>4(|Y(BONJQ5%#;(VsGJ*fiHB
z^PhKnI4)lqSF<^Nna}Bav|K9p&A-2KlX+zH_7((%*JMY)8meGHL(&NUGOFJ+*_K#l
zYAEx&2-ROOR0W*ks4oA^r;KVjKRAZ0fZdN%_+AF70Gvq}6-D$Uo?gTZK^#a$;LxyO
zb5^(;3bgenPKNOE#su>9G&BLpLTbN)Hnt$L;{~~d@b~^2%0qx#EOeR|4Jg@Z^c<sw
z7SxAvJq23XtAhnPmAC&kF8GVJS?PE8nI-{Q*)$Uvj4)ly=eqhG-+LGMiaW+_2{#M%
z-V|P;Rf+R!Kpf~`oz3hp_|>C{X|ui08{VIV4y>=<_xN`{)Tj4DpNuT@x~!O*;1Ss|
zA`7~fFhoSg?~*?%(gdd%N_zndO#9rq<q#iV_$W{Un)q0tSE%P<GM`j!27sOm)9Nm=
zk0IScs@3oXGOImwVHn~90CxQ>N$E{zTfLItwLTWIkAQiRJYS5w&E~FZp|-{~r|(oy
z|E9sa$FCI*bMM%s@Y-kU`&vVBXZi0dV$yu^>>AV7Y~>u$@uoDEW*EkY=VrQq2GZ#<
zTbTs}%ytyy&yoQ~IHQ}yRxf;@Yx=@~q#nNn``BesqovQ3o9^&6v<Ot(9;Z7)!465b
zK|s(RBnE%Ep+m)qa6K8$6d!XZV}$ZNw^cNle6DF4L_(nD*hlTKu%)j;{_no^>m~WH
z%3P%+`<NiV@7Kq|%PKqY5iRo7X^Gv~^_}G8K-2{pzqS%QXXZ+J<pNEvI_cMtToXz1
zqCkg{liJx$;&XgD17Crgz?T8SoQ~0cV#rB#J)cQH3Wtv&QR^&0%Z`KJXgd3-;`7{7
z_@fYQl)l>;tjyW4RXdFYquMc)-E(tD-JSrwi#M0EHk6e#pPnY{&`G(OGcMEyhAf*c
zpY~gh9}b3Z1?FuMz5$1XmS7xg@KBQ7IVzIVUy7~(75q;p`xVAPzDkD@FWp}!OB_Vb
z%GTU1i2xARHV51aKM`O_<11ui>F%EN$a@n;LcE#0!FhZqBWe~}OXz_&TO6%B;!T#E
zg1R6NL>ZoI@j#^-xNg|N^OU-*KMX1g>RzqzSveXAl1&Z{=vR9Hr`<q4vpP#X`*p;3
zj|E6@2mX6(TY9;wOno)p{C(;{B9OA92g<Ean@6mqvcn(hxO<u<#cQ?Cw8xfNOA6~E
zga%GR?mUi%wV=GJR(;S1k)p?EiR1&9{h`={xDDisKA(b+;5fe_@IZa<jjW1nu#j$j
zFf@c4b)G^WgZ)|(@%n66T%+FtgVrkbw<5(sfime}jFnnA?t}B5LY>RlD&hda?T%r3
z88qy;AT<omYmK_me*R!FxIu3-^JS@^Z_QzA)%q?O=TqnNZxi5H&1mMwn@-+6$CbMc
zTtP}FCm~J+!Y>a9%y#ZV58BisD4HyM)2c1wH*^tmiXe#teGeM8)2Le>Oen85>I2$7
zb_8wTLpT5Z6D>4P#f<7QBem&jocVWWJ-4C?*8Z>duKXR!wU0BV%%HJmlHF8NvLvNa
zjPlw=C4?GBjmVKHQpqw1i7aI+rFv80Bw0!+3Xx+;PK&J~ITaJ7EG2nAckempA9#O#
zugedvG1v1vbI*N$m(TKLf@3yqz?~(puE)72bl>JY2p4%D>C<e`q8X-unCDv@S86Nt
zSbf(u>nzosh?NZsxfX0SXruOi{?qQhit*12(!N7Z8ma38=Az8Gremv&UKSp-;hw7p
zhi;p*)`Mgp<QTf&I+xXW0DlVjY-i^jqHYh~##Iwuft<MS#LW(8bD@m6ecVY6^Z4XA
zI#o)29?asAvd8^zV7EKI44)3Yg`nFx+0fw?`fsRR85>c*eeH>o{PHt|643&4)r$`v
zz*A0P0*np1-+}#dm%bqGzrh-2fNR9O2(OD!`N##YvUo`-oD31|hBlPu8h~AyD_NHU
z)c9yv9s={9(O6nKP2-e&1NdU5)={=Q<COl&pn;R$5(jrcM#LhXeE5`qCn}^il4OrE
zo2)%!e5<4Bi|lssf+3R3gGh!my_r-&wUX@UP(aUTHydmt`UgBip7F~YZ$I|dY`h)l
zQ+6i<`u?C>hKvp<yKD(UskQk^vhO~eX{R-r@24jElG2QhJtW?DB*7E@FK*}Ui0kMA
z8!`KvKLDWAwV{W~vgbhc6~9_pl8pD6vHc-|J6OyUsSy>3D7U(%3y0RM7prEf8!LPW
zr$S_YDU1V$nsbOO9{)mN3O_S4IjWu5_D??Syc=>e{>LYfuM63t(ov-d23w|MTqJac
zpw`xbrC~G0vC+qZwn!<0{k>IGQpIwp`xbGP<cIC)imDui47deA5$tSRG<DTCqIAyt
z=20Ht37jf%*{_|O=>|<BGnpa1iL*~0(VYce+R+N!!@PIH$Xk)c-4($}ukGt=Vss^>
zYE(nNr2Lnx{~3IJDTIm9^=j&A{lOwcx1r5V&zhMe7C%*0yQEhD)%TLoVPr;YgwHp%
zM`f3yhh_ivh)gS~@*I<ll)Ru-ULMuz3On*C!$j0n7ayt*p?=nc^v2N#;s`CLf-Pyl
zR}Z~VIT;lqslK^)n)u2g=#1>7@MAiRX-`oH7K9;7>$ctafwS+srx$xv9k@lBwrlai
z>&_R})8i{F-`~yVylXx0E1)v#x5?FL&+D<qu`CQ+z50XtM=)%L1|KIrd6|7Rp=7E@
z#jR_yk6V#+Fr6)}pjL`aVtI7#qc(;0%|wHWc7y$zasJiWwV{g)yjxCkn@{<?p2ZX8
zeSLp9C;v;(z>^fPhxu8Cd%F7a4uH+}<&L20X4^DQC~}`~%(c!<|8@71E9V)n&e<=C
z32fgKn`Pca-Bx+n^+?0W9Pgo02RY&hL{?v5`DAzF12PFm1<$G^UZ@#ycRSY9$-rTm
zV`B=+sZAQ%<>vD)m9})Vzp%AE!`<E)RkiCS*<6ZJtX1Z=8&9?q#lrC2@olY5%3NlR
z%xUQ|(f)OT{mrMHkD3cg$VipAL;41B<+-my$IrOKh?(nJSJW9#S+L>kZ;TD5N?skz
zsagJV!O|w4nU5b-nhV}TilCutfrzV%t$dJvyd&FOh$3kd?h+GN!fs836beB}I?zd!
zVa^%T(%{ABegM~dq<x=gZ}i~eNZm#=IaC)Ag}<g=tS_oPwvIs<(&}a}so?Ob(F|PP
zY>BAXza&Dw8;1;4%Le0#cRtT|vRUfgqMdoSF~_7T@I$B5(XC0IRth`4Y&ky5OHCUA
zU!H0fzw0jkI1}Q`gP)sMIAwuX-Qs$EoKccKKKv>JY`~Suo<%2HDbKHZNjAP|caG)7
z%-@@^k_66i#Q!_q_1O%T5TDOn%Al7&RePv*F;bBs#!)cDXZT{o(Z@WFvf9Kf2U=MX
zeB376$!H0j?g2d!2>}l8wGkNd0Ulzv-ngQ$EPLw|k@l<L42mdVT-6rM0G@{YkGhe?
zTz{UGj)a-usq^;P*@6e^#{pnM(r%s5l4bBV_k83ZW$l+^WzQmAI)sag(_Zw<REIJ9
z^|MbgVO}{47|%_g^akn^iZ&R#qS9aoouLt-pxUI?({C$oEZo%1rr`^C{G^U^O^qwh
z+nD*MD#c|LoC1%Y3Kp{JCSvt%f(QmR{_X4<$ygz7fZpfm+*{Ff+0;##1GCn_bIYcH
zG;x^J&(NEVD4Ass+Dr;>5R(l-+`%ev+-GPXg|Q8(qR&)~uLq`!IkcjtSaJC$0#V*!
zMfCe<7kK&1ole{t+#Nng(_U#<Y=;iyo0ixx=J9d#Zd;*{>jb;k&?O*Rsq{U=rI}}H
zf{ct3zxT$f<`3HGDOwY#?C-R=Tr<M%2NG;5I*G;S3Bfy&Bvg3#D`Z<c3G1IM!Km+9
zwp1s!?#LfT9k%$pUIy~stvjx#?dTk@HDjK=x0BS@#kkyNmS=YCv;L!P*3Ld{3n9%j
zyd_89uCSlwrG+M|fL+C_9tQ;@C&;Oh)Zq10_rf@nH#sF$ndp4SrKQX-`L7;GP`HOG
zB}2dby@)BPSbdcXPR2pkJ^B&6&?=PjaH$givy<Z=6`h}USBAPlqHxJ9zc(1vw-Z&e
zdo)&+?6`ll9S`Vg8WfEMJ-6lDdn4lL{2K^m1&IT+&?Cnpd6erA@$>!V2XE5(aN*cM
z%uc<0!Uqvy3|Z1UT(wwK7|gN1^rlhB_y#I<lq&VQ0#p^bvb;Q<p`A9TmtXazyzbZ7
zY6j}G$zNu$L_s*(MG?Lrzs}MI?h@~PP#shQ3#-4*rmU5@*I*hgFnc4?l-*18-fPq6
zhV2*dtBVH_jGh#`f^W#>+>caWib*KWKs4mJ)EQNV2{XD<g)Z#nNO(1*5r9epyRzjY
zE5uWn(tf%WwfAUL$cWVM;+iw0X)k1-{ocjZ7+b;>W5Q`lX2%e0)WIF;O8llJtrB57
zk0uG_@-d<6qFnnkr!oxp9r%Zo5F9t8k?}bMhDU{2A?Pf#d7$;c$IZPvez8W8v@*}`
zx?lVh&nWG{@XIx$QRhbDLgEMK2l(=UVOT5uvPac^z6R&6{OZterFW)(Oj=8{S*k4)
zPO#DL_o`Yzj+83`L3aO!vAPS?0A@Q<i&MZiLjHoac!T2Cy6M4jWjFus^7GLuVa48$
zbl^Qo1xi_PZnS)x2FmGeqka<~d-DY-Dh{UQWM$j*q&aVMjNL;xjTXXb80QpQ5D_+l
zcUrkupb$esl1v=TcdbD7lM=(u5FtHBYo0)cPW>;Aag3`UWx?W;@eXK<a<^B7MWZh4
zalks0X2zUypHA$eAoptK+|p5%N4@NL{tJ4T-n}w{wREG?I0_|GjW1J7rTCyl@+OA^
zg2b9bsR8fzqdR(9rb*g`e*iWa8e2%yANutrNOUX(rZlnh6aC#08Pd)f<=|?cLz`4m
zO=%Q`r8^v$O00h^Y=$xTMGI>9CuzpyYHvxmU76Ie4p-|zGdlv?RbvXv!m@4#6$b5G
zoqKi4$H*Il2_+kw(_us2h~*v_x`PTPIU$NpCT0P`yOzF#Z1*8`tewjClFL}TdpIFZ
zr4sIGX8Tlx<ARkg5Kq(RRrM-(y!B9b9~X(Hy4&^uXp6KtE}ft7rvyc6FwU1q{fIF<
z`?1y-CUcrH5d%HSp$N~m5c;&6XD;@-_ZNjE?siIfqm<?a-hs#vfnd<$MmF{EeB666
z8*GB8)By}oTD7Jk@cqUZt&%(wh+cKDJ<_0N=qeTUTaK^K5j!YBqX7~<VQSI(uDnf}
zc}@lCB8U3U>hweoKv&X;!E60z?eS4Cngk6{Uk|1~(Aej29n=Xd(0wuuF4;n3&z-I~
zurU;B0Vtr71G_tnv0NqSfU?X_jV4DV(rnRYe=PB;X9VpOYd%DkVu2$bBMy_GJ?cM4
zKN{mnjN}nutLFv0uBB@^UWo3jcgnS%y|Gw|kC9DcV^(2MzRLT~J`M3LXEyfJmQU0!
zHbs7ZD@Fj^3L2C@5<TO437HT1{8|ply08}h!k52J$D?l{Xq)-9BD;AUeToakuk{>X
z8;$(j<$k-aKU-O~a)p0)GWZYxyN`+VCP8}ea7IZi8Q2xSI_IOl0loZ~DNssk%94N&
zGly#p>c@?QkNr`EGBq6nw5&~9Anav|4DoKailjtM;m>rx_9AxCX19v{zbYVreVr9x
zm55&SXB!yHP(E2swr6t07JQ7YR{F|NVbUo7wn&n9KTYAsR(#r3C*=ZsQznQY9}<eo
zZJ}E6w7su=1gG8*E9KtjyZ<D7phA>kpvP(0rFjJ_cfFLJz*wdoz`pllw$c0nyxi}>
zZZgODJA@k*s#2&Bg2_&x@a%`KeDh?r-ry6Ar8}y!=JxQ6igVEf1%yDISdZGSx~({f
zlHR>__x=>zH3xV7Zk4g~1fVq{hi_iRe#d@8dj63=n+KPQr38<o1zsBd<8ax<#MOhS
z%{0&uB^a|dVPrva#7x|Ou9`j_zlKqWi2$_+5iwpw$vmJ5;l(%cy$*~fzm`*mHl*)^
zgVWIjA&Tc9*)bb?X)%soNhGs<rc8hyhK4d|2x(FxvmfhV`TKiRrk|G)jX}UCJ^MN9
zp7a*p25W4IsO9lEe19sWL3((4O3j(F)QH7&6x!?4bvzas84K}a2R8=<yJ1M4a!ntk
zHYsRV^4Au+-L&_8_FLXJK+K`_Us9CGcT1$xyC-9>vV`kpA|_m+@F(${D9F)lra<UX
z@G7pB!>oD#4C06e;BHU%Xs_uDpw<pTMDLy9UvviBkO6JsTQ%?E#q&7M6l??F*f$pP
zqhGn)wu7qX4#W=wnt)2v-*tjk#~eJ?0BQ6hMdrZ@eG<jEmS_B{gClRQuXpPp(~iao
zPjGFxW1mcsHh*ezT%4*(l?zk5gz7*O>F)%Z4=Vt?Plxf5ueh2hb?W`D)(+pa?){_B
zaDekvyZe~%1C<3c%w$cZ&Xn((NL=w!FW;BUX)&e5V95=rEO9a<W(6N26ll=BBWvZ?
zGpWyUR)}W~E`zpnIb=5DR24epnNxMIc-EtsK0#u`=xX>2_rer@3p$0?4af!r7qDJt
zW_qZ0UNq^2r(W2lZy>i?iwOK#L0z20mSw_%5OJN>k9(3LK7WsqiasZ<Gody_M)#S`
zF_R-bx8=PSe4PTpnj2^S8d!`M%}9lpj0^nzBTCSLWP_i(=dTy>jyZq-887|+9sggC
e|8;*%geMfZTT&D3?&Dt%3R#)kuP-#?ME(aR+#ApU

literal 0
HcmV?d00001

diff --git a/etc/frontend.yml b/etc/frontend.yml
index ad90a9ff..7ea7e861 100644
--- a/etc/frontend.yml
+++ b/etc/frontend.yml
@@ -10,6 +10,11 @@ v: 3
 #
 #host_match: zrok.io
 
+# Setting the `interstitial` setting to `true` will allow this frontend to offer interstitial pages if they are
+# configured on the share by the controller.
+#
+#interstitial: true
+
 # The OAuth configuration is used when enabling OAuth authentication with your public frontend.
 #
 #oauth:

From 8ed89d3400dfb01221b1d65158c201435411ece3 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 11:43:42 -0400
Subject: [PATCH 12/17] doc update (#704)

---
 docs/guides/self-hosting/interstitial-page.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/docs/guides/self-hosting/interstitial-page.md b/docs/guides/self-hosting/interstitial-page.md
index fbad01e9..a32a04f3 100644
--- a/docs/guides/self-hosting/interstitial-page.md
+++ b/docs/guides/self-hosting/interstitial-page.md
@@ -6,17 +6,19 @@ sidebar_position: 18
 
 On large zrok installations that support open registration and shared public frontends, abuse can become an issue. In order to mitigate phishing and other similar forms of abuse, zrok offers an interstitial page that announces to the visiting user that the share is hosted through zrok, and probably isn't their financial institution.
 
-Interstitial pages can be enabled on a per-frontend basis, allowing the interstitial to be enabled on shared public frontends, but not private, closed frontends. The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it.
+Interstitial pages can be enabled on a per-frontend basis. This allows the interstitial to be enabled on open public frontends, but not closed public frontends (closed public frontends require a grant to use). 
+
+The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it. This facilitates building infrastructure that grants trusted users additional privileges.
 
 By default, if you do not specifically enable interstitial pages, then your self-hosted service instance will not offer them.
 
-Let's take a look at how the interstitial pages mechanism works:
+Let's take a look at how the interstitial pages mechanism works. The following diagram shows the share configuration rendezvous made between the zrok controller and a zrok frontend:
 
 ![zrok_interstitial_rendezvous](../../images/zrok_interstitial_rendezvous.png)
 
 Every zrok share has a _config_ recorded in the underlying OpenZiti network. The config is of type `zrok.proxy.v1`. The frontend uses the information in this config to understand the disposition of the share. The config can contain an `interstitial: true` setting. If the config has this setting, and the frontend is configured to enable interstitial pages, then end users accessing the share will receive the interstitial page on first visit.
 
-By default the zrok controller will record `interstitial: true` in the share config _unless_ a row is present in the `skip_interstitial_grants` table in the underlying database. The `skip_interstitial_grants` table is a basic SQL structure that allows inserting a row per account. 
+By default the zrok controller will record `interstitial: true` in the share config _unless_ a row is present in the `skip_interstitial_grants` table in the underlying database for the account creating the share. The `skip_interstitial_grants` table is a basic SQL structure that allows inserting a row per account. 
 
 ```
 create table skip_interstitial_grants (
@@ -30,9 +32,9 @@ create table skip_interstitial_grants (
 );
 ```
 
-If an account has a row present in this table when creating a share, then the controller will write `interstitial: false` into the config for the share, which will bypass the interstitial regardless of frontend configuration.
+If an account has a row present in this table when creating a share, then the controller will write `interstitial: false` into the config for the share, which will bypass the interstitial regardless of frontend configuration. The `skip_interstitial_grants` controls what the zrok controller will store in the share config when creating the share.
 
-The frontend config looks like this:
+The frontend configuration controls what the frontend will do with the share config it finds in OpenZiti. The new stanza looks like this:
 
 ```
 # Setting the `interstitial` setting to `true` will allow this frontend 
@@ -42,7 +44,7 @@ The frontend config looks like this:
 #interstitial: true
 ```
 
-Simply setting `interstitial: true` in the controller config will allow the configured frontend to offer interstitial pages.
+Simply setting `interstitial: true` in the controller config will allow the configured frontend to offer an interstitial page if the share config enables the interstitial page for that share.
 
 ## Bypassing the Interstitial
 

From 7d3079a3f2dd7461f55fc6a76cefb8093850efff Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 11:45:39 -0400
Subject: [PATCH 13/17] docs (#704)

---
 docs/guides/self-hosting/interstitial-page.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/guides/self-hosting/interstitial-page.md b/docs/guides/self-hosting/interstitial-page.md
index a32a04f3..217bc079 100644
--- a/docs/guides/self-hosting/interstitial-page.md
+++ b/docs/guides/self-hosting/interstitial-page.md
@@ -10,7 +10,7 @@ Interstitial pages can be enabled on a per-frontend basis. This allows the inter
 
 The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it. This facilitates building infrastructure that grants trusted users additional privileges.
 
-By default, if you do not specifically enable interstitial pages, then your self-hosted service instance will not offer them.
+By default, if you do not specifically enable interstitial pages on a public frontend, then your self-hosted service instance will not offer them.
 
 Let's take a look at how the interstitial pages mechanism works. The following diagram shows the share configuration rendezvous made between the zrok controller and a zrok frontend:
 

From ace8bae54f47b37ce08ce9ee228c825c84be2b52 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 11:49:50 -0400
Subject: [PATCH 14/17] docs (#704)

---
 docs/guides/self-hosting/interstitial-page.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/docs/guides/self-hosting/interstitial-page.md b/docs/guides/self-hosting/interstitial-page.md
index 217bc079..054eee76 100644
--- a/docs/guides/self-hosting/interstitial-page.md
+++ b/docs/guides/self-hosting/interstitial-page.md
@@ -6,7 +6,7 @@ sidebar_position: 18
 
 On large zrok installations that support open registration and shared public frontends, abuse can become an issue. In order to mitigate phishing and other similar forms of abuse, zrok offers an interstitial page that announces to the visiting user that the share is hosted through zrok, and probably isn't their financial institution.
 
-Interstitial pages can be enabled on a per-frontend basis. This allows the interstitial to be enabled on open public frontends, but not closed public frontends (closed public frontends require a grant to use). 
+Interstitial pages can be enabled on a per-frontend basis. This allows the interstitial to be enabled on open public frontends but not closed public frontends (closed public frontends require a grant to use). 
 
 The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it. This facilitates building infrastructure that grants trusted users additional privileges.
 
@@ -48,6 +48,10 @@ Simply setting `interstitial: true` in the controller config will allow the conf
 
 ## Bypassing the Interstitial
 
+The interstitial page will be presented unless the client shows up with a `zrok_interstitial` cookie. When the user is presented with the interstitial page, there is a button they can click which sets the necessary cookie and allows them to visit the site. The cookie is set to expire in one week.
+
 End users can offer an HTTP header of `skip_zrok_interstitial`, set to any value to bypass the interstitial page. Setting this header means that the user most likely understands what a zrok share is and will hopefully not fall for a phishing attack.
 
-This header is especially useful for API clients (like `curl`).
\ No newline at end of file
+The `skip_zrok_interstitial` header is especially useful for API clients (like `curl`) and other types of non-interactive clients.
+
+The `drive` backend mode does not currently support `GET` requests and cannot be accessed with a conventional web browser, so it bypasses the interstitial page requirement.
\ No newline at end of file

From 6da6cbc4c6d73aa6c5641adc4042af767db03d21 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 11:50:25 -0400
Subject: [PATCH 15/17] lint (#704)

---
 docs/guides/self-hosting/interstitial-page.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/guides/self-hosting/interstitial-page.md b/docs/guides/self-hosting/interstitial-page.md
index 054eee76..aaafda80 100644
--- a/docs/guides/self-hosting/interstitial-page.md
+++ b/docs/guides/self-hosting/interstitial-page.md
@@ -1,5 +1,5 @@
 ---
-title: Interstitial Page Configuration
+title: Interstitial Pages
 sidebar_label: Interstitial Pages
 sidebar_position: 18
 ---

From 55605aad772f4a5b1f050e5b568765d30d2041e2 Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 12:53:24 -0400
Subject: [PATCH 16/17] changelog (#704)

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49849180..72d26e1f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## v0.4.36
 
+FEATURE: New interstitial pages that can be enabled per-frontend, and disabled per-account (https://github.com/openziti/zrok/issues/704)
+
 CHANGE: Enable `"declaration": true` in `tsconfig.json` for Node SDK.
 
 ## v0.4.35

From e41eea770426247846c10666572b84400afb595b Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Thu, 25 Jul 2024 13:52:15 -0400
Subject: [PATCH 17/17] typo (#704)

---
 docs/guides/self-hosting/interstitial-page.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/guides/self-hosting/interstitial-page.md b/docs/guides/self-hosting/interstitial-page.md
index aaafda80..31de6664 100644
--- a/docs/guides/self-hosting/interstitial-page.md
+++ b/docs/guides/self-hosting/interstitial-page.md
@@ -44,7 +44,7 @@ The frontend configuration controls what the frontend will do with the share con
 #interstitial: true
 ```
 
-Simply setting `interstitial: true` in the controller config will allow the configured frontend to offer an interstitial page if the share config enables the interstitial page for that share.
+Simply setting `interstitial: true` in the frontend config will allow the configured frontend to offer an interstitial page if the share config enables the interstitial page for that share.
 
 ## Bypassing the Interstitial