                   -----------------------
                    HAProxy Starter Guide
                   -----------------------
                         version 3.3


This document is an introduction to HAProxy for all those who don't know it,
as well as for those who want to re-discover it when they know older versions.
Its primary focus is to provide users with all the elements to decide if
HAProxy is the product they're looking for or not. Advanced users may find here
some parts of solutions to some ideas they had just because they were not aware
of a given new feature. Some sizing information is also provided, the product's
lifecycle is explained, and comparisons with partially overlapping products are
provided.

This document doesn't provide any configuration help or hints, but it explains
where to find the relevant documents. The summary below is meant to help you
search sections by name and navigate through the document.

Note to documentation contributors :
    This document is formatted with 80 columns per line, with even number of
    spaces for indentation and without tabs. Please follow these rules strictly
    so that it remains easily printable everywhere. If you add sections, please
    update the summary below for easier searching.


Summary
-------

1.    Available documentation
2.    Quick introduction to load balancing and load balancers
3.    Introduction to HAProxy
3.1.      What HAProxy is and is not
3.2.      How HAProxy works
3.3.      Basic features
3.3.1.        Proxying
3.3.2.        SSL
3.3.3.        Monitoring
3.3.4.        High availability
3.3.5.        Load balancing
3.3.6.        Stickiness
3.3.7.        Logging
3.3.8.        Statistics
3.4.      Standard features
3.4.1.        Sampling and converting information
3.4.2.        Maps
3.4.3.        ACLs and conditions
3.4.4.        Content switching
3.4.5.        Stick-tables
3.4.6.        Formatted strings
3.4.7.        HTTP rewriting and redirection
3.4.8.        Server protection
3.5.      Advanced features
3.5.1.        Management
3.5.2.        System-specific capabilities
3.5.3.        Scripting
3.6.      Sizing
3.7.      How to get HAProxy
4.    Companion products and alternatives
4.1.      Apache HTTP server
4.2.      NGINX
4.3.      Varnish
4.4.      Alternatives
5.    Contacts


1. Available documentation
--------------------------

The complete HAProxy documentation is contained in the following documents.
Please ensure to consult the relevant documentation to save time and to get
the most accurate response to your needs. Also please refrain from sending
questions to the mailing list whose responses are present in these documents.

  - intro.txt (this document) : it presents the basics of load balancing,
    HAProxy as a product, what it does, what it doesn't do, some known traps
    to avoid, some OS-specific limitations, how to get it, how it evolves, how
    to ensure you're running with all known fixes, how to update it,
    complements and alternatives.

  - management.txt : it explains how to start haproxy, how to manage it at
    runtime, how to manage it on multiple nodes, and how to proceed with
    seamless upgrades.

  - configuration.txt : the reference manual details all configuration
    keywords and their options. It is used when a configuration change is
    needed.

  - coding-style.txt : this is for developers who want to propose some code to
    the project. It explains the style to adopt for the code. It is not very
    strict and not all the code base completely respects it, but contributions
    which diverge too much from it will be rejected.

  - proxy-protocol.txt : this is the de-facto specification of the PROXY
    protocol which is implemented by HAProxy and a number of third party
    products.

  - README : how to build HAProxy from sources


2. Quick introduction to load balancing and load balancers
----------------------------------------------------------

Load balancing consists in aggregating multiple components in order to achieve
a total processing capacity above each component's individual capacity,
without any intervention from the end user and in a scalable way. This results
in more operations being performed simultaneously by the time it takes a
component to perform only one.
A single operation however will still be performed on a single component at a
time and will not get faster than without load balancing. It always requires
at least as many operations as available components and an efficient load
balancing mechanism to make use of all components and to fully benefit from
the load balancing. A good example of this is the number of lanes on a highway
which allows as many cars to pass during the same time frame without
increasing their individual speed.

Examples of load balancing :

  - Process scheduling in multi-processor systems
  - Link load balancing (e.g. EtherChannel, Bonding)
  - IP address load balancing (e.g. ECMP, DNS round-robin)
  - Server load balancing (via load balancers)

The mechanism or component which performs the load balancing operation is
called a load balancer. In web environments these components are called a
"network load balancer", and more commonly a "load balancer" given that this
activity is by far the best known case of load balancing.

A load balancer may act :

  - at the link level : this is called link load balancing, and it consists in
    choosing what network link to send a packet to;

  - at the network level : this is called network load balancing, and it
    consists in choosing what route a series of packets will follow;

  - at the server level : this is called server load balancing and it consists
    in deciding what server will process a connection or request.

Two distinct technologies exist and address different needs, though with some
overlapping. In each case it is important to keep in mind that load balancing
consists in diverting the traffic from its natural flow and that doing so
always requires a minimum of care to maintain the required level of
consistency between all routing decisions.

The first one acts at the packet level and processes packets more or less
individually.
There is a 1-to-1 relation between input and output packets, so it is possible
to follow the traffic on both sides of the load balancer using a regular
network sniffer. This technology can be very cheap and extremely fast. It is
usually implemented in hardware (ASICs) allowing to reach line rate, such as
switches doing ECMP. Usually stateless, it can also be stateful (consider the
session a packet belongs to and called layer4-LB or L4), may support DSR
(direct server return, without passing through the LB again) if the packets
were not modified, but provides almost no content awareness. This technology
is very well suited to network-level load balancing, though it is sometimes
used for very basic server load balancing at high speed.

The second one acts on session contents. It requires that the input stream is
reassembled and processed as a whole. The contents may be modified, and the
output stream is segmented into new packets. For this reason it is generally
performed by proxies and they're often called layer 7 load balancers or L7.
This implies that there are two distinct connections on each side, and that
there is no relation between input and output packet sizes nor counts. Clients
and servers are not required to use the same protocol (for example IPv4 vs
IPv6, clear vs SSL). The operations are always stateful, and the return
traffic must pass through the load balancer. The extra processing comes with a
cost so it's not always possible to achieve line rate, especially with small
packets. On the other hand, it offers wide possibilities and is generally
achieved by pure software, even if embedded into hardware appliances. This
technology is very well suited for server load balancing.

Packet-based load balancers are generally deployed in cut-through mode, so
they are installed on the normal path of the traffic and divert it according
to the configuration. The return traffic doesn't necessarily pass through the
load balancer.
Some modifications may be applied to the network destination address in order
to direct the traffic to the proper destination. In this case, it is mandatory
that the return traffic passes through the load balancer. If the routes don't
make this possible, the load balancer may also replace the packets' source
address with its own in order to force the return traffic to pass through it.

Proxy-based load balancers are deployed as a server with their own IP
addresses and ports, without architecture changes. Sometimes this requires to
perform some adaptations to the applications so that clients are properly
directed to the load balancer's IP address and not directly to the server's.
Some load balancers may have to adjust some servers' responses to make this
possible (e.g. the HTTP Location header field used in HTTP redirects). Some
proxy-based load balancers may intercept traffic for an address they don't
own, and spoof the client's address when connecting to the server. This allows
them to be deployed as if they were a regular router or firewall, in a
cut-through mode very similar to the packet based load balancers. This is
particularly appreciated for products which combine both packet mode and proxy
mode. In this case DSR is obviously still not possible and the return traffic
still has to be routed back to the load balancer.

A very scalable layered approach would consist in having a front router which
receives traffic from multiple load balanced links, and uses ECMP to
distribute this traffic to a first layer of multiple stateful packet-based
load balancers (L4). These L4 load balancers in turn pass the traffic to an
even larger number of proxy-based load balancers (L7), which have to parse the
contents to decide what server will ultimately receive the traffic.

The number of components and possible paths for the traffic increases the risk
of failure; in very large environments, it is even normal to permanently have
a few faulty components being fixed or replaced.
Load balancing done without awareness of the whole stack's health
significantly degrades availability. For this reason, any sane load balancer
will verify that the components it intends to deliver the traffic to are still
alive and reachable, and it will stop delivering traffic to faulty ones. This
can be achieved using various methods.

The most common one consists in periodically sending probes to ensure the
component is still operational. These probes are called "health checks". They
must be representative of the type of failure to address. For example a
ping-based check will not detect that a web server has crashed and doesn't
listen to a port anymore, while a connection to the port will verify this, and
a more advanced request may even validate that the server still works and that
the database it relies on is still accessible. Health checks often involve a
few retries to cover for occasional measuring errors. The period between
checks must be small enough to ensure the faulty component is not used for too
long after an error occurs.

Other methods consist in sampling the production traffic sent to a destination
to observe if it is processed correctly or not, and to evict the components
which return inappropriate responses. However this requires to sacrifice a
part of the production traffic and this is not always acceptable. A
combination of these two mechanisms provides the best of both worlds, with
both of them being used to detect a fault, and only health checks to detect
the end of the fault. A last method involves centralized reporting : a central
monitoring agent periodically updates all load balancers about all components'
state. This gives a global view of the infrastructure to all components,
though sometimes with less accuracy or responsiveness. It's best suited for
environments with many load balancers and many servers.

Layer 7 load balancers also face another challenge known as stickiness or
persistence.
The principle is that they generally have to direct multiple subsequent
requests or connections from a same origin (such as an end user) to the same
target. The best known example is the shopping cart on an online store. If
each click leads to a new connection, the user must always be sent to the
server which holds his shopping cart. Content-awareness makes it easier to
spot some elements in the request to identify the server to deliver it to, but
that's not always enough. For example if the source address is used as a key
to pick a server, it can be decided that a hash-based algorithm will be used
and that a given IP address will always be sent to the same server based on a
divide of the address by the number of available servers. But if one server
fails, the result changes and all users are suddenly sent to a different
server and lose their shopping cart. The solution against this issue consists
in memorizing the chosen target so that each time the same visitor is seen,
he's directed to the same server regardless of the number of available
servers. The information may be stored in the load balancer's memory, in which
case it may have to be replicated to other load balancers if it's not alone,
or it may be stored in the client's memory using various methods provided that
the client is able to present this information back with every request (cookie
insertion, redirection to a sub-domain, etc). This mechanism provides the
extra benefit of not having to rely on unstable or unevenly distributed
information (such as the source IP address). This is in fact the strongest
reason to adopt a layer 7 load balancer instead of a layer 4 one.

In order to extract information such as a cookie, a host header field, a URL
or whatever, a load balancer may need to decrypt SSL/TLS traffic and even
possibly to re-encrypt it when passing it to the server. This expensive task
explains why in some high-traffic infrastructures, sometimes there may be a
lot of load balancers.
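
The stickiness problem described above (picking a server from the source
address divided by the number of available servers, versus memorizing the
chosen target), as an added example that is not part of the original guide and
is not HAProxy code. The server names, the constructed client addresses taken
from 192.0.2.0/24 and the StickTable class are assumptions made for the
illustration.

```python
import ipaddress


def pick_by_modulo(client_ip, servers):
    """Hash-based choice: the address modulo the number of available servers."""
    return servers[int(ipaddress.ip_address(client_ip)) % len(servers)]


class StickTable:
    """Hypothetical in-memory table memorizing the server chosen per client."""

    def __init__(self):
        self._entries = {}

    def pick(self, client_ip, servers):
        chosen = self._entries.get(client_ip)
        if chosen not in servers:
            # First visit, or the memorized server is down: choose and remember.
            chosen = pick_by_modulo(client_ip, servers)
            self._entries[client_ip] = chosen
        return chosen


def moved_clients(before, after, failed):
    """Clients sent to a new server although their own server is still up."""
    return sorted(ip for ip in before
                  if before[ip] != failed and after[ip] != before[ip])


def simulate():
    servers = ["s1", "s2", "s3", "s4"]                 # assumed farm
    clients = [f"192.0.2.{i}" for i in range(1, 101)]  # constructed sample
    failed = "s4"
    survivors = [s for s in servers if s != failed]

    # Stateless selection: recomputed from scratch on every request.
    modulo_before = {ip: pick_by_modulo(ip, servers) for ip in clients}
    modulo_after = {ip: pick_by_modulo(ip, survivors) for ip in clients}

    # Memorized selection: only clients of the failed server are re-assigned.
    table = StickTable()
    table_before = {ip: table.pick(ip, servers) for ip in clients}
    table_after = {ip: table.pick(ip, survivors) for ip in clients}

    return (moved_clients(modulo_before, modulo_after, failed),
            moved_clients(table_before, table_after, failed))


if __name__ == "__main__":
    modulo_moved, table_moved = simulate()
    print("modulo only :", len(modulo_moved), "clients of healthy servers moved")
    print("memorized   :", len(table_moved), "clients of healthy servers moved")
```

With the memorized choice only the visitors of the failed server are
re-assigned, and they keep their new server once the failed one comes back.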

Since a layer 7 load balancer may perform a number of complex operations on
the traffic (decrypt, parse, modify, match cookies, decide what server to send
to, etc), it can definitely cause some trouble and will very commonly be
accused of being responsible for a lot of trouble that it only revealed. Often
it will be discovered that servers are unstable and periodically go up and
down, or for web servers, that they deliver pages with some hard-coded links
forcing the clients to connect directly to one specific server without passing
via the load balancer, or that they take ages to respond under high load
causing timeouts. That's why logging is an extremely important aspect of layer
7 load balancing. Once a trouble is reported, it is important to figure if the
load balancer took a wrong decision and if so why so that it doesn't happen
anymore.


3. Introduction to HAProxy
--------------------------

HAProxy is written as "HAProxy" to designate the product, and as "haproxy" to
designate the executable program, software package or a process. However, both
are commonly used for both purposes, and are pronounced H-A-Proxy. Very early,
"haproxy" used to stand for "high availability proxy" and the name was written
in two separate words, though by now it means nothing else than "HAProxy".


3.1. What HAProxy is and isn't
------------------------------

HAProxy is :

  - a TCP proxy : it can accept a TCP connection from a listening socket,
    connect to a server and attach these sockets together allowing traffic to
    flow in both directions; IPv4, IPv6 and even UNIX sockets are supported on
    either side, so this can provide an easy way to translate addresses
    between different families.

  - an HTTP reverse-proxy (called a "gateway" in HTTP terminology) : it
    presents itself as a server, receives HTTP requests over connections
    accepted on a listening TCP socket, and passes the requests from these
    connections to servers using different connections. It may use any
    combination of HTTP/1.x or HTTP/2 on any side and will even automatically
    detect the protocol spoken on each side when ALPN is used over TLS.

  - an SSL terminator / initiator / offloader : SSL/TLS may be used on the
    connection coming from the client, on the connection going to the server,
    or even on both connections. A lot of settings can be applied per name
    (SNI), and may be updated at runtime without restarting. Such setups are
    extremely scalable and deployments involving tens to hundreds of thousands
    of certificates were reported.

  - a TCP normalizer : since connections are locally terminated by the
    operating system, there is no relation between both sides, so abnormal
    traffic such as invalid packets, flag combinations, window advertisements,
    sequence numbers, incomplete connections (SYN floods), or so will not be
    passed to the other side. This protects fragile TCP stacks from protocol
    attacks, and also allows to optimize the connection parameters with the
    client without having to modify the servers' TCP stack settings.

  - an HTTP normalizer : when configured to process HTTP traffic, only valid
    complete requests are passed. This protects against a lot of
    protocol-based attacks. Additionally, protocol deviations for which there
    is a tolerance in the specification are fixed so that they don't cause
    problems on the servers (e.g. multiple-line headers).

  - an HTTP fixing tool : it can modify / fix / add / remove / rewrite the URL
    or any request or response header. This helps fixing interoperability
    issues in complex environments.

  - a content-based switch : it can consider any element from the request to
    decide what server to pass the request or connection to. Thus it is
    possible to handle multiple protocols over a same port (e.g. HTTP, HTTPS,
    SSH).

  - a server load balancer : it can load balance TCP connections and HTTP
    requests. In TCP mode, load balancing decisions are taken for the whole
    connection. In HTTP mode, decisions are taken per request.

  - a traffic regulator : it can apply some rate limiting at various points,
    protect the servers against overloading, adjust traffic priorities based
    on the contents, and even pass such information to lower layers and outer
    network components by marking packets.

  - a protection against DDoS and service abuse : it can maintain a wide
    number of statistics per IP address, URL, cookie, etc and detect when an
    abuse is happening, then take action (slow down the offenders, block them,
    send them to outdated contents, etc).

  - an observation point for network troubleshooting : due to the precision of
    the information reported in logs, it is often used to narrow down some
    network-related issues.

  - an HTTP compression offloader : it can compress responses which were not
    compressed by the server, thus reducing the page load time for clients
    with poor connectivity or using high-latency, mobile networks.

  - a caching proxy : it may cache responses in RAM so that subsequent
    requests for the same object avoid the cost of another network transfer
    from the server as long as the object remains present and valid. It will
    however not store objects to any persistent storage. Please note that this
    caching feature is designed to be maintenance free and focuses solely on
    saving haproxy's precious resources and not on saving the server's
    resources. Caches designed to optimize servers require much more tuning
    and flexibility. If you instead need such an advanced cache, please use
    Varnish Cache, which integrates perfectly with haproxy, especially when
    SSL/TLS is needed on any side.

  - a FastCGI gateway : FastCGI can be seen as a different representation of
    HTTP, and as such, HAProxy can directly load-balance a farm comprising any
    combination of FastCGI application servers without requiring to insert
    another level of gateway between them. This results in resource savings
    and a reduction of maintenance costs.

HAProxy is not :

  - an explicit HTTP proxy, i.e. the proxy that browsers use to reach the
    internet. There is excellent open-source software dedicated to this task,
    such as Squid. However HAProxy can be installed in front of such a proxy
    to provide load balancing and high availability.

  - a data scrubber : it will not modify the body of requests nor responses.

  - a static web server : during startup, it isolates itself inside a chroot
    jail and drops its privileges, so that it will not perform any single
    file-system access once started. As such it cannot be turned into a static
    web server (dynamic servers are supported through FastCGI however). There
    is excellent open-source software for this such as Apache or Nginx, and
    HAProxy can be easily installed in front of them to provide load
    balancing, high availability and acceleration.

  - a packet-based load balancer : it will not see IP packets nor UDP
    datagrams, will not perform NAT or even less DSR. These are tasks for
    lower layers. Some kernel-based components such as IPVS (Linux Virtual
    Server) already do this pretty well and complement perfectly with HAProxy.


3.2. How HAProxy works
----------------------

HAProxy is an event-driven, non-blocking engine combining a very fast I/O
layer with a priority-based, multi-threaded scheduler. As it is designed with
a data forwarding goal in mind, its architecture is optimized to move data as
fast as possible with the least possible operations. It focuses on optimizing
the CPU cache's efficiency by sticking connections to the same CPU as long as
possible. As such it implements a layered model offering bypass mechanisms at
each level ensuring data doesn't reach higher levels unless needed. Most of
the processing is performed in the kernel, and HAProxy does its best to help
the kernel do the work as fast as possible by giving some hints or by avoiding
certain operations when it guesses they could be grouped later.
As a result, typical figures show 15% of the processing time spent in HAProxy
versus 85% in the kernel in TCP or HTTP close mode, and about 30% for HAProxy
versus 70% for the kernel in HTTP keep-alive mode.

A single process can run many proxy instances; configurations as large as
300000 distinct proxies in a single process were reported to run fine. A
single core, single CPU setup is far more than enough for more than 99% of
users, and as such, users of containers and virtual machines are encouraged to
use the absolute smallest images they can get to save on operational costs and
simplify troubleshooting. However the machine HAProxy runs on must never ever
swap, and its CPU must not be artificially throttled (sub-CPU allocation in
hypervisors) nor be shared with compute-intensive processes which would induce
a very high context-switch latency.

Threading allows to exploit all available processing capacity by using one
thread per CPU core. This is mostly useful for SSL or when data forwarding
rates above 40 Gbps are needed. In such cases it is critically important to
avoid communications between multiple physical CPUs, which can cause strong
bottlenecks in the network stack and in HAProxy itself. While counter-intuitive
to some, the first thing to do when facing some performance issues is often to
reduce the number of CPUs HAProxy runs on.

HAProxy only requires the haproxy executable and a configuration file to run.
For logging it is highly recommended to have a properly configured syslog
daemon and log rotations in place. Logs may also be sent to stdout/stderr,
which can be useful inside containers. The configuration files are parsed
before starting, then HAProxy tries to bind all listening sockets, and refuses
to start if anything fails. Past this point it cannot fail anymore. This means
that there are no runtime failures and that if it accepts to start, it will
work until it is stopped.

Once HAProxy is started, it does exactly 3 things :

  - process incoming connections;

  - periodically check the servers' status (known as health checks);

  - exchange information with other haproxy nodes.

Processing incoming connections is by far the most complex task as it depends
on a lot of configuration possibilities, but it can be summarized as the 9
steps below :

  - accept incoming connections from listening sockets that belong to a
    configuration entity known as a "frontend", which references one or
    multiple listening addresses;

  - apply the frontend-specific processing rules to these connections that may
    result in blocking them, modifying some headers, or intercepting them to
    execute some internal applets such as the statistics page or the CLI;

  - pass these incoming connections to another configuration entity
    representing a server farm known as a "backend", which contains the list
    of servers and the load balancing strategy for this server farm;

  - apply the backend-specific processing rules to these connections;

  - decide which server to forward the connection to according to the load
    balancing strategy;

  - apply the backend-specific processing rules to the response data;

  - apply the frontend-specific processing rules to the response data;

  - emit a log to report what happened in fine details;

  - in HTTP, loop back to the second step to wait for a new request, otherwise
    close the connection.

Frontends and backends are sometimes considered as half-proxies, since they
only look at one side of an end-to-end connection; the frontend only cares
about the clients while the backend only cares about the servers. HAProxy also
supports full proxies which are exactly the union of a frontend and a backend.
When HTTP processing is desired, the configuration will generally be split
into frontends and backends as they open a lot of possibilities since any
frontend may pass a connection to any backend.
With TCP-only proxies, using frontends and backends rarely provides a benefit
and the configuration can be more readable with full proxies.


3.3. Basic features
-------------------

This section will enumerate a number of features that HAProxy implements, some
of which are generally expected from any modern load balancer, and some of
which are a direct benefit of HAProxy's architecture. More advanced features
will be detailed in the next section.


3.3.1. Basic features : Proxying
--------------------------------

Proxying is the action of transferring data between a client and a server over
two independent connections. The following basic features are supported by
HAProxy regarding proxying and connection management :

  - Provide the server with a clean connection to protect them against any
    client-side defect or attack;

  - Listen to multiple IP addresses and/or ports, even port ranges;

  - Transparent accept : intercept traffic targeting any arbitrary IP address
    that doesn't even belong to the local system;

  - Server port doesn't need to be related to listening port, and may even be
    translated by a fixed offset (useful with ranges);

  - Transparent connect : spoof the client's (or any) IP address if needed
    when connecting to the server;

  - Provide a reliable return IP address to the servers in multi-site LBs;

  - Offload the server thanks to buffers and possibly short-lived connections
    to reduce their concurrent connection count and their memory footprint;

  - Optimize TCP stacks (e.g. SACK), congestion control, and reduce RTT
    impacts;

  - Support different protocol families on both sides (e.g. IPv4/IPv6/Unix);

  - Timeout enforcement : HAProxy supports multiple levels of timeouts
    depending on the stage the connection is, so that a dead client or server,
    or an attacker cannot be granted resources for too long;

  - Protocol validation: HTTP, SSL, or payload are inspected and invalid
    protocol elements are rejected, unless instructed to accept them anyway;

  - Policy enforcement : ensure that only what is allowed may be forwarded;

  - Both incoming and outgoing connections may be limited to certain network
    namespaces (Linux only), making it easy to build a cross-container,
    multi-tenant load balancer;

  - PROXY protocol presents the client's IP address to the server even for
    non-HTTP traffic. This is an HAProxy extension that was adopted by a
    number of third-party products by now, at least these ones at the time of
    writing :
      - client : haproxy, stud, stunnel, exaproxy, ELB, squid
      - server : haproxy, stud, postfix, exim, nginx, squid, node.js, varnish


3.3.2. Basic features : SSL
---------------------------

HAProxy's SSL stack is recognized as one of the most featureful according to
Google's engineers (http://istlsfastyet.com/). The most commonly used features
making it quite complete are :

  - SNI-based multi-hosting with no limit on sites count and focus on
    performance. At least one deployment is known for running 50000 domains
    with their respective certificates;

  - support for wildcard certificates reduces the need for many certificates ;

  - certificate-based client authentication with configurable policies on
    failure to present a valid certificate. This allows to present a different
    server farm to regenerate the client certificate for example;

  - authentication of the backend server ensures the backend server is the
    real one and not a man in the middle;

  - authentication with the backend server lets the backend server know it's
    really the expected haproxy node that is connecting to it;

  - TLS NPN and ALPN extensions make it possible to reliably offload
    SPDY/HTTP2 connections and pass them in clear text to backend servers;

  - OCSP stapling further reduces first page load time by delivering inline an
    OCSP response when the client requests a Certificate Status Request;

  - Dynamic record sizing provides both high performance and low latency, and
    significantly reduces page load time by letting the browser start to fetch
    new objects while packets are still in flight;

  - permanent access to all relevant SSL/TLS layer information for logging,
    access control, reporting etc. These elements can be embedded into HTTP
    header or even as a PROXY protocol extension so that the offloaded server
    gets all the information it would have had if it performed the SSL
    termination itself.

  - Detect, log and block certain known attacks even on vulnerable SSL libs,
    such as the Heartbleed attack affecting certain versions of OpenSSL.

  - support for stateless session resumption (RFC 5077 TLS Ticket extension).
    TLS tickets can be updated from CLI which provides the means to implement
    Perfect Forward Secrecy by frequently rotating the tickets.


3.3.3. Basic features : Monitoring
----------------------------------

HAProxy focuses a lot on availability. As such it cares about servers state,
and about reporting its own state to other network components :

  - Servers' state is continuously monitored using per-server parameters.
    This ensures the path to the server is operational for regular traffic;
  - Health checks support two hysteresis for up and down transitions in order to protect against state flapping;
  - Checks can be sent to a different address/port/protocol : this makes it easy to check a single service that is considered representative of multiple ones, for example the HTTPS port for an HTTP+HTTPS server.
  - Servers can track other servers and go down simultaneously : this ensures that servers hosting multiple services can fail atomically and that no one will be sent to a partially failed server;
  - Agents may be deployed on the server to monitor load and health : a server may be interested in reporting its load, operational status, administrative status independently from what health checks can see. By running a simple agent on the server, it's possible to consider the server's view of its own health in addition to the health checks validating the whole path;
  - Various check methods are available : TCP connect, HTTP request, SMTP hello, SSL hello, LDAP, SQL, Redis, send/expect scripts, all with/without SSL;
  - State change is notified in the logs and stats page with the failure reason (e.g. the HTTP response received at the moment the failure was detected). An e-mail can also be sent to a configurable address upon such a change ;
  - Server state is also reported on the stats interface and can be used to take routing decisions so that traffic may be sent to different farms depending on their sizes and/or health (e.g. loss of an inter-DC link);
  - HAProxy can use health check requests to pass information to the servers, such as their names, weight, the number of other servers in the farm etc. so that servers can adjust their response and decisions based on this knowledge (e.g. postpone backups to keep more CPU available);
  - Servers can use health checks to report more detailed state than just on/off (e.g. I would like to stop, please stop sending new visitors);
  - HAProxy itself can report its state to external components such as routers or other load balancers, allowing to build very complete multi-path and multi-layer infrastructures.

3.3.4. Basic features : High availability
-----------------------------------------

Just like any serious load balancer, HAProxy cares a lot about availability to ensure the best global service continuity :

  - Only valid servers are used ; the other ones are automatically evicted from load balancing farms ; under certain conditions it is still possible to force to use them though;
  - Support for a graceful shutdown so that it is possible to take servers out of a farm without affecting any connection;
  - Backup servers are automatically used when active servers are down and replace them so that sessions are not lost when possible. This also allows to build multiple paths to reach the same server (e.g. multiple interfaces);
  - Ability to return a global failed status for a farm when too many servers are down. This, combined with the monitoring capabilities makes it possible for an upstream component to choose a different LB node for a given service;
  - Stateless design makes it easy to build clusters : by design, HAProxy does its best to ensure the highest service continuity without having to store information that could be lost in the event of a failure. This ensures that a takeover is the most seamless possible;
  - Integrates well with standard VRRP daemon keepalived : HAProxy easily tells keepalived about its state and copes very well with floating virtual IP addresses. Note: only use IP redundancy protocols (VRRP/CARP) over cluster-based solutions (Heartbeat, ...) as they're the ones offering the fastest, most seamless, and most reliable switchover.

3.3.5. Basic features : Load balancing
--------------------------------------

HAProxy offers a fairly complete set of load balancing features, most of which are unfortunately not available in a number of other load balancing products :

  - no less than 10 load balancing algorithms are supported, some of which apply to input data to offer an infinite list of possibilities. The most common ones are round-robin (for short connections, pick each server in turn), leastconn (for long connections, pick the least recently used of the servers with the lowest connection count), source (for SSL farms or terminal server farms, the server directly depends on the client's source address), URI (for HTTP caches, the server directly depends on the HTTP URI), hdr (the server directly depends on the contents of a specific HTTP header field), first (for short-lived virtual machines, all connections are packed on the smallest possible subset of servers so that unused ones can be powered down);
  - all algorithms above support per-server weights so that it is possible to accommodate different server generations in a farm, or direct a small fraction of the traffic to specific servers (debug mode, running the next version of the software, etc);
  - dynamic weights are supported for round-robin, leastconn and consistent hashing ; this allows server weights to be modified on the fly from the CLI or even by an agent running on the server;
  - slow-start is supported whenever a dynamic weight is supported; this allows a server to progressively take the traffic.
    This is an important feature for fragile application servers which need to compile classes at runtime as well as cold caches which need to fill up before being run at full throttle;
  - hashing can apply to various elements such as client's source address, URL components, query string element, header field values, POST parameter, RDP cookie;
  - consistent hashing protects server farms against massive redistribution when adding or removing servers in a farm. That's very important in large cache farms and it allows slow-start to be used to refill cold caches;
  - a number of internal metrics such as the number of connections per server, per backend, the amount of available connection slots in a backend etc make it possible to build very advanced load balancing strategies.

3.3.6. Basic features : Stickiness
----------------------------------

Application load balancing would be useless without stickiness. HAProxy provides a fairly comprehensive set of possibilities to maintain a visitor on the same server even across various events such as server addition/removal, down/up cycles, and some methods are designed to be resistant to the distance between multiple load balancing nodes in that they don't require any replication :

  - stickiness information can be individually matched and learned from different places if desired. For example a JSESSIONID cookie may be matched both in a cookie and in the URL. Up to 8 parallel sources can be learned at the same time and each of them may point to a different stick-table;
  - stickiness information can come from anything that can be seen within a request or response, including source address, TCP payload offset and length, HTTP query string elements, header field values, cookies, and so on.
  - stick-tables are replicated between all nodes in a multi-master fashion;
  - commonly used elements such as SSL-ID or RDP cookies (for TSE farms) are directly accessible to ease manipulation;
  - all sticking rules may be dynamically conditioned by ACLs;
  - it is possible to decide not to stick to certain servers, such as backup servers, so that when the nominal server comes back, it automatically takes the load back. This is often used in multi-path environments;
  - in HTTP it is often preferred not to learn anything and instead manipulate a cookie dedicated to stickiness. For this, it's possible to detect, rewrite, insert or prefix such a cookie to let the client remember what server was assigned;
  - the server may decide to change or clean the stickiness cookie on logout, so that leaving visitors are automatically unbound from the server;
  - using ACL-based rules it is also possible to selectively ignore or enforce stickiness regardless of the server's state; combined with advanced health checks, that helps admins verify that the server they're installing is up and running before presenting it to the whole world;
  - an innovative mechanism to set a maximum idle time and duration on cookies ensures that stickiness can be smoothly stopped on devices which are never closed (smartphones, TVs, home appliances) without having to store them on persistent storage;
  - multiple server entries may share the same stickiness keys so that stickiness is not lost in multi-path environments when one path goes down;
  - soft-stop ensures that only users with stickiness information will continue to reach the server they've been assigned to but no new users will go there.

3.3.7. Basic features : Logging
-------------------------------

Logging is an extremely important feature for a load balancer, first because a load balancer is often wrongly accused of causing the problems it reveals, and second because it is placed at a critical point in an infrastructure where all normal and abnormal activity needs to be analyzed and correlated with other components.

HAProxy provides very detailed logs, with millisecond accuracy and the exact connection accept time that can be searched in firewall logs (e.g. for NAT correlation). By default, TCP and HTTP logs are quite detailed and contain everything needed for troubleshooting, such as source IP address and port, frontend, backend, server, timers (request receipt duration, queue duration, connection setup time, response headers time, data transfer time), global process state, connection counts, queue status, retries count, detailed stickiness actions and disconnect reasons, header captures with a safe output encoding. It is then possible to extend or replace this format to include any sampled data, variables, captures, resulting in very detailed information. For example it is possible to log the number of cumulative requests or number of different URLs visited by a client.

The log level may be adjusted per request using standard ACLs, so it is possible to automatically silence some logs considered as pollution and instead raise warnings when some abnormal behavior happens for a small part of the traffic (e.g. too many URLs or HTTP errors for a source address). Administrative logs are also emitted with their own levels to inform about the loss or recovery of a server for example.

Each frontend and backend may use multiple independent log outputs, which eases multi-tenancy. Logs are preferably sent over UDP, maybe JSON-encoded, and are truncated after a configurable line length in order to guarantee delivery.
But it is also possible to send them to stdout/stderr or any file descriptor, as well as to a ring buffer that a client can subscribe to in order to retrieve them.

3.3.8. Basic features : Statistics
----------------------------------

HAProxy provides a web-based statistics reporting interface with authentication, security levels and scopes. It is thus possible to provide each hosted customer with his own page showing only his own instances. This page can be located in a hidden URL part of the regular web site so that no new port needs to be opened. This page may also report the availability of other HAProxy nodes so that it is easy to spot if everything works as expected at a glance. The view is synthetic with a lot of details accessible (such as error causes, last access and last change duration, etc), which are also accessible as a CSV table that other tools may import to draw graphs. The page may self-refresh to be used as a monitoring page on a large display. In administration mode, the page also allows to change server state to ease maintenance operations.

A Prometheus exporter is also provided so that the statistics can be consumed in a different format depending on the deployment.

3.4. Standard features
----------------------

In this section, some features that are very commonly used in HAProxy but are not necessarily present on other load balancers are enumerated.

3.4.1. Standard features : Sampling and converting information
--------------------------------------------------------------

HAProxy supports information sampling using a wide set of "sample fetch functions". The principle is to extract pieces of information known as samples, for immediate use. This is used for stickiness, to build conditions, to produce information in logs or to enrich HTTP headers.

Samples can be fetched from various sources :

  - constants : integers, strings, IP addresses, binary blocks;
  - the process : date, environment variables, server/frontend/backend/process state, byte/connection counts/rates, queue length, random generator, ...
  - variables : per-session, per-request, per-response variables;
  - the client connection : source and destination addresses and ports, and all related statistics counters;
  - the SSL client session : protocol, version, algorithm, cipher, key size, session ID, all client and server certificate fields, certificate serial, SNI, ALPN, NPN, client support for certain extensions;
  - request and response buffers contents : arbitrary payload at offset/length, data length, RDP cookie, decoding of SSL hello type, decoding of TLS SNI;
  - HTTP (request and response) : method, URI, path, query string arguments, status code, headers values, positional header value, cookies, captures, authentication, body elements;

A sample may then pass through a number of operators known as "converters" to experience some transformation. A converter consumes a sample and produces a new one, possibly of a completely different type. For example, a converter may be used to return only the integer length of the input string, or could turn a string to upper case. Any arbitrary number of converters may be applied in series to a sample before final use.

Among all available sample converters, the following ones are the most commonly used :

  - arithmetic and logic operators : they make it possible to perform advanced computation on input data, such as computing ratios, percentages or simply converting from one unit to another one;
  - IP address masks are useful when some addresses need to be grouped by larger networks;
  - data representation : URL-decode, base64, hex, JSON strings, hashing;
  - string conversion : extract substrings at fixed positions, fixed length, extract specific fields around certain delimiters, extract certain words, change case, apply regex-based substitution;
  - date conversion : convert to HTTP date format, convert local to UTC and conversely, add or remove offset;
  - lookup an entry in a stick table to find statistics or assigned server;
  - map-based key-to-value conversion from a file (mostly used for geolocation).

3.4.2. Standard features : Maps
-------------------------------

Maps are a powerful type of converter consisting in loading a two-columns file into memory at boot time, then looking up each input sample from the first column and either returning the corresponding pattern on the second column if the entry was found, or returning a default value. The output information also being a sample, it can in turn experience other transformations including other map lookups. Maps are most commonly used to translate the client's IP address to an AS number or country code since they support a longest match for network addresses but they can be used for various other purposes.

Part of their strength comes from being updatable on the fly either from the CLI or from certain actions using other samples, making them capable of storing and retrieving information between subsequent accesses. Another strength comes from the binary tree based indexation which makes them extremely fast even when they contain hundreds of thousands of entries, making geolocation very cheap and easy to set up.

3.4.3. Standard features : ACLs and conditions
----------------------------------------------

Most operations in HAProxy can be made conditional. Conditions are built by combining multiple ACLs using logic operators (AND, OR, NOT). Each ACL is a series of tests based on the following elements :

  - a sample fetch method to retrieve the element to test ;
  - an optional series of converters to transform the element ;
  - a list of patterns to match against ;
  - a matching method to indicate how to compare the patterns with the sample

For example, the sample may be taken from the HTTP "Host" header, it could then be converted to lower case, then matched against a number of regex patterns using the regex matching method.

Technically, ACLs are built on the same core as the maps, they share the exact same internal structure, pattern matching methods and performance. The only real difference is that instead of returning a sample, they only return "found" or "not found". In terms of usage, ACL patterns may be declared inline in the configuration file and do not require their own file. ACLs may be named for ease of use or to make configurations understandable. A named ACL may be declared multiple times and it will evaluate all definitions in turn until one matches.

About 13 different pattern matching methods are provided, among which IP address mask, integer ranges, substrings, regex. They work like functions, and just like with any programming language, only what is needed is evaluated, so when a condition involving an OR is already true, next ones are not evaluated, and similarly when a condition involving an AND is already false, the rest of the condition is not evaluated.

There is no practical limit to the number of declared ACLs, and a handful of commonly used ones are provided.
However experience has shown that setups using a lot of named ACLs are quite hard to troubleshoot and that sometimes using anonymous ACLs inline is easier as it requires fewer references out of the scope being analyzed.

3.4.4. Standard features : Content switching
--------------------------------------------

HAProxy implements a mechanism known as content-based switching. The principle is that a connection or request arrives on a frontend, then the information carried with this request or connection is processed, and at this point it is possible to write ACLs-based conditions making use of this information to decide what backend will process the request. Thus the traffic is directed to one backend or another based on the request's contents. The most common example consists in using the Host header and/or elements from the path (sub-directories or file-name extensions) to decide whether an HTTP request targets a static object or the application, and to route static objects traffic to a backend made of fast and light servers, and all the remaining traffic to a more complex application server, thus constituting a fine-grained virtual hosting solution. This is quite convenient to make multiple technologies coexist as a more global solution.

Another use case of content-switching consists in using different load balancing algorithms depending on various criteria. A cache may use a URI hash while an application would use round-robin.

Last but not least, it allows multiple customers to use a small share of a common resource by enforcing per-backend (thus per-customer) connection limits.

Content switching rules scale very well, though their performance may depend on the number and complexity of the ACLs in use. But it is also possible to write dynamic content switching rules where a sample value directly turns into a backend name and without making use of ACLs at all. Such configurations have been reported to work fine at least with 300000 backends in production.

3.4.5. Standard features : Stick-tables
---------------------------------------

Stick-tables are commonly used to store stickiness information, that is, to keep a reference to the server a certain visitor was directed to. The key is then the identifier associated with the visitor (its source address, the SSL ID of the connection, an HTTP or RDP cookie, the customer number extracted from the URL or from the payload, ...) and the stored value is then the server's identifier.

Stick tables may use 3 different types of samples for their keys : integers, strings and addresses. Only one stick-table may be referenced in a proxy, and it is designated everywhere with the proxy name. Up to 8 keys may be tracked in parallel. The server identifier is committed during request or response processing once both the key and the server are known.

Stick-table contents may be replicated in active-active mode with other HAProxy nodes known as "peers" as well as with the new process during a reload operation so that all load balancing nodes share the same information and take the same routing decision if client's requests are spread over multiple nodes.

Since stick-tables are indexed on what allows to recognize a client, they are often also used to store extra information such as per-client statistics. The extra statistics take some extra space and need to be explicitly declared. The type of statistics that may be stored includes the input and output bandwidth, the number of concurrent connections, the connection rate and count over a period, the amount and frequency of errors, some specific tags and counters, etc. In order to support keeping such information without being forced to stick to a given server, a special "tracking" feature is implemented and allows to track up to 3 simultaneous keys from different tables at the same time regardless of stickiness rules. Each stored statistics may be searched, dumped and cleared from the CLI and adds to the live troubleshooting capabilities.
While this mechanism can be used to surclass a returning visitor or to adjust the delivered quality of service depending on good or bad behavior, it is mostly used to fight against service abuse and more generally DDoS as it allows to build complex models to detect certain bad behaviors at a high processing speed.

3.4.6. Standard features : Formatted strings
--------------------------------------------

There are many places where HAProxy needs to manipulate character strings, such as logs, redirects, header additions, and so on. In order to provide the greatest flexibility, the notion of Formatted strings was introduced, initially for logging purposes, which explains why it's still called "log-format". These strings contain escape characters allowing to introduce various dynamic data including variables and sample fetch expressions into strings, and even to adjust the encoding while the result is being turned into a string (for example, adding quotes). This provides a powerful way to build header contents, to build response data or even response templates, or to customize log lines. Additionally, in order to remain simple to build most common strings, about 50 special tags are provided as shortcuts for information commonly used in logs.

3.4.7. Standard features : HTTP rewriting and redirection
---------------------------------------------------------

Installing a load balancer in front of an application that was never designed for this can be a challenging task without the proper tools. One of the most commonly requested operations in this case is to adjust request and response headers to make the load balancer appear as the origin server and to fix hard coded information. This comes with changing the path in requests (which is strongly advised against), modifying Host header field, modifying the Location response header field for redirects, modifying the path and domain attribute for cookies, and so on.

It also happens that a number of servers are somewhat verbose and tend to leak too much information in the response, making them more vulnerable to targeted attacks. While it's theoretically not the role of a load balancer to clean this up, in practice it's located at the best place in the infrastructure to guarantee that everything is cleaned up.

Similarly, sometimes the load balancer will have to intercept some requests and respond with a redirect to a new target URL. While some people tend to confuse redirects and rewriting, these are two completely different concepts, since the rewriting makes the client and the server see different things (and disagree on the location of the page being visited) while redirects ask the client to visit the new URL so that it sees the same location as the server.

In order to do this, HAProxy supports various possibilities for rewriting and redirects, among which :

  - regex-based URL and header rewriting in requests and responses. Regex are the most commonly used tool to modify header values since they're easy to manipulate and well understood;
  - headers may also be appended, deleted or replaced based on formatted strings so that it is possible to pass information there (e.g. client side TLS algorithm and cipher);
  - HTTP redirects can use any 3xx code to a relative, absolute, or completely dynamic (formatted string) URI;
  - HTTP redirects also support some extra options such as setting or clearing a specific cookie, dropping the query string, appending a slash if missing, and so on;
  - a powerful "return" directive allows to customize every part of a response like status, headers, body using dynamic contents or even template files;
  - all operations support ACL-based conditions.

3.4.8. Standard features : Server protection
--------------------------------------------

HAProxy does a lot to maximize service availability, and for this it takes large efforts to protect servers against overloading and attacks.
The first and most important point is that only complete and valid requests are forwarded to the servers. The initial reason is that HAProxy needs to find the protocol elements it needs to stay synchronized with the byte stream, and the second reason is that until the request is complete, there is no way to know if some elements will change its semantics. The direct benefit from this is that servers are not exposed to invalid or incomplete requests. This is a very effective protection against slowloris attacks, which have almost no impact on HAProxy.

Another important point is that HAProxy contains buffers to store requests and responses, and that by only sending a request to a server when it's complete and by reading the whole response very quickly from the local network, the server side connection is used for a very short time and this preserves server resources as much as possible.

A direct extension to this is that HAProxy can artificially limit the number of concurrent connections or outstanding requests to a server, which guarantees that the server will never be overloaded even if it continuously runs at 100% of its capacity during traffic spikes. All excess requests will simply be queued to be processed when one slot is released. In the end, these huge resource savings most often ensure so much better server response times that it ends up actually being faster than by overloading the server. Queued requests may be redispatched to other servers, or even aborted in queue when the client aborts, which also protects the servers against the "reload effect", where each click on "reload" by a visitor on a slow-loading page usually induces a new request and maintains the server in an overloaded state.

The slow-start mechanism also protects restarting servers against high traffic levels while they're still finalizing their startup or compiling some classes.
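
The rule above that only complete and valid requests reach the servers, modelled as an added Python example; it is not HAProxy's code and not part of the original guide. For validity it applies the duplicate Content-Length rule this section gives (identical values merged, differing values rejected); the class and function names, the 16 kB head limit, the 5 second deadline and the sample requests are assumptions of the sketch.

```python
"""Sketch of a request gate: forward only complete, valid HTTP request heads."""

MAX_HEAD_BYTES = 16384   # assumed buffer limit for this sketch
HEAD_TIMEOUT = 5.0       # assumed seconds allowed to deliver the whole head


class Reject(Exception):
    """The request must not be forwarded to a server."""


def parse_head(raw):
    """Split a complete head (bytes, without the final blank line) into parts."""
    lines = raw.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise Reject("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # No colon, an empty name, or whitespace around the name is invalid.
        if not sep or not name or name != name.strip():
            raise Reject("malformed header line")
        headers.append((name, value.strip()))
    return lines[0], headers


def reconcile_content_length(headers):
    """Keep one Content-Length if all copies are identical, reject otherwise."""
    lengths = []
    for name, value in headers:
        if name.lower() == "content-length":
            # One header line may itself carry a comma-separated list.
            lengths.extend(part.strip() for part in value.split(","))
    if not lengths:
        return list(headers)
    if any(not (v.isascii() and v.isdigit()) for v in lengths):
        raise Reject("non-numeric Content-Length")
    if len(set(lengths)) != 1:
        raise Reject("conflicting Content-Length values")
    merged, seen = [], False
    for name, value in headers:
        if name.lower() == "content-length":
            if seen:
                continue          # drop the redundant copies
            seen, value = True, lengths[0]
        merged.append((name, value))
    return merged


class RequestGate:
    """Buffers one client's bytes until the head is complete or must be dropped."""

    def __init__(self, accepted_at):
        self.deadline = accepted_at + HEAD_TIMEOUT
        self.buf = bytearray()

    def feed(self, data, now):
        """Return None while incomplete, else (request_line, headers)."""
        if now > self.deadline:
            raise Reject("request head not completed in time")
        self.buf += data
        end = self.buf.find(b"\r\n\r\n")
        if (end if end >= 0 else len(self.buf)) > MAX_HEAD_BYTES:
            raise Reject("request head too large")
        if end < 0:
            return None           # nothing is sent to the server yet
        line, headers = parse_head(bytes(self.buf[:end]))
        return line, reconcile_content_length(headers)


def outcome(chunks):
    """Run constructed (timestamp, bytes) chunks through a fresh gate."""
    gate = RequestGate(accepted_at=0.0)
    try:
        for now, data in chunks:
            result = gate.feed(data, now)
            if result is not None:
                return ("forward", result)
        return ("waiting", None)
    except Reject as exc:
        return ("reject", str(exc))


# Constructed sample inputs (not captured traffic).
HEAD = b"POST /u HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
SLOW = [(0.0, b"GET / HTTP/1.1\r\n"), (3.0, b"X-a: 1\r\n"), (6.0, b"X-b: 2\r\n")]
PARTIAL = [(0.1, b"GET / HTTP/1.1\r\nHost: a")]
SAME = [(0.1, HEAD + b"Content-Length: 5\r\n\r\nhello")]
DIFF = [(0.1, HEAD + b"Content-Length: 50\r\n\r\nhello")]

if __name__ == "__main__":
    for label, sample in [("slow", SLOW), ("partial", PARTIAL),
                          ("same", SAME), ("diff", DIFF)]:
        print(label, outcome(sample))
```

In a real proxy the deadline is enforced by a timer rather than on the next read, so a client that sends nothing further is also dropped.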

Regarding the protocol-level protection, it is possible to relax the HTTP parser to accept non standard-compliant but harmless requests or responses and even to fix them. This allows bogus applications to be accessible while a fix is being developed. In parallel, offending messages are completely captured with a detailed report that helps developers spot the issue in the application. The most dangerous protocol violations are properly detected and dealt with and fixed. For example malformed requests or responses with two Content-length headers are either fixed if the values are exactly the same, or rejected if they differ, since it becomes a security problem. Protocol inspection is not limited to HTTP, it is also available for other protocols like TLS or RDP.

When a protocol violation or attack is detected, there are various options to respond to the user, such as returning the common "HTTP 400 bad request", closing the connection with a TCP reset, or faking an error after a long delay ("tarpit") to confuse the attacker. All of these contribute to protecting the servers by discouraging the offending client from pursuing an attack that becomes very expensive to maintain.

HAProxy also proposes some more advanced options to protect against accidental data leaks and session crossing. Not only can it log suspicious server responses but it will also log and optionally block a response which might affect a given visitor's confidentiality. One such example is a cacheable cookie appearing in a cacheable response and which may result in an intermediary cache delivering it to another visitor, causing an accidental session sharing.

3.5. Advanced features
----------------------

3.5.1. Advanced features : Management
-------------------------------------

HAProxy is designed to remain extremely stable and safe to manage in a regular production environment. It is provided as a single executable file which doesn't require any installation process.
Multiple versions can easily coexist, meaning that it's possible (and recommended) to upgrade instances progressively by order of importance instead of migrating all of them at once. Configuration files are easily versioned. Configuration checking is done off-line so it doesn't require to restart a service that will possibly fail. During configuration checks, a number of advanced mistakes may be detected (e.g. a rule hiding another one, or stickiness that will not work) and detailed warnings and configuration hints are proposed to fix them. Backwards configuration file compatibility goes very far away in time, with version 1.5 still fully supporting configurations for versions 1.1 written 13 years before, and 1.6 only dropping support for almost unused, obsolete keywords that can be done differently. The configuration and software upgrade mechanism is smooth and non disruptive in that it allows old and new processes to coexist on the system, each handling its own connections. System status, build options, and library compatibility are reported on startup.

Some advanced features allow an application administrator to smoothly stop a server, detect when there's no activity on it anymore, then take it off-line, stop it, upgrade it and ensure it doesn't take any traffic while being upgraded, then test it again through the normal path without opening it to the public, and all of this without touching HAProxy at all. This ensures that even complicated production operations may be done during opening hours with all technical resources available.

The process tries to save resources as much as possible, uses memory pools to save on allocation time and limit memory fragmentation, releases payload buffers as soon as their contents are sent, and supports enforcing strong memory limits above which connections have to wait for a buffer to become available instead of allocating more memory. This system helps guarantee memory usage in certain strict environments.

A command line interface (CLI) is available as a UNIX or TCP socket, to perform a number of operations and to retrieve troubleshooting information. Everything done on this socket doesn't require a configuration change, so it is mostly used for temporary changes. Using this interface it is possible to change a server's address, weight and status, to consult statistics and clear counters, dump and clear stickiness tables, possibly selectively by key criteria, dump and kill client-side and server-side connections, dump captured errors with a detailed analysis of the exact cause and location of the error, dump, add and remove entries from ACLs and maps, update TLS shared secrets, apply connection limits and rate limits on the fly to arbitrary frontends (useful in shared hosting environments), and disable a specific frontend to release a listening port (useful when daytime operations are forbidden and a fix is needed nonetheless). Updating certificates and their configuration on the fly is permitted, as well as enabling and consulting traces of every processing step of the traffic.

For environments where SNMP is mandatory, at least two agents exist, one is provided with the HAProxy sources and relies on the Net-SNMP Perl module. Another one is provided with the commercial packages and doesn't require Perl. Both are roughly equivalent in terms of coverage.

It is often recommended to install 4 utilities on the machine where HAProxy is deployed :

  - socat (in order to connect to the CLI, though certain forks of netcat can also do it to some extent);
  - halog from the latest HAProxy version : this is the log analysis tool, it parses native TCP and HTTP logs extremely fast (1 to 2 GB per second) and extracts useful information and statistics such as requests per URL, per source address, URLs sorted by response time or error rate, termination codes etc.
    It was designed to be deployed on the production servers to help troubleshoot live issues so it has to be there ready to be used;
  - tcpdump : this is highly recommended to take the network traces needed to troubleshoot an issue that was made visible in the logs. There is a moment where application and haproxy's analysis will diverge and the network traces are the only way to say who's right and who's wrong. It's also fairly common to detect bugs in network stacks and hypervisors thanks to tcpdump;
  - strace : it is tcpdump's companion. It will report what HAProxy really sees and will help sort out the issues the operating system is responsible for from the ones HAProxy is responsible for. Strace is often requested when a bug in HAProxy is suspected;

3.5.2. Advanced features : System-specific capabilities
-------------------------------------------------------

Depending on the operating system HAProxy is deployed on, certain extra features may be available or needed. While it is supported on a number of platforms, HAProxy is primarily developed on Linux, which explains why some features are only available on this platform.

The transparent bind and connect features, the support for binding connections to a specific network interface, as well as the ability to bind multiple processes to the same IP address and ports are only available on Linux and BSD systems, though only Linux performs a kernel-side load balancing of the incoming requests between the available processes.
On Linux, there are also a number of extra features and optimizations
including support for network namespaces (also known as "containers")
allowing HAProxy to be a gateway between all containers, the ability to set
the MSS, Netfilter marks and IP TOS field on the client side connection,
support for TCP FastOpen on the listening side, TCP user timeouts to let the
kernel quickly kill connections when it detects the client has disappeared
before the configured timeouts, TCP splicing to let the kernel forward data
between the two sides of a connection thus avoiding multiple memory copies,
the ability to enable the "defer-accept" bind option to only get notified of
an incoming connection once data become available in the kernel buffers, and
the ability to send the request with the ACK confirming a connect (sometimes
called "piggy-back") which is enabled with the "tcp-smart-connect" option. On
Linux, HAProxy also takes great care of manipulating the TCP delayed ACKs to
save as many packets as possible on the network.

Some systems have an unreliable clock which jumps back and forth in the past
and in the future. This used to happen with some NUMA systems where multiple
processors didn't see the exact same time of day, and recently it became more
common in virtualized environments where the virtual clock has no relation
with the real clock, resulting in huge time jumps (sometimes up to 30 seconds
have been observed). This causes a lot of trouble with respect to timeout
enforcement in general. Due to this flaw of these systems, HAProxy maintains
its own monotonic clock which is based on the system's clock but where drift
is measured and compensated for. This ensures that even with a very bad
system clock, timers remain reasonably accurate and timeouts continue to
work. Note that this problem affects all the software running on such systems
and is not specific to HAProxy. The common effects are spurious timeouts or
application freezes.
Thus if this behavior is detected on a system, it must be fixed, regardless
of the fact that HAProxy protects itself against it.

On Linux, a new starting process may communicate with the previous one to
reuse its listening file descriptors so that the listening sockets are never
interrupted during the process's replacement.


3.5.3. Advanced features : Scripting
------------------------------------

HAProxy can be built with support for the Lua embedded language, which opens
a wide area of new possibilities related to complex manipulation of requests
or responses, routing decisions, statistics processing and so on. Using Lua
it is even possible to establish parallel connections to other servers to
exchange information. This way it becomes possible (though complex) to
develop an authentication system for example. Please refer to the
documentation in the file "doc/lua-api/index.rst" for more information on how
to use Lua.


3.5.4. Advanced features: Tracing
---------------------------------

At any moment an administrator may connect over the CLI and enable tracing in
various internal subsystems. Various levels of details are provided by
default so that in practice anything between one line per request to 500
lines per request can be retrieved. Filters as well as an automatic capture
on/off/pause mechanism are available so that it really is possible to wait
for a certain event and watch it in detail. This is extremely convenient to
diagnose protocol violations from faulty servers and clients, or denial of
service attacks.


3.6. Sizing
-----------

Typical CPU usage figures show 15% of the processing time spent in HAProxy
versus 85% in the kernel in TCP or HTTP close mode, and about 30% for HAProxy
versus 70% for the kernel in HTTP keep-alive mode. This means that the
operating system and its tuning have a strong impact on the global
performance.

Usages vary a lot between users, some focus on bandwidth, other ones on
request rate, others on connection concurrency, others on SSL performance.
This section aims at providing a few elements to help with this task.

It is important to keep in mind that every operation comes with a cost, so
each individual operation adds its overhead on top of the other ones, which
may be negligible in certain circumstances, and which may dominate in other
cases.

When processing the requests from a connection, we can say that :

  - forwarding data costs less than parsing request or response headers;

  - parsing request or response headers costs less than establishing then
    closing a connection to a server;

  - establishing and closing a connection costs less than a TLS resume
    operation;

  - a TLS resume operation costs less than a full TLS handshake with a key
    computation;

  - an idle connection costs less CPU than a connection whose buffers hold
    data;

  - a TLS context costs even more memory than a connection with data;

So in practice, it is cheaper to process payload bytes than header bytes,
thus it is easier to achieve high network bandwidth with large objects (few
requests per volume unit) than with small objects (many requests per volume
unit). This explains why maximum bandwidth is always measured with large
objects, while request rate or connection rates are measured with small
objects.

Some operations scale well on multiple processes spread over multiple CPUs,
and others don't scale as well. Network bandwidth doesn't scale very far
because the CPU is rarely the bottleneck for large objects, it's mostly the
network bandwidth and data buses to reach the network interfaces. The
connection rate doesn't scale well over multiple processors due to a few
locks in the system when dealing with the local ports table. The request rate
over persistent connections scales very well as it doesn't involve much
memory nor network bandwidth and doesn't require access to locked structures.
TLS key computation scales very well as it's totally CPU-bound. TLS resume
scales moderately well, but reaches its limits around 4 processes where the
overhead of accessing the shared table offsets the small gains expected from
more power.

The performance numbers one can expect from a very well tuned system are in
the following range. It is important to take them as orders of magnitude and
to expect significant variations in any direction based on the processor, IRQ
setting, memory type, network interface type, operating system tuning and so
on.

The following numbers were found on a Core i7 running at 3.7 GHz equipped
with a dual-port 10 Gbps NICs running Linux kernel 3.10, HAProxy 1.6 and
OpenSSL 1.0.2. HAProxy was running as a single process on a single dedicated
CPU core, and two extra cores were dedicated to network interrupts :

  - 20 Gbps of maximum network bandwidth in clear text for objects 256 kB or
    higher, 10 Gbps for 41kB or higher;

  - 4.6 Gbps of TLS traffic using AES256-GCM cipher with large objects;

  - 83000 TCP connections per second from client to server;

  - 82000 HTTP connections per second from client to server;

  - 97000 HTTP requests per second in server-close mode (keep-alive with the
    client, close with the server);

  - 243000 HTTP requests per second in end-to-end keep-alive mode;

  - 300000 filtered TCP connections per second (anti-DDoS);

  - 160000 HTTPS requests per second in keep-alive mode over persistent TLS
    connections;

  - 13100 HTTPS requests per second using TLS resumed connections;

  - 1300 HTTPS connections per second using TLS connections renegotiated with
    RSA2048;

  - 20000 concurrent saturated connections per GB of RAM, including the
    memory required for system buffers; it is possible to do better with
    careful tuning but this result is easy to achieve.

  - about 8000 concurrent TLS connections (client-side only) per GB of RAM,
    including the memory required for system buffers;

  - about 5000 concurrent end-to-end TLS connections (both sides) per GB of
    RAM including the memory required for system buffers;

A more recent benchmark featuring the multi-thread enabled HAProxy 2.4 on a
64-core ARM Graviton2 processor in AWS reached 2 million HTTPS requests per
second at sub-millisecond response time, and 100 Gbps of traffic:

  https://www.haproxy.com/blog/haproxy-forwards-over-2-million-http-requests-per-second-on-a-single-aws-arm-instance/

Thus a good rule of thumb to keep in mind is that the request rate is divided
by 10 between TLS keep-alive and TLS resume, and between TLS resume and TLS
renegotiation, while it's only divided by 3 between HTTP keep-alive and HTTP
close. Another good rule of thumb is to remember that a high frequency core
with AES instructions can do around 20 Gbps of AES-GCM per core.

Another good rule of thumb is to consider that on the same server, HAProxy
will be able to saturate :

  - about 5-10 static file servers or caching proxies;

  - about 100 anti-virus proxies;

  - and about 100-1000 application servers depending on the technology in
    use.


3.7. How to get HAProxy
-----------------------

HAProxy is an open source project covered by the GPLv2 license, meaning that
everyone is allowed to redistribute it provided that access to the sources is
also provided upon request, especially if any modifications were made.

HAProxy evolves as a main development branch called "master" or "mainline",
from which new branches are derived once the code is considered stable. A lot
of web sites run some development branches in production on a voluntary
basis, either to participate in the project or because they need a bleeding
edge feature, and their feedback is highly valuable to fix bugs and judge the
overall quality and stability of the version being developed.

The new branches that are created when the code is stable enough constitute a
stable version and are generally maintained for several years, so that there
is no emergency to migrate to a newer branch even when you're not on the
latest. Once a stable branch is issued, it may only receive bug fixes, and
very rarely minor feature updates when that makes users' life easier. All
fixes that go into a stable branch necessarily come from the master branch.
This guarantees that no fix will be lost after an upgrade. For this reason,
if you fix a bug, please make the patch against the master branch, not the
stable branch. You may even discover it was already fixed. This process also
ensures that regressions in a stable branch are extremely rare, so there is
never any excuse for not upgrading to the latest version in your current
branch.

Branches are numbered with two digits delimited with a dot, such as "1.6".
Since 1.9, branches with an odd second digit are mostly focused on sensitive
technical updates and more aimed at advanced users because they are likely to
trigger more bugs than the other ones. They are maintained for about a year
only and must not be deployed where they cannot be rolled back in emergency.
A complete version includes one or two sub-version numbers indicating the
level of fix. For example, version 1.5.14 is the 14th fix release in branch
1.5 after version 1.5.0 was issued. It contains 126 fixes for individual
bugs, 24 updates on the documentation, and 75 other backported patches, most
of which were needed to fix the aforementioned 126 bugs. An existing feature
may never be modified nor removed in a stable branch, in order to guarantee
that upgrades within the same branch will always be harmless.

HAProxy is available from multiple sources, at different release rhythms :

  - The official community web site : / : this site provides the sources of
    the latest development release, all stable releases, as well as nightly
    snapshots for each branch.
    The release cycle is not fast, several months between stable releases, or
    between development snapshots. Very old versions are still supported
    there. Everything is provided as sources only, so whatever comes from
    there needs to be rebuilt and/or repackaged;

  - GitHub : https://github.com/haproxy/haproxy/ : this is the mirror for the
    development branch only, which provides integration with the issue
    tracker, continuous integration and code coverage tools. This is
    exclusively for contributors;

  - A number of operating systems such as Linux distributions and BSD ports.
    These systems generally provide long-term maintained versions which do
    not always contain all the fixes from the official ones, but which at
    least contain the critical fixes. It often is a good option for most
    users who do not seek advanced configurations and just want to keep
    updates easy;

  - Commercial versions from http://www.haproxy.com/ : these are supported
    professional packages built for various operating systems or provided as
    appliances, based on the latest stable versions and including a number of
    features backported from the next release for which there is a strong
    demand. It is the best option for users seeking the latest features with
    the reliability of a stable branch, the fastest response time to fix
    bugs, or simply support contracts on top of an open source product;

In order to ensure that the version you're using is the latest one in your
branch, you need to proceed this way :

  - verify which HAProxy executable you're running : some systems ship it by
    default and administrators install their versions somewhere else on the
    system, so it is important to verify in the startup scripts which one is
    used;

  - determine which source your HAProxy version comes from. For this, it's
    generally sufficient to type "haproxy -v".
    A development version will appear like this, with the "dev" word after
    the branch number :

        HAProxy version 2.4-dev18-a5357c-137 2021/05/09 - https://haproxy.org/

    A stable version will appear like this, as well as unmodified stable
    versions provided by operating system vendors :

        HAProxy version 1.5.14 2015/07/02

    And a nightly snapshot of a stable version will appear like this with a
    hexadecimal sequence after the version, and with the date of the snapshot
    instead of the date of the release :

        HAProxy version 1.5.14-e4766ba 2015/07/29

    Any other format may indicate a system-specific package with its own
    patch set. For example HAProxy Enterprise versions will appear with the
    following format (--) :

        HAProxy version 1.5.0-994126-357 2015/07/02

    Please note that historically versions prior to 2.4 used to report the
    process name with a hyphen between "HA" and "Proxy", including those
    above which were adjusted to show the correct format only, so better
    ignore this word or use a relaxed match in scripts. Additionally, modern
    versions add a URL linking to the project's home.

    Finally, versions 2.1 and above will include a "Status" line indicating
    whether the version is safe for production or not, and if so, till when,
    as well as a link to the list of known bugs affecting this version.

  - for system-specific packages, you have to check with your vendor's
    package repository or update system to ensure that your system is still
    supported, and that fixes are still provided for your branch. For
    community versions coming from haproxy.org, just visit the site, verify
    the status of your branch and compare the latest version with yours to
    see if you're on the latest one. If not you can upgrade. If your branch
    is not maintained anymore, you're definitely very late and will have to
    consider an upgrade to a more recent branch (carefully read the README
    when doing so).

HAProxy will have to be updated according to the source it came from.
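
The banner formats and branch numbering rules described above can be checked
mechanically when auditing a fleet. The script below is an added example, not
part of the HAProxy documentation or sources: the names classify, VersionInfo
and run_haproxy_v are illustrative, the "Status:" line prefix is an assumption,
and the result is a hint to confirm against the branch status on the project
site.

```python
#!/usr/bin/env python3
"""Classify the banner printed by `haproxy -v` (added example)."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Relaxed match: versions before 2.4 print "HA-Proxy", newer ones "HAProxy",
# and modern versions append " - <project URL>" after the date.
BANNER_RE = re.compile(
    r"^HA-?Proxy\s+version\s+(?P<version>\S+)\s+(?P<date>\d{4}/\d{2}/\d{2})"
    r"(?:\s+-\s+\S+)?\s*$",
    re.IGNORECASE,
)
# <major>.<minor>[.<fix>][-<suffix>]
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<fix>\d+))?(?:-(?P<suffix>.+))?$"
)


@dataclass
class VersionInfo:
    kind: str                      # stable, development, snapshot, ...
    branch: Optional[str] = None   # e.g. "1.5"
    fix: Optional[int] = None      # fix level inside the branch, e.g. 14
    suffix: Optional[str] = None   # whatever follows the first hyphen
    date: Optional[str] = None     # release or snapshot date from the banner
    short_lived: bool = False      # odd second digit since 1.9
    status: Optional[str] = None   # text of the "Status" line, if present


def classify(output: str) -> VersionInfo:
    """Classify the full output of `haproxy -v` by its first line."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    banner = BANNER_RE.match(lines[0]) if lines else None
    version = VERSION_RE.match(banner["version"]) if banner else None
    if not version:
        return VersionInfo(kind="unrecognized")

    major, minor = int(version["major"]), int(version["minor"])
    fix = int(version["fix"]) if version["fix"] is not None else None
    suffix = version["suffix"]

    if suffix is None:
        kind = "stable" if fix is not None else "vendor-or-other"
    elif suffix.lower().startswith("dev"):
        kind = "development"
    elif fix is not None and re.fullmatch(r"[0-9a-fA-F]+", suffix):
        # A single hexadecimal token after a full x.y.z version. A purely
        # numeric vendor tag would look the same, hence "hint" above.
        kind = "snapshot"
    else:
        kind = "vendor-or-other"   # system-specific package, own patch set

    # Assumption: the status line starts with "Status:".
    status = next(
        (ln.split(":", 1)[1].strip() for ln in lines[1:]
         if ln.lower().startswith("status:")),
        None,
    )
    return VersionInfo(
        kind=kind,
        branch=f"{major}.{minor}",
        fix=fix,
        suffix=suffix,
        date=banner["date"],
        short_lived=(major, minor) >= (1, 9) and minor % 2 == 1,
        status=status,
    )


def run_haproxy_v(executable: str) -> str:
    """Run `<executable> -v`; pass the binary the startup scripts launch."""
    result = subprocess.run([executable, "-v"], capture_output=True,
                            text=True, check=True, timeout=5)
    return result.stdout


# The first four banners are the ones shown in this section; the last one is
# constructed for this example (odd branch plus a made-up status line).
SAMPLES = [
    "HAProxy version 2.4-dev18-a5357c-137 2021/05/09 - https://haproxy.org/",
    "HAProxy version 1.5.14 2015/07/02",
    "HAProxy version 1.5.14-e4766ba 2015/07/29",
    "HAProxy version 1.5.0-994126-357 2015/07/02",
    "HAProxy version 2.9.0 2000/01/01\nStatus: constructed sample status",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(classify(run_haproxy_v(sys.argv[1])))
    else:
        for sample in SAMPLES:
            print(classify(sample))
```
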
Usually it follows the system vendor's way of upgrading a package. If it was
taken from sources, please read the README file in the sources directory
after extracting the sources and follow the instructions for your operating
system.


4. Companion products and alternatives
--------------------------------------

HAProxy integrates fairly well with certain products listed below, which is
why they are mentioned here even if not directly related to HAProxy.


4.1. Apache HTTP server
-----------------------

Apache is the de-facto standard HTTP server. It's a very complete and modular
project supporting both file serving and dynamic contents. It can serve as a
frontend for some application servers. It can even proxy requests and cache
responses. In all of these use cases, a front load balancer is commonly
needed. Apache can work in various modes, some being heavier than others.
Certain modules still require the heavier pre-forked model and will prevent
Apache from scaling well with a high number of connections. In this case
HAProxy can provide a tremendous help by enforcing the per-server connection
limits to a safe value and will significantly speed up the server and
preserve its resources that will be better used by the application.

Apache can extract the client's address from the X-Forwarded-For header by
using the "mod_rpaf" extension. HAProxy will automatically feed this header
when "option forwardfor" is specified in its configuration. HAProxy may also
offer a nice protection to Apache when exposed to the internet, where it will
better resist a wide number of types of DoS attacks.


4.2. NGINX
----------

NGINX is the second de-facto standard HTTP server. Just like Apache, it
covers a wide range of features. NGINX is built on a similar model as HAProxy
so it has no problem dealing with tens of thousands of concurrent
connections. When used as a gateway to some applications (e.g.
using the included PHP FPM) it can often be beneficial to set up some
frontend connection limiting to reduce the load on the PHP application.
HAProxy will clearly be useful there both as a regular load balancer and as
the traffic regulator to speed up PHP by decongesting it. Also since both
products use very little CPU thanks to their event-driven architecture, it's
often easy to install both of them on the same system. NGINX implements
HAProxy's PROXY protocol, thus it is easy for HAProxy to pass the client's
connection information to NGINX so that the application gets all the relevant
information. Some benchmarks have also shown that for large static file
serving, implementing consistent hash on HAProxy in front of NGINX can be
beneficial by optimizing the OS' cache hit ratio, which is basically
multiplied by the number of server nodes.


4.3. Varnish
------------

Varnish is a smart caching reverse-proxy, probably best described as a web
application accelerator. Varnish doesn't implement SSL/TLS and wants to
dedicate all of its CPU cycles to what it does best. Varnish also implements
HAProxy's PROXY protocol so that HAProxy can very easily be deployed in front
of Varnish as an SSL offloader as well as a load balancer and pass it all
relevant client information. Also, Varnish naturally supports decompression
from the cache when a server has provided a compressed object, but doesn't
compress however. HAProxy can then be used to compress outgoing data when
backend servers do not implement compression, though it's rarely a good idea
to compress on the load balancer unless the traffic is low.

When building large caching farms across multiple nodes, HAProxy can make use
of consistent URL hashing to intelligently distribute the load to the caching
nodes and avoid cache duplication, resulting in a total cache size which is
the sum of all caching nodes.
In addition, caching of very small dumb objects for a short duration on
HAProxy can sometimes save network round trips and reduce the CPU load on
both the HAProxy and the Varnish nodes. This is only possible if no
processing is done on these objects on Varnish (this is often referred to as
the notion of "favicon cache", by which a sizeable percentage of useless
downstream requests can sometimes be avoided). However do not enable HAProxy
caching for a long time (more than a few seconds) in front of any other
cache, that would significantly complicate troubleshooting without providing
really significant savings.


4.4. Alternatives
-----------------

Linux Virtual Server (LVS or IPVS) is the layer 4 load balancer included
within the Linux kernel. It works at the packet level and handles TCP and
UDP. In most cases it's more a complement than an alternative since it
doesn't have layer 7 knowledge at all.

Pound is another well-known load balancer. It's much simpler and has far
fewer features than HAProxy but for many very basic setups both can be used.
Its author has always focused on code auditability first and wants to
maintain the set of features low. Its thread-based architecture scales less
well with high connection counts, but it's a good product.

Pen is a quite light load balancer. It supports SSL, maintains persistence
using a fixed-size table of its clients' IP addresses. It supports a
packet-oriented mode allowing it to support direct server return and UDP to
some extent. It is meant for small loads (the persistence table only has 2048
entries).

NGINX can do some load balancing to some extent, though it's clearly not its
primary function. Production traffic is used to detect server failures, the
load balancing algorithms are more limited, and the stickiness is very
limited. But it can make sense in some simple deployment scenarios where it
is already present.
The good thing is that since it integrates very well with HAProxy, there's
nothing wrong with adding HAProxy later when its limits have been reached.

Varnish also does some load balancing of its backend servers and does support
real health checks. It doesn't implement stickiness however, so just like
with NGINX, as long as stickiness is not needed that can be enough to start
with. And similarly, since HAProxy and Varnish integrate so well together,
it's easy to add it later into the mix to complement the feature set.


5. Contacts
-----------

If you want to contact the developers or any community member about anything,
the best way to do it usually is via the mailing list by sending your message
to haproxy@formilux.org. Please note that this list is public and its
archives are public as well so you should avoid disclosing sensitive
information. A thousand users of various experience levels are present there
and even the most complex questions usually find an optimal response
relatively quickly. Suggestions are welcome too. For users having
difficulties with e-mail, a Discourse platform is available at
http://discourse.haproxy.org/ . However please keep in mind that there are
fewer people reading questions there and that most are handled by a really
tiny team. In any case, please be patient and respectful with those who
devote their spare time helping others.

If you believe you've found a bug but are not sure, it's best reported on the
mailing list. If you're quite convinced you've found a bug, that your version
is up-to-date in its branch, and you already have a GitHub account, feel free
to go directly to https://github.com/haproxy/haproxy/ and file an issue with
all possibly available details. Again, this is public so be careful not to
post information you might later regret. Since the issue tracker presents
itself as a very long thread, please avoid pasting very long dumps (a few
hundred lines or more) and attach them instead.

If you've found what you're absolutely certain can be considered a critical
security issue that would put many users in serious trouble if discussed in a
public place, then you can send it with the reproducer to
security@haproxy.org. A small team of trusted developers will receive it and
will be able to propose a fix. We usually don't use embargoes and once a fix
is available it gets merged. In some rare circumstances it can happen that a
release is coordinated with software vendors. Please note that this process
usually messes up with everyone's work, and that rushed up releases can
sometimes introduce new bugs, so it's best avoided unless strictly necessary;
as such, there is often little consideration for reports that needlessly
cause such extra burden, and the best way to see your work credited usually
is to provide a working fix, which will appear in changelogs.
情侣自拍内射 迅雷下载黄色视频 magnet 强奸舒不舒服 秋霞电影社长夫人 全球热门视频 magnet 强奸之夜视屏 性交内涵视频 秀玲叔嫂 在线福利视频广州富姐 榆次炮友 御姐成人纵欲视频 日本视频在校妾 玉桃园毛片 日韩主播高清福利 日本人妻资源下载地址 SNIS-430 大香蕉澳门皇冠国产自拍成人 韩国成年在线视频 性爱自拍直播视频 外国福利在线 快狐成年app 鸡鸡插嫩屄的影院 宅男影院xo 人人色人人干 五月婷婷心爱 四级剧情美国 magnet 华裔张丽精选11 magnet 滨崎真绪 西瓜影音 色大姐五月天丁香 苹果手机a片 怎么查询最新得AV番号 亚洲色综合伊人色 7080wcom手机伦理 米卡本子 www wf96 com 曰本性交派对 国产性高潮自拍 mp4 saobo下载 一本道手机在线秒播福利 免费成人激情视频 www4hu998cam 狼友 国庆 福利 提示:点开黑屏或白屏缓冲五秒 [红包] 福利免费视频 [红包] ht 张伯芝自拍在线视频 村上丽奈三级视频 京香在线视频p 葡京夜夜夜 77yy伦理 猛干黑丝袜老师 在线观看 日本一级大黄毛片 美足福利小视频在线影院 少妇美女主播应狼友要求半夜路边勾引 欧美色一色大香蕉GV 日本做爱无码动画 mp4 高树零磁力链接 巨屌性交 九九爱爱视频6re 微拍福利247 软妹在线福利 国产 同事 校园 在线 李宗瑞奇奥网33 一本道大香蕉伊人线av 95福利视频 日本色一情 依依亚洲图片去哪里 国超福利视频免费 百度云黄片 《鬼父》全集在线观看无码 爽歪歪色视频 姿势强化操视频 最新艺术片快播 5侧所性视频 阿V小视频 超碰国产思瑞 德田重男和儿媳妇嘴对嘴喝酒 淫妻自拍艳照 我的世界中国版宣传片 av免费在线手机 与和尚交缠的色却之夜 在线 av川村真矢在线影片 怎样免费看欧美性爱视频真人秀 美艳娇妻肖云韵 免费福利成人 77色女 何殷纯个人信息 ganmimi 大哥综合站 最新地址 韩国车模番号 wwwxiai09cm 牛牛碰人人础免费视频 av手机日韩在线 午夜av影院免费播放版 丘咲エミリ nnuu66日本系列 免费任你日 日本处女-视频@Here 偶偶福利私密视频 18x同学伪娘到厕所里射精动漫 操碰福利视频 star534 ftp 亚洲日韩激情在线 二本道AVDVD 在线av日韩经典 亚洲图片京东热av 剥皮人魔BT迅雷 91男人天堂91福利社 水中 五月丁香 水岛津实蓝衣地铁快播 影院在线协和 色老板在线影院观看2017 成人视频5 yingshi 399 空姐GIF av色中 免费av电影微网站在线观看 亚须希磁力 下载 动感小站福利小视频 菲菲影院 厨房塞蔬菜番号 大黄片福利 东方在线aav视频 充气娃娃A片在线观看 番号鹌 初美沙希初裸写真在线 大胸美女和黑人爱爱 日本专区无码视频3166 rbd的系列人妻在线播放 48号缚师 神马电影69小情侣 2369小电影 苍井空毛片免费 myloved视频 男欢女爱视频录像 大肚人妻孕交视频 nannuzuoaihuangsedaqquan 亚洲女同视频 k视频手机在线 无码乱操 66BAB视频在线 d群交 番号 推荐 富姐血柠檬宾馆调教视频 亚州黄色无码视频 真实迷奸大学校花一线天嫩逼 www609ee 大香蕉伊人视频免费整 欧美高清h 日本高清aaDVD 色久久久久 第四色网男人香蕉 谷露影院在线国产 caoporen公开视频在线播放 91情侣理任在线 九州av–男人的天堂! 
丁香五月天小说网 伊人成人电影色大哥 WWW,A片 AV小视频在线播放 青草a免费线观 日韩高清无码在线视频 ftxx00 sayaka fukuhara 4480青苹果影院免费4460 西田麻衣高清无码视频 长沙丝足调教 xingchashipin 国产老熟女大尺度自拍 偷拍自拍在线看100p www37ibcon 福利电影tcn 欧美高跟鞋射视频在线 馒头B紧身裤视频热舞 深夜福利无码小电影 sao360 日本av视频欧美性爱视频 下载 成人久久午夜电影 草莓论坛 se cop在线视频 成人影片不需下载gav 星野遥电影手机在线观看 丁香婷婷五月天小说 破初系列在线观看网站 悠悠资源色 日b视频过程狠狠色哥网站 26uuu最新亚洲欧美在线 南日p无码午夜影院 东方影库av无码在线播放 换妻一族电影 幼女AV 媚药女同按摩师在线观看 zzjiyou 韩妞在酒吧被黑鬼下药 泷泽萝拉在线播放教师 69堂在线看草莓 美丽坚共和国 草b大片免费的 森下真衣 视频在线观看 草莓视频在线看绝斯斯 日本69式视频有码 ADy无码 你懂的直播免费 日本无码丝袜 佐々木爱美 磁力 口交内射视频 校园 都市 欧美 自拍 磁力网 武侠古典之萧历 letvclient://msiteAction?actionType=9&pid=&vid=21286812&cid=30&zid=0&ver av毛片在线观看直播 白洁 高杰 欧美性爱大白屁股娘们性爱视频 免費高清視頻一色佬 影音先锋阿姨不约 最新av电影在线 有声性说 涩66 日本吹潮在线观看 含羞草大人影院 黑鹰坠落h版5060 青娱乐色琪琪 色色鸟亚洲 极速在线 欧美 亚洲 偷拍 王梦溪 迅雷下载 和99re一网的网站 操空姐 avzon kjfuli福利视频 经典 小鲜肉苏州94 香椎 jav anal hd ady手机 5533992c0m 日本重口网站在线 小视屏福利网站 性爱动漫福利 小老弟视频精品 国产自拍 小妹自拍自慰视频网站 学生妹被艹视频 先锋eeuss 小清新影院性高清视频 校园另类自拍欧美 邪恶里番肉番 馨雨女神调教视频 筱慧视频在线网址 泄欲哥导航网址 中国清纯大学生默默 www84gncom 女耻物 明光大尺度歌舞团 2018在线看的视频你懂得 免费无毒福利 狠狠的艹免费视频 国产网红福利 欧洲老妈A片 www,俄罗斯,幼色 老外影院黄色 bl插插电影 微熟女在线播放 兴奋生中出巨乳交配 橘优花 www8733cc 插菊花综合网人妻 4k 在线福利影院 莉莉影院俄罗斯少妇露脸 午夜群交视频 千百噜噜噜影片 美女强奸啪啪啪视频 任性操 做爱视频教师 日本美女重口味啪啪啪做爱视频 想要零用钱妹妹 素股 日本强奸乱伦在线观看网站 淫乱视频操屄 欧美 日本 国产 导航 激情黄片超爽 1小沢在线播放 哥去射偷拍自拍在线观看 最新97视频网站 94套图吧 阿,我要被你操,被我舔 深圳同居换夫 日本在线高清m949dtv 少妇爱爱 大香焦网视频免费视频,i xp123亚洲影院 熟女 博彩 wwwmvm888co 福利宅男影院免费视频福利在线看 黄片影院。 uuu778 mp4 综合网人 亚洲无码中文字幕成人动漫 大箱焦成人网 >>宅*男*影*院<< 西瓜影音 王思懿金瓶在线看片 在哪里可以看h动漫短视频 印度av视频网 drp无码影院 国语自拍对白在线 操逼比赛 苍井空无码av种子磁力链接迅雷 操逼故事在线视屏 韩国成人主播 双飞 不用下载安装就能看的吃男人鸡巴视频 北京熟女取精2女上位 变态调教性奴视频 avop-360 欧美三级伦理大尺度 马牛叉电影 搜人体苍井空50分钟无码 男人装 明日花 大香蕉AV在线播放 丝袜av排行榜前10名 无码黄电影在线 影音先锋AV有码丝袜美腿 2018最好的塔巴夫影视 苍老师在线55集 亚洲制服无码欧美 大贯杏里AV百度云 怡春院偷拍首页综合网 www 702qq cnm 被窝午夜手机自拍福利视频 Thailand年轻的制服高中女孩淫乱生活传闻风波 玩弄淫穴 无套爆操 爆精内射 附高清 vv影厍 操逼小视频在哪下载 tayelu免费视频 播播影院女性向 操后妈6o分钟 成人在线动漫 黄色a片在线免费观看 我妻如妓 秘社mm视频 纯洁 亚洲 国产网友自拍偷拍视频 连袜裤javlibrary 万色吧影视 1啊无套清晰 日本日日夜夜bb 黑木一香 magnet i日本人69种视频 日本aⅴ视频天堂肮脏医生 熟女大阴户视频 爱区 看片岛 vr捆绑美女 92午夜免费200部 深夜做爱视频在线观看 国产成人福利 magnet 澳门色片 av女捜査官yingyuan jb影院下载入口 日本漫画之工fanmu angelbaby19部 在线播放 变态搞基网站 
先锋熟女少妇 vip7116韩国电影 黄色电影院六度电影老女人 欧美同性视频vibes 欧美在线天堂视频一本道 伦理 大片 高跟丝袜女视频 后插资源 波多野结衣末剪版在线观看 苍井空 在线播放 8p 肏女人 日本姊妹同 福利fl218 久久爱免费福利在线 男女性爱傻拍拍视频高清 伊人大香蕉在线视频网 综合色爱视频 肉色丝袜爱福利在线观看 偷拍自拍第八十五 美女真播母乳真播 西瓜影音 曰本无码在线 345bkcom 手机亚洲mm88cc 一本道dpp 美国理论午夜十二点 后入式xoxo免费影院 日本av女优视屏 黑裤袜系列在线 斑斑马电影街 欧美图区 国内自拍 强奸乱伦 我爱你AV52 亚洲av剧情 立花琉莉在线网站 Caoporn网站 午夜福利757在线视1000 ssni048在线 男人的肉棒插进了女人的小穴里不用给钱的视频 琪琪在线狠狠射 九哥小浪窑网 2018天天干夜夜啪天天射天天日影院久久99 麻美由真 bt字幕 日日久久天天 k卫生间男女ⅹⅹoo视频 CD性爱视频 天天操天天玩 调教堕落中日韩美女 激情戏新视觉 尻屄怎么读 边玉洁年轻时的照片 老外干十岁女孩磁力链接 黑丝少妇影音先锋 a片一线看 宅樱三级片 欧美女孩w18 捆绑女奴 很黄很色的动画片在线观看 wwwqiuxia66路cam ipz483百度网盘很黄很色的动画片在线观看 丝雅电影网伦理片在线看 美国巨乳波霸护士 美国邪恶毛片 色色琪电影 少妇操视频在线观看 美国十次大公鸡 毛片观看福利影院合集 美女被xxoo奶摸 伦理片eeuss2θ12手机板 噜噜色噜噜吧琪琪网 人妻凌辱参观日百度云 气质美女经理酒醉被上司带宾馆各种玩操自拍流出 极品巨乳美女高潮视频 精品成人A片电 染上春色在线播放 激情视频无码丁香五月 激情影琓 自由 黃色片干姐姐3131 麻美由真 恶父 白妇少洁的小说 福利视频午夜小说自拍 卡在墙洞男孩汉化版百度云 百姓阁不夜城最新地址 日本少妇Her a,ji ,huang,pian 秋弄韩 百合润美 magnet 欧洲av成人在线 蛋壳姬 岛国种子搬运工官网 吻逼抠逼视频 任你操视频这里只精品 无码专区 大xj香蕉49 精品国产自在线拍400部 黑人巨大战原纱央莉mp4 欧美熟妇系列1032 女主女王sm视频免费专区 横山美雪视频在线观看 六间房黄带 国产av自拍在线 www@pziyuan@com 口活最好的番号排名 哪个网站能看小泽玛利亚的视频 下载 得弟日001 二奶夺位 下载 www3133dcon 日本′电影强暴女搜查迅雷哥 亚州高清无吗不卡视屏 狼好色日韩高清视频 高清国产牛牛碰视频 凹凸视频分类在线a一 一级毛扁L 高老庄成人在线 看片 酒店偷拍 日本AV群交游戏 男的精喷如泉的一部av 手机看片秒拍修复 bbb977改成什么了 男人天堂噜 AV日产 1电影天堂EEUSS 萝莉小电影种子 ftp MSWD-10023 ftp snis911下载 射大嫂在线播放 浅香结菜 国美女主播福利视频 韩国vip主播无码 国产主播自拍磁力链接bt种子下载 国产在线短篇 拿男女做实验的电影 国内酒店女生骚逼视频 国外无码ay免费视频 江疏影 口 交 视频 欧美Av色中色拉风影院 自拍porn87高清日本mp4 国产农村夫妻啪 国内自拍网盘 色B心 自拍偷拍激情国产 97高清影院 亚 无码性视频 动态做爱LOⅤE 长筒靴做爱 magnet 美国成人午夜片 铃原爱蜜莉视频在线播放 欧美激mp4 日韩自拍在线高清视频 yyyfuli 最美肛交无码下载 下载 视频一AAVV、com 操同事的小女友爱剪辑 wohejiaoshimamadeseqinggushi 77mp4 sixt 偷拍视频毛片日本 国内自拍女厕小便 珑泽萝拉无码av下载 杨幂 醉酒 1024你懂的 污漫韩国漫画57 艾迪av无码 亚洲第一成人福利网 shkd-744在线 豹纹内裤影院 黑人熟妇视频在线观看 爱爱无码视屏 黄色视屏免费看在线 卧室五六式老太太每个人的阴道毛视频 花蜜性爱小说 heniaoxiaoshuo 外国美女性感穴图 骚屄性交还录像基地 插动漫美女动态 97sese图片区 我让老婆找大鸡巴把她日到高潮 草裙裸体艺术照片 我和门口的阿姨做爱小说 日本女人与男人性交图片 男子艺术图片 偷拍自拍激情小说迅雷下载 老人与小孩大性交 快来干我小说 人体艺术下阴 孕妇母乳先锋 欧美色图一巨乳 中国山西忻州岢岚美女脱了衣服内裤大奶屁股露出来上床b的图片 口述6p 看真人操屄视频 日本女老师写真 男人日女人下面的视频 酒色网婷婷五月天 良家肥臀 俄罗斯色妞 成人大尺度gif 极品美女影音做爱 姐弟性交大赛无码 口交动大鸡吧 熟色201412 91热色色色 亚洲获奖a片 
好想看看美女的写穴视频 舒淇人艺术 美女无衣自拍图片 刘嘉玲大胆人体写真图 gege揉搓 欧美金发熟妇图 超级mv性交大战电影 青沼知朝番号 欧洲色图色福利 继母阴道淫荡风骚 撸死你资源站兽交 250ppcum 成年美女图 女女调教电影 9797滛滛网 妹妹操哥哥日 营野沙莉亚 操淫屄网 婶婶的小屄 abcdduppid1 44tttt 恋古成人图片论坛 成人激悁大?6?4 操逼张慧敏逼照 强奸乱伦飞 夫妻性爱录音 操逼操电影网 性爱动态图片15p 美国玩中国女人的图片 WWW_5555K_COM 免费论理片 色幼女性交导航 色播五月天亚洲图片资料 321操逼网 人体裸体艺术美 乡村色妹性交视频网 曰本性爱第一页 丰满少妇给我足交 外国投拍美女上厕所视频 性爱图片做爱电视 影音先锋母亲性交 中出し 东めぐみ 147美女人体艺术波 女子逼毛 umei 丝足 � 日本美女性交欧美色图偷偷橹 日本黄色成人很黄的 亚洲图片小说网 幼幼百度云种子 WWW_YULE_COM 姐妹色 人与兽黄片视频一级片 超碰caoporn成人 那个软件能看白片 va999资源网 动漫黄图小说 中国人体莎莉 女人淫秽乱伦 俄罗斯明星人体艺术 谁有熟女网站 射极品空姐超碰 日韩柔体性爱影片 wwwre999com 李宗瑞不雅视频文件影音先锋 欧美 亚洲 娜 WWW_4HU50_COM 色小说乱伦故事 chengrendianyingxengai 百度美穴 WWW_168_INFO 春暖花开影视性吧 泰岚性感 xiao77论坛新年 极美印象苍井空奇色 天使妹妹淫荡网 婷婷五月色中阁 师姐淫屄 qiangjiancaobiwang 海岛人淫乱 日本人t体yishu 大牛村群 美女艺术照 欧美骚妇和狗交配 色人谷美国发布站 农场性爱在线视频 内射美女小嫩逼 欧美入逼色图 赤裸天使讨论区 欧美大但pp图片 97sese 97ai 97gan 美女人一人体图片 明星漏逼逼 偷拍自拍区操老肥熟 偷情人妻骚母狗淫语对白说要被狠狠的操 情趣连体 超级诱惑 tube24韩国 亚洲淫淫碰 肛交567视频在线成人 女同学肛交小穴肛门草 美女色图qvod 肥奶大逼 俺去乱了 西西大胆人体艺术黑木耳 经典av片名字 成人图片 鲍鱼 快播怎么看无码电影 欧美淫秽影片 傅 贞怡 人体艺术 色 中 色亚洲色图人与狗 花开半夏演员表 中国净水器供应商 重庆赵红霞真实照片 辛亥革命电影 温州第十二中学 淫香淫色天天色 黑人和韩国女人做爱 激情少妇乱伦 3d玉铺团 偷情老婆小说 办公室操我 骨感小骚货视频 哇嘎影视四色 苍井空和黑人拍的av是9那部 俄罗斯裸体体图 我想操比找美女 欧美性爱人与猪 美女裸体漏阴图片 插入小妈小穴 西西处女人体艺体欣赏 色图五六月天 免费先锋成人网 处女搞屄 当母音屯 qiangjianluanlunying1 免费黄色图片网站 逼邪恶漫画 新乱伦影音先锋 凉拌木耳女生每次最多吃多少 狠狠地mv撸五月天 女子身体艳照 电视剧激情图 国产妇女做爱视频 搡大白逼 性交乱伦p 嫩逼的女郎做爱图片 26eeee 色444电影 三级片一thunderftp WWW_888XXHH_COM 牛牛视频播放器护士 治阳瘘早泄的中药泡酒 熟女人妻裸体 长谷川惠美全裸图片 夫妻性爱偷拍照片 美轮美做求歌名 WWW_678BS_COM 日逼的事情 骚狼操淫妇电影 日本av女优馒头逼图片 北条麻妃快播影片 2014最新乱伦强奸电影 幼香幼色论坛 女人与大黄狗做爱 淫乱的少妇 欧美黄色片午夜剧场a片 大色窝色狼网夜夜激情 看淫荡老婆群交兽交 国产熟女在线视频 欧美母猪和人性交 偷拍自拍武士色 小妹屄图 色站导航欧美色图 爱爱射欧美图片 美妖操逼 巴士超短摩擦色网 女人与公狗高清rm yazhouxingaitaiwanlao 在线自拍亚洲欧美 山斗香港三级 欧美日韩偷拍 高树玛利亚bt 抽插熟女撸 WWW38XTCOM 大黑油葫芦交配 伦理熟女人妻 色桥人体艺术抓美网抓拍美女美丽 最逼的中国演员 伦乱透屄故事 中学屄吧 野外大胆裸照 国外天体海滩视频 日韩影片北原多香子 那晚小姨子把我狂吸 人体彩绘图片大全图 美女裸体劈腿照片大阴唇 女人掰逼图百度 直走丈夫买烟妻子被李书记蹂躏 亚洲陈丽佳人体艺术 美女草比视频 屄的写真 聚色冈样 日本66人体艺术摄影 亚洲美女白虎色图 WWWOTALUMODECOM 性花宫黄色成人激情 亚洲最大成人操穴电影网 宬人电影在线播 春满四合院视频 韩国美少女主播荷恩 操白百何的骚逼 欧洲色图激情网 va看逼 强奸滛乱 曰日撸小说 波多野结衣作品那一部好看 成人片撸一撸 淫淫巨乳合网 heiguigan 色妹妹a 性感女妺妹 5x在线视频 xxoo青涩综合网 
俺去也影音先锋 乱伦奸幼性交小说阅读 6699色图 一夲道京东热全部电影 女人被强奸时的反映 迢碰av 极品美女骚屄 俄罗斯乱伦抢 成人性爱图片网址 永旺cgv影院 裸图b美女 撸撸成人动漫云播放器 戴文青木写真 日本人妻斩先锋影音 看女人色图bbb 女优希崎杰西卡黑色丝袜人体艺术 老妇少男忘年乱小说 鸡巴尻小屄 uu小孩逼11p yy6029新视觉影院官 爱人体静雨 ok5858com tangfangdadan人体艺术 近亲相奸お母さんと爱欲性交 少女性奴母狗血泪斑斑调教 幼女小嫩逼10p 岳母乱伦淫荡肉戏故事 媳妇叫公公摸奶 ppp36官方网站 嫩馒头鲍色图 WWWHDCCBKRCOM cccc80 内射小妹妹图片15p 美女大学教师视频 狗茎欧美女人 WWW55HHCOM 男人阴茎实图高清 5月激情乱伦 新福利影院宅男 老妇的肉逼 强奸乱伦少女破处 学生性爱视频 欧美少女做爱美图 藏姬阁第一福利老司机 欧美电影家庭手机 三邦美女视频在线观看 se鲍鱼 福利嫂超碰 厕所阴唇 邯郸性趣天堂 色尼姑免费原官方网站gya1024cn 被催眠的校花小柔 av导航全球 老熟妇好爽 日本近亲乱伦中文字幕mp4 色播五月天永久网站 扒开屄操 swww99aaww 黄视频体验区 自拍偷拍性爱视频www16efcom 欧美男人与狗兽交 飞华两性试衣间 爸爸女儿乱伦妈妈儿子做爱 亚洲男同性恋做爱图片 视频裸聊女同骚逼 群交谷城 日本女优恋足视频 JJ射精正面图片 乱仑吃屄 亚洲熟女图片wwwgzyunhecom 成人色片电视频 成人电影哥哥碰 最新人妻av在线网站 伦理微电影magnet 巨乳爆乳大奶子插肉穴小说 和巨人美女做爱 123gbgb男人看的地址 强奸乱伦校园都市激情 快来干我老婆 性交短篇小说 AVMO欧美 s级女优网友自拍 手指插花核小说 成人做爱乱伦人体艺术 绿母漫画真人版 青青3p 色欲母子性爱小说 家庭伦理小说网址 奇米影视手机版百度 夜撸va 成人小说快播电影 美女干逼人体艺术 meinvluotitu 日本三线片线观看 逼里逼里香哥哥 jizzjizz丝足 爱爱激情五月 香港三级片系列激凸男女1高清在线观看四虎影库 欧美搞B片 哎到花心了啊 美女大胆露穴 谭晶h文 野花撸进不去怎么办 那里可以免费观看三级做爱视频 操台湾妹子综合网站 动漫人物h小说合集 另类女同群交小说 爱爱扣插舔 大奶妹官网 为什么收不到韩国女主播青草的视频 淫妻乱伦龙腾小说 播播影院色播五月先锋资源 苍井空潦草av片 久久鲁免费观看到底 三级片三级片的坏的视频播放 巨乳女教师magnet 美女黑木茸百度图片 老女人的淫 风俗娘湿 亚洲少妇xxoo 搜色电影影音先锋 插妹妹日妹妹dj520netwww78p78info 光棍电影网限制 用力插妈妈的骚逼啊啊 日本捆绑性爱 四虎影库A片 免费网男人草女人 在找黄片人与兽 可免费观看激情全过程的APP 纯妹妹极品穴穴享用整晚 侏儒a片 风流少妇人体艺术图片 快播日本乱伦 天浴电影黄色 风骚日本老师下载 柚子塞屄色图 sm妻子捆绑兽交小说 乱伦小说意淫强奸校园春色古典武侠淫妻交换 我的女朋友是40岁的人妻 www84ytom 日本春药按摩 女人玉门高清大图百度 AV电景色网 免费在线欧美AVwwwc5508com 微博btdownloadbaiducom 公公大鸡巴太大了视频 少妇五月天综合网 巨乳丝袜制服中文剧情字幕 谁知道手机能看的片 人性交配色色 快播欧洲成人套图网 保定色尼姑色和尚 西欧拳交 haosex a片99kk511cnarrseseappsitewww90abc95w4cn 亚洲级欲 日本妈妈v淫 少女b图片亚洲色图 xiongmeideseqingyouse 自拍偷拍彭娜 亚洲色图暮色吧 成人一级黄片网站 elluxurycom 爱碰网官网 操丝袜姐姐小说系列 性交姿势wwwcnkangcomwww7788xsnet sss电脑版 苍井空和男佳也那部 裸体模特在雪中 被大吊干是什么感觉 大嫂激情图片 菲菲肉穴 变态另类6eeeeecom 色斗鱼wwwsedouyucom AV网站www520vodcomwwwxx557com 肏了小骚屄 xf77piay 说几个看幼幼片的网站 哥哥干网友骚货 苍井空超过激交大乱 淫淫网刘晓庆裸图 苍井空的私处照 酒色五月丁香 仓井空老师剧照 教师无码潮吹 张柏芝的桃源洞真嫩 kk99se访问升级 偷怕自拍撸 矢吹春奈 强奸处女口述 5566影音先锋干大姑 强奸伦理小说视频 国产自拍剧情在线 求推荐可以看高清色图的网站 998av 成人动漫阿凡达 寂寞妈妈免费视频 奇米影视色资源 堀井美月av 欧美人人免费视频在线观看 美国a片啪啪 
WWV111WeCOm 小穴潮吹什虐阴么 五色房间播播影院 wwwqingjunlu3tv Aa片影院播放器 男人的av影库 一级片视频 小妹子论坛资源分享 色图片图片区 跟女朋友啪啪直播贴吧 第九月激情网yuyongniancom 美女馒头缝 H幼幼萝莉图片 成人无毒网站 阴布图片大全 空姐被黑人插 高跟美女 黄色电影姐姐妹妹是拉拉 亚洲免费快播网站 黄色电影A片毛片 51cC0m 欧美双插电影 欧美男女av影片 4438五月天 朋友淫荡的妈妈我可以操你妈妈吗 色玖玖AVcom 双性黄色人电影 老外的大肉捧系列小说 免费的黄网站网 老妇成人图片大全 黄色图片观看 995cc 人体美女床上诱惑 36d色图百度 透逼自拍 无码有码在线 丝袜15p 欧美激情狐狸精 成人电影AAA990 天天啪久久wwwgeerlscom 哈尔滨色 全程露脸52岁视频拍摄 wwwqyuletvagmailcom 激情校园春色老师 亚洲色图韩国明星潜规则p 捆绑强奸娇喘视频 西门庆导航网址 青青草针对华在线视 久久热时间停止器视频 淫荡熟妇16P 亚洲视频在线成人 搜索wwwweibocomu5405295901 好了av第色 爰看AV电影 啪啪啪萝莉被操 亚洲露b人体艺术 东京热一本道金8天国 久久热我爱看a片 自拍偷拍网址wwwhhhh15com 微拍福利wwwmiwpscom 免费看天天A片美女图片免费 狠狠爱十狠狠干十狠狠撸日 青青草手机在线vip免费 桐岛惠理香 美女红色曰逼图片单曲 放个国产韩国日本美国欧州男舔逼逼女舔大鸡巴把鸡巴扎入逼里猛抽猛扎放个最黄 ckplayer在线亚洲 肉文ed2k WWW460TVCoM 9911影院 在线电影选项院 日妹妹干妹妹影院百度 wwwbb698com wwwnv81com新网址 青之驱魔师cosplay 大爷操作影院388sesecom 幼女ayi 操嫩人 人妖操人妖电影 大鸡巴干性感美女 操妹妹插妹妹AV 东北夫妻4P艳照 国产精品偷拍自拍明星系列在线 在线播放国产偷拍 姑坏姑集百万潮流 抽插淫荡少妇小清15p 和公公尻穴 一本道av在线三级 母狗奴隶 黄色网站草莓影院 裸体姿势艺术诱惑 操久久 幼女动漫下载迅雷下载 成人电影之手机偷拍 嫩穴妻 al7788 鸡巴视频国产在线 yc15电影com 阿v对白 妈妈的丝袜20P 毛片基地SM另类 xxxx欧美制服 swwwpu730comhtmindexhtm 大吊性交 大尺度激情性爱美女 图片专区欧美色图 强奸骚货女朋友 影音先锋咪咪色 熟女人妻校园春色淫色人妻 www48xycom 皇色王朝2356 辣文娇妻系列小说 激情婷婷第五月婷婷强奸乱伦 泡幼女网 就爱就爱娱乐网 5577k 亚洲色网偷拍图片 播乐子超在线 10万部爽片等你欣赏 看美女裸体视烦 武则天H版 性色影视 天天拍拍国美在线视频 www48kcon 碗君西西人体大胆 搜索去色色吧 淫荡阿姨在线 87bbb最新网 妻子与大学生黑子 怡红院首页一百度 黄色乱伦电影av 香港性禁片 ae517magnet 青青草的快播 狠狠操骚b 射你阴b 女孩发骚自慰 搜索www4444com 19sei最新地地址 AV在线国语对白52kukucomwwwaa0ecom 欧美人人妻激情小说与视 5XX 女人自慰囗交动物乱伦 性感美人妻电影 久草在线站街女 色色色色色干干妹妹 www路360ppcom 99pp黄色网站 国产AV偷拍视频 40岁少妇露脸久久草热在线 小衣与狗 91pro内部地址 男女性交猛抽动 调教男啊啊啊 空姐被强奸的日本AV电影 国产自拍操逼试视频 给表姐调教成性奴 哥哥色欧美激情 大香焦爱爱网 wwgaosecom 先锋影音av资源 亲脱摸扣操 av色色com 少妇性爱故事论坛 姐弟乱伦网站 AVPP6SCOM 久草在线妹妹干 114张悠雨魅惑图片色色看看色色看看主 男女性爱三级毛片 开心酒色吧 网友自拍偷拍国产在线第一页 酒店调教性奴母狗亚洲图片 Av电视在线看 Sm小说虐丁妈妈 黄色视觉黄色小说 swwwbu370comhtmindexhtm 在线娇喘 亚州强爆乱伦视频 wwwjjj2345co 像淫荡游戏这种动画有哪些 日本午夜户外直播 杏吧有你大香蕉 pcn中文网 日本女人色中色35wwwwcom 色系大片观看方法 超碰巨乳视频在线 成人套图49p 鸡巴25p WWW884aacon下载 伦理片小向美奈子 HAOXAVCOMmagnet www57bbee 大香蕉久草免费的成人视频 大乳乳乱伦 撸醒睡熟儿子乱伦视频在线 尤18TV 伦理片琪琪第8页 黄色真人网址下载 成人动漫父女乱伦 美女丝袜激情图 色婷婷伦理网站 修真抽插穴 火影忍者谢哥博客 豆豆色穴成人网 
狠狠干妹妹图片 最骚美女最骚美女最骚美女最骚美女最骚美女最骚美女 WWW92ddcccom 沈阳母子 手机看av片成人电影 高清av在线无码 牛牛碰电影 姐姐高潮出水10p 淫哥哥下载 神马性爱交易 av天天堂在线观看日本 群交乱伦姐姐 冲田杏梨人体777e丫图 水仙二嫂视频福利在线 国产原创自拍996 ee655con 同性恋舔我小穴 超碰图片wwwxmxh188com 黄图的网站是什么 三妹影院 青青草制服性爱片 天海翼 亚洲 图片 色五小姐在线视频 仓井空全集百度影音 WWW_RP_INFO 人体艺术巨乳巨炮 我爱亚洲人体爱人体 劲爆乱伦故事 一女二男性爱图 日本美写真视频 处女中出 偷拍自拍美女操逼在线播放 欧美极品嫩穴 fc2日本成人视频最新 卫校女同学自慰图 台湾美腿模特视频全集 三浦惠里子作品封面 母子淫乱日逼一神爱爱小说网 藏獒吃伟哥强奸女人 草裙社区蜜祧成人快播 人体狠狠鲁 最美女屄图 狠狠挺近花心射 撸波波明星美图 一窃开一脏器 少妇裸体性交写真图片 哥哥去在线图片欧美 性爱派对图片 什么样的女人逼最紧 性吧春暖花开性爱自拍 日本漂亮女人三级照片 邻家小妹的大奶子 色妹妹来也青草影视 色迷淫色 9115视频在线资源sss 经典あ级制あ丝袜另类专区巨あ波霸清纯あ美 黄色1级piang 女优性交免费电影 77sssee 人妻少妇被 人体艺术 筱 美女裸照操逼照 为什么我喜欢让情人操我 夫妻性交真像视频 最大胆美女人体艺术 欧美色图种子百度网盘 a片强奸系列快播片 高树玛丽亚 ed2k 强奸作爱图片 site 免费在线观看日本人av 黑丝肉丝双飞乐 色史中色 超性感丝袜美女内衣视频 se情wangzhan 日本鬼子抢奸中国妇女 大香蕉狠很撸 oumejiqing 虐足酷刑 少女拳交视频 和少妇 仓井空magnet 汤加丽美女 孕妇系列 乱伦 肥女胖女3p 色图 色百合电影导航 苍井空无码先锋下载 苍井空裸体无码写真 日本少妇11p图片 日本妹妹性爱射精图 操逼视频先操逼在玩逼 少年与老太太性爱日本说中文 媚药先锋 性门照 快播肏淫妇 好看图片小说 制服 日本 幼幼 高清 丝袜肛门视频 最新尿尿偷拍 公公插媳妇逼 看80后操bthunderftp thisav新网 性交组图 成人色短小说 口述母子伦理感觉 操肿了少妇小穴 aikojiaocom 一 级黄色图片 骚妹妹爱爱图网 reitiyshu人体艺术rtys日本美女大胆人体艺术激情人体艺术 下一章激情内射视频 大鸡吧小臭臭操操操小穴 强奸苍井空 毕夏漏点 肏胖骚屄 巨乳护士 绣 亚洲大肚男激情自拍 欧美大黑棍pk亚洲美女 快播 h片段 老人头人体艺术图片 撸撸ase 操了大姨姐的骚穴 711c人体大胆 父女叉屄 老外女与动物 韩国女主播阿狸快播 做爱网子 白皙亚裔女大战老外 套图超市有声小说 35p激情熟女 淫叫骚妇 中年家庭妇女色相 汤加丽人体艺术专辑 mhaodizhi4ifno 意淫miki 苍井空百度网盘种子 美女双穴被奸 写真视频快播 自拍偷拍 露脸 夫妻 少妇艺术祼体照片 丰满裸体大奶 无码av社区网 女人正面裸体艺术 十九女孩庄媛 网友自拍偷拍天天 阿门阿前 可爱多儿童摄影 我比想象中爱你 南京江宁房产 家具风水 漫步者1000tc 想着胜利前进 东南亚女孩艺术人体 苍井空人体全集 siwameijiao中文字幕 熟女淫乱色图 五月天激情鲁大妈色播 www520色偷偷撸 波霸彭丹露奶图 金发美女小嫩屄 美人阁第四色 熟女合成48p 原千惠透明装 女儿操父亲大鸡巴小说 暴力操女 剧情新片换妻影音先锋播放 先锋影院 av 不撸 女阴部无遮挡 爆操宾馆大龄女 聊斋乱伦性事 妈妈被老外狂干 操大黑逼逼 撸撸小说母狗 金梅瓶电视剧5集在线wwwqitetecom 贵女淫乱 WWWEYHJCOMM 7788sesewang 缔D杏那 黄昏操逼在线播放 都市激情撸情 avbbcom 瑟瑟色综合 日本妹妹综合 十八岁女孩人体艺术 www79vvvcom 日本美女下体艺术摄影图 我和少女做爱视频 成人电影一级a片 大黄瓜vs小菊花 黄色录像电影片段 老富婆操比性爱 幼女性交站 yazhouav亚洲av 美女美穴图片30p 熟女精品写真 成年dianin 茂如森林的阴毛图 夫妻性爱自拍16p 青岛小护士视频 明星不于明加的不雅照 影院上映最新电影 摔跤吧爸爸吉吉影院 岳母女婿生子 太阳的后裔苏格影院 阿姨吸我鸡巴舔我屁股吃我大便 天海翼作品被截图 丰满人妖的性爱 淫乱图片草裙网 女乱15p 杉田瞳i~淫若妻妊妇 插插综合图看黄色一级图片 纸做的爱的小贺图片 照片自拍小说图片电影 透视旗袍人体艺术图片 五月天色姐妹 我和处女小护士操逼 撸图屋聚色阁 罗体美妞图 
快播亚洲色图自拍偷拍 淫荡女老师教室淫穴被大鸡巴插 熟女人妻阿姨在线电影 姐夫和小姨子激情视频 红衣美女舞劈腿 成人电影av天堂网 杀戮都市吧国产各种门 解放的潘多拉 禽兽父亲绑起自己女儿猛操 欧毛毛女三级黄色片图 尻嫩屄图 日本幼女美鲍 乳大黑女人 香港掰穴 阴毛多的大胆人体 美女行爱视频 男吊写真 国产农村野台子脱衣舞 美女fs2you 疯狂肏屄视频 WWW098HHCOM 操屄小说视频 西西88人体艺术 我看午夜人体艺术 日本美少女大胆人体艺术图片 2014最新偷拍自拍 撸撸b图 女人体艺术专题博客 好看的亚洲伦理无插件 撸炮动漫 大香蕉在线观看少妇www22oxoxcom yy6029淫影院 有没有哥哥妹妹乱伦的小说 轻吻也飘然在线福利 cos先锋影音 mcc色区催眠 街射ed2k 农村大胸阿姨做爱 爱搞逼图片 5x社区一样的网站 春暖花开操逼吧 日本男女裸体性交照片 姐姐帮哥哥推精油 黄图m226wwcomnxgxcom 与淫荡女医生做爱 美屄magnet 天天鲁大香蕉网 白丝护士爱爱 足交久久帆布鞋 2233d最新2233d地址 色无极亚洲dddd88com751vvcom 美国九九九色成人网成人网站 亚洲幼女口交电影 青青草www99kk496cn 色图人妻斩 三级黄图片欣赏 wwwjizzluolicom 恐怖十八禁ftp 偷拍女士推油 南美熟妇视频 郭碧婷一级片 东京热哥哥妹妹 肏妹玩肏我呀 淫淫hhhh 720lu自拍www820qqcc 97色色强奸电子书 生孩子视频色色 两只角头上插着叶子 kangavhaole001com 欧美母子乱伦影视先锋资源 美女与动物乱伦 骚妇狠狠操插 欧美色图凌辱 wwwva6nt8wcn 姐姐精品播放器 日本成人黄色六级片 成人动漫淫乱乱伦强奸 吉吉影音乱伦小说 干亚洲女孩 东南亚老母猪15p 久久欧美视频aa0ecom 日本邪恶电影在线观看网 wwwseqingwangzcom av天堂松岛枫 欧美图片偷拍图片区勃起 骚逼逼撸 50岁女快播电影 久草热这里只有精品网 货车司机轮奸 影音先锋色谔谔 性趣阁论坛地址一 陈人日韩短片在线免费观看 伦理片伦理聚合网站 色人谷色小姐 毛毛生活片 偷拍自拍亚洲女同 亚欧淫色 jipinseyinyuan 操美女NB 内射轮奸男女小说 一楼一凤影音 老狼网最新网站 求最新簧片软件 欧美胖妞性爱电影 美国x级片女优 亚洲小说另类人妖 5252avavw我爱好色 亚洲色图偷拍自拍wwwssyy555com 亚图片综合网 大爷操影院院18k 男人插美女护士私处视频 林志玲假期去基地色图 13岁少女阴帝的图片 黄色录像同性恋口交 亚洲小说图片偷拍电影下载区 日本无毛少女逼图片 被黑人轮奸好爽 小美女的毛真多东方av 性侵人妻小说 操60老太逼对白 日本空姐艺术丝袜图片 95后大鸡巴 星戒有声小说 亮剑有声小说 有声小说小仙儿 寻春色 春色括号 春色龙 樱井莉亚跳舞 小泽玛利亚女王 小泽玛利亚msn 小泽玛利亚现今 小泽玛利亚luozhao 跪求一个h网 www.唯品网 www酷狗音乐mp3 www传奇时间 se开心五月天 开心五月天最新地址 东京热真实 看黄片怎么找 空调看黄片 织田真子 五月激情网 人兽综合 色男色女 视频下载 四房播播 我爱手淫 av幼稚园 插妹妹高清 大M成人网 骚女窝影片 色狐狸小说 四门成人网 我色淫我乐 黄网二十一区 妈妈儿子乱伦 色导航百度骚 色色3A丝袜 第四色在线电影 淫荡小妹激情网 在线视频返回顶部 撸一撸 俺去也 天天看 777米奇 色论坛 急先锋 瑟瑟爱 白虎活络膏 色妊阁影音先锋 弟必撸 弟弟干 蝴蝶谷成人 色色南 热のAV 澳门葡京城AV 大尺度视频试看5分钟 自拍直播网av 在线亚洲中文呦呦 www路avav008路com 吉泽明步女教师在线DVD 3d人妖ladybayshd 阴模人人看人草 波多野结衣丈夫去世 wwwaaak7 超级草碰碰人人 噜噜色噜噜巴噜噜网 莉莉影院正在播 女大学生 武汉情侣自拍 ed2k 韩国孕交av 五月丁香深爱基地 av美国绿色导航 伊凡综合成人 成人猫咪993ii 做出综合网 4438人成 2018秋霞理论电网在线视频 超碰无码97国产人妻手机在线 红怡影院 adyhh 日本哺乳av在钱视频 手机AV迅雷 激情四射啪啪的视频网站 欧美群交一级毛片 亚洲毛片av手机看片 青青草93观看视频视频播放 邪恶少漫画acg邪恶帝 情人添逼逼视频让我高、潮 小媳妇寂寞在家自慰水真多 强奸之夜视屏 茄子自拍在线视频 人妻操逼免费视频 青青草影院兔看 秋霞高清无码在放 青青草视频网站 迅雷下载 秋霞电影手机版八妻子影院 情趣黑丝高跟美骚妇装看病勾引药店医师 病床上激烈ML爆操 
无套暴力抽插爆精内射 强奸强奸 樱木あゆ美 吉吉影音 日本三级2017大尺度 日本三级强奸 日本三级无码动画下载 日本女优深田奈奈人体 日本三p视频在线 日本性爱啪啪视频 日韩先锋伦理人妻 羽田桃子 白丝视频 hd porn 深喉电影在线 青春草原视频免费观看 无需播放器视频国产 asiafox电击 在线 一本道东京热大香蕉aⅴ 埃及艳后 av版影音先锋 Cccc74 大香蕉X影院 VOSS-069 16974视频观看 手机国产AV 阿v影音在线观看 微拍福利Av 色播153 色噜噜插 人妻3pmp4 free 波多野结衣video 我要看小日本儿看三级片小日本人太三级片。 白浆40p 全裸美女秀磁力链接 亚洲爱液视频在线 千花集林志玲 马匹窝在线视频 曼丁哥视频可以播放 女主播啪啪种子 下载 纹舞兰在线 吽哆啪啪 色午夜福利影院 本庄优花在线观看手机 直播毛片无码啪啪 91视频青青草影院 小俊资源网 色爱天天插 成人电影迅雷下载 91久了re9热在线观看 lu559 亚洲日韩无码av影音先锋 斯卡拉琪琪 欧美 啄木鸟 在线 日本很黄很慌bb很色的视频 内地伦理片无码视频 日本黄页大全视频 找个小姐日着玩视频 395UaGG 二线女明星不雅视频 欧美磁性链接 2018每日在线女优AV视频 92后女性食奶视频 色色色av激情视频欧美 夜夜插gif wwweee184 超级大奶头黄片 av, com 蝌蚪窝米奇网 色嘛嘛 现在的小视频网址 变态人妖性交视频 京香julia艺术照 潜入女捜査官手机在线 东方成人lu片 wwwe8817comwww7caopcom 1269av在线视频 在线AV色色 男人天堂2018天堂网西瓜影音 伊人成年小说综合网 97夏同学旧网 欧洲色b 无码AV网站大全 日本伦理无码高清mp4迅雷下载 A片毛片基地 一边看书一边自慰番号 鲁鸡把播放器 sebi97 av番号 mp4 58看片 97色色酒吧电影院 亚洲日韩激情在线 龚玥菲新潘金莲斑马影视 色东方 MIDE–500 亚洲欧美av在线观看 av天5 中文字幕人妻出轨av番号 87国产一区 牛bai 聊斋仙桃影视 xo影院在线观看免费观看 丁香花婷婷 色妞abs130 红怡院成人 强奸美女的视频app 宅男视频3p3 天堂岛av大全 吉泽明步986先锋 SSNI-413 ed2k 秋霞170 大奶av音像先锋 大片播放器 X 影片名:网红美女演绎学生看到老师穿着高跟丝袜很性感就尾随跟到家里和老 福利社男人把鸡插入美女尿道视频 疯狂缠绵桃色视频 丁香视频资源站 大波妹 yinyin福利自拍 大香蕉兽交人在线视频 大沢萌夜总会 大奶少妇喂 手淫69视频 情侣偷拍自拍在线 微拍福利99 大胆西西人体44rt ,net 一个护士的性爱录音 国产亚洲精品自拍偷拍野战视频 亚洲图片 自拍 俄罗斯t极度另类 流浪汉强x番号 欧美妻片 漫画区成人福利 超碰在线视频自拍偷拍国产 成人av所有网址 动力电影 西瓜影音 SNIS-300 800AV亚洲 丁香五月在线观看线 日本一本道av京东热高清 欧洲美女视频 足控磁力 mp4 ckplayer菠萝影院 欧美性爱bb视频 a免费高清不卡视频 youbb线视频 ses涩涩影院 XOXO在线 bibibi视频女主播 鸡巴插入欧美美女的b舒服 日本护士x x x o o o 露出视频福利 小黄瓜免费的福利视频 韩国伦理片s歩兵 毛多水多的女优 bt美国福利影吧 52我爱干免费看 四库影视 免费视频 成人影片不需下载gav 破初系列在线观看网站 三级黄线下载 白丝网站你懂的 自拍秦先生 男用j插女b 武汉第七中学门国产自拍在线 蒂亚 中文字幕在线观看 久热 中文字幕母亲和孩子 恋夜女主播福利合集 周末同床 ddy2499 江疏影不良视频magnet 威尼斯人大屁股做爱无码视频 迅雷资源链接 在线看成人小视频 在线看片网站国产 一个女人有男朋友为了生活和老板上床电影 社区性爱视频 最新欧美Av在线 欧美曰本一本道免费视频在线观看 日韩人妻免费高清视频 中国一级A片、/ 欧美无码av先锋影音 美人蒲 电影强奸乱伦 蚂蚁窝一个释放蝌蚪 密桃影 任你操任你曰爽爽 无码在线高速 av俘虏 五月丁678 任你躁视频搬运工 精品 鸭子澳门网址 日本最长69式在线 我妻如妓我如奴四哥 红豆导航精品在线 xx676 日本avv喷潮 九卅影城tv777 日本黄色影院 日本我不卡av 性污秽小视频 新忍尿大会。part2 性自虐视频网站 性感女神级美女主播诱惑要被迷死了 性感学生妹小视频 现在哪里还有小视频网站 泄欲哥网 小苹果性交影院 柳州莫菁 福利 温碧霞b cup 操逼直播视频直播 艹逼色中色 少妇掰B自慰21p ady伦理影音先锋 
厕奴调教番号 京香junlia作品动态图 操白嫩女友露脸图 欧美日一本道 - 百度 - 百度 - 百度 - 百度 百度天堂acg silk024在线观西瓜看 美乳少妇动态视频 谷露琪琪五月丁香 freex彩漫 爱爱呻吟视频在线 办公室女神小雅漫画在线阅读 男人吸奶视频在线 91影院色激情 一级厕所偷拍视频 网红美女磁力链接 黑大屁股男女性交视频 日本女优中文字幕 午夜激情XXOO 电影院里摸她屄 美女视频做爱 t亚洲黄片 人人摸人人搞人人操 大机巴搞影院 仔仔网福利视频在线观看 女主丰满 国产 风骚中年妇女 台湾野外伦理 甘榴影院 国产福利直播在线手机视频 人妖做爱a片在线看 天堂鲁丝袜 jav在线播放无需下载播放器 亚洲午马天堂 亚洲新一木道, av网址色福利大全 成人网站来一波 四叶AV影院 男人同性视频在线观看 - 百度 老司机电影天堂看懂的 美殴色图 无码a试看 闪一下成人视频网站 华裔女与黑人群交 国产重口味自拍 波多野结衣3d无码作品番号及封面 国产丝袜高跟恋足调教视频 北京妞性爱视频 播放器大全女女女女女 国产视频母子做爱 被抄的影院 国内自拍在线吧 草逼 不堪凌辱的小林 波多野结衣被内射的 百度云 国产小青蛙搭讪 西瓜。 XXⅩ日本学生观看播放 湿妹伦理片 一本道素人三级 松下沙荣子BF-557 设为首页加入收藏图片区88 看米奇资源站 一本道最新色视频 少妇骚逼天天日 777影院 色老影院 水岛津实 媚药发狂种子 www875bbcon jjkkrrrr 冲田杏梨小时工 东方超碰进入 兔费在线直播欧美性爱电影 国产一本道久在道在线播放 淫妻的变化 色和尚色琪琪在线 1024手机基地看电影旧版恐怖片 人人澡操碰碰中文字 haodiaose37qao视频 协和影院影音先锋 暴风福利在线播放 real睿宝内部V8视频种子 PPPD-642 骑马乳交插乳抽插 JULIA 最后是厉害的 超碰人妻福利视频在线观看 本庄优花磁力 播播撸 t人体写真APP s:∥aui:a26067:C0m 暴风影音在线视频秋霞 sm 亚洲 欧美 少妇 浴室迷情苍井空视频大全 嗯嗯 宝贝在线观看视频 美女裸体无阴毛艺术 日本老黄片电影阿香 爱看福利群 动画无码种子 magnet 鸡吧操屄视频 午夜十二点福利导航 日本老女人丝祙 色色屋影院 动漫操操操人人操hhenhen 日本性交视濒 国产av 丝袜美腿 久久reav在线观看 亚洲阿v天堂2017手机avtt 4438x4最新视频网 四房播人肉 樱花族论坛在线视频 甘婷婷种子磁力搜索 97资源 magnet 日本加嘞比性交视频 3手机激情在线成人影院 类似仙桃福利视频的网站 198黄色网站 女教师监禁奴隶免费 rio在线手机视频免费视频 黄片啊啊嗯激烈 O福利导航 qiuxia手机影院同性恋 午夜欧美成人影dvd片 噜噜吧老司机免费影院 第九影院福利 在线观看 莉哥不雅视频1分钟完整版 奇优影院 WebCache 视频区在线av 欧美爱爱a∨视频 国外在线nobotv 国产熟女超碰在线视频 哺乳期的淫荡少妇 本田莉子视频 国产性虑自拍 国模抠B自拍 藏经阁色 亚洲无码性爱视频在线 让老公插自己小姊妹 japanesevoices 1819 福利gif magnet 2泰國超正女學生自拍影片流出 无毛伦理 欧美萝莉自慰视频 av视频 日本av 福利电影青春草 caoporn 国产自拍 偷拍自拍自拍视频嫖妓 48号缚师绑美女 高跟爆乳在线 天堂网_avmp4 国产自拍 小辣椒 苍井空在线教师2015 免费无码伦理片havtv 小草草大黄瓜在线观看 勇者传说ol加速器 伦伦影院手机在线看 看黄色视频, 谷露邪恶影院体验区 国产自拍HD高清 97影院霞秋在线 我的班主任是个超级大色鬼里番 青娱乐吧· 肏多毛的老女人 一本道av 免费频 内裤飞走了百度云 重生fast girls btav 七色成人在线 成人先锋爱爱视频 97paoa 毛片儿激情淫乱视频 超爽福利的秒拍视频 222kkk 乐色视频国产自拍 久草视频前田由美中出 河台性游戏 丁香色区大香蕉视频 欧美tv快来射电影 CD性爱视频 成人小视频日本 韩国舔屄 5017神级无码番号推荐 大桥未久快播视频在线 俄罗斯波神在线播放 人本黄片在线观看 玫瑰花大眼睛模特裸体视频 美国老太大阴部性成熟 舌恋丝 乱伦视频在线免费看 毛色性一级片 毛片试看3o秒的视频 裸体影城 美女仓井啪啪无翼乌 美女操操 撸撸炮撸一炮在线影院 极品魔鬼身材女神被满身毛 清纯唯美五月香蕉 青青草视频苍井空 精品幼女在线视频 寂寞丝妇 经典伦理片abc 人与畜生配交电影 强奸乱伦图片 激情视频体验版女自慰 朴妮麦福利视频优酷网 会员 28:37 
大神夜店搭讪极品外围女带回高级寓所阳台一直干到莎发720P高清无 金瓶梅在线第五季 精品一级国产黄片 伦理片明末 一级韩国毛片性一交图片 真实强奸ed2k 下载 800av播放器 美乳女神思瑞 我要涩涩 李美淑左爱 99精品任你干 日本黄色视频裸照 午夜影院视费x看1000 深喉吞精在线 超碰人人很很操图片 性51免费视频在线观看 被窝网理论在线福利视频 午夜图库三级 Lingleizhuanqv 亚洲欧洲日美有码无码有声小说 宝宝新福利影院 91爱丝小仙女酒店前台 我要打飞 机com2019 waifu哔咔官网 57av08 sigua 888com 欧州av与亚州av 亚洲图日韩专区 好声音 好好的日免费视频 下载 黄色影院福利区免费无需下载在线试看。 黑人来中国跟美妞说鸡巴超级大骚货主动约炮鸡巴大也是很好的一件事啊- 黄色彩大美女的逼逼 户外女主播勾引外卖小哥打野炮 欧美图片综合自拍19p 黄片毛片淫乱篇快速影院 日本高清无码视频自拍 大香蕉在线导航视频 插少妇綾合网 wwwady51 日本井川由依影视 汤姆影院AVt0n 大香蕉狼狼日伊人 伦理电影网无码 a片毛片香港澳门 色妞老秃驴 欧美 日韩 巨乳人妻 精品国产自在线拍fennencaonu 一本道久在线名模 翔田千里 艳情 在线播放 捆绑调教 拳交番号大全 国产啪啪啪视频网友自拍 58影视网在线 神码伦理在线 加勒比系列丝袜中出 男女做爱视频黄片 mp4 单身男福利剧场 夫面前侵犯柚木 seyutv 么什网战看成人免费 99thz桃色论坛 百威快播成人电网 日本AV群交游戏 成年人免费黄色网站 kedouzipaiwang sesihu 大香蕉伊人综合网色屋 先锋影在线看片 caopo国产成人 99thz在线论坛 澳门三级操碰在线视频 id034一之濑桃 猛男操美女视频 91国产乱伦剧情006-“儿子我受不了”母子乱伦之卡拉OK內射骚屄妈妈高清无水印版 欧美幼老色与狗色 五感图片在线 桃隐福利社区官方论坛入口 91福利站在线 3d口球视频 国模蒂蒂在线 韩国美女自慰视频在线看 久久 国产制服丝袜福利视频 韩国午夜爱阴 韩国美女vip视频合集在线观看 国产自拍无极制 国产自拍啪啪啪在线 国产自拍、欧美 男女鸡鸡插阴道里面的视频 男女交配视频真人 爱爱午夜老司机福利影院 日本黄片视频软件 美女,主播真心漂亮椅子上紫薇逼逼无毛 u15 番号 丝袜长腿秘书性爱 国产自拍视频同事 日本爱爱成人视频网站 肥熟大妞 丝袜黑色脚交图片福利 一日本老太视频播放 川相美月 无码 9191手机国产在线播放 qiangjianshaonushipin 五十路无码合集thunder 马凡舒裸体视频迅雷下载下载 Caoii∪1024 porn三级 magnet 国产自拍yi 自拍5xsq 里番douluo123 青草草社区 网友自拍 国庆 厕所视频 黄片A片视频 日本激情性短视频观看 - 百度 做素股 yezubuluo18,com 珑泽萝拉无码av下载 玉色天堂 快手AV网址 加勒比 东京热 Japanese av在线 色中色址导航 aa2424凤凰影院 wwwxx男人天堂 爱paipai 在线成人AV magnet 日韩无码茌线 成人综合娱乐在线视频 mav磁力链接 爱人体福利导航 欧美 色 图 中国人的最爱苍井空520 欧美高中情侣 视频 黄色艳舞视频 成人视频黄色网站 大香蕉高清在线播放 欧美畜生伦理 Japanese av jav hd 国产精品大香蕉在线视频 乡本佳人视频 菅野松雪磁力种子下载 日本女优视频 ed2k 玛格丽特公主的艳照 乱伦骚逼12p 那里能看苍井空的 打屁股2小游戏3kk 拍和日本人做爱的电影 偷挶? 大白逼黄片 吃林心如身体 人体艺体大写真 hd色妹妹影院第三页 人体艺术网站有那几个 色战 黑丝袜电影院 日本美女全祼体图片免费 鬼地狱ⅱ长泽雪野 胖子大阴唇也很胖 操美女妹妹小说 淫妻女友系列小说 黄朝激情 撸撸色色屄 户外掰开美女人体艺术 肛交合集观看 御姐很哀伤无码照片 逍遥仙境论坛最新地址 丝交p 我操邻居小媳妇 明日香捆绑 撸女热 能看的欧美图片 闫凤娇大尺度艺术 波多野结衣14影音先锋 自拍在线网 伊沢淳子先锋影音