Archive

Category Archives for "CloudFlare"

Designing the new Cloudflare Web Application Firewall

Designing the new Cloudflare Web Application Firewall
Designing the new Cloudflare Web Application Firewall

The Cloudflare Web Application Firewall (WAF) protects websites and applications from malicious traffic attempting to exploit vulnerabilities in server software. It’s a critical piece of the broader security posture of your application. With that in mind, we made sure improvements to the Web Application Firewall dashboard experience made it easier to enable the WAF and configure rules to match the specific requirements of an application. In this post, I’ll share parts of the process we followed and the rationale behind the decisions we took when designing the new Web Application Firewall dashboard experience.

I’ve separated out my design process into three stages:

  1. Identify the tasks customers are trying to complete using the WAF
  2. Prioritise the tasks in such a way that it’s clear what the most common tasks are vs what the more involved tasks are
  3. Define, create, and refine the interface and interactions

Identifying the tasks customers are trying to complete

We support a range of customers — individual developers or hobbyists, small/medium-sized businesses where it’s common for a developer to fulfil multiple roles and responsibilities, through to large global enterprises where often there is an entire department dedicated to information security. Traditionally, product development teams use techniques such Continue reading

Branch predictor: How many “if”s are too many? Including x86 and M1 benchmarks!

Branch predictor: How many
Branch predictor: How many

Some time ago I was looking at a hot section in our code and I saw this:


	if (debug) {
    	  log("...");
    }
    

This got me thinking. This code is in a performance critical loop and it looks like a waste - we never run with the "debug" flag enabled[1]. Is it ok to have if clauses that will basically never be run? Surely, there must be some performance cost to that...

Just how bad is peppering the code with avoidable if statements?

Back in the days the general rule was: a fully predictable branch has close to zero CPU cost.

To what extent is this true? If one branch is fine, then how about ten? A hundred? A thousand? When does adding one more if statement become a bad idea?

At some point the negligible cost of simple branch instructions surely adds up to a significant amount. As another example, a colleague of mine found this snippet in our production code:


const char *getCountry(int cc) {
		if(cc == 1) return "A1";
        if(cc == 2) return "A2";
        if(cc == 3) return "O1";
        if(cc == 4) return "AD";
        if(cc == 5) return "AE";
        if(cc == 6) return "AF";
         Continue reading

SSHing to my Raspberry Pi 400 from a browser, with Cloudflare Tunnel and Auditable Terminal

SSHing to my Raspberry Pi 400 from a browser, with Cloudflare Tunnel and Auditable Terminal

A few weeks ago I received a Raspberry Pi 400 as a gift. I didn’t have time to do anything beyond plug it in and verify that it works. It’s great that the Pi 400 comes with everything you need except for a screen: there’s the computer itself, mouse, HDMI cable and power adapter.

SSHing to my Raspberry Pi 400 from a browser, with Cloudflare Tunnel and Auditable Terminal

The Pi 400 has been sitting gathering dust when Cloudflare launched Auditable Terminal giving me the perfect excuse to get out the Pi 400 and hook it up.

Auditable Terminal gives you a fully featured SSH client in your browser. You authenticate using Cloudflare Access and can log into a computer from anywhere just using the browser and get a terminal. And using Cloudflare Tunnel you can securely connect a computer to Cloudflare without punching holes in a firewall. And you end up with a consistent terminal experience across devices: 256 colours, Unicode support and the same fonts everywhere.

SSHing to my Raspberry Pi 400 from a browser, with Cloudflare Tunnel and Auditable Terminal

This is ideal for my use case: set up the Pi 400 on my home network, use Cloudflare Tunnel to connect it to the Cloudflare network, use Auditable Terminal to connect to the Pi 400 via Cloudflare and the tunnel using nothing more than a browser.

Here’s Continue reading

Project Jengo Redux: Cloudflare’s Prior Art Search Bounty Returns

Project Jengo Redux: Cloudflare’s Prior Art Search Bounty Returns
Project Jengo Redux: Cloudflare’s Prior Art Search Bounty Returns

Here we go again.

On March 15, Cloudflare was sued by a patent troll called Sable Networks — a company that doesn’t appear to have operated a real business in nearly ten years — relying on patents that don’t come close to the nature of our business or the services we provide. This is the second time we’ve faced a patent troll lawsuit.

As readers of the blog (or followers of tech press such as ZDNet and TechCrunch) will remember, back in 2017 Cloudflare responded aggressively to our first encounter with a patent troll, Blackbird Technologies, making clear we wouldn’t simply go along and agree to a nuisance settlement as part of what we considered an unfair, unjust, and inefficient system that throttled innovation and threatened emerging companies. If you don’t want to read all of our previous blog posts on the issue, you can watch the scathing criticisms of patent trolling provided by John Oliver or the writers of Silicon Valley.

We committed to fighting back against patent trolls in a way that would turn the normal incentive structure on its head. In addition to defending the case aggressively in the courts, we also founded Project JengoContinue reading

Cloudflare obtains new ISO/IEC 27701:2019 privacy certification and what that means for you

Cloudflare obtains new ISO/IEC 27701:2019 privacy certification and what that means for you

This post is also available in French and German.

Cloudflare obtains new ISO/IEC 27701:2019 privacy certification and what that means for you

Cloudflare is one of the first organisations in our industry to have achieved ISO/IEC 27701:2019 certification, and the first web performance & security company to be certified to the new ISO privacy standard as both a data processor and controller.

Providing transparency into our privacy practices has always been a priority for us. We think it is important that we do more than talk about our commitment to privacy — we are continually looking for ways to demonstrate that commitment. For example, after we launched the Internet's fastest, privacy-first public DNS resolver, 1.1.1.1, we didn’t just publish our commitments to our public resolver users, we engaged an independent firm to make sure we were meeting our commitments, and we blogged about it, publishing their report.

Cloudflare obtains new ISO/IEC 27701:2019 privacy certification and what that means for you

Following in that tradition, today we’re excited to announce that Cloudflare has been certified to a new international privacy standard for protecting and managing the processing of personal data — ISO/IEC 27701:2019. The standard is designed such that the requirements organizations must meet to become certified are very closely aligned to the requirements in the EU’s General Data Protection Regulation (“GDPR”). So Continue reading

Announcing Cloudflare Images beta to simplify your image pipeline

Announcing Cloudflare Images beta to simplify your image pipeline
Announcing Cloudflare Images beta to simplify your image pipeline

Today, we are announcing the beta of Cloudflare Images: a simple service to store, resize, optimize, and deliver images at scale.

In 2018, we launched Stream to provide a single product that could be used to store, encode, and deliver videos. With Cloudflare Images, we are doing for images what Stream did for videos. Just like Stream, Cloudflare Images eliminates the need to think about storage buckets, egress costs, and many other common problems that are solved for you out of the box. Whether you are building an ecommerce platform with millions of high-res product pictures and videos or a new app for creators, you can build your entire media pipeline by combining Cloudflare Images and Stream.

Fundamental questions for storing and serving images

Any time you are building infrastructure for image storage and processing, there are four fundamental questions you must answer:

  1. “Where do we store images?”
  2. “How do we secure, resize, and optimize the images for different use cases?”
  3. “How do we serve the images to our users reliably?”
  4. “How do we do all of these things at scale while having predictable and affordable pricing, especially during spikes?”

Cloudflare Images has a straightforward set Continue reading

Start building your own private network on Cloudflare today

Start building your own private network on Cloudflare today
Start building your own private network on Cloudflare today

Starting today, your team can create a private network on Cloudflare’s network. Team members click a single button to connect to private IPs in environments that you control. Cloudflare’s network routes their connection through a data center in one of over 200 cities around the world. On the other side, administrators deploy a lightweight software connector that replaces traditional VPN appliances.

Cloudflare’s private network combines IP level connectivity and Zero Trust controls. Thick clients like RDP software, SMB file viewers, or other programs can connect to the private IPs already in use in your deployment without any additional configuration. Coming soon, you’ll be able to layer additional identity-based network-level rules to control which users, from which devices, can reach specific IPs.

We are launching this feature as a follow-up to Cloudflare’s Developer Week because we are excited to give your development team, and your entire organization, a seamless platform for building and connecting your internal resources. We built this solution based on feedback from customers who want to move to a Zero Trust model without sacrificing some of the convenience of a private network.

We’re excited to give any team the ability to run their internal network on Cloudflare’s global Continue reading

A Full Circle Journey: Introducing Cloudflare Canada

A Full Circle Journey: Introducing Cloudflare Canada

Pour voir cette publication en français, veuillez cliquer ici.

A Full Circle Journey: Introducing Cloudflare Canada

Today Cloudflare announced that Toronto will be home to Cloudflare’s first Canadian office and team. While I currently live in San Francisco, I was born and raised in Saskatchewan. As a proud Canadian, today feels like a homecoming. Canada has always been an important part of our history and customer base, and I am thrilled to see Cloudflare make a further commitment of expanding officially in the country and opening an office in Toronto. We are hiring a team locally to help our current customers and future customers, and to support even more great Canadian organizations. I wanted to share more about how Cloudflare works with Canadian businesses, what today’s announcement means, and some personal reflections.

How Cloudflare works with Canadian entrepreneurs, businesses, and nonprofits

Cloudflare helps ensure anything connected to the Internet is fast, safe, and reliable. We do this by running a distributed global cloud platform that delivers a broad range of network services to businesses of all sizes—making them more secure, enhancing the performance of anything connected online, and eliminating costs and complexity. We help approximately 25M Internet properties around the world—whether you’re a Canadian entrepreneur trying to Continue reading

Why I’m helping Cloudflare grow in Canada

Why I'm helping Cloudflare grow in Canada
Why I'm helping Cloudflare grow in Canada

I am incredibly excited to join Cloudflare as Head of Sales for Canada to expand the company’s growth in the region as part of its mission to help build a better Internet. This is an important milestone for Cloudflare to better serve the needs of our Canadian customers, recruit local talent, and build on the regional successes we’ve had around the globe.

Internet security, privacy, and performance are key drivers for every business, individual, and public sector organization. Universal dependency on the Internet has significantly increased, with web commerce, remote learning, distributed teams, remote work, virtual meetings etc. — and this is all here to stay.

Over the last few years we have seen the industry move from on-premise infrastructure and applications to a cloud-first approach with cloud and SaaS architectures. As this significant and inevitable transition has accelerated, it has introduced new complexities, challenges, and opportunities for organizations with the evolution to heterogeneous environments across public cloud, on-premise, and hybrid deployments.

At the same time, a company’s digital assets (data, web properties, applications, etc.) have become their most valuable assets. How an organization uses the Internet to serve their customers, partners, and employees has become a strategic priority Continue reading

DDoS attack trends for 2021 Q1

DDoS attack trends for 2021 Q1
DDoS attack trends for 2021 Q1

Last week was Developer Week at Cloudflare. During that week, our teams released a bunch of cool new products, including a bunch of improvements to Workers. And it's not just our customers that love deploying apps with Workers, but also our engineering teams. Workers is also what powers our Internet traffic and attack trends on Cloudflare Radar. Today, along with this deep-dive analysis blog, we’re excited to announce the new Radar DDoS Report page, our first fully automated data notebook built on top of Jupyter, Clickhouse, and Workers.

Last month, we introduced our autonomous edge DDoS (Distributed Denial of Service) protection system and explained how it is able to drop attacks at wire speed without impacting performance. It runs in our networks’ edge, analyzes traffic asynchronously to avoid impacting performance, and pushes mitigation rules in-line immediately once attacks are detected. All of this is done autonomously, i.e., without requiring centralized consensus.

Today, we’d like to share the latest DDoS insights and trends that are based on attacks that our system mitigated during the first quarter of 2021. When we analyze attacks, we calculate the “DDoS activity” rate, which is the percent of attack traffic out of Continue reading

Entwicklung der DDoS-Bedrohungslandschaft im ersten Quartal 2021

Entwicklung der DDoS-Bedrohungslandschaft im ersten Quartal 2021
Entwicklung der DDoS-Bedrohungslandschaft im ersten Quartal 2021

Letzte Woche fand die Cloudflare Developer Week statt – ein willkommener Anlass für unsere Teams, eine Reihe von spannenden neuen Produkten und nicht zuletzt auch einige Verbesserungen für Workers vorzustellen. Die Qualitäten dieser Lösung für den Einsatz von Applikationen wissen übrigens nicht nur unsere Kunden zu schätzen: Das Tool erfreut sich auch bei unseren eigenen Entwicklern großer Beliebtheit. Unter anderem basiert auch unsere Untersuchung von Internet- und Bedrohungstrends mithilfe von Cloudflare Radar auf Workers. Wir freuen uns, dass wir Ihnen heute (zusätzlich zu diesem Blogbeitrag mit detaillierten Analysen zu diesem Thema) unseren neuen Radar DDoS Report präsentieren können, unser erstes komplett automatisiertes Daten-Notebook auf der Grundlage von Jupyter, Clickhouse und Workers.

Letzten Monat stellten wir unser autonomes, am Netzwerkrand (Edge) betriebenes Schutzsystem gegen DDoS-Angriffe (Distributed Denial of Service) vor und erläuterten, wie es mit dieser Lösung gelingen kann, Attacken verzögerungsfrei und ohne Performance-Einbußen abzuwehren. Dieses System vermeidet Leistungsabfälle durch eine asynchrone Analyse des Datenverkehrs und leitet bei Angriffen sofort und direkt im Datenstrom Gegenmaßnahmen ein. All dies geschieht autonom am Netzwerkrand, eine separate Prüfung über eine zentrale Stelle ist nicht nötig.

Heute möchten wir Sie nun auf der Grundlage der Angriffe, die unsere Systeme im ersten Quartal 2021 abwehren Continue reading

Cloudflare’s Partnership with HashiCorp and Bootstrapping Terraform with Cf-Terraforming

Cloudflare’s Partnership with HashiCorp and Bootstrapping Terraform with Cf-Terraforming
Cloudflare’s Partnership with HashiCorp and Bootstrapping Terraform with Cf-Terraforming

Cloudflare and HashiCorp have been technology partners since 2018, and in that time Cloudflare’s integration with HashiCorp’s technology has deepened, especially with Terraform, HashiCorp’s infrastructure-as-code product. Today we are announcing a major update to our Terraform bootstrapping tool, cf-terraforming. In this blog, I recap the history of our partnership, the HashiCorp Terraform Verified Provider for Cloudflare, and how getting started with Terraform for Cloudflare developers is easier than ever before with the new version of cf-terraforming.

Cloudflare and HashiCorp

Members of the open source community wrote and supported the first version of Cloudflare's Terraform provider. Eventually our customers began to bring up Terraform in conversations more often. Because of customer demand, we started supporting and developing the Terraform provider ourselves. You can read the initial v1.0 announcement for the provider here. Soon after, Cloudflare’s Terraform provider became ‘verified’ and we began working with HashiCorp to provide a high quality experience for developers.

HashiCorp Terraform allows developers to control their infrastructure-as-code through a standard configuration language, HashiCorp Configuration Language (HCL). It works across a myriad of different types of infrastructure including cloud service providers, containers, virtual machines, bare metal, etc. Terraform makes it easy for developers to follow Continue reading

Containers at the edge: it’s not what you think, or maybe it is

Containers at the edge: it’s not what you think, or maybe it is
Containers at the edge: it’s not what you think, or maybe it is

At Cloudflare, we’re committed to making it as easy as possible for developers to make their ideas come to life. Our announcements this week aim to give developers all the tools they need to build their next application on the edge. These include things like static site hosting, certificate management, and image services, just to name a few.

Today, we’re thrilled to announce that we’re exploring a new type of service at the edge: containers.

This announcement will be exciting to some and surprising to many. On this very blog, we’ve talked about why we believe isolates — rather than containers on the edge — will be the future model for applications on the web.

Containers at the edge: it’s not what you think, or maybe it is

Isolates are best for Distributed Systems

Let us be clear: isolates are the best way to do edge compute, period. The Workers platform is designed to allow developers to treat our global network as one big computer. This has been a long-held dream of generations of engineers, inspiring slogans like "The Network is the Computer" — a trademark which, incidentally, we now own. Isolates and Durable Objects are finally making that vision possible.

In short, isolates excel at distributed systems. They are perfect for Continue reading

Announcing Cloudflare’s Database Partners

Announcing Cloudflare’s Database Partners
Announcing Cloudflare’s Database Partners

Cloudflare Workers is the easiest way for developers to deploy their application’s code with performance, scale and security baked in. No configuration necessary. Worker code scales to serve billions of requests close to your users across Cloudflare’s 200+ data centers.

But that’s not the only interesting problem we need to solve. Every application has two parts: code and state.

State isn’t always the easiest to work in a massive distributed system. When an application runs in 200+ data centers simultaneously, there’s an inherent tradeoff between distributing the data for better performance, availability, scale, and guaranteeing that all data centers see the same data at a given point in time.

Our goal is to make state at the edge seamless. We started that journey with Workers KV, which provides low-latency access to globally distributed data. We’re since added Durable Objects, with strong consistency and the ability to design coordination patterns on top of Workers. We’re continuing to invest in and build out these products.

However, some use cases aren’t easily implemented with Workers KV or Durable Objects. Think querying complex datasets, or communicating with an existing system-of-record. Even if we built this functionality ourselves, there will always be customers who want Continue reading

Cloudflare Stream now supports NFTs

Cloudflare Stream now supports NFTs
Cloudflare Stream now supports NFTs

Cloudflare Stream has been helping creators publish their videos online without having to think about video quality, device compatibility, storage buckets or digging through FFmpeg documentation. These creators want to be able to claim ownership of their works and assert control over how that ownership claim is transferred. Increasingly, many of those creators are looking to Non-Fungible Tokens (NFTs).

NFTs are a special type of smart contract that allows provable ownership of the contract on the blockchain. Some call NFTs collectibles because like coins or stamps, collectors who enjoy them buy, sell and trade them. Collectors keep track of NFTs on the Ethereum blockchain which acts as a shared source of truth of all the activity.

Today, we’re introducing a new API that takes a ERC-721 token ID and contact address and sets it on a video so every video on Stream can be represented with an NFT.

curl -X POST -H "Authorization: Bearer $AUTH_TOKEN" --data '{"contract":"0x57f1887a8bf19b14fc0d912b9b2acc9af147ea85","token":"5"}' https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/stream/$VIDEO_ID/nft

Once you set it, you cannot change these values so be sure to set it to an NFT you own! If you set a video you own to an NFT you don’t own, the owner of the NFT can claim Continue reading

Node.js support in Cloudflare Workers

Node.js support in Cloudflare Workers
Node.js support in Cloudflare Workers

We released Cloudflare Workers three years ago, making edge compute accessible to the masses with native support for the world’s most ubiquitous language — JavaScript.

The Workers platform has transformed so much since its launch. Developers can not only write sandboxed code at our edge, they can also store data at the edge with Workers KV and, more recently, coordinate state within our giant network using Durable Objects. Now, we’re excited to share our support of an 11 year old technology that’s still going strong: Node.js.

Node.js made a breakthrough by enabling developers to build both the frontend and the backend with a single language. It took JavaScript beyond the browser and into the server by using Chrome’s JavaScript engine, V8.

Workers is also built on V8 Isolates and empowers developers in a similar way by allowing you to create entire applications with only JavaScript — except your code runs across Cloudflare’s data centers in over 100 countries.

Our Package Support Today

There is nothing more satisfying than importing a library and watching your code magically work out-of-the-box.

For over 20k packages, Workers supports this magic already: any Node.js package that uses webpack or another polyfill Continue reading

Introducing workers.new, custom builds, and improved logging for Workers

Introducing workers.new, custom builds, and improved logging for Workers
Introducing workers.new, custom builds, and improved logging for Workers

Cloudflare Workers® aims to be the easiest and most powerful platform for developers to build and deploy their applications. With Workers, you can quickly solve problems without having to wonder: “is this going to scale?”

You write the JavaScript and we handle the rest, from distribution to scaling and concurrency.

In the spirit of quickly solving problems, we’re excited to launch three new improvements to the Workers experience, so you can take your next idea and ship it even faster.

Introducing... workers.new

Introducing workers.new, custom builds, and improved logging for Workers

First, we’re introducing https://workers.new, a shortcut that takes you directly to a JavaScript editor for creating a new Worker. Anytime you have a cool idea, need a quick fix to a problem, or just want to debug some JavaScript, you now have a simple way to go from idea to prototype. What’s more is you don’t even need to deploy the Worker to try it out!

Introducing workers.new, custom builds, and improved logging for Workers

We’ve also updated the default Worker template to help you go a few steps beyond the typical “Hello, World!”. When you open the editor, you’ll now see a few examples that demonstrate how to redirect requests, modify headers, and parse responses.

Customize your build scripts

Introducing workers.new, custom builds, and improved logging for Workers

For developers Continue reading

A Boring Announcement: Free Tunnels for Everyone

A Boring Announcement: Free Tunnels for Everyone
A Boring Announcement: Free Tunnels for Everyone

A few months ago, we announced that we wanted to make Zero Trust security accessible to everyone, regardless of size, scale, or resources. Argo Tunnel, our secure method of connecting resources directly to Cloudflare, is the next piece of the puzzle.

Argo Tunnel creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight connector in your environment. With this model, your team does not need to go through the hassle of poking holes in your firewall or validating that traffic originated from Cloudflare IPs.

In the past, Argo Tunnel has been priced based on bandwidth consumption as part of Argo Smart Routing, Cloudflare’s traffic acceleration feature. Starting today, we’re excited to announce that any organization can use the secure, outbound-only connection feature of the product at no cost. You can still add the paid Argo Smart Routing feature to accelerate traffic.

As part of that change (and to reduce confusion), we’re also renaming the product to Cloudflare Tunnel. To get started, sign up today.

If you’re interested in how and why we’re doing this, keep scrolling.

In 2018, Cloudflare introduced Argo Tunnel, a private, secure connection between your origin Continue reading

Bringing AI to the edge with NVIDIA GPUs

Bringing AI to the edge with NVIDIA GPUs
Bringing AI to the edge with NVIDIA GPUs

Cloudflare has long used machine learning for bot detection, identifying anomalies, customer support and business intelligence.  And internally we have a cluster of GPUs used for model training and inference.

For even longer we’ve been running code “at the edge” in more than 200 cities worldwide. Initially, that was code that we wrote and any customization was done through our UI or API. About seven years ago we started deploying custom code, written in Lua, for our enterprise customers.

But it’s quite obvious that using a language that isn’t widely understood, and going through an account executive to get code written, isn’t a viable solution and so four years ago we announced Cloudflare Workers. Workers allows anyone, on any plan, to write code that gets deployed to our edge network. And they can do it in the language they choose.

After launching Workers we added storage through Workers KV as programs need algorithms plus data. And we’ve continued to add to the Workers platform with Workers Unbound, Durable Objects, Jurisdictional Restrictions and more.

But many of today’s applications need access to the latest machine learning and deep learning methods. Those applications need three things: to scale easily, Continue reading

Expanding the Cloudflare Workers Observability Ecosystem

Expanding the Cloudflare Workers Observability Ecosystem
Expanding the Cloudflare Workers Observability Ecosystem

One of the themes of Developer Week is “it takes a village”, and observability is one area where that is especially true. Cloudflare Workers lets you quickly write code that is infinitely scalable — no availability regions, no scaling policies. Your code runs in every one of our data centers by default: region Earth, as we like to say. While fast time to market and effortless scale are amazing benefits, seasoned developers know that as soon as your code is in the wild… stuff happens, and you need the tools in place to investigate, diagnose, fix and monitor those issues.

Today we’re delighted to add to our existing analytics partners. We’re announcing new partnerships with six observability-focused companies that are deeply integrated into the Cloudflare Workers ecosystem. We’re confident these partnerships will provide immediate value in building the operational muscle to maintain and make your next generation of applications fast, secure and bullet-proof in production.

Expanding the Cloudflare Workers Observability Ecosystem

console.log(`Got request. Extracted name=${name}. Saving…`);

Cloudflare wrangler gives you the ability to generate, configure, build, preview and publish your projects, from the comfort of your dev environment. Writing code in your favorite IDE with a fully-fledged CLI tool that also allows you to simulate Continue reading

1 2 3 69