I’m a WAF writer. I recently discovered a risk that a WAF based on nginx may be bypassed when I rewrite the code. If Cloudflare’s WAF is also based on nginx, I would like to give you some suggestions.
Cloudflare is a company worth over $25 billion, so it’s not based on nginx - it’s an entirely in-house system.
Most of Cloudflare is actually based on OSS; I’m pretty sure a considerable part of the WAF base is inspired by the ModSecurity implementation on NGINX.
I’d say that it’s OK to share the suggestion but chances are they won’t give it much relevance unless it’s an actual threat which they usually want to talk about privately until fixed.
@Judge Cloudflare is a huge company, however, many of its resources are based on well-known open-source projects.
Here is an example: https://blog.cloudflare.com/how-we-scaled-nginx-and-saved-the-world-54-years-every-day/
I quote: “Each of our machines run NGINX with 15 worker processes, which means one slow I/O should only block up to 6% of the requests. However, the events are not evenly distributed, with the top worker taking 11% of the requests (or twice as many as expected).”
OK, I noticed that you moved to Rust, so there should be no such problem.