-
51.
Publication No.: US20210089328A1
Publication Date: 2021-03-25
Application No.: US17114382
Application Date: 2020-12-07
Applicant: CLOUDFLARE, INC.
Inventor: Kenton Taylor Varda, Zachary Aaron Bloom, Marek Przemyslaw Majkowski, Ingvar Stepanyan, Kyle Kloepper, Dane Orion Knecht, John Graham-Cumming, Dani Grant
Abstract: A compute server receives a request from a client device that triggers execution of a third-party code piece. The compute server is one of multiple compute servers that are part of a distributed cloud computing network. The request may be an HTTP request and directed to a zone. A single process at the compute server executes the third-party code piece in an isolated execution environment. The single process is also executing other third-party code pieces in other isolated execution environments respectively. A response is generated to the request based at least in part on the executed third-party code piece, and the generated response is transmitted to the client device.
-
52.
Publication No.: US10791099B2
Publication Date: 2020-09-29
Application No.: US16159437
Application Date: 2018-10-12
Applicant: CloudFlare, Inc.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
Abstract: A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.
-
53.
Publication No.: US10666613B2
Publication Date: 2020-05-26
Application No.: US16160294
Application Date: 2018-10-15
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming, Dani Grant, Christopher Philip Branch, Tom Paseka
Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.
-
54.
Publication No.: US10331462B1
Publication Date: 2019-06-25
Application No.: US16182522
Application Date: 2018-11-06
Applicant: CLOUDFLARE, INC.
Inventor: Kenton Taylor Varda, Zachary Aaron Bloom, Marek Przemyslaw Majkowski, Ingvar Stepanyan, Kyle Kloepper, Dane Orion Knecht, John Graham-Cumming, Dani Grant
Abstract: A compute server receives a request from a client device that triggers execution of a third-party code piece. The compute server is one of multiple compute servers that are part of a distributed cloud computing network. The request may be an HTTP request and directed to a zone. A single process at the compute server executes the third-party code piece in an isolated execution environment. The single process is also executing other third-party code pieces in other isolated execution environments respectively. A response is generated to the request based at least in part on the executed third-party code piece, and the generated response is transmitted to the client device.
-
Publication No.: US10305871B2
Publication Date: 2019-05-28
Application No.: US14964491
Application Date: 2015-12-09
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Thomas Sullivan, Lee Hahn Holloway, Piotr Sikora, Ryan Lackey, John Graham-Cumming, Dane Orion Knecht, Patrick Donahue, Zi Lin
Abstract: A server receives a request from a client to establish a secure session. The server analyzes the request to determine a set of one or more properties of the request. The server selects, based at least in part on the determined set of properties, one of multiple certificates for a hostname of the server, where each of the certificates is signed using a different signature and hash algorithm pair. The server returns the selected certificate to the client.
-
Publication No.: US10218805B2
Publication Date: 2019-02-26
Application No.: US15179454
Application Date: 2016-06-10
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming
Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted, where the response includes a first number of redirects that the client device is to complete prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, determining whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.
-
57.
Publication No.: US10142434B2
Publication Date: 2018-11-27
Application No.: US16002401
Application Date: 2018-06-07
Applicant: CLOUDFLARE, INC.
Inventor: John Graham-Cumming
Abstract: A network optimizer receives, from a client device, a request for a network resource including a first version identifier identifying a first version of the network resource. A request for the network resource is transmitted to a far end network optimizer with a second version identifier that identifies a second version of the network resource. The network optimizer receives, from the far end network optimizer, a response that includes a first differences file that specifies first difference(s) between the second version with a most current version of the network resource. The response does not include the entire network resource. The network optimizer transmits to the client device a second response including a second differences file that identifies differences between the most current version of the network resource and the first version of the network resource causing the generation of an updated version of the network resource at the client device.
-
58.
Publication No.: US10129224B2
Publication Date: 2018-11-13
Application No.: US15413187
Application Date: 2017-01-23
Applicant: CloudFlare, Inc.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Phillippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Publication No.: US10104194B2
Publication Date: 2018-10-16
Application No.: US15811623
Application Date: 2017-11-13
Applicant: Cloudflare, Inc.
Inventor: John Graham-Cumming, Andrew Galloni, Terin Stock
IPC: G06F15/173, H04L29/08, H04L29/06
Abstract: A browser receives a web page that includes a script that is configured to control subsequent requests of the browser for at least the web page and caches a first portion of the web page that includes reference(s) to other web resource(s). A subsequent request for the web page is dispatched to the script which returns the cached first portion of the web page to the browser and a request for the full web page is made. Request(s) are also transmitted for the web resource(s) referenced in the first portion of the web page without waiting for the full web page to be received. When the full web page is received, if the first portion of the page matches the corresponding portion of the full page, that corresponding portion is removed from the full page and the remaining page is returned to the browser.
-
60.
Publication No.: US10104039B1
Publication Date: 2018-10-16
Application No.: US15719537
Application Date: 2017-09-28
Applicant: Cloudflare, Inc.
Inventor: Dane Orion Knecht, John Graham-Cumming, Dani Grant, Christopher Philip Branch, Tom Paseka
Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.