公开(公告)号：US10374953B1

公开(公告)日：2019-08-06

申请号：US16253819

申请日：2019-01-22

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Philip Branch ,  Dane Orion Knecht

IPC: H04L12/741 ,  H04L12/46 ,  H04L29/08 ,  H04L29/06

Abstract: Method and apparatus for traffic optimization in virtual private networks (VPNs). A client device establishes a first VPN connection with a first server based on first VPN credentials. Traffic is transmitted and received through the first VPN connection to and from the first server. A second server is identified based on traffic optimization criteria that need to be satisfied by the VPN connection. Upon receipt of the identification of the second server the client device is to use the second server as a destination of a second VPN connection. The second VPN connection satisfies a set of traffic optimization goals for at least one flow from the flows forwarded through the first VPN connection. Based on the identification of the second server, the client device establishes the second VPN connection for the flow between the client device and the second server.

公开(公告)号：US20190098343A1

公开(公告)日：2019-03-28

申请号：US15726315

申请日：2017-10-05

Applicant: Cloudflare, Inc.

Inventor： Dane Orion Knecht ,  Igor Postelnik ,  Oliver Yu ,  John Graham-Cumming ,  Dani Grant ,  Nitin Rao

IPC: H04N21/231 ,  H04N21/218 ,  H04N21/239 ,  H04N21/232

Abstract: A server in a content delivery network (CDN) receives a request for a web page of a domain handled by an origin server. The server retrieves the web page and the web page references a video. The server retrieves a file that indicates a list of locations of the domain in which segments of the video are located. The server fetches at least an initial portion of the segments. The server receives a request for the video. The server transmits to the requester at least the initial portion of the segments. The server receives a subsequent request of a different portion of the segments. The server transmits a response to the requester that instructs the requester to transmit the request for the different portion of segments to a second server in the CDN.

公开(公告)号：US20180048730A1

公开(公告)日：2018-02-15

申请号：US15233157

申请日：2016-08-10

Applicant: CLOUDFLARE, INC.

Inventor： Dane Orion Knecht ,  John Graham-Cumming ,  Matthew Browning Prince

IPC: H04L29/08 ,  H04L29/06

CPC classification number: H04L67/2828 ,  H04L67/02 ,  H04L67/10 ,  H04L67/2842 ,  H04L67/42 ,  H04L69/04

Abstract: A near end point of presence (PoP) of a cloud proxy service receives, from a client device, a request for a network resource. A far end PoP from a plurality of PoPs of the cloud proxy service is identified. Responsive to determining that a version of the network resource is stored in the near end PoP, a request for the network resource is transmitted to the far end PoP with a version identifier that identifies that version. The far end PoP receives, from the near end PoP, a response that includes difference(s) between the version of the network resource stored in the near end PoP with a most current version of the network resource. The response does not include the entire network resource. The near end PoP applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits it to the client device.

公开(公告)号：US20170237571A1

公开(公告)日：2017-08-17

申请号：US15271190

申请日：2016-09-20

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/32 ,  H04L29/08 ,  H04L9/30 ,  H04L29/06 ,  H04L9/08 ,  H04L9/14

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US09634837B1

公开(公告)日：2017-04-25

申请号：US15211731

申请日：2016-07-15

Applicant: CLOUDFLARE, INC.

Inventor： Dane Orion Knecht ,  John Graham-Cumming

IPC: H04L29/06 ,  H04L9/12 ,  H04L29/08 ,  H04L29/12

CPC classification number: H04L63/101 ,  H04L9/3228 ,  H04L9/3297 ,  H04L61/10 ,  H04L61/1511 ,  H04L63/0227 ,  H04L63/0428 ,  H04L63/0838 ,  H04L63/108 ,  H04L63/1416 ,  H04L63/1458 ,  H04L67/02 ,  H04L67/10 ,  H04L67/28 ,  H04L67/2833 ,  H04L67/2842 ,  H04L67/42 ,  H04L2463/142

Abstract: A method and apparatus for causing a delay in processing requests for Internet resources received from client devices is described. A server receives from a client device a request for a resource. The server transmits a response to the first client device indicating that access to the resource is temporarily denied. The response includes a cryptographic token associated with the first request and a predetermined period of time during which the first client device is to wait prior to transmitting another request to access the resource. The server receives a second request for the resource, upon determining that the second request includes a valid cryptographic token, the server causes the second request to be processed. The server receives a third request for the resource, and upon determining that the third request does not include a valid cryptographic token, the server blocks the third request.

公开(公告)号：US12248792B2

公开(公告)日：2025-03-11

申请号：US18393385

申请日：2023-12-21

Applicant: CLOUDFLARE, INC.

Inventor： Kenton Taylor Varda ,  Zachary Aaron Bloom ,  Marek Przemyslaw Majkowski ,  Ingvar Stepanyan ,  Kyle Kloepper ,  Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant

IPC: G06F9/448 ,  G06F9/455 ,  G06F21/53 ,  H04L9/40 ,  H04L41/50 ,  H04L67/00 ,  H04L67/02 ,  H04L67/10 ,  H04L67/53 ,  H04L67/63

Abstract: A compute server receives a request that triggers execution of a code piece out of multiple code pieces. A single process at the compute server executes the code piece, which is run in an isolated execution environment. Each other code piece runs in other isolated execution environments respectively and executed by the single process. The code piece, when executed, modifies a response to the request. The response is generated based at least in part on the executed code piece. The generated response is transmitted.

公开(公告)号：US11949647B2

公开(公告)日：2024-04-02

申请号：US17728407

申请日：2022-04-25

Applicant: CLOUDFLARE, INC.

Inventor： Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant ,  Christopher Philip Branch ,  Tom Paseka

IPC: H04L61/2592 ,  H04L12/46 ,  H04L61/4511 ,  H04L67/01 ,  H04L67/02 ,  H04L67/10 ,  H04L67/1017 ,  H04L67/1031 ,  H04L61/5007

CPC classification number: H04L61/2592 ,  H04L12/4633 ,  H04L12/4641 ,  H04L61/4511 ,  H04L67/01 ,  H04L67/02 ,  H04L67/10 ,  H04L67/1017 ,  H04L67/1031 ,  H04L61/5007

Abstract: A tunnel is established between a first edge server of a distributed edge compute and routing service and a tunnel client residing on an origin server. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the first edge server. The routing rules are based at least in part on traffic information gathered from processing other traffic that traverses the distributed edge compute and routing service. A request for content served by the origin server through the tunnel is received at a second edge server of the distributed edge compute and routing service. A path from the second edge server to the first edge server is determined based on the routing rules. The request is transmitted on the determined path. The first edge server receives the request and transmits the request to the origin server over the tunnel.

公开(公告)号：US11561805B2

公开(公告)日：2023-01-24

申请号：US17114382

申请日：2020-12-07

Applicant: CLOUDFLARE, INC.

Inventor： Kenton Taylor Varda ,  Zachary Aaron Bloom ,  Marek Przemyslaw Majkowski ,  Ingvar Stepanyan ,  Kyle Kloepper ,  Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant

IPC: G06F9/448 ,  H04L67/00 ,  H04L67/02 ,  H04L67/10 ,  G06F9/455 ,  H04L9/40 ,  H04L67/53 ,  H04L67/63 ,  G06F21/53

Abstract: A compute server receives a request from a client device that triggers execution of a third-party code piece. The compute server is one of multiple compute servers that are part of a distributed cloud computing network. The request may be an HTTP request and directed to a zone. A single process at the compute server executes the third-party code piece in an isolated execution environment. The single process is also executing other third-party code pieces in other isolated execution environments respectively. A response is generated to the request based at least in part on the executed third-party code piece, and the generated response is transmitted to the client device.

公开(公告)号：US20220286424A1

公开(公告)日：2022-09-08

申请号：US17409535

申请日：2021-08-23

Applicant: CLOUDFLARE, INC.

Inventor： Marek Przemyslaw Majkowski ,  Braden Michael Ehrat ,  Sergi Isasi ,  Dane Orion Knecht ,  Dina Kozlov ,  Rustam Xing Lalkaka ,  Eric Reeves ,  Oliver Zi-gang Yu

IPC: H04L29/12

Abstract: A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses for which compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.

公开(公告)号：US11438302B1

公开(公告)日：2022-09-06

申请号：US17409535

申请日：2021-08-23

Applicant: CLOUDFLARE, INC.

Inventor： Marek Przemyslaw Majkowski ,  Braden Michael Ehrat ,  Sergi Isasi ,  Dane Orion Knecht ,  Dina Kozlov ,  Rustam Xing Lalkaka ,  Eric Reeves ,  Oliver Zi-Gang Yu

IPC: H04L29/08 ,  H04L29/06 ,  H04L61/5007

Abstract: A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses for which compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.