-
Publication No.: US20200007494A1
Publication Date: 2020-01-02
Application No.: US16570505
Filing Date: 2019-09-13
Applicant: CLOUDFLARE, INC.
Inventor: Matthew Browning Prince, Lee Hahn Holloway, David Randolph Conrad, Matthieu Philippe François Tourne
Abstract: A first packet of a first protocol version type that includes an incoming request for an action to be performed on an identified resource is received from a client at a proxy server as a result of a DNS request resolving to a network address of the proxy server. The proxy server transmits an outgoing request for the action to be performed on the identified resource to a network address of the destination origin server in a second packet that is of the second protocol version type. The proxy server receives a third packet that includes an incoming response from the destination origin server, the third packet being of the second protocol version type. The proxy server transmits a fourth packet to the client, the fourth packet being of the first protocol version type, wherein the fourth packet includes an outgoing response that is based on the incoming response.
-
Publication No.: US20190334812A1
Publication Date: 2019-10-31
Application No.: US16505458
Filing Date: 2019-07-08
Applicant: CLOUDFLARE, INC.
Inventor: Jeff Sesung Kim, Jun Ho Choi
IPC: H04L12/725, H04W40/00
Abstract: A mobile accelerator system includes point of presences (POPs) that includes an entry POP. The entry POP receives a query to a content server from a mobile device via a dedicated transport channel. The entry POP determines a direct connection score for a direct connection between the mobile device and the content server that does not traverse the mobile accelerator system. The entry POP determines a POP connection score for a connection between the mobile device and the content server through the entry POP and a candidate exit POP. The entry POP determines a dynamic path ranking based on the direct connection score, the POP connection score, and other POP connection score(s) associated with other candidate exit POP(s). The entry POP determines at least a portion of a dynamic path between the mobile device based on the dynamic path ranking and routes data transfers through that dynamic path.
-
Publication No.: US20190319919A1
Publication Date: 2019-10-17
Application No.: US16160294
Filing Date: 2018-10-15
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion KNECHT, John GRAHAM-CUMMING, Dani GRANT, Christopher Philip BRANCH, Tom PASEKA
Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.
-
Publication No.: US20190215166A1
Publication Date: 2019-07-11
Application No.: US16356304
Filing Date: 2019-03-18
Applicant: CLOUDFLARE, INC.
Inventor: Matthew Browning Prince, Srikanth N. Rao, Lee Hahn Holloway, Ian Gerald Pye
Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.
-
Publication No.: US10313475B2
Publication Date: 2019-06-04
Application No.: US15489433
Filing Date: 2017-04-17
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Matthew Browning Prince
Abstract: A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server transmits the request to the origin server. Responsive to determining that the origin server is offline, the proxy server determines whether the requested resource is available in cache. If it is in cache, the proxy server retrieves the requested resource from the cache and transmits the requested resource to the client device.
-
Publication No.: US20190044924A1
Publication Date: 2019-02-07
Application No.: US16159437
Filing Date: 2018-10-12
Applicant: CloudFlare, Inc.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
Abstract: A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.
-
Publication No.: US10177909B1
Publication Date: 2019-01-08
Application No.: US15828123
Filing Date: 2017-11-30
Applicant: Cloudflare, Inc.
Inventor: Nicholas Thomas Sullivan, Brendan Scott McMillion
Abstract: Managing private key access in multiple nodes is described. A piece of data (e.g., a private key) is encrypted using identity-based broadcast encryption and identity-based revocation encryption so that only certain servers in a distributed network of servers can decrypt the piece of data. The piece of data is encrypted with a key encryption key (KEK). The KEK is split into two pieces. The first piece is encrypted using identity-based broadcast encryption with an identified location as input such that only servers of the identified location can decrypt the first piece, and the second piece is encrypted using identity-based revocation encryption so that certain identified servers of the identified location cannot decrypt the second piece. The keys are transmitted to the servers.
-
Publication No.: US20190007214A1
Publication Date: 2019-01-03
Application No.: US16103820
Filing Date: 2018-08-14
Applicant: CLOUDFLARE, INC.
Inventor: Evan Johnson
Abstract: A request from a computing device for accessing a resource is received by an edge server, where the request includes a cookie containing a first token value and a second token value. The edge server validates the first token value and the second token value using a third token value generated using a hashing algorithm with a secret key and one or more other values. The edge server then compares the received token values with the third token value. When the request is validated, the edge server retrieves the requested resource.
-
Publication No.: US10129296B2
Publication Date: 2018-11-13
Application No.: US15603256
Filing Date: 2017-05-23
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
Abstract: A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.
-
Publication No.: US20180324270A1
Publication Date: 2018-11-08
Application No.: US16025903
Filing Date: 2018-07-02
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion KNECHT, John GRAHAM-CUMMING, Matthew Browning PRINCE
CPC classification number: H04L67/2828, H04L67/02, H04L67/10, H04L67/2842, H04L67/42, H04L69/04
Abstract: A near end point of presence (PoP) of a cloud proxy service receives, from a client device, a request for a network resource. A far end PoP from a plurality of PoPs of the cloud proxy service is identified. Responsive to determining that a version of the network resource is stored in the near end PoP, a request for the network resource is transmitted to the far end PoP with a version identifier that identifies that version. The far end PoP receives, from the near end PoP, a response that includes difference(s) between the version of the network resource stored in the near end PoP and a most current version of the network resource. The response does not include the entire network resource. The near end PoP applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits it to the client device.
-