公开(公告)号：US11316787B2

公开(公告)日：2022-04-26

申请号：US17020605

申请日：2020-09-14

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Philip Branch ,  Dane Orion Knecht

IPC: H04L45/745 ,  H04L12/46 ,  H04L67/56 ,  H04L67/01 ,  H04L67/10

Abstract: Method and apparatus for traffic optimization in virtual private networks (VPNs). A client device establishes a first VPN connection with a first server based on first VPN credentials. Traffic is transmitted and received through the first VPN connection to and from the first server. A second server is identified based on traffic optimization criteria that need to be satisfied by the VPN connection. Upon receipt of the identification of the second server the client device is to use the second server as a destination of a second VPN connection. The second VPN connection satisfies a set of traffic optimization goals for at least one flow from the flows forwarded through the first VPN connection. Based on the identification of the second server, the client device establishes the second VPN connection for the flow between the client device and the second server.

公开(公告)号：US11159479B2

公开(公告)日：2021-10-26

申请号：US16505433

申请日：2019-07-08

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming

IPC: G06F15/16 ,  H04L29/12

Abstract: A DNS name server manages CNAME records. The server receives a query for a first Address record for a fully qualified domain name from a requester. The server determines that the fully qualified domain name has a CNAME record, where the fully qualified domain name is a root domain. The server traverses a chain according to the CNAME record to locate a second Address record that includes an IP address. The server generates a response to the query that includes a third Address record for the fully qualified domain name that includes at least the IP address of the located second Address record. The server transmits the generated response to the requester.

公开(公告)号：US20210089328A1

公开(公告)日：2021-03-25

申请号：US17114382

申请日：2020-12-07

Applicant: CLOUDFLARE, INC.

Inventor： Kenton Taylor Varda ,  Zachary Aaron Bloom ,  Marek Przemyslaw Majkowski ,  Ingvar Stepanyan ,  Kyle Kloepper ,  Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant

IPC: G06F9/448 ,  H04L29/08 ,  H04L29/06 ,  G06F9/455

Abstract: A compute server receives a request from a client device that triggers execution of a third-party code piece. The compute server is one of multiple compute servers that are part of a distributed cloud computing network. The request may be an HTTP request and directed to a zone. A single process at the compute server executes the third-party code piece in an isolated execution environment. The single process is also executing other third-party code pieces in other isolated execution environments respectively. A response is generated to the request based at least in part on the executed third-party code piece, and the generated response is transmitted to the client device.

公开(公告)号：US10791099B2

公开(公告)日：2020-09-29

申请号：US16159437

申请日：2018-10-12

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33 ,  H04L9/32

Abstract: A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.

公开(公告)号：US10666613B2

公开(公告)日：2020-05-26

申请号：US16160294

申请日：2018-10-15

Applicant: CLOUDFLARE, INC.

Inventor： Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant ,  Christopher Philip Branch ,  Tom Paseka

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06 ,  H04L12/46

Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.

公开(公告)号：US10331462B1

公开(公告)日：2019-06-25

申请号：US16182522

申请日：2018-11-06

Applicant: CLOUDFLARE, INC.

Inventor： Kenton Taylor Varda ,  Zachary Aaron Bloom ,  Marek Przemyslaw Majkowski ,  Ingvar Stepanyan ,  Kyle Kloepper ,  Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant

IPC: G06F9/448 ,  H04L29/08 ,  H04L29/06

Abstract: A compute server receives a request from a client device that triggers execution of a third-party code piece. The compute server is one of multiple compute servers that are part of a distributed cloud computing network. The request may be an HTTP request and directed to a zone. A single process at the compute server executes the third-party code piece in an isolated execution environment. The single process is also executing other third-party code pieces in other isolated execution environments respectively. A response is generated to the request based at least in part on the executed third-party code piece, and the generated response is transmitted to the client device.

公开(公告)号：US10305871B2

公开(公告)日：2019-05-28

申请号：US14964491

申请日：2015-12-09

Applicant: CLOUDFLARE, INC.

Inventor： Nicholas Thomas Sullivan ,  Lee Hahn Holloway ,  Piotr Sikora ,  Ryan Lackey ,  John Graham-Cumming ,  Dane Orion Knecht ,  Patrick Donahue ,  Zi Lin

IPC: H04L29/06 ,  G06F21/33

Abstract: A server receives a request from a client to establish a secure session. The server analyzes the request to determine a set of one or more properties of the request. The server selects, based at least in part on the determined set of properties, one of multiple certificates for a hostname of the server, where each of the certificates is signed using a different signature and hash algorithm pair. The server returns the selected certificate to the client.

公开(公告)号：US10237365B2

公开(公告)日：2019-03-19

申请号：US14818277

申请日：2015-08-04

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Stephen Joel ,  Lee Hahn Holloway ,  Dane Orion Knecht ,  Albertus Strasheim

IPC: H04L29/08 ,  G06F17/24 ,  G06F17/22 ,  H04L29/06 ,  G06F17/30

Abstract: A request for a web page is received at a proxy server. The request originates from a client network application of a client device. The requested web page includes multiple references to multiple images. The proxy server retrieves the requested web page. The proxy server modifies code of the retrieved web page such that the client network application will not, for each one of those images, initially request those images when parsing the page. The proxy server also adds code to the retrieved web page that, when executed by the client network application, causes at least two of the images to be requested with a single request. The proxy server transmits the modified web page to the client device.

公开(公告)号：US10218805B2

公开(公告)日：2019-02-26

申请号：US15179454

申请日：2016-06-10

Applicant: CLOUDFLARE, INC.

Inventor： Dane Orion Knecht ,  John Graham-Cumming

IPC: H04L9/00 ,  H04L29/08 ,  H04L29/06

Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted, where the response includes a first number of redirects that the client device is to complete prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, determining whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.

公开(公告)号：US10129224B2

公开(公告)日：2018-11-13

申请号：US15413187

申请日：2017-01-23

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Phillippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33 ,  H04L9/32

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.