公开(公告)号：US10104039B1

公开(公告)日：2018-10-16

申请号：US15719537

申请日：2017-09-28

Applicant: Cloudflare, Inc.

Inventor： Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant ,  Christopher Philip Branch ,  Tom Paseka

IPC: H04L29/12 ,  H04L29/08 ,  H04L12/46 ,  H04W28/02 ,  H04L29/06

Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.

公开(公告)号：US10069787B2

公开(公告)日：2018-09-04

申请号：US14676631

申请日：2015-04-01

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming

IPC: G06F15/173 ,  H04L29/12

Abstract: A method and apparatus for managing CNAME records such that CNAME records at the root domain are supported while complying with the RFC specification (an IP address is returned for any Address query for the root record). The authoritative DNS infrastructure acts as a DNS resolver where if there is a CNAME at the root record, rather than returning that record directly, a recursive lookup is used to follow the CNAME chain until an A record is located. The address associated with the A record is then returned. This effectively “flattens” the CNAME chain. This complies with the requirements of the DNS specification and is invisible to any service that interacts with the DNS server.

公开(公告)号：US20160315767A1

公开(公告)日：2016-10-27

申请号：US15202371

申请日：2016-07-05

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/08 ,  H04L9/14 ,  H04L9/30 ,  H04L9/32 ,  H04L29/06

CPC classification number: H04L9/0844 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/061 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US09450950B2

公开(公告)日：2016-09-20

申请号：US14675385

申请日：2015-03-31

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  G06F21/33 ,  H04L9/08 ,  H04L29/08

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US20160065684A1

公开(公告)日：2016-03-03

申请号：US14937799

申请日：2015-11-10

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Stephen Joel ,  Michael Sofaer ,  Lee Hahn Holloway ,  Ray Raymond Bejjani ,  Matthieu Philippe François Tourne ,  Sébastien Andreas Henry Pahl ,  Dane Orion Knecht

IPC: H04L29/08 ,  H04W4/18 ,  G06T3/40

CPC classification number: H04L67/2804 ,  G06F17/30905 ,  G06T3/40 ,  H04L67/2823 ,  H04W4/185

Abstract: A request is received at a proxy server for a web page, the request originating from a client network application of a client device. The requested web page includes multiple references to multiple images. The proxy server retrieves the requested web page. The proxy server modifies code of the retrieved web page such that the client network application will not, for each one of images, request that image until the location where that image is to be displayed is within a viewport of the client network application or within a defined distance from the viewport of the client network application. The proxy server transmits the modified web page to the client device.

Abstract translation: 在用于网页的代理服务器处接收到来自客户端设备的客户端网络应用的请求。 所请求的网页包括对多个图像的多个引用。 代理服务器检索所请求的网页。 代理服务器修改检索到的网页的代码，使得客户端网络应用程序对于每个图像将不请求该图像，直到该图像要被显示的位置在客户端网络应用的视口内，或者在 与客户端网络应用程序的视口的距离。 代理服务器将修改的网页发送到客户端设备。

公开(公告)号：US09184911B2

公开(公告)日：2015-11-10

申请号：US14248254

申请日：2014-04-08

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时用于握手的私钥被存储在不同的服务器中。 在握手过程中，服务器接收使用与客户端设备尝试建立安全会话的域绑定的公共密钥进行加密的预安全秘密。 服务器将加密的前提密码传送到不同的服务器以进行解密以及计算安全会话的主密钥和会话密钥所需的其他信息。 不同的服务器解密加密的前提秘密，生成主密钥，并生成在安全会话中使用的会话密钥，用于加密和解密客户端设备与服务器之间的通信，并将这些会话密钥发送到该服务器。

公开(公告)号：US12273316B2

公开(公告)日：2025-04-08

申请号：US18392521

申请日：2023-12-21

Applicant: CLOUDFLARE, INC.

Inventor： Marek Przemyslaw Majkowski ,  Braden Michael Ehrat ,  Sergi Isasi ,  Dane Orion Knecht ,  Dina Kozlov ,  Rustam Xing Lalkaka ,  Eric Reeves ,  Oliver Zi-gang Yu

IPC: H04L61/5007

Abstract: A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses for which compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.

公开(公告)号：US20250106306A1

公开(公告)日：2025-03-27

申请号：US18898515

申请日：2024-09-26

Applicant: CLOUDFLARE, INC.

Inventor： Michael Hart ,  Keith Adler ,  Derek Arturo Chamorro ,  Brendan Martin Irvine-Broque ,  Dane Orion Knecht ,  Rita Kozlov ,  Jesse Thomas Kipp ,  Celso Martinho ,  Manish Muttreja ,  Isaac Rehg ,  Richard Lawrence Robinett ,  Syona Sarma ,  Sven Sauleau ,  Phillip David Wittig

IPC: H04L67/63 ,  H04L41/16 ,  H04L67/1014

Abstract: A first compute server of a plurality of compute servers of a distributed cloud computing network receives an inference request. The first compute server determines that the received inference request triggers execution of code at the distributed cloud computing network, where the code is related to an artificial intelligence (AI) application that interacts with the inference request and causes input of the inference request to be run through an AI model. If the AI model is not loaded at the first compute server but is loaded at a second compute server, the inference request is routed to the second compute server for performing the inference operation.

公开(公告)号：US11863448B2

公开(公告)日：2024-01-02

申请号：US18158694

申请日：2023-01-24

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Philip Branch ,  Dane Orion Knecht

IPC: H04L45/745 ,  H04L12/46 ,  H04L67/10 ,  H04L67/01 ,  H04L67/56

CPC classification number: H04L45/745 ,  H04L12/4633 ,  H04L12/4641 ,  H04L67/01 ,  H04L67/10 ,  H04L67/56

Abstract: Traffic optimization in virtual private networks (VPNs) is described. A client device establishes a first VPN connection with a first server according to a first VPN route configuration that specifies a first VPN route to the first server. Flow(s) of traffic is forwarded through the first VPN connection to the first server. The client device receives a second VPN route configuration that specifies a second VPN route to a second server of the plurality of servers for establishing a second VPN connection, where the second VPN connection satisfies a set of traffic optimization criteria. The client device establishes the second VPN connection with the second server according to the second VPN route configuration. Traffic is forwarded through the second VPN connection to the second server.

公开(公告)号：US11855958B2

公开(公告)日：2023-12-26

申请号：US17903828

申请日：2022-09-06

Applicant: CLOUDFLARE, INC.

Inventor： Marek Przemyslaw Majkowski ,  Braden Michael Ehrat ,  Sergi Isasi ,  Dane Orion Knecht ,  Dina Kozlov ,  Rustam Xing Lalkaka ,  Eric Reeves ,  Oliver Zi-gang Yu

IPC: H04L29/08 ,  H04L29/06 ,  H04L61/5007

CPC classification number: H04L61/5007

Abstract: A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses for which compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.