公开(公告)号：US11153226B2

公开(公告)日：2021-10-19

申请号：US16272289

申请日：2019-02-11

Applicant: Cloudflare, Inc.

Inventor： Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Christopher Stephen Joel ,  John Brinton Roberts ,  Michael Jonas Sofaer ,  Jason Thomas Walte Benterou

IPC: G06F15/16 ,  H04L12/911 ,  H04L29/08 ,  G06F8/61 ,  H04L29/06

Abstract: A proxy server automatically includes web applications in web pages at the network level. The proxy server receives, from a client device, a request for a network resource at a domain and is hosted at an origin server. The proxy server retrieves the requested network resource. The retrieved network resource does not include the web applications. The proxy server determines that the web applications are to be installed within the network resource. The proxy server automatically modifies the retrieved network resource to include the web applications. The proxy server transmits a response to the client device that includes the modified network resource. The network resource may remain unchanged at the origin server.

公开(公告)号：US20210240785A1

公开(公告)日：2021-08-05

申请号：US17234517

申请日：2021-04-19

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne

IPC: G06F16/958 ,  G06F16/95 ,  G06F21/55 ,  H04L29/06 ,  H04L29/08 ,  G06Q30/02 ,  G06Q10/10 ,  H04L29/12 ,  H04L29/14 ,  G06F40/143 ,  G06F40/14 ,  G06F15/16 ,  G06F21/00 ,  H04L12/58 ,  H04L12/911

Abstract: A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server retrieves the requested network resource. The proxy server determines that the requested resource is an HTML page. The proxy server scans the HTML page to locate one or more modification tokens that each indicates content that is subject to being modified. For at least one of the located modification tokens, the proxy server automatically modifies at least a portion of the content of the HTML page that corresponds to that modification token. The proxy server then transmits the modified HTML page to the client device.

公开(公告)号：US10984068B2

公开(公告)日：2021-04-20

申请号：US15497153

申请日：2017-04-25

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne

IPC: G06F16/90 ,  G06F16/958 ,  G06F16/95 ,  G06F21/55 ,  H04L29/06 ,  H04L29/08 ,  G06Q30/02 ,  G06Q10/10 ,  H04L29/12 ,  H04L29/14 ,  G06F40/14 ,  G06F15/16 ,  G06F21/00 ,  H04L12/58 ,  H04L12/911

Abstract: A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server retrieves the requested network resource. The proxy server determines that the requested resource is an HTML page. The proxy server scans the HTML page to locate one or more modification tokens that each indicates content that is subject to being modified. For at least one of the located modification tokens, the proxy server automatically modifies at least a portion of the content of the HTML page that corresponds to that modification token. The proxy server then transmits the modified HTML page to the client device.

公开(公告)号：US10904204B2

公开(公告)日：2021-01-26

申请号：US16570505

申请日：2019-09-13

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Lee Hahn Holloway ,  David Randolph Conrad ,  Matthieu Philippe François Tourne

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06

Abstract: A first packet of a first protocol version type that includes an incoming request for an action to be performed on an identified resource is received from a client at a proxy server as a result of a DNS request resolving to a network address of the proxy server. The proxy server transmits an outgoing request for the action to be performed on the identified resource to a network address of the destination origin server in a second packet that is of the second protocol version type. The proxy server receives a third packet that includes an incoming response from the destination origin server, the third packet being of the second protocol version type. The proxy server transmits a fourth packet to the client, the fourth packet being of the first protocol version type, wherein the fourth packet includes an outgoing response that is based on the incoming response.

公开(公告)号：US20200322374A1

公开(公告)日：2020-10-08

申请号：US16800175

申请日：2020-02-25

Applicant: Cloudflare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L29/06 ,  G06F21/55 ,  G06F21/57

Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

公开(公告)号：US10791099B2

公开(公告)日：2020-09-29

申请号：US16159437

申请日：2018-10-12

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33 ,  H04L9/32

Abstract: A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.

公开(公告)号：US10608983B2

公开(公告)日：2020-03-31

申请号：US15666412

申请日：2017-08-01

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Lee Hahn Holloway ,  Michelle Marie Zatlyn

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06 ,  H04L29/14 ,  H04L12/24

Abstract: A domain name is received from a customer. DNS is queried for multiple possible subdomains of the domain. For each subdomain that resolves, information about that subdomain's corresponding resource record is stored in a zone file that also includes a resource record for the domain name. The zone file is presented to the customer. A designation from the customer of which of the resource records are to point to an IP address of a proxy server is received. The resource records are modified according to the input of the customer and the zone file is propagated including the modified resource records.

公开(公告)号：US10574690B2

公开(公告)日：2020-02-25

申请号：US15489421

申请日：2017-04-17

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, Jr.

IPC: H04L29/06 ,  G06F21/55 ,  G06F21/57

Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

公开(公告)号：US20190303415A1

公开(公告)日：2019-10-03

申请号：US16363835

申请日：2019-03-25

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Ian Gerald Pye ,  Matthieu Philippe François Tourne ,  Michelle Marie Zatlyn

IPC: G06F16/958 ,  G06F16/95 ,  H04L29/08 ,  G06F21/00 ,  H04L12/911 ,  H04L29/06 ,  H04L12/58 ,  G06F17/22 ,  G06Q30/02 ,  G06Q10/10 ,  H04L29/12 ,  G06F15/16 ,  G06F21/55 ,  H04L29/14

Abstract: A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and is from a visitor that is not a threat to the appropriate origin server.

公开(公告)号：US10129224B2

公开(公告)日：2018-11-13

申请号：US15413187

申请日：2017-01-23

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Phillippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33 ,  H04L9/32

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.