Linux - The Cloudflare Blog (Page 2)

April 06, 2020 12:00PM

Conntrack tales - one thousand and one flows

We were wondering - can we just enable Linux "conntrack"? How does it actually work? I volunteered to help the team understand the dark corners of the Linux's "conntrack" stateful firewall subsystem....

Marek Majkowski

March 25, 2020 12:00PM

Speeding up Linux disk encryption

Linux Kernel Crypto Performance Security

Encrypting data at rest is vital for Cloudflare with more than 200 data centres across the world. In this post, we will investigate the performance of disk encryption on Linux and explain how we made it at least two times faster for ourselves and our customers!...

Ignat Korchagin

March 19, 2020 12:57PM

Keepalives considered harmful

NGINX Linux Performance

You’d think keepalives would always be helpful, but turns out reality isn’t always what you expect it to be. It really helps if you read Why does one NGINX worker take all the load? first....

Ivan Babrou

March 18, 2020 12:00PM

The problem with thread^W event loops

NGINX Linux

Back when Cloudflare was created, over 10 years ago now, the dominant HTTP server used to power websites was Apache httpd. However, we decided to build our infrastructure using the then relatively new NGINX server....

Julien Desgats

October 12, 2019 2:00PM

It's crowded in here!

eBPF Linux UDP

We recently gave a presentation on Programming socket lookup with BPF at the Linux Plumbers Conference 2019 in Lisbon, Portugal. This blog post is a recap of the problem statement and proposed solution we presented....

Jakub Sitnicki

July 18, 2019 3:12PM

A Tale of Two (APT) Transports

Securing access to your APT repositories is critical. At Cloudflare, like in most organizations, we used a legacy VPN to lock down who could reach our internal software repositories. However, a network perimeter model lacks a number of features that we consider critical to a team’s security....

By

Ryan Djurovich

Cloudflare Access , Linux , HTTPS , Security

July 10, 2019 2:07PM

A gentle introduction to Linux Kernel fuzzing

For some time I’ve wanted to play with coverage-guided fuzzing. I decided to have a go at the Linux Kernel netlink machinery. It's a good target: it's an obscure part of kernel, and it's relatively easy to automatically craft valid messages....

By

Marek Majkowski

Linux , Kernel , Developers , Deep Dive

May 30, 2019 2:00PM

Cloudflare Repositories FTW

Kali Linux turned six years old this year! In this time, Kali has established itself as the de-facto standard open source penetration testing platform....

By

Guest Author

Linux

May 18, 2019 4:00PM

Cloudflare architecture and how BPF eats the world

Recently at I gave a short talk titled "Linux at Cloudflare". The talk ended up being mostly about BPF. It seems, no matter the question - BPF is the answer. Here is a transcript of a slightly adjusted version of that talk....

By

Marek Majkowski

eBPF , Linux , Programming , Developers , Anycast

May 03, 2019 2:00PM

eBPF can't count?!

It is unlikely we can tell you anything new about the extended Berkeley Packet Filter, eBPF for short, if you've read all the great man pages, docs, guides, and some of our blogs out there. But we can tell you a war story, who doesn't like those?...

By

Jakub Sitnicki

eBPF , Linux , Programming

April 24, 2019 7:21PM

xdpcap: XDP Packet Capture

Our servers process a lot of network packets, be it legitimate traffic or large denial of service attacks. To do so efficiently, we’ve embraced eXpress Data Path (XDP), a Linux kernel technology that provides a high performance mechanism for low level packet processing....

By

Arthur Fabre

Linux , Developers , Programming

January 04, 2019 11:02AM

io_submit: The epoll alternative you've never heard about

The Linux AIO is designed for, well, Asynchronous disk IO! Disk files are not the same thing as network sockets! Is it even possible to use the Linux AIO API with network sockets in the first place? The answer turns out to be a strong YES!...

By

Marek Majkowski

Linux , API , Developers

November 29, 2018 9:54AM

Know your SCM_RIGHTS

As TLS 1.3 was ratified earlier this year, I was recollecting how we got started with it here at Cloudflare. We made the decision to be early adopters of TLS 1.3 a little over two years ago. It was a very important decision, and we took it very seriously....

By

Vlad Krasnov

TLS 1.3 , TLS , Security , Linux , TCP

August 24, 2018 4:11PM

Introducing ebpf_exporter

Here at Cloudflare we use Prometheus to collect operational metrics. We run it on hundreds of servers and ingest millions of metrics per second to get insight into our network and provide the best possible service to our customers....

By

Ivan Babrou

Speed & Reliability , eBPF , Linux , Programming