A new Cloudflare Web Application Firewall
blog.cloudflare.com
The plan is to open source the old WAF code (that I wrote long ago) once the new WAF is fully rolled out.
Sad to see LuaJIT is no longer in use.
LuaJIT was so far ahead of its time (and still is), it's sad to see the current state of it since Mike Pall has moved on. The learned lesson for me is that, even if you have a vastly superior offering - the success of something is hugely correlated to the community behind it.
Mike Pall is still working on LuaJIT; just last week he pushed the first stage of string buffer support, sponsored by some network company: https://github.com/LuaJIT/LuaJIT/commit/4c6b669c419f313306b9...
*Activates [APPLAUSE] indicator*
Wow. I was imagining the possibilities of being able to share some of the basic techniques behind the system, but being able to have an actual MWE of real racing stripes™ is cooler than I could ever have imagined would be viable. Thanks.
Curious if you have any stories from working on this? I'd love to hear what some of the hardest problems to solve were?
You can start here: https://www.youtube.com/watch?v=nlt4XKhucS4
Couple of points from the video:
1. The regular expression simplifier (https://youtu.be/nlt4XKhucS4?t=1102) stood out as particularly interesting - I get the impression it was partly "mostly simple", and partly battle-tested/nontrivial/hand-tuned. Speaking not-entirely-rhetorically, this would probably be a very interesting tidbit to study.
2. You mentioned at https://youtu.be/nlt4XKhucS4?t=2272 in response to a question that you apparently pass PNGs and other binary content "straight through" (in the context of file upload), ie bypassing the WAF. Given things like...
- webpage in JPEG (http://lcamtuf.coredump.cx/squirrel/, https://news.ycombinator.com/item?id=12262470, https://news.ycombinator.com/item?id=4209052),
- JavaScript in EXIF (https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-ex...)
- PHP in EXIF (https://web.archive.org/web/20130708132109/https://websec.io...)
- HTML+JavaScript+1021 byte demo inside PNG: https://news.ycombinator.com/item?id=24824299, http://www.p01.org/MONOSPACE/ (general NB: "Packed version" link under "Additional links" actually loads the demo for me in Chrome, but clicking through from HN and loading the URL directly doesn't - some sort of bizarre CORS-related thing?)
...I presume the status quo has changed somewhat here. Hearing how/what's going on in this space would be very interesting.
Slides: https://github.com/cloudflare/jgc-talks/raw/master/nginx.con...
Above link is direct download, which I'm biased towards since Chrome's PDF viewer supports left and right arrow keys.
Protip for users with tiny* screens: right-click video twice, enable Picture-in-Picture, arrange video so slides are still visible so you can follow along.
(* Specifically <24", ie laptops)
Do you get to go 'off-call' then?
I haven't been on call for that code for a long time. There's a whole team that works on it and has been improving it for quite a few years.
Glad to hear! It's a little jarring that the Web-UI throws its hands in the air when you add a few boolean clauses, so I look forward to some improvements there.
Cloudflare is, in general, a delight to use.
> "Cloudflare is, in general, a delight to use."
Agreed. There are lots of companies in the space that Cloudflare operates in. Cloudflare is the "macOS/Apple" of the market, whereas their competition is the unwieldy mess that is "Linux".
On a technical level: I agree, it works great. Their dashboard needs some work. What I find annoying is mostly the "load everything in single ajax requests, but don't set the size of it in HTML", which makes elements jump around while stuff above them is being rendered. That's very annoying when your connection isn't great for some reason and buttons get replaced by different buttons. I get it, "use the API", but when you need to do something manually, I'd prefer a higher total load time over something that's asking for mistakes. There's a good reason Google is heavily advising to get rid of layout shifts.
The other thing I took personally was them removing the "remember me" functionality in a two-step process: first it was broken, and then they removed the feature altogether instead of fixing it.
Email me (jgc) any issues.
Recently for a few sites I run I realized I am increasingly verrry dependent or leaning heavily on this Firewall to keep so much Bot and spam traffic off my site.
Sorry, you don't get to market to folk who're willing to read the words "Magic Quadrant" and post that shit to HN at the same time. Pick your poison! We're a technical crowd, remember? Shudder. I wonder if the CloudFlare folk will be returning to their offices wearing suits when lockdown is over.