
CloudFlare's new WAF: compiling to Lua

What's this blog post about?

The post describes how Cloudflare built a new Web Application Firewall (WAF) using Lua, a lightweight scripting language, and nginx, an open-source web server. The WAF is designed to protect websites from common attacks such as SQL injection, cross-site scripting, and command injection. It can read existing mod_security configurations and also supports its own simplified rule language. Rules are compiled to Lua, and the Lua code in the waf module determines whether a request should be blocked or passed to the origin for processing. The compiled code is heavily optimized using techniques such as clause reordering, regular expression optimization, operator replacement, global optimizations, and Lua optimizations. It has been measured in a test harness with line-level timing information and in Cloudflare's network with detailed systemtap-based instrumentation. The resulting code is hard to read because it is automatically generated and is essentially the WAF's assembly language. The overall goal was for the median WAF block/allow decision to be made in less than 1 millisecond when running in the real world, and that goal has been achieved.

Company
Cloudflare

Date published
Aug. 23, 2013

Author(s)
John Graham-Cumming

Word count
1364

Hacker News points
2

Language
English


By Matt Makai. 2021-2024.