Making the WAF 40% faster
Cloudflare has made significant performance improvements to its Web Application Firewall (WAF) by transitioning from PCRE to RE2 and implementing memoization. The WAF now uses deterministic finite automaton instead of backtracking algorithms, resulting in a linear time execution with the size of input. Memoization was also introduced to cache the output of function calls for reuse in future calls, leading to significant savings. These changes have resulted in an increase of the cache hit percentage from 56% to 74%, and a sharp decrease of 40% in the average time the WAF takes to process and analyze an HTTP request at the Cloudflare edge. The company is currently porting its Lua WAF to use the same engine powering Firewall Rules, which uses a filter syntax inspired by Wireshark® for better performance and safety.
Company
Cloudflare
Date published
July 1, 2020
Author(s)
Miguel de Moura
Word count
1308
Language
English
Hacker News points
13