Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: Methods and apparatus are disclosed herein that enable an infrastructure service to route messages to various servers, even if the servers are not addressed by individual public network addresses. The infrastructure service distributed messages by processing a portion of the message through a hash function. By utilizing a reverse hash process, a server can determine a custom port number that will cause the hash algorithm to route a reply message directly to the selected server even when addressed to a communal address.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Abstract: Systems, methods, and software are disclosed herein for routing in-bound communications to an infrastructure service. In an implementation, an infrastructure service receives a request from an end point for content associated with an origin. The service sends a connection request to the origin from an initial network address. After detecting a failure of the origin to respond to the connection request, the service sends multiple connection requests to the origin from different network addresses. Upon receiving one or more replies to the connection requests, the service identifies which reply was received first and a network address to which the reply was sent. The service proceeds to establish a connection with the origin using the identified network address and obtains the content from the origin over the connection. The infrastructure service may then send the content to the end point.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: An edge server of an infrastructure service establishes a transport connection in user space with a client and in accordance with a transport layer network protocol. The edge server receives a packet over the transport connection with the client that comprises a request for an object. If the edge server cannot serve the object, it forwards the request to a cluster server with an intent indicated for the cluster server to reply directly to the client. The cluster server receives the forwarded request and determines whether to accept the intent indicated by the edge server. If so, the edge server conveys instructions to the cluster server for sending at least a portion of the object directly to the client. The cluster server then sends at least the portion of the object to the client in accordance with the instructions.

Abstract: Described herein are methods, systems, and software to handle verification information in a content node. In one example, a method of operating a content node includes receiving a secure content request from an end user device and determining the availability of verification information stored on the content node to service the secure content request. The method further provides, if the verification information is available, verifying the end user device based on the verification information. The method also includes, if the verification information is unavailable, querying an origin server to verify the end user device.

Abstract: Methods and apparatus are disclosed herein that enable an infrastructure service to route messages to various servers, even if the servers are not addressed by individual public network addresses. The infrastructure service distributed messages by processing a portion of the message through a hash function. By utilizing a reverse hash process, a server can determine a custom port number that will cause the hash algorithm to route a reply message directly to the selected server even when addressed to a communal address.

Abstract: Systems, methods, apparatuses, and software that announce prefixes associated content nodes of a content delivery network are provided herein. In one example, a method of operating a communication system comprising Internet service providers configured to exchange content requests between end user devices and content nodes is presented. The method includes assigning a content node of the content delivery network a first Internet Protocol (IP) address having an associated first short prefix and a first long prefix, and assigning the content node a second IP address having an associated second short prefix and a second long prefix. The method also includes announcing the first short prefix and the first long prefix to a first Internet service provider communicatively coupled to the content node, and announcing the second short prefix and the second long prefix to a second Internet service provider communicatively coupled to the content node.

Abstract: Systems, methods, apparatuses, and software that select network addresses of a content node of a content delivery network are provided herein. In one example, a method of operating a control node to perform network address selection that selects between different communication service providers according to network characteristics is presented. The control node receives a domain name lookup request from an end user device to reach a content node. The control node processes network characteristics and the domain name lookup request to select a network address that corresponds to one of the communication service providers. The end user device can use the selected network address to reach the content node over the selected communication service provider.

Abstract: An edge server of an infrastructure service establishes a transport connection in user space with a client and in accordance with a transport layer network protocol. The edge server receives a packet over the transport connection with the client that comprises a request for an object. If the edge server cannot serve the object, it forwards the request to a cluster server with an intent indicated for the cluster server to reply directly to the client. The cluster server receives the forwarded request and determines whether to accept the intent indicated by the edge server. If so, the edge server conveys instructions to the cluster server for sending at least a portion of the object directly to the client. The cluster server then sends at least the potion of the object to the client in accordance with the instructions.

Abstract: Described herein are methods, systems, and software for encrypting and erasing data objects in a content node. In one example, a method of operating a content node that caches content divided into one or more data objects includes encrypting the one or more data objects using separate encryption keys for each of the one or more data objects, the separate encryption keys comprising a common portion shared by the one or more data objects and an individualized portion unique to each data object. The method further provides receiving a purge request to erase at least one data object and, responsive to the purge request, erasing at least one of the common portion or the individualized portion for the at least one data object based on the purge request.

Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: Systems, methods, and software are disclosed herein for routing in-bound communications to an infrastructure service. In an implementation, an infrastructure service receives a request from an end point for content associated with an origin. The service sends a connection request to the origin from an initial network address. After detecting a failure of the origin to respond to the connection request, the service sends multiple connection requests to the origin from different network addresses. Upon receiving one or more replies to the connection requests, the service identifies which reply was received first and a network address to which the reply was sent. The service proceeds to establish a connection with the origin using the identified network address and obtains the content from the origin over the connection. The infrastructure service may then send the content to the end point.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: Systems, methods, and software for operating one or more content delivery nodes (CDN), which cache content for delivery to end users, are provided herein. In one example, content requests received from at least a first end user for the content at a first CDN are monitored to determine when the content requests comprise an attack on the first CDN. Responsive to the attack on the first CDN, a rate limit is established in the first CDN on at least the content requests received by the first CDN and an indication of the attack is transferred for delivery to at least a second CDN. Responsive to the indication of the attack, the rate limit is applied for further content requests received for the content at the second CDN.

Abstract: A communication system exchanges communications between end user devices, content delivery nodes (CDN) of a content delivery system, and a control system that selects CDNs of the content delivery system. The control system receives a domain name lookup request issued by an end user device for retrieving content cached by one or more CDNs of the content delivery system. The control system associates the end user device with a network performance profile to select a CDN of the content delivery system. The control system transfers a network address associated with the selected CDN for receipt by the end user device responsive to the domain name lookup request.

Abstract: Systems, methods, and software are disclosed herein for routing in-bound communications to an infrastructure service. In an implementation, an infrastructure service receives a request from an end point for content associated with an origin. The service sends a connection request to the origin from an initial network address. After detecting a failure of the origin to respond to the connection request, the service sends multiple connection requests to the origin from different network addresses. Upon receiving one or more replies to the connection requests, the service identifies which reply was received first and a network address to which the reply was sent. The service proceeds to establish a connection with the origin using the identified network address and obtains the content from the origin over the connection. The infrastructure service may then send the content to the end point.