Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a method includes establishing address translations which translate domain names into network addresses usable by the end user devices for reaching content at the cache nodes, with portions of the network addresses comprising stenographic information, and responsive to domain name translation requests from the end user devices, providing ones of the network addresses. The method includes receiving content requests transferred by the end user devices that comprise the network addresses, and performing one or more actions based on the stenographic information in the network addresses.

Abstract: Disclosed herein are methods, systems, and software for modifying a communication path based on content delivery performance data. In one example, a method of operating a content server that hosts content to be provided to a plurality of end user devices includes identifying latency data for a plurality of end user devices communicating with the content server, and identifying that the one or more end user devices in the plurality of end user devices exceed a latency threshold based on the latency data. The method further includes, in response to identifying that the one or more end user devices in the plurality of end user devices exceed the latency threshold, modifying the communication path between the content server and the one or more end user devices by modifying a domain name system (DNS) configuration for the content server.

Abstract: Systems, methods, apparatuses, and software that select network addresses of a content node of a content delivery network are provided herein. In one example, a method of operating a control node to perform network address selection that selects between different communication service providers according to network characteristics is presented. The control node receives a domain name lookup request from an end user device to reach a content node. The control node processes network characteristics and the domain name lookup request to select a network address that corresponds to one of the communication service providers. The end user device can use the selected network address to reach the content node over the selected communication service provider.

Abstract: Methods, systems, and software for operating a data storage system of a content delivery node are provided herein. In one example, a method of operating a data storage system of a content delivery node is presented. The method includes receiving content data into a storage system, storing the content data in a first storage space, determining popular content data within the content data based on at least user requests for the content data, and storing the popular content data in a second storage space.

Abstract: Systems, methods, apparatuses, and software that announce prefixes associated content nodes of a content delivery network are provided herein. In one example, a method of operating a communication system comprising Internet service providers configured to exchange content requests between end user devices and content nodes is presented. The method includes assigning a content node of the content delivery network a first Internet Protocol (IP) address having an associated first short prefix and a first long prefix, and assigning the content node a second IP address having an associated second short prefix and a second long prefix. The method also includes announcing the first short prefix and the first long prefix to a first Internet service provider communicatively coupled to the content node, and announcing the second short prefix and the second long prefix to a second Internet service provider communicatively coupled to the content node.

Abstract: Systems, methods, and software are disclosed herein for routing in-bound communications to an infrastructure service. In an implementation, an infrastructure service receives a request from an end point for content associated with an origin. The service sends a connection request to the origin from an initial network address. After detecting a failure of the origin to respond to the connection request, the service sends multiple connection requests to the origin from different network addresses. Upon receiving one or more replies to the connection requests, the service identifies which reply was received first and a network address to which the reply was sent. The service proceeds to establish a connection with the origin using the identified network address and obtains the content from the origin over the connection. The infrastructure service may then send the content to the end point.

Abstract: Systems, methods, apparatuses, and software for operating content delivery networks are provided herein. In one example, a method of operating a domain name translation node in a first point-of-presence of a content delivery network is presented. The method includes receiving a translation message issued by an end user device for translation of a domain name into a content network address, and processing the translation message to identify a network address of a node that transferred the translation message. The method also includes selecting the content network address based at least in part on correlations between network addresses and performance factors to direct the end user device to a target cache node at a point-of-presence different than the point-of-presence of the domain name translation node, and transferring a response message indicating the content network address which directs the end user device to the target cache node at the second point-of-presence.

Abstract: Disclosed herein are methods, systems, and software for bypassing a domain name system. In one example, a method of operating a user communication device includes receiving a user instruction requesting content within a user application of the user communication device. The method further provides, in response to the user instruction, processing at least a domain name system bypass data structure on the user communication device to identify a network address for retrieving the content. The method further includes, requesting the content from a content node using the network address.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Abstract: Systems, methods, apparatuses, and software that select network addresses of a content node of a content delivery network are provided herein. In one example, a method of operating a control node to perform network address selection that selects between different communication service providers according to network characteristics is presented. The control node receives a domain name lookup request from an end user device to reach a content node. The control node processes network characteristics and the domain name lookup request to select a network address that corresponds to one of the communication service providers. The end user device can use the selected network address to reach the content node over the selected communication service provider.

Abstract: Disclosed herein are methods, systems, and software for modifying a communication path based on content delivery performance data. In one example, a method of operating a content server that hosts content to be provided to a plurality of end user devices includes identifying latency data for a plurality of end user devices communicating with the content server, and identifying that the one or more end user devices in the plurality of end user devices exceed a latency threshold based on the latency data. The method further includes, in response to identifying that the one or more end user devices in the plurality of end user devices exceed the latency threshold, modifying the communication path between the content server and the one or more end user devices by modifying a domain name system (DNS) configuration for the content server.

Abstract: Systems, methods, apparatuses, and software that announce prefixes associated content nodes of a content delivery network are provided herein. In one example, a method of operating a communication system comprising Internet service providers configured to exchange content requests between end user devices and content nodes is presented. The method includes assigning a content node of the content delivery network a first Internet Protocol (IP) address having an associated first short prefix and a first long prefix, and assigning the content node a second IP address having an associated second short prefix and a second long prefix. The method also includes announcing the first short prefix and the first long prefix to a first Internet service provider communicatively coupled to the content node, and announcing the second short prefix and the second long prefix to a second Internet service provider communicatively coupled to the content node.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a method includes establishing address translations which translate domain names into network addresses usable by the end user devices for reaching content at the cache nodes, with portions of the network addresses comprising stenographic information, and responsive to domain name translation requests from the end user devices, providing ones of the network addresses. The method includes receiving content requests transferred by the end user devices that comprise the network addresses, and performing one or more actions based on the stenographic information in the network addresses.

Abstract: Systems, methods, and software for operating a content delivery system are provided herein. In one example, a method includes, in a first content delivery node, receiving a purge instruction to purge first content stored in the first content delivery node and responsively purging the first content. Responsive to purging the first content, the method includes transferring a content request for delivery to a second content delivery node, where the content request comprises a request for second content to replace the first content and a revision indicator of the first content. Responsive to the content request, the method includes receiving the second content for storage in the first content delivery node.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.