Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: Systems and methods for server authentication in a content delivery network are provided. Various embodiments include a content delivery network obtaining multiple digital certificates from multiple certificate authorities. When a client attempts to access the content delivery network, the network serves the client a digital certificate and then monitors the authentication of the certificate. If the authentication fails, the content delivery network serves the client another digital certificate that was issued from a different certificate authority. In other embodiments, the content delivery network constantly monitors the function of each certificate authority. The content delivery network constantly pings each certificate authority. If any one of the certificate authorities fails to respond to the pings, the content delivery network will presume the certificate authority is non-operational and will stop using certificates from the non-operational certificate authorities until they resume operation.

Abstract: Systems and methods for server authentication in a content delivery network are provided. Various embodiments include a content delivery network obtaining multiple digital certificates from multiple certificate authorities. When a client attempts to access the content delivery network, the network serves the client a digital certificate and then monitors the authentication of the certificate. If the authentication fails, the content delivery network serves the client another digital certificate that was issued from a different certificate authority. In other embodiments, the content delivery network constantly monitors the function of each certificate authority. The content delivery network constantly pings each certificate authority. If any one of the certificate authorities fails to respond to the pings, the content delivery network will presume the certificate authority is non-operational and will stop using certificates from the non-operational certificate authorities until they resume operation.

Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: A method and system for authenticating answers to Domain Name System (DNS) queries originating from recursive DNS servers are provided. A verification component provides a verification that a DNS query originated from the recursive DNS server. An authoritative DNS server receives the query via a network, such as the Internet, and provides an answer to the query to an authentication component. The authentication component then provides an authentication, such as a digital signature, which confirms that the received answer was provided by the authoritative DNS server, and then communicates the answer and the authentication to the verification component via the network. The verification component then verifies that the authentication corresponds to the received answer and sends the answer to the recursive DNS server. When the verification component receives an answer in the absence of a corresponding authentication, the verification component drops the answer.

Abstract: Systems and methods for server authentication in a content delivery network are provided. Various embodiments include a content delivery network obtaining multiple digital certificates from multiple certificate authorities. When a client attempts to access the content delivery network, the network serves the client a digital certificate and then monitors the authentication of the certificate. If the authentication fails, the content delivery network serves the client another digital certificate that was issued from a different certificate authority. In other embodiments, the content delivery network constantly monitors the function of each certificate authority. The content delivery network constantly pings each certificate authority. If any one of the certificate authorities fails to respond to the pings, the content delivery network will presume the certificate authority is non-operational and will stop using certificates from the non-operational certificate authorities until they resume operation.

Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a method includes establishing address translations which translate domain names into network addresses usable by the end user devices for reaching content at the cache nodes, with portions of the network addresses comprising stenographic information, and responsive to domain name translation requests from the end user devices, providing ones of the network addresses. The method includes receiving content requests transferred by the end user devices that comprise the network addresses, and performing one or more actions based on the stenographic information in the network addresses.

Abstract: A method and system for authenticating answers to Domain Name System (DNS) queries originating from recursive DNS servers provided. A verification component provides a versification that a DNS query originated from the recursive DNS server. An authoritative DNS server receives the query via a network, such as the Internet, provides an answer to the query to an authentication component. The authentication component then provides an authentication such as a digital signature, which confirms that the received answer was provided by the authoritative DNS server, and then communicates the answer and the authentication to the verification component via the network. The verification component then verifies that the authentication corresponds to the receive answer and sends the answer to the recursive DNS server. When the verification component receives an answer in the absence of a corresponding authentication the verification component drops the answer.

Abstract: Systems, methods, apparatuses, and software for operating content delivery networks are provided herein. In one example, a method of operating a domain name translation node in a first point-of-presence of a content delivery network is presented. The method includes receiving a translation message issued by an end user device for translation of a domain name into a content network address, and processing the translation message to identify a network address of a node that transferred the translation message. The method also includes selecting the content network address based at least in part on correlations between network addresses and performance factors to direct the end user device to a target cache node at a point-of-presence different than the point-of-presence of the domain name translation node, and transferring a response message indicating the content network address which directs the end user device to the target cache node at the second point-of-presence.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.