SYSTEM Cited by 2 sources
Cloudflare FL1 proxy
FL1 is Cloudflare's legacy front-line edge HTTP proxy — the Lua-on-nginx (OpenResty) implementation that handles a portion of customer traffic on Cloudflare's edge. It is being replaced by FL2, the newer Rust-based proxy.
The two generations run side-by-side in production as Cloudflare migrates customers across — a long-running dual-system migration shape. Some code paths (like the rulesets engine) have been re-implemented in FL2 in Rust while the original Lua version continues to serve traffic for FL1 customers.
What runs on FL1
- The Lua implementation of Cloudflare's rulesets engine, with its killswitch subsystem fed from the global configuration system.
- The customer-facing Cloudflare Managed Ruleset (systems/cloudflare-managed-ruleset) when deployed on a zone served by FL1.
- Code that has existed for years but whose killswitch-on-action=execute path had never been exercised in production before 2025-12-05 — the killswitch subsystem had been used many times, just not against an execute-action rule. When it finally ran, a latent nil-index bug ([[concepts/nil-index-lua-bug]]) in the post-processing path threw, producing HTTP 500s for ~28% of Cloudflare's HTTP traffic for ~25 minutes.
What's different on FL2
Per the 2025-12-05 post-mortem:
In our replacement for this code in our new FL2 proxy, which is written in Rust, the error did not occur.
The Rust re-implementation structurally prevents the specific nil-index bug class that detonated on FL1 — not by catching it in review or testing, but because the Rust compiler does not let code compile that dereferences a potentially-absent value without handling the absent case (Option<T> / pattern matching). Canonical wiki instance of patterns/rust-replacement-of-dynamic-language-hot-path.
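The property described above, shown as an added Rust example (not Cloudflare's code and not taken from the post-mortem). The types `Action`, `ExecuteInfo`, `RuleResult`, `PostProcess` and the function `post_process` are hypothetical, and the sample data is constructed; a killswitched execute-action rule is modelled as `execute: None`.

```rust
// Added illustration; every name here is hypothetical, not Cloudflare's code.
#[derive(Debug, PartialEq)]
enum Action { Block, Execute }

// Sub-ruleset reference, populated only when an execute rule actually ran.
struct ExecuteInfo { results_index: usize }

struct RuleResult {
    action: Action,
    // None models the killswitched case: the rule was skipped, nothing attached.
    execute: Option<ExecuteInfo>,
}

#[derive(Debug, PartialEq)]
enum PostProcess {
    Attached(String), // sub-ruleset results found and attached
    NothingToAttach,  // non-execute rule, or execute rule that was killswitched
    BadIndex(usize),  // index present but out of range
}

// Post-processing step for execute-action rules.
// `rule.execute.results_index` does not compile: the Option must be unpacked first.
fn post_process(rule: &RuleResult, ruleset_results: &[&str]) -> PostProcess {
    if rule.action != Action::Execute {
        return PostProcess::NothingToAttach;
    }
    match &rule.execute {
        None => PostProcess::NothingToAttach,
        Some(info) => match ruleset_results.get(info.results_index) {
            Some(r) => PostProcess::Attached(r.to_string()),
            None => PostProcess::BadIndex(info.results_index),
        },
    }
}

fn main() {
    let results = ["managed-ruleset: no match"]; // constructed sample data
    let killswitched = RuleResult { action: Action::Execute, execute: None };
    let normal = RuleResult { action: Action::Execute, execute: Some(ExecuteInfo { results_index: 0 }) };
    let plain = RuleResult { action: Action::Block, execute: None };
    println!("{:?}", post_process(&killswitched, &results));
    println!("{:?}", post_process(&normal, &results));
    println!("{:?}", post_process(&plain, &results));
}
```

The guarantee covers implicit dereference only: `rule.execute.as_ref().unwrap()` compiles and panics on `None`, so the protection depends on writing the `None` arm rather than unwrapping.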
Relationship to Pingora
FL1 / FL2 describe the L7 HTTP proxy that applies WAF, rulesets, and other customer-facing policy. systems/pingora is the underlying Rust-based HTTP framework used for Cloudflare's Rust proxy services (pingora-origin does last-mile outbound to customer origins; FL2 is the front-line counterpart on the ingress side). The wiki does not yet have a canonical source confirming that FL2 is built on Pingora versus parallel to Pingora — the 12-05 post is silent on that structural detail.
Seen in
- sources/2025-12-05-cloudflare-outage-on-december-5-2025 — canonical wiki instance: the legacy proxy where a seven-year-old dormant Lua nil-index bug in the rulesets-engine killswitch path detonated when the WAF testing tool was turned off via the global configuration system. Customers on FL2 and customers on the China network were unaffected; only FL1 + Managed-Ruleset customers saw HTTP 500s.
- sources/2025-11-18-cloudflare-outage-on-november-18-2025 — FL1 was also affected here, but differently from FL2. FL2 panicked on the oversized Bot Management feature file; FL1's bots module did not panic — instead, every request got bot score = 0 (behaviorally "100% bot traffic"). Customers using bot-score rules like "block if score > 0.9" silently overblocked; customers not using bot score were unaffected. Complementary failure shape to 12-05 (where FL1 was the 5xx surface and FL2 was unaffected) — this incident shows the legacy proxy producing the silent correctness-failure surface while the strategic proxy produced the loud availability-failure surface. Same root cause (oversized feature file), two distinct downstream failure modes.