Cloudflare FL2 proxy
FL2 is Cloudflare's newer Rust-based front-line edge HTTP proxy, the successor to FL1's Lua-on-nginx stack. Cloudflare is migrating customer traffic from FL1 to FL2 as part of a long-running dual-system migration.
Why it mattered on 2025-12-05
On 2025-12-05, a seven-year-old dormant Lua nil-index bug in the FL1 rulesets engine's killswitch path detonated when the internal WAF testing tool was turned off via the global configuration system. The result was HTTP 500 errors for ~28% of Cloudflare's HTTP traffic for ~25 minutes. Customers served by FL2 were unaffected. Cloudflare's explicit attribution:
In our replacement for this code in our new FL2 proxy, which is written in Rust, the error did not occur. This type of code error is prevented by languages with strong type systems.
This is the canonical wiki instance of patterns/rust-replacement-of-dynamic-language-hot-path: the dormant bug in a dynamically-typed hot path is structurally prevented by the replacement's static type system, without anyone needing to re-find the specific bug during the rewrite. It pairs with the Aurora DSQL Rust journey and Dropbox Nucleus as memory-safety case studies.
Relationship to Pingora
Cloudflare's public Rust-proxy framework is systems/pingora; pingora-origin is the outbound / origin-facing service built on it. The 2025-12-05 post-mortem names FL2 as "our new FL2 proxy, which is written in Rust" but does not explicitly place FL2 on top of Pingora in the structural diagram — so the wiki notes the Rust attribution but not a Pingora-FL2 composition relationship.
Seen in
- sources/2025-12-05-cloudflare-outage-on-december-5-2025 — canonical wiki instance: FL2 customers were unaffected by the FL1 Lua nil-index bug; Cloudflare explicitly attributes this to Rust's type system, independent of whether the rewrite found or fixed the specific bug during development.
- sources/2025-11-18-cloudflare-outage-on-november-18-2025 — limit of the Rust-type-system defense: FL2 did not escape this incident. An upstream ClickHouse permission migration produced an oversized Bot Management feature file; FL2's bots module bounds-check was implemented as a Rust .unwrap() that panicked (thread fl2_worker_thread panicked: called Result::unwrap() on an Err value), killing every worker thread that hit the module for ~3 hours. The language choice prevented nil-index (see concepts/nil-index-lua-bug) but not the concepts/unhandled-rust-panic / absence-of-fail-open class. Canonical wiki instance showing language-side correctness wins are additive to, not a substitute for, fail-open discipline.
- sources/2026-04-17-cloudflare-agents-week-network-performance-update — context instance, not named directly. The connection-handling hot-path work cited in the post ("improving CPU usage and memory usage in our software that handles fundamental actions like establishing connections, SSL/TLS termination, traffic management, and the core proxy that all requests flow through") is the FL2 + Pingora surface. Framework-level efficiency is the substrate that makes protocol-level wins (HTTP/3, congestion-window tuning) economic at fleet scale.
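The 2025-11-18 entry above contrasts a bounds check that ends in .unwrap() with fail-open handling. The following Rust program is an added example, not Cloudflare's code: the one-name-per-line feature-file format, the MAX_FEATURES limit, and all type and function names are hypothetical. It shows the same bounds check consumed two ways, once as a panic and once as a fallback to the last known-good feature set.

```rust
// Added illustration; names, file format and limit are hypothetical.
const MAX_FEATURES: usize = 4; // constructed limit for the demo

#[derive(Debug, Clone, PartialEq)]
pub struct FeatureSet(Vec<String>);

#[derive(Debug, PartialEq)]
pub enum LoadError {
    TooManyFeatures { got: usize, max: usize },
}

/// Bounds-checked parse: one feature name per non-empty line.
pub fn parse_features(file: &str) -> Result<FeatureSet, LoadError> {
    let names: Vec<String> = file
        .lines()
        .map(str::trim)
        .filter(|l| !l.is_empty())
        .map(String::from)
        .collect();
    if names.len() > MAX_FEATURES {
        return Err(LoadError::TooManyFeatures { got: names.len(), max: MAX_FEATURES });
    }
    Ok(FeatureSet(names))
}

/// Crash shape: the check exists, but unwrap() turns the Err into a thread panic.
pub fn reload_unwrap(file: &str) -> FeatureSet {
    parse_features(file).unwrap()
}

/// Fail-open shape: keep the last known-good set and surface the error to the caller.
pub fn reload_fail_open(current: &FeatureSet, file: &str) -> (FeatureSet, Option<LoadError>) {
    match parse_features(file) {
        Ok(new) => (new, None),
        Err(e) => (current.clone(), Some(e)),
    }
}

fn main() {
    let good = "ua_entropy\nja3\nasn\n"; // constructed sample file
    let oversized = good.repeat(2); // constructed oversized file (6 > MAX_FEATURES)
    let current = parse_features(good).expect("sample file is within the limit");
    let (kept, err) = reload_fail_open(&current, &oversized);
    println!("fail-open kept {} features, error: {:?}", kept.0.len(), err);
    let crashed = std::panic::catch_unwind(|| reload_unwrap(&oversized)).is_err();
    println!("unwrap variant panicked: {}", crashed);
}
```

The type system forces the oversized case to be represented as an Err in both variants; only the caller's handling decides whether that becomes a dead worker thread or a logged error with traffic still flowing.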