Cloudflare Open Sources Its Low Level RUST HTTP Framework, Pingora | Prime Reacts
- Published on 19 May 2024
- Recorded live on twitch, GET IN
/ theprimeagen
Become a backend engineer. It's my favorite site
boot.dev/?promo=PRIMEYT
This is also the best way to support me: support yourself by becoming a better backend engineer.
Blog article: blog.cloudflare.com/pingora-o...
By: Yuchen Wu, Edward Wang & Andrew Hauck
MY MAIN YT CHANNEL: Has well edited engineering videos
/ theprimeagen
Discord
/ discord
Have something for me to read or react to?: / theprimeagenreact
Kinesis Advantage 360: bit.ly/Prime-Kinesis
Hey I am sponsored by Turso, an edge database. I think they are pretty neat. Give them a try for free and if you want you can get a decent amount off (the free tier is the best (better than planetscale or any other))
turso.tech/deeznuts
- Science & Technology
Prime: There's just not enough time for me to play around with this stuff
Also Prime: *reads articles for 3 hours every day*
I know it's "Engine X" but in my head it will always be "n-jinx"
In my head: /ŋɪŋs/ (IPA lmao)
God dammit another n-jinx 😂
for me it's "en-ginks". (g like gif)
I got laughed at on my first job for calling it like that since I had never heard anyone pronounce it. Turns out some people do actually call it like that so I wasn’t that wrong
enGIN EXX
Cloudflair. Nice
I can't believe theHumanagen would make a spelling mistake 😔 the nerve he has to be anything short of perfect in every way smh
@ShadowKestrel TheDyslexiagen
also, reading "services" in the title, brain telling the mouth to say "interfaces". can we get some stats whether colored hair made it worse or better?
For those in the future - it was Cloudflair in the original title. DAMN IT FLIP!
Oh actually, I thought it could be intentional. Sometimes literally mentioning trademarks by their exact name can cause problems as you can be blamed for promoting those.
If someone makes a DSL parser that makes pingora be a drop in replacement for nginx (Making it capable of reading nginx config files), nginx is toasted
Tom could probably do that.
I love how there is a underlying plot throughout his videos. You need to watch the older videos to get references like
"Tom is a genius" or "LUA, brazil mentioned"
Porque maria!
Haskell mentioned?
I know the Tom is genius video is from the JDSL video. Where is the porque Maria and Lua, Brasil references from?
lol Tom is a genius tho for real.
@earthling_parth Porque Maria is from a soap opera. Lua was invented in Brazil.
This could be the crate used to build a nginx replacement *wink*
On the way. It's called River and is supposed to be a reverse proxy load balancer with all the high level features of nginx and caddy built on top of pingora
Promotion driven development
@zealy1369 Lol nice
But why do we need it? "enjynx" has been here for years, it's thoroughly tested by devs and users
@Y-JA nice - no code but already 684 stars on gh
post quantum crypto is very much not elliptical curve stuff. It is a new suite of asymmetric algorithms for key establishment and signing. ML-KEM, ML-DSA and SLH-DSA are the NIST chosen ones (these are the NIST acronym names just as AES is the NIST name for Rijndael), FIPS standards for these 3 (203, 204 and 205) had public release for comment back in August.
There are more coming most likely. This is all relatively new styles of cryptographic algorithms.
it's all gibberish to me :D, but I know how to generate a pair of SSH keys :D
@SandraWantsCoke And I can pretty much guarantee they are broken by a quantum computer running Shor's algorithm, we've known of the issue for 20 years, we have an algorithm to run on quantum computer but no quantum computers to run it on. RSA, Diffie-Hellman, and Elliptic Curve Diffie-Hellman are all known to be breakable by this one algorithm. We also have Lenstra elliptic-curve factorization and by applying the quantum search algorithm Grover's algorithm to also break these algorithms in theory even easier than Shor's algorithm. Your SSH keys are probably the third, though a decade ago would have been the 1st potentially.
Put simply most asymmetric cryptography in use today (separate public and private keys) is known to be vulnerable via an algorithm that we know solves the hard mathematics problem they are based on (factorization of the product of two large primes and similar problems that can be reformulated as this problem) given a computer capable of running the algorithm. The industry has been hard at work coming up with new algorithms to fix this and these are just starting to be implemented now in 2024.
Are they also known as CRYSTALS-KYBER and CRYSTALS-DILITHIUM (much like AES is also known as Rijndael)? Mostly I want to make sure my information here is good.
@Omnifarious0 Yeah, and SLH-DSA is SPHINCS before the standardisation, that said, like AES I expect the NIST names are the ones we'll come to know hence why I specified that is the NIST naming.
@EwanMarshall - I got the names I used from the NIST website for the contest. I'm sad the page I looked at wasn't really explicit about the NIST names because I think you're right.
There is a safe c++ program ... yeah, and I saw a herd of unicorns in my backyard.
It only uses the c subset of the language and is compiled with a formal verification tool.
It's trivial to create a verifiably safe C++ program. Allocate no dynamic memory or allocate it all at start (btw, OOM crashes rust too). No need to use reference counters if you don't want, just bump allocate everything and bind every dynamic object's lifetime to the lifetime of the program. Bonus points: wrap every pointer in a new smart ptr which will check bounds before dereferencing. Bonus bonus points: make your smart pointer address reference a vector index, so you can grow your memory space independent of refs. Now it's safe to hold arbitrary pointers or references. To be clear, this is just the trivial way. Another way is only using smart_ptr or unique_ptr, ever, but this will raise the complexity. Some languages (like Swift) operate that way and that's how they achieve memory safety. In essence a reference counter IS a garbage collector.
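The "bonus bonus points" scheme in the comment above, written out as an added C++ example (mine, not code from the video, the Cloudflare article or Pingora): a bump arena whose handles are vector indices rather than raw addresses, so the backing store can reallocate without dangling anything and every dereference is bounds-checked. `Arena`, `Handle` and `arena_demo` are illustrative names I chose.

```cpp
// Added example: bump arena with bounds-checked index handles.
// Names (Arena, Handle, arena_demo) are made up for illustration.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <utility>
#include <vector>

// A handle is an index into the arena's storage, not a pointer. The arena
// can grow (std::vector reallocating underneath) without invalidating it.
struct Handle {
    std::size_t index;
};

template <typename T>
class Arena {
public:
    // Reserve up front ("allocate it all at start" in the comment's terms).
    explicit Arena(std::size_t reserve) { slots_.reserve(reserve); }

    // Bump allocation: objects are appended and never freed individually;
    // every object lives exactly as long as the arena does.
    Handle alloc(T value) {
        slots_.push_back(std::move(value));
        return Handle{slots_.size() - 1};
    }

    // The only way to reach an object. A stale, forged or out-of-range
    // handle throws instead of reading past the end of the storage.
    T& deref(Handle h) {
        if (h.index >= slots_.size()) {
            throw std::out_of_range("arena: handle out of range");
        }
        return slots_[h.index];
    }

    std::size_t size() const { return slots_.size(); }

private:
    std::vector<T> slots_;
};

// Demonstration: allocate, grow past the initial reservation (forcing a
// reallocation that would dangle a raw pointer), and confirm the early
// handle still resolves and an out-of-range handle is rejected.
bool arena_demo() {
    Arena<std::uint32_t> arena(2);
    Handle first = arena.alloc(10);
    for (std::uint32_t i = 1; i < 100; ++i) {
        arena.alloc(i * 10);
    }
    bool still_valid = (arena.deref(first) == 10) && (arena.size() == 100);

    bool rejected = false;
    try {
        arena.deref(Handle{1000});
    } catch (const std::out_of_range&) {
        rejected = true;
    }
    return still_valid && rejected;
}
```

The trade-off is the one the comment names: nothing is ever freed before the arena dies, so memory only grows, which is why this is the "trivial" route rather than a general-purpose allocator.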
12:50 That's the presentation recipe that everybody learns in University, that is why you see it everywhere.
Introduction - Tell them what you are going to talk about.
Body - Talk about it.
Conclusion - Tell them what you talked about.
It is silly but it works and people just follow it to a T.
This, very toastmasters style.
Seed their brain with the key points coming up.
Give them the information.
Anchor that information by giving them all the key points again at the end.
I felt the real pain in that last 30 seconds.
I'd been waiting for this since last year!
Post-quantum crypto is lattice cryptography. Elliptic curves are theoretically vulnerable to quantum computers.
"conclusion" should be renamed "tldr"
2:15 - ECC (Elliptic Curve) algorithms are most definitely _not_ post-quantum. They are easily broken by very similar quantum algorithms to those that can break RSA. Post-quantum refers to public key algorithms that are not broken by quantum computers. There was a NIST contest recently, and there were some interesting entries. They chose winners in 2022. The two winning algorithms were CRYSTALS-Kyber for key exchange (sort of a replacement for Diffie-Hellman) and CRYSTALS-DILITHIUM for digital signatures (sort of a replacement for RSA). There were other digital signature algorithms that were considered good enough to be used.
These algorithms cannot be efficiently broken by any known algorithm, including algorithms implemented on quantum computers.
These names are also the names given to the algorithms by their authors. NIST gives much more pedestrian and bureaucratic names to them. Much like the authors of AES call it Rijndael.
Are there any post-quantum encryption methods that do not really require a handshake? Something like x25519 requires transmitting 32 bytes but every post-quantum encryption I know about requires a lot of data which doesn't scale well for any TLS-like protocol.
@MikkoRantalainen - About the only thing I can think of here is actual quantum encryption. But that requires specialized hardware all the way along the path between you and the person you're communicating with.
Any kind of public key algorithm is going to require a handshake.
@Omnifarious0 I totally agree that a handshake is required. The question is, can you create a quantum safe protocol that can run on regular computers and requires less than 1 KB for the handshake instead of the multiple megabytes that quantum safe algorithms seem to typically have.
The whole point of the handshake is to come up with a random 256 bit (32 byte) shared secret on both ends because AES-256 will be safe even with quantum computers.
@MikkoRantalainen - Unfortunately, I don't know enough about exactly how they work to be able to give you an answer. One thought I have is that it might be possible to distribute the keys separately from engaging in the handshake. And since a given key is likely to be re-used many times, that should do a lot to reduce the total bandwidth used.
But, it's possible that there really isn't a way to get around a massive information exchange at the beginning of the conversation. :-/
US GOV MENTIONED! LET'S GO!!!!
They mentioned Go? Or what do you mean let's Go?
@SandraWantsCoke GO MENTION LETS GO
@SandraWantsCoke "let's go" means "let us go". I think he is imprisoned or something. I don't know who exactly he refers to as "us", but I for one think they should be let free. He is clearly in distress.
He wants us to Go program the Us Go V.
Post-quantum crypto is not elliptic curves; those are also vulnerable to quantum computers. Post-quantum is a completely different approach (learning with errors).
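To make the "completely different approach" concrete for the post-quantum comments above (the Shor's-algorithm thread, the NIST-naming thread and this one), here is an added C++ example of a toy Regev-style learning-with-errors encryption of a single bit. It is mine, not code from the page, Cloudflare or any NIST submission. The modulus 3329 is the one ML-KEM uses; the dimensions `N` and `M`, the class name `ToyLwe` and the seeded PRNG are my assumptions, and the parameters are far too small to be secure. It also shows, via `public_key_elements`, why the raw public key is big: it is an `M x N` matrix plus a vector, which is the size pressure the handshake discussion above is about (real schemes shrink it by expanding the matrix from a short seed).

```cpp
// Added example: toy LWE bit encryption. Not secure: N is tiny and the
// randomness is a seeded PRNG so the demo is reproducible.
#include <algorithm>
#include <cstdint>
#include <cstdlib>
#include <random>
#include <vector>

constexpr std::int64_t Q = 3329;  // modulus borrowed from ML-KEM
constexpr std::size_t N = 16;     // secret dimension (assumption, toy-sized)
constexpr std::size_t M = 64;     // LWE samples in the public key (assumption)

using Vec = std::vector<std::int64_t>;
using Mat = std::vector<Vec>;

static std::int64_t mod_q(std::int64_t x) { return ((x % Q) + Q) % Q; }

struct PublicKey { Mat A; Vec b; };          // b = A*s + e  (mod Q)
struct SecretKey { Vec s; };
struct Ciphertext { Vec u; std::int64_t v; };

class ToyLwe {
public:
    explicit ToyLwe(std::uint64_t seed) : rng_(seed) {}

    // Key generation: random secret s, random matrix A, and b = A*s plus a
    // small error per row. Without the error, b would leak s by linear algebra.
    void keygen(PublicKey& pk, SecretKey& sk) {
        sk.s.assign(N, 0);
        for (auto& x : sk.s) x = uniform();
        pk.A.assign(M, Vec(N, 0));
        pk.b.assign(M, 0);
        for (std::size_t i = 0; i < M; ++i) {
            std::int64_t dot = 0;
            for (std::size_t j = 0; j < N; ++j) {
                pk.A[i][j] = uniform();
                dot += pk.A[i][j] * sk.s[j];
            }
            pk.b[i] = mod_q(dot + small_error());
        }
    }

    // Encrypt one bit: pick a random subset of rows, sum them, and add
    // bit * floor(Q/2) to the b-side so 0 and 1 land half a modulus apart.
    Ciphertext encrypt(const PublicKey& pk, int bit) {
        Ciphertext ct;
        ct.u.assign(N, 0);
        ct.v = 0;
        for (std::size_t i = 0; i < M; ++i) {
            if ((rng_() & 1) == 0) continue;
            for (std::size_t j = 0; j < N; ++j) ct.u[j] += pk.A[i][j];
            ct.v += pk.b[i];
        }
        for (auto& x : ct.u) x = mod_q(x);
        ct.v = mod_q(ct.v + bit * (Q / 2));
        return ct;
    }

private:
    std::int64_t uniform() {
        return std::uniform_int_distribution<std::int64_t>(0, Q - 1)(rng_);
    }
    std::int64_t small_error() {
        return std::uniform_int_distribution<std::int64_t>(-1, 1)(rng_);
    }
    std::mt19937_64 rng_;
};

// Decrypt: v - u*s leaves bit*floor(Q/2) plus the summed errors (at most M
// in magnitude, far below Q/4), so rounding to the nearer of 0 and Q/2
// recovers the bit.
int decrypt(const SecretKey& sk, const Ciphertext& ct) {
    std::int64_t dot = 0;
    for (std::size_t j = 0; j < N; ++j) dot += ct.u[j] * sk.s[j];
    std::int64_t d = mod_q(ct.v - dot);
    std::int64_t dist0 = std::min(d, Q - d);
    std::int64_t dist1 = std::abs(d - Q / 2);
    return dist1 < dist0 ? 1 : 0;
}

// Number of field elements in the raw public key (M*N matrix plus M-vector).
std::size_t public_key_elements(const PublicKey& pk) {
    return pk.A.size() * N + pk.b.size();
}

// Round-trip alternating bits through one key pair; true if all decrypt.
bool lwe_roundtrip(std::uint64_t seed, int trials) {
    ToyLwe lwe(seed);
    PublicKey pk;
    SecretKey sk;
    lwe.keygen(pk, sk);
    for (int t = 0; t < trials; ++t) {
        int bit = t & 1;
        if (decrypt(sk, lwe.encrypt(pk, bit)) != bit) return false;
    }
    return true;
}
```

The hardness rests on the error terms: without them the public key is a solvable linear system, and with them recovering `s` is the LWE problem, which is the lattice problem the comments contrast with factoring and discrete logs.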
Good to see him be interested in proxies.
Flair! Makes it blazing fast!
Hey I have a Pliny the Elder work crew from Russian River! I don't drink anymore but that was (is?) a great brewery!
"I hate your build systems" 🤣I feel your pain!
That was one of the best outros yet!
"Joe Biden is a Rustacean..."
Prime, He doesn't even know he's alive.
Cloudflare saving face. Nice.
could i get some context? i'm a bit out of the loop here.
@raffimolero64 I'm just referring to their recent viral moment after firing one of their employees
2:09 It is my understanding that elliptic curve cryptography is not post-quantum computer safe, since the discrete log problem can be solved by Shor's algorithm
it's Cloudflare duuuuuuuuuuuuuuuude
Pingora makes me think of envoy, but written in rust, and not configured with yaml.
I get these types of videos and have no ideas what this even means
5:08 that's so me!
k9s already exists, pretty cool tool
skilled trades mentioned
Hands down the best sign off 💰14:43
when you do build your load balancer / proxy, team up with hussein nasser from youtube
Teams wanting to use TS over Go... I mean if you subtract Node build times from your working hours. It's like 2h of actual work per day. Maybe that is the way.
i thought there was a company called 'Cloudflair', that would be an insane abuse of trademark
🇧🇷 mentioned 😊
Spanish speakers "Pingo-ra" 👀
Somebody make an lxc or containerd of this thing.
I hate cloudflare, but they have some really skilled and serious engineers from top to down. If pingora has a graceful restart, then I'll give it a go (over nginx or ha-proxy or whatever).
fearful concurrency
But is it BLAZINGLY FAST?
RIP varnish
Proxy as a framework 🫢🫢🫢
Brazil mentioned 🇧🇷
Genuine question: what reasons do so many of you hate nginx? I’ve never had to deal with nginx, outside of some minor tweaks to its config.
I work with it almost everyday, writing configs and I love it! Cannot say the same about apache/caddy/lightspeed though. I also do not get why people can hate nginx
quadrillion is a number i'm not used to hearing in day-to-day life
pretty good, actually looks like openresty
cloudflare got that ✨flair ✨
The Primeagen gotta know what he's doing when he's capitalizing "RUST" for maximum rage bait lmao.
Rust mentioned
Always read and yell it out as "ninx!".... and this is AFTER their website taught me how to actually say it, they just not gonna stop me!
Fifteen sweaty nerds coming up with YAF (YetAnotherFramework)
optimal prime can you make video on ebpf
is this the beginning of the future
moving from :
c/c++ ---> rust
java ---> go
css ---> Tailwind
Intel ---> amd
stackOverflow ---> ChatBots
VsCode ---> might be Zed
and NewsPlatforms ---> X
New Rulers in the market : OpenAI and Nvidia
Not tailwind 😂
some people just want to read the conclusion!
Could they have made pinGOra in GO?
If you follow the links in the Apache licence, the foundations, 1995, HTTPD offering can do all the above, as can the 2004, BSD licensed, Nginx, as can numerous commercial offerings. They're all supported, and have install bases in the millions, to ensure they'll be supported for decades to come, no personal effort required. So why reinvent the proxy / reverse proxy, let alone rope yourself into supporting a bespoke one, for decades.
I don’t know rust but I want to use this
Neat.
a GAZILLION WEB REQUESTS?!
Brazil mentioned. Sorry for being late.
So, Pingola needs us, uh?
I love build systems
Imagine making the most awesome Rust Code, and then having to integrate OpenSSL, and *then* calling security the top priority.
what's wrong with openssl? Afaik openssl is used in everything related to ssl/tls
@oleksiistri8429 You never heard of heartbleed and how it caused a lot of vulnerability issues 10y ago, allowing attackers to "bleed" infos from the server? Yes, it was patched, and yes, it's used a lot and considered almost a defacto standard, but there are alternatives, that got a lot more popular since that huge vulnerability discovery back then. You should take a look at rustls.
@oleksiistri8429 OpenSSL isn't unsafe by itself, but the C OpenSSL API - Rust HTTP integration sounds like a pain when trying to be secure.
Sounds like prime is 🤏 close to streaming ft so he can do what he wants. 👏
I like saying pingora. I like the way prime says pingora. Just put some more "rrrrrrr" into it.
whats ur list?
This is kind of like YARP in C#.
openresty is fun to use.
pingora sounds like naughty in Spanish, but in a very bad way
The Pingora peak is a mountain in Wyoming i believe and there's also "ping" in there which hints at i/o and communications.
The higher level proxy/balancer that will be built on top of Pingora is called River (a river originates from a mountain)
I feel like the naming is clever.
First they came for HTTPS, now they come for the servers
cLoUdFLaiR
BRAZIL MENTIONED!!!!
Elliptical curve is not post quantum.
green?
We Brazilians will love this name, "Pingora".
FYI “pinga” means 🍆 in Cuban Spanish, so Pingora is a very funny name. Sounds like 🍆🍆🍆
“I bet he wants this Pingora”
Pingora, hardening your network since 2024.
It should be called Pingota. That would be hilarious
Please enjoy your Government Mandated Memory Safe Language. You are being rescued. Please don’t resist
This comment is the best
I bet lopolo just wanted to say that, sure CF is cool and the thing will be perfect, but the fact that much of the Internet depends directly and solely on CF.. is frustrating and disturbing. It's "too big to fail". And that's down bad.
i love cloudflair
I don't.
I wear 37 pieces of cloudflair, like Brian
Elliptic curve is not quantum safe. 🤓 (infosec nerd here)
The next version of the "owned with facts and logic" meme is "you're Ben Shapiro and I'm a random liberal arts college student".
"n-jinx"
"bless you"
Node is just cancer, doing the lords work prime
Brazil mentioned
hahaha. in my country's spanish slang this name would translate more or less to "dickery"
what if i call nginx "ngeenks"
that's what I did back then lol
Then you are even more of a genius than Tom himself
yeah, did that too, because if you read it in german, that's how you would pronounce it😅
How did they get away with using the crab? Rust Foundation didn't aggro?
It's because Ferris(the crab) was not created by the Rust Foundation
Joe Biden is a senior Rust developer.
Nice.
I trust cloudflare a lot more than Microsoft or Google
Cloudflair
Someone needs to give programming framework namers a course in multi-lingual vulgar terms. That name... it's... wow.
is there a C++ version of Pingora?
There are libraries out there, but they're not mainstream. The degree program I am in does cover it I think.
Cloudflare*
That k8s joke was the worst joke I think I have ever heard in my life. Frankly it wraps around to being the funniest thing I've ever heard
Cloudflare* 😂 nice overview apart from that
Rust is difficult to learn 😢.
That’s not how you spell Cloudflare
clearly no cubans work at Cloudflare LMAO!!!
Conclusion was generated by GPT. That's the thing.
Biden's got a fursona apparently.
"I tell ya folks... rust!" - Joe Biden