Why Cloudflare Replaced Nginx with Pingora: Architecture, Design Decisions, and Performance Benefits
Cloudflare's top architects explain why they replaced Nginx with the Rust‑based Pingora proxy, detailing architectural limits of Nginx, design decisions, performance gains, resource efficiency, and new capabilities that make Pingora faster, more efficient, and safer for massive internet traffic.
Cloudflare announced that it is deprecating Nginx in favor of its internally built, Rust‑based HTTP proxy called Pingora. The new service processes over a trillion requests per day, delivering higher performance while using only a third of the CPU and memory of the previous proxy stack.
Several architectural constraints of Nginx motivated the change. Each request is handled by a single worker process, which leads to load imbalance across CPU cores. Connection pools are kept per worker, so connection reuse is poor. It is also difficult to implement complex features such as custom retry logic or advanced request filtering.
Cloudflare evaluated three options—continue investing in Nginx, migrate to another third‑party proxy (e.g., Envoy), or build a new platform from scratch. The decision to build Pingora was driven by the need for a solution that could scale with Cloudflare’s traffic, provide fine‑grained control, and avoid the limitations of the Nginx worker model.
Key design choices for Pingora include using Rust for memory safety and performance, adopting a multithreaded model (on the Tokio runtime, with work-stealing scheduling) so that connection pools are shared across threads rather than split per worker, and creating a programmable request-lifecycle API similar to Nginx/OpenResty. This enables developers to add features such as HTTP/2 upstream support and gRPC without extensive engineering effort.
Performance measurements show that Pingora reduces median TTFB by 5 ms and the 95th‑percentile by 80 ms, largely due to better connection reuse across threads. New‑connection rates dropped to one‑third of the previous service, and connection‑reuse rates increased from 87.1 % to 99.92 %, saving hundreds of years of handshake time annually.
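A toy model of the connection-reuse effect described above, added here as an illustration (it is not Cloudflare's code and does not reproduce their measurements). The worker count, origin count, idle timeout and uniformly random traffic are constructed assumptions; `reuse_rate` is a hypothetical helper.

```rust
use std::collections::HashMap;

// Small deterministic PRNG (xorshift64) so the run is reproducible without crates.
struct Rng(u64);
impl Rng {
    fn next_u64(&mut self) -> u64 {
        self.0 ^= self.0 << 13;
        self.0 ^= self.0 >> 7;
        self.0 ^= self.0 << 17;
        self.0
    }
}

/// Fraction of requests served on an already-open upstream connection.
/// `pools` is the number of independent connection pools: one per worker
/// models the per-process layout, 1 models a pool shared by all threads.
fn reuse_rate(workers: u64, pools: u64, origins: u64, idle_ttl: u64, requests: u64) -> f64 {
    let mut rng = Rng(0x9E3779B97F4A7C15);
    // (pool, origin) -> tick at which that pooled connection was last used
    let mut idle: HashMap<(u64, u64), u64> = HashMap::new();
    let mut reused = 0u64;
    for tick in 0..requests {
        let worker = rng.next_u64() % workers; // request lands on an arbitrary worker
        let origin = rng.next_u64() % origins; // and targets an arbitrary origin
        let key = (worker % pools, origin);
        match idle.get(&key) {
            // A connection to this origin is still alive in this pool: reuse it.
            Some(&last) if tick - last <= idle_ttl => reused += 1,
            // Otherwise a new TCP/TLS handshake to the origin is needed.
            _ => {}
        }
        idle.insert(key, tick);
    }
    reused as f64 / requests as f64
}

fn main() {
    // Constructed parameters: 32 workers, 500 origins, idle timeout of 5000 ticks.
    let per_worker = reuse_rate(32, 32, 500, 5_000, 200_000);
    let shared = reuse_rate(32, 1, 500, 5_000, 200_000);
    println!("per-worker pools: {:.1}% reuse", per_worker * 100.0);
    println!("shared pool:      {:.1}% reuse", shared * 100.0);
}
```

With the same traffic, splitting the pool per worker means a request only finds a warm connection if the same worker recently talked to the same origin, which is why the per-worker reuse rate in this model is far below the shared-pool rate.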
Resource consumption is also lower: CPU usage drops by roughly 70 % and memory usage by about 67 % compared with the legacy Lua‑based Nginx stack, thanks to Rust’s efficiency and the elimination of per‑worker connection pools and Lua string copying.
Safety improvements stem from Rust’s memory‑safe semantics, which eliminate many classes of crashes and undefined behavior that plagued the previous C/Lua codebase. Since Pingora’s launch, the service has handled millions of billions of requests without a single crash caused by its own code.
In summary, Pingora provides a faster, more efficient, and more secure proxy platform that serves as the foundation for Cloudflare’s current and future products.
Top Architect