Why Cloudflare Replaced Nginx with Pingora: Design, Performance, and Security Benefits

Cloudflare announced that it is deprecating Nginx in favor of a new, Rust‑based HTTP proxy called Pingora, claiming it is faster, more efficient, and more secure.

Why build a new proxy – Nginx’s worker‑process model caused load imbalance, limited connection reuse, and made it difficult to add advanced features such as request‑retry logic or custom header handling. The C codebase also lacked memory safety, and the community activity was low.

Options evaluated – Continue investing in Nginx, migrate to another third‑party proxy (e.g., Envoy), or build an internal platform from scratch. After years of quarterly reviews, Cloudflare chose the latter.

Pingora project design decisions – Rust was selected for memory safety without sacrificing performance. A custom HTTP library was built to handle non‑standard and legacy HTTP traffic. The runtime uses Tokio for asynchronous multithreading, and a request‑lifecycle programmable interface similar to Nginx/OpenResty was provided.

Performance gains – In production, Pingora reduces median TTFB by 5 ms and the 95th percentile by 80 ms, cuts new connections to one‑third, raises connection‑reuse rate from 87.1 % to 99.92 %, and saves roughly 434 years of handshake time per day. CPU and memory usage drop about 70 % and 67 % respectively, thanks to Rust’s efficiency and a multithreaded model that shares connection pools.

Security improvements – Rust’s memory‑safety guarantees eliminate many classes of crashes and undefined behavior, leading to virtually zero service‑side crashes despite processing trillions of requests.

Conclusion – Pingora provides a faster, more efficient, and more flexible internal proxy platform that underpins Cloudflare’s current and future products, with plans to open‑source the project.