
Why Cloudflare Replaced NGINX with Pingora: Design Decisions, Performance Gains, and Security Improvements

The article explains how Cloudflare built Pingora, a Rust‑based, cloud‑native reverse proxy that surpasses NGINX in performance, efficiency, and safety by redesigning the worker model, improving connection reuse, and leveraging multithreading and Tokio, while also offering greater extensibility for future services.

Java Architect Essentials

Cloudflare announced that it has replaced NGINX with its own next‑generation reverse‑proxy service, Pingora, claiming superior speed, efficiency, and security. Pingora is written in Rust and processes over one trillion requests per day while using only a third of the CPU and memory of the previous proxy infrastructure.

The motivation for building Pingora stems from limitations in NGINX’s worker‑process architecture, which caused load imbalance, poor connection reuse, and difficulty adding advanced features. In NGINX each request is handled by a single worker, and each worker keeps its own isolated connection pool, which led to higher latency and resource consumption.

Additional constraints included the inability to implement certain functionalities (e.g., request retries with different headers) and the challenges of extending a C‑based codebase safely. Cloudflare therefore evaluated three options: customizing NGINX, migrating to another third‑party proxy, or building an internal solution from scratch, ultimately choosing the latter.

Key design decisions for Pingora include:

- Choosing Rust for memory safety without sacrificing performance.
- Implementing a custom HTTP library rather than relying on existing ones to maximize flexibility.
- Supporting non‑standard HTTP status codes and handling a wide range of non‑compliant traffic.
- Adopting a multithreaded model with Tokio for efficient resource sharing and work‑stealing.
- Providing a programmable request‑lifecycle API similar to NGINX/OpenResty for easy migration of existing logic.

Performance measurements show that Pingora reduces median TTFB by 5 ms and the 95th percentile by 80 ms, largely due to better connection reuse across threads. It also cuts new connections per second to one‑third of the legacy service, improving connection‑reuse rates from 87.1 % to 99.92 % and saving an estimated 434 years of handshake time per day for customers.
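
The effect of isolated per-worker pools versus one pool shared by all threads can be reproduced with a small simulation. This is an added example, not Cloudflare's or Pingora's code: the workload (200 origins, 16 workers, an idle timeout counted in request ticks) and every name in it are assumptions chosen for illustration.

```rust
use std::collections::HashMap;

/// Tiny deterministic xorshift64 generator so the run is reproducible offline.
struct XorShift(u64);
impl XorShift {
    /// Returns a value in 0..n taken from the generator's high bits.
    fn below(&mut self, n: u64) -> u64 {
        self.0 ^= self.0 << 13;
        self.0 ^= self.0 >> 7;
        self.0 ^= self.0 << 17;
        (self.0 >> 32) % n
    }
}

/// Simulates `requests` sequential requests spread over `origins` upstreams.
/// `pools` is the number of isolated idle-connection pools: one per worker
/// process in the per-worker model, 1 for a pool shared by all threads.
/// A pooled connection idle for more than `idle_timeout` ticks counts as closed.
/// Returns the fraction of requests served over a reused connection.
fn reuse_rate(pools: u64, origins: u64, requests: u64, idle_timeout: u64) -> f64 {
    let mut rng = XorShift(0x9E37_79B9_7F4A_7C15); // constructed seed
    // (pool, origin) -> tick at which that pooled connection was last used
    let mut last_used: HashMap<(u64, u64), u64> = HashMap::new();
    let mut reused = 0u64;
    for tick in 0..requests {
        let origin = rng.below(origins);
        let pool = rng.below(pools); // which worker accepted the request
        if let Some(&t) = last_used.get(&(pool, origin)) {
            if tick - t <= idle_timeout {
                reused += 1; // no new TCP/TLS handshake needed
            }
        }
        last_used.insert((pool, origin), tick);
    }
    reused as f64 / requests as f64
}

fn main() {
    // Constructed workload: same request stream for both models.
    let (origins, requests, timeout) = (200, 200_000, 2_000);
    let isolated = reuse_rate(16, origins, requests, timeout);
    let shared = reuse_rate(1, origins, requests, timeout);
    println!("16 isolated pools: {:.1}% reuse", isolated * 100.0);
    println!("1 shared pool:     {:.1}% reuse", shared * 100.0);
}
```

Both runs see the same sequence of origins; only the pool a request lands in differs, so the gap between the two rates comes entirely from splitting idle connections across workers.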

Efficiency gains include roughly 70 % lower CPU usage and 67 % lower memory consumption under the same load, thanks to Rust’s faster execution, reduced copying of HTTP headers, and the multithreaded shared‑reference model. The multithreaded design also eliminates many mutex‑protected shared‑memory accesses required by NGINX.

Security benefits arise from Rust’s memory‑safety guarantees, which dramatically reduce the risk of crashes and undefined behavior. In production, Pingora has processed billions of requests without a single crash caused by its own code, and any failures observed were due to hardware or kernel issues rather than the proxy itself.

Overall, Pingora provides a faster, more efficient, and more secure foundation for Cloudflare’s suite of products, enabling rapid development of new features such as HTTP/2 upstream support, gRPC, and Cache Reserve with R2 storage, while also offering a developer‑friendly, extensible platform for future innovations.
