Why Cloudflare Replaced NGINX with Pingora: Inside a High‑Performance Proxy
This article explains how Cloudflare built Pingora, a Rust‑based HTTP proxy that outperforms NGINX in scalability, connection reuse, and security, detailing the architectural limits of NGINX, design decisions behind Pingora, and the measurable performance and efficiency gains achieved in production.
Cloudflare announced it is replacing NGINX with its home‑grown HTTP proxy Pingora, claiming higher speed, efficiency, and security.
Introduction
Pingora is a new HTTP proxy written in Rust that processes over one trillion requests daily, delivering better performance while using only a third of the CPU and memory of the previous infrastructure.
Why Build a New Proxy
NGINX’s worker‑process architecture caused load imbalance, limited connection reuse, and hindered the addition of advanced features. Each request was handled by a single worker, leading to CPU core under‑utilization and slower TTFB due to fragmented connection pools.
Furthermore, extending NGINX with custom functionality was difficult because its C codebase is not memory‑safe, and integrating Lua added performance and type‑safety drawbacks. The NGINX community’s limited activity also constrained innovation.
Architectural Limitations
The single‑worker model prevented efficient sharing of connections across cores, resulting in higher handshake overhead and resource consumption.
Feature Constraints
NGINX made it hard to implement request retries with different header sets, and its C foundation lacked memory safety, increasing the risk of crashes. Lua, while safer, suffered from lower performance and lack of static typing.
Choosing to Build Our Own
Cloudflare evaluated three options: continue investing in NGINX, migrate to another third‑party proxy (e.g., Envoy), or build an internal platform from scratch. Over time, the internal solution proved to have the best ROI for their scale.
Pingora Project Design Decisions
Rust was selected for its memory safety without sacrificing performance. Instead of using existing HTTP libraries like hyper, Cloudflare built a custom library to maximize flexibility and support non‑RFC‑compliant traffic patterns.
The design includes a multithreaded scheduler with work‑stealing, leveraging the Tokio async runtime, and a programmable request‑lifecycle interface similar to NGINX/OpenResty, allowing developers to write filters that can modify or reject requests.
Pingora’s Production Performance
Pingora reduces median TTFB by 5 ms and the 95th percentile by 80 ms compared to the legacy service. Shared connection pools across threads improve reuse, cutting new connections to one‑third and increasing reuse rates from 87.1 % to 99.92 % for a major client, saving an estimated 434 years of handshake time per day.
CPU and memory consumption drop by roughly 70 % and 67 % under the same traffic load, thanks to Rust’s efficiency and the multithreaded model that avoids costly Lua‑C string copying and mutex‑protected shared memory.
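An added illustration, not Cloudflare's code or Pingora's implementation: a toy model of the pooling difference described above, serving the same request stream once with one idle-connection pool per worker and once with a single pool shared by all threads. The worker count, origin count, idle timeout, uniform traffic and strictly sequential requests are assumptions chosen for the demonstration.

```rust
use std::collections::HashMap;

// Idle upstream connections: origin id -> tick the connection was last used.
type Pool = HashMap<u32, u64>;

// Deterministic LCG (constructed input source) so runs are reproducible.
struct Lcg(u64);
impl Lcg {
    fn next(&mut self, bound: u64) -> u64 {
        self.0 = self.0.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407);
        (self.0 >> 33) % bound
    }
}

#[derive(Debug, PartialEq)]
pub struct Stats { pub new_conns: u64, pub reused: u64 }

impl Stats {
    pub fn reuse_ratio(&self) -> f64 {
        self.reused as f64 / (self.new_conns + self.reused) as f64
    }
}

// Serve `requests` sequential requests, each picked up by a random worker and
// bound for a random origin. shared = false: one pool per worker (hypothetical
// model of the per-process layout); shared = true: one pool for every thread.
pub fn simulate(workers: u64, origins: u64, requests: u64, idle_ttl: u64, shared: bool) -> Stats {
    let mut pools: Vec<Pool> = vec![Pool::new(); if shared { 1 } else { workers as usize }];
    let mut rng = Lcg(42);
    let mut stats = Stats { new_conns: 0, reused: 0 };
    for tick in 0..requests {
        // Both draws happen in both modes, so the request stream is identical.
        let worker = rng.next(workers) as usize;
        let origin = rng.next(origins) as u32;
        let pool = &mut pools[if shared { 0 } else { worker }];
        match pool.get(&origin) {
            Some(&last) if tick - last <= idle_ttl => stats.reused += 1,
            _ => stats.new_conns += 1, // no live idle connection: new TCP/TLS handshake
        }
        pool.insert(origin, tick);
    }
    stats
}

fn main() {
    for shared in [false, true] {
        let s = simulate(16, 50, 100_000, 2_000, shared);
        println!("shared={}: new={} reuse={:.2}%", shared, s.new_conns, 100.0 * s.reuse_ratio());
    }
}
```

In this model a request that reuses a connection in the per-worker layout always reuses one in the shared layout too, because the most recent use of an origin by any thread is never older than its most recent use by one particular worker.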
Security Improvements
Rust’s memory‑safe semantics eliminate undefined‑behavior bugs, allowing Cloudflare to release features faster without fearing crashes. Since Pingora’s launch, the service has processed billions of requests without a single crash caused by its own code.
Conclusion
Cloudflare has built a faster, more efficient, and more secure internal proxy that serves as a platform for current and future products, with plans to open source the project and share further technical details.
