Monthly Archives: February 2017

Incident report on memory leak caused by Cloudflare parser bug

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.


apache – proxy & proxy_http


Invalid command ‘ProxyPreserveHost’, perhaps misspelled or defined by a module not included in the server configuration

sudo a2enmod proxy


[Sun Feb 26 03:48:38.613627 2017] [proxy:warn] [pid 9117] [client 94.63.XXX.XXX:49486] AH01144: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

sudo a2enmod proxy_http

Restart apache and everything should be okay now.