quiche VS s2n-quic

The title of this post puts emphasis on "written in C", making me wonder when this would ever be a desirable feature, given that more secure implementations are available, and can be integrated into old C projects just as easily.

No need to rewrite everything from the ground up: https://github.com/cloudflare/quiche#curl

The issue is dead silent too!

https://github.com/cloudflare/quiche/issues/1115

Even though Oxy is a proprietary project, we try to give back some love to the open-source community without which the project wouldn’t be possible by open-sourcing some of the building blocks such as https://github.com/cloudflare/boring and https://github.com/cloudflare/quiche.

They’ve been on the Rust train since at least 2019. Just look at projects like quiche, wrangler, and boringtun

It's more like Cloudflare forked nginx a long time ago, and is meanwhile in the very slow (like, decade-long) process of replacing it entirely.

The Cloudflare Workers Runtime, for instance, is built directly around V8; it does not use nginx or any other existing web server stack. Many new features of Cloudflare are in turn built on Workers, and much of the old stack build on nginx is gradually being migrated to Workers. https://workers.dev https://github.com/cloudflare/workerd

In another part of the stack, there is Pingora, another built-from-scratch web server focused on high-performance proxying and caching: https://blog.cloudflare.com/how-we-built-pingora-the-proxy-t...

Even when using nginx, Cloudflare has rewritten or added big chunks of code, such as implementing HTTP/3: https://github.com/cloudflare/quiche And of course there is a ton of business logic written in Lua on top of that nginx base.

Though arguably, Cloudflare's biggest piece of magic is the layer 3 network. It's so magical that people don't even think about it, it just works. Seamlessly balancing traffic across hundreds of locations without even varying IP addresses is, well, not easy.

I could go on... automatic SSL provisioning? DDoS protection? etc. These aren't nginx features.

So while Cloudflare may have gotten started being more-or-less nginx-as-a-service I don't think you can really call it that anymore.

(I'm the tech lead for Cloudflare Workers.)

Ask Cloudflare why they use HTTP/3 and QUIC https://github.com/cloudflare/quiche.

Cloudflare has used rust for multiple projects in the past such as their QUIC/HTTP3 implementation Quiche and a WireGuard implementation BoringTun.

Yes, the Kani CI time for s2n-quic dropped by more than 25% with Kani 0.28.

Packet parsing is a great application for this type of testing. We've used bolero/Kani in a bunch of s2n-quic's codec implementations - example.

It's definitely a valid question, with there being a lot of great QUIC implementations out there. We do believe, though, s2n-quic has a lot to offer with a high level of security, testing, performance, and features. Given that s2n-quic will eventually be integrated into AWS Services, we ultimately need direct ownership of fundamental libraries like s2n-quic, s2n-tls, etc. to be able to maintain that high level of security and performance for our customers.