
Run JavaScript on Cloudflare with Workers - jgrahamc
https://blog.cloudflare.com/cloudflare-workers-unleashed/
======
kentonv
Hi folks! This is my project at Cloudflare -- which, entirely by coincidence,
I joined exactly one year ago today:
[https://news.ycombinator.com/item?id=13860027](https://news.ycombinator.com/item?id=13860027)

Happy to answer any questions.

~~~
netcraft
The FAQ says that these are still in beta and not production ready - is that
still true or has that page not been updated with this announcement?

Also, it says 50ms of cpu time, 15 seconds of real time as limits. When
developing, are there easy ways to get measurements of how long things are
taking? I can imagine 50ms on my MBP may not be the same as in production -
either faster or slower - but I wouldn't want to get to production to find out.

[https://developers.cloudflare.com/workers/faq/](https://developers.cloudflare.com/workers/faq/)

~~~
kentonv
> The FAQ says that these are still in beta and not production ready

Oops! That's outdated. Let me go fix that right now...

Workers are already being used in production by customers large and small
today.

------
bad_user
> _Due to the immense amount of work that has gone into optimizing V8, it
> outperforms just about any popular server programming language with the
> possible exceptions of C/C++, Rust, and Go._

Odd statement and it’s not true.

I work with Node.js a lot, which is using V8 and have tested a lot of code
cross compiled to both JavaScript and the JVM.

As a matter of fact the JVM beats the shit out of V8 in everything but startup
time.

And this is not an educated guess, I have the same code, some cross-compiled
via a compiler that can target both (plenty of such compilers these days,
including Scala, Clojure and Kotlin) and some code hand optimized for each
specific platform and the difference is huge in both cases. And let’s be
clear, this is not code that handles numeric calculations, for which JS would
be at a big disadvantage.

Imagine that I’m not running the same unit tests, for JS I have to do much
less iterations in property based testing, because Travis-ci chokes on the JS
tests. So it’s a constant pain that I feel weekly.

And actually anybody that ever worked with both can attest to that. The
performance of V8 is rather poor, except for startup time where the situation
is reversed, V8 being amongst the best and the JVM amongst the worst if
startup time matters.

~~~
kentonv
You're right, Java should have been included along with the other languages I
mentioned. As a strongly-typed, compiled language, it should indeed beat V8
handily. I had intended to say that V8 outperforms other dynamically-typed
languages like PHP, Python, Ruby, etc.

But because startup time and RAM usage are so important to our use case, Java
has never been in the running as a plausible implementation choice, so to be
honest I sort of forgot about it. :/

~~~
bad_user
Yes, I admit the startup time for the JVM is terrible and your choice of V8
makes sense in that light.

Plus indeed people will be able to use WebAssembly and compile languages like
Rust to it.

------
graystevens
$0.50/million requests, but it’s a minimum of $5/month (giving you 10 million
requests essentially.)

Not a criticism, this looks like an excellent product for those who can
benefit from it, just calling it out for others that read the comments here
before the original content.

------
jakozaur
Looks like a little bit cheaper than AWS Lambda@Edge which is $0.6/mln, but
more than regular AWS Lambda $0.2/mln. On Lambda you pay extra for resources,
but you can get more RAM or CPU there (e.g. running Chrome Headless is an
option there).

On the other hand CloudFlare Workers looks more distributed, but suitable just
for 50ms CPU time, 15s wall time and 128 MB. This is enough for redirects, A/B
testing, but often not enough for writing serverless applications or any kind
of rendering.

I wonder whether CloudFlare wants to get into serverless business and this is
first iteration or if it's just a CDN which is more customisable by allowing
code to run there.

~~~
jgrahamc
But no data transfer charges from Cloudflare. And the JavaScript deploys in
seconds not minutes.

~~~
jakozaur
No data transfer fees from CloudFlare is their big competitive advantage.
$0.5-0.7 GB / egress on major public clouds can be brutal. Transferring one
object out of S3 costs the same as storing it for 2.5 months.

~~~
kentonv
Also note Lambda@Edge has a CPU time component to their pricing.

~~~
mrkurt
With a 50ms minimum. Because I guess you can't do anything useful faster than
that. :)

------
jgrahamc
And they typically run in under 1ms and global deploys take less than 30s and
it's native V8.

~~~
neuland
Are Cloudflare Workers implemented as an NGINX module like OpenResty?

~~~
kentonv
Nope. It's a new stand-alone HTTP server. This lets us implement a tighter
sandbox, since all the code is purpose-built for running inside it.

~~~
ayosec
> It's a new stand-alone HTTP server.

Are you going to publish more info about that HTTP server? Like the technology
used to write it.

~~~
kentonv
Yeah, I'll probably write that up at some point.

For now, here's the source code for the HTTP implementation. :)

[https://github.com/capnproto/capnproto/blob/master/c++/src/k...](https://github.com/capnproto/capnproto/blob/master/c++/src/kj/compat/http.h)

[https://github.com/capnproto/capnproto/blob/master/c++/src/k...](https://github.com/capnproto/capnproto/blob/master/c++/src/kj/compat/http.c++)

That's from the KJ C++ toolkit library, which is part of the Cap'n Proto
project, which is my own work that predates my time at Cloudflare. We're using
this in the Workers engine and updating the code as needed.

Yes, I know, NIH syndrome. But it has been pretty handy to be able to jump in
and make changes to the underlying HTTP code whenever we need to.

I hope to spend some time writing better docs for KJ, then write a blog post
all about it.

The only major dependencies of the core Workers runtime are V8, KJ, and
BoringSSL.

------
stevebmark
Wasn't running code on edge nodes how Cloudflare man in the middle attacked
millions of encrypted websites for a year?

------
siscia
What I find missing here and in aws lambda or google function is the notion of
"state".

I believe it would really be a game changer if we could open and maintain an
open connection with a database.

~~~
kentonv
Indeed, we want to provide storage, but easy-to-use storage that can scale to
100+ (or 1000+) nodes is tricky. We're working on it. :)

PS. If you're a distributed storage expert and want to work on this, we're
hiring!

~~~
mr_luc
I'm not an expert, but I've gotten used to CRDTs being available in Elixir-
land (Phoenix.Tracker, in phoenix_pubsub).

But I don't believe >40 or so nodes has never been Erlang's strong point.

Edit: with the conclusion being of course that you wouldn't want to strongly
connect the edge nodes, so instead it'd be something more traditional, where
if people pay for a storage add-on, you folks are automating the schlep of
spinning them up a long-lived storage cluster, and networking it so that only
their edge nodes can access it. At which point you could be building on
anything, maybe even something that already exists like Redis or etcd. Hmm,
though for hello-world purposes I might still see what could be put together
in beam-land, where everything is more at your fingertips ...

------
ggambetta
FWIW kentonv posting in this thread, who did this project, is the guy who
invented protocol buffers :o

~~~
ocdtrekkie
Technically, Kenton made Protocol Buffers _version 2_, and open sourced it, I
believe. Kenton did, however, make Cap'n Proto, which builds on what he
learned from doing Protocol Buffers. And he also created Sandstorm.io, a self-
hosting platform I am quite fond of. :)

~~~
icebraining
+1 Sandstorm is awesome. And porting an app is not complicated, thanks to a
sensible architecture and good documentation.

------
neals
Not really into this space. What would be some use cases for this? Call an API,
do a thing? Or more like, process some data and post the results?

~~~
zackbloom
There are some that people already think about doing on the edge, like complex
caching rules, routing based on cookies, and edge side includes.

Then there are things people are just starting to think about, like doing a/b
testing by serving different variants from the edge and building their API
gateway into the edge.

Finally there are things people will only start dreaming of now that the tech
is available, like filtering the massive stream of data coming in from IoT at
the edge, or powering interactive experiences that require compute which
individual machines don't have, but speed which centralization can't provide.

~~~
thegoleffect
Kenton said Workers don't have access to client's cookies, how can you do
routing based on cookies with Workers?

~~~
slig
They don't have access to all the cookies in the user's cookie jar, but since
they work by intercepting requests, they can read the cookies that the browser
sends and act upon them.

------
emj
Exciting times! Seems it's all about making a product that sells the features
of serverless in the right way. Technically I would like websockets on these
platforms, but I don't know how to sell that as a feature.

These numbers 50 ms of compute time and 15 s idle are interesting in the
serverless space. Now I'm waiting for sane performance suites to figure out
what suits you, I'm guessing this solution will kill in these strange latency
tests for AWS lambda from the other day:
[https://news.ycombinator.com/item?id=16542286](https://news.ycombinator.com/item?id=16542286)

~~~
kentonv
> Technically I would like websockets on these platforms

FWIW that's something I'm working on. It's tricky because it's not actually in
the Service Workers standard. Currently, we support WebSocket pass-through (so
if you do something like rewrite a request and return the response, and it
happens to be a WebSocket handshake, it will "just work"), but haven't yet
added support for terminating a WebSocket directly in a Worker (either as
client or server).

------
HugoDaniel
Do those workers have to complete a captcha?

~~~
jasongill
I don't think you read the article - this is your own JavaScript that runs on
their edge servers, not humans doing work

~~~
softawre
It was a joke...

------
jeswin
Will you be able to share how you sandbox these scripts?

~~~
kentonv
We have multiple layers of sandboxing. To start, each Worker runs in a
separate V8 isolate (which is actually a stronger separation than Chrome uses
to separate an iframe from a parent frame, by default). We also have an
extremely tight seccomp filter, and a long list of other measures.

We made an intentional decision early on to avoid providing any precise timers
in Workers -- even Date.now() only returns the time of last I/O (so it doesn't
advance during a tight loop). This proved to be a really good idea when
Spectre hit. (But we also shipped V8's Spectre mitigations pretty much
immediately when they appeared in git -- well before they landed in Chrome.)
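A small model of the timer behaviour described above, added here as an illustration and not taken from the Workers runtime: it compares a precise clock with one whose `now()` only advances at I/O, and shows that code timing a fast and a slow operation can tell them apart only with the precise clock. All names are hypothetical, and the microsecond time source is constructed so the result is deterministic.

```javascript
// Constructed, deterministic time source (microseconds) standing in for real time.
function makeTimeSource() {
  let t = 0;
  return { read: () => t, advance: (us) => { t += us; } };
}

// Precise clock: every read reflects the underlying time source.
function preciseClock(src) {
  return { now: () => src.read(), onIo: () => {} };
}

// Clock as described in the comment: now() returns the time of the last I/O,
// so it does not advance while code is only burning CPU.
function ioFrozenClock(src) {
  let last = src.read();
  return { now: () => last, onIo: () => { last = src.read(); } };
}

// Time one operation the way guest code would: now(), do the work, now().
function timeOperation(clock, src, costUs) {
  const start = clock.now();
  src.advance(costUs); // stands in for CPU-only work of the given cost
  return clock.now() - start;
}

// Measure a fast (1 us) and a slow (50 us) operation, then let one I/O complete.
function compare(clockFactory) {
  const src = makeTimeSource();
  const clock = clockFactory(src);
  const fast = timeOperation(clock, src, 1);
  const slow = timeOperation(clock, src, 50);
  src.advance(1000);
  clock.onIo(); // e.g. a subrequest finishes; only now may the frozen clock move
  return { fast, slow, distinguishable: fast !== slow, afterIo: clock.now() };
}

console.log('precise  ', compare(preciseClock));
console.log('io-frozen', compare(ioFrozenClock));
```

Both clocks agree on the time once I/O has happened, so ordinary uses such as timestamps and cache expiry still work; only the fine-grained measurement between I/O events is lost.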

------
arpit
How does this compare with running AWS Lambdas on CloudFront?

[https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html)

------
tombowditch
Looks very nice! Is the minimum cost ($5/m) per site or per account?

------
ryanworl
Can a Cloudflare app install a worker into a Cloudflare customer’s zone?

~~~
kentonv
Not yet, but with Workers launched this is now my top priority, and something
we're all very excited about.

~~~
ryanworl
Ok thanks.

Do workers play nicely with managed CNAMEs?

~~~
avidal
It's something we're iterating on, and the results are so far looking
promising; but there are a few scenarios in which they may not work (yet). If
you reach out to your SE they should be able to get into specifics.

------
zaarn
Now this is indeed quite interesting.

Though 0.50 per million is only true if you have more than 10 million requests
per month, otherwise the price will be higher since there is a $5 minimum.

------
hashseed
In what case should this be preferred over plain old Service Workers running
on the user's browser? Latter is even lower latency and for free.

~~~
jgrahamc
1. It's easy to maintain/update the code because it is pushed once to
Cloudflare and you don't have to worry about browser caching effects on
JavaScript delivered to the browser.

2. The performance of the code will be much higher than in the browser
because of the server resources available and also because any subrequests
will happen across Cloudflare's fast/reliable links and not whatever the end
user is connected to.

3. The end user has control over what JavaScript is executed and might use a
tool like Disconnect to block external scripts preventing the code from
running at all.

4. Security: you can include things like API keys.

5. Script starts executing earlier.

6. Conserves bandwidth/battery life of mobile users.

------
holtalanm
this looks like something that could be used to host an entire web app (sans
database). Pretty cool!

------
thefounder
Is it possible to just change/rewrite the request origin like on AWS Edge?

~~~
zackbloom
Yes it is! You can make arbitrary requests in your Worker to anywhere on the
internet you like, and return any response you like.

~~~
thefounder
The JS requests are limited to several MBs so you can't download large assets.
This applies on AWS Edge too but on AWS you can modify the request's origin
and then cloudfront agent (which has higher limits) will perform the actual
request using the origin you set.

~~~
kentonv
The Workers runtime fully supports streaming requests/responses. If you're
just passing the response through, it does not get buffered in the worker, and
it is not subject to the Worker's memory limit. You can absolutely download
multi-gigabyte files through a Worker.

~~~
kentonv
To expand on that, when you invoke fetch() and get a Response object back,
that object is returned as soon as response _headers_ have been received; it
does not wait for the body. The Response object contains a ReadableStream from
which you can read the body, but if you instead pass the response directly to
event.respondWith(), then it will stream right back out to the client.
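An added example, not code from the thread or from Cloudflare: a Service Worker style handler that combines the cookie-based routing discussed earlier in the thread with the streaming pass-through described above. The `variant` cookie name, the `ORIGINS` table and its hostnames are assumptions made for illustration.

```javascript
// Assumed allowlist of backends; the hostnames are placeholders.
const ORIGINS = {
  a: 'https://origin-a.example.com',
  b: 'https://origin-b.example.com',
};
const DEFAULT_VARIANT = 'a';

// Parse the Cookie request header. The handler only sees the cookies the
// browser attached to this intercepted request, not the whole cookie jar.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // no name=value pair here
    const name = part.slice(0, eq).trim();
    if (name && !jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// The cookie value is client-controlled, so it only selects a key from the
// allowlist; it is never used as a hostname or URL itself.
function pickOrigin(cookieHeader) {
  const variant = parseCookies(cookieHeader).get('variant');
  const known = Object.prototype.hasOwnProperty.call(ORIGINS, variant);
  return ORIGINS[known ? variant : DEFAULT_VARIANT];
}

// Swap scheme, host and port for the chosen origin; path and query are kept.
// Setting the fields one by one avoids re-parsing a path such as "//host/x".
function rewriteUrl(requestUrl, cookieHeader) {
  const target = new URL(requestUrl);
  const origin = new URL(pickOrigin(cookieHeader));
  target.protocol = origin.protocol;
  target.hostname = origin.hostname;
  target.port = origin.port;
  return target.toString();
}

// Return what fetch() gives back without reading the body: the Response is
// available once headers arrive and the body streams through unbuffered.
function handleRequest(request, fetchImpl) {
  const url = rewriteUrl(request.url, request.headers.get('cookie'));
  return fetchImpl(url, request);
}

// Registration inside a Service Worker style runtime; skipped elsewhere.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => {
    event.respondWith(handleRequest(event.request, fetch));
  });
}
```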

------
KayL
Can the playground show the resource limits info?

~~~
zackbloom
It's something we would love to expose in the future. That said, we have yet
to see someone run into those limits (on purpose). The average worker runs
with less than a ms CPU time.

------
burner5692
Before using a Cloudflare product, please consider if you want to contribute
to the Internet's largest man-in-the-middle attack. They have a poor track
record when it comes to security[0], privacy[1], and censorship[2]. We're at
the point where it's our responsibility to protect the Internet and keep these
companies in check. Cloudflare is among the worst existential threats to the
Internet.

[0]: [https://gizmodo.com/everything-you-need-to-know-about-cloudb...](https://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616)

[1]: [https://blog.torproject.org/trouble-cloudflare](https://blog.torproject.org/trouble-cloudflare)

[2]: [https://www.nytimes.com/2017/09/13/opinion/cloudflare-daily-...](https://www.nytimes.com/2017/09/13/opinion/cloudflare-daily-stormer-charlottesville.html)

~~~
kentonv
[0]: Cloudflare provides SSL certificates to millions of web sites (even ones
that don't pay us), was one of the first to deploy TLS 1.3 and quantum-
resistant crypto, provides DDoS mitigation to all customers (again including
free customers), etc. But yeah, we had a bug once. :/

[1]: Cloudflare now implements Privacy Pass which means Tor users mostly don't
see captchas anymore.

[2]: Please read: [https://blog.cloudflare.com/why-we-terminated-daily-stormer/](https://blog.cloudflare.com/why-we-terminated-daily-stormer/)

~~~
phyzome
I agree with what you said, and I like you (so I don't want to hammer on this
on a day you should be celebrating a cool thing you made), but...

You missed what I think is the most important thing: Cloudflare currently
entails _correlated risk_, for lack of a better term. A government intrusion
into CF represents access to thousands and thousands of sites' decrypted
streams. This is a huge target for the US, Russian, and other spy agencies, to
the extent that I cannot believe you're not _already_ compromised.

All those small customers who are using you for free TLS should be using Let's
Encrypt so they can get end-to-end encryption, necessitating individual,
active attacks (I suppose on DNS) rather than sweeping, passive attacks.

I think there are some cool and good things that Cloudflare does, but it's
irresponsible to minimize the threat it presents to privacy in today's
internet.

[Edit: Also, if you don't want to respond to this thread, I will totally
understand, and think that's reasonable. I don't want to shit on your cake!]

~~~
zackbloom
Isn't the entire idea of the cloud a massive correlated risk? If AWS is
hacked, it would be very bad. That said, experience has seemed to show that
people who build infrastructure tend to make less mistakes in that way than
the millions of people who are building businesses and personal sites would. I
agree that in a perfect world security would be easy to get right and
federated, but it seems like if you have to pick one 'right' is the best
choice for now.

Do you use any cloud providers?

~~~
phyzome
Yes, TLS termination is something that people get wrong, but there are other
ways of decreasing that risk than to hand off the task entirely to someone
else.

And yes, if AWS were compromised, that would suck. But right now a lot of
CloudFlare sites are backed by AWS. So now their traffic is at risk in _two_
places, not just one.

I don't tend to use cloud providers, no. I self-host some stuff out of my
house, with reliance on DNS and CAs being the major points of "correlated
risk". I use S3 for serving some public files.

