What You'll Learn
- Why Cloudflare moved from Nginx (FL1) to Pingora (FL2) and what changed
- Real performance numbers: CPU, memory, latency improvements in 2026
- How to configure async stale-while-revalidate correctly on your site
- New Cloudflare Pingora features released in April–May 2026
What Is Cloudflare Pingora?
Cloudflare Pingora is a Rust-based proxy framework built entirely in-house by Cloudflare to replace Nginx as their core request-handling infrastructure. The name comes from Pingora Peak in the Wind River Range — a challenging climb, much like the engineering problem Cloudflare set out to solve.
Cloudflare open-sourced Pingora so developers can build their own programmable network services on the same framework. The GitHub repository sits at cloudflare/pingora with support for HTTP 1/2, TLS via OpenSSL, BoringSSL, or rustls, plus gRPC and WebSocket proxying.
As of May 4, 2026, Cloudflare's changelog confirms: "Cloudflare's cache now runs on a new proxy built on Pingora — the Rust-based framework that already serves a significant portion of Cloudflare's network traffic. The new proxy is faster, more memory-safe, and designed to evolve our cache architecture."
Why Cloudflare Replaced Nginx with Pingora (FL1 → FL2)
Cloudflare's old stack — internally called FL1 — was built on Nginx (written in C), combined with LuaJIT scripting and C interface layers, plus separate Rust modules bolted on. This multi-language hybrid created a fundamental problem: data had to be constantly converted between representations needed by each language. That conversion burned CPU cycles and memory on every single request.
The new stack — FL2 — is a single unified Rust codebase. No language boundaries, no conversion overhead. Cloudflare's internal measurements show FL2 uses less than half the CPU of FL1 and much less than half the memory. That's not a marginal gain — it's a fundamental architectural improvement that frees up enormous compute capacity for new features.
The deeper reason for the switch is Nginx's process-per-worker model. In Nginx, each worker process is an isolated island. If a heavy request lands on Worker A, it stays there — even if Worker B is completely idle. This "worker pinning" causes uneven latency and wasted resources at Cloudflare's scale. Cloudflare Workers AI and other services needed a smarter foundation.
Pingora vs Nginx: Real Performance Differences
The architectural difference between Pingora and Nginx goes deeper than just language choice. Here's what makes Pingora fundamentally different:
| Feature | Nginx (FL1) | Pingora (FL2) |
|---|---|---|
| Architecture | Process-per-worker (isolated) | 1-thread-per-core event loop |
| Language | C + LuaJIT + Rust modules | Pure Rust (single codebase) |
| CPU Usage | Baseline (FL1) | Less than half of FL1 |
| Memory Copy | Buffer copies between layers | Zero Copy (direct memory pointers) |
| Counting Speed | Standard hash tables | Count-min sketch: 5x faster |
| Memory Safety | Manual (C) — vulnerability risk | Rust compile-time guarantees |
| Worker Sharing | No (worker pinning) | Yes (shared thread pool) |
One key innovation in Pingora is the use of count-min sketch for counting operations instead of regular hash tables. This data structure makes counting 5 times faster — which directly benefits rate limiting, cache hit counting, and traffic analytics at Cloudflare's scale.
Pingora also implements Zero Copy by directly manipulating memory pointers, avoiding the unnecessary buffer copies that Nginx (through its Go-like abstraction layers in LuaJIT) was generating on every request. This is especially important for high-throughput scenarios. For developers using Cloudflare as their CDN, this translates to lower latency and better cache performance automatically.
Cloudflare Pingora 2026: New Features and Updates
The first half of 2026 has brought a rapid stream of Pingora-related updates. Here's what's new:
✓ May 4, 2026 — Full Cache Migration
Cloudflare's entire cache layer now runs on Pingora. This is the biggest milestone — every cached response from Cloudflare's network now goes through the Rust-based proxy. Immediate performance improvements kicked in automatically for all customers.
✓ April 27, 2026 — Cache Response Rules + Zone Versioning
Cache Response Rules now work with Version Management. You can version response-phase cache settings and promote them through environments — just like Cache Rules and other supported configurations. This is a major workflow improvement for teams managing multiple environments.
✓ April 17, 2026 — FL2 Network Performance Update
By migrating the request handling layer to the Rust-based FL2 architecture, Cloudflare increased its performance lead to cover 60% of the world's top networks. Cloudflare uses real-user measurements and connection trimeans to ensure data reflects actual end-user experience.
✓ March 2026 — Security Fix: Request Smuggling
In December 2025, Cloudflare received reports of HTTP/1.x request smuggling vulnerabilities in the Pingora open source framework. These were patched and disclosed publicly in March 2026. If you're running Pingora OSS on your own infrastructure, ensure you're on the latest version.
How to Configure Stale-While-Revalidate with Cloudflare Pingora
The biggest practical benefit of Pingora for most site owners is fully asynchronous stale-while-revalidate (SWR). Here's what that means and how to use it.
In the old model, when a cached object expired, the first user to request it would have to wait while the origin fetched a fresh copy. With async SWR on Pingora, every user gets the stale content immediately while revalidation happens silently in the background. Zero wait, zero perceived latency.
› Step 1: Set Cache-Control on your origin server
Cache-Control: public, max-age=3600, stale-while-revalidate=86400
› What these values mean:
- max-age=3600 — Cache is considered fresh for 1 hour. During this time, Cloudflare serves directly from cache, no origin hit.
- stale-while-revalidate=86400 — After max-age expires, Cloudflare will serve the stale cached version for up to 24 hours while asynchronously fetching a fresh copy from origin in the background.
› Step 2: Verify in Cloudflare Dashboard
Go to Caching › Cache Rules in your Cloudflare dashboard. Make sure no Cache Rule is overriding your origin Cache-Control header. If you want to force SWR without changing your origin, you can set it via a Cache Rule using Edge Cache TTL + Stale settings. Cloudflare redirects and bot management rules also interact with cache — check for conflicts.
› Step 3: Test with cf-cache-status header
curl -I https://yoursite.com/page # Look for: cf-cache-status: REVALIDATING or HIT
Recommended max-age ranges: For news/blog = 300-1800 seconds (5-30 minutes). For product pages = 3600 seconds (1 hour). For static assets = 86400+ seconds. Set stale-while-revalidate to at least 5-10x your max-age for smooth background revalidation.
Pingora and Cloudflare Workers: How They Work Together
Cloudflare Workers — the serverless edge compute layer — sits on top of Pingora. When you deploy a Worker, it runs within the same Rust-based infrastructure. This means Workers can read and modify the Cache-Control headers that Pingora uses for SWR decisions.
Workers can also interact with the cache API to explicitly store, read, or invalidate cached entries. Combined with Pingora's async SWR, this creates a powerful edge caching architecture where stale content is always served instantly and refreshed in background — entirely transparent to the end user.
If you're comparing deployment platforms, see our full breakdown of Cloudflare Pages vs Vercel 2026 — both use Cloudflare's edge network but differ significantly in build pipelines and cache control options.
Is Pingora a Complete Nginx Replacement?
This is the most nuanced question in the Pingora discussion. For Cloudflare's own internal infrastructure, yes — Pingora has fully replaced Nginx. But for developers building their own reverse proxies, the answer is more complex.
Nginx's ecosystem is massive — thousands of modules, decades of documentation, and a deployment base spanning millions of servers. Pingora, while technically superior in several ways, is designed for programmable network services, not drop-in Nginx replacement. Cloudflare operates at a scale that's fundamentally different from most Nginx use cases.
• Stick with Nginx if: You need a simple web server, extensive module ecosystem, or are running shared hosting environments.
Middle grounds like Apache APISIX exist for teams that want modern features without a full Rust rewrite. The Pingora GitHub repo also has an open issue to switch to a better Rust async runtime, which could further improve performance in future releases. You can compare storage costs alongside compute in our Cloudflare R2 Storage pricing guide 2026.
Conclusion: What Pingora Means for Your Site in 2026
If your site runs behind Cloudflare, the Pingora migration is already working for you — no configuration required. Every cached response now goes through a faster, more memory-safe Rust proxy with less CPU overhead. The May 2026 full cache migration was a silent upgrade that benefits every Cloudflare customer automatically.
The one thing you can do to take advantage of Pingora's capabilities is to properly configure stale-while-revalidate headers on your origin. This single header gives your visitors zero-latency cache responses even on stale content, while Pingora handles fresh copies in the background. For high-traffic sites or news publishers, this can dramatically reduce time-to-first-byte and eliminate cache-miss latency spikes.
Pingora's progression — from internal Cloudflare tool to open-source framework to powering the world's largest CDN cache — represents one of the most significant infrastructure shifts in web technology this decade. The White House officially recommends Rust for memory safety. Cloudflare is proving why at planetary scale.
Last Updated: May 17, 2026 | Source: Cloudflare Blog & Cloudflare Developers Docs (Official)