Zeroserve challenges nginx and Caddy with eBPF-driven zero-config web serving
Developers can script request handling and routing without kernel privileges, and benchmarks show Zeroserve outperforming established servers on small-file and small-response proxy workloads.
Zeroserve has emerged as a new open-source alternative to established web servers like nginx and Caddy, utilising extended Berkeley Packet Filter (eBPF) programs as its sole configuration method. The server is designed to serve websites directly from a single tarball without unpacking files to disk, allowing users to script request handling, authentication, and routing in userspace. This approach collapses the traditional split between declarative configuration and scripting runtimes into a single, sandboxed program that processes every request.
The architecture is a single-threaded event loop that scales by running one process per CPU core. All network and disk I/O goes through io_uring via the monoio runtime. Unlike conventional eBPF deployments, which load programs into the kernel and therefore need kernel-level access, Zeroserve runs its eBPF programs in userspace on the async-ebpf runtime. That runtime JIT-compiles the bytecode to native x86-64 code with uBPF, so the server never touches the kernel BPF subsystem and needs no CAP_BPF capability.
To sandbox scripts without the kernel's help, Zeroserve uses a pointer cage: every memory access a script makes is confined to the script's own arena, which takes over the sandboxing role the kernel verifier plays for in-kernel eBPF. The practical consequence is that the trust boundary moves from the kernel verifier to the userspace runtime; the cage and the JIT, not a kernel-enforced check, are what keep a misbehaving script inside its arena. Scripts are fully preemptible on a timer, which defaults to a two-millisecond interval and can be tuned to ten milliseconds, so a single slow script cannot stall the event loop and the server keeps serving other connections even when one request hits a performance bottleneck.
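The two mechanisms above, a pointer cage that bounds-checks every script memory access against its arena and preemption that yields control back to the event loop, are easiest to see in a small interpreter. The following Rust is an added illustration written for this article, not Zeroserve's or async-ebpf's code; the opcode set, the byte-wide memory, an instruction budget standing in for the timer, and the names `Vm`, `Op`, `Outcome`, `sum_program` and `demo` are all assumptions made for the example.

```rust
// Added example, not Zeroserve's or async-ebpf's code: a toy register VM
// showing two mechanisms the text describes. (1) Pointer cage: every load
// and store is bounds-checked against the script's own arena at run time,
// the job the kernel verifier does statically for in-kernel eBPF.
// (2) Preemption: a script gets a budget of instructions, then yields so one
// slow script cannot stall the event loop; run() resumes where it left off.
// Assumptions: the opcode set, byte-wide memory, a step budget in place of a
// timer, and register indices that a loader has already range-checked.

#[derive(Clone, Copy, Debug)]
pub enum Op {
    LoadInd { dst: usize, base: usize, off: i64 },  // r[dst] = arena[r[base]+off]
    StoreInd { base: usize, off: i64, src: usize }, // arena[r[base]+off] = r[src]
    Add { dst: usize, src: usize },                 // r[dst] += r[src]
    AddImm { dst: usize, imm: u64 },                // r[dst] += imm
    JneImm { reg: usize, imm: u64, target: usize }, // if r[reg] != imm, pc = target
    Exit,                                           // return r[0]
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Exited(u64),   // script finished; value of r0
    Preempted,     // budget spent; call run() again to resume
    Fault(String), // cage violation or malformed program
}

pub struct Vm {
    pub regs: [u64; 11], // r0..r10, as in eBPF
    pub pc: usize,
    pub arena: Vec<u8>,  // the only memory a script may touch
}

impl Vm {
    pub fn new(arena_len: usize) -> Self {
        Vm { regs: [0; 11], pc: 0, arena: vec![0; arena_len] }
    }

    /// The cage: map a script address to an arena index, or refuse it.
    /// A negative offset wraps to a huge address and is refused the same way.
    fn cage(&self, base: u64, off: i64) -> Result<usize, String> {
        let addr = base.wrapping_add(off as u64);
        match usize::try_from(addr) {
            Ok(i) if i < self.arena.len() => Ok(i),
            _ => Err(format!("access at {addr:#x} outside {}-byte arena", self.arena.len())),
        }
    }

    /// Run at most `budget` instructions; pc and registers persist across calls.
    pub fn run(&mut self, prog: &[Op], budget: usize) -> Outcome {
        for _ in 0..budget {
            let op = match prog.get(self.pc) {
                Some(op) => *op,
                None => return Outcome::Fault(format!("pc {} past end of program", self.pc)),
            };
            self.pc += 1;
            match op {
                Op::LoadInd { dst, base, off } => match self.cage(self.regs[base], off) {
                    Ok(i) => self.regs[dst] = self.arena[i] as u64,
                    Err(e) => return Outcome::Fault(e),
                },
                Op::StoreInd { base, off, src } => match self.cage(self.regs[base], off) {
                    Ok(i) => self.arena[i] = self.regs[src] as u8,
                    Err(e) => return Outcome::Fault(e),
                },
                Op::Add { dst, src } => self.regs[dst] = self.regs[dst].wrapping_add(self.regs[src]),
                Op::AddImm { dst, imm } => self.regs[dst] = self.regs[dst].wrapping_add(imm),
                Op::JneImm { reg, imm, target } => if self.regs[reg] != imm { self.pc = target },
                Op::Exit => return Outcome::Exited(self.regs[0]),
            }
        }
        Outcome::Preempted
    }
}

/// Sum arena[0..4] into r0: four instructions per iteration plus Exit, 17 steps.
pub fn sum_program() -> Vec<Op> {
    vec![
        Op::LoadInd { dst: 3, base: 1, off: 0 },
        Op::Add { dst: 0, src: 3 },
        Op::AddImm { dst: 1, imm: 1 },
        Op::JneImm { reg: 1, imm: 4, target: 0 },
        Op::Exit,
    ]
}

/// Constructed demo: a well-behaved script is preempted at 10 of 17 steps and
/// resumed to completion; a script reading one byte past its arena is refused.
pub fn demo() -> (Outcome, Outcome, bool) {
    let mut vm = Vm::new(8);
    vm.arena[..4].copy_from_slice(&[1, 2, 3, 4]); // constructed input
    let prog = sum_program();
    let first = vm.run(&prog, 10);
    let second = vm.run(&prog, 10);

    let mut escapee = Vm::new(8);
    escapee.regs[1] = 8; // one past the end of an 8-byte arena
    let bad = [Op::LoadInd { dst: 0, base: 1, off: 0 }, Op::Exit];
    let caught = matches!(escapee.run(&bad, 10), Outcome::Fault(_));
    (first, second, caught)
}

fn main() {
    println!("{:?}", demo()); // (Preempted, Exited(10), true)
}
```

The point the example makes is that the out-of-arena read becomes a `Fault` returned to the caller rather than a segfault in the server process, and that a script interrupted mid-loop picks up from its saved `pc` and registers. The cost is one bounds check per access that a kernel verifier would have proved away ahead of time, which is why a JIT that emits those checks as native code matters for the small-file numbers later in the article.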
The server terminates TLS 1.3 with BoringSSL, including native Encrypted Client Hello (ECH) support and JA4 client fingerprinting. In benchmarks on an eight-core Ryzen 7 3700X, Zeroserve served small static files approximately 17 per cent faster than nginx on a single core. When proxying small responses it was approximately 22 per cent faster than nginx and 3.4 times faster than Caddy, the pattern that matters for API calls and small JSON payloads.
The picture changes with larger payloads: for proxied bodies of 100 KB, nginx pulled ahead on the strength of its buffering. Idle memory for a single Zeroserve instance is approximately 15 MB proportional set size (PSS), above nginx's 6 MB but well below Caddy's 60 MB. The project is open source on GitHub and is a distinct option for developers who prioritise small-file performance and a single, scriptable configuration surface.