zeroserve v0.2.11: Caddy Compatibility and eBPF-Powered Performance
zeroserve v0.2.11 introduces a Caddy-compat mode that allows users to provide a Caddyfile, which the server then JIT-compiles into eBPF and subsequently into native x86_64 or ARM64 machine code. This architecture, combined with an io_uring event loop, significantly reduces overhead compared to traditional web servers.
Performance Benchmarks
zeroserve demonstrates substantial performance gains over Caddy and competitive results against Nginx in HTTPS reverse proxy scenarios. In tests conducted on an AMD Ryzen 7 3700X with two threads, zeroserve (using the clang backend) achieved 38,948 requests per second (req/s), compared to Caddy's 12,529 req/s.
| Protocol | Server | Throughput | p50 Latency | p99 Latency | Peak RSS |
|---|---|---|---|---|---|
| HTTPS | zeroserve-clang | 38,948 req/s | 1.45ms | 3.91ms | 30.9 MiB |
| HTTPS | zeroserve-tcc | 36,653 req/s | 1.67ms | 4.00ms | 34.2 MiB |
| HTTPS | Caddy | 12,529 req/s | 4.74ms | 13.11ms | 67.4 MiB |
| HTTPS | Nginx | 37,424 req/s | 1.57ms | 4.24ms | 25.7 MiB |
Key takeaways from the data include a roughly 3x increase in throughput and a 70% reduction in p99 latency when compared to Caddy.
eBPF Integration and Custom Middleware
zeroserve runs Turing-complete eBPF in userspace, enabling the execution of custom code directly from a Caddyfile. This allows for the implementation of complex logic that would typically require a separate plugin or a custom build of the server.
For example, users can integrate AWS SigV4 authentication for S3-compatible buckets by calling an eBPF middleware plugin. In a Caddyfile, this is implemented via the zeroserve_call directive:
```caddyfile
example.com {
    route /s3/* {
        uri strip_prefix /s3
        rewrite * /my-bucket{uri}
        zeroserve_call io.su3.aws-sigv4 sign_request {
            access_key_id "minioadmin"
            secret_access_key "minioadmin"
        }
        reverse_proxy http://127.0.0.1:9000
    }
}
```
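As an added illustration (not zeroserve's or the plugin's code), the work a SigV4 signing middleware does for each request on its way to the reverse_proxy upstream, written in Python: it builds the canonical request, derives the signing key from the secret, and attaches the Authorization header. Credentials default to the values in the Caddyfile above; the region and service name are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Hypothetical middleware logic (not zeroserve's code): sign an incoming request
# for an S3-compatible backend so the upstream secret never reaches the client.

def canonical_request(method, path, query, headers, payload_hash):
    """Build the SigV4 canonical request; header names must already be lowercase."""
    canonical_uri = quote(path, safe="/~")
    canonical_query = "&".join(
        f"{quote(k, safe='~')}={quote(v, safe='~')}" for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    return "\n".join([method, canonical_uri, canonical_query,
                      canonical_headers, signed_headers, payload_hash]), signed_headers

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_request(method, host, path, body=b"", query=None, extra_headers=None,
                 amz_date=None, access_key="minioadmin", secret_key="minioadmin",
                 region="us-east-1", service="s3"):
    """Return the headers the proxy adds before forwarding to the upstream.

    Credentials default to the Caddyfile values above; region/service are assumed.
    """
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    headers.update({k.lower(): v for k, v in (extra_headers or {}).items()})
    creq, signed_headers = canonical_request(method, path, query or {}, headers, payload_hash)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    # Derive the signing key by an HMAC chain rooted in the secret; only the
    # resulting signature is sent, so the secret stays inside the proxy.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers
```

Because the secret lives in the Caddyfile rather than on the client, the file's read permissions are the boundary that protects it, and the signed x-amz-date must stay within the upstream's clock-skew window.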
Community Feedback and Technical Critiques
While the performance metrics are impressive, the community has raised several concerns regarding the practical utility and security of the zeroserve approach.
Security and Attack Surface
Critics have pointed out that the use of JIT compilation and io_uring may increase the attack surface of the server.
"The idea of jit compilation of a web server in a small project is pretty terrifying to me. The attack surface here is enormous."
Additionally, some users expressed caution regarding the recent security advisories associated with io_uring:
"Exposing services that use io_uring is a hard pass."
Feature Parity and Practicality
Some developers argue that the performance gains are negligible for most use cases, as Caddy's existing performance is sufficient for the majority of applications. Others noted the lack of critical features like ACME (Automatic Certificate Management Environment) for automatic SSL/TLS certificates, which is a primary reason many users choose Caddy.
"'Caddy compatible' minus everything that matters, like ACME and plugins."
Technical Questions on eBPF
There is ongoing discussion regarding the nature of eBPF in userspace. Some users questioned the purpose of running eBPF in userspace rather than the kernel, while others debated whether eBPF is truly Turing-complete given the complexity limits imposed by the verifier.