Caddy compatibility for zeroserve: 3x throughput and 70% lower latency

Anyone else got a really weird Chorme pop-up asking which cert to use for su3.io:443?

Very bizarre, never seen that before.

Thumbprints:

  - 60949a09aab8677f87a0b9eda7099a03ca510fb3
  - 1b146798f0dc93773247e86312f1b730c4eeebb3

"Caddy compatible" minus everything that matters, like ACME and plugins. And NGINX still steals the show. Not everything needs to be rewritten.

I am surprised how well nginx holds up?!

I still think of eBPF as not being Turing-complete. There is still a complexity limit in the verifier. Even if someone did implement Game of Life by having the program set a timer to run itself. https://isovalent.com/blog/post/ebpf-yes-its-turing-complete...

From a technical standpoint, these are always impressive projects, but I've always wondered: has anyone ever encountered a use case where the Caddy was the bottleneck?

Another vibe coded, dead in 6 month Rust project.

People that trully need performance are not going to use a random server that has 0 support/ track record.

Interesting. Trying to get some of the performance advantages of TUX/IIS without as much insecurity makes sense for some big players, I guess.

The usual 3400 lines lock file and AGENTS.md raise some questions about the aforementioned security, though.

Fudge, I really need to carve out time today to play with zeroserve. Very cool stuff

Interesting. Trying to get some of the performance advantages of TUX/IIS without as much insecurity makes sense for some big players, I guess.

The usual 3400 lines lock file and AGENTS.md raise some questions about the aforementioned security, though.

Anyone else got a really weird Chorme pop-up asking which cert to use for su3.io:443?

Very bizarre, never seen that before.

Thumbprints:

  - 60949a09aab8677f87a0b9eda7099a03ca510fb3
  - 1b146798f0dc93773247e86312f1b730c4eeebb3

> Very bizarre, never seen that before.

For my own stuff that's not meant for a wider audience, I sometimes use mTLS in front of my apps, alongside self-signed certs (my own CA) that shouldn't show up in certificate transparency logs.

This site also seems to be requesting a certificate from the user. Normally you probably don't want that for public facing resources.

Here it attempts to read my personal certificate that sits in the browser that I use for filling my taxes and do government stuff, suspicious indeed.

Yes, I agree it would be very nice to have a way to integrate ACME into zeroserve. I'm not sure if zeroserve's plugin system might allow one to add a plugin to support it?

"Caddy compatible" minus everything that matters, like ACME and plugins. And NGINX still steals the show. Not everything needs to be rewritten.

Same thoughts. If I need more performant caddy alternative I'm going to use nginx at least it has some extras.

I am surprised how well nginx holds up?!

Why? It's one of the most optimized HTTP servers ever. Anything that claims beating nginx in benchmarks should be treated with high suspicion. I think these zeroserve numbers are likely accurate but it doesn't have the features and module ecosystem of nginx so the margins aren't worth it for me.

zeroserve doesn't use the Linux kernel's eBPF runtime to run the eBPF it uses, so the constraints of the Linux kernel's eBPF runtime (chosen because of how the Linux kernel thinks about protecting the Linux kernel from user space) don't apply to zeroserve (or other tools that use the eBPF instruction set but don't use the Linux kernel's particular implementation)

From a technical standpoint, these are always impressive projects, but I've always wondered: has anyone ever encountered a use case where the Caddy was the bottleneck?

Fudge, I really need to carve out time today to play with zeroserve. Very cool stuff

> Very bizarre, never seen that before.

For my own stuff that's not meant for a wider audience, I sometimes use mTLS in front of my apps, alongside self-signed certs (my own CA) that shouldn't show up in certificate transparency logs.

This site also seems to be requesting a certificate from the user. Normally you probably don't want that for public facing resources.

Here it attempts to read my personal certificate that sits in the browser that I use for filling my taxes and do government stuff, suspicious indeed.

Yes, I agree it would be very nice to have a way to integrate ACME into zeroserve. I'm not sure if zeroserve's plugin system might allow one to add a plugin to support it?

Same thoughts. If I need more performant caddy alternative I'm going to use nginx at least it has some extras.

Because it passes more boundaries and stuff. But hey, I didn’t code a Webserver so far - so what do I know. :D

AFAIK eBPF can be hardware offloaded. If you have the use case.

Because it passes more boundaries and stuff. But hey, I didn’t code a Webserver so far - so what do I know. :D

AFAIK eBPF can be hardware offloaded. If you have the use case.

Another vibe coded, dead in 6 month Rust project.

People that trully need performance are not going to use a random server that has 0 support/ track record.

Isn't there a chicken and egg problem where projects need to start with 0 track record? Nginx had zero track record at one point as well

Never mind cooldowns for dependencies, we need cooldowns for these adhd vibe projects.

Isn't there a chicken and egg problem where projects need to start with 0 track record? Nginx had zero track record at one point as well

zeroserve is a high-performance HTTPS server that runs eBPF scripts in userspace (intro). Now it's got a Caddy-compat mode - when provided a Caddyfile, zeroserve JIT-compiles it to eBPF and then to native x86_64/ARM64 machine code, and runs it in an io_uringevent loop.

protocol	server	throughput	p50	p99	peak RSS
https	zeroserve-clang	38,948 req/s	1.45ms	3.91ms	30.9 MiB
https	zeroserve-tcc	36,653 req/s	1.67ms	4.00ms	34.2 MiB
https	caddy	12,529 req/s	4.74ms	13.11ms	67.4 MiB
https	nginx	37,424 req/s	1.57ms	4.24ms	25.7 MiB

HTTPS reverse proxy, 2 threads, AMD Ryzen 7 3700X. Check CI for original run result.

Try it with your Caddyfile:

curl -fL -o zeroserve https://github.com/losfair/zeroserve/releases/download/v0.2.11/zeroserve-$(uname -m)-linux
chmod +x zeroserve
./zeroserve --caddy /etc/caddy/Caddyfile
curl http://127.0.0.1:8080

zeroserve runs turing-complete eBPF and you can call custom code from your Caddyfile. For example, to reverse-proxy a path to an S3-compatible bucket with AWS SigV4 auth, grab io.su3.aws-sigv4.c and then:

# zeroserve --plugin io.su3.aws-sigv4.c --caddy Caddyfile

example.com {
  route /s3/* {
    uri strip_prefix /s3
    rewrite * /my-bucket{uri}
  
    # Call the `sign_request` method in the eBPF middleware `io.su3.aws-sigv4.o`
    zeroserve_call io.su3.aws-sigv4 sign_request {
      access_key_id "minioadmin"
      secret_access_key "minioadmin"
    }
  
    reverse_proxy http://127.0.0.1:9000
  }
}

RSS

Hacker Times

Hacker Times

Caddy compatibility for zeroserve: 3x throughput and 70% lower latency

Discussion

Discussion