zeroserve: Scriptable eBPF Web Serving

Most web edge stacks split behavior across config files, rewrite rules, plugins, sidecars, and app code. zeroserve takes a different route: package the site as one tarball, serve it directly, and use userspace eBPF programs as request middleware.

What Is zeroserve?

zeroserve is a zero-config HTTPS server built around io_uring, TLS, and tarball-based static delivery. You give it a packed site, and it indexes file offsets inside the tarball instead of unpacking a document root.

The unusual part is scripting. C files under .zeroserve/scripts/ are compiled to eBPF objects at pack time and run in userspace on each request. The scripts can inspect requests, mutate headers, respond directly, rate limit, reverse proxy, or enrich static HTML through metadata.

Key Features

• Single-file deployments with hot reload through SIGHUP.
• Built-in HTTP serving, TLS support, SNI certificate selection, and PROXY protocol support.
• Userspace eBPF middleware that does not need kernel BPF privileges.
• Request helpers for headers, paths, JSON, HMAC, SHA-256, random data, rate limits, AWS SigV4, and OIDC flows.
• Reverse proxy support for small dynamic backends when a static site needs an API edge.

Installation

The project is written in Rust, so the simplest evaluation path is a source build:

git clone https://github.com/losfair/zeroserve.git
cd zeroserve
cargo build --release

For scripting tests and eBPF middleware, make sure clang and llc are available on the host.

Basic Usage

Package a site directory, then serve the resulting tarball:

zeroserve --pack ./public > site.tar
zeroserve --addr 0.0.0.0:8080 site.tar

For HTTPS, pass a certificate and key:

zeroserve \
  --addr 0.0.0.0:8080 \
  --tls-addr 0.0.0.0:8443 \
  --cert certificate.pem \
  --key key.pem \
  site.tar

Deploying an update is operationally simple: replace site.tar, then reload the process.

killall -SIGHUP zeroserve

Operational Tips

Treat zeroserve as an edge experiment before you treat it as a default replacement for nginx or Caddy. Its tarball deployment model is attractive for immutable static sites, internal dashboards, documentation portals, preview environments, and small protected tools.

Pay attention to the middleware boundary. Userspace eBPF avoids kernel privileges, but it is still request-path code. Keep scripts small, version them with the site, test auth under load, and export enough logs or metrics to explain blocked traffic during incidents.

Also benchmark your real response mix. The project reports strong numbers for small static files, middleware, and small proxy responses, while large proxied bodies are a case where nginx can still be the better fit.

Conclusion

zeroserve is worth watching because it compresses several SRE concerns into one deployment artifact: static content, TLS, gateway rules, and programmable request handling. That makes it a useful idea source for internal platforms.

Want to operate AI agents with the same discipline you apply to production services? Akmatori helps SRE teams run autonomous agents with clear workflows, controlled execution, and infrastructure-aware automation. Akmatori is built by Gcore, the global edge AI, cloud, network, and security provider.