Beyond the Benchmark: How Zeroserve’s eBPF Layer Changes Caddy’s Performance Ceiling

June 14, 2026 · 14 min read · By Rafael

For years, the web server market has been shaped by a familiar hierarchy. nginx and Apache have dominated production deployments, while Caddy has carved out growing share by offering automatic HTTPS, sane defaults, and a plugin ecosystem that actually works. The performance conversation has been largely settled: tune your worker processes, enable keepalive, add a caching layer, and accept that you are running in userspace with all the context-switch overhead that implies.

That settlement just got overturned. Zeroserve, an eBPF-scripting web server that runs alongside Caddy as a compatibility layer, claims to deliver a 3x throughput improvement and 70% lower latency compared to Caddy running alone. Those numbers are not incremental. They represent a structural shift in what is possible when web request processing moves from userspace into the kernel via eBPF (extended Berkeley Packet Filter).

The claim is straightforward: by offloading specific request-processing hot paths to eBPF programs that run inside the Linux kernel, Zeroserve eliminates context switches, memory copies, and syscall overhead that limit traditional web servers. Caddy handles what it does best (TLS termination, plugin execution, static file serving) while Zeroserve handles kernel-level packet processing that accounts for the bulk of latency in high-throughput deployments.

Zeroserve’s eBPF approach moves request processing into the kernel, bypassing context-switch overhead that limits traditional web servers.

This matters because Caddy has become the default web server for a growing number of production deployments. Its automatic HTTPS, HTTP/3 support, and clean configuration language have made it the go-to choice for teams that want security without complexity. But Caddy, like every userspace web server, hits a performance ceiling determined by how fast the operating system can shuttle packets between the network interface card (NIC), kernel memory, and the application process. Zeroserve changes that equation by intercepting packets before they ever reach Caddy’s process space.

As we explored in our analysis of DevOps trends, the shift toward security-first, performance-optimized tooling is reshaping infrastructure decisions across the industry. Zeroserve fits squarely into that pattern: it trades operational simplicity for raw performance, and the trade-off is compelling enough that teams running at scale will need to evaluate it.

What Is Zeroserve and Why eBPF Matters

Zeroserve is a high-performance, eBPF-scripting web server designed to be compatible with existing web servers including Caddy. Rather than replacing Caddy, Zeroserve sits alongside it as a kernel-level acceleration layer. It uses eBPF programs attached to XDP (eXpress Data Path) and tc (traffic control) hooks in the Linux kernel to process HTTP requests at the earliest possible point in the network stack.

eBPF allows sandboxed programs to run inside the Linux kernel without modifying kernel source code or loading kernel modules. The technology has already transformed networking (Cilium for Kubernetes CNI), observability (Pixie, Parca), and security (Falco). For web serving, this means a request can be parsed, routed, and in some cases fully responded to without ever entering userspace. The savings are dramatic:

  • Zero context switches for hot-path requests. Traditional web servers switch between kernel space and userspace for every packet. Zeroserve handles the hot path entirely in kernel space.
  • Zero data copies between kernel and user memory. eBPF programs operate directly on packet data in kernel memory.
  • Zero syscall overhead for the request path. No read(), write(), poll(), or epoll_wait() calls for requests that Zeroserve can handle in the eBPF layer.

The result is a web serving architecture that approaches the theoretical maximum throughput of the underlying hardware. Where Caddy alone might saturate a 10 Gbps link at a given throughput on a specific workload, Zeroserve-assisted Caddy can push roughly three times that throughput on the same hardware. This is a fundamentally different approach to packet processing.

The eBPF ecosystem has matured rapidly since 2020. The Linux kernel now supports eBPF programs at multiple hook points in the networking stack: XDP for earliest-possible packet interception (before the kernel even allocates a socket buffer), tc for traffic control and shaping, and socket filters for per-connection processing. Zeroserve uses these hooks to process HTTP requests at the lowest possible level, eliminating layers of kernel infrastructure that traditional web servers must traverse.

Caddy Compatibility: How It Works

The critical design decision in Zeroserve is that it does not replace Caddy. It extends it. Caddy continues to handle TLS termination, HTTP/2 and HTTP/3 negotiation, plugin execution (including the widely-used reverse proxy, file server, and authentication plugins), and static file serving. Zeroserve handles kernel-level packet processing that accounts for the majority of latency in high-throughput scenarios.

The integration works through a Caddy plugin or module that registers Zeroserve as a request handler. When Caddy receives a connection, it passes raw packet data to Zeroserve’s eBPF programs, which process the request in kernel space and return the result to Caddy for userspace handling if needed. For requests that Zeroserve can fully handle in the eBPF layer (static files, redirects, simple API responses), the response never enters userspace at all.

This architecture means existing Caddy configurations, Caddyfiles, and plugin setups continue to work unchanged. Teams do not need to rewrite their infrastructure or learn a new configuration language. The Zeroserve layer is transparent to the application behind Caddy. This is a critical differentiator from alternative high-performance web servers that require teams to abandon their existing configuration and plugin investments.

For teams that have already invested in Caddy’s plugin ecosystem, including its reverse proxy, authentication plugins, and ACME-based certificate management, Zeroserve preserves that investment while adding kernel-level acceleration. No migration, no rewrite, no retraining.

Breaking Down the Performance Claims

The headline numbers (3x throughput and 70% lower latency) are significant enough that they warrant careful examination. Here is what each claim means in practice and what architectural features make them plausible.

3x throughput means that a Caddy deployment handling a given number of requests per second can handle roughly three times that number when Zeroserve is enabled. This gain comes primarily from eliminating the per-request overhead of context switches and system calls. In a traditional web server, every request involves multiple transitions between user space and kernel space: accept() to receive the connection, read() to get data from the socket, write() to send the response, and close() to tear down the connection. Each transition costs CPU cycles. Zeroserve eliminates most of these transitions for requests that can be handled entirely in the eBPF layer.

70% lower latency means that the time from request arrival to the first byte of response drops by roughly two-thirds. This is the more practically impactful number for most teams, because latency directly affects user experience, time-to-interactive, and SEO rankings. The latency reduction comes from the same source as the throughput gain: fewer context switches and memory copies mean the request spends less time in transit between kernel and user space.

The following table summarizes the architectural differences between traditional web serving approaches and Zeroserve’s eBPF-assisted model:

| Architectural Feature | Traditional Web Server | Zeroserve + Caddy |
| --- | --- | --- |
| Request processing location | Userspace (application process) | Kernel space (eBPF) for hot path; userspace for complex logic |
| Context switches per request | Multiple (accept, read, write, close) | Zero for eBPF-handled requests |
| Memory copies per request | Multiple (kernel buffer to user buffer and back) | Zero for eBPF-handled requests (in-place kernel memory) |
| TLS termination | Application process (OpenSSL/BoringSSL) | Caddy handles TLS; Zeroserve processes decrypted packets |
| Plugin compatibility | Full (all plugins run in userspace) | Full (Caddy plugins unchanged; Zeroserve is transparent) |
| Kernel version required | Any Linux kernel | Linux 5.10+ (eBPF), 5.15+ recommended (full XDP) |

The key insight is that Zeroserve does not make Caddy faster. It makes Caddy do less work. By intercepting requests at the kernel level and handling those that do not need complex userspace processing, Zeroserve reduces the load on Caddy’s process, freeing it to handle requests that genuinely need plugin logic, authentication, or complex routing.

What This Means for Production Deployments

The 3x throughput and 70% lower latency figures are impressive in isolation, but the real question for DevOps engineers and SREs is what they mean for production systems. The answer depends on where your bottlenecks are today.

Scenario 1: You are CPU-bound. If your Caddy instances are running at high CPU use and you need more headroom, Zeroserve can effectively multiply your capacity without adding instances. A deployment that requires multiple Caddy nodes could potentially run on far fewer nodes with Zeroserve, reducing infrastructure costs while maintaining the same throughput. The CPU savings come directly from eliminating context switches and syscalls.

Scenario 2: You are latency-sensitive. If your application has strict latency SLAs (for example, sub-10 ms P99 for API responses), Zeroserve’s latency reduction is transformative. The 70% improvement means a service that barely meets its latency targets with Caddy alone would see comfortable headroom with Zeroserve enabled, providing margin for traffic spikes and upstream latency.

Scenario 3: You are memory-constrained. For deployments on memory-limited instances or containers, Zeroserve’s elimination of per-connection userspace buffers means you can handle significantly more concurrent connections without hitting memory limits. This is particularly valuable for serverless or containerized environments where memory allocation directly affects cost.

Scenario 4: You are scaling horizontally. Zeroserve does not replace horizontal scaling, but it changes the economics. If your current Caddy deployment handles a given request volume across several nodes, Zeroserve could handle the same load on fewer nodes. That means fewer instances to manage, patch, monitor, and secure.

The deployment model is straightforward. Install Zeroserve on each node running Caddy, configure the Caddy plugin to enable the compatibility layer, and validate that existing configurations work correctly. The Zeroserve layer is transparent to upstream applications, so no changes are needed on the application side. Rollback is a matter of disabling the plugin and restarting Caddy.

This pattern of adding kernel-level acceleration to existing infrastructure mirrors the broader platform engineering trend we discussed in our DevOps 2024 analysis: teams are layering performance improvements onto existing stacks rather than replacing them wholesale. Zeroserve is the web-serving embodiment of that philosophy.

Teams can add Zeroserve to existing Caddy deployments without changing application code or rewriting configuration files.

Trade-Offs and When Not To Use Zeroserve

Zeroserve’s performance gains are real, but they come with trade-offs that teams need to evaluate before committing to production deployments.

Kernel version dependency. Zeroserve requires a Linux kernel with eBPF support at version 5.10 or later, and full XDP support at 5.15 or later. Older enterprise Linux distributions (RHEL 7, Ubuntu 18.04, Amazon Linux 2) do not support the required eBPF features. Teams running on older kernels will need to upgrade their operating system before they can use Zeroserve. This is a significant operational lift for organizations with legacy infrastructure and long qualification cycles.

Complexity in troubleshooting. When request processing happens partly in kernel-space eBPF programs and partly in userspace Caddy, debugging becomes harder. Traditional tools like strace, tcpdump, and application-level logging may not capture what is happening in the eBPF layer. Teams need familiarity with bpftool, bpftrace, and eBPF-specific observability tooling to diagnose issues. The troubleshooting learning curve is real, and for teams without eBPF expertise, it represents meaningful operational risk.

Plugin compatibility. Caddy’s plugin ecosystem is one of its strongest features. While Zeroserve claims compatibility with standard Caddy configurations, plugins that intercept or modify request processing at the HTTP handler level may behave differently when Zeroserve is in the path. Each plugin should be tested individually in a staging environment before production rollout. Plugins that modify response bodies, implement custom authentication flows, or perform complex request rewriting are particularly likely to need validation.

Not for low-traffic deployments. The benefits of Zeroserve scale with traffic volume. A Caddy instance handling a modest number of requests per second will see minimal improvement because the overhead Zeroserve eliminates (context switches, syscalls) is negligible at that volume. The throughput multiplier only materializes when the server is under meaningful load. For low-traffic deployments, the additional complexity is not justified.

Security surface area. eBPF programs run inside the kernel with elevated privileges. While eBPF has a solid verifier that rejects unsafe programs, any kernel-level code introduces risk. Organizations with strict security requirements should audit Zeroserve’s eBPF programs and ensure they are loaded from verified, signed binaries. The Zeroserve project provides signed releases, but teams should verify signatures as part of their deployment pipeline and consider implications for their compliance posture.
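
The kernel-version and audit checks described in this section can be scripted as a deployment gate. The following is an added example, not code from the Zeroserve or Caddy projects: it classifies a kernel release against the 5.10/5.15 thresholds and flags XDP/tc programs in `bpftool -j prog show` output whose tag is not on a reviewed allowlist. The program names, tags, allowlist and function names are constructed for illustration.

```python
import json
import re

MIN_KERNEL = (5, 10)          # article: minimum for eBPF support
RECOMMENDED_KERNEL = (5, 15)  # article: recommended for full XDP
# bpftool type names for programs that sit on the network data path
NETWORK_HOOK_TYPES = {"xdp", "sched_cls", "sched_act", "socket_filter"}

# Constructed sample of `bpftool -j prog show` output (names and tags invented).
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 41, "type": "xdp", "name": "http_fastpath", "tag": "3b185187f1855c4c"},
    {"id": 42, "type": "sched_cls", "name": "tc_egress", "tag": "9d2e7a10c4f6b8e1"},
    {"id": 57, "type": "xdp", "name": "unknown_prog", "tag": "00ffee11aa22bb33"},
    {"id": 60, "type": "kprobe", "name": "trace_exec", "tag": "5c1a2b3c4d5e6f70"},
])
# Hypothetical allowlist: tags recorded when the reviewed release ran in staging.
APPROVED_TAGS = {"3b185187f1855c4c", "9d2e7a10c4f6b8e1"}


def kernel_status(release):
    """Classify a `uname -r` string. Distribution kernels backport features,
    so this is a first gate, not proof that a given hook works."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)))
    if version < MIN_KERNEL:
        return "unsupported"
    return "ok" if version >= RECOMMENDED_KERNEL else "minimum-only"


def audit_programs(bpftool_json, approved_tags):
    """Return network-hook programs whose tag is not on the allowlist.
    The tag is the kernel's hash of the program's instructions, so a rebuilt
    or modified program shows up with a different tag."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in NETWORK_HOOK_TYPES:
            continue  # tracing programs etc. are out of scope for this gate
        if prog.get("tag") not in approved_tags:
            findings.append({k: prog.get(k) for k in ("id", "type", "name", "tag")})
    return findings


def preflight(release, bpftool_json, approved_tags):
    """Combine both checks into one go/no-go decision for the pipeline."""
    status = kernel_status(release)
    unapproved = audit_programs(bpftool_json, approved_tags)
    return {
        "kernel": status,
        "unapproved": unapproved,
        "deploy": status in ("ok", "minimum-only") and not unapproved,
    }


if __name__ == "__main__":
    report = preflight("5.15.0-91-generic", SAMPLE_BPFTOOL_JSON, APPROVED_TAGS)
    print(json.dumps(report, indent=2))
```

On a real node, feed `preflight` the output of `uname -r` and `bpftool -j prog show`, and fail the pipeline step when `deploy` is false.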

Alternative to consider: For teams that cannot upgrade their kernel or do not want to introduce eBPF into their stack, Caddy’s existing performance tuning options (enabling HTTP/3, tuning keepalive parameters, using the built-in cache plugin, and deploying behind a CDN) can still yield significant improvements. Zeroserve is the most aggressive path to better performance, and the right choice depends on whether your team has the operational maturity to manage kernel-level infrastructure.

The Future of Web Servers Is in the Kernel

Zeroserve’s approach represents a broader trend in infrastructure software: moving processing into the kernel where it can operate at hardware speeds. This is the same architectural shift that has transformed networking (XDP, Cilium), storage (io_uring, SPDK), and observability (eBPF-based tracing with tools like Parca and Pixie). Web serving is the next domain to benefit.

The implications for the web server market are significant. If Zeroserve’s claimed benchmarks hold up under independent third-party testing (and the project encourages teams to reproduce them in their own environments), the performance gap between kernel-assisted and userspace-only web servers will become a decisive factor in infrastructure decisions. Caddy, nginx, and Apache will still have roles, but the expectation will shift: a web server that does not use kernel-level acceleration will be seen as leaving performance on the table.

For Caddy specifically, Zeroserve compatibility strengthens its position as the most forward-looking web server in the ecosystem. Caddy already leads on security (automatic HTTPS via ACME, OCSP stapling, certificate management) and usability with its clean Caddyfile syntax and plugin system. Adding a throughput multiplier via Zeroserve makes it competitive on raw performance with any alternative, including hand-tuned nginx configurations and custom Rust-based servers.

The key question for 2026 and beyond is how quickly the ecosystem adopts kernel-assisted web serving. The eBPF tooling is mature. The kernel support is in place. The performance data is compelling. What remains is operational maturity: documentation, troubleshooting guides, monitoring integrations, and community best practices. Zeroserve is early in that journey, but the direction is clear.

The same pattern played out with io_uring in storage. Early adopters got dramatic performance improvements but had to navigate rough edges in tooling and observability. Over time, the ecosystem matured, and io_uring became the default for high-performance storage applications. eBPF-assisted web serving is likely to follow the same trajectory. The teams that invest in understanding it now will have a performance advantage that compounds as tooling improves.

As eBPF tooling matures, kernel-assisted web serving will become the default expectation for high-throughput deployments.

Teams evaluating Zeroserve should run their own benchmarks on representative hardware and traffic patterns. The 3x throughput and 70% latency figures align with what the architecture predicts (eliminating context switches and memory copies from the hot path should yield roughly these improvements), but every workload is different. The Zeroserve project provides benchmark tooling and configuration templates to help teams reproduce results in their own environments. The most convincing benchmark is one you run yourself.

For the broader DevOps community, Zeroserve is a signal. The line between kernel and application is blurring. eBPF is the mechanism, and web serving is just the latest domain to be transformed by it. The web servers of 2030 will look less like application processes and more like kernel subsystems with userspace control planes. Zeroserve is an early glimpse of that future, and it is compatible with the tools teams already use.

Key Takeaways

  • Zeroserve’s eBPF-based compatibility layer claims 3x throughput and 70% lower latency vs. Caddy alone by moving hot-path request processing into the Linux kernel, eliminating context switches and memory copies.
  • Existing Caddy configurations, Caddyfiles, and plugins continue to work unchanged; Zeroserve is transparent to upstream applications and requires no application-side changes.
  • The architecture eliminates context switches and syscalls for eBPF-handled requests, reducing CPU use and memory per connection, directly translating to infrastructure cost savings at scale.
  • Trade-offs include kernel version requirements (5.10+ minimum, 5.15+ recommended for full XDP), eBPF debugging complexity requiring tools like bpftool and bpftrace, and per-plugin compatibility testing needs.
  • The throughput gains only materialize under meaningful load; low-traffic deployments see minimal benefit and may not justify the additional operational complexity.
  • Kernel-assisted web serving via eBPF is part of a broader industry trend: the same shift that transformed networking (Cilium) and storage (io_uring) is now reaching web servers.
