Zeroserve: An eBPF-Powered Web Server Without Config Files

June 7, 2026 · 10 min read · By Thomas A. Anderson

Zeroserve represents a new approach to web serving that eliminates config files entirely.

What Is Zeroserve?

Zeroserve is a compact, high-performance web server that operates without any traditional config files. Instead of the usual nginx.conf or Apache httpd.conf, you hand it a single tarball containing your website content, TLS certificates, and eBPF scripts. It serves that content over HTTP/2 and TLS 1.3, with all request handling logic defined by eBPF programs embedded inside the tarball itself.

This is not a toy project. The server uses io_uring for all network and disk I/O, runs a single-threaded event loop architecture, and JIT-compiles eBPF bytecode into native machine code via the async-ebpf runtime. According to coverage on Conzit, Zeroserve outperforms traditional servers like NGINX in several workloads, including static file serving, scripted middleware, and small-response proxying over HTTPS. The same source confirms that the server speaks HTTP/2 and TLS 1.3 natively.

The zero-config claim is literal: there is no config file to write, no document root to set, no virtual host to define. You package your site, you run the server, and it works. For DevOps engineers who have spent years debugging misconfigured NGINX location blocks or Apache .htaccess cascades, that alone is a compelling value proposition.

How Zeroserve Works

When you package a website into a tarball and feed it to Zeroserve, the server indexes the archive during load. It creates an in-memory path-to-byte-range mapping, which lets it serve files directly from the tarball without unpacking them onto disk. This eliminates an entire class of security risks tied to misconfigured document roots and path traversal attacks.

Updating a live site is a single operation: replace the tarball and send a SIGHUP signal. The server reloads site content, eBPF scripts, and TLS material atomically. No dropped connections, no downtime window, no multi-step deploy script. This atomic deployment model is closer to how container images work than how traditional web servers handle config reloads. The Conzit article notes that the reload ensures “no dropped connections during process.”

For network and disk operations, Zeroserve uses io_uring, the Linux kernel’s asynchronous I/O interface that has been production-ready since kernel 5.19. Combined with a single-threaded event loop, this design minimizes context switching and lock contention. The result is a server that handles high request volumes on modest hardware.

Scripting with eBPF

The standout feature of Zeroserve is its eBPF scripting model. Any C file placed in the .zeroserve/scripts/ directory inside your tarball is compiled into eBPF bytecode during packaging. These scripts run on every incoming request, executing as JIT-compiled native code within the async-ebpf runtime.

The scripting model is designed as a chain. Scripts execute in sorted filename order, and they share a per-request metadata map. This lets you build request processing pipelines without touching kernel-level security, because eBPF execution happens entirely in userspace. The runtime includes a pointer cage that restricts memory access to the script’s own allocated area, maintaining isolation between scripts and between scripts and the server process.

You can use this model to enrich incoming requests with additional headers, implement custom authentication logic, rewrite URLs, add CORS headers conditionally, or log request timing. The eBPF programs are compiled once and run at near-native speed on every request, with none of the overhead of Lua scripting (OpenResty) or JavaScript (NGINX njs). The Conzit source describes the scripting model as a “chain of scripts executed in sorted filename order, sharing per-request metadata map,” enabling flexible request handling without additional complexity.

This approach collapses two separate concerns that traditional servers keep apart: configuration and scripting. In NGINX, you define behavior through directives in nginx.conf, then layer on scripting through njs or Lua. In Zeroserve, an eBPF program is both configuration and script. There is no separate config language to learn. If you can write C that compiles to eBPF, you can define your server’s request handling behavior.

Security Model

Zeroserve’s security model benefits from two architectural decisions. First, by serving files directly from a tarball index instead of a filesystem document root, it eliminates path traversal attacks entirely. There is no way to request ../../etc/passwd because the server never resolves file paths against a filesystem directory.
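The path-to-byte-range index described under How Zeroserve Works, and the lookup behaviour claimed here, shown as an added Python sketch that is not Zeroserve's own code. The archive layout, the function names and the rule of skipping member names that contain `..` are assumptions made for illustration.

```python
import io
import tarfile

def build_sample_tar() -> bytes:
    """Constructed sample archive; the layout is assumed, not Zeroserve's documented one."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in [
            ("index.html", b"<h1>home</h1>"),
            ("css/site.css", b"body{margin:0}"),
            ("../outside.txt", b"should never be indexed"),  # hostile member name
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def build_index(archive: bytes) -> dict:
    """Map request path -> (offset, length) of the member's data inside the archive."""
    index = {}
    # mode "r:" accepts only an uncompressed tar; byte offsets mean nothing otherwise
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks, hardlinks and device nodes
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                continue  # refuse absolute or dot-dot member names at index time
            index["/" + member.name] = (member.offset_data, member.size)
    return index

def serve(archive: bytes, index: dict, request_path: str):
    """Exact-key lookup: the path is never joined to or resolved against a directory."""
    span = index.get(request_path)
    if span is None:
        return 404, b""
    offset, length = span
    return 200, archive[offset:offset + length]
```

A request such as `/css/../index.html` misses because no normalisation happens at lookup time; only keys created at index time can ever be served.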

Second, the eBPF runtime’s pointer cage ensures that even if a script contains a bug or is compromised, it cannot read or write memory outside its allocated area. This isolation is enforced by the eBPF verifier, the same kernel mechanism that makes eBPF safe for production use in networking, tracing, and security monitoring tools. The Conzit source confirms that “memory access is restricted to script’s own allocated memory area, thus maintaining security and stability.”

TLS is configured through the same tarball packaging mechanism. You include your certificates in the archive, and Zeroserve loads them on startup or on SIGHUP reload. There is no separate certbot workflow, no external reverse proxy for TLS termination. The server speaks TLS 1.3 natively, as confirmed in the Conzit article. This unified approach to TLS configuration means certificate management is part of your deployment pipeline, not a separate operational concern.

eBPF scripts for Zeroserve are written in C, compiled to bytecode, and JIT-compiled at runtime for near-native performance.

Zeroserve vs Traditional Web Servers

| Dimension | Zeroserve | NGINX | Apache HTTPD |
|---|---|---|---|
| Configuration | Zero config (tarball-based) | nginx.conf with directives | httpd.conf + .htaccess |
| Scripting mechanism | eBPF (C compiled to bytecode, JIT’d) | njs (JavaScript) or Lua via OpenResty | mod_* modules, PHP, Perl, Lua |
| Request handling speed | Outperforms NGINX in static files, middleware, and proxying (per Conzit benchmarks) | Baseline reference | See independent benchmarks for workload-specific comparisons |
| I/O model | io_uring + single-threaded event loop | Event-driven, multi-process | Multi-process, multi-threaded |
| Deployment | Atomic: replace tarball + SIGHUP | Config reload or binary restart | Graceful restart or config reload |
| TLS support | HTTP/2 and TLS 1.3 built in | HTTP/2 and TLS 1.3 via module | HTTP/2 and TLS 1.3 via module |
| Security isolation | eBPF pointer cage + tarball index (no doc root) | Worker process isolation, SELinux policies | MPM isolation, SELinux policies |

Production Concerns and Trade-offs

Zeroserve is early-stage software. The project’s website at zeroserve.io was not reachable as of this writing, and the primary source of documentation is the Conzit article plus the original Hacker News discussion. This raises the first production concern: maturity.

NGINX has been in production since 2004. Apache since 1995. Their edge cases, security advisories, and performance tuning guides fill thousands of pages. Zeroserve has none of that institutional knowledge yet. If you hit a bug, you are likely on your own or relying on a small community. For production deployments, this lack of battle-tested history should give any SRE pause.

Second, eBPF scripting is powerful but limited. eBPF programs cannot make arbitrary system calls, cannot open files, cannot fork processes. The pointer cage constraint means you cannot share complex data structures between scripts easily. For simple request enrichment (add header, check token, log metric), eBPF is ideal. For anything that requires database access, external API calls, or complex string processing, you need another layer. Your eBPF scripts cannot query PostgreSQL, cannot call Redis, cannot write to a log file. They operate within the narrow constraints of eBPF helper functions.

Third, the single-threaded event loop architecture is excellent for I/O-bound workloads but less ideal for CPU-bound request processing. If your eBPF scripts do significant computation, they block the event loop and degrade latency for all other requests. In NGINX, you can configure worker processes to handle CPU-bound work in parallel. Zeroserve’s single-threaded design gives up that parallelism in exchange for simplicity and throughput on I/O-heavy workloads. For a server that primarily serves static assets with lightweight header manipulation, this is a winning trade. For an API gateway running auth checks on every request, it may become a bottleneck.

Fourth, there is the ecosystem question. NGINX has a vast module ecosystem: caching, compression, rate limiting, WAF integration, auth providers. Apache has mod_* for everything. Zeroserve’s eBPF scripting model means you build what you need in C, but that is a higher bar than dropping in a pre-built module. The trade-off is flexibility versus convenience, and for teams that need something off the shelf, Zeroserve’s current ecosystem is thin.

Getting Started with Zeroserve

The basic workflow for deploying a site with Zeroserve is:

  • Create your website content (HTML, CSS, JS, images)
  • Add any eBPF scripts in .zeroserve/scripts/ as C files
  • Include TLS certificates in the tarball
  • Package everything into a single tarball
  • Run Zeroserve pointing at the tarball

To update, replace the tarball and send SIGHUP. The server reloads atomically. The Conzit article confirms that “deploying and updating a website requires simply replacing the tarball and sending a SIGHUP signal to Zeroserve.”

For security hardening in production, ensure that the tarball is checksummed and that the deployment pipeline verifies the checksum before replacing the live tarball. Use a minimal base image if containerizing Zeroserve. Restrict eBPF scripts to only the operations your application needs: the eBPF verifier enforces safety, but it cannot enforce business logic correctness. Consider running Zeroserve behind a reverse proxy for rate limiting and DDoS protection, since the server itself does not include these features out of the box.
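One way to implement the checksum-then-replace step, as an added Python example rather than tooling from the Zeroserve project. The file paths, the `.staged` suffix and the expected digest arriving over a separate trusted channel are assumptions.

```python
import hashlib
import hmac
import os
import signal

def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def deploy(candidate: str, expected_sha256: str, live: str, server_pid=None) -> bool:
    """Verify the candidate tarball, swap it in atomically, then request a reload.

    Returns False and leaves the live tarball untouched if the digest does not match.
    """
    actual = sha256_file(candidate)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False
    # Stage beside the live file so os.replace() is a same-filesystem atomic rename
    staged = live + ".staged"  # hypothetical naming convention
    with open(candidate, "rb") as src, open(staged, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    # Re-hash the staged copy: the candidate may have changed between check and copy
    if not hmac.compare_digest(sha256_file(staged), actual):
        os.unlink(staged)
        return False
    os.replace(staged, live)  # readers see the old file or the new one, never a mix
    if server_pid is not None:
        os.kill(server_pid, signal.SIGHUP)  # reload signal named in the article
    return True
```

Because the swap is a rename, the live path gets a new inode instead of being overwritten in place, so a process that still holds the old file open keeps reading the old bytes until it reloads.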

Monitoring and observability for Zeroserve deployments requires integrating with standard infrastructure tooling, as the server does not include built-in monitoring.

Troubleshooting Common Issues

Based on the architecture described above, here are issues you are likely to encounter when running Zeroserve in production:

  • Tarball format errors: Zeroserve expects a specific tarball structure. If the archive is malformed or missing the expected directory layout, the server may fail to index it. Validate your tarball before deployment with a CI check that runs the server’s own validation.
  • eBPF compilation failures: Not all C code compiles to valid eBPF bytecode. The eBPF verifier rejects programs with loops (unless bounded), unsafe pointer arithmetic, or prohibited helper function calls. Test scripts locally with an eBPF compiler before packaging. The error messages from the verifier are cryptic, so budget time for debugging.
  • TLS certificate issues: If certificates are expired or the private key is mismatched, Zeroserve will fail to start or reject connections. Automate certificate renewal in your packaging pipeline. A CI/CD step that checks certificate expiry before deploying can prevent midnight outages.
  • SIGHUP not working: Some process managers or container orchestrators intercept SIGHUP. Test the reload mechanism in your deployment environment before relying on it for zero-downtime updates. In Kubernetes, for example, you may need to use a preStop hook instead of relying on signal handling.
  • Single-threaded saturation: Monitor CPU usage on the Zeroserve process. If it approaches 100% on a single core, your eBPF scripts may be doing too much computation. Consider moving heavy logic to a separate service and using eBPF scripts only for lightweight request routing and enrichment.

Key Takeaways

  • Zeroserve is a zero-config web server that uses eBPF for request scripting, eliminating the need for traditional config files and scripting layers.
  • It serves content directly from a tarball index, uses io_uring for I/O, and supports atomic deployments with SIGHUP reloads, as documented in the Conzit article.
  • eBPF scripts are written in C, compiled to bytecode, and JIT-compiled at runtime, offering near-native performance for request processing within a pointer cage for memory safety.
  • Production concerns include project maturity, limitations of eBPF scripting (no syscalls, no file I/O, no database access), and the single-threaded event loop architecture that can become a bottleneck for CPU-bound workloads.
  • For teams building lightweight, high-performance web services where request logic is simple and predictable, Zeroserve represents a compelling alternative to NGINX and Apache. For complex applications requiring database access, external API calls, or extensive middleware, traditional servers remain a safer choice.
  • As of 2026, Zeroserve is an innovative but early-stage project. Watch for ecosystem growth, multi-process support, and broader community adoption before committing to it for mission-critical production workloads.
