alt.hn

6/14/2026 at 1:43:08 PM

Caddy compatibility for zeroserve: 3x throughput and 70% lower latency

https://su3.io/posts/zeroserve-caddy-compat

by losfair

6/14/2026 at 3:07:41 PM

Anyone else got a really weird Chrome pop-up asking which cert to use for su3.io:443?

Very bizarre, never seen that before.

Thumbprints:

  - 60949a09aab8677f87a0b9eda7099a03ca510fb3
  - 1b146798f0dc93773247e86312f1b730c4eeebb3

by 1a527dd5

6/14/2026 at 4:09:35 PM

> Very bizarre, never seen that before.

For my own stuff that's not meant for a wider audience, I sometimes use mTLS in front of my apps, alongside self-signed certs (my own CA) that shouldn't show up in certificate transparency logs.

This site also seems to be requesting a certificate from the user. Normally you probably don't want that for public facing resources.

by KronisLV

6/14/2026 at 3:58:59 PM

Here it attempts to read my personal certificate that sits in the browser that I use for filing my taxes and doing government stuff, suspicious indeed.

by embedding-shape

6/14/2026 at 4:47:39 PM

That’s likely just the side effect of supporting mTLS. Mutual TLS came around at the same time as Microsoft did implicit network auth. Seemed magical at the time and so harebrained for eons of problems. The user side TLS never caught on in most circles and still has the ancient sharp edges.

by cmgbhm

6/14/2026 at 4:48:13 PM

That's because the client certificate interface in browsers is supremely dumb. It always just lists all certificates you have, with very little context in the UI, and hopes that's good enough. I believe that's part of the reason client certificates are not popular; having actual users deal with that is terrible, and the browsers (in practice, Chrome because of its overwhelming market share) aren't incentivized to fix it.

by mook
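Added example, not part of any comment in this thread and not code from zeroserve or Caddy: the server side of the prompt discussed above. A TLS server that requests a client certificate can send a list of acceptable CA names in its CertificateRequest, which a client can use to filter what it offers; with no CA pool configured, the list is empty. The names `newCert`, `AdvertisedCAs`, `server.test` and `Example Client CA` are hypothetical, and nothing here says how su3.io itself is configured.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert returns a throwaway self-signed certificate (constructed sample data).
func newCert(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// AdvertisedCAs returns how many CA names a cert-requesting server sends the client.
func AdvertisedCAs(caName string) (int, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{newCert("server.test")},
		ClientAuth: tls.VerifyClientCertIfGiven} // ask for a cert, do not require one
	if caName != "" {
		srv.ClientCAs = x509.NewCertPool() // the pool's subjects become the CA hint
		srv.ClientCAs.AddCert(newCert(caName).Leaf)
	}
	n := -1 // stays -1 if the server never requests a client certificate
	cli := &tls.Config{InsecureSkipVerify: true, // throwaway server cert, demo only
		GetClientCertificate: func(r *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			n = len(r.AcceptableCAs)       // what a browser would filter its list on
			return &tls.Certificate{}, nil // empty value: send no client certificate
		}}
	c, s := net.Pipe()
	defer c.Close() // also unblocks the server goroutine's post-handshake writes
	go tls.Server(s, srv).Handshake()
	err := tls.Client(c, cli).Handshake()
	return n, err
}

func main() {
	fmt.Println(AdvertisedCAs(""))                  // no ClientCAs configured
	fmt.Println(AdvertisedCAs("Example Client CA")) // private CA configured
}
```
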

6/14/2026 at 4:04:28 PM

Same on Firefox

by sunaookami

6/14/2026 at 3:46:54 PM

Same on Arc

by linsomniac

6/14/2026 at 3:33:21 PM

Same on Zen

by jorl17

6/14/2026 at 3:05:15 PM

No ACME! That is a dealbreaker

https://github.com/losfair/zeroserve/blob/main/CADDY_COMPAT....

by tln

6/14/2026 at 3:06:57 PM

Yes, I agree it would be very nice to have a way to integrate ACME into zeroserve. I'm not sure if zeroserve's plugin system might allow one to add a plugin to support it?

by codys

6/14/2026 at 4:29:55 PM

"Caddy compatible" minus everything that matters, like ACME and plugins. And NGINX still steals the show. Not everything needs to be rewritten.

by codingjoe

6/14/2026 at 4:34:05 PM

Same thoughts. If I need a more performant Caddy alternative, I'm going to use nginx; at least it has some extras.

by __natty__

6/14/2026 at 2:45:13 PM

I am surprised how well nginx holds up?!

by augunrik

6/14/2026 at 3:15:08 PM

Why? It's one of the most optimized HTTP servers ever. Anything that claims to beat nginx in benchmarks should be treated with high suspicion. I think these zeroserve numbers are likely accurate, but it doesn't have the features and module ecosystem of nginx, so the margins aren't worth it for me.

by phillipseamore

6/14/2026 at 4:22:08 PM

Because it passes more boundaries and stuff. But hey, I didn’t code a Webserver so far - so what do I know. :D

AFAIK eBPF can be hardware offloaded. If you have the use case.

by augunrik

6/14/2026 at 6:10:47 PM

> But hey, I didn’t code a Webserver so far - so what do I know

If you limit the scope, it's worth doing and might not take as much effort as you might think. You could possibly find some enjoyment and learn a few things doing so.

by someothherguyy

6/14/2026 at 2:51:33 PM

I still think of eBPF as not being Turing-complete. There is still a complexity limit in the verifier. Even if someone did implement Game of Life by having the program set a timer to run itself. https://isovalent.com/blog/post/ebpf-yes-its-turing-complete...

by smallerize

6/14/2026 at 3:01:17 PM

zeroserve doesn't use the Linux kernel's eBPF runtime to run the eBPF it uses, so the constraints of the Linux kernel's eBPF runtime (chosen because of how the Linux kernel thinks about protecting the Linux kernel from user space) don't apply to zeroserve (or other tools that use the eBPF instruction set but don't use the Linux kernel's particular implementation)

by codys

6/14/2026 at 2:44:10 PM

From a technical standpoint, these are always impressive projects, but I've always wondered: has anyone ever encountered a use case where Caddy was the bottleneck?

by zsoltkacsandi

6/14/2026 at 6:18:10 PM

[dead]

by keynha

6/14/2026 at 2:47:58 PM

[dead]

by sieabahlpark

6/14/2026 at 5:34:27 PM

Another vibe coded, dead in 6 months Rust project.

People that truly need performance are not going to use a random server that has 0 support/track record.

by Thaxll

6/14/2026 at 4:35:24 PM

Interesting. Trying to get some of the performance advantages of TUX/IIS without as much insecurity makes sense for some big players, I guess.

The usual 3400 lines lock file and AGENTS.md raise some questions about the aforementioned security, though.

by BoingBoomTschak

6/14/2026 at 5:21:08 PM

No thanks

by dshat

6/14/2026 at 2:30:55 PM

Fudge, I really need to carve out time today to play with zeroserve. Very cool stuff

by nullstyle