HeadlinesBriefing.com

zeroserve: Zero-Config Web Server with eBPF Middleware Scripting

Hacker News

zeroserve is a zero-config HTTPS server that serves websites directly from tarballs while running eBPF programs as sandboxed middleware on each request. The server handles routing, authentication, and rate limiting through JIT-compiled eBPF code that executes in userspace, eliminating traditional configuration files. It supports TLS 1.3, HTTP/2, and Encrypted Client Hello out of the box.

The architecture relies on io_uring for all network and disk operations through the monoio runtime, with each instance running a single-threaded event loop. This design choice enables efficient scaling across multiple processes while maintaining performance. eBPF scripts compile to native machine code via async-ebpf's vendored uBPF, with a pointer cage providing the memory safety that the kernel verifier would normally enforce.

Scripts execute in sorted filename order as a chain, sharing per-request metadata. They can inspect requests, modify headers, implement rate limiting, and even handle OIDC authentication with stateless sessions. A script calling zs_respond or zs_reverse_proxy short-circuits the chain. Hot reloading via SIGHUP swaps the tarball, scripts, and TLS material atomically without dropping connections.
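Because the chain order comes from file names and any script can end the chain, naming decides whether an authentication script runs before a proxying one. The following is an added Python model of that behaviour, not zeroserve code or its API: the script names, the three middleware functions and the static fall-through are hypothetical, and it assumes "sorted filename order" means plain string order.

```python
# Model of the chain semantics only; this is not zeroserve's code or API.
# Assumption: "sorted filename order" means plain string (lexicographic) order.
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    headers: dict
    meta: dict = field(default_factory=dict)  # per-request metadata shared by the chain

# Hypothetical scripts. Returning a tuple models a call to zs_respond or
# zs_reverse_proxy (chain stops); returning None hands over to the next script.
def rate_limit(req):
    req.meta["bucket"] = req.headers.get("x-client", "anon")

def require_session(req):
    if "cookie" not in req.headers:
        return ("respond", 401)
    req.meta["user"] = "session-user"

def proxy_admin(req):
    if req.path.startswith("/admin"):
        return ("reverse_proxy", "admin-backend")

def run_chain(scripts, req):
    """Run scripts in sorted name order; return (terminal action, names that ran)."""
    ran = []
    for name in sorted(scripts):
        ran.append(name)
        action = scripts[name](req)
        if action is not None:
            return action, ran
    return ("static", req.path), ran  # assumed fall-through: serve the file

def runs_before(scripts, guard):
    """Scripts that execute ahead of `guard`, and so can short-circuit past it."""
    order = sorted(scripts)
    return order[:order.index(guard)]

# Constructed names. Unpadded numeric prefixes compare as strings: "10-" < "2-" < "9-".
UNPADDED = {"2-ratelimit": rate_limit, "9-auth": require_session, "10-proxy": proxy_admin}
PADDED = {"02-ratelimit": rate_limit, "09-auth": require_session, "10-proxy": proxy_admin}

if __name__ == "__main__":
    for label, chain in (("unpadded", UNPADDED), ("padded", PADDED)):
        print(label, run_chain(chain, Request("/admin", {})))
```

Running `runs_before` against the deployed script names before a reload is a cheap check that nothing able to short-circuit sorts ahead of the authentication script.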

Benchmarks show zeroserve outperforming both nginx and Caddy on single-core HTTPS workloads, serving 36,681 requests per second for small static files versus nginx's 27,892. The performance advantage extends across static file serving, scripted middleware, and reverse proxying scenarios, making it a compelling alternative for developers seeking simpler configuration.