[HN Gopher] Show HN: I built a memory-safe web server in Rust
___________________________________________________________________
Show HN: I built a memory-safe web server in Rust
The web server that I am building is currently in beta, so any
feedback is welcome.
Author : dorianniemiec
Score : 58 points
Date : 2025-03-02 07:35 UTC (15 hours ago)
(HTM) web link (www.ferronweb.org)
| qweqwe14 wrote:
| Have you heard of axum[1] or actix-web[2]? What does this do that
| existing Rust web servers don't?
|
| I think the "web server" ecosystem in Rust is pretty mature by
| now, so you should probably state in what way your project is
| novel on the website.
|
| Edit: OK, I realized that this is supposed to be an nginx/caddy
| replacement, so a complete, configurable web server/proxy. Maybe
| check out https://github.com/memorysafety/river or
| https://github.com/sozu-proxy/sozu
|
| [1] https://docs.rs/axum
|
| [2] https://docs.rs/actix-web
| dorianniemiec wrote:
| Yes, I know that both Axum and Actix Web exist. However, these
| are web application frameworks designed for building web
| applications in Rust. On the other hand, my project is a
| standalone web server, similar to Apache httpd, NGINX, or
| Caddy.
|
| While there are standalone web servers in Rust, such as Static
| Web Server and binserve, they primarily focus on serving static
| files rather than providing general-purpose web hosting
| capabilities. My goal is to create a more versatile web server
| that can handle a wider range of web hosting applications.
| qweqwe14 wrote:
| What about Cloudflare's Pingora?
|
| Edit: or https://github.com/memorysafety/river
|
| Edit 2: or https://github.com/sozu-proxy/sozu
| Maledictus wrote:
| https://github.com/cloudflare/pingora seems to be focused
| on providing a library/framework
| dorianniemiec wrote:
| Pingora is not a standalone web server (like NGINX or
| Apache httpd), it's a Rust-based framework developed by
| Cloudflare for building network services, particularly HTTP
| proxies. River (built on Pingora) is designed to be a
| reverse proxy. My web server on the other hand is designed
| to be a general-purpose web server (it also supports
| reverse proxying).
| throwbacktictac wrote:
| It sounds like this is a general purpose web server rather than
| a web framework like axum and actix-web. It's in the category
| of nginx, apache or caddy.
| dorianniemiec wrote:
| I agree with you.
| IshKebab wrote:
| This was my question too so I think it's worth clarifying that
| on the home page.
| dorianniemiec wrote:
| I have just added a "What are the differences between Ferron
| and other web servers written in Rust?" question to
| Frequently Asked Questions.
| sejje wrote:
| Apparently you need to add "what is a webserver" for these
| new guys.
| dorianniemiec wrote:
| It's already in the FAQ section.
| Maledictus wrote:
| I'd mention fearless concurrency on the website/blog post, as
| that distinguishes your webserver from, say, caddy.
| dorianniemiec wrote:
| Thank you for the feedback! I think this is an advantage of
| Rust that prevents common pitfalls related to concurrent
| programming, making web servers written in Rust safer.
| rurban wrote:
| So deadlock free, or don't you just fear deadlocks, rather
| ignore the possibility?
| IshKebab wrote:
| I wouldn't. Blazing fast, fearless concurrency, etc. are all
| super cringe at this point. Just say it's fast, secure and
| reliable or something like that.
| reacharavindh wrote:
| As welcome as the efficiency and performance features are, the
| convenience of Let's Encrypt integration in Caddy wins the
| decision almost all the time. No more certbot cron jobs or
| worries about having the certs in the right place or permissions
| etc. For this to be equivalent to Caddy, that is the most
| important convenience feature.
| dorianniemiec wrote:
| Of course, my web server supports automatic TLS (through
| TLS-ALPN-01 challenge), just like Caddy.
| reacharavindh wrote:
| I apologise for my low quality comment. I only read the
| website and did not actually try the web server. It wasn't
| highlighted on the homepage (like Caddy does) and I made a
| tardy assumption.
| do_not_redeem wrote:
| I see that it's written in Rust, besides that, what's your
| ambition for why an end user would choose this project over one
| of the established players like Caddy/Traefik/nginx?
| adastra22 wrote:
| This web server is probably awesome. However "memory-safe" isn't
| distinguishing within the Rust ecosystem. There's... a lot... of
| Rust web servers out there, all of which are presumably
| memory-safe, because Rust:
|
| https://github.com/flosse/rust-web-framework-comparison
|
| How does Ferron distinguish itself from these? I didn't get that
| from skimming the landing page.
| dorianniemiec wrote:
| Thank you! Many other web servers written in Rust are
| memory-safe as well, because of Rust's borrow checker. I designed
| Ferron to be a general-purpose, standalone web server, just
| like NGINX or Caddy. It can even run PHP web applications
| (through FastCGI).
| hnlmorg wrote:
| You're right, but the state of play is even better than you
| suggest because there's a lot of memory safe web servers
| outside of Rust too. Eg Go.
|
| And that's not even counting all the webservers included as
| part of their backend frameworks in Python, node.js, Java, etc.
|
| Web servers written in unsafe languages are really the minority
| but those that do exist are largely so heavily battle tested
| that a rewrite would likely introduce new sources of bugs (eg
| Apache and nginx).
|
| If there's one domain that's seen a lot of competition for
| security, it's been web servers.
| johnny22 wrote:
| I was looking for a web server, not a web framework. A
| replacement for nginx and caddy, not something to build
| applications on, thus I never would have thought about clicking
| on a link talking about web frameworks.
|
| Anybody have any suggestions beyond the one under discussion?
| ratorx wrote:
| I think for this web server to compete with caddy/nginx (if the
| goal is getting other people to use it, if built for fun, please
| ignore) this needs a good reason to exist.
|
| Memory-safe is nice compared to Nginx, but pretty moot when
| comparing to Caddy. OTOH, perhaps this could aim for
| better/comparable performance to Nginx (and better than Caddy)
| whilst being memory safe? It's still quite a niche use case
| though.
| yoavm wrote:
| According to the landing page, it already outperforms Caddy.
| dorianniemiec wrote:
| I will later update the performance benchmark chart, since
| the current one features an earlier alpha version of my web
| server (Project Karpacz 0.3.0).
| ratorx wrote:
| > performs similarly to a popular Caddy web server
|
| From the main landing page. Possibly the benchmarks are
| slightly better, but until Nginx is added it's hard to say
| how significant that bump is.
| hu3 wrote:
| So does nginx. Still Caddy keeps eating a slice of nginx pie.
| yoavm wrote:
| I suspect that people don't like changing web servers, and
| perhaps that's why it took the industry so long to move away from
| Apache. Ferron actually looks great -- great performance,
| automatic TLS, easy reverse proxy configuration and more.
| Congrats on shipping this!
| dorianniemiec wrote:
| Thank you for the feedback!
| encom wrote:
| What's wrong with Apache?
| yoavm wrote:
| It is often slower, harder to configure, and has fewer
| features than Nginx, Caddy, etc.
| hu3 wrote:
| Yeah it surprised me when Caddy [1] started gaining traction
| for that reason.
|
| It's much better than the old competition in many ways, so
| there's that.
|
| [1] https://caddyserver.com
| 1oooqooq wrote:
| thanks for sharing. what are the commercial plans?
|
| i will add to the pile of cgi hosts in our CI for weird and
| borderline hostile php projects and report back.
| dorianniemiec wrote:
| Thank you! Right now, I don't have any commercial plans for my
| web server. My web server is free to use for everyone, and it's
| open source.
| Kwpolska wrote:
| How many memory safety issues are found per year in the
| established servers (Apache and nginx)?
|
| Why does the front page benchmark not include nginx?
| pointlessone wrote:
| Why doesn't the benchmark include Ferron itself?
| dorianniemiec wrote:
| It includes an older, alpha version of my web server (Project
| Karpacz 0.3.0). I will update the benchmark later.
| k_bx wrote:
| Please consider an out-of-the-box way to analyze slow queries,
| analysis by endpoints (ideally with some patterns to group by),
| ideally to not generate gigabytes of access logs but rather give
| some already-aggregated in-memory stats.
|
| Maybe batteries included would be great (web UI similar to
| HAProxy but way-way better).
| renox wrote:
| This seems to be a bona fide FOSS project, the correct way to
| ask for features is either to provide a patch or money, not this..
| eptcyka wrote:
| Is it susceptible to Slowloris?
|
| Hyper, the http library, did not handle it well.
| dorianniemiec wrote:
| I haven't tested it for Slowloris yet.
___________________________________________________________________
(page generated 2025-03-02 23:01 UTC)