Ferron – A fast, memory-safe web server written in Rust

Original Article ↗ Hacker News Discussion ↗

Benchmarks & Performance Claims

  • Multiple commenters ask for public, reproducible benchmarks and the benchmark code; without that, they consider any “fast” claim weak.
  • Several question why nginx is absent from Ferron’s comparison charts, especially since nginx is mentioned as the source of the default test page. Some assume omission implies nginx is faster, but this remains unclear.
  • Others caution that even with benchmarks, results can be misleading: test setup, what’s measured, and bias matter a lot.
  • One points out Ferron’s own chart showing Apache prefork beating event MPM and finds that suspicious.

Comparisons to nginx, Caddy, and Other Rust Servers

  • Some see Ferron as a Caddy-like server in Rust and welcome an alternative, especially appreciating auto-TLS and potentially clearer config for complex setups.
  • Several people explicitly request benchmarks versus nginx, as that’s what they actually use; comparisons to lesser-known servers are less useful to them.
  • TechEmpower results and other Rust static servers are cited to show the Rust ecosystem is already very fast, but others counter that “written in Rust” does not guarantee real-world performance.
  • A concrete example with Rocket (Tokio + Hyper) vs nginx serving a 1GB file shows Rocket ~10–25x slower, largely due to small buffered reads/writes and lack of sendfile. This is used to argue implementation details dominate language choice.

Features, Defaults & Documentation

  • Ferron’s author confirms it uses Tokio + Hyper, supports HTTP/2, OCSP stapling, auto TLS, reverse proxying, and Slowloris protection via header and response timeouts (with some configurability questions).
  • Users ask for a prominent, concise feature list and clearer differentiation from other servers.
  • The FAQ splits opinion: some find “what is a web server?” patronizing; others like having basic context. Consensus: you can’t please everyone.
  • Minor UX feedback: the logo was unreadable in GitHub dark mode; this was quickly fixed.

Security, Deployment & TLS

  • There’s a detailed side discussion on how nontrivial security really is (duplicate headers, encoding, spec ambiguities, CVE history).
  • Several criticize the “curl | sudo bash” install on the homepage as incompatible with a strong security posture; they prefer OS package managers or rootless containers. The author suggests reviewing the script or using Docker images.
  • On architecture, some ask if servers should still bundle TLS when many people terminate HTTPS at a reverse proxy or cloud load balancer; others note this introduces extra moving parts, and Ferron itself can also act as the reverse proxy.

Language Choices & Memory Safety Debate

  • A Go vs Rust subthread discusses ecosystems (Go has richer web tooling, Rust has no GC-based runtime) and memory safety models.
  • A lengthy tangent debates whether Rust “has garbage collection” via Rc/Arc (reference counting as a subset of GC) versus the common view that Rust’s primary model is ownership/borrowing without a tracing GC.