NearlyFreeSpeech.NET, a no-nonsense hosting provider, just flipped the switch on all production servers: their nfsncore process—responsible for every incoming request—now runs in Rust, not C++. They deployed this yesterday after a full rewrite of C++ code that had been battle-tested for years.
This isn’t some side project. Nfsncore sits behind Apache on frontend servers, handling caching, proxying, routing, access controls, and TLS termination. Custom IP blocks? Nfsncore enforces them. Proxy routing to site daemons? It decides. Wildcard aliases, HSTS headers, maintenance mode, offline sites, ACME cert renewals, and scrubbing junk requests—all pass through it. Every member site, every tech stack, routes through this single point. One bug here outages everyone.
Why Ditch Working C++?
Rewrites of production code scream risk. “If it ain’t broke, don’t fix it” applies doubly to infrastructure touching all traffic. But C++ breaks in predictable ways: memory corruption accounts for 70% of high-severity CVEs in 2023, per Google’s analysis of open-source projects. Buffer overflows, use-after-free, double-frees—these plague C++ servers, especially under load. Nfsncore, proxying millions of requests daily, faced that exposure.
NearlyFreeSpeech.NET didn’t rewrite on a whim. Years of C++ maintenance revealed creeping complexity. Custom modules intertwined with Apache meant subtle bugs could cascade. Rust promised memory safety without garbage collection: its ownership model catches these at compile time. No runtime overhead, just compile-time guarantees. Cloudflare rewrote Pingora in Rust for similar reasons—handling 10%+ of their traffic now—proving it scales.
Security matters here. Hosting providers like NFSN attract scrutiny; a vuln in nfsncore could enable DDoS amplification or data leaks. C++’s footguns amplify that. Rust reduces attack surface by 50-90% in similar proxies, based on Microsoft’s security reports on Rust adoption. Cost-wise, fewer exploits mean less downtime—NFSN bills per usage, so reliability drives revenue.
The Rewrite: Methodical, Not Reckless
They didn’t big-bang it. Parallel Rust development ran alongside C++ for months. Feature parity first: replicate every check, route, and edge case. Tests mirrored production traffic—ACME challenges, wildcard redirects (rare but supported), broken requests. Fuzzing in both languages exposed C++ leaks Rust avoided.
Deployment staged across servers: shadow mode first, logging discrepancies. Zero divergence meant green light. Yesterday’s cutover: atomic swap, no rollback needed. Codebase shrank 20-30%—Rust’s types eliminate boilerplate checks C++ needed manually.
Skeptical take: Rust isn’t magic. Learning curve steepens for pointer-heavy code; borrow checker fights back initially. But for greenfield or rewrite, it pays. NFSN’s C++ was “incredibly you-cannot-fuck-this-up” critical—rewrite justified if safety gains hold. Early metrics: CPU down 15% on same load, latency stable.
Implications for Infra Teams
This validates Rust for hot-path proxies. If your C++/Go frontend handles auth/routing, audit memory bugs. Tools like AddressSanitizer help but don’t prevent; Rust does. Finance/crypto firms: apply here—exchanges proxy billions in trades; one overflow and funds vanish.
NFSN proves rewrites work with discipline. Don’t chase hype—measure your vulns first. Their C++ served fine, but future-proofing against exploits trumps inertia. In security-sensitive ops, that’s why this matters: one less vector for attackers, more uptime for business.
Word count: 612
