Note
Keep NGINX secure and up-to-date with maintained modules via NGINX Extras RPM repository by GetPageSpeed.
Gixy is a tool to analyze NGINX configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 3.6 through 3.13.
Disclaimer: Gixy is well tested only on GNU/Linux, other OSs may have some issues.
Gixy detects a wide range of security issues across these categories:
| Category | Security Checks |
|---|---|
| π Injection & Forgery | SSRF Β· HTTP Splitting Β· Host Spoofing Β· Origin Bypass |
| π TLS & Encryption | Weak SSL/TLS Β· HTTP/2 Misdirected Request Β· Version Disclosure |
| π Path Traversal | Alias Traversal Β· Proxy Pass Normalized |
| π Header Security | HSTS Header Β· Header Redefinition Β· Multiline Headers Β· Content-Type via add_header |
| π¦ Access Control | Allow Without Deny Β· Return Bypasses ACL Β· Valid Referers Β· Status Page Exposed |
| π DNS & Resolver | External Resolver Β· Missing Resolver |
| βοΈ Config & Performance | ReDoS Β· Unanchored Regex Β· Invalid Regex Β· If Is Evil Β· Try Files Evil Β· Default Server Β· Hash Default Β· Error Log Off Β· Worker Limits Β· Low Keepalive |
π Full documentation β Β· π Upcoming checks
yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install gixyGixy is distributed on PyPI. The best way to install it is with pip:
pip install gixy-ngBy default, Gixy will try to analyze NGINX configuration placed in /etc/nginx/nginx.conf.
But you can always specify the needed path:
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/dvershinin/gixy/blob/master/docs/en/checks/http-splitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;
server {
location ~ /v1/((?<action>[^.]*)\.json)?$ {
add_header X-Action $action;
}
}
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
Or skip some tests:
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
Gixy can automatically fix many issues it detects:
# Preview what fixes would be applied (dry run)
$ gixy --fix-dry-run /etc/nginx/nginx.conf
π Dry run - showing fixes that would be applied:
π /etc/nginx/nginx.conf
[Insecure TLS protocols enabled]
π§ Use only TLSv1.2 and TLSv1.3
- ssl_protocols TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2 TLSv1.3
π 1 fix(es) available to apply.
Run with --fix to apply them.# Apply fixes (creates .bak backup files)
$ gixy --fix /etc/nginx/nginx.conf
β
Applied 1 fix(es) to /etc/nginx/nginx.conf
π Applied 1 fix(es) successfully!
Backup files created with .bak extension.Use --no-backup to skip creating backup files.
Or something else, you can find all other gixy arguments with the help command: gixy --help
Some plugins expose options which you can set via CLI flags or config file. CLI flags follow the pattern --<PluginName>-<option> with dashes, while config file uses [PluginName] sections with dashed keys.
-
origins:--origins-domains domains: Comma-separated list of trusted registrable domains. Use*to disable thirdβparty checks. Example:--origins-domains example.com,foo.bar. Default:*.--origins-https-only true|false: When true, only thehttpsscheme is considered valid forOrigin/Referer. Default:false.--origins-lower-hostname true|false: Normalize hostnames to lowercase before validation. Default:true.
-
add_header_redefinition:--add-header-redefinition-headers headers: Comma-separated allowlist of header names (case-insensitive). When set, only dropped headers from this list will be reported; when unset, all dropped headers are reported. Example:--add-header-redefinition-headers x-frame-options,content-security-policy. Default: unset (report all).
Examples (config file):
[origins]
domains = example.com, example.org
https-only = true
[add_header_redefinition]
headers = x-frame-options, content-security-policy
You can also make gixy use pipes (stdin), like so:
echo "resolver 1.1.1.1;" | gixy -Gixy is available as a Docker image from the Docker hub. To use it, mount the configuration that you want to analyse as a volume and provide the path to the configuration file when running the Gixy image.
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf
If you have an image that already contains your nginx configuration, you can share the configuration with the Gixy container as a volume.
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
$ docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
Get real-time NGINX security analysis directly in your editor!
Install from VS Code Marketplace
Or via command line:
code --install-extension getpagespeed.gixySee vscode-gixy for full documentation.
Given you are using the official NGINX ingress controller, not the kubernetes one, you can use this https://github.com/nginx/kubernetes-ingress
kubectl exec -it my-release-nginx-ingress-controller-54d96cb5cd-pvhx5 -- /bin/bash -c "cat /etc/nginx/conf.d/*" | docker run -i getpagespeed/gixy -
==================== Results ===================
>> Problem: [version_disclosure] Do not enable server_tokens on or server_tokens build
Severity: HIGH
Description: Using server_tokens on; or server_tokens build; allows an attacker to learn the version of NGINX you are running, which can be used to exploit known vulnerabilities.
Additional info: https://gixy.getpagespeed.com/en/plugins/version_disclosure/
Reason: Using server_tokens value which promotes information disclosure
Pseudo config:
server {
server_name XXXXX.dev;
server_tokens on;
}
server {
server_name XXXXX.dev;
server_tokens on;
}
server {
server_name XXXXX.dev;
server_tokens on;
}
server {
server_name XXXXX.dev;
server_tokens on;
}
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 4
Contributions to Gixy are always welcome! You can help us in different ways:
- Open an issue with suggestions for improvements and errors you're facing;
- Fork this repository and submit a pull request;
- Improve the documentation.
Code guidelines:
- Python code style should follow pep8 standards whenever possible;
- Pull requests with new plugins must have unit tests for them.
Community guidelines:
- Be respectful and constructive in discussions;
- This project uses AI-assisted development - disparaging remarks about AI tooling are unwelcome;
- Focus on the code and ideas, not the tools used to create them.