dvershinin/gixy

GIXY

License: Mozilla Public License 2.0

Note: Keep NGINX secure and up-to-date with maintained modules via the NGINX Extras RPM repository by GetPageSpeed.

Overview

Gixy is a tool to analyze NGINX configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.

Currently supported Python versions are 3.6 through 3.13.

Disclaimer: Gixy is well tested only on GNU/Linux, other OSs may have some issues.

What it can do

Gixy detects a wide range of security issues across these categories:

🔓 Injection & Forgery: SSRF · HTTP Splitting · Host Spoofing · Origin Bypass
🔐 TLS & Encryption: Weak SSL/TLS · HTTP/2 Misdirected Request · Version Disclosure
📂 Path Traversal: Alias Traversal · Proxy Pass Normalized
📋 Header Security: HSTS Header · Header Redefinition · Multiline Headers · Content-Type via add_header
🚦 Access Control: Allow Without Deny · Return Bypasses ACL · Valid Referers · Status Page Exposed
🌐 DNS & Resolver: External Resolver · Missing Resolver
⚙️ Config & Performance: ReDoS · Unanchored Regex · Invalid Regex · If Is Evil · Try Files Evil · Default Server · Hash Default · Error Log Off · Worker Limits · Low Keepalive

📖 Full documentation → · 🆕 Upcoming checks

Installation

CentOS/RHEL and other RPM-based systems

yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install gixy

Other systems

Gixy is distributed on PyPI. The best way to install it is with pip:

pip install gixy-ng

Usage

By default, Gixy analyzes the NGINX configuration at /etc/nginx/nginx.conf, but you can always specify another path:

$ gixy /etc/nginx/nginx.conf

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/dvershinin/gixy/blob/master/docs/en/checks/http-splitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

	server {

		location ~ /v1/((?<action>[^.]*)\.json)?$ {
			add_header X-Action $action;
		}
	}


==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1

Or skip some tests:

$ gixy --skips http_splitting /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0
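The Summary block above is what a CI job usually keys on. The following POSIX shell script is an added example, not part of gixy, and assumes only the report format shown above (it does not rely on gixy's exit status). The two sample reports embedded in it are constructed from that output, not captured from real runs.

```shell
#!/bin/sh
# Added example, not gixy's own code: gate a CI job on gixy's "Summary" block.
# Assumes the report format shown above; the severity names are the ones
# printed there (Unspecified, Low, Medium, High).

# count_severity NAME - read a gixy report on stdin and print the count shown
# for NAME in the Summary block; prints 0 if no such line exists.
count_severity() {
    awk -v want="$1:" '
        /^=+ Summary =+$/ { in_summary = 1; next }
        in_summary && $1 == want { print $2; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# gate_report LEVEL - read a report on stdin; succeed only when no issue at
# LEVEL ("high" or "medium") or above was reported.
gate_report() {
    report=$(cat)
    high=$(printf '%s\n' "$report" | count_severity High)
    medium=$(printf '%s\n' "$report" | count_severity Medium)
    case "$1" in
        high)   [ "$high" -eq 0 ] ;;
        medium) [ "$high" -eq 0 ] && [ "$medium" -eq 0 ] ;;
        *)      echo "gate_report: unknown level '$1'" >&2; return 2 ;;
    esac
}

# Constructed sample reports in the format shown above (not real gixy runs).
SAMPLE_REPORT='==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Reason: At least variable "$action" can contain "\n"

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1'

CLEAN_REPORT='==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0'

# Typical CI use (requires gixy on PATH): keep the full report as a build
# artifact and fail the job when anything rated High is found.
#   gixy /etc/nginx/nginx.conf | tee gixy-report.txt | gate_report high

# Stand-alone demo on the constructed samples.
if printf '%s\n' "$SAMPLE_REPORT" | gate_report high; then
    echo "sample report: pass"
else
    echo "sample report: blocked (High: $(printf '%s\n' "$SAMPLE_REPORT" | count_severity High))"
fi
if printf '%s\n' "$CLEAN_REPORT" | gate_report high; then
    echo "clean report: pass"
else
    echo "clean report: blocked"
fi
```

Because the gate reads the whole report from stdin, the full text can still be saved with tee for later review while the pipeline fails fast on High findings; switch the level to medium once the Medium findings in a configuration have been triaged.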

Auto-fix mode 🔧

Gixy can automatically fix many issues it detects:

# Preview what fixes would be applied (dry run)
$ gixy --fix-dry-run /etc/nginx/nginx.conf

🔍 Dry run - showing fixes that would be applied:

📝 /etc/nginx/nginx.conf
   [Insecure TLS protocols enabled]
   🔧 Use only TLSv1.2 and TLSv1.3
   - ssl_protocols TLSv1 TLSv1.1
   + ssl_protocols TLSv1.2 TLSv1.3

📊 1 fix(es) available to apply.
   Run with --fix to apply them.

# Apply fixes (creates .bak backup files)
$ gixy --fix /etc/nginx/nginx.conf

✅ Applied 1 fix(es) to /etc/nginx/nginx.conf

🎉 Applied 1 fix(es) successfully!
   Backup files created with .bak extension.

Use --no-backup to skip creating backup files.

All other gixy arguments are listed by the help command: gixy --help

Plugin options

Some plugins expose options which you can set via CLI flags or config file. CLI flags follow the pattern --<PluginName>-<option> with dashes, while config file uses [PluginName] sections with dashed keys.

  • origins:

    • --origins-domains domains: Comma-separated list of trusted registrable domains. Use * to disable third-party checks. Example: --origins-domains example.com,foo.bar. Default: *.
    • --origins-https-only true|false: When true, only the https scheme is considered valid for Origin/Referer. Default: false.
    • --origins-lower-hostname true|false: Normalize hostnames to lowercase before validation. Default: true.
  • add_header_redefinition:

    • --add-header-redefinition-headers headers: Comma-separated allowlist of header names (case-insensitive). When set, only dropped headers from this list will be reported; when unset, all dropped headers are reported. Example: --add-header-redefinition-headers x-frame-options,content-security-policy. Default: unset (report all).

Examples (config file):

[origins]
domains = example.com, example.org
https-only = true

[add_header_redefinition]
headers = x-frame-options, content-security-policy
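The mapping between the two forms is mechanical: a key under a [plugin_name] section corresponds to the flag --plugin-name-key, with underscores in the plugin name written as dashes. The following POSIX shell function is an added example, not gixy's own code, that renders a config file in the format shown above as the equivalent CLI flags; it assumes the simple "key = value" INI form used there and strips spaces inside comma-separated values so the result matches the documented flag form. The sample config embedded in it is the one from this section.

```shell
#!/bin/sh
# Added example, not gixy's own code: print the CLI flags equivalent to a gixy
# plugin config file. Rule assumed from the description above:
#   [plugin_name]        ->  --plugin-name-<key> <value>
#   key = a, b           ->  value "a,b" (spaces removed)

# config_to_flags [FILE] - print one "--flag value" line per option; reads
# stdin when no FILE is given.
config_to_flags() {
    awk '
        /^[ \t]*$/     { next }                 # blank line
        /^[ \t]*[#;]/  { next }                 # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                # [PluginName] section header
            section = $0
            gsub(/[][]/, "", section)           # drop the brackets
            gsub(/[ \t]/, "", section)
            gsub(/_/, "-", section)             # add_header_redefinition -> add-header-redefinition
            next
        }
        /=/ && section != "" {                  # key = value inside a section
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            printf "--%s-%s %s\n", section, key, val
        }
    ' "$@"
}

# Constructed sample config: the same two sections shown above.
SAMPLE_CONFIG='[origins]
domains = example.com, example.org
https-only = true

[add_header_redefinition]
headers = x-frame-options, content-security-policy'

# Stand-alone demo: prints
#   --origins-domains example.com,example.org
#   --origins-https-only true
#   --add-header-redefinition-headers x-frame-options,content-security-policy
printf '%s\n' "$SAMPLE_CONFIG" | config_to_flags

# To run gixy with those flags instead of a config file (requires gixy on PATH):
#   gixy $(config_to_flags gixy.cfg) /etc/nginx/nginx.conf
```

Keeping the options in a config file and generating the flags from it is handy when the same policy (trusted domains, watched headers) must be shared between a local run, a Docker invocation and a CI job.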

You can also make gixy use pipes (stdin), like so:

echo "resolver 1.1.1.1;" | gixy -

Docker usage

Gixy is available as a Docker image on Docker Hub. To use it, mount the configuration you want to analyse as a volume and pass the path to the configuration file when running the Gixy image.

$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf

If you have an image that already contains your nginx configuration, you can share the configuration with the Gixy container as a volume.

$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905

$ docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0

VS Code / Cursor Extension

VS Code Marketplace

Get real-time NGINX security analysis directly in your editor!

Install from VS Code Marketplace

Or via command line:

code --install-extension getpagespeed.gixy

See vscode-gixy for full documentation.

Kubernetes usage

If you are using the official NGINX Ingress Controller (https://github.com/nginx/kubernetes-ingress) rather than the Kubernetes community one, you can dump the generated configuration from the controller pod and pipe it into Gixy:

kubectl exec -it my-release-nginx-ingress-controller-54d96cb5cd-pvhx5 -- /bin/bash -c "cat /etc/nginx/conf.d/*" | docker run -i getpagespeed/gixy -

==================== Results ===================

>> Problem: [version_disclosure] Do not enable server_tokens on or server_tokens build
Severity: HIGH
Description: Using server_tokens on; or server_tokens build;  allows an attacker to learn the version of NGINX you are running, which can be used to exploit known vulnerabilities.
Additional info: https://gixy.getpagespeed.com/en/plugins/version_disclosure/
Reason: Using server_tokens value which promotes information disclosure
Pseudo config:

server {
	server_name XXXXX.dev;
	server_tokens on;
}

server {
	server_name XXXXX.dev;
	server_tokens on;
}

server {
	server_name XXXXX.dev;
	server_tokens on;
}

server {
	server_name XXXXX.dev;
	server_tokens on;
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 4

Contributing

Contributions to Gixy are always welcome! You can help us in different ways:

  • Open an issue with suggestions for improvements and errors you're facing;
  • Fork this repository and submit a pull request;
  • Improve the documentation.

Code guidelines:

  • Python code style should follow pep8 standards whenever possible;
  • Pull requests with new plugins must have unit tests for them.

Community guidelines:

  • Be respectful and constructive in discussions;
  • This project uses AI-assisted development - disparaging remarks about AI tooling are unwelcome;
  • Focus on the code and ideas, not the tools used to create them.
