This is an actively maintained fork of the original Gixy project by Yandex LLC.
Gixy is a tool to analyze NGINX configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 3.6 through 3.13.
Disclaimer: Gixy is well tested only on GNU/Linux; other OSes may have some issues.
Right now Gixy can find:
- [ssrf] Server Side Request Forgery
- [http_splitting] HTTP Splitting
- [origins] Problems with referrer/origin validation
- [add_header_redefinition] Redefining of response headers by "add_header" directive
- [host_spoofing] Request's Host header forgery
- [valid_referers] none in valid_referers
- [add_header_multiline] Multiline response headers
- [alias_traversal] Path traversal via misconfigured alias
- [if_is_evil] If is evil when used in location context
- [allow_without_deny] Allow specified without deny
- [add_header_content_type] Setting Content-Type via add_header
- [resolver_external] Using external DNS nameservers
- [version_disclosure] Using insecure values for server_tokens
- [try_files_is_evil_too] The try_files directive is evil without open_file_cache
- [proxy_pass_normalized] proxy_pass will decode and normalize paths when specified with a path
- [worker_rlimit_nofile_vs_connections] worker_rlimit_nofile must be at least twice worker_connections
- [error_log_off] error_log set to off
- [unanchored_regex] Regular expression without anchors
You can find the checks Gixy is learning to detect in the issues labeled "new plugin".
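To make concrete what some of the checks above look at, here is a toy checker that re-implements four of them over a constructed nginx.conf. It is an added illustration, not Gixy's own code: it reads the config line by line (one statement or one block opener/closer per line, no include handling, plugin ids taken from the list above), whereas Gixy parses the full nginx grammar and reports many more conditions.

```python
"""Toy re-implementation of four Gixy checks; illustration only, not Gixy's code."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    plugin: str   # plugin id, named as in the list above
    line: int     # line number inside the config text
    reason: str


_DIRECTIVE = re.compile(r'^(\S+)\s*(.*?)\s*;$')
_BLOCK_OPEN = re.compile(r'^(\S+)\s*(.*?)\s*\{$')


def parse(config_text):
    """Yield (line_no, enclosing_blocks, directive, args) for each simple statement."""
    stack = []  # (block_name, block_args), innermost last
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split('#', 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line == '}':
            stack.pop()
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2)))
            continue
        m = _DIRECTIVE.match(line)
        if m:
            yield line_no, list(stack), m.group(1), m.group(2)


def check(config_text):
    """Return a list of Finding; an empty list means none of the toy checks fired."""
    findings = []
    limits = {}
    for line_no, stack, name, args in parse(config_text):
        parent = stack[-1] if stack else ('main', '')
        if name == 'server_tokens' and args in ('on', 'build'):
            findings.append(Finding('version_disclosure', line_no,
                f'server_tokens {args}; exposes the NGINX version'))
        elif name == 'error_log' and args == 'off':
            findings.append(Finding('error_log_off', line_no,
                'error_log off; does not disable logging, it logs to a file named "off"'))
        elif name == 'alias' and parent[0] == 'location':
            loc = parent[1].split()
            # Only plain prefix locations: a modifier (=, ~, ~*, ^~) would give two tokens.
            if len(loc) == 1 and not loc[0].endswith('/') and args.endswith('/'):
                findings.append(Finding('alias_traversal', line_no,
                    f'location {loc[0]} lacks a trailing slash while alias {args} has one, '
                    'so the prefix can be extended past the alias directory'))
        elif name == 'worker_rlimit_nofile' and parent[0] == 'main':
            limits['rlimit'] = (int(args), line_no)
        elif name == 'worker_connections' and parent[0] == 'events':
            limits['connections'] = (int(args), line_no)
    if 'rlimit' in limits and 'connections' in limits:
        rlimit, line_no = limits['rlimit']
        needed = 2 * limits['connections'][0]
        if rlimit < needed:
            findings.append(Finding('worker_rlimit_nofile_vs_connections', line_no,
                f'worker_rlimit_nofile {rlimit} is below twice worker_connections ({needed})'))
    return findings


# Constructed sample configs (not from the page): one with all four problems, one corrected.
BAD_CONFIG = """\
worker_rlimit_nofile 1024;
events {
    worker_connections 1024;
}
http {
    server {
        server_name example.test;
        server_tokens on;
        error_log off;
        location /img {
            alias /srv/static/images/;
        }
    }
}
"""

GOOD_CONFIG = """\
worker_rlimit_nofile 2048;
events {
    worker_connections 1024;
}
http {
    server {
        server_name example.test;
        server_tokens off;
        error_log /var/log/nginx/error.log;
        location /img/ {
            alias /srv/static/images/;
        }
    }
}
"""

if __name__ == '__main__':
    for cfg_name, cfg in (('BAD_CONFIG', BAD_CONFIG), ('GOOD_CONFIG', GOOD_CONFIG)):
        print(f'== {cfg_name}')
        for f in check(cfg):
            print(f'  line {f.line}: [{f.plugin}] {f.reason}')
```

Running it reports four findings for BAD_CONFIG and none for GOOD_CONFIG; the corrected config shows the usual fixes (server_tokens off, a real error_log path, matching trailing slashes on location and alias, and worker_rlimit_nofile at least 2 x worker_connections).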
On RHEL/CentOS-based systems you can install Gixy from the GetPageSpeed RPM repository:
yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install gixy
Gixy is distributed on PyPI. The best way to install it is with pip:
pip install gixy-ng
Run Gixy and check results:
By default, Gixy analyzes the NGINX configuration at /etc/nginx/nginx.conf, but you can always specify the path you need:
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;
server {
location ~ /v1/((?<action>[^.]*)\.json)?$ {
add_header X-Action $action;
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
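The http_splitting report above fires because nginx applies the location regex to the percent-decoded URI and a negated class such as [^.]* also matches CR and LF, so $action can carry a line break into add_header. The following added example (not from the page or from Gixy) mirrors that behaviour in Python and shows two defensive measures: a tighter capture class (the [^./\s]* pattern is an assumed fix, not one the page prescribes) and a header builder that refuses values containing CR or LF.

```python
"""Why [^.]* in a capturing location regex leads to header injection; illustration only."""
import re
from urllib.parse import unquote

# The regex from the report above, in Python syntax ((?P<name>...) instead of (?<name>...)).
VULN_LOCATION = re.compile(r'/v1/((?P<action>[^.]*)\.json)?$')
# Assumed fix: exclude whitespace (which covers \r and \n) and '/' from the capture.
SAFE_LOCATION = re.compile(r'/v1/((?P<action>[^./\s]*)\.json)?$')


def capture_action(location_re, raw_uri):
    """Decode the URI as nginx does before location matching; return $action or None."""
    decoded = unquote(raw_uri)
    m = location_re.search(decoded)   # nginx regex locations are not anchored at the start
    if m is None or m.group('action') is None:
        return None
    return m.group('action')


def header_value_is_safe(value):
    """A response header value must not contain CR or LF."""
    return '\r' not in value and '\n' not in value


def build_header(name, value):
    """Assemble the header line as it would appear on the wire, or refuse to."""
    if not header_value_is_safe(value):
        raise ValueError(f'refusing to emit {name}: value contains a line break')
    return f'{name}: {value}\r\n'


# Constructed test inputs (not from the page): a benign path and one with an encoded CRLF.
BENIGN_URI = '/v1/report.json'
CRLF_URI = '/v1/report%0D%0AX-Injected:%201.json'

if __name__ == '__main__':
    for uri in (BENIGN_URI, CRLF_URI):
        for label, loc in (('vulnerable', VULN_LOCATION), ('fixed', SAFE_LOCATION)):
            action = capture_action(loc, uri)
            if action is None:
                print(f'{label}: {uri!r} does not match the location')
                continue
            try:
                print(f'{label}: {build_header("X-Action", action)!r}')
            except ValueError as exc:
                print(f'{label}: {exc}')
```

With the vulnerable regex the decoded CRLF survives into $action and build_header rejects it; with the tightened class the same request simply does not match the location, while the benign request still yields the expected value in both cases.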
Or skip some tests:
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
For everything else, you can find all other Gixy arguments with the help command: gixy --help
You can also make Gixy read from a pipe (stdin), like so:
echo "resolver;" | gixy -
Gixy is available as a Docker image from Docker Hub. To use it, mount the configuration that you want to analyse as a volume and pass the path to the configuration file when running the Gixy image.
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf
If you have an image that already contains your nginx configuration, you can share the configuration with the Gixy container as a volume.
$ docker run --rm --name nginx -d -v /etc/nginx
$ docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
If you are using the official NGINX ingress controller (https://github.com/nginx/kubernetes-ingress) rather than the Kubernetes community one, you can pipe the generated configuration into Gixy like this:
kubectl exec -it my-release-nginx-ingress-controller-54d96cb5cd-pvhx5 -- /bin/bash -c "cat /etc/nginx/conf.d/*" | docker run -i getpagespeed/gixy -
==================== Results ===================
>> Problem: [version_disclosure] Do not enable server_tokens on or server_tokens build
Severity: HIGH
Description: Using server_tokens on; or server_tokens build; allows an attacker to learn the version of NGINX you are running, which can be used to exploit known vulnerabilities.
Additional info: https://gixy.getpagespeed.com/en/plugins/version_disclosure/
Reason: Using server_tokens value which promotes information disclosure
Pseudo config:
server {
server_name XXXXX.dev;
server_tokens on;
server {
server_name XXXXX.dev;
server_tokens on;
server {
server_name XXXXX.dev;
server_tokens on;
server {
server_name XXXXX.dev;
server_tokens on;
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 4
Contributions to Gixy are always welcome! You can help us in different ways:
- Open an issue with suggestions for improvements and errors you're facing;
- Fork this repository and submit a pull request;
- Improve the documentation.
Code guidelines:
- Python code style should follow PEP 8 whenever possible;
- Pull requests that add new plugins must include unit tests for them.