Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 2.7 and 3.5+.
Disclaimer: Gixy is well tested only on GNU/Linux, other OSs may have some issues.
Right now Gixy can find:
You can find things that Gixy is learning to detect at Issues labeled with "new plugin"
Gixy is distributed on PyPI. The best way to install it is with pip:
pip install gixy
Run Gixy and check results:
gixy
By default Gixy will try to analyze Nginx configuration placed in /etc/nginx/nginx.conf
.
But you can always specify needed path:
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;
server {
location ~ /v1/((?<action>[^.]*)\.json)?$ {
add_header X-Action $action;
}
}
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
Or skip some tests:
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
Or something else, you can find all other gixy
arguments with the help command: gixy --help
Contributions to Gixy are always welcome! You can help us in different ways:
Code guidelines: