GIXY is a powerful tool designed to analyze NGINX configurations, aiming to prevent security misconfigurations and automatically detect flaws. With support for multiple Python versions, it serves as a valuable asset for system administrators keen on enhancing the security of their web servers.
Gixy is a static analysis tool designed to scrutinize NGINX configurations, effectively preventing security misconfigurations and automating vulnerability detection. This actively maintained fork of the original Gixy project by Yandex LLC supports Python versions ranging from 3.6 to 3.13, delivering robust functionality primarily on GNU/Linux systems.
Key Features
Gixy can identify various security issues, including but not limited to:
- Server Side Request Forgery (SSRF): Vulnerabilities that allow attackers to access internal resources through HTTP requests.
- HTTP Splitting: Risks arising from misuse of variables that may lead to HTTP header injection.
- Referrer/Origin Validation Issues: Problems concerning the validation of HTTP referrer or origin headers.
- Redefinition of Response Headers: Identifying instances where response headers are improperly defined multiple times using the add_header directive.
- Host Header Forgery: Flagging configurations that are exposed to a forged Host header.
- Multiline Response Headers: Detects potentially problematic multiline headers.
Additional checks cover further issues, including version disclosure and allow without deny (an allow directive with no accompanying deny).
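To illustrate the add_header redefinition check described above, here is an added Python example (not Gixy's own code or parser) that parses a small constructed NGINX config and reports the headers a location silently drops by declaring its own add_header; NGINX inherits add_header only when the child level defines none of its own.

```python
import re

# Constructed sample config (not from the Gixy project): the server block
# sets two security headers, but the /api/ location declares its own
# add_header, so NGINX no longer inherits the server-level headers there.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        location /static/ {
            root /var/www;
        }
        location /api/ {
            add_header Cache-Control no-store;
            proxy_pass http://backend;
        }
    }
}
"""

def parse_nginx(text):
    """Build a tree of (block_name, directives, children) from config text."""
    root = ('main', [], [])
    stack, buf = [root], ''
    for piece in re.split(r'([{};])', re.sub(r'#.*', '', text)):
        if piece == '{':                       # text before '{' names the block
            block = (buf.strip(), [], [])
            stack[-1][2].append(block)
            stack.append(block)
        elif piece == ';':                     # text before ';' is one directive
            if buf.split():
                stack[-1][1].append(buf.split())
        elif piece == '}':
            stack.pop()
        else:
            buf = piece
            continue
        buf = ''
    return root

def find_dropped_headers(text):
    """Return (block_name, [lost header names]) for every block whose own
    add_header directives cause inherited parent headers to be dropped."""
    findings = []

    def headers_of(block):
        return {d[1].lower() for d in block[1] if d[0] == 'add_header' and len(d) > 1}

    def walk(block, inherited):
        own = headers_of(block)
        if own and inherited - own:
            findings.append((block[0], sorted(inherited - own)))
        for child in block[2]:
            walk(child, own if own else inherited)

    walk(parse_nginx(text), set())
    return findings

if __name__ == '__main__':
    for block, lost in find_dropped_headers(SAMPLE_CONF):
        print(f"{block}: drops inherited header(s) {', '.join(lost)}")
```

The fix is to repeat the parent's headers in the child location (or move shared headers into an included snippet), after which the function reports nothing.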
Usage
By default, Gixy analyzes the NGINX configuration file located at /etc/nginx/nginx.conf. Users can specify a different path as needed:
gixy /path/to/your/nginx.conf
For instance, to analyze the default configuration file explicitly:
gixy /etc/nginx/nginx.conf
Alternatively, users can skip specific tests when necessary:
gixy --skips http_splitting /etc/nginx/nginx.conf
Gixy can also accept standard input, allowing for flexibility in analyzing config streams:
echo "resolver 1.1.1.1;" | gixy -
Docker Support
Gixy is conveniently available as a Docker image, enabling seamless analysis through the following command:
docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf
For users already operating an NGINX container, configurations can be shared using volumes:
docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf
Contributions
Community contributions are vital to the development of Gixy. Contributions can include:
- Reporting issues or suggesting improvements.
- Forking the repository to develop and submit pull requests.
- Enhancing documentation to support users better.
The project adheres to Python's PEP 8 standards for code styling and requires unit testing for new plugin submissions.