GIXY
====
[![Mozilla Public License 2.0](https://img.shields.io/github/license/dvershinin/gixy.svg?style=flat-square)](https://github.com/dvershinin/gixy/blob/master/LICENSE)
[![Python tests](https://github.com/dvershinin/gixy/actions/workflows/pythonpackage.yml/badge.svg)](https://github.com/dvershinin/gixy/actions/workflows/pythonpackage.yml)
[![Your feedback is greatly appreciated](https://img.shields.io/maintenance/yes/2023.svg?style=flat-square)](https://github.com/dvershinin/gixy/issues/new)
[![GitHub issues](https://img.shields.io/github/issues/dvershinin/gixy.svg?style=flat-square)](https://github.com/dvershinin/gixy/issues)
[![GitHub pull requests](https://img.shields.io/github/issues-pr/dvershinin/gixy.svg?style=flat-square)](https://github.com/dvershinin/gixy/pulls)
# Overview
<img align="right" width="192" height="192" src="/docs/logo.png">
Gixy is a tool to analyze Nginx configuration.
The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 3.6, 3.7, 3.8 and 3.9.
Disclaimer: Gixy is well tested only on GNU/Linux; other OSs may have some issues.
# What it can do
Right now Gixy can find:
* [[ssrf] Server Side Request Forgery](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/ssrf.md)
* [[http_splitting] HTTP Splitting](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/httpsplitting.md)
* [[origins] Problems with referrer/origin validation](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/origins.md)
* [[add_header_redefinition] Redefinition of response headers by the "add_header" directive](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)
* [[host_spoofing] Request's Host header forgery](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/hostspoofing.md)
* [[valid_referers] none in valid_referers](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/validreferers.md)
* [[add_header_multiline] Multiline response headers](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/addheadermultiline.md)
* [[alias_traversal] Path traversal via misconfigured alias](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/aliastraversal.md)
* [[if_is_evil] If is evil when used in location context](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/if_is_evil.md)
* [[allow_without_deny] Allow specified without deny](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/allow_without_deny.md)
* [[add_header_content_type] Setting Content-Type via add_header](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/add_header_content_type.md)
* [[resolver_external] Using external DNS nameservers](https://blog.zorinaq.com/nginx-resolver-vulns/)
* [[version_disclosure] Using insecure values for server_tokens](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/version_disclosure.md)
You can find things that Gixy is learning to detect at [Issues labeled with "new plugin"](https://github.com/dvershinin/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22).
# Installation
## CentOS/RHEL and other RPM-based systems
```bash
yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install gixy
```
## Other systems
Gixy is distributed on [PyPI](https://pypi.python.org/pypi/gixy-ng). The best way to install it is with pip:
```bash
pip install gixy-ng
```
Run Gixy and check results:
```bash
gixy
```
# Usage
By default, Gixy will try to analyze Nginx configuration placed in `/etc/nginx/nginx.conf`.
But you can always specify the path you need:
```
$ gixy /etc/nginx/nginx.conf

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/dvershinin/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

	server {

		location ~ /v1/((?<action>[^.]*)\.json)?$ {
			add_header X-Action $action;
		}
	}


==================== Summary ===================
Total issues:
 Unspecified: 0
 Low: 0
 Medium: 0
 High: 1
```
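To show what a finding like the one above rests on, here is a miniature re-implementation of two of the checks from the plugin list, `http_splitting` and `alias_traversal`. This is an example added to this page, not Gixy's own code: it tokenises a flat nginx config, collects named regex captures from `location ~` blocks whose character class can match a newline, flags header/redirect directives that use them, and flags an `alias` ending in `/` inside a prefix location that does not. The sink-directive set, the tainted built-in variable set and the newline probe are assumptions of the example; Gixy performs a real regex analysis. The sample config is constructed and mirrors the pseudo config printed above.

```python
"""Miniature re-implementation of two Gixy-style checks (http_splitting and
alias_traversal). Illustrative example added to this page, not Gixy's own code;
the sink-directive and tainted-variable lists below are assumptions."""
import re

# Directives whose arguments end up in response headers or redirects (assumed list).
HEADER_SINKS = {"add_header", "proxy_set_header", "proxy_pass", "return", "rewrite"}
# Built-in variables nginx URL-decodes, so they may carry a raw "\n" (assumed list).
TAINTED_BUILTINS = {"uri", "document_uri"}

# Constructed sample: the first location is the one from the Gixy output above,
# the second captures with a class that cannot match "\n", the third is the
# classic alias traversal (prefix without trailing slash, alias path with one).
SAMPLE_CONFIG = """\
server {
    server_name example.test;
    location ~ /v1/((?<action>[^.]*)\\.json)?$ {
        add_header X-Action $action;
    }
    location ~ ^/img/(?<name>[a-z0-9]+)$ {
        add_header X-Image $name;
    }
    location /i {
        alias /data/w3/images/;
    }
    location /static/ {
        alias /data/w3/static/;
    }
}
"""

TOKEN_RE = re.compile(r"\s*(?:(\})|([^;{}]+?)\s*([;{]))", re.S)
VAR_RE = re.compile(r"\$(\w+)")


def tokenize(text):
    """Yield ("open", args), ("directive", args) or ("close", None) for a flat
    nginx config. Limitation: a '{' inside a location regex is not handled."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    for m in TOKEN_RE.finditer(text):
        if m.group(1):
            yield "close", None
        else:
            yield ("open" if m.group(3) == "{" else "directive"), m.group(2).split()


def named_groups(pattern):
    """Map each (?<name>...) or (?P<name>...) group to its inner sub-pattern,
    tracking nested parentheses and backslash escapes."""
    groups = {}
    for m in re.finditer(r"\(\?P?<(\w+)>", pattern):
        depth, i = 1, m.end()
        while i < len(pattern) and depth:
            ch = pattern[i]
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        groups[m.group(1)] = pattern[m.end():i - 1]
    return groups


def can_contain_newline(inner):
    """Heuristic: can the sub-pattern match text holding a newline? PCRE (nginx)
    and Python's re both exclude a newline from '.' by default, so probing with a
    few newline-bearing strings agrees for the common character classes."""
    try:
        return any(re.fullmatch(inner, probe) for probe in ("\n", "a\n", "\na", "a\nb"))
    except re.error:
        return True  # unparsable sub-pattern: report rather than silently pass


def scan(text):
    """Return (plugin, directive, details) findings for the two checks."""
    findings = []
    frames = []  # one per open block: (tainted vars captured here, prefix path or None)
    for kind, args in tokenize(text):
        if kind == "close":
            if frames:
                frames.pop()
            continue
        if not args:
            continue
        if kind == "open":
            taint, prefix = set(), None
            if args[0] == "location" and len(args) >= 2:
                modifier = args[1] if len(args) == 3 else ""
                path = args[-1]
                if modifier in ("~", "~*"):
                    taint = {n for n, inner in named_groups(path).items() if can_contain_newline(inner)}
                elif modifier in ("", "^~"):
                    prefix = path
            frames.append((taint, prefix))
            continue
        directive = " ".join(args)
        if args[0] in HEADER_SINKS:
            in_scope = set(TAINTED_BUILTINS).union(*(t for t, _ in frames))
            bad = sorted(set(VAR_RE.findall(directive)) & in_scope)
            if bad:
                findings.append(("http_splitting", directive, bad))
        if args[0] == "alias" and len(args) == 2 and frames:
            prefix = frames[-1][1]
            if prefix and not prefix.endswith("/") and args[1].endswith("/"):
                findings.append(("alias_traversal", directive, [prefix]))
    return findings


if __name__ == "__main__":
    for plugin, directive, details in scan(SAMPLE_CONFIG):
        print(f"[{plugin}] {directive}  ({', '.join(details)})")
```

Run stand-alone it reports the `add_header X-Action $action` line (the `action` capture is `[^.]*`, which matches a newline) and the `alias /data/w3/images/` line under `location /i`, while the `[a-z0-9]+` capture and the `location /static/` block pass. The same tokenizer and capture analysis are what make the `--skips` option above meaningful: each check is an independent rule over the parsed tree.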
Or skip some tests:
```
$ gixy --skips http_splitting /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
 Unspecified: 0
 Low: 0
 Medium: 0
 High: 0
```
All other `gixy` arguments are listed by the help command: `gixy --help`

You can also make `gixy` read the configuration from a pipe (stdin), like so:
```bash
echo "resolver 1.1.1.1;" | gixy -
```
## Docker usage
Gixy is available as a Docker image [from the Docker hub](https://hub.docker.com/r/getpagespeed/gixy/). To
use it, mount the configuration that you want to analyse as a volume and provide the path to the
configuration file when running the Gixy image.
```
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf
```
If you have an image that already contains your nginx configuration, you can share the configuration
with the Gixy container as a volume.
```
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905

$ docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
 Unspecified: 0
 Low: 0
 Medium: 0
 High: 0
```
# Contributing
Contributions to Gixy are always welcome! You can help us in different ways:
* Open an issue with suggestions for improvements and errors you're facing;
* Fork this repository and submit a pull request;
* Improve the documentation.
Code guidelines:
* Python code style should follow [pep8](https://www.python.org/dev/peps/pep-0008/) standards whenever possible;
* Pull requests with new plugins must include unit tests for them.
Raw data
{
"_id": null,
"home_page": "https://github.com/dvershinin/gixy",
"name": "gixy-ng",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "nginx security lint static-analysis",
"author": "Yandex IS Team, GetPageSpeed LLC",
"author_email": "buglloc@yandex.ru, info@getpagespeed.com",
"download_url": "https://files.pythonhosted.org/packages/ed/63/a4eae1cfc5384ed62a08247f7f4bfa80a4a410e1355c4f12fce08ed35110/gixy-ng-0.1.24.tar.gz",
"platform": null,
"description": "(identical to the README text above; omitted here)",
"bugtrack_url": null,
"license": "",
"summary": "NGINX configuration [sec]analyzer",
"version": "0.1.24",
"project_urls": {
"Homepage": "https://github.com/dvershinin/gixy"
},
"split_keywords": [
"nginx",
"security",
"lint",
"static-analysis"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "0a96645cf41a24f087ee9cf7cd1286d2d1b9dacfa789876df27f7b7935b2efbe",
"md5": "3a10c146da11f4673e2b582869af6876",
"sha256": "eb6e5face34347328137735716aae99c4b4b67383eeb617c69955071bd6179a6"
},
"downloads": -1,
"filename": "gixy_ng-0.1.24-py3-none-any.whl",
"has_sig": false,
"md5_digest": "3a10c146da11f4673e2b582869af6876",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 59958,
"upload_time": "2024-01-14T04:08:41",
"upload_time_iso_8601": "2024-01-14T04:08:41.718015Z",
"url": "https://files.pythonhosted.org/packages/0a/96/645cf41a24f087ee9cf7cd1286d2d1b9dacfa789876df27f7b7935b2efbe/gixy_ng-0.1.24-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "ed63a4eae1cfc5384ed62a08247f7f4bfa80a4a410e1355c4f12fce08ed35110",
"md5": "fa14fe2f2bfd96b1b9e537fe64239c7d",
"sha256": "59ec74256e6e6a704b2f596e9236104fc1d945496a7b34a0547f14ee96aca9de"
},
"downloads": -1,
"filename": "gixy-ng-0.1.24.tar.gz",
"has_sig": false,
"md5_digest": "fa14fe2f2bfd96b1b9e537fe64239c7d",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 64056,
"upload_time": "2024-01-14T04:08:43",
"upload_time_iso_8601": "2024-01-14T04:08:43.388970Z",
"url": "https://files.pythonhosted.org/packages/ed/63/a4eae1cfc5384ed62a08247f7f4bfa80a4a410e1355c4f12fce08ed35110/gixy-ng-0.1.24.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-01-14 04:08:43",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "dvershinin",
"github_project": "gixy",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"tox": true,
"lcname": "gixy-ng"
}