GIXY
====
[![Mozilla Public License 2.0](https://img.shields.io/github/license/dvershinin/gixy.svg?style=flat-square)](https://github.com/dvershinin/gixy/blob/master/LICENSE)
[![Python tests](https://github.com/dvershinin/gixy/actions/workflows/pythonpackage.yml/badge.svg)](https://github.com/dvershinin/gixy/actions/workflows/pythonpackage.yml)
[![Your feedback is greatly appreciated](https://img.shields.io/maintenance/yes/2023.svg?style=flat-square)](https://github.com/dvershinin/gixy/issues/new)
[![GitHub issues](https://img.shields.io/github/issues/dvershinin/gixy.svg?style=flat-square)](https://github.com/dvershinin/gixy/issues)
[![GitHub pull requests](https://img.shields.io/github/issues-pr/dvershinin/gixy.svg?style=flat-square)](https://github.com/dvershinin/gixy/pulls)
> [!TIP]
> This is an **actively maintained fork** of the original [Gixy](https://github.com/yandex/gixy) project by **Yandex LLC**.
# Overview
<img align="right" width="192" height="192" src="docs/gixy.png">
Gixy is a tool to analyze Nginx configuration.
The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 3.6, 3.7, 3.8 and 3.9.
Disclaimer: Gixy is well tested only on GNU/Linux; other OSs may have some issues.
# What it can do
Right now Gixy can find:
* [[ssrf] Server Side Request Forgery](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/ssrf.md)
* [[http_splitting] HTTP Splitting](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/httpsplitting.md)
* [[origins] Problems with referrer/origin validation](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/origins.md)
* [[add_header_redefinition] Redefining of response headers by "add_header" directive](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)
* [[host_spoofing] Request's Host header forgery](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/hostspoofing.md)
* [[valid_referers] none in valid_referers](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/validreferers.md)
* [[add_header_multiline] Multiline response headers](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/addheadermultiline.md)
* [[alias_traversal] Path traversal via misconfigured alias](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/aliastraversal.md)
* [[if_is_evil] If is evil when used in location context](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/if_is_evil.md)
* [[allow_without_deny] Allow specified without deny](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/allow_without_deny.md)
* [[add_header_content_type] Setting Content-Type via add_header](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/add_header_content_type.md)
* [[resolver_external] Using external DNS nameservers](https://blog.zorinaq.com/nginx-resolver-vulns/)
* [[version_disclosure] Using insecure values for server_tokens](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/version_disclosure.md)
* [[try_files_is_evil_too] The try_files directive is evil without open_file_cache](https://www.getpagespeed.com/server-setup/nginx-try_files-is-evil-too)
You can find things that Gixy is learning to detect at [Issues labeled with "new plugin"](https://github.com/dvershinin/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22)
# Installation
## CentOS/RHEL and other RPM-based systems
```bash
yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install gixy
```
### Other systems
Gixy is distributed on [PyPI](https://pypi.python.org/pypi/gixy-ng). The best way to install it is with pip:
```bash
pip install gixy-ng
```
Run Gixy and check results:
```bash
gixy
```
# Usage
By default, Gixy will try to analyze NGINX configuration placed in `/etc/nginx/nginx.conf`.
But you can always specify the needed path:
```
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/dvershinin/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

	server {

		location ~ /v1/((?<action>[^.]*)\.json)?$ {
			add_header X-Action $action;
		}
	}

==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 1
```
Or skip some tests:
```
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 0
```
You can find all other `gixy` arguments with the help command: `gixy --help`.
You can also feed `gixy` a configuration on stdin (pipes), like so:
```bash
echo "resolver 1.1.1.1;" | gixy -
```
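To make the `http_splitting` report above concrete, here is an added example (not gixy's own code) of the check in miniature: it pulls the named captures out of a regex `location`, tests whether each capture can swallow a CR/LF, and flags any `add_header` in that block that interpolates such a capture. The two config strings are constructed for the demo; the first mirrors the flagged `location`/`add_header` pair, the second tightens the capture so the header can no longer carry a newline.

```python
import re

# Constructed nginx snippets (not from gixy's own test-suite): the first mirrors the
# location/add_header pair gixy reported above, the second tightens the capture.
VULNERABLE_CONF = r'server { location ~ /v1/((?<action>[^.]*)\.json)?$ { add_header X-Action $action; } }'
HARDENED_CONF = r'server { location ~ /v1/((?<action>[A-Za-z0-9_-]+)\.json)?$ { add_header X-Action $action; } }'

LOCATION_RE = re.compile(r'location\s+~\*?\s+"?(?P<regex>\S+?)"?\s*\{')
ADD_HEADER_RE = re.compile(r'add_header\s+(?P<name>\S+)\s+(?P<value>[^;]+);')

def span_to_close(text, start, opener, closer):
    # Index of the closer matching an opener consumed just before `start`;
    # skips backslash-escaped characters (enough for regexes and config blocks).
    depth, j = 1, start
    while j < len(text) and depth:
        if text[j] == '\\':
            j += 1
        elif text[j] == opener:
            depth += 1
        elif text[j] == closer:
            depth -= 1
        j += 1
    return j - 1

def named_captures(regex):
    # {name: sub-pattern} for every PCRE (?<name>...) group in a location regex.
    groups = {}
    for m in re.finditer(r'\(\?<(\w+)>', regex):
        groups[m.group(1)] = regex[m.end():span_to_close(regex, m.end(), '(', ')')]
    return groups

def allows_newline(subpattern):
    # Header-injection precondition: can the capture swallow CR/LF? nginx uses
    # PCRE; Python's re is close enough for the character classes seen here.
    return re.fullmatch(subpattern, "a\r\nb") is not None

def find_http_splitting(conf):
    # (header, variable) pairs where add_header interpolates a newline-capable
    # named capture from the enclosing regex location.
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        unsafe = {n for n, p in named_captures(loc.group('regex')).items() if allows_newline(p)}
        body = conf[loc.end():span_to_close(conf, loc.end(), '{', '}')]
        for hdr in ADD_HEADER_RE.finditer(body):
            used = set(re.findall(r'\$(\w+)', hdr.group('value')))
            findings.extend((hdr.group('name'), v) for v in sorted(used & unsafe))
    return findings

if __name__ == '__main__':
    print(find_http_splitting(VULNERABLE_CONF), find_http_splitting(HARDENED_CONF))
```

The vulnerable snippet yields `[('X-Action', 'action')]` and the hardened one yields nothing, which is the same distinction gixy draws; the real plugin additionally tracks variables across `set`, `rewrite` and `proxy_*` directives.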
## Docker usage
Gixy is available as a Docker image [from the Docker hub](https://hub.docker.com/r/getpagespeed/gixy/). To
use it, mount the configuration that you want to analyse as a volume and provide the path to the
configuration file when running the Gixy image.
```
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf
```
If you have an image that already contains your nginx configuration, you can share the configuration
with the Gixy container as a volume.
```
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
$ docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 0
```
# Contributing
Contributions to Gixy are always welcome! You can help us in different ways:
* Open an issue with suggestions for improvements and errors you're facing;
* Fork this repository and submit a pull request;
* Improve the documentation.
Code guidelines:
* Python code style should follow [pep8](https://www.python.org/dev/peps/pep-0008/) standards whenever possible;
* Pull requests that add new plugins must include unit tests for them.