GIXY
====
> [!NOTE]
> Keep NGINX secure and up-to-date with maintained modules via [NGINX Extras RPM repository by GetPageSpeed](https://nginx-extras.getpagespeed.com/).
# Overview
<img align="right" width="192" height="192" src="docs/gixy.png">
Gixy is a tool to analyze NGINX configuration.
The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 3.6 through 3.13.
Disclaimer: Gixy is well tested only on GNU/Linux, other OSs may have some issues.
# What it can do
Right now Gixy can find:
* [[ssrf] Server Side Request Forgery](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/ssrf.md)
* [[http_splitting] HTTP Splitting](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/httpsplitting.md)
* [[origins] Problems with referrer/origin validation](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/origins.md)
* [[add_header_redefinition] Redefining of response headers by "add_header" directive](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)
* [[host_spoofing] Request's Host header forgery](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/hostspoofing.md)
* [[valid_referers] none in valid_referers](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/validreferers.md)
* [[add_header_multiline] Multiline response headers](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/addheadermultiline.md)
* [[alias_traversal] Path traversal via misconfigured alias](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/aliastraversal.md)
* [[if_is_evil] If is evil when used in location context](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/if_is_evil.md)
* [[allow_without_deny] Allow specified without deny](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/allow_without_deny.md)
* [[add_header_content_type] Setting Content-Type via add_header](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/add_header_content_type.md)
* [[resolver_external] Using external DNS nameservers](https://gixy.getpagespeed.com/en/plugins/resolver_external/)
* [[version_disclosure] Using insecure values for server_tokens](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/version_disclosure.md)
* [[try_files_is_evil_too] The `try_files` directive is evil without open_file_cache](https://www.getpagespeed.com/server-setup/nginx-try_files-is-evil-too)
* [[proxy_pass_normalized] `proxy_pass` will decode and normalize paths when specified with a path](https://gixy.getpagespeed.com/en/plugins/proxy_pass_normalized/)
* [[worker_rlimit_nofile_vs_connections] `worker_rlimit_nofile` must be at least twice `worker_connections`](https://gixy.getpagespeed.com/en/plugins/worker_rlimit_nofile_vs_connections/)
* [[error_log_off] `error_log` set to `off`](https://gixy.getpagespeed.com/en/plugins/error_log_off/)
* [[unanchored_regex] Regular expression without anchors](https://gixy.getpagespeed.com/en/plugins/unanchored_regex/)
* [[regex_redos] Regular expressions may result in easy denial-of-service (ReDoS) attacks](https://gixy.getpagespeed.com/en/plugins/regex_redos/)
* [[invalid_regex] Using a nonexistent regex capture group](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/invalid_regex.md)
You can find things that Gixy is learning to detect at [Issues labeled with "new plugin"](https://github.com/dvershinin/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22).
# Installation
## CentOS/RHEL and other RPM-based systems
```bash
yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install gixy
```
## Other systems
Gixy is distributed on [PyPI](https://pypi.python.org/pypi/gixy-ng). The best way to install it is with pip:
```bash
pip install gixy-ng
```
# Usage
By default, Gixy will try to analyze NGINX configuration placed in `/etc/nginx/nginx.conf`.
But you can always specify the needed path:
```
$ gixy /etc/nginx/nginx.conf

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

    server {

        location ~ /v1/((?<action>[^.]*)\.json)?$ {
            add_header X-Action $action;
        }
    }


==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 1
```
Or skip some tests:
```
$ gixy --skips http_splitting /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 0
```
All other `gixy` arguments are listed by the help command: `gixy --help`.
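To make the `[http_splitting]` finding in the sample output above concrete, here is an added example (not code from the Gixy project) that re-implements the core of that check in a few lines: a variable produced by a named capture group of a `location` regex is flagged when the group's sub-pattern can match a newline, because such a value placed into a response header with `add_header` can inject extra header lines. The helper names, the probe-string approach and the simplified rule are assumptions of this example; Gixy's real plugin uses its own regex analysis and covers more directives and variables.

```python
"""
Added example: a minimal model of Gixy's [http_splitting] idea, applied to the
location regex and add_header line from the sample output above.
Assumptions (ours, not Gixy's): a named capture group is "dangerous" when its
sub-pattern can match a string containing "\n"; only named groups referenced
as $name in the add_header value are checked.
"""
import re

# nginx uses PCRE syntax (?<name>...); Python's re needs (?P<name>...).
_PCRE_NAMED = re.compile(r"\(\?<([A-Za-z_]\w*)>")
_PY_NAMED = re.compile(r"\(\?P<([A-Za-z_]\w*)>")
_VAR = re.compile(r"\$(\w+)")


def _to_python_regex(pattern: str) -> str:
    """Translate PCRE named-group syntax to Python syntax."""
    return _PCRE_NAMED.sub(r"(?P<\1>", pattern)


def named_groups(pattern: str) -> dict:
    """Return {name: inner_sub_pattern} for every named capture group.

    The pattern is walked by hand so that nesting, backslash escapes and
    character classes (where parentheses are literal) are handled.
    """
    groups = {}
    stack = []          # (group name or None, index where its inner text starts)
    i, in_class = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # escaped character: skip it whole
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            m = _PCRE_NAMED.match(pattern, i) or _PY_NAMED.match(pattern, i)
            if m:
                stack.append((m.group(1), m.end()))
                i = m.end()
                continue
            stack.append((None, i + 1))     # unnamed or non-capturing group
        elif ch == ")" and stack:
            name, start = stack.pop()
            if name is not None:
                groups[name] = pattern[start:i]
        i += 1
    return groups


def can_contain_newline(sub_pattern: str) -> bool:
    """True if the sub-pattern can match a string that contains "\n".

    Probing with a few constructed samples is enough to show why negated
    classes such as [^.] or [^/] are dangerous: they match a newline.
    """
    try:
        rx = re.compile(_to_python_regex(sub_pattern))
    except re.error:
        return True                         # unparseable: treat as risky
    return any(rx.fullmatch(s) is not None for s in ("\n", "a\n", "\nb", "a\nb"))


def http_splitting_findings(location_regex: str, add_header_value: str) -> list:
    """Variables in the add_header value that come from a newline-capable
    capture group of the location regex (Gixy's 'can contain "\\n"' reason)."""
    risky = {name for name, sub in named_groups(location_regex).items()
             if can_contain_newline(sub)}
    return sorted(v for v in _VAR.findall(add_header_value) if v in risky)


if __name__ == "__main__":
    # Constructed inputs: the exact directives from the sample Gixy output.
    vulnerable = r"/v1/((?<action>[^.]*)\.json)?$"
    print(http_splitting_findings(vulnerable, "X-Action $action"))   # ['action']
    # Hardened variant (our suggestion): restrict the group to safe characters.
    hardened = r"/v1/((?<action>[A-Za-z0-9_-]*)\.json)?$"
    print(http_splitting_findings(hardened, "X-Action $action"))     # []
```

The contrast between the two regexes is the practical takeaway: `[^.]*` accepts a newline, so `$action` can carry a CRLF into the response; a positive allowlist such as `[A-Za-z0-9_-]*` cannot, and the finding disappears without skipping the check.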
### Plugin options
Some plugins expose options which you can set via CLI flags or config file. CLI flags follow the pattern `--<PluginName>-<option>` with dashes, while config file uses `[PluginName]` sections with dashed keys.
- `origins`:
  - `--origins-domains domains`: Comma-separated list of trusted registrable domains. Use `*` to disable third-party checks. Example: `--origins-domains example.com,foo.bar`. Default: `*`.
  - `--origins-https-only true|false`: When true, only the `https` scheme is considered valid for `Origin`/`Referer`. Default: `false`.
  - `--origins-lower-hostname true|false`: Normalize hostnames to lowercase before validation. Default: `true`.
- `add_header_redefinition`:
  - `--add-header-redefinition-headers headers`: Comma-separated allowlist of header names (case-insensitive). When set, only dropped headers from this list will be reported; when unset, all dropped headers are reported. Example: `--add-header-redefinition-headers x-frame-options,content-security-policy`. Default: unset (report all).

Examples (config file):
```
[origins]
domains = example.com, example.org
https-only = true

[add_header_redefinition]
headers = x-frame-options, content-security-policy
```
You can also make `gixy` use pipes (stdin), like so:
```bash
echo "resolver 1.1.1.1;" | gixy -
```
## Docker usage
Gixy is available as a Docker image [from the Docker hub](https://hub.docker.com/r/getpagespeed/gixy/). To
use it, mount the configuration that you want to analyse as a volume and provide the path to the
configuration file when running the Gixy image.
```
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf
```
If you have an image that already contains your nginx configuration, you can share the configuration
with the Gixy container as a volume.
```
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905

$ docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 0
```
## Kubernetes usage
If you are using the official NGINX ingress controller (https://github.com/nginx/kubernetes-ingress), not the Kubernetes community one, you can pipe the configuration it generates straight into Gixy:
```
kubectl exec -it my-release-nginx-ingress-controller-54d96cb5cd-pvhx5 -- /bin/bash -c "cat /etc/nginx/conf.d/*" | docker run -i getpagespeed/gixy -
```
```
==================== Results ===================

>> Problem: [version_disclosure] Do not enable server_tokens on or server_tokens build
Severity: HIGH
Description: Using server_tokens on; or server_tokens build; allows an attacker to learn the version of NGINX you are running, which can be used to exploit known vulnerabilities.
Additional info: https://gixy.getpagespeed.com/en/plugins/version_disclosure/
Reason: Using server_tokens value which promotes information disclosure
Pseudo config:

server {
    server_name XXXXX.dev;
    server_tokens on;
}

server {
    server_name XXXXX.dev;
    server_tokens on;
}

server {
    server_name XXXXX.dev;
    server_tokens on;
}

server {
    server_name XXXXX.dev;
    server_tokens on;
}

==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 4
```
# Contributing
Contributions to Gixy are always welcome! You can help us in different ways:
* Open an issue with suggestions for improvements and errors you're facing;
* Fork this repository and submit a pull request;
* Improve the documentation.
Code guidelines:
* Python code style should follow [pep8](https://www.python.org/dev/peps/pep-0008/) standards whenever possible;
* Pull requests with new plugins must include unit tests for them.
# Raw data
```json
{
  "_id": null,
  "home_page": "https://github.com/dvershinin/gixy",
  "name": "gixy-ng",
  "maintainer": null,
  "docs_url": null,
  "requires_python": null,
  "maintainer_email": null,
  "keywords": "nginx security lint static-analysis",
  "author": "Yandex IS Team, GetPageSpeed LLC",
  "author_email": "buglloc@yandex.ru, info@getpagespeed.com",
  "download_url": "https://files.pythonhosted.org/packages/44/68/f88560aecd810c4c696f4dd37cef47c00dab9cb70fcd33e7e51d9a3d3ffb/gixy_ng-0.2.12.tar.gz",
  "platform": null,
  "bugtrack_url": null,
  "license": null,
  "summary": "NGINX configuration [sec]analyzer",
  "version": "0.2.12",
  "project_urls": {
    "Homepage": "https://github.com/dvershinin/gixy"
  },
  "split_keywords": ["nginx", "security", "lint", "static-analysis"],
  "urls": [
    {
      "comment_text": null,
      "digests": {
        "blake2b_256": "7987dd2d2e18154f0c1773c9f82ae443db7550667a73750d736d47ae42dff2db",
        "md5": "10c136ea447f17150a55f435325abd2b",
        "sha256": "39d7528abab4ef7b8f88cfda0e76665856294c6d278c771d983713182441e9dc"
      },
      "downloads": -1,
      "filename": "gixy_ng-0.2.12-py3-none-any.whl",
      "has_sig": false,
      "md5_digest": "10c136ea447f17150a55f435325abd2b",
      "packagetype": "bdist_wheel",
      "python_version": "py3",
      "requires_python": null,
      "size": 85206,
      "upload_time": "2025-10-25T04:54:45",
      "upload_time_iso_8601": "2025-10-25T04:54:45.976039Z",
      "url": "https://files.pythonhosted.org/packages/79/87/dd2d2e18154f0c1773c9f82ae443db7550667a73750d736d47ae42dff2db/gixy_ng-0.2.12-py3-none-any.whl",
      "yanked": false,
      "yanked_reason": null
    },
    {
      "comment_text": null,
      "digests": {
        "blake2b_256": "4468f88560aecd810c4c696f4dd37cef47c00dab9cb70fcd33e7e51d9a3d3ffb",
        "md5": "45a8970648e49697d6b701489f84a61a",
        "sha256": "3d44e7baae0b153cd6c0c621b11a392c7678bbbf6b44134c98c6bb6e61769074"
      },
      "downloads": -1,
      "filename": "gixy_ng-0.2.12.tar.gz",
      "has_sig": false,
      "md5_digest": "45a8970648e49697d6b701489f84a61a",
      "packagetype": "sdist",
      "python_version": "source",
      "requires_python": null,
      "size": 95930,
      "upload_time": "2025-10-25T04:54:47",
      "upload_time_iso_8601": "2025-10-25T04:54:47.187038Z",
      "url": "https://files.pythonhosted.org/packages/44/68/f88560aecd810c4c696f4dd37cef47c00dab9cb70fcd33e7e51d9a3d3ffb/gixy_ng-0.2.12.tar.gz",
      "yanked": false,
      "yanked_reason": null
    }
  ],
  "upload_time": "2025-10-25 04:54:47",
  "github": true,
  "gitlab": false,
  "bitbucket": false,
  "codeberg": false,
  "github_user": "dvershinin",
  "github_project": "gixy",
  "travis_ci": false,
  "coveralls": false,
  "github_actions": true,
  "requirements": [
    {"name": "crossplane", "specs": [[">=", "0.5.8"]]},
    {"name": "cached-property", "specs": [[">=", "1.2.0"]]},
    {"name": "argparse", "specs": [[">=", "1.4.0"]]},
    {"name": "Jinja2", "specs": [[">=", "2.8"]]},
    {"name": "ConfigArgParse", "specs": [[">=", "0.11.0"]]}
  ],
  "tox": true,
  "lcname": "gixy-ng"
}
```