This post will guide you how to analyze Nginx configuration file under Linux operating system. How to check the Nginx configuration file to prevent security misconfiguration and automate flaw detection in Linux.
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection. Currently supported Python versions are 2.7 and 3.5+.
Gixy Tool Installation
To install gixy tool in Linux system, you just need to execute the following command:
#pip install gixy
You can use the Gixy tool to analyze Nginx configuration placed in /etc/nginx/nginx.conf.
Type the following command:
#gixy /etc/nginx/nginx.conf
Outputs:
==================== Results =================== Problem: [http_splitting] Possible HTTP-Splitting vulnerability. Description: Using variables that can contain "\n" may lead to http injection. Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md Reason: At least variable "$action" can contain "\n" Pseudo config: include /etc/nginx/sites/default.conf; server { location ~ /v1/((?<action>[^.]*)\.json)?$ { add_header X-Action $action; } } ==================== Summary =================== Total issues: Unspecified: 0 Low: 0 Medium: 0 High: 1
More information about gixy tool
If you want to check more information about the Gixy tool, you can run the gixy command with –h option, type:
#gixy –h
Outputs:
positional arguments: nginx.conf Path to nginx.conf, e.g. /etc/nginx/nginx.conf optional arguments: -h, --help show this help message and exit -c CONFIG_FILE, --config CONFIG_FILE config file path --write-config CONFIG_OUTPUT_PATH takes the current command line args and writes them out to a config file at the given path, then exits -v, --version show program's version number and exit -l, --level Report issues of a given severity level or higher (-l for LOW, -ll for MEDIUM, -lll for HIGH) -f {text,json,console}, --format {text,json,console} Specify output format -o OUTPUT_FILE, --output OUTPUT_FILE Write report to file -d, --debug Turn on debug mode --tests TESTS Comma-separated list of tests to run --skips SKIPS Comma-separated list of tests to skip --disable-includes Disable "include" directive processing plugins options: --origins-domains domains Default: * --origins-https-only https_only Default: False --add-header-redefinition-headers headers Default: x-frame-options,x-xss-protection,content- security-policy,x-content-type-options,cache-control available plugins: add_header_multiline http_splitting host_spoofing origins add_header_redefinition valid_referers ssrf