OSETC TECH

Linux: Analyzing Nginx Configuration with Gixy Tool

This post will guide you through analyzing the Nginx configuration file on a Linux operating system, and through checking that file with Gixy to prevent security misconfiguration and automate flaw detection.

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection. Currently supported Python versions are 2.7 and 3.5+.

Gixy Tool Installation

To install the gixy tool on a Linux system, you just need to execute the following command:

#pip install gixy

You can use the Gixy tool to analyze Nginx configuration placed in /etc/nginx/nginx.conf.

Type the following command:

#gixy /etc/nginx/nginx.conf
Outputs:

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

       server {

              location ~ /v1/((?<action>[^.]*)\.json)?$ {
                     add_header X-Action $action;
              }
       }

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1
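The finding above says the named capture `action` is taken from the request URI with the class `[^.]*`, which admits a newline, and is then copied verbatim into a response header by `add_header`. As an added illustration (not code from this post or from the Gixy project), the following Python script reproduces that check with a simplified heuristic: it extracts every PCRE named group from a `location ~` regex, probes whether the group's sub-pattern can match a string containing CR or LF, and reports any `add_header` in that location whose value uses such a variable. The vulnerable block is the one from the report above; the hardened variant, which restricts the capture to a safe character set, is a constructed example and passes the check. The probe list and the bracket-matching group extractor are this example's own simplifications, not Gixy's regex analyzer.

```python
import re

# Constructed sample: the location block gixy flagged in the report above.
VULNERABLE_CONF = r"""
server {
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
}
"""

# Constructed hardened variant: the capture admits only a safe character set,
# so the value placed in the header can never carry CR or LF.
HARDENED_CONF = r"""
server {
    location ~ /v1/((?<action>[a-zA-Z0-9_-]+)\.json)?$ {
        add_header X-Action $action;
    }
}
"""

LOCATION_RE = re.compile(r'location\s+~\*?\s*(\S+)\s*\{')
ADD_HEADER_RE = re.compile(r'add_header\s+(\S+)\s+([^;]+);')
VAR_RE = re.compile(r'\$(\w+)')
NAMED_GROUP_OPEN = re.compile(r'\(\?<(\w+)>')
# Probe values: if a group's sub-pattern fully matches any of these, the
# captured value can carry a line break into the header (simplified heuristic).
PROBES = ("\n", "\r\n", "a\nb", "x\r\nInjected: y")


def named_groups(pattern):
    """Yield (name, sub_pattern) for every PCRE named group (?<name>...) in pattern."""
    i = 0
    while True:
        m = NAMED_GROUP_OPEN.search(pattern, i)
        if not m:
            return
        depth, j, in_class = 1, m.end(), False
        while j < len(pattern) and depth:
            c = pattern[j]
            if c == '\\':
                j += 1                      # skip the escaped character
            elif in_class:
                in_class = c != ']'         # ignore parens inside [...]
            elif c == '[':
                in_class = True
            elif c == '(':
                depth += 1
            elif c == ')':
                depth -= 1
            j += 1
        yield m.group(1), pattern[m.end():j - 1]
        i = m.end()


def can_contain_newline(sub_pattern):
    """Heuristic (not gixy's own analyzer): can this sub-pattern match a newline?"""
    rx = re.compile(sub_pattern)
    return any(rx.fullmatch(p) for p in PROBES)


def find_http_splitting(conf):
    """Return [(header_name, variable)] for add_header values built from newline-capable captures."""
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        body_start = loc.end()
        body = conf[body_start:conf.find('}', body_start)]
        unsafe = {name for name, sub in named_groups(loc.group(1)) if can_contain_newline(sub)}
        for hdr in ADD_HEADER_RE.finditer(body):
            for var in VAR_RE.findall(hdr.group(2)):
                if var in unsafe:
                    findings.append((hdr.group(1), var))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_http_splitting(VULNERABLE_CONF))  # [('X-Action', 'action')]
    print("hardened:  ", find_http_splitting(HARDENED_CONF))    # []
```

The fix the check points at is the same one Gixy's report implies: narrow the capture so that `$action` cannot contain control characters, or stop echoing request-derived variables into headers at all. Gixy itself reasons about the regex symbolically rather than by probing, so treat this script as a teaching aid, not a replacement for running the tool.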

More information about the gixy tool

If you want more information about the Gixy tool, run the gixy command with the -h option:

#gixy -h

Outputs:

positional arguments:
  nginx.conf            Path to nginx.conf, e.g. /etc/nginx/nginx.conf

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        config file path
  --write-config CONFIG_OUTPUT_PATH
                        takes the current command line args and writes them
                        out to a config file at the given path, then exits
  -v, --version         show program's version number and exit
  -l, --level           Report issues of a given severity level or higher (-l
                        for LOW, -ll for MEDIUM, -lll for HIGH)
  -f {text,json,console}, --format {text,json,console}
                        Specify output format
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        Write report to file
  -d, --debug           Turn on debug mode
  --tests TESTS         Comma-separated list of tests to run
  --skips SKIPS         Comma-separated list of tests to skip
  --disable-includes    Disable "include" directive processing

plugins options:
  --origins-domains domains
                        Default: *
  --origins-https-only https_only
                        Default: False
  --add-header-redefinition-headers headers
                        Default: x-frame-options,x-xss-protection,content-
                        security-policy,x-content-type-options,cache-control

available plugins:
       add_header_multiline
       http_splitting
       host_spoofing
       origins
       add_header_redefinition
       valid_referers
       ssrf
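The `-f json` and `-o` options above make Gixy usable as a gate in a deployment pipeline rather than only as an interactive report. The following Python script is an added example, not code from this post or from the Gixy project: it reads a JSON report, rebuilds the per-severity counts that the text report prints under "Summary", and fails when any issue at or above a chosen severity remains after skipping named plugins (the same effect as `-l`/`--skips`, but decided on the consumer side). The embedded report is constructed for this example, and the field names (`plugin`, `severity`, `summary`, `reason`, `path`) are an assumption about the JSON formatter's output; check them against a real `gixy -f json` run before relying on this.

```python
import json
import sys

# Constructed sample report, assumed to mirror the shape of `gixy -f json`
# output: a JSON array of issue objects. Not a real run's output.
SAMPLE_REPORT = json.dumps([
    {"path": "/etc/nginx/nginx.conf", "plugin": "http_splitting", "severity": "HIGH",
     "summary": "Possible HTTP-Splitting vulnerability.",
     "reason": 'At least variable "$action" can contain "\\n"'},
    {"path": "/etc/nginx/nginx.conf", "plugin": "add_header_redefinition", "severity": "LOW",
     "summary": "Nested \"add_header\" drops parent headers.",
     "reason": "Parent headers were dropped in nested add_header"},
])

# Severity names as printed in Gixy's text "Summary" block, ranked for comparison.
SEVERITY_RANK = {"UNSPECIFIED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def load_issues(report_json):
    """Parse the JSON report into a list of issue dicts."""
    issues = json.loads(report_json)
    if not isinstance(issues, list):
        raise ValueError("expected a JSON array of issues")
    return issues


def summarize(report_json):
    """Count issues per severity, mirroring the 'Total issues' summary of the text report."""
    counts = dict.fromkeys(SEVERITY_RANK, 0)
    for issue in load_issues(report_json):
        counts[str(issue.get("severity", "UNSPECIFIED")).upper()] += 1
    return counts


def blocking_issues(report_json, threshold="HIGH", skips=()):
    """Return issues at or above `threshold`, ignoring plugins listed in `skips`."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [
        issue for issue in load_issues(report_json)
        if issue.get("plugin") not in set(skips)
        and SEVERITY_RANK.get(str(issue.get("severity", "")).upper(), 0) >= floor
    ]


def main(argv):
    # Usage (assumed pipeline step):  gixy -f json -o report.json /etc/nginx/nginx.conf
    #                                 python gate.py report.json MEDIUM
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    for sev, n in summarize(report).items():
        print(f"{sev.capitalize():>12}: {n}")
    blocking = blocking_issues(report, threshold)
    for issue in blocking:
        print(f"[{issue['severity']}] {issue['plugin']}: {issue['summary']} ({issue['reason']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exiting non-zero from the gate makes a CI job fail on a HIGH finding such as the HTTP-splitting issue above, while lower-severity findings are still printed for review; passing `MEDIUM` as the second argument tightens the bar, and the `skips` parameter lets a known, accepted finding from one plugin be excluded without silencing the rest.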