GIXY
====
[![Mozilla Public License 2.0](https://img.shields.io/github/license/yandex/gixy.svg?style=flat-square)](https://github.com/yandex/gixy/blob/master/LICENSE)
[![Build Status](https://img.shields.io/travis/yandex/gixy.svg?style=flat-square)](https://travis-ci.org/yandex/gixy)
[![Your feedback is greatly appreciated](https://img.shields.io/maintenance/yes/2019.svg?style=flat-square)](https://github.com/yandex/gixy/issues/new)
[![GitHub issues](https://img.shields.io/github/issues/yandex/gixy.svg?style=flat-square)](https://github.com/yandex/gixy/issues)
[![GitHub pull requests](https://img.shields.io/github/issues-pr/yandex/gixy.svg?style=flat-square)](https://github.com/yandex/gixy/pulls)
# Overview
<img align="right" width="192" height="192" src="/docs/logo.png">
Gixy is a tool to analyze Nginx configuration.
The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 2.7, 3.5, 3.6 and 3.7.
Disclaimer: Gixy is well tested only on GNU/Linux; other OSs may have some issues.
# What it can do
Right now Gixy can find:
* [[ssrf] Server Side Request Forgery](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)
* [[http_splitting] HTTP Splitting](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)
* [[origins] Problems with referrer/origin validation](https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md)
* [[add_header_redefinition] Redefining of response headers by "add_header" directive](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)
* [[host_spoofing] Request's Host header forgery](https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md)
* [[valid_referers] none in valid_referers](https://github.com/yandex/gixy/blob/master/docs/en/plugins/validreferers.md)
* [[add_header_multiline] Multiline response headers](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheadermultiline.md)
* [[alias_traversal] Path traversal via misconfigured alias](https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md)
You can find things that Gixy is learning to detect at [Issues labeled with "new plugin"](https://github.com/yandex/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22)
# Installation
Gixy is distributed on [PyPI](https://pypi.python.org/pypi/gixy). The best way to install it is with pip:
```bash
pip install gixy
```
Run Gixy and check results:
```bash
gixy
```
# Usage
By default Gixy will try to analyze the Nginx configuration placed in `/etc/nginx/nginx.conf`.
But you can always specify the path you need:
```
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;
server {
location ~ /v1/((?<action>[^.]*)\.json)?$ {
add_header X-Action $action;
}
}
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
```
Or skip some tests:
```
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
```
For everything else, you can find all other `gixy` arguments with the help command: `gixy --help`
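The `http_splitting` finding shown above, re-created as an added example: this is not Gixy's plugin code, only a deliberately simplified Python check that scans a constructed Nginx snippet for `add_header` values built from a `location ~` named capture that can match a newline (which is what lets a request push extra headers into the response). Assumed simplifications: a flat regex scan of `location` blocks with no nested braces, and no parentheses inside a named capture.

```python
import re

# Simplified parsing (an assumption of this example, not how Gixy works): one flat
# scan for "location ~ <regex> { ... }" blocks without nested braces, and named
# captures "(?<name>...)" that contain no parentheses of their own.
LOCATION_RE = re.compile(r'location\s+~\*?\s+(\S+)\s*\{([^}]*)\}')
GROUP_RE = re.compile(r'\(\?<(\w+)>([^()]*)\)')
ADD_HEADER_RE = re.compile(r'add_header\s+(\S+)\s+([^;]+);')
VAR_RE = re.compile(r'\$\{?(\w+)\}?')

# Constructed sample config; the first location is the one from the output above.
SAMPLE_CONFIG = r"""
server {
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
    location ~ ^/v2/(?<id>\d+)$ {
        add_header X-Id $id;          # \d+ cannot match a newline: safe
    }
    location ~ ^/v3/(?<name>[^/]+)$ {
        add_header X-Name $name;      # [^/] still matches a newline: risky
    }
}
"""

def capture_allows_newline(inner_pattern):
    """True if a named capture's sub-pattern can match text containing a newline."""
    try:
        return re.fullmatch(inner_pattern, "x\ny") is not None
    except re.error:
        return True  # unparsable pattern: report it rather than miss it

def find_http_splitting(config):
    """Return (header, variable, location_regex) for every add_header whose value
    interpolates a capture that can carry a newline into the response headers."""
    findings = []
    for loc in LOCATION_RE.finditer(config):
        regex, body = loc.group(1), loc.group(2)
        risky = {name for name, inner in GROUP_RE.findall(regex)
                 if capture_allows_newline(inner)}
        for hdr in ADD_HEADER_RE.finditer(body):
            header, value = hdr.group(1), hdr.group(2)
            for var in VAR_RE.findall(value):
                if var in risky:
                    findings.append((header, var, regex))
    return findings

if __name__ == "__main__":
    for header, var, regex in find_http_splitting(SAMPLE_CONFIG):
        print('Problem: [http_splitting] %s uses $%s from "%s"' % (header, var, regex))
```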
## Docker usage
Gixy is available as a Docker image [from the Docker hub](https://hub.docker.com/r/yandex/gixy/). To
use it, mount the configuration that you want to analyse as a volume and provide the path to the
configuration file when running the Gixy image.
```
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf yandex/gixy /etc/nginx/conf/nginx.conf
```
If you have an image that already contains your nginx configuration, you can share the configuration
with the Gixy container as a volume.
```
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
$ docker run --rm --volumes-from nginx yandex/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
```
# Contributing
Contributions to Gixy are always welcome! You can help us in different ways:
* Open an issue with suggestions for improvements and errors you're facing;
* Fork this repository and submit a pull request;
* Improve the documentation.
Code guidelines:
* Python code style should follow [pep8](https://www.python.org/dev/peps/pep-0008/) standards whenever possible;
* Pull requests with new plugins must include unit tests for them.