Detect Nginx Configuration Vulnerabilities with Gixy: A Practical Guide

This article introduces Gixy, a static analysis tool for Nginx configurations, demonstrates how to detect and fix HTTP header splitting and other security issues, explains its handling of included files, lists detectable vulnerabilities, and provides simple installation instructions.


Introduction

Gixy is a static analysis tool for Nginx configuration files, aimed at preventing security problems caused by improper settings. It works without starting any environment; you only need to specify the path to the config file.

Usage Example

Given a configuration file t.conf:

server {
    listen 80 default;

    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
        return 200 "OK";
    }
}

Run the analysis:

gixy t.conf

Gixy reports an http_splitting issue. The $action variable is captured by [^.]*, a class that matches any character except a dot, including carriage return and line feed, so a crafted URI can terminate the X-Action header early and inject an extra header (CRLF injection). Example request:

/v1/see%20below%0d%0ax-crlf-header:injected.json

When decoded, the request contains a line break, allowing an attacker to inject an extra header:

HTTP/1.1 200 OK
Server: nginx/1.11.10
Date: Mon, 13 Mar 2017 21:21:29 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: close
X-Action: see below
x-crlf-header:injected

To fix it, tighten the location regex:

location ~ /v1/((?<action>[^/\s]+)\.json)?$ {
    ...
}

Re‑running Gixy confirms the issue is resolved.
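To make the difference between the two location patterns concrete, here is a small Python simulation (added for this article; it is not part of Gixy or nginx). It assumes, as nginx does, that the URI is percent-decoded before regex locations are matched, and it rewrites the named group from PCRE's (?<action>...) to Python's (?P<action>...) syntax. The "request path" and the header rendering are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the request path from the article, percent-decoded
# the way nginx decodes a URI before matching regex locations.
ATTACK_PATH = unquote("/v1/see%20below%0d%0ax-crlf-header:injected.json")
BENIGN_PATH = "/v1/list.json"

# The two location regexes from the article. nginx writes the named group as
# (?<action>...); Python's re module needs (?P<action>...), which is the only change.
VULNERABLE_LOCATION = re.compile(r"/v1/((?P<action>[^.]*)\.json)?$")
HARDENED_LOCATION = re.compile(r"/v1/((?P<action>[^/\s]+)\.json)?$")


def capture_action(pattern, path):
    """Return what $action would hold for this path, or None if the location
    does not match at all (nginx 'location ~' is an unanchored search)."""
    match = pattern.search(path)
    if not match:
        return None
    return match.group("action")


def header_is_safe(value):
    """A header value is only safe to emit if it cannot break the line
    structure of the response, i.e. it contains no CR or LF."""
    return value is not None and "\r" not in value and "\n" not in value


def emitted_headers(pattern, path):
    """Simulate 'add_header X-Action $action;' by writing the captured value
    verbatim into a header line and then reading the result back as a client
    would, splitting on CRLF. Any injected line shows up as its own header."""
    action = capture_action(pattern, path)
    if action is None:
        return {}
    raw = f"X-Action: {action}\r\n"  # constructed rendering of the header line
    headers = {}
    for line in raw.split("\r\n"):
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    for label, pattern in (("vulnerable", VULNERABLE_LOCATION),
                           ("hardened", HARDENED_LOCATION)):
        for path in (BENIGN_PATH, ATTACK_PATH):
            action = capture_action(pattern, path)
            print(f"{label:10} {path!r}")
            print(f"  $action = {action!r}, safe = {header_is_safe(action)}")
            print(f"  client sees headers: {emitted_headers(pattern, path)}")
```

With the vulnerable pattern the attack path yields two headers on the client side, X-Action and x-crlf-header, exactly as in the response shown above; with the hardened pattern the location does not match the attack path at all, because [^/\s]+ stops at the first whitespace character, so no header is produced.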

Gixy also follows include directives: when nginx.conf contains include servers/*;, every file under the servers directory is analyzed as well, so scanning the top-level file covers the whole configuration.

Detectable Issues

SSRF (Server‑Side Request Forgery)

HTTP Splitting (response header injection)

Incorrect referrer/origin validation

Misuse of add_header directive

Host header spoofing

Allowing empty Referer

Multi‑line response headers

Installation

Gixy is published on PyPI and can be installed with:

pip install gixy

After installation, the gixy command is available.

Conclusion

Gixy is simple and useful; even users with limited security knowledge can gain confidence by scanning their Nginx configurations. The project has gained over 4,000 stars on GitHub: https://github.com/yandex/gixy .

Written by

Java High-Performance Architecture

Sharing Java development articles and resources, including SSM architecture and the Spring ecosystem (Spring Boot, Spring Cloud, MyBatis, Dubbo, Docker), Zookeeper, Redis, architecture design, microservices, message queues, Git, etc.