Gixy is a tool for analysing the security of Nginx configuration files. Its main purpose is to prevent security misconfigurations, which it detects automatically. The latest version at the time of writing is gixy 0.1.9.
Gixy features

- Finds server-side request forgery (SSRF).
- Checks for HTTP splitting.
- Checks for referrer/origin problems.
- Checks whether response headers are correctly redefined via the add_header directive.
- Checks whether the request Host header can be spoofed.
- Checks whether valid_referers is empty.
- Checks for multi-line Host headers.
Installing Gixy

Gixy is written in Python and currently supports Python 2.7 or 3.5+. Installation is straightforward; just install it with pip:

$ pip install gixy

If your system is old and ships an outdated Python, upgrade Python first.
Using Gixy

By default Gixy checks the configuration file /etc/nginx/nginx.conf:

$ gixy

You can also point it at the location of your NGINX configuration file:

$ gixy /usr/local/nginx/conf/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0

Now look at an example with an HTTP splitting problem. Modify the Nginx configuration as follows:

server {
    ...
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
    ...
}

Run Gixy against the configuration again:

$ gixy /usr/local/nginx/conf/nginx.conf

==================== Results ===================

>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:

server {
    server_name localhost mike.hi-linux.com;

    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1

The result shows that one issue was detected, of type http_splitting: the $action variable can contain a newline character. This is the HTTP response splitting vulnerability, carried out through CRLF injection.

To temporarily skip a particular class of check, use the --skips parameter:

$ gixy --skips http_splitting /usr/local/nginx/conf/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0

For more usage options, see gixy --help.
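To make the http_splitting finding concrete, here is an added example (not part of the original post and not Gixy's own code) that applies the same idea with a small heuristic: flag add_header directives that echo a named regex capture whose character class can match CR or LF. It embeds the page's location block and a hardened variant as constructed samples; the capture-parsing regex and the newline heuristic are simplifications assumed by this example, not Gixy's actual implementation.

```python
import re

# Constructed sample: the location block from the post, where $action
# comes from [^.]*, a class that also matches "\r" and "\n".
VULNERABLE_CONF = r"""
server {
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
}
"""

# Constructed hardened variant: the class explicitly excludes CR and LF,
# so the captured value can no longer break out of the header line.
HARDENED_CONF = r"""
server {
    location ~ /v1/((?<action>[^.\r\n]*)\.json)?$ {
        add_header X-Action $action;
    }
}
"""

# Named capture whose body is a single character class, e.g. (?<action>[^.]*).
# Assumption: only class-based captures are modelled; anything else is skipped.
CAPTURE_RE = re.compile(r"\(\?<(\w+)>\[(\^?)([^\]]*)\][*+?]?\)")
ADD_HEADER_RE = re.compile(r"add_header\s+(\S+)\s+([^;]+);")
VAR_RE = re.compile(r"\$(\w+)")

def class_matches_newline(negated: str, body: str) -> bool:
    """Heuristic: can this PCRE character class match CR or LF?"""
    mentions_eol = any(tok in body for tok in (r"\n", r"\r", r"\s"))
    # [^...] matches newlines unless they are explicitly excluded;
    # [...] matches them only when they are explicitly included.
    return not mentions_eol if negated else mentions_eol

def find_http_splitting(conf: str) -> list:
    """Return (header, variable) pairs where add_header echoes a regex
    capture that may contain CR/LF, i.e. a response splitting risk."""
    risky = {
        name
        for name, negated, body in CAPTURE_RE.findall(conf)
        if class_matches_newline(negated, body)
    }
    findings = []
    for header, value in ADD_HEADER_RE.findall(conf):
        for var in VAR_RE.findall(value):
            if var in risky:
                findings.append((header, var))
    return findings
```

Running find_http_splitting over both samples reports the X-Action/$action pair for the first configuration and nothing for the hardened one.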
Docker usage

Gixy is available as a Docker image from Docker Hub. To use it, mount the configuration you want to analyse as a volume and pass the path to the configuration file when running the Gixy image:

$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf yandex/gixy /etc/nginx/conf/nginx.conf

If you have an image that already contains your nginx configuration, you can share that configuration with the Gixy container as a volume:

$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
$ docker run --rm --volumes-from nginx yandex/gixy /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0