How to analyze Nginx configuration files for security misconfigurations on Linux/Unix
Date: 2020-01-09 10:40:00 Source: igfitidea
How do I install Gixy, the static analyzer for Nginx configurations, on a GNU/Linux operating system to prevent security misconfigurations and automate flaw detection?
Gixy is a tool for analyzing Nginx configurations.
Its main goal is to prevent security misconfigurations and to automate flaw detection.
The currently supported Python versions are 2.7 and 3.5+.
Right now, Gixy can find:
- [ssrf] Server Side Request Forgery
- [http_splitting] HTTP Splitting
- [origins] Problems with referrer/origin validation
- [add_header_redefinition] Redefining of response headers by the add_header directive
- [host_spoofing] Request's Host header forgery
- [valid_referers] none in valid_referers
- [add_header_multiline] Multiline response headers
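The add_header_redefinition item above is the one that surprises most teams, because it comes from an Nginx inheritance rule rather than from an obvious mistake: a level that declares any add_header of its own stops inheriting the add_header directives of the enclosing level. What follows is an added example, not Gixy's own code: a small Python re-implementation of that check, run over a constructed vulnerable config and its hardened form. The server name, paths and backend name are placeholders, and the parser only walks the brace structure (Gixy's real plugin also expands include directives and knows about variables).

```python
"""Added example (not Gixy's own code): a toy version of the
add_header_redefinition check, run on a constructed nginx config.

Nginx inherits add_header directives from the enclosing level only if the
current level declares none of its own. A location that adds just
Cache-Control therefore silently drops the security headers set at the
http/server level; that is what Gixy reports as add_header_redefinition.
"""
import re

# Same default list Gixy uses for --add-header-redefinition-headers.
SECURE_HEADERS = frozenset({
    "x-frame-options", "x-xss-protection", "content-security-policy",
    "x-content-type-options", "cache-control",
})

# Tokens: comments, quoted strings, structural characters, bare words.
TOKEN_RE = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+""")


def parse_nginx(text):
    """Parse nginx config text into a tree of {"name", "args", "block"} dicts.

    "block" is a list of child nodes for `name args { ... }` blocks and None
    for plain `name args;` directives. Simplified parser: no `include`
    expansion, no map/Lua edge cases.
    """
    root = {"name": "root", "args": [], "block": []}
    stack = [root]
    words = []
    for tok in TOKEN_RE.findall(text):
        if tok.startswith("#"):          # comment token, skip
            continue
        if tok == ";":
            if words:
                stack[-1]["block"].append({"name": words[0], "args": words[1:], "block": None})
            words = []
        elif tok == "{":
            if not words:
                raise ValueError("block without a directive name")
            node = {"name": words[0], "args": words[1:], "block": []}
            stack[-1]["block"].append(node)
            stack.append(node)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in nginx config")
    return root


def check_add_header_redefinition(node, inherited=frozenset(), label="root"):
    """Return findings: blocks whose own add_header set drops inherited secure headers."""
    own = {d["args"][0].lower() for d in node["block"]
           if d["name"] == "add_header" and d["args"]}
    findings = []
    if own:
        lost = (inherited & SECURE_HEADERS) - own
        if lost:
            findings.append({"block": label, "lost": sorted(lost)})
    # nginx rule: any add_header at this level replaces the parent's set entirely.
    effective = frozenset(own) if own else inherited
    for child in node["block"]:
        if child["block"] is not None:
            child_label = " ".join([child["name"]] + child["args"])
            findings.extend(check_add_header_redefinition(child, effective, child_label))
    return findings


def scan(text):
    """Parse a config and return the add_header_redefinition findings."""
    return check_add_header_redefinition(parse_nginx(text))


# Constructed config; example.test, /var/www and "backend" are placeholders.
VULNERABLE_CONF = """
http {
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    server {
        listen 443 ssl;
        server_name example.test;
        location / {
            proxy_pass http://backend;
        }
        location /static/ {
            # This single add_header makes nginx drop the two headers above.
            add_header Cache-Control "public, max-age=3600";
            root /var/www;
        }
    }
}
"""

# Hardened form: every level that adds a header restates the secure set
# (in real deployments this is usually an `include security_headers.conf;`).
FIXED_CONF = VULNERABLE_CONF.replace(
    'add_header Cache-Control "public, max-age=3600";',
    'add_header X-Frame-Options DENY;\n'
    '            add_header X-Content-Type-Options nosniff;\n'
    '            add_header Cache-Control "public, max-age=3600";',
)

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, scan(conf) or "no add_header_redefinition findings")
```

Running the script reports `location /static/` as losing x-content-type-options and x-frame-options in the vulnerable config and nothing for the hardened one. The fix is deliberately not "remove Cache-Control from the location": the point is that each level which sets any header must restate the full secure set, which is why teams usually keep that set in one included file.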
Installing Gixy
Run the following command:
$ pip install gixy
How do I use Gixy?
The syntax is:
$ gixy /etc/nginx/nginx.conf
$ gixy [options] /etc/nginx/nginx.conf
Options
To see the gixy options, type:
$ gixy -h
Sample output:
positional arguments:
  nginx.conf            Path to nginx.conf, e.g. /etc/nginx/nginx.conf

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        config file path
  --write-config CONFIG_OUTPUT_PATH
                        takes the current command line args and writes them
                        out to a config file at the given path, then exits
  -v, --version         show program's version number and exit
  -l, --level           Report issues of a given severity level or higher (-l
                        for LOW, -ll for MEDIUM, -lll for HIGH)
  -f {text,json,console}, --format {text,json,console}
                        Specify output format
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        Write report to file
  -d, --debug           Turn on debug mode
  --tests TESTS         Comma-separated list of tests to run
  --skips SKIPS         Comma-separated list of tests to skip
  --disable-includes    Disable "include" directive processing

plugins options:
  --origins-domains domains
                        Default: *
  --origins-https-only https_only
                        Default: False
  --add-header-redefinition-headers headers
                        Default: x-frame-options,x-xss-protection,content-
                        security-policy,x-content-type-options,cache-control

available plugins:
  add_header_multiline
  http_splitting
  host_spoofing
  origins
  add_header_redefinition
  valid_referers
  ssrf
For more information, see https://github.com/yandex/gixy.