from Hacker News

Gixy: Nginx Configuration Static Analyzer

by mmsc on 2/16/25, 4:06 AM with 28 comments

  • by ProfDreamer on 2/16/25, 6:31 PM

    Using the nginx module on NixOS[1] with services.nginx.validateConfigFile enabled (it defaults to true), generated nginx configurations are checked by Gixy[2]. The build will actually fail if Gixy finds any issues.

    [1]: https://github.com/NixOS/nixpkgs/blob/nixos-24.11/nixos/modu...
    [2]: https://github.com/NixOS/nixpkgs/blob/nixos-24.11/pkgs/build...

  • by cadamsdotcom on 2/16/25, 6:11 AM

    Nice work, tons of extra stuff vs the original.

    Had a thought: imagine if it were a subcommand of nginx (whichever fork will accept it) - that’d give it a much wider audience.

    Even more impactful would be if analysis always ran at nginx startup. Wouldn’t have to be blocking but getting warned about risks would help more folks configure things more correctly more often.

    Either way great to have tools to help with correctly configuring the parts of your infra that are exposed to the wild internet.

  • by mobilemidget on 2/16/25, 10:25 AM

    I already learned one thing regarding add_header

    Worth the read already. Initially I even thought the analyzer was 'wrong', but curl tests indeed show that add_header replaces all, surprisingly to me.

    Thanks!

    But I don't really like the installation of a pip/python ecosystem, but that is just my issue :) I now simply copy the configurations from python-free servers and analyze them.
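
The add_header behaviour mobilemidget describes, as an added example that is not part of the thread or of Gixy's own code: nginx inherits add_header from the enclosing level only when the current level defines no add_header of its own, so a single add_header inside a location silently replaces the whole server-wide set. Hostname, paths and the upstream address below are placeholders.

```nginx
# Added example: add_header inheritance in nginx.
# Rule (from the nginx docs): add_header directives are inherited from the
# enclosing level only if the current level has NO add_header directives.
# The set is replaced, not merged.

server {
    listen 80;
    server_name example.test;        # placeholder hostname

    # Server-wide security headers you expect on every response.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;

    # WEAK: this location defines its own add_header, so responses for
    # /api/ carry ONLY Cache-Control. X-Content-Type-Options and
    # X-Frame-Options are dropped here. This is what Gixy flags.
    location /api/ {
        add_header Cache-Control "no-store";
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }

    # CORRECTED: any location that adds a header must restate the shared
    # set (or `include` a snippet file that contains it), because nothing
    # is inherited once the level has its own add_header.
    location /static/ {
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        add_header Cache-Control "public, max-age=3600";
        root /var/www;                        # placeholder path
    }
}
```

A quick check is `curl -sI` against each path: responses from /api/ will show only Cache-Control, while /static/ returns all three headers.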

  • by ajayvk on 2/16/25, 4:25 PM

    I have been building a platform [1] which makes it easy to deploy internal tools. Instead of taking the config file approach, it allows you to install each app at a unique location (domain name + url path). Within its location, the app owns all the URLs and can manage request routing without requiring a global config update.

    The advantage is that new app installations cannot interfere with an existing app. I wrote more about this approach at https://clace.io/blog/webserver/

    [1] https://github.com/claceio/clace

  • by ossusermivami on 2/16/25, 11:00 AM

    Nice idea, but I get this error when I try to use the Docker image (on a NixOS env):

    NameError: name 'SRE_FLAG_TEMPLATE' is not defined. Did you mean: 'SRE_FLAG_VERBOSE'?

    (using the Docker command mentioned in the README: $ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf)

  • by zelphirkalt on 2/16/25, 11:23 AM

    NGINX config language grates on me. Whyyy did they have to come up with their own config format? It is so much nicer to configure Caddy with a JSON file, for example. Probably would also be much easier to statically check things about the config than having to create a parser for NGINX config (or somehow integrate NGINX's own parser, maybe). Probably the best one can do is either have NGINX at some point offer an alternative config that uses JSON, or have some converter from JSON to NGINX config.

  • by alp1n3_eth on 2/16/25, 4:04 PM

    Would it be useful or easier to plug in if these were rules developed for platforms such as Semgrep? It looks like they already have an existing nginx ruleset: https://semgrep.dev/p/nginx.

    They can always use some extra contributions, and would slot into existing tooling within a pipeline.

  • by efxzx on 2/16/25, 3:46 PM

    Great tool! Also, what about apache2, any similar tool suggestions?

  • by oriettaxx on 2/17/25, 12:46 AM

    uh, I'm hitting this one https://github.com/dvershinin/gixy/blob/master/docs/en/plugi...

    How serious is header injection? It sounds pretty serious, is it?

  • by huang_chung on 2/16/25, 10:20 AM

    The need for a configuration file analyzer is a good sign your software is overly complex and poorly architected.

    Configuration files should be self-documenting.

    Instead nginx taught us that if != if.