Gixy-Next: NGINX Configuration Misconfiguration Scanner

Gixy — Fri, 02 Jan 2026 17:54:33 +0000

Most of us have run nginx -t and called it a day. But syntax-valid configs can still be dangerous.

This post is a hands-on intro to Gixy-Next, an open source static analyzer for nginx.conf that looks for security misconfigurations, hardening gaps, and common footguns before they reach production.

If you operate NGINX at scale (or just want fewer 2am surprises), this tool is a nice "shift-left" safety net.

What is Gixy-Next?

Gixy-Next is a maintained fork in the "Gixy family" of NGINX configuration analyzers. It scans your configuration statically (no need to run NGINX) and reports findings with severity levels and actionable context.

It started as a fork of Yandex's original Gixy (first released in 2017), which is now unmaintained and not great with modern Python/NGINX realities. Gixy-Next exists to keep the project healthy: modern Python support, bug fixes, improved detection logic, and a focus on maintainable, reviewable changes.

Quick start

Install:

pip3 install gixy-next
# or, if you use uv:
uv pip install gixy-next

Run it (defaults to /etc/nginx/nginx.conf):

gixy

Or point it at a file:

gixy /opt/nginx.conf

Tip: scan the fully rendered config (includes resolved) out-of-band

NGINX configs often sprawl across many include files. A reliable approach is to dump the entire rendered configuration and scan that artifact on a different system than that running NGINX:

# dump the fully rendered NGINX configuration on one system
nginx -T > ./nginx-dump.conf

# run gixy on another system, just with that single file (which will be treated as various files as if they existed on a disk)
gixy ./nginx-dump.conf

# or via stdin:
cat ./nginx-dump.conf | gixy -

What it catches (examples)

Gixy-Next ships with a ton of plugins that detect a wide range of issues. A few examples you might care about:

HTTP response splitting hazards
SSRF-style proxy misconfigurations
Host header spoofing risks
Alias path traversal gotchas
Weak referer/origin validation
Unanchored regex patterns and ReDoS risk
Risky DNS resolver configurations
Version disclosure via server_tokens
Misleading "looks fine" patterns like if usage in location

You can browse the full plugin list in the Gixy-Next documentation, but the main point is: it finds the kinds of problems that are easy to mess up or just completely miss

Tune the signal: run only what you want

Run a focused subset of checks:

gixy --tests http_splitting,ssrf,version_disclosure

Skip noisy checks:

gixy --skips low_keepalive_requests,worker_rlimit_nofile_vs_connections

Filter by severity (compounding -l):

# -l  = LOW and higher
# -ll = MEDIUM and higher
# -lll = HIGH only
gixy -ll

Output formats: human-friendly and machine-friendly

By default the output is ANSI-colored for terminals. If you want plain text:

gixy -f text

If you want JSON (perfect for CI pipelines and dashboards):

gixy -f json ./nginx-dump.conf

The JSON includes fields like plugin, severity, file, line, reason, and a reference link for the specific check.

Why I like this approach

It complements code review: reviewers focus on intent, the scanner catches patterns.
It turns "tribal knowledge" hardening rules into repeatable checks.
It fits modern workflows: run locally, run in CI, track over time.

Contributing / feedback

If you run into a config pattern that should be detected but is missed, open an issue with a minimal reproducible snippet. New plugins and improvements are welcome.

DEV Community: Gixy