Most of us have run nginx -t and called it a day. But syntax-valid configs can still be dangerous.
This post is a hands-on intro to Gixy-Next, an open source static analyzer for nginx.conf that looks for security misconfigurations, hardening gaps, and common footguns before they reach production.
If you operate NGINX at scale (or just want fewer 2am surprises), this tool is a nice "shift-left" safety net.
What is Gixy-Next?
Gixy-Next is a maintained fork in the "Gixy family" of NGINX configuration analyzers. It scans your configuration statically (no need to run NGINX) and reports findings with severity levels and actionable context.
It started as a fork of Yandex's original Gixy (first released in 2017), which is now unmaintained and not great with modern Python/NGINX realities. Gixy-Next exists to keep the project healthy: modern Python support, bug fixes, improved detection logic, and a focus on maintainable, reviewable changes.
Quick start
Install:
pip3 install gixy-next
# or, if you use uv:
uv pip install gixy-next
Run it (defaults to /etc/nginx/nginx.conf):
gixy
Or point it at a file:
gixy /opt/nginx.conf
Tip: scan the fully rendered config (includes resolved) out-of-band
NGINX configs often sprawl across many include files. A reliable approach is to dump the entire rendered configuration and scan that artifact on a different system than that running NGINX:
# dump the fully rendered NGINX configuration on one system
nginx -T > ./nginx-dump.conf
# run gixy on another system, just with that single file (which will be treated as various files as if they existed on a disk)
gixy ./nginx-dump.conf
# or via stdin:
cat ./nginx-dump.conf | gixy -
What it catches (examples)
Gixy-Next ships with a ton of plugins that detect a wide range of issues. A few examples you might care about:
- HTTP response splitting hazards
- SSRF-style proxy misconfigurations
- Host header spoofing risks
- Alias path traversal gotchas
- Weak referer/origin validation
- Unanchored regex patterns and ReDoS risk
- Risky DNS resolver configurations
- Version disclosure via
server_tokens - Misleading "looks fine" patterns like
ifusage inlocation
You can browse the full plugin list in the Gixy-Next documentation, but the main point is: it finds the kinds of problems that are easy to mess up or just completely miss
Tune the signal: run only what you want
Run a focused subset of checks:
gixy --tests http_splitting,ssrf,version_disclosure
Skip noisy checks:
gixy --skips low_keepalive_requests,worker_rlimit_nofile_vs_connections
Filter by severity (compounding -l):
# -l = LOW and higher
# -ll = MEDIUM and higher
# -lll = HIGH only
gixy -ll
Output formats: human-friendly and machine-friendly
By default the output is ANSI-colored for terminals. If you want plain text:
gixy -f text
If you want JSON (perfect for CI pipelines and dashboards):
gixy -f json ./nginx-dump.conf
The JSON includes fields like plugin, severity, file, line, reason, and a reference link for the specific check.
Why I like this approach
- It complements code review: reviewers focus on intent, the scanner catches patterns.
- It turns "tribal knowledge" hardening rules into repeatable checks.
- It fits modern workflows: run locally, run in CI, track over time.
Contributing / feedback
If you run into a config pattern that should be detected but is missed, open an issue with a minimal reproducible snippet. New plugins and improvements are welcome.
Top comments (0)