Nginx Security Configuration Review

Dec 1

What are Semgrep and Gixy?

Semgrep is a fast, open-source, static analysis tool for finding bugs and enforcing code standards at the editor, commit, and CI time. It's like having an automated code reviewer without the overhead of managing one. On the other hand, Gixy is a tool specifically aimed at analyzing Nginx configuration files to prevent security misconfiguration and automate the detection of common threats.

Installing the Tools

Before diving into the configurations, ensure that you have both tools installed. You can easily install them using Python's package manager, pip:

pip install semgrep
pip install gixy

Running Security Checks with Gixy

Gixy is your first line of defense in auditing Nginx configurations. It scans for misconfigurations like:

Unsafe include directives
Insecure proxy_pass settings
SSL/TLS vulnerabilities
And many more...

Using it is as simple as running gixy /etc/nginx/nginx.conf. It outputs a comprehensive report detailing any potential issues.

Leveraging Semgrep for Advanced Analysis

Semgrep goes beyond the capabilities of Gixy by allowing you to write custom rules for deep code scanning. You can scan your Nginx configurations for patterns that might indicate security risks. For example, you can detect if autoindex is mistakenly left on, which could expose sensitive directories:

rules:
- id: nginx-autoindex-enabled
  patterns:
    - pattern-inside: |
        location $X {
          ...
        }
    - pattern: autoindex on;
  message: "Disabling 'autoindex' is crucial to prevent unintended directory listings."
  languages: [generic]
  severity: ERROR

Running Semgrep could produce alerts that direct you to the exact line of code where the issue is present, providing an actionable message for quick remediation.

Sample Outputs: A Closer Look

When you run these tools, the outputs are not just lines of code; they're signposts indicating the health of your configurations.

Semgrep might return:

found 1 issue
 - /etc/nginx/conf.d/default.conf:22
Error: nginx-autoindex-enabled
Message: Disabling 'autoindex' in production can lead to information disclosure. Disable 'autoindex' or restrict access.
Code: autoindex on;

Gixy, on the other hand, might report:

[alias_traversal]
Issue: Potential alias traversal
Description: Incorrect usage of the alias directive can lead to directory traversal vulnerabilities.

Reviewing Results and Applying Changes

After reviewing the output, discern which issues are false positives and which require your attention. Modify your Nginx configurations accordingly and ensure to restart the Nginx service to apply changes. It's critical to repeat the analysis post-modification to confirm the fixes.

Semgrep Nginx Rulesets

To explain how you might create Semgrep rules for Nginx configurations, let’s consider what you might want to check for in an Nginx configuration file:

Security Headers: Ensure that security headers are properly set.
SSL Protocols: Ensure that only secure SSL protocols are used.
Access Controls: Ensure that sensitive directories are not publicly accessible.
Redirection Rules: Ensure that redirections are not leading to open redirects.
Resource Limits: Ensure that resource limits are set to prevent denial of service (DoS) attacks.

Here's how a ruleset for these concerns might look in Semgrep, hypothetically:

rules:
  - id: nginx-secure-headers
    patterns:
      - pattern-inside: |
          server {
            ...
          }
      - pattern-not: add_header Content-Security-Policy ...
      - pattern-not: add_header X-Frame-Options ...
      - pattern-not: add_header X-Content-Type-Options ...
      - pattern-not: add_header Referrer-Policy ...
    message: "Missing one or more security headers in server block."
    languages: [generic]
    severity: WARNING

  - id: nginx-ssl-protocols
    patterns:
      - pattern-inside: |
          server {
            ...
          }
      - pattern-not: ssl_protocols TLSv1.2 TLSv1.3;
    message: "Weak SSL protocols detected. Use only TLSv1.2 or TLSv1.3."
    languages: [generic]
    severity: ERROR

  - id: nginx-no-public-sensitive-dir
    pattern-either:
      - pattern: |
          location /sensitive {
            autoindex on;
          }
      - pattern: |
          location /admin {
            allow all;
          }
    message: "Sensitive directories should not be publicly accessible."
    languages: [generic]
    severity: ERROR

  - id: nginx-secure-redirect
    patterns:
      - pattern-inside: |
          rewrite ^(.*)$ ...
      - pattern-not: rewrite ^(.*)$ https://secure.example.com$1 permanent;
    message: "Ensure that redirects are not open. Use secure destinations."
    languages: [generic]
    severity: WARNING

  - id: nginx-resource-limits
    patterns:
      - pattern-inside: |
          http {
            ...
          }
      - pattern-not: |
          client_body_timeout 10;
          client_header_timeout 10;
          keepalive_timeout 10;
    message: "Set resource limits to prevent potential DoS attacks."
    languages: [generic]
    severity: INFO

Each rule in the ruleset is structured to identify a specific issue:

pattern-inside: This portion of the rule specifies a broader context in which to look for the issue.
pattern-not: This is the actual pattern that Semgrep will look for within the specified context. If this pattern is not found, it implies a potential issue, and the message is displayed.
message: A human-readable description of the issue that will be shown if the pattern is matched (or not matched, in the case of pattern-not).
languages: Semgrep rules can target multiple languages; generic is used here since Nginx configurations do not fall under a specific programming language that Semgrep supports.
severity: This can be INFO, WARNING, or ERROR, indicating the seriousness of the issue.

Please note that these rules are hypothetical and are meant to serve as examples of what you can do with Semgrep. In practice, you would need to tailor these rules to match your organization's specific policies, the structure of your Nginx configurations, and the security practices you wish to enforce.

Gixy Nginx Rulesets

Gixy is a tool designed to analyze Nginx configuration files for common misconfigurations and security vulnerabilities. It is focused on preventing several types of security issues, including:

[ngx_http_split_clients_module] - Misuse of the split_clients directive could lead to improper distribution of traffic, affecting load balancing and potentially leading to information disclosure.
[http_host] - Potential problems with the "Host" header when using proxy_pass and fastcgi_pass. Improper handling of this header can lead to security issues like cache poisoning.
[add_header] - Misuse of the add_header directive, particularly in the context of security headers. If used improperly, it may not apply security headers consistently across all responses.
[alias] - Checks for misconfiguration in the alias directive. Incorrect use can lead to directory traversal vulnerabilities.
[rewrite] - Potential problems with rewrite rules that may result in open redirection vulnerabilities or improper request handling.
[ssi] - Server Side Includes (SSI) misconfiguration can lead to information leakage if not properly controlled and secured.
[ssl] - Identifies SSL/TLS misconfigurations, such as using weak ciphers or protocols that could compromise secure communication.
[proxy_hide_header] - Ensures that headers which should be hidden from client responses, especially when using proxy_pass, are correctly specified.
[server_name] - Issues with server_name directives, such as wildcard names that may lead to security weaknesses or misrouting of traffic.
[server_tokens] - Advises on the server_tokens directive to control whether version numbers and server names are returned in headers, which can be an information leak.
[limit_zone] - Checks for potential misuse of the limit_zone directive, which can lead to inefficient resource allocation or DoS vulnerabilities.
[limit_req_zone] and [limit_req] - Analyze rate-limiting configurations that help mitigate DoS attacks. Misconfiguration can either lead to ineffectiveness or overblocking legitimate traffic.
[location] - Detects potential problems with the use of the location directive, such as ambiguous locations that may not behave as intended.

Gixy also provides general parsing and analysis of the configuration files to detect:

Usage of uninitialized variables.
Looping includes.
Inclusion of files from non-privileged directories.

Gixy's ruleset is built into the tool and is not designed to be modified or extended by the end-user in the same way as Semgrep. Instead, Gixy works out of the box, with a predefined set of checks based on best practices and common pitfalls in Nginx configuration.

To use Gixy, you simply run it against your Nginx configuration file(s), and it will report on any issues it finds, along with descriptions of the problem and recommendations for remediation. It's an excellent tool for a quick sanity check of Nginx configurations, especially to catch issues that might be overlooked during manual reviews.

Continuous Security: Integrating with CI/CD

Integrating Semgrep and Gixy into your Continuous Integration/Continuous Deployment (CI/CD) pipeline can help maintain ongoing security posture, ensuring that every deployment is safe and secure.

Conclusion

The combination of Gixy and Semgrep provides a robust framework for ensuring your Nginx configurations are secure by default. Regularly auditing your configurations with these tools can save you from future headaches caused by security incidents. Remember, in the realm of cybersecurity, prevention is always better than cure. So, arm yourself with Gixy and Semgrep, and keep your Nginx server locked down tight.

References

https://semgrep.dev/p/nginx
https://hub.docker.com/r/yandex/gixy/
https://github.com/yandex/gixy
https://github.com/yandex/gixy/tree/master/docs/en/plugins

nginxjsonconfigurationreviewsecurityreviewconfigreviewnginxsecuritysecurenginxconfiggixysemgrepsemgrepnginxgixynginx

Syed Huda