Why Nginx Configuration Analysis Matters
Nginx powers over 30% of all websites, making it the most popular reverse proxy and web server. But a single misconfiguration can expose your server to attacks: missing security headers, outdated SSL protocols, directory listing enabled, or server version disclosure.
dargslan-nginx-analyzer is a free Python tool that parses your Nginx configuration, identifies security issues, and provides actionable recommendations, all from the command line or Python scripts.
Install dargslan-nginx-analyzer
pip install dargslan-nginx-analyzer
Full Analysis Report
dargslan-nginx report
Auto-detects your nginx.conf location, parses all included configuration files, lists server blocks, and reports all security issues sorted by severity.
What Gets Checked
SSL/TLS Configuration
dargslan-nginx ssl
- Insecure protocols: SSLv3, TLSv1.0 detection
- Cipher suite configuration
- Server cipher preference (ssl_prefer_server_ciphers)
- Certificate configuration validation
Security Headers
dargslan-nginx headers
Checks for 7 critical security headers:
- X-Frame-Options: Clickjacking protection
- X-Content-Type-Options: MIME type sniffing prevention
- X-XSS-Protection: Cross-site scripting filter
- Strict-Transport-Security (HSTS): Force HTTPS
- Content-Security-Policy: Resource loading control
- Referrer-Policy: Referrer information control
- Permissions-Policy: Browser feature permissions
Common Misconfigurations
dargslan-nginx issues
- server_tokens on: Nginx version disclosure
- autoindex on: Directory listing enabled
- Missing dotfile block: .env, .git accessible
Server Block Analysis
dargslan-nginx servers
Lists all server blocks with their server names, listen directives, SSL status, root paths, and source config files.
Config Validation
dargslan-nginx test
Runs nginx -t to validate configuration syntax before applying changes.
Python API
from dargslan_nginx_analyzer import NginxAnalyzer

na = NginxAnalyzer()  # auto-finds nginx.conf

# Full audit
issues = na.audit()
for issue in issues:
    print(f"[{issue['severity'].upper()}] {issue['server']}: {issue['message']}")

# Get server blocks
servers = na.get_server_blocks()
for s in servers:
    ssl = " [SSL]" if s['ssl'] else ""
    print(f"{s['server_name']}{ssl}")

# Custom config path
na = NginxAnalyzer(config_path="/etc/nginx/nginx.conf")
Fixing Common Issues
Disable Server Version Disclosure
# In nginx.conf http block:
server_tokens off;
Add Security Headers
# In server block:
# A location that defines its own add_header does not inherit these; repeat them there.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Block Dotfile Access
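# This pattern also matches /.well-known/ (used by ACME HTTP-01 challenges).
# return is handled in the rewrite phase, so clients receive 404.
location ~ /\. {
    deny all;
    return 404;
}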
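An added example, not part of dargslan-nginx-analyzer or the original article: a small Python scan that applies the checks listed above to a constructed weak config and to one carrying the fixes from this section. The names audit, WEAK, FIXED and the finding codes are assumptions made for illustration, and only the five headers set in the fix above are checked.

```python
import re

# Constructed sample configs for illustration, not taken from a real server.
WEAK = """
http {
    server {
        listen 443 ssl;
        ssl_protocols SSLv3 TLSv1 TLSv1.2;
        autoindex on;  # directory listing
    }
}
"""
FIXED = r"""
http {
    server_tokens off;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Content-Security-Policy "default-src 'self'" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        location ~ /\. { deny all; return 404; }
    }
}
"""
HEADERS = ["X-Frame-Options", "X-Content-Type-Options", "Strict-Transport-Security",
           "Content-Security-Policy", "Referrer-Policy"]

def audit(conf):
    """Return sorted finding codes for one config given as a flat string."""
    conf = re.sub(r"(?m)(^|\s)#.*$", "", conf)  # drop comments (naive: ignores quoting)
    found = set()
    if not re.search(r"\bserver_tokens\s+off\s*;", conf):  # nginx default is "on"
        found.add("server_tokens")
    if re.search(r"\bautoindex\s+on\s*;", conf):
        found.add("autoindex")
    for protos in re.findall(r"\bssl_protocols\s+([^;]+);", conf):
        if {"SSLv3", "TLSv1"} & set(protos.split()):  # nginx spells TLS 1.0 as "TLSv1"
            found.add("insecure_protocol")
    present = {h.lower() for h in re.findall(r"\badd_header\s+([\w-]+)", conf)}
    found |= {f"missing_header:{h}" for h in HEADERS if h.lower() not in present}
    if not re.search(r"\blocation\s+~\*?\s+/\\\.", conf):  # regex location for dotfiles
        found.add("no_dotfile_block")
    return sorted(found)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(conf) or "no findings")
```

The scan treats the config as one flat string, so it does not follow include files or model per-location add_header inheritance.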