Show HN: Nginx-lint – A linter for Nginx configs with plugin support and autofix (github.com)

3 points by walf4431 ↗ HN

  Hi HN,

  I built nginx-lint, a new linter for nginx configuration files written in Rust using Claude Code.

  Why I built this: nginx configs are deceptively simple but full of subtle pitfalls – add_header inheritance silently dropping
  security headers in child blocks, alias path traversal from a missing trailing slash, if inside location causing unpredictable
  behavior, server_tokens leaking your nginx version by default. These issues are hard to catch in code review and often only surface
  in production.

  What it does:
  - 30+ built-in rules covering security, best practices, syntax, and style
  - Autofix with --fix to automatically correct issues
  - Lint partial configs – files in conf.d/ or sites-available/ can be linted standalone with --context http,server or a #
  nginx-lint:context comment, so you don't need the full nginx.conf to get accurate results
  - Configurable – .nginx-lint.toml lets you enable/disable individual rules, adjust severity, and tune rule-specific options (e.g.,
  allowed TLS protocols, indent size). Generate a default config with nginx-lint config init
  - WASM plugin system – write custom rules in Rust, compile to WebAssembly
  - Web UI that runs entirely client-side via WASM (https://walf443.github.io/nginx-lint/)
  - JSON output for CI integration
  - Docker image available: docker run --rm -v /path/to/nginx.conf:/tmp/nginx.conf ghcr.io/walf443/nginx-lint /tmp/nginx.conf
  Example .nginx-lint.toml:
  [rules.server-tokens-enabled]
  enabled = true

  [rules.indent]
  indent_size = 4

  [rules.deprecated-ssl-protocol]
  allowed_protocols = ["TLSv1.2", "TLSv1.3"]

  The partial config support is especially useful in CI – many teams split nginx configs across multiple files and only change one at
  a time. Context-aware rules like server_tokens detection work correctly even on a snippet that starts with location /api { ... }.

  The WASM plugin architecture lets you add organization-specific rules without modifying the core. Each plugin is a self-contained
  Rust crate compiled to .wasm. Native execution is ~300x faster than WASM, but the plugin system makes distribution and sandboxing
  easy.

  GitHub: https://github.com/walf443/nginx-lint
  Demo: https://walf443.github.io/nginx-lint/

  I'd love feedback on what rules you'd find most useful, or nginx pitfalls you've been bitten by.

0 comments

[ 3.1 ms ] story [ 9.6 ms ] thread

No comments yet.