fix: skip status_page_exposed warning for Unix socket listeners (#101)

dvershinin · dvershinin · commit 73990d6135f1 · 2026-02-09T03:26:44.000+08:00
When a server block only listens on Unix sockets, stub_status is
inherently inaccessible from the network — no IP restrictions needed.
diff --git a/gixy/plugins/status_page_exposed.py b/gixy/plugins/status_page_exposed.py
@@ -15,12 +15,36 @@ class status_page_exposed(Plugin):
     )
     directives = ["stub_status"]
 
+    def _server_uses_only_unix_sockets(self, directive):
+        """Check if the enclosing server block only listens on Unix sockets.
+
+        Args:
+            directive: The directive to check.
+
+        Returns:
+            True if the server block has at least one listen directive and all
+            of them use Unix sockets.
+        """
+        for parent in directive.parents:
+            if parent.name == "server":
+                listen_directives = parent.find("listen")
+                if not listen_directives:
+                    return False
+                return all(
+                    d.args and d.args[0].lower().startswith("unix:")
+                    for d in listen_directives
+                )
+        return False
+
     def audit(self, directive):
         """Audit stub_status directive for missing access restrictions.
 
         Args:
             directive: The stub_status directive to audit.
         """
+        if self._server_uses_only_unix_sockets(directive):
+            return
+
         parent = directive.parent
         if not parent:
             return
diff --git a/tests/plugins/simply/status_page_exposed/status_page_exposed_unix_fp.conf b/tests/plugins/simply/status_page_exposed/status_page_exposed_unix_fp.conf
@@ -0,0 +1,11 @@
+server {
+    listen unix:/run/nginx/status.sock;
+
+    location = / {
+        stub_status;
+    }
+
+    location / {
+        return 404;
+    }
+}
