[Rule] Nginx config rules

[minusworld]

Rule Description

Nginx config rules such as:

• proxy SSRF
• unsafe proxied connections
• outdated cipher suites
• more

Examples or references

• https://www.acunetix.com/blog/web-security-zone/hardening-nginx/
• https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/

PR Checklist

• [x] This ticket has links, references, or examples.
• [x] The rule has true positive and true negative test cases in a file that matches the rule name.

If the rule is my-rule, the test file name should be my-rule.js.

True positives are marked by comments with ruleid: <my-rule> and true negatives are marked by comments with ok: <my-rule>.

• [x] The rule has a good message. A good message includes:

1. A description of the pattern (e.g., missing parameter, dangerous flag, out-of-order function calls).
2. A description of why this pattern was detected (e.g., logic bug, introduces a security vulnerability, bad practice).
3. An alternative that resolves the issue (e.g., use another function, validate data first, discard the dangerous flag).

• [ ] After the PR has been reviewed and approved, merge the rule and close this ticket! Thanks for contributing!

[clintgibler]

Should also evaluate various existing tools, like https://github.com/yandex/gixy.

[minusworld]

https://semgrep.dev/p/nginx