How to Secure your Installation of Revive Adserver

This article provides some general tips, tricks, and recommendations in order to properly secure your Revive Adserver installation.

Lock the Revive Adserver configuration file(s)

The configuration settings for your Revive Adserver are stored in one or more plain text files inside the ‘var’ folder.

In order to ensure that your system is secure and that nobody can make any unauthorized changes to the configuration settings or your system as a whole, these configuration files should be “locked”, meaning they should be set to be read-only.

To achieve this, set the permissions of any file with a name that ends in “conf.php” to “644” or whatever is the equivalent for your server, operating system or web server software.

chmod 644 *.conf.php

Server security

The Revive Adserver download package contains multiple folders and most of them are not supposed to be reached from a browser. They contain library files, plugins, configuration files, cache files, and anyone accessing them could gather confidential information that could be used with malicious intents.

If your web server is not pointed directly at the Revive Adserver root directory, but is instead configured to serve www/admin and www/delivery via specific domains, feel free to skip the recommendations below.

Important Note

This page provides generic recommendations only; please ensure the settings are correct for your server setup and the web server software being used. Every system administrator is responsible for their own security implementation.

By default, Revive Adserver ships with .htaccess files that block any access to such folders on Apache instances that have been configured to allow .htaccess configuration files.

If your Apache does not allow .htaccess files, or if you are using different web server software, please find some generic instructions below.

Apache

Put the following in the virtual host configuration file:

<DirectoryMatch "^/path/to/revive/(?!$|www/)">
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</DirectoryMatch>

Alternatively, you could rely on the .htaccess files we ship:

<Directory /path/to/revive>
    AllowOverride AuthConfig Limit
</Directory>

Nginx

If Revive Adserver has been deployed in the document root:

location ~ ^/(?!$|www/) {
    return 403;
}

Otherwise:

location ~ ^/relative/path/to/revive/(?!$|www/) {
    return 403;
}

Securing the Images folder

The www/images folder of your Revive Adserver installation is used to store the images of any banners that you upload to the webserver. It’s also used to store the content of HTML5 banners that you upload. Generally speaking, there should never be any need to store executable PHP files in the www/images folder.

Unfortunately though, it has happened that malicious actors have found ways to upload PHP files into the www/images folder. Especially in a setup where the entire Revive Adserver installation is on a single server, such .php files could then be requested via a public URL, enabling the malicious actors to execute code that (for example) they could use to access the file system, the server, the database, or something else that’s not supposed to be accessible.

To prevent this from happening, it is recommended that you configure the web server in a way that prevents PHP files from being executed specifically in the www/images folder.

A community member suggested this method for servers using Apache:

Create a file named .htaccess in the www/images folder. This should be a simple text file, no file name extension.

Put the following content in the file:

php_flag engine off
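One way to routinely check two of the points above (that the conf.php files in the var folder are locked, and that no PHP files have appeared under www/images) is a small audit script. This is an added example, not code from Revive Adserver; the install tree it scans is constructed in a temporary directory, and the file names in it are made up for the demo.

```python
import stat
import tempfile
from pathlib import Path

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
# Suffixes treated as PHP; extend this if your handler also executes .phtml or .phar.
PHP_SUFFIXES = (".php",)

def writable_conf_files(root):
    """Return var/*.conf.php files whose mode is looser than the recommended 644."""
    return sorted(
        str(p.relative_to(root))
        for p in Path(root, "var").glob("*.conf.php")
        if p.stat().st_mode & GROUP_OR_OTHER_WRITE
    )

def php_in_images(root):
    """Return PHP files anywhere below www/images, including unpacked HTML5 banners."""
    images = Path(root, "www", "images")
    return sorted(
        str(p.relative_to(root))
        for p in images.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
    )

def audit(root):
    """Run both checks on an install tree; empty lists mean nothing was found."""
    return {"writable_conf": writable_conf_files(root), "php_in_images": php_in_images(root)}

def build_sample_install(root):
    """Constructed demo tree: one conf file locked to 644, one left at 666,
    a banner image, and a planted PHP file that should never be in www/images."""
    root = Path(root)
    (root / "var").mkdir()
    (root / "www" / "images").mkdir(parents=True)
    for name, mode in (("example.com.conf.php", 0o644), ("default.conf.php", 0o666)):
        conf = root / "var" / name
        conf.write_text("<?php\n")
        conf.chmod(mode)  # chmod sets the exact mode regardless of umask
    (root / "www" / "images" / "banner.png").write_bytes(b"\x89PNG")
    (root / "www" / "images" / "planted.php").write_text("<?php\n")
    return root

def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_install(tmp))
```

Point audit() at a real installation root to use it outside the demo; any non-empty list is a file that needs chmod 644 or removal from www/images.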