How to Secure your Installation of Revive Adserver

This article provides some general tips, tricks, and recommendations in order to properly secure your Revive Adserver installation.

Introduction

The Revive Adserver download package contains multiple folders, and most of them are not supposed to be reachable from a browser. They contain library files, plugins, configuration files, and cache files, and anyone accessing them could gather confidential information that could be used with malicious intent.

If your web server is not pointed directly at the Revive Adserver root directory, but is configured to serve www/admin and www/delivery via specific domains, feel free to skip the recommendations below.

Important Note

This page provides generic recommendations only. Please ensure the settings are correct for your server setup and the web server software being used. Every system administrator is responsible for their own security implementation.

By default, Revive Adserver ships with .htaccess files that block any access to such folders on Apache instances that have been configured to allow .htaccess configuration files.

If your Apache is not configured that way, or you are using different web server software, please find some generic instructions below.

Apache

Put the following in the virtual host configuration file:

<DirectoryMatch "^/path/to/revive/(?!$|www/)">
    # Apache 2.4
    <IfModule mod_authz_core.c>
      Require all denied
    </IfModule>

    # Apache 2.2
    <IfModule !mod_authz_core.c>
      Order deny,allow
      Deny from all
    </IfModule>
</DirectoryMatch>

Alternatively, you could rely on the .htaccess files we ship:

<Directory /path/to/revive>
   AllowOverride AuthConfig Limit
</Directory>

Nginx

If Revive Adserver has been deployed in the document root:

location ~ ^/(?!$|www/) {
   return 403;
}

Otherwise:

location ~ ^/relative/path/to/revive/(?!$|www/) {
    return 403;
}
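
A way to check the Nginx rule above, as an added example that is not part of the Revive Adserver documentation: the Python script below applies the same regular expression to request paths and can optionally probe a live server for paths that should answer 403 but do not. The function names, the sample paths other than www/admin and www/delivery, and the ads.example.com URL are assumptions made for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

def is_denied(path, prefix=""):
    """True if the page's rule ^<prefix>/(?!$|www/) matches path (-> 403).
    prefix is "" when Revive Adserver sits in the document root."""
    return re.search("^" + re.escape(prefix) + r"/(?!$|www/)", path) is not None

def fetch_status(base_url, path):
    """HTTP status for base_url + path; error statuses such as 403 are returned, not raised."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(paths, get_status, prefix=""):
    """Paths the rule should deny but that did not answer 403."""
    return [p for p in paths if is_denied(p, prefix) and get_status(p) != 403]

# Constructed sample paths; only www/admin and www/delivery come from the page.
SAMPLES = [
    "/",                     # installation root: allowed by the "$" alternative
    "/www/admin/",           # allowed
    "/www/delivery/",        # allowed
    "/www",                  # no trailing slash: not "www/", so denied
    "/wwwbackup/",           # only the exact "www/" folder is exempt
    "/var/sample.conf.php",  # denied
    "/lib/sample.php",       # denied
    "/plugins/sample/",      # denied
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{'deny ' if is_denied(p) else 'allow'} {p}")
    if len(sys.argv) > 1:  # optional live check: python check.py https://ads.example.com
        base = sys.argv[1]
        exposed = audit(SAMPLES, lambda p: fetch_status(base, p))
        print("still reachable:", exposed or "none")
        sys.exit(1 if exposed else 0)
```

For a live check, replace the constructed paths with files that actually exist in your installation, since a missing file may answer 404 rather than 403 depending on the web server.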