Secure Ghost with SSL
NOTICE - This blog is no longer running Ghost.

As you might have discovered, this blog runs Ghost, which is a simple blogging tool that focuses on writing and content, not flashy extensions or mods you can get lost in. To improve my Google search ranking and to add some security, I wanted to add SSL to the site. I couldn't find a single guide, so I decided to make one.

Create SSL certificate with SmartSSL

First log into your server with SSH, and create an SSL folder to hold your certificates.
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
Next, create a CSR with openssl and enter the information it asks for; the extra attributes can be left blank.
openssl req -new -days 365 -nodes -keyout DOMAIN.key -out DOMAIN.csr
Secure your key, then copy the content of DOMAIN.csr to your clipboard:
chmod 400 DOMAIN.key
nano DOMAIN.csr
I use SmartSSL to sign my certificates, because it's free and secure enough for me. Once you have validated your domain with their service, you are free to create certificates.

Select Certification Wizard and create a Web Server SSL/TLS certificate.

Since we have created the CSR on the server, we need to skip this step. I have not yet been able to get it working by using the Generate Private Key guide.

The DOMAIN.csr content you copied needs to be pasted in here. If you have done everything correctly you will see this.

Select the domain you want the certificate for. I choose WWW as the subdomain.

Now you get the CRT, which you need to copy to a file named ssl.crt on your server:
nano ssl.crt
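The key and CSR steps above, and the ssl.crt you save here, can be scripted and checked. The following is an added example and not part of the original post: it generates the key and CSR non-interactively with openssl, keeps the key unreadable to other users, and verifies that the key, the CSR and the certificate the CA returns all carry the same public key, which is the usual cause of nginx refusing to start with a "key values mismatch" error. The function names, the DOMAIN and DIR arguments and the 2048-bit RSA key size are this example's own choices; the post's command also passes -days 365, which openssl ignores when producing a CSR, so it is left out here.

```shell
#!/bin/sh
# Added example (not from the original post): key/CSR generation and
# key-material consistency checks with openssl.

# make_csr DOMAIN DIR
# Creates DIR/DOMAIN.key (mode 400) and DIR/DOMAIN.csr without prompting.
# The subject is built from DOMAIN; -batch suppresses every interactive
# question, including the "extra attributes" the post says to ignore.
make_csr() {
    domain="$1"
    dir="$2"
    mkdir -p "$dir"
    # umask 077 so the private key is never world-readable, even briefly
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -batch \
          -subj "/CN=$domain" \
          -keyout "$dir/$domain.key" -out "$dir/$domain.csr" ) >/dev/null 2>&1
    chmod 400 "$dir/$domain.key"
    # Sanity check: the CSR's own signature must verify
    openssl req -in "$dir/$domain.csr" -noout -verify >/dev/null 2>&1
}

# pubkey_of FILE
# Prints the PEM public key embedded in a private key, a CSR or a certificate.
# The CSR pattern is tested first because "CERTIFICATE REQUEST" also
# contains the word CERTIFICATE.
pubkey_of() {
    case "$(head -n 1 "$1")" in
        *"CERTIFICATE REQUEST"*) openssl req  -in "$1" -noout -pubkey ;;
        *"CERTIFICATE"*)         openssl x509 -in "$1" -noout -pubkey ;;
        *)                       openssl pkey -in "$1" -pubout ;;
    esac
}

# same_key FILE_A FILE_B
# Exit status 0 only if both files embed the same, non-empty public key.
# Use it on DOMAIN.key vs DOMAIN.csr before uploading the CSR, and on
# DOMAIN.key vs ssl.crt after saving the CA's certificate.
same_key() {
    a="$(pubkey_of "$1")" || return 1
    b="$(pubkey_of "$2")" || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: ./mkcsr.sh DOMAIN [DIR]   (DIR defaults to /etc/nginx/ssl)
if [ "$#" -ge 1 ]; then
    make_csr "$1" "${2:-/etc/nginx/ssl}"
    same_key "${2:-/etc/nginx/ssl}/$1.key" "${2:-/etc/nginx/ssl}/$1.csr" \
        && echo "CSR written and matches key"
fi
```

Run same_key again once ssl.crt is in place; if it fails, the certificate was issued for a different CSR than the key on the server and nginx will refuse the pair.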
Now we are done creating the certificate, and we only need to configure nginx and Ghost to use it.

Configuring nginx and Ghost to use SSL

For my setup, I don't want SSL to be the default for my site, but I do want it to be mandatory when you access the admin area. First we need to set up nginx for SSL. Locate your site's nginx config, likely under
/etc/nginx/sites-enabled/
It will look something like this:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name DOMAIN; # Replace with your domain
    root /usr/share/nginx/html;
    index index.html index.htm;
    client_max_body_size 10G;
    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
Add the SSL config:
server {
    listen 80 default_server;
    listen 443 ssl; # SSL port to listen on
    listen [::]:80 default_server ipv6only=on;
    server_name DOMAIN; # Replace with your domain
    # ssl.crt must contain the server certificate first, followed by any
    # intermediate certificate your CA provides, or some clients cannot
    # build the chain
    ssl_certificate /etc/nginx/ssl/ssl.crt; # Path to CRT file
    ssl_certificate_key /etc/nginx/ssl/DOMAIN.key; # Path to key file
    root /usr/share/nginx/html;
    index index.html index.htm;
    client_max_body_size 10G;
    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
Stop and start nginx for the config to take effect
service nginx stop
service nginx start
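As an added example that is not the post's own config, here is the same single server block with the TLS settings a practitioner would normally tighten before exposing the admin login over it: IPv6 on 443 as well, only current protocol versions, and session resumption so the admin area does not pay for a full handshake on every request. It keeps the author's choice of plain HTTP as the default for the blog. The protocol list assumes nginx 1.13.0 or newer built against OpenSSL 1.1.1 or newer; on older builds drop TLSv1.3 from the ssl_protocols line, otherwise nginx rejects the config.

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;
    listen [::]:443 ssl;                    # serve HTTPS over IPv6 too
    server_name DOMAIN;                     # replace with your domain

    # ssl.crt: server certificate first, then any intermediate the CA supplies
    ssl_certificate     /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/DOMAIN.key;

    # Only modern protocol versions (see lead-in for the version requirement)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Resume sessions instead of a full handshake on every request
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /usr/share/nginx/html;
    index index.html index.htm;
    client_max_body_size 10G;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # Ghost sits behind the proxy and can only tell HTTP from HTTPS
        # through this header, so it must be forwarded unchanged.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
```

Before stopping nginx, run nginx -t: it parses the config and opens the certificate and key, so a wrong path, a key that does not match ssl.crt, or an unsupported protocol name is reported while the old instance is still serving.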
Take a look at your site to see if it's still online, and see what happens when you add https to the URL. Wuhuu, we are online with https, now let's use it for something.

You could go ahead and force SSL on all connections, but I just want to use it for the Ghost admin area. Locate your Ghost config.js, likely under /var/www/ghost, and navigate to the production part:
// ### Production
// When running Ghost in the wild, use the production environment
// Configure your URL and mail settings here
production: {
    url: 'http://martinhannemann.com',
and add forceAdminSSL: true, so it reads:
// ### Production
// When running Ghost in the wild, use the production environment
// Configure your URL and mail settings here
production: {
    url: 'http://martinhannemann.com',
    forceAdminSSL: true,
Restart all related services
service nginx stop
service nginx start
service ghost restart
Now if you try to enter the Ghost admin, you will be redirected to the secure version. I hope this was helpful; if you have any questions or comments, write below.

Credits

SSL Certificates with Nginx
Protecting the Ghost Login Page With a Free SSL Certificate