Ghost Blog + Nginx + Let's Encrypt

Ghost is a open source blog platform for developers and journalists. At the time of writing, this blog is powered by Ghost. It's a lot more easier to use (and with less bloatware) than Wordpress and it can be hosted on your own server.

This post is dedicated to make a brief introduction to install Ghost Blog with Let's Encrypt SSL/TLS certificates and a custom config file for Nginx.

Requirements

In order to install Ghost, you need a local server or VPS with a GNU/Linux distribution, a configured DNS domain and Node.js, Let's Encrypt certbot and Nginx installed. Instructions below are intended for Ubuntu.

Install

Let's Encrypt Certbot

My previous post shows how to install the Let's Encrypt Certbot that renews SSL/TLS credentials automatically. But in a nutshell, you can install it on Ubuntu like this (replace mydomain.info with your own DNS domain):

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install python-certbot-nginx
sudo certbot --nginx -d mydomain.info -d www.mydomain.info

Nginx

Nginx can be quicky installed with the following command (Nginx will act as a reverse proxy in order to allow access to Ghost blog from outside):

sudo apt-get install nginx

Node.js

Node.js can be installed in Ubuntu as follows:

curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
sudo apt-get install -y nodejs

Ghost Blog

Now you can install Ghost Blog with the following commands:

sudo npm install ghost-cli -g
sudo mkdir -p /var/www/ghost
sudo chown $(whoami):$(whoami) /var/www/ghost
sudo chmod 775 /var/www/ghost
cd /var/www/ghost
ghost install

Follow the instructions of the installer, and say no to Set up NGINX? and Set up SSL? since we're making our custom Nginx config file for this (more detailed instructions for the installer can be seen here).

Custom config file for Ghost + Let's Encrypt for Nginx

If everrything went well with the Ghost installer, the blog will be listening over http://localhost:2368. In order to make available to other PCs over the internet, a reverse proxy must be done. The config file shown below allows to make a reverse proxy from http://localhost:2368 to the external network using Let's Encrypt certificates for our DNS domain (as above, replace mydomain.info with your own domain):

#HTTP Server
server {  
    listen 80;
    server_name mydomain.info www.mydomain.info;
    return 301 https://mydomain.com$request_uri;
}

# HTTPS Server
server {  
    listen 443 ssl default_server;
    server_name mydomain.info;

    client_max_body_size 50M;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    ssl on;
    ssl_certificate /etc/letsencrypt/live/mydomain.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.info/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_timeout 5m;
}

Save this file as /etc/nginx/sites-available/blog.conf, with the nano editor, it can be done as follows (in nano, you can save with CTRL+O and exit with CTRL+X):

sudo nano /etc/nginx/sites-available/blog.conf

Now enable your new config file as follows:

sudo ln -s /etc/nginx/sites-available/blog.conf /etc/nginx/sites-enabled/blog.conf
sudo nginx -t
sudo service nginx restart

If everything went well, you will be able to access your site from https://mydomain.info.

Wrapping up

This tutorial is a brief introduction to Ghost Blog and custom configuration for Let's Encrypt. I hope you liked this post!