Set up a blog with Ghost and your custom domain managed with Cloudflare

Getting Started Dec 12, 2020

A little background: the DNS for this blog's root domain is managed with Cloudflare, which provides analytics, SSL, and DDoS protection for free.

I recently decided to set up my portfolio website. After setting it up (and given that I had tried blogging back in summer 2017 but it didn't work out), I started wondering whether it was about time I managed my own blog.

I had tried Ghost on my previous blog and really liked that it is (a) open-source, (b) free to use and (c) lets you use your own custom domain for free. So, obviously, Ghost was the go-to choice.


From my experience working as a full-stack web developer, I had primarily used Let's Encrypt with Nginx on my websites, but then I stumbled on Cloudflare, found it extremely useful, and switched my domain's DNS management to it.

Following the usual guide for installing Ghost on a server, I ran into an SSL certificate error: Ghost's installer sets up Let's Encrypt with Nginx by default, while my Cloudflare SSL/TLS mode is set to Full (strict), which requires end-to-end encryption with a certificate that Cloudflare's edge can validate.

The SSL configuration that requires a trusted CA certificate on the server.

(Following this problem, I thought that this would make a good first post.)

Now, the most commonly used workaround is to switch the setting to Flexible, which only encrypts the connection between the visitor and Cloudflare and leaves the Cloudflare-to-origin leg as plain HTTP.

The proper solution is described right under it, in the Full (strict) option: "Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server".

So, after a little bit of looking around, I found out that Cloudflare can issue you an origin certificate, signed by Cloudflare's own Origin CA, for a root domain and its subdomains, as long as their DNS is managed through Cloudflare. Note that this certificate is trusted only by Cloudflare's edge, not by browsers, so it only works while your traffic is proxied through Cloudflare.

Steps:

1) Install Ghost with this guide, skipping the "Set up NGINX" and "Set up SSL" steps (you will configure NGINX yourself in step 4).

2) Obtain an origin server certificate signed by Cloudflare's Origin CA for your domain, following step 1 of the Cloudflare guide.

3) Transfer the generated certificate and private key files to your server with scp.

4) Set up NGINX yourself on your server (I use the default file in NGINX's configuration directory, but you can instead create a separate file for your domain in the same directory). Open the file in an editor of your choice and add the following configuration.

sudo vim /etc/nginx/sites-available/default
Open the file for editing
server {
    listen 443 ssl;
    # "ssl on;" is deprecated; "listen 443 ssl" already enables TLS on this listener
    server_name yourwebsite.com www.yourwebsite.com;
    # Cloudflare Origin CA certificate and its private key from step 2
    ssl_certificate     /directory/to/ssl/origin.pem;
    ssl_certificate_key /directory/to/ssl/private.pem;

    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # Ghost decides whether a request arrived over HTTPS from this header;
        # without it a site configured with an https:// url can loop on its own redirect
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        client_max_body_size {VALUE}M;
    }
}
server {
    listen 80;
    server_name yourwebsite.com www.yourwebsite.com;
    return 301 https://yourwebsite.com$request_uri;
}
NGINX Configuration for yourwebsite.com

[Optional]

Ghost usually listens on port 2368, but you can confirm the port in Ghost's configuration file and change the proxy_pass port in the snippet above if it differs. You can also replace VALUE in the snippet with the upload limit you want (in MB), which lets you add larger files.

sudo nginx -s reload
Reload NGINX so the new configuration takes effect

5) Voila! Now your blog should be up and running with end-to-end encryption secured through Cloudflare.
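Before reloading NGINX in step 4 it is worth checking that the origin certificate really covers the hostnames in server_name and belongs to the key you copied. The script below is an added example for this post, not code from Ghost or Cloudflare; the certificate paths and domain are assumptions taken from the NGINX snippet above and can be overridden through the CERT, KEY and DOMAIN environment variables.

```shell
#!/bin/sh
# Pre-reload checks for the origin certificate and nginx config from the steps above.
# Added example for this post (not Ghost's or Cloudflare's code); the paths and domain
# below are assumptions taken from the nginx snippet, override them via the environment.
CERT=${CERT:-/directory/to/ssl/origin.pem}
KEY=${KEY:-/directory/to/ssl/private.pem}
DOMAIN=${DOMAIN:-yourwebsite.com}

# Does a SAN list as printed by openssl ("DNS:a.com, DNS:*.a.com") cover $2?
# A wildcard matches exactly one label: *.a.com covers www.a.com but not a.com or x.y.a.com.
san_covers() {
  domain=$2
  parent=${domain#*.}
  if [ "$parent" = "$domain" ]; then parent=""; fi   # single label: no wildcard can match
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//' |
  while read -r name; do
    if [ "$name" = "$domain" ]; then echo match; break; fi
    case $name in
      '*.'*) if [ -n "$parent" ] && [ "${name#*.}" = "$parent" ]; then echo match; break; fi ;;
    esac
  done | grep -q match
}

# The certificate and the key belong together when they carry the same public key.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

run_checks() {
  # -ext needs OpenSSL 1.1.1 or newer; the SAN entries are on the line after the header
  san=$(openssl x509 -in "$CERT" -noout -ext subjectAltName | tail -n +2)
  san_covers "$san" "$DOMAIN" && san_covers "$san" "www.$DOMAIN" ||
    { echo "certificate does not cover $DOMAIN and www.$DOMAIN"; exit 1; }
  cert_key_match "$CERT" "$KEY" || { echo "origin.pem and private.pem do not match"; exit 1; }
  # Origin CA certificates are trusted only by Cloudflare's edge, so no browser will warn
  # you when one expires; check it here (30 days = 2592000 seconds).
  openssl x509 -in "$CERT" -noout -checkend 2592000 >/dev/null ||
    echo "warning: certificate expires within 30 days"
  sudo nginx -t || exit 1   # syntax check before "sudo nginx -s reload"
  echo "all checks passed; safe to reload nginx"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as `sh check_origin.sh --run` on the server; without `--run` it only defines the functions.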

[BONUS]

You can enable Cloudflare's Under Attack Mode, which makes every visitor pass a JavaScript challenge before the request reaches your server and so blunts HTTP-layer DDoS traffic; it is meant to be switched on while an attack is in progress rather than left on permanently. And yes, it is free!

In case you are facing any problems regarding this, feel free to comment on this article and I'll try to help out!

Cheers!
