A little background: the root domain's DNS for this blog is managed through Cloudflare, which provides services like analytics, SSL and DDoS protection for free.
I recently took the decision of setting up my portfolio website. After setting it up (and the fact that I tried blogging back in summer 2017 but it didn't work out), I started wondering if it was about time that I started managing my own blog.
I tried Ghost before in my previous blog and really liked the fact that it is: a. open-source, b. free to use and c. lets you use your custom domain with it for free. So, obviously, Ghost was the go-to choice.
With my experience working as a full stack web developer, I primarily used Let's Encrypt with Nginx on my websites, but then I stumbled on Cloudflare and found it to be extremely useful, so I switched my Domain's DNS management to it.
Following the usual guide on installing Ghost on your server, I ran into an SSL certificate error as Ghost's installation procedure uses Let's Encrypt with Nginx by default and my DNS management enforces Strict End-to-end encryption with Cloudflare.
<Following this problem, I thought that this would make a good first post>
Now, the most commonly used solution is to switch the setting to Flexible, which only secures the connection between the visitor's browser and Cloudflare and leaves the hop from Cloudflare to your server unencrypted.
The proper solution is mentioned right under it: "Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server"
So, after a little bit of looking around, I found out that you can generate a CA certificate of your own through Cloudflare for a root domain and its subdomains that are managed through Cloudflare only.
2) Obtain your origin server CA certificate through Cloudflare with Step 1 from the Cloudflare guide.
3) Transfer your generated certificate files to your server with the scp command.
4) Set up NGINX yourself on your server (I use the default file in NGINX's configuration directory; however, you can choose to create a separate domain file in the same directory). Start an editor of your choice and add the following configuration.
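An added example of such a configuration (not the author's original file): NGINX terminates TLS with the Cloudflare Origin CA certificate and proxies to Ghost on its default port. The domain `example.com`, the certificate paths and the 50 MB upload limit are assumptions to replace with your own values.

```nginx
# Added example, not the original post's file.
# example.com and the /etc/ssl/cloudflare/ paths are assumed placeholders.

# Send any plain-HTTP request to HTTPS so nothing reaches Ghost unencrypted.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Certificate and private key generated in the Cloudflare dashboard
    # (Origin CA) and copied to the server with scp in step 3.
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Upload limit in MB; this is the VALUE the post refers to
    # (50 is an assumed sample value).
    client_max_body_size 50m;

    location / {
        # Ghost's default port; change it if your Ghost config differs.
        proxy_pass http://127.0.0.1:2368;

        # Pass the original host and scheme so Ghost knows the request
        # arrived over HTTPS and does not answer with a redirect loop.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Keep the private key readable by root only, and run `nginx -t` to validate the file before reloading NGINX.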
Ghost usually starts on port 2368, but you can check this in its configuration file and swap the port number in the above code snippet in case it's not 2368. You can also replace VALUE in the above code snippet to increase the data upload limit (in MB), which will allow you to add larger files.
5) Voila! Now your blog should be up and running with end-to-end encryption secured through Cloudflare.
You can use Under Attack Mode for a continuous DDoS check any time someone tries to access your website. And yes, it is free!
In case you are facing any problems regarding this, feel free to comment on this article and I'll try to help out!