{"_id":"59365227e16643001bac503b","category":{"_id":"59365227e16643001bac5032","version":"59365226e16643001bac5030","project":"543026235eceb608003fde5f","__v":0,"sync":{"url":"","isSync":false},"reference":false,"createdAt":"2017-06-05T10:03:36.502Z","from_sync":false,"order":1,"slug":"getting-started-from-supportghostorgdevelopers","title":"Self-Host Install & Setup"},"project":"543026235eceb608003fde5f","user":"55acc88c6b4ff90d00784b61","parentDoc":null,"version":{"_id":"59365226e16643001bac5030","project":"543026235eceb608003fde5f","__v":1,"createdAt":"2017-06-06T06:56:38.999Z","releaseDate":"2017-06-06T06:56:38.999Z","categories":["59365227e16643001bac5031","59365227e16643001bac5032","59365227e16643001bac5033","59365227e16643001bac5034"],"is_deprecated":false,"is_hidden":false,"is_beta":true,"is_stable":true,"codename":"","version_clean":"1.0.0","version":"1.0.0"},"__v":0,"updates":[],"next":{"pages":[],"description":""},"createdAt":"2017-06-05T15:07:29.115Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"results":{"codes":[]},"settings":"","auth":"required","params":[],"url":""},"isReference":false,"order":4,"body":"[block:callout]\n{\n  \"type\": \"info\",\n  \"title\": \"Note\",\n  \"body\": \"The [Ghost-CLI](doc:installing-ghost-via-the-cli)  is able to take over SSL setup for you **soon**. Pretty cool, hm? ๐Ÿ˜€\"\n}\n[/block]\nAfter [setting up a custom domain](doc:basic-nginx-config-self-hosted-with-custom-domain#section-point-your-custom-domain-at-your-blog) it is a good idea to secure the admin interface or maybe your whole blog using HTTPS. It is advisable to protect the admin interface with HTTPS because username and password are going to be transmitted in plaintext if you do not enable encryption.\n\nThe following example will show you how to set up SSL. We assume, that you have followed this guide so far and use nginx as your proxy server. A setup with another proxy server should look similar.\n\nFirst you need to obtain a SSL certificate from a provider you trust. Your provider will guide you through the process of generating your private key and a certificate signing request (CSR). After you have received the certificate file you have to copy the CRT file from your certificate provider and the KEY file which is generated during issuing the CSR to the server.\n\n* `mkdir /etc/nginx/ssl`\n* `cp server.crt /etc/nginx/ssl/server.crt`\n* `cp server.key /etc/nginx/ssl/server.key`\n\nAfter these two files are in place you need to update your nginx configuration.\n\n* Open the nginx configuration file with a text editor (e.g. `sudo nano /etc/nginx/sites-available/ghost.conf`\n* Add the settings indicated with a plus to your configuration file:\n\n```\nserver {\n     listen 80;\n+    listen 443 ssl;\n     server_name example.com;\n+    ssl_certificate        /etc/nginx/ssl/server.crt;\n+    ssl_certificate_key    /etc/nginx/ssl/server.key;\n     ...\n     location / {\n+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n+       proxy_set_header Host $http_host;\n+       proxy_set_header X-Forwarded-Proto $scheme;\n        proxy_pass http://127.0.0.1:2368;\n        ...\n     }\n }\n```\n\n-- Restart nginx\n\n<pre><code>$ sudo service nginx restart</code></pre>\n\nAfter these steps you should be able to reach the admin area of your blog using a secure HTTPS connection. If you want to force all your traffic to use SSL it is possible to change the protocol of the url setting in your config.js file to https (e.g.: `url: 'https://my-ghost-blog.com'`). This will force the use of SSL for frontend and admin. All requests sent over HTTP will be redirected to HTTPS. If you include images in your post that are retrieved from domains that are using HTTP an 'insecure content' warning will appear. Scripts and fonts from HTTP domains will stop working.\n\nIn most cases you'll want to force SSL for the administration interface and serve the frontend using HTTP and HTTPS. To force SSL for the admin area you can use the `forceAdminSSL: true` configuration option. For more information on configuring your blog to work with SSL, see the [config Guide](/v1.0.0/docs/configuring-ghost#section-ssl).\n\nIf you need further information on how to set up SSL for your proxy server the official SSL documention of <a href=\"http://nginx.org/en/docs/http/configuring_https_servers.html\">nginx</a> and <a href=\"http://httpd.apache.org/docs/current/ssl/ssl_howto.html\">apache</a> are a perfect place to start.","excerpt":"How to setup SSL for self-hosted Ghost","slug":"how-to-setup-ssl-for-self-hosted-ghost","type":"basic","title":"SSL Setup"}

SSL Setup

How to setup SSL for self-hosted Ghost

[block:callout] { "type": "info", "title": "Note", "body": "The [Ghost-CLI](doc:installing-ghost-via-the-cli) is able to take over SSL setup for you **soon**. Pretty cool, hm? ๐Ÿ˜€" } [/block] After [setting up a custom domain](doc:basic-nginx-config-self-hosted-with-custom-domain#section-point-your-custom-domain-at-your-blog) it is a good idea to secure the admin interface or maybe your whole blog using HTTPS. It is advisable to protect the admin interface with HTTPS because username and password are going to be transmitted in plaintext if you do not enable encryption. The following example will show you how to set up SSL. We assume, that you have followed this guide so far and use nginx as your proxy server. A setup with another proxy server should look similar. First you need to obtain a SSL certificate from a provider you trust. Your provider will guide you through the process of generating your private key and a certificate signing request (CSR). After you have received the certificate file you have to copy the CRT file from your certificate provider and the KEY file which is generated during issuing the CSR to the server. * `mkdir /etc/nginx/ssl` * `cp server.crt /etc/nginx/ssl/server.crt` * `cp server.key /etc/nginx/ssl/server.key` After these two files are in place you need to update your nginx configuration. * Open the nginx configuration file with a text editor (e.g. `sudo nano /etc/nginx/sites-available/ghost.conf` * Add the settings indicated with a plus to your configuration file: ``` server { listen 80; + listen 443 ssl; server_name example.com; + ssl_certificate /etc/nginx/ssl/server.crt; + ssl_certificate_key /etc/nginx/ssl/server.key; ... location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:2368; ... } } ``` -- Restart nginx <pre><code>$ sudo service nginx restart</code></pre> After these steps you should be able to reach the admin area of your blog using a secure HTTPS connection. If you want to force all your traffic to use SSL it is possible to change the protocol of the url setting in your config.js file to https (e.g.: `url: 'https://my-ghost-blog.com'`). This will force the use of SSL for frontend and admin. All requests sent over HTTP will be redirected to HTTPS. If you include images in your post that are retrieved from domains that are using HTTP an 'insecure content' warning will appear. Scripts and fonts from HTTP domains will stop working. In most cases you'll want to force SSL for the administration interface and serve the frontend using HTTP and HTTPS. To force SSL for the admin area you can use the `forceAdminSSL: true` configuration option. For more information on configuring your blog to work with SSL, see the [config Guide](/v1.0.0/docs/configuring-ghost#section-ssl). If you need further information on how to set up SSL for your proxy server the official SSL documention of <a href="http://nginx.org/en/docs/http/configuring_https_servers.html">nginx</a> and <a href="http://httpd.apache.org/docs/current/ssl/ssl_howto.html">apache</a> are a perfect place to start.