I’m considering migrating from WordPress to Ghost, so I have them running side by side for a bit.

Ghost does not have good media support at the moment, so although I imported from WordPress the images are broken. So is anything that used a WordPress shortcode, e.g. SoundCloud, YouTube etc.

Though that stands against it, I’ve not got that many posts so fixing those problems is doable. The ability to write posts in markdown is a big win for Ghost.

SSL for Ghost Admin ONLY

As with WordPress, I want my admin area to be served using a self-signed certificate, but I don’t want any of the rest of the blog available over https.

Ghost have provided an example nginx configuration to serve the entirety of the site over http and https. In addition, a Ghost config option allows you to force the admin page over https. The instructions for achieving this can be found here.

However, the rest of the blog will still be available over https too which is undesirable with a self-signed certificate. I don’t want the possibility of links to my site coming up with the ‘The site’s security certificate is not trusted!’ warning.

With a bit of crafty nginx configuration, we can make sure that only requests to /ghost are redirected to https, while any other requests are redirected to http.

This example server configuration shows how to achieve this:

server {
    listen                      80;
    server_name                 yourghostblog.com;

    location /ghost {
        return                  301 https://$host$request_uri;
    }

    location / {
        proxy_pass              http://127.0.0.1:2368;
        proxy_redirect          off;
        proxy_set_header        Host             $host;
        proxy_set_header        X-Real-IP        $remote_addr;
        proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

server {
    listen                      443 ssl;
    server_name                 yourghostblog.com;

    ssl_certificate             /etc/nginx/ssl/server.crt;
    ssl_certificate_key         /etc/nginx/ssl/server.key;
    ssl_session_timeout         5m;
    # SSLv3 and export/low-grade ciphers are broken; allow modern TLS and strong ciphers only
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location /ghost {
        proxy_pass              http://127.0.0.1:2368;
        proxy_redirect          off;
        proxy_set_header        Host             $host;
        proxy_set_header        X-Real-IP        $remote_addr;
        proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

    location / {
        return                  301 http://$host$request_uri;
    }
}
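To check that a deployed server behaves as the two blocks above intend, the following added example (not part of the original post or of Ghost) models the routing and compares it with live responses. The sample URIs are constructed, and `/ghostly-post/` is a hypothetical slug chosen to show that `location /ghost` is a prefix match, so any post whose path begins with `/ghost` is also sent to https.

```python
import http.client
import ssl
from urllib.parse import urlsplit

HOST = "yourghostblog.com"  # server_name from the config above
ADMIN_PREFIX = "/ghost"     # prefix location used in both server blocks

def expected(scheme, uri, host=HOST):
    """Simplified model of the config: (301, Location), or (None, None) if proxied.

    nginx prefix locations match the path without the query string and the
    longest prefix wins, so "/ghost" beats "/" for anything starting with it.
    """
    is_admin = urlsplit(uri).path.startswith(ADMIN_PREFIX)  # not segment-aware
    if scheme == "http" and is_admin:
        return 301, f"https://{host}{uri}"  # $request_uri keeps the query string
    if scheme == "https" and not is_admin:
        return 301, f"http://{host}{uri}"
    return None, None

def observed(scheme, uri, host=HOST):
    """Send one GET without following redirects; return (status, Location)."""
    if scheme == "https":
        # Verification is off only because the page's certificate is self-signed.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, timeout=5, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, timeout=5)
    try:
        conn.request("GET", uri)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample requests; "/ghostly-post/" is a hypothetical post slug.
SAMPLES = ["/", "/my-post/?utm=x", "/ghost", "/ghost/signin/?r=1", "/ghostly-post/"]

if __name__ == "__main__":
    for scheme in ("http", "https"):
        for uri in SAMPLES:
            want, got = expected(scheme, uri), observed(scheme, uri)
            # Proxied requests return whatever Ghost answers, so they are only listed.
            label = "proxy" if want[0] is None else ("ok" if got == want else "FAIL")
            print(f"{label:5} {scheme}://{HOST}{uri} -> {got}")
```

Set `HOST` to your own server name before running it; lines marked `FAIL` are redirects that differ from what the configuration should produce.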