The Secured Life

Back Story

Most websites come in two flavors: secured or unsecured. So what does that mean? Have you ever been to a site and in the address bar you see something like this:

[Image: Unsecured Example]

And on the other hand you see sites like this:

[Image: Secured]

The second one makes you feel a little better, right? Well, it should. I could go into a whole encryption tutorial, but just know that going to a plain http:// site means any data you submit is unsecured and unencrypted and can be read by anyone, because it's all plain text. But if you've got a site with https:// (assuming they have a valid site certificate), that means all the data you submit or access is encrypted and safe (for the most part ;-]).

Usually e-commerce sites that have shopping carts or take a credit card in any way use the https:// protocol to keep your data safe and give the end user peace of mind.

Set up your Ghost Blog with SSL

When you buy a domain, sometimes they give you an SSL cert or you have to go out and buy one. Generating and setting up takes a little bit of time and there are resources available online showing you how to do it.

In my case everything I needed was a Google search away. I had to make a few modifications here and there to make it fit my needs. For instance, I use nginx as a web server and have Ghost running on NodeJS elsewhere, so I use nginx's proxy_pass directive to do the behind-the-scenes forwarding.

I had the option to either make my site completely SSL or just parts of it. The upside to having all of it set up with SSL is that the whole site is secured. The downside is that it's always going to carry some unnecessary overhead when the content you are accessing doesn't need to be secured (like viewing an image or something).

I like having a complete package and all -- but I also like having options and not be limited to just one thing.

In my case I needed to set up just the admin panel of Ghost to use SSL. If you search around, you'll find that if you set forceAdminSSL to true in Ghost's config, it will always redirect the admin part of Ghost to SSL.

This works fantastically, except one thing was left out of the documentation: if you have nginx set up to proxy_pass to the NodeJS instance of Ghost over port 80, you have to forward the X-Forwarded-Proto header to the proxied application. If you don't, you'll get an infinite redirect loop when visiting the Ghost admin panel, because Ghost only ever sees plain HTTP coming from nginx and keeps redirecting to https.

Add the following line to the proxy setup area of your nginx configuration file:

proxy_set_header X-Forwarded-Proto $scheme;  

Here's where you add it in the nginx configuration file:

        location ^~ /blog/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # tells Ghost whether the client used http or https
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;

            # Ghost listens on plain HTTP on localhost only
            proxy_pass http://127.0.0.1:2368;
            proxy_redirect off;
        }

This forwards the scheme of the original request (http or https). Otherwise, even though we are hitting the https version of the site, Ghost still only sees plain http, because nginx talks to the Ghost instance here:

proxy_pass http://127.0.0.1:2368;  
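To make the redirect loop concrete, here is a small added example (my own model, not Ghost's or nginx's code) of how an application behind a reverse proxy decides whether the original request was HTTPS. The function names (isSecureRequest, handleAdminRequest, simulateVisit, directClientWithSpoofedHeader), the host example.com and the client addresses are all made up for the illustration. It also shows why the header should only be trusted when it comes from the proxy itself: with Ghost bound to 127.0.0.1:2368 as above, a client can't reach it directly, but if the app were exposed on all interfaces, anyone could send X-Forwarded-Proto: https and skip the SSL redirect.

```javascript
// Added example: a minimal model of an app behind nginx with forceAdminSSL-style
// behaviour. Not Ghost's real code; names and sample addresses are constructed.

// Assumption: nginx runs on the same host, so the only legitimate sender of
// X-Forwarded-Proto is the loopback address.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Was the client's original request HTTPS? The Node process itself only ever
// sees plain HTTP on its port, so it must rely on the header nginx sets, and
// must ignore that header when the peer is not the trusted proxy.
function isSecureRequest(req) {
  if (req.encrypted) return true; // TLS terminated by the app itself (not our setup)
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) return false; // header from a stranger: ignore
  return (req.headers['x-forwarded-proto'] || '').toLowerCase() === 'https';
}

// Admin paths must be HTTPS when forceAdminSSL is on; otherwise redirect.
function handleAdminRequest(req, forceAdminSSL) {
  if (forceAdminSSL && !isSecureRequest(req)) {
    return { status: 301, location: 'https://' + req.headers.host + req.url };
  }
  return { status: 200, body: 'admin panel' };
}

// Simulate a browser following redirects through the proxy. `proxySetsHeader`
// models whether nginx has `proxy_set_header X-Forwarded-Proto $scheme;`.
// Returns the number of redirects before a 200, or -1 if it never settles.
function simulateVisit(startScheme, proxySetsHeader, maxHops = 5) {
  let scheme = startScheme;
  for (let hop = 0; hop < maxHops; hop++) {
    const headers = { host: 'example.com', 'x-forwarded-for': '203.0.113.5' }; // constructed
    if (proxySetsHeader) headers['x-forwarded-proto'] = scheme;
    const req = { encrypted: false, remoteAddress: '127.0.0.1', headers, url: '/blog/ghost/' };
    const res = handleAdminRequest(req, true);
    if (res.status === 200) return hop;
    scheme = 'https'; // the browser follows the redirect to the https URL
  }
  return -1; // still redirecting after maxHops: this is the infinite loop
}

// A client that reaches the app directly (app exposed, not via nginx) and
// forges the header. Because the peer is not the trusted proxy, it is still
// redirected rather than allowed through.
function directClientWithSpoofedHeader() {
  const req = {
    encrypted: false,
    remoteAddress: '198.51.100.7', // constructed non-proxy address
    headers: { host: 'example.com', 'x-forwarded-proto': 'https' },
    url: '/blog/ghost/',
  };
  return handleAdminRequest(req, true).status;
}

console.log('with header   :', simulateVisit('http', true));   // 1 redirect, then 200
console.log('without header:', simulateVisit('http', false));  // -1, endless loop
console.log('spoofed direct:', directClientWithSpoofedHeader()); // 301
```

Run it with node: with the header forwarded, the first http visit redirects once and the https visit is served; without it, every visit looks like http to the app and the loop never ends, which is exactly what you see in the browser as "too many redirects".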

After doing all that restart Ghost and nginx and you should be golden.

If you have any questions, drop me a comment and I'll see what I can do :)