UPDATE: As an alternative to a Self Signed Certificate, you can use a free SSL certificate from the Let's Encrypt CA. Here is a link to my next blog post: https://blog.kherwa.com/2017/06/18/how-to-get-free-ssl-certificate-for-your-domain/
This blog runs on the open source software Ghost and is hosted on Amazon's EC2 cloud service.
The admin section of your blog should be secure. It should run over HTTPS, so that your passwords and other important data are encrypted before they are sent over the network.
What is a Self Signed Certificate?
Asymmetric cryptography works with two different keys: a public key and a private key. You share your public key with everyone so that they can encrypt data with it, and when you receive the encrypted data you decrypt it with your private key. This makes communication between you and the other person secure.
The public key mentioned above is distributed in a certificate, which also carries identifying information such as your domain name.
If the certificate is issued by a CA (Certificate Authority), e.g. Verizon, Entrust, Symantec etc., it's a public certificate. If you have generated your own certificate without a CA, it is known as a Self Signed Certificate.
How to generate a Self Signed Certificate
openssl req -x509 \
-nodes -days 365 \
-newkey rsa:2048 \
-keyout YOUR_DOMAIN.key -out YOUR_DOMAIN.crt
openssl is a program for generating SSL certificates. For more info, see OpenSSL.
You can view a tutorial on how to use it: Tutorial Here.
How to use Self Signed Certificate with Ghost
We will be using the nginx HTTP and reverse proxy server on Ubuntu 16.04.2 LTS. For more info visit: nginx.
Install NGINX
sudo apt-get install nginx
It will be installed at /etc/nginx. Then create a directory named ssl:
sudo mkdir /etc/nginx/ssl
Generate SSL certificate
sudo openssl req -x509 \
-nodes -days 365 \
-newkey rsa:2048 \
-keyout /etc/nginx/ssl/YOUR_DOMAIN.key \
-out /etc/nginx/ssl/YOUR_DOMAIN.crt
The command will prompt for your site information. The most important field is Common Name: fill it in with your site's fully qualified domain name.
For further reading visit Tutorial Here.
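As an added example (not part of the original post): the same openssl req command run non-interactively with -subj, followed by checks that the result is self-signed, that the key and certificate belong together, and that the key file is readable by its owner only. The name blog.example.com, the temporary directory and the function names are placeholders chosen for illustration.

```sh
#!/bin/sh
# Added example: names, paths and function names are placeholders.

make_selfsigned() {   # $1 = output directory, $2 = FQDN used as Common Name
    (
        umask 077     # the private key is never created group/world readable
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$2" \
            -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    ) && chmod 644 "$1/$2.crt"   # the certificate is public, the key stays 600
}

cert_cn() {           # $1 = certificate; prints its Common Name
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

is_self_signed() {    # subject equals issuer and the cert verifies against itself
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

key_matches_cert() {  # $1 = certificate, $2 = private key
    # Extract the public key from each file and compare the PEM text.
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

key_mode() {          # prints the permission string, e.g. -rw-------
    ls -l "$1" | cut -c1-10
}

# Demo on a constructed name in a throwaway directory.
tmp=$(mktemp -d)
make_selfsigned "$tmp" blog.example.com
echo "Common Name: $(cert_cn "$tmp/blog.example.com.crt")"
is_self_signed "$tmp/blog.example.com.crt" && echo "self-signed: yes"
key_matches_cert "$tmp/blog.example.com.crt" "$tmp/blog.example.com.key" \
    && echo "key matches certificate"
echo "key permissions: $(key_mode "$tmp/blog.example.com.key")"
rm -rf "$tmp"
```

Running the same checks against the files in /etc/nginx/ssl before restarting nginx catches a mismatched key and certificate pair.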
NGINX Configuration to use SSL with Ghost
server {
    listen 80;
    listen 443 ssl;
    server_name YOUR_DOMAIN.com;
    ssl_certificate /etc/nginx/ssl/YOUR_DOMAIN.crt;
    ssl_certificate_key /etc/nginx/ssl/YOUR_DOMAIN.key;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:2368;
    }
}
Restart NGINX
sudo service nginx restart
If you have not already configured nginx for Ghost, visit this doc: NGINX Config
SSL only for admin section of Ghost
Open Ghost configuration file
cd /var/www/ghost
sudo nano config.js
Insert
forceAdminSSL: true
Make sure the url parameter starts with http:// so that normal content on the blog will be served on port 80, whereas the admin section will be served on the secure port 443.
Amazon EC2
Just open port 443 in the security group if you had not already opened it before.