Problem with SSL and Ghost

January 31, 2016 3.6k views
Ghost Let's Encrypt Nginx Ubuntu

Hello!

I've installed SSL on my one-click install Ghost droplet, but I have one problem with Ghost. Whenever I try to write the url https:// in production, nginx gives a 502 error code. But if I write http://, everything works almost perfectly. Nginx redirects the http url to the https url.

How can I fix this?

Here is my config.js file:

// # Ghost Configuration
// Setup your Ghost install for various [environments](http://support.ghost.org/config/#about-environments).

// Ghost runs in `development` mode by default. Full documentation can be found at http://support.ghost.org/config/

var path = require('path'),
    config;

config = {
    // ### Production
    // When running Ghost in the wild, use the production environment.
    // Configure your URL and mail settings here
    production: {
        url:    'http://talhaokur.net',
        mail: {
            from: 'no-reply@talhaokur.net',
        },
        database: {
            client: 'mysql',
            connection: {
                host: 'localhost',
                user: 'user',
                password: 'password',
                database: 'database',
                charset: 'utf8'
            },
            debug: false
        },

        server: {
            host: '127.0.0.1',
            port: '2368'
        },

    },

    // ### Development **(default)**
    development: {
        // The url to use when providing links to the site, E.g. in RSS and email.
        // Change this to your Ghost blog's published URL.
        url: '',

        // Example mail config
        // Visit http://support.ghost.org/mail for instructions
        // ```
          mail: {
              from: 'no-reply@talhaokur.net',
          },
        // ```

        // #### Database
        // Ghost supports sqlite3 (default), MySQL & PostgreSQL
        database: {
            client: 'mysql',
            connection: {
                host: 'localhost',
                user: 'user',
                password: 'password',
                database: 'database',
                charset: 'utf8'
            },
            debug: false
        },
        // #### Server
        // Can be host & port (default), or socket
        server: {
            // Host to be passed to node's `net.Server#listen()`
            host: '127.0.0.1',
            // Port to be passed to node's `net.Server#listen()`, for iisnode set this to `process.env.PORT`
            port: '2368'
        },
        // #### Paths
        // Specify where your content directory lives
        paths: {
            contentPath: path.join(__dirname, '/content/')
        }

    },

    // **Developers only need to edit below here**

    // ### Testing
    // Used when developing Ghost to run tests and check the health of Ghost
    // Uses a different port number
    testing: {
        url: 'http://127.0.0.1:2369',
        database: {
            client: 'mysql',
            connection: {
                host: 'localhost',
                user: 'user',
                password: 'password',
                database: 'database',
                charset: 'utf8'
            }
        },
        server: {
            host: '127.0.0.1',
            port: '2369'
        },
        logging: false
    },

    // ### Testing MySQL
    // Used by Travis - Automated testing run through GitHub
    'testing-mysql': {
        url: 'http://127.0.0.1:2369',
        database: {
            client: 'mysql',
            connection: {
                host     : '127.0.0.1',
                user     : 'root',
                password : '',
                database : 'ghost_testing',
                charset  : 'utf8'
            }
        },
        server: {
            host: '127.0.0.1',
            port: '2369'
        },
        logging: false
    },

    // ### Testing pg
    // Used by Travis - Automated testing run through GitHub
    'testing-pg': {
        url: 'http://127.0.0.1:2369',
        database: {
            client: 'pg',
            connection: {
                host     : '127.0.0.1',
                user     : 'postgres',
                password : '',
                database : 'ghost_testing',
                charset  : 'utf8'
            }
        },
        server: {
            host: '127.0.0.1',
            port: '2369'
        },
        logging: false
    }
};

module.exports = config;

2 comments
  • Hi! Are you using the DigitalOcean Ghost One-Click app? If not, could you share your Nginx configuration? I just tried setting this up using the Ghost One-Click app and Let's Encrypt, and I haven't been able to reproduce the problem.
  • @asb Yes, I am using the One-Click app. Btw, I made a mistake. I did not use Let's Encrypt, but I couldn't change the labels, sorry about that. I've purchased a PositiveSSL certificate. And here is my ghost file under /etc/nginx/sites-enabled.

    #HTTP Server
    server {  
        listen 80;
        server_name talhaokur.net www.talhaokur.net;
        rewrite ^ https://$server_name$request_uri? permanent;
    
        client_max_body_size 10M;
    
        location / {
                proxy_pass http://localhost:2368/;
                proxy_set_header Host $host;
                proxy_buffering off;
        }
    }
    
    # HTTPS Server
    server {  
        listen 443 ssl;
        server_name talhaokur.net www.talhaokur.net;
    
        client_max_body_size 10M;
    
        location / {
                proxy_pass http://localhost:2368/;
                proxy_set_header Host $host;
                proxy_buffering off;
        }
    
        ssl on;
        ssl_certificate /etc/ssl/ghost/ssl-bundle.crt;
        ssl_certificate_key /etc/ssl/ghost/ghost.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
        ssl_session_timeout 5m;
    }
    
1 Answer

Looking at your Nginx configuration, there are some improvements that you can make. I'd remove the proxy pass in the HTTP block as it should never be executed. You can also just return 301 rather than do a rewrite, as they can be taxing. You're also missing some headers. Here's an example that works for me:

#HTTP Server
server {  
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# HTTPS Server
server {  
    listen 443 ssl default_server;
    server_name example.com;

    client_max_body_size 10M;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    ssl on;
    ssl_certificate /etc/ssl/ghost/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/ghost/ghost.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_timeout 5m;
}

Also remember to restart Nginx after making changes to its configuration. This goes for Ghost as well if you edit config.js.

For more info, see Ghost's SSL docs.
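The answer's structural points (a proxy location behind a server-level redirect never runs, and the proxied block needs forwarding headers) can be checked mechanically. The following is an added example, not code from the thread, Ghost or nginx: `serverBlocks`, `audit`, the required-header list and the condensed sample config are assumptions for illustration, and it additionally reports protocol versions that have since been deprecated (TLS 1.0 and 1.1, RFC 8996).

```javascript
// Headers the answer's HTTPS block sets before proxying to Ghost.
const REQUIRED = ['Host', 'X-Forwarded-For', 'X-Forwarded-Proto'];
const LEGACY_TLS = ['SSLv3', 'TLSv1', 'TLSv1.1']; // deprecated protocol versions

// Return the body of every `server { ... }` block, found by brace matching.
function serverBlocks(conf) {
  const text = conf.replace(/#.*$/gm, ''); // strip comments
  const blocks = [];
  const re = /\bserver\s*\{/g;
  while (re.exec(text) !== null) {
    let depth = 1, i = re.lastIndex;
    for (; i < text.length && depth > 0; i++) {
      if (text[i] === '{') depth++;
      else if (text[i] === '}') depth--;
    }
    blocks.push(text.slice(re.lastIndex, i - 1));
    re.lastIndex = i;
  }
  return blocks;
}

// One finding object per server block.
function audit(conf) {
  return serverBlocks(conf).map((body) => {
    const first = (re) => (body.match(re) || [])[1] || '';
    const listen = first(/\blisten\s+([^;]+);/);
    const set = [...body.matchAll(/\bproxy_set_header\s+(\S+)\s/g)].map((m) => m[1]);
    const proxies = /\bproxy_pass\s/.test(body);
    const redirects = /\breturn\s+30[1278]\b|\brewrite\s+\S+\s+https:/.test(body);
    const protocols = first(/\bssl_protocols\s+([^;]+);/).split(/\s+/).filter(Boolean);
    return {
      listen,
      missingHeaders: proxies ? REQUIRED.filter((h) => !set.includes(h)) : [],
      deadProxy: proxies && redirects, // the redirect answers first; location never runs
      legacyTls: protocols.filter((p) => LEGACY_TLS.includes(p)),
    };
  });
}

// Constructed sample, condensed from the config posted in the comment above.
const POSTED = `
server { listen 80; server_name example.com;
  rewrite ^ https://$server_name$request_uri? permanent;
  location / { proxy_pass http://localhost:2368/; proxy_set_header Host $host; } }
server { listen 443 ssl; server_name example.com;
  location / { proxy_pass http://localhost:2368/; proxy_set_header Host $host; }
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
`;
console.log(JSON.stringify(audit(POSTED), null, 2));
```

Run against a real file by reading it with `fs.readFileSync` and passing the text to `audit`; the regex-based parsing here does not follow `include` directives.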
