Migrating from Ghost 0.x to Ghost 1.x

It's been a while since I updated my blog's (0.x) version of Ghost and Ghost 1.x is a major upgrade with breaking changes and no automated migration path.

I also wanted to host a static site at https://robferguson.org and move my blog from http://robferguson.org to https://robferguson.org/blog.

In this post, I'll walk you through the steps I followed when migrating from Ghost 0.x to Ghost 1.x.

Prerequisites

When self hosting Ghost 1.x, the following stack is recommended:

Ubuntu 16.04
MySQL
Nginx
Systemd
Node.js v6 installed via NodeSource
At least 1GB memory (swap can be used)
A non-root user for running Ghost commands

Choose a hosting provider

I've been using DigitalOcean for several years, they're inexpensive and they make it easy to provision a VPS on which Ghost can be installed. I chose an entry level Droplet for $5 USD per month with Ubuntu 16.04 (x64), 512 MB of memory and 20 GB of storage:

droplet

Setup Ubuntu 16.04

I followed the steps in this post to setup Ubuntu 16.04. I chose an entry level Droplet with 512 MB of memory so I followed the steps in this post to setup a 4G swap file.

Install Nginx, MySQL, Node.js and Ghost

I followed the steps in the Ghost doc's Install & Setup section to install Nginx, MySQL, Node.js and Ghost (using the ghost-cli).

This is what my website's directory structure looks like:

├── /var
    └── /www
        └── /robferguson.org
            └── /html
                ├── index.html (static site landing page)
                ...
        └── /ghost
            └── /blog
                └── /content
                    └── /apps
                    └── /data
                    └── /images
                    └── /logs
                    └── /themes
            └── /current (-> /var/www/ghost/versions/1.6.1)
            └── /system
            └── /versions
            ├── config.production.json
            ├── robots.txt

config.production.json

{
  "url": "http://robferguson/blog",
  "server": {
    "port": 2368,
    "host": "127.0.0.1"
  },
  "database": {
    "client": "mysql",
    "connection": {
      "host": "localhost",
      "user": "ghost",
      "password": "PASSWORD",
      "database": "ghost"
    }
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": [
      "file",
      "stdout"
    ]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/www/ghost/blog/content"
  }
}

Note: You can start/stop Ghost using the following commands:

service ghost_localhost start
service ghost_localhost stop

Nginx

server {
  listen [::]:80;
  listen 80;

  server_name www.robferguson.org robferguson.org;

  # redirect http www and http non-www to https non-www
  # return 301 https://robferguson.org/blog$request_uri;
  rewrite ^ https://robferguson.org/blog$request_uri? permanent;
}

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  gzip off;
  
  server_name www.robferguson.org;

  include snippets/ssl.conf;

  # redirect https www to https non-www
  return 301 https://robferguson.org$request_uri;
}

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  gzip off;

  root /var/www/robferguson.org/html;
  index index.html;

  server_name robferguson.org;

  include snippets/ssl.conf;

  location / {
    try_files $uri.html $uri $uri/ /index.html;
  }

  location ^~ /blog {
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;

    proxy_pass       http://127.0.0.1:2368;
    proxy_redirect   off;
  }

  location ~ ^/(robots.txt) {
    root /var/www/ghost;
  }
}

Note: You can start/stop/reload Nginx using the following commands:

sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl reload nginx

ssl.conf

ssl_certificate     /etc/nginx/ssl/robferguson_org.crt;
ssl_certificate_key /etc/nginx/ssl/robferguson_org.key;
# sudo openssl dhparam 4096 -out /etc/ssl/dhparam.pem 
ssl_dhparam         /etc/ssl/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off;

# Modern configuration
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

I wanted to achieve an A+ on Qualys SSL Labs SSL Report:

qualys-ssl-report

So I followed the recommendations in these posts:

cipherli [dot] st: Strong Ciphers for Apache, nginx and Lighttpd
Mozilla: Mozilla SSL Configuration Generator
Dan Palmer: Achieving Full Marks on Qualys SSL Labs

robots.txt

User-agent: *
Sitemap: https://robferguson.org/blog/sitemap.xml

Migrating to Ghost 1.x

I followed these steps from the Ghost doc's Migrating to 1.0.0 section:

Backup your content using the JSON exporter
Use the Ghost Importer to import existing content

Copy your images to your new site

I backed up the images from my previous Ghost version:

cd /var/www/ghost/content
sudo zip -r images.zip images

And, copied them to my new Droplet using scp:

scp rob@128.199.238.4:/var/www/ghost/content/images.zip /var/www/ghost/blog/content
sudo unzip images.zip

Note: The Ghost user must own the content directory:

sudo chown -R ghost:ghost /var/www/ghost

Upload your theme

I purchased a new theme and uploaded it using Ghost's Settings => Design page:

new-theme-1

If your blog uses Disqus, don't forget to set your disqus_shortname:

var disqus_shortname = 'my-blog';

Note: You should find it in your theme's comments.hbs file (e.g., /var/www/ghost/blog/content/themes/[theme-name]/partials/comments.hbs).

Migrating your Disqus comments

I used the Disqus url-mapper to migrate my blog's comments.

Migrating your Stories image links

I moved my blog from http://robferguson.org to https://robferguson.org/blog so I also needed to update my published Stories image links from /content to /blog/content.

Server Hardening

Ubuntu 16.04

Its always a good idea to check for updates, so let's open a terminal session and run the following commands:

sudo apt update
sudo apt upgrade
sudo apt-get check
sudo apt-get autoclean

Now, run the following commands:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

You'll still be notified about "normal" updates, such as those that contain bugfixes, but security updates will be automagically installed.

MySQL

To harden MySQL run the following command:

sudo mysql_secure_installation

Then follow the prompts.

Server Auditing

Lynis is a security auditing tool for Linux, to install Lynis run the following commands:

cd /usr/local
sudo git clone https://github.com/CISOfy/lynis

To run Lynis:

cd /usr/local/lynis
sudo ./lynis audit system

You should see output like:

lynis

Lynis will perform an in-depth security scan, its primary goal is to test security defenses and provide tips for further system hardening. It will also scan for general system information, vulnerable software packages, and possible configuration issues.

References:

Ghost Docs: A guide to self hosting
Ghost Docs: How to install Ghost on your production server
Ghost Docs: A guide to getting your site updated to Ghost 1.0.0
Levi Bostian: Move Ghost blog to a subdirectory
cipherli [dot] st: Strong Ciphers for Apache, nginx and Lighttpd
Mozilla: Mozilla SSL Configuration Generator
Dan Palmer: Achieving Full Marks on Qualys SSL Labs
GitHub: Lynis the Security auditing tool for Linux, macOS, and UNIX-based systems