Update: To configure strong SSL security on Nginx please refer to this post by Remy van Elst.

When connecting to remote systems we use SSH because it encrypts all traffic during a session, both logins and data transfers. To obtain the same level of protection when administering Ghost, we need to update our Nginx configuration to ensure that all requests to Ghost's admin interface are only available over HTTPS.

Generate a Certificate Signing Request

To obtain a SSL certificate we need to generate a Certificate Signing Request (CSR).

Connect to your server using SSH and enter the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout robferguson_org.key -out robferguson_org.csr

It will prompt you for the following information:

Country Name (2 letter code): AU
State or Province Name (full name): NSW
Locality Name (city): Sydney
Organization Name (company):
Organizational Unit Name (section):
Common Name (Your name): robferguson.org

Email Address:
A challenge password:
An optional company name:

Note: Do not provide values for the last three fields (email address, challenge password and optional company name).

The information you provided will be used to create two files. A private key file (used for decryption) and a file containing your certificate signing request:


Purchase a SSL Certificate

I used NameCheap to purchase a (domain validation) SSL certificate.

From the NameCheap dashboard, click on your domain name, choose "Manage SSL Certificates" and then click on the 'Activate Now' link:


When prompted, choose Apache w/MOD_SSL from the "Select Web Server" drop-down list and then paste the contents of your certificate signing request into the form:


You also need to provide an 'approval' email address as well as administrative contact information.

Shortly after you complete the activation process you will receive an approval email containing a confirmation link. After you have approved the issuance of the certificate (clicked on the link) you will receive a second email containing your new certificate (e.g., robferguson_org.zip).

Update your Nginx configuration

First, we need to create a directory to store our certificate:

sudo mkdir /etc/nginx/ssl

Then we need to copy our certificate and the key we created when generating the certificate signing request into the new directory:

scp -P 22000 /Users/robferguson/Downloads/robferguson_org.zip homer@
sudo unzip robferguson_org.zip
sudo cp robferguson_org.crt /etc/nginx/ssl/robferguson_org.crt
sudo cp robferguson_org.key /etc/nginx/ssl/robferguson_org.key

The next step is to update your Nginx configuration file as follows:

server {
    listen                       80;
    server_name                  robferguson.org;
    access_log                   var/log/nginx/robferguson_org.log;

    location / {
        proxy_pass     ;
        proxy_redirect           off;
        proxy_set_header         Host             $host;
        proxy_set_header         X-Real-IP        $remote_addr;
        proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

    location /ghost {
        return                   301 https://$host$request_uri;

server {
    listen                       443 ssl;
    server_name 		         robferguson.org;
    access_log                   /var/log/nginx/robferguson_org.log;

    ssl_certificate              /etc/nginx/ssl/robferguson_org.crt;
    ssl_certificate_key          /etc/nginx/ssl/robferguson_org.key;
    ssl_session_timeout          5m;
    ssl_protocols                SSLv3 TLSv1;
    ssl_ciphers 			     ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers    on;

    location /ghost {
        proxy_pass     ;
        proxy_redirect           off;
        proxy_set_header         Host             $host;
        proxy_set_header         X-Real-IP        $remote_addr;
        proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

    location / { 
        return                   301 http://$host$request_uri;

Now, restart Nginx:

sudo service nginx restart

And, navigate to your site's admin interface:

robferguson.org signin

Which will only be accessable via HTTPS from now on.

What's Next

In the next post, we'll install some free themes.