502 Bad Gateway with DigitalOcean Droplet 1-Click and Cloudflare

If you’re looking for some help, it’s important to provide as much context as possible so that people are able to assist you. Try to always mention:

• What’s your URL? https://jmk.sh
• What version of Ghost are you using? Ghost-CLI version: 1.13.1 // Ghost version: 3.9.0
• What configuration? DigitalOcean 1-Click Droplet with Cloudflare
• What browser? N/A
• What errors or information do you see in the console? 502 Bad Gateway

This is with a fresh DO Droplet and the 1-Click install of Ghost from the DO Marketplace. ghost doctor reports nothing wrong, and the startup for ghost start looks fine in the output and provides the default URL for the admin interface. When directly navigating to https://DO-Droplet-IP I see the vanilla 502 Bad Gateway nginx page.

I did find this issue on github that began as a support request and evolved into a bug in Ghost-CLI where the default config.production.json points at the incorrect port but after updating hasn’t solved the issue.

On the Cloudflare end, I have SSL/TLS encryption mode set to “Full” which is “Encrypts end-to-end, using a self signed certificate on the server” (applies to me as the Droplet uses a Let’s Encrypt certificate). I verified that jmk.sh-ssl.conf is pointing at the created Lets Encrypt certificate. I have the following settings for my Edge Certificates:

• Always use HTTPS - enabled
• HTTP Strict Transport Security (HSTS) - disabled
• Minimum TLS Version - TLS 1.3
• TLS 1.3 - On (this is a separate setting from above)
• Automatic HTTPS Rewrites - on
• Universal SSL - enabled

I found some other topics related to 502 on image upload but none of the troubleshooting there seemed to help, or I wasn’t quite sure if it applied.

I’d appreciate some guidance! Thanks in advance.

Hi,

I have a similar working set-up to yours. e.g. D.O one-click install - Cloudflare

I do not set minimum TLS to 1.3 but leave it at default 1.0
SSL mode is set to Full (strict)

Everything else the same as your set-up

It may help if you pause Cloudflare on your domain initially until you get Ghost working. CF will just use the DNS when the site is paused.

If you still get 502 Bad Gateway then the problem most definitely lies with Ghost or NGinx set-up

Check that ghost is running

In terminal on your server, login as the ghost-mgr user

sudo -i -u ghost-mgr

Go to your install directory

cd /var/www/ghost

Then list ghost installations and status

ghost ls

Also, you can run

ghost doctor

If all is green and running, then it seems the fault will lie with your NGinx configuration.

Come back and we will dig a little deeper if that is the case

I had all this last week when I updated to 3.9

I tried the following and nothing worked

• ghost doctor
• ghost buster
• restart nginx
• restart ghost
• cloudflare dev mode

Eventually I decided to flip the switch and migrate to gatsby earlier than I had planned.

But in the process, something I did which I think fixed it was I changed the configured site url:

ghost config url https://my-domain.com

I actually changed it to something else, then change it back. But for you, i suggest just try setting it to your current domain.

Thanks for your prompt and detailed response!

I changed mode to Full (Strict), TLS to 1.0 and toggled the separate TLS 1.3 setting to off, still resulting in 502. Put domain into “Development Mode” and no changes. Browsing to the Droplet’s direct IP displays a 502 as well so it’s no surprise Development Mode didn’t change anything.

Verified that ghost has been running the whole time with ghost ls, listing in the default /var/www/ghost location and running on port 2368. ghost doctor has never thrown an issue for me and still isn’t after updating the above settings, sadly. I verified that /etc/nginx/sites-enabled/jmk.sh.conf is listening on the correct port:

server {
    listen 80;
    listen [::]:80;

    server_name jmk.sh;
    root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;

    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

Thanks for sharing! Unfortunately it didn’t work for me, but I appreciate you adding your troubleshooting.

Performed the following: ghost config url https://jmk.sh followed by ghost stop and ghost start then verifying the instance with ghost ls. 502 error persisted, ran ghost doctor and see no errors.

OK, but the nginx file you have detailed, is for the non-ssl port 80

In your /var/www/ghost/system/files folder do you have the following:

jmk.sh-ssl.conf
jmk.sh.conf

So when I followed the instructions on the previously-mentioned GitHub issue related to the port Ghost listens on, I updated jmk.sh.conf to 2368 but not jmk.sh-ssl.conf. I pasted my non-SSL configuration above as that’s what I had open when writing the reply, but realized I may not have updated the port in both config files.

Lo and behold, there was the issue: jmk.sh-ssl.conf hadn’t been updated to listen on the correct port. Changed it, and now everything is right as rain.

The issue needs to be fixed on the 1-Click Droplet I believe, which is why the issue isn’t manifesting at large.

Thanks again for your help, it’s truly appreciated.