ActivityPub: SITE_MISSING error - Need manual registration cleanup for hughevans.dev

Developer help Self-hosting
1

Hi Ghost team,

I’m getting the SITE_MISSING error when trying to use the hosted ActivityPub service and believe I need manual cleanup of cached entries on ap.ghost.org, similar to this resolved case.

Setup:

  • Ghost version: 6.4.0

  • Site URL: https://hughevans.dev

  • Site UUID: 761564b7-38b2-48c7-a386-67749f9abdb9

  • Using Ghost’s hosted ActivityPub service (not self-hosted)

  • Docker Compose deployment with MySQL backend

  • Nginx proxy correctly configured to forward /.ghost/activitypub/* to https://ap.ghost.org

Current behavior:

  • Ghost logs show: ERROR No webhook secret found - cannot initialise

  • https://hughevans.dev/.ghost/activitypub/v1/account/me returns: {"error":"Forbidden","code":"SITE_MISSING"}

  • Nginx is properly proxying to ap.ghost.org (confirmed by receiving JSON responses instead of 404s)

What I’ve tried:

  • Configured Nginx to proxy ActivityPub requests with correct Host headers (proxy_set_header Host ``ap.ghost.org``;)

  • Added environment variables: activitypub__enabled: "true" and activitypub__url: https://ap.ghost.org

  • Restarted Ghost multiple times

  • Verified Cloudflare is properly configured with bypass rules for ActivityPub paths

  • Waited for rate limits to clear

I did extensive testing/tinkering while trying to get ActivityPub working, which likely created stale cached entries on ap.ghost.org.

Could a Ghost staff member (like @Sag who helped in the linked thread) please clear the cached entry for my site from ap.ghost.org’s database?

Thanks!

2

Hey @Hugh_Evans,

Apologies for the late reply, I have totally missed this thread!

We have recently shipped a change that clears outdated cache entries from ap.ghost.org. Would you be able to restart your Ghost instance once more, and see if the change helps to resolve the problem?

Sag

1 Like
3

Hi @Sag ,
Thanks for the reply. I’ve restarted my Ghost instance as requested (full container recreation via docker-compose stop/rm/up), but I’m still getting the same errors:

  • Ghost logs: ERROR No webhook secret found - cannot initialise

  • API endpoint: https://hughevans.dev/.ghost/activitypub/v1/account/me still returns {"error":"Forbidden","code":"SITE_MISSING"}

My nginx proxy is correctly forwarding ActivityPub requests to ap.ghost.org with the proper Host headers. Is there an additional step needed, or does the cache clearing need more time to propagate? Happy to wait and try again later if needed.

Site details:

4

Hey @Hugh_Evans,

There is indeed something off, but I can’t pin point what exactly.

In the production logs, I see HTTP 401/403 log entries from your site, and what surprises me is that the request URL is shown as `ap.ghost.org` (instead of your site URL) and that your site is marked as referer. Here’s an example log entry:

{ 
    "requestMethod": "GET",
    "requestUrl": "https://ap.ghost.org/.ghost/activitypub/v1/feed/reader",
    "requestSize": "778",
    "status": 403,
    "responseSize": "360",
    "referer": "https://hughevans.dev/",
    "protocol": "HTTP/1.1"
}

Would you mind sharing your nginx configuration here, or via support@ghost.org? I’m also curious if it matches what we officially recommend here, and if yes, whether these docs need a fix.

2 Likes
5

Thanks again for the reply @Sag I wonder if my setup is complicating things as Ghost is running on a separate machine and proxied to from nginx running on the first. My nginx config for hughevans.dev is as below

hugh@homelab:~ $ cat homelab/docker/nginx/conf/sites-available/hughevans.dev 

server {

    listen 80;

    listen [::]:80;

    server_name hughevans.dev www.hughevans.dev;

    return 302 https://$server_name$request_uri;

}



server {

    # SSL Configuration

    listen 443 ssl;

    listen [::]:443 ssl;

    http2 on;

    ssl_certificate         /etc/ssl/cert.pem;

    ssl_certificate_key     /etc/ssl/key.pem;

    server_name hughevans.dev www.hughevans.dev;



    # ActivityPub - proxy to Ghost's hosted service

    location ~ ^/.ghost/activitypub/ {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header Host ap.ghost.org;

        proxy_ssl_server_name on;

        proxy_pass https://ap.ghost.org;

    }



    location ~ ^/.well-known/(webfinger|nodeinfo) {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header Host ap.ghost.org;

        proxy_ssl_server_name on;

        proxy_pass https://ap.ghost.org;

    }





    # Static projects directory

    location /projects {

        root /var/www/hughevans.dev/html;

        try_files $uri $uri/ =404;

    }

...



    # Ghost - Everything else

    location / {

        proxy_pass http://192.168.0.17:2368;

        proxy_set_header Host $host;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Forwarded-Host $host;

        proxy_set_header Upgrade $http_upgrade;

        proxy_set_header Connection "upgrade";

        

        proxy_buffering off;

        proxy_redirect off;

        proxy_read_timeout 300;

        proxy_connect_timeout 300;

        client_max_body_size 50m;

    }

}
6

Ahha.

From Ghost CLI’s repo:

location ~ /.ghost/activitypub/* {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host; 
    add_header X-Content-Type-Options $header_content_type_options;
    proxy_ssl_server_name on;
    proxy_pass https://ap.ghost.org;
}

This line is erroneous:
proxy_set_header Host ap.ghost.org; :cross_mark:

And then you’ve got a similar error for .well-known.

That’s consistent with what Sag is saying about what he sees on Ghost’s end, too… :slight_smile: See if that fixes you?

1 Like
7

Hey @Cathy_Sarisky ,

Thanks for catching that! I’ve been stumped for weeks! I’ve made the nginx configuration change - replaced proxy_set_header Host ap.ghost.org; with proxy_set_header Host $http_host; in both the /.ghost/activitypub/ and /.well-known/ location blocks, and restarted both nginx and Ghost.

The webfinger endpoint is now working! https://hughevans.dev/.well-known/webfinger?resource=acct:hugh@hughevans.dev returns HTTP 200.

However, the ActivityPub feed endpoint https://hughevans.dev/.ghost/activitypub/v1/feed/reader is still returning 403. @Sag Is this expected, or might there still be cached registration data on your end that needs clearing?

Thank you again both for all your help, I really appreciate it!