I am looking into self-hosting Ghost on a VPS (Digital Ocean), with Cloudflare in front.
Is it possible to use CF Tunnel, and have the additional challenge in front of the sign in? (PIN or other auth).
I know I could put a challenge in front of /ghost, but that seems like overkill, and I don't want to affect email / signups. In other words, I don't want a challenge in front of search or other inputs that don't need a login.
That would be excellent. I suppose the deeper question would be:
Is there one effective REST path that one would block? In other words, if you don't have 2FA, and you want to have CF Tunnel put up a challenge, is there something more fine-grained than “/ghost”? I do know about putting admin on a different port, but… eh, doesn’t get at the core issue (the bare login/pw form, even w/brute force throttling, is not really the answer… I basically want to block that in the first place).
This would seem to be something that should be well documented by now.
You do /not/ want to block all of /ghost. That’ll break your search, your portal, etc etc, because they use the content API. At the very least, you need /ghost/api/content unblocked. Probably some other bits too.
I find it telling (of the ghost staff) that there does not seem to be a good answer to this. Thanks for attempting, Vika - I know you are not an employee there, and are trying your best. Also, thanks Cathy! I checked your site, and will be giving magicpages a trial.
Let me restate the goal as a User Story (or Blogger Story):
“As a Ghost admin, I don't want logs full of bot and DDoS attempts, and I am concerned about security. Because there isn’t any 2FA, I want to shield the login page with a Cloudflare challenge page (PIN or other 2FA). Doing this runs the risk of breaking search, subscriptions, and possibly other functionality (it is not clear which paths to leave open, and what to shield). How would I shield sign in and anything that requires a login, and preserve the functionality of everything else?”
It’s interesting that Ghost has existed this long, and still does not have 2FA. I don't feel like I want to put this on my own VPS, but I will try magicpages.
Note: I don’t fully agree with your security posture since (IMO) you’re mixing attack vectors, but I’m not going to focus on that.
I want to shield the login page with a Cloudflare challenge page (PIN or other 2FA).
/ghost/ is the login UI, and being shielded by CF will mitigate a good portion of non-bot attempts.
/ghost/api/admin/session is the login endpoint for session auth (the one used by the UI). You can also shield it with CF with the following caveats:
If you have any integrations that use session auth, they will need to be updated accordingly
If a staff user can load the login UI, but the session endpoint is still shielded by CF, the login flow will be broken. I don’t know how likely this is, assuming both endpoints are shielded.
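As an added example (mine, not posted by anyone in this thread), here is the split the last two replies describe, written as a Cloudflare WAF custom rule expression to be paired with the Managed Challenge action: challenge the admin login UI and the session-auth login endpoint together, and explicitly exempt the Content API that search, Portal and signups use. The hostname is a placeholder, and the assumption that these two paths are the only ones that need shielding is mine.

```text
(
  http.host eq "blog.example.com"
  and (
    http.request.uri.path eq "/ghost/"
    or starts_with(http.request.uri.path, "/ghost/api/admin/session")
  )
  and not starts_with(http.request.uri.path, "/ghost/api/content/")
)
```

Any integration that logs in through session auth, as the caveat above notes, will also match this rule and would need to be adjusted or exempted by its own condition.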