Ghost Backup CLI Command Line 403 Forbidden

I want to make a backup before updating it, using the CLI command ghost backup in the Ghost directory /var/www/ghostblog. However, I seem to have hit a wall. I get an error that I don’t understand. Looking into the log file, I thought that maybe /ghost/api/admin/authentication/setup/ is blocked, so I made sure to unlock access to it in both the nginx server and Cloudflare. More specifically, I made sure /ghost, /members, /webmentions, /email and /r/ are all reachable (because I usually lock access to them as an extra security measure).

Below you can see the error messages I got after running the ghost backup command.
Your input would be much appreciated.

✖ Backing up site
An error occurred.
Message: ‘Response code 403 (Forbidden)’

Debug Information:
OS: Ubuntu, v22.04.4 LTS
Node Version: v18.20.2
Ghost Version: 5.82.2
Ghost-CLI Version: 1.26.0
Environment: production
Command: ‘ghost backup’

An error occurred.
Message: ‘Response code 403 (Forbidden)’

Stack: HTTPError: Response code 403 (Forbidden)
at EventEmitter. (/usr/lib/node_modules/ghost-cli/node_modules/got/source/as-promise.js:74:19)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Path: /ghost/api/admin/authentication/setup/

It’s unclear exactly what you’re doing here, but to run ghost backup, access to the server via command line, i.e., SSH, is needed. You should not attempt this via HTTP or the proxy server, and certainly should not expose Ghost folders.

Yep, the backup command was run from SSH. I ran the backup command with the user that has sudo privileges. The command I entered was ghost backup.
The 403 Forbidden was output after being prompted by the Ghost CLI to enter the sudo password. My password was fine.

I don’t understand what you mean here:

Anyway, please run ghost doctor and post the output.

ghost doctor says everything is OK. The only thing that might not be proper is that it’s saying "ℹ Validating config [skipped]".
Regarding the URLs mentioned, those are the URLs I saw in the robots.txt file, and I decided to just deny access to them using Cloudflare and nginx, so robots can’t browse them.

This is the ghost doctor output:

✔ Checking system Node.js version - found v18.20.2
✔ Checking logged in user
✔ Ensuring user is not logged in as ghost user
✔ Checking if logged in user is directory owner
✔ Checking current folder permissions
✔ Checking system compatibility
✔ Checking for a MySQL installation
• sudo systemctl is-active ghost_site.com
? Sudo Password [hidden]
Instance is currently running
ℹ Validating config [skipped]
✔ Checking folder permissions
✔ Checking file permissions
✔ Checking content folder ownership
✔ Checking memory availability
✔ Checking binary dependencies
✔ Checking free space
✔ Checking systemd unit file
✔ Checking systemd node version - found v18.20.2

I just saw that in the Cloudflare logs there’s a request to /ghost/api/admin/authentication/setup/ when I run the backup command. This request is blocked by Cloudflare… which seems odd to me.

That’s the URL that is in the debug log I showed you in my main post.
The user agent trying to access that URL is got/9.6.0 github.com/sindresorhus/got

Do you know of it? I don’t understand it.
So from what I gather, there’s an HTTP request to that URL, /ghost/api/.. , by the script got 9.6.0 when I try to do the backup. Is this supposed to happen?

As a side note, my inbound rules on the server are set to deny for all ports. My computer’s IP and Cloudflare’s proxy IPs are the only ones allowed to access the server.

The config is skipped because Ghost is running. You should not be concerned with Nginx etc. since this isn’t relevant. Ghost uses Node, and this server is refusing to run the backup because the user executing the command isn’t authorized to do so. Most likely you have a permissions issue.

Have you tried `sudo ghost backup`, and do you enter the correct credentials when prompted by `ghost-cli`?

The content and member export tasks run within the backup command work by using the Admin API, so the machine you’re running the command on will need full access to the API via the configured site URL. It sounds like you have something that is blocking that and returning the 403.

2 Likes

Thank you for the help. @Kevin was on point with the concern I had. @mjw’s help is much appreciated as well. Problem solved.

For others stumbling into a similar situation, here’s my note: I allowed access to such requests by using Cloudflare’s WAF > Tools, then added my server’s IP address to the allow list.

1 Like
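
The reachability requirement described in the thread can be checked from the server before running the backup. The script below is an added example, not part of the thread or of Ghost-CLI: it requests the path from the error output through the public site URL and reports the status and `Server` header. The function names, the `https://blog.example` placeholder and the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not Ghost-CLI code). Run it on the Ghost server itself so the
# request leaves from the same IP address that `ghost backup` uses.
# Usage: sh check_admin_api.sh https://blog.example   (placeholder site URL)

# Path copied from the "Path:" line of the error output in the thread.
SETUP_PATH="/ghost/api/admin/authentication/setup/"

# Join site URL and setup path without doubling the slash.
probe_url() {
  printf '%s%s\n' "${1%/}" "$SETUP_PATH"
}

# Read response headers on stdin; print "<status> <server header or unknown>".
summarize_head() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 }
    tolower($1) == "server:" { server = tolower($2) }
    END { print status, (server == "" ? "unknown" : server) }'
}

# Map the status and the server that sent the response to a short finding.
verdict() {
  case "$1" in
    2??) echo "ok: Admin API reachable from this host" ;;
    403) echo "blocked: 403 via $2, review allow/deny rules for this host's IP" ;;
    *)   echo "unexpected: HTTP $1 via $2" ;;
  esac
}

# Constructed sample of a blocked response, used when no URL is given.
sample_blocked_head() {
  printf 'HTTP/2 403 \r\nserver: cloudflare\r\ncontent-type: text/html\r\n\r\n'
}

if [ -n "${1:-}" ]; then
  summary=$(curl -sS -o /dev/null -D - --max-time 10 "$(probe_url "$1")" | summarize_head)
else
  summary=$(sample_blocked_head | summarize_head)
fi
# Word splitting is intended: summary is "<status> <server>".
verdict $summary
```

A `blocked` result names the server that sent the 403 to this host; behind a proxy, the deny rule may sit at the proxy or at the origin behind it, so check the rules at both.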