Heads up: Cloudflare proxying in front of Ghost Pro will break it... eventually

All,

A heads up that I’ve seen problems with several sites (including one of mine, one a client’s that I didn’t set up, and one a client’s that I did set up) in the last two weeks. All were Ghost Pro sites with custom domains, and both had Cloudflare set to “Proxy” (not “DNS only”).

It has been possible to activate a custom domain on Ghost Pro and then flip Cloudflare over to proxy. This worked when I first tried it in ~April '23, and can still be done today. (It is not possible to activate a custom domain on Ghost Pro while Cloudflare is set to proxy.)

HOWEVER, I recently found my own demo site with an invalid (expired) certificate, as did one client. (It also looked like Ghost Pro no longer thought the custom domain was valid.) Another client has new problems with the root domain not redirecting to www, which appears to be coming from Ghost Pro, although it looks like his certificate did renew recently. That site uses a Worker to do some rewriting, and it’s possible the problem is not quite the same.

On my site, the temporary solution was to turn off proxying at Cloudflare, remove and re-add the custom domain, and then turn proxying back on. I’m expecting that’ll fix the problem for 90 days, when the certificate needs to renew again.

So, the TL;DR:

  • If you’re proxying with Cloudflare and using Ghost Pro, watch your certs for expiration. I am pretty sure this is new behavior, so don’t assume that just because it’s been fine for the last year, it’s still fine.
  • If anyone knows what rewriting/pass-through at Cloudflare would allow this to work, that’d be awesome. Please share!

And yes, I know that Ghost Pro uses Fastly and that sticking a second reverse proxy in front of it sounds sort of silly, but there are good uses for user-controlled Cloudflare out in front, such as page rewriting (for custom scripts loading, added meta-data, missing localizations, IP-based access, etc etc).

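A small monitor for the "watch your certs for expiration" advice in the post above, added here as an example and not part of the original post or of Ghost/Cloudflare tooling. It does a verified TLS handshake against both the apex and the www host (the redirect problem above shows they can diverge), reports the verification failure a browser would see (an expired chain), and warns ahead of expiry. `example.com` in the test and the 14-day threshold are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # placeholder threshold: report certs with fewer days left

def fetch_cert(hostname, port=443, timeout=5.0):
    """Verified handshake: returns (cert_dict, None), or (None, reason) when
    verification fails, e.g. 'certificate has expired'. An unverified socket
    returns an empty dict from getpeercert(), so the failure text is the signal."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message

def days_until_expiry(not_after, now=None):
    """not_after as getpeercert() formats it, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def san_covers(cert, hostname):
    """True if a DNS SAN matches exactly or via a one-label wildcard."""
    host = hostname.lower()
    parent = host.partition(".")[2]
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind == "DNS" and (name == host or
                (name.startswith("*.") and name[2:] == parent and host.count(".") >= 2)):
            return True
    return False

def assess(hostname, cert, error, now=None):
    """One probe result -> list of findings (empty means healthy)."""
    if error:
        return [f"TLS verification failed: {error}"]
    findings = []
    days = days_until_expiry(cert["notAfter"], now)
    if days < WARN_DAYS:
        findings.append(f"certificate expires in {days} days")
    if not san_covers(cert, hostname):
        findings.append("certificate does not cover this hostname")
    return findings

def check_site(apex, now=None, fetch=fetch_cert):
    """Probe apex and www separately: a broken apex->www redirect can leave
    one of them served with a certificate that does not cover it."""
    return {h: assess(h, *fetch(h), now) for h in (apex, "www." + apex)}
```

While proxying is on, a probe from outside sees Cloudflare's edge certificate rather than the one Ghost Pro holds for the origin, so an origin-side failure may surface as a Cloudflare error page instead of a handshake error.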

Cloudflare docs on how to validate domains so SSL certs can auto renew are here:
