I messed up my installation & need help

In an Ubuntu 24.04 LTS LXC container running on my ProxMox server I successfully installed Ghost and it was running fine locally under http://192.168.0.101:2368.

Eventually, I want my blog to be reachable from the internet via https, of course.

  • I created a subdomain for one of my domains: blog.wops.de
  • I edited the CNAME DNS record to point that subdomain to my fixed dynamic DNS name, let’s call it abcde.myfritz.net – and I didn’t forget the trailing dot in this CNAME configuration.
  • In my Fritz!Box router I opened port 443 and routed it to the Ghost container’s local IP 192.168.0.101
  • nginx is running in that container, too, and is configured for https and to pass-through the requests to 127.0.0.1:2368
  • I created a Letsencrypt certificate for blog.wops.de which is referenced in nginx’s config, too.
  • I configured Ghost’s address to be https://blog.wops.de
  • When I now navigate in a browser to this URL I get this (German) message from my router.

    This translates roughly to:

The DNS rebind protection of your FRITZ!Box has rejected your request for security reasons.
The host header of your request does not match the name of the FRITZ!Box.
If you access the FRITZ!Box, please add this as an exception in the user interface of your FRITZ!Box under “Home Network > Network > Network Settings” in the “DNS Rebind Protection” section.

  • If I do this and navigate to my blog URL again I’m presented with my router’s login page!?!?!
  • In my router’s configuration I already switched OFF that my router’s interface should be available from the internet via https.

Here’s my nginx conf file for the blog:

# HTTP-to-HTTPS redirect
server {
    listen 80;
    server_name blog.wops.de;

    # Redirects all HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl http2;
    server_name blog.wops.de;

    # SSL certificates from Let's Encrypt
    ssl_certificate /etc/letsencrypt/live/blog.wops.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.wops.de/privkey.pem;

    # Additional SSL security options
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Proxy settings for Ghost
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368; # Ghost runs on port 2368 by default

        client_max_body_size 50m; # Allows larger uploads
    }
}

Here’s the ghost doctor output:

stefan@ghost:/var/www/ghost$ ghost doctor

Love open source? We’re hiring JavaScript Engineers to work on Ghost full-time.
https://careers.ghost.org


✔ Checking system Node.js version - found v18.19.1
✔ Checking logged in user
✔ Ensuring user is not logged in as ghost user
✔ Checking if logged in user is directory owner
✔ Checking current folder permissions
System checks failed with message: 'Linux version is not Ubuntu 16, 18, 20, or 22'
Some features of Ghost-CLI may not work without additional configuration.
For local installs we recommend using `ghost install local` instead.
? Continue anyway? Yes
System stack check skipped
ℹ Checking system compatibility [skipped]
✔ Checking for a MySQL installation
+ sudo systemctl is-active ghost_192-168-0-101
? Sudo Password [hidden]
Instance is currently running
ℹ Validating config [skipped]
✔ Checking folder permissions
✔ Checking file permissions
✔ Checking content folder ownership
✔ Checking memory availability
✔ Checking binary dependencies
✔ Checking free space
✔ Checking systemd unit file
✔ Checking systemd node version - found v18.19.1
stefan@ghost:/var/www/ghost$ 

Here’s the ghost ls output:

stefan@ghost:/var/www/ghost$ ghost ls

Love open source? We’re hiring JavaScript Engineers to work on Ghost full-time.
https://careers.ghost.org


+ sudo systemctl is-active ghost_192-168-0-101
┌───────────────┬────────────────┬─────────┬──────────────────────┬──────────────────────┬──────┬─────────────────┐
│ Name          │ Location       │ Version │ Status               │ URL                  │ Port │ Process Manager │
├───────────────┼────────────────┼─────────┼──────────────────────┼──────────────────────┼──────┼─────────────────┤
│ 192-168-0-101 │ /var/www/ghost │ 5.105.0 │ running (production) │ https://blog.wops.de │ 2368 │ systemd         │
└───────────────┴────────────────┴─────────┴──────────────────────┴──────────────────────┴──────┴─────────────────┘
stefan@ghost:/var/www/ghost$

Here’s the config.production.json file (DB password redacted):

stefan@ghost:/var/www/ghost$ cat config.production.json 
{
  "url": "https://blog.wops.de",
  "server": {
    "port": 2368,
    "host": "127.0.0.1"
  },
  "database": {
    "client": "mysql",
    "connection": {
      "host": "127.0.0.1",
      "user": "ghost_user",
      "password": "<redacted>",
      "database": "ghost_db"
    }
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": [
      "file",
      "stdout"
    ]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/www/ghost/content"
  }
}

And here’s a screenshot of my router’s configuration for port 443 (IPv4 only):

The problem is also that I now can’t log into my Ghost blog anymore to make changes, write posts etc. because it’s no longer available under its initial, local, http-only address http://192.168.0.101:2368 – because its address is configured to be https://blog.wops.de, which doesn’t work.

Of course, I want to write further blog posts locally and don’t want to be dependent on a working internet connection for my locally hosted Ghost blog!

How can I configure Ghost so that it is fully accessible locally, too?

Any help much appreciated! :pray:
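The two outcomes described in this post (the rebind warning page, then the router's login page once the exception is added) are what a Host-header allowlist produces when the request is answered by the router's own web interface. The Python below is an added illustration of such a check, not code from this thread or from AVM; the router name and addresses (fritz.box, 192.168.0.1, fd00::1) are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
OWN_NAMES = {"fritz.box"}
OWN_IPS = {ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("fd00::1")}


def normalize_host(host_header):
    """Lower-case a Host header value, drop the port and a trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:   # IPv6 literal, e.g. [fd00::1]:443
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                 # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def is_own_address(host):
    """True if the Host value is an IP literal that belongs to the router."""
    try:
        return ipaddress.ip_address(host) in OWN_IPS
    except ValueError:
        return False


def router_ui_decision(host_header, exceptions=frozenset()):
    """Model of the web UI's check: which Host values may reach the UI at all."""
    host = normalize_host(host_header)
    if host in OWN_NAMES or is_own_address(host) or host in exceptions:
        return "serve-router-ui"      # includes the login page
    return "reject-rebind"            # the warning page quoted above


if __name__ == "__main__":
    for header, exc in [("blog.wops.de", frozenset()),
                        ("blog.wops.de", frozenset({"blog.wops.de"})),
                        ("FRITZ.BOX:443", frozenset())]:
        print(header, sorted(exc), "->", router_ui_decision(header, exc))
```

In this model, adding the blog's name as an exception only changes the result of the check; the request is still answered by the router's interface, which matches the login page seen above instead of Ghost.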

I have a FritzBox running here as well. The MyFritz service usually uses port 443.

As a first step, I’d suggest checking what port is assigned to that. You can do that at Internet → Freigaben → FRITZ!Box-Dienste.

Edit: just opened the URL you posted and it’s working well on my end. If you’ve solved it, maybe you can add your solution here, so others can find it in the future :blush:

2 Likes

Thanks, @jannis, for answering.
Indeed, others from outside my WiFi network can see the blog.
Or if I visit it on my iPhone via 5G it works, too.
However, if I navigate to https://blog.wops.de here from my LAN (regardless of WiFi or LAN cable connection) I get this rebind warning page from the Fritz!Box.

I tried adding my myfritz.net to the rebind protection list but to no avail.

Worst part currently is that I can only access my locally self-hosted Ghost blog via a mobile internet connection. :roll_eyes:
(Next problem: I can’t log in anymore but that’s another topic.)

So, no, not resolved for me, yet. It must be possible to access my locally self-hosted blog locally from inside my LAN. And as I wrote I can’t access http://192.168.0.101:2368 anymore because apparently Ghost can only be configured with one single URL?!?!? :triumph:

It won’t help your phone, but it might help your computers. You might create an ‘/etc/hosts’ file (details vary by platform, but works on Linux and Windows and I’d be shocked if not on Mac). This file tells your computer to override some DNS entries. So… you tell the computer on your LAN that your.realdomain . com can be found at 192.168.0.101. That causes that computer to ask 192.168.0.101 for content, while telling it that the request is for your.realdomain . com

I don’t have a FritzBox, so it’s very possible there’s a better/right way to do it, but I suspect the workaround above will help get you writing again!

1 Like

That is a good attempt, I didn’t know that exists in the FritzBox. But rather than adding the myfritz.net domain, I’d add blog.wops.de there. Have you tried that?

Hi @metawops, you cannot access it from your local network because the Nginx was re-configured to work with a domain using secured connection. It opened the 443 port.

I personally deleted the Nginx and simply opened the port 80 using Socat. Here you can find how I did this, please see the Socat as an Alternative to Nginx. But in my case I use Cloudflare protection and their SSL certs.

But in fact when I try to open my blog from my network directly via http://[my ip]:80 - I see nothing… And for the admin page http://[my ip]:80/ghost it immediately redirects me to my domain https://lavr.site/

So, we need real Ghost CMS experts here. I personally think that the config.production.json also should be updated in some way.

No advice, just my thoughts

Thanks, @vlavrynovych, much appreciated! :pray:

I think I’ll have to fix a more basic problem first before I can follow up on this one.

@metawops

I understand. Usually when I see such weird problems I start from the very beginning. BTW my setup is very similar because I also use Proxmox VE.

You can find all my steps described in this article:

Maybe you can find something useful in the series of articles about Ghost CMS where I described my setup and experience from the first step till now: The Ghost Blog: Complete Guide

I wish you success and a speedy resolution of your problems.

1 Like