I do not want to expose Ghost directly to the Internet.
Regarding the reason why I’m connecting to Ghost over 80, it is because that is the default setup for Ghost. It installs a localhost website over a random nnnn port, then uses localhost nginx to distribute. So it was intuitive to connect to Ghost over 80.
I could try configuring the Reverse-Proxy to connect directly to the website on Ghost over nnnn. I guess the potential issue is that if nnnn changes to nnnn2, then I need to also update Reverse-Proxy. But I will try this later to see if it resolves the “absolute URI” issue. Stay tuned.
Yeah, but the default setup doesn’t expose anything? It puts nginx as reverse proxy in front of Ghost, which proxies port 443/80 to Ghost’s port.
Quite honestly, I think you’re making your life harder than it has to be by having this 3-step connection.
I’d either ditch the (still unnamed) reverse proxy you have exposed to the internet and use nginx at the forefront, or ditch nginx and connect from your reverse proxy directly to Ghost.
From what I read, there is no technical necessity for having both proxies.
If you have other services on the server, use your existing reverse proxy and ditch nginx. If Ghost’s port changes, you’d need to change nginx as well, so no downside here.
If you don’t have any other services on the server, ditch your other reverse proxy.
Yes, you are right that nnn is not exposed. So I cannot connect directly to the Ghost websites directly. I just tried.
As shared earlier, I do not want to expose Ghost to the Internet directly. That is why I have a Reverse-Proxy sitting in front. I am unsure if this configuration is that uncommon. So I am unsure if I should adopt your suggestion to abandon the Reverse-Proxy.
In any case, thanks for the discussion. I will continue to explore other permutations to see if the “absolute URIs” for images can be resolved.
As everyone recommended, B2B reverse proxies don’t really make sense. If your public-facing proxy is handling SSL termination, you might need to explicitly set the X-Forwarded-Proto to https on the redundant proxy.
I beg to differ. Setting up a separate “external from Ghost” proxy is not as uncommon as you may think. I want to put this here so other readers can draw their own conclusions.
Actually, having B2B reverse proxies makes a lot of sense for Ghost. This is because ghost-cli sets up its own nginx to front the ghost websites by default. Not only does the first proxy make it easier to support next-level path routings, it also effectively “hides” the actual Ghost machine (and architecture) from the Internet.
Also do not forget the rising occurrences of Docker-based Ghost, which can be quite transient in nature, thereby needing the first more-permanently-available proxy.
Anyway, this has been a good discussion. Thanks, all.
I still have to disagree. I do not think that this has been a good discussion.
There are three people experienced in Ghost telling you that your setup is quite exotic and we have all asked for reasons for it. You have not provided one, other than the one that Ghost shouldn’t be exposed. Which it isn’t.
The Ghost CLI can be used to install Ghost without nginx, by simply using ghost install --no-setup-nginx.
Installing Ghost with nginx does not tell anyone that you have Ghost installed. Based on headers they can assume you have nginx installed. Which is one of the most common web servers out there. If you properly set up Ghost through two proxies I will have the same amount of information about the fact that you’re running Ghost as I would if you were running just one proxy or nginx.
Anyway, I am out at this point. I stand by what I said: I see no technical reason whatsoever to do what you’re doing – and the reason you’re giving (not exposing Ghost) just doesn’t hold up.
Edit: actually, I have one suspicion: with “reverse proxy”, do you mean something like Cloudflare Tunnels? That would make the whole argument a bit more understandable, but in that case, I’d also just lock down the server and connect a Cloudflare Tunnel directly to the Ghost port.
)