Potential improvements to ghost-cli & self-hosted Ubuntu install docs

#1

I am moving my Ghost blogs from AWS to DO these days and I’m doing it by installing from scratch and then moving the content over.

Following the official docs I’ve kept running into various issues that I think would help other users if they were mentioned in the docs (I hope it isn’t just me running into them).

I’ve mentioned some of them in another thread as well:

Actual docs here:

  1. The mysql auth issue from here (Ghost install fails with MariaDB "ER_NOT_SUPPORTED_AUTH_MODE") could be added to the FAQ / Troubleshooting docs here: https://docs.ghost.org/faq/errors/.

  2. When using a sudo user that requires a password, the SSL setup fails at install time (fails the ghost start final step), but seems to work after a ghost setup command (even though the sudo password was already entered at a previous step in the install procedure and the nginx sudo command worked in a previous step as well). Actually the message says the SSL is skipped, but the site loads with https. Error below:

    One or more errors occurred.
    ProcessError
    Message: Command failed: /bin/sh -c sudo -S -p ‘#node-sudo-passwd#’ /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain domain.com --webroot /var/www/domain.com/system/nginx-root --reloadcmd “nginx -s reload” --accountemail email@domain.com
    [Fri May 3 14:31:38 EEST 2019] domain.com:Verify error:Invalid response from https://www.domain.com/.well-known/acme-challenge/pibaqc36ddc5a12bq8lyyjkwl95gacwtdrzttbbv9we/ [2606:4700:30::6812:292f]:

  3. When selecting https://domain.com, the nginx config file is done with listening to port 80 directive rather than 443, when the default should probably be the other way around (or automatically detected/configured based on the site URL introduced by the user, if http://domain.com with port 80, if https://domain.com with 443). You have to manually edit the nginx configs to make the site work.

  4. By the same token, based on what the user enters (i.e. https://domain.com vs. https://www.domain.com), the proper redirect nginx rule can be added to the nginx config (currently missing and needs to be added manually).

  5. The nginx.conf is pretty bare, it would help to add into it at least some of the usual suspects, i.e. standard options (keepalive, etc.), gzip options, maybe caching, ssl settings, maybe some security options, etc.

  6. Other things I felt were missing from the Ghost Ubuntu install docs:

  • securing the server (at least a link to a DO or similar tutorial if not adding the basic steps, such as disabling root login via sshd_config and recommending ssh key type of login)
  • adding how to install ufw & fail2ban for securing the server even more (ufw is mentioned in the docs, but without context, also the ufw enable ‘Nginx Full’ doesn’t work on a standard Ubuntu install as it gives the following error: ERROR: Could not find a profile matching ‘Nginx Full’ - should be replaced with ufw allow ssh, ufw allow http, ufw allow https)
  • I would add the recommended mysql_secure_installation steps
  • I didn’t get the sudo “chmod 775 /var/www/ghost” recommendation as the default folder permissions are 755 rather (and this works for the ghost install as well)
  • I think, but am not 100% sure, that the database creation step failed the first time I did the install, and afterwards I made sure I had the databases already created before running ghost install - maybe there could be a note for this just in case
  • I also think that adding nginx logging to each website’s nginx config would help with troubleshooting potential issues

If anyone has other recommendations for the docs/cli, please post them here.

I will try to put in some time to do a PR for the docs on GitHub, but I’m not much of a GitHub user and wanted to post these to see if other people also think them useful to be added to the docs before doing the actual PR.

Thanks!
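
One way to check the SSH hardening suggested in the post above (root login disabled, key-only login), as an added example that is not part of the original post or of the Ghost docs. The function names and the sample file are constructed for illustration; the fallback values are the upstream OpenSSH defaults, and the parser assumes whitespace-separated, unquoted `keyword value` lines with no `Include` files.

```bash
#!/usr/bin/env bash
# Added example: audit the global section of an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive, so a hardened line appended at the bottom can be shadowed.

# Print the effective global value of keyword $2 in file $1, else default $3.
sshd_effective() {
  local file=$1 key=$2 default=$3
  awk -v key="$key" -v def="$default" '
    BEGIN { key = tolower(key) }
    /^[ \t]*#/ { next }                      # skip comment lines
    tolower($1) == "match" { exit }          # global section ends here
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$file"
}

# Return 0 when root login is off and passwords are off (key-only login);
# otherwise print one line per finding and return 1.
audit_sshd() {
  local file=$1 rc=0 root pass
  root=$(sshd_effective "$file" PermitRootLogin prohibit-password)
  pass=$(sshd_effective "$file" PasswordAuthentication yes)
  if [ "$root" != "no" ]; then
    echo "FINDING: PermitRootLogin is '$root' (want 'no')"; rc=1
  fi
  if [ "$pass" != "no" ]; then
    echo "FINDING: PasswordAuthentication is '$pass' (want 'no')"; rc=1
  fi
  return $rc
}

# Constructed sample: the "no" at the bottom never takes effect because the
# earlier "yes" wins, and the commented-out line leaves the default in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for this example
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd "$sample" || true
```

The audit covers only the global section, so a `Match` block that re-enables passwords for one user is not reported; on a live host `sshd -T` prints the configuration sshd actually resolved.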

#2

Following - curious about using MariaDB instead of MySQL. Perhaps a Docker installation of ghost could help automate the security improvements and various changes during installation?
