I decided to start blogging again and after doing a little bit of research I decided to give the Ghost platform a chance.

Even though it has its downsides, I believe it probably provides me with all the necessary things for blogging.

I am currently running the blog on my Raspberry Pi, listening on localhost, with nginx listening in front and forwarding the requests.

Here is the virtualhost for http:

server {  
  listen      80;
  server_name blog.marcdeop.com;
  root        /var/www/blog/;
  index       index.php;
  access_log  /var/log/nginx/blog.marcdeop.com-access.log;
  error_log   /var/log/nginx/blog.marcdeop.com-error.log;

  if ($http_host != "blog.marcdeop.com") {
    rewrite ^ http://blog.marcdeop.com$request_uri permanent;
  }

  # Redirect signin to https
  location /ghost/signin {
    return 301 https://$server_name$request_uri;
  }

  location / {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_pass       http://localhost:2368;
  }

  location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
    access_log off;
    expires    30d;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    proxy_pass http://localhost:2368;
  }

  location = /robots.txt { access_log off; log_not_found off; }
  location = /favicon.ico { access_log off; log_not_found off; }

  location ~ /\.ht {
    deny all;
  }
}

Notice especially:

  location /ghost/signin {
    return 301 https://$server_name$request_uri;
  }

I used this location to redirect to https so the password information is sent in a secure way.

Next step will be setting up https. Here is the virtualhost:

server {  
  listen      443 ssl;
  server_name blog.marcdeop.com;
  root        /var/www/blog/;
  index       index.php;
  access_log  /var/log/nginx/blog.marcdeop.com-access-ssl.log;
  error_log   /var/log/nginx/blog.marcdeop.com-error-ssl.log;

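  # Enable SSL (the "ssl" parameter on the listen directive turns TLS on;
  # the separate "ssl on;" directive is obsolete and was removed in nginx 1.25.1)
  ssl_certificate     /etc/ssl/certs/blog.marcdeop.com.crt;
  ssl_certificate_key /etc/ssl/private/blog.marcdeop.com.key;

  # Accepted protocols (TLSv1 and TLSv1.1 have since been deprecated by RFC 8996)
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;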

  # Accept only strong ciphers
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

  # Unique DHGroup
  ssl_dhparam /etc/nginx/ssl/dhparams.pem;

  # Return to unsecured connection for all other pages
  location / {
    return 301 http://$server_name$request_uri;
  }

  location ~ ^/(favicon.ico) {
    root       /var/www/blog/core/shared;
    access_log off;
    expires    max;
  }

  # Disable access to account creation page.
  # Regex locations are tried in file order and the first match wins, so the
  # specific ones must come before the catch-all "location ~ /" at the end.
  location ~ ^/(ghost/signup/) {
    rewrite ^/(.*)$ http://blog.marcdeop.com permanent;
  }

  location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
    access_log off;
    expires    30d;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    proxy_pass http://localhost:2368;
  }

  location = /robots.txt { access_log off; log_not_found off; }
  location = /favicon.ico { access_log off; log_not_found off; }

  location ~ /\.ht {
    deny all;
  }

  # Connect to Node.js instance.
  # This regex matches every URI, and a matching regex location is preferred
  # over the prefix "location /" above, so all remaining requests end up here.
  location ~ / {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_pass       http://localhost:2368;
  }
}
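
An added example (not part of the original post): a small Python model of nginx's documented location-selection order, applied to the locations of the HTTPS virtual host. It shows that a regex matching every URI, such as `location ~ /`, takes every request that reaches the regex pass when it precedes the more specific regex locations, and still shadows the prefix `location /` when it is moved last. The labels and sample URIs are made up for the illustration, and nested or named locations are not modelled.

```python
import re

# The HTTPS virtual host's locations as (modifier, pattern, label), with the
# catch-all regex ahead of the more specific ones. Labels are made up here.
CATCH_ALL_EARLY = [
    ("",   "/",                  "redirect-to-http"),
    ("~",  r"^/(favicon.ico)",   "favicon-file"),
    ("~",  r"/",                 "proxy-to-ghost"),
    ("~*", r"\.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$", "static-cache"),
    ("~",  r"^/(ghost/signup/)", "signup-blocked"),
    ("=",  "/robots.txt",        "robots"),
    ("=",  "/favicon.ico",       "favicon-exact"),
    ("~",  r"/\.ht",             "deny-ht"),
]
# Same locations with the catch-all regex moved to the end of the file.
CATCH_ALL_LAST = ([loc for loc in CATCH_ALL_EARLY if loc[2] != "proxy-to-ghost"]
                  + [loc for loc in CATCH_ALL_EARLY if loc[2] == "proxy-to-ghost"])

def select_location(locations, uri):
    """Label of the location nginx picks for an already-normalized URI path."""
    best = None  # longest matching prefix location so far
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label  # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best and best[0] == "^~":
        return best[2]  # ^~ suppresses the regex pass
    for mod, pat, label in locations:  # regexes: file order, first match wins
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return label
    return best[2] if best else None

def never_selected(locations, uris):
    """Labels no sample URI reaches: candidates for shadowed blocks."""
    hit = {select_location(locations, u) for u in uris}
    return sorted(label for _, _, label in locations if label not in hit)

# Constructed sample requests.
SAMPLE_URIS = ["/", "/ghost/signup/", "/ghost/signin", "/assets/app.js",
               "/robots.txt", "/favicon.ico", "/.htaccess"]

if __name__ == "__main__":
    for name, locs in (("early", CATCH_ALL_EARLY), ("last", CATCH_ALL_LAST)):
        print(f"catch-all {name}:")
        for uri in SAMPLE_URIS:
            print(f"  {uri:16} -> {select_location(locs, uri)}")
        print("  never selected:", never_selected(locs, SAMPLE_URIS))
```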