Getting Varnish, SSL and logging to work with Ghost

I have a complex setup: Varnish sits in front of Apache, serving up cached content on port 80. Requests for secure (HTTPS) pages on port 443 are passed through to the Apache backend, which deals with them. And now Ghost runs on node.js on port 2368. So I have to get the unencrypted Ghost traffic to go through Varnish, and requests to log in via SSL to be passed through Apache, which then passes them on to node.js to deal with.


TL;DR - These are my notes; I hope they help.

You have to edit a few files here: the Varnish .vcl, the Apache vhosts file and the Ghost config.js file. I wanted it all set up so that all website traffic got logged, which I could then monitor with Awstats.

So, in my Varnish VCL file - the master configuration of the caching server - I define my default backend server to query. In this case it is Apache.

backend default {
    .host = "127.0.0.1";
    .port = "8888";
}

My Apache virtual host file is set up so that requests for front-end pages are served over regular HTTP on port 8888 (and cached by Varnish through port 80) and back-end pages are served over HTTPS on port 443.

<VirtualHost *:8888>
  ServerName ghost.example.net
  ServerAdmin webmaster@example.net
  DocumentRoot /web/root/ghost/

  # Logs
  CustomLog /logs/access.log varnishcombined
  ErrorLog /logs/error.log

  # Proxy Config
  ProxyPass / http://127.0.0.1:2368/
  ProxyPreserveHost On
</VirtualHost>

Secure, encrypted admin pages

<VirtualHost *:443>
  ServerName ghost.example.net
  ServerAdmin webmaster@example.net
  DocumentRoot /web/root/ghost/

  # Logs
  CustomLog /logs/ga-access.log varnishcombined env=!dontlog
  ErrorLog /logs/ga-error.log

  # Proxy Config
  ProxyRequests Off
  ProxyPass / http://127.0.0.1:2368/
  ProxyPassReverse / http://127.0.0.1:2368/
  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https" early

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  <DirectoryMatch /web/root/ghost>
    Order allow,deny
    Deny from all
  </DirectoryMatch>

  # SSL Config
  SSLEngine on
  SSLCertificateFile /path/to/ssl/certs/ghost.crt
  SSLCertificateKeyFile /path/to/ssl/keys/ghost.key
</VirtualHost>

So what you can see from the Apache config is that the front end is proxied by Apache from the node.js back-end on port 2368 to port 8888. The static front-end traffic is then served and cached by Varnish (on port 80) in an attempt to make it a wee bit faster.

The administration pages behind the scenes are protected by encrypting the connection so your username and password are not sent in clear text. This is done by switching to HTTPS on port 443.

The logs for front and backend are written to separate files and Awstats processes these for some simple analytics.

Finally, in the config.js file of your Ghost installation, you need to edit the following settings in the Production section:

url: 'http://ghost.mixedbredie.net',
urlSSL: 'https://ghost.mixedbredie.net',
forceAdminSSL: true

Restart your webserver, the Varnish cache and Ghost and you are good to go:

sudo service apache2 restart
sudo service varnish restart
sudo service ghost restart
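
A quick way to confirm the chain behaves as described once everything has restarted, as an added example that is not part of the original notes: the functions below read response headers as printed by curl -sI and check that a front-end page came through Varnish and that a plain-HTTP request for the admin page is redirected to HTTPS. The /ghost/ admin path and Varnish's default X-Varnish response header are assumptions, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: header checks for the Varnish -> Apache -> Ghost chain.
# Each function takes raw response headers (as printed by `curl -sI`) as $1.

# Status code from the status line: "HTTP/1.1 301 Moved Permanently" -> 301
http_status() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Value of header $2 (name matched case-insensitively), CR stripped.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '
        BEGIN { n = tolower(n) ":" }
        tolower(substr($0, 1, length(n))) == n {
            sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Assumption: the VCL leaves Varnish's default X-Varnish response header in place.
went_through_varnish() {
    [ -n "$(header_value "$1" X-Varnish)" ]
}

# forceAdminSSL: a plain-HTTP admin request must be answered with a 3xx to https://
admin_forced_to_https() {
    case "$(http_status "$1")" in 3??) ;; *) return 1 ;; esac
    case "$(header_value "$1" Location)" in https://*) return 0 ;; *) return 1 ;; esac
}

# Live check; /ghost/ is assumed to be the admin path.
verify_live() {
    front=$(curl -sI "http://$1/") || return 2
    admin=$(curl -sI "http://$1/ghost/") || return 2
    went_through_varnish "$front" || { echo "front page did not pass through Varnish"; return 1; }
    admin_forced_to_https "$admin" || { echo "admin page not redirected to HTTPS"; return 1; }
    echo "ok"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_FRONT='HTTP/1.1 200 OK
X-Varnish: 1234 1200
Via: 1.1 varnish'
SAMPLE_ADMIN='HTTP/1.1 301 Moved Permanently
Location: https://ghost.example.net/ghost/'

# Usage: sh check.sh --live ghost.example.net
if [ "${1:-}" = "--live" ]; then verify_live "$2"; fi
```

A failed admin check usually means Ghost never saw the request as plain HTTP or forceAdminSSL is not set in the section of config.js that is actually in use.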

See how to install Ghost as a service here and here.

I can't remember what else I was going to write for this post...