Ghost & Caddy - Restrict admin url

The Ghost blog platform doesn't have a configuration option for changing the admin URL.  By default the admin interface and login page are available at https://<your blog>/ghost.

I tend to agree with this post in one of several GitHub issue threads asking for this feature.  

Hardening, defensibly the most important defense technique, is where you reduce the vulnerability surface so attackers have fewer ways to exploit. By removing software defaults you take away tools from attackers that perform scans that uncover defaults in software as potential targets.

Unfortunately I don't have the time to devote to adding this feature to the platform, but fortunately it is easy enough to configure using Caddy as a reverse proxy.

There is a major limitation to this workaround: it also blocks access to the Ghost API, which is served under /ghost/api on the public domain.  This will break any third-party apps or other features that depend on the API at its default location.  After this configuration, the Ghost API is reachable only at the custom configured admin URL.  I have not tried any third-party apps.

There are three steps to this configuration:

Step 1 - Caddy Config - Shut down all access to /ghost with "respond"

Reference: respond (Caddyfile directive) - Caddy Documentation

myblog.com, www.myblog.com {
  reverse_proxy http://localhost:2368
  # Caddy v2 path matchers are exact, so a bare /ghost would leave /ghost/ and
  # /ghost/api/... reachable. The trailing * makes this a prefix match.
  respond /ghost* "Access denied" 403 {
    close
  }
}

Note again that this is going to restrict all access to the Ghost API located at /ghost/api. The API will be available at the new admin URL configured below.

Step 2 - Ghost Config - Configure alternate admin URL

Ghost actually supports hosting the admin interface at a separate URL.  Unfortunately this configuration also adds a redirect at the default /ghost/ location, which is why Step 1 is necessary.

Reference: Configuration - Ghost Documentation

"admin": {
  "url": "https://<random string>.myblog.com"
}

Step 3 - Caddy Config - Add another reverse proxy configuration in Caddy for the admin URL

<random string>.myblog.com {
  reverse_proxy http://localhost:2368
}
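After reloading Caddy and restarting Ghost, it is worth checking that the three steps actually produced the intended result. The script below is an added example, not part of the original post: it generates a random label for the admin subdomain and probes the public host and the admin host, expecting 403 on every /ghost path of the public host and 200 for the admin UI on the admin host. The probe paths and hostnames are constructed for illustration.

```python
"""Post-deployment check for the Caddy + Ghost admin-URL setup in this post."""
import secrets
import urllib.error
import urllib.request

# Constructed probe paths: once Caddy blocks /ghost* on the public host, all of
# these must be denied (the API path reflects the post's note that the API is
# blocked too on the public host).
DENIED_PUBLIC_PATHS = ("/ghost", "/ghost/", "/ghost/api/admin/site/")


def new_admin_label(nbytes: int = 16) -> str:
    """Random hex label to use as the post's <random string> subdomain."""
    return secrets.token_hex(nbytes)


def expected_statuses(public_host: str, admin_host: str) -> dict:
    """URL -> HTTP status the deployment must return for the policy to hold."""
    want = {f"https://{public_host}{p}": 403 for p in DENIED_PUBLIC_PATHS}
    want[f"https://{admin_host}/ghost/"] = 200  # admin UI still served here
    return want


def fetch_status(url: str, timeout: float = 5.0):
    """GET the URL (following redirects); return the final status, or None if
    no HTTP response came back (DNS failure, TLS error, connection refused)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.URLError as err:  # HTTPError is a URLError subclass
        return getattr(err, "code", None)


def evaluate_probe(expected: dict, observed: dict) -> list:
    """(url, expected, observed) for every URL whose status violates the policy."""
    return [(u, want, observed.get(u)) for u, want in expected.items()
            if observed.get(u) != want]


def probe(public_host: str, admin_host: str) -> list:
    """Fetch every expected URL and report the violations (empty list = pass)."""
    expected = expected_statuses(public_host, admin_host)
    observed = {u: fetch_status(u) for u in expected}
    return evaluate_probe(expected, observed)


if __name__ == "__main__":  # usage: python check_admin_url.py myblog.com <label>.myblog.com
    import sys
    for url, want, got in probe(sys.argv[1], sys.argv[2]):
        print(f"FAIL {url}: expected {want}, got {got}")
```

An empty result means the public host denies every /ghost path and the admin host still serves the UI; a 200 on a public /ghost path usually means the matcher is missing its trailing *.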

Conclusion

You can restrict what URLs are permitted in and out of Ghost by using a reverse proxy like Caddy.  This will probably not stop a determined attacker from finding your super secret admin URL, but it might stop a bot.