2 min read

A day with Ghost and Co-Pilot

I have spent the day setting up this platform and have run into some challenges. Setting it up in its basic form is easy, but hardening the system by separating the front end from the back end, and setting up a reverse proxy on the front end that redirects to port 443 (HTTPS) with certbot-issued SSL certificates to support TLS, has proved more challenging.

Separating the components and architecting the internal network has taken some tinkering, but as you can tell from reading this article, we are up and running. It has been a learning curve getting back into development. The first choice was the hosting hardware and the OS to support this platform. The starting point was to use Docker, which supports the component parts and also provides the internal network needed to safely hide the backend from the internet. So, based on these principles, I have hosted this on a Linux server running Docker Community Edition.

I have ended up with 5 containers (3 more than I thought I would start with).

  • To separate duties I have a web front end acting as a proxy server (container 1) to service the HTTP and HTTPS traffic.
  • This means that the Ghost container (container 2) is not directly exposed to the internet.
  • The other container I was not expecting was one specifically for managing SSL certs via certbot, which is used by the proxy server. This means that all traffic runs over HTTPS and TLS.
  • Container 4 is Mariadb to support the backend data, and it also sits on the internal network.
  • The final container is more of an admin container to allow direct access to Mariadb if it is required. This container does not run all the time and only runs the Mariadb / MySQL client. It is needed because the Mariadb server image doesn't have the client installed, so if you need direct access you would otherwise have to install the client on the Mariadb server, which doesn't feel right and doesn't feel overly secure.

The other feature of Docker I have used is that I have 2 networks set up, internal_net and external_net. This provides the separation between public-facing containers and internal containers. The proxy server and Ghost run on both the external and internal networks, but everything else runs only on the internal network.

Key considerations are around setting up volumes to support the configuration files, the content and the database itself. Be mindful of the UIDs and GIDs used; they need to match on the host and in the containers. I fell foul of this, and Copilot did help me out in this area.

The only other major thing you need to set up is mail, as Ghost relies heavily on it for subscriptions, so make sure you have an email account to use and then you are ready to go. It has been a learning curve, but falling back on Copilot when issues arise has been very helpful and got me to a better-architected solution going forward.
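As an added example (not the author's own files), here is a docker-compose.yml that captures the layout described above: five services, the two networks with internal_net marked `internal: true` so the database has no route to the outside, only the proxy publishing ports, and the admin client behind a compose profile so it runs only on demand. Image tags, the nginx config file, volume names and the `.env` variables (`SITE_DOMAIN`, `DB_PASSWORD`, `DB_ROOT_PASSWORD`, `SMTP_*`) are assumptions.

```yaml
services:
  proxy:                      # container 1: the only service with published ports
    image: nginx:alpine
    ports: ["80:80", "443:443"]
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro  # 80 -> 443 redirect, proxy_pass to ghost:2368
      - certs:/etc/letsencrypt:ro                    # written by certbot, read-only here
      - acme:/var/www/certbot:ro                     # HTTP-01 challenge files
    networks: [external_net, internal_net]
  certbot:                    # container 3: issues/renews certs for the proxy
    image: certbot/certbot
    volumes: ["certs:/etc/letsencrypt", "acme:/var/www/certbot"]
    # first issue once: docker compose run certbot certonly --webroot -w /var/www/certbot -d $SITE_DOMAIN
    entrypoint: ["/bin/sh", "-c", "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done"]
    networks: [external_net]  # needs outbound access to the CA (assumption: not internal-only)
  ghost:                      # container 2: no ports published; reachable only through proxy
    image: ghost:5-alpine
    user: "1000:1000"         # assumption: ./content on the host is owned by 1000:1000
    environment:
      url: https://${SITE_DOMAIN}
      database__client: mysql
      database__connection__host: db
      database__connection__user: ghost
      database__connection__password: ${DB_PASSWORD}
      database__connection__database: ghost
      mail__transport: SMTP   # Ghost needs working mail for member sign-ups
      mail__options__host: ${SMTP_HOST}
      mail__options__port: "587"
      mail__options__auth__user: ${SMTP_USER}
      mail__options__auth__pass: ${SMTP_PASS}
    volumes: ["./content:/var/lib/ghost/content"]
    networks: [external_net, internal_net]  # external only for outbound SMTP
  db:                         # container 4: internal network only
    image: mariadb:11
    environment:
      MARIADB_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
      MARIADB_DATABASE: ghost
      MARIADB_USER: ghost
      MARIADB_PASSWORD: ${DB_PASSWORD}
    volumes: ["dbdata:/var/lib/mysql"]
    networks: [internal_net]
  dbadmin:                    # container 5: client only, started on demand
    image: mariadb:11
    profiles: [admin]         # skipped by plain `docker compose up`; start with `docker compose run dbadmin`
    entrypoint: ["mariadb", "-h", "db", "-u", "root", "-p"]  # prompts for the password, keeps it out of argv
    networks: [internal_net]
networks:
  external_net: {}
  internal_net: { internal: true }  # no route to or from the host's public interfaces
volumes: { certs: {}, acme: {}, dbdata: {} }
```

A quick check that the separation holds: `docker compose exec db getent hosts example.com` should fail (no DNS or route out of internal_net), while `docker compose port proxy 443` should be the only published mapping.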

The final thing for me to do now is set up backup and restore scripts to support this. I will let you know how I get on with that once completed.

Here's a start to Dave blogging!!!!