Sign in Subscribe
selfhost

Securely Self-Host Ghost on Proxmox Using Cloudflared - No Open Ports Needed

Selfhost without exposing ports to the internet

Everything Homelab

2 min read
Securely Self-Host Ghost on Proxmox Using Cloudflared - No Open Ports Needed

Self-hosting applications can be challenging because of the security risks associated with open ports. This article will show you how to self-host a Ghost blog on Proxmox without opening any ports. We'll achieve this by using Cloudflared, which securely tunnels traffic to your server, eliminating the need for open ports.

Prerequisites

Before you begin, ensure you have the following:

  1. A VM on Proxmox: A Linux-based VM (e.g., Ubuntu) to host Docker and Ghost.
  2. A domain name: Registered and managed through Cloudflare.
  3. Cloudflare account: Sign up at Cloudflare if you don't have one

Step 1: Setup Ghost

Install Docker and Docker Compose on your VM:

sudo apt install -y docker.io docker-compose
sudo systemctl start docker
sudo systemctl enable docker

Update your VM's system packages:

sudo apt update && sudo apt upgrade -y

Create a docker-compose.yml file:

nano docker-compose.yml

Add the following to the file:

version: '3.1'

services:

  ghost:
    image: ghost
    restart: always
    ports:
      - 8080:2242
    environment:
      database__client: mysql
      database__connection__host: db
      database__connection__user: root
      database__connection__password: example
      database__connection__database: ghost
      # this url value is just an example, and is likely wrong for your environment!
      url: https://your_domain.com # Set this value here before moving on

  db:
    image: mysql:8.0
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: example_password

Start ghost container

docker-compose up -d

Step 3: Install Cloudflared

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb

sudo dpkg -i cloudflared-linux-amd64.deb

Step 4: Configure Cloudflare

Log in to your Cloudflare account, add your domain, and follow the setup wizard. This will include changing your domain's nameservers to Cloudflare's nameservers as instructed

Authenticate Cloudflared with Cloudflare

This command will open a browser window and prompt you to log in to your Cloudflare account. After logging in, select the domain you want to use.

cloudflared login

Create your tunnel

cloudflared tunnel create my-tunnel

Get your tunnel id

cd ~/.cloudflared

There should be a .json file in this directory. Grab the file name (tunnel id)

Configure the Tunnel
Create a configuration file for your tunnel. Replace my-tunnel with the name of your tunnel and your_domain with your actual domain.

sudo nano /etc/cloudflared/config.yml

Add the following lines:

Replace my-tunnel.json with the tunnel id you copied above. If you're using a non-root user, you'll also need to update the base path

tunnel: my-tunnel
credentials-file: /root/.cloudflared/my-tunnel.json

ingress:
  - hostname: your_domain.com
    service: http://localhost:2242
  - service: http_status:404

Start your tunnel

cloudflared tunnel run my-tunnel &

Step 4: Setup DNS resolution to your tunnel

Go to the DNS section in your Cloudflare dashboard. Add a CNAME record for your domain pointing to <my-tunnel-id>.cfargotunnel.com

Step 5: Enjoy your self-hosted ghost blog

Sign up for more like this

Enter your email
Subscribe