@hwdsl2
Last active December 28, 2016 07:16
Ghost Blog Auto Setup Script with Nginx and ModSecurity
@RaymiiOrg

And this is why I hate fscking hipster apps like nodejs and shit, they don't even have a regular init/upstart/systemd script but require a module like forever or god (I'm looking at you Ruby). Why do you think these things exist? Because it is not in a hipster language? Because it "just works"? And of course, let's compile everything from source, why even would we think of using packages or the package management system the distro provides?

This is what happens when you let some stoned hipsters with a CS degree get loose and make software...

Now, end rant. The tutorial has some issues as well and some of the steps could use a bit more explanation.

Why would you run ssh on a different port and then also install fail2ban, but still allow password login via ssh? ssh+fail2ban with keys on port 22 is fine as well, a simple NMAP scan finds your super secret port. The only thing a different ssh port does is keep your logs cleaner, but since root login and password login is enabled by default on Ubuntu, it won't help you much. My botnet will try it happily from every IP it got, only just 2 times per hour so it won't get caught by fail2ban.

This: "if [ $(ps aux | grep node | grep -v grep | wc -l | tr -s "\n") -eq 0 ]; then" - is also what a normal init system is for. By the way, you could just use pgrep for this.

Also, explain why the specific ModSecurity rules should be "relaxed". And, you don't relax them, you just disable them. You can override a ModSecurity rule by undefining it and redefining it but changing the action or regex. I use this to "relax" rules that should be on, but cannot because of the software. Disabling them is just wrong unless there is a good reason for it.

The init script for NGINX does not require the expect fork if you specify daemon off in the nginx config file.
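The "undefine and redefine" approach described in the comment above, written out as an added example (not code from the gist or from the commenter). It assumes the libmodsecurity v3 nginx connector, whose directives are `modsecurity`, `modsecurity_rules_file` and `modsecurity_rules`; the 2014-era v2 nginx module used `ModSecurityEnabled` and `ModSecurityConfig` instead, with the same `SecRule*` directives in a separate file. The rule id `999999`, the argument name `markdown`, the hostname and the rules file path are placeholders.

```nginx
# Added example (not from the gist): three ways to deal with a ModSecurity
# rule that blocks legitimate application traffic. Rule id 999999 and the
# parameter name "markdown" are placeholders; take the real id from the
# audit log entry that matched the blocked request.
server {
    listen 80;
    server_name blog.example.com;          # placeholder

    modsecurity on;
    # Base rule set (e.g. the OWASP CRS) is loaded first. Exceptions must
    # come AFTER the rule they refer to, so they go in the inline blocks.
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # placeholder path

    location / {
        # 1) Disabling: the rule is gone for every request and every
        #    parameter. This is what the commenter objects to.
        #
        #    modsecurity_rules 'SecRuleRemoveById 999999';
        #
        # 2) Relaxing by target: the rule keeps running, it just stops
        #    inspecting the one parameter that carries legitimate matches
        #    (here, a blog post body that naturally contains HTML-like text).
        modsecurity_rules '
            SecRuleUpdateTargetById 999999 "!ARGS:markdown"
        ';

        # 3) Relaxing by redefinition (the commenter's method): remove the
        #    original, then declare a rule with the same id, the same or a
        #    narrower pattern, and a non-blocking action. The match is still
        #    logged, so the audit trail survives.
        #
        #    modsecurity_rules '
        #        SecRuleRemoveById 999999
        #        SecRule ARGS "@rx placeholder_pattern" \
        #            "id:999999,phase:2,t:none,log,pass"
        #    ';

        proxy_pass http://127.0.0.1:2368;
    }
}
```

Only one of the three variants should be active for a given rule id: a `SecRuleUpdateTargetById` applied before a `SecRuleRemoveById` is discarded together with the rule, and redefining an id that still exists is a configuration error. Whichever variant is chosen, the change is scoped to the `location` it sits in, so the public site keeps the full rule.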

@fratoro

fratoro commented Apr 28, 2014

@hwdsl2 after setting up ModSecurity, I am not able to upload any media file within Ghost. When I disable ModSecurity everything seems ok. Can you tell me which rule is going to interrupt file uploads?

@hwdsl2
Author

hwdsl2 commented Apr 29, 2014

@fratoro Unfortunately uploading media files (e.g. the blog cover) is an issue for which I have not yet found a solution. It is certainly a problem with ModSecurity but I am not sure which rule is causing that.

For now you can try logging into Ghost admin via SSH port forwarding (at port 2368) in order to upload those files. This will bypass Nginx and access the Node.js backend directly. That's what I always did when managing my blog.

Alternatively you can create additional location blocks in nginx.conf for "/ghost/", and disable ModSecurity for it but allow access from only your IP. You can find the syntax via Google search.
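The second workaround above, as an added example that is not part of the gist: a separate `location` for `/ghost/` that is reachable only from one address and bypasses ModSecurity, while the public site stays inspected. It assumes the libmodsecurity v3 nginx connector (`modsecurity off;`); the v2 nginx module of the gist's era used `ModSecurityEnabled off;` in the same place. The upstream port 2368 comes from the comment above; the hostname, rules file path and the address 203.0.113.10 are constructed placeholders.

```nginx
# Added example (not from the gist): keep ModSecurity on for visitors and
# off for the Ghost admin interface, which is locked to one source address.
# 203.0.113.10 is a constructed placeholder for the administrator's IP.
server {
    listen 80;
    server_name blog.example.com;          # placeholder

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # placeholder path

    # Public site: every request passes through ModSecurity.
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Admin interface. nginx picks the longest matching prefix, so this
    # block wins over "/" for anything under /ghost/.
    location /ghost/ {
        allow 203.0.113.10;                # placeholder admin address
        deny  all;                         # everyone else: 403 before proxying
        modsecurity off;                   # v2 module: ModSecurityEnabled off;
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

`allow`/`deny` compare against the address nginx sees on the TCP connection; if a load balancer or CDN sits in front, configure the realip module first, otherwise the allowlist matches the proxy rather than the administrator. The access check runs before the request is proxied, so an unlisted client never reaches the uninspected backend path.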

@craigbutcher

I have just stumbled upon this to check if my nginx configuration was good enough. Turns out I was about 3/4 there! Thanks!

@Philio

Philio commented Aug 8, 2014

You can use the NodeSource deb repo for the latest NodeJS for the previous 3 LTS releases of Ubuntu: https://deb.nodesource.com/setup

I would be surprised if there isn't also a PPA floating around that has Nginx with Mod Security support.

@hwdsl2
Author

hwdsl2 commented Aug 9, 2014

Thanks for the comment Philio! I'll check it out.

@JayY0ung

It works! Awesome and thanks for your detailed tutorial :)
