This project has moved to a GitHub repository:
@hwdsl2 after setting up ModSecurity, I am not able to upload any media file within Ghost. When I disable ModSecurity, everything seems OK. Can you tell me which rule is going to interrupt file uploads?
@fratoro Unfortunately uploading media files (e.g. the blog cover) is an issue for which I have not yet found a solution. It is certainly a problem with ModSecurity but I am not sure which rule is causing that.
For now you can try logging into Ghost admin via SSH port forwarding (at port 2368) in order to upload those files. This will bypass Nginx and access the Node.js backend directly. That's what I always did when managing my blog.
Alternatively you can create additional location blocks in nginx.conf for "/ghost/", and disable ModSecurity for it but allow access from only your IP. You can find the syntax via Google search.
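The location block described in the reply above, written out as an added example (this is not configuration from the original post or the tutorial). It assumes the ModSecurity 2.x nginx connector, whose `ModSecurityEnabled` and `ModSecurityConfig` directives are accepted in server and location context, a Ghost backend on 127.0.0.1:2368, and a constructed admin address 203.0.113.10 and hostname blog.example.com.

```nginx
# Added example: ModSecurity stays on for the public site, while the Ghost
# admin path is served without it and only to one trusted address.
server {
    listen 80;
    server_name blog.example.com;                   # constructed name

    # Default for this vhost: every request is inspected by ModSecurity.
    ModSecurityEnabled on;
    ModSecurityConfig /etc/nginx/modsecurity.conf;  # assumed path

    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Admin area and its upload API live under /ghost/ (assumption about the
    # Ghost version the post targets). ModSecurity is off here, so the path is
    # restricted to the admin's own IP (constructed) before anything else.
    location /ghost/ {
        allow 203.0.113.10;
        deny all;
        ModSecurityEnabled off;
        client_max_body_size 20m;   # cover uploads (the nginx default is 1m)
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check it with `nginx -t` before reloading. Note that `allow`/`deny` match the TCP peer address, so if the site sits behind a CDN or reverse proxy the block would see the proxy's address, not the admin's; in that case the IP restriction needs the `ngx_http_realip_module` configured for the trusted proxy, or it should not be relied on at all.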
I have just stumbled upon this to check if my nginx configuration was good enough. Turns out I was about 3/4 there! Thanks!
You can use the NodeSource deb repo for the latest NodeJS for the previous 3 LTS releases of Ubuntu: https://deb.nodesource.com/setup
I would be surprised if there isn't also a PPA floating around that has Nginx with Mod Security support.
Thanks for the comment Philio! I'll check it out.
It works! Awesome and thanks for your detailed tutorial :)
And this is why I hate fscking hipster apps like nodejs and shit, they don't even have a regular init/upstart/systemd script but require a module like forever or god (I'm looking at you Ruby). Why do you think these things exist? Because it is not in a hipster language? Because it "just works"? And of course, let's compile everything from source, why would we even think of using packages or the package management system the distro provides?
This is what happens when you let some stoned hipsters with a CS degree get loose and make software...
Now, end rant. The tutorial has some issues as well and some of the steps could use a bit more explanation.
Why would you run ssh on a different port and then also install fail2ban, but still allow password login via ssh? ssh+fail2ban with keys on port 22 is fine as well; a simple Nmap scan finds your super secret port. The only thing a different ssh port does is keep your logs cleaner, but since root login and password login are enabled by default on Ubuntu, it won't help you much. My botnet will try it happily from every IP it got, only 2 times per hour so it won't get caught by fail2ban.
This: "if [ $(ps aux | grep node | grep -v grep | wc -l | tr -s "\n") -eq 0 ]; then" - is also what a normal init system is for. By the way, you could just use pgrep for this.
Also, explain why the specific ModSecurity rules should be "relaxed". And, you don't relax them, you just disable them. You can override a ModSecurity rule by undefining it and redefining it but changing the action or regex. I use this to "relax" rules that should be on, but cannot because of the software. Disabling them is just wrong unless there is a good reason for it.
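The override approach described in the comment above, as an added example (not from the original post or the tutorial): instead of switching a rule off, the stock rule is removed by id and a replacement with a narrower target and a non-blocking action is defined under a local id, so the check still runs and still shows up in the logs. The rule ids 900100 and 100100, the pattern and the include path are constructed placeholders; the real id of an offending rule comes from the `[id "..."]` field of the ModSecurity audit log entry for the blocked request. This file must be included after the ruleset that defines the original rule, because `SecRuleRemoveById` only affects rules already loaded.

```apache
# Added example: override a rule instead of disabling it.
# Load the base rules first (assumed path); the overrides below refer to them.
Include /etc/nginx/modsecurity/base_rules/*.conf

# --- Option A: undefine and redefine -------------------------------------
# 1. Drop the stock rule (900100 is a constructed stand-in for the real id
#    found in the audit log).
SecRuleRemoveById 900100

# 2. Define the replacement under a local id so it cannot collide with the
#    original. Same kind of check, but scoped to parameter names only and
#    set to log-only, so a false positive is visible but no longer blocks.
SecRule ARGS_NAMES "@rx <script[^>]*>" \
    "id:100100,phase:2,pass,log,t:none,t:lowercase,\
    msg:'Overridden copy of rule 900100: log only',severity:'WARNING'"

# --- Option B: keep the original rule body, change only what must change --
# Do not combine with Option A (the rule no longer exists after the removal).
# SecRuleUpdateActionById 900100 "pass,log"       # block -> log only
# SecRuleUpdateTargetById 900100 "!ARGS:content"  # stop inspecting one field
```

Option B is the smaller change when only the action or a single target is wrong; Option A is for when the regex itself needs to change. Either way, re-run the request that was blocked and confirm the audit log now records the replacement id with `pass` rather than a `deny` from the original rule.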
The init script for NGINX does not require the expect fork if you specify daemon off in the nginx config file.