Protecting a Ghost Site with Cloudflare Access

Blocking access to the Ghost Admin section is a key security strategy, and Cloudflare makes it easy.

I'm a big fan of Cloudflare - we use it at ZSuite and I rely on it for all my personal domains at home. Today, I want to share how to secure your Ghost blog with Cloudflare, particularly focusing on protecting the admin interface.

Why Cloudflare?

Let me share why I've standardized on Cloudflare for both enterprise and personal use:

  1. Unified Security Model: Instead of cobbling together various security tools, Cloudflare provides a cohesive security platform
  2. Performance: Their global CDN means your content is served from edge locations close to your users
  3. DDoS Protection: Built-in protection against distributed denial of service attacks
  4. Zero Trust Security: With Cloudflare Access, you can implement zero-trust security principles without the traditional complexity

Securing Ghost's Admin Interface

One of the most critical aspects of running a Ghost blog is protecting your admin interface. While Ghost has solid built-in security, adding Cloudflare Access as an additional layer provides enterprise-grade protection. Here's how I did it:

Step 1: Initial Setup

  1. Add your domain to Cloudflare (if you haven't already)
  2. Ensure your DNS is properly configured
  3. Enable Full (Strict) SSL mode in the SSL/TLS section

Step 2: Configuring Cloudflare Access

This is where things get interesting. I initially protected the /ghost path, but discovered an important nuance that I want to share:

# Access Rules (in order of priority)
1. Allow: /ghost/api/* (Required for Ghost operations)
2. Deny: /ghost/* (Protect admin interface)

Here's a crucial lesson learned: The order of rules matters. The allow rule for /ghost/api must come before the deny rule for /ghost, or your admin interface won't function correctly. This is because Cloudflare evaluates rules in order and stops at the first match.
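To see why the order matters, here is an added example (not from the post or from Cloudflare) that models the first-match evaluation described above over the two rules. The glob path syntax, the sample request paths and the "allow" fall-through for everything outside /ghost are assumptions of the model, not Cloudflare's documented semantics.

```python
from fnmatch import fnmatchcase

# Constructed rule sets mirroring the post's Access configuration.
# Assumed glob syntax: '*' matches the rest of the path, as in the post.
CORRECT_ORDER = [
    ("allow", "/ghost/api/*"),   # Ghost API: must stay reachable
    ("deny",  "/ghost/*"),       # admin UI: requires Access authentication
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))   # deny first, allow never reached

# Constructed sample requests: what the admin UI and the public site fetch.
SAMPLE_PATHS = [
    "/ghost/",                    # admin interface -> should be denied
    "/ghost/api/admin/site/",     # admin API call  -> should be allowed
    "/ghost/api/content/posts/",  # content API call -> should be allowed
    "/",                          # public homepage -> not covered by rules
]


def first_match(rules, path, default="allow"):
    """Return the action of the first rule whose pattern matches `path`.

    Models the first-match evaluation the post describes: rules are tried in
    order and the first hit wins. Paths no rule covers fall through to
    `default` (assumed: the public blog stays reachable).
    """
    for action, pattern in rules:
        if fnmatchcase(path, pattern):
            return action
    return default


def evaluate(rules, paths=SAMPLE_PATHS):
    """Map each sample path to the action a rule set would take on it."""
    return {p: first_match(rules, p) for p in paths}


def api_breakage(rules, paths=SAMPLE_PATHS):
    """The 'Test API Access' check: API paths this rule set would block."""
    return [p for p in paths
            if p.startswith("/ghost/api/") and first_match(rules, p) == "deny"]


if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER),
                        ("reversed order", WRONG_ORDER)):
        print(name, evaluate(rules), "blocked API paths:", api_breakage(rules))
```

With the rules reversed, every /ghost/api/ request hits the deny rule first, which is exactly the broken admin interface the post warns about.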

Step 3: Setting Up Authentication

For authentication, I use GitHub SSO since it integrates perfectly with my workflow. It's straightforward to set up and provides robust security. I also recommend configuring a backup authentication method like One-Time Pin, just in case.

Performance Optimization

While security was my primary focus, Cloudflare also offers significant performance benefits. Here's what I've enabled:

  1. Auto Minify: For HTML, CSS, and JavaScript
  2. Brotli Compression: More efficient than gzip
  3. Early Hints: Faster page loads through 103 Early Hints
  4. HTTP/3: Enabled by default with Cloudflare

Lessons Learned

Through implementing this setup across multiple environments, here are my key takeaways:

  1. Test API Access: Always verify your API endpoints work after implementing access rules
  2. Rule Order Matters: Cloudflare processes rules in order, so more specific rules should come first

Looking Forward

With the continuous evolution of web threats, I'm impressed with how Cloudflare (https://www.cloudflare.com) stays ahead of the curve. They are pros at frequent releases, and these days they seem to balance their energy between protection and capabilities for developers.

Have you implemented similar security measures for your Ghost blog? I'd love to hear about your experiences in the comments below.
