How do I enable HTTPS for Ghost?
HTTPS on Ghost(Pro) vs Self-Hosted
The method to enable HTTPS depends entirely on your hosting environment. HostingDuty supports both Ghost(Pro) and self-hosted Ghost instances, but the configuration differs significantly between the two.
Ghost(Pro) Automatic SSL
If you are using Ghost(Pro), the managed hosting platform, you do not need to perform any manual configuration. All Ghost(Pro) sites come with automatic SSL enabled by default. This integration relies on Let's Encrypt to issue and renew certificates without user intervention. You simply configure your domain names in the Ghost Admin panel, and the system handles the rest. This eliminates the complexity of certificate management, including renewal and validation challenges.
For more details on how SSL works in our managed environment, see our guide on SSL certificates and the Let's Encrypt integration documentation.
Self-Hosted Ghost Manual Configuration
When hosting Ghost yourself, whether on a Droplet, VPS, or bare metal, you are responsible for the SSL layer. This typically involves installing a web server like Nginx or Apache in front of the Ghost Node.js application. The web server handles the HTTPS handshake and redirects HTTP requests to HTTPS.
To force HTTPS on a self-hosted instance, you must update your config.production.json file. Set the url property to use https:// and ensure the admin.url also uses the HTTPS protocol. Additionally, you need to configure your web server to terminate SSL connections. If you are using a reverse proxy, ensure that the X-Forwarded-Proto header is set to https so Ghost knows the original request was secure.
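A common pitfall is a redirect loop, which occurs when the application and the proxy both attempt to force HTTPS. If the proxy terminates SSL but does not pass X-Forwarded-Proto: https, Ghost treats each proxied request as plain HTTP and redirects it to HTTPS again. To avoid this, verify your proxy configuration matches the requirements outlined in our Ghost HTTPS configuration tutorial.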
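The proxy setup described above, as an added example that is not taken from the HostingDuty tutorial or the Ghost project. The domain example.com, the certificate paths, and Ghost listening on 127.0.0.1:2368 (its default port) are assumptions to replace with your own values.

```nginx
# Added example. Assumptions: example.com, the certificate paths, and Ghost
# listening on 127.0.0.1:2368 are placeholders for your own values.
# Matching config.production.json entry: "url": "https://example.com"

# Port 80: the proxy issues the HTTP to HTTPS redirect.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# Port 443: terminate TLS here, then proxy to Ghost over local HTTP.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "https" in this block, so Ghost sees the original
        # request as secure and does not issue its own redirect.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t before reloading to catch syntax errors. A request to the http:// address should then return a single 301 to the https:// address, and the https:// address should answer without a further redirect.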
Security Implications
Enabling HTTPS is critical for security. It encrypts data in transit between the user's browser and your server, protecting login credentials and content from interception. Without HTTPS, your Ghost blog is vulnerable to man-in-the-middle attacks. HostingDuty recommends always enabling HTTPS for any public-facing Ghost instance.
For a deeper dive into the security protocols used, refer to our SSL/TLS explanation and security best practices.
Troubleshooting Common Issues
If you encounter issues after enabling HTTPS, check the following:
- Ensure your domain DNS records point to the correct server IP.
- Verify that the SSL certificate is valid and not expired.
- Check that your web server is listening on port 443.
- Review the Ghost logs for any protocol mismatch errors.