This is a bonus post continuing the 3-part series on setting up the Ghost 0.5.x working from source code on Azure Windows Azure Websites.
Now we are rocking an awesome NodeJS blog, complete with a custom theme, all being deployed from two different repositories.
Let’s take it up a notch and secure our blog with HTTPS for our custom domain, shall we?
Isn’t this documented elsewhere?
Sort of. You can read about getting your SSL certificate and configuring SSL for your Azure website, but things got a bit tricky when I started to configure Ghost to handle SSL. Sure, they’ve documented it too, but with Azure Websites it’s actually easier than all of this.
Let’s Do It!
Awesome! But before we get started, there are a few considerations you should know about before making the leap into SSL territory.
- SSL on Azure Websites adds cost for Basic sites, but is included in Standard sites if you’re using a custom domain. Learn about that here.
- If you’re using the *.azurewebsites.net domain, then HTTPS is already included and setup. You just need to configure your application!
- Changing SSL options in a production environment can take it down for a bit. If you need to worry about that, then check out the staged deployment options you can leverage in Window Azure.
Here we go!
- Get an SSL certificate, just like they say in the Azure documentation. Personally, I used DigiCert as my certification provider and OpenSSL to generate all the pieces I needed.
- Add the web.config as written in the Enforce HTTPS on Your Azure website section.
- In your config.json file for your Ghost site, add the `urlSSL: `https://yoursitedomain.com`
- DO NOT add the `forceAdminSSL` configuration option as mentioned in the Configuring Ghost or the How To Setup SSL for Self-Hosted Ghost.
If you do, your site will work but it will no longer let you login as it will cause a redirect loop because Azure is redirecting you with the web.config and Ghost is redirecting afterwards resulting in the inability to login.
- Lastly, update any references you have to external resources (e.g. CDNs) to use HTTPS rather than HTTP.
- Publish and you’re done.
At this point, you have a cloud-hosted, NodeJS blog, that is open source, with a custom deployment that pulls a custom theme from source on deploy and is secured with an SSL certificate.
This is awesome, but probably overkill for some people.
My blog at https://www.davidwesst.com is just a personal blog. This is definitely overkill for such a small site, but the whole point was to figure out if I could get it going with all the bells and whistles for a high-end production site. And I did, and now so have you.