In today's digital landscape, the security of your administrative interfaces is paramount. For those running a Ghost-powered publication, protecting your backend isn't just a best practice; it's a necessity. While Ghost offers its own security layers, you can significantly bolster your defenses by integrating Cloudflare Access, transforming your admin portal into a truly Zero Trust environment.
The Cloudflare Access Edge
Imagine controlling access to your Ghost dashboard not just with a password, but with identity-based rules that verify every request. That's the power of Cloudflare Access. Instead of relying solely on network perimeters or traditional VPNs, Cloudflare Access verifies user identity, device posture, and more before allowing any connection to your application. For your Ghost admin, this means only authorized personnel, verified through your chosen identity provider, can even see the login page.
Setting the Foundation: Your Cloudflare Zero Trust Setup
To begin, ensure your Ghost site is already proxied through Cloudflare. This is the fundamental requirement for Cloudflare Access to intercept and manage traffic to your domain. Once that's in place, head over to your Cloudflare Zero Trust dashboard - this is your command center for defining access policies.
Guarding Your Admin Portal: The /ghost Application
The core of securing your Ghost admin lies in defining a precise application within Cloudflare Access:
- Define Your Application: From the Zero Trust dashboard, navigate to Access > Applications. You'll want to add a new Self-Hosted application.
- Target the Admin Path: When configuring the application, give it a clear name like "Ghost Admin Panel." Crucially, set your Ghost site's domain and specify the Path as /ghost. This tells Cloudflare Access to apply its rules specifically to your administration area, not your public-facing content.
- Establish Access Rules: This is where you dictate who gets in. Under your application's policy, create an "Allow" rule. You can define access based on:
  - Emails: Grant access to specific email addresses (e.g., admin@yourdomain.com).
  - Email Domains: Allow anyone from yourcompany.com.
  - Identity Provider Groups: If you're integrated with an SSO provider, leverage existing user groups.
- Choose Authentication: Select the identity providers you want users to authenticate through (e.g., Cloudflare One, Google, Okta, etc.). This is how users will verify their identity before reaching your Ghost login.
- Enable Enhancements: For added security, ensure options like HTTP Only and Binding Cookie are enabled within the application settings.
Once configured, save your application. Now, any attempt to reach yourdomain.com/ghost will first be routed through Cloudflare's authentication challenge.
Ensuring Seamless API Functionality: The /ghost/api Bypass
Ghost, like many modern platforms, relies on an API for various front-end functions – think subscriptions, comments, or even your theme making background requests. If you secure everything under /ghost, you'll inadvertently break these features. The solution is to create a specific bypass for the Ghost API:
- Create a Separate Application: Back in Access > Applications, add another new Self-Hosted application.
- Target the API Path: Name this "Ghost API Bypass" and set the domain to your Ghost site. The critical part here is setting the Path to /ghost/api.
- Define a Bypass Policy: Instead of an "Allow" rule, you'll set the default policy for this application to Bypass. This means Cloudflare Access will not challenge requests to this specific path.
- Universal Inclusion: To ensure the API is accessible to everyone, set the policy rule to "Include: Everyone". Do not select any authentication providers for this API bypass application.
This dual application setup ensures your administrative portal is locked down, while legitimate API calls essential for your site's operation pass through unimpeded.
Verifying Your Setup
After implementing these configurations, it's vital to test everything thoroughly:
- Admin Access Check: Open a new incognito browser window and navigate to yourdomain.com/ghost. You should immediately be presented with a Cloudflare Access authentication page (your chosen identity provider's login), before you even see the Ghost login screen.
- API Functionality Check: From that same incognito window, test a feature that relies on Ghost's API – perhaps try subscribing to your newsletter, or interacting with a comment section. These actions should complete successfully, confirming your API bypass is working.
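The two manual checks above can be scripted so they run after every policy change. The following is an added example, not code from the article or from Cloudflare: it probes the admin path and a couple of API paths as an unauthenticated client and classifies each response by whether Cloudflare Access redirected it to its login page. The probe paths, the `fetch` callable, and the shape of the Access login redirect (a 3xx whose Location contains /cdn-cgi/access/login) are assumptions.

```python
import urllib.request
import urllib.error

# Marker of Cloudflare Access's unauthenticated-user redirect
# (assumption: standard <team>.cloudflareaccess.com/cdn-cgi/access/login/<host>).
ACCESS_LOGIN_MARKER = "/cdn-cgi/access/login"

# Expected coverage after the dual-application setup: the admin path must be
# challenged, API paths must be bypassed (left to Ghost's own authentication).
# Probe paths are illustrative assumptions, not taken from the article.
EXPECTED = {
    "/ghost/": "challenged",
    "/ghost/api/content/settings/": "open",
    "/ghost/api/admin/site/": "open",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following the Access redirect so we can inspect it."""
    def redirect_request(self, *args, **kwargs):
        return None


def http_fetch(url):
    """Live fetch: return (status, headers) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, dict(err.headers)


def classify(status, headers):
    """'challenged' if Access redirected to its login page, otherwise 'open'."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if 300 <= status < 400 and ACCESS_LOGIN_MARKER in location:
        return "challenged"
    return "open"  # 200/403/404 etc. mean Access did not intervene


def check_ghost_access(domain, fetch=http_fetch, expected=EXPECTED):
    """Probe each path; return {path: (observed, matches_expectation)}."""
    results = {}
    for path, want in expected.items():
        status, headers = fetch(f"https://{domain}{path}")
        observed = classify(status, headers)
        results[path] = (observed, observed == want)
    return results


def all_ok(results):
    """True only when every probe matched its expected coverage."""
    return all(ok for _, ok in results.values())
```

Run it with `check_ghost_access("yourdomain.com")` from a machine that is not logged in to your Access team; any path reported with `False` is either a missing challenge on /ghost or a bypass that is not taking effect on /ghost/api.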
By strategically using Cloudflare Access for your Ghost administration, you're not just adding a password layer; you're implementing a sophisticated, identity-aware security framework that significantly enhances your site's resilience against unauthorized access.