A long, long time ago a mortgage lawyer started to write her blog, just to get familiar with several crazy newfangled things called computers and the internet by using them to do something she liked, writing. So she started writing a blog using something called WordPress.
The aim of the blog was to explain legal terms and theories in simple, intelligible language. The blog was called lawexplainedindia.
Time flew; and with life’s funny, yet inevitable twists and turns, the lawyer landed in the world of computers; the world of Free & open source software and technology. So, the blog changed its face and got a new home at https://anweshadas.in. It portrays what I think, and read, but not solely law now.
All these years, however, I never took the responsibility of maintaining the website. Kushal, being the wonderful partner he is, used to do this painful job for me. He used to maintain it using a self-hosted Ghost blog (Version 0.11.x).
I recently decided to take back the burden from Kushal. It would give me the opportunity of learning something new, becoming more familiar with the world of Free Software. I am now using a Digital Ocean droplet where the base operating system is CentOS 7. Setting that up was the easy part. Securing it and getting the blog to work took some doing though. Here’s what I did …
Set up the firewall:
The first job was to set up the firewall rules to provide safety from the untrusted external network. I religiously followed Mohamed Raiyen’s post on hardening server security. That gave the droplet at least a semblance of safety.
Using official Ghost docker image
I wanted to use the latest Ghost as a platform to publish my blog.
There are two ways of doing that:
- Ghost can maintain it for you, for a monthly or yearly subscription.
- You can self host and maintain it yourself.
I opted for the second, by using the official docker container image.
The new Ghost version provides an updated theme (Casper v2), but I liked my older version better. I copied my old theme (edited as required), all the images, and content into a directory.
The SELinux security context of the directory needed to be changed so that it could be accessed inside the container, using the following command:
chcon -R -t svirt_sandbox_file_t /data
At PyCon US 2017, I had requested John Hawley to explain containers to me in a very naive non-technical way, one that a 10-year-old would get.
Here’s how he put it …
“Imagine lots of little piggies in a sty. You have several naughty ones, which you do not want to get out of their own space and go into others.
Now the same theory applies to containers.
Here each sty is a container, where you are stopping your troublesome piglets (applications/programs) getting into others’ spaces.”
After this uh, interesting introduction, as I started to read more about containers, I came across an interesting comment by Dan Walsh that “Containers do not contain”, with a subsequent caution that if you want to use containers, one should use them following proper security measures.
This was the first time for me to use containers.
I played around with docker for a few days before I used it here.
I am mounting the /data directory (from my machine) into /var/lib/ghost/content (in the container), as that is the content directory for Ghost.
Now we can store the data even after the container stops running. I use the command below to start the docker container:
docker run -d --name xyz -p 127.0.0.1:1234:2368 -v /data:/var/lib/ghost/content ghost:1.21.4
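An added check, not part of the original post: Docker writes its own iptables rules for published ports, so a port published on all interfaces can be reachable even with a host firewall in place, which is why publishing on 127.0.0.1 matters when nginx is meant to be the only way in. The function below reads the output of `docker ps --format '{{.Names}} {{.Ports}}'` and lists every published port that is not bound to loopback; the container names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag containers whose ports are published beyond loopback.
# Input: lines as printed by  docker ps --format '{{.Names}} {{.Ports}}'

exposed_bindings() {
    # Reads "name ports..." lines on stdin and prints "name binding" for
    # every published port whose host address is not a loopback address.
    while read -r name ports; do
        # Port entries are comma-separated; put each on its own line.
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r binding; do
            case "$binding" in
                *"->"*) ;;         # published to the host: inspect it
                *) continue ;;     # exposed only (e.g. "2368/tcp") or empty
            esac
            host="${binding%%->*}"   # e.g. 127.0.0.1:1234
            host="${host%:*}"        # drop the host port -> 127.0.0.1
            case "$host" in
                127.*|::1|"[::1]") ;;                      # loopback only
                *) printf '%s %s\n' "$name" "$binding" ;;  # wider than loopback
            esac
        done
    done
}

# Constructed sample output (not taken from a real host).
sample_ps_output() {
    cat <<'EOF'
blog 127.0.0.1:1234->2368/tcp
metrics 0.0.0.0:9100->9100/tcp, :::9100->9100/tcp
worker 2368/tcp
EOF
}

# On a real host:
#   docker ps --format '{{.Names}} {{.Ports}}' | exposed_bindings
sample_ps_output | exposed_bindings
```

An empty result means every published port is bound to loopback.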
nginx as reverse proxy
I am using nginx as the reverse proxy to the container. I also copy-pasted the TLS certificates from Let’s Encrypt into the correct directory.
I will be writing about how to get an SSL certificate from Let’s Encrypt in a subsequent blog post.
This particular project taught me to do several things at the same time (all completely new to me) and gave me the real life production feeling :)
I learned each of these elements (docker, nginx, setting up a firewall, getting SSL certificates) separately, and then combined them together as per the needs of the project, my shiny new blog. It took me a lot of time, frustration and a realization that the machine called computer is truly unpredictable (even more so than my unpredictable 3-year-old). But at the end of it all, when I witnessed my blog running at https://anweshadas.in, it was amazing.