We use hosted Ghost for our blog. For the most part, it's been great.
My biggest complaint is that Ghost doesn't yet have a built in SSL/TLS option (e.g. Let's Encrypt). Their recommendation is to use Cloudflare. It's fine for hobbyist or personal blogs, but as a corporation it's basically prevented us from using SSL.
We're in a regulated industry and need to do appropriate vetting of vendors. Onboarding a blog platform is very, very easy because of the relatively low risk nature of a blog. Onboarding an infrastructure vendor, like Cloudflare, is very complicated. Making it more complicated is we'd have no interest in actually paying for a Cloudflare service so it's impossible to get resources to complete the vetting process. On top of all of that, last year's Cloudbleed incident cast some real doubt on Cloudflare's security practices and ability to properly protect potentially sensitive data.
We will likely eventually self-host so we can get proper SSL support. I'm really disappointed by this since it will be more expensive than paying our Ghost subscription for several years.
For self-hosters, Ghost-CLI has deep Let's Encrypt integration. The tool will automatically guide you through provisioning an SSL certificate during the install process.
On Ghost(Pro) we have full end to end SSL support (you're right we used to only support CF's UniverSSL but that is no longer the case) - so anyone who uses a custom domain with Ghost(Pro) will automatically have an SSL cert provisioned and deployed for them in the background. For business customers who require the use of their own, custom certificates, there a few extra steps but we support that too.
what's the traffic and the avalable budget to hire a vendor that would be a Ultra-simple version of cloudflare: i.e. a caching proxy with a let's encrypt cert for https fronting your ghost blog?
Near $0. The problem isn't really the monthly cost (heck another $20/month wouldn't be noticeable). The problem is the vendor onboarding process for an infrastructure specific vendor.
Initial onboarding can take 20 to 50 hours of effort from an expensive resource. Plus, routine reviews which would alone cost more than I'd be willing to pay for such a service.
My biggest complaint is that Ghost doesn't yet have a built in SSL/TLS option (e.g. Let's Encrypt). Their recommendation is to use Cloudflare. It's fine for hobbyist or personal blogs, but as a corporation it's basically prevented us from using SSL.
We're in a regulated industry and need to do appropriate vetting of vendors. Onboarding a blog platform is very, very easy because of the relatively low risk nature of a blog. Onboarding an infrastructure vendor, like Cloudflare, is very complicated. Making it more complicated is we'd have no interest in actually paying for a Cloudflare service so it's impossible to get resources to complete the vetting process. On top of all of that, last year's Cloudbleed incident cast some real doubt on Cloudflare's security practices and ability to properly protect potentially sensitive data.
We will likely eventually self-host so we can get proper SSL support. I'm really disappointed by this since it will be more expensive than paying our Ghost subscription for several years.
reply