Ghost in compliance with the GDPR (Docker Compose)

Under the GDPR (General Data Protection Regulation), anyone who runs a website must operate it in compliance with data protection rules. Ghost is a modern, fast content management system that is gaining popularity in the self-hosting community. In this post, I'll guide you through how to run Ghost CMS with Docker Compose while meeting GDPR requirements.

Requirements and Setup

Before you begin, make sure that Docker and the Docker Compose plugin (the `docker compose` command) are installed on your server.

Docker-Compose Setup for Ghost

Here's a simple docker-compose.yml file with the database and mail configurations already included. Ghost reads its configuration from environment variables, with a double underscore (`__`) separating the levels of the config tree, so `database__connection__host` sets `database.connection.host` in config.json:

services:
  ghost:
    image: ghost:5                  # pin the major version; with :latest an upgrade happens on any restart
    container_name: ghost
    depends_on:
      - db
    environment:
      url: https://your-domain.com  # must be the public URL, so that generated links use https
      database__client: mysql
      database__connection__host: db   # the Compose service name below; it resolves on the Compose network
      database__connection__user: ghost
      database__connection__password: "replace_with_ghost_db_password"
      database__connection__database: ghost
      mail__from: "your.domain <post@your.domain>"
      mail__transport: "SMTP"
      mail__options__host: "mail.your.domain"
      mail__options__port: "465"
      mail__options__secureConnection: "true"
      mail__options__auth__user: "auth_user@your.domain"
      mail__options__auth__pass: "your_smtp_password"
    volumes:
      - ./ghost_data:/var/lib/ghost/content
    ports:
      - "127.0.0.1:2368:2368"       # only the reverse proxy on this host may reach Ghost directly
    restart: always
  db:
    image: mysql:8                  # Ghost 5 requires MySQL 8
    container_name: ghost_db
    environment:
      MYSQL_ROOT_PASSWORD: "replace_with_root_password"
      MYSQL_DATABASE: ghost
      MYSQL_USER: ghost             # the account Ghost connects with; created on first start
      MYSQL_PASSWORD: "replace_with_ghost_db_password"   # must match database__connection__password above
    volumes:
      - ./ghost_db:/var/lib/mysql
    restart: always

This is your starting point, but there are additional steps required for full GDPR compliance, particularly around data storage and user tracking. Two practical notes on the file: the database service deliberately has no `ports` entry, so MySQL is reachable only from the Ghost container, and Ghost itself is bound to 127.0.0.1 because a reverse proxy terminates TLS in front of it (if your proxy runs in a container instead, put both on a shared Compose network and drop the `ports` entry). Keep the passwords out of the file you commit: Compose substitutes `${VARIABLE}` from an `.env` file next to docker-compose.yml.

GDPR Compliance: Key Requirements for Operating Ghost CMS

To ensure your Ghost CMS setup complies with the GDPR, make sure you follow these key guidelines:

  • Data Storage: Any personal data (e.g., comments, newsletter sign-ups, contact forms) may only be collected and processed on a lawful basis, which for a blog usually means the user's explicit consent; collect no more than the feature needs.
  • TLS Encryption: Serve the site over HTTPS only, so that personal data (logins, sign-up forms, comments) cannot be read or altered in transit.
  • Disable jsdelivr CDN: By default Ghost loads its Portal and search scripts from cdn.jsdelivr.net, so every visitor's browser sends its IP address to a third party before any consent is given. Host these files locally instead to keep that data transfer under your control.
  • Tracking & Analytics: Any third-party tracking must be fully transparent and requires user consent. Consider a privacy-friendly alternative to Google Analytics, or make sure it is configured correctly (e.g., with anonymized IP addresses).
  • Cookie Banner: If your site sets cookies that are not strictly necessary for it to work, a clear notice that requires active user consent before they are set is mandatory.

SSL Encryption

I run all my services behind a proxy (Zoraxy), which handles SSL certificates via a wildcard certificate. Make sure to adjust this based on your own setup.

Disabling jsdelivr CDN

Identify the affected files

In a standard Ghost installation, the `{{ghost_head}}` helper injects the following files from cdn.jsdelivr.net into every page, so the visitor's browser contacts the CDN on each page load:

  • sodo-search.min.js: JavaScript for the search function (depending on your theme)
  • sodo-search.main.css: CSS for the search function
  • portal.min.js: JavaScript for member and subscription functionality (Ghost Portal)

Download files locally

The first step is to download these files from jsdelivr and host them locally on your server. The exact URLs, including the version pinned to your Ghost release, appear in the HTML source of any page of your site (search for cdn.jsdelivr.net); open each URL in your browser and save the file:

  • sodo-search.min.js
  • sodo-search.main.css
  • portal.min.js

Save them inside Ghost's content volume, which in the Compose file above is ./ghost_data on the host: ./ghost_data/files/js for the JavaScript files and ./ghost_data/files/css for the CSS file. Ghost serves that directory at https://your-domain.com/content/files/, so the paths in the next step refer to it. Note that the local copies do not update themselves: Portal and the search script are versioned together with Ghost, so after each Ghost upgrade, download the versions that the new release references and replace the files.

Modify docker-compose.yml

Now add the following three lines to the environment section of the ghost service in your docker-compose.yml, then recreate the container with `docker compose up -d` so that the new variables take effect:

      sodoSearch__url: "/content/files/js/sodo-search.min.js"
      sodoSearch__styles: "/content/files/css/sodo-search.main.css"
      portal__url: "/content/files/js/portal.min.js"

Afterwards, check the page source of your site again: no reference to cdn.jsdelivr.net should remain. Two further points complete the checklist:

  • Privacy Policy: Ensure that your privacy policy covers all relevant points, including user data storage, tracking, and disclosure to third parties.
  • Cookie Banner: Use an open-source tool like CookieConsent to get user consent for cookies.
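To confirm that the override worked, and more generally to see which third parties a page makes the visitor's browser contact, the following check script is useful. It is an added example and not part of the original post or of Ghost itself: it takes a saved HTML page, lists every external host referenced by `src` or `href` attributes other than your own domain, and reports whether any jsdelivr reference is left. The HTML it generates is a constructed sample modelled on what `{{ghost_head}}` emits, not captured from a real site, and `your-domain.com` is the placeholder from the Compose file.

```shell
#!/bin/sh
# Added check script (not from the original post): list third-party hosts a saved Ghost
# page would contact, and verify that no cdn.jsdelivr.net reference remains.

# Write a constructed sample page. "before": the default Ghost head with Portal and
# search loaded from jsdelivr plus an analytics tag; "after": the locally hosted files.
# Arguments: before|after, output path.
write_sample_page() {
  if [ "$1" = "before" ]; then
    cat > "$2" <<'EOF'
<head>
<link rel="stylesheet" href="https://your-domain.com/assets/built/screen.css">
<script src="https://cdn.jsdelivr.net/ghost/portal@~2/umd/portal.min.js" data-ghost="https://your-domain.com/" async></script>
<script src="https://cdn.jsdelivr.net/ghost/sodo-search@~1/umd/sodo-search.min.js" data-sodo-search="https://your-domain.com/" async></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/ghost/sodo-search@~1/umd/sodo-search.main.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" async></script>
</head>
EOF
  else
    cat > "$2" <<'EOF'
<head>
<link rel="stylesheet" href="https://your-domain.com/assets/built/screen.css">
<script src="/content/files/js/portal.min.js" data-ghost="https://your-domain.com/" async></script>
<script src="/content/files/js/sodo-search.min.js" data-sodo-search="https://your-domain.com/" async></script>
<link rel="stylesheet" href="/content/files/css/sodo-search.main.css">
</head>
EOF
  fi
}

# Print every distinct host that src= or href= attributes point at, except the site's
# own host. Relative URLs stay on your origin and are therefore not matched.
# Arguments: html file, own host name.
third_party_hosts() {
  grep -oE '(src|href)="https?://[^/"]+' "$1" \
    | sed -E 's#^[a-z]+="https?://##' \
    | grep -vx "$2" \
    | sort -u
}

# Exit status 0 when the page contains no jsdelivr reference, 1 otherwise.
cdn_free() {
  ! grep -q 'cdn.jsdelivr.net' "$1"
}

# Demonstration on the constructed sample pages.
demo() {
  before=$(mktemp); after=$(mktemp)
  write_sample_page before "$before"
  write_sample_page after "$after"
  echo "third-party hosts before the change:"; third_party_hosts "$before" your-domain.com
  echo "third-party hosts after the change:";  third_party_hosts "$after" your-domain.com
  cdn_free "$after" && echo "after: no jsdelivr reference left"
  rm -f "$before" "$after"
}

# Run "sh check_cdn.sh demo" for the sample. On a live site, save a page first, e.g.
# curl -s https://your-domain.com/ > page.html, then call:
# third_party_hosts page.html your-domain.com
if [ "${1:-}" = "demo" ]; then demo; fi
```

Any host that the script prints is a party the visitor's browser talks to before a consent banner can do anything; each one either needs a local replacement, as with the jsdelivr files above, or a mention in the privacy policy and consent flow. The script only inspects the page's own markup, so scripts that load further resources at runtime (tag managers, embedded widgets) have to be checked in the browser's network tab as well.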

GDPR-Friendly Analytics Tools

While Google Analytics is widely used, it can be problematic from a data protection perspective. Luckily, there are alternatives like Umami, which is more privacy-friendly since it can be self-hosted and configured to anonymize users' IP addresses.

Conclusion

Ghost CMS is a great platform for self-hosting, but making it GDPR-compliant requires a few extra steps. With the right configuration, TLS encryption, locally hosted scripts instead of the CDN, a clear cookie banner, and privacy-friendly analytics tools, you're well on your way to running a fully GDPR-compliant Ghost site.

💡
If you installed Ghost manually, you can find a German website here that describes the process for this type of installation.
