Ghost in compliance with the GDPR

In the era of the GDPR (General Data Protection Regulation), it's essential for you to run your website in compliance with data protection regulations. Ghost is a modern, fast content management system that's gaining popularity in the self-hosting community. In this post, I'll guide you through how to run Ghost CMS with Docker-Compose while meeting GDPR requirements.

Requirements and Setup

Before you begin, make sure that Docker and Docker-Compose are installed on your server.

Docker-Compose Setup for Ghost

Here’s a simple docker-compose.yml file with the database and mail configurations already included:

```yaml
services:
  ghost:
    image: ghost:latest
    container_name: ghost
    environment:
      # public URL of the site (key/value, not key=value)
      url: https://your-domain.com
      database__client: mysql
      # must match the db service name below so Docker DNS resolves it
      database__connection__host: db
      database__connection__user: ghost
      database__connection__password: "replace_with_secure_password"
      database__connection__database: ghost
      # placeholder sender address; use a mailbox on your own domain
      mail__from: "noreply@your.domain"
      mail__transport: "SMTP"
      mail__options__host: "mail.your.domain"
      mail__options__port: "465"
      mail__options__secureConnection: "true"
      mail__options__auth__user: "auth_user@your.domain"
      mail__options__auth__pass: "your_smtp_password"
    volumes:
      - ./ghost_data:/var/lib/ghost/content
    ports:
      # when a reverse proxy on the same host terminates TLS,
      # "127.0.0.1:2368:2368" keeps the plain HTTP port off the network
      - "2368:2368"
    depends_on:
      - db
    restart: always
  db:
    image: mysql:latest
    container_name: ghost_db
    environment:
      MYSQL_ROOT_PASSWORD: replace_with_secure_password
      MYSQL_DATABASE: ghost
      # create the non-root account that the ghost service connects with
      MYSQL_USER: ghost
      MYSQL_PASSWORD: replace_with_secure_password
    volumes:
      - ./ghost_db:/var/lib/mysql
    restart: always
```

This is your starting point, but there are additional steps required for full GDPR compliance, particularly around data storage and user tracking.

GDPR Compliance: Key Requirements for Operating Ghost CMS

To ensure your Ghost CMS setup complies with the GDPR, make sure you follow these key guidelines:

SSL Encryption

I run all my services behind a proxy (Zoraxy), which handles SSL certificates via a wildcard certificate. Make sure to adjust this based on your own setup.

Disabling jsdelivr CDN

Identify the affected files

In a typical Ghost installation using jsdelivr, the following files are loaded externally:

Download files locally

The first step is to download these files from jsdelivr and host them locally on your server. You can do this by visiting the respective jsdelivr URLs in your browser and downloading the files:

Save these files in a directory within Ghost, such as /content/files/js for the JavaScript files and /content/files/css for the CSS files.

Modify docker-compose.yml

Now, add the following three lines to the environment section of your docker-compose.yml:

```yaml
      sodoSearch__url: "/content/files/js/sodo-search.min.js"
      sodoSearch__styles: "/content/files/css/sodo-search.main.css"
      portal__url: "/content/files/js/portal.min.js"
```
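After restarting the container, it is worth confirming that no page still pulls assets from jsdelivr. The following check is an added example, not part of the original post: it parses a page's HTML and reports every script, stylesheet, image or iframe whose host is not your own. The HTML below is a constructed sample (the jsdelivr path and unsplash image are made up); for a live check, fetch the page with curl and pass the body in.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a Ghost page head: portal still comes from the CDN,
# sodo-search is already served locally, one image is hosted by a third party.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/content/files/css/sodo-search.main.css">
<link rel="canonical" href="https://your-domain.com/post/">
<script src="https://cdn.jsdelivr.net/ghost/portal@2/umd/portal.min.js" async></script>
<script src="/content/files/js/sodo-search.min.js" async></script>
<script src="https://your-domain.com/assets/built/main.js"></script>
<img src="https://images.unsplash.com/photo.jpg">
</head><body></body></html>
"""


class ExternalAssetParser(HTMLParser):
    """Collect (tag, url) for assets loaded from a host other than own_host."""

    TAG_ATTR = {"script": "src", "link": "href", "img": "src", "iframe": "src"}
    # only these <link rel=...> values trigger a network fetch by the browser
    LINK_RELS = {"stylesheet", "preload", "icon", "modulepreload"}

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.external = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAG_ATTR.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link" and not (set((attrs.get("rel") or "").split()) & self.LINK_RELS):
            return  # canonical, alternate, etc. are not fetched as assets
        url = attrs.get(attr_name)
        if not url:
            return
        host = urlparse(url).netloc  # '' for relative paths such as /content/files/...
        if host and host != self.own_host:
            self.external.append((tag, url))


def find_external_assets(html, own_host):
    parser = ExternalAssetParser(own_host)
    parser.feed(html)
    return parser.external


if __name__ == "__main__":
    for tag, url in find_external_assets(SAMPLE_HTML, "your-domain.com"):
        print(f"third-party {tag}: {url}")
```

An empty result means every asset is served from your own domain; anything listed is a host that receives the visitor's IP address on each page view.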

GDPR-Friendly Analytics Tools

While Google Analytics is widely used, it can be problematic from a data protection perspective. Luckily, there are alternatives like Umami, which is more privacy-friendly since it can be self-hosted and configured to anonymize users' IP addresses.

Conclusion

Ghost CMS is a great platform for self-hosting, but making it GDPR-compliant requires a few extra steps. With the right configuration, SSL encryption, a clear cookie banner, and privacy-friendly analytics tools, you’re well on your way to running a fully GDPR-compliant Ghost site.

Tip: If you installed Ghost manually, you can find a German website here that describes the process for this type of installation.

