Secure Ghost with Cloudflare Access

Ghost's admin login ships without any form of MFA, which is a weak security posture for a CMS whose admin panel is exposed to the internet. This post shows how I put my Ghost admin portal behind Cloudflare Access, so that an identity check enforced at Cloudflare's edge (with whatever MFA your identity provider requires) happens before Ghost's own login form is even reachable.


Configure Ghost admin portal access

First, make sure your Ghost site is proxied through Cloudflare (orange cloud on the DNS record): Access can only gate traffic that passes through Cloudflare's edge. If your origin is reachable directly by IP address, lock it down so it only accepts connections from Cloudflare (for example by exposing it through Cloudflare Tunnel, or by allowing only Cloudflare's published IP ranges at the firewall); otherwise anyone who finds the origin address walks straight past Access. Then open the Cloudflare Zero Trust dashboard.

Go to Access > Applications > Add an application > Self Hosted.

Enter a name (Ex. Ghost admin) and the domain of your Ghost site. For the path enter "/ghost".

Enable the identity providers you want to allow for the Ghost admin portal. Access itself does not perform MFA; it trusts the provider's authentication, so only enable providers that enforce MFA on their side.

Add an Allow policy and configure it as tightly as you can. For example, my policy includes only my own email address and requires a specific login method (identity provider), so a valid account at any other enabled provider is not enough.

Under additional settings I enabled HTTP Only, which keeps the Access authorization cookie out of reach of JavaScript on the page, and Enable Binding Cookie, which ties the Access session to a second cookie so that a stolen authorization token alone cannot be replayed from another client.

Click Add application, then browse to yourghostsite.com/ghost. You should be presented with a Cloudflare Access login page instead of Ghost's sign-in form.

Configure Ghost API access

Applying the configuration above breaks the Ghost API for your visitors. Everything beneath /ghost now requires an Access login, and that includes Ghost's Content and Admin APIs under /ghost/api/, which the public front end depends on: visitors can no longer subscribe to your blog or log in to their member accounts. Don't worry, the next application fixes that.

Go to Access > Applications > Add an application > Self Hosted.

Enter a name (Ex. Ghost API) and the domain of your Ghost site. For the path enter "/ghost/api".

Deselect all authentication providers.

Switch the default policy from Allow to Bypass. Bypass means Access performs no identity check at all on matching requests, so be clear about what this exposes: Ghost's Admin API, including the session endpoint under /ghost/api/admin/ that the admin UI posts credentials to, also lives under /ghost/api/. With this bypass in place, Access gates the admin web application, but Ghost's own password check remains reachable directly. If you want Access in front of authentication itself, test whether a narrower bypass (for example only /ghost/api/content/) still keeps your site's member features working.

Under Configure rules, set the Include field to Everyone so the bypass applies to all visitors.

Click Add application.
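The same two applications can be created with the Cloudflare API instead of the dashboard, which makes the configuration reviewable and repeatable. The script below is an added example written for this post; it is not the original author's code or a Cloudflare sample. It assumes the v4 Access endpoints `POST /accounts/{account}/access/apps` and `POST /accounts/{account}/access/apps/{app}/policies` with the field names shown, that the account ID, API token, site domain, admin email and identity-provider UUID arrive through environment variables, and that precedence between the two overlapping applications is "most specific path wins", which `governing_app()` models as longest-prefix matching so you can see which Ghost URLs end up gated and which are bypassed.

```python
"""Added example, not code from the original post: recreate the two Cloudflare
Access applications from this guide through the Cloudflare API, and show which
Ghost URL each one governs.

Assumptions (not from the post): the API v4 endpoints
POST /accounts/{account}/access/apps and
POST /accounts/{account}/access/apps/{app}/policies with the field names used
below; Access precedence between the two overlapping apps is "most specific
path wins", modelled here as longest-prefix matching; credentials and names
come from environment variables."""
import json
import os
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def admin_app(domain: str, idp_id: str) -> dict:
    """Self-hosted app in front of the admin SPA ("Ghost admin" in the guide)."""
    return {
        "name": "Ghost admin",
        "type": "self_hosted",
        "domain": f"{domain}/ghost",          # domain plus path, as in the dashboard
        "allowed_idps": [idp_id],             # only the IdP we trust for admin login
        "auto_redirect_to_identity": True,    # single IdP, so skip the chooser page
        "http_only_cookie_attribute": True,   # "HTTP Only"
        "enable_binding_cookie": True,        # "Enable Binding Cookie"
        "session_duration": "24h",
    }


def admin_policy(admin_email: str, idp_id: str) -> dict:
    """Allow one email, and require that it was authenticated by the chosen IdP."""
    return {
        "name": "Owner only",
        "decision": "allow",
        "include": [{"email": {"email": admin_email}}],
        "require": [{"login_method": {"id": idp_id}}],
    }


def api_app(domain: str) -> dict:
    """"Ghost API": same host, narrower path, no IdPs (its policy is a bypass)."""
    return {"name": "Ghost API", "type": "self_hosted",
            "domain": f"{domain}/ghost/api", "allowed_idps": []}


def api_policy() -> dict:
    return {"name": "Public API", "decision": "bypass", "include": [{"everyone": {}}]}


def governing_app(app_domains, url: str):
    """Which application's domain+path governs this URL? Longest prefix wins
    (our model of Access's "most specific path" precedence); None = not gated."""
    hits = [d for d in app_domains if url == d or url.startswith(d.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def cf_post(path: str, body: dict, token: str) -> dict:
    req = urllib.request.Request(
        CF_API + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        out = json.load(resp)
    if not out.get("success"):
        raise RuntimeError(f"Cloudflare API error: {out.get('errors')}")
    return out["result"]


def apply(account_id, token, domain, admin_email, idp_id) -> dict:
    """Create both apps and attach their policies; returns name -> app id."""
    plan = [(admin_app(domain, idp_id), admin_policy(admin_email, idp_id)),
            (api_app(domain), api_policy())]
    ids = {}
    for app, policy in plan:
        created = cf_post(f"/accounts/{account_id}/access/apps", app, token)
        cf_post(f"/accounts/{account_id}/access/apps/{created['id']}/policies", policy, token)
        ids[app["name"]] = created["id"]
    return ids


if __name__ == "__main__":
    e = os.environ  # CF_ACCOUNT_ID, CF_API_TOKEN, GHOST_DOMAIN, ADMIN_EMAIL, CF_IDP_ID
    domain = e.get("GHOST_DOMAIN", "blog.example.com")
    apps = [admin_app(domain, "idp")["domain"], api_app(domain)["domain"]]
    for path in ("/ghost/", "/ghost/api/content/posts/",
                 "/ghost/api/admin/session/", "/members/api/site/"):
        print(f"{domain}{path:32} -> {governing_app(apps, domain + path)}")
    if all(k in e for k in ("CF_ACCOUNT_ID", "CF_API_TOKEN", "CF_IDP_ID", "ADMIN_EMAIL")):
        print(apply(e["CF_ACCOUNT_ID"], e["CF_API_TOKEN"], domain,
                    e["ADMIN_EMAIL"], e["CF_IDP_ID"]))
```

Run it without credentials and it only prints the precedence table, which is worth reading before you apply anything: `/ghost/` lands on the admin application, while both `/ghost/api/content/posts/` and `/ghost/api/admin/session/` land on the bypass, and `/members/api/site/` is governed by neither.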

Testing

To test the configuration, open your Ghost site in a new incognito window and click a subscribe link. If the subscription form appears, the bypassed API path is reachable. In the same window, browse to your admin portal at yourghostsite.com/ghost; you should land on a Cloudflare Access login page rather than Ghost's own sign-in form.
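The two manual checks above can also be scripted so they run after every config change. The following is an added example for this post, not the author's code: `classify()` decides from a response's status and headers whether it came back from the Access login gate or reached Ghost, `probe()` makes the real request without following redirects, and `check_site()` evaluates an expected-outcome table. It assumes that an unauthenticated browser-style request to a gated path is answered with a 30x redirect to the team's `<team>.cloudflareaccess.com/cdn-cgi/access/login/...` URL, and that `/ghost/api/admin/site/` is served by Ghost without authentication, which makes it a convenient probe for the bypass. The responses in `SAMPLE` are constructed, not captured from a real site.

```python
"""Added example, not code from the original post: automate the two checks in
the Testing section. classify() decides from status and headers whether a
response came from Cloudflare Access's login gate or reached the origin;
probe() performs a real request; check_site() runs the expected table.

Assumptions (not from the post): an unauthenticated browser-style request to a
gated path is answered with a 30x redirect to the team's
<team>.cloudflareaccess.com/cdn-cgi/access/login/... URL; /ghost/api/admin/site/
is served by Ghost without authentication, so it is a convenient bypass probe.
The sample responses in SAMPLE are constructed, not captured."""
import urllib.error
import urllib.request

ACCESS_LOGIN = "cloudflareaccess.com/cdn-cgi/access/"


def classify(status: int, headers) -> str:
    """'access-login' if Access redirected to its login page, else 'origin'.
    Anything else (a 200, or a Ghost 401/404 JSON error) proves the request
    got through to Ghost, which is exactly what the bypass check wants to see."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and ACCESS_LOGIN in hdrs.get("location", ""):
        return "access-login"
    return "origin"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 30x as an HTTPError instead of following it


def probe(url: str) -> str:
    req = urllib.request.Request(url, headers={"Accept": "text/html",
                                               "User-Agent": "ghost-access-check/1"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return classify(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers)


EXPECTED = {
    "/ghost/": "access-login",              # admin SPA must be gated
    "/ghost/api/admin/site/": "origin",     # bypassed API must reach Ghost
}


def check_site(base: str, fetch=probe) -> dict:
    """Returns path -> (expected, actual, ok). `fetch` is injectable so the
    table can be evaluated offline against constructed responses."""
    out = {}
    for path, want in EXPECTED.items():
        got = fetch(base.rstrip("/") + path)
        out[path] = (want, got, want == got)
    return out


# Constructed sample responses standing in for a correctly configured site.
SAMPLE = {
    "https://blog.example.com/ghost/": (302, {"Location":
        "https://myteam.cloudflareaccess.com/cdn-cgi/access/login/blog.example.com?kid=abc"}),
    "https://blog.example.com/ghost/api/admin/site/": (200, {"Content-Type": "application/json"}),
}


def offline_fetch(url: str) -> str:
    status, headers = SAMPLE[url]
    return classify(status, headers)


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    base = sys.argv[1] if live else "https://blog.example.com"
    results = check_site(base) if live else check_site(base, fetch=offline_fetch)
    for path, (want, got, ok) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {path}: expected {want}, got {got}")
    sys.exit(0 if all(r[2] for r in results.values()) else 1)
```

Run it as `python3 check.py https://yourghostsite.com` against the live site; with no argument it evaluates the constructed samples. Note that a 401 from Ghost's Content API counts as "origin" on purpose: the question for the bypass path is whether the request reached Ghost at all, not whether Ghost accepted it.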

Success! You have now secured your Ghost site.