Ghost Publishing Platform on AWS User Guide
Overview
This image runs Ghost, the open source publishing platform, behind nginx, with Node.js 22 LTS and MySQL 8 on the same instance. The Ghost process listens on 127.0.0.1:2368; nginx reverse proxies port 80 to it. Site content, members and posts are stored in MySQL, bound to the loopback interface only.
Ghost administrator and MySQL credentials are generated on the first boot of every deployed instance. Two instances launched from the same Amazon Machine Image never share passwords. The initial administrator email, the administrator password, and the MySQL password are written to /root/ghost-credentials.txt with mode 0600 so that only the root user can read them.
Ghost is configured to accept requests on any host, so the site automatically works on whatever public DNS name or IP address visitors reach the instance on. The image ships with Ghost-CLI installed, so upgrades, backups and configuration changes follow the standard Ghost workflows.
Prerequisites
Before you deploy this image you need:
- An Amazon Web Services account where you can launch EC2 instances
- IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
- An EC2 key pair in the target Region for SSH access to the instance
- A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network and inbound ports 80 and 443 from the networks your visitors will use
- The AWS CLI (version 2) installed locally if you plan to deploy from the command line
Step 1: Launch the Instance from the AWS Marketplace
Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Ghost Publishing Platform. Select the cloudimg listing and choose Select, then Continue on the subscription summary.
Pick an instance type of m5.large or larger — Ghost benefits from headroom for Node.js and the MySQL workload. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network and inbound ports 80 and 443 from the networks your visitors use. Leave the root volume at the default size or larger.
Select Launch instance. First boot initialisation takes approximately one minute after the instance state becomes Running and the status checks pass.
Step 2: Launch the Instance from the AWS CLI
The following block launches an instance from the cloudimg Ghost Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens ports 22, 80, and 443 as described above.
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type m5.large \
--key-name <key-name> \
--subnet-id <subnet-id> \
--security-group-ids <security-group-id> \
--block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":30,"VolumeType":"gp3"}}]' \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=ghost-01}]'
The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running:
aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text
Step 3: Connect and Retrieve Initial Credentials
Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:
| AMI variant | SSH login user |
|---|---|
| Ghost 6 on Ubuntu 24.04 | ubuntu |
The first boot service runs before the SSH daemon becomes ready, so the credentials file is always in place when you log in for the first time.
ssh <login-user>@<public-ip>
sudo cat /root/ghost-credentials.txt
You will see a plain text file containing the Ghost admin URL, the administrator email (cloudimg-admin@<public-ip>), the administrator password, and the MySQL database name, user, and password. Copy these values somewhere secure (a password manager or encrypted vault). Do not commit them to source control.
From the same SSH session you can confirm the deployment is healthy:
curl -fsS -o /dev/null -w 'Ghost front page HTTP %{http_code}\n' http://127.0.0.1/
A Ghost front page HTTP 200 response confirms the full stack — nginx, Node.js / Ghost and MySQL — is serving requests.
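The overview states that Ghost listens on 127.0.0.1:2368, that MySQL is bound to loopback only, and that the credentials file is mode 0600. The following added example (not part of the original guide or the image) checks those three claims from the same SSH session. The function names and the sample listener table are constructed for illustration, and port 33060 is included because it is the default MySQL 8 X Protocol port.

```shell
# Print any Ghost or MySQL listener that is not bound to loopback.
# Input on stdin: output of `ss -Hltn` (no header; local address is field 4).
# Ports checked: 2368 (Ghost), 3306 (MySQL), 33060 (MySQL 8 X Protocol default).
nonloopback_listeners() {
  awk '{
    n = split($4, part, ":")
    port = part[n]                                   # text after the last colon
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (port != "2368" && port != "3306" && port != "33060") next
    if (addr ~ /^127\./ || addr == "[::1]") next     # loopback is fine
    print $4
  }'
}

# Succeeds only when the credentials file is mode 600 and owned by root.
# Argument: output of `stat -c "%a %U" /root/ghost-credentials.txt`.
creds_perms_ok() { [ "$1" = "600 root" ]; }

# Constructed sample of `ss -Hltn` output, with one deliberately
# non-loopback listener so the check has something to report.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 127.0.0.1:2368 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 70 *:33060 *:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | nonloopback_listeners

# On the instance:
#   sudo ss -Hltn | nonloopback_listeners      # no output means nothing exposed
#   creds_perms_ok "$(sudo stat -c '%a %U' /root/ghost-credentials.txt)" && echo ok
```

Any line printed by nonloopback_listeners is a service reachable from outside the instance if the security group ever allows that port.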
Step 4: First Sign In to the Ghost Admin
Open a web browser and navigate to http://<public-ip>/ghost/. Ghost presents the admin sign in form.

Enter the administrator email and the administrator password from /root/ghost-credentials.txt, then select Sign in. The public site itself is reached at http://<public-ip>/.
Step 5: The Ghost Admin Dashboard
After signing in, Ghost shows the admin dashboard — the home of all editorial and configuration work. The left hand menu gives you every management area: Posts and Pages for content, Tags for organising posts, Members for your audience, Site (Design, Navigation, Code injection) for theme work, and Settings for global configuration.

The dashboard surfaces traffic, recent posts and member activity. The Settings area is where you configure outbound mail, members, integrations and the site title.
Step 6: Change the Administrator Password and Email
For a production deployment rotate the administrator password that was generated on first boot, and set a real administrator email so password recovery and system notifications reach you. Select your avatar in the bottom left of the admin, choose Your profile, and update the email address at the top, then scroll down and use Change password to set a new password. Select Save.
Step 7: Write Your First Post
Ghost content is organised as posts, pages and tags. Open Posts, then select New post. Give the post a title, write the body in the editor, and add tags from the right hand sidebar. Use the Publish button at the top right to schedule or publish immediately.

The editor supports rich text, images, embeds, code blocks, bookmark cards, galleries and HTML cards out of the box. Once published, the post appears on the public site at http://<public-ip>/.
Step 8: View the Public Site
Browse to http://<public-ip>/ to see the public Ghost site. Ghost ships with the Source theme by default — a clean, fast theme that works for blogs, newsletters and editorial publications.

Switch themes under Settings then Design then Change theme, where you can upload any Ghost compatible theme zip or pick from the marketplace built into Ghost.
Step 9: Configure Outbound Email
Ghost relies on Mailgun to send newsletters and member emails, and on a separate SMTP provider for transactional mail (welcome, password reset). Open Settings then Email newsletter for the newsletter configuration; the docs at https://ghost.org/docs/config/mail/ cover both Mailgun and the transactional mail config block in /var/www/ghost/config.production.json.
For transactional mail edit the config block:
sudo nano /var/www/ghost/config.production.json
Set the mail object to use your SMTP provider — Amazon SES, SendGrid, Postmark and Mailgun are all common — and restart Ghost:
sudo systemctl restart ghost_cloudimg.service
Step 10: Enable HTTPS with Let's Encrypt
For any production Ghost deployment serve the site over HTTPS so session cookies and authentication tokens cannot be intercepted. The image ships with nginx, which certbot can configure automatically.
The following assumes you have a DNS record pointing your fully qualified domain name at the instance's public IP address.
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d ghost.your-domain.example \
--non-interactive --agree-tos -m you@your-domain.example \
--redirect
After certbot finishes, update the Ghost url field in /var/www/ghost/config.production.json to your HTTPS URL and restart Ghost:
sudo sed -i 's#"url": "http://[^"]*"#"url": "https://ghost.your-domain.example"#' /var/www/ghost/config.production.json
sudo systemctl restart ghost_cloudimg.service
Step 11: Backups and Maintenance
Ghost has two data sources that must be backed up together: the MySQL database and the site files in /var/www/ghost (the Ghost code tree, themes, and uploaded content under content/).
sudo sh -c 'mysqldump --single-transaction ghost_prod > /var/backups/ghost-db-$(date +%F).sql'
sudo tar --acls --xattrs -czf /var/backups/ghost-files-$(date +%F).tgz -C /var/www ghost
Ship both artifacts to an Amazon S3 bucket or another object store.
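The files archive includes /var/www/ghost/config.production.json, which holds the database connection settings, and the SQL dump holds member data, so both artifacts should be readable by root only. The following added example (not part of the original guide) writes the pair under a restrictive umask and checks it before upload. The function names are hypothetical, and it assumes a root shell on the instance and GNU stat.

```shell
# Dump and archive with owner-only permissions.
# Usage (root shell on the instance): ghost_backup /var/backups
ghost_backup() {
  (
    umask 077                          # files created below are mode 0600
    day=$(date +%F)
    mysqldump --single-transaction ghost_prod > "$1/ghost-db-$day.sql" &&
    tar --acls --xattrs -czf "$1/ghost-files-$day.tgz" -C /var/www ghost
  )
}

# Verify that both artifacts for one date exist, are non-empty, and carry
# no group or other permission bits. Prints each problem; returns 1 on any.
# Usage: backup_pair_ok /var/backups 2025-01-31
backup_pair_ok() {
  dir=$1; day=$2; rc=0
  for f in "$dir/ghost-db-$day.sql" "$dir/ghost-files-$day.tgz"; do
    if [ ! -s "$f" ]; then
      echo "missing or empty: $f"; rc=1; continue
    fi
    mode=$(stat -c '%a' "$f")
    case $mode in
      *00) ;;                          # e.g. 600 or 400: owner only
      *) echo "readable beyond owner ($mode): $f"; rc=1 ;;
    esac
  done
  return $rc
}
```

Run backup_pair_ok with the same directory and date after ghost_backup, and upload only when it returns success.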
For kernel and package updates, Ubuntu's unattended-upgrades is enabled by default — security patches apply automatically. To update Ghost itself, use Ghost-CLI:
sudo -u ghost HOME=/tmp bash -c "cd /var/www/ghost && ghost update"
Ghost-CLI handles the version download, schema migration and process restart in one command.
Step 12: Scaling Beyond a Single Instance
For larger deployments decouple Ghost from the single instance pattern:
- Move MySQL to Amazon RDS for MySQL and update database.connection in /var/www/ghost/config.production.json
- Put the Ghost web tier behind an Application Load Balancer and scale horizontally with an Auto Scaling group, with the content/ directory on Amazon EFS shared storage
- Serve static assets and uploaded media through Amazon CloudFront
- Use Amazon SES for transactional and bulk mail through Ghost's SMTP configuration
Each of these is documented in the official Ghost documentation at https://ghost.org/docs/.
Screenshots

The Ghost admin sign-in page, served on first boot with no manual setup.

The Ghost admin dashboard after first sign-in.

Composing a post in the Ghost editor.

The published Ghost front page served on port 80.
Support
cloudimg provides 24/7/365 expert technical support for this image. Guaranteed response within 24 hours, one hour average for critical issues. Contact support@cloudimg.co.uk.
For general Ghost administration questions consult the community at https://forum.ghost.org/ and the documentation at https://ghost.org/docs/.