All systems operational 21 cryptocurrencies accepted · Monero welcome No-KYC policy
ChainVPS

Publishing · no KYC

Host Ghost on an Offshore VPS

Ghost is a fast, modern publishing platform you can self-host in minutes on an offshore VPS, keeping your writing, subscribers, and payments off third-party clouds.

What it is

Ghost is an open-source Node.js CMS built for blogs, newsletters, and membership sites, with native email subscriptions, paid tiers, and a clean Markdown editor. It ships as an official Docker image backed by MySQL 8, serving your site over its own port behind a reverse proxy.

Why host it offshore

Running Ghost on a no-KYC, crypto-paid VPS means your publication is not tied to an account that can be identity-linked, deplatformed, or handed over on request. With offshore privacy-tier locations and unmetered bandwidth, you keep full control of your content, member list, and Stripe payouts without a hosting provider gatekeeping your words.

The deploy

A working reference setup

Copy this onto a fresh ChainVPS instance. Replace the placeholders, then bring it up.

docker-compose.yml
services:
  ghost:
    image: ghost:5-alpine
    restart: always
    ports:
      # Bind to localhost only; terminate TLS in a reverse proxy (nginx/Caddy)
      - "127.0.0.1:2368:2368"
    environment:
      url: https://blog.example.com
      NODE_ENV: production
      database__client: mysql
      database__connection__host: db
      database__connection__port: 3306
      database__connection__user: ghost
      database__connection__password: CHANGE_ME_DB_PASSWORD
      database__connection__database: ghostdb
      # Optional outbound SMTP for member/newsletter email:
      # mail__transport: SMTP
      # mail__options__host: smtp.example.com
      # mail__options__port: 587
      # mail__options__auth__user: [email protected]
      # mail__options__auth__pass: CHANGE_ME_SMTP
    volumes:
      - ghost-content:/var/lib/ghost/content
    depends_on:
      - db

  db:
    image: mysql:8.0
    restart: always
    command: --default-authentication-plugin=caching_sha2_password
    environment:
      MYSQL_ROOT_PASSWORD: CHANGE_ME_ROOT_PASSWORD
      MYSQL_DATABASE: ghostdb
      MYSQL_USER: ghost
      MYSQL_PASSWORD: CHANGE_ME_DB_PASSWORD
    volumes:
      - ghost-db:/var/lib/mysql

volumes:
  ghost-content:
  ghost-db:

# Deploy:
#   apt-get update && apt-get install -y docker.io docker-compose-v2
#   docker compose up -d
# Then point a reverse proxy (Caddy/nginx) at 127.0.0.1:2368 to add HTTPS,
# and set `url:` to your real https:// domain before first boot.

Firewall

Ports to open

PortProtocolPurpose
2368TCPGhost HTTP app port - keep bound to 127.0.0.1 and reverse-proxy it, never expose publicly
443TCPHTTPS to the public via your reverse proxy (Caddy/nginx)
80TCPHTTP for ACME/Let's Encrypt cert issuance and redirect to 443
3306TCPMySQL - internal Docker network only, never publish to the host

Right-sizing

Which plan you need

Light

VPS Nano/Small (1-2 vCPU, 2 GB RAM)

Personal blog or a small newsletter. Ghost + MySQL fit comfortably; add 1 GB swap as a safety net.

Medium

VPS Pro (2-4 vCPU, 4-8 GB RAM)

Active publication with paid memberships, image-heavy posts, and regular email sends. Headroom for MySQL cache and traffic spikes.

Heavy

Dedicated (dedicated cores, 16 GB+ RAM, NVMe)

High-traffic site or multi-blog setup with large media libraries; isolate MySQL and serve media via cache for consistent latency.

Best locations: For a publication that must stay online regardless of takedown pressure, pick a ChainVPS privacy-tier location: Iceland (IS), Switzerland (CH), Romania (RO), Moldova (MD), Netherlands (NL), or Luxembourg (LU). CH and IS have strong press/speech protections and privacy law; NL and LU give low-latency reach into European readerships with unmetered bandwidth for image- and newsletter-heavy sites.

Lock it down

Hardening checklist

  • Never publish port 2368 or 3306 to 0.0.0.0. Keep Ghost bound to 127.0.0.1 and MySQL on the internal Docker network only; expose the site exclusively through a TLS reverse proxy (Caddy auto-issues Let's Encrypt certs, or use nginx + certbot).
  • Set the `url` env var to your real https:// domain before the very first boot. Ghost bakes the URL into resource links and changing it later requires a database update and cache flush.
  • Lock down the admin panel: enforce a long unique password on first setup, and restrict /ghost/ by IP allowlist or basic-auth at the proxy if you publish from fixed locations. Enable Ghost's built-in staff 2FA.
  • Back up both volumes on a schedule: dump MySQL (`docker compose exec db mysqldump -u ghost -p ghostdb`) and archive the content volume (`/var/lib/ghost/content`, which holds images and themes). Ship encrypted backups to ChainVPS storage or off-box.
  • Pin image tags (ghost:5-alpine, mysql:8.0) and update deliberately with `docker compose pull && docker compose up -d`; test theme/integration compatibility before jumping major Ghost versions, and keep the DDoS protection that ships with the plan enabled at the edge.

Questions

Hosting Ghost — FAQ

Does Ghost need MySQL, or can I use SQLite?

Ghost 5 officially requires MySQL 8 for production. The compose file above wires up MySQL 8 automatically. SQLite is only supported for local development and is not recommended for a live offshore deployment.

How do I add HTTPS?

Ghost itself serves plain HTTP on port 2368. Put a reverse proxy in front - Caddy is the simplest (it auto-issues and renews Let's Encrypt certificates), or use nginx with certbot. Point it at 127.0.0.1:2368 and set Ghost's `url` to your https:// domain.

Can I send newsletters without a third-party identity trail?

Ghost sends member email via any SMTP provider or Mailgun. On a privacy-focused setup, use an SMTP relay that accepts crypto or minimal signup and configure it through the mail__ environment variables. Transactional email still needs a deliverable sending domain with SPF/DKIM.

How much disk will I need?

Ghost's core plus MySQL is small (a few hundred MB). Real growth comes from uploaded images and video in the content volume. A light blog runs fine on 20-40 GB; image-heavy or membership sites should plan for NVMe storage and regular backups of the content volume.

Will my site survive traffic spikes or DDoS?

ChainVPS plans include DDoS protection at the network edge, and bandwidth is unmetered so a viral post will not rack up overage fees. For raw request spikes, enable proxy-level caching of offshore page views and move to a VPS Pro or dedicated plan if you consistently see high concurrency.

Spin up Ghost
in the next 60 seconds.

Unmetered bandwidth · DDoS included · 21 cryptocurrencies · no KYC.