Publishing · no KYC
Host Ghost on an Offshore VPS
Ghost is a fast, modern publishing platform you can self-host in minutes on an offshore VPS, keeping your writing, subscribers, and payments off third-party clouds.
What it is
Ghost is an open-source Node.js CMS built for blogs, newsletters, and membership sites, with native email subscriptions, paid tiers, and a clean Markdown editor. It ships as an official Docker image backed by MySQL 8, serving your site over its own port behind a reverse proxy.
Why host it offshore
Running Ghost on a no-KYC, crypto-paid VPS means your publication is not tied to an account that can be identity-linked, deplatformed, or handed over on request. With offshore privacy-tier locations and unmetered bandwidth, you keep full control of your content, member list, and Stripe payouts without a hosting provider gatekeeping your words.
The deploy
A working reference setup
Copy this onto a fresh ChainVPS instance. Replace the placeholders, then bring it up.
services:
ghost:
image: ghost:5-alpine
restart: always
ports:
# Bind to localhost only; terminate TLS in a reverse proxy (nginx/Caddy)
- "127.0.0.1:2368:2368"
environment:
url: https://blog.example.com
NODE_ENV: production
database__client: mysql
database__connection__host: db
database__connection__port: 3306
database__connection__user: ghost
database__connection__password: CHANGE_ME_DB_PASSWORD
database__connection__database: ghostdb
# Optional outbound SMTP for member/newsletter email:
# mail__transport: SMTP
# mail__options__host: smtp.example.com
# mail__options__port: 587
# mail__options__auth__user: [email protected]
# mail__options__auth__pass: CHANGE_ME_SMTP
volumes:
- ghost-content:/var/lib/ghost/content
depends_on:
- db
db:
image: mysql:8.0
restart: always
command: --default-authentication-plugin=caching_sha2_password
environment:
MYSQL_ROOT_PASSWORD: CHANGE_ME_ROOT_PASSWORD
MYSQL_DATABASE: ghostdb
MYSQL_USER: ghost
MYSQL_PASSWORD: CHANGE_ME_DB_PASSWORD
volumes:
- ghost-db:/var/lib/mysql
volumes:
ghost-content:
ghost-db:
# Deploy:
# apt-get update && apt-get install -y docker.io docker-compose-v2
# docker compose up -d
# Then point a reverse proxy (Caddy/nginx) at 127.0.0.1:2368 to add HTTPS,
# and set `url:` to your real https:// domain before first boot.
Firewall
Ports to open
| Port | Protocol | Purpose |
|---|---|---|
| 2368 | TCP | Ghost HTTP app port - keep bound to 127.0.0.1 and reverse-proxy it, never expose publicly |
| 443 | TCP | HTTPS to the public via your reverse proxy (Caddy/nginx) |
| 80 | TCP | HTTP for ACME/Let's Encrypt cert issuance and redirect to 443 |
| 3306 | TCP | MySQL - internal Docker network only, never publish to the host |
Right-sizing
Which plan you need
VPS Nano/Small (1-2 vCPU, 2 GB RAM)
Personal blog or a small newsletter. Ghost + MySQL fit comfortably; add 1 GB swap as a safety net.
VPS Pro (2-4 vCPU, 4-8 GB RAM)
Active publication with paid memberships, image-heavy posts, and regular email sends. Headroom for MySQL cache and traffic spikes.
Dedicated (dedicated cores, 16 GB+ RAM, NVMe)
High-traffic site or multi-blog setup with large media libraries; isolate MySQL and serve media via cache for consistent latency.
Best locations: For a publication that must stay online regardless of takedown pressure, pick a ChainVPS privacy-tier location: Iceland (IS), Switzerland (CH), Romania (RO), Moldova (MD), Netherlands (NL), or Luxembourg (LU). CH and IS have strong press/speech protections and privacy law; NL and LU give low-latency reach into European readerships with unmetered bandwidth for image- and newsletter-heavy sites.
Lock it down
Hardening checklist
- Never publish port 2368 or 3306 to 0.0.0.0. Keep Ghost bound to 127.0.0.1 and MySQL on the internal Docker network only; expose the site exclusively through a TLS reverse proxy (Caddy auto-issues Let's Encrypt certs, or use nginx + certbot).
- Set the `url` env var to your real https:// domain before the very first boot. Ghost bakes the URL into resource links and changing it later requires a database update and cache flush.
- Lock down the admin panel: enforce a long unique password on first setup, and restrict /ghost/ by IP allowlist or basic-auth at the proxy if you publish from fixed locations. Enable Ghost's built-in staff 2FA.
- Back up both volumes on a schedule: dump MySQL (`docker compose exec db mysqldump -u ghost -p ghostdb`) and archive the content volume (`/var/lib/ghost/content`, which holds images and themes). Ship encrypted backups to ChainVPS storage or off-box.
- Pin image tags (ghost:5-alpine, mysql:8.0) and update deliberately with `docker compose pull && docker compose up -d`; test theme/integration compatibility before jumping major Ghost versions, and keep the DDoS protection that ships with the plan enabled at the edge.
Deploy it on
The right ChainVPS product
Questions
Hosting Ghost — FAQ
Does Ghost need MySQL, or can I use SQLite?
Ghost 5 officially requires MySQL 8 for production. The compose file above wires up MySQL 8 automatically. SQLite is only supported for local development and is not recommended for a live offshore deployment.
How do I add HTTPS?
Ghost itself serves plain HTTP on port 2368. Put a reverse proxy in front - Caddy is the simplest (it auto-issues and renews Let's Encrypt certificates), or use nginx with certbot. Point it at 127.0.0.1:2368 and set Ghost's `url` to your https:// domain.
Can I send newsletters without a third-party identity trail?
Ghost sends member email via any SMTP provider or Mailgun. On a privacy-focused setup, use an SMTP relay that accepts crypto or minimal signup and configure it through the mail__ environment variables. Transactional email still needs a deliverable sending domain with SPF/DKIM.
How much disk will I need?
Ghost's core plus MySQL is small (a few hundred MB). Real growth comes from uploaded images and video in the content volume. A light blog runs fine on 20-40 GB; image-heavy or membership sites should plan for NVMe storage and regular backups of the content volume.
Will my site survive traffic spikes or DDoS?
ChainVPS plans include DDoS protection at the network edge, and bandwidth is unmetered so a viral post will not rack up overage fees. For raw request spikes, enable proxy-level caching of offshore page views and move to a VPS Pro or dedicated plan if you consistently see high concurrency.
More to self-host
Other one-click stacks
Spin up Ghost
in the next 60 seconds.
Unmetered bandwidth · DDoS included · 21 cryptocurrencies · no KYC.