2FA for Ghost Admin Panel


I setup this blog yesterday with Ghost, you are using it right now.
But I wanted to protect the Admin Panel with 2FA but Ghost does not support that.

I thought how else could I do that!

I use authentik to authenticate to almost any application I run in my Network / Home Lab and so on. authentik has a proxy mode I already use with others. Now I tested it , for authentik you need to specify which paths need to be unauthenticated, so I tried it with the following REGEX:


Put I was bummed to find out that authentik uses Go and that does not have native negative lookahead support. So how could I else accomplish this.
I thought, to get my proxy to the authentik container I already use Nginx Proxy Manager, is there a way ?
Yes there is, Nginx Proxy Manager allows you to configure custom locations on the proxy host config
How you then go forward ?

Step 1: Create your authentik Proxy provider

  1. Under Applications > Providers click Create
  2. Name it 'Ghost'
  3. Select Proxy provider
  4. Then as the Authorization Flow use the implicit-consent
  5. Use the Proxy mode
  6. As the External Host use your domain without any paths and https as you should always in public sites.
  7. for Internal use the IP or hostname of your provider or container where you host Ghost

Leave then the Unauthenticated paths empty

Create your Application as you did with any other Application and select the Ghost Provider, then update your authentik embedded outpost.

So now for Nginx Proxy Manager
For this to work is to know that authentik expects to have an embedded redirection for the outpost, you can see them under Protocol Settings in the authentik Application named 'Allowed Redirect URIs'


For me I only needed the outpost to redirect maybe the second one is not needed then

Proxy Host - Main Page

As you can see in the screenshot you simply configure the base domain with the target hosting provider you run your ghost on

Then in the custom locations you add two locations

Custom Locations

You add one for /ghost which is the protected URL with authentik and then you configure the outpost to also in the backend be resolved to the authentik-server

This is all on the same docker host, therefore authentik internally does not use https