How to Fix GhostCMS API Not Working After Enabling Cloudflare Access on Ghost Admin Path

A week ago, I published an article, "Increase Website Security: Protect Admin Routes Using Cloudflare Access",

and I ran into a problem: my scheduled posts are not working.


The problem

The scenario: I can create a blog post and publish it without any problem. But when I schedule a post, once the scheduled time has passed it says "published x ago" while the status is still "scheduled".


The investigation

First, I remembered that post scheduling worked before I enabled Cloudflare Access, so I tried disabling it, and scheduling worked again. That means the problem is caused by Cloudflare Access, but how? At first, I thought that post scheduling was managed by the backend side, but it's not. I found out here that they're using an API to publish our scheduled posts.

Now it makes sense: when we enable Cloudflare Access on a path, we need to authenticate before we can access the /ghost path. We can publish manually because we have already authenticated with Cloudflare Access, but when GhostCMS tries to call the API, the request is blocked because it's not authenticated.


How to fix it?

Step 1: Set Up Cloudflare Access

  1. Go to Cloudflare Zero Trust Dashboard → Access → Applications.
  2. Click Add an application.
  3. Select Self-hosted.
  4. Give your application a name (e.g., "Ghost API").
  5. Define your API route:

https://yourdomain.com/ghost/api


Step 2: Create an Access Policy

  1. Under Policies, click Add a policy.
  2. Create a rule that bypasses everyone.
  3. Save the policy.
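
With the bypass in place, requests to /ghost/api are no longer checked by Access, so it is worth confirming that only that path is open and that /ghost/ itself still lands on the Access login. The check below is an added example, not part of the original article or of Ghost. It assumes Access answers unauthenticated requests with a redirect to its login page, uses /ghost/api/admin/site/ as a test endpoint under the bypassed path, and runs on constructed sample responses with a placeholder team name.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Expected state after the fix: admin UI behind Access, API path bypassed.
# The API test endpoint is an assumption; any URL under /ghost/api works.
EXPECTED = {"/ghost/": "gated", "/ghost/api/admin/site/": "bypassed"}

def classify(status, location):
    """Classify one unauthenticated response as 'gated' or 'bypassed'."""
    parts = urlsplit(location or "")
    host = parts.hostname or ""
    if 300 <= status < 400 and (host.endswith(".cloudflareaccess.com")
                                or parts.path.startswith("/cdn-cgi/access/")):
        return "gated"     # redirected to the Access login page
    return "bypassed"      # the request reached the origin (Ghost answered)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None        # surface the 3xx instead of following it

def probe(base_url, path):
    """Fetch base_url + path without cookies; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def audit(responses):
    """Compare observed responses with EXPECTED; return a list of problems."""
    problems = []
    for path, want in EXPECTED.items():
        got = classify(*responses[path])
        if got != want:
            problems.append(f"{path}: expected {want}, got {got}")
    return problems

# Constructed sample responses ("example-team" is a placeholder team name).
LOGIN = "https://example-team.cloudflareaccess.com/cdn-cgi/access/login/yourdomain.com"
BEFORE_FIX = {"/ghost/": (302, LOGIN), "/ghost/api/admin/site/": (302, LOGIN)}
AFTER_FIX = {"/ghost/": (302, LOGIN), "/ghost/api/admin/site/": (200, None)}
TOO_BROAD = {"/ghost/": (200, None), "/ghost/api/admin/site/": (200, None)}

if __name__ == "__main__":
    for name, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX), ("too broad", TOO_BROAD)):
        print(name, audit(sample) or "OK")
    # Live check: audit({p: probe("https://yourdomain.com", p) for p in EXPECTED})
```

An empty result means the admin UI is still gated and the API path is reachable; a "/ghost/" finding means the bypass application covers more than /ghost/api.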

Conclusion

The problem occurs because Cloudflare Access blocks our API path, so we have to let Cloudflare Access bypass the API path.


Another way that I found is to use a service token, attached as a header, to authenticate with Cloudflare. For that we would have to modify the Ghost CMS code. Even though it is more secure, it takes a lot of effort, so I decided to go with bypassing the API path.