How to set an independent backend domain in AnQiCMS backend to enhance security?

As a website operator familiar with AnQiCMS, I am well aware of the importance of website security to the operation of the enterprise.Among the many security enhancement features of AnQiCMS, setting up a separate domain for the backend is a very effective and recommended practice.This not only enhances the defense level of the backend, but also makes the operation of the entire website appear more professional.

AnQiCMS support for backend domain security

AnQiCMS as an enterprise-level content management system takes the security of the system into consideration from the beginning. From the update log, it can be seen that as early asv2.1.1版本中就已“新增] Support custom backend domain function, enhancing backend protection.This feature allows operators to isolate the front-end (public access) of the website from the back-end management interface (for internal management) through different domain names.This isolation is an important part of the website security strategy, effectively narrowing the potential attackers' access to the backend entry points, thereby reducing the risk of being scanned maliciously or attacked with brute force.

Configure independent background domain name required preparation

Before configuring an independent management domain in AnQiCMS, some preliminary tasks need to be completed. First, you need to prepare a new subdomain, for example,admin.yourdomain.comEnglish for backend management. This subdomain should be different from your main website domain to achieve effective isolation.

Next, you must resolve this newly registered subdomain to your AnQiCMS server IP address. Ensuring that DNS resolution takes effect is the basis for accessing the new domain name.

Additionally, it is strongly recommended that you configure an SSL certificate for this new backend domain to enable HTTPS encrypted access.SSL certificates can protect data during transmission, preventing sensitive information from being intercepted or tampered with.AnQiCMS in "Global Function Settings" clearly points out: "Before setting, it is necessary to resolve the domain and bind the domain, otherwise, you will not be able to access the backend.This means that, in addition to DNS resolution, your server also needs to bind and configure the new domain name properly along with the corresponding web service (such as Nginx or Apache) to handle requests from that domain correctly.

Configure in AnQiCMS backend

After completing the domain resolution and server binding, you can proceed to configure in the AnQiCMS backend.

You need to log in to the default background management interface of AnQiCMS. Usually, if an independent background domain name has not been set, the address will be the main domain name plus/system/path (for examplehttp://yourdomain.com/system/).

After login, please navigate to the "Background Settings" option in the left menu bar and select "Global Function Settings.In this page, you will find an input box named "Backend Domain Address.

Enter the complete backend domain URL you have prepared, including the protocol type. For example, if your backend domain isadmin.yourdomain.comand SSL is configured, then you should enterhttps://admin.yourdomain.com/Please make sure to use HTTPS to ensure transmission security.

Completed after filling in, click the "OK" or "Save" button at the bottom of the page to save your settings.Once saved successfully, AnQiCMS will immediately enable the new backend domain.yourdomain.com/system/The address will no longer be able to access the backend. You need to log in to the management interface through the new domain name you have set up.

Configure server reverse proxy

Since the AnQiCMS application usually runs on a specific port (default is 8001) rather than directly listening on port 80 or 443, it is necessary to use the reverse proxy feature of a web server (such as Nginx or Apache) to forward external domain requests to the running port of AnQiCMS.This is equally important for the setup of independent domain names.

For Nginx servers, you can add a new backend domain in its configuration file.serverHere is a basic Nginx configuration example:

server {
    listen 80;
    server_name admin.yourdomain.com; # 替换为您的独立后台域名
    return 301 https://$host$request_uri; # 强制将HTTP请求重定向到HTTPS
}

server {
    listen 443 ssl;
    server_name admin.yourdomain.com; # 替换为您的独立后台域名

    # SSL证书配置，请替换为您的实际证书路径
    ssl_certificate /path/to/your/ssl/certificate.crt;
    ssl_certificate_key /path/to/your/ssl/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:8001; # AnQiCMS应用程序运行的端口
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Make sure to set:admin.yourdomain.comReplace with your actual backend domain, and/path/to/your/ssl/certificate.crtand/path/to/your/ssl/private.keyReplace with the path to your SSL certificate file. After configuration is complete, please restart the Nginx service to make the changes take effect.

If you are using Apache server, you need to go throughProxyPassandProxyPassReverseThis usually involves enabling the corresponding proxy module in the virtual host configuration and adding the following rules:

<VirtualHost *:80>
    ServerName admin.yourdomain.com
    Redirect permanent / https://admin.yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName admin.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your/ssl/certificate.crt
    SSLCertificateKeyFile /path/to/your/ssl/private.key
    # 其他SSL配置

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8001/
    ProxyPassReverse / http://127.0.0.1:8001/
</VirtualHost>

Similarly, replace the domain name and certificate path, and restart the Apache service.

Enhance the backend security of the website

Setting an independent backend domain offers various benefits for enhancing the overall security of AnQiCMS:

Firstly, itreduces the attack surface.By separating the backend management interface from the frontend content display, the entry of the backend is no longer the general path under the public domain, making it more difficult for automated scanning tools and scripts to discover your management panel, thereby reducing the likelihood of being targeted by beginner attackers.

secondly, it allowsan independent security policy.You can apply more strict Web Application Firewall (WAF) rules, IP whitelist access restrictions, DDoS protection measures, and other measures to the backend domain than the front-end.For example, only specific office IPs are allowed to access the background domain name, while the front-end domain remains open.

Moreover, this isolation canPrevent automated attacks。Many automated penetration tests or malicious crawlers typically only target the main domain and its common paths for scanning, and independent backend domains can effectively circumvent these broad-spectrum attacks.

Finally, from the perspective of brand and professionalism, owning an independent management domain alsoenhanced the corporate imageand reflects the emphasis on website security and operational standards.

Verify the setup of independent backend domain

After completing the configuration of AnQiCMS background and server reverse proxy, you should immediately perform verification. Enter the new backend domain you have set in the browser (for examplehttps://admin.yourdomain.com/Check if it can access and display the login interface of AnQiCMS normally.

At the same time, try to access the original backend address (for example,http://yourdomain.com/system/），Confirm it can no longer access the management interface, or has been redirected to a new backend domain.If everything is normal, then congratulations to you, the independent background domain of AnQiCMS has been successfully set, and the security of your website background has been significantly enhanced.

Common Questions

Q1: Why can't I access the backend domain after setting it?

This is usually caused by incorrect DNS resolution, server binding, or reverse proxy configuration.Please check if your DNS records have correctly resolved the backend domain to the server IP.Then, confirm that your web server (Nginx/Apache) is bound to the domain name, and that the reverse proxy rules are correctly forwarding requests to the application port of AnQiCMS (default 8001).Also, be sure to check that the SSL certificate configuration is correct. If HTTPS is enforced and there is an issue with the certificate, it will also result in being unable to access.

Q2: Can I run multiple AnQiCMS sites on the same server and set independent backend domain names for each site?

Q3: What risks are there if my backend domain is not configured with an SSL certificate?

If your AnQiCMS backend domain is not configured with an SSL certificate (i.e., accessed via HTTP), then all information entered in the backend, including your administrator account and password, will be transmitted in plain text.