As a website operator familiar with AnQiCMS, I am well aware of the importance of website security for corporate operations.Among the many security enhancement features of AnQiCMS, setting up a separate domain for the backend is a very effective and recommended practice.This has improved the background protection level and also made the operation of the entire website appear more professional.
AnQiCMS support for admin domain security
AnQiCMS as an enterprise-level content management system took into account the security of the system from the beginning of its design. From the update log, as early asv2.1.1Version already supports the This feature allows operators to isolate the website front-end (accessible to the public) and the back-end management interface (for internal management) through different domain names.This isolation is an important part of the website security strategy, effectively narrowing the back-end entry points that potential attackers can access, thereby reducing the risk of malicious scanning or brute-force attacks.
Set up a dedicated backend domain required preparation
Before configuring an independent management domain in the AnQiCMS background, some preliminary work needs to be completed. First, you need to prepare a new subdomain, such asadmin.yourdomain.comThis subdomain is specifically used for backend management. It should be different from your main website domain to achieve effective isolation.
Next, you must resolve this newly registered subdomain to your AnQiCMS server IP address. Ensuring that DNS resolution takes effect is the basis for accessing the new domain name.
In addition, it is strongly recommended that you configure an SSL certificate for this new backend domain to enable HTTPS encrypted access.The SSL certificate can protect data during transmission, preventing sensitive information from being intercepted or tampered with.AnQiCMS explicitly points out in the "Global Function Settings" that: "Before setting, it is necessary to resolve the domain and bind the domain, otherwise, access to the background will not be possible.This means that, in addition to DNS resolution, your server also needs to bind and configure the new domain name with the corresponding web service (such as Nginx or Apache) so that it can correctly handle requests from the domain name.
Configure in AnQiCMS backend
After completing the domain resolution and server binding, you can proceed to configure in the AnQiCMS backend.
You need to log in to the default backend management interface of AnQiCMS. Usually, if an independent backend domain has not been set, the address will be the main domain name plus/system/path (for examplehttp://yourdomain.com/system/)
After logging in, please navigate to the "Background Settings" option in the left menu bar and select "Global Function Settings".On this page, you will find a text box named "Background Domain Address".
Enter the full backend domain URL you have prepared, including the protocol type. For example, if your backend domain isadmin.yourdomain.comand SSL is configured, then you should enterhttps://admin.yourdomain.com/Please make sure to use HTTPS to ensure the security of the transmission.
After filling in, click the "OK" or "Save" button at the bottom of the page to save your settings.Once saved successfully, AnQiCMS will immediately enable the new backend domain.This means, the originalyourdomain.com/system/The address will no longer be able to access the backend, you need to log in to the management interface through the new domain name that has been set up.
Configure the server reverse proxy
Due to the AnQiCMS application usually running on a specific port (default is 8001), rather than directly listening on ports 80 or 443, it is necessary to use the reverse proxy function of a web server (such as Nginx or Apache) to forward external domain requests to the running port of AnQiCMS.This is equally important for the setup of an independent backend domain.
For Nginx server, you can add a block for a new background domain in its configuration file.serverHere is a basic Nginx configuration example:
server {
listen 80;
server_name admin.yourdomain.com; # 替换为您的独立后台域名
return 301 https://$host$request_uri; # 强制将HTTP请求重定向到HTTPS
}
server {
listen 443 ssl;
server_name admin.yourdomain.com; # 替换为您的独立后台域名
# SSL证书配置,请替换为您的实际证书路径
ssl_certificate /path/to/your/ssl/certificate.crt;
ssl_certificate_key /path/to/your/ssl/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:8001; # AnQiCMS应用程序运行的端口
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Make sure to includeadmin.yourdomain.comReplace it with your actual backend domain and proceed with the/path/to/your/ssl/certificate.crtand/path/to/your/ssl/private.keyReplace with the path to your SSL certificate file. After configuration is complete, please restart the Nginx service to make the changes take effect.
If you are using an Apache server, you will need to go throughProxyPassandProxyPassReverseInstructions to configure a reverse proxy. This usually involves enabling the corresponding proxy module in the virtual host configuration and adding the following rules:
<VirtualHost *:80>
ServerName admin.yourdomain.com
Redirect permanent / https://admin.yourdomain.com/
</VirtualHost>
<VirtualHost *:443>
ServerName admin.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your/ssl/certificate.crt
SSLCertificateKeyFile /path/to/your/ssl/private.key
# 其他SSL配置
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8001/
ProxyPassReverse / http://127.0.0.1:8001/
</VirtualHost>
Similarly, replace the domain and certificate path, and restart the Apache service.
Enhance the security of the website backend.
Setting an independent backend domain has many benefits for improving the overall security of AnQiCMS:
First, itIt reduces the attack surface. By separating the backend management interface from the front-end content display, the entry of the backend is no longer a common path under the public domain, making it more difficult for automated scanning tools and scripts to discover your management panel and reducing the probability of being targeted by novice attackers.
Secondly, it allowsIndependent security policyYou can apply stricter Web Application Firewall (WAF) rules, IP whitelist access restrictions, DDoS protection measures, and other measures to the background domain compared to the front-end.For example, only specific office IPs are allowed to access the backend domain, while the frontend domain remains open.
Again, this isolation canprevent automated attacksMany automated penetration tests or malicious crawlers usually only target the main domain and its common paths for probing, and independent backend domains can effectively circumvent these widespread fishing-style attacks.
Finally, from the perspective of brand and professionalism, having an independent management domain alsoenhanced the corporate imageand reflects the importance of website security and operational standards.
Verify the setup of an independent backend domain
After completing the configuration of AnQiCMS backend and server reverse proxy, you should immediately perform verification. Enter the new backend domain you have set in the browser (for examplehttps://admin.yourdomain.com/Check if you can access and display the AnQiCMS login interface normally.
At the same time, try to access the original backend address (such ashttp://yourdomain.com/system/),Confirm it is inaccessible to the management interface or redirected to a new backend domain.If everything is normal, then congratulations to you, the independent background domain of AnQiCMS has been successfully set up, and the security of your website background has been significantly enhanced.
Common questions
Q1: Why is my backend domain not accessible after setting it up?
This is usually due to incorrect domain resolution, server binding, or reverse proxy configuration.Please check if your DNS records have correctly resolved the backend domain to the server IP.Then, confirm that your web server (Nginx/Apache) is bound to the domain name and that the reverse proxy rules are correctly forwarding requests to the AnQiCMS application port (default 8001).At the same time, be sure to check the SSL certificate configuration is correct, if HTTPS is enforced and the certificate has a problem, it will also cause access to fail.
Q2: Can I run multiple AnQiCMS sites on the same server and set an independent backend domain for each site?
AnQiCMS supports multi-site management, but each AnQiCMS application instance typically only binds one application port.If you configure multiple front-end sites in the same AnQiCMS program, these front-end sites usually share the same back-end management entry (i.e., the independent back-end domain name you set).If you need to run multiple completely independent AnQiCMS applications on the same server (for example, each application manages a set of completely different websites), and each application has its own independent backend domain, then each AnQiCMS instance needs to run on a different port, and corresponding reverse proxy rules need to be configured in the Web server for each backend domain to point to the corresponding AnQiCMS instance port.
Q3: What are the risks if my backend domain is not configured with an SSL certificate?
If your AnQiCMS backend domain is not configured with an SSL certificate (i.e., accessed via HTTP), then all the information entered in the backend, including your administrator account and password, will be transmitted in plain text.