As an experienced website operator who is well-versed in the operation of AnQiCMS, I am well aware of the importance of content security and system stability for a website. Setting a separate domain for the backend is one of the effective measures to enhance the security of the CMS and ensure that website content management is not disturbed. This not only hides the backend entry point and makes it harder for attackers to identify, but also allows more flexible and stricter security policies for backend management.
Understanding the security benefits of an independent backend domain
By default, the AnQiCMS admin backend is usually accessed through a specific path under the main domain (such as yourdomain.com/system/). Although this is convenient to deploy, it exposes the backend entry point under the main domain, where it shares an entry point with the front-end content, which to some extent increases the risk of being scanned and attacked.
By configuring a separate domain for the AnQiCMS backend, such as admin.yourdomain.com, we can completely separate the backend management interface from the front-end content displayed to the public. This separation brings significant security advantages. Firstly, it effectively obscures the actual entry point of the backend, as conventional website scanning tools find it harder to detect an uncommon subdomain. Secondly, an independent domain allows us to enforce stricter network security policies on the backend, such as configuring firewall rules, intrusion detection and prevention systems (IDS/IPS), a more powerful web application firewall (WAF), and even restricting access to specific IP addresses, thereby greatly reducing the potential attack surface at the network level. At the same time, an independent domain makes monitoring and auditing of backend traffic more focused, so any abnormal behavior can be more easily identified and responded to.
Preparation before configuration
To set up a separate backend domain in AnQiCMS, some prerequisites and coordinated system configuration are required. This is a crucial step to ensure the whole process goes smoothly.
First, you need to register a new subdomain (for example admin.yourdomain.com) and point its DNS record (A record) to the IP address of your AnQiCMS server. DNS changes may take some time to take effect, usually a few minutes to a few hours. It is strongly recommended to apply for and configure an SSL certificate for this new backend domain and to use HTTPS encrypted access, which protects data in transit during your backend operations and prevents sensitive information from leaking.
You will also need permission to configure the web server on the server (such as Nginx or Apache). The web server will act as a reverse proxy, responsible for correctly forwarding requests for the new backend domain to the port the AnQiCMS application listens on. Make sure you are familiar with the basic configuration methods of the web server you are using.
Domain settings in the AnQiCMS backend
After completing the above preparation, you can enter the AnQiCMS backend to make the specific settings.
Log in to your AnQiCMS backend and navigate to the Backend settings area, then select Global feature settings. On this page, you will find a configuration item called Backend domain address. Enter the domain name you have set up for the backend here, and make sure to include the protocol (such as https://admin.yourdomain.com). This setting tells AnQiCMS that the backend should respond to requests on this new domain and generate links accordingly.
After filling it in, be sure to click the Save button at the bottom of the page to make the configuration take effect.
Web server reverse proxy configuration (taking Nginx as an example)
The AnQiCMS application usually runs on a specific internal port (default is 8001). In order for external users to access it through a domain name, we need to set up a reverse proxy on the web server.
First, in your Nginx configuration directory (usually /etc/nginx/conf.d/ or /etc/nginx/sites-available/), create a new configuration file for the new backend domain, or add a server block to an existing configuration file.
server {
    # Listen on port 80 for HTTP access
    listen 80;
    server_name admin.yourdomain.com; # replace with your backend domain
    # Redirect all HTTP requests to HTTPS (strongly recommended)
    return 301 https://$host$request_uri;
}
server {
    # Listen on port 443 for HTTPS access
    listen 443 ssl http2;
    server_name admin.yourdomain.com; # replace with your backend domain
    # SSL certificate paths
    ssl_certificate /path/to/your/admin.yourdomain.com.pem; # replace with the path to your SSL certificate file
    ssl_certificate_key /path/to/your/admin.yourdomain.com.key; # replace with the path to your SSL private key file
    # Additional SSL security settings (add or adjust as needed)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options DENY;
    # Forward backend requests to the application
    location / {
        proxy_pass http://127.0.0.1:8001; # make sure this is the port AnQiCMS actually listens on
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
    # Optional: if the backend has its own static file or upload directory, configure it separately
    # location /static/ {
    #     root /path/to/your/anqicms/backend/static;
    #     expires 30d;
    # }
    # Deny access to hidden files (paths beginning with a dot), which may hold sensitive data
    location ~ /\. {
        deny all;
    }
}
Be sure to replace admin.yourdomain.com with your actual backend domain, and replace the paths given for ssl_certificate and ssl_certificate_key with the actual paths to your SSL certificate and private key.
After saving the Nginx configuration file, run the nginx -t command to check that the configuration syntax is correct. If everything is normal, reload the Nginx configuration with systemctl reload nginx (or service nginx reload).
Verify the effect of the settings
After completing all the above steps, you should verify that the independent backend domain has been set up successfully.
Try to access the new backend domain you have set in the browser (for example https://admin.yourdomain.com). If the configuration is correct, you will see the AnQiCMS backend login interface. At the same time, try to access the backend through /system/ under the main domain. You will find that the original backend entry no longer works: it is usually redirected to the new backend domain, or is inaccessible because of the Nginx configuration, which is exactly the security effect we expect.
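The same verification can be scripted. The following is an added example, not part of AnQiCMS or of the original article: it audits response headers saved from curl -sI against the Nginx configuration above. The function names, the acceptance rule for /system/ (redirect to the backend domain or any 4xx/5xx) and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_head(raw):
    """Parse `curl -sI` output into (status_code, {lowercased header: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])  # "HTTP/1.1 301 Moved ..." or "HTTP/2 200"
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def to_admin_https(location, admin_host):
    """True only if a Location header points at exactly the admin host over HTTPS."""
    url = urlsplit(location)
    return url.scheme == "https" and url.hostname == admin_host

def audit(admin_host, http_head, https_head, main_system_head):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status, h = parse_head(http_head)
    if status != 301 or not to_admin_https(h.get("location", ""), admin_host):
        findings.append("port 80 on the admin domain does not redirect to HTTPS")
    _, h = parse_head(https_head)
    expected = {"x-content-type-options": "nosniff", "x-frame-options": "deny"}
    for name, value in expected.items():
        if h.get(name, "").lower() != value:
            findings.append(f"{name} is not '{value}' on the admin domain")
    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("strict-transport-security is missing on the admin domain")
    # Assumed rule: /system/ on the main domain must redirect to the admin host or fail.
    status, h = parse_head(main_system_head)
    moved = 300 <= status < 400 and to_admin_https(h.get("location", ""), admin_host)
    if not (moved or status >= 400):
        findings.append(f"/system/ on the main domain still answers with {status}")
    return findings

# Constructed sample responses (placeholder hosts, not captured from a real site).
HTTP_HEAD = "HTTP/1.1 301 Moved Permanently\nLocation: https://admin.yourdomain.com/\n"
HTTPS_HEAD = ("HTTP/2 200\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\n"
              "x-content-type-options: nosniff\nx-frame-options: DENY\n")
MAIN_OK = "HTTP/2 404\n"
MAIN_EXPOSED = "HTTP/2 200\ncontent-type: text/html\n"

if __name__ == "__main__":
    for label, main in (("isolated", MAIN_OK), ("exposed", MAIN_EXPOSED)):
        print(label, audit("admin.yourdomain.com", HTTP_HEAD, HTTPS_HEAD, main))
```

To use it on a real deployment, save the output of curl -sI for http://admin.yourdomain.com/, https://admin.yourdomain.com/ and the main domain's /system/ path, and pass the three texts to audit().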
In this way, you have successfully set up a separate access domain for the AnQiCMS backend management interface, greatly enhancing the security of the backend.
Frequently Asked Questions
Why can't I access the backend after configuring a separate domain for it?
This is the expected security enhancement effect. After you set an independent backend domain in the AnQiCMS backend, the system will force the use of this new domain as the only entry point for the backend. The /system/ path will no longer lead directly to the backend management interface; it is usually configured to redirect to the new backend domain, or may become inaccessible because of the web server's reverse proxy rules. This isolation is meant to enhance backend security and prevent attackers from discovering the backend entry by scanning the main site's URLs.
Do I need to configure an SSL certificate for my separate backend domain?
It is strongly recommended to configure an SSL certificate for your independent backend domain and to use HTTPS for access. Although it is not technically mandatory, HTTPS encrypts all the data transmitted between you and the backend management system, including login credentials and content editing information, thereby effectively preventing data from being intercepted or tampered with. Considering the sensitivity of backend operations, this is a necessary practice to ensure management security.
How should I adjust the Nginx configuration if my AnQiCMS application is not running on the default port 8001?
In the Nginx reverse proxy configuration, the line proxy_pass http://127.0.0.1:8001; specifies the internal address and port that the AnQiCMS application listens on. If your AnQiCMS application is configured with a different port (such as 9000), you only need to change 8001 in this line to your actual port number, for example proxy_pass http://127.0.0.1:9000; Make sure to change it after modification