In the daily operation of a website, security is always a core concern that must be prioritized. AnQiCMS, a content management system designed with security in mind, provides efficient and convenient services while also leaving room to further strengthen its defenses. Among the available measures, setting up a separate domain for the AnQiCMS backend is a simple yet very effective security enhancement. This article covers the value of this approach and its specific implementation steps.

Why do we need to set a separate domain for AnQiCMS backend?

By default, the AnQiCMS backend is usually accessed under the /system/ path of the main domain, for example yourdomain.com/system/. This mode is convenient, but it also brings some potential security risks. By configuring a separate domain for the backend (for example, admin.yourdomain.com), we gain several security advantages:

Firstly, it increases the stealthiness of the backend entry. Separating the backend address from the main site domain can effectively prevent potential attackers from guessing or discovering the backend entry by scanning the main site's directories. An address of the form admin.yourdomain.com/system/, compared with a path that can be probed directly under the main domain name, adds an additional layer of protection and reduces the risk of the backend being maliciously accessed.

Secondly, it allows more refined access control. An independent backend domain lets us apply stricter access restrictions to admin.yourdomain.com using the web server (such as Nginx or Apache) or a firewall, so the attack surface is minimized. Even if a vulnerability is found on the main domain for some reason, the backend system remains additionally protected by its independent access policy.

Moreover, it makes independent SSL/TLS encryption easy to implement. Although the main site usually also deploys HTTPS, configuring a dedicated SSL certificate for the independent backend domain can further secure the data transmitted during backend management, preventing sensitive information (such as login credentials and operation data) from being intercepted or tampered with in transit. This not only meets modern network security standards, but also increases the operations staff's trust in the backend environment.

Finally, it enhances professionalism and management convenience. A dedicated backend domain name not only looks more professional but also makes the backend entry easier for the team to recognize and remember, avoiding confusion with front-end operations. In a multi-site management scenario, giving each site an independent backend domain also makes the management structure clearer.

How to configure an independent domain for AnQiCMS backend: A Practical Guide

AnQiCMS added the feature 'Support custom backend domain name function, enhance backend protection' in version v2.1.1, which provides official support for achieving the security goals above.

Step 1: Register and resolve a dedicated backend domain

You need to choose a suitable subdomain for the backend, such as admin.yourdomain.com or manage.yourdomain.com. It can even be a new domain name completely different from the main site domain. After choosing it, go to your domain registrar or DNS service provider, add an A record for this new domain, and point it to the IP address of your AnQiCMS server. Wait for DNS resolution to take effect, which usually takes a few minutes to a few hours.

Step 2: Configure the web server reverse proxy

AnQiCMS, as a Go application, typically runs on a specific port (8001 by default). To allow external domains to reach this port, we need to set up a reverse proxy through a web server such as Nginx or Apache.

For example, with Nginx you need to add a server block for the backend domain to your Nginx configuration file, or add a new location block to the existing main domain's configuration to handle this subdomain, and forward all requests for admin.yourdomain.com to the port where AnQiCMS is running. A basic Nginx configuration snippet might look like this:

server {
    listen 80; # Listen for HTTP requests
    server_name admin.yourdomain.com; # Your backend domain

    # Strongly recommended: configure HTTPS here and redirect HTTP requests to HTTPS
    # listen 443 ssl;
    # server_name admin.yourdomain.com;
    # ssl_certificate /path/to/your/admin.yourdomain.com.pem;
    # ssl_certificate_key /path/to/your/admin.yourdomain.com.key;
    # return 301 https://$host$request_uri; # Force HTTP to redirect to HTTPS

    location / {
        proxy_pass http://127.0.0.1:8001; # Forward requests to the port AnQiCMS runs on
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

If you are using a management tool such as Baota panel, 1Panel, or aaPanel, these tools usually provide an intuitive reverse proxy configuration interface. For example, under 'Website' -> 'Reverse Proxy' in Baota panel, add your backend domain and set the target URL to http://127.0.0.1:8001. Make sure to restart the Nginx or Apache service after the change so that it takes effect.

Step 3: Configure the domain in the AnQiCMS backend

With the domain resolution and the web server's reverse proxy configured, we still need to tell AnQiCMS where its new home is.

Log in to the AnQiCMS admin panel (at this point you may still need to access it through /system/ on the original main domain). Navigate to the 'Global Function Settings' page under 'Admin Settings' (refer to the help-setting-system.md document). Here you will find an option named "Backend Domain Address". Enter your newly configured independent domain name in this field, for example https://admin.yourdomain.com.

Important reminder: When filling in the backend domain address, it is strongly recommended to use the complete URL beginning with https://. Even if SSL is not yet fully configured on your server, preset the address to HTTPS, because once the SSL configuration is complete you will always access the backend through an encrypted connection, and AnQiCMS will generate the correct links accordingly.

Step 4: Enable HTTPS encrypted connection (strongly recommended)

Although SSL configuration was already mentioned in the second step, it is worth emphasizing again. Applying for and installing an SSL certificate for your independent backend domain is a critical step in enhancing security. You can obtain a free certificate from Let's Encrypt, and most server management panels provide a foolproof application and deployment feature. Enable HTTPS and make sure your web server configuration redirects all HTTP requests to HTTPS.

How to verify after the configuration is completed?

After all the settings are done, enter the new backend domain you have configured in your browser, for example https://admin.yourdomain.com/system/ (or any custom path you set). If everything went well, you should be able to reach the AnQiCMS backend login page normally. Also try to access the original yourdomain.com/system/ path and check whether it is redirected to the new domain name or blocked by the web server, depending on your specific Nginx/Apache configuration. For security reasons, it is recommended to redirect the original /system/ path to the new domain or block access to it outright, to avoid exposure.
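The HTTPS redirect, source-address restriction and blocking of the original /system/ path described in the steps above can be combined into one Nginx configuration. This is an added example, not taken from the AnQiCMS documentation; the allowlisted address 203.0.113.10 and all certificate paths are assumptions to replace with your own values.

```nginx
# Added example. Assumed values: 203.0.113.10 as the administrators'
# address, the certificate paths, and AnQiCMS on its default port 8001.

# Backend domain over HTTP: redirect only, never proxy in clear text.
server {
    listen 80;
    server_name admin.yourdomain.com;
    return 301 https://$host$request_uri;
}

# Backend domain over HTTPS: restricted by source address, then proxied.
server {
    listen 443 ssl;
    server_name admin.yourdomain.com;

    ssl_certificate     /path/to/your/admin.yourdomain.com.pem;
    ssl_certificate_key /path/to/your/admin.yourdomain.com.key;

    # Allowlist (constructed address). Other clients receive 403.
    # Behind a CDN or load balancer, $remote_addr is the proxy's address,
    # so restrict at that layer instead.
    allow 203.0.113.10;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Main site: stop exposing the backend path on the public domain.
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate     /path/to/your/yourdomain.com.pem;
    ssl_certificate_key /path/to/your/yourdomain.com.key;

    # Block the old entry; to redirect instead, use:
    #   return 301 https://admin.yourdomain.com$request_uri;
    location ^~ /system/ { return 404; }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header Host $host;
    }
}
```

Check the syntax with nginx -t before reloading, then repeat the verification above from both an allowlisted and a non-allowlisted address.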

With these steps, your AnQiCMS backend will run in a safer and more concealed environment, safeguarding the operation of your website. Security is not achieved overnight; it is a process of continuous improvement, and setting up an independent domain for the backend is an important part of that process.


Common Questions (FAQ)

Q1: After setting a separate domain name for the backend, does it mean that the front-end website and the backend must be deployed on different servers?

A1: Not necessarily. The purpose of setting an independent domain name for the AnQiCMS backend is mainly to separate the access entry and strengthen the access control policy, while the front end and the backend can still be deployed on the same server. Requests to admin.yourdomain.com are forwarded to the port on which AnQiCMS runs internally (8001 by default), and requests to yourdomain.com go to the AnQiCMS front-end service. In this way, they share the same server resources at the physical level but are separated at the logical access level.

**Q2: After configuring a separate domain name, the original main domain's `/system/