diff --git a/conf.d/assets-ai.conf b/conf.d/assets-ai.conf
index 30d5d46..ae0fb06 100644
--- a/conf.d/assets-ai.conf
+++ b/conf.d/assets-ai.conf
@@ -2,48 +2,13 @@ server {
 listen 443 ssl;
 server_name assets.tlyq.ai;
 
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
-
- # Authelia 认证端点(internal = 仅子请求可访问)
- location /authelia-auth {
- internal;
- proxy_pass http://authelia:9091/api/authz/auth-request;
- proxy_set_header Cookie $http_cookie;
- proxy_set_header X-Original-Method $request_method;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header X-Forwarded-URI $request_uri;
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- }
+ ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
 location / {
- auth_request /authelia-auth;
-
- auth_request_set $user $upstream_http_remote_user;
- auth_request_set $groups $upstream_http_remote_groups;
-
- proxy_set_header X-Remote-User $user;
- proxy_set_header X-Remote-Groups $groups;
- proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";
-
+ proxy_pass http://assets-ai:3000;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_pass http://assets-ai:3000;
- }
-
- error_page 401 =302 https://sso.tlyq.ai/?rd=$scheme://$http_host$request_uri;
- error_page 502 503 = @fallback;
-
- location @fallback {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://assets-ai:3000;
+ proxy_set_header X-Forwarded-Proto https;
 }
 }
diff --git a/conf.d/cloud-ai.conf b/conf.d/cloud-ai.conf
index fb985f7..f4c9bf8 100644
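Review bot: With `auth_request` gone, the new `location /` no longer sets `X-Remote-User`, `X-Remote-Groups` or `X-Auth-Proxy-Key`, so whatever a client sends in those headers is now forwarded to assets-ai:3000 unchanged, whereas before nginx always overwrote them with Authelia's result. If the upstream still treats them as proxy-asserted identity this becomes a spoofable bypass; either confirm the app has dropped that trust or clear them explicitly with `proxy_set_header X-Remote-User "";`, `proxy_set_header X-Remote-Groups "";`, `proxy_set_header X-Auth-Proxy-Key "";` (an empty value makes nginx drop the header). The issue-ai.conf hunk removes the identical block and needs the same treatment. Access control for assets.tlyq.ai now rests entirely on the upstream app, which is presumably intended but is not recorded anywhere in the diff. The `server {` block opens before the hunk.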
--- a/conf.d/cloud-ai.conf
+++ b/conf.d/cloud-ai.conf
@@ -2,8 +2,8 @@ server {
 listen 443 ssl;
 server_name cloud.tlyq.ai;
 
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
 location / {
 proxy_pass http://cloud-ai;
diff --git a/conf.d/git-ai.conf b/conf.d/git-ai.conf
index 5157ac8..1839091 100644
--- a/conf.d/git-ai.conf
+++ b/conf.d/git-ai.conf
@@ -2,8 +2,8 @@ server {
 listen 443 ssl;
 server_name git.tlyq.ai;
 
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
 # Gitea 通过 OIDC 认证,不走 auth_request,只需基本反向代理
 location / {
diff --git a/conf.d/issue-ai.conf b/conf.d/issue-ai.conf
index e703bd9..8392ff4 100644
--- a/conf.d/issue-ai.conf
+++ b/conf.d/issue-ai.conf
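Review bot: `ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem` is now served for cloud.tlyq.ai, but nothing in the diff shows that this certificate lists cloud.tlyq.ai as a SAN; if it was issued for oa.tlyq.ai alone, every vhost switched here will fail hostname verification. The same swap is made in git-ai.conf, root-domain.conf, token-ai.conf, www-ai.conf, assets-ai.conf and issue-ai.conf. Checking once with `openssl x509 -in /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem -noout -ext subjectAltName` before reload would settle it, and a comment above the directive such as `# shared cert: the oa.tlyq.ai lineage must carry SANs for every *.tlyq.ai vhost` would record the dependency for the next renewal. The `server {` block opens before the hunk.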
@@ -2,48 +2,13 @@ server {
 listen 443 ssl;
 server_name issue.tlyq.ai;
 
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
-
- # Authelia 认证端点(internal = 仅子请求可访问)
- location /authelia-auth {
- internal;
- proxy_pass http://authelia:9091/api/authz/auth-request;
- proxy_set_header Cookie $http_cookie;
- proxy_set_header X-Original-Method $request_method;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header X-Forwarded-URI $request_uri;
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- }
+ ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
 location / {
- auth_request /authelia-auth;
-
- auth_request_set $user $upstream_http_remote_user;
- auth_request_set $groups $upstream_http_remote_groups;
-
- proxy_set_header X-Remote-User $user;
- proxy_set_header X-Remote-Groups $groups;
- proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";
-
+ proxy_pass http://issue-ai:3000;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_pass http://issue-ai:3000;
- }
-
- error_page 401 =302 https://sso.tlyq.ai/?rd=$scheme://$http_host$request_uri;
- error_page 502 503 = @fallback;
-
- location @fallback {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://issue-ai:3000;
+ proxy_set_header X-Forwarded-Proto https;
 }
 }
diff --git a/conf.d/oa-ai.conf b/conf.d/oa-ai.conf
new file mode 100644
index 0000000..a75ce3b
--- /dev/null
+++ b/conf.d/oa-ai.conf
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl;
+ server_name oa.tlyq.ai;
+
+ ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+
+ location /_next/static/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream oa-ai:3000;
+ proxy_pass http://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto https;
+ expires 1y;
+ add_header Cache-Control "public, immutable";
+ }
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream oa-ai:3000;
+ proxy_pass http://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto https;
+ add_header Cache-Control "no-cache, no-store, must-revalidate";
+ }
+}
diff --git a/conf.d/root-domain.conf b/conf.d/root-domain.conf
index 4e836fe..545b7f9 100644
--- a/conf.d/root-domain.conf
+++ b/conf.d/root-domain.conf
@@ -5,8 +5,8 @@ server {
 server_name tlyq.ai;
 
 # 共用现有证书
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
 return 301 https://www.tlyq.ai$request_uri;
 }
diff --git a/conf.d/sso-ai.conf b/conf.d/sso-ai.conf
deleted file mode 100644
index 81ef68e..0000000
--- a/conf.d/sso-ai.conf
+++ /dev/null
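Review bot: The new oa.tlyq.ai vhost is the only one left pointing at `/etc/letsencrypt/live/www.tlyq.ai/fullchain.pem`, while every other file in this diff, including root-domain.conf on this same line, moves to the oa.tlyq.ai lineage; this looks transposed, and if the oa.tlyq.ai certificate is the one that now covers all hosts, oa.tlyq.ai itself may end up presenting a certificate without its own name. Unless the www lineage was kept on purpose I would expect `ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;` here. Style-wise the two locations duplicate `resolver`, `set $upstream` and the three `proxy_set_header` lines; `resolver` and `set` can be declared once at server level and are inherited. No authentication is configured in front of this app; that may be intended, but the diff does not say.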
@@ -1,23 +0,0 @@
-server {
- listen 443 ssl;
- server_name sso.tlyq.ai;
-
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
-
- # 登录接口限流
- location /api/firstfactor {
- limit_req zone=sso_login burst=3 nodelay;
- proxy_pass http://authelia:9091;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location / {
- proxy_pass http://authelia:9091;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-}
diff --git a/conf.d/token-ai.conf b/conf.d/token-ai.conf
index 2f55f1e..ed0129e 100644
--- a/conf.d/token-ai.conf
+++ b/conf.d/token-ai.conf
@@ -2,8 +2,8 @@ server {
 listen 443 ssl;
 server_name token.tlyq.ai;
 
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
 location / {
 proxy_pass http://token-ai;
diff --git a/conf.d/www-ai.conf b/conf.d/www-ai.conf
index 52e0ba1..dde8f3b 100644
--- a/conf.d/www-ai.conf
+++ b/conf.d/www-ai.conf
@@ -2,11 +2,13 @@ server {
 listen 443 ssl;
 server_name www.tlyq.ai;
 
- ssl_certificate /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/oa.tlyq.ai/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oa.tlyq.ai/privkey.pem;
 
 location / {
- proxy_pass http://www-ai;
+ resolver 127.0.0.11 valid=30s;
+ set $upstream www-ai;
+ proxy_pass http://$upstream;
 proxy_set_header Host $host;
 }
 }
diff --git a/nginx.conf b/nginx.conf
index 62f6da0..6914273 100644
--- a/nginx.conf
+++ b/nginx.conf
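Review bot: `resolver 127.0.0.11 valid=30s;` is now repeated inside `location /` of www-ai.conf and in both locations of oa-ai.conf; a single `resolver 127.0.0.11 valid=30s;` in the `http {}` block of nginx.conf is inherited by every vhost and keeps the Docker-DNS dependency in one place. Switching to `proxy_pass http://$upstream` also moves name resolution from config load to request time, so an unresolvable `www-ai` now shows up as a failed request instead of a failed reload; that is presumably the intent (re-resolving restarted containers), but it deserves a comment such as `# variable upstream: re-resolve via Docker DNS at request time instead of pinning the IP at reload`. The `server {` block opens before the hunk.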
@@ -3,9 +3,6 @@ events {}
 http {
 include /etc/nginx/conf.d/*.conf;
 
- # SSO 登录限流:按真实客户端 IP(X-Forwarded-For),每分钟 5 次,burst 3
- limit_req_zone $http_x_forwarded_for zone=sso_login:10m rate=5r/m;
-
 # 所有 HTTP 自动跳 HTTPS
 server {
 listen 80 default_server;
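Review bot: Deleting `limit_req_zone ... zone=sso_login:10m` removes the only rate limit in the configuration, so no sign-in or token endpoint behind this proxy is throttled any more; the sso-ai.conf vhost that consumed the zone is deleted in the same diff, so the directive is dead as written, but the protection is not moved anywhere. If the apps behind oa-ai, assets-ai or issue-ai expose their own login, a replacement zone is worth keeping, keyed on the connecting address rather than a client-supplied header, `limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;` — as far as the diff shows this nginx terminates TLS itself (`listen 443 ssl`), so `$binary_remote_addr` is the real client. The `http {}` block continues past the hunk.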