diff --git a/scripts/update.sh b/scripts/update.sh
index 6e190f4..cc1dec3 100755
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -504,6 +504,33 @@ if ! $_COMPOSE ps --services --filter status=running 2>/dev/null | grep -q "^ngi
   ok "nginx 已启动"
 fi
 
+
+# ---------------------------------------------------------------------------
+# 迁移 A — 私有化 nginx 禁止用户自注册
+# upgrade.sh 会用新包覆盖 nginx conf，update.sh 单独运行时需手动注入
+# ---------------------------------------------------------------------------
+_nginx_conf="$ROOT_DIR/config/nginx/conf.d/xuqm.conf"
+if [ -f "$_nginx_conf" ] && ! grep -q 'api/auth/register' "$_nginx_conf"; then
+  python3 - "$_nginx_conf" <<\'PYEOF\'
+import re, sys
+content = open(sys.argv[1]).read()
+block = """  # 私有化部署：精确拦截用户自注册（必须在通用 /api/ 之前）
+  location = /api/auth/register {
+    add_header Content-Type \'application/json; charset=utf-8\' always;
+    return 403 \'{"code":403,"status":"1","data":null,"message":"私有化部署已禁用用户自注册"}\';
+  }
+
+"""
+content = re.sub(r"(  # 核心 API)", block + r"\1", content, count=1)
+open(sys.argv[1], \'w\').write(content)
+PYEOF
+  ok "nginx conf 已补充用户注册拦截规则"
+  # 重载 nginx 容器使配置生效
+  docker exec xuqm-private-nginx-1 nginx -s reload 2>/dev/null && ok "nginx 已 reload" || warn "nginx reload 失败，将在容器重启后生效"
+else
+  ok "nginx 用户注册拦截规则已存在，跳过"
+fi
+
 # ---------------------------------------------------------------------------
 # Step 7 — 等待 tenant-service 健康
 # ---------------------------------------------------------------------------