From 7abf1e1f26fbf9da0524506783b32f45ace4c6c2 Mon Sep 17 00:00:00 2001
From: xuqinmin12 <xuqinmin12@sina.com>
Date: Fri, 12 Jun 2026 22:43:24 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20update.sh=20=E8=BF=81=E7=A7=BBA-nginx?=
 =?UTF-8?q?=E6=8B=A6=E6=88=AA=E6=B3=A8=E5=86=8C+=E5=85=BC=E5=AE=B9?=
 =?UTF-8?q?=E7=8E=B0=E6=9C=89=E9=83=A8=E7=BD=B2=E7=AB=AF=E5=8F=A3+?=
 =?UTF-8?q?=E9=9D=9E=E4=BA=A4=E4=BA=92=E6=8B=89=E9=95=9C=E5=83=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/update.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/scripts/update.sh b/scripts/update.sh
index 6e190f4..cc1dec3 100755
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -504,6 +504,33 @@ if ! $_COMPOSE ps --services --filter status=running 2>/dev/null | grep -q "^ngi
   ok "nginx 已启动"
 fi
 
+
+# ---------------------------------------------------------------------------
+# 迁移 A — 私有化 nginx 禁止用户自注册
+# upgrade.sh 会用新包覆盖 nginx conf，update.sh 单独运行时需手动注入
+# ---------------------------------------------------------------------------
+_nginx_conf="$ROOT_DIR/config/nginx/conf.d/xuqm.conf"
+if [ -f "$_nginx_conf" ] && ! grep -q 'api/auth/register' "$_nginx_conf"; then
+  python3 - "$_nginx_conf" <<\'PYEOF\'
+import re, sys
+content = open(sys.argv[1]).read()
+block = """  # 私有化部署：精确拦截用户自注册（必须在通用 /api/ 之前）
+  location = /api/auth/register {
+    add_header Content-Type \'application/json; charset=utf-8\' always;
+    return 403 \'{"code":403,"status":"1","data":null,"message":"私有化部署已禁用用户自注册"}\';
+  }
+
+"""
+content = re.sub(r"(  # 核心 API)", block + r"\1", content, count=1)
+open(sys.argv[1], \'w\').write(content)
+PYEOF
+  ok "nginx conf 已补充用户注册拦截规则"
+  # 重载 nginx 容器使配置生效
+  docker exec xuqm-private-nginx-1 nginx -s reload 2>/dev/null && ok "nginx 已 reload" || warn "nginx reload 失败，将在容器重启后生效"
+else
+  ok "nginx 用户注册拦截规则已存在，跳过"
+fi
+
 # ---------------------------------------------------------------------------
 # Step 7 — 等待 tenant-service 健康
 # ---------------------------------------------------------------------------