diff --git a/deploy/web/default.conf b/deploy/web/default.conf
index f0acb7b..754a18c 100644
--- a/deploy/web/default.conf
+++ b/deploy/web/default.conf
@@ -4,9 +4,12 @@ server {
 root /usr/share/nginx/html;
 index index.html;
- # 根路径下的验证文件走热加载目录
- location ~ ^/([A-Za-z0-9._-]+\.(txt|html|xml))$ {
- alias /verify-root/$1;
+ # 域名/微信等验证文件:用 root+URI,勿用「正则 + alias $1」(易 403);文件放宿主机 ./verify-root/
+ location ~ ^/[A-Za-z0-9._-]+\.(txt|html|xml)$ {
+ root /verify-root;
+ try_files $uri =404;
+ default_type text/plain;
+ add_header Cache-Control "no-store";
 }
 # 静态资源必须真实存在,避免错误回退成 index.html 导致白屏
diff --git a/docker-compose.yml b/docker-compose.yml
index ee47899..02dc329 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -62,6 +62,7 @@ services:
 - ./scripts/nginx-entrypoint-wait-dns.sh:/nginx-entrypoint-wait-dns.sh:ro
 - ./nginx/yuheng.docker.conf.tpl:/yuheng.docker.conf.tpl:ro
 - ./nginx/runtime-confd:/etc/nginx/conf.d
+ - ./verify-root:/verify-root:ro
 - /etc/ssl/yh_web/yuheng.yuxindazhineng.com:/etc/ssl/yh_web/yuheng.yuxindazhineng.com:ro
 depends_on:
 - api
diff --git a/nginx/web.conf b/nginx/web.conf
index 7253d65..b4e4d5a 100644
--- a/nginx/web.conf
+++ b/nginx/web.conf
@@ -4,8 +4,11 @@ server {
 root /usr/share/nginx/html;
 index index.html;
- location ~ ^/([A-Za-z0-9._-]+\.(txt|html|xml))$ {
- alias /verify-root/$1;
+ location ~ ^/[A-Za-z0-9._-]+\.(txt|html|xml)$ {
+ root /verify-root;
+ try_files $uri =404;
+ default_type text/plain;
+ add_header Cache-Control "no-store";
 }
 location ^~ /assets/ {
diff --git a/nginx/yuheng.docker.conf.tpl b/nginx/yuheng.docker.conf.tpl
index 4009e5e..9da86e3 100644
--- a/nginx/yuheng.docker.conf.tpl
+++ b/nginx/yuheng.docker.conf.tpl
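Review bot: The new `location ~ ^/[A-Za-z0-9._-]+\.(txt|html|xml)$` captures every root-level `.txt`/`.html`/`.xml` request, including `/index.html`, `/robots.txt` and `/sitemap.xml`, and `try_files $uri =404` now answers those from `/verify-root` instead of the site root (or, in nginx/yuheng.docker.conf.tpl, instead of the `location /` proxy_pass, which as a plain prefix location loses to a matching regex), so they return 404 unless a copy is placed in ./verify-root; whether the `index index.html` internal redirect for `/` takes the same route depends on locations outside the hunk, so that needs confirming. A second effect of `add_header Cache-Control "no-store"` inside the location is that nginx stops inheriting any `add_header` directives from the server level for these responses, so if the server block sets security headers (HSTS, X-Content-Type-Options, …) they must be repeated here or moved into a shared include. `default_type text/plain` only applies to extensions absent from the included mime.types, so with the standard map `.html` is still served as text/html; if the comment is meant to promise plain-text delivery, drop the directive or annotate it `# default_type is a fallback only, .html/.xml keep their mime.types type`. The same block is added in nginx/web.conf and nginx/yuheng.docker.conf.tpl; an exact-match exception such as `location = /index.html { root /usr/share/nginx/html; }` ahead of the regex, or a narrower file-name pattern, would keep the SPA entry point reachable. The enclosing `server` block starts and ends outside the hunk.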
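Review bot: Only the service in this hunk gains `- ./verify-root:/verify-root:ro`, yet deploy/web/default.conf in the same commit serves from /verify-root inside the web container, and the new verify-root/README.md states that both `yh_nginx` and `yh_web` must mount the directory; unless the web service receives the same volume line elsewhere in the file, its new verification location returns 404 for every request. The `:ro` flag is the right choice for a directory that only needs to be read by nginx and should be kept on the second mount as well. The `volumes:` list and the service definition continue outside the hunk.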
@@ -17,6 +17,14 @@ server {
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ # 验证文件在 443 上直接读挂载目录,不经 yh_web 反代(避免正则 alias 403、与内网路径不一致)
+ location ~ ^/[A-Za-z0-9._-]+\.(txt|html|xml)$ {
+ root /verify-root;
+ try_files $uri =404;
+ default_type text/plain;
+ add_header Cache-Control "no-store";
+ }
+
 location / {
 set $upstream_web web;
 proxy_pass http://$upstream_web:80;
diff --git a/verify-root/README.md b/verify-root/README.md
new file mode 100644
index 0000000..3f940fe
--- /dev/null
+++ b/verify-root/README.md
@@ -0,0 +1,11 @@
+# 站点根验证文件(微信、域名所有权等)
+
+将平台提供的 **`xxxxxxxx.txt`** 或 **`.html`** 放在本目录,访问:
+
+`https://你的域名/文件名`
+
+## 若出现 403
+
+- 文件权限:`chmod 644 *.txt`,目录 `chmod 755`(或 `chmod -R a+rX .`)
+- 容器需能读挂载目录(Podman/SELinux 可尝试 `:Z` 或 `chcon`,见部署文档)
+- 确保 **`docker-compose` 中 `yh_nginx` 与 `yh_web` 均挂载 `./verify-root:/verify-root`**