diff --git a/apps/infra/devops/gitea/helmchart.yaml b/apps/infra/devops/gitea/helmchart.yaml
index a49668f..1eac83e 100644
--- a/apps/infra/devops/gitea/helmchart.yaml
+++ b/apps/infra/devops/gitea/helmchart.yaml
@@ -42,6 +42,12 @@ spec:
       className: nginx
       annotations:
         nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          proxy_set_header Accept-Encoding "";
+          subs_filter_types text/html;
+          subs_filter '<(script|img|link)([^>]*) (src|href)="/' '<$1$2 $3="https://cdn.fillcode.com/git-dev-cm/' ri;
+          subs_filter 'url\(\/' 'url(https://cdn.fillcode.com/git-dev-cm/' ri;
+          subs_filter '<head>' '<head><script src="/__static/pwa-cdn.js"></script>' ri;
       hosts:
         - host: git.dev.cm
           paths:
diff --git a/apps/infra/monitor/prometheus/helmchart.yaml b/apps/infra/monitor/prometheus/helmchart.yaml
index 69b8530..4713fa4 100644
--- a/apps/infra/monitor/prometheus/helmchart.yaml
+++ b/apps/infra/monitor/prometheus/helmchart.yaml
@@ -32,6 +32,14 @@ spec:
       ingress:
         enabled: true
         ingressClassName: nginx
+        annotations:
+          nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+          nginx.ingress.kubernetes.io/configuration-snippet: |
+            proxy_set_header Accept-Encoding "";
+            subs_filter_types text/html;
+            subs_filter '<(script|img|link)([^>]*) (src|href)="/' '<$1$2 $3="https://cdn.fillcode.com/monitor-dev-cm/' ri;
+            subs_filter 'url\(\/' 'url(https://cdn.fillcode.com/monitor-dev-cm/' ri;
+            subs_filter '<head>' '<head><script src="/__static/pwa-cdn.js"></script>' ri;
         hosts:
           - monitor.dev.cm
         paths:
diff --git a/apps/infra/net/nginx/configmap-static.yaml b/apps/infra/net/nginx/configmap-static.yaml
index 097b4bb..b35a116 100644
--- a/apps/infra/net/nginx/configmap-static.yaml
+++ b/apps/infra/net/nginx/configmap-static.yaml
@@ -376,7 +376,7 @@ data:
     let config = {
         cdnUrl: 'https://cdn.fillcode.com/',
         serviceWorkerUrl: '/__static/sw-cdn.js',
-        staticRegex: /\.(js|css|png|jpg|jpeg|gif|svg|webp|woff|woff2|ttf|ico)$/,
+        staticRegex: /(.*\.(css|js|png|jpg|jpeg|gif|svg|webp|ico|woff|woff2|ttf|eot)|avatars[^/]+)$/,
         debug: false,
     }
     
@@ -426,13 +426,19 @@ data:
         if (config.debug) console.log('PWA-CDN:', url.href, '->', targetUrl)
     
         try {
-            // 创建新请求，保留原始缓存策略
-            const newRequest = new Request(targetUrl, {...request, mode: 'cors'})
+            // 创建新请求
+            const newRequest = new Request(targetUrl, {
+                ...request,
+                mode: 'cors',
+                credentials: 'include',
+                redirect: 'manual',
+            })
     
             // 请求目标域名，浏览器会自动处理缓存
             const response = await fetch(newRequest)
     
-            if (!response.ok) throw new Error('Target domain response not ok: ' + response.status)
+            // 当遇到非2XX返回时 全部回退原始请求 防止鉴权、重定向等问题
+            if (response.status < 200 || response.status >= 300) throw new Error('PWA-CDN: Non-2xx response detected')
     
             return response
         } catch (error) {
diff --git a/apps/infra/net/nginx/ingress-cdn.yaml b/apps/infra/net/nginx/ingress-cdn.yaml
index 9e8046f..0d692a5 100644
--- a/apps/infra/net/nginx/ingress-cdn.yaml
+++ b/apps/infra/net/nginx/ingress-cdn.yaml
@@ -14,9 +14,11 @@ metadata:
     nginx.ingress.kubernetes.io/enable-cors: "true"
     nginx.ingress.kubernetes.io/cors-allow-origin: "https://dev.cm, https://*.dev.cm, https://fillcode.cm, https://*.fillcode.cm"
     nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-    nginx.ingress.kubernetes.io/proxy-cookie-domain: "~^(.+)$ cdn.fillcode.com"
-    nginx.ingress.kubernetes.io/proxy-cookie-path: "~^/(.*)$ /$1"
-    nginx.ingress.kubernetes.io/proxy-cookie-flags: "* Secure SameSite=None"
+    # cookie配置
+    nginx.ingress.kubernetes.io/proxy-cookie-domain: "* cdn.fillcode.com"
+    nginx.ingress.kubernetes.io/proxy-cookie-path: "/ /$1"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_cookie_flags ~ SameSite=None Secure;
 spec:
   ingressClassName: nginx
   rules:
diff --git a/apps/infra/net/nginx/static/sw-cdn.js b/apps/infra/net/nginx/static/sw-cdn.js
index 67678c0..602a381 100644
--- a/apps/infra/net/nginx/static/sw-cdn.js
+++ b/apps/infra/net/nginx/static/sw-cdn.js
@@ -4,7 +4,7 @@
 let config = {
     cdnUrl: 'https://cdn.fillcode.com/',
     serviceWorkerUrl: '/__static/sw-cdn.js',
-    staticRegex: /\.(js|css|png|jpg|jpeg|gif|svg|webp|woff|woff2|ttf|ico)$/,
+    staticRegex: /(.*\.(css|js|png|jpg|jpeg|gif|svg|webp|ico|woff|woff2|ttf|eot)|avatars[^/]+)$/,
     debug: false,
 }
 
@@ -54,17 +54,19 @@ async function handleStaticResource(request, url) {
     if (config.debug) console.log('PWA-CDN:', url.href, '->', targetUrl)
 
     try {
-        // 创建新请求，保留原始缓存策略
+        // 创建新请求
         const newRequest = new Request(targetUrl, {
             ...request,
             mode: 'cors',
             credentials: 'include',
+            redirect: 'manual',
         })
 
         // 请求目标域名，浏览器会自动处理缓存
         const response = await fetch(newRequest)
 
-        if (!response.ok) throw new Error('Target domain response not ok: ' + response.status)
+        // 当遇到非2XX返回时 全部回退原始请求 防止鉴权、重定向等问题
+        if (response.status < 200 || response.status >= 300) throw new Error('PWA-CDN: Non-2xx response detected')
 
         return response
     } catch (error) {