diff --git a/.env b/.env
index 30787fd..bd6d4d9 100644
--- a/.env
+++ b/.env
@@ -1,15 +1,15 @@
 # Copy this file to .env before running docker compose.
 # XXXX LAN access: set PUBLIC_HOST to the machine IP, for example 192.168.3.11.
 # XXXX Public-domain access through frpc/frps + NPM: set PUBLIC_HOST to the external frontend host, for example seg.example.com.
-PUBLIC_HOST=192.168.3.11
+PUBLIC_HOST=seg.huijutec.cn
 
 # XXXX Frontend build-time API/WebSocket endpoints.
 # LAN default can stay empty because the frontend infers http://<browser-host>:8000.
 # Public-domain example:
 # VITE_API_BASE_URL=https://seg-api.example.com
 # VITE_WS_PROGRESS_URL=wss://seg-api.example.com/ws/progress
-VITE_API_BASE_URL=
-VITE_WS_PROGRESS_URL=
+VITE_API_BASE_URL=https://seg-api.huijutec.cn
+VITE_WS_PROGRESS_URL=wss://seg-api.huijutec.cn/ws/progress
 
 FRONTEND_PORT=3000
 BACKEND_PORT=8000
@@ -24,10 +24,11 @@ MINIO_ACCESS_KEY=minioadmin
 MINIO_SECRET_KEY=minioadmin
 
 # XXXX Browser-facing MinIO endpoint used to generate image/frame presigned URLs.
-# LAN example: 192.168.3.11:9000 and MINIO_SECURE=false
-# Public-domain example: seg-minio.example.com and MINIO_SECURE=true
-MINIO_PUBLIC_ENDPOINT=192.168.3.11:9000
+# LAN example: 192.168.3.11:9000 with MINIO_SECURE=false
+# Public-domain example: seg-minio.example.com with MINIO_PUBLIC_SECURE=true
+MINIO_PUBLIC_ENDPOINT=seg-minio.huijutec.cn
 MINIO_SECURE=false
+MINIO_PUBLIC_SECURE=true
 
 # Local directory containing SAM 2.1 checkpoints.
 # Keep this relative path so the whole Seg_Server_Docker folder can be moved.
@@ -36,7 +37,7 @@ SAM_MODELS_DIR=./models
 # XXXX Must include every browser origin that will open the frontend.
 # LAN example: ["http://192.168.3.11:3000","http://localhost:3000","http://127.0.0.1:3000"]
 # Public-domain example: ["https://seg.example.com"]
-CORS_ORIGINS=["http://192.168.3.11:3000","http://localhost:3000","http://127.0.0.1:3000"]
+CORS_ORIGINS=["https://seg.huijutec.cn","http://seg.huijutec.cn","http://localhost:3000","http://127.0.0.1:3000"]
 
 JWT_SECRET_KEY=change-this-to-a-long-random-production-secret
 ACCESS_TOKEN_EXPIRE_MINUTES=1440
diff --git a/.env.example b/.env.example
index 8a4d537..68708d9 100644
--- a/.env.example
+++ b/.env.example
@@ -24,10 +24,11 @@ MINIO_ACCESS_KEY=minioadmin
 MINIO_SECRET_KEY=minioadmin
 
 # XXXX Browser-facing MinIO endpoint used to generate image/frame presigned URLs.
-# LAN example: localhost:9000 and MINIO_SECURE=false
-# Public-domain example: seg-minio.example.com and MINIO_SECURE=true
+# LAN example: localhost:9000 with MINIO_SECURE=false
+# Public-domain example: seg-minio.example.com with MINIO_PUBLIC_SECURE=true
 MINIO_PUBLIC_ENDPOINT=localhost:9000
 MINIO_SECURE=false
+# MINIO_PUBLIC_SECURE=true
 
 # Local directory containing SAM 2.1 checkpoints.
 # Keep ./models for a self-contained deploy, or point to another path only when deliberately sharing a model cache.
diff --git a/README.md b/README.md
index 03aface..553679f 100644
--- a/README.md
+++ b/README.md
@@ -103,6 +103,7 @@ MINIO_ACCESS_KEY=minioadmin
 MINIO_SECRET_KEY=minioadmin
 MINIO_PUBLIC_ENDPOINT=localhost:9000
 MINIO_SECURE=false
+# MINIO_PUBLIC_SECURE=true
 
 SAM_MODELS_DIR=./models
 
@@ -344,7 +345,8 @@ VITE_WS_PROGRESS_URL=wss://seg-api.example.com/ws/progress
 
 # XXXX Browser-facing MinIO endpoint
 MINIO_PUBLIC_ENDPOINT=seg-minio.example.com
-MINIO_SECURE=true
+MINIO_SECURE=false
+MINIO_PUBLIC_SECURE=true
 
 # XXXX Browser origins
 CORS_ORIGINS=["https://seg.example.com"]
diff --git a/backend/config.py b/backend/config.py
index 0948024..9e18e6f 100644
--- a/backend/config.py
+++ b/backend/config.py
@@ -18,6 +18,7 @@ class Settings(BaseSettings):
     minio_access_key: str = "minioadmin"
     minio_secret_key: str = "minioadmin"
     minio_secure: bool = False
+    minio_public_secure: bool | None = None
 
     # SAM
     sam_default_model: str = "sam2.1_hiera_tiny"
diff --git a/backend/minio_client.py b/backend/minio_client.py
index 8d9df21..a6d8ef1 100644
--- a/backend/minio_client.py
+++ b/backend/minio_client.py
@@ -35,11 +35,14 @@ def get_minio_public_client() -> Minio:
     global _minio_public_client
     if _minio_public_client is None:
         endpoint = settings.minio_public_endpoint or settings.minio_endpoint
+        secure = settings.minio_public_secure
+        if secure is None:
+            secure = settings.minio_secure
         _minio_public_client = Minio(
             endpoint,
             access_key=settings.minio_access_key,
             secret_key=settings.minio_secret_key,
-            secure=settings.minio_secure,
+            secure=secure,
         )
     return _minio_public_client
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 65eb5e1..304d2ed 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -132,7 +132,6 @@ services:
     restart: unless-stopped
     profiles:
       - frpc
-    command: ["-c", "/etc/frp/frpc.toml"]
     volumes:
       - ./docker/frpc/frpc.toml:/etc/frp/frpc.toml:ro
     depends_on:
diff --git a/docker/frpc/frpc.toml b/docker/frpc/frpc.toml
index 09d14fc..c9aa3ec 100644
--- a/docker/frpc/frpc.toml
+++ b/docker/frpc/frpc.toml
@@ -3,43 +3,41 @@
 # after replacing every "# XXXX" placeholder below.
 
 # 基础连接配置
-# XXXX 公网 frps 服务器地址，例如 "1.2.3.4" 或 "frps.example.com"
-serverAddr = "XX.XX.XX.XX"
+serverAddr = "82.157.255.195"
 # XXXX 公网 frps 服务端口，必须与 frps 的 bindPort 一致
 serverPort = 7000
 
 # 权限验证 - 必须与服务端一致
 auth.method = "token"
-# XXXX 必须替换为 frps 服务端配置中的 token
-auth.token = "XXXXX"
+auth.token = "en.xjtu.edu.cn"
 
 # 传输配置优化
 transport.poolCount = 5
 transport.heartbeatTimeout = -1
 
 # --- 映射前端访问端口 ---
-# XXXX NPM 可反代公网服务器本机 remotePort 13000 到 seg.example.com
+# NPM 可反代公网服务器本机 remotePort 10000 到 seg.huijutec.cn
 [[proxies]]
 name = "seg-frontend"
 type = "tcp"
 localIP = "frontend"
 localPort = 80
-remotePort = 13000
+remotePort = 10000
 
 # --- 映射后端 API + WebSocket 端口 ---
-# XXXX NPM 可反代公网服务器本机 remotePort 18000 到 seg-api.example.com，并开启 WebSocket Support
+# NPM 可反代公网服务器本机 remotePort 10001 到 seg-api.huijutec.cn，并开启 WebSocket Support
 [[proxies]]
 name = "seg-backend"
 type = "tcp"
 localIP = "backend"
 localPort = 8000
-remotePort = 18000
+remotePort = 10001
 
 # --- 映射 MinIO 图片/帧图/缩略图端口 ---
-# XXXX NPM 可反代公网服务器本机 remotePort 19000 到 seg-minio.example.com
+# NPM 可反代公网服务器本机 remotePort 10002 到 seg-minio.huijutec.cn
 [[proxies]]
 name = "seg-minio"
 type = "tcp"
 localIP = "minio"
 localPort = 9000
-remotePort = 19000
+remotePort = 10002