diff --git a/backend/internal/repository/http_upstream.go b/backend/internal/repository/http_upstream.go
index ba6bb8fc..9e9f4e6e 100644
--- a/backend/internal/repository/http_upstream.go
+++ b/backend/internal/repository/http_upstream.go
@@ -124,19 +124,9 @@ func NewHTTPUpstream(cfg *config.Config) service.HTTPUpstream {
 // - 调用方必须关闭 resp.Body,否则会导致 inFlight 计数泄漏
 // - inFlight > 0 的客户端不会被淘汰,确保活跃请求不被中断
 func (s *httpUpstreamService) Do(req *http.Request, proxyURL string, accountID int64, accountConcurrency int) (*http.Response, error) {
- // Node.js TLS 代理:仅拦截白名单内的上游主机
- if s.isNodeTLSProxyEnabled() {
- if req != nil && req.URL != nil {
- slog.Warn("node_tls_proxy_check",
- "scheme", req.URL.Scheme,
- "host", req.URL.Host,
- "hostname", req.URL.Hostname(),
- "should_route", s.shouldRouteViaNodeProxy(req),
- )
- }
- if s.shouldRouteViaNodeProxy(req) {
- return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
- }
+ // Node.js TLS 代理:所有 HTTPS 上游请求走 Node.js 代理
+ if s.isNodeTLSProxyEnabled() && req != nil && req.URL != nil && req.URL.Scheme == "https" {
+ return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
 }

 if err := s.validateRequestHost(req); err != nil {
@@ -191,20 +181,8 @@ func (s *httpUpstreamService) DoWithTLS(req *http.Request, proxyURL string, acco
 }

 // 优先使用 Node.js TLS 代理模式
- if s.isNodeTLSProxyEnabled() {
- shouldRoute := s.shouldRouteViaNodeProxy(req)
- host := ""
- if req != nil && req.URL != nil {
- host = req.URL.Hostname()
- }
- slog.Warn("node_tls_proxy_check_tls_path",
- "host", host,
- "should_route", shouldRoute,
- "tls_fingerprint_enabled", enableTLSFingerprint,
- )
- if shouldRoute {
- return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
- }
+ if s.isNodeTLSProxyEnabled() && req != nil && req.URL != nil && req.URL.Scheme == "https" {
+ return s.doViaNodeTLSProxy(req, accountID, accountConcurrency)
 }

 // TLS 指纹已启用,记录调试日志
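Review bot: In `Do`, the new branch returns through `doViaNodeTLSProxy` before `s.validateRequestHost(req)` runs, and with the `shouldRouteViaNodeProxy` allowlist removed that now applies to every HTTPS request rather than a fixed set of upstream hosts. If `validateRequestHost` is the guard that keeps requests away from disallowed or internal hosts (its body is outside the hunk, so this is inferred from the name), enabling the Node proxy would turn that guard off for HTTPS traffic unless `doViaNodeTLSProxy` repeats it. I would move the existing `if err := s.validateRequestHost(req); err != nil {` block above the proxy branch so both paths share it. The same early return is added in `DoWithTLS`, whose preceding lines are not visible here, so check that validation happens before it there as well. `proxyURL` is also not passed to `doViaNodeTLSProxy`, so it is worth confirming that a per-account proxy setting is meant to be ignored on this path.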