docs(security): document profile migration

This commit is contained in:
Aethersailor
2026-05-15 19:15:52 +08:00
parent 90f0970a31
commit aa40511547
4 changed files with 98 additions and 0 deletions

View File

@@ -149,6 +149,21 @@ quanx_device_id=
;surge_ssr_path=/usr/bin/ssr-local
resolve_hostname=true
[security]
;Security profile:
;lan - default, legacy behavior for private/LAN deployments. Local, private
; and fake-ip resources are allowed.
;public - for Internet-facing deployments. Only untrusted request-controlled
; fetches are restricted; built-in local templates and trusted config
; files continue to work.
;strict - same public fetch restrictions, and public upload cannot be enabled.
;Environment override: SUBCONVERTER_SECURITY_PROFILE=lan|public|strict
profile=lan
;Only used by public profile. lan keeps legacy upload behavior; strict always
;disables public upload.
;Environment override: SUBCONVERTER_ALLOW_PUBLIC_UPLOAD=true|false
allow_public_upload=false
[emojis]
add_emoji=false
remove_old_emoji=true

View File

@@ -168,6 +168,21 @@ quanx_device_id = ""
#surge_ssr_path = "/usr/bin/ssr-local"
resolve_hostname = true
[security]
# Security profile:
# lan - default, legacy behavior for private/LAN deployments. Local, private
# and fake-ip resources are allowed.
# public - for Internet-facing deployments. Only untrusted request-controlled
# fetches are restricted; built-in local templates and trusted config
# files continue to work.
# strict - same public fetch restrictions, and public upload cannot be enabled.
# Environment override: SUBCONVERTER_SECURITY_PROFILE=lan|public|strict
profile = "lan"
# Only used by public profile. lan keeps legacy upload behavior; strict always
# disables public upload.
# Environment override: SUBCONVERTER_ALLOW_PUBLIC_UPLOAD=true|false
allow_public_upload = false
[emojis]
add_emoji = false
remove_old_emoji = true

View File

@@ -68,6 +68,21 @@ surge_external_proxy:
surge_ssr_path: "" # /usr/bin/ssr-local
resolve_hostname: true
security:
# Security profile:
# lan - default, legacy behavior for private/LAN deployments. Local,
# private and fake-ip resources are allowed.
# public - for Internet-facing deployments. Only untrusted request-controlled
# fetches are restricted; built-in local templates and trusted config
# files continue to work.
# strict - same public fetch restrictions, and public upload cannot be enabled.
# Environment override: SUBCONVERTER_SECURITY_PROFILE=lan|public|strict
profile: lan
# Only used by public profile. lan keeps legacy upload behavior; strict always
# disables public upload.
# Environment override: SUBCONVERTER_ALLOW_PUBLIC_UPLOAD=true|false
allow_public_upload: false
emojis:
add_emoji: false
remove_old_emoji: true