CUPS
From DuncanWiki
THIS PAGE IS UNDER CONSTRUCTION
Absolutely *nothing* on this page is finalized. I typically start documenting something & slowly add to it until it's complete.
CUPS is the printing service that comes with Mac OS X, most Linux distributions as well as many other UNIX systems. It supports IPP (Internet Printing Protocol) & IPP over HTTP.
Adding A Printer
Printer Sharing
Printing Remotely
I wanted the ability to print things at home when I'm at work, at a friend's house, a cafe, on the road or just about anywhere else I have an internet connection. This involved a few steps that are simple in retrospect, but not all of them were easy to figure out, as CUPS documentation on the web completely stinks.
System Preparation
There are a few steps you have to take that aren't directly related to CUPS:
- Forward port 631 from my router to my print server
- Selectively open port 631 on my print server to external IPs
  - This is currently manually done with iptables
  - This will eventually be handled by Apache & PHP
Authorize Remote Connections
I used PHP & Apache to create a file detailing the IPs that are allowed to connect to CUPS. Basically you'll hit a URL (ex: http://duncanbrown.org/openup.php) & this script will take your IP & append it to a file. We'll have another script read in the file & add an iptables rule to allow your CUPS connection. The PHP script does no authentication of its own, so any client that requests the URL gets its address added to the file.
<?php
// Append the requesting client's IP to the queue file that open_up reads.
$open_up_file = "/tmp/open_up.ips" ;
$fh = fopen($open_up_file, 'a') ;
fwrite($fh, $_SERVER['REMOTE_ADDR']) ;
fwrite($fh, "\n") ;
fclose($fh) ;
?>
This is a small script I wrote that handles the IPs saved to /tmp/open_up.ips. I saved it as /usr/local/bin/open_up & had cron run it once a minute.
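#!/bin/bash
# Run from cron as root: open port 631 to each queued IP & schedule the rule's removal with at.
ports="22 631"   # not used below; only 631 is opened
drop_time="24 hours"
ip_file=/tmp/open_up.ips
work_file="$(mktemp)"
touch "$ip_file"
# Move the queue aside first so IPs appended while we run are not lost by the cleanup.
mv -f "$ip_file" "$work_file"
time="$(date --date "$drop_time" "+%R %x")"
while read -r ip ; do
  # The queue lives in /tmp & each line ends up in a root at job, so accept only dotted-quad IPv4.
  [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || continue
  iptables -I INPUT -s "$ip" -p tcp -m tcp --dport 631 -j ACCEPT
  echo "iptables -D INPUT -s $ip -p tcp -m tcp --dport 631 -j ACCEPT" | at $time
done < "$work_file"
rm -f "$work_file"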
CUPS Configuration
My /etc/cups/cups.conf... all I did was add Allow from ALL to each section. I don't really care about the security implications of this since my internal network is fairly locked down & external connections are managed via iptables.
MaxLogSize 2000000000
# Show general information in error_log.
LogLevel info
SystemGroup sys root
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Share local printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
# Allow shared printing and remote administration...
Order allow,deny
Allow @LOCAL
Allow from ALL
</Location>
<Location /admin>
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow from ALL
</Location>
<Location /admin/conf>
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow from ALL
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Order allow,deny
Allow from ALL
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
Order allow,deny
Allow from ALL
</Limit>
<Limit CUPS-Authenticate-Job>
Order allow,deny
Allow from ALL
</Limit>
<Limit All>
Order allow,deny
Allow from ALL
</Limit>
</Policy>
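To see which sections of a configuration like the one above admit every address without asking for credentials, the following added example (not part of the original page, and not CUPS's own tooling) lists each Location or Limit block that has an allow-all line and no AuthType or Require directive. The audit function and the SAMPLE text are hypothetical; the /admin/conf block in the sample uses AuthType Default and Require user @SYSTEM as an assumed authenticated form, and blocks are assumed not to be nested, as in the file above.

```python
import re

# Constructed sample: two blocks in the style of the file above, one assumed hardened block.
SAMPLE = """\
<Location /admin>
Order allow,deny
Allow @LOCAL
Allow from ALL
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
Allow @LOCAL
</Location>
<Limit CUPS-Add-Printer CUPS-Delete-Printer>
Order allow,deny
Allow from ALL
</Limit>
"""

OPEN = re.compile(r"<(Location|Limit)\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(Location|Limit)>", re.I)
ALLOW_ALL = re.compile(r"Allow\s+(from\s+)?all", re.I)
# "AuthType None" does not ask for credentials, so it is not counted.
AUTH = re.compile(r"(AuthType\s+(?!None\b)\S+|Require\s+\S+)", re.I)

def audit(conf_text):
    """Return (kind, name) for each Location/Limit block that allows all
    addresses and sets neither AuthType nor Require."""
    findings, block = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = OPEN.fullmatch(line)
        if m:
            block = {"kind": m.group(1), "name": m.group(2).strip(),
                     "open": False, "auth": False}
        elif CLOSE.fullmatch(line) and block:
            if block["open"] and not block["auth"]:
                findings.append((block["kind"], block["name"]))
            block = None
        elif block:
            block["open"] |= bool(ALLOW_ALL.fullmatch(line))
            block["auth"] |= bool(AUTH.match(line))
    return findings

if __name__ == "__main__":
    for kind, name in audit(SAMPLE):
        print(f"{kind} {name}: allows all addresses, no AuthType/Require")
```

Run against the full configuration above, every Location and Limit block would be listed, since none of them sets AuthType or Require.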
Future Plans
- Enable CUPS based authentication.

