HOWTO setup a small server

CUPS (Print Server)

Prerequisite: OpenSSL. The following configuration depends on a correctly set up public-key infrastructure. In particular, the certificate of the CA must be available on all hosts.

Browsing and Polling

There are two ways to configure the server and client:

  1. Browsing: The server advertises its printers to the network via UDP broadcast packets. This produces some extra load on the server and the network. Clients that want to use this feature need a running scheduler (CUPS daemon) listening for this information, but they require no further configuration.
  2. Polling: The server does not advertise its printers to the network. The clients know which server to use and poll it for its printers. There is less load on the server and the network, and clients do not need a scheduler, but they do need manual configuration. (If a server has browsing enabled, a client can still use polling to make its own scheduler unnecessary.)

Client Installation

Because cups recommends a large number of packages, you can add --no-install-recommends to the commands below to avoid installing them.

Install the following packages for browsing support. No further configuration is required if the server has browsing enabled (but have a look at the networking requirements in the last section!). Otherwise, continue with the configuration in the next section.

# apt-get --no-install-recommends install cups cups-client

Install the following packages for a polling-only client and continue with the configuration in the next section.

# apt-get --no-install-recommends install cups-client

Client Configuration

On a polling client these two lines should be sufficient for a complete configuration. The first line enables encryption and may be skipped, depending on your security requirements. The second line names the server to poll. The port, with its separator (colon), needs to be added only if it differs from the default one.

File: /etc/cups/client.conf

Encryption Required
ServerName server.example.com:port

Server Installation

Install the necessary packages for the CUPS server. The remarks on the --no-install-recommends option from the client installation apply here as well.

# apt-get --no-install-recommends install cups cups-client

You will probably also want to install some of the packages containing PPD (PostScript Printer Definition) files (“drivers”), for example:

# apt-get --no-install-recommends install openprinting-ppds \
  foomatic-filters-ppds hplip-ppds

Server Basic Configuration

The basic configuration makes the server listen on all network interfaces (IPv4 only). Replace the existing Listen line with the one below:

Excerpt: /etc/cups/cupsd.conf

# listen on all interfaces
#Listen localhost:631
Listen 0.0.0.0:631

Next, to permit remote access, Allow @LOCAL (or a similar directive) must be added to at least the / location. If you also want to configure the printing system remotely via its web interface, you will have to add an Allow directive to the /admin location. The complete part of the configuration file for these two locations could look like this:

Excerpt: /etc/cups/cupsd.conf

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow @LOCAL
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow @LOCAL
</Location>

If you want CUPS to support browsing, the following directives are required (modify access rules according to your needs):

Excerpt: /etc/cups/cupsd.conf

Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseAddress @LOCAL

If you prefer polling, the Browsing directive must be set to Off instead:

Excerpt: /etc/cups/cupsd.conf

Browsing Off

Server SSL Configuration

The following adds the default server key/certificate to CUPS:

Excerpt: /etc/cups/cupsd.conf

ServerCertificate /etc/ssl/certs/server.crt
ServerKey /etc/ssl/private/server.key

As CUPS runs as root by default, no further actions are required to enable it to read the key file.

You can make CUPS listen on an additional SSL port, although it should support StartTLS to upgrade an unencrypted connection to an encrypted one. The next excerpt makes CUPS listen on ssl_port (e.g., 632) on all interfaces (IPv4 only):

Excerpt: /etc/cups/cupsd.conf

SSLListen 0.0.0.0:ssl_port

Finally, restart the scheduler:

# /etc/init.d/cups restart

Server Printer Configuration

This is preferably done with a web browser. Just open one of the addresses http://server.example.com:631 or https://server.example.com:631 (or https://server.example.com:ssl_port). Note that you will have to enter your root password to add or change printers, so the encrypted connections starting with https:// are highly recommended!
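
A small audit of the cupsd.conf directives edited in the sections above, as an added example that is not part of the original HOWTO. It flags listeners bound to every interface, BrowseAllow all, a ServerCertificate without ServerKey (or the reverse), and an /admin location that admits remote hosts without Encryption Required; the finding labels and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit the cupsd.conf settings edited above.
# audit_cupsd FILE prints one finding per line; the labels are made up here.
audit_cupsd() {
  awk '
    BEGIN { cert = 0; skey = 0; inloc = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    { key = tolower($1) }
    # Listen/SSLListen on every interface; a bare Port directive does the same
    (key == "listen" || key == "ssllisten") && $2 ~ /^(0\.0\.0\.0|\*):/ {
      print "LISTEN-ALL " $2
    }
    key == "port" { print "LISTEN-ALL *:" $2 }
    key == "browseallow" && tolower($2) == "all" { print "BROWSE-ALLOW-ALL" }
    key == "servercertificate" { cert = 1 }
    key == "serverkey" { skey = 1 }
    key == "<location" {
      loc = $2; sub(/>$/, "", loc); inloc = 1; remote = 0; enc = 0; next
    }
    inloc && key == "allow" {                  # "Allow x" or "Allow from x"
      src = tolower($2); if (src == "from") src = tolower($3)
      if (src != "localhost") remote = 1
    }
    inloc && key == "encryption" && tolower($2) == "required" { enc = 1 }
    key == "</location>" {
      # the web interface asks for the root password under /admin
      if (loc ~ /^\/admin/ && remote && !enc) print "ADMIN-NO-TLS " loc
      inloc = 0
    }
    END { if (cert != skey) print "TLS-INCOMPLETE" }
  ' "$1"
}

# Constructed sample: this page's configuration with ServerKey left out.
sample_conf() {
  cat <<'EOF'
Listen 0.0.0.0:631
<Location /admin>
  Order allow,deny
  Allow @LOCAL
</Location>
Browsing On
BrowseAllow all
ServerCertificate /etc/ssl/certs/server.crt
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_cupsd "$tmp"; rm -f "$tmp"
```

Adding Encryption Required inside the /admin location clears the ADMIN-NO-TLS finding; the LISTEN-ALL and BROWSE-ALLOW-ALL lines are reminders that the packet filter rules in the next section are what limit who can reach the port.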

Networking Requirements

Prerequisite: Shorewall. If you use a packet filter like Shorewall, you will have to accept connections/packets from other hosts. For a client relying on a browsing server this is typically:

Excerpt: /etc/shorewall/rules

# CUPS
#
ACCEPT		net		$FW		udp	631
#

For the server a typical configuration is given below. The first ACCEPT line is required to permit access to the default CUPS port, and the second one for an additional SSL port (if configured).

Excerpt: /etc/shorewall/rules

# CUPS
#
ACCEPT		net		$FW		tcp	631
ACCEPT		net		$FW		tcp	ssl_port
#

And restart Shorewall:

# shorewall restart
