[cups.development] Allow printing from certain servers only

Jon Peatfield J.S.Peatfield at damtp.cam.ac.uk
Mon Mar 3 15:18:42 PST 2008


On Mon, 3 Mar 2008, Johnny Reyes wrote:

> What I am trying to accomplish is allow printing from certain unix 
> servers and deny all other printing. Some background, all the unix 
> servers are in the same subnet, so I have to allow printing from certain 
> hostnames and deny all other hostnames (fully qualified name). I am 
> using the BrowseAllow and BrowseDeny but nothing seems to be working, 
> printing is allowed from all servers which is what I do not want. I have 
> updated the cupsd.conf file with similar entries
>
> BrowseAllow hostname.domainname
>
> BrowseOrder is allow, deny
>
> Order Deny,Allow
>
> I am trying to understand what is wrong and how do I get production host 
> unix server to print and all other hosts from not printing.

BrowseAllow etc commands are related to whether to accept browse messages 
(i.e. IPP printer adverts) from hosts.  This isn't how to restrict which 
hosts may print jobs etc.  See the manual for lots more detail.

If you want to prevent *all* http and ipp forms of access to your server 
then you can simply add a section in the <Location /> part of cupsd.conf, 
e.g. we have the following:

<Location />
   Order Deny,Allow
   Deny From All
   # allow from myself
   Allow From 127.0.0.1
   # allow general requests from hosts matching these blocks
   Allow From 131.111.16.0/24
   Allow From 131.111.17.0/24
....
</Location>

to deny to all but the net-blocks specified.  Obviously you can do more 
complex things than that.  You should be careful to check whether a more 
specific Location-block allows something.

On a different cups server we want to allow http requests from more places 
than print jobs, so we do the following ugly hack:

<Location />
....

# allow/deny rules much like above...

   # these will be allowed to perform non-http requests
   <LimitExcept GET HEAD OPTIONS>
     # Restrict access
     Order Deny,Allow
     Deny From All

     # loopback
     Allow From 127.0.0.1
....
     Allow From @IF(brLap)
   </Limit>
</Location>

Now this stuff is possibly easier to do with a Policy these days but we 
started doing it before such things were available, and I still don't 
understand them... :-(

You can tell that this is for an older version of cups 'cos we ended the 
<LimitExcept> with </Limit> which got fixed in a recent release...

-- 
Jon Peatfield,  Computer Officer,  DAMTP,  University of Cambridge
Mail:  jp107 at damtp.cam.ac.uk     Web:  http://www.damtp.cam.ac.uk/
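
An added example, not part of the original message or of CUPS itself: a small Python model of the Order/Allow/Deny evaluation described above, for checking which client addresses a cupsd.conf would admit. It assumes that only the most specific (longest-prefix) Location block applies to a request, handles only All, single addresses and CIDR blocks (no hostnames or @IF), and uses a constructed sample that pairs the page's "/" rules with a hypothetical, looser /printers block.

```python
import ipaddress

# Constructed sample: the page's "/" rules plus a hypothetical, looser /printers block.
SAMPLE_CONF = """
<Location />
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1        # allow from myself
  Allow From 131.111.16.0/24
</Location>
<Location /printers>
  Order Deny,Allow
</Location>
"""

def parse_locations(conf_text):
    """Collect Order/Allow/Deny lines per <Location> path."""
    locations, current = {}, None
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lower()
        if key == "<location":
            # Assumed default when a block has no Order line: deny,allow
            current = {"order": "deny,allow", "allow": [], "deny": []}
            locations[words[1].rstrip(">")] = current
        elif key.startswith("</location"):
            current = None
        elif current is not None and key == "order":
            current["order"] = "".join(words[1:]).lower()
        elif current is not None and key in ("allow", "deny") and len(words) > 2:
            current[key].append(words[2])
    return locations

def matches(client, rules):
    """True if the client IP matches any rule (All, address or CIDR block only)."""
    ip = ipaddress.ip_address(client)
    return any(r.lower() == "all" or ip in ipaddress.ip_network(r, strict=False)
               for r in rules)

def is_allowed(locations, path, client):
    """Evaluate the most specific (longest-prefix) Location block for this path."""
    loc = locations[max((p for p in locations if path.startswith(p)), key=len)]
    hit_allow, hit_deny = matches(client, loc["allow"]), matches(client, loc["deny"])
    if loc["order"] == "deny,allow":      # allowed by default, Allow lines win
        return hit_allow or not hit_deny
    return hit_allow and not hit_deny     # allow,deny: denied by default, Deny wins
```

With the sample, a client outside the listed blocks is refused at / but admitted at /printers/..., which is the "more specific Location-block" case the message warns about.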




