Cups
如何在 CUPS 中啟用對管理頁面的遠端訪問
我正在尋找訪問 CUPS Web 界面的管理頁面的權限。
我可以訪問該頁面,並且可以瀏覽該站點的大部分內容,但遺憾的是,管理頁面仍然被遠端資源鎖定。
我確實設置了
Allow from all
並且Allow all
現在到處都嘗試過,但我仍然無法訪問該頁面。我錯過了什麼?
配置文件
# # # Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a # complete description of this file. # # Log general information in error_log - change "warn" to "debug" # for troubleshooting... LogLevel warn # Deactivate CUPS' internal logrotating, as we provide a better one, especially # LogLevel debug2 gets usable now MaxLogSize 0 # Allow connection from remote hosts Port 631 Listen /var/run/cups/cups.sock # Show shared printers on the local network. Browsing On BrowseOrder allow,deny BrowseAllow all BrowseLocalProtocols all # Default authentication type, when authentication is required... DefaultAuthType Basic # Web interface setting... WebInterface Yes # Restrict access to the server... <Location /> Order allow,deny Allow from all </Location> # Restrict access to the admin pages... <Location /admin> Order allow,deny Allow from all </Location> # Restrict access to configuration files... <Location /admin/conf> AuthType Default Order allow,deny Allow from all </Location> # Set the default printer/job policies... <Policy default> # Job/subscription privacy... JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default # Job-related operations must be done by the owner or an administrator... <Limit Create-Job Print-Job Print-URI Validate-Job> Order deny,allow Allow from all </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> Require user @OWNER @SYSTEM Order deny,allow Allow from all </Limit> # All administration operations require an administrator to authenticate... <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require user @SYSTEM Order deny,allow Allow from all </Limit> # All printer operations require a printer operator to authenticate... <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow Allow from all </Limit> # Only the owner or an administrator can cancel or authenticate a job... <Limit Cancel-Job CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow Allow from all </Limit> <Limit All> Order deny,allow Allow from all </Limit> </Policy> # Set the authenticated printer/job policies... <Policy authenticated> # Job/subscription privacy... JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default # Job-related operations must be done by the owner or an administrator... <Limit Create-Job Print-Job Print-URI Validate-Job> AuthType Default Order deny,allow Allow from all </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> AuthType Default Require user @OWNER @SYSTEM Order deny,allow Allow from all </Limit> # All administration operations require an administrator to authenticate... <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM Order deny,allow Allow from all </Limit> # All printer operations require a printer operator to authenticate... <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow Allow from all </Limit> # Only the owner or an administrator can cancel or authenticate a job... <Limit Cancel-Job CUPS-Authenticate-Job> AuthType Default Require user @OWNER @SYSTEM Order deny,allow Allow from all </Limit> <Limit All> Order deny,allow Allow from all </Limit> </Policy>
Dockerfile
# # Add a Printer user # RUN useradd \ --groups=sudo,lp,lpadmin \ --create-home \ --home-dir=/home/print \ --shell=/bin/bash \ print # # Set the password for the printer user # RUN echo print:sdsds | chpasswd
我要做的是在標籤下方的以下塊中:
</Policy>
<Location /> Order allow,deny Allow localhost Allow from 192.168.0.* Allow from 10.0.*.* </Location> Listen 0.0.0.0:631
特別是對於管理員訪問,vanilla 配置通常具有:
<Location /admin/conf> AuthType Default Require user @SYSTEM Order allow,deny </Location>
為了創建一個合適的使用者帳戶,您只需要創建一個作為該
lpadmin
組成員的使用者(我建議您確實需要對 admin 部分進行某種身份驗證):,sudo useradd -g lpadmin cupsadmin
然後設置密碼。另請參閱https://askubuntu.com/questions/387217/cups-admin-user-and-password-saucy
更新:以下內容應該作為起點,也恰好解決了@DavidGatti 最初提出的問題 - 它不像原始配置那樣完整/精細,但可以重新添加策略配置。
但是,此配置確實取消了使用 @SYSTEM 使用者,而是接受任何“本地”有效使用者。配置的案例是在 docker 容器中執行 CUPS,因此似乎最好避免要求任何“特殊”的東西,除了使用者密碼之外,以提供對 CUPS 的管理員訪問權限。
# Disable cups internal logging - use logrotate instead MaxLogSize 0 # Log general information in error_log - change "warn" to "debug" # for troubleshooting... LogLevel warn #PageLogFormat Listen /run/cups/cups.sock Listen 0.0.0.0:631 Port 631 # Show shared printers on the local network. Browsing On BrowseLocalProtocols dnssd # Default authentication type, when authentication is required... DefaultAuthType Basic # Web interface setting... WebInterface Yes # Restrict access to the server... # This config allow anyone access to the WUI <Location /> Order allow,deny Allow all </Location> # Restrict access to the admin pages... # Allows anyone to try and access admin pages. # Any local user's credentials will be accepted <Location /admin> AuthType Basic Require valid-user Allow all Order allow,deny </Location> # Restrict access to configuration files... # Any local user's credentials will be accepted <Location /admin/conf> AuthType Basic Require valid-user Allow all Order allow,deny </Location> # Restrict access to log files... # Any local user's credentials will be accepted <Location /admin/log> AuthType Basic Require valid-user Allow all Order allow,deny </Location> Browsing On
您可能還會在如何配置杯子以允許遠端列印和身份驗證和本地列印中找到一些不錯的指針?