CUPS (Common Unix Printing System) is a widely used printing service for Unix-like operating systems, providing a standardized method for managing print jobs and printers. CUPS employs the Internet Printing Protocol (IPP) to facilitate communication between clients and printers. A web UI allows users to easily submit print jobs, configure printers, and manage print settings. CUPS' modular architecture supports various printer types and drivers, making it adaptable for diverse environments, from home networks to large enterprises.

In this lab, you will install the CUPS service, Configure Web UI Access, and add a virtual PDF printer. The instructions for commands in this lab assume you are running as a normal user, not the root user.

CUPS Installation, Configuration, and Management

• Install the cups and cups-pdf packages: sudo apt update && sudo apt install cups cups-pdf
• Check the status of the CUPS service daemon: service cups status
• Check the status of the print queues: lpstat -t
• View the list of available print services, including those discovered on our network: sudo lpinfo -v

CUPS Server Configuration

To provide printing service over the network, modify your /etc/cups/cupsd.conf file:

• Change the default Listen localhost:631 directive to Port directive
• Enable the web interface by setting WebInterface yes
• Restart your CUPS service: sudo service cups restart
• Add a UFW rule to allow IPP and Bonjour through your firewall:

sudo ufw allow 631
sudo ufw allow 5353

sudo ufw allow 631
sudo ufw allow 5353

Check to make sure that cupsd is listening for incoming requests on port 631:

sudo ss -tlpn | grep 631
# --- Sample Output ---
LISTEN 0      4096                                 0.0.0.0:631        0.0.0.0:*    users:(("cupsd",pid=4536,fd=7))
LISTEN 0      4096                                    [::]:631           [::]:*    users:(("cupsd",pid=4536,fd=8))  

sudo ss -tlpn | grep 631
# --- Sample Output ---
LISTEN 0      4096                                 0.0.0.0:631        0.0.0.0:*    users:(("cupsd",pid=4536,fd=7))
LISTEN 0      4096                                    [::]:631           [::]:*    users:(("cupsd",pid=4536,fd=8))  

Test to see if your CUPS server web interface is working by using wget:

wget -O - http://localhost:631

wget -O - http://localhost:631

The output should start with a ... 200 OK and you should see HTML code for the web page being printed in your terminal.

Attempt to visit your CUPS web interface from a browser on your host computer at http://<Server_IP>:631. You may not be able to visit the site (may get Error 403: Forbidden). The default CUPS configuration is restrictive and for good reason. It is inadvisable to allow printers and print jobs to be accessed from the internet without security controls.

Provide Access Through The CUPS Web UI

The /etc/cups/cupsd.conf configuration file contains HTML-style tags and additional directives. You can refer to man 5 cupsd.conf for the list of these directives and their valid values.
Note: For this lab, we are focused on the most basic settings. For example, we are not configuring or explicitly enforcing SSL encryption, and will only use basic access controls. For a production system, please ensure that you are using an appropriate level of security controls and risk mitigations for the specific environment.

Open the /etc/cups/cupsd.conf configuration file and see the current configuration. You may notice that <location /> refers to the root of the document store for the web interface (for example http://<ip of your server>:631) while <location /admin> refers to the URL path /admin (for example http://<ip of your server>:631/admin). You can configure different settings and access controls for each location based on your needs.

• Edit the configuration file to allow access to users visiting the site from your Host-Only virtual network (i.e. from the 192.168.xxx.0/24), so you are able to access the site from your host OS by adding an Allow directive.

    # ...
    # Restrict access to the server... Do not forget to change the IP to your network address
    <Location />
      Allow from 192.168.XXX.0/24
      Order allow,deny
    </Location>
    # ...

    # ...
    # Restrict access to the server... Do not forget to change the IP to your network address
    <Location />
      Allow from 192.168.XXX.0/24
      Order allow,deny
    </Location>
    # ...

• Restart your cups server and test access to the web UI from your host using a web browser: sudo service cups restart.
• Click on the links at the very top of the page to verify you can access: Home, Classes, Help, Jobs, Printers
• Under Printers, you should have a print queue named PDF. This is the PDF printer that we added by installing the cups-pdf package.
  • Using the Maintenace drop-down, attempt the Print Test Page.
  • Click on the Show All Jobs button. You should see the print job completed by the anonymous user.
  • Anonymous users can also view all print jobs on the server.
• Modify your /etc/cups/cupsd.conf file to limit networks, and require authentication by adding the AuthType Default to the <Location /printers> and <location /jobs>:

    # ...
    <Location />
      Allow from 192.168.XXX.0/24
      Order allow,deny
    </Location>
    
    <Location /printers>
      Allow from 192.168.XXX.0/24
      AuthType Default
      Require valid-user
    </Location>
     
    <Location /jobs>
      Allow from 192.168.XXX.0/24
      AuthType Default
      Require valid-user
    </Location>
    # ...

    # ...
    <Location />
      Allow from 192.168.XXX.0/24
      Order allow,deny
    </Location>
    
    <Location /printers>
      Allow from 192.168.XXX.0/24
      AuthType Default
      Require valid-user
    </Location>
     
    <Location /jobs>
      Allow from 192.168.XXX.0/24
      AuthType Default
      Require valid-user
    </Location>
    # ...

• Restart the CUPS service.
• Visit the page using a Private tab or window in your browser to validate these settings:
  • https://192.168.XXX.99:631/
  • https://192.168.XXX.99:631/jobs
  • https://192.168.XXX.99:631/printers
    • Make sure you are not able to access these pages without authentication
• Authenticate using your Linux username and password and submit another Print Test Page, and review the jobs to validate everything is working as expected.
• From your terminal, validate that your Linux user is able to access the web interface as well:
  • wget -O - http://localhost:631 should still return 200 OK and output HTML code from the page
• Optional Step: You can use Allow and Deny directives to control access to /admin and /admin/conf locations as well. You can look up information about the Require directive in the documentation, including man 5 cupsd.conf and the same is accessible via the Help in the web interface.

Since the PDF printer is not physical, it does not spit out paper for you to see when submitting print jobs. However, a PDF file should now be placed in the PDF sub-directory in your home. You can cd ~/PDF and ls to see this file. In the next steps, you copy these files to your web document root so you can download them through your browser.

Printing From CLI

• Print out your cupsd.conf file: lp /etc/cups/cupsd.conf
• Verify that a .pdf file has appeared in your user's ~/PDF directory. Copy that file to your user's ~/public_html directory:

  ls ~/PDF 
  cp ~/PDF/*.pdf ~/public_html
  
  # Pay attention to the file permissions in your public_html directory
  chmod +r ~/public_html/*.pdf

  ls ~/PDF 
  cp ~/PDF/*.pdf ~/public_html
  
  # Pay attention to the file permissions in your public_html directory
  chmod +r ~/public_html/*.pdf

• Visit your website to download or view your PDF files: http://<IP_Address>/~<username>/<filename>
• You could even add a hyperlink to your files inside your index.html document to save typing out the filename in the URL. The following is just an example. Replace the file names with your filenames:

  # make sure to modify the filename in href=<pdf_filename>. This is just an example:
  echo "<p>My <a href=cupsd.conf__PDF-job_1.pdf>PDF file of the cupsd.conf file</a> can be viewed by clicking on the link.</p>" >> public_html/index.html

  # make sure to modify the filename in href=<pdf_filename>. This is just an example:
  echo "<p>My <a href=cupsd.conf__PDF-job_1.pdf>PDF file of the cupsd.conf file</a> can be viewed by clicking on the link.</p>" >> public_html/index.html

Modify cups-pdf Printer Configuration

• Modify your /etc/cups/cups-pdf.conf to use Label 2 and TitlePref 1: sudo nano /etc/cups/cups-pdf.conf
  • Tip: As usual, there should be some explanations and comments in this file. Use the nano Where Is tool using Ctrl + W shortcut to locate the commented out settings in order to uncomment and modify them where they are! Additionally, you should see explanations of what these settings mean and do.
• Try printing your /etc/cups/cupsd.conf file again. Observe what is put into your ~/PDF directory this time.

# Print the file
lp /etc/cups/cupsd.conf

# Get the file name
ls ~/PDF

# Copy the file to your web Document Root
cp ~/PDF/<FileName>.pdf ~/public_html

# Set permissions so you can access it via the address bar
chmod 644 ~/public_html/*.pdf

# Print the file
lp /etc/cups/cupsd.conf

# Get the file name
ls ~/PDF

# Copy the file to your web Document Root
cp ~/PDF/<FileName>.pdf ~/public_html

# Set permissions so you can access it via the address bar
chmod 644 ~/public_html/*.pdf

Queue and Device Management

• Disable the PDF print queue: sudo cupsdisable PDF
• Submit several print jobs:

  lp /etc/hosts
  lp /etc/services
  lp /etc/hostname
  lp /etc/fstab
  lp /etc/protocols

  lp /etc/hosts
  lp /etc/services
  lp /etc/hostname
  lp /etc/fstab
  lp /etc/protocols

• Verify the jobs are waiting to print by viewing the print queue: lpstat -t
• Enable your PDF print queue: sudo cupsenable PDF
• Verify the jobs printed:

  lpstat -t
  ls ~/PDF

  lpstat -t
  ls ~/PDF

• Set the PDF print queue to reject incoming print jobs and check the status with lpstat:

  sudo cupsreject PDF
  lpstat -t

  sudo cupsreject PDF
  lpstat -t

• Try to submit a print job to the PDF print queue again: lp /etc/hosts
  • Observe the difference between a disabled queue and a rejecting queue.
• To successfully submit print jobs, set the PDF print queue to accept print jobs again, and see the difference in lpstat:

  sudo cupsaccept PDF
  lpstat -t

  sudo cupsaccept PDF
  lpstat -t

Try to submit a print job to the PDF print queue, and this time it should go through: lp /etc/hosts

Log Files

Examine the content of the various log files in /var/log/cups to see what is being logged for your activity on your web server:

ls /var/log/cups
more /var/log/cups/*_log

ls /var/log/cups
more /var/log/cups/*_log

Evaluate your server

• Run sudo /root/server-check.sh -l 7 firstname lastname studentnumber.
• Review any problems detected and correct as necessary.
• Do not move on to the next labs until you have this lab at 100%.
• If you are having trouble getting Lab 7 to 100%, try running sudo /root/server-check.sh -l 123456 firstname lastname studentnumber to make sure you haven't accidentally broken what was completed in previous labs.