According to the cupsd.conf documentation, one should be able to "require authentication for remote access, but allow local access without authentication." There doesn't appear to be any other documentation on this subject.

I tried putting the following in my cupsd.conf:

<Location />
  # Restrict access to the server...
  Allow from 192.168.1.0/24
  Require valid-user
  Satisfy any
  Order allow,deny
</Location>

It doesn't work for me.

Has anyone gotten this to work? Is there an example cupsd.conf available with this configuration?

Jeff Strunk

1 Answer

Add the following lines to your snippet:

Allow from localhost
Allow from 127.0.0.1
Deny from all

and change the Order line to

Order deny,allow

so it reads:

<Location />
   # Restrict access to the server 'root' location...
   Allow from 192.168.1.0/24
   Allow from localhost
   Allow from 127.0.0.1
   Deny from all
   Require valid-user
   Satisfy any
   Order deny,allow
</Location>

Should this not be sufficient, add the same settings for the <Location /printers> and the <Location /admin>:

<Location /printers>
   # Restrict access to the server's shared printers...
   Allow from 192.168.1.0/24
   Allow from localhost
   Allow from 127.0.0.1
   Deny from all
   Require valid-user
   Satisfy any
   Order deny,allow
</Location>
Kurt Pfeifle
  • @Jeff Strunk: thanks for the correction; this version is correct now (I remember vaguely that I lost internet connections towards my editing session. Maybe before my last 'save' completed...). – Kurt Pfeifle Dec 13 '11 at 18:55
  • Although not asked in the question, it would be nice if SSL would be required for remote access but not for local access. Is it easy to modify for that? – Erik Sjölund May 07 '12 at 08:54
  • For me it fails when I do `Allow from 192.168.1.1/24`, but passes with `allow from 192.168.1.0/24`. Error was `Bad netmask value 192.168.1.1/24 on line 32.` – Tomasz Gandor Sep 02 '17 at 05:15
  • @TomaszGandor: Not only for YOU, but it should fail for EVERYBODY. The reason for this error message is that `192.168.1.1/24` INDEED is a bad netmask value, and that it ought to be `192.168.0.1/24` (as it worked for you). My bad, my mistake, I should have known better! Thanks for noticing and for writing your comment. I'll correct my answer in a minute. – Kurt Pfeifle Sep 02 '17 at 20:11
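
Added example, not part of the original thread: a small pre-flight check for the `Bad netmask value` error reported in the comments, which flags `Allow`/`Deny` values whose address has bits set outside the mask before cupsd is restarted with a broken access policy. The function name `lint_netmasks` and the sample configuration are constructed for illustration, and Python's strict `ipaddress` parsing is assumed to be an adequate stand-in for cupsd's own check.

```python
import ipaddress
import re

# Constructed sample: the answer's <Location /> block, but with the
# 192.168.1.1/24 value that produced "Bad netmask value" in the comments.
SAMPLE_CONF = """\
<Location />
   Allow from 192.168.1.1/24
   Deny from all
   Require valid-user
   Satisfy any
   Order deny,allow
</Location>
<Location /printers>
   Allow from 192.168.1.0/24
   Order deny,allow
</Location>
"""

LOCATION = re.compile(r"^\s*<Location\s+([^>]+)>", re.IGNORECASE)
RULE = re.compile(r"^\s*(?:allow|deny)\s+(?:from\s+)?(\S+)", re.IGNORECASE)


def lint_netmasks(conf_text):
    """Return (line_no, location, value, suggestion) for each Allow/Deny
    address/mask whose address has bits set outside the mask."""
    findings, location = [], None
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if m := LOCATION.match(line):
            location = m.group(1).strip()
            continue
        m = RULE.match(line)
        if not m or "/" not in m.group(1):
            continue  # "all", host names and bare addresses carry no mask
        value = m.group(1)
        addr = value.replace("[", "").replace("]", "")  # CUPS brackets IPv6
        try:
            ipaddress.ip_network(addr, strict=True)  # rejects set host bits
        except ValueError:
            try:
                fixed = str(ipaddress.ip_network(addr, strict=False))
            except ValueError:
                fixed = None  # not parseable as address/mask at all
            findings.append((line_no, location, value, fixed))
    return findings


if __name__ == "__main__":
    for line_no, loc, value, fixed in lint_netmasks(SAMPLE_CONF):
        print(f"line {line_no} <Location {loc}>: {value} should be {fixed}")
```

Run it against a copy of the edited file before restarting the scheduler; an empty result means no address/mask pair was flagged.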