# # "$Id: cupsd.conf.in,v 1.30.2.1 2005/05/31 18:45:34 jlovell Exp $" # # Sample configuration file for the Common UNIX Printing System (CUPS) # scheduler. # # Copyright 1997-2005 by Easy Software Products, all rights reserved. # # These coded instructions, statements, and computer programs are the # property of Easy Software Products and are protected by Federal # copyright law. Distribution and use rights are outlined in the file # "LICENSE.txt" which should have been included with this file. If this # file is missing or damaged please contact Easy Software Products # at: # # Attn: CUPS Licensing Information # Easy Software Products # 44141 Airport View Drive, Suite 204 # Hollywood, Maryland 20636 USA # # Voice: (301) 373-9600 # EMail: cups-info@cups.org # WWW: http://www.cups.org # ######################################################################## # # # This is the CUPS configuration file. If you are familiar with # # Apache or any of the other popular web servers, we've followed the # # same format. Any configuration variable used here has the same # # semantics as the corresponding variable in Apache. If we need # # different functionality then a different name is used to avoid # # confusion... # # # ######################################################################## ######## ######## Server Identity ######## # # ServerName: the hostname of your server, as advertised to the world. # By default CUPS will use the hostname of the system. # # To set the default server used by clients, see the client.conf file. # # If the Listen 127.0.0.1:631 command is set later in this file then # the server name needs to be 127.0.0.1, otherwise cupsGetPPD(), for # example, will fail. # ServerName 127.0.0.1 # # ServerAdmin: the email address to send all complaints/problems to. # By default CUPS will use "root@hostname". # #ServerAdmin root@your.domain.com ######## ######## Server Options ######## # # AccessLog: the access log file; if this does not start with a leading / # then it is assumed to be relative to ServerRoot. By default set to # "@CUPS_LOGDIR@/access_log" # # You can also use the special name "syslog" to send the output to the # syslog file or daemon. # #AccessLog @CUPS_LOGDIR@/access_log # # Classification: the classification level of the server. If set, this # classification is displayed on all pages, and raw printing is disabled. # The default is the empty string. # #Classification classified #Classification confidential #Classification secret #Classification topsecret #Classification unclassified # # ClassifyOverride: whether to allow users to override the classification # on printouts. If enabled, users can limit banner pages to before or # after the job, and can change the classification of a job, but cannot # completely eliminate the classification or banners. # # The default is off. # #ClassifyOverride off # # DataDir: the root directory for the CUPS data files. # By default "@CUPS_DATADIR@". # #DataDir @CUPS_DATADIR@ # # DefaultCharset: the default character set to use. If not specified, # defaults to "utf-8". Note that this can also be overridden in # HTML documents... # #DefaultCharset utf-8 # # DefaultLanguage: the default language if not specified by the browser. # If not specified, the current locale is used. # #DefaultLanguage en # # DocumentRoot: the root directory for HTTP documents that are served. # By default "@CUPS_DOCROOT@". # #DocumentRoot @CUPS_DOCROOT@ # # ErrorLog: the error log file; if this does not start with a leading / # then it is assumed to be relative to ServerRoot. By default set to # "@CUPS_LOGDIR@/error_log" # # You can also use the special name "syslog" to send the output to the # syslog file or daemon. # #ErrorLog @CUPS_LOGDIR@/error_log # # FileDevice: determines whether the scheduler will allow new printers # to be added using device URIs of the form "file:/foo/bar". The default # is not to allow file devices due to the potential security vulnerability # and due to the fact that file devices do not support raw printing. # #FileDevice No # # FontPath: the path to locate all font files (currently only for pstoraster) # By default "@CUPS_FONTPATH@". # #FontPath @CUPS_FONTPATH@ # # LogLevel: controls the number of messages logged to the ErrorLog # file and can be one of the following: # # debug2 Log everything. # debug Log almost everything. # info Log all requests and state changes. # warn Log errors and warnings. # error Log only errors. # none Log nothing. # LogLevel info # # MaxLogSize: controls the maximum size of each log file before they are # rotated. Defaults to 1048576 (1MB). Set to 0 to disable log rotating. # #MaxLogSize 0 # # PageLog: the page log file; if this does not start with a leading / # then it is assumed to be relative to ServerRoot. By default set to # "@CUPS_LOGDIR@/page_log" # # You can also use the special name "syslog" to send the output to the # syslog file or daemon. # #PageLog @CUPS_LOGDIR@/page_log # # PreserveJobHistory: whether or not to preserve the job history after a # job is completed, cancelled, or stopped. Default is Yes. # #PreserveJobHistory Yes # # PreserveJobFiles: whether or not to preserve the job files after a # job is completed, cancelled, or stopped. Default is No. # #PreserveJobFiles No # # AutoPurgeJobs: automatically purge jobs when not needed for quotas. # Default is No. # #AutoPurgeJobs No # # MaxCopies: maximum number of copies that a user can request. Default is # 100. # MaxCopies 10000 # # MaxJobs: maximum number of jobs to keep in memory (active and completed.) # Default is 500; the value 0 is used for no limit. # #MaxJobs 500 # # MaxJobsPerPrinter: maximum number of active jobs per printer. The default # is 0 for no limit. # #MaxJobsPerPrinter 0 # # MaxJobsPerUser: maximum number of active jobs per user. The default # is 0 for no limit. # #MaxJobsPerUser 0 # # MaxPrinterHistory: controls the maximum number of history collections # in the printer-state-history attribute. Set to 0 to disable history # data. # #MaxPrinterHistory 10 # # Printcap: the name of the printcap file. Default is /etc/printcap. # Leave blank to disable printcap file generation. # #Printcap /etc/printcap # # PrintcapFormat: the format of the printcap file, currently either # BSD or Solaris. The default is "BSD". # #PrintcapFormat BSD #PrintcapFormat Solaris # # PrintcapGUI: the name of the GUI options panel program to associate # with print queues under IRIX. The default is "/usr/bin/glpoptions" # from ESP Print Pro. # # This option is only used under IRIX; the options panel program # must accept the "-d printer" and "-o options" options and write # the selected printer options back to stdout on completion. # #PrintcapGUI /usr/bin/glpoptions # # RequestRoot: the directory where request files are stored. # By default "@CUPS_REQUESTS@". # #RequestRoot @CUPS_REQUESTS@ # # RemoteRoot: the name of the user assigned to unauthenticated accesses # from remote systems. By default "remroot". # #RemoteRoot remroot # # ServerBin: the root directory for the scheduler executables. # By default "@CUPS_SERVERBIN@". # #ServerBin @CUPS_SERVERBIN@ # # ServerRoot: the root directory for the scheduler. # By default "@CUPS_SERVERROOT@". # #ServerRoot @CUPS_SERVERROOT@ # # ConfigFilePerm: The permissions of the config file. # MacOSX's Sharing preference panel requires the file be readable by others. # By default 600. # ConfigFilePerm 0644 # # AppleQuotas: Use the Apple XServe quota library # /usr/lib/libPrintServiceQuota.dylib to enforce quotas. # Enabled by default. # #AppleQuotas On # # ServerTokens: specifies what information in provided in the Server # header of HTTP responses. The default is Minor. # # ServerTokens None # ServerTokens ProductOnly CUPS # ServerTokens Major CUPS/1 # ServerTokens Minor CUPS/1.1 # ServerTokens Minimal CUPS/@CUPS_VERSION@ # ServerTokens OS CUPS/@CUPS_VERSION@ (uname) # ServerTokens Full CUPS/@CUPS_VERSION@ (uname) IPP/1.1 # #ServerTokens Minor ######## ######## Fax Support ######## # # FaxRetryLimit: the number of times a fax job is retried. # The default is 5 times. # #FaxRetryLimit 5 # # FaxRetryInterval: the number of seconds between fax job retries. # The default is 300 seconds/5 minutes. # #FaxRetryInterval 300 ######## ######## Encryption Support ######## # # ServerCertificate: the file to read containing the server's certificate. # Defaults to "@CUPS_SERVERCERTIFICATE@". # #ServerCertificate @CUPS_SERVERCERTIFICATE@ # # ServerKey: the file to read containing the server's key. # Defaults to "@CUPS_SERVERKEY@". # #ServerKey @CUPS_SERVERKEY@ ######## ######## Filter Options ######## # # User/Group: the user and group the server runs under. Normally this # must be @CUPS_USER@ and @CUPS_GROUP@, however you can configure things for another # user or group as needed. # # Note: the server must be run initially as root to support the # default IPP port of 631. It changes users whenever an external # program is run, or if the RunAsUser directive is specified... # #User @CUPS_USER@ #Group @CUPS_GROUP@ # # RIPCache: the amount of memory that each RIP should use to cache # bitmaps. The value can be any real number followed by "k" for # kilobytes, "m" for megabytes, "g" for gigabytes, or "t" for tiles # (1 tile = 256x256 pixels.) Defaults to "8m" (8 megabytes). # #RIPCache 8m # # TempDir: the directory to put temporary files in. This directory must be # writable by the user defined above! Defaults to "@CUPS_REQUESTS@/tmp" or # the value of the TMPDIR environment variable. # #TempDir @CUPS_REQUESTS@/tmp # # FilterLimit: sets the maximum cost of all job filters that can be run # at the same time. A limit of 0 means no limit. A typical job may need # a filter limit of at least 200; limits less than the minimum required # by a job force a single job to be printed at any time. # # The default limit is 0 (unlimited). # #FilterLimit 0 ######## ######## Network Options ######## # # Ports/addresses that we listen to. The default port 631 is reserved # for the Internet Printing Protocol (IPP) and is what we use here. # # If Unix domain socket support is enabled the full path of the socket # may also be used. # # You can have multiple Port/Listen lines to listen to more than one # port or address, or to restrict access: # # Port 80 # Port 631 # Listen hostname # Listen hostname:80 # Listen hostname:631 # Listen 1.2.3.4 # Listen 1.2.3.4:631 # Listen @CUPS_DEFAULT_DOMAINSOCKET@ # # NOTE: Unfortunately, most web browsers don't support TLS or HTTP Upgrades # for encryption. If you want to support web-based encryption you'll # probably need to listen on port 443 (the "https" port...) # # NOTE 2: In order for the command-line and web interfaces to work, you # must have at least one Port or Listen line that allows access from the # local loopback address (localhost). # #Port 80 #Port 443 #Port 631 Listen 127.0.0.1:631 Listen @CUPS_DEFAULT_DOMAINSOCKET@ # # HostNameLookups: whether or not to do lookups on IP addresses to get a # fully-qualified hostname. This defaults to Off for performance reasons... # #HostNameLookups On # # KeepAlive: whether or not to support the Keep-Alive connection # option. Default is on. # #KeepAlive On # # KeepAliveTimeout: the timeout before Keep-Alive connections are # automatically closed. Default is 60 seconds. # #KeepAliveTimeout 60 # # MaxClients: controls the maximum number of simultaneous clients that # will be handled. Defaults to 100. # #MaxClients 100 # # MaxClientsPerHost: controls the maximum number of simultaneous clients that # will be handled from a specific host. Defaults to 10 or 1/10th of the # MaxClients setting, whichever is larger. A value of 0 specifies the # automatic (10 or 1/10th) setting. # #MaxClientsPerHost 0 # # MaxRequestSize: controls the maximum size of HTTP requests and print files. # Set to 0 to disable this feature (defaults to 0.) # #MaxRequestSize 0 # # Timeout: the timeout before requests time out. Default is 300 seconds. # #Timeout 300 ######## ######## Browsing Options ######## # # Browsing: whether or not to broadcast and/or listen for CUPS printer # information on the network. Enabled by default. # #Browsing On # # BrowseProtocols: which protocols to use for browsing. Can be # any of the following separated by whitespace and/or commas: # # all - Use all supported protocols. # cups - Use the CUPS browse protocol. # slp - Use the SLPv2 protocol. # dnssd - Use the multicast DNS (aka Bonjour) protocol. # # The default is "cups". # # NOTE: If you choose to use SLPv2, it is *strongly* recommended that # you have at least one SLP Directory Agent (DA) on your # network. Otherwise, browse updates can take several seconds, # during which the scheduler will not respond to client # requests. # #BrowseProtocols cups # # BrowseLocalProtocols: controls the sending/registration of local # printers. Can be any of the protocols listed in BrowseProtocols. # # The default is "@CUPS_DEFAULT_BROWSELOCALPROTOCOLS@". #BrowseLocalProtocols @CUPS_DEFAULT_BROWSELOCALPROTOCOLS@ # # BrowseRemoteProtocols: controls the receipt/discovery/listening # for remote printers. Can be any of the protocols listed in # BrowseProtocols. # # The default is "cups". #BrowseRemoteProtocols cups # # BrowseAddress: specifies a broadcast address to be used. By # default browsing information is not sent! # # Note: HP-UX does not properly handle broadcast unless you have a # Class A, B, C, or D netmask (i.e. no CIDR support). # # Note: Using the "global" broadcast address (255.255.255.255) will # activate a Linux demand-dial link with the default configuration. # If you have a LAN as well as the dial-up link, use the LAN's # broadcast address. # # The @LOCAL address broadcasts to all non point-to-point interfaces. # For example, if you have a LAN and a dial-up link, @LOCAL would # send printer updates to the LAN but not to the dial-up link. # Similarly, the @IF(name) address sends to the named network # interface, e.g. @IF(eth0) under Linux. Interfaces are refreshed # automatically (no more than once every 60 seconds), so they can # be used on dynamically-configured interfaces, e.g. PPP, 802.11, etc. # #BrowseAddress x.y.z.255 #BrowseAddress x.y.255.255 #BrowseAddress x.255.255.255 #BrowseAddress 255.255.255.255 #BrowseAddress @LOCAL #BrowseAddress @IF(name) # # BrowseShortNames: whether or not to use "short" names for remote printers # when possible (e.g. "printer" instead of "printer@host".) Enabled by # default. # BrowseShortNames No # # BrowseAllow: specifies an address mask to allow for incoming browser # packets. The default is to allow packets from all addresses. # # BrowseDeny: specifies an address mask to deny for incoming browser # packets. The default is to deny packets from no addresses. # # Both "BrowseAllow" and "BrowseDeny" accept the following notations for # addresses: # # All # None # *.domain.com # .domain.com # host.domain.com # nnn.* # nnn.nnn.* # nnn.nnn.nnn.* # nnn.nnn.nnn.nnn # nnn.nnn.nnn.nnn/mm # nnn.nnn.nnn.nnn/mmm.mmm.mmm.mmm # @LOCAL # @IF(name) # # The hostname/domainname restrictions only work if you have turned hostname # lookups on! # BrowseAllow 127.0.0.1 BrowseAllow @LOCAL BrowseDeny All # # BrowseInterval: the time between browsing updates in seconds. Default # is 30 seconds. # # Note that browsing information is sent whenever a printer's state changes # as well, so this represents the maximum time between updates. # # Set this to 0 to disable outgoing broadcasts so your local printers are # not advertised but you can still see printers on other hosts. # #BrowseInterval 30 # # BrowseOrder: specifies the order of BrowseAllow/BrowseDeny comparisons. # #BrowseOrder allow,deny BrowseOrder deny,allow # # BrowsePoll: poll the named server(s) for printers # #BrowsePoll address:port # # BrowsePort: the port used for UDP broadcasts. By default this is # the IPP port; if you change this you need to do it on all servers. # Only one BrowsePort is recognized. # #BrowsePort 631 # # BrowseRelay: relay browser packets from one address/network to another. # #BrowseRelay source-address destination-address #BrowseRelay @IF(src) @IF(dst) # # BrowseTimeout: the timeout for network printers - if we don't # get an update within this time the printer will be removed # from the printer list. This number definitely should not be # less the BrowseInterval value for obvious reasons. Defaults # to 300 seconds. # #BrowseTimeout 300 # # ImplicitClasses: whether or not to use implicit classes. # # Printer classes can be specified explicitly in the classes.conf # file, implicitly based upon the printers available on the LAN, or # both. # # When ImplicitClasses is On, printers on the LAN with the same name # (e.g. Acme-LaserPrint-1000) will be put into a class with the same # name. This allows you to setup multiple redundant queues on a LAN # without a lot of administrative difficulties. If a user sends a # job to Acme-LaserPrint-1000, the job will go to the first available # queue. # # Enabled by default. # ImplicitClasses Off # # ImplicitAnyClasses: whether or not to create "AnyPrinter" implicit # classes. # # When ImplicitAnyClasses is On and a local queue of the same name # exists, e.g. "printer", "printer@server1", "printer@server1", then # an implicit class called "Anyprinter" is created instead. # # When ImplicitAnyClasses is Off, implicit classes are not created # when there is a local queue of the same name. # # Disabled by default. # #ImplicitAnyCLasses Off # # HideImplicitMembers: whether or not to show the members of an # implicit class. # # When HideImplicitMembers is On, any remote printers that are # part of an implicit class are hidden from the user, who will # then only see a single queue even though many queues will be # supporting the implicit class. # # Enabled by default. # #HideImplicitMembers On # # DefaultShared: the default printer-is-shared value if not # specified when printer is created. # # On by default. # #DefaultShared On ######## ######## Security Options ######## # # SystemGroup: the group name for "System" (printer administration) # access. The default varies depending on the operating system, but # will be "sys", "system", or "root" (checked for in that order.) # SystemGroup admin # # RootCertDuration: How frequently the root certificate is regenerated. # Defaults to 300 seconds. # RootCertDuration 43200 # # Access permissions for each directory served by the scheduler. # Locations are relative to DocumentRoot... # # AuthType: the authorization to use: # # None - Perform no authentication # Basic - Perform authentication using the HTTP Basic method. # Digest - Perform authentication using the HTTP Digest method. # # (Note: local certificate authentication can be substituted by # the client for Basic or Digest when connecting to the # localhost interface) # # AuthClass: the authorization class; currently only "Anonymous", "User", # "System" (valid user belonging to group SystemGroup), and "Group" # (valid user belonging to the specified group) are supported. # # AuthGroupName: the group name for "Group" authorization. # # Order: the order of Allow/Deny processing. # # Allow: allows access from the specified hostname, domain, IP address, # network, or interface. # # Deny: denies access from the specified hostname, domain, IP address, # network, or interface. # # Both "Allow" and "Deny" accept the following notations for addresses: # # All # None # *.domain.com # .domain.com # host.domain.com # nnn.* # nnn.nnn.* # nnn.nnn.nnn.* # nnn.nnn.nnn.nnn # nnn.nnn.nnn.nnn/mm # nnn.nnn.nnn.nnn/mmm.mmm.mmm.mmm # @LOCAL # @IF(name) # # The host and domain address require that you enable hostname lookups # with "HostNameLookups On" above. # # The @LOCAL address allows or denies from all non point-to-point # interfaces. For example, if you have a LAN and a dial-up link, # @LOCAL could allow connections from the LAN but not from the dial-up # link. Similarly, the @IF(name) address allows or denies from the # named network interface, e.g. @IF(eth0) under Linux. Interfaces are # refreshed automatically (no more than once every 60 seconds), so # they can be used on dynamically-configured interfaces, e.g. PPP, # 802.11, etc. # # Encryption: whether or not to use encryption; this depends on having # the OpenSSL library linked into the CUPS library and scheduler. # # Possible values: # # Always - Always use encryption (SSL) # Never - Never use encryption # Required - Use TLS encryption upgrade # IfRequested - Use encryption if the server requests it # # The default value is "IfRequested". # Order Deny,Allow Deny From All Allow From @LOCAL # # # You may wish to limit access to printers and classes, either with Allow # and Deny lines, or by requiring a username and password. # # # # # You may wish to limit access to printers and classes, either with Allow # and Deny lines, or by requiring a username and password. # # # # # You may wish to limit access to job operations, either with Allow # and Deny lines, or by requiring a username and password. # # # # # You may wish to limit access to printers and classes, either with Allow # and Deny lines, or by requiring a username and password. # # # # # You may wish to limit access to printers and classes, either with Allow # and Deny lines, or by requiring a username and password. # ## Anonymous access (default) #AuthType None ## Require a username and password (Basic authentication) #AuthType Basic #AuthClass User ## Require a username and password (Digest/MD5 authentication) #AuthType Digest #AuthClass User ## Restrict access to local domain #Order Deny,Allow #Deny From All #Allow From .mydomain.com # # # You definitely will want to limit access to the administration functions. # The default configuration requires a local connection from a user who # is a member of the system group to do any admin tasks. You can change # the group name using the SystemGroup directive. # AuthType None AuthClass Anonymous ## Restrict access to local domain Order Deny,Allow Deny From All Allow From 127.0.0.1 #Encryption Required AuthType Basic AuthClass System AuthType None AuthClass Anonymous ## Restrict access to local domain Order Deny,Allow Deny From All Allow From 127.0.0.1 AuthType Basic AuthClass System # # End of "$Id: cupsd.conf.in,v 1.30.2.1 2005/05/31 18:45:34 jlovell Exp $". #