Matt made a comment on an earlier post asking if I knew of any good how-to articles about setting up a print server. I did a little bit of looking, and it seems like most of the good articles assume that the server is already up and running. I will not pretend this is a good article, and it certainly isn’t comprehensive, but it is what it is. Basically, I’ll just run down the cupsd.conf file on my print server and point out differences and why I made them different.
Now some people might ask “well, Ben, what about Windows-based print servers?” That’s a valid question. It has been my experience that Windows print servers work very well with Windows clients. In a heterogeneous environment, though, Windows servers don’t perform well. That’s where the Common Unix Print System (CUPS) comes in. CUPS runs on pretty much any Unix or Linux system (including Mac OS X, which is part of the reason Apple purchased CUPS in 2007). Most, if not all, Linux distributions ship with CUPS, and the source code is available if you prefer to roll your own. We are going to assume you’ve already done a yum install cups (or apt-get install cupsys or ./configure;make;make install or whatever).
I’m assuming your CUPS configuration files live in /etc/cups, which is the default on Fedora/Red Hat/CentOS systems. If it lives somewhere else, adjust accordingly. There are several files in the configuration directory, but if you’re setting up a server, the one you’re immediately interested in is cupsd.conf. This is the configuration file for the CUPS server daemon.
There are a lot of options that you can specify. I don’t know what all of them are, but that’s what the documentation is for. What I do know is that lines that start with ‘#’ are comments, and are there to help you remember later what you did when you set your server up. The options are mostly in the format “option_name option_value”, and some options are grouped into sections with <label> </label> tags, similar to HTML and XML. So let’s look at what I did, keeping in mind that my options are set for my server, and your needs may be different.
SystemGroup sys root eascomp
The “SystemGroup” option defines who can administer the print server. In this case, the ‘eascomp’ group contains all of my department’s IT staff. This allows anyone on the team to do routine tasks on the server (e.g. deleting jobs, restarting a queue, etc.) without having to explicitly define each command in /etc/sudoers. Note that this does not give the specified group(s) permission to edit the config files by hand; that is still controlled by regular Unix file permissions.
By default, CUPS is set up to only listen to requests coming from the machine it is running on. That doesn’t do much good when you’re trying to run a print service for multiple machines, so I commented the line out. I then added the ‘Port 631’ line to tell CUPS to listen for requests from any host on port 631 (we’ll make the security a bit better later). 631 is the standard port for the Internet Printing Protocol (IPP). However, Windows does not seem to understand IPP by default, so when you add a CUPS printer to Windows, you have to specify the port (e.g. http://print.my.employer.edu:631). In order to remove this pain, I also told CUPS to listen on port 80, the standard HTTP port. If you plan to run a web server on the same machine, you can’t have CUPS listen on port 80.
This section controls where clients can access the server from. In most of the real-world cases I can think of, you’ll want to block all hosts by default and then allow only the specific hosts or networks that need access. Only bad things can happen if you run a print server for the whole world to use. The order of allow and deny after the Order command is very important. Whichever comes first is the default, so you’ll want to make sure you use “deny,allow” unless you’ve got a completely self-contained network. In my example above, I deny everywhere and then explicitly add the IP addresses and DNS entries for my department. (It isn’t strictly necessary to do it both ways; one or the other works fine in most cases. It just so happens that I’ve got a few IPs that don’t have DNS records and I’m too lazy to fix that.)
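
An added example, not part of the original post: a small Python check that reads a cupsd.conf and reports which ports are reachable from other hosts and which Location blocks do not follow the deny-everything-then-allow-specific-hosts pattern described above. The sample config, the 192.0.2.* network and the example.edu domain are constructed placeholders.

```python
# Constructed sample in the shape the post describes; addresses are placeholders.
SAMPLE = """\
SystemGroup sys root eascomp
#Listen localhost:631
Port 631
Port 80
<Location />
  Order deny,allow
  Deny From All
  Allow From 192.0.2.*
  Allow From *.dept.example.edu
</Location>
<Location /admin>
  Order deny,allow
  Allow From All
</Location>
"""
LOCAL = {"localhost", "127.0.0.1", "[::1]"}

def audit(text):
    """Return (ports reachable from other hosts, Locations lacking deny-all-then-allow)."""
    ports, findings, loc, rules = set(), [], None, {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not parts:
            continue
        key, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if key == "<location" and args:
            loc, rules = args[0].rstrip(">"), {"order": "", "deny": [], "allow": []}
        elif key == "</location>":
            # The post's pattern: Order deny,allow + Deny all + specific Allow lines.
            if not (rules["order"] == "deny,allow" and "all" in rules["deny"]
                    and "all" not in rules["allow"]):
                findings.append(loc)
            loc = None
        elif loc is None and key == "port" and args and args[0].isdigit():
            ports.add(int(args[0]))               # Port N listens on every interface
        elif loc is None and key == "listen" and args:
            host, _, port = args[0].rpartition(":")
            if port.isdigit() and host not in LOCAL:   # skips local socket paths
                ports.add(int(port))
        elif loc is not None and key == "order" and args:
            rules["order"] = "".join(args)
        elif loc is not None and key in ("allow", "deny") and args:
            rules[key].append(args[-1])           # accepts "Allow From x" and "Allow x"
    return sorted(ports), findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The ports it returns are the ones the firewall rules need to cover; the Locations it returns are the ones to review by hand.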
That’s all there is to it. You’ve now got your own cupsd.conf and you’re ready to start the server (/etc/init.d/cups start, unless you’re Nathan, in which case it’s “go CUPS go!”). It’s also worth noting that you can do some CUPS configuration through a web browser (http://localhost:631) or through a GUI program that your distro provides. I prefer to do it by hand, because that’s easier to do remotely and it gives you more control over what you’re actually changing.
So now that you’ve got your server set up, it’s time to add printers. At this point, I think the rest of the Internet does a good job of explaining things, so I won’t duplicate the effort. Don’t worry though, I seem to be on a CUPS kick lately, and I doubt this post will be the last on the subject. I do want to note, however, that just because you have CUPS itself running, that doesn’t mean you’re done. I strongly suggest modifying your firewall rules to allow only the correct hosts access to the port(s) you’re running CUPS on (you’re doing default deny on your firewall, right?).