How can I enable remote access to the Admin page in CUPS

I'm looking to get access to the admin page of the CUPS web interface.

I can reach the page, and I can browse the majority of the site, but sadly the Admin page is still locked from remote sources.

I did set Allow from all and also tried Allow all everywhere now, and still I can't access the page.

What am I missing?

Config file

#
#
# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
# complete description of this file.
#

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn

# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0

# Allow connection from remote hosts
Port 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols all

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Web interface setting...
WebInterface Yes

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow from all
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow from all
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Order allow,deny
  Allow from all
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
    Allow from all
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  <Limit All>
    Order deny,allow
    Allow from all
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Order deny,allow
    Allow from all
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow from all
  </Limit>

  <Limit All>
    Order deny,allow
    Allow from all
  </Limit>
</Policy>

Dockerfile

#
#   Add a Printer user
#
RUN useradd \
    --groups=sudo,lp,lpadmin \
    --create-home \
    --home-dir=/home/print \
    --shell=/bin/bash \
    print

#
#   Set the password for the printer user
#
RUN echo print:sdsds | chpasswd

What I would do is at the following block below the </Policy> tag:

<Location />
    Order allow,deny
    Allow localhost
    Allow from 192.168.0.*
    Allow from 10.0.*.*
</Location>

Listen 0.0.0.0:631

For admin access specifically, the vanilla config normally has:

<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

In order to create a suitable user account, you just need to create a user that is a member of the lpadmin group (I would recommend you do require some kind auth for the admin section): sudo useradd -g lpadmin cupsadmin, then set a password.

See also https://askubuntu.com/questions/387217/cups-admin-user-and-password-saucy

Update: The below should work as a starting point to also happens to fix the issue originally raise by @DavidGatti - it isn't as complete/granular as the original config, but the policy config can be re-added.

This config does however do away with using @SYSTEM user, and instead will accept any 'local', valid user. The use-case for the config is running CUPS in a docker container, so it seemed best to avoid requiring anything 'special', beyond a user with a password, to provide admin access to CUPS.

# Disable cups internal logging - use logrotate instead
MaxLogSize 0

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
#PageLogFormat

Listen /run/cups/cups.sock
Listen 0.0.0.0:631
Port 631

# Show shared printers on the local network.
Browsing On
BrowseLocalProtocols dnssd

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Web interface setting...
WebInterface Yes

# Restrict access to the server...
# This config allow anyone access to the WUI
<Location />
  Order allow,deny
  Allow all
</Location>

# Restrict access to the admin pages...
# Allows anyone to try and access admin pages.
# Any local user's credentials will be accepted
<Location /admin>
  AuthType Basic
  Require valid-user
  Allow all
  Order allow,deny
</Location>

# Restrict access to configuration files...
# Any local user's credentials will be accepted
<Location /admin/conf>
  AuthType Basic
  Require valid-user
  Allow all
  Order allow,deny
</Location>

# Restrict access to log files...
# Any local user's credentials will be accepted
<Location /admin/log>
  AuthType Basic
  Require valid-user
  Allow all
  Order allow,deny
</Location>

Browsing On

You might also find some decent pointers in How to configure cups to allow remote printing with authentication and local printing without?


If you need quick fix, without technical details, use this command

sudo cupsctl --remote-any
sudo /etc/init.d/cups restart