I've installed cups and started the service.
Trying to access to the web interface at 192.168.x.x:631 I receive a 403 error.
I need to enable remote access with this command:
sudo cupsctl --remote-admin
and restart the service
service cups restart
On Ubuntu Srv 16.04
My /etc/cups/cupsd.conf
(make a copy before)
LogLevel warn
PageLogFormat
MaxLogSize 0
Port 631
Listen /var/run/cups/cups.sock
Browsing Off
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
Order allow,deny
Allow #LOCAL
</Location>
<Location /admin>
Order allow,deny
Allow #LOCAL
</Location>
<Location /admin/conf>
AuthType Default
Require user #SYSTEM
Order allow,deny
Allow #LOCAL
</Location>
<Location /admin/log>
AuthType Default
Require user #SYSTEM
Order allow,deny
Order allow,deny
Allow #LOCAL
</Location>
<Policy default>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user #OWNER #SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user #SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user #SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user #OWNER #SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user #OWNER #SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user #SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user #SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user #OWNER #SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
Don't forget open the firewall (if enable)
sudo ufw allow 631
Related
I have the current configuration in my httpd.conf file.I am trying to remove the vulnerability Authentication Bypass Using HTTP Verb Tampering. I only want to allow certain HTTP request headers, Get and Post in the below example and a different header should throw an error.
DocumentRoot "c:/dev"
<Directory "C:/dev">
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride Limit
<LimitExcept GET POST>
Order deny,allow
Deny from all
</LimitExcept>
Order allow,deny
Allow from all
</Directory>
This configuration is still allowing other http request headers like put, options etc. I am using postman api to test my changes. Please help!
This is how you can limit to GET/POST/OPTIONS. Note: NIST Stigs V-26396 states that this should not be applied to the root but only the others such as in my example (/etc/apache2/apache2.conf):
It appears that this would work as well :
<Location /var/www/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
<Location /usr/share/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
Further reading :
https://vaulted.io/library/disa-stigs-srgs/apache_22_server_for_unix_security_technical_implementation_guide/V-26396
http://httpd.apache.org/docs/current/mod/core.html#limitexcept
Try this settings
<Location />
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
The LimitExcept directive is the inverse of Limit directive. It allows applying a set of access restrictions to all listed http methods except for the ones listed with the LimitExcept directive. See this link: http://httpd.apache.org/docs/current/mod/core.html#limitexcept. So the access restrictions are applied to all http methods except for the ones listed with LimitExcept.
In your case the problem seems to be with the access control directives. See this link for more information: http://httpd.apache.org/docs/current/mod/mod_access_compat.html#order
You can try to remove the directives below
I sorta have a HTTP config working for Apache 2.2 that allows WebDav. At least I can use the WinSCP client to attach with the DAV account listed below.
But I also have much older clunkier clients that may only work for anonymous access. And they are not working.
Windows 7 (Map drive), it pops up the credentials but does not log in.
FalconView (probably only understands anonymous login
Any idea what I am doing wrong here with the anon access? I am a novice at HTTPD.conf
(the environment variable ${EGPL_JobsPath} resolves to a windows path:
E.g. F:\Jobs
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_JobsPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
Require valid-user
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require user me
</LimitExcept>
AuthType Basic
AuthName DAV
AuthUserFile conf/users.passwords
</Directory>
The only way I could get this to work, is to turn off all Authentication and leave the webdav folder open to the world. I would still like to hear from people with better ideas:
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_LibrarianPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
</Directory>
Is it possible to restrict differently the user access in a directory on an apache server?
For example that user foo can read and write a file and another user bar can only read?
Update: what I tried so far
<Directory /var/www/html/uploads>
DAV On
AuthType Basic
AuthName "WebDAV access"
AuthUserFile /var/www/html/uploads/.passwdfile
AllowOverride None
Options None
<LimitExcept GET>
Require user testUserGet testUserPut
</LimitExcept>
<LimitExcept PUT>
Require user testUserPut
</LimitExcept>
Require valid-user
</Directory>
However, I know can PUT stuff into uploads just by specifying a valid user (I guess that's due to Require valid-user).
What I need is that testUserGet can only perform GET and testUserPut only PUT and GET.
Problem: I have some files under /var/www/files/ that I want them to be accessed from specific IP addresses WITHOUT requiring user/password. However, I would like that any other IP address SHOULD require login to gain access.
This is in my httpd.conf:
<Directory /var/www/files/>
Order deny,allow
Deny from all
Allow from 192.168
AuthUserFile /etc/apache2/basic.pwd
AuthName "Please enter username and password"
AuthType Basic
Require user valid-user
</Directory>
But, if I understood correctly, this means that any client coming from 192.168.* will have access to that directory BUT will require a valid-user to view its content. And any other IP address will be denied. right?
Thank you in advance.
This is how it's done for Apache 2.4+ (since Satisfy Any is no longer supported).
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<RequireAny>
Require ip 22.33.44.55
Require valid-user
</RequireAny>
</Directory>
If you want to require both IP address -and- Login/Password, change <RequireAny> to <RequireAll>
I hope this helps someone - as it took me a while to figure it out.
edit: this may be accepted answer, but old. For new Apache installs, use Brians answer here
Add this: Satisfy Any (which means either of those 2 should be passed).
And the syntax is either:
Require valid-user
Or:
Require user <userid>
If your server is behind a proxy, you can't rely on the Require ip directly. However, you can use the Require env:
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
SetEnvIF X-Forwarded-For "22.33.44.55" AllowIP
<RequireAny>
Require env AllowIP
Require valid-user
</RequireAny>
</Directory>
The source of the idea
At Apache 2.4+, if you also like to set a fixed username based on the IP block you could use AuthBasicFake directive together with runtime If directive.
This example with grant direct access to 22.33.44.55/32 and 66.77.88.99/32 and sets username demouser, all others must login.
<Location>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<If "-R '22.33.44.55/32' || -R '66.77.88.99/32'">
AuthBasicFake demouser
Require all granted
</If>
<Else>
Require valid-user
</Else>
</Location>
SetEnvIF X-Forwarded-For "192.168.135.159" AllowIP
SetEnvIF X-Forwarded-For "192.168.135.135" AllowIP
AuthType Basic
AuthName "admin"
AuthUserFile "/var/www/domain.com/cms/.htpasswd"
<RequireAll>
Require env AllowIP
require valid-user
</RequireAll>
İ also checked many variants. this code üorks with 2.4 version of apache 100%
I have set up a site that is currently work in progress. I'm using an external SMS gateway that needs access to a script on my server. However, I have set up a basic username and password authentication for regular users, but the SMS gateway can't get through that.
How can I allow a single IP to pass through the authentication without authenticating itself, and deny all other users that aren't authenticated?
Here's my .htaccess file:
Order allow,deny
Allow from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require user admin
Just found out, with help from JoseK:
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require valid-user
Allow from 1.2.3.4
Satisfy Any
UPDATE: As of Apache 2.4, Order, Allow, Deny, and Satisfy directives should not be used anymore. So the new syntax is:
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 1.2.3.4
Require valid-user
</RequireAny>
Try changing first 2 lines to
Order deny,allow
Deny from all
Allow from 1.2.3.x
Replace your desired IP in the Allow from