1<!DOCTYPE HTML>
2<html>
3<!-- SECTION: Man Pages -->
4<head>
5	<link rel="stylesheet" type="text/css" href="../cups-printable.css">
6	<title>cupsd.conf(5)</title>
7</head>
8<body>
9<h1 class="title">cupsd.conf(5)</h1>
10<h2 class="title"><a name="NAME">Name</a></h2>
11cupsd.conf - server configuration file for cups
12<h2 class="title"><a name="DESCRIPTION">Description</a></h2>
13The
14<i>cupsd.conf</i>
15file configures the CUPS scheduler,
16<b>cupsd</b>(8).
17It is normally located in the
18<i>/etc/cups</i>
19directory.
20Each line in the file can be a configuration directive, a blank line, or a comment.
21Configuration directives typically consist of a name and zero or more values separated by whitespace.
22The configuration directive name and values are case-insensitive.
23Comment lines start with the # character.
24<h3><a name="TOP_LEVEL_DIRECTIVES">Top-level Directives</a></h3>
25The following top-level directives are understood by
26<b>cupsd</b>(8):
27<dl class="man">
28<dt><a name="AccessLogLevel"></a><b>AccessLogLevel config</b>
29<dd style="margin-left: 5.0em"><dt><b>AccessLogLevel actions</b>
30<dd style="margin-left: 5.0em"><dt><b>AccessLogLevel all</b>
31<dd style="margin-left: 5.0em">Specifies the logging level for the AccessLog file.
32The "config" level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated.
33The "actions" level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for "config".
34The "all" level logs all requests.
35The default access log level is "actions".
36<dt><a name="AutoPurgeJobs"></a><b>AutoPurgeJobs Yes</b>
37<dd style="margin-left: 5.0em"><dt><b>AutoPurgeJobs No</b>
38<dd style="margin-left: 5.0em"><br>
39Specifies whether to purge job history data automatically when it is no longer required for quotas.
40The default is "No".
41<dt><a name="BrowseDNSSDSubTypes"></a><b>BrowseDNSSDSubTypes</b><i>_subtype[,...]</i>
42<dd style="margin-left: 5.0em">Specifies a list of Bonjour sub-types to advertise for each shared printer.
43For example, "BrowseDNSSDSubTypes _cups,_print" will tell network clients that both CUPS sharing and IPP Everywhere are supported.
44The default is "_cups" which is necessary for printer sharing to work between systems using CUPS.
45<dt><a name="BrowseLocalProtocols"></a><b>BrowseLocalProtocols all</b>
46<dd style="margin-left: 5.0em"><dt><b>BrowseLocalProtocols dnssd</b>
47<dd style="margin-left: 5.0em"><dt><b>BrowseLocalProtocols none</b>
48<dd style="margin-left: 5.0em">Specifies which protocols to use for local printer sharing.
49The default is "dnssd" on systems that support Bonjour and "none" otherwise.
50<dt><a name="BrowseWebIF"></a><b>BrowseWebIF Yes</b>
51<dd style="margin-left: 5.0em"><dt><b>BrowseWebIF No</b>
52<dd style="margin-left: 5.0em"><br>
53Specifies whether the CUPS web interface is advertised.
54The default is "No".
55<dt><a name="Browsing"></a><b>Browsing Yes</b>
56<dd style="margin-left: 5.0em"><dt><b>Browsing No</b>
57<dd style="margin-left: 5.0em"><br>
58Specifies whether shared printers are advertised.
59The default is "No".
60<dt><a name="DefaultAuthType"></a><b>DefaultAuthType Basic</b>
61<dd style="margin-left: 5.0em"><dt><b>DefaultAuthType Negotiate</b>
62<dd style="margin-left: 5.0em"><br>
63Specifies the default type of authentication to use.
64The default is "Basic".
65<dt><a name="DefaultEncryption"></a><b>DefaultEncryption Never</b>
66<dd style="margin-left: 5.0em"><dt><b>DefaultEncryption IfRequested</b>
67<dd style="margin-left: 5.0em"><dt><b>DefaultEncryption Required</b>
68<dd style="margin-left: 5.0em">Specifies whether encryption will be used for authenticated requests.
69The default is "Required".
70<dt><a name="DefaultLanguage"></a><b>DefaultLanguage </b><i>locale</i>
71<dd style="margin-left: 5.0em">Specifies the default language to use for text and web content.
72The default is "en".
73<dt><a name="DefaultPaperSize"></a><b>DefaultPaperSize Auto</b>
74<dd style="margin-left: 5.0em"><dt><b>DefaultPaperSize None</b>
75<dd style="margin-left: 5.0em"><dt><b>DefaultPaperSize </b><i>sizename</i>
76<dd style="margin-left: 5.0em">Specifies the default paper size for new print queues. "Auto" uses a locale-specific default, while "None" specifies there is no default paper size.
77Specific size names are typically "Letter" or "A4".
78The default is "Auto".
79<dt><a name="DefaultPolicy"></a><b>DefaultPolicy </b><i>policy-name</i>
80<dd style="margin-left: 5.0em">Specifies the default access policy to use.
81The default access policy is "default".
82<dt><a name="DefaultShared"></a><b>DefaultShared Yes</b>
83<dd style="margin-left: 5.0em"><dt><b>DefaultShared No</b>
84<dd style="margin-left: 5.0em">Specifies whether local printers are shared by default.
85The default is "Yes".
86<dt><a name="DirtyCleanInterval"></a><b>DirtyCleanInterval </b><i>seconds</i>
87<dd style="margin-left: 5.0em">Specifies the delay for updating of configuration and state files.
88A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds.
89The default value is "30".
90<dt><a name="DNSSDHostName"></a><b>DNSSDHostName</b><i>hostname.example.com</i>
91<dd style="margin-left: 5.0em">Specifies the fully-qualified domain name for the server that is used for Bonjour sharing.
92The default is typically the server's ".local" hostname.
93<dt><a name="ErrorPolicy"></a><b>ErrorPolicy abort-job</b>
94<dd style="margin-left: 5.0em">Specifies that a failed print job should be aborted (discarded) unless otherwise specified for the printer.
95<dt><b>ErrorPolicy retry-current-job</b>
96<dd style="margin-left: 5.0em">Specifies that a failed print job should be retried immediately unless otherwise specified for the printer.
97<dt><b>ErrorPolicy retry-job</b>
98<dd style="margin-left: 5.0em">Specifies that a failed print job should be retried at a later time unless otherwise specified for the printer.
99<dt><b>ErrorPolicy stop-printer</b>
100<dd style="margin-left: 5.0em">Specifies that a failed print job should stop the printer unless otherwise specified for the printer. The 'stop-printer' error policy is the default.
101<dt><a name="FilterLimit"></a><b>FilterLimit </b><i>limit</i>
102<dd style="margin-left: 5.0em">Specifies the maximum cost of filters that are run concurrently, which can be used to minimize disk, memory, and CPU resource problems.
103A limit of 0 disables filter limiting.
104An average print to a non-PostScript printer needs a filter limit of about 200.
105A PostScript printer needs about half that (100).
106Setting the limit below these thresholds will effectively limit the scheduler to printing a single job at any time.
107The default limit is "0".
108<dt><a name="FilterNice"></a><b>FilterNice </b><i>nice-value</i>
109<dd style="margin-left: 5.0em">Specifies the scheduling priority (
110<b>nice</b>(8)
111value) of filters that are run to print a job.
112The nice value ranges from 0, the highest priority, to 19, the lowest priority.
113The default is 0.
114<dt><a name="GSSServiceName"></a><b>GSSServiceName </b><i>name</i>
115<dd style="margin-left: 5.0em">Specifies the service name when using Kerberos authentication.
116The default service name is "http."
117<dt><b>HostNameLookups On</b>
118<dd style="margin-left: 5.0em"><dt><a name="HostNameLookups"></a><b>HostNameLookups Off</b>
119<dd style="margin-left: 5.0em"><dt><b>HostNameLookups Double</b>
120<dd style="margin-left: 5.0em">Specifies whether to do reverse lookups on connecting clients.
121The "Double" setting causes
122<b>cupsd</b>(8)
123to verify that the hostname resolved from the address matches one of the addresses returned for that hostname.
124Double lookups also prevent clients with unregistered addresses from connecting to your server.
125The default is "Off" to avoid the potential server performance problems with hostname lookups.
126Only set this option to "On" or "Double" if absolutely required.
127<dt><a name="IdleExitTimeout"></a><b>IdleExitTimeout </b><i>seconds</i>
128<dd style="margin-left: 5.0em">Specifies the length of time to wait before shutting down due to inactivity.
129The default is "60" seconds.
130Note: Only applicable when
131<b>cupsd</b>(8)
132is run on-demand (e.g., with <b>-l</b>).
133<dt><a name="JobKillDelay"></a><b>JobKillDelay </b><i>seconds</i>
134<dd style="margin-left: 5.0em">Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job.
135The default is "30".
136<dt><a name="JobRetryInterval"></a><b>JobRetryInterval </b><i>seconds</i>
137<dd style="margin-left: 5.0em">Specifies the interval between retries of jobs in seconds.
138This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
139The default is "30".
140<dt><a name="JobRetryLimit"></a><b>JobRetryLimit </b><i>count</i>
141<dd style="margin-left: 5.0em">Specifies the number of retries that are done for jobs.
142This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
143The default is "5".
144<dt><a name="KeepAlive"></a><b>KeepAlive Yes</b>
145<dd style="margin-left: 5.0em"><dt><b>KeepAlive No</b>
146<dd style="margin-left: 5.0em">Specifies whether to support HTTP keep-alive connections.
147The default is "Yes".
148<dt><a name="KeepAliveTimeout"></a><b>KeepAliveTimeout </b><i>seconds</i>
149<dd style="margin-left: 5.0em">Specifies how long an idle client connection remains open.
150The default is "30".
151<dt><a name="LimitIPP"></a><b>&lt;Limit </b><i>operation </i>...<b>> </b>... <b>&lt;/Limit></b>
152<dd style="margin-left: 5.0em">Specifies the IPP operations that are being limited inside a Policy section. IPP operation names are listed below in the section "IPP OPERATION NAMES".
153<dt><a name="Limit"></a><b>&lt;Limit </b><i>method </i>...<b>> </b>... <b>&lt;/Limit></b>
154<dd style="margin-left: 5.0em"><dt><a name="LimitExcept"></a><b>&lt;LimitExcept </b><i>method </i>...<b>> </b>... <b>&lt;/LimitExcept></b>
155<dd style="margin-left: 5.0em">Specifies the HTTP methods that are being limited inside a Location section. HTTP method names are listed below in the section "HTTP METHOD NAMES".
156<dt><a name="LimitRequestBody"></a><b>LimitRequestBody </b><i>size</i>
157<dd style="margin-left: 5.0em">Specifies the maximum size of print files, IPP requests, and HTML form data.
158The default is "0" which disables the limit check.
159<dt><a name="Listen"></a><b>Listen </b><i>ipv4-address</i><b>:</b><i>port</i>
160<dd style="margin-left: 5.0em"><dt><b>Listen [</b><i>ipv6-address</i><b>]:</b><i>port</i>
161<dd style="margin-left: 5.0em"><dt><b>Listen *:</b><i>port</i>
162<dd style="margin-left: 5.0em"><dt><b>Listen </b><i>/path/to/domain/socket</i>
163<dd style="margin-left: 5.0em">Listens to the specified address and port or domain socket path for connections.
164Multiple Listen directives can be provided to listen on multiple addresses.
165The Listen directive is similar to the Port directive but allows you to restrict access to specific interfaces or networks.
166<dt><a name="ListenBackLog"></a><b>ListenBackLog </b><i>number</i>
167<dd style="margin-left: 5.0em">Specifies the number of pending connections that will be allowed.
168This normally only affects very busy servers that have reached the MaxClients limit, but can also be triggered by large numbers of simultaneous connections.
169When the limit is reached, the operating system will refuse additional connections until the scheduler can accept the pending ones.
170The default is the OS-defined default limit, typically either "5" for older operating systems or "128" for newer operating systems.
171<dt><a name="Location"></a><b>&lt;Location </b><i>/path</i><b>> </b>... <b>&lt;/Location></b>
172<dd style="margin-left: 5.0em">Specifies access control for the named location.
173Paths are documented below in the section "LOCATION PATHS".
174<dt><a name="LogDebugHistory"></a><b>LogDebugHistory </b><i>number</i>
175<dd style="margin-left: 5.0em">Specifies the number of debugging messages that are retained for logging if an error occurs in a print job. Debug messages are logged regardless of the LogLevel setting.
176<dt><a name="LogLevel"></a><b>LogLevel </b>none
177<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>emerg
178<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>alert
179<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>crit
180<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>error
181<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>warn
182<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>notice
183<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>info
184<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>debug
185<dd style="margin-left: 5.0em"><dt><b>LogLevel </b>debug2
186<dd style="margin-left: 5.0em">Specifies the level of logging for the ErrorLog file.
187The value "none" stops all logging while "debug2" logs everything.
188The default is "warn".
189<dt><a name="LogTimeFormat"></a><b>LogTimeFormat </b>standard
190<dd style="margin-left: 5.0em"><dt><b>LogTimeFormat </b>usecs
191<dd style="margin-left: 5.0em">Specifies the format of the date and time in the log files.
192The value "standard" is the default and logs whole seconds while "usecs" logs microseconds.
193<dt><a name="MaxClients"></a><b>MaxClients </b><i>number</i>
194<dd style="margin-left: 5.0em">Specifies the maximum number of simultaneous clients that are allowed by the scheduler.
195The default is "100".
196<dt><a name="MaxClientPerHost"></a><b>MaxClientsPerHost </b><i>number</i>
197<dd style="margin-left: 5.0em">Specifies the maximum number of simultaneous clients that are allowed from a
198single address.
199The default is the MaxClients value.
200<dt><a name="MaxCopies"></a><b>MaxCopies </b><i>number</i>
201<dd style="margin-left: 5.0em">Specifies the maximum number of copies that a user can print of each job.
202The default is "9999".
203<dt><a name="MaxHoldTime"></a><b>MaxHoldTime </b><i>seconds</i>
204<dd style="margin-left: 5.0em">Specifies the maximum time a job may remain in the "indefinite" hold state before it is canceled.
205The default is "0" which disables cancellation of held jobs.
206<dt><a name="MaxJobs"></a><b>MaxJobs </b><i>number</i>
207<dd style="margin-left: 5.0em">Specifies the maximum number of simultaneous jobs that are allowed.
208Set to "0" to allow an unlimited number of jobs.
209The default is "500".
210<dt><a name="MaxJobsPerPrinter"></a><b>MaxJobsPerPrinter </b><i>number</i>
211<dd style="margin-left: 5.0em">Specifies the maximum number of simultaneous jobs that are allowed per printer.
212The default is "0" which allows up to MaxJobs jobs per printer.
213<dt><a name="MaxJobsPerUser"></a><b>MaxJobsPerUser </b><i>number</i>
214<dd style="margin-left: 5.0em">Specifies the maximum number of simultaneous jobs that are allowed per user.
215The default is "0" which allows up to MaxJobs jobs per user.
216<dt><a name="MaxJobTime"></a><b>MaxJobTime </b><i>seconds</i>
217<dd style="margin-left: 5.0em">Specifies the maximum time a job may take to print before it is canceled.
218Set to "0" to disable cancellation of "stuck" jobs.
219The default is "10800" (3 hours).
220<dt><a name="MaxLogSize"></a><b>MaxLogSize </b><i>size</i>
221<dd style="margin-left: 5.0em">Specifies the maximum size of the log files before they are rotated.
222The value "0" disables log rotation.
223The default is "1048576" (1MB).
224<dt><a name="MultipleOperationTimeout"></a><b>MultipleOperationTimeout </b><i>seconds</i>
225<dd style="margin-left: 5.0em">Specifies the maximum amount of time to allow between files in a multiple file print job.
226The default is "900" (15 minutes).
227<dt><a name="Policy"></a><b>&lt;Policy </b><i>name</i><b>> </b>... <b>&lt;/Policy></b>
228<dd style="margin-left: 5.0em">Specifies access control for the named policy.
229<dt><a name="Port"></a><b>Port </b><i>number</i>
230<dd style="margin-left: 5.0em">Listens to the specified port number for connections.
231<dt><a name="PreserveJobFiles"></a><b>PreserveJobFiles Yes</b>
232<dd style="margin-left: 5.0em"><dt><b>PreserveJobFiles No</b>
233<dd style="margin-left: 5.0em"><dt><b>PreserveJobFiles </b><i>seconds</i>
234<dd style="margin-left: 5.0em">Specifies whether job files (documents) are preserved after a job is printed.
235If a numeric value is specified, job files are preserved for the indicated number of seconds after printing.
236The default is "86400" (preserve 1 day).
237<dt><a name="PreserveJobHistory"></a><b>PreserveJobHistory Yes</b>
238<dd style="margin-left: 5.0em"><dt><b>PreserveJobHistory No</b>
239<dd style="margin-left: 5.0em"><dt><b>PreserveJobHistory </b><i>seconds</i>
240<dd style="margin-left: 5.0em">Specifies whether the job history is preserved after a job is printed.
241If a numeric value is specified, the job history is preserved for the indicated number of seconds after printing.
242If "Yes", the job history is preserved until the MaxJobs limit is reached.
243The default is "Yes".
244<dt><a name="ReloadTimeout"></a><b>ReloadTimeout </b><i>seconds</i>
245<dd style="margin-left: 5.0em">Specifies the amount of time to wait for job completion before restarting the scheduler.
246The default is "30".
247<dt><a name="ServerAdmin"></a><b>ServerAdmin </b><i>email-address</i>
248<dd style="margin-left: 5.0em">Specifies the email address of the server administrator.
249The default value is "root@ServerName".
250<dt><a name="ServerAlias"></a><b>ServerAlias </b><i>hostname </i>[ ... <i>hostname </i>]
251<dd style="margin-left: 5.0em"><dt><b>ServerAlias *</b>
252<dd style="margin-left: 5.0em">The ServerAlias directive is used for HTTP Host header validation when clients connect to the scheduler from external interfaces.
253Using the special name "*" can expose your system to known browser-based DNS rebinding attacks, even when accessing sites through a firewall.
254If the auto-discovery of alternate names does not work, we recommend listing each alternate name with a ServerAlias directive instead of using "*".
255<dt><a name="ServerName"></a><b>ServerName </b><i>hostname</i>
256<dd style="margin-left: 5.0em">Specifies the fully-qualified hostname of the server.
257The default is the value reported by the
258<b>hostname</b>(1)
259command.
260<dt><a name="ServerTokens"></a><b>ServerTokens None</b>
261<dd style="margin-left: 5.0em"><dt><b>ServerTokens ProductOnly</b>
262<dd style="margin-left: 5.0em"><dt><b>ServerTokens Major</b>
263<dd style="margin-left: 5.0em"><dt><b>ServerTokens Minor</b>
264<dd style="margin-left: 5.0em"><dt><b>ServerTokens Minimal</b>
265<dd style="margin-left: 5.0em"><dt><b>ServerTokens OS</b>
266<dd style="margin-left: 5.0em"><dt><b>ServerTokens Full</b>
267<dd style="margin-left: 5.0em">Specifies what information is included in the Server header of HTTP responses.
268"None" disables the Server header.
269"ProductOnly" reports "CUPS".
270"Major" reports "CUPS/major IPP/2".
271"Minor" reports "CUPS/major.minor IPP/2.1".
272"Minimal" reports "CUPS/major.minor.patch IPP/2.1".
273"OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1".
274"Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1".
275The default is "Minimal".
276<dt><a name="SSLListen"></a><b>SSLListen </b><i>ipv4-address</i><b>:</b><i>port</i>
277<dd style="margin-left: 5.0em"><dt><b>SSLListen [</b><i>ipv6-address</i><b>]:</b><i>port</i>
278<dd style="margin-left: 5.0em"><dt><b>SSLListen *:</b><i>port</i>
279<dd style="margin-left: 5.0em">Listens on the specified address and port for encrypted connections.
280<dt><a name="SSLOptions"></a><dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
281<dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
282<dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
283By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
284Security is reduced when <i>Allow</i> options are used.
285Security is enhanced when <i>Deny</i> options are used.
286The <i>AllowDH</i> option enables cipher suites using plain Diffie-Hellman key negotiation (not supported on systems using GNU TLS).
287The <i>AllowRC4</i> option enables the 128-bit RC4 cipher suites, which are required for some older clients.
288The <i>AllowSSL3</i> option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
289The <i>DenyCBC</i> option disables all CBC cipher suites.
290The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
291The <i>MinTLS</i> options set the minimum TLS version to support.
292The <i>MaxTLS</i> options set the maximum TLS version to support.
293Not all operating systems support TLS 1.3 at this time.
294<dt><a name="SSLPort"></a><b>SSLPort </b><i>port</i>
295<dd style="margin-left: 5.0em">Listens on the specified port for encrypted connections.
296<dt><a name="StrictConformance"></a><b>StrictConformance Yes</b>
297<dd style="margin-left: 5.0em"><dt><b>StrictConformance No</b>
298<dd style="margin-left: 5.0em">Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications.
299The default is "No".
300<dt><a name="Timeout"></a><b>Timeout </b><i>seconds</i>
301<dd style="margin-left: 5.0em">Specifies the HTTP request timeout.
302The default is "900" (15 minutes).
303<dt><a name="WebInterface"></a><b>WebInterface yes</b>
304<dd style="margin-left: 5.0em"><dt><b>WebInterface no</b>
305<dd style="margin-left: 5.0em">Specifies whether the web interface is enabled.
306The default is "No".
307</dl>
308<h3><a name="HTTP_METHOD_NAMES">Http Method Names</a></h3>
309The following HTTP methods are supported by
310<b>cupsd</b>(8):
311<dl class="man">
312<dt>GET
313<dd style="margin-left: 5.0em">Used by a client to download icons and other printer resources and to access the CUPS web interface.
314<dt>HEAD
315<dd style="margin-left: 5.0em">Used by a client to get the type, size, and modification date of resources.
316<dt>OPTIONS
317<dd style="margin-left: 5.0em">Used by a client to establish a secure (SSL/TLS) connection.
318<dt>POST
319<dd style="margin-left: 5.0em">Used by a client to submit IPP requests and HTML forms from the CUPS web interface.
320<dt>PUT
321<dd style="margin-left: 5.0em">Used by a client to upload configuration files.
322</dl>
323<h3><a name="IPP_OPERATION_NAMES">Ipp Operation Names</a></h3>
324The following IPP operations are supported by
325<b>cupsd</b>(8):
326<dl class="man">
327<dt>CUPS-Accept-Jobs
328<dd style="margin-left: 5.0em">Allows a printer to accept new jobs.
329<dt>CUPS-Add-Modify-Class
330<dd style="margin-left: 5.0em">Adds or modifies a printer class.
331<dt>CUPS-Add-Modify-Printer
332<dd style="margin-left: 5.0em">Adds or modifies a printer.
333<dt>CUPS-Authenticate-Job
334<dd style="margin-left: 5.0em">Releases a job that is held for authentication.
335<dt>CUPS-Delete-Class
336<dd style="margin-left: 5.0em">Deletes a printer class.
337<dt>CUPS-Delete-Printer
338<dd style="margin-left: 5.0em">Deletes a printer.
339<dt>CUPS-Get-Classes
340<dd style="margin-left: 5.0em">Gets a list of printer classes.
341<dt>CUPS-Get-Default
342<dd style="margin-left: 5.0em">Gets the server default printer or printer class.
343<dt>CUPS-Get-Devices
344<dd style="margin-left: 5.0em">Gets a list of devices that are currently available.
345<dt>CUPS-Get-Document
346<dd style="margin-left: 5.0em">Gets a document file for a job.
347<dt>CUPS-Get-PPD
348<dd style="margin-left: 5.0em">Gets a PPD file.
349<dt>CUPS-Get-PPDs
350<dd style="margin-left: 5.0em">Gets a list of installed PPD files.
351<dt>CUPS-Get-Printers
352<dd style="margin-left: 5.0em">Gets a list of printers.
353<dt>CUPS-Move-Job
354<dd style="margin-left: 5.0em">Moves a job.
355<dt>CUPS-Reject-Jobs
356<dd style="margin-left: 5.0em">Prevents a printer from accepting new jobs.
357<dt>CUPS-Set-Default
358<dd style="margin-left: 5.0em">Sets the server default printer or printer class.
359<dt>Cancel-Job
360<dd style="margin-left: 5.0em">Cancels a job.
361<dt>Cancel-Jobs
362<dd style="margin-left: 5.0em">Cancels one or more jobs.
363<dt>Cancel-My-Jobs
364<dd style="margin-left: 5.0em">Cancels one or more jobs creates by a user.
365<dt>Cancel-Subscription
366<dd style="margin-left: 5.0em">Cancels a subscription.
367<dt>Close-Job
368<dd style="margin-left: 5.0em">Closes a job that is waiting for more documents.
369<dt>Create-Job
370<dd style="margin-left: 5.0em">Creates a new job with no documents.
371<dt>Create-Job-Subscriptions
372<dd style="margin-left: 5.0em">Creates a subscription for job events.
373<dt>Create-Printer-Subscriptions
374<dd style="margin-left: 5.0em">Creates a subscription for printer events.
375<dt>Get-Job-Attributes
376<dd style="margin-left: 5.0em">Gets information about a job.
377<dt>Get-Jobs
378<dd style="margin-left: 5.0em">Gets a list of jobs.
379<dt>Get-Notifications
380<dd style="margin-left: 5.0em">Gets a list of event notifications for a subscription.
381<dt>Get-Printer-Attributes
382<dd style="margin-left: 5.0em">Gets information about a printer or printer class.
383<dt>Get-Subscription-Attributes
384<dd style="margin-left: 5.0em">Gets information about a subscription.
385<dt>Get-Subscriptions
386<dd style="margin-left: 5.0em">Gets a list of subscriptions.
387<dt>Hold-Job
388<dd style="margin-left: 5.0em">Holds a job from printing.
389<dt>Hold-New-Jobs
390<dd style="margin-left: 5.0em">Holds all new jobs from printing.
391<dt>Pause-Printer
392<dd style="margin-left: 5.0em">Stops processing of jobs by a printer or printer class.
393<dt>Pause-Printer-After-Current-Job
394<dd style="margin-left: 5.0em">Stops processing of jobs by a printer or printer class after the current job is finished.
395<dt>Print-Job
396<dd style="margin-left: 5.0em">Creates a new job with a single document.
397<dt>Purge-Jobs
398<dd style="margin-left: 5.0em">Cancels one or more jobs and deletes the job history.
399<dt>Release-Held-New-Jobs
400<dd style="margin-left: 5.0em">Allows previously held jobs to print.
401<dt>Release-Job
402<dd style="margin-left: 5.0em">Allows a job to print.
403<dt>Renew-Subscription
404<dd style="margin-left: 5.0em">Renews a subscription.
405<dt>Restart-Job
406<dd style="margin-left: 5.0em">Reprints a job, if possible.
407<dt>Send-Document
408<dd style="margin-left: 5.0em">Adds a document to a job.
409<dt>Set-Job-Attributes
410<dd style="margin-left: 5.0em">Changes job information.
411<dt>Set-Printer-Attributes
412<dd style="margin-left: 5.0em">Changes printer or printer class information.
413<dt>Validate-Job
414<dd style="margin-left: 5.0em">Validates options for a new job.
415</dl>
416<h3><a name="LOCATION_PATHS">Location Paths</a></h3>
417The following paths are commonly used when configuring
418<b>cupsd</b>(8):
419<dl class="man">
420<dt>/
421<dd style="margin-left: 5.0em">The path for all get operations (get-printers, get-jobs, etc.)
422<dt>/admin
423<dd style="margin-left: 5.0em">The path for all administration operations (add-printer, delete-printer, start-printer, etc.)
424<dt>/admin/conf
425<dd style="margin-left: 5.0em">The path for access to the CUPS configuration files (cupsd.conf, client.conf, etc.)
426<dt>/admin/log
427<dd style="margin-left: 5.0em">The path for access to the CUPS log files (access_log, error_log, page_log)
428<dt>/classes
429<dd style="margin-left: 5.0em">The path for all printer classes
430<dt>/classes/name
431<dd style="margin-left: 5.0em">The resource for the named printer class
432<dt>/jobs
433<dd style="margin-left: 5.0em">The path for all jobs (hold-job, release-job, etc.)
434<dt>/jobs/id
435<dd style="margin-left: 5.0em">The path for the specified job
436<dt>/printers
437<dd style="margin-left: 5.0em">The path for all printers
438<dt>/printers/name
439<dd style="margin-left: 5.0em">The path for the named printer
440<dt>/printers/name.png
441<dd style="margin-left: 5.0em">The icon file path for the named printer
442<dt>/printers/name.ppd
443<dd style="margin-left: 5.0em">The PPD file path for the named printer
444</dl>
445<h3><a name="DIRECTIVES_VALID_WITHIN_LOCATION_AND_LIMIT_SECTIONS">Directives Valid Within Location And Limit Sections</a></h3>
446The following directives may be placed inside Location and Limit sections in the <b>cupsd.conf</b> file:
447<dl class="man">
448<dt><b>Allow all</b>
449<dd style="margin-left: 5.0em"><dt><b>Allow none</b>
450<dd style="margin-left: 5.0em"><dt><b>Allow </b><i>host.domain.com</i>
451<dd style="margin-left: 5.0em"><dt><b>Allow *.</b><i>domain.com</i>
452<dd style="margin-left: 5.0em"><dt><b>Allow </b><i>ipv4-address</i>
453<dd style="margin-left: 5.0em"><dt><b>Allow </b><i>ipv4-address</i><b>/</b><i>netmask</i>
454<dd style="margin-left: 5.0em"><dt><b>Allow </b><i>ipv4-address</i><b>/</b><i>mm</i>
455<dd style="margin-left: 5.0em"><dt><b>Allow [</b><i>ipv6-address</i><b>]</b>
456<dd style="margin-left: 5.0em"><dt><b>Allow [</b><i>ipv6-address</i><b>]/</b><i>mm</i>
457<dd style="margin-left: 5.0em"><dt><b>Allow @IF(</b><i>name</i><b>)</b>
458<dd style="margin-left: 5.0em"><dt><b>Allow @LOCAL</b>
459<dd style="margin-left: 5.0em">Allows access from the named hosts, domains, addresses, or interfaces.
460The @IF(name) form uses the current subnets configured for the named interface.
461The @LOCAL form uses the current subnets configured for all interfaces that are not point-to-point, for example Ethernet and Wi-Fi interfaces are used but DSL and VPN interfaces are not.
462The Order directive controls whether Allow lines are evaluated before or after Deny lines.
463<dt><b>AuthType None</b>
464<dd style="margin-left: 5.0em"><dt><b>AuthType Basic</b>
465<dd style="margin-left: 5.0em"><dt><b>AuthType Default</b>
466<dd style="margin-left: 5.0em"><dt><b>AuthType Negotiate</b>
467<dd style="margin-left: 5.0em">Specifies the type of authentication required.
468The value "Default" corresponds to the DefaultAuthType value.
469<dt><b>Deny all</b>
470<dd style="margin-left: 5.0em"><dt><b>Deny none</b>
471<dd style="margin-left: 5.0em"><dt><b>Deny </b><i>host.domain.com</i>
472<dd style="margin-left: 5.0em"><dt><b>Deny *.</b><i>domain.com</i>
473<dd style="margin-left: 5.0em"><dt><b>Deny </b><i>ipv4-address</i>
474<dd style="margin-left: 5.0em"><dt><b>Deny </b><i>ipv4-address</i><b>/</b><i>netmask</i>
475<dd style="margin-left: 5.0em"><dt><b>Deny </b><i>ipv4-address</i><b>/</b><i>mm</i>
476<dd style="margin-left: 5.0em"><dt><b>Deny [</b><i>ipv6-address</i><b>]</b>
477<dd style="margin-left: 5.0em"><dt><b>Deny [</b><i>ipv6-address</i><b>]/</b><i>mm</i>
478<dd style="margin-left: 5.0em"><dt><b>Deny @IF(</b><i>name</i><b>)</b>
479<dd style="margin-left: 5.0em"><dt><b>Deny @LOCAL</b>
480<dd style="margin-left: 5.0em">Denies access from the named hosts, domains, addresses, or interfaces.
481The @IF(name) form uses the current subnets configured for the named interface.
482The @LOCAL form uses the current subnets configured for all interfaces that are not point-to-point, for example Ethernet and Wi-Fi interfaces are used but DSL and VPN interfaces are not.
483The Order directive controls whether Deny lines are evaluated before or after Allow lines.
484<dt><b>Encryption IfRequested</b>
485<dd style="margin-left: 5.0em"><dt><b>Encryption Never</b>
486<dd style="margin-left: 5.0em"><dt><b>Encryption Required</b>
487<dd style="margin-left: 5.0em">Specifies the level of encryption that is required for a particular location.
488The default value is "IfRequested".
489<dt><b>Order allow,deny</b>
490<dd style="margin-left: 5.0em">Specifies that access is denied by default. Allow lines are then processed followed by Deny lines to determine whether a client may access a particular resource.
491<dt><b>Order deny,allow</b>
492<dd style="margin-left: 5.0em">Specifies that access is allowed by default. Deny lines are then processed followed by Allow lines to determine whether a client may access a particular resource.
493<dt><b>Require group </b><i>group-name </i>[ <i>group-name </i>... ]
494<dd style="margin-left: 5.0em">Specifies that an authenticated user must be a member of one of the named groups.
495<dt><b>Require user {</b><i>user-name</i>|<b>@</b><i>group-name</i>} ...
496<dd style="margin-left: 5.0em">Specifies that an authenticated user must match one of the named users or be a member of one of the named groups.
497The group name "@SYSTEM" corresponds to the list of groups defined by the SystemGroup directive in the
498<b>cups-files.conf</b>(5)
499file.
500The group name "@OWNER" corresponds to the owner of the resource, for example the person that submitted a print job.
501Note: The 'root' user is not special and must be granted privileges like any other user account.
502<dt><b>Require valid-user</b>
503<dd style="margin-left: 5.0em">Specifies that any authenticated user is acceptable.
504<dt><b>Satisfy all</b>
505<dd style="margin-left: 5.0em">Specifies that all Allow, AuthType, Deny, Order, and Require conditions must be satisfied to allow access.
506<dt><b>Satisfy any</b>
507<dd style="margin-left: 5.0em">Specifies that any a client may access a resource if either the authentication (AuthType/Require) or address (Allow/Deny/Order) conditions are satisfied.
508For example, this can be used to require authentication only for remote accesses.
509</dl>
510<h3><a name="DIRECTIVES_VALID_WITHIN_POLICY_SECTIONS">Directives Valid Within Policy Sections</a></h3>
511The following directives may be placed inside Policy sections in the <b>cupsd.conf</b> file:
512<dl class="man">
513<dt><b>JobPrivateAccess all</b>
514<dd style="margin-left: 5.0em"><dt><b>JobPrivateAccess default</b>
515<dd style="margin-left: 5.0em"><dt><b>JobPrivateAccess </b>{<i>user</i>|<b>@</b><i>group</i>|<b>@ACL</b>|<b>@OWNER</b>|<b>@SYSTEM</b>} ...
516<dd style="margin-left: 5.0em">Specifies an access list for a job's private values.
517The "default" access list is "@OWNER @SYSTEM".
518"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
519"@OWNER" maps to the job's owner.
520"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
521<b>cups-files.conf</b>(5)
522file.
523<dt><b>JobPrivateValues all</b>
524<dd style="margin-left: 5.0em"><dt><b>JobPrivateValues default</b>
525<dd style="margin-left: 5.0em"><dt><b>JobPrivateValues none</b>
526<dd style="margin-left: 5.0em"><dt><b>JobPrivateValues </b><i>attribute-name </i>[ ... <i>attribute-name </i>]
527<dd style="margin-left: 5.0em">Specifies the list of job values to make private.
528The "default" values are "job-name", "job-originating-host-name", "job-originating-user-name", and "phone".
529<dt><b>SubscriptionPrivateAccess all</b>
530<dd style="margin-left: 5.0em"><dt><b>SubscriptionPrivateAccess default</b>
531<dd style="margin-left: 5.0em"><dt><b>SubscriptionPrivateAccess </b>{<i>user</i>|<b>@</b><i>group</i>|<b>@ACL</b>|<b>@OWNER</b>|<b>@SYSTEM</b>} ...
532<dd style="margin-left: 5.0em">Specifies an access list for a subscription's private values.
533The "default" access list is "@OWNER @SYSTEM".
534"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
535"@OWNER" maps to the job's owner.
536"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
537<b>cups-files.conf</b>(5)
538file.
539<dt><b>SubscriptionPrivateValues all</b>
540<dd style="margin-left: 5.0em"><dt><b>SubscriptionPrivateValues default</b>
541<dd style="margin-left: 5.0em"><dt><b>SubscriptionPrivateValues none</b>
542<dd style="margin-left: 5.0em"><dt><b>SubscriptionPrivateValues </b><i>attribute-name </i>[ ... <i>attribute-name </i>]
543<dd style="margin-left: 5.0em">Specifies the list of subscription values to make private.
544The "default" values are "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data".
545</dl>
546<h3><a name="DEPRECATED_DIRECTIVES">Deprecated Directives</a></h3>
547The following directives are deprecated and will be removed in a future release of CUPS:
548<dl class="man">
549<dt><a name="Classification"></a><b>Classification </b><i>banner</i>
550<dd style="margin-left: 5.0em"><br>
551Specifies the security classification of the server.
552Any valid banner name can be used, including "classified", "confidential", "secret", "topsecret", and "unclassified", or the banner can be omitted to disable secure printing functions.
553The default is no classification banner.
554<dt><a name="ClassifyOverride"></a><b>ClassifyOverride Yes</b>
555<dd style="margin-left: 5.0em"><dt><b>ClassifyOverride No</b>
556<dd style="margin-left: 5.0em"><br>
557Specifies whether users may override the classification (cover page) of individual print jobs using the "job-sheets" option.
558The default is "No".
559<dt><a name="PageLogFormat"></a><b>PageLogFormat </b><i>format-string</i>
560<dd style="margin-left: 5.0em">Specifies the format of PageLog lines.
561Sequences beginning with percent (%) characters are replaced with the corresponding information, while all other characters are copied literally.
562The following percent sequences are recognized:
563<pre class="man">
564
565    "%%" inserts a single percent character.
566    "%{name}" inserts the value of the specified IPP attribute.
567    "%C" inserts the number of copies for the current page.
568    "%P" inserts the current page number.
569    "%T" inserts the current date and time in common log format.
570    "%j" inserts the job ID.
571    "%p" inserts the printer name.
572    "%u" inserts the username.
573
574</pre>
575The default is the empty string, which disables page logging.
576The string "%p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}" creates a page log with the standard items.
577Use "%{job-impressions-completed}" to insert the number of pages (sides) that were printed, or "%{job-media-sheets-completed}" to insert the number of sheets that were printed.
578<dt><a name="RIPCache"></a><b>RIPCache </b><i>size</i>
579<dd style="margin-left: 5.0em">Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.
580The default is "128m".
581</dl>
582<h2 class="title"><a name="NOTES">Notes</a></h2>
583File, directory, and user configuration directives that used to be allowed in the <b>cupsd.conf</b> file are now stored in the
584<b>cups-files.conf</b>(5)
585file instead in order to prevent certain types of privilege escalation attacks.
586<p>The scheduler MUST be restarted manually after making changes to the <b>cupsd.conf</b> file.
587On Linux this is typically done using the
588<b>systemctl</b>(8)
589command, while on macOS the
590<b>launchctl</b>(8)
591command is used instead.
592<p>The @LOCAL macro name can be confusing since the system running
593<b>cupsd</b>
594often belongs to a different set of subnets from its clients.
595<h2 class="title"><a name="CONFORMING_TO">Conforming To</a></h2>
596The <b>cupsd.conf</b> file format is based on the Apache HTTP Server configuration file format.
597<h2 class="title"><a name="EXAMPLES">Examples</a></h2>
598Log everything with a maximum log file size of 32 megabytes:
599<pre class="man">
600
601    AccessLogLevel all
602    LogLevel debug2
603    MaxLogSize 32m
604
605</pre>
606Require authentication for accesses from outside the 10. network:
607<pre class="man">
608
609    &lt;Location />
610    Order allow,deny
611    Allow from 10./8
612    AuthType Basic
613    Require valid-user
614    Satisfy any
615    &lt;/Location>
616</pre>
617<h2 class="title"><a name="SEE_ALSO">See Also</a></h2>
618<b>classes.conf</b>(5),
619<b>cups-files.conf</b>(5),
620<b>cupsd</b>(8),
621<b>mime.convs</b>(5),
622<b>mime.types</b>(5),
623<b>printers.conf</b>(5),
624<b>subscriptions.conf</b>(5),
625CUPS Online Help (<a href="http://localhost:631/help">http://localhost:631/help</a>)
626<h2 class="title"><a name="COPYRIGHT">Copyright</a></h2>
627Copyright &copy; 2007-2019 by Apple Inc.
628
629</body>
630</html>
631