# CUPS web interface gives 403 Forbidden



## JohnLWebb (Apr 29, 2009)

I have followed the instructions for installing CUPS exactly as they are indicated in the handbook. When I get to the step indicating I can browse to the web based interface, it gives me a 403 Forbidden error. I am attempting to access the web based interface from another workstation since the server is only intended to be a print server. It has no window managers configured. (http://x.x.x.x:631)

Any help would be great. Even a push in the right direction...

The error_log indicates that no authentication data was provided;

from error_log

```
D [29/Apr/2009:14:08:04 -0500] cupsdAuthorize: No authentication data provided.
D [29/Apr/2009:14:08:04 -0500] cupsdSendError: 10 code=403 (Forbidden)
```

My cupsd.conf file is unchanged from the default except for adding the following line;

```
Listen 192.168.1.2:631
```


```
#
# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

# Administrator user group...
SystemGroup wheel


# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Encryption Required
  Order allow,deny
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#
```

I did the following tasks indicated by the install output;


```
1) Add following to /etc/devfs.rules (create if it doesn't exist):

[system=10]
add path 'unlpt*' mode 0660 group cups
add path 'ulpt*' mode 0660 group cups
add path 'lpt*' mode 0660 group cups

2) And following to /etc/rc.conf:

devfs_system_ruleset="system"

3) Restart devfs: /etc/rc.d/devfs restart
```


----------



## Maurovale (Apr 29, 2009)

You can't access cups from another workstation because you have this line defined:

```
Listen localhost:631
```

You need to configure cups to listen on your external or LAN interface.


----------



## JohnLWebb (Apr 29, 2009)

I changed my cupsd.conf in the following manner and still get the same problem;

```
# Only listen for connections from the local machine.
#Listen localhost:631
Listen 192.168.1.2:631
Listen /var/run/cups.sock
```


----------



## anomie (Apr 29, 2009)

Either change

```
DefaultAuthType Basic
```

to:

```
DefaultAuthType None
```

... or make that decision on a Location-by-Location basis.

---

edit: I might have goofed on the syntax for that. It looks like you may need to do this at the Location level, e.g.: 


```
<Location /admin/conf>
  AuthType None
  Require user @SYSTEM
  Order allow,deny
</Location>
```

I'm also unsure about that Order directive. Standard rule processing makes me think that you will still be denied, and may in fact need: 


```
<Location /admin/conf>
  AuthType None
  Require user @SYSTEM
  Order allow,deny
  Allow from your.net.here/24
</Location>
```

But you can test that for yourself.


----------



## Maurovale (Apr 29, 2009)

Please don't forget to restart cupsd after the changes.

Did it work?


----------



## JohnLWebb (Apr 29, 2009)

No, sorry, still not working but things look a little different;

It's not showing the error in the error_log any more. I am still getting 403 Forbidden in the browser though...

I have been doing the cupsd restart;

```
/usr/local/etc/rc.d/cupsd restart
```

I changed <Location /admin/conf>

My new cupsd.conf


```
#
# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

# Administrator user group...
SystemGroup wheel


# Only listen for connections from the local machine.
#Listen localhost:631
#Listen 127.0.0.1:631
Listen 192.168.1.2:631
Listen /var/run/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all

# Default authentication type, when authentication is required...
DefaultAuthType None

# Restrict access to the server...
<Location />
  Order allow,deny
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Encryption Required
  Order allow,deny
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType None
  Require user @SYSTEM
  Order allow,deny
  Allow 192.168.1.0/24
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#
```


----------



## anomie (Apr 29, 2009)

FYI, you can set *LogLevel debug* to get more verbose logging. 

It's possible we just didn't hit the right directory. If you are no longer seeing messages about authentication, then try: 

```
<Location />
  Order allow,deny
  Allow 192.168.1.0/24
</Location>
```

Then reload cupsd. If it still doesn't work, try cranking up the LogLevel and capturing more info. It would be good to know which directory your browser is trying to access (as reported by cupsd).


----------



## JohnLWebb (Apr 29, 2009)

I changed the LogLevel back to debug so I am getting the messages now. Sorry, I changed it back to info when I replaced the file.

the error_log looks like this;


```
I [29/Apr/2009:16:51:09 -0500] Scheduler shutting down normally.
I [29/Apr/2009:16:51:09 -0500] Saving job cache file "/var/cache/cups/job.cache"...
I [29/Apr/2009:16:51:11 -0500] Listening to 192.168.1.2:631 (IPv4)
I [29/Apr/2009:16:51:11 -0500] Listening to /var/run/cups.sock (Domain)
I [29/Apr/2009:16:51:11 -0500] Loaded configuration file "/usr/local/etc/cups/cupsd.conf"
I [29/Apr/2009:16:51:11 -0500] Using default TempDir of /var/spool/cups/tmp...
I [29/Apr/2009:16:51:11 -0500] Configured for up to 100 clients.
I [29/Apr/2009:16:51:11 -0500] Allowing up to 100 client connections per host.
I [29/Apr/2009:16:51:11 -0500] Using policy "default" as the default!
I [29/Apr/2009:16:51:11 -0500] Full reload is required.
I [29/Apr/2009:16:51:11 -0500] Loaded MIME database from '/usr/local/etc/cups': 35 types, 38 filters...
I [29/Apr/2009:16:51:11 -0500] Loading job cache file "/var/cache/cups/job.cache"...
I [29/Apr/2009:16:51:11 -0500] Full reload complete.
I [29/Apr/2009:16:51:11 -0500] Cleaning out old temporary files in "/var/spool/cups/tmp"...
I [29/Apr/2009:16:51:12 -0500] Listening to 192.168.1.2:631 on fd 3...
I [29/Apr/2009:16:51:12 -0500] Listening to /var/run/cups.sock on fd 4...
I [29/Apr/2009:16:51:12 -0500] Resuming new connection processing...
D [29/Apr/2009:16:51:12 -0500] Discarding unused server-started event...
D [29/Apr/2009:16:51:13 -0500] Report: clients=0
D [29/Apr/2009:16:51:13 -0500] Report: jobs=0
D [29/Apr/2009:16:51:13 -0500] Report: jobs-active=0
D [29/Apr/2009:16:51:13 -0500] Report: printers=0
D [29/Apr/2009:16:51:13 -0500] Report: printers-implicit=0
D [29/Apr/2009:16:51:13 -0500] Report: stringpool-string-count=164
D [29/Apr/2009:16:51:13 -0500] Report: stringpool-alloc-bytes=4928
D [29/Apr/2009:16:51:13 -0500] Report: stringpool-total-bytes=3720
D [29/Apr/2009:16:51:17 -0500] cupsdAcceptClient: 8 from 192.168.1.100:631 (IPv4)
D [29/Apr/2009:16:51:17 -0500] cupsdReadClient: 8 GET / HTTTP/1.1
D [29/Apr/2009:16:51:17 -0500] cupsdAuthorize: No authentication data provided.
D [29/Apr/2009:16:51:17 -0500] cupsdSendError: 8 code=403 (Forbidden)
D [29/Apr/2009:16:51:17 -0500] cupsdCloseClient: 8
D [29/Apr/2009:16:51:17 -0500] cupsdAcceptClient: 8 from 192.168.1.100:631 (IPv4)
D [29/Apr/2009:16:51:17 -0500] cupsdReadClient: 8 GET /cups.css HTTTP/1.1
D [29/Apr/2009:16:51:17 -0500] cupsdAuthorize: No authentication data provided.
D [29/Apr/2009:16:51:17 -0500] cupsdSendError: 8 code=403 (Forbidden)
D [29/Apr/2009:16:51:17 -0500] cupsdCloseClient: 8
```


----------



## JohnLWebb (Apr 29, 2009)

Ok, I changed the Location and now I am getting the web based interface to load in the browser.



```
<Location />
  Order allow,deny
  Allow 192.168.1.0/24
</Location>
```

Thanks a lot. Now I will resume attempting to configure the printing capabilities.


----------
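An added example, not part of any post in this thread and not CUPS code: a small Python model of the host-based `Order`/`Allow`/`Deny` check, showing why the stock `<Location />` refused 192.168.1.100 and why the `Allow 192.168.1.0/24` line changed the result. It handles only IP/CIDR values and `all`; the function names, the default for a missing `Order`, the fail-closed case and the always-admit-loopback rule are assumptions of this example.

```python
import ipaddress
import re

# Constructed samples: stock Location blocks from the thread, then the fix.
DEFAULT_CONF = """
<Location />
  Order allow,deny
</Location>
<Location /admin>
  Encryption Required
  Order allow,deny
</Location>
"""
FIXED_CONF = DEFAULT_CONF.replace(
    "Order allow,deny", "Order allow,deny\n  Allow 192.168.1.0/24", 1)

def parse_locations(conf):
    """Map each Location path to its Order and Allow/Deny networks."""
    locations = {}
    for path, body in re.findall(r"<Location\s+(\S+)>(.*?)</Location>", conf, re.S):
        loc = {"order": "allow,deny", "allow": [], "deny": []}  # assumed default
        for line in body.splitlines():
            words = line.split("#")[0].split()
            if not words:
                continue
            key = words[0].lower()
            if key == "order":
                loc["order"] = words[1].lower()
            elif key in ("allow", "deny"):
                target = words[-1].lower()  # "Allow x" or "Allow from x"
                net = "0.0.0.0/0" if target == "all" else target
                loc[key].append(ipaddress.ip_network(net, strict=False))
        locations[path] = loc
    return locations

def host_allowed(conf, client_ip, uri):
    """Host-ACL verdict only; AuthType/Require are not modelled."""
    ip = ipaddress.ip_address(client_ip)
    if ip.is_loopback:  # modelling assumption: localhost is always admitted
        return True
    locations = parse_locations(conf)
    matches = [p for p in locations if uri.startswith(p)]
    if not matches:
        return False  # assumption: fail closed when no Location applies
    best = locations[max(matches, key=len)]  # longest matching prefix wins
    hit_allow = any(ip in n for n in best["allow"])
    hit_deny = any(ip in n for n in best["deny"])
    if best["order"] == "allow,deny":  # default deny: Allow, then Deny
        return hit_allow and not hit_deny
    return hit_allow or not hit_deny  # deny,allow: default allow
```

In this model the fixed config still denies 192.168.1.100 on `/admin`, because the longer `<Location /admin>` match has no `Allow` line of its own.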

