.\"
-.\" "$Id: cupsd.conf.man.in 7002 2007-10-01 23:07:37Z mike $"
+.\" cupsd.conf man page for CUPS.
.\"
-.\" cupsd.conf man page for the Common UNIX Printing System (CUPS).
+.\" Copyright 2007-2018 by Apple Inc.
+.\" Copyright 1997-2006 by Easy Software Products.
.\"
-.\" Copyright 2007-2008 by Apple Inc.
-.\" Copyright 1997-2006 by Easy Software Products.
+.\" Licensed under Apache License v2.0. See the file "LICENSE" for more information.
.\"
-.\" These coded instructions, statements, and computer programs are the
-.\" property of Apple Inc. and are protected by Federal copyright
-.\" law. Distribution and use rights are outlined in the file "LICENSE.txt"
-.\" which should have been included with this file. If this file is
-.\" file is missing or damaged, see the license at "http://www.cups.org/".
-.\"
-.TH cupsd.conf 5 "Common UNIX Printing System" "2 January 2008" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "9 November 2017" "Apple Inc."
.SH NAME
cupsd.conf \- server configuration file for cups
.SH DESCRIPTION
-The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It
-is normally located in the \fI@CUPS_SERVERROOT@\fR directory.
+The
+.I cupsd.conf
+file configures the CUPS scheduler,
+.BR cupsd (8).
+It is normally located in the
+.I /etc/cups
+directory.
+\fBNote:\fR File, directory, and user configuration directives that used to be allowed in the \fBcupsd.conf\fR file are now stored in the
+.BR cups-files.conf (5)
+file instead in order to prevent certain types of privilege escalation attacks.
.LP
-Each line in the file can be a configuration directive, a blank line,
-or a comment. Comment lines start with the # character. The
-configuration directives are intentionally similar to those used by the
-popular Apache web server software and are described below.
-.SH DIRECTIVES
-The following directives are understood by \fIcupsd(8)\fR. Consult the
-on-line help for detailed descriptions:
+Each line in the file can be a configuration directive, a blank line, or a comment.
+Configuration directives typically consist of a name and zero or more values separated by whitespace.
+The configuration directive name and values are case-insensitive.
+Comment lines start with the # character.
+.SS TOP-LEVEL DIRECTIVES
+The following top-level directives are understood by
+.BR cupsd (8):
+.\"#AccessLogLevel
.TP 5
-AccessLog filename
+\fBAccessLogLevel config\fR
.TP 5
-AccessLog syslog
-.br
-Defines the access log filename.
+\fBAccessLogLevel actions\fR
.TP 5
-Allow all
+\fBAccessLogLevel all\fR
+Specifies the logging level for the AccessLog file.
+The "config" level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated.
+The "actions" level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for "config".
+The "all" level logs all requests.
+The default access log level is "actions".
+.\"#AutoPurgeJobs
.TP 5
-Allow none
+\fBAutoPurgeJobs Yes\fR
.TP 5
-Allow host.domain.com
+\fBAutoPurgeJobs No\fR
+.br
+Specifies whether to purge job history data automatically when it is no longer required for quotas.
+The default is "No".
+.\"#BrowseDNSSDSubTypes
.TP 5
-Allow *.domain.com
+.BI BrowseDNSSDSubTypes _subtype[,...]
+Specifies a list of Bonjour sub-types to advertise for each shared printer.
+For example, "BrowseDNSSDSubTypes _cups,_print" will tell network clients that both CUPS sharing and IPP Everywhere are supported.
+The default is "_cups" which is necessary for printer sharing to work between systems using CUPS.
+.\"#BrowseLocalProtocols
.TP 5
-Allow ip-address
+\fBBrowseLocalProtocols all\fR
.TP 5
-Allow ip-address/netmask
+\fBBrowseLocalProtocols dnssd\fR
.TP 5
-Allow ip-address/mm
+\fBBrowseLocalProtocols none\fR
+Specifies which protocols to use for local printer sharing.
+The default is "dnssd" on systems that support Bonjour and "none" otherwise.
+.\"#BrowseWebIF
.TP 5
-Allow @IF(name)
+\fBBrowseWebIF Yes\fR
.TP 5
-Allow @LOCAL
+\fBBrowseWebIF No\fR
.br
-Allows access from the named hosts or addresses.
+Specifies whether the CUPS web interface is advertised.
+The default is "No".
+.\"#Browsing
.TP 5
-AuthClass User
+\fBBrowsing Yes\fR
.TP 5
-AuthClass Group
-.TP 5
-AuthClass System
+\fBBrowsing No\fR
.br
-Specifies the authentication class (User, Group, System) -
-\fBthis directive is deprecated\fR.
+Specifies whether shared printers are advertised.
+The default is "No".
+.\"#DefaultAuthType
+.TP 5
+\fBDefaultAuthType Basic\fR
.TP 5
-AuthGroupName group-name
+\fBDefaultAuthType Negotiate\fR
.br
-Specifies the authentication group - \fBthis directive is
-deprecated\fR.
+Specifies the default type of authentication to use.
+The default is "Basic".
+.\"#DefaultEncryption
.TP 5
-AuthType None
+\fBDefaultEncryption Never\fR
.TP 5
-AuthType Basic
+\fBDefaultEncryption IfRequested\fR
.TP 5
-AuthType BasicDigest
+\fBDefaultEncryption Required\fR
+Specifies whether encryption will be used for authenticated requests.
+The default is "Required".
+.\"#DefaultLanguage
.TP 5
-AuthType Digest
+\fBDefaultLanguage \fIlocale\fR
+Specifies the default language to use for text and web content.
+The default is "en".
+.\"#DefaultPaperSize
.TP 5
-AuthType Negotiate
-.br
-Specifies the authentication type (None, Basic, BasicDigest, Digest, Negotiate)
+\fBDefaultPaperSize Auto\fR
.TP 5
-AutoPurgeJobs Yes
+\fBDefaultPaperSize None\fR
.TP 5
-AutoPurgeJobs No
-.br
-Specifies whether to purge job history data automatically when
-it is no longer required for quotas.
+\fBDefaultPaperSize \fIsizename\fR
+Specifies the default paper size for new print queues. "Auto" uses a locale-specific default, while "None" specifies there is no default paper size.
+Specific size names are typically "Letter" or "A4".
+The default is "Auto".
+.\"#DefaultPolicy
.TP 5
-BrowseAddress ip-address
+\fBDefaultPolicy \fIpolicy-name\fR
+Specifies the default access policy to use.
+The default access policy is "default".
+.\"#DefaultShared
.TP 5
-BrowseAddress @IF(name)
+\fBDefaultShared Yes\fR
.TP 5
-BrowseAddress @LOCAL
-.br
-Specifies a broadcast address for outgoing printer information packets.
+\fBDefaultShared No\fR
+Specifies whether local printers are shared by default.
+The default is "Yes".
+.\"#DirtyCleanInterval
+.TP 5
+\fBDirtyCleanInterval \fIseconds\fR
+Specifies the delay for updating of configuration and state files.
+A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds.
+The default value is "30".
+.\"#DNSSDHostName
+.TP 5
+.BI DNSSDHostName hostname.example.com
+Specifies the fully-qualified domain name for the server that is used for Bonjour sharing.
+The default is typically the server's ".local" hostname.
+.\"#ErrorPolicy
+.TP 5
+\fBErrorPolicy abort-job\fR
+Specifies that a failed print job should be aborted (discarded) unless otherwise specified for the printer.
+.TP 5
+\fBErrorPolicy retry-job\fR
+Specifies that a failed print job should be retried at a later time unless otherwise specified for the printer.
+.TP 5
+\fBErrorPolicy retry-this-job\fR
+Specifies that a failed print job should be retried immediately unless otherwise specified for the printer.
+.TP 5
+\fBErrorPolicy stop-printer\fR
+Specifies that a failed print job should stop the printer unless otherwise specified for the printer. The 'stop-printer' error policy is the default.
+.\"#FilterLimit
+.TP 5
+\fBFilterLimit \fIlimit\fR
+Specifies the maximum cost of filters that are run concurrently, which can be used to minimize disk, memory, and CPU resource problems.
+A limit of 0 disables filter limiting.
+An average print to a non-PostScript printer needs a filter limit of about 200.
+A PostScript printer needs about half that (100).
+Setting the limit below these thresholds will effectively limit the scheduler to printing a single job at any time.
+The default limit is "0".
+.\"#FilterNice
+.TP 5
+\fBFilterNice \fInice-value\fR
+Specifies the scheduling priority (
+.BR nice (8)
+value) of filters that are run to print a job.
+The nice value ranges from 0, the highest priority, to 19, the lowest priority.
+The default is 0.
+.\"#GSSServiceName
+.TP 5
+\fBGSSServiceName \fIname\fR
+Specifies the service name when using Kerberos authentication.
+The default service name is "http."
+.TP 5
+.\"#HostNameLookups
+\fBHostNameLookups On\fR
+.TP 5
+\fBHostNameLookups Off\fR
+.TP 5
+\fBHostNameLookups Double\fR
+Specifies whether to do reverse lookups on connecting clients.
+The "Double" setting causes
+.BR cupsd (8)
+to verify that the hostname resolved from the address matches one of the addresses returned for that hostname.
+Double lookups also prevent clients with unregistered addresses from connecting to your server.
+The default is "Off" to avoid the potential server performance problems with hostname lookups.
+Only set this option to "On" or "Double" if absolutely required.
+.\"#IdleExitTimeout
+.TP 5
+\fBIdleExitTimeout \fIseconds\fR
+Specifies the length of time to wait before shutting down due to inactivity.
+The default is "60" seconds.
+Note: Only applicable when
+.BR cupsd (8)
+is run on-demand (e.g., with \fB-l\fR).
+.\"#JobKillDelay
+.TP 5
+\fBJobKillDelay \fIseconds\fR
+Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job.
+The default is "30".
+.\"#JobRetryInterval
+.TP 5
+\fBJobRetryInterval \fIseconds\fR
+Specifies the interval between retries of jobs in seconds.
+This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
+The default is "30".
+.\"#JobRetryLimit
.TP 5
-BrowseAllow all
+\fBJobRetryLimit \fIcount\fR
+Specifies the number of retries that are done for jobs.
+This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
+The default is "5".
+.\"#KeepAlive
.TP 5
-BrowseAllow none
+\fBKeepAlive Yes\fR
.TP 5
-BrowseAllow host.domain.com
+\fBKeepAlive No\fR
+Specifies whether to support HTTP keep-alive connections.
+The default is "Yes".
+.\"#KeepAliveTimeout
.TP 5
-BrowseAllow *.domain.com
+\fBKeepAliveTimeout \fIseconds\fR
+Specifies how long an idle client connection remains open.
+The default is "30".
+.\"#LimitIPP
.TP 5
-BrowseAllow ip-address
+\fB<Limit \fIoperation \fR...\fB> \fR... \fB</Limit>\fR
+Specifies the IPP operations that are being limited inside a Policy section. IPP operation names are listed below in the section "IPP OPERATION NAMES".
+.\"#Limit
.TP 5
-BrowseAllow ip-address/netmask
+\fB<Limit \fImethod \fR...\fB> \fR... \fB</Limit>\fR
+.\"#LimitExcept
.TP 5
-BrowseAllow ip-address/mm
+\fB<LimitExcept \fImethod \fR...\fB> \fR... \fB</LimitExcept>\fR
+Specifies the HTTP methods that are being limited inside a Location section. HTTP method names are listed below in the section "HTTP METHOD NAMES".
+.\"#LimitRequestBody
.TP 5
-BrowseAllow @IF(name)
+\fBLimitRequestBody \fIsize\fR
+Specifies the maximum size of print files, IPP requests, and HTML form data.
+The default is "0" which disables the limit check.
+.\"#Listen
.TP 5
-BrowseAllow @LOCAL
-.br
-Allows incoming printer information packets from the named host or address.
+\fBListen \fIipv4-address\fB:\fIport\fR
.TP 5
-BrowseDeny all
+\fBListen [\fIipv6-address\fB]:\fIport\fR
.TP 5
-BrowseDeny none
+\fBListen *:\fIport\fR
.TP 5
-BrowseDeny host.domain.com
+\fBListen \fI/path/to/domain/socket\fR
+Listens to the specified address and port or domain socket path for connections.
+Multiple Listen directives can be provided to listen on multiple addresses.
+The Listen directive is similar to the Port directive but allows you to restrict access to specific interfaces or networks.
+.\"#ListenBackLog
.TP 5
-BrowseDeny *.domain.com
+\fBListenBackLog \fInumber\fR
+Specifies the number of pending connections that will be allowed.
+This normally only affects very busy servers that have reached the MaxClients limit, but can also be triggered by large numbers of simultaneous connections.
+When the limit is reached, the operating system will refuse additional connections until the scheduler can accept the pending ones.
+The default is the OS-defined default limit, typically either "5" for older operating systems or "128" for newer operating systems.
+.\"#Location
.TP 5
-BrowseDeny ip-address
+\fB<Location \fI/path\fB> \fR... \fB</Location>\fR
+Specifies access control for the named location.
+Paths are documented below in the section "LOCATION PATHS".
+.\"#LogDebugHistory
.TP 5
-BrowseDeny ip-address/netmask
+\fBLogDebugHistory \fInumber\fR
+Specifies the number of debugging messages that are retained for logging if an error occurs in a print job. Debug messages are logged regardless of the LogLevel setting.
+.\"#LogLevel
.TP 5
-BrowseDeny ip-address/mm
+\fBLogLevel \fRnone
.TP 5
-BrowseDeny @IF(name)
+\fBLogLevel \fRemerg
.TP 5
-BrowseDeny @LOCAL
-.br
-Denies incoming printer information packets from the named host or address.
+\fBLogLevel \fRalert
.TP 5
-BrowseInterval seconds
-.br
-Specifies the maximum interval between printer information broadcasts.
+\fBLogLevel \fRcrit
.TP 5
-BrowseOrder allow,deny
+\fBLogLevel \fRerror
.TP 5
-BrowseOrder deny,allow
-.br
-Specifies the order of printer information access control (allow,deny or deny,allow)
+\fBLogLevel \fRwarn
.TP 5
-BrowsePoll host-or-ip-address
-.br
-Specifies a server to poll for printer information.
+\fBLogLevel \fRnotice
.TP 5
-BrowsePort port
-.br
-Specifies the port to listen to for printer information packets.
+\fBLogLevel \fRinfo
.TP 5
-BrowseProtocols [All] [CUPS] [DNSSD] [LDAP] [SLP]
-.br
-Specifies the protocols to use for printer browsing.
+\fBLogLevel \fRdebug
.TP 5
-BrowseLocalProtocols [All] [CUPS] [DNSSD] [LDAP] [SLP]
-.br
-Specifies the protocols to use for local printer browsing.
+\fBLogLevel \fRdebug2
+Specifies the level of logging for the ErrorLog file.
+The value "none" stops all logging while "debug2" logs everything.
+The default is "warn".
+.\"#LogTimeFormat
.TP 5
-BrowseRemoteProtocols [All] [CUPS] [DNSSD] [LDAP] [SLP]
-.br
-Specifies the protocols to use for remote printer browsing.
+\fBLogTimeFormat \fRstandard
.TP 5
-BrowseRelay from-address to-address
-.br
-Specifies that printer information packets should be relayed from one host or
-network to another.
+\fBLogTimeFormat \fRusecs
+Specifies the format of the date and time in the log files.
+The value "standard" is the default and logs whole seconds while "usecs" logs microseconds.
+.\"#MaxClients
.TP 5
-BrowseShortNames Yes
+\fBMaxClients \fInumber\fR
+Specifies the maximum number of simultaneous clients that are allowed by the scheduler.
+The default is "100".
+.\"#MaxClientPerHost
.TP 5
-BrowseShortNames No
-.br
-Specifies whether remote printers will use short names ("printer") or not
-("printer@server"). This option is ignored if more than one remote printer
-exists with the same name.
+\fBMaxClientsPerHost \fInumber\fR
+Specifies the maximum number of simultaneous clients that are allowed from a
+single address.
+The default is the MaxClients value.
+.\"#MaxCopies
.TP 5
-BrowseTimeout seconds
-.br
-Specifies the maximum interval between printer information updates before
-remote printers will be removed from the list of available printers.
+\fBMaxCopies \fInumber\fR
+Specifies the maximum number of copies that a user can print of each job.
+The default is "9999".
+.\"#MaxHoldTime
+.TP 5
+\fBMaxHoldTime \fIseconds\fR
+Specifies the maximum time a job may remain in the "indefinite" hold state before it is canceled.
+The default is "0" which disables cancellation of held jobs.
+.\"#MaxJobs
+.TP 5
+\fBMaxJobs \fInumber\fR
+Specifies the maximum number of simultaneous jobs that are allowed.
+Set to "0" to allow an unlimited number of jobs.
+The default is "500".
+.\"#MaxJobsPerPrinter
+.TP 5
+\fBMaxJobsPerPrinter \fInumber\fR
+Specifies the maximum number of simultaneous jobs that are allowed per printer.
+The default is "0" which allows up to MaxJobs jobs per printer.
+.\"#MaxJobsPerUser
+.TP 5
+\fBMaxJobsPerUser \fInumber\fR
+Specifies the maximum number of simultaneous jobs that are allowed per user.
+The default is "0" which allows up to MaxJobs jobs per user.
+.\"#MaxJobTime
+.TP 5
+\fBMaxJobTime \fIseconds\fR
+Specifies the maximum time a job may take to print before it is canceled.
+Set to "0" to disable cancellation of "stuck" jobs.
+The default is "10800" (3 hours).
+.\"#MaxLogSize
+.TP 5
+\fBMaxLogSize \fIsize\fR
+Specifies the maximum size of the log files before they are rotated.
+The value "0" disables log rotation.
+The default is "1048576" (1MB).
+.\"#MultipleOperationTimeout
+.TP 5
+\fBMultipleOperationTimeout \fIseconds\fR
+Specifies the maximum amount of time to allow between files in a multiple file print job.
+The default is "300" (5 minutes).
+.\"#PassEnv
+.TP 5
+\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
+Passes the specified environment variable(s) to child processes.
+.\"#Policy
.TP 5
-Browsing Yes
+\fB<Policy \fIname\fB> \fR... \fB</Policy>\fR
+Specifies access control for the named policy.
+.\"#Port
.TP 5
-Browsing No
-.br
-Specifies whether or not remote printer browsing should be enabled.
+\fBPort \fInumber\fR
+Listens to the specified port number for connections.
+.\"#PreserveJobFiles
.TP 5
-Classification banner
-.br
-Specifies the security classification of the server.
+\fBPreserveJobFiles Yes\fR
.TP 5
-ClassifyOverride Yes
+\fBPreserveJobFiles No\fR
.TP 5
-ClassifyOverride No
-.br
-Specifies whether to allow users to override the classification
-of individual print jobs.
+\fBPreserveJobFiles \fIseconds\fR
+Specifies whether job files (documents) are preserved after a job is printed.
+If a numeric value is specified, job files are preserved for the indicated number of seconds after printing.
+The default is "86400" (preserve 1 day).
+.\"#PreserveJobHistory
.TP 5
-ConfigFilePerm mode
-.br
-Specifies the permissions for all configuration files that the scheduler
-writes.
+\fBPreserveJobHistory Yes\fR
.TP 5
-DataDir path
-.br
-Specified the directory where data files can be found.
+\fBPreserveJobHistory No\fR
.TP 5
-DefaultAuthType Basic
+\fBPreserveJobHistory \fIseconds\fR
+Specifies whether the job history is preserved after a job is printed.
+If a numeric value is specified, the job history is preserved for the indicated number of seconds after printing.
+If "Yes", the job history is preserved until the MaxJobs limit is reached.
+The default is "Yes".
+.\"#ReloadTimeout
.TP 5
-DefaultAuthType BasicDigest
+\fBReloadTimeout \fIseconds\fR
+Specifies the amount of time to wait for job completion before restarting the scheduler.
+The default is "30".
+.\"#ServerAdmin
.TP 5
-DefaultAuthType Digest
+\fBServerAdmin \fIemail-address\fR
+Specifies the email address of the server administrator.
+The default value is "root@ServerName".
+.\"#ServerAlias
.TP 5
-DefaultAuthType Negotiate
-.br
-Specifies the default type of authentication to use.
+\fBServerAlias \fIhostname \fR[ ... \fIhostname \fR]
.TP 5
-DefaultCharset charset
-.br
-Specifies the default character set to use for text.
+\fBServerAlias *\fR
+The ServerAlias directive is used for HTTP Host header validation when clients connect to the scheduler from external interfaces.
+Using the special name "*" can expose your system to known browser-based DNS rebinding attacks, even when accessing sites through a firewall.
+If the auto-discovery of alternate names does not work, we recommend listing each alternate name with a ServerAlias directive instead of using "*".
+.\"#ServerName
.TP 5
-DefaultLanguage locale
-.br
-Specifies the default language to use for text and web content.
+\fBServerName \fIhostname\fR
+Specifies the fully-qualified hostname of the server.
+The default is the value reported by the
+.BR hostname (1)
+command.
+.\"#ServerTokens
.TP 5
-DefaultPolicy policy-name
-.br
-Specifies the default access policy to use.
+\fBServerTokens None\fR
.TP 5
-DefaultShared Yes
+\fBServerTokens ProductOnly\fR
.TP 5
-DefaultShared No
-.br
-Specifies whether local printers are shared by default.
+\fBServerTokens Major\fR
.TP 5
-Deny all
+\fBServerTokens Minor\fR
.TP 5
-Deny none
+\fBServerTokens Minimal\fR
.TP 5
-Deny host.domain.com
+\fBServerTokens OS\fR
.TP 5
-Deny *.domain.com
+\fBServerTokens Full\fR
+Specifies what information is included in the Server header of HTTP responses.
+"None" disables the Server header.
+"ProductOnly" reports "CUPS".
+"Major" reports "CUPS 2".
+"Minor" reports "CUPS 2.0".
+"Minimal" reports "CUPS 2.0.0".
+"OS" reports "CUPS 2.0.0 (UNAME)" where UNAME is the output of the
+.BR uname (1)
+command.
+"Full" reports "CUPS 2.0.0 (UNAME) IPP/2.0".
+The default is "Minimal".
+.\"#SetEnv
.TP 5
-Deny ip-address
+\fBSetEnv \fIvariable value\fR
+Set the specified environment variable to be passed to child processes.
+.\"#SSLListen
.TP 5
-Deny ip-address/netmask
+\fBSSLListen \fIipv4-address\fB:\fIport\fR
.TP 5
-Deny ip-address/mm
+\fBSSLListen [\fIipv6-address\fB]:\fIport\fR
.TP 5
-Deny @IF(name)
+\fBSSLListen *:\fIport\fR
+Listens on the specified address and port for encrypted connections.
+.\"#SSLOptions
+.TP 5
+.TP 5
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+.TP 5
+\fBSSLOptions None\fR
+Sets encryption options (only in /etc/cups/client.conf).
+By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+Security is reduced when \fIAllow\fR options are used.
+Security is enhanced when \fIDeny\fR options are used.
+The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation (not supported on systems using GNU TLS).
+The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients.
+The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+The \fIDenyCBC\fR option disables all CBC cipher suites.
+The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+The \fIMinTLS\fR options set the minimum TLS version to support.
+The \fIMaxTLS\fR options set the maximum TLS version to support.
+Not all operating systems support TLS 1.3 at this time.
+.\"#SSLPort
+.TP 5
+\fBSSLPort \fIport\fR
+Listens on the specified port for encrypted connections.
+.\"#StrictConformance
.TP 5
-Deny @LOCAL
-.br
-Denies access to the named host or address.
+\fBStrictConformance Yes\fR
.TP 5
-DocumentRoot directory
-.br
-Specifies the root directory for the internal web server documents.
+\fBStrictConformance No\fR
+Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications.
+The default is "No".
+.\"#Timeout
.TP 5
-Encryption IfRequested
+\fBTimeout \fIseconds\fR
+Specifies the HTTP request timeout.
+The default is "300" (5 minutes).
+.\"#WebInterface
.TP 5
-Encryption Never
+\fBWebInterface yes\fR
.TP 5
-Encryption Required
-.br
-Specifies the level of encryption that is required for a particular
-location.
+\fBWebInterface no\fR
+Specifies whether the web interface is enabled.
+The default is "No".
+.SS HTTP METHOD NAMES
+The following HTTP methods are supported by
+.BR cupsd (8):
.TP 5
-ErrorLog filename
+GET
+Used by a client to download icons and other printer resources and to access the CUPS web interface.
.TP 5
-ErrorLog syslog
-.br
-Specifies the error log filename.
+HEAD
+Used by a client to get the type, size, and modification date of resources.
.TP 5
-FileDevice Yes
+OPTIONS
+Used by a client to establish a secure (SSL/TLS) connection.
.TP 5
-FileDevice No
-.br
-Specifies whether the file pseudo-device can be used for new
-printer queues.
+POST
+Used by a client to submit IPP requests and HTML forms from the CUPS web interface.
.TP 5
-FilterLimit limit
-.br
-Specifies the maximum cost of filters that are run concurrently.
+PUT
+Used by a client to upload configuration files.
+.SS IPP OPERATION NAMES
+The following IPP operations are supported by
+.BR cupsd (8):
.TP 5
-FilterNice nice-value
-.br
-Specifies the scheduling priority ("nice" value) of filters that
-are run to print a job.
+CUPS\-Accept\-Jobs
+Allows a printer to accept new jobs.
.TP 5
-FontPath directory[:directory:...]
-.br
-Specifies the search path for fonts.
+CUPS\-Add\-Modify\-Class
+Adds or modifies a printer class.
.TP 5
-Group group-name-or-number
-.br
-Specifies the group name or ID that will be used when executing
-external programs.
+CUPS\-Add\-Modify\-Printer
+Adds or modifies a printer.
.TP 5
-HideImplicitMembers Yes
+CUPS\-Authenticate\-Job
+Releases a job that is held for authentication.
.TP 5
-HideImplicitMembers No
-.br
-Specifies whether to hide members of implicit classes.
+CUPS\-Delete\-Class
+Deletes a printer class.
.TP 5
-HostNameLookups Yes
+CUPS\-Delete\-Printer
+Deletes a printer.
.TP 5
-HostNameLookups No
+CUPS\-Get\-Classes
+Gets a list of printer classes.
.TP 5
-HostNameLookups Double
-.br
-Specifies whether or not to do reverse lookups on client addresses.
+CUPS\-Get\-Default
+Gets the server default printer or printer class.
.TP 5
-ImplicitAnyClasses Yes
+CUPS\-Get\-Devices
+Gets a list of devices that are currently available.
.TP 5
-ImplicitAnyClasses No
-.br
-Specifies whether or not to create implicit classes for local and
-remote printers, e.g. "AnyPrinter" from "Printer", "Printer@server1",
-and "Printer@server2".
+CUPS\-Get\-Document
+Gets a document file for a job.
.TP 5
-ImplicitClasses Yes
+CUPS\-Get\-PPD
+Gets a PPD file.
.TP 5
-ImplicitClasses No
-.br
-Specifies whether or not to create implicit classes from identical
-remote printers.
+CUPS\-Get\-PPDs
+Gets a list of installed PPD files.
.TP 5
-Include filename
-.br
-Includes the named file.
+CUPS\-Get\-Printers
+Gets a list of printers.
.TP 5
-JobRetryInterval seconds
-.br
-Specifies the interval between retries of jobs in seconds.
+CUPS\-Move\-Job
+Moves a job.
.TP 5
-JobRetryLimit count
-.br
-Specifies the number of retries that are done for jobs.
+CUPS\-Reject\-Jobs
+Prevents a printer from accepting new jobs.
.TP 5
-KeepAlive Yes
+CUPS\-Set\-Default
+Sets the server default printer or printer class.
.TP 5
-KeepAlive No
-.br
-Specifies whether to support HTTP keep-alive connections.
+Cancel\-Job
+Cancels a job.
.TP 5
-KeepAliveTimeout seconds
-.br
-Specifies the amount of time that connections are kept alive.
+Cancel\-Jobs
+Cancels one or more jobs.
.TP 5
-Krb5Keytab filename
-.br
-Overrides the Kerberos key tab location.
+Cancel\-My\-Jobs
+Cancels one or more jobs creates by a user.
.TP 5
-<Limit operations> ... </Limit>
-.br
-Specifies the IPP operations that are being limited inside a policy.
+Cancel\-Subscription
+Cancels a subscription.
.TP 5
-<Limit methods> ... </Limit>
+Close\-Job
+Closes a job that is waiting for more documents.
.TP 5
-<LimitExcept methods> ... </LimitExcept>
-.br
-Specifies the HTTP methods that are being limited inside a location.
+Create\-Job
+Creates a new job with no documents.
.TP 5
-LimitRequestBody
-.br
-Specifies the maximum size of any print job request.
+Create\-Job\-Subscriptions
+Creates a subscription for job events.
.TP 5
-Listen ip-address:port
+Create\-Printer\-Subscriptions
+Creates a subscription for printer events.
.TP 5
-Listen *:port
+Get\-Job\-Attributes
+Gets information about a job.
.TP 5
-Listen /path/to/domain/socket
-.br
-Listens to the specified address and port or domain socket path.
+Get\-Jobs
+Gets a list of jobs.
.TP 5
-<Location /path> ... </Location>
-.br
-Specifies access control for the named location.
+Get\-Notifications
+Gets a list of event notifications for a subscription.
.TP 5
-LogFilePerm mode
-.br
-Specifies the permissions for all log files that the scheduler writes.
+Get\-Printer\-Attributes
+Gets information about a printer or printer class.
.TP 5
-LogLevel alert
+Get\-Subscription\-Attributes
+Gets information about a subscription.
.TP 5
-LogLevel crit
+Get\-Subscriptions
+Gets a list of subscriptions.
.TP 5
-LogLevel debug2
+Hold\-Job
+Holds a job from printing.
.TP 5
-LogLevel debug
+Hold\-New\-Jobs
+Holds all new jobs from printing.
.TP 5
-LogLevel emerg
+Pause\-Printer
+Stops processing of jobs by a printer or printer class.
.TP 5
-LogLevel error
+Pause\-Printer\-After\-Current\-Job
+Stops processing of jobs by a printer or printer class after the current job is finished.
.TP 5
-LogLevel info
+Print\-Job
+Creates a new job with a single document.
.TP 5
-LogLevel none
+Purge\-Jobs
+Cancels one or more jobs and deletes the job history.
.TP 5
-LogLevel notice
+Release\-Held\-New\-Jobs
+Allows previously held jobs to print.
.TP 5
-LogLevel warn
-.br
-Specifies the logging level for the ErrorLog file.
+Release\-Job
+Allows a job to print.
.TP 5
-MaxClients number
-.br
-Specifies the maximum number of simultaneous clients to support.
+Renew\-Subscription
+Renews a subscription.
.TP 5
-MaxClientsPerHost number
-.br
-Specifies the maximum number of simultaneous clients to support from a
-single address.
+Restart\-Job
+Reprints a job, if possible.
.TP 5
-MaxCopies number
-.br
-Specifies the maximum number of copies that a user can print of each job.
+Send\-Document
+Adds a document to a job.
.TP 5
-MaxJobs number
-.br
-Specifies the maximum number of simultaneous jobs to support.
+Set\-Job\-Attributes
+Changes job information.
.TP 5
-MaxJobsPerPrinter number
-.br
-Specifies the maximum number of simultaneous jobs per printer to support.
+Set\-Printer\-Attributes
+Changes printer or printer class information.
.TP 5
-MaxJobsPerUser number
-.br
-Specifies the maximum number of simultaneous jobs per user to support.
+Validate\-Job
+Validates options for a new job.
+.SS LOCATION PATHS
+The following paths are commonly used when configuring
+.BR cupsd (8):
.TP 5
-MaxLogSize number-bytes
-.br
-Specifies the maximum size of the log files before they are
-rotated (0 to disable rotation)
+/
+The path for all get operations (get-printers, get-jobs, etc.)
.TP 5
-MaxRequestSize number-bytes
-.br
-Specifies the maximum request/file size in bytes (0 for no limit)
+/admin
+The path for all administration operations (add-printer, delete-printer, start-printer, etc.)
.TP 5
-Order allow,deny
+/admin/conf
+The path for access to the CUPS configuration files (cupsd.conf, client.conf, etc.)
.TP 5
-Order deny,allow
-.br
-Specifies the order of HTTP access control (allow,deny or deny,allow)
+/admin/log
+The path for access to the CUPS log files (access_log, error_log, page_log)
.TP 5
-PageLog filename
+/classes
+The path for all printer classes
.TP 5
-PageLog syslog
-.br
-Specifies the page log filename.
+/classes/name
+The resource for the named printer class
.TP 5
-PassEnv variable [... variable]
-.br
-Passes the specified environment variable(s) to child processes.
+/jobs
+The path for all jobs (hold-job, release-job, etc.)
.TP 5
-<Policy name> ... </Policy>
-.br
-Specifies access control for the named policy.
+/jobs/id
+The path for the specified job
.TP 5
-Port number
-.br
-Specifies a port number to listen to for HTTP requests.
+/printers
+The path for all printers
.TP 5
-PreserveJobFiles Yes
+/printers/name
+The path for the named printer
.TP 5
-PreserveJobFiles No
-.br
-Specifies whether or not to preserve job files after they are printed.
+/printers/name.png
+The icon file path for the named printer
.TP 5
-PreserveJobHistory Yes
+/printers/name.ppd
+The PPD file path for the named printer
+.SS DIRECTIVES VALID WITHIN LOCATION AND LIMIT SECTIONS
+The following directives may be placed inside Location and Limit sections in the \fBcupsd.conf\fR file:
.TP 5
-PreserveJobHistory No
-.br
-Specifies whether or not to preserve the job history after they are
-printed.
+\fBAllow all\fR
.TP 5
-Printcap
+\fBAllow none\fR
.TP 5
-Printcap filename
-.br
-Specifies the filename for a printcap file that is updated
-automatically with a list of available printers (needed for
-legacy applications); specifying Printcap with no filename
-disables printcap generation.
+\fBAllow \fIhost.domain.com\fR
.TP 5
-PrintcapFormat bsd
+\fBAllow *.\fIdomain.com\fR
.TP 5
-PrintcapFormat solaris
-.br
-Specifies the format of the printcap file.
+\fBAllow \fIipv4-address\fR
.TP 5
-PrintcapGUI
+\fBAllow \fIipv4-address\fB/\fInetmask\fR
.TP 5
-PrintcapGUI gui-program-filename
-.br
-Specifies whether to generate option panel definition files on
-some operating systems. When provided with no program filename,
-disables option panel definition files.
+\fBAllow \fIipv4-address\fB/\fImm\fR
.TP 5
-ReloadTimeout seconds
-.br
-Specifies the amount of time to wait for job completion before
-restarting the scheduler.
+\fBAllow [\fIipv6-address\fB]\fR
.TP 5
-RemoteRoot user-name
-.br
-Specifies the username that is associated with unauthenticated root
-accesses.
+\fBAllow [\fIipv6-address\fB]/\fImm\fR
.TP 5
-RequestRoot directory
-.br
-Specifies the directory to store print jobs and other HTTP request
-data.
+\fBAllow @IF(\fIname\fB)\fR
.TP 5
-Require group group-name-list
+\fBAllow @LOCAL\fR
+Allows access from the named hosts, domains, addresses, or interfaces.
+The Order directive controls whether Allow lines are evaluated before or after Deny lines.
.TP 5
-Require user user-name-list
+\fBAuthType None\fR
.TP 5
-Require valid-user
-.br
-Specifies that user or group authentication is required.
+\fBAuthType Basic\fR
.TP 5
-RIPCache bytes
-.br
-Specifies the maximum amount of memory to use when converting images
-and PostScript files to bitmaps for a printer.
+\fBAuthType Default\fR
.TP 5
-Satisfy all
+\fBAuthType Negotiate\fR
+Specifies the type of authentication required.
+The value "Default" corresponds to the DefaultAuthType value.
.TP 5
-Satisfy any
-.br
-Specifies whether all or any limits set for a Location must be
-satisfied to allow access.
+\fBDeny all\fR
.TP 5
-ServerAdmin user@domain.com
-.br
-Specifies the email address of the server administrator.
+\fBDeny none\fR
.TP 5
-ServerBin directory
-.br
-Specifies the directory where backends, CGIs, daemons, and filters may
-be found.
+\fBDeny \fIhost.domain.com\fR
.TP 5
-ServerCertificate filename
-.br
-Specifies the encryption certificate to use.
+\fBDeny *.\fIdomain.com\fR
.TP 5
-ServerKey filename
-.br
-Specifies the encryption key to use.
+\fBDeny \fIipv4-address\fR
.TP 5
-ServerName hostname-or-ip-address
-.br
-Specifies the fully-qualified hostname of the server.
+\fBDeny \fIipv4-address\fB/\fInetmask\fR
.TP 5
-ServerRoot directory
-.br
-Specifies the directory where the server configuration files can be found.
+\fBDeny \fIipv4-address\fB/\fImm\fR
.TP 5
-ServerTokens Full
+\fBDeny [\fIipv6-address\fB]\fR
.TP 5
-ServerTokens Major
+\fBDeny [\fIipv6-address\fB]/\fImm\fR
.TP 5
-ServerTokens Minimal
+\fBDeny @IF(\fIname\fB)\fR
.TP 5
-ServerTokens Minor
+\fBDeny @LOCAL\fR
+Denies access from the named hosts, domains, addresses, or interfaces.
+The Order directive controls whether Deny lines are evaluated before or after Allow lines.
.TP 5
-ServerTokens None
+\fBEncryption IfRequested\fR
.TP 5
-ServerTokens OS
+\fBEncryption Never\fR
.TP 5
-ServerTokens ProductOnly
-.br
-Specifies what information is included in the Server header of HTTP
-responses.
+\fBEncryption Required\fR
+Specifies the level of encryption that is required for a particular location.
+The default value is "IfRequested".
.TP 5
-SetEnv variable value
-.br
-Set the specified environment variable to be passed to child processes.
+\fBOrder allow,deny\fR
+Specifies that access is denied by default. Allow lines are then processed followed by Deny lines to determine whether a client may access a particular resource.
.TP 5
-SSLListen
-.br
-Listens on the specified address and port for encrypted connections.
+\fBOrder deny,allow\fR
+Specifies that access is allowed by default. Deny lines are then processed followed by Allow lines to determine whether a client may access a particular resource.
.TP 5
-SSLPort
-.br
-Listens on the specified port for encrypted connections.
+\fBRequire group \fIgroup-name \fR[ \fIgroup-name \fR... ]
+Specifies that an authenticated user must be a member of one of the named groups.
.TP 5
-SystemGroup group-name [group-name ...]
-.br
-Specifies the group(s) to use for System class authentication.
+\fBRequire user {\fIuser-name\fR|\fB@\fIgroup-name\fR} ...
+Specifies that an authenticated user must match one of the named users or be a member of one of the named groups.
+The group name "@SYSTEM" corresponds to the list of groups defined by the SystemGroup directive in the
+.BR cups-files.conf (5)
+file.
+The group name "@OWNER" corresponds to the owner of the resource, for example the person that submitted a print job.
+Note: The 'root' user is not special and must be granted privileges like any other user account.
.TP 5
-TempDir directory
-.br
-Specifies the directory where temporary files are stored.
+\fBRequire valid-user\fR
+Specifies that any authenticated user is acceptable.
.TP 5
-Timeout seconds
-.br
-Specifies the HTTP request timeout in seconds.
+\fBSatisfy all\fR
+Specifies that all Allow, AuthType, Deny, Order, and Require conditions must be satisfied to allow access.
+.TP 5
+\fBSatisfy any\fR
+Specifies that any a client may access a resource if either the authentication (AuthType/Require) or address (Allow/Deny/Order) conditions are satisfied.
+For example, this can be used to require authentication only for remote accesses.
+.SS DIRECTIVES VALID WITHIN POLICY SECTIONS
+The following directives may be placed inside Policy sections in the \fBcupsd.conf\fR file:
.TP 5
-User user-name
+\fBJobPrivateAccess all\fR
+.TP 5
+\fBJobPrivateAccess default\fR
+.TP 5
+\fBJobPrivateAccess \fR{\fIuser\fR|\fB@\fIgroup\fR|\fB@ACL\fR|\fB@OWNER\fR|\fB@SYSTEM\fR} ...
+Specifies an access list for a job's private values.
+The "default" access list is "@OWNER @SYSTEM".
+"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
+"@OWNER" maps to the job's owner.
+"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
+.BR cups-files.conf (5)
+file.
+.TP 5
+\fBJobPrivateValues all\fR
+.TP 5
+\fBJobPrivateValues default\fR
+.TP 5
+\fBJobPrivateValues none\fR
+.TP 5
+\fBJobPrivateValues \fIattribute-name \fR[ ... \fIattribute-name \fR]
+Specifies the list of job values to make private.
+The "default" values are "job-name", "job-originating-host-name", "job-originating-user-name", and "phone".
+.TP 5
+\fBSubscriptionPrivateAccess all\fR
+.TP 5
+\fBSubscriptionPrivateAccess default\fR
+.TP 5
+\fBSubscriptionPrivateAccess \fR{\fIuser\fR|\fB@\fIgroup\fR|\fB@ACL\fR|\fB@OWNER\fR|\fB@SYSTEM\fR} ...
+Specifies an access list for a subscription's private values.
+The "default" access list is "@OWNER @SYSTEM".
+"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
+"@OWNER" maps to the job's owner.
+"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
+.BR cups-files.conf (5)
+file.
+.TP 5
+\fBSubscriptionPrivateValues all\fR
+.TP 5
+\fBSubscriptionPrivateValues default\fR
+.TP 5
+\fBSubscriptionPrivateValues none\fR
+.TP 5
+\fBSubscriptionPrivateValues \fIattribute-name \fR[ ... \fIattribute-name \fR]
+Specifies the list of subscription values to make private.
+The "default" values are "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data".
+.SS DEPRECATED DIRECTIVES
+The following directives are deprecated and will be removed in a future release of CUPS:
+.\"#Classification
+.TP 5
+\fBClassification \fIbanner\fR
.br
-Specifies the user name or ID that is used when running external programs.
+Specifies the security classification of the server.
+Any valid banner name can be used, including "classified", "confidential", "secret", "topsecret", and "unclassified", or the banner can be omitted to disable secure printing functions.
+The default is no classification banner.
+.\"#ClassifyOverride
+.TP 5
+\fBClassifyOverride Yes\fR
+.TP 5
+\fBClassifyOverride No\fR
+.br
+Specifies whether users may override the classification (cover page) of individual print jobs using the "job-sheets" option.
+The default is "No".
+.\"#PageLogFormat
+.TP 5
+\fBPageLogFormat \fIformat-string\fR
+Specifies the format of PageLog lines.
+Sequences beginning with percent (%) characters are replaced with the corresponding information, while all other characters are copied literally.
+The following percent sequences are recognized:
+.nf
+
+ "%%" inserts a single percent character.
+ "%{name}" inserts the value of the specified IPP attribute.
+ "%C" inserts the number of copies for the current page.
+ "%P" inserts the current page number.
+ "%T" inserts the current date and time in common log format.
+ "%j" inserts the job ID.
+ "%p" inserts the printer name.
+ "%u" inserts the username.
+
+.fi
+The default is the empty string, which disables page logging.
+The string "%p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}" creates a page log with the standard items.
+Use "%{job-impressions-completed}" to insert the number of pages (sides) that were printed, or "%{job-media-sheets-completed}" to insert the number of sheets that were printed.
+.\"#RIPCache
+.TP 5
+\fBRIPCache \fIsize\fR
+Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.
+The default is "128m".
+.SH CONFORMING TO
+The \fBcupsd.conf\fR file format is based on the Apache HTTP Server configuration file format.
+.SH EXAMPLES
+Log everything with a maximum log file size of 32 megabytes:
+.nf
+
+ AccessLogLevel all
+ LogLevel debug2
+ MaxLogSize 32m
+
+.fi
+Require authentication for accesses from outside the 10. network:
+.nf
+
+ <Location />
+ Order allow,deny
+ Allow from 10./8
+ AuthType Basic
+ Require valid-user
+ Satisfy any
+ </Location>
+.fi
.SH SEE ALSO
-\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
-\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
-\fIsubscriptions.conf(5)\fR,
-.br
-http://localhost:631/help
+.BR classes.conf (5),
+.BR cups-files.conf (5),
+.BR cupsd (8),
+.BR mime.convs (5),
+.BR mime.types (5),
+.BR printers.conf (5),
+.BR subscriptions.conf (5),
+CUPS Online Help (http://localhost:631/help)
.SH COPYRIGHT
-Copyright 2007-2008 by Apple Inc.
-.\"
-.\" End of "$Id: cupsd.conf.man.in 7002 2007-10-01 23:07:37Z mike $".
-.\"
+Copyright \[co] 2007-2018 by Apple Inc.
projects / thirdparty / cups.git / blobdiff