The cupsd.conf file configures the CUPS scheduler, cupsd(8). It
is normally located in the /etc/cups directory. Each line in the
file can be a configuration directive, a blank line, or a
comment. Configuration directives typically consist of a name
and zero or more values separated by whitespace. The
configuration directive name and values are case-insensitive.
Comment lines start with the # character.
TOP-LEVEL DIRECTIVES
The following top-level directives are understood by cupsd(8):
AccessLogLevel config
AccessLogLevel actions
AccessLogLevel all
Specifies the logging level for the AccessLog file. The
"config" level logs when printers and classes are added,
deleted, or modified and when configuration files are
accessed or updated. The "actions" level logs when print
jobs are submitted, held, released, modified, or canceled,
and any of the conditions for "config". The "all" level
logs all requests. The default access log level is
"actions".
AutoPurgeJobs Yes
AutoPurgeJobs No
Specifies whether to purge job history data automatically
when it is no longer required for quotas. The default is
"No".
BrowseDNSSDSubTypes
_subtype[,...]
Specifies a list of Bonjour sub-types to advertise for each
shared printer. For example, "BrowseDNSSDSubTypes
_cups,_print" will tell network clients that both CUPS
sharing and IPP Everywhere are supported. The default is
"_cups" which is necessary for printer sharing to work
between systems using CUPS.
BrowseLocalProtocols all
BrowseLocalProtocols dnssd
BrowseLocalProtocols none
Specifies which protocols to use for local printer sharing.
The default is "dnssd" on systems that support Bonjour and
"none" otherwise.
BrowseWebIF Yes
BrowseWebIF No
Specifies whether the CUPS web interface is advertised. The
default is "No".
Browsing Yes
Browsing No
Specifies whether shared printers are advertised. The
default is "No".
DefaultAuthType Basic
DefaultAuthType Negotiate
Specifies the default type of authentication to use. The
default is "Basic".
DefaultEncryption Never
DefaultEncryption IfRequested
DefaultEncryption Required
Specifies whether encryption will be used for authenticated
requests. The default is "Required".
DefaultLanguage
locale
Specifies the default language to use for text and web
content. The default is "en".
DefaultPaperSize Auto
DefaultPaperSize None
DefaultPaperSize
sizename
Specifies the default paper size for new print queues.
"Auto" uses a locale-specific default, while "None"
specifies there is no default paper size. Specific size
names are typically "Letter" or "A4". The default is
"Auto".
DefaultPolicy
policy-name
Specifies the default access policy to use. The default
access policy is "default".
DefaultShared Yes
DefaultShared No
Specifies whether local printers are shared by default. The
default is "Yes".
DirtyCleanInterval
seconds
Specifies the delay for updating of configuration and state
files. A value of 0 causes the update to happen as soon as
possible, typically within a few milliseconds. The default
value is "30".
DNSSDHostName
hostname.example.com
Specifies the fully-qualified domain name for the server
that is used for Bonjour sharing. The default is typically
the server's ".local" hostname.
ErrorPolicy abort-job
Specifies that a failed print job should be aborted
(discarded) unless otherwise specified for the printer.
ErrorPolicy retry-current-job
Specifies that a failed print job should be retried
immediately unless otherwise specified for the printer.
ErrorPolicy retry-job
Specifies that a failed print job should be retried at a
later time unless otherwise specified for the printer.
ErrorPolicy stop-printer
Specifies that a failed print job should stop the printer
unless otherwise specified for the printer. The 'stop-
printer' error policy is the default.
FilterLimit
limit
Specifies the maximum cost of filters that are run
concurrently, which can be used to minimize disk, memory,
and CPU resource problems. A limit of 0 disables filter
limiting. An average print to a non-PostScript printer
needs a filter limit of about 200. A PostScript printer
needs about half that (100). Setting the limit below these
thresholds will effectively limit the scheduler to printing
a single job at any time. The default limit is "0".
FilterNice
nice-value
Specifies the scheduling priority ( nice
(8) value) of
filters that are run to print a job. The nice value ranges
from 0, the highest priority, to 19, the lowest priority.
The default is 0.
GSSServiceName
name
Specifies the service name when using Kerberos
authentication. The default service name is "http."
HostNameLookups On
HostNameLookups Off
HostNameLookups Double
Specifies whether to do reverse lookups on connecting
clients. The "Double" setting causes cupsd(8) to verify
that the hostname resolved from the address matches one of
the addresses returned for that hostname. Double lookups
also prevent clients with unregistered addresses from
connecting to your server. The default is "Off" to avoid
the potential server performance problems with hostname
lookups. Only set this option to "On" or "Double" if
absolutely required.
IdleExitTimeout
seconds
Specifies the length of time to wait before shutting down
due to inactivity. The default is "60" seconds. Note: Only
applicable when cupsd(8) is run on-demand (e.g., with -l
).
JobKillDelay
seconds
Specifies the number of seconds to wait before killing the
filters and backend associated with a canceled or held job.
The default is "30".
JobRetryInterval
seconds
Specifies the interval between retries of jobs in seconds.
This is typically used for fax queues but can also be used
with normal print queues whose error policy is "retry-job"
or "retry-current-job". The default is "30".
JobRetryLimit
count
Specifies the number of retries that are done for jobs.
This is typically used for fax queues but can also be used
with normal print queues whose error policy is "retry-job"
or "retry-current-job". The default is "5".
KeepAlive Yes
KeepAlive No
Specifies whether to support HTTP keep-alive connections.
The default is "Yes".
<Limit
operation ...>
... </Limit>
Specifies the IPP operations that are being limited inside a
Policy section. IPP operation names are listed below in the
section "IPP OPERATION NAMES".
<Limit
method ...>
... </Limit>
<LimitExcept
method ...>
... </LimitExcept>
Specifies the HTTP methods that are being limited inside a
Location section. HTTP method names are listed below in the
section "HTTP METHOD NAMES".
LimitRequestBody
size
Specifies the maximum size of print files, IPP requests, and
HTML form data. The default is "0" which disables the limit
check.
Listen
ipv4-address:
port
Listen [
ipv6-address]:
port
Listen *:
port
Listen
/path/to/domain/socket
Listens to the specified address and port or domain socket
path for connections. Multiple Listen directives can be
provided to listen on multiple addresses. The Listen
directive is similar to the Port directive but allows you to
restrict access to specific interfaces or networks.
ListenBackLog
number
Specifies the number of pending connections that will be
allowed. This normally only affects very busy servers that
have reached the MaxClients limit, but can also be triggered
by large numbers of simultaneous connections. When the
limit is reached, the operating system will refuse
additional connections until the scheduler can accept the
pending ones. The default is the OS-defined default limit,
typically either "5" for older operating systems or "128"
for newer operating systems.
<Location
/path>
... </Location>
Specifies access control for the named location. Paths are
documented below in the section "LOCATION PATHS".
LogDebugHistory
number
Specifies the number of debugging messages that are retained
for logging if an error occurs in a print job. Debug
messages are logged regardless of the LogLevel setting.
LogLevel
none
LogLevel
emerg
LogLevel
alert
LogLevel
crit
LogLevel
error
LogLevel
warn
LogLevel
notice
LogLevel
info
LogLevel
debug
LogLevel
debug2
Specifies the level of logging for the ErrorLog file. The
value "none" stops all logging while "debug2" logs
everything. The default is "warn".
LogTimeFormat
standard
LogTimeFormat
usecs
Specifies the format of the date and time in the log files.
The value "standard" is the default and logs whole seconds
while "usecs" logs microseconds.
MaxClients
number
Specifies the maximum number of simultaneous clients that
are allowed by the scheduler. The default is "100".
MaxClientsPerHost
number
Specifies the maximum number of simultaneous clients that
are allowed from a single address. The default is the
MaxClients value.
MaxCopies
number
Specifies the maximum number of copies that a user can print
of each job. The default is "9999".
MaxHoldTime
seconds
Specifies the maximum time a job may remain in the
"indefinite" hold state before it is canceled. The default
is "0" which disables cancellation of held jobs.
MaxJobs
number
Specifies the maximum number of simultaneous jobs that are
allowed. Set to "0" to allow an unlimited number of jobs.
The default is "500".
MaxJobsPerPrinter
number
Specifies the maximum number of simultaneous jobs that are
allowed per printer. The default is "0" which allows up to
MaxJobs jobs per printer.
MaxJobsPerUser
number
Specifies the maximum number of simultaneous jobs that are
allowed per user. The default is "0" which allows up to
MaxJobs jobs per user.
MaxJobTime
seconds
Specifies the maximum time a job may take to print before it
is canceled. Set to "0" to disable cancellation of "stuck"
jobs. The default is "10800" (3 hours).
MaxLogSize
size
Specifies the maximum size of the log files before they are
rotated. The value "0" disables log rotation. The default
is "1048576" (1MB).
MultipleOperationTimeout
seconds
Specifies the maximum amount of time to allow between files
in a multiple file print job. The default is "900" (15
minutes).
<Policy
name>
... </Policy>
Specifies access control for the named policy.
Port
number
Listens to the specified port number for connections.
PreserveJobFiles Yes
PreserveJobFiles No
PreserveJobFiles
seconds
Specifies whether job files (documents) are preserved after
a job is printed. If a numeric value is specified, job
files are preserved for the indicated number of seconds
after printing. The default is "86400" (preserve 1 day).
PreserveJobHistory Yes
PreserveJobHistory No
PreserveJobHistory
seconds
Specifies whether the job history is preserved after a job
is printed. If a numeric value is specified, the job
history is preserved for the indicated number of seconds
after printing. If "Yes", the job history is preserved
until the MaxJobs limit is reached. The default is "Yes".
ReloadTimeout
seconds
Specifies the amount of time to wait for job completion
before restarting the scheduler. The default is "30".
ServerAdmin
email-address
Specifies the email address of the server administrator.
The default value is "root@ServerName".
ServerAlias
hostname [ ... hostname ]
ServerAlias *
The ServerAlias directive is used for HTTP Host header
validation when clients connect to the scheduler from
external interfaces. Using the special name "*" can expose
your system to known browser-based DNS rebinding attacks,
even when accessing sites through a firewall. If the auto-
discovery of alternate names does not work, we recommend
listing each alternate name with a ServerAlias directive
instead of using "*".
ServerName
hostname
Specifies the fully-qualified hostname of the server. The
default is the value reported by the hostname(1) command.
ServerTokens None
ServerTokens ProductOnly
ServerTokens Major
ServerTokens Minor
ServerTokens Minimal
ServerTokens OS
ServerTokens Full
Specifies what information is included in the Server header
of HTTP responses. "None" disables the Server header.
"ProductOnly" reports "CUPS". "Major" reports "CUPS/major
IPP/2". "Minor" reports "CUPS/major.minor IPP/2.1".
"Minimal" reports "CUPS/major.minor.patch IPP/2.1". "OS"
reports "CUPS/major.minor.path (osname osversion) IPP/2.1".
"Full" reports "CUPS/major.minor.path (osname osversion;
architecture) IPP/2.1". The default is "Minimal".
SSLListen
ipv4-address:
port
SSLListen [
ipv6-address]:
port
SSLListen *:
port
Listens on the specified address and port for encrypted
connections.
SSLOptions
[AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC]
[DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3]
[MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3]
SSLOptions None
Sets encryption options (only in /etc/cups/client.conf). By
default, CUPS only supports encryption using TLS v1.0 or
higher using known secure cipher suites. Security is
reduced when Allow options are used. Security is enhanced
when Deny options are used. The AllowDH option enables
cipher suites using plain Diffie-Hellman key negotiation
(not supported on systems using GNU TLS). The AllowRC4
option enables the 128-bit RC4 cipher suites, which are
required for some older clients. The AllowSSL3 option
enables SSL v3.0, which is required for some older clients
that do not support TLS v1.0. The DenyCBC option disables
all CBC cipher suites. The DenyTLS1.0 option disables TLS
v1.0 support - this sets the minimum protocol version to TLS
v1.1. The MinTLS options set the minimum TLS version to
support. The MaxTLS options set the maximum TLS version to
support. Not all operating systems support TLS 1.3 at this
time.
SSLPort
port
Listens on the specified port for encrypted connections.
StrictConformance Yes
StrictConformance No
Specifies whether the scheduler requires clients to strictly
adhere to the IPP specifications. The default is "No".
Timeout
seconds
Specifies the HTTP request timeout. The default is "900"
(15 minutes).
WebInterface yes
WebInterface no
Specifies whether the web interface is enabled. The default
is "No".
HTTP METHOD NAMES
The following HTTP methods are supported by cupsd(8):
GET Used by a client to download icons and other printer
resources and to access the CUPS web interface.
HEAD Used by a client to get the type, size, and modification
date of resources.
OPTIONS
Used by a client to establish a secure (SSL/TLS) connection.
POST Used by a client to submit IPP requests and HTML forms from
the CUPS web interface.
PUT Used by a client to upload configuration files.
IPP OPERATION NAMES
The following IPP operations are supported by cupsd(8):
CUPS-Accept-Jobs
Allows a printer to accept new jobs.
CUPS-Add-Modify-Class
Adds or modifies a printer class.
CUPS-Add-Modify-Printer
Adds or modifies a printer.
CUPS-Authenticate-Job
Releases a job that is held for authentication.
CUPS-Delete-Class
Deletes a printer class.
CUPS-Delete-Printer
Deletes a printer.
CUPS-Get-Classes
Gets a list of printer classes.
CUPS-Get-Default
Gets the server default printer or printer class.
CUPS-Get-Devices
Gets a list of devices that are currently available.
CUPS-Get-Document
Gets a document file for a job.
CUPS-Get-PPD
Gets a PPD file.
CUPS-Get-PPDs
Gets a list of installed PPD files.
CUPS-Get-Printers
Gets a list of printers.
CUPS-Move-Job
Moves a job.
CUPS-Reject-Jobs
Prevents a printer from accepting new jobs.
CUPS-Set-Default
Sets the server default printer or printer class.
Cancel-Job
Cancels a job.
Cancel-Jobs
Cancels one or more jobs.
Cancel-My-Jobs
Cancels one or more jobs creates by a user.
Cancel-Subscription
Cancels a subscription.
Close-Job
Closes a job that is waiting for more documents.
Create-Job
Creates a new job with no documents.
Create-Job-Subscriptions
Creates a subscription for job events.
Create-Printer-Subscriptions
Creates a subscription for printer events.
Get-Job-Attributes
Gets information about a job.
Get-Jobs
Gets a list of jobs.
Get-Notifications
Gets a list of event notifications for a subscription.
Get-Printer-Attributes
Gets information about a printer or printer class.
Get-Subscription-Attributes
Gets information about a subscription.
Get-Subscriptions
Gets a list of subscriptions.
Hold-Job
Holds a job from printing.
Hold-New-Jobs
Holds all new jobs from printing.
Pause-Printer
Stops processing of jobs by a printer or printer class.
Pause-Printer-After-Current-Job
Stops processing of jobs by a printer or printer class after
the current job is finished.
Print-Job
Creates a new job with a single document.
Purge-Jobs
Cancels one or more jobs and deletes the job history.
Release-Held-New-Jobs
Allows previously held jobs to print.
Release-Job
Allows a job to print.
Renew-Subscription
Renews a subscription.
Restart-Job
Reprints a job, if possible.
Send-Document
Adds a document to a job.
Set-Job-Attributes
Changes job information.
Set-Printer-Attributes
Changes printer or printer class information.
Validate-Job
Validates options for a new job.
LOCATION PATHS
The following paths are commonly used when configuring cupsd(8):
/ The path for all get operations (get-printers, get-jobs,
etc.)
/admin
The path for all administration operations (add-printer,
delete-printer, start-printer, etc.)
/admin/conf
The path for access to the CUPS configuration files
(cupsd.conf, client.conf, etc.)
/admin/log
The path for access to the CUPS log files (access_log,
error_log, page_log)
/classes
The path for all printer classes
/classes/name
The resource for the named printer class
/jobs
The path for all jobs (hold-job, release-job, etc.)
/jobs/id
The path for the specified job
/printers
The path for all printers
/printers/name
The path for the named printer
/printers/name.png
The icon file path for the named printer
/printers/name.ppd
The PPD file path for the named printer
DIRECTIVES VALID WITHIN LOCATION AND LIMIT SECTIONS
The following directives may be placed inside Location and Limit
sections in the cupsd.conf
file:
Allow all
Allow none
Allow
host.domain.com
Allow *.
domain.com
Allow
ipv4-address
Allow
ipv4-address/
netmask
Allow
ipv4-address/
mm
Allow [
ipv6-address]
Allow [
ipv6-address]/
mm
Allow @IF(
name)
Allow @LOCAL
Allows access from the named hosts, domains, addresses, or
interfaces. The @IF(name) form uses the current subnets
configured for the named interface. The @LOCAL form uses
the current subnets configured for all interfaces that are
not point-to-point, for example Ethernet and Wi-Fi
interfaces are used but DSL and VPN interfaces are not. The
Order directive controls whether Allow lines are evaluated
before or after Deny lines.
AuthType None
AuthType Basic
AuthType Default
AuthType Negotiate
Specifies the type of authentication required. The value
"Default" corresponds to the DefaultAuthType value.
Deny all
Deny none
Deny
host.domain.com
Deny *.
domain.com
Deny
ipv4-address
Deny
ipv4-address/
netmask
Deny
ipv4-address/
mm
Deny [
ipv6-address]
Deny [
ipv6-address]/
mm
Deny @IF(
name)
Deny @LOCAL
Denies access from the named hosts, domains, addresses, or
interfaces. The @IF(name) form uses the current subnets
configured for the named interface. The @LOCAL form uses
the current subnets configured for all interfaces that are
not point-to-point, for example Ethernet and Wi-Fi
interfaces are used but DSL and VPN interfaces are not. The
Order directive controls whether Deny lines are evaluated
before or after Allow lines.
Encryption IfRequested
Encryption Never
Encryption Required
Specifies the level of encryption that is required for a
particular location. The default value is "IfRequested".
Order allow,deny
Specifies that access is denied by default. Allow lines are
then processed followed by Deny lines to determine whether a
client may access a particular resource.
Order deny,allow
Specifies that access is allowed by default. Deny lines are
then processed followed by Allow lines to determine whether
a client may access a particular resource.
Require group
group-name [ group-name ... ]
Specifies that an authenticated user must be a member of one
of the named groups.
Require user {
user-name|@
group-name} ...
Specifies that an authenticated user must match one of the
named users or be a member of one of the named groups. The
group name "@SYSTEM" corresponds to the list of groups
defined by the SystemGroup directive in the
cups-files.conf(5) file. The group name "@OWNER"
corresponds to the owner of the resource, for example the
person that submitted a print job. Note: The 'root' user is
not special and must be granted privileges like any other
user account.
Require valid-user
Specifies that any authenticated user is acceptable.
Satisfy all
Specifies that all Allow, AuthType, Deny, Order, and Require
conditions must be satisfied to allow access.
Satisfy any
Specifies that any a client may access a resource if either
the authentication (AuthType/Require) or address
(Allow/Deny/Order) conditions are satisfied. For example,
this can be used to require authentication only for remote
accesses.
DIRECTIVES VALID WITHIN POLICY SECTIONS
The following directives may be placed inside Policy sections in
the cupsd.conf
file:
JobPrivateAccess all
JobPrivateAccess default
JobPrivateAccess
{user|@
group|@ACL
|@OWNER
|@SYSTEM
} ...
Specifies an access list for a job's private values. The
"default" access list is "@OWNER @SYSTEM". "@ACL" maps to
the printer's requesting-user-name-allowed or requesting-
user-name-denied values. "@OWNER" maps to the job's owner.
"@SYSTEM" maps to the groups listed for the SystemGroup
directive in the cups-files.conf(5) file.
JobPrivateValues all
JobPrivateValues default
JobPrivateValues none
JobPrivateValues
attribute-name [ ... attribute-name ]
Specifies the list of job values to make private. The
"default" values are "job-name", "job-originating-host-
name", "job-originating-user-name", and "phone".
SubscriptionPrivateAccess all
SubscriptionPrivateAccess default
SubscriptionPrivateAccess
{user|@
group|@ACL
|@OWNER
|@SYSTEM
} ...
Specifies an access list for a subscription's private
values. The "default" access list is "@OWNER @SYSTEM".
"@ACL" maps to the printer's requesting-user-name-allowed or
requesting-user-name-denied values. "@OWNER" maps to the
job's owner. "@SYSTEM" maps to the groups listed for the
SystemGroup directive in the cups-files.conf(5) file.
SubscriptionPrivateValues all
SubscriptionPrivateValues default
SubscriptionPrivateValues none
SubscriptionPrivateValues
attribute-name [ ... attribute-name ]
Specifies the list of subscription values to make private.
The "default" values are "notify-events", "notify-pull-
method", "notify-recipient-uri", "notify-subscriber-user-
name", and "notify-user-data".
DEPRECATED DIRECTIVES
The following directives are deprecated and will be removed in a
future release of CUPS:
Classification
banner
Specifies the security classification of the server. Any
valid banner name can be used, including "classified",
"confidential", "secret", "topsecret", and "unclassified",
or the banner can be omitted to disable secure printing
functions. The default is no classification banner.
ClassifyOverride Yes
ClassifyOverride No
Specifies whether users may override the classification
(cover page) of individual print jobs using the "job-sheets"
option. The default is "No".
PageLogFormat
format-string
Specifies the format of PageLog lines. Sequences beginning
with percent (%) characters are replaced with the
corresponding information, while all other characters are
copied literally. The following percent sequences are
recognized:
"%%" inserts a single percent character.
"%{name}" inserts the value of the specified IPP attribute.
"%C" inserts the number of copies for the current page.
"%P" inserts the current page number.
"%T" inserts the current date and time in common log format.
"%j" inserts the job ID.
"%p" inserts the printer name.
"%u" inserts the username.
The default is the empty string, which disables page
logging. The string "%p %u %j %T %P %C %{job-billing}
%{job-originating-host-name} %{job-name} %{media} %{sides}"
creates a page log with the standard items. Use "%{job-
impressions-completed}" to insert the number of pages
(sides) that were printed, or "%{job-media-sheets-
completed}" to insert the number of sheets that were
printed.
RIPCache
size
Specifies the maximum amount of memory to use when
converting documents into bitmaps for a printer. The
default is "128m".