Connecting to remote CUPS server via ssh tunnel
Support issue: you need to connect to a client’s CUPS web server on port 631 but don’t want to go to the hassle of teaching the client how to forward port 631 on his/her firewall/router (not to mention that 631 is blocked by firewalld on the Linux system). The solution is to use an ssh tunnel.
In this scenario:
- Your client is Hobbit Fine Foods at hobbitfinefoods.com
- You’ve forwarded port 722 on the border router (an anti-bot measure) to port 22 on the Linux back-office computer (hostname pos)
- You’ve set up password-less login
Ergo, to get a shell you need to do:
[me@mycomputer ~]$ ssh -p722 qretail@hobbitfinefoods.com
Last login: Fri Apr 5 18:24:41 2019 from s0106602ad08cc7c2.j.random.net
[qretail@pos ~]$
Now we need a way to get ssh talking to port 631 at hobbitfinefoods. Note that because we’re already getting through their border router using port 22 and we’re getting through the Linux firewall (again using port 22), references to ports should be relative to the Linux system itself: the localhost:631 in the command below means port 631 on pos, not on your own machine.
[me@mycomputer ~]$ ssh -fNL 9000:localhost:631 -p722 qretail@hobbitfinefoods.com
It’s really that simple. To connect to their CUPS server, at this point all you need to do is point your web browser to https://localhost:9000. Note the following:
- Use HTTPS to make the connection or you won’t be able to do any actual administration.
- If you are prompted for a user name and password, you have to supply the root user and password; attempting to use a user in the @SYSTEM group will give you a 404 Forbidden result and you won’t be able to re-authenticate without shutting down the browser.
- Because CUPS believes it is being run locally and not remotely, it redirects to localhost:631, which may result in an error or confusingly connect you to the CUPS server on your system.
What if you need to connect to the CUPS server on a cash register system at Hobbit Fine Foods? Simple: set up a tunnel on the Linux back office system (this assumes the POS system can locate cash111 using DNS or a hosts file):
[qretail@pos]$ ssh -fNL 9000:localhost:631 cash111
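Now requests to port 9000 on your system will go to pos:9000 at hobbitfinefoods.com, and from there to port 631 on cash111. For that chain to work, the tunnel from your system must forward to port 9000 on pos rather than to port 631 as in the earlier command.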
Remember to kill the tunnel after you’re finished using it, although if you leave it open the security risk is practically non-existent because it’s encrypted and bound to your system.
[me@mycomputer ~]$ ps -ef | grep 'ssh -f'
me 29056 1 0 19:53 ? 00:00:00 ssh -f -N -L 9000:localhost:631 -p722 qretail@hobbitfinefoods.com
me 31010 501 0 20:02 tty 00:00:00 grep 'ssh -f'
[me@mycomputer ~]$ kill 29056
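The following is an added example, not part of the original post: it opens the same forward with an OpenSSH control socket so it can be closed without hunting for a PID, and checks the "bound to your system" claim by classifying the listener on port 9000 from `ss -ltn` output. The control-socket path, the function names and the sample `ss` output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Host, user and ports are the
# article's; CTL, the function names and SAMPLE are assumptions.
CTL="${HOME}/.ssh/cups-tunnel.ctl"    # assumed control-socket path

# Open the forward bound explicitly to loopback, with a control socket;
# ExitOnForwardFailure makes ssh fail if local port 9000 cannot be bound.
open_tunnel() {
    ssh -fN -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -L 127.0.0.1:9000:localhost:631 -p722 qretail@hobbitfinefoods.com
}

# Tell the master process to exit; no ps/grep/kill PID hunt needed.
close_tunnel() {
    ssh -S "$CTL" -O exit qretail@hobbitfinefoods.com
}

# Read `ss -ltn` output on stdin and classify the listeners on port $1:
# "loopback" (127.x or ::1 only), "exposed" (any other address), "closed".
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") {
                if (scope == "") scope = "loopback"
            } else {
                scope = "exposed"
            }
        }
        END { print (scope == "" ? "closed" : scope) }'
}

# Constructed sample of `ss -ltn` output while the article's tunnel is up.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:9000      0.0.0.0:*
LISTEN 0      128            [::1]:9000         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

# On a live system: ss -ltn | listener_scope 9000
printf 'port 9000: %s\n' "$(printf '%s\n' "$SAMPLE" | listener_scope 9000)"
```

A result of "exposed" for port 9000 means the forward is reachable from other hosts on your network, which happens when the tunnel is started with `-g` or a wildcard bind address.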