Connecting to remote CUPS server via ssh tunnel

Support issue: you need to connect to a client’s CUPS web server on port 631 but don’t want to go to the hassle of teaching the client how to forward port 631 on his/her firewall/router (not to mention that 631 is blocked by firewalld on the Linux system.) The solution is to use an ssh tunnel.

In this scenario:

  • Your client is Hobbit Fine Foods at
  • You’ve forwarded port 722 on the border router (an anti-bot measure) to port 22 on the Linux back-office ccomputer (hostname pos)
  • You’ve set up password-less login

Ergo, to get a shell you need to do:

[me@mycomputer ~]$ ssh -p722
Last login: Fri Apr  5 18:24:41 2019 from
[qretail@pos ~]$

Now we need a way to get ssh talking to port 631 at hobbitfinefoods. Note that because we’re already getting through their border router using port 22 and we’re getting throuugh the Linux firewall (again using port 22), references to ports should be relative to the Linux system itself.

[me@mycomputer ~]$ ssh -fNL 9000:localhost:631 -p722

It’s really that simple. To connect to their CUPS server, at this point all you need to do is point your web browser to https://localhost:9000. Note the following:

  • Use HTTPS to make the connection or you won’t be able to do any actual administration.
  • If you are prompted for a user name and password, you have to supply the root user and password; attempting to use a user in the @SYSTEM group will give you 404 Forbidden result and you won’t be able to re-authenticate without shutting down the browser.
  • Because CUPS believes it is being run locally and not remotely, it redirects to localhost:631, which may result in an error or confusingly connect you to the CUPS server on your system.

What if you need to connect to the CUPS server on a cash register system at Hobbit Fine Foods? Simple: set up a tunnel on the Linux back office system (this assumes the POS system can locate cash111 using DNS or a hosts file):

[qretail@pos]$ ssh -fNL 9000:localhost:631 cash111

Now requests to port 9000 on your system will go to pos:9000 at, and from there to port 631 on cash111.

Remember to kill the tunnel after you’re finished using it, although if you leave it open the security risk is practically non-existent because it’s encrypted and bound to your system.

[me@mycomputer ~]$ ps -ef | grep 'ssh -f'
me   29056   1  0 19:53 ?   00:00:00 ssh -f -N -L 9000:localhost:631 -p722
me   31010 501  0 20:02 tty 00:00:00 grep 'ssh -f'
[me@mycomputer ~]$ kill 29056