Knowledge Base
Home » Main » Forcing use of HTTPS/SSL only

Forcing use of HTTPS/SSL only

By default, PaperCut offers both plain HTTP and encrypted HTTPS based browser access. HTTP is on port 9191 and HTTPS/SSL on port 9192. To restrict end-users access to the system via SSL only:

Students/End-User Pages:

End-users access the system via the URL: http://server:9191/user or via the Details... link on the client. If the Client Settings option Use SSL/HTTPS if available is selected, any users that hit the plain HTTP user page will automatically be redirected to the HTTPS secure connection. End-user web login via the non-SSL connection will be denied. To turn this on:

  1. Login as an admin level user
  2. Navigate to Options -> General -> Client Software
  3. Select Use HTTPS/SSL if available (Advanced)
  4. Press Apply to save.
  5. The next time clients restart, the Details... link or access to end-user web pages will redirect to the SSL login.

If you are using the PaperCut user client you should configure the client using the "config.properties" file to connect to the server's fully qualified address (i.e. the name the SSL certificate is issued with). This will avoid the certificate warning when the user clicks on the "Details..." link in the client.

Note: When using SSL with end-users we recommend considering a signed certificate with your server. More details about this somewhat complex procedure can be found here.

Admin Pages:

The admin pages are accessed via URLs like http://server:9191/admin or https://server:9192/admin for a secure connection. This URL is not published anywhere and you should ensure that:

  • You only bookmark and use the secure link when accessing from a remote system.
  • Only tell other admin/staff the 9192 HTTPS address and bookmark it for them in their browsers. A handy way to publish the URL is to put a convenient link on an intranet page available to all staff.


It is not possible to turn off the plain HTTP port entirely because:

  • It is used internally by the client for non-sensitive data such as event notification, as plain HTTP connections have less overhead than SSL, reducing load on the server.
  • In the case SSL fails (such as if the certificate becomes invalid), the plain connection will still be available for login.

Categories: User Web Interface

Keywords: turn on SSL, block HTTP, deny HTTP, secure socket layer, cleartext, plaintext

Page last modified on April 27, 2012, at 01:22 PM

Comments

Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.