Choose your language

Choose your login

Contact us

Forcing use of HTTPS/SSL only

THE PAGE APPLIES TO:

By default, PaperCut offers both plain HTTP and encrypted HTTPS based browser access. HTTP is on port 9191 and HTTPS/SSL on port 9192. This article instructs you how to restrict end-user and admin access to the system via SSL/HTTPS only.

These are some things you should know before beginning:

  • Before following the steps here, make sure you have installed and fully tested putting a signed certificate on your PaperCut server as described in the article: Installing an SSL Certificate the Easy Way.
  • Test accessing the web interface of the PaperCut server by browsing to https://:9192 to ensure there are no certificate errors before proceeding.
  • This configuration change will replicate to Site Servers. If you have PaperCut Site Servers in your environment, be sure to also install signed certificates on those servers as well.
  • For more instructions on how to secure your PaperCut server, see Secure your PaperCut NG/MF server.

Forcing HTTPS/SSL

  1. Login as an admin level user.
  2. Navigate to Options -> Advanced -> Security (Prior to 13.1 this option is located in Options -> Client Software).
  3. Select Redirect to HTTPS/SSL if available.
  4. Press Apply to save.
  5. Restart the PaperCut Application Server to finalise the change.

If the Redirect to HTTPS/SSL if available option is selected, any users that hit the plain HTTP pages will automatically be redirected to the HTTPS secure connection. Logins via the non-SSL connection will be denied.

Note: Prior to 13.1 Administrator logins were not automatically redirected. An administrator could choose if their login used SSL or plain text connections.

Enabling HSTS (HTTP Strict Transport Security):

As of version 17.1 of PaperCut NG and PaperCut MF, the Redirect to HTTPS/SSL if available option can be reinforced by configuring the use of HSTS. To turn on HSTS:

  1. Make sure that HTTPS access has been before proceeding.
  2. Login as an admin level user.
  3. Navigate to Options -> Advanced -> Security (Prior to 13.1 this option is located in Options -> Client Software).
  4. Ensure that Redirect to HTTPS/SSL if available is enabled.
  5. Turn on Use HTTP Strict Transport Security.
  6. Press Apply to save.
  7. Restart the PaperCut Application Server to finalise the change.

For supported web browsers, HSTS allows the PaperCut Application Server to dictate to the browser itself that communication must be performed over secure HTTPS. Port 443 must be used in conjunction with HSTS, as the client-side implementation of the HSTS mechanism assumes a standardised port assignment for SSL communication.

Students/End-User Pages:

End-users access the system via the URL: http://server:9191/user or via the Details… link on the client. When the Redirect to HTTPS/SSL if available option is selected access to end-user web pages will redirect to the SSL login page.

If you are using the PaperCut user client you should configure the client using the “config.properties” file to connect to the server’s fully qualified address (i.e. the name the SSL certificate is issued with). This will avoid the certificate warning when the user clicks on the “Details…” link in the client.

Note: When using SSL with end-users we recommend considering a signed certificate with your server. More details about this somewhat complex procedure can be found here.

Admin Pages:

The admin pages are accessed via URLs like http://server:9191/admin or https://server:9192/admin for a secure connection. This URL is not published anywhere and you should ensure that:

  • You only bookmark and use the secure link when accessing from a remote system.

  • Only tell other admin/staff the 9192 HTTPS address and bookmark it for them in their browsers. A handy way to publish the URL is to put a convenient link on an intranet page available to all staff.

In the case SSL fails (like if the certificate becomes invalid), administrators will still able to login. However, their request must originate from the PaperCut server’s localhost address (127.0.0.1 or 0:0:0:0:0:0:0:1). This is usually done by logging into the PaperCut server (either physically or via a remote desktop connection) and using a browser installed locally.

It is not possible to turn off the plain HTTP port entirely because:

  • It is used internally by the User Client for non-sensitive data such as event notifications, as plain HTTP connections have less overhead than SSL, reducing load on the server.

  • It needs to be available for emergency administrator logins directly from the server itself, if SSL communication becomes impossible (e.g. due to certificate expiry).


Categories: How-to Articles , Security and Privacy , User Interface


Keywords: turn on SSL , block HTTP , deny HTTP , secure socket layer , cleartext , plaintext

Comments

Last updated February 19, 2024