237899745/S905L3A
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden intranet CUPS setup

Browse Source
This commit is contained in:
yuyx
2026-06-09 14:47:36 +08:00
parent 0878c71b5a
commit 2a688d2514
7 changed files with 158 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
setup_cups.sh
View File

@@ -17,12 +17,32 @@ YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# 运行时可用环境变量覆盖,默认面向内网部署。
REPO_ARCHIVE_URL="${REPO_ARCHIVE_URL:-https://git.workyai.cn/237899745/S905L3A/archive/master.zip}"
REPO_ARCHIVE_FALLBACK_URL="${REPO_ARCHIVE_FALLBACK_URL:-https://gitee.com/yu-yon/S905L3A/repository/archive/master.zip}"
CUPS_ALLOWED_NET="${CUPS_ALLOWED_NET:-@LOCAL}"
DRIVER_MANAGER_HOST="${DRIVER_MANAGER_HOST:-0.0.0.0}"
DRIVER_MANAGER_PRIVATE_ONLY="${DRIVER_MANAGER_PRIVATE_ONLY:-1}"
# 打印带颜色的信息
info() { echo -e "${BLUE}[信息]${NC} $1"; }
success() { echo -e "${GREEN}[成功]${NC} $1"; }
warn() { echo -e "${YELLOW}[警告]${NC} $1"; }
error() { echo -e "${RED}[错误]${NC} $1"; exit 1; }
download_repo_archive() {
local output_file=$1
if wget -q --show-progress -O "$output_file" "$REPO_ARCHIVE_URL" 2>/dev/null || \
curl -fsSL -o "$output_file" "$REPO_ARCHIVE_URL" 2>/dev/null; then
return 0
fi
warn "主仓库下载失败,尝试镜像源..."
wget -q --show-progress -O "$output_file" "$REPO_ARCHIVE_FALLBACK_URL" 2>/dev/null || \
curl -fsSL -o "$output_file" "$REPO_ARCHIVE_FALLBACK_URL" 2>/dev/null
}
# 检查是否为root用户
check_root() {
if [ "$(id -u)" != "0" ]; then
@@ -355,8 +375,10 @@ configure_static_ip_netplan() {
done
dns_list=$(echo "$dns_list" | sed 's/^, //')
local target_file="/etc/netplan/99-cups-static-ip.yaml"
# 创建新的netplan配置
cat > /etc/netplan/01-static-ip.yaml << EOF
cat > "$target_file" << EOF
# 静态 IP 配置 - 由 CUPS 一键脚本生成
network:
version: 2
@@ -374,13 +396,13 @@ network:
EOF
# 设置正确的权限(避免 "Permissions too open" 警告)
chmod 600 /etc/netplan/01-static-ip.yaml
chmod 600 "$target_file"
# 删除其他可能冲突的配置
for f in /etc/netplan/*.yaml; do
if [ "$f" != "/etc/netplan/01-static-ip.yaml" ] && [ -f "$f" ]; then
# 只清理脚本旧版本生成的 netplan 文件,避免误删用户自己的网络配置
for f in /etc/netplan/01-static-ip.yaml /etc/netplan/01-dhcp.yaml /etc/netplan/99-cups-static-ip.yaml /etc/netplan/99-cups-dhcp.yaml; do
if [ "$f" != "$target_file" ] && [ -f "$f" ]; then
rm -f "$f"
info "移除冲突配置: $f"
info "移除脚本旧配置: $f"
fi
done
@@ -466,7 +488,7 @@ configure_dhcp() {
echo -e "${YELLOW}警告: 切换为 DHCP 后IP 地址可能会改变!${NC}"
echo " 请确保你能通过其他方式(如显示器/串口)访问设备"
echo ""
read -p "确定要切<EFBFBD><EFBFBD>为 DHCP 吗? [y/N]: " confirm < /dev/tty
read -p "确定要切为 DHCP 吗? [y/N]: " confirm < /dev/tty
confirm=${confirm:-N}
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
@@ -528,8 +550,10 @@ configure_dhcp_netplan() {
fi
done
local target_file="/etc/netplan/99-cups-dhcp.yaml"
# 创建新的 netplan DHCP 配置
cat > /etc/netplan/01-dhcp.yaml << EOF
cat > "$target_file" << EOF
# DHCP 配置 - 由 CUPS 一键脚本生成
network:
version: 2
@@ -540,13 +564,13 @@ network:
EOF
# 设置正确的权限
chmod 600 /etc/netplan/01-dhcp.yaml
chmod 600 "$target_file"
# 删除其他可能冲突的配置
for f in /etc/netplan/*.yaml; do
if [ "$f" != "/etc/netplan/01-dhcp.yaml" ] && [ -f "$f" ]; then
# 只清理脚本旧版本生成的 netplan 文件,避免误删用户自己的网络配置
for f in /etc/netplan/01-static-ip.yaml /etc/netplan/01-dhcp.yaml /etc/netplan/99-cups-static-ip.yaml /etc/netplan/99-cups-dhcp.yaml; do
if [ "$f" != "$target_file" ] && [ -f "$f" ]; then
rm -f "$f"
info "移除冲突配置: $f"
info "移除脚本旧配置: $f"
fi
done
@@ -922,15 +946,13 @@ install_chinese_templates() {
cp -f "$SCRIPT_DIR/cups-templates-zh_CN/"*.tmpl "$templates_dir/"
success "中文界面模板安装完成(本地)"
else
# 从 Gitee 下载模板(使用 zip 包方式,更可靠)
info "从 Gitee 下载中文模板..."
# 从当前仓库下载模板(使用 zip 包方式,更可靠)
info "从仓库下载中文模板..."
local tmp_dir=$(mktemp -d)
local zip_url="https://gitee.com/yu-yon/S905L3A/repository/archive/master.zip"
# 下载仓库 zip 包
if wget -q --show-progress -O "$tmp_dir/repo.zip" "$zip_url" 2>/dev/null || \
curl -sL -o "$tmp_dir/repo.zip" "$zip_url" 2>/dev/null; then
if download_repo_archive "$tmp_dir/repo.zip"; then
# 解压
cd "$tmp_dir"
@@ -1012,13 +1034,11 @@ install_driver_manager() {
cp -f "$SCRIPT_DIR/cups-driver-manager/cups-driver-manager.service" /etc/systemd/system/ 2>/dev/null || true
info "从本地复制驱动管理器文件"
else
# 从 Gitee 下载
info "从 Gitee 下载驱动管理器..."
# 从当前仓库下载
info "从仓库下载驱动管理器..."
local tmp_dir=$(mktemp -d)
local zip_url="https://gitee.com/yu-yon/S905L3A/repository/archive/master.zip"
if wget -q --show-progress -O "$tmp_dir/repo.zip" "$zip_url" 2>/dev/null || \
curl -sL -o "$tmp_dir/repo.zip" "$zip_url" 2>/dev/null; then
if download_repo_archive "$tmp_dir/repo.zip"; then
cd "$tmp_dir"
unzip -q repo.zip 2>/dev/null
@@ -1043,7 +1063,13 @@ install_driver_manager() {
# 更新 systemd 服务文件中的密码
if [ -f /etc/systemd/system/cups-driver-manager.service ]; then
sed -i "s/DRIVER_MANAGER_PASSWORD=admin/DRIVER_MANAGER_PASSWORD=$admin_pass/" /etc/systemd/system/cups-driver-manager.service
sed -i "s/DRIVER_MANAGER_PASSWORD=.*/DRIVER_MANAGER_PASSWORD=$admin_pass/" /etc/systemd/system/cups-driver-manager.service
sed -i "s#^ExecStart=.*#ExecStart=/usr/bin/python3 $install_dir/driver_manager.py --host $DRIVER_MANAGER_HOST --port 632#" /etc/systemd/system/cups-driver-manager.service
if grep -q "DRIVER_MANAGER_ALLOW_PRIVATE_ONLY" /etc/systemd/system/cups-driver-manager.service; then
sed -i "s/DRIVER_MANAGER_ALLOW_PRIVATE_ONLY=.*/DRIVER_MANAGER_ALLOW_PRIVATE_ONLY=$DRIVER_MANAGER_PRIVATE_ONLY/" /etc/systemd/system/cups-driver-manager.service
else
sed -i "/DRIVER_MANAGER_PASSWORD=/a Environment=DRIVER_MANAGER_ALLOW_PRIVATE_ONLY=$DRIVER_MANAGER_PRIVATE_ONLY" /etc/systemd/system/cups-driver-manager.service
fi
else
# 手动创建服务文件
cat > /etc/systemd/system/cups-driver-manager.service << EOF
@@ -1056,10 +1082,11 @@ Wants=cups.service
Type=simple
User=root
WorkingDirectory=$install_dir
ExecStart=/usr/bin/python3 $install_dir/driver_manager.py --port 632
ExecStart=/usr/bin/python3 $install_dir/driver_manager.py --host $DRIVER_MANAGER_HOST --port 632
Restart=on-failure
RestartSec=5
Environment=DRIVER_MANAGER_PASSWORD=$admin_pass
Environment=DRIVER_MANAGER_ALLOW_PRIVATE_ONLY=$DRIVER_MANAGER_PRIVATE_ONLY
[Install]
WantedBy=multi-user.target
@@ -1147,6 +1174,8 @@ install_pdf_printer() {
# 配置CUPS
configure_cups() {
info "配置 CUPS 允许远程访问..."
local cups_allow="${CUPS_ALLOWED_NET:-@LOCAL}"
info "CUPS 访问范围: ${cups_allow}"
# 备份原配置
cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.bak
@@ -1165,9 +1194,11 @@ configure_cups() {
sed -i '/^Listen.*631/a ServerAlias *' /etc/cups/cupsd.conf
fi
# 禁用强制加密(允许 HTTP 访问)
# 内网场景允许 HTTP同时不拒绝客户端主动发起的 HTTPS。
if ! grep -q "^DefaultEncryption" /etc/cups/cupsd.conf; then
sed -i '/^ServerAlias/a DefaultEncryption Never' /etc/cups/cupsd.conf
sed -i '/^ServerAlias/a DefaultEncryption IfRequested' /etc/cups/cupsd.conf
else
sed -i 's/^DefaultEncryption.*/DefaultEncryption IfRequested/' /etc/cups/cupsd.conf
fi
# 启用网络浏览
@@ -1184,43 +1215,46 @@ configure_cups() {
# 修改 Policy default 允许匿名打印
# 找到 <Limit Create-Job Print-Job Print-URI Validate-Job> 块并修改
sed -i '/<Limit Create-Job Print-Job Print-URI Validate-Job>/,/<\/Limit>/{
sed -i "/<Limit Create-Job Print-Job Print-URI Validate-Job>/,/<\/Limit>/{
s/Order deny,allow/Order allow,deny/
/Require user/d
/Order/a\ Allow all
}' /etc/cups/cupsd.conf
/Allow /d
/Order/a\\ Allow ${cups_allow}
}" /etc/cups/cupsd.conf
# 配置访问权限 - 允许所有网络访问
# 配置访问权限 - 默认仅允许本机和本地网络访问
# 先删除现有的 Location 块,然后重新添加
cat > /tmp/cups_locations.conf << 'EOF'
cat > /tmp/cups_locations.conf << EOF
# 允许所有网络访问(内网环境使用)
# 允许本机和本地网络访问(内网环境使用)
<Location />
Order allow,deny
Allow all
Allow ${cups_allow}
</Location>
<Location /admin>
AuthType Default
Require user @SYSTEM
Order allow,deny
Allow all
Allow ${cups_allow}
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
Allow all
Allow ${cups_allow}
</Location>
# 允许远程打印
<Location /printers>
Order allow,deny
Allow all
Allow ${cups_allow}
</Location>
<Location /printers/*>
Order allow,deny
Allow all
Allow ${cups_allow}
</Location>
EOF
@@ -1267,7 +1301,7 @@ main() {
# 询问是否安装驱动管理器
echo -e "${YELLOW}是否安装驱动管理器Web界面安装打印机驱动${NC}"
echo " 推荐:选择 Y可通过网页上传安装 .deb/.ppd/.tar.gz 等驱动"
echo " 端口: 632"
echo " 端口: 632(默认仅允许内网来源访问)"
echo ""
read -p "安装驱动管理器? [Y/n]: " install_dm < /dev/tty
install_dm=${install_dm:-Y}
@@ -1419,7 +1453,7 @@ main() {
echo -e " ${GREEN}${NC} 地址: http://${LOCAL_IP}:632 ${GREEN}${NC}"
echo -e " ${GREEN}${NC} ${RED}用户名: admin${NC} ${GREEN}${NC}"
echo -e " ${GREEN}${NC} ${RED}密码: ${dm_pass}${NC} ${GREEN}${NC}"
echo -e " ${GREEN}${NC} ${YELLOW}(注意不是SSH密码!)${NC} ${GREEN}${NC}"
echo -e " ${GREEN}${NC} ${YELLOW}(注意不是SSH密码,仅允许内网访问)${NC} ${GREEN}${NC}"
echo -e " ${GREEN}└─────────────────────────────────────────────────────┘${NC}"
echo ""
fi
@@ -1646,7 +1680,7 @@ share_all_printers() {
echo ""
echo -e "${YELLOW}═══════════════════════════════════════════════════════════${NC}"
echo -e "${YELLOW} 一键共享所有打印机 ${NC}"
echo -e "${YELLOW}══<EFBFBD><EFBFBD><EFBFBD>════════════════════════════════════════════════════════${NC}"
echo -e "${YELLOW}══════════════════════════════════════════════════════════${NC}"
echo ""
# 检查CUPS是否运行