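linux - Cups - Possible DDoS and broken pipe (errno=32)
Problem description
I am running a Cups server over IPPS with a valid Letsencrypt certificate. For the past few months it has worked for clients with different operating systems (Win7-10, Mac, Linux).
They all use the same generic PostScript driver.
However, over the past few days I have had one client opening a lot of connections (sample log below), which triggers my MaxClientsPerHost 80 limit. About 2-5 connections per second are opened from a single IP/client.
As a result, when the client tries to print something, it does happen, but with a high delay.
We tried reinstalling the client machine/driver, and removing and re-adding the printer, but to no avail.
Extensive Google research did not turn up why this is happening.
So, in the hope of finding someone with a similar problem or deep Cups knowledge, I have posted my configuration below.
Edit: printer configuration/information
- The printer is running on Debian 10.
- It uses cups-pdf as the printer, wrapped with tea4cups - it outputs a simple .ps file
- It requires authentication, which is configured correctly and works on the client
- It does not matter whether there are already jobs in the queue
- All clients use the same driver
Any hints are very welcome.
Relevant error line (from the log below):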
cupsdReadClient: error=32, used=0, state=HTTP_STATE_WAITING, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=0, request=(nil)(), file=-1
Sample log
D [19/Feb/2020:12:43:18 +0100] [Client 29] Server address is "YYY.YYY.YYY.YYY".
D [19/Feb/2020:12:43:18 +0100] [Client 29] Accepted from XXX.XXX.XXX.XXX:63298 (IPv4)
D [19/Feb/2020:12:43:18 +0100] [Client 29] Waiting for request.
d [19/Feb/2020:12:43:18 +0100] [Client 29] cupsdReadClient: error=0, used=0, state=HTTP_STATE_WAITING, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=0, request=(nil)(), file=-1
d [19/Feb/2020:12:43:18 +0100] [Client 29] Saw first byte 16, auto-negotiating SSL/TLS session.
D [19/Feb/2020:12:43:18 +0100] [Client 29] Connection now encrypted.
d [19/Feb/2020:12:43:18 +0100] [Client 29] cupsdReadClient: error=0, used=0, state=HTTP_STATE_WAITING, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=0, request=(nil)(), file=-1
D [19/Feb/2020:12:43:18 +0100] [Client 29] POST /printers/PDF HTTP/1.1
D [19/Feb/2020:12:43:18 +0100] [Client 29] Read: status=200, state=6
d [19/Feb/2020:12:43:18 +0100] [Client 29] con->uri="/printers/PDF", con->best=0x55dfb097b7b0(/printers)
D [19/Feb/2020:12:43:18 +0100] [Client 29] No authentication data provided.
D [19/Feb/2020:12:43:18 +0100] [Client 29] 1.0 Get-Printer-Attributes 11
D [19/Feb/2020:12:43:18 +0100] [Client 29] Returning IPP successful-ok for Get-Printer-Attributes (https://example.com:632/printers/PDF) from XXX.XXX.XXX.XXX.
D [19/Feb/2020:12:43:18 +0100] [Client 29] Content-Length: 9508
D [19/Feb/2020:12:43:18 +0100] [Client 29] cupsdSendHeader: code=200, type="application/ipp", auth_type=0
D [19/Feb/2020:12:43:18 +0100] [Client 29] con->http=0x55dfb0b445a0
D [19/Feb/2020:12:43:18 +0100] [Client 29] cupsdWriteClient error=0, used=0, state=HTTP_STATE_POST_SEND, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=9508, response=0x55dfb0b549c0(IPP_STATE_DATA), pipe_pid=0, file=-1
D [19/Feb/2020:12:43:18 +0100] [Client 29] Writing IPP response, ipp_state=IPP_STATE_DATA, old wused=0, new wused=0
D [19/Feb/2020:12:43:18 +0100] [Client 29] bytes=0, http_state=0, data_remaining=9508
D [19/Feb/2020:12:43:18 +0100] [Client 29] Flushing write buffer.
D [19/Feb/2020:12:43:18 +0100] [Client 29] New state is HTTP_STATE_WAITING
D [19/Feb/2020:12:43:18 +0100] [Client 29] Waiting for request.
d [19/Feb/2020:12:43:18 +0100] [Client 29] cupsdReadClient: error=0, used=0, state=HTTP_STATE_WAITING, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=0, request=(nil)(), file=-1
D [19/Feb/2020:12:43:18 +0100] [Client 29] POST /printers/PDF HTTP/1.1
D [19/Feb/2020:12:43:18 +0100] [Client 29] Read: status=200, state=6
d [19/Feb/2020:12:43:18 +0100] [Client 29] con->uri="/printers/PDF", con->best=0x55dfb097b7b0(/printers)
D [19/Feb/2020:12:43:18 +0100] [Client 29] No authentication data provided.
D [19/Feb/2020:12:43:18 +0100] [Client 29] 1.0 Get-Printer-Attributes 11
D [19/Feb/2020:12:43:18 +0100] [Client 29] Returning IPP successful-ok for Get-Printer-Attributes (https://example.com:632/printers/PDF) from XXX.XXX.XXX.XXX.
D [19/Feb/2020:12:43:18 +0100] [Client 29] Content-Length: 9508
D [19/Feb/2020:12:43:18 +0100] [Client 29] cupsdSendHeader: code=200, type="application/ipp", auth_type=0
D [19/Feb/2020:12:43:18 +0100] [Client 29] con->http=0x55dfb0b445a0
D [19/Feb/2020:12:43:18 +0100] [Client 29] cupsdWriteClient error=0, used=0, state=HTTP_STATE_POST_SEND, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=9508, response=0x55dfb0b3bbb0(IPP_STATE_DATA), pipe_pid=0, file=-1
D [19/Feb/2020:12:43:18 +0100] [Client 29] Writing IPP response, ipp_state=IPP_STATE_DATA, old wused=0, new wused=0
D [19/Feb/2020:12:43:18 +0100] [Client 29] bytes=0, http_state=0, data_remaining=9508
D [19/Feb/2020:12:43:18 +0100] [Client 29] Flushing write buffer.
D [19/Feb/2020:12:43:18 +0100] [Client 29] New state is HTTP_STATE_WAITING
D [19/Feb/2020:12:43:18 +0100] [Client 29] Waiting for request.
d [19/Feb/2020:12:44:27 +0100] [Client 29] cupsdReadClient: error=0, used=0, state=HTTP_STATE_WAITING, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=0, request=(nil)(), file=-1
D [19/Feb/2020:12:44:27 +0100] [Client 29] HTTP_STATE_WAITING Closing for error 32 (Broken pipe)
D [19/Feb/2020:12:44:27 +0100] [Client 29] Closing connection.
D [19/Feb/2020:12:44:27 +0100] [Client 29] Waiting for socket close.
d [19/Feb/2020:12:44:27 +0100] [Client 29] cupsdReadClient: error=32, used=0, state=HTTP_STATE_WAITING, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=0, request=(nil)(), file=-1
D [19/Feb/2020:12:44:27 +0100] [Client 29] Closing on EOF.
D [19/Feb/2020:12:44:27 +0100] [Client 29] Closing connection.
lpstat -v
scheduler is running
no system default destination
device for PDF: tea4cups://
PDF accepting requests since Mi 20 Nov 2019 15:45:13 CET
printer PDF is idle. enabled since Mi 20 Nov 2019 15:45:13 CET
cupsd.conf
LogLevel warn
PageLogFormat
MaxLogSize 0
# Allow remote access
Port 632
MaxClients 400
MaxClientsPerHost 80
# Share local printers on the local network.
Browsing On
BrowseLocalProtocols dnssd
BrowseWebIF No
DefaultAuthType Basic
DefaultEncryption Required
WebInterface No
HostNameLookups On
ServerName example.com
<Location />
AuthType None
Encryption Required
# Allow shared printing...
Order allow,deny
Allow all
</Location>
<Location /printers>
AuthType None
Encryption Required
Order allow,deny
Allow all
</Location>
<Location /admin>
AuthType Basic
Require user @OWNER @SYSTEM @print_admins
Order allow,deny
Allow all
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM @print_admins marc
Order allow,deny
Allow all
</Location>
<Location /admin/log>
AuthType Default
Require user @SYSTEM @print_admins marc
Order allow,deny
</Location>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Get-Notifications Send-Document Release-Job Validate-Job>
AuthType Basic
Require user @OWNER @SYSTEM @print_admins @print_users
Order deny,allow
Allow all
Allow localhost
</Limit>
<Limit Send-URI Hold-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Basic
Require user @OWNER @SYSTEM @print_admins @print_users
Order deny,allow
Allow all
Allow localhost
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM @print_admins
Order deny,allow
Allow all
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM @print_admins
Order deny,allow
Allow all
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM @print_admins @print_users
Order deny,allow
Allow all
</Limit>
<Limit All>
AuthType None
Order deny,allow
Allow all
</Limit>
</Policy>
printers.conf
# Printer configuration file for CUPS v2.2.10
# Written by cupsd
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<Printer PDF>
UUID urn:uuid:bb8eef67-3503-1234-1234-1234546464
Info PDF
MakeModel Generic CUPS-PDF Printer (w/ options)
#DeviceURI cups-pdf:/
DeviceURI tea4cups://
State Idle
StateTime 1574261113
ConfigTime 1551802733
Type 12644428
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
AllowUser @print_admins
AllowUser @print_users
OpPolicy authenticated
ErrorPolicy abort-job
</Printer>
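As an added example (not part of the original post): a small Python script that reads cupsd debug log lines in the format shown above, maps each [Client N] entry to its source address, and reports the peak number of connections accepted per second per host together with how many of that host's connections were closed with error 32. The sample lines, the documentation-range addresses and the max_per_second threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the error_log debug format shown in the post
# (addresses are documentation-range placeholders, not from the page).
SAMPLE = """\
D [19/Feb/2020:12:43:18 +0100] [Client 29] Accepted from 192.0.2.10:63298 (IPv4)
D [19/Feb/2020:12:43:18 +0100] [Client 30] Accepted from 192.0.2.10:63299 (IPv4)
D [19/Feb/2020:12:43:18 +0100] [Client 31] Accepted from 192.0.2.10:63300 (IPv4)
D [19/Feb/2020:12:43:19 +0100] [Client 32] Accepted from 198.51.100.7:50112 (IPv4)
D [19/Feb/2020:12:44:27 +0100] [Client 29] HTTP_STATE_WAITING Closing for error 32 (Broken pipe)
D [19/Feb/2020:12:44:27 +0100] [Client 30] HTTP_STATE_WAITING Closing for error 32 (Broken pipe)
D [19/Feb/2020:12:44:28 +0100] [Client 32] Closing connection.
"""

LINE = re.compile(r"^[A-Za-z] \[([^\]]+)\] \[Client (\d+)\] (.*)$")
ACCEPT = re.compile(r"^Accepted from (\S+):(\d+) \(IPv[46]\)")
EPIPE = "Closing for error 32 (Broken pipe)"

def analyse(text, max_per_second=2):
    """Return (hosts whose peak accept rate exceeds max_per_second,
    number of errno 32 closes per host)."""
    client_ip = {}                       # client number -> source address
    per_second = defaultdict(Counter)    # ip -> {second: accepted connections}
    epipe = Counter()                    # ip -> connections closed with errno 32
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                     # not a per-client log line
        stamp, client, msg = m.groups()
        second = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        a = ACCEPT.match(msg)
        if a:
            # cupsd reuses client numbers; the latest accept wins
            client_ip[client] = a.group(1)
            per_second[a.group(1)][second] += 1
        elif EPIPE in msg and client in client_ip:
            epipe[client_ip[client]] += 1
    peaks = {ip: max(c.values()) for ip, c in per_second.items()}
    noisy = {ip: n for ip, n in peaks.items() if n > max_per_second}
    return noisy, dict(epipe)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The "Accepted from" lines only appear at a debug log level, so the log has to be captured at the level used for the sample above rather than the LogLevel warn shown in cupsd.conf.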