Enforce HTTPS communication

By default, PaperCut NG & MF allows connections over both HTTP (port 9191) and HTTPS (port 9192). To make sure users are accessing the server securely, here’s you can enable these two options:

Redirect to HTTPS/SSL—Redirects HTTP requests to HTTPS whenever possible. Connections to plain HTTP port 9191 will be redirected to secure HTTPS port 9192, or port 443 you’ve followed the instructions to Enable ports 80 (HTTP) and 443 (HTTPS) . While this adds security, there’s still a small window for man-in-the-middle attacks when users first connect over HTTP.
Use HTTP Strict Transport Security (HSTS)— HSTS adds an added layer of security by instructing web browsers to require a trusted certificate and to always use HTTPS (on port 443) for a set time after their first secure login. This reduces the risk of man-in-the-middle attacks since the redirect only happens once, not every time they access PaperCut.

Redirect to HTTPS/SSL

Log in to the admin interface of your PaperCut NG/MF server.
Navigate to Options > Advanced.
In the Security section, click Redirect to HTTPS/SSL if available.
Additionally, if you want to enable HSTS click the Use HTTP Strict Transport Security check box.

Caution

This option tells browsers to only connect over HTTPS port 443 and requires a trusted certificate to be installed on the PaperCut server. You must Enable port 443 (HTTPS) in order to activate this setting, and you should test your certificate before proceeding.
Press Apply to save.
Restart the PaperCut Application Server to finalize the change, see: Stop and start the Application Server .

Can’t connect to the Application Server after enabling HSTS?

If you can’t connect after enabling HSTS, it’s likely due to one of these issues:

PaperCut NG/MF has not been configured with a valid certificate
The Application Server is is not listening on port 443, either because it hasn’t been enabled, the port is blocked, or another application on the server is using it.

To fix this, roll back your changes:

Log in to the server running the PaperCut NG/MF Application Server.
Connect to the web interface using http://localhost:9191. (Non-secure connections are allowed from localhost.)
Clear the Redirect to HTTPS/SSL and Use HTTP Strict Transport Security (HSTS) checkboxes.
Restart the Application Server.
Test to make sure that the PaperCut server is accessible on port 443 and does not display any certificate errors before trying again.

Can you completely disable HTTP port 9191?

It’s not possible to turn off the HTTP port entirely because:

It’s used internally by the User Client for non-sensitive data, like event notifications. HTTP connections have less overhead than SSL, reducing the load on the server.
It needs to remain available for emergency administrator logins directly from the server if SSL communication becomes impossible (e.g., due to certificate expiry).

Considerations with other PaperCut Components

PaperCut User Client: The PaperCut User Client is used to display balances, pop up messages to users, and allow for account selection and client billing. The instructions in this article affect how the PaperCut user client connects, so users might see the error ‘Unable to successfully retrieve valid data from secure connection to server ’ if a signed certificate is not installed so be sure to test this change. Additionally, you may want to follow the instructions on Customize the User Client so that the URL for the server matches the Common name on the certificate or users may see a certificate error when clicking this link.
Direct Print Monitor: The Direct Print Monitor is used for tracking print jobs on user’s workstations. The version included in PaperCut NG/MF 23.0 and later supports both HTTPS (9192, 9195 preferred) and HTTP (9191) connections. Refer to Configure how the Print Provider communicate over HTTPS .
Site Servers: This configuration change will replicate to Site Servers. If you have PaperCut Site Servers in your environment, be sure to also install signed certificates on those servers as well.