MyQ X Server

Advanced Security

MyQ security is structured in distinct layers, with enforcement handled by separate system components. This separation protects business-critical data and services, and administrators must understand it to configure advanced settings safely and responsibly.

This section covers the advanced security configuration options. For general advanced configuration options, see Advanced Configuration.

Editing configuration files directly can affect system stability and security. These settings are intended for experienced administrators. Incorrect changes may result in service disruption or data loss. If you are unsure, contact MyQ Support before proceeding.


Path Conventions

  • {install} – Application installation directory.
    Defaults are C:\Program Files\MyQ\ and C:\Program Files\MyQ Central Server\

  • {data} – Application data directory.
    Defaults are C:\ProgramData\MyQ\ and C:\ProgramData\MyQ Central Server\

Both locations may be customized during installation.


Security Architecture Overview

Security Layer: Web TLS (HTTPS encryption)

  • Print Server
    Component: HTTP Router (Traefik)
    Config: {data}\config.ini and {data}\traefik.custom.rules.yaml

  • Central Server
    Component: HTTP Server (Apache)
    Config: {install}\Apache\conf\httpd.conf (SSLProtocol, SSLCipherSuite)

Security Layer: HTTP Security Headers

  • Print Server
    Component: Apache (behind Traefik)
    Config: {install}\Apache\conf\httpd.conf (also edit httpd.template.conf)

  • Central Server
    Component: Apache
    Config: {install}\Apache\conf\httpd.conf (also edit httpd.template.conf)

Security Layer: Non-Web Secure Communication (SMTP, IPP, LPR, WebSockets)

  • Print Server
    Component: MyQ internal components
    Config: {data}\config.ini ([Security] sslProtocol=)

  • Central Server
    Component: MyQ internal components
    Config: {data}\config.ini ([Security] sslProtocol=)

On Print Server, TLS termination is handled by Traefik. On Central Server, TLS termination is handled by Apache.


Web TLS Configuration (HTTP Router – Traefik)

The HTTP Router (Traefik) is responsible for terminating HTTPS connections and managing TLS protocol versions and cipher suites.

Configure the Minimum TLS Version

To define the minimum allowed TLS version, set the SSL protocol in config.ini.

Open config.ini in a text editor and add or modify:

[Security]
sslProtocol=TLS1.3

Supported values:

  • TLS1

  • TLS1.1

  • TLS1.2 (default from Print Server 10.2)

  • TLS1.3

This setting applies to:

  • HTTP Router (web HTTPS)

  • SMTP

  • IPP

  • LPR

  • Messages (WebSockets)

Restart all services after modification.


Configure Cipher Suites

Use Secure Presets (Recommended)

Open config.ini in a text editor and add or modify:

[Security]
sslCipherSuites=strict

Available modes:

  • compatible (default)
    Allows selected weaker ciphers for legacy device compatibility.

  • strict
    Disables weak ciphers.

The following ciphers are allowed in compatible mode only:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Strict mode is recommended, but compatible mode remains the default due to legacy device requirements.

Allow Selected Cipher Suites

To allow only selected cipher suites, edit traefik.custom.rules.yaml. Then save the file and restart all services for the change to take effect.

Example:

tls:
  options:
    default:
      cipherSuites:
        - TLS_RSA_WITH_AES_256_GCM_SHA384
        - TLS_RSA_WITH_3DES_EDE_CBC_SHA

Important!

Do NOT edit these files:

  • {install}\Server\traefik.rules.yaml

  • {install}\Server\traefik.yaml

These are default installation files and will be overwritten during upgrades.

If sslProtocol=TLS1.3 is enforced, cipher selection is not configurable, and Traefik secure defaults are used.

Ensure connected devices support the selected cipher suites.
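
An added example, not part of the MyQ documentation or MyQ code: a Python check that reads the [Security] values described above and reports settings weaker than this page recommends. The function name audit_tls, the sample inputs, and the line-based match of cipher names in traefik.custom.rules.yaml are assumptions; the fallback values are the defaults stated on this page.

```python
import configparser
import re
# Cipher suites the page lists as allowed in compatible mode only.
COMPATIBLE_ONLY = {
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
PROTOCOLS = ["TLS1", "TLS1.1", "TLS1.2", "TLS1.3"]  # supported values, oldest first

def audit_tls(config_ini_text, custom_rules_text=""):
    """Return findings for the [Security] TLS settings (hypothetical helper)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(config_ini_text)
    # Fallbacks are the defaults stated on the page.
    proto = cp.get("Security", "sslProtocol", fallback="TLS1.2").strip()
    preset = cp.get("Security", "sslCipherSuites", fallback="compatible").strip()
    # Line match for "- TLS_..." list items; an assumption, not a YAML parser.
    custom = re.findall(r"^\s*-\s*(TLS_[A-Z0-9_]+)\s*$", custom_rules_text, re.M)
    findings = []
    if proto not in PROTOCOLS:
        return [f"sslProtocol={proto} is not a supported value"]
    if PROTOCOLS.index(proto) < PROTOCOLS.index("TLS1.2"):
        findings.append(f"sslProtocol={proto} permits versions older than TLS1.2")
    if proto == "TLS1.3":
        if custom:
            findings.append("custom cipherSuites are unused with sslProtocol=TLS1.3")
        return findings
    if preset == "compatible":
        findings.append("sslCipherSuites=compatible keeps weaker legacy ciphers")
    elif preset != "strict":
        findings.append(f"sslCipherSuites={preset} is not a documented mode")
    findings += [f"custom rules allow compatible-only cipher {s}"
                 for s in custom if s in COMPATIBLE_ONLY]
    return findings

# Constructed sample inputs, not taken from a real installation.
SAMPLE_INI = "[Security]\nsslProtocol=TLS1.2\nsslCipherSuites=strict\n"
SAMPLE_RULES = """tls:
  options:
    default:
      cipherSuites:
        - TLS_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_INI, SAMPLE_RULES):
        print("FINDING:", finding)
```

How the strict preset and a custom cipherSuites list combine is not described on this page, so the check reports each setting independently.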


HTTP Security Headers (Apache)

On Print Server, Apache runs behind the HTTP Router and does not terminate TLS. Apache listens only on localhost and does not manage TLS protocol versions or cipher suites.

Apache is responsible for HTTP response security headers.

These include:

  • Content-Security-Policy (CSP)

  • Strict-Transport-Security (HSTS)

  • X-Frame-Options

  • X-Content-Type-Options

  • Referrer-Policy

  • Permissions-Policy

  • Other header-level protections

Configuration Location

To modify the HTTP security header configuration, edit both of these files. Then restart MyQ services. If the httpd.template.conf file is not modified, your changes will be overwritten during service updates.

  • {install}\Apache\conf\httpd.conf

  • {install}\Apache\conf\httpd.template.conf


Non-Web Secure Communication

Some MyQ components use secure communication independent of web HTTPS.

These include:

  • SMTP

  • IPP

  • LPR

  • Internal C++ components

TLS behavior for these components is controlled by the sslProtocol parameter in config.ini. This setting does not modify HTTP headers and does not directly modify Apache TLS behavior.


Force Kerberos-Only Authentication

For environments requiring strict authentication, add the following to config.ini:

[Security]
KerberosOnly=true

This disables NTLM fallback and enforces Kerberos-only authentication.

Ensure:

  • Proper SPN registration.

  • Correct Kerberos infrastructure configuration.

Misconfiguration may prevent authentication.