diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index a0bec1f86..a4166bb08 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml @@ -7,26 +7,20 @@ name: cups state: present -# 2021-07-12: LET'S STICK CLOSER TO THE DEFAULT /etc/cups/cupsd.conf SO WE CAN -# SKIP MOST OF THE NEXT ~120 LINES, THX TO NEW NGINX (cups/templates/cups.conf) +# WARNING: 'apt install cups' AND 'apt install --reinstall cups' +# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR +# INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: -# # WARNING: 'apt install cups' AND 'apt install --reinstall cups' -# # UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR -# # INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: +# OPTION #1: OLD WAY (BRITTLE) +# +# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin +# template: +# src: cupsd.conf.j2 +# dest: /etc/cups/cupsd.conf -# # OPTION #1: OLD WAY (BRITTLE) -# # -# # - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin -# # template: -# # src: cupsd.conf.j2 -# # dest: /etc/cups/cupsd.conf +# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) -# # OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) - -# # - debug: -# # msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... - -- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT! The file will now be created -- by the ~2 stanzas below. +- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT! The file will now be created -- by ~4 stanzas below. Also keep an eye on /var/log/cups/error_log meta: noop - name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' will be saved in /etc/cups 
@@ -76,49 +70,43 @@ # append: yes # groups: lpadmin -# - name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW -# systemd: -# daemon_reload: yes -# name: "{{ item }}" -# state: restarted -# with_items: -# - cups -# - cups-browsed +- name: Start 'cups' systemd service as nec -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW + systemd: + #daemon_reload: yes + name: cups + state: started -# 2021-07-12: 'cupsctl --remote-admin && systemctl restart cups' enables -# http://10.8.0.x:631 -- but this is even less useful than ever, now that -# http://10.8.0.x/print works -- thx to the new /etc/nginx/conf.d/cups.conf +# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --remote-admin --share-printers --user-cancel-any + +# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: +# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. +# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) + +- name: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) 
-- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf + command: cupsctl --remote-any --share-printers --user-cancel-any + +# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml +# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* +# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) # -# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging +# FYI repeated use of 'cupsctl' commands also removes comments and blank lines. +# +# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging +# when: not cups_enabled -# # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: -# # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. -# # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) - -# # - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) 
-- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# # command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging - -# # 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml -# # BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* -# # /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -# # -# # FYI repeated use of 'cupsctl' commands also removes comments and blank lines. -# # -# # - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# # command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging -# # when: not cups_enabled - -# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'. As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx'). Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!) RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. 
'400 Bad Request') -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)" +# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'. As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx'). Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!) RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)" # lineinfile: # path: /etc/cups/cupsd.conf # line: "{{ item }}" # insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' # with_items: -# - "#ServerAlias *" +# - "HostNameLookups On" # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027 +# - "ServerAlias *" # - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan # - "#Listen {{ lan_ip }}:631" # 172.18.96.1 -# - "Listen 127.0.0.1:631" +# - "#Listen 127.0.0.1:631" # - "#Listen 0.0.0.0:631" # - "#Listen *:631" diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index 80921e99f..886a15c14 100644 --- a/roles/cups/tasks/nginx.yml 
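Review bot: In roles/cups/tasks/install.yml (second hunk), the newly active `command: cupsctl --remote-any --share-printers --user-cancel-any` task has no condition, although its name says "(if cups_enabled)". Unless this file is only included when CUPS is enabled, which is not visible here, add `when: cups_enabled` to that task. By cupsctl's own description `--remote-any` accepts clients from any address, so port 631 is no longer limited to the 192.168.0.x, 172.18.96.1 and 10.8.0.y ranges the task name lists. A comment such as `# --remote-any opens port 631 to every reachable network; restrict it with the firewall where the box has an upstream interface` would record that. The task also runs `cupsctl` on every play, which the surrounding comments say can damage /etc/cups/cupsd.conf, so it may be worth running it only when a bare `cupsctl` does not already report the setting.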
+++ b/roles/cups/tasks/nginx.yml @@ -1,6 +1,6 @@ - name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template template: - src: cups.conf + src: cups.conf.j2 dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d when: cups_enabled diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf deleted file mode 100644 index e61d87f34..000000000 --- a/roles/cups/templates/cups.conf +++ /dev/null @@ -1,30 +0,0 @@ -location = /print { - return 301 /print/; # "Moved Permanently" redirect - #rewrite /print /print/; # Faster, if links are fixed! -} - -location ~ /print/(.*) { - proxy_pass http://127.0.0.1:631/$1; - proxy_set_header Host '127.0.0.1'; - proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; - - sub_filter ' href="/' ' href="/print/'; - sub_filter ' action="/' ' action="/print/'; - sub_filter ' src="/' ' src="/print/'; - sub_filter_types *; - sub_filter_once off; -} - -# location ~ /cups/(.*) { -# proxy_pass http://127.0.0.1:631/$1; -# proxy_set_header Host '127.0.0.1'; -# proxy_cache_bypass $http_upgrade; -# proxy_set_header X-Real-IP $remote_addr; -# -# sub_filter ' href="/' ' href="/cups/'; -# sub_filter ' action="/' ' action="/cups/'; -# sub_filter ' src="/' ' src="/cups/'; -# sub_filter_types *; -# sub_filter_once off; -# } diff --git a/roles/cups/templates/cups.conf.j2 b/roles/cups/templates/cups.conf.j2 new file mode 100644 index 000000000..7efd33266 --- /dev/null +++ b/roles/cups/templates/cups.conf.j2 
@@ -0,0 +1,73 @@ +# ADMINISTER CUPS AT http://box/print/admin WITH USERNAME 'Admin' AND PASSWORD +# 'changeme' (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml + + +# 2021-07-13: Let's redirect to CUPS' own web server for now, as proxying +# (commented out below) has many glitches, e.g. CUPS' https connections etc. + +location ~ ^/print(|/.*)$ { # '~' -> '~*' for case-insensitive regex + + # 2021-07-13: Work around CUPS failure to serve http://box[.lan]:631 "since + # 2009" -- e.g. '400 Bad Request' error 'Request from "localhost" using + # invalid Host: field "box[.lan]:631".' in /var/log/cups/error_log, DESPITE + # adding 'HostNameLookups On', 'ServerAlias *' etc to /etc/cups/cupsd.conf + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027 + + if ($host ~ '{{ iiab_hostname }}(|.{{ iiab_domain }})') { + return 301 http://localhost:631; # Or http://127.0.0.1:631 + } + + if ($host ~ 'box(|.lan)') { # /etc/hosts may have BOTH above AND box.lan + return 301 http://localhost:631; + } + + return 301 http://$host:631; # Can work with 192.168.0.x & 10.8.0.y ETC +} + + +# https://anthe.studio/blog/en/cups-nginx-reverse-proxy +# https://toggen.com.au/it-tips/reverse-proxy-cups-in-nginx/ +# https://www.robpeck.com/2020/09/proxying-cups-ipp-using-nginx/ + +# location = /print { +# return 301 /print/; # "Moved Permanently" redirect +# #rewrite /print /print/; # Faster, if links are fixed! 
+# } + +## location ~ ^/print(|/.*)$ { +## proxy_pass https://127.0.0.1:631$1; # Fails: trailing slash nec here +# location ~ ^/print/(.*) { +# proxy_pass https://127.0.0.1:631/$1; +# +# #proxy_http_version 1.1; +# #proxy_set_header Accept-Encoding ""; +# #proxy_set_header Upgrade $http_upgrade; +# #proxy_set_header Connection 'upgrade'; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# +# proxy_set_header X-Real-IP $remote_addr; +# #proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; +# #proxy_set_header X-Forwarded-Host $server_name; +# +# sub_filter ' href="/' ' href="/print/'; +# sub_filter ' action="/' ' action="/print/'; +# sub_filter ' src="/' ' src="/print/'; +# #sub_filter 'ACTION="/' 'ACTION="/print/'; +# #sub_filter 'URL=/' 'URL=/print/'; +# sub_filter_types *; +# sub_filter_once off; +# } + +# location ~ /cups/(.*) { +# proxy_pass http://127.0.0.1:631/$1; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# proxy_set_header X-Real-IP $remote_addr; +# +# sub_filter ' href="/' ' href="/cups/'; +# sub_filter ' action="/' ' action="/cups/'; +# sub_filter ' src="/' ' src="/cups/'; +# sub_filter_types *; +# sub_filter_once off; +# } diff --git a/test.yml b/test.yml index 70a40e74d..be808dc92 100644 --- a/test.yml +++ b/test.yml @@ -20,11 +20,16 @@ # name: 0-init - debug: - msg: YO! + msg: "{{ 'changeme' | password_hash('sha512') }}" #- pause: - - debug: - msg: "{{ 'changeme' | password_hash('sha512') }}" + - name: DOUBLE UP to escape single quotes... '"''"' e.g. iiab.ini Munin description + debug: + msg: '"''"' # FAILS: '"\'"' + + - name: BACKSLASH to escape double quotes... "'\"'" e.g. cups/tasks/install.yml + debug: + msg: "'\"'" # FAILS: "'""'" # TEST ANSIBLE COMMANDS/MODULES HERE!
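Review bot: In roles/cups/templates/cups.conf.j2 the two `if ($host ~ …)` tests are unanchored and leave the dot unescaped, so `'box(|.lan)'` matches any Host value that merely contains "box". Every such request is redirected to `http://localhost:631`, which resolves on the client's own machine unless the browser runs on the box itself. The fall-through `return 301 http://$host:631;` builds the Location from a value normally taken from the client's Host header and drops the request path, so /print/admin does not reach the admin page. A 301 is also cached by browsers, although the comment describes this as a "for now" arrangement. Consider `if ($host ~ '^box(\.lan)?$') {` with the same anchoring for the templated pattern, and `return 302 http://$host:631;`. The header comment could also state that the documented 'changeme' password must be changed before port 631 is reachable beyond the LAN.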