fix(haproxy): Disable HTTP/2 to fix inconsistent vhost auth

HTTP/2 multiplexing caused HAProxy's http_auth() to inconsistently evaluate auth rules, resulting in protected vhosts randomly returning 200 (bypass) or 401 (auth required). Disabled HTTP/2 ALPN negotiation (alpn h2,http/1.1 → alpn http/1.1) to ensure consistent HTTP Basic Auth behavior for protected sites. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-23 12:18:34 +01:00 · 2026-02-23 12:18:34 +01:00 · b414ea3284
commit b414ea3284
parent a2bc5dd7d8
4 changed files with 15 additions and 4 deletions
--- a/.claude/HISTORY.md
+++ b/.claude/HISTORY.md
@ -3148,3 +3148,14 @@ git checkout HEAD -- index.html
    - Search and category filters respect authentication state.
    - **Files:**
      - `secubox-app-gk2hub/files/usr/sbin/hub-generator` (updated)
+
+37. **HAProxy HTTP/2 Auth Bug Fix (2026-02-23)**
+    - Fixed inconsistent HTTP Basic Auth behavior with HTTP/2 multiplexing.
+    - Protected vhosts randomly returned 200 (bypass) or 401 (auth required) when using HTTP/2.
+    - Root cause: HTTP/2 connection multiplexing caused HAProxy's `http_auth()` to inconsistently evaluate auth rules.
+    - **Fix:** Disabled HTTP/2 ALPN negotiation, reverting to HTTP/1.1 only.
+    - All protected MetaBlogizer sites (sa, ab, dgse, dcb, ccom) now consistently require authentication.
+    - **Files:**
+      - `secubox-app-haproxy/files/usr/sbin/haproxyctl` (alpn h2,http/1.1 → alpn http/1.1)
+      - `secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg` (updated)
+      - `secubox-app-haproxy/files/etc/config/haproxy` (updated)
--- a/package/secubox/secubox-app-haproxy/files/etc/config/haproxy
+++ b/package/secubox/secubox-app-haproxy/files/etc/config/haproxy
@ -36,7 +36,7 @@ config frontend 'http_front'
 # Example frontend (HTTPS with SNI using crt-list for multi-cert support)
 config frontend 'https_front'
 	option name 'https-in'
-	option bind '*:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1'
+	option bind '*:443 ssl crt-list /opt/haproxy/certs/certs.list alpn http/1.1'
 	option mode 'http'
 	option default_backend 'fallback'
 	option enabled '1'
--- a/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
+++ b/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
@ -605,7 +605,7 @@ EOF
 		if [ -f "$CERTS_LIST_FILE" ] && [ -s "$CERTS_LIST_FILE" ]; then
 			cat << EOF
 frontend https-in
-    bind *:$https_port,[::]:$https_port ssl crt-list $CONTAINER_CERTS_PATH/certs.list alpn h2,http/1.1
+    bind *:$https_port,[::]:$https_port ssl crt-list $CONTAINER_CERTS_PATH/certs.list alpn http/1.1
    mode http
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Real-IP %[src]
@ -614,7 +614,7 @@ EOF
 			# Fallback to directory mode if no certs.list
 			cat << EOF
 frontend https-in
-    bind *:$https_port,[::]:$https_port ssl crt $CONTAINER_CERTS_PATH/ alpn h2,http/1.1
+    bind *:$https_port,[::]:$https_port ssl crt $CONTAINER_CERTS_PATH/ alpn http/1.1
    mode http
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Real-IP %[src]
--- a/package/secubox/secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg
+++ b/package/secubox/secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg
@ -49,7 +49,7 @@ frontend http-in

 # HTTPS frontend - SSL termination with multi-certificate SNI support
 frontend https-in
-    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1
+    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn http/1.1
    mode http

    # Security headers