diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md
index eef7ade8..5d7b1af7 100644
--- a/.claude/HISTORY.md
+++ b/.claude/HISTORY.md
@@ -3148,3 +3148,14 @@ git checkout HEAD -- index.html
 - Search and category filters respect authentication state.
 - **Files:**
   - `secubox-app-gk2hub/files/usr/sbin/hub-generator` (updated)
+
+37. **HAProxy HTTP/2 Auth Bug Fix (2026-02-23)**
+   - Fixed inconsistent HTTP Basic Auth behavior with HTTP/2 multiplexing.
+   - Protected vhosts randomly returned 200 (bypass) or 401 (auth required) when using HTTP/2.
+   - Root cause: HTTP/2 connection multiplexing caused HAProxy's `http_auth()` to inconsistently evaluate auth rules.
+   - **Fix:** Disabled HTTP/2 ALPN negotiation, reverting to HTTP/1.1 only.
+   - All protected MetaBlogizer sites (sa, ab, dgse, dcb, ccom) now consistently require authentication.
+   - **Files:**
+     - `secubox-app-haproxy/files/usr/sbin/haproxyctl` (alpn h2,http/1.1 → alpn http/1.1)
+     - `secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg` (updated)
+     - `secubox-app-haproxy/files/etc/config/haproxy` (updated)
diff --git a/package/secubox/secubox-app-haproxy/files/etc/config/haproxy b/package/secubox/secubox-app-haproxy/files/etc/config/haproxy
index bf02d92d..1ec1e72b 100644
--- a/package/secubox/secubox-app-haproxy/files/etc/config/haproxy
+++ b/package/secubox/secubox-app-haproxy/files/etc/config/haproxy
@@ -36,7 +36,7 @@ config frontend 'http_front'
 # Example frontend (HTTPS with SNI using crt-list for multi-cert support)
 config frontend 'https_front'
 	option name 'https-in'
-	option bind '*:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1'
+	option bind '*:443 ssl crt-list /opt/haproxy/certs/certs.list alpn http/1.1'
 	option mode 'http'
 	option default_backend 'fallback'
 	option enabled '1'
diff --git a/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl b/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
index 21f60925..e62d8c08 100644
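Review bot: Dropping `h2` from the ALPN list on the changed `option bind` line removes the symptom without recording why, so a later edit can restore `alpn h2,http/1.1` and silently bring back the intermittent 200/401 behaviour on protected vhosts, which is an authentication bypass. As far as I know HAProxy evaluates `http-request` rules per request (per HTTP/2 stream, not per connection), so an auth check that only sometimes fires more plausibly points at the rule set itself — an `http-request allow`/`deny` ordered before the auth rule, or an ACL keyed on connection-level rather than request state — which would also surface on HTTP/1.1 keep-alive connections; worth confirming against the protected vhost rules before relying on this change. At minimum add a comment above the option, e.g. `# HTTP/1.1 only: h2 removed after intermittent Basic Auth bypass on protected vhosts (HISTORY.md #37); do not re-add without a regression test`, and add the same note at the two `bind` lines in haproxyctl (hunks at 605 and 614) and in templates/default.cfg, which make the identical change.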
--- a/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
+++ b/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
@@ -605,7 +605,7 @@ EOF
     if [ -f "$CERTS_LIST_FILE" ] && [ -s "$CERTS_LIST_FILE" ]; then
         cat << EOF
 frontend https-in
-    bind *:$https_port,[::]:$https_port ssl crt-list $CONTAINER_CERTS_PATH/certs.list alpn h2,http/1.1
+    bind *:$https_port,[::]:$https_port ssl crt-list $CONTAINER_CERTS_PATH/certs.list alpn http/1.1
     mode http
     http-request set-header X-Forwarded-Proto https
     http-request set-header X-Real-IP %[src]
@@ -614,7 +614,7 @@ EOF
     # Fallback to directory mode if no certs.list
         cat << EOF
 frontend https-in
-    bind *:$https_port,[::]:$https_port ssl crt $CONTAINER_CERTS_PATH/ alpn h2,http/1.1
+    bind *:$https_port,[::]:$https_port ssl crt $CONTAINER_CERTS_PATH/ alpn http/1.1
     mode http
     http-request set-header X-Forwarded-Proto https
     http-request set-header X-Real-IP %[src]
diff --git a/package/secubox/secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg b/package/secubox/secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg
index ff596324..9af3e38d 100644
--- a/package/secubox/secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg
+++ b/package/secubox/secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg
@@ -49,7 +49,7 @@ frontend http-in
 # HTTPS frontend - SSL termination with multi-certificate SNI support
 frontend https-in
-    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1
+    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn http/1.1
     mode http
     # Security headers
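Review bot: The ALPN value is now hand-edited in two heredoc branches of haproxyctl (crt-list at 605, certificate directory at 614) as well as in two static config files, and the two `bind` lines already differ only in the `crt-list`/`crt` token, so the next protocol change is likely to land in one place and not the others. Hoist it into a single variable set before the `if`, `https_alpn='http/1.1'`, and emit `alpn $https_alpn` in both heredocs so the frontend negotiates the same protocols in either mode. Because the heredoc becomes the running haproxy.cfg, a `# ...` line placed above each `bind` inside the heredoc also appears in the generated config, where an operator inspecting the container will see why h2 is absent. The enclosing function starts and ends outside the hunk, so the placement of the variable cannot be confirmed from here.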