fix(haproxy): Disable HTTP/2 to fix inconsistent vhost auth

HTTP/2 multiplexing caused HAProxy's http_auth() to inconsistently
evaluate auth rules, resulting in protected vhosts randomly returning
200 (bypass) or 401 (auth required).

Disabled HTTP/2 ALPN negotiation (alpn h2,http/1.1 → alpn http/1.1)
to ensure consistent HTTP Basic Auth behavior for protected sites.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.claude/HISTORY.md

@@ -3148,3 +3148,14 @@ git checkout HEAD -- index.html
     - Search and category filters respect authentication state.
     - **Files:**
       - `secubox-app-gk2hub/files/usr/sbin/hub-generator` (updated)
+
+37. **HAProxy HTTP/2 Auth Bug Fix (2026-02-23)**
+    - Fixed inconsistent HTTP Basic Auth behavior with HTTP/2 multiplexing.
+    - Protected vhosts randomly returned 200 (bypass) or 401 (auth required) when using HTTP/2.
+    - Root cause: HTTP/2 connection multiplexing caused HAProxy's `http_auth()` to inconsistently evaluate auth rules.
+    - **Fix:** Disabled HTTP/2 ALPN negotiation, reverting to HTTP/1.1 only.
+    - All protected MetaBlogizer sites (sa, ab, dgse, dcb, ccom) now consistently require authentication.
+    - **Files:**
+      - `secubox-app-haproxy/files/usr/sbin/haproxyctl` (alpn h2,http/1.1 → alpn http/1.1)
+      - `secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg` (updated)
+      - `secubox-app-haproxy/files/etc/config/haproxy` (updated)

package/secubox/secubox-app-haproxy/files/etc/config/haproxy

@@ -36,7 +36,7 @@ config frontend 'http_front'
 # Example frontend (HTTPS with SNI using crt-list for multi-cert support)
 config frontend 'https_front'
 	option name 'https-in'
-	option bind '*:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1'
+	option bind '*:443 ssl crt-list /opt/haproxy/certs/certs.list alpn http/1.1'
 	option mode 'http'
 	option default_backend 'fallback'
 	option enabled '1'

package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl

@@ -605,7 +605,7 @@ EOF
 		if [ -f "$CERTS_LIST_FILE" ] && [ -s "$CERTS_LIST_FILE" ]; then
 			cat << EOF
 frontend https-in
-    bind *:$https_port,[::]:$https_port ssl crt-list $CONTAINER_CERTS_PATH/certs.list alpn h2,http/1.1
+    bind *:$https_port,[::]:$https_port ssl crt-list $CONTAINER_CERTS_PATH/certs.list alpn http/1.1
     mode http
     http-request set-header X-Forwarded-Proto https
     http-request set-header X-Real-IP %[src]
@@ -614,7 +614,7 @@ EOF
 			# Fallback to directory mode if no certs.list
 			cat << EOF
 frontend https-in
-    bind *:$https_port,[::]:$https_port ssl crt $CONTAINER_CERTS_PATH/ alpn h2,http/1.1
+    bind *:$https_port,[::]:$https_port ssl crt $CONTAINER_CERTS_PATH/ alpn http/1.1
     mode http
     http-request set-header X-Forwarded-Proto https
     http-request set-header X-Real-IP %[src]

package/secubox/secubox-app-haproxy/files/usr/share/haproxy/templates/default.cfg

@@ -49,7 +49,7 @@ frontend http-in
 
 # HTTPS frontend - SSL termination with multi-certificate SNI support
 frontend https-in
-    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1
+    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn http/1.1
     mode http
 
     # Security headers