Hi there, thanks for releasing support for http/2! Sadly, we are facing issues since enabling it.
We are using HA-Proxy version 1.8.1-1~bpo8+1 2017/12/04 on Debian 8. On the backend, jetty 9.3.11.v20160721 with http/1.1 answers requests. Since I've enabled http/2 ("alpn h2,http/1.1"), we are facing issues with Firefox Quantum on both Windows 10 and macOS. I do not have any complaints regarding other browsers (yet?).

Requested HTML pages are delivered empty or even cut off in the middle. There is no recurring pattern; it's like a lottery, though it happens very seldom. The simple, yet not satisfying, solution is to restart the browser.

I know the provided information is quite sparse, so my question is actually: is there any guideline I can follow to provide you with more information? I've appended some snippets of the proxy configuration.

Cheers,
Max

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # make ssl safe
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    ssl-default-server-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 5
    timeout http-request 10s
    timeout queue 2m
    timeout connect 20s
    timeout client 2m
    timeout server 60m
    timeout http-keep-alive 2m
    timeout check 20s
    maxconn 15000
    balance roundrobin
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /secretpath?secretparam
    stats auth secretusr:secretpasswd

frontend frontend_https-sni
    bind *:443 ssl crt /etc/haproxy/ssl/ crt /etc/haproxy/LE/crt strict-sni alpn h2,http/1.1
    mode http
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/switch_ssl.map)]

backend bknd_ssl_offloading_xxxxxx
    mode http
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https