net/haproxy: adjust HTTP/2 settings to adopt HAProxy 2.8 defaults

net/haproxy/pkg-descr

@@ -15,6 +15,8 @@ Fixed:
 * fix typo in cert sync script
 
 Changed:
+* change default for HTTP/2 to enabled (only new frontends/backends)
+* add "no-alpn" option if HTTP/2 is not enabled (TLS-enabled frontends)
 * move OCSP settings from "Service" to "Global" section
 * replace bundled haproxyctl library with haproxy-cli
 

net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml

@@ -796,7 +796,7 @@
                     <Required>N</Required>
                 </stickiness_bytesOutRatePeriod>
                 <http2Enabled type="BooleanField">
-                    <default>0</default>
+                    <default>1</default>
                     <Required>N</Required>
                 </http2Enabled>
                 <http2Enabled_nontls type="BooleanField">
@@ -1036,7 +1036,7 @@
                     <Required>N</Required>
                 </linkedMailer>
                 <http2Enabled type="BooleanField">
-                    <default>0</default>
+                    <default>1</default>
                     <Required>N</Required>
                 </http2Enabled>
                 <http2Enabled_nontls type="BooleanField">

net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf

@@ -1369,6 +1369,9 @@ frontend {{frontend.name}}
 {#           # convert protocols to HAProxy-compatible format #}
 {%           set alpn_options = frontend.advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
 {%           do ssl_options.append('alpn ' ~ alpn_options) %}
+{%         else %}
+{#           # disable ALPN to enforce the GUI settings #}
+{%           do ssl_options.append('no-alpn') %}
 {%         endif %}
 {#       # HTTP/2 without TLS #}
 {%       elif frontend.http2Enabled|default("") == '1' and frontend.http2Enabled_nontls|default("") == '1' %}