diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index da3d9d987..18eeccaba 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -15,6 +15,8 @@ Fixed:
* fix typo in cert sync script
Changed:
+* change default for HTTP/2 to enabled (only new frontends/backends)
+* add "no-alpn" option if HTTP/2 is not enabled (TLS-enabled frontends)
* move OCSP settings from "Service" to "Global" section
* replace bundled haproxyctl library with haproxy-cli
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 01e1eb4de..ed8670c42 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -796,7 +796,7 @@
N
- 0
+ 1
N
@@ -1036,7 +1036,7 @@
N
- 0
+ 1
N
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 13754b111..571562c8d 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1369,6 +1369,9 @@ frontend {{frontend.name}}
{# # convert protocols to HAProxy-compatible format #}
{% set alpn_options = frontend.advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
{% do ssl_options.append('alpn ' ~ alpn_options) %}
+{% else %}
+{# # disable ALPN to enforce the GUI settings #}
+{% do ssl_options.append('no-alpn') %}
{% endif %}
{# # HTTP/2 without TLS #}
{% elif frontend.http2Enabled|default("") == '1' and frontend.http2Enabled_nontls|default("") == '1' %}
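Review bot: The new `{% else %}` branch attaches to an `if` whose condition starts above this hunk, so `no-alpn` is appended for every case that condition rejects, not only when HTTP/2 is switched off in the GUI. If that condition also requires `frontend.advertised_protocols` to be non-empty (not visible here), a frontend with HTTP/2 enabled but no protocols selected would silently lose ALPN and serve HTTP/1.1 only. The comment should state why the option is needed, for example `{# # HAProxy 2.8+ advertises "h2,http/1.1" on TLS binds by default; no-alpn keeps HTTP/2 off when the GUI disables it #}`. To my knowledge `no-alpn` is only accepted as a bind keyword from HAProxy 2.8 on, so confirm the port's minimum HAProxy version, because an older build would reject the generated configuration. Existing TLS frontends with HTTP/2 disabled will also change behaviour once the config is regenerated, which is the intended enforcement but should be verified on upgrade.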