Converting HTTP/2 (h2c) without TLS to HTTP/1.1


This is for penetration testing purposes, not for any kind of prod setup.

I’d like to set up HAProxy to receive HTTP/2 traffic (h2c, HTTP/2 without TLS) coming from a native application. HAProxy should then convert this traffic to HTTP/1.1 and send it to a desired endpoint.

More particularly, the client that’ll be connecting to HTTP/2 HAProxy non-TLS listener sends the PRI request first, and as such, I’m assuming the HTTP/2 connection mode the client is using is “Starting HTTP/2 with Prior Knowledge” RFC

What settings could I use to have HAProxy listen HTTP/2 without TLS?

I’ve checked the “bind” command in the configuration file language and apart from ALPN (which I’m assuming is an incorrect option here as it implies TLS).

I’m guessing the minimalistic configuration file would be something like (listen for HTTP/2 on port 8009 and pass on to port 8000).


frontend http_front
   bind *:8009 <???>
   default_backend http_back

backend http_back
   balance roundrobin
   server localhost check


Unfortunately that’s not supported.

Currently TLS/ALPN is the only way to get H2 running.


Thank you for the quick response, clears out I should try in another direction such as nginx. If anyone knows another tool that’d do this, please post it here.