We recently upgraded our HAProxy server from Debian Bookworm to Trixie, thereby updating HAProxy from 2.6.12 to 3.0.11. Since then, a Linux client using Evolution cannot connect to the Exchange server anymore as he repeatedly gets asked for his credentials.
This seems to be caused by ALPN making http/2 available for the frontend by default, which Exchange as the backend is not compatible with as far as I could find.
I want to force HAProxy to use http/1.1 for connections with this backend (not the others) while the frontend should still offer all versions. However, logging shows that this setting seems to be ignored.
/etc/haproxy/haproxy.cfg:
backend ExchangeEWS
    option httpchk GET /ews
    http-check expect status 401
    server atl-ex2019 192.168.120.3:443 ssl verify none alpn http/1.1
Backend traffic is http/1.1 by default. Your configuration does absolutely nothing, other than enabling ALPN and negotiating http/1.1 towards your backend server. You don’t need to disable H2 on the backend because it was never on in the first place.
H2 on the frontend is a different thing. When you put alpn http/1.1 on your bind line in the frontend, the problem is gone?
%HV shows the request HTTP version between the client and haproxy. It has nothing to do with the backend HTTP version.
You are showing the same variable twice, I don’t know why you expect a different result.
Should have checked the output of ChatGPT more thoroughly… looked fine to me and I didn’t notice this blunder.
Changing the bind line fixes the problem.
Not sure though why exactly: When Exchange (according to ChatGPT) has problems with h2, but HAProxy already uses h1.1 communicating with Exchange, why does changing the frontend make a difference?
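The frontend/backend distinction from the replies above, as an added configuration example that is not part of the original thread: it applies the bind-line fix and logs the protocol of each side separately instead of logging %HV twice. The frontend name, certificate path, variable names and log-format layout are assumptions; the backend lines are the ones posted in the thread.

```haproxy
# Added example. Names marked "assumed" do not come from the thread.
frontend https_in                       # assumed frontend name
    mode http
    # Fix from the thread: offer only HTTP/1.1 to clients via ALPN.
    # (Per the thread, the upgraded HAProxy made h2 available here by default.)
    bind :443 ssl crt /etc/haproxy/certs/example.pem alpn http/1.1   # assumed cert path

    # %HV              = HTTP version of the request between client and HAProxy
    # ssl_fc_alpn      = ALPN protocol negotiated on the client (frontend) connection
    # txn.bc_alpn/http = values captured in the backend section below
    log-format "%ci:%cp [%tr] %ft %b/%s %ST %HV fc_alpn=%[ssl_fc_alpn] bc_alpn=%[var(txn.bc_alpn)] bc_http=%[var(txn.bc_http)]"

    default_backend ExchangeEWS

backend ExchangeEWS
    mode http
    option httpchk GET /ews
    http-check expect status 401

    # Capture the server-side protocol while the backend connection is in use,
    # so the frontend log line can print it next to the client-side values.
    http-response set-var(txn.bc_alpn) ssl_bc_alpn
    http-response set-var(txn.bc_http) bc_http_major

    # Server line as posted in the thread. Note that "verify none" means the
    # Exchange server's certificate is not validated by HAProxy.
    server atl-ex2019 192.168.120.3:443 ssl verify none alpn http/1.1
```

With this in place, each log line shows the client-side version (%HV, fc_alpn) and the server-side version (bc_alpn, bc_http) as separate fields, which is the comparison the original logging attempt was after.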