Protocol support

HTTP

Although HAProxy can load balance HTTP requests in TCP mode, in which the connections are opaque and the HTTP messages aren’t inspected or altered, it can also operate in HTTP mode. In HTTP mode, the load balancer can inspect and modify the messages to perform protocol-specific actions. To enable HTTP mode, set the directive mode http in your frontend and backend sections.

Below, we describe features related to distinct versions of the HTTP protocol.

HTTP/3

HAProxy can send and receive HTTP/3 messages over the QUIC protocol.

While earlier HTTP implementations were transported over TCP, the HTTP/3 protocol is transported over QUIC, a UDP-based, connectionless protocol. To support QUIC, your HAProxy package must bundle a QUIC-compatible TLS library.

HTTP/3 over HTTPS to the client

This section applies to:

  • HAProxy 2.7 and newer
  • HAProxy Enterprise 2.7r1 and newer
  • HAProxy ALOHA 15.0 and newer

To enable HTTP/3 between the load balancer and the client, update your configuration so that your frontend includes the required directives:

  • a bind directive that uses the address prefix quic4@ and sets alpn h3. Note that for HAProxy 2.8 / HAProxy Enterprise 2.8r1 / HAProxy ALOHA 15.5 and newer, you don’t need to set the alpn argument, since it defaults to h3.
  • an http-response set-header directive that sets the alt-svc header.
haproxy
frontend example
  bind :80
  # Enable HTTPS
  bind :443 ssl crt ssl.pem
  # enables HTTP/3 over QUIC
  bind quic4@:443 ssl crt ssl.pem alpn h3
  # Redirects to HTTPS
  http-request redirect scheme https unless { ssl_fc }
  # 'Alt-Svc' header invites client to switch to the QUIC protocol
  # Max age (ma) is set to 15 minutes (900 seconds), but
  # can be increased once verified working as expected
  http-response set-header alt-svc "h3=\":443\";ma=900;"
  default_backend webservers

HTTP/3 over HTTPS to the server

This section applies to:

  • HAProxy 3.3 and newer

Experimental feature

This feature is experimental! To use it, add expose-experimental-directives to your global configuration section.

To connect to backend servers with HTTP/3 over QUIC, prefix the server’s address with quic4@ and enable SSL/TLS arguments. Ensure that your backend web server supports HTTP/3 and has it enabled.

haproxy
backend servers
  mode http
  server s1 quic4@192.168.0.10:443 check maxconn 30 ssl verify required ca-file /etc/haproxy/ssl/myca.pem

Troubleshoot HTTP/3 over QUIC

Browsers can be strict when it comes to QUIC, and when they encounter an issue, they will silently fall back to using HTTP/2. For instance, they often don’t allow self-signed TLS certificates, and getting verbose error logs from a browser can be difficult.

Try running the QUIC-compatible curl command to test QUIC connections so that you can see the verbose output of the request and response. Run it as a Docker container, as in the following example where we run curl as a container to test HTTP/3 over QUIC for example.com:

nix
docker run -ti --rm alpine/curl-http3 curl --verbose --http3 --silent --head https://example.com
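
Because browsers fall back silently, it helps to confirm first that the frontend really advertises HTTP/3 the way the configuration intends. The shell functions below are an added example, not part of the original documentation; the function names and the sample headers are constructed. They read response headers and check that Alt-Svc offers h3 on the expected port with a max age no higher than the value chosen for the rollout.

```shell
#!/bin/sh
# Added example; function names and sample headers are constructed.

# Print the Alt-Svc value found in HTTP response headers read from stdin.
alt_svc_value() {
    tr -d '\r' | awk 'tolower($0) ~ /^alt-svc:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print "<port> <ma>" for the first h3 alternative in an Alt-Svc value.
# ma falls back to 86400 seconds (the RFC 7838 default) when it is absent.
h3_entry() {
    printf '%s\n' "$1" | awk 'BEGIN { RS = "," }
    {
        gsub(/[ \t\n]/, "")
        n = split($0, part, ";")
        if (part[1] !~ /^h3="[^"]*:[0-9]+"$/) next
        port = part[1]; sub(/^.*:/, "", port); sub(/"$/, "", port)
        ma = 86400
        for (i = 2; i <= n; i++)
            if (part[i] ~ /^ma=[0-9]+$/) ma = substr(part[i], 4)
        print port, ma
        exit
    }'
}

# usage: check_h3_advert <expected_port> <max_ma_seconds> < response_headers
check_h3_advert() {
    value=$(alt_svc_value)
    [ -n "$value" ] || { echo "FAIL: no Alt-Svc header"; return 1; }
    entry=$(h3_entry "$value")
    [ -n "$entry" ] || { echo "FAIL: no h3 entry in: $value"; return 1; }
    port=${entry% *}
    ma=${entry#* }
    [ "$port" = "$1" ] || { echo "FAIL: h3 on port $port, expected $1"; return 1; }
    [ "$ma" -le "$2" ] || { echo "FAIL: ma=$ma exceeds limit $2"; return 1; }
    echo "OK: h3 advertised on port $port, ma=$ma"
}

# Constructed sample: headers as the frontend example would return them.
SAMPLE_HEADERS='HTTP/2 200
content-type: text/html
alt-svc: h3=":443";ma=900;'

printf '%s\n' "$SAMPLE_HEADERS" | check_h3_advert 443 900
```

To check a live frontend, pipe the output of curl --silent --head for your site into check_h3_advert 443 900. The request itself does not need to use HTTP/3, since the header is added to responses relayed over HTTP/1.1 and HTTP/2 as well.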

HTTP/2

You can load balance HTTP/2 over:

  • encrypted HTTPS when OpenSSL 1.0.2 or newer is available on the server
  • unencrypted HTTP (known as h2c)

Most browsers support HTTP/2 over HTTPS only, but you may find it useful to enable h2c between backend services (for example, gRPC services).

HTTP/2 over HTTPS to the client

This section applies to:

  • HAProxy 1.8 and newer
  • HAProxy Enterprise 1.8r1 and newer
  • HAProxy ALOHA 10.0 and newer

HTTP/2 is enabled by default between clients and load balancer in HAProxy ALOHA 15.5 / HAProxy Enterprise 2.8r1 and up. You don’t need to specify the alpn extension, because it has a default value of h2,http/1.1 for HTTPS bind lines. Note that ALPN works only for HTTPS bind lines, so HTTP/2 requires HTTPS. Clients that lack support for HTTP/2 will be automatically reverted to HTTP/1.1. The load balancer server must have OpenSSL 1.0.2 or newer.

haproxy
frontend www
  mode http
  bind :443 ssl crt /path/to/cert.crt
  default_backend servers

For HAProxy ALOHA 15.0 / HAProxy Enterprise 2.7r1 and older, you will need to specify both the extension and protocols:

haproxy
frontend www
  mode http
  bind :443 ssl crt /path/to/cert.crt alpn h2,http/1.1
  default_backend servers

HTTP/2 over HTTPS to the server

This section applies to:

  • HAProxy 1.9 and newer
  • HAProxy Enterprise 1.9r1 and newer
  • HAProxy ALOHA 11.0 and newer

To enable HTTP/2 between the load balancer and your backend servers, add the alpn argument to your server or default-server lines:

haproxy
backend servers
  mode http
  server s1 192.168.0.10:443 ssl alpn h2,http/1.1
  server s2 192.168.0.11:443 ssl alpn h2,http/1.1

This announces to the servers that the load balancer, acting as a client, supports HTTP/2. The servers must also support it.

HTTP/2 over HTTP (h2c) to the client

This section applies to:

  • HAProxy 1.9 and newer
  • HAProxy Enterprise 1.9r1 and newer
  • HAProxy ALOHA 11.0 and newer

To enable HTTP/2 between clients and the load balancer without using TLS, use the proto argument to announce support for it. This method doesn’t allow you to support multiple versions of HTTP simultaneously.

haproxy
frontend www
  mode http
  bind :80 proto h2
  default_backend servers

HTTP/2 over HTTP (h2c) to the server

This section applies to:

  • HAProxy 1.9 and newer
  • HAProxy Enterprise 1.9r1 and newer
  • HAProxy ALOHA 11.0 and newer

To enable HTTP/2 between the load balancer and your backend servers, add the proto argument to your server or default-server lines:

haproxy
backend servers
  mode http
  server s1 192.168.0.10:80 proto h2
  server s2 192.168.0.11:80 proto h2

Adjust the HTTP/2 initial window size

When you expect large file uploads over a network with moderately high latency, you may experience slow upload speeds. You can increase the HTTP/2 Flow Control window size to allow the load balancer to buffer more data. Set tune.h2.initial-window-size in the global section to the number of bytes the client can upload before waiting for an acknowledgement from the load balancer. For example, you could set a high value like 1048576.

Enable an idleness ping

This section applies to:

  • HAProxy 3.2 and newer
  • HAProxy Enterprise 3.2r1 and newer
  • HAProxy ALOHA 17.5 and newer

To more efficiently close any idle HTTP/2 connections, you can add an idle connection check.

  • For HTTP/2 to the client, add idle-ping to the bind line. It sets an interval, such as 10 seconds in this example:

    haproxy
    frontend www
      mode http
      bind :443 ssl crt /path/to/cert.crt idle-ping 10s
      default_backend servers
  • For HTTP/2 to the server, add idle-ping to the server line. It sets an interval, such as 10 seconds in this example:

    haproxy
    backend servers
      mode http
      server s1 192.168.0.10:443 ssl alpn h2,http/1.1 idle-ping 10s
      server s2 192.168.0.11:443 ssl alpn h2,http/1.1 idle-ping 10s

See also

  • To enable the TLS ALPN extension and a protocol list for the bind directive, see bind - alpn.
  • To force a protocol for the bind directive, see bind - proto.
  • To enable the TLS ALPN extension and a protocol list for the server directive, see server - alpn.
  • To force a protocol for the server directive, see server - proto.
  • To set the default value for the HTTP/2 initial window size, see tune.h2.initial-window-size.
