Routing based on ALPN

Vladimir Homutov vl at
Mon Feb 19 11:45:15 UTC 2018

On Mon, Feb 19, 2018 at 12:02:06PM +0100, Wiktor Kwapisiewicz via nginx wrote:
> Hello,
> I'm looking for a way to route traffic on port 443 based on ALPN value
> without SSL termination.
> ssl_preread_module [1] does something similar but the only exposed
> variable ($ssl_preread_server_name) is for SNI, not ALPN.
> A bit of context. I'd like to use nginx to host regular HTTPS server on port
> 443 but if the ALPN value is 'xmpp-client' transparently proxy the traffic
> to my local Jabber server. This feature [2] is already supported by several
> XMPP clients.
> Is there a way to access and save ALPN value to a variable?


currently this is not possible; as you correctly noted, ssl_preread
module only processes SNI extension.
To achieve what you want, ssl_preread module needs to be extended to process
ALPN extension as well and export results as a variable, that could be
used to make routing decision.

More information about the nginx mailing list