Does stream module have support to negotiate ALPN when terminating TLS?

sojuro nginx-forum at
Sun Dec 15 07:20:12 UTC 2019

Is there support for forwarding to backends when clients are sending ALPN? I
would like to use the stream module if possible. The following nginx config
works successfully with a Go client but not with the Ruby client. This is
similar to the problem with AWS ELB 

stream {
	upstream stream_backend_1 {
		server mygrpcservice:8080;
	}
	server {
		# TLS is terminated on this listener
		listen 443 ssl;
		proxy_pass            stream_backend_1;
		ssl_certificate       /etc/ssl/test_cert.pem;
		ssl_certificate_key   /etc/ssl/test_key.pem;
		# enabled to log what the ClientHello carries
		ssl_preread           on;
	}
}

With preread on and nginx-debug I got the following in the logs, so the
client is sending ALPN data:
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols

but the handshake fails in the gRPC library because the server does not set the
negotiated ALPN??
D1214 23:00:44.714269000 123145438679040]  
Security handshake failed:
{"created":"@1576393244.714255000","description":"Cannot check peer: missing
selected ALPN

Also fails with openssl 

$ openssl s_client -connect -alpn h2 | grep alpn
verify return:1
No ALPN negotiated


Posted at Nginx Forum:,286473,286473#msg-286473
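
An added example, not part of the original post: a minimal Python parser that extracts the ALPN extension (type 16, RFC 7301) from a ClientHello or a TLS 1.2 ServerHello, which is the difference between what `ssl preread` logged (client offers ALPN) and what `openssl s_client` reported (server selected none). The records are constructed by the hypothetical `build_hello` helper; in TLS 1.3 the server's selection travels in the encrypted EncryptedExtensions message and cannot be read this way.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation, RFC 7301

def build_hello(msg_type, alpn):
    """Constructed sample: minimal ClientHello (1) or TLS 1.2 ServerHello (2) record."""
    exts = b""
    if alpn is not None:
        names = b"".join(bytes([len(p)]) + p for p in alpn)
        data = struct.pack("!H", len(names)) + names
        exts = struct.pack("!HH", ALPN_EXT, len(data)) + data
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
    if msg_type == 1:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"   # offered suites, compression methods
    else:
        body += b"\xc0\x2f" + b"\x00"               # selected suite, selected compression
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def alpn_from_hello(record):
    """Return the ALPN names in a hello record, or None when the extension is absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                 # skip version and random
        pos += 1 + body[pos]                         # skip session id
        if record[5] == 1:
            pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip cipher suites
            pos += 1 + body[pos]                     # skip compression methods
        else:
            pos += 3                                 # skip chosen suite + compression
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(body)):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == ALPN_EXT:
                names, i = [], 2                     # skip 2-byte list length
                while i < len(data):
                    names.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
                    i += 1 + data[i]
                return names
            pos += 4 + elen
    except IndexError:
        raise ValueError("truncated hello message")
    return None
```

A `None` result for the ServerHello while the ClientHello lists `h2` corresponds to the "No ALPN negotiated" outcome shown above.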
