Routing Http2 traffic without decrypting tls packets

Ruslan Ermilov ru at
Tue Sep 3 14:39:38 UTC 2019

On Mon, Sep 02, 2019 at 05:45:59PM +0000, Jayarajan, Keerthi (AT ASP RTC) wrote:
> Hi,
> I'm working in blockchain project for Honeywell. We have blockchain nodes
> hosted in our cloud. These nodes should connect and talk to external node and
> vice versa. We are using Nginx as Reverse proxy server through which external
> node can connect to our nodes. We are using Hyperledger fabric blockchain
> framework which works on grpc protocol using http2. I found Nginx 1.15.2
> supports http2. So I installed it and tested sample grpc application(without
> tls) successfully. Now, I need external node to talk to our node reverse
> proxied via Nginx. But our nodes are tls encrypted and client authentication
> is enabled. I want the external node to talk to internal node as if the Nginx
> was not there. It should forward everything based on the hostname without
> decrypting the packets. I tried this ssl_preread directive but It says not
> allowed for http2. Can you please technically tell how this can be
> accomplished. Looking forward for your support. If this is feasible, we would
> like to go with Nginx Plus for production.

ngx_stream_ssl_preread_module that you mentioned above can route traffic
based on either server name requested through SNI or protocols advertised
in ALPN, or combination.  The documentation for the module has complete
You don't need "ssl http2" in the listen directive for it to work.

More information about the nginx mailing list