diff --git a/common/include/ssl_stream.h b/common/include/ssl_stream.h
index a4c99fa..cbe7f6a 100644
--- a/common/include/ssl_stream.h
+++ b/common/include/ssl_stream.h
@@ -16,14 +16,15 @@ enum SSL_STREAM_OPT
 SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
 SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
 SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
- SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
+ SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
 SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
 SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
 SSL_STREAM_OPT_NO_VERIFY_ISSUER, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
 SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
- SSL_STREAM_OPT_BLOCK_FAKE_CERT, //VALUE is an interger, SIZE=sizeof(int). 1:PASSTHROUGH, 0:BLOCK. DEFAULT:1.
+ SSL_STREAM_OPT_BLOCK_FAKE_CERT, //VALUE is an interger, SIZE=sizeof(int). 1:PASSTHROUGH, 0:BLOCK. DEFAULT:1.
 SSL_STREAM_OPT_PROTOCOL_MIN_VERSION,
 SSL_STREAM_OPT_PROTOCOL_MAX_VERSION,
+ SSL_STREAM_OPT_ENABLE_ALPN,
 SSL_STREAM_OPT_KEYRING_ID
 };
 int sslver_str2num(const char * version_str);
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index 3c3a45a..1fcbb0b 100644
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -26,6 +26,10 @@ if(ENABLE_PLUGIN_HTTP)
 target_link_libraries(tfe -Wl,--whole-archive http -Wl,--no-whole-archive)
 endif()
 
+if(ENABLE_PLUGIN_HTTP2) target_link_libraries(tfe -Wl,--whole-archive http2 -Wl,--no-whole-archive)
+endif()
+
 if(ENABLE_PLUGIN_DECRYPT_MIRRORING)
 target_link_libraries(tfe -Wl,--whole-archive decrypt-mirroring -Wl,--no-whole-archive)
 endif()
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 2faa808..53a71f1 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
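Review bot: `SSL_STREAM_OPT_ENABLE_ALPN` is the only option in this enum added without the VALUE/SIZE/DEFAULT comment its neighbours carry, so a plugin author cannot tell from the header what happens to the client's ALPN list when the option is never set. Suggest `SSL_STREAM_OPT_ENABLE_ALPN, //VALUE is an integer, SIZE=sizeof(int). 1:forward client ALPN upstream, 0:strip it. DEFAULT:0.`, with the default confirmed against how `ssl_upstream_parts` is initialised, which this diff does not show. Inserting the value ahead of `SSL_STREAM_OPT_KEYRING_ID` also renumbers that constant, which is harmless only if everything passing it is rebuilt against this header.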
@@ -182,6 +182,7 @@ struct ssl_upstream_parts
 char block_fake_cert;
 struct ssl_service_status svc_status;
 enum ssl_stream_action action;
+ int apln_enabled;
 int keyring_id;
 struct ssl_chello * client_hello;
 int is_server_cert_verify_passed;
@@ -892,7 +893,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
 {
 SSL_set_tlsext_host_name(ssl, chello->sni);
 }
- if (chello->alpn && !mgr->no_alpn)
+ if (chello->alpn && s_stream->up_parts.apln_enabled)
 {
 ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
 assert(ret==0);
@@ -1603,7 +1604,7 @@ void downstream_ossl_init(struct ssl_stream *s_stream)
 SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
 EC_KEY_free(ecdh);
 }
- if(!mgr->no_alpn && selected_alpn)
+ if(s_stream->peer->up_parts.apln_enabled && selected_alpn)
 {
 SSL_CTX_set_alpn_select_cb(sslctx, alpn_select_proto_cb, (void*)selected_alpn);
 }
@@ -1992,7 +1993,7 @@ void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr)
 int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val)
 {
 struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param);
-
+ assert(upstream->dir==CONN_DIR_UPSTREAM);
 switch(opt_type)
 {
 case SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED:
@@ -2016,6 +2017,9 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 case SSL_STREAM_OPT_PROTOCOL_MAX_VERSION:
 upstream->ssl_max_version=opt_val;
 break;
+ case SSL_STREAM_OPT_ENABLE_ALPN: upstream->up_parts.apln_enabled=opt_val; break;
 case SSL_STREAM_OPT_KEYRING_ID:
 upstream->up_parts.keyring_id=opt_val;
 break;
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index d9e9299..34d9089 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
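Review bot: The new field is spelled `apln_enabled` while the option it backs is `SSL_STREAM_OPT_ENABLE_ALPN`, and the misspelling is then copied into `upstream_ossl_init`, `downstream_ossl_init` and `ssl_stream_set_integer_opt`, so it is worth correcting now, as `int alpn_enabled; //1: forward the client's ALPN list upstream, 0: strip it`, before more code depends on it. Nothing in the diff shows how `ssl_upstream_parts` is allocated or reset; if it is not zeroed, or is recycled between connections, the flag starts with whatever was in memory and the policy-off case is not actually enforced. `struct ssl_upstream_parts` starts before this hunk.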
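Review bot: With the flag set, `SSL_set_alpn_protos` still forwards the client's entire ALPN list verbatim, although the policy knob that sets it is called `allow_http2`; a client can therefore advertise any protocol identifier and, if the origin accepts it, negotiate a non-HTTP protocol through an inspection path the proxy has no parser for. Filter `chello->alpn` down to the identifiers the proxy actually handles (`h2`, `http/1.1`) before calling `SSL_set_alpn_protos`, or rename the option so the passthrough semantics are explicit. The `assert(ret==0)` that follows is unchanged and disappears under NDEBUG, leaving a failed call silently unhandled. `upstream_ossl_init` starts and ends outside this hunk.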
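Review bot: The new condition dereferences `s_stream->peer` where the old one only read `mgr`; nothing in the hunk establishes that the downstream stream is already paired with its upstream when `downstream_ossl_init` runs, and if it is not, this is a NULL dereference on every connection. Either guard it, `if(s_stream->peer && s_stream->peer->up_parts.apln_enabled && selected_alpn)`, or add a comment stating the pairing invariant the line relies on. Since `selected_alpn` is presumably the upstream server's choice, installing no ALPN callback when the peer is missing fails closed, which is the safe side here. The function starts and ends outside this hunk.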
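Review bot: `assert(upstream->dir==CONN_DIR_UPSTREAM)` documents a real precondition, but it is compiled out under NDEBUG, and in that build a downstream stream handed in by a plugin silently writes into the wrong object's `up_parts`. The function already returns an int, so make the check unconditional and report it, `if(upstream->dir!=CONN_DIR_UPSTREAM) return -1;` (or whatever failure value the `ret=` callers expect), keeping the assert if a loud debug failure is also wanted. The `SSL_STREAM_OPT_ENABLE_ALPN` case added in the later hunk stores `opt_val` raw; storing `opt_val!=0` would keep the flag within the 0/1 range its siblings document.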
@@ -29,6 +29,7 @@ struct intercept_param
 int block_fake_cert;
 int ssl_min_version;
 int ssl_max_version;
+ int allow_http2;
 int mirror_client_version;
 int decrypt_mirror_enabled;
 int mirror_profile_id;
@@ -125,6 +126,8 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 item=cJSON_GetObjectItem(ssl_ver, "max");
 if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
 }
+ item=cJSON_GetObjectItem(ssl_ver, "allow_http2"); if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
 }
 *ad=param;
 TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
@@ -188,6 +191,10 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, param->ssl_min_version);
 ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MAX_VERSION, param->ssl_max_version);
 }
+ if(param->allow_http2) { ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, 1); }
 ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, param->no_verify_cn);
 ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, param->no_verify_issuer);
 ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, param->no_verify_self_signed);
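Review bot: The `allow_http2` lookup is placed after the closing brace of the block that reads `min`/`max`, yet it still reads from `ssl_ver`; if that brace closes the NULL check on `ssl_ver`, a policy without a TLS-version section hands a NULL object to `cJSON_GetObjectItem`, which older cJSON releases dereference without a check. Moving the two lines inside that block, or writing `item = ssl_ver ? cJSON_GetObjectItem(ssl_ver, "allow_http2") : NULL;`, removes the doubt. Only `cJSON_Number` is accepted, so a policy written as `"allow_http2": true` is silently treated as off; accept `cJSON_True`/`cJSON_False` as well, or log when the key is present with an unexpected type. `intercept_param_new_cb` starts before this hunk.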
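Review bot: `SSL_STREAM_OPT_ENABLE_ALPN` is only ever set to 1; unlike the `NO_VERIFY_*` options on the following lines it is never written when `allow_http2` is 0, so the stream keeps whatever value the flag had before enforcement. Set it unconditionally, `ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, param->allow_http2 ? 1 : 0);`, so a deny policy fails closed regardless of the field's initial or previous state. As with the calls around it the return value is dropped, so a rejected option (for example a stream that is not the upstream side) goes unnoticed. Whether an `h2` negotiated this way is actually inspected depends on the HTTP/2 plugin being built in (`ENABLE_PLUGIN_HTTP2`), which nothing here checks at runtime; `ssl_policy_enforce` continues past this hunk.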