diff --git a/conn.go b/conn.go
index 1210aea..b318327 100644
--- a/conn.go
+++ b/conn.go
@@ -18,6 +18,7 @@ import (
 "strings"
 "sync"
 //"sync/atomic"
+ "golang.org/x/net/http2"
 "time"
 )
@@ -50,6 +51,9 @@ func listenAndServe(arg Args) error {
 case "wss": // websocket security connection
 return NewWs(arg).listenAndServeTLS()
 case "tls": // tls connection
+ if arg.Protocol == "http2" || arg.Protocol == "h2" { // only support http2 over TLS
+ return listenAndServeHttp2(arg)
+ }
 ln, err = tls.Listen("tcp", arg.Addr, &tls.Config{Certificates: []tls.Certificate{arg.Cert}})
 case "tcp": // Local TCP port forwarding
@@ -83,6 +87,15 @@ func listenAndServe(arg Args) error {
 }
 }
+func listenAndServeHttp2(arg Args) error {
+ srv := http.Server{
+ Addr: arg.Addr,
+ Handler: http.HandlerFunc(handlerHttp2Request),
+ }
+ http2.ConfigureServer(&srv, nil)
+ return srv.ListenAndServeTLS(certFile, keyFile)
+}
+
 func listenAndServeTcpForward(arg Args) error {
 raddr, err := net.ResolveTCPAddr("tcp", arg.Remote)
 if err != nil {
diff --git a/http.go b/http.go
index 36f4449..3541cf5 100644
--- a/http.go
+++ b/http.go
@@ -10,6 +10,8 @@ import (
 )
 func handleHttpRequest(req *http.Request, conn net.Conn, arg Args) {
+ glog.V(LINFO).Infof("[http] %s - %s", conn.RemoteAddr(), req.Host)
+
 if glog.V(LDEBUG) {
 dump, err := httputil.DumpRequest(req, false)
 if err != nil {
@@ -18,7 +20,6 @@ func handleHttpRequest(req *http.Request, conn net.Conn, arg Args) {
 glog.Infoln(string(dump))
 }
 }
- glog.V(LINFO).Infof("[http] %s - %s", conn.RemoteAddr(), req.Host)
 var username, password string
 if arg.User != nil {
diff --git a/http2.go b/http2.go
new file mode 100644
index 0000000..77b58e4
--- /dev/null
+++ b/http2.go
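Review bot: `listenAndServeHttp2` serves with `certFile`/`keyFile` read from disk and never looks at `arg.Cert`, while the plain TLS listener in the same switch builds its config from `arg.Cert`, so a certificate supplied through `Args` is ignored for HTTP/2 and the listener fails outright when `cert.pem` is absent (the `init` in tls.go has a fallback for that case, this path does not). I would set `TLSConfig: &tls.Config{Certificates: []tls.Certificate{arg.Cert}},` on the server and call `return srv.ListenAndServeTLS("", "")`, assuming the Go version in use accepts empty file names when the config already carries a certificate. The server also has no `ReadTimeout`/`WriteTimeout`, so idle or slow clients can hold connections open indefinitely. The result of `http2.ConfigureServer` is discarded; if this version of the package returns an error, it should be checked before serving.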
@@ -0,0 +1,21 @@
+package main
+
+import (
+ "github.com/golang/glog"
+ "net/http"
+ "net/http/httputil"
+)
+
+func handlerHttp2Request(w http.ResponseWriter, r *http.Request) {
+ glog.V(LINFO).Infof("[http2] %s - %s", r.RemoteAddr, r.Host)
+
+ if glog.V(LDEBUG) {
+ dump, err := httputil.DumpRequest(r, false)
+ if err != nil {
+ glog.Infoln(err)
+ } else {
+ glog.Infoln(string(dump))
+ }
+ }
+
+}
diff --git a/tls.go b/tls.go
index 2ce8f5d..083df8e 100644
--- a/tls.go
+++ b/tls.go
@@ -6,7 +6,8 @@ import (
 )
 const (
-
+ certFile = "cert.pem"
+ keyFile = "key.pem"
 // This is the default cert file for convenience, providing your own cert is recommended.
 rawCert = `-----BEGIN CERTIFICATE-----
 MIIC5jCCAdCgAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD
@@ -58,7 +59,7 @@ nh/BAoGBAMY5z2f1pmMhrvtPDSlEVjgjELbaInxFaxPLR4Pdyzn83gtIIU14+R8X
 func init() {
 var err error
- if tlsCert, err = tls.LoadX509KeyPair("cert.pem", "key.pem"); err != nil {
+ if tlsCert, err = tls.LoadX509KeyPair(certFile, keyFile); err != nil {
 glog.V(LWARNING).Infoln(err)
 tlsCert, err = tls.X509KeyPair([]byte(rawCert), []byte(rawKey))
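Review bot: `handlerHttp2Request` takes no `Args`, so unlike `handleHttpRequest` (which reads `arg.User` in http.go) it has no way to apply the configured credentials once it starts forwarding; as written it only logs, and every request gets an empty 200. A doc comment would make the stub status explicit, e.g. `// handlerHttp2Request logs the request only; proxying and authentication are not implemented yet.` Separately, the `LDEBUG` branch writes the full header block from `httputil.DumpRequest` to the log, which would include any `Authorization` or `Proxy-Authorization` header a client sends. Dropping those headers from the dump before logging, and formatting `r.Host` with `%q`, keeps credentials and control characters out of the log.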
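Review bot: The new `certFile` and `keyFile` constants in the first tls.go hunk are undocumented relative paths, so both `tls.LoadX509KeyPair` in `init` and the new `ListenAndServeTLS` call resolve them against whatever directory the process was started from. A comment such as `// certFile and keyFile are PEM files looked up in the working directory at startup.` would state that. The existing comment "This is the default cert file…" now sits directly under `keyFile` with no separating blank line; keeping a blank line above it makes clear it describes `rawCert`, not the file names.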