Kong gRPC Routing Issue - HTTP/2 Requests Getting 400 Errors

Questions
1

Kong gRPC Routing Issue - HTTP/2 Requests Getting 400 Errors

Problem

Trying to route gRPC traffic through Kong, but all gRPC requests fail with 400 errors while HTTP routing works fine.

Environment

  • Kong 3.4.3.21 (open source)
  • Kubernetes deployment
  • Service exposes ports 80 and 443

What Works

Direct gRPC to backend: grpcurl -plaintext localhost:50051 list
HTTP routing through Kong: curl http://localhost:8080/world
Kong Admin API on port 8001

What Fails

gRPC through Kong:

grpcurl -plaintext localhost:8080 list
Error: "Failed to dial target host: context deadline exceeded"

Kong Logs

127.0.0.1 - - [26/Oct/2025:19:27:17 +0000] "PRI * HTTP/2.0" 400 57 "-" "-"

Configuration

Service:

{
  "name": "bookstore-grpc",
  "protocol": "grpc",
  "host": "bookstore-grpc.grpc.svc.cluster.local",
  "port": 50051
}

Routes Tried:

{
“name”: “bookstore-grpc-simple”,
“protocols”: [“grpc”],
“paths”: [“/”],
“service”: {“name”: “bookstore-grpc”}
}

{
“name”: “bookstore-grpc-host”,
“protocols”: [“grpc”],
“hosts”: [“bookstore-grpc.local”],
“paths”: [“/”],
“service”: {“name”: “bookstore-grpc”}
}

{
“name”: “bookstore-grpc-path”,
“protocols”: [“grpc”],
“paths”: [“/bookstore.BookStore”],
“service”: {“name”: “bookstore-grpc”}
}
  • Path-based: paths: ["/"]
  • Host-based: hosts: ["bookstore-grpc.local"]
  • Specific: paths: ["/bookstore.BookStore"]

Key Finding

proxy_listener shows as null:

curl -s http://localhost:8001/ | jq '.configuration.proxy_listener'
# null

What I’ve Tried

  1. Multiple route configurations
  2. Different gRPC clients
  3. Verified backend connectivity
  4. Various timeout settings
  5. Clean slate setup

Backend gRPC service is healthy and works directly. Only routing through Kong fails. Any help appreciated! Moreover, my HTTP services are working well with kong.

2

@Abdul_Matin please try the following:

Kong must be explicitly configured to accept HTTP/2 traffic on the proxy port for gRPC to work. By default, Kong listens for HTTP/1.x unless you add the http2 suffix to the proxy_listen (or KONG_PROXY_LISTEN) configuration. If this is not set, gRPC clients will fail to connect, and you’ll see the exact error and log pattern you described.

Make sure http2 has been added to 1 of the below parameters
e.g
proxy_listen = 0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl
KONG_PROXY_LISTEN = 0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl
Please remember to restart Kong after you modified any of them
how to proxy gRPC request via kong

Solution

  1. Update Kong’s proxy listener to support HTTP/2:

    If you’re running Kong in Kubernetes, set the environment variable for the deployment:

    KONG_PROXY_LISTEN=0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl

    Or, if you’re using a config file, ensure:

    proxy_listen = 0.0.0.0:8000 http2, 0.0.0.0:8443 http2 ssl

    Then restart Kong for the changes to take effect.

    Reference: how to proxy gRPC request via kong

  2. Verify the listener:

    After restarting, check that Kong is listening for HTTP/2:

    curl -s http://localhost:8001/ | jq '.configuration.proxy_listen'

    You should see the http2 suffix in the output.

  3. Route configuration:

    Your route definitions look correct for gRPC. For example:

    {
    "name": "bookstore-grpc-simple",
    "protocols": ["grpc"],
    "paths": ["/"],
    "service": {"name": "bookstore-grpc"}
    }

    This is a standard setup for gRPC routing in Kong.

Additional Notes

  • gRPC requires HTTP/2: If Kong is not listening for HTTP/2, all gRPC requests will fail with 400 errors, as you observed.

  • Kong 3.6.x and later: If you upgrade, simultaneous HTTP/1.1 and HTTP/2 without TLS on the same port is supported. For Kong 3.4.x, you may need to dedicate a port for HTTP/2 if you also need HTTP/1.1 on port 80. gRPC over HTTP

Summary

Update your proxy_listen or KONG_PROXY_LISTEN to include http2, restart Kong, and your gRPC routing should work as expected.

If you continue to see issues after this change, please provide the updated listener configuration and any new error logs.

3

Thanks it worked. In that case, I can only serve http2 traffic over the port. Can I serve both htt1.x and http2 over the same port?

4

Great @Abdul_Matin . For questions I encourage you to checkout out our AI assistant at https://developer.konghq.com/. I have been feeding your questions into the agent to get this information. I posted your follow up question to the agent and got this back:

Yes, Kong Gateway can serve both HTTP/1.x and HTTP/2 over the same port, but with some important caveats:

  • For HTTPS (TLS) ports: You can serve both HTTP/1.x and HTTP/2 on the same port using the http2 ssl suffix in your proxy_listen configuration. This works because TLS allows protocol negotiation (ALPN), so clients and Kong can agree on which protocol to use for each connection. For example:

    proxy_listen = 0.0.0.0:8443 http2 ssl

    With this configuration, both HTTP/1.x and HTTP/2 clients can connect to port 8443, and Kong will handle both protocols appropriately over TLS connections. This is the recommended and most widely supported approach for serving both protocols on the same port Does Kong support http2 protocol?.

  • For plain HTTP (non-TLS) ports: By default, NGINX (and therefore Kong) does not support serving both HTTP/1.x and HTTP/2 on the same non-TLS port. HTTP/2 without TLS (h2c) requires “prior knowledge” from the client, and NGINX only supports one protocol version per plain HTTP port. If you configure a port for HTTP/2 (e.g., 0.0.0.0:8000 http2), only clients that use HTTP/2 with prior knowledge can connect; HTTP/1.x clients will not be able to use that port, and vice versa Does Kong support http2 protocol?, gRPC over HTTP.

  • Recent Kong versions: Starting with Kong Gateway 3.6.x, there is support for listening to both HTTP/1.1 and HTTP/2 without TLS on the same port, but only in those versions and later. For earlier versions, you must use separate ports for HTTP/1.x and HTTP/2 if you want to support both protocols without TLS gRPC over HTTP.

Summary:

  • For HTTPS: Yes, both HTTP/1.x and HTTP/2 are supported on the same port.

  • For HTTP (no TLS): Only supported on the same port in Kong Gateway 3.6.x and later; otherwise, you need separate ports.

If you need to configure this, use the proxy_listen directive as shown above.