diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 5a7664cde3..e494189bb5 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -3045,7 +3045,7 @@ start_tcp(dig_query_t *query) {
 		isc_nm_httpconnect(netmgr, &localaddr, &query->sockaddr, uri,
 				   !query->lookup->https_get, tcp_connected,
 				   connectquery, tlsctx, sess_cache,
-				   local_timeout);
+				   local_timeout, false, NULL);
 #endif
 	} else {
 		isc_nm_streamdnsconnect(netmgr, &localaddr, &query->sockaddr,
diff --git a/bin/tests/test_client.c b/bin/tests/test_client.c
index f32fa6770e..e26b2e657e 100644
--- a/bin/tests/test_client.c
+++ b/bin/tests/test_client.c
@@ -408,7 +408,7 @@ run(void) {
 		}
 		isc_nm_httpconnect(netmgr, &sockaddr_local, &sockaddr_remote,
 				   req_url, is_post, connect_cb, NULL, tls_ctx,
-				   NULL, timeout);
+				   NULL, timeout, false, NULL);
 	} break;
 #endif
 	default:
diff --git a/bin/tests/test_server.c b/bin/tests/test_server.c
index 1a78534b37..2dad8cf4f8 100644
--- a/bin/tests/test_server.c
+++ b/bin/tests/test_server.c
@@ -275,7 +275,7 @@ run(void) {
 		if (result == ISC_R_SUCCESS) {
 			result = isc_nm_listenhttp(netmgr, ISC_NM_LISTEN_ALL,
 						   &sockaddr, 0, NULL, tls_ctx,
-						   eps, 0, &sock);
+						   eps, 0, false, &sock);
 		}
 		isc_nm_http_endpoints_detach(&eps);
 	} break;
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
index 1bbdb52259..8002884aea 100644
--- a/lib/isc/include/isc/netmgr.h
+++ b/lib/isc/include/isc/netmgr.h
@@ -640,13 +640,14 @@ isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 		   const char *uri, bool POST, isc_nm_cb_t cb, void *cbarg,
 		   isc_tlsctx_t			     *ctx,
 		   isc_tlsctx_client_session_cache_t *client_sess_cache,
-		   unsigned int			      timeout);
+		   unsigned int timeout, bool proxy,
+		   isc_nm_proxyheader_info_t *proxy_info);
 
 isc_result_t
 isc_nm_listenhttp(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 		  int backlog, isc_quota_t *quota, isc_tlsctx_t *ctx,
 		  isc_nm_http_endpoints_t *eps, uint32_t max_concurrent_streams,
-		  isc_nmsocket_t **sockp);
+		  bool proxy, isc_nmsocket_t **sockp);
 
 isc_nm_http_endpoints_t *
 isc_nm_http_endpoints_new(isc_mem_t *mctx);
diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index f6a11d69d5..aa106e06d9 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -344,6 +344,13 @@ isc__nm_httpsession_detach(isc_nm_http_session_t **sessionp) {
 			     sizeof(isc_nm_http_session_t));
 }
 
+isc_nmhandle_t *
+isc__nm_httpsession_handle(isc_nm_http_session_t *session) {
+	REQUIRE(VALID_HTTP2_SESSION(session));
+
+	return (session->handle);
+}
+
 static http_cstream_t *
 find_http_cstream(int32_t stream_id, isc_nm_http_session_t *session) {
 	http_cstream_t *cstream = NULL;
@@ -1446,7 +1453,8 @@ isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 		   const char *uri, bool post, isc_nm_cb_t cb, void *cbarg,
 		   isc_tlsctx_t *tlsctx,
 		   isc_tlsctx_client_session_cache_t *client_sess_cache,
-		   unsigned int timeout) {
+		   unsigned int timeout, bool proxy,
+		   isc_nm_proxyheader_info_t *proxy_info) {
 	isc_sockaddr_t local_interface;
 	isc_nmsocket_t *sock = NULL;
 	isc__networker_t *worker = NULL;
@@ -1510,8 +1518,12 @@ isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 
 	if (tlsctx != NULL) {
 		isc_nm_tlsconnect(mgr, local, peer, transport_connect_cb, sock,
-				  tlsctx, client_sess_cache, timeout, false,
+				  tlsctx, client_sess_cache, timeout, proxy,
 				  NULL);
+	} else if (proxy) {
+		isc_nm_proxystreamconnect(mgr, local, peer,
+					  transport_connect_cb, sock, timeout,
+					  proxy_info);
 	} else {
 		isc_nm_tcpconnect(mgr, local, peer, transport_connect_cb, sock,
 				  timeout);
@@ -2461,7 +2473,7 @@ isc_result_t
 isc_nm_listenhttp(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 		  int backlog, isc_quota_t *quota, isc_tlsctx_t *ctx,
 		  isc_nm_http_endpoints_t *eps, uint32_t max_concurrent_streams,
-		  isc_nmsocket_t **sockp) {
+		  bool proxy, isc_nmsocket_t **sockp) {
 	isc_nmsocket_t *sock = NULL;
 	isc_result_t result;
 	isc__networker_t *worker = NULL;
@@ -2486,7 +2498,11 @@ isc_nm_listenhttp(isc_nm_t *mgr, uint32_t workers, isc_sockaddr_t *iface,
 	if (ctx != NULL) {
 		result = isc_nm_listentls(mgr, workers, iface,
 					  httplisten_acceptcb, sock, backlog,
-					  quota, ctx, false, &sock->outer);
+					  quota, ctx, proxy, &sock->outer);
+	} else if (proxy) {
+		result = isc_nm_listenproxystream(mgr, workers, iface,
+						  httplisten_acceptcb, sock,
+						  backlog, quota, &sock->outer);
 	} else {
 		result = isc_nm_listentcp(mgr, workers, iface,
 					  httplisten_acceptcb, sock, backlog,
@@ -3201,8 +3217,8 @@ isc__nm_http_cleanup_data(isc_nmsocket_t *sock) {
 
 	if ((sock->type == isc_nm_httplistener ||
 	     sock->type == isc_nm_httpsocket ||
-	     sock->type == isc_nm_tcpsocket ||
-	     sock->type == isc_nm_tlssocket) &&
+	     sock->type == isc_nm_tcpsocket || sock->type == isc_nm_tlssocket ||
+	     sock->type == isc_nm_proxystreamsocket) &&
 	    sock->h2.session != NULL)
 	{
 		if (sock->h2.connect.uri != NULL) {
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 5011d0b20b..34c4982c0e 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -1088,6 +1088,9 @@ isc__nm_httpsession_attach(isc_nm_http_session_t *source,
 void
 isc__nm_httpsession_detach(isc_nm_http_session_t **sessionp);
 
+isc_nmhandle_t *
+isc__nm_httpsession_handle(isc_nm_http_session_t *session);
+
 void
 isc__nm_http_set_tlsctx(isc_nmsocket_t *sock, isc_tlsctx_t *tlsctx);
 
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 97176c9336..0ac2529c88 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -2147,15 +2147,20 @@ get_proxy_handle(isc_nmhandle_t *handle) {
 	switch (sock->type) {
 	case isc_nm_proxystreamsocket:
 		return (handle);
+#ifdef HAVE_LIBNGHTTP2
+	case isc_nm_httpsocket:
+		return (get_proxy_handle(
+			isc__nm_httpsession_handle(sock->h2.session)));
+#endif /* HAVE_LIBNGHTTP2 */
 	default:
 		break;
 	}
 
-	if (sock->outerhandle == NULL) {
-		return NULL;
+	if (sock->outerhandle != NULL) {
+		return (get_proxy_handle(sock->outerhandle));
 	}
 
-	return (get_proxy_handle(sock->outerhandle));
+	return (NULL);
 }
 
 bool
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index 6524702095..3561acd21d 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -581,10 +581,10 @@ ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps,
 	if (result == ISC_R_SUCCESS) {
 		quota = isc_mem_get(ifp->mgr->mctx, sizeof(*quota));
 		isc_quota_init(quota, max_clients);
-		result = isc_nm_listenhttp(ifp->mgr->nm, ISC_NM_LISTEN_ALL,
-					   &ifp->addr, ifp->mgr->backlog, quota,
-					   sslctx, epset,
-					   max_concurrent_streams, &sock);
+		result = isc_nm_listenhttp(
+			ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr,
+			ifp->mgr->backlog, quota, sslctx, epset,
+			max_concurrent_streams, false, &sock);
 	}
 
 	isc_nm_http_endpoints_detach(&epset);
diff --git a/tests/isc/doh_test.c b/tests/isc/doh_test.c
index 2a05429ba8..6e46abe917 100644
--- a/tests/isc/doh_test.c
+++ b/tests/isc/doh_test.c
@@ -103,6 +103,8 @@ static atomic_bool check_listener_quota = false;
 
 static isc_nm_http_endpoints_t *endpoints = NULL;
 
+static atomic_bool use_PROXY = false;
+
 static isc_nm_t **nm = NULL;
 
 /* Timeout for soft-timeout tests (0.05 seconds) */
@@ -184,7 +186,7 @@ connect_send_request(isc_nm_t *mgr, const char *uri, bool post,
 
 	isc_nm_httpconnect(mgr, NULL, &tcp_listen_addr, uri, post,
 			   connect_send_cb, data, ctx, client_sess_cache,
-			   timeout);
+			   timeout, atomic_load(&use_PROXY), NULL);
 }
 
 static int
@@ -472,7 +474,7 @@ ISC_LOOP_TEST_IMPL(mock_doh_uv_tcp_bind) {
 	assert_int_equal(result, ISC_R_SUCCESS);
 	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
 				   &tcp_listen_addr, 0, NULL, NULL, endpoints,
-				   0, &listen_sock);
+				   0, false, &listen_sock);
 	assert_int_not_equal(result, ISC_R_SUCCESS);
 	assert_null(listen_sock);
 
@@ -504,7 +506,7 @@ doh_noop(void *arg ISC_ATTR_UNUSED) {
 
 	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
 				   &tcp_listen_addr, 0, NULL, NULL, endpoints,
-				   0, &listen_sock);
+				   0, atomic_load(&use_PROXY), &listen_sock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	isc_loop_teardown(mainloop, listen_sock_close, listen_sock);
 
@@ -547,7 +549,7 @@ doh_noresponse(void *arg ISC_ATTR_UNUSED) {
 
 	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
 				   &tcp_listen_addr, 0, NULL, NULL, endpoints,
-				   0, &listen_sock);
+				   0, atomic_load(&use_PROXY), &listen_sock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	isc_loop_teardown(mainloop, listen_sock_close, listen_sock);
 
@@ -639,7 +641,7 @@ doh_timeout_recovery(void *arg ISC_ATTR_UNUSED) {
 
 	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
 				   &tcp_listen_addr, 0, NULL, NULL, endpoints,
-				   0, &listen_sock);
+				   0, atomic_load(&use_PROXY), &listen_sock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	isc_loop_teardown(mainloop, listen_sock_close, listen_sock);
 
@@ -658,7 +660,8 @@ doh_timeout_recovery(void *arg ISC_ATTR_UNUSED) {
 			ISC_NM_HTTP_DEFAULT_PATH);
 	isc_nm_httpconnect(connect_nm, NULL, &tcp_listen_addr, req_url,
 			   atomic_load(&POST), timeout_request_cb, NULL, ctx,
-			   client_sess_cache, T_SOFT);
+			   client_sess_cache, T_SOFT, atomic_load(&use_PROXY),
+			   NULL);
 }
 
 static int
@@ -765,10 +768,10 @@ doh_recv_one(void *arg ISC_ATTR_UNUSED) {
 					   doh_receive_request_cb, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
-				   &tcp_listen_addr, 0, quotap,
-				   atomic_load(&use_TLS) ? server_tlsctx : NULL,
-				   endpoints, 0, &listen_sock);
+	result = isc_nm_listenhttp(
+		listen_nm, ISC_NM_LISTEN_ALL, &tcp_listen_addr, 0, quotap,
+		atomic_load(&use_TLS) ? server_tlsctx : NULL, endpoints, 0,
+		atomic_load(&use_PROXY), &listen_sock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	sockaddr_to_url(&tcp_listen_addr, atomic_load(&use_TLS), req_url,
@@ -892,10 +895,10 @@ doh_recv_two(void *arg ISC_ATTR_UNUSED) {
 					   doh_receive_request_cb, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
-				   &tcp_listen_addr, 0, quotap,
-				   atomic_load(&use_TLS) ? server_tlsctx : NULL,
-				   endpoints, 0, &listen_sock);
+	result = isc_nm_listenhttp(
+		listen_nm, ISC_NM_LISTEN_ALL, &tcp_listen_addr, 0, quotap,
+		atomic_load(&use_TLS) ? server_tlsctx : NULL, endpoints, 0,
+		atomic_load(&use_PROXY), &listen_sock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	sockaddr_to_url(&tcp_listen_addr, atomic_load(&use_TLS), req_url,
@@ -907,7 +910,8 @@ doh_recv_two(void *arg ISC_ATTR_UNUSED) {
 
 	isc_nm_httpconnect(connect_nm, NULL, &tcp_listen_addr, req_url,
 			   atomic_load(&POST), doh_connect_send_two_requests_cb,
-			   NULL, ctx, client_sess_cache, 5000);
+			   NULL, ctx, client_sess_cache, 5000,
+			   atomic_load(&use_PROXY), NULL);
 
 	isc_loop_teardown(mainloop, listen_sock_close, listen_sock);
 }
@@ -992,10 +996,10 @@ doh_recv_send(void *arg ISC_ATTR_UNUSED) {
 					   doh_receive_request_cb, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
-				   &tcp_listen_addr, 0, quotap,
-				   atomic_load(&use_TLS) ? server_tlsctx : NULL,
-				   endpoints, 0, &listen_sock);
+	result = isc_nm_listenhttp(
+		listen_nm, ISC_NM_LISTEN_ALL, &tcp_listen_addr, 0, quotap,
+		atomic_load(&use_TLS) ? server_tlsctx : NULL, endpoints, 0,
+		atomic_load(&use_PROXY), &listen_sock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	for (size_t i = 0; i < nthreads; i++) {
@@ -1108,7 +1112,8 @@ ISC_LOOP_TEST_IMPL(doh_bad_connect_uri) {
 
 	result = isc_nm_listenhttp(listen_nm, ISC_NM_LISTEN_ALL,
 				   &tcp_listen_addr, 0, quotap, server_tlsctx,
-				   endpoints, 0, &listen_sock);
+				   endpoints, 0, atomic_load(&use_PROXY),
+				   &listen_sock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	/*