diff --git a/libmproxy/cmdline.py b/libmproxy/cmdline.py
index 7f6f69ef0..3779953f8 100644
--- a/libmproxy/cmdline.py
+++ b/libmproxy/cmdline.py
@@ -1,11 +1,11 @@
 from __future__ import absolute_import
 import os
 import re
+
 import configargparse
+
 from netlib.tcp import Address, sslversion_choices
-
 import netlib.utils
-
 from . import filt, utils, version
 from .proxy import config
 
@@ -358,6 +358,20 @@ def proxy_options(parser):
         action="store", type=int, dest="port", default=8080,
         help="Proxy service port."
     )
+    http2 = group.add_mutually_exclusive_group()
+    http2.add_argument("--http2", action="store_true", dest="http2")
+    http2.add_argument("--no-http2", action="store_false", dest="http2",
+                       help="Explicitly enable/disable experimental HTTP2 support. "
+                            "Disabled by default. "
+                            "Default value will change in a future version."
+                       )
+    rawtcp = group.add_mutually_exclusive_group()
+    rawtcp.add_argument("--raw-tcp", action="store_true", dest="rawtcp")
+    rawtcp.add_argument("--no-raw-tcp", action="store_false", dest="rawtcp",
+                       help="Explicitly enable/disable experimental raw tcp support. "
+                            "Disabled by default. "
+                            "Default value will change in a future version."
+                       )
 
 
 def proxy_ssl_options(parser):
diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index 52164241c..308fa0a0e 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -16,7 +16,7 @@ from ..models import (
     HTTPFlow, HTTPRequest, HTTPResponse, make_error_response, make_connect_response, Error
 )
 from .base import Layer, Kill
-
+from .rawtcp import RawTCPLayer
 
 class _HttpLayer(Layer):
     supports_streaming = False
@@ -364,7 +364,13 @@ class HttpLayer(Layer):
                 if self.check_close_connection(flow):
                     return
 
-                # TODO: Implement HTTP Upgrade
+                # Handle 101 Switching Protocols
+                # It may be useful to pass additional args (such as the upgrade header)
+                # to next_layer in the future
+                if flow.response.status_code == 101:
+                    layer = self.ctx.next_layer(self)
+                    layer()
+                    return
 
                 # Upstream Proxy Mode: Handle CONNECT
                 if flow.request.form_in == "authority" and flow.response.code == 200:
diff --git a/libmproxy/protocol/tls.py b/libmproxy/protocol/tls.py
index 6e8535ae0..2cddb1dd4 100644
--- a/libmproxy/protocol/tls.py
+++ b/libmproxy/protocol/tls.py
@@ -3,6 +3,8 @@ from __future__ import (absolute_import, print_function, division)
 import struct
 
 from construct import ConstructError
+import six
+import sys
 
 from netlib.tcp import NetLibError, NetLibInvalidCertificateError
 from netlib.http.http1 import HTTP1Protocol
@@ -387,7 +389,7 @@ class TlsLayer(Layer):
                 self._establish_tls_with_client()
             except:
                 pass
-            raise e
+            six.reraise(*sys.exc_info())
 
         self._establish_tls_with_client()
 
@@ -416,9 +418,11 @@ class TlsLayer(Layer):
             # and mitmproxy would enter TCP passthrough mode, which we want to avoid.
             deprecated_http2_variant = lambda x: x.startswith("h2-") or x.startswith("spdy")
             if self.client_alpn_protocols:
-                alpn = filter(lambda x: not deprecated_http2_variant(x), self.client_alpn_protocols)
+                alpn = [x for x in self.client_alpn_protocols if not deprecated_http2_variant(x)]
             else:
                 alpn = None
+            if alpn and "h2" in alpn and not self.config.http2 :
+                alpn.remove("h2")
 
             ciphers_server = self.config.ciphers_server
             if not ciphers_server:
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 2a1b84cb5..cd9eda5ab 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -54,6 +54,8 @@ class ProxyConfig:
             authenticator=None,
             ignore_hosts=tuple(),
             tcp_hosts=tuple(),
+            http2=False,
+            rawtcp=False,
             ciphers_client=None,
             ciphers_server=None,
             certs=tuple(),
@@ -78,6 +80,8 @@ class ProxyConfig:
 
         self.check_ignore = HostMatcher(ignore_hosts)
         self.check_tcp = HostMatcher(tcp_hosts)
+        self.http2 = http2
+        self.rawtcp = rawtcp
         self.authenticator = authenticator
         self.cadir = os.path.expanduser(cadir)
         self.certstore = certutils.CertStore.from_store(
@@ -183,6 +187,8 @@ def process_proxy_options(parser, options):
         upstream_server=upstream_server,
         ignore_hosts=options.ignore_hosts,
         tcp_hosts=options.tcp_hosts,
+        http2=options.http2,
+        rawtcp=options.rawtcp,
         authenticator=authenticator,
         ciphers_client=options.ciphers_client,
         ciphers_server=options.ciphers_server,
@@ -192,4 +198,4 @@ def process_proxy_options(parser, options):
         ssl_verify_upstream_cert=options.ssl_verify_upstream_cert,
         ssl_verify_upstream_trusted_cadir=options.ssl_verify_upstream_trusted_cadir,
         ssl_verify_upstream_trusted_ca=options.ssl_verify_upstream_trusted_ca
-    )
\ No newline at end of file
+    )
diff --git a/libmproxy/proxy/root_context.py b/libmproxy/proxy/root_context.py
index dccdf023c..54bea1db4 100644
--- a/libmproxy/proxy/root_context.py
+++ b/libmproxy/proxy/root_context.py
@@ -1,8 +1,13 @@
 from __future__ import (absolute_import, print_function, division)
+import string
+import sys
 
+import six
+
+from libmproxy.exceptions import ProtocolException
 from netlib.http.http1 import HTTP1Protocol
 from netlib.http.http2 import HTTP2Protocol
-
+from netlib.tcp import NetLibError
 from ..protocol import (
     RawTCPLayer, TlsLayer, Http1Layer, Http2Layer, is_tls_record_magic, ServerConnectionMixin
 )
@@ -48,7 +53,10 @@ class RootContext(object):
         if self.config.check_ignore(top_layer.server_conn.address):
             return RawTCPLayer(top_layer, logging=False)
 
-        d = top_layer.client_conn.rfile.peek(3)
+        try:
+            d = top_layer.client_conn.rfile.peek(3)
+        except NetLibError as e:
+            six.reraise(ProtocolException, ProtocolException(str(e)), sys.exc_info()[2])
         client_tls = is_tls_record_magic(d)
 
         # 2. Always insert a TLS layer, even if there's neither client nor server tls.
@@ -82,21 +90,17 @@ class RootContext(object):
             if alpn == HTTP1Protocol.ALPN_PROTO_HTTP1:
                 return Http1Layer(top_layer, 'transparent')
 
-        # 6. Assume HTTP1 by default
-        return Http1Layer(top_layer, 'transparent')
+        # 6. Check for raw tcp mode
+        is_ascii = (
+            len(d) == 3 and
+            # better be safe here and don't expect uppercase...
+            all(x in string.ascii_letters for x in d)
+        )
+        if self.config.rawtcp and not is_ascii:
+            return RawTCPLayer(top_layer)
 
-        # In a future version, we want to implement TCP passthrough as the last fallback,
-        # but we don't have the UI part ready for that.
-        #
-        # d = top_layer.client_conn.rfile.peek(3)
-        # is_ascii = (
-        #     len(d) == 3 and
-        #     # better be safe here and don't expect uppercase...
-        #     all(x in string.ascii_letters for x in d)
-        # )
-        # # TODO: This could block if there are not enough bytes available?
-        # d = top_layer.client_conn.rfile.peek(len(HTTP2Protocol.CLIENT_CONNECTION_PREFACE))
-        # is_http2_magic = (d == HTTP2Protocol.CLIENT_CONNECTION_PREFACE)
+        # 7. Assume HTTP1 by default
+        return Http1Layer(top_layer, 'transparent')
 
     def log(self, msg, level, subs=()):
         """