diff --git a/deploy/access-proxy/main.go b/deploy/access-proxy/main.go
index 6e7afbb..e295420 100644
--- a/deploy/access-proxy/main.go
+++ b/deploy/access-proxy/main.go
@@ -166,23 +166,24 @@ func proxyCopy(errCh chan<- error, dst io.Writer, src io.Reader) {
 }
 
 func readClientHello(reader *bufio.Reader) ([]byte, string, error) {
-	header, err := reader.Peek(5)
-	if err != nil {
+	header := make([]byte, 5)
+	if _, err := io.ReadFull(reader, header); err != nil {
 		return nil, "", err
 	}
 	if header[0] != 22 {
 		return nil, "", errors.New("not a tls client hello")
 	}
 	recordLen := int(header[3])<<8 | int(header[4])
-	full, err := reader.Peek(5 + recordLen)
-	if err != nil {
+	full := make([]byte, 5+recordLen)
+	copy(full, header)
+	if _, err := io.ReadFull(reader, full[5:]); err != nil {
 		return nil, "", err
 	}
 	host, err := extractSNI(full)
 	if err != nil {
 		return nil, "", err
 	}
-	return append([]byte(nil), full...), host, nil
+	return full, host, nil
 }
 
 func extractSNI(packet []byte) (string, error) {