diff --git a/.gitignore b/.gitignore
index 85e7c1d..9cef47e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
/.idea/
+/Istio/02-Traffic_management/XX-HTTPS-backend/
diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md
index 8477018..340f1c4 100644
--- a/Istio/00-Troubleshooting/README.md
+++ b/Istio/00-Troubleshooting/README.md
@@ -55,6 +55,8 @@ Warning [IST0104] (Gateway default/helloworld-gateway) The gateway refers to a p
Target a pod and start a packet capture on the istio-proxy container.
+This step requires istio to be installed with the flag `values.global.proxy.privileged=true`
+
```shell
$ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile
new file mode 100644
index 0000000..e3df53b
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile
@@ -0,0 +1,13 @@
+FROM nginx
+
+ADD server.conf /etc/nginx/conf.d/default.conf
+
+# RUN apt-get update && \
+# apt-get install apache2 openssl -y && \
+# a2ensite default-ssl && \
+# a2enmod ssl && \
+
+RUN mkdir -p /var/www/html
+RUN echo "Howdy
" | tee /var/www/html/index.html
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md
new file mode 100644
index 0000000..bdab5da
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md
@@ -0,0 +1,321 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
+
+# Description
+
+The previous example was modified set the gateway to enable for HTTP2 traffic.
+
+https://stackoverflow.com/a/59610581
+
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http2
+ protocol: HTTP2
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+```
+
+``
+
+# Walkthrough
+
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+### http2
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+### http1-web
+
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+## Cleanup
+
+```shell
+kubectl delete -f ./
+```
+
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
+
+- https://stackoverflow.com/a/51279606
+
+- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
+
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
+[+] Building 0.0s (0/0)
+ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
+
+---
+## Create the Dockerfile
+
+```bash
+FROM ubuntu/apache2
+
+RUN apt-get update && \
+apt-get install apache2 openssl -y && \
+a2ensite default-ssl && \
+a2enmod ssl && \
+echo "Howdy
" | tee /var/www/html/index.html
+
+RUN /usr/bin/printf "\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+\n\
+\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+ SSLEngine on\n\
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
+" > /etc/apache2/sites-available/000-default.conf
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
+```
+
+## Build the image
+
+Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
+
+For my own commodity, I have used a raspberry pi 4 to build this images.
+
+The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
+
+```shell
+ docker build --tag https-demo:armv7 .
+```
+```text
+docker build --tag https-demo:armv7 . --no-cache
+[+] Building 16.5s (8/8) FINISHED
+ => [internal] load .dockerignore 0.0s
+ => => transferring context: 2B 0.0s
+ => [internal] load build definition from Dockerfile 0.0s
+ => => transferring dockerfile: 1.09kB 0.0s
+ => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
+ => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
+ => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
+ => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
+ => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
+ => exporting to image 1.0s
+ => => exporting layers 1.0s
+ => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
+ => => naming to docker.io/library/https-demo:armv7 0.0s
+```
+
+## Tag the image
+
+```shell
+docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
+```
+
+## Upload to the registery server
+
+```text
+docker image push registery.filter.home:5000/https-demo:armv7
+The push refers to repository [registery.filter.home:5000/https-demo]
+c6d858706b08: Pushed
+9e077e0202f0: Pushed
+6ffc708d0cf3: Pushed
+69e01b4bf4d7: Pushed
+17c5b30f3843: Pushed
+0b9f60fbcaf1: Pushed
+armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
+```
+
+
+
+## ?
+curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
+
+
+
+
+
+---
+
+
+Has apache2 installed with a default certificate.
+
+Port 80 visible for HTTP
+
+Port 443 visible for HTTPS.
+
+
+
+
+curl https:/192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
+http_version: 2
+status_code: 200
+
+
+
+```shell
+curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net
+```
+
+```shell
+curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
+```
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml
new file mode 100644
index 0000000..7553d94
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml
@@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: default-mtls
+ namespace: default
+spec:
+ mtls:
+ mode: PERMISSIVE
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml
new file mode 100755
index 0000000..afeb40d
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http-s
+ targetPort: 80
+ protocol: TCP
+ appProtocol: HTTP
+
+ - port: 8443
+ name: https
+ targetPort: 443
+ protocol: TCP
+ appProtocol: https
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: Always #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml
new file mode 100755
index 0000000..1fe0fa3
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml
@@ -0,0 +1,118 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+# istio: myingressgateway
+ istio: ingressgateway
+ servers:
+# - port:
+# number: 443
+# name: secure-http2
+# protocol: HTTP2
+# hosts:
+# - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+#
+ mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8080
+ - name: https-vs
+ match:
+ - port: 443
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+
+ - port:
+ number: 8443
+ tls:
+# credentialName: client-credential
+ mode: SIMPLE
+
+# port:
+# name: https-backend
+# number: 8443
+# protocol: HTTPS
+# tls:
+# credentialName: my-tls-cert-secret
+# mode: SIMPLE
+# tcp:
+## - match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8080
+## - match:
+## - port: 443
+# - route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+#
+# tls:
+# - match:
+# - port: 443
+# sniHosts:
+# - "hello.si"
+## - uri:
+## exact: /helloworld
+# route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+## protocol: HTTPS
+## rewrite:
+## uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml
new file mode 100644
index 0000000..850c2eb
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml
@@ -0,0 +1,29 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ istio: myingressgateway
+ k8s:
+ service:
+ ports:
+ - name: https-ingress
+ port: 443
+ protocol: TCP
+ targetPort: 1055
+ - name: http-ingress
+ port: 80
+ protocol: TCP
+ targetPort: 1085
+
+ values:
+ gateways:
+ istio-ingressgateway:
+ injectionTemplate: gateway
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf
new file mode 100644
index 0000000..1b7c17a
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf
@@ -0,0 +1,37 @@
+server {
+ listen 80;
+# rewrite ^ https://$server_name$request_uri? permanent;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
+
+server {
+ listen 443 ssl default_server http2;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ ssl on;
+ ssl_certificate /cert.crt;
+ ssl_certificate_key /cert.key;
+ ssl_session_timeout 5m;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/README.md b/Istio/02-Traffic_management/XX-HTTPS-backend/README.md
new file mode 100644
index 0000000..ad5fd8a
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTPS-backend/README.md
@@ -0,0 +1,311 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
+
+# Description
+
+The previous example was modified set the gateway to enable for HTTP2 traffic.
+
+https://stackoverflow.com/a/59610581
+
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http2
+ protocol: HTTP2
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+```
+
+``
+
+# Walkthrough
+
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+### http2
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+### http1-web
+
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+## Cleanup
+
+```shell
+kubectl delete -f ./
+```
+
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
+
+- https://stackoverflow.com/a/51279606
+
+- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
+
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
+[+] Building 0.0s (0/0)
+ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
+
+---
+## Create the Dockerfile
+
+```bash
+FROM ubuntu/apache2
+
+RUN apt-get update && \
+apt-get install apache2 openssl -y && \
+a2ensite default-ssl && \
+a2enmod ssl && \
+echo "Howdy
" | tee /var/www/html/index.html
+
+RUN /usr/bin/printf "\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+\n\
+\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+ SSLEngine on\n\
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
+" > /etc/apache2/sites-available/000-default.conf
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
+```
+
+## Build the image
+
+Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
+
+For my own commodity, I have used a raspberry pi 4 to build this images.
+
+The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
+
+```shell
+ docker build --tag https-demo:armv7 .
+```
+```text
+docker build --tag https-demo:armv7 . --no-cache
+[+] Building 16.5s (8/8) FINISHED
+ => [internal] load .dockerignore 0.0s
+ => => transferring context: 2B 0.0s
+ => [internal] load build definition from Dockerfile 0.0s
+ => => transferring dockerfile: 1.09kB 0.0s
+ => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
+ => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
+ => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
+ => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
+ => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
+ => exporting to image 1.0s
+ => => exporting layers 1.0s
+ => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
+ => => naming to docker.io/library/https-demo:armv7 0.0s
+```
+
+## Tag the image
+
+```shell
+docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
+```
+
+## Upload to the registery server
+
+```text
+docker image push registery.filter.home:5000/https-demo:armv7
+The push refers to repository [registery.filter.home:5000/https-demo]
+c6d858706b08: Pushed
+9e077e0202f0: Pushed
+6ffc708d0cf3: Pushed
+69e01b4bf4d7: Pushed
+17c5b30f3843: Pushed
+0b9f60fbcaf1: Pushed
+armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
+```
+
+
+
+## ?
+curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
+
+
+
+
+
+---
+
+
+Has apache2 installed with a default certificate.
+
+Port 80 visible for HTTP
+
+Port 443 visible for HTTPS.
+
+
+
+
+curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
+http_version: 2
+status_code: 200
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml
new file mode 100755
index 0000000..afeb40d
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http-s
+ targetPort: 80
+ protocol: TCP
+ appProtocol: HTTP
+
+ - port: 8443
+ name: https
+ targetPort: 443
+ protocol: TCP
+ appProtocol: https
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: Always #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml b/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml
new file mode 100755
index 0000000..1fe0fa3
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml
@@ -0,0 +1,118 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+# istio: myingressgateway
+ istio: ingressgateway
+ servers:
+# - port:
+# number: 443
+# name: secure-http2
+# protocol: HTTP2
+# hosts:
+# - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+#
+ mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8080
+ - name: https-vs
+ match:
+ - port: 443
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+
+ - port:
+ number: 8443
+ tls:
+# credentialName: client-credential
+ mode: SIMPLE
+
+# port:
+# name: https-backend
+# number: 8443
+# protocol: HTTPS
+# tls:
+# credentialName: my-tls-cert-secret
+# mode: SIMPLE
+# tcp:
+## - match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8080
+## - match:
+## - port: 443
+# - route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+#
+# tls:
+# - match:
+# - port: 443
+# sniHosts:
+# - "hello.si"
+## - uri:
+## exact: /helloworld
+# route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+## protocol: HTTPS
+## rewrite:
+## uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile
new file mode 100644
index 0000000..e3df53b
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile
@@ -0,0 +1,13 @@
+FROM nginx
+
+ADD server.conf /etc/nginx/conf.d/default.conf
+
+# RUN apt-get update && \
+# apt-get install apache2 openssl -y && \
+# a2ensite default-ssl && \
+# a2enmod ssl && \
+
+RUN mkdir -p /var/www/html
+RUN echo "Howdy
" | tee /var/www/html/index.html
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md
new file mode 100644
index 0000000..611f8be
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md
@@ -0,0 +1,325 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
+
+# Description
+
+The previous example was modified set the gateway to enable for HTTP2 traffic.
+
+https://stackoverflow.com/a/59610581
+
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http2
+ protocol: HTTP2
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+```
+
+``
+
+# Walkthrough
+
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+### http2
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+### http1-web
+
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+## Cleanup
+
+```shell
+kubectl delete -f ./
+```
+
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
+
+- https://stackoverflow.com/a/51279606
+
+- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
+
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
+[+] Building 0.0s (0/0)
+ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
+
+---
+## Create the Dockerfile
+
+```bash
+FROM ubuntu/apache2
+
+RUN apt-get update && \
+apt-get install apache2 openssl -y && \
+a2ensite default-ssl && \
+a2enmod ssl && \
+echo "Howdy
" | tee /var/www/html/index.html
+
+RUN /usr/bin/printf "\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+\n\
+\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+ SSLEngine on\n\
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
+" > /etc/apache2/sites-available/000-default.conf
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
+```
+
+## Build the image
+
+Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
+
+For my own commodity, I have used a raspberry pi 4 to build this images.
+
+The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
+
+```shell
+ docker build --tag https-demo:armv7 .
+```
+```text
+docker build --tag https-demo:armv7 . --no-cache
+[+] Building 16.5s (8/8) FINISHED
+ => [internal] load .dockerignore 0.0s
+ => => transferring context: 2B 0.0s
+ => [internal] load build definition from Dockerfile 0.0s
+ => => transferring dockerfile: 1.09kB 0.0s
+ => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
+ => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
+ => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
+ => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
+ => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
+ => exporting to image 1.0s
+ => => exporting layers 1.0s
+ => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
+ => => naming to docker.io/library/https-demo:armv7 0.0s
+```
+
+## Tag the image
+
+```shell
+docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
+```
+
+## Upload to the registery server
+
+```text
+docker image push registery.filter.home:5000/https-demo:armv7
+The push refers to repository [registery.filter.home:5000/https-demo]
+c6d858706b08: Pushed
+9e077e0202f0: Pushed
+6ffc708d0cf3: Pushed
+69e01b4bf4d7: Pushed
+17c5b30f3843: Pushed
+0b9f60fbcaf1: Pushed
+armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
+```
+
+
+
+## ?
+curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
+
+
+
+
+
+---
+
+
+Has apache2 installed with a default certificate.
+
+Port 80 visible for HTTP
+
+Port 443 visible for HTTPS.
+
+
+
+
+curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
+http_version: 2
+status_code: 200
+
+# Recv failure: Connection reset by peer
+
+```shell
+kubectl apply -f ./
+```
+
+```shell
+curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net
+```
+
+```shell
+curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
+```
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml
new file mode 100644
index 0000000..da9883d
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml
@@ -0,0 +1,11 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: default-mtls
+ namespace: default
+spec:
+ mtls:
+ mode: DISABLE
+
+
+#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
new file mode 100755
index 0000000..4305bf6
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
@@ -0,0 +1,113 @@
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+## istio: myingressgateway
+# istio: ingressgateway
+# servers:
+# - hosts:
+# ["lb.net","*.lb.net"]
+# port:
+# name: tls-443
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: SIMPLE
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+#---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# hosts:
+# - "*"
+# gateways:
+# - helloworld-gateway
+# http:
+## - name: http-vs
+## match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 8080
+# - name: https-vs
+# match:
+# - port: 443
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+# port:
+# number: 443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts: ["lb.net"]
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 443
+##---
+##apiVersion: networking.istio.io/v1alpha3
+##kind: DestinationRule
+##metadata:
+## name: helloworld
+## namespace: default
+##spec:
+## host: helloworld.default.svc.cluster.local
+## trafficPolicy:
+## portLevelSettings:
+## - port:
+## number: 8080
+## tls:
+## mode: DISABLE
+## - port:
+## number: 8443
+## tls:
+## credentialName: client-credential
+## mode: SIMPLE
+## port:
+## name: https-backend
+## number: 8443
+## protocol: HTTPS
+## tls:
+## credentialName: my-tls-cert-secret
+## mode: SIMPLE
+## tcp:
+### - match:
+### - port: 80
+### route:
+### - destination:
+### host: helloworld
+### port:
+### number: 8080
+### - match:
+### - port: 443
+## - route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts:
+## - "hello.si"
+### - uri:
+### exact: /helloworld
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+### protocol: HTTPS
+### rewrite:
+### uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml
new file mode 100755
index 0000000..afeb40d
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http-s
+ targetPort: 80
+ protocol: TCP
+ appProtocol: HTTP
+
+ - port: 8443
+ name: https
+ targetPort: 443
+ protocol: TCP
+ appProtocol: https
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: Always #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml
new file mode 100755
index 0000000..5070950
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml
@@ -0,0 +1,36 @@
+#apiVersion: networking.istio.io/v1beta1
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+# istio: ingressgateway
+# servers:
+# - hosts:
+# - "*"
+# port:
+# name: https
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: PASSTHROUGH
+#---
+#apiVersion: networking.istio.io/v1beta1
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# gateways:
+# - helloworld-gateway
+# hosts: ["lb.net","*.lb.net"]
+## http:
+## - route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+##spec:
+# tls:
+# - match:
+# - sniHosts: ["lb.net","*.lb.net"]
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml
new file mode 100755
index 0000000..a313d3a
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml
@@ -0,0 +1,87 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ # istio: myingressgateway
+ istio: ingressgateway
+ servers:
+ # - port:
+ # number: 443
+ # name: secure-http2
+ # protocol: HTTP2
+ # hosts:
+ # - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+ #
+ mode: PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "lb.net"
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8080
+# - name: https-vs
+# match:
+# - port: 443
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+# port:
+# number: 8443
+ tls:
+ - match:
+ - port: 443
+ sniHosts: ["lb.net"]
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+
+ - port:
+ number: 8443
+ tls:
+ mode: DISABLE
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml
new file mode 100644
index 0000000..850c2eb
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml
@@ -0,0 +1,29 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ istio: myingressgateway
+ k8s:
+ service:
+ ports:
+ - name: https-ingress
+ port: 443
+ protocol: TCP
+ targetPort: 1055
+ - name: http-ingress
+ port: 80
+ protocol: TCP
+ targetPort: 1085
+
+ values:
+ gateways:
+ istio-ingressgateway:
+ injectionTemplate: gateway
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf
new file mode 100644
index 0000000..1b7c17a
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf
@@ -0,0 +1,37 @@
+server {
+ listen 80;
+# rewrite ^ https://$server_name$request_uri? permanent;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
+
+server {
+ listen 443 ssl default_server http2;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ ssl on;
+ ssl_certificate /cert.crt;
+ ssl_certificate_key /cert.key;
+ ssl_session_timeout 5m;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile
new file mode 100644
index 0000000..e3df53b
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile
@@ -0,0 +1,13 @@
+FROM nginx
+
+ADD server.conf /etc/nginx/conf.d/default.conf
+
+# RUN apt-get update && \
+# apt-get install apache2 openssl -y && \
+# a2ensite default-ssl && \
+# a2enmod ssl && \
+
+RUN mkdir -p /var/www/html
+RUN echo "Howdy
" | tee /var/www/html/index.html
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md
new file mode 100644
index 0000000..f356e8b
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md
@@ -0,0 +1,313 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
+
+# Description
+
+The previous example was modified set the gateway to enable for HTTP2 traffic.
+
+https://stackoverflow.com/a/59610581
+
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http2
+ protocol: HTTP2
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+```
+
+``
+
+# Walkthrough
+
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+### http2
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+### http1-web
+
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+## Cleanup
+
+```shell
+kubectl delete -f ./
+```
+
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
+
+- https://stackoverflow.com/a/51279606
+
+- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
+
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
+[+] Building 0.0s (0/0)
+ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
+
+---
+## Create the Dockerfile
+
+```bash
+FROM ubuntu/apache2
+
+RUN apt-get update && \
+apt-get install apache2 openssl -y && \
+a2ensite default-ssl && \
+a2enmod ssl && \
+echo "Howdy
" | tee /var/www/html/index.html
+
+RUN /usr/bin/printf "\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+\n\
+\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+ SSLEngine on\n\
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
+" > /etc/apache2/sites-available/000-default.conf
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
+```
+
+## Build the image
+
+Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
+
+For my own commodity, I have used a raspberry pi 4 to build this images.
+
+The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
+
+```shell
+ docker build --tag https-demo:armv7 .
+```
+```text
+docker build --tag https-demo:armv7 . --no-cache
+[+] Building 16.5s (8/8) FINISHED
+ => [internal] load .dockerignore 0.0s
+ => => transferring context: 2B 0.0s
+ => [internal] load build definition from Dockerfile 0.0s
+ => => transferring dockerfile: 1.09kB 0.0s
+ => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
+ => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
+ => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
+ => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
+ => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
+ => exporting to image 1.0s
+ => => exporting layers 1.0s
+ => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
+ => => naming to docker.io/library/https-demo:armv7 0.0s
+```
+
+## Tag the image
+
+```shell
+docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
+```
+
+## Upload to the registery server
+
+```text
+docker image push registery.filter.home:5000/https-demo:armv7
+The push refers to repository [registery.filter.home:5000/https-demo]
+c6d858706b08: Pushed
+9e077e0202f0: Pushed
+6ffc708d0cf3: Pushed
+69e01b4bf4d7: Pushed
+17c5b30f3843: Pushed
+0b9f60fbcaf1: Pushed
+armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
+```
+
+
+
+## ?
+curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
+
+
+
+
+
+---
+
+
+Has apache2 installed with a default certificate.
+
+Port 80 visible for HTTP
+
+Port 443 visible for HTTPS.
+
+
+
+
+curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
+http_version: 2
+status_code: 200
+
+# Recv failure: Connection reset by peer
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml
new file mode 100644
index 0000000..da9883d
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml
@@ -0,0 +1,11 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: default-mtls
+ namespace: default
+spec:
+ mtls:
+ mode: DISABLE
+
+
+#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml
new file mode 100755
index 0000000..871a985
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml
@@ -0,0 +1,117 @@
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+## istio: myingressgateway
+# istio: ingressgateway
+# servers:
+# - hosts:
+# ["lb.net","*.lb.net"]
+# port:
+# name: tls-443
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: SIMPLE
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+#---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# hosts:
+# - "*"
+# gateways:
+# - helloworld-gateway
+# http:
+## - name: http-vs
+## match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 8080
+# - name: https-vs
+# match:
+# - port: 443
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+# port:
+# number: 443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts: ["lb.net"]
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 443
+#
+##---
+##apiVersion: networking.istio.io/v1alpha3
+##kind: DestinationRule
+##metadata:
+## name: helloworld
+## namespace: default
+##spec:
+## host: helloworld.default.svc.cluster.local
+## trafficPolicy:
+## portLevelSettings:
+## - port:
+## number: 8080
+## tls:
+## mode: DISABLE
+#
+## - port:
+## number: 8443
+## tls:
+## credentialName: client-credential
+## mode: SIMPLE
+#
+#
+## port:
+## name: https-backend
+## number: 8443
+## protocol: HTTPS
+## tls:
+## credentialName: my-tls-cert-secret
+## mode: SIMPLE
+## tcp:
+### - match:
+### - port: 80
+### route:
+### - destination:
+### host: helloworld
+### port:
+### number: 8080
+### - match:
+### - port: 443
+## - route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts:
+## - "hello.si"
+### - uri:
+### exact: /helloworld
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+### protocol: HTTPS
+### rewrite:
+### uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
new file mode 100755
index 0000000..233c5ed
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - name: p1
+ port: 80
+ protocol: TCP
+ - name: https
+ port: 443
+ protocol: TCP
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
new file mode 100755
index 0000000..5070950
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
@@ -0,0 +1,36 @@
+#apiVersion: networking.istio.io/v1beta1
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+# istio: ingressgateway
+# servers:
+# - hosts:
+# - "*"
+# port:
+# name: https
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: PASSTHROUGH
+#---
+#apiVersion: networking.istio.io/v1beta1
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# gateways:
+# - helloworld-gateway
+# hosts: ["lb.net","*.lb.net"]
+## http:
+## - route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+##spec:
+# tls:
+# - match:
+# - sniHosts: ["lb.net","*.lb.net"]
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
new file mode 100755
index 0000000..210ef29
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
@@ -0,0 +1,85 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ # istio: myingressgateway
+ istio: ingressgateway
+ servers:
+ # - port:
+ # number: 443
+ # name: secure-http2
+ # protocol: HTTP2
+ # hosts:
+ # - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+ #
+ mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts: ["lb.net"]
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 80
+ - name: https-vs
+ match:
+ - port: 443
+ sniHosts: ["lb.net"]
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 443
+# tls:
+# - match:
+# - sniHosts: ["lb.net"]
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+#
+ - port:
+ number: 443
+ tls:
+ credentialName: client-credential
+ mode: DISABLE
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml
new file mode 100644
index 0000000..850c2eb
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml
@@ -0,0 +1,29 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ istio: myingressgateway
+ k8s:
+ service:
+ ports:
+ - name: https-ingress
+ port: 443
+ protocol: TCP
+ targetPort: 1055
+ - name: http-ingress
+ port: 80
+ protocol: TCP
+ targetPort: 1085
+
+ values:
+ gateways:
+ istio-ingressgateway:
+ injectionTemplate: gateway
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf
new file mode 100644
index 0000000..1b7c17a
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf
@@ -0,0 +1,37 @@
+server {
+ listen 80;
+# rewrite ^ https://$server_name$request_uri? permanent;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
+
+server {
+ listen 443 ssl default_server http2;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ ssl on;
+ ssl_certificate /cert.crt;
+ ssl_certificate_key /cert.key;
+ ssl_session_timeout 5m;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
\ No newline at end of file