Configuring Envoy to expose HTTP + mTLS when workload is HTTPS

We have a Java workload running that only exposes an HTTPS port, and requires certificates/keys be loaded into a proprietary keystore. The certificate it is presenting is self-signed.

We would like to enable other workloads in the mesh to access this with HTTP + mTLS (with mTLS certificates managed by Istio), and have Envoy handle the upstream HTTPS connection to the workload internally.

Is there any way to configure this via Istio, without dropping down to an Envoy filter? (I’m guessing it would be possible via an Envoy filter, but haven’t tried that yet).