How to redirect to HTTPS except for /.well-known/acme-challenge

I want the traffic thar comes to my cluster as HTTP to be redirected to HTTPS. However, the cluster receives requests from hundreds of domains that change dinamically (creating new certs with cert-manager). So I want the redirect to happen only when the URI doesn’t have the prefix /.well-known/acme-challenge

I am using a gateway that listens to 443 and other gateway that listens to 80 and send the HTTP to an acme-solver virtual service.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - site1.com
    port:
      name: https-site1.com
      number: 443
      protocol: HTTPS
    tls:
      credentialName: cert-site1.com
      mode: SIMPLE
  - hosts:
    - site2.com
    port:
      name: https-site2.com
      number: 443
      protocol: HTTPS
    tls:
      credentialName: cert-site2.com
      mode: SIMPLE
  ...
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: acme-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: acme-solver
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - acme-gateway
  http:
  - match:
    - uri:
        prefix: /.well-known/acme-challenge
    route:
    - destination:
        host: acme-solver.istio-system.svc.cluster.local
        port:
          number: 8089
  - redirect:
      authority: # Should redirect to https://$HOST, but I don't know how to get the $HOST

I also tried to configure in the Gateway with tls:httpsRedirect:, but then all trafic were redirected to HTTPS, so Let’s Encrypt couldn’t complete the acme challange.

How can I do that using istio?