Inject WAF sidecar on Istio Ingress deployment

Is it possible to inject a WAF sidecar in the Istio Ingress Gateway deployment?

Currently the default Istio Ingress-gateway setup looks like this.

I want to Inject a ModSecurity Docker container as a Sidecar Proxy to the Istio Ingress-Gateway deployment itself and bring in the WAF functionality. What’s the right way to do it?

I tried to manually modify the istio-ingressgateway Deployment to inject the ModSecurity sidecar and also update the istio-ingressgateway Service to point to ModSecurity container first. But it seems ModSec pod can not route traffic to the Envoy container correctly. It shows 500 error message.

      - name: modsecurity-apache
        image: owasp/modsecurity-crs:v3.2-modsec2-apache
        - containerPort: 7070
        - name: SETPROXY
          value: "True"
        - name: PROXYLOCATION
          value: ""
      - args:
        - proxy
        - router

After I deploy this config it shows an error message in the logs saying the port 7070 is already in use. Initially I thought it conflicts with one of the ports of Envoy since they are both running on the same pod. So I built a custom image and changed the port to something completely random, but it still shows the same error message!

Does the Envoy in the istio-ingressgateway listen on all ports of the pod or something? I am not sure what to try anymore. Any hint would really help.