Istio (Envoy-proxy sidecar) is blocking http traffic on port 8088

I had the same problem and I found a solution…
You need to create a PeerAuthentication, because with Istio version 1.5.1, if you enable mTLS in your gateway, Istio closes all decryption traffic.

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: PERMISSIVE

You can check your service through the CLI “istioctl”:

istioctl authn tls-check <pod>

If there is “ISTIO_MUTUAL”, you need to add a PeerAuthentication for connections between a service with a sidecar and a service without a sidecar.

Also, you can create a special rule for only a specific port…

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "example"
spec:
  selector:
    matchLabels:
      app: example
  mtls:
    mode: STRICT
  portLevelMtls:
    1337:
      mode: DISABLE
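
An added example, not part of the original post: a small Python resolver that applies Istio's PeerAuthentication precedence (port-level, then workload selector, then namespace-wide, then mesh-wide) to the two manifests above, so you can see which ports still accept plaintext. Assumptions: the manifests are given as already-parsed dicts, the "example" policy lives in namespace `default`, the root namespace is `istio-system`, and selector policies are matched only within their own namespace; the function names are hypothetical.

```python
# Added illustration: the page's two manifests as parsed dicts (constructed input).
ROOT_NAMESPACE = "istio-system"  # assumed: Istio's default root namespace

POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "example", "namespace": "default"},  # namespace assumed
     "spec": {"selector": {"matchLabels": {"app": "example"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {1337: {"mode": "DISABLE"}}}},
]

def _mode(block):
    """Return the mode of an mtls block, or None when absent or UNSET (inherit)."""
    mode = (block or {}).get("mode", "UNSET")
    return None if mode == "UNSET" else mode

def effective_mode(policies, namespace, labels, port):
    """Return (mode, source) for inbound traffic to one workload port."""
    mesh = ns = workload = None
    for p in policies:
        p_ns = p["metadata"].get("namespace", "default")
        match = p.get("spec", {}).get("selector", {}).get("matchLabels")
        if match:  # workload-specific policy
            if p_ns == namespace and all(labels.get(k) == v for k, v in match.items()):
                workload = p
        elif p_ns == namespace and p_ns != ROOT_NAMESPACE:
            ns = p    # namespace-wide policy
        elif p_ns == ROOT_NAMESPACE:
            mesh = p  # mesh-wide policy
    if workload:  # port-level settings only apply together with a selector
        port_mode = _mode(workload["spec"].get("portLevelMtls", {}).get(port))
        if port_mode:
            return port_mode, f"{workload['metadata']['name']} (port {port})"
    for p in (workload, ns, mesh):  # narrowest scope wins
        mode = _mode(p["spec"].get("mtls")) if p else None
        if mode:
            return mode, p["metadata"]["name"]
    return "PERMISSIVE", "istio default"  # no policy at all

def plaintext_ports(policies, namespace, labels, ports):
    """Ports where the sidecar still accepts unencrypted inbound traffic."""
    return [p for p in ports
            if effective_mode(policies, namespace, labels, p)[0] != "STRICT"]
```

With the mesh-wide PERMISSIVE policy in place, every workload without a narrower STRICT policy accepts plaintext, which is worth listing before and after applying it.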