mTLS between ingress gateway and sidecars

Hi all, I am new to Istio and am having difficulty understanding one of the concepts despite looking everywhere in the docs. Could one of you kindly advise?

A gateway defines an entry/leaving point into/out of the mesh (ingress or egress traffic). The Docker image used is the same as the one used for the sidecars. I am trying to implement mTLS between the ingress gateway and the sidecar it routes to:

downstream --mTLS--> ingress gateway pod --mTLS--> sidecar --HTTP--> workload (httpbin)

A gateway can either terminate the TLS traffic or pass it through. I created a PeerAuthentication resource to enforce mTLS in the whole service mesh.

The first intuitive solution seems to be to pass the TLS traffic through and let the sidecar terminate it. Yet I am unable to make it work (with a VirtualService configuring a tls route, of course). In the doc here, it looks like TLS passthrough can only be configured if the workload itself implements mTLS. Why does it not work with a workload configured only for plain HTTP? I thought the sidecars were supposed to intercept any traffic (only mTLS there) and terminate it. I am getting code 56 with curl, indicating that there is a protocol mismatch - trying to route on a tls route while the workload listens for HTTP traffic. I tried to change the httpbin service port name with the ‘https-’ prefix, without success.

The second solution is to terminate the mTLS traffic on the gateway and originate a new mTLS connection. I therefore made the appropriate changes in the gateway and the VirtualService (http routing), and implemented a DestinationRule called httpbin-dr for the httpbin service to originate a new mTLS connection. This is working fine. Yet it also works when I remove the DestinationRule httpbin-dr. How is this working? In my understanding, the sidecar must accept only mTLS traffic due to the PeerAuthentication.

I must be missing an obvious concept. Could you guide me?
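
The second setup described in the post above (mTLS terminated at the ingress gateway, then a new mesh mTLS connection to the httpbin sidecar), written out as Istio resources. This is an added example, not the poster's actual configuration; the hostname, gateway and secret names, namespaces and service port 8000 are assumptions.

```yaml
# Mesh-wide strict mTLS (assumes istio-system is the mesh root namespace).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Hop 1: the gateway terminates downstream mTLS. The referenced secret
# (placeholder name) lives in the gateway's namespace and must hold the
# server cert/key plus the CA used to verify client certificates.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin-gw
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    tls:
      mode: MUTUAL
      credentialName: httpbin-credential
    hosts: ["httpbin.example.com"]
---
# HTTP routing from the gateway to the httpbin service (http route, not tls).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts: ["httpbin.example.com"]
  gateways: ["httpbin-gw"]
  http:
  - route:
    - destination:
        host: httpbin.default.svc.cluster.local
        port: {number: 8000}
---
# Hop 2: the gateway originates mesh mTLS to the sidecar with Istio-issued certs.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin-dr
spec:
  host: httpbin.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```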