NGinx streaming to Istio Gateway - How to expose externally

Hello everyone, good morning!

I need some assistance on my case.

In internal network, I am using CA and certificate, both self-signed and I configured them into a secret that is being set in the tls, credentialName of my gateway object. This certificate has in its SAN “*”.

Outside my cluster, I have an NGinx with a fix IP, that is registered into my internal DNS as With the same certificate, not using http2, using https, I would be able to have multiple gateways, in different namespaces, using the same secret, and having these gateways hosts of subdomain, for example, Gateway 1 as and Gateway 2 as, but both linked to the same secret.

The NGinx outside the cluster does an stream to the Istio Gateway (Service exposed as NodePort) as below:

worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;

http {
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;

stream {
    upstream istio_gateway_servers_https {
        server IP01_K8S_ISTIO_WORKER_NODE:31846 max_fails=3 fail_timeout=5s;
        server IP02_K8S_ISTIO_WORKER_NODE:31846 max_fails=3 fail_timeout=5s;
        server IP03_K8S_ISTIO_WORKER_NODE:31846 max_fails=3 fail_timeout=5s;

    server {
        listen 443;
        proxy_pass istio_gateway_servers_https;

For internal network it is fine but now I need to expose that into the internet. I tried to use another NGinx in the DMZ network as a reverse proxy to the NGinx that does the stream but without success. I am always receiving SSL handshake error.

Does anybody have similar topology or could help me to solve that in a different way?

Thanks everyone for your time.