Trying to replace HAProxy with Istio with a mixed-mode backend (HTTP + SSH) on the same external port

Hi, I’m evaluating replacing my ingress controller, a custom-built HAProxy operator, with Istio in my homelab. Most of the functionality is easily replaced with Envoy filters (i.e. auth, rate limit); however, I couldn’t figure out how to do a mixed-mode TCP/HTTP backend based on protocol sniffing, routing each protocol to a different backend.

I’m using HAProxy to wrap SSH connections using the same cert.

I’m testing with the latest version of Istio, 1.7.3.

This is how I currently have my ingress set up in this case:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ide-dev
  namespace: dev-env
  annotations:
    haproxy-ingress.my-custom-ingress.io/http-2: "true"
    haproxy-ingress.my-custom-ingress.io/oauth-service: oauth2-proxy.lb
    haproxy-ingress.my-custom-ingress.io/oauth-uri-host: auth.example.com
    haproxy-ingress.my-custom-ingress.io/auth-tls-ca-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-crl-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-verify: required
  labels:
    ingress-type: internal
spec:
  rules:
  - host: dev.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: dev
          servicePort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ssh-dev
  namespace: dev-env
  annotations:
    haproxy-ingress.my-custom-ingress.io/tcp-backends: "true"
    haproxy-ingress.my-custom-ingress.io/custom-conditions: |
      [
        "payload(0,7) -m bin 5353482d322e30",
        "ssl_fc_has_crt"
      ]
    haproxy-ingress.my-custom-ingress.io/auth-tls-ca-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-crl-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-verify: required
  labels:
    ingress-type: internal
spec:
  rules:
  - host: dev.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: dev-ssh
          servicePort: 22

And a diagram:

Any help with this is appreciated.
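For readers working out what the ssh-dev `custom-conditions` above actually match, here is an added example (not the poster's code and not HAProxy's implementation) that models the decision in Python. The `Route` names, the `classify` function, the sample byte strings, and the reading of `auth-tls-verify: required` as "no client cert, no route" are assumptions made for illustration.

```python
"""Model of the ssh-dev conditions: payload(0,7) -m bin ... AND ssl_fc_has_crt."""
from enum import Enum

# Hex pattern copied from the annotation; it decodes to the ASCII bytes "SSH-2.0".
SSH_PATTERN = bytes.fromhex("5353482d322e30")


class Route(Enum):
    NEED_MORE = "wait for more bytes"
    SSH = "dev-ssh:22"
    HTTP = "dev:8080"
    REJECT = "close connection"


def classify(decrypted: bytes, has_client_cert: bool) -> Route:
    """Pick a backend from the first bytes seen after TLS termination.

    decrypted       -- client bytes buffered so far (already unwrapped from TLS)
    has_client_cert -- models ssl_fc_has_crt (client presented a certificate)
    """
    # Assumption: auth-tls-verify "required" on both Ingresses means a
    # connection without a client certificate is never routed anywhere.
    if not has_client_cert:
        return Route.REJECT
    n = len(SSH_PATTERN)
    if len(decrypted) < n:
        # A short read that is still a prefix of the pattern is undecided;
        # deciding now would misroute a banner split across TCP segments.
        if SSH_PATTERN.startswith(decrypted):
            return Route.NEED_MORE
        return Route.HTTP
    return Route.SSH if decrypted[:n] == SSH_PATTERN else Route.HTTP


# Constructed sample first-bytes, not captured traffic.
SAMPLES = [
    b"SSH-2.0-OpenSSH_8.3\r\n",           # SSH client identification string
    b"GET / HTTP/1.1\r\nHost: dev\r\n",   # HTTP/1.1 request line
    b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n",  # HTTP/2 connection preface
    b"SSH-",                              # banner not fully buffered yet
    b"SSH-1.99-legacy\r\n",               # SSH banner the 7-byte pattern misses
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[:16]!r:32} -> {classify(sample, True).name}")
```

Any replacement for this rule has to inspect the stream after TLS is terminated, since both backends share the same host name and certificate and differ only in these first plaintext bytes.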