Tunneling TCP over HTTP - to original destination cluster

Hello,

I am looking to use the TCP tunneling over HTTP feature for one of my use cases. I have been looking at the examples mentioned here, especially this one. The example is great and really works.

But my use case has an additional need, of connecting to downstream cluster per request. So downstream clusters can change for every request. I have tried using the original destination cluster as below with no success.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: orig-dest-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: LISTENER
      match:
        context: ANY
      patch:
        operation: ADD
        value:
          name: proxy
          address:
            socket_address:
              protocol: TCP
              address: 0.0.0.0
              port_value: 8080
          useOriginalDst: true
          filter_chains:
          - filters:
            - name: "envoy.filters.network.tcp_proxy"
              typed_config:
                "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"
                stat_prefix: ingress_proxy
                cluster: orig_dest
                tunneling_config:
                  hostname: host.com:443
    - applyTo: CLUSTER
      patch:
        operation: ADD
        value: # cluster specification
          name: orig_dest
          type: ORIGINAL_DST
          connect_timeout: 5s
          # This ensures HTTP/1.1 CONNECT is used for establishing the tunnel.
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http_protocol_options: {}
          original_dst_lb_config:
            use_http_header: true
          lb_policy: CLUSTER_PROVIDED
          dns_lookup_family: V4_ONLY

I keep getting error, No downstream connection or no original_dst.

If at all, I could use x-envoy-original-dst-host for specifying the downstream host and port, that would be perfect.

Please help!