I found the way, may be it was too obvious for the others but not for me. I used EnvoyFilter. Here is the example that I used. Now it works as expected:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: xffc-forward-protocol
namespace: mynamespace # as defined in meshConfig resource.
spec:
workloadSelector:
labels:
rbliznet: ingressgateway
istio: custom-ingressgateway
app: custom-ingressgateway
configPatches:
- applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
match:
# context applyed only to gateway
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: MERGE
value:
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
forward_client_cert_details: FORWARD_ONLY