// Make an SSL Tunnel on the first message pair of each SSL + proxy connection.
    val url = route.address.url
    val requestLine = "CONNECT ${url.toHostHeader(includeDefaultPort = true)} HTTP/1.1"
    while (true) {
      val source = this.source!!
      val sink = this.sink!!
      val tunnelCodec =
        Http1ExchangeCodec(
          // No client for CONNECT tunnels:
          client = null,

      connectionSpecIndex = -1,
      isTlsFallback = false,
    )
  }

  /**
   * Returns a request that creates a TLS tunnel via an HTTP proxy. Everything in the tunnel request
   * is sent unencrypted to the proxy server, so tunnels include only the minimum set of headers.
   * This avoids sending potentially sensitive data like HTTP cookies to the proxy unencrypted.
   *

									OutlierDetection: &networking.OutlierDetection{MinHealthPercent: 10},
								},
							},
							Tunnel:        nil,
							ProxyProtocol: nil,
						},
					},
				},
			},
			configDumps: map[string][]byte{
				"productpage-v1-1234567890": config,
				"ingress":                   []byte("{}"),
			},

If there is no waypoint, ztunnel will enforce RBAC policies against the request.

If all checks pass, ztunnel will open a connection to the target. This will spoof the source IP (from `Forwarded` for waypoints, or the incoming IP otherwise).
Once the connection is established we return a 200 HTTP code, and bi-directionally copy data to/from the tunnel to the destination.

## Certificates

    }

    /**
     * Respond to `CONNECT` requests until a non-tunnel response is peeked. Returns true if further
     * calls should be attempted on the socket.
     */
    @Throws(IOException::class, InterruptedException::class)
    private fun processTunnelRequests(): Boolean {
      if (!dispatcher.peek().inTunnel) return true // No tunnel requests.

      val source = raw.source().buffer()

     *
     * When a new connection is received, all in-tunnel responses are served before the connection is
     * upgraded to HTTPS or HTTP/2.
     */
    fun inTunnel() =
      apply {
        removeHeader("Content-Length")
        inTunnel = true
      }

    /**
     * Adds an HTTP 1xx response to precede this response. Note that this response's

    This is only relevant for duplex request bodies, because they are written concurrently when
    reading the response body.

 *  New: `MockResponse.inTunnel()` is a new `mockwebserver3` API to configure responses that are
    served while creating a proxy tunnel. This obsoletes both the `tunnelProxy` argument on
    `MockWebServer` and the `UPGRADE_TO_SSL_AT_END` socket option. (Only APIs on `mockwebserver3`

  //  "cert sign", "crl sign", "encipher only", "decipher only", "any",
  //  "server auth", "client auth",
  //  "code signing", "email protection", "s/mime",
  //  "ipsec end system", "ipsec tunnel", "ipsec user",
  //  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
  // +listType=atomic
  repeated string usages = 5;

 *  Fix: Allow interceptors to change the request method.
 *  Fix: Don’t use the request's `User-Agent` or `Proxy-Authorization` when
    connecting to an HTTPS server via an HTTP tunnel. The `Proxy-Authorization`
    header was being leaked to the origin server.
 *  Fix: Digits may be used in a URL scheme.
 *  Fix: Improve connection timeout recovery.

* Version-guard Kubectl client Guestbook application test against deployments ([#24478](https://github.com/kubernetes/kubernetes/pull/24478), [@ihmccreery](https://github.com/ihmccreery))
* Fix goroutine leak in ssh-tunnel healthcheck. ([#24487](https://github.com/kubernetes/kubernetes/pull/24487), [@cjcullen](https://github.com/cjcullen))