# shellcheck disable=SC2034
KUBE_DNS_SERVICE_PORT=53
# shellcheck disable=SC2034
KUBE_DNS_PORT_53_TCP_PROTO=tcp
# shellcheck disable=SC2034
KUBE_DNS_PORT_53_UDP=udp://10.110.0.10:53
# shellcheck disable=SC2034
KUBE_DNS_PORT_53_UDP_PROTO=udp
# shellcheck disable=SC2034
KUBERNETES_PORT_443_TCP_PROTO=tcp
# shellcheck disable=SC2034
KUBERNETES_PORT_443_TCP_ADDR=10.110.0.1
# shellcheck disable=SC2034

COMMIT
* nat
-N ISTIO_OUTPUT
-N ISTIO_PRERT
-A OUTPUT -j ISTIO_OUTPUT
-A PREROUTING -j ISTIO_PRERT
-A ISTIO_OUTPUT -d 169.254.7.127 -p tcp -m tcp -j ACCEPT
-A ISTIO_OUTPUT -p tcp -m mark --mark 0x111/0xfff -j ACCEPT
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ACCEPT
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15001

const (
	// HTTPListener identifies a listener as being of HTTP type by the presence of an HTTP connection manager filter
	HTTPListener = wellknown.HTTPConnectionManager

	// TCPListener identifies a listener as being of TCP type by the presence of TCP proxy filter
	TCPListener = wellknown.TCPProxy

	IPMatcher = "type.googleapis.com/xds.type.matcher.v3.IPMatcher"
)

After this, the client and the server have an **encrypted TCP connection**, this is what TLS provides. And then they can use that connection to start the actual **HTTP communication**.

And that's what **HTTPS** is, it's just plain **HTTP** inside a **secure TLS connection** instead of a pure (unencrypted) TCP connection.

/// tip

	if runtime.GOOS != "linux" {
		t.Skip()
	}

	l, err := net.Listen("tcp", "localhost:0") // ask kernel for a free port.
	if err != nil {
		t.Fatal(err)
	}
	defer l.Close()

	port := l.Addr().(*net.TCPAddr).Port

	testCases := []struct {
		host        string
		port        int
		expectedErr error
	}{
		{"", port, fmt.Errorf("listen tcp :%v: bind: address already in use", port)},

      "nativeTunnel": true,
      "status": "Healthy",
      "clusterId": "Kubernetes"
    },
    "/10.244.1.10": {
      "workloadIps": [
        "10.244.1.10"
      ],
      "protocol": "TCP",
      "uid": "Kubernetes//Pod/httpbin/httpbin-65975d4c6f-jr69n",
      "name": "httpbin-65975d4c6f-jr69n",
      "namespace": "httpbin",
      "trustDomain": "cluster.local",
      "serviceAccount": "httpbin",

 * Don't start a new attempt until 250 ms after the most recent attempt was started.
 * Keep whichever TCP connection succeeds first and cancel all the others.
 * Race TCP only. Only attempt a TLS handshake on the winning TCP connection.

* Шифрование соединения происходит **на уровне протокола TCP**.
    * Протокол TCP находится на один уровень **ниже протокола HTTP**.
    * Поэтому **проверка сертификатов и шифрование** происходит **до HTTP**.
* **TCP не знает о "доменах"**, но знает об IP-адресах.
    * Информация о **запрашиваемом домене** извлекается из запроса **на уровне HTTP**.

* A criptografia da conexão acontece no nível TCP.
    * Essa é uma camada abaixo do HTTP.
    * Portanto, o manuseio do certificado e da criptografia é feito antes do HTTP.
* O TCP não sabe sobre "domínios". Apenas sobre endereços IP.
    * As informações sobre o domínio solicitado vão nos dados HTTP.
* Os certificados HTTPS “certificam” um determinado domínio, mas o protocolo e a encriptação acontecem ao nível do TCP, antes de sabermos de que domínio se trata.

							{
								Name: wellknown.HTTPConnectionManager,
							},
						},
					},
				},
			},
			expect: true,
		},
		{
			desc: "http-tcp-type-match",
			inFilter: &ListenerFilter{
				Type: "HTTP+TCP",
			},
			inListener: &listener.Listener{
				FilterChains: []*listener.FilterChain{{
					Filters: []*listener.Filter{
						{
							Name: wellknown.TCPProxy,
						},