From 41a7e9dd48ff16aa649b12b8fa4ee20bccbe8d12 Mon Sep 17 00:00:00 2001
From: Michael Puncel <mpuncel@squareup.com>
Date: Mon, 11 May 2026 08:08:57 -0400
Subject: [PATCH] Add extended CONNECT setting to ProxyConfig

---
 kubernetes/customresourcedefinitions.gen.yaml |   5 +
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html     |  12 ++
 mesh/v1alpha1/proxy.pb.go                     | 104 ++++++++++--------
 mesh/v1alpha1/proxy.proto                     |   6 +
 networking/v1beta1/proxy_config.pb.go         |  35 ++++--
 networking/v1beta1/proxy_config.pb.html       |  12 ++
 networking/v1beta1/proxy_config.proto         |   6 +
 7 files changed, 125 insertions(+), 55 deletions(-)

diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 7318e07ffd..549b925508 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -8089,6 +8089,11 @@ spec:
                 minimum: 0
                 nullable: true
                 type: integer
+              enableHttp2Connect:
+                description: Enables HTTP/2 extended CONNECT support on sidecar HTTP
+                  listeners.
+                nullable: true
+                type: boolean
               environmentVariables:
                 additionalProperties:
                   maxLength: 2048
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index ca06252b2d..4ef193b802 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -4145,6 +4145,18 @@ <h2 id="ProxyConfig">ProxyConfig</h2>
 Defaults to true.
 Optional.</p>
 
+</td>
+</tr>
+<tr id="ProxyConfig-enable_http2_connect">
+<td><div class="field"><div class="name"><code><a href="#ProxyConfig-enable_http2_connect">enableHttp2Connect</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></div>
+</div></td>
+<td>
+<p>Enables HTTP/2 extended CONNECT support on sidecar HTTP listeners.
+This allows proxies to accept WebSocket upgrades tunneled with RFC 8441.
+The setting affects generated sidecar listener HTTP connection managers; it
+does not configure upstream clusters.</p>
+
 </td>
 </tr>
 <tr id="ProxyConfig-zipkin_address" class="deprecated ">
diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
index 14c40425e1..ca89476950 100644
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
@@ -1080,8 +1080,13 @@ type ProxyConfig struct {
 	// Defaults to true.
 	// Optional.
 	StatsCompression *wrappers.BoolValue `protobuf:"bytes,42,opt,name=stats_compression,json=statsCompression,proto3" json:"stats_compression,omitempty"`
-	unknownFields    protoimpl.UnknownFields
-	sizeCache        protoimpl.SizeCache
+	// Enables HTTP/2 extended CONNECT support on sidecar HTTP listeners.
+	// This allows proxies to accept WebSocket upgrades tunneled with RFC 8441.
+	// The setting affects generated sidecar listener HTTP connection managers; it
+	// does not configure upstream clusters.
+	EnableHttp2Connect *wrappers.BoolValue `protobuf:"bytes,43,opt,name=enable_http2_connect,json=enableHttp2Connect,proto3" json:"enable_http2_connect,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
 }
 
 func (x *ProxyConfig) Reset() {
@@ -1403,6 +1408,13 @@ func (x *ProxyConfig) GetStatsCompression() *wrappers.BoolValue {
 	return nil
 }
 
+func (x *ProxyConfig) GetEnableHttp2Connect() *wrappers.BoolValue {
+	if x != nil {
+		return x.EnableHttp2Connect
+	}
+	return nil
+}
+
 type isProxyConfig_ClusterName interface {
 	isProxyConfig_ClusterName()
 }
@@ -2932,7 +2944,7 @@ const file_mesh_v1alpha1_proxy_proto_rawDesc = "" +
 	"poll_delay\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\tpollDelay\x126\n" +
 	"\bfallback\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\bfallbackB\n" +
 	"\n" +
-	"\bprovider\"\xeb'\n" +
+	"\bprovider\"\xb9(\n" +
 	"\vProxyConfig\x12\x1f\n" +
 	"\vconfig_path\x18\x01 \x01(\tR\n" +
 	"configPath\x12\x1f\n" +
@@ -2976,7 +2988,8 @@ const file_mesh_v1alpha1_proxy_proto_rawDesc = "" +
 	"\rproxy_headers\x18' \x01(\v2-.istio.mesh.v1alpha1.ProxyConfig.ProxyHeadersR\fproxyHeaders\x12I\n" +
 	"\x13file_flush_interval\x18( \x01(\v2\x19.google.protobuf.DurationR\x11fileFlushInterval\x122\n" +
 	"\x16file_flush_min_size_kb\x18) \x01(\rR\x12fileFlushMinSizeKb\x12G\n" +
-	"\x11stats_compression\x18* \x01(\v2\x1a.google.protobuf.BoolValueR\x10statsCompression\x1a@\n" +
+	"\x11stats_compression\x18* \x01(\v2\x1a.google.protobuf.BoolValueR\x10statsCompression\x12L\n" +
+	"\x14enable_http2_connect\x18+ \x01(\v2\x1a.google.protobuf.BoolValueR\x12enableHttp2Connect\x1a@\n" +
 	"\x12ProxyMetadataEntry\x12\x10\n" +
 	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
 	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a@\n" +
@@ -3147,47 +3160,48 @@ var file_mesh_v1alpha1_proxy_proto_depIdxs = []int32{
 	28, // 31: istio.mesh.v1alpha1.ProxyConfig.proxy_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders
 	39, // 32: istio.mesh.v1alpha1.ProxyConfig.file_flush_interval:type_name -> google.protobuf.Duration
 	38, // 33: istio.mesh.v1alpha1.ProxyConfig.stats_compression:type_name -> google.protobuf.BoolValue
-	37, // 34: istio.mesh.v1alpha1.RemoteService.tls_settings:type_name -> istio.networking.v1alpha3.ClientTLSSettings
-	43, // 35: istio.mesh.v1alpha1.RemoteService.tcp_keepalive:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
-	44, // 36: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_attributes:type_name -> google.protobuf.Int64Value
-	44, // 37: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_annotations:type_name -> google.protobuf.Int64Value
-	44, // 38: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_message_events:type_name -> google.protobuf.Int64Value
-	2,  // 39: istio.mesh.v1alpha1.Tracing.OpenCensusAgent.context:type_name -> istio.mesh.v1alpha1.Tracing.OpenCensusAgent.TraceContext
-	18, // 40: istio.mesh.v1alpha1.Tracing.CustomTag.literal:type_name -> istio.mesh.v1alpha1.Tracing.Literal
-	19, // 41: istio.mesh.v1alpha1.Tracing.CustomTag.environment:type_name -> istio.mesh.v1alpha1.Tracing.Environment
-	20, // 42: istio.mesh.v1alpha1.Tracing.CustomTag.header:type_name -> istio.mesh.v1alpha1.Tracing.RequestHeader
-	17, // 43: istio.mesh.v1alpha1.Tracing.CustomTagsEntry.value:type_name -> istio.mesh.v1alpha1.Tracing.CustomTag
-	39, // 44: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.poll_delay:type_name -> google.protobuf.Duration
-	38, // 45: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.fallback:type_name -> google.protobuf.BoolValue
-	39, // 46: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.poll_delay:type_name -> google.protobuf.Duration
-	38, // 47: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.fallback:type_name -> google.protobuf.BoolValue
-	1,  // 48: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.forwarded_client_cert:type_name -> istio.mesh.v1alpha1.ForwardClientCertDetails
-	36, // 49: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.set_current_client_cert_details:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails
-	30, // 50: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.request_id:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId
-	29, // 51: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.server:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server
-	31, // 52: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.attempt_count:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount
-	34, // 53: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.envoy_debug_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders
-	35, // 54: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.metadata_exchange_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders
-	38, // 55: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.preserve_http1_header_case:type_name -> google.protobuf.BoolValue
-	32, // 56: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.x_forwarded_host:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHost
-	33, // 57: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.x_forwarded_port:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPort
-	38, // 58: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server.disabled:type_name -> google.protobuf.BoolValue
-	38, // 59: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId.disabled:type_name -> google.protobuf.BoolValue
-	38, // 60: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount.disabled:type_name -> google.protobuf.BoolValue
-	38, // 61: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHost.enabled:type_name -> google.protobuf.BoolValue
-	38, // 62: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPort.enabled:type_name -> google.protobuf.BoolValue
-	38, // 63: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders.disabled:type_name -> google.protobuf.BoolValue
-	5,  // 64: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders.mode:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeMode
-	38, // 65: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
-	38, // 66: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.cert:type_name -> google.protobuf.BoolValue
-	38, // 67: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.chain:type_name -> google.protobuf.BoolValue
-	38, // 68: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.dns:type_name -> google.protobuf.BoolValue
-	38, // 69: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.uri:type_name -> google.protobuf.BoolValue
-	70, // [70:70] is the sub-list for method output_type
-	70, // [70:70] is the sub-list for method input_type
-	70, // [70:70] is the sub-list for extension type_name
-	70, // [70:70] is the sub-list for extension extendee
-	0,  // [0:70] is the sub-list for field type_name
+	38, // 34: istio.mesh.v1alpha1.ProxyConfig.enable_http2_connect:type_name -> google.protobuf.BoolValue
+	37, // 35: istio.mesh.v1alpha1.RemoteService.tls_settings:type_name -> istio.networking.v1alpha3.ClientTLSSettings
+	43, // 36: istio.mesh.v1alpha1.RemoteService.tcp_keepalive:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
+	44, // 37: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_attributes:type_name -> google.protobuf.Int64Value
+	44, // 38: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_annotations:type_name -> google.protobuf.Int64Value
+	44, // 39: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_message_events:type_name -> google.protobuf.Int64Value
+	2,  // 40: istio.mesh.v1alpha1.Tracing.OpenCensusAgent.context:type_name -> istio.mesh.v1alpha1.Tracing.OpenCensusAgent.TraceContext
+	18, // 41: istio.mesh.v1alpha1.Tracing.CustomTag.literal:type_name -> istio.mesh.v1alpha1.Tracing.Literal
+	19, // 42: istio.mesh.v1alpha1.Tracing.CustomTag.environment:type_name -> istio.mesh.v1alpha1.Tracing.Environment
+	20, // 43: istio.mesh.v1alpha1.Tracing.CustomTag.header:type_name -> istio.mesh.v1alpha1.Tracing.RequestHeader
+	17, // 44: istio.mesh.v1alpha1.Tracing.CustomTagsEntry.value:type_name -> istio.mesh.v1alpha1.Tracing.CustomTag
+	39, // 45: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.poll_delay:type_name -> google.protobuf.Duration
+	38, // 46: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.fallback:type_name -> google.protobuf.BoolValue
+	39, // 47: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.poll_delay:type_name -> google.protobuf.Duration
+	38, // 48: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.fallback:type_name -> google.protobuf.BoolValue
+	1,  // 49: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.forwarded_client_cert:type_name -> istio.mesh.v1alpha1.ForwardClientCertDetails
+	36, // 50: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.set_current_client_cert_details:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails
+	30, // 51: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.request_id:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId
+	29, // 52: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.server:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server
+	31, // 53: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.attempt_count:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount
+	34, // 54: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.envoy_debug_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders
+	35, // 55: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.metadata_exchange_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders
+	38, // 56: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.preserve_http1_header_case:type_name -> google.protobuf.BoolValue
+	32, // 57: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.x_forwarded_host:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHost
+	33, // 58: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.x_forwarded_port:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPort
+	38, // 59: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server.disabled:type_name -> google.protobuf.BoolValue
+	38, // 60: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId.disabled:type_name -> google.protobuf.BoolValue
+	38, // 61: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount.disabled:type_name -> google.protobuf.BoolValue
+	38, // 62: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHost.enabled:type_name -> google.protobuf.BoolValue
+	38, // 63: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPort.enabled:type_name -> google.protobuf.BoolValue
+	38, // 64: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders.disabled:type_name -> google.protobuf.BoolValue
+	5,  // 65: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders.mode:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeMode
+	38, // 66: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
+	38, // 67: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.cert:type_name -> google.protobuf.BoolValue
+	38, // 68: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.chain:type_name -> google.protobuf.BoolValue
+	38, // 69: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.dns:type_name -> google.protobuf.BoolValue
+	38, // 70: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.uri:type_name -> google.protobuf.BoolValue
+	71, // [71:71] is the sub-list for method output_type
+	71, // [71:71] is the sub-list for method input_type
+	71, // [71:71] is the sub-list for extension type_name
+	71, // [71:71] is the sub-list for extension extendee
+	0,  // [0:71] is the sub-list for field type_name
 }
 
 func init() { file_mesh_v1alpha1_proxy_proto_init() }
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
index c4f145d18a..eb06f75c70 100644
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@@ -773,6 +773,12 @@ message ProxyConfig {
   // Defaults to true.
   // Optional.
   google.protobuf.BoolValue stats_compression = 42;
+
+  // Enables HTTP/2 extended CONNECT support on sidecar HTTP listeners.
+  // This allows proxies to accept WebSocket upgrades tunneled with RFC 8441.
+  // The setting affects generated sidecar listener HTTP connection managers; it
+  // does not configure upstream clusters.
+  google.protobuf.BoolValue enable_http2_connect = 43;
 }
 
 message RemoteService {
diff --git a/networking/v1beta1/proxy_config.pb.go b/networking/v1beta1/proxy_config.pb.go
index b4aef6a6e4..39b0574d61 100644
--- a/networking/v1beta1/proxy_config.pb.go
+++ b/networking/v1beta1/proxy_config.pb.go
@@ -141,9 +141,14 @@ type ProxyConfig struct {
 	// +protoc-gen-crd:map-value-validation:MaxLength=2048
 	EnvironmentVariables map[string]string `protobuf:"bytes,3,rep,name=environment_variables,json=environmentVariables,proto3" json:"environment_variables,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// Specifies the details of the proxy image.
-	Image         *ProxyImage `protobuf:"bytes,4,opt,name=image,proto3" json:"image,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
+	Image *ProxyImage `protobuf:"bytes,4,opt,name=image,proto3" json:"image,omitempty"`
+	// Enables HTTP/2 extended CONNECT support on sidecar HTTP listeners.
+	// This allows proxies to accept WebSocket upgrades tunneled with RFC 8441.
+	// The setting affects generated sidecar listener HTTP connection managers; it
+	// does not configure upstream clusters.
+	EnableHttp2Connect *wrappers.BoolValue `protobuf:"bytes,5,opt,name=enable_http2_connect,json=enableHttp2Connect,proto3" json:"enable_http2_connect,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
 }
 
 func (x *ProxyConfig) Reset() {
@@ -204,6 +209,13 @@ func (x *ProxyConfig) GetImage() *ProxyImage {
 	return nil
 }
 
+func (x *ProxyConfig) GetEnableHttp2Connect() *wrappers.BoolValue {
+	if x != nil {
+		return x.EnableHttp2Connect
+	}
+	return nil
+}
+
 // The following values are used to construct proxy image url.
 // format: `${hub}/${image_name}/${tag}-${image_type}`,
 // example: `registry.istio.io/release/proxyv2:1.11.1` or `registry.istio.io/release/proxyv2:1.11.1-distroless`.
@@ -260,12 +272,13 @@ var File_networking_v1beta1_proxy_config_proto protoreflect.FileDescriptor
 
 const file_networking_v1beta1_proxy_config_proto_rawDesc = "" +
 	"\n" +
-	"%networking/v1beta1/proxy_config.proto\x12\x18istio.networking.v1beta1\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1btype/v1beta1/selector.proto\"\x89\x03\n" +
+	"%networking/v1beta1/proxy_config.proto\x12\x18istio.networking.v1beta1\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1btype/v1beta1/selector.proto\"\xd7\x03\n" +
 	"\vProxyConfig\x12@\n" +
 	"\bselector\x18\x01 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\bselector\x12=\n" +
 	"\vconcurrency\x18\x02 \x01(\v2\x1b.google.protobuf.Int32ValueR\vconcurrency\x12t\n" +
 	"\x15environment_variables\x18\x03 \x03(\v2?.istio.networking.v1beta1.ProxyConfig.EnvironmentVariablesEntryR\x14environmentVariables\x12:\n" +
-	"\x05image\x18\x04 \x01(\v2$.istio.networking.v1beta1.ProxyImageR\x05image\x1aG\n" +
+	"\x05image\x18\x04 \x01(\v2$.istio.networking.v1beta1.ProxyImageR\x05image\x12L\n" +
+	"\x14enable_http2_connect\x18\x05 \x01(\v2\x1a.google.protobuf.BoolValueR\x12enableHttp2Connect\x1aG\n" +
 	"\x19EnvironmentVariablesEntry\x12\x10\n" +
 	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
 	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"+\n" +
@@ -293,17 +306,19 @@ var file_networking_v1beta1_proxy_config_proto_goTypes = []any{
 	nil,                              // 2: istio.networking.v1beta1.ProxyConfig.EnvironmentVariablesEntry
 	(*v1beta1.WorkloadSelector)(nil), // 3: istio.type.v1beta1.WorkloadSelector
 	(*wrappers.Int32Value)(nil),      // 4: google.protobuf.Int32Value
+	(*wrappers.BoolValue)(nil),       // 5: google.protobuf.BoolValue
 }
 var file_networking_v1beta1_proxy_config_proto_depIdxs = []int32{
 	3, // 0: istio.networking.v1beta1.ProxyConfig.selector:type_name -> istio.type.v1beta1.WorkloadSelector
 	4, // 1: istio.networking.v1beta1.ProxyConfig.concurrency:type_name -> google.protobuf.Int32Value
 	2, // 2: istio.networking.v1beta1.ProxyConfig.environment_variables:type_name -> istio.networking.v1beta1.ProxyConfig.EnvironmentVariablesEntry
 	1, // 3: istio.networking.v1beta1.ProxyConfig.image:type_name -> istio.networking.v1beta1.ProxyImage
-	4, // [4:4] is the sub-list for method output_type
-	4, // [4:4] is the sub-list for method input_type
-	4, // [4:4] is the sub-list for extension type_name
-	4, // [4:4] is the sub-list for extension extendee
-	0, // [0:4] is the sub-list for field type_name
+	5, // 4: istio.networking.v1beta1.ProxyConfig.enable_http2_connect:type_name -> google.protobuf.BoolValue
+	5, // [5:5] is the sub-list for method output_type
+	5, // [5:5] is the sub-list for method input_type
+	5, // [5:5] is the sub-list for extension type_name
+	5, // [5:5] is the sub-list for extension extendee
+	0, // [0:5] is the sub-list for field type_name
 }
 
 func init() { file_networking_v1beta1_proxy_config_proto_init() }
diff --git a/networking/v1beta1/proxy_config.pb.html b/networking/v1beta1/proxy_config.pb.html
index f5f5aea7b5..3f7f0dcc6d 100644
--- a/networking/v1beta1/proxy_config.pb.html
+++ b/networking/v1beta1/proxy_config.pb.html
@@ -105,6 +105,18 @@ <h2 id="ProxyConfig">ProxyConfig</h2>
 <td>
 <p>Specifies the details of the proxy image.</p>
 
+</td>
+</tr>
+<tr id="ProxyConfig-enable_http2_connect">
+<td><div class="field"><div class="name"><code><a href="#ProxyConfig-enable_http2_connect">enableHttp2Connect</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></div>
+</div></td>
+<td>
+<p>Enables HTTP/2 extended CONNECT support on sidecar HTTP listeners.
+This allows proxies to accept WebSocket upgrades tunneled with RFC 8441.
+The setting affects generated sidecar listener HTTP connection managers; it
+does not configure upstream clusters.</p>
+
 </td>
 </tr>
 </tbody>
diff --git a/networking/v1beta1/proxy_config.proto b/networking/v1beta1/proxy_config.proto
index 330b184e26..f38d10684e 100644
--- a/networking/v1beta1/proxy_config.proto
+++ b/networking/v1beta1/proxy_config.proto
@@ -127,6 +127,12 @@ message ProxyConfig {
 
   // Specifies the details of the proxy image.
   ProxyImage image = 4;
+
+  // Enables HTTP/2 extended CONNECT support on sidecar HTTP listeners.
+  // This allows proxies to accept WebSocket upgrades tunneled with RFC 8441.
+  // The setting affects generated sidecar listener HTTP connection managers; it
+  // does not configure upstream clusters.
+  google.protobuf.BoolValue enable_http2_connect = 5;
 }
 
 // The following values are used to construct proxy image url.