diff --git a/integration/policy_test.go b/integration/policy_test.go
index dfa979eb1..50dadb61a 100644
--- a/integration/policy_test.go
+++ b/integration/policy_test.go
@@ -405,7 +405,7 @@ func TestSNIMismatch(t *testing.T) {
 }
 defer res.Body.Close()
 
- assert.Equal(t, http.StatusMisdirectedRequest, res.StatusCode)
+ assert.Equal(t, http.StatusOK, res.StatusCode)
 }
 
 func TestAttestationJWT(t *testing.T) {
diff --git a/internal/controlplane/luascripts/fix-misdirected.lua b/internal/controlplane/luascripts/fix-misdirected.lua
deleted file mode 100644
index d13045fe4..000000000
--- a/internal/controlplane/luascripts/fix-misdirected.lua
+++ /dev/null
@@ -1,23 +0,0 @@
-function envoy_on_request(request_handle)
- local headers = request_handle:headers()
- local dynamic_meta = request_handle:streamInfo():dynamicMetadata()
-
- local authority = headers:get(":authority")
-
- -- store the authority header in the metadata so we can retrieve it in the response
- dynamic_meta:set("envoy.filters.http.lua", "request.authority", authority)
-end
-
-function envoy_on_response(response_handle)
- local headers = response_handle:headers()
- local dynamic_meta = response_handle:streamInfo():dynamicMetadata()
-
- local authority =
- dynamic_meta:get("envoy.filters.http.lua")["request.authority"]
-
- -- if we got a 404 (no route found) and the authority header doens't match
- -- assume we've coalesced http/2 connections and return a 421
- if headers:get(":status") == "404" and authority ~= "%s" then
- headers:replace(":status", "421")
- end
-end
diff --git a/internal/controlplane/luascripts/statik.go b/internal/controlplane/luascripts/statik.go
index fe565c7c9..f446f37cc 100644
--- a/internal/controlplane/luascripts/statik.go
+++ b/internal/controlplane/luascripts/statik.go
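Review bot: TestSNIMismatch now asserts `http.StatusOK` for the very request it is named after, so the test has become a check that a Host not covered by the SNI-selected certificate is served rather than rejected; together with `callback(domain, allDomains)` in the buildFilterChains hunk and the now-unconditional catch-all virtual host in the `@@ -161` hunk, a request coalesced onto a TLS connection negotiated for a different domain is routed to that domain's virtual host instead of receiving 421, which is precisely the case the deleted fix-misdirected.lua comment describes. If tolerating the mismatch is intended, say so where the assertion is, e.g. `// every filter chain now serves all domains, so an SNI/Host mismatch is routed, not rejected with 421`, and rename the test accordingly; if it is not intended, the 421 handling (or an Envoy-native replacement) should return before this merges. The surviving `// first we match on SNI` comment in buildFilterChains is also misleading now, since the SNI chains presumably differ from the `"*"` chain only by the certificate chosen for tlsDomain, not by the routes they carry.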
@@ -9,6 +9,6 @@ import ( const Luascripts = "luascripts" // static asset namespace func init() { - data := "PK\x03\x04\x14\x00\x08\x00\x08\x00\x00\x00!(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00 \x00clean-upstream.luaUT\x05\x00\x01\x80Cm8\x94S\xc1n\x9c0\x10\xbd\xf3\x15O\xf4PV%\x91z\xdd\xc8\xff\xd0{\xd5\"\x17f\x17\xab`\xbb\xf68\x9b\xe4\xd0o\xaf\x00\xc3\xe2\x00\xaa\xe2\x03\x1e\xcb\xf3\xde<\xde\x8c/A\xd7\xac\x8c\x86\xa3\xde\xfcZk\xc5\xe3#r\xf1\xfd\xe7\xd3\x8f/O\xc8K\xe4\xf9\xe9\xa3\xb8\x15\xca\x11\x07\xa7#&#\xddd\xd9\xe2[+}e\x1d]\xd4K\xe1\xd9\x95\x98\xe2\x04\xe7\xd9\xe1\xaf\x80V\x1d\xa4n\x86\xe3y(\xfb\xb5\xc4\xa7\x98\x0d!\"\xf0\x1d;\xe9g\xf3Z\x19]9\xfa\x13\xc8s\x11\xf7jrl*\xd3\x99ZvhI6\xe4<\x04\xd2\x9cs\xbc(\xd6\xc9=\xb1l$\xcbm\xf6|S\x9c\xb2U~\x9c\x8e\xb5Sb!9_\x89\x8b|\x7f\x80\xa2\x83\xea\xb2G\xc1-\xe9\xf1\xfa^hiPT=q'\\\x91/fFc\x13\xaaai\xba-\\\x07\xb3\xbdU\x94\x8e\xf8\xbcf)ql\x179\xe5\xbd\xc8\x1d0\xf4o\xde\xb7\x06\xca\xc0\xadq\xeaM\x8e\xdd\xfd\x9f\x85I\xf6\xc6\xc9\x94k\xc7\xcb\xf7\xc5\x12K\xf7\xb8\x0f\xa0q\xbe!\x90\x7f\x8b\xd2\x90\xaf[\xb1z\x03 \xb0\xdc\xe59m\x9buwx\xf8\xb3cqks\x0f\x1f\x8a\xb7F\xfb\xa1\xbbS\xb0<\x95\x11\xf1/\x00\x00\xff\xffPK\x07\x08\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\x00\x00!(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00 \x00ext-authz-set-cookie.luaUT\x05\x00\x01\x80Cm8\x8c\x91An\x830\x10E\xf7\x9cb\xc4\xcaHI\x0e\x80\x94\x03t\xd1\x13T\x955\xc5C\xb0j\x8fS{\x88\x9aM\xcf^AM\x04\x0dM\x19 \x01\xe2\xff?\xf8\xbf\xb6\xe7Fl` \xbe\x84\xab\x0e\xac#}\xf4\x94D\xe5\xbb\xee\x90\x8d\xa3\xaa\x00\x00p\xa1A\x07\x1d\xa1\xa1\x98\xe0\x08KM\x9d?\xa8\xb9\xd8\\\x19\xbdm\xb4'\xc1{G\x92H\xe8\x9f\xb8\x0d\xaa\xaa\xb3\xf4\x99\x04\x0d\n\xe6\x18\xdbN\x0b\xeb\x13\x89*?\xf7\xe7\xe0)\xda\xde\xef\x13\xc9\xbe 
\xe1\xddRY\xc1\xd7\x11\xd8:\x90\x8ex\xf4\x0d3_^\xa7\xc1=\x1e\xf3\xd0Z'\x14\xd3\xa1\x139\x1f\\\x8f\xe5\x0e\xca)U'\x12\x9dSw\xb7\xa4\xbb\xd9\xf2OU\xf1[\x1d\xc9\x87\x0b\xfdi\x18\xf5\xc4\xa6\x18\xaeb\x8dM:\x07N\xa4\xa6\x87\x7f\xe8,D\xdb\xf0,-\x1b\xf8\xfc\xe4\xc8\x9b\x83\xe3\xb2\xef\xd3\x83\xbeoh\x07_&\x87l\x86\xd7\x97U\x12\xaf\xab|\xa7Z\xd1\x18U\xce\x8a\xdc=\x08Z\x96\xfc\x1d\x00\x00\xff\xffPK\x07\x08\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\x00\x00!(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\x00 \x00fix-misdirected.luaUT\x05\x00\x01\x80Cm8\x9c\x92\xc1\x8a\xdb0\x10\x86\xef~\x8aAP\xd6\x86l\xba\x1b|2\xf8\x01z\xe8\x13\x94\x12\x06i\x1c\x0b\xecQ\xaa\x19e\xc9\xa5\xcf^\xac\xd8\x89\xd3\x84\xb6\xf4`,\xa4\xf9\xff\xf9\xf5\x8d\xba\xc4V}` >\x85\xf3>\xf0>\xd2\x8fD\xa2\xe5\xfc\xdf\xf7\xc8n\xa0\xaa\x00\x00\x18\x82\xc5\x01zBGQ\xa0\x85\xfb\x9af>(\xd7\xc5\xee\xcc8z\xbb\x1fI\xf1Q!\x1a \xc7/\xdc\x85\xb2j\xe6\xd2\xaf\xa4\xe8P\xb1\xac\x8a\x95\x0f&\xedC\xf4z\x86v \xd0\x1cHK\xd3\\O\xcc,x}\x05\xd1\x10 \xb4\xa7\x95\xee\xa2\x02\xcfy\x7f\x9c\xbb\x80\x04\xf8 \xb0\xc8\x10I\xa3\xa7\x13\x81\xd7\xa5*\x92\x1c\x03\x0be\xdf\xf5U\x1a\x99zgh\xdb\xce\x0fJQ\xb6\xbd\xeaq;$4\x1b0\xf3=\xb7\xb7p\x9b[\x94\xaa vE\xf1\x8c\xfd\xa5]\xb9,\xfeB\xff\xae\xe8\xdf\xf0\xdfK\xfe\x8b\x7f\xde}\x00r\xf8\x03\x90\xea\xdb\x13 \xdf\xaf\xd3\xf2\xdd4\x82CP@\xa8\xdfj(9@\x0cI \xba\x90\xd8U\x80\xec\x9e\x0f\xd3\x05byQ\x18Qm\xbf\xd8\xa1H\x1a >\xe8\xe5D`\x03\x0e$\x96\x1cLi>\xef\xc0\x06f\xca\xdc%\xfbF\xd2\x14y\xea\xbc{\xcf\x0e\xbe\xfb\xed\x81\x89\xa2&1\x15\xb4-\x98\xfa\xad6Yw\xcb\xf2\xb3\x05\xf3I\xcc\x94\x90\xafl\x16\x8bH\xc7\x01-\xddl6`\xea\xdd\xbb\xb9\x0ciz\x07\xd3\xf7+\x00\x00\xff\xffPK\x07\x08\xf8\xe6\xbe\x98q\x01\x00\x00\x87\x03\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\x00\x00!(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00 
\x00remove-impersonate-headers.luaUT\x05\x00\x01\x80Cm8|\x92\xd1n\xb30\x0c\x85\xefy\n\x8b\xff&H\xf4\x97v\x8b\xc4\xb3DiqKTH\x98\xed\xb0M\xd3\xde}\xca\x02)\xack\xb9I\xc4\xf9|\xec#g\xf0'3\xc09\xb8\x93X\xef\x80\xc5\x90\xb0~\xb3\xd2+\x16\xaa\xd3\x8f\xaa\x00\x00 \x94@\x11\xa1\x86\xc3Q\xbd\xd4\xf0/\xa9\xd0\xb6\x89+\xd0uE\x91\xcd\xd0\xcd\xfeC{\xa7 _\x03\xb2\xa8\xe5\xd4\xbdq\xdd\x80\xc95\x0d\xd0\xa3\xe9\x90\x18Z\xd83\xcd\"\xa8-<\xa2\x98\xce\x88\xb9\xa7WEU\xc5\x86'\x1c\xfd\x8c\xda\x8e\x13\x12{g\x04\xf5\xad\xdfZ\xd2\\PT\xf9\x18-\xd3\x04\xf6\xfc\xccNzt?\xd8\xad\xb9x\x9d\n\xa0\x85\xcf\xaf,\x9e=\xc1\xb5\x86\x19\xac\x83\xc9Xb\xb5xT\xd0\xf9L-\x1d\xb7[\xb9\xd6PnZ\x1f\xf0]\xc8\x1c\xca\n\xa2a\xdc\xc4N\xbd\x90\x0fS\xf9\xb7\x16\x18\xa9\xdc\x8f\xbc~b\x8e\x03\xfe\xb7\x8e\x91D\xe5\x045\\\xab\x1d\x1a\xd7\xbd\xbd?I\x97M\xee\xf2-\xb9\x9b$\xab\xb9*~\xdb\xc7\xf3\xe1\xcb\xe2\xc9;F\xb5^\xf2\xdb\x8a\x05\xdf\x01\x00\x00\xff\xffPK\x07\x08y\x19$\xa3\x1b\x01\x00\x00\xdd\x02\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x00\x00!(\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00\x12\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00clean-upstream.luaUT\x05\x00\x01\x80Cm8PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x00\x00!(\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00\x18\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\xeb\x01\x00\x00ext-authz-set-cookie.luaUT\x05\x00\x01\x80Cm8PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x00\x00!(\xf8\xe6\xbe\x98q\x01\x00\x00\x87\x03\x00\x00\x13\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81A\x03\x00\x00fix-misdirected.luaUT\x05\x00\x01\x80Cm8PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x00\x00!(y\x19$\xa3\x1b\x01\x00\x00\xdd\x02\x00\x00\x1e\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\xfc\x04\x00\x00remove-impersonate-headers.luaUT\x05\x00\x01\x80Cm8PK\x05\x06\x00\x00\x00\x00\x04\x00\x04\x007\x01\x00\x00l\x06\x00\x00\x00\x00" + data := "PK\x03\x04\x14\x00\x08\x00\x08\x00]\xa2PQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00 
\x00clean-upstream.luaUT\x05\x00\x013\x00\x8a_\x94S\xc1n\x9c0\x10\xbd\xf3\x15O\xf4PV%\x91z\xdd\xc8\xff\xd0{\xd5\"\x17f\x17\xab`\xbb\xf68\x9b\xe4\xd0o\xaf\x00\xc3\xe2\x00\xaa\xe2\x03\x1e\xcb\xf3\xde<\xde\x8c/A\xd7\xac\x8c\x86\xa3\xde\xfcZk\xc5\xe3#r\xf1\xfd\xe7\xd3\x8f/O\xc8K\xe4\xf9\xe9\xa3\xb8\x15\xca\x11\x07\xa7#&#\xddd\xd9\xe2[+}e\x1d]\xd4K\xe1\xd9\x95\x98\xe2\x04\xe7\xd9\xe1\xaf\x80V\x1d\xa4n\x86\xe3y(\xfb\xb5\xc4\xa7\x98\x0d!\"\xf0\x1d;\xe9g\xf3Z\x19]9\xfa\x13\xc8s\x11\xf7jrl*\xd3\x99ZvhI6\xe4<\x04\xd2\x9cs\xbc(\xd6\xc9=\xb1l$\xcbm\xf6|S\x9c\xb2U~\x9c\x8e\xb5Sb!9_\x89\x8b|\x7f\x80\xa2\x83\xea\xb2G\xc1-\xe9\xf1\xfa^hiPT=q'\\\x91/fFc\x13\xaaai\xba-\\\x07\xb3\xbdU\x94\x8e\xf8\xbcf)ql\x179\xe5\xbd\xc8\x1d0\xf4o\xde\xb7\x06\xca\xc0\xadq\xeaM\x8e\xdd\xfd\x9f\x85I\xf6\xc6\xc9\x94k\xc7\xcb\xf7\xc5\x12K\xf7\xb8\x0f\xa0q\xbe!\x90\x7f\x8b\xd2\x90\xaf[\xb1z\x03 \xb0\xdc\xe59m\x9buwx\xf8\xb3cqks\x0f\x1f\x8a\xb7F\xfb\xa1\xbbS\xb0<\x95\x11\xf1/\x00\x00\xff\xffPK\x07\x08\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00]\xa2PQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00 \x00ext-authz-set-cookie.luaUT\x05\x00\x013\x00\x8a_\x8c\x91An\x830\x10E\xf7\x9cb\xc4\xcaHI\x0e\x80\x94\x03t\xd1\x13T\x955\xc5C\xb0j\x8fS{\x88\x9aM\xcf^AM\x04\x0dM\x19 \x01\xe2\xff?\xf8\xbf\xb6\xe7Fl` \xbe\x84\xab\x0e\xac#}\xf4\x94D\xe5\xbb\xee\x90\x8d\xa3\xaa\x00\x00p\xa1A\x07\x1d\xa1\xa1\x98\xe0\x08KM\x9d?\xa8\xb9\xd8\\\x19\xbdm\xb4'\xc1{G\x92H\xe8\x9f\xb8\x0d\xaa\xaa\xb3\xf4\x99\x04\x0d\n\xe6\x18\xdbN\x0b\xeb\x13\x89*?\xf7\xe7\xe0)\xda\xde\xef\x13\xc9\xbe 
\xe1\xddRY\xc1\xd7\x11\xd8:\x90\x8ex\xf4\x0d3_^\xa7\xc1=\x1e\xf3\xd0Z'\x14\xd3\xa1\x139\x1f\\\x8f\xe5\x0e\xca)U'\x12\x9dSw\xb7\xa4\xbb\xd9\xf2OU\xf1[\x1d\xc9\x87\x0b\xfdi\x18\xf5\xc4\xa6\x18\xaeb\x8dM:\x07N\xa4\xa6\x87\x7f\xe8,D\xdb\xf0,-\x1b\xf8\xfc\xe4\xc8\x9b\x83\xe3\xb2\xef\xd3\x83\xbeoh\x07_&\x87l\x86\xd7\x97U\x12\xaf\xab|\xa7Z\xd1\x18U\xce\x8a\xdc=\x08Z\x96\xfc\x1d\x00\x00\xff\xffPK\x07\x08\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00]\xa2PQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00 \x00remove-impersonate-headers.luaUT\x05\x00\x013\x00\x8a_|\x92\xd1n\xb30\x0c\x85\xefy\n\x8b\xff&H\xf4\x97v\x8b\xc4\xb3DiqKTH\x98\xed\xb0M\xd3\xde}\xca\x02)\xack\xb9I\xc4\xf9|\xec#g\xf0'3\xc09\xb8\x93X\xef\x80\xc5\x90\xb0~\xb3\xd2+\x16\xaa\xd3\x8f\xaa\x00\x00 \x94@\x11\xa1\x86\xc3Q\xbd\xd4\xf0/\xa9\xd0\xb6\x89+\xd0uE\x91\xcd\xd0\xcd\xfeC{\xa7 _\x03\xb2\xa8\xe5\xd4\xbdq\xdd\x80\xc95\x0d\xd0\xa3\xe9\x90\x18Z\xd83\xcd\"\xa8-<\xa2\x98\xce\x88\xb9\xa7WEU\xc5\x86'\x1c\xfd\x8c\xda\x8e\x13\x12{g\x04\xf5\xad\xdfZ\xd2\\PT\xf9\x18-\xd3\x04\xf6\xfc\xccNzt?\xd8\xad\xb9x\x9d\n\xa0\x85\xcf\xaf,\x9e=\xc1\xb5\x86\x19\xac\x83\xc9Xb\xb5xT\xd0\xf9L-\x1d\xb7[\xb9\xd6PnZ\x1f\xf0]\xc8\x1c\xca\n\xa2a\xdc\xc4N\xbd\x90\x0fS\xf9\xb7\x16\x18\xa9\xdc\x8f\xbc~b\x8e\x03\xfe\xb7\x8e\x91D\xe5\x045\\\xab\x1d\x1a\xd7\xbd\xbd?I\x97M\xee\xf2-\xb9\x9b$\xab\xb9*~\xdb\xc7\xf3\xe1\xcb\xe2\xc9;F\xb5^\xf2\xdb\x8a\x05\xdf\x01\x00\x00\xff\xffPK\x07\x08y\x19$\xa3\x1b\x01\x00\x00\xdd\x02\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00]\xa2PQ\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00\x12\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00clean-upstream.luaUT\x05\x00\x013\x00\x8a_PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00]\xa2PQ\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00\x18\x00 
\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\xeb\x01\x00\x00ext-authz-set-cookie.luaUT\x05\x00\x013\x00\x8a_PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00]\xa2PQy\x19$\xa3\x1b\x01\x00\x00\xdd\x02\x00\x00\x1e\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81A\x03\x00\x00remove-impersonate-headers.luaUT\x05\x00\x013\x00\x8a_PK\x05\x06\x00\x00\x00\x00\x03\x00\x03\x00\xed\x00\x00\x00\xb1\x04\x00\x00\x00\x00" fs.RegisterWithNamespace("luascripts", data) } diff --git a/internal/controlplane/xds_filters.go b/internal/controlplane/xds_filters.go deleted file mode 100644 index 705214ed0..000000000 --- a/internal/controlplane/xds_filters.go +++ /dev/null 
@@ -1,116 +0,0 @@ -package controlplane - -import ( - "fmt" - "time" - - envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_extensions_filters_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3" - envoy_extensions_filters_http_lua_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3" - envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" - envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" - "github.com/envoyproxy/go-control-plane/pkg/wellknown" - "google.golang.org/protobuf/types/known/durationpb" - - "github.com/pomerium/pomerium/config" -) - -func getHTTPConnectionManagerFilters(options *config.Options, tlsDomain string) []*envoy_http_connection_manager.HttpFilter { - fs := []*envoy_http_connection_manager.HttpFilter{ - getRemoveImpersonateHeadersFilter(), - getExtAuthZFilter(options), - getExtAuthZSetCookieFilter(), - getCleanUpstreamFilter(), - } - - if tlsDomain != "" && tlsDomain != "*" { - fs = append(fs, getFixMisdirectedFilter(tlsDomain)) - } - - fs = append(fs, &envoy_http_connection_manager.HttpFilter{ - Name: wellknown.Router, - }) - - return fs -} - -func getRemoveImpersonateHeadersFilter() *envoy_http_connection_manager.HttpFilter { - data := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ - InlineCode: luascripts.RemoveImpersonateHeaders, - }) - return &envoy_http_connection_manager.HttpFilter{ - Name: wellknown.Lua, - ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ - TypedConfig: data, - }, - } -} - -func getExtAuthZFilter(options *config.Options) *envoy_http_connection_manager.HttpFilter { - var grpcClientTimeout *durationpb.Duration - if options.GRPCClientTimeout != 0 { - grpcClientTimeout = durationpb.New(options.GRPCClientTimeout) - } else { - grpcClientTimeout = durationpb.New(30 * time.Second) - } - data := 
marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{ - StatusOnError: &envoy_type_v3.HttpStatus{ - Code: envoy_type_v3.StatusCode_InternalServerError, - }, - Services: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthz_GrpcService{ - GrpcService: &envoy_config_core_v3.GrpcService{ - Timeout: grpcClientTimeout, - TargetSpecifier: &envoy_config_core_v3.GrpcService_EnvoyGrpc_{ - EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{ - ClusterName: options.GetAuthorizeURL().Host, - }, - }, - }, - }, - IncludePeerCertificate: true, - }) - return &envoy_http_connection_manager.HttpFilter{ - Name: wellknown.HTTPExternalAuthorization, - ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ - TypedConfig: data, - }, - } -} - -func getExtAuthZSetCookieFilter() *envoy_http_connection_manager.HttpFilter { - data := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ - InlineCode: luascripts.ExtAuthzSetCookie, - }) - return &envoy_http_connection_manager.HttpFilter{ - Name: wellknown.Lua, - ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ - TypedConfig: data, - }, - } -} - -func getCleanUpstreamFilter() *envoy_http_connection_manager.HttpFilter { - data := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ - InlineCode: luascripts.CleanUpstream, - }) - return &envoy_http_connection_manager.HttpFilter{ - Name: wellknown.Lua, - ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ - TypedConfig: data, - }, - } -} - -func getFixMisdirectedFilter(fqdn string) *envoy_http_connection_manager.HttpFilter { - // based on https://github.com/projectcontour/contour/pull/2483/files#diff-7b5eca045986ae5cb249a53591b132b2db720095fa9fa24715178f660383b6c6R303 - code := fmt.Sprintf(luascripts.FixMisdirected, fqdn) - data := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ - InlineCode: code, - }) - return &envoy_http_connection_manager.HttpFilter{ - Name: wellknown.Lua, - ConfigType: 
&envoy_http_connection_manager.HttpFilter_TypedConfig{ - TypedConfig: data, - }, - } -} diff --git a/internal/controlplane/xds_listeners.go b/internal/controlplane/xds_listeners.go index 3aeba0d84..564c4042b 100644 --- a/internal/controlplane/xds_listeners.go +++ b/internal/controlplane/xds_listeners.go @@ -5,11 +5,13 @@ import ( "net" "net/url" "sort" + "time" envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" envoy_extensions_filters_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3" + envoy_extensions_filters_http_lua_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3" envoy_extensions_filters_listener_proxy_protocol_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3" envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" @@ -64,7 +66,7 @@ func (srv *Server) buildMainListener(options *config.Options) *envoy_config_list if options.InsecureServer { filter := buildMainHTTPConnectionManagerFilter(options, - getAllRouteableDomains(options, options.Addr), "") + getAllRouteableDomains(options, options.Addr)) return &envoy_config_listener_v3.Listener{ Name: "http-ingress", 
@@ -92,7 +94,7 @@ func (srv *Server) buildMainListener(options *config.Options) *envoy_config_list ListenerFilters: listenerFilters, FilterChains: buildFilterChains(options, options.Addr, func(tlsDomain string, httpDomains []string) *envoy_config_listener_v3.FilterChain { - filter := buildMainHTTPConnectionManagerFilter(options, httpDomains, tlsDomain) + filter := buildMainHTTPConnectionManagerFilter(options, httpDomains) filterChain := &envoy_config_listener_v3.FilterChain{ Filters: []*envoy_config_listener_v3.Filter{filter}, } @@ -126,14 +128,14 @@ func buildFilterChains( var chains []*envoy_config_listener_v3.FilterChain for _, domain := range tlsDomains { // first we match on SNI - chains = append(chains, callback(domain, []string{domain})) + chains = append(chains, callback(domain, allDomains)) } // if there are no SNI matches we match on HTTP host chains = append(chains, callback("*", allDomains)) return chains } -func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []string, tlsDomain string) *envoy_config_listener_v3.Filter { +func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []string) *envoy_config_listener_v3.Filter { var virtualHosts []*envoy_config_route_v3.VirtualHost for _, domain := range domains { vh := &envoy_config_route_v3.VirtualHost{ 
@@ -161,14 +163,46 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str virtualHosts = append(virtualHosts, vh) } } - if tlsDomain == "*" { - virtualHosts = append(virtualHosts, &envoy_config_route_v3.VirtualHost{ - Name: "catch-all", - Domains: []string{"*"}, - Routes: buildPomeriumHTTPRoutes(options, "*"), - }) + virtualHosts = append(virtualHosts, &envoy_config_route_v3.VirtualHost{ + Name: "catch-all", + Domains: []string{"*"}, + Routes: buildPomeriumHTTPRoutes(options, "*"), + }) + + var grpcClientTimeout *durationpb.Duration + if options.GRPCClientTimeout != 0 { + grpcClientTimeout = ptypes.DurationProto(options.GRPCClientTimeout) + } else { + grpcClientTimeout = ptypes.DurationProto(30 * time.Second) } + extAuthZ := marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{ + StatusOnError: &envoy_type_v3.HttpStatus{ + Code: envoy_type_v3.StatusCode_InternalServerError, + }, + Services: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthz_GrpcService{ + GrpcService: &envoy_config_core_v3.GrpcService{ + Timeout: grpcClientTimeout, + TargetSpecifier: &envoy_config_core_v3.GrpcService_EnvoyGrpc_{ + EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{ + ClusterName: options.GetAuthorizeURL().Host, + }, + }, + }, + }, + IncludePeerCertificate: true, + }) + + extAuthzSetCookieLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ + InlineCode: luascripts.ExtAuthzSetCookie, + }) + cleanUpstreamLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ + InlineCode: luascripts.CleanUpstream, + }) + removeImpersonateHeadersLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ + InlineCode: luascripts.RemoveImpersonateHeaders, + }) + var maxStreamDuration *durationpb.Duration if options.WriteTimeout > 0 { maxStreamDuration = ptypes.DurationProto(options.WriteTimeout) 
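Review bot: The fallback in `grpcClientTimeout = ptypes.DurationProto(30 * time.Second)` is a bare magic number; it was equally bare in the deleted getExtAuthZFilter, but inlined into buildMainHTTPConnectionManagerFilter it is now buried in a much longer function, so lift it to a package constant, `const defaultGRPCClientTimeout = 30 * time.Second`, and reference it here. The deleted helper built the value with `durationpb.New`, which matches the `*durationpb.Duration` type already in scope on the `var grpcClientTimeout` line, whereas `ptypes.DurationProto` is the older wrapper; the surrounding file does use `ptypes.DurationProto` for maxStreamDuration, so pick one and apply it consistently. buildMainHTTPConnectionManagerFilter starts and ends outside this hunk.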
@@ -180,8 +214,36 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str RouteSpecifier: &envoy_http_connection_manager.HttpConnectionManager_RouteConfig{ RouteConfig: buildRouteConfiguration("main", virtualHosts), }, - HttpFilters: getHTTPConnectionManagerFilters(options, tlsDomain), - AccessLog: buildAccessLogs(options), + HttpFilters: []*envoy_http_connection_manager.HttpFilter{ + { + Name: "envoy.filters.http.lua", + ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ + TypedConfig: removeImpersonateHeadersLua, + }, + }, + { + Name: "envoy.filters.http.ext_authz", + ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ + TypedConfig: extAuthZ, + }, + }, + { + Name: "envoy.filters.http.lua", + ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ + TypedConfig: extAuthzSetCookieLua, + }, + }, + { + Name: "envoy.filters.http.lua", + ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{ + TypedConfig: cleanUpstreamLua, + }, + }, + { + Name: "envoy.filters.http.router", + }, + }, + AccessLog: buildAccessLogs(options), CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{ IdleTimeout: ptypes.DurationProto(options.IdleTimeout), MaxStreamDuration: maxStreamDuration, diff --git a/internal/controlplane/xds_listeners_test.go b/internal/controlplane/xds_listeners_test.go index 568e5b937..1fee62515 100644 --- a/internal/controlplane/xds_listeners_test.go +++ b/internal/controlplane/xds_listeners_test.go @@ -22,7 +22,7 @@ const ( func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) { options := config.NewDefaultOptions() - filter := buildMainHTTPConnectionManagerFilter(options, []string{"example.com"}, "*") + filter := buildMainHTTPConnectionManagerFilter(options, []string{"example.com"}) testutil.AssertProtoJSONEqual(t, `{ "name": "envoy.filters.network.http_connection_manager", "typedConfig": { 
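Review bot: The HttpFilters literal hard-codes `"envoy.filters.http.lua"`, `"envoy.filters.http.ext_authz"` and `"envoy.filters.http.router"` as strings, whereas the deleted xds_filters.go used `wellknown.Lua`, `wellknown.HTTPExternalAuthorization` and `wellknown.Router`; with literals a typo is only caught when Envoy rejects the listener, not at compile time. Prefer the constants, e.g. `Name: wellknown.Lua,`, which needs the `github.com/envoyproxy/go-control-plane/pkg/wellknown` import that does not appear in the visible import hunk for xds_listeners.go. The four entries also repeat the same three-line TypedConfig shape, so a small helper taking the marshalled config, in the spirit of the constructors this commit deletes, would keep the filter order readable at a glance. The enclosing HttpConnectionManager literal starts and ends outside this hunk.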
diff --git a/internal/controlplane/xds_lua.go b/internal/controlplane/xds_lua.go
index d1b85cb53..e6d3c0843 100644
--- a/internal/controlplane/xds_lua.go
+++ b/internal/controlplane/xds_lua.go
@@ -16,7 +16,6 @@ var luascripts struct {
 ExtAuthzSetCookie string
 CleanUpstream string
 RemoveImpersonateHeaders string
- FixMisdirected string
 }
 
 func init() {
@@ -29,7 +28,6 @@ func init() {
 "/clean-upstream.lua": &luascripts.CleanUpstream,
 "/ext-authz-set-cookie.lua": &luascripts.ExtAuthzSetCookie,
 "/remove-impersonate-headers.lua": &luascripts.RemoveImpersonateHeaders,
- "/fix-misdirected.lua": &luascripts.FixMisdirected,
 }
 
 err = fs.Walk(hfs, "/", func(p string, fi os.FileInfo, err error) error {