diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 0b8e4c079..aa7007742 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -10,6 +10,7 @@
 - authenticate: allow hot reloaded admin users config @cuonglm [GH-984]
 - authorize: include "kid" in JWT headers @cuonglm [GH-1046]
 - config: both base64 and file reference can be used for "certificates" @dmitrif [GH-1055]
+- envoy: enable strip host port matching @cuonglm [GH-1126]

 ### Changes

diff --git a/internal/controlplane/xds_listeners.go b/internal/controlplane/xds_listeners.go
index 65b27675c..8403dc56c 100644
--- a/internal/controlplane/xds_listeners.go
+++ b/internal/controlplane/xds_listeners.go
@@ -225,8 +225,9 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
 RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100},
 },
 // See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
- UseRemoteAddress: &wrappers.BoolValue{Value: true},
- SkipXffAppend: false,
+ UseRemoteAddress: &wrappers.BoolValue{Value: true},
+ SkipXffAppend: false,
+ StripMatchingHostPort: true,
 })

 return &envoy_config_listener_v3.Filter{
diff --git a/internal/controlplane/xds_listeners_test.go b/internal/controlplane/xds_listeners_test.go
index 39ebdd93a..cbe28959b 100644
--- a/internal/controlplane/xds_listeners_test.go
+++ b/internal/controlplane/xds_listeners_test.go
@@ -308,6 +308,7 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 "validateClusters": false
 },
 "statPrefix": "ingress",
+ "stripMatchingHostPort": true,
 "tracing": {
 "randomSampling": {
 "value": 0.01
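Review bot: In the xds_listeners.go hunk, `StripMatchingHostPort: true` is added with no comment, directly under the `// See …#x-forwarded-for` link, which now reads as if it covered this field as well. I would give it its own line, e.g. `// Strip the port from Host/:authority when it equals the listener port, so "example.com:443" still matches the domain "example.com".` As Envoy documents the option, the port is removed only when it equals the listener's local port and the rewritten header is what later filters and the upstream receive. Deployments reached through a port mapping would therefore still miss the route, and any host comparison made after this point (presumably the authorization check, which is not visible in this diff) should be confirmed to use the same port-less form. The test hunk only pins the new field in the golden JSON, and the body of buildMainHTTPConnectionManagerFilter starts and ends outside the hunk.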