diff --git a/_integration/testsuite/httpproxy/009-https-misdirected-request.yaml b/_integration/testsuite/httpproxy/009-https-misdirected-request.yaml
new file mode 100644
index 00000000000..270630dcc74
--- /dev/null
+++ b/_integration/testsuite/httpproxy/009-https-misdirected-request.yaml
@@ -0,0 +1,204 @@
+# Copyright 2020 VMware, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import data.contour.resources
+
+# Ensure that cert-manager is installed.
+# Version check the certificates resource.
+
+Group := "cert-manager.io"
+Version := "v1alpha2"
+
+have_certmanager_version {
+ v := resources.versions["certificates"]
+ v[_].Group == Group
+ v[_].Version == Version
+}
+
+skip[msg] {
+ not resources.is_supported("certificates")
+ msg := "cert-manager is not installed"
+}
+
+skip[msg] {
+ not have_certmanager_version
+
+ avail := resources.versions["certificates"]
+
+ msg := concat("\n", [
+ sprintf("cert-manager version %s/%s is not installed", [Group, Version]),
+ "available versions:",
+ yaml.marshal(avail)
+ ])
+}
+
+---
+
+# Create a self-signed issuer to give us secrets.
+
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: selfsigned
+spec:
+ selfSigned: {}
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ingress-conformance-echo
+$apply:
+ fixture:
+ as: echo
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: ingress-conformance-echo
+$apply:
+ fixture:
+ as: echo
+
+---
+
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: echo-cert
+spec:
+ dnsNames:
+ - echo.projectcontour.io
+ secretName: echo
+ issuerRef:
+ name: selfsigned
+
+---
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+ name: echo
+spec:
+ virtualhost:
+ fqdn: echo.projectcontour.io
+ tls:
+ secretName: echo
+ routes:
+ - services:
+ - name: echo
+ port: 80
+
+---
+
+import data.contour.resources
+
+Name := "echo"
+
+fatal_proxy_is_not_present[msg] {
+ not resources.is_present("httpproxies", Name)
+ msg := sprintf("HTTPProxy for %q is not present", [ Name ])
+}
+
+---
+
+import data.contour.resources
+
+Name := "echo"
+
+fatal_proxy_is_not_valid[msg] {
+ status := resources.status("httpproxies", Name)
+
+ object.get(status, "currentStatus", "") != "valid"
+
+ msg := sprintf("HTTPProxy %q is not valid\n%s", [
+ Name, yaml.marshal(status)
+ ])
+}
+
+---
+
+import data.contour.http.client
+import data.contour.http.request
+import data.contour.http.response
+
+Response := client.Get({
+ "url": sprintf("https://%s/misdirected/%d", [
+ client.target_addr, time.now_ns()
+ ]),
+ "headers": {
+ "Host": "echo.projectcontour.io",
+ "User-Agent": client.ua("misdirected-request"),
+ },
+ "tls_insecure_skip_verify": true,
+})
+
+error_non_200_response [msg] {
+ not Response
+ msg := "no response"
+}
+
+error_non_200_response [msg] {
+ status := object.get(Response, "status_code", 000)
+ status != 200
+ msg := sprintf("got status %d, wanted %d", [status, 200])
+}
+
+error_wrong_routing [msg] {
+ not response.has_testid(Response)
+ msg := "response has missing body or test ID"
+}
+
+error_wrong_routing[msg] { + wanted := "echo" + testid := response.testid(Response) + testid != wanted + msg := sprintf("got test ID %q, wanted %q", [testid, wanted]) +} + +--- + +import data.contour.http.client +import data.contour.http.request +import data.contour.http.response + +# Send a request with a Host header that doesn't match the SNI name that +# we have for the proxy document. We expect the mismatch will generate a +# 421 respnse, not 404. + +Response := client.Get({ + "url": sprintf("https://%s/misdirected/%d", [ + client.target_addr, time.now_ns() + ]), + "headers": { + "Host": "echo-two.projectcontour.io", + "User-Agent": client.ua("misdirected-request"), + }, + "tls_server_name": "echo.projectcontour.io", + "tls_insecure_skip_verify": true, +}) + +error_non_421_response [msg] { + not Response + msg := "no response" +} + +error_non_421_response [msg] { + status := object.get(Response, "status_code", 000) + status != 421 + msg := sprintf("got status %d, wanted %d", [status, 421]) +} diff --git a/_integration/testsuite/policies/contour-resources.rego b/_integration/testsuite/policies/contour-resources.rego index dab9af2cb53..ade42935b55 100644 --- a/_integration/testsuite/policies/contour-resources.rego +++ b/_integration/testsuite/policies/contour-resources.rego @@ -81,3 +81,14 @@ get(resource, name) = obj { } else = obj { obj := {} } + +# status returns the status field of the named resource. If the resource +# is not present, and empty object is returned. Implemented in terms of +# 'get', so namespace syntax works for the object name. +# +# Examples: +# resources.status("httpproxies", "foo") +status(resource, name) = s { + r := get(resource, name) + s := object.get(r, "status", {}) +} diff --git a/internal/contour/listener.go b/internal/contour/listener.go index 5ca7dfb0f4a..51dafc99fc4 100644 --- a/internal/contour/listener.go +++ b/internal/contour/listener.go 
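Review bot: The negative case at the end of 009-https-misdirected-request.yaml only sends a Host naming a different vhost (`echo-two.projectcontour.io`), so nothing checks that legitimate spellings of the right name still route. The Lua check added in internal/envoy/listener.go compares `:authority` byte-for-byte with the fqdn, so `"Host": "echo.projectcontour.io:443"` or an upper-cased host would presumably also be answered with 421. A further document asserting a 200 and test ID `echo` for those two forms would pin the intended behaviour. The comment above the second request also has a typo, `421 respnse`.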
@@ -297,6 +297,7 @@ func visitListeners(root dag.Vertex, lvc *ListenerVisitorConfig) map[string]*v2. // Add a listener if there are vhosts bound to http. if lv.http { cm := envoy.HTTPConnectionManagerBuilder(). + DefaultFilters(). RouteConfigName(ENVOY_HTTP_LISTENER). MetricsPrefix(ENVOY_HTTP_LISTENER). AccessLoggers(lvc.newInsecureAccessLog()). @@ -366,6 +367,8 @@ func (v *listenerVisitor) visit(vertex dag.Vertex) { // coded into monitoring dashboards. filters = envoy.Filters( envoy.HTTPConnectionManagerBuilder(). + AddFilter(envoy.FilterMisdirectedRequests(vh.VirtualHost.Name)). + DefaultFilters(). RouteConfigName(path.Join("https", vh.VirtualHost.Name)). MetricsPrefix(ENVOY_HTTPS_LISTENER). AccessLoggers(v.ListenerVisitorConfig.newSecureAccessLog()). diff --git a/internal/contour/listener_test.go b/internal/contour/listener_test.go index f13394ff24e..340ec92312a 100644 --- a/internal/contour/listener_test.go +++ b/internal/contour/listener_test.go @@ -127,6 +127,8 @@ func TestListenerCacheQuery(t *testing.T) { func TestListenerVisit(t *testing.T) { httpsFilterFor := func(vhost string) *envoy_api_v2_listener.Filter { return envoy.HTTPConnectionManagerBuilder(). + AddFilter(envoy.FilterMisdirectedRequests(vhost)). + DefaultFilters(). MetricsPrefix(ENVOY_HTTPS_LISTENER). RouteConfigName(path.Join("https", vhost)). AccessLoggers(envoy.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG)). @@ -781,6 +783,8 @@ func TestListenerVisit(t *testing.T) { }, TransportSocket: transportSocket(envoy_api_v2_auth.TlsParameters_TLSv1_1, "h2", "http/1.1"), Filters: envoy.Filters(envoy.HTTPConnectionManagerBuilder(). + AddFilter(envoy.FilterMisdirectedRequests("whatever.example.com")). + DefaultFilters(). MetricsPrefix(ENVOY_HTTPS_LISTENER). RouteConfigName(path.Join("https", "whatever.example.com")). AccessLoggers(envoy.FileAccessLogEnvoy("/tmp/https_access.log")). diff --git a/internal/e2e/lds_test.go b/internal/e2e/lds_test.go index 8668b66ad98..9f2b2a2b66f 100644 
--- a/internal/e2e/lds_test.go +++ b/internal/e2e/lds_test.go @@ -15,6 +15,7 @@ package e2e import ( "context" + "path" "testing" ingressroutev1 "github.com/projectcontour/contour/apis/contour/v1beta1" @@ -34,6 +35,16 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) +func httpsFilterFor(vhost string) *envoy_api_v2_listener.Filter { + return envoy.HTTPConnectionManagerBuilder(). + AddFilter(envoy.FilterMisdirectedRequests(vhost)). + DefaultFilters(). + RouteConfigName(path.Join("https", vhost)). + MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). + AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). + Get() +} + func TestNonTLSListener(t *testing.T) { rh, cc, done := setup(t) defer done() @@ -229,11 +240,7 @@ func TestTLSListener(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("kuard.example.com", s1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("kuard.example.com"), "h2", "http/1.1"), }, staticListener(), @@ -281,11 +288,7 @@ func TestTLSListener(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("kuard.example.com", s1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("kuard.example.com"), "h2", "http/1.1"), }, staticListener(), @@ -402,11 +405,7 @@ func TestIngressRouteTLSListener(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("kuard.example.com", secret1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("kuard.example.com"), "h2", "http/1.1"), } 
@@ -462,13 +461,7 @@ func TestIngressRouteTLSListener(t *testing.T) { envoy_api_v2_auth.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"), - envoy.Filters( - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), - ), + envoy.Filters(httpsFilterFor("kuard.example.com")), ), }, } @@ -560,11 +553,7 @@ func TestLDSFilter(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("kuard.example.com", s1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("kuard.example.com"), "h2", "http/1.1"), }, ), @@ -749,11 +738,7 @@ func TestLDSIngressHTTPSUseProxyProtocol(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("kuard.example.com", s1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("kuard.example.com"), "h2", "http/1.1"), } assert.Equal(t, &v2.DiscoveryResponse{ @@ -863,13 +848,7 @@ func TestLDSCustomAddressAndPort(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("kuard.example.com", s1, - - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), - + httpsFilterFor("kuard.example.com"), "h2", "http/1.1"), } assert.Equal(t, &v2.DiscoveryResponse{ 
@@ -969,11 +948,12 @@ func TestLDSCustomAccessLogPaths(t *testing.T) { ), FilterChains: filterchaintls("kuard.example.com", s1, envoy.HTTPConnectionManagerBuilder(). + AddFilter(envoy.FilterMisdirectedRequests("kuard.example.com")). + DefaultFilters(). RouteConfigName("https/kuard.example.com"). MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). AccessLoggers(envoy.FileAccessLogEnvoy("/tmp/https_access.log")). Get(), - "h2", "http/1.1"), } assert.Equal(t, &v2.DiscoveryResponse{ @@ -1073,11 +1053,7 @@ func TestIngressRouteHTTPS(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("example.com", s1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("example.com"), "h2", "http/1.1"), } assert.Equal(t, &v2.DiscoveryResponse{ @@ -1164,13 +1140,7 @@ func TestIngressRouteMinimumTLSVersion(t *testing.T) { envoy_api_v2_auth.TlsParameters_TLSv1_2, nil, "h2", "http/1.1"), - envoy.Filters( - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), - ), + envoy.Filters(httpsFilterFor("kuard.example.com")), ), }, } @@ -1232,13 +1202,7 @@ func TestIngressRouteMinimumTLSVersion(t *testing.T) { envoy_api_v2_auth.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"), - envoy.Filters( - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), - ), + envoy.Filters(httpsFilterFor("kuard.example.com")), ), }, } diff --git a/internal/envoy/listener.go b/internal/envoy/listener.go index 55c77419716..e9a1db02dd2 100644 --- a/internal/envoy/listener.go +++ b/internal/envoy/listener.go @@ -14,6 +14,7 @@ package envoy import ( + "fmt" "sort" "time" 
@@ -22,6 +23,7 @@ import ( envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" envoy_api_v2_listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" accesslog "github.com/envoyproxy/go-control-plane/envoy/config/filter/accesslog/v2" + lua "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/lua/v2" http "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2" tcp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/tcp_proxy/v2" "github.com/envoyproxy/go-control-plane/pkg/wellknown" @@ -70,6 +72,7 @@ type httpConnectionManagerBuilder struct { metricsPrefix string accessLoggers []*accesslog.AccessLog requestTimeout time.Duration + filters []*http.HttpFilter } // RouteConfigName sets the name of the RDS element that contains @@ -102,6 +105,27 @@ func (b *httpConnectionManagerBuilder) RequestTimeout(timeout time.Duration) *ht return b } +func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBuilder { + b.filters = append(b.filters, + &http.HttpFilter{ + Name: wellknown.Gzip, + }, + &http.HttpFilter{ + Name: wellknown.GRPCWeb, + }, + &http.HttpFilter{ + Name: wellknown.Router, + }, + ) + + return b +} + +func (b *httpConnectionManagerBuilder) AddFilter(f *http.HttpFilter) *httpConnectionManagerBuilder { + b.filters = append(b.filters, f) + return b +} + // Get returns a new http.HttpConnectionManager filter, constructed // from the builder settings. // 
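Review bot: `DefaultFilters` and `AddFilter` both append to `b.filters`, so the HTTP filter order depends on call order, and nothing documents or enforces that `wellknown.Router` stays last. A caller writing `.DefaultFilters().AddFilter(x)` would place `x` after the router, which Envoy expects to be the terminal HTTP filter, so `x` would not run or the listener would be rejected (confirm against the Envoy version in use). Both methods also lack doc comments; for example `// AddFilter appends f to the HTTP filter chain. Call it before DefaultFilters, which appends the terminal router filter.` Related, in the following internal/envoy/listener.go hunk `Get` now emits `HttpFilters: b.filters` as-is, so a builder on which `DefaultFilters` was never called produces a connection manager with no router; falling back to the defaults when `b.filters` is empty would keep existing callers safe.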
@@ -114,13 +138,7 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_api_v2_listener.Filter { ConfigSource: ConfigSource("contour"), }, }, - HttpFilters: []*http.HttpFilter{{ - Name: wellknown.Gzip, - }, { - Name: wellknown.GRPCWeb, - }, { - Name: wellknown.Router, - }}, + HttpFilters: b.filters, CommonHttpProtocolOptions: &envoy_api_v2_core.HttpProtocolOptions{ // Sets the idle timeout for HTTP connections to 60 seconds. // This is chosen as a rough default to stop idle connections wasting resources, @@ -169,6 +187,7 @@ func HTTPConnectionManager(routename string, accesslogger []*accesslog.AccessLog MetricsPrefix(routename). AccessLoggers(accesslogger). RequestTimeout(requestTimeout). + DefaultFilters(). Get() } @@ -284,6 +303,32 @@ func FilterChains(filters ...*envoy_api_v2_listener.Filter) []*envoy_api_v2_list } } +func FilterMisdirectedRequests(fqdn string) *http.HttpFilter { + code := ` +function envoy_on_request(request_handle) + local headers = request_handle:headers() + local host = headers:get(":authority") + + if host ~= "%s" then + request_handle:respond({ + [":status"] = "421", + }, + "" + ) + end +end +` + + return &http.HttpFilter{ + Name: "envoy.filters.http.lua", + ConfigType: &http.HttpFilter_TypedConfig{ + TypedConfig: toAny(&lua.Lua{ + InlineCode: fmt.Sprintf(code, fqdn), + }), + }, + } +} + // FilterChainTLS returns a TLS enabled envoy_api_v2_listener.FilterChain, func FilterChainTLS(domain string, downstream *envoy_api_v2_auth.DownstreamTlsContext, filters []*envoy_api_v2_listener.Filter) *envoy_api_v2_listener.FilterChain { fc := &envoy_api_v2_listener.FilterChain{ diff --git a/internal/featuretests/downstreamvalidation_test.go b/internal/featuretests/downstreamvalidation_test.go index 0263f746a33..b19165c9939 100644 --- a/internal/featuretests/downstreamvalidation_test.go +++ b/internal/featuretests/downstreamvalidation_test.go 
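Review bot: `FilterMisdirectedRequests` pastes `fqdn` between literal quotes in Lua source via `fmt.Sprintf(code, fqdn)`, so a `"`, `\` or newline in the virtual host name would change the script Envoy runs rather than the string it compares. Whether the name is validated as a DNS hostname before it reaches this function is not visible in the hunk. The comparison is also byte-exact, so an `:authority` that carries a port or differs only in letter case would presumably get a 421 even though it names the right vhost. The sketch below quotes the value with `%q` (adequate for ASCII hostnames, and still worth pairing with validation upstream) and normalises the header before comparing. The exported function also needs a doc comment saying it rejects requests whose authority does not match the vhost the TLS filter chain was selected for.

```go
func FilterMisdirectedRequests(fqdn string) *http.HttpFilter {
	// %q emits the name as a quoted, escaped literal instead of raw text.
	// "%%d" becomes the Lua pattern class "%d" once Sprintf has run.
	code := `
function envoy_on_request(request_handle)
	local headers = request_handle:headers()
	local host = string.lower(headers:get(":authority") or "")
	host = string.gsub(host, ":%%d+$", "")

	if host ~= string.lower(%q) then
		-- … unchanged: request_handle:respond with ":status" = "421" …
	end
end
`
	// … unchanged: return &http.HttpFilter{…} built from fmt.Sprintf(code, fqdn) …
}
```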
@@ -18,7 +18,6 @@ import ( v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2" projcontour "github.com/projectcontour/contour/apis/projectcontour/v1" - "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/dag" "github.com/projectcontour/contour/internal/envoy" "github.com/projectcontour/contour/internal/k8s" @@ -108,11 +107,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("example.com", serverTLSSecret, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("example.com"), &dag.PeerValidationContext{ CACertificate: &dag.Secret{ Object: clientCASecret, diff --git a/internal/featuretests/envoy.go b/internal/featuretests/envoy.go index 86ddac42aee..b6d6d989bf6 100644 --- a/internal/featuretests/envoy.go +++ b/internal/featuretests/envoy.go @@ -16,6 +16,7 @@ package featuretests // envoy helpers import ( + "path" "testing" "time" @@ -27,6 +28,7 @@ import ( envoy_config_v2_tcpproxy "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/tcp_proxy/v2" "github.com/envoyproxy/go-control-plane/pkg/wellknown" "github.com/golang/protobuf/proto" + "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/dag" "github.com/projectcontour/contour/internal/envoy" "github.com/projectcontour/contour/internal/protobuf" 
@@ -233,6 +235,16 @@ func filterchaintls(domain string, secret *v1.Secret, filter *envoy_api_v2_liste } } +func httpsFilterFor(vhost string) *envoy_api_v2_listener.Filter { + return envoy.HTTPConnectionManagerBuilder(). + AddFilter(envoy.FilterMisdirectedRequests(vhost)). + DefaultFilters(). + RouteConfigName(path.Join("https", vhost)). + MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). + AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). + Get() +} + func tcpproxy(t *testing.T, statPrefix, cluster string) *envoy_api_v2_listener.Filter { return &envoy_api_v2_listener.Filter{ Name: wellknown.TCPProxy, diff --git a/internal/featuretests/tlscertificatedelegation_test.go b/internal/featuretests/tlscertificatedelegation_test.go index 5196e04813c..9d11883319c 100644 --- a/internal/featuretests/tlscertificatedelegation_test.go +++ b/internal/featuretests/tlscertificatedelegation_test.go @@ -19,7 +19,6 @@ import ( v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2" ingressroutev1 "github.com/projectcontour/contour/apis/contour/v1beta1" projcontour "github.com/projectcontour/contour/apis/projectcontour/v1" - "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/envoy" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -128,11 +127,7 @@ func TestTLSCertificateDelegation(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("example.com", sec1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("example.com"), nil, "h2", "http/1.1"), } diff --git a/internal/featuretests/tlsprotocolversion_test.go b/internal/featuretests/tlsprotocolversion_test.go index 9b9c63858f8..ecdc75ae158 100644 --- a/internal/featuretests/tlsprotocolversion_test.go +++ b/internal/featuretests/tlsprotocolversion_test.go 
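Review bot: `httpsFilterFor` in internal/featuretests/envoy.go has no doc comment, and the same builder chain is added again in internal/e2e/lds_test.go and as a closure in internal/contour/listener_test.go. Three copies of the expected HTTPS filter stack can drift apart the next time a filter is added to the TLS listeners. A comment such as `// httpsFilterFor returns the HTTP connection manager filter expected on the HTTPS listener for vhost, including the misdirected-request check.` would help. Taking the access log path as a parameter would also let `TestLDSCustomAccessLogPaths` use the helper instead of spelling the chain out by hand.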
@@ -21,7 +21,6 @@ import ( envoy_api_v2_listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" ingressroutev1 "github.com/projectcontour/contour/apis/contour/v1beta1" projcontour "github.com/projectcontour/contour/apis/projectcontour/v1" - "github.com/projectcontour/contour/internal/contour" "github.com/projectcontour/contour/internal/dag" "github.com/projectcontour/contour/internal/envoy" v1 "k8s.io/api/core/v1" @@ -91,11 +90,7 @@ func TestTLSMinimumProtocolVersion(t *testing.T) { envoy.TLSInspector(), ), FilterChains: filterchaintls("kuard.example.com", sec1, - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), + httpsFilterFor("kuard.example.com"), nil, "h2", "http/1.1"), }, @@ -144,13 +139,7 @@ func TestTLSMinimumProtocolVersion(t *testing.T) { envoy_api_v2_auth.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"), - envoy.Filters( - envoy.HTTPConnectionManagerBuilder(). - RouteConfigName("https/kuard.example.com"). - MetricsPrefix(contour.ENVOY_HTTPS_LISTENER). - AccessLoggers(envoy.FileAccessLogEnvoy("/dev/stdout")). - Get(), - ), + envoy.Filters(httpsFilterFor("kuard.example.com")), ), }, } diff --git a/site/_resources/envoy.md b/site/_resources/envoy.md index 4a239c93354..8592d39340a 100644 --- a/site/_resources/envoy.md +++ b/site/_resources/envoy.md 
@@ -34,7 +34,7 @@ If you are using the image recommended in our [example deployment][3] no action If you are providing your own Envoy it must be compiled with the following extensions: - `access_loggers`: `envoy.access_loggers.file`,`envoy.access_loggers.http_grpc`,`envoy.access_loggers.tcp_grpc` -- `filters.http`: `envoy.buffer`,`envoy.cors`,`envoy.csrf`,`envoy.fault`,`envoy.filters.http.adaptive_concurrency`,`envoy.filters.http.dynamic_forward_proxy`,`envoy.filters.http.grpc_http1_reverse_bridge`,`envoy.filters.http.grpc_stats`,`envoy.filters.http.header_to_metadata`,`envoy.filters.http.original_src`,`envoy.grpc_http1_bridge`,`envoy.grpc_json_transcoder`,`envoy.grpc_web`,`envoy.gzip`,`envoy.health_check`,`envoy.ip_tagging`,`envoy.router` +- `filters.http`: `envoy.buffer`, `envoy.cors`, `envoy.csrf`, `envoy.fault`, `envoy.filters.http.adaptive_concurrency`, `envoy.filters.http.dynamic_forward_proxy`, `envoy.filters.http.grpc_http1_reverse_bridge`, `envoy.filters.http.grpc_stats`, `envoy.filters.http.header_to_metadata`, `envoy.filters.http.lua`, `envoy.filters.http.original_src`, `envoy.grpc_http1_bridge`, `envoy.grpc_json_transcoder`, `envoy.grpc_web`, `envoy.gzip`, `envoy.health_check`, `envoy.ip_tagging`, `envoy.router` - `filters.listener`: `envoy.listener.http_inspector`,`envoy.listener.original_dst`,`envoy.listener.original_src`,`envoy.listener.proxy_protocol`,`envoy.listener.tls_inspector` - `filters.network`: `envoy.echo`,`envoy.filters.network.sni_cluster`,`envoy.http_connection_manager`,`envoy.tcp_proxy` - `stat_sinks`: `envoy.metrics_service`