diff --git a/config/config-gateway.yaml b/config/config-gateway.yaml
index 024de9aa9..1c9f26a93 100644
--- a/config/config-gateway.yaml
+++ b/config/config-gateway.yaml
@@ -53,4 +53,4 @@ data:
 class: istio
 gateway: istio-system/knative-local-gateway
 service: istio-system/knative-local-gateway
- httpListenerName: http2
+ httpListenerName: default
diff --git a/pkg/reconciler/ingress/config/gateway.go b/pkg/reconciler/ingress/config/gateway.go
index bad391106..7c13dee85 100644
--- a/pkg/reconciler/ingress/config/gateway.go
+++ b/pkg/reconciler/ingress/config/gateway.go
@@ -39,7 +39,7 @@ const (
 defaultGatewayClass = "istio"
 // defaultClusterLocalHTTPListener is the name of the listener for HTTP traffic
- defaultClusterLocalHTTPListener = "http2"
+ defaultClusterLocalHTTPListener = "default"
 // defaultExternalIPHTTPListener
 defaultExternalIPHTTPListener = "default"
diff --git a/pkg/reconciler/ingress/ingress.go b/pkg/reconciler/ingress/ingress.go
index 0bf481244..2863522cc 100644
--- a/pkg/reconciler/ingress/ingress.go
+++ b/pkg/reconciler/ingress/ingress.go
@@ -103,8 +103,10 @@ func (c *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress
 return err
 }
+ // For now, we only generate the redirected HTTPRoute for external visibility,
+ // because there's no way to provide TLS for internal listeners.
 var redirectHTTPRoute *gatewayapi.HTTPRoute
- if ing.Spec.HTTPOption == v1alpha1.HTTPOptionRedirected {
+ if ing.Spec.HTTPOption == v1alpha1.HTTPOptionRedirected && rule.Visibility == v1alpha1.IngressVisibilityExternalIP {
 redirectHTTPRoute, err = c.reconcileRedirectHTTPRoute(ctx, ing, &rule)
 if err != nil {
 return err
diff --git a/pkg/reconciler/ingress/reconcile_resources.go b/pkg/reconciler/ingress/reconcile_resources.go
index 7d8df2cc0..64cb49be0 100644
--- a/pkg/reconciler/ingress/reconcile_resources.go
+++ b/pkg/reconciler/ingress/reconcile_resources.go
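Review bot: Renaming the cluster-local `httpListenerName` from `http2` to `default`, here and in `defaultClusterLocalHTTPListener` in pkg/reconciler/ingress/config/gateway.go, is an upgrade-compatibility change for any cluster whose local Gateway still names its HTTP listener `http2`. Routes that reference the listener by name would presumably stop attaching after an upgrade until the Gateway or the ConfigMap is brought in line; the Gateway manifests are not part of this diff, so that needs confirming. I would add a comment above the key, for example `# Must match the HTTP listener name defined on the cluster-local Gateway`, and call the rename out in the release notes.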
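Review bot: With the added `rule.Visibility == v1alpha1.IngressVisibilityExternalIP` condition in reconcileIngress, a cluster-local rule on an Ingress set to `HTTPOptionRedirected` gets no redirect route and, as far as the diff shows, no signal that the HTTPS-only setting was not applied to it; the matching condition in reconcileWorkloadRoute (pkg/reconciler/ingress/reconcile_resources.go) makes the same choice for the workload route. The new comment gives the reason, but only to readers of the source, while the owner of the Ingress sees nothing in logs, events or status saying internal traffic stays on plain HTTP. I would log or set a status condition when the option is Redirected and the rule is not external, and replace "For now" with `// TODO(<tracking-issue>): enable once internal listeners can serve TLS` so the gap is tracked. reconcileIngress starts and ends outside the hunk, and `rule` is presumably the loop variable of an enclosing range.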
@@ -50,8 +50,10 @@ func (c *Reconciler) reconcileWorkloadRoute(
 Name: gatewayapi.ObjectName(gatewayConfig.Gateway.Name),
 }
- // if http > https redirect is enabled, this route must only be bound to the TLS listener on the gateway
- if ing.Spec.HTTPOption == netv1alpha1.HTTPOptionRedirected {
+ // If http > https redirect is enabled, this route must only be bound to the TLS listener on the gateway.
+ // For now, we only generate the TLS Listener on the external traffic gateway
+ // because there's no way to provide TLS for internal listeners.
+ if ing.Spec.HTTPOption == netv1alpha1.HTTPOptionRedirected && rule.Visibility == netv1alpha1.IngressVisibilityExternalIP {
 sectionName := gatewayapi.SectionName(listenerPrefix + ing.GetUID())
 gatewayRef.SectionName = §ionName
 }
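Review bot: The predicate `ing.Spec.HTTPOption == netv1alpha1.HTTPOptionRedirected && rule.Visibility == netv1alpha1.IngressVisibilityExternalIP` is now spelled out twice, here and in reconcileIngress in pkg/reconciler/ingress/ingress.go, and the two sites have to agree: if one is changed alone, a workload route could be pinned to a TLS listener with no redirect route beside it, or the reverse. A small unexported helper used by both call sites would keep them in step. When the condition is false `gatewayRef.SectionName` appears to stay unset, which under Gateway API attaches the route to every listener on the gateway that admits it, so I would add a comment such as `// No SectionName: the route attaches to all listeners of the cluster-local gateway` to show that is intended. The final assignment reads `§ionName` on this page, presumably a mangled `&sectionName`, and reconcileWorkloadRoute's signature and the rest of its body lie outside the hunk.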