diff --git a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md index e807c8b7f7..835f4bfa73 100644 --- a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md +++ b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md @@ -297,7 +297,8 @@ The SNI proxy will forward the traffic to port `443`. {{< text bash >}} $ cat < ./sni-proxy.conf - user www-data; + # setup custom path that do not require root access + pid /tmp/nginx.pid; events { } @@ -312,7 +313,7 @@ The SNI proxy will forward the traffic to port `443`. # tcp forward proxy by SNI server { resolver 8.8.8.8 ipv6=off; - listen 127.0.0.1:8443; + listen 127.0.0.1:18443; proxy_pass \$ssl_preread_server_name:443; ssl_preread on; } @@ -349,6 +350,7 @@ The SNI proxy will forward the traffic to port `443`. service: ports: - port: 443 + targetPort: 8443 name: https overlays: - kind: Deployment @@ -363,18 +365,14 @@ The SNI proxy will forward the traffic to port `443`. mountPath: /etc/nginx readOnly: true securityContext: - runAsNonRoot: false - runAsUser: 0 + runAsNonRoot: true + runAsUser: 101 - path: spec.template.spec.volumes[-1] value: | name: sni-proxy-config configMap: name: egress-sni-proxy-configmap defaultMode: 292 # 0444 - values: - gateways: - istio-egressgateway: - runAsRoot: true EOF {{< /text >}} @@ -407,7 +405,7 @@ The SNI proxy will forward the traffic to port `443`. - sni-proxy.local location: MESH_EXTERNAL ports: - - number: 8443 + - number: 18443 name: tcp protocol: TCP resolution: STATIC @@ -518,7 +516,7 @@ The SNI proxy will forward the traffic to port `443`. - destination: host: sni-proxy.local port: - number: 8443 + number: 18443 weight: 100 --- # The following filter is used to forward the original SNI (sent by the application) as the SNI of the 
@@ -599,8 +597,8 @@ The SNI proxy will forward the traffic to port `443`. You should see lines similar to the following: {{< text plain >}} - [2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org - [2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org + [2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org + [2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org {{< /text >}} 1. Check the logs of the SNI proxy. If Istio is deployed in the `istio-system` namespace, the command to print the diff --git a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/snips.sh b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/snips.sh index 657f99e384..cb1e19f492 100644 --- a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/snips.sh +++ b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/snips.sh @@ -175,7 +175,8 @@ kubectl delete destinationrule egressgateway-for-wikipedia snip_setup_egress_gateway_with_sni_proxy_1() { cat < ./sni-proxy.conf -user www-data; +# setup custom path that do not require root access +pid /tmp/nginx.pid; events { } @@ -190,7 +191,7 @@ stream { # tcp forward proxy by SNI server { resolver 8.8.8.8 ipv6=off; - listen 127.0.0.1:8443; + listen 127.0.0.1:18443; proxy_pass \$ssl_preread_server_name:443; ssl_preread on; } @@ -222,6 +223,7 @@ spec: service: ports: - port: 443 + targetPort: 8443 name: https overlays: - kind: Deployment 
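Review bot: The comment added above `pid /tmp/nginx.pid;` is ungrammatical and does not explain the removal of `user www-data;` on the line before it: without a `user` directive the nginx workers keep the uid the master was started with, which in this setup comes from the container securityContext (`runAsUser: 101`, set further down in the hunk at @@ -236). I would replace the comment with `# no 'user' directive: workers inherit the container's non-root uid; the pid file must live on a path writable by that uid`. /tmp is world-writable, so if readOnlyRootFilesystem is ever enabled on this container an emptyDir mounted at /tmp would be needed for the pid file, and nginx's compiled-in error-log and temp-file defaults should likewise be confirmed writable by uid 101, which nothing in this diff shows. The same heredoc text is duplicated in index.md earlier in this diff.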
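Review bot: `listen 127.0.0.1:18443;` changes the proxy port with no comment, and the reason is only inferable from the next hunk (@@ -222), where the Service gains `targetPort: 8443` — presumably the port the gateway's own listener binds once it no longer runs as root, which would have clashed with the previous 8443. Suggest `listen 127.0.0.1:18443;  # loopback only; must match the sni-proxy.local ServiceEntry/VirtualService port (8443 is now the gateway listener's targetPort)`. The value 18443 is repeated at @@ -275, @@ -379 and in the expected log lines at @@ -453, so anyone changing it again has four places to keep in sync. Keeping the bind on 127.0.0.1 rather than all interfaces is the right choice, since presumably only the co-located Envoy needs to reach the proxy.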
@@ -236,18 +238,14 @@ spec: mountPath: /etc/nginx readOnly: true securityContext: - runAsNonRoot: false - runAsUser: 0 + runAsNonRoot: true + runAsUser: 101 - path: spec.template.spec.volumes[-1] value: | name: sni-proxy-config configMap: name: egress-sni-proxy-configmap defaultMode: 292 # 0444 - values: - gateways: - istio-egressgateway: - runAsRoot: true EOF } @@ -275,7 +273,7 @@ spec: - sni-proxy.local location: MESH_EXTERNAL ports: - - number: 8443 + - number: 18443 name: tcp protocol: TCP resolution: STATIC @@ -379,7 +377,7 @@ spec: - destination: host: sni-proxy.local port: - number: 8443 + number: 18443 weight: 100 --- # The following filter is used to forward the original SNI (sent by the application) as the SNI of the @@ -453,8 +451,8 @@ kubectl logs -l istio=egressgateway-with-sni-proxy -c istio-proxy -n istio-syste } ! read -r -d '' snip_configure_traffic_through_egress_gateway_with_sni_proxy_6 <<\ENDSNIP -[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org -[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org +[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org +[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org ENDSNIP snip_configure_traffic_through_egress_gateway_with_sni_proxy_7() { 
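Review bot: The container securityContext now pins `runAsUser: 101`, a uid that matches the `nginx` user of the official nginx image but is not documented here; if the image in the overlay (outside this hunk) is ever swapped, the proxy will start under an unexpected uid or fail to write its pid file, so I would write `runAsUser: 101  # uid of the 'nginx' user in the official nginx image`. While the context is being hardened, the same block should also carry `allowPrivilegeEscalation: false` and `capabilities:` / `  drop: ["ALL"]`, since nginx listening on an unprivileged loopback port needs no capability. Removing the `istio-egressgateway.runAsRoot: true` value is the right direction; the gateway securityContext that value controlled is outside the diff, so I could not confirm what the gateway container now runs as. The same overlay appears in index.md earlier in this diff.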
diff --git a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/test.sh b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/test.sh old mode 100644 new mode 100755 index faa10a0ff0..bb80f6c8f2 --- a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/test.sh +++ b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/test.sh @@ -31,7 +31,7 @@ _wait_for_deployment default sleep snip_before_you_begin_4 confirm_blocking() { -kubectl exec "$SOURCE_POD" -c sleep -sS -I https://www.google.com | grep "HTTP/"; kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/" +kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://www.google.com | grep "HTTP/"; kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/" } _verify_contains confirm_blocking "command terminated with exit code 35" @@ -86,7 +86,7 @@ _wait_for_istio envoyfilter istio-system egress-gateway-sni-verifier _verify_same snip_configure_traffic_through_egress_gateway_with_sni_proxy_4 "$snip_configure_traffic_through_egress_gateway_with_sni_proxy_4_out" _verify_lines snip_configure_traffic_through_egress_gateway_with_sni_proxy_5 " -+ outbound|8443||sni-proxy.local ++ outbound|18443||sni-proxy.local + en.wikipedia.org + de.wikipedia.org "
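Review bot: The corrected line in `confirm_blocking` repeats the `kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I … | grep "HTTP/"` pipeline twice with only the URL changed, and the removed line shows how easily one copy drifts (the missing `-- curl` was the bug). A loop over the two URLs keeps both invocations identical; it still runs the second request when the first fails, as the `;` chaining did, which the `_verify_contains … "command terminated with exit code 35"` check below appears to rely on, and as far as I can tell behaves the same under the file's shell options. `$SOURCE_POD` and `_verify_contains` are defined outside the hunk.
```shell
confirm_blocking() {
    for url in https://www.google.com https://edition.cnn.com; do
        kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I "$url" | grep "HTTP/"
    done
}
```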