Missing Sec-WebSocket-Key in WebSocket connection handshake
The problem is probably in the HTTP2 implementation in Firefox & Chrome (Safari works OK). We were digging for three days and finally realized that after disabling the HTTP2 issue disappeared.
This is the response from DigitalOcean technical support:
We had recently enabled support for Websockets over HTTP2 (RFC 8441). This adds support for browsers to reuse an existing HTTP2 connection and will allow tunneling of WebSocket connections over an HTTP2 stream. As part of an immediate fix we have disabled this functionality which informs browsers to create Websockets over HTTP1.1 (RFC 6455). We believe the bug is actually within Chrome/Firefox but further testing is necessary to track down the issue. To our knowledge the LB wasn't the issue as it was the browser that was not including the required header Sec-WebSocket-Key.