Cannot connect to secure websocket (goaccess)

Traefik Traefik v2 (latest)
,
1

Hi,
I am working on a docker-compose project using traefik as a reverse proxy for a MediaWiki. I am trying to set up the log analyzer GoAccess to generate real time html reports from the apache logs. The report is then served with a simple nginx webserver. The real time updates invoke a secured websocket connection, which I cannot get to work at all. I am unsure how to route the websocket and tried many configs and ideas I found online, to no avail. It does work locally without tls/ssl.

redacted excerpt of docker-compose.yml:

services:
  apache:
     [...]

  reverse-proxy:
    restart: always
    image: traefik:v2.8
    ports:
      - 443:443 # HTTPS port
      - 80:80 # HTTP port
      - 7890:7890 # goaccess websocket
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - traefik-letsencrypt:/letsencrypt # Persistent file for ACME Setup (Certificate Store)
      - traefik-log:/data/log # Persistent file for logging
    networks:
      - default
    labels:
      - traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.dashboard.entrypoints=websecure
      - traefik.http.routers.dashboard.tls.certResolver=le
      - traefik.http.routers.dashboard.service=api@internal
      
  goaccess:
    image: allinurl/goaccess
    container_name: goaccess
    depends_on:
      - traefik-certs-dumper
    restart: always
    command:
      - '--log-file=/srv/log/access.log'
      - '--output=/srv/reports/index.html'
      - '--log-format=COMBINED'
      - '--real-time-html'
      - '--anonymize-ip'
      # - '--config-file=/etc/goaccess.conf'
      - '--geoip-database=/srv/geoip/GeoLite2-City.mmdb'
      - '--db-path=/srv/data'
      - '--ssl-cert=/letsencrypt/certs/certs/stats.example.com.crt'
      - '--ssl-key=/letsencrypt/certs/private/stats.example.com.key'
      # - '--restore'
      # - '--persist'
    expose:
      - 7890
    # ports:
    #   - 7890:7890
    networks:
      default:
        aliases:
         - goaccess.svc
    volumes:
      - apache_logs:/srv/log:ro
      - apache_reports:/srv/reports
      - goaccess_db:/srv/data
      # - ./goaccess/goaccess.conf:/etc/goaccess.conf
      - ./goaccess/GeoLite2-City.mmdb:/srv/geoip/GeoLite2-City.mmdb
      - traefik-letsencrypt:/letsencrypt:ro
    labels:
      - traefik.http.routers.goaccess.rule=Host(`stats.example.com`) # && PathPrefix(`/ws`)
      - traefik.http.routers.goaccess.entrypoints=wss
      - traefik.http.routers.goaccess.tls.certResolver=le
      - traefik.http.routers.goaccess.middlewares=sslheader
      - traefik.http.middlewares.sslheader.headers.customRequestHeaders.X-Forwarded-Proto=https
      - traefik.http.services.goaccess-portal-compose.loadbalancer.server.port=7890

  nginx:
    image: nginx
    container_name: nginx-goaccess
    depends_on:
      - goaccess
    volumes:
      - apache_reports:/usr/share/nginx/html
    labels:
      - traefik.http.routers.nginx.rule=Host(`stats.example.com`)
      - traefik.http.routers.nginx.entrypoints=websecure
      - traefik.http.routers.nginx.tls.certResolver=le

  # just a tool to convert traefik's acme.json to .crt and .key files for goaccess --ssl-crt and --ssl-key
  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:v2.8.1
    entrypoint: sh -c 'apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs'
    volumes:
      - traefik-letsencrypt:/data

traefik.yml:

log:
  level: DEBUG

accessLog:
  filePath: "/data/log/access.log"

api:
  dashboard: true

entryPoints:
  websecure:
    address: ":443"
  web:
    address: ":80"
    # redirect to https
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  metrics:
    address: :8082
  wss:
    address: :7890

metrics:
  prometheus:
    entryPoint: metrics

providers:
  docker: {}

certificatesResolvers:
  le:
    acme:
      tlschallenge: true
      storage: /letsencrypt/acme.json
      email: email@xyz.com
      httpChallenge:
        # used during the challenge
        entryPoint: web

The websocket connection fails:
Firefox can’t establish a connection to the server at wss://stats.example.com:7890/.

Request Headers:

GET / undefined
Host: stats.example.com:7890
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: https://stats.example.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: VXLNqRn6fy+s7+8feykgLQ==
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

Also, the connection attempt is marked as insecure.

I suspect my traefik routing has redundant or contradicting settings, maybe conceptional errors (I'm new to all this, sorry!).
I would much appreciate any help you can offer!