Update: the issue was solved by using an unreleased version of Rack that recognizes wss as an accepted secure scheme in X-Forwarded-Proto. Render’s load balancers currently use wss for X-Forwarded-Proto during websocket upgrade requests.
However, since the standard X-Forwarded-Proto header does not specify wss as an accepted protocol, we will be transitioning to using https instead. From what we’ve seen, application servers that support wss already support https in this field so it should only increase compatibility.