Introduction
A site can load normally through Cloudflare while chats, live dashboards, or notifications silently fail. That usually happens when the normal HTTP path works but the WebSocket upgrade path breaks at the proxy, load balancer, or origin. Because real-time features rely on a persistent upgraded connection, even a small mismatch in headers, SSL handling, or port support can stop them. The fix is to trace the full upgrade path from browser to origin and confirm each layer actually supports WebSockets.
Symptoms
- The main site loads, but live updates or chat features never connect
- Browser developer tools show a failed WebSocket handshake or unexpected close events
- Direct-origin testing works while the proxied hostname fails
- The issue started after enabling Cloudflare, changing SSL mode, or moving the app
- Requests fall back to polling or appear to hang indefinitely
Common Causes
- The origin or upstream proxy does not accept WebSocket upgrade requests correctly
- Cloudflare proxy settings or route rules send the traffic to the wrong service path
- SSL or port configuration differs between the normal site traffic and the WebSocket endpoint
- Load balancer, reverse proxy, or app timeouts close long-lived upgraded connections too early
- Firewall or security controls treat the upgraded connection as abnormal traffic
Step-by-Step Fix
- Reproduce the failure in the browser network tools and confirm whether the WebSocket handshake fails immediately or drops after connecting.
- Test the WebSocket endpoint directly against the origin to separate Cloudflare behavior from origin application issues.
- Review the endpoint hostname, path, and port to make sure Cloudflare is proxying the same destination the application expects.
- Check the origin server, reverse proxy, and load balancer for correct upgrade header handling and long-lived connection support.
- Verify that the Cloudflare SSL mode matches how the origin terminates TLS so the upgrade path does not fail on scheme mismatches.
- Inspect timeout settings at each layer, because real-time connections may be dropped by a proxy long before the app notices.
- Confirm firewall, WAF, and security rules are not blocking or throttling upgraded requests differently from normal page loads.
- Re-test the live feature after each change rather than assuming general site availability proves WebSockets are healthy.
- Keep the WebSocket path documented in deployment runbooks so future proxy or SSL changes do not silently break real-time features.
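The handshake checks from the steps above can be scripted so the same probe runs against the origin and against the proxied hostname. This is an added example, not code from the original page; the function names, the `/ws` path, and the failure labels are assumptions, and the sample key is the example nonce from RFC 6455.

```python
import base64, hashlib, os, socket, ssl

GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value defined by RFC 6455
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="        # constructed input: RFC 6455 example nonce

def build_request(host, path, key):
    """Minimal client handshake; every header here must survive each proxy hop."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode()

def expected_accept(key):
    """Value a real WebSocket server must return in Sec-WebSocket-Accept."""
    return base64.b64encode(hashlib.sha1((key + GUID).encode()).digest()).decode()

def classify(raw, key):
    """Map a raw handshake response to the layer most likely at fault."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http: wrong port or TLS/plaintext mismatch"
    status = int(parts[1])
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    if status in (301, 302, 307, 308):
        return f"redirect to {hdrs.get('location', '?')}: scheme or host mismatch"
    if status in (401, 403, 429):
        return f"blocked ({status}): firewall, WAF, or rate-limit rule"
    if status != 101:
        return f"no upgrade ({status}): a hop dropped Upgrade/Connection or routed to the wrong path"
    if hdrs.get("upgrade", "").lower() != "websocket" or "upgrade" not in hdrs.get("connection", "").lower():
        return "101 without Upgrade/Connection headers: an intermediary rewrote them"
    if hdrs.get("sec-websocket-accept") != expected_accept(key):
        return "bad Sec-WebSocket-Accept: response did not come from a WebSocket server"
    return "ok"

def probe(connect_to, host, path="/ws", port=443, tls=True):
    """Handshake with connect_to while presenting host as SNI and Host header."""
    key = base64.b64encode(os.urandom(16)).decode()
    raw = socket.create_connection((connect_to, port), timeout=10)
    conn = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if tls else raw
    with conn:
        conn.sendall(build_request(host, path, key))
        return classify(conn.recv(4096), key)

# Constructed responses (not captured traffic) showing two common failure shapes.
STRIPPED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
REDIRECT = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://app.example/ws\r\n\r\n"
```

Run `probe(origin_address, hostname)` and `probe(hostname, hostname)` and compare the two results: a difference points at the proxy layer, identical failures point at the origin. The TLS probe validates the certificate against `hostname`, so an origin certificate that does not validate for that name raises an error instead of returning a label.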