Long-lived WebSocket connections need careful timeout tuning. We run a single Nginx instance in front of several backends and centralize SSL termination there. For WebSocket endpoints we set proxy_read_timeout and proxy_send_timeout to 86400 seconds (24 hours) so connections stay up without being cut by the proxy.
We use the standard Upgrade/Connection headers and pass through X-Real-IP and X-Forwarded-Proto so backends see the real client and scheme. So far we haven't needed to increase buffer sizes, but we keep an eye on large frames.
Keeping config in one place makes it easy to roll out TLS and HTTP/2 changes everywhere at once.
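The setup described above as an Nginx configuration; this is an added example, not the author's actual config. The server name, certificate paths, `/ws/` location and upstream address are placeholder assumptions.

```nginx
# Added example. Names, paths and addresses below are placeholders.

# Send "Connection: upgrade" only when the client asked for an upgrade;
# otherwise close, so ordinary requests are not held open as tunnels.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream ws_backend {
    server 10.0.0.11:8080;   # constructed backend address
}

server {
    # TLS is terminated here, once, for every backend behind the proxy.
    listen 443 ssl;
    http2 on;                # nginx 1.25.1+; older releases: listen 443 ssl http2;
    server_name ws.example.com;

    ssl_certificate     /etc/nginx/tls/ws.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/ws.example.com.key;

    location /ws/ {
        proxy_pass http://ws_backend;

        # The WebSocket handshake needs HTTP/1.1 and the hop-by-hop
        # Upgrade/Connection headers re-sent to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # proxy_set_header replaces any client-supplied value, so the
        # backend sees the address and scheme Nginx observed. Backends
        # should accept connections only from the proxy for this to hold.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # 24 hours between successive reads/writes before Nginx closes
        # an otherwise idle proxied connection.
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}
```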