WebRTC handshake fails on AWS ALB with Terraform-managed org

What is the standard approach to configure the genesyscloud_webchat_widget resource to bypass strict ALB security policies without breaking the websocket connection?

We are deploying the widget via Terraform (provider 1.12.0) inside an AWS VPC. The initial HTTP request succeeds, but the WS upgrade fails with 403 Forbidden. The ALB has a WAF rule that blocks non-standard user agents, but the softphone client sends a specific header that gets stripped.

Error log from the browser console:
WebSocket connection to 'wss://api.mypurecloud.com/api/v2/webchat/sessions/ws' failed: Error during WebSocket handshake: Unexpected response code: 403

We tried adding custom headers in the widget config, but the Terraform schema does not allow arbitrary headers. The genesyscloud_webchat_widget resource only supports basic settings like org_name and widget_id.

Is there a workaround to inject the required header via the custom_css or JavaScript injection fields? Or should we be using a different endpoint for the WebSocket connection in this setup? The environment is eu-west-1.

Thanks.

I typically get around this by checking if the ALB is terminating the WebSocket connection before it reaches the target group. Make sure you have the aws_alb_target_group attribute target_type set to instance and verify that the listener rule explicitly allows Upgrade headers to pass through without being stripped by the WAF.

You might want to check the WAF IP reputation rules. The ALB often drops WebSocket upgrades if the source IP triggers a rate limit before the handshake completes.

Note: Check the CloudWatch metrics for TargetResponseTime spikes during the upgrade phase.
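As an added diagnostic example (not from this thread or from Genesys or AWS), the script below scans ALB access log lines for WebSocket upgrades that the load balancer itself answered with 403 after a WAF action, and tallies the user agents involved, so you can see which client strings the WAF rule is catching before relaxing it. The log lines are constructed, and the column indices assume the documented ALB access log field order.

```python
import re
from collections import Counter

# Column indices of the ALB access log fields this check uses (assumption:
# the documented field order, with "type" first and "actions_executed" 23rd).
TYPE, ELB_STATUS, TARGET_STATUS, REQUEST, USER_AGENT, ACTIONS = 0, 8, 9, 12, 13, 22

# Constructed sample lines, not real traffic: a WAF-blocked wss upgrade from a
# non-browser client, a forwarded wss upgrade, and an ordinary https GET.
SAMPLE_LOG = """\
wss 2024-05-01T10:00:00.123456Z app/my-alb/abc 203.0.113.10:51234 - -1 -1 -1 403 - 512 0 "GET https://chat.example.com:443/ws HTTP/1.1" "CustomSoftphoneClient/1.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-aaaa" "chat.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/placeholder" 0 2024-05-01T10:00:00.100000Z "waf" "-" "-" "-" "-" "-" "-"
wss 2024-05-01T10:00:01.123456Z app/my-alb/abc 203.0.113.11:51235 10.0.1.5:8080 0.001 0.002 0.000 101 101 512 256 "GET https://chat.example.com:443/ws HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/tg/xyz "Root=1-bbbb" "chat.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/placeholder" 1 2024-05-01T10:00:01.100000Z "waf,forward" "-" "-" "10.0.1.5:8080" "101" "-" "-"
https 2024-05-01T10:00:02.123456Z app/my-alb/abc 203.0.113.12:51236 10.0.1.5:8080 0.001 0.005 0.000 200 200 300 1024 "GET https://chat.example.com:443/index.html HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/tg/xyz "Root=1-cccc" "chat.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/placeholder" 1 2024-05-01T10:00:02.100000Z "forward" "-" "-" "10.0.1.5:8080" "200" "-" "-"
"""

# A field is either a double-quoted string (may contain spaces) or a bare token.
FIELD = re.compile(r'"[^"]*"|\S+')


def parse_line(line):
    """Split one ALB access log line into its fields, quotes removed."""
    return [f.strip('"') for f in FIELD.findall(line)]


def blocked_websocket_upgrades(log_text):
    """Return (user_agent, request) pairs for ws/wss connections that the ALB
    answered with 403 itself (no target status) after running a WAF action."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if len(f) <= ACTIONS:
            continue  # truncated or malformed line, skip it
        is_websocket = f[TYPE] in ("ws", "wss")
        waf_blocked = (f[ELB_STATUS] == "403"
                       and f[TARGET_STATUS] == "-"
                       and "waf" in f[ACTIONS].split(","))
        if is_websocket and waf_blocked:
            hits.append((f[USER_AGENT], f[REQUEST]))
    return hits


def blocked_user_agents(log_text):
    """Count WAF-blocked WebSocket upgrades per user agent string."""
    return Counter(ua for ua, _ in blocked_websocket_upgrades(log_text))


if __name__ == "__main__":
    for ua, count in blocked_user_agents(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {ua}")
```

Run it against a downloaded S3 access log instead of SAMPLE_LOG to confirm whether the 403 is the WAF's and which user agent it fires on; if the blocked upgrades never show a waf action, the rejection is coming from somewhere other than this ALB.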