Ingress-nginx: force-ssl-redirect for WebSocket support

Hey,

not sure if this is an issue on your side or on mine but let me explain the situation:

I'm using the ingress-nginx with an aws alb using L4 because I need websocket support. At the same time I want to terminate TLS on that ALB because the certificates are issued from aws. So my service looks like this:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
  annotations:
    # certificate from the AWS console
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<redacted>" 
    # the backend instances are HTTP/HTTPS/TCP so let Nginx do that
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    # Map port 443
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # Increase the ELB idle timeout to avoid issues with WebSockets or Server-Sent Events.
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
spec:
  type: LoadBalancer
  selector:
    app: ingress-nginx
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    targetPort: http

now I also want to force https (wss) on the nginx side, so I use nginx.ingress.kubernetes.io/force-ssl-redirect: "true". However that causes the initial upgrade request to be answered with 308 even though it is already initiated with wss://, because $redirect_to_https is set with

map "$scheme:$pass_access_scheme" $redirect_to_https {
        default          0;
        "http:http"      1;
        "https:http"     1;
    }

Do you have a suggestion for me how to solve this? I actually just want to make sure nobody connects through an unsecure connection (http/ws) and they always get redirected to the secure connection.
If I don't use force-ssl-redirect everything works fine (ws and wss)

Thx