For whatever reason I too had the same issue. Using the same config from 1.6.x and applying to 2.2.3 would always net the same websocket failed error. Rancher2 itself would only log even in debug:
2019/06/03 13:47:53 [ERROR] Error during subscribe websocket: origin not allowed
2019/06/03 13:47:53 [ERROR] Unknown error: websocket: origin not allowed
Copy and paste verbatim from the external LB page and changing the upstream URL along with reformatting for use as a virtual host never always ended with the same origin error no matter the browser (Chrome / Firefox) or computer.
I eventually found someone else with a similar issue posting to the GitLab forum. The solution was to change from:
proxy_set_header Host $host;
proxy_set_header Host $http_host;
I might still tcpdump the traffic to see why $host fails but $http_host works but for now I can continue with testing a migration.
My NGINX version is:
nginx -v nginx version: nginx/1.16.0