You are correct that the problem seems to be from websockets.In the error log for apache, I see:
[Wed Jun 15 17:00:39.470705 2016] [proxy:warn] [pid 16801] [client x.x.x.x:57356] AH01144: No protocol handler was valid for the URL /api/v3/users/websocket. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
I'm not entirely sure what to do with this. Here's my current apache SSL file, using let's encrypt:
<VirtualHost x.x.x.x:443>
ServerName my.mattermost.org
SSLCertificateFile /etc/letsencrypt/live/my.mattermost.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.mattermost.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyPreserveHost On
ProxyRequests Off
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/api/v3/users/websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RequestHeader set X-Forwarded-Proto "https"
<Location /api/v3/users/websocket>
Require all granted
ProxyPassReverse ws://127.0.0.1:8065/api/v3/users/websocket
ProxyPassReverseCookieDomain 127.0.0.1 my.mattermost.org
</Location>
<Location />
Require all granted
ProxyPassReverse https://127.0.0.1:8065/
ProxyPassReverseCookieDomain 127.0.0.1 my.mattermost.org
</Location>
</VirtualHost>