This will sound a little odd, but we have an NGINX reverse proxy acting as an SSL termination point for a remote desktop web gateway from Microsoft.

Currently, the primary Web Client ingress point is protected by SSL Client Certificates - you must have a valid SSL CLient Certificate to get to the web component.

However, RDWeb from Microsoft still has to establish WSS connections (`wss://...`) to the RD Gateway component - a separate server. The tricky part about this is it uses *only* `wss`. This works fine if the web frontend is open to all, but we want to restrict it so that only one WSS pathway can actually be used and no other WSS requests work.

When attempting to make this work, we've been trying various configurations of location matching ultimately ending with the WSS connections all failing except when passed through directly WITHOUT any restrictions (that is, `location / { ... }` is globally permitted for the gateway component.)

Is there a way to configure NGINX so that it tests the requested wss path *first* before it hands off to the backend, thereby determining if it's permitted or rejected?