Web socket 502 bad gateway

I am running vaultwarden using nginx as reverse proxy and Cloudflare but for websocket there is error 502 bad gateway when I access yourvaultdomain.com/notifications/hub… Will my websocket still work despite error 502 bad gateway?
my nginx conf:

# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:8080;
  keepalive 2;
}
upstream vaultwarden-ws {
  zone vaultwarden-ws 64k;
  server 127.0.0.1:3012;
  keepalive 2;
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vaultwarden.example.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vaultwarden.example.tld;

    # Specify SSL Config when needed
    #ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
    #ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
    #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;

    client_max_body_size 128M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-ws;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header "Connection" "";
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
}

this is from: Proxy examples · dani-garcia/vaultwarden Wiki · GitHub
my vaultwarden log:

[2023-03-25 20:08:25.701][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:55054
[2023-03-25 20:08:46.357][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:39960
[2023-03-25 20:08:46.915][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:39972
[2023-03-25 20:08:47.323][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:39984
[2023-03-25 20:08:47.576][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:39986
[2023-03-25 20:08:47.774][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:39998
[2023-03-25 20:08:47.930][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40008
[2023-03-25 20:08:48.072][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40020
[2023-03-25 20:08:48.239][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40036
[2023-03-25 20:08:48.413][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40038
[2023-03-25 20:08:48.583][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40042
[2023-03-25 20:08:48.752][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40046
[2023-03-25 20:08:48.892][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40062
[2023-03-25 20:08:49.026][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40066
[2023-03-25 20:08:49.151][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40068
[2023-03-25 20:08:49.280][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40070
[2023-03-25 20:08:49.453][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.17.0.1:40078 

You should not access the /notifications/hub endpoint directly in your browser because it is only used for establishing a websocket connection. Check out the following wiki page on how to test if it works:

thank you sir it seems to work fine.