Should it be possible to terminate SSL for wss (secure websockets) at a layer 4 load balancer?
Seems to me that wss (and ws) in general would require TCP routing, since an HTTP reverse proxy wouldn't be able to make sense of the packets, and SSL termination would require layer 7 routing, since the session is really maintained above layer 4. I feel somewhat confident about the first statement, and much less so about the second.
Bonus question: if it is possible, in general, to achieve wss routing and SSL termination in a single load balancer, can it be done specifically with HAProxy? Nginx? Other?
Yes, in theory. WSS uses HTTP for the handshake; once the session is negotiated, it is passed to WSS.
However, load balancers come in many forms, and protocol implementations can leave a lot to be desired.
NGINX seems to be a good option, as they actually mention this on their website.
Resources: https://www.nginx.com/blog/websocket-nginx/
http://nginx.org/en/docs/http/websocket.html?_ga=1.232918046.1407092516.1485627218
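
As an added illustration (not part of the original answer), this is a minimal NGINX configuration that terminates TLS for `wss://` clients and proxies the upgraded connection to a plain `ws://` backend, using the Upgrade/Connection forwarding described in the NGINX WebSocket documentation linked above. The hostname, certificate paths, upstream name and backend address are placeholders.

```nginx
# Added example; every name, path and address below is a placeholder.
# Place inside the http {} context.

# Send "Connection: upgrade" upstream only when the client requested an upgrade;
# ordinary HTTP requests get "Connection: close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream ws_backend {
    server 10.0.0.10:8080;   # constructed backend address, speaks plain ws://
}

server {
    listen 443 ssl;                      # TLS ends here, so clients connect with wss://
    server_name ws.example.com;

    ssl_certificate     /etc/nginx/tls/ws.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/ws.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /ws/ {
        proxy_pass http://ws_backend;

        # Upgrade and Connection are hop-by-hop headers and are not forwarded
        # by default; the handshake needs HTTP/1.1 and both headers set explicitly.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Tell the backend who the client was and that the original hop was TLS.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The default read timeout is 60s; idle WebSocket connections are closed
        # unless this is raised or the application sends ping frames.
        proxy_read_timeout 300s;
    }
}
```

With this layout the traffic between the proxy and the backend is unencrypted, so that segment should sit on a trusted network or be re-encrypted.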