With all HAProxy versions prior to 1.5-dev22, when used in mode http, it worked in the tunnel "sub-mode" if no other "sub-mode" was specified. I realize there's not actually such a thing as a "sub-mode" in HAProxy, but I'm not sure what else to call it. The docs just use the word 'mode', but I find that even more confusing...
In any event, in tunnel "sub-mode" only the first request and response are processed, and everything else is forwarded with no analysis at all. This mode should not be used as it creates lots of trouble with logging and HTTP processing.
As of 1.5-dev22, the default "sub-mode" was changed from tunnel to keep alive, meaning that all requests and responses are processed, and connections remain open but idle between responses and new requests.
This can be changed by using the option http-keep-alive, option http-tunnel, option httpclose, option http-server-close and option forceclose keywords in frontends and backends, with the effective mode (or "sub-mode" if you will) being outlined in the docs. Under section 4, there's a table that shows the effective "sub-mode" based on which options are set in the frontend and backend used for a particular connection.
For completeness, here's the relevant section of the docs, including the table and its various "sub-modes", as it exists at the time of this writing (1.5.14):
In HTTP mode, the processing applied to requests and responses flowing over
a connection depends in the combination of the frontend's HTTP options and
the backend's. HAProxy supports 5 connection modes :
- KAL : keep alive ("option http-keep-alive") which is the default mode : all
requests and responses are processed, and connections remain open but idle
between responses and new requests.
- TUN: tunnel ("option http-tunnel") : this was the default mode for versions
1.0 to 1.5-dev21 : only the first request and response are processed, and
everything else is forwarded with no analysis at all. This mode should not
be used as it creates lots of trouble with logging and HTTP processing.
- PCL: passive close ("option httpclose") : exactly the same as tunnel mode,
but with "Connection: close" appended in both directions to try to make
both ends close after the first request/response exchange.
- SCL: server close ("option http-server-close") : the server-facing
connection is closed after the end of the response is received, but the
client-facing connection remains open.
- FCL: forced close ("option forceclose") : the connection is actively closed
after the end of the response.
The effective mode that will be applied to a connection passing through a
frontend and a backend can be determined by both proxy modes according to the
following matrix, but in short, the modes are symmetric, keep-alive is the
weakest option and force close is the strongest.
                          Backend mode

                    | KAL | TUN | PCL | SCL | FCL
                ----+-----+-----+-----+-----+----
                KAL | KAL | TUN | PCL | SCL | FCL
                ----+-----+-----+-----+-----+----
                TUN | TUN | TUN | PCL | SCL | FCL
     Frontend   ----+-----+-----+-----+-----+----
       mode     PCL | PCL | PCL | PCL | FCL | FCL
                ----+-----+-----+-----+-----+----
                SCL | SCL | SCL | FCL | SCL | FCL
                ----+-----+-----+-----+-----+----
                FCL | FCL | FCL | FCL | FCL | FCL
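To apply the matrix above to an actual configuration, the following added Python example (not part of the original answer and not HAProxy code) computes the effective mode for each frontend-to-backend route, which shows where traffic ends up in tunnel mode and therefore goes unanalysed after the first request. It assumes that the last of the five options in a section wins and that a defaults section sets the starting mode of later sections; the function names and the sample configuration are constructed for illustration.

```python
MODES = ["KAL", "TUN", "PCL", "SCL", "FCL"]
# Rows: frontend mode; columns: backend mode in MODES order (matrix quoted above).
MATRIX = {
    "KAL": "KAL TUN PCL SCL FCL",
    "TUN": "TUN TUN PCL SCL FCL",
    "PCL": "PCL PCL PCL FCL FCL",
    "SCL": "SCL SCL FCL SCL FCL",
    "FCL": "FCL FCL FCL FCL FCL",
}
OPTION_MODE = {"http-keep-alive": "KAL", "http-tunnel": "TUN", "httpclose": "PCL",
               "http-server-close": "SCL", "forceclose": "FCL"}

def effective(front, back):
    return MATRIX[front].split()[MODES.index(back)]

def audit(cfg, version_default="KAL"):
    """Map (frontend, backend) -> effective mode. version_default is "TUN" before
    1.5-dev22 and "KAL" from 1.5-dev22 on. Assumptions: the last of the five options
    in a section wins; a 'defaults' section sets the starting mode of later sections."""
    modes, routes, inherited, kind, name = {}, [], version_default, None, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split() or [""]   # strip comments, tolerate blanks
        if words[0] in ("global", "defaults", "listen", "frontend", "backend"):
            kind, name = words[0], (words[1] if len(words) > 1 else "")
            if kind in ("frontend", "backend"):
                modes[(kind, name)] = inherited
        elif words[0] == "option" and len(words) > 1 and words[1] in OPTION_MODE:
            if kind == "defaults":
                inherited = OPTION_MODE[words[1]]
            elif kind in ("frontend", "backend"):
                modes[(kind, name)] = OPTION_MODE[words[1]]
        elif kind == "frontend" and words[0] in ("default_backend", "use_backend") and len(words) > 1:
            routes.append((name, words[1]))
    return {(f, b): effective(modes[("frontend", f)], modes[("backend", b)])
            for f, b in routes if ("backend", b) in modes}
# Constructed sample configuration, for illustration only.
SAMPLE = """
defaults
    option http-server-close
frontend web
    option httpclose
    default_backend app
    use_backend legacy if { path_beg /old }
backend app
backend legacy
    option http-tunnel
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Passing "TUN" as version_default reproduces the pre-1.5-dev22 behaviour for sections that set none of the five options.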
Turns out that our IIS install script included the following:
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "system.applicationHost/applicationPools/applicationPoolDefaults" -Name "enableConfigurationOverride" -Value "False"
Which essentially changes the default setting for all application pools, disabling any configuration override. Essentially, this turned off the ability to use web.config files within our sites.
That would definitely do it. I couldn't see anything in the UI for the enableConfigurationOverride option.
So I just ran the following in PowerShell to fix the issue:
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "system.applicationHost/applicationPools/applicationPoolDefaults" -Name "enableConfigurationOverride" -Value "True"
Best Answer
The problem has been solved; however, my understanding of Active Directory and domain controllers is lacking.
Here are the conditions that restored the log files:
Hopefully this information is useful to someone in the future.