Magento

Turpentine is not Full Page Cache


Turpentine? Alright

Hello, Magento 1.9.x website owner. I am sure you want to speed up your website and heard of Varnish. The only complete plugin for implementing Varnish support in Magento 1.9.x is called Turpentine. Ever heard of Turpentine?

It’s a plugin that tries to make your Magento Varnish-aware.

No, it is not a real world solution for your performance concerns. Unfortunately. And unfortunately it is not a full page cache system either. Here is why.

The story of the most evil default value

Turpentine has its share of issues, and some of them are twofold and hidden. For me, it’s quite alarming how issues like this, coupled with an enabled “VCL Fix” and AJAX-ified carts, made many people think that things work fine.
Me included. But actually, CSRF protection is disabled this way. That is something I had to learn months later, after taking a closer look at everything.

It’s a very common setup:

  • Nginx as SSL terminator
  • Varnish
  • Turpentine plugin in Magento is set with VCL Fix enabled and crawler IP set to 127.0.0.1 (the effing default!)
  • Add to cart functionality is implemented using AJAX

Everything is working just fine. Little did you know that your CSRF protection is disabled: what happens in the background is that the form keys belong to the “crawler” session and thus don’t really change from user to user. Bad!
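One way to check a storefront for this condition, as an added example that is not from the original post or from Turpentine: compare the form keys in pages served to independent cookie-less visitors. The function names and sample HTML are constructed for illustration; the hidden `form_key` input and the `/form_key/<key>/` URL segment are where Magento 1 exposes the key.

```python
import re
from collections import defaultdict

# Magento 1 exposes the form key as a hidden input and as a URL segment.
_INPUT = re.compile(r'<input\b[^>]*\bname=["\']form_key["\'][^>]*>', re.I)
_VALUE = re.compile(r'\bvalue=["\']([^"\']+)["\']', re.I)
_URL_SEGMENT = re.compile(r'/form_key/([A-Za-z0-9]+)')


def extract_form_keys(html):
    """Return every form key found in one HTML body."""
    keys = set(_URL_SEGMENT.findall(html))
    for tag in _INPUT.findall(html):
        match = _VALUE.search(tag)
        if match:
            keys.add(match.group(1))
    return keys


def shared_form_keys(pages):
    """pages maps a visitor label to the HTML that visitor received.

    Each visitor must have fetched the page with its own empty cookie jar.
    Returns {form_key: [visitors]} for keys handed to more than one visitor;
    any entry means the CSRF token is not bound to the user's session.
    """
    seen = defaultdict(set)
    for visitor, html in pages.items():
        for key in extract_form_keys(html):
            seen[key].add(visitor)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def _sample_page(key):
    # Constructed markup, modelled on a Magento 1 add-to-cart form.
    return (
        f'<form action="/checkout/cart/add/product/42/form_key/{key}/">'
        f'<input name="form_key" type="hidden" value="{key}" /></form>'
    )


# Constructed samples: two visitors behind the misconfigured cache, two without it.
MISCONFIGURED = {"visitor_a": _sample_page("AbC123sharedKey0"),
                 "visitor_b": _sample_page("AbC123sharedKey0")}
HEALTHY = {"visitor_a": _sample_page("k9Qw2ZxL0pRt7UvA"),
           "visitor_b": _sample_page("Mn4Bv8Cx1Zq6LsKd")}

if __name__ == "__main__":
    print("misconfigured:", shared_form_keys(MISCONFIGURED))
    print("healthy:", shared_form_keys(HEALTHY))
```

On a real site the HTML bodies would come from separate cookie-less requests sent through the public HTTPS endpoint, so that they pass through Nginx and Varnish the same way a new visitor does.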

Now, what if you want to do the right thing? You set the crawler IP to empty, or adjust the VCL with code that checks against the proper IP header:

if (std.ip(req.http.X-Forwarded-For, "0.0.0.0") ~ crawler_acl ||

Alright! Things are going to work as they should now! Yes?

Wrong. With VCL Fix enabled, your first cookie-less request is bypassed (piped, in Varnish terms).

So that sounds like a bad idea and doesn’t fall into the category of “negligible performance hit”. It’s a tremendous performance disaster. Every single new visitor will get a completely uncached page on their very first visit. A visit that is so important for keeping the bounce rate low. A visit so important for making sure that the visitor converts into a customer.

OK. What options does Turpentine put on the table? Disable VCL Fix? That means disabling CSRF protection for those few actions where it may not be so important. But I don’t really think so. I am not sure you want to sacrifice security for performance in any way.

There’s a known chase for performance in this competitive world of websites, but you have to know when to stop and when not to.

Final thoughts

I am sorry if I had to rant on why Turpentine is of no real use. But I feel somewhat deceived, as the aforementioned behaviour made me think for quite a long time that things worked fine, whereas they really didn’t, and at the cost of lessened security.

I understand it worked for Magento versions below 1.8. And I understand that the plugin developers did their best with Magento 1 which doesn’t support Varnish out of the box. Well, it just doesn’t.

Relax. And don’t bother with Varnish and Magento 1 unless you want to sacrifice some security to make it work. Have a coffee. Use an FPC plugin that just works.

Useful links collected over the course of the “investigation”:
