Turpentine is not a Full Page Cache

by , , revisited on

We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

Turpentine? Alright

Hello, Magento 1.9.x website owner. I am sure you want to speed up your website and heard of Varnish. The only complete plugin for implementing Varnish support in Magento 1.9.x is called Turpentine. Ever heard of Turpentine?

It’s a plugin that tries to make your Magento Varnish-aware.

No, it is not a real-world solution for your performance concerns. Unfortunately. And unfortunately, it is not a full-page cache system either.
It is simply, unacceptable.
Here is why.

The story of the evilest default value

Turpentine has its share of issues. And some of them are double-fold and hidden. For me, it’s quite alarming how issues like this coupled with enabled “VCL Fix” and ajax-ified carts made many people think that things work fine.
Me included. But actually, the CSRF protection is disabled this way. Something I had to learn months later after taking a closer look at everything.

It’s a very common setup:

  • Nginx as SSL terminator
  • Varnish
  • Turpentine plugin in Magento is set with VCL Fix enabled and crawler IP set to (the effing default!)
  • Add to cart functionality is implemented using AJAX

Everything is working just fine. Little did you know that your CSRF is disabled because what happens in the background is that the form keys belong to “crawler” session and thus don’t really change from user to user. Bad!

Now, what if you want to do the right thing. You set crawler IP to empty or adjust the VCL with the code to check against the proper IP header:

if (std.ip(req.http.X-Forwarded-For, "") ~ crawler_acl ||

Alright! Things are going to work as they should now! Yes?

Wrong. With VCL fix enabled your first cookie-less request is bypassed (piped, in Varnish terms).

So that sounds like a bad idea and doesn’t fall into the category of “negligible performance hit”. It’s a tremendous performance disaster. Every single new visitor will get a completely uncached page on their very first visit. A visit that is so much important to keep the bounce rate low.
Is a visit so important for making sure that the visitor converts into a customer… go completely uncached, for every visitor? You’ve heard me!

OK. What are the options at our table that Turpentine has to offer? Disable VCL Fix? That means disabling CSRF protection for those few actions where it may not be so important. But I don’t really think so. I am not sure you want to sacrifice security for performance in any way.

There’s a known chase for performance in this competitive websites’ world – but you know when to stop and when not.

Final thoughts

I am sorry if I had to rant on why Turpentine is of no real use. But I feel somewhat deceived as the aforementioned behavior made me think that things work fine for quite a lot of time whereas they really didn’t at the cost of lessening security.

I understand it worked for Magento versions below 1.8. And I understand that the plugin developers did their best with Magento 1 which doesn’t support Varnish out of the box. Well, it just doesn’t.

Relax. And don’t bother with Varnish and Magento 1 unless you want to sacrifice some security to make it work. Have a coffee. Use an FPC plugin that just works.

Useful links collected of the course of “investigation”:

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.