Ops pointed out that almost 60% of the Apache traffic is calls to Special:CentralAutoLogin. About half of that traffic is to /start, so it looks like Special:CentralAutoLogin/start is still not cached, even though we don't disable client caching in the output page. MediaWiki is sending Cache-Control: private.
csteipp@linux-hv06:~> curl -Ik 'https://en.wikipedia.org/wiki/index.php?title=Special:CentralAutoLogin/start&type=script&returnto=One&returntoquery=' | grep Cache-Control
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
It seems like that is because OutputPage checks to see if $this->mSquidMaxage != 0, otherwise it sends out the private header. On my dev system, I added $this->getOutput()->setSquidMaxage( 3600 ), and I then get
csteipp@linux-hv06:~> curl -Ik 'https://127.0.0.1/wiki_port83/de/index.php?title=Special:CentralAutoLogin/start&type=script&returnto=One&returntoquery='
HTTP/1.1 302 Found
Date: Mon, 16 Sep 2013 23:32:21 GMT
Server: Apache/2.2.22 (Linux/SUSE)
X-Powered-By: PHP/5.3.17
X-Content-Type-Options: nosniff
P3P: CP="This is not a P3P policy! See http://127.0.0.1/wiki_port83/de/index.php?title=Special:CentralAutoLogin/P3P for more info."
Vary: Accept-Encoding,Cookie
Cache-Control: s-maxage=3600, must-revalidate, max-age=0
Location: https://127.0.0.1/wiki_port83/pool/index.php?title=Special:CentralAutoLogin/checkLoggedIn&wikiid=dewiki83&proto=https&type=script&returnto=One&returntoquery=
Content-Type: text/html; charset=utf-8
Is that enough to have Varnish cache these, but logged-in users will always bypass the cache?
Version: master
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=52206
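
The two header sets quoted in the report, evaluated under generic HTTP shared-cache rules (RFC 7234), as an added example that is not part of the original report and not MediaWiki or Varnish code. The function names, URL and cookie values are hypothetical, and a real Varnish deployment follows its own VCL, which can differ from this model.

```python
# Headers constructed from the two curl dumps in the report above.
PROD = {"Cache-Control": "private, s-maxage=0, max-age=0, must-revalidate"}
DEV = {"Vary": "Accept-Encoding,Cookie",
       "Cache-Control": "s-maxage=3600, must-revalidate, max-age=0"}


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def shared_cache_ttl(headers):
    """Seconds a shared cache may reuse the response; 0 means never.

    Assumption: no heuristic freshness, so a response without an explicit
    lifetime is treated as uncacheable (the conservative choice).
    """
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "private" in cc or "no-store" in cc:
        return 0
    # For shared caches s-maxage takes precedence over max-age, even when 0.
    for key in ("s-maxage", "max-age"):
        if key in cc:
            try:
                return max(int(cc[key]), 0)
            except (TypeError, ValueError):
                return 0
    return 0


def variant_key(url, request_headers, response_headers):
    """Cache key for one stored variant: URL plus every header named in Vary.

    With "Vary: Cookie", requests carrying different Cookie values can never
    share a stored response. Returns None for "Vary: *" (never reusable).
    """
    vary = [h.strip().lower()
            for h in response_headers.get("Vary", "").split(",") if h.strip()]
    if "*" in vary:
        return None
    req = {k.lower(): v for k, v in request_headers.items()}
    return (url,) + tuple((h, req.get(h, "")) for h in sorted(vary))
```

Under this model the production response is never stored, while the dev response is reusable for 3600 seconds only by requests whose Cookie and Accept-Encoding values match those of the request that populated the cache.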