feat(edge): more waf

Author: RoRoJ

faq/assets/scaleway-edge-services-pipeline.webp

@@ -14,9 +14,10 @@ productIcon: EdgeServicesProductIcon
 
 Edge Services is a feature for Scaleway Load Balancers and Object Storage buckets. Creating Edge Services [pipelines](/edge-services/concepts/#pipeline) towards your Load Balancers or Object Storage buckets provides: 
 -A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin), and 
+- A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity, and
 - A customizable and secure endpoint for accessing content via Edge Services, which can be set to a subdomain of your choice and secured with an SSL/TLS certificate.
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
+<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
 
 ## Which products are compatible with Edge Services?
 

faq/edge-services.mdx

@@ -3645,6 +3645,10 @@
                     "label": "Configure a cache",
                     "slug": "configure-cache"
                   },
+                  {
+                    "label": "Configure WAF",
+                    "slug": "configure-waf"
+                  },
                   {
                     "label": "Monitor with Cockpit",
                     "slug": "monitor-cockpit"
@@ -3671,6 +3675,10 @@
                     "label": "CNAME records for Edge Services",
                     "slug": "cname-record"
                   },
+                  {
+                    "label": "Understanding WAF",
+                    "slug": "understanding-waf"
+                  },
                   {
                     "label": "Understanding pricing",
                     "slug": "understanding-pricing"

menu/navigation.json

@@ -42,7 +42,7 @@ The endpoint can be customized with a user-defined subdomain, allowing you to re
 
 ## Exclusions
 
-In the context of an Edge Services [Web Application Firewall](#web-application-firewall), exclusions let you define filters for requests that should not be evaluated by the WAF, but rather pass straight to the Load Balancer origin. Learn more about [creating exclusions](TODO)
+In the context of an Edge Services [Web Application Firewall](#web-application-firewall), exclusions let you define filters for requests that should not be evaluated by WAF, but rather pass straight to the Load Balancer origin. Learn more about [creating exclusions](/edge-services/how-to/configure-waf/#how-to-set-exclusions)
 
 ## Origin
 
@@ -63,7 +63,7 @@ The Load Balancer defined by the user as origin for a given Edge Services pipeli
 
 ## Paranoia level
 
-In the context of an Edge Services [Web Application Firewall](#web-application-firewall), the paranoia level determines how sensitive the request-evaluation mechanism is to potential threats. Four paranoia levels are available, with level 1 being the least sensitive, and level 4 being the most sensitive. The higher the paranoia level, the more likely it is that a given request will be judged to be malicious. For full details on paranoia levels, see [TODO](todo).
+In the context of an Edge Services [Web Application Firewall](#web-application-firewall), the paranoia level determines how sensitive the request-evaluation mechanism is to potential threats. Four paranoia levels are available, with level 1 being the least sensitive, and level 4 being the most sensitive. The higher the paranoia level, the more likely it is that a given request will be judged to be malicious. For full details on paranoia levels, see our [detailed documentation](/edge-services/reference-content/understanding-waf/#waf-ruleset-and-paranoia-levels).
 
 ## Pipeline
 
@@ -79,4 +79,4 @@ The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sen
 
 ## WAF
 
-An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can set the [paranoia level](#paranoia-level) to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more about [configuring a WAF](/edge-services/how-to/configure-waf/).
+An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can set the [paranoia level](#paranoia-level) to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more about [configuring WAF](/edge-services/how-to/configure-waf/).

pages/edge-services/concepts.mdx

@@ -13,10 +13,12 @@ categories:
   - network
 ---
 
-An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by the WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose.
+An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose.
 
 This page walks you through the processing of enabling and configuring WAF to protect your Load Balancer origin. 
 
+To read more about how WAF works, try our [Understanding WAF](/edge-services/reference-content/understanding-waf/) page.
+
 <Message type="note">
 WAF is not available for Object Storage bucket origins.
 </Message>
@@ -39,10 +41,10 @@ WAF is not available for Object Storage bucket origins.
 
     TODO SCREENSHOT
 
-3. Choose the **paranoia level**, from 1 - 4, that is best adapted to your use case. The higher the paranoia level, the more sensitive WAF is to potential threats, and the more likely it is to class a request as malicious. For help with choosing a paranoia level, see our [dedicated documentation](TODO).
+3. Choose the **paranoia level**, from 1 - 4, that is best adapted to your use case. The higher the paranoia level, the more sensitive WAF is to potential threats, and the more likely it is to class a request as malicious. For help with choosing a paranoia level, see our [dedicated documentation](/edge-services/reference-content/understanding-waf/#waf-ruleset-and-paranoia-levels).
 
         <Message type="tip">
-        After enabling WAF, you will be able to [set exclusions](TODO) that filter out requests matching certain criteria from being evaluated by WAF.
+        After enabling WAF, you will be able to [set exclusions](#how-to-set-exclusions) that filter out requests matching certain criteria from being evaluated by WAF.
         </Message>
 
 4. Select a WAF **mode**. Requests judged to be malicious can either be **blocked** and prevented from passing to the Load Balancer origin, or **logged** but allowed to pass.
@@ -68,13 +70,13 @@ Once you have enabled WAF, you can choose to set **exclusions**. Exclusions are
     <Lightbox src="scaleway-add-exclusions.webp" alt="A screenshot of the Add exclusions popup in the Scaleway console, with an 'if' box to set a path regex value, and a 'then' box pre-filled to 'Bypass WAF'" /> TODO CHANGE NEW BUTTON?
 
 3. Set up to two filters for this exclusion. You can add either:
-  - One ***Path regex** filter, to match paths of requests to exclude. For example, TODO
-  - One **HTTP method** filter, to match te HTTP methods of requests to exclude. For example, enter one or more of `GET`, `PATCH`, `PUT`, `DELETE` etc. Requests that match any of these methods will be considered to match the HTTP method filter.
-  - One of each of the above (use the **Add filter** button to add the second filter)
+    - One ***Path regex** filter, to match paths of requests to exclude. For example, `/api/v1/.*`
+    - One **HTTP method** filter, to match te HTTP methods of requests to exclude. For example, enter one or more of `GET`, `PATCH`, `PUT`, `DELETE` etc. Requests that match any of these methods will be considered to match the HTTP method filter.
+    - One of each of the above (use the **Add filter** button to add the second filter)
 
-  If you include both a path regex and an HTTP method filter in the same exclusion, requests must match both of the filters in order to be excluded.
+    If you include both a path regex and an HTTP method filter in the same exclusion, requests must match both of the filters in order to be excluded.
 
-  Currently, the only action possible to set for matching requests is **Bypass WAF** (matching requests will not be evaluated by WAF and will proceed directly to the Load Balancer origin.) In the future, more actions will be added.
+    Currently, the only action possible to set for matching requests is **Bypass WAF** (matching requests will not be evaluated by WAF and will proceed directly to the Load Balancer origin.) In the future, more actions will be added.
 
 4. Click **Add** to add the exclusion.
 
@@ -94,7 +96,7 @@ Once you have enabled WAF, you can choose to set **exclusions**. Exclusions are
 
 4. Click **Confirm** when you have finished editing.
 
-  You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
+    You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
 
 5. Continue to edit or delete other exclusions as necessary.
 
@@ -110,7 +112,7 @@ Once you have enabled WAF, you can choose to set **exclusions**. Exclusions are
 
 3. Click **Delete**.
 
-You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
+    You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
 
 4. Continue to edit or delete other exclusions as necessary.
 

pages/edge-services/how-to/configure-waf.mdx

@@ -6,7 +6,7 @@ content:
   h1: How to subscribe to Edge Services
   paragraph: Find out how to take your first steps with Scaleway Edge Services by subscribing to a pricing plan. Learn how to choose the best plan for your needs and change your plan at the click of a button.
 dates:
-  validation: 2024-10-15
+  validation: 2025-03-03
   posted: 2024-10-15
 tags: object-storage edge-services subscription-plan subscribe billing pricing
 categories:
@@ -19,6 +19,7 @@ To use Edge Services, you must subscribe to a [pricing plan](https://www.scalewa
 
 - A fixed number of Edge Services [pipelines](/edge-services/concepts/#pipeline). You can create pipelines for either Load Balancers, Object Storage buckets, or a mixture of both, with your subscription plan.
 - A certain amount of egress [cache](/edge-services/concepts/#cache) data (the quantity of data transferred from Edge Services' caches, not including the transfer from the origin bucket or Load Balancer).
+- TODO
 - A custom domain and SSL certificate (managed or custom) for each pipeline.
 
 If you create more pipelines than are included in your plan, or your pipelines' caches egress more data than is included, you will be charged additionally for this. The rates per pipeline/GB of data are indicated on the [pricing](https://www.scaleway.com/en/pricing/network/#edge-services) page.

pages/edge-services/how-to/subscribe-edge-services.mdx

@@ -31,7 +31,7 @@ You can set **exclusions**, so that certain requests are not evaluated by WAF an
 
 In an Edge Services pipeline, WAF sits before the origin stage. This means that WAF only protects your origin, it does not protect or filter requests towards the cache.
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
+<Lightbox src="scaleway-edge-services-pipeline-diag.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
 
 If you have both WAF and cache enabled, requests that can be served by the cache will not go through WAF. Only requests that cannot be served by the cache will be filtered by WAF, and allowed to pass to the origin or not depending on your WAF configuration.