fix(waf): diagrams and flows

Author: RoRoJ

faq/edge-services.mdx

@@ -5,7 +5,7 @@ meta:
 content:
   h1: Edge Services
 dates:
-  validation: 2025-02-04
+  validation: 2025-03-03
 category: network
 productIcon: EdgeServicesProductIcon
 ---
@@ -31,4 +31,22 @@ Find out more about how Edge Service subscription plans and billing works on our
 
 ## If I customize my Edge Services endpoint with my own domain, can it serve content over HTTPS?
 
-Yes, if you choose to [customize your Edge Services endpoint with your own subdomain](/edge-services/how-to/configure-custom-domain/), you are prompted to generate or upload an SSL/TLS certificate for that subdomain so that Edge Services can serve content over HTTPS. This certificate can either be a Let's Encrypt certificate generated and managed by Scaleway, or you can import your own certificate. If you import your own certificate, it will be stored in Scaleway Secret Manager, and [billed accordingly](https://www.scaleway.com/en/pricing/security-and-account/).
+Yes, if you choose to [customize your Edge Services endpoint with your own subdomain](/edge-services/how-to/configure-custom-domain/), you are prompted to generate or upload an SSL/TLS certificate for that subdomain so that Edge Services can serve content over HTTPS. This certificate can either be a Let's Encrypt certificate generated and managed by Scaleway, or you can import your own certificate. If you import your own certificate, it will be stored in Scaleway Secret Manager, and [billed accordingly](https://www.scaleway.com/en/pricing/security-and-account/).
+
+## What is WAF?
+
+**W**eb **A**pplication **F**irewall is a feature available via Edge Services for Load Balancer origins only. When enabled, WAF filters requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).
+
+## I don't have a Load Balancer, how can I use WAF with a different type of Scaleway resource?
+
+For now, this isn't possible: you must put such resources behind a Load Balancer in order to benefit from WAF. Watch this space for other solutions in the future.
+
+## Can I use WAF and caching simultaneously?
+
+Yes, you can have both of these features enabled at the same time on the same Load Balancer pipeline. WAF protects your Load Balancer origin only: it does not filter requests served by the cache.
+
+## What ruleset is used by WAF? Is it updated automatically?
+
+Scaleway Edge Services WAF uses the [OWASP **C**ore **R**ule **S**et (CRS)](https://coreruleset.org/). This is an industry standard, open source ruleset for WAF, which protects against multiple categories of attack such as SQL injection and cross-site scripting. Full details are available in the [OWASP CRS documentation](https://coreruleset.org/docs/).
+
+We handle the automatic updating of rules, removing this hassle from you the user.

pages/edge-services/how-to/assets/scaleway-edge-services-pipeline.webp renamed to macros/edge-services/assets/scaleway-edge-services-pipeline-diag.webp

@@ -7,4 +7,4 @@ macro: edge-services-bucket-benefits
 - Enhance performance by caching your stored objects, to be served directly by Edge Services from the cache
 - Finely control your cached objects via purging (cache invalidation)
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
+<Lightbox src="scaleway-edge-services-pipeline-nowaf.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />

macros/edge-services/assets/scaleway-edge-services-pipeline-nowaf.webp

@@ -4,12 +4,13 @@ macro: edge-services-lb-benefits
 
 Creating an Edge Services pipeline for your Load Balancer helps to reduce load on your Load Balancer's backend servers. The origin configuration you define is used by Edge Services to connect to your Load Balancer and request content, which is then stored in the cache. Then, when your Load Balancer origin is accessed via its customizable Edge Services endpoint, the requested content is served from the cache (if present), without the need to fetch this content via the Load Balancer and its backend servers.
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
+<Lightbox src="scaleway-edge-services-pipeline-diag.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
 
 Edge Services lets you:
 
 - Define the specific origin (Load Balancer, frontend port, and host) for a given pipeline and its associated cache
 - Choose the TTL for cached objects, and purge the entire cache or specific cached objects at any time (cache invalidation)
+- Configure a [Web Application Firewall (WAF)](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
 - Customize your Edge Services pipeline endpoint using a subdomain of your own domain
 - Add an SSL/TLS certificate so that Edge Services can serve content over HTTPS for your subdomain
 

macros/edge-services/assets/scaleway-edge-services-pipeline.webp

@@ -6,7 +6,7 @@ content:
   h1: How to create an Edge Services pipeline for an Object Storage bucket
   paragraph: This page explains how to configure an Edge Services pipeline for a Scaleway Object Storage bucket. Set up your own custom domain to point to your bucket, and enable a caching service for faster and more efficient delivery.
 dates:
-  validation: 2024-10-15
+  validation: 2025-03-03
   posted: 2024-07-24
 tags: object-storage edge-services cdn network cache domain https
 categories:
@@ -44,7 +44,10 @@ You can create an Edge Services pipeline [from the Object Storage section of the
 
 5. Enter a name for the pipeline, or leave the randomly generated name in place.
 
-6. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
+6. Optionally, configure **Advanced Settings:**
+    - **Cache**: When enabled, content from your origin bucket is cached with Edge Services and served directly to users from Edge Services' servers. Set a **Lifetime** value, in seconds, to dictate how long objects should remain in the cache before being freshly retrieved from the origin. [Find out more about caching](/edge-services/how-to/configure-cache/).
+
+7. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
 
     You are returned to the **Pipelines** tab, where the newly created pipeline now displays.
 

macros/edge-services/edge-services-bucket-benefits.mdx

@@ -6,7 +6,7 @@ content:
   h1: How to create an Edge Services pipeline for a Load Balancer
   paragraph: This page explains how to configure an Edge Services pipeline on your Load Balancer, enabling a caching service for faster and more efficient delivery.
 dates:
-  validation: 2024-10-15
+  validation: 2025-03-03
   posted: 2024-07-24
 tags: load-balancer edge-services cdn network cache domain https
 categories:
@@ -34,6 +34,7 @@ You can create an Edge Services pipeline from the Load Balancer section of the c
 
 2. Click **Create pipeline**. The pipeline creation wizard displays.
 
+    TODO UPDATE
     <Lightbox src="scaleway-edge-create-pipeline-lb.webp" alt="A screenshot of the Scaleway console shows the Edge Services pipeline creation wizard. It prompts you to select an origin type (Load Balancer or Object Storage), and configure the other options described below on this page." />
 
 3. Configure the [origin](/edge-services/concepts/#origin) for this pipeline:
@@ -52,9 +53,13 @@ You can create an Edge Services pipeline from the Load Balancer section of the c
 
 5. Enter a name for this Edge Services pipeline, or leave the auto-generated name in place.
 
+6. Optionally, configure **Advanced Settings:**
+    - **Cache**: When enabled, content from your Load Balancer origin is cached with Edge Services and served directly to users from Edge Services' servers. Set a **Lifetime** value, in seconds, to dictate how long objects should remain in the cache before being freshly retrieved from the origin. [Find out more about caching](/edge-services/how-to/configure-cache/).
+    - **WAF**: When enabled, requests to your Load Balancer origin are evaluated by a **W**eb **A**pplication **F**irewall. Malicious requests are blocked or logged, depending on your settings. Set a paranoia level to determine WAF's aggressivity, and a mode (block or log) for dealing with malicious requests. [Find out more about WAF](/edge-services/reference-content/understanding-waf/).
+
     The summary cost for the creation of this pipeline is displayed, notably whether it falls within the limits of your current [subscription plan](/edge-services/reference-content/understanding-pricing/)
 
-6. Click **Create Edge Services pipeline** to finish.
+7. Click **Create Edge Services pipeline** to finish.
 
     You are returned to the **Pipelines** tab, where the newly created pipeline now displays.