pages/edge-services/concepts.mdx
+16 -9 (16 additions & 9 deletions)
@@ -29,14 +29,21 @@ The CNAME record pointing your subdomain to the Edge Services endpoint, if you h
29
29
30
30
## Edge Services
31
31
32
-
Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides a [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin), and a customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice.
32
+
Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides:
33
+
- A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin)
34
+
- A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
35
+
- A customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice.
33
36
34
37
## Endpoint
35
38
36
39
The endpoint from which a given Edge Services pipeline can be accessed, e.g. `https://pipeline-id.svc.edge.scw.cloud`. When a client requests content from the Edge Services endpoint, it is served by Edge Services and its cache, rather than from the origin (Object Storage bucket or Load Balancer backend servers) directly. Edge Services automatically manages redirection from HTTP to HTTPS.
37
40
38
41
The endpoint can be customized with a user-defined subdomain, allowing you to replace the standardized endpoint with the subdomain of a domain you already own, e.g. `http://my-own-domain.com`. An associated [certificate](#certificate), and [CNAME record](#cname-record) will be required, in this case.
39
42
43
+
## Exclusions
44
+
45
+
In the context of an Edge Services [Web Application Firewall](#web-application-firewall), exclusions let you define filters for requests that should not be evaluated by the WAF, but rather pass straight to the Load Balancer origin. Learn more about [creating exclusions](TODO)
46
+
40
47
## Origin
41
48
42
49
The primary source from which a Scaleway Edge Services pipeline retrieves and caches data. An origin can consist of either:
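Review bot: the new Exclusions entry links to `[creating exclusions](TODO)`, which would be published as a dead link, and the sentence is missing its closing period. Point the link at the real how-to path, or drop it until that page exists. In the new bullet list under Edge Services, only the last item ends with a period; pick one punctuation style for all three items.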
@@ -54,22 +61,22 @@ The origin host must be associated with the origin Load Balancer / its backend s
54
61
55
62
The Load Balancer defined by the user as origin for a given Edge Services pipeline. The pipeline connects to this Load Balancer, on the specified frontend port to request content.
56
63
64
+
## Paranoia level
65
+
66
+
In the context of an Edge Services [Web Application Firewall](#web-application-firewall), the paranoia level determines how sensitive the request-evaluation mechanism is to potential threats. Four paranoia levels are available, with level 1 being the least sensitive, and level 4 being the most sensitive. The higher the paranoia level, the more likely it is that a given request will be judged to be malicious. For full details on paranoia levels, see [TODO](todo).
67
+
57
68
## Pipeline
58
69
59
-
<Lightboxsrc="scaleway-edge-services-pipeline.webp"alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
70
+
<Lightboxsrc="scaleway-edge-services-pipeline.webp"alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
60
71
61
-
An Edge Services pipeline consists of an [origin](#origin) for which Edge Services requests and [caches](#cache) content, and an [endpoint](#endpoint) from which this content is served via Edge Services. The pipeline's endpoint can be customized with a user-defined [subdomain](/domains-and-dns/concepts/#subdomain) and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS.
72
+
An Edge Services pipeline consists of an [origin](#origin), which Edge Services can protect from threats with a [Web Application Firefall](#web-application-firewall), and for which it also requests and [caches](#cache) content. Each pipeline also has an [endpoint](#endpoint) from which content is accessed served via Edge Services. The pipeline's endpoint can be customized with a user-defined [subdomain](/domains-and-dns/concepts/#subdomain) and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS. Edge Services can also protect
62
73
63
-
You can create an Edge Services pipeline for each of your Object Storage buckets or Load Balancer origins. Note that the cache can be enabled and disabled at will, so it is an optional part of the pipeline, as is the customization of the endpoint.
74
+
You can create an Edge Services pipeline for each of your Object Storage buckets or Load Balancer origins. Note that caching and WAF can be enabled and disabled at will, so are optional parts of the pipeline, as is the customization of the endpoint. WAF is only available for Load Balancer origins, not Object Storage buckets.
64
75
65
76
## Protocol
66
77
67
78
The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sending requests to an origin Load Balancer. HTTPS is recommended, but you should choose the protocol that corresponds with your Load Balancer setup.
68
79
69
80
## WAF
70
81
71
-
<Messagetype="note">
72
-
Edge Services WAF is currently in [Public Beta](https://www.scaleway.com/en/betas/) and available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming to the Scaleway console soon.
73
-
</Message>
74
-
75
-
An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can set the paranoia level to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more in our dedicated [reference documentation](/edge-services/reference-content/understanding-waf/).
82
+
An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your origin to determine whether they are potentially malicious. You can set the [paranoia level](#paranoia-level) to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more about [configuring a WAF](/edge-services/how-to/configure-waf/).
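Review bot: the rewritten Pipeline paragraph has a typo ("Web Application Firefall"), a doubled verb ("content is accessed served"), and ends on a dangling fragment ("Edge Services can also protect"); fix the spelling, keep one verb, and delete or finish the last sentence. The `#web-application-firewall` anchors added in the Paranoia level and Pipeline entries target a heading that is still `## WAF` in this file, so either rename the heading or link to `#waf`. The Paranoia level entry ends with a placeholder link, `[TODO](todo)`. The WAF entry now says "requests to your origin" while the Pipeline entry states that WAF is only available for Load Balancer origins; keeping "Load Balancer origin" avoids implying that bucket origins are filtered. Removing the Public Beta note should be confirmed against the feature's current status.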
title: How to configure Edge Services Web Application Firewall
4
+
description: Learn how to configure a Web Application Firewall (WAF) for Edge Services. Protect your Load Balancer origin from threats and malicious requests, and fine tune your settings to pick the right paranoia level and exclusions for your use case.
5
+
content:
6
+
h1: How to configure Edge Services Web Application Firewall
7
+
paragraph: Learn how to configure a Web Application Firewall (WAF) for Edge Services. Protect your Load Balancer origin from threats and malicious requests, and fine tune your settings to pick the right paranoia level and exclusions for your use case.
An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by the WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose.
17
+
18
+
This page walks you through the processing of enabling and configuring WAF to protect your Load Balancer origin.
19
+
20
+
<Messagetype="note">
21
+
WAF is not available for Object Storage bucket origins.
22
+
</Message>
23
+
24
+
<Macroid="requirements" />
25
+
26
+
- A Scaleway account logged into the [console](https://console.scaleway.com)
27
+
-[Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
28
+
- An Edge Services pipeline for a [Load Balancer](/edge-services/how-to/create-pipeline-lb/) origin
29
+
30
+
## How to enable and configure WAF
31
+
32
+
1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to enable WAF:
33
+
TODO UPDATE
34
+
<Lightboxsrc="scaleway-edge-services-dashboard.webp"alt="A screenshot of the Edge Services dashboard in the Scaleway console. This is a dashboard for Edge Services on an Object Storage bucket, showing links to the documentation, Scaleway Cockpit, the endpoint, cache settings and a button to disable the pipeline." />
35
+
36
+
2. In the **Web Application Firewall (WAF)** panel, use the <Iconname="toggle" /> icon to enable WAF.
37
+
38
+
A pop-up displays:
39
+
40
+
TODO SCREENSHOT
41
+
42
+
3. Choose the **paranoia level**, from 1 - 4, that is best adapted to your use case. The higher the paranoia level, the more sensitive WAF is to potential threats, and the more likely it is to class a request as malicious. For help with choosing a paranoia level, see our [dedicated documentation](TODO).
43
+
44
+
<Messagetype="tip">
45
+
After enabling WAF, you will be able to [set exclusions](TODO) that filter out requests matching certain criteria from being evaluated by WAF.
46
+
</Message>
47
+
48
+
4. Select a WAF **mode**. Requests judged to be malicious can either be **blocked** and prevented from passing to the Load Balancer origin, or **logged** but allowed to pass.
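Review bot: this new page still carries authoring placeholders that would be published as-is: `TODO UPDATE` under step 1, `TODO SCREENSHOT` under step 2, and two `(TODO)` link targets (the "dedicated documentation" link in step 3 and "set exclusions" in the tip). The step 1 screenshot's alt text describes a dashboard "for Edge Services on an Object Storage bucket", which conflicts with the note on this same page that WAF is not available for Object Storage bucket origins; replace the image and alt text with the Load Balancer pipeline dashboard. In the introduction, "the processing of enabling" should read "the process of enabling", and the `-[Owner]` requirement is missing the space after the list marker.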
pages/edge-services/index.mdx
+3 -3 (3 additions & 3 deletions)
@@ -6,15 +6,15 @@ meta:
6
6
7
7
<Alert
8
8
sentiment="info"
9
-
title="Edge Services WAF is now available via the Edge Services API!"
9
+
title="Edge Services WAF is now available!"
10
10
>
11
-
Web Application Firewall (WAF) for Edge Services is now in Public Beta and available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). Enable WAF to protect your Load Balancer origin from threats and malicious requests. Find out more in our [dedicated documentation](/edge-services/reference-content/understanding-waf/).
11
+
Edge Services now offers a Web Application Firewall (WAF) service, to protect your origin from threats and malicious requests. Find out more in our [dedicated documentation](/edge-services/how-to/configure-waf/).
12
12
</Alert>
13
13
14
14
<ProductHeader
15
15
productName="Edge Services"
16
16
productLogo="edgeServices"
17
-
description="Edge Services is a feature for Scaleway Load Balancers and Object Storage buckets. It provides a caching service to improve performance by reducing load on your origin, and a customizable, secure endpoint for accessing content via Edge Services."
17
+
description="Edge Services is a feature for Scaleway Load Balancers and Object Storage buckets. It provides a caching service to improve performance by reducing load on your origin, WAF to protect against malicious requests, and a customizable, secure endpoint for accessing content via Edge Services."
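Review bot: the new alert body says WAF protects "your origin" and the new `description` lists WAF next to "Load Balancers and Object Storage buckets" without qualification, but concepts.mdx in this same commit states that WAF is only available for Load Balancer origins. The removed alert text said "Load Balancer origin"; keep that qualifier in both strings so readers with bucket origins do not assume their content is filtered. The alert also drops the Public Beta wording; confirm that this matches the feature's current status before merging.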