feat(es): more waf

Author: RoRoJ

pages/edge-services/reference-content/assets/scaleway-edge-services-pipeline.webp

@@ -27,23 +27,37 @@ When you subscribe to a plan, you are billed its flat monthly fee, which allows
 
 - Run a fixed maximum number of Edge Services [pipelines](/edge-services/concepts/#pipeline) for the month. They can be for Object Storage or Load Balancer origins, or a mixture of both.
 - Egress a fixed maximum amount of data from all your pipelines' [caches](/edge-services/concepts/#cache).
+- Filter a fixed maximum amount of requests through [WAF](/edge-services/concepts/#waf)
 
-If you subscribe to a plan, and exceed its monthly limits for pipelines or cache data, you will incur additional charges that month. 
+<Message type="note">
+The Starter plan does not include WAF. To use WAF on this plan, you must may an additional monthly add-on charge (see [below](#waf-add-on)).
+</Message>
 
-Essentially, your Edge Services monthly bill is made up of your **monthly subscription plan price** + **any additional pipeline charges incurred** + **any additional cache charges incurred**.
+If you subscribe to a plan, and exceed its monthly limits for pipelines, cache data, or WAF requests you will incur additional charges that month. 
+
+Essentially, your Edge Services monthly bill is made up of your **monthly subscription plan price** + **any additional pipeline charges incurred** + **any additional cache charges incurred** + **optional WAF add-on** (Started plan only) + **any additional WAF charges incurred**.
 
 For full details of the price and limits of each plan, refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services). Subscription plans are scoped to a single Scaleway [Project](/organizations-and-projects/concepts/#project).
 
 ## Keeping track of your Edge Services consumption
 
 You can check the number of pipelines you have at any one time in the **Pipelines** tab of the Edge Services dashboard in the Scaleway console. [Scaleway Cockpit](/edge-services/how-to/monitor-cockpit/) can be used to monitor the data egressing from your Edge Services caches.
 
+## WAF add-on
+
+The Starter plan is the only plan that does not include WAF. To use WAF on this plan, you must may an additional monthly add-on charge (see [pricing page]([pricing page](https://www.scaleway.com/en/pricing/network/#edge-services)). 
+
+This add-on then lets you enable WAF on all your pipelines, and use a fixed amount of WAF requests for that month across all pipelines. Any WAF requests that exceed this amount will be charged additionally, as described below.
+
+WAF is only compatible with Load Balancer origin pipelines, not with Object Storage bucket pipelines.
+
 ## Included usage vs additional charges
 
 Additional charges apply when you either:
 
 - Have more pipelines in existence (at any given time) than the limit of your monthly plan
 - Egress more data from all your pipelines' caches combined, than the limit of your monthly plan
+- Filter more requests through WAF, for all of your pipelines combined, than the limit of your monthly plan or add-on.
 
 Read on to understand more about how additional charges are applied.
 
@@ -92,6 +106,30 @@ You consumed 200 GB of cache data that was not included within your monthly plan
 `{Fee per GB of additional cache} * 200 GB` <br/>
 e.g. `0.0135 * 200 = €2.70`
 
+### Additional WAF charges
+
+WAF consumption is based on the number of requests processed by all your Edge Services pipelines' Web Application Firewalls combined, in a given month. Requests that are served by the cache are **not** processed by WAF, as WAF protects only your origin.
+
+For every million requests processed by Edge Services WAF in a month, **beyond** the limit of your monthly plan (or add-on, in the case of the Starter plan), an additional charge applies.
+
+For example:
+
+<Message type="important">
+The example prices and limits used below are subject to change. You should always refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services) for the most up to date information.
+</Message>
+
+- For the entire month of November, you are subscribed to the **Professional** plan, which has a limit of 5M WAF requests.
+- Over the course of the month, a total of 8M requests were processed by WAF across all your Edge Services pipelines. 
+
+You used 3M extra WAF requests that were not included within your monthly plan. Your November Edge Services billing, in terms of additional WAF charges, is therefore calculated as follows:
+
+`{Fee per additional 1M WAF requests} * 3` <br/>
+e.g. `0.5 * 3 = €1.50`
+
+<Message type="note">
+You are charged proportionally for additional WAF requests, even though the price is set per million. If, for example, you only make 500,000 additional WAF requests in a month, you will be charged `{Fee per additional 1M WAF requests} / 2`.
+</Message>
+
 ## Changing your subscription plan
 
 You can upgrade or downgrade your subscription plan at any time. Read on to understand how changing plan mid-month affects your billing.
@@ -162,3 +200,49 @@ You consumed 200 GB of cache data that was not included within your monthly Star
 `{Fee per GB of additional cache} * 200 GB` <br/>
 e.g. `0.0135 * 200 = €2.70`
 
+### WAF charges
+
+Any additional WAF request charges accumulated when you exceeded your previous plan's limit will remain on your monthly bill. From the moment you change your plan, your WAF request consumption resets to 0. During the rest of the month, you can consume WAF requests up to the new plan's limit without being charged.  
+
+<Message type="note">
+- If you **downgrade** your plan, all the WAF requests made within the hour of changing plans will count towards the WAF request consumption of the new plan. 
+- If you **upgrade** your plan, all the WAF requests made within the hour of changing plans will count towards the cache consumption of the old plan.
+</Message>
+
+For example:
+
+<Message type="important">
+The example prices and limits used below are subject to change. You should always refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services) for the most up to date information.
+</Message>
+
+- From November 1-10 you are subscribed to the **Professional** plan, which has a limit of 5M WAF requests.
+- From November 1-10 you make 10M WAF requests.
+- On November 11, you upgrade to the **Advanced** plan, which has a limit of 50M WAF requests. Your WAF request usage resets to 0.
+- Between November 11 and the end of the month, you make 50M WAF requests.
+
+You made 5M WAF requests that were not included within your monthly Professional plan, between November 1-10. For the rest of the month, you were within the limits of your new Advanced plan. Your November Edge Services billing, in terms of the additional cache charges, is therefore calculated as follows:
+
+`{Fee per additional 1M WAF requests} * 5` <br/>
+e.g. `0.5* 5 = €2.50`
+
+### WAF add-on
+
+This scenario applies to a user who is subscribed to the Starter plan and pays the WAF add-on price, then upgrades to a higher level plan.
+
+You will be billed pro-rata for the add-on charge, based on how long you were subscribed Starter with an add-on before upgrading, during the billing month. 
+
+For example:
+
+<Message type="important">
+The example prices and limits used below are subject to change. You should always refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services) for the most up to date information.
+</Message>
+
+- From November 1-10 you are subscribed to the **Starter** plan and **WAF add-on** 
+- On November 11, you switch to the **Professional** plan.
+- You remain subscribed to the **Professional** plan for the rest of the month (ending November 30)
+
+There are 30 days in the month of November, and you spent 10 of them subscribed to the Starter plan with the WAF add-on. When you upgrade to the Professional plan, the WAF add-on was no longer applicable because WAF was automatically included in your subscription plan. Your November Edge Services billing, in terms of the WAF add-on, is therefore calculated as follows:
+
+`({Monthly price for WAF add-on} / 30 days) * 10 days` <br/>
+e.g. `(4 / 30) * 10 = 1.33`
+

pages/edge-services/reference-content/assets/scaleway-edge-services-waf-diag.webp

@@ -21,25 +21,75 @@ When enabled, WAF protects your Load Balancer backend from potential threats.
 
 It does so by evaluating each request to your Load Balancer origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
 
-For requests judged to be malicious, WAF can either block them from passing to your origin, or simply log them but allow them to pass, depending on the settings you choose.
+For requests judged to be malicious, WAF can either block them from passing to your origin (as shown in the diagram below), or simply log them but allow them to pass, depending on the settings you choose.
 
 You can set **exclusions**, so that certain requests are not evaluated by WAF and are allowed to pass directly to your Load Balancer origin. Exclusion filters are based on the request path and/or HTTP request type.
 
-TODO WAF diagram?
+<Lightbox src="scaleway-edge-services-waf-diag.webp" alt="A diagram shows how Edge Services WAF deals with three different types of HTTP request. A request meeting the criteria for WAF exclusion is passed directly to the Load Balancer origin. A benign request is first checked by the WAF rules, then allowed to pass to the Load Balancer origin. A malicious request is checked by the rules, and blocked from passing to the Load Balancer origin." />
 
 ## WAF in an Edge Services pipeline
 
 In an Edge Services pipeline, WAF sits before the origin stage. This means that WAF only protects your origin, it does not protect or filter requests towards the cache.
 
-TODO DIAGRAM
+<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
 
-## WAF ruleset and paranoia level
+If you have both WAF and cache enabled, requests that can be served by the cache will not go through WAF. Only requests that cannot be served by the cache will be filtered by WAF, and allowed to pass to the origin or not depending on your WAF configuration.
 
-When evaluating requests
+## WAF ruleset and paranoia levels
+
+Scaleway Edge Services WAF uses the [OWASP **C**ore **R**ule **S**et (CRS)](https://coreruleset.org/). This is an industry standard, open source ruleset for WAF, which protects against multiple categories of attack such as SQL injection and cross-site scripting. Full details are available in the [OWASP CRS documentation](https://coreruleset.org/docs/).
+
+**Paranoia level settings** are an integral part of the core ruleset. They dictate how aggressive the ruleset should be when judging whether a given request is malicious or not. The paranoia level is rated from 1 to 4, which each being more aggressive and more sensitive to potential threats than the last.
+
+The four levels are:
+
+- **1 - Minimal protection**: Basic security, suitable for environments with low sensitivity, prioritizing minimal false alerts.
+- **2 - Moderate protection**: Solid protection for environments dealing with real-world customer data.
+- **3 - Strong protection**: Banking-standard security, prioritizing safety but prone to frequent false alerts.
+- **4 - Maximum protection**: Hyper-paranoid rules, fit for protecting the most critical and sensitive assets.
+
+The higher the paranoia level, the more likely you are to have **false positives**. This is when WAF classes a request as malicious, when in fact it is not. 
+
+- At level 1, the ruleset is unlikely to trigger false positives, however it is also more likely to miss threats and aggressions and classify them as benign.
+
+- At level 4, the ruleset is so aggressive that it detects almost every possible attack, however it is also highly likely to trigger a significant number of false positives whereby a lot of legitimate traffic will be classes as malicious.
+
+|  | Level 1 | Level 2 | Level 3 | Level 4 |
+|---|---|---|---|---|
+| Number of threats detected | Lowest | Moderately Low | Moderately High | Highest |
+| Number of false positives | Lowest | Moderately Low | Moderately High | Highest |
+
+Choosing a paranoia level therefore means trading off **how hard it is for an attacker to go undetected** against **how much legitimate traffic is incorrectly classified as malicious**. This depends on your use case, and the sensitivity of the application and assets being protected by WAF.
+
+- Anyone running an HTTP server on the internet could benefit from level 1 protection.
+- If real user data is involved, consider level 2.
+- For online banking, consider level 3
+- For crown-jewel level assets, consider level 4.
+
+Find out more about paranoia levels in the [official OWASP CRS documentation](https://coreruleset.org/docs/2-how-crs-works/2-2-paranoia_levels/).
+
+Read on to find out how you can use **exclusions** to mitigate the effect of some false positives.
+
+## WAF exclusions
+
+WAF **exclusions** are filters that allow matching requests (based on **path** and/or **HTTP request type**) to bypass WAF entirely.
+
+You can set up to 100 exclusions after enabling WAF on a given pipeline.
+
+- **Path filter**: Define a regular expression to filter for in request paths, e.g. `/api/v1/.*`
+- **HTTP request filter**: Define one or more HTTP request types to filter requests for, e.g. `GET`, `DELETE`, `POST` etc.
+
+Each exclusion can consist of:
+
+- A path filter only, OR
+- An HTTP request filter only (which itself can filter for multiple request types on an `ANY` basis), OR
+- One path filter and one HTTP request filter. In this case, only requests matching **both** filters will be considered to meet the criteria for exclusion.
+
+TODO screenshot?
 
 ## WAF limitations
 
 - WAF is only compatible with Load Balancer origins. It cannot be enabled for Object Storage bucket origins.
 - WAF protects your origin only, and not your cache.
 - You can add a maximum of 100 WAF exclusions
-- 
+- You cannot currently specify exclusions at the individual rule level. Requests matching exclusion filters bypass WAF entirely.