Edge Services WAF is currently in Public Beta.
How to configure Edge Services Web Application Firewall
An Edge Services Web Application Firewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the paranoia level to be used when evaluating requests, and set exclusions to define traffic that shouldn’t be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose.
This page walks you through the process of enabling and configuring WAF to protect your Load Balancer origin.
To read more about how WAF works, try our Understanding WAF page.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An Edge Services pipeline for a Load Balancer origin
How to enable and configure WAF
1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to enable WAF.
2. In the Web Application Firewall (WAF) panel, click Enable WAF.
   A pop-up displays.
3. Choose the paranoia level, from 1 to 4, that is best adapted to your use case. The higher the paranoia level, the more sensitive WAF is to potential threats, and the more likely it is to classify a request as malicious. For help with choosing a paranoia level, see our dedicated documentation.
   Tip: After enabling WAF, you will be able to set exclusions that filter out requests matching certain criteria from being evaluated by WAF.
4. Select a WAF mode. Requests judged to be malicious can either be blocked and prevented from passing to the Load Balancer origin, or logged but allowed to pass.
5. Click Save.
   WAF is enabled and you are returned to your Edge Services pipeline overview. You can disable or edit WAF settings at any time.
How to set exclusions
Once you have enabled WAF, you can choose to set exclusions. Exclusions are a set of filters: requests that match the filters are not evaluated by WAF, and pass directly to your Load Balancer origin.
1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to set WAF exclusions.
2. In the WAF panel, click + Add exclusions. WAF goes into Edit mode.
   Note: You can only add exclusions after you have already enabled WAF.
   The exclusion screen displays.
3. Set up to two filters for this exclusion. You can add either:
   - One Path regex filter, to match paths of requests to exclude. For example, /api/v1/.*
   - One HTTP method filter, to match the HTTP methods of requests to exclude. For example, enter one or more of GET, PATCH, PUT, DELETE etc. Requests that match any of these methods will be considered to match the HTTP method filter.
   - One of each of the above (use the Add filter button to add the second filter)
   If you include both a path regex and an HTTP method filter in the same exclusion, requests must match both of the filters in order to be excluded.
   Currently, the only action possible to set for matching requests is Bypass WAF (matching requests will not be evaluated by WAF and will proceed directly to the Load Balancer origin). In the future, more actions will be added.
4. Click Add to add the exclusion.
   You are returned to your Edge Services pipeline overview.
5. Optional: Click Add exclusions to add more exclusions, if you wish (maximum 100). Follow steps 3 to 4 each time.
6. Click Save changes to exit Edit mode and save all the exclusions you added.
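The filter rules described in step 3 can be modelled offline to see which requests a planned set of exclusions would let bypass WAF before you save it. This is an added example, not Scaleway code: the Exclusion class, the sample exclusions and requests, whole-path regex matching, and "any one matching exclusion is enough" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Exclusion:
    """One exclusion: at most one path regex and one HTTP method filter."""
    path_regex: Optional[str] = None
    methods: frozenset = frozenset()

    def matches(self, method: str, path: str) -> bool:
        if self.path_regex is None and not self.methods:
            return False  # an exclusion with no filter excludes nothing
        # Assumption: the regex must match the whole path (anchoring is not
        # stated on the page); use re.search to model unanchored matching.
        if self.path_regex is not None and not re.fullmatch(self.path_regex, path):
            return False
        # Any one of the listed methods satisfies the method filter.
        if self.methods and method.upper() not in self.methods:
            return False
        return True  # every filter present in this exclusion matched

def bypasses_waf(exclusions, method, path):
    """Return the index of the first matching exclusion, or None.
    Assumption: a request is excluded as soon as any exclusion matches."""
    for i, exc in enumerate(exclusions):
        if exc.matches(method, path):
            return i
    return None

# Constructed exclusions and sample requests (hypothetical, not from the page).
EXCLUSIONS = [
    Exclusion(path_regex=r"/api/v1/.*", methods=frozenset({"GET"})),
    Exclusion(path_regex=r"/healthz"),               # path only: all methods bypass
    Exclusion(methods=frozenset({"PUT", "PATCH"})),  # method only: all paths bypass
]
REQUESTS = [("GET", "/api/v1/users"), ("POST", "/api/v1/users"),
            ("DELETE", "/healthz"), ("PUT", "/admin/settings"), ("GET", "/login")]

def audit(exclusions=EXCLUSIONS, requests=REQUESTS):
    """Map each request to the exclusion index it hits (None = evaluated by WAF)."""
    return {(m, p): bypasses_waf(exclusions, m, p) for m, p in requests}

if __name__ == "__main__":
    for (m, p), hit in audit().items():
        verdict = "evaluated by WAF" if hit is None else "bypasses WAF via exclusion %d" % hit
        print(f"{m:6} {p:18} {verdict}")
```

The third exclusion shows why a method-only filter deserves review: it lets PUT /admin/settings reach the origin without evaluation.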
How to edit exclusions
1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to edit WAF exclusions.
2. In the WAF panel, click «Edit Icon» next to the exclusion you want to edit.
3. Make edits to the filters as required. Remember, you cannot add more than one filter of each type (maximum of one path regex and one HTTP method filter per exclusion).
4. Click Confirm when you have finished editing.
   You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
5. Continue to edit or delete other exclusions as necessary.
6. Click Save changes to exit Edit mode and save all your changes.
How to delete exclusions
1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to delete WAF exclusions.
2. In the WAF panel, click «Delete Icon» next to the exclusion you want to delete.
   WAF goes into Edit mode, and a pop-up displays, asking you to confirm the deletion.
3. Click Delete.
   You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
4. Continue to edit or delete other exclusions as necessary.
5. Click Save changes to exit Edit mode and save all your changes and deletions.
How to edit WAF configuration
You can edit WAF’s paranoia level and mode (log or block) at any time.
1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to edit WAF.
2. In the WAF panel, click «Edit Icon».
3. Edit the paranoia level and mode as required.
4. Click Save.
   Your edits are saved, and you are returned to the Edge Services pipeline dashboard.
How to disable WAF
You can disable WAF at any time.
1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to disable WAF.
2. In the WAF panel, click Disable WAF.
   A pop-up displays, informing you that WAF will no longer evaluate, block or log requests to your Load Balancer origin.
3. Click Disable to confirm.
   WAF is disabled and you are returned to your Edge Services pipeline overview.