On this page
wildwindstudio.com EdgeOne (EO) Operations Manual
Site zone: wildwindstudio.com =
zone-31ojren22baa(Tencent Cloud EO, Personal plan, dnsPodAccess integration, DNS records managed in DNSPod) Covers two types of operations: ① Reverse proxy backend API domain into EO; ② Host frontend static site using a COS bucket + EO.
0. Credential Map (Sanitized)
| Credential | Usage | Storage Location |
|---|---|---|
Primary Account Key (appid 1258895932, labeled tencent_sms) | Manages EO / DNSPod / COS / CAM; used for all management operations in this manual | Project resflow/config.toml under [tencent_sms] (do not commit to repo) |
| tencent_email Key | Another account (appid 1392608203), unrelated to this zone | Same [tencent_email] section |
| Frontend Upload Credential | CAM Sub-user cos_op (Uin 100049168554), for frontend coscli uploads + EO cache purging | Held on the frontend side; policy see §4 |
| CLB Origin Certificate (certbot) | Certificate for the EO→CLB origin fetch segment | bj-middleware-1, see another manual "wildwindstudio.com Certificate Auto-Renewal" |
⚠️
tcclicalls toteofor write operations must include--endpoint teo.tencentcloudapi.com, otherwise it defaults to the international siteteo.intl.tencentcloudapi.comcausing connection timeouts. ⚠️tcclidoes not have a cos service, and the machine lacks coscli/SDK; COS operations use hand-written HMAC-SHA1 signatures + pythonrequeststo directly call the XML API (script see §5).
Set management credentials to environment variables (subsequent commands assume they are exported):
# Read from config.toml's [tencent_sms] to avoid pasting plaintext
1. Scenario A: Reverse Proxy Backend API Domain into EO
Using cn-reserve-api.wildwindstudio.com as an example (origin fetch to Tencent Cloud CLB).
Steps (Order: Create origin fetch + certificate first, wait for certificate to be deployed before switching DNS, to avoid 5xx downtime):
ZONE=zone-31ojren22baa
DOMAIN=cn-reserve-api.wildwindstudio.com
CLB=lb-mm70ra69-ihl1vfoqucp93sma.clb.bj-tencentclb.com
# ① Create acceleration domain (IP_DOMAIN origin fetch to CLB, Force HTTPS:443; CLB's 80 is a forced 302 redirect, do not origin fetch to 80)
# Returns OwnershipVerification=null, meaning no ownership verification is required (subdomain inherits from zone)
# ② Enable edge free certificate (EO auto-signs + auto-renews)
# Poll until certStatus=deployed (approx. 4~10 minutes)
|
# ③ After certificate is deployed, change the DNSPod record for this domain to point to the EO entry <domain>.eo.dnse1.com
# —— Find RecordId then use ModifyRecord (only change this one record)
Verification (Pre-check using EO edge IP before switching DNS):
IP=
Protection: When new hosts have no independent domain-level policy, it falls back to the site-level ZoneDefaultPolicy (CC adaptive rate limiting on/Loose/Challenge + Managed WAF on/DetectionOnly). This is basic protection, no fine-grained rate limiting configured. View:
tccli teo DescribeSecurityPolicy ... --Entity ZoneDefaultPolicy.
Note: The CC action is JSChallenge; non-browser clients (e.g., game clients connecting directly to the API) cannot solve the challenge; under Loose mode, it only triggers in extreme anomalies, which is acceptable.
2. Scenario B: COS Static Frontend + EO Hosting
Using cn-reservation.wildwindstudio.com as an example, bucket cn-reservation-webui-1258895932 (ap-nanjing). Refer to bucket game-reserve-webui-1258895932 (ap-tokyo, reservation site).
Steps:
# ① Create bucket (public read) + ② Enable static website (index.html + AutoAddressing)
# —— Use §5's cos_admin.py (hand-written signature), or console operation
# ③ EO Create acceleration domain (COS origin fetch; when OriginType=COS, [cannot] pass HostHeader, EO fills it automatically)
ZONE=zone-31ojren22baa
WEP=cn-reservation-webui-1258895932.cos-website.ap-nanjing.myqcloud.com
# ④ Enable edge certificate (same as Scenario A ②)
# ⑤ DNS: New subdomain uses CreateRecord (do not touch any existing records)
Verification (Empty bucket origin fetch should return COS 404, proving the chain works; once index.html is uploaded, it returns 200):
DOM=cn-reservation.wildwindstudio.com
IP=
| |
# subject=CN=<domain> means edge certificate is deployed (if not deployed, it first serves *.cdn.myqcloud.com default certificate, TLS handshake fails)
3. Frontend Deployment (coscli Upload + EO Cache Purge)
Frontend pair (one set per site, just change bucket / change purge target domain):
coscli Configuration (cn-reservation-coscli.yaml):
cos:
base:
secretid: <cos_op's SecretId, sanitized>
secretkey: <cos_op's SecretKey, sanitized>
sessiontoken: ""
protocol: https
buckets:
- name: cn-reservation-webui-1258895932 # Change to new bucket
alias: website
region: ap-nanjing # Change region
endpoint: cos.ap-nanjing.myqcloud.com # Change endpoint
ofs: false
Cache Purge Script (TC3 signature calls teo CreatePurgeTask, only change Targets domain for new sites):
# Change Targets in payload to target domain:
# {"ZoneId":"*","Type":"purge_host","Targets":["cn-reservation.wildwindstudio.com"]}
Release process: coscli sync <build artifact directory> cos://website/ -c cn-reservation-coscli.yaml → Run cache purge script.
4. Frontend Upload Credential CAM Authorization (Required for New Buckets)
The permissions for the frontend sub-user cos_op are controlled by a single custom policy cos_full_permission (PolicyId 274095472).
For every new bucket added, you must add the new bucket resource to the cos:* statement of this policy, otherwise coscli upload will report 403 AccessDenied.
(teo:CreatePurgeTask is already authorized for *, no need to modify for purging any domain.)
# Read current policy
# Update (keep old bucket resources, append new bucket resources; resource format qcs::cos:<region>:uid/<appid>:<bucket-appid>/*)
Locate sub-user:
cam ListUsers→ Match AK against candidatecam ListAccessKeys --TargetUin <uin>→cam ListAttachedUserPolicies --TargetUin <uin>to find policy.
5. Appendix: COS Management Script (Hand-written Signature, No coscli Needed)
When coscli/SDK is not available on the machine, use python requests + COS HMAC-SHA1 signature to directly call the XML API. Core signature function:
= or ; = or
=; =f
=
=; =
=
=f
=f
=
return
- GET Service (List all buckets): host
service.cos.myqcloud.com, GET/ - PUT Bucket + Public Read: host
<bucket>.cos.<region>.myqcloud.com, PUT/, sign withx-cos-acl: public-read - PUT Static Website: PUT
/?website, body see below, requirescontent-md5(base64(md5(body))) +content-type: application/xml - Verify: GET
/?acl, GET/?website
Static Website Body (consistent with reference bucket):
index.html
Enabled
6. Common Pitfalls Quick Reference
| Symptom | Cause / Handling |
|---|---|
teo.intl... timed out | tccli teo write operation missing --endpoint teo.tencentcloudapi.com |
UnSupportChangeHostHeaderWithThisOriginType | Cannot pass HostHeader when OriginType=COS, remove it (EO fills it automatically) |
TLS handshake failure after DNS switch, HTTP 000 | Edge certificate not deployed yet, edge first serves *.cdn.myqcloud.com; wait for certStatus=deployed and edge subject=own domain (minutes to tens of minutes) |
coscli upload 403 AccessDenied | cos_op policy missing bucket resource, see §4 |
DomainStatus long process | EO acceleration domain provisioning in progress, does not affect deployed certificate functionality; will automatically flip to online |
DescribeDnsRecords(teo) returns 0 records | dnsPodAccess mode DNS records are in DNSPod, use dnspod DescribeRecordList to query |
Appendix: Existing Acceleration Domains in This Zone
| Domain | Origin Fetch | Usage |
|---|---|---|
| cn-reserve-api.wildwindstudio.com | CLB lb-mm70ra69 (HTTPS:443) | CN Backend API |
| cn-reservation.wildwindstudio.com | COS cn-reservation-webui (ap-nanjing) | CN Reservation Frontend |
| reservation / meltdown / www | COS Static Buckets | JP/Official Website Frontend |