BandwagonHost CN2 GIA & Komari: A Lightweight Go Probe Presenting the Art of Top-Tier Networking
BandwagonHost's CN2 GIA routing is arguably the network ceiling of the VPS world. Its top-tier direct connection across all three major networks not only brings amazingly stable, low latency but also maintains a mythical 0 packet loss around the clock, even during evening peak hours. Such a silky-smooth and pure network experience would be an absolute waste if not thoroughly visualized with an excellent modern monitoring dashboard!
To live up to such top-tier routing from BandwagonHost, we need an equally ultimate probe. Today's protagonist, Komari, was born for this exact purpose.
Why Choose Komari?

The market is full of server monitoring panels, but Komari stands out with its unique architecture:
- Built with Go: Komari's controller and agent are both written in Go. Its inherent high-concurrency advantages and excellent memory management allow it to easily handle concurrent connections with extremely low system resource consumption.
- Elegant Controller + Agent Architecture: The controller dashboard is responsible for node management and data presentation, while the lightweight Agent collects system metrics and reports data via persistent WebSocket connections. This design avoids the massive request overhead generated by traditional polling-based monitoring, maintaining high real-time performance and extremely low resource usage even in low-bandwidth VPS environments.
- Extreme Lightweight & Minimalism: Monitoring tools themselves shouldn't be a burden on the server. Komari has no bloated dependency libraries; for the extremely precious BandwagonHost server resources, running it is almost "zero-perception".
This article walks step by step through the basic deployment of Komari, an advanced secure reverse proxy configuration, and multi-node Agent integration.
Step 1: Basic Installation - Deploying Komari Controller
Whether you are working on Windows during the day or using the macOS terminal, please SSH into your BandwagonHost server first. To ensure environmental isolation and ease of future troubleshooting, we will deploy using Docker Compose.
1. Create Project Directory Structure
```bash
mkdir -p /opt/komari && cd /opt/komari
```
2. Write the Docker Compose Configuration
Create and edit the Docker Compose configuration file:
```bash
nano docker-compose.yml
```
Write the following content (note the security hardening of port mapping and version control):
```yaml
version: '3.8'
services:
  komari:
    # For production, it's recommended to replace 'latest' with a specific release version to ensure system stability
    image: ghcr.io/komari-monitor/komari:latest
    container_name: komari
    restart: unless-stopped
    ports:
      # Publish the panel on the loopback address only; Caddy (Step 2) is the public entry point
      - "127.0.0.1:25774:25774"
    volumes:
      # Persist panel settings and node information outside the container
      - ./data:/app/data
```
- 🔍 Debugging & Security Analysis Logic
  - Why map `/app/data`? The panel settings and node information are physically stored in this directory. If it is not mapped, all configuration data will be lost once the container is recreated or destroyed.
  - Security Hardening `127.0.0.1`: Publishing the port on the local loopback address `127.0.0.1` keeps port 25774 off the server's public interfaces, so bulk scanners and anyone holding a 0-day exploit cannot reach the Komari port directly. All outside access has to come through the reverse proxy configured in Step 2.
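One way to confirm the loopback hardening after deployment, as an added example that is not part of the original article or the Komari project: it parses the text printed by `docker port komari` and reports every binding that is not on a loopback address. The sample output is constructed, and the function name `exposed_bindings` is hypothetical.

```python
import ipaddress

# Constructed `docker port <container>` output: one hardened mapping, two exposed ones
SAMPLE_DOCKER_PORT = """\
25774/tcp -> 127.0.0.1:25774
8080/tcp -> 0.0.0.0:8080
8080/tcp -> [::]:8080
"""


def exposed_bindings(docker_port_output):
    """Return (container_port, host_ip, host_port) for each binding not on loopback."""
    exposed = []
    for line in docker_port_output.splitlines():
        if "->" not in line:
            continue  # skip blank or unrelated lines
        container_port, host = (part.strip() for part in line.split("->", 1))
        # Split on the last colon so bracketed IPv6 addresses stay intact
        host_ip, _, host_port = host.rpartition(":")
        host_ip = host_ip.strip("[]")
        try:
            loopback = ipaddress.ip_address(host_ip).is_loopback
        except ValueError:
            loopback = False  # unparseable address: report it rather than trust it
        if not loopback:
            exposed.append((container_port, host_ip, int(host_port)))
    return exposed


if __name__ == "__main__":
    for binding in exposed_bindings(SAMPLE_DOCKER_PORT):
        print("publicly bound:", binding)
```

On the server, pass it the real output of `docker port komari`; an empty result means the panel port is reachable only from the host itself.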
3. Start the Service
```bash
docker compose up -d
```
After starting, run `docker logs komari` to view the initial admin account and password automatically generated by the system.
Step 2: Advanced Configuration - Detailed Caddy Reverse Proxy & HTTPS
On the frontend, we will use Caddy to request a free certificate and set up a reverse proxy to forward secure HTTPS traffic to the internal Komari service.
1. Edit the Caddyfile
Open your Caddy config file (usually located at `/etc/caddy/Caddyfile`):
```bash
nano /etc/caddy/Caddyfile
```
Write the following configuration (please replace `status.yourdomain.com` with your real domain name):
```caddyfile
status.yourdomain.com {
    # Enable modern TLS protocols
    tls {
        protocols tls1.2 tls1.3
    }

    # Reverse proxy to the Komari port on the local loopback address
    reverse_proxy localhost:25774 {
        # Pass real visitor IP and protocol.
        # {remote_host} is the client IP without the port; {remote} would send "IP:port".
        # Caddy v2 already forwards Host and sets X-Forwarded-For / X-Forwarded-Proto by default.
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }

    # Enable compression to speed up dashboard loading
    encode gzip zstd

    # Modern and rigorous security response headers setup
    header {
        # Note: 'preload' is omitted here; it is only recommended if you plan to submit the domain to the browser HSTS preload list
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
    }

    # Detailed access logging to provide clear data support for future debugging
    log {
        output file /var/log/caddy/komari_access.log {
            roll_size 100mb
            roll_keep 5
        }
        format json
    }
}
```
- 🔍 Debugging & Troubleshooting Logic
  - WebSocket Disconnection & Cloudflare Pitfalls: Komari relies heavily on WebSocket for real-time data push (Caddy v2 supports WebSocket forwarding natively by default). If the panel freezes and stops refreshing, check the link first. If you have put Cloudflare in front, make sure that: 1. the "WebSockets" option is enabled in Network settings; 2. the SSL/TLS encryption mode is set to "Full" or "Full (Strict)", otherwise you will get redirect loops or handshake failures.
  - Log Analysis Troubleshooting: We specifically configured `/var/log/caddy/komari_access.log`. If a 502 error occurs after configuration, do not guess blindly; use `tail -f /var/log/caddy/komari_access.log` to follow the log and pinpoint the issue by analyzing HTTP status codes and Upstream errors.
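The status-code triage described above, as an added example that is not part of the original article or the Caddy or Komari projects: it reads the JSON access log, counts statuses, lists which URIs returned 502, and flags WebSocket handshakes that ended in an error. The sample lines are constructed, the function names are hypothetical, and the fields `request.uri`, `request.remote_ip`, `request.headers` and `status` follow Caddy's JSON access-log layout.

```python
import json
from collections import Counter

# Constructed sample in the shape of Caddy's JSON access log (not real traffic);
# the last line is cut short on purpose, as can happen around log rotation
SAMPLE_LOG = """\
{"ts":1700000000.1,"request":{"remote_ip":"203.0.113.7","method":"GET","uri":"/","headers":{"User-Agent":["Mozilla/5.0"]}},"status":200}
{"ts":1700000001.5,"request":{"remote_ip":"198.51.100.23","method":"GET","uri":"/api/v1/ws","headers":{"Connection":["Upgrade"],"Upgrade":["websocket"]}},"status":502}
{"ts":1700000002.9,"request":{"remote_ip":"203.0.113.7","method":"GET","uri":"/","headers":{}},"status":502}
{"ts":1700000060.0,"request":{"remote_ip":"198.51.100.23","method":"GET","uri":"/api/v1/ws","headers":{"Connection":["Upgrade"],"Upgrade":["websocket"]}},"status":101}
{"ts":1700000061.0,"request":{"remote_ip":"203.0.1
"""


def parse_entries(text):
    """Yield access-log entries, skipping blank, truncated or non-JSON lines."""
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and "status" in entry:
            yield entry


def is_websocket(entry):
    """True when the request asked for a WebSocket upgrade."""
    headers = entry.get("request", {}).get("headers", {})
    return any(name.lower() == "upgrade" and "websocket" in (v.lower() for v in values)
               for name, values in headers.items())


def triage(text):
    """Summarise statuses, 502s per URI, and WebSocket handshakes that failed."""
    statuses, bad_gateway, failed_ws = Counter(), Counter(), []
    for entry in parse_entries(text):
        status, req = entry["status"], entry.get("request", {})
        statuses[status] += 1
        if status == 502:  # Caddy could not get a response from the upstream
            bad_gateway[req.get("uri", "?")] += 1
        if is_websocket(entry) and status >= 400:
            failed_ws.append((req.get("remote_ip", "?"), req.get("uri", "?"), status))
    return {"statuses": dict(statuses), "bad_gateway": dict(bad_gateway), "failed_ws": failed_ws}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

A 502 on every URI points at the Komari container or its port mapping, while errors only on the WebSocket path point at the proxy chain in front of Caddy.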
2. Reload Caddy to Apply
```bash
caddy reload --config /etc/caddy/Caddyfile
```
Step 3: Multi-Node Agent Integration Practice
With the controller stable as a mountain, we can now integrate your other VPS nodes into the dashboard for unified management.
1. Get Connection Parameters from Controller
Log into your Komari dashboard backend and click "Add Node". The system will generate a dedicated Agent connection command containing your API Address and the corresponding node's Secret Key.
2. Install Agent on the Managed Node
Log into the server you want to monitor via SSH. To keep the system clean, we still recommend running the Agent using Docker:
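```bash
# Use the -api address and -secret value from the command your panel generated;
# the -secret value below is a placeholder for your node's own Secret Key
docker run -d \
  --name komari-agent \
  --restart unless-stopped \
  --net=host \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /:/rootfs:ro \
  ghcr.io/komari-monitor/komari-agent:latest \
  -api "wss://status.yourdomain.com/api/v1/ws" \
  -secret "你的节点专属SecretKey"
```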
- 🔍 Debugging & Analysis Logic
  - Parameter Parsing `net=host` and Directory Mapping: The Agent needs to read the host's real network traffic, CPU, and memory information, so it must use `--net=host` to share the host's network namespace and map the host's `/proc` and `/sys` into the container in read-only (`ro`) mode. The command above also mounts the host's `/` at `/rootfs` read-only, which lets the Agent container read the entire host filesystem.
  - Protocol Check: Ensure the `-api` parameter uses `wss://` (WebSocket Secure), since our controller is configured with strict HTTPS. If it is filled in as `ws://`, the connection will be rejected by Caddy.
Mission accomplished! Now, you can sit in front of the screen, watch the green heartbeat lines of all your servers, and enjoy the ultimate thrill of having your data under your own control.
Advanced Exploration & Security Extension
Komari actually has many more powerful advanced features waiting for you to discover. For instance, you can configure a Telegram Bot to receive real-time push notifications for server expiration renewals, traffic warnings, high system load, and abnormal latency (we recommend getting speed test node IPs from zstaticcdn.com). Additionally, the dashboard supports highly customizable aesthetic themes. Due to space constraints, we won't expand on these advanced configurations here. It is highly recommended to search for `komari` on GitHub or visit the official documentation (https://komari-document.pages.dev/) to explore and learn on your own.
Finally, although BandwagonHost's routing is excellent, the public internet environment is perilous. To prevent potential DDoS attacks or port sniffing, you can further research how to put your dashboard or website behind the "Cyber Bodhisattva" Cloudflare's Proxy (CDN) or even configure the much safer Cloudflare Tunnel. These are required courses for advanced VPS players. We look forward to you looking up relevant materials and continuing to light up your network security skill tree!
Created by AlexLynn for md5.pw Community.