The latest articles on DEV Community by Nino (@onin). https://dev.to/onin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F70111%2Fc5d2105f-0a49-4d40-94d4-4e2398c83900.jpeg https://dev.to/onin en Nino Tue, 24 Feb 2026 08:32:34 +0000 https://dev.to/onin/the-end-of-kubernetesingress-nginx-your-march-2026-migration-playbook-fhn https://dev.to/onin/the-end-of-kubernetesingress-nginx-your-march-2026-migration-playbook-fhn <p>In March 2026, the community-maintained <code>kubernetes/ingress-nginx</code> controller will reach End-of-Life (EOL). While your existing clusters will not break overnight and the core Kubernetes Ingress API remains fully supported, the controller's repository will become read-only. This means no new features and, critically, <strong>no future CVE patches</strong>. Engineering teams must plan their migrations now to avoid compounding security risks and compliance violations.</p> <p>It’s common to leave functioning infrastructure untouched, but running deprecated software in your cluster’s critical path introduces unnecessary risk. With a public and immovable deadline, engineering teams have a clear window to plan a structured migration rather than reacting hastily to a future vulnerability.</p> <h2> What’s Actually Happening with ingress-nginx March 2026 Retirement </h2> <p>Let’s be crystal clear on terminology, because confusion here is costing teams weeks.</p> <p><strong>The Kubernetes Ingress API resource remains GA, feature-frozen, and fully supported.</strong> Nothing changes there. What is retiring is the community-maintained ingress-nginx controller (<code>kubernetes/ingress-nginx</code>).</p> <p>From the official November 11, 2025 Kubernetes blog post by Tabitha Sable (Security Response Committee):</p> <blockquote> <p>“Best-effort maintenance will continue until March 2026. Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered. Existing deployments of Ingress NGINX will continue to function and installation artifacts will remain available.”</p> </blockquote> <p>The January 29, 2026 joint Steering + SRC statement by Kat Cosgrove made the urgency unmistakable:</p> <blockquote> <p>“In March 2026, Kubernetes will retire Ingress NGINX, a piece of critical infrastructure for about half of cloud native environments… Half of you will be affected. You have two months left to prepare… We cannot overstate the severity of this situation or the importance of beginning migration… immediately.”</p> </blockquote> <p>Post-March, the repositories move to the <code>kubernetes-retired</code> organization and become read-only. That’s the end of the road.</p> <p><strong>Note for managed Kubernetes users:</strong> Services like Azure AKS Application Routing or certain GKE ingress configurations have vendor-extended support until November 2026 for critical patches. Always check your cloud provider’s SLA before assuming you’re immediately exposed.</p> <h2> Why ingress-nginx EOL Is a Much Bigger Deal Than Most Teams Realize </h2> <ul> <li> <strong>Security &amp; Compliance:</strong> The CVE-2025–1974 vulnerability in March 2025 (an unauthenticated RCE via exposed admission webhooks) demonstrated the potential blast radius of controller flaws. After March 2026, the absence of patches means any newly discovered vulnerabilities will remain unmitigated.</li> <li> <strong>Audit Blockers:</strong> "EOL software in the L7 data path" triggers automatic findings in SOC 2, PCI-DSS, ISO 27001, and HIPAA. Compliance teams are already flagging this, blocking production promotions, and delaying customer deployments.</li> <li> <strong>Talent Attrition:</strong> The strongest SREs and platform engineers explicitly ask in interviews: <em>“What’s your long-term ingress strategy?”</em> No one wants to own an abandoned controller in 2027 while peers ship Gateway API features.</li> <li> <strong>Compounding Operational Debt:</strong> Every new service adds another Ingress object tied to dead code. Migration effort scales linearly with ingress count, but exponentially with annotation sprawl.</li> </ul> <h2> How to Check if You’re Affected </h2> <p>Run these commands today. Any positive result means you’re affected—and you need to start planning your replace project now.</p> <p><strong>Standard controller &amp; Helm detection:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Standard controller detection</span> kubectl get pods <span class="nt">--all-namespaces</span> <span class="nt">--selector</span> app.kubernetes.io/name<span class="o">=</span>ingress-nginx <span class="c"># Helm releases</span> helm list <span class="nt">-A</span> <span class="nt">--filter</span> ingress-nginx <span class="c"># Any deployment method</span> kubectl get deployments,daemonsets <span class="nt">--all-namespaces</span> <span class="nt">-l</span> app.kubernetes.io/name<span class="o">=</span>ingress-nginx </code></pre> </div> <p><strong>Checking for the IngressNightmare signature (CVE-2025–1974):</strong><br> Thousands of clusters still have this lingering signature. Check admission webhook TLS certs for <code>Issuer Organization = “nil1”</code>, <code>Subject Organization = “nil2”</code>, or DNS names containing <code>ingress-nginx-controller-admission</code> or <code>nginx</code>.</p> <p>One-liner inside the cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret <span class="nt">-n</span> ingress-nginx ingress-nginx-admission <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.tls\.crt}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> | openssl x509 <span class="nt">-text</span> <span class="nt">-noout</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"Issuer:|Subject:|DNS:"</span> </code></pre> </div> <p>External scanners (Censys, Shodan, etc.) still surface matches with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tls.certificate.parsed.issuer.organization:"nil1" AND tls.certificate.parsed.subject.organization:"nil2" AND tls.certificate.parsed.names:nginx </code></pre> </div> <p>Also inspect the webhook config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get validatingwebhookconfigurations ingress-nginx-admission <span class="nt">-o</span> yaml </code></pre> </div> <p>If you see any of the above, you now have a documented production risk with a hard deadline.</p> <h2> Migration Options Ranked by Realism for Production Teams (February 2026) </h2> <p>The ecosystem has shifted heavily toward the Gateway API. Here is a breakdown of the most viable targets based on your infrastructure and long-term strategy:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Option</th> <th>Migration Effort (1-5)</th> <th>Annotation Compatibility</th> <th>Gateway API Readiness</th> <th>Commercial Support</th> <th>Zero-Downtime Feasibility</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td>Gateway API (any implementation)</td> <td>4</td> <td>None (full translation)</td> <td>Native v1.2+</td> <td>Varies</td> <td>High (dual-run)</td> <td>Future-proof teams</td> </tr> <tr> <td>Traefik (nginx-ingress provider)</td> <td>1-2</td> <td>~80% of common nginx.*</td> <td>Full v1.4</td> <td>OSS + Enterprise</td> <td>Very high</td> <td>Brownfield with heavy annotations</td> </tr> <tr> <td>F5 / NGINX Inc Controller</td> <td>2-3</td> <td>High (official NGINX)</td> <td>Growing</td> <td>Strong (F5)</td> <td>High</td> <td>NGINX veterans</td> </tr> <tr> <td>Cilium (eBPF Gateway)</td> <td>3</td> <td>Low</td> <td>Native</td> <td>OSS + Enterprise</td> <td>High</td> <td>Existing Cilium users</td> </tr> <tr> <td>Envoy Gateway</td> <td>3-4</td> <td>Low</td> <td>Native</td> <td>OSS</td> <td>High</td> <td>Modern Envoy stacks</td> </tr> <tr> <td>HAProxy Ingress</td> <td>3</td> <td>Medium</td> <td>Partial</td> <td>OSS + Enterprise</td> <td>High</td> <td>HAProxy preference</td> </tr> <tr> <td>Kong</td> <td>3</td> <td>Medium</td> <td>Native</td> <td>OSS + Enterprise</td> <td>High</td> <td>API-gateway heavy workloads</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Special callout for brownfield teams:</strong> Traefik’s experimental <code>nginx-ingress</code> provider stands out as the brownfield hero. It reuses ~80% of your existing <code>nginx.ingress.kubernetes.io/*</code> annotations out of the box, letting you keep most of your Ingress objects unchanged while immediately getting full Gateway API underneath. In every migration I’ve seen with 50–300 ingresses, this cut the effort almost in half.</p> </blockquote> <p>As of February 2026, Gateway API v1.2+ is battle-tested. 2026 is actually the perfect time to migrate—the ecosystem has stabilized, the documentation is excellent, and the talent that already knows Gateway API is still rare and highly sought after.</p> <h2> Practical Migration Playbook (Zero-Fluff, Production-Tested) </h2> <ul> <li> <strong>Inventory (Day 1):</strong> Audit your current state. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get ingress <span class="nt">-A</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.metadata.annotations}{"\n"}{end}'</span> </code></pre> </div> <ul> <li> <strong>Convert automatically:</strong> Utilize translation tools to kickstart the process. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ingress2gateway print <span class="nt">--providers</span><span class="o">=</span>nginx <span class="nt">--input-file</span><span class="o">=</span>ingresses.yaml </code></pre> </div> <ul> <li> <strong>Deploy side-by-side:</strong> Deploy the new controller using a different <code>ingressClassName</code>.</li> <li> <strong>Validate rigorously:</strong> Reuse your existing test suite, utilize traffic shadowing/mirroring, and use <code>kubeconform</code> + custom Rego policies for annotation translation.</li> <li> <strong>Cutover safely (with a rollback path):</strong> Use Blue/green deployments via Gateway HTTPRoute weights. Isolate the blast radius by updating namespace-by-namespace. Define explicit rollback triggers (e.g., 5xx error rate &gt; 1% or latency &gt; 200ms) and pre-document the exact <code>kubectl apply</code> commands needed to instantly revert.</li> <li> <strong>Post-Cutover Observation:</strong> Maintain a 72-hour monitoring window to catch delayed edge cases like renewed cert-manager failures or long-lived connection drops.</li> </ul> <p><strong>Estimate timelines (Add a 20–30% buffer for true zero-downtime):</strong></p> <ul> <li>Small (&lt;50 services): 1–2 engineer-weeks</li> <li>Medium (50–200 services): 3–6 engineer-weeks</li> <li>Large (200+ ingresses, multi-cluster): 8–16 engineer-weeks</li> </ul> <h2> Common Pitfalls &amp; Real War Stories from the Field </h2> <ul> <li> <strong>Rewrite-target annotation hell:</strong> One team with 47 clusters spent 120 engineer-hours writing custom Traefik middleware to handle their old rewrite-target annotations before they could cut over.</li> <li> <strong>Default backend surprises:</strong> Three services 404’d on cutover because fallback behavior differs across controllers.</li> <li> <strong>cert-manager webhook cert rotation:</strong> The infamous <code>nil1/nil2</code> certs refused to rotate cleanly on one migration until we pinned the new controller’s policy.</li> <li> <strong>Legacy vs new ingressClassName:</strong> Old <code>kubernetes.io/ingress.class</code> annotations are silently ignored by modern controllers.</li> <li> <strong>Dual-controller TLS cert conflicts:</strong> Sporadic 503s occurred during cutover until we pinned the new controller’s admission secret rotation policy.</li> <li> <strong>Canary / auth / rate-limit sprawl:</strong> Teams that tried "weekend heroics" regretted it heavily.</li> </ul> <h2> 30-Day Action Checklist to Beat the March 2026 Deadline </h2> <p>Copy-paste this into your runbook—it’s the exact checklist I use with every client:</p> <ol> <li>Run audit commands and screenshot results today.</li> <li>Build a central inventory of every Ingress + annotation count.</li> <li>Spin up a PoC with your chosen replacement controller this week.</li> <li>Run <code>ingress2gateway</code> on a non-prod namespace.</li> <li>Complete staging dual-controller cutover by Day 15.</li> <li>Document every custom annotation and its replacement.</li> <li>Update runbooks, golden images, and CI pipelines.</li> <li>Brief security &amp; compliance with official Kubernetes quotes.</li> <li>Schedule a full dry-run cutover weekend.</li> <li>Reach out for help if blocked.</li> </ol> <h2> Final Word </h2> <p>The March 2026 deadline is firm. Teams that allocate time in their roadmaps now will transition smoothly to modern, fully supported networking architectures. Proactive planning ensures your team controls the timeline, rather than being forced into a rushed emergency swap later. By auditing early, utilizing tools like <code>ingress2gateway</code>, and performing an incremental dual-stack cutover, you can modernize your cluster routing safely and systematically.</p> <p><strong>About the Author: Nino Skopac</strong></p> <ul> <li>GitHub: <a href="https://github.com/NinoSkopac" rel="noopener noreferrer">@NinoSkopac</a> </li> <li>LinkedIn: <a href="https://www.linkedin.com/in/skopac/" rel="noopener noreferrer">Nino Skopac</a> </li> <li>X (Twitter): <a href="https://x.com/NinoSkopac" rel="noopener noreferrer">@NinoSkopac</a> </li> </ul> <p><em>Finally, let me leave you with this valuable resource from The Linux Foundation: <iframe src="https://www.youtube.com/embed/zIyX44efjLo"> </iframe> </em></p> kubernetes devops security sre Nino Sun, 22 Feb 2026 08:30:06 +0000 https://dev.to/onin/one-openclaw-gateway-multiple-isolated-ai-assistants-one-telegram-bot-per-worker-3k97 https://dev.to/onin/one-openclaw-gateway-multiple-isolated-ai-assistants-one-telegram-bot-per-worker-3k97 <h2> tldr; </h2> <p>Give every team member their own private AI employee on a single machine. Full isolation, zero extra servers, Telegram-only setup in minutes.</p> <h2> Abstract </h2> <p>Tired of spinning up separate servers or cloud instances for every AI assistant in your company? </p> <p><strong>OpenClaw</strong> lets you run <strong>dozens of completely separate, fully isolated agents</strong> on <strong>one single machine</strong> — and Telegram makes the UX feel magical.</p> <p>Each worker gets their own dedicated bot (<code>@AliceSalesClawBot</code>, <code>@BobSupportClawBot</code>, etc.). They chat privately with “their” AI, have their own memory, files, tools, and personality — and they never see anyone else’s stuff.</p> <p>Here’s exactly how I set it up.</p> <h3> Why this works so well </h3> <ul> <li>One Gateway process handles everything </li> <li>Each agent gets its own workspace folder (<code>~/.openclaw/agents/alice-sales/</code>) </li> <li>Separate <code>SOUL.md</code>, <code>AGENTS.md</code>, history, allowed tools, LLM keys, everything </li> <li>Telegram routing is dead simple and rock-solid </li> </ul> <p>From the worker’s perspective it’s just “my personal AI in Telegram”. They have no idea it’s all running on the same Mac Mini / VPS.</p> <h3> Step 1: Create one agent per worker </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openclaw agents add alice-sales openclaw agents add bob-support openclaw agents add carol-finance <span class="c"># ... one for every person</span> </code></pre> </div> <h3> Step 2: Create a Telegram bot for each agent </h3> <p>Talk to <a class="mentioned-user" href="https://dev.to/botfather">@botfather</a><br> /newbot → give it a clean name<br> Copy the token</p> <p>Do this once per worker.</p> <h3> Step 3: Configure everything in one file </h3> <p>Run openclaw configure or edit ~/.openclaw/openclaw.json directly.<br> Here’s a ready-to-paste example for a 3-person team:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"agents"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"list"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice-sales"</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"~/.openclaw/agents/alice-sales"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bob-support"</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"~/.openclaw/agents/bob-support"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"carol-finance"</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"~/.openclaw/agents/carol-finance"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"bindings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"agentId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice-sales"</span><span class="p">,</span><span class="w"> </span><span class="nl">"match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"channel"</span><span class="p">:</span><span class="w"> </span><span class="s2">"telegram"</span><span class="p">,</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"agentId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bob-support"</span><span class="p">,</span><span class="w"> </span><span class="nl">"match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"channel"</span><span class="p">:</span><span class="w"> </span><span class="s2">"telegram"</span><span class="p">,</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bob"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"agentId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"carol-finance"</span><span class="p">,</span><span class="w"> </span><span class="nl">"match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"channel"</span><span class="p">:</span><span class="w"> </span><span class="s2">"telegram"</span><span class="p">,</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"carol"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"channels"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"telegram"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"accounts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"alice"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"botToken"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7123456789:AAFxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dmPolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pairing"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"bob"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"botToken"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7987654321:AAFyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dmPolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pairing"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"carol"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"botToken"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7843210987:AAFzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dmPolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pairing"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Security tip (do this immediately): </h4> <p>After the worker sends their first message, change dmPolicy to "allowlist" and add their Telegram numeric ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"allowFrom"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"tg:1234567890"</span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>(Get the ID by having them message @userinfobot)</p> <h3> Step 4: Restart &amp; test </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openclaw gateway restart openclaw agents list <span class="nt">--bindings</span> </code></pre> </div> <p>Send each worker their bot link. Done.</p> <h2> What you get automatically </h2> <ul> <li>Full isolation (memory, files, tools, history)</li> <li>Different models or permissions per person (Claude for leadership, cheaper model for interns)</li> <li>Agents can still talk to each other internally when needed</li> <li>Works on anything: old Mac Mini, cheap VPS, even a Raspberry Pi with some tweaks</li> </ul> <h2> Official docs I used </h2> <ul> <li><a href="https://docs.openclaw.ai/concepts/multi-agent" rel="noopener noreferrer">Multi-Agent Routing</a></li> <li><a href="https://docs.openclaw.ai/channels/telegram" rel="noopener noreferrer">Telegram Channel Configuration</a></li> </ul> <h2> Security hardening </h2> <p>If you want tighter control over your Openclaw, consider installing via my open source Openclaw hardening kit: <a href="https://github.com/NinoSkopac/openclaw-secure-kit" rel="noopener noreferrer">https://github.com/NinoSkopac/openclaw-secure-kit</a></p> <p>It is a turnkey solution - secure-by-default OpenClaw, with a verifiable security report.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favxxmvmd7i99jub4h5qr.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favxxmvmd7i99jub4h5qr.jpg" alt="openclaw security kit security report" width="800" height="840"></a></p> openclaw agents telegram Nino Sun, 04 May 2025 15:11:20 +0000 https://dev.to/onin/how-to-use-playwright-mcp-with-a-proxy-3cpi https://dev.to/onin/how-to-use-playwright-mcp-with-a-proxy-3cpi <p>Playwright MCP (@playwright/mcp) provides a powerful way for developers to integrate Playwright-driven browser automation into LLM-driven workflows through the Model Context Protocol (MCP). Often, you'll need to use a proxy with your automation tasks—whether to access region-restricted content, secure internal networks, or for debugging purposes. This guide explains clearly how you can configure and run Playwright MCP with a proxy.</p> <h2> 🤔 What Exactly is Playwright MCP? </h2> <p>Before diving into the proxy setup, let's briefly discuss what MCP (Model Context Protocol) is:</p> <p>MCP is an open-source, HTTP-like protocol designed to standardize two-way communication between LLM-powered assistants and external tools like browsers, databases, APIs, CRMs, and messaging services. MCP defines discovery, request/response schemas, and robust security mechanisms to simplify integrations, allowing your AI-driven workflow to perform data fetching or trigger actions without building bespoke integrations from scratch.</p> <p>Playwright MCP integrates Playwright, a popular browser automation tool, into your MCP-based workflows—unlocking powerful browser automation capabilities directly within your LLM-driven applications.</p> <h2> 🔐 Why Use a Proxy with Playwright MCP? </h2> <p>You might want proxy integration for several reasons, such as:</p> <ul> <li>Accessing geo-specific content: Proxy servers enable IP-based geo-location changes.</li> <li>Security &amp; Privacy: Proxies can avoid exposing your real IP address.</li> <li>Debugging &amp; testing network scenarios: Simulate certain network constraints or behaviors through proxies.</li> <li>Security compliance: Certain enterprise setups require mandatory proxy usage.</li> <li>Setting up a proxy with Playwright MCP is straightforward—you just specify proxy options within the MCP's built-in configuration.</li> </ul> <h2> 🛠 Minimal Configuration: Use a Proxy with MCP </h2> <p>Below is a minimal config.json example for configuring MCP to use Playwright with a proxy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"browser"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"browserName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"chromium"</span><span class="p">,</span><span class="w"> </span><span class="nl">"launchOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"proxy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"server"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://random.instill.network:8080"</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pass"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"headless"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"server"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">8931</span><span class="p">,</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.0.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You can add this to your project and run MCP to use Playwright automation with your specified proxy setup.</p> <h2> ✅ Advanced Example (Full-Featured Configuration) </h2> <p>Here's a more elaborate example illustrating additional useful settings, like the ability to bypass proxies for certain sites (internal sites) and browser viewport fine-tuning:</p> <p>proxy-mcp.config.json<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"browser"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"launchOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"proxy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"server"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://random.instill.network:8080"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bypass"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*.internal.example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pass"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"headless"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"contextOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"viewport"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"width"</span><span class="p">:</span><span class="w"> </span><span class="mi">1280</span><span class="p">,</span><span class="w"> </span><span class="nl">"height"</span><span class="p">:</span><span class="w"> </span><span class="mi">720</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"server"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">8931</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"capabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"core"</span><span class="p">,</span><span class="w"> </span><span class="s2">"tabs"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pdf"</span><span class="p">,</span><span class="w"> </span><span class="s2">"wait"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 🏃 Running The MCP Server With Your Proxy Configuration </h2> <p>After creating your configuration file, simply start Playwright MCP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx @playwright/mcp@latest <span class="nt">--config</span><span class="o">=</span>proxy-mcp.config.json </code></pre> </div> <p>The MCP server will now use your defined proxy settings during all Playwright browser automation tasks—super convenient!</p> <h2> 🚀 Programmatic Usage (Node.js) </h2> <p>You might want to integrate MCP server proxy configuration directly into your Node.js workflow for custom integrations. Playwright MCP supports this seamlessly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">http</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">http</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/mcp</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SSEServerTransport</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@modelcontextprotocol/sdk/server/sse.js</span><span class="dl">'</span><span class="p">;</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">mcpServer</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createServer</span><span class="p">({</span> <span class="na">browser</span><span class="p">:</span> <span class="p">{</span> <span class="na">launchOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">proxy</span><span class="p">:</span> <span class="p">{</span> <span class="na">server</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://random.instill.network:8080</span><span class="dl">'</span><span class="p">,</span> <span class="na">bypass</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*.internal.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pass</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headless</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">contextOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">viewport</span><span class="p">:</span> <span class="p">{</span> <span class="na">width</span><span class="p">:</span> <span class="mi">1280</span><span class="p">,</span> <span class="na">height</span><span class="p">:</span> <span class="mi">720</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="na">server</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">8931</span> <span class="p">},</span> <span class="na">capabilities</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">core</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">tabs</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pdf</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">wait</span><span class="dl">'</span> <span class="p">]</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/messages</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">transport</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SSEServerTransport</span><span class="p">(</span><span class="dl">'</span><span class="s1">/messages</span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">);</span> <span class="nx">transport</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="nx">res</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">404</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">8931</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">🚀 MCP server running at http://0.0.0.0:8931</span><span class="dl">'</span><span class="p">));</span> <span class="p">})();</span> </code></pre> </div> <h2> 🧑‍💻 VSCode Integration Example (Optional) </h2> <p>If you're working directly within Visual Studio Code, you might find it handy to configure MCP integration directly through VSCode settings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">settings.json</span><span class="w"> </span><span class="err">snippet</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"playwright"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"playwright"</span><span class="p">,</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"@playwright/mcp@latest"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--config=proxy-mcp.config.json"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now, simply run or integrate MCP from within VSCode for convenient browser-fueled workflows.</p> <h2> 🌟 Wrapping Up &amp; Next Steps </h2> <p>Configuring Playwright MCP to use a proxy is simple and blends neatly into existing workflows. Utilize the provided examples to streamline your browser automation tasks with ease.</p> <h2> 🔥 Ready to Build Powerful AI-Powered Workflows? </h2> <p>Bring your ideas to life and supercharge your AI-driven workflows with Instill AI. Instill provides robust tooling for AI integration, allowing you to seamlessly orchestrate automation tasks, interact with LLM-powered agents, and build next-gen AI infrastructure.</p> <p>🚀 <a href="https://instill.network/" rel="noopener noreferrer">Explore Instill Network →</a></p> playwright automation mcp proxy