Redpanda is a Kafka-API-compatible streaming platform written in C++ with no JVM and no ZooKeeper. This guide installs Redpanda on Ubuntu 24.04, secures it with a Let's Encrypt certificate and SASL/SCRAM authentication, tunes the kernel for production, verifies with a producer/consumer test, and exposes Redpanda Console behind Nginx basic auth. By the end, you'll have a secured, production-tuned single-node Redpanda cluster with a web console.
Prerequisite: Ubuntu 24.04 server sized per Redpanda's CPU/memory requirements, non-root sudo user, and a domain A record (e.g.
redpanda.example.com).
Install Redpanda
$ sudo apt update
$ curl -1sLf 'https://dl.redpanda.com/nzc4ZYQK3WRGd9sy/redpanda/cfg/setup/bash.deb.sh' | sudo -E bash
Warning: Only run vendor setup scripts you trust — piped
curl | sudo bashruns with root privileges.
$ sudo apt install redpanda -y
$ rpk --version
Open the Firewall
| Port | Service | Purpose |
|---|---|---|
| 9092 | Kafka API | Producer/consumer traffic |
| 8082 | Pandaproxy (HTTP) | REST access for non-Kafka clients |
| 8081 | Schema Registry | Avro/Protobuf schema versioning |
| 9644 | Admin API | Monitoring, config, health checks |
| 33145 | Internal RPC | Inter-node communication |
$ sudo ufw allow 9092,8082,8081,9644,33145/tcp
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw reload
Issue a Let's Encrypt Certificate
Redpanda ships with plaintext networking by default, fine for a lab, not for anything else.
$ sudo apt install certbot -y
$ DOMAIN=redpanda.example.com
$ EMAIL=admin@example.com
$ sudo certbot certonly --standalone -d $DOMAIN --non-interactive --email $EMAIL
Certbot stores certs under /etc/letsencrypt/live, readable only by root. Redpanda runs as its own redpanda user, so copy the certs into a dedicated directory:
$ sudo mkdir /etc/redpanda/certs
$ sudo cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/redpanda/certs/node.crt
$ sudo cp /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/redpanda/certs/node.key
$ sudo cp /etc/letsencrypt/live/$DOMAIN/chain.pem /etc/redpanda/certs/ca.crt
$ sudo chown -R redpanda:redpanda /etc/redpanda/certs/
$ sudo chmod 400 /etc/redpanda/certs/node.key
$ sudo chmod 444 /etc/redpanda/certs/node.crt /etc/redpanda/certs/ca.crt
Automate renewal — Let's Encrypt certs expire every 90 days, so wire a deploy hook that refreshes Redpanda's copies and restarts the service:
$ sudo nano /etc/letsencrypt/renewal-hooks/deploy/redpanda-renewal.sh
#!/bin/bash
DOMAIN="redpanda.example.com"
cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/redpanda/certs/node.crt
cp /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/redpanda/certs/node.key
cp /etc/letsencrypt/live/$DOMAIN/chain.pem /etc/redpanda/certs/ca.crt
chown -R redpanda:redpanda /etc/redpanda/certs/
chmod 400 /etc/redpanda/certs/node.key
chmod 444 /etc/redpanda/certs/node.crt /etc/redpanda/certs/ca.crt
systemctl restart redpanda
$ sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/redpanda-renewal.sh
$ sudo certbot renew --dry-run
Tune for Production
$ sudo rpk redpanda mode production
$ sudo rpk redpanda tune all
$ sudo systemctl start redpanda-tuner
tune all optimizes I/O schedulers and CPU settings, takes ~30 seconds. The tuner service reapplies these on every reboot since kernel tuning doesn't persist otherwise.
Bootstrap Authentication
Set security policy before the first startup so it's enforced from the very first boot.
$ sudo nano /etc/redpanda/.bootstrap.yaml
enable_sasl: true
admin_api_require_auth: true
superusers:
- admin
Note: This file is only read on first startup. Later changes go through the Admin API or
rpk cluster config.
Set the superuser's password:
$ echo "RP_BOOTSTRAP_USER=admin:STRONG_PASSWORD:SCRAM-SHA-256" | sudo tee -a /etc/default/redpanda
Configure the Node
$ sudo cp /etc/redpanda/redpanda.yaml /etc/redpanda/redpanda-backup.yaml
$ sudo nano /etc/redpanda/redpanda.yaml
Replace the contents (swap redpanda.example.com for your domain):
redpanda:
data_directory: /var/lib/redpanda/data
seed_servers: []
rpc_server:
address: 0.0.0.0
port: 33145
advertised_rpc_api:
address: redpanda.example.com
port: 33145
kafka_api:
- name: tls_listener
address: 0.0.0.0
port: 9092
authentication_method: sasl
advertised_kafka_api:
- name: tls_listener
address: redpanda.example.com
port: 9092
kafka_api_tls:
- name: tls_listener
key_file: /etc/redpanda/certs/node.key
cert_file: /etc/redpanda/certs/node.crt
truststore_file: /etc/redpanda/certs/ca.crt
enabled: true
require_client_auth: false
admin:
- address: 0.0.0.0
port: 9644
admin_api_tls:
- enabled: true
key_file: /etc/redpanda/certs/node.key
cert_file: /etc/redpanda/certs/node.crt
truststore_file: /etc/redpanda/certs/ca.crt
rpk:
tune_network: true
tune_disk_scheduler: true
tune_disk_nomerges: true
tune_disk_write_cache: true
tune_disk_irq: true
tune_cpu: true
tune_aio_events: true
tune_clocksource: true
tune_swappiness: true
coredump_dir: /var/lib/redpanda/coredump
tune_ballast_file: true
This enables SASL-over-TLS on the Kafka API (9092), TLS on the Admin API (9644), advertises both under your public domain, and applies the full rpk tuning profile.
$ sudo systemctl start redpanda
$ sudo systemctl status redpanda
Create an rpk Profile
Run rpk as your regular user (not sudo) so it picks up your profile.
$ nano ~/rpk-profile.yaml
kafka_api:
sasl:
user: admin
password: STRONG_PASSWORD
mechanism: SCRAM-SHA-256
tls:
enabled: true
ca_file: /etc/redpanda/certs/ca.crt
brokers:
- redpanda.example.com:9092
admin_api:
tls:
enabled: true
ca_file: /etc/redpanda/certs/ca.crt
addresses:
- redpanda.example.com:9644
$ rpk profile create production --from-profile ~/rpk-profile.yaml
$ rpk cluster health
CLUSTER HEALTH OVERVIEW
=======================
Healthy: true
Unhealthy reasons: []
Controller ID: 0
All nodes: [0]
Nodes down: []
Cluster UUID: 65e28fbb-c1b4-42c3-b0b7-fd82608699f3
Test with a Producer and Consumer
$ rpk topic create test-topic
TOPIC STATUS
test-topic OK
$ echo "Hello Redpanda" | rpk topic produce test-topic
Produced to partition 0 at offset 0 with timestamp 1699618845123.
$ rpk topic consume test-topic --num 1
Deploy Redpanda Console
$ sudo apt install redpanda-console -y
$ sudo nano /etc/redpanda/redpanda-console-config.yaml
server:
listenPort: 8080
listenAddress: 127.0.0.1
kafka:
brokers:
- redpanda.example.com:9092
tls:
enabled: true
caFilepath: /etc/redpanda/certs/ca.crt
sasl:
enabled: true
username: admin
password: STRONG_PASSWORD
mechanism: SCRAM-SHA-256
redpanda:
adminApi:
enabled: true
urls:
- https://redpanda.example.com:9644
tls:
enabled: true
caFilepath: /etc/redpanda/certs/ca.crt
authentication:
basic:
username: admin
password: STRONG_PASSWORD
$ sudo systemctl enable redpanda-console
$ sudo systemctl start redpanda-console
Front the Console with Nginx Basic Auth
Redpanda Console CE has no built-in login — put Nginx basic auth in front of it.
$ sudo apt install nginx -y
$ sudo apt install apache2-utils -y
$ sudo htpasswd -c /etc/nginx/.htpasswd admin
$ sudo nano /etc/nginx/sites-available/redpanda-console
server {
listen 80;
server_name redpanda.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name redpanda.example.com;
ssl_certificate /etc/letsencrypt/live/redpanda.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redpanda.example.com/privkey.pem;
location / {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
$ sudo ln -s /etc/nginx/sites-available/redpanda-console /etc/nginx/sites-enabled/
$ sudo nginx -t
$ sudo systemctl restart nginx
Open https://redpanda.example.com, enter the basic-auth credentials to reach the console dashboard.
Next Steps
Redpanda is running with TLS, SASL auth, production tuning, and a secured console. From here you can:
- Add more brokers and set
seed_serversfor a multi-node cluster - Wire Kafka Connect or a schema registry client against port 8081
- Point existing Kafka producers/consumers at Redpanda. The wire protocol is compatible, no client changes needed
For the full guide with additional tips, visit the original article on Vultr Docs.
Top comments (0)