# TLS Termination in Redpanda Console

---
title: TLS Termination in Redpanda Console
latest-redpanda-tag: v25.3.11
latest-console-tag: v3.7.3
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "false"
page-eol-date: November 19, 2026
latest-connect-version: 4.93.0
docname: config/security/tls-termination
page-component-name: streaming
page-version: "25.3"
page-component-version: "25.3"
page-component-title: Streaming
page-relative-src-path: config/security/tls-termination.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/25.3/modules/console/pages/config/security/tls-termination.adoc
description: Learn how to secure Redpanda Console using TLS, either by letting Redpanda Console handle TLS termination or by offloading it to an upstream component, such as a reverse proxy or a Cloud HTTPS LoadBalancer.
page-git-created-date: "2024-09-11"
page-git-modified-date: "2026-05-26"
support-status: supported
---

<!-- Source: https://docs.redpanda.com/streaming/25.3/console/config/security/tls-termination.md -->

To secure Redpanda Console using TLS (Transport Layer Security), you can either let Redpanda Console handle TLS termination or you can offload it to an upstream component, such as a reverse proxy or a cloud HTTPS load balancer. TLS termination refers to the process of decrypting incoming TLS-encrypted traffic. Choosing the right approach depends on various factors, such as your application’s traffic load, the complexity of your infrastructure, security requirements, and resource availability:

-   Redpanda Console handles TLS termination

    | Advantages | Drawbacks |
    | --- | --- |
    | Simplicity: You don’t need an additional component to handle the TLS termination. | Performance: TLS termination can be computationally expensive, especially for high-traffic applications. |
    | Control: Because the TLS termination happens within Redpanda Console, you have direct control over the process, which can be beneficial for troubleshooting and custom configurations. |  |

-   An upstream component handles TLS termination

    | Advantages | Drawbacks |
    | --- | --- |
    | Performance: Offloading the task of TLS termination to another component can help improve the performance of Redpanda Console by reducing its computational load. | Complexity: Using another component for TLS termination can increase the overall complexity of your system. |
    | Flexibility: You can use different types of upstream components (like various reverse proxies or load balancers) depending on your infrastructure needs and preferences. |  |
    | Simplicity: Reverse proxies like NGINX Ingress can integrate with other components such as cert-manager, which automatically renews certificates from LetsEncrypt. |  |


## [](#use-redpanda-console-for-tls-termination)Use Redpanda Console for TLS termination

When you use Redpanda Console to terminate the TLS connection, Redpanda Console starts two HTTP servers:

-   An HTTPS server on the configured HTTPS port.

-   An HTTP server on the configured HTTP port which redirects HTTP requests to the HTTPS port.


### Standalone

Add the following configuration to your `/etc/redpanda/redpanda-console-config.yaml` file:

```yaml
server:
  # httpsListenPort is the port on which Redpanda Console listens for TLS connections.
  # advertisedHttpsListenPort is the port advertised to clients, which may differ from
  # httpsListenPort because of network components such as load balancers or proxies.
  # advertisedHttpsListenPort is needed when redirecting an HTTP request to an HTTPS URL.
  httpsListenPort: 443
  advertisedHttpsListenPort: 443
  listenPort: 8080
  tls:
    enabled: true
    certFilepath: <path-to-cert>
    keyFilepath: <path-to-key>
    # allowedOrigins is a list of origins that can send requests from a browser to the
    # Redpanda Console API. By default, a same-site policy is enforced to prevent CSRF attacks.
    # Only in very specific deployment models may you need to change this secure default.
    # For example, during development it is common to run the API server and the client on
    # different ports of localhost, which browsers treat as different origins. In that case,
    # set allowedOrigins to include the origin of your client's development server.
    # allowedOrigins: []
```

Replace `<path-to-cert>` and `<path-to-key>` with the paths of your TLS certificate and key, respectively.

### Kubernetes embedded

When using the Redpanda Operator or the Redpanda Helm chart, configure Redpanda Console TLS through the cluster configuration:

#### Operator

```yaml
apiVersion: cluster.redpanda.com/v1alpha2
kind: Redpanda
metadata:
  name: redpanda-sample
spec:
  chartRef: {}
  clusterSpec:
    console:
      config:
        server:
          httpsListenPort: 443
          advertisedHttpsListenPort: 443
          listenPort: 8080
          tls:
            enabled: true
            certFilepath: <path-to-cert>
            keyFilepath: <path-to-key>
```

#### Helm

```yaml
console:
  enabled: true
  console:
    config:
      server:
        httpsListenPort: 443
        advertisedHttpsListenPort: 443
        listenPort: 8080
        tls:
          enabled: true
          certFilepath: <path-to-cert>
          keyFilepath: <path-to-key>
```

### Kubernetes standalone

When using the standalone Redpanda Console Helm chart, configure TLS in your Helm values:

```yaml
config:
  server:
    httpsListenPort: 443
    advertisedHttpsListenPort: 443
    listenPort: 8080
    tls:
      enabled: true
      certFilepath: <path-to-cert>
      keyFilepath: <path-to-key>
```

Apply with:

```bash
helm upgrade --install redpanda-console redpanda/console -f console-values.yaml
```

In this example, Redpanda Console is serving HTTPS traffic on port 443, where both `httpsListenPort` and `advertisedHttpsListenPort` are set to the same value. Any requests to the `listenPort` 8080 are redirected to the `advertisedHttpsListenPort`.

If you want Redpanda Console to serve HTTPS on a non-standard port like 8081, but you want to present the URL to users as though it’s serving on the standard HTTPS port 443, you can set `httpsListenPort` to 8081 and `advertisedHttpsListenPort` to 443. This configuration might be useful in development or testing scenarios. For example, if Redpanda Console’s internal address is `https://192.168.1.100:8081` but externally it’s accessed through `https://public-address.com:443`, set `httpsListenPort` to 8081 and `advertisedHttpsListenPort` to 443. Despite listening internally on 8081, Redpanda Console will generate URLs for clients using port 443.

> 📝 **NOTE**
>
> If you host Redpanda Console under a sub-path of your domain, such as `https://my-company.com/redpanda/console`, configure [HTTP path rewrites](https://docs.redpanda.com/streaming/25.3/console/config/http-path-rewrites/) in Redpanda Console.

### [](#http-strict-transport-security-hsts)HTTP Strict Transport Security (HSTS)

When TLS is enabled, Redpanda Console server automatically adds the HTTP Strict Transport Security (HSTS) header to all responses:

```none
Strict-Transport-Security: max-age=31536000
```

The HSTS header instructs web browsers to:

-   Always connect to Redpanda Console using HTTPS, never HTTP

-   Automatically upgrade any HTTP requests to HTTPS for the next 365 days (31536000 seconds)

-   Refuse connections if there are certificate errors or warnings


This behavior begins after the browser’s first successful HTTPS connection to Redpanda Console.

HSTS provides protection against:

-   Protocol downgrade attacks: Prevents attackers from forcing connections to use insecure HTTP

-   Accidental insecure connections: Users typing `http://` in their browser are automatically redirected to HTTPS

-   Session hijacking: Eliminates the risk window where HTTP traffic could be intercepted before redirect


You can verify that HSTS is enabled by checking the response headers:

```bash
curl -svk https://localhost:9091/ 2>&1 | grep -i strict-transport-security
```

Expected output:

```none
< strict-transport-security: max-age=31536000
```
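The two properties described above, the `listenPort` redirect landing on `advertisedHttpsListenPort` and the HSTS header with `max-age=31536000`, can be checked against captured response headers. This is an added example, not Redpanda code; the header dictionaries are constructed from the values quoted on this page rather than captured from a live deployment.

```python
"""Offline checks for a Console TLS deployment (added example, not Redpanda code).
Sample headers are constructed from this page's values; nothing is fetched over the network."""
from typing import Optional
from urllib.parse import urlsplit

ONE_YEAR = 31_536_000  # the max-age value Console emits

def header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (curl prints names lowercased under HTTP/2)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def parse_hsts(value: str) -> dict:
    """Split an HSTS value into its directives (RFC 6797: ';'-separated, names case-insensitive)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def hsts_ok(headers: dict, min_age: int = ONE_YEAR) -> bool:
    """True when the response carries HSTS with max-age >= min_age (Console sends 31536000)."""
    value = header(headers, "Strict-Transport-Security")
    if value is None:
        return False
    age = parse_hsts(value).get("max-age", "")
    return age.isdigit() and int(age) >= min_age

def redirect_ok(status: int, headers: dict, advertised_port: int) -> bool:
    """True when a plain-HTTP request to listenPort was redirected to HTTPS on the advertised
    port. A Location without an explicit port means 443, so https://host/ and
    https://host:443/ are both accepted for advertised_port=443."""
    location = header(headers, "Location")
    if status not in (301, 302, 307, 308) or location is None:
        return False
    url = urlsplit(location)
    return url.scheme == "https" and (url.port or 443) == advertised_port

# Constructed samples mirroring the page's values.
HTTPS_HEADERS = {"strict-transport-security": "max-age=31536000"}
REDIRECT_HEADERS = {"Location": "https://public-address.com:443/"}
LEAKED_INTERNAL_PORT = {"Location": "https://public-address.com:8081/"}  # advertised port not set

if __name__ == "__main__":
    print(hsts_ok(HTTPS_HEADERS), redirect_ok(301, REDIRECT_HEADERS, 443),
          redirect_ok(301, LEAKED_INTERNAL_PORT, 443))
```

The third sample models the misconfiguration the text warns about: the internal `httpsListenPort` 8081 leaking into client-facing URLs because `advertisedHttpsListenPort` was not set to 443.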

## [](#use-an-upstream-component-for-tls-termination)Use an upstream component for TLS termination

When you use an upstream component for TLS termination, the upstream component handles the secure TLS connection, and Redpanda Console receives unencrypted HTTP traffic from this component. You can use various upstream components, including reverse proxies, such as NGINX and HAProxy, as well as cloud HTTPS load balancers. To use this option, you must:

1.  Configure the upstream component to handle TLS termination.

2.  Ensure that the upstream component routes traffic to the address and port of Redpanda Console.

3.  Ensure that the upstream component is configured to pass along the original host header so that Redpanda Console can generate correct URLs, even when it’s behind a reverse proxy or load balancer.

4.  Disable TLS in Redpanda Console:


### Standalone

Add the following configuration to your `/etc/redpanda/redpanda-console-config.yaml` file:

```yaml
server:
  listenPort: 8080
  tls:
    enabled: false
```

### Kubernetes embedded

When using the Redpanda Operator or the Redpanda Helm chart, disable Redpanda Console TLS through the cluster configuration:

#### Operator

```yaml
apiVersion: cluster.redpanda.com/v1alpha2
kind: Redpanda
metadata:
  name: redpanda-sample
spec:
  chartRef: {}
  clusterSpec:
    console:
      config:
        server:
          listenPort: 8080
          tls:
            enabled: false
```

#### Helm

```yaml
console:
  config:
    server:
      listenPort: 8080
      tls:
        enabled: false
```

### Kubernetes standalone

When using the standalone Redpanda Console Helm chart, disable TLS in your Helm values:

```yaml
config:
  server:
    listenPort: 8080
    tls:
      enabled: false
```

Apply with:

```bash
helm upgrade --install redpanda-console redpanda/console -f console-values.yaml
```

> 📝 **NOTE**
>
> TLS is disabled by default.

Although Redpanda Console isn’t using TLS, the traffic remains secure because the upstream component handles TLS.

If you host Redpanda Console under a sub-path of your domain, such as `https://my-company.com/redpanda/console`, configure [HTTP path rewrites](https://docs.redpanda.com/streaming/25.3/console/config/http-path-rewrites/) in Redpanda Console.
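The four steps above as one NGINX configuration, an added example that is not from the Redpanda docs: `console.example.com`, the certificate paths and the upstream address `console-upstream:8080` are placeholders, and `8080` is the `listenPort` from the configuration above.

```nginx
# Added example (not from the Redpanda docs): NGINX terminates TLS and forwards plain HTTP
# to a Redpanda Console running with tls.enabled: false. Host name, certificate paths and
# the upstream address are placeholders.
server {
    listen 80;
    server_name console.example.com;
    # With its own TLS disabled, Console is not the one redirecting HTTP to HTTPS,
    # so the redirect lives at the proxy.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name console.example.com;

    ssl_certificate     /etc/nginx/tls/console.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/console.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The page notes that Console adds HSTS when TLS is enabled in Console; with
    # tls.enabled: false the header has to be set by the component terminating TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Step 2: route to Console's listenPort (8080 in the configuration above)
        proxy_pass http://console-upstream:8080;
        # Step 3: pass the original Host header so Console generates correct URLs
        proxy_set_header Host $host;
    }
}
```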

## [](#suggested-reading)Suggested reading

-   [`server` configuration options](https://docs.redpanda.com/streaming/25.3/console/config/configure-console/)

-   NGINX

    -   [NGINX Beginner’s Guide](http://nginx.org/en/docs/beginners_guide.html)

    -   [NGINX SSL Termination](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/)


-   [HAProxy documentation](https://www.haproxy.com/documentation/)

-   [AWS Elastic Load Balancing documentation](https://docs.aws.amazon.com/elasticloadbalancing/)

-   [Cloud Load Balancing documentation](https://cloud.google.com/load-balancing/docs)

-   [OpenSSL documentation](https://www.openssl.org/docs/)