In this post, we’ll set up Kafbat UI, a modern web-based Kafka management interface, to work with a secure Kafka 4.0 cluster that uses:
- SASL/PLAIN authentication
- SSL Termination via HAProxy
- No exposed ports — secure HTTPS access only
- Docker-based deployment
- systemd integration for auto-start

This post is a follow-up to:
- How to Install Kafka 4.0 on a Single Ubuntu 24.04 Node with HAProxy SSL Termination
- How to Enable Username/Password Authentication (SASL/PLAIN) in Kafka 4.0 with HAProxy SSL Termination

Architecture Overview

Component | Address | Protocol | Role |
---|---|---|---|
Kafka Broker | 0.0.0.0:9092 | SASL/PLAIN | Internal Kafka listener |
HAProxy | 192.168.0.127:9093 | SSL | TLS termination (Kafka) |
HAProxy | 192.168.0.127:443 | HTTPS | TLS termination (UI) |
Kafbat UI | 127.0.0.1:8080 (Docker) | HTTP (internal) | Kafka web management UI |
Browser | https://kafka.maksonlee.com | HTTPS | Access point |

Prerequisites

Make sure:
- Your Kafka 4.0 is already running with SASL/PLAIN and HAProxy SSL
- DNS for `kafka.maksonlee.com` resolves to your server
- Your SSL cert (`kafka.maksonlee.com.pem`) is already placed in `/etc/haproxy/certs/`

- Create the Docker Compose for Kafbat UI

Create `/opt/kafbat-ui/docker-compose.yml`:

```yaml
version: '3'
services:
  kafbat-ui:
    image: ghcr.io/kafbat/kafka-ui:latest
    # Host networking: the UI's port 8080 is opened directly on the host
    network_mode: "host"
    container_name: kafbat-ui
    environment:
      KAFKA_CLUSTERS_0_NAME: Kafka 4.0
      # Connect through HAProxy's TLS listener, not the broker's internal port
      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka.maksonlee.com:9093
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: PLAIN
      # SASL/PLAIN credentials of the Kafka user the UI connects as
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: >
        org.apache.kafka.common.security.plain.PlainLoginModule required
        username="admin" password="admin-secret";
      DYNAMIC_CONFIG_ENABLED: "false"
```

- Create a systemd Service

To auto-start Kafbat UI:

```ini
[Unit]
Description=Kafbat UI
Requires=docker.service
After=docker.service
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
Type=exec
WorkingDirectory=/opt/kafbat-ui
ExecStart=/usr/bin/docker compose up
ExecStop=/usr/bin/docker compose down
TimeoutStopSec=30
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
```

Enable and start the service:

```bash
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable kafbat-ui
sudo systemctl start kafbat-ui
```

- Configure HAProxy (Port 443 for UI)

Append this to `/etc/haproxy/haproxy.cfg`:

```
userlist kafbat_users
    user admin insecure-password mysecretpassword

frontend kafbat_ui_https
    bind 192.168.0.127:443 ssl crt /etc/haproxy/certs/kafka.maksonlee.com.pem
    mode http
    acl is_auth_ok http_auth(kafbat_users)
    http-request auth realm KafbatUI if !is_auth_ok
    use_backend kafbat_ui_backend

backend kafbat_ui_backend
    mode http
    server kafbat_ui1 127.0.0.1:8080 check
```

Note that `insecure-password` keeps the password in clear text in `haproxy.cfg`; HAProxy's `password` keyword takes a crypt(3) hash instead.

Reload HAProxy:

```bash
sudo systemctl reload haproxy
```

- Access the UI

Open your browser and go to:

https://kafka.maksonlee.com

You should see the Kafbat UI dashboard with your Kafka 4.0 cluster connected via SASL/PLAIN.
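
The architecture table lists Kafbat UI on 127.0.0.1:8080, but with `network_mode: "host"` the bind address is decided by the application, so it is worth checking after deployment. The following check is an added example, not part of the original post: it reads `ss -ltnH` output and prints any listener on the given ports that is not bound to loopback. The function names and sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: list listeners on "internal" ports that are not loopback-only.
# Reads `ss -ltnH` output on stdin (assumed columns: State Recv-Q Send-Q Local Peer).

# exposed_listeners PORT... : print "address:port" of each non-loopback listener
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (!(port in want)) next
            # Loopback forms: 127.0.0.0/8, [::1], IPv4-mapped [::ffff:127.x.x.x]
            if (host ~ /^127\./ || host == "[::1]" || host ~ /^\[::ffff:127\./) next
            print $4
        }'
}

# check_host PORT... : run against the live host; non-zero status if anything is exposed
check_host() {
    exposed=$(ss -ltnH | exposed_listeners "$@")
    if [ -z "$exposed" ]; then return 0; fi
    printf '%s\n' "$exposed" | sed 's/^/not loopback-only: /' >&2
    return 1
}

# Constructed sample: addresses from the architecture table, UI bound to all interfaces
SAMPLE_WILDCARD='LISTEN 0 4096 *:8080 *:*
LISTEN 0 50 0.0.0.0:9092 0.0.0.0:*
LISTEN 0 4096 192.168.0.127:9093 0.0.0.0:*
LISTEN 0 4096 192.168.0.127:443 0.0.0.0:*'

# Constructed sample: UI bound to loopback, as the table describes
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 192.168.0.127:443 0.0.0.0:*'

# Demo on the constructed data: both internal ports are reported
printf '%s\n' "$SAMPLE_WILDCARD" | exposed_listeners 8080 9092
```

On the server, `check_host 8080` performs the same check against live sockets. A reported listener means the UI is reachable without passing through HAProxy's TLS and basic auth, unless a firewall blocks the port.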


Conclusion
With this setup, you now have a secure, restart-persistent, and authenticated Kafbat UI dashboard, perfect for monitoring Kafka topics, partitions, consumers, and more.