Pernod Ricard Tech
Published in

Pernod Ricard Tech

Adding Basic Authentication to Loki using Nginx

I’ll take you through a simple setup to add basic authentication to Loki using a Nginx reverse proxy.

In a previous article, I was writing about adding basic authentication to any application using Nginx. We are now going to apply this specifically to Loki.


Grafana Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus.

Loki does not come with any authentication layer. You are expected to use it with a reverse proxy in front to ensure it is secured.

Overall picture

Here is the overall picture of what we want to achieve:

Nginx Reverse proxy

We are going to reuse the Nginx reverse proxy I wrote about earlier here.

Its usage is very basic :

docker run -it -p 80:80 --env BASIC_USERNAME=john.doe --env BASIC_PASSWORD=myp@ssword! --env FORWARD_HOST=loki --env FORWARD_PORT=3100 laurentbel/nginx-basic-auth

This will forward all traffic to http://loki:3100 adding basic authentication on the way.

Docker compose

Putting everything in a nice docker compose:

Loki is exposed by the nginx container. You can specify username and password using environment variables.


If you now try to access a loki endpoint such as : localhost/loki/api/v1/labels you will get a nice authentication popup:

Enter the credentials you have specified in your docker-compose.yml file and voilà:


Loki is fantastic. If you want to expose it, you’ll have to secure it. You now have a easy way to do it.

Full source code here:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Laurent Bel

Laurent Bel

Leading the IT Architecture & Innovation team at Pernod Ricard. Interested in IT technology in general.