Adding Basic Authentication to Loki using Nginx
I’ll take you through a simple setup to add basic authentication to Loki using a Nginx reverse proxy.
In a previous article, I was writing about adding basic authentication to any application using Nginx. We are now going to apply this specifically to Loki.
Grafana Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus.
Loki does not come with any authentication layer. You are expected to use it with a reverse proxy in front to ensure it is secured.
Here is the overall picture of what we want to achieve:
Nginx Reverse proxy
We are going to reuse the Nginx reverse proxy I wrote about earlier here.
Its usage is very basic :
docker run -it -p 80:80 --env BASIC_USERNAME=john.doe --env BASIC_PASSWORD=myp@ssword! --env FORWARD_HOST=loki --env FORWARD_PORT=3100 laurentbel/nginx-basic-auth
This will forward all traffic to http://loki:3100 adding basic authentication on the way.
Putting everything in a nice docker compose:
Loki is exposed by the nginx container. You can specify username and password using environment variables.
If you now try to access a loki endpoint such as : localhost/loki/api/v1/labels you will get a nice authentication popup:
Enter the credentials you have specified in your docker-compose.yml file and voilà:
Loki is fantastic. If you want to expose it, you’ll have to secure it. You now have a easy way to do it.
Full source code here: https://gist.github.com/laurentbel/391e57e601f7d1c81d2d4e74879383d7