
🔐 Setup HTTPS with Self-Signed Certificate for Loki behind NGINX Reverse Proxy

📁 Step 1: Create Certificate Directory

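# Root-owned directory for the self-signed certificate and private key. The
# openssl command in Step 3 writes into it, so it must run as root (sudo) too.
sudo mkdir -p /etc/nginx/certs
# Abort rather than silently running the later steps in the wrong directory.
cd /etc/nginx/certs || exit 1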

📝 Step 2: Create loki-cert.conf Configuration File

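# OpenSSL request configuration for a self-signed TLS *server* certificate.
# Consumed by `openssl req -x509 ... -config <this file>` in Step 3.
[req]
# Key size used only when -newkey is absent; Step 3 passes rsa:4096 on the
# command line, which overrides this value. Kept in sync to avoid confusion.
default_bits       = 4096
distinguished_name = req_distinguished_name
# req_extensions applies when a CSR is produced; with -x509 OpenSSL uses
# x509_extensions instead, so [v3_server] is what ends up in loki.crt.
req_extensions     = req_ext
x509_extensions    = v3_server
prompt             = no

[req_distinguished_name]
C  = IN
ST = Haryana
L  = Gurugram
O  = domainname
OU = domainname
# CN alone is ignored by modern TLS clients; the SAN list below is what is
# matched against the hostname.
CN = loki.domainname.com

[req_ext]
subjectAltName = @alt_names

# End-entity (leaf) extensions: explicitly NOT a CA, key limited to TLS
# server use. Named v3_server rather than v3_ca to reflect that.
[v3_server]
subjectAltName = @alt_names
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
# Every hostname clients will connect with must appear here; add DNS.2 etc.
# (e.g. a staging name) if the same certificate should cover more hosts.
DNS.1 = loki.domainname.com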

🔑 Step 3: Generate SSL Certificate and Key


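# Generate the private key and a self-signed certificate in one step.
#   -x509   emit a certificate instead of a CSR
#   -nodes  leave the key unencrypted so nginx can start unattended
#   -days   ~10 years; acceptable for a privately trusted cert, but plan rotation
#   -config must name the file written in Step 2
# /etc/nginx/certs is root-owned (Step 1), hence sudo.
sudo openssl req -x509 -nodes -days 3652 -newkey rsa:4096 \
  -keyout loki.key \
  -out loki.crt \
  -config loki-cert.conf

# The private key must never be world-readable (a recursive +r on the whole
# directory would expose it to every local user). nginx's master process
# runs as root and loads the key at startup, so root-only 0600 is enough.
# The certificate is public and may stay readable.
sudo chown root:root loki.key loki.crt
sudo chmod 600 loki.key
sudo chmod 644 loki.crt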

🌐 Step 4: NGINX Configuration for Loki HTTPS Proxy

Create or update your NGINX site config:
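server {
    listen 443 ssl;
    server_name loki.domainname.com;

    # Self-signed pair from Step 3; loki.key must be readable by root only.
    ssl_certificate     /etc/nginx/certs/loki.crt;
    ssl_certificate_key /etc/nginx/certs/loki.key;
    # Never negotiate legacy protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    # 🔐 Only the push endpoint is reachable, and only with Basic Auth.
    # Exact match (=): nothing under /loki/api/v1/push/... is proxied.
    location = /loki/api/v1/push {
        # Agents push batched payloads; nginx's default 1m limit answers 413
        # for larger batches.
        client_max_body_size 16m;

        proxy_pass http://localhost:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        auth_basic "Push Access Only";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # ✅ Readiness probe stays unauthenticated so load balancers / monitoring
    # can poll it; it exposes only whether Loki is ready. Add allow/deny
    # rules here if even that should be restricted.
    location = /ready {
        proxy_pass http://localhost:3100/ready;
    }

    # 🚫 Everything else (Loki's query and admin endpoints included) is refused.
    location / {
        return 403;
    }
}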

Variant: serving both HTTP (staging) and HTTPS. Be aware that Basic Auth over plain HTTP on port 80 transmits the credentials unencrypted on every push.

# cat /etc/nginx/sites-available/loki-staging.domainname.com.conf 
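########################################
# 1) HTTP block – listens on :80
########################################
# WARNING: Basic Auth over plain HTTP sends username:password merely
# base64-encoded, i.e. in cleartext, on every push. Use this listener only
# on a network you trust end-to-end (or behind another TLS terminator);
# otherwise expose the push endpoint on :443 only. Note that the Step 3
# certificate's SAN lists only loki.domainname.com, so loki-staging.domainname.com
# would have to be added to [alt_names] before it can be served over TLS.
server {
    listen 80;
    server_name loki-staging.domainname.com;

    # Only the push endpoint is reachable, and only with Basic Auth.
    # Exact match (=): nothing under /loki/api/v1/push/... is proxied.
    location = /loki/api/v1/push {
        # Agents push batched payloads; nginx's default 1m limit answers 413
        # for larger batches.
        client_max_body_size 16m;

        proxy_pass http://localhost:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        auth_basic "Push Access Only";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # Readiness probe stays unauthenticated so load balancers / monitoring
    # can poll it; it exposes only whether Loki is ready.
    location = /ready {
        proxy_pass http://localhost:3100/ready;
    }

    # Everything else (Loki's query and admin endpoints included) is refused.
    location / {
        return 403;
    }

}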

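########################################
# 2) HTTPS block – listens on :443 (your original server)
########################################
server {
    listen 443 ssl http2;
    server_name loki.domainname.com;

    # Self-signed pair from Step 3; loki.key must be readable by root only.
    ssl_certificate     /etc/nginx/certs/loki.crt;
    ssl_certificate_key /etc/nginx/certs/loki.key;
    # Never negotiate legacy protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only the push endpoint is reachable, and only with Basic Auth.
    # Exact match (=): nothing under /loki/api/v1/push/... is proxied.
    location = /loki/api/v1/push {
        # Agents push batched payloads; nginx's default 1m limit answers 413
        # for larger batches.
        client_max_body_size 16m;

        proxy_pass http://localhost:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        auth_basic "Push Access Only";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # Readiness probe stays unauthenticated so load balancers / monitoring
    # can poll it; it exposes only whether Loki is ready.
    location = /ready {
        proxy_pass http://localhost:3100/ready;
    }

    # Everything else (Loki's query and admin endpoints included) is refused.
    location / {
        return 403;
    }
}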

🔐 Step 5: Create Basic Auth User

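# Create the Basic Auth user that agents push with.
#   -c  creates the file and OVERWRITES an existing one — drop -c when adding
#       further users.
#   -B  stores a bcrypt hash instead of htpasswd's weaker apr1/MD5 default.
# You are prompted for the password; choose a strong, unique one rather than
# an example value from a published guide. The same value goes into the
# promtail basic_auth config.
sudo htpasswd -cB /etc/nginx/.htpasswd pushuser

# nginx workers read this file on every request, so the worker's group needs
# read access, but no other local user should. The worker group is typically
# www-data on Debian/Ubuntu and nginx on RHEL-family distributions.
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd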

🌍 Step 6: Test the Endpoint (with --insecure for self-signed cert)

# Smoke test only: -k (--insecure) skips certificate verification because the
# cert is not trusted yet. Never carry this flag into the real agent config.
curl -kv https://loki.domainname.com/ready

🏢 Step 7: Add Certificate to System Trust Store — this removes the TLS verification error, so clients on this host no longer need `--insecure`. The paths shown are for Debian/Ubuntu; repeat this on every client host that should trust the certificate.

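# Debian/Ubuntu: files under /usr/local/share/ca-certificates must end in .crt
# to be picked up. On RHEL-family hosts use /etc/pki/ca-trust/source/anchors/
# followed by `sudo update-ca-trust` instead. Absolute source path so this
# works regardless of the current directory.
sudo cp /etc/nginx/certs/loki.crt /usr/local/share/ca-certificates/loki.crt
sudo update-ca-certificates
# Verify: the request must now succeed WITHOUT --insecure.
curl -v https://loki.domainname.com/ready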

Promtail configuration to use the certificate:

  • Use this if `update-ca-certificates` above did not work, or if you prefer to point promtail at the certificate explicitly in its config file. Promtail runs on the agent host, so the certificate must be copied there first.
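# Promtail client block for pushing to Loki over HTTPS through the nginx proxy.
# Add this to the agent's promtail config.
clients:
  - url: https://loki.domainname.com/loki/api/v1/push
    tls_config:
      # Copy /etc/nginx/certs/loki.crt from the Loki host to this path on the
      # agent. If the certificate was added to the agent's system trust store
      # (Step 7) this line should be unnecessary. Never set
      # insecure_skip_verify: true outside a throwaway test — it disables the
      # protection the certificate provides.
      ca_file: /etc/promtail/certs/loki.crt
      insecure_skip_verify: false
    basic_auth:
      username: pushuser
      # Keep the secret out of the main config file: password_file holds only
      # the password, owned by the promtail user with mode 0600. An inline
      # `password:` value is also accepted but is easier to leak (backups,
      # config management, world-readable config). Do not set both.
      password_file: /etc/promtail/push.password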
  • After adding the above configuration to the promtail config file, restart the promtail service to apply the changes (Step 8).
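# Once loki.crt is trusted (Step 7), verification must succeed WITHOUT
# --insecure. If this still fails, the trust store on this host was not
# updated and the agent will fail the same way.
curl -v https://loki.domainname.com/ready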

🔄 Step 8: Restart Promtail to Apply Changes

# Restart the agent so the new client URL, CA file and credentials take effect.
sudo systemctl restart promtail.service

✅ Loki's push endpoint is now served over HTTPS with a self-signed certificate and protected by Basic Auth via NGINX. Keep in mind that `/ready` stays unauthenticated, every other path returns 403, and each client host must trust `loki.crt` (system trust store or `ca_file`) for TLS verification to actually hold.