I am trying to run Loki behind an Nginx reverse proxy and add basic authentication with the labels, but I am stuck with a wide range of documentation and no particular solution. Can anyone help me with that? Thank you : )
I run Loki behind Nginx with basic auth. I do not use multi tenancy. I run everything in Kubernetes. I use Promtail that needs to authenticate to be able to send logs to Loki but Grafana that is in the same cluster as Loki needs no authentication as connections do not go through the Nginx ingress controller. I can share my config if this is what you also want to do.
I can also possibly help otherwise but need more specific info on how you have set things up to be able to answer any questions.
We are completely on the same page. I have configured Promtail in different clusters, sending cluster/application logs to a central cluster, which has Loki, Alertmanager and Grafana. The problem I am facing is with Nginx; I am missing something while setting it up. I followed the following tutorial:
Running Loki behind Nginx Reverse Proxy - DEV Community.
Can you please provide the Nginx configs? It will be a great help.
Here is my config
The ingress
```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    external-dns.alpha.kubernetes.io/hostname: loki-example.bwcom.io
    ingress.kubernetes.io/affinity: cookie
    ingress.kubernetes.io/auth-realm: Authentication Required
    ingress.kubernetes.io/auth-secret: basic-auth
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Scope-OrgID: fake";
    ingress.kubernetes.io/proxy-read-timeout: "300"
    ingress.kubernetes.io/proxy-connect-timeout: "300"
    ingress.kubernetes.io/proxy-send-timeout: "300"
    ingress.kubernetes.io/session-cookie-hash: sha1
    ingress.kubernetes.io/session-cookie-name: route
    kubernetes.io/ingress.class: nginx
  name: loki-ingress-with-auth
spec:
  rules:
  - host: loki-example.bwcom.io
    http:
      paths:
      - backend:
          service:
            name: loki-distributed-distributor
            port:
              number: 3100
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - loki-example.bwcom.io
    secretName: loki-ingress-with-auth-certificate
```
You need a secret with the basic auth credentials. More info here
My Promtail client config looks like this

```yaml
clients:
  - basic_auth:
      password: ${LOKI_BASIC_AUTH_PW}
      username: ${LOKI_BASIC_AUTH_USER}
    external_labels:
      cluster: ${CLUSTER}
    url: ${LOKI_URL}
```
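An added example, not part of the original posts: one way to build the Secret that `auth-secret: basic-auth` in the Ingress above points to. It assumes ingress-nginx's default auth-file layout (htpasswd lines under the key `auth`), that `openssl` is installed, and that the Secret lives in the same namespace as the Ingress; the user name `promtail` and namespace `loki` in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: render the basic-auth Secret for the Ingress shown above.
set -eu

# Print one htpasswd line ("user:hash") for the given user name.
# The password is read from stdin so it never shows up in argv or `ps` output.
htpasswd_line() {
  hl_user="$1"
  case "$hl_user" in
    ''|*[!A-Za-z0-9._-]*)
      echo "user name must be non-empty and use only A-Z a-z 0-9 . _ -" >&2
      return 1 ;;
  esac
  # Salted apr1 hash, the format `htpasswd` writes by default.
  hl_hash="$(openssl passwd -apr1 -stdin)" || return 1
  printf '%s:%s\n' "$hl_user" "$hl_hash"
}

# Render the Secret manifest. The key must be called "auth"; the name must
# match the auth-secret annotation on the Ingress.
render_secret() {
  rs_name="$1"; rs_namespace="$2"; rs_line="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${rs_name}
  namespace: ${rs_namespace}
type: Opaque
stringData:
  auth: '${rs_line}'
EOF
}

# Usage (placeholder user, namespace and password file):
#   line="$(htpasswd_line promtail < ./loki-password.txt)"
#   render_secret basic-auth loki "$line" | kubectl apply -f -
```

The same user name and password then go into `LOKI_BASIC_AUTH_USER` and `LOKI_BASIC_AUTH_PW` on the Promtail side.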
Thanks for the effort, it worked for me.