Adding basic auth to loki using Nginx

I am trying to run Loki behind an Nginx reverse proxy and add basic authentication with the labels, but I am stuck with a wide range of documentation and no particular solution. Can anyone help me with that? Thank you : )

I run Loki behind Nginx with basic auth. I do not use multi tenancy. I run everything in Kubernetes. I use Promtail that needs to authenticate to be able to send logs to Loki but Grafana that is in the same cluster as Loki needs no authentication as connections do not go through the Nginx ingress controller. I can share my config if this is what you also want to do.

I can also possibly help otherwise, but I need more specific info on how you have set things up to be able to answer any questions.

We are completely on the same page. I have configured Promtail in different clusters and am sending cluster/application logs to a central cluster, which has Loki, Alertmanager and Grafana. The problem I am facing is with Nginx; I am missing something while setting it up. I followed the following tutorial:
Running Loki behind Nginx Reverse Proxy - DEV Community.
Can you please provide the Nginx configs? It would be a great help.

Here is my config

The ingress

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    external-dns.alpha.kubernetes.io/hostname: loki-example.bwcom.io
    ingress.kubernetes.io/affinity: cookie
    ingress.kubernetes.io/auth-realm: Authentication Required
    ingress.kubernetes.io/auth-secret: basic-auth
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Scope-OrgID: fake";
    ingress.kubernetes.io/proxy-read-timeout: "300"
    ingress.kubernetes.io/proxy-connect-timeout: "300"
    ingress.kubernetes.io/proxy-send-timeout: "300"
    ingress.kubernetes.io/session-cookie-hash: sha1
    ingress.kubernetes.io/session-cookie-name: route
    kubernetes.io/ingress.class: nginx
  name: loki-ingress-with-auth
spec:
  rules:
  - host: loki-example.bwcom.io
    http:
      paths:
      - backend:
          service:
            name: loki-distributed-distributor
            port:
              number: 3100
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - loki-example.bwcom.io
    secretName: loki-ingress-with-auth-certificate

You need a secret with the basic auth credentials. More info here

My Promtail client config looks like this

clients:
  - basic_auth:
      password: ${LOKI_BASIC_AUTH_PW}
      username: ${LOKI_BASIC_AUTH_USER}
    external_labels:
      cluster: ${CLUSTER}
    url: ${LOKI_URL}
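An added example, not part of the original posts: one way to build the `basic-auth` Secret that the ingress annotation above refers to. ingress-nginx reads htpasswd data from the Secret key `auth`; the namespace `loki` and the use of `openssl passwd -apr1` are assumptions, and the environment variable names in the usage comment are the ones from the Promtail config.

```shell
#!/bin/sh
# Added example: build the Secret referenced by "auth-secret: basic-auth".
# Namespace and user values used with it are constructed, not from the thread.

# htpasswd_line USER   (password on stdin, so it never appears in argv)
htpasswd_line() {
  user=$1
  case $user in
    ''|*:*) echo "user name must be non-empty and contain no ':'" >&2; return 1 ;;
  esac
  # apr1 is the salted MD5 scheme that htpasswd writes and Nginx accepts
  hash=$(openssl passwd -apr1 -stdin) || return 1
  [ -n "$hash" ] || { echo "no password on stdin" >&2; return 1; }
  printf '%s:%s\n' "$user" "$hash"
}

# basic_auth_secret NAME NAMESPACE USER   (password on stdin)
# Prints a Secret manifest with the htpasswd line stored under key "auth".
basic_auth_secret() {
  name=$1 namespace=$2
  line=$(htpasswd_line "$3") || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: Opaque
data:
  auth: $(printf '%s\n' "$line" | base64 | tr -d '\n')
EOF
}

# Usage, with the same variables the Promtail client reads:
#   printf '%s\n' "$LOKI_BASIC_AUTH_PW" \
#     | basic_auth_secret basic-auth loki "$LOKI_BASIC_AUTH_USER" \
#     | kubectl apply -f -
```

Only the salted hash ends up in the cluster; Promtail keeps the plaintext password and sends it on every push, so the `tls` section of the Ingress is what protects it in transit.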

Thanks for the effort it worked for me.