I have a question about Promtail. I know I can use Promtail as an HTTP or gRPC server, but can I use Promtail as an HTTPS server?
My case: we’re running a Promtail instance as a proxy server between Promtail clients (thousands of nodes) and a Loki cluster. Currently, we use the following loki_push_api configuration:
```yaml
clients:
  - url: http://my.loki.server:3100/loki/api/v1/push
    tenant_id: random
scrape_configs:
  - job_name: loki_push_api
    loki_push_api:
      server:
        http_listen_port: 3100
      use_incoming_timestamp: true
```
The thing is that we want to add one more client and one more scrape config to support both HTTP and HTTPS for security reasons, something like
```yaml
clients:
  - url: http://my.loki.server:3100/loki/api/v1/push
    tenant_id: random
  - url: https://my.loki.server:3101/loki/api/v1/push # let's suppose we're running 2 distributor instances, HTTP and HTTPS under the same hostname, different ports
    tenant_id: random_tls
scrape_configs:
  - job_name: loki_push_api
    loki_push_api:
      server:
        http_listen_port: 3100
      use_incoming_timestamp: true
  - job_name: loki_push_api_https
    loki_push_api:
      server:
        http_listen_port: 3101
        http_tls_config:
          cert_file: /etc/ssl/certs/promtail/cert.pem
          key_file: /etc/ssl/certs/promtail/key.pem
      use_incoming_timestamp: true
```
I didn’t test it, but I don’t think this will work, because there is no such config option for Promtail.
Note the server configuration is the same as server.
The server block configures Promtail’s behavior as an HTTP server.
My first question of this thread: does Promtail’s server configuration support HTTPS?
If not, then my second question would be: does Promtail’s server configuration support gRPC with SSL/TLS? Something like
```yaml
clients:
  - url: http://my.loki.server:3100/loki/api/v1/push
    tenant_id: random
  - url: https://my.loki.server:3101/loki/api/v1/push # let's suppose we're running 2 distributor instances, HTTP and HTTPS under the same hostname, different ports
    tenant_id: random
scrape_configs:
  - job_name: loki_push_api
    loki_push_api:
      server:
        http_listen_port: 3100
      use_incoming_timestamp: true
  - job_name: loki_push_api_grpc
    loki_push_api:
      server:
        grpc_listen_port: 3101
        grpc_tls_config:
          cert_file: /etc/ssl/certs/promtail/cert.pem
          key_file: /etc/ssl/certs/promtail/key.pem
      use_incoming_timestamp: true
```
Also, my third question, which is kind of off-topic: how can I point to one particular client in my scrape_config that I want to use?