How to restrict Loki API?

Am I crazy? Why is the data query API, and data Push API running on the same port (3100)?

I don’t want my clients being able to query all the data that is stored.

Is restricting the API only possible by placing Loki behind a proxy? If so, what paths would need to be allowed for pushing data, and what paths for querying data?

Right… Authentication | Grafana Loki documentation

Couple of things:

  1. Whether or not push and get queries run on the same endpoint or not has no bearing on how your grant access to your clients. As you pointed out in your second comment, you should enable authentication if you need a secure set up.

  2. In Loki if you need any sort of throughput you will likely be running separate containers for read and write path. And your frontend, whether it’s an Nginx proxy or some sort of application load balancer, will direct traffic to either read path or write path according to the uri. Again this has no bearing on how authentication and permission are granted.

Yes, understood.

Any ideas on how to achieve this? Since I’m using the filesystem as storage on a docker host, could I just bind the same volume to the two containers? Have one read only, and the other one write?

Although I’m having trouble understanding how that would increase performance?

If you are using file system then you can’t really do it. You need an object storage or some sort of SAN.