How to set up Loki and Promtail to communicate over TLS

I’m struggling how to get Loki and Promtail to run over TLS.
I added some lines to my config but see no difference.

  http_listen_port: 9080
  http_tls_config: &tls_server_config
    cert_file: /opt/loki/mycertificate.crt
    key_file: /opt/loki/mycertificate.key

  grpc_listen_port: 0

  filename: /tmp/positions.yaml

  - url: http://localhost:3100/loki/api/v1/push

- job_name: system
  - targets:
      - localhost
      job: varlogs
      host: 'lste005654'
      env: 'mon'
      __path__: /var/log/*log

What changes do i make to let both Loki and Promtail run under TLS

I’ve not tried to run Loki with end-to-end encryption, so I am unfortunately not answering your question directly.

However, for our usecase we find it enough to enforce TLS/HTTPS from the outside, and let Loki’s internal communication remain unencrypted (communication between loki components). You can do this pretty easily by putting an Nginx or some sort of application load balancer in front of Loki and enforce HTTPS from there. If you are using simple scalable mode or distributed mode you’ll need to route traffic based on URL path to readers or writers. And your clients (such as promtail or any other API requests) will go through the frontend nginx or ALB.


For Loki and Promtail to connect over TLS; you need Loki to be available over HTTPS. Then use https as the scheme of Loki’s address in Promtail’s client section.

A simple config for that will look like :

  http_listen_port: 9080
  http_tls_config: &tls_server_config
    cert_file: /opt/loki/mycertificate.crt
    key_file: /opt/loki/mycertificate.key
# You need to set other options as suited for you need

In Promtail’s you will need :

    url: https://hostname-in-certificat:9080/loki/api/v1/push
# Complete as needed.

I hope you can manage anything related to certificate validation.
You can look Configure Promtail | Grafana Loki documentation for Promtail’s options.
Also take a look at Grafana Loki configuration parameters | Grafana Loki documentation for Loki configuration option’s.

To summarize, you need to make Loki run with https and make Promtail connecter over HTTPS.
Any question ? Lets know.