Loki endpoints for config, metrics and ring

Hi all!

Working with Loki on our systems, we recently underwent a security audit, and several vulnerabilities were identified.
Specifically, unauthenticated access to the /config, /ring, and /metrics endpoints was flagged.

Is there a supported way to enable authentication for these endpoints?
If not, is it possible to disable the /config and /metrics endpoints entirely to reduce exposure?

Any guidance or recommended best practices would be appreciated.

Ex: http://x.x.x.x:3100/config

Ex: http://x.x.x.x:3100/ring

Ex: http://x.x.x.x:3100/metrics

I don’t think it’s possible. I am not sure how you run your Loki instance, but these API endpoints are supposed to be internal/private, so I would recommend that you lock them down with some sort of firewall rules, like iptables or security groups if you are on AWS.

Authentication for Loki is done via the loki-gateway, which is an nginx reverse proxy. It does the authentication and routes the request to the proper backend service. As @tonyswumac mentioned, the endpoints you mentioned should be internal and not exposed to the Internet. Depending on your deployment, you had better only expose loki-gateway to the public Internet and restrict the rest to private subnets.

If you can provide some more details on your deployment then we may be able to provide more guidance.

Thanks

Suleyman Kutlu (a.k.a. SNK)
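To make the gateway pattern from the reply above concrete, here is an added example nginx configuration (not the Loki project's shipped loki-gateway config) that fronts Loki, requires credentials for the API and keeps /config, /ring and /metrics off the public listener. It assumes Loki is bound to loopback on port 3100 (the port from the thread), an htpasswd file at /etc/nginx/loki.htpasswd, and an internal scraper network of 10.0.0.0/8; all three are assumptions.

```nginx
# Added example, not the Loki project's own loki-gateway configuration.
# Assumptions: Loki listens on 127.0.0.1:3100 (port taken from the thread),
# the credentials file /etc/nginx/loki.htpasswd exists, and metrics scrapers
# live in 10.0.0.0/8. Adjust all three for your deployment.
upstream loki_backend {
    server 127.0.0.1:3100;   # Loki itself is never exposed directly
}

server {
    listen 8080;             # the only port reachable from outside

    # Operational endpoints from the thread. A 403 is returned by nginx
    # itself, so the request is visible in the access log but never
    # reaches Loki.
    location = /config { return 403; }
    location = /ring   { return 403; }

    # /metrics is usually still needed by an internal scraper, so allow
    # only that network (assumed CIDR) instead of blocking it outright.
    location = /metrics {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://loki_backend;
    }

    # Push and query APIs: credentials required before anything is proxied.
    location / {
        auth_basic           "Loki";
        auth_basic_user_file /etc/nginx/loki.htpasswd;   # assumed path
        proxy_pass           http://loki_backend;
    }
}
```

Pair this with host or security-group rules so that port 3100 accepts connections only from the gateway host, since the nginx rules protect nothing if Loki is reachable on its own port.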