πŸ” Setup HTTPS with Self-Signed Certificate for Loki behind NGINX Reverse Proxy

πŸ“ Step 1: Create Certificate Directory

sudo mkdir -p /etc/nginx/certs
cd /etc/nginx/certs

πŸ“ Step 2: Create loki-cert.conf Configuration File

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca
prompt             = no
 
[req_distinguished_name]
C  = IN
ST = Haryana
L  = Gurugram
O  = Seamlessfintech
OU = Seamlessfintech
CN = loki.seamlessfintech.com
 
[req_ext]
subjectAltName = @alt_names
 
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
 
[alt_names]
DNS.1 = loki.seamlessfintech.com

🔑 Step 3: Generate SSL Certificate and Key

openssl req -x509 -nodes -days 3652 -newkey rsa:4096 \
  -keyout loki.key \
  -out loki.crt \
  -config loki-cert.conf    # the file created in Step 2; -newkey rsa:4096 overrides default_bits
# The certificate can be world-readable, but keep the private key root-only:
# the NGINX master process runs as root and reads the key at startup.
sudo chmod 644 /etc/nginx/certs/loki.crt
sudo chmod 600 /etc/nginx/certs/loki.key

🌐 Step 4: NGINX Configuration for Loki HTTPS Proxy

Create or update your NGINX site config:

server {
    listen 443 ssl;
    server_name loki.seamlessfintech.com;
 
    ssl_certificate     /etc/nginx/certs/loki.crt;
    ssl_certificate_key /etc/nginx/certs/loki.key;
 
    # πŸ” Allow only /loki/api/v1/push with basic auth
      location = /loki/api/v1/push {
        proxy_pass http://localhost:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
 
        auth_basic "Push Access Only";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
 
    # ✅ Allow /ready endpoint without auth
    location = /ready {
        proxy_pass http://localhost:3100/ready;
    }
 
    # 🚫 Deny all other routes
    location / {
        return 403;
    }
}

Variant: serving both HTTP and HTTPS

The config below adds an HTTP server block on :80 next to the HTTPS block. Keep in mind that Basic Auth credentials sent to the :80 block cross the network in cleartext, so restrict it to trusted networks or make it redirect to HTTPS.

# cat /etc/nginx/sites-available/loki-staging.seamlessfintech.com.conf 
########################################
# 1) HTTP block – listens on :80
########################################
server {
    listen 80;
    server_name loki-staging.seamlessfintech.com;
 
    # Allow only /loki/api/v1/push with Basic Auth
    location = /loki/api/v1/push {
        proxy_pass http://localhost:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
 
        auth_basic "Push Access Only";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
 
    # Expose /ready without auth
    location = /ready {
        proxy_pass http://localhost:3100/ready;
    }
 
    # Deny everything else
    location / {
        return 403;
    }
 
}
 
########################################
# 2) HTTPS block – listens on :443 (your original server)
########################################
server {
    listen 443 ssl http2;
    server_name loki.seamlessfintech.com;
 
    ssl_certificate     /etc/nginx/certs/loki.crt;
    ssl_certificate_key /etc/nginx/certs/loki.key;
 
    # Allow only /loki/api/v1/push with Basic Auth
    location = /loki/api/v1/push {
        proxy_pass http://localhost:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
 
        auth_basic "Push Access Only";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
 
    # Expose /ready without auth
    location = /ready {
        proxy_pass http://localhost:3100/ready;
    }
 
    # Deny everything else
    location / {
        return 403;
    }
}

πŸ” Step 5: Create Basic Auth User

sudo htpasswd -c /etc/nginx/.htpasswd pushuser
# Enter password: pushpassword

🌍 Step 6: Test the Endpoint (with --insecure for self-signed cert)

curl -v https://loki.seamlessfintech.com/ready --insecure

🏢 Step 7: Add Certificate to System Trust Store

This removes the "TLS verification failed" error, so OpenSSL-based clients on this host (curl included) trust the certificate without --insecure.

sudo cp loki.crt /usr/local/share/ca-certificates/loki.crt
sudo update-ca-certificates

Promtail configuration to use the certificate:

  • Use this if update-ca-certificates above does not work, or if you prefer to reference the certificate directly in the Promtail config file (loki.crt must then exist at the ca_file path on the Promtail host).
# Add this to the Promtail (agent) config so it can reach Loki over HTTPS
clients:
  - url: https://loki.seamlessfintech.com/loki/api/v1/push
    tls_config:
      ca_file: /etc/promtail/certs/loki.crt
      insecure_skip_verify: false
    basic_auth:
      username: pushuser
      password: pushpassword
  • After adding the above configuration to the Promtail config file, restart the Promtail service to apply the changes (Step 8).

🔄 Step 8: Restart Promtail to Apply Changes

sudo systemctl restart promtail

✅ Loki is now served over HTTPS with a self-signed certificate, and NGINX enforces access control: the push endpoint requires Basic Auth, /ready is open, and every other route is denied.
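To confirm the finished setup without resorting to --insecure, here is an added acceptance check (example code, not part of the original page): it trusts only loki.crt and verifies that NGINX answers 401 for an unauthenticated push, 200 for /ready, and 403 everywhere else. The hostname, paths and pushuser credentials come from the page; the loki.crt location used in the usage call is an assumption.

```python
# Added example, not from the original page: checks the finished Loki/NGINX setup while
# trusting only loki.crt (no --insecure). The loki.crt path in the usage call is an assumption.
import base64, ssl
import urllib.error, urllib.request
from urllib.parse import urlsplit

PUSH_PATH = "/loki/api/v1/push"   # nginx `location = ...` is an exact path match
READY_PATH = "/ready"

def basic_auth_header(user, password):
    """Authorization value for the Step 5 user, encoded the same way Promtail sends it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def policy_ok(path, authenticated, status):
    """True if `status` is what the Step 4 NGINX policy should yield. `location =`
    ignores the query string but not a trailing slash (/loki/api/v1/push/ -> 403)."""
    path = urlsplit(path).path
    if path == PUSH_PATH:
        # no credentials: NGINX itself answers 401; with them the request is proxied,
        # so anything but an NGINX auth rejection shows it reached Loki
        return status == 401 if not authenticated else status not in (401, 403)
    if path == READY_PATH:
        return status == 200
    return status == 403

def fetch_status(url, cafile, auth=None, method="GET", body=None):
    """One request with loki.crt as the only trust anchor; hostname checking stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method=method)
    if auth:
        req.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code   # 401/403 from NGINX land here

def run_checks(base, cafile, auth):
    """Exercise the interesting cases; each row is (path, authenticated, status, ok)."""
    cases = [(READY_PATH, False, "GET", None), ("/metrics", False, "GET", None),
             (PUSH_PATH + "/", False, "POST", b"{}"), (PUSH_PATH, False, "POST", b"{}"),
             (PUSH_PATH, True, "POST", b"{}")]
    rows = []
    for path, authed, method, body in cases:
        status = fetch_status(base + path, cafile, auth if authed else None, method, body)
        rows.append((path, authed, status, policy_ok(path, authed, status)))
    return rows

if __name__ == "__main__":   # run from the NGINX host; adjust the cafile path elsewhere
    hdr = basic_auth_header("pushuser", "pushpassword")
    for row in run_checks("https://loki.seamlessfintech.com", "/etc/nginx/certs/loki.crt", hdr):
        print(*row)
```

Every row should end in True; a False on the authenticated push row usually means the .htpasswd user or the ca_file does not match what NGINX serves.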
