
Secure Loki with Nginx Reverse Proxy and Self-Signed Certificates

Overview

This guide explains how to configure Nginx as a reverse proxy for Loki with HTTPS using self-signed SSL certificates.

1. Generate Self-Signed Certificates

Create a Certificate Authority (CA)

openssl genrsa -out loki-ca.key 2048
openssl req -x509 -new -nodes -key loki-ca.key -sha256 -days 365 -out loki-ca.crt -subj "/CN=Loki-CA"

Create Loki's SSL Certificate

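openssl genrsa -out loki.key 2048
openssl req -new -key loki.key -out loki.csr -subj "/CN=loki.local"
# Promtail (a Go client) matches the hostname against subjectAltName, not the CN, so the certificate needs a SAN
printf "subjectAltName=DNS:loki.local\n" > loki.ext
openssl x509 -req -in loki.csr -CA loki-ca.crt -CAkey loki-ca.key -CAcreateserial -out loki.crt -days 365 -sha256 -extfile loki.ext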

Move Certificates to Nginx Directory

mkdir -p /etc/nginx/certs
mv loki.crt loki.key /etc/nginx/certs/

2. Configure Nginx as Reverse Proxy

Create a new Nginx configuration file for Loki:

nano /etc/nginx/conf.d/loki.conf

Add the following content:

server {
    listen 443 ssl;
    server_name loki.local;
 
    ssl_certificate /etc/nginx/certs/loki.crt;
    ssl_certificate_key /etc/nginx/certs/loki.key;
 
    location / {
        proxy_pass http://localhost:3100/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
 
server {
    listen 80;
    server_name loki.local;
    return 301 https://$host$request_uri;
}

Restart Nginx

systemctl restart nginx

3. Configure Promtail to Send Logs Over HTTPS

Edit Promtail configuration (/etc/promtail/promtail-config.yml):

server:
  http_listen_port: 9080
 
clients:
  - url: "https://loki.local/loki/api/v1/push"
    tls_config:
      ca_file: /etc/promtail/certs/loki-ca.crt
      insecure_skip_verify: false

Move CA Certificate to Promtail

mkdir -p /etc/promtail/certs
mv loki-ca.crt /etc/promtail/certs/

Restart Promtail

systemctl restart promtail

4. Verify HTTPS Connection

Run:

curl -v --cacert /etc/promtail/certs/loki-ca.crt https://loki.local/ready

If successful, you should see:

HTTP/1.1 200 OK

5. Troubleshooting

  • Check Nginx logs:
    journalctl -u nginx -f
  • Check Promtail logs:
    journalctl -u promtail -f
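  • If certificate issues occur, set insecure_skip_verify: true in Promtail temporarily to confirm that certificate validation is the cause. This turns off verification of the server certificate, so set it back to false once the certificate is fixed.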
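
Certificate problems can usually be diagnosed from the certificate files themselves, with verification left on. The script below is an added example, not part of the original guide: `check_loki_cert` and `make_sample_certs` are hypothetical helper names, and it assumes the `openssl` CLI is installed. It checks that a server certificate chains to the CA, lists the hostname as a subjectAltName, and is not close to expiry.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight check for the
# certificate Nginx serves for Loki. Function names are hypothetical.
# Usage: check_loki_cert <server.crt> <ca.crt> <hostname> [min_days_left]
check_loki_cert() {
    cert=$1; ca=$2; host=$3; min_days=${4:-30}; rc=0

    # 1. The certificate must chain to the CA that Promtail trusts (ca_file).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 2. The hostname must appear as a DNS subjectAltName; Go clients such as
    #    Promtail do not fall back to the CN. Wildcard SANs are not handled.
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n')
    if ! printf '%s\n' "$sans" | grep -Fxq "DNS:$host"; then
        echo "FAIL: no subjectAltName DNS:$host in $cert"; rc=1
    fi

    # 3. The certificate must stay valid for at least min_days more days.
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert is usable for https://$host"
    return "$rc"
}

# Constructed sample input: a throwaway CA plus a CN-only and a SAN
# certificate for loki.local, written into the directory given as $1.
make_sample_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -days 365 -subj "/CN=Loki-CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=loki.local" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$d/cn-only.crt" 2>/dev/null
    printf 'subjectAltName=DNS:loki.local\n' > "$d/san.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/san.ext" \
        -out "$d/san.crt" 2>/dev/null
}
```

With the files from this guide, the call is check_loki_cert /etc/nginx/certs/loki.crt /etc/promtail/certs/loki-ca.crt loki.local.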

Conclusion

You have now successfully secured Loki with Nginx using HTTPS and self-signed certificates. 🚀

