Demonstration of how to more securely deploy Grafana Loki by using Caddy as a reverse proxy with support for TLS and Basic Authentication, all via Docker Compose.
Loki does not include support for authentication, and enabling TLS is an undocumented feature. Putting Caddy in front of Loki as a reverse proxy addresses both shortcomings.
- Generate a server key and certificate for your machine.
- Run the following in a terminal:

  ```
  docker run -it caddy sh
  ```
- A command prompt (shell in Docker) will appear. Enter `caddy hash-password` and provide a password for Loki, then copy the resulting hashed password and exit the Docker shell. You will use this hashed password to populate the environment variable `LOKI_PASSWORD`.
- Create a file `.env` which will contain environment variables that Docker will use. In this example, the hashed password is for the value "admin". You can read more information about `.env` files for Docker at https://docs.docker.com/compose/environment-variables

  ```
  SERVER=mycomputername
  SERVER_KEY=mycomputername.key.pem
  SERVER_CERT=mycomputername.cert.pem
  LOKI_USER=admin
  LOKI_PASSWORD=JDJhJDE0JFNrLkt5bjAxSGVTL2tUS2FYLldTak9Vc2ZYQ2YwMWd5d0dnWTdnanFFQmliVko0VGZyLjMu
  ```
- Launch the Docker containers via Docker Compose:

  ```
  docker-compose up -d
  ```

  (to stop, do `docker-compose down`).
- To verify, navigate to https://mycomputername:8443/loki/api/v1/query. A dialog should appear asking you for a username and password.
- To enable Grafana to use this more secured deployment of Loki, you will need to include Basic Authentication in the Loki datasource settings, as well as remember to include `https` in the URL.
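
A pre-deployment check for the `.env` file described above, as an added example that is not part of the original project: it confirms the five variables are set and that `LOKI_PASSWORD` holds a bcrypt hash rather than a plaintext password. The sample value on this page is a base64-wrapped bcrypt hash (it decodes to a string starting `$2a$14$`), so the check accepts both the wrapped and the raw form. The function names and the minimum cost of 10 are assumptions.

```python
import base64
import binascii
import re

# bcrypt modular-crypt string: version, two-digit cost, 53 chars of salt+digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
REQUIRED = ("SERVER", "SERVER_KEY", "SERVER_CERT", "LOKI_USER", "LOKI_PASSWORD")
MIN_COST = 10  # assumption: lowest bcrypt work factor this check accepts
# Sample input: the .env values shown on this page.
PAGE_ENV = """SERVER=mycomputername
SERVER_KEY=mycomputername.key.pem
SERVER_CERT=mycomputername.cert.pem
LOKI_USER=admin
LOKI_PASSWORD=JDJhJDE0JFNrLkt5bjAxSGVTL2tUS2FYLldTak9Vc2ZYQ2YwMWd5d0dnWTdnanFFQmliVko0VGZyLjMu
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def bcrypt_cost(value):
    """Return the cost of a raw or base64-wrapped bcrypt hash, else None."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("ascii"))
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64 text, so only the raw form is tested
    for candidate in candidates:
        match = BCRYPT_RE.match(candidate)
        if match:
            return int(match.group(1))
    return None

def audit_env(text):
    """Return a list of findings; an empty list means the file passes."""
    env = parse_env(text)
    findings = [f"{key} is missing or empty" for key in REQUIRED if not env.get(key)]
    cost = bcrypt_cost(env.get("LOKI_PASSWORD", ""))
    if env.get("LOKI_PASSWORD") and cost is None:
        findings.append("LOKI_PASSWORD is not a bcrypt hash (plaintext?)")
    elif cost is not None and cost < MIN_COST:
        findings.append(f"LOKI_PASSWORD bcrypt cost {cost} is below {MIN_COST}")
    return findings
```

Call `audit_env(open(".env").read())` before `docker-compose up -d`; any returned finding should block the deployment.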