Menu
Open source
Authentication
Grafana Loki does not come with any included authentication layer. Operators are expected to run an authenticating reverse proxy in front of your services.
The simple scalable deployment mode requires a reverse proxy to be deployed in front of Loki, to direct client API requests to either the read or write nodes. The Loki Helm chart includes a default reverse proxy configuration, using Nginx.
A list of open-source reverse proxies you can use:
- Pomerium, which has a guide for securing Grafana
- NGINX using their guide on restricting access with HTTP basic authentication
- OAuth2 proxy
- HAProxy
Note
When using Loki in multi-tenant mode, Loki requires the HTTP headerX-Scope-OrgID
to be set to a string identifying the tenant; the responsibility of populating this value should be handled by the authenticating reverse proxy. For more information, read the multi-tenancy documentation.
For information on authenticating Promtail, see the documentation for how to configure Promtail.
Was this page helpful?
Related resources from Grafana Labs
Additional helpful documentation, links, and articles:
60 min
Getting started with logging and Grafana Loki
See a demo of the updated features in Loki, and how to create metrics from logs and alert on your logs with powerful Prometheus-style alerting rules.
Video
Essential Grafana Loki configuration settings
This webinar focuses on Grafana Loki configuration including agents Promtail and Docker; the Loki server; and Loki storage for popular backends.
Video
Scaling and securing your logs with Grafana Loki
This webinar covers the challenges of scaling and securing logs, and how Grafana Enterprise Logs powered by Grafana Loki can help, cost-effectively.