Grafana Loki
-
@doodlemania2 I have several servers that need to push logs to loki so it must be exposed to the internet and I wanted it to be secure. Protecting it with cloudron auth would make it so that loki could be exposed and not have to worry about someone fetching all my logs using loki's API
-
How do servers send their logs to Loki? With a token? Wouldn't putting basic auth affect the API?
-
@girish Well, the most used setup with Loki is using it with promtail. Promtail resides in your agents and it pushes the logs to loki. Grafana then fetches the logs from loki. It's my understanding that both promtail and grafana support basic auth when interacting with loki
-
@TomsFreitas yeah, i think that's right - I've never done it because it's always just been me pushing to it from a tailscale endpoint but I can see the value there.
@girish - I think the best approach would be to leave it open (but behind SSL) and let Loki handle the auth.
No?
-
@doodlemania2 agree, but apparently loki doesn't have any auth of it's own - https://grafana.com/docs/loki/latest/operations/authentication/ . I guess this is why @TomsFreitas wants Cloudron to provide the auth.
-
rats - I thought it would. Putting CR auth in front of Loki may be problematic - how would a payload or client that is pushing data to loki know that it's cloudron asking and not loki. if loki has no knowledge of auth, the inverse is problematic too.
-
Not sure what the status of https://git.cloudron.io/doodlemania2/loki is . @doodlemania2 any update?
I haven't used Loki myself but is it actually a web app?
-
It's not - it's really just an endpoint. I have used it as is for many moons and is rock solid. That said, it definitely needs an update. One of the challenges I faced is there's a LOT of changes under the covers, so I've stayed with this older version and it serves me well.