Loki uses JWT (JSON Web Tokens) for authentication.
To generate a signing key for JWT, you can use the following command:
openssl genrsa -out certs/jwt/private.key 4096To generate the public key from the private key, use:
openssl rsa -in certs/jwt/private.key -pubout -out certs/jwt/public.keyFor mTLS (mutual TLS), both the server and client need certificates. The process involves:
- Creating a Certificate Authority (CA)
- Creating server certificates signed by the CA
- Creating client certificates signed by the CA
Generate a private key for your CA
openssl genrsa -out certs/ca.key 4096
openssl req -new -x509 -key certs/ca.key -sha256 -subj '/CN=Loki CA' -out certs/ca.pem -days 3650openssl genrsa -out certs/server.key 4096openssl req -new -key certs/server.key -out certs/server.csr -config <(
cat <<-EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = loki-backend
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = backend
IP.1 = 127.0.0.1
IP.2 = 0.0.0.0
EOF
)openssl x509 -req -in certs/server.csr -CA certs/ca.pem -CAkey certs/ca.key -CAcreateserial -out certs/server.pem -days 825 -sha256 -extfile <(
cat <<-EOF
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = backend
IP.1 = 127.0.0.1
IP.2 = 0.0.0.0
EOF
)Generate client private key
openssl genrsa -out certs/client.key 4096openssl req -new -key certs/client.key -out certs/client.csr -config <(
cat <<-EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = loki-backoffice
EOF
)openssl x509 -req -in certs/client.csr -CA certs/ca.pem -CAkey certs/ca.key -CAcreateserial -out certs/client.pem -days 825 -sha256openssl verify -CAfile certs/ca.pem certs/server.pemopenssl verify -CAfile certs/ca.pem certs/client.pem