grafana · fgouteroux · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025 · Jul 31, 2025
@@ -55,6 +55,8 @@ Main (unreleased)
 
 - Set the publisher name in the Windows installer to "Grafana Labs". (@martincostello)
 
+- Add support of `tls` in components `loki.source.(awsfirehose|gcplog|heroku|api)` and `prometheus.receive_http` and `pyroscope.receive_http`. (@fgouteroux)
+
 ### Bugfixes
 
 - Fix issues with propagating cluster peers change notifications to components configured with remotecfg. (@dehaansa)

@@ -36,10 +36,10 @@ The component starts an HTTP server on the configured port and address with the
 
 * `/loki/api/v1/push` - accepting `POST` requests compatible with [Loki push API][loki-push-api], for example, from another {{< param "PRODUCT_NAME" >}}'s [`loki.write`][loki.write] component.
 * `/loki/api/v1/raw` - accepting `POST` requests with newline-delimited log lines in body.
-   This can be used to send NDJSON or plain text logs.
-   This is compatible with the Promtail push API endpoint.
-   Refer to the [Promtail documentation][promtail-push-api] for more information.
-   When this endpoint is used, the incoming timestamps can't be used and the `use_incoming_timestamp = true` setting is ignored.
+  This can be used to send NDJSON or plain text logs.
+  This is compatible with the Promtail push API endpoint.
+  Refer to the [Promtail documentation][promtail-push-api] for more information.
+  When this endpoint is used, the incoming timestamps can't be used and the `use_incoming_timestamp = true` setting is ignored.
 * `/ready` - accepting `GET` requests. Can be used to confirm the server is reachable and healthy.
 * `/api/v1/push` - internally reroutes to `/loki/api/v1/push`.
 * `/api/v1/raw` - internally reroutes to `/loki/api/v1/raw`.
@@ -51,7 +51,7 @@ The component starts an HTTP server on the configured port and address with the
 You can use the following arguments with `loki.source.api`:
 
 | Name                     | Type                 | Description                                             | Default    | Required |
-|--------------------------|----------------------|---------------------------------------------------------|------------|----------|
+| ------------------------ | -------------------- | ------------------------------------------------------- | ---------- | -------- |
 | `forward_to`             | `list(LogsReceiver)` | List of receivers to send log entries to.               |            | yes      |
 | `labels`                 | `map(string)`        | The labels to associate with each received logs record. | `{}`       | no       |
 | `relabel_rules`          | `RelabelRules`       | Relabeling rules to apply on log entries.               | `{}`       | no       |
@@ -66,15 +66,26 @@ The `relabel_rules` field can make use of the `rules` export value from a [`loki
 
 You can use the following block with `loki.source.api`:
 
-| Name           | Description                                        | Required |
-| -------------- | -------------------------------------------------- | -------- |
-| [`http`][http] | Configures the HTTP server that receives requests. | no       |
+| Name                  | Description                                        | Required |
+| --------------------- | -------------------------------------------------- | -------- |
+| [`http`][http]        | Configures the HTTP server that receives requests. | no       |
+| `http` > [`tls`][tls] | Configures TLS for the HTTP server.                | no       |
+
+The > symbol indicates deeper levels of nesting.
+For example, `http` > `tls` refers to a `tls` block defined inside an `http` block.
 
 [http]: #http
+[tls]: #tls
 
 ### `http`
 
-{{< docs/shared lookup="reference/components/loki-server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+{{< docs/shared lookup="reference/components/server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls`
+
+The `tls` block configures TLS for the HTTP server.
+
+{{< docs/shared lookup="reference/components/server-tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ## Exported fields
 
@@ -132,7 +143,7 @@ Replace the following:
 
 ### Technical details
 
-`loki.source.api` filters out all labels that start with `__`, for example,  `__tenant_id__`.
+`loki.source.api` filters out all labels that start with `__`, for example, `__tenant_id__`.
 
 If you need to be able to set the tenant ID, you must either make sure the `X-Scope-OrgID` header is present or use the [`loki.process`][loki.process] component.
 
@@ -146,7 +157,6 @@ If you need to be able to set the tenant ID, you must either make sure the `X-Sc
 
 - Components that export [Loki `LogsReceiver`](../../../compatibility/#loki-logsreceiver-exporters)
 
-
 {{< admonition type="note" >}}
 Connecting some components may not be sensible or components may require further configuration to make the connection work correctly.
 Refer to the linked documentation for more details.

@@ -103,21 +103,33 @@ The `relabel_rules` field can make use of the `rules` export value from a [`loki
 
 You can use the following blocks with `loki.source.awsfirehose`:
 
-| Name           | Description                                        | Required |
-|----------------|----------------------------------------------------|----------|
-| [`grpc`][grpc] | Configures the gRPC server that receives requests. | no       |
-| [`http`][http] | Configures the HTTP server that receives requests. | no       |
+| Name                  | Description                                        | Required |
+| --------------------- | -------------------------------------------------- | -------- |
+| [`grpc`][grpc]        | Configures the gRPC server that receives requests. | no       |
+| `gprc` > [`tls`][tls] | Configures TLS for the gRPC server.                | no       |
+| [`http`][http]        | Configures the HTTP server that receives requests. | no       |
+| `http` > [`tls`][tls] | Configures TLS for the HTTP server.                | no       |
+
+The > symbol indicates deeper levels of nesting.
+For example, `http` > `tls` refers to a `tls` block defined inside an `http` block.
 
 [http]: #http
 [grpc]: #grpc
+[tls]: #tls
 
 ### `grpc`
 
 {{< docs/shared lookup="reference/components/loki-server-grpc.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ### `http`
 
-{{< docs/shared lookup="reference/components/loki-server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+{{< docs/shared lookup="reference/components/server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls`
+
+The `tls` block configures TLS for the HTTP and GRPC servers.
+
+{{< docs/shared lookup="reference/components/server-tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ## Exported fields
 
@@ -132,7 +144,7 @@ You can use the following blocks with `loki.source.awsfirehose`:
 The following are some of the metrics that are exposed when this component is used.
 
 {{< admonition type="note" >}}
-The metrics include labels  such as `status_code` where relevant, which you can use to measure request success rates.
+The metrics include labels such as `status_code` where relevant, which you can use to measure request success rates.
 {{< /admonition >}}
 
 * `loki_source_awsfirehose_batch_size` (histogram): Size (in units) of the number of records received per request.
@@ -227,7 +239,6 @@ Replace the following:
 
 - Components that export [Loki `LogsReceiver`](../../../compatibility/#loki-logsreceiver-exporters)
 
-
 {{< admonition type="note" >}}
 Connecting some components may not be sensible or components may require further configuration to make the connection work correctly.
 Refer to the linked documentation for more details.

@@ -44,12 +44,14 @@ You can use the following arguments with `loki.source.gcplog`:
 
 You can use the following blocks with `loki.source.gcplog`:
 
-| Name                    | Description                                                                   | Required |
-| ----------------------- | ----------------------------------------------------------------------------- | -------- |
-| [`pull`][pull]          | Configures a target to pull logs from a GCP Pub/Sub subscription.             | no       |
-| [`push`][push]          | Configures a server to receive logs as GCP Pub/Sub push requests.             | no       |
-| `push` > [`grpc`][grpc] | Configures the gRPC server that receives requests when using the `push` mode. | no       |
-| `push` > [`http`][http] | Configures the HTTP server that receives requests when using the `push` mode. | no       |
+| Name                           | Description                                                                   | Required |
+| ------------------------------ | ----------------------------------------------------------------------------- | -------- |
+| [`pull`][pull]                 | Configures a target to pull logs from a GCP Pub/Sub subscription.             | no       |
+| [`push`][push]                 | Configures a server to receive logs as GCP Pub/Sub push requests.             | no       |
+| `push` > [`grpc`][grpc]        | Configures the gRPC server that receives requests when using the `push` mode. | no       |
+| `push` > `gprc` > [`tls`][tls] | Configures TLS for the gRPC server.                                           | no       |
+| `push` > [`http`][http]        | Configures the HTTP server that receives requests when using the `push` mode. | no       |
+| `push` > `http` > [`tls`][tls] | Configures TLS for the HTTP server.                                           | no       |
 
 The > symbol indicates deeper levels of nesting.
 For example, `push` > `grpc` refers to a `grpc` block defined inside a `push` block.
@@ -62,6 +64,7 @@ The `http` and `grpc` block are just used when the `push` block is configured.
 [http]: #http
 [pull]: #pull
 [push]: #push
+[tls]: #tls
 
 ### `pull`
 
@@ -110,7 +113,13 @@ The `labels` map is applied to every entry that passes through the component.
 
 ### `http`
 
-{{< docs/shared lookup="reference/components/loki-server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+{{< docs/shared lookup="reference/components/server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls`
+
+The `tls` block configures TLS for the HTTP and GRPC servers.
+
+{{< docs/shared lookup="reference/components/server-tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ## Exported fields
 
@@ -187,7 +196,6 @@ loki.write "local" {
 
 - Components that export [Loki `LogsReceiver`](../../../compatibility/#loki-logsreceiver-exporters)
 
-
 {{< admonition type="note" >}}
 Connecting some components may not be sensible or components may require further configuration to make the connection work correctly.
 Refer to the linked documentation for more details.

@@ -55,21 +55,33 @@ The `relabel_rules` field can make use of the `rules` export value from a `loki.
 
 You can use the following blocks with `loki.source.heroku`:
 
-| Name           | Description                                        | Required |
-| -------------- | -------------------------------------------------- | -------- |
-| [`grpc`][grpc] | Configures the gRPC server that receives requests. | no       |
-| [`http`][http] | Configures the HTTP server that receives requests. | no       |
+| Name                  | Description                                        | Required |
+| --------------------- | -------------------------------------------------- | -------- |
+| [`grpc`][grpc]        | Configures the gRPC server that receives requests. | no       |
+| `gprc` > [`tls`][tls] | Configures TLS for the gRPC server.                | no       |
+| [`http`][http]        | Configures the HTTP server that receives requests. | no       |
+| `http` > [`tls`][tls] | Configures TLS for the HTTP server.                | no       |
+
+The > symbol indicates deeper levels of nesting.
+For example, `http` > `tls` refers to a `tls` block defined inside an `http` block.
 
 [http]: #http
 [grpc]: #grpc
+[tls]: #tls
 
 ### `grpc`
 
 {{< docs/shared lookup="reference/components/loki-server-grpc.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ### `http`
 
-{{< docs/shared lookup="reference/components/loki-server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+{{< docs/shared lookup="reference/components/server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls`
+
+The `tls` block configures TLS for the HTTP and GRPC servers.
+
+{{< docs/shared lookup="reference/components/server-tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ## Labels
 
@@ -153,7 +165,6 @@ loki.write "local" {
 
 - Components that export [Loki `LogsReceiver`](../../../compatibility/#loki-logsreceiver-exporters)
 
-
 {{< admonition type="note" >}}
 Connecting some components may not be sensible or components may require further configuration to make the connection work correctly.
 Refer to the linked documentation for more details.

@@ -50,15 +50,26 @@ You can use the following argument with `prometheus.receive_http`:
 
 You can use the following block with `prometheus.receive_http`:
 
-| Name           | Description                                        | Required |
-| -------------- | -------------------------------------------------- | -------- |
-| [`http`][http] | Configures the HTTP server that receives requests. | no       |
+| Name                  | Description                                        | Required |
+| --------------------- | -------------------------------------------------- | -------- |
+| [`http`][http]        | Configures the HTTP server that receives requests. | no       |
+| `http` > [`tls`][tls] | Configures TLS for the HTTP server.                | no       |
+
+The > symbol indicates deeper levels of nesting.
+For example, `http` > `tls` refers to a `tls` block defined inside an `http` block.
 
 [http]: #http
+[tls]: #tls
 
 ### `http`
 
-{{< docs/shared lookup="reference/components/loki-server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+{{< docs/shared lookup="reference/components/server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls`
+
+The `tls` block configures TLS for the HTTP server.
+
+{{< docs/shared lookup="reference/components/server-tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ## Exported fields
 
@@ -134,7 +145,7 @@ prometheus.remote_write "local" {
 
 ## Technical details
 
-`prometheus.receive_http` uses [snappy](https://en.wikipedia.org/wiki/Snappy_(compression)) for compression.
+`prometheus.receive_http` uses [snappy](<https://en.wikipedia.org/wiki/Snappy_(compression)>) for compression.
 
 <!-- START GENERATED COMPATIBLE COMPONENTS -->
 
@@ -144,7 +155,6 @@ prometheus.remote_write "local" {
 
 - Components that export [Prometheus `MetricsReceiver`](../../../compatibility/#prometheus-metricsreceiver-exporters)
 
-
 {{< admonition type="note" >}}
 Connecting some components may not be sensible or components may require further configuration to make the connection work correctly.
 Refer to the linked documentation for more details.

@@ -46,26 +46,26 @@ You can use the following argument with `pyroscope.receive_http`:
 
 You can use the following block with `pyroscope.receive_http`:
 
-| Name           | Description                                        | Required |
-| -------------- | -------------------------------------------------- | -------- |
-| [`http`][http] | Configures the HTTP server that receives requests. | no       |
+| Name                  | Description                                        | Required |
+| --------------------- | -------------------------------------------------- | -------- |
+| [`http`][http]        | Configures the HTTP server that receives requests. | no       |
+| `http` > [`tls`][tls] | Configures TLS for the HTTP server.                | no       |
+
+The > symbol indicates deeper levels of nesting.
+For example, `http` > `tls` refers to a `tls` block defined inside an `http` block.
 
 [http]: #http
+[tls]: #tls
 
 ### `http`
 
-The `http` block configures the HTTP server.
+{{< docs/shared lookup="reference/components/server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls`
 
-You can use the following arguments to configure the `http` block. Any omitted fields take their default values.
+The `tls` block configures TLS for the HTTP server.
 
-| Name                   | Type       | Description                                                                                                      | Default  | Required |
-| ---------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------- | -------- | -------- |
-| `conn_limit`           | `int`      | Maximum number of simultaneous HTTP connections. Defaults to 100.                                                | `0`      | no       |
-| `listen_address`       | `string`   | Network address on which the server listens for new connections. Defaults to accepting all incoming connections. | `""`     | no       |
-| `listen_port`          | `int`      | Port number on which the server listens for new connections.                                                     | `8080`   | no       |
-| `server_idle_timeout`  | `duration` | Idle timeout for the HTTP server.                                                                                | `"120s"` | no       |
-| `server_read_timeout`  | `duration` | Read timeout for the HTTP server.                                                                                | `"30s"`  | no       |
-| `server_write_timeout` | `duration` | Write timeout for the HTTP server.                                                                               | `"30s"`  | no       |
+{{< docs/shared lookup="reference/components/server-tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
 ## Exported fields
 
@@ -121,7 +121,6 @@ This flexibility allows you to design a setup that best fits your infrastructure
 
 - Components that export [Pyroscope `ProfilesReceiver`](../../../compatibility/#pyroscope-profilesreceiver-exporters)
 
-
 {{< admonition type="note" >}}
 Connecting some components may not be sensible or components may require further configuration to make the connection work correctly.
 Refer to the linked documentation for more details.

@@ -1,6 +1,6 @@
 ---
-canonical: https://grafana.com/docs/alloy/latest/shared/reference/components/loki-server-http/
-description: Shared content, loki server http
+canonical: https://grafana.com/docs/alloy/latest/shared/reference/components/server-http/
+description: Shared content, server http
 headless: true
 ---
 

@@ -0,0 +1,22 @@
+---
+canonical: https://grafana.com/docs/alloy/latest/shared/reference/components/server-tls-config-block/
+description: Shared content, tls config block
+headless: true
+---
+
+| Name               | Type     | Description                                                      | Default          | Required |
+| ------------------ | -------- | ---------------------------------------------------------------- | ---------------- | -------- |
+| `cert_pem`         | `string` | PEM data of the server TLS certificate.                          | `""`             | no       |
+| `cert_file`        | `string` | Path to the server TLS certificate on disk.                      | `""`             | no       |
+| `key_file`         | `string` | Path to the server TLS key on disk.                              | `""`             | no       |
+| `key_pem`          | `secret` | PEM data of the server TLS key.                                  | `""`             | no       |
+| `client_auth_type` | `string` | Client authentication to use.                                    | `"NoClientCert"` | no       |
+| `client_ca_file`   | `string` | Path to the client CA file on disk to validate requests against. | `""`             | no       |
+| `client_ca_pem`    | `string` | PEM data of the client CA to validate requests against.          | `""`             | no       |
+
+The following pairs of arguments are mutually exclusive and can't both be set simultaneously:
+
+* `cert_pem` and `cert_file`
+* `key_pem` and `key_file`
+
+When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.