Editorial Staff

Deploy full monitoring stack on debian vpsHere’s a comprehensive guide to deploy full monitoring stack on Debian VPS, including:

  • Prometheus – Metrics collection
  • Node Exporter – System metrics
  • Grafana – Visualization
  • Alertmanager – Alert notifications
  • Loki – Log aggregation
  • Promtail – Log shipping to Loki

Table of Contents

🎯 Goal

A production-ready observability stack for logs, metrics, dashboards, and alerts.
Launch 100% ssd debian vps from $2. 49/mo!

🚀 Deploy Full Monitoring Stack on Debian VPS

To deploy full monitoring stack on Debian VPS, follow the steps below:

  1. 📦 1. System Prep

    sudo apt update && sudo apt install -y curl wget unzip apt-transport-https software-properties-common

  2. 🔧 2. Install Prometheus

    Create user and folders:

    sudo useradd --no-create-home --shell /usr/sbin/nologin prometheus sudo mkdir /etc/prometheus /var/lib/prometheus

    Download & install:

    cd /tmp wget https://github.com/prometheus/prometheus/releases/download/v2.52.0/prometheus-2.52.0.linux-amd64.tar.gz tar -xzf prometheus-2.52.0.linux-amd64.tar.gz cd prometheus-2.52.0.linux-amd64 sudo cp prometheus promtool /usr/local/bin/ sudo cp -r consoles console_libraries /etc/prometheus/ sudo cp prometheus.yml /etc/prometheus/ sudo chown -R prometheus:prometheus /etc/prometheus /var/lib/prometheus /usr/local/bin/prometheus /usr/local/bin/promtool

    Create service:

    sudo nano /etc/systemd/system/prometheus.service
    [Unit] Description=Prometheus Wants=network-online.target After=network-online.target [Service] User=prometheus ExecStart=/usr/local/bin/prometheus \ --config.file=/etc/prometheus/prometheus.yml \ --storage.tsdb.path=/var/lib/prometheus \ --web.listen-address=:9090 [Install] WantedBy=multi-user.target
    sudo systemctl daemon-reexec sudo systemctl daemon-reload sudo systemctl enable --now prometheus

  3. 📊 3. Install Node Exporter

    See: 🚀 How to Install and Configure Node Exporter on Debian VPS

  4. 📺 4. Install Grafana (Visual Dashboards)

    See: 🚀 How to Install Grafana on Debian VPS and Connect to Node Exporter

  5. 🚨 5. Install Alertmanager

    Create user:

    sudo useradd --no-create-home --shell /usr/sbin/nologin alertmanager

    Download and install:

    cd /tmp wget https://github.com/prometheus/alertmanager/releases/download/v0.27.0/alertmanager-0.27.0.linux-amd64.tar.gz tar -xzf alertmanager-0.27.0.linux-amd64.tar.gz cd alertmanager-0.27.0.linux-amd64 sudo cp alertmanager amtool /usr/local/bin/ sudo mkdir /etc/alertmanager /var/lib/alertmanager sudo cp alertmanager.yml /etc/alertmanager/ sudo chown -R alertmanager:alertmanager /etc/alertmanager /var/lib/alertmanager

    Create systemd service:

    sudo nano /etc/systemd/system/alertmanager.service
    [Unit] Description=Alertmanager After=network.target [Service] User=alertmanager ExecStart=/usr/local/bin/alertmanager \ --config.file=/etc/alertmanager/alertmanager.yml \ --storage.path=/var/lib/alertmanager [Install] WantedBy=multi-user.target
    sudo systemctl daemon-reexec sudo systemctl daemon-reload sudo systemctl enable --now alertmanager

    To configure email/SMS/Slack alerts, edit /etc/alertmanager/alertmanager.yml

  6. 📚 6. Install Loki (Log Aggregation)

    cd /tmp wget https://github.com/grafana/loki/releases/download/v2.9.4/loki-linux-amd64.zip unzip loki-linux-amd64.zip chmod +x loki-linux-amd64 sudo mv loki-linux-amd64 /usr/local/bin/loki

    Default config:

    sudo nano /etc/loki-local-config.yaml

    Paste:

    auth_enabled: false server: http_listen_port: 3100 ingester: lifecycler: ring: kvstore: store: inmemory replication_factor: 1 chunk_idle_period: 5m chunk_retain_period: 30s schema_config: configs: - from: 2022-01-01 store: boltdb-shipper object_store: filesystem schema: v11 index: prefix: index_ period: 24h storage_config: boltdb_shipper: active_index_directory: /tmp/loki/index cache_location: /tmp/loki/cache shared_store: filesystem filesystem: directory: /tmp/loki/chunks limits_config: enforce_metric_name: false reject_old_samples: true reject_old_samples_max_age: 168h chunk_store_config: max_look_back_period: 0s table_manager: retention_deletes_enabled: true retention_period: 120h

    Create systemd service:

    sudo nano /etc/systemd/system/loki.service
    [Unit] Description=Loki Log Aggregator After=network.target [Service] ExecStart=/usr/local/bin/loki -config.file=/etc/loki-local-config.yaml Restart=always [Install] WantedBy=multi-user.target
    sudo systemctl daemon-reexec sudo systemctl daemon-reload sudo systemctl enable --now loki

  7. 📤 7. Install Promtail (Log Shipper for Loki)

    cd /tmp wget https://github.com/grafana/loki/releases/download/v2.9.4/promtail-linux-amd64.zip unzip promtail-linux-amd64.zip chmod +x promtail-linux-amd64 sudo mv promtail-linux-amd64 /usr/local/bin/promtail

    Promtail config:

    sudo nano /etc/promtail-local-config.yaml

    Paste:

    server: http_listen_port: 9080 grpc_listen_port: 0 positions: filename: /tmp/positions.yaml clients: - url: http://localhost:3100/loki/api/v1/push scrape_configs: - job_name: system static_configs: - targets: - localhost labels: job: varlogs __path__: /var/log/*.log

    Service file:

    sudo nano /etc/systemd/system/promtail.service
    [Unit] Description=Promtail Log Shipper After=network.target [Service] ExecStart=/usr/local/bin/promtail -config.file=/etc/promtail-local-config.yaml Restart=always [Install] WantedBy=multi-user.target
    sudo systemctl daemon-reexec sudo systemctl daemon-reload sudo systemctl enable --now promtail

  8. 📈 8. Connect Everything in Grafana

    Data Sources:

    • Go to Grafana > Settings > Data Sources
    • Add:
    • Prometheus: http://localhost:9090
    • Loki: http://localhost:3100

    Dashboards:

    • Node Exporter: Import dashboard ID 1860
    • Loki Logs: Use built-in “Logs” panel or import dashboard ID 13633

✅ You Now Have a Full Observability Stack

Component Purpose Port
Prometheus Metrics collection 9090
Node Exporter System metrics 9100
Grafana Dashboards 3000
Alertmanager Alert delivery 9093
Loki Log storage 3100
Promtail Log shipper to Loki

🔐 Secure Full Monitoring Stack with HTTPS + Basic Auth

Here’s how to secure each component of your monitoring stack (Prometheus, Grafana, Loki, Alertmanager, Node Exporter) behind HTTPS and Basic Authentication using NGINX reverse proxy + Let’s Encrypt TLS + htpasswd on a Debian VPS.

📦 Tools We’ll Use

  • NGINX: Reverse proxy for TLS and auth
  • Certbot: Free Let’s Encrypt SSL
  • htpasswd: Apache tool for basic auth
  • Separate subdomains for each service:
  • grafana.example.com
  • prometheus.example.com
  • loki.example.com
  • alertmanager.example.com
  • metrics.example.com (Node Exporter)

To secure full monitoring stack with HTTPS + Basic Auth, follow the steps below:

  1. ✅ Install NGINX and Certbot

    sudo apt update sudo apt install nginx certbot python3-certbot-nginx apache2-utils -y

  2. 🧪 Create Basic Auth Credentials

    sudo htpasswd -c /etc/nginx/.htpasswd yourusername

    Replace yourusername with desired username. You’ll be prompted for a password.

  3. 🌍 Setup NGINX Reverse Proxies

    For each service, create a file in /etc/nginx/sites-available/:

    🔧 Example: Grafana Reverse Proxy

    sudo nano /etc/nginx/sites-available/grafana

    server {
listen 80;
server_name grafana.example.com;
location / {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}

    Link and test:

    sudo ln -s /etc/nginx/sites-available/grafana /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

    Repeat for each service by changing:

    • server_name
    • proxy_pass (port)
    ⚡ Prometheus
    • server_name prometheus.example.com
    • proxy_pass http://localhost:9090
    ⚡ Alertmanager
    • server_name alertmanager.example.com
    • proxy_pass http://localhost:9093
    ⚡ Loki
    • server_name loki.example.com
    • proxy_pass http://localhost:3100
    ⚡ Node Exporter
    • server_name metrics.example.com
    • proxy_pass http://localhost:9100

  4. 🔒 Enable HTTPS with Certbot

    Run this for each domain:

    sudo certbot --nginx -d grafana.example.com sudo certbot --nginx -d prometheus.example.com sudo certbot --nginx -d alertmanager.example.com sudo certbot --nginx -d loki.example.com sudo certbot --nginx -d metrics.example.com

    Choose redirect to enforce HTTPS.

  5. 🔄 Test Everything

    1. Visit https://grafana.example.com → You should see a login prompt
    2. Enter credentials set with htpasswd
    3. Access should be proxied securely to Grafana

    Repeat for each secured domain.

  6. 🔁 Auto-Renew SSL

    Certbot auto-creates a systemd timer, but verify:

    sudo systemctl list-timers | grep certbot sudo certbot renew --dry-run

✅ Summary

Service Subdomain Local Port HTTPS Proxy Port
Grafana grafana.example.com 3000 443 via NGINX
Prometheus prometheus.example.com 9090 443
Alertmanager alertmanager.example.com 9093 443
Loki loki.example.com 3100 443
Node Exporter metrics.example.com 9100 443

Each is now:

  • 🔒 Protected by HTTPS
  • 🧱 Restricted with Basic Auth

Launch 100% ssd debian vps from $2. 49/mo!

Conclusion

You now know how to deploy full monitoring stack on Debian VPS and secure full monitoring stack with HTTPS + Basic Auth!

Related:

Avatar of editorial staff

Editorial Staff

Rad Web Hosting is a leading provider of web hosting, Cloud VPS, and Dedicated Servers in Dallas, TX.
lg