diff --git a/README.md b/README.md
index 5703f7291a55..beb7d7ee64ac 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ Your feedback is always welcome.
 - Callum Styan's March 2019 DevOpsDays Vancouver talk "[Grafana Loki: Log Aggregation for Incident Investigations][devopsdays19-talk]".
 - Grafana Labs blog post "[How We Designed Loki to Work Easily Both as Microservices and as Monoliths][architecture-blog]".
 - Julien Garcia Gonzalez' March 2019 blog post "[Grafana Logging using Loki][giant-swarm-blog]".
-- Tom Wilkie's early-2019 CNCF Paris/FODEM talk "[Grafana Loki: like Prometheus, but for logs][fosdem19-talk]" ([slides][fosdem19-slides], [video][fosdem19-video]).
+- Tom Wilkie's early-2019 CNCF Paris/FOSDEM talk "[Grafana Loki: like Prometheus, but for logs][fosdem19-talk]" ([slides][fosdem19-slides], [video][fosdem19-video]).
 - David Kaltschmidt's KubeCon 2018 talk "[On the OSS Path to Full Observability with Grafana][kccna18-event]" ([slides][kccna18-slides], [video][kccna18-video]) on how Loki fits into a cloud-native environment.
 - Goutham Veeramachaneni's blog post "[Loki: Prometheus-inspired, open source logging for cloud natives](https://grafana.com/blog/2018/12/12/loki-prometheus-inspired-open-source-logging-for-cloud-natives/)" on details of the Loki architectire.
 - David Kaltschmidt's blog post "[Closer look at Grafana's user interface for Loki](https://grafana.com/blog/2019/01/02/closer-look-at-grafanas-user-interface-for-loki/)" on the ideas that went into the logging user interface.
diff --git a/cmd/logcli/client.go b/cmd/logcli/client.go
index 9e31353ee69b..59b5754f914b 100644
--- a/cmd/logcli/client.go
+++ b/cmd/logcli/client.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/gorilla/websocket"
+	"github.com/prometheus/common/config"
 
 	"github.com/grafana/loki/pkg/logproto"
 )
@@ -60,9 +61,25 @@ func doRequest(path string, out interface{}) error {
 	if err != nil {
 		return err
 	}
+
 	req.SetBasicAuth(*username, *password)
 
-	resp, err := http.DefaultClient.Do(req)
+	clientConfig := config.HTTPClientConfig{
+		TLSConfig: config.TLSConfig{
+			CAFile:             *tlsCACertPath,
+			CertFile:           *tlsClientCertPath,
+			KeyFile:            *tlsClientCertKeyPath,
+			ServerName:         url,
+			InsecureSkipVerify: *tlsSkipVerify,
+		},
+	}
+
+	client, err := config.NewClientFromConfig(clientConfig, "logcli")
+	if err != nil {
+		return err
+	}
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}
@@ -86,6 +103,18 @@ func liveTailQueryConn() (*websocket.Conn, error) {
 }
 
 func wsConnect(path string) (*websocket.Conn, error) {
+
+	tlsConfig, err := config.NewTLSConfig(&config.TLSConfig{
+		CAFile:             *tlsCACertPath,
+		CertFile:           *tlsClientCertPath,
+		KeyFile:            *tlsClientCertKeyPath,
+		ServerName:         *addr,
+		InsecureSkipVerify: *tlsSkipVerify,
+	})
+	if err != nil {
+		return nil, err
+	}
+
 	url := *addr + path
 	if strings.HasPrefix(url, "https") {
 		url = strings.Replace(url, "https", "wss", 1)
@@ -95,7 +124,12 @@ func wsConnect(path string) (*websocket.Conn, error) {
 	log.Println(url)
 
 	h := http.Header{"Authorization": {"Basic " + base64.StdEncoding.EncodeToString([]byte(*username+":"+*password))}}
-	c, resp, err := websocket.DefaultDialer.Dial(url, h)
+
+	ws := websocket.Dialer{
+		TLSClientConfig: tlsConfig,
+	}
+
+	c, resp, err := ws.Dial(url, h)
 
 	if err != nil {
 		if resp == nil {
diff --git a/cmd/logcli/main.go b/cmd/logcli/main.go
index 42861a2d1b24..d37074bc18ab 100644
--- a/cmd/logcli/main.go
+++ b/cmd/logcli/main.go
@@ -14,6 +14,11 @@ var (
 	username = app.Flag("username", "Username for HTTP basic auth.").Default("").Envar("GRAFANA_USERNAME").String()
 	password = app.Flag("password", "Password for HTTP basic auth.").Default("").Envar("GRAFANA_PASSWORD").String()
 
+	tlsCACertPath        = app.Flag("ca-cert", "Path to the server Certificate Authority.").Default("").Envar("LOKI_CA_CERT_PATH").String()
+	tlsSkipVerify        = app.Flag("tls-skip-verify", "Server certificate TLS skip verify.").Default("false").Bool()
+	tlsClientCertPath    = app.Flag("cert", "Path to the client certificate.").Default("").Envar("LOKI_CLIENT_CERT_PATH").String()
+	tlsClientCertKeyPath = app.Flag("key", "Path to the client certificate key.").Default("").Envar("LOKI_CLIENT_KEY_PATH").String()
+
 	queryCmd        = app.Command("query", "Run a LogQL query.")
 	queryStr        = queryCmd.Arg("query", "eg '{foo=\"bar\",baz=\"blip\"}'").Required().String()
 	regexpStr       = queryCmd.Arg("regex", "").String()
diff --git a/docs/logcli.md b/docs/logcli.md
index b72727867bb6..678fb37b8817 100644
--- a/docs/logcli.md
+++ b/docs/logcli.md
@@ -44,8 +44,8 @@ Common labels: {job="cortex-ops/consul", namespace="cortex-ops"}
 
 ### Configuration
 
-
 Configuration values are considered in the following order (lowest to highest):
+
 - environment value
 - command line
 
@@ -53,17 +53,22 @@ The URLs of the requests are printed to help with integration work.
 
 ### Details
 
-```
+```console
 $ logcli help
 usage: logcli [<flags>] <command> [<args> ...]
 
 A command-line for loki.
 
 Flags:
-  --help         Show context-sensitive help (also try --help-long and --help-man).
-  --addr=""      Server address, need to specify.
-  --username=""  Username for HTTP basic auth.
-  --password=""  Password for HTTP basic auth.
+  --help             Show context-sensitive help (also try --help-long and --help-man).
+  --addr="https://logs-us-west1.grafana.net"
+                     Server address.
+  --username=""      Username for HTTP basic auth.
+  --password=""      Password for HTTP basic auth.
+  --ca-cert=""       Path to the server Certificate Authority.
+  --tls-skip-verify  Server certificate TLS skip verify.
+  --cert=""          Path to the client certificate.
+  --key=""           Path to the client certificate key.
 
 Commands:
   help [<command>...]
@@ -72,7 +77,7 @@ Commands:
   query [<flags>] <query> [<regex>]
     Run a LogQL query.
 
-  labels <label>
+  labels [<label>]
     Find values for a given label.
 
 $ logcli help query
diff --git a/docs/operations.md b/docs/operations.md
index 883766832a12..17190e6ac295 100644
--- a/docs/operations.md
+++ b/docs/operations.md
@@ -6,6 +6,7 @@ This page lists operational aspects of running Loki in alphabetical order:
 
 Loki does not have an authentication layer.
 You are expected to run an authenticating reverse proxy in front of your services, such as an Nginx with basic auth or an OAuth2 proxy.
+See [client options](promtail-setup.md#custom-client-options) for more details about supported authentication methods.
 
 ### Multi-tenancy
 
@@ -129,7 +130,6 @@ storage_config:
       dynamodb: dynamodb://region
 ```
 
-
 #### S3
 
 Loki is using S3 as object storage. It stores log within directories based on
@@ -158,4 +158,3 @@ create the table manually you cannot easily erase old data and your index just g
 If you set your DynamoDB table manually, ensure you set the primary index key to `h`
 (string) and use `r` (binary) as the sort key. Also set the "period" attribute in the yaml to zero.
 Make sure adjust your throughput base on your usage.
-
diff --git a/docs/promtail-setup.md b/docs/promtail-setup.md
index cd171c8cc9d1..0d596f7f25f4 100644
--- a/docs/promtail-setup.md
+++ b/docs/promtail-setup.md
@@ -2,7 +2,7 @@
 
 ## Daemonset method
 
-Daemonset will deploy promtail on every node within the kubernetes cluster.
+Daemonset will deploy `promtail` on every node within the Kubernetes cluster.
 
 Daemonset deployment is great to collect all of the container logs within the
 cluster. It is great solution for single tenant.  All of the logs will send to a
@@ -11,6 +11,7 @@ single Loki server.
 Check the `production` folder for examples of a daemonset deployment for kubernetes using both helm and ksonnet.
 
 ### Example
+
 ```yaml
 ---Daemonset.yaml
 apiVersion: extensions/v1beta1
@@ -87,14 +88,15 @@ roleRef:
 
 ## Sidecar Method
 
-Sidecar method will deploy promtail as a container within a pod that
+Sidecar method will deploy `promtail` as a container within a pod that
 developer/devops create.
 
-This method will deploy promtail as a sidecar container within a pod.
+This method will deploy `promtail` as a sidecar container within a pod.
 In a multi-tenant environment, this enables teams to aggregate logs
 for specific pods and deployments for example for all pods in a namespace.
 
 ### Example
+
 ```yaml
 ---Deployment.yaml
 apiVersion: extensions/v1beta1
@@ -102,7 +104,7 @@ kind: Deployment
 metadata:
   name: my_test_app
   ...
-spec: 
+spec:
   ...
   template:
     spec:
@@ -133,10 +135,11 @@ spec:
 Sometime application create customized log files.  To collect those logs, you
 would need to have a customized `__path__` in your scrape_config.
 
-Right now, the best way to watch and tail custom log path is define log filepath
+Right now, the best way to watch and tail custom log path is define log file path
 as a label for the pod.
 
 #### Example
+
 ```yaml
 ---Deployment.yaml
 apiVersion: extensions/v1beta1
@@ -164,3 +167,87 @@ scrape_configs:
         replacement: /your_log_file_dir/$1.log
       ...
 ```
+
+### Custom Client options
+
+`promtail` client configuration uses the [Prometheus http client](https://godoc.org/github.com/prometheus/common/config) implementation.
+Therefore you can configure the following authentication parameters in the `client` or `clients` section.
+
+```yaml
+---promtail_config.yaml
+...
+
+# Simple client
+client:
+  [ <client_option> ]
+
+# Multiple clients
+clients:
+  [ - <client_option> ]
+...
+```
+
+>Note: Passing the `-client.url` from command line is only valid if you set the `client` section.
+
+#### `<client_option>`
+
+```yaml
+  # Sets the `url` of loki api push endpoint
+  url: http[s]://<host>:<port>/api/prom/push
+
+  # Sets the `Authorization` header on every promtail request with the
+  # configured username and password.
+  # password and password_file are mutually exclusive.
+  basic_auth:
+    username: <string>
+    password: <secret>
+    password_file: <string>
+
+  # Sets the `Authorization` header on every promtail request with
+  # the configured bearer token. It is mutually exclusive with `bearer_token_file`.
+  bearer_token: <secret>
+
+  # Sets the `Authorization` header on every promtail request with the bearer token
+  # read from the configured file. It is mutually exclusive with `bearer_token`.
+  bearer_token_file: /path/to/bearer/token/file
+
+  # Configures the promtail request's TLS settings.
+  tls_config:
+    # CA certificate to validate API server certificate with.
+    # If not provided Trusted CA from sytem will be used.
+    ca_file: <filename>
+
+    # Certificate and key files for client cert authentication to the server.
+    cert_file: <filename>
+    key_file: <filename>
+
+    # ServerName extension to indicate the name of the server.
+    # https://tools.ietf.org/html/rfc4366#section-3.1
+    server_name: <string>
+
+    # Disable validation of the server certificate.
+    insecure_skip_verify: <boolean>
+
+  # Optional proxy URL.
+  proxy_url: <string>
+
+  # Maximum wait period before sending batch
+  batchwait: 1s
+
+  # Maximum batch size to accrue before sending, unit is byte
+  batchsize: 102400
+
+  # Maximum time to wait for server to respond to a request
+  timeout: 10s
+
+  backoff_config:
+    # Initial backoff time between retries
+    minbackoff: 100ms
+    # Maximum backoff time between retries
+    maxbackoff: 5s
+    # Maximum number of retires when sending batches, 0 means infinite retries
+    maxretries: 5
+
+  # The labels to add to any time series or alerts when communicating with loki
+  external_labels: {}
+```
diff --git a/main b/main
new file mode 100755
index 000000000000..b6d39ad42e30
Binary files /dev/null and b/main differ
diff --git a/pkg/promtail/client/client.go b/pkg/promtail/client/client.go
index 694491b70138..e2cc951eea4e 100644
--- a/pkg/promtail/client/client.go
+++ b/pkg/promtail/client/client.go
@@ -18,9 +18,11 @@ import (
 	"github.com/go-kit/kit/log/level"
 	"github.com/gogo/protobuf/proto"
 	"github.com/golang/snappy"
+
 	"github.com/grafana/loki/pkg/helpers"
 	"github.com/grafana/loki/pkg/logproto"
 	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
 )
 
@@ -62,6 +64,7 @@ type Client interface {
 type client struct {
 	logger  log.Logger
 	cfg     Config
+	client  *http.Client
 	quit    chan struct{}
 	entries chan entry
 	wg      sync.WaitGroup
@@ -75,7 +78,7 @@ type entry struct {
 }
 
 // New makes a new Client.
-func New(cfg Config, logger log.Logger) Client {
+func New(cfg Config, logger log.Logger) (Client, error) {
 	c := &client{
 		logger:  log.With(logger, "component", "client", "host", cfg.URL.Host),
 		cfg:     cfg,
@@ -84,9 +87,22 @@ func New(cfg Config, logger log.Logger) Client {
 
 		externalLabels: cfg.ExternalLabels.LabelSet,
 	}
+
+	err := cfg.Client.Validate()
+	if err != nil {
+		return nil, err
+	}
+
+	c.client, err = config.NewClientFromConfig(cfg.Client, "promtail")
+	if err != nil {
+		return nil, err
+	}
+
+	c.client.Timeout = cfg.Timeout
+
 	c.wg.Add(1)
 	go c.run()
-	return c
+	return c, nil
 }
 
 func (c *client) run() {
@@ -194,7 +210,7 @@ func (c *client) send(ctx context.Context, buf []byte) (int, error) {
 	req = req.WithContext(ctx)
 	req.Header.Set("Content-Type", contentType)
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := c.client.Do(req)
 	if err != nil {
 		return -1, err
 	}
diff --git a/pkg/promtail/client/config.go b/pkg/promtail/client/config.go
index 1cb129d7b4c6..b4652e4120de 100644
--- a/pkg/promtail/client/config.go
+++ b/pkg/promtail/client/config.go
@@ -7,6 +7,7 @@ import (
 	"github.com/cortexproject/cortex/pkg/util"
 	"github.com/cortexproject/cortex/pkg/util/flagext"
 	lokiflag "github.com/grafana/loki/pkg/util/flagext"
+	"github.com/prometheus/common/config"
 )
 
 // Config describes configuration for a HTTP pusher client.
@@ -15,6 +16,8 @@ type Config struct {
 	BatchWait time.Duration
 	BatchSize int
 
+	Client config.HTTPClientConfig `yaml:",inline"`
+
 	BackoffConfig util.BackoffConfig `yaml:"backoff_config"`
 	// The labels to add to any time series or alerts when communicating with loki
 	ExternalLabels lokiflag.LabelSet `yaml:"external_labels,omitempty"`
diff --git a/pkg/promtail/client/multi.go b/pkg/promtail/client/multi.go
index d634e3025059..47249948eeb7 100644
--- a/pkg/promtail/client/multi.go
+++ b/pkg/promtail/client/multi.go
@@ -17,9 +17,14 @@ func NewMulti(logger log.Logger, cfgs ...Config) (Client, error) {
 	if len(cfgs) == 0 {
 		return nil, errors.New("at least one client config should be provided")
 	}
-	var clients []Client
+
+	clients := make([]Client, 0, len(cfgs))
 	for _, cfg := range cfgs {
-		clients = append(clients, New(cfg, logger))
+		client, err := New(cfg, logger)
+		if err != nil {
+			return nil, err
+		}
+		clients = append(clients, client)
 	}
 	return MultiClient(clients), nil
 }