NGINX Plus R33 requires NGINX Instance Manager 2.18 or later
If your NGINX data plane instances are running NGINX Plus R33 or later, you must upgrade to NGINX Instance Manager 2.18 or later to support usage reporting. NGINX Plus R33 instances must report usage data to the F5 licensing endpoint or NGINX Instance Manager. Otherwise, they will stop processing user traffic.

For more details about usage reporting and enforcement, see About solution licenses.

Install on a virtual machine or bare metal

Legacy 'nms' references
Some commands, file paths, and configuration references still use nms due to the ongoing transition from NGINX Management Suite (NMS) to NGINX Instance Manager (NIM). These will be updated in future releases.

Overview

This guide explains how to install NGINX Instance Manager on a virtual machine (VM) or bare metal. It includes key prerequisites like installing NGINX and setting up ClickHouse, as well as steps for adding a license, accessing the web interface, and optionally securing your deployment with Vault.

Supported versions

Supported NGINX versions

NGINX Instance Manager supports the following NGINX Open Source and NGINX Plus versions:

NGINX Instance Manager NGINX OSS NGINX Plus
2.16.0 and later 1.18–1.25.1 R31–R33
2.7.0–2.15.1 1.18–1.25.1 R21–R30
2.0.0–2.6.0 1.18–1.21.6 R21–R27
Supported Linux distributions

The following table lists the Linux distributions supported by NGINX Instance Manager and NGINX App Protect:

Distribution Version Architecture NGINX Instance Manager Support NGINX App Protect Support
Amazon Linux 2 LTS x86_64 Supported Support discontinued as of 2.18.0
CentOS 7.4 and later in the 7.x family x86_64 Support discontinued as of 2.17.0 Supported
Debian 11
12
x86_64
x86_64
Supported
Supported on 2.13.0+
Supported
Supported
Oracle Linux 7.4 and later in the 7.x family
8.0 and later in the 8.x family
x86_64
x86_64
Supported
Supported on 2.6.0+
Supported
Supported
RHEL 7.4 and later in the 7.x family
8.x and later in the 8.x family
9.x and later in the 9.x family
x86_64
x86_64
x86_64
Support discontinued as of 2.17.0
Supported
Supported on 2.6.0+
Supported
Supported
Supported
Ubuntu 20.04
22.04
x86_64
x86_64
Supported
Supported on 2.3.0+
Supported
Supported

Security considerations

To ensure that your NGINX Instance Manager deployment remains secure, follow these recommendations:

  • Install NGINX Instance Manager on a dedicated machine (bare metal, container, cloud, or VM).
  • Ensure that no other services are running on the same machine.

Prerequisites

Complete the following steps before installing NGINX Instance Manager:

  • Download the certificate and private key for NGINX Instance Manager.
    • The downloaded files have .crt and .key extensions
    • Record the location of these files on the target system. The default filenames / locations are:
      • /etc/ssl/nginx/nginx-repo.crt
      • /etc/ssl/nginx/nginx-repo.key
  • Record your current version of NGINX Instance Manager, along with the supported version of NGINX OSS or NGINX Plus that you want to use.
  • (Optional) Install and configure Vault if you plan to use it.

Download certificate and key

Download the certificate and private key required for NGINX Instance Manager. These files are necessary for adding the official repository during installation and can also be used when installing NGINX Plus.

  1. On the host where you’re installing NGINX Instance Manager, create the /etc/ssl/nginx/ directory:

    sudo mkdir -p /etc/ssl/nginx
    
  2. Download the SSL Certificate and Private Key files from MyF5 or use the download link provided in your trial activation email.

  3. Move and rename the downloaded files to the correct directory:

    sudo mv nginx-<subscription id>.crt /etc/ssl/nginx/nginx-repo.crt
    sudo mv nginx-<subscription id>.key /etc/ssl/nginx/nginx-repo.key
    

Download and run the installation script

Tip:
The installation script also works for upgrades of both NGINX Instance Manager and ClickHouse.

We created an installation script, install-nim-bundle.sh to automate the NGINX Instance Manager installation process. By default, it:

  • Installs the latest version of NGINX OSS
  • Assumes you’re connected to the internet for installations and upgrades
  • Reads SSL files from the /etc/ssl/nginx directory
  • Reads your JWT token from the directory defined in your NGINX configuration
Warning:
As noted in About subscription licenses, custom paths won’t work until you upgrade to NGINX Plus R33.

Download the install-nim-bundle.sh script:

Download install-nim-bundle.sh script

When you run the script, it downloads and installs NGINX Instance Manager.

If you want to use the script with non-default options, use these switches:

  • To point to a repository key stored in a directory other than /etc/ssl/nginx: -k /path/to/your/<nginx-repo.crt> file
  • To point to a repository certificate stored in a directory other than /etc/ssl/nginx: -c /path/to/your/<nginx-repo.crt> file
  • To install NGINX Plus (instead of NGINX OSS): -p <nginx_plus_version>

You also need to specify the current operating system. To get the latest list supported by the script, run the following command:

grep '\-d distribution' install-nim-bundle.sh

For example, to use the script to install NGINX Instance Manager on Ubuntu 24.04, with repository keys in the default /etc/ssl/nginx directory, with the latest version of NGINX Plus, run the following command:

sudo bash install-nim-bundle.sh -p latest -d ubuntu24.04

In most cases, the script completes the installation of NGINX Interface Manager and associated packages. At the end of the process, you’ll see an autogenerated password:

Regenerated Admin password: <encrypted password>

Save that password. You’ll need it when you sign in to NGINX Instance Manager.

Problems

If you see fatal errors when running the script, first run the following command, which includes command options that can help you bypass problems:

bash install-nim-bundle.sh -h

Configure ClickHouse

ClickHouse version requirement
NGINX Instance Manager relies on ClickHouse 24.9.2.42 or later to store essential data, including metrics, events, alerts, and configuration settings.
Setting a custom ClickHouse password
The NGINX Instance Manager installation script also installs ClickHouse with a blank password. Update the /etc/nms/nms.conf file with it after installing NGINX Instance Manager. Otherwise, NGINX Instance Manager won’t start. For more information on customizing ClickHouse settings, refer to the Configure ClickHouse topic.

ClickHouse default settings

NGINX Instance Manager uses the following default values for ClickHouse:

Customizing ClickHouse
You can customize these settings. However, if you use custom settings, make sure to follow the Configure ClickHouse instructions to update the nms.conf file after you’ve installed NGINX Instance Manager. Otherwise, NGINX Instance Manager won’t be able to connect to ClickHouse.
Configuration Default Notes
clickhouse.address tcp://localhost:9000
clickhouse.username
clickhouse.password
clickhouse.tls_mode false
clickhouse.tls.address tcp://localhost:9440
clickhouse.tls.skip_verify false clickhouse.tls.skip_verify should be used only for self-signed certificates and is never recommended for production use. When set to true, certificates are not verified, which exposes the connection to man-in-the-middle attacks.
clickhouse.tls.key_path
clickhouse.tls.cert_path
clickhouse.tls.ca_path /etc/ssl/certs/ca-certificates.crt The default value for clickhouse.tls.ca_path works out-of-the-box for Ubuntu and Debian. You’ll need to configure a different Certificate Authority for other distributions. Refer to your distribution’s documentation for additional information.

(Optional) Install and configure Vault

NGINX Instance Manager can use Vault as a datastore for secrets.

To install and enable Vault, follow these steps:


How to access the web interface

To access the NGINX Instance Manager web interface, open a web browser and go to https://<NIM_FQDN>, replacing <NIM_FQDN> with the Fully Qualified Domain Name of your NGINX Instance Manager host.

The default administrator username is admin, and the generated password is saved, in encrypted format, to the /etc/nms/nginx/.htpasswd file. The password was displayed in the terminal during installation. If you’d like to change this password, refer to the “Set or Change User Passwords” section in the Basic Authentication topic.


Post-installation steps (optional)

  • If you use Vault, follow the steps in the Configure Vault guide to update the /etc/nms/nms.conf file. If you don’t do so, NGINX Instance Manager won’t be able to connect to Vault.

  • If you use SELinux, follow the steps in the Configure SELinux guide to restore SELinux contexts (restorecon) for the files and directories related to NGINX Instance Manager.


Upgrade NGINX Instance Manager

You can now use the installation script to upgrade NGINX Instance Manager and ClickHouse.

If you use SELinux, after an upgrade, follow the steps in the Configure SELinux guide to restore the default SELinux labels (restorecon) for files and directories related to NGINX Instance Manager.


Uninstall NGINX Instance Manager

Follow the steps below to uninstall NGINX Instance Manager and ClickHouse.

  • For CentOS, RHEL, and RPM-based distributions:

    sudo yum remove -y nms-*
    sudo systemctl stop clickhouse-server
    sudo yum remove -y clickhouse-server
    
  • For Debian, Ubuntu, and Deb-based distributions:

    sudo apt-get remove -y nms-*
    sudo systemctl stop clickhouse-server
    sudo apt-get remove -y clickhouse-server
    

    If you want to remove the package and its configuration files, use apt-get purge -y <package> instead of apt-get remove -y.