Manually install any version of NGINX Instance Manager

Overview

Follow the steps in this guide to install or upgrade a specific version of NGINX Instance Manager.

Before You Begin

Security Considerations

To ensure that your NGINX Instance Manager deployment remains secure, follow the recommendations in this section:

  • Install NGINX Instance Manager and its modules on a dedicated machine (bare metal, container, cloud, or VM).
  • Make sure that no other services are running on the same machine.
  • Make sure that the machine is not accessible from the Internet.
  • Make sure that the machine is behind a firewall.

Requirements

To install NGINX Instance Manager, you need the following:

Allow external systems access by opening network firewalls. NGINX Instance Manager uses port 443 for both gRPC and API/web interfaces.

Download Certificate and Key

Follow these steps to download the certificate and private key for NGINX Instance Manager. You’ll need these files when adding the official repository for installing NGINX Instance Manager. You can also use the certificate and key when installing NGINX Plus.

  1. On the host where you’re installing NGINX Instance Manager, create the /etc/ssl/nginx/ directory:

    sudo mkdir -p /etc/ssl/nginx

  2. Download the NGINX Instance Manager .crt and .key files from MyF5 or follow the download link in your trial activation email.

  3. Move and rename the .crt and .key files:

    sudo mv <nginx-mgmt-suite-trial.crt> /etc/ssl/nginx/nginx-repo.crt
sudo mv <nginx-mgmt-suite-trial.key> /etc/ssl/nginx/nginx-repo.key

    The downloaded filenames may vary depending on your subscription type. Modify the commands above accordingly to match the actual filenames.

Install NGINX

Install NGINX Open Source or NGINX Plus on the host where you’ll install NGINX Instance Manager. NGINX Instance Manager uses NGINX as a front-end proxy and for managing user access.

Supported NGINX versions

NGINX Instance Manager supports the following NGINX Open Source and NGINX Plus versions:

NGINX Instance Manager NGINX OSS NGINX Plus
2.18.0 and later 1.18–1.28.0 R31–R34
2.16.0–2.17.x 1.18–1.25.1 R31–R32
2.7.0–2.15.x 1.18–1.25.1 R21–R30
2.0.0–2.6.0 1.18–1.21.6 R21–R27
Supported Linux distributions

The following table lists the Linux distributions supported by NGINX Instance Manager and NGINX App Protect:

Distribution Version Architecture NGINX Instance Manager Support NGINX App Protect Support
Amazon Linux 2 LTS x86_64 Supported Support discontinued as of 2.18.0
CentOS 7.4 and later in the 7.x family x86_64 Support discontinued as of 2.17.0 Supported
Debian 11
12		 x86_64
x86_64		 Supported
Supported on 2.13.0+		 Supported
Supported
Oracle Linux 7.4 and later in the 7.x family
8.0 and later in the 8.x family		 x86_64
x86_64		 Supported
Supported on 2.6.0+		 Supported
Supported
RHEL 7.4 and later in the 7.x family
8.x and later in the 8.x family
9.x and later in the 9.x family		 x86_64
x86_64
x86_64		 Support discontinued as of 2.17.0
Supported
Supported on 2.6.0+		 Supported
Supported
Supported
Ubuntu 20.04
22.04
24.04		 x86_64
x86_64
x86_64		 Supported
Supported on 2.3.0+
Supported on 2.18.0+		 Supported
Supported
Supported

Make sure to review the Technical Specifications guide for sizing requirements and other recommended specs.

Configure metrics collection

Disable metrics collection

NGINX Instance Manager uses ClickHouse to store metrics, events, alerts, and configuration data.

Starting in version 2.20.0, you can run NGINX Instance Manager in Lightweight mode, which skips the ClickHouse installation entirely. This setup works well if you don’t need monitoring data or want to reduce system requirements. It also avoids the effort of managing a metrics database. You can add ClickHouse later if your needs change.

If you don’t need to store metrics, you can skip installing ClickHouse. But you must use NGINX Agent version 2.41.1 or later, and you must disable metrics collection in the /etc/nms/nms.conf and /etc/nms-sm.conf.yaml files.

For instructions, see Disable metrics collection.

Install ClickHouse to enable metrics

NGINX Instance Manager uses ClickHouse to store metrics, events, alerts, and configuration settings.

If you install ClickHouse and choose to set a password (the default is an empty string), you must add it to the clickhouse.password setting in the /etc/nms/nms.conf file. If the password is missing or incorrect, NGINX Instance Manager will not start.

For instructions and additional configuration options, including TLS settings, see Configure ClickHouse.

NGINX Instance Manager requires ClickHouse version 24.8.12.28 or later.

Follow these steps to install and enable ClickHouse on supported Linux distributions.

  1. First, set up the repository.

    • For RPM-based systems (CentOS, RHEL):

      sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://packages.clickhouse.com/rpm/clickhouse.repo

    • For Debian-based systems (Debian, Ubuntu):

      sudo apt-get install -y apt-transport-https ca-certificates dirmngr
GNUPGHOME=$(mktemp -d)
sudo GNUPGHOME="$GNUPGHOME" gpg --no-default-keyring --keyring /usr/share/keyrings/clickhouse-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8919F6BD2B48D754
sudo rm -r "$GNUPGHOME"
sudo chmod +r /usr/share/keyrings/clickhouse-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/clickhouse-keyring.gpg] https://packages.clickhouse.com/deb lts main" | sudo tee /etc/apt/sources.list.d/clickhouse.list
sudo apt-get update

  2. Next, install the ClickHouse server and client:

    • For RPM-based systems (CentOS, RHEL):

      sudo yum install -y clickhouse-server clickhouse-client

    • For Debian-based systems (Debian, Ubuntu):

      sudo apt-get install -y clickhouse-server clickhouse-client

  3. Then, enable the ClickHouse service so it starts automatically on reboot:

    sudo systemctl enable clickhouse-server

  4. Start the ClickHouse service:

    sudo systemctl start clickhouse-server

  5. Finally, confirm the service is running:

    sudo systemctl status clickhouse-server

ClickHouse Default Settings

NGINX Instance Manager uses the following default values for ClickHouse. To change these values, see the Configure ClickHouse guide.

Configuration Default Notes
clickhouse.enable true Set to false to disable metrics collection and run NGINX Instance Manager in lightweight mode. Requires a service restart.
clickhouse.address tcp://localhost:9000 The address of the ClickHouse database.
clickhouse.username The username NGINX Instance Manager uses to connect to ClickHouse, if authentication is enabled.
clickhouse.password The password for the specified ClickHouse user.
clickhouse.tls_mode false Set to true to enable TLS for the ClickHouse connection. This setting will be deprecated in a future release. Use the clickhouse.tls section instead.
clickhouse.tls.address tcp://localhost:9440 The address NGINX Instance Manager uses to connect to ClickHouse over TLS. Format: <ip-address>:<port>.
clickhouse.tls.skip_verify false Set to true to skip TLS certificate verification. Use only for self-signed certificates in non-production environments.
clickhouse.tls.key_path Path to the client TLS key file in PEM format. Required for client authentication.
clickhouse.tls.cert_path Path to the client TLS certificate file in PEM format. Required for client authentication.
clickhouse.tls.ca_path /etc/ssl/certs/ca-certificates.crt Path to the system Certificate Authority used to verify the server certificate. The default path works for Ubuntu and Debian. Use a CA bundle appropriate to your system. See TLS configuration for details.

Add NGINX Instance Manager Repository

To install NGINX Instance Manager, you need to add the official repository to pull the pre-compiled deb and rpm packages from.

Select the tab matching your Linux distribution, then follow the instructions to add the NGINX Instance Manager repository.


Add the NGINX Instance Manager repository:

  • CentOS/RHEL

    sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nms.repo

    • RHEL 8: If you’re installing on RHEL 8 and using the distro’s NGINX, run the following commands to use the new version of NGINX (1.20 at the time of this update):

      sudo yum module disable nginx:1.14
sudo yum module enable nginx:1.20

  • Amazon Linux 2

    sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nms-amazon2.repo
  1. Add the NGINX signing key:
wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \
    | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

  1. Add the NGINX Instance Manager repository:

    • Debian
    printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/nms/debian $(lsb_release -cs) nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nms.list

sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx \
https://cs.nginx.com/static/files/90pkgs-nginx

    • Ubuntu
    printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/nms/ubuntu $(lsb_release -cs) nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nms.list

sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx \
https://cs.nginx.com/static/files/90pkgs-nginx

Install Instance Manager

  1. To install the latest version of Instance Manager, run the following command:

    sudo yum install -y nms-instance-manager

    IMPORTANT! The Instance Manager’s administrator username (default is admin) and generated password are displayed in the terminal during installation. You should make a note of the password and store it securely.

  1. To install the latest version of Instance Manager, run the following commands:

    sudo apt-get update
sudo apt-get install -y nms-instance-manager

    IMPORTANT! The Instance Manager’s administrator username (default is admin) and generated password are displayed in the terminal during installation. You should make a note of the password and store it securely.

  1. Enable and start the NGINX Instance Manager platform services:

    sudo systemctl enable nms nms-core nms-dpm nms-ingestion nms-integrations --now

    NGINX Instance Manager components started this way run by default as the non-root nms user inside the nms group, both of which are created during installation.

  2. Restart the NGINX web server:

    sudo systemctl restart nginx

Optional post-installation steps

Configure ClickHouse

If you installed ClickHouse and set a password (the default is an empty string), you must add it to the clickhouse.password setting in the /etc/nms/nms.conf file after installing NGINX Instance Manager. If the password is missing or incorrect, NGINX Instance Manager will not start.

You can also configure additional ClickHouse settings in the same section:

  • clickhouse.username – the username used to connect to ClickHouse
  • clickhouse.address – the address of the ClickHouse server (default is tcp://localhost:9000)
  • clickhouse.tls_mode – set to true to enable TLS
  • TLS certificate settings, such as:
    • clickhouse.tls.cert_path
    • clickhouse.tls.key_path
    • clickhouse.tls.ca_path
    • clickhouse.tls.skip_verify

For more details, see Configure ClickHouse.

Install and configure Vault

NGINX Instance Manager can use Vault as a datastore for secrets.

To install and enable Vault, follow these steps:

Configure SELinux

SELinux helps secure your deployment by enforcing mandatory access control policies.

If you use SELinux, follow the steps in the Configure SELinux guide to restore SELinux contexts (restorecon) for the files and directories related to NGINX Instance Manager.

Accessing the Web Interface

To access the NGINX Instance Manager web interface, open a web browser and go to https://<NMS_FQDN>, replacing <NMS_FQDN> with the Fully Qualified Domain Name of your NGINX Instance Manager host.

The default administrator username is admin, and the generated password was displayed in the terminal during installation. If you’d like to change this password, refer to the “Set or Change User Passwords section in the Basic Authentication topic.

Add License

A valid license is required to make full use of all the features in NGINX Instance Manager.

Refer to the Add a License topic for instructions on how to download and apply a trial license, subscription license, or Flexible Consumption Program license.

Upgrade Instance Manager

  1. To upgrade to the latest version of the Instance Manager, run the following command:

    sudo yum update -y nms-instance-manager

  1. To upgrade to the latest version of the Instance Manager, run the following command:

    sudo apt-get update && \
sudo apt-get install -y --only-upgrade nms-instance-manager

  1. Restart the NGINX Instance Manager platform services:

    sudo systemctl restart nms

    NGINX Instance Manager components started this way run by default as the non-root nms user inside the nms group, both of which are created during installation.

  2. Restart the NGINX web server:

    sudo systemctl restart nginx

  3. (Optional) If you use SELinux, follow the steps in the Configure SELinux guide to restore the default SELinux labels (restorecon) for the files and directories related to NGINX Management suite.

Next steps