Important: NGINX Plus R33 requires NGINX Instance Manager 2.18 or later
To ensure uninterrupted traffic processing, upgrade to NGINX Instance Manager 2.18 or later if your NGINX data plane instances are running NGINX Plus R33. This upgrade is necessary to support usage reporting.
NGINX Plus R33 instances must send usage data to the F5 licensing endpoint or NGINX Instance Manager. If they don’t, they will stop processing traffic.
For more information about usage reporting and enforcement, see About solution licenses.
Install on a virtual machine or bare metal
Legacy 'nms' references
Some commands, file paths, and configuration references still usenms
due to the ongoing transition from NGINX Management Suite (NMS) to NGINX Instance Manager (NIM). These will be updated in future releases.
Overview
This guide explains how to install F5 NGINX Instance Manager on a virtual machine (VM) or bare metal. It includes key steps like:
- Installing NGINX with the GPG keys associated with F5 NGINX One
- Setting up ClickHouse
- Adding a license
- Accessing the web interface
- Securing your deployment with Vault (optional)
Access the deprecated manual steps
If you prefer to follow the original manual steps, you can access the deprecated guide. Please note that this guide is no longer actively maintained and may not reflect the latest updates or best practices.
Supported versions
Supported NGINX versions
NGINX Instance Manager supports the following NGINX Open Source and NGINX Plus versions:
NGINX Instance Manager | NGINX OSS | NGINX Plus |
---|---|---|
2.18.0 and later | 1.18–1.25.1 | R31–R33 |
2.16.0–2.17.x | 1.18–1.25.1 | R31–R32 |
2.7.0–2.15.x | 1.18–1.25.1 | R21–R30 |
2.0.0–2.6.0 | 1.18–1.21.6 | R21–R27 |
Supported Linux distributions
The following table lists the Linux distributions supported by NGINX Instance Manager and NGINX App Protect:
Distribution | Version | Architecture | NGINX Instance Manager Support | NGINX App Protect Support |
---|---|---|---|---|
Amazon Linux | 2 LTS | x86_64 | Supported | Support discontinued as of 2.18.0 |
CentOS | 7.4 and later in the 7.x family | x86_64 | Support discontinued as of 2.17.0 | Supported |
Debian | 11 12 |
x86_64 x86_64 |
Supported Supported on 2.13.0+ |
Supported Supported |
Oracle Linux | 7.4 and later in the 7.x family 8.0 and later in the 8.x family |
x86_64 x86_64 |
Supported Supported on 2.6.0+ |
Supported Supported |
RHEL | 7.4 and later in the 7.x family 8.x and later in the 8.x family 9.x and later in the 9.x family |
x86_64 x86_64 x86_64 |
Support discontinued as of 2.17.0 Supported Supported on 2.6.0+ |
Supported Supported Supported |
Ubuntu | 20.04 22.04 |
x86_64 x86_64 |
Supported Supported on 2.3.0+ |
Supported Supported |
Security considerations
To ensure that your NGINX Instance Manager deployment remains secure, follow these recommendations:
- Install NGINX Instance Manager on a dedicated machine (bare metal, container, cloud, or VM).
- Ensure that no other services are running on the same machine.
Prerequisites
Complete the following steps before installing NGINX Instance Manager:
- Download the certificate and private key for NGINX Instance Manager. You can use the same certificate and private key as NGINX Plus.
- The downloaded files have .crt and .key extensions
- Record the location of these files on the target system. The default filenames / locations are:
/etc/ssl/nginx/nginx-repo.crt
/etc/ssl/nginx/nginx-repo.key
- Record your current version of NGINX Instance Manager, along with the supported version of NGINX OSS or NGINX Plus that you want to use, if necessary. The latest version will be used by default.
- (Optional) Install and configure Vault if you plan to use it.
Download certificate and key
Download the certificate and private key required for NGINX Instance Manager. These files are necessary for adding the official repository during installation and can also be used when installing NGINX Plus.
-
On the host where you’re installing NGINX Instance Manager, create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
-
Download the SSL Certificate, Private Key and JSON Web Token files from MyF5 or use the download link provided in your trial activation email.
-
Move and rename the cert and key files to the correct directory:
sudo mv nginx-<subscription id>.crt /etc/ssl/nginx/nginx-repo.crt sudo mv nginx-<subscription id>.key /etc/ssl/nginx/nginx-repo.key
Download and run the installation script
Tip:
The installation script also works for upgrades of both NGINX Instance Manager and ClickHouse.
We created an installation script, install-nim-bundle.sh
to automate the NGINX Instance Manager installation process. By default, it:
- Reads SSL files from the /etc/ssl/nginx directory
- Installs the latest version of NGINX OSS
- Installs Clickhouse Database
- Installs NGINX Instance Manager
- Assumes you’re connected to the internet for installations and upgrades
Warning:
As noted in About subscription licenses, custom paths won’t work until you upgrade to NGINX Plus R33.
Download the install-nim-bundle.sh
script:
Download install-nim-bundle.sh script
When you run the script, it downloads and installs NGINX Instance Manager.
If you want to use the script with non-default options, use these switches:
- To point to a repository key stored in a directory other than /etc/ssl/nginx:
-k /path/to/your/<nginx-repo.key>
file - To point to a repository certificate stored in a directory other than /etc/ssl/nginx:
-c /path/to/your/<nginx-repo.crt>
file - To install NGINX Plus (instead of NGINX OSS):
-p <nginx_plus_version> -j /path/to/license.jwt
Note:
Starting from NGINX Plus Release 33, a JWT file is required for each NGINX Plus instance. For more information, see About Subscription Licenses.
You also need to specify the current operating system. To get the latest list supported by the script, run the following command:
grep '\-d distribution' install-nim-bundle.sh
For example, to use the script to install NGINX Instance Manager on Ubuntu 24.04, with repository keys in the default /etc/ssl/nginx
directory, with the latest version of NGINX OSS, run the following command:
sudo bash install-nim-bundle.sh -n latest -d ubuntu24.04 -j /path/to/license.jwt
To install NGINX Instance Manager on Ubuntu 24.04 with the latest version of NGINX Plus by pointing to the location of your NGINX cert and key, run the following command:
sudo bash install-nim-bundle.sh -c /path/to/nginx-repo.crt -k /path/to/nginx-repo.key -p latest -d ubuntu24.04 -j /path/to/license.jwt
In most cases, the script completes the installation of NGINX Instance Manager and associated packages. At the end of the process, you’ll see an autogenerated password:
Regenerated Admin password: <encrypted password>
Save that password. You’ll need it when you sign in to NGINX Instance Manager.
Problems and additional script parameters
There are multiple parameters to configure in the Installation script. If you see fatal errors when running the script, first run the following command, which includes command options that can help you bypass problems:
bash install-nim-bundle.sh -h
Configure ClickHouse
ClickHouse version requirement
NGINX Instance Manager relies on ClickHouse 24.9.2.42 or later to store essential data, including metrics, events, alerts, and configuration settings.
Setting a custom ClickHouse password
The NGINX Instance Manager installation script also installs ClickHouse with a blank password. Update the /etc/nms/nms.conf file with it after installing NGINX Instance Manager. Otherwise, NGINX Instance Manager won’t start. For more information on customizing ClickHouse settings, refer to the Configure ClickHouse topic.
ClickHouse default settings
NGINX Instance Manager uses the following default values for ClickHouse:
Customizing ClickHouse
You can customize these settings. However, if you use custom settings, make sure to follow the Configure ClickHouse instructions to update the nms.conf file after you’ve installed NGINX Instance Manager. Otherwise, NGINX Instance Manager won’t be able to connect to ClickHouse.
Configuration | Default | Notes |
---|---|---|
clickhouse.address | tcp://localhost:9000 | |
clickhouse.username | ||
clickhouse.password | ||
clickhouse.tls_mode | false | |
clickhouse.tls.address | tcp://localhost:9440 | |
clickhouse.tls.skip_verify | false | clickhouse.tls.skip_verify should be used only for self-signed certificates and is never recommended for production use. When set to true , certificates are not verified, which exposes the connection to man-in-the-middle attacks. |
clickhouse.tls.key_path | ||
clickhouse.tls.cert_path | ||
clickhouse.tls.ca_path | /etc/ssl/certs/ca-certificates.crt | The default value for clickhouse.tls.ca_path works out-of-the-box for Ubuntu and Debian. You’ll need to configure a different Certificate Authority for other distributions. Refer to your distribution’s documentation for additional information. |
How to access the web interface
To access the NGINX Instance Manager web interface, open a web browser and go to https://<NIM_FQDN>
, replacing <NIM_FQDN>
with the Fully Qualified Domain Name of your NGINX Instance Manager host.
The default administrator username is admin
, and the generated password is saved, in encrypted format, to the /etc/nms/nginx/.htpasswd
file. The password was displayed in the terminal during installation. If you’d like to change this password, refer to the “Set or Change User Passwords” section in the Basic Authentication topic.
To license NGINX Instance Manager, use a JSON Web token from your NIM Subscription in MyF5.
Post-installation steps (optional)
-
If you use Vault, follow the steps in the Configure Vault guide to update the
/etc/nms/nms.conf
file. If you don’t do so, NGINX Instance Manager won’t be able to connect to Vault. -
If you use SELinux, follow the steps in the Configure SELinux guide to restore SELinux contexts (
restorecon
) for the files and directories related to NGINX Instance Manager.
(Optional) Install and configure Vault
NGINX Instance Manager can use Vault as a datastore for secrets.
To install and enable Vault, follow these steps:
- Follow Vault’s instructions to install Vault 1.8.8 or later for your distribution.
- Ensure you’re running Vault in a production-hardened environment.
- After installing NGINX Instance Manager, follow the steps to configure Vault for storing secrets.
Upgrade NGINX Instance Manager
You can now use the installation script to upgrade NGINX Instance Manager and ClickHouse.
If you use SELinux, after an upgrade, follow the steps in the Configure SELinux guide to restore the default SELinux labels (restorecon
) for files and directories related to NGINX Instance Manager.
Uninstall NGINX Instance Manager
Follow the steps below to uninstall NGINX Instance Manager and ClickHouse.
-
For CentOS, RHEL, and RPM-based distributions:
sudo yum remove -y nms-* sudo systemctl stop clickhouse-server sudo yum remove -y clickhouse-server
-
For Debian, Ubuntu, and Deb-based distributions:
sudo apt-get remove -y nms-* sudo systemctl stop clickhouse-server sudo apt-get remove -y clickhouse-server
If you want to remove the package and its configuration files, use
apt-get purge -y <package>
instead ofapt-get remove -y
.