Reporting NGINX Plus Installation Counts for Compliance

Overview

Start by installing NGINX Instance Manager on a dedicated host. Then, configure your NGINX Plus systems to report back to Instance Manager. Once connected, you can easily view and report on your NGINX Plus inventory using the NGINX Management Suite REST API or web interface. You can send these reports to your F5 contact as needed.

Tip for Automated Reporting
To set up automatic reporting, add your JWT-based license to NGINX Management Suite. This license can be downloaded from MyF5 if needed.

Prerequisites

Install F5 NGINX Instance Manager on a dedicated host

Note:
A separate license for NGINX Management Suite is not required to track your NGINX product usage.

To start reporting on your NGINX Plus installations, you’ll first need to install NGINX Instance Manager on a dedicated host. You can choose between two installation options: either on a virtual machine or bare metal server, or by deploying on a Kubernetes cluster. Instructions for both methods are below:

Virtual Machine or Bare Metal

Kubernetes

Deploy Instance Manager on Kubernetes

View your NGINX Plus and NGINX App Protect Inventory

After you’ve installed NGINX Instance Manager, the next step involves configuring your NGINX Plus data plane to report back. This can be done in two ways. First, you can install NGINX Agent on each instance. Alternatively, for an agentless approach, you can set up HTTP Health Checks, which don’t require additional installations. Both methods enable your instances to communicate with Instance Manager.

Set up instance reporting for NGINX Plus

Select the tab that matches your preferred method for setting up reporting:

Configure native usage reporting (since NGINX Plus Release 31)
Install NGINX Agent
Configure HTTP Health Check for NGINX Plus without NGINX Agent

Since Release 31, NGINX Plus provides a built-in support for reporting of your NGINX Plus instances to NGINX Instance Manager without the need of installing NGINX Agent or tuning HTTP Health checks. If you participate in the F5 Flex Consumption Program, you will no longer need to manually track your NGINX Plus instances.

Usage reporting is enabled by default. At each startup, NGINX Plus attempts to discover NGINX Instance Manager via a DNS lookup of the nginx-mgmt.local hostname. Then NGINX Plus establishes a TLS connection to NGINX Instance Manager and every 30 minutes reports its version number, hostname, and identifier.

If NGINX instance reporting is not configured or NGINX Plus cannot provide its usage information to NGINX Instance Manager, a warning message will be logged.

Parameters customization can be done with the ngx_mgmt_module module, in particular if you need to:

use mTLS for enhanced security (recommended)
define a custom resolver
use an IP address or a different hostname to identify NGINX Instance Manager
specify other custom parameters such as reporting time, path to the reporting file, etc.

Enabling Mutual Client Certificate Auth Setup (mTLS)

It is highly recommended to secure and authorize NGINX Plus instance with NGINX Instance Manager by using client certificates unique to each endpoint.

Obtain a certificate, a key, and a CA certificate on both the NGINX Management Suite and NGINX Plus instance. See the Secure Traffic with Certificates for instructions on how to generate keys.
In the configuration file of NGINX Plus instance, on the main level, add the mgmt block:
```
mgmt {
    #...

}
```
Set up a HTTPS server that accepts and terminates the traffic from NGINX Instance Manager. Inside the mgmt block, specify the path to the client certificate and private key file with the ssl_certificate and ssl_certificate_key directives:
```
mgmt {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   DEFAULT;

    ssl_certificate     client_cert.pem;
    ssl_certificate_key client_cert.key;
    #...
}
```
While the server certificate is a public entity and is sent to NMS, the private key is a secure entity and should be stored in a file with restricted access.

Configure the verification of the NMS server certificate to validate the authenticity of NMS:

mgmt {
    #...
    ssl_trusted_certificate  trusted_ca_cert.crt;
    ssl_verify               on;
    ssl_verify_depth         2;
}

Full configuration:

mgmt {
    resolver 10.0.0.1;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   DEFAULT;

    ssl_certificate     client_cert.pem;
    ssl_certificate_key client_cert.key;

    ssl_trusted_certificate  trusted_ca_cert.crt;
    ssl_verify               on;
    ssl_verify_depth         2;
}

Reload the NGINX Plus configuration:
```
sudo nginx -s reload
```
Make the corresponding changes on the NGINX Instance Manager server side. See Secure Client Access and Network Traffic for NMS

Specifying a custom resolver

If there is a custom DNS server in your corporate network, you can specify its address with the resolver directive in the mgmt block:

mgmt {
    resolver 10.0.0.1;
    #...
}

By default, NGINX Plus re-resolves DNS records at the frequency specified by time‑to‑live (TTL) in the record, but you can override the TTL value with the valid parameter; in the example it is 300 seconds, or 5 minutes.

Also, the optional ipv6=off parameter means only IPv4 addresses are used, though resolving of both IPv4 and IPv6 addresses is supported by default:

mgmt {
    resolver 10.0.0.1 valid=300s ipv6=off;
    #...
}

To make the resolver statistics appear in Live Activity Monitoring Dashboard), specify the status_zone parameter of the resolver directive:

mgmt {
    resolver 10.0.0.1 status_zone=resolver-zone1;
    #...
}

Defining custom address for NGINX Instance Manager

There are several ways to configure the address of NGINX Instance Manager:

(recommended) add an A record to your local DNS that will associate the default hostname with the IP address of the system running NGINX Instance Manager
set the address with the endpoint parameter of the usage_report directive, by default the address is nginx-mgmt.local:
```
mgmt {
    resolver     10.0.0.1;
    usage_report endpoint=nms.local interval=15m;
    #...
}
```
If the name resolves into several IP addresses, the first IP address will be used.

Configuration Example

#...

mgmt {
    usage_report endpoint=nginx-mgmt.local interval=30m;
    resolver     DNS_IP;

    uid_file /var/lib/nginx/nginx.id;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   DEFAULT;

    ssl_certificate     client_cert.pem;
    ssl_certificate_key client_cert.key;

    ssl_trusted_certificate  trusted_ca_cert.crt;
    ssl_verify               on;
    ssl_verify_depth         2;
}

#...

When you install NGINX Agent on an NGINX Plus instance, it will establish a connection with Instance Manager and begin transmitting usage data.

To install NGINX Agent, follow these instructions.
(Optional) If you’re using Instance Manager primarily for tracking NGINX Plus usage, you can optimize performance by modifying the NGINX Agent configuration. Add this line to /etc/nginx-agent/nginx-agent.conf:
```
features: registration,dataplane-status
```
Note:
If you upgrade to the full version of Instance Manager later, remove the features: registration,dataplane-status line from the configuration. This change will enable NGINX Agent to collect a broader range of metrics and manage configurations remotely.

You can track NGINX Plus instances using an HTTP Health Check without installing NGINX Agent. This involves updating the NGINX Plus configuration file. Follow these steps:

Open the NGINX Plus configuration file (/etc/nginx/conf.d) and insert the following code within the http {} block:

### F5 / NGINX Required Configuration Code ###
### Insert the following into the http {} block of your NGINX configuration file ###

keyval_zone zone=uuid:32K state=/var/lib/nginx/state/instance_uuid.json;
keyval 1 $nginx_uuid zone=uuid;

upstream receiver {
    zone receiver 64k;

    # REQUIRED: Update NMS_FQDN with NGINX Management Suite IP Address or hostname.
    # If configuring with hostname, please ensure to uncomment the resolver
    # directive below and define a DNS server that can resolve the hostname.
    server NMS_FQDN:443;

    # OPTIONAL: Update DNS_UP with DNS server IP address that can resolve
    # the hostname defined above.
    #resolver DNS_IP;
}

map CERT $repo_crt {
    # OPTIONAL: Location of client certificate
    #default /etc/ssl/nginx/nginx-client.crt;
}

map KEY $repo_key {
    # OPTIONAL: Location of client certificate private key
    #default /etc/ssl/nginx/nginx-client.key;
}

server {
    location @ngx_usage_https {
        # OPTIONAL: Configure scheme (http|https) here
        proxy_pass https://receiver;

        # REQUIRED: If using NGINX APP PROTECT (NAP) on this instance, set nap=active on the following line:
        proxy_set_header Nginx-Usage "Version=$nginx_version;Hostname=$hostname;uuid=$nginx_uuid;nap=inactive";

        health_check uri=/api/nginx-usage interval=1800s;       # DO NOT MODIFY
        proxy_ssl_certificate     $repo_crt;                    # DO NOT MODIFY
        proxy_ssl_certificate_key $repo_key;                    # DO NOT MODIFY
    }

    location @self {
        health_check uri=/_uuid interval=1d;
        proxy_pass http://self;
    }

    location = /_uuid {
        if ($nginx_uuid !~ .) {
            set $nginx_uuid $request_id;
        }
        return 204;
    }

    listen unix:/tmp/ngx_usage.sock;
}

upstream self {
    zone self 64k;
    server unix:/tmp/ngx_usage.sock;
}

### End of F5 / NGINX Required Configuration Code ###

Modify the configuration to suit your specific NGINX Instance Manager installation:
- Update the NMS_FQDN variable in the upstream receiver block with your Instance Manager hostname or IP address. If using a private DNS, uncomment and update the resolver with your DNS IP Address.
- If your Instance Manager server requires client SSL certification, specify the locations of the SSL certificate and key in the map CERT and map KEY blocks. For more details, see Securing HTTP Traffic to Upstream Servers.
- If you’re using NGINX App Protect, change nap=inactive to nap=active in the location @ngx_usage_https block.
- Optionally, you can limit access to the /api/nginx-usage location on your NGINX Instance Manager server based on client network address. For guidance on how to do this, refer to Module ngx_http_access_module.
Save the changes.

Important:
If you install NGINX Agent later, remove this configuration to prevent double-counting instances.

Reporting your NGINX Plus inventory to F5

Follow these steps to view and export the list of NGINX Plus instances that have successfully registered with Instance Manager:

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, select Instance Manager from the Launchpad menu.
On the left menu, select NGINX Plus.
To download a list of your NGINX Plus instances, select Export. Note that the export will include only the instances on the current page. You can then forward this list to your F5 representative.

View your NGINX Ingress Controller instances and nodes

You can set up your Kubernetes-based NGINX Plus products, including NGINX Ingress Controller and Connectivity Stack for Kubernetes, to report usage data to NGINX Instance Manager.

Set up usage reporting for NGINX Ingress Controller

Follow the instructions in the Enabling Usage Reporting guide to enable usage reporting for NGINX Ingress Controller.

Reporting your NGINX Ingress Controller clusters to F5

To report your NGINX Ingress Controller clusters to F5, follow these steps:

Run the following command in your terminal to get a list of NGINX Ingress Controller instances and nodes in your cluster. Remember to replace <NMS_FQDN> with the fully-qualified domain name of your NGINX Management Suite host:
```
curl -X GET --url "https://<NMS_FQDN>/api/platform/v1/k8s-usage"
```
Once you have the list of instances and nodes, send it to your F5 representative.

Last modified August 22, 2024