Reporting NGINX Plus Installation Counts for Compliance
Tracking your F5 NGINX Plus installations is straightforward with NGINX Management Suite Instance Manager. If you’re enrolled in a commercial program like the F5 Flex Consumption Program,you’ll need to regularly report this data to F5.
Start by installing NGINX Instance Manager on a dedicated host. Then, configure your NGINX Plus systems to report back to Instance Manager. Once connected, you can easily view and report on your NGINX Plus inventory using the NGINX Instance Manager REST API or web interface. You can send these reports to your F5 contact as needed.
Tip for Automated Reporting
To set up automatic reporting, add your JWT-based license to NGINX Instance Manager. This license can be downloaded from MyF5 if needed.
Prerequisites
Install NGINX Instance Manager on a dedicated host
Note:
A separate license for NGINX Instance Manager is not required to track your NGINX product usage.
To start reporting on your NGINX Plus installations, you’ll first need to install NGINX Instance Manager on a dedicated host. You can choose between two installation options: either on a virtual machine or bare metal server, or by deploying on a Kubernetes cluster. Instructions for both methods are below:
Virtual Machine or Bare Metal
Kubernetes
View your NGINX Plus and NGINX App Protect Inventory
After you’ve installed NGINX Instance Manager, the next step involves configuring your NGINX Plus data plane to report back. This can be done in several ways. In NGINX Plus Release 31, native usage reporting is enabled by default. If you are using an earlier version of NGINX Plus, you can install NGINX Agent on each instance or you can set up HTTP Health Checks, which don’t require additional installations. All methods enable your instances to communicate with Instance Manager.
Set up instance reporting for NGINX Plus
Select the tab that matches your preferred method for setting up reporting:
- Configure native usage reporting (since NGINX Plus Release 31)
- Install NGINX Agent
- Configure HTTP Health Check for NGINX Plus without NGINX Agent
Since Release 31, NGINX Plus provides a built-in support for reporting of your NGINX Plus instances to NGINX Instance Manager without the need of installing NGINX Agent or tuning HTTP Health checks. If you participate in the F5 Flex Consumption Program, you will no longer need to manually track your NGINX Plus instances.
Usage reporting is enabled by default. At each startup, NGINX Plus attempts to discover NGINX Instance Manager via a DNS lookup of the nginx-mgmt.local
hostname. Then NGINX Plus establishes a TLS connection to NGINX Instance Manager and every 30
minutes reports its version number, hostname, and identifier.
If NGINX instance reporting is not configured or NGINX Plus cannot provide its usage information to NGINX Instance Manager, a warning message will be logged.
Parameters customization can be done with the ngx_mgmt_module
module, in particular if you need to:
-
use mTLS for enhanced security (recommended)
-
define a custom resolver
-
use an IP address or a different hostname to identify NGINX Instance Manager
-
specify other custom parameters such as reporting time, path to the reporting file, etc.
Enabling Mutual Client Certificate Auth Setup (mTLS)
It is highly recommended to secure and authorize NGINX Plus instance with NGINX Instance Manager by using client certificates unique to each endpoint.
-
Obtain a certificate, a key, and a CA certificate on both the NGINX Instance Manager and NGINX Plus instance. See the Secure Traffic with Certificates for instructions on how to generate keys.
-
In the configuration file of NGINX Plus instance, on the
main
level, add themgmt
block:mgmt { #... }
-
Set up a HTTPS server that accepts and terminates the traffic from NGINX Instance Manager. Inside the
mgmt
block, specify the path to the client certificate and private key file with thessl_certificate
andssl_certificate_key
directives:mgmt { ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers DEFAULT; ssl_certificate client_cert.pem; ssl_certificate_key client_cert.key; #... }
While the server certificate is a public entity and is sent to NMS, the private key is a secure entity and should be stored in a file with restricted access.
-
Configure the verification of the NMS server certificate to validate the authenticity of NMS:
mgmt { #... ssl_trusted_certificate trusted_ca_cert.crt; ssl_verify on; ssl_verify_depth 2; }
Full configuration:
mgmt { resolver 10.0.0.1; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers DEFAULT; ssl_certificate client_cert.pem; ssl_certificate_key client_cert.key; ssl_trusted_certificate trusted_ca_cert.crt; ssl_verify on; ssl_verify_depth 2; }
-
Reload the NGINX Plus configuration:
sudo nginx -s reload
-
Make the corresponding changes on the NGINX Instance Manager server side. See Secure Client Access and Network Traffic for NMS
Specifying a custom resolver
If there is a custom DNS server in your corporate network, you can specify its address with the resolver
directive in the mgmt
block:
mgmt {
resolver 10.0.0.1;
#...
}
By default, NGINX Plus re-resolves DNS records at the frequency specified by time‑to‑live (TTL) in the record, but you can override the TTL value with the valid parameter; in the example it is 300
seconds, or 5
minutes.
Also, the optional ipv6=off
parameter means only IPv4 addresses are used, though resolving of both IPv4 and IPv6 addresses is supported by default:
mgmt {
resolver 10.0.0.1 valid=300s ipv6=off;
#...
}
To make the resolver statistics appear in Live Activity Monitoring Dashboard), specify the status_zone
parameter of the resolver
directive:
mgmt {
resolver 10.0.0.1 status_zone=resolver-zone1;
#...
}
Defining custom address for NGINX Instance Manager
There are several ways to configure the address of NGINX Instance Manager:
-
(recommended) add an
A
record to your local DNS that will associate the default hostname with the IP address of the system running NGINX Instance Manager -
set the address with the
endpoint
parameter of theusage_report
directive, by default the address isnginx-mgmt.local
:mgmt { resolver 10.0.0.1; usage_report endpoint=nms.local interval=15m; #... }
If the name resolves into several IP addresses, the first IP address will be used.
Configuration Example
#...
mgmt {
usage_report endpoint=nginx-mgmt.local interval=30m;
resolver DNS_IP;
uid_file /var/lib/nginx/nginx.id;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers DEFAULT;
ssl_certificate client_cert.pem;
ssl_certificate_key client_cert.key;
ssl_trusted_certificate trusted_ca_cert.crt;
ssl_verify on;
ssl_verify_depth 2;
}
#...
When you install NGINX Agent on an NGINX Plus instance, it will establish a connection with Instance Manager and begin transmitting usage data.
-
To install NGINX Agent, follow these instructions.
-
(Optional) If you’re using Instance Manager primarily for tracking NGINX Plus usage, you can optimize performance by modifying the NGINX Agent configuration. Add this line to /etc/nginx-agent/nginx-agent.conf:
features: registration,dataplane-status
Note:
If you upgrade to the full version of Instance Manager later, remove thefeatures: registration,dataplane-status
line from the configuration. This change will enable NGINX Agent to collect a broader range of metrics and manage configurations remotely.
You can track NGINX Plus instances using an HTTP Health Check without installing NGINX Agent. This involves updating the NGINX Plus configuration file. Follow these steps:
-
Open the NGINX Plus configuration file (/etc/nginx/conf.d) and insert the following code within the
http {}
block:### F5 / NGINX Required Configuration Code ### ### Insert the following into the http {} block of your NGINX configuration file ### keyval_zone zone=uuid:32K state=/var/lib/nginx/state/instance_uuid.json; keyval 1 $nginx_uuid zone=uuid; upstream receiver { zone receiver 64k; # REQUIRED: Update NMS_FQDN with NGINX Instance Manager IP Address or hostname. # If configuring with hostname, please ensure to uncomment the resolver # directive below and define a DNS server that can resolve the hostname. server NMS_FQDN:443; # OPTIONAL: Update DNS_UP with DNS server IP address that can resolve # the hostname defined above. #resolver DNS_IP; } map CERT $repo_crt { # OPTIONAL: Location of client certificate #default /etc/ssl/nginx/nginx-client.crt; } map KEY $repo_key { # OPTIONAL: Location of client certificate private key #default /etc/ssl/nginx/nginx-client.key; } server { location @ngx_usage_https { # OPTIONAL: Configure scheme (http|https) here proxy_pass https://receiver; # REQUIRED: If using NGINX APP PROTECT (NAP) on this instance, set nap=active on the following line: proxy_set_header Nginx-Usage "Version=$nginx_version;Hostname=$hostname;uuid=$nginx_uuid;nap=inactive"; health_check uri=/api/nginx-usage interval=1800s; # DO NOT MODIFY proxy_ssl_certificate $repo_crt; # DO NOT MODIFY proxy_ssl_certificate_key $repo_key; # DO NOT MODIFY } location @self { health_check uri=/_uuid interval=1d; proxy_pass http://self; } location = /_uuid { if ($nginx_uuid !~ .) { set $nginx_uuid $request_id; } return 204; } listen unix:/tmp/ngx_usage.sock; } upstream self { zone self 64k; server unix:/tmp/ngx_usage.sock; } ### End of F5 / NGINX Required Configuration Code ###
-
Modify the configuration to suit your specific NGINX Instance Manager installation:
- Update the
NMS_FQDN
variable in theupstream receiver
block with your Instance Manager hostname or IP address. If using a private DNS, uncomment and update the resolver with your DNS IP Address. - If your Instance Manager server requires client SSL certification, specify the locations of the SSL certificate and key in the
map CERT
andmap KEY
blocks. For more details, see Securing HTTP Traffic to Upstream Servers. - If you’re using NGINX App Protect, change
nap=inactive
tonap=active
in thelocation @ngx_usage_https
block. - Optionally, you can limit access to the
/api/nginx-usage
location on your NGINX Instance Manager server based on client network address. For guidance on how to do this, refer to Module ngx_http_access_module.
- Update the
-
Save the changes.
Important:
If you install NGINX Agent later, remove this configuration to prevent double-counting instances.
Reporting your NGINX Plus inventory to F5
Follow these steps to view and export the list of NGINX Plus instances that have successfully registered with Instance Manager:
In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select Instance Manager from the Launchpad menu.
- On the left menu, select NGINX Plus.
- To download a list of your NGINX Plus instances, select Export. Note that the export will include only the instances on the current page. You can then forward this list to your F5 representative.
View your NGINX Ingress Controller instances and nodes
You can set up your Kubernetes-based NGINX Plus products, including NGINX Ingress Controller and Connectivity Stack for Kubernetes, to report usage data to NGINX Instance Manager.
Set up usage reporting for NGINX Ingress Controller
Follow the instructions in the Enabling Usage Reporting guide to enable usage reporting for NGINX Ingress Controller.
Reporting your NGINX Ingress Controller clusters to F5
To report your NGINX Ingress Controller clusters to F5, follow these steps:
-
Run the following command in your terminal to get a list of NGINX Ingress Controller instances and nodes in your cluster. Remember to replace
<NMS_FQDN>
with the fully-qualified domain name of your NGINX Instance Manager host:curl -X GET --url "https://<NMS_FQDN>/api/platform/v1/k8s-usage"
-
Once you have the list of instances and nodes, send it to your F5 representative.