About subscription licenses
We’re updating NGINX Plus to align with F5’s entitlement and visibility policy, bringing benefits like fair and compliant usage, better visibility into license management, and improved customer support.
Starting with NGINX Plus R33, all NGINX Plus instances require a valid JSON Web Token (JWT) license. This license is tied to your subscription (not individual instances) and is used to validate your subscription and automatically send usage reports to F5’s licensing endpoint (product.connect.nginx.com), as required by your subscription agreement. In offline environments, usage reporting is routed through NGINX Instance Manager.
- The JWT license is missing or invalid.
- The JWT license expired over 90 days ago.
-
It can’t submit an initial usage report to F5’s licensing endpoint or NGINX Instance Manager.
If the first report fails, NGINX Plus immediately stops processing traffic and logs an
EMERGmessage. NGINX Plus will attempt to report every minute, and traffic processing will resume once the initial report succeeds. If you need time to prepare for usage reporting, see Postpone reporting enforcement. -
It hasn’t submitted a usage report in the last 180 days (for subsequent reports).
Once the first successful report is made, NGINX Plus saves a record of the transaction. If subsequent reports fail, a 180-day reporting grace period starts, beginning from the last successful report. During this period, NGINX Plus will continue to operate normally, even during reloads, restarts, or reboots. However, if reporting isn’t restored by the end of the grace period, NGINX Plus will stop processing traffic.
When installing or upgrading to NGINX Plus R33 or later, take the following steps:
- Download and add a valid JWT license to each NGINX Plus instance.
- Set up your environment to allow NGINX Plus to send usage reports.
Before you install or upgrade to NGINX Plus R33 or later, make sure to:
- Log in to MyF5.
- Go to My Products & Plans > Subscriptions to see your active subscriptions.
- Find your NGINX products or services subscription, and select the Subscription ID for details.
- Download the JSON Web Token from the subscription page.
-
Copy the license file to
/etc/nginx/license.jwton Linux or/usr/local/etc/nginx/license.jwton FreeBSD for each NGINX Plus instance. -
Reload NGINX:
systemctl reload nginx
If SELinux is enabled:
Set the correct file context so NGINX can read the license:
chcon -t httpd_config_t /etc/nginx/license.jwtIf you plan to use a custom path for the license file, note that custom paths won’t work until after the R33 upgrade. You’ll need to create a placeholder file at /etc/nginx/license.jwt or /usr/local/etc/nginx/license.jwt on FreeBSD before upgrading.
-
Before upgrading: Create the placeholder file by running:
touch /etc/nginx/license.jwt -
After upgrading: Update the
license_tokendirective in the NGINX configurationmgmtblock to point to your custom path:mgmt { license_token <custom_path>; }
To ensure NGINX Plus R33 or later can send usage reports, follow these steps based on your environment:
-
Allow outbound HTTPS traffic on TCP port
443to communicate with F5’s licensing endpoint (product.connect.nginx.com). Ensure that the following IP addresses are allowed:3.135.72.1393.133.232.5052.14.85.249
-
(Optional, R34 and later) If your company enforces a strict outbound traffic policy, you can use an outbound proxy for establishing an end-to-end tunnel to the F5 licensing endpoint. On each NGINX Plus instance, update the
proxydirective in themgmtblock of the NGINX configuration (/etc/nginx/nginx.conf) to point to the company’s outbound proxy server:mgmt { proxy PROXY_ADDR:PORT; #can be http or https proxy_username USER; #optional proxy_password PASS; #optional }
In environments where NGINX Plus instances cannot access the internet, you’ll need NGINX Instance Manager to handle usage reporting.
To configure NGINX Plus R33 or later to report usage data to NGINX Instance Manager:
-
Open port
443for NGINX Instance Manager. -
On each NGINX Plus instance, update the
usage_reportdirective in themgmtblock of the NGINX configuration (/etc/nginx/nginx.conf) to point to your NGINX Instance Manager host:mgmt { usage_report endpoint=<NGINX-INSTANCE-MANAGER-FQDN>; }Extra steps for self-signed certificates
If you use self-signed certificates in your NGINX Instance Manager environment, follow the steps in Configure SSL verification for usage reporting with self-signed certificates. -
Reload NGINX:
systemctl reload nginx
To send NGINX Plus usage reports to F5, follow the instructions in Submit usage reports to F5 from NGINX Instance Manager.
To give yourself more time to submit the initial usage report, you can postpone reporting by setting enforce_initial_report to off. This change enables a 180-day reporting grace period, during which NGINX Plus will operate normally while still attempting to report.
# Modify this directive to start the 180-day grace period for initial reporting.
mgmt {
enforce_initial_report off;
}Important After 180 days, if usage reporting still hasn’t been established, NGINX Plus will stop processing traffic.
Monitor the NGINX error log, typically located at /var/log/nginx/error.log, for subscription-related issues — such as failed usage reports or approaching license expirations — to catch problems early and keep your subscription compliant.
Examples of subscription-related log entries include:
-
Failure to upload usage reports:
[error] 36387#36387: server returned 500 for <fqdn>:<port> during usage report [error] 36528#36528: <fqdn>:<port> could not be resolved (host not found) during usage report [error] 36619#36619: connect() failed (111: Connection refused) for <fqdn>:<port> during usage report [error] 38888#88: server returned 401 for <ip_address>:443 during usage report -
License approaching expiration:
[warn] license will expire in 14 days -
License expiration:
[alert] license expiry; grace period will end in 89 days [emerg] license expiredImportant When a license expires, NGINX Plus stops processing traffic.
NGINX Plus automatically sends usage data to F5 every hour by default. This data is sent as a POST request and includes details like how much traffic is processed and how long the instance has been running. Here’s an example of the data that’s sent:
{
"version": "<nginx_version>",
"uuid": "<nginx_uuid>",
"nap": "<active/inactive>", // status of NGINX App Protect
"http": {
"client": {
"received": 0, // bytes received
"sent": 0, // bytes sent
"requests": 0 // number of HTTP requests processed
},
"upstream": {
"received": 0, // bytes received
"sent": 0 // bytes sent
}
},
"stream": {
"client": {
"received": 0, // bytes received
"sent": 0 // bytes sent
},
"upstream": {
"received": 0, // bytes received
"sent": 0 // bytes sent
}
},
"workers": 0, // number of worker processes running
"uptime": 0, // number of seconds the instance has been running
"reloads": 0, // number of times the instance has been reloaded
"start_time": "epoch", // start time of data collection for the report
"end_time": "epoch" // end time of data collection for the report
}For detailed instructions on installing or upgrading NGINX Plus, visit the NGINX Plus installation guide.
For full details about the mgmt module and its directives, visit the Module ngx_mgmt_module reference guide.
The instructions below use the terms “internet-connected” and “network-restricted” to describe how NGINX Instance Manager accesses the internet.
- Internet-connected: Follow the steps in Add license.
- Network-restricted: Follow the steps in Add a license in a disconnected environment.
- Internet-connected: Follow the steps in Report usage to F5.
- Network-restricted: Follow the steps in Report usage to F5 in a disconnected environment.
For details on installing or upgrading NGINX App Protect WAF, visit the guide for the respective version:
For detailed instructions on installing or upgrading NGINX App Protect DoS, visit the NGINX App Protect DoS installation guide.