About subscription licenses
We’re updating NGINX Plus to align with F5’s entitlement and visibility policy, bringing benefits like fair and compliant usage, better visibility into license management, and improved customer support.
Starting with NGINX Plus R33, all NGINX Plus instances require a valid JSON Web Token (JWT) license. This license is tied to your subscription (not individual instances) and is used to validate your subscription and automatically send usage reports to F5’s licensing endpoint (product.connect.nginx.com), as required by your subscription agreement. In offline environments, usage reporting is routed through NGINX Instance Manager.
If you have multiple subscriptions, you’ll also have multiple JWT licenses. You can assign each NGINX Plus instance to the license you prefer. NGINX combines usage reporting across all licensed instances.
This feature is available in NGINX Instance Manager 2.20 and later.
- The JWT license is missing or invalid.
- The JWT license expired over 90 days ago.
-
It can’t submit an initial usage report to F5’s licensing endpoint or NGINX Instance Manager.
If the first report fails, NGINX Plus immediately stops processing traffic and logs an
EMERGmessage. NGINX Plus will attempt to report every minute, and traffic processing will resume once the initial report succeeds. If you need time to prepare for usage reporting, see Postpone reporting enforcement. -
It hasn’t submitted a usage report in the last 180 days (for subsequent reports).
Once the first successful report is made, NGINX Plus saves a record of the transaction. If subsequent reports fail, a 180-day reporting grace period starts, beginning from the last successful report. During this period, NGINX Plus will continue to operate normally, even during reloads, restarts, or reboots. However, if reporting isn’t restored by the end of the grace period, NGINX Plus will stop processing traffic.
When installing or upgrading to NGINX Plus R33 or later, take the following steps:
- Download and add a valid JWT license to each NGINX Plus instance.
- Set up your environment to allow NGINX Plus to send usage reports.
- Log in to MyF5.
- Go to My Products & Plans > Subscriptions to see your active subscriptions.
- Find your NGINX products or services subscription, and select the Subscription ID for details.
- Download the JSON Web Token from the subscription page.
After you download the JWT license, you can deploy it to your NGINX Plus instances using either of the following methods:
- Use a Config Sync Group if you’re managing instances with the NGINX One Console (recommended)
- Copy the license manually to each instance
Each method ensures your NGINX Plus instances have access to the required license file.
If you’re using the NGINX One Console, the easiest way to manage your JWT license is with a Config Sync Group. This method lets you:
- Avoid manual file copying
- Keep your fleet consistent
- Automatically apply updates to new NGINX Plus instances
To deploy the JWT license with a Config Sync Group:
-
In the NGINX One Console, go to Manage > Config Sync Groups, then select your group.
If you haven’t created a Config Sync Group yet, see Manage Config Sync Groups for setup instructions.
-
Select the Configuration tab, then choose Edit Configuration.
-
Select Add File, then choose New Configuration File.
-
In the File name field, enter:
- On Linux:
/etc/nginx/license.jwt - On FreeBSD:
/usr/local/etc/nginx/license.jwt
The name must be exact.
- On Linux:
-
Paste the contents of your JWT license file into the editor.
-
Select Next to preview the diff, then Save and Publish to apply the update.
Your JWT license now syncs to all NGINX Plus instances in the group.
When your subscription renews and a new JWT license is issued, update the file in the Config Sync Group to apply the change across your fleet.
New instances added to the group automatically inherit the license.
If you’re using NGINX Instance Manager If you’re using NGINX Instance Manager instead of the NGINX One Console, the equivalent feature is called an instance group. You can manage your JWT license in the same way by adding or updating the file in the instance group. For details, see Manage instance groups.
If you’re not using the NGINX One Console, copy the JWT license file to each NGINX Plus instance manually.
-
Copy the license file to:
/etc/nginx/license.jwton Linux/usr/local/etc/nginx/license.jwton FreeBSD
-
Reload NGINX:
systemctl reload nginx
If SELinux is enabled:
Set the correct file context so NGINX can read the license:
chcon -t httpd_config_t /etc/nginx/license.jwtIf you plan to use a custom path for the license file, note that custom paths won’t work until after the R33 upgrade. You’ll need to create a placeholder file at /etc/nginx/license.jwt or /usr/local/etc/nginx/license.jwt on FreeBSD before upgrading.
-
Before upgrading: Create the placeholder file by running:
touch /etc/nginx/license.jwt -
After upgrading: Update the
license_tokendirective in the NGINX configurationmgmtblock to point to your custom path:mgmt { license_token <custom_path>; }
To ensure NGINX Plus R33 or later can send usage reports, follow these steps based on your environment:
-
Allow outbound HTTPS traffic on TCP port
443to communicate with F5’s licensing endpoint (product.connect.nginx.com). Ensure that the following IP addresses are allowed:3.135.72.1393.133.232.5052.14.85.249
-
(Optional, R34 and later) If your company enforces a strict outbound traffic policy, you can use an outbound proxy for establishing an end-to-end tunnel to the F5 licensing endpoint. On each NGINX Plus instance, update the
proxydirective in themgmtblock of the NGINX configuration (/etc/nginx/nginx.conf) to point to the company’s outbound proxy server:mgmt { proxy PROXY_ADDR:PORT; #can be http or https proxy_username USER; #optional proxy_password PASS; #optional }
In environments where NGINX Plus instances cannot access the internet, you’ll need NGINX Instance Manager to handle usage reporting.
To configure NGINX Plus R33 or later to report usage data to NGINX Instance Manager:
-
Open port
443for NGINX Instance Manager. -
On each NGINX Plus instance, update the
usage_reportdirective in themgmtblock of the NGINX configuration (/etc/nginx/nginx.conf) to point to your NGINX Instance Manager host:mgmt { usage_report endpoint=<NGINX-INSTANCE-MANAGER-FQDN>; }Extra steps for self-signed certificates If you use self-signed certificates in your NGINX Instance Manager environment, follow the steps in Configure SSL verification for usage reporting with self-signed certificates. -
Reload NGINX:
systemctl reload nginx
To send NGINX Plus usage reports to F5, follow the instructions in Submit usage reports to F5 from NGINX Instance Manager.
To give yourself more time to submit the initial usage report, you can postpone reporting by setting enforce_initial_report to off. This change enables a 180-day reporting grace period, during which NGINX Plus will operate normally while still attempting to report.
# Modify this directive to start the 180-day grace period for initial reporting.
mgmt {
enforce_initial_report off;
}Important After 180 days, if usage reporting still hasn’t been established, NGINX Plus will stop processing traffic.
Monitor the NGINX error log, typically located at /var/log/nginx/error.log, for subscription-related issues — such as failed usage reports or approaching license expirations — to catch problems early and keep your subscription compliant.
Examples of subscription-related log entries include:
-
Failure to upload usage reports:
[error] 36387#36387: server returned 500 for <fqdn>:<port> during usage report [error] 36528#36528: <fqdn>:<port> could not be resolved (host not found) during usage report [error] 36619#36619: connect() failed (111: Connection refused) for <fqdn>:<port> during usage report [error] 38888#88: server returned 401 for <ip_address>:443 during usage report -
License approaching expiration:
[warn] license will expire in 14 days -
License expiration:
[alert] license expiry; grace period will end in 89 days [emerg] license expiredImportant When a license expires, NGINX Plus stops processing traffic.
NGINX Plus automatically sends usage data to F5 every hour by default. This data is sent as a POST request and includes details like how much traffic is processed and how long the instance has been running. Here’s an example of the data that’s sent:
{
"version": "<nginx_version>",
"uuid": "<nginx_uuid>",
"nap": "<active/inactive>", // status of NGINX App Protect
"http": {
"client": {
"received": 0, // bytes received
"sent": 0, // bytes sent
"requests": 0 // number of HTTP requests processed
},
"upstream": {
"received": 0, // bytes received
"sent": 0 // bytes sent
}
},
"stream": {
"client": {
"received": 0, // bytes received
"sent": 0 // bytes sent
},
"upstream": {
"received": 0, // bytes received
"sent": 0 // bytes sent
}
},
"workers": 0, // number of worker processes running
"uptime": 0, // number of seconds the instance has been running
"reloads": 0, // number of times the instance has been reloaded
"start_time": "epoch", // start time of data collection for the report
"end_time": "epoch" // end time of data collection for the report
}For detailed instructions on installing or upgrading NGINX Plus, visit the NGINX Plus installation guide.
For full details about the mgmt module and its directives, visit the Module ngx_mgmt_module reference guide.
The instructions below use the terms “internet-connected” and “network-restricted” to describe how NGINX Instance Manager accesses the internet.
- Internet-connected: Follow the steps in Add license.
- Network-restricted: Follow the steps in Add a license in a disconnected environment.
- Internet-connected: Follow the steps in Report usage to F5.
- Network-restricted: Follow the steps in Report usage to F5 in a disconnected environment.
For details on installing or upgrading NGINX App Protect WAF, visit the guide for the respective version:
For detailed instructions on installing or upgrading NGINX App Protect DoS, visit the NGINX App Protect DoS installation guide.