Hayden

If you’re currently operating NGINX Plus as your web server and load balancer or considering its adoption, understanding F5’s recent licensing policy changes and lifecycle management policies is crucial. The JWT licensing policy introduced with NGINX Plus R33 in November 2024 has direct implications for all users. This guide provides comprehensive details on NGINX Plus’s current licensing framework, EOS/EOL schedules, and essential information for technical teams.

NGINX Plus is F5’s commercial web server and application delivery platform built on open-source NGINX. Starting with NGINX Plus R33, all NGINX Plus instances require a valid JSON Web Token (JWT) license, representing a significant shift aligned with F5’s entitlement and visibility policies.

 

 

1. Key Changes in JWT Licensing Policy

Mandatory License File Requirements

All NGINX Plus instances starting from R33 require a valid JWT license file. This license is tied to your subscription (not individual instances) and must be stored at:

  • Linux: /etc/nginx/license.jwt
  • FreeBSD: /usr/local/etc/nginx/license.jwt
  • Custom Path: Configurable via the license_token directive in the mgmt context

Usage Reporting System

NGINX Plus automatically sends usage reports to F5’s licensing endpoint (product.connect.nginx.com) every hour. Key characteristics of this system:

Aspect Details
Reporting Frequency Hourly automatic transmission
Initial Report Required immediately after installation or upgrade
Offline Environments Routed through NGINX Instance Manager 2.18+
Grace Period 180 days (for subsequent reporting failures)

Critical: If the initial usage report fails, NGINX Plus immediately stops processing traffic, making network connectivity and firewall configuration verification essential beforehand.

 

 

2. License Models and Pricing Policy

Per-Instance Licensing

NGINX products are licensed “per instance,” with each subscription allowing one single instance of the software for the subscription period.

Pricing Structure

NGINX Plus offers three pricing editions ranging from $849 to $2,099, with a free trial available.

License Type Features Use Case
Standard Basic load balancing and proxy features Small to medium deployments
Professional Advanced monitoring and API management Enterprise environments
Enterprise Full features + priority support Mission-critical systems

 

 

3. NGINX Plus Release and Support Lifecycle

Current Release Status (2025)

Release Release Date Base NGINX Version 24-Month Support End Key Changes
R35 November 2024 1.29.0 November 2026 OIDC RP-Initiated Logout, QuickJS ES2023 support
R34 April 2024 1.27.4 April 2026 Native OIDC module, proxy usage reporting
R33 November 19, 2024 1.27.2 November 2026 Mandatory JWT licensing, usage reporting
R32 December 19, 2023 1.25.3 December 2025 SSL certificate caching, Stream Pass module
R31 October 2023 1.25.2 October 2025 Native NGINX usage reporting
R30 July 2023 1.25.1 July 2025 Native QUIC+HTTP/3 support, per-worker telemetry

Major Historical Releases and EOL Status

Release Release Date Base NGINX Version 24-Month Support End EOL Status Key Changes
R29 March 2023 1.23.4 March 2025 ⚠️ Near EOL MQTT protocol, SAML authentication, OpenTelemetry
R28 August 2022 1.23.2 August 2024 ❌ EOL Complete Additional TLS metrics, PROXY protocol v2
R27 February 15, 2022 1.21.5 February 2024 ❌ EOL Complete Enhanced ALPN support, JWT error code customization
R26 September 28, 2021 1.21.3 September 2023 ❌ EOL Complete Nested JWT support, API v7 updates
R25 June 2021 1.20.2 June 2023 ❌ EOL Complete JWT custom checks, HTTP health check improvements
R24 March 2021 1.19.8 March 2023 ❌ EOL Complete Encrypted JWT (JWE) support, F5 Device ID+ integration
R23 December 2020 1.19.4 December 2022 ❌ EOL Complete gRPC health checks, native cookie flags support

Historical Major Releases (Reference)

Release Release Year Major Milestone EOL Status
R18 2019 OpenTracing module introduction (deprecated in R34) ❌ EOL Complete
R17 2018 TLS 1.3 support, two-stage rate limiting ❌ EOL Complete
R15 2018 gRPC proxy, HTTP/2 server push, OpenID Connect ❌ EOL Complete
R14 2017 Enhanced JWT authentication, nested claims support ❌ EOL Complete
R12 2017 Configuration sharing, production-ready nginScript ❌ EOL Complete
R10 2016 Initial JWT support ❌ EOL Complete
R5 2015 TCP load balancing introduction ❌ EOL Complete

Technical Support Policy

F5 provides 24 months of technical support for each NGINX Plus release, beginning from the initial release date of each version.

Support Phase Policy

Phase Duration Services Provided
Active Support 24 months post-release Full technical support, bug fixes
Security Support Latest 2 releases only Critical bug patches and security updates only
End of Support After 24 months Support terminated

 

 

4. EOS (End of Software Development) Policy

Software Development End Schedule

Each NGINX Plus release reaches EoSD (End of Software Development) on the release date of the next version. After EoSD, no additional features or routine bug fixes are applied to that version.

Current Support Status (August 2025)

Release EOS Status Security Support 24-Month Support Remaining Recommendation
R35 Active ✅ Supported 15 months Production recommended
R34 Active ✅ Supported 8 months Safe
R33 EoSD ⚠️ Security only 15 months Consider upgrade
R32 EoSD ⚠️ Security only 4 months Upgrade planning needed
R31 EoSD ❌ Support ending soon 2 months Immediate upgrade required
R30 EoSD ❌ Support ending soon -1 month (expired) Immediate upgrade required
R29 and below EOL ❌ Support ended Immediate upgrade mandatory

Module-Specific EOL Schedule

1. ModSecurity WAF Module

  • EOL Date: March 31, 2024 (completed)
  • Impact: ModSecurity packages completely removed from NGINX Plus repository
  • Alternative: Migration to NGINX App Protect WAF required

2. OpenTracing Module

  • Introduction: NGINX Plus R18 (2019)
  • Deprecated: NGINX Plus R32 (December 2023)
  • Complete Removal: Scheduled for NGINX Plus R34
  • Alternative: OpenTelemetry Distributed Tracing module recommended (introduced in R29)

3. Cookie-Flag Module (Third-party)

  • Deprecated: NGINX Plus R23 (December 2020)
  • Complete Removal: NGINX Plus R26 (September 2021)
  • Alternative: Use proxy_cookie_flags directive

4. SSL Directive (Legacy)

  • Deprecated: NGINX 1.15.0
  • Complete Removal: NGINX Plus R30 (July 2023)
  • Alternative: Use ssl parameter of listen directive

5. HTTP/2 Server Push Support

  • Introduction: NGINX Plus R15 (2018)
  • Complete Removal: NGINX Plus R30 (July 2023)
  • Reason: Used in only 0.04% of sessions per IETF 102, disabled in Chrome 106

Platform-Specific EOL Schedule

Operating System Support End Status

Operating System Support End Release End Date Status
CentOS 8.1+ R27 December 31, 2021 ❌ Support ended
Power 8 (ppc64le) R28 August 2022 ❌ Support ended
Ubuntu 14.04 R19 2019 ❌ Support ended
FreeBSD 10.4, 11.1 R17 2018 ❌ Support ended
Debian 7 (Wheezy) R14 2017 ❌ Support ended

New Platform Support Additions

Operating System Support Start Release Notes
Ubuntu 22.04 LTS R28 Long-term support
Amazon Linux 2 R24 OpenSSL 1.1 dependency
Ubuntu 17.10 R14

API Version Support Status

NGINX Plus API Evolution

API Version Introduction Release Key Changes Support Status
API v9 R30 Per-worker connection metrics ✅ Current
API v8 R28 TLS handshake error metrics ✅ Supported
API v7 R26 HTTP status code statistics ✅ Supported
API v6 R24 gRPC health checks ✅ Supported
Status/Upstream Conf API ~R15 Completely removed in 2018 ❌ Support ended

Packaging and Repository Changes

Repository Change History

Repository Usage Period Current Status Migration
plus-pkgs.nginx.com ~R25 Completely decommissioned in R29 Must use pkgs.nginx.com
pkgs.nginx.com R24~ ✅ Currently active

PGP Key Updates

Change Timeline Impact
Existing key expiration June 16, 2024 Signature verification failure
Key expiration extension Handled in R32 Existing package verification possible
New key generation Future releases For new packages

 

 

5. License Expiration and Renewal Policy

Impact of Subscription Expiration

After your support contract expires, you are no longer licensed to use NGINX Plus or receive support from NGINX. You cannot access NGINX Plus updates and must stop and delete your NGINX Plus instances.

Renewal Process

  1. Advance Notification: F5 proactively notifies all subscribers when updates are available
  2. Renewal Procedure: Subscription renewal through MyF5 portal
  3. New JWT Download: New JWT license file issued upon renewal
  4. Deployment: Batch deployment via Config Sync Group or Instance Group recommended

 

 

6. Version-Specific Migration Guide and Checklists

Essential Tasks for R33+ Upgrades

Pre-Migration Checklist

Item Description Complete
JWT License Preparation Download JWT file from MyF5 portal
Network Connectivity Check Verify access to product.connect.nginx.com:443
Firewall Policy Update Allow outbound HTTPS connections
Offline Environment Prep Install NGINX Instance Manager 2.18+
Backup and Rollback Plan Backup existing config files and data

Step-by-Step Upgrade Procedure

  1. JWT License Deployment 
    # Verify license file location
sudo mkdir -p /etc/nginx
sudo cp license.jwt /etc/nginx/license.jwt
sudo chown nginx:nginx /etc/nginx/license.jwt
sudo chmod 600 /etc/nginx/license.jwt
  2. Configuration File Updates 
    # nginx.conf additional settings
mgmt {
    usage_report endpoint=product.connect.nginx.com:443;
    enforce_initial_report on;
}
  3. Offline Environment Configuration (if needed) 
    mgmt {
    usage_report endpoint=internal-nim.company.com:443;
    enforce_initial_report on;
    license_token /custom/path/license.jwt;
}

Major Release-Specific Upgrade Considerations

Upgrading to R35

  • OIDC RP-Initiated Logout functionality available
  • QuickJS ES2023 full support enables njs script modernization
  • CVE-2025-53859 security patch applied

Upgrading to R34

  • Proxy usage reporting support resolves network constraints
  • Native OIDC module introduction simplifies authentication
  • SNI-related security issue (CVE-2025-23419) patched

Upgrading to R33 (Mandatory)

  • JWT licensing system complete transition
  • Usage reporting mandatory activation
  • 180-day grace period configuration option

Legacy Module Migration Guide

1. ModSecurity → NGINX App Protect Migration

# Legacy ModSecurity configuration (no longer supported)
# load_module modules/ngx_http_modsecurity_module.so;
# modsecurity on;
# modsecurity_rules_file /etc/nginx/modsec/main.conf;

# NGINX App Protect alternative
load_module modules/ngx_http_app_protect_module.so;
app_protect_enable on;
app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json";
app_protect_security_log_enable on;
app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=127.0.0.1:514;

2. OpenTracing → OpenTelemetry Migration

# Legacy OpenTracing configuration (removal scheduled for R34)
# load_module modules/ngx_http_opentracing_module.so;
# opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/jaeger-config.json;
# opentracing on;

# OpenTelemetry alternative
load_module modules/ngx_http_otel_module.so;
otel_exporter {
    endpoint http://jaeger:14268/api/traces;
}
otel_trace on;

3. Legacy SSL Directive Migration

# Legacy approach (removed in R30)
# server {
#     listen 443;
#     ssl on;
# }

# Recommended approach
server {
    listen 443 ssl;
    listen [::]:443 ssl;
}

Special Considerations for Offline Environments

NGINX Instance Manager Configuration

# /etc/nginx/nginx.conf
mgmt {
    usage_report endpoint=nim.internal.company:443 interval=1h;
    enforce_initial_report on;
    license_token /etc/nginx/license.jwt;
}

# NIM to F5 forwarding configuration (requires NIM 2.18+)

Firewall Rules Example

# Allow outbound HTTPS
sudo iptables -A OUTPUT -p tcp --dport 443 -d product.connect.nginx.com -j ACCEPT

# Allow connection to internal NIM
sudo iptables -A OUTPUT -p tcp --dport 443 -d nim.internal.company -j ACCEPT

Monitoring and Verification Methods

License Status Verification

# Verify license file
sudo nginx -t
sudo ls -la /etc/nginx/license.jwt

# Check usage reporting in logs
sudo tail -f /var/log/nginx/error.log | grep -E "(usage|report|license)"

# License status via API
curl http://localhost:8080/api/9/nginx

Post-Upgrade Verification Checklist

Verification Item Command/Method Expected Result
Configuration Syntax nginx -t syntax is ok
License Loading Log verification No license-related ERRORs
Usage Reporting Log monitoring Hourly reporting success
Service Health systemctl status nginx active (running)
API Response curl localhost:8080/api JSON response

Emergency Response Guide

License Reporting Failure Response

  1. Immediate Response (within 180-day grace period) 
    # Check network connectivity
telnet product.connect.nginx.com 443

# Verify DNS resolution  
nslookup product.connect.nginx.com

# Check proxy configuration
echo $https_proxy
  2. Temporary Grace Period Activation 
    mgmt {
    usage_report endpoint=product.connect.nginx.com:443;
    enforce_initial_report off;  # Temporarily disable
}

Rollback Procedure

# 1. Stop service
sudo systemctl stop nginx

# 2. Restore previous version
sudo yum downgrade nginx-plus

# 3. Restore configuration files
sudo cp /etc/nginx/nginx.conf.backup /etc/nginx/nginx.conf

# 4. Restart service
sudo systemctl start nginx

 

 

For stable NGINX Plus operations, it’s crucial to understand licensing policies and support lifecycles while establishing regular update plans. Particularly important is reviewing network configurations and license management processes in response to JWT licensing changes.

 

Leave a Reply