NGINX Plus Licensing Policy and EOS/EOL Timeline - 헤이든의 전산실 (Hayden's Server Room)

If you’re currently operating NGINX Plus as your web server and load balancer or considering its adoption, understanding F5’s recent licensing policy changes and lifecycle management policies is crucial. The JWT licensing policy introduced with NGINX Plus R33 in November 2024 has direct implications for all users. This guide provides comprehensive details on NGINX Plus’s current licensing framework, EOS/EOL schedules, and essential information for technical teams.

NGINX Plus is F5’s commercial web server and application delivery platform built on open-source NGINX. Starting with NGINX Plus R33, all NGINX Plus instances require a valid JSON Web Token (JWT) license, representing a significant shift aligned with F5’s entitlement and visibility policies.

Table of Contents

1. Key Changes in JWT Licensing Policy

Mandatory License File Requirements

All NGINX Plus instances starting from R33 require a valid JWT license file. This license is tied to your subscription (not individual instances) and must be stored at:

Linux: /etc/nginx/license.jwt
FreeBSD: /usr/local/etc/nginx/license.jwt
Custom Path: Configurable via the license_token directive in the mgmt context

Usage Reporting System

NGINX Plus automatically sends usage reports to F5’s licensing endpoint (product.connect.nginx.com) every hour. Key characteristics of this system:

Aspect	Details
Reporting Frequency	Hourly automatic transmission
Initial Report	Required immediately after installation or upgrade
Offline Environments	Routed through NGINX Instance Manager 2.18+
Grace Period	180 days (for subsequent reporting failures)

Critical: If the initial usage report fails, NGINX Plus immediately stops processing traffic, making network connectivity and firewall configuration verification essential beforehand.

2. License Models and Pricing Policy

Per-Instance Licensing

NGINX products are licensed “per instance,” with each subscription allowing one single instance of the software for the subscription period.

Pricing Structure

NGINX Plus offers three pricing editions ranging from $849 to $2,099, with a free trial available.

License Type	Features	Use Case
Standard	Basic load balancing and proxy features	Small to medium deployments
Professional	Advanced monitoring and API management	Enterprise environments
Enterprise	Full features + priority support	Mission-critical systems

3. NGINX Plus Release and Support Lifecycle

Current Release Status (2025)

Release	Release Date	Base NGINX Version	24-Month Support End	Key Changes
R35	November 2024	1.29.0	November 2026	OIDC RP-Initiated Logout, QuickJS ES2023 support
R34	April 2024	1.27.4	April 2026	Native OIDC module, proxy usage reporting
R33	November 19, 2024	1.27.2	November 2026	Mandatory JWT licensing, usage reporting
R32	December 19, 2023	1.25.3	December 2025	SSL certificate caching, Stream Pass module
R31	October 2023	1.25.2	October 2025	Native NGINX usage reporting
R30	July 2023	1.25.1	July 2025	Native QUIC+HTTP/3 support, per-worker telemetry

Major Historical Releases and EOL Status

Release	Release Date	Base NGINX Version	24-Month Support End	EOL Status	Key Changes
R29	March 2023	1.23.4	March 2025	⚠️ Near EOL	MQTT protocol, SAML authentication, OpenTelemetry
R28	August 2022	1.23.2	August 2024	❌ EOL Complete	Additional TLS metrics, PROXY protocol v2
R27	February 15, 2022	1.21.5	February 2024	❌ EOL Complete	Enhanced ALPN support, JWT error code customization
R26	September 28, 2021	1.21.3	September 2023	❌ EOL Complete	Nested JWT support, API v7 updates
R25	June 2021	1.20.2	June 2023	❌ EOL Complete	JWT custom checks, HTTP health check improvements
R24	March 2021	1.19.8	March 2023	❌ EOL Complete	Encrypted JWT (JWE) support, F5 Device ID+ integration
R23	December 2020	1.19.4	December 2022	❌ EOL Complete	gRPC health checks, native cookie flags support

Historical Major Releases (Reference)

Release	Release Year	Major Milestone	EOL Status
R18	2019	OpenTracing module introduction (deprecated in R34)	❌ EOL Complete
R17	2018	TLS 1.3 support, two-stage rate limiting	❌ EOL Complete
R15	2018	gRPC proxy, HTTP/2 server push, OpenID Connect	❌ EOL Complete
R14	2017	Enhanced JWT authentication, nested claims support	❌ EOL Complete
R12	2017	Configuration sharing, production-ready nginScript	❌ EOL Complete
R10	2016	Initial JWT support	❌ EOL Complete
R5	2015	TCP load balancing introduction	❌ EOL Complete

Technical Support Policy

F5 provides 24 months of technical support for each NGINX Plus release, beginning from the initial release date of each version.

Support Phase Policy

Phase	Duration	Services Provided
Active Support	24 months post-release	Full technical support, bug fixes
Security Support	Latest 2 releases only	Critical bug patches and security updates only
End of Support	After 24 months	Support terminated

4. EOS (End of Software Development) Policy

Software Development End Schedule

Each NGINX Plus release reaches EoSD (End of Software Development) on the release date of the next version. After EoSD, no additional features or routine bug fixes are applied to that version.

Current Support Status (August 2025)

Release	EOS Status	Security Support	24-Month Support Remaining	Recommendation
R35	Active	✅ Supported	15 months	Production recommended
R34	Active	✅ Supported	8 months	Safe
R33	EoSD	⚠️ Security only	15 months	Consider upgrade
R32	EoSD	⚠️ Security only	4 months	Upgrade planning needed
R31	EoSD	❌ Support ending soon	2 months	Immediate upgrade required
R30	EoSD	❌ Support ending soon	-1 month (expired)	Immediate upgrade required
R29 and below	EOL	❌ Support ended	–	Immediate upgrade mandatory

Module-Specific EOL Schedule

1. ModSecurity WAF Module

EOL Date: March 31, 2024 (completed)
Impact: ModSecurity packages completely removed from NGINX Plus repository
Alternative: Migration to NGINX App Protect WAF required

2. OpenTracing Module

Introduction: NGINX Plus R18 (2019)
Deprecated: NGINX Plus R32 (December 2023)
Complete Removal: Scheduled for NGINX Plus R34
Alternative: OpenTelemetry Distributed Tracing module recommended (introduced in R29)

3. Cookie-Flag Module (Third-party)

Deprecated: NGINX Plus R23 (December 2020)
Complete Removal: NGINX Plus R26 (September 2021)
Alternative: Use proxy_cookie_flags directive

4. SSL Directive (Legacy)

Deprecated: NGINX 1.15.0
Complete Removal: NGINX Plus R30 (July 2023)
Alternative: Use ssl parameter of listen directive

5. HTTP/2 Server Push Support

Introduction: NGINX Plus R15 (2018)
Complete Removal: NGINX Plus R30 (July 2023)
Reason: Used in only 0.04% of sessions per IETF 102, disabled in Chrome 106

Platform-Specific EOL Schedule

Operating System Support End Status

Operating System	Support End Release	End Date	Status
CentOS 8.1+	R27	December 31, 2021	❌ Support ended
Power 8 (ppc64le)	R28	August 2022	❌ Support ended
Ubuntu 14.04	R19	2019	❌ Support ended
FreeBSD 10.4, 11.1	R17	2018	❌ Support ended
Debian 7 (Wheezy)	R14	2017	❌ Support ended

New Platform Support Additions

Operating System	Support Start Release	Notes
Ubuntu 22.04 LTS	R28	Long-term support
Amazon Linux 2	R24	OpenSSL 1.1 dependency
Ubuntu 17.10	R14	–

API Version Support Status

NGINX Plus API Evolution

API Version	Introduction Release	Key Changes	Support Status
API v9	R30	Per-worker connection metrics	✅ Current
API v8	R28	TLS handshake error metrics	✅ Supported
API v7	R26	HTTP status code statistics	✅ Supported
API v6	R24	gRPC health checks	✅ Supported
Status/Upstream Conf API	~R15	Completely removed in 2018	❌ Support ended

Packaging and Repository Changes

Repository Change History

Repository	Usage Period	Current Status	Migration
plus-pkgs.nginx.com	~R25	Completely decommissioned in R29	Must use pkgs.nginx.com
pkgs.nginx.com	R24~	✅ Currently active	–

PGP Key Updates

Change	Timeline	Impact
Existing key expiration	June 16, 2024	Signature verification failure
Key expiration extension	Handled in R32	Existing package verification possible
New key generation	Future releases	For new packages

5. License Expiration and Renewal Policy

Impact of Subscription Expiration

After your support contract expires, you are no longer licensed to use NGINX Plus or receive support from NGINX. You cannot access NGINX Plus updates and must stop and delete your NGINX Plus instances.

Renewal Process

Advance Notification: F5 proactively notifies all subscribers when updates are available
Renewal Procedure: Subscription renewal through MyF5 portal
New JWT Download: New JWT license file issued upon renewal
Deployment: Batch deployment via Config Sync Group or Instance Group recommended

6. Version-Specific Migration Guide and Checklists

Essential Tasks for R33+ Upgrades

Pre-Migration Checklist

Item	Description	Complete
JWT License Preparation	Download JWT file from MyF5 portal	☐
Network Connectivity Check	Verify access to `product.connect.nginx.com:443`	☐
Firewall Policy Update	Allow outbound HTTPS connections	☐
Offline Environment Prep	Install NGINX Instance Manager 2.18+	☐
Backup and Rollback Plan	Backup existing config files and data	☐

Step-by-Step Upgrade Procedure

JWT License Deployment

# Verify license file location
sudo mkdir -p /etc/nginx
sudo cp license.jwt /etc/nginx/license.jwt
sudo chown nginx:nginx /etc/nginx/license.jwt
sudo chmod 600 /etc/nginx/license.jwt

Configuration File Updates

# nginx.conf additional settings
mgmt {
    usage_report endpoint=product.connect.nginx.com:443;
    enforce_initial_report on;
}

Offline Environment Configuration (if needed)

mgmt {
    usage_report endpoint=internal-nim.company.com:443;
    enforce_initial_report on;
    license_token /custom/path/license.jwt;
}

Major Release-Specific Upgrade Considerations

Upgrading to R35

OIDC RP-Initiated Logout functionality available
QuickJS ES2023 full support enables njs script modernization
CVE-2025-53859 security patch applied

Upgrading to R34

Proxy usage reporting support resolves network constraints
Native OIDC module introduction simplifies authentication
SNI-related security issue (CVE-2025-23419) patched

Upgrading to R33 (Mandatory)

JWT licensing system complete transition
Usage reporting mandatory activation
180-day grace period configuration option

Legacy Module Migration Guide

1. ModSecurity → NGINX App Protect Migration

# Legacy ModSecurity configuration (no longer supported)
# load_module modules/ngx_http_modsecurity_module.so;
# modsecurity on;
# modsecurity_rules_file /etc/nginx/modsec/main.conf;

# NGINX App Protect alternative
load_module modules/ngx_http_app_protect_module.so;
app_protect_enable on;
app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json";
app_protect_security_log_enable on;
app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=127.0.0.1:514;

2. OpenTracing → OpenTelemetry Migration

# Legacy OpenTracing configuration (removal scheduled for R34)
# load_module modules/ngx_http_opentracing_module.so;
# opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/jaeger-config.json;
# opentracing on;

# OpenTelemetry alternative
load_module modules/ngx_http_otel_module.so;
otel_exporter {
    endpoint http://jaeger:14268/api/traces;
}
otel_trace on;

3. Legacy SSL Directive Migration

# Legacy approach (removed in R30)
# server {
#     listen 443;
#     ssl on;
# }

# Recommended approach
server {
    listen 443 ssl;
    listen [::]:443 ssl;
}

Special Considerations for Offline Environments

NGINX Instance Manager Configuration

# /etc/nginx/nginx.conf
mgmt {
    usage_report endpoint=nim.internal.company:443 interval=1h;
    enforce_initial_report on;
    license_token /etc/nginx/license.jwt;
}

# NIM to F5 forwarding configuration (requires NIM 2.18+)

Firewall Rules Example

# Allow outbound HTTPS
sudo iptables -A OUTPUT -p tcp --dport 443 -d product.connect.nginx.com -j ACCEPT

# Allow connection to internal NIM
sudo iptables -A OUTPUT -p tcp --dport 443 -d nim.internal.company -j ACCEPT

Monitoring and Verification Methods

License Status Verification

# Verify license file
sudo nginx -t
sudo ls -la /etc/nginx/license.jwt

# Check usage reporting in logs
sudo tail -f /var/log/nginx/error.log | grep -E "(usage|report|license)"

# License status via API
curl http://localhost:8080/api/9/nginx

Post-Upgrade Verification Checklist

Verification Item	Command/Method	Expected Result
Configuration Syntax	`nginx -t`	syntax is ok
License Loading	Log verification	No license-related ERRORs
Usage Reporting	Log monitoring	Hourly reporting success
Service Health	`systemctl status nginx`	active (running)
API Response	`curl localhost:8080/api`	JSON response

Emergency Response Guide

License Reporting Failure Response

Immediate Response (within 180-day grace period)

# Check network connectivity
telnet product.connect.nginx.com 443

# Verify DNS resolution  
nslookup product.connect.nginx.com

# Check proxy configuration
echo $https_proxy

Temporary Grace Period Activation

mgmt {
    usage_report endpoint=product.connect.nginx.com:443;
    enforce_initial_report off;  # Temporarily disable
}

Rollback Procedure

# 1. Stop service
sudo systemctl stop nginx

# 2. Restore previous version
sudo yum downgrade nginx-plus

# 3. Restore configuration files
sudo cp /etc/nginx/nginx.conf.backup /etc/nginx/nginx.conf

# 4. Restart service
sudo systemctl start nginx

For stable NGINX Plus operations, it’s crucial to understand licensing policies and support lifecycles while establishing regular update plans. Particularly important is reviewing network configurations and license management processes in response to JWT licensing changes.