As a reader of the NGINX blog, you’ve likely already gathered that NGINX Open Source is pretty popular. But it isn’t just because it’s free (though that’s nice, too!) – NGINX Open Source is so popular because it’s known for being stable, lightweight, and the developer’s Swiss Army Knife™.
Whether you need a web server, reverse proxy, API gateway, Ingress controller, or cache, NGINX (which is lightweight enough to be installed from a floppy disk) has your back. But there’s one thing NGINX Open Source users have told us is missing: Enterprise support. So, that (and more) is what we’re excited to introduce with the new Open Source Subscription!
What Is the Open Source Subscription?
The Open Source Subscription is a new bundle that includes:
- Enterprise Support: Get a trusted advisor and satisfy regulatory requirements
- Enterprise Features: Address a wide range of traffic management and identity use cases
- Fleet Management: Reduce risk and chaos with simplified administration of NGINX
NGINX Open Source has a reputation for reliability and the community provides fantastic support, but sometimes more is necessary. With the Open Source Subscription, F5 adds enterprise support to NGINX Open Source, including:
- SLA options of business hours or 24/7
- Security patches and bug fixes
- Security notifications
- Debugging and error correction
- Clarification of documentation discrepancies
Next, let’s dive into some of the benefits of having enterprise support.
Timely Patches and Fixes
A common weakness of any open source software (OSS) is the time it can take to address Common Vulnerabilities and Exposures (CVEs) and bugs. In fact, we’ve seen forks of NGINX Open Source take weeks, or even months, to patch. For example, on October 19, 2022, we announced fixes for CVE-2022-41741 and CVE-2022-41742, but the corresponding Ubuntu and Debian patches weren’t made available until November 15, 2022.
As a customer of the Open Source Subscription, you’ll get immediate access to patches and fixes, proactive notifications of CVEs, and more, including:
- Security patches in the latest mainline and stable releases
- Critical bug fixes in the latest mainline release
- Non-critical bug fixes in the latest or a future mainline release
An increasing number of companies and governments are concerned about software supply chain issues, with many adhering to the practice of building a software bill of materials (SBOM). As the SBOM concept matures, regulators are starting to require patching "on a reasonably justified regular cycle", with timely patches for serious vulnerabilities found outside of the normal patch cycle.
With the Open Source Subscription, you can ensure that your NGINX Open Source instances meet your organization’s OSS requirements by demonstrating due diligence, traceability, and compliance with relevant regulations, especially when it comes to security aspects.
Getting good support requires sharing configuration files. However, if you’re sharing configs with a community member or in forums, then you’re exposing your organization to security vulnerabilities (or even breaches). Just one simple piece of NGINX code shared on Stack Overflow could offer bad actors insight into how to exploit your apps or architecture.
The Open Source Subscription grants you direct access to F5’s team of security experts, so you can be assured that your configs stay confidential. To learn more, see the NGINX Open Source Support Policy.
Note: The Open Source Subscription includes support for Linux packages of NGINX Open Source stable and mainline versions obtained directly from NGINX. We are exploring how we might be able to support packages customized and distributed by other vendors, so tell us in the comments which distros are important to you!
With the Open Source Subscription, you get access to NGINX Plus at no added cost. The subscription lets you choose when to use NGINX Open Source or NGINX Plus based on your business needs.
NGINX Open Source is perfect for many app delivery use cases, and is particularly outstanding for web serving, content caching, and basic traffic management. And while you can extend NGINX Open Source for other use cases, this can result in stability and latency issues. For example, it’s common to use Lua scripts to detect endpoint changes (where the Lua handler chooses which upstream service to route requests to, thus eliminating the need to reload the NGINX configuration). However, Lua must continuously check for changes, so it ends up consuming resources which, in turn, increases the processing time of incoming requests. In addition to causing timeouts, this also results in complexity and higher resource costs.
NGINX Plus can handle advanced use cases and provides out-of-the-box capabilities for load balancing, API gateway, Ingress controller, and more. Many customers choose NGINX Plus for business-critical apps and APIs that have stringent requirements related to uptime, availability, security, and identity.
Maintain Uptime and Availability at Scale
Uptime and availability are crucial to mission-critical apps and APIs because your customers (both internal and external) are directly impacted by any problems that arise when scaling up.
You can use NGINX Plus to:
- Reduce latency and outages with session persistence, high availability, and active health checks
- Update configurations without a reload using dynamic reconfiguration
- Easily troubleshoot issues via real-time monitoring, native OpenTelemetry, and over one hundred additional metrics exportable to your favorite monitoring tools
- Implement API gateway use cases, such as rate limiting
Improve Security and Identity Management
By building non-functional requirements into your traffic management strategy, you can offload those requirements from your apps. This reduces errors and frees up developers to work on core requirements.
With NGINX Plus, you can enhance security by:
- Using JWT authentication, OpenID Connect (OIDC), and SAML to centralize authentication and authorization at the load balancer, API gateway, or Ingress controller
- Enforcing end-to-end encryption and certificate management with SSL/TLS offloading and SSL termination
- Enabling FIPS 140-2 for the processing of all SSL/TLS and HTTP/2 traffic
- Implementing PCI DSS best practices for protecting consumers’ credit card numbers and other personal data
- Adding NGINX App Protect for Layer 7 WAF and denial-of-service (DoS) protection
Administration of an NGINX fleet at scale can be difficult. With NGINX Open Source, you might have hundreds of instances (maybe even thousands!) at your organization, which can introduce a lot of complexity and risk related to CVEs, configuration issues, and expired certificates. That’s why the Open Source Subscription includes NGINX Management Suite Instance Manager, which enables you to centrally inventory all of your NGINX Open Source, NGINX Plus, and NGINX App Protect WAF instances so you can configure, secure, and monitor your NGINX fleet with ease.
Understand Your NGINX Estate
With Instance Manager you can get an accurate count of your instances in any environment, including Kubernetes. Instance Manager allows you to:
- Inventory instances and discover software versions with potential CVE exposures
- Learn about configuration problems and resolve them with a built-in editor that leverages best practice recommendations
- Visualize protection insights, analyze possible threats, and identify opportunities for tuning your WAF policies with Security Monitoring
Expired certificates have become a notorious cause of breaches. Use Instance Manager to ensure secure communication between NGINX instances and their clients. With Instance Manager, you can track, manage, and deploy SSL/TLS certificates on all of your instances (including by finding and updating expiring certificates) and rotate the encryption keys regularly (or whenever a key has been compromised).
The amount of data you can get from NGINX instances can be staggering. To help you get the most out of that data and your third-party tools, Instance Manager provides events and metrics data that help you collect valuable NGINX metrics and then forward them to commonly used monitoring, visibility, and alerting tools via API. In addition, you can get unique, curated insights into the protection of your apps and APIs, such as when NGINX App Protect is added.
Get Started with the Open Source Subscription
If you’re interested in getting started with the new Open Source Subscription, contact us today to discuss your use cases.
Dive deeper into the use cases you can enable with NGINX Plus:
- Compare the capabilities of NGINX Open Source and NGINX Plus
- Active or Passive Health Checks: Which Is Right for You?
- How to Visualize NGINX Plus with Prometheus and Grafana
- Deploying NGINX as an API Gateway
- Authenticating API Clients with JWT and NGINX Plus
- Achieving FIPS Compliance with NGINX Plus
Learn more about NGINX Management Suite Instance Manager: