registry.example.com.conf

upstream registry
{
    server 172.20.0.41:5000 fail_timeout=9s max_fails=1;
}

map $upstream_http_docker_distribution_api_version $docker_distribution_api_version
{
    '' 'registry/2.0';
}

server
{
    listen 443 ssl;
    server_name registry.example.com;

    ssl on;
    ssl_certificate         /etc/nginx/certs/registry.example.com/fullchain.pem;
    ssl_certificate_key     /etc/nginx/certs/registry.example.com/privkey.pem;
    ssl_trusted_certificate /etc/nginx/certs/registry.example.com/fullchain.pem;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # set HSTS-Header because we only allow https traffic
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    proxy_set_header Host      $http_host;   # required for Docker client sake
    proxy_set_header X-Real-IP $remote_addr; # pass on real client IP

    client_max_body_size 0;

    chunked_transfer_encoding on;

    location /v2/
    {
        gzip off;

        if ( $http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" )
        {
            return 404;
        }

        auth_basic "Registry realm";
        auth_basic_user_file /etc/nginx/conf.d/registry.htpasswd;

        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

        proxy_pass http://registry;

        proxy_read_timeout    300;
        proxy_connect_timeout 300;

        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Url-Scheme      $scheme;
    }
}