NGINX config for a caching proxy that sits in front of a docker registry
upstream docker-mirror-upstream {
    # explicit port: proxy_pass below uses https, and a server without a port defaults to 80
    server upstream.example.com:443;
}

proxy_cache_path /var/lib/docker-mirror/cache levels=1:2 max_size=10g inactive=48h keys_zone=cache:10m;

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name docker.example.com;

    ssl_certificate /etc/nginx/ssl/example.com.cert;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    # read-only mirror: reject requests that would modify the registry
    if ($request_method = POST) {
        return 405;
    }
    if ($request_method = PUT) {
        return 405;
    }
    if ($request_method = DELETE) {
        return 405;
    }

    proxy_read_timeout 900;

    # with 1.7.10, proxy_temp_path can be replaced with use_temp_path=off
    proxy_temp_path /var/lib/docker-mirror/temp 1 2;

    proxy_cache_lock on;
    proxy_cache_lock_timeout 30s;
    proxy_cache_valid 200 302 24h;

    # requires 1.7.0
    # while this stays commented out, the upstream's TLS certificate is not verified
    # proxy_ssl_verify on;
    # proxy_ssl_name docker.example.com;

    # requires 1.7.7
    # proxy_force_ranges on;

    # don't cache mutable entity /v2/<name>/manifests/<reference> (unless the reference is a digest)
    # <name> may contain slashes (library/nginx), and a digest starts with an
    # algorithm name such as "sha256:", so the lookahead accepts any letter
    location ~ ^/v2/.+/manifests/(?![A-Za-z0-9_+.-]+:) {
        proxy_pass https://docker-mirror-upstream;
    }

    # don't cache mutable entity /v2/<name>/tags/list
    location ~ ^/v2/.+/tags/list {
        proxy_pass https://docker-mirror-upstream;
    }

    # don't cache mutable entity /v2/_catalog
    location ~ ^/v2/_catalog$ {
        proxy_pass https://docker-mirror-upstream;
    }

    # cache everything else
    location / {
        proxy_pass https://docker-mirror-upstream;
        proxy_cache cache;
    }
}
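An added example, not part of the gist: a Python check of which registry paths the "don't cache" regex locations catch and which fall through to the cached `location /`. It compares a repository-name pattern limited to one path segment and a hex-only digest algorithm against a pattern that allows slashes and any algorithm token. The helper names (`rules`, `is_cached`, `report`) and the sample paths are constructed for illustration.

```python
import re

def rules(name, algo):
    """The three uncached regex locations, in nginx's evaluation order."""
    return [
        re.compile(rf"^/v2/{name}/manifests/(?!{algo}+:)"),
        re.compile(rf"^/v2/{name}/tags/list"),
        re.compile(r"^/v2/_catalog$"),
    ]

# Name limited to one path segment, digest algorithm limited to hex characters.
SINGLE_SEGMENT = rules(r"[^/]+", r"[A-Fa-f0-9_+.-]")
# Name may contain "/", algorithm may be any token such as "sha256".
MULTI_SEGMENT = rules(r".+", r"[A-Za-z0-9_+.-]")

def is_cached(path, ruleset):
    """True when no uncached location matches, so the request falls
    through to the cached "location /" block."""
    return not any(rule.search(path) for rule in ruleset)

# Constructed sample requests (not taken from a real registry).
DIGEST = "sha256:" + "ab" * 32
SAMPLES = [
    "/v2/nginx/manifests/latest",
    "/v2/library/nginx/manifests/latest",
    "/v2/library/nginx/manifests/" + DIGEST,
    "/v2/library/nginx/tags/list",
    "/v2/library/nginx/blobs/" + DIGEST,
    "/v2/_catalog",
]

def report():
    """(path, cached with single-segment rules, cached with multi-segment rules)"""
    return [(p, is_cached(p, SINGLE_SEGMENT), is_cached(p, MULTI_SEGMENT))
            for p in SAMPLES]

if __name__ == "__main__":
    for path, single, multi in report():
        print(f"{path[:48]:<48} single={single!s:<5} multi={multi}")
```

A tag manifest or tag list that shows up as cached can be served for up to 24h (`proxy_cache_valid`) after the tag has moved upstream.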