docker-registry.conf

# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
 server registry:5000;
}

server {
 listen 443 default_server;

 ssl on;
 ssl_certificate external/cert.pem;
 ssl_certificate_key external/key.pem;
 
 # set HSTS-Header because we only allow https traffic
 add_header Strict-Transport-Security "max-age=31536000;";
 
 proxy_set_header Host       $http_host;   # required for Docker client sake
 proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

 client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

 # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
 chunked_transfer_encoding on;

 location / {
     # let Nginx know about our auth file
     auth_basic              "Restricted";
     auth_basic_user_file    external/docker-registry.htpasswd;

     proxy_pass http://docker-registry;
 }
 location /_ping {
     auth_basic off;
     proxy_pass http://docker-registry;
 }  
 location /v1/_ping {
     auth_basic off;
     proxy_pass http://docker-registry;
 }
 location /v2/ {
     if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) {
       return 404;
     }

     # To add basic authentication to v2 use auth_basic setting plus add_header
     auth_basic "Registry realm";
     auth_basic_user_file    external/docker-registry.htpasswd;
     add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

     proxy_pass                          http://docker-registry;
     proxy_set_header  Host              $http_host;   # required for docker client's sake
     proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
     proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
     proxy_set_header  X-Forwarded-Proto $scheme;
     proxy_read_timeout                  900;
 }

}