From 7e72a1084813aadaea41199eeba7ea6ff6aacc5a Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 14 Mar 2026 22:43:20 +0000
Subject: [PATCH] exclude manifest requests from nginx registry cache

Split /v2/ location into two: regex match for blobs (cached 24h, immutable content-addressed by SHA256) and prefix match for everything else including manifests (proxy_cache off, mutable tags). Also remove disabled registries (quay, k8s, kyverno) whose containers/configs don't exist on the VM.
---
 modules/docker-registry/nginx_registry.conf | 129 +++-----------------
 1 file changed, 20 insertions(+), 109 deletions(-)

diff --git a/modules/docker-registry/nginx_registry.conf b/modules/docker-registry/nginx_registry.conf
index c17ae8a7..9f139137 100644
--- a/modules/docker-registry/nginx_registry.conf
+++ b/modules/docker-registry/nginx_registry.conf
@@ -33,21 +33,6 @@ http {
 keepalive 32;
 }

- upstream quay {
- server registry-quay:5000;
- keepalive 32;
- }
-
- upstream k8s {
- server registry-k8s:5000;
- keepalive 32;
- }
-
- upstream kyverno {
- server registry-kyverno:5000;
- keepalive 32;
- }
-
 upstream private {
 server registry-private:5000;
 keepalive 32;
@@ -63,7 +48,8 @@ http {
 proxy_request_buffering off;
 proxy_buffering on;

- location /v2/ {
+ # Blobs are content-addressed (sha256) — immutable, safe to cache aggressively
+ location ~ /v2/.*/blobs/ {
 proxy_pass http://dockerhub;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
@@ -81,6 +67,19 @@ http {
 proxy_send_timeout 900;
 }

+ # Manifests are mutable (tags can change) — no cache, pass through to registry
+ location /v2/ {
+ proxy_pass http://dockerhub;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header Connection "";
+
+ proxy_cache off;
+
+ proxy_read_timeout 900;
+ proxy_send_timeout 900;
+ }
+
 location / {
 return 200 'ok';
 add_header Content-Type text/plain;
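Review bot: The regex on the new `location ~ /v2/.*/blobs/` line is unanchored, so it matches any URI that merely contains a `/blobs/` path segment, for example a manifest request for a repository whose name has a `blobs` component. Such a response would still get the 24h blob caching the commit message describes, so a mutable tag could be served stale from the cache. Anchoring the pattern to the digest form avoids that: `location ~ ^/v2/.+/blobs/sha256:[0-9a-f]+$ {`; anything that does not match falls through to the uncached `/v2/` prefix location. The same line is added in the ghcr server block (hunk `-97,7 +96,8`), and the location body with the cache directives continues outside this hunk.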
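Review bot: The comment on the new catch-all `location /v2/` mentions only manifests, but as a prefix match this block receives every `/v2/` request the blob regex does not claim, which includes tag listings, the `/v2/` version check and any blob URL the regex misses. I would word it as `# Everything under /v2/ that is not a blob (manifests, tag lists, API ping) — never cached, tags are mutable`, so a later reader does not assume blob traffic can never reach this block. The same comment is added in the ghcr server block in the last hunk.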
@@ -97,7 +96,8 @@ http {
 proxy_request_buffering off;
 proxy_buffering on;

- location /v2/ {
+ # Blobs are content-addressed (sha256) — immutable, safe to cache aggressively
+ location ~ /v2/.*/blobs/ {
 proxy_pass http://ghcr;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
@@ -115,103 +115,14 @@ http {
 proxy_send_timeout 900;
 }

- location / {
- return 200 'ok';
- add_header Content-Type text/plain;
- }
- }
-
- # --- Quay (port 5020) ---
-
- server {
- listen 5020;
- server_name _;
-
- client_max_body_size 0;
- proxy_request_buffering off;
- proxy_buffering on;
-
+ # Manifests are mutable (tags can change) — no cache, pass through to registry
 location /v2/ {
- proxy_pass http://quay;
+ proxy_pass http://ghcr;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
 proxy_set_header Connection "";

- proxy_cache registry;
- proxy_cache_lock on;
- proxy_cache_lock_timeout 15m;
- proxy_cache_lock_age 15m;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 206 24h;
- proxy_cache_methods GET;
-
- proxy_read_timeout 900;
- proxy_send_timeout 900;
- }
-
- location / {
- return 200 'ok';
- add_header Content-Type text/plain;
- }
- }
-
- # --- registry.k8s.io (port 5030) ---
-
- server {
- listen 5030;
- server_name _;
-
- client_max_body_size 0;
- proxy_request_buffering off;
- proxy_buffering on;
-
- location /v2/ {
- proxy_pass http://k8s;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header Connection "";
-
- proxy_cache registry;
- proxy_cache_lock on;
- proxy_cache_lock_timeout 15m;
- proxy_cache_lock_age 15m;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 206 24h;
- proxy_cache_methods GET;
-
- proxy_read_timeout 900;
- proxy_send_timeout 900;
- }
-
- location / {
- return 200 'ok';
- add_header Content-Type text/plain;
- }
- }
-
- # --- reg.kyverno.io (port 5040) ---
-
- server {
- listen 5040;
- server_name _;
-
- client_max_body_size 0;
- proxy_request_buffering off;
- proxy_buffering on;
-
- location /v2/ {
- proxy_pass http://kyverno;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header Connection "";
-
- proxy_cache registry;
- proxy_cache_lock on;
- proxy_cache_lock_timeout 15m;
- proxy_cache_lock_age 15m;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 206 24h;
- proxy_cache_methods GET;
+ proxy_cache off;

 proxy_read_timeout 900;
 proxy_send_timeout 900;