worker_processes auto; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; events { worker_connections 1024; } http { proxy_cache_path /var/cache/nginx/registry levels=1:2 keys_zone=registry:500m max_size=50g inactive=24h use_temp_path=off; log_format registry '$remote_addr [$time_local] "$request" ' '$status $body_bytes_sent ' 'upstream=$upstream_addr time=$upstream_response_time ' 'cache=$upstream_cache_status'; access_log /var/log/nginx/access.log registry; # --- Upstreams --- upstream dockerhub { server registry-dockerhub:5000; keepalive 32; } upstream ghcr { server registry-ghcr:5000; keepalive 32; } upstream private { server registry-private:5000; keepalive 32; } # --- Docker Hub (port 5000) --- server { listen 5000; server_name _; client_max_body_size 0; proxy_request_buffering off; proxy_buffering on; # Blobs are content-addressed (sha256) — immutable, safe to cache aggressively location ~ /v2/.*/blobs/ { proxy_pass http://dockerhub; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; # Reject truncated upstream responses proxy_intercept_errors on; error_page 502 503 504 = @upstream_error; proxy_cache registry; proxy_cache_lock on; proxy_cache_lock_timeout 5m; proxy_cache_lock_age 5m; proxy_cache_use_stale updating; proxy_cache_valid 200 24h; proxy_cache_valid any 0; proxy_cache_min_uses 2; proxy_cache_methods GET; proxy_read_timeout 900; proxy_send_timeout 900; } # Manifests are mutable (tags can change) — no cache, pass through to registry location /v2/ { proxy_pass http://dockerhub; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_cache off; proxy_read_timeout 900; proxy_send_timeout 900; } location @upstream_error { return 502 "upstream error"; } location /healthz { proxy_pass http://dockerhub/v2/; proxy_read_timeout 5s; proxy_connect_timeout 3s; access_log off; } location / { return 200 'ok'; add_header Content-Type text/plain; } } # --- GHCR (port 5010) --- server { listen 5010; server_name _; client_max_body_size 0; proxy_request_buffering off; proxy_buffering on; # Blobs are content-addressed (sha256) — immutable, safe to cache aggressively location ~ /v2/.*/blobs/ { proxy_pass http://ghcr; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; # Reject truncated upstream responses proxy_intercept_errors on; error_page 502 503 504 = @upstream_error; proxy_cache registry; proxy_cache_lock on; proxy_cache_lock_timeout 5m; proxy_cache_lock_age 5m; proxy_cache_use_stale updating; proxy_cache_valid 200 24h; proxy_cache_valid any 0; proxy_cache_min_uses 2; proxy_cache_methods GET; proxy_read_timeout 900; proxy_send_timeout 900; } # Manifests are mutable (tags can change) — no cache, pass through to registry location /v2/ { proxy_pass http://ghcr; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_cache off; proxy_read_timeout 900; proxy_send_timeout 900; } location @upstream_error { return 502 "upstream error"; } location /healthz { proxy_pass http://ghcr/v2/; proxy_read_timeout 5s; proxy_connect_timeout 3s; access_log off; } location / { return 200 'ok'; add_header Content-Type text/plain; } } # --- Private R/W Registry (port 5050, TLS) --- server { listen 5050 ssl; server_name registry.viktorbarzin.me; ssl_certificate /etc/nginx/tls/fullchain.pem; ssl_certificate_key /etc/nginx/tls/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; client_max_body_size 0; proxy_request_buffering off; proxy_buffering off; chunked_transfer_encoding on; location /v2/ { proxy_pass http://private; proxy_http_version 1.1; proxy_set_header Host $http_host; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 900; proxy_send_timeout 900; } location / { return 200 'ok'; add_header Content-Type text/plain; } } }