proxy_cache_path /var/cache/nginx/registry
    levels=1:2
    keys_zone=registry:500m
    max_size=50g
    inactive=24h
    use_temp_path=off;

upstream docker_registry {
    server 127.0.0.1:5000;
    keepalive 32;
}

server {
    listen 5002;
    server_name _;

    # Access log
    access_log /var/log/nginx/registry.access.log combined;

    # Error log
    error_log /var/log/nginx/registry.error.log warn;

    # Required for large blobs
    client_max_body_size 0;

    # Disable buffering to clients, keep it between nginx<->registry
    proxy_request_buffering off;
    proxy_buffering on;

    location /v2/ {
        proxy_pass http://docker_registry;

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Connection "";

        # --- CRITICAL PART ---
        proxy_cache registry;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 15m;
        proxy_cache_lock_age 15m;
        proxy_cache_use_stale updating;

        # Cache only successful pulls
        proxy_cache_valid 200 206 24h;

        # HEAD requests must not poison cache
        proxy_cache_methods GET;

        # Do not cache pushes
        proxy_no_cache $http_authorization;
        proxy_cache_bypass $http_authorization;

        # Prevent partial responses
        proxy_read_timeout 900;
        proxy_send_timeout 900;
    }
}