worker_processes auto; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; events { worker_connections 1024; } http { proxy_cache_path /var/cache/nginx/registry levels=1:2 keys_zone=registry:500m max_size=50g inactive=24h use_temp_path=off; log_format registry '$remote_addr [$time_local] "$request" ' '$status $body_bytes_sent ' 'upstream=$upstream_addr time=$upstream_response_time ' 'cache=$upstream_cache_status'; access_log /var/log/nginx/access.log registry; # --- Upstreams --- upstream dockerhub { server registry-dockerhub:5000; keepalive 32; } upstream ghcr { server registry-ghcr:5000; keepalive 32; } # `upstream private` removed in Phase 4 of forgejo-registry-consolidation # 2026-05-07. The /v2/ private registry is now Forgejo at # forgejo.viktorbarzin.me/viktor/. # --- Docker Hub (port 5000) --- server { listen 5000; server_name _; client_max_body_size 0; proxy_request_buffering off; proxy_buffering on; # Blobs are content-addressed (sha256) — immutable, safe to cache aggressively location ~ /v2/.*/blobs/ { proxy_pass http://dockerhub; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; # Reject truncated upstream responses proxy_intercept_errors on; error_page 502 503 504 = @upstream_error; proxy_cache registry; proxy_cache_lock on; proxy_cache_lock_timeout 5m; proxy_cache_lock_age 5m; proxy_cache_use_stale updating; proxy_cache_valid 200 24h; proxy_cache_valid any 0; proxy_cache_min_uses 2; proxy_cache_methods GET; proxy_read_timeout 900; proxy_send_timeout 900; } # Manifests are mutable (tags can change) — no cache, pass through to registry location /v2/ { proxy_pass http://dockerhub; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_cache off; proxy_read_timeout 900; proxy_send_timeout 900; } location @upstream_error { return 502 "upstream error"; } location /healthz { proxy_pass http://dockerhub/v2/; proxy_read_timeout 5s; proxy_connect_timeout 3s; access_log off; } location / { return 200 'ok'; add_header Content-Type text/plain; } } # --- GHCR (port 5010) --- server { listen 5010; server_name _; client_max_body_size 0; proxy_request_buffering off; proxy_buffering on; # Blobs are content-addressed (sha256) — immutable, safe to cache aggressively location ~ /v2/.*/blobs/ { proxy_pass http://ghcr; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; # Reject truncated upstream responses proxy_intercept_errors on; error_page 502 503 504 = @upstream_error; proxy_cache registry; proxy_cache_lock on; proxy_cache_lock_timeout 5m; proxy_cache_lock_age 5m; proxy_cache_use_stale updating; proxy_cache_valid 200 24h; proxy_cache_valid any 0; proxy_cache_min_uses 2; proxy_cache_methods GET; proxy_read_timeout 900; proxy_send_timeout 900; } # Manifests are mutable (tags can change) — no cache, pass through to registry location /v2/ { proxy_pass http://ghcr; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_cache off; proxy_read_timeout 900; proxy_send_timeout 900; } location @upstream_error { return 502 "upstream error"; } location /healthz { proxy_pass http://ghcr/v2/; proxy_read_timeout 5s; proxy_connect_timeout 3s; access_log off; } location / { return 200 'ok'; add_header Content-Type text/plain; } } # --- Private R/W Registry (port 5050) decommissioned Phase 4 2026-05-07 --- # The TLS port 5050 server block previously fronted `registry-private`. # Migrated to Forgejo at forgejo.viktorbarzin.me/viktor/. Both # docker-compose.yml and this nginx config no longer reference port 5050. }