docker upstream manifest caching

nginx.conf

user  nginx;
worker_processes  10;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    # TODO change cache path to point to a PVC
    proxy_cache_path /tmp/cache levels=1:2 keys_zone=manifests_cache:10m max_size=10g;

    server {
      listen       80;
      server_name  localhost;

      location = /api/version {
        return 404;
      }

      location = /v2/ {
        add_header Www-Authenticate 'Bearer realm="https://auth.docker.io/token",service="registry.docker.io"' always;
        default_type application/json;
        return 401;
      }

      location /v2/ {
        # TODO: optimize for docker blobs
        client_max_body_size 1024M;
        proxy_pass https://registry-1.docker.io;
        proxy_redirect https://registry-1.docker.io $scheme://$http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_read_timeout 900;
        proxy_connect_timeout 900;
      }

      location ~ ^/v2/.+/manifests/ {
        proxy_cache_key $scheme://$host$uri;

        proxy_cache manifests_cache;
        proxy_cache_valid any 24h;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass https://registry-1.docker.io;
      }
    }
}