ssl - malformed HTTP response with docker private registry (v2) behind an nginx proxy
I have set up a Docker private registry (v2) on a CentOS 7 box following the official documentation: https://docs.docker.com/registry/deploying/
I am running Docker 1.6.0 on a Fedora 21 box.
The registry is running on port 5000, and is using an SSL key signed by a trusted CA. I set a DNS record for 'docker-registry.example.com' to the internal IP of the server. Running 'docker pull docker-registry.example.com:5000/tag/image' works as expected.
I set up an nginx server, running nginx version: nginx/1.8.0, and set up a DNS record for 'nginx-proxy.example.com' pointing to the nginx server, and set up a site. Here is the config:
server {
    listen 443 ssl;
    server_name nginx-proxy.example.com;
    add_header docker-distribution-api-version: registry/2.0 always;
    ssl on;
    ssl_certificate /etc/ssl/certs/cert.crt;
    ssl_certificate_key /etc/ssl/certs/key.key;
    proxy_set_header host $host;
    proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header x-forwarded-proto $scheme;
    proxy_set_header x-original-uri $request_uri;
    proxy_set_header docker-distribution-api-version registry/2.0;
    location / {
        proxy_pass http://docker-registry.example.com:5000;
    }
}
When I try to run 'docker pull nginx-proxy.example.com/tag/image' I get the following error:
fata[0001] error response daemon: v1 ping attempt failed error: https://nginx-proxy.example.com/v1/_ping: malformed http response "\x15\x03\x01\x00\x02\x02"
My question is twofold.
- Why is the docker client looking for /v1/_ping?
- Why am I seeing 'malformed http response'?
If I run 'curl -v nginx-proxy.example.com/v2' I see:
[root@alex amerenda] $ curl -v https://nginx-proxy.example.com/v2/
* hostname not found in dns cache
* trying 10.1.43.165...
* connected nginx-proxy.example.com (10.1.43.165) port 443 (#0)
* initializing nss certpath: sql:/etc/pki/nssdb
* cafile: /etc/pki/tls/certs/ca-bundle.crt capath: none
* ssl connection using tls_dhe_rsa_with_aes_128_gcm_sha256
* server certificate:
* subject: cn=*.example.com,o="example, inc.",l=new york,st=new york,c=us
* start date: sep 15 00:00:00 2014 gmt
* expire date: sep 15 23:59:59 2015 gmt
* common name: *.example.com
* issuer: cn=geotrust ssl ca - g2,o=geotrust inc.,c=us
> /v2/ http/1.1
> user-agent: curl/7.37.0
> host: nginx-proxy.example.com
> accept: */*
>
\x15\x03\x01\x00\x02\x02
If I run 'curl -v docker-registry.example.com' I get a 200 OK response. So nginx has to be responsible for this. Does anyone have an idea why this is happening? It is driving me insane!
proxy_pass http://docker-registry.example.com:5000;
You are passing the request with plain HTTP (i.e. no HTTPS)
\x15\x03\x01\x00\x02\x02
and getting an SSL response back. It looks like you must use https:// and not http:// to access port 5000. And you know that it is using SSL:
the registry running on port 5000, , using ssl key signed trusted ca...
Apart from that: please use names reserved for examples like example.com, and don't use domain names in your examples which don't belong to you.
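Added example, not part of the original question or answer: a small Python parser that reads the bytes quoted in the error as a TLS record header, which shows why a client expecting an HTTP status line reports them as malformed. The function names and the constructed HTTP sample are assumptions made for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def classify_response(data: bytes) -> dict:
    """Classify the first bytes read where an HTTP status line was expected."""
    if data.startswith(b"HTTP/"):
        return {"kind": "http"}
    if len(data) < 5:
        return {"kind": "unknown"}
    # Record header: content type (1), version major/minor (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return {"kind": "unknown"}
    result = {"kind": "tls_record", "content_type": CONTENT_TYPES[ctype],
              "version": (major, minor), "length": length}
    body = data[5:5 + length]
    if ctype == 21:
        # An alert body is two bytes: level, then description.
        # Report only the bytes that were actually captured.
        result["alert_level"] = (ALERT_LEVELS.get(body[0], "unknown")
                                 if len(body) >= 1 else None)
        result["alert_description"] = body[1] if len(body) >= 2 else None
    return result


def diagnose(data: bytes) -> str:
    """Turn the classification into a one-line hint for the operator."""
    kind = classify_response(data)["kind"]
    if kind == "tls_record":
        return "peer answered with TLS: plaintext HTTP was sent to a TLS port"
    if kind == "http":
        return "peer answered with HTTP"
    return "unrecognised response"


# Bytes quoted in the error message on this page.
SAMPLE = b"\x15\x03\x01\x00\x02\x02"
# Constructed sample of a normal plaintext reply, for comparison.
HTTP_SAMPLE = b"HTTP/1.1 200 OK\r\n"

if __name__ == "__main__":
    print(classify_response(SAMPLE))
    print(diagnose(SAMPLE))
```

The header declares a two-byte alert body, but only the level byte (fatal) appears in the quoted error, so the description is reported as missing rather than guessed.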