diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 4cac5a18ac..187213d2c9 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -545,7 +545,14 @@
- role: httpd/reverseproxy
website: registry.fedoraproject.org
- destname: registry
+ destname: registry-fedora
+ # proxyurl in this one is totally ignored, because Docker.
+ # (turns out it uses PATCH requests that Varnish cannot deal with)
+ proxyurl: "{{ varnish_url }}"
+
+ - role: httpd/reverseproxy
+ website: registry.centos.org
+ destname: registry-centos
# proxyurl in this one is totally ignored, because Docker.
# (turns out it uses PATCH requests that Varnish cannot deal with)
proxyurl: "{{ varnish_url }}"
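Review bot: The new `registry.centos.org` entry sets `destname: registry-centos`, but this diff adds only `reversepassproxy.registry-fedora.conf` and `reversepassproxy.registry-generic.conf`; no `reversepassproxy.registry-centos.conf` is visible. If the role selects its template from `destname` (the fedora rename suggests it does), the centos vhost would either fail to render or lose the write restriction the deleted file carried (`Require user docker-registry-centos-stg`). Confirm that a centos template exists and restricts the write methods before this entry is deployed. A short comment on the entry, such as `# access rules: reversepassproxy.registry-centos.conf`, would point the next reader at it.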
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 6541f4c6de..3dccad7a77 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -568,6 +568,12 @@
sslonly: true
cert_name: "{{wildcard_cert_name}}"
+ - role: httpd/website
+ name: registry.centos.org
+ server_aliases: [registry.stg.centos.org]
+ sslonly: true
+ cert_name: "{{wildcard_cert_name}}"
+
- role: httpd/website
name: candidate-registry.fedoraproject.org
server_aliases: [candidate-registry.stg.fedoraproject.org]
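Review bot: `cert_name: "{{wildcard_cert_name}}"` on the new `registry.centos.org` website reuses the certificate variable of the neighbouring entries. The certificate's names are not visible here, but a wildcard issued for the Fedora domain would not cover `registry.centos.org` or `registry.stg.centos.org`. Registry clients verify the host name, and a mismatch tends to push users toward marking the registry as insecure, which removes TLS protection from image pulls. Confirm the certificate lists both centos.org names as SANs, or point this entry at a certificate that does. The role list continues outside the hunk.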
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-fedora.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-fedora.conf
new file mode 100644
index 0000000000..abe388b26f
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-fedora.conf
@@ -0,0 +1,33 @@
+RewriteEngine on
+
+RewriteRule ^/v2/latest/(.*) /v2/f27/$1 [R,L]
+
+{% if env == "staging" %}
+RewriteRule ^/v2/(.*) /v2/fedora/$1
+{% endif %}
+
+RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L]
+
+
+ Require all granted
+
+
+{% include './reversepassproxy.registry-generic.conf' %}
+
+# Write access to docker-deployer only
+{% if env == "staging" %}
+
+
+ Require user docker-registry-internal-stg
+
+
+
+ Require all denied
+
+
+{% else %}
+
+
+ require valid-user
+
+{% endif %}
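Review bot: The comment `# Write access to docker-deployer only` does not match the production branch, where `require valid-user` accepts every account in the AuthUserFile; only the staging branch names a user. With `SSLOptions +FakeBasicAuth` in the included generic file, that presumably extends to any client certificate mapped to such an account. If a single deployer identity is intended, name it as staging does, e.g. `Require user <production-deployer-account>` (placeholder). Otherwise reword the comment to say what is enforced, e.g. `# Write access: any authenticated registry account (production); docker-registry-internal-stg only (staging)`. The enclosing container directives are not visible in this view, so check the rendered file for which paths and methods these Require lines cover.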
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf
new file mode 100644
index 0000000000..da8b016c4a
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf
@@ -0,0 +1,34 @@
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+ProxyPreserveHost On
+
+
+{% if env == "production" %}
+RewriteCond %{HTTP:VIA} !cdn77
+RewriteCond %{REQUEST_METHOD} !^(PATCH|POST|PUT|DELETE|HEAD)$
+RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2 [R]
+{% endif %}
+
+# This is terible, but Docker.
+RewriteCond %{REQUEST_METHOD} ^(PATCH|POST|PUT|DELETE)$
+RewriteRule ^/v2/(.*)$ http://docker-registry02:5000/v2/$1 [P,L]
+RewriteRule ^/v2/(.*)$ http://localhost:6081/v2/$1 [P,L]
+
+DocumentRoot /srv/web/registry-index/
+
+
+ Require all granted
+
+
+SSLVerifyClient optional
+SSLVerifyDepth 1
+SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
+SSLOptions +FakeBasicAuth
+
+
+
+ AuthName "Registry Authentication"
+ AuthType Basic
+ AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd
+
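Review bot: This template is named generic but hard-codes Fedora values: `AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd` and the redirect target `https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2`. If the registry.centos.org vhost includes it, both registries would authenticate against the same password file, so a credential issued for one could satisfy `require valid-user` on the other. Production centos blob requests would also be redirected to the Fedora CDN. Consider deriving the path from the role variable, e.g. `AuthUserFile /etc/httpd/conf.d/{{ website }}/passwd` (assuming `website` is in scope in the template), and moving the CDN rule into the fedora-specific file. The write-method rule `http://docker-registry02:5000/v2/$1 [P,L]` also forwards pushes over plain HTTP, so a comment recording that this hop stays on a trusted network would make the assumption explicit.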
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf
deleted file mode 100644
index 9d7c1ace0d..0000000000
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf
+++ /dev/null
@@ -1,80 +0,0 @@
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Scheme https early
-RequestHeader set X-Forwarded-Proto https early
-ProxyPreserveHost On
-
-RewriteEngine on
-RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L]
-
-{% if env == "staging" %}
-RewriteCond %{HTTP_HOST} "registry{{env_suffix}}.fedoraproject.org"
-RewriteRule ^/v2/(.*) /v2/fedora/$1
-
-RewriteCond %{HTTP_HOST} "registry{{env_suffix}}.centos.org"
-RewriteRule ^/v2/(.*) /v2/centos/$1
-{% endif %}
-
-
-RewriteRule ^/v2/fedora/latest/(.*) /v2/fedora/f27/$1 [R,L]
-
-{% if env == "production" %}
-RewriteCond %{HTTP:VIA} !cdn77
-RewriteCond %{REQUEST_METHOD} !^(PATCH|POST|PUT|DELETE|HEAD)$
-RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2 [R]
-{% endif %}
-
-# This is terible, but Docker.
-RewriteCond %{REQUEST_METHOD} ^(PATCH|POST|PUT|DELETE)$
-RewriteRule ^/v2/(.*)$ http://docker-registry02:5000/v2/$1 [P,L]
-RewriteRule ^/v2/(.*)$ http://localhost:6081/v2/$1 [P,L]
-
-DocumentRoot /srv/web/registry-index/
-
-
- Require all granted
-
-
-SSLVerifyClient optional
-SSLVerifyDepth 1
-SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
-SSLOptions +FakeBasicAuth
-
-
- Require all granted
-
-
-
-
- Order deny,allow
- Allow from all
- AuthName "Registry Authentication"
- AuthType Basic
- AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd
-
- # Anyone can read
-
- Require all granted
-
-
-
-# Write access to docker-deployer only
-{% if env == "staging" %}
-
-
- Require user docker-registry-internal-stg
-
-
-
-
-
- Require user docker-registry-centos-stg
-
-
-
- Require all denied
-
-{% else %}
-
- require valid-user
-
-{% endif %}