diff --git a/cluster/addons/registry/README.md b/cluster/addons/registry/README.md
index 57c6937d5a1..a43631bbcdb 100644
--- a/cluster/addons/registry/README.md
+++ b/cluster/addons/registry/README.md
@@ -188,7 +188,7 @@ metadata:
 spec:
 containers:
 - name: kube-registry-proxy
- image: gcr.io/google_containers/kube-registry-proxy:0.3
+ image: gcr.io/google_containers/kube-registry-proxy:0.4
 resources:
 limits:
 cpu: 100m
diff --git a/cluster/addons/registry/images/Dockerfile b/cluster/addons/registry/images/Dockerfile
index 7a5b762036e..7b0d7323338 100644
--- a/cluster/addons/registry/images/Dockerfile
+++ b/cluster/addons/registry/images/Dockerfile
@@ -12,15 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM haproxy:1.5
-MAINTAINER Muhammed Uluyol
+FROM nginx:1.11
+MAINTAINER Matthew Fisher
 
-RUN apt-get update && apt-get install -y dnsutils
+RUN apt-get update \
+ && apt-get install -y \
+ curl \
+ --no-install-recommends \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/man /usr/share/doc
 
-ADD proxy.conf.insecure.in /proxy.conf.in
-ADD run_proxy.sh /usr/bin/run_proxy
+COPY rootfs /
 
-RUN chown root:users /usr/bin/run_proxy
-RUN chmod 755 /usr/bin/run_proxy
-
-CMD ["/usr/bin/run_proxy"]
+CMD ["/bin/boot"]
diff --git a/cluster/addons/registry/images/Makefile b/cluster/addons/registry/images/Makefile
index 26a6b244551..447853267c1 100644
--- a/cluster/addons/registry/images/Makefile
+++ b/cluster/addons/registry/images/Makefile
@@ -14,7 +14,7 @@
 
 .PHONY: build push vet test clean
 
-TAG = 0.3
+TAG = 0.4
 REPO = gcr.io/google_containers/kube-registry-proxy
 
 build:
diff --git a/cluster/addons/registry/images/proxy.conf.in b/cluster/addons/registry/images/proxy.conf.in
deleted file mode 100644
index b7a18f93ded..00000000000
--- a/cluster/addons/registry/images/proxy.conf.in
+++ /dev/null
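Review bot: `FROM nginx:1.11` in the Dockerfile hunk pins only a mainline minor, so every rebuild of the 0.4 tag picks up whatever 1.11.x and Debian base is current and the published image is not reproducible; pin a patch tag or digest, e.g. `FROM nginx:1.11.<patch>@sha256:<digest>` (placeholder values). `MAINTAINER` is deprecated and should become `LABEL maintainer="Matthew Fisher"`. `COPY rootfs /` overlays `/bin` and `/etc/nginx` wholesale and relies on the `100755` mode bit git records for `rootfs/bin/boot` to make `CMD ["/bin/boot"]` executable, a job the dropped `RUN chmod 755` did explicitly and which a checkout with `core.fileMode=false` would lose. The final stage still has no `USER`, so the nginx master runs as root (workers are dropped to `nginx` via nginx.conf); that is the base image's default, but a one-line comment above `CMD` saying so would keep the privilege model visible to reviewers.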
@@ -1,17 +0,0 @@
-global
- maxconn 1024
-
-defaults
- mode http
- retries 3
- option redispatch
- timeout client 1s
- timeout server 5s
- timeout connect 5s
-
-frontend forwarder
- bind *:%FWDPORT%
- default_backend registry
-
-backend registry
- server kube-registry %HOST%:%PORT% ssl verify required ca-file %CA_FILE%
diff --git a/cluster/addons/registry/images/proxy.conf.insecure.in b/cluster/addons/registry/images/proxy.conf.insecure.in
deleted file mode 100644
index d70ff567b2c..00000000000
--- a/cluster/addons/registry/images/proxy.conf.insecure.in
+++ /dev/null
@@ -1,17 +0,0 @@
-global
- maxconn 1024
-
-defaults
- mode http
- retries 3
- option redispatch
- timeout client 1s
- timeout server 5s
- timeout connect 5s
-
-frontend forwarder
- bind *:%FWDPORT%
- default_backend registry
-
-backend registry
- server kube-registry %HOST%:%PORT%
diff --git a/cluster/addons/registry/images/rootfs/bin/boot b/cluster/addons/registry/images/rootfs/bin/boot
new file mode 100755
index 00000000000..04262b4642e
--- /dev/null
+++ b/cluster/addons/registry/images/rootfs/bin/boot
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# fail if no hostname is provided
+REGISTRY_HOST=${REGISTRY_HOST:?no host}
+REGISTRY_PORT=${REGISTRY_PORT:-5000}
+
+# we are always listening on port 80
+# https://github.com/nginxinc/docker-nginx/blob/43c112100750cbd1e9f2160324c64988e7920ac9/stable/jessie/Dockerfile#L25
+PORT=80
+
+sed -e "s/%HOST%/$REGISTRY_HOST/g" \
+ -e "s/%PORT%/$REGISTRY_PORT/g" \
+ -e "s/%BIND_PORT%/$PORT/g" \
+ /etc/nginx/conf.d/default.conf
+
+# wait for registry to come online
+while ! curl -sS "$REGISTRY_HOST:$REGISTRY_PORT" &>/dev/null; do
+ printf "waiting for the registry (%s:%s) to come online...\n" "$REGISTRY_HOST" "$REGISTRY_PORT"
+ sleep 1
+done
+
+printf "starting proxy...\n"
+exec nginx -g "daemon off;" "$@"
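Review bot: boot sets no `set -e`, so if the `sed` that renders the nginx template fails the script still reaches `exec nginx` and serves whatever config is on disk; add `set -eo pipefail` after the shebang. As printed here the sed names only `/etc/nginx/conf.d/default.conf` with no output redirection while the template this commit adds is `default.conf.in`, so if that line is really complete the substituted config goes to stdout and nginx starts unrendered — worth confirming against the checked-in file. `$REGISTRY_HOST` is spliced unescaped into a `/`-delimited expression, so a value containing `/` or `&` corrupts the rendered config; using another delimiter, `-e "s|%HOST%|$REGISTRY_HOST|g"`, as the deleted run_proxy.sh already did for `%CA_FILE%`, covers the common case. The readiness loop's `curl -sS "$REGISTRY_HOST:$REGISTRY_PORT"` has no `--max-time`, so a black-holed upstream stalls each iteration for the default connect timeout rather than the intended one second.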
diff --git a/cluster/addons/registry/images/rootfs/etc/nginx/conf.d/default.conf.in b/cluster/addons/registry/images/rootfs/etc/nginx/conf.d/default.conf.in
new file mode 100644
index 00000000000..ecd95fd2fe1
--- /dev/null
+++ b/cluster/addons/registry/images/rootfs/etc/nginx/conf.d/default.conf.in
@@ -0,0 +1,28 @@
+# Docker registry proxy for api version 2
+
+upstream docker-registry {
+ server %HOST%:%PORT%;
+}
+
+# No client auth or TLS
+# TODO(bacongobbler): experiment with authenticating the registry if it's using TLS
+server {
+ listen %BIND_PORT%;
+ server_name localhost;
+
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ location / {
+ # Do not allow connections from docker 1.5 and earlier
+ # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+ if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+ return 404;
+ }
+
+ include docker-registry.conf;
+ }
+}
diff --git a/cluster/addons/registry/images/rootfs/etc/nginx/docker-registry.conf b/cluster/addons/registry/images/rootfs/etc/nginx/docker-registry.conf
new file mode 100644
index 00000000000..7dc8cfff266
--- /dev/null
+++ b/cluster/addons/registry/images/rootfs/etc/nginx/docker-registry.conf
@@ -0,0 +1,6 @@
+proxy_pass http://docker-registry;
+proxy_set_header Host $http_host; # required for docker client's sake
+proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_read_timeout 900;
diff --git a/cluster/addons/registry/images/rootfs/etc/nginx/nginx.conf b/cluster/addons/registry/images/rootfs/etc/nginx/nginx.conf
new file mode 100644
index 00000000000..54ecc888e55
--- /dev/null
+++ b/cluster/addons/registry/images/rootfs/etc/nginx/nginx.conf
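Review bot: the `upstream docker-registry { server %HOST%:%PORT%; }` block together with `proxy_pass http://docker-registry;` in docker-registry.conf talks to the registry over plaintext with no server verification, which the `# No client auth or TLS` TODO acknowledges but which is a regression from the deleted proxy.conf.in, whose backend line carried `ssl verify required ca-file %CA_FILE%`. Registry traffic, including any credentials the docker client attaches, now crosses the pod network unencrypted and the proxy cannot tell a spoofed upstream from the real one. Until `proxy_pass https://` with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate` is wired in, extend the TODO so operators see the constraint, e.g. `# NOTE: upstream is plaintext and unauthenticated; only expose this proxy on a cluster-local/hostPort address`. The user-agent `if` with a bare `return 404;` is the one form of `if` inside `location` that nginx documents as safe, so that part is fine as written.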
@@ -0,0 +1,26 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/cluster/addons/registry/images/run_proxy.sh b/cluster/addons/registry/images/run_proxy.sh
deleted file mode 100644
index 9d0b604090f..00000000000
--- a/cluster/addons/registry/images/run_proxy.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-REGISTRY_HOST=${REGISTRY_HOST:?no host}
-REGISTRY_PORT=${REGISTRY_PORT:-5000}
-REGISTRY_CA=${REGISTRY_CA:-/var/run/secrets/kubernetes.io/serviceaccount/ca.crt}
-FORWARD_PORT=${FORWARD_PORT:-5000}
-sed -e "s/%HOST%/$REGISTRY_HOST/g" \
- -e "s/%PORT%/$REGISTRY_PORT/g" \
- -e "s/%FWDPORT%/$FORWARD_PORT/g" \
- -e "s|%CA_FILE%|$REGISTRY_CA|g" \
- /proxy.conf
-
-# wait for registry to come online
-while ! host "$REGISTRY_HOST" &>/dev/null; do
- printf "waiting for %s to come online\n" "$REGISTRY_HOST"
- sleep 1
-done
-
-printf "starting proxy\n"
-exec haproxy -f /proxy.conf "$@"
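Review bot: the `http` block in nginx.conf does not set `server_tokens off;`, so the exact nginx version is advertised in the `Server` header and on the 404 page that default.conf.in returns to rejected user agents; add `server_tokens off;` next to `sendfile on;`. `access_log /var/log/nginx/access.log main;` and the `error_log` path write to files inside the container, which only reach `kubectl logs` because the official nginx base image symlinks those paths to stdout/stderr; a comment such as `# /var/log/nginx/*.log are symlinked to stdout/stderr by the nginx base image` would make that dependency explicit for anyone who later changes `FROM`. The file otherwise mirrors the upstream default, so keeping it in the repo is a maintenance cost worth noting in a header comment.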