diff --git a/conf/http-base.conf b/conf/http-base.conf index d525b3dd3..8b7ff9e0b 100644 --- a/conf/http-base.conf +++ b/conf/http-base.conf @@ -16,6 +16,11 @@ gzip_types text/plain text/xml text/css text/javascript application/x-javascript application/octet-stream; +map $proxy_protocol_addr $proper_forwarded_for { + "" $proxy_add_x_forwarded_for; + default $proxy_protocol_addr; +} + upstream web_app_server { server unix:/tmp/gunicorn_web.sock fail_timeout=0; } @@ -33,3 +38,4 @@ upstream build_manager_controller_server { upstream build_manager_websocket_server { server localhost:8787; } + diff --git a/conf/nginx-nossl.conf b/conf/nginx-nossl.conf index 13c5d73b2..549f4b4e8 100644 --- a/conf/nginx-nossl.conf +++ b/conf/nginx-nossl.conf @@ -4,7 +4,6 @@ include root-base.conf; http { include http-base.conf; - include rate-limiting.conf; server { diff --git a/conf/nginx.conf b/conf/nginx.conf index 792b58faf..77a78f70e 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -4,9 +4,7 @@ include root-base.conf; http { include http-base.conf; - include hosted-http-base.conf; - include rate-limiting.conf; server { @@ -25,8 +23,7 @@ http { server { include proxy-protocol.conf; - - include proxy-server-base.conf; + include server-base.conf; listen 8443 default proxy_protocol; diff --git a/conf/proxy-server-base.conf b/conf/proxy-server-base.conf deleted file mode 100644 index 6230dbfd8..000000000 --- a/conf/proxy-server-base.conf +++ /dev/null 
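Review bot: The `map` falls back to `$proxy_add_x_forwarded_for` whenever `$proxy_protocol_addr` is empty, so on listeners without PROXY protocol the X-Forwarded-For sent upstream is the client-supplied header with `$remote_addr` appended, and only that rightmost hop is trustworthy; with `set_real_ip_from`/`real_ip_header` also removed from server-base.conf in this commit, the application must read the last entry rather than the first. A comment on the map would make the two modes explicit, e.g. `# PROXY-protocol listeners: client address from the PROXY header; plain listeners: nginx's appended chain, whose leftmost entries are client-controlled.`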
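Review bot: nginx-nossl.conf here and nginx.conf in the next hunk both drop `include rate-limiting.conf;`, while server-base.conf in this same commit starts referencing `zone=webapp`, `zone=repositories` and `zone=api`, and nothing visible in the diff includes rate-limiting.conf any more. If no file outside this diff pulls it into the `http {}` block, `nginx -t` rejects the configuration with an unknown limit_req_zone error and `$registry_bucket` is undefined. Worth confirming where the include moved, or adding `include rate-limiting.conf;` to http-base.conf next to the new map.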
@@ -1,87 +0,0 @@
-# vim: ft=nginx
-
-client_body_temp_path /var/log/nginx/client_body 1 2;
-server_name _;
-
-keepalive_timeout 5;
-
-if ($args ~ "_escaped_fragment_") {
- rewrite ^ /snapshot$uri;
-}
-
-proxy_set_header X-Forwarded-For $proxy_protocol_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header Host $http_host;
-proxy_redirect off;
-
-proxy_set_header Transfer-Encoding $http_transfer_encoding;
-
-location / {
- proxy_pass http://web_app_server;
-
- limit_req zone=webapp burst=25 nodelay;
-}
-
-location /realtime {
- proxy_pass http://web_app_server;
- proxy_buffering off;
- proxy_request_buffering off;
-}
-
-location /v1/repositories/ {
- proxy_buffering off;
-
- proxy_request_buffering off;
-
- proxy_pass http://registry_app_server;
- proxy_temp_path /var/log/nginx/proxy_temp 1 2;
-
- client_max_body_size 20G;
-
- limit_req zone=repositories burst=5 nodelay;
-}
-
-location /v1/ {
- proxy_buffering off;
-
- proxy_request_buffering off;
-
- proxy_pass http://registry_app_server;
- proxy_temp_path /var/log/nginx/proxy_temp 1 2;
-
- client_max_body_size 20G;
-}
-
-location /c1/ {
- proxy_buffering off;
-
- proxy_request_buffering off;
-
- proxy_pass http://verbs_app_server;
- proxy_temp_path /var/log/nginx/proxy_temp 1 2;
-
- limit_req zone=api burst=5 nodelay;
-}
-
-location /static/ {
- # checks for static file, if not found proxy to app
- alias /static/;
-}
-
-location /v1/_ping {
- add_header Content-Type text/plain;
- add_header X-Docker-Registry-Version 0.6.0;
- add_header X-Docker-Registry-Standalone 0;
- return 200 'true';
-}
-
-location ~ ^/b1/controller(/?)(.*) {
- proxy_pass http://build_manager_controller_server/$2;
-}
-
-location ~ ^/b1/socket(/?)(.*) {
- proxy_pass http://build_manager_websocket_server/$2;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-}
diff --git a/conf/rate-limiting.conf b/conf/rate-limiting.conf
index 3e2538510..e25897d82 100644
--- a/conf/rate-limiting.conf
+++ b/conf/rate-limiting.conf
@@ -1,7 +1,16 @@
 # vim: ft=nginx
 
+# Check the Authorization header and, if it is empty, use their proxy protocol
+# IP, else use the header as their unique identifier for rate limiting.
+# Enterprise users will never be using proxy protocol, thus the value will be
+# empty string. This means they will not get rate limited.
+map $http_authorization $registry_bucket {
+ "" $proxy_protocol_addr;
+ default $http_authorization;
+}
+
 limit_req_zone $proxy_protocol_addr zone=webapp:10m rate=25r/s;
-limit_req_zone $proxy_protocol_addr zone=repositories:10m rate=1r/s;
 limit_req_zone $proxy_protocol_addr zone=api:10m rate=1r/s;
+limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
 limit_req_status 429;
 limit_req_log_level warn;
diff --git a/conf/server-base.conf b/conf/server-base.conf
index 4122a99eb..bdb6b1a33 100644
--- a/conf/server-base.conf
+++ b/conf/server-base.conf
@@ -3,16 +3,13 @@
 client_body_temp_path /var/log/nginx/client_body 1 2;
 server_name _;
 
-set_real_ip_from 172.17.0.0/16;
-real_ip_header X-Forwarded-For;
-
 keepalive_timeout 5;
 
 if ($args ~ "_escaped_fragment_") {
 rewrite ^ /snapshot$uri;
 }
 
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-For $proper_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_redirect off;
@@ -21,6 +18,8 @@ proxy_set_header Transfer-Encoding $http_transfer_encoding;
 
 location / {
 proxy_pass http://web_app_server;
+
+ limit_req zone=webapp;
 }
 
 location /realtime {
@@ -29,6 +28,18 @@ location /realtime {
 proxy_request_buffering off;
 }
 
+location /v1/repositories/ {
+ proxy_buffering off;
+
+ proxy_request_buffering off;
+
+ proxy_pass http://registry_app_server;
+ proxy_read_timeout 2000;
+ proxy_temp_path /var/log/nginx/proxy_temp 1 2;
+
+ limit_req zone=repositories;
+}
+
 location /v1/ {
 proxy_buffering off;
 
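Review bot: `limit_req_zone $registry_bucket` keys the repositories zone on the raw Authorization header, which nginx never validates, so requests carrying different header values land in different buckets and the per-IP limit this zone used to provide no longer applies to any traffic that sets the header; each state entry also costs roughly the header's length in the 10m zone, far more than an address, so the zone exhausts sooner and nginx refuses requests once it cannot allocate state. At minimum the key should be bounded to a fixed length (a digest or prefix, if the build provides a hashing variable) and the change documented as a per-credential rather than per-client limit. The comment above the map is also inaccurate for the non-PROXY case: an enterprise request that carries an Authorization header takes `default $http_authorization` and is rate limited; only a request with neither value produces the empty key that nginx does not account.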
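Review bot: `limit_req zone=webapp;` in the `location /` hunk has no `burst`/`nodelay`, so at rate=25r/s any request arriving within 40 ms of the previous one from the same key is rejected with 429 immediately, which a browser loading a page and its assets will trigger; the deleted proxy-server-base.conf used `limit_req zone=webapp burst=25 nodelay;` for the same location. The same applies to `limit_req zone=repositories;` in the next hunk (previously `burst=5 nodelay`) and `limit_req zone=api;` in the /c1/ hunk. Carrying the old values over, e.g. `limit_req zone=webapp burst=25 nodelay;`, preserves the previous behaviour.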
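Review bot: The new `location /v1/repositories/` block omits the `client_max_body_size 20G;` that the deleted proxy-server-base.conf set for this location; unless the directive is set at server or http level outside this diff, nginx's 1m default applies and larger request bodies are rejected with 413. `proxy_read_timeout 2000;` is a bare number, which nginx reads as seconds (over 33 minutes); if that is intended, writing `proxy_read_timeout 2000s;` or adding a one-line comment on why pushes need it would make the intent clear.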
@@ -47,6 +58,8 @@ location /c1/ {
 
 proxy_pass http://verbs_app_server;
 proxy_temp_path /var/log/nginx/proxy_temp 1 2;
+
+ limit_req zone=api;
 }
 
 location /static/ {