diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index 411cc51..566f8a6 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -546,6 +546,8 @@ docker compose up -d exit ``` +**Important**: The registry uses standard authentication, but nginx provides intelligent routing to enable public read access for specific operations (manifests, blobs, tags) while requiring authentication for write operations (push, delete). This implements the "public read, authenticated write" model through nginx configuration. + #### 5.7 Test Registry Setup ```bash diff --git a/registry/docker-compose.yml b/registry/docker-compose.yml index 3eadc97..7f7f070 100644 --- a/registry/docker-compose.yml +++ b/registry/docker-compose.yml @@ -41,6 +41,7 @@ services: - "8080:443" volumes: - /etc/ssl/registry:/etc/nginx/ssl:ro + - /etc/registry/auth/auth.htpasswd:/etc/nginx/auth/auth.htpasswd:ro - /opt/APP_NAME/registry/nginx.conf:/etc/nginx/nginx.conf:ro depends_on: - registry-ui diff --git a/registry/nginx.conf b/registry/nginx.conf index e11b129..3596ba1 100644 --- a/registry/nginx.conf +++ b/registry/nginx.conf 
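Review bot: The `/etc/registry/auth/auth.htpasswd` file mounted into the nginx container here is now parsed by a second implementation; if the registry service mounts the same file (the guide hunk says the registry keeps its own authentication, so that is likely but not visible in this hunk), both consumers must accept the same hash format. Docker registry's htpasswd backend accepts bcrypt entries only, whereas nginx's `auth_basic_user_file` validates through the platform crypt(), and bcrypt support there depends on the libc shipped in the nginx image, so one authenticated request through nginx with an entry the registry already accepts is needed to confirm the setup works. The read-only mount is right; it is still worth checking that the host file's mode lets the nginx worker read it without being world-readable. A short comment on the new line would capture both constraints for the next maintainer: `# shared with the registry; entries must be in a hash format both the registry and nginx auth_basic accept`.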
@@ -20,8 +20,72 @@ http {
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers HIGH:!aNULL:!MD5;
- # Proxy registry API requests
+ # Block all non-GET requests to public endpoints
+ location ~ ^/v2/([^/]+)/manifests/ {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ location ~ ^/v2/([^/]+)/blobs/ {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ location ~ ^/v2/([^/]+)/tags/list {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ location /v2/_catalog {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ # Require authentication for all other registry operations
 location /v2/ {
+ auth_basic "Registry Realm";
+ auth_basic_user_file /etc/nginx/auth/auth.htpasswd;
+
 proxy_pass https://registry_api;
 proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;