Add annotated example for adding header; +spelling

This adds a variable to help nginx add the
Docker-Distribution-Api-Version when using basic auth, and not add the
header when it sees it from the upstream.

Also fix some minor spelling/grammar issues.

Signed-off-by: Sharif Nassar <sharif@mrwacky.com>

docs/nginx.md

@@ -23,9 +23,9 @@ If you just want authentication for your registry, and are happy maintaining use
 
 With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry.
 
-While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the exemple.
+While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the example.
 
-We also implement push restriction (to a limited user group) for the sake of the exemple. Again, you should modify this to fit your mileage.
+We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.
 
 ### Gotchas
 
@@ -49,7 +49,7 @@ X-Forwarded-For   $proxy_add_x_forwarded_for;
 X-Forwarded-Proto $scheme;
 ```
 
-Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more informations, see [#970](https://github.com/docker/distribution/issues/970).
+Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more information, see [#970](https://github.com/docker/distribution/issues/970).
 
 ## Setting things up
 
@@ -69,6 +69,16 @@ upstream docker-registry {
   server registry:5000;
 }
 
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header will be unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+  'registry/2.0' '';
+  default registry/2.0;
+}
+
 server {
   listen 443 ssl;
   server_name myregistrydomain.com;
@@ -77,7 +87,7 @@ server {
   ssl_certificate /etc/nginx/conf.d/domain.crt;
   ssl_certificate_key /etc/nginx/conf.d/domain.key;
 
-  # Recommandations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+  # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
   ssl_protocols TLSv1.1 TLSv1.2;
   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
   ssl_prefer_server_ciphers on;
@@ -96,10 +106,13 @@ server {
       return 404;
     }
 
-    # To add basic authentication to v2 use auth_basic setting plus add_header
+    # To add basic authentication to v2 use auth_basic setting.
     auth_basic "Registry realm";
     auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
-    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
+
+    ## If $docker_distribution_api_version is empty, the header will not be added.
+    ## See the map directive above where this variable is defined.
+    add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
 
     proxy_pass                          http://docker-registry;
     proxy_set_header  Host              \$http_host;   # required for docker client's sake