diff --git a/.gitignore b/.gitignore
index 5202da831..8f9222025 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
 target
 work
-demo/snapshot-plugins/
 .idea
 *.iml
diff --git a/demo/.dockerignore b/demo/.dockerignore
deleted file mode 100644
index 16d3c4dbb..000000000
--- a/demo/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-.cache
diff --git a/demo/.gitignore b/demo/.gitignore
new file mode 100644
index 000000000..4a2f970cc
--- /dev/null
+++ b/demo/.gitignore
@@ -0,0 +1,2 @@
+snapshot-plugins/
+certs/
diff --git a/demo/Dockerfile b/demo/Dockerfile
index acad2c266..0e99c410f 100644
--- a/demo/Dockerfile
+++ b/demo/Dockerfile
@@ -37,6 +37,9 @@ RUN /usr/local/maven/bin/mvn -s settings.xml -Dmaven.repo.local=/usr/share/jenki
 COPY plugins.txt /tmp/files/
 RUN /usr/local/bin/plugins.sh /tmp/files/plugins.txt
+# Remove the base workflow-demo "cd" job
+RUN rm -rf /usr/share/jenkins/ref/jobs/cd
+
 ADD JENKINS_HOME /usr/share/jenkins/ref
 COPY run-demo.sh /usr/local/bin/run-demo.sh
diff --git a/demo/Dockerfile-proxy b/demo/Dockerfile-proxy
deleted file mode 100644
index 3a1da4454..000000000
--- a/demo/Dockerfile-proxy
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM nginx:1.9.0
-RUN apt-get update
-RUN apt-get install -y apache2-utils
-COPY workflow-reg-proxy.conf /etc/nginx/conf.d/
-COPY gen-security-data.sh /usr/local/bin/
-RUN /usr/local/bin/gen-security-data.sh /var/registry/certs
diff --git a/demo/Dockerfile-registry b/demo/Dockerfile-registry
new file mode 100644
index 000000000..235838cfb
--- /dev/null
+++ b/demo/Dockerfile-registry
@@ -0,0 +1,7 @@
+FROM registry:2.5.1
+ADD certs/ca.crt certs/ca.key certs/docker-registry.htpasswd /var/registry/certs/
+ENV REGISTRY_HTTP_TLS_CERTIFICATE /var/registry/certs/ca.crt
+ENV REGISTRY_HTTP_TLS_KEY /var/registry/certs/ca.key
+ENV REGISTRY_AUTH htpasswd
+ENV REGISTRY_AUTH_HTPASSWD_REALM Registry Realm
+ENV REGISTRY_AUTH_HTPASSWD_PATH /var/registry/certs/docker-registry.htpasswd
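Review bot: In demo/Dockerfile-registry, the `ADD certs/ca.crt certs/ca.key certs/docker-registry.htpasswd /var/registry/certs/` line stores the TLS private key and the password file in an image layer, so anyone who obtains `registry:docker-workflow-demo` can read them back out. That may be acceptable for a throwaway local demo, but it should be stated in the file, e.g. `# Demo only: this image embeds a private key and fixed credentials; never push it.` `COPY` would also be the more predictable instruction here, since nothing needs to be fetched or unpacked: `COPY certs/ca.crt certs/ca.key certs/docker-registry.htpasswd /var/registry/certs/`.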
diff --git a/demo/JENKINS_HOME/credentials.xml b/demo/JENKINS_HOME/credentials.xml
index 8b90faca4..d4c6ffbc1 100644
--- a/demo/JENKINS_HOME/credentials.xml
+++ b/demo/JENKINS_HOME/credentials.xml
@@ -10,7 +10,7 @@
 GLOBAL docker-registry-login
- workflowuser
+ pipelineuser
 123123123
diff --git a/demo/Makefile b/demo/Makefile
index 8913aadd3..970bb0628 100644
--- a/demo/Makefile
+++ b/demo/Makefile
@@ -25,11 +25,12 @@
 TAG=$(shell perl -n -e 'if (/docker-workflow:(.+)/) {print $$1}' plugins.txt)
 IMAGE=jenkinsci/docker-workflow-demo
-build-proxy:
- docker build -t nginx:docker-workflow-demo -f Dockerfile-proxy .
+build-registry:
+ ./gen-security-data.sh certs
+ docker build -t registry:docker-workflow-demo -f Dockerfile-registry .
 # Builds a demo based on a released version of the plugin.
-build: build-proxy
+build: build-registry
 docker build -t $(IMAGE):$(TAG) .
 # Builds a demo based on the current local snapshot build of the plugin.
@@ -55,7 +56,7 @@ run-snapshot: build-snapshot
 $(DOCKER_RUN) $(IMAGE):SNAPSHOT
 clean:
- rm -rf snapshot-plugins
+ rm -rf certs snapshot-plugins
 push:
 docker push $(IMAGE):$(TAG)
diff --git a/demo/gen-security-data.sh b/demo/gen-security-data.sh
index d1ef00cc5..99464d615 100755
--- a/demo/gen-security-data.sh
+++ b/demo/gen-security-data.sh
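Review bot: In demo/Makefile, `build-registry` runs `./gen-security-data.sh certs` unconditionally, so every `make build` replaces the key, certificate and htpasswd file under `certs/` and bakes a different key into the registry image; anything that pinned or trusted the previous `ca.crt` stops matching. Making the generated certificate a real file target would create the material once and let `clean` be the only thing that rotates it: `certs/ca.crt: gen-security-data.sh`, with recipe `./gen-security-data.sh certs`, and `build-registry: certs/ca.crt`. Whether `build-registry` is listed under `.PHONY` cannot be seen from this hunk; it should be, since it names a command rather than a file.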
@@ -31,26 +31,9 @@ mkdir -p $1
 pushd $1
-htpasswd -bmc docker-registry.htpasswd workflowuser 123123123
+docker run --entrypoint htpasswd registry:2.5.1 -Bbn pipelineuser 123123123 > docker-registry.htpasswd
 # Create the CA Key and Certificate for signing Certs
 openssl genrsa -des3 -passout pass:x -out ca.key 4096
 openssl rsa -passin pass:x -in ca.key -out ca.key # remove password!
-openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=California/L=San Jose/O=Jenkins CI/OU=Workflow Dept/CN=localhost"
-
-# Create the Server Key, CSR, and Certificate
-openssl genrsa -des3 -passout pass:x -out key.pem 1024
-openssl rsa -passin pass:x -in key.pem -out key.pem # remove password!
-openssl req -new -key key.pem -out server.csr -subj "/C=US/ST=California/L=San Jose/O=Jenkins CI/OU=Workflow Dept/CN=localhost"
-
-# Self sign the server cert.
-openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert.pem
-
-# cat the ca cert onto the server cert
-cat ca.crt >> cert.pem
-
-# White-list the CA cert (because it is self-signed), otherwise docker client will not be able to authenticate
-cp ca.crt /usr/local/share/ca-certificates
-update-ca-certificates
-
-popd
+openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=California/L=San Jose/O=Jenkins CI/OU=Pipeline Dept/CN=localhost"
diff --git a/demo/run-demo.sh b/demo/run-demo.sh
index 85728c7b9..69f532500 100755
--- a/demo/run-demo.sh
+++ b/demo/run-demo.sh
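Review bot: In demo/gen-security-data.sh, with the server key and CSR steps removed, the one remaining `openssl req -new -x509` certificate is used directly as the registry's TLS identity (Dockerfile-registry points `REGISTRY_HTTP_TLS_KEY` at `ca.key`), yet it is still generated and named as a CA. With a stock openssl.cnf that command usually yields a `CA:TRUE` certificate, so if any client installs `ca.crt` as a trusted root, the key shipped in the image could sign certificates for other host names. Issuing a plain self-signed leaf avoids that, for example by appending `-addext "basicConstraints=critical,CA:FALSE" -addext "subjectAltName=DNS:localhost"` (needs OpenSSL 1.1.1 or later), and the `# Create the CA Key and Certificate for signing Certs` comment should then be updated to say what the pair is for. The key is also written with the caller's default umask; a `umask 077` before `openssl genrsa` would keep it private in the working tree. The start of the script is outside the hunk, so whether `set -e` guards the `docker run ... > docker-registry.htpasswd` redirect against leaving an empty file cannot be checked here.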
@@ -31,10 +31,9 @@
 echo '*************** Installing a local Docker Registry Service for the demo ***************'
 echo '*************** Please sit tight for a minute ***************'
-cont1=$(docker run -d --name registry --restart=always registry:0.9.1)
-cont2=$(docker run -d -p 443:443 --name wf-registry-proxy --link registry:registry nginx:docker-workflow-demo)
+cont1=$(docker run -d -p 443:5000 --name registry --restart=always registry:docker-workflow-demo)
 # TODO would be natural to switch to Compose
-trap "docker rm -f $cont1 $cont2" EXIT
+trap "docker rm -f $cont1" EXIT
 # Note that this https://github.com/docker/docker/issues/23177 workaround is useless since the Docker CLI does not do the hostname resolution, the server does:
 # echo $(docker inspect -f '{{.NetworkSettings.Gateway}}' $HOSTNAME) docker.example.com >> /etc/hosts
@@ -44,11 +43,6 @@ echo '*************** Docker Registry Service running now **
 # In case some tagged images were left over from a previous run using a cache:
 (docker images -q examplecorp/spring-petclinic; docker images -q localhost/examplecorp/spring-petclinic) | xargs docker rmi --no-prune=true --force
-#
-# Remove the base workflow-demo "cd" job
-#
-rm -rf /usr/share/jenkins/ref/jobs/cd /var/jenkins_home/jobs/cd
-
 #
 # Now run Jenkins.
 #
diff --git a/demo/workflow-reg-proxy.conf b/demo/workflow-reg-proxy.conf
deleted file mode 100644
index 6fa502c39..000000000
--- a/demo/workflow-reg-proxy.conf
+++ /dev/null
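Review bot: In demo/run-demo.sh, `-p 443:5000` publishes the registry on every interface of the Docker host, where it is protected only by the fixed demo account set up in gen-security-data.sh, and `--restart=always` keeps it running if the `trap` never fires. If the demo only reaches the registry through localhost (not verifiable from this hunk), binding to loopback limits the exposure: `-p 127.0.0.1:443:5000`. The `trap` string is expanded when it is installed, so a failed `docker run` leaves `docker rm -f` with no argument; a check such as `[ -n "$cont1" ] || exit 1` right after the assignment would make that failure explicit. The script's header is outside the hunk, so any `set -e` already in effect is not visible.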
@@ -1,37 +0,0 @@
-server {
- listen 443 ssl;
- server_name localhost;
-
- ssl on;
- ssl_certificate /var/registry/certs/cert.pem;
- ssl_certificate_key /var/registry/certs/key.pem;
- ssl_verify_client off;
-
- proxy_set_header Host $http_host; # required for Docker client
- proxy_set_header X-Real-IP $remote_addr; # pass client IP
- proxy_set_header Authorization ""; # see https://github.com/dotcloud/docker-registry/issues/170
- proxy_read_timeout 900;
-
- proxy_set_header X-Forwarded-Proto "https";
- proxy_set_header X-Forwarded-Protocol "https";
-
- client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
-
- # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
- chunked_transfer_encoding on;
-
- location / {
- # let Nginx know about our auth file
- auth_basic "Restricted Docker Registry";
- auth_basic_user_file /var/registry/certs/docker-registry.htpasswd;
- proxy_pass http://registry:5000/;
- }
- location /_ping {
- auth_basic off;
- proxy_pass http://registry:5000/;
- }
- location /v1/_ping {
- auth_basic off;
- proxy_pass http://registry:5000/;
- }
-}