Potential fix for code scanning alert no. 6: Failure to use HTTPS URLs#24

Closed
bryantbiggs wants to merge 1 commit into main from alert-autofix-6

Conversation

@bryantbiggs
Member

Potential fix for https://github.com/clowdhaus/docker-registry/security/code-scanning/6

The best way to remediate this is to prevent the use of HTTP by default, and discourage or disable HTTP usage except in clearly-marked/test configurations. Changes required:

  1. Change the default for insecure_registry to false. (Already set, but highlight this in docs for clarity.)
  2. Emit a warning or error when insecure_registry is set to true for public registries. Optionally, block non-localhost/loopback values.
  3. Document and gate the use of HTTP: Require explicit opt-in, and annotate that HTTP is insecure and not recommended outside local/test scenarios.
  4. Best single fix: Prevent the construction of HTTP URLs for public registries by raising an error or warning if insecure_registry is true and the registry hostname is not localhost/127.0.0.1.

Concrete implementation steps:

  • In src/v2/config.rs, within the build() method, before constructing the URL, check if insecure_registry is true and if self.index points to a non-localhost host (not 127.0.0.1 or localhost). If so, return an error.
  • If the registry is localhost, allow HTTP when insecure_registry is true.
  • Optionally, raise a log warning even for localhost when using HTTP.
  • No imports of external libraries are necessary; standard library string operations suffice.

Edits will only be to regions in src/v2/config.rs shown above, specifically lines around the URL schema selection in the build() method.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
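The gate the description proposes (HTTPS by default, HTTP only when `insecure_registry` is set and the index host is loopback), as an added Rust example written here and not taken from the project's `src/v2/config.rs`. The function `registry_url`, the helpers `host_of` and `is_loopback`, and the `UrlError` type are hypothetical names; the index is assumed to be a `host[:port]` string.

```rust
// Added example (not the project's code): build a registry base URL and
// refuse plain HTTP for anything other than a loopback host.
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub enum UrlError {
    EmptyIndex,
    InsecureRegistryNotLocal(String),
}

/// Split "host[:port]" into its host part, handling "[::1]:5000" and bare IPv6.
fn host_of(index: &str) -> &str {
    if let Some(rest) = index.strip_prefix('[') {
        return rest.split(']').next().unwrap_or("");
    }
    // exactly one ':' means host:port; zero or several means host only
    match index.matches(':').count() {
        1 => index.split(':').next().unwrap_or(index),
        _ => index,
    }
}

/// "localhost", 127.0.0.0/8 or ::1 count as local; everything else does not.
fn is_loopback(host: &str) -> bool {
    host.eq_ignore_ascii_case("localhost")
        || host.parse::<IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
}

/// HTTPS is the default. HTTP is produced only when `insecure_registry` is
/// true AND the host is loopback; otherwise the URL is never built.
pub fn registry_url(index: &str, insecure_registry: bool) -> Result<String, UrlError> {
    let index = index.trim();
    if index.is_empty() {
        return Err(UrlError::EmptyIndex);
    }
    let host = host_of(index);
    if insecure_registry && !is_loopback(host) {
        return Err(UrlError::InsecureRegistryNotLocal(host.to_string()));
    }
    let scheme = if insecure_registry {
        // warn even for localhost, as the description suggests
        eprintln!("warning: using plain HTTP for {index}; local/test use only");
        "http"
    } else {
        "https"
    };
    Ok(format!("{scheme}://{index}"))
}

fn main() {
    println!("{:?}", registry_url("localhost:5000", true));
    println!("{:?}", registry_url("registry-1.docker.io", true));
}
```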