diff --git a/pkg/apis/registry/validation/validation.go b/pkg/apis/registry/validation/validation.go
index 3956ec5c..3d916ba6 100644
--- a/pkg/apis/registry/validation/validation.go
+++ b/pkg/apis/registry/validation/validation.go
@@ -86,6 +86,17 @@ func validateRegistryCache(cache registry.RegistryCache, fldPath *field.Path) fi
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("garbageCollection").Child("ttl"), ttl.Duration.String(), "ttl must be a non-negative duration"))
 		}
 	}
+	if cache.Proxy != nil {
+		if cache.Proxy.HTTPProxy != nil {
+			allErrs = append(allErrs, ValidateURL(fldPath.Child("proxy").Child("httpProxy"), *cache.Proxy.HTTPProxy)...)
+		}
+		if cache.Proxy.HTTPSProxy != nil {
+			allErrs = append(allErrs, ValidateURL(fldPath.Child("proxy").Child("httpsProxy"), *cache.Proxy.HTTPSProxy)...)
+		}
+		if cache.Proxy.NoProxy != nil && cache.Proxy.HTTPProxy == nil && cache.Proxy.HTTPSProxy == nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("proxy").Child("noProxy"), *cache.Proxy.NoProxy, "noProxy can only be set if HTTPProxy and/or HTTPSProxy is set."))
+		}
+	}
 
 	return allErrs
 }
diff --git a/pkg/apis/registry/validation/validation_test.go b/pkg/apis/registry/validation/validation_test.go
index 4b3a53ce..efbe5c7f 100644
--- a/pkg/apis/registry/validation/validation_test.go
+++ b/pkg/apis/registry/validation/validation_test.go
@@ -57,6 +57,11 @@ var _ = Describe("Validation", func() {
 				api.RegistryCache{
 					Upstream:  "my-registry.io:5000",
 					RemoteURL: ptr.To("http://my-registry.io:5000"),
+					Proxy: &api.Proxy{
+						HTTPProxy:  ptr.To("http://127.0.0.1"),
+						HTTPSProxy: ptr.To("https://127.0.0.1:1234"),
+						NoProxy:    ptr.To("127.0.0.1,127.0.0.2"),
+					},
 				},
 				api.RegistryCache{
 					Upstream:  "quay.io",
@@ -224,6 +229,49 @@ var _ = Describe("Validation", func() {
 				})),
 			))
 		})
+
+		It("should deny invalid proxy config", func() {
+			registryConfig.Caches[0].Proxy = &api.Proxy{
+				HTTPProxy:  ptr.To("10.10.10.10"),
+				HTTPSProxy: nil,
+				NoProxy:    nil,
+			}
+			registryConfig.Caches = append(registryConfig.Caches,
+				api.RegistryCache{
+					Upstream: "my-registry.io",
+					Proxy: &api.Proxy{
+						HTTPProxy:  nil,
+						HTTPSProxy: ptr.To("http://foo!bar"),
+						NoProxy:    nil,
+					},
+				},
+				api.RegistryCache{
+					Upstream: "my-registry2.io",
+					Proxy: &api.Proxy{
+						HTTPProxy:  nil,
+						HTTPSProxy: nil,
+						NoProxy:    ptr.To("127.0.0.1"),
+					},
+				},
+			)
+			Expect(ValidateRegistryConfig(registryConfig, fldPath)).To(ConsistOf(
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":     Equal(field.ErrorTypeInvalid),
+					"Field":    Equal("providerConfig.caches[0].proxy.httpProxy"),
+					"BadValue": Equal("10.10.10.10"),
+				})),
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":     Equal(field.ErrorTypeInvalid),
+					"Field":    Equal("providerConfig.caches[1].proxy.httpsProxy"),
+					"BadValue": Equal("http://foo!bar"),
+				})),
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":     Equal(field.ErrorTypeInvalid),
+					"Field":    Equal("providerConfig.caches[2].proxy.noProxy"),
+					"BadValue": Equal("127.0.0.1"),
+				})),
+			))
+		})
 	})
 
 	Describe("#ValidateRegistryConfigUpdate", func() {