diff --git a/lib/backend/registrybackend/security/security.go b/lib/backend/registrybackend/security/security.go
index bbdd79d98..b53c7722a 100644
--- a/lib/backend/registrybackend/security/security.go
+++ b/lib/backend/registrybackend/security/security.go
@@ -97,9 +97,12 @@ func (a *authenticator) Authenticate(repo string) ([]httputil.SendOption, error)
 		return opts, nil
 	}
 
-	if !config.EnableHTTPFallback {
+	if config.EnableHTTPFallback {
+		opts = append(opts, httputil.EnableHTTPFallback())
+	} else {
 		opts = append(opts, httputil.DisableHTTPFallback())
 	}
+
 	if !a.shouldAuth() {
 		opts = append(opts, httputil.SendTLSTransport(a.roundTripper))
 		return opts, nil
diff --git a/utils/httputil/httputil.go b/utils/httputil/httputil.go
index 9562029e2..e83ce3dde 100644
--- a/utils/httputil/httputil.go
+++ b/utils/httputil/httputil.go
@@ -243,6 +243,13 @@ func DisableHTTPFallback() SendOption {
 	}
 }
 
+// EnableHTTPFallback enables http fallback when https request fails.
+func EnableHTTPFallback() SendOption {
+	return func(o *sendOptions) {
+		o.httpFallbackDisabled = false
+	}
+}
+
 // SendTLS sets the transport with TLS config for the HTTP client.
 func SendTLS(config *tls.Config) SendOption {
 	return func(o *sendOptions) {