  1. Project Quay
  2. PROJQUAY-3457

Pull-thru proxy support for https+insecure

    • Documentation (Ref Guide, User Guide, etc.), Release Notes, User Experience

      The proxy cache config model currently has an "insecure" flag, which it uses to decide whether to request the upstream registry via http or https.

      Instead, the "insecure" flag should only be used to decide whether Quay should verify the SSL cert or not. The Python requests library supports a `verify=False` flag [1], which can be used to achieve this, based on the value of "insecure".
      To decide which protocol to use, Quay can first try https, and on error try http instead (something like https://github.com/containers/image/blob/929f14a56f5c0f048121f72159acbc4df37ac054/docker/docker_client.go#L758-L761).

      Suggested flow:

      1. if "insecure" is true, set verify to false (verify is true by default)
      2. try to connect with upstream registry via https, using the previously set verify flag
      3. if connecting with upstream registry via https fails, try again using http (maybe you want to try http only if certain failures happen)
      4. if http doesn't work either, raise an exception to caller

      *ACCEPTANCE CRITERIA*

      • support for http registries (no SSL)
      • support for secure https registries (verify SSL cert)
      • support for insecure https registries (do not verify SSL cert)
      • "insecure" help text in the UI reflects its new function

      It is out of the scope of this bug to add support for custom SSL certificates.

      *NOTES*

      [1] https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification
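
The suggested flow above, sketched as an added example; it is not code from the issue or from Quay. It uses the standard library's `urllib` and `ssl` in place of requests (an unverified SSL context stands in for `verify=False`) so it runs without dependencies. Assumptions: the function names are hypothetical, the probe path is the registry API base `/v2/`, and "certain failures" is read as "anything except a certificate verification error".

```python
import ssl
import urllib.error
import urllib.request


def fetch_status(url, verify, timeout=5):
    """GET url and return the HTTP status; verify=False skips TLS cert checks."""
    ctx = ssl.create_default_context()
    if not verify:
        # stdlib counterpart of requests' verify=False
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401 on /v2/ still proves the endpoint answers
    except urllib.error.URLError as err:
        # unwrap so the caller sees the underlying socket/TLS error
        raise err.reason if isinstance(err.reason, Exception) else err


def may_fall_back_to_http(exc):
    """Assumption: a certificate failure means the upstream does speak TLS,
    so retrying over plaintext would be a silent downgrade; refuse it."""
    return not isinstance(exc, ssl.SSLCertVerificationError)


def probe_upstream(host, insecure=False, fetch=fetch_status):
    """Return (scheme, status) for the first scheme that answers on /v2/."""
    verify = not insecure  # step 1: "insecure" only controls cert verification
    try:
        return "https", fetch(f"https://{host}/v2/", verify)  # step 2
    except OSError as https_err:
        if not may_fall_back_to_http(https_err):
            raise
    # step 3: retry over http; step 4: an http failure propagates to the caller
    return "http", fetch(f"http://{host}/v2/", verify)
```

With `insecure` set, a certificate error cannot occur, so the https attempt either succeeds or falls through to http on a connection-level failure.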

              Unassigned Unassigned
              fmissi Flavian Missi