Add --token-auth-force-tls

auth.go

@@ -50,7 +50,7 @@ func (c *CRProxy) authenticate(rw http.ResponseWriter, r *http.Request) {
 	tokenURL := c.tokenURL
 	if tokenURL == "" {
 		var scheme = "http"
-		if r.TLS != nil {
+		if c.tokenAuthForceTLS || r.TLS != nil {
 			scheme = "https"
 		}
 		tokenURL = scheme + "://" + r.Host + "/auth/token"

cmd/crproxy/main.go

@@ -57,6 +57,7 @@ var (
 	overrideDefaultRegistry     map[string]string
 	simpleAuth                  bool
 	tokenURL                    string
+	tokenAuthForceTLS           bool
 
 	redirectOriginBlobLinks bool
 
@@ -94,6 +95,7 @@ func init() {
 	pflag.StringToStringVar(&overrideDefaultRegistry, "override-default-registry", nil, "override default registry")
 	pflag.BoolVar(&simpleAuth, "simple-auth", false, "enable simple auth")
 	pflag.StringVar(&tokenURL, "token-url", "", "token url")
+	pflag.BoolVar(&tokenAuthForceTLS, "token-auth-force-tls", false, "token auth force TLS")
 
 	pflag.BoolVar(&redirectOriginBlobLinks, "redirect-origin-blob-links", false, "redirect origin blob links")
 
@@ -358,7 +360,7 @@ func main() {
 	}
 
 	if simpleAuth {
-		opts = append(opts, crproxy.WithSimpleAuth(true, tokenURL))
+		opts = append(opts, crproxy.WithSimpleAuth(true, tokenURL, tokenAuthForceTLS))
 	}
 
 	if redirectOriginBlobLinks {

crproxy.go

@@ -72,6 +72,7 @@ type CRProxy struct {
 	disableTagsList         bool
 	simpleAuth              bool
 	tokenURL                string
+	tokenAuthForceTLS       bool
 	matcher                 hostmatcher.Matcher
 
 	defaultRegistry         string
@@ -95,10 +96,11 @@ func WithRedirectToOriginBlobFunc(f func(r *http.Request, info *ImageInfo) bool)
 	}
 }
 
-func WithSimpleAuth(b bool, tokenURL string) Option {
+func WithSimpleAuth(b bool, tokenURL string, forceTLS bool) Option {
 	return func(c *CRProxy) {
 		c.simpleAuth = b
 		c.tokenURL = tokenURL
+		c.tokenAuthForceTLS = forceTLS
 	}
 }