This is a short guide for those who want to set up a NGINX reverse proxy with SSL cert authentication. The basic idea is to create a private CA and emit certificates signed by it. Only browsers and/or devices with the certs signed by this CA will be granted access to resources behind the proxy.
There are a few examples of similar configurations on the web, but most use openssl directly. This gist uses EasyRSA to simplify the task of creating and mantaining a private CA and certs to be distributed to clients.
Clone easyrsa v3: