This is a short guide for those who want to set up a NGINX reverse proxy with SSL cert authentication. The basic idea is to create a private CA and emit certificates signed by it. Only browsers and/or devices with the certs signed by this CA will be granted access to resources behind the proxy.
There are a few examples of similar configurations on the web, but most use openssl directly. This gist uses Easy-RSA to simplify the task of creating and maintaining a private CA and certs to be distributed to clients.
Clone Easy-RSA 3: