nginx-example.conf

## all http requests on port 80 would be redirected to https on port 443
server
{
   server_name domain.tld www.domain.tld;
   listen 80;
   return 301 https://$host$request_uri;
}

## main server for https requests
server
{
   listen 443;
   server_name domain.tld www.domain.tld;
   root /var/www/domain.tld;

   ## certificates for encrypting https from authority xyz
   ssl_certificate_key /etc/ssl/domain.tld/ssl.key;
   ssl_certificate /etc/ssl/domain.tld/allcert.pem;
   ssl on;

   ## self-signed certificate for client authentication
   ## for creation see howto at https://gist.github.com/mtigas/952344
   ssl_client_certificate /etc/ssl/client/ca.crt;
   ssl_verify_client optional;

   ## only location protected-dir needs ssl-client-auth
   location /protected-dir
   {
      if ($ssl_client_verify != SUCCESS)
      {
         ## if no ssl-client-auth forward to port 444 (see below)
         proxy_pass https://domain.tld:444;
      }
   }
}

## fallback server for basic-auth if ssl-client-auth failed
server
{
   listen 444;
   server_name domain.tld;
   root /var/www/domain.tld/protected-dir;

   ssl_certificate_key /etc/ssl/domain.tld/ssl.key;
   ssl_certificate /etc/ssl/domain.tld/allcert.pem;
   ssl on;

   auth_basic "Restricted";
   auth_basic_user_file user/myuser;
}