doc(tls-directive): Add the tls clients subdirective

- https://github.com/caddyserver/caddy/pull/3335

src/docs/markdown/caddyfile/directives/tls.md

@@ -24,6 +24,13 @@ tls [internal|<email>] | [<cert_file> <key_file>] {
 	ca_root   <pem_file>
 	dns       <provider_name> [<params...>]
 	on_demand
+	clients {
+    mode [request|require|verify_if_given|require_and_verify]
+		trusted_ca_certs        <trusted_ca_certs...>
+		trusted_ca_certs_file   <filename...>
+		trusted_leaf_certs      <trusted_leaf_certs...>
+		trusted_leaf_certs_file <filename...>
+  }
 }
 ```
 
@@ -62,7 +69,33 @@ tls [internal|<email>] | [<cert_file> <key_file>] {
 - **ca_root** specifies a PEM file that contains a trusted root certificate for the ACME CA endpoint, if not in the system trust store.
 - **dns** enables the [DNS challenge](/docs/automatic-https#dns-challenge) using the specified provider plugin, which must be plugged in from one of the [caddy-dns](https://github.com/caddy-dns) repositories. Each provider plugin may have their own syntax following their name; refer to their docs for details. Maintaining support for each DNS provider is a community effort. [Learn how to enable the DNS challenge for your provider at our wiki.](https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148)
 - **on_demand** enables [on-demand TLS](/docs/automatic-https#on-demand-tls) for the hostnames given in the site block's address(es).
+- **clients** enables and configures TLS client authentication.
 
+The `clients` block can look like this:
+
+```caddy-d
+clients {
+	mode                    [request|require|verify_if_given|require_and_verify]
+	trusted_ca_certs        <trusted_ca_certs...>
+	trusted_ca_certs_file   <filename...>
+	trusted_leaf_certs      <trusted_leaf_certs...>
+	trusted_leaf_certs_file <filename...>
+}
+```
+
+- **trusted_ca_certs** is a list of base64 DER-encoded CA certificates against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected.
+- **trusted_ca_certs_file** is a list of base64 DER-encoded CA certificate files against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected.
+- **trusted_leaf_certs** is a list of base64 DER-encoded client leaf certs to accept. If this list is not empty, client certs which are not in this list will be rejected
+- **trusted_leaf_certs_file** is a list of base64 DER-encoded CA certificate files against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected.
+- **mode** is the mode for authenticating the client. Allowed values are:
+  | Mode               | Description                                                                              |
+  |--------------------|------------------------------------------------------------------------------------------|
+  | request            | Ask clients for a certificate, but allow even if there isn't one; do not verify it       |
+  | require            | Require clients to present a certificate, but do not verify it                           |
+  | verify_if_given    | Ask clients for a certificate; allow even if there isn't one, but verify it if there is  |
+	| require_and_verify | Require clients to present a valid certificate that is verified                          |
+
+	The default mode is `require_and_verify` if any TrustedCACerts or TrustedLeafCerts are provided; otherwise, the default mode is `require`
 
 
 ## Examples
@@ -99,4 +132,15 @@ Enable the DNS challenge for a domain managed on Cloudflare with account credent
 tls {
 	dns cloudflare {env.CLOUDFLARE_API_TOKEN}
 }
-```
+```
+
+Enable TLS Client Authentication
+
+```caddy-d
+tls {
+  clients {
+    mode                    require_and_verify
+    trusted_ca_certs_file   cacerts.crt
+  }
+}
+```