diff --git a/src/docs/markdown/caddyfile/directives/tls.md b/src/docs/markdown/caddyfile/directives/tls.md index e5439e2..a855190 100644 --- a/src/docs/markdown/caddyfile/directives/tls.md +++ b/src/docs/markdown/caddyfile/directives/tls.md 
@@ -69,37 +69,26 @@ tls [internal|] | [ ] { - **ca_root** specifies a PEM file that contains a trusted root certificate for the ACME CA endpoint, if not in the system trust store. - **dns** enables the [DNS challenge](/docs/automatic-https#dns-challenge) using the specified provider plugin, which must be plugged in from one of the [caddy-dns](https://github.com/caddy-dns) repositories. Each provider plugin may have their own syntax following their name; refer to their docs for details. Maintaining support for each DNS provider is a community effort. [Learn how to enable the DNS challenge for your provider at our wiki.](https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148) - **on_demand** enables [on-demand TLS](/docs/automatic-https#on-demand-tls) for the hostnames given in the site block's address(es). -- **client_auth** enables and configures TLS client authentication. +- **client_auth** enables and configures TLS client authentication: + - **mode** is the mode for authenticating the client. Allowed values are: + | Mode | Description | + |--------------------|------------------------------------------------------------------------------------------| + | request | Ask clients for a certificate, but allow even if there isn't one; do not verify it | + | require | Require clients to present a certificate, but do not verify it | + | verify_if_given | Ask clients for a certificate; allow even if there isn't one, but verify it if there is | + | require_and_verify | Require clients to present a valid certificate that is verified | -The `client_auth` block can look like this: - -```caddy-d -client_auth { - mode [request|require|verify_if_given|require_and_verify] - trusted_ca_cert - trusted_ca_cert_file - trusted_leaf_cert - trusted_leaf_cert_file -} -``` - -- **trusted_ca_cert** is a base64 DER-encoded CA certificate against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. 
-- **trusted_ca_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. -- **trusted_leaf_cert** is a base64 DER-encoded client leaf certificate to accept. Client certificates which are not signed by any of these CAs will be rejected. -- **trusted_leaf_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. + Default: `require_and_verify` if any `trusted_ca_cert` or `trusted_leaf_cert` are provided; otherwise, `require`. + + - **trusted_ca_cert** is a base64 DER-encoded CA certificate against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. + - **trusted_ca_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. + - **trusted_leaf_cert** is a base64 DER-encoded client leaf certificate to accept. Client certificates which are not signed by any of these CAs will be rejected. + - **trusted_leaf_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. Multiple `trusted_*` directives may be specified as a way to chain multiple CA or leaf certificates. -- **mode** is the mode for authenticating the client. 
Allowed values are: - | Mode | Description | - |--------------------|------------------------------------------------------------------------------------------| - | request | Ask clients for a certificate, but allow even if there isn't one; do not verify it | - | require | Require clients to present a certificate, but do not verify it | - | verify_if_given | Ask clients for a certificate; allow even if there isn't one, but verify it if there is | - | require_and_verify | Require clients to present a valid certificate that is verified | - The default mode is `require_and_verify` if any `trusted_ca_cert` or `trusted_leaf_cert` are provided; otherwise, the default mode is `require` ## Examples diff --git a/src/resources/css/docs.css b/src/resources/css/docs.css index 3519cb3..332af85 100644 --- a/src/resources/css/docs.css +++ b/src/resources/css/docs.css @@ -275,6 +275,12 @@ article li { line-height: 1.5em; } +article li p, +article li ul, +article li ol { + margin-bottom: .5em; +} + h1, h2, h3,
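Review bot: In the tls.md hunk, the re-indented `trusted_leaf_cert` and `trusted_leaf_cert_file` bullets still carry wording copied from the CA entries. `trusted_leaf_cert_file` is described as "a base64 DER-encoded CA certificate file against which to validate client certificates", and both leaf bullets end with "not signed by any of these CAs will be rejected", which does not describe accepting a specific leaf certificate. Since these lines are being touched anyway, reword them to say the value (or file) holds a client leaf certificate to accept. Two smaller points: the Default line makes `require` the mode when no `trusted_*` option is given, and per the table that mode does not verify the certificate, so a sentence stating that `request` and `require` do not authenticate the client would keep readers from relying on them for access control; and the removed `client_auth { ... }` syntax block should be confirmed to exist in the directive's syntax section, which this hunk does not show.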
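Review bot: In the docs.css hunk, the new selector list covers `article li p`, `article li ul` and `article li ol`, but the tls.md change in this same patch nests a table inside a list item, and a table is not covered. If the mode table should get the same `.5em` bottom margin, add `article li table` to the rule. It is also worth checking the rendered page to confirm the indented table is still parsed as a table inside the bullet and that the `Default:` paragraph after it is spaced as intended.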