Feature/mtls (#60)

* caddy version for TLS client auth

must be >=2.8 for tls subdirective client_auth: trust_pool

* add mTLS documentation

* split syntax for compose.yaml and .env file

* typo

Author: nexero

README.md

@@ -204,6 +204,39 @@ services:
       - NET_ADMIN
 ```
 
+### mTLS (client authentication)
+
+It is possible to use Mutual TLS authentication for client connections, which is useful to prevent MITM attacks and reducing attack vector when running possibly insecure software in your containers. 
+
+You will need to create a self-signed CA certificate and sign X.509 client certificates, then use this snippet for your `compose.yaml`
+```yaml
+      TLS_INTERNAL_CONFIG: |2
+        tls {
+                client_auth {
+                    mode require_and_verify
+                    trust_pool inline {
+                        trust_der YOUR_BASE64_ENCODED_CA_IN_DER_FORMAT_BELONGS_HERE
+                    }
+                }
+            }
+```
+
+ or this for your `.env` file:
+```yaml
+TLS_INTERNAL_CONFIG='tls {
+        client_auth {
+            mode require_and_verify
+            trust_pool inline {
+                trust_der YOUR_BASE64_ENCODED_CA_IN_DER_FORMAT_BELONGS_HERE
+            }
+        }
+    }'
+```
+
+Now you won't be able to establish connections to your service withou your client certificate. There are other possible configuration values, of course, please have a look at the official [Caddy documentation](https://caddyserver.com/docs/caddyfile/directives/tls#client_auth). 
+
+Keep in mind, this might effect any corporate firewall as there is no way to terminate TLS without breaking client authentication and therefor no way to connect for a client behind one of these appliances.
+
 ### Show all links running on a Gateway
 ```
 $ docker ps

src/client-link/Dockerfile

@@ -1,4 +1,4 @@
-FROM caddy:2.7
+FROM caddy:2.8
 
 ARG RELEASE_TAG