Support Mutual TLS through client certificate #697
tinsukE started this conversation in Feature Requests
Replies: 0 comments
Mutual Authentication for TLS (mutual TLS, mTLS) is an optional mode of authentication in TLS.
https://en.wikipedia.org/wiki/Mutual_authentication
https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/
Now that Capy supports FreshRSS/Google Reader API accounts, it might become more common for users to want to access their self-hosted instances that provide access through that API over the internet.
While doing so is a risky business, HTTP reverse proxies (e.g., nginx, Caddy) can be configured to require client authentication using the same security standards that TLS employs for server authentication.
This is another layer of security on top of whatever the self-hosted RSS aggregator might provide.
An alternative to exposing your service on the internet is setting up VPN access, which has its own pros and cons.
I personally prefer the ease of use of having services reasonably safely exposed on the internet.
This PR adds support for mTLS: #688
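
The reverse-proxy setup the post describes, as an added example that is not part of the original post or of the Capy project: an nginx server block that requires a client certificate before proxying to a self-hosted aggregator. The hostname, file paths, upstream address and private client CA are assumptions.

```nginx
# Constructed example: rss.example.com, the /etc/nginx/tls/ paths and the
# upstream 127.0.0.1:8080 are placeholders for your own deployment.
server {
    listen 443 ssl;
    server_name rss.example.com;

    # Server authentication (ordinary TLS).
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client authentication: trust only a private CA that signs the
    # certificates installed on your own devices, not a public CA bundle.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_depth       1;

    # Optional: a CRL issued by the same CA, so a lost phone or laptop
    # can be locked out without reissuing every other certificate.
    ssl_crl /etc/nginx/tls/client-ca.crl;

    # Weak setting, shown for contrast: "optional" lets clients through
    # without a certificate, so access is only restricted if every
    # location also checks $ssl_client_verify itself.
    # ssl_verify_client optional;

    # Enforced setting: a request without a certificate that chains to
    # client-ca.crt is rejected by nginx and never reaches the upstream.
    ssl_verify_client on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The aggregator's own login stays enabled behind this; the client certificate check is the additional layer the post refers to.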