Add template support for all host types to do client CA authorization

When an access list contains client CAs, the combined CA auth file is
added to all location blocks via an `if` statement. This allows
LetsEncrypt and other support paths to work, while correctly denying
access to the protected resources.

backend/templates/_access.conf

@@ -1,4 +1,10 @@
 {% if access_list_id > 0 %}
+{% if access_list.clientcas.size > 0 %}
+    # TLS Client Certificate Authorization
+    if ($ssl_client_verify != "SUCCESS") {
+        return 403;
+    }
+{% endif %}
     {% if access_list.items.length > 0 %}
     # Authorization
     auth_basic            "Authorization required";

backend/templates/_certificates.conf

@@ -11,4 +11,10 @@
   ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
 {% endif %}
 {% endif %}
-
+{% if access_list_id > 0 -%}
+{% if access_list.clientcas.size > 0 %}
+  # Client Certificate Authorization ({{access_list.clientcas.size}} CAs)
+  ssl_client_certificate /data/clientca/{{ access_list_id }};
+  ssl_verify_client optional;
+{% endif %}
+{% endif %}