In a reverse proxy, you can configure client authentication according to any of the following scenarios:
Proxy-Authenticates-Client. This scenario enables you to allow access to all clients with acceptable certificates, or to allow access to only those clients that have acceptable certificates and are recognized users on the access control list for your Proxy Server.
The proxy must have the root keys of either the CA or the self-signing application that signed the user certificate. The user must have loaded the root keys of either the CA or the self-signing application that signed the Proxy Server certificate.
Content-Server-Authenticates-Proxy. This scenario enables you to make sure that your content server is actually connecting with your Proxy Server and not some other server.
The proxy must have the root keys of either the CA or the self-signing application that signed the content server certificate. The content server must have the root keys of either the CA or the self-signing application that signed the Proxy Server certificate.
Proxy-Authenticates-Client and Content-Server-Authenticates-Proxy. This scenario provides the maximum security and authentication for your reverse proxy.
For information about how to configure these scenarios, see Setting Up Client Authentication in a Reverse Proxy.
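The root-key requirements of the three scenarios can be checked before deployment. The following is an added example, not part of the product documentation: it models each trust store as a set of issuer names instead of reading real certificate databases, and the names `Party`, `missing_roots`, `proxy_admits` and the CA names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Party:
    name: str
    cert_issuer: str  # CA or self-signing application that signed this party's certificate
    trusted_roots: set = field(default_factory=set)  # root keys loaded by this party

# (verifier, presenter) pairs per scenario: the verifier must hold the root
# keys of whoever signed the presenter's certificate.
REQUIREMENTS = {
    "proxy-authenticates-client": [("proxy", "client"), ("client", "proxy")],
    "content-server-authenticates-proxy": [("proxy", "content_server"),
                                           ("content_server", "proxy")],
}
# The combined scenario needs everything the two single scenarios need.
REQUIREMENTS["both"] = (REQUIREMENTS["proxy-authenticates-client"]
                        + REQUIREMENTS["content-server-authenticates-proxy"])

def missing_roots(scenario, parties):
    """Return sorted (verifier, issuer) pairs for root keys not yet loaded."""
    gaps = set()
    for verifier, presenter in REQUIREMENTS[scenario]:
        issuer = parties[presenter].cert_issuer
        if issuer not in parties[verifier].trusted_roots:
            gaps.add((verifier, issuer))
    return sorted(gaps)

def proxy_admits(client_issuer, user, proxy, acl=None):
    """Proxy-Authenticates-Client decision: an acceptable certificate is always
    required; when an ACL is enforced, the user must also be listed on it."""
    if client_issuer not in proxy.trusted_roots:
        return False
    return acl is None or user in acl

# Constructed sample inventory: the proxy has not loaded the content
# server's root keys yet.
PARTIES = {
    "client": Party("client", "Users CA", {"Proxy CA"}),
    "proxy": Party("proxy", "Proxy CA", {"Users CA"}),
    "content_server": Party("content_server", "Origin CA", {"Proxy CA"}),
}

if __name__ == "__main__":
    for scenario in REQUIREMENTS:
        print(scenario, missing_roots(scenario, PARTIES))
```

With this inventory, the client-facing scenario is ready, while the content-server and combined scenarios report that the proxy still lacks the root keys of the content server's issuer.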