Vamos codificar não procura desafios no HTTPS, então você pode simplesmente configurar algo assim:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name x.example.com;
location /.well-known {
try_files $uri $uri/ =404;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
<ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern>
ssl_client_certificate /etc/ssl/certs/root-ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
}