
Wait, how would you make client certificate auth work on a subpath, if it works on a layer below HTTP? One thing that comes to mind is making client certs optional and doing a 401/403 on pages that should require auth, but that should absolutely be doable with a liberal application of subroutes in Caddy. (The server will still request certificates, because it doesn't know which page you're visiting until the TLS handshake completes, but since the server indicates which roots it trusts, this shouldn't be a problem for random visitors — their user agent will skip the prompt if there are no suitable certificates.)
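The optional-certificate approach described above, shown with Go's standard library rather than Caddy configuration. This is an added example, not part of the original comment; the `/admin/` path, the function names and the constructed requests are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTLSConfig asks every visitor for a client certificate but lets the handshake
// succeed without one. ClientCAs is what the server advertises as trusted roots.
func newTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientCAs}
}

// requireClientCert enforces at the HTTP layer what the TLS layer left optional.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// VerifiedChains is non-empty only if a certificate chained to ClientCAs.
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux protects only the /admin/ subtree (hypothetical path); the rest is public.
func newMux() *http.ServeMux {
	ok := func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") }
	mux := http.NewServeMux()
	mux.HandleFunc("/", ok)
	mux.Handle("/admin/", requireClientCert(http.HandlerFunc(ok)))
	return mux
}

// status replays a constructed request, with or without a verified client chain.
func status(path string, withCert bool) int {
	r := httptest.NewRequest("GET", "https://example.test"+path, nil)
	r.TLS = &tls.ConnectionState{HandshakeComplete: true}
	if withCert {
		r.TLS.VerifiedChains = [][]*x509.Certificate{{&x509.Certificate{}}}
	}
	w := httptest.NewRecorder()
	newMux().ServeHTTP(w, r)
	return w.Code
}

func main() { fmt.Println(status("/", false), status("/admin/", false), status("/admin/", true)) }
```

In a real server, `newTLSConfig` would be assigned to `http.Server.TLSConfig` with a pool loaded from the client CA file; checking `VerifiedChains` rather than `PeerCertificates` keeps the decision tied to what the handshake actually verified.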