Is there a way to limit access to the known client certificates of known boxes so as to avoid access to files from anyone else? I could not see that in either configuration.
No, there’s not. In order to do that in HAProxy you’d have to actually terminate the connection on the proxy.
That would entail a much more complicated setup.
Ok, thanks. Then I will go for knockd since my phone will usually be in the same WLAN.
The HTTP web interface is only available on port 80.
The HTTPS port doesn’t have configuration access by default. You protect it with client certificate authentication. Beware that it is not fully implemented and only checks if the common name of the client certificate is correct. The certificate itself is not (yet) verified.
You may need to use the develop branch for that.
In the nginx configuration referenced here, there is a map at the top to configure which certificates are allowed.
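For illustration, here is an added nginx fragment (not the configuration referenced in the thread) showing the pattern being described: nginx terminates TLS, verifies the client certificate chain against a private CA, and a map at the top allows only listed subject DNs. All paths, hostnames and DNs are placeholders.

```nginx
# Added example, not the thread's referenced config. nginx verifies the client
# certificate against a trusted CA and then allows only known subject DNs,
# which closes the gap of a backend that checks the CN but not the certificate.

# Map the verified client subject DN to an allow flag. Unlisted DNs get 0.
map $ssl_client_s_dn $known_client {
    default                 0;
    "CN=phone,O=home"       1;   # placeholder DN of a known client
    "CN=laptop,O=home"      1;   # placeholder DN of a known client
}

server {
    listen 443 ssl;
    server_name example.internal;                       # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;      # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;      # placeholder path

    # Require a client certificate and verify its chain against our own CA.
    # Without this, anyone can present a self-signed cert with a matching CN.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt; # placeholder path
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        # A validly signed certificate is still rejected unless its DN is listed.
        if ($known_client = 0) {
            return 403;
        }
        # Forward to the plain-HTTP interface, which stays bound to localhost.
        proxy_pass http://127.0.0.1:80;
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
    }
}
```

The map keys must match nginx's own rendering of the subject exactly (RFC 2253 order in current versions), so log `$ssl_client_s_dn` for a known client first and copy that string into the map.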