refining

docs/tls.md

@@ -29,3 +29,22 @@ headscale can also be configured to expose its web service via TLS. To configure
 tls_cert_path: ""
 tls_key_path: ""
 ```
+
+### Configuring Mutual TLS Authentication (mTLS)
+
+mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale,
+using TLS certificates. The capability can be configured by by applying one of
+the following values to the `tls_client_auth_mode` setting in the configuration
+file.
+
+| Value | Behavior |
+| ----- | -------- |
+| `disabled` | Disable mTLS (default). |
+| `relaxed` | A client certificate is required, but it is not verified. |
+| `enforced` | Requires clients to supply a certificate that is verified. |
+
+
+```yaml
+tls_client_auth_mode: ""
+```
+