fix review

README.md

@@ -304,19 +304,19 @@ $ docker run -v /path/to/cache/dir:/data \
 	--htpasswd_file /etc/bazel-remote/htpasswd --max_size=5
 ```
 
-You can also enforce authentication with client certificates by passing in a `tls_ca_file`:
+If you prefer not using `.htpasswd` files it is also possible to authenticate with mTLS (also can be known as "authenticating client certificates"). You can do this by passing in the the cert/key the server should use, as well as the certificate authority that signed the client certificates:
 
 ```bash
 $ docker run -v /path/to/cache/dir:/data \
-   -v /path/to/certificate_authority:/etc/bazel-remote/ca_cert \
-	-v /path/to/server_cert:/etc/bazel-remote/server_cert \
-	-v /path/to/server_key:/etc/bazel-remote/server_key \
-	-p 9090:8080 -p 9092:9092 buchgr/bazel-remote-cache \
-	--tls_enabled=true \
-   --tls_ca_file=/etc/bazel-remote/ca_cert \
-	--tls_cert_file=/etc/bazel-remote/server_cert \
-	--tls_key_file=/etc/bazel-remote/server_key \
-   --max_size=5
+  -v /path/to/certificate_authority:/etc/bazel-remote/ca_cert \
+  -v /path/to/server_cert:/etc/bazel-remote/server_cert \
+  -v /path/to/server_key:/etc/bazel-remote/server_key \
+  -p 9090:8080 -p 9092:9092 buchgr/bazel-remote-cache \
+  --tls_enabled=true \
+  --tls_ca_file=/etc/bazel-remote/ca_cert \
+  --tls_cert_file=/etc/bazel-remote/server_cert \
+  --tls_key_file=/etc/bazel-remote/server_key \
+  --max_size=5
 ```
 
 ### Profiling

config/config.go

@@ -180,8 +180,9 @@ func validateConfig(c *Config) error {
 	}
 
 	if c.TLSCaFile != "" && (c.TLSCertFile == "" || c.TLSKeyFile == "") {
-		return errors.New("When enabling mTLS one must specify a: 'tls_ca_file' " +
-			"as well as 'tls_cert_file', and 'tls_key_file'")
+		return errors.New("When enabling mTLS (authenticating client " +
+			"certificates) the server must have it's own 'tls_key_file' " +
+			"and 'tls_cert_file' specified.")
 	}
 
 	if c.GoogleCloudStorage != nil && c.HTTPBackend != nil && c.S3CloudStorage != nil {

main.go

@@ -145,7 +145,7 @@ func main() {
 		&cli.StringFlag{
 			Name:    "tls_ca_file",
 			Value:   "",
-			Usage:   "Path to a pem encoded certificate authority file.",
+			Usage:   "Optional. Enables mTLS (authenticating client certificates), should be the certificate authority that signed the client certificates.",
 			EnvVars: []string{"BAZEL_REMOTE_TLS_CA_FILE"},
 		},
 		&cli.StringFlag{
@@ -396,8 +396,6 @@ func main() {
 			tlsConfig = &tls.Config{
 				Certificates: []tls.Certificate{readCert},
 			}
-		} else {
-			tlsConfig = nil
 		}
 
 		mux := http.NewServeMux()