set $auth_basic "Challenge FIC";
if ($ssl_client_verify != "SUCCESS") {
    set $team "$remote_user";
    set $needauth "1";
}
if ($ssl_client_verify = "SUCCESS") {
    set $team "_AUTH_ID_$ssl_client_serial";
    set $auth_basic off;
    set $needauth "0";
}
if (!-f /srv/PKI/shared/ficpasswd) {
    set $needauth "${needauth}0";
}
if ($needauth = "10") {
    return 401;
}

auth_basic $auth_basic;
auth_basic_user_file /srv/PKI/shared/ficpasswd;