I have installed nginx on an Arch Linux VPS with Vultr. I intend to use it to serve files to myself and two colleagues. I have setup three accounts for us all with login names and passwords via the .htaccess and .htpasswd files. I will also be adding a certificate with let’s encrypt before the server will be used.
The data we will be sharing is commercially sensitive. Is there anything else I need to worry about? Is there anything else I can do to harden the server?
Yes, I understand what you mean, and you don’t seem to be misunderstanding how TLS client certificates function.
But my point was, that usually it is web server is that accepts and validates the client certificate. A web server is externally visible, and so it is potentially something that can be attacked even if the attacker doesn’t have a valid client certificate.