Mention how to disable the HTTP port

This is particularly important when mTLS is used.

docs/src/main/asciidoc/http-reference.adoc

@@ -151,7 +151,7 @@ Refer to the xref:./management-interface-reference.adoc[management interface ref
 ====
 
 [[ssl]]
-== Supporting secure connections with SSL
+== Supporting secure connections with TLS/SSL
 
 In order to have Quarkus support secure connections, you must either provide a certificate and associated key file, or supply a keystore.
 

docs/src/main/asciidoc/security-authentication-mechanisms.adoc

@@ -193,13 +193,15 @@ quarkus.http.ssl.certificate.trust-store-password=the_trust_store_secret
 quarkus.http.ssl.client-auth=required                                      <3>
 quarkus.http.auth.permission.default.paths=/*                              <4>
 quarkus.http.auth.permission.default.policy=authenticated
+quarkus.http.insecure-requests=disabled                                    <5>
 ----
 <1> The keystore where the server's private key is located.
 <2> The truststore from which the trusted certificates are loaded.
 <3> With this value set to `required`, the server requires certificates from clients.
 To relax this requirement so that the server accepts requests without a certificate, set the value to `REQUEST`.
 This option is useful when you are also supporting authentication methods other than mTLS.
 <4> Defines a policy where only authenticated users should have access to resources from your application.
+<5> Optionally, disable the plain HTTP protocol, and consequently require all requests to be made over HTTPS.
 
 When the incoming request matches a valid certificate in the truststore, your application can obtain the subject by injecting a `SecurityIdentity` as follows:
 

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/HttpBuildTimeConfig.java

@@ -28,7 +28,10 @@ public class HttpBuildTimeConfig {
 
     /**
      * Configures the engine to require/request client authentication.
-     * NONE, REQUEST, REQUIRED
+     * {@code NONE, REQUEST, REQUIRED}.
+     * <p>
+     * When set to REQUIRED, it's recommended to also set `quarkus.http.insecure-requests=disabled` to disable the
+     * plain HTTP port.
      */
     @ConfigItem(name = "ssl.client-auth", defaultValue = "NONE")
     public ClientAuth tlsClientAuth;
@@ -43,15 +46,15 @@ public class HttpBuildTimeConfig {
     /**
      * A common root path for non-application endpoints. Various extension-provided endpoints such as metrics, health,
      * and openapi are deployed under this path by default.
-     *
+     * <p>
      * * Relative path (Default, `q`) ->
      * Non-application endpoints will be served from
      * `${quarkus.http.root-path}/${quarkus.http.non-application-root-path}`.
      * * Absolute path (`/q`) ->
      * Non-application endpoints will be served from the specified path.
      * * `${quarkus.http.root-path}` -> Setting this path to the same value as HTTP root path disables
      * this root path. All extension-provided endpoints will be served from `${quarkus.http.root-path}`.
-     *
+     * <p>
      * If the management interface is enabled, the root path for the endpoints exposed on the management interface
      * is configured using the `quarkus.management.root-path` property instead of this property.
      *
@@ -69,7 +72,7 @@ public class HttpBuildTimeConfig {
     /**
      * If enabled then the response body is compressed if the {@code Content-Type} header is set and the value is a compressed
      * media type as configured via {@link #compressMediaTypes}.
-     *
+     * <p>
      * Note that the RESTEasy Reactive and Reactive Routes extensions also make it possible to enable/disable compression
      * declaratively using the annotations {@link io.quarkus.vertx.http.Compressed} and
      * {@link io.quarkus.vertx.http.Uncompressed}.
@@ -79,7 +82,7 @@ public class HttpBuildTimeConfig {
 
     /**
      * When enabled, vert.x will decompress the request's body if it's compressed.
-     *
+     * <p>
      * Note that the compression format (e.g., gzip) must be specified in the Content-Encoding header
      * in the request.
      */