I was trying to avoid the client certificate request for those who don’t need it, but I see it’s not possible. I cannot use the SNI solution, I have no control over the app that generates the URL not to be protected by TLS.
I think the solution is creating ACLs while permitting anyone to be asked for a certificate…