I'm not seeing any simple solutions for talking to a backend from Varnish over TLS, unfortunately. I leveraged Varnish on a lot of hosts where the backend was local and we could have Varnish talk to the backend over HTTP, so I don't think I ever had a need or tried to get Varnish to connect to an HTTPS backend. A useful tool for diagnosing Varnish activity can be watching the more detailed in-memory log using the `varnishlog` command, which can help to see what Varnish is doing (with a lot of detail) when making backend requests, and some details about the HTTP response it receives from the backend.
Nice to see you here, Matt! As a next step, I am thinking of establishing a WireGuard connection locally - fly.io/blog/incoming-6pn-private-networks/ - then connecting to the HTTP endpoint of the app directly, without going through the Fly.io Proxy, because that's what is happening when we are connecting via HTTPS. When we deploy this on Fly.io, we will connect to the app's internal host anyway, so that will take care of HTTP only when we roll this out in prod. Will try out `varnishlog` in the next session, thank you for the tip!