As varnish is a http-only cache, it only supports connecting to backends unencrypted.
This means we need to move the TLS configuration out of Apache and into another tool. The standard to put in front of varnish seems to be hitch, so we'll go with that.