I know this is a rather old question but I’ll leave my findings in case someone else needs to make this work.
Your approach helped me implement a similar setup.
In order for Varnish to keep a separate cache for http and https versions of the same page you simply need to add the X-Forwarded-Proto header in the hash_data() function in vcl_hash.
Like this:
sub vcl_hash {
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}
# Keep separate caches if https is used
hash_data(req.http.X-Forwarded-Proto);
}
This way a user visiting http://www.example.net will get the cache for the http version while a user visiting https://www.example.net will get the cache for the https version.
You may want to make it more specific so it will only keep double caches for the html content and not images, css, js, etc which are usually the same regardless of the protocol used.